This whole story is a shock to me: I wrote my first online quizzes and problem sets in the 20th century. Submissions were always graded on the server side and answers were never available to the browser.
I was involved in a lot of crappy testing software people wanted to sell our university. That was the first criterion I insisted on these publishers satisfied.
By the mid-aughts, everyone seemed to have understood it. ... WTF happened that now we are talking about disabling view-source in browsers as a security measure?!
I wasn't even aware that was a thing (even though I've had to use Chrome in many enterprise settings). Is this just the `npm install` automatons not understanding the distinction between the client and server in client/server applications?
Worse. It is apparently to protect teachers who create quizzes in Google Forms. They don’t know anything about servers or clients, just that Google Forms is easy to use.
This is only acceptable is the purpose is to provide practice questions that do not count for credit. Just like it is a good idea to provide answers to practice questions at the end of the book (sometimes printed upside down).
Of course, to be useful as a learning tool, the answers to such practice question must include an explanation of why, say, (c) is a better answer than (a), (b), and (d).
So, set up practice questions in Google forms, put actual answers/explanations on a web page for students to learn.
You can still do exams in Google forms ... Just don't leave the grading to Google forms. Instead, grade asynchronously.
Again, that would be actual work, so, no leave everything to Google, and accuse students of cheating and take away `view-source`. Right. That's what things have come to.
If you can view the answers in view-source, that's a failing grade for the test writers, whether it's Forms or any other tool. Fail the teachers, pass the students smart enough to discover this (or, more well-versed in technology than those tasked to teach them).
Unacceptable capitulation to poor educational quality.
The problem is that there are no platforms from the government or states. Schools or I bet individual teachers have to find a solution for themselves. There are solutions out there some cost a lot of money and some are just not easy to deploy. This is systemic and not anything we should put on teachers or individuals that have no chance to change the shitty work environments they are in.
I totally agree. After 30h of teaching, (depending on the teacher) around 10h to 40h of preparation per week I don't see any room for dealing with shitty software problems. Simple cheap solutions directly benefit the children.
If I were in charge of Google, anyone who approved this change instead of saying something like "WONTFIX, this is ridiculous, fix your app to not put answers in the page source instead" would be fired.
Bonus points for the bug reporters complaining that it's taking years to 'fix' this (which seems like plenty of time to fix their quizzes, given how much free time they apparently have to lobby Google), and for someone observing that the 'solution' is, like all security-by-obscurity fails, already broken (because of devtools).
Meanwhile, the code complexity and unintuitive behavior (who would ever expect 'view-source' to have a blacklist or be controllable by the web page?!) will get externalized onto all Chrome users forevermore.
> who would ever expect 'view-source' to have a blacklist or be controllable by the web page
This is about enterprise policy in a managed environment. It was already able to block a URL - like https://google.com - but not view-source:https://google.com.
Yes, the `javascript:` prefix tells the browser to interpret the url as javascript. Try this one for example
javascript:alert('hello world');
Do note that some browsers remove the `javascript:` part when you paste it into the url bar because it could easily be used maliciously so you might have to type that yourself.
>who would ever expect 'view-source' to have a blacklist or be controllable by the web page
i would expect that when a browser displays source code at a url that looks like view-source://the-url-of-the-page, and gives me a pattern-matching blacklist feature, then blocking view-source://* would block urls matching that pattern. having a blacklist feature that selectively doesn't work on certain types of URLs seems like a bug to me.
removing a special-case exclusion is hardly unintuitive behaviour, unless you're using the definition of "unintuitive" that means "something i don't like"
No, you would not expect a URL you can render and view and run to then suddenly have view-source blocked, because you are not just viewing the source, you are loading, parsing, and executing it. That's what they are asking for, to browse a URL but then disable view-source (of the URL you are currently successfully browsing).
So they embed answers in page source, blame students with basic common sense skills for viewing page source, and trying to "fix" _that_ instead of fixing the whatever quiz system they are using to not send the answers to the client?
It is the equivalent of using heavy marble blocks instead of paper to prevent flipping the page because answers are written on the back of the exam: it tries to hide the symptom of the problem instead of fixing the real problem.
Rather than fixing the broken quiz, they’ve chosen to restrict access to a web browser feature with limitless educational value.
Perhaps if the creators of the web service had spent more time with the view-source tool during their own schooling they would have designed a better quiz system, one that was less vulnerable to this “exploit”.
The layers of incompetence are hilarious. Incompetent web developers restrict access to a valuable resource, which will inevitably lead to more incompetent web developers.
I don't agree that using view-source during a test is a critical event in the life of a web developer the lack of which could derail them into "incompetence". But what do I know?
If the best they can supply is an online exam document that literally contains answers in the html document, then maybe paper exams should come back while they think about what they’ve done and try again later
Wow, you seem to ride a really high horse if this is the hill you want to die on. As if technical debt and subpar solutions are totally alien to software developers.
I think you're trying to say something close to perfect is the enemy of good. Which I totally agree with. But worse than what we have now, isn't an acceptable stepping stone because things might get better. If teachers can't write tests that students can't cheat on without using paper, then we still need paper.
While yes, theses tests are broken. The problem isn't the test, the issue is breaking something useful, so that we can have something that might get better some day. No, it won't get better. More people will depend on putting answers in the html source code delivered to clients, and everything will keep being shit.
I'm perfectly happy to die on this hill. But the hill isn't "subpar solutions can never be used, everything must be perfect from commit 0" The hill I'm willing to die on is "Don't break something that's currently good, to fix something that's already horribly broken and bad." Which I' argue is a good hill to die on.
> If teachers can't write tests that students can't cheat on without using paper, then we still need paper.
LOL. Teachers will never be able to prevent students from cheating. This will only help against a very easily accessible way of cheating that would otherwise render Google Forms Quiz useless for teachers.
They don't remove your precious feature. I would fight against this too, if they would. They just allow admins to restrict it on workstations they manage. Just having a shitty electron app in Windows kiosk mode is the alternative... which I thinks is definitely worse.
> LOL. Teachers will never be able to prevent students from cheating. This will only help against a very easily accessible way of cheating that would otherwise render Google Forms Quiz useless for teachers.
If Google Forms Quiz embeds the test answers into the html, then is it is already worse than useless.
> They don't remove your precious feature. I would fight against this too, if they would.
I've already said this to you in another thread, but my sister is a school teacher. I do tech support for her all the time. This *is* something that *WILL* make my life harder. Now that you know it's a feature I need and use to be able to help her, will you actually argue against this with me?
> They just allow admins to restrict it on workstations they manage. Just having a shitty electron app in Windows kiosk mode is the alternative... which I thinks is definitely worse.
I think electron is worse, but if that's the only other option, then I'd rather they break the test specific electron app instead of the chromium browser that I have to use for everything. This is where I also point out that just because the feature does allow for a small list of websites to block view-source on. There's nothing preventing a stupid or lazy admin who sets it up from blocking it on every computer the school uses.
> You seem to unknowingly argue against straw men!
No, I'm not. I feel as if you're trying to insult me.. But I think it might be I'm not explaining myself well enough.
> I've already said this to you in another thread, but my sister is a school teacher. I do tech support for her all the time. This is something that WILL make my life harder. Now that you know it's a feature I need and use to be able to help her, will you actually argue against this with me?
Lol, my mom was a teacher, my wife is a teacher, my sister is a teacher, my sister in law will be a teacher. For all I did tech support. Now what?
Actually I think this is a very nice simple solution. Under the circumstances that teachers like to use Google Forms and Google seems to shit on teachers with this use case, let the admin simply deactivate view source for Google Forms URLs and no problem any more. This will only affect student accounts, maybe even only student exam accounts and the problem is solved, especially in primary education.
