It is called Firesheep

This is a follow up to my last post – I hope this scares you. At the time I made the previous post available, I was unwilling to reveal the name of the software I was describing for fear of encouraging the very behavior I was warning users about. However, the number of downloads of this software is approaching 750,000 at this moment and attempting to limit awareness seems pointless.

So, the software that concerns me is a Firefox extension named Firesheep. When used in a setting that provides open wifi, this software captures the cookies associated with certain types of social software and allows the individual capturing these cookies to log in to the accounts of sites associated with these cookies. A couple of additional comments. First, this access does not apply when cookies involve https – your banking data appear to be safe. However, some services (e.g., Facebook) use https login, but then send cookies in the clear. So, you cannot be assured that because you see https you are safe. It is not possible to capture cookies sent by every online service, but this may change as the software is upgraded. Finally, Firesheep is pretty much a common man’s tool providing the capabilities that hackers already have. That is the point of the developer and I guess each of us will decide what we think of the decision to make public a tool providing this capability to pretty much anyone. The motive is really to force change. Open wifi providers can do certain things (go to WPA protection and offer login info to users). The big online services can also go to https throughout.
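A site operator can test for the "https login, then cookies in the clear" pattern described above by auditing the headers of the login response. The following is an added example, not part of the original post; the host social.example, the cookie name and all header values are constructed.

```python
# Added example: audit response headers for session cookies that would
# leak over plain http after an https login. All sample data is constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lowercase attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    https = url.lower().startswith("https://")
    findings, has_hsts = [], False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cname, attrs = parse_set_cookie(hvalue)
            if not https:
                findings.append(f"{cname}: set over plain http")
            elif "secure" not in attrs:
                findings.append(f"{cname}: no Secure flag, will ride on http requests")
        elif lname == "location" and https and hvalue.lower().startswith("http://"):
            findings.append("redirect: https login hands off to http")
    if https and not has_hsts:
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed login responses for a hypothetical site, social.example.
WEAK = [("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Location", "http://social.example/home")]
HARDENED = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
            ("Strict-Transport-Security", "max-age=31536000"),
            ("Location", "https://social.example/home")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response("https://social.example/login", hdrs))
```

The weak response reproduces the situation in the post: the login itself is encrypted, but the session cookie has no Secure flag and the browser is redirected to http, where the cookie is sent in the clear.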

What can you do? Here are a few ideas I have picked up. I offer no guarantee. Clearly you could simply avoid public wifi.

I would suggest when using public wifi you consider using Firefox with the following extensions:

  • Blacksheep – this is an extension that supposedly reveals if someone in your vicinity is using Firesheep
  • HTTPS Everywhere – this extension from the Electronic Frontier Foundation will attempt to force https – provider must have https as a possibility

When I or pretty much anyone else writes about copyright the post usually begins with the statement – I am not a lawyer (even lawyers seem to say this). I am adapting this CYA for this situation to indicate that I am not a hardcore hacker. I can use the tool I describe here to steal cookies, but so can you. I make no pretense of knowing how much I would rely on the suggestions I make. I have tried them using two computers in an open wifi setting and know that they do offer some protection.


Open WIFI – I hope this scares you

I have been trying to decide how to present this without encouraging the behavior I describe here. I have decided not to name the product I describe. Many who follow this blog already know the name of the free download I am describing, but I think I can spread the alarm without adding to the problem.

Be aware that in any location with open wifi, others sitting in the same location can steal cookies sent by your computer to the Internet. Among the different functions a cookie serves, a cookie allows your computer to stay connected to a site that requires a name and password login. You do not have to log in for each page you view. However, cookies are basically sent through “the air” and can be captured. I picked up the cookies in the image below in 5 minutes in the coffee shop across the street from my office.

I could click on one of these icons and I log in as that person.

What to do?

1) I showed the manager.

2) Be aware of any wifi that does not require you to log in. As I understand the situation (via Leo Laporte and This Week in Google), everyone can be given the login name and password for a protected wifi system and no one could do what I have just done. Use WPA encryption. In other words, the name and password can be given to everyone. Hence, Starbucks could use Starbuck and Starbuck and post this information prominently. It is not the password that provides the protection but the way the encryption works to isolate users. I hope this is correct because it would certainly be a practical solution – I listened to the Security Now podcast to verify, but I have also found a little different story online.

3) https is protected, but I would think the danger would be present for those who use the same name and password on other http and https accounts. I am guessing here, but this would seem to be possible.

I have viewed stories regarding measures that may thwart this security problem or at least alert you that someone is running the software within the vicinity. I cannot vouch for these measures. I may post again to reveal more later, but this is obviously a real danger for those of us who frequent coffee shops and other locations with open wifi.


Bloglines Resuscitation

A month or so ago we were informed that Bloglines was going away. For many of us, Bloglines was the first RSS tool we used to follow bloggers and topics. For those of us assisting others in making use of technology, it was likely the tool we taught. Free services face a certain reality no matter how useful the service. There must be some revenue from somewhere to maintain the service.

I did not know the history of Bloglines, but according to Wikipedia it was sold to ask.com in 2005. Whatever Ask’s original idea, it decided to give up on the service and shut it down on Oct. 1. Many of us moved on. Just a few days ago it was announced that Bloglines was available again.

I think the way this played out was not good. Because Bloglines was not available, I explored a bit and found a method for following feeds that was superior to my experience with Bloglines. I use an iPad app, Newsrack, to follow feeds from Google Reader. The big advantage of this arrangement is the opportunity to process information by sharing items I identify as useful to Instapaper, Delicious, or my email. At this point Bloglines is going to have to offer some new features to get me back.


GeoDome – Science by immersion

Cindy presently facilitates the implementation of a grant focused on providing immersive educational experiences using a GeoDome. To imagine the structure of a geodome think in terms of the blow-up, large size, outdoor structures you sometimes see temporarily set up in parks during the summer to provide fun for kids repurposed as a mobile planetarium and more. The key to the immersive experience is a special 3-D projection system. The effect of being in the environment can be quite physical – if the sky suddenly begins to spin around you it is difficult to stand up.

The twin goals of the project, at least as I understand them, are to bring unique science experiences into area schools and to expand how pre-service teachers think about science education. The system is most fully developed as a planetarium, but is capable of offering other experiences. I took the following pictures at a DomeCast – a presentation on the geology of oil streamed to interested sites from Denver.


Anti-mathemagenic web activity

There is a concept related to learning and studying that I have carried over from my grad school days. E. Rothkopf proposed a concept he called a “mathemagenic” activity. I remember mathemagenic to translate as giving birth to knowledge or something similar. It was the idea that an external activity could encourage productive cognitive behaviors in some learners and at the time I remember it being associated with adjunct or interspersed questions. In other words, attempting to answer questions can engage students in thinking behaviors they might not generate on their own. I suppose there are similar concepts, e.g., generative activity, but I continue to use the original term rather than adopt newer, but similar terms.

Anyway, I like the idea that external activities can encourage productive internal behaviors. I assume this assumption is what encourages suggested study strategies and learning tasks. As I have used the concept in my own teaching, I began to consider whether some external activities could be anti-mathemagenic. In other words, could certain activities limit learning. My original example originated from thinking about my own behavior. In my example, highlighting is the external behavior. Sometimes it seemed when I was feeling lazy I would identify important ideas while reading that I did not fully understand, but I would highlight this material assuming I would return and think more carefully later. Of course, if I failed to return to review, I would be worse off for deferring the work of understanding.

I have read Carr and other critics of Internet information processing and I have begun wondering whether certain patterns of Internet use are anti-mathemagenic. The key here would be if some less productive behavior were substituted for more productive behavior. I sometimes find myself using Instapaper in a way that could be mathemagenic. Instead of fully reading something I identify as potentially valuable, I send things to Instapaper and I assume I will read carefully later. I think moving from blogging to micro-blogging would fit. Blogging is work. It takes time and thought. Microblogging (Twitter) is easy in comparison. Twitter may be an effective way to offer links to others, but it offers little in encouraging personal thinking.

Mathemagenic and anti-mathemagenic activities are difficult to spot in someone else. You can’t see internal behaviors. However, I am guessing if what you are doing is easy or quick, little cognitive activity is involved.


Am I getting credit for this?

Cindy recently relayed to me a post from the IT forum regarding blogging (and I assume other forms of online expression) and whether such activity should count for anything among those of us who are college academics. This got me thinking. I have blogged since 2003 and authored content for public consumption before that. Sometimes I did the latter because of funding I had secured (I was lucky enough to be in on a Technology Challenge grant many years ago), but mostly I wrote and still write as a hobby. Perhaps I should now argue for compensation. I also serve as a department-level administrator and I deal with contracts and expectations on a daily basis. I have listened to many arguments related to what faculty members would like to receive credit for doing. My point? I can imagine myself dealing with this topic from several perspectives.

First, here are some of the links referenced on the listserv and on linked blogs:
Hastac
Virtual School Meanderings

My reaction as blogger:
If I were to attempt to make a case for my online content as part of my job, I think I would argue that it would be part of my service or perhaps part of my teaching (as professional development). I think some of the things I have read (listed above and comments to those posts) reach the same conclusion, but then note that this does not really count for much. I work (except for my administrative responsibilities) in what is pretty much a 60, 30, 10 model (teaching, research, service). Most of the evaluation for teaching relates to what I do with students and very little to my own efforts at professional development. I don’t know that I even bother to list professional development activities (what I read, time spent at conferences, etc.) when I list my annual activities. The 10% for service also gets broken down and variability from one faculty member to another in some fraction of 10% amounts to very little difference in the annual merit evaluation and certainly little toward major decisions (tenure, promotion).

I do not regard my activity as research and I have reviewed very little online that I feel should qualify. I am an educational researcher by profession and my research activity is assumed to be based on data that I collect. I publish formal papers based on these data and my analysis. Writing in reaction to what I read elsewhere is just my opinion and not research. My opinion may be worth something because of my personal experiences, but offering such opinions would be public scholarship as teaching or service and not research.

My reaction as administrator:
When we hire individuals we make a good faith effort to explain the type of program we are and the type of activities we expect of those we hire. Certainly, this is what we expect of individuals in evaluating them for tenure. If individuals decide they would like to spend time in creative ways after tenure, we encourage such behavior (I think the faculty handbook says 20% of effort) but what one does with this 20% does not guarantee anything when it comes to merit. I guess my point is that it is possible that offering “information” to the public in the form of blogs or other unmoderated content could be of value if an institution saw offering such information to be part of the institutional mission. I think you ask this question before accepting a contract and do not argue about expectations later.

If a blogger (or writer) can make some money I think we accept this as part of the 20% allowed for such activities.


Flashcards

I have an assignment in my Educational Psychology class that asks each student to try and then evaluate a study strategy. I offer a list with some options and allow students to add their own. Past experience has demonstrated that the students gravitate toward a limited number of options. I now require students to register their selection with me and I cut off an option after it has been selected by 10 students. I want to create a situation in which we have some different options to discuss.

The most popular choice this semester was note cards (flash cards). So much for trying something new. It has always struck me as a little sad that advanced students seem focused on memorization. Perhaps they see the challenges of exams differently than I do. I think I am asking them to demonstrate or apply, but they see the most immediate challenge as recognizing key terms in the questions. Perhaps they feel that once they can translate any unique terminology, the rest tends to be easy. So, I have mixed feelings about this post. Here, I offer a suggestion for a “better” flashcard system. Clearly knowing some things is necessary, but we hope students make the investment to do more.

Handheld devices (phones, iPod, iPad) offer a convenient technology by which improvements to note card flashcards might be accomplished. I see I generated a post in 2008 describing flashcard apps for the iPod Touch. Cindy has been exploring newer flashcard systems for the iPad so I purchased a few myself and spent some time during the football game exploring. My favorite ended up being Flashcard Deluxe. I purchased the version I used to generate the screen captures, but there is a lite version you might explore.

Technology offers the opportunity to improve the traditional flash card experience in several ways. The advantages I describe are available in my recommended app, but may not be in alternatives.
1) A device-based system can collect data on performance. With Flashcard Deluxe, the student determines whether a response is correct or not (actually a three level system is available – strong answer, moderate answer, poor answer) and this delineation can be used to change the probabilities of seeing an item again.
You swipe a different direction to indicate which best represents your answer. Items can also be categorized. The self-scoring system also allows the question types to be varied – you could use multiple choice, but why not use open ended questions. Just creating the questions and responses is likely a valuable learning experience.
2) A device-based system allows multimedia. My daughters were heavy flashcard users because of the types of content they studied to become a physical therapist and an occupational therapist. Cindy did get the youngest to use a technology-based system. I don’t know if they would have sketched representations of the things they studied or not. How do you study musculature and the skeletal system with terms and definitions?
3) A digital system allows the accumulation and sharing of content. Flashcard Deluxe allows sets of flashcards to be downloaded from Quizlet and from a collection accumulated by OrangeorApple (the company responsible for Flashcard Deluxe). A student or group of students could create and share study aids.

A couple of screen captures:

This is the card that allows the creation of a given flashcard. There are three sides – a question, the answer, and other info. You do not have to use all three. In the following image, you can probably figure out that the question is really an image (the picture), the second side is the name of the organism, and the third side provides some additional information. I was a bit lazy in generating this example. You can include a lot of content on each side.

So, this would be the “question” side of the card.

This would be the third side (in this case, the deck was intended to be a collection of macroinvertebrates that indicate good or poor water quality).

