Critical Analysis of Respondus LockDown Web Browser
This past year, the Carmen team got a new program for all of us to use. The catch is, it sucks, and your instructors can hold your grade in the balance if you don’t play with their new toy[1]. The program is inappropriately named “Respondus LockDown Browser,” and it is supposed to be the next generation of “secure” test taking. While I passionately despise those who earn their marks unduly by plagiarism, forgery or exam shoulder-surfing, this program is invasive and outright stupid. Take a look at the demo.
This is exactly what media vendors like to call Trusted Computing, and what the GNU project describes as [Treacherous Computing](http://www.gnu.org/philosophy/can-you-trust.html ““Trusted Computing,” brought into perspective by the GNU foundation”). Trusted/Treacherous Computing (depending on who you ask) is, by design, about controlling what a user can and cannot do with their own computer: the machine is built to obey the company that wrote the software rather than its owner. I don’t have a problem with regulating what students can and cannot do when they take exams, but we should not be expected to use this junkware, especially not without some alternate means of taking the exam. It’s either take the test in a noisy computer lab, or install the program on your own computer. I can’t vouch for anyone else, but personally I certainly don’t like those options, and would much rather take my exam in person.
First of all, this is the first time anyone at this school has been able to require a specific piece of software just to earn a grade. Unless the syllabus specifically states that you must use a particular proprietary program, as some earlier CSE courses did with Microsoft Office, an instructor cannot hold it against you for submitting a final paper in PDF format instead of Microsoft Word. They may recommend that we conform to the Microsoft way and use the standard XP/Vista with Microsoft Office, but they do not require it; as long as an assignment is in a generally readable format, such as PDF, you cannot be penalized for not using the latest and greatest Office format. Statistics classes sometimes use SPSS, but the students are not required to use it. In Math 152, students can work calculus problems with spreadsheets, but OpenOffice.org is acceptable. While you may not get the same support for it from OIT, you can still connect to OSU’s network with a Linux operating system (just not an out-of-date one, as per MCSS). They don’t even specifically require you to use their corporate anti-virus, which you can get for free here. Now they are requiring a specific program, upon which you are graded, and that program needs to be run in a proprietary operating system. You need look no further than the Ubuntu forums to find users complaining of being discriminated against for their choice of operating system. I suppose a more appropriate name for this new toy is “Respondus™ Lock-Out Browser” - I’m willing to negotiate rights to the trademark if Respondus is interested; it may earn some perks from Microsoft…
Violating their norm of letting you use whatever software you choose, and of making their web pages W3C-compliant, isn’t the only concern this program raises, though. One must ask, as I did when I first saw the above video, what happens if the browser, the web page, or something in between malfunctions? At the time, I had taken very few Carmen quizzes, and didn’t have access to any, much less one requiring me to play with OSU’s new anti-cheating toy, so I couldn’t really join in on their fun, but that didn’t stop me from closely and thoroughly investigating the matter. I found a number of ways in which a student could bypass its restrictions, some of which I’ll cover later on, and used some of them to simulate just what would happen in such an event. The program restricts use of the Windows Task Manager, most commonly reached through “Control-Alt-Delete”. Since I normally use Linux as my primary operating system, and use Windows mainly as something to feed virus samples to anti-virus products so I can test their definitions, I had a few tools on hand to force processes to quit and make a few other deep cuts into the operating system. To perform the test, I launched AVG Anti-Spyware between the time I launched Respondus LockDown Browser and the time it fully started up. As the browser filled my screen, removed the Taskbar (Start Menu and System Tray), and planted its other generally invasive hooks, AVG opened on top of the browser. I then used AVG’s process monitor to terminate “LockDown.exe”, and found that its hooks remained in effect despite the program having closed. The Taskbar was still gone, right-clicking had no effect, and pressing [Ctrl]+[Alt]+[Delete] or [Alt]+[F4] opened an error message saying the operation had been disabled by my administrator (which was funny, because I am the administrator of my laptop, and I should be allowed to properly shut down Windows if I want).
After restarting Windows, right-clicking worked again and the Start Menu was back, but I was still unable to shut down Windows or open the Task Manager. Seriously. The option to shut down Windows had been removed from the Start Menu. Essentially, I was permanently forbidden from using the single most common part of Windows, Control-Alt-Delete, as well as from shutting down Windows. I noticed this also happens if the computer is unexpectedly shut down while the program is running, which on a laptop means removing the battery and unplugging it. This, along with the fact that you are forbidden from closing the browser during a quiz, makes you completely dependent on everything working properly, with your operating system’s stability hanging in the balance. As most programmers know, no program is perfect, and there will be at least some problems, so this program will make damaging changes to people’s computers, people who don’t have a choice about using it because their grades depend on their compliance. I encountered one such error, and while I was fortunately not required to use this program to take the quiz at that time, it does raise concerns. I took a screenshot here; pardon the strange interface for those who are not familiar with Linux. You’ll notice an “Internal server error” in the bottom-left corner. Upon encountering this, I was unable to save any more responses or submit the quiz. I actually had to e-mail the screenshot to the TAs managing the quiz and have them grade the e-mail instead. Now, what if I had been required to use Respondus LockDown Browser to take the quiz? I would have been “locked in” a dead web page, prevented (supposedly) from using any other programs or closing this one, and left with only the option of improperly shutting down Windows, which, as mentioned before, results in problems.
Basically, to get my computer back, I’d have to bite the bullet and let the restrictions on my computer become permanent. I would personally like a response from OIT on this matter. The first time I discovered this, I asked them to fix it; their program, they clean up the mess, right? Plus, I didn’t expect it to happen and didn’t have the time to re-install. They were able to help me find an article on restoring the Task Manager, but not on restoring the ability to shut down Windows. I was able to restore that with one of my security applications, Spybot S&D, but only because I was lucky enough to have installed it earlier and it detected a certain system change. I sent 8-Help an e-mail regarding the matter, so they could assist other users who encounter the same problem by creating a guide on their site, but instead of escalating my ticket I received a response from a Carmen administrator telling me to send my concerns to Respondus themselves, who are clearly not going to do anything about it. I also sent them this video in my message, in response to their claim that they did not believe the problems I was facing were due to their kiosk browser, but I wasn’t intent on reaching the Carmen admin at that point.
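The symptoms above (a “disabled by your administrator” error on Ctrl+Alt+Del, Task Manager refusing to open, and Shut Down missing from the Start Menu even after a reboot) are exactly what Windows shows when a handful of well-known Explorer/System policy values are set in the registry. The page does not say which mechanism the kiosk browser uses, so that is an assumption here; this is an added example, not code from the article, from Respondus or from OIT. It audits those values, reports any that are still in force, and can delete them. A kiosk program that sets such values on startup has to clear them on exit; killing the process or pulling the battery skips the clearing step, which is consistent with the restrictions surviving a reboot.

```python
"""Audit the Windows policy values behind "disabled by your administrator".

Added example, not the page's or Respondus' code. Assumption: the restrictions
the article describes are the standard Explorer/System policy values below,
which any kiosk program would set on startup and clear on exit.
"""
from typing import Dict, List, Optional, Tuple

try:
    import winreg  # standard library, Windows only
except ImportError:  # elsewhere only the pure functions are usable
    winreg = None

Key = Tuple[str, str, str]  # (hive, subkey, value name)

POLICIES_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# Well-known policy values; a non-zero DWORD enables each restriction.
_RESTRICTIONS = (
    ("System", "DisableTaskMgr", "Task Manager blocked (Ctrl+Alt+Del / Ctrl+Shift+Esc)"),
    ("Explorer", "NoClose", "Shut Down removed from the Start menu"),
    ("Explorer", "NoLogoff", "Log Off removed from the Start menu"),
    ("Explorer", "NoViewContextMenu", "right-click context menus disabled"),
)

# Both the per-user and the machine-wide hive are checked; either one suffices.
POLICY_VALUES: Dict[Key, str] = {
    (hive, f"{POLICIES_SUBKEY}\\{sub}", name): desc
    for hive in ("HKCU", "HKLM")
    for sub, name, desc in _RESTRICTIONS
}


def leftover_restrictions(snapshot: Dict[Key, Optional[int]]) -> List[str]:
    """Given {key: value, or None if absent}, return the restrictions still
    in force as "HIVE: description" strings, in POLICY_VALUES order."""
    found = []
    for key, desc in POLICY_VALUES.items():
        if snapshot.get(key) not in (None, 0):
            found.append(f"{key[0]}: {desc}")
    return found


def _hive(name: str):
    return {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[name]


def _as_int(value) -> Optional[int]:
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def read_snapshot() -> Dict[Key, Optional[int]]:
    """Read every value in POLICY_VALUES from the live registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is unavailable; run this on the affected Windows machine")
    snapshot: Dict[Key, Optional[int]] = {}
    for hive, subkey, name in POLICY_VALUES:
        try:
            with winreg.OpenKey(_hive(hive), subkey) as key:
                value, _kind = winreg.QueryValueEx(key, name)
                snapshot[(hive, subkey, name)] = _as_int(value)
        except FileNotFoundError:  # key or value absent: not restricted
            snapshot[(hive, subkey, name)] = None
    return snapshot


def clear_restrictions(snapshot: Dict[Key, Optional[int]], dry_run: bool = True) -> List[Key]:
    """Delete each set value; returns the keys that were (or would be) removed.
    HKLM entries need an elevated prompt."""
    removed = []
    for key, value in snapshot.items():
        if key in POLICY_VALUES and value not in (None, 0):
            hive, subkey, name = key
            if not dry_run:
                with winreg.OpenKey(_hive(hive), subkey, 0, winreg.KEY_SET_VALUE) as k:
                    winreg.DeleteValue(k, name)
            removed.append(key)
    return removed


if __name__ == "__main__":
    import sys
    snap = read_snapshot()
    for line in leftover_restrictions(snap) or ["no kiosk restrictions found"]:
        print(line)
    if "--fix" in sys.argv:
        for key in clear_restrictions(snap, dry_run=False):
            print("removed", key)
```

Run it without arguments first to see what is set; `--fix` deletes the values, after which Explorer has to be restarted (or the user logged off) for the Start menu to pick up the change. Checking the hives directly is the point: an anti-spyware tool happened to notice the change for the author, but nothing about these values is hidden, and a student who knows where to look does not need to reinstall Windows.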
Ok, so Ohio State is going to great lengths to stop cheating, which doesn’t surprise me, and in general they should, because cheaters suck. However, this program is not only unsafe, but ineffective. Before I start describing how to circumvent its restrictions, let me point out the easiest way of completely bypassing it, which this program can never stop: use another computer. It can be a lab computer, a desktop/laptop combination, or one borrowed from a friend or roommate, and students can take turns cheating. Instructors who hesitate to give tests online sometimes fear students’ ability to cheat when they aren’t monitored, but when they hear of a new program that is supposed to solve this age-old problem while they relax and focus on their research, letting Carmen do the grading, they feel relieved and reassured. This program is not going to stop students from taking pictures of the test with their cell phones; it’s not going to stop students from taking group tests or paying another person to take the test for them; it’s not going to stop students from looking at notes or textbook material; it’s not going to stop students from accessing online resources to find answers elsewhere; and it’s not going to stop students from copying answers from elsewhere. You are not going to stop cheating by telling students to take the quiz in their dorms, unsupervised, on their personal computers, no matter what kind of junk you force them to install. Ohio State clearly did not research this in advance. The number of high-profile universities, which are supposed to consist of members intelligent enough (no offense) to know better, that got suckered into this scam, and still trust the program to solve the cheating problem, proves to me without a doubt the inconceivable power of advertising.
On a more serious note, if an instructor wants to be certain that there is no cheating, they have to do it the old-fashioned, proven way and actually watch for cheaters. If someone from TELR is reading this, please heed my words and research products before buying them, especially by listening to their unsatisfied users. Now on to how easily it can be circumvented from within the affected machine.
In a previous version of this article I covered advanced ways of bypassing the restrictions, which confused some users, so I’m just going to touch on some of the more basic ones. If you want the original version, click here. Upon startup, Respondus LockDown Browser checks your running processes against a list of “known cheating programs”, such as “aim.exe”. Opening the main executable in Notepad will predictably display a bunch of garbage, but among it you can find the list of blacklisted programs in plain text. A funny note: after I posted my video of Windows getting hosed by Respondus LockDown Browser, they updated it to prevent use of AVG. I guess Respondus doesn’t like me exposing how crappy their program is on public websites, because I can’t think of any other good reason they would require users to terminate background processes that help protect their computer. Anyway, the funny thing about this algorithm is how easy it is to bypass. All a user has to do is take the blacklisted file, such as “aim.exe”, rename it to something not on the list, such as “xyz.exe”, and double-click it; Respondus will ignore it. Note: while their updates are a little disorganized, a current version also checks a few other variables which are harder to change. Of course, you could always just use the old version, not to advocate cheating. I have found several other holes, such as running arbitrary programs during a session, opening links in other browsers, or moving the window around to access your desktop, and two particularly “critical” ones remain unpublished, as a reminder to Respondus that there are still easy ways to bypass their restrictions. A further hole is in the design itself: a blacklist, like any signature-based definition of “malicious”, is guaranteed to have false negatives.
This is a concept discussed in CSE 551, in which I am currently enrolled, and it is common knowledge among anti-virus vendors researching heuristic analysis. For example, I found a really nice open-source screenshot program, which is not widely known, that automatically takes screenshots at a user-specified interval; it did wonders as far as photographing tests is concerned, because Respondus didn’t recognize the program. There may be infinitely many programs like this, and Respondus is never going to block them all, because someone will just come along and write another.
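The two preceding paragraphs make three points that are easier to see in code: the blacklist can be read out of the executable as plain text, a name-only check is defeated by renaming the file, and even a stronger signature (hashing the program image, the obvious next step for a vendor) still cannot flag a tool it has never seen. The following is an added example, not Respondus code; the fake executable, the blacklist and the process table are all constructed here to reproduce the behaviour the article describes, and the hash-based check is an illustration of the general point about signatures, not something the page says the product does.

```python
"""Why a process-name blacklist has false negatives.

Added example, not Respondus code. Everything below (the fake kiosk
executable, the blacklist read out of it, the process table) is constructed
to reproduce the behaviour the article describes.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Pull runs of printable ASCII out of a binary, as the `strings` tool does.
    This is how a plain-text blacklist shows up when an executable is opened
    in Notepad."""
    out, run = [], bytearray()
    for byte in blob:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str     # file name shown in the process table
    image: bytes  # file contents (constructed stand-ins for real binaries)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flagged_by_name(procs: Iterable[Proc], blacklist: Set[str]) -> List[int]:
    """The check the page describes: case-insensitive exact name match.
    Defeated by renaming the file."""
    names = {n.lower() for n in blacklist}
    return sorted(p.pid for p in procs if p.name.lower() in names)


def flagged_by_hash(procs: Iterable[Proc], hash_blacklist: Set[str]) -> List[int]:
    """Stronger signature: identify the binary by content, not file name.
    Renaming no longer helps, but an image not on the list still passes."""
    return sorted(p.pid for p in procs if sha256(p.image) in hash_blacklist)


# Constructed stand-in for the kiosk browser's executable: opaque bytes with
# the blacklist embedded as NUL-separated plain text.
FAKE_LOCKDOWN_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\xff\xff"
    + b"aim.exe\x00msnmsgr.exe\x00avgas.exe\x00"
    + b"\x01\x02\x03"
)
NAME_BLACKLIST = {s for s in printable_strings(FAKE_LOCKDOWN_EXE) if s.endswith(".exe")}

# Constructed process table: the same AIM binary under its real name and
# renamed to "xyz.exe" as the page suggests, plus an unknown screenshot tool.
AIM_IMAGE = b"MZ constructed stand-in for aim.exe"
SHOTS_IMAGE = b"MZ constructed stand-in for an obscure screenshot tool"
PROCS = [
    Proc(1000, "explorer.exe", b"MZ constructed stand-in for explorer.exe"),
    Proc(1234, "aim.exe", AIM_IMAGE),
    Proc(1235, "xyz.exe", AIM_IMAGE),
    Proc(1300, "shots.exe", SHOTS_IMAGE),
]
HASH_BLACKLIST = {sha256(AIM_IMAGE)}


def demo() -> dict:
    return {
        "blacklist": sorted(NAME_BLACKLIST),
        "by_name": flagged_by_name(PROCS, NAME_BLACKLIST),
        "by_hash": flagged_by_hash(PROCS, HASH_BLACKLIST),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
    # by_name misses the renamed copy (pid 1235); by_hash catches it but,
    # like any blacklist, still misses the never-before-seen tool (pid 1300).
```

The name check flags only pid 1234, the hash check flags 1234 and 1235, and neither flags 1300. Hashing closes the renaming hole, but the screenshot program the article mentions is the third case: a blacklist can only ever describe what its author has already seen, so an allowlist of permitted processes, or simply a human proctor, is the only way to get rid of the false negatives.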
Speaking of writing programs, I really hope they don’t expect computer science majors (including myself) to use Respondus LockDown Browser. The use of this proprietary program raises a concern about requiring certain operating systems, despite the policy of not requiring specific software, since it only runs on Windows XP (when I last tested it in Vista, it was extremely unstable) and Mac OS X. You will have many users running Linux and other less common operating systems that this program can’t run on. You will have students running Windows XP inside another operating system (picture), with full access to online resources; you will have students locked out because of the operating system they use (those who don’t run virtual machines); you will have students discovering all sorts of ways around it; you will have students spoofing LockDown Browser sessions on Carmen; you will have students modifying the code; and such students will be particularly unhappy when they are told they have to use a certain proprietary operating system.
The recommended installation procedure for Respondus LockDown Browser requires that ActiveX be enabled as you follow a link to their download site, which isn’t even in OSU’s domain. ActiveX, Microsoft’s Windows-only mechanism for letting a web site install and run native code (typically compiled C++) on your machine with your own privileges, is inherently unsafe. I’ve seen Windows get bit in the rear by it, and have helped users clean it off their machines many times. When a user asks me about sites asking to run ActiveX, I tell them to “just say no”. Now, surely OSU must understand the nature of this mechanism, do they not? If they are as dead-set on securing the network as they claim to be, then why on Earth are they telling users to run ActiveX? Here is a website, though out-of-date, that accurately describes how ActiveX has made Outlook an extremely unsafe program. If anyone doesn’t believe me, here is where you install the silly program. If ActiveX isn’t enough of a bite, they even use Java applets to install it on Macs. Take a look. I guess Respondus must for some reason have been too good to simply link to a .dmg, .exe, or .msi file with a plain HTML anchor tag. That’s what they think of W3C standards, I guess.
All of this summed up, Respondus LockDown Browser is not an effective way to stop cheating. It is frustrating for students who are genuinely interested in the material and have to put up with a lousy program to gain access to it, and it is completely ineffective at its intended purpose. This reminds me of copy protection, a.k.a. DRM. Look where DRM is going. Content producers have tried many times to regulate what users can do, and you wind up with the true, hardcore pirates cracking it, and the legitimate users resorting to P2P just so they can avoid all the invasive restrictions. They make worse and worse DRM controls, run rampant suing single mothers with children living off SSI for sums that will drop your jaw, and drive more and more people away. The true cheaters are always going to find a way to cheat, while the honest students are the ones who suffer by having to use this piece of crap; just as the true pirates will always crack the copy protection, and the legitimate customers are the ones who suffer from not being able to play songs in “unauthorized” media players or move them to other devices. If it doesn’t work for the multi-billion-dollar companies, then why the Hell does OSU expect it to work for them? It didn’t work well for the University of Dayton…[2]
What can we do? OSU already bought a campus-wide license for us to use it, and they’re going to make sure to get the most use out of it, right? If something gets an overall negative reaction in a university, unless it makes a significant profit for the institution, they won’t keep it around for long. Let the coordinators of this project know how you feel about it by e-mailing carmen@osu.edu. If you get spam-filtered, as I did, send it using their form here. Let them know (politely) that the browser isn’t going to do its job (NOTE: I do not recommend spamming or harassing them). Tell your instructors what they are really asking when they restrict you to using this browser. If you are an instructor who agrees with this article, then please don’t place this burden on your students. Ask yourself first: would you want your grade based on the type of software that you use? Would you be willing to use this piece of junk? If not, then please make this point to the directors that told you to use it. If you don’t say anything, then they will continue as normal under the assumption that everyone is fine with it and their new program is working wonderfully. To the students reading this: let your instructors know we shouldn’t be required to use a specific program to get a grade, when the software otherwise has nothing to do with the content. Let them know that this regulatory software puts a burden on the honest students who are legitimately interested in learning the material, while it has little to no impact on the cheaters, because they will just find one of many ways around the “controlled environment” anyway. If you just sit there and say nothing, nothing changes. Mahatma Gandhi once said, “you must be the change you wish to see in this world.” If we don’t let OSU know what we think about being “locked down” from our own computers, they will not stop, and will probably eventually try something worse. Who knows?
Maybe they’ll try having you take a test with one hand on a fingerprint scanner the whole time and fail you automatically if you ever take it off or if it gets unplugged. Let’s encourage OSU to find better things to spend our tuition on than bad software, before they wind up as confident in it as The University of Florida or the many other schools making students use it[3](http://www.respondus.com/products/campus_list.shtml “Respondus' list of schools using their “LockDown” browser”).
I received a response from carmen@osu.edu, who thought my concerns were “unique”. Read more here.
Resources: