IMS issues press release for new e-learning interoperability standards

News from the IMS Global Learning Consortium:

The IMS Global Learning Consortium (IMS GLC) today announced the public review of the first phase of the Learning Tools Interoperability (LTI) standards to allow open and seamless integration of educational web applications. Called “Basic LTI or BLTI,” this first standard addresses the most common roadblocks to achieving a seamless experience for teachers and students.

Reading this press release, I couldn’t help but notice two things:

  1. There’s an awful lot of chest-puffing and self-congratulation going on here — people’s credentials are thrown around an awful lot, and over half of the press release is filled “Statements of Support.”
  2. There’s no hyperlink to the standards that are being announced, nor is there any information about how you can read the new standard proposal, whether you can try it yourself, how long it’s open for review, etc.

If the new standards are written as poorly as this press release, it’s going to be 1,000 pages of useless spec. All filler, no killer.

Advertisements

What feature is missing from your e-learning development tool?

I have some simple questions I’d love to get feedback on.

I’m curious about what people are looking for in their e-learning authoring tools, specifically:

  1. What feature is your current tool missing that you would love to see implemented? Support for team collaboration? Support for themes or custom CSS styling? Support for language localization? A beer dispenser? Etc.
  2. What feature does someone else’s tool have that you’re jealous of?

For me? I wish the most popular tools (Captivate, Articulate, Lectora, etc.) would output cleaner HTML and JavaScript. I also wish there was less reliance on Flash and PowerPoint. But if you read my blog regularly, you probably already knew that!

Please post your opinion in the comments below, and please ask others to give their 2 cents. (You can also reply via twitter if you prefer)

I’m really looking forward to your comments. Thanks!

DevLearn 2009 Recap

(Okay, I admit it… this post is WAY overdue.)

Let me begin by saying this is not a rant, but rather an honest account of my impressions regarding this year’s DevLearn.

Nearly two months have passed, and when I think of DevLearn I think of two things: Social media gone wild, and hallway conversations.

Social Media Gone Wild

DevLearn 2009 was absolutely wonderful if you’re into incorporating social media into e-learning. Or should I say “using social media for learning,” without the “e.”

Unfortunately for me, I’m not really interested in using social media for learning. I mean, I learn via social media all the time — Twitter and RSS feeds are a raging river of information flooding my head with ideas every day. But when it comes to creating e-learning projects at work, we’re not ready for social media. It doesn’t really have a place in our plans yet, and we’re A-OK with that.

So upon attending DevLearn, you can guess how dismayed I was about the lack of breadth regarding session topics… it seemed as though every other session was about social media. Perhaps the conference should have been named SoMeLearn.

I believe this was my fourth DevLearn conference — I live nearby so it’s not difficult to attend — and I’d have to say this one felt the lightest when it came to the Dev part of DevLearn. There were so few hands-on technical sessions that I had a hard time finding them. I know I’m not the only person who felt this way, as a number of folks confided similar sentiments. Chad Udell, one of this year’s presenters (probably the best technical session I attended) had [link no longer available]:

[T]he conference wasn’t all rainbows and unicorns for me. There are some real underlying problems I have with the conference’s overwhelming love affair with Social Media or Web 2.0 or whatever you may want to call it. […] Do we really need 5-6 sessions about “Leveraging Twitter in your Learning Organization”? […] Given that Mark Oehlert so masterfully managed the Social Learning Jam as a dedicated area for discussion about using Social Media for learning in the eneterprise, it seems a tad silly to have so many concurrent session on the topic.

I may be cast out by talking so candidly about this, but here’s the crux of it for me: If the conference really is called “DevLearn” shouldn’t their (sic) be more “Dev” in the schedule?

I wholeheartedly agree, Chad. I have nothing against social media and finding its place in learning, but did it have to steal so much focus from other areas? Despite my MA in education, I consider myself a developer first and foremost. I like to get my hands dirty. I want more “developy”-type sessions, especially considering the price of the conference. This is meant to be constructive criticism… hopefully next year DevLearn will have a more rounded/balanced session lineup.

Hallway Conversations

Returning to the positives, it was wonderful to meet so many people in person. I’ve “known” many people via Twitter and the blogosphere for quite some time, but it’s a real trip to meet these folks in person. Janet Clarey had a nice post about it (great to meet you, fellow introvert!). In fact, if there was anything about Devlearn 2009 that really stood out for me, it was how great the hallway conversations (and after-parties) were.

