Technology Practice Tips Podcasts

Practical law practice technology concepts in an accessible, conversational manner with Phil Brown and David Whelan

Social Engineering

Phil and David talk about social engineering and how it can threaten your law practice.  Scams like phishing, vishing, and smishing, and criminals accessing your accounts by using personal information to bypass your account and other security, are disabling law practices all the time.  Learn about what these threats are and how you can avoid being socially engineered.

Speaker Key:      PB Phil Brown, DW David Whelan

 

PB :      Hi, it's Phil Brown and I'm here with David Whelan and today we're going to talk about social engineering.

DW :     Oh, wait I thought we were talking about an engineering social life, so engineers getting together and stuff.

PB :      No, we're going to talk about more how this might affect lawyers and paralegals.

DW :     Okay. So, social engineering is maybe not a term you've heard of, but you will have heard of what it is. Social engineering involves people, maybe not even using technology, maybe just using telephones, to use your emotions and your normal inclinations to be helpful and share in order to pry out information from you like your credit card number, like your passwords, like information that you wouldn't otherwise divulge. And so the social part is really the human interaction that leverages that information out of you.

PB :      And it could be as simple as someone arriving at your office with a stack of 10 pizzas for your staff and saying that they're there and everyone's supposed to gather in the conference room. And they think it's a party and everyone goes into the conference room including the receptionist to get their pizza. And the person who delivered the pizzas now walks over and plugs into their server and could possibly insert some sort of Malware or Trojan or whatever through one of the USB ports and it's essentially just been a two minute interruption of service.

DW :     Yeah, it's a funny area because there's so many different things that go on and you'll have heard of phishing, you may have heard of vishing and smishing, pharming, water holing. They're all sorts of interesting terms that pop up in the media. But really all of these fall under social engineering.

PB :      And it all has to do with our need to see what's in that email or our need to respond to something. Or someone has told us something's wrong with our accounts so we need to figure out what that is quickly.

DW :     And some of it's very random. Phishing for example, spelled p-h-i-s-h tends to be emails that come in but they're sent to thousands and thousands of people on the hope that someone will see "Oh my bank account has been breached and I need to click through." And when they click on that link they go to a site that either downloads malware to their computer and infects them, or they are prompted to put in information like their user name and their password for their bank but they're not actually on the bank's site.

             That is escalated with things like water-holing or spear-phishing where the email isn't sent to lots of different people it's sent to very specific people. And so, the email feels even more authentic because it's true to the sort of email that that person would expect to get.

             I know recently I've been receiving a lot of emails that have to do with court filings. And so, inside the email there's a document or it looks like it's supposed to be a document that if I clicked it, would appeal to me. So, they are varying levels of tailoring but they're all meant to have you do something to give up some piece of information.

PB :      And vishing, although we both don't like that term, has become more common because of things like VOIP, which is the voice over internet protocol system of telephony.

DW :     There have been some terrible examples this year, it's 2015, in the U.K. two lawyers have gotten in trouble and suffered discipline when they received a phone call from what they thought was their bank, they then took actions based on that phone call. Often, what would appear to be legitimate, but it ended up moving huge sums of money in their trust accounts from one place to another. And, unfortunately, the other place was controlled by the scammers. And so, they were then able to remove all of the money. So, it really is, even on phones where there's no technology involved, it's a matter of using common sense and really thinking about what kind of information am I giving up or what am I doing based on requests from someone who I actually can't see.

PB :      And I think in one of the English examples there's one with a loss of over £700,000.

DW :     Right, yeah, it was really huge numbers.

PB :      And now we need to look at it from the perspective of when you get that email and this is another thing that's common with VOIP, you might have a voicemail, but you're able to access it through your computer and click on that voicemail file that, WAV file to listen to the voicemail that's been left for you.

DW :     Right, you should really be very cautious with anything that looks like it's sending you a link that is taking somewhere else, whether to listen to a voicemail message or to fill out a form or an attachment that looks like it should be something that you should download and listen to or open.

             Go through your same process that you would normally do, even if it's a voicemail and even if you're in a hurry, rather than double clicking on that file "right click" on it and save it as an attachment to your drive and run your virus checker on it because the emails that are coming in are extremely good at - I mean we're well beyond the days when you had typos or people who are addressing you as a Nigerian Prince, although I do sometimes get requests for barristers from the U.K, which I think is quite funny. But the emails have gotten very sophisticated and again, if it's been tailored to you it's going to be something that's going to be very difficult for you to watch. So, without becoming too paranoid, you do really need to watch every email that comes in.

PB :      And you'll get a lot of phone calls now from people claiming to be - the popular one this year was the Revenue Canada call or the CRA call saying there was a warrant out for your arrest and if you paid a certain amount of money by such and such a time, which you could do immediately of course by giving up a few of your credit card numbers. And it was usually a small amount. It was a few hundred dollars or a thousand dollars and if you paid that amount immediately that would be the end of the warrant you could go on your way. I mean CRA doesn't call anyone, but, again, it's that sort of panic response you have when someone calls and says, "We are an authority and you need to deal with this now." And that's what plays into that social engineering aspect.

DW :     Another story that I heard recently is really interesting. Someone who pretends to be your tech support and just randomly calls people at the office and says you had a tech support call, I'm just returning the call and trying to help. And they'll often get someone who doesn't realize that maybe, you know, they hadn't put in a call very recently or they just had a question and so they start to talk to this person and they'll give up their username and then maybe they'll give up their password and thinking that they're dealing with a co-worker.

             And, of course, when you want to get along with your co-workers like Phil and I do, you're willing to give up information that you might not otherwise do. And if that person's now outside the organization in our modern environments where there are often employee portals that you can log into remotely or remote networks that you can log into remotely. A username and a password from inside a corporation can be very valuable.