> They don't remove your precious feature. I would fight against this too, if they would.
They are removing a feature I use.
But you didn't answer any of my other questions. And ignored my comments about how a lazy or stupid admin will just block view source on every computer and every website. You said taking tests on computers is supposed to make things faster, and more accessible. How does giving admins the ability to disable features that kids can use to learn about computers and the web make things more accessible to students who's school computer is their only computer?
Why should school admins block view source for teacher accounts?
IMO a stupid admin you can ask to enable view source for teacher accounts is far better than a proprietary test application that you are not even able to understand nor debug in any way.
Just activate the group policy for exam workstations only and students will not encounter this on any other school computer. Or even better provide special exam accounts.
Because most people don't understand security in any way shape or form. Blocking everything is easier than trying to figure out what should be blocked, and what shouldn't. I agree that it's better to ask them to unblock it on teacher accounts. But I can't do that, perhaps a teacher could. But I suspect that the tech admin that's stupid enough to block everything by default is the same type that's stupid enough to think that it's better security, and would just ignore then request to unblock it on teacher's computers. But I also have a nephew in school. What about when he asks me for help? Is he going to be able to ask the admin to unblock his computer?
When this feature is used, they will probably also block dev tools, internet access to most websites and especially remote access. I simply don't see your concerns being of any merit.
I sincerely hope your nephew's computer is not managed by his school's admins.
> Just having a shitty electron app in Windows kiosk mode is the alternative... which I thinks is definitely worse.
Honest question here, why is this worse? Why wouldn't you want a kiosk mode for taking tests?
Blocking URLs is kind of a half-baked answer anyway, you don't really want people to have access to most browser features for the embedded page, including dev tools, including the URL bar, you don't want them to be able to Ctrl-S the page, you don't want them to be able to access bookmarklets that can reveal source, etc, etc. If you're using Google Forms to give tests, there are probably other issues there beyond whether or not kids can look at the source code, and the reality is you probably do not want to actually use a full-featured browser to give that test.
So there's very little downside I can see to having a single-purpose Electron app that's installed on school computers. I mean, hopefully you're not using kids own computers for this anyway if you care about security, because you have no way to verify that they haven't messed with the browser or bypassed your restriction then. So if they're school machines, because this is a policy for work machines that are managed... yeah, of course you should install a testing app, and of course you should put machines into a kiosk mode. Why wouldn't you?
I would think "put school-owned machines into kiosk mode" would be the first step to take as an admin if someone is trying to administer secure tests on those machines.
I guess they use some kind of kiosk mode but still want to preserve some browser functionality. E.g. allow access to more exam material not embedded into the quiz or an Encyclopedia for research during exams.
An app has to be developed and this development costs money and somebody has to pay this money.
> An app has to be developed and this development costs money and somebody has to pay this money.
Doesn't Chrome already have a kiosk mode built into it?
> but still want to preserve some browser functionality. E.g. allow access to more exam material not embedded into the quiz or an Encyclopedia for research during exams.
Open Internet access seems like a really bad way to provide that. There are maybe 5 different ways I can think of off the top of my head that are quick to do that circumvent a view-source restriction if the rest of the browser is enabled.
Sure, an enterprise admin might know to disable (some of) those methods, but if they're smart enough to do that, aren't they also smart enough to set up a kiosk display? Kiosk apps aren't some kind of new technology, these get used all over the place.
I'm curious about the intersection between teachers/admins who are not well-equipped enough to avoid using anything other than Google Forms to deliver tests, but that are well equipped enough to build a network policy that blocks students from just sending each other test answers during the test.
I don't know, I don't want to be cynical here, but this kind of thing is literally the job of a network admin, isn't it? It's why you hire them, to set up stuff like this.
Technical debt like knowingly shipping privileged information to the client by design? I mean, it is true that 'perfect' is the enemy of the good. But 'terrible' is also the enemy of the good.
I would question whether a computerized test with these problems is actually better than a paper test. But more than that, I would question whether people have an obligation to make other products worse just to accommodate bad coding.
I don't think anyone is demanding perfection by (correctly) pointing out that not designing a product to deliberately leak secure information is kind of the bare minimum bar in a secure testing environment.
Is that a bad thing? Ignoring for the moment the idea of cheating on tests is a problem with the student or the test.
Are paper tests a bad thing? Why do intelligent state voting systems depend on paper, or backups? Why do ultra high security computer systems still log to paper?
Well, it brings kids in front of a computer and teachers save time. Google Forms Quiz has a grading and summary feature:
* Frequently missed questions
* Graphs marked with correct answers
* Average, median, and range of scores
Kids who would be able to take a test via computer are near the set of kids who have a cellphone within 2 meters of their hand at all times. Access to, and technological literacy is not the problems facing the generation of people taking tests today. Whereas, everything is broken is currently, and still looking like the problems of both today, and tomorrow. In part because people are willing to implement user hostile features like disabling the ability to fix bugs on your own.
This is not user hostile. In this case the user is the teacher not the kid. Man, do they really have to deploy iPads in kiosk mode for shitty tests so you don't shit on them? Teachers do their best to optimize and digitize teaching under the worst circumstances. If this litte bugfix helps them I am happy.
Please note that this feature is part of managed Chrome which can be restricted in many other ways. The exam workstation itself of course too.
> This is not user hostile. In this case the user is the teacher not the kid.
Then what is the kid? And who is *using* the computer to take the test? And who is *using* the browser? And who is *using* Chromium that would like to learn something about the source, that now has view-source disabled? Are they not users, just because someone else wrote the test?
> Man, do they really have to deploy iPads in kiosk mode for shitty tests so you don't shit on them? Teachers do their best to optimize and digitize teaching under the worst circumstances. If this litte bugfix helps them I am happy.
I'm happy to help teachers too, but this helps them by hurting others. That's *not* ok!
> Please note that this feature is part of managed Chrome which can be restricted in many other ways. The exam workstation itself of course too.
Sure, but that's still wrong. Just because bad thing is bad, or closer to how you put it, there's other things you can't do with this software. Doesn't mean that adding more restrictions is a good thing.
No, I think that's a bad idea too. I think the test that's sent to the client shouldn't have the answers inside the test itself. We keep comparing this to paper tests, what's a better solution, printing the answers on the back side of paper test, and then gluing another piece of paper over the answers? Or not printing the answer on the back of the test?
> No, I think that's a bad idea too. I think the test that's sent to the client shouldn't have the answers inside the test itself. We keep comparing this to paper tests, what's a better solution, printing the answers on the back side of paper test, and then gluing another piece of paper over the answers? Or not printing the answer on the back of the test?
So server side security is in this case better because it's a more clean solution? In this case the cleanliness of the solution is irrelevant as long as it works. Students can always sneak in attach a keylogger to the teacher's keyboard and read out the password for accessing all tests. It's about erecting a barrier that is good enough.
> So server side security is in this case better because it's a more clean solution?
Yes, absolutely. There's nothing a client can do if the server doesn't send it the answers.
> In this case the cleanliness of the solution is irrelevant as long as it works.
*NO!!* How good a solution is always matters! Another solution to students cheating is for an older student to stand over them as the take the test, and beat them with a stick if they try to view the source of the test. That' would be a solution to this problem, but it's so obviously bad. But hey, it'd work. It'd actually work better than this because it would work on every test, on every site, in every browser, for every computer... Because how clean a solution is doesn't matter, who cares if there's a little blood on the screen?
> Students can always sneak in attach a keylogger to the teacher's keyboard and read out the password for accessing all tests. It's about erecting a barrier that is good enough.
