Posts

Posted on

Crap Detection for Node Package Manager

Open-source software allows the source code to be freely available to the public, allowing anyone to inspect, modify, use, or distribute the code. It is typically developed and maintained by a community of volunteer developers who collaborate and contribute to the project. According to the Linux Foundation, open-source code is used in 70-90% of every software found today (A Summary of Census II: Open Source Software Application Libraries the World Depends on – Linux Foundation, n.d.). Most of this code is a result of open-source development frameworks.

Open-source development frameworks are libraries of code and tools that provide a foundation for building software applications efficiently by supplying reusable components. Using open-source development frameworks can help streamline the software development process and reduce the time and effort required to build applications from scratch. Frameworks can be used for creating a wide range of software, including web, mobile, and desktop applications.

Development frameworks typically rely on package managers.  A package manager is a tool that helps manage the libraries, dependencies, and other components needed for a project. Using a package manager, developers can automate installing, updating, and tracking libraries needed for their projects. Many package managers employ a team of reviewers who review every request to push new updates to the repository. However, some frameworks may include public repositories in which anyone can upload their packages for the community. The Node Package Manager (NPM), which runs on the JavaScript open-source framework NodeJS, is one of the most popular public repositories and thus makes it a target for harmful activity. 

Types of Malicious Code

Several types of malicious code can exist on NPM, including:

  1. The most obvious is that some packages themselves may contain malicious code, such as backdoors, trojans, or malware, that can harm the software or compromise the security of the system it is installed on. In other cases, malicious packages may simply lie about what the package does, instead running damaging commands such as modifying system files, altering settings, or collecting and transmitting sensitive data without the user’s consent. For example, a data-stealing package was uncovered in late 2022 after going undetected for over a year (NPM Malware Attack Goes Unnoticed for a Year | TechTarget, n.d.). There has also been an increase in crypto mining malware on NPM in 2022. These malware packages contain code that mines cryptocurrencies on the computer of the person who installs the package, using their system resources without the user’s knowledge.
  2. Supply Chain Attacks. Packages on NPM may have dependencies on other packages that contain vulnerabilities, which can put the developed software at risk if the vulnerabilities are not detected somewhere in the chain. (Ellison et al., 2010)
  3. Malicious code could be hidden in packages that have suspiciously similar names to popular and frequently used packages. These are known as typo-squatting and combo-squatting attacks (Vu et al., 2020). For example, in 2017, a popular package called ‘cross-env’ was typo-squatted and malicious code hosted on a package called ‘crossenv’ preyed on developers who accidentally misspelled the package name. (Npm Blog: ‘Crossenv’ Malware on the Npm Registry, n.d.)
  4. Stealing credentials of legitimate NPM accounts and pushing malicious code onto its repository (Vu et al., 2020)

Information Literacy on NPM

The term crap detection is used describe a process of deciding whether something found online is true. To help analyze packages for possible malicious code, several studies have been done on lightweight NPM vulnerability auto-detection tools. They are very effective. In most cases, with over 90% success rate (Sejfia et al., 2022) and able to identify exact types of vulnerability (according to OWASP) with a high degree of accuracy (Brito et al., 2023). They are, however, not perfect, and we, as developers, must do our part to avoid falling into the pit of malicious intent. Here is a summary of recommendations from the studies. I am basing this on the C.R.A.A.P. and S.I.F.T. tests for information literacy, I will call this the F.I.S.T. test for NPM literacy:

  • Package Frequency of download and package updates: The NPM website contains the weekly downloads of every package on the repository. The Frequency of maintenance of a package also gives information about the safety of use, check the last publish date to see how active this project is. Projects that are not actively maintained or have low weekly downloads are a cause for concern.
  • Inspect the code: Before installing a package, review it to ensure it doesn’t contain any malicious code. Go to the package’s Github account and quickly scan the code for malicious behaviour. Look for things like email dependencies, non-consensual sending of HTTP requests, etc. This may be difficult for beginners of a framework.
  • Use Secure sources: Only install packages from trusted sources like NPM or verified package managers like yarn. From the NPM website, verify information about the package’s publisher, such as the publisher’s website and social media accounts. If they have very little information online, it may suggest they are trying to hide something.
  • Use auditing Tools: Use security tools like npm audit, which scans installed packages for known vulnerabilities, to help you identify and mitigate potential security risks. npm audit will look at existing packages in your system, but since you can only run this command after the package has been installed, it may already be too late. Alternatively, there are also many NPM rating tools. Spectralops.io lists the Top 5 NPM audit tools in 2022. Among them are Synk and SpectralOps. Both tools provide reviews and ratings of every NPM package. Search the packages you intend to use to check its rating and to ensure they are not on the known vulnerabilities list. A package with low ratings or negative reviews may indicate potential security issues.

