June 18th, 2017 | Tin Foil Hat Time
Schools are pushing online resources, email addresses, and computers on kids in their districts at a higher rate than ever, but only a few actually teach anything about online security. I was pleased to find there are some decent starting-point educational resources provided by the government, but reading through them showed they are inadequate for the modern-day security risks facing today's students. Herein, we will look at the issue and hope to address the problem with some advice.
Companies are pushing out free and low-cost online educational resources for students. It is my contention the real purpose is not to increase education as much as it is to build online profiles on students through data collection. Such data can be used to evaluate how brand loyalties change and adapt over time and in response to both predicted and coerced stimuli. I address these issues in my video Spying On Students Through Technology, so I will not recount those details here.
In addition to being required to sign up with big data collection companies like Google or Microsoft, students are often issued Chromebooks or other lower-end laptops they are required to use in the classroom and at home to complete their homework and other school-related tasks. But though students are issued computers and accounts, the default passwords are often social security numbers or birth dates. In a few cases, those passwords cannot be changed!
The problem is intensified further by the requirement or recommendation to use third-party websites and applications where the student is encouraged to sign up for access or required to accept cookies. As a result, students encounter constant encouragement to use online services and locked school computers, and they are even forced to use services by companies that are known to collect user data and create online profiles for sale to advertisers.
The challenge is that all these online tools and issued devices are often provided without any initial or ongoing training about the security risks or the personal risks of using such technologies. We are in a glorious time of great technological advances and we need to embrace these technologies, but we have to be aware of the risks the technologies bring to the table. We need to learn about what we fill out and what we don’t; what services we use, which ones we don’t, and which ones to use as a wallflower. We need to learn about the advantages and disadvantages of certain types of computer devices. And oftentimes schools are not providing any education on any of these technologies.
The devices we use to access educational materials merit some discussion. We could access a website from our own computer, a school-issued computer, a school computer, or a personal mobile device. The safest of these is always a personally owned computer because you can control ad networks and tracking much better on your personal computer. School-issued computers often do not have administrative access to perform the extra security checks, and while I am not versed in Chromebook, I am 99 percent confident I can’t access the hosts file on those either. Mobile devices are also locked down in ways that keep you from preventing personal data collection, and while they can be reasonably secure, I would still use my own personal computer so I can lock out some websites and cookies from data tracking.
The consideration here is to prioritize the device you use for educational tasks. Personally, I would use a personally owned computer before I would use a school-owned computer. Make sure you lock out sites you do not want to use, like facebook.com, through the hosts file. See the How-To Geek article on editing your hosts file on the different operating systems.
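As an added illustration (not from the original article), the following Python sketch builds the hosts-file lines that block a site and skips names that are already blocked. The helper names, the `0.0.0.0` sink address and the sample hosts text are assumptions made for this example.

```python
BLOCK_IP = "0.0.0.0"  # assumed sink address; 127.0.0.1 is also commonly used
SINKS = ("0.0.0.0", "127.0.0.1", "::1")

def blocked_names(hosts_text):
    """Return the hostnames already mapped to a sink address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in SINKS:
            names.update(name.lower() for name in fields[1:])
    return names

def add_blocks(hosts_text, domains):
    """Return hosts_text plus one block line per missing name (bare and www. form)."""
    present = blocked_names(hosts_text)
    wanted = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if d.startswith("www."):
            d = d[4:]
        for name in (d, "www." + d):
            if name not in present and name not in wanted:
                wanted.append(name)
    if not wanted:
        return hosts_text  # nothing to add, leave the file untouched
    out = hosts_text if hosts_text.endswith("\n") or not hosts_text else hosts_text + "\n"
    return out + "".join(f"{BLOCK_IP} {name}\n" for name in wanted)

# Constructed sample hosts file: www.facebook.com was blocked earlier.
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 www.facebook.com  # added earlier\n"

if __name__ == "__main__":
    print(add_blocks(SAMPLE_HOSTS, ["facebook.com"]), end="")
```

The hosts file matches exact names only, so every subdomain you want blocked needs its own line, and writing the result back to the real file requires administrator rights.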
We will discuss passwords next because devices and online accounts should be locked by a password. It is true too many passwords are required in our modern world and as a result, password managers have become widely promoted products. We all need to determine a password management system that works for us, and students are no exception. Let's consider all these issues:
A good password is too complicated to be guessed and does not consist of palindromes, existing words, or personal information. Eight to ten characters is a good length, and it should have uppercase and lowercase characters, numbers, and special characters. If you can develop a system that works for you allowing some degree of memorization, kudos to you! I can remember the most common complicated passwords I have created, but not all of them.
Tools exist to help you create or remember passwords, but I personally prefer my own method for password creation. It is very important that every account you have has a unique password. One method is to use a common semi-randomized base, then attach something you could remember from each application to that. The reason you want every password unique is that if one account is hacked, the password could be applied to every account you own. If the passwords are different, a hacker cannot get into your other accounts. Though it may be possible to figure out a scheme if you use one, it would be very uncommon unless you are directly targeted, because password account hacking is an automated process. For this reason, you should also not use the exact same email for every account. That is difficult to do if you are using Gmail, Hotmail, etc., but if you have your own domain, you can set up an email for each service and then forward all of them to a central address you check.
It will invariably be impossible to manage all your passwords without an aid. The worst thing you can do is keep a password list in the clear on an internet-connected computer. If you do keep a password list in a text file or spreadsheet, it should be on an encrypted computer that is only on when you are using it. I store my password lists on an encrypted banking computer that is only used to check banking accounts.
You could also use a password manager, but you should never use an online manager. This presents too many risks. First, your passwords are online on a separate company's servers, so they own your data. While most of them encrypt the data, I will not trust any company to have access to the passwords for all of my online accounts, under any circumstance. You can get excellent offline managers, better known as local account managers, and many of them will allow you to export the data to be imported across other platforms. You should find a solution for each device. You will not need all of your passwords on all of your devices, so think about what passwords should be on which devices and distribute your passwords accordingly.
Now to consider the applications students are often required to use for educational purposes. These will consist of required applications like email accounts and learning management solutions. The optional ones will likely be the sites offering articles, homework practice, or ‘educational games’. We will look at each of these groups.
The educational services market is getting fierce. Google is still the dominant company in the marketplace, but Microsoft is gaining some ground. These services are being provided free or at low cost to the district, but it is my contention the reason is the companies want to collect student data. Regardless, the schools frequently require the use of these accounts, so my advice is to not stay logged into this account when you do not need it, and do not use the account for anything that is not directly related to school. It is best if you have a dedicated computer for this account, but that is not always possible. Alternatively, you can create a separate user account for your school work and a separate one for your personal computer use.
Once you have established the computer you will use for your school account, make sure you pick a good password and keep it in your password management system. Use a different account for all of your services. Also, many accounts will want to use two-factor authentication. This is good for security, but never tie that authentication to a phone number. Phones have become a hacking target and it is easy for an identity thief to get a phone in your name. The best case is to tie your account to a Yubico key because this is a physical device. If that will not work, tie it into a separate email address, but NOT your primary personal address because this will allow the account to tie your school account to your personal account and that would defeat the purpose of this extra account.
The optional services will be sites where you need to create an account to use them, and many are free. For the ones where you need to create an account, you should tie it to the school account. If it is school related, always use that school account. But when you create the account, only ever fill in the required information. An optional educational service should never need your name, address, or other personal information. Only give an email address if it is absolutely required.
The free services will come in two varieties. First, you will encounter academic resources hosted by colleges. These will have a .edu ending in their URL, and they will be the safest online resources to use. Generally, they will not have any data tracking and are paid for by the university so they are not trying to sell advertising or other weird products.
The second variety of free services are those distributed by groups looking to either push advertising or collect data. I generally find these sites to be the worst because they will be collecting data both directly through sign-in forms and by loading down the computer with tracking cookies and advertising network cookies. Such sites collect data about you as you navigate to other places on the web.
The core of our security is how you interact with the web on a regular basis. We will receive emails, texts, and random popup forms.
Often when you give your email address to these companies offering free services, which can include social media, your email is sold to other people to use for marketing. As a result, you will be inundated with emails you never wanted to receive. If any of these are determined to be legitimate, you should unsubscribe. The problem here is you cannot always tell. Just because an email or text says it is from Facebook, it does not mean that it is. A phishing attack is when a scammer makes up an email to look legitimate, and the link in it lands you on what appears to be a login page. That page, however, is really just a form designed to steal your login. Never, under any circumstance, should you click on a link in an email or text and then fill out a login page you land on. Always go directly to the site, verify you are on the correct site, and log in from there.
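To show why a familiar name appearing somewhere in a link proves nothing, here is an added Python example (not part of the original article) that extracts the host a browser would actually contact and checks it against the site you meant to visit. The function names and the sample links, which use the reserved `.example` domain, are constructed for this illustration.

```python
from urllib.parse import urlsplit

def link_host(url):
    """Host the browser would connect to, lowercased; '' if the text has none."""
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:  # malformed link
        return ""
    return host.rstrip(".")

def belongs_to(url, expected_domain):
    """True only if the host is expected_domain itself or a subdomain of it."""
    host = link_host(url)
    expected = expected_domain.lower().rstrip(".")
    # The leading dot matters: without it, "notfacebook.com" would pass.
    return host == expected or host.endswith("." + expected)

# Constructed sample links of the kind found in email bodies.
SAMPLE_LINKS = [
    "https://www.facebook.com/login",                    # genuine host
    "https://facebook.com.account-check.example/login",  # real name used as a subdomain label
    "https://facebook.com@login.example/",               # real name placed in the userinfo part
]

def review(links, expected_domain):
    """Pair each link's true host with whether it belongs to expected_domain."""
    return [(link_host(u), belongs_to(u, expected_domain)) for u in links]

if __name__ == "__main__":
    for host, ok in review(SAMPLE_LINKS, "facebook.com"):
        print(f"{host:40} {'matches' if ok else 'DOES NOT MATCH'}")
```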
Popups are the bane of the internet. Though many browsers are now designed to block extra windows from popping up, most popups now are CSS-mediated and popup blockers do not block them. A basic tip is to never fill out the information on that popup form. Just because a form shows up on your screen, that does not mean you need to fill it out. Be wise and never give any information to anyone unless it is completely intentional and absolutely required.
There is so much more that can be said about this topic but that will have to do for now. Check out other videos on this site to learn more about protecting yourself online.