罕見血病青年急求藥費續命

27歲的冲仔患上罕有白血病，每 3個星期需要 13萬元購買自費藥吊命。梁御和攝

2011-11-10

生命無價，治病卻有價！ 27歲的冲仔初踏社會，對人生充滿盼望，卻被罕有白血病襲擊，數月間雙目幾近失明，現依靠每三星期逾 13萬元的自費藥吊命，並等候配對合適骨髓進行移值。最禍不單行是傾盡積蓄為他支付藥費的母親近日又發現乳房有腫瘤，令瀕臨斷藥的樂仔深受打擊。不甘生命就此消逝的他撐起軟弱的身軀求援，盼善心人助他重燃生命之火。
「我希望可以好番，照顧阿媽！」現在沙田威爾斯親王隔離病房的冲仔，癌細胞攻擊雙眼致視物模糊，目無焦點地說：「我已經幾個月未返過屋企，醫生幫我做過一、二線化療療程都冇效。之後醫生話我眼球內出現血塊，家只可以睇到模糊光影」。

自費療程每次需 13萬元
今年五月，原本身體健壯的冲仔發現頸部腫起，全身出現瘀痕，入院檢查後確診為急性淋巴細胞白血病。數年前大專畢業的冲仔在政府部門任職合約制電腦工程人員，他不斷進修，一直以成為正式公務員為目標，奈何患上惡疾，人生計劃被打破，生命更一度危在旦夕。醫生見冲仔年紀尚輕，建議他嘗試一種香港較少用的自費藥物 Nelarabine療程，每三星期一次，每次需費 13萬元。冲仔父母動用所有儲蓄，讓他注射了兩針，初步效果理想，癌細胞指數下降至 10%。到醫院日以繼夜照顧兒子的冲母焦急地說：「醫生 8月時已經幫佢搵骨髓，醫生話大概要等半年，呢段時間要好好控制病情，估計仲要等多三個月，要捱到做移植，估計藥費隨時過百萬」。


冲仔年輕時身體健康，料不到突然患上惡疾。


冲仔幼時樣子精靈可愛，圖為與父母及姊姊合照。

母親驗出胸部有腫瘤
冲仔患病後停工，生活全賴任職三行工人的父親支持。父母為救他騰出畢生積蓄，惟藥費高昂，根本無法繼續支持。看到父母為自己憂心，媽媽更可能因此憂出病來，冲仔深感歉疚，「阿媽之前驗身發現胸部有腫瘤，家等候進一步化驗係咪惡性，我好擔心」。他希望可繼續用藥保住性命，趕及找到合適骨髓移植，得以康復，報答父母劬勞。
在病旁侍候兒子的冲母聽見兒子孝心，雙眼發紅說：「佢可以好番，開開心心咁生活，已經係最大嘅報答」。母慈子孝，還望社會善長集結力量，以實際行動給予他們支持，讓冲仔好好地活下去。
「冲仔」捐款編號： C3122

網上捐款： http://hk.charity.nextmedia.com/site/index.php?fuseaction=site.donate

收藏 分享

TAKE ASSESSMENT: TEST 7 TOPIC 7

Take Assessment: Test 7 Topic 7      
Name Test 7 Topic 7
Instructions Instructions:
   1. You have 30 minutes to complete this test
   2. You only have one attempt and must finish it once started
   3. Answer all 6 questions
Timed Assessment This Test has a 30 minute timer.The elapsed time appears at the top right of the window.
A 1 minute warning will be displayed.
Multiple Attempts Not allowed. This Test can only be taken once.
Force Completion This Test must be completed now. 

       

   Question 1   
  Which below are elements of a security audit and alarms model? (15.2)
 A. System logs, email logs and apache logs
 B. Operating system updates / patches, application updates / patches and anti virus updates
 C. Audit analyzer, security reports, archives and security audit trail
 D. None of the above
 

From the text, Stallings & Brown (2008), page 477 and 478, the elements of a security audit and alarms model are described as follows;

• Event discriminator: The is logic embedded into the software of the system that
monitors system activity and detects security-related events that it has been
configured to detect.
• Audit recorder: For each detected event, the event discriminator transmits the
information to an audit recorder. The model depicts this transmission as being in
the form of a message. The audit could also be done by recording the event in a
shared memory area.
• Alarm processor: Some of the events detected by the event discriminator are
defined to be alarm events. For such events an alarm is issued to an alarm
processor. The alarm processor takes some action based on the alarm. This action
is itself an auditable event and so is transmitted to the audit recorder.
• Security audit trail: The audit recorder creates a formatted record of each event
and stores it in the security audit trail.
• Audit analyzer: The security audit trail is available to the audit analyzer, which,
based on a pattern of activity, may define a new auditable event that is sent to the
audit recorder and may generate an alarm.
• Audit archiver: This is a software module that periodically extracts records from
the audit trail to create a permanent archive of auditable events.
• Archives: The audit archives are a permanent store of security-related events on
this system.
• Audit provider: The audit provider is an application and/or user interface to the
audit trail.
• Audit trail examiner: The audit trail examiner is an application or user who
examines the audit trail and the audit archives for historical trends, for computer
forensic purposes, and for other analysis.
• Security reports: The audit trail examiner prepares human-readable security
reports.


   Question 2   
  Which of the following *are* supported by the Cisco Systems' "Monitoring, Analysis and Response System (MARS)"?
 A. Network devices: Cisco software
 B. Firewall / VPN devices
 C. Intrusion detection software
 D. Anti virus
 E. Applications: Apache IIS web servers
 F. All of the above  G. None of the above
 
Refer to your text, page 503, Computer Security Principles and Practice, Stalling & Brown, 2008.


