So we're gonna do something a little bit different this time. See, the next episode is episode 50 and I feel like that's a pretty big milestone since most podcasts don't even make it past number 20. So I thought why not go back to my very first episode and redo that one. Just, use the same notes, use the same transcript, same everything, but just do it again now after everything I've learned and all the techniques I've improved and my equipment that's changed. I mean that one was actually recorded in a walk-in closet with my head under a blanket. Now I'm in a fairly well treated room and using pro-grade definitely not professional mics but pretty good. So I hope you enjoy. Here's episode 1, Secure and Private is a Process Not a Destination, the Redux.

Okay, I know what you're thinking: I changed my Gmail password. I don't use Internet Explorer. I use an ad blocker. Anything else is a hassle. And, to an extent, you're right: attempts at security and privacy CAN go overboard and be a hassle but with good intent. Still, after all, there IS an upper limit on the hassle security policies place on users before said users simply stop using the app. (I mean, if you had to manually type in a 20 character password every time you wanted to open your email account on your phone... would you even use it?) So let's look at some best practices in security and privacy in general but also a couple considerations specific to those of us in higher education, like the need to jump on a campus VPN when working remote. I'd like to preface this by saying I'm not a security expert and these are very general suggestions and observations that I've made... so, much like starting a new workout routine or diet, consult with your IT staff for any peculiarities particular to your institution. There is much, much more you can do to protect yourself in the new digital landscape like using sandboxed

Privacy, first.
There's a pretty heavy overlap between internet security and privacy best practices because a breach of one can so often come from laxness in the other. Here's a good example: know those Security Check questions you see on websites (cough... like banks)? How about "Name of your first pet?" or "Mother's maiden name?" For folks with a fairly open digital lifestyle, these aren't really all that secure. One nostalgic blog post or Instagram photo could reveal that info to anyone willing to do just a teensy bit of digging. Instead of locking down your freedom to share these aspects of your life online just think about untrue but memorable answers to those questions (or better yet, make them actual passwords using a manager, which we'll talk about in just a second). It's hard to be TNP and still have high levels of privacy, especially online. Faculty are inherently semi-public figures in that we work with large numbers of people, we publish or otherwise disseminate work that we're doing and strive for attribution. This podcast is proof of concept, basically. We like getting our names out there. Some professors are even true public figures and household names. The more public we are or want to be, the more we have to deal with, in some part, a loss of privacy. I'm not suggesting this is a loss of SECURITY, which we'll come to shortly.

First things first: use a Virtual Private Network or VPN. A VPN is used to obfuscate you and your data online, essentially. A good VPN will encrypt all the data going to and from your machine, it will hide your IP (the personally identifiable address you have on the internet), it will keep no logs of your activity, and will provide you with worldwide access at speed. (Sidenote: it can also prevent you from using Netflix because of their own anti-proxy policies, so you'd need to turn it off to watch Orange is the New Black. That's that hassle I mentioned.) 
Two of the most popular commercial VPNs are PrivateInternetAccess (often abbreviated as PIA) or NordVPN, both good options you'll need to pay for but they're the price of a cheap beer when you purchase them on a yearly basis. Granted, you can roll your own for free but it's far from plug-and-play and I'll put directions for doing that in the show notes. While using these VPNs it's possible that you won't be able to connect to your university's VPN (for those who have to log in when off-campus to see their student-information system, for example, this can be a problem). A solution I've found is to use the VPN at the router-level so your entire network routes through it. This way, on a device-level you can still log into the VPN at school and get your work done if need be. Of course, you might have to flash custom firmware on your router and even then your mileage may vary on that, so check with your IT folks. Here's one thing that you might run into: You start using a VPN at home and the fastest, closest exit node is, say, in a different state. Now where you WERE logging into your email from your actual location, now all of a sudden you're in a different state. Ding ding, red flag at IT and you find yourself locked out of your account and of course this always happens when you're about to submit grades or something. So I repeat: have a chat with your IT folks and see if you can get whitelisted for that particular flag if you're worried about it. On to social media: Some have argued for and against faculty using social media. It would be hard for someone in my field, Educational Technology, to be anti-social media (and I'm not) but there are some basic steps you can take to protect yourself. If you're posting online don't check-in when you're out somewhere and especially don't check-in at your own residence. If you want to be totally skeeved out, take a look at pleaserobme.com (which has been "turned off," as it were, and converted into a privacy checker but... 
well, just go take a look. Link in the show notes) http://pleaserobme.com/ You might even want to consider having separate personal and public accounts for services like Twitter and Instagram (if that's your thing). Facebook you can at least just make a public Page.

How about apps and services that help protect your privacy? For calls (and we're getting into that overlap with security again) maybe snag a Google Voice number if you want to put your phone number on documents like syllabi. For Pick something with end-to-end encryption. (That means only you and the person you're talking to can see what you're saying -- unless someone physically picks up your device or looks over your shoulder but... you'll have to deal with that intrusion on your own.) If you're serious about it, go with Signal from Open Whisper Systems. Even staffers in the Senate have been approved to use it now. Even better, combine it with a custom Google Voice number. If you're a bit more casual but still want to reap the benefits of that encryption, go with WhatsApp. And yes, Facebook bought it, but the encryption is still fine.

