Tuesday, February 21, 2012

They just aren't that bright

Now, while Cracked.com is not considered an academically rigorous source, they are up there with Jon Stewart and Stephen Colbert when it comes to satire and not having to make up facts to be funny or truthful. Many of the students in my CS 280 class are concerned about privacy and government intervention in their lives. At the same time, many of them are looking for government regulation when it comes to privacy policies on the Internet.

Personally, I look at the government as the last place I would look for assistance in my life. I operate my personal and business lives as if the government is NEVER going to help me, and that's been a pretty accurate way of living my life. When it comes down to it, the government just isn't all that bright for the most part. I do hold the Canadian government in a bit higher regard when it comes to IQ, compared to the American government but not enough for me to change my mind for the most part.

Consider how good law enforcement / national security is at basic surveillance...

http://www.cracked.com/article_19677_6-people-who-turned-tables-government-surveillance.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+CrackedRSS+%28Cracked%3A+All+Posts%29&utm_content=Google+Reader

Or the priorities of government... Seriously, did these things need to be banned?

http://www.cracked.com/article_19192_6-things-you-wonE28099t-believe-got-banned-by-modern-governments.html


Protecting your privacy on the Internet is actually quite simple: don't post anything you don't want plastered on the front page of the Leader-Post or emailed to your boss. Don't use companies whose privacy policies aren't up to your personal standards. While Google and Facebook dominate their markets, they are not the only companies that do search or social networking. Market economics will reward a company that can provide search as good as Google while at the same time providing a higher level of privacy to its users. The drawback may be that you pay a monthly fee to use the service, since they will not be able to charge as much for advertising because they don't have as much information about their users.

How much would you pay for Google-quality searches without the privacy implications? Personally, I will continue to use Google as I police my own privacy. As a challenge, I will give the first person who can find an embarrassing article, picture, or status update about me $25 (it must have come from me or one of my customers - no fair making one up yourself using Photoshop).

Ready, set, go!

Sunday, February 19, 2012

Final thoughts on our Ethics Review

One of the most valuable parts of this project has been the feedback from the U of R Research Ethics Board (REB). In our initial plan, we had failed to do everything we could to protect the interests, reputation, and employment status of the research subjects. We had not taken into account various legal and ethical issues, assuming only that nothing bad would happen because the director had signed off on the project. We had not fully taken into account that there were three parties to this project: the researchers, the target organization, AND the University of Regina.

One of the main problems with our plan was the simple fact that there were three parties to the proposed penetration test (pen-test). According to Chan Tuck Wai in his report Conducting a Penetration Test on an Organization, you have to be very careful about how you conduct penetration tests on a network. Since such tests often involve what would otherwise be illegal activities, prior, proper legal preparation is essential. Normally, only the pen-testing company and the client company are parties to these agreements. Together they can hammer out all the legal protections needed. If employees are upset about the pen-testing, their legal actions are restricted to their employer and the pen-testing company - both are risks that can be mitigated through careful planning. However, in our case the U of R was also involved, which would give an aggrieved employee another party to sue. Unfortunately, the U of R's reputation may not be able to survive the publicity of "teaching a class on how to break into networks". For this simple reason, our proposed project was rightly killed by Enterprise Risk Management.

The REB reported a large number of problems regarding our initial research plan. The major issues came down to protecting employees from any repercussions of their actions during these tests. Despite assurances from management that no actions would be taken against employees who "failed" a test, the REB pointed out that while it is possible that no entries may be made in an employee file, management is human, and could remember who made mistakes during the pen-test. Since our initial plan was to present a very open and honest in-service with the cooperating organization, naming names would have been a problem, even if the names would never be mentioned in presentations outside of the organization.

The Interagency Advisory Panel on Research Ethics has issued the Ethical Conduct for Research Involving Humans. This document acknowledges the need for deception in research, particularly in the field of psychology. According to the Advisory Panel, “it is the responsibility of researchers to justify the need for such a departure” (p. 37) from fully informed consent. Further, given that we are undergraduates and not formally trained in research techniques, we should only be engaged in Minimum Risk research. Regardless of how much we anonymize the data by cutting out names, the use of edited transcripts, or disguising audio, the simple fact is that we cannot stop employees from talking to others about what we had done. This factor, regardless of anything we do, prevents this research from being Minimum Risk. There is simply no way we can enforce a “no-repercussions” policy from being applied, which again opens the U of R to a legal risk it cannot reasonably expect to take.

As a result of the feedback from the REB, we will not be conducting a real Social Engineering based penetration test. Instead, we will demonstrate Social Engineering attacks using actors, and will provide strategies for combating the threat of Social Engineering in your organization. As for what we really think about the REB, there are only two words we can say. Merci beaucoup! Your input was valuable and it is something we will take with us in our future endeavors in the world of IT.

Tuesday, February 14, 2012

Sicko and SOPA

I know it’s not IT related, but I still had to write this.

Last night I watched Michael Moore's film, Sicko. While it's an older film (2007), I still found it quite good. While many people, particularly Americans, do not like Michael Moore, and others find this film very one-sided, he still raises some very interesting and valuable points about health care systems around the world. His critics accuse him of cherry-picking facts, looking for the health care horror stories, and putting universal health care on a pedestal it doesn't deserve.