   Question 3   
  Which of the following statements best describes "system-level audit trail"? (15.5)
 A. traces the activity of individual users over time
 B. captures data such as login attempts, both successful and unsuccessful, devices used, and OS functions performed
 C. generated by equipment that controls physical access and then transmitted to a central host for subsequent storage and analysis
 D. may be used to detect security violations within an application or to detect flaws in the application's interaction with the system

Four different categories of audit trails are;

System-level audit trails: captures data such as login attempts, both successful and unsuccessful, devices used, and OS functions performed

Application-level audit trails: may be used to detect security violations within an application or to detect flaws in the application's interaction with the system.

User-level audit trails: traces the activity of individual users over time.

Physical access audit trails: generated by equipment that controls physical access and then transmitted to a central host for subsequent storage and analysis.



   Question 4   
  Which of the following areas (categories of data) should audit data be collecting? (15.4)
 A. deletion of objects
 B. identification and authentication functions
 C. printout of data
 D. use of access rights to bypass a policy check
 E. All of the above  F. Only A, B and D above

All actions that may effect access to data are to be collected by audit data.

The following are all categories of data that audit data should collect;

• Introduction of objects within the security-related portion of the software into a
subject’s address space
• Deletion of objects
• Distribution or revocation of access rights or capabilities
• Changes to subject or object security attributes
• Policy checks performed by the security software as a result of a request by a
subject
• The use of access rights to bypass a policy check
• Use of identification and authentication functions
• Security-related actions taken by an operator and/or authorized user (e.g.,
suppression of a protection mechanism)
• Import/export of data from/to removable media (e.g., printed output, tapes,
disks)


   Question 5   
  Which of the follow need to be understood to perform effective reviews and analysis of an organisation's systems audit logs?
 A. characteristics of common attack techniques
 B. organisations policies regarding acceptable use
 C. the operating systems and major applications
 D. security software used on hosts
 E. brand computers purchased by each department of the organisation
 F. All of the above
 G. Only A, B, C and D above
The brand of computers purchased is not relevant, but all other points listed are needed to be understood to review and analyse an organisation's systems audit logs.

Refer to your text, page 498, Computer Security Principles and Practise, Stalling & Brown, 2008.  

   Question 6   
  Audit logs that track user activity on an information system provide __________.
 A. identification
 B. authorization
 C. accountability  D. authentication

Mor-Christian General Soccer Ability Skill Test Battery

Introduction

Soccer is one of the popular sports in the world, as there is a very large number of people that play football at different levels. According to a survey conducted by FIFA published in 2008, over 300 million people from more than 200 countries regularly play football. As a result, we can see that effective skill tests are vitally important for placement, grading, diagnosis in various levels, since sport skill test is an instrument that elicits an observable respone which provides information about motor skill used in a sport.

Mor-Christian General Soccer Ability Skill Test Battery(Mor & Christian, 1979) is one of the soccer tests that evauate passing, dribbling and shooting ability in soccer. Here, the content of the tests will be discussed and evaluated in the following part. On the contrary, there are the suggestions on improving the quality of the test that instructors not only administer the tests smoothly, but also test the subjects’ ability widely.

a)    Mor-Christian Soccer Dribbling Test

( Validity-0.73 , Reability-0.80 )

There are many good criteria in this test, including short period of time for administering, equipments, human resource, availability of venue and objectives. In this test, there is a short period of time, around 2 minutes for each subjects. Besides, few human resources and equipment are required, so that the test is easy for setting and administer. But large area is oocupied by the circular path in this test, some testing area may not provide sufficient area to carry out various tests at the same time. Actually, it is good for students that three trials are allowed in this dribbling test, as the learning effect is a key factor to reduce the relibility, so trials can help the subjects to familiarize the testing procedures. Moreover, clockwise and conterclockwise direction are required to finish that the test is suitable for real situation, soccer need to dribble in all direction continually in the match, not only in their dominant direction. However, there are some suggestions in this test. The first one is the distance between cones. In the outline of setting, there is 5 yds among the cones within the path, but too long distance may cause the reduction of validity and reliability. Dribbling refers to the maneuvering of a ball around a defender through short skillful taps or kicks with either the legs, excess time is allowed for dribblers to co-ordinate their body and it is easy to dribble all the cones if there are too long distance among the cones. In fact, players in the competition often execute dribbling in the short distance from the defenders, so the distance is suggested to reduce from 5 yds to 3.5 or 4 yds, and it can let the subjects in dribbling test as well as real situation. The second suggestion is that  subjects’ liner-dribbling ability can be tested, not only in circulat direction. Since players also face the challenges face to face in the match, so the liner-dribbling part is suggested to follow the circular dribbling, this combination can fit in real situation and increase the validity of the test.

b)    Mor-Christian Soccer Shooting Test

( Validity-0.78 , Reability-0.96 )

This shooting test can verify the shooting ability exactly, especially for the soccer attackers, as it can test the object shooting accuracy. However, shooting power is not tested and scoring scheme has a contridiction. Shooting ability is mainly consist of accuracy, power and speed, and the speed is a key factor to determine the quality and the chance of scoring, but this test just test subject’s shooting accuracy only. Also, the scoring scheme has conflict that the score is counted even subjects shoot at the other corner which is not they claimed, since there is a large difference in shooting two opposite concer, so the instruction of scoring scheme is not clear and unintelligible.

Actually, there are many reasons that it is quite difficult to administer this shootiing test. First of all, time consuming is factor that every subject consume much time to finish all of the trials, around five to six minutes, so an inconvenience may be caused. Second is about the availability of venue, because not all of the testing area contain a standard goal or sufficient area for setting, so this test is limited by small venue. Thirdly, many equipments are required for setting this test when it compares with another two tests, so it increases the difficulty in setting.

c)     Mor-Christian Soccer Passing Test

( Validity-0.91 , Reability-0.98 )

This passing test has the highest validity and reability in these three tests, it prove that it has  good criteria for a sport skill test, however, it also has some drawbacks.