If a student is able to sneak a keylogger onto the computer of a teacher without getting caught, they're smart enough that the test is pointless to them.
Ok, so a simple group policy is equal to beating children until blood hits the screen.
> If a student is able to sneak a keylogger onto the computer of a teacher without getting caught, they're smart enough that the test is pointless to them.
Attaching keyloggers is stupidly simple. Security is always a trade off. This was my actual point. In case of keyloggers it's more a matter of lacking risk awareness since it would probably bring criminal charges.
The kid is an excuse for a "teacher" and "assistants" to get paid and get benefits and for Google to start collecting data on them from a very young age.
In my years in the school we had many "inspirations". We wrote Turbo Pascal based phishing CLIs, decrypted PWL files, exploited wrongly set access rights etc.
I don't see a point where making this kind of stuff secure in another more targeted way (e.g. central exam server) is helping in any way.
You can still held hacker competitions in computer science classes anyway (hopefully mandatory for all).
Based on my somewhat recent high school experience, mandatory computer science classes will not happen at a high school level on a consistent basis between schools, at least not without massive systemic change.
What "computer" class is these days is "MS Office" class. Except actually it's "MS Word and Excel class, except the teacher only ever calls it "the typing thing".
And even if there were sanctioned hacker competitions, they would become classwork and therefore boring. The fact that it is against the rules is part of the draw.
For what it's worth, I think there's something to be said for leaving a situation like this inherently insecure. Yes it's manipulative, but somebody learning something from their own drive is a lot better than standardized testing beating it into the infodump section of the brain.
Your "inspirations" sound quite enjoyable! You were definitely much more skilled than me or anyone I knew.
I don't think holding wargames in class would make them boring because of that. I would've enjoyed such a thing. For normal classes some kind of "hacking adventure" where using view source and other tricks to move forward is necessary I also don't see any boring faces. The teacher who sells this stuff to the children is key here. This is why teachers should have as much time for preparation as possible. At best this preparation would be like preparation of an actor (with extensive knowledge of the plot), because everything else is already at hand (just my idea of what teachers should be).
That would be enjoyable. If we had a functional school system I think this could actually work.
I just see the intentionally insecure quiz working in the current setting, and there being no way to implement the wargames in an effective way in this setting.
So we should... preserve this exploit (since without the answers being in the HTML, said friend won't have reason to point it out) forever and let people cheat, so we get more web developers? What exactly are you saying?
> So we should... preserve this exploit (since without the answers being in the HTML, said friend won't have reason to point it out) forever and let people cheat, so we get more web developers? What exactly are you saying?
One man's exploit is another mans feature. But more directly, no I'm not saying either of those things. I'm saying that user hostile design, like preventing the user from being able to do something they otherwise could is what causes people to hate computers. In this case, it's better to fix the problem [someone including answers within the test they're sending to the client] instead of breaking a feature so that someone can keep doing something stupid.
Just another reason to use/advocate/support Firefox, and alternative browsers. Ultimately this is good for Google. Just like with hiding the url, as far as they're concerned, the less people look under the covers, the better.
Firefox isn't installed on many university computers. CS students don't have access to root/sudo and are forced to use existing software. Exams "don't work" on Firefox (UA-checks...) so when doing exam on your own PC, have to install Chrome, and yes, disconnect any external screen, allow software to record the screen and turn on webcam.
If a portion of the Cryptocurrency community winds up having their tech used as a promotion for censorship[0] in this manner, I will die laughing from the irony.
[0] I hate throwing out this word, as it's always used wrong - including my usage here - and tends to carry a lot of other connotations with it which I don't want to affiliate myself with. Is there a better word to use here?
Seems to be a useful feature also when you want to use Chromium as Kiosk software.
I honestly don't get why so many commentators are upset. They are using Google Forms for tests. And these tests leak answers through the source code. Schools are not well funded and this setup itself is not very professional. When you can fix this by giving admins such possibilities, why not?
It's not like your Chrome will prevent you from viewing any sources. As you can also read in the article the restriction can be limited to certain URLs. IT ONLY AFFECTS MANAGED ENVIRONMENTS WHERE ADMINS CAN DO MUCH MORE RESTRICITNG THINGS ANYWAY.
So much this. I think the issue is that the fix was packed up as the solution for broken test-taking software (or misuse of Google Forms for that intention), and people everywhere are complaining that it's not a valid reason, with which I agree.
However, there are legit environments where people might want to prevent users from accessing devtools and view-source functionality, like when using it as a kiosk software.
From security standpoint, it might be also reasonable to disable at least devtools in enterprise environments, since users can not necessarily be trusted with such access (which is the reason why many sites, such as Facebook, display warning to not enter anything in the console, especially if someone instructed them or they found it online).
Why is this sickening? The same admin can also restrict your browser to just one valid URL or make your whole machine usable by left mouse clicks only. Being not able to view the source in this context is sickening? Do teachers really have to create an electron app for this stuff?
> It was fixed by Microsoft principal program manager Eric Lawrence
So rarely do you get to learn the name of the person who willingly make applications user hostile. The defective code is obviously^1 the test, not the browser. Yet, Eric decided to break the usefullness of an existing feature to try to prevent kids who are smarter then the test from beating the test. The reason everything is broken, is because of these types of decisions. I just wish fewer people like Eric would make decisions to break stuff to try to fix other more broken stuff. I wonder what someone will have to break now to get around this new defect in Chromium :(
^1: Obvious to anyone that understands the basics of web and computer security.
I think the article said the disabling of view source is an enterprise feature that's limited to specified URLs. Prior, the bug was, it wasn't working. That is, you could not disable view source for list of URLs.
I agree. View source is generally a good thing. But if an org wants to disable it for some limited set of URLs that's not really an issue. This feature doesn't effect everyone.
My takeaway of the news here was that this bug was open for so long and was finally fixed. But perhaps I read with the wrong lens.
Can someone tell me a reason why an organization would want to block this feature?
And blocking this in Chrome wouldn't be enough; they'd also need to whitelist execution for programs so people can't just use a portable browser. Then whitelist permitted websites and network connections to prevent use of other online workarounds.
This all can't be easier than solving the root issue.
It's not, they're not trying to solve all issues. Just the ones they're aware of. You're thinking too deeply if you're trying to understand their motivation. Occams' Razor also applies to understanding motivation. Students are cheating by viewing source -> block viewing source. Is much easier to understand than fixing the actual problem, which looks like.
Students are cheating by reading the source code -> the source code contains the test -> the test shouldn't also contain the answers -> the source code shouldn't contain the answers -> we need to remove the answers from the source code.
It is easier, because apparently companies like Google shit on scenarios like that for schools for software like Google Forms Quiz. As a school either you buy expensive software that sometimes still has such problems or you simply block access to source - immediate problem solved.
This feature is just an improvement over not being able to see sources at all. A portable browser comes on a storage device which is not allowed in this scenario. Otherwise you could simply have a crib sheet on it.
Maybe the whitelist is just for a local intranet (wikipedia mirror whatever).
> I think the article said the disabling of view source is an enterprise feature that's limited to specified URLs. Prior, the bug was, it wasn't working. That is, you could not disable view source for list of URLs.
Yes, but my problem isn't fixing this bug. My problem is now that this bug is fixed, Chromium is worse. The feature is bad, and actively user hostile. It shouldn't exist, thus contributing to make something that should not exist, function is bad.
> I agree. View source is generally a good thing.
It's always a good thing. There's no case I can think of where software has a built in ability to diagnose and fix problems with it is a bad thing.
> But if an org wants to disable it for some limited set of URLs that's not really an issue. This feature doesn't effect everyone.
