As a NZ public school student, I get to deal with the wonder that is Network For Learning (N4L) and to put it simply, wow this sucks.

However, my main gripes didn’t start with the wifi—it’s good enough to stare at a blank google doc pretending to do work—but it started with secure access.

What even is secure access? Well to put it simply, they rebranded Ruckus Cloudpath to N4L secure access, and sent a guy out to schools to change some wifi settings.

So, being the slightly privacy conscious, curious person I am, I open up my browser on my laptop, go to the magic domain (let’s call it school.n4l.co.nz for the sake of privacy) and start the ✨experience✨ which mainly consists of handing over my school Microsoft creds and getting thrown to this screen:

Yes N4L, I’m using Linux, but no, I’m not using Fedora or Ubuntu, and no, I am absolutely not downloading some random, closed-source app just to authenticate to an access point.

So I decided to dig deeper, after all I didn’t have to connect to the new managed network yet…

So I called for help.

Fellow student dev, Arslaan Pathan highlighted just how deep the rabbit hole goes: “they block everything My site was blocked for “Games” by the automated filter because I mentioned ONCE in the about me that I like Minecraft/other games I had to personally send an unblock request My school blocked GITHUB for ages and it took months to get it unblocked The GitHub block actively disrupted student’s digital tech homework”

which makes N4L sound a bit hellish, which is very true. I find it to be a good time to mention that every few months they randomly block GitHub Desktop, then unblock it a few weeks later. so that’s fun.

So filled with this knowledge, I decided it was time to get on the new network myself. I sat down with the N4L helpdesk they set up in the Library, and got told “yeah just press other device and it gives you the passcode”

Really?

It’s that easy to circumvent “secure access”?

How secure really is secure access?

With that, I worked out that the other device passcodes are auto generated but don’t have a limit on how much you can use them. If you wanted to be really ‘protected’ from N4L, just get everyone to use one password, and maybe Cloudflare warp while you’re at it. You can never be too safe.

This is the absolute definition of security theater. They ‘built’ a massive, expensive gate and forgot to put fences on the sides.

See also: This meme I made in google slides

That’s not even the worst part. Some schools make their students install a certificate file, which lets the Palo Alto or Fortigate firewall DECRYPT THEIR INTERNET TRAFFIC?

I’m no security expert, but that seems like a small security vuln to me, all it takes is one rogue admin and your whole network is compromised. The good thing is my school didn’t opt in to this, but I don’t exactly trust N4L when it comes to safely storing passwords or sensitive info. If a bad actor compromises N4L’s root certificate, they can spoof any website (like a bank or Google) without the user’s browser triggering a security warning.

Here’s where the fun starts: it turns out that people don’t really read their emails, so from where I’m sitting in the library, I can see a long queue of confused students with their laptops. It turns out switching off the old wifi network does cause issues. Who knew? It also turns out people don’t want to download a suspicious closed source app to connect to the internet. No way.

So to recap

• N4L Secure Access isnt very nice
• We dont know what N4L is doing with our data
• Linux users are left out
• This can be circumvented with one click

Catch ya next time, josh [at] slitro [dot] studio

It all started yesterday.

I was bored, and had a few bits of old hardware lying around. I was sifting through old laptops and broken iPads when I found the perfect device to play around with:

The Mi Pad 3.

However, it was old, slow, and not usable for anything more than watching a YouTube video.

But that’s when I had an idea.

My M3 iPad Air is overkill for most things. And when I use my phone, I end up on Instagram.

I didn’t need a powerful device. I needed a simple one.

So I wiped the Mi Pad, chucked Niagara Launcher on it, and downloaded:

• Mini Metro
• Apple Music
• Jellyfin
• NewPipe
• Pinterest

And nothing else.

No Slack notifications, no distractions, and no social media.

At first, it was interesting. I wasn’t sure how or if I would use it, but it all clicked when I sat down in my beanbag, put on my bootleg Regional at Best CD, and played Mini Metro.

There was no lag, no friction, and no urge to open Instagram and doomscroll till 1am.

I even gave it a place. It sits between my CDs and my CD player (yes, I like my physical music).

Suddenly it didn’t feel like an old tablet anymore. It felt like a tool.

A tool to entertain.

And somehow, it’s better than my newer tech.

Because it doesn’t try to do everything.
It just does a few things really well.

Old hardware isn’t bad. We just use it wrong.

