HTTPS Everywhere Rule Sets for UMBC, tools.ietf.org

The server tools.ietf.org supports TLS, but my browser's HTTPS Everywhere seems unaware of this fact. So I wrote a rule set for that server. I have previously posted here an HTTPS Everywhere rule set for an oft-used (by me) server at UMBC; for convenience, this is reproduced below.

<ruleset name="tools-ietf">
  <target host="tools.ietf.org" />

  <rule from="^http://tools\.ietf\.org/" to="https://tools.ietf.org/" />
</ruleset>

<ruleset name="userpages-UMBC">

  <target host="userpages.umbc.edu" />

  <rule from="^http://userpages\.umbc\.edu/" to="https://userpages.umbc.edu/"/>

</ruleset>

Where do these rules go? See the EFF docs or my prior description.

HTTPS Everywhere Rule Set for userpages.umbc.edu

Many of the servers at  UMBC do not support HTTPS, but userpages.umbc.edu, the server(s) for user home pages, does. However, probably few people access it securely. For those using HTTPS Everywhere, I wrote an extension for HTTPS Everywhere:

<ruleset name="userpages-UMBC">

  <target host="userpages.umbc.edu" />

  <rule from="^http://userpages\.umbc\.edu/" to="https://userpages.umbc.edu/"/>

</ruleset>

I haven't figured out how to install this in my Chrome profile, but it works fine with Firefox HTTPS Everywhere. Tips would be appreciated.

First, HTTPS Everywhere must be installed. Most people should install it anyway. The EFF is doing great things for the public, which is why I donate annually.

Second, the file must be installed "in the HTTPSEverywhereUserRules/ subdirectory in your Firefox profile directory" (see the EFF page). Then restart Firefox. On my Xubuntu system, this directory was

~/.mozilla/firefox/xxxxxxxx.default/HTTPSEverywhereUserRules. The penultimate part of that path will vary from system-to-system.

[ Originally omitted; added 2013-06-09 ]:
Third, the file name must match the domain name, userpages.umbc.edu in this case.

Get HTTPS Everywhere from the EFF here.

Impressive Fireball at UMBC

Yesterday I was close enough to an explosion to feel the heat on
my face, 40m or so away. It was at the electrical substation just north
of the campus police station.  Not very loud, but an impressive
fireball. I have to start carrying a camera.

As a result, UMBC is closed today for lack of electricity. New media reports:

• Transformer Explosion Knocks Out UMBC Power, http://columbia.patch.com/articles/transformer-explosion-knocks-umbc-power
• Baltimore Sun apparently has no idea of or maybe no interest in what actually happened:   http://www.baltimoresun.com/news/education/bal-umbc-power-outage-0603,0,573995.story

Migrating UMBC E-mail to Gmail

Some months ago UMBC began migrating e-mail to the Google cloud. This migration has been voluntary, but everyone will be moved over in January. I like Gmail, and considered moving some months ago, but decided not to because it was unclear whether there would be a solid wall (psychologically as well as logically) between my personal Gmail account and my UMBC Gmail account. This will not be an issue for a number of reasons:

(1) The accounts are separate, one reached via mail.google.com and the other via gmail.umbc.edu. I can reach both via the traditional mail.google.com URL, but with two different user names. I plan to explicitly go via (and link to) the gmail.umbc.edu address.

(2) I usually use Chrome for Gmail, but use Firefox for UMBC (myUMBC) services. Firefox add-ons allow me to selectively turn off undesired scripting within myUMBC and Chrome does not display PeopleSoft slop properly (I suspect it really does, however, and that PeopleSoft is simply not following web standards, but this is something for future investigation). So I will continue to use Chrome for personal Gmail, and will use Firefox for UMBC mail.

(3) I use different themes for the two Gmail services, and so my work and my personal screens look very different.

(4) The UMBC Gmail has "myUMBC" prominently displayed in the upper left.

(5) If all of that is not enough, I can simply return to an IMAP client for UMBC e-mail and continue to use the browser for personal Gmail.

The one drawback I have seen in my initial look is that Google says it may take several days for my old e-mail to migrate to Google. Since I have switched, I can no longer access UMBC Squirrel mail, and so none of my old e-mail folders are currently available via the web. Since grades are due in a couple weeks, this could become sufficient motivation to temporarily configure an IMAP client on my laptop. However, I do not foresee much inconvenience here except possibly delaying my grading of assignments submitted via e-mail.

I do suspect there is still a way into squirrel mail, but do not plan to spend any time finding the way.

Alert! Alert!

UMBC police are using a false alarm as an argument that we should sign up for text alerts. I guess the argument is "See, we sent out another useless alert. Don't you want to be sure you don't miss any of this irrelevant information?"

This country has been running scared since 9/11/01, and the situation a couple years ago in Blacksburg didn't help. But enough is enough, and "e2campus" is too much. We're expected to sign up to be alerted for events of near-zero probability, so almost any e2campus alert will be a waste of time.