But it does effect some people? Who cares if it's bad, it only hurts people I don't care about right? What about me? This user hostile design mistake COULD effect me. My sister is a school teacher. I help her with technical support all the time. Now she could come to me ask me why this site looks broken, and instead of being able to quickly tell her what's wrong, I now have to spend hours trying to unbreak the web browser on her school laptop. Things like this bother me so much because all it does is punish the smart people. Oh, you know how to fix your problems? Well fuck you, now it's harder!
> My takeaway of the news here was that this bug was open for so long and was finally fixed. But perhaps I read with the wrong lens.
Sounds like you're thinking to narrowly. Everyone is complaining because this is does make everything more complicated for no good* reason. And is likely to break work flows for a lot of people.
Crib sheets are cool or what? Do you really suggest teachers should prefer paper exams over Google Forms exams because removing the ability to cheat by removing the view source function from the exam workstation is evil? Do you really think any kid won't know the "trick" after the first one finds it out? This will not make any kid smarter...
I would be able to take all of this consternation over grading and preparation time more seriously if I had never taught in my life. Teachers' union members get small class sizes and assistants. Plus, it is not as if the material is soooo new and original every time. Grading paper tests is not hard. If it is multiple choice, grading is trivial. I am assuming these teacher's are not letting Google grade essay questions.
If the past two years have shown anything, it is that there are a heck of a lot of teachers' union members will do anything to get out of the actual work of teaching.
In the real world, the issue with this feature is that by making the idea that enterprise users gain security by prohibiting `view-source` commonplace and routine, Google and Microsoft are going to turn `view-source` into criminal activity soon. And teachers not wanting to do work is a convenient excuse.
Writing a decent quiz application is a weekend project for any developer who does not need left-pad to pad a string. The key part is the content, the question bank. Almost all publishers have question banks to go with almost every textbook.
Heck, some of us would actually read them and decide which ones made good practice questions and which ones did not.
> If the past two years have shown anything, it is that there are a heck of a lot of teachers' union members will do anything to get out of the actual work of teaching.
The teachers I know and I know quite many (basically the female side of my family consists of teachers) do not act like that. They try to come by with the sub-par software choices that were made for them. I agree that there are also many bad apples. The education system in Germany is especially well-suited for bad apples :( (non-terminable).
> In the real world, the issue with this feature is that by making the idea that enterprise users gain security by prohibiting `view-source` commonplace and routine, Google and Microsoft are going to turn `view-source` into criminal activity soon. And teachers not wanting to do work is a convenient excuse.
This is nonsense. There are much more restricting policies available.
> Writing a decent quiz application is a weekend project for any developer who does not need left-pad to pad a string. The key part is the content, the question bank. Almost all publishers have question banks to go with almost every textbook. Heck, some of us would actually read them and decide which ones made good practice questions and which ones did not.
Do you really think kids who can look up answers in the source can't come up with workarounds for this laughable block? It only takes one student with the right idea and this whole thing is worthless again.
This is a serverside problem, attempts to hide it in the client are doomed from the start.
Kiosk mode or similar restricting modes are normal browser features. I don't see a problem here. The reason to make this digital is to easily be able to grade it. Cheating will always be a problem. Easy and cheap prevention methods are key, because your average education system is cheap and badly organized.
Ahh, and see, there's the problem. You're operating under the assumption that cheating is a problem with the student and not the test. That's incorrect. We're talking about knowledge and correctness. If I present you with a problem, can you find a solution. Humans, correctly, will prefer the easiest solution. If your "test" has solutions that you don't want to accept (like cheating) that's a problem with your test, not with the solution.
As an example; if I write a password function called `check_password()` and in it, it uses C `if (strcmp(test_password, known_password)) goto fail;` and someone sends in the string "\0" is the password test good, or bad? Sure someone is cheating, but is the test good, or is the test bad?
> Easy and cheap prevention methods are key, because your average education system is cheap and badly organized.
So the average education system is broken, the best solution we have, and the one we should implement is to break other things that are working as intended?
> You're operating under the assumption that cheating is a problem with the student and not the test. That's incorrect. We're talking about knowledge and correctness. If I present you with a problem, can you find a solution. Humans, correctly, will prefer the easiest solution. If your "test" has solutions that you don't want to accept (like cheating) that's a problem with your test, not with the solution.
This is nonsense. Foremost the test is to help the teacher to understand the student. If the lazy student constantly cheats they will fly under the radar and crash hard eventually. Tests themselves are just a crutch. Modern education is about helping children learn in spite of sending them away with somehow comparable grades.
> So the average education system is broken, the best solution we have, and the one we should implement is to break other things that are working as intended?
It's not breaking things. It's a feature for a browser in a managed environment. When teachers would develop an electron app with the same functionality would you be happy?
> This is nonsense. Foremost the test is to help the teacher to understand the student. If the lazy student constantly cheats they will fly under the radar and crash hard eventually.
I consider my very self lazy, and I used to cheat on tests all the time. I haven't crashed yet.
> Tests themselves are just a crutch. Modern education is about helping children learn in spite of sending them away with somehow comparable grades.
I agree actually. Tests should be just a way to learn about students. But schools, teachers and students, assign value to the grades they get on these tests. If grades didn't matter to anyone but the teacher so they could learn how well they're doing as a teach, students would have any interest in cheating. But we're arguing about if disabling view-source is a reasonable solution to prevent students from cheating for how test are used now. And It's not.
> It's not breaking things. It's a feature for a browser in a managed environment. When teachers would develop an electron app with the same functionality would you be happy?
No, I'll be happy when people stop making excuses for bad design, and other people stop breaking features in a feeble attempt to fix a bug in a different and mostly unrelated system.
In other words the efficient student who used the path of least resistance. It is easy to call such people lazy, but in my experience that label is mainly used to avoid the responsibility of fixing the issue. People convincing me I'm lazy caused more damage than a whole school career based on cheating would have.
Exams should mainly test understanding, not the ability to memorize things. Once you do that cheaters automatically become a smaller issue. Unless it's a memorization test(vocabulary etc.) there's no reason to withhold information imho, just like it doesn't make sense to have someone write software without access to Github or StackOverflow.
> Modern education is about helping children learn
In that case modern education is a total failure across the board.
Maybe my non-neurotypical perspective is a bit biased, but it is difficult to think of just one instance where any part of the education system was actually helpful. Einstein's quote about judging fish based on their ability to climb trees never lost significance.
Though I do have some understanding there; the education system in its current form does not attract competent teachers, and despite some awareness improvements rarely get funded beyond pilot tests.
It doesn't get easier and cheaper than a sheet of paper.
Going digital isn't good cheating prevention. It's the first step to repeating this "view page source" drama.
Once you add computers to the equation you open up countless more possibilities. Setting a few rules in the browser is like closing a single hole of a colander.
Not really. In a real paper & pencil exam you take in the same room with your teacher, the teacher is available to answer clarifying questions. More than once, a question one of my students asked led me to realize that a multiple choice question might have more than one good answer or an essay question can be phrased better etc. The real time feedback is a learning opportunity for the teacher and the student: The goal of a test in a high school or college classroom is not measurement. It is a continuation of learning.
I do not see how anything remotely close to that is possible when tests/grading are offloaded to Google forms.
So imagine this setting. You set up multiple learning stations / activity centres where students can independently learn on their own. These learning stations are analog and digital. They contain some tests that are mandatory and can be taken at any time by the students. To perform the tests the students go to one of maybe five workstations in secluded areas in the classroom that can be watched by the teacher. After each day the teacher can analyze the grading and can be reasonably sure nobody did cheat.
Please do not use HN for personal attack. Even if you assume that you don't owe a person better, you owe this community better if you're posting here. The damage caused by this route greatly exceeds any benefits. It's not what we want to become.