Catch ya next time,
josh [at] slitro [dot] studio

I’m Switching to gitlab.

After ingo (ingo.au) got shadowbanned for no apparent reason, I’ve decided I have had enough with github and microslop and migrated all my (important) repos to gitlab.

Whats wrong with github?

I dont want this to be too long so here are some bulletpoints

• AI everywhere
  • I don’t want (or need) copilot on my home screen
• Microsoft
  • Slopifying code
• Copilot training on public repos
  • No, stay away from my open source
• The github ui sucks! Just look at how unefficent this UI is! Github, why do I have to go into accounts to get access to my organisations/groups? WHY? Gitlab has done an awesome job of making a nice home page, and github, a company owned by microsoft can only produce this? EVEN MY SELFHOSTED GITEA INSTANCE HAS BETTER UI THAN GITHUB!!! Seriously, this open source project has BETTER UI THAN GITHUB?

Takeaways

• Your online accounts can be banned at any time
• Avoid oauth when you can
  • A lot of the pain that has been caused caused is because I was too lazy to use bitwarden.
    • Ill go more in depth into oauth soon…
• My new gitlab profile is castawhat

josh [at] slitro [dot] studio

Home automation is cool! Big tech however, isn’t. That’s where home assistant comes into play!

Before home assistant I used to use Google Home, but I’ve switched because

• Google does funky stuff with our data
• Not everything is supported
• I don’t want to be locked in to one platform
• The app is bad

But what exactly is home assistant?

Home assistant is an open source home automation platform, a bit like Google Home, except you actually own your data, it runs locally and you can make it do (almost) anything! There are no subscriptions, no upgrading your hub for one feature and no sending data to a server in the USA to turn your lights on and off. It’s self hosted, and I run it on a Pi 4 sitting by my wifi router.

This here is my very own home assistant dashboard! This lets me:

• Turn on/off my lights and change brightness
• Check the weather in my area
• Customise my sunrise alarm
  • (A sunrise alarm slowly brightens lights until the set time)
• Control my Sonos Speaker

Some other things I run on home assistant

• A tailscale exit node
  • Self hosted VPN. School censorship doesn’t affect me as it routes traffic through my home network.
• Music Assistant
  • Powerful platform for local music streaming
• ESPhome
  • Turn ESP32s into smart home sensors!

If you’ve got a spare Pi lying around and an afternoon (or few), give Home Assistant a go! The official docs are solid, the community is huge, and worst case this time next month you will have spent hundreds of dollars on sensors, buttons, and other smart home devices.

See ya next time,

Josh

josh [at] slitro [dot] studio

I’m Switching to Zed.

I’m always playing with new tools, and I’m making a change: saying goodbye to VSCode and hello to Zed.

First Impressions:

• My laptop runs cooler
• Battery life has noticeably improved
• The interface feels cleaner and more intuitive
• Everything I used in VSCode (Except Amp) is in Zed.

But why?

VSCode

• Is laggy
• Kills battery
• Feels ai focused

Which are probably 3 things you dont want.

Want to keep VSCode (Without the microslop?)

Try VSCodium! It’s VSCode compiled from source, without all the microsoft crap. I used that for a while between VSCode and Zed, but it still keeps two of the problems from VSCode, the lag and that it kills battery.

So, if you’re Still using VSCode, why not jump on zed?

josh [at] slitro [dot] studio

A new blog? In this economy?

So yeah, I moved the blog to the website!

I made a Slack bot!

Following up on a previous post (The Hack Club Problem), where I questioned my limited skill level and knowledge and asked, “How am I going to make a Slack bot in 18 days?”, I’m happy to say I’ve somehow done it!

What started out as Josh’s Servant, which literally just spit my Last.fm “now playing” into a channel—has evolved into Slack Annoyance, a jack-of-some-trades, master-of-none bot. It posts Last.fm now playing to a channel, /acnhquote for Animal Crossing quotes, Greg (an AI bot that commits Hackatime fraud), Geoff (who catches Hackatime fraudsters), and a welcomer bot.

I would be lying if I said I did this alone, Kyle (Dekoder-py) also maintains the bot and has the Lastfm and welcomer bot setup in his channel. Without him, Slack annoyance would still be just lastfm.

However, a cool Slack Bot cant replace the utility of workflows. Winterflows now exist, which are a workflow replacement. However, (No offense to the creator of winterflows) there was something so easy and effortless about workflows. I litreally made my welcomer workflow on the bus.

