Moodle

The secure window thing was not implemented by me, I don't understand how it works, and my employer has no interest in it. Therefore, I can't really afford to take time to fix it myself. However, I know it is important to a lot of people, so hopefully someone can come up with a patch.

If someone does come up with a solution, I will, of course, get it checked in quickly.

Hi Tim,

may be that there isn't a solution in the moment. But if there is a feature that doesn't work, it should be disabled in actual version. What do you mean?`

I'll publish it in the forum?

Do you know who implemented this feature?

I think Timothy Takemoto implemented it - he was paid to do so by somebody,

hi Tim/Ralf,

We are using extensively the "Secure Window" mode in all our proctored exams (mid-terms and finals). Out of the 900 courses (just for this semester), 30 courses are using quizzes with "security window" and the trend to use quizzes here is getting higher quickly.

We're still running 1.6.5 and definitely, we cannot move to 1.8.x (or 1.9?) by the end of January 08 if the secure window doesn't work. I hope we'll get meanwhile a fix for that.

I don't think anything has been done to break 'Secure' mode in 1.8.2 - so it should work exactly the same as in 1.6.x. It is just that no-one has been maintaining it, and in particular, IE7 does not like the JavaScript used.

hi Tim,

Does this mean that the problem of this "secure window" bug is only with IE 7?
In that case, we can live with it by telling instructors and lab admins to use only IE 6 for proctored quizzes.

I really don't know. We never use 'secure' window. What it does is a mystery to me. However, it does matter to a lot of other people, so I am really hoping that the open source 'scratch your own itch' thing will kick in, and that someone with an interest in it will investigate and fix any problems. I will of course, apply any patches I get to core Moodle.

I just tested it on a 1.6.3 system and found that It didn't work under Opera 9.2 and Moodle 1.6.3. Also some widgets disable the 'secure window' feature. .

Dear Ralf

Thanks for letting me know about this.

I did not really write it. I paid moodle.com to implement it based on my hack (theme.zip here
http://moodle.org/mod/forum/discuss.php?d=12821
which merely compiled code by Rob Butner and Indjana Dzons
http://moodle.org/mod/forum/discuss.php?d=2425&parent=17556

Despite my entreties, however, the Moodle javascript was (I believe) never as agressive as the original in the original empties the clipboard buffer every second and this is the most effective any copying measure I know. It even prevents screen shots using the print screen key, AFAIK.

More modern versions of Internet explorer warn the user that this is happening but accepting it is a condition of entry.

However, as far as I know even the most effective Rob Butner version did not work on Opera browsers.

I am not sure why it should have stopped working (other than in Opera) but as someone says above, more recent versions of IE are more likely to complain. And as you say, there are some browser add ins, for instance for maxthon browser that will disable specifically copy protection (while leaveing javascript intact). I am not sure if these plugins affect the clipboard clearing mechanism in the Rob Butner version.

The secure window works in tandem with the #is java script on# checker created by I think Vy which opened another windown on login if a secure window is being used somewhere. This warned users to allow popups and switch on javascript. I think that the warning system is not working in some popup blocked enviroments.

You are right that ctr plus tab allows students to change window. I am not sure how that will allow them to cheat but it is not a good idea. I would like it if all control characters were disabled.

