TOKYO (MacHouse) - 3 days ago, we reported that as many as 72 websites with open-source course management system package called Moodle were spam-exploited by an organized cyber criminal group. The list of victimized websites has grown. Newly spam-exploited websites include those of

Saint Lous University School of Medicine (See Screenshot 01.)
Global Production Engineering
Met e-learning
Northern States Conservation Center
Mansoura University Learning Center (See Screenshot 02.)…

See complete post at: http://seo.mhvt.net/blog/?p=550

Lots of Moodle security issues reported over the past few weeks…just browse the Moodle Security tag on this blog. A core developer and Moodle HQ employee “Highly recommended” everyone upgrade who is running versions 1.6 to 1.9 in a moodle.org forum post about a week ago…can you find that upgrade recommendation?  See the following post: http://www.moodleus.org/blog/?p=312 

Have you received your security alert from Moodle HQ informing you of the need to upgrade? Neither have I

Security Through Obscurity? I don’t think so!

Source: http://moodle.org/mod/forum/discuss.php?d=107591 

Moodle automatically changing course enrollment keys to the teachers personal password? One would think if a problem like this was reported in the moodle.org forums, someone at Moodle HQ would at least comment on the issue…well, one would think.

You can click on the link below the screen capture to see the entire thread. This problem was reported over 2 weeks ago and no comment from anyone at Moodle HQ.

Humm…maybe they are still having a hard time finding these since there is still no security forum on moodle.org…the clock is still ticking (99 days, 9 hours) on that one!

But, in the meantime, my regular Moodle HQ readers can keep up on the security issues by continuing to read this blog. Let’s see how long it takes someone with a bunch of avatars under their name to reply in that thread now

Security Through Obscurity? I don’t think so!

Source: http://moodle.org/mod/forum/discuss.php?d=106109 

Moodle Security Through Obscurity? I don’t think so!

Once again, test it for yourself…the video says it all!

The site is here: http://extremeclassroom.com/lms19/

The course is: Test Course 2

The login is:

Username: moodlestudent
Password: moodlestudent

One of my readers sent me the following graph the other day, so I figured since Moodle HQ likes numbers so much, I would post these for the disciples to consider. Now any artist will tell you “A picture is worth a thousand words”…so, what does that picture say to you?

Maybe it’s saying something like this….

Over the summer, many Moodle admins decided it was finally safe to upgrade from 1.6 to 1.9…everything seemed to go well.  Now it’s September, the teachers are back, and are discovering all the roles related problems.  The administrators realize that they can’t fix the problems because they don’t understand roles, so they post to moodle.org. Then they discover nobody, not even the developers who developed them, understands them either…this becomes painfully clear by the lack of response to their cries for help in the forums. Of course, moodle partners, like all good business people, see this as an opportunity and, well, you can guess the rest.

There is also another very interesting transformation happening in the moodle.org forums directly related to these roles issues. As someone who has been following the discussion forums and the development of Moodle for the past few years, I can’t help but notice how the Moodle development has shifted from a teaching/learning focus to an administration focus and nearly all the discussion in the forums now revolve around administration issues. Moodle.org now looks more like a set of discussion forums for a student management system than a learning management system.

Think about it…since Moodle 1.5 what teaching-learning tool improvements have been made in Moodle?

– Let’s see…you’ve lost workshop, exercise, and journal.
– You’ve lost significant ability to manage and configure your discussion forums since many of the most important forum settings have been moved to role overrides…and we know, allowing teachers to override roles is “very dangerous”. 
– The forums themselves, have had no added functionality since 1.5…you’ve only lost functionality since the implementation of roles. 
–The Wiki is still useless…no better illustration of that than the fact that moodle.org chooses to use MediaWiki instead of its own wiki.
– The moodle blogs haven’t been improved since they were implemented and they are so bad, that when a Moodle Partner finally started a bog, he started one on Blogger.
– There have been no improvements, or even changes, to Chat since it was implemented. Still no way for the teacher to do simple things like make their own name show in a different color-font size so they can be distinguished from others in a chat. Not to mention features like you have in skype rooms. I’ll bet you think Moodle developers use chat for their own developer meetings don’t you? Wrong…they don’t even use Moodle for those online meetings.
– In short, there have been no major additions to the teaching-learning tool set in Moodle and no major improvements to the teaching-learning tools since version 1.5. 

What has changed since Moodle 1.5?