NPM Improvements

Other solutions are suggested to improve the existing architecture and workflow of the package managers themselves. This includes:

  • Updating NPM policy to allow automatic updating to the latest version of a package to mitigate technical lag (the time it takes a developer to recognize a malicious package and update it)
  • securing critical accounts on NPM,
  • providing trust scores for developers, and
  • eviction of typo- and combo-squatters.

(Kaplan et el. 2021)

Conclusion

The Node Package Manager (NPM) is a powerful tool that helps software developers manage and share the packages they use in their projects. It provides an array of community packages which can be added to the software while enabling developers to write and share code with the community. However, with its growing popularity and widespread use, knowing how to perform crap detection on NPM effectively is a valuable asset for any modern developer looking to improve their information literacy skills.

References

A Summary of Census II: Open Source Software Application Libraries the World Depends On – Linux Foundation. (n.d.). Www.linuxfoundation.org. Retrieved February 5, 2023, from https://www.linuxfoundation.org/blog/blog/a-summary-of-census-ii-open-source-software-application-libraries-the-world-depends-on#:~:text=Introduction

NPM Blog: ‘crossenv’ malware on the npm registry. (n.d.). Blog.npmjs.org. Retrieved February 4, 2023, from https://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry.html

Vu, D.L., Pashchenko, I., Massacci, F., Plate, H., Sabetta, A. (2020). Typosquatting and combosquatting attacks on the python ecosystem. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 509–514.  

Ellison, R. J., Goodenough, J. B., Weinstock, C. B., & Woody, C. (2010). Evaluating and mitigating software supply chain security risks. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst.

Kaplan, B., & Qian, J. (2021). A survey on common threats in npm and pypi registries. Deployable Machine Learning for Security Defense: Second International Workshop, MLHat 2021, Virtual Event, August 15, 2021, Proceedings 2 (pp. 132-156). Springer International Publishing.

NPM malware attack goes unnoticed for a year | TechTarget. (n.d.). Security. Retrieved February 4, 2023, from https://www.techtarget.com/searchsecurity/news/252525968/NPM-malware-attack-goes-unnoticed-for-a-year#:~:text=The%20researchers%20said%20that%20by

Brito, T., Ferreira, M., Monteiro, M., Lopes, P., Barros, M., Santos, J. F., & Santos, N. (2023). Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages. ArXiv. https://arxiv.org/abs/2301.05097

Sejfia, A., & Schäfer, M. (2022). Practical Automated Detection of Malicious npm Packages. ArXiv. https://doi.org/10.1145/3510003.3510104

Posted on

Are Limitations to Screen Time Necessary?

According to the American Academy of Pediatrics (2013), it is recommended that parents limit children and teens’ entertainment screen time to no more than two hours daily, stating that an increase in screen time has been linked with eye problems, violence, cyberbullying, obesity, lack of sleep, and academic decline. They quickly note that this is not a significant cause of these problems, and this information should be balanced with educating your kids about these factors. Despite this, I find this to be a gross generalization. Studies have shown that culture and class affect the amount and the type of technology children are exposed to (some are good, and some are not). Benefit from technology is greatly affected by family context (Konca, 2021).

Fraser Health, the leading health authority in B.C. Canada makes a similar recommendation of 2 hours a day (Screen Time for Children, n.d.), stating that parents should instead “Choose activities such as playing outdoors, reading or crafting over screens.” However, e-readers and tablets offer the storage of thousands of books, and web-enabled devices can give extra information on books at your fingertips. Or is reading not considered entertainment? What if I enjoy reading?  Also, who does crafts without the use of a tablet? Do you have craft ideas off the top of your head?

Personally, I do not limit screen times for my six-year old son, Jacob.  There are days that he spends seven hours in front of a screen, and there are days that he spends less than an hour.  The important thing is that he is learning something from the experience. Screen time can be used to develop digital, creative, problem-solving, communication, social, and goal-setting skills  (Using Screen Time and Digital Technology for Learning: Children and Pre-Teens, n.d.). Currently, Jacob primarily plays two games: Geometry Dash and Mario Maker. On the surface, both games provide no educational value. The former even contains many elements, such as photosensitivity and loud music, that have been known to cause seizures in players (Millichap, 1994). I have found that these games provide benefits from every category listed above, teaching children to collaborate on building levels and giving feedback to peers. Besides learning online etiquette, reading, and typing skills, Jacob has gained extensive practical knowledge about game mechanics like angle rotations, alpha transparencies, z-index, collisions, conditional structures, and counters.  Some of these concepts I am teaching to my university students.

