The challenge of Digital Identification in a Cloud world, Password Managers Emerge

At time when the news headlines are filled with a parade of data breaches (DNC, Yahoo, etc.), the Password Manager has emerged as an effective tool to solve the problem of Digital Identification.  Digital Identification is the way you prove who you are to all your Cloud based online accounts.

The Password Manager is a online system combined with software tools that allows users to create long, complicated password strings that are unique to each online system. This prevents passwords from being guessed and prevents compromised passwords from being used to access other sites if one system has been hacked.

The challenge for online service providers is to secure their systems and accounts but allow users easy and convenient access.  Without a Password Manager, long, complicated and unique passwords are not something that people can easily use.

Without a Password Manager, username and passwords are ineffective because:

  1. People choose passwords they can remember, which are simple for criminals to figure out.
    • Brute Force techniques allow criminals to guess thousands and millions of common combinations (Ex. Password1, Sex123, etc.) from dictionaries and lists of already discovered passwords from previous data breaches.
    • Old fashioned PI work is surprisingly successful using social media and public records to formulate possibilities including children’s initials, birth dates, mailing addresses, pets names, hobbies, etc.
    • Phishing techniques like was used in the DNC hack trick users into sharing their passwords through fake websites and email solicitations.
  2. Long, random, secure passwords are difficult for humans to remember and as a result are not used or are stored insecurely.
    • Often, passwords are kept on sticky notes under keyboards, in note pads and in insecure online address books in Google or Outlook.
    • Users find creative ways to compromise complex password requirements by making minor modifications, writing  them down but leaving out some characters, etc.
  3. The same passwords are often shared across different systems.
    • Long complex password that change frequently are hard to remember, so users use the same or similar passwords across many systems
    • Hackers know passwords are shared across multiple systems so they try and access other online systems once a password is discovered and verified.

The Password Manager evolves

The original password managers were not useful because they were inconvenient.  They presented too much of a challenge to setup, organize and access.  Also, securing all your passwords and private information with a single password seemed like having all your eggs in one basket.  If that system and password was compromised, so was everything else!

Modern password managers have solved most of these challenges.  They are now the hub of your digital identity.  Products like 1Password, LastPass and Dashlane provide simple solutions to protect your passwords and provide convenient access from all your devices and online.

You are in control

  • With the help of these tools, long, random, unique and complex password are created for your online accounts.  The Password Manager software makes logging in and accessing your online accounts simple without having to remember these passwords.
  • There is no need for 3rd party solutions like certificate authorities to issue and manage your credentials.  No one else can grant access to your online accounts and you don’t have to use permanent physical characteristics like your fingerprints, DNA, etc. to identify yourself.
  • No one but you can see your passwords and account info. None of these online solutions store your passwords in a form that is accessible to anyone other than yourself. They do this by employing high levels of encryption within their systems and they encrypt your passwords with your own master password, which they don’t have.

Isn’t this risky, putting all your eggs still in one basket?

Many people still get stuck on the single master password and the concern with having all your eggs in one basket.  It’s a legitimate concern but these systems have checks in place to limit this risk.

  • Before you can attempt to un-encrypt your database with the master password, you must first authorize your devices and demonstrate control of the email account associated with your account.
  • Attempts to access your account are logged and reported to you so you’ll know quickly if someone else is trying to access your account.
  • 2FA/Multifactor Authentication can additionally be added onto your account.
  • The Master Password is never stored in their system, so if they become compromised hackers still should not have access to your information.

Emergency access

One feature that I find particularly compelling is “Emergency Access.”  When someone becomes ill or passes away unexpectedly, there is a panic among family, friends and sometimes within businesses to try ensure access to online accounts and protected files.

My wife and I have many online accounts related to finances, insurance, mortgages, photo sharing, etc.  One day I realized I had no idea what passwords my wife was using for many of these accounts as they change often and have so many different requirements.  With the Emergency Access feature, I can setup emergency access to her passwords after a 2 day waiting period.

Why shouldn’t we just use alternatives to passwords?

Biometric or genetic authentication: Science fiction has often extolled the benefits of genetic or biometric authentication including retinal scanners, fingerprint readers, voice recognition or DNA scanning.  The problem with these technologies are twofold:

  1. They can be fooled:  If a would be hacker learns a target’s fingerprint, retinal pattern or DNA unique identifiers, systems can be devised to represent these unique patterns in a way that can fool an automated system.  There are currently many examples online of fingerprint readers being fooled.
  2. Once a biometric or genetic marker has been compromised, users cannot “reset” them, they are hard coded into our bodies.  So if one’s identity was stolen and it was tied to a unique DNA identifier, the individual is now unable to easily reclaim his identity.

Digital Certificates: For a time there was a lot of discussion about how Digital Certificates from certificate authorities could replace passwords.  These certificate systems are currently widely used for securing websites, securing corporate and the government systems, and to sign software code.  They use a private and public key model to encrypt and identify authorized users and systems.