There are few equipments in this test like the dribbling test metioned before, so instructors can prepare the test easily. Nevertheless, subjects consume a lot of time to finish all of the passing tests in different positions when it compares with other two soccer tests , around 4 minutes for each subject. Furthermore, it requires many human resources to keep the fluency of the test. For the objectives, the test is good for subjects’ passing abiliy, since the proper distance and several passing direction in the test are essential for a soccer match and it can explain why there are the high validity and reability. On the other hand, the test result may not reflect actual ability. It is because players will not pass the ball on the fixed points like this passing test if they play in the match. Players need to run and then pass the ball continually, so this passing test is not fit to test subjects’ actual passing ability. Moreover, ability of long pass is not involved in the test, so long pass testing is suggested to administer, as long pass is an important part in soccer, it is used in defenders and side attackers normally.

Conclusion

are the basic skills in soccer, it is necessary to test players’ ability of these aspect. Mor-Christian General Soccer Ability Skill Test Battery is one the the good tests to evaluate although there are some suggestions for improvement. In fact, not only these three aspect, many skills are also required for a good soccer player. For instance, agility and header are two of the important skills in soccer, perhaps it is better that various parts are included beside dribbling, passing and shooting and test the subject comprehensively.

乳字的意思

老師給小朋友解釋：“乳”就是“小”的意思。
比如“乳豬”就是“​小豬”，“乳鴿”就是“小鴿”。
小明，請你用“乳”字造個句。

小​明：我家經濟條件不太好，只能住 20坪的乳房。
老師： （我暈）這個不行。換一個。

小明：我每天上學都要跳過我家門口的​一條乳溝。
老師：（暈死）不行，再換一個。

小明：老師，我想不出​來了。把我的乳頭都想破了。

REVIEW ASSESSMENT: TEST 3 TOPIC 3

REVIEW ASSESSMENT: TEST 3 TOPIC 3

Question 1
Which of the following best describes a relational database? (5.2)
Question 1 answers
A. A relational database uses a single file to store data sequentially.

B. A relational database is a collection of tables (also called relations).

C. A relational database organises its data in a tree-like structure.
D. None of the above.
E. A and B and C.

Question 2
How many primary keys and how many foreign keys are required in a relational database? (5.3)
Question 2 answers

A. One primary key and zero or more foreign keys.

B. Every table must have one primary key and one foreign key.
C. None, as primary keys and foreign keys are not always required.
D. None of the above.

Question 3
Which statement below best describes a Decentralized Administration Policy? (5.4)
Question 3 answers
A. A small number of Administration users may grant and revoke access rights.
B. The owner (creator) of any table reserves all rights to grant and revoke access rights to each table that he or she has created.

C. In addition to granting and revoking access rights to a table, the owner of a table may also grant and revoke authorisation to other users, allowing them to grant and revoke access rights to the table.

D. There needs to be at least one Administration person in each organisational unit of a company who can grant and revoke access rights to any specified table.
E. All of the above

Question 4
Which statement below best describes an inference threat to a RDBMS? (5.6)
Question 4 answers
A. An inference threat arises when an unathorised person has gained access to a database.

B. An inference threat arises when the database administrator allows remote connections to the database server.

C. An inference threat arises when the database table structure is known to be poorly designed.

D. An inference threat arises when the combination of a number of data items can be used to infer data of a higher sensitivity.

Question 5
Which statement below best describes perturbation? (5.8)
Question 5 answers
A. Provides answers to all queries, but only to authorised users.

B. Provides answers to all queries, but the answers may be approximate.

C. Provides answers to all queries, but the user identification of the querry is logged.
D. Only provides answers to queries that are not classified as secret.

Question 6
Which statement below best identifies the disadvantages of database encryption? (5.9)
Question 6 answers
A. Key management
B. Insecurity
C. Inflexibility
D. Vulnerabilities
E. Both A and B

F. Both A and C

G. Both B and C
H. Both C and D

Essay - Let's put a halt to capital punishment

  Capital punishment, also known as death penalty or execution, is the most extreme sentence which can be devised in about 59 countries including China, Japan and the United States of America nowadays, according to Amnesty International’s figures in 2008. While more and more people actually come to realize problems of practicing capital punishment, yet, supporters insist on claiming that it is the most effective way to deter people from committing crimes. They continue to think that capital punishment is the only proportionate compensation for the victims whereas life imprisonment will solely cause a high cost which is ultimately paid by our hard-working and observant taxpayers unfairly. At first glance, their claims may seem reasonable and unassailable. However, you will probably find the flaws when you examine closer.

  First and foremost, capital punishment may actually be practiced to kill people who have not committed any crimes mistakenly or deliberately. For instance, with the help of advanced technology such as DNA investigation, 23 people executed in the United States of America in the 20^th century have actually been found guiltless. Doubtless, there is absolutely no way that can compensate these innocent people who were killed only because of wrong judgment. Yet, this kind of tragedies actually happens in most, if not all, of the other countries across the globe exercising capital punishment. In China, for example, a man called Tan Hang Sin was convicted to have killed his own wife and executed 16 years ago. Surprisingly, his wife was found to be still alive later. How ridiculous it is! Capital punishment is initially established to help uphold justice, protect people and penalize criminals. Ironically, it is now practiced to kill sinless people and just let criminals go free! How many harmless people should actually sacrifice before countries exercising capital punishment finally wake up? Worse still, capital punishment is sometimes utilized by dictators or dictatorial governments to extinguish their opponents deliberately. North Korean former president, Kam Tai Chung, was once accused of betraying North Korea and sentenced to capital punishment. However, the underlying reason why he was sentenced to capital punishment was that he was the leader of an opposition party at that time. It is undeniable that such kind of abuse of capital punishment still really exists in some countries around the world. Capital punishment actually becomes a form of witch hunt.

