Blackboard Security

Interesting articles accusing Blackboard of being lax about security: A Black Eye for Blackboard Over Its Response to Major Security Flaws, which is about Millions of student exams, tests and data exposed. I saw the security bulletins, but I was not aware of the back story leading to why it was announced. We run an unaffected product, so I mostly ignored it. After reading the stories a couple of times and the security bulletins again, my general read is still: overblown.

Blackboard’s practice is to work with the reporting client to determine the nature of the issue, whether it is being exploited, and test the fix. On the occasion where I was the reporting client, I was asked not to publish information about it, as that would allow malicious individuals to exploit it before other clients implemented the fix. As I recall, the time from my reporting it to getting a patch was about a month. Plus, what I reported was pretty specific; Blackboard took that, looked more broadly, and fixed everything they found. Then again, I reported a single issue, not 16. Also, I tend to report such things to John Porter directly as I trust him to seriously address them. Someone opening a low priority ticket to the Tier I helpdesk, not providing the data Bb requests, or, even worse, providing incomprehensible data can get stuck in the Blackhole (where support tickets go to die). Every client needs to read Blackboard’s information on how to report security issues.

A problem with Blackboard only talking to the reporting client(s) is that other individuals might already be aware of the exploit. The idea that keeping mum will prevent others from finding out fails to consider that Newton invented calculus at the same time as Gottfried Leibniz. Security by hoping no one else finds out… isn’t secure. Clients not provided with ways of detecting whether the exploit is being used cannot report to Blackboard that their systems were compromised.

“We are not aware of any institution’s academic or student data having been compromised in any way by these issues,” Tan said.

In this statement, “any institution” means the clients who discovered this vulnerability, not all clients. Blackboard is reassuring that the problem is minor and that clients applying the patches quickly will keep it minor. Calling this a zero-day security vulnerability implies attack code is out there, available to be used. So attackers potentially have information while defenders do not? Unfair. Epic fail. But only when it leaks to the attackers or they independently figure it out.

More interesting are the vulnerability claims Blackboard considered invalid because they “were due to misconfigured security settings.” So if an administrator sets an incorrect configuration, the problem does not exist? For example, an administrator does not set Secure HTTP on the login, so a malicious person in a coffee shop snatches passwords and uses them to alter grades. (Or worse, a 9-year-old compromises his teacher’s password.) Yes, it is the administrator’s negligence, but as a partner Blackboard should be helping administrators not be negligent. Keep this in mind: when a Blackboard system is compromised, only Blackboard cares whether it was administrator negligence or Blackboard code.

As a defender, I want all the information I can get to protect my users from attackers. Whenever I talk about this with other clients, I hear the same thing. Instead I am left with fear, uncertainty, and doubt. Not that I expect any other vendor to provide me more information than Blackboard. This is why I like the idea of open source.

LMS Non-Negotiables

I listened in on the first town hall meeting for our USG LMS Transition Task Force on Thursday. There are 3 more town halls this week and a final one December 9th. It sounds like the task force is looking for which items are non-negotiable, extremely important, or nice to have. Here are the non-negotiable items from the list, with my thoughts.

  • Security: Agree. Student data is critical information to keep away from those who ought not see it while giving access to those who should. I would include in this an audit log of administrative actions such as changing passwords, resetting virtual classrooms, or anything else which possibly could be abused.
  • Scalable: Agree. We’ve seen fantastic usage growth over the years. When I started with this project four years ago, we had only around 100,000 active users. We are now approaching 300,000 active users. Each user also does more now than then. There is no reason we will see an end to usage growth.
  • Integrates with enterprise systems (i.e. Banner): Agree. There is a need for a relatively easy way to ensure the faculty and the students have accounts which are placed in the correct virtual classrooms. I’ve seen a desire for real-time integration. The Luminis Data Integration Suite always looked to cause more problems than it would solve.
  • 508 Compliance: Agree. Every user ought to be able to get the information in the class. However, to truly meet this I would think it would include fixing faculty-uploaded content so that it is accessible.
  • Don’t go backwards (features and functionality meet or exceed current functionality): Unsure. I’m not aware of an LMS option which meets every feature we currently have in Vista 8. The only way to meet this one is to negotiate which are the non-negotiable features.
  • Cross-platform and cross-browser support: Could not agree more. Most web sites I visit work in any web browser I choose. Vista 8 has limited supported operating system and browser combinations. Don’t forget the cantankerous Java applets: multiple versions of Java behave erratically, and prior to Java 1.6.0_11 a new install left the older versions in place. Also, sometimes new versions of Java suddenly do not work.
  • Ease of use and good user interface (student, instructor, administrator): Agree. More is not always better. I sense a frustration about a lack of efficiency accomplishing tasks.
  • Timely support and response: Agree. I understand this one to mean fix the problem in 1-2 weeks not a year plus.
  • Good communication regarding downtime: Unsure of the intent. Vista 8 has a pretty good announcements tool. Does it mean be more aggressive in telling the users when the system will go down next for a scheduled maintenance? I wonder if it means my organization (hosting) ought to take a firmer hand rather than continue to depend on the campuses in letting end users know.
  • Back up and restore capability (minimum 1 year – nice to go back farther)/archiving/back-up without significant downtime: Unsure of the intent. Our system backups are daily without any downtime involved. My best guess is it means something like a wiki history for all content and tools and maybe the whole virtual classroom. Should something bad happen, the faculty member ought to be empowered to fix it and not depend on going to an administrator every time. While Vista 8 allows faculty to make their own backups, this was disabled to avoid performance issues. Also, the restore overwrites everything and is not selective enough to ensure the faculty would not lose other data trying to retrieve something specific. Imagine losing 10 weeks of work in order to retrieve an accidentally deleted file. (Administrators have unintentionally done this.)
  • Ability to bring in guests to the system (i.e. collaboration): Agree. In a bricks-and-mortar classroom, the faculty can just ask a guest to come to the right room in a building. With Vista, the virtual classroom is more like a fortress requiring the faculty member to complete some kind of paperwork/memo to get an id so the guest can pass through security.

