
Moodle Security, Censorship, and Trust — An Observation

February 3rd, 2010

It’s no secret that Moodle, the open-source learning management system, has suffered from some very serious security problems recently. And those security problems aren’t limited to individuals who simply buy a cheap, $5 hosting account, install Moodle using Fantastico, and try to set up an online class when they really don’t know what they’re doing.

In fact, some of the biggest Moodle security problems have impacted customers of some of the largest professional Moodle hosting providers–Moodle Partners–commercial companies endorsed and certified by Moodle to provide professional, enterprise-level services.

One example of this is the Moodle porn spam issue that impacted millions of Moodle sites all over the world–and still impacts an untold number of sites today. This issue received world-wide attention when Primary School Moodle sites, provided by a certified Moodle Partner, were found to be infested with vile pornography.

Source: Primary schools hit by porn hackers
Source: Porn infecting ‘thousands’ of e-learning (Moodle) sites

Another example is the huge security hole first reported here just a couple of months ago, demonstrating how any teacher on any Moodle site in the world could download the entire user database table and have access to all user information–usernames, passwords, e-mail addresses, phone numbers, etc., for every user on the Moodle site. Professional Moodle partners all over the world got caught sleeping at the wheel…again.

Source–just one of many: Groot gat in open source e-learning cms Moodle

One would think that an open-source “community” with problems as serious as Moodle’s recent ones would invite open and honest communication about its products and services, but one would be wrong.

I don’t know many things for sure, but one thing I do know is that Moodle has not seen the last of these types of problems. The closed, arrogant, intolerant atmosphere that has been cultivated on moodle.org by the Moodle lead developer will continue to ensure that there is no shortage of people just waiting to expose the next big hole…it’s not a matter of “if” there is another big hole…it’s only a matter of “when” it will bite Moodle (ergo Moodle users) in the rear.


  1. BillW
    February 4th, 2010 at 10:01 | #1

    I follow all of your WordPress posts and videos. They’re the best on the web and it’s clear you know what you are talking about. I don’t use Moodle, but it seems you know what you are talking about there as well. Just looking at the problems you have listed in this post and in the related posts here, I have to wonder why anyone would use this program? Or maybe no one does use it. I looked at that forum where the post was deleted, after having to jump through all kinds of hoops to create a stupid account just to look at it, and it seems pretty dead compared to forums on wordpress.org. If WordPress had those kinds of problems, I think I would be looking for something else. Come to think of it, why not just use WordPress anyway?

  2. February 4th, 2010 at 10:42 | #2

    @BillW
    You do make some good points. Compared to WordPress, you could say no one really uses Moodle. But, Moodle is different from WP and is intended for a different audience. People use WP for many reasons, but top among the reasons is because it’s very easy to set up a website/blog/content management system with WP and it’s easy to learn and use. Moodle is a Learning Management System and is really only used by educational organizations…yes, millions of “individuals” install it using some auto-installer, but virtually none of them actually “use it”.

    However, your question asking “why not just use WordPress.” is far more valid than most realize. Of the very small proportion of Moodle installs that are actually used, most–even in academic institutions–are only using Moodle as a document repository…a place for the teacher to upload a syllabus, maybe some handouts, maybe some links to other web resources, etc. Probably 90% of Moodle use is as a document repository. So, could WordPress do that?…do it much better?…do it in a lot simpler manner?…Yes, absolutely.

    Many have predicted for a long time that the LMS is dead, or is well on its way to being dead and replaced by more robust apps like WP, Facebook, Google, etc. While I’m not sure that’s true for the high-level LMS market like Blackboard, I think that’s very true for the lower-end LMS like Moodle, ATutor, Sakai, etc. It’s really getting more and more difficult for the average user to navigate their way around the Moodle environment and many people are slowly coming to realize that having a place to hold a syllabus and maybe have an online gradebook, that no one can figure out how to use, really isn’t worth the effort when so many easy-to-use web 2.0 apps are readily available for use.

    And that’s without even considering the significant Moodle security issues…

  3. Dave W
    February 12th, 2010 at 17:40 | #3

    I have also been following your security vulnerability posts. One of the things Open Source should buy you is a transparent and vibrant culture. We are evaluating LMSs and the choice is between Moodle and Blackboard. We will probably move to Moodle in a hosted environment. Do you see Moodle improving or utterly failing in the security arena? It only takes one lawsuit to make Moodle much more expensive than Blackboard…..although Blackboard has had a hashing issue of their own to contend with.

