Simple Task of Making an exam secure

[xyris]

Hi Guys,

I am totally (maybe not so, did some playing with) new to VB, myself being a C and PHP guy. I have been asked to write an online objective test script in php with an offline test taking back end. I can do the tricky test stuff with php and load it through the web browser thingy in VB, but the main task is to prevent the test taker from cheating. He is not to be allowed to exit the program without recording of what he has done to escape it, ie, CTRL+ALT+DEL should log that tried to access task manager and other win key combinations should log such access, and return some valid code/flag, which is checked and the test terminated (I can do that part) for trying to cheat. Any help (considering I am totally a n00b with no exp in API, Handlers and stuff) would be greatly appretiated.

Regards,
xYrIs

[DNA7433]

Why not just return that "cheating" error code if the app exits without the user finishing what they're supposed to finish?

[xyris]

Its not just exit. If he is taking a test about MS Word (believe it, we do have such tests over here) and has a question like hotkey to change align, he can simply search the net if no-one is looking over the guy. We want to prevent all outside access/ know all outside access till the exam is over. Knowing simply doesnt stops at it, but thereby terminating the user's test saying he cheated.

[xyris]

And also, if he moves away from the test app (considering the ms word question above) and actually finding the answer opening ms word, that would end all the concept of exams. Need some really strong method to secure the test app from being skipped, temporarily moved away from, terminated (and say it crashed, to retake the exam...) etc.

[xyris]

Nothing else?

[leinad31]

The solution is to transfer the test process into accredited testing centers, wherein the network is configured to allow only internet access to the host containing the tests and none other.

[Ellis Dee]

I'm just guessing here, but I think you can tell if the testing form loses focus. You can't tell why it lost focus, but the moment it does you can assume they're cheating.

On a personal note, your exam questions sound silly to me. Nobody ever has any need to memorize hotkeys or the exact process to do an application function. That's what help files are for. It would be more meaningful to allow them to access the internet or load Word or whatever they need to do to find the right answer, and then measure how long it took them to come up with it.

Each incorrect answer would tell them to try again, and if they can't get the right answer, they fail.

Just my $0.02.

[Ellis Dee]

To put it into context, there is a high probability that I would score very poorly on a test about the minutia of VB6, despite being a reasonably competent VB6 programmer.

I rely heavily on the intellisense dropdowns and help file, as it should be.

[xyris]

Howdy,

The test is not organized by me, but the state govt. in my country, so I cant do anything about it, its questions etc. And the example I cited was dumb, I agree. I am just saying that, the answers may lie in the testing computer itself. The govt. requested me to secure the app by totally disallowing access to anything else but the app. By doing so, there may be a probability that the app crashes and messes the os. So I DONT WANT TO DISABLE BUT TO KNOW WHAT HAPPENED. I can convince the authorities that I can implement this method so that it may not crash the os but also fights out cheating.

[Ellis Dee]

Ah, gotcha. Well, I don't know how to do it, but all you have to do is detect when the form loses focus. The Form_LostFocus event won't fire when the application itself loses focus, but I'm sure there is an API technique to determine the moment the application loses focus. As soon as that happens, you've identified a cheater.

No need to lock anything.

[xyris]

Any help (considering I am totally a n00b with no exp in API, Handlers and stuff) would be greatly appretiated.

Thats fun!

[Al42]

What you need is an embedded controller - a computer that has only one function, your program. There's no way to exit the program, since the computer boots into it. You completely control everything that happens from, but not including, power on to, but not including, power off. That means that your program is the operating system.

Or you can just educate the morons who are specifying the job - there's no way to completely eliminate cheating, unless you have someone watching the person taking the test.

[Ellis Dee]

One idea might be to make a maximized, borderless form set to be AlwaysOnTop and that whenever it resizes (which shouldn't even be possible) it forces itself back to maximized?

This wouldn't prevent using anything else on the computer, but what it would do is make it impossible to actually see anything else on the screen until you closed it.

[xyris]

@Ellis Dee,
Using ALT+TAB can switch programs without minimizing them. + The cheater (I'll call him that) can use task manager and terminate the program, and accuse of program crash, which in normal case would let him retake the test some other time, if not identified promptly of cheating. Anyway, the pgm will be full screen, borderless and always on top. But still, these conditions persist.