So to all health authorities: I agree with your other recommendations. Please consider deleting or altering the gross generalization of time limitations (or at least clarify it further). Otherwise, each time Jacob plays a game, I will need to set a timer on my phone, which will cut into my two hours of screen time.

References

Konca, A. S. (2021). Digital Technology Usage of Young Children: Screen Time and Families. Early Childhood Education Journal. https://doi.org/10.1007/s10643-021-01245-7

American Academy of Pediatrics. (2013). Children, Adolescents, and the Media. PEDIATRICS132(5), 958–961. https://doi.org/10.1542/peds.2013-2656

Screen time for children. (n.d.). Fraser Health. Retrieved January 22, 2023, from https://www.fraserhealth.ca/health-topics-a-to-z/children-and-youth/physical-activity-for-children/screen-time-for-children#.Y8zGYezMJqs

Using screen time and digital technology for learning: children and pre-teens. (n.d.). Raising Children Network. Retrieved January 22, 2023, from https://raisingchildren.net.au/school-age/school-learning/learning-ideas/screen-time-helps-children-learn#:~:text=Screen%20time%20can%20help%20children

Millichap, J. G. (1994). Video Game-Induced Seizures. Pediatric NeurologyBriefs8(9), 68. https://doi.org/10.15844/pedneurbriefs-8-9-5

Posted on

Feedback in Gamification App

Motivation

Gamification and Game-based learning are well-studied fields in education, the effects of which generally positively impact learning. From ISTE standard 1.1.c “Students use technology to seek feedback that informs and improves their practice and to demonstrate their learning in a variety of ways.” (Brooks-Young, 2017), the question that I set out to investigate is: How effective is gamification in a learning tool in terms of feedback to a student? The conclusions in this post will help improve a programming practice web application currently in development. The current iteration of the application has a series of programming challenges that a student can work through.  The student can submit a program to any programming challenge and immediately receive a ‘pass’ or ‘fail’ on the problem.  I aim to determine what game components and digital feedback techniques should be added to improve this online tool.  The long-term use and integration of such a tool into a classroom setting to provide teachers a tools for providing practice problems for students. Under the TPACK model, the pedagogical view would be a game-based learning tool that allows students to level up as they gain more experience, the technology would be the programming platform on the web application, while the content knowledge would be gained by the programming itself.

Gamification, Game-based Learning, and Serious Game

In Teaching in a Digital Age, the author distinguishes between the following terms. Serious games are game-like interactive systems and “are referred to as entertaining tools with a purpose of education, where players cultivate their knowledge and practice their skills through overcoming numerous hindrances …” (Zhonggen, 2019, cited in Bates, 2022). Game-based learning is “the pedagogical approach of utilizing games in education.” (Anastasiadis, Lampropoulos and Siakas, 2018, cited in Bates, 2022). Gamification is the “use of game design elements in non-game contexts” (Deterding et al., 2011, cited in Bates, 2022). Game design elements for gamification include player profiles, experience points (XP), levels, badges, leaderboards, team collaboration, quests, social graphs, and certificates.

According to these definitions, my tactic is the gamification of an existing learning tool using a game-based learning pedagogical approach.  I would not call the current web app a serious game since it does not possess game-like characteristics. It is widely accepted that gamification increases the app’s usability, so we seek to find the types of feedback that would prove most beneficial for the programming app.

Feedback

There are primarily two forms of feedback: explanatory and corrective. Both types of feedback inform the player of the correctness of their answer, but explanatory feedback provides the player with an additional principle-based explanation. Currently, my application provides only corrective feedback. A 1993 study using a digital game designed to teach environmental principles found “… that a version incorporating explanatory feedback significantly improved recall performances compared with a version where no feedback was available”. (Leutner, 1993, as cited in Erhel et al., 2013). Another study “… of the Design-A-Plant game showed that the use of explanatory feedback improved learners’ transfer performance more than corrective feedback did.” (Moreno and Mayer, 2004, cited in Erhel et al., 2013).

