Critical Analysis of Respondus LockDown Web Browser

Ohio State just bought a new web browsing program this year for all of us students. The catch is, it sucks, and you have to use it or you're going to fail[1]. The program is appropriately called "Respondus LockDown Browser," and it's supposed to be the next generation of "secure" test taking. While I passionately despise those who earn their marks unduly by plagiarism/forgery/exam-shoulder-surfing, this program is invasive. Take a look at the demo:

http://www.respondus.com/LDB_Vista_Prod2/LDB_Vista_Prod2.html

This is exactly what media vendors like to call "Trusted Computing," and what the GNU foundation describes as "Treacherous Computing"[2]. Trusted/Treacherous Computing (depending on who you ask), by design, controls what a user can and cannot do with their computer. I don't have a problem with regulating what students can and cannot do when they take exams, but we should not be expected to use this junkware, especially not without some alternate means of taking the exam. It's either take the test in a noisy computer lab, or install the program on your own computer. I can't vouch for anyone else, but personally I certainly don't like those options, and would much rather take my exam in person.

Should students be allowed to use instant messaging clients while they take exams? No. Should faculty force students to use this type of program on their personal computer (or take an exam in a computer lab, with lots of distractions)? I don't think so either. Maybe if they set this special browser up in a designated test-taking location, or just tighten up the non-administrative privileges on the machine so they can't do anything unauthorized...

Sure, maybe I get a little too worked up about privacy/security, but nobody has a right to your computer except the owner. That includes spyware/adware (including bundles), policeware[3], DRM[4], viruses/worms/rootkits, and "consumer feedback" (phoning home) as they call it. Let me reemphasize that. Nobody. Not Microsoft/Hollywood[5], not TimeWarner[6], not Zango[7], not p0rn companies, not some arrogant teenager with too much free time who wants you to buy v:i:a:g:r:a or wipe your hard drive, not the government[8] (remember way back, when they had to get search warrants, but now they're into wiretapping?), not Storm BotNet[9] (spammers) -- Nobody.

That includes the school. Just because they are an educational institution and mean well, or because they give you your grades and decide (sometimes arbitrarily) if you succeed or fail, doesn't give them a right to your computer. That's what they call "Trusted Computing" (or some call it Treacherous Computing[2]). Not only is it invasive, but I can think of several ways around it.

First, let's consider what would happen if the browser malfunctioned due to a defect. Since it disables the Task Manager, the student would need to restart the computer in the middle of the exam to escape. What else are they allowed to do? Should I remind you that they will most likely have failed the exam in the process? Not even by a lack of knowledge on the content they're being tested on, but by a bad program. Imagine failing for doing the exam exactly as you were told to. Considering that one of my trial installations did not dump an uninstall tool (but still appeared in Add/Remove Programs) and I had to manually delete its registry keys and directories in safe mode to get rid of it, that occurrence doesn't seem too out of the question... Besides, it doesn't even have to be by internal defect. Something could go wrong anywhere from the page, to the server, to the server's connection, to the user's connection, to the user's operating system, causing the browser to malfunction due to an unhandled exception.

By the way, if it does malfunction, which can happen (it has happened to me), and either crashes, or freezes (forcing you to manually restart the computer, as it also disables System Shutdown), then disabling System ShutDown becomes permanent, as well as blocking the task manager from running, even after restarting. (Note: If this happened to you, this article can help you to resolve it easily.)

A fix I found to protect the task manager from getting disabled is with McAfee Enterprise, offered for free to all students. After installing McAfee, you will see a shield icon on the taskbar. Right-click it and choose VirusScan Console (top option). Then, double click on Access Control from the menu that comes up, select "Anti-virus Standard Protection" in the left-side menu, and check "Prevent registry editor and Task Manager from being disabled" on the right-side. Click "Apply" and "Ok" then close the VirusScan Console, and your Task Manager should be protected.
Note that if you try to run the Task Manager while using the browser, Respondus will immediately recognize Task Manager is coming and can't be stopped, and close it, but at least if it malfunctions your Task Manager won't stay disabled. To think that one would need to use their anti-virus program on something their school provides to protect their own computer is beyond belief and outright ridiculous. Unfortunately, this will not prevent your ability to properly shut down Windows from being disabled.

If the browser crashes, and your Task Manager is not disabled, then you can fix the problem where the TaskBar is still hidden in 1 of 2 ways. The first is if Respondus only crashed once, you can restart it, and let it close properly (which will only restore the taskbar). If it keeps crashing, then you can run the Task Manager, click on the "Processes" tab, find and select "explorer.exe" and click "End Process" (note all of your desktop icons will now disappear as well). Then, to restore the icons, go to File --> "New process (run)" and type in "explorer". I cannot fix the revoked privilege to shut down your computer, but the shortcut in this Zip file can replace it.

I'm sorry if anyone who played a part in bringing this to is offended, but to require students to use a program whose components they need to partly block with an anti-virus program's access control mechanisms, in order to protect the integrity of their machine, is outright disgusting to me, and I suspect that I'm not alone in my opinion. Note: I recorded a video of this occurrence here.

A more subtle problem is with compatibility. It seems someone already thought of it, in making an alleged Apple version of the browser, but that doesn't cover everything. Most programs offered are not required for school. If you bring your own computer, they recommend you install their Enterprise McAfee on it, but you're not going to fail Spanish class if you don't. SPSS is a learning aid for statistics, but not essential. All the while, users of other, less common operating systems roam the campus (yes, there are more to computers than Macs/PCs). These programs are designed to work only in specific proprietary operating systems, but what options does that leave for the Unix-based user? Since it doesn't work in Wine, Unix users are left with installing Windows, going to a lab, or using a virtual machine, which some might consider academic misconduct. What if they aren't willing/able to take an exam in a public computer lab because it's too noisy or they live off-campus on a tight schedule?

The typical instructions for installing it, by the way, require the students to enable ActiveX controls, something I have long advised against. Windows has been bitten in the rear many times by ActiveX exploits,[10] which install malicious software on a user's machine simply by them visiting a page. I've seen it happen myself and helped users to clean up their computers afterwards, and explained why they should "just say no" to ActiveX, but now they want OSU students to enable it? What sense does it make to REQUIRE students to enable this unsafe scripting in a university environment, where the computers are targeted by identity thieves (40,000 or so students' personal information) and spammers (superior overall bandwidth and network of thousands of other computers) alike? As an example of how targeted we are... the OSU spam filter blocks around 20,000 virus attempts per DAY[11]. Is Ohio State trying to get students' computers infected? I'm really sure the IT staff have better things to do than clean everyone's machines. Plus, I always thought OSU was concerned about our privacy and security. At least their wireless is about as secure as it gets, but a chain is only as strong as its weakest link...

Now, does this "LockDown" really work? It certainly is frustrating, and in the right environment, I could see how it might work, but let's consider it in the typical, intended environment for it: on students' own personal machines and in lab computers, with nobody monitoring the test-taking facility except for the program.

Upon starting up, it runs a scan for known "cheating" programs from its black list. If, say... AIM is detected, it will alert the user that this program must be closed for the browser to continue, and offers to close it for them. Sounds clever, doesn't it? This operation is similar to a virus scan. It looks for KNOWN programs running and disables them based on the user's preferences. Like all other anti-malware tools, that doesn't include unknown programs, in this case, open source, less common, and newly developed software. For example, I ran a bunch of different IM clients at the same time before starting it up, and it didn't close anything. All I had to do was send myself an instant message from the other end, and out pops an instant message window, on top of this "secure" exam. It doesn't even recognize Internet Explorer 7 as a "possible cheating program". I didn't do it in this picture, but if someone sends you a link in an instant message, it will let you open the link in your default web browser (even "known cheating applications").
Update: After I made a big fuss over Respondus' anti-cheating toy not blocking less common, 3rd-party Instant Messaging clients, they added Pidgin. However, upon realizing this, I also realized the program simply searches running processes against its own blacklist, and if anything matches up, the "cheating program" is closed. To bypass the restriction, all one needs to do is rename the program's executable. For instance, I renamed "pidgin.exe" to "pigeon.exe" and Respondus let it slide as if it were a normal system process running in the background. When you open the main executable inside a text editor, and scroll through it a while, you'll see all of its known "cheating" programs in a list as plain text.
Update: (again) Now Respondus is requiring you to close anti-malware programs -- the very things keeping you safe from the countless exploits in Internet Explorer, which the LockDown browser implements. Although the program blocks nearly every screen capture program, I took this screenshot of the browser ordering me to close AVG with yet another exploit, which I have decided not to post to this web page. Just when I thought they couldn't sink any lower, they came out and surprised me.
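
The process-name blacklist described in the first update above, set beside two content-based checks, as an added example (not Respondus code and not part of the original article). All paths, file names and image bytes are constructed; `lockdown.exe`, `otherim.exe` and the three function names are hypothetical.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    path: str     # image path as the OS would report it (constructed)
    image: bytes  # file contents (constructed stand-ins, not real binaries)

    @property
    def name(self) -> str:
        return self.path.replace("\\", "/").rsplit("/", 1)[-1].lower()

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.image).hexdigest()


# Constructed stand-ins for executable contents.
PIDGIN = b"constructed image: pidgin"
UNLISTED_IM = b"constructed image: IM client on nobody's list"
EXAM = b"constructed image: exam browser"
SYSTEM = b"constructed image: system service"

BLOCKED_NAMES = {"pidgin.exe", "aim.exe"}            # hypothetical name list
BLOCKED_HASHES = {hashlib.sha256(PIDGIN).hexdigest()}
ALLOWED_HASHES = {hashlib.sha256(b).hexdigest() for b in (EXAM, SYSTEM)}


def name_blocklist_hits(procs, blocked=BLOCKED_NAMES):
    """The check the article describes: file name compared with a list."""
    return [p.path for p in procs if p.name in blocked]


def hash_blocklist_hits(procs, blocked=BLOCKED_HASHES):
    """Identify by content, so the file name no longer matters.
    Still misses unlisted software and any build with different bytes."""
    return [p.path for p in procs if p.sha256 in blocked]


def allowlist_violations(procs, allowed=ALLOWED_HASHES):
    """Default deny: anything whose content is not explicitly approved."""
    return [p.path for p in procs if p.sha256 not in allowed]


# Constructed snapshot: the renamed client from the article plus an unlisted one.
SNAPSHOT = [
    Proc(r"C:\exam\lockdown.exe", EXAM),
    Proc(r"C:\Windows\System32\svchost.exe", SYSTEM),
    Proc(r"C:\IM\pigeon.exe", PIDGIN),
    Proc(r"C:\IM\otherim.exe", UNLISTED_IM),
]

if __name__ == "__main__":
    for check in (name_blocklist_hits, hash_blocklist_hits, allowlist_violations):
        print(f"{check.__name__:22} {check(SNAPSHOT)}")
```

Only the allow-list flags both extra processes, which is why locked-down kiosks are normally built on default-deny application control rather than a list of known-bad names.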

Of course, if instructors or the Carmen/LockDown authors want to regulate the testing environment, they're going to have to do better than that. "Locking down" one of the many computers the student has access to is not sufficient to prevent the student from looking at notes while taking the exam, and if instructors want to regulate the testing environment, they should do so in person, the way that is proven to be effective.

Ok, so maybe that's stretching it. It is really hard to go between the 2 windows, but that's not the worst of it. This browser assumes the user only has access to 1 machine. It doesn't do anything about them logging onto another computer. So, let's say a student goes to his/her dorm, puts it on their desktop, then they can just pull out their laptop, log onto ResNet, and browse/IM for answers on a different computer while they take the test. If they don't have another computer, they could log on to the new browser from a lab computer while they use their laptop (or another lab computer) to look up answers. If they still can't, who is to say that the student can't just use someone else's computer or ask them for help? Who is to say they can't just run the browser inside a virtual machine? Even if by some chance the student doesn't have access to a second computer, there is no way locking down their computer is going to prevent them from looking off hard copies of references. The student could very well copy answers from a textbook, or their notes. If no such materials exist, then the student could simply go online beforehand, print off the materials, then use them while taking the exam. What good does preventing the student from looking up answers one way do if they can just use a different method? It's sort of like saying the student may not bring notes, but requiring the student to take the test directly out of the textbook and not watching/caring if they look up answers in the glossary. It's sort of like letting the student use a computer for the exam without watching them... wait... it is.

Respondus LockDown Browser is not an effective way to regulate what a student can and cannot do during an exam. It's frustratingly invasive, and ineffective, which sort of reminds me of Blu-Ray/HD DVDs[5] and Sony's "Content Enhanced" DRM rootkit[12]. I will admit, it does something. It does 2 things: it drives the user mad, and it keeps students from copying the page source. It does that quite well. However, the only way instructors can truly regulate what is done during an exam is to monitor it in person. Making the class use a "LockDown" program isn't going to do the trick. Content producers tried that to keep people from pirating music, and look where it's going. They make worse and worse restrictive software, driving people away from buying the software/music (in some cases encouraging people to go after pirated content[13], just to avoid the DRM), but the real pirates still crack all their product keys and encryption to this date. If it doesn't work for them, then why on Earth would it work any better in a school? I understand this technique didn't work too well for Dayton,[14] and ended up as a lawsuit over academic misconduct, which is what I thought OSU was trying to avoid... If the instructor doesn't want students using instant messaging programs, copying pages, or looking up answers, then the test should not be taken on a computer, but in person (personally I'd prefer to take it in person instead of on this program).

What can we do? OSU already bought a campus-wide license for us to use it, and they're going to make sure to get the most use out of it, right? If something gets an overall negative reaction in a university, unless it makes a significant profit for the institution, they won't keep it around for long. Let the coordinators of this project know how you feel about it by e-mailing carmenosu.edu. If you get spam filtered, as I did, send it using their form here. Let them know (politely) that the browser isn't going to do its job (NOTE: I do not recommend spamming or harassing them). Tell your instructors what they are really asking when they restrict you to using this browser. If you are an instructor who agrees with this article, then please don't place this burden on your students. Ask yourself first, "Would you want your grade based on the type of software that you use?" Would you be willing to use this piece of junk? If not, then please make this point to the directors that told you to use it. If you don't say anything, then they will continue as normal under the assumption that everyone is fine with it and their new program is working wonderfully. To the students reading this, let your instructors know we shouldn't be required to use a specific program to get a marginal grade, when the software otherwise has nothing to do with the content. Let them know that this regulatory software puts a burden on the honest students who are legitimately interested in learning the material, while it has little to no impact on the cheaters, because they will just find one of many ways around the "controlled environment" anyway. If you sit there Mahatma Gandhi once said "you must be the change you wish to see in this world." If we don't let OSU know what we think about being "locked down" from our own computers, they will not stop, and probably eventually try something worse. Who knows?
Maybe they'll try having you take a test with one hand on a fingerprint scanner the whole time and fail you automatically if you ever take it off or if it gets unplugged. Let's encourage OSU to find better things to spend our tuition on than bad software, before they wind up as confident in it as The University of Florida or the many other schools making students use it[15].
UPDATE: I received a response from carmenosu.edu, who thought my concerns were "unique". Read more here.

©Copyright 2007 by Brian Swaney.
Brian P Swaney