OCIO NEWSLETTER Issue 21 • OCT 2015
INDEX

SPOTLIGHT
e-Learning Championship Series (6)

FEATURE
Drones and Information Security
Windows 10 at First Glimpse
MOOCs Debut in CityU
CityU’s Virtual Museum of Chinese Minerals

IT SECURITY AWARENESS SERIES BY JUCC
Cloud Computing – Security Practices for General User

ITSM SERIES
ITSM Awareness Series (Part 3: Change Management)

STATISTICS AT A GLANCE
WiFi Usage Statistics

GLOSSARY CORNER
IT Security – What is Team Ghostshell?

SPOTLIGHT
e-Learning Championship Series (6)
Angel Lu, Crusher Wong

Since the beginning of the modern technology era in the mid-1990s, information technology has not only revolutionized the way we live, but also brought a tremendous impact on teaching and learning. In this issue, we are going to showcase three innovative, yet successful, applications of e-learning adopted by Dr. Brian W King from the Department of English, Dr. Charlotte Frost from the School of Creative Media and Dr. Alain Guilloux from the Department of Asian and International Studies.

Collaborative writings on Wikipedia

Writing is always regarded as the loneliest art on earth because writers usually write independently while readers read privately. After years of solitude, the Internet breaks down the boundaries of nations and allows people to meet and share ideas across the globe in a blink. Wikipedia has been one of the symbols of such collaborative work among worldwide netizens. Having gained inspirational insights from a previous collaborative writing course that used online platforms/web apps, e.g. Google Documents, to allow synchronous editing, Dr. Brian King brilliantly saw the possibility of turning Wikipedia into a great e-learning tool for second-language writers.

Collaborative writing is a kind of writing for which different scholars offer different definitions, e.g. writing at the same time or writing the same document. However much the definitions vary, all roads lead to Rome: the writing is contributed by different authors who express genuine emotions and ideas. As a result, teaching a collaborative writing course is a difficult, yet exciting, experience. “Literally, I saw flames in students’ eyes since their writings are going public! Experiential learning rather than didactic approach is important as students are given the chance to taste writing authentic articles,” Dr. King remarked.
Students had to come up with their own Wikipedia subjects before composing. Meanwhile, students also learned to collaborate under Wikipedia’s set of editing rules. The challenge was yet to come when a brand new article was published. Students were often criticized by the Hong Kong Wiki team, mainly for their overwhelming references and the credibility of the referencing sources. The online collaborative writing practice gave students the opportunity to be in charge of, and defend the survival of, their articles. It was a successful transformative process in raising students’ writing awareness, as students had to consider expressions and professional terms thoroughly to avoid challenges from the public.

Communication is the basis of successful collaborative writing. Therefore, the forms and ways of communication among students during their collaboration attracted the attention of Dr. King. With the aid of the OCIO, Dr. King recorded the entire communication process by employing Echo360. The captured process, both online and offline, will act as a valuable reference for Dr. King to explore further utilization of the platform to provide genuine writing experience to students, as well as a successful case study for future exploration of a new educational paradigm.
From Community Supported to Individual Academic Writing

Dr. Charlotte Frost is also a devoted fan of collaborative writing. With a sharing mindset and funding from the Teaching Startup Grant of CityU, Dr. Frost initiated Arts Future Classroom, as well as its sister project, Arts Future Book, which explores experimental new academic publishing models, to investigate creative ways of teaching and critical thinking. The Arts Future Classroom encourages course instructors to refine and share a set of battery-included e-learning tools, i.e. relevant readings, slides, demonstrations and guides to teaching software. The idea germinated from a Wikipedia project by Dr. Frost. The project, featured by the South China Morning Post in 2014, invited a group of volunteers to compile entries about Hong Kong female artists. Upon the completion of the project, Dr. Frost was aware that the tools used in the project could be extracted and reused as a skeleton for future classes. Since the class-kits were usually based on open-source platforms and resources, every teacher could conveniently adopt and modify the pre-defined tools to provide similar courses without reinventing the wheel. The Educational Toolkits Crowdsourcing Competition launched by Arts Future Classroom unveiled the winning toolkits in July 2015. Interested parties are encouraged to share their comments and insights at http://artsfuture.org, the website of Arts Future Classroom.

Starting from a personal project, Dr. Frost has also created an astonishingly well-loved platform for writing whizzes. PhD2Published is an energetic blog where thousands of newbies and old birds are learning and sharing together. Green hands bootstrap their writing by adopting suggestions from the platform, while veterans generously host online chat groups to provide precious in-depth academic writing strategies on PhD2Published. The best part of the platform is that writers can expand their social circles to share ideas not only with their colleagues, but also with everyone who has Internet access from all corners of the world. Consequently, PhD2Published has been an instant success with over 12,000 current followers on Twitter.

In 2011, Academic Writing Month (AcWriMo for short and #acwrimo on Twitter), inspired by National Novel Writing Month, received a great response from the community of PhD2Published. AcWriMo is a month-long academic write-a-thon in which writers set themselves a reasonable goal and other participants in the community support the goal with advice and related information. The writing month allows academic writers to nurture their academic writing skills at all stages of their careers. Thousands of tweets and writing tips from writers of 15 different countries shared ideas on academic writing, which generated an incredible amount of web traffic with over 300,000 budding novelists.
A Simulation Comes to Life

Disaster has always been an evergreen topic in novels. The strike of disasters, however, is even more dramatic and sudden in reality. During any crisis, decision-makers suffer from tremendous pressure owing to the influx of chaotic information cast under thick mists of uncertainty. As a result, Dr. Guilloux’s goal is to create a real-time exercise for students in his Disaster Management course. Equipped with 15 years of crisis management experience in Médecins Sans Frontières (Doctors Without Borders), Dr. Guilloux included in his course a computer simulation of a disaster scenario in which students were required to draw up critical decisions within time constraints. Every five minutes, cues and props, calibrated to class time, were sent to the students’ simulator so as to recreate a situation designed to approximate the reality that one would encounter during a disaster scenario.

Feeling extremely challenged, students had to break down, digest and confirm all the incoming information quickly and make the best decisions they could on the basis of the information and research they possessed during the weeks leading up to the computer simulation. To make matters more challenging, the information received might require additional analysis. Besides, students working in small groups had to communicate effectively within and across groups to make the best decisions. Students were then assessed on their ability to meet multiple objectives (e.g. focus on their missions, anticipate, prioritize, communicate, and protect vulnerable groups and critical infrastructure) under real time constraints and imperfect information. No wonder many students felt overwhelmed or stressed, but this was also why most students found the exercise realistic and enjoyable in a challenging way.

To make the simulation genuine, however, Dr. Guilloux has spent a lot of time out of the classroom to design the exercise and make it a valuable experience for students. With the assistance of the OCIO, Dr. Guilloux finally identified Kato (http://kato.im), an instant messaging platform, which met the learning and teaching needs of the course. Under Kato, dedicated relevant-identity accounts could be created and students were assigned to different authorities and roles prior to the striking of the simulated disaster.

In fact, communication and interaction among stakeholders play an indispensable role when dealing with catastrophes. Even though a few students grumbled that the online platform was difficult to operate as messages could not be sent in bulk to their assigned department, the short reply from Dr. Guilloux smashed all the complaints. REALITY. “The imperfections mirror the reality of communication processes in real time. Literally, there is a lot of bureaucracy for information to pass through. I was expecting students would take a break more often from their computers and actually communicate with the responsible parties face-to-face,” explained Dr. Guilloux.

With wide support and positive feedback reflecting students’ strong willingness and total engagement to be part of the simulation, Dr. Guilloux is confident to run the course again in the coming academic year. To fully utilize the benefits resulting from this innovative simulation, Dr. Guilloux is now exploring the possibility of bringing research and teaching together. The logs of online activities, discussions and decisions made by the students are a valuable reference to develop future simulation exercises.

Students can now be more exposed to authentic class activities through the adoption of educational technology. With the aid of technology, e-simulation exercises transformed literal case studies into a gratifying environment for students. Dr. Guilloux was thankful for a nurturing environment, be it the exchange of ideas with colleagues on how best to structure simulations or use technology. He highly valued seminars such as the one the Department of Asian and International Studies organized in April 2015 on seeking excellence and enhancing teaching through technology, the precious help of student volunteers, and of course, the close support that Dr. Crusher Wong and his team at the OCIO provided over the semester.
Empowerment Learning by Technology

From all these successful cases, it is not difficult to grasp the idea that communication and sharing are the true recipe for effective education for educators and learners. As people are propelled by common interests to excel in education, great ideas are generated through wise choice of technology.

1 Andrei Soroker, CEO of Kato and Sameroom, had announced via email to users that 31 August 2015 would be Kato’s last day of service.
FEATURE
Drones and Information Security
Office of the Chief Information Officer
Drones, officially known as Unmanned Aerial Systems/Vehicles (UAS/UAV), have become a popular recreational activity for hobbyists in recent years. They are easy to control with the help of improved technologies and features such as self-stabilizing, automatic take-off and landing, and auto-homing. Miniaturization of components like motors, gimbals, gyroscopes and GPS allows drones to fly farther and longer. Mass production of drones also makes them affordable to many. Sounds attractive, right? But you might not be aware of the dark side of drones. So, let’s visit some of the issues here from an IT security point of view.
Unencrypted radio broadcasting

Obviously, drones are controlled using remote controllers through radio signals. Limited by the processing power of drones and remote controllers, radio signals are usually unencrypted. This means they are openly broadcast and eavesdroppers can capture all videos sent from the drone to your remote controller over the air. This happened to military drones as well [1][2].
Hijacking

What’s even worse, your drone can be hijacked. Just as it is easy to intercept the communication between your drone and remote controller, it is not difficult to create a signal with the same frequency and channel, and then jam the channel and make your drone uncontrollable. It is also possible to customize a remote controller so that it has a stronger signal output and takes control of your drone. Someone also claimed to have installed a jamming device on a drone, flown it and taken down other nearby drones [3][4].
GPS spoofing

Drones also use GPS to locate themselves and fly. Many of them also use waypoints to plan routes, so that the owners can set waypoints on maps, transfer the route to the drones, and allow the drones to fly by themselves. Many drones also come with an auto home function, which records the starting point of the flight and helps the drone to fly back to the starting point if it loses communication with the remote controller. However, civilian GPS signals are unencrypted and can be spoofed. In other words, your drone can be fooled, and it can be driven away from the original route [5][6].
Malware

Malware is also a concern. After all, a drone is equipped with a microcomputer, which is designed to receive control signals, read data from sensors, and calculate and adjust the motors. As a rule of thumb, all computer systems have vulnerabilities that can be exploited. It has been claimed that malware was developed for attacking drones. It was also reported that there were plans to use drones as a platform to spread malware [7][8].
What to do?

All the above is just the tip of the iceberg, to draw your attention to the fact that drones can leak private information, be taken down or even hijacked. So what shall we do? Our recommendation is to go back to the basic risk management strategy:
• Avoidance: eliminate the risk by refraining from buying and playing with drones.
• Transfer: buy insurance which covers the loss for yourself and third parties, so that you don’t have to bear the full burden of a total loss. Such insurance plans are not yet available on the market; however, this may come anytime, so keep an eye on it.
• Mitigate: reduce the likelihood of occurrence, such as playing in a safe zone, keeping the firmware of your drone up-to-date, monitoring the trend of risks and regulations related to drones, etc.
• Acceptance: understand the risk and accept what might happen.

You can also combine the above approaches. Whatever risk management approach you adopt, please be reminded that you will also have to bear the consequences.

Without doubt, safety is of utmost importance, and please bear in mind that a drone is not a toy. It can also be a life hazard when it falls from just a few metres and hits someone, or when its propellers hit somebody. Therefore, before flying any drone, please be familiar with all the safety instructions and receive proper training. Finally, please note that if you plan to use a drone, you must fully comply with all applicable local laws and regulations, and you must also obtain proper approval from the landlord or approving authorities in advance.
Further readings
[1] Wired (2012), Most U.S. Drones Openly Broadcast Secret Video Feeds, retrieved from http://www.wired.com/2012/10/hack-proofdrone/
[2] NBC Chicago (2015), How a Drone Could Spoof Wi-Fi, Steal Your Data, retrieved from http://www.nbcchicago.com/investigations/drone-public-wi-fi-302649331.html
[3] Dutch News Design (2015), Alert: your drone data is intercepted by hackers and security, retrieved from http://www.dutchnewsdesign.com/dronejournalism/drone-dataintercepted-by-hackers-securitydata-thieves-governements/
[4] Computerworld (2013), Hacker-built drone can hurt, hijack other drones, retrieved from http://www.computerworld.com/article/2486491/mobile-wireless/hacker-built-drone-can-hunt-hijack-other-drones.html
[5] Forbes (2015), Watch GPS Attacks That Can Kill DJI Drones Or Bypass White House Ban, retrieved from http://www.forbes.com/sites/thomasbrewster/2015/08/08/qihoohacks-drone-gps/
[6] The University of Texas at Austin (2015), Todd Humphreys’ Research Team Demonstrates First Successful GPS Spoofing of UAV, retrieved from http://www.ae.utexas.edu/news/features/todd-humphreys-researchteam-demonstrates-first-successfulgps-spoofing-of-uav
[7] The Hacker News (2015), MalDrone – First Ever Backdoor Malware for Drones, retrieved from http://thehackernews.com/2015/01/MalDrone-backdoor-dronemalware.html
[8] PC Magazine (2015), Forget Phishing: Malware Now Coming for Your Via Drones, retrieved from http://asia.pcmag.com/security/4587/news/forgetphishing-malware-now-coming-foryour-via-dr
ITSM Series
ITSM Awareness Series (Part 3: Change Management)
Strategic IT Development team, Office of the Chief Information Officer
The ITSM Awareness Series of articles aims to raise awareness among CityU IT provisioning units (both Central IT and departments) and interested parties of the current best practice in IT service management (ITSM).
An overview of the CMDB (Configuration Management Database) was provided in Part 2 of this series. The CMDB supports a number of processes, including the Change Management process, which is described below. Risk assessments on requested changes must consider CIs’ relations and dependencies that might affect related IT services and customers. Change Management is one of the control processes of the IT Service Management (ITSM) framework. It works closely with Configuration Management and Release and Deployment Management, and also with the two resolution processes: Incident and Service Request Management and Problem Management. Change Management mainly manages service transition changes, including rollout of a new service, changes to an existing service, or removal of a service. The following sections summarize the Change Management model established at CityU. Participants of the process should always refer to the relevant policies, procedures and documents for operation, as they will be revised and improved from time to time.
Change Management Model

An effective Change Management is managed and operated pursuant to the established University policy, procedures and process flows in the ITSM tool. It is reviewed regularly by monitoring performance indexes to see if there is room for improvement.

In general, each proposed change to an IT service shall have a change record (known as “Request for Change” (RfC)) raised for assessment and approval, with a documented detailed change plan that includes, but is not limited to, the following:
• Description
• Reason for change (service requirement, business benefits)
• Requestor and Responsible staff
• Classification (impact, urgency, priority)
• Assessment (service/user impact)
• CI Involved and specify any change on CI information
• Any service downtime or service degraded
• Schedule of change
• Plan to reverse or remedy a change with an unexpected result

All RfCs shall go through a life cycle as shown below:
Raise & Record >> Assess & Classify >> Approve & Plan >> Develop >> Execute >> Post Review >> Close

Different roles within Change Management have their own responsibilities. In short, a Change Requestor is responsible for raising the RfC; a Change Manager is responsible for performing assessment, approval and post implementation review; and the Change implementation members (e.g. Change Developer / Tester / Deployer) are responsible for change development, test and deployment. Change requests classified under certain risk criteria (e.g. impact class major or critical) must be reviewed and approved by the Change Advisory Board (CAB), which usually consists of business and IT authorities. For an emergency change, an RfC can be raised after the event, but approval (which can be verbal or by email/text) must be obtained from the explicit manager and the Emergency CAB (ECAB). Below is a quick card to present the three change types (standard, normal and emergency) classified by impact and urgency, and the responsible approval parties.

[Figure 1. Quick card of change approval requirements. Axes: Impact (Minimal, Minor, Major, Critical) and Urgency (Low, Medium, High, Emergent); change types: Standard Change, Normal Change, Emergency Change; approval parties: Change Manager, CAB + Change Manager, ECAB + Change Manager.]
Change Management tool

The ITSM Change Management application used by CityU facilitates basic RfC recording and supports the following highlighted features to assist process management and decision making:
1. Manage approval flows of different change types
2. Present the change “Should Close” date according to the agreed service level defined based on priority
3. Detect CI conflicts and prompt an alert if the same CI is involved in more than one change in any overlapping period
4. Analyse direct and indirect impacts of the involved CI on other CI(s) and service(s) according to the CI relations and impact levels defined
5. Associate with related Incident / Problem / Release records
6. Manage activities by using “Actions” or “Actions Plan” (e.g. tasks of CI updates and approval)
7. Present the Changes schedule in calendar view

[Figure 2. Change Request Form]

The block diagram (fig. 3) shows, as an example, what other records should be linked to a Change record in the following circumstances:
1. A Release manages a Change release and deployment
2. An Incident requires a Change to resolve service issues or resume service
3. A Problem requires a Change to deploy a fix to services to prevent incidents from recurring
4. A CI is involved or affected in a Change

[Figure 3. Records relation]

Proactive Change vs Reactive Change

There are many reasons to induce changes. For example, someone makes changes to his own computer because of various needs such as new software installation, hardware upgrade, operating system patching, etc. In IT service management, changes can be generally grouped into Proactive Change and Reactive Change. The former is a change made before a circumstance happens, while the latter is a change made after a circumstance has happened. For instance, an operating system patch scheduled because of a known security vulnerability that has not yet induced any impact is treated as a proactive action. If the patching is scheduled after impact has already been introduced, that is a reactive action.
Change Management is a relatively complex process as it operates across the four stages of the Information Technology Service Management System (ITSMS): (1) service plan, (2) design and development, (3) transition and (4) operation. Understanding the concepts of proactive and reactive change is very important for change management to operate wisely, and even more so for the entire IT service management system. “More proactive less reactive” is not just a theory but an achievable result. Proactive action is always planned, which means resources from a limited pool can be allocated ahead with a higher guarantee. In contrast, reactive action is mostly unplanned: resources are allocated on an ad hoc basis, and a draw on resources might cause a chain effect on others. In terms of ITSM processes, more effort put into Change or Release Management means less effort drawn to Incident or Problem Management, as every change to an IT service must be tested and accepted before it is deployed into production. The higher the managed level during the service plan, design and development stages, the lower the need for rework or remedy in the transition and operation stages.
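Features 3 and 4 of the Change Management tool listed above (CI conflict detection and direct/indirect impact analysis) can be illustrated as follows. This is an added example, not the code of CityU's ITSM tool; the RfC ids, CI names, CI relations and the half-open window rule are constructed assumptions, and impact is expressed as hop distance rather than the tool's own impact levels.

```python
"""Change-calendar checks modelled on tool features 3 and 4 (illustrative only)."""
from collections import defaultdict, deque
from datetime import datetime
from itertools import combinations

# Constructed sample RfCs: ids, CI names and change windows are hypothetical.
CHANGES = [
    {"id": "RFC-001", "cis": {"db-server-01"},
     "start": "2015-10-05 20:00", "end": "2015-10-05 23:00"},
    {"id": "RFC-002", "cis": {"db-server-01", "web-server-02"},
     "start": "2015-10-05 22:00", "end": "2015-10-06 01:00"},
    {"id": "RFC-003", "cis": {"web-server-02"},          # starts as RFC-002 ends
     "start": "2015-10-06 01:00", "end": "2015-10-06 02:00"},
    {"id": "RFC-004", "cis": {"mail-gw-01"},             # same time, other CI
     "start": "2015-10-05 21:00", "end": "2015-10-05 22:30"},
]

# Constructed CI relations: DEPENDENTS[x] lists what relies directly on x.
DEPENDENTS = {
    "db-server-01": ["student-portal", "hr-system"],
    "web-server-02": ["student-portal"],
    "student-portal": ["e-learning-service"],
}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def find_ci_conflicts(changes):
    """Return sorted (ci, rfc_a, rfc_b) triples for overlapping windows on one CI.

    Windows are treated as half-open [start, end): a change that begins exactly
    when another ends is not a conflict (an assumption of this example).
    """
    by_ci = defaultdict(list)
    for change in changes:
        if _ts(change["start"]) >= _ts(change["end"]):
            raise ValueError(f"{change['id']}: window must end after it starts")
        for ci in change["cis"]:
            by_ci[ci].append(change)

    conflicts = []
    for ci, group in by_ci.items():
        for a, b in combinations(sorted(group, key=lambda c: c["id"]), 2):
            if _ts(a["start"]) < _ts(b["end"]) and _ts(b["start"]) < _ts(a["end"]):
                conflicts.append((ci, a["id"], b["id"]))
    return sorted(conflicts)


def impacted(changed_cis, dependents):
    """Map each affected CI/service to its distance from the changed CIs.

    1 means direct impact, 2 or more means indirect. Breadth-first search with
    a visited map, so cyclic relations terminate.
    """
    hops = {ci: 0 for ci in changed_cis}
    queue = deque(changed_cis)
    while queue:
        current = queue.popleft()
        for nxt in dependents.get(current, []):
            if nxt not in hops:
                hops[nxt] = hops[current] + 1
                queue.append(nxt)
    return {ci: n for ci, n in hops.items() if n > 0}


def review(changes, dependents):
    """Build one alert line per conflict, listing the services put at risk."""
    by_id = {c["id"]: c for c in changes}
    alerts = []
    for ci, a, b in find_ci_conflicts(changes):
        affected = impacted(by_id[a]["cis"] | by_id[b]["cis"], dependents)
        names = ", ".join(sorted(affected))
        alerts.append(f"{ci}: {a} overlaps {b}; impacted: {names}")
    return alerts


if __name__ == "__main__":
    for line in review(CHANGES, DEPENDENTS):
        print(line)
```

With the sample data, only RFC-001 and RFC-002 are flagged: they share db-server-01 in overlapping windows, while the back-to-back and different-CI cases pass.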
FEATURE
Windows 10 at First Glimpse
Tony Chan
Windows 10, the latest version of the Windows operating system, was launched in July 2015. It takes a huge leap forward and gives users a deep impression. It introduces plenty of new features and improves a number of existing features. Besides, the best news is the free upgrade to Windows 10 for genuine Windows 7 and Windows 8/8.1 devices. Users can take this free upgrade offer to get the full version of Windows 10 before 29 July 2016. Once the device is upgraded, Windows 10 is free on that device.

List of Windows 10 Editions from free upgrade:

From Edition | To Edition
Windows 7 Starter | Windows 10 Home
Windows 7 Home Basic | Windows 10 Home
Windows 7 Home Premium | Windows 10 Home
Windows 7 Professional | Windows 10 Pro
Windows 7 Ultimate | Windows 10 Pro
Windows 8.1 | Windows 10 Home
Windows 8.1 Pro | Windows 10 Pro

Introduction of Windows 10’s Features

Plenty of new features are introduced in Windows 10, and below are just some significant ones:

1. New Start Menu
The Windows 10 Start Menu is a major improvement over Windows 8. It combines the best of the Start Menu of both Windows 7 and Windows 8. A Windows 7-like Start Menu shows a scrolling view of all your applications sorted alphabetically. An extra pane is on the right-hand side of the scrolling menu, so users can pin Windows 8-style live tiles there.

[Figure: New Start Menu]

Windows 10 also provides quick ways to switch between desktop and tablet modes so as to cater for devices with or without a touchscreen. A Tablet mode button for toggling the setting can be found in the Action Centre. Users can swipe left from the right edge of a touch-enabled PC to open the Action Centre.

[Figure: Tablet Mode]

2. New Web Browser - Microsoft Edge
Windows 10 includes a new web browser, Microsoft Edge, which replaces Internet Explorer as the default browser. It has new features like Web Note, Reading View, Cortana, etc.
• Web Note - lets you annotate, highlight, and add notes directly on webpages.
• Reading View - lets you enjoy and print online articles in an easy-to-read layout that is optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list for later viewing.
• Cortana - lets you highlight words for more information and gives you one-click access to things like restaurant reservations without leaving the webpage.

[Figure: Web Note]

3. New Security Innovations
Windows 10 has more built-in security protections to help safeguard your device against illegal access, viruses, phishing, and malware.
• Windows Hello - lets you sign in to your Windows 10 devices with biometric authentication, using your face, iris, or fingerprint to unlock your devices.
• Device Guard - will lock a device down so that it can only run trusted applications from the Windows Store, selected software vendors, and signed line-of-business applications. It only works with devices running Windows 10 Enterprise.
• Microsoft Passport - securely authenticates you to applications, websites and networks on your behalf without sending up a password. Thus, there is no shared password stored on their servers for a hacker to potentially compromise. It uses strong two-factor authentication consisting of an enrolled device and a Windows Hello (biometric) or PIN: you will be asked to verify that you have possession of your device before it authenticates on your behalf.

Schedule of Windows 10 Support at CityU

We have been evaluating Windows 10 since its technical preview version. Currently, we are experimenting with the final release, and participating in seminars and training courses to prepare for the support. The new OS also needs to be tested for its compatibility with our existing environments. Before Windows 10 is formally supported and widely deployed on campus, support units have to ensure that all the in-house developed applications, e-learning and administrative systems can run smoothly under it. As general practice, Windows 10 will be made available on computers managed by the Central IT for teaching and learning first.

References
• Windows 10 FAQ & Tips – Microsoft http://www.microsoft.com/en-us/windows/Windows-10-faq
• Microsoft Edge http://www.microsoft.com/en-us/windows/microsoft-edge
• Windows Hello http://windows.microsoft.com/en-us/windows-10/getstarted-what-is-hello
• Device Guard overview https://technet.microsoft.com/en-us/library/dn986865(v=vs.85).aspx
• Microsoft Passport overview https://technet.microsoft.com/en-us/library/dn985839(v=vs.85).aspx
FEATURE
MOOCs Debut in CityU
Angel Lu, Crusher Wong

Massive Open Online Course (MOOC), besides “Cloud”, has been a recent buzzword in the fields of technology and higher education. The New York Times even declared 2012 “The Year of the MOOC”. Numerous institutions have invested time and effort to develop their own MOOCs, and CityU is no exception. In this article, we are going to cover the latest trend of MOOCs and CityU’s preparations to jump on the bandwagon.
1 Minute MOOCs

Massive Open Online Course (MOOC) is a recent development in distance education that promotes unlimited participation and open access via the web. As in a typical lecture course, learners are required to attend lessons, complete readings and finish assignments, albeit all online and at a distance. Compared to traditional settings, MOOCs remove physical constraints, i.e. distance or fixed schedule, so that teaching and learning can be carried out in a more flexible and interactive format. MOOCs are more like collaborative learning platforms emphasizing bidirectional exchange, rather than unidirectional communication, through the assessments and forums on the web. Boosted by the advancement of web technology and bandwidth, MOOCs have become the big thing in education and institutions worldwide are keen on putting up their MOOCs. Up to December 2014, there were thousands of MOOCs hosted by the major MOOC providers. In 2016, City University of Hong Kong (CityU) will be a newcomer to MOOCs to bring its Discovery-enriched Curriculum (DEC) to the global level.

Figure A: Acronym for Massive Open Online Course
Illustration, entitled “MOOC, every letter is negotiable,” exploring the meaning of the words “Massive Open Online Course”, is adapted from flickr[1].
PDAs foster the development of GE MOOCs in CityU

In March 2015, CityU established Professionals Development Awards (PDAs), funded up to $1,000,000 per award, to support the University’s e-learning strategy and DEC. With an aim to expand the University’s regional and global access to the fruits of DEC initiatives, PDAs provide an “in-house sabbatical” for full-time faculty and teaching grade staff to develop signature CityU Gateway Education (GE) MOOCs, either brand-new or battle-proven ones. Under the PDA scheme, the awardees will not only be provided with rich resources subject to their needs, but are also permitted to have some release time during summer or semester to proceed with their development. Having been reviewed by the PDA Selection Panel, three proposals were approved in May 2015 and approximately HK$2,800,000 has been awarded to facilitate these projects.
Table: Popular MOOCs Providers (Data updated up to August 2015)[2][3][4][5][6][7]
MOOCs in CityU

The debut of CityU’s first MOOC, Innovation and Entrepreneurship based on PIPE®, is expected in January 2016, followed by two others, namely Biomedical Research in One Health and Discovering Socially Engaged Art, in September 2016. These courses will be available free of charge for learners around the world.

The first MOOC GE course, Innovation and Entrepreneurship based on PIPE® from the Department of Systems Engineering and Engineering Management, is built upon an existing GE2304 course, Innovation and Entrepreneurship for Young Professional, which has been offered as a credit-bearing course for CityU students. The original course has attracted the interest of local newspapers and universities in China and Taiwan. 80 instructors from 50 universities attended the workshops and the seminars to investigate ways to enhance students’ creativity by discovering real-life problems, generating creative new ideas and finally planning for a new business. This pioneer MOOC is expected to raise more attention from the public so as to promote the core value and the upcoming MOOCs of CityU.

The second, Biomedical Research in One Health from the Department of Biomedical Sciences (BMS), another PDA-funded project, intends to aid students’ understanding of the processes of design and development of diagnostic and therapeutic products through discovery and innovation. Owing to the rapid growth in urbanization, deterioration of the physical environment and an aging population, there are growing problems for biomedical scientists to tackle. However, all these areas of concern currently lack proper approaches and solutions, so creativity can be the salvage. Through combining the multi-disciplinary knowledge of BMS and the vast exposure of MOOCs, Biomedical Research in One Health will allow participants to apply the integration of knowledge with subject-specific skills, as well as cultivate possible future solutions to address the growing concerns in biomedical science.

The third PDA-funded project, Discovering Socially Engaged Art from the School of Creative Media, will focus on fostering students’ awareness of socially engaged art to encounter increasingly complex social issues at local, national and global levels. Arts are expressions of creativity and this awarded project is no exception. A MOOC is often formatted only as a series of video lectures, but this course envisions four interconnected components: lecture videos, documentaries of selected socially engaged art projects, an online case study database and an online platform for students’ presentations. This ambitious MOOC will, hopefully, be a signature course for CityU students and beyond to explore the further possibilities of MOOCs in CityU.
Embrace MOOCs in CityU
Even though CityU is not an early bird in MOOCs, by concentrating on the core values of DEC and distilling proven experiences from other implementers, CityU will undoubtedly develop MOOCs with its own distinctive characteristics. Let us await and embrace CityU’s upcoming MOOCs, and bring the courses forth to a worldwide stage.
References:
[1] MOOC. In Flickr. Retrieved September 3, 2015 from https://www.flickr.com/photos/mathplourde/8620174342/sizes/l/in/photostream/
[2] List of 42 Providers offering MOOCs. In Class Central. Massive open online course. Retrieved September 3, 2015 from https://www.class-central.com/providers
[3] Coursera. Retrieved September 3, 2015 from http://en.wikipedia.org/wiki/Coursera
[4] Udacity. Retrieved September 3, 2015 from http://en.wikipedia.org/wiki/Udacity
[5] edX. Retrieved September 3, 2015 from http://en.wikipedia.org/wiki/EdX
[6] Khan Academy. Retrieved September 3, 2015 from http://en.wikipedia.org/wiki/Khan_Academy
[7] FutureLearn. Retrieved September 10, 2015 from https://www.futurelearn.com/about
FEATURE
CityU’s Virtual Museum of Chinese Minerals Vicker Leung
Illustration by Amanda Mok
When we talk about natural minerals, it is very easy for us to name a few common ones that exist in our daily life, such as iron, gold, and diamond. Of course, there are far more than these in this world. In the IMA Database of Mineral Properties [1], there are more than 5,000 species recorded, showing how awesome Mother Nature is.
The Smale Collection
Prof. Stephen Smale, University Distinguished Professor in CityU, is a great mathematician as well as a private mineral collector. Since the late 60s, he has traveled around the world with his wife Clara, searching for great mineral specimens to build up their fabulous collection. So far Prof. Smale owns more than 1,000 world-class specimens, and part of the collection can be seen in the book “The Smale Collection: Beauty in Natural Crystals” [2] published in 2006.
Figure: Prof. Stephen Smale’s collecting philosophy emphasizes the beauty of the specimen
The Virtual Museum
In 2014, Prof. Smale decided to take a step further, working with the Central IT to develop the CityU Virtual Museum of Chinese Minerals, bringing his finest specimens onto the Internet.
“This virtual museum is based on photographs of about 300 of the best Chinese mineral specimens of our collection.” Prof. Smale described. The featured collection in the virtual museum can be classified into around 60 species, which were collected from over 40 different mines across China.
Figure: Prof. Smale’s collection across China
Each specimen in the virtual museum bears a high definition photo together with a detailed caption describing the species, dimension, locality and most importantly the story of how the specimen became part of Prof. Smale’s collection. There are many mineral websites on the Internet, but they seldom include photos in this exceptionally high resolution, Prof. Smale explained.
Figure: Some of Prof. Smale’s favorites in the virtual museum. (Left) 9cm tall Quartz from Huanggang Mines (Right) 13cm wide Fluorite from Yaogangxian Mine
Digital Beauty
The core of the virtual museum is no doubt the specimens, and the high-resolution photos play an important role. All the photos in the virtual museum were taken by the famous mineral specimen photographer Jeff Scovil [3]. To capture the true beauty of each specimen, Scovil spent hours setting up the stage to ensure that the lights and angles were best calibrated. Each photo in the virtual museum goes beyond 12 megapixels, allowing visitors to zoom in to check out all the fine details. Prof. Smale mentioned that the use of Photoshop was minimized to prevent any doctored photos, returning the true color of the specimens.
Technologies behind the Scene
To allow visitors to browse quickly through the large collection of 300 specimens, a Pinterest-like masonry layout is used in the virtual museum. Users can also make use of the real-time filtering feature to check out specimens of a particular mine or species. The cloud service Flickr is used as the photo storage and Content Delivery Network (CDN) to ensure mineral lovers around the world can enjoy the high definition photos at an optimized speed.
Going Further
The virtual museum was officially launched on 10 August 2015, and since the launch thousands of visitors have already browsed Prof. Smale’s collection. The museum was also featured in the newsletter of the award-winning mineral magazine, The Mineralogical Record [4], published in August 2015. In the next few months, the virtual museum will be further improved based on the many suggestions from visitors. The development team will also bring the museum onto smartphones and tablets in the form of a mobile app, which will probably become the very first mobile virtual museum available in the minerals community.
Reference:
[1] IMA Database of Mineral Properties http://rruff.info/ima/
[2] “The Smale Collection: Beauty in Natural Crystals” by Stephen Smale http://www.amazon.com/SmaleCollection-Beauty-Natural-Crystals/dp/0971537186/
[3] Scovil Photography http://scovilphotography.com/
[4] The Mineralogical Record http://www.mineralogicalrecord.com/
Mindat.org http://www.mindat.org/
CityU’s Virtual Museum of Chinese Minerals http://www6.cityu.edu.hk/chinese-minerals/
IT Security Awareness Series by JUCC
With the aim of enhancing the IT security awareness of the CityU community, Thales Transport and Security (Hong Kong) Ltd. was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security, which will be adopted and published here for your reference.
Cloud Computing – Security Practices for General User
Microsoft locks paid OneDrive accounts – monitor behavior and content
22nd April 2014
Microsoft locks out paid users from their OneDrive account and denies access to their files for 24 hours. Users are complaining on the Microsoft forums about receiving messages that their account is temporarily blocked. Accounts are blocked for various reasons, including what Microsoft calls ‘suspicious activity’, ‘large volume of traffic’ or violations of the Microsoft services agreement or code of conduct. Users are presented with the following message when they try to log in to their account. [2]
The cloud is composed of a large pool of computers owned by a third party in remote location(s). The Internet provides a bridge between personal data and the cloud, enabling users to upload, download and modify data from any device and anywhere. People or companies can rent data storage or processing power from the cloud when needed, and then “return” it when no longer needed. This greatly reduces investments in large hard drives, or time spent deleting old data folders to make space for new data. Soon, there will be no need for frequent use of physical storage devices such as USB thumb drives to exchange data.
Most cloud service providers offer computer applications as alternatives to large amounts of software. This can reduce the budget for software licenses given that a cloud service provider offers the applications for a fixed fee, enabling everyone in an office to have access to many applications, all in one portal. Through the cloud, sharing and collaborating with others on a project is seamless and easy. For example, a PowerPoint presentation for class could be worked on simultaneously by several group members. Students can share and modify study guides from anywhere in the world. Plus, giants like Amazon, Google, and Microsoft are fighting for a piece of this pie (which technically means they are fighting over who owns most of the Internet), making the cloud accessible for anyone’s budget, since the price battle lowers prices. Most clouds even offer enough free space for personal data, including recurring backups, all free of charge.
Examples of Popular Cloud Service Providers
Dropbox offers 2GB of free storage space. Users can upload files via its software client or over the web interface. It has 256-bit AES encryption and two-step verification security features. It also provides a business plan for companies that need to share files over Dropbox.
Similar to Dropbox, Box offers up to 10GB of free space as its basic plan. Users can upload files via the software client or web interface. Business users can consider paying the monthly fee for unlimited storage depending on their business needs.
Google Drive not only provides storage to users but also online applications such as Google Docs. Users can edit their online files without pre-installing any software on their computers. 15GB of free basic storage is offered to newly registered users. For users with an Android phone, Google offers additional free storage space. It also provides a mobile phone data backup solution which can be accessed anywhere, anytime over the Internet.
While iOS devices such as the iPad, iPhone and iPod, and Macintosh computers, are getting more popular, iCloud from Apple offers a basic plan of 5GB of free storage space. Even users who do not have any Apple devices can register for an Apple ID to enjoy this free service. The main feature of Apple iCloud is keeping files and configuration settings consistent across all Apple devices. For example, once a user creates or updates a schedule in iCloud Calendar, all devices using the same Apple ID will be updated when connected to the Internet.
Similar to Apple, Microsoft offers 15GB of free storage space through OneDrive. Users can even get 3GB more by activating the camera roll backup from Microsoft devices. However, unlike Google Drive, if a user would like to edit files directly from OneDrive, the user would need to pay for Office 365 in advance. Microsoft also has special plans for users to get unlimited storage space [1].
Amazon Web Services (AWS) not only offers storage capacity but also the following cloud applications, which are useful for business applications:
• AWS Trusted Advisor
• Amazon Mobile Analytics
• Amazon Cognito
• Amazon DynamoDB and more
Newly registered users can enjoy 12 months of free-tier access to AWS cloud services.
Free storage space is definitely the commercial way of attracting new users to register for cloud services. Different cloud service providers offer similar plans by providing cloud storage and related services. Nowadays, smartphone registration is another good avenue for users to increase their cloud space without extra payment.
Benefits Using Cloud
The use of the cloud has become popular for many good reasons. Besides the frequent use case of sharing bulk data that exceeds the size limits imposed by e-mail systems, the following are other advantages of using cloud services:
• Elasticity of Resources: Where the workload and capacity of IT systems cannot be easily predicted, the cloud is a suitable platform because more computing power can be acquired or de-provisioned dynamically according to business and resource requirements.
• Data access from anywhere: Data is no longer restricted to a personal computer or confined within an internal network. It can be made available and shared with many others simultaneously, wherever there is Internet access.
• Cost Saving: The “pay-as-you-go” and “one-time-payment” models make the cloud accessible without purchasing powerful computer systems with expensive storage space. Likewise, users can pay at their discretion to use “more” virtual drives, memory and CPUs when needed and “return” them when they are no longer necessary.
• Quick Deployment: Once the cloud service is chosen and paid for, it only takes a couple of minutes to implement. By contrast, in-house servers can take weeks or months for proper installation (getting the OS and software licenses and patching, setting up firewalls, authentication programs and backup systems).
• Software Usage: The installation, licensing and updating of software become the responsibility of the cloud service provider. Moreover, the software can be accessed from any device with Internet access.
• Data Backup: Data backup is no longer a hassle to users. It becomes part of the chores performed by the cloud service provider. Users are however recommended to create one more backup copy on a local drive for contingency purposes.
• Security system: The security system of cloud service providers is probably better than what an average individual or a small to medium company can build. Nevertheless, users should take note of the potential security concerns and follow the recommended practices described later in this newsletter.
• Team Collaboration: Team work becomes more convenient as group papers, conferences and presentations can be worked on simultaneously by different teams of students or staff.
iCloud Data Breach: Hacking And Celebrity Photos
2nd September 2014
A group posted a proof of concept script on the popular code repository called Github that would allow for a user to attempt to breach iCloud and access a user account. This script would query iCloud services via the “Find My iPhone” API to guess username and password combinations. The problem here was that apparently Apple was not limiting the number of queries. This allowed for attackers to have numerous chances to guess password combinations without the fear of being locked out. [3]
Security Concerns & Recommended Practices
Before diving into “the next big thing”, users should be aware of the security concerns when using the cloud. The utmost concern is that when data is uploaded to the cloud, it is “shared” with a third party, which is the cloud service provider you have entrusted with your data. What if the service provider corrupts the data due to technological errors? What if the service provider goes out of business? What if the service provider releases access to data to law enforcement for national security reasons? What if hackers break into the service provider’s storage area? All these concerns are beyond the user’s control. The counterargument to this disadvantage is that cloud service providers live and die by their reputation; thus, they have state-of-the-art security systems that small companies or households would probably never be able to afford.
The following are other security concerns and recommended practices when using the cloud:
• Possible Downtime: Without Internet access, it is impossible to access cloud services and data. In addition, when cloud service providers schedule maintenance, or unfortunately suffer from server outages or attacks that cause service interruption, users will not be able to access the cloud services. The global service outage of Microsoft Azure on 19th August 2014 is a good example [4]. Data backup to local drives is still an important practice for users utilizing cloud services.
• No Sensitive Data: If you, your classmates and/or co-workers use online e-mail, online photo albums (Flickr) or music services (Pandora and Spotify), you are already using the cloud. For really personal or sensitive data, think twice before uploading to the cloud. There was already a notorious data breach incident involving celebrity nude photos on iCloud. From a risk management perspective, you should ask yourself what kind of data you cannot afford to have compromised in the worst scenario. Prudent decisions should then be made not to store such data in the cloud. If there is a need to use the cloud to store personal and sensitive data, add your own layer of encryption to the data before uploading it to the cloud, and ensure that you own your own encryption key.
• Prone to Attack: Having centers full of private or sensitive data is appealing to hackers; thus, hacking attacks could be fairly common. Poor design and implementation of security by the cloud service providers can easily result in data breach incidents. Check carefully what security features are implemented by the cloud service providers. Examine what data encryption is used on the cloud platform, how data is protected during uploading and downloading, and the authentication channel. Choose cloud service providers with a reputable name and no precedent of security incidents.
• Software Features: For universities’ usage, administrators should make sure that cloud members can be easily added and deleted depending on the academic year. Also, check carefully that the package of cloud applications has the intended features before paying for usage. Sometimes cloud applications may miss some features which would otherwise be available when buying the software separately.
Cloud Common Usage: People usually upload data not only to one specific cloud platform but also to others. For example, the most frequently used files kept in Dropbox can be backed up to Google Drive. Also, the data and configurations of smartphone devices can be backed up to the cloud, such as iPhone to iCloud.
Tips for Students and Staff
In a corporate environment, users are normally governed by a corporate IT security policy and the computing devices are typically standardized with hardened security configurations. But in universities, students and staff are allowed to use their own computing devices, and security governance is more relaxed compared to the corporate environment. A lot of the attacks these days target end users. Once a user’s computer is compromised, the data stored in the cloud can subsequently be retrieved by the hacker.
University students and staff are therefore advised to develop the following good computing habits when using the cloud:
• Exercise safe browsing habits: if a web site looks shady, it usually is shady. Don’t click further on links or downloads;
• Use devices that you trust to connect to the cloud, i.e. minimize the use of public computers which do not fulfil the security standard;
• Enable and use two-factor authentication if available from cloud service providers;
• Choose different passwords and credentials for University IT systems and public cloud services;
• Change passwords regularly;
• Log off sessions when finished;
• Don’t open or click on links in strange or unsolicited e-mail;
• Install anti-malware software on computing devices.
The Hong Kong Government has created a web site to educate the public about cloud usage. Useful tips and checklists regarding cloud usage can be found at http://www.infocloud.gov.hk/.
The Importance of Safe Passwords [6]
Regardless of whether data is stored in house or in the cloud, it is important that passwords for different sites are kept different and securely protected. This way, if anything is ever compromised, hackers will not have access to other accounts using the same password. Likewise, it is a good practice to change cloud access passwords regularly.
References
[1] “OneDrive now with unlimited storage for Office 365 subscribers.” 27 October 2014. Web. 11 November 2014
[2] “MYCE News” 22 April 2014. Web. 29 Sept 2014
[3] “Forbes” 2 September 2014. Web. 29 Sept 2014
[4] “Microsoft Cloud Service Azure Experienced Global Outage” 19 August 2014. Web. 11 November 2014
[5] “Government Technology – Data Breaches in the Cloud: Who’s Responsible?” 26 August 2014. Web. 29 Sept 2014
[6] “Your Dropbox Account May Have Been Hacked (UPDATE: Dropbox Says No)” 14 October 2014. Web. 16 Oct 2014
Copyright Statement
All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below:
copyright@jucc.edu.hk
Joint Universities Computer Centre Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong
STATISTICS AT A GLANCE
WiFi Usage Statistics
WiFi Device Type Summary
Unknown 28.3%
Android 27.5%
iPhone 22.8%
Other 15.4%
OS X 5.9%
WiFi Clients
WiFi Bandwidth Usage
GLOSSARY CORNER
IT Security – What is Team Ghostshell? Andy Chun
TEAM GHOSTSHELL is a well-known hacker group responsible for a string of high-profile hacks over the past years. In August 2012, its Project Hellfire exposed over 1.6 million accounts from over 100 websites around the world, including data from the CIA, the Pentagon, NASA, Interpol, banks and Wall Street. In October 2012, Team GhostShell’s Project WestWind leaked over 120,000 records from 100 major universities around the world. In November 2012, Team GhostShell declared war on Russia with its Project Blackstar, leaking over 2.5 million accounts belonging to the government, education, law enforcement, telecom, research institutes, medical facilities, and large corporations. In January 2013, its Project SunRise hacked numerous African universities and businesses, releasing over 700,000 accounts/records. Exposed data sometimes contain names, email addresses, passwords, phone numbers, dates of birth, citizenship, ethnicity, marital status, gender, and database schema information.
After being dormant for three years, it emerged again in June 2015, claiming that they have access to billions of accounts and trillions of record sets. So far, they have breached and leaked over 13,000 people’s details found in over 300 websites. Among the sites hacked are numerous universities from around the world, including several from Hong Kong. All exposed data were made public and posted online. Data leaked from Hong Kong universities were said to include names, emails, phone numbers, etc. but no financial information.
Experts believe the current 2015 hack used tactics similar to the 2012 attacks, i.e. compromising databases through SQL injection attacks and poorly configured PHP scripts. SQL injection is a technique whereby malicious code is inserted into a database so that a command can be executed, usually enabling attackers to access and export data to hackers’ own database servers.
To protect yourself, always use strong passwords and never use the same password on different websites. Use two-factor authentication whenever available. Systems should always be patched and up-to-date. If getting input from users, always filter input to avoid SQL injection attacks, and sanitize outputs to avoid cross-site scripting (XSS).
The data exposed by GhostShell was accompanied by a manifesto of sorts, titled “Dark Hacktivism,” which explained the reasons for their attacks and campaigns, such as raising awareness of the poor quality of security at major organizations’ websites, high tuition fees at universities, political agendas, tough teaching regulations and job uncertainty for graduates.
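The advice above on handling user input and sanitizing output, as an added example that is not part of the newsletter. It pairs an allow-list input check with parameterized queries (which bind input as data rather than relying on filtering alone) and HTML-escapes values on output; the table, the student names and addresses, and all function names are constructed for illustration.

```python
import html
import re
import sqlite3

# Allow-list for a person's name: letters, spaces, dots, hyphens, apostrophes.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")


def make_db():
    """Build an in-memory database with constructed sample records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO students (name, email) VALUES (?, ?)",
        [
            ("Chan Tai Man", "tmchan@example.test"),
            ("Wong Siu Ming", "smwong@example.test"),
            # A record that reached the table by some other path and holds markup.
            ("<script>alert(1)</script>", "x@example.test"),
        ],
    )
    return db


def find_student_vulnerable(db, name):
    """BAD: the input becomes part of the SQL text, so a quote changes the query."""
    query = "SELECT name, email FROM students WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_student_safe(db, name):
    """GOOD: the input is bound as a parameter and is only ever treated as data."""
    return db.execute(
        "SELECT name, email FROM students WHERE name = ?", (name,)
    ).fetchall()


def render_rows(rows):
    """Escape every value before it is placed into HTML (output sanitizing)."""
    return "".join(
        "<li>%s (%s)</li>" % (html.escape(name), html.escape(email))
        for name, email in rows
    )


def handle_lookup(db, raw_name):
    """Validate the input, query with bound parameters, escape the output."""
    if not NAME_RE.fullmatch(raw_name):
        raise ValueError("invalid name")
    return render_rows(find_student_safe(db, raw_name))


def list_all_html(db):
    """Render every record; stored markup must come out inert."""
    return render_rows(db.execute("SELECT name, email FROM students").fetchall())
```

The allow-list has to accept apostrophes for names such as O'Brien, which is why filtering alone is not enough and the bound parameter does the real work.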
Editorial Box
OCIO Newsletter Advisory Board
Dr. Andy Chun (OCIO)
Ms. Annie Ip (OCIO)
Mr. John Hui (ESU)
Mr. Raymond Poon (CSC)
Mr. Peter Mok (CSC)
Ms. Maria Chin (CSC)
Publishing Team
Ms. Noel Laam (CSC)
Ms. Annie Yu (CSC)
Ms. Joyce Lam (CSC)
Mr. Ng Kar Leong (CSC)
Ms. Kitty Wong (ESU)
Ms. Doris Au (OCIO)
For Enquiry
Phone 3442 6284
Fax 3442 0366
Email csc@cityu.edu.hk
OCIO Newsletter Online http://issuu.com/cityuhkocio