The Open Source Club is going to be at the 2009 Winter Involvement Fair in the lobby of Knowlton Hall this Thursday [1/8]. Therefore there will be no meeting this week. But feel free to stop by the involvement fair if you want to chat with us!
posted: 12-07-2008
Below is a list of meetings from Autumn 2008:
This Thursday, November 20th, for the first time in over a year, Alex is doing This Week in Slashdot. Prior knowledge of Slashdot or familiarity with current events is not required. Random discussion is encouraged. Meeting location is Dreese Labs room 266.
posted: 11-18-2008
Fun and merriment ensued during this week’s meeting as we explored scripting, hacking, and otherwise misusing the Unix shell with Jim Dinan. Topics were focused on bash, and included:
Here are some of the slides used, courtesy of the Arctic Region Supercomputing Center:
posted: 11-11-2008
posted: 11-04-2008
This Thursday we will be having a guest speaker come in and teach us about interface design. The speaker will be Matthew Stanford, who is currently working on his master’s degree over in the design department. You may think that design isn’t important, but I have learned from experience that your really awesome code will go unnoticed if you don’t have a nice interface to go with it. I urge you to come if you can because this is a very important presentation that will help everyone make their work more presentable. The meeting will be at 7p in 266 Dreese.
posted: 10-22-2008
This Thursday we will be taking a look at the Nintendo Wii remote (or Wiimote) and giving a brief overview of how it works. After that we will look at some of the Wiimote hacks that have been done by other people and hopefully come up with an idea for a new hack that we can start working on as a club project. We will be meeting at 7pm in Dreese Labs room 266.
posted: 10-21-2008
We are having a club meeting this Thursday [10/23/08] at 7:00p in Dreese 266. Due to the fact that everyone is really busy this week we are unsure if there will be any presentation given.
posted: 10-17-2008
This past year, the Carmen team got a new program for all of us to use. The catch is, it sucks, and your instructors can hold your grade in the balance if you don’t play with their new toy[1]. The program is inappropriately called “Respondus LockDown Browser,” and it’s supposed to be the next generation of “secure” test taking. While I passionately despise those who earn their marks unduly by plagiarism/forgery/exam-shoulder-surfing, this program is invasive and outright stupid. Take a look at the demo.
This is exactly what media vendors like to call Trusted Computing, and what the GNU foundation describes as Treacherous Computing. Trusted/Treacherous Computing (depending on who you ask), by design, controls what a user can and cannot do with their computer. It is meant such that your computer will obey the company who wrote the software instead of you. I don’t have a problem with regulating what students can and cannot do when they take exams, but we should not be expected to use this junkware, especially not without some alternate means of taking the exam. It’s either take the test in a noisy computer lab, or install the program on your own computer. I can’t vouch for anyone else, but personally I certainly don’t like those options, and would much rather take my exam in person.
First of all, this is the first time anyone at this school has been able to require the use of a specific piece of software to earn a marginal grade. Unless instructors specifically state on the syllabus that you must use a specific proprietary program, such as Microsoft Office for some earlier CSE courses, they cannot hold it against you for submitting a final paper in PDF format instead of Microsoft Word. They may recommend we conform to the Microsoft way and use the standard XP/Vista with Microsoft Office, but they do not require it. Believe it or not, unless an instructor specifically stated on the syllabus that a student must be using a specific version of a specific program, the instructor cannot hold a student accountable for not submitting an assignment in the latest and greatest Microsoft Office format, so long as it is a generally readable format, such as PDF. Statistics classes sometimes use SPSS, but the students are not required to use it. In Math 152, students can compute calculus equations with spreadsheets, but OpenOffice.org is acceptable. While you may not get the same support for it from OIT, you can still connect to OSU’s network with a Linux operating system (just not an out-of-date operating system, as per MCSS). They don’t even specifically require you to use their corporate anti-virus, which you can get for free here. Now, they are requiring a specific program, upon which you are graded, and the program needs to be run in a proprietary operating system. You need not look any further than the Ubuntu forums to find users complaining of being discriminated against for their operating system. I suppose a more appropriate name for this new toy is “Respondus™ Lock-Out Browser” - I’m willing to negotiate rights to the trade mark if Respondus is interested; it may earn some perks from Microsoft…
Violating their norm of freedom to use whatever software you choose, and of making their web pages W3C-compliant isn’t the only concern this program raises though. One must ask, as I did when I first saw the above video, what if the browser, web page, or something in between malfunctions? At the time, I had taken very few Carmen quizzes, and didn’t have access to any, much less requiring me to play with OSU’s new anti-cheating toy, so I couldn’t really join in on their fun, but that didn’t stop me from closely and thoroughly investigating the matter. I found a number of ways in which a student could bypass its restrictions, some of which I’ll cover later on, and used some of them to simulate just what would happen in such an event. The program restricts use of Windows’ Task Manager, most commonly known as “Control-Alt-Delete”. Since I normally use Linux as my primary operating system, and use Windows for something to feed virus samples to anti-viruses so I could test their definitions, I had a few tools to force processes to quit, and make a few other deep cuts to the operating system. To perform this, I launched AVG Anti-Spyware between the time I launched Respondus Lockdown Browser, and the time it fully started up. As the browser filled up my screen, removed the Taskbar (Start Menu and System Tray), and planted its other generally invasive hooks, AVG opened on top of the browser. I then used AVG’s process monitor to terminate “LockDown.exe”, and found its hooks remained in effect, despite the program having closed. The Taskbar was still removed, right-clicking had no effect, pressing [Ctrl]+[Alt]+[Delete] or [Alt]+[F4] opened an error message that the said operation was disabled by my administrator (which was funny because I am the administrator for my laptop, and I should be allowed to properly shut down Windows if I want).
After restarting Windows, the right-clicking worked again, and I saw the Start Menu again, but I was still unable to shut down Windows or open the Task Manager. Seriously. The option to shut down Windows was removed from the Start Menu. Essentially, I was permanently forbidden from ever using the single most common part of Windows, pressing Control-Alt-Delete, as well as from shutting down Windows. I noticed this also happens if the computer is unexpectedly shut down while the program is running, which requires removing the battery and unplugging it. This, along with the fact that you are forbidden from closing the browser during a quiz, makes you completely dependent on everything to work properly, with your operating system’s stability hanging in the balance. As most programmers will know, no program is perfect, and there will be at least some problems, so this program will make damaging changes to people’s computers, who don’t have a choice about using it because their grades are dependent on their compliance. I encountered one such error, and while I was fortunately not required to use this program to take the quiz at that time, it does raise concerns. I took a screenshot here; pardon the strange interface for those who are not familiar with Linux. You’ll notice an “Internal server error” in the bottom-left corner. Upon encountering this, I was unable to save any more responses or submit the quiz. I actually had to e-mail the screenshot to the TAs managing the quiz and have them grade the e-mail instead. Now, what if I were required to use Respondus Lockdown Browser to take the quiz? I would have been “locked in” a dead web page, prevented (supposedly) from using any other programs or closing this program, and left with only the option of improperly shutting down Windows, which as mentioned before, will result in problems.
Basically, to get my computer back, I’d have to bite the bullet and let the restrictions on my computer become permanent. I would personally like a response from OIT on this matter. The first time I discovered this, I asked them to fix it; their program, they clean up the mess, right? Plus, I didn’t expect that to happen and didn’t have the time to re-install. They were able to help me find an article to restore the task manager, but not to shut down Windows. I was able to restore this with one of my security applications, SpyBot S&D, but that was only because I was lucky enough to have had it installed earlier and it detected a certain system change. I sent 8-Help an e-mail regarding the matter, so they could assist other users who encounter the same problem by creating a guide on their site, but I instead received a response from a Carmen administrator telling me to send my concerns to Respondus themselves, who are clearly not going to do anything about it, instead of escalating my ticket. I also sent them this video in my message, in response to their claim that they did not believe the problems I was facing were due to their kiosk browser, but I wasn’t intent on reaching the Carmen admin at that point.
Ok, so Ohio State is going through a lot to stop cheating, which doesn’t surprise me, and they should in general, because cheaters suck. However, this program is not only unsafe, but ineffective. Before I start describing how to circumvent its restrictions, let me point out the easiest way of completely bypassing it, which this program can never stop. All one has to do is use another computer. It can be a lab computer, they can use a desktop/laptop combination, or borrow one from a friend or roommate, and take turns cheating. Instructors who hesitate to give tests online sometimes fear for students’ ability to cheat if they aren’t monitored, but when they hear of this new program that is supposed to solve the age-old problem while they can relax and focus on their research, letting Carmen do the grading, they feel relieved and reassured. This program is not going to stop students from taking pictures of the test with their cell phones, it’s not going to stop students from taking group tests or paying another person to take it for them, it’s not going to stop students from looking at notes or textbook material, it’s not going to stop students from accessing online resources to find answers elsewhere, and it’s not going to stop students from copying answers from elsewhere. You are not going to stop cheating by telling students to take the quiz in their dorms, unsupervised, on their personal computers, no matter what kind of junk you force them to install. Ohio State clearly did not research this in advance. The number of high-profile universities, which are supposed to consist of members who are intelligent enough (no offense) to know better, that got suckered into this scam, and still trust the program to solve the cheating problem, proves to me, without a doubt in my mind, the inconceivable power of advertising.
On a more serious note, if an instructor wants to be certain that there is no cheating, they have to do it the old-fashioned, proven effective way, and actually watch for cheaters. If someone from TELR is reading this, please heed my words and research products before buying them, especially the ones from unsatisfied users. Now onto how easily it is circumvented from within the affected machine.
In a previous version of this article I covered advanced ways of bypassing the restrictions, which confused some users, but I’m just going to touch on some of the more basic ones. If you want the original version, click here. Upon startup, Respondus Lockdown Browser checks your running processes against a list of “known cheating programs”, such as “aim.exe”. Opening the main executable in notepad will predictably display a bunch of garbage, but you can find a list of blacklisted programs in plain text. A funny note, after I posted my video on Windows getting hosed by Respondus Lockdown Browser, they updated it to prevent use of AVG. I guess Respondus doesn’t like me exposing how crappy their program is on public websites, because I can’t think of any other good reason they would require users to terminate background processes that help to protect their computer. Anyway, the funny thing about this algorithm is how easy it is to bypass. All a user has to do is take the blacklisted file, such as “aim.exe”, and rename it to something not on the list, such as “xyz.exe”, double-click it, and Respondus will ignore it. Note: while their updates are a little unorganized, a current version will also check a few other variables which are harder to change. Of course, you could always just use the old version, not to advocate cheating. I have found several other holes, such as running arbitrary programs during a session, opening links in other browsers, or moving the window around to access your desktop, and 2 particularly “critical” forms of them remain unpublished, as a reminder to Respondus that there are still easy ways to bypass their restrictions. An additional hole, which is just in the design, is the philosophy that blacklist, or signature-based definitions of malicious are going to have many false negatives.
This is a concept discussed in CSE 551, in which I am currently enrolled, and that is common knowledge among anti-virus vendors who are researching heuristics analysis. For example, I found a really nice open source screenshot program, which is not well-published, that automatically takes screenshots in a user-specified interval, and was able to do wonders as far as photographing tests is concerned because it didn’t recognize the program. There may be infinitely many programs like this, and Respondus is never going to block them all because someone will just come along and write another.
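The false-negative problem described above, as an added example that is not part of the original article or of Respondus's code: three ways of checking a process table, run over constructed process records. The file names aim.exe, xyz.exe and LockDown.exe come from the article; explorer.exe as the desktop shell, shots.exe, the byte strings and all function names are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Process:
    name: str     # image file name as the OS reports it
    image: bytes  # file contents (constructed stand-in bytes, not real binaries)

    @property
    def digest(self) -> str:
        return sha256_hex(self.image)


# Constructed stand-ins for four program images.
CHAT = b"constructed chat client image"
CAPTURE = b"constructed interval screenshot tool image"
EXAM_BROWSER = b"constructed exam browser image"
DESKTOP_SHELL = b"constructed desktop shell image"

# Policy 1: what the article describes, a denylist of file names.
NAME_DENYLIST = {"aim.exe"}
# Policy 2: a denylist keyed on file content, so the file name is irrelevant.
HASH_DENYLIST = {sha256_hex(CHAT)}
# Policy 3: default-deny. Only images on the list may run during a session.
HASH_ALLOWLIST = {sha256_hex(EXAM_BROWSER), sha256_hex(DESKTOP_SHELL)}


def flag_by_name(procs):
    return [p.name for p in procs if p.name.lower() in NAME_DENYLIST]


def flag_by_hash_denylist(procs):
    return [p.name for p in procs if p.digest in HASH_DENYLIST]


def flag_by_allowlist(procs):
    return [p.name for p in procs if p.digest not in HASH_ALLOWLIST]


def compare(procs):
    """Return what each policy flags for one process table."""
    return {
        "name_denylist": flag_by_name(procs),
        "hash_denylist": flag_by_hash_denylist(procs),
        "hash_allowlist": flag_by_allowlist(procs),
    }


# Constructed process tables.
_BASE = [Process("explorer.exe", DESKTOP_SHELL), Process("LockDown.exe", EXAM_BROWSER)]
BASELINE = _BASE + [Process("aim.exe", CHAT)]       # listed program, original name
RENAMED = _BASE + [Process("xyz.exe", CHAT)]        # same bytes, different name
UNLISTED = _BASE + [Process("shots.exe", CAPTURE)]  # program no denylist has seen

if __name__ == "__main__":
    for label, table in (("baseline", BASELINE), ("renamed", RENAMED), ("unlisted", UNLISTED)):
        print(label, compare(table))
```

Either denylist can only flag what its maintainer has already seen, which is the false-negative problem; the allowlist flags anything it was not told to expect. None of the three sees a second computer, which the article names as the simplest bypass.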
Speaking of writing programs, I really hope they don’t expect computer science majors (including myself) to use Respondus Lockdown Browser. The use of this proprietary program raises a concern about requiring use of certain operating systems, despite the policy of not requiring use of specific software. Since it only runs in Windows XP (when I last tested it in Vista, it was extremely unstable) and Mac OSX, you will have many users using Linux, and other less common operating systems that this program can’t run on. You will have students running Windows XP inside of other operating systems (picture), with full access to online resources; you will have students locked out for the operating system they use (those who don’t run virtual machines); you will have students discovering all sorts of ways around it; you will have students spoofing Lockdown Browser sessions on Carmen; you will have students modifying the code; and such students will be particularly unhappy when they are told they have to use a certain proprietary operating system.
The recommended installation procedure for Respondus Lockdown Browser requires that ActiveX be enabled as you follow a link to their download site, which isn’t even in OSU’s domain. ActiveX, which is Microsoft’s Windows-only way of letting websites run arbitrary C++ code on your machine, is an extremely unsafe-natured script. I’ve seen Windows get bit in the rear by it, and helped users clean it off their machine many times. When a user asks me about sites asking to run ActiveX, I tell them to “just say no”. Now, surely OSU must understand the nature of this script, do they not? If they are as dead-set on securing the network as they claim to be, then why on Earth are they telling users to run ActiveX? Here is a website, though out-of-date, that accurately describes how ActiveX has made Outlook an extremely unsafe program. If anyone doesn’t believe me, here is where you install the silly program. If ActiveX isn’t enough of a bite, they even use Java applets to install it on Macs. Take a look. I guess for some reason Respondus must have been too good to simply link to a .dmg, .exe, or .msi file in a simple HTML tag. That’s what they think of W3C standards I guess.
All of this summed up, Respondus Lockdown Browser is not an effective way to stop cheating. It is frustrating for students who are genuinely interested in the material and have to put up with a lousy program to gain access to the material, and completely ineffective at its intended purpose. This sort of makes me think of copy-protection, a.k.a. DRM. Look where DRM is going. Content producers have tried many times to regulate what users can do, and you wind up with the true, hardcore pirates cracking it, and the legitimate users resorting to P2P just so they can avoid all the invasive restrictions. They make worse and worse DRM controls, run around rampant suing single mothers with children living off SSI for sums that will drop your jaw, and drive more and more people away. The true cheaters are always going to find a way to cheat, while the honest students are the ones who suffer for it by using this piece of crap; just like how the true pirates will always crack the copy protection and the legitimate customers are the ones who suffer from not being able to play songs in “unauthorized” media players, or move them to other media devices. If it doesn’t work for the multi-billion-dollar companies, then why the Hell does OSU expect it to work for them? It didn’t work well for the University of Dayton…[2]
What can we do? OSU already bought a campus-wide license for us to use it, and they’re going to make sure to get the most use out of it right? If something gets an overall negative reaction in a university, unless it makes a significant profit for the institution, they won’t keep it around for long. Let the coordinators of this project know how you feel about it by e-mailing email@example.com. If you get spam filtered, as I did, send it using their form here. Let them know (politely) that the browser isn’t going to do its job (NOTE: I do not recommend spamming or harassing them). Tell your instructors what they are really asking when they restrict you to using this browser. If you are an instructor who agrees with this article, then please don’t place this burden on your students. Ask yourself first, “Would you want your grade based on the type of software that you use?” Would you be willing to use this piece of junk? If not, then please make this point to the directors that told you to use it. If you don’t say anything, then they will continue as normal under the assumption that everyone is fine with it and their new program is working wonderfully. To the students reading this, let your instructors know we shouldn’t be required to use a specific program to get a marginal grade, when the software otherwise has nothing to do with the content. Let them know that this regulatory software puts a burden on the honest students who are legitimately interested in learning the material, while it has little to no impact on the cheaters, because they will just find one of many ways around the “controlled environment” anyway. If you sit there Mahatma Gandhi once said “you must be the change you wish to see in this world.” If we don’t let OSU know what we think about being “locked down” from our own computers, they will not stop, and probably eventually try something worse. Who knows?
Maybe they’ll try having you take a test with one hand on a fingerprint scanner the whole time and fail you automatically if you ever take it off or if it gets unplugged. Let’s encourage OSU to find better things to spend our tuition on than bad software, before they wind up as confident in it as The University of Florida or the many other schools making students use it[3].
I received a response from firstname.lastname@example.org, who thought my concerns were “unique”. Read more here.
This Thursday’s meeting (October 16th in Dreese Labs, room 266) will include a presentation on source control management. The main tool that will be used is Mercurial, however most of what is shown can be applied to many of the other source control management tools. When you are working by yourself on really small programs, like the ones you do in CSE 221, 222, 321, then you can get away with not using any source control tools. However, real-world projects involve lots of different files and are worked on by many people that are located in different places, and this is why it’s important to understand how to use a source control management tool. As usual the meeting will be at 7:00 pm in Dreese Labs room 266. The meeting is open to anyone who wants to learn about source control management. After the presentation we will try to work on getting a project started since we haven’t done so yet.
posted: 10-01-2008
This Thursday, at 7:00 pm in Dreese Labs room 266, we will run through an introduction to Linux, in a way that any computer user - new or veteran - can understand. Some basic points to be discussed are:
If time permits we plan on discussing how one picks a Linux distribution, running a LiveCD, and running through the installation procedure, also covering some of the more advanced setups like setting up a computer so it can run both Windows and Linux (with a menu at startup asking which one you want), how to mount directories, and what to do if Windows gobbles up your Master Boot Record (MBR) making Linux unbootable.
posted: 09-15-2008
The Open Source Club is going together to the Ohio Linuxfest this year on Saturday, October 11th. The first presentation is at 9:30 am. Rather than drive/taxi, bring your Buck-ID™ and you can ride COTA for free…
posted: 09-09-2008
We have scheduled a meeting for Thursday, September 25th at 7:00 pm in Dreese Labs room 266. There is no official meeting topic as we will spend the time doing introductions (trying to be sociable or something to that extent). Meetings are open to everyone as always, so please stop by.
posted: 08-21-2008
This Thursday (October 9th) in Dreese Labs room 266, I am presenting on Net Neutrality. See a summary of what I’m presenting below.
We are currently having some problems with our content managing system, Drupal, so changes here will be limited. We apologize for the inconvenience, and a group of us are working hard on the issue, despite limitations such as not having physical access to our server. We expect to have the site fully functional by the end of this summer, possibly with some great new features for active members. We are planning a great number of projects this year (some of which may be aided by our server), more than we’ve had for a long time. Details are still pending and yet to be revealed, so stay tuned, and expect dramatic changes to our website.
The Open Source Club welcomes members of all backgrounds, from freshmen who are curious about open source software, to veteran Linux/Unix users and developers out of graduate school. Come find us at the involvement fair on The Oval just before school starts and learn what we’re all about.
posted: 04-05-2008
We are meeting Thursday, April 10th, at 7:00 in Dreese Labs room 266. The topic for our meeting is source code version control, and what works best for, and there has already been much traffic over this on our mailing list. Subtopics so far include bitkeeper, cvs, git, Google Code, Mercurial, svn, trac, and open discussion of any other source code management programs not yet mentioned that deserve recognition.
posted: 03-27-2008
We had our first meeting for the quarter in Dreese Labs room 266 at 7:00 pm. Meetings end whenever they end, with no specific time. No absolute topic was decided on, so we discussed a few random things, such as South Park creators Trey Parker and Matt Stone streaming South Park online for free (where we legally watched a recent episode from Season 12, which does play in Linux without DRM hacks), Adobe creating a web-based free express (and watered down) version of Photoshop, we also spent a few minutes sharing our web-development views. The meeting was open to students and non-students alike, and pizza was served as always. Altogether we had a great turnout and I look forward to a similar turnout at our next meeting.
posted: 03-03-2008
Last week, we had a really good turnout and watched some demos of hacking the Nintendo Wii remote to create your own virtual 3-D environment relative to your perspective, along with a few other slick multi-touch-screen interfaces, bordering on making keyboards obsolete. We had a really great turnout and are considering doing it in the future. More information is yet to come… There is also some talk about hacking the new Eee, a $500 child-sized laptop similar to the OX (One Laptop per Child campaign) with Linux pre-installed that, for the price, has some pretty impressive hardware specs, and I might add it is very light-weight.
posted: 02-28-2008
We are meeting tonight (Thursday, February 28th) at 6:00 pm in Scott Lab room 103. Please note that this is not the normal time/location we meet. We are meeting one hour before our normal meeting time, and in Scott Lab instead of Dreese Lab. Our guest speaker, Jim Muir, is a nuclear and mechanical engineer who had better write solid code, and this presentation could be volatile, so we can just let Scott Labs bear this one. Jim Muir is speaking to us about a new open source content management system called SilverStripe. Pizza will be served and as always everyone is welcome.