– In 1.6 you got unicode.
– In 1.7 you got Flexible Roles and Capabilities and a completely broken Moodle system.
– In 1.8 you got a recovery from the disaster that was 1.7. Now Moodle actually, sort of, worked again.
– In 1.9 you got a gradebook that is just about as complicated as roles. And, the site administration block has grown to at least four times the size it was in 1.6 with an ever increasing set of complicated ”admin checkboxes and drop-downs”. 
– So, in short, virtually all the development since 1.5 has been in the areas of administration, management, testing, and grading. Not exactly a social constructivist/constructionist focus, wouldn’t you say?

The trend seems pretty clear to me…the bun (admin stuff) keeps growing and the beef (teaching-learning stuff) keeps shrinking. Makes one ponder the famous question:

Where’s the Beef?

Hummm…now that I think about it…this sounds like a “Frances Issue” doesn’t it? Wouldn’t be surprised to see this pop-up in the “lounge” and generate a whopping three thoughtful responses from disciples

Wow…now there’s a problem we haven’t seen before <wink> <wink>

In reading the Moodle Partner’s response to that post I detect a sense of resignation to the fact that this is something that’s just going to happen, so expect it and just live with it. I’m not sure how acceptable it is for people to just expect to be locked out of their site, but there you have it…

I really should rename the category I file these in from “Weekly Roles Victim” to “Hourly Roles Victim”, but I just don’t have time to post all of them here

Roles…the worst decision in Moodle since Moodle!

Source: http://moodle.org/mod/forum/discuss.php?d=107421 

Hummm….well, I would say that’s a good thing to notice.

Here’s another one for you Howard…hope it’s not your day off

Roles…the worst decision in Moodle since Moodle.

Source: http://moodle.org/mod/forum/discuss.php?d=107333 

Looks like the subject of one of my posts felt the need to correct the record. See the comments in the following post for the correction…and some interesting logic

http://www.moodleus.org/blog/?p=313 

Recognize this? It’s a pretty common occurrence on moodle.org. If the gurus can’t keep moodle.org running, do you really think you can keep your institutions LMS running on Moodle? Something to consider when considering Moodle as your production LMS. LMS reliability for a few teachers and students is one thing…reliability for your entire campus?

If you’re thinking roles only causes problems for new, inexperienced Moodle admins, think again. The problem reported below is from a long time moodle user, administrator, trainer, moodle documentation writer, and dedicated Moodle disciple. I’m sure a partner can fix this for a reasonable fee ;-) 

Roles…the worst decision in Moodle since Moodle!

Source: http://moodle.org/mod/forum/discuss.php?d=107139 

I reported on a possible moodle security exploit about a week ago here on my blog…see post at link below:

http://www.moodleus.org/blog/?p=301

Moodle HQ finally “discovered” the exploit a few minutes ago…humm…still think Moodle HQ takes Moodle security seriously? I’m happy Moodle HQ stumbled across this problem, but I’m not sure relying on stumbling across security problems is a good strategy. Eloy ”highly recommends” everyone using versions from 1.6 to 1.9 upgrade…I wonder if Moodle HQ will expect everyone to stumble across the post below in order to get that information ;-)

The clock is still ticking on that dedicated security forum on moodle.org….92 Days, 16 Hours and counting

Security Through Obscurity? I don’t think so!   

Source: http://moodle.org/mod/forum/discuss.php?d=106616#p470865 

The quote above is from some live blogging by Stephen Downs. He must be very familiar with moodle.org as well Evidently, he was blogging during a presentation on PLEs (Personal Learning Environments). I’m very skeptical about how well one can actually absorb, understand, and evaluate a presentation when they are writing and passing judgement on the presentation “during” the presentation (I don’t buy-into this popular idea of people’s unlimited milti-tasking abilities), but he does make a couple of good points. I think the most important point he made in that live blogging session was an observation on Moodle and other VLEs. Simply calling something a “social constructivist platform” doesn’t actually make it one…listening Moodle HQ ;-)

Stephen is noting that the different ways that people are organizing themselves online for the Connectivism course (i.e., Moodle, Second Life, Ning, etc.) are impacting the quality of the conversation. On Moodle, where things are very hierarchical, there are a few people dominating “conversation” and stifling most other ideas. Bloggers are more open, diverse, etc. (represent more of the semantic principles)–having more “productive” discussions. No one is dominating the conversation–everyone is heard, everyone has a voice.

Source: http://michelemartin.typepad.com/thebambooprojectblog//2008/09/liveblogging-st.html

I’m just assuming the quote above is Stephen’s…it could be from someone else blogging about Stephen…it’s difficult to tell with the way it was written. Anyway, the importance is not in who said it…it’s in the truth that is being spoken.

