Your Personal Password Plan

A few days ago, Yahoo’s revelation of a suspected 2014 security breach generated enough media coverage to give us a much-needed respite from the presidential campaign. Some articles simply recycled the same old password-resetting advice, some boldly predicted apocalypse, and some entertained us with CYA pieces from within Yahoo.

Leaving behind the hyperbole, the only certainty is that passwords are not going away anytime soon, and that this will surely happen again. If you’re like most people, you need a plan so that you can feel safe enough, and can ignore these articles in the future.

Here’s the plan. It will take you a while, but once you’re done, you can relax knowing that your important personal data is as safe as it can reasonably be:

  1. Make a list of all the websites and apps that you use regularly
  2. Mark the ones that have important personal information* stored in them
  3. Download LastPass** and install it on your computer and mobile devices. Splurge for the $12/year LastPass Premium; your passwords are important.
  4. Install the basic Google Authenticator app (available from your device’s app store) on your mobile device
  5. Create a very strong master password in LastPass, memorize it, and turn on two-factor authentication in LastPass using Google Authenticator
  6. On every site/app you marked, do the following:
    • Change the password to a unique, LastPass-generated strong password. It is very important that you do not use the same password across multiple sites/apps.
    • Turn on two-factor authentication using Google Authenticator
    • Add each site/app to your LastPass account
  7. Set password and/or fingerprint locks on all your mobile devices
  8. Encrypt the hard drives on all your laptops

*All financial websites, all email accounts (Gmail, Yahoo, etc.), all cloud files (Dropbox, iCloud, Google Drive, etc.), all health-related sites, all insurance sites. Shopping sites? If you don’t store your credit card number on them, then don’t worry too much. Only store your card on shopping sites you use regularly, like Amazon or Seamless, in which case you should mark those as containing personal information.
**Why LastPass? Because we like it. Well-known online password managers such as 1Password and Dashlane all work well.

Frequently Asked Questions:

  1. What if LastPass gets hacked? The short answer is, it doesn’t really matter because your passwords are strongly encrypted and only you have the key. You also have multi-factor authentication, which will protect you while you change your passwords.
  2. What is two-factor authentication? It’s an additional way to ensure you are who you say you are. This is currently the best way to protect sensitive information. Even if someone, somehow, figures out your password, they can’t log in as you unless they also verify their identity through other means such as a text message or Google Authenticator.
  3. Am I 100% safe if I do all this? Of course not. But you will have done everything you reasonably can do to protect yourself.
  4. What if I share passwords with other family members? Get them a LastPass account too, and share the passwords with them through LastPass.
  5. Do I need to regularly change passwords? Not a bad idea, but not necessary if you do all the above.

The Problem with Microsoft OneDrive

Since its inception in 2007, Microsoft OneDrive for Business, a cloud file sharing tool, has been plagued by marketing missteps. Given the excellent launches of Microsoft’s Azure and Office 365 into the cloud space, OneDrive’s inability to gain market share among IT departments or consultants is a head-scratcher.

Compared to its main rivals Box, Dropbox, and Google Drive, OneDrive sits dead last in usage, stability, and business-related features. In addition to technical issues such as a buggy sync tool, marketing miscues include a painful re-branding following a lawsuit from Britain’s Sky TV service and a recent walk back from a promise of unlimited storage.

As an IT provider and a staunch supporter of the public cloud, we’ve tested and supported all the major cloud file sharing platforms. Considering OneDrive’s advantage of tight integration with Windows and Office 365, we expected much more. Instead, Microsoft’s product led to the highest number of support calls and lowest user satisfaction.

Microsoft revealed its own lack of faith in OneDrive with a 2014 partnership with Dropbox, which has recently deepened. In a quiet IPO market, an acquisition announcement may not be far off.

Until then, Microsoft will continue to hedge its bets with updates to OneDrive, knowing that most IT experts prefer its rivals. Stay tuned.

Blockchain: change is coming

Few people outside of the tech industry have heard of blockchain, which is the technology behind Bitcoin. Many technology experts believe that over the next decade, blockchain will revolutionize how we do business.

Today, almost all business transactions, whether paying a vendor, buying an item on eBay, or trading stocks, take place through an intermediary that verifies, logs, and validates the transaction. For example, in the case of banking, the intermediary is known as a clearing house. This model, which was established long before the internet, has several drawbacks. For one, the middleman takes a piece of the action. For example, exchanging currencies carries a hefty fee. An intermediary also slows things down – think of the last time you deposited a check, and how long you had to wait for it to clear. Finally, this model is vulnerable; if an intermediary is incapacitated, the entire marketplace can grind to a halt.

In 2008, a person or group (it’s not entirely clear) named Satoshi Nakamoto proposed a different way of transacting business. Instead of an intermediary, we could use technology to ensure that every business transaction is verified, logged, and validated. Rather than relying on an intermediary, all business participants keep a copy of a list of all the relevant business transactions. Then when a new transaction is requested, anyone can log it in the list (called a “ledger”). The ledger would then automatically sync to all the other copies of the ledger. The transaction is verified and validated when a majority of participants record and approve the transaction. Since there is a history of all transactions, and multiple copies of the ledger, the system is less vulnerable to fraud and outages.
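
The model just described, as an added Python sketch (not code from this post or from Bitcoin): every participant keeps a copy of the ledger, a transaction is recorded only when a majority approves it, and an altered copy stands out against the others. Linking each entry to the previous one with a SHA-256 hash is an assumption added here; the `Participant`, `submit` and `outliers` names are hypothetical, and real systems replace the simple vote with a consensus protocol.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def entry_hash(prev_hash: str, tx: dict) -> str:
    """Hash an entry together with the one before it, chaining the history."""
    payload = json.dumps({"prev": prev_hash, "tx": tx}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class Participant:
    def __init__(self, name: str, opening_balances: dict):
        self.name = name
        self.opening = dict(opening_balances)
        self.ledger = []  # this participant's own copy: (tx, hash) pairs

    def head(self) -> str:
        return self.ledger[-1][1] if self.ledger else GENESIS

    def balances(self) -> dict:
        bal = dict(self.opening)
        for tx, _ in self.ledger:
            bal[tx["from"]] = bal.get(tx["from"], 0) - tx["amount"]
            bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
        return bal

    def approves(self, tx: dict) -> bool:
        # Verification against this participant's own history: no overspending.
        funds = self.balances().get(tx["from"], 0)
        return tx["amount"] > 0 and funds >= tx["amount"]

    def record(self, tx: dict) -> None:
        self.ledger.append((tx, entry_hash(self.head(), tx)))

    def is_consistent(self) -> bool:
        prev = GENESIS
        for tx, digest in self.ledger:
            if entry_hash(prev, tx) != digest:
                return False  # an entry was edited after it was recorded
            prev = digest
        return True


def submit(participants: list, tx: dict) -> bool:
    """Record tx on every copy only if a strict majority approves it."""
    votes = sum(p.approves(tx) for p in participants)
    if votes * 2 <= len(participants):
        return False
    for p in participants:
        p.record(tx)
    return True


def outliers(participants: list) -> list:
    """Names of participants whose copy disagrees with the majority."""
    majority_head = Counter(p.head() for p in participants).most_common(1)[0][0]
    return [p.name for p in participants
            if p.head() != majority_head or not p.is_consistent()]
```

Editing an old entry either breaks that copy’s hash chain or, if the hashes are recomputed, changes its latest hash so that it no longer matches the majority.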

While the jury is still out on Bitcoin, the best-known example of blockchain technology in action, financial services companies worldwide, including most major banks, are aggressively testing variations of blockchain to conduct financial transactions. They know that traditional banking models will eventually go the way of the newspaper and the travel agent, and they don’t want to be left behind.


The Weakest Link in your Company’s Security Plan? It’s You

Best practices for cybersecurity at small-to-medium-sized businesses (SMBs) usually focus on network security, operating system patches, password management, and monitoring.

While these practices are important components of every security plan, the lowest-hanging fruit for potential attackers has shifted over the last few years. As more businesses have moved their email servers and other sensitive applications to the cloud, fortifying a typical attack vector, attackers have shifted their strategy.

Nowadays, the most common damaging security breaches involve sophisticated spear-phishing attacks that penetrate every company’s weakest link, its people.

It’s well known that people are biased to believe a good story. Technology itself will never prevent a good con. In addition to strong monitoring, what a business needs to do is prepare and educate.

Preparing means controlling the damage that spear-phishing can do, for example by limiting the amount of a bank transaction to $5,000 unless it has multiple approvals. Educating involves familiarizing your staff with specific examples of common social engineering attacks, and building a healthy skepticism in all your employees. Education must be ongoing and reinforced to be effective.

Next time you think about how you’ll improve your company’s security, or even the security in your personal life, follow all the recommended best practices. But don’t forget that you, your employees, or your family, may be the weakest link in the chain, and take action to prepare and educate.

When the Clouds Darken

Moving your critical technology services such as email, file sharing and storage, and even basic document editing to the cloud is the best investment you can make to improve up-time, accessibility, security, and disaster recovery for your business’s technology ecosystem.

However, there is no such thing as 100% up-time. Over the past few years, Microsoft Office 365, Google Apps, Gmail, Salesforce, Box, and Dropbox have all reported various outages. Even the most critical online services are not immune; consider, for example, the high-profile outages of Nasdaq and Bloomberg.

Many think of business continuity and disaster recovery as plans for true disasters such as a black-out, server crash, or weather emergency. We believe that all businesses, big and small, should have a business continuity plan that includes what to do when important technology services are unavailable. For example, let’s say you use Dropbox for your business. What will you do when Dropbox has an outage? What about Office 365? Or Salesforce?

For some organizations, the answer may be simple and straightforward. Others may want to prepare a contingency plan for using other email services, accessing cloud backups, or even using secondary systems.

Creating a realistic, well thought-out business continuity plan will help you decide what’s critical for your business, and what actions to take when the inevitable outages do arise.

Even Presidents Need Tech Support

Everyone of a certain age, or with an aging parent, knows that adapting to new technology doesn’t always come easy to our country’s seniors. But what about to our presidential candidates? Let’s take a quick look at our front-runners, and see how they would fare juggling the demands of running the country while keeping up with technology. Enjoy! Oh, and Happy President’s Day!

Hillary: When someone says “technology” around Hillary these days, she probably winces, expecting an attack on her sketchy use of a private email server. The truth is, Hillary’s always struggled with technology. A look at some of her emails while she was Secretary of State shows her, at various times, frustrated with her Blackberry and trying to figure out how LinkedIn works. Hillary, however, clearly has her finger on the pulse of how technology is affecting everything from our kids to ISIS, and would easily comprehend and adapt to anything thrown her way.

Bernie: His campaign is clearly winning the social media battle, and his staff was even accused of hacking Hillary, but what about Bernie himself? In an interview, he admits he’s not a techie, but considers himself “smart enough to hire excellent people.” Hmm, that doesn’t sound very convincing to me.
Grade: C+

The Donald: The only one in this group who’s spent most of his life in the private sector, Trump is still frighteningly behind in his use of technology. In 2007, while many of us were transitioning from emails to texts and tweets, the mega-mogul didn’t even own a personal computer or use email. Even by 2013, when asked about his email use, he replied “Very rarely, but I use it”.
Grade: F

Ted Cruz: Younger than Bernie by about 30 years, you’d think Ted Cruz could walk the walk when it comes to technology. Not quite. A Facebook post in November revealed his cluelessness about Net Neutrality. Still, between his youth, and the savvy use of data and social media, he’s clearly in touch with technology.
Grade: B-

Wired to Believe

Although the Internet as we know it is now approximately 25 years old, with an entire generation born into a plugged-in world, internet fraud continues to grow. Whether it’s mind-numbingly stupid rumors (no, Mark Zuckerberg is not giving away $4.5M to 1,000 users), mildly convincing pleas for help from abroad (but wait, isn’t Aunt Bess dead?), or well-engineered spear phishing attacks, we continue to surf with our collective head in the clouds. It’s estimated that in the U.S. in 2014, almost $1B was lost in online scams.

Educating users, while important, doesn’t always help. Is it because, as PT Barnum famously quipped, there’s a sucker born every minute? (Oh, wait, he actually didn’t say that.) Perhaps. Or maybe we’re just wired that way.

A recent New York Times article, “Born to Be Conned,” explored the idea that humans are simply wired to believe a story, and will fail to identify obvious red flags, what researchers call Pinocchio Circling, in order to fulfill a narrative. The more “transportive” the story, the more easily we’re fooled. This makes the Internet, which can easily conjure up fantastical stories, details, and images, a great medium for a con.

Can technology help? Many security researchers and big-data analysis firms think so. The hope is that using algorithms to examine data for patterns, inconsistencies, and unusual behavior may neutralize our biased thinking. However, even these systems are ultimately subject to human manipulation, and I think we all know that there’s a new con artist born every minute too.


The Custom Software Conundrum

I recently met a potential client that desperately needs a new CRM (customer relationship management) and calendaring system. They have been using a custom-built system (Filemaker based) hosted on their own server, as well as an integrated calendaring system, also hosted on their own server.

While these systems had been working for years, they have recently started failing. The business has grown, and the calendaring software can no longer handle the volume of data. The integration between the custom CRM and the calendar is also broken. In a familiar refrain we hear from many clients with heavily customized software, the original developer is “no longer available.” In addition, the company’s remote offices have grown frustrated with the slow connections to the internally hosted systems.

All indications point to a lightly-customized SaaS solution. Indeed, the firm had recently hired a marketing expert that was exploring various online options.

While a majority of the technology industry has moved to SaaS, there is still a large contingent of small and medium-sized businesses that see one-time investment in custom software as a better value. Is it? The answer, of course, depends on the specific business situation. However, there are only a few cases in which we recommend custom software.

A quick SWOT analysis of this decision:

Custom Solution

Strengths:

  • No monthly recurring costs
  • Built to exact specifications

Weaknesses:

  • Poor remote access
  • Requires expensive maintenance and upgrades
  • High capital costs
  • All integrations must be custom-built

Opportunities:

  • Workflow can be perfectly customized

Threats:

  • Software breaks, developer not available
  • Downtime

SaaS Solution

Strengths:

  • No/few capital costs
  • No maintenance and upgrade costs
  • Scalability
  • Excellent remote access

Weaknesses:

  • High monthly recurring costs
  • Workflow must be somewhat modified to fit software

Opportunities:

  • Easy integration into multiple systems
  • Excellent mobile options

Threats:

  • N/A

As you can see, the decision is a simple one in most cases. Cost overruns, delays, frustrations, and unseen efficiency costs are easily forgotten years after a custom software project. Even if SaaS software costs more, the balance is heavily weighted in its favor. The only factor that can tip the scales towards a custom-built solution is workflow. If workflow is very complex or specialized, heavy customization will be required. Even then, using a PaaS (platform as a service) instead of hosting software yourself is justified.

Google Keep

While Evernote has been a part of my life for a couple of years now, the application has slowly morphed into a behemoth.

I think the majority of people who want a note-taking application only need the following features:


  • Ease of use online and mobile
  • Offline usage
  • Quick search/find
  • Note sharing (e.g. shopping lists)
  • Some kind of backup/undo feature

Unfortunately, Evernote, in trying to find a business model, has added features that only a tiny percentage of users need. These features have muddied the user interface and made the simple things harder.

Since I’ve become immersed in the Google platform for certain work and homelife tasks, I decided to give Google Keep a try. Google Keep, launched in 2013, is Google’s second attempt at note-keeping after shutting down its Google Notebook app in 2011.

At first blush, Google Keep is perfect. After years of navigating Evernote’s busy interface and complex notebook schema, it was great to have all my notes right in front of me. Adding a new note, image, or to-do list is very intuitive, and works perfectly. In addition to standard notes, Google Keep allows you to easily export notes into Google Docs, share notes, and create reminders. The iPhone application is excellent, and works offline without needing to buy a subscription (“ahem” Evernote).

It wasn’t until I started working in Google Keep that I found its fatal flaw.

Every once in a while, while editing, I’ll accidentally erase part or even all of a note. This generally isn’t an issue, as Evernote Premium has a “Note History” feature that takes snapshots of your note every few hours. This has saved my keister more than once.

Unfortunately, Google Keep has no way of retrieving an old note. The internet is littered with desperate pleas for help. Given other Google Apps’ (Docs, Sheets, etc.) incredible revision history features, why this isn’t built into Google Keep is a real head-scratcher.

So for now, it’s back to Evernote.

Work with a View

The end of the year is a busy time for Cartwheel. It’s also vacation time for my family. This means that both my wife, who’s a physician, and I have to prepare to work from anywhere while away. That includes airports, in the air, in hotel rooms, and if we’re lucky, on the beach.

Working on vacation can be frustrating if you’re not prepared, and can mean disaster if you don’t do it securely. Luckily, we’ve been doing this for years, and have it down to a science. Below, I’ve shared our secrets to make sure you can work from anywhere with minimum frustration.


The first part of the preparation is equipment. Make sure that you have everything you’ll need to work anywhere. For us, that packing list includes:

  • 2 Laptops & chargers
  • 2 iPhone chargers
  • Double car USB adapter
  • 2 Headphone/Earpieces

Since power isn’t always available, (maybe I’ll have to try this solar-powered iPhone charger this year) it’s good to be power-conscious when using your devices on vacation. This includes turning the brightness down on your laptop and mobile devices.

Internet Access

Bringing your own internet access is the way to go. Every carrier allows you to use your mobile device as a wireless access point. Not only is this the most secure way to connect (public WiFi is notoriously insecure), but it’s often the fastest. Of course, this is impossible in places without any cell reception, but in those cases it’s best to work offline anyway.

Working Offline

The plane can be a great place to work. Unfortunately, WiFi access is still unavailable on many flights, and can be infuriatingly slow. Before I go, I always make sure to sync at least a few folders of relevant work to my laptop. Usually, this is either catching up on correspondence, doing some big picture planning, or even working on next year’s budgets. Regardless, it’s key to remember to update these files when you get back online.


Nothing can ruin your vacation faster than losing your iPhone or having your laptop stolen. Worse, stolen or compromised data can not only ruin your vacation, but may do serious damage to your personal or business life. In addition to common sense (don’t put your laptop in your checked baggage, etc.), make sure you have all the standard business security policies in place. These include password protected mobile devices and encrypted hard drives.

Ideally, we all shouldn’t be working at all on vacation. But barring that pipe-dream, being prepared makes working on vacation pretty pretty painless. Who knows, you may even decide to permanently work from the beach!