Experience with 'Secure' Exam Testing Software?

Durindana writes "My law school has decided using the Exam4 software from Extegrity, thinking it would be a good idea. I disagree; the software can only be used by students on their own laptops, and (of course) Exam4 is mono-platform. Anyone have experience using this software (e.g. security level, reliability) or, hopefully, successfully opposing its use? It strikes me as a hell of a disadvantage to students who'd like an alternative to hand-writing but - for some strange reason - don't own a Windows laptop."

To re-phrase

[psilosopher256]

To re-phrase this question: "What are the security vulnerabilities of my exam software, and how can I exploit them to do well on my test?"

Re:To re-phrase

[burns210]

now remember, when you cheat, only cheat so that MOST of the answers are right, if you get 100% on all your tests, you will look suspicious!

Re:To re-phrase

[Ed+Avis]

If you are running the software on your own laptop, then you don't need to care about 'vulnerabilities'. It's your laptop so you can run what you like on it anyway! For example, run the exam software in a VMware virtual machine or under a debugger. If you demonstrate this point to the exam organizers I'm sure they will rethink their plan.

To do online exams you need to control the PCs being used, as done with Lexis.

Gak, we use the same crap

[Fux+the+Penguin]

We use this software at my dental school, and I really, really don't like the school's policies on it. For now, you have the option of either using the software or still taking a book test. Thanks, I'll use the pencil and paper method. However, they're changing that in the future. The problem is the school gives you no leeway if you have a computer problem.

Their policy is:

Students choosing to type their exams must provide their own computers and may do so only if they have downloaded the software to their computer at least 24 hours prior to the beginning of the dental school's exam period, have tested the software and have a computer in working order. Links to the software will not be available for download at exam time. At the end of the exam, and within the time limits stated on the exam, students must choose the "Submit Electronically" function on the software and then promptly return to the examination room in order to return their examination questions and the exam envelope with a notation on both the exam and the envelope that the exam was taken and submitted electronically. Students who experience technological problems during the examination period should consider the amount of time remaining before continuing (or restarting) the exam in blue books. No additional time is provided for students experiencing technological problems. However, after the examination ends the IT Department will offer good faith assistance retrieving exam files from the student's computer. Given the exam software's ability to confirm time and submission in an encrypted fashion, the Office of Registration & Enrollment will accept an IT-certified copy of the file retrieved from the student's computer as a timely submission(if indeed it was submitted timely according to the electronic notation), if there is no evidence of tampering on the student's machine or file.

So, if their software is buggy or something...that's it, too bad, game over, you're screwed. If it's all the same, I'd rather use a pencil and piece of paper. I've never heard of a blue screen of death on a #2 pencil.

Check your school's policies on what happens when the software screws up. This may just be the standard form the company sends to every college to give to their students, or it may different for your school.

Re:Gak, we use the same crap

[judd]

Christ on a stick. That's a brilliant parody. It can't be for real.

Aren't you Americans supposed to be litigious? SUE! And don't forget to name Extegrity as co-defendants.

Anyone else see the irony?

[Kethinov]

Unless I'm missing something, this is hillarious. The way I read it, his law school is forcing everyone to get a Windows laptop to be able to run some exam software. The implications of this are fun to think about. For one, by forcing everyone on a single platform, the law school seems to be going against the Microsoft antitrust rulling. Secondly, doesn't using "exam software" on people's personal computers seem a little insecure? How long until someone brute forces all the multiple choice questions?

Re:Anyone else see the irony?

[1iar_parad0x]

I met a guy who tried to brute force the multiple choice questions. He had to retake the class.

Exam software??

[ewhenn]

How long until the masses discover "net send"??

Re:Exam software??

[Sk0Rn]

lol, That's how we get 100 on every test in my IT class. The best part: We learned about net send from the class.

Re:Exam software??