If you are a longtime moodleuser, then you should understand that moodle users are already “united”. A very few of them with lots of avatars under their names are united around the moodle.com mission. If you’re not a paying customer, you’re simply a nuisance in their eyes.

Source: http://moodle.org/mod/forum/discuss.php?d=107018

In fact, there is another discussion on moodle.org happening right now and the answer given there to a user problem illustrates my point perfectly. The answer is pretty clear…here is the interpretation. “You’re not a paying customer, so stop whining.” And you thought this was a “community” driven by open source principles?

Source: http://moodle.org/mod/forum/discuss.php?d=106982 

I received the following from one of my readers a couple of days ago.

I recently noticed this announcement by Helen Foster on moodle.org site news:

As the statistics show, our community continues to grow rapidly.
We have over 1,500 new users registering each day.
Congratulations to our 500,000th registered user, who wins a T-shirt from the Moodle Shop. [Source: http://moodle.org/mod/forum/discuss.php?d=105549]

Once you register with moodle.org, there’s no way to unregister.  You are a member for life!  So this number is like the number of people who have passed through Grand Central Station.

I just ran Xenu (broken link checker) on all the sites listed on moodle.org/sites.  Of the 36,000 sites listed, at least 4,000 (11%) do not exist or do not respond.  I did not get the complete count because my virus program was going crazy during the check, warning me about sites designed to steal passwords, download trojans, etc. 

Of the “OK sites,” I’m sure the vast majority are inactive.  For example, the high school district where I used to teach recently gave Moodle the boot.  But I’m sure their 13,000 registered users and hundreds of shell courses will continue to be counted.

There are a couple of very good points in that observation.

1. Once you create an account on moodle.org there is no way to delete the account.
2. Once a site is “registered” there is no way to “unregister” and even if there were, no one would do it.

There are some other very good points that weren’t mentioned in the observation above…

1. The moodle version and build information that is included in the footer of every moodle site also feeds back to Moodle HQ so they can include virtually every Moodle code base on the Internet in their “stats”…forget the security vulnerability this creates.
2. Anyone with a $3 per month hosting account and Fantastico can install as many moodles as they want with a couple of clicks. Just consider how many you have installed? Now, consider how many of them you actually use. I’ve probably installed Moodle a thousand times over the past few years.
3. Moodle HQ would have you think that One Moodle Install = One Blackboard Install, similar to what this fool tried to claim in one of the most ridiculous Moodle propaganda pieces on the Internet…that is, aside from all the disciple propaganda in moodle.org ;-)

I wonder if the t-shirt Moodle HQ is sending to that “500,000th registered user” comes in Bot size? By my calculations the probability of any random account created on moodle.org belonging to a computer bot is about p>.965…see, I can generate stats as well

Meet Mr. Bot…the 500,000th registered moodle.org user….and the 499,999th, and 499,998th, and 499,997th, and 499,996th, and………….well, you get the point

Reference: Lies, Damned Lies, and Statistics — Benjamin Disraeli

The next time you decide to open a post on moodle.org, ask yourself first, would the Disciples approve? It seems moodle disciple and one of the lead Moodle HQ Generals, is still having a tough time with the whole social constructivist thing ;-) See the complete thread at the link below.

Source: http://moodle.org/mod/forum/discuss.php?d=106982

There is an interesting discussion [well, between two users at least] on moodle.org about a possible admin email/messaging system security exploit, but since moodle.org has a dedicated discussion forum for virtually everything except for Moodle Security, you may have a difficult time finding it. See the discussion at the link below:

http://moodle.org/mod/forum/discuss.php?d=106616

The clock is still running on the moodle.org security forum.

Security Through Obscurity? I don’t think so.

Roles…the worst decision in Moodle since Moodle.

Source: http://moodle.org/mod/forum/discuss.php?d=106722 

Well, I thought I had seen it all, but what I found today surprised even me. Over 40 insecure Moodle 1.9 sites on a single server.

The screenshot below is of a moodledata directory that contains over 40 subdirectories that are individual moodledata directories of individual Moodle sites. So you’re skeptical? Well, I can’t say I blame you. I was pretty surprised myself. I’ve hidden the directory names in the screenshot to try and protect the identity of these sites, but this is pretty easy to find with a simple Google search.

Security Through Obscurity? I don’t think so!

Screen Captured on 20 September 2008.

The video says it all…

This is a very active 1.9.2 Moodle site…is it yours?

Security Through Obscurity? I don’t think so!