• AvMed: Data of 208,000 at risk after Gainesville theft
• Stolen Shands laptop had info of 12,500 patients

I found out about the first incident because Erin and I are one of the 200,000 people whose data is at risk, and we got a letter from AvMed about it. I noticed the second looking for more information about the AvMed thefts.

Once again, I find myself angry because of the timing. The AvMed laptops were stolen on Dec. 11. We got our letter in mid-February: more than two months later. Along with a bunch of smarmy-ass corporate doublespeak, the letter included an offer for identity theft protection at AvMed’s expense. Um… thanks!

Hey, sorry we’ve burned down your house eight weeks ago… how about a free fire alarm system?

The AvMed letter also neglected to mention a key detail which comes out in the Sun article: the thief was likely an AvMed employee:

A company security employee reported at 4:20 p.m. that two Dell laptops had been locked in a conference room after staff left at 5 p.m. Dec. 10 and that the door remained locked during each security check and when staff returned at 8:30 a.m. Dec. 11, said Alachua County Sheriff’s Office spokesman Art Forgey.

The employee said the only people with keys are security staff and cleaning crew.

“We don’t want to jump to any conclusions,” said AvMed spokeswoman Cochita Ruiz-Topinka when asked if the thefts were an inside job.

You don’t want to jump to conclusions. Thanks, Cochita. So just how did the laptops vanish, then?

Encrypt all your data, folks. On every laptop. On every desktop. On every server. Now. It isn’t hard. If your IT people are too stupid to do it, fire them and get new people. If your management is too stupid to do that, it’s time for new management.

Western is fairly open to open source. I say “fairly” because while I can think of several cases where open source software is readily available and used on campus, I can also think of several examples of software procurement where open source was basically eliminated from day one. Overall, I’d say the climate could be better. Folks like me who want to install and support their own software on WIU servers aren’t prevented from doing so by policy. But we do have to contend with a very outdated web server. That’s what drives me to wrecking.org for my WordPress installs; it’s much easier to keep the software up to date there.

Having said that, Clancy Ratliff reminded that many people aren’t so lucky, when she wrote to ask about my use of open source. It’s not unusual for IT staff to object to open source software because of security, privacy, problems obtaining support, a lack of standardization, or all of the above–whether or not such problems exist. So, as Clancy asked:

How should faculty respond when university IT staff members express suspicions about open source software, and refuse to install it and/or support it?

What exactly are they afraid of?

I think Clancy’s second question points to the answer for the first. First and foremost, faculty need to fully understand the grounds for any reluctance to install software. Many (most!) IT staff work with limited resources and have epic demands on their time. They’re not really afraid of anything; rather, they simply don’t need more to deal with. For example, I used to get a single course release (from a standard 3/3 load) in exchange for service as department technology coordinator. That was about half what it should have been. Hell, maybe a third. So I made decisions based on the amount of time involved, refusing most time-intensive projects out of hand. It didn’t really matter what the project was; if it was labor intensive, the answer had to be “No.”

So let’s back up a step: faculty should think carefully about the way they make requests. Obviously, emailing the helpdesk, “Plz install OpenOffice in r computer labs kthxbai” isn’t going to cut it. But it’s often equally ineffective to drop a two- or three-page request email into a system administrator’s inbox with cc: to the department chair. Rather than ask that something be installed, ask to meet to discuss possibilities–and don’t invite the chair. A little dogfooding really helps: when students ask for deadline extensions, alternative assignments, or things which make unexpected demands on our time, how do we react? More favorably, I think, when students make open-ended requests which invite us to help shape them.

I suggest this framework:

1. An initial meeting to discuss the project in general terms;
2. Research which answers questions about the scope of the installation;
3. A proposal which shapes the request as a project with desired outcomes, a schedule, and a primary contact.

Imagining the installation and use as a project shouldn’t unnecessarily complicate things. Rather, a project framework can clarify what’s expected of all parties, for how long, and for what purposes. Above all, that documentation makes it clear faculty will communicate with IT staff about the project, and not expect them to go it alone. And if it turns out that internal or external funding will be needed, turning an initial request into a grant proposal won’t be difficult.

Research should address the following:

• What, specifically, are the software and hardware demands of the installation?
• What support needs will be generated? Who will need help? When? With what expected turnaround time? Who can provide help? When? At what cost?
• Consider support alternatives: should help requests be diverted to faculty, TAs, or others? If so, will additional funding be necessary?
• Clarify the time frame: is the product to be installed and maintained for a single semester? For an academic year? Forever?
• Why is the software needed? For a single class? Multiple classes? An entire program?
• Is similar software is already on campus–maybe not in the building, or even close by, or even on this campus? Is that alternative acceptable? Why or why not?
• Will the software create unnecessary risks to computer security or stability?