However, Digital Certificate systems have failed to become broadly used because of two major challenges:

  1. There is no one to trust with all this power!
    • Over the past few years there have been several high profile compromises of certificate authorities including Comodo, Symantec, and others.
    • Certificate authorities hold the master keys, allowing a single point of failure.  This allows malicious actors who successfully compromise one of these systems to access unauthorized systems or issue illegitimate certificates.  This allows the publishing of fake bank, google, or other systems where users are tricked into providing information through fake systems.
  2. Public and private key certificate systems have proved to be too complicated and inconvenient for most average users.
    • Users have to be able to understand the private and public key model, which is often beyond the interest and abilities of most users.
    • Personal certificates are not very convenient.
      • I can load my Private Key on my computer so that when I go to my banking site I can easily log in, but what do I do when i’m at my parents house?
      • I can load my Private Key on a USB Smart Card but that opens up many other challenges and security risks including plugging in USB drives to other people’s computers.

2FA or Multi Factor Authentication: 2FA (Two form Factor Authentication) or Multi Factor Authentication is the technique of using 2 or more methods to uniquely identify a user.  This usually includes some form of password combined with a text message, phone call or possession of physical hardware Token (USB device, Phone App or computer app that generates random numbers, etc.).

  1. 2FA or Multi Factor Authentication doesn’t get rid of passwords but makes them much harder to compromise.
    • Even if a hacker knows a user’s password, they cannot gain access to a system without the second or third authenticator.
  2. 2FA and Multi Factor Authentication methods are becoming broadly and freely available with many online systems including Apple, Facebook, Google, Yahoo, Microsoft, etc.
    •  The problem with these solutions are that they make access a lot less convenient. This is especially true if you’ve misplaced your smartphone or are not working on your own computer or if you’re sharing access to a system (usually can’t list multiple cell phone numbers).
    • Additionally they don’t eliminate the password, they just make it more secure.

A good option now for greater security

The convenience of the Cloud’s always on, always available nature means that these systems are always available to enterprising criminals all over the world.  Long gone are the days when systems are safely behind physical walls and firewalls requiring special software and/or physical access.  There is a significant need now for greater security across all these systems and the Password Manager is one of our best options.


Best Bluetooth speakers for home and office with some business inspiration to boot!

This subject may seem like a fluff topic but I have to tell you about these speakers and the company behind them.  They’ve got me pumped because they are great speakers, lots of fun to use, have great business applications and even offer a great business lesson.

The Product

The products I’m talking about and love are the Oontz Angle 3 and Oontz Angle 3XL.  They are inexpensive ($30-$110) Bluetooth speakers with truly incredible sound given their size and cost.  They have a built-in mic for use with phones and computers as a sound source and are super easy to setup and pair with your devices (phones, computers, etc.).

As you can imagine, they are a great way to bring music wherever you are but they also offer impressive portable speakers for business presentations and can be used as a portable speakerphone for ad hoc conferences when paired with your smartphone.  So these are great to place in conference rooms or with traveling executives and sales staff.

One unique feature of the Oontz Angle 3XL (the larger unit) is that if you buy two of them, you can set them up to offer true stereo sound with each one carrying a separate stereo channel.  I have not tested this as the single units have proved to be more than sufficient for my needs.

The history

I used to be a bit of an audiophile when I was younger and was really into a company called Cambridge Soundworks, based in my home town of Newton MA.  I visited their factory store, dreamed of their speakers and even tried to get a summer job there.

Cambridge Soundworks has gone through enormous changes over the years.  At one time they had a national chain of retail stores and huge online direct distribution.  But with anyone familiar with the consumer electronics and Hi Fi industry, everything changed with the iPod and digital music and people lost interest in component music and high fidelity sound systems.  And so the likes of Lechmere, Tweeter, Circuit City and many others went out of business in the late 2000s.

Cambridge Soundworks was no exception and was struggling in the late 90s but had a niche with products that worked directly with computers and the new portable music players like the iPod, known as SoundWorks.  They had comparatively good sound next to the competition.  In 1998 Creative Labs, a computer components and portable electronic manufacturer, acquired Cambridge Soundworks.  As best I can tell, Creative Labs cannibalized Cambridge Soundworks for their technologies and distribution and ended up closing all their retail locations. Their products dwindled, there was no innovation and their brand suffered.  As a loyal and committed customer, it was very sad to see this downfall.

In 2011, SoundWorks, Inc. was formed and purchased the remaining assets of Cambridge Soundworks from Creative Labs Inc.  They relaunched the business based on a new product called Oontz, a portable Bluetooth speaker system.  Frankly I was dismayed.  As someone who was into sound quality this was the last straw! Bluetooth was notoriously bad at carrying high fidelity sound and the speakers were so small that I couldn’t imagine anything worthwhile coming out of them.

Fast forward to 2016 and I’m a HUGE fan!  I think the Oontz products are incredible.  Yes, they still don’t offer truly high fidelity sound, but they do provide an exceptional solution for a convenient, connected speaker and mic system with good sound. And they have achieved this with a product that is simple to use and has better sound than the competition at a lower cost.

My takeaway

As a business owner I can become overwhelmed with the necessity and constant pressure to innovate and evolve to stay relevant. It is easy to get stuck in the nostalgia and wishful thinking of what used to work or how things used to be.  All you have to do is think of behemoths like Polaroid and BlackBerry to know what the risks are.  But when I think of Cambridge Soundworks, I’m inspired and amazed at the vision and guts it takes to truly innovate and evolve a business.

I’m inspired by Cambridge Soundworks because they were not held back by their own old products and past successes.  They were forward looking, understood their unique value proposition of good simple sound products at a lower cost, and created great brand new products that people want.

The result is a business reborn and great speakers I can call the Best Bluetooth speakers for home and office.

