security


Be more secure! Upgrade today.

Want better functionality? Upgrade today.

Save a developer! Upgrade today.

The save a developer thing is the impetus for this post.

The upgrade today mantra annoys me.

  1. Software rarely spends enough time in alpha and beta cycles to identify all the issues.
  2. People have been so burned by using software in alpha and beta cycles, they are hesitant to try upgrades and help determine the issues.
  3. This lack of attention to the problems ensures versions 1.0, 2.0, n.0 typically have a ton of unknown problems or are even less secure at times.

Unfortunately, the vendor who makes the application platform we run, Blackboard, has a philosophy to look at new web browsers while they are in beta but not actually work towards fixes for the new browsers until after the products are released. With most releases of Java or supported web browsers (Internet Explorer or Mozilla Firefox), Blackboard heard the complaints by the early adopters and released within a couple months an update which resolved the reported issues.

The students and faculty members fail to understand the issue. I think I do. Blackboard (like WebCT prior) understands there are differences between beta and final. Some of us argue these differences are usually minor. However, this is all asking someone to predict the future which we know is haphazard at best.

Long alpha and beta cycles allow more users to get involved, report issues back to the developers, and have them fixed before the version release. Burning users with buggy software ensures their lack of faith.

This is intended to be a more thoughtful response to Laura regarding Course Management Systems and the need for innovation.

Currently, Course Management Systems are bloatware. They got this way by trying to provide everything to everyone. One instructor wants a feature, the university presses for this feature, the CMS programmers put in the feature. Okay, maybe not even 1/2 the time, but given that we have about 15,000 instructors, even a tenth getting a tenth of what they want adds up very quickly. Where they overlap is where companies feel the pressure to add these features.

In my experience, people have found CE and Vista clunky and difficult to use since 2001ish. Basically, that was when the shiny newness wore off at Valdosta State. If anything, then it's gotten worse over time. Personally, I think this is the case because it's not easy to use. Part of this lack of ease is because of the sheer number of possible actions required to accomplish frequent tasks. Another part is the overwhelming possible branches one might take [1] in the decision tree. Part of what makes us intelligent is visualizing the goal and taking the steps necessary to get us there. When software is not easy to use, the users feel stupid because they cannot figure out how to get to the goal.

Think about the complaints we have been seeing about CE6 from people using CE4. They are griping about features they are used to using disappearing. No one wants to lose the features or options they frequently use. They also wish the features or options they never use would disappear.

From what I’ve seen, instructors will make use of what the university provides. When universities don’t provide what instructors want, then these instructors will find what they want elsewhere and make use of it. Large companies take a long time to integrate new features. By the time they figure out the user base wants something, incorporate it, release it, and customers implement it, the users have become used to using it elsewhere and are not attracted to a feature they’ve been using for years elsewhere. So then we invoke FERPA and whatever to move them to the CMS which is more clunky than what they were using already.

So enough with my griping… What is the solution? Well, maybe we should think about what a Course Management System should do?

  1. Course management: This means it provides the university administration means by which they can control access to classes. It's not for the faculty so much as provosts, vice presidents, and registrars to be comfortable the university is not allowing students to take something without paying the institution.
  2. Learning: Specifically, these are communication of concepts and evaluation of concept comprehension.

In a nutshell, #1 is the course list and administration screens while #2 is the course internals. If our focus is recreating the university in an online environment, then the CMS is the right approach. By importing the data from the student information system, we build a hierarchy just like the course catalog and put students into virtual representations of these classes. This mindset is where instructors want to build classes that consist of their lectures, the assignments, and the assessments. It's the face-to-face class online. Thankfully, online classes are moving to using tools to better utilize the advantages of the WWW. However, the focus is more towards improving peer discussion.

Maybe this approach isn’t the best one for learning? Last month I read a few articles off a web site advocating a different model: students gathering and creating information themselves (Personal Learning Environment). The instructor in this model becomes more of a mentor like independent study or how universities functioned at the time of our Founding Fathers. I’ve been hearing this is the direction education ought to take for over a decade now. However, I think it's unlikely as it's easier on the instructor to use the bird shot approach. :)

My Approach: The CMS is only an integration framework to provide access to tools. It doesn’t try to provide these tools at all. There are hundreds of wiki products that are better at some things depending on how they're used. Why should the CMS think it can do it better than all of them? Same thing applies to blogs, social bookmarking, file sharing, etc. This means universities will provide a number of these tools and support dozens of different applications and integrate them all. We will have to better understand data flow, security, and how all these work well together pedagogically. It’ll be a nightmare.

[1] One of the things I unfortunately still do is recreate the user’s actions by figuring out what they clicked on in the recorded session. Many of the problems we see are user error, probably through not understanding the ramifications of the action.

So, you are teaching an online class. Students cheating naturally is a concern. How does one prevent them from stealing answers?

  • Code in the online class system? Unfortunately, the makers of the learning management systems lag behind the creativity of cheaters. Plus, they can only control their systems. How do they enforce security in the web browser, desktop / laptop, cell phone, classroom, or any other environment?
  • JavaScript? This is the most laughable solution. I’ve known how to disable JavaScript in browsers I use since 1999. I’ve never met a JS security solution I could not beat by simply turning off JavaScript. With Firefox and the Web Developer toolbar it literally takes two clicks. People like it because it's cheap. I guess you get what you pay for in this case.
  • Code in the operating system? Dozens of software applications are designed to prevent cheating by controlling what can be done with the desktop or laptop. Certainly this appears to be the most comprehensive solution. However, it often means students go to a proctored environment. What’s the point of taking a class online if I have to go to a classroom?
  • Cameras? The only solution that deals with the possibility of face-to-face or cell phone type collusions. These operate by the students exhibiting suspicious behavior. Students will have to figure out how to act naturally.

The better the solution, the more expensive and less likely to be purchased. Instead, we’ll use cheesy JavaScripts because students are dumb. They’ll never figure it out. Unless by never you mean with a simple Google search.

Size Matters?

Heh…

Character-for-character, password length is more important for security than complexity. Requiring complexity but allowing passwords to remain short makes passwords more vulnerable to attack than simply requiring easier-to-remember, longer passwords. Password size does matter

I am not sure I understand the debate here. Why can’t it be a little of both? Roger is arguing that complexity doesn’t really matter if the length is sufficient. Others counter that using the characters Roger says most people don’t use is sufficient. What seems to be missing is that people don’t use long passwords or complex passwords. Plus people give out their passwords all the time to anyone.

So what is the point of this argument if no one is going to follow this advice in the real world? If you say it has to be a minimum of 8 characters, then 90% will meet that minimum and have no more. I would love to hear the ire policy makers face when they require passwords with a minimum of 32 characters.
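The length-versus-complexity claim quoted above can be checked with a short calculation. This is an added example, not code from the post or from the quoted article; the character-set sizes, the guess rate, and the assumption that every character is chosen uniformly at random are all assumptions of the example, and real user-chosen passwords are weaker than these figures.

```python
import math

# Assumed alphabets: printable-ASCII character classes.
LOWER = 26          # a-z only
ALNUM = 62          # a-z, A-Z, 0-9
PRINTABLE = 94      # all printable ASCII except space

def keyspace(length, charset):
    """Number of possible passwords of exactly `length` symbols."""
    return charset ** length

def bits(length, charset):
    """Brute-force strength in bits, assuming uniformly random symbols."""
    return length * math.log2(charset)

def min_length_to_match(length, charset, simpler_charset):
    """Shortest password over `simpler_charset` whose keyspace is at least
    that of a `length`-symbol password over `charset` (exact integer math)."""
    target = keyspace(length, charset)
    n = 1
    while keyspace(n, simpler_charset) < target:
        n += 1
    return n

def years_to_exhaust(length, charset, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace(length, charset) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    RATE = 1e10  # assumed offline guessing rate (guesses per second)
    policies = [
        ("8 chars, full printable set", 8, PRINTABLE),
        ("12 chars, lowercase only", 12, LOWER),
        ("32 chars, lowercase only", 32, LOWER),
    ]
    for label, length, charset in policies:
        print(f"{label:30} {bits(length, charset):6.1f} bits  "
              f"{years_to_exhaust(length, charset, RATE):.3g} years")
    # How many plain lowercase characters offset an 8-char "complex" rule?
    print("lowercase length matching 8 printable:",
          min_length_to_match(8, PRINTABLE, LOWER))
```

Under these assumptions, four extra lowercase characters outweigh the whole move from 26 to 94 symbols at length 8, which is the quoted article's point; it says nothing about whether users will actually pick such passwords.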