[opensource] RE: New Web Browser
Lowell Toms
toms.16 at osu.edu
Fri Oct 26 09:09:26 EDT 2007
Thanks to Brian for taking the time to write about the mysterious lockdown
browser that is referred to on Carmen's front page; as always, I was
clueless and appreciate the information. It is odd that such information
has to come through the back door.
While most of the posts are about problems associated with the software
implementation of such a browser, I see another area of concern. First,
like some of the posters, I also believe that taking a pen and paper test is
the tried and true means of measuring someone's understanding. So, isn't
the demand for such a web based system based on two glaring problems that
are rampant at Ohio State; those two problems being, huge classroom
enrollments that tax the instructor's ability to deal with conventional
testing, and the quest for some instructors to speed up and automate their
teaching duties so they can get back to the product that provides tenure -
research? Brick and mortar schools need to take a serious look in the
mirror, because if the large lecture (without allowing student questions)
and computerized testing become the norm, why the need for the bricks?
In my perfect world, class size is never over 30, students can ask
questions, and freshmen are given a copy of Ubuntu with vmplayer when they
arrive on campus. Further, all typed assignments are .odt or .pdf,
engineering students use octave, gcc, and maxima, and the university
promotes open source code initiatives (for credit) for software that isn't
up to proprietary standards like stats packages and cad.
(takes rose colored glasses off and sighs)
-----Original Message-----
From: opensource-bounces at cse.ohio-state.edu
[mailto:opensource-bounces at cse.ohio-state.edu] On Behalf Of
opensource-request at cse.ohio-state.edu
Sent: Thursday, October 25, 2007 5:27 PM
To: opensource at cse.ohio-state.edu
Subject: Opensource Digest, Vol 31, Issue 5
Send Opensource mailing list submissions to
opensource at cse.ohio-state.edu
To subscribe or unsubscribe via the World Wide Web, visit
http://mail.cse.ohio-state.edu/mailman/listinfo/opensource
or, via email, send a message with subject or body 'help' to
opensource-request at cse.ohio-state.edu
You can reach the person managing the list at
opensource-owner at cse.ohio-state.edu
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Opensource digest..."
Today's Topics:
1. New Web Browser (Brian Swaney)
2. Re: New Web Browser (Adam C. Champion)
3. Re: New Web Browser (Paul Betts)
4. Re: New Web Browser (Brian Swaney)
5. Re: New Web Browser (Adam C. Champion)
6. RE: New Web Browser (Marc Uhrich)
----------------------------------------------------------------------
Message: 1
Date: Tue, 23 Oct 2007 18:39:51 -0400
From: Brian Swaney <swaney.29 at osu.edu>
Subject: [opensource] New Web Browser
To: opensource at cse.ohio-state.edu
Message-ID: <1193179192.5730.30.camel at brians-laptop>
Content-Type: text/plain; charset="us-ascii"
Ok, I tried sending this directly to the list, but it seems to trip all
of the spam alarms. I'll try linking to a web page this time. The same
general message is there. Basically, DRM meets OSU, and out pops this
new program.
http://www.cse.ohio-state.edu/~swaneybr/lockdown-analysis.html
Any comments are welcome.
-Brian Swaney
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.cse.ohio-state.edu/mailman/private/opensource/attachments/20071023/3e2234dd/attachment-0001.html
------------------------------
Message: 2
Date: Thu, 25 Oct 2007 00:32:37 -0400
From: "Adam C. Champion" <champion at cse.ohio-state.edu>
Subject: Re: [opensource] New Web Browser
To: opensource at cse.ohio-state.edu
Message-ID: <ffp696$ipu$1 at news1.cse.ohio-state.edu>
Content-Type: text/plain; charset=UTF-8; format=flowed
Great writeup, Brian! I wondered what this "Lockdown Browser" I saw on
Carmen was. Since my research interests are computer and network
security, I find the "'secure' testing" problem domain and this
"lockdown" behavior intriguing. How do you provide students with Web
access and form submission for an online test yet deny them most of the
user-interface requirements of a Web browser (let alone "normal" use of
Windows)? It seems Respondus is using IE components due to its ActiveX
script requirement---but how does it "lock down" students' *entire*
interaction with the OS (e.g., prevent them from closing or minimizing
the browser)?
I share your concerns about DRM. Last year, I wrote an honors thesis on
the proliferation of trusted computing, DRM, and the associated legal
and social ramifications; it's online at my website
(http://www.cse.ohio-state.edu/~champion). From what I read on your
writeup, however, I don't think the browser uses DRM; it "merely"
controls the user's interaction with the (proprietary) WebCT application
and the Windows OS. I would normally associate DRM with copyright owners
enforcing usage policies with legally-purchased digital works, like
songs and movies. The only copyright issues I see are those associated
with "who owns" the test and any images included therein (like the
copyrighted Wikipedia image), as well as Blackboard, Inc., which holds
the copyright to WebCT and its trade secrets. Certainly, OSU's
contract/site license with WebCT and Respondus is another
intellectual-property issue. But, of course, I am not a lawyer :).
I strongly believe that paper-and-pencil tests are one of *the* best
ways to check that students have learned course material. Vigilant
proctors/instructors should deter students from cheating; if students
perceive they will be "caught in the act," they will be less likely to
cheat than if they notice the TA engrossed in a paper and think they can
get away with cheating. Besides, if you're taking a computer-based test
that requires you to answer a set of questions before going on to the
next set, you may not be able to go back and check/correct your previous
answers within the test's time limit. (If you've taken the
computer-based GRE, you know *exactly* what I'm talking about!)
Just my two cents.
Regards,
Adam
P.S. When I tried to read your "Carmen response" links, my firewall
logged attempted connections from the CSE department website on ports
39728-9 and 50697-8. Any idea what's going on? Is it the spam filter?
Brian Swaney wrote:
> Ok, I tried sending this directly to the list, but it seems to trip all
> of the spam alarms. I'll try linking to a web page this time. The same
> general message is there. Basically, DRM meets OSU, and out pops this
> new program.
>
> http://www.cse.ohio-state.edu/~swaneybr/lockdown-analysis.html
>
> Any comments are welcome.
>
> -Brian Swaney
------------------------------
Message: 3
Date: Thu, 25 Oct 2007 13:38:34 -0400
From: Paul Betts <paul at paulbetts.org>
Subject: Re: [opensource] New Web Browser
To: "Adam C. Champion" <champion at cse.ohio-state.edu>,
opensource at cse.ohio-state.edu
Message-ID: <0bee55509f3b378449b1fb7301146e89 at localhost>
Content-Type: text/plain; charset="UTF-8"
> but how does it "lock down" students' *entire*
> interaction with the OS (e.g., prevent them from closing or minimizing
> the browser)?
If they're running their own ActiveX control, they can do *anything they
want*. They are running arbitrary C++ code in the context of your username.
--
Paul Betts <paul at paulbetts.org>
On Thu, 25 Oct 2007 00:32:37 -0400, "Adam C. Champion"
<champion at cse.ohio-state.edu> wrote:
> Great writeup, Brian! I wondered what this "Lockdown Browser" I saw on
> Carmen was. Since my research interests are computer and network
> security, I find the "'secure' testing" problem domain and this
> "lockdown" behavior intriguing. How do you provide students with Web
> access and form submission for an online test yet deny them most of the
> user-interface requirements of a Web browser (let alone "normal" use of
> Windows)? It seems Respondus is using IE components due to its ActiveX
> script requirement---but how does it "lock down" students' *entire*
> interaction with the OS (e.g., prevent them from closing or minimizing
> the browser)?
>
> I share your concerns about DRM. Last year, I wrote an honors thesis on
> the proliferation of trusted computing, DRM, and the associated legal
> and social ramifications; it's online at my website
> (http://www.cse.ohio-state.edu/~champion). From what I read on your
> writeup, however, I don't think the browser uses DRM; it "merely"
> controls the user's interaction with the (proprietary) WebCT application
> and the Windows OS. I would normally associate DRM with copyright owners
> enforcing usage policies with legally-purchased digital works, like
> songs and movies. The only copyright issues I see are those associated
> with "who owns" the test and any images included therein (like the
> copyrighted Wikipedia image), as well as Blackboard, Inc., which holds
> the copyright to WebCT and its trade secrets. Certainly, OSU's
> contract/site license with WebCT and Respondus is another
> intellectual-property issue. But, of course, I am not a lawyer :).
>
> I strongly believe that paper-and-pencil tests are one of *the* best
> ways to check that students have learned course material. Vigilant
> proctors/instructors should deter students from cheating; if students
> perceive they will be "caught in the act," they will be less likely to
> cheat than if they notice the TA engrossed in a paper and think they can
> get away with cheating. Besides, if you're taking a computer-based test
> that requires you to answer a set of questions before going on to the
> next set, you may not be able to go back and check/correct your previous
> answers within the test's time limit. (If you've taken the
> computer-based GRE, you know *exactly* what I'm talking about!)
>
> Just my two cents.
>
> Regards,
> Adam
>
> P.S. When I tried to read your "Carmen response" links, my firewall
> logged attempted connections from the CSE department website on ports
> 39728-9 and 50697-8. Any idea what's going on? Is it the spam filter?
>
>
>
> Brian Swaney wrote:
>> Ok, I tried sending this directly to the list, but it seems to trip all
>> of the spam alarms. I'll try linking to a web page this time. The same
>> general message is there. Basically, DRM meets OSU, and out pops this
>> new program.
>>
>> http://www.cse.ohio-state.edu/~swaneybr/lockdown-analysis.html
>>
>> Any comments are welcome.
>>
>> -Brian Swaney
> _______________________________________________
> Opensource mailing list
> Opensource at cse.ohio-state.edu
> http://mail.cse.ohio-state.edu/mailman/listinfo/opensource
------------------------------
Message: 4
Date: Thu, 25 Oct 2007 13:53:14 -0400
From: Brian Swaney <swaney.29 at osu.edu>
Subject: Re: [opensource] New Web Browser
To: paul at paulbetts.org
Cc: opensource at cse.ohio-state.edu, "Adam C. Champion"
<champion at cse.ohio-state.edu>
Message-ID: <1193334794.5797.34.camel at brians-laptop>
Content-Type: text/plain; charset="us-ascii"
There is an option at the bottom of the page to manually download an
executable installer, but I made the point because ActiveX, at least in
my experience (with the exception of setting update.microsoft.com as
your home page), is a really bad practice. Every month or so I had to
clean out trojans and occasional viruses (last big one was 4 backdoors,
a keylogger, and 1 delete-random-system-file-on-boot virus, with 20 or
so trojans; I'm guessing downloaders played a big part but still...),
some appearing in a folder called "ActiveX Objects". After having this
friend install Firefox, telling the whole family not to use Internet
Explorer, and teaching them about malware, that got reduced to maybe
once or twice a year at most. If OSU is to protect the campus from
viruses, ActiveX is not a good idea, but that's just my opinion.
Paul, I'm not sure what you mean by "in the context of your username".
You don't have to log in to install it, despite the license agreement
warning not to distribute the program to those not affiliated with the
institution. One of the school's public articles has the download URL in
a screenshot, which is where I sampled/honey-potted it from.
-Brian Swaney
On Thu, 2007-10-25 at 13:38 -0400, Paul Betts wrote:
> > but how does it "lock down" students' *entire*
> > interaction with the OS (e.g., prevent them from closing or minimizing
> > the browser)?
>
> If they're running their own ActiveX control, they can do *anything they
> want*. They are running arbitrary C++ code in the context of your
> username.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.cse.ohio-state.edu/mailman/private/opensource/attachments/20071025/f15d262c/attachment-0001.html
------------------------------
Message: 5
Date: Thu, 25 Oct 2007 14:32:42 -0400
From: "Adam C. Champion" <champion at cse.ohio-state.edu>
Subject: Re: [opensource] New Web Browser
To: opensource at cse.ohio-state.edu
Message-ID: <ffqnga$c79$1 at news1.cse.ohio-state.edu>
Content-Type: text/plain; charset=UTF-8; format=flowed
Wow. I thought ActiveX scripts ran in a "sandbox" within the client's IE
browser, like Java applets do in any browser. I know IE 7+ in Vista
places restrictions on scripts and "active Web content", but users of
previous Windows versions can't download IE 7+! So other versions of IE
run ActiveX scripts with the user's permissions? Yikes.
I can think of many ways these "features" can be abused, and potentially
open up security vulnerabilities...
-Adam
Paul Betts wrote:
>> but how does it "lock down" students' *entire*
>> interaction with the OS (e.g., prevent them from closing or minimizing
>> the browser)?
>
> If they're running their own ActiveX control, they can do *anything they
> want*. They are running arbitrary C++ code in the context of your
> username.
>
------------------------------
Message: 6
Date: Thu, 25 Oct 2007 17:17:44 -0400
From: "Marc Uhrich" <uhrich.1 at gradsch.ohio-state.edu>
Subject: RE: [opensource] New Web Browser
To: <opensource at cse.ohio-state.edu>
Message-ID:
<46CB246A6FE23948B81E95787CC154210782302B at exchange.gradsch.ohio-state.edu>
Content-Type: text/plain; charset="US-ASCII"
I'm responding to both Brian's and Adam's comments here.....
What Paul means by "context of your username" is the permission
structure of the user account logged onto the computer at the time. For
example, if you logged into a lab computer where there are a lot of
restrictions, the code the ActiveX control runs will be limited by these
restrictions. If you are running your computer with administrator
privileges, like most Windows users, the ActiveX control can do *pretty
much* anything it wants.
This is a fundamental issue between convenience and security. ActiveX
controls allow people to write really sophisticated web applications,
but open them up to severe vulnerabilities. Microsoft has figured out
this glaring security hole and made some attempts to mitigate it in IE
7. As far as I know, IE 7 on both Windows XP and Windows Vista
disables ActiveX controls and disables the prompt to install them.
Prior versions prompted, but naive or uninformed users would just click
yes to make things work and circumvent this control. It's nice to see
that they might limit ActiveX code in IE7+ instead of just "hiding it".
To be honest, I haven't been following it much.
All of this reminds me of the famous quote in Spiderman "with great
power, comes great responsibility". Using the countless spam messages
and continuous net attacks we get here at the Graduate School as an
indicator, I don't think the general internet community is, or will be,
ready for the responsibility.
Marc Uhrich
Systems Engineer @ OSU Graduate School
247 University Hall, 230 N Oval Mall
Columbus, Ohio 43210
(614) 292-0600
-----Original Message-----
From: opensource-bounces at cse.ohio-state.edu
[mailto:opensource-bounces at cse.ohio-state.edu] On Behalf Of Adam C.
Champion
Sent: Thursday, October 25, 2007 2:33 PM
To: opensource at cse.ohio-state.edu
Subject: Re: [opensource] New Web Browser
Wow. I thought ActiveX scripts ran in a "sandbox" within the client's IE
browser, like Java applets do in any browser. I know IE 7+ in Vista
places restrictions on scripts and "active Web content", but users of
previous Windows versions can't download IE 7+! So other versions of IE
run ActiveX scripts with the user's permissions? Yikes.
I can think of many ways these "features" can be abused, and potentially
open up security vulnerabilities...
-Adam
Paul Betts wrote:
>> but how does it "lock down" students' *entire* interaction with the
>> OS (e.g., prevent them from closing or minimizing the browser)?
>
> If they're running their own ActiveX control, they can do *anything
> they want*. They are running arbitrary C++ code in the context of your
> username.
>
_______________________________________________
Opensource mailing list
Opensource at cse.ohio-state.edu
http://mail.cse.ohio-state.edu/mailman/listinfo/opensource
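The point Paul and Marc make above is that an ActiveX control inherits whatever the logged-on account can do, so the two things a defender wants to know about a machine are whether that account is an administrator and how IE is configured to treat ActiveX in the Internet zone. The following PowerShell script is an added example written for this digest; it is not code from any of the posters, from Respondus, or from Microsoft. It assumes a Windows host with Internet Explorer and reads the per-user IE zone settings under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3` (zone 3 is the Internet zone); the numeric action ids and the 0/1/3 meanings are the documented IE URL-action values, and the function name `Get-ActiveXExposure` is my own.

```powershell
# Added example (not from the thread, Respondus or Microsoft): report the
# privilege an IE-hosted ActiveX control would inherit on this machine and
# how the Internet zone is configured for ActiveX.

function Get-ActiveXExposure {
    # (1) Whose permissions would a control run with? A control hosted by IE
    #     runs as the interactive user, so check that user's admin membership.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # (2) Per-zone ActiveX policy for the Internet zone (zone 3). Keys are the
    #     documented IE URL-action ids; values: 0 = Enable, 1 = Prompt, 3 = Disable.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $actions = [ordered]@{
        '1001' = 'Download signed ActiveX controls'
        '1004' = 'Download unsigned ActiveX controls'
        '1200' = 'Run ActiveX controls and plug-ins'
        '1201' = 'Initialize and script ActiveX controls not marked as safe'
    }
    $meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

    $policy = foreach ($id in $actions.Keys) {
        # A missing value means IE is using its built-in default for that action.
        $raw = (Get-ItemProperty -Path $zoneKey -Name $id -ErrorAction SilentlyContinue).$id
        $setting = if ($null -eq $raw) { 'not set (IE default)' }
                   elseif ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] }
                   else { "unknown ($raw)" }
        [pscustomobject]@{ Action = $actions[$id]; Setting = $setting }
    }

    [pscustomobject]@{
        User               = $identity.Name
        IsAdministrator    = $isAdmin
        InternetZonePolicy = $policy
    }
}

# Usage: print the report and flag the risky combination the thread describes.
$report = Get-ActiveXExposure
$report | Select-Object User, IsAdministrator | Format-List
$report.InternetZonePolicy | Format-Table -AutoSize

if ($report.IsAdministrator) {
    Write-Warning 'Logged on as an administrator: any ActiveX control accepted in the browser runs with full control of this machine.'
}
```

Run it from a normal PowerShell prompt as the same account that would be used for browsing; running it from an elevated prompt would report the elevated token rather than the one IE sees. The `HKCU` values can be overridden by machine policy under `HKLM`, so on a managed lab machine (Marc's "restricted" case) the effective setting may be stricter than what this script shows.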
------------------------------
_______________________________________________
Opensource mailing list
Opensource at cse.ohio-state.edu
http://mail.cse.ohio-state.edu/mailman/listinfo/opensource
End of Opensource Digest, Vol 31, Issue 5
*****************************************