Written on June 28, 2006
>Thanks for your response Professor Mickler. I was not aware of the issues with Wikipedia as I had not seen your announcement. I truly thought this was a reliable source… but I will take your comments to heart and read the article link you sent as well. Is Webopedia in the same vein then?
Hey Steven. I think one has to use caution when approaching self-contributed and self-policed information sources as references. Wikipedia is, by definition, a ‘wiki’ – a community application with a loose framework of fact and journalistic standards reviewed by volunteers who’re not experts in their field. Therefore, when I look at information from something like Wikipedia (Webopedia may fall into this same idea), I must realize that the information may be erroneous, may have error in fact, may be inaccurate, or may be biased.
Further, Wikipedia is _not_ a source. It’s an application, but not a recognized authority on anything. When I want to learn something, I turn to a textbook, published by a reputable publishing house, who vouches for the authenticity of its author who is usually credentialled in some way as to present the information. These same standards can be applied to web-based or electronic publishing, whereas the author is a credentialled authority. Wikipedia has had published/documented problems in its editing, and, its authors are volunteers. Therefore, it’s irrelevant – neat to read, maybe handy, but not a credible authority.
Where I find the biggest problem is that students turn to Wikipedia for _everything_, or, they paraphrase Wikipedia as a source. The student uses Wikipedia as a crutch – instead of reading a legitimate authority presented as required reading in a course (say, our textbook), our student reaches for a handy cliffnote created by somebody on the web, THEN reiterates that content because they’re too darn lazy to compose something themselves. An academic challenge for students, absolutely, but one that begins with educators: Wikipedia and its content must be scrutinized by an instructor. There are times that I’ll allow a student’s use of Wikipedia because what they cited is immaterial to the larger discussion, or, is generic information that I know as fact. However, when I see the crutch, it’s my inclination to kick it out from underneath the student (grin).
>I had no intent to cause issue by paraphrasing or using the thoughts of Wikipedia in my assignments.
Absolutely. Do look at the problem of paraphrasing when it comes to citation.
>When it comes to paraphrasing, I try to write my assignments in the style I speak. Sometimes exact quotes do not grammatically make sense to me, so I use my own style to change a bit of wording, but remove it from the quotation since it is not borrowed thoughts, just my own grammatical fixing.
Your perception is in error. This is a direct quote from Einstein:
“In light of knowledge attained, the happy achievement seems almost a matter of course, and any intelligent student can grasp it without too much trouble. But the years of anxious searching in the dark, with their intense longing, their alterations of confidence and exhaustion and the final emergence into the light — only those who have experienced it can understand it.”
Say I re-wrote this for “grammatical fixing” and presented it for credit in a classroom:
“It seems reasonable that anybody can find knowledge without too much trouble if they tried. However, only those who’ve exhaustively searched for knowledge can understand the rewards of that experience.”
This, Steven, is a rip-off of Einstein. I have deliberately paraphrased his idea and reworded it. It’s wrong, I should never do this, and if I did, I should cite my paraphrasing to indicate that I’m paraphrasing Einstein.
Imagine if somebody re-worded Orwell’s “War of the Worlds” to “Planetary Wars”. Same characters, same plot, different words. Somebody would get sued for breach of copyright (grin).
> My understanding is that to quote/cite something was to place between the quotation marks the exact text that you are citing and to give credit.
Sure. This is one aspect of citation, and, this works so long as the content doesn’t _present_ the student’s argument. Sometimes, students will cite whole paragraphs from sources without even attempting to make a point of their own. This is also a problem of paraphrasing: the student allows their source to construct their argument and presents their source’s _narrative_ as _their_ conclusions. “Error! Danger Danger Will Robinson, Danger!” A student can’t hand me direct quotes from four authors and call it their assignment – that’s crap! I should see the student develop their own conclusions then support those conclusions with evidence from an authority (1st or 3rd party), giving their conclusion credence.
>This is the first time someone has alerted me to this issue, thanks.
No drama – that’s what I’m here for, to teach, and this is one of my pet projects (grin).
>I will try to do a better job of grammatically fixing my thoughts in the future around quotes…
The problem is not grammar – it’s rules concerning citation. Our Cybrary has a great APA section, by the way.
>used as to not cause confusion like this again. I appreciate your candid responses, this will help me tremendously in the future.
Thank you, sir. And happy to help.
R
Written on June 15, 2006
In response to firewalls as network appliances becoming more like application-layer firewalls (proxy servers)….
This is true – the network appliance of a firewall is being bundled with more significant capabilities as a natural response to consumer demand. The advantages of a proxy server traditionally have to do with session layer controls.
With a proxy, an administrator can set up ACL restrictions on Internet access with very specific and minute detail. With a proxy, for example, we could assign one form of user object (say, Group A) Full Access to the AOL Instant Messenger port on the proxy service; we could set a specific user object, or, another group (Group B) at No Access to the same port.
Even more so, as a proxy is an application layer service, we can deny not just ports but _applications_ from traversing the gateway. We could say that, for example, QuickBooks as an application cannot access the Internet, or, we’ve determined that our standard is IE, so another browser like Netscape is not allowed to be used to access the Internet. Also, because this is such a high layer, we can also deploy some interesting encryption on the packets that would otherwise be there, controlled by session and presentation layer interaction. We could also allow port-level access based on an ACL security descriptor – Administrators can do this, General Users can do this.
We could also setup routing restrictions based on object-level and security descriptor-level ACL’s. The routing path for Group A is X, and the routing path for Group B is Y.
And we could set up specific logging and controls by session layer – that some user objects are audited more significantly than others. In our model here, user objects on both the local and remote subnets _must_ authenticate as a session-layer service (say, an NDS, LDAP/Kerberos, or AD structure) to even use the Internet.
We could see a reasonable IP address distributed via our DHCP to an internal host. A normal firewall would consider this acceptable and allow for gateway traversal. However, an application-layer firewall (a proxy) could be configured to challenge the user at the session layer (who are you, give me a credential) _before_ the service recognizes the traversal.
Therefore, everybody on the network has a single gateway in our case study here, and, everybody – local or remote, LAN or WAN, WiFi or Wired – must authenticate to the proxy _first_ before exiting the only gateway.
As a single point of entry and exit that can be monitored at the IP layer (layer 3), the transport layer (layer 4), the session layer (layer 5), the presentation layer (layer 6), and the application layer (layer 7), this makes for a very formidable and auditable gateway.
As Nathan pointed out, many network appliances like firewalls are being shipped with greater intelligence, even allowing them to perform as application-layer firewalls, integrated into the directory services of our choice. Wrangling with them is about as challenging as NSD’s (Network Storage Devices) – usually they’ve a different o/s than your directory service and integrating them is an administrative headache, but still, it offers a great deal of control, more so than a simple layer 3/4 firewall.
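The decision order of the authenticating proxy described above, as an added example that is not part of the original post: the credential store, the audit levels and the port/route values are constructed stand-ins (a real gateway would query NDS, LDAP/Kerberos or AD); the Group A / Group B, AIM-port, QuickBooks and Netscape rules are the post's own illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

AIM_PORT = 5190  # AOL Instant Messenger's well-known port (assumed for this example)

# Constructed directory stand-in: user -> (credential, group). The post's gateway
# would consult NDS, LDAP/Kerberos or AD; only the "authenticate first" rule is its.
DIRECTORY = {"alice": ("alice-secret", "Group A"), "bob": ("bob-secret", "Group B")}

# Port-level ACL per group: Group A may use the AIM port, Group B may not.
PORT_ACL = {"Group A": {AIM_PORT, 80, 443}, "Group B": {80, 443}}
# Application-layer policy: these programs never traverse the gateway, on any port.
DENIED_APPLICATIONS = {"QuickBooks", "Netscape"}
# Routing path and audit depth selected by group (constructed values).
ROUTE = {"Group A": "path X", "Group B": "path Y"}
AUDIT_LEVEL = {"Group A": "standard", "Group B": "verbose"}


@dataclass
class Request:
    src_ip: str          # a valid DHCP lease; a layer-3/4 firewall would stop checking here
    application: str     # client program name, as seen at the application layer
    dst_port: int
    user: Optional[str] = None
    credential: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    route: Optional[str] = None
    audit: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Walk the request through the gateway's checks in the order the post gives."""
    audit = [f"{req.src_ip} {req.application} -> port {req.dst_port}"]
    # 1. Session-layer challenge before anything else: a good IP address is not an identity.
    entry = DIRECTORY.get(req.user or "")
    if entry is None or entry[0] != req.credential:
        audit.append("challenge failed: no valid credential presented")
        return Decision(False, "not authenticated", audit=audit)
    group = entry[1]
    audit.append(f"{req.user} authenticated as {group}; audit level {AUDIT_LEVEL[group]}")
    # 2. Application-layer policy is checked before ports: QuickBooks is denied even on 443.
    if req.application in DENIED_APPLICATIONS:
        return Decision(False, f"application {req.application} is not permitted", audit=audit)
    # 3. Group ACL on the destination port.
    if req.dst_port not in PORT_ACL[group]:
        return Decision(False, f"{group} has no access to port {req.dst_port}", audit=audit)
    # 4. Only now is the traversal recognised, on the group's routing path.
    return Decision(True, "allowed", route=ROUTE[group], audit=audit)
```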
Written on June 14, 2006
From: Nichole
Subject: Copyright Law question
Hello Professor, This is a bit off topic, but I was wondering if you could confirm or dispel a copyrighting urban legend for me…In the music circle, it has been asserted that if you write a song and mail it to yourself, it is sort of a “poor man’s copyright”, i.e., what one receives in the mail becomes the addressee’s legal property and owns the song/lyrics. Is this true, and is it enforceable? Just curious
***
Hmmm, the premise being, I suppose, that it’s stamped by an official agency, the US Post Office.
I found the following text from an article at GuitarNoise.com (http://www.guitarnoise.com/article.php?id=105):
Once the song is finished and on paper, make a copy of it. On the bottom line put the international copyright symbol © (Alt-0169 if you’re using a computer) followed by your name, the year, and your address. (ex: Ben Dover, 2000, 123 Anystreet, Sometown, USA) Put that copy in an envelope, write on the back of that envelope the title of the song, address it to yourself (don’t forget to put a stamp on it!) and mail it to yourself. I also get someone to sign across the seal, but that’s not necessary, although it does show that it hasn’t been tampered with. When you receive it, don’t open it! File it away somewhere safe. You now have copyright protection.
I believe the first piece of advice is accurate: affix the copyright symbol. This is appropriate for establishing copyright; copyright is bestowed at the moment of creation. The rest of the instructions, to mail it to yourself, is simply a matter of convincing evidence (notice that there’s nothing here from the US Copyright and Patents Office (http://www.copyright.gov/), which would really be the legal way to go).
To further disprove, I tried to Snope this … (http://www.snopes.com/legal/postmark.asp), which further suggests that this is, in fact, an urban legend. It says:
Mailing one’s works to oneself and keeping the unopened, postmarked envelope as proof of right of ownership to them (a practice known as the “poor man’s copyright”) has no substantive legal effect in the U.S. We’ve yet to locate a case of its use where an author’s copyright was established and successfully defended in a court of law by this method. At best, such mailings might serve to establish how long the author has been asserting ownership of the work, but since the postmarked-and-sealed envelope “proof” could be so easily circumvented, it is doubtful courts of law would regard such evidence as reliable.
So, I’d say: urban legend, Nichole…! You’d be better off filing with the US office at the link I provided for ~$45.
R
Written on June 10, 2006
Great points professor.
What are your thoughts on Data Classification policies of call centers?
For example, Dell Support in INDIA has all of our info (SSN (only for the home users who finance through Dell), Credit Card Number, Home Address). At this point that is helping us a bit, for the fact that customer support personnel in INDIA/CHINA don’t know what is the value of having access to all those on a single screen, but when they will, it is going to be a tough game for US consumers.
***
Well, Jigan, I’d probably begin by asking myself a couple of questions similar to the outlined process of the SP800-60.
1. What are my information types?
2. What is my impact assessment per type based on CIA?
Hence our formula:
SC (information type) = {(Confidentiality, impact), (Integrity, impact), (Availability, impact)}
I’ll use your example for a minute with SSNs, and use the same impact assessment model that the Feds use of LIMITED, MODERATE, HIGH, and N/A.
SC (SSNs of home users) = {MODERATE, LOW, LOW}
My justification for this assessment is as follows:
1. The Confidentiality loss of customer SSNs is problematic and warrants treatment as a serious breach of information system security. However, it is not a _catastrophic_ breach that would jeopardize operations or put personnel at risk.
2. The Integrity impact of losing home users’ SSNs is relatively limited. I can still audit the original data trail and recover all elements that contributed to the state of the data prior to the breach.
3. The Availability impact of the loss is also limited, as I still have access to this data even though someone has stolen it, or, it’s been exposed. Further, if this data was not available, it may not really jeopardize my operation in a serious way – at most, it may be an inconvenience.
I would perform this same assessment for the other information types you indicated (Credit Card Numbers, Home Addresses, and the like), developing a matrix similar to what we see in the appendix of the SP800-60 beginning on page 12:
http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf
This in hand, Jigan – as a CSPM – I’d be better prepared to answer your question. I’d also be in a better position by which to evaluate the ATP Controls over this information at several points of distribution (perhaps as copies to local servers in India; as a data stream moving across a WAN; as a reproduction event – when a copy is made; and at the point of origination). I could then lay it out on a table for you:
1. Here is how the data is classified.
2. Here are the steps by which the data is delivered.
3. Here are the ATP Controls surrounding the distribution of that data.
Do we see gaps? Vulnerabilities? If we classify SSN info for our customers as (MODERATE, LOW, LOW), you can see where – from a classification perspective – this is a relatively low-risk piece of information that we’re giving to these phone support people.
Now, political opinion may _change_ my impact assessments, particularly after an embarrassing incident – say, to (HIGH, LOW, LOW) – demanding I take extra precautions to secure the confidentiality of the SSN, Jigan. But clearly, if I do this, I can see:
1. What I initially created as a security model based on impact assessment.
2. The event that forced a reconsideration of that model.
3. The changed impact assessment and Security Category, demanding a re-evaluation of ATP (Administrative, Technical, and Physical) Controls.
Notice the chain of events, the documentation, the justification of actions and priorities, the audit trail demonstrating how a change in political perception changed the Categorization of a single piece of information, thus demanding a change in ATP controls along various steps of delivery.
In the end, Jigan, I’d have a clean audit trail to render a decision or thought to you about sharing the information. Notice I’m not giving you an answer (grin). That is because I don’t know the facts. We must collect evidence, facts, develop a process, by which to answer your question – delivering SSN’s, Credit Cards, and Home Address information to India may be perfectly safe and harmless… because of the assessment practices and precautions that I took as a CSPM.
R
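The categorization procedure walked through in the post above (per-type security category, the re-evaluation after an incident, and the audit trail that records it), as an added example that is not the post's or NIST's own code. The SSN category {MODERATE, LOW, LOW} and its change to HIGH confidentiality are the post's; the credit card and home address categories are assumed values, and the high-water-mark aggregation into a system category is the FIPS 199 rule.

```python
from dataclasses import dataclass

# Impact levels ordered so the FIPS 199 "high water mark" can be computed.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            if getattr(self, obj) not in LEVELS:
                raise ValueError(f"unknown impact level for {obj}: {getattr(self, obj)}")

    def __str__(self):
        return "{" + ", ".join(getattr(self, o) for o in OBJECTIVES) + "}"


def high_water_mark(categories):
    """Aggregate per-type categories into one system category: each objective
    takes the highest impact assigned to it by any information type (FIPS 199)."""
    return SecurityCategory(*(
        max((getattr(c, obj) for c in categories), key=LEVELS.__getitem__)
        for obj in OBJECTIVES
    ))


def reassess(trail, info_type, old, event, **changes):
    """Record a justified change to one type's category and return the new one.
    'changes' names objectives and their new level, e.g. confidentiality='HIGH'.
    The trail entry lists which objectives moved, i.e. which ATP controls need review."""
    new = SecurityCategory(**{o: changes.get(o, getattr(old, o)) for o in OBJECTIVES})
    moved = [o for o in OBJECTIVES if getattr(old, o) != getattr(new, o)]
    trail.append({"type": info_type, "event": event, "before": str(old),
                  "after": str(new), "controls_to_reevaluate": moved})
    return new


# Constructed call-centre inventory: the SSN line is the post's own assessment;
# the other two are assumed values for illustration only, not a real assessment.
CALL_CENTRE = {
    "SSN (home users)": SecurityCategory("MODERATE", "LOW", "LOW"),
    "Credit card number": SecurityCategory("MODERATE", "MODERATE", "LOW"),
    "Home address": SecurityCategory("LOW", "LOW", "LOW"),
}


def categorize_after_incident(inventory=CALL_CENTRE):
    """Initial system category, then the re-evaluation the post describes."""
    trail = []
    before = high_water_mark(inventory.values())
    types = dict(inventory)
    types["SSN (home users)"] = reassess(
        trail, "SSN (home users)", types["SSN (home users)"],
        event="public disclosure incident", confidentiality="HIGH")
    return before, high_water_mark(types.values()), trail
```

Running `categorize_after_incident()` shows the system category move from {MODERATE, MODERATE, LOW} to {HIGH, MODERATE, LOW}, with the trail entry naming confidentiality as the only objective whose controls need re-evaluation.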
Written on June 7, 2006
A message from a student:
Hi Professor Mickler,
I’ve got a question for you. Do you think offshoring lowers our ability as a nation to face enemies? For example, our military uses spare parts from Japan and also uses uniforms made in foreign countries, since our textile industry is all but non-existent. Could these countries not hold back on these needed supplies in a future conflict and hurt our national security? This is just a thought of what offshoring can affect.
***
Well, I’ll give you my opinion and you can take that for what it’s worth (grin).
Outsourcing (offshoring/nearshoring) is a symptom of two economic realities:
1. Given the state of telecommunications, multilateral trade, and transportation, national boundaries bear little significance in isolating socio-economical growth. Globalization is a natural extension of the interconnectedness we have as societies and cultures now.
2. Capital will always transfer to those who can provide a common good or service, at the same quality as any other, at a lower price.
So long as these principles hold true – that political hegemony does not attempt to engage in cultural and economic protectionism, thus isolating itself from the world, and, the WTO is still regarded as a positive mechanism by its participants – then outsourcing is a natural extension of what consumers and societies desire.
The US military is not a private institution and isn’t swayed by the profit motive like private industry is. The military doesn’t have quarterly reports, the SEC breathing down its neck, or an accountability to public shareholders. Therefore, the military doesn’t require an “ROI”, so to speak, on its capital investments, although there are practical limitations on what $390 billion a year will provide (grin). They are constrained by budget. The military need not justify anything – it could, if it wanted to, demand that its contractors and internal operations source from domestic firms exclusively.
However, I would reason that this mandate would inflate costs and it’s reasonable to presume the military wants to extend its buying power. The contractors to the US military would only be so happy to oblige if the military forced 100-percent domestic sourcing, but the reality is that costs would increase and scarcity being what it is, somebody is rationally deciding that cost containment is more significant than the risk of using outsourced components and services. Therefore, sourcing from “our enemies” is the military’s _conscious_ decision, and they do it for the same reasons that you and I shop at Wal-Mart. We want to extend our buying power.
So long as those economic truths are static, and the decision-makers inside of the military are rational, I don’t foresee that changing unless it becomes a matter of strategic priority that over-rode rational decision-making.
Personally, no, I don’t see it as a competitive or strategic disadvantage to US interests. The US outspends our closest competitor on military spending 10:1; the application of that spending by the best trained military on the planet is (bar none) of more strategic importance than where the supplies and services come from. I think there’s a more disastrous consequence awaiting us in the consumer economy: what happens if we engage China in a conventional conflict and Americans are unable to access cheap hair spray, or, plastics, or, consumer electronics? The more significant impact of releasing the dogs of war in an interconnected, global economy is the reality that we’d cripple our ability to _fund_ a military effort in the first place; we’d hurt ourselves. Thus, one could stand to reason the importance of a vast central military to engage other nation-states when geopolitical, economic, and social interconnectivity tie us so close together that it’d be like attacking _ourselves_ (grin).
R