I don't think that interpretation is fair... I spent a lot of time trying to make sure I didn't write anything I thought sounded like a personal attack. I named him specifically because he's already spoken and "defend" the change. (Even providing comments and explanations here on HN.) I'd also assert that naming him specifically, like they do in the article, is the best way to associate the decision with a human who's made that decision. Because I feel that it's important that people realize that the decisions they make matter. With a little less time an consideration, more people will make decisions like these that I believe make life harder for both me, and other people who use their software. If you have a better way to personalize decisions like this than to connect them to the person who made them, I'd be eager to hear it. Because I couldn't come up with anything better then, nor can I now with a second thought.
Without relation to the duty that I owe any individual, it bothers me that you'd say this comment is harmful to the HN community. I might be able to be convinced that calling out bad behavior is often more harmful than helpful. But the assertion that this makes the list of comments that degrades hackernews feels unjustified.
But, given it's your community; it doesn't matter much how I feel, so if you're unconvinced let me know, and I'll make sure I don't comment on anything remotely controversial anymore.
I appreciate that you edited it down from something that might have been worse, but these things are too simple to finesse. What you posted was (a) a sharp critique that (b) named a person and referenced him repeatedly and (c) made it about the person ("Eric decided to"). That definitely clears the bar for what counts as a personal attack. Why not just make your substantive points without making it be about the person?
I'm not asking you to stop commenting on anything controversial! This was a more specific point than that. However, I do think some calibration to local conventions would be helpful (https://news.ycombinator.com/newsguidelines.html). For example https://news.ycombinator.com/item?id=29214019 is another flamewar comment of the kind that we're trying to avoid here. If you find yourself beginning with "So you lied when you said...", that's a bad sign!
(Btw, since "lie" implies intent to deceive, and it's pretty much impossible to gauge intent over the internet, that word is pretty much always out of bounds in arguments here. It's also unnecessary.)
> Why not just make your substantive points without making it be about the person?
Because the point I wanted to include is that it was a person who made this decision. Using someone's name is how you personalize them. She, He, They, are all abstract and dehumanizing the decision. I specifically wanted to avoid abstract language because I didn't want to give the notion that it's just a small commit in a huge company. I thought it was important to highlight the fact that this small commit made by an individual is the commit that is the problem. It's not large corporation who owns the repo that wrote this code. It was a person with a name. Just like the reader is a person with a name.
> I'm not asking you to stop commenting on anything controversial! This was a more specific point than that. However, I do think some calibration to local conventions would be helpful (https://news.ycombinator.com/newsguidelines.html). For example https://news.ycombinator.com/item?id=29214019 is another flamewar comment of the kind that we're trying to avoid here. If you find yourself beginning with "So you lied when you said...", that's a bad sign!
The reason I suggested this was because I don't think the local conventions are a reasonable request. Not because I disagree with them generally, but because they're not applied universally. I can even use that comment thread as an example. The person I was arguing with wasn't trying to speak fairly. More then a few time the commenter would ignore parts, and only respond to others. I'm fulling willing to admit they don't have any real responsibility to respond in full to everything, and they clearly should be allowed to select what they want to reply to, or not. (Apart from the common courtesy.) But they clearly said something they didn't really mean. I lack another explanation than arguing in bad faith. Mea culpa, I used 'lie' a word that does appear to imply intent to deceive. But arguing without care, willfully making statements you don't really mean, and then ignoring responses requesting consensus is arguing in bad faith. Even if it's unintentional. To be clear, I don't anything he did could be reasonably considered in defiance of the guidelines. But IMO it's close; close enough to be inconsiderate, but not close enough to warrant a comment from an admin. Close enough to disrespectful that's it's provocative, but far enough to appear banal.
I like the rules hackernews encourages, but not the end result. Conversations aren't elevated by absence of emotion. Only by well thought out, rational conversations by speakers who are also willing to listen. Especially to thoughts or ideas they find uncomfortable. Again, mea culpa. I agree with you for some interpretations, I easily stepped onto, or over the line. But lacking the eloquence required to have real conversations without emotion, speaking about people who make decisions that make the world infinitesimally worse, or argue unfairly, I often can only author responses that appear brash. Which unfortunately does appear to break from local conventions. So if that is harmful, I shouldn't comment. :(
Edit: I looked into how to delete my account or comments, but that's not something hn want's to permit. Are you able to redact my original post? I don't think it's right to leave something that's objectionable.
There's no need to redact the original post - it's already dead, which means few people will see it, and in any case a single comment is not such a big deal.
I don't think it's that hard to abide by the HN guidelines, and you're clearly sincere, so if you want to do that it should be possible to calibrate and keep commenting in a good way, should you choose to.
Absence of emotion is definitely not a goal here! It's fine, more than fine, for people to share their feelings. It's just not fine to wield emotional energy against others. Those are two very different things, though not always so easy to tell apart in the moment.
Can the HN post title be changed to the article title? The post title is inaccurate and misleading. No functionality was removed, just a fix added for Chromium not respecting `view-source` URLs in the URL blocklist.
Y’all need to chill out with the hyperbole. Eric Lawrence, who I’ve worked with and wrote FIDDLER btw, which does the opposite of what anyone down here is proportions he’s intending, specifically noted that he was fixing a bug in the Blocklist policy. Basically the policy works for all schemes except view-source. He fixed the policy so that it does what it should do, which is work for all schemes. There are uncountable other ways to look at the source of webpages, many of which can also be blocked by enterprises, but it’s completely silly to imply that this change is causing a closed or evil ecosystem. Jeeeesus people need to think critically.
There are plenty of people out there who would love to see this feature more widespread. See all the fuss about making sure end users can't look under the carpet, like disabling copying, obfuscating JS, and DRM.
Good god, organisations/enterprises really have too much control over the browser. I believe that only top secret organisations like... The NSA need such a locked down browser for employees/students. I also believe that locking down internet access only limits ones ability to work and be happy, ultimately being detrimental to efficiency. While there are plenty of outlets for distraction, workers have managers and the work that's been done can be seen. Team chats exist.
117 comments
[ 2.8 ms ] story [ 197 ms ] threadI was involved in a lot of crappy testing software people wanted to sell our university. That was the first criterion I insisted on these publishers satisfied.
By the mid-aughts, everyone seemed to have understood it. ... WTF happened that now we are talking about disabling view-source in browsers as a security measure?!
I wasn't even aware that was a thing (even though I've had to use Chrome in many enterprise settings). Is this just the `npm install` automatons not understanding the distinction between the client and server in client/server applications?
Idiocracy is here.
This is only acceptable is the purpose is to provide practice questions that do not count for credit. Just like it is a good idea to provide answers to practice questions at the end of the book (sometimes printed upside down).
Of course, to be useful as a learning tool, the answers to such practice question must include an explanation of why, say, (c) is a better answer than (a), (b), and (d).
So, set up practice questions in Google forms, put actual answers/explanations on a web page for students to learn.
You can still do exams in Google forms ... Just don't leave the grading to Google forms. Instead, grade asynchronously.
Again, that would be actual work, so, no leave everything to Google, and accuse students of cheating and take away `view-source`. Right. That's what things have come to.
Unacceptable capitulation to poor educational quality.
See https://support.google.com/docs/thread/39605334/google-forms... to verify.
Meanwhile, the code complexity and unintuitive behavior (who would ever expect 'view-source' to have a blacklist or be controllable by the web page?!) will get externalized onto all Chrome users forevermore.
This is about enterprise policy in a managed environment. It was already able to block a URL - like https://google.com - but not view-source:https://google.com.
Blocking devtools was already possible.