Gary Hegenbart said it nicely in his DevLearn recap:

Almost everyone I met included their Twitter name as part of the introductions. […] Twitter accelerated the conversation because if you just met someone you follow or who follows you, then you already knew a lot about the person.  It felt like a reunion and conversation flowed easily and freely.

It was absolutely awesome to finally meet The Beard (aka Aaron Silvers) in person, even if we never really found much time to chat. (Does this guy command a crowd or what? I should start calling him “The Mayor.”) And it goes without saying that if Brian Dusablon and Steve Howard are in the house, we have to hit a pub for a beer and a chat! In my case a Coke since I had to commute an hour by car. Sad, I know.

I learned firsthand that (Mark Oehlert + Kris Rockwell + Koreen Olbrish) === instant mischief. This time it was zombie mischief. LETSI’s Avron Barr was there, and I had the pleasure of driving Mike Rustici to the airport (sorry if I scared you with my crazy driving!). I could go on and on. I’m something of an introvert, so I may not have seemed very excited, but trust me, it was fun.

Following BJ Schone’s footsteps, here’s a list of tweeps I chatted with (apologies if I left you off the list, it wasn’t intentional):

Best Practices in E-Learning

Someone recently posted a blog entry ranting about the use of the term “best practices” in our industry. I understand the frustration with thoughtless pronouncements about best practices, especially coming from people who may not know any better; it will often sound a lot like how mom used to say “eat this, it’s good for you” without really knowing whether it’s true. However, there is a big difference between best practices in terms of learning theory — something that’s difficult to quantify/prove — and technology.

A friend of mine, upon completing his MA in psychology, joked that his degree is the only one you can get where you can’t prove a thing that you’re taught. Learning theory is a form of psychology, and as such, you are guaranteed to run into a gazillion different opinions on how learning occurs: behaviorism, constructivism, cognitivism, yadda yadda yadda. Likewise, you will hear many opinions on what development models to follow (ADDIE vs agile vs something-or-other), evaluation methodology, and perhaps edge-case debates such as centralized learning structures versus de-centralized learning structures (social media peeps, I’m looking at you).

I guarantee these conversations will involve lots of name-dropping and liberal use of the term “best practice.” In these situations, I agree that there is no single answer to ANY of these issues, and context will be king.

Most technical issues, on the other hand, most certainly DO have best practices, and for good reason.

For starters, accessibility is a best practice. Why? Well, because it’s the right thing to do. No one should be denied an opportunity to learn simply because their ears or eyes or arms don’t work like yours do. Establishing a baseline level of accessibility is fairly easy to do, regardless of the size of your budget or your time constraints. For example:

  • For the hearing impaired: Text transcriptions and/or closed captioning for videos and Flash animations are as easy to set up as ever. Free/cheap video players like the Flash video component, the JW Player, and Flowplayer all support multiple captioning standards and make it easy to add captioning to a video. Rapid e-learning development tools such as Articulate Presenter and Adobe Captivate allow you to add captions or notes to your SWFs. (Side note: the text transcriptions for TED talks are an excellent example of what can be accomplished with just a little extra effort.)
  • For the visually impaired: If the content of your course is provided in a text format such as HTML, screen readers can read the text to the end user. What does this require of you? Well, if you use standard HTML, not much… just a little extra care in your layout and alternate text. If you embed an image, video, or animation, provide fallback text that describes the image or what happens in the video/animation. SWFObject (a free system for embedding SWF files in HTML documents) makes this easy to do.
    Similarly, Adobe has been working hard to make Flash Player and Adobe Reader more accessible to major screen readers. What do you have to configure to make it work? Nothing so far.
  • For those who can’t use a computer mouse: Thanks to initiatives like WAI-ARIA and companies like Adobe who are actively building keyboard support into their products, many script-based interactions (such as course navigation, quiz questions, and other activities) can be scripted to work without a mouse. Alternate input devices are often mapped to the keyboard input; if your course can be completed using a keyboard, you’re golden.
  • For the color blind: Accessibility can often be improved simply by adding text labels to color-coded objects and not relying on color alone.