It is also essential to distinguish between generic and tailored feedback and negative and positive feedback. Generic feedback is a general statement, whereas tailored feedback is specific to the player.  Negative feedback focuses on improvements that can be made, whereas positive feedback focuses on what the player did well during the last session. It is found that negative feedback is most effective when the player immediately has another turn, and positive feedback is more effective when the turn is delayed or non-existent (Burgers et al., 2015, cited in Welbers et al., 2019). Another study found that generic feedback was more effective than tailored feedback. This contradicts conventional thinking, and the authors quickly noted that it was due to corrective feedback. It is conjectured that tailored explanatory feedback, especially if accompanied by hints tailored to the player, could encourage participation (Welbers et al., 2019).  

One theme prevalent in these studies is the idea of instant feedback within games. Azumi (2015) highlights the addictiveness of massive multiplayer online role-playing games (MMORPG). These games require players to work together to accomplish a goal. Including a gamified collaboration element benefits programming education students in the learning process as they attain immediate feedback from peers (Azumi, 2015). In fact, “feedback in serious games and game-based learning can also take the form of responses from dialogues with non-player characters or instant feedback messages related to game controls and challenges performed.” (Laine & Lindberg, 2020, cited in Krath, 2021). Intuitively, immediate feedback allows players to make instant adjustments to quickly correct failures and set new goals.

Other Lessons Learned

Although unrelated to feedback, it is interesting to note that gamification applications in Computer Science have mixed results. A gamification platform that contained game dynamics was used to teach a course in Software Engineering where the students did not feel interested in the gamified environment. It is conjectured that older students and those who have much experience with lecture-based learning is less receptive of game-base learning (Berkling and Thomas 2013, as cited by Nah). On the other hand, a course in Information Systems and Computer Engineering introduced multiple game design elements into the course design itself. This increased student engagement and lecture attendance but did not significantly improve student grades (Barata et al., as cited by Nah). We must ensure that online tools do not replace the programming learning experience which only comes from solving real-world problems.

Conclusions:

From the readings and conclusions above, the following actions should be taken to incorporate gamification elements in the programming application. 

  1. Since a student can debug, alter, and resubmit an incorrect program immediately, the application should give immediate negative feedback, displaying elements of the code or test cases that failed in the execution of a program.
  2. Lessons should be drawn from the MMORPG. We should add a collaborative element, allowing students to form teams to solve problems.  Students can gain peer feedback and also benefit from developing a personal learning community.
  3. Welbers et al. (2019) noted that tailored explanatory feedback might encourage player engagement and participation. One way to do this is to give feedback by sending weekly progress reports and questions tailored to the user’s skill level.
  4. Programming challenges beyond a student’s skill level should be hidden until the required experience points are attained. This is a form of positive feedback which is most beneficial when the game play is delayed.

References

Erhel, S., & Jamet, E. (2013). Digital game-based learning: Impact of instructions and feedback on motivation and learning effectiveness. Computers & Education67, 156–167. https://doi.org/10.1016/j.compedu.2013.02.019

Welbers, K., Konijn, E. A., Burgers, C., de Vaate, A. B., Eden, A., & Brugman, B. C. (2019). Gamification as a tool for engaging student learning: A field experiment with a gamified app. E-Learning and Digital Media, 16(2), 92–109. https://doi.org/10.1177/2042753018818342

Nah F.F., & Zeng, Q., & Telaprolu, V. R., & Ayyappa, A. P., & Eschenbrenner, B., (2014). Gamification of education: A review of literature. HCI in Business, 401-409. https://doi.org/10.1007/978-3-319-07293-7_39

Azumi, S., Iahad, N., & Ahmad, N. (2015). Gamification in online collaborative learning for programming courses: A literature review. ARPN Journal of Engineering and Applied Sciences, 10(23).

Krath, J., Schürmann, L., & von Korflesch, H. F. O. (2021). Revealing the theoretical basis of gamification: A systematic review and analysis of theory in research on gamification, serious games and game-based learning. Computers in Human Behavior125, 106963. https://doi.org/10.1016/j.chb.2021.106963

Bates, A. W. (Tony). (2022). Chapter 8: Pedagogical differences between media. Pressbooks.bccampus.ca. https://pressbooks.bccampus.ca/teachinginadigitalagev3m/part/chapter-8-pedagogical-differences-between-media/

Brooks-Young, S. (2017). ISTE standards for students: a practical guide for learning with technology. International Society For Technology In Education.