Programming / Coding Glossary

This is the first post of 2020!

From Java programming, I am picking up Python.

[Side note: When I attended my final Java tutorial, I answered a question on GUI (graphical user interface, a screen “through which a user interacts with electronic devices such as computers, hand-held devices and other appliances. This interface uses icons, menus and other visual indicator (graphics) representations to display information and related user controls, unlike text-based interfaces, where data and commands are in text”, Techopedia, 2 Jan 2020).

What is so cool about this? I majored in History; I had taken Java to fulfil graduation requirements.

So my instructor’s comment changed my worldview, I mean – wow – I get coding (with much guidance from others).

So why not give new things a try? Especially if you’re learning to help others…]

Returning to the topic, I see the massive need for foundational knowledge. Thus, here is an attempt to make learning easier for many (including myself)…

ASCII

ASCII is the acronym for the American Standard Code for Information Interchange. It is a code for representing 128 English characters as numbers, with each letter assigned a number from 0 to 127. For example, the ASCII code for uppercase M is 77. Most computers use ASCII codes to represent text, which makes it possible to transfer data from one computer to another.

Text files stored in ASCII format are sometimes called ASCII files. Text editors and word processors are usually capable of storing data in ASCII format, although ASCII format is not always the default storage format. Most data files, particularly if they contain numeric data, are not stored in ASCII format. Executable programs are never stored in ASCII format.

The standard ASCII character set uses just 7 bits for each character. There are several larger character sets that use 8 bits, which gives them 128 additional characters. The extra characters are used to represent non-English characters, graphics symbols, and mathematical symbols.

Several companies and organizations have proposed extensions for these 128 characters. The DOS operating system uses a superset of ASCII called extended ASCII or high ASCII. A more universal standard is the ISO Latin 1 set of characters, which is used by many operating systems, as well as Web browsers.

Another set of codes that is used on large IBM computers is EBCDIC.

Vangie Beal. (accessed 2 Jan 2020). ASCII. Webopedia.

…Technically, ASCII is 7-bit representing only 128 characters (0-127). The range 0-31 are control characters, with 32-127 representing alphabetical characters from A to Z, numerals from 0 to 9 and punctuation marks (though not in that order). ASCII only may be used to encode U.S. English.

Some people confuse codes above 128-255 to be ASCII, but technically speaking, they are not. As computers evolved, it became common to use an 8-bit byte. This last character allowed for an extra 128 characters, which is known as extended ASCII. Different systems implement extended ASCII differently, so there are compatibility issues that aren’t encountered in the first 128 characters.

American Standard for Information Interchange (ASCII). (accessed 2 Jan 2020). Techopedia.

Binary file

A binary file is a file stored in binary format. A binary file is computer-readable but not human-readable. All executable programs are stored in binary files, as are most numeric data files. In contrast, text files are stored in a form (usually ASCII) that is human-readable.

Webopedia Staff. (accessed 2 Jan 2020). Binary file. Webopedia. [See also Binary (07 Oct 2019) by Computer Hope – https://www.computerhope.com/jargon/b/binary.htm].
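The two glossary entries above (ASCII and binary file) are easiest to see with a few lines of code. The block below is an added example, not code from Webopedia, Techopedia or Computer Hope: it looks up the code of a character (M is 77), labels byte values with the ranges the Techopedia quote gives (0-31 control, 32-126 printable, 128-255 not ASCII at all), applies the common text-versus-binary heuristic, and shows why "extended ASCII" is not portable by decoding the same byte under two 8-bit code pages (the DOS cp437 page and ISO Latin 1). The sample inputs are constructed; everything uses only the Python standard library.

```python
# Added example: ASCII ranges, text-vs-binary detection and the
# "extended ASCII" compatibility problem. Standard library only.

ASCII_MAX = 0x7F  # 7-bit ASCII covers code points 0..127


def ascii_code(ch: str) -> int:
    """Return the ASCII code of one character, e.g. 'M' -> 77.

    Raises ValueError for anything outside the 128-character set, which is
    the check you want before passing "ASCII-only" input to a legacy system.
    """
    if len(ch) != 1:
        raise ValueError("expected exactly one character")
    code = ord(ch)
    if code > ASCII_MAX:
        raise ValueError(f"{ch!r} (U+{code:04X}) is not in 7-bit ASCII")
    return code


def classify_byte(b: int) -> str:
    """Label one byte value using the ranges quoted in the glossary."""
    if b <= 31 or b == 127:
        return "control"      # 0-31 are control codes; 127 is DEL
    if b <= 126:
        return "printable"    # 32-126: space, letters, digits, punctuation
    return "extended"         # 128-255: not ASCII; meaning depends on the code page


def is_pure_ascii(data: bytes) -> bool:
    """True when every byte fits in 7 bits."""
    return all(b <= ASCII_MAX for b in data)


def looks_like_text(data: bytes, sample: int = 512) -> bool:
    """Heuristic text-vs-binary check of the kind many tools use.

    A NUL byte, or more than 5% control bytes other than tab/LF/CR in the
    first `sample` bytes, marks the data as binary.
    """
    head = data[:sample]
    if not head:
        return True
    if b"\x00" in head:
        return False
    whitespace = {9, 10, 13}
    suspicious = sum(
        1 for b in head if classify_byte(b) == "control" and b not in whitespace
    )
    return suspicious / len(head) < 0.05


def extended_byte_meanings(b: int) -> dict:
    """Decode one byte 128-255 under two different 8-bit code pages.

    The results differ, which is the "compatibility issues" the Techopedia
    quote refers to: bytes above 127 have no single agreed meaning.
    """
    raw = bytes([b])
    return {
        "cp437": raw.decode("cp437"),      # the DOS / IBM PC code page
        "latin-1": raw.decode("latin-1"),  # ISO Latin 1
    }


if __name__ == "__main__":
    print("M ->", ascii_code("M"))
    print("0xE9 means:", extended_byte_meanings(0xE9))
    print("ELF header is text?", looks_like_text(b"\x7fELF\x02\x01\x01\x00"))
```

The heuristic in `looks_like_text` is deliberately simple; real tools (e.g. the `file` command) add magic-number checks on top of it, which is why an executable is recognised from its first bytes rather than from a byte census.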

Boolean

… any of a number of mathematical systems, esp. one (Boolean algebra) devised using algebraic rules and symbols for the analysis of symbolic logic, which is now widely used in digital computers since its true-false results are compatible with binary numbers

Collins Dictionary (American English). (accessed 2 Jan 2020).

A Boolean system is based on things that can be either true or false, but not both. It links statements with words called operators, such as AND, OR, and NOT. Boolean systems are used to write computer programs, especially Internet search programs.

Longman Dictionary of Contemporary English. (accessed 2 Jan 2020).

Encryption

… As of 2001, the US Department of Commerce’s National Institute for Standards and Technology (NIST) has adopted the Advanced Encryption Standard (AES) as the standard for government encryption (PDF). Since its adoption, AES has become a standard part of cryptography around the world, both in government and civilian applications.

AES is a form of symmetrical encryption and can be used to generate 128-bit keys, 192-bit keys, and 256-bit keys, depending on the number of encryption rounds data is subjected to. AES creates blocks of 16 bytes that are shifted, mixed, and substituted each round…

AES is incredibly secure, so much so that the US government considers AES128 sufficient to secure data classified as secret, and AES192 and AES256 safe for top secret data. AES is effectively unbreakable, and it’s easy to see why mathematically. A 128-bit encryption has 2^128 potential solutions, a 192-bit 2^192, and a 256-bit has 2^256 possible solutions. Do a quick calculation, and you’ll see why it would take even the most powerful computers an impossibly long time to crack it.

As for asymmetrical encryption, there’s currently no single standard in place. There is a long list of asymmetric encryption methods, but the most commonly used one by far is RSA. A variety of encryption systems make use of asymmetric encryption, such as DSA, Diffie-Hellman key exchange, ElGamal, YAK, and others…

There is a form of encryption considered unbreakable, when applied correctly, and it’s over 100 years old: The one-time pad.

One-time pads are a symmetric encryption that have very specific instructions to ensure their encryption is unbreakable. In order to be successful, a one-time pad has to:

  • Be made up of completely random numbers;
  • Have only two existing copies;
  • Be used only once; and
  • Be destroyed immediately after use.

One-time pads are impractical for use in the digital encryption world because of the difficulty that comes with a single-use encryption key: It’s hard to keep the key limited to exactly two copies, and destroying it after use is difficult if it’s stored digitally.

While they may not be used for digital encryption, one-time pads do demonstrate an important thing about encryption: Key security is paramount. A strong, computationally impractical to break key may as well be unbreakable unless it’s used improperly or stolen…

Brandon Vigliarolo. (19 Apr 2019). Encryption: A cheat sheet. https://www.techrepublic.com/article/encryption-a-cheat-sheet/.

Jokes

*Why did the computer keep sneezing?
It had a virus.

*Why do Java developers wear glasses?
Because they don’t C# (see sharp).

* What do you call a computer that sings?
A Dell. (Like Adele the singer.)

[Selection : ) ] Computer Hope. (1 Dec 2019). https://www.computerhope.com/jargon/j/joke.htm.

XOR

Short for eXclusive OR, the XOR operator is a Boolean operation used in database searches and other searches that returns a TRUE value only if a document contains only one match.

computer XOR help

In the example above, the command would return results of documents or a value that contains either “computer” or “help”. However, it would not return the results if the documents or value contains both of these words.

XOR operator. (26 Apr 2017). Computer Hope.

Known as the exclusive OR operator, a Boolean operator that returns a value of TRUE only if just one of its operands is TRUE. In contrast, an inclusive OR operator returns a value of TRUE if either or both of its operands are TRUE.

XOR operator. (accessed 2 Jan 2020). Webopedia.
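The Boolean entry (AND, OR, NOT) and the two XOR definitions above describe the same operators from a search and a logic angle. The block below is an added example, not code from Computer Hope or Webopedia: it runs the "computer XOR help" query from the Computer Hope quote over four constructed documents, alongside AND and inclusive OR so the difference is visible, prints the truth table, and reimplements Python's bitwise `^` one bit at a time to show it is the same exclusive-OR rule applied per bit position.

```python
# Added example: Boolean search operators (AND, inclusive OR, exclusive OR)
# over constructed documents, plus XOR on bits. Standard library only.

DOCS = {  # constructed sample corpus
    "doc1": "computer help desk opening hours",
    "doc2": "help wanted for the weekend",
    "doc3": "computer repair and upgrades",
    "doc4": "weather forecast for tomorrow",
}

OPERATORS = {
    "AND": lambda a, b: a and b,          # both terms present
    "OR": lambda a, b: a or b,            # inclusive OR: either or both
    "XOR": lambda a, b: a != b,           # exclusive OR: exactly one of the two
    "AND NOT": lambda a, b: a and not b,  # left term present, right term absent
}


def contains(text: str, word: str) -> bool:
    """Whole-word, case-insensitive match."""
    return word.lower() in text.lower().split()


def search(docs: dict, left: str, op: str, right: str) -> list:
    """Return the sorted names of documents matching `left <op> right`."""
    combine = OPERATORS[op]
    return sorted(
        name for name, text in docs.items()
        if combine(contains(text, left), contains(text, right))
    )


def truth_table() -> list:
    """Rows of (a, b, a AND b, a OR b, a XOR b) for all four input pairs."""
    return [(a, b, a and b, a or b, a != b)
            for a in (False, True) for b in (False, True)]


def xor_bits(x: int, y: int) -> int:
    """Compute x ^ y bit by bit with the XOR rule (1 exactly when the bits
    differ), to show that Python's ^ is exclusive OR at every bit position."""
    result = 0
    for i in range(max(x.bit_length(), y.bit_length())):
        if ((x >> i) & 1) != ((y >> i) & 1):
            result |= 1 << i
    return result


if __name__ == "__main__":
    for op in ("AND", "OR", "XOR"):
        print(f"computer {op} help ->", search(DOCS, "computer", op, "help"))
    for row in truth_table():
        print(row)
    print(bin(xor_bits(0b1100, 0b1010)), "==", bin(0b1100 ^ 0b1010))
```

With this corpus, `computer XOR help` returns doc2 and doc3 and leaves out doc1, which contains both words; `computer OR help` includes doc1 as well. That is exactly the distinction between the exclusive and inclusive operators in the two definitions.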

XOR algorithm of encryption and decryption converts the plain text in the format ASCII bytes and uses XOR procedure to convert it to a specified byte. It offers the following advantages to its users −

  • Fast computation
  • No difference marked in left and right side
  • Easy to understand and analyze…

Cryptography with Python – XOR Process. (accessed 2 Jan 2020). Tutorials Point. https://www.tutorialspoint.com/cryptography_with_python/cryptography_with_python_xor_process.htm. [Consider also Adventures in Cryptography with Python – XOR Cipher. 25 Jul 2018. Abhishek Shukla. https://www.abhishekshukla.com/python/adventures-in-cryptography-with-python-xor-cipher/].
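The XOR process just quoted and the one-time pad rules in the Encryption entry (random numbers, used only once) are the same operation with different keys. The block below is an added example, not code from Tutorials Point, Abhishek Shukla or TechRepublic: it converts text to ASCII bytes and XORs it with a short repeating key (the form the Tutorials Point page describes), then with a pad of random bytes drawn from the operating system's CSPRNG that is as long as the message (the one-time pad form), and finishes with a property check that explains the "used only once" rule: when two messages share a pad, XORing the two ciphertexts cancels the pad out. The messages are constructed; only the standard library is used.

```python
# Added example: XOR cipher on ASCII bytes (repeating key) next to the
# one-time pad (random pad, one byte per message byte, never reused).
import secrets


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, cycling the key if it is shorter.

    Because x ^ k ^ k == x, the same function both encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def repeating_key_encrypt(plaintext: str, key: str) -> bytes:
    """Text -> ASCII bytes -> XOR with a short key that repeats.

    This is the textbook XOR cipher; the repeating pattern is why it is a
    teaching tool and not a protection for real data.
    """
    return xor_bytes(plaintext.encode("ascii"), key.encode("ascii"))


def repeating_key_decrypt(ciphertext: bytes, key: str) -> str:
    return xor_bytes(ciphertext, key.encode("ascii")).decode("ascii")


def new_pad(length: int) -> bytes:
    """A one-time pad: random bytes from the OS CSPRNG, one per message byte."""
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """One-time pad: the pad must cover the whole message and is never cycled."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message; cycling it breaks the one-time property")
    return xor_bytes(message, pad[: len(message)])


otp_decrypt = otp_encrypt  # identical operation, as with any XOR cipher


def pad_reuse_cancels_pad(m1: bytes, m2: bytes, pad: bytes) -> bool:
    """Check the property behind the 'used only once' rule.

    With a shared pad, c1 ^ c2 == m1 ^ m2: the pad drops out, so the
    relationship between the two plaintexts is exposed to anyone holding
    both ciphertexts. A fresh pad per message is what prevents this.
    """
    c1, c2 = otp_encrypt(m1, pad), otp_encrypt(m2, pad)
    n = min(len(m1), len(m2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(m1[:n], m2[:n])


if __name__ == "__main__":
    ct = repeating_key_encrypt("HELLO ASCII", "K")
    print(ct.hex(), "->", repeating_key_decrypt(ct, "K"))
    pad = new_pad(16)
    msg = b"meet at the cafe"  # constructed 16-byte message
    print(otp_decrypt(otp_encrypt(msg, pad), pad) == msg)
```

Two of the four one-time pad rules show up directly in the code: `secrets.token_bytes` supplies the "completely random numbers", and the length check in `otp_encrypt` refuses to stretch a pad over a longer message. The other two (exactly two copies, destroyed after use) are handling rules that no amount of code can enforce, which is the point the TechRepublic quote makes about key security.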

Linked

Personal Data, Singapore – What & Why

*v2 – Dec 2019: added 4th Why.

What does Personal Data mean?

1. What is personal data?
Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.

This includes unique identifiers (e.g. NRIC number, passport number); photographs or video images of an individual (e.g. CCTV images); as well as any set of data (e.g. name, age, address, telephone number, occupation, etc), which when taken together would be able to identify the individual. For example, Jack Lim, 36 years old, civil servant, lives at Blk 123 Bishan St 23.

Frequently Asked Questions. (updated 18 Nov 2019). http://www.ifaq.gov.sg/pdpc/apps/Fcd_faqmain.aspx?FAQ=70555. Personal Data Protection Commission (PDPC), Singapore.

Application of the Personal Data Protection Act
The PDPA covers personal data stored in electronic and non-electronic forms.

The data protection provisions in the PDPA (parts III to VI) generally do not apply to:

  • Any individual acting in a personal or domestic basis.
  • Any employee acting in the course of his or her employment with an organisation.
  • Any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data. You may wish to refer to the Personal Data Protection (Statutory Bodies) Notification 2013 for the list of specified public agencies.
  • Business contact information. This refers to an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

These rules are intended to be the baseline law which operates as part of the law of Singapore. It does not supersede existing statutes, such as the Banking Act and Insurance Act but will work in conjunction with them and the common law.

Overview. (7 Aug 2018). https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act-Overview. PDPC, Singapore. 

Why does it matter?

1. Reputational Damage

2. Legal Costs

3. Moral Obligation to take proper care of others’ information e.g. to prevent identity fraud, hacking etc.

4. Better data management, for instance removing unneeded information and organising what remains, would improve understanding of customer needs and help promote targeted marketing for future income.

Consider the below judgments published online by the PDPC; they stretch across diverse sectors in Singapore:

04 Nov 2019
Breach of the Protection Obligation by Tan Tock Seng Hospital
A warning was issued to Tan Tock Seng Hospital for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of its patients. 85 notification letters to patients to reschedule appointments were sent to wrong addresses.

04 Nov 2019
Breach of the Protection Obligation by Ninja Logistics
Directions, including a financial penalty of $90,000, were imposed on Ninja Logistics for failing to put in place reasonable security arrangements to protect customers’ data in relation to the Tracking Function Page on the Ninja Logistics website. This resulted in customers’ data on the website being accessible by the public.

04 Nov 2019
Breach of the Protection Obligation by Singtel
A financial penalty of $25,000 was imposed on Singtel for failing to put in place reasonable security arrangements to protect the personal data of users on its My Singtel mobile application.

10 Oct 2019
Breach of the Protection and Accountability Obligations by Advance Home Tutors
A financial penalty of $1,000 was imposed on Advance Home Tutors for failing to put in place reasonable security arrangements to protect the personal data collected from its tutors and for not developing and implementing data protection policies and practices necessary to ensure its compliance with PDPA.

10 Oct 2019
Breach of the Protection Obligation by Barnacles
A warning was issued to Barnacles Pte. Ltd. for failing to put in place reasonable measures to protect the personal data of individuals who had made dining reservations via its website; and retaining such personal data when it no longer had any legal or business purpose to retain it. As a result, the personal data of 149 individuals were accessible over the Internet.

10 Oct 2019
Breach of the Consent and Notification Obligations by Amicus Solutions and a Financial Consultant
Amicus Solutions and a financial consultant were issued directions, including to pay financial penalties of $48,000 and $10,000 respectively, for breaches of the PDPA. Amicus Solutions failed to notify and obtain consent for the disclosure of individuals’ personal data that it sold to the financial consultant who used such personal data for telemarketing purposes.

06 Sep 2019
Breach of the Accountability Obligation by Executive Link Services
A financial penalty of $5,000 was imposed on Executive Link Services for breaches of the PDPA. The organisation failed to appoint a data protection officer and did not have written policies and practices necessary to ensure its compliance with the PDPA.

06 Sep 2019
Breach of the Protection, Retention and Accountability Obligations by O2 Advertising
Directions, including a financial penalty of $10,000, were imposed on O2 Advertising for breaches of the PDPA. The organisation failed to put in place reasonable measures to protect individuals’ personal data collected from an advertising campaign and did not cease retention of such data when it was no longer required. The organisation was also directed to appoint a data protection officer and put in place data protection policies and practices.

For the latest refer to Data Protection Enforcement Cases on the PDPC website.

Related

Skeleton for Cyber/Data Security SOP

*Version 2 – added inputs from Chapter 1 and 5 of Allison Cerra’s The Cybersecurity Playbook. (2019). Wiley, New Jersey, US.

To begin, note that cyber security and data security overlap, but distinctions remain. Data found on a cloud drive or electronic medium comes under both cyber and data security, while data in hardcopy remains under data security only.

SOP (Standard operating procedure) and/or policies can be implemented for different functions and complemented by a general one. And yes, review these SOPs/policies regularly!

General / Data Protection Officer (DPO) / Cyber Security Officer (CSO)

  • DPOs and CSOs should keep abreast of threats or legal judgments
    • In Singapore, this comes from the Personal Data Protection Commission (PDPC) and Singapore Computer Emergency Response Team (SingCERT)
    • Thereafter, they could disseminate selected judgments or trends on a quarterly basis.
    • The cyber threat alerts should be shared as soon as possible to prevent attacks.
    • Generally, DPOs and CSOs should undergo training and/or read up book/magazines on their areas as well. Role modelling is vital!
  • The definition of personal data, based on local laws, must be set down and shared within the organisation; like judgments, it could be communicated from time to time to reinforce a data-secure culture.
  • There should be a vision of what a secure cyber/data landscape looks like.
  • Dependent on senior management support, audits and enforcement would be executed accordingly.
  • Actionable tasks
    • regular changing of secure password e.g. yearly
    • immediate deletion of password reset emails
    • securing passwords e.g. writing them on paper and locking them up, usage of password manager
    • reminding all to ensure emails/accounts are logged off when they leave their workstations or at the end of the day
    • using thumbdrives/flashdrives with encryption
    • encouraging separate thumbdrives/flashdrives for work and personal use
    • encouraging regular virus and malware scans (boot-up: which could detect threats concealed when the computer is running, whole system, specific/targeted e.g. thumbdrives/flashdrives)
    • ensuring timely updates and patches of programmes
    • encrypting documents/data on IT platforms
    • regular backing up of documents/data
    • multiple factor authentication e.g. mobile phone one-time-password (OTP) and password to access email
    • establishing up to date cyber/data training programmes which may be tied to performance indicators
    • ensuring updated IT security systems/platforms
    • ensuring access hygiene (through IT, Legal, and Human Resources) i.e. removing those who no longer need to see/view/edit the data/system (including vendors/temporary staff); specific individuals should be designated to review access rights regularly
    • creating a safe whistleblower programme to pre-empt employees with malicious intent
    • giving reward/recognition to employees who contributed to data/cybersecurity [final 3 points from The Cybersecurity Playbook]

Hardcopy Data

Cyber or Online data

  • Time limits need to be set regarding how long data should be kept
    • An individual worker or officer should be assigned to dispose of it accordingly.

Notes

Cerra works for McAfee, Inc., a computer security software company, as a Senior Vice President. [According to Bloomberg, its headquarters are at 2821 Mission College Blvd, Santa Clara, CA 95054, United States, and it employs 6,210 people. See https://www.bloomberg.com/profile/person/17548903 (accessed 30 Nov 2019)]

Full versus Wholesale Banks – S’pore

Well, simple things like discovering a difference really make my day!

MAS = Monetary Authority of Singapore (Singapore’s central bank); SMEs = small and medium-sized enterprises.

The digital full-bank licence will allow licensees to provide a wide range of financial services and take deposits from retail customers. A digital wholesale bank licence will allow licensees to serve SMEs and other non-retail segments.

Singapore to issue up to five new licences to digital banks. Jamie Lee. (29 Jun 2019). The Business Times, Singapore.

Singapore’s central bank plans to issue up to five digital bank licences to suitable applicants, in a move that could deliver the biggest shake-up in two decades in a market dominated by local banks…

The central bank will also issue up to three digital wholesale bank licences which will be open to both local and foreign players.

Digital wholesale banks will not be allowed to take Singapore deposits from individuals, except for fixed deposits of at least S$250,000 and will be permitted to maintain deposit accounts for corporate and small and medium enterprises.

Singapore to allow virtual banks as part of a move to open up the market. (30 Jun 2019). Reuters via CNBC, US [global headquarters in Englewood Cliffs, New Jersey].

See also:

The Banking Industry and the Major Players in Singapore. (no date / accessed 29 Jul 2019). GuideMeSingapore / Hawksford. 16 Raffles Quay, #32-03 Hong Leong Building, Singapore, 048581.

Business Diversification

In response to the announcement, gaming peripherals brand Razer’s chief strategy officer Limeng Lee said MAS was “forward-looking” in “opening up more financial options to consumers and businesses”. The announcement is timely as Razer has been growing its financial technology business in South-east Asia in recent months, he added. “We will definitely consider applying for the digital bank license and are keen to help spur innovation in Singapore’s financial sector,” Mr Lee said.

A Singtel spokesman said they are “open to exploring the feasibility of such an opportunity and will be reviewing the licensing conditions”.

Singapore to allow digital banks; MAS issuing up to 5 new licences: Tharman. (updated 29 Jun 2019). The Straits Times, Singapore.

The culture in Singapore seems to gravitate towards property investments whenever we have substantial excess cash.

SPH seems to have adopted this culture. It has built up a respectable property portfolio over past decades.

SPH (SGX:T39) – Is This The End for This Blue Chip Stock? Alvin Chow | Date: September 27, 2017. DrWealth. 71 Ayer Rajah Crescent #03-06, Singapore 139951.

The Edge Markets. (June 28, 2017). Why SPH needs to restructure itself. The Fifth Person.

3 Data Protection Judgments – Singapore

For learning and prevention: 3 case studies [v.2 – 1 Aug 2019]

The first government judgment and warning relates to the popular messaging app, WhatsApp. The second judgment and fine involves email. The final judgment and warning concerns website security.

2     One of the many preschools under the Organisation’s management is the Sparkletots @ Kampong Chai Chee centre (the “preschool”). In the course of the year, the preschool would organise various school trips, sometimes with the participation of the parents. In preparation for these trips, the preschool would collect the parents’ personal data (including NRIC numbers) to allow for verification of the parents’ identity on the day of the trip.

3     The present investigations arise from one such school trip. A few days before the trip was scheduled to take place, a teacher at the preschool sent a photograph of a consolidated attendance list to a “WhatsApp” chat group, reminding parents of the upcoming school trip. The attendance list contained personal data relating to the 15 students in that particular class and their parents, and included the contact numbers and NRIC numbers of five of the parents (the “Personal Data”). The “WhatsApp” chat group comprised… parents of students from that class.

4     The teacher who sent the photograph of the attendance list quickly deleted it after being alerted to the disclosure of personal data by one of the parents within the group chat. That same parent later lodged a complaint with the Personal Data Protection Commission (“PDPC”). The PDPC thereafter commenced investigations into the incident…

8     After a review of all the evidence obtained by PDPC during its investigation and for the reasons set out below, I am of the view that the Organisation had failed to make reasonable security arrangements to protect the personal data in its possession and control, and has thereby breached the Protection Obligation under section 24 of the PDPA. This breach is attributable primarily to the Organisation’s lack of specific policies or procedures in place to guide its employees on the use, handling and disclosure of personal data, especially in the context of communicating with parents…

16     To its credit, the Organisation also acted swiftly to address their inadequate policies – a response which, in my assessment, carries mitigating value. The following remedial actions taken by the Organisation have therefore been taken into account:

(a) Immediate suspension of all “WhatsApp” chat groups following the disclosure;

(b) Expedited the implementation of a set of “Social Media Policy / Whatsapp chat group rules” that was already under development when the breach occurred;

(c) Rolled out a suite of other policies across the Organisation including a “Document Retention Policy” and an “Information Security Policy”; and

(d) Undertook the development of a practical employee handbook and conducted refresher training for its employees.

17     Having considered all the relevant factors of the case, I am of the view that these remedial actions have sufficiently addressed the current gap in policies and practices relating to the handling of personal data by the Organisation’s employees. I have therefore decided to issue a warning to the Organisation for breaching its obligations under section 24 of the PDPA, without further directions or imposing a financial penalty.

PAP Community Foundation [2019] SGPDPC6 (CaseNoDP-1807-B2434). Personal Data Protection Commission. (23 Apr 2019). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—PAP-Community-Foundation—230419.pdf. Singapore.

2     On 27 November 2017, the Personal Data Protection Commission (the “Commission”) received notification from the Institute of Singapore Chartered Accountants (“ISCA”) that one of its employees inadvertently sent an email attaching a Microsoft Excel document containing personal data of 1,906 individuals (the “Excel File”) to an unintended recipient (the “Incident”)…

5     On or about 23 November 2017, as part of business operations, 2 ISCA employees (the “First Employee” and the “Second Employee”, collectively the “Employees”) were unable to open the Excel File (stored on ISCA’s internal shared drive) as it appeared to be corrupted. The Employees sought the assistance of ISCA’s IT department. Arising from this, ISCA’s IT Support Specialist sent an email to the System/Network Engineer from the ICT department to recover the Excel File from the backup server, and to send the recovered Excel File to the Employees.

6     On 24 November 2017, the System/Network Engineer created an email to send the recovered Excel File as an attachment to the Employees (the “Subject Email”). As the earlier email from the IT Support Specialist did not include the Employees in the addressee list, the System/Network Engineer had to specifically insert the Employees in the recipient section of the Subject Email. Due to the auto-complete feature in Microsoft Outlook’s email software, the System/Network Engineer inadvertently selected an accounts manager (the “Unintended Recipient”) in a listed telecommunications service provider (“Telco”) instead of the First Employee as they both had the same first name. The Subject Email containing the Excel File was therefore sent to the IT Support Specialist, the Second Employee and the Unintended Recipient. The Excel File was not encrypted with a password…

18     The Commissioner found that ISCA failed to put in place reasonable security arrangements to protect the Subject Data in the Excel File during email transmission for the following reasons:

(a) The volume (1,906 members) and type (data with a higher expectation of confidentiality) of Subject Data in the Excel File warranted direct protection. In this regard, ISCA should have had a policy/SOP that applied to all employees requiring password based encryption for the Excel File in respect of both external and internal emails. This would be a reasonable security arrangement to protect the Subject Data against unauthorised access in the event the Subject Email was sent to any unintended recipient…

23     Having considered all the relevant factors of this case, the Commissioner hereby directs ISCA to do the following:

(a) Within 90 days from the date of the Commissioner’s directions, review its policies and security arrangements in respect of electronic transmission of documents containing personal data; and

(b) Pay a financial penalty of S$6,000.00 within 30 days from the date of the Commissioner’s direction, failing which, interest at the rate specified in the Rules of Court in respect of judgment debts, shall accrue and be payable on the outstanding amount of the financial penalty until the financial penalty is paid in full.

Institute of Singapore Chartered Accountants [2018] SGPDPC 28. Personal Data Protection Commission. (13 Dec 2018). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—Institute-of-Singapore-Chartered-Accountants—131218.pdf. Singapore.

2     On 8 June 2018, the Personal Data Protection Commission (the “Commission”) received a complaint from an individual (the “Complainant”) in relation to the publication of personal data belonging to 50 individuals on the Organisation’s website, http://www.tutorcity.com.sg (the “Website”). Specifically, images of the educational certificates of tutors using the Website were found to be publicly accessible by Internet users (the “Incident”)…

7     As part of the Website’s features, tutors interested in using the Organisation’s matching service are given the option of voluntarily uploading up to three different educational certificates onto the Website. These certificates assisted the Organisation in matching the needs of the student in question to suitable tutors. These certificates were not intended to be made publicly accessible.

8     Notwithstanding this, all uploaded certificates were stored in the /Public_html/ directory (the “Public Directory”) of the Website’s server within a sub-folder, Public_html\tutor\tutor_image (the “Image Directory”). Both directories were not secured with any form of access controls and were accessible by the public so long as the path to the relevant directory was known…

21     In the present case, I am advised that where documents containing personal data have to reside on web servers, folder or directory permissions and access controls are a common and direct way of preventing their unauthorised access by public users and web crawlers. Depending on its circumstances, the Organisation could therefore have implemented any of the following reasonable technical security measures to prevent its Image Directory from being indexed by web crawlers:

(a) First, the Organisation could have placed these documents in a folder of a non-public folder/directory. Access to such documents will then be controlled by the server’s administrator. While this may not be ideal in complex servers with multiple web applications—given that it may not be practicable for the server administrator to control access to all these files—this is not the case for the present Website.

(b) Second, the Organisation could have placed these documents in a folder of a non-public folder or directory, with access to these documents being through web applications on the server. This could be done through PHP scripts. To access the data in the documents, users would have to first log into the web application.

(c) Third, the Organisation could have placed these documents in a sub-folder within the Public Directory but control access to files by creating a .htaccess file within that sub-folder. This .htaccess file may specify the access restrictions (e.g. implement a password requirement or an IP address restriction). An index.html file could also be created within that sub-folder to show a HTML page with no content or a denial of access. Any unauthorised user would then need the specific URL to access a document in the sub-folder. However, given that the Public Directory is the web root directory containing all the content to be displayed on the Website, it should not have overly restrictive access rights. This may pose some challenges for organisations seeking to balance access restrictions to specific documents against retaining accessibility to website content that is intended to be public…

27     I find on the facts above that the Organisation did not make reasonable security arrangements to protect personal data in its possession or under its control against the risk of unauthorised access. The Organisation is therefore in breach of section 24 of the PDPA. I took into account the number of affected individuals, the type of personal data at risk of unauthorised access and the remedial action by the Organisation to prevent recurrence. I have decided to issue a warning to the Organisation for the breach of its obligation under section 24 of the PDPA as neither further directions nor a financial penalty is warranted in this case.

Tutor City [2019] SGPDPC 5 (Case No DP-1806-B2228). Personal Data Protection Commission. (23 Apr 2019). https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision—Tutor-City-230419.pdf. Singapore.
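Option (b) in the decision above, documents kept outside the web root and handed out only by an application after a login check, as an added Python example. This is not the Organisation's code and not part of the decision (which mentions PHP scripts; Python is used here). The directory paths, session tokens, user names, access list and file names are constructed placeholders.

```python
"""Gate documents stored outside the web root behind a login check.

Added example illustrating option (b) of the decision above; it is not the
Organisation's code and not part of the decision. Paths, the session table,
the ACL and the file names are constructed placeholders.
"""
from http import HTTPStatus
from pathlib import Path

# Constructed layout: only WEB_ROOT is served directly by the web server.
# DOC_ROOT sits beside it, not under it, so no URL can reach a document
# without passing through this application code.
WEB_ROOT = Path("/var/www/html")          # hypothetical public directory
DOC_ROOT = Path("/var/www/private_docs")  # hypothetical non-public directory

# Constructed session store (token -> user). A real deployment would use
# server-side sessions with expiry; a dict stands in for that here.
SESSIONS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}

# Constructed access list: which user may read which document.
ACL = {"alice": {"invoice-001.pdf"}, "bob": set()}


class BadDocumentName(ValueError):
    """Raised for names that could escape DOC_ROOT."""


def resolve_document(name: str, doc_root: Path = DOC_ROOT) -> Path:
    """Map a user-supplied file name to a path directly inside doc_root.

    Only a bare file name is accepted: no separators, no '.' or '..',
    nothing empty. The parent check is a second line of defence so that a
    later relaxation of the name rule still cannot escape doc_root.
    """
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        raise BadDocumentName(name)
    candidate = doc_root / name
    if candidate.parent != doc_root:
        raise BadDocumentName(name)
    return candidate


def handle_request(session_token, name):
    """Return the HTTP status the application would send for a request.

    Order matters: authenticate first, then validate the name, then check
    the ACL, so callers who are not logged in learn nothing about which
    names exist.
    """
    user = SESSIONS.get(session_token or "")
    if user is None:
        return HTTPStatus.UNAUTHORIZED        # not logged in
    try:
        resolve_document(name)
    except BadDocumentName:
        return HTTPStatus.NOT_FOUND           # malformed name, treat as absent
    if name not in ACL.get(user, set()):
        return HTTPStatus.FORBIDDEN           # logged in, but not this file
    return HTTPStatus.OK


def read_document(session_token, name) -> bytes:
    """Read the file only after handle_request has approved the request."""
    status = handle_request(session_token, name)
    if status != HTTPStatus.OK:
        raise PermissionError(f"{status.value} {status.phrase}")
    return resolve_document(name).read_bytes()
```

The point this makes about options (a) to (c): with the documents outside the web root, the web server has nothing to serve by URL, so every read goes through `handle_request`, and the access decision lives in one auditable place. Option (c) instead relies on the sub-folder URL staying unknown, which the decision itself notes when it says an unauthorised user "would then need the specific URL".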

Related

…The absence of a second layer of basic checks “amounted to extremely weak internal work process controls (that) fell far short of the standard of protection required for such sensitive personal data”, said PDPC deputy commissioner Yeong Zee Kin in a decision paper issued on Wednesday…

In its advisory guidelines, PDPC had recommended that paper containing personal information be shredded into small pieces and not dumped in unsecured bins.

Similarly, personal data stored on electronic media such as computer hard disks, USB drives or DVDs must be erased using specialised software to avoid accidental data leaks.

Aviva fined $6,000 for data breach. Irene Tham. (Oct 13, 2017). https://www.straitstimes.com/tech/aviva-fined-6000-for-data-breach. The Straits Times. Singapore.

Aviva’s most recent offence involved sending four underwriting letters meant for four different people to a single person, all contained in one envelope. The letters contained clients’ full names, addresses, policy details, and sums assured.

“[Aviva] failed to conduct a more thorough review of its internal departments… that are subject to the same vulnerabilities and risk similar failures as the prior incident,” PDPC said…

Meanwhile, AIG had printed a wrong fax number, which was actually that of Japanese products retailer Tokyu Hands, on 125 policy letters. PDPC said that AIG policyholders could have mistakenly sent their personal data to Tokyu Hands due to the misprint.

Singapore’s privacy watchdog fines three insurers for data breaches. Gabriel Olano. (5 May 2018). https://www.insurancebusinessmag.com/asia/news/breaking-news/singapores-privacy-watchdog-fines-three-insurers-for-data-breaches-99807.aspx. Insurance Business Asia.

Flaws: Confidence Interval and P-value

Confidence Interval Problem

A type II error is a statistical term used within the context of hypothesis testing that describes the error that occurs when one fails to reject a null hypothesis that is actually false. In other words, it produces a false positive… A type II error is sometimes called a beta error.

A type II error can be reduced by making more stringent criteria for rejecting a null hypothesis. For instance, if an analyst is considering anything that falls within a +/- 95% confidence interval as statistically significant, by increasing that tolerance to +/- 99% you reduce the chances of a false positive. However, doing so at the same time increases your chances of encountering a type I error. When conducting a hypothesis test, the probability or risks of making a type I error or type II error should be considered…

The difference between a type II error and a type I error is that a type I error rejects the null hypothesis when it is true (a false negative). The probability of committing a type I error is equal to the level of significance that was set for the hypothesis test. Therefore, if the level of significance is 0.05, there is a 5% chance a type I error may occur.

The probability of committing a type II error is equal to 1 minus the power of the test, also known as beta. The power of the test could be increased by increasing the sample size, which decreases the risk of committing a type II error.

Adam Hayes. (Apr 19, 2019). Type II Error. https://www.investopedia.com/terms/t/type-ii-error.asp. Canada/US. [Investopedia is part of the Dotdash publishing family and operates under CEO Neil Vogel and the rest of the Dotdash Senior Management Team.]

P-value Difficulty

…Texas A&M University professor Valen Johnson, writing in the prestigious journal Proceedings of the National Academy of Sciences, argues that p less than .05 is far too weak a standard.

Using .05 is, he contends, a key reason why false claims are published and many published results fail to replicate. He advocates requiring .005 or even .001 as the criterion for statistical significance.

The p value is at the heart of the most common approach to data analysis – null hypothesis significance testing (NHST). Think of NHST as a waltz with three steps…

Most researchers don’t appreciate that p is highly unreliable. Repeat your experiment and you’ll get a p value that could be extremely different. Even more surprisingly, p is highly unreliable even for very large samples…

…there’s a price to pay for demanding stronger evidence. In typical cases, we’d need to roughly double our sample sizes to still have a reasonable chance of finding true effects. Using larger samples would indeed be highly desirable, but sometimes that’s simply not possible…

…The core problem is that NHST panders to our yearning for certainty by presenting the world as black or white — an effect is statistically significant or not; it exists or it doesn’t. In fact our world is many shades of grey — I won’t pretend to know how many. We need something more nuanced than NHST, and fortunately there are good alternatives.

Bayesian techniques are highly promising and becoming widely used. Most readily available and already widely used is estimation based on confidence intervals.

A confidence interval gives us the best estimate of the true effect, and also indicates the extent of uncertainty in our results. Confidence intervals are also what we need to use meta-analysis, which allows us to integrate results from a number of experiments that investigate the same issue.

We often need to make clear decisions — whether or not to licence the new drug, for example — but NHST provides a poor basis for such decisions. It’s far better to use the integration of all available evidence to guide decisions, and estimation and meta-analysis provides that…

Geoff Cumming. (November 12, 2013). The problem with p values: how significant are they, really? https://theconversation.com/the-problem-with-p-values-how-significant-are-they-really-20029. The Conversation Media Group, Level 1, 715 Swanston Street, Parkville, VIC 3010, Australia.
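Two claims above can be checked with a few lines of arithmetic: the Investopedia passage on type I and type II errors (a stricter significance level trades one for the other, and a larger sample raises power), and Cumming's remark that demanding stronger evidence means roughly doubling the sample size. The following added Python example is not from either source. It assumes a two-sided one-sample z-test of a mean with known standard deviation; the effect size, standard deviation and sample sizes are constructed numbers.

```python
"""Type I / type II error rates, power and required sample size for a
two-sided one-sample z-test.

Added example, not from Investopedia or The Conversation. It assumes the
population standard deviation sigma is known (the z-test case); the
numbers used in the docstrings and defaults are constructed.
"""
from statistics import NormalDist

STD_NORMAL = NormalDist()  # mean 0, standard deviation 1


def critical_z(alpha: float) -> float:
    """Two-sided critical value: reject H0 when |z| exceeds this."""
    return STD_NORMAL.inv_cdf(1 - alpha / 2)


def power(true_shift: float, sigma: float, n: int, alpha: float = 0.05) -> float:
    """Probability of rejecting H0 when the true mean differs by true_shift.

    Under that alternative the z statistic is normal with mean
    true_shift * sqrt(n) / sigma and standard deviation 1, so the power is
    the mass of that distribution outside +/- critical_z(alpha).
    """
    zc = critical_z(alpha)
    ncp = true_shift * n ** 0.5 / sigma      # non-centrality of the z statistic
    upper_tail = 1 - STD_NORMAL.cdf(zc - ncp)
    lower_tail = STD_NORMAL.cdf(-zc - ncp)
    return upper_tail + lower_tail


def type_i_error(alpha: float = 0.05) -> float:
    """Rejection probability when H0 is true (true_shift = 0): equals alpha."""
    return power(0.0, 1.0, 1, alpha)


def type_ii_error(true_shift: float, sigma: float, n: int, alpha: float = 0.05) -> float:
    """beta = 1 - power: the chance of missing a real effect of true_shift."""
    return 1 - power(true_shift, sigma, n, alpha)


def required_n(true_shift: float, sigma: float, target_power: float = 0.8,
               alpha: float = 0.05, max_n: int = 100_000):
    """Smallest n whose power reaches target_power, or None if none below max_n."""
    for n in range(1, max_n + 1):
        if power(true_shift, sigma, n, alpha) >= target_power:
            return n
    return None


if __name__ == "__main__":
    # Constructed scenario: a shift of 0.2 standard deviations.
    for n in (25, 100, 400):
        print(f"n={n:4d}  power={power(0.2, 1.0, n):.3f}  "
              f"beta={type_ii_error(0.2, 1.0, n):.3f}")
    n_05 = required_n(0.2, 1.0, alpha=0.05)
    n_005 = required_n(0.2, 1.0, alpha=0.005)
    print(f"n for 80% power: alpha=0.05 -> {n_05}, alpha=0.005 -> {n_005}")
```

Running the script shows the trade-off the passages describe: at a fixed sample size, moving from alpha=0.05 to alpha=0.01 lowers the type I rate but raises beta, and for a 0.2-standard-deviation effect the sample needed for 80% power grows from about 200 to about 330 when the threshold is tightened to 0.005, in line with Cumming's "roughly double".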

Related

Stats: Confidence Interval & P-value (Definitions)

I begin this particular journey after reading parts of Statistics Done Wrong: The Woefully Complete Guide by Alex Reinhart (2015). It was interesting but too tough, so I sought out other books.

You can probably infer from my earlier post that I chanced upon Statistics 101 by David Borman. One key idea I tried to understand was this:

Reinhart advises users of statistics to replace point estimates (p values) with confidence intervals (estimates of uncertainty).

This is because Reinhart felt: “misinterpreted p values cause numerous false positives.”

Gord Doctorow. (22 May 2015). Statistics Done Wrong: The Woefully Complete Guide. https://boingboing.net/2015/05/22/statistics-done-wrong-the-woe.html.

At my second or third reading of Borman, I gained more insight, yet it was far from enough so I did even more research. The below is my attempt at comprehending these two terms.

Confidence Interval

A Confidence Interval is a range of values we are fairly sure our true value lies in.

Confidence Intervals. (no date). https://www.mathsisfun.com/data/confidence-interval.html. MathsisFun.

The value from the sample (the specific term is statistic) can relate to a population parameter such as the mean (average) or relative frequency. Some suggest that the “ultimate goal of the field of statistics is to estimate a population parameter by use of sample statistics.” [Courtney Taylor. (24 Jun 2019). Learn the Difference Between a Parameter and a Statistic. ThoughtCo.]

Let’s consider the mean height of trees in Country A. If the sample achieves a 99% confidence interval, it means 99% of the data matches with the entire population. [99% of the data comes within 3 standard deviations under the bell curve/normal distribution; for 95% it is 2 standard deviations. Borman, p. 129.]

P-value Definition (with other definitions for clarity)

Hypothesis: A statement that might be true, which can then be tested.

Chi-Square Test. (no date). https://www.mathsisfun.com/data/chi-square-test.html. MathsisFun.

A p-value is

  • “the level of marginal significance within a statistical hypothesis test representing the probability of the occurrence of a given event.”
  • “an alternative to rejection points to provide the smallest level of significance at which the null hypothesis would be rejected. A smaller p-value means that there is stronger evidence in favor of the alternative hypothesis.”
  • “calculated using p-value tables or spreadsheet/statistical software.”

Brian Beers. (26 Apr 2019). P-Value Definition. https://www.investopedia.com/terms/p/p-value.asp.

Applying the P-value

Because different researchers use different levels of significance when examining a question, a reader may sometimes have difficulty comparing results from two different tests…

The p-value approach to hypothesis testing uses the calculated probability to determine whether there is evidence to reject the null hypothesis. The null hypothesis, also known as the conjecture, is the initial claim about a population of statistics.

The alternative hypothesis states whether the population parameter differs from the value of the population parameter stated in the conjecture. In practice, the p-value, or critical value, is stated in advance to determine the required value to reject the null hypothesis.

Brian Beers. (26 Apr 2019). P-Value Definition. https://www.investopedia.com/terms/p/p-value.asp.

How small of a p-value do we need in order to reject the null hypothesis? The answer to this is, “It depends.” A common rule of thumb is that the p-value must be less than or equal to 0.05, but there is nothing universal about this value.

Courtney Taylor. (18 May 2017). What Is a P-Value? https://www.thoughtco.com/what-is-a-p-value-3126392.

Why p<0.05?

It is just a choice! Using p<0.05 is common, but we could have chosen p<0.01 to be even more sure…

Chi-Square Test. (no date). https://www.mathsisfun.com/data/chi-square-test.html. MathsisFun.

The null hypothesis states a commonly held belief or premise which the researcher tests to see if they can reject it. The key point to grasp is that the researcher wants to always reject the null hypothesis and the P-test aids them in achieving this goal. Another point to note is that if the P-test fails to reject the null hypothesis then the test is deemed to be inconclusive and is in no way meant to be an affirmation of the null hypothesis.

Akhilesh Ganti. (1 Jun 2019). P-test. https://www.investopedia.com/terms/p/p-test.asp.

Example of P-value Testing

Assume an investor claims that their investment portfolio’s performance is equivalent to that of the Standard & Poor’s (S&P) 500 Index. In order to determine this, the investor conducts a two-tailed test. The null hypothesis states that the portfolio’s returns are equivalent to the S&P 500’s returns over a specified period, while the alternative hypothesis states that the portfolio’s returns and the S&P 500’s returns are not equivalent. If the investor conducted a one-tailed test, the alternative hypothesis would state that the portfolio’s returns are either less than or greater than the S&P 500’s returns.

One commonly used p-value is 0.05. If the investor concludes that the p-value is less than 0.05, there is strong evidence against the null hypothesis. As a result, the investor would reject the null hypothesis and accept the alternative hypothesis.

Conversely, if the p-value is greater than 0.05, that indicates that there is weak evidence against the conjecture, so the investor would fail to reject the null hypothesis. If the investor finds that the p-value is 0.001, there is strong evidence against the null hypothesis, and the portfolio’s returns and the S&P 500’s returns may not be equivalent.

Brian Beers. (26 Apr 2019). P-Value Definition. https://www.investopedia.com/terms/p/p-value.asp.
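The Investopedia scenario above, the portfolio against the S&P 500, worked through in numbers as an added Python example (not Investopedia's code). The monthly return differences are constructed, and the normal approximation is used for the test statistic; with only a handful of observations a practitioner would use a t-test instead. The example also shows the link between the two tools discussed on this page: the 95% confidence interval excludes zero exactly when the two-tailed p-value is below 0.05.

```python
"""Two-tailed test and confidence interval for 'portfolio matches the index'.

Added worked example for the Investopedia scenario above; it is not from
Investopedia. The monthly return differences are constructed, and the normal
approximation is used (a t-test is preferable with few observations).
"""
from statistics import NormalDist, mean, stdev

STD_NORMAL = NormalDist()

# Constructed data: portfolio return minus index return, in percentage
# points, one value per month. H0: the mean difference is 0 (equivalent).
DIFFS_NO_EDGE = [0.5, -0.5] * 10      # portfolio tracks the index
DIFFS_WITH_EDGE = [1.5, 0.5] * 10     # portfolio beats the index by about 1 pt


def z_test_two_tailed(diffs):
    """Return (mean, standard error, z, two-sided p) for H0: mean == 0."""
    n = len(diffs)
    if n < 2:
        raise ValueError("need at least two observations")
    m = mean(diffs)
    se = stdev(diffs) / n ** 0.5
    if se == 0:
        raise ValueError("no variation in the data; z is undefined")
    z = m / se
    # Two-tailed: probability under H0 of a |z| at least this large.
    p = 2 * (1 - STD_NORMAL.cdf(abs(z)))
    return m, se, z, p


def confidence_interval(diffs, level=0.95):
    """Interval for the true mean difference at the given confidence level."""
    m, se, _, _ = z_test_two_tailed(diffs)
    zc = STD_NORMAL.inv_cdf(1 - (1 - level) / 2)   # 1.96 for 95%
    return m - zc * se, m + zc * se


def decide(p, alpha=0.05):
    """The investor's decision rule as stated in the example."""
    return "reject H0" if p < alpha else "fail to reject H0"


def ci_agrees_with_test(diffs, alpha=0.05):
    """The (1 - alpha) interval excludes 0 exactly when p < alpha."""
    lo, hi = confidence_interval(diffs, 1 - alpha)
    _, _, _, p = z_test_two_tailed(diffs)
    return (lo > 0 or hi < 0) == (p < alpha)


if __name__ == "__main__":
    for label, diffs in (("tracking", DIFFS_NO_EDGE), ("edge", DIFFS_WITH_EDGE)):
        m, se, z, p = z_test_two_tailed(diffs)
        lo, hi = confidence_interval(diffs)
        print(f"{label:9s} mean={m:+.3f} se={se:.3f} z={z:+.2f} "
              f"p={p:.4f} 95% CI=({lo:+.3f}, {hi:+.3f}) -> {decide(p)}")
```

For the constructed "tracking" series the mean difference is exactly 0, so z is 0 and p is 1: no evidence against the conjecture, and the interval straddles 0. For the "edge" series the interval is roughly (0.78, 1.22) percentage points, p is far below 0.001, and the investor would reject H0; the interval also tells them how large the edge plausibly is, which the p-value alone does not.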

Other views on Reinhart’s book