  4. February 12th, 2010 at 20:49 | #4

    @Dave W:
    You are absolutely right about the one lawsuit…I’ve been warning them of that for years now. I’m surprised it hasn’t already happened. Moodle has had one big security problem after another…the spam porn and this latest database issue are just two of the most recent. Before that, Moodle installed, by default, with the moodle_data directory in the public_html directory leaving it wide-open to the world through simple Google searches…you can still find literally thousands of Moodle sites with that problem.

    The real scary thing about all of this is that in virtually all of these recent security cases, Moodle HQ was told of the problems months before they were made public and they simply ignored the warning until they were forced to address them. If past experience is any indication of the future, then yes, Moodle will continue to suffer from very serious and public security issues. My best advice to you would be to not move to Moodle in a hosted environment…the ONLY way I would trust Moodle is to host it myself, in-house. Good luck with whatever you decide, but if your decision is Moodle you had better plan to “stay on your toes” a lot more than you would have to with Blackboard…and, even though I hate to say it, Blackboard NG is going to be a pretty cool environment…expensive, but cool.

  5. John
    February 13th, 2010 at 13:16 | #5

    @Dave W

    One of the things Open Source should buy you is a transparent and vibrant culture.

    Dave, once upon a time Moodle had a very vibrant and transparent culture. The community on moodle.org was very active and engaged and it was a real joy to be part of something that seemed to be driven by a grass-roots movement. There was a lot of trust in the product and a real sense of community. But somewhere along the line Moodle lost that community feel and became more of a closed, corporate feeling entity. It seems the business arm of Moodle has taken over and now it feels more like a Microsoft community than an “open source” community. Really sad, but I guess not unexpected. I dropped out of the community long ago when I saw this trend evolving.

    Unfortunately, when you have a closed, profit-minded community, which I believe is what moodle.org has evolved into and still have open code, then that’s a recipe for disaster as evidenced in Figaro’s posts here. I would not trust the moodle codebase with any data I wanted to protect these days. It may be okay for a hobby site, but not for my institutional data.

  6. February 13th, 2010 at 15:24 | #6

    @John
    Welcome John and thanks for some historical insight. I have to agree with the “closed, profit-minded community” comment you made here. If you simply look at the thread that is the subject of this post, it’s amazing what has happened just in the past few days in this one thread in the most “open forum” on moodle.org–the “lounge”…the forum moderator (who is a paid moodle.com employee) has deleted dozens of posts in the past few days that merely challenged the statement that moodle partners (moodle.com contractors…see the connection here?) provide peace of mind, security, etc. The posts didn’t even name a specific partner or claim any wrongdoing on anyone’s part…the post simply questioned the stated assumption of the quality of services that Moodle partners provide.

    See some of the censorship in the following thread and understand, it is happening in lots more places on moodle.org than this one thread and most of the time, the posts are simply being deleted without comment…as if they never existed:

    http://moodle.org/mod/forum/discuss.php?d=141979 (Note: if prompted to log in, simply click “Login as a guest”)

    If that is not evidence that moodle.com, the for-profit arm of Moodle, has taken over the moodle.org “community”, I don’t know what proof anyone needs.

  7. John
    February 14th, 2010 at 08:10 | #7

    @figaro
    Figaro, did you see this latest post in the lounge?
    http://moodle.org/mod/forum/discuss.php?d=143730
    Mauno seems to really dislike you. I hope he doesn’t know where you live :-)

  8. February 14th, 2010 at 08:47 | #8

    @John
    Yeah, pretty amazing isn’t it? Someone else starts a post there and I get flamed by Mauno for it. He seems to see me everywhere…hey, Mauno, I’m not Olli…he is a lot younger and better looking than me ;-) It seems Mauno is either paranoid or just hasn’t had a chance to take his meds this morning. He’s typically a level-headed (albeit, misguided) guy, so I’m betting it’s the meds. I won’t address the flat-out lies and half-truths in his flame, but a quick observation:

    You see the post in the video here that was censored? It was supposed to be a violation of their code of conduct. When Mr. Grober objected to that post being deleted, his objections were deleted multiple times. He finally had to post them on an outside site to preserve what he said (since if you look in the thread all you see now is that he has been branded as posting something inappropriate)…here are his deleted posts: http://a126.elog.com/

    Now look at Mauno’s post (remember, he is a “moderator”)…it seems his post doesn’t violate “the code”.

