PIP, PIP, Hooray! Sending Push Notifications to iPhones

tomking_tn80x60-21 Posted by Tom King

Sometimes it’s important to know when someone finishes an assessment. Using standard, built-in Perception functionality you can have an automated email pushed to anyone you like–for instance the participant, a manager, or an instructor. But today I’d like to show how you can push an instant notification to an iPhone.

Perception PIP files can be a powerful yet lightweight way to integrate with web applications. Using only a PIP file and a $2.99 iPhone application, you can send push notifications of assessment completion or results directly from Perception to your iPhone (actually up to 5 iPhones or iPod Touch devices at once). Interested to see it in action? Take a look at this 45 second video.

It was surprisingly easy to do that with the help of the Perception Web Deployment Guide section on PIP files, and the Prowl API information. Of course, I also had to spend $2.99 to get Prowl on the iTunes App Store. If you’d like to learn how it is done, please take a quick look at the 5 minute explanation below.

Preview image of video on How to Create Push Notifications Using PIP and Prowl

To make things still easier, the Questionmark documentation team added a Knowledge Base article to the Questionmark Support site, How can I use PIP and Prowl to send push notifications to my iPhone? (Community logon by Questionmark Software Support Plan customers required). I hope this inspires you to do your own creative PIP file integrations.

General Session at European Users Conference: E-assessment and Interoperability, Standards and Accessibility


Posted By Sarah Elkins

The European Users Conference is less than one month away, and I’m pleased to announce that Tom King, Questionmark’s Interoperability Evangelist, and David Sloan from the University of Dundee will be leading the Tuesday morning General Session, focusing on E-Assessment and Interoperability, Standards and Accessibility.

Tom King is actively involved with many e-learning technology specification groups, and a regular contributor to this blog. Tom will provide an overview of the current status of major standards and the specification organisations behind them, and highlight some of the emerging needs and promising developments.  David Sloan will give an overview of accessibility-related legislation, standards and best practice, and show how Questionmark can help support the creation of accessible assessments.

The conference is set to be an exciting two days for Perception Users with Best Practice sessions on the latest trends in assessment management, eight Case Study presentations, and some great Technical Training sessions. Make sure you check out the full conference agenda and if you haven’t already done so, register for the conference!

Understanding eLearning Standards- AICC HACP


Posted by Tom King

I prepared a new segment on Understanding eLearning Standards. This segment addresses the “how” of elearning standards, and specifically run-time communication using the common AICC HACP specification. [Don’t worry SCORM fans, there will be another segment focusing on the SCORM runtime.]

Standards fans (and hockey fans) are likely to appreciate the analogies used to explain a run-time environment in general. The video also steps through the lifecycle of an activity running in an LMS environment. Then I drill down to the specific of AICC, including both the common browser-to-LMS and the compelling server-to-server uses of AICC HACP.aicctm1

Finally, the segment closes with a review of key resources from the AICC web site to help you make the most of AICC HACP.

By the way, here is an extra resource for members of the Questionmark Software Support Plan Community. There is a great Knowledge Base article on customizing the Perception v4 PIP file for AICC. This article shows how you can use a custom PIP file to utilize additional demographic or custom variables from an AICC compatible LMS. Check it out.

Stay tuned to the Questionmark Blog for the next segment that will address SCORM Run-Time Communication.

Understanding Common eLearning Standards


Posted by Tom King

I’ve prepared a video podcast which is your introduction to key interoperability standards for elearning. It also serves as my introduction to video podcasts. Your feedback on both the content and the style will be put to use as I continue the series—so please post comments or send email.

The video for Part 1 provides a quick overview of the need for interoperability standards, the names of the keys standards, and the types of interoperability they support. Part 1 addresses AICC, ADL SCORM, IEEE LTSC and IMS specifications at a high level. It introduces the concepts of run-time communication, content packaging, and meta-data.

I hope you find it a good refresher if you are already somewhat knowledgeable about these standards, and an excellent introduction if you are new to most of this.

Defense in Depth: Security for SCORM and Beyond


Posted by Tom King

My earlier post, The Importance of Security and Integrity of Performance Data addressed a specific emerging SCORM security issue. It also raised the issue of “Defense in Depth” as an approach for improving security. Here are some defense in depth approaches you can use right now to increase security and decrease vulnerability.

Key ways to reduce vulnerability and improve security.

  • Audit trails and accountability. Have a second source of data to cross-check. Ideally this data should be automatically collected. Data sent to a SCORM or AICC LMS is also sent to a Questionmark Perception server via a different data conduit.
  • Secured Communication. Transfer responsibility for the result data to a server. Questionmark’s secure server-to-server implementation of AICC does this.
  • Increased Client/Browser Security. Reduce the attack surface of the runtime. Use a Secured Browser that disables or limits functionality not directly needed for the primary activity. Questionmark Secure is a browser that does this for AICC or SCORM.
  • Direct Proprietary Communication. This approach works by centralizing the chain-of-custody for the data to one trusted provider. Questionmark Perception can manage the process completely from authoring to scheduling to delivery to reporting.