I could go on for a while, but the point is that accessibility is definitely a best practice. It isn’t hard, and it certainly isn’t expensive to make a course accessible. It’s also the law if you receive any Federal funding.

There are definitely other technical best practices for e-learning:

  • SCORM: Technically not a standard but rather a collection of standards, SCORM is a best practice because it ensures your course will work on pretty much every major LMS (if you don’t like SCORM, AICC is equally valid). How can I say with confidence that SCORM is a best practice? Because in the bad old days before SCORM, developers had to spend weeks re-coding courses to work with each LMS’s proprietary code base. Once SCORM was widely adopted, the issue largely went away. No one wants to go back to the bad old days.
  • Valid HTML and CSS: If you write HTML and CSS, ensuring they validate means you know your pages will work in every major browser. We learned this lesson in the Netscape/Internet Explorer wars. Best practices on the web are still evolving; for example, sometimes it’s ok to write CSS that won’t validate if you know the repercussions and your code fails gracefully in older browsers. The best practice is simply that your pages work in most, if not all, browsers.
  • Don’t use proprietary code: See above. If your course uses ActiveX, which is only supported in Internet Explorer, your course won’t work in any other browsers. Almost anything implemented with ActiveX can be implemented using other non-proprietary methods. Again, the best practice is to ensure your pages work in most, if not all, browsers.
  • Follow sensible coding conventions: Well-written code that follows documented — and very well-reasoned — code conventions means your code will likely contain less errors, will be easier to update if the need arises, and will be more future-proof, avoiding expensive bugs like the Y2K bug, which could have been prevented with a bit of foresight. A great example of this type of code convention is Douglas Crockford’s JavaScript: The Good Parts.

There are definitely times when people throw around the phrase “best practice” and are simply talking out of their butts. “Never use yellow.” “Never use clip art.” “Never hire a penguin.” “Never let the learner do X.” “Always make the user do Y.” “Always use ___ format.” “Always use ___ pedagogy.”

Whatever.

Just remember that best practices DO exist, but not in every circumstance. And unless you want the evil eye from me and my compadres, remember to never use the phrase “best practice” unless you can back it up with evidence and sound reasoning.

Post script: I’ve noticed this bandying of best practices usually occurs when someone is trying to establish their expertise or exert control on a project, frequently in front of management-types. This is the same sort of thing Machiavelli did when he wrote The Prince, so why not treat them as Machiavelli would and … well, I guess another best practice is to know when to shut up, so I’ll stop here.

Introducing the CaptivateController

This post has been updated to reflect changes to the CaptivateController since its initial release

It took me much much longer than I anticipated, but I am happy to announce the new CaptivateController utility. The CaptivateController is a JavaScript utility that helps you control Captivate SWFs as well as get/set Captivate variable values using simple JavaScript commands. For example:

//Assuming your SWF is embedded using the ID "Captivate"
var myMovie = CaptivateController("Captivate");
myMovie.pause(); //Pauses the Captivate SWF
var author_name = myMovie.get("cpInfoAuthor"); //Queries variables
myMovie.set("myCustomeCaptivateVariable", "myValue"); //Sets variable values

For those of you familiar with the pipwerks.captivate.control utility, this CaptivateController is not a simple rehash of the original; it is a complete re-write that adds a number of extra features, including:

  • Support for Captivate 2, Captivate 3, Captivate 4, and Captivate 5.x files
  • Auto-detection for skins; you can write the exact same JavaScript whether your SWF uses a skin or not
  • New query methods, including the ability to query a user-defined variable in a Captivate 4+ file
  • New set method for setting the value of a variable in Captivate 4+

The CaptivateController is intended to make your life easier — it deals with a number of inconsistencies so you don’t have to, including inconsistencies between Captivate 2/3 SWFs and Captivate 4 SWFs (there was a major shift under the hood, going from using GetVariable to using Captivate 4’s proprietary cpGetValue via ExternalInterface). It also handles inconsistencies with Flash Player in different browsers. Safari and Internet Explorer each provided their own small challenges.

There are still some inconsistencies that cannot be solved using JavaScript; for instance, Captivate 4 SWFs published using ActionScript 3 provide a richer set of system variables than Captivate 4 files published using ActionScript 2. I expected to have the same access to all system variables regardless of ActionScript version, but alas it was not meant to be. Captivate 5+ provides many m ore system variables than previous versions of Captivate.