PB :      And it's very easy, not to pick on VOIP, but with a modem and a magic box, very quickly - I mean I received phone calls from my own phone number while I've been on my own phone. So, it's obviously not me calling me. But they can spoof any phone number, they can spoof any organization. So, you'll get a call that purports to be from the Royal Bank, it's not necessarily from the Royal Bank and you still need to zealously guard your information and not just give it up to someone on the phone because they purport to be from a particular agency. None of these agencies and the banks, even the cable companies, none of them will call you up and start asking for your personal information.

DW :     And that's a good point. Both you, and the staff that you train, so that they are as aware as you are about how to deal with these problems should never give up something like a password over the phone or even over email. Those are just not the sorts of things anyone ever will ask for. They'll always reset it if they have a password issue so that they can go and get into your account that way.

             But that is just the sort of normal response where someone calls up and says it's a real emergency I've got to get my password or I'm calling for somebody who you know is out of the office and I need to get their password. That's the time when you slow down and you hang up the phone or delete the email and you don't send that kind of information. You find a different way to accommodate their request or to confirm really that the person who is on the other end of the phone or email is actually the legitimate person.

PB :      And another aspect of this that lawyers were seeing in a different form earlier this year and over the last couple of years have been with regard to collection. And they're getting certified cheques sent to them by someone who's paying off this collection and the instruction will be to put it through their trust account immediately and take a piece of it for their fees and so on. And this certified cheque is often stolen. But quite often the number on that cheque that the lawyer would call to confirm the account and confirm the amounts of the payor or the payee and so on, those would be added to the cheque after the cheque had been stolen.

             And you're really just calling the fraudsters to confirm that the funds are there and to confirm that everything's fine when you should be picking up the phone and looking for and looking on your computer to find out who's behind this? What's their main phone number and let me go through it that way to confirm things or deal with your local banker. You shouldn't just accept things at face value because it's printed on the cheque.

DW :     Yeah, particularly if you're talking - the case of the U.K solicitor who moved almost a million Canadian, that's the time when you're dealing with large sums that you really need to slow down and take as many precautions as you can. If you're getting emails that come in and say your account's been locked or your credit card's been denied or whatever, please click on this link and change it, then instead of clicking on that link go to your bank's website by typing it in your web browser and making sure you're going to the place you think you're going and then attempting to log in and attempting to see if that message is actually under your account. Because it's much safer and it's so easy to click on the link and go somewhere and think that you've arrived and it's just a false facsimile of the place that you thought you were.

PB :      And that's - I mean is really important I think to not click on attachments if you get attachments from someone you weren't expecting or this is different, as David said, that plea for money from a foreign country, this is they know human behaviour, they're working on that human behaviour, they expect you to click on something and if you click on something and maybe it looks like nothing happens on your computer and gee, I guess that's a bad file. But what's really happened is a Trojan or a worm has been downloaded onto your computer that will activate later and you might be sending out all your clients' information or banking information back to someone else. Or it may just be ransom and your computer will be encrypted and you'll be notified by email saying "Oh, by the way, $500 U.S and we'll decrypt your computer, otherwise we'll delete everything in a week."

DW :     So, hopefully that's made some sense to you. And if you have any additional questions, please just send four million dollars in unmarked cash to the Great Library and I will get back to you as soon as I can.

PB :      And that's our look at social engineering. Thanks, David.             

DW :        Thanks, Phil.

Lawyers Working with PDFs

Portable Document Format (PDF) is a default document format in the legal profession, whether you're downloading government documents, providing e-discovery, or just sharing with clients and counsel.  Phil and David talk about PDF tools, how to use mobile tools to capture documents and save them as PDF, and archival standards like PDF/A.

Speaker Key:      PB Phil Brown, DW David Whelan

PB :  Hi, it's Phil Brown and I'm here with David Whelan and today we're going to talk about PDFs.

DW :  PDFs are ubiquitous in the legal world, the portable document format, which is actually kind of funny because pretty much everything is portable these days. But the portable document format is the base for a lot of information sharing. Courts and governments use it on their websites to deliver information. It's a great way to take a document that you might have created in a word processor that would change if you sent it to someone else if they opened it up in their word processor. You can fix it so that it will always look the same. And both the fonts and the pictures and the lay-out, everything will stay the same. So, it's very useful.

PB :  And it makes it a little more hard to edit. So, for instance if you sent something to a client to review, and a little word of advice you should never send a client an open Word document, or anything like that because they can clip your letter head from it and your signature block and all sorts of things and use it nefariously. Because the PDF is a locked down version of that document that you've created in a word processing program, that's the one you want to send to clients.

DW :  Right, there's a great post on the lawyerist.com site about why you should always use PDF for your final documents. And so, essentially, you can consider everything in your practice work product if it's in a Word document, not work product as evidence goes, but work product as work goes and then all your finals now are PDFs. So, when you get to the point of closing a file, you know really that you just have to go through and find all the PDFs because that's what you've been sharing with the client, that's what you've been sending to the court or to opposing counsel and now that's what you need to incorporate into your closed file.

PB :  So, it's like a snapshot, but it's not a snapshot.

DW :  Right. It can also capture a lot of information about the file so that if you put metadata into your Word documents that metadata can get transferred over into your Adobe Acrobat or your PDF files. And I just made the terrible slip that we were talking about earlier. Adobe Acrobat is almost synonymous as you can tell from the way I said it with PDF. Because Adobe developed the format and the Adobe Acrobat Reader is ubiquitous. Practically everywhere I think I've seen a reader, they use the Acrobat Reader. But they also are the creators of the Adobe Acrobat product, which is different from the reader. It costs money and allows you to edit or create PDFs. And so when you're dealing with PDFs you really have a lot of tools that you can use to work on them. And Adobe Acrobat is just one of those.

