mozilla / webliteracymap

A collaborative effort, led by Mozilla, to define the skills and competencies required to read, write and participate on the web.
http://webmaker.org/literacy

Define skills under 'Security' competency for v1.5 #25

Closed dajbelshaw closed 9 years ago

dajbelshaw commented 9 years ago

Security: Keeping systems, identities, and content safe


See spreadsheet at http://goo.gl/R1tjj3

jgmac1106 commented 9 years ago

There was a question about:

Suggested rewrites for this skill included:

jgmac1106 commented 9 years ago

There were three comments asking for a skill about protecting personal identity. Some argued identity should fit under privacy and security should be system specific.

dajbelshaw commented 9 years ago

Updated competency descriptor as I'd copied/pasted incorrectly!

I think this works:

Not so keen on the (false?) dichotomy between 'convenience and protection'. Mitigating external threats through changing practices seems like something to address somehow.

xellpher commented 9 years ago

Where do strong passwords belong? Wasn't there a mention about them earlier?

gaditb commented 9 years ago

Honestly, do we want "mitigating external threats through changing practices" to be its own skill just like that? That doesn't seem like that bad phrasing.

Or maybe two: "Identifying risky or insecure practices" and "Limiting, eliminating, and containing risky or insecure practices" (the verbs should probably be rephrased).

And like I'd like to -- maybe not emphasize, but at least explicitly address throughout, the fact that there often is a tradeoff between "convenience" and "protection". And it's not a constant thing -- some activities are more like Jaywalking-Or-Not (e.g. signing up and logging in to a small, I-will-use-this-like-once web service/forum over HTTP), some are more like Not-Playing-On-Railroad-Tracks (don't run random stuff from the internet), some are more like Washing-Hands (using unique passwords -- takes extra time, requires deliberate setup/tools, can be done to greater or lesser completeness, but useful and should be used everywhere and important)

And we need to acknowledge that. If we just tell people "don't play on the railroad tracks" in the same voice as "don't jaywalk", they're just gonna do both.

dajbelshaw commented 9 years ago

Added the following after today's half-hour hack meeting:

Definitely need something more broad than 'strong passwords' as well! What do people think of Roz Hussin's suggestion?

sometimesmotion commented 9 years ago

I'm not so sure about 'ensuring' - it's difficult to assess if someone has 'ensured' the security of their account. Additionally, there is no point at which someone can sit back and say 'job done!' about securing their account/data- it's an evolving threat. How about a verb that implies continued management/vigilance:

jgmac1106 commented 9 years ago

I like maintaining as well.

xellpher commented 9 years ago

I like the suggestion by @sometimesmotion

This is what I was talking about yesterday, from the privacy badge deliverable:

Explaining ways in which computer criminals are able to gain access to user information

Name: Privacy: Passwords

Description: The ‘Privacy: Passwords’ badge is earned by those who want to find ways to create stronger passwords and keep track of them. This includes using services that securely manage and save unique passwords.

Criteria:

Link to an example of a computer criminal getting access to user information through weak passwords

Describe motivations that computer criminals have for stealing personal information

Change your passwords to stronger, unique ones (e.g. using LastPass / 1Password) and/or utilize two-factor authentication.

xellpher commented 9 years ago

What Roz talked about yesterday is also there in skill number 5: Identifying and taking steps to keep important elements of identity private

Should that be added here as well? Or does that belong in Privacy?

xellpher commented 9 years ago

To answer myself: I think "Identifying important elements of identity" belongs in privacy, whereas the locks on the door "Managing and maintaining account security" belongs here.

dajbelshaw commented 9 years ago

OK, adding the following as agreed upon:

We're at four skills now under Security. Do we need a fifth, or is this ready to be closed?

jgmac1106 commented 9 years ago

I am okay with four. Though I wonder if passwords belong under security and not privacy. We seem to be badging under the assumption that passwords are part of privacy.

jgmac1106 commented 9 years ago

If we move computer criminal skill over from privacy I would be okay with no password skill as these would be redundant.

dajbelshaw commented 9 years ago

> We seem to be badging under the assumption that passwords are part of privacy.

We created badges according to Web Literacy Map v1.1. I don't think we need be limited by that - particularly given the additional discussion and layers of nuance we've identified between Security and Privacy.

These are the four we've decided upon. I reckon passwords are firmly within the realm of 'putting locks on your doors' (i.e. Security) rather than 'curtains on your windows' (i.e. Privacy). We'll run with the following for v1.5 unless anyone throws a Hail Mary in the dying seconds:

jamiea commented 9 years ago

"Detecting online scams etc." seems a bit higher level to me. How about exchanging the verbs for this skill to make it more accessible:

dajbelshaw commented 9 years ago

See where you're coming from, @jamiea but 'detecting' seems to be a bit more front-foot and active than 'recognising'.

What do others think? :)

jamiea commented 9 years ago

Agreed, though the amount & level of activity required can perhaps be gleaned from the excellent http://honeynet.org/about project. Check out the papers in the right hand aside.

(Scary project map here, leave it open in the tab! http://map.honeynet.org/ )

jgmac1106 commented 9 years ago

Can you detect a scam without an actual attack? How would clubs teach this skill?


jamiea commented 9 years ago

If there are no safe 'dummy' open learning materials for this out there, other than by using real-world examples, personally I didn't see how else one can detect a scam. Genuine detection seems like a risky business requiring what I'd consider to be a high level of pre-existing resources and knowledge to conduct a secure investigation that reaches accurate conclusions.

jgmac1106 commented 9 years ago

Agree. It's why I lean away from the word detecting and think explaining or analyzing (Bloom bump) works better.


jamiea commented 9 years ago

+1 Analyzing

and a nice appropriate definition in Bloom's that IMO seems to satisfy some of the necessary pre-requisites of 'detecting'

dajbelshaw commented 9 years ago

Hmmm... so the problem we've got with all of the verbs that we've proposed here (detecting / recognizing / analyzing) is that they pre-suppose, to a greater or lesser degree, that an attack is currently taking place:

How about:

Still not quite right, but how about the direction of travel? :)

sometimesmotion commented 9 years ago

+1 I like the new phrasing - it's more concrete and obvious as a goal/outcome. I think this makes it more useful for the clubs. We've been using the -ing tense so:

dajbelshaw commented 9 years ago

Oops! +1 (thanks @sometimesmotion)

jgmac1106 commented 9 years ago

+1


dajbelshaw commented 9 years ago

OK, so unless I hear otherwise, we're going with:

Any thoughts on preferred ordering? :)

jamiea commented 9 years ago

Wasn't that going to be: Recommending how to avoid online scams and 'phishing'?

sometimesmotion commented 9 years ago

Yes- get rid of 'Detecting online scams...' and I feel good about these. The order isn't so important from my point of view. There's no clear hierarchy with these.

jgmac1106 commented 9 years ago

I am good.

gaditb commented 9 years ago

I'd go for:

While there isn't a hierarchy, I feel like that puts it in order of both importance and ease/amount of work. If people get bored/scared off after the first two, I want it to be those.

dajbelshaw commented 9 years ago

Oops. Sorry about that. So, per @gaditb's suggestion, the order for these skills would be:

We've 6 hours to decide whether we're OK with that. +1 from me!

jamiea commented 9 years ago

+1

dajbelshaw commented 9 years ago

Right, closing this and updating overview. Comment to re-open if you've any objections!