Can check out the Automated Test Suite, which illustrates which variables are available for each flavor of Captivate SWF (has not been updated for Captivate 5+).

Download

The CaptivateController weighs in at about 6kb (compressed) and has been successfully tested in Chrome (Mac/Windows), Firefox (Mac/Windows), Safari (Mac), and Internet Explorer (Windows).

Quickie documentation

I haven’t had the time to do a full write-up of the CaptivateController API, but the following information should be enough to get you started.

Don’t forget to check out the test suite. A list of Captivate Variables can be found on the Automated Test Suite, a list of Captivate 2-4 variables can be found here, and new CP5+ variables can be found here.

“Control” methods available in the API

Method Notes
pause()
resume()
next()
previous()
rewindAndStop()
rewindAndPlay()
gotoSlideAndPlay(slidenumber) Uses 1-based numbering: gotoSlideAndPlay(3) will take you to Slide 3. If you prefer Captivate’s built in zero-based numbering, use useZeroIndex(true) to change the numbering to a zero-based index.
gotoSlideAndStop(slidenumber) Uses 1-based numbering: gotoSlideAndStop(3) will take you to Slide 3. If you prefer Captivate’s built in zero-based numbering, use useZeroIndex(true) to change the numbering to a zero-based index.
gotoFrameAndPlay(framenumber)
gotoFrameAndStop(framenumber)
volume(volumelevel)
  • Takes number, 0-100
  • Returns current volume level, 0-100
  • Volume only works in CP4+
mute()
unmute()
muteAndShowCaptions()
unmuteAndHideCaptions()
showCaptions()
hideCaptions()
showInfoBox()
hidePlaybar() Doesn’t seem to work consistently via JavaScript
showPlaybar() Doesn’t seem to work consistently via JavaScript
lockTOC()
  • Enables/disables user interaction on TOC
  • Only works in CP4+
unlockTOC()
  • Enables/disables user interaction on TOC
  • Only works in CP4+
exit()
useZeroIndex(boolean) Specifies whether gotoSlideAndPlay and gotoSlideAndStop should use zero-based numbering (0 = slide 1). Set to true to use zero-based numbering. The default is false. Warning: This should only be invoked if you wish to use a zero-based index for gotoSlideAndPlay and gotoSlideAndStop.

Example:

//Assuming your SWF is embedded using the ID "Captivate"
var myMovie = CaptivateController("Captivate");
myMovie.pause(); //Pauses the Captivate SWF
myMovie.mute(); //Mutes the Captivate SWF

Commands can also be chained together, like so:

var myMovie = CaptivateController("Captivate");
myMovie.pause().mute(); //Pauses then mutes Captivate SWF

Query methods

The primary query technique is to use .query(“captivate_variable_name”). For example,

var myMovie = CaptivateController("Captivate");
//Retrieves the author's name, if available
var author = myMovie.query("cpInfoAuthor");

You can also use this method to query user-defined variables:

var myMovie = CaptivateController("Captivate");

//Retrieves the variable My_custom_variable_name, if available
var myUserDefinedvariable = myMovie.query("My_custom_variable_name");

I have created some additional query methods below. Some are designed to help avoid worrying which version of Captivate is being used (ie they work with both CP3 and CP4), and others provide data directly from the Flash SWF (not using CP variables).

Method Notes
captivateVersion() Returns major number, currently either 2 or 4 (Captivate 3 SWFs self-identify as CP2 SWFs, nothing can be done about this.)
asVersion() Returns either 2 or 3
FPS() Returns the frames per second of the SWF
hasSkinSWF() Returns a boolean indicating whether the SWF is using a skin
hasTOC() Returns a boolean indicating whether the movie has a Table of Contents
hasPlaybar() Returns a boolean indicating whether the SWF has a playbar
width() Returns a number indicating width in pixels
height() Returns a number indicating height in pixels
volume() Returns a number (0-100) indicating volume level. Note: volume only works in CP4+
percentLoaded() Standard Flash SWF method, not specific to Captivate.
getname() Returns the SWF’s ID. Standard Flash SWF method, not specific to Captivate.
geturl() Returns the SWF’s URL. Standard Flash SWF method, not specific to Captivate.