The javascript in Rob Butner's any copying measure can be decripted using the decryption thml page attached to my post here
http://moodle.org/mod/forum/discuss.php?d=13828&parent=67237
Here we go, I have decrypted it (this is the ROB BUTNER, not the moodle version)
<SCRIPT LANGUAGE="JavaScript"><!--
hp_ok=true;function hp_d00(s){if(!hp_ok)return;document.write(s)}//--></SCRIPT>
<SCRIPT LANGUAGE="JavaScript"><!--
function hp_ne(){return true}onerror=hp_ne;function hp_dn(a){return false};function hp_de(e){return(e.target.tagName!=null&&e.target.tagName.search('^(INPUT|TEXTAREA|BUTTON|SELECT)$')!=-1)};function hp_md(e){if(e.which==1){window.captureEvents(Event.MOUSEMOVE);window.onmousemove=hp_dn}}function hp_mu(e){if(e.which==1){window.releaseEvents(Event.MOUSEMOVE);window.onmousemove=null}}if(navigator.appName.indexOf('Internet Explorer')==-1||(navigator.userAgent.indexOf('MSIE')Unable to render embedded object: File (=-1&&document.all.length) not found.=0)){if(document.all){document.onselectstart=hp_dn}else if(document.layers){window.captureEvents(Event.MOUSEUP|Event.MOUSEDOWN);window.onmousedown=hp_md;window.onmouseup=hp_mu}else if(document.getElementById&&!document.all){document.onmousedown=hp_de}}if(window.location.href.substring(0,4)=="file")window.location="about:blank";function hp_nls(){window.status="";setTimeout("hp_nls()",10)}hp_nls();function hp_dp1(){for(i=0;i<document.all.length;i++){if(document.all[i].style.visibility!="hidden"){document.all[i].style.visibility="hidden";document.all[i].id="hp_id"}}};function hp_dp2(){for(i=0;i<document.all.length;i++){if(document.all[i].id=="hp_id")document.all[i].style.visibility=""}};window.onbeforeprint=hp_dp1;window.onafterprint=hp_dp2;document.write('<style type="text/css" media="print"><!--body{display:none}--></style>');function hp_dc(){hp_ta.createTextRange().execCommand("Copy");setTimeout("hp_dc()",300)}if(navigator.appName.indexOf('Internet Explorer')==-1||(navigator.userAgent.indexOf('MSIE')Unable to render embedded object: File (=-1&&document.all.length) not found.=0)){if(document.all&&navigator.userAgent.indexOf('Opera')==-1){document.write('<div style="position:absolute;left:-1000px;top:-1000px"><input type="textarea" name="hp_ta" value=" " style="visibility:hidden"></div>');hp_dc()}}function hp_ndd(){return false}document.ondragstart=hp_ndd;//--></SCRIPT>

I am afraid I don't have the money to use more recent versions of moodle. I am afraid I will not be able to pay for an upgrade even if I had some more funds because the function is working well enough for me in 1.6.3 other than in Opera. I estimate that only 1 percent of my users use Opera.

I am really surprised that any employer using quizes would not want to provide this option. As I have said many times on the forums it seems to me that some religious proscription is at work: "Thou shalt not interfere with the power of the computer" My guess is that the end users (teachers) are not being given the chance to express their desire to prevent student cheating as far as possible, **even if only to a limited extent. I suggest that if teachers were polled there would be sure to be some teachers that would want this feature due to the time it takes to make quizes and desirability that there be **as few* "brain dumps" (all the right answers) *as possible*.

Tim

There is a further problem with the secure window in Moodle 1.7 (and possibly later versions) because it produces an endless stream of "Do you want to allow this page to paste information from your clipboard" dialog boxes.

http://moodle.org/mod/forum/discuss.php?d=86907 has a more detailed description of the problem, and information on its exact cause along with a quick workaround (basically disabling some of the security).

Chris

I've never been a fan of this feature since I think it's a bit misleading in that it is so easily circumvented e.g. by using Opera or various power user features of Firefox. If you can't control the browser they are using then this doesn't really add anything but a false sense of security.

Which leads me to my constructive suggestion: perhaps the Moodle community could come up with some documented steps to create a locked down version of Internet Explorer or Firefox that's suitable for taking Moodle quizzes and prevents the kind of abuse people are seeing. If you've used IE in a corporate environment you may be familiar with the ability to set what users can do.

There's a commercial product here for WebCT and others that attempts similar things though I think it, similarly, mostly claims things it can't deliver with any certainty . Some of the things it tries to do (e.g.stopping you using other apps) should really be done at the OS level: http://respondus.com/products/lockdown.shtml

You'd probably be 90% there if you just used Mozilla Prism (http://labs.mozilla.com/2007/10/prism/) set up to go directly to the Quiz URL and got them to log into the OS as a user with very few priveleges and only that app installed(I know there's an easy interface for stuff like that is built into OS X and Vista, usually called "parental controls" and much more complex and powerful stuff built into Linux and most Windows versions). That's what I'd be looking into if I wanted to combat this kind of thing.

Just spotted that these two bugs are essentially the same. Have transferred the watchers. If you care, you will have to transfer your votes.

I still have no idea what to do about this. (And I still - speaking personally - think secure mode is a bad idea. As quiz maintainer I may not have that luxury.) What I really hope is that the open source, scratch-your-own-itch, or with-enough-eyes-all-bugs-are-shallow, will lead to a solution without me lifting a finger.