Comments on: SCORM Security – Some Perspective

By: Ryan

Ryan — Wed, 09 Mar 2011 00:40:11 +0000

I am not 100% sold on the idea that if we can’t completely secure SCORM, we shouldn’t worry about its security shortcomings(Perspective section). I definitely think that you can take steps towards having a “high stakes” environment. The problems you describe seem to be more related to online training methodology rather than securing data. Yes, someone could take an assessment for me, but in a “high stakes” environment you would have a proctor or supplementary testing. Securing data is one thing, but methodology is completely different. There are many steps that can be taken if we only pick up our feet. Moving API calls from the client’s browser to a back-end application is only the first step in a security plan for SCORM. Waiting for fraud to happen and relying on detection are inefficient unless you can limit the incoming fraud. This is why online merchants (relating back to the credit card analogy) put their own measures in place to prevent fraud like captcha, IP address checks, blacklisting, etc. The fact is that with very little time and effort SCORM can close the enormous holes and work on the smaller holes later.

By: Jerry Thompson

Jerry Thompson — Sat, 16 Oct 2010 16:09:34 +0000

The fact that SCORM is due for an overhaul, was music to my ears. Don’t get me wrong but SCROM has a few ‘bugs’ that should be fixed and I see that some are already gone. And another thing is the documentation which is a pain in the a**…I really wish it could be more straight forward and easy to ‘implement’ sort of speak.
Anyhow, I really enjoyed your article. Thanks!

By: Jason Phimosis

Jason Phimosis — Tue, 28 Sep 2010 22:36:25 +0000

“we need to decide how much of a priority to give security in relation to other conflicting design aspects.”

I could not agree more with this concept. At the same time, there needs to be training to deliver good content to the student. However, this is not where we stop.

We need to make sure that the student has memorized or retained this information. Of course, the student will not be able to retain everything, but we need to make sure that most of it is absorbed.

By: Cheating on SCORM Courses – It’s Not Difficult < VS SCORM

Cheating on SCORM Courses – It’s Not Difficult < VS SCORM — Fri, 31 Jul 2009 19:24:27 +0000

[...] sitting beside him/her during the test. You’ll find a more detailed discussion of this on Mike Rustici’s blog. Share This [...]

By: Philip Hutchison

Philip Hutchison — Sun, 05 Apr 2009 06:17:55 +0000

Excellent post, Mike. I especially like the credit card analogy.

I sincerely wish the ADL posted SCORM documentation that was as understandable and easy to follow as what you’ve written here.

By: Nina Pasini Deibler

Nina Pasini Deibler — Sat, 04 Apr 2009 21:29:53 +0000

Hey Mike,

Thanks for this post — and for putting things in perspective. I’ve been saying these things for years now — anyone who thinks “online learning” or “online assessment” that is NOT proctored is secure is fooling themself.

Angelo and I alluded to many of the same comments you’ve made here when we posted some workarounds for the SCORM vulnerability on ADLNet.gov. But, as I learned in my first year developing pilot training, there really is no way to, as you say, <> And likewise, how do we know the learner <> In most “high stakes” (ala life or death subject matter) there’s more than an online test that ensures someone is properly trained to perform the tasks required of them. For pilots, there are multiple check rides (simulator and aircraft) with a highly qualified instructor to ensure the learner can actually pilot the aircraft.

If someone requires real security for their online assessments, life or death kind of security, and they want to meet all three aspects of the definition you supplied here, then (1) assessment must be proctored (2) learner must supply 2 forms of photo ID — maybe even some DNA and (3) assessment must be stored, scored, and processed on other than the delivery machine.

Thanks, as always, for trying to keep things in perspective!
NINA

By: Structured Methods › links for 2009-04-04

Structured Methods › links for 2009-04-04 — Sat, 04 Apr 2009 18:10:25 +0000

[...] SCORM Security – Some Perspective The SCORM community is abuzz these days with talk about the security (or lack thereof) in SCORM. As an “alpha-scormmie”, I’d like to share some of my perspectives on the issue and try to put things in context. [...]