So it’s happened again – a security researcher showing a marketing claim to be atrociously false has been threatened with a copyright monopoly lawsuit to take down the posted proof. The company DigiExam claims that their examination software is “cheat proof”, which it can’t be by definition when it’s running on somebody’s own computer: these are DRM fantasies. Security researcher Hannes Aspåker developed a proof of concept to show the claim is false and posted it, and was promptly hit with a threat of copyright monopoly infringement lawsuit from DigiExam to take down the proof: DigiExam is deliberately creating chilling effects on free speech in order to protect its false marketing.
DigiExam is a company claiming to sell secure education examinations intended to run in an education environment, but on the student’s own computer. To anybody with a shred of technical knowledge, the security in this situation is utter nonsense, due to the simple fact that DigiExam doesn’t hold the key to the student’s own computer, but the student does: the student can run and modify any code they like to give whatever result they like, including modifying DigiExam’s code to not be cheat proof, which it therefore isn’t to begin with. This is Security 101 for anybody even mildly technically competent.
This hasn’t prevented DigiExam from making bold (and false) claims about being “cheat-proof”. Security researcher Hannes Aspåker decided to face the false marketing head on, and developed a proof of concept showing the modified exam software from DigiExam failing to live up to any of its marketing claims. This is what security researchers do: they puncture dangerous marketing made of nothing but hot air. It didn’t sit well with DigiExam, though. Specifically, when seeing this GIF demonstrating how DigiExam’s product security has been disabled, DigiExam considered it a good idea to threaten the security researcher with a copyright monopoly infringement lawsuit over this particular demonstration artwork, which was made by Aspåker and not them:
This kind of legal threat can cause a lot of people to back down in the face of unknown adversity. Most people don’t know the laws and underlying treaties in detail, and outright fear the concept of facing a courtroom. Thus, such a threat has a chilling effect on legitimate research, even when the threat is utterly baseless, which makes it malicious and in bad faith.
However, this particular security researcher contacted me to ask for some advice, and without technically providing legal advice, I could tell unusually quickly that DigiExam are unusually full of shit. They have no legal clue whatsoever, they’re just angry that someone is pulling the pants down on an obvious lie, and are resorting to anything they can come up with in order to save face. This is a particularly nasty case of deliberately creating chilling effects on baseless takedown grounds just to protect DigiExam’s marketing. (Disclaimer: Aspåker did not ask me to write this article, I’m doing that on my own to call attention to the particularly nasty abuse of legal threats on DigiExam’s part.)
Here’s the (legally) recorded call of when this researcher calls DigiExam back and says he won’t take down the security bulletin in response to the threat:
Call in Swedish where the threat from DigiExam is reiterated.
What’s said by DigiExam’s representative in this call is the following (at the one minute mark), after the lawsuit threat has been reiterated:
— Aspåker: So I understand you’re claiming copyright [to the second GIF and demanding I’m taking it down]?
— DigiExam: Yes. Our logotype and our interface is our brand, and we have trademark protected them. It’s simply our property.
Let’s review: they are claiming they hold a copyright monopoly to the GIF (which was created by Aspåker, not them), and are saying that the logo and interfaces are their trademark, “simply our property”. This is a stunning ignorance and conflation of wildly different exclusive rights – the copyright monopoly and trademark rights – not to mention the utter clueless confusion with property rights, which is something completely different again from exclusive monopolies.
First, the copyright monopoly goes to the creator of an artwork, end of story. The creator is Aspåker. There can be some problems when other people’s artwork can be seen as part of the new work, and they did claim something about the logotype, something that literally thousands of court cases have determined is perfectly fine to portray in critical reports. Further, they move on to claim trademark rights – where you register your name (or color or smell etc) in one of 45 classes of goods and services, to prevent other actors in that class to use your trademark. It’s noteworthy here that if you don’t sell a good or service, you can’t infringe on somebody’s trademark by definition. DigiExam aren’t even aware of these most basic concepts of the threats they’re spewing.
To top it off, Aspåker’s advisory was posted on Medium, which doesn’t go by Swedish laws in the first place but United States code, which has an extensive Fair Use defense against this type of bullshit. Ohyeah, there’s also that rather important detail: Aspåker isn’t the legal publisher in the first place, Medium is. DigiExam had no business giving a Cease and Desist to Aspåker to begin with: he’s the legal equivalent of a reporter publishing at Medium.
(However, in republishing the GIF here on this blog, I am also taking on that role as publisher. And I’m based in Sweden. As a constitutionally protected publisher. I also happen to be one of the world’s leading experts on copyright monopoly law, unlike DigiExam, and would love to crush such assholes under ten tons of bricks if they so much as whisper a threat to me.)
The Internet doesn’t take kindly to baseless takedown threats in order to save one’s own face – in particular not copyright monopoly threats against security disclosures. This shit should be criminal. This action from DigiExam was far more harmful than the security bulletin in the first place, and they deserve to know what the Internet thinks of their shit. This kind of behavior, to throw around force and legal threats to deliberately create chilling effects against researchers who reveal your marketing claims as bullshit, is one of the least acceptable things conceivable to free speech.
The full article by Hannes Aspåker is reproduced (and republished!) below for reference.
The Myth of the Cheat Proof Digital Exam
Why it is impossible to lock someone out of their own computer
The age-old tradition of pen-and-paper exams has barely changed at all over the last century, and it carries with it a lot of burden. They are costly and environmentally unfriendly to print. Students complain of hand cramps and teachers grumble over unreadable handwriting. And what to do when one of the students’ exams is misplaced and then trashed by the janitor?
