On a recent visit to the University of Exeter the Digimap team learned of their regular Mapathon sessions. Dr Damien Mansell from the University of Exeter’s Department of Geography has kindly written a short piece about their mapathons for this blog: The second week of November was an important one for Geographers and Geography departments around […]
Today I’m at the IT Futures Conference 2017, an annual University of Edinburgh conference. I’m chairing a session later but I’ll otherwise be liveblogging our wonderful speakers.
John Lee is introducing the day – which is being recorded – and also noting today’s hashtag which you should definitely keep your eye on today: #itfutures.
John: Today’s event is about Scaling and Transformation and there is a lot to challenge ourselves with, we hope there will be a lot for us to think about and reflect upon over the Christmas break.
Our first speaker today is Melissa Terras, who recently joined us from UCL as our new Professor of Digital Cultural Heritage.
University Technology Futures: the View from a Newbie at the UoE – Professor Melissa Terras, UoE College of Arts, Humanities and Social Sciences
There are two ways to do these things: the show and tell or saying something more meaningful. I hope to do the latter today.
So, I went from studying Greek sculpture to doing hardcore machine learning in my PhD and research. I then went to UCL where I was one of the founders of the UCL centre for Digital Humanities, working on
I will be directing “digital stuff” at the College of Arts, Humanities and Social Sciences, and working heavily with the Edinburgh Futures Institute which is leading data driven innovation for the College of Arts, Humanities and Social Sciences. So, futures… There are a lot of those… So many futures initiatives and organisations but also we face a rather uncertain future… And we will be looking at these issues at the EFI, how to deal with this uncertain future and the changing information environment. And of course the word comes from financial markets, it is speculative. When you think to the future you see speculative fiction imagining what might happen, but what does this mean for us as a University?
If I’d given this talk a few years ago it would have been quite different. The internet is changing as an environment and it has become a less pleasant place to be over the last few years. I’ve actually done some grieving for the internet I grew up with… I’ve been online since I was 17 and a lot has changed. But let’s be more positive, what will we do to equip ourselves for this information environment?
So, let’s start with the students – those people we criticise for not being able to buy a house because they are buying too many avocados… Let’s start with ethics… I’ve been working on a project called Digital Library Futures – looking at usage stats of who borrows what, and that comes with issues of anonymity, huge ethical issues, huge data protection issues. These are the conversations we have to have with our students to understand what we can and should do.
I’ve said it before but… All data is history. It comes with a cultural background, a societal history… We do this in historical studies all the time, but do we do this with our informatics students? We’ve been doing some work at UCL on the Times Digital Archive (1785-2010) which looks at how men and women are talked about… If you use this as a training corpus for machine learning you are embedding the bias and historical issues into that learning. Even historic information has a real impact on current computational work and approaches.
Which brings me to diversity… There is a lovely piece of nineteenth century newspaper analytics identifying images from newspapers… But only white men. There were images of women and non-white people in those papers but machine learning hasn’t recognised them. This is so important in how we use and train machine learning and what computational methods we use…
And then there is context and understanding what you engage with… There are the sites that let you automatically insert yourself in a range of images – without any idea of provenance or context. Or the Twitter bots that will give your profile image a smile… A huge shout out here for librarians.
What about academics? Well all of the above! But also… We need to understand what is happening
How locked down the digital environment is – there are things I can’t do with my desktop, and then three days later it changes. I’m working on an EU handwriting recognition project and it’s hard to install the software I’m writing. To enable data driven innovation we have to give people flexibility – if you don’t do that people do workarounds and that’s where security issues start to come in. We need to ensure we have the access to do this work.
The other thing I wanted to mention is the Jeremy Bentham Panopticon… Whether through diary systems… And also lecture recording… And the change in rules that students can record anything and what that means for what we say… How you talk about your work changes when that is recorded. Being recorded at any time by students what does that mean for students… And what does that mean for students from, say, Turkey… Anything we do can potentially be done at any one time. You may think that I’m being paranoid. There have been all sorts of threats, death threats, scandal, etc. when something is broadcast and shared. How do we support staff and students if something goes wrong. So we have to understand that challenge, to engage with difficult topics.
I’m a great believer in looking after its own data… What does the university do to archive its own websites… What can we do to best look after our own information environment – our work, our data, our web content.
So, we have a bright future ahead. But it’s a complicated future. We have to be aware of all of this, we have a role to be the place to go for truth when truth is being debated… And that’s where the Edinburgh Futures Institute comes in. We are still developing our work – keep an eye on the website, https://efi.ed.ac.uk/. It has huge potential and a real opportunity to be a beacon of light and truth at a time when the world really needs that. And I am hugely excited to be here and in a role that can help shape that.
Q1) You talked about light and truth… What about openness… And being closed about some things… How do you provide spaces that are both open and closed and safe?
A1) I am a firm believer in Open Data and Open GLAM, but I think it’s about equipping people with the skills to understand when and how and what framework you can share under. It’s not about closing things off but about being tooled up as an individual. The Open Data and Open Science agenda tends to be about projects post-peer review when they are ready to share. I was talking with a colleague here working on the history of censorship and she isn’t on Twitter because of the abuse she’d get for her work – and that is the right decision for that context… Having those skills to decide is important.
Q2) Thinking about the GDPR coming in, as a newbie, how do you think the University is prepared, and how do staff manage their own digital environment in that context?
A2) I am on committees at Edinburgh, I was on similar at UCL, and I have sat as an external person on similar groups at Oxford. Across all universities there is a need to help staff understand the legal requirements, and the significance of them. These things are generally understood better when something goes wrong… In a way that’s the “Daily Mail” test – will what we are doing be at risk of appearing there?! But I have been cheered by what I have seen over the last few weeks here, and where the thinking is at.
Mr Stefan Hyttfors
I thought I would start by telling you about my 21 year old son who is a university student. He lives away from home… This summer we sat down together to have this great barbeque, to talk about his plans for the summer… About what he would do for a summer job… And he said “no, I won’t get a summer job” and that surprised us as he had lots of plans, and they require money… But he said “it’s fine! I have this crypto currency wallet” and he had 2 bitcoin – which last summer was worth about $5000. And I wanted to start with that… He questioned what is money, is paper money real? It’s belief, we believe it has value because it has been there for a long time… We have symbols… the dollar, the pound, the krona, the Euro… We don’t believe in the paper anymore but we believe in the banks, we check on our phones. We don’t ever see our money as a thing… We know what they owe us, as long as we believe in that system, it works. He said he doesn’t believe in that system – it’s dysfunctional and it will be disrupted… It is an inefficient system… I believe in crypto currency. And his bitcoin is worth more like $37k, so he was right, he didn’t need a summer job.
What Melissa told us about education is right, if we want to create new citizens… We do know that in the future we have huge problems… We have climate change. We don’t know if we can cope with that yet… There are ways to change your impact: eat less meat; fly less; drive an electric car or ditch the car altogether. There is one way to trump all that: have less children! We are in this time where the best way to save the future is to stop having kids… Which is strange… Surely a better faster idea would be suicide? Zero carbon emissions! But this is serious… We need to understand and think about how we think about the future, about what we can do… I’m in a hotel tonight, and the hotel has a sign to reuse the towels to save the planet… But the planet will be fine for millions of years… We have to think about the future of humanity, and that’s about sustainability in all senses – environment, diversity, equality… If we don’t do that we will have more divide, more people scared about human futures.
And now we have the internet. The internet is a stupid network…. For thousands of years we collaborated in hierarchy…. Better to be part of that at any level rather than being alone. But now we have a decentralised network… It’s all of us and everything, in a mess… And since we are connected in a mess and not a hierarchy, we don’t need a boss… So I have experience, and I can tell my son how to address issues in the world… But what if I’m wrong…. That means there is no boss, no teacher, who has the power to say what should happen, innovation is at the edges… In universities you pushed out ideas, you had the power; companies too pushed things out. But now innovation is in the edges… There is no boss now. It’s decentralised, that’s the whole point… This is how crypto currencies are being established right now… Rather than having trust in just one bank… Let’s instead trust in all of us, keeping transactions across millions of ledgers, there is no middle man, no one database to hack anymore… This couldn’t work without network effect. In any university or country we need to have scale… This took off about 10 years ago… This summer was the tenth anniversary of the launch of the first smartphone, and it’s an amazing product launch from Steve Jobs – who points out current “smart” phones which are all about hardware, which can’t be easily changed as the world changes… He said then that we’d fixed the issue for computers but not for phones… Well we are still just at the beginning. Things are still changing..
The world is changing from hardware to software… Not just phones… From a University building to software… From products to services… This means we can’t think of the future in a linear fashion… In a corporation they talk about growth, in a country it’s GDP growth… in our lives we see our ages go up but it’s an odd way to mark things… I might instead celebrate the years I have left to live to keep me focused on what matters… Whatever we work on we do everything a little bit better all the time, we compete on scalable efficiency… If we are more efficient than competitors we are safe. This is a model that is seen as best practice right now… But that applies until we find a new way to address the issue… That is probably technology but may well not be devices… For instance I don’t need to own a car now, I can use Uber… That’s a new technology. New stuff is new! The world changes… And that always appears in “S” curves…. First it doesn’t work, we ridicule it… Then leaders are learners… That’s where we need a university to study and explore – there would be no new practice without it… Then we learn and adjust… and eventually it takes off and quickly thanks to network effects.
But what if I’m the blue (steady upwards) line here… What if I don’t know how to solve the problem… When the red line crosses the blue line, the blue line is over… This is a bit like the Christmas Pig in Sweden – all looks good until Christmas! Right now we have big organisations going out of business… disruption are our unicorn companies… You get disruption because you do something very very good with efficiency in mind… And you get disrupted because they find a totally different way to solve a problem. We say this in media – newspapers, music, film. And now we see it in retail… We see lots of large retail brands ticking along, busy, doing well… And then Amazon performing so much more successfully. Eric Hoffer says “In times of change learners inherit the earth; while the learned find themselves beautifully equipped to deal with a world that no longer exists”.
As humans we always solve our problems with technology. So 1914 we have the Ford Model T launched… We have huge adoption growth, a few years of decline during the second world war, but by 1991 we are at 91% adoption… You have 76 years to adopt the technology… But right now the S curves are like rockets! An idea appears and it is adopted hugely fast! And we don’t need to shift products anymore, we can ship ideas… Artificial Intelligence is about creating machines that do not need to be programmed… Maybe you heard about the defeat of a Go champion beaten by a Google algorithm. This isn’t chess, Go is a game with 10 to the 5 variations, which has been taught from generation to generation. And that was last year, now there’s a new version of that algorithm – Alpha Go Zero – which learns the game from nothing and in 40 days learned enough to win 100 games in a row against the previous algorithm… What AI learns from us may only slow us down…
It’s scary though! We worry “Will robots take our jobs?” but that’s stupid. We are the creators. We solve problems with technology, we are part of technology… If you think about your day, your experience, how you think about life… Think about electricity and what would happen if you took that away, what that would mean for our lives… It’s hard to imagine that though. Douglas Adams described what you have now, that’s what has always been… But everything invented after the age of 35 is just not normal… We take for granted the technology we have available to us. Technology is part of us. It’s not robots or human beings, it’s still us and what we want to do with technology…
When I was growing up computers were the size of a room… It wasn’t accessible or cheap, it was a huge mainframe… Now we’ve moved to mobile, to wearable, to technology that can be embedded in us as well… Your grandkids will talk about you, and think you know nothing… We will have new problems… Technology will tell us not to have another beer because it will knock 15 minutes off your life… Your insurance company may stop covering you… That’s a new problem… Maybe privacy becomes the currency in the new world.
So, as we think ahead think about one word, think about dematerialisation. Digitisation means the marginal costs go down… It goes down over time… What is the marginal cost of taking pictures now? It’s zero! But you used to just have 24 shots to use, or maybe 36… It was a bigger cost… You didn’t take lots of them… Then you sent them off… And two years later you finish the film and send off… Now our toddlers can take 2000 self portraits a day! We talk about healthcare in those terms of unaffordability now, maybe we afford it through digitisation….
One more example we hear about is the automobile industry… Cars were complex… Now they are smaller, lighter, autonomous… We only have a driver now because the law requires a human in charge… Today when you say “look at that guy, he’s texting and driving!”, but in less than 10 years time you’ll say “look at that guy, he’s driving!” People are the inefficient part… 1.2 million people die in traffic accidents… We don’t know how to drive… But how do we deal with this… This traffic cop pulls up the Google Car and he doesn’t know what to do… No-one is in charge… But if we need fewer cars, we make fewer cars… That means the automobile industry will decline… We need to move from physical ownership of cars to the shared infrastructure for getting around. And that can be ok. But that won’t work when policy makers force us to stay in the past, to protect the old way of doing something..
Same with education… If you grow up in Uganda you just need access to the internet… You can take one of 250 courses at Harvard for free online… You don’t need the concrete building. It doesn’t matter how much political power you have, technology beats politics… They trump politics and borders… Online there is no Brexit… It’s not just corporations but also individuals that have access to technology. We can solve big problems this way. That means that the issue isn’t technology but humanity… Do we want sustainability, equality, space to explore… Do we want to see GDP growth. What do we believe in as a society… We have fantastic economic growth… GDP is growing… More people on the planet than ever before have access to technology, to healthcare, to vaccines. But non-humans… Oceans, forests, etc. are dying, we are clearing land to support us farming meat. We have huge air pollution issues. If we keep going on that blue line we won’t have water, air, forests to support us, we all depend on us eventually… No matter what you believe in…
There is one thing we can all relate to… There are 7.5Bn people on just one planet… No matter what business or education or purpose model we have, we have to solve our problems within that limit… Until 1986 we were just about sustainable…. Right now we are using 1.6 planets worth of resources… We have to create much more with much less… Some things, some business models, some GDP standards have to shrink not grow. It’s pretty clear that my son and his generation are aware of this, they see that old model doesn’t work, that it doesn’t make them happy… We have all these things, but we don’t have happiness… That’s not my opinion, that’s the World Health Organisation’s opinion. We have a huge number of people with depression, we had 800m suicides last year. A lot of things are pointing the wrong ways… This is why future generations think old models are bullshit. They see that there must be a better way to do it… Stephen Hawking says that “history teaches us what didn’t work” – we have to come up with better conclusions… If we are at this point in history when sustainability means no babies… Then we clearly have to change… From an educational perspective I think it is clear I don’t need a university, or a teacher… I need a network. Perhaps the university or the teacher can be a helpful node in this network… But it has to be about creating a better future, rather than preserving an old model.
Response – Jen Ross
What we have from Stefan is an opportunity to reflect on what we need to do as educators to consider different sorts of materiality. We have to educate not just with technology but about it. We have to see technology as deeply integrated with society and our values. This has implications for what we do as an organisation as well… How do we want students to respond to this new world… People at this university talk about the future in a lot of interesting ways. Posing interesting questions… This year Sian Bayne and I led a course on digital futures, and the Near Future Teaching project is looking at what teaching of the future should be… These conversations are happening. And this organisation is already thinking about ethical issues… And I want to ask you about being creative and critical in these discussions, and who can you talk to about the ideas today?
Q1) I noticed in Stefan’s presentation a self-driving car… Am I correct in saying that a self-driving car slowed when passing two females… and is that an example of bias in the algorithm?
A1) I have an autopilot on my car… and you get used to that quickly… That makes me dangerous in my wife’s car – I forget I am in charge. What Melissa raised is important in terms of bias embedded… Maybe Alpha Go can teach us something about teaching the algorithm… Maybe we can learn something new… It’s an amazing time to be alive. Thinking about the future as a destination makes the present an obstacle… We know what the future will be like because this moment is the future…
Q2) One of the interesting things about being in this room is that people here work on systems… The internet isn’t stupid… That’s a live issue in the debate over net neutrality… That’s likely to break at some point… People have been trying to keep the network stupid but what happens when that breaks, what happens without net neutrality…
A2) I don’t know it has to break… But in a decentralised network there is no way to stop it… So big organisations doing things to individuals doesn’t work this way… You could only shut down blockchain by cutting power… And that’s hard to do… Most of the blockchain miners are in China and not in the big cities… I don’t believe in paranoid scenarios where you have evil Trump, evil Google… As soon as they do something bad enough… We go somewhere else… I refer to bitcoin as it’s a really interesting example. Big banks have a business model that depends on all the big people… So how do you close down a network like Bitcoin… You could do that by paying them to opt out… But that would cost £300bn right now. I do see huge problems with protectionism, because of populism, because of inequality. We have enough stuff but we don’t share it well enough… People get scared and then we go for protectionism and nationalism… I don’t claim to have an answer…
Q3) I was meeting with union heads yesterday and AI came up and the potential for disruption or job losses… I’d like to hear your view on the total amount of meaningful work and jobs over time… Any thoughts on how to deal or think about that.
A3) It’s a valid and important question. What is a meaningful job? Gallup says that only 13% of the workforce is really engaged in their role… Most people do “robot jobs”. That should mean that that opens up… As long as job loss means free time rather than our future being screwed, that’s fine… As long as people believe that we need jobs and politicians argue about creating jobs… It’s easy… Ignore technology… that will create jobs… The issue is sharing resources and the outcome… But that’s not easy… And more time means more time to think about the meaning of life. I don’t have a boss or a job as such. I’m curious, I travel, I’m essentially a student… And what I do funds my life… Let’s talk about sharing resources as a problem… We have a system that has served us well… But now we are scared of missing out… That’s the thing about Trump and Brexit… People are scared… We have to realise that and address it…
And with that we go to coffee…
As Christmas approaches we thought we’d pull together a few Christmas themed activities for Primary schools.
Activity 1: What’s the quickest route for Santa?
This is a whole class activity and involves the use of pupil postcodes. The locations are plotted onto a map, so pupils can see all the locations Santa has to go to in order to visit every pupil in the class. Pupils should then either work independently or in teams to identify the quickest route for Santa to take. The number of combinations should make it an interesting little competition to see who identifies the quickest route! (Perhaps a Christmas themed prize for the winner.)
Step 1: Create an Excel spreadsheet with the pupils’ postcodes and their names. NOTE: Make sure the postcode column has ‘postcode’ at the top and the name column has ‘label’ at the top. Please also ensure that you save the file as a .csv (comma separated value) rather than an .xls.
Step 2: Once you have saved your file in Excel, you need to upload it into Digimap for Schools. Simply open the annotations toolbar and then go to the markers section and upload your file.
Step 3: This is the stage at which you are able to start planning Santa’s route. You will see all the locations with the pupil’s name beside each one. You then simply get the pupils to draw a line between the different pupils’ houses to see which is the quickest route. You can use the measurement tool to get the length of the individual routes. Remember you can add some photos to your map also!
Activity 2: Digimap Christmas Jigsaws
This can be done either as an online Jigsaw or as a hard copy. You can generate a series of maps with ‘secret’ Christmas phrases or words that correspond to places on your maps. E.g.
To create an online Jigsaw I’ve used Jigsaw planet https://www.jigsawplanet.com which is very simple to use and allows you to create your jigsaw. Alternatively you can simply download a Jigsaw image from Google e.g. http://miamibox.us/puzzle-piece-template.html and place it over your map in PowerPoint. Here is an example of both:
These are quite festive little activities which can all be done pretty quickly in Digimap for Schools. We wish you all the very best in the run up to Christmas and hope these activities can be of some help!
We’ve created a quick video to show you how to do these tasks above….
The Geography GCSE curriculum has changed over the last number of years so we decided to have a quick look into what had changed and more importantly how Digimap for Schools can cater for these changes. We looked in particular at the AQA, Edexcel, OCR, WJEC and CEA examination boards. We noted that the majority of these examination boards now mandate that two field studies are required, one for physical and one for human geography.
As we got into the bare bones of the specifications we noted some common themes occurring in the Controlled Assessment/Fieldwork. Many of them had similar themes for the Data Collection and Data Presentation elements of fieldwork. We created this short video highlighting how Digimap for Schools can help. Hopefully this will showcase how beneficial the service is to teachers and pupils at GCSE.
On 30th November 2017, we released Beta versions of our new Roam mapping application for all Digimap Collections. Log in to Digimap and click on each Collection to find the link to each new Roam: The functionality of the new application remains the same, but we hope you agree that the updated look is easier […]
We’re always interested to hear how you use the Statistical Accounts. Family historians are one of the key groups who make use of our service so we were delighted to see Jane Harris recently publish a blog on using the Statistical Accounts for family history research. Jane has kindly agreed that we republish her post – we hope it’s useful for those of you researching your Scottish roots!
Jane specialises in Scottish genealogy and family history. A member of the Association of Professional Genealogists and the Scottish Genealogy Network, Jane provides both family history research and tutoring so you can do research yourself. Her particular interests include the Stirling area, where she lives, and Orkney, where she was born and grew up. Jane described her experience with the Statistical Accounts for us:
A row of books with rather dull dust jackets; a couple of interesting quotes in a lecture or course book. That sums up my knowledge of the Statistical Accounts from my student days. When I started seriously researching my own family history many years later that view changed rapidly. Checking the earlier censuses, I was fascinated by the number of distinctively Highland surnames in my father’s home parish of Walls, Orkney. The Old Statistical Account provided an explanation: that a large number of people had come from “Strathnaven”, having been cleared to make way for sheep, so early victims of the clearances. I was hooked.
The Statistical Accounts are now one of my standard sources for client research in the late eighteenth to mid nineteenth centuries, both for general background and also for specific information on churches, migration, occupations and so on.
Now for Jane’s original blog, with some great pointers…
S is for Statistical Accounts of Scotland
Keep reading! They are far more than numbers. The Statistical Accounts are two fascinating sets of reports on each Scottish parish in the 1790s and the 1830s/40s. They cover economic and social activities as well as natural resources.
What, when, who, how?
Sir John Sinclair of Ulbster sent out 171 queries to the ministers of each of the 938 parishes in Scotland in the 1790s. Their responses form the Old Statistical Account (OSA). In 1832, because of all the changes that had taken place in Scotland, a new survey was agreed. The responses are collectively known as the New Statistical Account (NSA). Find out more about the background.
How are the Statistical Accounts useful for family history?
- Context for our ancestors’ lives.
“The prejudices, entertained by the inhabitants of this parish, against inoculation [sic] were, for a long time, invincible. But the better sort, setting the example, the rest gradually followed… In one season 460 were inoculated, of whom only 3 died” (Kilmalie, Invernesshire, Old Statistical Account, p409). Mortality by age group statistics (Glasgow, Old Statistical Account p508).
- Information on churches other than the established Church of Scotland.
“There is in St Ninians a Relief meeting-house… there is another meeting-house in Ba-burn connected with the United Secession” (St Ninians, Stirlingshire, New Statistical Account p336).
- The state of the parish registers. May explain why you can’t find a baptism:
“the fourth is a mere ragged fragment” (Wick, Caithness, New Statistical Account p137).
- Names of landowners, which could lead you to estate records.
For example, see Menteith, Perthshire, New Statistical Account p1108.
- Local history generally, development of industries, migration and so on.
“What accounts for this [population] increase of 71 is the settlement of a colony of Highlanders, who had been forced to emigrate from Strathnaven [sic], where their farms had been converted into sheep pasture” (Walls, Orkney, Old Statistical Account p313).
- The minister’s view on his parishioners.
This snip from the Dalziel, Lanarkshire, (Motherwell area) New Statistical Account is particularly rich:
Topography, geology, botany, agriculture, weather, population statistics, diseases, the state of the church and manse, manufactures, occupations (for example see table from Inverness’ Old Statistical Account below), wages, prisons, schools, language, history, antiquities, communications – and much more. Each account as individual as the minister who wrote it. You can find them all on the Statistical Accounts of Scotland website.
Thanks to Jane for letting us share her thoughts. You can find Jane’s blog here:
Follow Jane on Twitter @janenharris
Let us know your story
Could you share your Statistical Accounts experience with us? What have you found that’s been particularly helpful in your local or family history research? We’d love to hear from you. Comment below or email us, email@example.com.
Today I am at the Scottish Government for the Digital and Information Literacy Forum 2017.
Introduction from Jenny Foreman, Scottish Government: Co-chair of community of practice with Cleo Jones (who couldn’t be here today). Welcome to the 2017 Digital and Information Literacy Forum!
Scottish Government Digital Strategy – Cat Macaulay, Head of User Research and Service Design, Scottish Government
I am really excited to speak to you today. For me libraries have never just been about books, but about information and bringing people together. At high school our library was split between 3rd and 4th year section and a 5th and 6th year section, and from the moment I got there I was desperate to get into the 5th and 6th year section! It was about place and people and knowledge. My PhD later on was on interaction design and soundscapes, but in the context of the library and seeking information… And that morphed into a project on how journalists use information at The Scotsman – and the role of the library and the librarian in their clippings library. In Goffman terms it was this backstage space for journalists to rehearse their performances. There was talk of the clippings library shutting down and I argued against that as it was more than just those clippings.
So, that’s the personal bit, but I’ll turn to the more formal bit here… I am looking forward to discussions later, particularly the panel on Fake News. Information is crucial to allowing people to meaningfully, equally and truly participate in democracy, and to be part of designing that. So, the importance of digital literacy is crucial to participation in democracy. And for us in the digital directorate, it is a real priority – for reaching citizens and for librarians and information professionals to support that access to information and participation.
We first set out a digital strategy in 2011, but we have been refreshing our strategy and about putting digital at the heart of what we do. Digital is not about technology, it’s a cultural issue. We moved before from agrarian to industrial society, and we are now in the process of moving from an industrial to a digital society. Aiming to deliver inclusive economic growth, reform public services, tackle inequalities and empower communities, and prepare people for the future workplace. Digital and information literacy are core skills for understanding the world and the future.
So our first theme is the Digital Economy. We need to stimulate innovation and investment, we need to support digital technologies industries, and we need to increase digital maturity of all businesses. Scotland is so dependent on small businesses and SMEs that we need our librarians and information professionals to be able to support that maturity of all businesses.
Our second theme is Data and Innovation. For data we need to increase public trust in holding data securely and using/sharing appropriately. I have a long term medical issue and the time it takes to get appointments set up, to share information between people so geographically close to each other – across the corridor. That lack of trust is core to why we still rely on letters and faxes in these contexts.
In terms of innovation, CivTech brings together the public sector teams and tech start-ups to develop solutions to real problems, and to grow and expand services. We want to innovate and learn from the wider tech and social media context.
The third theme is Digital Public Services, the potential to simplify and standardise ways of working. Finding common technologies/platforms build and procured once. And design services with citizens to meet their needs. Information literacy skills and critical questioning are at the heart of this. You have to have that literacy to really understand the problems, and to begin to be looking at addressing that, and co-designing.
The fourth theme is Connectivity. Improving superfast broadband, improving coverage in rural areas, increasing the 4G coverage.
The fifth theme is Skills. We need to build a digitally skilled nation. I spent many years in academia – no matter how “digital native” we might assume them, actually we’ve assumed essentially that because someone can drive a car, they can build a car. We ALL need support for finding information, how to judge it and how to use it. We all need to learn and keep on learning. We also need to promote diversity – ensuring we have more disabled people, more BAME people, more women, working in these areas, building these solutions… We need to promote and enhance that, to ensure everyone’s needs are reflected. Friends working in the third sector in Dundee frequently talk about the importance of libraries to their service users, libraries are crucial to supporting people with differing needs.
The sixth theme is Participation. We need to enable everybody to share in the social, economic and democratic opportunities of digital. We need to promote inclusion and participation. That means everyone participating.
And our final theme (seven) is Cyber Security. That is about the global reputation for Scotland as a secure place to work, learn and do business. That’s about security, but it is also about trust and addressing some of those issues I talked about earlier.
So, in conclusion, this is a strategy for Scotland, not just Scottish Government. We want to be a country that uses digital to maximum effect, to enable inclusion, to build the economy, to positively deliver for society. It is a living document and can grow and develop. Collective action is needed to ensure nobody is left behind; we all remain safe, secure and confident about the future. We all need to promote that information and digital literacy.
Q1) I have been involved in information literacy in schools – and I know in schools and colleges that there can be real inconsistency about how things are labeled as “information literacy”, “digital literacy”, and “digital skills”. I’m slightly concerned there is only one strand there – that digital skills can be about technology skills, not information literacy.
A1) I echo what you’ve just said. I spent a year in a Life Sciences lab in a Post Doc role studying their practice. We were working on a microscopy tool… And I found that the meaning of the word “image” was understood differently by Life Scientists and Data Scientists. Common terminology really matters. And indeed semantic technologies enable us to do that in new ways. But it absolutely matters.
Q2, Kate SVCO) We are using a digital skills framework developed that I think is also really useful to frame that.
A2) I’m familiar with that work and I’d agree. Stripping away complexity and agreeing on common terms and approaches is a core focus of what we are doing.
Q3) We have been developing a digital skills framework for colleges and for the student lifecycle. I have been looking at the comprehensive strategy for schools and colleges by Welsh Government’s… Are there plans for similar?
A3) I know there has been work taking place but I will take that back.
Q4) I thought that the “Participation” element was most interesting here. Information literacy is key to enabling participation… Say what you like about Donald Trump but he has made the role of information literacy in democracy very vital and visible. Scotland is in a good place to support information literacy – there are many in this room have done great work in this area – but it needs resourcing to support it.
A4) My team focuses on how we design digital tools and technologies so that people can use them. And we absolutely need to look at how best to support those that struggle. But it is not just about how you access digital services… How we describe these things, how we reach out to people… I remember being on a bus in Dundee and hearing a guy saying “Oh, I’ve got a Fairer Scotland Consultation leaflet… What the fuck is a Consultation?!”. I’ve had some awkward conversations with my teenage boys about Donald Trump, and Fake News. I will follow up with you afterwards – I really welcome a conversation about these issues. At the moment we are designing a whole new Social Security framework right now – not a thing most other governments have had to do – and so we really have to understand how to make that clear.
Health Literacy Action Plan Update – Blythe Robertson, Policy Lead, Scottish Government
The skills, confidence, knowledge and understanding to interact with the health system and maintain good health is essentially what we mean in Health Literacy. Right now there is a huge focus in health policy on “the conversation”. And that’s the conversation between policy makers and practitioners and people receiving health care. There is a model of health and care delivery called “More than Medicine” – this is a memorable house-shaped visual model that brings together organisational processes and arrangements, health and care professionals, etc. At the moment though the patient has to do at least as much as the medical professional, with hoops to jump through – as Cat talked about before…
Instructions can seem easy… But then we can all end up at different places [not blogged: an exercise with paper, folding, eyes closed].
Back when computers first emerged you needed to understand a lot more about computer languages, you had to understand how it worked… It was complex, there was training… What happened? Well rather than training everyone, instead they simplified access – with the emergence of the iPad for instance.
So, this is why we’ve been trying to address this with Making it easy: A health literacy action plan for Scotland. And there’s a lot of text… But really we have two images to sum this up… The first (a woman looking at a hurdle… We’ve tried to address this by creating a nation of hurdlers… But we think we should really let people walk through/remove those hurdles.
Some statistics for you: 43% of English working age adults will struggle to understand instructions to calculate a childhood paracetamol dose. There is lot bound up here… Childhood health literacy is important. Another stat/fact: Half of what a person is told is forgotten. And half of what is remembered is incorrect. [sources: several cited health studies which will be on Blythe’s slides]. At the heart of issue is that a lot of information is transmitted… then you ask “Do you understand?” and of course you say “yes”, even if you don’t. So, instead, you need to check information… That can be as simple as rephrasing a question to e.g. “Just so I can check I’ve explained things clearly can you tell me what you’ve understood” or similar.
We did a demonstrator programme in NHS Tayside to test these ideas… So, for instance, if you wander into Nine Wells hospital you’ll see a huge board of signs… That board is blue and white text… There is one section with yellow and blue… That’s for Visual Impairment, because that contrast is easier to see. We have the solution but… People with visual impairment come to other areas of the hospitals. So why isn’t that sign all done in the same way with high contrast lettering on the whole board? We have the solution, why don’t we just provide it across the board. That same hospital send out some appointment letters asking them to comment and tell them about any confusion… And there were many points that that happened. For instance if you need the children’s ward… You need to know to follow signs for Paediatrics first… There isn’t a consistency of naming… Or a consistency of colour. So, for instance Maternity Triage is a sign in red… It looks scary! Colours have different implications, so that really matters. You will be anxious being in hospital – consistency can help reduce the levels of anxiety.
Letters are also confusing… They are long. Some instructions are in bold, some are small notes at the bottom… That can mean a clinic running 20 minutes late… Changing what you emphasise has a huge impact. It allows the health care provision to run more smoothly and effectively. We workshopped an example/mock up letter with the Scottish Conference for Learning Disability. They came up with clear information and images. So very clear to see what is happening, includes an image of where the appointment is taking place to help you navigate – with full address. The time is presented in several forms, including a clock face. And always offer support, even if some will not need it. Always offer that… Filling in forms and applications is scary… For all of us… There has to be contact information so that people can tell you things – when you look at people not turning up to appointments was that they didn’t know how to contact people, they didn’t know that they could change the appointment, that they wanted to contact them but they didn’t want to make a phone call, or even that because they were already in for treatment they didn’t think they needed to explain why they weren’t at their outpatients appointment.
So, a new action plan is coming called “Making it easier”. That is about sharing the learning from Making it Easy across Scotland. To embed ways to improve health literacy in policy and practice. To develop more health literacy responsive organisations and communities. Design supports and services to better meet people’s health literacy levels. And that latter point is about making services more responsive and easier to understand – frankly I’d like to put myself out of a job!
So, one area I’d like to focus on is the idea of “Connectors” – the role of the human information intermediary, is fundamental. So how can we take those competencies and roll them out across the system… In ways that people can understand… Put people in contact with digital skills, the digital skills framework… Promoting understanding. We need to signpost with confidence, and to have a sense that people can use this kind of information. Looking at librarians as a key source of information that can help support people’s confidence.
In terms of implementation… We have at (1) a product design and at (3) “Scaled up”. But what is at step (2)? How do we get there… Instead we need to think about the process differently… Starting with (1) a need identified, then a planned structured resources and co-developed for success, and then having it embedded in the system… I want to take the barriers out of the system.
And I’m going to finish with a poem: This is bad enough by Elspeth Murray, from the launch of the cancer information reference group of the South East Scotland Cancer Network 20 January 2016.
Q1) I’m from Strathclyde, but also work with older people and was wondering how much health literacy is part of the health and social care integration?
A1) I think ultimately that integration will help, but with all that change it is challenging to signpost things clearly… But there is good commitment to work with that…
Q2) You talked about improving the information – the letters for instance – but is there work more fundamentally questioning the kind of information that goes out? It seems archaic and expensive that appointments are done through posted physical letters… Surely better to have an appointment that is in your diary, that includes the travel information/map….
A2) Absolutely, NHS Lothian are leading on some trial work in this area right now, but we are also improving those letters in the interim… It’s really about doing both things…
Cat) And we are certainly looking at online bookings, and making these processes easier, but we are working with older systems sometimes, and issues of trust as well, so there are multiple aspects to addressing that.
Q3) Some of those issues would be practically identical for educators… Teachers or lecturers, etc…
A3) I think that’s right. Research from University of Maastricht mapped out the 21 areas across Public and Private sectors in which these skills should be embedded… And I think those three areas of work can be applied across those areas… Have to look at design around benefits, we have some hooks around there.
Cat) Absolutely part of that design of future benefits for Scotland.
Panel Discussion – Fake News (Gillian Daly – chair; Lindsay McKrell (Strathclyde); Sean McNamara (CILIPS); Allan Lindsay (Young Scot))
Sean: CILIPS supports the library and information science community in Scotland, including professional development, skills and ethics. Some years ago “information literacy” would have been more about university libraries, but now it’s across the board an issue for librarians. Librarians are less gatekeepers of information, and more about enabling those using their libraries to seek and understand information online, how to understand information and fake news, how to understand the information they find even if they are digitally confident in using the tools they use to access that information.
Allan: Young Scot is Scotland’s natural charity for information literacy. We work closely with young people to help them grow and develop, and influence us in this area. Fake News crops up a lot. A big piece of work we are involved in is the 5 Rights project, which is about rights online – that isn’t just for young people but significantly about their needs. Digital literacy is key to that. We’ve also worked on digital skills – recently with the Carnegie Trust and the Prince’s Trust. As an information agency we reach people through our website – and we ensure young people are part of creating content in that space.
Lindsay: I’d like to talk about digital literacy as well as Fake News. Digital literacy is absolutely fundamental to supporting citizens to be all that they can be. Accessing information without censorship, and a range of news, research, citizenship test information… That is all part of public libraries service delivery and we need to promote that more. Public libraries are navigators for a huge and growing information resource, and we work with partners in government, in third sector, etc. And our libraries reach outside of working hours and remote areas (e.g. through mobile levels) so we have unique value for policy makers through that range and volume of users. Libraries are also well placed to get people online – still around 20% of people are not online – and public libraries have the skills to support people to go online, gain access, and develop their digital literacy as well. We can help people find various sources of information, select between them, to interpret information and compare information. We can grow that with our reading strategies, through study skills and after school sessions. Some libraries have run sessions on fake news, but I’m not sure how well supported these have been. We are used to displaying interesting books… But why aren’t our information resources similarly well designed and displayed – local filterable resources for instance… Maybe we should do some of this at national level, not just at local council level. SLIC have done some great work, what we need now is digital information with a twist that will really empower citizens and their information literacy…
Gillian Daly: I was wondering, Allan, how do you tackle the idea of the “Digital Native”? This idea of innate skills of young people?
Allan: It comes up all the time… This presumption that young people can just do things digitally… Some are great but many young people don’t have all the skills they need… There are misconceptions from young people themselves about what they can and cannot do… They are on social media, they have phones… But do they have an understanding of how to behave, how to respond when things go wrong… There is a lot of responsibility for all of us that just because young people use these things, doesn’t mean they understand them all. Those misconceptions apply across the board though… Adults don’t always have this stuff sorted either. It’s dangerous to make assumptions about this stuff… Much as it’s dangerous to assume that those from lower income communities are less well informed about these things, which is often not correct at all.
Lindsay: Yes, we find the same… For instance… Young people are confident with social media… But can’t attach a document for instance…
Comment from HE org: Actually there can be learning in both directions at University. Young people come in with a totally different landscape to us… We have to have a dialogue of learning there…
Gillian: Dialogue is absolutely important… How is that being tackled here…
Sean: With school libraries, those skills to transfer from schools to higher education is crucial… But schools are lacking librarians and information professionals and that can be a barrier there… Not just about Fake News but wider misinformation about social media… It’s important that young people have those skills…
Comment: Fake News doesn’t happen by accident… It’s important to engage with IFLA guide to spot that… But I think we have to get into the territory of why Fake News is there, why it’s being done… And the idea of Media and Information Literacy – UNESCO brought those ideas together a few years ago. There is a vibrant GATNO organisation, which would benefit from more Scottish participation.
Allan: We run a Digital Modern Apprenticeship at Young Scot. We do work with apprentices to build skills, discernment and resilience to understand issues of fake news and origins. A few weeks back a young person commented on something they had seen on social media… At school for me “Media Studies” was derided… I think we are eating our words now… If people had those skills and were equipped to understand that media and creation process. The wider media issues… Fake News isn’t in some box… We have to be able to discern mainstream news as well as “Fake News”. Those skills, confidence, and ability to ask difficult questions to navigate through these issues…
Gillian: I read a very interesting piece by a journalist recently, looking to analyse Fake News and the background to it, the context of media working practice, etc. Really interesting.
Cat: To follow that up… I distinctly remember in 1994 in The Scotsman about the number of times journalists requested clippings that were actually wrong… Once something goes wrong and gets published, it stays there and repopulates… Misquotations happen that way for instance. That sophisticated understanding isn’t about right and wrong and more about the truthfulness of information. In some ways Trump is doing a favour here, and my kids are much more attuned to accuracy now…
Gillian: I think one of the scariest things is that once the myth is out, it is so hard to dispel or get rid of that…
Comment: Glasgow University has a Glasgow Media Group and they’ve looked at these things for years… One thing they published years ago, “Bad News”, looked at for instance the misrepresentation of Trade Unionists in news sources, for a multitude of complex reasons.
Sean: At a recent event we ran we had The Ferret present – those fact checking organisations, those journalists in those roles to reflect that.
Jenny: The Ferret has fact checking on a wonderful scale to reflect the level of fakeness…
Gillian: Maybe we need to recruit some journalists to the Digital and Information Literacy Forum.
And on that, with many nods of agreement, we are breaking for lunch
SUNCAT has been updated. Updates from the following libraries were loaded into the service over the two weeks. The dates displayed indicate when files were received by SUNCAT.
- Bath University (01 Sep 17)
- Bristol University (07 Sep 17)
- British Library (06 Oct 17)
- British Museum (08 Sep 17)
- CONSER (Not UK Holdings) (18 Oct 17)
- Cranfield University (21 Oct 17)
- Dundee University (01 Oct 17)
- Edinburgh Napier University (01 Oct 17)
- Imperial College London (01 Oct 17)
- King’s College London (01 Oct 17)
- Kingston University (01 Oct 17)
- Lancaster University (01 Oct 17)
- Leeds University (20 Sep 17)
- London School of Economics and Political Science (01 Oct 17)
- Manchester University (01 Oct 17)
- National Archives (01 Oct 17)
- National Library of Scotland (06 Oct 17)
- National Library of Wales (01 Oct 17)
- NERC (Natural Environment Research Council) (08 Sep 17)
- Natural History Museum (01 Oct 17)
- Northumbria University (01 Oct 17)
- Nottingham University (04 Oct 17)
- Open University (01 Oct 17)
- Oxford University (24 Oct 17)
- Reading University (08 Sep 17)
- Royal College of Nursing (08 Sep 17)
- Royal College of Physicians of London (14 Apr 17)
- Royal College of Surgeons of Edinburgh (18 Aug 17)
- St. Andrews University (20 Oct 17)
- Sheffield University (01 Oct 17)
- Sheffield Hallam University (01 Oct 17)
- Senate House Libraries, University of London (04 Oct 17)
- Southampton University (23 Oct 17)
- Swansea University (01 Oct 17)
- University of Wales Trinity Saint David (01 Oct 17)
- Warwick University (05 Oct 17)
- York University (01 Oct 17)
To check on the currency of other libraries on SUNCAT please check the updates page for further details.
On 3rd October 2017, we released a Beta version of a new Roam mapping client for Digimap’s Ordnance Survey Collection. OS Roam – Beta is available next to the existing version, simply log in to the Digimap service and select Ordnance Survey Collection to view the new beta version: Whilst the functionality remains the same, we hope you […]
This afternoon I’m at the Keynote Session for Information Security Awareness Week 2017 where I’ll be speaking about Managing Your Digital Footprint in the context of security. I’ll be liveblogging the other keynotes this afternoon.
The event has begun with a brief introduction from Alistair Fenemore, UoE’s Chief Information Security Officer, and from his colleague David Creighton Offord, the organiser for today’s event.
Talk by John Whitehouse, PWC Cyber Security Director Scotland covering the state of the nation and the changing face of Cyber Threat
I work at PWC, working with different firms who are dealing with information security and cyber security. In my previous life I was at Standard Life. I’ve seen all sorts of security issues so I’m going to talk about some of the things I’ve seen, trends, I’ll explain a few key concepts here.
So, what is cybersecurity… People imagine people in basements with balaclavas… But it’s not that at all…
I have a video here…
(this is a late night comedy segment on the Sony hack where they ask people for their passwords, to tell them if it’s strong enough… And how they construct them… And/or the personal information they use to construct that…)
We do a lot of introductions for boards… We talk about technical stuff… But they laugh at that video and then you point out that these could all be people working in their companies…
So, there is technical stuff here, but some of the security issues are simple.
We see huge growth due to technology, and that speaks to businesses. We are going to see 1 billion connected devices by 2020, and that could go really really wrongly…
There is real concern about cyber security, and they have concerns about areas including cloud computing. The Internet of Things is also a concern – there was a study that found that the average connected device has 25 security vulnerabilities. Dick Cheney had to have his pacemaker re programmed because it was vulnerable to hacking via Bluetooth. There was an NHS hospital in England that had to pause a heart surgery when the software restarted. We have hotel rooms accessible via phones – that will come to homes… There are vulnerabilities in connected pet feeders for instance.
Social media is used widely now… In the TalkTalk breach we found that news of the breach has been leaked via speculation just 20 seconds after the breach occurs – that’s a big challenge to business continuity planning where one used to plan that you’d perhaps have a day’s window.
Big data is coming with regulations, threats… Equifax lost over 140 million records – and executives dumped significant stock before the news went public which brings a different sort of scrutiny.
Morrisons were sued by their employees for data leaked by an annoyed member of staff – I predict that big data loss could be the new PPI as mass claims for data loss take place. So maybe £1000 per customer per data breach for each customer… We do a threat intelligence service by looking on the dark net for data breach. And we already see interest in that type of PPI class suit approach.
The cyber challenge extends beyond the enterprise – on shore, off shore; 1st through to 4th parties. We’ve done work digging into technology components and where they are from… It’s a nightmare to know who all your third parties are… It’s a nightmare and a challenge to address.
So, who should you be worried about? Threat actors vary…. We have accidental loss, Malware that is not targeted, and hacker hobbyists in the lowest level of sophistication, through to state sponsored attacks at the highest level of sophistication. Sony were allegedly breached by North Korea – that firm spends astronomical amounts on security and that still isn’t totally robust. Target lost 100 million credit card details through a third party air conditioner firm, which a hacker used to get into the network, and that’s how the loss occurred. And when we talk organised crime we are talking about really organised crime… One of the Ukrainian organised crime groups were offering a Ferrari for their employee of the month prize for malware. We are talking seriously Organised. And serious financial gain. And it is extremely hard to trace that money once it’s gone. And we see breaches going on and on and on…
Equifax is a really interesting one. There are 23 class action suits already around that one and that’s the tip of the iceberg. There has been a lot of talk of big organisations going under because of cyber security, and when you see these numbers for different companies, that looks increasingly likely. Major attacks lead to real drops in share prices and real impacts on the economy. And there are tangible and intangible costs of any attack…. From investigation and remediation through to CEOs and CTOs losing their jobs or facing prison time – at that level you can be personally liable in the event of an attack.
In terms of the trends… 99% of exploited vulnerabilities (in 2014) had been identified for more than a year, some as far back as 1999. Wannacry was one of these – firms had 2 months notice and the issues still weren’t addressed by many organisations.
When we go in after a breach, typically the breach has been taking place for 200 days already – and that’s the breaches we find. That means the attacker has had access and has been able to explore the system for that long. This is very real and firms are dealing with this well and really badly – some real variance.
One example, the most successful bank robbery of all time, was when the Bangladesh Central Bank was attacked in Feb 2016 through the SWIFT network. These instructions totalled over US $900 million, mostly laundered through casinos in Macau. The analysis identified that malware was tailored for the target organisation based on the printers they were using, which scrubbed all entry and exit points in the bank. The US Secret Service found that there were three groups – two inside the bank, one outside executing the attack.
Cyber security concerns are being raised, but how can we address this as organisations? How do we invest in the right ways? What risk is acceptable? One challenge for banks is that they are being asked to use Fintechs and SMEs working in technology… But some of these startups are very small and that’s a real concern for heads of securities in banks.
We do a global annual survey on security, across about 10,000 people. We ask about the source of compromise – current employees are the biggest by some distance. And current customer data, as well as IPR, tend to be the data that is at risk. We also see Health and Social Care adopting more technology, and having high concern, but spending very little to counter the risks. So, with Wannacry, the NHS were not well set up to cope and the press love the story… But they weren’t the target in any way.
A few Mythbusters for you…
Anti-Virus software… We create Malware to test our clients’ set up. We write malware that avoids AVs. Only 10-15% of malware will be caught with Anti-Virus software. There is an open source tool, Veil-Framework, that teaches you how to write that sort of Malware so that you can understand the risks. You should be using AV, but you have to be aware that malware goes beyond that (and impacts Macs too)… There is a malware SaaS business model on the darknet – as an attacker you’ll get a guarantee for your malware’s success and support to use it!
Myth 2: we still have time to react. Well, no, the lag from discovery to impacting you and your set up can be minutes.
Myth 3: well it must have been a zero day that got us! True Zero Day exploits are extremely rare/valuable. Attacker won’t use one unless target is very high value and they have no other option. They are hard to use. Even NSA admits that persistence is key to successful compromise, not zero day exploits. The NSA created EternalBlue – a zero day exploit – and that was breached and deployed out to these “good guys” as Wannacry.
Passwords… They are a thing of the past I think. 2-factor authentication is more where we are at. Passphrases and strength of passphrases is key. So complex strings with a number and a site name at the end is recommended these days. Changing every 30 days isn’t that useful – it’s so easy to bruteforce the password if lost – much better to have a really strong hash in the first place.
Phishing email is huge. We think about 80% of cyber attacks start that way. Beware spoofed addresses, or extremely small changes to email addresses.
We had a client that had an email from their “finance director” about urgently paying money to an account, which was only spotted because someone in finance noticed the phrasing… “the chief exec never says “Thanks”!”
Malware trends: our strong view is that you should never ever pay for a Ransomware attack.
I have another video here…
(In this video we have people having their “mind read” for some TV show… It was uncanny… And included spending data… But it wasn’t psychic… It was data that they had looked up and discovered online… )
It’s not a nice video… This is absolutely real… This whole digital footprint. We do a service called Digital Footprinting for senior execs in companies, and you have to be careful about it as they can give so much away by what you and those around you post… It’s only getting worse and more pointed. There are threat groups going for higher value targets, they are looking for disruption. We think that the Internet of Things will open up the attack surface in whole new ways… And NACS – the Air Traffic people – they are thinking about drones and the issues there around fences and airspace… How do you prepare for this. Take the connected home… These fridges are insecure, you can detect if owner is opened or not and detect if they are at home or not… The nature of threats is changing so much…
In terms of trends the attacks are moving up the value chain… Retail bank clients aren’t interesting compared to banks’ finance systems, more to exchanges or clearing houses. It’s about value of data… Data is maybe $0.50 for email credentials; a driving license is maybe $25… and upwards the price goes depending on value to the attackers…
So, a checklist for you and your work: (missed this but delighted that digital footprint was item 1)
Finally, go have a look at your phone and how much data is being captured about you… Check your iPhone frequent locations. And on Android check Google Location History. The two biggest companies in the world, Google and Facebook, are free, and they are free because of all the data that they have about you… But the terms of service… Paypal’s are longer than Hamlet. If you have a voice control TV from Samsung and you sign those, you agree to always on and sharable with third parties…
So, that’s me… Hopefully that gave you something to ponder!
Q1) What does PWC think about Deloitte’s recent attack?
A1) Every firm faces these threats, and we are attacked all the time… We get everything thrown at us… And we try to control those but we are all at risk…
Q2) What’s your opinion on cyber security insurance?
A2) I think there is a massive misunderstanding in the market about what it is… Some policies just cover recovery, getting a response firm in… When you look at Equifax, what would that cover… That will put insurers out of business. I think we’ll see government backed insurance for things like that, with clarity about what is included, and what is out of scope. So, if, say, SQL Injection is the cause, that’s probably negligence and out of scope…
Q3) What role should government have in protecting private industry?
A3) The national cyber security centre is making some excellent progress on this. Backing for that is pretty positive. All of my clients are engaging and engaged with them. It has to be at that level. It’s too difficult now at lower levels… We do work with GCHQ sharing information on upcoming threats… Some of those are state sponsored… They even follow working hours in their source location… Essentially there are attack firms…
Q4) (I’m afraid I missed this question)
A4) I think Microsoft in the last year have transformed their view… My honest view is that clients should be on Windows 10, it’s a gamechanger for security. Firms will do analysis on patches and service impacts… But they delayed that a bit long. I have worked at a firm with a massively complex infrastructure, and it sounds easy to patch but it can be quite difficult to do that in practice, and it can put big operational systems at risk. As a multinational bank for instance you might be rolling out to huge numbers of machines and applications.
Talk by Kami Vaniea (University of Edinburgh) covering common misconceptions around Information Security and how to avoid them
My research is on the usability of security and why some failings are happening from the point of view of an average citizen. I do talks to community groups – so this presentation is a mixture of that sort of content and proper security discussion.
I wanted to start with misconceptions as system administrators… So I have a graph here of where there is value to improving your password; then the range in which having rate limits on password attempts; and the small area of benefit to the user. Without benefits you are in the deadzone.
OK, a quick question about URL construction… http://facebook.mobile.com? Is it Facebook’s website, Facebook’s mobile site, AT&T’s website, or Mobile’s website? It’s the last one by construction. It’s both of the last two if you know AT&T own mobile.com. But when you ask a big audience they mainly get it right. Only 8% can correctly differentiate http://facebook.profile.com vs http://profile.facebook.com. Many users tend to just pick a big company name regardless of location in URLs. A few know how to correctly read subdomain URLs. We did this study on Amazon Mechanical Turk – so that’s a skewed sample of more technical people. And that URL understanding has huge problematic implications for phishing email.
We also tried http://twitter.com/facebook.com. Most people could tell that was Twitter (not Facebook). But if I used “@” instead of “/” people didn’t understand, thought it was an email…
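The reading rule behind those quiz questions, as an added example that is not part of the talk: Python's standard `urllib.parse` extracts the host a URL really contacts, and the registrable domain is taken from the right-hand end of that host. The suffix set and brand list are constructed stand-ins (a real check would load the full Public Suffix List), and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption:
# a real check loads the full list; these entries are enough for the samples).
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au"}
BRANDS = ("facebook", "twitter", "google")  # illustrative brand names only


def destination(url):
    """Return (host, registrable_domain, notes) for the server a URL contacts."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # lower-cased; userinfo and port dropped
    notes = []
    if parts.username is not None:
        notes.append(f"'{parts.username}' before '@' is login info, not the site")
    labels = host.split(".")
    # Registrable domain = public suffix plus the one label to its left.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    registrable = ".".join(labels[-keep:])
    if len(labels) > keep:
        notes.append(f"'{'.'.join(labels[:-keep])}' is a subdomain chosen by {registrable}")
    return host, registrable, notes


def misleading_brands(url, brands=BRANDS):
    """Brand names that appear somewhere in the URL but do not own the destination."""
    _, registrable, _ = destination(url)
    owner = registrable.split(".")[0]
    return [b for b in brands if b in url.lower() and b != owner]


# The URLs quoted in the talk, including the "@" variant of the Twitter one.
SAMPLES = [
    "http://facebook.mobile.com",
    "http://facebook.profile.com",
    "http://profile.facebook.com",
    "http://twitter.com/facebook.com",
    "http://twitter.com@facebook.com",
]

if __name__ == "__main__":
    for url in SAMPLES:
        host, registrable, notes = destination(url)
        print(f"{url}\n  goes to {registrable} (host {host})")
        for line in notes + [f"'{b}' appears but is not the owner" for b in misleading_brands(url)]:
            print(f"  note: {line}")
```
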
On the topic of email… Can we trust the “from” field? No. Can we trust a “this email has been checked for viruses…” box? No. Can you trust the information on the source URL for a link in the email, that is shown in the bottom of the browser? Yes.
What about this email – a Security alert for your linked Google account email? Well this is legitimate… Because it’s coming from accounts.google.com. But you knew this was a trick question… Phishing is really tricky…
So, a shocking percentage of my students think that “from” address is legitimate… Tell your less informed friends how easily that can be spoofed…
What about Google. Does Google know what you type as you type it and before you hit enter? Yes, it does… Most search engines send text to their servers as you write it. Which means you can do fun studies on what people commonly DON’T post to Facebook!
A very common misconception is that opening web pages, emails, pdfs, and docs is like reading physical paper… So why do they need patching?
Let’s look at an email example… I don’t typically get emails with “To protect your privacy, Thunderbird has blocked remote content in this message” from a student… This showed me that a 1 pixel invisible image had come with the email… which pinged the server if I opened it. I returned the email and said he had a virus. He said “no, I used to work in marketing and forgot that I had that plugin set up”.
Websites are made of many elements from many sources. Mainly dynamically… And there are loads of trackers across those sites. There is a tool called Lightbeam that will help you track the sites you go to on purpose, and all the other sites that track you. That’s obviously a privacy issue. But it is also a security problem. The previous speaker spoke about supply chains at Target, this is the web version of this… That supply chain gets huge when you visit, say, six websites.
So we as users access a first party website, then they access third party sites… So they access ad servers and that sells that user, and ad is returned, with an image (sometimes with code). Maybe I bid to a company, that bids out again… This is huge as a supply chain and tracking issue…
So the Washington Post, for instance, covering the yahoo.com malware attack showed that malicious payloads were being delivered to around 300k users per hour, but only about 9% (27k) users per hour were affected – they were the ones that hadn’t updated their systems. How did that attack take place? Well rather than attack, they just bought an ad and ran malware code.
There is a tool called Ghostery… It’s brilliant and useful… But it’s run by the ad industry and all the trackers are set the wrong way. Untick those all and then it’s fascinating… They tell you about page load and all the components involved in loading a page…
To change topic…
Cookies! Yes, they can be used to track you across web sites. But they can’t give you malware as is. So… I will be tackling the misconception that cookies are evil… And I’m going to try to convince you otherwise. Tracking can be evil… But cookies are kind of an early example of privacy by design…
It is 1994. The internet cannot remember anyone between page loads. You have an interaction with a web server that has absolutely no memory. Cookies help something remember between page loads and web pages… Somehow a server has to know who you are… But back in 1994 you just open a page and look at it, that’s the interaction point…
But companies wanted shopping baskets, and memory between two page reloads. There is an obvious technical solution… You just give every browser a unique identifier… Great! The server remembers you. But the problem is a privacy issue across different servers… So, Netscape implemented cookies – small text strings the server could ask the browser to remember and give back to it later…
Cookies have some awesome properties: it is client visible; third party tracking is client visible too; it’s opt out (delete) option on a per-site basis; it’s only readable by the site that set it; and it allows for public discussion of tracking…
… Which is why Android/iOS both went with the unique ID option. And that’s how you can be tracked. As a design decision it’s very different…
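A toy model of the two designs contrasted above, added here as an illustration and not taken from the talk: a per-host cookie jar beside a single device-wide identifier. The `Server` and `Browser` classes, the `.example` hosts and the `device-42` value are all constructed for the example.

```python
import itertools


class Server:
    """A site that labels each new visitor and logs where it saw that label."""

    def __init__(self, host):
        self.host = host
        self.seen = {}                       # identifier -> pages it arrived from
        self._next = itertools.count(1)

    def handle(self, identifier, page):
        """Return a new cookie value to set, or None if one was presented."""
        issued = None
        if identifier is None:
            identifier = issued = f"{self.host}#{next(self._next)}"
        self.seen.setdefault(identifier, []).append(page)
        return issued


class Browser:
    """Toy browser. With device_id set, it models the unique-ID design instead."""

    def __init__(self, device_id=None):
        self.jar = {}                        # host -> cookie; the user can inspect this
        self.device_id = device_id

    def fetch(self, server, page):
        if self.device_id is not None:       # unique-ID design: same value to everyone
            server.handle(self.device_id, page)
            return
        issued = server.handle(self.jar.get(server.host), page)  # only its own cookie
        if issued:
            self.jar[server.host] = issued

    def visit(self, site, embedded=()):
        for server in (site, *embedded):
            self.fetch(server, page=site.host)


def run(browser, forget=None):
    """Visit two sites that embed the same ad server; optionally delete one cookie."""
    news, shop, ads = Server("news.example"), Server("shop.example"), Server("ads.example")
    browser.visit(news, embedded=[ads])
    browser.jar.pop(forget, None)            # per-site opt-out between the two visits
    browser.visit(shop, embedded=[ads])
    return {s.host: s.seen for s in (news, shop, ads)}


if __name__ == "__main__":
    print("cookies:        ", run(Browser()))
    print("ads.example cookie deleted:", run(Browser(), forget="ads.example"))
    print("device-wide ID: ", run(Browser(device_id="device-42"), forget="ads.example"))
```

With cookies the embedded ad server can link the two visits, but its cookie sits in the jar where the user can see and delete it, and the two first-party sites hold unrelated identifiers. With the device-wide ID every server receives the same value and deleting a jar entry changes nothing.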
Now to some of the research I work on… I believe in getting people to touch stuff, to interact with it… We can talk to each other, or mystify, but we need to actually have people understand this stuff. So we ran an outreach activity to build a website, create a cookie, and then read the cookie out… Then I give a second website… To let people try to understand how to change their names on one site, not the other… What happens when you view them in Incognito mode… And then exploring cookies across sites. And how that works…
Misconception: VPNs solve all privacy and security problems. Back at Indiana I taught students who couldn’t code… And that was interesting… They saw VPNs as magic fairy dust. And they had absorbed this idea that anyone can be hacked at any time… They got that… But that had resulted in “but what’s the point”. That worries me… In the general population we see media coverage of attacks on major companies… And the narrative that attacks are inevitable… So you end up with this problem…
So, I want to talk about encryption and why it’s broken and what that means by VPNs. I’m not an encryption specialist. I care about how it works for the user.
In encryption we want (1) communication between you and the other party is confidential and has not been changed, and no-one can read what you sent and no one can change what you sent; and (2) to know who we are talking to. And that second part is where things can be messed up. You can make what you think is the secure connection to the right person, but could be a secure connection to the wrong person – a man in the middle attack. A real world example… You go to a coffee shop and use wifi to request the BBC news site, but you get a wifi login page. That’s essentially a man in the middle attack. That’s not perhaps harmful, it’s normal operating procedure… VPNs basically work like this…
VPNs are not magic fairy dust. The University runs an excellent VPN – far better for coffee shops etc!
So, I like to end with some common advice:
- Install anti virus scanner. Don’t turn off Windows 8+ automatically installed AV software… I ran a study where 50% of PhD students had switched off that software and firewalls…
- Keep your software updated – best way to stay safe
- Select strong passcode for important things you use all the time
- For non-important stuff, use a password manager for less important things that you use rarely… Best to have different password between them…
- Software I use:
  - Ad blockers – not just ads, reduce lots of extra content loading. The more websites you visit the more vulnerable you are
  - Ghostery and Privacy Badger
  - Password Managers (LastPass, 1Password and KeePass are most recommended)
  - 2-factor like Yubikey – extra protection for e.g. Facebook.
  - If you are really serious: UMatrix and NoScript BUT it will break lots of pages…
Q1) It’s hard to get an average citizen to do everything… How do you get around that and just get the key stuff across…
A1) Probably it’s that common advice. The security community has gotten better at looking at 10 key stuff. Google did a study with Blackhats Infosec conference about what they would do… And asked on Amazon Mechanical Turk about what they would recommend to friends. About the only common answer amongst blackhats was “update your software”. But actually there is overlap… People know they should change passwords, and should use AV software… But AV software didn’t show on the Blackhat list… But 2-factor and password managers did…
Q2) What do you think about passwords… long or complex or?
A2) We did a study maybe 8 years ago on mnemonic passwords… And found that “My name is Inigo Montoya, you killed my father, prepare to die” was by far the most common. The issue isn’t length… It’s entropy. I think we need to think server side about how many other users have used the same password (based on encrypted version), and you need something that less than 3 people use…
Q2) So more about inability to remember it…
A2) And it depends on threat type… If someone knows you, your dog, etc… Then it’s easier… But if I can pick a password for a long time I might invest in it – but if you force people to change passwords they have to remember it. There was a study that people using passwords a lot use some affirmations, such as “I love God”… And again, hard to know how you protect that.
Q3) What about magic semantic email links instead of passwords…
A3) There is some lovely work on just how much data is in your email… That’s a poor man’s version of the OAuth idea of getting an identity provider to authenticate the user. It’s good for the user, but that is one bigger stake login then… And we see SMS also being a mixed bag and being subject to attack… Ask a user though… “there’s nothing important in my email”.
Q4) How do you deal with people saying “I don’t have anything to hide”?
A4) Well I start with it not being about hiding… It’s more, why do you want to know? When I went to go buy a car I didn’t dress like a professor, I dressed down… I wanted a good price… If I have a lot of time I will refer them to Daniel Solove’s Nothing to Hide.
Talk by Nicola Osborne (EDINA) covering Digital Footprints and how you can take control of your online self
And that will be me… So keep an eye out for tweets from others on the event hashtag: #UoEInfoSec.