You've patched one hole. How many more are possible? We know where this game goes...
i would expect that when a browser displays source code at a url that looks like view-source://the-url-of-the-page, and gives me a pattern-matching blacklist feature, then blocking view-source://* would block urls matching that pattern. having a blacklist feature that selectively doesn't work on certain types of URLs seems like a bug to me.
removing a special-case exclusion is hardly unintuitive behaviour, unless you're using the definition of "unintuitive" that means "something i don't like"
Great move /s
Google Forms
Perhaps if the creators of the web service had spent more time with the view-source tool during their own schooling they would have designed a better quiz system, one that was less vulnerable to this “exploit”.
The layers of incompetence are hilarious. Incompetent web developers restrict access to a valuable resource, which will inevitably lead to more incompetent web developers.
Vs
> Woah it worked, this is so fucking cool, what else can I make the computer do?
It's probably not critical for someone who's decided to be a web developer. It's the foundation that's created every self taught hacker ever.
While yes, theses tests are broken. The problem isn't the test, the issue is breaking something useful, so that we can have something that might get better some day. No, it won't get better. More people will depend on putting answers in the html source code delivered to clients, and everything will keep being shit.
I'm perfectly happy to die on this hill. But the hill isn't "subpar solutions can never be used, everything must be perfect from commit 0" The hill I'm willing to die on is "Don't break something that's currently good, to fix something that's already horribly broken and bad." Which I' argue is a good hill to die on.
LOL. Teachers will never be able to prevent students from cheating. This will only help against a very easily accessible way of cheating that would otherwise render Google Forms Quiz useless for teachers.
They don't remove your precious feature. I would fight against this too, if they would. They just allow admins to restrict it on workstations they manage. Just having a shitty electron app in Windows kiosk mode is the alternative... which I thinks is definitely worse.
You seem to unknowingly argue against straw men!
If Google Forms Quiz embeds the test answers into the html, then is it is already worse than useless.
> They don't remove your precious feature. I would fight against this too, if they would.
I've already said this to you in another thread, but my sister is a school teacher. I do tech support for her all the time. This *is* something that *WILL* make my life harder. Now that you know it's a feature I need and use to be able to help her, will you actually argue against this with me?
> They just allow admins to restrict it on workstations they manage. Just having a shitty electron app in Windows kiosk mode is the alternative... which I thinks is definitely worse.
I think electron is worse, but if that's the only other option, then I'd rather they break the test specific electron app instead of the chromium browser that I have to use for everything. This is where I also point out that just because the feature does allow for a small list of websites to block view-source on. There's nothing preventing a stupid or lazy admin who sets it up from blocking it on every computer the school uses.
> You seem to unknowingly argue against straw men!
No, I'm not. I feel as if you're trying to insult me.. But I think it might be I'm not explaining myself well enough.
Lol, my mom was a teacher, my wife is a teacher, my sister is a teacher, my sister in law will be a teacher. For all I did tech support. Now what?
Actually I think this is a very nice simple solution. Under the circumstances that teachers like to use Google Forms and Google seems to shit on teachers with this use case, let the admin simply deactivate view source for Google Forms URLs and no problem any more. This will only affect student accounts, maybe even only student exam accounts and the problem is solved, especially in primary education.
> They don't remove your precious feature. I would fight against this too, if they would.
They are removing a feature I use.
But you didn't answer any of my other questions. And ignored my comments about how a lazy or stupid admin will just block view source on every computer and every website. You said taking tests on computers is supposed to make things faster, and more accessible. How does giving admins the ability to disable features that kids can use to learn about computers and the web make things more accessible to students who's school computer is their only computer?
IMO a stupid admin you can ask to enable view source for teacher accounts is far better than a proprietary test application that you are not even able to understand nor debug in any way.
Just activate the group policy for exam workstations only and students will not encounter this on any other school computer. Or even better provide special exam accounts.
I sincerely hope your nephew's computer is not managed by his school's admins.
Honest question here, why is this worse? Why wouldn't you want a kiosk mode for taking tests?
Blocking URLs is kind of a half-baked answer anyway, you don't really want people to have access to most browser features for the embedded page, including dev tools, including the URL bar, you don't want them to be able to Ctrl-S the page, you don't want them to be able to access bookmarklets that can reveal source, etc, etc. If you're using Google Forms to give tests, there are probably other issues there beyond whether or not kids can look at the source code, and the reality is you probably do not want to actually use a full-featured browser to give that test.
So there's very little downside I can see to having a single-purpose Electron app that's installed on school computers. I mean, hopefully you're not using kids own computers for this anyway if you care about security, because you have no way to verify that they haven't messed with the browser or bypassed your restriction then. So if they're school machines, because this is a policy for work machines that are managed... yeah, of course you should install a testing app, and of course you should put machines into a kiosk mode. Why wouldn't you?
I would think "put school-owned machines into kiosk mode" would be the first step to take as an admin if someone is trying to administer secure tests on those machines.
An app has to be developed and this development costs money and somebody has to pay this money.
Doesn't Chrome already have a kiosk mode built into it?
> but still want to preserve some browser functionality. E.g. allow access to more exam material not embedded into the quiz or an Encyclopedia for research during exams.
Open Internet access seems like a really bad way to provide that. There are maybe 5 different ways I can think of off the top of my head that are quick to do that circumvent a view-source restriction if the rest of the browser is enabled.
Sure, an enterprise admin might know to disable (some of) those methods, but if they're smart enough to do that, aren't they also smart enough to set up a kiosk display? Kiosk apps aren't some kind of new technology, these get used all over the place.
I'm curious about the intersection between teachers/admins who are not well-equipped enough to avoid using anything other than Google Forms to deliver tests, but that are well equipped enough to build a network policy that blocks students from just sending each other test answers during the test.
I don't know, I don't want to be cynical here, but this kind of thing is literally the job of a network admin, isn't it? It's why you hire them, to set up stuff like this.
I would question whether a computerized test with these problems is actually better than a paper test. But more than that, I would question whether people have an obligation to make other products worse just to accommodate bad coding.
I don't think anyone is demanding perfection by (correctly) pointing out that not designing a product to deliberately leak secure information is kind of the bare minimum bar in a secure testing environment.
Are paper tests a bad thing? Why do intelligent state voting systems depend on paper, or backups? Why do ultra high security computer systems still log to paper?
Please note that this feature is part of managed Chrome which can be restricted in many other ways. The exam workstation itself of course too.
Then what is the kid? And who is *using* the computer to take the test? And who is *using* the browser? And who is *using* Chromium that would like to learn something about the source, that now has view-source disabled? Are they not users, just because someone else wrote the test?
> Man, do they really have to deploy iPads in kiosk mode for shitty tests so you don't shit on them? Teachers do their best to optimize and digitize teaching under the worst circumstances. If this litte bugfix helps them I am happy.
I'm happy to help teachers too, but this helps them by hurting others. That's *not* ok!
> Please note that this feature is part of managed Chrome which can be restricted in many other ways. The exam workstation itself of course too.
Sure, but that's still wrong. Just because bad thing is bad, or closer to how you put it, there's other things you can't do with this software. Doesn't mean that adding more restrictions is a good thing.
So server side security is in this case better because it's a more clean solution? In this case the cleanliness of the solution is irrelevant as long as it works. Students can always sneak in attach a keylogger to the teacher's keyboard and read out the password for accessing all tests. It's about erecting a barrier that is good enough.
Yes, absolutely. There's nothing a client can do if the server doesn't send it the answers.
> In this case the cleanliness of the solution is irrelevant as long as it works.