[Ianoo]

The worst part is how trivially easy it usually is to get to a command prompt under Win2K. I am no-longer at school but I did work at an establishment with a stupidly locked down network for some time and coming up with all sorts of tricks such as adding "cmd.exe" as a favourite using the Word "Save As..." dialog box then calling it up in Internet Explorer and watching it run...

dis/advantage

[forevermore]

My wife is applying to law school this year, and we've run into the same questions. Do we get her a powerbook now, and hope that her preferred school (U. Washington) continues to not use the software, or do we wait until school is about to start before we decide? Granted, we're now waiting because she got a new desktop machine and I can't afford to get her a laptop, but the question is still out there.

On the "disadvantage" side of things, exam4 looks particularly bad. Other pages allow students access to some of their notes (thus, making it advantageous to have a laptop) but no find/search functionality (or some other kind of feature-disabled option). Thus, you can get at the notes in digital form, all of them, but have to put up with a few restrictions. If all you get is a word processor (read: text editor, since it doesn't really do any extra word-processing things), there's not much advantage for the students. Of course, the professors will have the advantage of not having to read handwritten tests, etc.

Most law schools that use software like this also seem to consider it OPTIONAL. If your school is basically forcing you to buy/use a Windows-based laptop, they'd better be a top-tier school worth the extra $1500+...

Re:dis/advantage

So, uh, how did you decide who would be the 'wife'?

Re: dis/advantage

[TheSnakeMan]

I'm in law school now, and one thing you can count on is that everyone else is running Windows, and 99% of them are taking notes in Word (I've run into a few people who use WordPerfect).

In fact, law school is yet another place that being a Linux geek does not help you. When someone wants to borrow notes, you can bet that they're not gonna want yours, as yours aren't in Word format. This isn't so bad, except that of course, when it comes time for you to grab notes from someone else, your options may be limited by the fact that your notes haven't been circulated.

Any study aides that your wife purchases in software form are going to run on Windows. Bar review materials run on Windows. Patent bar review materials run on Windows.

Beyond law school, any firm that your wife works for is going to run Windows, she's gonna have to do Word documents, there's no way around it. Short of working for yourself, the law world works with Windows and Word. Even when working for yourself, you can believe that any software you want to use for billing, forms, etc. will be Windows-based.

The point of this is that your wife, if she's going to law school, is going to have to deal with Windows. At the top tier schools and otherwise.

And the monetary issue is laughable. I don't know how expensive UW is, but I'm going to a state school on half scholarship, and I'm still gonna be $55k in the hole when I get out. The $1500 for a laptop is pocket change in those terms.

If your wife is hellbent on sticking with Linux, going to law school might not be the best idea for her.

Re: dis/advantage

[ldspartan]

Blockquoth the parent:

Beyond law school, any firm that your wife works for is going to run Windows, she's gonna have to do Word documents, there's no way around it. Short of working for yourself, the law world works with Windows and Word. Even when working for yourself, you can believe that any software you want to use for billing, forms, etc. will be Windows-based.

Just to pick nits, I worked IT at a law firm in southern Connecticut for three years, and during that time they used Macs on the desktop, and the billing software was web-based (and I wrote it). :)

Re:dis/advantage

[whorfin]

I would think that paying $1500 for a new windows notebook in order to be able to graduate from Law school would be the smallest of your expenses.

It may even be less than the cost of your books for the first year.

Re: dis/advantage

[Mr.+Slippery]

When someone wants to borrow notes, you can bet that they're not gonna want yours, as yours aren't in Word format.

Uh, you're taking notes with such heavy formating that you can't export to plain text (or at least RTF)? Damn, you must type and mouse fast to be able to do that. (I can't type fast enough to make taking notes on a keyboard any where near practical, much less take notes with heavy formatting.)

Re:dis/advantage

[JeffTL]

I'd go for the Powerbook. If someone mandates a Windows laptop, you can get that too, but I doubt that'll happen.

exam on laptop+wireless+chat = profit!

[anon+mouse-cow-aard]

'nuf said....

DON"T CLICK ON LINK IN PARENT!!!

Tubgirl warning.

but were talking bout law skool

and you forgot the most important part:

????

UltraSecure Mode

[joelparker]

From the website, emphasis mine:

• "UltraSecure Mode" requires a special "Start Code"
  for invoking "UltraSecure Mode" and a "Secret Number"
  for unlocking the encrypted exam answers; and our nifty
  "ExamOpener" utility software that "semi-automatically"
  retrieves exams from the floppy disks...