Aside from the tragedies which may be caused by capital punishment, legal sanctions should also in no way be regarded as a means for victims or their family members to take revenge on criminals. Honestly, when people get offended, it is common and normal for people to firstly think of taking revenge. “An eye for an eye and a tooth for a tooth” seems likely to be the first sentence springs up in our mind. Nevertheless, it is also true that we should all know and be reminded that taking revenge is useless and meaningless. Victims can never be brought back to life even when the criminals are killed. However, if the criminals are executed, they will surely lose a precious chance to turn a new leaf and more families will lose their family members forever and ever. There is a Chinese saying that “Do unto others as you would be done by”. When you have lost your beloved family members and you know the pain of this, you should never support capital punishment to cause others to suffer. After all, “an eye for an eye only ends up making the whole world blind”.

Apart from uselessness and meaninglessness of capital punishment, ethical problems should also be considered thoroughly. As a matter of fact, no-one in the world should be allowed to end any others’ lives for any reasons. Isn’t it nonsensical that we claim that we respect human life but we do not respect criminals’ lives at all? Isn’t it absurd that we claim that killing is wrong but we keep on killing criminals at the same time? I am sure that no-one will deny that life is precious. I find it especially preposterous to say that we should support capital punishment because many prisons are over-crowded and under-funded now and life sentence will cause a huge burden for our taxpayers. Not to say that prisoners can actually carry out some kinds of social services in jail to keep themselves productive, should a human life be anyway weighted like this? No way! How can we support to kill someone because he or she will become a burden of our society? It is really totally non-sense. Besides, Studies in the United States of America show that capital cases actually cost between $1 million and $7 million from arrest to execution. Nevertheless, life sentence cases only costs about $500,000, which is only half of the cost of capital cases. There is actually no more ridiculous excuse for us to support capital punishment.

  In conclusion, capital punishment is actually a bane in disguise. Although it may seems that capital punishment can deter people from committing crimes, it is also capital punishment that causes more and more tragedies to make more and more people killed “legally”. Besides, acceptance of capital punishment definitely implies that taking revenge is a decent thing to do whereas it is definitely not. We should, thus, immediately stop this kind of wrong message from being passed on to the public and to our next generation. Another thing that we should immediately make clear is that life is doubtlessly invaluable and that criminals’ lives are also doubtlessly invaluable. No-one should be allowed to take away any others’ lives and high costs should not be a reason to support capital punishment. Therefore, it is my firm belief that capital punishment should be abolished at once under all circumstances and it is high time for all countries in the world to wake up to figure out what capital punishment really brings us. As the old saying goes, “to err is human”. We all have made some mistakes in our life and we all hope that others can forgive us and give us a second chance. So, why can’t we just also give all criminals a second chance?

Take Assessment: Test 4 Topic 4

Question 1

Which of the following is NOT identified as a intruder "class"? (6.1)

	A.	Masquerader
	B.	Imposter
	C.	Misfeasor
	D.	Clandestine user

The following are identified by the text (page 177) as intruder classes;

1. Masquerader: An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate user's account.

2. Misfeasor: A legitimate user who accesses data, programs, or resources for which
such access is not authorized, or who is authorized for such access but misuses his
or her privileges.

3. Clandestine user: An individual who seizes supervisory control
of the system and uses this control to evade auditing and access controls or to
suppress audit collection.

Question 2

Which of the following is NOT a desirable characteristics of an IDS? (6.5)

	A.	Be fault tolerant in the sense that it must be able to recover from system crashes and reinitializations.
	B.	Impose a minimal overhead on the system where it is running.
	C.	Be able to scale to monitor a large number of hosts.
	D.	Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it.
	E.	Be able to be configured according to the security policies of the system that is being monitored.
	F.	Need substancial human supervision to run.

These are desirable characteristics (specified in textbook, p 183) of an IDS;

•Run continually with minimal human supervision.
•Be fault tolerant in the sense that it must be able to recover from system crashes
and reinitializations.
•Resist subversion. The IDS must be able to monitor itself and detect if it has been
modified by an attacker.
•Impose a minimal overhead on the system where it is running.
•Be able to be configured according to the security policies of the system that is
being monitored.
•Be able to adapt to changes in system and user behavior over time.
•Be able to scale to monitor a large number of hosts.
•Provide graceful degradation of service in the sense that if some components of
the IDS stop working for any reason, the rest of them should be affected as little as
possible.
•Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without
having to restart it. 

Question 3

Which of the following ARE useful for profile-based intrusion detection? (6.7)

	A.	Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time.
	B.	Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity.
	C.	Interval timer:  The length of time between two related events.
	D.	Resource utilization: Quantity of resources consumed during a specified period.
	E.	All of the above.
	F.	Only A, B and C above.

All the following ARE useful for profile-based intrusion detection (see textbook page 186);

Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time.

Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity.

Interval timer:  The length of time between two related events.

Resource utilization: Quantity of resources consumed during a specified period.

 Question 4

Which of the following best describes the "operation" of a virus or worm? (7.3)

	A.	Dormant phase.
	B.	Propagation phase.
	C.	Triggering phase.
	D.	Execution phase.
	E.	All of the above.
	F.	None of the above.

Typical phases (as described by the textbook on page 220) of operation are; a dormant phase, a propagation phase, a triggering phase, and an execution phase.

 Question 5
Which of the following is NOT an effective worm countermeasure? (7.7)

	A.	Signature-based worm scan filtering.
	B.	Threshold random walk (TRW) scan detection.
	C.	Filter-based worm containment.
	D.	Rate halting.
	E.	DNS base scanning worm detector.
	F.	Payload-classification-based worm containment.
	G.	Rate limiting.