PB :  And the PDF is the cornerstone of the paperless office.

DW :  Absolutely, yes. I mean if you really want to be able to share documents, you don't have to worry about whether the person has Word or Word Perfect or what version they have and how the document will look on the other end. You can be almost 100% confident that the document they get will be something they can open.

PB :  And you mentioned metadata and metadata is created whether you want to or not with a Word document it tells when that document was created and which machine it was created on and at what time it was modified and any number of key words might be pulled from that document and incorporated in the metadata. And a lot of that is removed automatically when you convert it to PDF but you can also remove more.

DW :  Right. And so, that gives you the option then of when you create your PDFs to have as little metadata transported over from a document. So, if you're reusing a precedent you don't want to have metadata that may reflect on the other clients that you've used that precedent for. So, the PDF can help you to clear that out. And the PDF can also have information so that when you have to use it later or other people need to use it, it's easier to find it so you can add keywords or descriptions or properties in the same way you would with a Microsoft Word document.

PB :  And that is one of the beauties of the PDF is you're able to tag all sorts of unique information within it. So, if it's about forensic information, you might put in a forensic keyword or a file keyword or there's a number of things you can put in there. Maybe it's forensic and blood spatter and when you go and do your sort of global searches throughout your stored information you're going to be able to pull up these specific documents.

DW :  That's right. That's particularly useful if you have scanned in the document. And so, the document doesn't actually exist as text. You know, you have created it from a word processor, if I scan it directly in and I don't bother to do any character recognition on it, then it's really just an image. So, although I can read the words if I open up the file, the computer can't read the words because it doesn't know the words in the image mean anything. So, adding metadata particularly to scanned files that are on the images can make those PDFs very rich.

PB :  And maybe while we're talking about scanning, a number of scanners actually come with a program that's a reader or an editor as well.

DW :  Right, you can save a tonne if you find a bundle of Adobe Acrobat, the actual Acrobat editor, with a scanner you can save an awful lot on the overall licence to that software.

PB :  Now Adobe like many other companies is starting to go to a cloud model so you don't get a big box of software anymore if you were to buy the full Adobe Pro or whatever you would get a Creative Cloud license and you'd be paying by the month for that service and you get automatic updates and things like that.

DW :  It's one of the reasons why I think the cloud's a rip-off. In the old days, you used to have a shelf full of all the old software that you either didn't implement or hadn't implemented in a long time. And now you don't get anything for your shelf.

PB :  You don't get any for your shelf, but you do get regular and automatic updates for your software, which in the old days when you paid $600 or $500 for a chunk of software, you didn't want to spend that again the next year to get your updates for the next version. And you usually didn't know what the big updates were anyway.

DW :  Right. Yeah and it's important to keep the software up to date. So, it's important to understand where you might be able to create or modify PDFs and the kinds of software that you use. Phil and I were talking about a couple of different areas and really I think it's fair to say they fall into the reader category, the writer category or the printer category, and the editor category. Do you want to talk about the reader?

PB :  Sure. So, readers, a PDF reader, there are a number of open source ones. And then of course there's the Adobe Reader and the Adobe Reader comes with just about every device out there. If you're using a laptop you probably have some version of Adobe Reader on it. Or if you're using a tablet, probably has a version of Adobe Reader. And it just enables you - a lot of browsers now come with an add-on so you can just read a PDF file or open it up on your browser and you're able to read it. You're just not able to edit any of those files necessarily with the reader versions. And as I said there's open source versions as well, not just Adobe; there's lots of other players in the game.

DW :  Yeah. Sumatra's a nice one. It's kind of ugly but it's a good open source one. I think the real benefit on the reader side because it is such a baseline, is the ability for people to be able to sign a document or PDF from within the reader. So, if you're looking at readers or whether your client has a particular reader and you're sending them a PDF to sign just be aware that in Adobe Reader you can do it, in Nitro PDF Reader there are ways to attach a digital signature, whether it's a picture of a signature or a little digital stamp or finger drawing on a tablet. That's one of the real benefits of the readers.

PB :  And the writers and editors are more robust.

DW :  Yes, the writers actually, it used to be a big deal to get a PDF writer but now it's built into the Microsoft operating system. So, that if you're ready to save your file, your PDF, and send it off to your client, you just do file save as and choose PDF format instead of .docx and it will generate a PDF file that's new and different from your .docx file, with the same contents but with all the information that you got in at that time. So, the writer really is something you can do file print as.

PB :  And they're also smaller files and take up less space.

DW :  Yes, yeah they'll be compressed over the Word doc. And they're useful too - I just misspoke, what I meant to say was file "save as" in Word. But if you have a printer installed, again I use Nitro PDF, but there are lots of them out there. Many free PDF printers when you go to a website or when you go to something else that doesn't have a "save as" capability into PDF then you just do file print and you print directly to your PDF printer and then you end up with a PDF of whatever the website is or whatever you're looking at.

PB :  And a lot of programs also have an export option as well.

DW :  Yeah.

PB :  Where you would export that document as a PDF.

DW :  Yeah, there's some really interesting tools. And we're going to talk about editors in just a second. But I think there's some other useful ones. One I wanted to mention because it's similar to, although not as powerful as the functionality in the Adobe Acrobat Editor, is something called PDF SAM. And if you Google PDF Sam, it's an open source tool that uses Java, which I'm not really thrilled about, but it allows you to split and merge, that's what the SAM is in PDF Sam. So, you can split and merge a PDF. So, if you receive a PDF you can split it into multiple pages or into parts so that if you only want to share or keep a couple of pages you can do that. Or if, for example, you're doing an expense report and you have multiple receipts from somewhere you can merge them into a single PDF. If you're closing a file, you can merge them into a single closed file for your client.

