Planet Code4Lib - http://planet.code4lib.org

William Denton: Conforguring dotfiles

Tue, 2016-05-10 14:24

I’ve added my dotfiles to Conforguration: they are there as raw files in the dotfiles directory, and conforguration.org has code blocks that will put them in place on localhost or remote machines.

I did some general cleanup to the file as well. There’s a lot of duplication, which I think some metaprogramming might fix, but for now it works and does what I need. My .bashrc is now finally the same everywhere (custom settings go in .bash.$HOSTNAME.rc) which is a plus.

Islandora: Looking Back at iCampFL

Tue, 2016-05-10 14:16

Last week the Islandora Foundation had the privilege of taking Islandora Camp to Fort Myers, Florida, courtesy of our gracious hosts at Florida Gulf Coast University. Full credit goes to Melissa VandeBurgt and her awesome colleagues Kaleena Rivera, Guy Cicinelli, Parker Fruehan, and Lauren McCraney for having us in their space and making everything run so very smoothly.

It's the attendees that make the camp, and iCampFL was fortunate to have a great group. Florida has a very strong local Islandora community, including big teams at Florida State University (yay DigiNoles!) and Florida Virtual Campus, both members of the Islandora Foundation. We also welcomed guests from further afield - Vermont, Pennsylvania, Ontario, and Chile, to name a few. With 33 attendees from a wide variety of universities, service companies, and library consortia, it turned out to be a pretty perfect group for an Islandora Camp and we had an amazing time. There was plenty of great discussion about Islandora CLAW and the future of the project, tools and resources we can share right now, and how everyone can become more engaged with the Islandora community and make a contribution that suits their skills.

Beautiful location? For sure:

Last day of #islandora iCamp, beautiful day on the FGCU campus. @islandora pic.twitter.com/3VQ8H9NyTX

— Guy Cicinelli (@GuyCicinelli) May 6, 2016

Islandora Camp Jorts. pic.twitter.com/TKZr765pdL

— nick ruest (@ruebot) May 4, 2016

We had a great time at #iCampFL, but it's time for the FSU web dev team to hit up Miami! pic.twitter.com/InqMUS33sx

— Bryan J. Brown (@bryjbrown) May 6, 2016

Great Presentations? Absolutely:

Local flavour? Apparently:

I've now ate gator at a Bass Pro Shop.

My life is complete. #florida

— nick ruest (@ruebot) May 3, 2016

And that was Islandora Camp Florida. If you'd like to join us for another Islandora Camp this year, you have two more chances: iCampBC in Vancouver, July 18 - 20 and iCampMO in Kansas City October 12 - 14. We hope to see you there!

Library of Congress: The Signal: O Email! My Email! Our Fearful Trip is Just Beginning: Further Collaborations with Archiving Email

Tue, 2016-05-10 13:25

Apologies to Walt Whitman for co-opting the first line of his famous poem O Captain! My Captain! but solutions for archiving email are not yet anchor’d safe and sound. Thanks to the collaborative and cooperative community working in this space, however, we’re making headway on the journey.

Email Archiving Stewardship Tools Workshop final panel. Franziska Frey, Christopher Prom, Glynn Edwards, Riccardo Ferrante, and Wendy Gogel. Photo courtesy of Kari Smith.

Email archiving as a distinct research area has been around a while but the discipline is still very much emergent. Stanford University Library, for example, has been working on acquiring and processing email from collections since 2010. ePADD’s Glynn Edwards can trace her initial conversation on developing email archiving software with Smithsonian Institution Archives’ Ricc Ferrante at the 2012 Society of American Archivists conference in San Diego, and she agrees it is very gratifying to see the growth of support and interest, especially over the past year.

The Archiving Email Symposium (videos of the presentations are now available), hosted by the Library of Congress and the National Archives in June 2015, was one of the inspirations for the Email Archiving Stewardship Tools (Harvard EAST) workshop at Harvard Library on March 2-3, 2016. In addition to Harvard and the Library of Congress, participants for the workshop included the Smithsonian Institution Archives, Stanford University Libraries’ ePADD project, MIT Institute Archives and Special Collections, University of Illinois Urbana-Champaign, Artefactual Systems and BitCurator Consortium.

The high-level goals of the two-day workshop, organized by Harvard’s Wendy Gogel and Grainne Reilly, were community building, updating each other on current work, identifying and prioritizing gap areas and exposing the HL community to email-archiving efforts in the field at large. Just bringing the group together ticked off the first goal so we started the day with a mark in the win column.

Glynn Edwards summed up the mood in the room this way: “It was exciting to be part of the working group at Harvard sharing information about our various tools, processes, and needs and to begin conceptualizing a path of data and metadata through different tools contingent on their workflows. There was a lot of energy in the room and a willingness to work together to find ways to re-purpose metadata between tools and collaborate on building shared lexicons to assist with processing and discovery.”

Harvard’s Widener Library. Photograph courtesy of Kate Murray

Edwards also found inspiration in Prom’s statement that “email is one of the richest, one of the most revealing, if not the most revealing, of sources currently being generated.” She goes on to say that “while correspondence has always been an important format in archival collections; email is often more – more immediate, more complex, more exposing. This is highlighted again on an almost weekly basis in breaking news – as the Governor’s emails regarding Flint Michigan water crisis were released or emails and documents referred to as the Panama Papers were leaked.”

My personal interest is in the digital formats used for email messages and other personal information manager or PIM formats including calendaring, text and instant messages. As Prom indicated in the DPC Technology Watch Report Preserving Email (PDF), there’s a convergence in the email archiving community around the MBOX family and EML as de facto preservation formats for email messages primarily because of two related factors: transparency and integration with toolsets.

EML format description from LC’s Sustainability of Digital Formats website

The Library of Congress’s Sustainability of Digital Formats website defines transparency, one of seven sustainability factors, as “the degree to which the digital representation is open to direct analysis with basic tools, including human readability using a text-only editor.”

Native or normalized MBOX and EML files also can be used as access copies because they can be imported into a variety of email clients. It’s no surprise then that these two plain text and very transparent formats, MBOX and EML, are integrated into popular email archiving tools and most modern email clients can import and export one or both of the formats. The Smithsonian Institution Archives’ CERP toolset ingests MBOX-formatted messages before converting to XML, as will the still-in-development DArcMail (Digital Archive Mail System). The ePADD project developed at Stanford University Libraries also requires MBOX for ingest. Harvard University Libraries’ Electronic Archiving System (EAS) ingests EML-formatted messages.

The MBOX format family from the Sustainability of Digital Formats website

Harvard EAST workshop participants discussed some of the issues with these formats, including the lack of format validation tools and the challenges of working with formats, like MBOX, without documented standards.

Reflecting again on Whitman’s poem, email archiving is still a work in progress and our voyage of discovery is nowhere near closed and done. However, projects like the Harvard EAST workshop move us all further along.

LibUX: 037 – [Terrifying] Voice User Interfaces with Jason Griffey

Tue, 2016-05-10 00:27

Jason Griffey swings by world-famous LibUX headquarters to geek-out with Michael about voice user interfaces. We get stoked and portend ill futures.

Jason’s the founder and principal at Evenly Distributed, a technology consulting and creation firm for libraries, museums, education, and other non-profits, as well as a Fellow at the Berkman Center for Internet & Society at Harvard University, and was formerly an Associate Professor and Head of Library Information Technology at the University of Tennessee at Chattanooga.

Here’s what we talked about

What if we didn’t need to learn arcane commands? What if you could use the most effective and powerful communication tool ever invented? This tool evolved over millions of years and allows you to express complex ideas in very compact and data dense ways yet can be nuanced to the width of a hair [2]. What is this tool? It is our voice. Brian Roemmele

  • 8:46 – We talk about the benefits of the data-crunching power behind the Amazon Echo in Amazon web services compared to Apple’s Siri.
  • 10:10 – IBM Watson‘s API and developer community
  • 11:30 – HTML5 Web Speech API

She saw this as an entity, as a person – not as a thing, but as a conversational partner! Jason Griffey, on his daughter’s reaction to Alexa

  • 17:00 – It’s all about empathizing with the things we use! We tend to think voice interfaces are cool because it makes doing hard programm-y things easier, but the tangential thing they bring is company, community.
  • 18:45 – On interfaces responding to your tone of voice.
  • 21:19 – Have we seen any of this implemented in libraries or at the higher-ed level?
  • 24:00 – On gender

It is no accident that every single one we have named that is commercially available and sold to people — Cortana, Siri, Google Now, and Alexa — those are female gendered. These are all bots that are the result of someone building them, they are all gendered in a way that I think is problematic. Jason Griffey

  • 30:23 – Creating a personality that would anticipate the personality you need at that time!

If you like, you can download the MP3, or you can subscribe to LibUX on Stitcher, iTunes, Google Play Music, SoundCloud or plug our feed right into your podcatcher of choice. Help us out and say something nice. You can find every podcast right here on www.libux.co.

The post 037 – [Terrifying] Voice User Interfaces with Jason Griffey appeared first on LibUX.

DuraSpace News: Fedora 4 Workshop at OR2016

Tue, 2016-05-10 00:00

Austin, TX – Will you be traveling to the 11th Annual International Conference on Open Repositories #OR2016 next month in Dublin, Ireland? The Fedora team is pleased to announce that they will offer a full day Introduction to Fedora 4 Workshop on Monday, June 13. New and existing Fedora users will have the opportunity to learn about and experience Fedora 4 features and functionality first-hand.

FOSS4Lib Recent Releases: Evergreen - 2.10.3

Mon, 2016-05-09 23:58

Last updated May 9, 2016. Created by gmcharlt on May 9, 2016.

Package: Evergreen
Release Date: Monday, May 9, 2016

Evergreen ILS: Evergreen 2.10.3 released

Mon, 2016-05-09 23:51

We are pleased to announce the release of Evergreen 2.10.3, a critical bugfix release.

  • Evergreen 2.10.3 fixes a critical bug wherein a newly-registered patron record could not be used to log in to Evergreen using the password supplied during registration. Under some circumstances, the same bug could also prevent patron records that were modified via the patron registration form from being used to log in.
  • Also, emails sent using the Action Trigger SendEmail reactor now always MIME-encode the From, To, Subject, Bcc, Cc, Reply-To, and Sender headers. As a consequence, non-ASCII characters in those fields are more likely to be displayed correctly in email clients.

Please visit the downloads page to retrieve the server software and staff clients. Due to the nature of the critical bug fixed in this release, we strongly recommend that users and testers of the 2.10.x series upgrade as soon as possible.

District Dispatch: Archived copy of CopyTalk webinar now available

Mon, 2016-05-09 20:00

Check out a recording of ALA’s May 5th CopyTalk webinar.

If you missed the May 5, 2016 “Higher education copyright programs and services,” you can now access the archived copy.

Program description:

Universities and their libraries provide copyright information to the members of their community in different ways. Hear three copyright and scholarly communication librarians describe the services they offer regarding copyright to their faculty, staff, and students. Our presenters will include Sandra Enimil, Program Director, University Libraries Copyright Resources Center from the Ohio State University, Sandy De Groote, Scholarly Communications Librarian from the University of Illinois at Chicago, and Cindy Kristof, Head of Copyright and Document Services from Kent State University.

Other CopyTalk webinars can be found in CopyTalk archive.

The post Archived copy of CopyTalk webinar now available appeared first on District Dispatch.

SearchHub: Secure Fusion: Single Sign-On

Mon, 2016-05-09 19:25

Single Sign-On (SSO) mechanisms allow a user to use the same ID and password to gain access to a connected system or systems. In a web services or distributed computing environment, single sign-on can only be achieved by registering information about the sign-on authority with all systems that require its services. The previous article in this series Secure Fusion: Leveraging LDAP shows how to configure Fusion so that passwords and permissions are managed by an external LDAP server. Fusion can be configured to work with two more kinds of single sign-on mechanisms: Kerberos and SAML 2.0. This article covers the configuration details for both of these.

Fusion Logins and Security Realms

A Security Realm provides information about a domain, an authentication mechanism, and the permissions allotted to users from that domain. A Fusion instance can manage multiple security realms, which allows users from different domains to have access to specific Fusion collections.

For a non-native security realm, the domain and its user database exist outside of Fusion. Configuring Fusion for this realm simplifies the task of managing Fusion user accounts. Fusion need only store the username and user’s security realm; permissions for a specific user are inherited from the permissions defined for the users and groups belonging to that realm. It’s still possible to manage the permissions for that user directly in Fusion, but this goes against the principle of letting user management be somebody else’s problem.

When you first access Fusion via the browser, the initial login panel has three inputs: user name, password, and an unlabeled pulldown menu for realm choices. Fusion’s native realm, which is always available, is the default realm choice. To log in via a non-native realm, choose the appropriate realm name from the pulldown menu. Choosing a non-native realm may change the login panel inputs. For an LDAP realm, a user enters their LDAP username and password in the appropriate boxes on the login panel and Fusion relays this information to the LDAP server for that realm for authentication. For a Kerberos or SAML realm, the login panel has no username or password inputs. In the screenshots below, the one on the left shows the login panel for a native or LDAP realm and the one on the right shows the login panel for a SAML or Kerberos realm:

Since all Fusion logins require a username and password, how does the auth magic happen? There is no magic, just some browser sleight-of-hand. For SAML and Kerberos logins the browser becomes the intermediary between Fusion and the authentication mechanism. Because the authentication process works indirectly through the browser, system configuration requires additional work beyond registering the security realm information in Fusion. In order to understand the configuration details, we present a quick overview of how SAML and Kerberos work.

SAML

SAML is a standard for exchanging authentication and authorization data between security domains. The SAML protocol allows web-browser single sign-on (SSO) through a sequence of messages sent to and from the browser, which relays information between Fusion and the SAML authority acting as the Identity Provider (IDP). To configure Fusion for SAML, you must register the information about the SAML authority as part of the security realm configuration process. In addition to configuring the Fusion security realm, you must configure the SAML identity provider to recognize the Fusion application.

Once Fusion is configured for a SAML realm, this realm is added to the list of available realms on the initial Fusion sign-on panel. When the SAML realm is chosen from the list of available realms, the browser then redirects to the IDP which handles user authentication. Upon successful authentication, the IDP sends a response back to the browser which contains authentication and authorization information as well as the URL of the Fusion application. The browser redirects back to the Fusion URL, passing along the SAML message with the user authentication and authorization information. Fusion then issues a session cookie which is used for subsequent user access.

Kerberos and SPNEGO

Kerberos

The name Kerberos comes from Greek mythology where Kerberos (or Cerberus) is the ferocious three-headed guard dog of Hades, the original hellhound. Kerberos protocol messages are protected against eavesdropping and replay attacks. Instead of sending passwords in plaintext over the network, encrypted passwords are used to generate time-sensitive tickets used for authentication.

Kerberos uses symmetric-key cryptography and a trusted third party called a Key Distribution Center (KDC) to authenticate users to a suite of network services, where a user can be either an end user or a client program. The computers managed by that KDC and any secondary KDCs constitute a realm. A Kerberized process is one which has been configured so that it can get tickets from a KDC and negotiate with Kerberos-aware services.

The next several paragraphs outline the steps involved in the Kerberos protocol. It’s background information, so you can skip ahead to the next section on SPNEGO, as this is pretty dry stuff. We tried to get Margot Robbie to explain it for you but she wasn’t available, so instead we downloaded the following diagram from some old MSDN documentation, since Microsoft’s Active Directory uses Kerberos for its security infrastructure. It shows the essential steps in the Kerberos protocol, from initial login through authentication and authorization to application access:

Here is a summary of the steps outlined in the above cartoon, calling out the essential acronyms you need to know in order to configure Fusion for Kerberos authentication:

  • Step 1. To login, the client sends a message to the KDC’s Authorization Server (AS) requesting a ticket granting ticket (TGT).
  • Step 2. The Authorization Server verifies the user’s access rights and sends back an encrypted TGT and session key. At this point, the user is prompted for a password. The clear text password is encrypted before it is sent to the AS. If authentication succeeds, the user’s TGT will be valid for service requests.

Steps 1 and 2 happen only upon user login to the Kerberos realm, after which the TGT and session key are used to gain access to services in that realm.

  • Step 3. To access a Kerberized service, the client sends a message to the KDC’s Ticket Granting Service (TGS) which includes identity information encrypted using the session key received in step 2.
  • Step 4. The TGS verifies the request and creates a time-sensitive ticket for the requested service.
  • Step 5. The client application now sends a service request to the server containing the ticket received in Step 4 as well as identity information encrypted using the session key received in step 2. The server verifies that the ticket and identity information match, then grants access to the service.

SPNEGO

If a client application wishes to use a Kerberized service, the client must also be Kerberized so that it can support the necessary ticket and message exchanges. Since Fusion is a web service, available either in a browser or via HTTP requests to Fusion’s REST-API, then the web application used to access Fusion must be able to carry out the Kerberos protocol in order for the end user to access Fusion.

SPNEGO was developed to extend Kerberos to web applications using the standard HTTP protocol, starting with Internet Explorer. Both IE and Safari support SPNEGO out-of-the-box, while Firefox and Chrome require additional configuration. The Unix curl command-line utility also supports SPNEGO; it can access a Kerberized web service using the negotiate command-line option.

When a Fusion user belonging to a Kerberos security domain sends a request to the Kerberized Fusion UI via a web application that supports SPNEGO, the web application sends a SPNEGO request via HTTP or HTTPS to Fusion and Fusion communicates with the Kerberos KDC to determine the identity and authorization status of that user. If the user hasn’t authenticated to the KDC/Authentication Service, Fusion sends a 401 response to the web application which contains a Negotiate header. This status/header response triggers SPNEGO-compatible clients to fetch a local ticket from their Kerberos “ticket tray”; they then encode the ticket and send it back to Fusion. Fusion decodes the ticket and performs a SPN.doAs(user) authentication request to the KDC/Authentication Service. Depending on the results, Fusion will either execute the original request (along with a session cookie) or return a 401 (without the Negotiate) to the browser.
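The following is an added example, not Lucidworks code: a Python model of the server side of the 401/Negotiate exchange described above, which also classifies the token a client sends back, since a browser that is not set up for Kerberos commonly answers the challenge with an NTLM token instead of a ticket. The `validate_ticket` and `new_session_id` callables and the cookie name are assumptions standing in for the KDC check and Fusion's session handling.

```python
import base64
import binascii

# DER encodings of the mechanism OIDs found at the start of a GSS-API token.
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_MAGIC = b"NTLMSSP\x00"                       # every NTLM message starts so


def decode_negotiate(header_value):
    """Return the raw token bytes from 'Negotiate <base64>', or None."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_token(raw):
    """Name the mechanism a Negotiate token carries."""
    if raw.startswith(NTLM_MAGIC):
        return "ntlm"          # client fell back to NTLM: no Kerberos ticket
    # GSS-API initial token: 0x60, DER length, 0x06, OID length, OID bytes.
    if len(raw) < 4 or raw[0] != 0x60:
        return "malformed"
    pos = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)   # skip length octets
    if pos + 2 > len(raw) or raw[pos] != 0x06:
        return "malformed"
    oid = raw[pos + 2: pos + 2 + raw[pos + 1]]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "kerberos"
    return "unknown"


def respond(request_headers, validate_ticket, new_session_id):
    """Model the server side of the exchange; returns (status, headers, note)."""
    auth = request_headers.get("Authorization")
    if auth is None:
        # First contact: challenge the client to send a ticket.
        return 401, {"WWW-Authenticate": "Negotiate"}, "challenge"
    raw = decode_negotiate(auth)
    kind = classify_token(raw) if raw is not None else "malformed"
    if kind in ("spnego", "kerberos"):
        user = validate_ticket(raw)   # hypothetical stand-in for the KDC check
        if user:
            # Cookie name "id" is a placeholder, not Fusion's actual cookie.
            cookie = "id=%s; Secure; HttpOnly" % new_session_id()
            return 200, {"Set-Cookie": cookie}, "authenticated as " + user
        kind = "rejected"
    # Failure: 401 without the Negotiate header, as the text describes.
    return 401, {}, kind


# Constructed sample tokens (not captured traffic).
SAMPLE_SPNEGO = base64.b64encode(
    bytes.fromhex("600a06062b0601050502a000")).decode()
SAMPLE_NTLM = base64.b64encode(NTLM_MAGIC + b"\x01\x00\x00\x00").decode()
```

The third element of the return value is meant for the server log: a run of `ntlm` notes from one client points at browser configuration rather than at the keytab or service principal.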

Fusion Configuration

Configuring a new security realm can only be done by a Fusion user who has admin-level privileges. To configure a new security realm from the Fusion UI, from the “Applications” menu, choose menu item “Access Control”. This displays the Access control panel, which has sub-panel “Security Realms”. From the Security Realms sub-panel, click on the “Add Security Realm” button:

This opens an editor panel for a new Security Realm, containing controls and inputs for all required and optional configuration information. The security realm name must be unique. There is a pulldown menu from which to choose the realm type:

Configuring Fusion for a SAML security realm

To configure a SAML realm, the realm type is “SAML”. In the Fusion UI, the SAML realm configuration requires the following pieces of information:

  • Identity Provider URL – the URL used by the SAML authority for single sign-on. Usually a URL which ends in “saml/sso”, e.g., “https://www.my-idp.com/<my-app-path>/sso/saml”
  • Issuer – SAML Issuer Id. A unique ID for that authority, e.g. “http://www.my-idp.com/exk686w2xi5KTuSXz0h7”.
  • Certificate Fingerprint – the contents of the SAML authority certificate, without the certificate header and footer. You must get this certificate from the SAML Identity Provider. The certificate is a text file which has a pair of header and footer lines which say “BEGIN CERTIFICATE” and “END CERTIFICATE”, respectively. The fingerprint consists of the lines between the header and the footer. You can cut and paste this information into the text box on the Fusion UI.
  • User ID Attribute – an optional attribute. The Identity Provider contains the user database. By default, the Fusion username is the same as the login name known to the Identity Provider. When another field or attribute in the user record stored by the IDP should be used as the Fusion username, that attribute name is the value of the User ID Attribute. To know whether or not you need to specify the User ID attribute, you need to be able to examine the user database stored by the IDP.

In addition to configuring Fusion for SAML, you must register Fusion with the SAML IDP. The amount of information varies depending on the SAML authority.

All systems will require the Fusion URL to redirect to upon successful login; this is the protocol, server, and port for the Fusion application, and path “api/saml”, e.g. “https://www.my-fusion-app.com:8764/api/saml”. If the Fusion application is running behind a load-balancer, then this URL is the load-balancer URL plus path “api/saml”. Note that the load-balancer should be session-sticky in order for the sequence of messages that comprise the SAML protocol to run to completion successfully.

Some authorities may require additional information. In particular the SAML 2.0 “AudienceRestriction” tag may be part of the SAML message. This tag specifies the domain for which the SAML trust conditions are valid, which is usually the domain in which the Fusion app is running, e.g. “https://www.my-fusion-app”.

See the Fusion Documentation for example configurations.
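Because the SAML values have to agree on both sides, a mismatch usually shows up only as a failed login. The following added example (not part of Fusion or its documentation) compares a captured SAML response with the realm settings listed above: Issuer, the Fusion `api/saml` URL, the AudienceRestriction value, and the User ID Attribute. The sample response and the attribute name `email` are constructed, and the check does not verify the XML signature, so it is a setup aid and not a substitute for Fusion's own validation.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Realm settings, using the example values from the text above.
REALM = {
    "issuer": "http://www.my-idp.com/exk686w2xi5KTuSXz0h7",
    "fusion_saml_url": "https://www.my-fusion-app.com:8764/api/saml",
    "audience": "https://www.my-fusion-app",
    "user_id_attribute": "email",          # constructed attribute name
}

# Constructed, unsigned sample response (not real IDP output).
SAMPLE_RESPONSE = b"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://www.my-fusion-app.com:8764/api/saml">
  <saml:Assertion>
    <saml:Issuer>http://www.my-idp.com/exk686w2xi5KTuSXz0h7</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://www.my-fusion-app</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>any.user@myorg.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_bytes, realm):
    """Return a list of mismatches between a captured response and the realm."""
    # Refuse documents that declare a DTD instead of expanding entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["document declares a DTD; not parsed"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]

    problems = []
    dest = root.get("Destination")
    if dest != realm["fusion_saml_url"]:
        problems.append("Destination %r is not the Fusion URL %r"
                        % (dest, realm["fusion_saml_url"]))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plain saml:Assertion (missing or encrypted)"]

    issuer = (assertion.findtext("saml:Issuer", "", NS) or "").strip()
    if issuer != realm["issuer"]:
        problems.append("Issuer %r does not match realm Issuer %r"
                        % (issuer, realm["issuer"]))

    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audiences and realm["audience"] not in audiences:
        problems.append("Audience %r does not include %r"
                        % (audiences, realm["audience"]))

    attr_name = realm.get("user_id_attribute")
    if attr_name:
        values = [v.text.strip()
                  for a in assertion.findall(
                      "saml:AttributeStatement/saml:Attribute", NS)
                  if a.get("Name") == attr_name
                  for v in a.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if not values:
            problems.append("User ID Attribute %r is absent or empty" % attr_name)
    return problems
```

Behind a load-balancer, set `fusion_saml_url` to the load-balancer URL plus `api/saml`, since that is the address the IDP sends the browser back to.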

Configuring Fusion for a Kerberos security realm

If the Fusion application running in a Kerberos security realm will be interacting with other resources in that realm, then it is critical that Fusion has the proper Kerberos authorization to access those resources. This is determined by Fusion’s identity and credentials. Getting this information properly squared away will almost always require working together with the sys admin that is the keeper of Kerberos. Bring gifts.

To configure a new Kerberos security realm, the realm type is either “Kerberos” or “LDAP”:

  • To configure a realm which uses Kerberos for authentication and which doesn’t have an associated LDAP server for group-level permissions, choose option “Kerberos”.
  • To configure a realm which uses Kerberos for authentication and which also gets group-level membership and permissions from an LDAP server, choose option “LDAP”, and then in the “Authentication Method” section of the LDAP realm configuration panel, choose “Kerberos”, as shown here:

A Kerberos security realm requires two pieces of information:

  • Service Principal Name – this is the name for the Fusion service itself in the Kerberos database.
  • Keytab Path – the keytab file contains Fusion’s encrypted identity credentials which Fusion sends to the KDC as part of the protocol described above.

The usual scenario in an enterprise organization is to have a Kerberos admin create a service principal with a random key password. Then, the admin generates a keytab, which is then used for Fusion service principal authentication.

See the Fusion Documentation on configuring Fusion for Kerberos for further details on keytab files and how to test them.

For Kerberos security realms which don’t use LDAP, the Fusion UI also displays inputs for the optional configuration parameter “Kerberos Name Rules”. These are used to specify what the Kerberos user’s Fusion username is. The default Fusion username is constructed by concatenating the Kerberos username, the “@” symbol, and the Kerberos domain name. E.g., user “any.user” in Kerberos domain “MYORG.ORG” will have the Fusion username “any.user@MYORG.ORG”.

Discussion

Fusion provides different types of security realms for different kinds of single sign-on mechanisms. The difference between the LDAP configuration, covered in the previous post in this series Leveraging LDAP, and the Kerberos and SAML mechanisms presented here is that for the latter, the dialog between Fusion and the servers which provide authentication and authorization is mediated by the browser.

In order for a Fusion application to work with a Kerberos or SAML realm, additional configuration steps are required outside of Fusion. In a Kerberized environment, there is a single Kerberos authority. Fusion itself is registered as a service with the Kerberos KDC. Once Fusion and the browser have been properly configured, Fusion can carry out the steps in the Kerberos/SPNEGO protocol. In SAML, everything is distributed, thus the Fusion application must be configured to work with the SAML authority and the SAML authority must be configured to work with Fusion. Checking your work is also more complicated; since Fusion doesn’t talk directly to the server, the configuration panels for Kerberos and SAML don’t provide a “test settings” control.

Configuring Fusion for single sign-on makes sense when there is a tight coupling between the owners and permissions on the documents in your collection and the individual users who have access to them. When your search application requires search over a collection with document-level security via ACLs, then you need to create a user account for all the users who can access those documents. Otherwise, Fusion’s native authentication mechanism is appropriate in situations where the users of the system fall into distinct categories and members of a category are interchangeable. In this case, you can define a set of generic users, one per category type, and assign permissions accordingly.

This is the fourth in a series of articles on securing your data in Lucidworks Fusion. Secure Fusion: SSL Configuration covers transport layer security and Secure Fusion: Authentication and Authorization covers general application-level security mechanisms in Fusion. This article and previous article Secure Fusion: Leveraging LDAP show how Fusion can be configured to work with external authority services, providing fine-grained security as needed. Fusion analyzes your data, your way, according to your access rules.

The post Secure Fusion: Single Sign-On appeared first on Lucidworks.com.

Galen Charlton: Cataloging and coding as applied empathy: a Mashcat discussion prompt

Mon, 2016-05-09 17:20

Consider the phrase “Cataloging and coding as applied empathy”.  Here are some implications of those six words:

  • Catalogers and coders share something: what we build is mainly for use by other people, not ourselves. (Yes, programmers often try to eat our own dogfood, and catalogers tend to be library users, but that’s mostly not what we’re paid for.)
  • Consideration of the needs of our users is needed to do our jobs well, and to do right by our users.
  • However: we cannot rely on our users to always tell us what to do:
    • sometimes they don’t know what it is possible to want;
    • sometimes they can’t articulate what they want in a way that lends itself to direct translation to code or taxonomy;
    • it is rarely their paid job to tell us what they want, and how to build it.
  • Waiting for users to tell exactly us what to do can be a decision… to do nothing. Sometimes doing nothing is the best thing to do; often it’s not.
  • Therefore, catalogers and coders need to develop empathy.
  • Applied empathy: our catalogs and our software in some sense embody our empathy (or lack thereof).
  • Applied empathy: empathy can be a learned skill.

Is “applied empathy” a useful framework for discussing how to serve our users? I don’t know, so I’d like to chat about it.  I will be moderating a Mashcat Twitter chat on Thursday, 12 May 2016, at 20:30 UTC (time converter). Do you have questions to suggest? Please add them to the Google doc for this week’s chat.

Bohyun Kim: Cybersecurity, Usability, Online Privacy, and Digital Surveillance

Mon, 2016-05-09 17:20

** This post was originally published in ACRL TechConnect on May 9, 2016. **

Cybersecurity is an interesting and important topic, one closely connected to those of online privacy and digital surveillance. Many of us know that it is difficult to keep things private on the Internet. The Internet was invented to share things with others quickly, and it excels at that job. Businesses that process transactions with customers and store the information online are responsible for keeping that information private. No one wants social security numbers, credit card information, medical history, or personal e-mails shared with the world. We expect and trust banks, online stores, and our doctor’s offices to keep our information safe and secure.

However, keeping private information safe and secure is a challenging task. We have all heard of security breaches at J.P. Morgan, Target, Sony, Anthem Blue Cross and Blue Shield, the Office of Personnel Management of the U.S. federal government, University of Maryland at College Park, and Indiana University. Sometimes, a data breach takes place when an institution fails to patch a hole in its network systems. Sometimes, people fall for a phishing scam, or a virus in a user’s computer infects the target system. Other times, online companies compile customer data into personal profiles. The profiles are then sold to data brokers and on into the hands of malicious hackers and criminals.

Image from Flickr – https://www.flickr.com/photos/topgold/4978430615

Cybersecurity vs. Usability

To prevent such a data breach, institutional IT staff are trained to protect their systems against vulnerabilities and intrusion attempts. Employees and end users are educated to be careful about dealing with institutional or customers’ data. There are systematic measures that organizations can implement such as two-factor authentication, stringent password requirements, and locking accounts after a certain number of failed login attempts.

While these measures strengthen an institution’s defense against cyberattacks, they may negatively affect the usability of the system, lowering users’ productivity. As a simple example, security measures like a CAPTCHA can cause an accessibility issue for people with disabilities.

As another example, imagine that a university IT office concerned about the data security of cloud services starts requiring all faculty, students, and staff to use only cloud services that are SOC 2 Type II certified. SOC stands for “Service Organization Controls.” It consists of a series of standards that measure how well a given service organization keeps its information secure. For a business to be SOC 2 certified, it must demonstrate that it has sufficient policies and strategies that will satisfactorily protect its clients’ data in five areas known as “Trust Services Principles.” Those include the security of the service provider’s system, the processing integrity of this system, the availability of the system, the privacy of personal information that the service provider collects, retains, uses, discloses, and disposes of for its clients, and the confidentiality of the information that the service provider’s system processes or maintains for the clients. The SOC 2 Type II certification means that the business has maintained relevant security policies and procedures over a period of at least six months, and therefore it is a good indicator that the business will keep the clients’ sensitive data secure. Dropbox for Business is SOC 2 certified, but it costs money. The free version is not as secure, but many faculty, students, and staff in academia use it frequently for collaboration. If a university IT office simply bans people from using the free version of Dropbox without offering an alternative that is as easy to use as Dropbox, people will undoubtedly suffer.

Some of you may know that the USPS website does not provide a way to reset the password for users who forgot their usernames. They are instead asked to create a new account. If they remember the account username but enter the wrong answers to the two security questions more than twice, the system also automatically locks their accounts for a certain period of time. Again, users have to create a new account. Clearly, a system that does not allow a password reset for those forgetful users is more secure than one that does. However, in reality, this security measure creates a huge usability issue because average users do forget their passwords and the answers to the security questions that they set up themselves. It’s not hard to guess how frustrated people will be when they realize that they entered a wrong mailing address for mail forwarding and are now unable to get back into the system to correct it because they can remember neither their passwords nor the answers to their security questions.

To give an example related to libraries, a library may decide to block all international traffic to its licensed e-resources to prevent foreign hackers who have gotten hold of the username and password of a legitimate user from accessing those e-resources. This would certainly help libraries to avoid a potential breach of licensing terms in advance and spare them from having to shut down compromised user accounts one by one whenever those are found. However, this would make it impossible for legitimate users traveling outside of the country to access those e-resources as well, which many users would find unacceptable. Furthermore, malicious hackers would probably just use a proxy to make their IP address appear to be located in the U.S. anyway.

What would users do if their organization required them to reset passwords on a weekly basis for their work computers and for several other systems that they also use constantly for work? While this may strengthen the security of those systems, it’s easy to see that it would be a nightmare to reset all those passwords every week and keep track of them without forgetting them or mixing them up. Most likely, users will start using less complicated passwords or even begin to adopt just one password for all the different services. Some may even stick to the same password every time the system requires them to reset it, unless the system automatically detects the previous password and prevents the users from continuing to use the same one. Ill-thought-out cybersecurity measures can easily backfire.

Security is important, but users also want to be able to do their job without being bogged down by unwieldy cybersecurity measures. The more user-friendly and the simpler the cybersecurity guidelines are to follow, the more users will observe them, thereby making a network more secure. Users who face cumbersome and complicated security measures may ignore or try to bypass them, increasing security risks.


Cybersecurity vs. Privacy

Usability and productivity may be a small issue, however, compared to the risk of mass surveillance resulting from aggressive security measures. In 2013, the Guardian reported that the communication records of millions of people were being collected by the National Security Agency (NSA) in bulk, regardless of suspicion of wrongdoing. A secret court order prohibited Verizon from disclosing the NSA’s information request. After a cyberattack against the University of California at Los Angeles, the University of California system installed a device that is capable of capturing, analyzing, and storing all network traffic to and from the campus for over 30 days. This security monitoring was implemented secretly without consulting or notifying the faculty and those who would be subject to the monitoring. The San Francisco Chronicle reported the IT staff who installed the system were given strict instructions not to reveal it was taking place. Selected committee members on the campus were told to keep this information to themselves.

The invasion of privacy and the lack of transparency in these network monitoring programs has caused great controversy. Such wide and indiscriminate monitoring programs must have a very good justification and offer clear answers to vital questions such as what exactly will be collected, who will have access to the collected information, when and how the information will be used, what controls will be put in place to prevent the information from being used for unrelated purposes, and how the information will be disposed of.

We have recently seen another case in which security concerns conflicted with people’s right to privacy. In February 2016, the FBI asked Apple to create a backdoor application that would bypass the current security measure in place in its iOS. This was because the FBI wanted to unlock an iPhone 5C recovered from one of the shooters in the San Bernardino shooting incident. Apple iOS secures users’ devices by permanently erasing all data when a wrong password is entered more than ten times if people choose to activate this option in the iOS settings. The FBI’s request was met with strong opposition from Apple and others. Such a backdoor application can easily be exploited for illegal purposes by black hat hackers, for unjustified privacy infringement by other capable parties, and even for dictatorship by governments. Apple refused to comply with the request, and the court hearing was to take place on March 22. The FBI, however, withdrew the request, saying that it had found a way to hack into the phone in question without Apple’s help. Now, Apple has to figure out what the vulnerability in its iOS is if it wants its encryption mechanism to be foolproof. In the meantime, iOS users know that their data is no longer as secure as they once thought.

Around the same time, the Senate’s draft bill titled “Compliance with Court Orders Act of 2016” proposed that people should be required to comply with any authorized court order for data and that if that data is “unintelligible” – meaning encrypted – then it must be decrypted for the court. This bill is problematic because it practically nullifies the efficacy of any end-to-end encryption, which we use every day from our iPhones to messaging services like WhatsApp and Signal.

Because security is essential to privacy, it is ironic that certain cybersecurity measures are used to greatly invade privacy rather than protect it. Because we do not always fully understand how the technology actually works or how it can be exploited for both good and bad purposes, we need to be careful about giving blank permission to any party to access, collect, and use our private data without clear understanding, oversight, and consent. As we share more and more information online, cyberattacks will only increase, and organizations and the government will struggle even more to balance privacy concerns with security issues.

Why Should Libraries Advocate for Online Privacy?

The fact that people may no longer have privacy on the Web should concern libraries. Historically, libraries have been strong advocates of intellectual freedom, striving to keep patrons’ data safe and protected from the unwanted eyes of the authorities. As librarians, we believe in people’s right to read, think, and speak freely and privately as long as such an act itself does not pose harm to others. The Library Freedom Project is an example that reflects this belief held strongly within the library community. It educates librarians and their local communities about surveillance threats, privacy rights and law, and privacy-protecting technology tools to help safeguard digital freedom, and helped the Kilton Public Library in Lebanon, New Hampshire, to become the first library to operate a Tor exit relay, to provide anonymity for patrons while they browse the Internet at the library.

New technologies brought us the unprecedented convenience of collecting, storing, and sharing massive amounts of sensitive data online. But the fact that such sensitive data can be easily exploited by falling into the wrong hands has also created an unparalleled level of potential invasion of privacy. While the majority of librarians take a very strong stance in favor of intellectual freedom and against censorship, it is often hard to discern a correct stance on online privacy, particularly when it is pitted against cybersecurity. Some even argue that those who have nothing to hide do not need their privacy at all.

However, privacy is not equivalent to hiding a wrongdoing. Nor do people keep certain things secret because those things are necessarily illegal or unethical. Being watched 24/7 will drive any person crazy whether s/he is guilty of any wrongdoing or not. Privacy allows us safe space to form our thoughts and consider our actions on our own without being subject to others’ eyes and judgments. Even in the absence of actual massive surveillance, just the belief that one can be placed under surveillance at any moment is sufficient to trigger self-censorship and negatively affect one’s thoughts, ideas, creativity, imagination, choices, and actions, making people more conformist and compliant. This is further corroborated by the recent study from Oxford University, which provides empirical evidence that the mere existence of a surveillance state breeds fear and conformity and stifles free expression. Privacy is an essential part of being human, not some trivial condition that we can do without in the face of a greater concern. That’s why many people under political dictatorship continue to choose death over life under mass surveillance and censorship in their fight for freedom and privacy.

The Electronic Frontier Foundation states that privacy means respect for individuals’ autonomy, anonymous speech, and the right to free association. We want to live as autonomous human beings free to speak our minds and think on our own. If part of a library’s mission is to contribute to helping people to become such autonomous human beings through learning and sharing knowledge with one another without having to worry about being observed and/or censored, libraries should advocate for people’s privacy both online and offline as well as in all forms of communication technologies and devices.

ACRL TechConnect: Cybersecurity, Usability, Online Privacy, and Digital Surveillance

Mon, 2016-05-09 16:58


LITA: Mindful Tech with David Levy, a new LITA webinar

Mon, 2016-05-09 15:59

Don’t miss the opportunity to participate in this well-known program by David Levy on the timely topic of Mindful Tech. The popular interactive program will include exercises and participation, now re-packaged into a 2 part webinar format. Both parts will be fully recorded for participants to return to, or to work with varying schedules.

Mindful Tech: Establishing a Healthier and More Effective Relationship with Our Digital Devices and Apps
In 2 Parts, Tuesdays June 7 and June 14, 2016, 1:00 – 2:30 pm Central Time
David Levy, Information School, University of Washington

Register Now for this 2 part webinar

This two-part webinar series, with each part running 90 minutes, will introduce participants to some of the central insights of the work Levy has been doing over the past decade and more. By learning to pay attention to their immediate experience (what’s going on in their minds and bodies) while they’re online, people are able to see more clearly what’s working well for them and what isn’t, and based on these observations to develop personal guidelines that allow them to operate more effectively and healthfully. Levy will demonstrate this work by giving participants exercises they can do, both during the online program and between the sessions.

Presenter

David Levy

David M. Levy is a professor at the Information School of the University of Washington. For more than a decade, he has been exploring, via research and teaching, how we can establish a more balanced relationship with our digital devices and apps. He has given many lectures and workshops on this topic, and in January 2016 published a book on the subject, “Mindful Tech: How to Bring Balance to Our Digital Lives” (Yale). Levy is also the author of “Scrolling Forward: Making Sense of Documents in the Digital Age” (rev. ed. 2016).

Additional information is available on his website at: http://dmlevy.ischool.uw.edu/

Then register for the webinar

Full details

Can’t make the dates but still want to join in? Registered participants will have access to both parts of the recorded webinars.

Cost:

  • LITA Member: $68
  • Non-Member: $155
  • Group: $300

Registration Information

Register Online page arranged by session date (login required)
OR
Mail or fax form to ALA Registration
OR
Call 1-800-545-2433 and press 5
OR
email registration@ala.org

And don’t miss the other upcoming LITA continuing education webinars:

Email is a Postcard, with Alison Macrina and Nima Fatemi
Offered: Thursday May 26, 2016, 1:00 – 2:00 pm Central Time

Tor-ify Your Library, with Alison Macrina and Nima Fatemi
Offered: Tuesday May 31, 2016, 1:00 – 2:00 pm Central Time

Questions or Comments?

For all other questions or comments related to the preconference, contact LITA at (312) 280-4269 or Mark Beatty, mbeatty@ala.org.

Eric Lease Morgan: Making stone soup: Working together for the advancement of learning and teaching

Mon, 2016-05-09 12:26

It is simply not possible for any of us to do our jobs well without the collaboration of others. Yet specialization abounds, jargon proliferates, and professional silos are everywhere. At the same time we all have a shared goal: to advance learning and teaching. How are we to balance these two seemingly conflicting characteristics in our workplace? How can we satisfy the demands of our day-to-day jobs and at the same time contribute to the work of others? ‡

The answer is not technical but instead rooted in what it means to be a part of a holistic group of people. The answer is rooted in things like the abilities to listen, to share, to learn, to go beyond tolerance and towards respect, to take a sincere interest in the other person’s point of view, to discuss, and to take to heart the idea that nobody really sees the whole picture.

As people — members of the human race — we form communities with both our strengths & our weaknesses, with things we know would benefit the group & things we would rather not share, with both our beauties and our blemishes. This is part of what it means to be people. There is no denying it, and if we try, then we are only being less of who we really are. To deny it is an unrealistic expectation. We are not gods. We are not actors. We are people, and being people — real people — is a good thing.

Within any community, there are norms of behavior. Without norms of behavior, there is really no community, only chaos and anarchy. In anarchy and chaos, physical strength is oftentimes the defining characteristic of decision-making, but when the physically strong are outnumbered by the emotionally mature and intellectually aware, then chaos and anarchy are overthrown for a more holistic set of decision-making processes. Examples include democracy, consensus building, and even the possibility of governance through benevolent dictatorship.

A community’s norms are both written and unwritten. Our workplaces are good examples of such communities. On one hand there may be policies & procedures, but these policies & procedures usually describe workflows, the methods used to evaluate employees, or to some extent strategic plans. They might outline how meetings are conducted or how teams are to accomplish their goals. On the other hand, these policies & procedures do not necessarily outline how to talk with fellow employees around the virtual water cooler, how to write email messages, nor how to greet each other on a day-to-day basis. Just as importantly, our written norms of behavior do not describe how to treat and communicate with people outside one’s own set of personal expertise. Don’t get me wrong. This does not mean I am advocating written norms for such things, but such things do need to be discussed and agreed upon. Such are the beginnings of stone soup.

Increasingly we seem to work in disciplines of specialization, and these specializations, necessarily, generate their own jargon. “Where have all the generalists gone? Considering our current environment, is it really impossible to be a Renaissance Man^h^h^h Person?” Increasingly, the answer to the first question is, “The generalists have gone the way of Leonardo da Vinci.” And the answer to the second question is, “Apparently so.”

For example, some of us lean more towards formal learning, teaching, research, and scholarship. These are the people who have thoroughly studied and now teach a particular academic discipline. These same people have written dissertations, which, almost by definition, are very specialized, if not unique. They live in a world pursuant of truth while balancing the worlds of rigorous scholarly publishing and student counseling.

There are those among us who thoroughly know the ins and outs of computer technology. These people can enumerate the differences between a word processor and a text editor. They can compare & contrast operating systems. These people can configure & upgrade software. They can make computers communicate on the Internet. They can trouble-shoot computer problems when the computers seem — for no apparent reason — to just break.

Finally, there are those among us who specialize in the collection, organization, preservation, and dissemination of data, information, and knowledge. These people identify bodies of content, systematically describe it, make every effort to preserve it for posterity, and share it with their respective communities. These people deal with MARC records, authority lists, and subject headings.

Despite these truisms, we — our communities — need to figure out how to work together, how to bridge the gaps in our knowledge (a consequence of specialization), and how to achieve our shared goals. This is an aspect of our metaphoric stone soup.

So now the problem can be re-articulated. We live and work in communities of unwritten and poorly articulated norms. To complicate matters, because of our specializations, we all approach our situations from different perspectives and use different languages to deal with the situations. As I was discussing this presentation with a dear friend & colleague, the following poem attributed to Prissy Galagarian was brought to my attention†, and it eloquently states the imperative:

The Person Next to You

The person next to you is the greatest miracle and the greatest mystery you will ever meet at this moment.

The person next to you is an inexhaustible reservoir of possibility, desire and dread, smiles and frowns, laughter and tears, fears and hopes, all struggling to find expression.

The person next to you believes in something, stands for something, counts for something, lives for something, labors for something, waits for something, runs from something, runs to something.

The person next to you has problems and fears, wonders how they're doing, is often undecided and unorganized and painfully close to chaos! Do they dare speak of it to you?

The person next to you can live with you not just alongside you, not just next to you.

The person next to you is a part of you, for you are the person next to them.

How do we overcome these impediments in order to achieve our mutual goals of the workplace? The root of the answer lies in our ability to really & truly respect our fellow employees.

Working together towards shared goals is a whole lot like making “stone soup”. Do you know the story of “stone soup”? A man comes into a village, and asks the villagers for food. Every time he asks he is told that there is nothing to give. Despite an apparent lack of anything, the man sets up a little fire, puts a pot of water on, and drops a stone into the pot. Curious people come by, and they ask, “What are you doing?” He says, “I’m making stone soup, but I think it needs a bit of flavor.” Wanting to participate, people begin to add their own things to the soup. “I think I have some carrots,” says one villager. “I believe I have a bit of celery,” says another. Soon the pot is filled with bits of this and that and the other thing: onions, salt & pepper, a beef bone, a few tomatoes, a couple of potatoes, etc. In the end, a rich & hearty stew is made, enough for everybody to enjoy. Working together, without judgement nor selfishness, the end result is a goal well-accomplished.

This can happen in the workplace as well. It can happen in our community where the goal is teaching & learning. And in the spirit of cooking, here’s a sort of recipe:

  1. Understand that you do not have all the answers, and in fact, nobody does; nobody has the complete story nor sees the whole picture. Only after working on a task, and completing it at least once, will a holistic perspective begin to develop.
  2. Understand that nobody’s experience is necessarily more important than the others’, including your own. Everybody has something to offer, and while your skills & expertise may be imperative to success, so are the skills & expertise of others. And if there is an established hierarchy within your workplace, understand that the hierarchy is all but arbitrary, and maintained by people with an over-developed sense of power. We all have more things in common than differences.
  3. Spend the time to get to know your colleagues, and come to a sincere appreciation of who they are as a person as well as a professional. This part of the “recipe” may include formal or informal social events inside or outside the workplace. Share a drink or a meal. Take a walk outside or through the local museum. Do this in groups of two or more. Such activities provide a way for everybody involved to reflect upon an outside stimulus. Through this process the interesting characteristics of the others will become apparent. Appreciate these characteristics. Do not judge them, but rather respect them.
  4. Remember, listening is a wonderful skill, and when the other person talks for a long time, they will go away thinking they had a wonderful conversation. Go beyond hearing what a person says. Internalize what they say. Ask meaningful & constructive questions, and speak their name frequently during discussions. These things will demonstrate your true intentions. Through this process the others will become a part of you, and you will become a part of them.
  5. Combine the above ingredients, bring them to a boil, and then immediately lower the temperature allowing everything to simmer for a good long time. Keeping the pot boiling will only overheat the soup and make a mess. Simmering will keep many of the individual parts intact, enable the flavors to mellow, and give you time to set the table for the next stage of the process.

Finally, making stone soup does not require fancy tools. A cast iron pot will work just as well as one made from aluminium or teflon. What is needed is a container large enough to hold the ingredients and withstand the heat. It doesn’t matter whether or not the heat source is gas, electric, or fire. It just has to be hot enough to allow boiling and then simmering. Similarly, stone soup in the workplace does not require Google Drive, Microsoft Office 365, nor any type of wiki. Sure, those things can facilitate project work, but they are not the means for getting to know your colleagues. Only through personal interaction will such knowledge be garnered.

Working together for the advancement of learning & teaching — or just about any other type of project work — is a lot like making stone soup. Everybody contributes a little something, and the result is a nourishing meal for all.

‡ This essay was written as a presentation for the AMICAL annual conference which took place in Rome (May 12-14, 2016), and this essay is available as a one-page handout.

† http://fraternalthoughts.blogspot.it/2011/02/person-next-to-you.html

LibUX: Web education must go further than a conference budget

Mon, 2016-05-09 04:13

Best practices evolve rapidly as does the technology of the web. Trends come and go. First the browser support for newfangled CSS improves, allowing us to add not just stylistic but functional complexity to our sites and apps that used to require JavaScript – or Flash, before that. I — not that I should have — made it sort of a technical point of pride to design public and academic library websites and all their tropes — tabs, off-canvas menus, carousels — using and abusing the checkbox hack 1 to push whole projects into production without a lick of JS.

Now the seam-bursting popularity of React calls into question the pros of writing the web in anything but JavaScript. Pretty convincing high-level arguments 2 manage to trivialize the benefits of things like “the separation of concerns” – the existential crisis of a bygone era.

Just because we’ve settled on a particular separation of concerns doesn’t mean that separating along different concerns has no merits. If I’ve got well-defined HTML/CSS/Javascript for a component in my application, it would be great to have that stuff all in one place.

A comment by “Michaius”, The Debate Around “Do We Even Need CSS Anymore?”

I don’t think links should open in a new window, but the relevance of the argument depends on both circumstance and time, which — as you know — is a-changin’.

Both the relevance and agency of libraries pivot around the technical knowledge of the people at their core. Our understanding and mastery of the web is what gives voice to the base values of librarianship: Safiya Noble bringing to light the politics inherent in algorithms turns the lens inward on that thing at the crux of what libraries do in part because that thing is already or will be a computer program and thus [some]3 librarians must become programmers to articulate and continue the mission.

And this creates an obstacle wherein library organizations who carve out salaries for dedicated tech folk need to figure out how they are going to address their continuing education.

It must go further than an available conference budget.

Endnotes
  • 1 I am still kind of a fan but there are serious accessibility concerns. This March, Hugo Giraudel wrote in Introducing A11y Toggle:

On top of that, the checkbox hack has some accessibility issues. See, for a content toggle to be fully accessible to assistive technology users, it should respect the following: the toggle should have an aria-expanded attribute to define its current state (true for expanded, false for collapsed); the toggle should have an aria-controls attribute linking to the toggled content in case they are not in order in the document so that assistive technologies can provide a shortcut; the toggled content should have an aria-hidden attribute to define its current state (true for collapsed, false or no attribute for expanded). All of this cannot be done with CSS itself.


Dan Scott: Library stories: 2020 vision: "Professional research tools"

Sun, 2016-05-08 23:07

For a recent strategic retreat, I was asked to prepare (as homework) a story about a subject that I'm passionate about, with an idea of where we might see the library in the next three to five years. Here's one of the stories I came up with, in the form of a brief scene as we observe a researcher at work:

Scene: a cluttered home office. Faculty member LISA stands at her desk, tapping at a keyboard. She is distilling some of her recent findings into a proposal for an upcoming conference. At the top of the screen in front of her is the working title “Deliberate practice and mining accidents: an inverse relationship”; the paper will tie leading ideas from two different disciplines together.

At the moment, she is working on the second paragraph, which lays the groundwork for her novel approach by drawing on some of the classic works in each field. She types:

The concept of “deliberate practice” was introduced by Ericsson et al

LISA: OK EasyWriter, insert footnote: Ericsson deliberate practice

Taking the cue from the invocation phrase “OK EasyWriter”, the microphone in one of her computing devices wakes up her AI research assistant (AIRA) which accesses her personal bibliographic database. She has been compiling a list of the papers she has been reading, along with annotations. AIRA also has access to her research team’s extended bibliographic database, which holds the citations, papers, research data, and general wisdom accumulated by the core researchers of her team since they set it up in 2016. AIRA also knows what subject-specific databases she normally searches and which papers she has bookmarked, downloaded, read, previously cited, or have cited her. It taps into general online databases like BinGooHoo Academic Scholar for citation trails, recent publications, and a comprehensive overview of the available copies of a given paper, whether through freely available versions online or those licensed by her library. As a fainter signal, AIRA knows what she has commented on in social media channels SnapTwitFaceSlackBook and uses sentiment analysis to determine whether those comments were favourable or snarky.

AIRA: [positions a list of three papers that LISA might want to cite, in order of likelihood based on all of this data, right under her cursor]

LISA hovers over the top entry. The citation information expands to overlay more information, including the abstract, number of citations, and annotations from her own copy of the paper. She clicks the top entry for a 1993 paper.

LISA: [mutters] Yep, let’s get that a bit closer to 6,000 citations.

LISA finishes the quick synopsis of Ericsson’s thesis but wants to show that she is aware of his current thinking. Hovering over the citation again, she checks Ericsson’s recent publications and finds a 2018 entry that is reflecting on the 25th anniversary of his seminal paper. Scanning the abstract, she notes with satisfaction that Ericsson still considers the basic thesis sound and adds the citation to her personal bibliographic database, which displays a green check indicating that a copy of the paper has also been added to her personal reading list from one of the library-licensed or reputable open access sources.

LISA also wants to acknowledge at least the leading critical reaction to the thesis. Hovering over the citation and the “Cited by” list breaks those citations down into rough categories such as “Supportive”, “Critiques”, and “Non-substantive”. Topping the “critiques” list is a 2007 paper by Hill that, according to the abstract, finds no significant correlation between hours of deliberate practice and accomplishments of spelling bee contestants competing in their second language.

LISA then drills into the “critiques” list for Hill’s paper, and finds that the defenders of Ericsson’s thesis have pointed out important limitations to the breadth of Hill’s findings and overly broad assertions. They accept that the lack of correlation holds for rote vocabulary memorization, but point to studies that have repeatedly demonstrated deliberate practice as having a significant impact on skills combining cognitive and physical tasks--such as would be related to LISA’s overall thesis concerning mining-related incidents. LISA adds Hill’s critique to her personal reading list, as well as two of the selected counter-responses.

From a technology perspective, all of the pieces are pretty much in place and just need to be pulled together—Zotero group bibliographies, linked open data, voice recognition, artificial intelligence and agents, and the likes of Google Scholar and Google Docs' ability to provide citations upon demand—and I think most or all of it will inevitably happen. So an interesting aspect to consider is what role we as librarians will play as this comes to pass. I believe one role is to help researchers make the most of the tools that are available; those who adapt and harness the power of these tools have the potential to be much more productive than their peers.

Roy Tennant: What Pace Progress?

Sun, 2016-05-08 16:07

Over 30 years ago I led a team at the UC Berkeley Libraries to use HyperCard to create a library orientation guide. This project, although we did not know it at the time, formed the foundation of our web design work to follow in the early 1990s.

What saddens me is that 30 years on I don’t think we have actually made a lot of progress.

Hypermedia was a transformative idea that got its start with products like HyperCard, but then exploded around the world with the advent of the World Wide Web. No one can refute the revolutionary nature of that change.

But what has happened since seems more like incremental changes around the edges. Sure, now everyone uses Javascript, CSS, and other technologies that didn’t even exist in the early days of the web, but the user interaction is mostly the same with the added benefit of more interactivity.

But where is the next revolution? Is it linked data? Maybe, but we have yet to experience some really revolutionary changes in what we do or how we do it. Perhaps soon. That’s the thing about revolutions. You don’t always know it’s coming until you’re right in the middle of it. All I know is that the next revolutionary change in our world has been a long, long time coming.

Open Library: Not just scanning – Thoreau’s Cape Cod

Sat, 2016-05-07 16:51

It makes no odds what it is you carry, so long as you carry the truth along with you. – intro to 1893 edition

There are many good responses to “Why do we still have libraries when everything is online?” My favorite one has to do with the importance of finding people to curate and sort and sift through the enormous bulk of online material to create knowledge and wisdom from what is merely just data. Small projects which do not scale. Henry David Thoreau went to Cape Cod in the mid 1800s and wrote about the experience. His writings on Cape Cod were published in 1865 and reprinted many times after that. The text can be found any number of places, but actually flipping through the books reveals a lot more about the cultural history of this book and the text it contains. Just the covers alone are lovely to look at.

Cover featuring the Eastham Windmill

 

Cover featuring cranberry motif

Looking through the many copies Open Library has, there’s a lot of marginalia and other interesting things to peek at. One version appears to have been purchased for a dollar while another may have cost upwards of thirty.

The book was frequently given to libraries as a gift. Sometimes by people you may have heard of.

Some of these versions have beautiful and unusual illustrations and some have photographs.

Some have illustrations nearly obliterated by low quality scanning (not ours).

And some have little mysteries. What does “By transfer The White House” mean? What did the War Department think of this book?

All of these are aspects of the book – one work, many editions – that surface through close inspection, with human eyes.

The Concord MA library has scanned, assembled and annotated a set of images of Thoreau’s surveys which is another wonderfully curated set of digitized ephemera that help us understand our world.