Audit trails. Keeping parallel records such as with a double-entry accounting system is one way to achieve an audit trail. Having such an audit trail is key to identifying and recovering from errors or misdeeds. Questionmark provides capabilities for such an audit trail through both its SCORM and its AICC implementations. Perception achieves increased security and this audit trail by sending data to the LMS using the SCORM or AICC standard and, in parallel, sending data directly to the secure Perception server database. In the case of an error or misdeed, the LMS system results and the results in the secured Perception database can be compared to recover from either a security breach or an error.

Secured Server-to-Server Communication. In the cheatlet exploit, the openness of the published SCORM API and the browser JavaScript layer are used to inject false data from the client side. One way to increase the security is to remove this client side vulnerability and use AICC instead of SCORM. The innovative Perception server-to-server implementation of the AICC HACP specification demonstrates this, by having the browser relay minimal data to the Perception server. The client is not capable of directly injecting falsified overall score data. The Perception server is ultimately responsible for judging response and data communication with the LMS, not the browser client.

In 2002, Paul Roberts of Questionmark identified and described the risks of the client-side API (see Security Issues with the JavaScript API, Paul Roberts, 2002 on the AICC web site). He urged the AICC to continue to support the HACP protocol because of the value of the increased security enabled with a server-to-server AICC implementation. The diagram below helps explain this communication.


Increased Browser Security. As currently implemented, this exploit relies on user access to the UI to open a bookmark. Changes to the launch environment (browser) can reduce this vulnerability. The Questionmark Perception Secure Browser is a commercialized browser solution built for the rigorous requirements of high-stakes testing environments. When a participant takes an online assessment using Questionmark Secure, the secure browser displays the HTML content of the assessment, but disables key functions such as task-switching, right click options, screen captures, menus and printing. There simply isn’t a means to access a menu or bookmark to trigger.

Direct Proprietary Communication In this scenario, one trusted party is responsible for the full span of access, delivery, and results. It does run somewhat contrary to cybersecurity practice of published protocols and specifications that can bear wide scrutiny. It can also undermine interoperability, something near and dear to my heart. In the long run, I believe you’ll find Questionmark moving in directions that addresses these type of concerns.

However, there are many valid circumstances where the values of single party chain of custody and trusted relationship trumps other concerns. High stakes test are often the prime case for this, and it is critical to expand cyber-defense-in-depth with adjunct security measures (such as tight control of source materials, exam monitors, proctors/invigilators).

Work-around versus defend-against. Finally, as an exercise for the reader, you may consider reading the the two ADL workarounds published April 2, 2009. You’ll find that the excerpt on Securing Your Assessments provides a means of masking the location of answer-judging source code sent to the client by some systems. While useful, it doesn’t provide the same security and depth of defense as other approaches. Consider for instance using Questionmark Secure (prevents ‘view source’) with the Perception SCORM implementation (adds audit trail) and Perception server-side evaluation logic (secures the evaluation logic on the server-side). That is defense in depth. One might even replace SCORM with AICC in this case for additional security in addition to or in lieu of Questionmark Secure.

Whenever faced with security concerns regarding the possibility of cheating, abuse or data integrity, I encouraged you to think about defense in depth and the role of all the components in security.

The Importance of Security and Integrity of Performance Data


Posted by Tom King

There’s been much discussion among developers and insiders about recent posts and vendor notices regarding automated cheating tools for SCORM 1.2/SCORM 2004 content. I’d like to share some thoughts on the underlying issues and measures that can be taken to reduce vulnerability. This is no joke… unlike the recent fun on Eric’s blog.  This is the first in a series of posts on this topic. I’d like to review a few key concepts before delving into specific areas and solutions that will come in the posts to follow.

Security is important. The cornerstone of successful education, training and certification is the effective use of assessments. Inaccurate, misleading or falsified performance data can lead to poor decisions, increased liability and other significant risks or consequences. Questionmark is keenly aware of the importance of security and has addressed the issue from the beginning.

Vulnerabilities exist. Note that this is vulnerabilities in the plural. About a week ago, an independent elearning developer published one: a simple bookmarklet to send false score and status data to a SCORM LMS (see Cheating in SCORM, Phillip Hutchison, 2009). [Note: The post remains, but the sample bookmark has been removed after an outside party requested this.]

Using the published exploit is as simple as saving a book mark to your browser and then picking that bookmark while content is running. It is what I’ve called a “cheatlet” and current implementations may foreshadow other potential issues (see Security Before Features, Tom King, 2008 on LETSI SCORM 2.0 web site). Others have discussed how common in-browser debugging tools like Firebug can be used to similar effect. The key message is that this type of exploit is possible, and it gets easier and more viable over time.

Defense in depth. That phrase is a bit of a mantra in the cybersecurity world. Questionmark has taken this approach with its implementation of interoperability solutions, including SCORM. Some in the SCORM community recognize the “cheatlet” exploit as a known weakness that has just become easier for the common man to use. They go on to indicate that SCORM shouldn’t be used for high stakes assessments, and end their argument or response there. It is left for future specifications to deal with this issue. However there are several alternatives to decrease vulnerability.

I think I now have your attention for the subsequent posts. Also, if you’re attending the Questionmark User Conference 2009 this coming week in Memphis, please feel free to  stop by for my session on standards and ask about this or other standards-related issues.