IMS QTI Still Relevant Despite 2.1 Being Revoked

IMS withdrew the QTI 2.1 spec, despite some existing implementation and information going back to 2006 that is was imminently ready for use. The official IMS wording seems to be toned down a bit, but there is also a clip from early wording on Rowin Young’s blog. Other early opinions ended up on list servers like this. I’ve fired up a Google alert on this issue and will be tracking it. Meantime, one of my co-workers at Questionmark and a key contributor to QTI 1.x, John Kleeman, has penned, Why QTI Really Matters.

Check it out and watch for updates here. I expect a few more QTI experts and pundits from other specification bodies to have some observations soon. However, an unnamed organization with a litigious nature may be unwittingly suppressing discussion.

SCORM Vulnerabilities + IMS Spec withdrawal = Excitement

Exciting times for elearning standards. Lots of discussion about two unrelated events. First, SCORM “cheats” are published and the community rallies to address the issues. Secondly, and coincidentally, the IMS recently withdrew the QTI spec from further work by IMS membership. I’ll follow-up on the IMS QTI issue in a subsequent post (likely linking to more detailed information from others).

What is SCORM Cheatlet?
I coined “cheatlet” as a portmanteau of cheat and bookmarklet (itself a portmanteau of bookmark and applet). A bookmarklet is a browser bookmark that uses the javascript: protocol prefix instead of the typical http: prefix used for web pages. This allows one to create a bookmark that runs JavaScript code in the browser.

I dove into bookmarklets when developing my iPastelet utility for iPhone in the summer of 2008. It immediately occurred to me that this technique could be an interesting way to hack/cheat the SCORM JavaScript API. Thus was born my implementation of the cheatlet. It worked easily and nearly immediately. By clicking a bookmark, I could send a score to an LMS. I tuned it to send a time, a status, and in a sinister turn, close and then nullify the API object handle to prevent any legitimate data from overwriting the hacked score.

Cheatlet Concept goes Public
In late August 2008, with a working demo of this code in hand, I sent it to major players in the SCORM world, including a major ADL contract agency, major LMS vendors, SCORM code suppliers of various types, and tool vendors. Many vendors responded that it was simply an instantiation of a hack to a known issue. One indicated they were well aware of this and raised the issue early on to discourage the AICC from deprecating HACP for the JavaScript API, that vendor was Questionmark (Disclosure, I started work for Questionmark in January 2009).

I seemed to be more concerned than others. In late August, I submitted a paper on the issue to the LETSI SCORM 2.0 Workshop, without disclosing precisely how to implement or code the exploit. The paper, Security Before Features was discussed online and at the Pensacola meeting in October 2008, but little seemed to happen as a result. Work continued on SCORM 2004 4th Edition without any API changes.

Cheatlet Example/Running Code Goes Public
Flash forward to a few weeks ago. Working completely independently, Phillip Hutchison had a similar moment of inspiration and crafts his own SCORM “cheatlet” bookmark. The big difference was this included a working cheat as a link right in the blog post (chealet linked since removed, but code is still available by request to Phillip). Soon this issue received broader attention. Reaction and opinions flew about the internet. Plateau proactively sent a letter to its US government LMS customers about this issue to help calms their fears. Ironically, I think this also drew further attention and discussion.

Defense Approaches, Work-arounds, Opinions
Soon after the example code hit the internet, opinions flew between experts on twitter, email and blogs. I posted a overview of the issues on the Questionmark blog, along with a follow-up post on general defensive strategies, including some specific solutions to support those approaches.

The ADL posted workarounds for some aspects of the vulnerability. Both are more clearly aimed and HTML/JavaScript coders, but that may be exactly who read this blog.

Some feel quite strongly that SCORM has never been suited for more than the lowest-stakes elearning events. I feel that stakes must always be viewed as a continuum. Furthermore, I believe it is far easier to consider the high stakes end of the spectrum first and back-down as necessary. In any environment, is incredibly difficult to start with little or no security and patch your way up to a secure system.

Others may see it differently. I’m sure there will be plenty of opinions. I’d say my views on this issue tend to align with Phillip Hutchison (whom I’ve never met, but respect) more than Mike Rustici (whom I’ve known & respected for many years). I’ll come back and update this post as they emerge. Other opinions include:

They Saw It Coming, BUT… Newspapers Now, LMS Next

I just read Clay Shirky on Newspapers and Thinking the Unthinkable. Substitute “LMS/Central Training Department” for instances of “Newspaper/publishers” and it is a real wake-up call.

