[opensource] RE: New Web Browser

Lowell Toms toms.16 at osu.edu
Fri Oct 26 09:09:26 EDT 2007


Thanks to Brian for taking the time to write about the mysterious lockdown
browser that is referred to on Carmen's front page; as always, I was
clueless and appreciate the information.  It is odd that such information
has to come through the back door.

While most of the posts are about problems associated with the software
implementation of such a browser, I see another area of concern.  First,
like some of the posters, I also believe that taking a pen-and-paper test is
the tried and true means of measuring someone's understanding.  So, isn't
the demand for such a web-based system based on two glaring problems that
are rampant at Ohio State, those two problems being huge classroom
enrollments that tax the instructor's ability to deal with conventional
testing, and the quest for some instructors to speed up and automate their
teaching duties so they can get back to the product that provides tenure -
research?  Brick-and-mortar schools need to take a serious look in the
mirror, because if the large lecture (without allowing student questions)
and computerized testing become the norm, why the need for the bricks?

In my perfect world, class size is never over 30, students can ask
questions, and freshmen are given a copy of Ubuntu with vmplayer when they
arrive on campus.  Further, all typed assignments are .odt or .pdf,
engineering students use octave, gcc, and maxima, and the university
promotes open source code initiatives (for credit) for software that isn't
up to proprietary standards like stats packages and cad.

(takes rose-colored glasses off and sighs)

-----Original Message-----
From: opensource-bounces at cse.ohio-state.edu
[mailto:opensource-bounces at cse.ohio-state.edu] On Behalf Of
opensource-request at cse.ohio-state.edu
Sent: Thursday, October 25, 2007 5:27 PM
To: opensource at cse.ohio-state.edu
Subject: Opensource Digest, Vol 31, Issue 5


Today's Topics:

   1.  New Web Browser (Brian Swaney)
   2. Re:  New Web Browser (Adam C. Champion)
   3. Re:  New Web Browser (Paul Betts)
   4. Re:  New Web Browser (Brian Swaney)
   5. Re:  New Web Browser (Adam C. Champion)
   6. RE:  New Web Browser (Marc Uhrich)


----------------------------------------------------------------------

Message: 1
Date: Tue, 23 Oct 2007 18:39:51 -0400
From: Brian Swaney <swaney.29 at osu.edu>
Subject: [opensource] New Web Browser
To: opensource at cse.ohio-state.edu
Message-ID: <1193179192.5730.30.camel at brians-laptop>
Content-Type: text/plain; charset="us-ascii"

Ok, I tried sending this directly to the list, but it seems to trip all
of the spam alarms. I'll try linking to a web page this time. The same
general message is there. Basically, DRM meets OSU, and out pops this
new program.

http://www.cse.ohio-state.edu/~swaneybr/lockdown-analysis.html

Any comments are welcome.

-Brian Swaney

------------------------------

Message: 2
Date: Thu, 25 Oct 2007 00:32:37 -0400
From: "Adam C. Champion" <champion at cse.ohio-state.edu>
Subject: Re: [opensource] New Web Browser
To: opensource at cse.ohio-state.edu
Message-ID: <ffp696$ipu$1 at news1.cse.ohio-state.edu>
Content-Type: text/plain; charset=UTF-8; format=flowed

Great writeup, Brian! I wondered what this "Lockdown Browser" I saw on 
Carmen was. Since my research interests are computer and network 
security, I find the "'secure' testing" problem domain and this 
"lockdown" behavior intriguing. How do you provide students with Web 
access and form submission for an online test yet deny them most of the 
user-interface requirements of a Web browser (let alone "normal" use of 
Windows)? It seems Respondus is using IE components due to its ActiveX 
script requirement---but how does it "lock down" students' *entire* 
interaction with the OS (e.g., prevent them from closing or minimizing 
the browser)?

I share your concerns about DRM. Last year, I wrote an honors thesis on 
the proliferation of trusted computing, DRM, and the associated legal 
and social ramifications; it's online at my website 
(http://www.cse.ohio-state.edu/~champion). From what I read on your 
writeup, however, I don't think the browser uses DRM; it "merely" 
controls the user's interaction with the (proprietary) WebCT application 
and the Windows OS. I would normally associate DRM with copyright owners 
enforcing usage policies with legally-purchased digital works, like 
songs and movies. The only copyright issues I see are those associated 
with "who owns" the test and any images included therein (like the 
copyrighted Wikipedia image), as well as Blackboard, Inc., which holds 
the copyright to WebCT and its trade secrets. Certainly, OSU's 
contract/site license with WebCT and Respondus is another 
intellectual-property issue. But, of course, I am not a lawyer :).

I strongly believe that paper-and-pencil tests are one of *the* best 
ways to check that students have learned course material. Vigilant 
proctors/instructors should deter students from cheating; if students 
perceive they will be "caught in the act," they will be less likely to 
cheat than if they notice the TA engrossed in a paper and think they can 
get away with cheating. Besides, if you're taking a computer-based test 
that requires you to answer a set of questions before going on to the 
next set, you may not be able to go back and check/correct your previous 
answers within the test's time limit. (If you've taken the 
computer-based GRE, you know *exactly* what I'm talking about!)

Just my two cents.

Regards,
Adam

P.S. When I tried to read your "Carmen response" links, my firewall 
logged attempted connections from the CSE department website on ports 
39728-9 and 50697-8. Any idea what's going on? Is it the spam filter?



------------------------------

Message: 3
Date: Thu, 25 Oct 2007 13:38:34 -0400
From: Paul Betts <paul at paulbetts.org>
Subject: Re: [opensource] New Web Browser
To: "Adam C. Champion" <champion at cse.ohio-state.edu>,
	opensource at cse.ohio-state.edu
Message-ID: <0bee55509f3b378449b1fb7301146e89 at localhost>
Content-Type: text/plain; charset="UTF-8"

> but how does it "lock down" students' *entire*
> interaction with the OS (e.g., prevent them from closing or minimizing
> the browser)?

If they're running their own ActiveX control, they can do *anything they 
want*. They are running arbitrary C++ code in the context of your username.

-- 
Paul Betts <paul at paulbetts.orG>




------------------------------

Message: 4
Date: Thu, 25 Oct 2007 13:53:14 -0400
From: Brian Swaney <swaney.29 at osu.edu>
Subject: Re: [opensource] New Web Browser
To: paul at paulbetts.org
Cc: opensource at cse.ohio-state.edu,	"Adam C. Champion"
	<champion at cse.ohio-state.edu>
Message-ID: <1193334794.5797.34.camel at brians-laptop>
Content-Type: text/plain; charset="us-ascii"

There is an option at the bottom of the page to manually download an
executable installer, but I made the point because ActiveX, at least in
my experience (with the exception of setting update.microsoft.com as
your home page), is a really bad practice. Every month or so I had to
clean out trojans and occasional viruses (the last big one was 4 backdoors,
a keylogger, and 1 delete-random-system-file-on-boot virus, with 20 or
so trojans; I'm guessing downloaders played a big part, but still...),
some appearing in a folder called "ActiveX Objects". After having this
friend install Firefox, telling the whole family not to use Internet
Explorer, and teaching them about malware, that got reduced to maybe
once or twice a year at most. If OSU is to protect the campus from
viruses, ActiveX is not a good idea, but that's just my opinion.

Paul, I'm not sure what you mean by "in the context of your username".
You don't have to log in to install it, despite the license agreement
warning not to distribute the program to those not affiliated with the
institution. One of the school's public articles has the download URL in
a screenshot, which is where I sampled/honey-potted it from.

-Brian Swaney


On Thu, 2007-10-25 at 13:38 -0400, Paul Betts wrote:

> > but how does it "lock down" students' *entire*
> > interaction with the OS (e.g., prevent them from closing or minimizing
> > the browser)?
> 
> If they're running their own ActiveX control, they can do *anything they
> want*. They are running arbitrary C++ code in the context of your
> username.

------------------------------

Message: 5
Date: Thu, 25 Oct 2007 14:32:42 -0400
From: "Adam C. Champion" <champion at cse.ohio-state.edu>
Subject: Re: [opensource] New Web Browser
To: opensource at cse.ohio-state.edu
Message-ID: <ffqnga$c79$1 at news1.cse.ohio-state.edu>
Content-Type: text/plain; charset=UTF-8; format=flowed

Wow. I thought ActiveX scripts ran in a "sandbox" within the client's IE 
browser, like Java applets do in any browser. I know IE 7+ in Vista 
places restrictions on scripts and "active Web content", but users of 
previous Windows versions can't download IE 7+! So other versions of IE 
run ActiveX scripts with the user's permissions? Yikes.

I can think of many ways these "features" can be abused, and potentially 
open up security vulnerabilities...

-Adam

Paul Betts wrote:
>> but how does it "lock down" students' *entire*
>> interaction with the OS (e.g., prevent them from closing or minimizing
>> the browser)?
> 
> If they're running their own ActiveX control, they can do *anything they
> want*. They are running arbitrary C++ code in the context of your
> username.


------------------------------

Message: 6
Date: Thu, 25 Oct 2007 17:17:44 -0400
From: "Marc Uhrich" <uhrich.1 at gradsch.ohio-state.edu>
Subject: RE: [opensource] New Web Browser
To: <opensource at cse.ohio-state.edu>
Message-ID: <46CB246A6FE23948B81E95787CC154210782302B at exchange.gradsch.ohio-state.edu>
Content-Type: text/plain; charset="US-ASCII"

I'm responding to both Brian's and Adam's comments here...

What Paul means by "context of your username" is the permission
structure of the user account logged onto the computer at the time.  For
example, if you logged into a lab computer where there are a lot of
restrictions, the code the ActiveX control runs will be limited by these
restrictions.  If you are running your computer with administrator
privileges, like most Windows users, the ActiveX control can do *pretty
much* anything it wants.

This is a fundamental issue between convenience and security.  ActiveX
controls allow people to write really sophisticated web applications,
but open them up to severe vulnerabilities.  Microsoft has figured out
this glaring security hole and made some attempts to mitigate it in IE
7.  As far as I know, IE 7 on both Windows XP and Windows Vista
disables ActiveX controls and disables the prompt to install them.
Prior versions prompted, but naive or uninformed users would just click
yes to make things work and circumvent this control.  It's nice to see
that they might limit ActiveX code in IE 7+ instead of just "hiding it".
To be honest, I haven't been following it much.

All of this reminds me of the famous quote in Spiderman: "with great
power comes great responsibility".  Using the countless spam messages
and continuous net attacks we get here at the Graduate School as an
indicator, I don't think the general internet community is, or will be,
ready for the responsibility.

Marc Uhrich
Systems Engineer @ OSU Graduate School
247 University Hall, 230 N Oval Mall
Columbus, Ohio  43210
(614) 292-0600




------------------------------



End of Opensource Digest, Vol 31, Issue 5
*****************************************
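Marc's point in message 6, that an ActiveX control inherits whatever rights the logged-on user account has and that IE 7 tightened the install and run prompts, can be audited on a Windows machine. The PowerShell below is an added example, not code from this thread or from Respondus: it reports whether the current session is running with administrative rights and reads IE's per-user Internet-zone ActiveX settings from the registry (the 1001/1004/1200/1201 value names and the 0 = Enabled, 1 = Prompt, 3 = Disabled encoding are Microsoft's documented URL-action conventions; the zone number and registry path are assumed per-user defaults, with HKLM holding machine-wide policy).

```powershell
# Added example (not from the thread): audit the two things Marc describes,
# the privilege context a control inherits and IE's ActiveX zone policy.

function Test-IsElevatedAdmin {
    # A control launched from the browser runs with this token's rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IeActiveXPolicy {
    param([int]$Zone = 3)   # 3 = Internet; 1 = Local intranet; 2 = Trusted sites
    # Per-user zone settings; HKLM holds the machine-wide defaults and policies.
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    # IE URL-action value names that govern ActiveX behaviour
    $actions = [ordered]@{
        '1001' = 'Download signed ActiveX controls'
        '1004' = 'Download unsigned ActiveX controls'
        '1200' = 'Run ActiveX controls and plug-ins'
        '1201' = 'Initialize and script ActiveX controls not marked as safe'
    }
    $meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($name in $actions.Keys) {
        $raw = if ($props) { $props.$name } else { $null }
        if ($null -eq $raw)                       { $setting = 'not set (default)' }
        elseif ($meaning.ContainsKey([int]$raw))  { $setting = $meaning[[int]$raw] }
        else                                      { $setting = "unknown ($raw)" }
        [pscustomobject]@{ Zone = $Zone; Action = $actions[$name]; Value = $raw; Setting = $setting }
    }
}

if (Test-IsElevatedAdmin) {
    Write-Warning 'Session is elevated: a browser-launched control could change system-wide state.'
} else {
    Write-Host 'Session is a standard user: a control is limited to this account''s rights.'
}

# Show the Internet-zone policy and flag any action that runs with no prompt at all.
$policy = Get-IeActiveXPolicy -Zone 3
$policy | Format-Table Action, Setting -AutoSize
$policy | Where-Object { $_.Setting -eq 'Enabled' } |
    ForEach-Object { Write-Warning "Internet zone: '$($_.Action)' is Enabled (no prompt)." }
```

An "Enabled" result for 1004 or 1201 in the Internet zone is the "click yes to make it work" state Marc describes, with the prompt removed entirely; a standard-user session bounds what such a control can reach, an elevated one does not.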