 A "DNS base scanning worm detector" would likely fail to detect an IM worm outbreak, because an IM worm’s attack payload will most likely be forwarded through the IM server, using the target’s user ID instead of a target IP address (Yan, Xiao,& Eidenbenz, 2008 pg 2).

See page 236 of textbook for details on the following.

Signature-based worm scan filtering: This type of approach generates a worm
signature, which is then used to prevent worm scans from entering/leaving a
network/host. Typically, this approach involves identifying suspicious flows and
generating a worm signature. This approach is vulnerable to the use of
polymorphic worms: Either the detection software misses the worm or, if it is
sufficiently sophisticated to deal with polymorphic worms, the scheme may take a
long time to react. [NEWS05] is an example of this approach.

Filter-based worm containment: This approach is similar to class A but focuses on
worm content rather than a scan signature. The filter checks a message to
determine if it contains worm code. An example is Vigilante [COST05], which
relies on collaborative worm detection at end hosts. This approach can be quite
effective but requires efficient detection algorithms and rapid alert dissemination.

Payload-classification-based worm containment: These network-based
techniques examine packets to see if they contain a worm. Various anomaly
detection techniques can be used, but care is needed to avoid high levels of false
positives or negatives. An example of this approach is reported in [CHIN05],
which looks for exploit code in network flows. This approach does not generate
signatures based on byte patterns but rather looks for control and data flow
structures that suggest an exploit.

Threshold random walk (TRW) scan detection: TRW exploits randomness in
picking destinations to connect to as a way of detecting if a scanner is in operation
[JUNG04]. TRW is suitable for deployment in high-speed, low-cost network
devices. It is effective against the common behavior seen in worm scans.

Rate limiting: This class limits the rate of scanlike traffic from an infected host.
Various strategies can be used, including limiting the number of new machines a
host can connect to in a window of time, detecting a high connection failure rate,
and limiting the number of unique IP addresses a host can scan in a window of
time. [CHEN04] is an example. This class of countermeasures may introduce
longer delays for normal traffic. This class is also not suited for slow, stealthy
worms that spread slowly to avoid detection based on activity level.

Rate halting: This approach immediately blocks outgoing traffic when a threshold
is exceeded either in outgoing connection rate or diversity of connection attempts
[JHI07]. The approach must include measures to quickly unblock mistakenly
blocked hosts in a transparent way. Rate halting can integrate with a signature- or
filter-based approach so that once a signature or filter is generated, every blocked
host can be unblocked. Rate halting appears to offer a very effective
countermeasure. As with rate limiting, rate-halting techniques are not suitable for
slow, stealthy worms.

Yan, G., Xiao, Z. & Eidenbenz, S., 2008. Catching instant messaging worms with change-point detection techniques. In Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats.  San Francisco, California: USENIX Association, pp. 1-10. Available at: http://portal.acm.org/citation.cfm?id=1387715 [Accessed March 14, 2010].

Question 6
Which of the following is NOT a typical USE of a BOT? (7.8)

	A.	Distributed Denial of Service (DDoS) attack.
	B.	Spamming, an attacker is able to send massive amounts of bulk e-mail (spam).
	C.	Keylogging, captures keystrokes on the infected machine.
	D.	Persistant, activates each time the systems boots.
	E.	Spreading new malware, Botnets are used to spread new bots.
	F.	Installing advertisement add-ons and browser helper objects (BHOs), Botnets are used to gain finanical advantages.
	G.	Attacking IRC chat networks, Botnets are also used for attacks against internet relay channel (IRC) networks.
	H.	Manipulating online pols / games, since every bot will have a unique ip address, every vote will have the same crediability as a vote by a realp person.

  

See page 240 of the textbook for details.The following are uses for bots; Distributed Denial of Service (DDoS) attack, Spamming, an attacker is able to send massive amounts of bulk e-mail (spam), Keylogging, captures keystrokes on the infected machine, Spreading new malware, Botnets are used to spread new bots, Installing advertisement add-ons and browser helper objects (BHOs), Botnets are used to gain finanical advantages, Attacking IRC chat networks, Botnets are also used for attacks against internet relay channel (IRC) networks, and Manipulating online pols / games, since every bot will have a unique ip address, every vote will have the same crediability as a vote by a realp person.

COMPUTER CONTROL AUDITING AND SECURITY > TAKE ASSESSMENT: TEST 6 TOPIC 6

Question 1
	Which below are indirect threats posed by fire? (13.2)
	A. Heat B. Release of toxic fumes C. Water damage from fire suppression D. Smoke damage E. Fire itself F. All of the above G. Only A, B, C and D above

The direct threat is the damage caused by the fire itself. The indirect threats are from heat, release of toxic fumes, water damage from fire suppression, and smoke damage.

Question 2
	TRUE OR FALSE - An overflowing of water into a data center can cause direct damage to all or part of the information system. (13.6)
	True False

Prevention and mitigation measures for water threats must encompass the range of such threats. For plumbing leaks, the cost of relocating threatening lines is generally difficult to justify. With knowledge of the exact layout of water supply lines, measures can be taken to locate equipment sensibly. The location of all shutoff valves should be clearly visible or at least clearly documented, and responsible personnel should know the procedures to follow in case of emergency. To deal with both plumbing leaks and other sources of water, sensors are vital. Water sensors should be located on the floor of computer rooms, as well as under raised floors, and should cut off power automatically in the event of a flood.