PB :  Sure. And just before you talk about editors I wanted to mention a lot of tablets and phones now you can download a program for scanning documents. And it's great for things like receipts and other documents, where you can actually just take a snapshot of it; it's immediately converted into a PDF. It's framed. Even if you did it crooked, it will be framed up nicely by the app and there's a number of apps for your phones that are a buck, two bucks, three bucks. And there's free ones as well. But you can convert something, a snapshot of something on a tablet and convert it to a PDF and export it to a client if you need to. And they can presumably sign it and send it back to you.

DW :  Yeah, it's great. I keep my office paperless that way. I use Microsoft Office Lens, which is free on Android and also Genius Scan, both of them are great. Genius Scan is actually a paid app, although I'm so cheap I think I got it free. [laughs] So, editors.

PB :  Yeah, let's talk about editors. What's the difference between an editor and a reader?

DW :  An editor will allow you to read a PDF but it will also allow you to actually make changes to it. So, say I saved a document out of Microsoft Word and I open it up in my PDF reader and I see that there's a typo, I could go back into a Microsoft Word, make the change and do the "save as" again, or now I can go into my Adobe Editor, my Adobe Acrobat Editor. And I think it's called Adobe Acrobat DC now for the latest iteration, the one that's sort of quasi-cloud. And I could actually click on the word and use the tools inside it to change the letter from the typo to the correct. So, there's an awful lot of extra functionality built into it. Not just things where you're dealing with the text, but you can add forms, you can create what's called in Adobe it's, only in Adobe Acrobat, portfolios where you bring in a bunch of different PDFs or video or audio into a single PDF file. So, it allows you to do some really fantastic things within the document.

PB :  And if you're worried about a client having a PDF editor on their desktop and altering your document, you should know you can also lock down that PDF so it's a read-only version and it cannot be edited no matter what.

DW :  You can even go beyond that, you can stop cutting and pasting, you can stop printing. I will say, and I won't tell you where I heard it, but there are ways to get around those sorts of restrictions. But I don't know if there's a way to get around a password if someone has just locked down the cutting and pasting. There are ways to get around that. But it really gives you some excellent options. Another thing is the bookmarks or the index, the Table of Contents that's generated with the PDF. If you're in Microsoft Office it will often generate that for you if you're using Microsoft Office styles. But if you're in the document and say you've got 12 exhibits you've all put together into a PDF after your factum. Now you can create that Table of Contents within the PDF editor so that when someone else opens it up they have a nice Table of Contents on the side so they don't have to just page through and see what you have, they can very quickly see all of it in one little screen.

PB :  So, the last thing we can talk about is maybe a bit about archival PDFs and the differences.

DW :  Yeah, there's a long-term concern about how to hold onto these digital files. I mean we were talking on a recent podcast about the yottabyte and whether a practitioner will have all of his or her files on a single disc for his or her entire career. So, how long do you keep these files and what sort of format are you going to keep them in? If you've got old Word Perfect files you're probably already struggling to be able to open them in anything. PDFs will have a longer life and then in the PDF world there are the archivists who are worried about PDF/A and I know you're an expert on PDF/A.

PB :  Maybe not an expert. But PDF/A is something that came in, as David said, to archive documents and still be able to retrieve them a number of years later and I think the standard they were shooting for was six years. And the question is if you save something now in a particular format and you mentioned one product, WordPerfect, some of those documents you can't open now because you may have had an older version that it was created in, you don't have any version now in trying to open it in Word. You might be able to open it but you might lose a lot of the formatting and possibly some of the content. So, the goal with PDF/A was to come up with something you could open six years from now and wouldn't lose any data. You'd still be able to read it in the form it was saved in and so on.

DW :  The funny thing is I talked to the Law Society archivist about this and he said that there's a real split of opinion over whether that's good because you do lose some of the functionality that makes the PDF useful like embedded links and things like that in order to get that longer preservation. So, even in the real nitty-gritty world they're not 100% sure about how to do it.

PB :  And that's why they've continued to work on versions, a PDF/A version 3, which has a much longer name is the latest iteration of PDF/A and you are able to embed links and things like that within it and images and all sorts of things that you weren't able to do in version one. And there was a bit of a transition through PDF/A2. And I think we'll see a fourth version and a fifth version and so on because archivists are always tweaking with the next piece. And now it's a six year standard. But more and more law firms and libraries and so on are archiving material digitally and I think you're going to look at, because of the cost of physical storage is so high now, more law firms will be struggling to convert to paperless. And they don't want their data to disappear. And they still want to be able to recover it if they have to protect themselves from a lawsuit 10 years from now.

DW :  So, if you're not using PDF, now's a great time to start using it in your practice and hopefully we'll have outlined some of the tools that you'll be able to use.

PB :  Thanks very much David.

DW :  Thanks Phil

Technology Jargon: R through Z

Join Phil and David for the fourth - and final - technology jargon podcast, where we cover topics from R to Z:  two factor authentication, yottabyte, SMTP, and rooting phones.  Our other jargon podcasts - A to F, G to L, and M to Q - are also worth a listen.

 

Speaker Key:       PB Phil Brown, DW David Whelan

PB :  It's Phil Brown and I'm here with David Whelan and welcome to part four of our Jargon 2015 podcasts. And I would suggest you go back and listen to the rest which would be from A to Q and now we're going to embark on the letter R. David what do you have for the letter R?