    A perfect example of why I made this video and blog post in the first place.

    As some have observed here and in this same moodle.org post, the moodle.org forums have evolved into being a Store Front for the for-profit arm of Moodle. They are doing nothing illegal and they certainly have the right to censor at will in their forums…I’m merely holding up a mirror to that behavior…people are free to form their own opinions of what they see…

  9. julie-is-me
    February 14th, 2010 at 12:10 | #9

    I read a very good article on the life cycle of open source a year or so ago. This discussion prompted me to look it up and re-read it. I was happy to find it still on the web.

    http://java.sys-con.com/node/166872

    I think this describes the Moodle situation pretty well, except that the Hawks have actually joined forces with the “kids in the basement” and when the kids allow that to happen, it’s no longer a win-win situation for all. It’s win-win for the kids and the hawks–everyone else beware!

    Kudos to successful open source software like WordPress who hasn’t invited the Hawks to take up residence in the basement. The WordPress kids still own the house, they do their thing, the Hawks still circle and do their thing, and all is well. Unfortunately, the Hawks own the lease to the Moodle house.

  10. February 14th, 2010 at 19:19 | #10

    And I apologize for my “flaming” – if you think I am flaming – for some reason I did not feel any heat… ;-)

    Not surprising, the person wielding the flame thrower typically doesn’t feel the heat ;-)

    Apology, half-hearted as it is, accepted. The “meds” reference was in jest — my apologies if you think it was serious ;-)

    I’ll leave you with this:

    Thoreau’s world-famous essay, Civil Disobedience, grew out of a night in July 1846 when he was detained in Concord jail for nonpayment of the poll tax. Henry had refused to pay the tax because of its association with the institution of slavery. His maiden Aunt Maria, without asking Thoreau, paid his tax and secured his release. Henry, wanting to continue his protest, was furious.

    Ralph Waldo Emerson is reputed to have visited Thoreau in his jail cell. “Why are you here?” Emerson asked. “Why are you not here?” Thoreau replied.

  11. Defcon
    February 15th, 2010 at 06:59 | #11

    Here is your problem figaro. You are quoting Thoreau to people who are clearly challenged by the Sunday comic strips. Heavy reading for MK is The Moodle Users Guide and maybe his Pokemon cards. Using Mauno’s simpleton logic, Thoreau was nothing but an “idiot” for not following the local custom. If only Mauno had been there to educate Thoreau about Rome :-)

    At least Olli didn’t bite and jump on Mauno’s flame-bait bandwagon and Marc is clearly an Anomaly in that crowd. So, they’re not all a bunch of thought control freaks. But, if you want to get along on moodle.org you had better learn the Goose-step comrade.

    http://en.wikipedia.org/wiki/Goose-step

  12. February 15th, 2010 at 09:04 | #12

    @Defcon
    Well…my Goose-stepping isn’t that great, so looks like I’m out of luck ;-)

  13. Mauno
    February 16th, 2010 at 09:11 | #13

    Steve,

    Thank you for that story – I used some days to read Thoreau’s texts and I agree that his writings have influenced many public figures…not only in your home country.

    I suppose Defcon knows nothing about my background so it might be good to note that original meaning of that saying about Rome is not so far from ideological ideas of Thoreau:

    Ambrose displayed a kind of liturgical flexibility that kept in mind that liturgy was a tool to serve people in worshiping God, and ought not to become a rigid entity that is invariable from place to place. His advice to Augustine of Hippo on this point was to follow local liturgical custom. “When I am at Rome, I fast on a Saturday; when I am at Milan, I do not. Follow the custom of the church where you are.” Thus Ambrose refused to be drawn into a false conflict over which particular local church had the “right” liturgical form where there was no substantial problem. His advice has remained in the English language as the saying, “When in Rome, do as the Romans do.”

    Martin Luther King, Jr. noted in his autobiography that his first encounter with the idea of non-violent resistance was reading “On Civil Disobedience”:

    Here, in this courageous New Englander’s refusal to pay his taxes and his choice of jail rather than support a war that would spread slavery’s territory into Mexico, I made my first contact with the theory of nonviolent resistance. Fascinated by the idea of refusing to cooperate with an evil system, I was so deeply moved that I reread the work several times.