Read it. Think about it. Who are the real-world, radical change-observing “pragmatists” and who are the in denial status-quo with incremental-change “revolutionaries” in your organization?

Are the people who say that the now and the future is in informal learning, collaboration, mobile and social networking the revolutionaries,or the pragmatists? Are the experts those wizened experienced people who say learning & training have been and always will be structured, pre-defined and centralized, (and they often add or else it is wasteful and inefficient).

Look outside your windows (or preferably Mac) there is a whole world (-wide web 2.0 ) happening. What the heck, check it out on your phone or Xbox or …

See past the matrix illusion of the Central Committee’s integrated-firewalled-siloed starts-and-stops-at-your-enterprise LCMS-LMS-authoring-tool including Centralized Succession Planning, now with connect-to-your-actual-cubemate-Social-Networking™.

Got it? Good. Now go read two Jay Cross posts, New Roles for Former Trainers and then Agile Instructional Design. For bonus points tonight or tomorrow, twitter (+2), text (+1) or email (+.05) a few colleagues and collaborate on how you can apply scrum techniques on your next training or elearning effort.

Feedback? Like this kind of post? Let me know, I’ve got a few more cans of elearning willy pete in the armory.

Geek Cribs Follow-up: “The Setup”

Via Daring Fireball, I learned of “The Setup”; a series of posts/interviews with techno glitterati describing their work setups. A much cooler (and computer-centric) approach than my early December post, What if… MTV Cribs for iPhones.

So far The Setup covers Alex Payne (of twitter), YACHT (I can’t describe YACHT), Gabe Newell (of Valve videogames), Steven Frank (of Panic Inc and Transmit fame) and John Gruber (the famous fantastic Daring Fireball and Markdown maker).

Elearning Events Updated for 2009

The Elearning Events Calendar is updated with key elearning conferences and trade shows from January 2009 – June 2009. I didn’t do a good job of updating it from August-December 2008, but I’ll try to be better. If you are aware of a conference I missed, send an invite or email to events(at) and I’ll add it soon after I hear from you.

I’ve added events from AICC, ADL, Articulate, eLearning Guild, I/ITSEC, IMS Global, the Masie Center, Questionmark, SumTotal, Training Magazine, and more. I’ll add links for the Plateau and Saba conferences when details become available (they are usually in Fall).

I also moved the calendar to a separate page to make it easier to read and navigate. The link to the new page is in the header navigation of my site as Events, as well as the first link in the opening paragraph of this post.

Happy New Year 2009.

What if… MTV Cribs for iPhones and Macs

It’d be cool if there was a “geek work cribs” that showcased the preferred tools of geek celebs (and minor celebs). If there is, I don’t know about it. Nonetheless, we all find posts and pages to that effect here and there. Recently, fellow geek (and elearning celeb) Aaron Silvers kindly posted a page-by-page list of what’s on (and no longer on) his iPhone. There are some cool ways to do things like this that I’ll share too.

First, get an account (or two) at, but do NOT populate it- yet.

Next, get AppFresh, a Mac OS X application that helps you keep apps, widgets, preference panes and plugins up-to-date. Conveniently, it also connects to you iusethis account for Mac OS X. Run AppFresh, and it will create a list of your Mac apps and check for new version. Add your iusethisaccoutn via the AppFresh preferences.

Once the list is populated by AppFresh, you can easily click to add items to from AppFresh. Now you have a readily updated list that you can share as a page or RSS feed (see link at bottom of your apps or event page on the iusethis site).

The iPhone section of the site isn’t quite as auto-magically updated. I’d love to see AppFresh or something like that scour your iTunes directory to populate such a list though (hint). Fortunately, the folks at iusethis do make it easy to find iPhone apps on their site or add your favorites while their forms pull in data from the iTunes App Store.

Now for the mobilemind iusethis lists:

Once you are signed up and sharing like this, iusethis will also identify like-minded neighbors by way of your application set. Note that the respective OS X and iPhone sites also have overall lists for New, Interesting and Top apps.

Hey Aaron are we iusethis neighbors? (PS- I too dropped Appigo To Do for the freeRemember the Milk app.) Poor Appigo, first To Do dropped for the free RTM app, and now AccuFuel has been replaced with the $4.99 Gas Cubby. All good apps, just a matter of preferences and $4-$5.

