Online Education

What does a University Degree get you?

This post has no answers. It only has questions. Questions which are, no doubt, hard to answer. But I believe they are questions which need thinking about and – eventually – answering if universities are to continue to be the education driving force they strive to be.

Many students are coming to university with the sole purpose of making themselves more employable. With Barack Obama, Christy Clark and other high-profile politicians espousing the view that if a student isn’t employable by the end of a degree program then the University has failed, the expectation is set and the pressure is on to deliver programs which achieve that goal.

This means that simply having a degree certificate from an institution isn’t as powerful as it once was. No longer is being accepted into the University of Tokyo (for example) a precursor for success. You’re not set for life any more, simply by being accepted. The onus is on the University to respond to the changing business world to deliver courses appropriate to making their students employable.

What happens if companies or whole business sectors start highly valuing self-taught, online courses more than a university degree?

Let’s say, for example, an entrepreneurial, private-sector company provides a wealth of useful, modern, well-taught courses available on a multitude of mediums. These courses are affordable, self-paced and are delivered by a company whose name is becoming synonymous with quality. After you complete these courses you get a ‘badge’ of some sort.

Now let’s say as an employer, I see that one prospective employee has a degree in a relevant field but another prospect has a set of badges from this online provider. I can find out precisely what these badges are, what this person had to do to achieve them and I already know that they did this in their own time.

Which person am I more likely to call for interview? Does it matter which university the first person’s degree was from? If so, is there a certain group of Universities from which obtaining a degree will always be held in high regard?

It will be no surprise to say that this sort of thing is happening already. In the IT sector there are websites such as Codecademy or Treehouse which allow people to train themselves in an ever-growing number of programming languages. More and more companies are starting to interview people based on their online accreditation (normally in combination with a GitHub profile and/or Stack Exchange score). More job advertisements are saying ‘University degree or relevant experience’ and, importantly, that relevant experience clause is starting to include provable online training and community experience. Some adverts are simply leaving off the requirement for a university degree completely.

Are there sectors by which this sort of movement couldn’t be affected? Probably. (I, for one, wouldn’t want to be operated on by someone who learned their trade from WebMD and Wikipedia, for example.) Are there more sectors which could start valuing a University degree less and less?

What happens if University accreditation becomes worthless?

Surely institutions like Harvard and MIT (not chosen at random) will always have their name and reputation to fall back on? i.e. Get a degree from one of those universities and you’re going to be in with a damn fine shot of being employable simply because you attended one of them. Is this hypothesis supported by the fact that the University of Oxford simply hasn’t embraced MOOCs? What can universities offer students beyond just accreditation? And are those offerings enough to warrant the financial costs (to the student and/or the government) if the value of accreditation depreciates?

Many of these questions are completely hypothetical. Many of them may not even have answers right now. And there are many more questions on a more macro- and micro-scale that I haven’t asked. Food for thought.

WordPress

Botnet attack on UBC WordPress websites

For the past 24 hours (since about 10PM on 21st July 2014), UBC IT has detected a large botnet attack specifically targeting WordPress websites. If your site is hosted on UBC CMS or UBC Blogs, you should have no reason for concern. This sort of attack happens regularly and we have systems in place to mitigate issues of this sort.

As UBC Blogs and UBC Wiki are behind the CWL, attacks don’t reach the servers hosting these services.

For other WordPress websites, outside of CMS and Blogs, you may have noticed a slow-down as their servers may be publicly accessible. If you are the administrator of small-to-medium WordPress websites on campus, I recommend installing and activating the WordFence plugin. This plugin adds several layers of security to your site and should work ‘out of the box’. If you wish to specifically ban the IP addresses being used at the moment, here’s a list of the IP Addresses that we have detected;


This list is not exhaustive, but should be a good start. Note, however, that at the moment I don’t recommend WordFence for large WP installs or very high traffic sites. There is a noticeable performance issue. I recommend in that case that you speak to your faculty’s IT department.

code, WordPress

TimThumb Vulnerability June 2014

tl;dr: UBC Blogs, UBC CMS and the new CTLT Events websites are not and were not vulnerable. Your blog or cms site is and was safe.

A serious vulnerability was disclosed earlier this week in a popular third-party image manipulation script called TimThumb. The vulnerability allowed an unauthorized visitor to create, remove and modify many files on the server on which it was used.

Specifically, the 0-day issue is with a part of TimThumb called ‘webshot’ which, when enabled, creates a screenshot of a specified URL. Webshot is disabled by default in TimThumb, meaning most websites that use it are safe from this particular attack.

Simply disabling webshot by setting WEBSHOT_ENABLED to false is enough to prevent this attack.

What about my UBC Blog or UBC CMS Site?

Your blog or site is – and was – completely safe. The vast majority of sites on Blogs or CMS do not use a theme which includes TimThumb. Of those themes that do use it, all have the webshot functionality disabled (the default).

Across our platforms we have 3 themes which use TimThumb. 2 of these are deprecated (CLF-Base and Thesis) and will be phased out this summer. The other 1 (Koi) isn’t widely used. As mentioned, all 3 were using a non-vulnerable version of this script.

How can I test for the vulnerability?

The easiest way – on a Linux-based server – is to use a combination of the find and grep commands. You can search for the string ‘WEBSHOT_ENABLED’ in a simple one-liner:

find /var/www/location/of/wordpress/wp-content -type f -print0 | xargs -0 grep -l "WEBSHOT_ENABLED"

This will give you back the location of any files (recursively, within the wp-content directory – including plugins and themes) which contain the string ‘WEBSHOT_ENABLED’. If you receive results, you should open those files and ensure that it is set to false, i.e.

define( 'WEBSHOT_ENABLED', false );
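
An added example, not part of the original post: the one-liner above lists every file that mentions WEBSHOT_ENABLED, while this sketch reports only the define() calls whose value is something other than false. The function names and the sample tree (with made-up theme names) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Narrows "files that mention
# WEBSHOT_ENABLED" down to define() calls whose value is not false.

# define() of WEBSHOT_ENABLED, tolerant of spacing and of either quote style.
DEF_RE="define[[:space:]]*\([[:space:]]*['\"]WEBSHOT_ENABLED['\"][[:space:]]*,"

# webshot_defs DIR: print file:line:text for every such define() in *.php.
# /dev/null is passed as an extra file so grep always prints the file name.
webshot_defs() {
    find "$1" -type f -name '*.php' -exec grep -nE "$DEF_RE" /dev/null {} +
}

# webshot_enabled DIR: drop definitions set to false or 0 and print the rest.
# Anything else (true, 1, a variable) is listed for a human to review.
# Exit status is 0 when at least one such line exists, 1 when there are none.
webshot_enabled() {
    webshot_defs "$1" | grep -ivE ",[[:space:]]*(false|0)[[:space:]]*\)"
}

# make_sample: build a constructed wp-content tree (theme names are made up)
# and print its path, for a dry run before scanning a real install.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/safe" "$d/themes/risky"
    printf '%s\n' "<?php if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);" \
        > "$d/themes/safe/timthumb.php"
    printf '%s\n' "<?php define( \"WEBSHOT_ENABLED\", TRUE );" \
        > "$d/themes/risky/timthumb-config.php"
    echo "$d"
}

# Usage on a real site (path as in the one-liner above):
#   webshot_enabled /var/www/location/of/wordpress/wp-content
```

Commented-out define() lines are also reported, so a hit means "open the file and check", not a confirmed exposure.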

A small rant from a WordPress developer

TimThumb, directly, has nothing to do with WordPress. It is a separate, stand-alone, can-be-used-anywhere PHP script written several years ago by someone for their own use on their own (WordPress) site. That person chose, in the spirit of open-source, to release what-was-to-be-named TimThumb so others could benefit from and improve upon his code. It solved a problem that many developers were having and gained a large audience very quickly. WordPress was already the most popular open-source CMS (as it remains) and as such TimThumb had a huge following within the WordPress community.

The original developer – for whatever reason – could no longer support TimThumb and it was picked up and forked by several others.

Whilst the team behind the WordPress project have provided assistance in fixing vulnerabilities in the past and helped spread warnings to folks who were using outdated, vulnerable code, they really have nothing to do with it. As such, WordPress itself has nothing to do with it. (As it happens, TimThumb is now practically obsolete within a WordPress environment as WP provides its own internal, native ways of doing what TimThumb can do.)

Poorly researched articles by journalists who should know better have proclaimed that ‘yet again WordPress is vulnerable’. Not only is this nonsensical (WordPress, as a code base, hasn’t been hacked for an awfully long time now) and wholly inaccurate (as explained above), it’s nothing more than link bait which belittles and patronises the reader.

Comments like this:

So, there I was yesterday thinking about this one website I’ve been planning for months now on building and again toying with the idea of using WordPress but going back and forth in my mind about it because every so often I see yet another article about WordPress and some kind of security vulnerability and here today is a brand new one! So much for WordPress!

are made by people who have read such poorly researched and written articles. It is not the commenter’s fault that they have this impression, it’s the alarmist headline-writers who are to blame.

If you fit Pirelli tyres on your BMW and Pirelli discover there’s a flaw in their tyre, do you think headlines would be “BMW Cars now deadly to drivers”? Same idea.

Further information on TimThumb and the vulnerability