To Slack or not to Slack?

As many already know, the cloud based messaging tool Slack burst onto the market in the summer of 2013 and has become one of the hottest business messaging platforms around.  Honestly I was slow to pick up on its relevance and what differentiated it from other solutions.  I remember reading about it, looking into it and thinking I just didn’t have time for another gimmicky or niche solution which could expose me and my clients to security risks.

I’ve seen many new technologies come and go over the years and some of them stick around but don’t have the adoption or credibility to be a real business solution.  This has been the greatest challenge to Slack, because in order for it to become a solution that people can use, they have to prove that it is a safe, secure and reliable place to put businesses communications and files.

Brilliantly, Slack has used the same playbook as DropBox.  They managed to get their product into teams and businesses through the IT back door by offering free services that anyone can setup, offering simple, well written software and web apps.  And they have been so overwhelmingly successful at promoting their product that they have real credibility now.

Our Experiment

In our office we’ve been using Skype for Business for the last 4+ years and found it to be a great solution for keeping track of people’s Presence and reducing Inbox bloat.  So when we switched a couple months ago to Slack on a trial basis, I was very skeptical and didn’t want to give up what we already had.

In Skype for Business, Presence allows users to post their availability and what they are up to, like an electronic bulletin board.  This makes looking for help and answers much quicker than sending out multiple emails, calls, checking calendars, etc.

Skype for Business has also been great at reducing the Inbox bloat associated with the multiple interoffice emails, which tend to crowed out important emails.  And Skype for Business keeps your conversations available and searchable in your mailbox for review and documentation.

The Verdict

So after getting everyone connected on Slack and running it in place of Skype for Business for several weeks, we decided to stay on Slack.  In the end Slack offered several benefits that users felt better served our needs.


  1. The Slack software and web interface are simpler and more usable.  They are easy to understand and follow and get the information we need.  Slack provides great software for smart phones, Macs and PCs.  In Skype for Business, the software is slow to load and connect.  On the Mac users are still limited to an old Lync client, which is very limited and buggy.
  2. Conversations among multiple users (Channels in Slack parlance) remain persistent, which is enormously helpful.  This allows messages to be posted and users to review and contribute to them at another time.  They can also see the history of the conversation to give them context and allow them to catch up.  In Skype for Business, conversations are immediate, meaning you can’t send a message for someone to receive and respond to later.  If you do message someone who’s busy or offline, they may (not reliably) get an email with the “missed conversation.”  Once someone disengages a chat session, the session is over and a new conversation must be established without the chat history.
  3. Notifications and continuity between devices is very smooth and reliable.  Slack always seems to know where to notify you (Computer, phone, web, etc.) and is very good at reliably reflecting which messages are new and unread regardless of where you check.  Also, being able to manage notifications based on topic (Channel), direct messages or specific words is helpful in limiting unnecessary distraction.
  4. Extensibility is a very strong and a unique feature of Slack.  It allows integration and extension of the Slack systems to many third party solutions and plugins.  I haven’t used many of these yet but they are widely used with many 3rd party add-ins.
  5. Slack offers persistent file storage.  Unlike Skype for Business, which transfers files from one system to another when they are shared, Slack actually stores them.  This has some collaborative benefits but also introduces new security considerations. We have not been using the file sharing capabilities as we’ve implemented Slack with a very specific purpose and strict usage guidelines.  We don’t allow client data, sensitive information or files stored in the Slack systems.


Using Slack does have some drawbacks.

  1. Its support for Presence is very limited.  It really only has a “Do not disturb” mode and a light indicator to show if a person is online.  You cannot easily reflect location, current task or to indicate if you’re in the office but busy in a meeting.  This has also been reflected in the feedback I’ve gotten from users that Skype for Business seems more immediate.
  2. The user interface can become very muddled with what I call “Channel Creep” or “Channel Sprawl.”  Having too many Channels and overlapping Channels can get very confusing.  Ultimately someone needs to be in charge and maintain some level of order in an organization.
  3. Slack can also be another monthly cost.  In the Cloud age, businesses are saving on capital expenses but are being drained by the growing list of monthly subscriptions critical to their daily operations. It is true that the free offering may be sufficient for many users, but the free offering is limited and may not always be available.
  4. Slack possesses some security and data portability challenges.  The lack of data portability means you cannot easily take your data elsewhere if for example you decide you don’t want to use Slack anymore.  You can export your data for compliance and archiving, but the exported data is mostly unusable outside the Slack system.
  5. Security is also a consideration as Slack creates a new attack vector exposing communications and documents stored outside primary communications and storage systems like Google for Work, Office 365, DropBox, Box, Egnyte, etc. It constitutes yet another system, set of user accounts, passwords and copies of duplicate files for businesses to try and manage.  In 2015, Slack suffered a major security compromise exposing all their user profiles including passwords to hackers.


There are alternatives to Slack with similar communication models including HipChat and Fleep.  Both products have received much less media coverage then Slack but offer very compelling alternative solutions.  Not to be outdone, Microsoft is planning on introducing Skype Teams, which reportedly will have much of the same capabilities as Slack.


All in all, Slack is a great messaging technology that many businesses should consider using.  It offers a unique approach to messaging with significant advantages over older communication platforms like email, IM and voice.

