Counter argument required

by Just H -
Number of replies: 5

Hi folks

As per my previous post over in "Comparison and Advocacy" we have a consultant pushing another platform. I have just found out he has thrown security concerns into the mix with the head of our ICT department. Specifically this paper from 2011. While researching the issues raised in that paper I stumbled upon this paper from 2013 which, to put it politely, is basically a rehash of the 2011 paper.

I'd appreciate any feedback on these security concerns as to validity and pointers to any counter argument I can present.

Unfortunately, this is somewhat urgent.

My thanks in advance.

Regards
H

In reply to Just H

Re: Counter argument required

by Tim Hunt -

If you want positive stuff about Moodle, look in Moodle Buzz. http://docs.moodle.org/25/en/Case_for_Moodle is also worth a read.

I am not sure that paper is worth a read, based on the fact that their first four assertions about Moodle are pretty lame:

1. Moodle is only for IT experts. It is complex for normal users to use and more than 66% of them are teachers, researchers and administrators [11]. It is difficult for beginner technicians to install and use Moodle [9], because there are many technical word lists in installation instructions.

Well, if you hang out in these forums, you meet some 'ordinary teachers' who have installed their own Moodle site. Anyway, the substance of the complaint seems to be that the installation documentation contains technical words. Exactly how much does that worry you?

 

2. Moodle will work, but not by itself. If there is not a course administrator that can work with both teachers and technicians in creating on-line materials, then Moodle will remain an empty shell, like a good aircraft but with no pilot. Lack of simple-to-obtain support [11]. Forums carry a great deal of information, but nearly all forums are in the English language.

Well, yes. OK. But that is like saying that Microsoft Word is useless. If you don't type anything into it, all you get is a blank document.

3. It does not support the SSL implementation all over the site.

This is just crap. Look at this site for example. It is Moodle. It is HTTPS throughout. It has been possible to set up Moodle like that for years.

4. It stores the user data into cache which can be later used by the attacker to launch the attack for next session.

I am not sure what they mean by this, and the rest of the paper does not really explain.

Having read the paper, I only have one worry: A peer reviewed journal decided to publish that?!

It does not cause me to worry about Moodle security, and I work at the Open University, where we have about 10 copies of Moodle running, the largest of which has about 240,000 student accounts, and over 50,000 people logging in every day.

Average of ratings: Useful (1)
In reply to Tim Hunt

Re: Counter argument required

by Just H -

Thanks Tim, 100% agree and my thoughts exactly when I hit the first para of the paper. As far as I'm concerned the email that initiated my post is 100% FUD from a person pushing his own agenda. My main problem is I'm up against a consultant (why do organisations never seem to bother asking the people in house never mind trust them to make decisions on things like this?) and the head of our ICT Department and I don't have an IT background.

I'm in the middle of penning a "career limiting response" (no worries as I don't have a career here anyway :) ) pointing out that the original email was at best "misguided", as is our ICT boss (who threw in some garbage of his own "These risks are impossible to mitigate as the hosting provider is not within our control and the data resides outside Australian borders" ... yeah, because Australian server management is soooooo much safer than American!). Already have you guys at OU as an example to throw into the mix and just looking to make sure I don't look a prat when shooting down the so-called security issues :)

In reply to Tim Hunt

Re: Counter argument required

by Howard Miller -

"Introdaction"... off to a bad start there. 

This stuff applies in the greater part to *any* online site. It's a poor paper. As Tim says, it's mostly shocking that this stuff gets published. 

In reply to Howard Miller

Re: Counter argument required

by Just H -

Indeed, along with not having an IT background I don't have an education background either but I have always assumed peer reviewed papers would be checked for typos and grammar along with accuracy. Being someone that is somewhat ashamed at the fact I can only speak one language, that is in no way a criticism of the authors of the paper ... more of the people that reviewed it prior to publication.

In reply to Just H

Re: Counter argument required

by Marcus Green -

Quick everybody, stop using Moodle because it has a cache. While you are at it stop using any web app with a cache. Whoops, all my interesting interactive web has disappeared.