Question 3
	A device that assures the delivery of electric power without interruption is a(n) __________. (13.7)
	A. GFCI B. HVAC C. GPS D. UPS

To deal with brief power interruptions, an uninterruptible power supply (UPS) should be employed for each piece of critical equipment. The UPS is a battery backup unit that can maintain power to processors, monitors, and other equipment for a period of minutes. UPS units can also function as surge protectors, power noise filters, and automatic shutdown devices when the battery runs low. For longer blackouts or brownouts, critical equipment should be connected to an emergency power source, such as a generator. For reliable service, a range of issues need to be addressed by management, including product selection, generator placement, personnel training, testing and maintenance schedules, and so forth.

Question 4
	What are the benefits of security awareness, training and education programs for a organisation? (14.1)
	A. Improving employee behavior B. Increasing the ability to hold employees accountable for their actions C. Mitigating liability of the organization for an employee's behavior D. Complying with regulations and contractual obligations E. All of the above

1. Improving employee behavior
2. Increasing the ability to hold employees accountable for their actions
3. Mitigating liability of the organization for an employee's behavior
4. Complying with regulations and contractual obligations

Question 5
	At its core, a(n) __________ policy is a document that outlines the protections that should be enacted to ensure that the organization’s assets face minimal risks. (14.3)
	A. Safety B. Acceptable use C. Change management D. Security

An organizational security policy is a formal statement of the rules by which people that are given access to an organization's technology and information assets must abide.

Question 6
	Which of the following are reasons why organisations would have a email and internet use policy? (14.7)
	A. Stop work time being consumed through non-work-related activities B. Stop staff members looking at work related websites C. Stop staff members emailing organisation suppliers and or clients from outside the organisation D. None of the above

1. Significant employee work time may be consumed in non-work-related activities, such as surfing the Web, playing games on the Web, shopping on the Web, chatting on the Web, and sending and reading personal e-mail.

2. Significant computer and communications resources may be consumed by such non-work-related activity, compromising the mission that the IS resources are designed to support.

3. Excessive and casual use of the Internet and e-mail unnecessarily increases the risk of introduction of malicious software into the organization's IS environment.

4. The non-work-related employee activity could result in harm to other organizations or individuals outside the organization, thus creating a liability for the organization.

5. E-mail and the Internet may be used as tools of harassment by one employee against another.

6. Inappropriate online conduct by an employee may damage the reputation of the organization.

Octopus card scandal

In Hong Kong, almost everyone has at least one Octopus card (on average each person possess two cards!), which is a rechargeable contactless stored value smart card using the RFID technology. It is widely used in Hong Kong because it brings a lot of convenience to the people for shopping, eating in restaurants, taking class attendance in almost all the high schools of HK etc…and almost all public transportation (especially for the mass transit system (MTR)). Each card has a built-in microchip containing an electronic purse which can actually calculate and store all the information regarding the holders’ transaction details. It is also recognised internationally and wins many prestigious awards. Many companies from different regions and countries visited Octopus Company (which is mainly owned by MTR company of HK) to learn the advanced technology and management of Octopus system. While Octopus cards can be purchased anonymously for cash, over 2.4 million customers have registered for the widely adopted Octopus Rewards program with their personal information, according to the information posted in its website.

However, such a “giant” and “prestigious” company suddenly became a controversial target in this July (2010) when it was disclosed by a local media that the management of the Octopus company has been selling nearly 2 million customers’ private data to merchants since 2006. The Octopus company made a total revenue of HK$44 million by selling these customer’s personal data.

The Octopus controversy, the company's CEO first denies that clients' personal data has been sold to third parties for direct marketing. With further investigation by local legislators, she admitted that her earlier denial was erroneous because she did not have critical information when she issued her first denial. She later revealed that Octopus had made HK$44 million in revenue selling information on 1.97 million customers to six companies during the past 4.5 years.

As CEO of the company and the person who might well initiate such deals, she should have had full knowledge of the business. Through her public denial when confronted by the media and legislators who pressed serious concerns on behalf of the public, she has shown a lack of honesty, lack of business ethics, and lack of social responsibility.

Under the pressure of all the medium (newspaper, TV, radio etc.) and the direct intervention of the local government, the MTR board (which owns 57% of share of Octopus company) apologized to the public for “inconsistencies and errors in public communications made by Octopus management.” The octopus management team has decided to donate all the money earned by selling the privacy to merchants to charity.

However, the people responsible involved in this scandal will not face any lawsuit because there are not any existing privacy laws to regulate this kind of scandal (which might be a bit surprising). Octopus’ privacy policy explicitly states that customer data may be used by “any of [Octopus'] selected business partners” for marketing and Octopus asks for information irrelevant to the card’s operation). Therefore the public has urged to form the legislature to set up the laws/rules to forbid the sale of personal information immediately. The public is outraged at being lied to and outraged that the company has denied selling information for years.

So please discuss what you learned from such example. And what social responsibility, business ethics, and privacy responsibility should a large corporation have? How can regulation of companies such as Octopus, with strong government support, be achieved without these companies failing to comply with the rules themselves? Should local privacy law be revised and regulatory control over Octopus be strengthened concerning supervision and monitoring of business ethics of the business giants? How?

------------------------------

Example 1:

When i was child, I still use my coins and run to the LTR station. Then being hurry to buy ticket because i was going to miss a class. Since Octopus was established, i begin to take a contract with it and have a great convenience for my transportation. Of course, i still didn't know what privacy is.

Now, when i see the news talking that the company of Octopus will sell their customers including me and my parents, the personal information. I feel a bit horrible. Sometimes, personal information is not too important for me, but it does not mean that the company should sell our personal information and the important point is they denies that.

To be honest, the deal is already noted that the personal information maybe used by other partners of Octopus. That can be the residents problem that we never see the policy to purchase Octopus with private data. Moreover, it just making the advertisement always phone us, and still not make us a critical lost i think. Why we don't see the policy and information of every deal detail? If the information for us is really important, we should beware for this even more.