The Cloud requires a new kind of intelligence, “Cloud Smarts”

Growing up as kids we could easily differentiate between school smarts and street smarts.  School smarts were the skills needed to excel in the classroom and school institution and street smarts were the “intuitive” skills that some had to survive on the “streets” and negotiate challenges, strangers, bullies and other potential threats.  These different kinds of smarts came to different kids with different levels of ease and were learned and taught in school and the home.

But in today’s Cloud enabled world driven by Big Data, there is a new set of skills and understandings that almost all of us are unaware of.  I would like to term these skills and understandings as “Cloud Smarts.” As a society, it’s increasingly critical that we cultivate an awareness of Cloud Smarts and its impact on our daily lives.  Without this awareness our democracy, economy and even our own free will are at stake!

The Cloud and Big Data Explained

The Cloud allows data and systems for many users to be maintained centrally.  This has a lot of benefits including huge operational and development efficiencies and improved access through web-based systems.  It also allows the data from a huge sampling to be analyzed, giving insights and making sense of data that would otherwise be inaccessible and seem random.  Big Data is the ability to analyze and make sense of these huge seemingly unrelated data sets.

Here are a few good examples of the positive impact of the Cloud and Big Data.

Example 1:

A large restaurant Point of Sale (POS) Cloud solution is able to see across thousands of its subscriber restaurants and develop insights using Big Data tools that can identify likely fraud patterns by analyzing retail, inventory and transaction information.  They share these findings as a benefit to its subscribers and alert them when likely fraud is taking place in their operation.

Example 2:

A large Antivirus company uses its millions of software agents across its installed base to inventory file signatures of all the files its software scans.  With this information, Big Data tools can help identify maliciously modified files and files that don’t belong on systems.  This helps the Antivirus company to identify threats that have not yet been discovered and improve the accuracy of detection of known threats.

Example 3:

A large Cloud provider of file and email services is able to see logon and access patterns of users across a large user set and geography and is able to use Big Data tools to identify likely hacking attempts by a sophisticated global actor. With this information they are able to notify the affected users and put in place counter measures to limit user exposure.

Anonymity and therefore privacy are lost forever

Cloud systems and Big Data are wonderful when they help solve problems that are becoming increasingly complex in a connected world.  However, with this incredible insight into huge amounts of data and patterns, anonymity becomes a thing of the past.

It doesn’t matter how many laws the EU puts into place “protecting” privacy or how well the medical industry protects your medical records through HIPAA compliance practices, people’s online behaviors generate unique patterns that, through the use of Big Data along with publicly available data sources, can uniquely identify them.  If you don’t believe me, check out this article.

Your Internet behaviors are being collected from many sources including your ISP (through sold DNS traffic), your Cloud service providers and Ad tracking systems (like the SilverPush system linked above). They are being carefully curated and stored by companies you’ve never heard of before called Data Brokers.  Data Brokers are happy to sell any of this information to whomever is willing to pay for it and allow the information to be used for whatever purposes the buyer would like.

With the loss of anonymity and personal privacy, the Cloud and Big Data can lead to some scary outcomes.  Here’s a few examples of the Cloud and Big Data gone wrong.

Example 1:

A large sales organization uses several online Cloud services to help facilitate their sales team.  The team can “share” materials with prospective consumers by sending presentation materials and links to online resources about their services and products.  Because the prospect is logged into Google online services (Chrome web browser) and also their FaceBook account, the Sales person can pull lots of personal profile information about the prospect without them being aware.  This is permissible through the Google and Facebook terms of use.  Also, the tool used to share the product materials allows the sales person to see what pages the recipient spends most time on, what info is skipped, etc. all without the prospect knowing it. The sales person is now armed with a trove of personal information without the prospect having any idea that the scenario is lopsided and the prospect’s chances of making an informed and fair decision are significantly impaired.

Example 2:

Large stock traders already use High-Frequency trading to connect directly into the electronic stock markets using fiber optic lines and high-speed computers to make hundreds and thousands of trades in fractions of seconds.   They use algorithms to anticipate even very minor changes in stocks and the market and make many buys and sells as a stock goes up or down.  These small changes can mean big money if you’re able to sell thousands of stocks in a fraction of a second.  Many people already find the High-Fequency trading unfair to the average joe trader.  But now imagine if High-Frequency trading firms were able to combine this capability with seemingly inside knowledge only available to them through the use of huge data sets and Big Data tools?  They might be able to correlate information from Data Brokers, Internet traffic behaviors, trending on FaceBook, trending on Twitter, trending on Google, weather feeds and other data sources to anticipate specific movements in the market.  They may even be able to track the likely geographical movement and purchasing behaviors of key executives to help determine certain outcomes.

Example 3:

It is possible that local and national elections are being impacted by well financed special interest groups using Data Brokers and other online data sources to create highly customized and individualized advertisements that would directly speak to individuals’ specific situations and concerns in order to influence their thinking and voting?  This advertising is unfair and manipulative because the viewer has no idea that the message is individualized and is based on inside knowledge of them.  These advertisements may not even look like Ads and may direct them to seemingly reputable resources and reporting with a specific political bent or misinformation.  It is very difficult to regulate these types of efforts and the use of Big Data and the availability of information in the Cloud makes these efforts relatively simple and scalable to roll out.

