Philip Hutchison points out that the emperor is, in fact, naked. As many of us know, but prefer not to talk much about, SCORM (both 1.2 and 2004) is, on its own, vulnerable to "exploits" (aka cheating).
Philip explains:
"The fact is, SCORM — the most common communication standard in e-learning — is fairly easy to hack. It uses a public JavaScript-based API that is easy to tap into and feed false data, and because it's a standard, you know exactly what methods and properties are available in the API. It doesn't matter what vendor or product produced the course (Articulate, Adobe, etc.)… if it uses SCORM, it's vulnerable."
I have long used a bookmarklet to aid my testing, and can complete, pass, score pretty much as I please in most SCORM environments.
In fact, I've often assumed that users would quickly figure out how to hack the system, and I run regular reports to find the cheaters (there are a number of indicators that would identify likely cheaters, the most simple of which is time... if a two hour course is completed in 5 minutes, you've probably got a cheater on your hands).
As the years go by, however, and no cheaters show up in my net, I've come to realize that either the cheaters are way smarter than me, or they simply aren't out there.
So why isn't the SCORM interface being hacked more often?
1) Security through obscurity - while the interface is published, most "average" users have never even heard of SCORM. It would take some effort to grok the standard. Effort that clearly, most users (in my experience) are not willing to make.
2) Fear of repercussions - cheating is one thing, cheating in such a way that you won't be caught is another. As I pointed out earlier, there are a number of ways cheaters can be detected.
3) Most users actually want to learn. In the world of corporate training, while users may grumble, most actually do want to learn the material presented.
and finally,
4) There are easier ways to cheat.
All the above being said, the issue of security in SCORM is something that LETSI and ADL should be working to address.
Posts
