Moodle should make my life easier, not harder. I do appreciate what it allows me to do—post course content without having to fashion an entire course web page on my own, include RSS feeds from other sources, have one central location for grades and hand-ins and such—but I feel that sometimes it is more lacking for power users than for beginners. Good software should accommodate beginners, advanced beginners, power users, and experts equally well, and in this sense Moodle fails.
A very good summary. Moodle is good for beginners who really only need a place to upload some docs, have an online gradebook (if they can figure out how to use it), and allow students to upload assignments. It does have those features and a few others–essentially the same features it had 5 or 6 years ago. Hard to believe? Download and install Moodle version 1.5 and look at what it had in 2004/2005 vs what it has today.
All the core features are pretty much the same…which could explain a lot of the frustrations felt by power users. Yea, Moodle is cheaper than Blackboard, like a Mule is cheaper than a Mercedes. Until, of course, the vet bills (1, 2, 3, etc…) start coming in…then the cost of the Mercedes doesn’t seem so high, and it’s a heck of a lot nicer ride without leaving a trail of manure behind it.
Of course, Moodle 2.0 has been in the works for about 2 years now and promises to deliver a revolution to the LMS world once released. Moodle.com has opted out of the Google summer of code this year because 2.0 development demands all their time/energy. So, who knows, maybe 2.0 is what power users like the one quoted above have been waiting for…we’ll see.
It’s no secret that Moodle, the open-source learning management system, has suffered from some very serious security problems recently. And those security problems aren’t limited to individuals who simply buy a cheap, $5 hosting account, install Moodle using Fantastico, and try to set up an online class when they really don’t know what they’re doing.
In fact, some of the biggest Moodle security problems have impacted customers of some of the largest professional Moodle hosting providers–Moodle Partners–commercial companies endorsed and certified by Moodle to provide professional, enterprise-level services.
One example of this is the Moodle porn spam issue that impacted millions of Moodle sites all over the world–and still impacts an untold number of sites today. This issue received world-wide attention when Primary School Moodle sites, provided by a certified Moodle Partner, were found to be infested with vile pornography.
Another example is the huge security hole first reported here just a couple months ago demonstrating how any teacher on any Moodle site in the world could download the entire user database table and have access to all user information–usernames, passwords, e-mail addresses, phone numbers, etc., for every user on the Moodle site. Professional Moodle partners all over the world got caught sleeping at the wheel…again.
One would think that an open-source “community” with problems as serious as Moodle has had recently, would invite open and honest communication about its products and services, but you would be wrong.
I don’t know many things for sure, but one thing I do know is that Moodle has not seen the last of these types of problems. The closed, arrogant, intolerant atmosphere that has been cultivated on moodle.org by the Moodle lead developer will continue to ensure that there is no shortage of people just waiting to expose the next big hole…it’s not a matter of “if” there is another big hole…it’s only a matter of “when” it will bite Moodle (ergo Moodle users) in the rear.
They build a product that for the past 9 years has been giving away virtually all personal information on every Moodle install in existence.
Once they are forced to address the problem and release what seems to be a broken upgrade that causes the OP in the thread above more major problems, then he’s quoted $400/hr to talk with a Moodle Partner with no guarantee of results.
In addition, if you are among the tens of thousands of people using the 1.7 or 1.6 branches (which, as of today, are still being offered for download on moodle.org), it seems support has been discontinued for those branches and there is no fix for your sites. Upgrading is your only option.
Update: The following was posted to the web less than an hour after the “Advanced notice to admins” email was sent out.
Just three of several places where this is already posted on the web. By this weekend, it will be all over the web.
Advanced email notice to moodle admins is a myth! It’s a nice theory, but doesn’t translate into practice.
Advanced email notice to Moodle admins, which, by Moodle’s own figures, reaches 0.001666% of the user base, does not work. Additionally, it’s Thanksgiving day in the US. If an admin in the US does get that email, he/she will probably read it 5 days from now on Monday.
If Moodle wants to send these notices out to an email list, that anyone can sign-up on with no verification of their identity, then that’s great, but in addition, these notices should be plastered across the moodle.org homepage…a place where Moodle users frequent! And every Moodle blogger should be encouraged to post this information to their blogs…blogs Moodle users read! Shouldn’t Moodle users be given at least as much advanced notice as hackers who may be subscribed to that “advanced notice” list?
Important information like this could be posted on the moodle.org homepage, right above the Moodle Business Partner advertisements. This is just a friendly (common sense) suggestion to consider if Moodle really wants to get this kind of urgent information out to as many of their users as possible in a timely manner.
This video introduces you to the new user password salting feature in Moodle and demonstrates how to add this to your site. If your Moodle site is older than the date of this blog post, then chances are your passwords are not secure…this video shows you how to add password salting to significantly improve the security of your site.
End of edit on 25 Nov 09
——————————————————————–
The embedded video below is a short, to-the-point demonstration of a very serious Moodle security/privacy vulnerability that impacts all versions of Moodle. This video is intended to simply demonstrate the exploit. For further detail on the potential extent of this exploit, read the post below this video and see the extended video linked at the bottom of this post. In my informed opinion, aside from the obvious Moodle site security and potential user identity theft issues, this exploit has significant implications on FERPA compliance for all US public education institutions using the Moodle LMS.
If you are a Moodle user at any level, but particularly if you are using Moodle in an educational institution in the US, after watching this video, you may want to have discussions with your network security, FERPA, and/or legal experts on your campus to determine how this may impact your institution and what action you may need to take.
If you are a Moodle administrator, teacher, student, or even if you have ever simply created an account on a Moodle Learning Management System (LMS) site, you need to read this post and watch the videos. It’s no secret that Moodle has suffered from some pretty serious security and user privacy issues over the past few years, but nothing before, that I am aware of, comes close to the severity of the Moodle security/privacy vulnerability I discovered a few days ago. In the videos below I will demonstrate the problem and show you how you can verify the problem on your own Moodle site using nothing more than a normal teacher account. I’ll also show you how to patch the vulnerability and will discuss some important implications that you may need to consider after patching your site.
I stumbled across this problem after seeing the following exchange in the developer’s forum on moodle.org.
I spent 10 years in the 1980s as a teletype/crypto maintenance technician and although I haven’t kept up with the field, that reply by a core Moodle developer caught my attention. Particularly the last two sentences that read:
“Something that has been encrypted can be decrypted. Something that has been hashed cannot be.”
I think most people know the first sentence is correct, but the last sentence is completely off the mark. The user passwords in Moodle are unsalted MD5 hashes. MD5 has been proven to be breakable for years now–salted or not. A quick Google search on MD5 gives anyone all the information they need to know about the history of MD5 and its vulnerabilities. If you want to read up on it, you can start here (http://en.wikipedia.org/wiki/MD5) to get a good overview of the history and vulnerabilities and then follow dozens of other links for brute-force MD5 cracking sites, like this one (http://gdataonline.com/seekhash.php), as well as more sophisticated methods for cracking MD5 hashes using Rainbow Tables and pre-computation methods…the latter, I admit, I don’t fully understand.
So, bottom line…knowing that MD5 is no longer considered secure (and hasn’t been for a long time); and knowing that Moodle user passwords are stored in the Moodle database as simple, unsalted MD5 hashes; then seeing the post above from one of the Moodle core developers and “security experts”…I got curious. The videos below show what I found…you need to watch them.
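To make the point above concrete, here is an added example (not code from this post or from Moodle) that contrasts a bare md5(password) store with a per-user salted one. The lookup table is a constructed stand-in for the precomputed hash sites linked above, the user rows are constructed, and the salt layout md5(salt + password) is an assumption chosen for illustration rather than Moodle's own.

```python
import hashlib
import os

# Constructed sample of "common" passwords, standing in for the kind of
# precomputed hash -> plaintext table that public lookup sites hold.
COMMON_PASSWORDS = ["password", "123456", "letmein", "moodle"]

def unsalted_md5(password: str) -> str:
    """The legacy scheme the post describes: bare md5(password)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def salted_md5(password: str, salt: str) -> str:
    """Illustrative salted variant: md5(salt + password). Assumption: this is
    NOT Moodle's own layout. Modern practice is a dedicated slow password
    hash (e.g. bcrypt); MD5 is kept here only to mirror the post."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> plaintext once; with no salt, the same table applies
    unchanged to every site that stores bare MD5."""
    return {unsalted_md5(w): w for w in words}

def recover_from_table(stored_hash: str, table: dict):
    """Return the plaintext if the stored hash appears in the table, else None."""
    return table.get(stored_hash)

def weak_accounts(records, table):
    """Given (username, stored_hash) rows, report which ones a precomputed
    table reverses instantly. Intended for an admin auditing their own dump."""
    return [u for u, h in records if recover_from_table(h, table) is not None]

def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed rows as an unsalted store would hold them.
    unsalted_rows = [("alice", unsalted_md5("letmein")),
                     ("bob", unsalted_md5("letmein")),
                     ("carol", unsalted_md5("Tr0ub4dor&3"))]
    # Same two weak passwords, but each row gets its own random salt.
    salted_rows = [(u, salted_md5(p, os.urandom(8).hex()))
                   for u, p in [("alice", "letmein"), ("bob", "letmein")]]
    return {
        "unsalted_weak": weak_accounts(unsalted_rows, table),
        "same_password_same_hash": unsalted_rows[0][1] == unsalted_rows[1][1],
        "salted_weak": weak_accounts(salted_rows, table),
        "salted_same_password_same_hash": salted_rows[0][1] == salted_rows[1][1],
    }

if __name__ == "__main__":
    print(demo())
```

Without a salt, two users sharing a password produce identical hashes and both fall to the same table; with a per-user salt, neither is in the table and the two hashes differ, so precomputation no longer pays off.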