"Too many OB/GYNs aren't able to practice their love with women all across this country." - George W. Bush.

Sicko has three major themes running through it:
  1. The plight of un/under insured Americans and what the insurance companies will do once you have a major claim
  2. A comparison of different Universal health care systems in Canada, England, and France
  3. The plight of 9/11 rescue workers - he actually takes some of them to Cuba for treatment - and treatment they got

My Health Care Story

Last February a lump was found in my lung that was the size of a mandarin orange. I was immediately referred to two different specialists. I was facing the loss of the lower left lobe of my lung if the lump was found to be cancerous. By April, I was recovering from surgery, and the lump was found to be non-cancerous. Only a small piece of my lung was removed, and I was completely cured.

At no time did I have to do any of the following (unlike many Americans):
  • Get approval from my insurance company for the procedures
  • Pay any deductible to even see a doctor
  • Fight with Sask Health when they dropped my coverage retroactively after discovering I had a sore elbow in 2002
  • Fund raise with my neighbours so I wouldn’t lose my house to pay for everything
  • Wait a life-threatening length of time
  • Declare bankruptcy when the insurance company then simply decides not to pay the doctors.

Yet, for any major procedure, people in the United States face all those challenges and more, and it will not change because people continue to vote the way they do. The power brokers in the US have the best care money can buy; they see no problem with waiting times or denial of coverage. They live under different rules than the rest of the country, and it simply won't change until the American people decide to start voting for third parties - as long as the Republicans and Democrats have control over the political system it won't change.

Political Change

In Canada, the NDP will never form the government. I personally won't vote for them because I'm not a fan of unions. However, I must acknowledge the valuable contribution they have made to Canadian politics. Simply getting Canadians used to the idea that there are legitimate choices at the ballot box and asking the tough questions in Parliament is valuable.

Change is hard, but it can be done. Tommy Douglas changed the debate in Canada about health care. SOPA and PIPA were defeated as a result of public uprising. The RIAA and MPAA called it undemocratic because the protestors didn't meet in backrooms with Congressmen like good lobbyists do, but the backlash worked. It can work again for ACTA. It can work for health care. Popular dissent, freedom of speech, and freedom of assembly all work. Politicians need to be afraid for their jobs.

So if freedom of speech and popular uprising work, why didn't Occupy X work? Simple - they didn't have a clear message. No one could clearly articulate what Occupy was. Some were against the TARP bailouts, others said it was about affordable housing, others said it was about health care, and still others said it was about gay marriage. It made it too easy for the powers that be to simply ignore Occupy. They could not ignore the very targeted message the anti-SOPA group put out.

Lessons

When looking for change, make sure you have a very targeted message. Successful leaders craft their message for a specific audience and do not attempt to be all things to all people. Make no mistake, the lobbyists always have a specific, targeted message when they speak to MPs, Senators, or Congressmen. For us to defeat ACTA, a similar targeted message is needed, just as with the SOPA issue.

Monday, February 6, 2012

The Research Ethics Board wants a word with you . . .

In my CS 280 class (Risk and Reward in the Information Society) we have to do a group topic. I had an immediate idea that had been in my head before the class even began. Fortunately, I was able to get three great partners within 24 hours of posting the idea and our group was formed. Now, at this time I cannot divulge the nature of this idea, but I can tell you that while the professor liked the idea, he noted there may be a problem. Enter the Research Ethics Board and the requirement to do a full review of the ethics of our idea.

My initial thought was "Oh no, there goes our idea", but it has turned out to be a serious blessing in disguise. The concerns they have raised have forced our group to clearly communicate about what is important, and what we really need to do to get good results. When you are in the middle of an idea that you think is incredibly awesome, you are blind to the problems hiding in the corner. Even though the ethics review did not focus on the central thesis of our project, the Research Ethics Board has asked good questions and brought up excellent objections in their ethical review. Have you ever read the ethical guidelines for research? It is a great guide for coming up with your next research project:

http://pre.ethics.gc.ca/pdf/eng/tcps2/TCPS_2_FINAL_Web.pdf

Our group has now rewritten our research plan to deal with the objections raised by the REB, and guess what? We will still accomplish the same goals. We should still be able to do our research. Yet, it will be easier for us to do, we will be able to complete it quicker, and our presentation will be even more meaningful for both our class and for others who will have a chance to read it. Why? Because the review has forced us to consider what was truly important, eliminate side investigations that would get us into trouble, and most of all to share our ideas.

The other big advantage of the Ethics Review? When you are taking a course in programming, you really learn the material when you sit down in front of a text editor and start writing programs. You learn about digital circuits when you open up a logic simulator and start putting together gates, flip-flops, registers, and other cool stuff to make complex circuits. Where better to learn about ethics than by actually writing a real Ethics Review Proposal for your project? Even if I never learn anything more from this course, the REB has taught me more than enough to justify taking the course. As a mature student I really appreciate the extra work - it is really making me think harder, and learn more, and that is something I can put on my CV. I haven't just taken a course on IT Ethics, I've actually written and participated in the ethical review procedure - something that is valuable in itself.

Hopefully we will get our formal approval from the REB soon, but if not, we have already discussed Plan B - always something good to have anyway.

More on the Office of Research Services at the University of Regina is found here: http://www.uregina.ca/research/index.shtml