Wednesday, October 24, 2012

Experimenting with social education.

I've been talking about and believing in "social business" for several years.  However, I've also been watching some of the changes to the education system--it's becoming more social too.

Recently, MIT and Harvard joined together with others to form EdX.  EdX, along with offering online courses, will research how students learn and how technology can transform learning–both on-campus and worldwide.

I was discussing this with a peer, and he said I can't talk about the concept if I haven't taken an online class.  He didn't think the online classes would be successful because it would be too isolating.  After much back-and-forth, I'm taking up the challenge--I've enrolled in CS50.  It's an introductory class, designed to teach people not just to program, but how to think.  And not just one, or a hundred people.  But over 53,000 students.  Obviously, the class has been designed to scale and it's not a trivial class.

The syllabus is the same as for the on-campus class.  There are lectures, extra help, and community support.  Of course, there are assessments too--8 problem sets (15 - 20 hours each), 2 quizzes, and a final project.  Obviously, it's going to take a team of people to grade the problem sets, quizzes, and projects.

But there are more differences.  It takes different tools to manage the class.  You can't use a paper grade book.  You need to design the assessments to be graded automatically, or at least with the help of technology.  The interesting part is not recording the lectures; that's trivial.  It's all about how to incorporate the lectures with everything else needed to make the class effective.  Keeping interest, and a sense of community.  It's more than just selling class t-shirts and mugs (but feel free!)

Class logo

Online learners who achieve a passing grade in CS50x will earn a certificate of mastery that indicates successful completion of the course, but will not include a specific grade. Certificates will be issued by edX under the name of HarvardX. For CS50x in Fall 2012 – Spring 2013, certificates will be free.

I've watched my first set of lectures and completed my first problem set. I've learned  that the difference between ASCII "A" and "a" is just one bit (0100 0001 vs. 0110 0001; I've never cared to check that before).  I've built a baseball game program in Scratch, a language much more user-friendly than the Basic and Logo I learned on.

I'm not sure that I've been inspired yet, but it is learning.  It's more than the Khan Academy.  It is collaborative.  It is effective.  Who knows, it just might work.

Of course, if you're feeling inspired, then it's not too late to join me in this experiment.  Click to sign up.  And if you do, be sure to comment and also join the community!  Who knows, we may just collaborate on a problem set...

Thursday, August 23, 2012

Personal Information. How much is too much?

I read the blog post by Patrick Townsend recently about how Personally Identifiable Information (PII) is protected by law and it got me thinking...  First, PII is information that, alone or with other information, can be used to uniquely identify, contact, or locate a single person.  (See also the definition on Wikipedia.)  However, in the US, what's considered personally identifiable varies by state.  Some don't give any guidance, some just copy laws from other states verbatim.  Some really try to think about it.  The EU seems to be much more strict than the US, and Germany is the strictest of all I've studied.

Obviously, a first name + last name + US Social Security Number (SSN) would uniquely identify me.  But so would my email address.  And my name + date of birth + place of birth is probably close to unique.  My fingerprints or other biometric data clearly would be PII.

But what about protecting or limiting it?  Massachusetts courts have crafted rules to say PII must be protected in documents that will be made public during a legal case.  They give some ideas of what's acceptable and how to fix it:
...In the case of a social security number, taxpayer identification number, credit card or other financial account number, driver’s license number, state-issued identification card number, or passport number, only display the last four digits... 
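The last-four rule is easy to state and easy to get wrong across a stack of filings.  Here is an example redaction filter, added to this page and not from the court or the original post, that finds identifier-shaped numbers and keeps only the last four digits.  The pattern is this example's own assumption: 9 to 19 digits with optional single spaces or dashes, which covers the SSN/ITIN, EIN, card/account and 9-digit passport shapes.  The sample text is constructed.  The filter deliberately over-redacts ten-digit phone numbers rather than risk missing an account number, and it knows nothing about driver's license formats, which vary by state.

```python
import re

# Runs of 9 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. This shape is an assumption for the
# example, not the court's definition. 4-digit years and ZIP codes are left alone.
IDENTIFIER_RE = re.compile(r"(?<!\d)(?:\d[ -]?){8,18}\d(?!\d)")


def mask_last_four(token: str) -> str:
    """Replace every digit except the last four with '*', keeping separators."""
    total = sum(ch.isdigit() for ch in token)
    seen = 0
    out = []
    for ch in token:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def redact(text: str) -> str:
    """Apply the last-four rule to every identifier-shaped number in text."""
    return IDENTIFIER_RE.sub(lambda m: mask_last_four(m.group(0)), text)


def find_identifiers(text: str) -> list:
    """Return the raw matches, for auditing what a filing would have exposed."""
    return [m.group(0) for m in IDENTIFIER_RE.finditer(text)]


# Constructed sample filing text (not real data).
SAMPLE = (
    "Plaintiff SSN 123-45-6789; employer EIN 12-3456789; "
    "card 4111 1111 1111 1111; passport 987654321; filed in 2012."
)

if __name__ == "__main__":
    print(find_identifiers(SAMPLE))
    print(redact(SAMPLE))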
Do these rules really help?  Probably.  But I don't mind some people or places having my PII.  It can make for a better experience (pre-filled forms on web sites, for example) or that by knowing my location and age they can potentially provide better content for me.  For example, if I'm currently in Tokyo but live in NYC, then based on my age, a website could give me tourist information about either Tokyo Disneyland or Tokyo night clubs. It could do it based on my age obviously, or where I'd traveled before (scary!).  If based on my credit card data or FourSquare checkins, I'd been to Disney World Florida, I might be a good candidate for Tokyo Disneyland.  If I spend hundreds in NYC bars, then maybe something more apt to my tastes.

Also, I know that certain government agencies need PII to do their job (taxes, passports, etc.), but the real trick is how to limit PII sharing to a "need to know" basis.  And of course, the devil is in the definition of "need".  Citibank wants to know my total net worth to determine if I'm a wealthy investor or a lowly serf (the latter, I assure you).

But it's the aggregation of PII that scares me.  One web site aggregates Twitter location data plus Google Street View to make it easy to see where someone lives and what's nearby, and to display locally-relevant ads.  See NakedSecurity's blog for more.  More scary is Take This Lollipop, which is meant to scare you about what you're sharing on Facebook.  It's worth a good viewing.  Just lock the front door first.

Chef Julia Child would have turned 100 last week.  Did you know she was a spy in WWII?  Her records from the US OSS (precursor to the CIA) are in the public domain after being declassified.  This includes mundane stuff like her commendations and pay from 1944, but it also includes her SSN and a copy of her physical exam.  She was 6'1" and weighed 155 lbs.  Her blood pressure?  Vision?  Hearing?  Heart rate?  They're in there.  (Note: it's a 280 MB PDF.)  Clearly that's going too far in sharing PII, even for someone who's been dead since 2004.  Information has to be available, and I'm generally of the opinion that open is better (especially for governments), but releasing medical records is too extreme for me.

I guess it's like pornography, I'll know there's too much PII when I see it, but defining how much sharing of PII is too much is complex.  There's certainly no easy solution.

Please comment if you have other good examples of how PII has been used for good or evil.

Wednesday, August 22, 2012

Radical changes in data storage

My first hard drive for my Mac Plus had just 10 MB of storage.  It seemed like a huge improvement compared to floppy disks.  It made boot up and program access faster, didn't fail, and fit neatly below the form-factor of my Mac.  Jump forward to today, and I can easily get a USB stick that stores thousands of times more data in a fraction of the space.  However, we have more and more data to store.  And those files are getting bigger and bigger.

So while Word file size is growing due to increased use of graphics, revisioning and embedding, the cost of that hard drive space has gone from over $100/MB in my Mac Plus to below $100/1,000,000 MB today (roughly $100/TB).  Huge improvement.

Now comes the interesting part.  There are new storage tools coming.  Amazon just launched their Amazon Glacier product for long-term storage, at $0.01/1,000 MB ("a penny per GB").  That's game-changing.  Well below 1/10th of current providers.  But, be sure, there will be other similar ones too.  Now you know yet another reason why Google is terrified of Amazon.

Oh, and by the way, it's moving storage from a CapEx to an OpEx expense too, but that's a story for another day.

DNA Strand image

Now, what's really interesting is what's next--DNA.  People have known there's lots of data in DNA.  But gene sequencing has become cheaper and faster, so it's potentially the next wave of storage (see "Harvard cracks DNA storage").  It may not be as fast as a hard drive, but for offline archival needs, 700 TB of data that needs no power, is stable long term, and is about the size of a raisin is a pretty good start to revolutionizing the storage industry yet again.

Wednesday, August 15, 2012

Spoiled by video collaboration

I re-learned a very important lesson yesterday. Video collaboration is useful when everyone can follow along, but where it becomes priceless is when you're confused.

I requested a presentation on a particular topic from a partner.  They arranged a salesperson to come and present to us.  The problem was, he didn't understand our business, my goals in asking for the meeting, or the problem I wanted to solve. It was not even a close fit.  We were looking for apples and we got t-shirts.

Don't miss the feedback!
The worst part was, the salesperson didn't know.  We were on an audio call.  The presenter sent along slides just before we started.  (They were from 2005!)  Had I seen them beforehand, I could have called it off.  But I didn't.  I just let him go on and sat through his presentation.  (Keith Brooks would say it was a Sales Presentation that Sucked.)

But that was my fault.  The presenter was on audio.  There was no out-of-band feedback mechanism.  Had he been on video, he could have seen our eyes glazing over.  He would have known we were confused.  Maybe bored.  Or worse.  He could have known to ask questions to ensure our engagement.  But he didn't know. No feedback.

Sleeping?  At least you know how much
I'm paying attention to the presentation.
When you're on video, you can see the audience.  You know when it's time to stop with the slides.  When you have to grab their attention back, be it with a joke, a stretch, or just a check-in.  It's this ability to get the non-verbal feedback that I really appreciate.  It's something that I became so accustomed to using video working at Polycom that I took it for granted.  Just doing an audio-only sales presentation (even with HD Voice) is not interactive enough.

If you think low-quality postage-stamp video is useless you're right.  But today's HD video collaboration, 1:1 or with multiple participants  on the screen, really helps me be more effective.  Certainly it would have helped this seller know that his message didn't get through. I can't imagine having meetings where we're not face-to-face anymore; where audio is my only option.  To me, I've re-learned the lesson:  you're engaged when you can actively participate.   Verbally, non-verbally, some other way.  I'll take video every day.

By the way, don't have business-quality video yet?  Download Polycom's free video client in your favorite device's app store (search "Polycom")  or for your Mac/PC.

Friday, August 3, 2012

Poor password capabilities frustrate me

There's really no excuse.  There's no excuse at all for weak password capabilities, especially for financial services companies. 

Outline of security
I recently attempted to increase the complexity of my online banking passwords.  It should have been simple, but the dizzying array of requirements made it more difficult than it needs to be. And the requirements were awful!  I don't mind if complexity isn't required (ok, I do, but that's a different issue)  but let me pick whatever password I can remember.

There are dozens and dozens of sites that describe what is a good password, and how to choose it.  For example, see Microsoft, Google, Naked Security and xkcd sites.  However, the password capabilities on the system have to support strong passwords.  I found that many banking systems did not.  Let's start with what I wanted to use.  It was similar to:
      ValidSpeedLimitzR: {30|45|55}nearHome
but I couldn't even come close. Forget that it's 37 characters, it's easy to type, secure and I can remember it.  The problem was the password capabilities on the online banking system.  They limit password entropy and make it less secure.  See below: 

American Express:
  • Must be different from your User ID
  • Must contain 8 to 20 characters, including one letter and number
  • May include the following characters: %, &, _, ?, #, =, -
  • Your new password cannot have any spaces and will not be case sensitive.
Another bank:
  • Must contain 7-32 characters
  • Must include at least one number and one letter
  • Cannot include special characters (&, %, *, etc.)
  • Cannot be the same as your User ID
  • Cannot be the same as any of the last five Passwords you've used
A third bank:
  • Password must be 6 to 32 characters long and contain at least one number.
  • No special characters
Fidelity Investments:
  • Use 6 to 12 letters and/or numbers
  • Do not use symbols, punctuation marks, or spaces (e.g., #, @, /, *, -)
Granted, some special characters are hard to type on mobile devices like iPhones and iPads.  And in the "olden days" you worried about people embedding HTML or JavaScript inside an improperly parsed form field, so that may be a motivation not to allow special characters.  But a password that is hashed the moment it arrives is never stored in the clear, echoed back, or spliced into a query, so that excuse no longer holds.  There's no reason not to allow a long password.  No real reason not to allow special characters or spaces today.  And certainly there's no possible reason NOT to make it case sensitive.  I'm not saying require them, because that's a whole other discussion, just permit it.

How can we expect to encourage users to choose strong passwords if the systems don't support them!  Come on financial companies, you must do better!


Update 1: 2012-08-03

I was so frustrated, I sent this tweet to @AskAmex:
@AskAmex I changed my online password and found weak pw policies--not even case sensitive! Why not?

to which @AskAmex replied:
@luriep Hi Peter, thx for feedback. Our PW policies meant to be secure but easy for our customers to use. Use %&_?#= for addl security. ^M

Which, of course, is bogus:

AmEx suggests {AZ09%&_?#=} = 42 characters
Stronger way: {azAZ09%&_?#=} = 68 characters (although I'd argue you should support 32 and not 6 special characters, but that only makes the point much bigger)

42 is less than 68, and the difference skyrockets when you take it to ^8 or ^20 (based on password length): 42^8 is about 9.7 x 10^12 combinations while 68^8 is about 4.6 x 10^14, roughly 47 times as many, and at 20 characters the case-sensitive space is over 15,000 times larger.  I don't see their password policies as anywhere near as secure as they very easily could be...
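To make the entropy argument concrete, here is an example (added to this page, not from the post or from any bank's code) that models each policy from the bullet lists above, reports why a given password is rejected, and computes the upper bound on entropy a policy permits.  The policy objects are built from the bullets; the AmEx special-character set is the six from the @AskAmex reply, and treating the unnamed bank and Fidelity as case sensitive is an assumption, since their rules do not say.

```python
import math
import string


class Policy:
    """A password policy as the post's bullet lists describe it.

    A model built for this example, not any bank's code. Where a list did
    not say whether passwords are case sensitive, case_sensitive=True is
    an assumption.
    """

    def __init__(self, name, min_len, max_len, case_sensitive, specials, spaces=False):
        self.name = name
        self.min_len = min_len
        self.max_len = max_len
        self.case_sensitive = case_sensitive
        self.specials = specials
        self.spaces = spaces

    def alphabet(self) -> set:
        """Every distinct symbol a password under this policy can contain."""
        chars = set(string.ascii_uppercase) | set(string.digits) | set(self.specials)
        if self.case_sensitive:
            chars |= set(string.ascii_lowercase)
        if self.spaces:
            chars.add(" ")
        return chars

    def max_bits(self, length=None) -> float:
        """Entropy upper bound for a uniformly random password of this length."""
        length = self.max_len if length is None else length
        return length * math.log2(len(self.alphabet()))

    def reject_reason(self, password: str):
        """None if the password is accepted, else the first rule it breaks."""
        if not self.min_len <= len(password) <= self.max_len:
            return f"length {len(password)} not in {self.min_len}-{self.max_len}"
        # A case-insensitive system folds case before checking anything else.
        folded = password if self.case_sensitive else password.upper()
        bad = sorted(set(folded) - self.alphabet())
        if bad:
            return "disallowed characters: " + "".join(bad)
        if not any(c.isdigit() for c in password):
            return "needs at least one number"
        if not any(c.isalpha() for c in password):
            return "needs at least one letter"
        return None


# Six specials as listed in the @AskAmex reply (the bullet list also shows "-").
AMEX = Policy("American Express", 8, 20, case_sensitive=False, specials="%&_?#=")
AMEX_CASE_SENSITIVE = Policy("AmEx if case sensitive", 8, 20, True, "%&_?#=")
UNNAMED = Policy("unnamed bank (7-32, no specials)", 7, 32, True, "")  # case: assumption
FIDELITY = Policy("Fidelity Investments", 6, 12, True, "")  # case: assumption

# The post's candidate passphrase (37 characters).
CANDIDATE = "ValidSpeedLimitzR: {30|45|55}nearHome"


def report(password: str, policies=(AMEX, UNNAMED, FIDELITY)) -> dict:
    """Map each policy name to its rejection reason, or None if accepted."""
    return {p.name: p.reject_reason(password) for p in policies}


if __name__ == "__main__":
    for name, reason in report(CANDIDATE).items():
        print(f"{name}: {reason or 'accepted'}")
    for p in (AMEX, AMEX_CASE_SENSITIVE):
        print(f"{p.name}: {len(p.alphabet())} symbols, "
              f"{p.max_bits(8):.1f} bits at 8 chars, {p.max_bits(20):.1f} bits at 20")
```

Note that the bound is for a uniformly random password; a human-chosen one is weaker still, which is exactly why the policy should not cap the space further.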

Wednesday, August 1, 2012

No Microsoft allowed? Really!?!?

I had a meeting with a customer (who shall remain nameless) and the account rep told me that I was not allowed to bring in any Microsoft products.  The customer was adamant.  None!

No Microsoft?

Now I am a tech guy with an Android phone, an iPad, and a few PCs.  I have WinXP, Win7, and Ubuntu running on different laptops.  I run virtualization software and have several images with other OSes.  Our corporate standard is Win7 and the MS Office suite.  Not the most "non-Microsoft" environment.  I find the right tool or environment for the task and get the job done.  Isn't that really what productivity and work are all about?

However, even for me to go Microsoft-free takes some planning.

In addition to PowerPoint, I have OpenOffice and Lotus Symphony, so doing the presentation was easy.  I converted it to PDF, to make it universal and I preloaded the presentation onto my iPad.  I run both IBM Sametime and Microsoft Lync, so I had to hide the latter client on my devices.

I am not an anti-Microsoft bigot, but I do try to respect the client's wishes, no matter how unusual.  But I learned something from this.

When I was done, I realized that I had a pretty much open source or freeware PC environment.  I had a bunch of $0.99 apps, and yet could be productive.  I don't know if it makes me flexible or foolish wasting time managing and learning different environments.  All I know is the client's requirement was understood, and they were able to listen to me without distraction.

Thankfully, I didn't have a Windows phone.

Oh, and this post was done on my iPad, using a Linux based MiFi, typed in a paid app and uploaded in Safari onto Google Blogspot. Microsoft free.

Thursday, July 26, 2012

A Security Nightmare

This is getting bad.  Very bad.  Keeping a company safe from hackers has always been difficult.  However, in recent weeks, things are getting worse.  Consider these three items that I tweeted about in the last couple weeks:
This power strip is not what it seems!
What happens when devices that look like one thing are something else?  What happens when viruses start to infect things that have always been safe in the past?  What happens when pretty much anything is hackable?  Even "safe" .pdfs.

Security Fails. 

It's not the fault of the users.  The attacks are getting too advanced.  Even experienced, somewhat security-aware admins can fall victim to these things.  I have a 39-character password.  I've been infected.  I've had malware.  It's a pain!

@DaveAitel is starting to suggest that it's a waste of employees' time to be trained in security awareness.  I disagree.  There has to be a balance.  Users are not security experts.  Even if they were, we can't train users about things that don't yet exist.  There has to be a holistic approach.  Train users, but have defense in depth.  Use best practices.

If you can reduce your attack vectors, all the better.  But at a minimum, please secure your environment: 
  • regularly patch and test everything for vulnerabilities.  (How fast can you patch your PCs and servers? Is it hours, days, or weeks?)
  • segment your network; keep confidential data isolated.
  • encrypt confidential data (hash and salt passwords!)
  • no open Wi-Fi access points, no open mail relays, etc.
  • require strong authentication (pass phrases, hard tokens, etc.)  and check for good passwords.  As said by xkcd:
Through 20 years of effort, we've successfully trained everyone to use passwords that are hard to remember but easy for computers to guess
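The "hash and salt passwords" item in the list above deserves a concrete shape, because "encrypt" is the wrong tool for passwords: a stored password should be hashed with a per-user random salt and a slow, iterated function, so that two users with the same password do not get the same record and every guess costs the attacker real work.  The following is an example added to this page (not the post's own code) using Python's standard-library PBKDF2-HMAC-SHA256 beside the unsalted hash it replaces; the 600,000 iteration count and the record format are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os

# Work factor assumed for this example (OWASP's 2023 figure for PBKDF2-HMAC-SHA256).
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """What the list warns against: unsalted SHA-256. Equal passwords give
    equal digests, so one precomputed table breaks every user who chose it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing record:
    pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record used fewer iterations than today's setting; re-hash
    it at the user's next successful login so the work factor can grow."""
    return int(record.split("$")[1]) < ITERATIONS


if __name__ == "__main__":
    # Same password twice: identical weak hashes, different salted records.
    print(weak_hash("correct horse battery staple") == weak_hash("correct horse battery staple"))
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print(a != b, verify_password("correct horse battery staple", a))
```

The record carries its own parameters, so iteration counts can be raised later without invalidating old logins, and `hmac.compare_digest` avoids leaking which byte of the digest first differed.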

Just remember, there are always unlimited resources to resolve a security problem once CNN learns that your company has been hacked, a USB key is lost, or a laptop full of medical records, financial aid applications, or space station codes goes missing.

Thursday, July 19, 2012

Why retail shopping drives me [insane | online]

We needed new patio furniture.  Ours is about 14 years old, rusting, and really needs replacing. We've been out a couple times looking, but still haven't found what we were looking for.  My wife saw an ad in the local paper for resin wicker chair and table set.  Not the highest end, but given our weather, it might just work.  So she sent me on a mission--find them.   We called the closest store, and they were all out.  We called the next closest, and they said they had the tables we were looking for.

I arrived, couldn't find it, so asked for help.  The manager looked up their inventory and it said they had the table and 5 chairs in stock.  It was near closing time, so I paid for the purchase while they pulled it from the stock room.

When they finished in the stock room, they could only find 4 chairs.  No table.  After doing a "return" of the missing items I left somewhat frustrated.  After 7 visits to 4 different stores, I have all 8 chairs I wanted, but still no table.  I'm very very frustrated, because they don't know what they have, where they have it, and where it's going.  They're 30 years behind the times.

1)  Even on clearance items, an organization should know their inventory, across the chain.  Not having real-time inventory is inexcusable in 2012.  (I understand shrinkage and other inventory issues, but generally, you should know what's where!)

2)  You should know what's coming in, and when it is expected.  I can go to Amazon and pull up the tracking number from the order I placed December 12, 2002 (almost 10 years ago!)  How can you not know what's coming?

3)  Figure out a way to take a phone order.  One store had the tables I needed.  I was ready to pay by credit card over the phone.  Their "systems" could not handle it.   Both tables were gone by the time I arrived 45 minutes later.   Certainly added to my frustration.

Not a smarter business.

One of the table/chair sets.
I want to support local business, but compared to how easy it is for me to go on line and find what I'd like, it's getting harder and harder to do it!

P.S. After calling around to each of the 5 stores near me, twice a day, we came home with both tables and 8 chairs. 

Thursday, July 5, 2012

Would you panic if your laptop disappeared?

During a recent trip, I watched in horror as a man realized that he had left his laptop sitting in a train station.... 3 hours previous.  He was in total panic.  Fortunately for him, some kind soul had turned it in and he was able to recover it at the lost and found department.  But it got me thinking.  I've never lost an actual laptop:

  • I did leave my iPad on a plane early this year, but the Delta ground crew helped me get it back before the next flight departed and it disappeared. 
  • I have had three hard drives die in the last year, but with good backup practice (and the help of Carbonite), I restored all my data. 
  • I had my car broken into and my blackberry stolen, but one phone call to my IT department and it was remotely wiped. 

But I never actually "lost" the whole laptop.   

Thinking about it, the loss is two fold: 
1)  How do I get my data back?
2)  Is there any concern about the data on missing device? 

The first part is easy.  I am an extremely strong believer in automatic backup. I use and strongly recommend Carbonite, but there are several very good products out there.  I also have a local external drive but only backup there occasionally.  

It was the second part that really got to me.  It was my last data recovery that got me thinking, as I looked at all the files that were being restored (lurie-peter-federal-state-taxes-2011.pdf being one, downloaded copies of credit card statements, etc.): there's a lot of information on my laptop.  And my wife has confidential files on her computer too.

I don't know if my work laptop is encrypted or not (I presume it is) however, my personal laptops are not.  Should they be?  Probably.  Can I find a way to do it transparently, inexpensively, and relatively securely?  Maybe... I'm going to play with TrueCrypt and write up results later.  

Meanwhile, until I get everything locked down, I guess I have to keep track of my laptops. :)