For those of you in similar searches, does this list look similar to yours? What would you add?

Some things I am surprised are not non-negotiable.

  • Better grade book: The existing one in Vista 8 is cumbersome, especially the grade calculator. A key use of the LMS is for students to understand their performance in the class. However, keeping up with the calculated grade at any given point is a lot of work for the faculty.
  • Reporting and analytics: The faculty, advisors, and tutors need to know which students are having difficulty. Department heads and deans need to know which instructors are failing to spend enough effort teaching a class. People composing budgets need to know how much the LMS and auxiliary software are used.
  • Administrator becomes another user: Similar to *nix’s “su - user”, some problems only become apparent when using the correct account. Rather than change the password, take a look, and give the user the new password, administrators need an easier way of reviewing.

Computer Metaphors

An effective way to explain something is to use a metaphor. This can be especially effective when picking a metaphorical object or behavior with which the audience is already familiar.

The one I see most often is comparing computers to a car. This morning I saw this on an email list describing a person’s experience migrating to Vista 8 from Vista 3.

It is like I have traded in a familiar (though frustrating) car for one that has the lights, wipers, and radio in new locations.

Also this morning, Vista 8 was compared to a malfunctioning pen forced on faculty who would rather use a better pen. Never mind that not all pens are used exactly the same (fountain vs. rollerball). Some require more maintenance and care than others.

A coworker always says Free Open Source Software like Sakai or Moodle is free as in free puppies, not free beer. Never mind that proprietary bought systems like Blackboard are bought as in bought puppies. 🙂

Information Should Be Free

Mark Guzdial makes the point that teachers add value to the learning process. Normally, I would agree. However, I got hung up on a misquote from a Walter Isaacson article, How to Save Your Newspaper in TIME, offering micropayments as the solution to newspapers finding a working model to survive, since advertisements are not the right one.

Mark said it was “information must be free.” TIME said, “[T]he Web got caught up in the ethos that information wants to be free.” Mark correctly attributed it to Steven Levy who said, “All information should be free,” but in the context of: “Access to computers — and anything which might teach you something about the way the world works — should be unlimited and total.”

Higher education provides such access. However, we hide the access behind bureaucracy and tuition. Is it worth it?

Another thought on all this came from Dorothy E. Denning quoting Richard Stallman:

I believe that all generally useful information should be free. By ‘free’ I am not referring to price, but rather to the freedom to copy the information and to adapt it to one’s own uses. … When information is generally useful, redistributing it makes humanity wealthier no matter who is distributing and no matter who is receiving.

This reminds me of the concept of Creative Commons and open source. Restrictions on information like copyright ensure the creator makes money. At the same time copyright provides some opportunities for reusing it. (CC and open source just do it better than the Copyright Office.)

Course Management Systems are Dead!

Heh. Blackboard Vista is headed for a brick wall? Who knew?

7. Course Management Systems are Dead! Long Live Course Management Systems! Proprietary course management systems are heading for a brick wall. The combination of economic pressures combined with saturated markets and the maturing stage of the life cycle of these once innovative platforms means that 2009 may well be the year of change or a year of serious planning for change. Relatively inexpensive and feature-comparable open source alternatives combined with some now learned experience in the process of transition from closed to open systems for the inventory of repeating courses makes real change in this once bedrock of education technology a growing possibility. As product managers and management view these trend lines, I think we might see incumbent players make a valiant effort to re-invent themselves before the market drops out from underneath them. Look for the number of major campuses moving (or making serious threats to move) from closed systems to open ones to climb in the year ahead. The Year Ahead in Higher Ed Technology

It is true the big player in proprietary CMS / LMS / VLE software has lagged in innovation for quite a while. Remember, though, that Blackboard bought WebCT and kept the other product around while hemorrhaging former WebCT employees. That alone kept them extremely busy trying not to lose every customer they bought. The next version, Blackboard 9, should be available soon. That is the litmus test for their future success.