Thats about all I have for you right now, and I’ll see some of you in the Flavortown Kitchen.

As always, if you have an issue, josh [at] slitrostudio [dot] me

On Monday at 10am EST, the Hack Club Slack went down for the long-awaited migration to Slack’s Enterprise Grid.

In theory, this unlocks all the fun enterprise-tier features: SAML SSO via Hack Club Account (IDV), a unified identity layer, and Workflow Builder Branching (which was very short-lived — RIP Workflows).

The keyword being “in theory.”

As soon as things came back up, everything was a little off.

Problem #1: Email mismatch My Slack account uses a different email than my Hack Club Account (IDV). Because Enterprise Grid treats your SSO as the primary email, Slack logged me into a completely different account that wasn’t mine, but still an account on an email I owned.

Problem #2: This might break my ability to submit to YSWS Programs Since my emails are split — one on the slitrostudio.me domain, the other being my old Gmail — I have no idea how this affects things like submitting The House Standard Deviation to Flavortown. If Hack Club Accounts are now the source of truth and I can’t change that email, that’s… not great.

I’ve managed to get back into my normal Slack account, but everything else (like YSWS programs) is blocked because I can’t re-verify my identity. I don’t exactly want to risk getting flagged for fraud just to submit again. And right now, IDV simply doesn’t support changing your email.

HQ’s current answer is basically: “wait until IDV supports email changes.”

For a migration that’s supposed to unify identity, it’s a strange place to be stuck.

Thanks for listening to me yap.

UPDATE: HQ and community members are working on a fix. More details at bottom of post.

Hack Club Has A Problem. (It’s Slack)

Slack (and salesforce) are greedy. But where does a Non-profit teaching high schoolers to code fall into this?

Well, I’ll put the workflow problem this way.

Imagine purchasing your meeting rooms Samsung TVs, everyone uses them constantly, and then Samsung emails you saying “hey, you’re using those too often — fix it.” You bring it to the CEO and he goes, “yeah, cool, shut them off.”

Sound odd?

I thought so, but that’s what is happening with the Hack Club Slack.

At 4:23pm NZDT, there was a message posted on the #community channel. I have attached it below. “Hey y’all!

Due to repeated abuse of workflows, we sadly will be removing workflows from the Hack Club Slack on December 9th, 2025 This is not something we wanted, but sadly due to repeated abuse, and no way to prevent the abuse, it makes sense to disable them. We recommend moving your workflows to Slack bots as workflows may stop working.

We know this is a big change. So we are also launching a $100 bounty for someone that can create a privacy-conscious Slack bot that can be configured to add people to private channels, with approval and optional questions. This can be used as a replacement for personal and private channel adders. Put your GitHub in the thread if you want to participate ”

This was sudden, and with only 18 days of notice? I have ~7 Slack workflows and no knowledge on how to make a slack bot, even worse, Zach Latta said “Also - this is a community of programmers and I’ve never seen so much defense of a no code tool :-P”. It’s not the fact that its no-code, it’s that it was easy to quickly make one to say, ask what you did during your day at 5:45 PM everyday. HQ even relies on many no-code tools (Airtable and Zapier for example). Even people inside HQ didn’t even know this was happening. See the below message from Rowan in #community. “When the great Slack migration happened, core HQ people in HQ-HQ got a heads-up and had a meeting to discuss this. We talked it through, everyone could ask questions, and we wrote up migration guides for all.

This never happened for banning workflows.”

This left me with 3 questions.

1. How am I going to make a slack bot in 18 days?
2. Why weren’t other people in HQ notified about this?
3. How screwed are we if Slack reached out to us about this? (Did i mention Slack reached out to us about this)

The best part? If we move to mattermost in 5 years (When our enterprise runs out) we are screwed again. To be clear, there was real abuse. Some workflows were being triggered thousands of times a day, flagging us as a problem. So yes, Slack has a reason to be concerned, but fixing abuse doesn’t require eliminating the entire feature for 20,000+ teenagers with 18 days of notice. Rate limits, caps, approvals, or workflows restricted to trusted people would’ve solved the abuse. Instead, we are losing the whole system.

UPDATE

One part of what workflows were used for, joining private channels, has been implimented into Neon’s bot Zeon. Existing workflows will stay.

Message to Hack Club HQ

If you want anything fixed to be more accurate or clarified, email me at josh [at] slitrostudio [dot] me Thanks!