@Al42
Embedded controller isnt gonna work out, since I AM NOT RUNNING THE TEST CENTER. The guy over there might wanna do many other things on the same pc before and after the test. Think of this test as being taken place in rural villages/small towns where they educate kids with one or two computers only. Hence just one or two computer would have to do many many tasks, like, tutorials, typing tutors, exams, and I hate to admit, but even small games for kids. (They eventually get bored of study stuff any way, so need ENTERTAINMENT). Educating is not gonna happen, since as you said, they are morons, and never understand a sh** since they are also the authorities.

My analysis now would be:
1. Disable CTRL+ALT+DEL from starting Task manager (Reg key method)
2. Block ALT+TAB some way (no idea how)
3. Terminate Explorer.exe (shell) when my pgm starts. and restart it when my pgm quits. Found some references, but dont know how to do it.

Advantages: If my app crashes, restart will put back all but (1). I can simply give them a .reg file to be executed which puts back (1) if my app crashes and task manager gets disabled for ever.

Disadvantages: Unless I disable ALT+TAB, doing (3) serves no purpose, since if any pgm other than mine is running, they can move to it, and if it has an open prompt, they can start pgms from it.

[Mr.Mac]

You could have a timer SUB which continually tests for the existence of another window and if one appears, it disqualifies the applicant and shuts the program down.

Mac

[xyris]

@ Mac,

Lol, even if some stupid antivirus nag pops up, that'd disqualify the student. Or say, something....

[Billy Conner]

a few registry tweaks i know of that could help you in some way...read carefully before doing.(also helps if the users of the computer dont have Admin access)
http://www.pctools.com/guides/registry/detail/969/
http://www.pctools.com/guides/registry/detail/146/
http://www.pctools.com/guides/registry/detail/113/

another method you try is to have your App with a timer disabling the interface of everything but the windows you desire. that would be pretty easy. but you'd either have to keep track of the windows you disabled to re-enable later or you'd have to restart the pc to clear it.

and about the threat of task manager terminating your app. you can stop the task manager from starting and/or you could remove your app's Exe from the WindowEnum list, such as some rootkits do. there is code for that or i can provide it if you need, its also on PSC fi you do a quick search.(works for 2k,Xp,havent tested vista),

also a comment about the cheating, i think it would be better to actually log the window caption of each window activated and its exe name, so it can be evaluated as to how they cheated(if they really did) and to what extent.

[xyris]

Disabling other apps and keeping track of them is a good idea but tideous for a newbie coder like me, for that, I'd have to fully borrow codes from people here, and that'd be injustice, however, its in my consideration though.

Disabling task manager/ Not showing app name in it was already thought to. (http://www.vbforums.com/showpost.php...1&postcount=14 ; Point 1)

Logging is good, really. And it'd be great to do that, but still, it'd be better for me to not let them cheat nah? Rather cheating and getting caught. Nobody would want that. I wouldnt cheat/malpractice in an exam hall if a teacher/invigilator was lurking around me. I feel it to be better.

[Billy Conner]

but when it comes down to it. if they cheat, you need evidence. otherwise you have nothing to show what they did when they deny it(and they will make every excuse in the book). i think it would be best in your case to have proof to show the people your giving the test for, so that you wont be just stuck with "they cheated, my app said so...the end"

Edit:

basically yes you want them not to cheat. but i'll tell you this. anyone taking a test on a mechanical device. they CAN cheat with the knowhow. you must try your best to not let them. but in the cases they get around what you have not thought of; you need to keep track in other ways. especially on the cases of cheaters that are wrongfully accused due to a flaw in your code or a problem in the machine itself.

[xyris]

Lol, I am not intending to make people/kids/students feel/prove guilty. My opinion is to not allow people to cheat, denying chances to, which might, (donno for sure) make such cheaters become good. Anyway, logging and denying access would be better. To save my head and also to prove my point, ie, to make people good (wont work in many occasions, I know )

[leinad31]

This problem is best referred to a network security specialist, where there are more effective ways to implement this, compared to an application level implementation... there are such things as user profiles, file/folder access grants, virtual subnets, routing filters, etc. The time it would take THEM to implement the solution you need will be a lot less compared to trying to have the application handle it all... and they can simply change network settings instead of having to recode/recompile/redeploy.