Bb9 is a newer version of Academic Suite, aka Classic. There is no direct upgrade path from CE / Vista to Bb9. There is a Co-Production upgrade path where one can run both versions side-by-side with a portal interface to access either version without having to log in again. Content still has to be extracted from the old and placed in the new. (Since we are running Vista 3 and Vista 8 side-by-side now, this doesn’t give me warm fuzzies.) This was the upgrade path some WebCT and Blackboard clients took getting from Vista 3 to 4, only to find Vista 4 was junkware. Similarly, those leaving CE4 for CE6 were frustrated by the move. So, I would predict:

  1. Those on Classic 8 now will go to Blackboard 9 ASAP.
  2. Smaller colleges on CE 8 who through turnover no longer have the people burned by the CE4->CE6 migration will probably move to Blackboard 9 this summer prior to Fall.
  3. Smaller colleges on CE 8 who still remember will migrate after AP1 (maybe a year after Bb9 release).
  4. Larger colleges on CE or Vista 8 will move some time between AP1 and AP2.
  5. Consortia groups like GeorgiaVIEW, Utah State System, or Connecticut State University System will wait and see.

That last group doesn’t take change easily. They have the nimbleness of a supertanker cargo ship.

I am still waiting for the tweets about Moodle and Sakai, the open source alternatives, to change from the general “X sucks, but at least it’s not Blackboard.” to “X is the best there is.” If “at least it’s not Blackboard” is the only thing going for the software, then people will stay where they are to see where things go. There need to be compelling reasons to change.

Unfortunately the cries of the students and the faculty in the minority are not enough. Most people are happy enough. They can accomplish the important things. They get frustrated when IT takes the system down, or when there are data center power issues, network issues, or a performance issue. None of which go away by picking FOSS.

Open Source Is Not Broken

Cohen says:

Open-source code is generally great code, not requiring much support. So open-source companies that rely on support and service alone are not long for this world. The traditional open-source business model that relies solely on support and service revenue streams is failing to meet the expectations of investors.

The whole point is to have a model producing great code. As these open source companies try to be everything to everyone, they eventually hit the same issue as proprietary companies: bloatware. The software starts to suck and the users abandon ship for another product which seems to do the same job better.

We Need a 4th Vista DBA / Technical Support

Work for OIIT!

Become our 4th DBA / technical support person for our team.

  • Located in Athens, GA (college town, UGA football)
  • $, benefits, generous leave, rare snow
  • we love open source
PDF of GeorgiaVIEW DBA position

Check out the PDF (right) for more information.

Sorry for the convoluted route to the application…

  • Click this link to go to our HR site.
  • Click the “View Job Postings / Apply for Job” link.
  • Check the “Information Instructional Tech” box.
  • Enter “learning” for the keyword and click search.
  • “Systems Support Specialist 3” is our DBA position. We also have a Business Systems Analyst position for a less technical position.

We’d love to have you.

Blackboard Won Suit Against D2L

Blackboard acquired patent ‘138 and brought a lawsuit against Desire2Learn. I would say 80-90% of the commentary about this case has been from the anti-Blackboard crowd, with about 90% of the rest from the let’s-wait-and-see crowd. Blackboard very much has been mum on the subject. I do not recall a blog of a single Blackboard supporter saying how great it will be for them to win this case. All I have seen are assurances from Bb that they do not intend to sue open source into the ground (after EDUCAUSE got on Bb’s case).

I understand the motivations for filing a patent request. I understand why they started the lawsuit after getting the patent. What I don’t understand is the reasoning for why the patent was awarded. Also, I don’t understand why Blackboard won the lawsuit. In truth, I probably have both more and less information.

  1. Examiner’s notes would describe the other bases of information about the decision.
  2. Transcripts of the trial would describe what information the jury heard.

Lacking this information, I cannot really put myself in the shoes of the people who made these decisions to understand why they were made.

In the realm of public opinion, Blackboard certainly has given its vocal detractors very strong ammunition. Mainly the complaints are about using lawsuits to suppress smaller companies and establish dominance, rather than innovation, to win over new customers. It is about fear and uncertainty.

Drink the Kool-Aid!!

Abandoning Pidgin for (Back to) Trillian

Back in mid August I switched to Pidgin as my IM client. I even found plugins like Guifications and Encryption to add back functionality. Starting now, I am going back to Trillian.

The painful behavior I cannot stand is Pidgin removing my accounts without any visual notice. What is the use of an IM client that doesn’t connect to the IM service? In every instance, accounts were disabled. Normally I see a visual indicator, like I normally do when an account is having issues connecting. For some reason I didn’t get anything.

In the meantime I am back to Trillian. I’ll give Gaim/Pidgin/NextName another try the next time I start having major problems with Trillian. Web-based Meebo requires remembering to login to a web site consistently. Maybe I should try Miranda again?


links for 2007-11-11