Security is last here. It’s first for many. As Clancy continued:

Are they afraid that, say, OpenOffice contains spyware that could compromise the privacy of student records? That hackers can, via the open source application, send worms and such into the university network? Other stuff too?

What’s your advice for faculty who want to get open source software installed in university computer labs but have to deal with this obstacle? Are there sources in particular that you recommend, sources that offer evidence that open source software is generally secure?

I’ve had proposals for installing software shot down because of security risks, real and otherwise. I’ve refused them myself. The risks are real. However, for me, arguments which compare the relative security of open source and proprietary software miss the point completely. All computing is risky. Rather, I suggest that faculty research the security and securability of specific software involved. Have project developers, and third parties, audited the codebase in the past? What mechanisms for reporting bugs exist? How do developers typically respond to bug reports? How often is the software updated? How are updates installed? Can the software be installed on a “sandbox” server, or access-controlled in some way?

Again, asking IT staff what questions they have is a good idea–not in a predatory manner, but with forward thinking in mind. With answers to these questions, staff can better understand the risks involved with a particular software package, and the measures necessary to minimize the chances that risk will develop into actual problems. On the other hand, faculty can point out refusals to install “insecure” software which are unfounded.

Finally, faculty should help establish a means for evaluation of the use of the software over time. Two related parts:

1. Is the software actually being used by the expected population? If not, it should be discontinued, and the reasons for non-adoption investigated. On the other hand, if adoption is enthusiastic, will additional resources be needed? Might others be interested in helping scale up the installation? In that case, evaluation shows good reason for continuing maintenance and upgrade cycles.
2. I wish we (big we: higher education, and little we: geeks who teach writing) had more data on the comparative quality of the software we use to do our jobs. I’ve used WordPress for discussions for a long time, and had varying reactions to it from students. But I’ve never heard a student praise WebCT. As higher education gets more and more data-centric, we need ways to make the arguments I outline here in terms which administrators will be willing to engage.

I’m interested to hear what others think: how would you answer Clancy’s questions? Why? What problems do my answers raise, or ignore? What have you done to get the software you would like to have in your classrooms, on your campuses?

What could be very interesting:

• Specific strategies for addressing fiscal problems in Illinois, using a Digg-like submission and ranking system
• Web apps which allow people to build their own budget proposals, or simulate the effects of certain policy changes
• Dynamic visualizations of fiscal data, past and present
• Raw data in easy-to-remix form

is instead simply another comment board filled with commonplaces, flames, rants, and the occasional interesting idea.

I thank Byron, Andrew, and the contributors for their excellent work.

I got nothin’ against interface changes, and some of these are probably improvements. But too often I get the feeling that Facebook is just fiddling around. What happens if we put this here? Whee! And should a web site really need this much explanation?

For the record, I don’t think I forgot my password; I think it was zorched by the database issues.

I hope this gets fixed soon; I have a new issue of Composition Forum to index…

total 193 workouts, 6d 12h 52m, 1,284.5 mi

Here’s the data, and a sparkline (up = running, down = biking).

Though I fell short of these goals in a few ways, I’m happy that I:

• ran a great half-marathon;
• added mileage, with 360 miles more than last year;
• worked out 26 more times in 2009 than 2008;
• had only two weeks with fewer than three workouts, and 27 with more than three;
• suffered no injuries–the best part!

Obviously the weak spot here is swimming. Perhaps I’ll be able to swim more in 2010. Goals soon.

• Jan: the Gators win their second football championship in three years, largely due to Percy Harvin and Tim Tebow.
• Feb: we celebrate, realizing Amelia’s sleeping isn’t a fluke. (And we are celebrating still!)
• Mar: we travel to Florida to see family; I enjoy a very productive CCCC.
• Apr: a quick trip to southern Illinois; my brother and his wife meet us for hiking with the girls. Rainy but fun.
• May: we travel to Florida again, seeing different family this time, and friends in Gainesville too.
• June: I get tenure and a raise, and present at MEA with Jeff and Thomas.
• July: we get a new roof and gutters. I present at WPA.
• July: the girls and I spend a long week in Michigan, enjoying beaches from Grand Haven to Traverse City.
• August: We finish our kitchen upgrades.
• September: I ran a personal best in the Quad Cities half-marathon: 1:49:17.
• October: Madelyn and Amelia turn four and one.
• November: WIU approves my request for AY2010-11 sabbatical, not long after my summer stipend is funded as well.
• December: Amelia starts walking! And I finish 2009 with travel to Philadelphia to present at MLA. (More on that soon.)

Once again, a great year, and 2010 looks even better.