About the CEO, she should admitted that her denial earlier. In the business, the important thing is honest. Honest also is the major thing of social responsibility and business ethics. If a person lies just once, no one will trust him again, like he dig a hole in his honest. The hole can't be fixed forever. When he lies more, there will be more holes. However, the CEO of Octopus company can admitted her false earlier, instead of after it become a scandal and too late.

The customers has lack of knowledge for their privacy and Octopus’ privacy policy explicitly states that customer data may be used. It exactly is legal for their personal data being used, but the customers has not enough knowledge so they look like being lies. The problem is, the company use that to make the great amount revenue and the revenue is just for the company themselves. So i think it is not moral and unfair for the customers. Customers can't sense their important information should not be given to company.

The resident especially children doesn't know what privacy is yet. However, the government can promote the education about the privacy for the student, remind that i didn't know what privacy is when i still was a child. So there should be some education for child, teach them what information themselves should not be issued to strangers, make stronger about the privacy education. Let them always remember these rules until they become independent. So that they will have a better defence with their privacy, which maybe more important than their money. Although Octopus card's fee is low, customers may lose more money when their important information is given to others.

Octopus does a false event, but i still would like to use it. It is too convenience in our life and sometimes we will be given back our money because of many discount (e.g. MTR student 50% fee). Without this card, transportation and other things will be more costly and trouble.

---------------------------------------------

Example 2:

Hong Kong’s Octopus Holdings Limited sold customers’ personal information to other companies and has been paid HK$44 million since January 2006. It raised a lot of discussions among the society regarding the social responsibility of enterprises. In fact, it is not something new to identify what people need by analyzing the customers’ data and then determine how to market the products. It is widely accepted by customers. However, when enterprises do not take the customer value seriously for a short-term profit, the customers were not likely to continue paying for their products.

In the local corporate culture, most managers of practices have business backgrounds, especially in marketing and promotion. Maximizing profit is their only target and they pay less attention to the public interests. Like the Octopus Holdings Limited, it has a weak customers’ privacy scheme. Opt-out instead of opt-in mechanism is used for their services where customers’ data will be available to others. The company then claims that it is the user’s responsibility to dig for it. The Octopus Holdings Limited sold user's personal information and even not giving them sufficient opportunities to know how their personal data would be used. The company has not promoted human rights protection in the business policies. It obviously violated corporate social responsibility.

Selling customers’ data by the Octopus Holdings Limited is just one of examples showing that customers’ personal data is not well protected by corporates. The case also relates to the control of unsolicited commercial electronic messages, such as faxes, emails, short messages, pre-recorded telephone messages, etc. If the Hong Kong Government can do a deeper research for the cases, it may find that both the Unsolicited Electronic Messages Ordinance enforced by the Office of the Telecommunications Authority and Personal Data (Privacy) Ordinance enforced by the Office of the Privacy Commissioner for Personal Data, Hong Kong have been broken at the same time. Since the enforcement of the two ordinances is co-related, it is advised that the two offices can work together and exchange information.

Octopus is one of the world’s leading smart card payment systems. The public thus has a very high expectation to the Octopus Holdings Limited. After the case, both the customer relationship and trust to the company are damaged. An enterprise should seek for a balance between business and social values. If it takes care about the social responsibility, the image of company and the employers’ sense of belonging will be improved. It will benefit from the situation.

-----------------------------------


Example 3:

In Hong Kong, many people use Octopus card. We use octopus card everywhere, transportation, convenience shop, fast food shop, etc. Octopus card become an important part of us.

Few years before, Octopus company starting a reward promotion called　“Earn and Redeem Reward”. Customers can redeem points by using Octopus card. But while the customers apply for the “Earn and Redeem reward”, they should sign for an agreement, the terms and condition inside contain a few pages of terms, including some terms with 1-1.5mm font. How many of us will read the terms and condition Octopus company state? A public survey revealed that more than 90 per cent of the respondents said they hadn’t read the personal information statements when they provided data to apply for Octopus services, reports Bloomberg.

In July, while the Octopus “Earn and Redeem reward” happening occur. The Hong Kong citizens start to pay attention to the privacy problem. This happen tells us that we should pay more attention to protect our personal information and the Hong Kong companies should pay attention to their social responsibility, business ethics and privacy responsibility.

In this case, Octopus Company trying to conceal the information of the terms and conditions, Octopus company only concern to fulfill the privacy law of government but ignore customer’s reception to selling our personal information. This is an action lack of social responsibility and business ethics, makes the customers very disappointed.

In fact, the companies have responsibility to explain the terms and condition to us clearly, and let us know clearly how they will handle our personal information ,because many people will not read the terms themselves, some of them are not able or don’t have enough knowledge to read the terms. For example, they can make the fonts bigger, or explain the terms to us while we sign the contract, to let customers from every ages clearly watch the terms and condition.

As the biggest shareholder of Octopus, Government also to be one's unshirkable responsibility, they take not enough monitor to the company. I think it’s the time for them to revise the local privacy law. Maybe they can revise the law, ensure a readable font size in the terms and condition, or ensure all the companies should monitor by an individual organization, to protecting the privacy information.

In conclusion, Hong Kong companies should make more improvement to their social responsibility, business ethics and privacy responsibility. Many times, we have no choice to choose a service providers, it’s hard for us to decline the contract. So, responsible companies are very important. They should monitor themselves to protect the customer information. A good company will not always face to money, they will concern more about the social responsibility, these action cannot earn much money, but it can improve their business ethics, also can build their brand, the outcome is more great.

-----------------------------



Example 4:


In today’s modern society, corporate company should not only concern on the profit of their company but also on business ethics and social responsibility. Company shouldn’t just look at the minimum requirement of the law, the company’s decision will not face any lawsuit or harm to the public, but this might lose the public trust.


