The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 26

Monday 15 February 2016

Contents

Indian Supreme Court says nothing wrong with banning the Internet
Prashanth Mundkur
UK politicians green-light plans to record every citizen's Internet history
James Vincent
US intel chief: we might use the Internet of Things to spy on you
Spencer Ackerman and Sam Thielman
Tesla Updates Self-Parking Software After Consumer Reports Raises Concerns
Consumerist
Wrong number of hits in Bing
M. E. Kabay
Lack of reproducibility of research
Anthony Thorn
Pirate Bay of science?
Fiona Macdonald
Apple owns up to '1 January 1970' iPhone bricking bug
Monty Solomon
Motorcycle software recall
Mike Tashker
Office 2013 patch KB 3114717 freezes 32-bit Word 2013 on Win 7, 8.1, 10
Woody Leonhard
Creative Cloud deletes files you *really* wanted
Barry Gold
And Then There Were 4: Phone Booths Saved on Upper West Side Sidewalks
Monty Solomon
Russian hackers, Kazan-based Energobank, and Ruble-$ exchange rate
HackerNews
Re: Asiana: Secondary Cause of Crash Was Poor Software Design
Peter Bernard Ladkin
Re: IoT Insecurity by design
John Beattie
Re: Doing University exams on computers?
3daygoaty
Len Finegold
Rogier Wolff
Info on RISKS (comp.risks)

Indian Supreme Court says nothing wrong with banning the Internet

Prashanth Mundkur <prashanth.mundkur@gmail.com>
Sat, 13 Feb 2016 07:57:23 -0800
  [There's very little coverage of this in the Indian press; I noticed this
  by accident.]

Nothing wrong in Internet ban to maintain law and order: Supreme Court
Utkarsh Anand, Indian Express, February 12, 2016
http://indianexpress.com/article/india/india-news-india/nothing-wrong-in-internet-ban-to-maintain-law-and-order-supreme-court/

  The Supreme Court on Thursday held that Internet services can be stopped
  temporarily by a state government to maintain law and order situation, and
  that such a ban did not violate fundamental rights. “What is wrong with
  such a ban? There can be such a ban for law and order,” observed a bench
  of Chief Justice T S Thakur and Justice R Bhanumathi, while upholding the
  Gujarat High Court's judgment declaring the ban right.


UK politicians green-light plans to record every citizen's Internet history (James Vincent)

Hendricks Dewayne <dewayne@warpspeed.com>
February 11, 2016 at 8:49:17 AM EST
James Vincent, *The Verge*,
UK politicians green-light plans to record every citizen's Internet history
But recommend that no encryption backdoors should be installed
<http://www.theverge.com/2016/2/11/10965098/uk-snoopers-charter-select-committee-criticism>

Surveillance legislation proposed by the UK last November has been examined
in detail by the country's politicians, with a new report recommending 86
alterations, but broadly approving the powers requested by the government.
The parliamentary committee scrutinizing the draft Investigatory Powers Bill
said that companies like Apple and Facebook should not be required to
decrypt messages sent on their services, but approved plans to record every
UK citizen's browsing history for 12 months. The committee also gave a
thumbs up to the bulk retention of data, and the targeted hacking of
individuals' computers, known as "equipment interference."

The Investigatory Powers Bill will be the first legislation to fully codify
digital surveillance in the UK, and has been dubbed the "snoopers' charter"
by critics (a name used to refer to similar laws rejected a few years ago).
The Bill has been attacked by ISPs, privacy advocates, the UN, and the
world's largest tech companies, with critics agreeing that the Bill is being
rushed into law and that its wording is confusing. Critics point to portions
of the law like the statement that "data includes any information that is
not data." The UK's home secretary and the Bill's principal architect,
Theresa May, later explained that this was supposed to refer to things like
paper.

This latest report repeats these complaints, stressing the need for clarity
in the Bill's language. However, it also gives its approval to a number of
controversial items. The report's authors say that the bulk interception
and surveillance should be "fully justified" in a rewrite of the
legislation, and notes that although these powers might contravene the EU's
right to privacy, "security and intelligence agencies would not seek these
powers if they did not believe they would be effective." This is despite the
fact that this sort of mass surveillance (already in place, of course, just
not officially legislated) has often proven to be ineffective, as with last
year's terrorist attacks in Paris.

Similarly, the committee found no faults with the government's plans to
force ISPs to store users' web history for 12 months at a time. This
information (known as Internet Connection Records or ICRs) would be
available to police without a warrant, with the report noting: "We heard a
good case from law enforcement and others about the desirability of having
such a scheme. We are satisfied that the potential value of ICRs could
outweigh the intrusiveness involved in collecting and using them."

Evidence submitted to the committee pointed out that these records would
reveal "sensitive information" about citizens' political, religious, and
sexual preferences, as well their health and daily activities, while ISPs
noted that storing this data securely would be a "technical challenge."
Experts also testified to the difficulty of sorting this data, as many apps
like Facebook and Twitter keep a near-constant connection to the Internet,
and Internet users can access sites they're not aware of. One expert noted
that he created a blog with a "tiny one-pixel image in the corner" that
showed up as Pornhub.com on visitors' Internet history.


US intel chief: we might use the Internet of Things to spy on you (Ackerman/Thielman)

Hendricks Dewayne <dewayne@warpspeed.com>
February 10, 2016 at 7:58:26 AM EST
Spencer Ackerman and Sam Thielman, *The Guardian*, 9 Feb 2016
http://www.theguardian.com/technology/2016/feb/09/internet-of-things-smart-home-devices-government-surveillance-james-clapper

James Clapper did not name specific agency as being involved in surveillance
via smart-home devices but said in congressional testimony it is a distinct
possibility

The US intelligence chief has acknowledged for the first time that agencies
might use a new generation of smart household devices to increase their
surveillance capabilities.

As increasing numbers of devices connect to the Internet and to one another,
the so-called Internet of Things promises consumers increased convenience --
the remotely operated thermostat from Google-owned Nest is a leading
example.  But as home computing migrates away from the laptop, the tablet
and the smartphone, experts warn that the security features on the coming
wave of automobiles, dishwashers and alarm systems lag far behind.

In an appearance at a Washington thinktank last month, the director of the
National Security Agency, Adm Michael Rogers, said that it was time to
consider making the home devices *more defensible*, but did not address the
opportunities that increased numbers and even categories of connected
devices provide to his surveillance agency.

However, James Clapper, the US director of national intelligence, was more
direct in testimony submitted to the Senate on Tuesday as part of an
assessment of threats facing the United States.  “In the future,
intelligence services might use the [Internet of Things] for identification,
surveillance, monitoring, location tracking, and targeting for recruitment,
or to gain access to networks or user credentials.”

Clapper did not specifically name any intelligence agency as involved in
household-device surveillance. But security experts examining the Internet
of things take as a given that the US and other surveillance services will
intercept the signals the newly networked devices emit, much as they do with
those from cellphones. Amateurs are already interested in easily compromised
hardware; computer programmer John Matherly's search engine Shodan indexes
thousands of completely unsecured web-connected devices.

Online threats again topped the intelligence chief's list of worldwide
threats the US faces, with the mutating threat of low-intensity terrorism
quickly following.  ...


Tesla Updates Self-Parking Software After Consumer Reports Raises Concerns

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Feb 2016 20:24:29 -0500
http://consumerist.com/2016/02/10/tesla-updates-self-parking-software-after-consumer-reports-raises-concerns/


Wrong number of hits in Bing

"M. E. Kabay" <mekabay@gmail.com>
Mon, 8 Feb 2016 16:45:26 -0500
Has anyone else noticed that Bing can return exaggeratedly high numbers of
hits on a search item?  Specifically, I was ego-surfing on my own name using
the string "m. e. kabay" and nearly fell off my chair when Bing returned the
number of hits = 1,850,000,000.

Nearly TWO BILLION HITS???? I tried Bing for the word "god" and found only
223,000,000 hits. Therefore according to Bing, I have more hits than god.  A
Google search returns the far more modest number of hits = 19,100.  Comments
from the Bing crew?

  [Maybe they were bitten by Bing Cross-Bee.  PGN]

Professor of Computer Information Systems, School of Business & Management
College of Professional Schools, Norwich University, Northfield, VT, USA


Lack of reproducibility of research

Anthony Thorn <anthony.thorn@atss.ch>
Fri, 12 Feb 2016 11:27:57 +0100
An article in *The Economist* highlights appalling lack of reproducibility
in (not only) cancer research papers.  The risks here are obvious, and
should be added to the risks resulting from the non-publication of negative
results.

The new "Preclinical Reproducibility and Robustness Channel" mentioned in
the article can only start to address this.

The main points:

For example, when staff at Amgen, a Californian drug company, attempted
to reproduce the results of 53 high-profile cancer-research papers they
found that only six lived up to their original claims.

The problem, though, is not restricted to medicine. An analysis of 98
psychology papers, published in 2015 by 90 teams of researchers
co-ordinated by Brian Nosek of the University of Virginia, managed to
replicate satisfactorily the results of only 39% of the studies
investigated.

http://www.economist.com/news/science-and-technology/21690020-reproducibility-should-be-sciences-heart-it-isnt-may-soon


Pirate Bay of science? (Fiona Macdonald)

"Mark Stahlman" <mark@tmtstrategies.com>
February 12, 2016 at 9:44:40 AM EST
Fiona Macdonald, Science Alert, 12 Feb 2016,
  (via Timour Shchoukine and Dave Farber)
Researcher illegally shares millions of science papers free online to spread
knowledge—Welcome to the Pirate Bay of science.
http://www.sciencealert.com/this-woman-has-illegally-uploaded-millions-of-journal-articles-in-an-attempt-to-open-up-science

A researcher in Russia has made more than 48 million journal articles --
almost every single peer-reviewed paper ever published—freely available
online.  And she's now refusing to shut the site down despite a court
injunction and a lawsuit from Elsevier, one of the world's biggest
publishers.  <http://bigthink.com/neurobonkers/a-pirate-bay-for-science>

For those of you who aren't already using it, the site in question is
Sci-Hub <http://sci-hub.io/>, and it's sort of like a Pirate Bay of the
science world. It was established in 2011 by neuroscientist Alexandra
Elbakyan, who was frustrated that she couldn't afford to access the articles
needed for her research, and it's since gone viral, with hundreds of
thousands of papers being downloaded daily. But at the end of last year, the
site was ordered to be taken down by a New York district court—a ruling
that Elbakyan has decided to fight, triggering a debate over who really owns
science.
<http://www.nature.com/news/pirate-research-paper-sites-play-hide-and-seek-with-publishers-1.18876>

"Payment of $32 is just insane when you need to skim or read tens or
hundreds of these papers to do research. I obtained these papers by pirating
them," Elbakyan told Torrent Freak last year.  "Everyone should have access
to knowledge regardless of their income or affiliation. And that's
absolutely legal."
<https://torrentfreak.com/science-pirate-attacks-elseviers-copyright-monopoly-in-court-150916/>.

If it sounds like a modern day Robin Hood struggle, that's because it kinda
is.  But in this story, it's not just the poor who don't have access to
scientific papers—journal subscriptions have become so expensive that
leading universities such as Harvard and Cornell have admitted they can no
longer afford them. Researchers have also taken a stand—with 15,000
scientists vowing to boycott publisher Elsevier in part for its excessive
paywall fees.

<https://www.theguardian.com/science/2012/apr/24/harvard-university-journal-publishers-prices>
<http://www.nature.com/nature/journal/v426/n6964/full/426217a.html>
<http://thecostofknowledge.com/>

Don't get us wrong, journal publishers have also done a whole lot of good --
they've encouraged better research thanks to peer review, and before the
Internet, they were crucial to the dissemination of knowledge.

  [Long item truncated for RISKS.  PGN]


Apple owns up to '1 January 1970' iPhone bricking bug

Monty Solomon <monty@roscom.com>
Mon, 15 Feb 2016 14:07:38 -0500
Apple says a fix is on the way to prevent users bricking their iPhones and iPads by setting the date to the 1970s.
http://www.zdnet.com/article/apple-owns-up-to-1-january-1970-iphone-bricking-bug/


Motorcycle software recall

"Mike Tashker" <tashkerm@gmail.com>
Mon, 15 Feb 2016 12:35:20 -0800
[Neither source nor manufacturer specified] 4 Jan 2016

A major German motorcycle manufacturer today announced that they were
suspending the use of Windows 10 in their large Adventure/Touring-class
motorcycles. The rollout, which started in January, resulted in problems
with the CANbus interface. A controller area network (CANbus) is a vehicle
bus standard designed to allow microcontrollers and devices to communicate
with each other in applications without a host computer. Riders were
receiving false positive failure indications for various electrical and
mechanical components. In addition the main instrument cluster would
sometimes display the adapted equivalent of the Windows 'Blue Screen of
Death'; this could be cleared by restarting the vehicle. Affected owners
were advised to bring their bikes back to a dealer, who will roll the
software back to Windows 7.


Office 2013 patch KB 3114717 freezes 32-bit Word 2013 on Win 7, 8.1, 10 (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Mon, 15 Feb 2016 09:21:31 -0800
Woody Leonhard, InfoWorld, 12 Feb 2016
There are reports of the patch causing similar lockup problems with
  Excel 2013 and Outlook 2013
http://www.infoworld.com/article/3032642/microsoft-windows/office-2013-patch-kb-3114717-freezes-32-bit-word-2013-on-win-7-81-10.html

February's Patch Tuesday continues its tempestuous ways. Now there's word
that one of the optional Office 2013 patches, KB 3114717, makes many
installations of Word 2013 unusable. In addition, there are reports --
apparently related—of lockups and slowdowns with Excel 2013 and Outlook
2013.

When KB3114717 is installed typing in a .docx Document becomes nearly
impossible and CPU load goes to 100% (.doc has no issues). This happens with
Word 2013 only, Word 2016 is not affected. Tested on Windows 8.1 Enterprise,
Windows 10 Enterprise 10240 and Windows 10 Enterprise 1511.

Poster amcmill (who isn't listed as a Microsoft employee) gave a definitive
response last night in one of the Microsoft Answer forum threads on the
subject: [snipped post]

Of course, amcmill didn't mention that uninstalling the patch in Windows 10
is an ongoing pain. Every time you reboot Windows 10, the patch will
reinstall, and you'll have to remove it all over again—unless you dig
into the wushowhide utility, KB 307930, which I discussed in a similar
context last month.

Just be glad you don't have Windows 10 and its forced updates .... if you're
lucky.  [Or is that "farce updates"?]


Creative Cloud deletes files you *really* wanted

Barry Gold <barrydgold@ca.rr.com>
Mon, 15 Feb 2016 07:24:26 -0800
A recent release of Adobe Creative Cloud had a bug: when you sign in, it
deletes the first folder on the hard drive (in collating order). That's
usually a hidden file, like maybe a system folder—or the .bzvol directory
that Backblaze uses to store backups.

*http://www.bbc.com/news/technology-35577498*

Exactly *why* Creative Cloud was deleting a folder is not explained in the
article.

Some of the bugs that pop up in software make me think of early books about
Dianetics and Scientology by L. Ron Hubbard: the "reactive mind" or "bank"
that does things automatically that are often not what you wanted to happen.

Maybe we should turn Scientology auditors loose on our software programs...


And Then There Were 4: Phone Booths Saved on Upper West Side Sidewalks

Monty Solomon <monty@roscom.com>
Thu, 11 Feb 2016 20:28:49 -0500
The boxy, glass-enclosed booths that were once ubiquitous on city sidewalks
are all but a memory now -- except for the four that are being replaced by
refurbished models.
http://www.nytimes.com/2016/02/11/nyregion/and-then-there-were-four-phone-booths-saved-on-upper-west-side-sidewalks.html


Russian hackers, Kazan-based Energobank, and Ruble-$ exchange rate

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 11 Feb 2016 18:15:13 PST
A Russian group of hackers reportedly broke into the Kazan-based Energobank
and messed with the ruble-dollar exchange rate.

In Feb 2015, a hacking group known by the name METEL successfully breached
the Russian regional bank for just 14 minutes and caused the exchange rate
to fluctuate between 55 and 66 rubles per dollar, which ultimately resulted
in an increase in the ruble's value.

According to the Russian security firm Group-IB, which investigated the
incident, the Metel hacking group infected Kazan-based Energobank with a
virus known as the Corkow Trojan and placed more than $500 million in orders
at non-market rates.

“This is the first documented attack using this virus, and it has the
potential to do much more damage,” Dmitry Volkov, the head of Group-IB’s
cyber intelligence department, told Bloomberg.

The hackers took advantage of a spear-phishing technique, in which the mail
appears to come from a legitimate source. A single click on the link in the
malicious mail gave the attackers access to the system, followed by
exploitation.

After gaining access to a local system, the trojan was able to cause havoc,
deepening the attack into the intranet. In this way, the malware named
Corkow found the isolated system which exclusively handles money
transactions with the outside world.

Corkow malware, initially discovered in 2011, regularly updates itself to
evade detection by antivirus programs, and has infiltrated more than 250,000
computers worldwide and infected at least 100 financial institutions.

The Energobank claimed losses of 244 million rubles ($3.2 million) due to
the trades.

But the Moscow Exchange has denied the allegations of any hacking attempt,
claiming that the changes in the stock market were the result of traders'
mistakes. They also found no hint of currency manipulation.

The attack was earlier ported to target ATMs in Russia, affecting the
Russian bank card system and resulting in hundreds of millions of rubles
being stolen via ATMs in August. Another attack with the same malware also
allowed hackers to use credit cards without limit.

Metel is only known to be active in Russia (it has affected 73% of Russian
banks), although it may present a threat to financial institutions across
the globe. The authorities have not yet handcuffed any of its criminals, who
are raising a global bank threat.

http://thehackernews.com/2016/02/russian-exchange-hacked.html


Re: Asiana: Secondary Cause of Crash Was Poor Software Design (Goldberg, RISKS-29.25)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Fri, 12 Feb 2016 11:31:25 +0100
In 2013, an Asiana Airlines Boeing 777 grounded short of the runway at San
Francisco International Airport while landing, hitting the seawall and
cartwheeling along the runway. Astonishingly, only three people were killed,
two of them from trauma injuries sustained while apparently not wearing
their seat belts (which is required of all passengers on landing). The
aircraft was destroyed.

The weather was clear, and there was almost no wind. The pilot flying was
conducting a manual approach, since the glideslope on Runway 27L was out of
operation. Speed decayed well below what it should have on short final
approach, and it was noticed very late, leaving the crew unable to arrest
the speed drop and sink rate on very short final. Monitoring speed on
approach to landing is basic to any piloting of aircraft; it is central to
pilot training from the first hour on. Many pilots, both professional and
amateur, asked themselves how this could have happened. The US NTSB has
answered, in July 2014.

Gabe Goldberg resurrects a newspaper article from nearly two years ago,
which suggested that Asiana Airlines wanted to locate the primary cause of
the crash of its Boeing 777 aircraft at San Francisco (SFO) in clear weather
on a windless day in "poor software design" and the operation of the Boeing
777 autothrottle system.

These presumably refer to submissions to the NTSB which the journal had
seen. The NTSB's public meeting, at which the conclusions of their
investigation are presented (but not the detailed reasoning) and comments
are invited, took place on 24 June, 2014, nearly three months after the
article that Goldberg cited.

Risks readers may prefer primary sources. The NTSB's final report has been
available since July 2014, a month after the Public Meeting, at:
http://www.ntsb.gov/investigations/AccidentReports/Reports/AAR1401.pdf
It includes the submission of the Aviation Accident and Railway
Investigation Board of South Korea.

The NTSB concludes that the primary cause was as follows:

  The National Transportation Safety Board determines that the probable
  cause of this accident was the flight crew's mismanagement of the
  airplane's descent during the visual approach, the pilot flying's
  unintended deactivation of automatic airspeed control, the flight crew's
  inadequate monitoring of airspeed, and the flight crew's delayed execution
  of a go-around after they became aware that the airplane was below
  acceptable glidepath and airspeed tolerances. Contributing to the accident
  were (1) the complexities of the autothrottle and autopilot flight
  director systems that were inadequately described in Boeing's
  documentation and Asiana's pilot training, which increased the likelihood
  of mode error; (2) the flight crew's nonstandard communication and
  coordination regarding the use of the autothrottle and autopilot flight
  director systems; (3) the pilot flying's inadequate training on the
  planning and executing of visual approaches; (4) the pilot
  monitoring/instructor pilot's inadequate supervision of the pilot flying;
  and (5) flight crew fatigue, which likely degraded their performance.

There is only one issue relating to systems design, namely complexity of
AT/AP/FD, cited with regard to the Operating Manual and the airline's
training. Everything else refers to human performance, namely behavior,
training and supervision.

Unusually, all four Board members who signed the report filed personal
statements. There was obviously some disagreement on what kind of causal
role the AT control played, and whether to recommend to the FAA that a
design review be conducted. Apparently there are some anecdotes that some AT
behaviour on these aircraft is "unexpected". But the Boeing 777 had been in
service for two decades up to this accident, with the only previous accident
a result purely of a fuel systems failure (and featuring an
almost-miraculous rescue by the cockpit crew; Captain Peter Burkill became
one of James Reason's "heroes" in talks Jim gave on outstanding human
performance).

The statement by the Aviation and Railway Accident Investigation Board
(ARAIB) of South Korea, says, in stark contrast,

  ARAIB believes that this accident is one of a series of recent accidents
  caused by a failure of the pilots to recognize unexpected operations of the
  autothrottle system.

  ARAIB is deeply concerned that the Report fails to engage in in-depth
  investigation and to address the issue of a deficiency in the low-speed
  alert and speed protection of the B777 automation system, particularly as
  it was a key agenda in the investigative hearing. The NTSB and ARAIB's
  joint investigative efforts have been focused on this very issue, so it
  comes as a surprise that the issue was only dealt with superficially in
  the Report and not as a probable cause of the accident.

  ARAIB recognizes that a deficiency in the automation system related to
  speed protection has been a major cause of several recent aviation
  accidents. In this respect, international standards need to be developed
  and implemented to improve aviation safety.

It is hard to see what the ARAIB is talking about.

Astonishingly, they apparently don't consider the failure of the crew to
monitor airspeed on final approach, and to keep it within reasonable bounds,
to be causal. I invite Risks readers to ask any pilot they know what he/she
thinks about that piece of reasoning.

It is obscure to which "recent accidents" the ARAIB is referring. As far as
I can see, there haven't been any. The automation in question is similar on
both Boeing 777 and Boeing 787 aircraft, as discussed by the NTSB. The only
other major aviation incidents to these aircraft are:
* the fuel systems anomaly mentioned above on the Boeing 777 at PHR, and
* three incidents involving conflagrations of lithium-based batteries on
  Boeing 787 aircraft.

Such systems as AT are quite different amongst different aircraft, and, as
Board Member Weener remarks in his personal note, pilots have to learn the
operation of the system installed on the particular aircraft they are
operating. Weener points out that there is just "one data point" about any
possible issue with this AFCS, namely this accident. He disagreed with
recommending that the FAA conduct a special review in advance of determining
from other less formal incident data whether there was any issue which
generalised.

Peter Bernard Ladkin, University of Bielefeld, Causalis Limited, Causalis
IngenieurGmbH www.rvs.uni-bielefeld.de www.causalis.com


Re: IoT Insecurity by design (RISKS-29.25)

John Beattie <jkb@hignfy.demon.co.uk>
Fri, 12 Feb 2016 13:00:45 +0000
"Who owns the data streaming out of your home?  Apparently not you.  So do
you have a legal right to interfere with that data exiting?"

It has occurred to me that we could make an improvement in IoT generally
just by assigning ownership of data streams.  A single datum is more or less
worthless, of course. But a stream has value and that value should reside
with the originator of the stream.

Compare the situation with all those software licenses that we all click
through.  They exist exactly because without them, the end-user has lots of
rights over the software installed on his or her computer. Likewise,
assigning ownership to any data stream would help make it clear what legal
agreements were needed and what strength they had.

On the other side, I can already hear a response that the present situation
suits the commercial organisations just fine: they get all the data for
free. But assigning ownership would help the commercial position just as
much because anything that has value can be bought, worked on and sold, and
turn a profit.

Currently the commercial organisations are selling the information which is
derived from raw streams: I would suggest that the principle that the value
of a stream resides with the originator _of_that_stream_ would still
apply. If your organisation takes a stream of data and filters it or
combines it with another stream, that output becomes a new stream and the
value of that stream resides with your organisation.

Notice that a stream has value which certainly depends on the kind of data
which is sent in each packet but also on the frequency, timeliness, jitter
and other QoS of the stream.

As a principle, would it work?


Re: Doing University exams on computers? (RISKS-29.25)

"3daygoaty ." <threedaygoaty@gmail.com>
Fri, 12 Feb 2016 10:26:28 +1100
I wrote a large online exam system for a university and this was eventually
re-written into an Internet voting application!

Some e-exam requirements for server hardness, individual logins, privacy and
equity of access were close to requirements for online balloting. That was
1999.  Internet voting for any kind of serious ballot is nuts.  However,
integrity controls for supervised (so not vote-from-home) electronic
balloting are pretty promising and I would direct you to Pret a Voter and
friends.

I had technical issues running both exams and elections online.  They were
always resolved satisfactorily one way or another, at the time even with low
or non-existent transparency.  These days I would think students who did not
get the marks they expected would ask for proof their exam answers were
marked unchanged.  If I were writing the exam system again I would look to
provable security and a range of other techniques to remove "blind" trust on
software, networks and machines.

I hope this helps!


Re: Doing University exams on computers? (O'Keefe)

<lxf@drexel.edu>
Thu, 11 Feb 2016 23:02:34 -0500
A view from the US:

My impression is that it’s done only by outfits which can afford the
expense of rooms of dedicated computers wired so they do not talk to the
outside, with dedicated staff to set up the exams.  I know of it only at a
medical school (e.g., ours).  At (somewhat typical) Drexel, we'd need rooms
with several hundred terminals; so we use paper and teaching assistants.
Letting students use their own laptops has a series of problems (cheating,
sick computers, etc.).  Do let me know what you find.  And have you yet
chosen a flag?


Re: Doing University exams on computers?

Rogier Wolff <R.E.Wolff@bitwizard.nl>
Sun, 14 Feb 2016 12:48:33 +0100
Although, of course, there are plenty of risks associated with "doing
university exams on computers", there are also plenty of benefits.

When I was in university, you had to present your student card for checking
during the exam. But there was no crosscheck that you submitted your work
under your own name. It was possible to have the better student submit his
work as the lesser student and vice versa.  Then the better student could
redo "his" exam later having done a practice run submitting his work for the
lesser student.

With computer exams: Assign the workstations beforehand, check IDs at the
entrance, and direct students to their previously assigned workstation. Keep
"possible cheating associates" well apart!

With computers you can randomize the questions: randomize the order,
randomize multiple choice answers, randomize the numbers in
calculations. That reduces the risk of cheating. ("What does the guy to my
left have on question 22? And the girl to my right?")

Some questions require an intermediate answer half way along. To give those
that didn't get that first part right a chance to do the latter part
correctly, you have to provide them with the intermediate answer in the
second half of the question. With a computer-exam you can mark a question
as: Q15: We'll give you the answer in Q16, so you cannot review/correct this
answer after clicking through to Q16.

You can enforce rules like: "you are not allowed to go back and correct
answers. Your first answer stands".

There are of course many other advantages of using computers to take
exams. (immediate grading, dynamic (moving) questions, etc., etc.)

Proper risk-management will weigh the advantages against the new risks and
make an informed decision.

R.E.Wolff@BitWizard.nl  http://www.BitWizard.nl/  +31-15-2600998
Delftechpark 26 2628 XH  Delft, The Netherlands. KVK: 27239233
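  [As an added illustration, not code from either poster: a small Python
  sketch of the controls discussed in the two replies above, the per-student
  randomisation of question and option order and the "first answer stands"
  lock from Rogier Wolff's post, plus the receipt a student could use to
  check that the answers marked are the ones submitted, as 3daygoaty
  suggests. The exam data, the secret and all function names are constructed
  for this example.]

```python
import hashlib
import hmac
import json
import random

# Constructed sample exam (not from the digest). "reveals" marks a question whose
# text gives away the answer to an earlier one, like Q16 revealing Q15 in the post.
# Prerequisite questions must be listed before the questions that reveal them.
EXAM = {
    "Q1": {"prompt": "What is 2 + 2?", "options": ["3", "4", "5"],
           "answer": "4", "reveals": None},
    "Q2": {"prompt": "Part 1 was 4. What is 4 * 3?", "options": ["12", "7", "16"],
           "answer": "12", "reveals": "Q1"},
    "Q3": {"prompt": "Capital of the Netherlands?",
           "options": ["Amsterdam", "Delft", "Rotterdam"],
           "answer": "Amsterdam", "reveals": None},
}


def _seeded_rng(exam_secret, student_id, label):
    """Per-student deterministic RNG seeded by HMAC(secret, student|label): the
    layout can be reproduced for marking, but one student cannot derive another's."""
    seed = hmac.new(exam_secret, f"{student_id}|{label}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(seed, "big"))


def layout_for_student(exam, exam_secret, student_id):
    """Randomise question order and option order for one student. Questions that
    reveal an earlier answer stay directly after it, so blocks are shuffled, not
    single questions."""
    blocks = {}
    for qid in exam:
        head = qid
        while exam[head]["reveals"] is not None:   # walk back to the chain's first question
            head = exam[head]["reveals"]
        blocks.setdefault(head, []).append(qid)
    heads = list(blocks)
    _seeded_rng(exam_secret, student_id, "order").shuffle(heads)
    layout = []
    for head in heads:
        for qid in blocks[head]:
            options = list(exam[qid]["options"])
            _seeded_rng(exam_secret, student_id, "options|" + qid).shuffle(options)
            layout.append({"qid": qid, "prompt": exam[qid]["prompt"], "options": options})
    return layout


def answers_digest(student_id, answers):
    """Canonical JSON so the same answers always hash the same way."""
    canonical = json.dumps({"student": student_id, "answers": answers},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ExamSession:
    """One student's sitting: enforces 'first answer stands' for questions revealed
    by a later question already shown, and issues a receipt over the final answers."""

    def __init__(self, exam, exam_secret, student_id):
        self.exam, self.student_id = exam, student_id
        self.layout = layout_for_student(exam, exam_secret, student_id)
        self.answers, self.locked = {}, set()

    def view(self, qid):
        """Showing a question locks the earlier question it reveals."""
        if self.exam[qid]["reveals"] is not None:
            self.locked.add(self.exam[qid]["reveals"])
        return next(item for item in self.layout if item["qid"] == qid)

    def answer(self, qid, choice):
        if qid in self.locked:
            raise PermissionError(f"{qid} is locked: a later question revealed its answer")
        shown = next(item["options"] for item in self.layout if item["qid"] == qid)
        if choice not in shown:
            raise ValueError(f"{choice!r} was not among the options shown for {qid}")
        self.answers[qid] = choice

    def submit(self):
        """Receipt the student keeps; marking is later checked against it."""
        return answers_digest(self.student_id, self.answers)


def mark(exam, student_id, stored_answers, receipt):
    """Refuse to mark if the stored answers no longer match the student's receipt."""
    if not hmac.compare_digest(answers_digest(student_id, stored_answers), receipt):
        raise ValueError("stored answers do not match the submitted receipt")
    return sum(1 for qid, choice in stored_answers.items() if exam[qid]["answer"] == choice)
```

The receipt only proves integrity of the stored answers, not correctness of the marking; a signed receipt with a server key would additionally stop the student from forging one.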