 DW :  Alright Phil. We're going to get a little bit into the dark depths; we're going to talk about rooting. So you can root your phone or, in the case of Apple devices, you call it jail breaking. And what it allows you to do is to take control of the operating system. Currently, when you buy a device, an Android device or an iOS device, the operating system is actually administered by the operating system or the device. And so you can't make changes, you can't get down into the internal innards in the same way that in Windows you might open a command prompt and then be able to type commands. It limits some of the access that you have to your own device and so if you root your device or jailbreak it, you can apply additional rights, administrator rights that allow you to get access to these other things and in some cases to install additional software and that's why I do it on all of my Android devices. I will root my device and then I will apply a firewall and I'll use the firewall then to block all of the incoming and outgoing traffic that I don't want to have happen on my phone, so that I always know which apps are communicating. So, from that perspective, I like having that extra control. It will invalidate your warranty in almost every case, so I don't know that I'd recommend it for everybody, but, at least you know now that when people talk about rooting a device or jailbreak, really all they're doing is taking administrative control of their actual device.

 

PB :  And you're also doing the letter T after and I'm wondering if that's going to turn out to be tinfoil hat. But let's talk about the letter S, which is mine. And for the letter S, I have SMTP, which everyone uses and no one really pays much attention to its operating in the background of all of our emails and it's simple mail transfer protocol. It is not the part that actually determines how you receive emails and how they're displayed and so on, but, it really sets up the coordinates to say you know this is the email you've constructed in your computer, now send it out this particular port, send it over the internet and this is the destination that it's headed to.

 

DW :  And the S really does mean simple. When I set up my first email server, it will send anything that it receives and so if you don't secure it, you can end up as a spamming source on your email server. So make sure even if it's simple it's not Simple Simon.

 

PB :  Right, and I think we've talked about in the past in fact we have a podcast about how email works and we've talked about things like POP and IMAP before. So if you're interested in POP and IMAP you might want to listen to our podcast on how email works because we talk a little bit more about the delivery and how you actually receive and display the emails and what happens if you delete one kind and not the other kind.

 

DW :  Alright so no tinfoil hats for T unfortunately. I'm going to talk a little bit about two-factor. Two-factor authentications are exploding in interest now in part because people are more fearful of people tampering with their accounts online. So we're starting to see that with our online accounts. It started with Google and with a number of the online professional services systems. Now we're seeing it on sites like Amazon. And what it allows you to do is to supplement your user name and your password on these online sites with an additional piece of information. That additional piece of information is usually a number that is texted to you or is generated in an offline app like Microsoft Azure Authenticator, or Google's Authenticator app and so if you've got your phone or your tablet with you, you just open up your device, you open up the app and it will show you the code that you then need to type in and that will assist you in logging into these sites and also slow down the ability of other people to change information about your account or to access your account merely by trying to guess your user name and password.

 

PB :  And I know we both use two-factor authentications. One of the things I really like about it is if you sign in to your device, or your account rather from a different device or from a different location it notifies you as well by email to say: "Hey you have a new log in from this iPhone which has never been used before into your account. Did you do that?"

 

DW :  Yeah, it's great to have them watching for you because again you will get surprises sometimes about which devices are accessing it and sometimes it's a kid or somebody else that you intended to get in there and sometimes it isn't. One thing to keep in mind with the apps if you use the Microsoft account app, the only way to get those account numbers is via text. One of the nice things about the Google and the Microsoft Azure Authenticator is that it's totally offline, so you don't need to be able to get a phone signal in order to be able to get your code to put it into your system.

 

PB :  And since this is an alphabetical jargon podcast, how's the Microsoft app spelled?

 

DW :  A-Z-U-R-E Authenticator.

 

PB :  And that's a zed for the Canadians out there listening.

 

DW :  Alright what do you have for U?

 

PB :  For U, I have URL. Everybody talks about URLs or has heard the term URL, but might not know that it stands for one of two different things. They couldn't decide. One is the Universal Resource Locator and the other is the Uniform Resource Locator and it's basically the address of the webpage. So, when you type at the top www.lsuc.com [www.lsuc.on.ca], it actually points at a particular four component series of numbers which is the internet protocol address that is out there somewhere that connects your URL to the actual computer that you're trying to connect with.

 

DW :  Right, and it's uniform because if that number changes, if the Law Society got up and moved all of its servers to a different company, say they left Bell, for example, and went to a different provider, that URL would continue to work even though all those IP addresses had changed.

 

PB :  It's uniform and it's unique as well, although there are often sub addresses and so on. And each device you're using has a unique address as well.

 

DW :  Alright for V I've got VPN. The virtual private network. VPNs are great, lawyers should use them whenever they leave their offices and they are using devices that have client confidential information on them. It allows you to have a protected connection over the Internet. It's like a little encrypted pipe that only you can access and between you and wherever the VPN terminates, you can get to other places without having to worry about people eavesdropping on you. Some people will use it to get past geo blocks so that they can watch Hulu or Netflix in the US, but it's really good for making sure that when you're doing online transactions and you are in a public place, that you've got a secure connection. You might also use it, you can set up a VPN endpoint in your office so that when you're on the road, you can actually connect back to your office and have a secure connection from wherever you are back to your office and so you don't have to worry about anybody in between.

 

PB :  And we've talked before about clean devices and things like that and this is the perfect opportunity to use a VPN because if you are on the road quite likely you don't have anything other than a public network to use whether it's a hotel Wi-Fi connection or even a hotel wired connection, it still would be considered to be somewhat public and using that VPN within the public network will protect your data or your clients' data, more accurately.

 

DW :  That's the most important part. Alright what about W?

 

 

 

PB :  And you can see a lot of that coding if you go up to the in your browser and check out the source which no one ever does, but, you can see a lot of that XML coding that's built into that webpage to see what's kind of hidden there if I can put it that way.

 

DW :  But why would you? What do we have for Y Phil?

