Schoolwork Linux – 21st Century Typewriter

Montgomery County Schools, and most private schools as well, have migrated to an online document creation and storage system that all students must use (Google Docs) along with an online homework manager (Edline). Most research for tasks such as writing papers is also done online.

The wisdom of bringing the educational system online is debatable. The decision to do this, by myriad school systems across the nation,  was clearly made without much thought as to how students might be protected from inappropriate content.

The wide variety of gaming, social networking and media web sites available on current day computers are severe distractions to many students who need a computer to do their assignments. In the 1980’s, an equivalent situation would have been trying to do your homework in an arcade surrounded by your friends, with optional porn movies available at the press of a button.

This online approach forces diligent parents to assume the role of Internet gatekeeper, standing near their children and watching to make sure they do what they’re supposed to do. The Internet cannot be turned off because students need it to do research.

What students need is a word processor and a safe online encyclopedia in a quiet room with no smart devices. No instant messaging, no games, no social network apps, no iTunes, no YouTube.

I’ve taken a Linux distribution called Peppermint 3 and heavily modified it to satisfy the above requirement. It’s been turned into a 21st century typewriter by taking Linux and the Firefox browser and modifying it into a locked-tight and unchangeable mechanism that allows only a few specific websites (Edline, Google Drive, Google Docs, Wikipedia without images and a few others) and one application (Firefox). More sites can be added if necessary. All other applications have been removed.

I call it “Schoolwork Linux”. While the target users are elementary and middle school students, it’s beneficial for high school students and even adults who need to write without distractions.

Schoolwork Linux has just one administrator account to log in but the end user does not need to know (and shouldn’t know) the password as the account is set to auto login.  Administrators (usually parents) do need the password to enter the wireless connection credentials on initial setup.

Using Schoolwork Linux is the epitome of simplicity. Once it is installed on an old desktop or laptop, reboot, connect to your wireless or wired network, sign on to Google and it’s up and running. Then tell the kids to get to work. No need to babysit.

A freeware proxy server called Privoxy was used to implement the white list of permitted web sites. All Internet input and output is funneled through Privoxy, which is configured to disallow all websites except the ones that are listed above. Because Privoxy is such a powerful filter, it is actually employed by some viruses to inject ads into web pages even though its default behavior is to eliminate ads. Don’t worry about that, though.

Privoxy uses what it calls a Trust File to perform this white listing. This is a list of trusted websites. All others are rejected and a message stating such is displayed in Firefox. I initially tried using a different Privoxy mechanism called action files which use the commands +block and –block to disallow and allow websites, but this never seemed to work properly.

What stops a user from modifying Firefox and the trust file, or using another browser, in order to gain access to the web?

Firefox is locked tight in that the proxy server settings are locked, and cannot be modified by the user. And Firefox is the only browser on the computer (actually there is another but nobody will ever find it). Firefox is also set to never remember history or logins/passwords and this setting is also locked so a user cannot change it. This means a user has to login whenever Schoolwork Linux is started, but also means their data is safe if the PC is in a public school, or in a private residence with multiple users.

The Privoxy configuration setup is sufficiently complex that it would require tens of hours of study just to understand how it works, and that’s for somebody well versed in computer software. So by dint of its complexity, it’s probably impossible for the typical Schoolwork Linux user to understand and modify it. And the clincher is that all the Privoxy configuration files require a root password to change. As previously stated, the end user does not know this password.

Creating a white list using the Privoxy trust file is not trivial. It’s not as simple as inserting the desired webpage as a single entry line. Web pages often use many sub-URLs which a user never sees. For instance, Google Docs relies on the following URLs:

+docs.google.com
+accounts.google.com
+clients*.google.com
+fonts.googleapis.com
+fonts.google.com
+drive.google.com
+plus.google.com
+apis.google.com
+lh*.google.com
+fonts.gstatic.com
+*.gstatic.com
+safebrowsing.google.com
+*.docs.google.com
+*.client-channel.google.com
+lh*.googleusercontent.com
+www-kixfileopen-opensocial.googleusercontent.com
+www-onepick-opensocial.googleusercontent.com
+accounts.youtube.com

It won’t work properly if any of these are missing from the trust file. In order to determine which URLs a website needs, Privoxy provides a debug log which logs all rejected sites. By iterative testing and examination of the debug log, the proper URLs can be found and included in the trust file.

There is no reason for permitting Google Search and YouTube on Schoolwork Linux as they are uncontrollable to a large degree, and are distractions to students using this device.

Wikipedia is a valuable source of data, but does contain pictures that could be considered obscene for certain topics such as nudism and body parts. These images cannot be selectively blocked, so I chose to block all Wikipedia images. Most originate from a URL called Wikimedia, so Privoxy was configured to block that URL. The Wikipedia content is not affected.

The main goal of Schoolwork Linux is to eliminate distractions when using a computer for school assignments and to make it impossible to view age-inappropriate photographic content. It could be useful in homes, elementary and middle schools. Schools are currently required to filter Internet access, but I haven’t found any references to a locked tight and white list oriented PC such as this. Using a smart device while using Schoolwork Linux defeats the entire purpose and is strongly discouraged.

In a nutshell, Schoolwork Linux is a typewriter, homework manager and encyclopedia. Nothing more.

It works on any spare computer. If that computer stops working, just reinstall Schoolwork Linux on another old or cheap PC and get back to work. It’ll work fine on a cheap $99 Micro Center refurbished laptop or desktop, or even a netbook. No data is saved locally so there are no backup issues.

There are Windows based parental control that are available, but none has a white list feature that works as well as Schoolwork Linux. And none to my knowledge will remove images from Wikipedia.

Here are some screenshots of Schoolwork Linux. It’s very minimalist. The only icon on the desktop is Firefox. Click on the images below to enlarge them.

s1

When the user clicks on Firefox, the Google Docs login screen appears as the home page. Note the websites on the bookmarks bar. Those are the ONLY sites a user can visit. Also remember that all Wikipedia images are blocked.

s2a

 

 

Posted in Uncategorized | Leave a comment

A Scam to Steal your Identity

If sharing your identity with other people bothers you, read this carefully. This is a very effective scam to get to your mail attachments and online cloud storage.

Left click or middle click the images to enlarge. It’s important that you see all the details. Note: I’ve smeared actual names in order to protect the innocently conned.

This is my Thunderbird Inbox. Note the email titled “Secured Investment Document”.

Clipboard01

Just above you can see the button titled “View Folder”. Expo 2020… sounds semi-interesting. Somebody you know sent it, so based on that, many people will click on the button. Actually you may or may not know them but your email is in their address book. And it wasn’t them who sent it. It was somebody who hacked into their email the same way they are trying to hack into yours. Keep reading.

I clicked on it and Firefox opens. The message below appears. This should convince most people to back off now. IE offers a similar message. But it might not appear depending on the browser or if the browser is poorly configured.

Clipboard03

I clicked on “Ignore this warning”. Then the screen below appeared. This is the scam part.

Clipboard05

All they want is a valid email address and password. Once they have that, they can peruse your email for sensitive or financial info. Note the URL beginning with “kl”. It’s clearly not Google. Always pay attention to URLs. If it doesn’t look legitimate or just plain “right”, do not proceed.

When I clicked on the drop-down arrow to the right of “Gmail” button above, the screen below appeared which offered a selection of all the major email players. Note the “Others” option. This permits them to get the credentials for email with any domain name.

Clipboard02

I entered a fake email address and password. Then the screen below appeared. That screen is just a ruse. I think at this point, they already have the info they need (your email and password). They are just trying to trick you into thinking it’s legit. Again, note the URL beginning with “kl”.

Clipboard04

Be careful. Never fall for a scam like this. The unfortunate owners of this email account did fall for it. Their email address and password were stolen when they entered their email credentials and their account was then used (by people unknown in a place unknown) to send email like this to everyone in their address book, in order to steal more email addresses. More importantly, their email attachments and/or cloud drives were almost certainly searched for tax and financial data that could be used to steal their identity.

This scam has many variants. Always be careful and look at these types of emails with a very critical eye. Taking the time now could save you a lot of time later.

And one more very important note: Stealing your email credentials is not the only way to view your attachments. If your financial institute, bank or accountant is emailing sensitive financial information as attachments, you need to tell them to stop doing that immediately. The alternatives are sending it as an encrypted attachment or a fax. Attachments can be intercepted by packet sniffers at any point between you and the sender (and there are a lot of points). If they are sending you an encrypted attachment, they must not send the password in that email or in any email. It should be conveyed to you via phone or fax.

 

Posted in Uncategorized | Leave a comment