You can also grab a reference to the SWF itself by using .swf. This is the equivalent of document.getElementById():

var myMovie = CaptivateController("Captivate");
myMovie.swf === document.getElementById("Captivate");

Set method

There is a new set method (added November 2011) that enables developers to easily set the value of a Captivate variable using JavaScript. For example:


var myMovie = CaptivateController("Captivate");
myMovie.set("myCustomCaptivateVariable", "myValue");

Here is a test page demonstrating the set method.

Download

Download the CaptivateController The CaptivateController is now hosted on GitHub! The CaptivateController is licensed under an MIT license, and is free to use.

DISCLAIMER: This controller is provided as-is. Use this controller at your own risk. I cannot be held responsible for any problems you may encounter while using the controller. kthxbai.

SCORM security (two kinds of SCORM people)

I’ve had a flurry of emails and messages regarding my SCORM cheat the past few days, and have received feedback from a number of well-regarded SCORM aficionados, some of whom contributed to the standard and helped make SCORM what it is today. This is wonderful, I’m very happy to hear from everyone, especially regarding such an engaging topic.

But as I hear more from these seasoned SCORM pros, I’ve made (what I believe to be) an interesting observation: there is a sharp division between die-hard SCORM developers and casual users. I suppose I’ve felt this way for a long time, but it’s really coming into focus this week. Let me try to define the camps.

  • Die-hard SCORM developers (aka scormmies). The scormmie is a person who understands what SCO roll-up means, and can hand-code an entire manifest. A scormmie thinks the word metadata is sexy. This person believes a course should be designed to use SCORM from the start, complete with sequencing and interaction tracking; if the course isn’t running in an LMS, it won’t function without being loaded into some kind of SCORM player or test suite. Scormmies get angry if their LMS hasn’t implemented the entire SCORM spec.
  • Casual users (aka shruggies). The shruggie is a person who doesn’t care about multi-SCO courses. Shruggies don’t want to be bothered by the technical details, and use rapid e-learning development tools to build courses, freeing them from needing to know any of the technical mumbo-jumbo. Metawhat? “SCORM… yeah, that’s one of the publishing options in [insert product name here], right? So it will work with my LMS?”

The e-learning market has changed significantly

Over the last week I’ve mostly heard from scormmies who make comments such as ‘well, if a developer knows what they’re doing, they’d never make their course that vulnerable to begin with!‘ and ‘a developer should never design a course to only require a completion and score… that’s asking for trouble.

The problem with this line of reasoning is that the e-learning landscape has changed dramatically since SCORM was first conceived; the scormmie used to be the majority. Now, with the proliferation of e-learning development tools and LMSs, the scormmie is a minority. Most “e-learning developers” are not programmers by trade, and are not familiar with the very complicated and intimidating SCORM spec. They use tools that do the heavy lifting for them.

If you survey most e-learning development tools (which is a booming market), the courses they publish are almost exclusively single-SCO courses that only use the simplest core SCORM functionality: completion status, lesson location (bookmarking), score, and suspend_data. These products are designed to create courses that work without SCORM, which means they only add the minimal SCORM code needed to get the course running on an LMS; all other logic is generally handled internally. They certainly don’t use sequencing and navigation or cmi.interactions.

LMS vendors generally advise customers to buy these off-the-shelf tools to build their courses. E-learning conferences are packed with tool vendors and advertisements selling the virtues of a ‘no technical expertise required’ tool. At work I sometimes get calls from vendors trying to sell me the latest and greatest tool.

The majority of courses are no longer developed by scormmies

All of this leads to one point: I think some of the SCORM guys have lost touch with the current market and don’t realize just how much of a problem a simple SCORM cheat like mine could be. Sure, it probably wouldn’t work on courses developed by seasoned scormmies because multi-SCO courses that utilize interactions are much too complicated for my itty-bitty script to tackle… but courses developed by mainstream development tools are easy targets. Ducks in a barrel. So long as the API is JavaScript and unprotected, a script like mine can bypass the SCO completely and set the course to complete before the learner even gets past the table of contents. The only way to figure out if someone cheated is to run a completion report and look for unusual patterns, which is highly unlikely in most corporate environments. As a friend noted the other day, there are many more script kiddies who can write cheats like mine now than there were when SCORM was first proposed.

