Telling Everyone to Just Uninstall Java was a Terrible Idea

Ezra F notes on his blog that the Department of Homeland Security has recommended that everyone uninstall Java from laptops and desktop computers. Java applets have become a key vector for malware. Oracle seems to be struggling to correct these persistent problems.

The DHS recommendation is terrible. It replaces a known disruption vector with an unknown one. We can model malware outbreaks and use quarantine and cleanup tools to manage them. It is expensive, but we have a pretty good idea of how expensive. Enterprises and ISPs can do more with intrusion detection systems, firewalls and other security technologies to reduce these costs and the impacts of these outbreaks. Java isn’t the only vector for malware, and if we do all remove it, hackers will find something else. The proposal to uninstall Java on all PCs immediately will not yield the desired security benefits, and it brings a lot of unknown costs into the system.

Java applets are ubiquitous. Every enterprise is going to have to audit its web infrastructure and make sure that the technology delivered by applets is replaced or non-essential. What DHS is creating is a Y2K-level effort with immediate delivery. It seems likely that most companies will be unable to comply with the recommendation. Furthermore, the notion that consumers will be able to uninstall Java also seems unlikely. Java is hard to remove and easy to accidentally reinstall. For the reasons above, it seems to me that DHS’ suggestion fails as practical and useful advice.

This recommendation to just kill Java is a bit like the Lehman Brothers bankruptcy. It seems reasonable at first, but once the costs and consequences become clear we realize that we’ve just traded one mess for another even bigger one.

We know that Java is a vector for malware and that Oracle has been too slow to address these problems. Sun/Oracle got widespread acceptance of this technology based on promises about security and support.

I think DHS and other US government agencies such as the Federal Trade Commission and Department of Justice could do more to pressure Oracle to address the flaws in their product. Java was represented to partners and consumers as a secure and ubiquitous technology that enabled web developers to create rich web applications that ran on a number of platforms. Hundreds of billions of dollars of technology investments were made based on that assurance. If this was an aircraft, an automobile or other manufactured product we’d have congressional hearings and agencies lining up to investigate. Remember Toyota’s acceleration flaw a few years ago? This problem is at least at this magnitude, and yet all we have is DHS issuing a warning to consumers and seemingly taking no action to get the vendor to clean up its mess.

I suppose one could argue that a car accelerating out of control is far easier for voters to get upset about than a software security flaw. This reinforces my earlier point that most consumers will be unable to act in the prescribed manner and will instead continue to have systems that are vulnerable.

Instead of just uninstalling Java, perhaps we are better off contacting offices of consumer affairs, members of Congress and Oracle to get Java secured.

Ed Tech 2013 and Beyond

The New Media Consortium’s Horizon Report on Emerging Technologies in Education is in its preview stage for 2013. One of the report’s authors, Bryan Alexander wrote a blog post on the subject. I made a couple of quick comments over there and will offer some expanded thoughts below.

I think the Horizon Report has done a fairly good job of capturing some of the more mainstream trends in technology. I’m skeptical of the timings and relationships of some of the elements. First I will go through the timeline proposed by the NMC Report and then let me highlight a few items I think they missed as summarized by Bryan:

Time-to-Adoption Horizon: One Year or Less

  • Massively Open Online Courses — I’m a believer in MOOCs but I think this timeline is too aggressive.  The business models for the MOOC providers like Coursera, Udacity and EdX are still evolving.  MOOCs are potentially huge change agents for the way universities organize and deliver teaching and learning.
  • Tablet Computing —  I’m in general agreement with the report here.

Time-to-Adoption Horizon: Two to Three Years

  • Big Data and Learning Analytics — I think there are two parts to this.  First, the technology platforms like Blackboard Analytics and Outcomes are pretty well developed now and seem to have crossed over from early adopters to mainstream usage.  I can see how this could actually be moved ahead to 1 year or less for most higher education institutions.  On the other hand, there remains a gap between the ability of these platforms to organize data and the knowledge of the consumers of the information in stats to really take advantage of the data.  There will be a tremendous organizational shift to train and hire staff capable of reaching the right conclusions from the metrics presented.  There will also be competing models for a long time to come.  Look at baseball, where big data and analytics are used all the time to assess and improve player performance.  Give “Moneyball” a read and think about how far we have to go in evaluating and assessing program and student performance metrics.
  • Game-Based Learning — This technology always seems 3-5 years out.  Also the definition itself is so broad that as a technology concept it is almost meaningless.  As a teacher pointed out to me recently, we already have sticker charts.

Time-to-Adoption Horizon: Four to Five Years

  • 3D Printing — Online services like Shapeways, Thingiverse with its existing 3D models, technology like the 123D Catch app for your mobile device, and cheap 3D printers like Makerbot are already out there.  Industrial design and engineering students should already have access to this technology, and with the increased cost and accessibility that is already out there, I think it is likely that this technology will enter into the rest of campus much sooner.
  • Wearable Technology — Judging by the number of people I see wearing their Jawbone Up’s, Nike+ watches and other gadgets, I think we are also underestimating the timeline for this.  Given how rapidly consumers adopted the iPhone and iPad devices, I think we’re likely to see a breakthrough gadget or two in the next 6 months to a year.

Something that was left out.

I know that the committee evaluated a lot of technologies and trends; and I suppose I should have dropped these into the wiki when it was open. Personally the most significant technology and trend that I think was left out is the whole Arduino/Maker movement.  The notion that individuals can rapidly develop customized Internet connected electronic gizmos is a potential game changer.  I would make a pretty big bet that in 3-5 years the Maker Culture of DIY gadgets, hack spaces and specialized gadgets will have a major impact on education.  In K-12 this means that shop class is about to start making a big comeback.

Crackdown on Coursera

Would you care for a stiff drink of free online learning?

It seems that some government officials in Minnesota have declared those offering MOOCs or other free online classes to be dangerous outlaws who must be prosecuted. What’s next? Will Minnesota go after Khan Academy? Hacker spaces and Instructables? Enterprising Barry Dahl suggests opening coffee shops over the border where students might freely learn. I suppose this beats the alternative of going to some underground speakeasy, or should it be “learneasy” where some bright bohemians will drink from the cup of free online learning through foreign proxy servers.

Eugene Volokh of the UCLA School of Law and the Volokh Conspiracy blog explores some of the constitutional and legal issues in play here for those scratching their head wondering how this can be remotely constitutional.

Update: Slate reports that Minnesota has reconsidered its position and will cease the crackdown on any free online courses. As FDR said upon the repeal, now is a great time for a beer.

Back to School: Cheaters Edition

First let me note up front that I know MOOC is a potentially incorrect term and that we are really talking about Coursera courses that are open enrollment and delivered to large numbers of students for free. The press has labeled it a MOOC cheating scandal, so I’m using the term in that context.

Dr Chuck was in town recently and we had an opportunity to talk at length about some of the recent headlines around cheating, especially the recent issue at Coursera.

Reflecting on our discussion the following thoughts have been bouncing around my head.

Future expected value of Coursera Certificates.

Specifically as Coursera becomes a more mainstream way to get educational content there may come a point where actual academic credit was granted to students completing the course. A view that cheating is widespread in fully online programs could be extremely harmful to free online courses. A secondary effect of the anticipated value of the course may be the trigger for the behavior of other students who took it upon themselves to identify the cheating students.

The Solitaire Problem

People cheat at solitaire and single player video games. There are probably a number of reasons people would cheat in these situations, but I expect that some of them are motivated primarily by the desire to finish or complete the game for its own sake. When it comes to reducing and policing online cheating among these students, I anticipate students’ completion pressure will outweigh any social penalty. These cheaters don’t seem as motivated by the external validation or social rewards. However, these users can and will be caught by their peers who have a vested interest in the value of the program.

Instruction practice and good course design remain important tools to block both types of cheaters. Courses which encourage collaboration and use peer review can discourage certain types of cheating such as plagiarism. Courses that have a high status value to students encourage students to police the class because they don’t want the course to lose value.

Instructure’s Black Eye

Instructure got a bit of a black eye when a software update allowed a large number of students to change grades, resulting in front page headlines in the Salt Lake Tribune. Instructure has been less than forthcoming about the nature of the bug and even suggested that the grade changes may have been inadvertent by the students, not intentional. Given the fact that Canvas is supposed to be a single multi-tenant instance, one wonders if this was grade book corruption limited to a single customer or if there may be more widespread problems and security lapses.

Last year Instructure went out of its way to do a public security audit and invited Phil Hill in to view the process. I think we’ve now seen that this was more of a marketing stunt than a real commitment to transparency and openness about their security, or a demonstration of a continuous process. Point-in-time security audits are fairly meaningless if a code base is changing every week.

Harvard Students Get Busted

There has also been a lot of publicity around a major cheating scandal at Harvard. In reviewing the reports in the media, I can see how the course design, student expectations and even classroom management played a role in the actions by the students. The class seems to have had limited participation requirements and the grade was totally dependent on the final exam. Students were told they didn’t even have to show up for class, as long as they passed the final exam. They were told by peers and the teacher that this class was easy. I don’t think this excuses the behavior of the students. After all, these are Harvard students who are supposed to be the best educated, elite of the elite.

Going back to the Coursera incident, it is notable that students in a free program with unknown academic value are willing to out their fellow students, while the students who are getting a Harvard “A” cover it up and actually copy their peers.

The uncertain future value is key here. The students at Coursera are much more heavily invested in the integrity of the experience because it will only have value if the community makes it have value. Harvard students get the benefit of public social currency in the public belief in the quality and integrity of the academic experience at Harvard. The immediate reward from taking and completing a free online class is the knowledge gained and there is a possibility of a future reward if the free online class certificate is seen by others as meaningful. The immediate reward of an “A” in the Harvard class was having an “A” on your transcript and the future reward of a Harvard degree is a known thing. If there are fifty resumes for a single entry level opening and you are interviewing 3 candidates, the person with the Harvard diploma has a decent chance of getting into the top 3 all other things being equal.

Closing Thoughts

A few themes emerge. First is that we can always be wary of the difference between marketing and reality. Marketing would say that all Harvard courses are academically challenging, Instructure is secure, etc. However, reality paints a more complex picture. The second is that high SAT scores and admission standards do not alter the fundamentals of human behavior. If people think they can get something by cheating, many will, even elite students. Finally we see that great courses can be taught anywhere. Good design and setting expectations for students can deter cheating. Students need to understand that the value of the “A” is only good if it is earned, and if others are getting the “A” without earning it, it is diminishing the value of their own experience.

Khan Academy Kerfuffle

Justin Reich at Ed Week is sponsoring the MTT2K contest offering up to $750 to the best video “critique” of a Khan Academy video. The first winner is an over the top snark fest. Why would they be handing out prizes for best troll? Did I miss some announcement where Ed Week got acquired by 4Chan? Paying people to snark seems wasteful; the people on the Internet will gladly post snark for free.

For whatever reason bashing Khan seems to be the trending topic. Audrey Watters at Hack Education jumped into the fray last week, comparing the millions of students at Khan Academy with McDonald’s customers. Her blog post seems to extend on a tweet she made while Sal Khan was presenting at BbWorld. After careful reading I see that she does raise an important question, which is, “Is the Hack Education Blog more like Denny’s or the Waffle House?” My answer is that it doesn’t matter because either way you are getting a big plate full of crap.

I suppose I should try to elevate the level of discourse here and provide points, counterpoints and such. It is difficult though, as the arguments raised against him seem more based on emotion rather than reason. I understand that there are highly effective math teachers and programs out there who don’t have the same visibility as Khan Academy. I think humans tend to be tribal and I can see where it is possible that Khan presents a challenge to the current leadership structure of the tribe and perhaps is creating an alternate tribe. This is a very emotional response though, not a rational one.

I suppose my reaction is emotional as well. I am a bit of a math geek, but it has always been a struggle for me. I was working on a problem a few years ago and found myself in need of a refresher on some bits of linear algebra. It was during that time that I came across one of Mr. Khan’s YouTube videos. It really helped me out quite a bit and since then I’ve been hooked. So here I am on my own blog reacting to the snarky attacks on Khan Academy with snark of my own.

I hope this bit of introspection has amused you. It certainly amused me.

Eight Tips to Reduce Online Cheating in Your Online Class

Jeffrey Young talked to me for a story he was doing on online cheating for the Chronicle of Higher Education. I’ve given a lot of thought to the problem of cheating in online courses during my career building edu software. Here are a few tips I’ve gathered to help you build online courses that stop cheaters.

1-Culture and Learning Design — The culture of the class and the learning design can have a major impact on cheating behaviors.  More constructivist activities like blogging, wiki creation and group projects tend to reward learning.  Foster a culture that rewards contributing to the corpus of knowledge within the class.  If students are recognized for individual contributions, they will pressure their peers to do their own work rather than copy each other.

2-Question Pools and Random Blocks — Build question pools and use random blocks instead of single questions.  Instead of giving each student the same question, create variations for each topic area and then use the “random block” feature to show a different set of questions with the same difficulty for each student.  If you have a question bank from a publisher this is very easy to do because questions are often tagged by level of difficulty and topic.

3-Randomize Question Ordering, Answer Order and Question by Question display — In most systems you can set a quiz to go question by question, instead of all at once.  You can also randomize the order of questions and the order of multiple choice or matching questions.  This makes copying off another student’s system a bit more difficult.

4-Change quiz feedback display options — For high stakes exams, change feedback display options to hold the feedback until after the grades are posted.  You can also limit the time that feedback is available for students.

5-Use “Negative marking” — You can assign negative points for a wrong answer.  This penalizes students for guessing by lowering their overall score with each wrong answer. This feature was added to quizzes in Blackboard Learn SP8.

6-Use calculated questions — Calculated questions allow you to define a range of variables and a formula to ensure that each student does a unique problem set.

7-Allow multiple attempts and use “formative assessments” — Use the quiz to help the learner understand the topic rather than high stakes summative quizzing.  The goal here is to develop topic mastery by having students take the same quiz multiple times in the learning process and be able to see their ongoing mastery of the subject.  By lowering the stakes of the individual quiz attempt the student is rewarded for learning rather than punished for failing.

8-Think like a video game designer — Consider video games where the player repeats the same level over and over again until they master it.  In really good games the mastery of the level is the reward, and using a cheat code makes the game boring and unplayable. “Watch a video, click next and take a quiz” style courses reward “cheating” and copying.  Completing the sequence is the reward; people will do whatever gets them through the sequence the fastest. Cheating may be a symptom that the learning design needs to be revisited for the activities in the class. For more on this read Punished By Rewards by Alfie Kohn.

Just Call me the Cookie Monster

One of my recent projects has been to look at how the UK Cookie Law may affect universities and software makers such as my employer. Some folks have even started calling me “the cookie monster”.
I guess I’ve earned that moniker after months of meeting with product owners, customers and lawyers to talk about this new law. I’m not a lawyer, so what you are reading here is just one guy’s opinion. My employer’s blog will have more official details. My goal here is to try to explain some background into my thinking after chatting with lawyers, clients and attending a few briefings by SIAA and others.

Compliance is fairly straightforward. Here is the model I used:

Get a list of all your organization’s web sites and web applications

Depending on how large your organization is this might prove painful, especially if you have random department websites.

Figure out if the site is likely to be used by people in the UK or EU

The UK law enforces the EU Data Protection Directive. The law protects these users. You’ll want to review this and decide what your risks are. Is the UK ICO going to come after a WordPress blog in the US? I don’t know.
Also, sites such as intranets used just within a company by employees probably don’t need to be reviewed because only your employees are using it in a private capacity. On the other hand, if customers and others use the site then it probably needs to be reviewed.

Next make a list of cookies

There are first party cookies like those set by IIS, Tomcat and PHP. Then there are all the third party cookies set by all those Facebook like buttons, tweet counters and Google Analytics. Finally there are things like Flash cookies, HTML local storage and mobile app storage, which count as cookies under the regulations. I used the View Cookies extension for Firefox as a starting point.

Figure out what the cookies are doing
What is being connected to that cookie? Programmers try to use cookies for many things. For example, you might have the Google Analytics cookie. Or you might have a session cookie that is tracking users and letting the user set preferences. The law says if the cookie is strictly necessary, you don’t have to get user consent. However, since most cookies do double duty and most sites have other cookies, it really is better just to document as many cookies as possible.

Add consent popup or checkbox dialogue to your sites

When the user visits your site, before you set any of these third party cookies or start associating the cookie with personal info, give the user a popup (such as you got when you first visited this site).

I’m using the WordPress Cookie Warning plugin on this site.

Collect the info together and publish

Put up a page explaining your cookies. Here is my page.

Review other privacy practices

Take a moment to review the information you are gathering. Make sure this is consistent with your privacy policies and needs. Make sure you store and dispose of private information in ways that match the sensitivity of the information gathered. Also review who has access to the information. As information becomes more sensitive you should be locking it down. For example, final grades are pretty sensitive, while an email address by itself might be less sensitive.

Get ready for more change

Governments around the world are looking at this issue of ePrivacy. As HTML5 becomes more sophisticated and allows for more sophisticated client applications we will see regulations emerge. The general thrust of these regulations is to rely less on industry standards and place more burdens on website operators.
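The cookie inventory steps above (list the cookies, work out who sets them and what they do, decide which need consent, publish the result) can be scripted once the `Set-Cookie` headers have been captured. The following is an added example, not code from this blog or from any product named here; the hostnames, the sample headers, the `KNOWN` purpose table and the rule that only reviewed first-party cookies are exempt from consent are assumptions made for illustration.

```python
"""Build a publishable cookie inventory from captured Set-Cookie headers."""

# Well-known cookie names -> (purpose, reviewed as strictly necessary?).
# The flag is this example's assumption; confirm it in your own review.
KNOWN = {
    "JSESSIONID": ("Tomcat/servlet session", True),
    "PHPSESSID": ("PHP session", True),
    "ASP.NET_SessionId": ("ASP.NET session on IIS", True),
    "__utma": ("Google Analytics visitor id", False),
    "__utmz": ("Google Analytics traffic source", False),
    "_ga": ("Google Analytics visitor id", False),
}

# Constructed sample: (host that answered the request, raw Set-Cookie value).
CAPTURED = [
    ("courses.example.org", "JSESSIONID=A1B2C3; Path=/; HttpOnly"),
    ("courses.example.org",
     "__utma=1.2.3.4; Domain=.example.org; Expires=Wed, 15 Jan 2014 10:00:00 GMT"),
    ("courses.example.org", "prefs=lang%3Den; Max-Age=31536000; Path=/"),
    ("widgets.social.example",
     "uid=98765; Domain=.social.example; Expires=Fri, 01 Jan 2038 00:00:00 GMT"),
    ("courses.example.org", "JSESSIONID=ZZZ999; Path=/; HttpOnly"),  # repeat visit
]


def parse_set_cookie(header):
    """Return (cookie name, {lowercased attribute: value}) for one header."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def is_first_party(site, host):
    """True when host is the site's domain or one of its subdomains."""
    site, host = site.lower(), host.lstrip(".").lower()
    # The leading dot stops "notexample.org" from matching "example.org".
    return host == site or host.endswith("." + site)


def inventory(site, captured):
    """One row per (setting host, cookie name), ready for the cookie page."""
    rows = {}
    for host, header in captured:
        name, attrs = parse_set_cookie(header)
        purpose, necessary = KNOWN.get(name, ("UNDOCUMENTED - ask the owner", False))
        first = is_first_party(site, host)
        rows[(host, name)] = {
            "name": name,
            "set_by": host,
            "party": "first" if first else "third",
            "lifetime": ("persistent" if "expires" in attrs or "max-age" in attrs
                         else "session"),
            "purpose": purpose,
            # Assumed rule: only reviewed first-party cookies skip the popup.
            "consent_first": not (first and necessary),
        }
    return sorted(rows.values(), key=lambda r: (r["party"], r["name"]))


def to_table(rows):
    """Render the inventory as plain text for the published cookie page."""
    cols = ["name", "set_by", "party", "lifetime", "purpose", "consent_first"]
    lines = [" | ".join(cols)]
    lines += [" | ".join(str(r[c]) for c in cols) for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_table(inventory("example.org", CAPTURED)))
```

Rows marked `UNDOCUMENTED` are the ones to take back to the product owner before the consent popup and the cookie page go live.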

My take

Big news last week in my software niche. I’m coming up on 13 years writing software at Blackboard. I’m still as passionate as ever about making good software that makes it easy for instructors and learners to share and collaborate. I’m not stopping now and neither are my fellow developers.

I heard a rumor has been spread that I’m giving up on innovation to commoditize. Not just me, but the whole of Blackboard, Angel, Sakai and Moodle. Heck they even say John Baker at D2L gave up. I don’t know maybe D2L did give up, though I doubt it. For the others I know that the rumor is false.

I could point to road maps and recent features, but there are plenty of places like CourseSites where one can see ongoing innovation. The originator of this silly rumor should get the exhaust system on their tank checked. The fumes seem to be making them goofy.

Blackboard CourseSites Goes Semantic

There is too much talk about open and openness these days. No one seems to agree on what open is, but everyone agrees it is important. We’ve descended into semantic chaos where people fight to claim they are really “open” and others accuse them of just “openwashing”. I’m taking a break from the terms. Instead I’m just going to describe the technologies I’ve implemented and leave it to you, the reader to decide if you want to call it open, closed, or something else.

To start this new policy off let me describe one of our latest features and then I invite your comments and feedback.

On CourseSites I’m leading ongoing development to make it easy to share the Course experience more broadly via Social Media and Search. This capability is delivered using the emerging Semantic Web infrastructure put forth by the team at the Learning Resource Metadata Initiative and

The first is to create a public component of the course, a web page where anyone can drop by and ask to join, or browse as a guest (if the instructor wants). It links to a public instructor profile with a blog, where the instructor can elect to describe his or herself in a way that connects to the courses they teach. The Course home page also acts as a place to share the educational materials from the class in both IMS Common Cartridge or Blackboard Learn archive format. The materials are shared under the Creative Commons CC-BY license. This allows a permissive reuse of the materials in other educational contexts, while preserving the attribution of the original authors.

These pages contain Semantic web tags to describe the materials they contain. This makes them searchable, share-able and otherwise useful to applications beyond Blackboard. For example look at this example Course Homepage as rendered through the browser:

How the Human Sees the Course Homepage

Now consider how Google sees the same page:

How google views the Course Homepage

Note how information is encoded in a way that Google can pull key details right from the page. Information such as “version” and file links are consumable by a third party application. The descriptive scheme we use has been developed by a broad set of search engine companies at (above). This ensures that from the moment we launched this feature Google and other search engines can consume the information.

We’re also experimenting with ways to make this page more accessible to social discovery as well. We include a standard “share” gadget that lets you publish the link to these materials to hundreds of different social media solutions. Also included on these pages is another Semantic Web technology pushed by Facebook called “OpenGraph”. This allows the link you share to Facebook to contain smart data.  Here is that same course homepage viewed through Facebook.

How CourseSites sees the course home page. Link and title information are pre-populated.

This integration from Blackboard into Google, Bing, and other search engines along with social media like Facebook and Twitter was done completely through the Blackboard Building Blocks technology.  One of my next projects will be to take the building block and work to make it available to other Blackboard installations.  I hope that in participating in the adoption of a standards driven technology supported by search engines and social media, we will encourage sharing, re-use and re-mixing of educational resources that are linked into the LMS/VLE.