> September 23, 2010
>
> To: The UMBC Community
>
> Fr: Mark Sparks, Chief of Police
>
> Re: False Report of a Shooting on Campus
>
> This morning, Baltimore County Police responded to a 911
> call of a possible shooting in front of the Retriever
> Activities Center (RAC) within about two minutes of
> receiving the call. Both police agencies did a thorough
> search of the RAC and surrounding area and found no evidence
> of a shooting through the search or citizen interviews on
> the scene. The call was apparently unfounded, and is being
> treated as a False Report call by the Baltimore County
> Police Department.
>
> An e2Campus text alert was sent out once the UMBC officers
> developed enough information about the call, to tell the
> campus the nature of the call and that it was unfounded.
>
> Members of the campus community are encouraged to sign up
> for e2campus, an emergency alert text-messaging system that
> will permit the University to notify subscribers to any
> campus-related emergency (such as potential campus safety
> hazards or campus closures due to weather). It is compatible
> with mobile phones, Blackberries, "smart phones," satellite
> phones, e-mail, wireless PDAs and pagers. Normal
> text-messaging rates apply. There are no additional
> charges. Sign up for this important service today at
> http://my.umbc.edu/go/alerts.

tcsh Update

Maybe I don't need to worry about changing shells too soon, if only because tcsh is the default shell for UMBC's Linux cluster, GL.




So it's not just me and the OSU of yesteryear, but also UMBC.

Blackboard Security, UMBC

A couple items that instructors using Blackboard at UMBC should be aware of: First, at the beginning of most sessions when one is preparing to post new content, a requester pops up asking for permission to run a Java application. The correct answer is, emphatically, no. Everything works fine if you deny that application permission to run, so there's no need to grant it complete and total access to your PC (or to your account on the PC which, for most Windows users, is the same as the PC itself). Second, OIT often refers to Blackboard as a secure place to post grades. In some respects this is true. However, be aware that the grades are transfered in the clear, so anyone eavesdropping can see all the grades of everyone in your class. On campus this is probably a minimal problem for wired users. It's a switched Ethernet, and hard to eavesdrop on. The campus wireless is not encrypted however, so accessing a Blackboard grade book using 802.11 on campus is not secure. By the same token, accessing a blackboard grade book from off campus is not secure.

Improving the Usability of myUMBC

myUMBC has become, in the words of one of our students, very media heavy. Even with a broadband connection, it takes a long time for things to load, presumably due to load on the servers and perhaps scripting locally. One of the annoying things is a rotating banner of supposed news items. I've chosen not to do anything about that yet. Two things I have disabled, however, using Firefox add-on Karma Blocker, are: The chipmunk animation that loads whenever a page is not found. This is doubly bad, since it's not only many useless bytes transferred, but it also makes noise. This is triply bad, because the 404 not found chipmunk normally occurs after clicking a bad link in myUMBC. Karma Blocker rule:

# Block myUMBC 404 not found chipmunk
[group]
score=10
rule=$url$='dramatic_chipmunk.flv'

For those who want to see the animation, the full URL is https://my.umbc.edu/shared/images/player/player.swf?vidLoc=/errors/images/dramatic_chipmunk.flv The second thing is the MyUMBC alert "feature." There is good reason to have such features, but when it's used to tell people not to respond to phishing attacks and to tell people after the fact that the University opened late that morning, it's not clear it's useful. But it also takes several clicks to dismiss the alert, and until dismissed there's this huge honking red thing in a prominent position on the screen. The solution is to get rid of the red thing. The alert is presented as a white number on a red background. Get rid of the background, and it bcomes a white number on a white background. Much better. Karma Blocker rule:

# Block UMBC Alerts
#[group]
#score=10
#rule=$url=='https://my.umbc.edu/modules/dashboard/images/alert_bubble.png'

Disabling Alerts in myUMBC

UMBC's OIT has added an Alerts feature to myUMBC, the system everyone uses for everything at UMBC. Being close to people who were in Norris Hall during the Virginia Tech shootings, I understand the motivation and think that, on the face of things, the alerts are a good idea. However, they're being used for mundane matters--Wednesday around 11am I saw the alert that said campus was closed that morning until 10--and very cumbersome to dismiss. You have to click on the alert notification, click on the specific alert, and then click on something indicating that you've seen the alert. They really want to know we've seen every alert. Unfortunately, myUMBC is very media heavy, and, even from on campus, very slow. So each click takes several seconds. So I looked on myUMBC for an option to disable alerts, or some way to dismiss them more quickly. No luck. NoScript (my favorite Firefox add-on) didn't help, since the alerts aren't implemented as a specific script. So I went hunting. The hunt led to Karma Blocker 0.3.2. Essentially I tell this nifty little Firefox add-on that the myUMBC alert has bad karma, and so it keeps the alert from loading. What it really does is get rid of the red alert background, which means my count of alerts awaiting is a white number on a white background. The rule I use is: # Block UMBC Alerts [group] score=10 rule=$url=='https://my.umbc.edu/modules/dashboard/images/alert_bubble.png' OIT could easily break this by renaming or moving the image file. I'm hoping they don't. If they do, I can make the rule more general.