We must develop a good sense of “Cloud Smarts”

I’m constantly asking my friends, colleges, clients and family if they care if Google (The Cloud) knows so much about their behaviors: Searches, documents, photos, movements around the globe, phone calls, friends, etc.  And resoundingly they all say for the most part, No they don’t care!  They like the information, convenience and free services they get and are willing to give up “some info” to get them.

So what do we do to protect ourselves and make sure we continue to benefit from the Cloud and Big Data while not giving up the freedoms that make our society great?

Ultimately Laws will need to evolve to catch up with the technology to adequately protect citizens.  But until then, individually we have to cultivate an awareness of what data is out there, how easily it is collected, who has it (anyone who wants it) and how it can be used to impact our behaviors and our fortunes.  This trend is only accelerating as more systems and solutions move to the Cloud and more of our daily lives are conducted online.

We can also demand transparency and clarity from our Cloud providers.  One company who is setting the bar for this level of transparency is Microsoft with Office 365.  They clearly spell out how data is stored, protected and used and provide tools for customer auditing.

Cloud Smarts starts with a healthy sense of feeling vulnerable, a good defensive posture and being mindful of what data you knowingly put online (Ex. Google, Facebook, “free” services, Ad links, etc.). We can no longer browse the Internet believing we’re in control, because mostly we’re not.  We have to understand that Ads, links, sales people and other “strangers” likely have more information about us than we realize.

Brian Krebs is a well known reporter and blogger on computer and Internet security.  His blog posts and writings on security breaches and the general sense of online insecurity are eye opening and have helped me stay informed and understand the full scope of the issues.  He has several posts about ways to protect yourself online including setting up a Credit Freeze and Tools for a Safer PC.   There was also a very interesting article about Data Brokers on NPR worth reading.

Staying informed, aware and skeptical are the foundation of the new Cloud Smarts we should all start practicing.  Perhaps if we’re lucky the kids in school will learn about this, give it a better name and help teach us about the new reality.

Where does the traditional phone fit in with the modern business – VoIP and Internet Based Phones Solutions

VoIP  (Voice over Internet Protocol) has been in use since the early 2000s by both businesses and consumers.  However, if anyone remembers the early days of Vonage at home, you probably remember the horrible call quality issues.  Today the technology has improved and the needed bandwidth is now readily available.  VoIP is now the new standard for business and home phone systems.

VoIP basically means the phones are connected and calls are being carried over network equipment using Internet based protocols instead of the traditional low voltage copper lines in use since their invention by Alexander Graham Bell.

VoIP systems offer many benefits over traditional phone lines and phone systems including:

  • Simplified self administration, usually web based
  • Enhanced functionality including voicemail to text by email, call recording and internet based voicemail management
  • Simple and powerful automated attendant systems for flexible and professional call routing
  • Simple and powerful presence and call routing including find me follow me functionality, so calls can easily be routed to cell phones, home phones, office phones or wherever you are
  • Simplified unified system for offices and remote staff because all that is needed is good Internet connectivity
  • Built-in phone conferencing


VoIP solutions come in two main flavors, On Premise and Cloud Hosted.

The On Premise solutions have four main benefits:

  1. They can include integration with on premise CRM applications and other on premise software.  This is great for customer service departments and other call heavy departments.
  2. Lower cost for some organizations that have a requirement for a large number of handsets but few actual users.  This might include labs, manufacturing facilities, kitchen operations, etc.  Hosted solutions will charge monthly for handsets even if they’re not being used while on premise solutions only charge for the lines being used for inbound and outbound calls.
  3. Greater control and visibility into security as systems are maintained in-house and access to systems is limited.  This mitigates some exposure to threats like eavesdropping, call hijacking and long distance fraud, among other threats.
  4. Generally greater reliability and call quality due to the frequent use of dedicated switched circuits and the elimination of variables from network and Internet bandwidth limits.

Cloud Hosted solutions offer the following benefits:

  1. Very low up-front costs
    • Handsets and possibly some networking equipment are the only needed equipment
    • Dedicated Internet connectivity may also need to be purchased
  2. Very low maintenance costs as those costs are built into the monthly recurring subscription fees
  3. Unparalleled flexibility and scalability allowing phones to be setup at multiple locations, can be easily moved and can be easily expanded or contracted to accommodate changing workforce and business
  4. Lower Long Distance charges as many VoIP solutions offer fixed and inclusive National and International LD solutions


VoIP pitfalls and common mistakes

There are some significant pitfalls with using VoIP solutions, and often the sales people for these systems are not familiar with all the networking and technical challenges that should be considered, so it is really important to include your IT staff or consulting firm in these decisions.

Choosing the wrong VoIP solution or improper implementation can lead to lots of frustration, can impact call quality and wreak havoc on business data networks.  Some of these mistakes include:

  • Using the same data network that is used for your computer equipment
    • In this setup users “uplink” their machines through the VoIP phones.  This may be OK for some simple networks but it effectively puts a network switch in front of every computer.  This can have a significant impact on network performance and may impact the performance of some high throughput applications.
    • Using phones with slower ports than the existing networking equipment on your network.  Many phones are sold with 10/100Mbps ports while many offices are running 1000Mbps networks.  Newer networks are even going to 10Gig speeds.   By uplinking to these phones, the networks are effectively slowed down by a factor of 10 or more.  The phones with slower ports are less expensive and easier to sell for sales people who are not familiar with these limits.
  • Not provisioning proper Internet connectivity or traffic segmentation and prioritization
    • This can lead to dropped calls and call quality issues, especially when bandwidth becomes challenged by large computer downloads and online applications.
    • Simultaneous loss of multiple critical business data systems including phones and Internet when there is a reliance on a single Internet provider.
  • Purchasing too much networking equipment that overlaps with existing data infrastructure
    • Sometimes VoIP providers try to replace existing networking switches and firewalls, which may not meet the needs of the data systems, but are sold to accommodate the needs of VoIP systems.  This can lead to all sorts of network and security challenges.


