Final School project (Legit question) - Developers

I'm in the final year, i need to do a final project, which goes with one or two subjects i take. This one will obviously be IT. The plan is to create a digital environment where students can take test for that subject. I'm a employee for school and they've shown great interest in such project. I'm planning to create this in with a Combination of PHP/JavaScript and MySQL. This because exams will can be taken from both Windows computers and Macbooks. It's not really the programming part of the actual exam taking etc. At first this will probably run from any modern browser. To prevent cheating, i will probably have to create some kind of external application, which runs both on OSX and Windows XP, that locks the student to taking the test and not quickly googling an answer! Could the programming section point me into a right direction? I'll probably have to learn programming for OSX (I got a macbook from school so i can use xcode). I know that .NET has the ability to use a Webbrowser control, Basically that will just show the exam in such control, until the student sends in his exam, then the application unlocks the computer and they have full ability to do whatever they want again, but not to edit the exam anymore. Does such thing exist for OSX applications? The majority of the exams will be run from OSX, i don't even know if i will ever create a Windows version because my school is phasing out Windows computers from the school. Each new student gets a Macbook instead of regular books.

I don't like the idea of locking a computer, I'd say a time limit is a better option (in addition to open-ended questions like short response rather than multiple choice, but that's beyond the scope of your software). It just seems evil to use a computer to control someone, especially when a smart person could get around your "security". It's like using knowledge for tyranny.

Open answers are possible? They should not be able to go do anything else until either the time expires, teacher unlocks it or they end the test.

[QUOTE=Goz3rr;32151700]Open answers are possible? They should not be able to go do anything else until either the time expires, teacher unlocks it or they end the test.[/QUOTE] How about instead of locking the PC, just let the software download the tests (encrypted) and then decrypt them only when it assures that there is no internet connection. If the connection is re-established, stop the test and mark the student as a cheater. Naturally, they user would still be able to fake offline mode by firewalling your application or something, and the encryption key would have to be on the client since the decryption happens after the user goes offline meaning that it could in theory be broken.

Unbreakable security is just impossible. If you use WebBrowser control, your students can navigate to every possible page by pressing Ctrl+L.

Perhaps you could let them setup another user on the laptops, with restricted rights. Via ssh the teachers can upload the tests on the computer. The logs can also be sent to a server and examined there, to make sure a student didn't somehow bypass the system or aquire the rights to establish a network connection. One weakspot I can see is the use of virtualisation software. You could have the guest OS running with disabled networking where you write the test and on the host OS with what you cheat. Since virtualisation is not perferct you could check for some articfacts, but if the student knew what you are looking for this can probably be faked. Perhaps you can somehow disturb WLAN networks. Then you could let the students grab their tests via LAN and easily control the information that is transmitted.

Like i said, its most likely osx only at first. I have no idea how to program for osx. So i dont know what is and isnt possible. The disabling internet idea seems good, but what if they have notes stored in a offline text file? Maybe the teacher should just have the remote desktop viewing open to assure there wont be any cheaters [editline]6th September 2011[/editline] All macbooks are connected over wlan, lan is not an option The average teacher can barely make keynotes, let alone using ssh. There will be an easy ui for teachers. Like i said, atleast the teacher ui (adding questions etc) will be done with php, all data will be on a mysql database but its the student part im not sure about yet.

You could easily hide the ssh stuff in a script. And you should, even for those who know what they're doing, since they won't want to repeat the steps for hundrets of students :P As for stored text-files: Again, just setup a different user who does not have the rights to read from the texts. I do not believe that this is secure enough though, like I said I'm pretty sure that virtualisation is one of the possible vulnerabilities. In general I do not believe that there is a secure way to do this with only software.

The only virtualization they can do (which isnt really) is boot into a locked down xp with bootcamp [editline]6th September 2011[/editline] Im not looking for perfect security, just your average computer user proof

Unless the user installs VirtualBox or whatever. 'Average computer user proof' is no where near secure enough for taking exams!

Teacher can watch all screens at the same at their own macbook, for them it should be fairly easy to spot cheaters

Depending on the size of the classes this seems bad. Might also not help with virtualisation, since only that desktop would be watched.

I'd say that writing a program to go to a page written in PHP with it's own web browser control just for that page seems a bit backwards. Instead, why not design a secured file format for questions, an application to serve the questions, and design a front end for a database that communicates with your program through encrypted sockets? That way you could still have the test be stored online on an SFTP server or such, still obscure all your database interactions, and not have to deal with website setup and security.

