Compare commits


2 Commits

Author SHA1 Message Date
9dc0cafe30 Merge pull request 'adding Vilnus news item' (#3378) from news-202418-Vilnus into master
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #3378
2023-04-17 07:42:43 +00:00
72c742112f adding Vilnus news item
All checks were successful
continuous-integration/drone/pr Build is passing
2023-04-17 09:41:53 +02:00


@ -0,0 +1,168 @@
<?xml version="1.0" encoding="UTF-8"?>
<html newsdate="2023-04-18">
<version>1</version>
<head>
<title>Lithuania: Students stop university from using only proprietary authentication</title>
</head>
<body>
<h1>Lithuania: Students stop university from using only proprietary authentication</h1>
<p>Vilnius Tech officials attempted to enforce the use of proprietary
two factor identification (2FA) methods. Some students were concerned
the methods would compromise privacy and could not be run in their
devices, and proposed an alternative way to get the authentication.
Finally, the university reversed its decision.</p>
<figure>
<img src="https://pics.fsfe.org/uploads/medium/dd/63/d5b9fdb1b49c66b8f6e972194473.png"
alt="Collage with a picture of a girl and a building" />
</figure>
<p>Vilnius Gediminas Technical University (VGTU), a public university
in Lithuania, recently attempted to make 2FA methods mandatory for
access to its platforms. The problem came when some students noticed
that the available methods would make the platforms inaccessible to
those who did not wish to use proprietary tools. Students using phones
run by Free Software would lose access to their university tools, such
as email. So they demanded open standards and Free Software. After
weeks of student complaints, and with no official explanation, the
measure was reversed. In a symbolic act, one student even hacked the
universitys GitLab instance and reported it to the IT department.
</p>
<h3>University attempted to lock out students who use Free Software phones</h3>
<p>On 14th February an email was sent out to all students and staff,
instructing them to configure 2FA within two weeks, or they would not
be able to access university services. What raised concerns was that
the system set up by VGTU only allowed two options for 2FA, Microsoft
Authenticator (app notifications) and SMS.</p>
<p>While there is nothing wrong with enforcing 2FA, the methods mandated by VGTU are proprietary and
privacy-compromising. Microsoft Authenticator is proprietary software,
meaning that users are not allowed to study, share, and improve the
code without restriction. In addition, the app was only available on
two platforms: Android with Google Play services or iOS, meaning that
people using alternative Free Software App stores were locked out. The
alternative SMS option required users to share their phone number and
personal information with Microsoft, which also made students
uncomfortable.
</p>
<figure>
<img src="https://pics.fsfe.org/uploads/original/a5/7e/d8183a4c190838db48c34b73f60a.jpeg"
alt="A phone showing a Free Software two-factor authentication app" />
</figure>
<h3>No way to evade it</h3>
<p>Several students demanded that VGTU also allow open standards and Free
Software. The “app passwords” option, which is normally built into
Microsoft Authenticator, was not available. This would have allowed
students to access their university email from other clients without
2FA. The “Configure app without notifications” option, which would have
allowed the use of other password managers/authenticators, was also
unavailable. Since the university disabled alternatives, the only
option for the university community was reliance upon Microsoft.</p>
<p>Some students contacted the IT Helpdesk requesting that the TOTP (time-based
one-time password) option be enabled. However, the IT department
claimed that their systems were not designed to support such
authentication. The department stated that two-factor authentication
options were currently available, SMS and the Microsoft app, and that
the use of TOTP could be considered in the future. In short, the IT
department did not listen to these students demands.
</p>
<blockquote>
<p><em>"This university has a bad habit of enforcing proprietary software and doing
little research on the free alternatives. Free software has always been
better and easier to use. It's hard to study when you can't agree with
invasive EULAs," states Zehra Irem Kuyucu, one of the affected students.</em>
</p>
</blockquote>
<h3>Raising the anti-discrimination argument to the university
community</h3>
<p>The students then went on to raise their concerns to
other members of the university community, including the Deputy
Manager, the Students Office, and the Department of Information
Technologies. They pointed out that the study agreement did not require
them to have a working phone running Google Play services or iOS.
According to Lithuanian law, educational institutions cannot
discriminate against students on the basis of their social status or
beliefs, and the University's 2FA restrictions could discriminate
against students who refuse or are unable to install a proprietary
application on their personal devices.
</p>
<h3>Silent victory: access to services, student GitLab hack</h3>
<p>After students who could not configure 2FA had been blocked for
about a week, the university community was able to access their email
again on 27 March. No one was notified of the change. The university
didnt offer a one-time password option for 2FA.
</p>
<figure>
<img
src="https://pics.fsfe.org/uploads/medium/8f/84/674b05f8a41d2c82bf72ed7f8977.jpg"
alt="Portrait of a girl outdoors" />
<figcaption>Zehra, one of the frontrunners in demanding alternative access without Microsoft services.</figcaption>
</figure>
<p>
A few days later, one of the students, Zehra Irem Kuyucu, even went one step
further. She resorted to drastic measures by <a
href="https://gitlab.digilol.net/Siren/vgtu-article/-/blob/master/vgtu.md">hacking
the university's GitLab instance</a>. She explained that she wanted to “teach what
their infrastructure is worth, as another bad habit they have is poor
security, despite authoring articles about it”. Then she sent an email to the IT department with security advice. She has, on other occasions, also reported problems regarding
other parts of their infrastructure, such as HTTP plain-text
authentication or poor wireless network security.
</p>
<h3>Conclusion</h3>
<p>The use of two factor identification methods
helps to secure devices and data but it should be implemented in a way
that is not locking anyone out. VGTU's mandate for 2FA only gave the
option of using proprietary software, raising concerns to some students
who did not want to compromise their privacy. The university's decision
to disable options that would have allowed students to access their
university email using other clients without 2FA was unfair, as it left
students with no options but to use Microsoft Authenticator or to share
their phone number and personal information with Microsoft. The IT
department's refusal to enable TOTP as an option was also not
satisfactory, as it meant that students who did not have devices
compatible with Microsoft Authenticator were discriminated against.
While the university claimed that TOTP use would be considered in the
future, there was no timeline for when this would happen.
</p>
<p>After students who could not configure 2FA had been blocked for about a week,
the university silently retreated. The university community was able to
access their email again on 27 March.
</p>
</body>
<tags>
<tag key="front-page"/>
<tag key="lt">Lithuania</tag>
<tag key="deviceneutrality">Device Neutrality</tag>
<tag key="education">Education</tag>
<tag key="2FA">2FA</tag>
</tags>
<discussion href="https://community.fsfe.org/t/1012"/>
<image url="https://pics.fsfe.org/uploads/medium/dd/63/d5b9fdb1b49c66b8f6e972194473.png"
alt="Collage with a picture of a girl and a building"/>
</html>
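Review bot: "two factor identification (2FA)" in the first paragraph and "two factor identification methods" in the Conclusion should read "two-factor authentication", which is what 2FA expands to and what the title and the rest of the article already use; identification and authentication are different properties, and the article's argument is about authentication methods. In the same pass, fix the missing apostrophes in "universitys GitLab instance", "these students demands" and "didnt offer", and make "a one-time password option" in the "Silent victory" section more precise as "a TOTP option", since the SMS codes the university did offer are also one-time passwords and the earlier paragraphs specifically say the students asked for TOTP.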