Do you really need phones anymore?!

Before making any changes or replacing your current phone system, many businesses should really ask themselves do they even need phones anymore and if so how many?  It used to be that every desk and person needed a phone with voicemail, but now that paradigm has shifted.  Many startup companies don’t get phones for much of their staff unless they are direct client facing.  I’ve seen whole offices of programmers with no phones.

With so many modes of communications including email, chat, IM, voice services like Skype and Google Voice, Slack, Yammer, etc. in addition to users’ mobile phones, desk phones have become superfluous for many. In fact, I have users complaining about having to have an office phone as it is just another voicemail they have to manage. Similarly many people are seeing their home LAN lines as unnecessary.


Alternative Internet based phone solutions

Many businesses should consider using a Virtual Phone System rather than a full-fledged VoIP or on-premise phone system.  Virtual Phone Systems include some elements of a VoIP solution but do not actually include handsets.

These solutions allow businesses to have a phone number, automated attendant and call routing but lets them take advantage of the diverse phone solutions their staff already have in place including mobile phones, traditional LAN lines, etc.  This is great for a distributed work force or sales team and offices that have low call volumes.  These types of solutions can also be effectively combined with VoIP and On Premise systems to meet the needs of many businesses.  Some of these Virtual Phone Systems include Grasshopper, VirtualPBX  and OneBox.


Great VoIP solutions for office and home for people who don’t “need” a LAN line

The move is on in homes across US to drop their home LAN lines.  People don’t see the need for the expense and functionality is redundant with their mobile phones.  Even small home based businesses are simply using mobile phones and other solutions like a Virtual Phone System.  But there are still good reasons to have a primary phone line and there are some really good inexpensive solutions to meet this need.

Some of the compelling reason to still have a “LAN” line are:

  • Phone number tied to a location:  Sometimes you need to call a location rather than a person and the LAN line is always in the same place.  So if calling the house or the office, you may not care who picks up but that someone does.
  • Safety: Having a fixed phone to ensure communications in the event of an emergency can be very important.  Mobile phones wander and are tied to users but kids and staff may need to place calls to safety personnel when mobile phones are not available and don’t reflect a traceable address for 911 operators.
  • Call quality: Good VoIP phones is still offer better call quality then mobile phones, especially within some buildings or areas where coverage may not be good.

Ooma is one of my favorites choices for VoIP solutions for home or small office.  They offer “Free” and Premium solutions that meet most user’s needs at a very compelling price.  The “Free” offering requires an up-font $100 purchase and monthly $4/month “Taxes and Fee” for their basic service plus International LD and other service charges. Their Premium services is only an additional $10/month, but this may not be necessary for many users.

In a world of so many communications options, the traditional phone has still managed to stay relevant.  But with the Internet as its backbone, the phone has morphed into a much more flexible and capable tool with many different deployment options, which businesses and individuals should be keen to take advantage of.

Encryption, a double edged sword for businesses and home users trying to stay safe on the Internet

People may think of encryption as a technology that protects users’ privacy and security. And it’s true, encryption can be a powerful tool to protect ones privacy and secure sensitive information.  However, the current trend toward encrypting everything has created a significant challenge for businesses and users trying to stay safe from hackers and malware.

Encryption is the process of scrambling data so that only the intended users can access it. There are many forms of encryption.  Some encryption technologies protect data in transit such as TLS/HTTPS, which protects the information passed back and forth to websites and through email.  Other forms of encryption are used to protect data at rest on hard drives, iPhones, and cloud storage.

What does this mean for me, my business or my family?

It’s great to know that my credit card number is safe as I buy products online or conduct online banking.  But this same technology is also helping the bad guys to hide their malware and their efforts to steal our money, resources and secrets. The expensive technologies we’ve put in place including gateway firewalls, web filters, email scanning, Antivirus, etc. has been rendered increasingly ineffective now that more and more traffic is protected by the cloak of encryption. The content can only be viewed once it is executed and unpacked on your machine or your network, and by then it too late!

Imagine my 9 year old son, at home, going to to search for videos for fast cars and Hot Rods.  I do limit his access to sites by category, but is considered a legitimate and safe site. is run entirely over HTTPS, encrypting all traffic from my home computer to the servers.  Once he’s connected, the Next Generation Layer 7 Firewall I have installed at home (perhaps overkill for home but this is my line of work) can’t see anything going back and forth between my son’s input and the results that YouTube gives him because its all encrypted.  His search terms and the results are blind to the filtering I put in place. So when that video of Hot Rods shows up, which was not at all what he was expecting, me and my wife are put in the unenviable position of answering our very inquisitive son why someone might make that video!

The same is true with other legitimate sites.  Almost 50% of websites online are WordPress sites.  These sites, if not maintained, are highly susceptible to compromise. I’ve seen many examples of sites becoming compromised and distributing malware to unsuspecting visitors.  That Youth Hockey site forum or Spa website you frequent may be the source of your next computer virus!  If the site is being run over HTTPS, that traffic is not being filtered by the web filters, firewalls or Antivirus you have in place, letting the malware into your network and your computer unobstructed.