Will Adobe XFL revolutionize Rapid Elearning Workflows?

For some time Adobe insiders and followers have been talking about XFL, a package file format for Flash (here, here, here and more in search). XFL combines XML and some binary assets in a zip archive. Currently Adobe CS4 applications use XFL as an interchange format.

How does this impact rapid elearning? Office automation tools are also using package file formats, such as the somewhat controversial Microsoft Office Open XML format. This is the metaformat that subsumes the underlying markup languages for word processing, presentation and spreadsheet content.

Taken together I suspect we will see the rise of many custom workflow and “homebrew rapid elearning” applications. It will be easier than ever before to use common zip and XSL tools to take “SME content” in .docx and .pptx files and transform them into XFL. From XFL to published SWF is an easy step for CS4, and will allow for expert tuning/enhancement in Flash itself. That sort of tuning isn’t possible in current tools.

Corporate developers and elearning shops will likely create their own tools and workflows like Mohive and CourseAvenue Studio, but optimized for their market, clientele, content, style, work cycle and requirements.

Still others developers will bypass tools like Adobe Presenter, Articulate Presenter, and iSpring Pro, Rapid Intake ProForm, instead creating their own tools. These tools will likely work with specialized, optimized and more structured Word or PowerPoint files/templates, but also provide more optimized workflows and optimized content.

I think the opportunities for more flexible rapid elearning development will increase. The race is on for Articulate and Adobe to improve their offerings with richer tools and more instructional design savvy built-in. Wonderful as it is, Articulate Engage could be just the tip of the proverbial iceberg. Likewise, CourseAvenue Studio and Mohive will need to expand the value of their workflow, repository and shared template capabilities.

Elearning professionals can contribute design skills to these new custom processes. Those with Flash skills will appreciate content flowing more easily from Word and PowerPoint to Flash, allowing upstream production efficiencies while still resulting in “raw” Flash files that can be enhanced and enriched with animations, effects and AS3 code.

It will be interesting to observe as the likely home brew solutions, open source tools, tool kits and SDKs emerge– all making it easier for content to flow from office automation tools to Flash source code file formats. I suspect other package file formats will also emerge and contribute to interesting solutions.

Social Networks: Support, Abuse and Filters

Today I received a spammy-spoofy email that looked like it was from LinkedIn. LinkedIn is a service I trust and respect; it moved conscientiously and cautiously in the face(book) of pressure from multiple social networking sites.

As times get tight, it will be interesting to see what happens with social networks. The pessimist in me suspects that schemes and scams will increase, as well as sincere, legitimate requests for connections and job assistance from true friends.

I hope people will be supportive of their closest contacts and colleagues. Tim Sanders’ Love Is the Killer App is a quick read and perhaps too touch-feely for some, but the premise is good— be open, trusting and giving with your social network.

As a social network, we can help stop abuse from scammers and schemers. Here is,

What I Did and you can do, too

  1. Check the message title and source in email headers. (Yep, spoofed as L:inkedIn)
  2. Check my own LinkedIn network and groups. (Did someone I know harvest names? Nope.)
  3. Check the LinkedIn groups that I manage (AICC and LETSI). (Not a member; if so I would have bounced them out of the group. I will be monitoring these groups.)
  4. Check Terms of Service. (No, this does not seem consistent with TOS.)
  5. Report the abuse if any. (In this case, I turned on full headers and forwarded the email to abuse (AT)

The LinkedIn User Agreement is notable for a few key sections that I appreciated:

2. Your Rights — What You May Do
3. Our Rights and Obligations — What We Must And May Do
11. LinkedIn User DOs & DON’Ts

I’ll be tracking this one, since this scammer is quasi-promoting LinkedIn, via their claim to be an expert on using LinkedIn for job-hunting and encourages its use. That seems to be a conflict of interest for LinkedIn. We’ll see.

UPDATE November 21, 2008: LinkedIn got back to me on November 19, indicating they were investigating the spam. As of November 21, 2008 the alleged scammer/spammer is still on LinkedIn promoting their personal network of 2M “friends & colleagues” along with their skills in recruiting and life balance. Draw your own conclusions.

Meantime, there are plenty of ways to find experts on job-hunting with LinkedIn. We also all need to be aware of way Clay Shirky (author of Here Comes Everybody ) labels as a “failure of filters”– in social networks, emails, twitter and even blogs. I encourage others to filter actively and with fairness.

Social Network Terms of Service and Abuse Reporting