At my university they did online quizzes (though final exam was always on paper). Usually 5 - 20 questions, can be multiple choice or open ended. If open ended then it's up to the lecturer to mark the answers. Cheating isn't much of an issue in a classroom of 30 people or less (since this is a school, it should be that) where everyone is in a room and is visible. It's up to the teacher to stop them cheating. You don't need to worry about internet access restriction or whatever, hell I know for a lot of mid semesters I've done, accessing the internet was allowed. If a teacher doesn't want to do all that, they can just do it on paper.

Or the test writer could format questions in a way such that 'cheating' isn't helpful. It depends on the subject, but imagine doing a general essay on a book you read, and they give you the book. Wouldn't do you much good, would it?

While it would be a bit unorthodox, you could theoretically use the onfocus event in javascript. Just keep checking that the body element (or some child) of your tests 'web page' has focus, if not > fail. Just a thought.

[QUOTE=Elspin;32155888]I'd say that writing a program to go to a page written in PHP with it's own web browser control just for that page seems a bit backwards. Instead, why not design a secured file format for questions, an application to serve the questions, and design a front end for a database that communicates with your program through encrypted sockets? That way you could still have the test be stored online on an SFTP server or such, still obscure all your database interactions, and not have to deal with website setup and security.[/QUOTE] Why designed a completely new file format that doesn't really do much? All that is sent to the student are the questions. The answer remain on the server so there's no way they can see those.

The way they did it when I took my CompTIA A+ was they had a dual boot with a separate installation of Windows XP which was stripped completely bare, leaving only the Prometric testing interface. This interface is connected securely to the Prometric testing server. In short, if you are planning to do this project, then security and cheating prevention should be your top priorities.

[QUOTE=lazypenguin;32158233]While it would be a bit unorthodox, you could theoretically use the onfocus event in javascript. Just keep checking that the body element (or some child) of your tests 'web page' has focus, if not > fail. Just a thought.[/QUOTE] That would work, except if someone accidentally clicked the taskbar or menu. It would just lead to problems

The tests will take place under teacher supervision, right? Students aren't going to have time to set up a virtualized environment during the test with a teacher watching over their shoulder. Anyway, the surest way to prevent students from accessing the Internet while taking the test is to put the test computers in an environment that doesn't [i]have[/i] access to the Internet, only to the local server where the test is hosted. That could be as simple as connecting them all to an ordinary off-the-shelf Linksys (or whatever) router appliance, and unplugging its WAN cable when it's time for the test to begin.

[QUOTE=Wyzard;32179408]The tests will take place under teacher supervision, right? Students aren't going to have time to set up a virtualized environment during the test with a teacher watching over their shoulder. Anyway, the surest way to prevent students from accessing the Internet while taking the test is to put the test computers in an environment that doesn't [i]have[/i] access to the Internet, only to the local server where the test is hosted. That could be as simple as connecting them all to an ordinary off-the-shelf Linksys (or whatever) router appliance, and unplugging its WAN cable when it's time for the test to begin.[/QUOTE] There's about 20 (Or even more) AP's spread throughout the whole school. These can't just be shut down everytime there's a test.

[QUOTE=Goz3rr;32160361]Why designed a completely new file format that doesn't really do much? All that is sent to the student are the questions. The answer remain on the server so there's no way they can see those.[/QUOTE] You're missing the point - it's a mess to put a web browser inside a form and then grab pages written in PHP from a webserver when you're making a single function program. It shouldn't take more than 20 minutes to write a file format and then a program to create the files, which was just a suggestion to make delivering questions easier.

What would the point of an external application be when you can borrow a friends laptop?

[QUOTE=Darwin226;32151961]How about instead of locking the PC, just let the software download the tests (encrypted) and then decrypt them only when it assures that there is no internet connection. If the connection is re-established, stop the test and mark the student as a cheater. Naturally, they user would still be able to fake offline mode by firewalling your application or something, and the encryption key would have to be on the client since the decryption happens after the user goes offline meaning that it could in theory be broken.[/QUOTE] If the student would be smart enough to completely lock out the program from detecting the fact that you're accessing the internet, I'd say that they'd smart enough to pass anyway.

You'd have to watch them. There's no way to know if someone's texting ChaCha or browsing the internet on a device that's off of your network.