Even this silly Blog is encrypted over HTTPS.  I could be infecting your machine right now! Encryption is being used heavily throughout the hacker world to evade detection and for distributing their malware..

Why is everything being encrypted and how did we arrive at this point?

When Edward Snowden released his Wikileaks documents in June 2013, aside from the specific details and revelations, its greatest impact was that they shattered one of the basic operating principles of the Internet, there is privacy in numbers. It was always understood that the sheer volume of transactions and data on the Internet made the Internet relatively private for most of us.

Why would anyone care about a personal email to my grandma about my plans to meet her on New Year’s Eve?  This email is one of trillions and the subject is seemingly irrelevant to anyone else but Grandma. The amount of time, money and effort for some organization to find, catalog, store and correlate this one email was thought to be improbable if not impossible. It’s like walking through Times Square on New Year’s Eve picking my nose.  Who would notice or care?

But we learned how the U.S. Government had put systems in place to do just that, record huge amounts of data from all communications systems and the Internet, cataloging the information and making this data usable through artificial intelligence, analytics, pattern matching and targeted searches.  Content and data streams from large companies such as Google and Microsoft had also been intercepted and fed into these systems.

Learning of this made individuals, Google and other institutions mad.  People’s privacy and confidence had been breached!  But really, how does this affect me and my email to Grandma?

Our trust and privacy was violated!

Google, Microsoft and other large companies immediately began implementing greater encryption across all their systems.  In 2014, Google made news by modifying their search algorithm to make the results of encrypted sites appear higher in search results and by publishing statistics about ISPs and websites who did and did not encrypt their web and email traffic.  So now this silly blog site is encrypted because I want to be found on Google! Along with this trend, the technology progressed and the processing overhead of encrypting traffic and decryption no longer posed significant overhead for providers.

Now all your search requests to Google, increasing numbers of websites, emails and more are encrypted, making access to this information by the prying eyes of the government and other unwanted and dangerous actors much harder if not impossible to access.  There are even moves to encrypt more traffic on the internet including DNS and other communications.

But are we safer and is our information more secure?

Unfortunately we’re not any safer today. According to Symantec’s latest Threat Report, there were almost double the number of Zero-Day threats discovered in 2015 then in 2014, a record 9 mega data breaches in 2015, over 50% increase in Spear-Phishing campaigns targeted at employees and the list of troubling statistics goes on.  The unintended consequence of ubiquitous encryption has only made the detection and discovery of malware and hackers efforts even harder.

It may be true that the U.S. Government no longer has ready access to your data, but now the tools and solution we have to protect ourselves have been compromised by the use of encryption.  Our personal data has become the domain of private corporations such as Google, who have built walls around their systems with encryption with little oversight and transparency.  Hackers can now more easily and stealthily steal our information and avoid detection with the help of encryption.

Instead of the U.S. Government knowing about my email to my grandma and my plans to meet her in Times Square on New Year’s Eve, Google, their affiliated advertising partners and also anyone else who sees the geographical coordinates published by my photo on Instagram and Facebook know exactly what I’m up to.  Also, because the hackers have successfully installed a quiet keylogger on my machine that was downloaded from the secure Youth Hockey site, they have successfully co-opted my good credit rating and opened 5 credit cards in my name and have left me with $50k in loans. They also managed to rob my house while they knew I was out of town.

What’s a person to do?  I like the privacy encryption provides but I don’t want to be a victim.

I’m not saying encryption is bad or we should stop using it.  However, it does pose a particular challenge to people and businesses alike trying to stay safe on the Internet and protect their information.  There are some technological solutions available to help mitigate these risks including HTTPS inspection solutions, and software and hardware pattern matching solutions.  They are worth consideration for many businesses but they’re expensive and hard to implement effectively.

Also, Antivirus companies are releasing new products and technologies that are starting to address these challenges through sophisticated behavior analysis, so staying up-to-date and implementing their new solutions is important.  There are also some notable startups that are taking different approaches to identifying and fighting malware including Cylance and Barkley.

Keeping computers up-to-date with all their software including OS (Windows, Linux and Mac) and all third party software (Java, flash, browsers, plugins, Microsoft Office, etc.) is also critical in protecting yourself. There are lots of solutions for businesses to deploy updates and patches across a network.  Home users or small offices can use a free tool called Secunia PSI.

The most effective and important thing anyone can do to stay safe is follow Safe Internet Behaviors.  Companies should be testing and training their users by sending out malicious like emails and phone calls to try and trick them into giving out information or access that they shouldn’t. There are now many solutions like PhishingBox that can provide these services.



