Tuesday, September 27, 2011

Conficker Worm - Interview with Mark Bowden

Good interview that provides an overview of the Conficker worm and the fragility of the Internet.

It's Difficult to Assess Student Writing

For the past year I've participated on my university's assessment committee. Although most universities struggle with assessment, I think my university has some unique challenges. My university is currently upper-division, possibly the only university left that begins at the junior level (although we're just beginning a year-long campus debate over the merits of becoming a 4-year institution). The university's regional accrediting organization recently told us that we are still responsible for undergraduate student learning outcomes such as writing, critical thinking, etc.

To begin, the assessment committee took a commonly used rubric from AAC&U and decided to use it to assess a small sample of student papers from different disciplines such as education, English, psychology, and business. As a business professor I found the task intriguing but difficult. I am not a writing professor and found it impossible to distinguish between criteria such as understanding audience vs. context vs. purpose vs. task vs. focus. It was a bit easier to assess content development and syntax/usage/mechanics. It was interesting and challenging to assess the quality and quantity of sources used for a personal reflection paper such as a student's philosophy of teaching statement.

Assessment is an uncomfortable and humbling process. When working with my peers from my own college and also from other disciplines, including English (literature and composition), nursing, psychology, chemistry, and business, we all expressed the same concern about rating the papers totally differently from one another. The papers were anonymous, but it was easy to figure out that a paper was from an English course when it connected everything to Wuthering Heights. I was a bit nervous that my ratings would reveal that I am either a pushover, too tough, or, more worrisome, an incompetent instructor.

One of the papers was a competitive analysis of a specific industry, and I rated it as fairly well written across all criteria, addressing each of Porter's competitive forces. At least one rater assessed it as totally unacceptable on most criteria. I am most comfortable providing students with feedback on executive summaries, memos, white papers, case analyses, project proposals, RFPs, requirements documentation, or pure academic research papers.

To be continued...

Security Expert: U.S. 'Leading Force' Behind Stuxnet [NPR]

One year ago, German cybersecurity expert Ralph Langner announced that he had found a computer worm designed to sabotage a nuclear facility in Iran. It's called Stuxnet, and it was the most sophisticated worm Langner had ever seen....

Click for full article: Security Expert: U.S. 'Leading Force' Behind Stuxnet : NPR

Saturday, September 24, 2011

Usernames Continued: Universities and FERPA

In my previous post I discussed usernames and their role in the authentication process. Systems in a university setting have similarities with those of any organization but face different regulatory requirements. Before Federated Identity Management (FIM) or Single Sign-On (SSO), many universities used the SSN or a student ID number as a username for some campus systems. That was probably not a good idea, since some university departments also used the SSN or student ID to authenticate a student before giving access to student records, in a way similar to how a password is used elsewhere. The same value was serving as both the public identifier and the secret.

In addition, the Family Educational Rights and Privacy Act (FERPA) helped push universities away from using confidential information such as the SSN as a student ID or username. FERPA is the federal law that protects certain parts of student education records from being disclosed without student consent. For example, faculty are no longer allowed to post a list of grades keyed by SSN, as was common in the past. Student email addresses, however, are not protected by FERPA because they are considered "directory information". On campuses with FIM or SSO systems the email address would likely be the same as the username and therefore also be public. Students do have the option to request that any of their "directory information" be kept confidential.

Thursday, September 8, 2011

Are Usernames Supposed to be Private?

It is a common misperception that system usernames are always meant to be private. In most cases, usernames are not meant to be private, and I would argue that in many of the cases where they are meant to be private, the people designing the access control and authentication systems may have made a mistake. A username is part of the identification and authentication process. The ID (e.g., username) is authenticated, or verified, through correct entry of at least one private piece of information, such as a password, and sometimes additional authentication factors: something the user knows (password or challenge question), has (key card or security token), or is (a biometric such as a fingerprint or retina scan).
[Tip: Use a strong password.]

Think about your workplace account. Most organizations now have single sign-on (SSO) systems that allow you to log in to multiple systems with the same username and password. The username is typically the first part of the email address or the email address in its entirety. Most organizations assign the email address and username rather than allow employees to choose their own, so that a naming convention guarantees unique account names. But if you know the basic naming convention, which is built from a person's name or initials, then you can determine anyone else's email address in the same organization from that person's name alone, and thus you know the username as well.
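To make the point concrete, the following Python snippet (added here as an illustration; it is not code from the original post) infers an organization's naming convention from a single known name/email pair and then derives the addresses, and therefore the SSO usernames, of other people from their names. The conventions, the example domain `example.edu`, and the sample names are all constructed assumptions. It also handles the case where one sample is consistent with more than one convention, which is why an attacker usually wants two or three known addresses before trusting the pattern.

```python
"""Infer an email/username naming convention from a known example.

Constructed example, not code from the original post. The convention list and
the sample names/domain (example.edu) are assumptions for illustration only.
"""

# Common local-part conventions, keyed by a short label.
# Each takes (first, last) in lowercase and returns the local part.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
}


def _split_name(full_name):
    """Return (first, last) in lowercase; middle names/initials are ignored."""
    parts = full_name.strip().lower().split()
    if len(parts) < 2:
        raise ValueError("need at least a first and last name")
    return parts[0], parts[-1]


def infer_conventions(full_name, known_email):
    """Return (matching_labels, domain) for a known name/email pair.

    More than one label may match a single sample (e.g. a one-letter first
    name makes 'flast' and 'firstlast' identical), so the caller should treat
    the result as a candidate set until a second sample disambiguates it.
    """
    first, last = _split_name(full_name)
    local, domain = known_email.strip().lower().split("@", 1)
    matches = [label for label, fn in CONVENTIONS.items() if fn(first, last) == local]
    return matches, domain


def derive_emails(full_name, labels, domain):
    """Build the candidate email addresses for a target name under each label."""
    first, last = _split_name(full_name)
    return sorted({f"{CONVENTIONS[label](first, last)}@{domain}" for label in labels})


def predict_usernames(known_name, known_email, targets):
    """Map each target name to its candidate usernames (the local part of the email).

    Returns a dict {target_name: [local_part, ...]}; an empty list means the
    known sample matched none of the conventions we know about.
    """
    labels, domain = infer_conventions(known_name, known_email)
    return {
        t: [addr.split("@", 1)[0] for addr in derive_emails(t, labels, domain)]
        for t in targets
    }


if __name__ == "__main__":
    # Constructed sample: one address observed on a public web page.
    known = ("Jane Smith", "jsmith@example.edu")
    others = ["Robert Jones", "Maria Elena Garcia", "A Lee"]
    for name, candidates in predict_usernames(*known, others).items():
        print(f"{name:20s} -> {', '.join(candidates) or '(unknown convention)'}")
```

Run the script and it prints one or more candidate usernames per target. The design point is that nothing here required any secret: one public address plus a staff directory is enough, which is exactly why the secrecy of the username cannot be what an authentication system relies on.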

Problems may occur if an organization allows the user to choose the username, or if the naming convention used to create a username includes information that should remain confidential. In the past it was more common for a username to include, or simply be, one's Social Security number, bank account number, or student ID number. An SSN or similar value should not be used as a username when it may also be used in a different setting to authenticate someone in a way similar to a password.