    In my opinion Thoreau’s insistence that evil must be resisted and that no moral man can patiently adjust to injustice was correct – we may just have different personal opinions about the meaning of “evil” or “injustice” in public forums or posts.

    Henry David Thoreau probably never wrote about ranting but the following words written by him have been often quoted:

    “Goodness is the only investment that never fails.”

    “Be true to your work, your word, and your friend.”

    “The language of friendship is not words, but meanings. It is an intelligence about language.”

    Best regards,

    Mauno

  14. February 16th, 2010 at 13:35 | #14

    @Mauno
    Hello Mauno. Yes, I’m sure we do have different opinions, but if those opinions are censored, then we will never know just how different, or maybe not-so-different they may be. I don’t understand how you can look at what has happened in the lounge and feel that it was “justified”. Do you really think that initial post should have been deleted? Do you really feel that Marc’s follow-up objections, should have been deleted? Those are rhetorical questions you can ponder while you continue to think about civil disobedience.

    If the censorship was limited to those posts, then this could be considered a one-time thing, but in my informed opinion and experience, it’s only one example of a long time systemic problem on moodle.org.

  15. netbuoy
    February 16th, 2010 at 18:23 | #15

    I get a kick out of open conversation, but I don’t know if I can live with being anomalous ;)

    Thoreau was pissed because unbeknownst to him his ass got bailed out… While I don’t know about citing wikipedia as authoritative, they certainly got that right ;=}

    But as an anomaly I have to suggest that I find most of what has come out of the mouths of GOP leaders over the last few years painfully inane, irrational, etc. Yet I will always insist that jackasses like Rush and Glenn be afforded freedom of speech in the marketplace of ideas. If people are duped by their pathetic fear mongering it is because, as Hamilton feared, the masses are ignorant and public education has failed its role in preserving democracy.

    I abhor ad hominem but applaud Emerson; I applaud those who speak out on ideas for, as we see in the story of the Emperor’s New Clothes, it is the guileless child who may have something to offer; i.e. credentials do not make or break arguments….

    But where am I going with this? I just received mail charging that Figaro is as guilty of censorship as Helen and that my correspondent’s attempt to post here was obstructed. The mail also suggests that I am asea in the matter. Lastly, the mail challenges me to post the sender’s remarks here myself.

    And, indeed, but for the risk of posting that which is private I would so have done…. And I will so post – you know who you are ;) Resend copy clearly identified for posting here and I will make common cause with your efforts to be heard here, whatever measures may be de jure chez moodle.

    Somber John Donne advised not to send for whom the bell tolls …… while Dean Swift’s rapier wit sets one’s ears ringing, but both would have agreed with Red Green, “I’m pulling for you. We’re all in this together.”

  16. February 16th, 2010 at 19:14 | #16

    I just received mail charging that Figaro is as guilty of censorship as Helen and that my correspondent’s attempt to post here was obstructed.

    Well, anyone can say anything…doesn’t make it true. I haven’t yet not approved a comment on this topic. Look at the comments here on the “Critical Moodle security vulnerability” post…several comments there that weren’t too flattering of me. Having said that, I owe no one at moodle.com the right to post here, so it doesn’t mean I won’t obstruct their attempt to post here. I don’t claim to be the champion of social constructivism.

    Let me tell your correspondent what I am not guilty of.

    I’m not guilty of owning and operating a .org, open source community site, where I allow my .com business partners to freely (and exclusively) advertise their wares, allow all members of my site to praise my partners’ services, allow anyone to recommend my business partners’ services to the world, allow people to give testimony about what great service they are getting from my business partners, but where I censor anyone who even suggests that my business partners’ services may not always be as top-notch as they are being told…even if they provide proof.

    I wonder what your correspondent would think of my ethics and morals if I operated that kind of site? I wonder if he/she knows anyone who does operate that kind of site? ;-)

  17. February 25th, 2010 at 08:40 | #17

    @netbuoy

    And, indeed, but for the risk of posting that which is private I would so have done…. And I will so post – you know who you are ;) Resend copy clearly identified for posting here and I will make common cause with your efforts to be heard here, whatever measures may be de jure chez moodle.

    Just to close the loop here 9 days later, I’ll state one fact and one assumption:

    Fact: You haven’t posted the correspondent’s comment he/she claims wasn’t approved.

    Assumption: After calling the correspondent’s bluff you didn’t receive that clear copy with directions to post here.