Safe Internet Behaviors

Clicking on the wrong website links, wrong advertisement links, wrong email attachments and filling in the wrong online forms can expose you, your colleagues, your family, your employer and your friends to significant risk of:

  • Identity theft
  • Stolen online funds
  • Lost data
  • Lost access to online accounts
  • Future unknown risks

1. Email

  • Never open attachments from anyone you don’t know or don’t expect to receive something from.
  • Confirm with the sender what an attachment is before opening if it is unexpected.  If you hit reply to the message, does the To: address look correct? Malicious emails will spoof the sending address so when you reply, the recipient often will not look correct.
  • Never “Enable Macros” or download or install Plugins if ever prompted without fully knowing the validity of file. Malicious PDF and Office documents may try and trick you into running malicious code.
  • Never click on links within emails without confirming them with the sender.  Emails with fake links often report to take you to a GoogleDrive, DropBox or Banking sites but instead send you to a malicious site that will prompt you to download, run or outright infect your machine.
  • Be very suspicious of emails from your bank, IRS, FedEx, USPS and other institutions with links and requests for information. If there is any doubt about the legitimacy of an email or link, go directly to the institution’s website or contact them directly by phone.
  • Do not “unsubscribe” to unwanted emails unless it is from a trusted source that you are aware you signed up for.

2. Web browsing

  • Be very careful about clicking on Sponsored links and advertisements when performing web searches (Google, Bing, Yahoo, etc.). Perpetrators of malware buy ads and insert malicious code and links to try and get more exposure for their malware. Google search results, which appear below the paid advertisements, are safer as they cannot be as easily manipulated to show up on the first page.
  • Be very cautions about clicking on and opening files and programs downloaded from the Internet and only open those from known legitimate sites.
  •  Don’t install or open any files and links that pop up on the screen unexpectedly. Sometimes malicious software will purport to be an update to valid software like Adobe Flash. If you think your software may need to be updated, close the window and go directly to the software publisher’s web site itself.
  • Full screen prompts about your computer being Infected should be treated with great caution. This is frequent technique to get users to click on or run files that will infect your machine. See if the window can be closed and reboot the computer if necessary and contact someone who can help evaluate if your machine has actually been compromised.
  • Never search for license key generators, movie downloads, music downloads, free software, torrents, etc. as they are almost always gateways to malware. 

3. Phone

  • Never accept calls from Microsoft, government agencies, your bank or any other institution that you’re not expecting, that are looking for information, login info or access to your computer. This is a common tactic to gain access to your computer and other information to defraud you.

4. Wire Policy

  • All wire instructions should always be independently verified by outbound phone call.  Secure emails, emails or inbound phone calls should be considered sufficient to process wire instructions. 

If you ever have any doubt or question regarding the legitimacy of an email, attachment, or website, please feel free to reach out to Mantra Computing. If you do have an instance where you feel your computer is infected, the best course of action is to turn off your computer and give Mantra Computing a call to assess the situation and help determine the appropriate next steps.

Cyber Insurance, it’s worth another look for most businesses

In the course of life I find all sorts of reasons to worry.  It really doesn’t take much to get me going.  But technology is my business and it takes a lot to shake me, but recently I’ve been shaken.  The rise of high profile and continued data breaches, the widespread and evolving threat of ransomeware and other cyber threats, it seems nothing is really safe.  Our personal, financial and social lives are all so connected to the Internet and it seems like there is no where to hide.

Is the risk real, am I really a target?

The truth is these concerns are real, not some boogieman.  They are not abstract theoretical risks and I’ve been working with clients over the last few years dealing with their impacts and helping them try to avoid them.

Some of these experiences have included the following:

  • Ransomware attacks including Cryptolocker, Locky, Cryptowall, etc. Costs involve cleanup (removing the infection), restoring lost data (either from backups and/or paying ransom) and down time caused by systems being taken offline and made inaccessible.  These costs add up ranging from a few thousand dollars to tens of thousands of dollars.
  • Online store fronts being compromised by foreign attackers who compromise sites and code to steal CC and other info.  Even in situations where these compromises take place with 3rd party services, culpability and responsibility have been murky and has caused significant cost to clients. Costs range in Notifications requirements, cleanup and due diligence, legal fees, etc. and can range from a few thousand dollars to tens of thousands of dollars.
  • Disclosure of Personal Information (Legally protected by State and Federal laws) through accidental disclosure (Laptop lost, accidental email, etc.) and from flawed 3rd party software/services that become compromised or flaws allow unauthorized access. Costs for these types of situations can range from a few thousand dollars to tens of thousands of dollars due to disclosure/notification requirements, software/service changes, legal fees, state and federal enforcement actions and potential liability implications
  • Lost funds due to Compromised/Hacked network computers and equipment caused by accidental user actions or faulty unpatched software solutions. Many times these bank funds can’t be retrieved and are lost forever.  Other costs include disruption to business, interruption to line of business resources, and other mitigating efforts.

Businesses must take these risks seriously and protect themselves like they do for any other risks. Cyber Insurance is now a real and effective tool for protecting businesses against real and significant financial losses.

What are the options and costs?

Cyber Insurance policies used to be cost prohibitive, poorly defined and confusing to understand.  However, today there are lots of good options.  A good policy should cover the below items, which are not included in Professional Liability solutions:

  • Access to or Disclosure of Nonpublic Files
  • Breach Notification and Credit Monitoring
  • Lost Business Income
  • Reputational Damage
  • Loss or Damage of Computer Systems

Costs can range starting from a couple thousand dollars for a business with a million dollars in gross revenue.

What about all the technology I’ve put in place to protect my business?

In addition to good layered security solutions including Next Generation firewalls, network/computer monitoring, security software, user training and an up-to-date Written Information Security Plan, Cyber Insurance is a good tool that all businesses should be considering.

No matter how good your protections are, mitigating all the risks is impossible.  The risks are constantly changing and Cyber Insurance is there to help fill that gap.