OCIO Newsletter Issue 21
October 2015 - The twenty-first issue of the OCIO Newsletter of the City University of Hong Kong.
Issue 21 • OCT 2015
SPOTLIGHT
e-Learning Championship Series (6)
Angel Lu, Crusher Wong
Since the beginning of the modern technology era in the mid-1990s, information technology has not only revolutionized the way we live, but also had a tremendous impact on teaching and learning. In this issue, we showcase three innovative and successful applications of e-learning adopted by Dr. Brian W King from the Department of English, Dr. Charlotte Frost from the School of Creative Media and Dr. Alain Guilloux from the Department of Asian and International Studies.
Collaborative writings on Wikipedia
Writing is often regarded as the loneliest art on earth because writers usually write independently while readers read privately. After years of solitude, the Internet has broken down national boundaries and allows people to meet and share ideas across the globe in a blink. Wikipedia has been one of the symbols of such collaborative work among netizens worldwide. Having gained insights from a previous collaborative writing course that used online platforms/webapps allowing synchronous editing, e.g. Google Documents, Dr. Brian King saw the possibility of turning Wikipedia into a great e-learning tool for second-language writers.
Scholars may define collaborative writing differently, such as writing at the same time or writing the same document. However the definitions vary, all roads lead to Rome: the writing is contributed by different authors who express genuine emotions and ideas. As a result, teaching a collaborative writing course is a difficult yet exciting experience. “Literally, I saw flames in students’ eyes since their writings are going public! Experiential learning rather than didactic approach is important as students are given the chance to taste writing authentic articles,” Dr. King remarked.
INDEX
SPOTLIGHT
e-Learning Championship Series (6)
FEATURE
Drones and Information Security
Windows 10 at First Glimpse
MOOCs Debut in CityU
CityU’s Virtual Museum of Chinese Minerals
IT SECURITY AWARENESS SERIES BY JUCC
Cloud Computing – Security Practices for General User
ITSM SERIES
ITSM Awareness Series (Part 3: Change Management)
STATISTICS AT A GLANCE
WiFi Usage Statistics
GLOSSARY CORNER
IT Security – What is Team Ghostshell?
Students had to come up with their own Wikipedia subjects before composing. Meanwhile, students also learned to collaborate under a set of editing rules of Wikipedia. The challenge was yet to come when a brand new article was published. Students were often criticized by the Hong Kong Wiki team mainly for their overwhelming references and the credibility of the referencing sources. The online collaborative writing practice gave students the opportunity to be in charge of and defend the survival of their articles. It was a successful transformative progress in raising students’ writing awareness as students had to take thorough considerations on expressions and professional terms to avoid challenges from the public.
Communication is the basis of successful collaborative writing. Therefore, the forms and ways of communication among students during their collaboration attracted the attention of Dr. King. With the aid of the OCIO, Dr. King recorded the entire communication process by employing Echo360. The captured process, both online and offline, will act as valuable references for Dr. King to explore further utilization of the platform to provide genuine writing experience to students, as well as a successful case study for future exploration of a new educational paradigm.
From Community Supported to Individual Academic Writing
Dr. Charlotte Frost is also a devoted fan of collaborative writing. With sharing in mind and funding from the Teaching Startup Grant of CityU, Dr. Frost initiated Arts Future Classroom, as well as its sister project Arts Future Book, which explores experimental new academic publishing models, to investigate creative ways of teaching and critical thinking. The Arts Future Classroom encourages course instructors to refine and share a set of batteries-included e-learning tools, i.e. relevant readings, slides, demonstrations and guides to teaching software. The idea germinated from a Wikipedia project by Dr. Frost. The project, featured by the South China Morning Post in 2014, invited a group of volunteers to compile entries about Hong Kong female artists. Upon the completion of the project, Dr. Frost realised that the tools used in the project could be extracted and reused as a skeleton for future classes. Since the class-kits were usually based on open-source platforms and resources, every teacher could conveniently adopt and modify the pre-defined tools to provide similar courses without reinventing the wheel. The Educational Toolkits Crowdsourcing Competition launched by Arts Future Classroom unveiled the winning toolkits in July 2015. Interested parties are encouraged to share their comments and insights at http://artsfuture.org, the website of Arts Future Classroom.
Starting from a personal project, Dr. Frost has successfully created an astonishingly well-loved platform for writing whizzes. PhD2Published is an energetic blog where thousands of newbies and old birds are learning and sharing together. Green hands bootstrap their writing by adopting suggestions from the platform, while veterans generously host online chat groups to provide precious in-depth academic writing strategies on PhD2Published. The best part of the platform is that writers can expand their social circles to share ideas not only with their colleagues, but also with everyone who has Internet access from all corners of the world. Consequently, PhD2Published has been an instant success with over 12,000 current followers on Twitter.
In 2011, Academic Writing Month (AcWriMo for short and #acwrimo on Twitter), inspired by National Novel Writing Month, received a great response from the community of PhD2Published. AcWriMo is a month-long academic write-a-thon in which writers set themselves a reasonable goal and other participants in the community support the goal with advice and related information. The writing month allows academic writers to nurture their academic writing skills at all stages of their careers. Thousands of tweets and writing tips from writers of 15 different countries shared ideas on academic writing, which generated an incredible amount of web traffic with over 300,000 budding novelists.
A Simulation Come to Live
Disaster has always been an evergreen topic in novels. The strike of disasters, however, is even more dramatic and sudden in reality. During any crisis, decision-makers suffer from tremendous pressure owing to the influx of chaotic information cast under thick mists of uncertainty. As a result, Dr. Guilloux’s goal is to create a real-time exercise for students in his Disaster Management course. Equipped with 15 years of crisis management experience in Médecins Sans Frontières (Doctors Without Borders), Dr. Guilloux’s course included a computer simulation of a disaster scenario and students were required to draw up critical decisions within time constraints. Every five minutes, cues and props were sent to the students’ simulator that calibrated into class time so as to recreate a situation designed to approximate the reality that one would encounter during a disaster scenario. Feeling extremely challenged, students had to break down, digest and confirm all the incoming information quickly and make the best decisions they could on the basis of the information and research they possessed during the weeks leading up to the computer simulation. To make matters more challenging, the information received might require additional analysis. Besides, students working in small groups had to communicate effectively within and across groups to make the best decisions.
Students were then assessed on their ability to meet multiple objectives (e.g. focus on their missions, anticipate, prioritize, communicate, and protect vulnerable groups and critical infrastructure) under real time constraints and imperfect information. No wonder many students felt overwhelmed or stressed but this was also why most students found the exercise realistic and enjoyable in a challenging way.
To make the simulation genuine, however, Dr. Guilloux spent a lot of time outside the classroom designing the exercise and making it a valuable experience for students. With the assistance of the OCIO, Dr. Guilloux finally identified Kato (http://kato.im), an instant messaging platform, which met the learning and teaching needs of the course. Under Kato, dedicated relevant-identity accounts could be created and students were assigned to different authorities and roles prior to the striking of the simulated disaster.
In fact, communication and interaction among stakeholders take an indispensable role when dealing with catastrophes. Even though a few students grumbled that the online platform was difficult to operate as messages could not be sent in bulk to their assigned department, the short reply from Dr. Guilloux smashed all the complaints. REALITY. “The imperfections mirror the reality of communication processes in real time. Literally, there is a lot of bureaucracies for an information to pass through. I was expecting students would take a break more often from their computers and actually communicate with the responsible parties face-to-face,” explained Dr. Guilloux.
With wide support and positive feedback reflecting students’ strong willingness and total engagement to be part of the simulation, Dr. Guilloux is confident to run the course again in the coming academic year. To fully utilize the benefits resulted from this innovative simulation, Dr. Guilloux is now exploring the possibility of bringing research and teaching together. The logs of online activities, discussions and decisions made by the students are a valuable reference to develop future simulation exercises. Students can now be more exposed in authentic class activities through the adoption of educational technology.
With the aid of technology, e-simulation exercises transformed literal case studies into a gratifying environment for students. Dr. Guilloux was thankful for a nurturing environment, be it the exchange of ideas with colleagues on how best to structure simulations or use technology. He highly valued seminars such as the one the Department of Asian and International Studies organized in April 2015 on seeking excellence and enhancing teaching through technology, the precious help of student volunteers, and of course, the close support from Dr. Crusher Wong and his team at the OCIO provided over the semester.
Empowerment Learning by Technology
From all these successful cases, it is not difficult to see that communication and sharing are the true recipe for giving educators and learners an effective education. As people are propelled by common interests to excel in education, great ideas are generated through the wise choice of technology.
1 Andrei Soroker, CEO of Kato and Sameroom, had announced that 31 August 2015 would be Kato’s last day of service via email to users.
FEATURE
Drones and Information Security
Office of the Chief Information Officer
Drones, officially known as Unmanned Aerial Systems/Vehicles (UAS/UAV), have become a popular recreational pursuit for hobbyists in recent years. They are easy to control with the help of improved technologies and features such as self-stabilizing, automatic take-off and landing, and auto-homing. Miniaturization of components like motors, gimbals, gyroscopes and GPS allows drones to fly farther and longer. Mass production of drones also results in a price affordable to many. Sounds attractive, right? But you might not be aware of the dark side of drones. So, let’s visit some of the issues here from an IT security point of view.
Unencrypted radio broadcasting
Drones are controlled by remote controllers through radio signals. Because the processing power of drones and remote controllers is limited, these radio signals are usually unencrypted. This means they are broadcast in the clear, and eavesdroppers can capture all videos sent from the drone to your remote controller over the air. This has happened to military drones as well [1][2].
Hijacking
What’s even worse, your drone can be hijacked. Just as it is easy to intercept the communication between your drone and remote controller, it is not difficult to create a signal on the same frequency and channel, jam the channel and make your drone uncontrollable. It is also possible to customize a remote controller so that it has a stronger signal output and takes control of your drone. Someone has also claimed to have installed a jamming device on a drone, flown it and taken down other nearby drones [3][4].
GPS spoofing
Drones also use GPS to locate themselves and fly. Many of them also use waypoints for route planning: the owner sets waypoints on a map and transfers the route to the drone, which then flies by itself. Many drones also come with an auto-home function, which records the starting point of the flight and helps the drone fly back to it if it loses communication with the remote controller. However, civilian GPS signals are unencrypted and can be spoofed. In other words, your drone can be fooled and driven away from its original route [5][6].
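A receiver-side plausibility check for the GPS spoofing risk described above, as an added example that is not part of the original newsletter. It assumes the flight controller also has an inertial velocity estimate (imu_velocity, a hypothetical input); the coordinates, tracks and thresholds are constructed. It shows that a speed check alone misses a gradual drag-off, while comparing GPS against dead reckoning from the recorded home point catches it.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    t: float    # seconds since take-off
    lat: float  # degrees
    lon: float  # degrees


def to_local(home, fix):
    """North/east offset in metres from the home point (flat-earth approximation)."""
    north = math.radians(fix.lat - home.lat) * EARTH_RADIUS_M
    east = (math.radians(fix.lon - home.lon) * EARTH_RADIUS_M
            * math.cos(math.radians(home.lat)))
    return north, east


def from_local(home, t, north, east):
    """Inverse of to_local; used only to build the constructed sample tracks."""
    lat = home.lat + math.degrees(north / EARTH_RADIUS_M)
    lon = home.lon + math.degrees(
        east / (EARTH_RADIUS_M * math.cos(math.radians(home.lat))))
    return Fix(t, lat, lon)


def check_fixes(fixes, imu_velocity, max_speed_mps=20.0, max_divergence_m=30.0):
    """Return a list of (time, reason) alerts for a sequence of GPS fixes.

    fixes[0] is the home point recorded at take-off and is treated as trusted.
    imu_velocity[i] is the (north, east) velocity in m/s that the inertial
    sensors report for the interval between fixes[i] and fixes[i + 1]
    (assumption: the flight controller exposes such an estimate).
    The thresholds are illustrative; real inertial estimates drift, so the
    divergence limit has to be tuned to the airframe and flight time.
    """
    home = fixes[0]
    alerts = []
    dr_n = dr_e = 0.0      # dead-reckoned position, metres from home
    prev_n = prev_e = 0.0  # previous GPS position, metres from home
    for i in range(1, len(fixes)):
        dt = fixes[i].t - fixes[i - 1].t
        if dt <= 0:
            alerts.append((fixes[i].t, "timestamp"))
            continue
        n, e = to_local(home, fixes[i])
        # Check 1: the airframe cannot move faster than max_speed_mps.
        if math.hypot(n - prev_n, e - prev_e) / dt > max_speed_mps:
            alerts.append((fixes[i].t, "speed"))
        # Check 2: GPS must stay close to where the inertial data says we are.
        vn, ve = imu_velocity[i - 1]
        dr_n += vn * dt
        dr_e += ve * dt
        if math.hypot(n - dr_n, e - dr_e) > max_divergence_m:
            alerts.append((fixes[i].t, "divergence"))
        prev_n, prev_e = n, e
    return alerts


# Constructed sample data: 1 Hz fixes, drone actually flies north at 5 m/s.
HOME = Fix(0.0, 22.3, 114.2)
IMU = [(5.0, 0.0)] * 10


def make_track(east_offset):
    """Build 11 fixes; east_offset(t) is the error added to the reported position."""
    return [from_local(HOME, float(t), 5.0 * t, east_offset(t)) for t in range(11)]


HONEST = make_track(lambda t: 0.0)
# Gradual drag-off: reported position slides east by 8 m every second from t=4.
DRAG_OFF = make_track(lambda t: 8.0 * (t - 3) if t >= 4 else 0.0)
# Abrupt jump: reported position is 500 m east from t=5 onwards.
JUMP = make_track(lambda t: 500.0 if t >= 5 else 0.0)

if __name__ == "__main__":
    for name, track in (("honest", HONEST), ("drag-off", DRAG_OFF), ("jump", JUMP)):
        print(name, check_fixes(track, IMU))
```

An alert is a reason to stop trusting GPS for waypoint and auto-home navigation (for example, hover or land under manual control) rather than proof of an attack.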
Malware
Malware is also a concern. After all, a drone is equipped with a microcomputer, which is designed to receive control signals, read data from sensors, and calculate and adjust the motors. As a rule of thumb, all computer systems have vulnerabilities which can be hacked. It has been claimed that malware was developed for attacking drones. It has also been reported that there were plans to use drones as a platform to spread malware [7][8].
What to do?
All the above is just the tip of the iceberg, meant to draw your attention to the fact that drones can leak private information, be taken down or even be hijacked. So what shall we do? Our recommendation is to go back to the basic risk management strategy:
• Avoidance: eliminate the risk by refraining from buying and playing with drones.
• Transfer: buy insurance which covers the loss for yourself and third parties, so that you don’t have to bear the full burden of a total loss. Such insurance plans are not yet available on the market; however, they may come anytime, so keep an eye out for them.
• Mitigate: reduce the likelihood of occurrence, such as by playing in a safe zone, keeping the firmware of your drone up-to-date, monitoring the trend of risks and regulations related to drones, etc.
• Acceptance: understand the risk and accept what might happen.
You can also derive a mix of the above to manage the risk. Whatever risk management approach you may adopt, please be reminded that you will also have to bear the consequences.
Without doubt, safety is of utmost importance, and please bear in mind that a drone is not a toy. It can also be a life hazard when it falls from just a few metres and hits someone, or when its propellers hit somebody. Therefore, before flying any drone, please be familiar with all the safety instructions and receive proper training.
Finally, please note that if you plan to use a drone, you must fully comply with all applicable local laws and regulations, and you must also obtain proper approval from the landlord or approving authorities in advance.
Further readings
[1] Wired (2012), Most U.S. Drones Openly Broadcast Secret Video Feeds, retrieved from http://www.wired.com/2012/10/hack-proof-drone/
[2] NBC Chicago (2015), How a Drone Could Spoof Wi-Fi, Steal Your Data, retrieved from http://www.nbcchicago.com/investigations/drone-public-wi-fi-302649331.html
[3] Dutch News Design (2015), Alert: your drone data is intercepted by hackers and security, retrieved from http://www.dutchnewsdesign.com/dronejournalism/drone-data-intercepted-by-hackers-security-data-thieves-governements/
[4] Computerworld (2013), Hacker-built drone can hurt, hijack other drones, retrieved from http://www.computerworld.com/article/2486491/mobile-wireless/hacker-built-drone-can-hunt--hijack-other-drones.html
[5] Forbes (2015), Watch GPS Attacks That Can Kill DJI Drones Or Bypass White House Ban, retrieved from http://www.forbes.com/sites/thomasbrewster/2015/08/08/qihoo-hacks-drone-gps/
[6] The University of Texas at Austin (2015), Todd Humphreys’ Research Team Demonstrates First Successful GPS Spoofing of UAV, retrieved from http://www.ae.utexas.edu/news/features/todd-humphreys-research-team-demonstrates-first-successful-gps-spoofing-of-uav
[7] The Hacker News (2015), MalDrone – First Ever Backdoor Malware for Drones, retrieved from http://thehackernews.com/2015/01/MalDrone-backdoor-drone-malware.html
[8] PC Magazine (2015), Forget Phishing: Malware Now Coming for Your Via Drones, retrieved from http://asia.pcmag.com/security/4587/news/forget-phishing-malware-now-coming-for-your-via-dr
ITSM Series
ITSM Awareness Series (Part 3: Change Management)
Strategic IT Development team, Office of the Chief Information Officer
The ITSM Awareness Series of articles aims to raise awareness among CityU IT provisioning units (both Central IT and departments) and interested parties of the current best practice in IT service management (ITSM).
An overview of the CMDB (Configuration Management Database) was provided in Part 2 of this series. The CMDB supports a number of processes, including the Change Management process, which is described below. Risk assessments on requested changes must consider CIs’ relations and dependencies that might affect related IT services and customers.
Change Management is one of the control processes of the IT Service Management (ITSM) framework. It works closely with Configuration Management and Release and Deployment Management, and also with the two resolution processes: Incident and Service Request Management and Problem Management. Change Management mainly manages service transition changes, including the rollout of a new service, changes to an existing service, or the removal of a service.
The following sections summarize the Change Management model established at CityU. Participants of the process should always refer to the relevant policies, procedures and documents for operation, as they will be revised and improved from time to time.
Change Management Model
Effective Change Management is managed and operated pursuant to the established University policy, procedures and process flows in the ITSM tool. It is reviewed regularly by monitoring performance indexes to see if there is room for improvement.
In general, each proposed change to an IT service shall have a change record (known as a “Request for Change” (RfC)) raised for assessment and approval, with a documented detailed change plan that includes but is not limited to the following:
• Description
• Reason for change (service
requirement, business benefits)
• Requestor and Responsible staff
• Classification (impact, urgency,
priority)
• Assessment (service/user impact)
• CI Involved and specify any change
on CI information
• Any service downtime or service
degraded
• Schedule of change
• Plan to reverse or remedy a change with an unexpected result
All RfCs shall go through a life cycle as shown below:
Raise & Record >> Assess & Classify >> Approve & Plan >> Develop >> Execute >> Post Review >> Close
Different roles within Change Management have their own responsibilities. In short, a Change Requestor is responsible for raising the RfC; a Change Manager is responsible for performing assessment, approval and post implementation review; and the Change implementation members (e.g. Change Developer / Tester / Deployer) are responsible for change development, test and deployment.
For change requests classified under certain risk criteria (e.g. impact class major or critical), the request must be reviewed and approved by the Change Advisory Board (CAB), which usually consists of business and IT authorities. For an emergency change, an RfC can be raised after the event, but approval (which can be given verbally or by email/text) must be obtained from the explicit manager and the Emergency CAB (ECAB).
Below is a quick card presenting the three change types (standard, normal and emergency) classified by impact and urgency, and the responsible approval parties.
Figure 1. Quick card of change approval requirements
[Figure: matrix of Impact (Minimal, Minor, Major, Critical) against Urgency (Low, Medium, High, Emergent) showing the change types (Standard Change, Normal Change, Emergency Change) and the approving parties (Change Manager; CAB + Change Manager; ECAB + Change Manager).]
Figure 2. Change Request Form
Figure 3. Records relation
Change Management tool
The ITSM Change Management application used by CityU facilitates basic RfC recording and supports the following highlighted features to assist the process management and decision making:
1. Manage approval flows of different
change types
2. Present change “Should Close” date
according to service agreed level
defined based on priority
3. Detect CI conflict and prompt alert
if the same CI is involved in more
than one change in any overlapped
period
4. Analyse the direct and indirect impacts of the involved CI on other CI(s) and service(s) according to the CI relations and impact levels defined
5. Associate with related Incident /
Problem/ Release records
6. Manage activities by using “Actions”
or “Actions Plan” (e.g. tasks of CI
updates and approval)
7. Present Changes schedule in
calendar view.
The block diagram (fig.3) shows
what other records should be
linked to a Change record in the
following circumstances as an
example:
1. A Release manages a Change
release and deployment
2. An Incident requires a Change to
resolve service issues or resume
service
3. A Problem requires a Change to deploy a fix to services to prevent incidents from recurring
4. A CI is involved or affected in a
Change
Proactive Change vs Reactive Change
There are many reasons for changes. For example, someone may change his own computer because of various needs such as new software installation, hardware upgrade, operating system patching, etc. In IT service management, changes can generally be grouped into Proactive Change and Reactive Change. The former is a change made before a circumstance happens, while the latter is a change made after a circumstance has happened. For instance, operating system patching that is scheduled because of a known security vulnerability which has not yet caused any impact is treated as a proactive action. If the patching is scheduled after an impact has already occurred, it is a reactive action.
Change Management is a relatively
complex process as it operates
across the four stages of Information
Technology Service Management
System (ITSMS) from (1) service
plan, (2) design and development,
(3) transition to (4) operation. Understanding the concepts of proactive and reactive change is very important for operating change management wisely, and even more so for the entire IT service management system.
“More proactive less reactive” is
not just a theory but an achievable
result. Proactive action is always
planned which means resources from
limited pool can be allocated ahead
with higher guarantee. In contrast,
reactive action is mostly unplanned
in which resources are allocated
on an ad hoc basis and a draw of
resources might cause chain effect to
others. By using ITSM processes to
explain, more effort paid on Change
or Release Management causes less
effort drawn to Incident or Problem
Management, as every piece of
change to IT service must be tested
and accepted before it is deployed
into production. The higher the
managed level during service plan,
design and development stages, the
lower the needs of rework or remedy
in transition and operation stages
will be.
FEATURE
Windows 10 at First Glimpse
Tony Chan
Windows 10, the latest version of the Windows Operating System, was launched in July 2015. It takes a huge leap forward and makes a deep impression on users. It introduces plenty of new features and improves a number of existing ones. Besides, the best news is the free upgrade to Windows 10 for genuine Windows 7 and Windows 8/8.1 devices. Users can take this free upgrade offer to get the full version of Windows 10 before 29 July 2016. Once the device is upgraded, Windows 10 is free on that device.
List of Windows 10 Editions from free upgrade:
From Edition              To Edition
Windows 7 Starter         Windows 10 Home
Windows 7 Home Basic      Windows 10 Home
Windows 7 Home Premium    Windows 10 Home
Windows 7 Professional    Windows 10 Pro
Windows 7 Ultimate        Windows 10 Pro
Windows 8.1               Windows 10 Home
Windows 8.1 Pro           Windows 10 Pro
Introduction of Windows 10’s Features
Plenty of new features are introduced in Windows 10, and below are just some significant ones:
1. New Start Menu
The Windows 10 Start Menu is a major improvement over Windows 8. It combines the best of the Start Menu of both Windows 7 and Windows 8. A Windows 7-like Start Menu shows a scrolling view of all your applications sorted alphabetically. An extra pane is on the right-hand side of the scrolling menu, so users can pin Windows 8-style live tiles there.
Windows 10 also provides quick ways to switch
between desktop and tablet modes so as to cater
for the devices with/without touchscreen. A
Tablet mode button for toggling the setting can
be found in the Action Centre. Users can swipe
left from the right edge of your touch enabled PC
to open the Action Centre.
2. New Web Browser - Microsoft Edge
Windows 10 includes a new web browser, Microsoft Edge, which replaces Internet Explorer as the default browser. It has new features like Web Note, Reading View, Cortana, etc.
• Web Note - lets you annotate, highlight, and
add notes directly on webpages.
• Reading View - lets you enjoy and print
online articles in an easy-to-read layout that
is optimized for your screen size. While in
reading view, you can also save webpages or
PDF files to your reading list for later viewing.
• Cortana - lets you highlight words for more
information and gives you one-click access
to things like restaurant reservations without
leaving the webpage.
3. New Security Innovations
Windows 10 has more built-in security protections to help safeguard your device against illegal access, viruses, phishing, and malware.
• Windows Hello - lets you sign in to your
Windows 10 devices with biometric
authentication - using your face, iris, or
fingerprint to unlock your devices.
• Device Guard - will lock a device down so that
it can only run trusted applications from the
Windows Store, selected software vendors,
and signed line-of-business applications. It
only works with devices running Windows 10
Enterprise.
• Microsoft Passport – securely authenticates
you to applications, websites and networks on
your behalf without sending up a password.
Thus, there is no shared password stored
on their servers for a hacker to potentially
compromise. Strong two-factor authentication
that consists of an enrolled device and a
Windows Hello (biometric) or PIN will be asked
to verify that you have possession of your
device before it authenticates on your behalf.
Schedule of Windows 10 Support at CityU
We have been evaluating Windows 10 since its technical preview version. Currently, we
are experimenting with the final release, and
participating in seminars and training courses to
prepare for the support. The new OS also needs
to be tested for its compatibility with our existing
environments. Before formally supported and
widely deployed on campus, support units have to
ensure that all the in-house developed applications,
e-learning and administrative systems can run
smoothly under Windows 10. As general practice,
Windows 10 will be made available on computers
managed by the Central IT for teaching and learning
first.
FEATURE
MOOCs Debut in CityU
Angel Lu, Crusher Wong
Besides “Cloud”, Massive Online Open Course (MOOC) has been a recent buzzword in the fields of technology and higher education. The New York Times even declared 2012 “The Year of the MOOC”. Numerous institutions have invested time and effort to develop their own MOOCs, and CityU is no exception. In this article, we cover the latest trend of MOOCs and CityU’s preparations to jump on the bandwagon.
1 Minute MOOCs
Massive Open Online Course (MOOC) is a recent development in distance education that promotes unlimited participation and open access via the web. As in a typical lecture course, learners are required to attend lessons, complete readings and finish assignments, albeit all in a distant online approach. Compared to traditional settings, MOOCs remove physical constraints, i.e. distance or fixed schedules, so that teaching and learning can be carried out in a more flexible and interactive format. MOOCs are more like a collaborative learning platform emphasizing bi-directional exchange, rather than uni-directional communication, through the assessments and forums on the web. Boosted by the advancement of web technology and bandwidth, MOOCs have become the big thing in education and institutions worldwide are keen on putting up their MOOCs. Up to December 2014, there were thousands of MOOCs hosted by the major MOOC providers. In 2016, City University of Hong Kong (CityU) will be a newcomer to MOOCs, bringing its Discovery-enriched Curriculum (DEC) to the global level.
Illustration, entitled “MOOC, every letter is negotiable,” exploring the meaning of words “Massive Open Online Course” is adapted from flickr[1].
Figure A: Acronym for Massive Open Online Course
Table: Popular MOOCs Providers (Data updated up to August 2015)[2][3][4][5][6][7]
PDAs foster the development of GE MOOCs in CityU
In March 2015, CityU established Professionals Development Awards (PDAs), funded up to $1,000,000 per award, to support the University’s e-learning strategy and DEC. With an aim to expand the University’s regional and global access to the fruits of DEC initiatives, PDAs provide an “in-house sabbatical” for full-time faculty and teaching grade staff to develop signature CityU Gateway Education (GE) MOOCs, either brand-new or battle-proven ones. Under the PDA scheme, the awardees are not only provided with rich resources subject to their needs, but are also permitted to have some release time during summer or semester to proceed with their development. Having been reviewed by the PDA Selection Panel, three proposals were approved in May 2015 and approximately HK$2,800,000 has been awarded to facilitate these projects.
MOOCs in CityU
The debut of CityU’s first MOOC,
Innovation and Entrepreneurship
based on PIPE®, is expected
in January 2016, followed by
two others, namely Biomedical
Research in One Health and
Discovering Socially Engaged Art
respectively, in September 2016.
These courses will be available
free of charge for learners around
the world.
The first MOOC GE course –
Innovation and Entrepreneurship
based on PIPE® from the
Department of Systems
Engineering and Engineering
Management, is built upon
an existing GE2304 course,
Innovation and Entrepreneurship
for Young Professional, which has
been offered as credit-bearing
course for CityU students. The
original course has attracted
the interest of local newspapers
and universities in China and
Taiwan. 80 instructors from
50 universities attended the
workshops and the seminars
to investigate ways to enhance
student’s creativity by
discovering real-life problems,
generating creative new ideas
and finally planning for a new
business. This pioneering MOOC
is expected to attract more
attention from the public so as to
promote the core value and the
upcoming MOOCs of CityU.
The second, Biomedical
Research in One Health from
the Department of Biomedical
Sciences (BMS), another PDAs
granted project, intends to
aid students’ understanding
of the processes of design and
development of diagnostic and
therapeutic products through
discovery and innovation.
Owing to the rapid growth in
urbanization, deterioration
of physical environment and
aging population, there are
growing problems for biomedical
scientists to tackle. However,
all these areas of concern
currently lack proper approaches
and solutions, so creativity
can be the remedy. Through
combining the multi-disciplinary
knowledge of BMS and vast
exposure of MOOCs, Biomedical
Research in One Health will
allow participants to apply the
integration of knowledge with
subject-specific skills, as well
as cultivate possible future
solutions to address the growing
concerns in biomedical science.
The third PDAs funded project,
Discovering Socially Engaged
Art from the School of Creative
Media, will focus on fostering
students’ awareness of socially
engaged art to confront
increasingly complex local,
national and global level social
issues. Arts are expressions
of creativity and this awarded
project is no exception.
A MOOC is often formatted only
as a series of videoed lectures,
and this course will envision four
interconnected components,
including lecture videos,
documentaries of selected
socially engaged art projects, an
online case study database and
an online platform for students’
presentations. This ambitious
MOOC will, hopefully, be a signature
course for CityU students and beyond
to explore the further possibilities of
MOOCs in CityU.
Embrace MOOCs in CityU
Even though CityU is not an early
bird in MOOCs, by concentrating
on the core values of DEC and
distilling proven experiences from
other implementers, CityU will
undoubtedly develop its MOOCs with
its own distinctive characteristics. Let us
await and embrace CityU’s upcoming
MOOCs, and bring the
courses to a worldwide stage.
References:
[1] MOOC. In Flickr. Retrieved September 3, 2015 from https://www.flickr.com/photos/mathplourde/8620174342/sizes/l/in/photostream/
[2] List of 42 Providers offering MOOCs. In Class Central. Massive open online course. Retrieved September 3, 2015 from https://www.class-central.com/providers
[3] Coursera. Retrieved September 3, 2015 from http://en.wikipedia.org/wiki/Coursera
[4] Udacity. Retrieved September 3, 2015 from http://en.wikipedia.org/wiki/Udacity
[5] edX. Retrieved September 3, 2015 from http://en.wikipedia.org/wiki/EdX
[6] Khan Academy. Retrieved September 3, 2015 from http://en.wikipedia.org/wiki/Khan_Academy
[7] FutureLearn. Retrieved September 10, 2015 from https://www.futurelearn.com/about
FEATURE
CityU’s Virtual Museum of Chinese Minerals
Vicker Leung
When we talk about natural
minerals, it is very easy for us to
name a few common ones that
exist in our daily life, such as iron,
gold, and diamond. Of course,
there are far more than these in
this world. In the IMA Database
of Mineral Properties [1], there are
more than 5,000 species recorded,
showing how awesome
Mother Nature is.
The Smale Collection
Prof. Stephen Smale, University
Distinguished Professor in CityU,
is a great mathematician as well
as a private mineral collector.
Since the late 60s, he traveled
around the world with his wife
Clara, searching for great mineral
specimens to build up their
fabulous collection.
So far, Prof. Smale owns more than
1,000 world-class specimens, and
part of the collection can be seen
in the book “The Smale Collection:
Beauty in Natural Crystals” [2]
published in 2006.
The Virtual Museum
In 2014, Prof. Smale decided to
take a step further, working with
the Central IT to develop the
CityU Virtual Museum of Chinese
Minerals, bringing his finest
specimens onto the Internet.
“This virtual museum is based on
photographs of about 300 of the
best Chinese mineral specimens
of our collection,” Prof. Smale
described. The featured collection
in the virtual museum can be
classified into around 60 species,
which were collected from over 40
different mines across China.
Illustration by Amanda Mok
Prof. Stephen Smale’s collecting philosophy emphasizes the beauty of the specimen
Prof. Smale’s collection across China
Each specimen in the virtual
museum bears a high definition
photo together with a detailed
caption describing the species,
dimension, locality and most
importantly the story of how the
specimen became part of Prof.
Smale’s collection. There are many
mineral websites on the Internet, but
they seldom include photos in this
exceptionally high resolution, Prof.
Smale explained.
Digital Beauty
The core of the virtual museum
no doubt is the specimens, and
the high-resolution photos play
an important role. All the photos
on the virtual museum were taken
by a famous mineral specimen
photographer Jeff Scovil [3]. To
capture the true beauty of each
specimen, Scovil spent hours setting
up the stage to ensure that lights
and the angles were best calibrated.
Each photo on the virtual museum
goes beyond 12 megapixels,
allowing visitors to zoom in to
check out all the fine details. Prof.
Smale mentioned that the use of
Photoshop was minimized to prevent
any doctored photos, returning the
true color of the specimens.
Technologies behind the Scene
To allow visitors to browse quickly
through the large collection of 300
specimens, a Pinterest-like masonry
layout is used in the virtual museum.
Users can also make use of the real-
time filtering feature to check out
specimens of a particular mine or
species.
Cloud service Flickr is used as the
photo storage and Content Delivery
Network (CDN) to ensure mineral
lovers around the world can enjoy
the high definition photos with an
optimized speed.
Going Further
The virtual museum was officially
launched on 10 August 2015, and
since launch thousands of visitors
have already browsed Prof.
Smale’s collection. The museum is
also featured in the newsletter of the
award-winning mineral magazine,
The Mineralogical Record [4],
published in August 2015.
In the next few months, the virtual
museum will be further improved
based on the many suggestions
from visitors. The development
team will also bring the museum onto
smartphones and tablets
in the form of a mobile app, which will
probably become the very first mobile
virtual museum available in the minerals
community.
Reference:
[1] IMA Database of Mineral Properties http://rruff.info/ima/
[2] “The Smale Collection: Beauty in Natural Crystals” by Stephen Smale http://www.amazon.com/Smale-Collection-Beauty-Natural-Crystals/dp/0971537186/
[3] Scovil Photography http://scovilphotography.com/
[4] The Mineralogical Record http://www.mineralogicalrecord.com/
Mindat.org http://www.mindat.org/
CityU’s Virtual Museum of Chinese Minerals http://www6.cityu.edu.hk/chinese-minerals/
Some of Prof. Smale’s favorites in the virtual museum. (Left) 9cm tall Quartz from Huanggang Mines (Right) 13cm wide Fluorite from Yaogangxian Mine
The cloud is composed of an
extensive bulk of computers
owned by a third-party in remote
location(s). The Internet provides
a bridge between personal
data and the cloud, enabling
users to upload, download and
modify data from any device and
anywhere. People or companies
can rent data storage or
processing power from the cloud
when needed, and then “return”
it when no longer needed. This
greatly reduces investments in
large hard drives, or time spent
deleting old data folders to make
space for new data. Soon, there
will be no need for frequent use
of physical storage devices such
as USB thumb drives to exchange
data.
Most cloud service providers
offer computer applications as
alternatives for large amounts
of software. This can reduce the
budget for software licenses given
that a cloud service provider offers
the applications for a fixed fee,
enabling everyone in an office to
have access to many applications,
all in one portal.
Through the cloud, sharing and
collaborating with others on a
project is seamless and easy.
For example, a PowerPoint
presentation for class could be
simultaneously worked on by
several group members. Students
can share and modify study
guides from anywhere in the
world. Plus, giants like Amazon,
Google, and Microsoft are fighting
for a piece of this pie (which
technically means they are
fighting over who owns most of
the Internet), making the cloud
accessible for anyone’s budget
(a price battle lowers the price).
Most clouds even offer enough
free space for personal data,
including recurring backups, all
free of charge.
IT Security Awareness Series by JUCC
With the aim of enhancing the IT security awareness of the CityU community, Thales Transport and Security (Hong Kong) Ltd. was commissioned by the Joint Universities Computer Centre (JUCC) to prepare a series of articles on IT security, which are adopted and published here for your reference.
Cloud Computing – Security Practices for General User
Examples of Popular Cloud Service Providers
Dropbox offers 2GB of free storage space. Users can upload files via its software client or over the web interface. It has 256-bit AES encryption and two-step verification security features. It also provides a business plan for companies that need to share files over Dropbox.
Similar to Dropbox, Box offers up to 10GB of free space as its basic plan. Users can upload files via the software client or web interface. Business users can consider paying the monthly fee for unlimited storage depending on their business needs.
Microsoft locks paid OneDrive accounts – monitor behavior and content
22nd April 2014
Microsoft locks out paid users from their OneDrive account and denies access to their files for 24 hours. Users are complaining on the Microsoft forums about receiving messages that their account is temporarily blocked. Accounts are blocked for various reasons, including what Microsoft calls ‘suspicious activity’, ‘large volume of traffic’ or violations of the Microsoft services agreement or code of conduct.
Users are presented with the following message when they try to log in to their account. [2]
Google Drive not only provides storage to users but also online applications such as Google Docs. Users can edit their online files without pre-installing any software on their computers. 15GB of free basic storage is offered to newly registered users. For users with an Android phone, Google offers additional free storage space. It also provides a mobile phone data backup solution which can be accessed anywhere, anytime over the Internet.
As iOS devices such as iPad, iPhone and iPod, and Macintosh computers, are getting more popular, iCloud from Apple offers a basic plan of 5GB free storage space. Even users who do not have any Apple devices can register for an Apple ID to enjoy this free service. The main feature of Apple iCloud is keeping files and configuration settings consistent across all Apple devices. For example, once a user creates or updates a schedule in their iCloud Calendar, all devices using the same Apple ID will be updated when connected to the Internet.
Similar to Apple, Microsoft offers 15GB of free storage space through OneDrive. Users can even get 3GB more by activating the camera roll backup from Microsoft devices. However, unlike Google Drive, a user who would like to edit files directly from OneDrive needs to pay for Office365 in advance. Microsoft also has special plans for users to get unlimited storage space [1].
Amazon Web Services (AWS) not only offers storage capacity but also the following cloud applications, which are useful for business applications:
• AWS Trusted Advisor
• Amazon Mobile Analytics
• Amazon Cognito
• Amazon DynamoDB and more
Newly registered users can enjoy 12 months of free tier access to AWS cloud services.
Free storage space is definitely the
commercial way of attracting new users
to register for cloud services. Different
cloud service providers offer similar
plans by providing cloud storage and
related services. Nowadays, smartphone
registration is another good avenue
for users to increase their cloud space
at no extra cost.
Benefits Using Cloud
The usage of cloud has become popular for many good reasons. Besides the frequent use case of sharing bulk data that exceeds the size limits imposed by email systems, the following are other advantages of using cloud services:
• Elasticity of Resources
Where the workload and capacity of IT systems cannot be easily predicted, the cloud is a suitable platform on which more computing power can be acquired or de-provisioned dynamically according to business and resource requirements.
• Data access from anywhere
Data is no longer restricted to a personal computer or confined within an internal network. It can be made available and shared with many others simultaneously, whenever there is Internet access.
• Cost Saving
The “pay-as-you-go” and “one-time-payment” models make the cloud accessible without purchasing powerful computer systems with expensive storage space. Likewise, users can pay at their discretion to use “more” virtual drives, memory and CPUs when needed and “return” them when no longer necessary.
• Quick Deployment
Once the cloud service is chosen and paid for, it only takes a couple of minutes to implement. In contrast, in-house servers can take weeks or months for proper installation (getting OS and software licenses and patching, setting up firewalls, authentication programs and backup systems).
• Software Usage
The installation, licensing and updating of software become the responsibility of the cloud service provider. Moreover, the software can be accessed from any device with Internet access.
• Data Backup
Data backup is no longer a hassle for users. It becomes part of the chores performed by the cloud service provider. Users are, however, recommended to create one more backup copy on a local drive for contingency purposes.
• Security system
The security system of cloud service providers is probably better than what an average individual or a small to medium company can build. Nevertheless, users should take note of the potential security concerns and follow the recommended practices as described later in this newsletter.
• Team Collaboration
Team work becomes more convenient as group papers, conferences and presentations can be worked on simultaneously by different teams of students or staff.
• No Sensitive Data
If you, your classmates
and/or co-workers use
online e-mail, online
photo albums (Flickr)
or music services (Pandora and
Spotify), you are already using the
cloud.
For really personal or sensitive
data, think twice before uploading
to the cloud. There was already
a notorious data breach incident
about celebrity nude photos on
iCloud.
From a risk management
perspective, you should ask
yourself what kind of data
you cannot afford to have
compromised in the worst
scenario. Prudent decisions should
then be made not to store such
data in the cloud.
If there is a need to use the cloud
to store personal and sensitive
data, add your own layer of
encryption to the data before
uploading to the cloud, and
ensure that you own your own
encryption key.
Before diving into “the next big thing”,
users should be aware of the security
concerns when using the cloud. The
utmost concern is that when data is
uploaded to the cloud, it is “shared”
with a third-party, which is the cloud
service provider you have entrusted
with your data. What if the service
provider corrupts the data due to
technological errors? What if the
service provider goes out of business?
What if the service provider releases
access of data to law enforcement
for national security reasons? What
if hackers break into the service
provider storage area? All these
concerns are beyond the user’s control.
The counterargument to this
disadvantage is that cloud service
providers live and die by their
reputation, thus, they have state of
the art security systems; systems
that small companies or households
would probably never be able to
afford.
The following are other security
concerns and recommended
practices when using the cloud:
• Possible Downtime
Without Internet
access, it is impossible
to access cloud
service and data.
In addition, when cloud service
providers schedule maintenance,
or unfortunately suffer from server
outages or attacks that
cause service interruption, users
will not be able to access the cloud
services. The global service outage
of Microsoft Azure on 19th August
2014 is a good example [4].
Data backup to local drives is still
an important practice for users
utilizing cloud services.
• Prone to Attack
Having centers full of private or
sensitive data is appealing to
hackers; thus, hacking attacks
could be fairly common. Poor
design and implementation of
security by the cloud service
providers can easily result in data
breach incidents.
Cloud Common Usage:
People usually upload data not to just one specific cloud platform but to several. For example, the most frequently used files kept in Dropbox can be backed up to Google Drive. Also, data and configurations of smartphone devices can be backed up to the cloud, such as iPhone to iCloud.
Security Concerns & Recommended Practices
iCloud Data Breach: Hacking And Celebrity Photos
2nd September 2014
A group posted a proof of concept script on the popular code repository called GitHub that would allow for a user to attempt to breach iCloud and access a user account. This script would query iCloud services via the “Find My iPhone” API to guess username and password combinations. The problem here was that apparently Apple was not limiting the number of queries. This allowed for attackers to have numerous chances to guess password combinations without the fear of being locked out. [3]
Check carefully what security
features are implemented by
the cloud service providers.
Examine what data encryption
is used on the cloud platform,
how data is protected during
uploading and downloading,
and the authentication channel.
Choose cloud service providers
with a reputable name and
no precedent of security
incidents.
• Software Features
For university usage,
administrators should make
sure that cloud members can
be easily added and deleted
depending on the academic
year.
Also, check carefully the correct
package of cloud applications
with the intended features
before paying for usage.
Sometimes cloud applications
may miss some features which
would be otherwise available
when buying the software
separately.
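The iCloud incident quoted earlier in this article turned on an endpoint that did not limit password guesses. The sketch below is an added example (not part of the JUCC article and not Apple's implementation) of the missing control: a sliding-window throttle with doubling lockouts, keyed by account and by source address. All names, thresholds, credentials and events are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

SALT = b"constructed-demo-salt"          # constructed; real systems salt per user
GOOD = "correct horse battery staple"    # constructed demo password

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

USERS = {"alice": pw_hash(GOOD)}         # constructed credential store

def verify(account, password):
    stored = USERS.get(account.lower())
    candidate = pw_hash(password)        # hash even when the account is unknown
    return stored is not None and hmac.compare_digest(stored, candidate)


class LoginThrottle:
    """Caps password guesses per account and per source address."""

    def __init__(self, max_failures=5, window_s=300.0, base_lock_s=60.0,
                 max_lock_s=3600.0):
        self.max_failures = max_failures  # failures tolerated inside the window
        self.window_s = window_s          # sliding window length, seconds
        self.base_lock_s = base_lock_s    # first lockout; doubles on each repeat
        self.max_lock_s = max_lock_s      # cap, so a lockout always expires
        self.failures = defaultdict(deque)
        self.strikes = defaultdict(int)
        self.locked_until = {}

    @staticmethod
    def keys(account, source):
        # Two dimensions: many sources guessing one account, and one source
        # guessing across many accounts.
        return ("acct", account.lower()), ("src", source)

    def retry_after(self, account, source, now):
        """Seconds to wait before the next attempt; 0.0 means allowed."""
        waits = [self.locked_until.get(k, 0.0) - now
                 for k in self.keys(account, source)]
        return max(0.0, *waits)

    def record(self, account, source, success, now):
        acct_key, src_key = self.keys(account, source)
        if success:
            # Reset the account only: a source that owns one valid account
            # must not be able to refill its own guess budget.
            self.failures.pop(acct_key, None)
            self.strikes.pop(acct_key, None)
            return
        for key in (acct_key, src_key):
            recent = self.failures[key]
            recent.append(now)
            while recent and recent[0] <= now - self.window_s:
                recent.popleft()
            if len(recent) >= self.max_failures:
                lock = min(self.base_lock_s * 2 ** self.strikes[key],
                           self.max_lock_s)
                self.strikes[key] += 1
                self.locked_until[key] = now + lock
                recent.clear()


def attempt_login(throttle, account, source, password, now):
    """Returns 'throttled', 'ok' or 'denied'; the limit is checked first."""
    if throttle.retry_after(account, source, now) > 0:
        return "throttled"
    ok = verify(account, password)
    throttle.record(account, source, ok, now)
    return "ok" if ok else "denied"


# Constructed event stream: (time_s, account, source, password).
SAMPLE_EVENTS = [
    (0, "alice", "198.51.100.7", "guess-1"),
    (1, "alice", "198.51.100.7", "guess-2"),
    (2, "alice", "198.51.100.7", "guess-3"),
    (3, "alice", "198.51.100.7", GOOD),    # refused: lockout is active
    (33, "alice", "198.51.100.7", GOOD),   # lockout has expired
]

def replay(events, throttle):
    return [attempt_login(throttle, a, s, p, t) for t, a, s, p in events]

if __name__ == "__main__":
    demo = LoginThrottle(max_failures=3, window_s=60, base_lock_s=30)
    print(replay(SAMPLE_EVENTS, demo))
```

Because the lockout is capped and expires, someone who deliberately fails logins against another person's account can delay that person but not lock them out permanently.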
So University students and staff are
advised to develop the following
good computing habits when using
the cloud:
• Exercise safe browsing habits - if a
web site looks shady, it usually is
shady. Don’t further click on links
or downloads;
• Use devices that you trust to
connect to the cloud, i.e. minimize
the use of public computers which
do not fulfil the security standard;
• Enable and use two-factor
authentication if available from
cloud service providers;
• Choose different passwords
and credentials for University IT
systems and public cloud services;
• Change passwords regularly;
• Log off sessions when finished;
• Don’t open or click on links in
strange or unsolicited e-mail;
• Install anti-malware software on
computing devices.
The Hong Kong Government has
created a web site to educate the
public about cloud usage. Useful tips
and checklists regarding cloud usage
can be found at http://www.infocloud.gov.hk/.
The Importance of Safe Passwords [6]
Regardless of whether data is stored in house
or in the cloud, it is important that
passwords for different sites
be kept different and securely
protected. This way, if anything is
ever compromised, hackers will not
have access to other accounts using
the same password. Likewise, it is a
good practice to change the cloud
access passwords regularly.
In a corporate environment, users are normally governed by the corporate IT security policy and the computing devices are typically standardized with hardened security configurations.
But in Universities, students and staff are allowed to use their own computing devices, and security governance is more relaxed compared to the corporate environment.
A lot of the attacks these days target end users. Once a user’s computer is compromised, the data stored in the cloud can subsequently be retrieved by the hacker.
References
1. “OneDrive now with unlimited storage for Office 365 subscribers.” 27 October 2014. Web. 11 November 2014
2. “MYCE News” 22 April 2014. Web. 29 Sept 2014
3. “Forbes” 2 September 2014. Web. 29 Sept 2014
4. “Microsoft Cloud Service Azure Experienced Global Outage” 19 August 2014. Web. 11 November 2014
5. “Government Technology – Data Breaches in the Cloud: Who’s Responsible?” 26 August 2014. Web. 29 Sept 2014
6. “Your Dropbox Account May Have Been Hacked (UPDATE: Dropbox Says No)” 14 October 2014. Web. 16 Oct 2014
Copyright Statement
All material in this document is,
unless otherwise stated, the property
of the Joint Universities Computer
Centre (“JUCC”). Copyright and other
intellectual property laws protect
these materials. Reproduction or
retransmission of the materials, in
whole or in part, in any manner,
without the prior written consent of
the copyright holder, is a violation of
copyright law.
A single copy of the materials
available through this document
may be made, solely for personal,
non-commercial use. Individuals
must preserve any copyright or other
notices contained in or associated
with them. Users may not distribute
such copies to others, whether or not
in electronic form, whether or not
for a charge or other consideration,
without prior written consent of the
copyright holder of the materials.
Contact information for requests for
permission to reproduce or distribute
materials available through this
document are listed below:
Joint Universities Computer Centre
Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong
Tips for Students and Staff
STATISTICS AT A GLANCE
WiFi Usage Statistics
WiFi Device Type Summary: Unknown 28.3%, Android 27.5%, iPhone 22.8%, Other 15.4%, OS X 5.9%
[Figures: WiFi Clients; WiFi Bandwidth Usage]
Editorial Box
OCIO Newsletter Advisory Board
Dr. Andy Chun (OCIO)
Ms. Annie Ip (OCIO)
Mr. John Hui (ESU)
Mr. Raymond Poon (CSC)
Mr. Peter Mok (CSC)
Ms. Maria Chin (CSC)
Publishing Team
Ms. Noel Laam (CSC)
Ms. Annie Yu (CSC)
Ms. Joyce Lam (CSC)
Mr. Ng Kar Leong (CSC)
Ms. Kitty Wong (ESU)
Ms. Doris Au (OCIO)
For Enquiry Phone 3442 6284
Fax 3442 0366
Email [email protected]
OCIO Newsletter Online http://issuu.com/cityuhkocio
GLOSSARY CORNER
IT Security – What is Team Ghostshell?
Andy Chun
TEAM GHOSTSHELL is a well-known hacker group responsible for a string of high-profile hacks over the past years. In August 2012, its Project Hellfire exposed over 1.6 million accounts from over 100 websites around the world, including data from the CIA, the Pentagon, NASA, Interpol, banks and from Wall Street. In October 2012, Team GhostShell’s Project WestWind leaked over 120,000 records from 100 major universities around the world. In November 2012, Team GhostShell declared war on Russia with its Project Blackstar, leaking over 2.5 million accounts belonging to the government, education, law enforcement, telecom, research institutes, medical facilities, and large corporations. In January 2013, its Project SunRise hacked numerous African universities and businesses, releasing over 700,000 accounts/records. Exposed data sometimes contain names, email addresses, passwords, phone numbers, dates of birth, citizenship, ethnicity, marital status, gender, and database schema information.
After being dormant for three years, it emerged again in June 2015, claiming that they have access to billions of accounts and trillions of record sets. So far, they have breached and leaked over 13,000 people’s details found in over 300 websites. Among the sites hacked are numerous universities from around the world, including several from Hong Kong. All exposed data were made public and posted online. Data leaked from Hong Kong universities were said to include names, emails, phone numbers, etc. but no financial information.
Experts believe the current 2015 hack used tactics similar to the 2012 attacks, i.e. compromising databases through SQL injection attacks and poorly configured PHP scripts. SQL injection is a technique whereby malicious code is inserted, through user input, into a query sent to a database so that a command can be executed, usually enabling attackers to access and export data to hackers’ own database servers.
To protect yourself, always use strong passwords and never use the same password on different websites. Use two-factor authentication whenever available. Systems should always be patched and up-to-date. When accepting input from users, always filter the input to avoid SQL injection attacks, and sanitize outputs to avoid cross-site scripting (XSS).
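The advice on filtering input and sanitizing output, as an added example that is not part of the newsletter; it uses Python's built-in sqlite3 and html modules, and the table, rows and function names are constructed for illustration. It goes one step beyond input filtering by binding values as query parameters, a technique the article does not name, and shows a legitimate address that passes the filter yet still breaks a concatenated query.

```python
import html
import re
import sqlite3

# Allow-list for the one field this form accepts (simplified e-mail syntax).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+'-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")

CRAFTED = "x' OR '1'='1"  # constructed input containing a quote character


def make_db():
    """In-memory table with constructed rows (no real people)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice@example.edu", "Alice", "555-0100"),
        ("o'neil@example.edu", "Neil", "555-0101"),
        ("carol@example.edu", "<script>alert(1)</script>", "555-0102"),
    ])
    return conn


def lookup_concat(conn, email):
    # BEFORE: input is pasted into the SQL text, so a quote character in it
    # ends the string literal and the remainder is parsed as SQL.
    sql = "SELECT email, name FROM accounts WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, email):
    # AFTER: the statement text is fixed; the value travels separately as a
    # bound parameter and is only ever compared as data.
    sql = "SELECT email, name FROM accounts WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def lookup_safe(conn, email):
    # Input filter on top of binding: reject what cannot be an e-mail address.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("not an e-mail address")
    return lookup_bound(conn, email)


def render(rows):
    # Output encoding: stored values are escaped before they reach HTML.
    return "".join(f"<li>{html.escape(name)} ({html.escape(email)})</li>"
                   for email, name in rows)


def demo():
    conn = make_db()
    out = {
        "concat_rows": len(lookup_concat(conn, CRAFTED)),  # every row comes back
        "bound_rows": len(lookup_bound(conn, CRAFTED)),    # no row has that e-mail
        "legit_quote": lookup_safe(conn, "o'neil@example.edu"),
        "html": render(lookup_bound(conn, "carol@example.edu")),
    }
    try:
        lookup_safe(conn, CRAFTED)
        out["filtered"] = False
    except ValueError:
        out["filtered"] = True
    try:
        # A valid address with an apostrophe passes the filter but breaks the
        # concatenated statement: filtering alone is not a reliable defence.
        lookup_concat(conn, "o'neil@example.edu")
        out["concat_breaks"] = False
    except sqlite3.Error:
        out["concat_breaks"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```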
The data exposed by GhostShell was accompanied by a manifesto of sorts, titled “Dark Hacktivism,” which explained the reasons for their attacks and campaigns, such as raising awareness of the poor quality of security at major organizations’ websites, high tuition fees at universities, political agendas, tough teaching regulations and job uncertainty for graduates.