And cheaters get "Double Secret Probabtion"
then a nifty fine of "One Trillion Dollars"
and jail time in an "UltraSecure" cell
guarded by "Sharks With Laser Beams"

Re:UltraSecure Mode

Well, at least they can claim that, yes their software is "Totally Secure"*.

.

.

*"Totally Secure" is a marketing term used in this context to describe the cardboard packaging and is not meant to imply and function or ability of the software. Unicorp Global Enterprises hereby disclaims all warranties or functionality or even if you'll get an empty box or not.

Bolcks access to other programs?

[CowboyNick]

Just like in UltraSecure Mode, access to all other material on the computer is blocked.

Run the exam software in Virtual PC. Anyone? This is like print-screen crack for MS Reader...

My experiences

[David+Price]

I've also encountered Extegrity's product, which is required at my law school. It does have at least rudimentary protection against the most obvious workarounds - when I tried to run it within VMWare, it "failed security check" and refused to operate. I'm not sure how exactly it checks to see if it's running in a virtualized environment - one project I have on my back-burner is to see how well it deals with bochs.

I'm also the proud owner of a PowerBook. My solution was to trade some other computer gear for a big old PC laptop with a mostly-dead battery that meets the system requirements. I plan to use that laptop only for taking exams. Aside from exams, my school is fairly platform-agnostic: papers are turned in on paper, and the only electronic interaction with professors is via email. The one kink that I have run into is profs and fellow students who insist on sharing their academic insight via Word .doc files. OpenOffice hasn't failed me yet, though, and of course Word for the Mac exists and is frequently available at a steep discount to students.

Gak, you're posting the same crap

[Gzip+Christ]

We use this software at my dental school

That's funny, because it looks like you lifted the policy that you quoted from The University of Maryland's Law School Policy. I think it's no coincidence that this is the first link that shows up when you search in Google for exam4 policy. Do not follow the advice of the original poster - it is bogus advice and he is lying. He is most definitely is not in "dental school" and does not use Exam4. He is making up crap like this to get extra karma, which is kind of funny, but he is spreading disinformation and plagairizing posts by others in the process. Read his journal if you don't believe me.

Re:Gak, you're posting the same crap

[Gzip+Christ]

Perhaps that's the same policy that EVERYBODY HAS FOR EXAM4.

Whatever. Lest anybody believe this "anonymous" coward, just read the original poster's journal or look at his comment history. His posts are all either made up or copied from somebody else.

You can't trust the client

[Muggins+the+Mad]

As someone who also develops examination software, and who is doing academic research into computer security, I have to say that this is a ridiculous idea. Aside from requiring people to have specific hardware and purchase specific (pricey, but I guess they're law students...) software, the security issues here are horrendous.

The *only* ways to do this kind of thing is either have the software running on trusted hardware like a previously set up computer lab, or run the software on a trusted server and give the *untrusted* clients only a thin-client (citrix/ts/vnc/web browser). AND you have to have someone supervising them to make sure they've smuggled no notes in and aren't cut'n'pasting from another app.

Surely a law school, of all places, would have someone who knows a bit about information security on staff?

This software looks like exactly the kind of product developed by someone with no security training outside Microsofts VB tutorials.

Exactly the kind of software not to use for anything important - and Exams at Law School are important - there is a huge amount of money and future careers involved.

- Muggins the Mad

Re:You can't trust the client

[ForestGrump]

No, the plan is that these students graduate.
then they turn around and sue the school back for the tution cuz they were forced into doing something "illegal"- which was being forced to use doze.

-Grump

Re:You can't trust the client

[JamesP]

Surely a law school, of all places, would have someone who knows a bit about information security on staff?

I am sure they have several DMCA specialists....

Complex solutions

[bobthemuse]

No matter how great the software is, it will still be running on a platform which can have problems (no matter what OS). I'm surprised that nobody is manufacturing small wireless devices solely for taking such tests. Make them cheap enough that the school could afford to buy them for everyone and hand them out before each exam. Student logs in, registers answers. Wouldn't be difficult to transmit results as you go, so in the event of a hardware or network failure, no information would be lost. Grab another one, log in, continue.