*NO!!* How good a solution is always matters! Another solution to students cheating is for an older student to stand over them as the take the test, and beat them with a stick if they try to view the source of the test. That' would be a solution to this problem, but it's so obviously bad. But hey, it'd work. It'd actually work better than this because it would work on every test, on every site, in every browser, for every computer... Because how clean a solution is doesn't matter, who cares if there's a little blood on the screen?
> Students can always sneak in attach a keylogger to the teacher's keyboard and read out the password for accessing all tests. It's about erecting a barrier that is good enough.
If a student is able to sneak a keylogger onto the computer of a teacher without getting caught, they're smart enough that the test is pointless to them.
> If a student is able to sneak a keylogger onto the computer of a teacher without getting caught, they're smart enough that the test is pointless to them.
Attaching keyloggers is stupidly simple. Security is always a trade off. This was my actual point. In case of keyloggers it's more a matter of lacking risk awareness since it would probably bring criminal charges.
The kid is an excuse for a "teacher" and "assistants" to get paid and get benefits and for Google to start collecting data on them from a very young age.
And besides, if everyone knew for that second test then that's a lot of seeds right there alone.
I don't see a point where making this kind of stuff secure in another more targeted way (e.g. central exam server) is helping in any way.
You can still held hacker competitions in computer science classes anyway (hopefully mandatory for all).
What "computer" class is these days is "MS Office" class. Except actually it's "MS Word and Excel class, except the teacher only ever calls it "the typing thing".
And even if there were sanctioned hacker competitions, they would become classwork and therefore boring. The fact that it is against the rules is part of the draw.
For what it's worth, I think there's something to be said for leaving a situation like this inherently insecure. Yes it's manipulative, but somebody learning something from their own drive is a lot better than standardized testing beating it into the infodump section of the brain.
Your "inspirations" sound quite enjoyable! You were definitely much more skilled than me or anyone I knew.
I just see the intentionally insecure quiz working in the current setting, and there being no way to implement the wargames in an effective way in this setting.
One man's exploit is another mans feature. But more directly, no I'm not saying either of those things. I'm saying that user hostile design, like preventing the user from being able to do something they otherwise could is what causes people to hate computers. In this case, it's better to fix the problem [someone including answers within the test they're sending to the client] instead of breaking a feature so that someone can keep doing something stupid.
This is beyond ridiculous and seriously diminishes my overall faith in humanity.
https://www.techdirt.com/articles/20211021/23033847793/misso...
[0] I hate throwing out this word, as it's always used wrong - including my usage here - and tends to carry a lot of other connotations with it which I don't want to affiliate myself with. Is there a better word to use here?
I honestly don't get why so many commentators are upset. They are using Google Forms for tests. And these tests leak answers through the source code. Schools are not well funded and this setup itself is not very professional. When you can fix this by giving admins such possibilities, why not?
It's not like your Chrome will prevent you from viewing any sources. As you can also read in the article the restriction can be limited to certain URLs. IT ONLY AFFECTS MANAGED ENVIRONMENTS WHERE ADMINS CAN DO MUCH MORE RESTRICITNG THINGS ANYWAY.
However, there are legit environments where people might want to prevent users from accessing devtools and view-source functionality, like when using it as a kiosk software.
From security standpoint, it might be also reasonable to disable at least devtools in enterprise environments, since users can not necessarily be trusted with such access (which is the reason why many sites, such as Facebook, display warning to not enter anything in the console, especially if someone instructed them or they found it online).
Chromium: Permit blocking of view-source: with URLBlocklist - https://news.ycombinator.com/item?id=29170886 - Nov 2021 (126 comments)
View-Source in Chromium - https://news.ycombinator.com/item?id=29193561 - Nov 2021 (1 comment)
So rarely do you get to learn the name of the person who willingly make applications user hostile. The defective code is obviously^1 the test, not the browser. Yet, Eric decided to break the usefullness of an existing feature to try to prevent kids who are smarter then the test from beating the test. The reason everything is broken, is because of these types of decisions. I just wish fewer people like Eric would make decisions to break stuff to try to fix other more broken stuff. I wonder what someone will have to break now to get around this new defect in Chromium :(
^1: Obvious to anyone that understands the basics of web and computer security.
I agree. View source is generally a good thing. But if an org wants to disable it for some limited set of URLs that's not really an issue. This feature doesn't effect everyone.
My takeaway of the news here was that this bug was open for so long and was finally fixed. But perhaps I read with the wrong lens.
And blocking this in Chrome wouldn't be enough; they'd also need to whitelist execution for programs so people can't just use a portable browser. Then whitelist permitted websites and network connections to prevent use of other online workarounds.
This all can't be easier than solving the root issue.
Students are cheating by reading the source code -> the source code contains the test -> the test shouldn't also contain the answers -> the source code shouldn't contain the answers -> we need to remove the answers from the source code.
This feature is just an improvement over not being able to see sources at all. A portable browser comes on a storage device which is not allowed in this scenario. Otherwise you could simply have a crib sheet on it.
Maybe the whitelist is just for a local intranet (wikipedia mirror whatever).
Yes, but my problem isn't fixing this bug. My problem is now that this bug is fixed, Chromium is worse. The feature is bad, and actively user hostile. It shouldn't exist, thus contributing to make something that should not exist, function is bad.
> I agree. View source is generally a good thing.
It's always a good thing. There's no case I can think of where software has a built in ability to diagnose and fix problems with it is a bad thing.
> But if an org wants to disable it for some limited set of URLs that's not really an issue. This feature doesn't effect everyone.
But it does effect some people? Who cares if it's bad, it only hurts people I don't care about right? What about me? This user hostile design mistake COULD effect me. My sister is a school teacher. I help her with technical support all the time. Now she could come to me ask me why this site looks broken, and instead of being able to quickly tell her what's wrong, I now have to spend hours trying to unbreak the web browser on her school laptop. Things like this bother me so much because all it does is punish the smart people. Oh, you know how to fix your problems? Well fuck you, now it's harder!
> My takeaway of the news here was that this bug was open for so long and was finally fixed. But perhaps I read with the wrong lens.
Sounds like you're thinking to narrowly. Everyone is complaining because this is does make everything more complicated for no good* reason. And is likely to break work flows for a lot of people.
*: for most definitions of good reason.
If the past two years have shown anything, it is that there are a heck of a lot of teachers' union members will do anything to get out of the actual work of teaching.
In the real world, the issue with this feature is that by making the idea that enterprise users gain security by prohibiting `view-source` commonplace and routine, Google and Microsoft are going to turn `view-source` into criminal activity soon. And teachers not wanting to do work is a convenient excuse.
Writing a decent quiz application is a weekend project for any developer who does not need left-pad to pad a string. The key part is the content, the question bank. Almost all publishers have question banks to go with almost every textbook. Heck, some of us would actually read them and decide which ones made good practice questions and which ones did not.
The teachers I know and I know quite many (basically the female side of my family consists of teachers) do not act like that. They try to come by with the sub-par software choices that were made for them. I agree that there are also many bad apples. The education system in Germany is especially well-suited for bad apples :( (non-terminable).
> In the real world, the issue with this feature is that by making the idea that enterprise users gain security by prohibiting `view-source` commonplace and routine, Google and Microsoft are going to turn `view-source` into criminal activity soon. And teachers not wanting to do work is a convenient excuse.
This is nonsense. There are much more restricting policies available.
> Writing a decent quiz application is a weekend project for any developer who does not need left-pad to pad a string. The key part is the content, the question bank. Almost all publishers have question banks to go with almost every textbook. Heck, some of us would actually read them and decide which ones made good practice questions and which ones did not.
So why do teachers develop Google Forms Quizzes
This is a serverside problem, attempts to hide it in the client are doomed from the start.