 

PB :  Y; Yottabyte. Y-O-T-T-A-B-Y-T-E. It's unlikely you will ever run across the term Yottabyte other than it being the largest measurement possible for an amount of data which is two to the eightieth power. You may see it someday in terms of the amount of memory available, but, you know laptops have gone up more and more and more and a megabyte used to be a lot. Now it's pretty common to see five and ten terabyte drives available. And I think eventually you'll see a drive that big, one of the things to remember of course is the bigger the drive, the more information you have on it and if it fails you've lost a lot more information than you intended and I don't know if we'll ever see a Yottabyte drive.  It won't be much bigger than the terabyte drives in terms of size, but, the thing to remember is the amount of data you have on there. Especially without any partitions, if you have a drive failure, you're going to lose all of your information which could be more than you expected.

 

DW :  It's funny to think about too because if we think about a new call this year coming out of law school or a new paralegal coming to the profession, their entire career will be something that is stored on a hard drive where a lot of us have a good amount stored on hard drives, but not everything. So they might actually need a single yottabyte drive to last them their entire career.

 

PB :  And it's funny to see even if, I'm dating myself here, but, to see how much computers have changed. I know you know at one point the Macintosh classic was considered to be a portable computer. And I think they weighed about sixteen pounds, but, they did fit under an airline seat. If you zipped them in their little bag, but, just barely. And they had a floppy drive and that was pretty much it and then you know we've lost our five and a quarter inch floppies, but, even now if you look at some of the newer machines, they're getting rid of optical drives, they're getting rid of even USB ports. Apple's gone to a new proprietary port that they have on their machines that's meant to replace the USB.

 

DW :  It's all portable, everything.

 

PB :  And now you have the letter ZEE or the letter ZED; take your pick. And what does Z stand for?

 

DW :  Z stands for Zero-day and Zero-day is getting a lot of press in part because I think everybody's much more aware about how computers are attacked on a regular basis or under threat on a regular basis. A zero-day is short for zero-day exploit and what it means is that someone has identified a problem within a software application. Something that they can use to exploit, to attack, and nobody knows about it. And so, they will save that up. It's been documented that governments saved this up for their attacks and, of course, the criminals do it as well and then when the first attack happens, that's the zero-day, that's the announcement that oh we've got this problem and often a zero-day, the problem with a zero-day is that there isn't any patch for it, there's no fix for it. So if you like many people will use Adobe Flash which was patched on this last Tuesday, it's December 2015 and it had seventy-eight patches, a lot of those were in response to exploits that they had found on their own. But, the zero-days happen outside of that world and are things that really are of a concern for all of us because it often means that even though we've patched and done everything we can to make sure our law-firm computers are up to date, that these zero-days suddenly put everything at risk.

 

PB :  And there's a bunch of websites that you or your tech people should be looking at all the time to figure out you know what's going on out there in the world. It's not just enough to do a virus check every day or a malware check every day. You really need to be looking at sites like Symantec, and Krebs and things like that to figure out what's going on out there.

 

DW :  Right. It really is, it's making using technology practice a lot more complicated.

 

PB :  And if you're using a computer and you're on a network, you should be doing a tech audit every year to see you know, make sure your licences are up to date; make sure your software's up to date. That you have all the patches for your browsers, your routers and you mentioned recently having your routers up to date because they do eventually become obsolete.

 

DW :  Yes. And if you don't want to update them then just throw them away and buy a new one, but, definitely don't hold onto the old hardware.

 

PB :  So that is the end of our look at our Jargon podcast for 2015 and we hope you've enjoyed them as much as we have and thanks very much, David.

 

DW :  Thanks, Phil.

 

Technology Jargon: M through Q

This is our third swipe at jargon, covering M through Q: open source, queries, and the wireless N standard, among others. If you haven't listened to our podcasts on A to F and G to L, you can add them to your list.

Speaker Key:      PB Phil Brown

                                DW David Whelan

 

PB :  Hi, It's Phil Brown and I'm here with David Whelan and today we're going to start part three of our Jargon 2015 podcast.

DW :  Yes, if you've missed them, go back and listen to A through L on the previous two jargon podcasts and today we are going to start with M. What do you have for M?

PB :  M is for megabyte, so we all talk about a megabyte, but, very few people I think understand what the unit represents. It's just over a million bytes, the byte being the smallest unit I suppose available for memory and storage. To ball park it, one byte would be equivalent to about one typed character if we're using text. So if you're thinking about how much storage this is going to take up, you can equate it more or less depending on spacing and things like that on a one-to-one kind of ratio. So, how many pages would that be? Roughly, depending on your font and characters and whether you have any images, a megabyte would be somewhere between two hundred and fifty and five hundred pages of information. What do you have for N David?

DW :  N I have the letter N. When you buy wireless routers or get on wireless networks you used to buy wireless routers that had the letter B and that was the standard at the time so you'd get Wi-Fi 802.11b and that was where it began. And that was sort of a slow speed and then it slowly grew to 802.11a which seems a little bit backwards. And then a few years ago we went to 802.11n and that was the speed that you aimed for or the hardware that you tried to buy. And now we are going beyond N finally. N which never really stood for anything I always thought it meant new, but, it never stood for anything and it was a big leap up from the A's and the B's. And now we're going to AC, so if you're going looking for new wireless hardware, you want to make sure it's going to be compatible with the AC protocol that's coming along which is promising and you know hundreds and hundreds of megabits per second throughput which is great if you are using it in your internal network inside your office.

PB :  And hopefully most of the routers and modems are backwards compatible.

DW :  Yes, I think from that perspective you should be fine. The trick or the thing to remember really with Wi-Fi hardware is even if it says you're going to get 800 megabits per second throughput, as soon as it hits your internet connection which is only 1 megabit per second, you lose 799, so it's great as far as internal use if you want to stream files from your server or if you want to stream movies from your server, it's great, but, you need to just keep that in mind that although you're getting higher, it is good, it's positive for internal use, it won't necessarily mean that your internet access gets better.