How long until a PDA becomes cheap enough to do this? Install a customized open source OS which doesn't support anything but this app, you'd be set. Most of them already have the tools, UI, encryption, networking, etc. You could do this today with ~$100 PocketPCs. If someone could find a way to do this on old PalmPilots or Visors.....

Re:Complex solutions

[FCKGW]

Just hope they have some decent authentication/encryption mechanism for the wireless transmission (yeah, I know you already mentioned encryption), or else someone sitting outside with a laptop and airsnort/kismet/ethereal/whatever will get all the answers. This is especially bad if said person will be taking the same exam in the next day or so.

Sue!

By forcing you to use windows software, the law school is violating your civil rights! Openly discriminating against a group of computer users, just because they carry around laptops with a shiny Apple logo, is no different the discriminating against a group because they have dark colored skin wrapped around their bodies.

What kind of name is "Extegrity"?

[Feztaa]

I'm surprised that nobody else has brought this up, but hear me out...

If "interior" is the opposite of "exterior", then what is the opposite of "extegrity"? :)

Re:What kind of name is "Extegrity"?

[ottothecow]

I wish I had mod points...its funny or insightful or at least interesting...MOD UP

Re:What kind of name is "Extegrity"?

[David+Price]

I figured that one too, when I saw the name. It might not mean "the opposite of integrity" but it sure does draw a nice distinction.

If integrity is right behavior due to moral values within, extegrity is right behavior due to a system of rules imposed from without. Sounds about like what the product they're hawking is for.

Re:What kind of name is "Extegrity"?

[Feztaa]

If integrity is right behavior due to moral values within, extegrity is right behavior due to a system of rules imposed from without. Sounds about like what the product they're hawking is for.

That's an interesting take. I guess that means that if you have strict principles that guide your behavior, you have a lot of integrity; but if you are simply a law-abiding person with few principles, you have a lot of extegrity... :)

Re:What kind of name is "Extegrity"?

[sharkey]

It might not mean "the opposite of integrity"

Maybe it's "ex" as in "no longer". Eg., They used to have integrity, but they no longer do.

Locked down environment

[alman]

When I was going to school, the Sys Admin had a special enviornment setup on the Solaris server, that had very minimal tools. We would use a thin client to get access (new accounts too) to the resources to do the exam. The exams were 4 hours and we did not have any previous time with the enviornment. Worked good, if you spent any time trying to find ways around the system, you just ate into the exam time.

Laptops?

[Tom7]

Don't law schools often require or subsidise the purchase of a specific supported laptop, for precisely this kind of reason? If the students don't have windows laptops, or laptops at all, how can they be expected to take tests at all?

Orthogonal

Oh, maybe you haven't studied enough yet to know that niggers are evil...

Remember that not all people with dark skin are niggers, and not all niggers have dark skin.

Re:Orthogonal

Did he claim otherwise? In fact, did he mention skin color at all?

Security joke

This exam software is a joke. I just used Windows Media Encoder to encode an entire movie of the practice test I just took. Gimme a F*** break there is no such thing as secure online exam software. I'm a developer for a Course Management system and I've seen a lot of these "secure" testing platforms. They can all be beaten in about 10 minutes at the most. The real story here is that this company is marketing this exam software as 100% "secure" to people who don't know better. What a joke.

Marketriod Website

[gcaseye6677]

Since their entire website is written by a marketriod (UltraSecure mode), to be read by paraniod school administrators, you can bet this software is all hype, no substance. It will be cracked 10 minutes after a school announces it will be used. They may have some success running it securily in a supervised computer lab, but if students are expected to install it on their home computers or in an open lab, good luck.

technically better solution

[penguin7of9]

Running software on untrusted hardware can never really be secure. If the school wants to do this sort of thing, they need to provide the machines.

They could either buy a set of laptops specifically for exams, or they could buy some low-end machine whose primary function is word processing. Examples are the Dana AlphaSmart and the LaserPC. A simple cold boot will bring them back into a known configuration. Buying a few dozen of those may even be cheaper than a site license for the "Extegrity" software.