Ahh, and see, there's the problem. You're operating under the assumption that cheating is a problem with the student and not the test. That's incorrect. We're talking about knowledge and correctness. If I present you with a problem, can you find a solution. Humans, correctly, will prefer the easiest solution. If your "test" has solutions that you don't want to accept (like cheating) that's a problem with your test, not with the solution.
As an example; if I write a password function called `check_password()` and in it, it uses C `if (strcmp(test_password, known_password)) goto fail;` and someone sends in the string "\0" is the password test good, or bad? Sure someone is cheating, but is the test good, or is the test bad?
> Easy and cheap prevention methods are key, because your average education system is cheap and badly organized.
So the average education system is broken, the best solution we have, and the one we should implement is to break other things that are working as intended?
This is nonsense. Foremost the test is to help the teacher to understand the student. If the lazy student constantly cheats they will fly under the radar and crash hard eventually. Tests themselves are just a crutch. Modern education is about helping children learn in spite of sending them away with somehow comparable grades.
> So the average education system is broken, the best solution we have, and the one we should implement is to break other things that are working as intended?
It's not breaking things. It's a feature for a browser in a managed environment. When teachers would develop an electron app with the same functionality would you be happy?
I consider my very self lazy, and I used to cheat on tests all the time. I haven't crashed yet.
> Tests themselves are just a crutch. Modern education is about helping children learn in spite of sending them away with somehow comparable grades.
I agree actually. Tests should be just a way to learn about students. But schools, teachers and students, assign value to the grades they get on these tests. If grades didn't matter to anyone but the teacher so they could learn how well they're doing as a teach, students would have any interest in cheating. But we're arguing about if disabling view-source is a reasonable solution to prevent students from cheating for how test are used now. And It's not.
> It's not breaking things. It's a feature for a browser in a managed environment. When teachers would develop an electron app with the same functionality would you be happy?
No, I'll be happy when people stop making excuses for bad design, and other people stop breaking features in a feeble attempt to fix a bug in a different and mostly unrelated system.
In other words the efficient student who used the path of least resistance. It is easy to call such people lazy, but in my experience that label is mainly used to avoid the responsibility of fixing the issue. People convincing me I'm lazy caused more damage than a whole school career based on cheating would have.
Exams should mainly test understanding, not the ability to memorize things. Once you do that cheaters automatically become a smaller issue. Unless it's a memorization test(vocabulary etc.) there's no reason to withhold information imho, just like it doesn't make sense to have someone write software without access to Github or StackOverflow.
> Modern education is about helping children learn
In that case modern education is a total failure across the board. Maybe my non-neurotypical perspective is a bit biased, but it is difficult to think of just one instance where any part of the education system was actually helpful. Einstein's quote about judging fish based on their ability to climb trees never lost significance.
Though I do have some understanding there; the education system in its current form does not attract competent teachers, and despite some awareness improvements rarely get funded beyond pilot tests.
It doesn't get easier and cheaper than a sheet of paper. Going digital isn't good cheating prevention. It's the first step to repeating this "view page source" drama.
Once you add computers to the equation you open up countless more possibilities. Setting a few rules in the browser is like closing a single hole of a colander.
Not really. In a real paper & pencil exam you take in the same room with your teacher, the teacher is available to answer clarifying questions. More than once, a question one of my students asked led me to realize that a multiple choice question might have more than one good answer or an essay question can be phrased better etc. The real time feedback is a learning opportunity for the teacher and the student: The goal of a test in a high school or college classroom is not measurement. It is a continuation of learning.
I do not see how anything remotely close to that is possible when tests/grading are offloaded to Google forms.
https://news.ycombinator.com/newsguidelines.html
In general, we're trying to avoid the online callout/shaming culture here. Again, the negatives exceed the positives.
https://hn.algolia.com/?sort=byDate&type=comment&dateRange=a...
Without relation to the duty that I owe any individual, it bothers me that you'd say this comment is harmful to the HN community. I might be able to be convinced that calling out bad behavior is often more harmful than helpful. But the assertion that this makes the list of comments that degrades hackernews feels unjustified.
But, given it's your community; it doesn't matter much how I feel, so if you're unconvinced let me know, and I'll make sure I don't comment on anything remotely controversial anymore.
I'm not asking you to stop commenting on anything controversial! This was a more specific point than that. However, I do think some calibration to local conventions would be helpful (https://news.ycombinator.com/newsguidelines.html). For example https://news.ycombinator.com/item?id=29214019 is another flamewar comment of the kind that we're trying to avoid here. If you find yourself beginning with "So you lied when you said...", that's a bad sign!
(Btw, since "lie" implies intent to deceive, and it's pretty much impossible to gauge intent over the internet, that word is pretty much always out of bounds in arguments here. It's also unnecessary.)
Because the point I wanted to include is that it was a person who made this decision. Using someone's name is how you personalize them. She, He, They, are all abstract and dehumanizing the decision. I specifically wanted to avoid abstract language because I didn't want to give the notion that it's just a small commit in a huge company. I thought it was important to highlight the fact that this small commit made by an individual is the commit that is the problem. It's not large corporation who owns the repo that wrote this code. It was a person with a name. Just like the reader is a person with a name.
> I'm not asking you to stop commenting on anything controversial! This was a more specific point than that. However, I do think some calibration to local conventions would be helpful (https://news.ycombinator.com/newsguidelines.html). For example https://news.ycombinator.com/item?id=29214019 is another flamewar comment of the kind that we're trying to avoid here. If you find yourself beginning with "So you lied when you said...", that's a bad sign!
The reason I suggested this was because I don't think the local conventions are a reasonable request. Not because I disagree with them generally, but because they're not applied universally. I can even use that comment thread as an example. The person I was arguing with wasn't trying to speak fairly. More then a few time the commenter would ignore parts, and only respond to others. I'm fulling willing to admit they don't have any real responsibility to respond in full to everything, and they clearly should be allowed to select what they want to reply to, or not. (Apart from the common courtesy.) But they clearly said something they didn't really mean. I lack another explanation than arguing in bad faith. Mea culpa, I used 'lie' a word that does appear to imply intent to deceive. But arguing without care, willfully making statements you don't really mean, and then ignoring responses requesting consensus is arguing in bad faith. Even if it's unintentional. To be clear, I don't anything he did could be reasonably considered in defiance of the guidelines. But IMO it's close; close enough to be inconsiderate, but not close enough to warrant a comment from an admin. Close enough to disrespectful that's it's provocative, but far enough to appear banal.
I like the rules hackernews encourages, but not the end result. Conversations aren't elevated by absence of emotion. Only by well thought out, rational conversations by speakers who are also willing to listen. Especially to thoughts or ideas they find uncomfortable. Again, mea culpa. I agree with you for some interpretations, I easily stepped onto, or over the line. But lacking the eloquence required to have real conversations without emotion, speaking about people who make decisions that make the world infinitesimally worse, or argue unfairly, I often can only author responses that appear brash. Which unfortunately does appear to break from local conventions. So if that is harmful, I shouldn't comment. :(
Edit: I looked into how to delete my account or comments, but that's not something hn want's to permit. Are you able to redact my original post? I don't think it's right to leave something that's objectionable.
I don't think it's that hard to abide by the HN guidelines, and you're clearly sincere, so if you want to do that it should be possible to calibrate and keep commenting in a good way, should you choose to.
Absence of emotion is definitely not a goal here! It's fine, more than fine, for people to share their feelings. It's just not fine to wield emotional energy against others. Those are two very different things, though not always so easy to tell apart in the moment.
> Microsoft engineer fixes enterprise-level Chromium bug students could exploit to cheat in online tests
> Ability to block 'view source' for specific URLs hasn't actually worked for years
The post title is a decent summary.