[Ellis Dee]

Sounds like they might not even have a network, much less a guy in charge of network security.

Think of this test as being taken place in rural villages/small towns where they educate kids with one or two computers only.

[leinad31]

Sounds like they might not even have a network, much less a guy in charge of network security.

Its online.
Its for the government.
They can always hire or outsource.

And it shouldnt be part of the scope of the software. The cheating is because of access to resources which should be controlled by other means (operating system security, network security), and not by the testing software.

In the very first place it shouldn't be HIS problem but someone else's. His concern is simply ensuring his software conforms to what's required security wise... if his app should implement https instead of just http, etc etc along those lines.

Consider a user accountaccount/profile named test which has no access to other files/devices on hdd except test software... extend concept to no access to resources on network. When done they logoff.

[Billy Conner]

In the very first place it shouldn't be HIS problem but someone else's. His concern is simply ensuring his software conforms to what's required security wise... if his app should implement https instead of just http, etc etc along those lines.

"...but the main task is to prevent the test taker from cheating."

I could see if its not his problem if the gov or whomever bought the machines and set them up specifically for the purpose of test taking, but they did ask him to prevent cheating as showed in the quote from his original post.

in my opinion, the only thing he would need to do is make the test have focus so the user doesnt stray and waste time.he could set boundries on the OS via the registry like i linked before(or buy an app thats made for that purpose). Operating systems with user accounts are totally customizable to restrict about anything. he should just setup a user account that has restrictions on everything. i think there is even a way to carry over your user details to another machine via disc or flash drive. to save alot of hassle as well.

[leinad31]

I could see if its not his problem if the gov or whomever bought the machines and set them up specifically for the purpose of test taking, but they did ask him to prevent cheating as showed in the quote from his original post.

in my opinion, the only thing he would need to do is make the test have focus so the user doesnt stray and waste time.he could set boundries on the OS via the registry like i linked before(or buy an app thats made for that purpose). Operating systems with user accounts are totally customizable to restrict about anything. he should just setup a user account that has restrictions on everything. i think there is even a way to carry over your user details to another machine via disc or flash drive. to save alot of hassle as well.

Just the user account would suffice, if he doesnt know how to set it up himself then consult someone who does. The requirement was made by people who don't understand how it should be done, and since there's no one there to tell them otherwise (someone with networking background) then they all accepted the requirement at face value.

A focus oriented solution might be made erroneous by something as simple as an alert box for the php, or a modal form for vb.

[xyris]

Guys, I am an MCSE, a CCNP and a network engineer. I didnt want this to come in, in the first place, that I am from India. I am well aware of what security we can implement by policies, registries, remote profiles, ADS, etc etc. I am not building this for the corporate companies. The guys in the test center MIGHT use the same machine to play minesweeper, and in turn, has every single chance of getting the system busted. These guys may re-install OS, change usernames and do all lot of sh** to the system itself. I have absolutely NO CONTROL over what they do in the system or what I can do in the system, because, I'll personally have to make sure the settings stay there forever which is impossible, since mine is a short term project for the govt. What they want from me is a simple .exe file or whatever with one click install fixing everything for them. That's one of the reason why I made the test a scripted network resource, so as not to get messed up by the illeterate, or idotic guys in the center. The govt (to any level of stupidity) expects me to build an app that forbids cheating, and the app alone must totally ensure this. I CANNOT rely on anything other than my app alone, to do this. If I go and tell them, that you need a network engineer, a systems engineer, and maybe a software expert, they'll say "Go hang yourself, as******" in the native language. I undertook this project for a tiny amount, but if I do this, I'll get a major hold in the IT dept. of the Govt, which brings me to a greater advantage of getting their every other project. They need this done with absolutely very little expense and to an idealistic utopian extent.

[leinad31]

With all your credentials you shouldn't have said yes without some leeway.

Make a bootable Linux on CD, implement your test (with additional security in case CD lost) there.

EDIT: or try packaging a firewall with your app... won't handle access to local files though.