Who gets the blame for the vulnerability?

Can the tool makers be blamed? Maybe, but hey, their #1 priority is satisfying the needs of the community, and the community wants quick, easy, and ‘can run on a CD-Rom’. Could the vendors have implemented more sophisticated SCORM mechanisms? Yes. However, everyone chooses the path of least resistance (and least development dollars), and we all know SCORM development is not a walk in the park. I’ve been using SCORM for five years and still avoid most of the complicated stuff because it’s … well … complicated.

The community at large (aka the shruggies) has bought into the notion that SCORM is the standard for e-learning. This is what the scormmies wanted, and it made the most sense for everyone involved, even the tool vendors. But how many people knew about the security vulnerabilities in the JavaScript-based API? A lot: the SCORM authors, the ADL, LMS vendors, tool vendors, and a number of prominent SCORM developers. Did any of these people warn the end clients of the risks? Maybe, but I personally have never been warned of any SCORM security issues in my five odd years of SCORM work. I’ve never been told “don’t use SCORM for that because it isn’t secure.”

Why didn’t anyone act?

I wasn’t privy to the early conversations, but I’ve been told that SCORM developers have said “don’t use SCORM for high-stakes assessments” from the very beginning, circa 2000. If this is the case, why has nothing been done to improve SCORM’s security? It’s only been about nine years. Did convenience beat out security in the race to implement the standard?

I get the impression that the scormmies (and remember, my term scormmie just means a person that works with SCORM, not necessarily an official representative) felt no one would bother trying to hack the system, and that a well-built course would be so difficult to cheat that it would be easier to simply take the course. With today’s simplistic single-SCO courseware tools, I don’t think this is a valid argument anymore.

I’ve also heard from scormmies that we’re still fine, because everyone knows SCORM shouldn’t be used for high-stakes training. I think a significant number of corporate, military and government trainers would disagree with that assessment, because the LMS salesperson never mentioned it. Neither did the e-learning development tool vendor. Oh, and that instructional designer we hired out of college? She’s heard of SCORM but has no clue how it works. Isn’t it safe since you have to log into the LMS with a password? There’s a padlock icon and an https protocol… that means it’s secure, right?

Nope.

Simple-SCO courses are used for all kinds of sensitive training nowadays. Compliance training alone is huge these days and can be found in examples from almost every simple-SCO tool vendor. As a colleague recently remarked, “it’s all low stakes until someone’s attorney gets involved”.

No hard feelings!

I would like to point out that I am not targeting anyone in particular, have no animosity towards anyone, and have the utmost respect for the scormmies and what they do (I’m half-scormmie myself). I’m an optimist with a very critical eye, and this post is intended as constructive criticism… criticism intended to cause positive change.

It simply became apparent to me that at some point the scormmie community dropped the ball and got complacent; it seems as though the whole community assumed no one would bother to hack a course. Well, I did. And I used public documentation to do it. It took two hours while I was flying on an airplane, and I’m not the sharpest tack in the box. I’m sorry if my cheat script caused a stir (and if this blog post makes some people uncomfortable) but we need to talk about this issue. Now.

What’s the solution?

OK, we’ve covered enough of the criticisms and the importance of working towards a solution… I’m ready to let it rest. Let’s finish on a positive note: SCORM uses existing technology and standards, and if multinational banks can protect billions of dollars from cyber-criminals using standard web technology, we should be able to secure our courseware, too. I personally think we should be able to figure something out in the next couple of months and that it ideally shouldn’t require much work to implement — no need to wait until SCORM 2.0 comes out!

Here are some suggestions I’ve heard:

  • using a secure web service to handle important duties such as processing completions and scores
  • rolling up SCOs in a way that forces the LMS to analyze multiple SCOs before setting pass/fail (a second ‘dummy’ SCO could be used if the course is a single-SCO course)
  • using form posts to submit the completions (the form post would contain a unique encrypted key that must match a key on the LMS)

Personally, I’m especially interested in ideas that don’t require modifications to LMS implementations and might only involve a strategic re-organizing of a SCO’s manifest or SCORM code. Perhaps using a SCO roll-up can become a security best practice, even if the course only uses one SCO? That type of simple solution would be ideal since it wouldn’t require modifications to an LMS or SCORM spec — it would only require a broad marketing effort to get the word out to all SCORM developers and toolmakers.