Of course, there is a reason exams have not yet experienced the digital revolution that most other parts of our society have. If you let students write exams on their own computers, the technology not only streamlines the process, but also inadvertently gifts the test takers with thousands of new and imaginative ways to cheat the system — smuggling hand-written notes will seem like the stone age when compared to Wikipedia. The alternative, schools supplying a trusted test device to each student in the class, is an economical and administrative nightmare.
This has not stopped a handful of young startups from trying to tackle this problem. The most successful one I have heard of, the Swedish company DigiExam, promises the best of both worlds: Students can bring their own devices to the exam hall, and their system will ensure that they can not use the computers to cheat while writing their answers.
The company has seen a fair bit of success. The application is used at more than 600 schools in over 40 countries, including more prestigious ones such as the Stockholm School of Economics and Columbia University.
Unsurprisingly, the cheat proof aspect plays an important role in their marketing: On the website they boldly label themselves as “Easy to use — Cheat proof — Reliable”. A slogan that, unfortunately, falls flat as soon as you realise it would take a competent student no more than 15 minutes to circumvent every single safeguard they have put in place.
To be fair, it must be said that DigiExam has made admirable effort to prevent abuse. When the exam has started the student can do nothing but answer the questions — no switching to Wikipedia to check some quick facts. Full kiosk mode is enforced, and with it the menu bar, desktop switching, and all other functions not strictly necessary for completing the exam are disabled. Scheduling a script to pause the process at system level after the exam has started will just leave you with an unresponsive screen. You might try to bypass all this by opening the app in a virtual machine, but you will find that DigiExam easily detects the VM and shuts itself down.
As said, it is an admirable effort, but ultimately futile. Because the challenge they are trying to solve is — by definition — impossible.
When somebody owns a computer, that in all likelihood means they have root access to it. And when they have root access, they are capable of changing the behaviour of any program that runs on it in any way they’d like.
How To Disable Cheat Protection in Any Digital Exam
An application is essentially just a bunch of machine instructions: a collection of ones and zeroes that tells the computer which commands to execute. If you want to change the behaviour of an application you have been given, the most reliable and universal way of doing that is to directly edit these machine instructions — changing the ones and zeroes–to do something else.
To do this you will need a disassembler (for OS X, I recommend Hopper) and/or a hex editor (such as Hex Fiend).
A screencast of me editing the binary of an open source program
Now, I will not show you how to break DigiExam specifically, as I would n0t want to make it entirely too easy for an enterprising student to use this article in order to gain an unfair advantage. But I will tell you the general process of how to disable certain parts of an application, a method which can be applied to DigiExam as well as any other digital exam software.
The first step is to disassemble the application (convert it from machine code to a more readable format) using a disassembler such as Hopper. Then follows some detective work were we search the disassembled application for the method responsible for enabling cheat protection, either by following its flow of execution or by searching directly among the names of its methods and variables.
When we have found the part of the program that we want to disable, we neuter it by modifying or removing some of the machine instructions so that it no longer performs its intended function. We can either do this in the disassembler and then reassemble the program, or we can edit the binary of the application directly using a hex editor.
Generally, only small adjustments are necessary. Disabling an entire section of code often requires nothing more than setting the value of global constant to 0 instead of 1, or changing a jump if equal (je) instruction to its oppositejump if not equal (jne).
In fact, to disable every kind of cheat protection in DigiExam the student only needs to modify two machine instructions at two specific places. This takes no more than 15 minutes — 10 minutes to find the relevant sections and 5 minutes to make the changes.
A modified version of DigiExam with cheat protection disabled
I can not understate the inevitability of this exploit, as there is nothing DigiExam can do to prevent this. Any safeguards they attempt to construct, no matter how complex, can (and will) ultimately be dismantled by someone using this technique.
The only sliver of protection available is to employ what is known as obfuscation and anti-tampering techniques. These increase the time investment required by making it harder (but not impossible) for malicious users to explore and understand the codebase.
Recently, advanced (and ghoulishly expensive) obfuscation software has miraculously increased the time until cracked versions of AAA video games hit the internet from a few days to to a few weeks or months. This works wonders in the video game industry, where the majority of units are sold immediately after release, but is only a small comfort for an exam software that is meant to be used indefinitely.
The Full Extent of the Problem
So digital exams on personal computers can never be trusted, but why should we care? It is a fair question. After all, regular exams can be cheated as well. And if the student needs access special technical knowledge to do so, that does not seem very problematic.
But in reality, it will require neither knowledge nor effort. The application needs only be cracked once by a single individual, such as me, who can then upload and share the corrupted version with either their friends or with all 600 schools.
And while cheating on a regular exam is confined to concealed notes or peeking at your neighbours desk, in the digital world only your imagination sets the limit. Automatic spelling and grammar correction? Piece of cake. An extension that grabs and copies the answers from a friend writing the same exam? Sure. It could even paste the answers letter for letter in sync to random tapping on the keyboard, to make it appear as if typed out by hand. If you can dream it, you can do it.
In spite of this, the Swedish National Agency for Education has decided DigiExam fulfills its criteria for a secure digital examination. With this official seal of approval the application was used by more than twenty thousand Swedish students when writing the national subject exams this spring.
So maybe next year, upping your grade on the national exam could be as easy as finding your favourite among a growing batch of cheating software. A digital revolution for sure — but is it in the right direction?
A note about responsible disclosure
Usually when I discover a security flaw in a piece of software or on a website I contact the authors in private and give them time to fix the issue before going public, a process known as responsible disclosure.
This, however, is not a fixable bug. This in an inherent and unfixable flaw with the entire concept of digital exam software. Therefore, while I have contacted DigiExam ahead of time and notified them about this article, I felt I was unable to offer them a timeframe in which to “fix” it. Furthermore, responsible disclosure also entails disclosing vulnerabilities to the public as early as possible to allow the users to make informed decisions as to the safety and security of the tools they employ.