Octopus card help to save transaction time for transportations, settle payment of fast-food chain and gives our life more convinience. However such a a “giant” and “prestigious” company suddenly become a big seller by selling our personal information for 4.5 years without our consent.


Although Octopus had stated that the applicant information would be used by “any of [Octopus'] selected business partners”, how many people had awared of this statement or denied to apply such a convenience service due to this reason?


“More than 90 per cent of the respondents said they hadn’t read the personal information statements when they provided data to apply for Octopus services”2, reports Bloomberg.
I believe that they hadn’t read through the terms and condition when signing any contract including submit the data for apply service and was caused by the font size, wordings and voluminousness of the statement.


Recently we had received a lot of advertising phone calls, we cannot clarify if this is related to Octopus or not, but the trend is many companies gain revenue by selling customer’s information to their business partner. If the government still not revising the local privacy law, the problem will get worse.


The goverment has the responsibility to revise the local privacy law to constrain the companies, which have to provide options for applicants to choose if they are willing to accept their personal information will be disclosed to or used by the third party companies. The government should check whether those companies have failed to comply with the rules, and reveal the result to the public in order to enhance the transparency of the companies.


If the company was listed in failing to comply with rules or denies to the public like the CEO of Octopus, its company image will be discredited. It takes times to re-build the public image of Octopus company after the public knew they sold their information, “Octopus must do more than replace its chief executive officer to regain public trust”1, two lawmakers said.


Hong Kong residents lack knowledge for their privacy protection and it is legal for their personal information being used by companies, which the company business operate as opaque system, the residents could not know whether their privacy have been well protected. The government should provide education through programmes and advertisement to elevate how to protect personal information.


The Octopus issue is an alert for people in Hong Kong starting to protect their personal information by read through the statement when signing contract or apply any kind of services.


Octopus did a wrong action and Hong Kong resident had lost their confidence on using octopus, but it is too convinient to our daily life, we will keep using it for transportation but might not go for further extend on other usage.


Now there is a pressing need to revise the privacy law and regulatory control over and strengthened the concerning supervision and monitoring of business ethics, forbid the sale of personal information immediately after revealing Octopus had sold customers’ information. The public is outage and didn’t know whether there are other companies had followed the same track several years ago.


The Octopus data leak has sparked public outrage over privacy laws in Hong Kong, with many voicing concern that their private information is being exposed and there are few laws to protect them.”Currently the highest penalty for privacy infringement is a fine of a few thousand HK dollars, which is an insufficient deterrent for large multi-million enterprises.”3 Dr. Wilson Wong said (Assistant Professor of Politics and Public Administration at the Chinese University of Hong Kong, )
“the current laws fail to protect citizens and leave them exposed to information abuse.”4 Emily Lau said (Member of the Legislative Council)


From my point of view, hopefully the Government can revised the local privacy law before such kind of issue happen again and well protect all resident’s personal information.


_______________________________


1 Bloomberg Businessweek , August 05, 2010
www.businessweek.com/news/2010-08-05/octopus-must-do-more-to-regain-trust-lawmakers-say.html


2, 3, 4 Theepochtimes, by Liang Lsui & Sonya Bryskine, August 05, 2010 www.theepochtimes.com/n2/content/view/40410/

-------------------------------------


Example 5:

For the case of selling customers’ personal data, I believe that the fiasco is just the tip of the iceberg. Although Octopus’ privacy policy clearly states that customer data may be used by “any of [Octopus'] selected business partners” for marketing and Octopus asks for information irrelevant to the card’s operation, how many customers read the personal information statements?

Bloomberg.com found that more than 90 per cent of the respondents in a public survey said they hadn’t read the personal information statements when they provided data to apply for Octopus services. I believe that it is true as the font size of privacy policy in personal information statements is very small, and there are many words in privacy policy.

Certainly, many people will ignore the personal information statements, as font sizes are small and lots of words in there. Moreover, the aged people cannot read the statements well, should staff of octopus explain the details of Octopus’ privacy policy well when customer purchase the octopus card?

I am sure there are cardholders who don’t mind Octopus Company selling their personal data. In fact two companies exchange their customers personal data without make announcement already make customers antipathy.

So that in the future, when I buy any products and services, I will study privacy policy provided clearly to protect myself. In addition, I will also remind people I know to study any statement and policy related with them to avoid any unlucky things happen such as personal data was sold.

Society expects that organizations should provide products and services that are needed and desired by customers. However, people in Hong Kong really feel disappointed about it, as customers do not want to spread of their personal information. Customers provide their personal data because they believe that company needs their information to provide good services. However, Octopus Company did not protect personal data of its customers well, and after sold the personal data, customers will only receive more advertisement from other companies, but services provided by Octopus Company did not improved.

Government may check companies have failing to comply with the rules themselves or not in a fixed period, and show out the result. If a company is in the list of “failing to comply with the rules themselves”, its goodwill should be decrease and net profit will also decrease. Companies will not fail to fulfill with rules themselves, as they need customers’ trust. Moreover, business ethics of company people can understand which company is worth to trust or not.

In addition, government may provide some training course or information through social media to let people understand more how to protect their personal information. Also, government may also let managers of companies to understand how important of social responsibility, business ethics, and privacy responsibility.

Besides, local privacy law should be revised and regulatory control. One of reasons of Octopus Card admits making money selling personal data to third parties is there are not any existing privacy laws to regulate this kind of scandal. The people responsible involved in this scandal will not face any lawsuit. It is because people who purchased Octopus Card must be agreeing that customer data can be used by any of Octopus' selected business partners”. I think that customer should have their right to control the usage of their personal information between company bases on local privacy law.

Be honest, if personal information of managers in Octopus Company were sold or exchanged by another company, will they feel good? I wish local privacy law could be well to protect people in Hong Kong,