Now, let's say you want to step up your game a little bit and not just encrypt your text messages and calls. That brings us to PGP, a method of securely sending messages and files. If you know a bit about this already, you're probably chuckling to yourself. And you'd be right to: there's really no super friendly way to use PGP that straddles the line between usability and security. The closest thing I know of is Keybase which, according to their website, "helps you perform cryptographically-secure operations with people you know on the internet." And yes, I'll put the link to it in the show notes, too.

All this reminds me of that little flow chart you may have seen bouncing around the interwebs a while back. It was a very simple guide to determining "Is my information private?" It had one fork at the question, "Did you put it on the internet?" 
If the answer was yes, then no, it wasn't private. If the answer was no, the answer was humorously still not 'yes' but 'probably.' And that... is not wrong.

Security

As I said, there's overlap between security and privacy. For example, the reason you concern yourself with security is to maintain your privacy and safety. Here I just want to focus on the security in-and-of itself, not necessarily what's being protected by that security.

Using a password service to make that "You have to change your password" issue a little less annoying

There's no shortage of these, like 1Password and LastPass, which have the double-edged sword of being accessible online. If you want to crank up the security level a bit beyond that, go for something like KeePass and sync your vault between computers (though you won't be able to access them on the web). According to Pew Research a measly 12% of internet users in 2016 used a password manager and two-thirds rely on memorizing their passwords. And while some have argued that physically writing down a password and keeping it at your desk is more secure than having them online, I'd like to point out that it just takes one poorly-aimed selfie to make that info public knowledge. Jus' sayin'.

Picking good passwords

Any fan of XKCD will know the "correct horse battery staple"

And no, there is no way around it, so just get used to it

By the way, did you see the VCU's iris scanning? Source

Encrypt your hard drives

For Windows, use the built-in BitLocker encryption. If you're looking to encrypt other than a full disk, skip TrueCrypt as it's no longer viable and try VeraCrypt. (Link in the show notes) For Macs (and please correct me if there's a better alternative out there), there's FileVault 2. 
(And again, links are in the show notes)

Pick a good antivirus package (though, these days, you're more likely to get hit with malware like WannaCry than you are an old-fashioned virus, so investing in active protection like Anti-MalwareBytes is beneficial)

Your university probably has one with a campus license that allows you to install it on all your machines. If they do, great, go for it. If they don't, there are any number of free AVs out there. LifeHacker does a fairly frequent round-up of these so I'll stick the link to that in the show notes. Spoiler alert: it's Avira and Sophos for PC and Mac, respectively. Having MalwareBytes installed, even the free version, is good, too. But please, whatever you do (especially if you're on a Windows machine), update your software and OS whenever it asks you to. A little bit of hassle now saves a lot of pain later as anyone hit by the WannaCry ransomware will tell you. Oh, and if you're wondering about encryption, privacy, and cloud storage... that's another show.

How university policies can impact these

As I've said, university policies can throw a wrench in what would otherwise be fairly normal security measures. Likewise, to some, the policies they do enforce might seem overly ambitious or even downright draconian. Many universities have begun requiring--not just allowing--for two-factor or two-step authentication. Note that there is a difference between these two! Two-step is what most people think of when they hear either of the terms. It's like the one-time code you use to log into Gmail after entering your password. Two- or multi-factor authentication requires two different TYPES of authentication, like a password and a physical key or biometric data. Either way, enable it if it's an option. Likewise, the on-campus requirement for some systems can be problematic, as I mentioned. It's worth noting that not all VPNs are created equal. 
The VPN you sign onto in order to access those systems, while still called a VPN, is not made with the same intent as the commercial or personal VPN you use at home for anonymity, encryption, and safety. The one at the University is made to cover their butts and by extension, yours. If it feels like your university is lagging behind in some of these areas it might be worth asking why. Then fire up that VPN you're paying for. After all, you're likely not just dealing with your own data, but that of your students and colleagues, as well. So while all this might seem overwhelming, it really boils down to just a few changes in your digital muscle memory. Might hurt a bit at first but the hassle is nothing compared to the trouble you could find yourself in, otherwise. For more information on security, privacy, digital civil liberties, and more, visit the Electronic Frontier Foundation at eff.org. So there it is, the very first episode that I ever did for the podcast aside from that little teaser trailer I did as episode zero. So remember some of the stuff you heard in that is maybe a little outdated or maybe just not relevant anymore but I wanted to do exactly what I had in my notes so you can compare them if you want. S'up to you. Next time is the 50th episode, like I said, and I think we're going to do an episode on milestones. Should be fun. As always, thank you for listening to this little podcast-thing of mine AND ALSO happy 2020! If you found it entertaining or informative or useful, please do subscribe and rate it on the podcatcher of your choice, whether that's iTunes, Stitcher, Google Play, Spotify, or however you listen. And, as usual, I'd love to hear from you. You can find me on Twitter at newprofcast. Show notes, transcripts, and more can be found on the website at thenewprofessor.com. Until next time.