I would love to hear other ideas, as I feel we can probably come up with any number of workable solutions.   Please add to the discussion! Remember, these need to be solutions that can be implemented easily and by the single-SCO type of courseware tools flooding the e-learning market.

By the way, while we’re at it, can we improve accessibility in our e-learning, too? 😉

Cheating in SCORM

I’m always surprised how little people talk about cheating in e-learning; maybe it’s a fear of revealing just how easy it can be. The fact is, SCORM — the most common communication standard in e-learning — is fairly easy to hack. It uses a public JavaScript-based API that is easy to tap into and feed false data, and because it’s a standard, you know exactly what methods and properties are available in the API. It doesn’t matter what vendor or product produced the course (Articulate, Adobe, etc.)… if it uses SCORM, it’s vulnerable.

I’ve whipped up a proof-of-concept bookmarklet that when clicked will set your SCORM course to complete with a score of 100 (works with both SCORM 1.2 and 2004).

This bookmarklet isn’t guaranteed to work with all courses… it’s just a demonstration of what’s possible, and could be made much more sophisticated by someone highly motivated to cheat.

As e-learning continues to boom, we should be looking into ways of making courses more secure and more difficult to hack. I believe higher security should be achievable with current web technologies. For instance, how about requiring any score or completion data to be accompanied by a unique encrypted security key? Then no external script could inject false data because it wouldn’t have the required security key.

I don’t think cheating is a problem at the moment, but we should be proactive and implement better security before it becomes a problem.

Update #1: For those who are curious, the bookmarklet has been successfully tested in a few LMSs and test environments, but I won’t be revealing which ones. For those interested in the tech specs, the bookmarklet is an anonymous JavaScript function with no global variables. It was error-checked in JS Lint then compressed with the ‘shrink variables’ option enabled, which means it’s pretty hard to decipher. If you’re interested in seeing the uncompressed code, post a comment below with your email and I’ll consider sending a copy.

Update #2: The bookmarklet has been taken down. I am no longer distributing the code, though you’re welcome to write your own.

The pipwerks forum is dead, long live the new eLearning Technology and Development Google Group!

A year ago this week, I launched the not-for-profit and ad-free pipwerks E-Learning Development Forum. It was mostly intended to be a way for me to answer questions about some of my projects, such as the SCORM API wrapper, SCORM ActionScript classes, and my many Captivate hacks. The forum wasn’t a vanity project so much as an attempt to avoid email… I’d rather post answers online where everyone can see them than reply to individual emails. I had also hoped other people in the e-learning community would get involved and ask/answer questions beyond the scope of my pipwerks projects.

Now that a year has passed, I decided to step back and evaluate the success of the forum. The numbers aren’t bad: over 200 members, over 550 posts. Of course, it isn’t about the numbers, but about helping people; I’d like to think that most of those 200 people found the answers they were looking for. This is great, and makes me happy. If I helped even one person, the forum can be considered a success.

However, I also noticed a considerable lack of participation from others. Aside from a few helpful folks, I wound up answering most of the questions myself. This means it wasn’t so much a forum as an “Ask Philip” column. Not exactly what I had in mind.

When combined with the effort it takes to maintain a website (security patches, compatibility issues, styling, etc.), the forum started to feel more like a weight on my shoulders than anything else. So, as of today, I have closed down the forum and moved over to a Google Group: the eLearning Technology and Development group.

I’ve been using Google Groups for over a year with the SWFObject Google Group and Aaron Silvers’ Flash For Learning Google Group (no longer online). It isn’t a perfect system, but I’ve learned to enjoy its simplicity. It’s also free and relieves me of administrative hassles such as applying updates and backing up data. Sweet. Plus you can use Google Groups via email, which means you never even need to visit the site. Bonus.

I’d like to say thank you to all the people who posted in the pipwerks forum, and invite you to join me in the new eLearning Technology and Development group.

I’d also like to ask anyone and everyone who develops e-learning to drop by and sign up for the eLearning Technology and Development group. Ask questions — lots of questions — and let’s see if we can get a good community going!

