Secure e-mail isn’t really e-mail. Is it really secure?

Most e-mails are not encrypted.  What this means is that if someone intercepted your email message, they would be able to read it.  This is, of course, a big concern to those sharing sensitive information.

One solution is to avoid e-mailing any sensitive information. Many online apps (such as Box and Cisco’s Sharefile) offer secure alternatives to email. While these work well, many of our clients find that when they’re in a rush, they end up e-mailing sensitive information regardless.

Another option, one that has been in use for many years, is known as secure or encrypted e-mail.  Secure e-mail applications work directly with your e-mail system. For instance, Microsoft Office 365’s Message Encryption (“OME”), which is included in some Office 365 subscriptions, works seamlessly with Microsoft Exchange and Outlook.

Microsoft Office 365 Message Encryption (Source - Microsoft (c))

When a user puts a code word into the subject line (e.g. ‘PRIVATE’) and presses send, Microsoft’s OME converts the e-mail message into a web page. Instead of the message, a link to the web page is sent to the recipient. The recipient can then open the message in a browser, but first must confirm her identity with a one-time code, which is automatically sent to her e-mail address.

Since the message is encrypted end-to-end, Microsoft’s OME is a substantial improvement over standard email. However, as you might expect, secure e-mail has some vulnerabilities. For example, if someone can access the recipient’s mailbox, he can decrypt any secure message using the code that is sent subsequently. In addition, a sophisticated hacker can “listen in” on a network, wait for an encrypted e-mail, and then wait for the code. The code, however, does expire after 15 minutes, severely limiting an attacker’s time window.
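To make the link-plus-code flow and the 15-minute window concrete, here is an added example of a hypothetical portal modelled on the description above (not Microsoft’s code; the portal URL, class and method names are invented). It shows why a code that is single-use and expiring shrinks the window that mailbox access or eavesdropping would otherwise give an attacker.

```python
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 15 * 60   # the 15-minute expiry described in the post


@dataclass
class ProtectedMessage:
    recipient: str
    body: str                                    # stands in for the encrypted content
    pending_codes: dict = field(default_factory=dict)  # code -> expiry timestamp


class MessagePortal:
    """Hypothetical portal: the recipient gets a link, then a one-time code."""

    def __init__(self):
        self.messages = {}

    def send_protected(self, recipient: str, body: str) -> str:
        # In OME the message becomes a web page; here we store it and return
        # the link that is mailed to the recipient instead of the body.
        msg_id = secrets.token_urlsafe(16)
        self.messages[msg_id] = ProtectedMessage(recipient, body)
        return f"https://portal.example/read/{msg_id}"   # constructed URL

    def request_code(self, msg_id: str, now: float = None) -> str:
        # The code is e-mailed to the recipient's mailbox, which is exactly
        # why anyone who can read that mailbox (or the wire) must race the clock.
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.messages[msg_id].pending_codes[code] = now + CODE_TTL_SECONDS
        return code

    def read(self, msg_id: str, code: str, now: float = None):
        """Return the message body, or None if the code is unknown, used or expired."""
        now = time.time() if now is None else now
        msg = self.messages[msg_id]
        expiry = msg.pending_codes.pop(code, None)   # pop makes the code single-use
        if expiry is None:
            return None                              # wrong or already-used code
        if now > expiry:
            return None                              # past the 15-minute window
        return msg.body
```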

Even though it’s not a perfect solution, secure email’s ease of use, in-transit and at-rest encryption, and expiring codes make it a useful tool for those sending sensitive information over email.

Can you see me now?

Video calls have become a staple of business communication. Most business communications packages, including those by Google and Microsoft, already include some form of video capability.

At Cartwheel, we use video to communicate with each other when working remotely, conducting interviews with candidates, and in some client meetings. Since we use a number of different video applications, we wanted to share our take on which work best.

For businesses that rely on very high-quality video and audio, we recommend stand-alone systems such as BlueJeans. Although they require expert implementation and are costly, these systems can integrate into existing phone systems, reserve bandwidth on your network, and have advanced features such as recording and broadcasting.

For the rest of us that want decent video conferencing ability, but don’t mind the occasional hiccup in quality, below are the ones we’ve used. Note that all these applications offer both iOS and Android apps for video on the go.

Video for internal communication

  • Slack: We were originally skeptical of Slack’s usefulness, but have grown to love it. Primarily used for team communication, Slack helps eliminate lots of back and forth emails. Slack has both audio and video conferencing, and both are very good. In addition to a simple, effective interface, Slack recently added screen sharing. However, we do sometimes experience video dropping while on calls with many users.
  • Google Hangouts: For those using G-Suite for email, Hangouts is the logical choice. Fortunately, it’s also a very solid one. Google has combined its chat and video capability in Hangouts. The video and audio sound quality are strong, however the integration into other Google tools is a little confusing. For instance, clicking on Contacts from Hangouts does not bring up your G-Suite Contacts, but instead takes you to your “Hangouts” contacts. Why another list?
  • Skype for Business: For Microsoft Office 365 users, Skype for Business is included in most packages. In typical Microsoft fashion, Skype for Business is a combination of a few different applications and platforms. Lync, the now retired chat application, and the consumer version of Skype were combined onto the Office 365 platform. This can make things a bit confusing to set up, but once you do, you’ll find Skype for Business a solid video experience.

Video for external communication

Communicating with people outside your organization, customers or vendors for instance, requires a different type of video application. Features such as easy sign-in, browser-based clients, and quick set-up are important requirements.

  • Zoom: A heavily funded “unicorn”, Zoom has grown by offering simple, high-quality video calls, webinars, and training tools. We’ve had a few calls through Zoom, and found the application easy to install, and the video quality excellent.
  • ClickMeeting: This marketing company spin-off focuses on webinars, and includes branding and recording tools. The price is right for events up to 500 people, and the set-up is relatively easy.
  • Webex: One of the earliest entries in the video conferencing and webinar market, Webex has tried to keep up with the competition with a number of different options, including screen-sharing and phone dial-in capability. Still, the application feels stale, the install is a bit messy, and the pricing is not as favorable as some of the newcomers.

Are you a founder?

On a recent flight from the west coast, I watched a biography, The Founder, about Ray Kroc, the founder of McDonald’s.

Kroc was a middle-aged, struggling blender salesman with a history of entrepreneurial failures. He came across the McDonald brothers after they ordered some blenders. The McDonalds were running a small, popular hamburger stand in San Bernardino, California. They innovated by eschewing the trendy, restaurant-style burger joint and instead invented the no-frills, fast-food approach. The McDonald brothers were happy micromanaging their small operation, and were wary of franchising and losing quality control.

Kroc, convinced they were sitting on a gold mine, persuaded them to give him a chance to sell some franchises. After a few years of fast, aggressive growth, Kroc bought out the McDonald brothers. Kroc died a billionaire in 1984.

It’s a fascinating story that sheds light on what it takes to start a business, to run a business, and to grow a business. The McDonald brothers were great at starting and running their hamburger stand. However, when it came to growing, they didn’t have the personality, the drive, or the tools. Kroc was the opposite – an aggressive, extroverted man willing to do whatever it takes to sell an idea. Was he a founder? I guess it depends on our definition. He was a certain kind of founder.

The Founder got me thinking about the businesses I’ve founded, run, and grown, as well as those of my clients and friends. Are you a founder? What kind are you?


What’s in your stack?

Stack of pancakes

You may have heard various computer people throw around the s-word. A stack, in IT terminology, usually refers to a solution stack. Any software application, whether it’s your website, email client, favorite iPhone app, or your online CRM, is developed and run on top of a set of standardized, prebuilt, building blocks. These building blocks, each running on top of another, together define a stack. Application builders have a choice of different stacks, and usually choose based on the type of application, the target device(s), cost, and personal preference.

The archetypal stack consists of Linux, Apache, MySQL, and PHP, and is therefore known as LAMP. The LAMP stack has historically been used for many of the most popular web applications, including the original Facebook!

This simplified diagram shows the LAMP stack that ran the original Facebook site. In this stack, which is entirely open-source and free to use, the servers run an operating system known as Linux. On top of Linux runs Apache, a web server responsible for “serving” your Facebook pages to your browser. MySQL, which also runs on Linux, is a general-purpose database in which Facebook stored user names, posts, pictures, etc. Finally, PHP is a scripting engine that, when run on Apache, interprets code to customize web pages using the information stored in the MySQL database.

In order to build the first Facebook, our young Mark Zuckerberg only had to design his database and build dynamic web pages using HTML and PHP. The stack would then allow the Facebook web site to run on practically any hardware, and work on any standard browser. Before publicly available stacks like LAMP were built, programmers had to create all the building blocks themselves, which greatly increased the time and effort required to bring a product to market.

Today, typical stacks add many more blocks and layers, and usually reside in the cloud. Some stacks, such as AWS Lambda, completely free application developers from worrying about servers, operating systems, or databases, and can even provide drag and drop interfaces that empower users to build complex business processes without even knowing any code!

Your Personal Password Plan

A few days ago, Yahoo revealed a suspected 2014 security breach, which generated enough media coverage to give us a much-needed respite from the presidential campaign. Some simply recycled the same old password resetting advice, some boldly predicted apocalypse, and some entertained us with CYA articles from within Yahoo.

Leaving behind the hyperbole, the only certainty is that passwords are not going away anytime soon, and that this will surely happen again. If you’re like most people, you need a plan so that you can feel safe enough, and can ignore these articles in the future.

Here’s the plan. It will take you a while, but once you’re done, you can rest assured that your important personal data is as safe as it can reasonably be:

  1. Make a list of all the websites and apps that you use regularly
  2. Mark the ones that have important personal information* stored in them
  3. Download LastPass** and install it on your computer and mobile devices. Splurge for the $12/year LastPass Premium; your passwords are important.
  4. Install the basic Google Authenticator app (available from your device’s app store) on your mobile device
  5. Create a very strong master password in LastPass, memorize it, and turn on two-factor authentication in LastPass using Google Authenticator
  6. On every site/app you marked, do the following:
    • Change the password to a unique, LastPass generated strong password.  It is very important that you do not use the same password across multiple sites/apps.
    • Turn on two-factor authentication using Google Authenticator
    • Add each site/app to your LastPass account
  7. Set password and/or fingerprint locks on all your mobile devices
  8. Encrypt the hard drives on all your laptops

*All financial websites, all email accounts (Gmail, Yahoo, etc.), all cloud files (Dropbox, iCloud, Google Drive, etc.), all health-related sites, all insurance sites. Shopping sites? If you don’t store your credit card number on them, then don’t worry too much. Only store your card on shopping sites you use regularly, like Amazon or Seamless, in which case you should mark those as personal information.
**Why LastPass? Because we like it. All well-known online password managers, such as 1Password and Dashlane, work well.

Frequently Asked Questions:

  1. What if LastPass gets hacked? The short answer is, it doesn’t really matter because your passwords are strongly encrypted and only you have the key. You also have multi-factor authentication, which will protect you while you change your passwords.
  2. What is two-factor authentication? It’s an additional way to ensure you are who you say you are. This is currently the best way to protect sensitive information. Even if someone, somehow, figures out your password, they can’t log in as you unless they also verify their identity through other means such as a text message or Google Authenticator.
  3. Am I 100% safe if I do all this? Of course not. But you will have done everything you reasonably can do to protect yourself.
  4. What if I share passwords with other family members? Get them a LastPass account too, and share the passwords with them through LastPass.
  5. Do I need to regularly change passwords? Not a bad idea, but not necessary if you do all the above.
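Step 5 and FAQ 2 above rely on Google Authenticator, which generates time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the post or from Google, that implements that algorithm and the server-side check, so you can see why a stolen password alone is not enough: the second factor is a fresh 6-digit code derived from a shared secret and the current 30-second window. The base32 key and the RFC test secret are the only inputs; the function names are this example’s own.

```python
import base64
import hmac
import struct
from hashlib import sha1

STEP_SECONDS = 30   # Google Authenticator's time step
DIGITS = 6          # Google Authenticator's code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of
    clock drift, comparing in constant time so the code cannot be guessed byte by byte."""
    counter = int(at_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def secret_from_base32(key: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret (QR code or manual entry);
    padding is restored because apps and QR codes usually omit it."""
    key = key.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


# Published RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```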

The Problem with Microsoft OneDrive

Since its inception in 2007, Microsoft OneDrive for Business, a cloud file sharing tool, has been plagued by marketing missteps. Given the excellent launches of Microsoft’s Azure and Office 365 into the cloud space, OneDrive’s inability to gain market share among IT departments or consultants is a head-scratcher.

Compared to its main rivals Box, Dropbox, and Google Drive, OneDrive sits dead last in usage, stability, and business-related features. In addition to technical issues such as a buggy sync tool, marketing miscues include a painful re-branding following a lawsuit from Britain’s Sky TV service and a recent walk back from a promise of unlimited storage.

As an IT provider and a staunch supporter of the public cloud, we’ve tested and supported all the major cloud file sharing platforms. Considering OneDrive’s advantage of tight integration with Windows and Office 365, we expected much more. Instead, Microsoft’s product led to the highest number of support calls and the lowest user satisfaction.

Microsoft revealed its own lack of faith in OneDrive with a 2014 partnership with Dropbox, which has recently deepened. In a quiet IPO market, an acquisition announcement may not be far off.

Until then, Microsoft will continue to hedge its bets with updates to OneDrive, knowing that most IT experts prefer its rivals. Stay tuned.

Blockchain: change is coming

Few people outside of the tech industry have heard of blockchain, which is the technology behind Bitcoin. Many technology experts believe that over the next decade, blockchain will revolutionize how we do business.

Today, almost all business transactions, whether paying a vendor, buying an item on eBay, or trading stocks, take place through an intermediary that verifies, logs, and validates the transaction. For example, in the case of banking, the intermediary is known as a clearing house. This model, which was established long before the internet, has several drawbacks. For one, the middleman takes a piece of the action. For example, exchanging currencies carries a hefty fee. An intermediary also slows things down – think of the last time you deposited a check, and how long you had to wait for it to clear. Finally, this model is vulnerable; if an intermediary is incapacitated, the entire marketplace can grind to a halt.

In 2008, a person or group (it’s not entirely clear) named Satoshi Nakamoto proposed a different way of transacting business. Instead of relying on an intermediary, we could use technology to ensure that every business transaction is verified, logged, and validated. All business participants keep a copy of a list of all the relevant business transactions. Then, when a new transaction is requested, anyone can log it in the list (called a “ledger”). The ledger then automatically syncs to all the other copies of the ledger. The transaction is verified and validated when a majority of participants record and approve the transaction. Since there is a history of all transactions, and multiple copies of the ledger, the system is less vulnerable to fraud and outages.
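The replicated-ledger idea above, as an added toy example written for this page (not Bitcoin’s protocol and not code from the post): every participant keeps a copy, a transaction is committed only when a majority approves it, and the copies can be compared afterwards. One detail goes beyond the paragraph: each entry is hashed together with the previous entry’s hash, which is how the “history of all transactions” makes a rewritten copy stand out. Participant names and balances are constructed sample data.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


def entry_hash(prev_hash: str, tx: dict) -> str:
    """Each entry commits to its predecessor, so rewriting an old transaction
    changes every later hash in that copy (hash chaining is this example's addition)."""
    payload = json.dumps({"prev": prev_hash, "tx": tx}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Participant:
    name: str
    balances: dict = field(default_factory=dict)
    ledger: list = field(default_factory=list)    # list of (tx, entry hash)

    def validate(self, tx: dict) -> bool:
        """Approve a transfer only if the payer can cover it."""
        return tx["amount"] > 0 and self.balances.get(tx["from"], 0) >= tx["amount"]

    def record(self, tx: dict) -> None:
        self.ledger.append((tx, entry_hash(self.head(), tx)))
        self.balances[tx["from"]] -= tx["amount"]
        self.balances[tx["to"]] = self.balances.get(tx["to"], 0) + tx["amount"]

    def head(self) -> str:
        return self.ledger[-1][1] if self.ledger else "genesis"


def submit(tx: dict, participants: list) -> bool:
    """Majority rule as the post describes: commit to every copy only when
    more than half of the participants approve the transaction."""
    approvals = sum(p.validate(tx) for p in participants)
    if approvals * 2 <= len(participants):
        return False
    for p in participants:
        p.record(tx)
    return True


def consensus_head(participants: list) -> Optional[str]:
    """Compare the copies: the head hash held by a majority is the agreed history;
    a copy whose history was altered no longer matches and is outvoted."""
    heads = Counter(p.head() for p in participants)
    head, count = heads.most_common(1)[0]
    return head if count * 2 > len(participants) else None
```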

While the jury is still out on Bitcoin, the best-known example of blockchain technology in action, financial services companies worldwide, including most major banks, are aggressively testing variations of blockchain to conduct financial transactions. They know that traditional banking models will eventually go the way of the newspaper and the travel agent, and they don’t want to be left behind.


The Weakest Link in your Company’s Security Plan? It’s You

Best practices for cybersecurity at small-medium sized businesses (SMBs) usually focus on network security, operating system patches, password management, and monitoring.

While these practices are important components of every security plan, the lowest-hanging fruit for potential attackers has shifted over the last few years. As more businesses have moved their email servers and other sensitive applications to the cloud, fortifying a typical attack vector, attackers have shifted their strategy.

Nowadays, the most common damaging security breaches involve sophisticated spear-phishing attacks that penetrate every company’s weakest link: its people.

It’s well known that people are biased to believe a good story. Technology itself will never prevent a good con. In addition to strong monitoring, what a business needs to do is prepare and educate.

Preparing means controlling the damage that spear-phishing can do; for example, limiting any bank transaction to $5,000 unless it has multiple approvals. Educating involves familiarizing your staff with specific examples of common social engineering attacks, and building a healthy skepticism in all your employees. Education must be ongoing and reinforced to be effective.

Next time you think about how you’ll improve your company’s security, or even the security in your personal life, follow all the recommended best practices. But don’t forget that you, your employees, or your family, may be the weakest link in the chain, and take action to prepare and educate.

When the Clouds Darken

Moving your critical technology services, such as email, file sharing and storage, and even basic document editing, to the cloud is the best investment you can make to improve up-time, accessibility, security, and disaster recovery for your business’s technology ecosystem.

However, there is no such thing as 100% up-time. Over the past few years, Microsoft Office 365, Google Apps, Gmail, Salesforce, Box, and Dropbox have all reported various outages. Even the most critical online services are not immune; consider, for example, the high-profile outages at Nasdaq and Bloomberg.

Many think of business continuity and disaster recovery as plans for true disasters such as a black-out, server crash, or weather emergency. We believe that all businesses, big and small, should have a business continuity plan that includes what to do when important technology services are unavailable. For example, let’s say you use Dropbox for your business. What will you do when Dropbox has an outage? What about Office 365? or Salesforce?

For some organizations, the answer may be simple and straightforward. Others may want to prepare a contingency plan for using other email services, accessing cloud backups, or even using secondary systems.

Creating a realistic, well thought-out business continuity plan will help you decide what’s critical for your business, and what actions to take when the inevitable outages do arise.

Even Presidents Need Tech Support

Everyone of a certain age, or with an aging parent, knows that adapting to new technology doesn’t always come easily to our country’s seniors. But what about to our presidential candidates? Let’s take a quick look at our front-runners, and see how they would fare juggling the demands of running the country while keeping up with technology. Enjoy! Oh, and Happy President’s Day!

Hillary: When someone says “technology” around Hillary these days, she probably winces, expecting an attack on her sketchy use of a private email server. The truth is, Hillary’s always struggled with technology. A look at some of her emails while she was Secretary of State shows her, at various times, frustrated with her Blackberry and trying to figure out how LinkedIn works. Hillary, however, clearly has her finger on the pulse of how technology is affecting everything from our kids to ISIS, and would easily comprehend and adapt to anything thrown her way.

Bernie: His campaign is clearly winning the social media battle, and his staff was even accused of hacking Hillary, but what about Bernie himself? In an interview, he admits he’s not a techie, but considers himself “smart enough to hire excellent people.” Hmm, that doesn’t sound very convincing to me.
Grade: C+

The Donald: The only one in this group who’s spent most of his life in the private sector, Trump is still frighteningly behind in his use of technology. In 2007, while many of us were transitioning from emails to texts and tweets, the mega-mogul didn’t even own a personal computer or use email. Even by 2013, when asked about his email use, he replied “Very rarely, but I use it”.
Grade: F

Ted Cruz: Younger than Bernie by about 30 years, you’d think Ted Cruz could walk the walk when it comes to technology. Not quite. A Facebook post in November revealed his cluelessness about Net Neutrality. Still, between his youth, and the savvy use of data and social media, he’s clearly in touch with technology.
Grade: B-