PB :  And it also just the last one last point I think is if you have a device on your network at home or on your Wi-Fi network, that is an 802.11b, even though you have an N router it's not going to go to that N protocol because it goes to the lowest common denominator on that network.

DW :  Right, yes, if you got 802.11b's or 802.11a's out there you want to make sure that you toggle them so they go to N if they can or frankly just update them because you've got that kind of old equipment you'd get a speed boost if you update it.

DW:  Okay, what's there for O?

PB :  O, I've chosen open source. It's software where the programming code is available to anyone. And you will see one of the advantages is that you're not working with proprietary software so there's no bowing down to one of the big guys if I can put it that way. And the other thing is there is sort of a lot of crowd-sourced improvements to open source software and you can either make your own improvements if that's possible, if you have the knowledge, or you can rely on others to tweak things as the software goes and there's regular updates and in theory can improve things quite a bit.

DW :  And I've heard though the flip side and the reason that law firms might not use it is "Well, I don't have anybody to call in order to get support because since it's open source in its community then I have to rely on the goodness of other people."

PB :  And that matter, I suppose, is one of the major downsides of open source is in terms of the tech support available. You're really going on you know Google searches and looking at boards and trying to find out fixes and workarounds that other people have worked out. Or you can throw your problem out there on one of these boards on the Internet and other people might be able to solve the problem for you as opposed to going through some thirty page FAQ from Microsoft or Apple or someone like that and then the little proviso at the bottom saying "Did this help you with your problem?"

DW :  I think the interesting thing about open source is how much of it we use without really realizing it and so if we use the Mozilla Firefox browser for example we're using open source software and I think we're going to see a trend. Certainly with Microsoft embracing Android and other environments Linux, we will see that they will be open sourcing more of their code as well and so that's the nice sort of sweet spot where you got an organization supporting it that's big enough to actually support it, but, it's still free to us to use or to play around with.

PB :  And I think there will be quite a bit more talk about open source software given some of the concerns people have these days with the larger companies potentially giving up encryption keys to various governments.

DW :  Right. So we'll have both free beer and free puppies.

PB :  That's right. And now the letter P. What do you have for P?

DW :  P: I like the word proxy, proxy is good, lawyers know what proxies are. In the terms of technology, a proxy really does the same thing that a proxy does in real life. It stands in the place of you. And a proxy can do some good things for you; it can allow you to route all of your network traffic through the proxy which will then protect your systems from behind that proxy by filtering out information that may be unique to those web browsers or computers. It will allow you to control how your traffic flows in and out of your environment. So it's a little bit like a security tool where you can funnel things and control what gets to the web and what doesn't. One of the benefits of using a proxy is that you can set it up so that it blocks out inappropriate sites. Web filtering is an obvious one and from a parent's perspective you might do it. But, even more importantly frankly is not the contents so much as the malware sites and bad sites like that where you just don't, you want to eliminate the ability of your staff or people in your law firm to even click out and potentially download malware and things like that. A proxy server can allow you to funnel everything through that and make sure that anything that's leaving your law firm or coming back into your law firm is coming from a place you want it to come from.

PB :  And the proxy doesn't have to be a physical server, it can be a virtual identity.

DW :  Yes. You can actually buy a computer and run all of your connections through it or you can buy a piece of hardware that acts as a proxy or you can just have this virtual identity, so it runs through it and then runs back.

PB :  Right.

DW :  All right. What's up for S? I'm sorry Q, we always forget Q.

PB :  Q is a tough one. And the best I could do was query. Queries are the sorts of things you would use to make inquiries of software for your computer to find out things like which of my ports are open? What's my IP address? Things like that.

DW :  Yeah and it's amazing really, it's one of those terms of art that I think lawyers would probably understand. It really is just asking, you're just asking things and so in Excel you may be using the Excel query language in order to ask what is in different cells and how to manipulate those? Of course, when you use a web search engine like Google you're obviously doing a query there so it's interesting really how many query languages we're surrounded by.

PB :  And that's part three of our jargon podcast. Stay tuned for part four.

DW :  Sounds good.

10 Serious E-mail Tips for Lawyers

Here are ten - or maybe 11 - tips on how you can use e-mail more effectively in your law practice. Have you listened to our other e-mail podcasts? This one will take you further in, looking at disclaimers, auto-responders, and where your e-mail service is.

 

Speaker Key:    PB: Phil Brown, DW: David Whelan

 

PB:  Hi, it's Phil Brown and I'm here with David Whelan, and today we're going to talk about ten serious email tips.

 

DW: Serious, not jokey ones. We're not going to get into things like how to be appropriate on email and proper etiquette and things. We are going to talk about some things that you probably should be thinking about. The first one we are going to start off with is to get a professional email address. You do not want to have emails going out from your firm that are from "gmail.com", "yahoo.com", "bell" or "rogers.com". You want your email address to reflect your firm, and so it is a bit of branding, but it is also a bit of professionalism. So the basic way to do that is to buy a domain name, or register a domain name, and it would be something like "davidandphilslawfirm.com" and then you would use that with your email system. You may host your own email system, your own email server, or you can use a remote one, and you can use Google.

 

Google Apps for business will give you Google Mail and the web, but also use your domain name. Zoho (zoho.com) has a free email server for up to five users, so if you have a smaller solo practice you might be able to apply your domain name to that. That way, you have to run your own email servers, but you will at least look as though you are an actual business.

 

PB: And I was just going to say, with those domain names, you do not have to have a website behind it.

 

DW: Right.

 

PB: So you can have "david.com", but you do not have to have the "david.com" website. You can just use the domain for email.

 

DW: It gives people a bit of a sense that you are in it for the long haul, that you have made a commitment to your business.

 

PB: And the other thing I would say about that is, just from the fraud perspective, and this is just a small reminder, if you are getting an email from someone purporting to be retaining you from some large business, but their email domain is "yahoo.com", "gmail.com" or "hotmail.com", they are not really emailing you from that large business.