PS: If you’re wondering why I bothered creating a new group considering there are many other discussions groups/forums out there, the answer is simple: no product favoritism and no advertising. Product forums by vendors such as Adobe and Articulate are focused solely on their products, while bulletin boards by organizations such as the eLearning Guild tend to have a ton of ads and a focus on their events and sponsors. I’d like less clutter in my life, and a simple Google Group (even with the AdSense ads) is a nice clean way to handle discussions. Hope you agree!

Adobe eLearning Suite and Captivate 4 released

Adobe has officially announced Captivate 4 and the Adobe eLearning Suite.

http://www.adobe.com/products/elearningsuite/
http://blogs.adobe.com/rjacquez/2009/01/new_year_new_adobe_elearning_s.html
http://blogs.adobe.com/captivate/2009/01/announcing_elearning_suite_and.html

The eLearning Suite is basically a version of the Adobe Creative Suite geared towards e-learning developers. It includes Adobe Presenter (PowerPoint-to-SWF converter) and Adobe Captivate 4.

My first thought upon finding out about the eLearning Suite a few months ago: “Why should I buy the eLearning Suite if since I already have CS3/CS4? The only real difference seems to be the inclusion of Captivate, which I can get separately, and Presenter, which I probably won’t even use.”

The answer is that the versions of Flash and Dreamweaver that come with the eLearning Suite include elearning-specific add-ons: the new Learning Interactions for Flash, and the Course Builder extension for Dreamweaver. These add-ons are completely new, written from the ground-up, and despite the old name are not the same Learning Interactions and Course Builder that have shipped with prior versions of Flash and Dreamweaver. The kicker is that (from what I’ve been told) these add-ons will NOT be available separately and can only be obtained by purchasing the entire suite. *sigh*

If I were starting from scratch and was trying to choose a version of the Creative Suite to buy today, I’d be very tempted to get the eLearning Suite. However, as an owner of (multiple copies of) the CS4 suite, I’m not about to shell out big $$ for the eLearning Suite. Frankly, this lack of sympathy for loyal existing customers — who have already spent a small fortune — is quite disappointing. I can’t understand why this all-or-nothing approach is being taken, especially in an economy that will almost certainly cause already meager training budgets to drop significantly. I’m hoping the decision will be revisited, because I’m sure I’m not the only one who feels this way.

As for Captivate 4, if you’re an existing Captivate user, it’s a worthy upgrade. There are a number of useful new features, the most notable being the (limited) scripting capability and the new aggregator tool.

SCORM resources

I recently emailed a shortlist of good SCORM development resources to a colleague, and figured I should probably post a list here, too. This is a quickie list, and I’m sure I’m leaving someone out. If you know of any resources I’ve missed, please add a link in the comments. This list is presented in no particular order.

  • Claude Ostyn’s site. He passed away in 2007, so there haven’t been any updates since then. His materials present a nice overview including lots of examples.
  • The ADL website. Their SCORM Documentation Suite is the official documentation. Must-have for any SCORM developer.
  • Redbird DevNet [link no longer available]. They have a nice tutorial/walk-through of SCORM 2004 architecture.
  • Rustici Software. A for-profit business that works almost exclusively with SCORM. They’ve posted some helpful resources on their site.
  • Aaron Silvers has been writing about SCORM (especially with regards to Flash) for a long time.
  • adlCommunity. A site dedicated to advancing ADL’s technologies. There are some good resources for SCORM developers, including an overview of SCORM written by the late Philip Dodds, one of the chief architects of SCORM.
  • Academic ADL Co-Lab. An offshoot of the ADL that offers SCORM resources and training for would-be SCORM developers. Also hosts Joe Nelson’s custom SCORM JavaScript framework LibSCORM (“a boilerplate template that implements common SCO Tracking and Communication functionality”), which some may find useful.

Of course, I also have a few SCORM odds and ends on my site you may find useful:

For those of you who don’t know, SCORM 2.0 is in the works, and is being handled by Learning Education Training Systems Interoperability (LETSI). SCORM 2.0 is still in the formative stages and won’t be ready for a few years (minimum), but you can certainly join the conversation and help mold SCORM 2.0 by visiting the LETSI site.

Update: LETSI is no longer tasked with SCORM 2.0, which will remain with the ADL. LETSI will continue to work on e-learning technology standards, including a potential replacement for SCORM.