33 comments

[ 3.3 ms ] story [ 51.8 ms ] thread
Good article, but you could also just use a VPN to trick it.
I use a Firefox preference to pin my location to a spot near, but not at, my house:

user_pref("geo.provider.network.url", 'data:application/json,{"location": {"lat": 45.0, "lng": -122.0}, "accuracy": 128.0}');

I _believe_ this also stops wifi data from leaking anywhere.

I've recently vibe-coded "where-am-i", a small CLI that returns your approximate location using the technology described here.

https://github.com/denysvitali/where-am-i

Tbh, I think this geolocation method is amazing, and I'm grateful it exists, because GPS indoor really sucks.

Is it common for North American universities to take attendance? Seems like a whole lot of effort to gain little and infantilize your students. They're paying tuition, and if they don't show up to class they get punished by not learning enough and subsequently failing their exams/assessments. And if they don't fail their exams/assessments then clearly mandating lecture attendance for them wasn't necessary anyway.
It's a protection for the faculty and students.

If you fail someone who rarely attended class, and they claim that they did, asked you for support, and never received it, how might you defend yourself?

If you have an excellent student who encounters a hardship, how might you petition for leniency to allow them to drop without penalty beyond a cutoff, or delay submitting final grades until they can complete makeup work?

Maybe it’s because I studied in Austria where universities generally provide very little handholding to students but I don’t understand the point of compulsory attendance in university lectures. If students think they can pass exams without attending the lectures then they should be able to do that. I certainly did that once or twice when I realized I needed some more credits before the end of the term. It’s a different thing with lab/exercise sessions but your lack of participation there would be noticed anyway.
It was the same when I studied applied physics in England many years ago. No one checked or cared if we attended lectures in the physics and maths departments. In fact anyone could have attended the lectures even if they were not a student because there was always plenty of room. But the law department where my wife studied, at the same university, did check who was attending.

As for laboratory exercises in the physics department, they were in theory compulsory but still no one checked. The final year included a long experimental project that had to be documented and conclusions defended in a viva. Again no one formally checked that we actually did it but as we were grouped into small teams for this anyone who didn't pull their weight would have been reported by their fellow students and would not have had access to the experimental results which would have made it difficult to write it up and defend.

I take attendance (the old-fashioned way) in my college classes for a couple of reasons:

- Some students are "sponsored" by scholarships or organizations that request attendance data. - I want to know the attendance record for a student who is asking for an extension, or extra-credit work, or some other informal accommodation. - I like to draw fancy graphs correlating attendance and final grades.

But other than that, I don't care if students are in class or not. They're adults. Learning is their responsibility.

My PC doesn't have any wireless connections and the Geolocation API always fails. I guess I'd fail this course (which is apparently correct, as I was supposed to be attending in person with a laptop.)

Edit: Presumably it would be possible to hack the browser to return a false position.

Edit: Make it a convenient browser add-on, perhaps. There must be other applications.

Edit: pkulak points out that you just have to set a Firefox option. Why do I even comment on things I know nothing about.

The root problem is that a lot of higher education is nurturing a culture of cheaters right now.

Your future doctors, scientists, government officials, etc... will have had to compete and gain coveted academic and career opportunities, in an environment that both has been heavily gamified, and is being overrun by cheaters.

Insulting measures like this TopHat practically endorses the culture of cheating, by telling students that they can't be trusted, and turning into yet another cheating challenge/task.

Schools with any integrity should be bending over backwards to find, nurture, and support students of integrity.

And to save those who only got admitted by being sketchy, but first semester is a chance to unlearn the bad lessons from before.

Not by treating them as criminals to be monitored, but by treating them like the respectable people they should aspire to be, and which the school expects and requires that they be.

And, for any hopelessly shitty students, who fail to honor this first semester extension of trust, the school should smack them to the curb. Lost tuition income, lost named buildings/chairs, and expensive lawsuits from helicopter parents, be damned.

TL;DR: location API exists. Wifi-based location exists. American universities apparently use this to take "secure" attendance.
Oh wow, it's the modern version of the clicker, the physical device assigned to you at the beginning of the term used for classroom participation and attendance checking, and which was most definitely defeatable via "the unpatchable strategy of Having Friends".
One time I worked at a zoom competitor, and our team got to prototype a "detect if these people are in the same room as each other" feature for dealing with echo cancellation etc, where everyone's laptop would emit a unique high frequency, and everyone's laptop would listen for other frequencies. Of course it worked in pristine conditions and fell down in the real world. But it was a fun experiment...
As the article mentions this tech has been in widespread use for over two decades now. You have likely used it on your phone today without knowing it. GPS is accurate but also very fickle (takes time to get a lock, battery hog, doesn't work great when surrounded by buildings, doesn't work great when inside a building, doesn't work in bad weather). Wifi data is plentiful today in every urban setting, and you can get an exact location in under a second.
I assume that smart comp sci kids already have some sort of proxy running on an Android phone that publishes the current in-classroom WiFi environment, and a browser plugin or Linux hack that their stay-at-home friends can run that intercepts the geolocation calls and spoofs the responses with what the in-classroom android phone is seeing.
I've had companies send us laptops for VPN access that had LTE modems and GPS specifically for location verification before granting access to the VPN.
Imagine having your services so poorly secured or authenticated that you need to protect Layer 3 access this tightly.
> Apple’s instructional opt out page (appending _nomap) to the SSID.

this is good information.

on the other hand, it is pretty impossible to turn off wifi on some apple computers. (when I look at wifi, I get a greyed out off toggle)

You have to get into csrutil to disable the chips from powering up.

Times are getting so much tougher. I remember my early morning organic chemistry classes using top hat. I never showed up to class, but I had my top hat app open.

The answers were usually kept simple, so I'd guess things like 0 or 1 (the questions were never written in the app). I think I ended up with 60% or so on them, which was nice, since it was a bonus component meant to be a little boost to the grade anyways.

I held onto Symbian longer than I should have, but am surprised this practice hadn't crossed my path before now. IMHO it's insidious. It's one thing for a Google Street View car to war scan my WiFi router, but another for my own phone to secretly rat me out. Not that I use Location myself, but I can't stop other members of the household. I assume this is yet another practice that Android forks like GrapheneOS disables?
Gives you verifiable control over, at least.
Does the "Stop broadcasting SSID" option in most Wifi access points / routers prevent wardriving or is the BSSID still leaked?
In this case the AP still beacons (which includes the BSSID), just with the SSID field set to "".
Now the question: can you spoof your location? Say you are an admin on your system (for instance you run a Linux distro), can you make your OS return the same list of SSID/BSSIDs as your friend who is in the classroom (or as you recorded the day before) to pretend you are there?

Would be a fun experiment, and a nice follow-up post :-).

Glad to see a fellow Madisonian make it to HN frontpage. Great work!
I don't think it's appropriate for a professor to use this feature. Am I in the minority?
The question is, can we patch our browser to respond with whatever we want when getCurrentPosition() is called?

Then we can be wherever we want, super precisely!