 

DW: That's a good tip.

 

PB: And it is just something to watch for. Our second tip, consider using email software.

 

DW: What email software do you use?

 

PB: I am not going to tell. I use about six different email software. I use Outlook mostly.

 

DW: And I guess we should probably distinguish for everybody what we mean by email software. Is that the same as logging on to Google Mail or something through your web browser?

 

PB: No. The web-based stuff is different and you are really, kind of, just borrowing time on a server somewhere else.

 

DW: Right. The most common software that you will find in law firms is Microsoft's Outlook. It used to be confused with Outlook Express but hopefully, if you have finally gotten off Windows XP, you have also gotten off Outlook Express. Windows 10 does come with a mail application - it is terrible - so you really should look at something like Outlook, which will cost you a bit of money, or you can look at some free email programs like Mozilla's Thunderbird, by the makers of Firefox. There is another good one called Inky, which requires an account with Inky, but it runs multiple email accounts all within one system. These tools come with additional productivity benefits, where you can start to really manage your folders and manage your files in different ways. Export your emails on your computer and also have some sense that if you want to, you can have all of your emails stored on your computer rather than sitting on a server somewhere else.

 

PB: And speaking of storing those emails, we get to tip number 3, which I suppose you could characterize as using your inbox as a file cabinet.

 

DW: Absolutely. Keep everything in your inbox. You know, when you hit 20,000 emails in your inbox then you know you have really been practicing for a long time. There are pros and cons and, in fact, there are a lot of cons to using your inbox for all of your emails but, in some cases, it can be done.

 

PB: And one of the reasons, I suppose, it could be done is because of the search tools that are available now, so that you can nuance them and find just about anything anywhere on your computer.

 

DW: Right. It really comes down to how you are going to manage it. If you are storing all of your emails in your inbox, and we are not kidding when we say we have heard of lawyers with more than 10,000 emails in an inbox. If you have not done anything to them and they are really just sitting there in the order that they came in, that is not an effective way to manage your information. But if you are in something like Google Mail, Thunderbird or Outlook, and you are applying labels so that you can sort and filter your emails, or do things that are "folder-ish", then that can actually be a pretty effective way to manage all of your emails. Otherwise you would need to be looking at doing searches that are specific, that will do the filtering for you, or use folders, the good old folders. Most email applications still support folders.

 

PB: And as I would say, from a practice management perspective and the best practices method, it is probably not a great idea to have your inbox filled with every email you have ever received because it is so easy, in that environment, to miss an email. And it might be an email that you should have dealt with, that was time-sensitive, and you skipped over it because you had another 30 emails to deal with, and when you go back it gets lost in the mix.

 

DW: It could be hard and, I guess, if you have something happen to you, it could be hard for people to come in and look at your inbox and figure out what is going on.

 

PB: Again, that is the other thing, I suppose, is if you have to go back and build a trail, or if there is some sort of a contingency plan that activates because you have been hit by a car, they may not be able to use that desktop search function that you have relied upon for all that time.

 

DW: Okay, tip number 4, we all love robots, so how much of my email can I automate?

 

PB: That is a good question, and it is probably a good idea to have an auto-response that says things like, "Thanks for your email, I have received it, I will respond to your email within 24 hours". It might not be such a good idea to have the auto address function enabled, so that as you start to type in an address to a client it automatically gets filled in.

 

DW: There are some really good productivity tools, and most email clients (whether you are on the web or you have software like Outlook on your computer), at any time you use automation you should really think about what they are doing. I think the one about notifying the clients makes so much sense it should almost be like a permanent "out of office", but you will not actually be out of the office permanently. Letting people know what the expectations are about communication are great, but so many people have gone awry when they have used other tools like the address functionality or other things that are auto-inserted or auto-addressed. You can even get into problems where emails come in that you auto-filter into a folder, and because they are not in your inbox you forget that they have come in and you do not go and check that folder. You could miss a deadline or something like that.

 

PB: Yes, the auto-address thing, for me, is something I turn off immediately because it is probably one of the biggest sources of sending emails off to people you never intended them to receive.

 

DW: This is an extra tip for the Outlook folks. There are two different types of auto-address features in Outlook. One is where it guesses and tries to put in the best one, based on your typing, and then there is another one where it will essentially ask you whether this is the right one. You will want to turn off the first and you can, potentially, keep the second, but you may want to think about not doing your addressing of emails until you have actually finished the email and so you can really concentrate on the name of the person who is going in that email.

 

PB: And I would say, for tip number 5, you should consider using encryption in your emails.

 

DW: Yes, that is a tricky one, isn't it, because when you are on the web, typically when you are communicating with the email site, like Google Mail, that traffic is encrypted, but when you send the email it is not encrypted after that, is it?

 

PB: No and one of the problems, I guess, that could come up quite frequently is that there has to be a key exchange with you and whoever you are sending that email with, so that they are able to decrypt on their end, and you will find some clients just do not want to deal with that. They do not want to take the time to secret squirrel your email when they receive it. But there are clients, on the other hand, who want to make sure everything is encrypted. Documents are encrypted and, of course, clients who will not even consider using email.

 

DW: Right. Is there a reason that you want to encrypt the everyday emails?

 

PB: I don't think so, but I think it is getting so much easier now, with emails. You used to have to cut and paste them and generate random numbers and letters, and now there are a number of different encrypted emails available. I just think that if you want to keep an eye on confidentiality, it is not a bad thing to consider. I am not suggesting it is mandatory, by any stretch, or that people should use it with all of their emails but keeping things with another layer of security is not a bad idea.

 

DW: Google is working on end-to-end encryption for its email and I think when it finalizes that and it comes out we will probably see encryption made available through lots of other clients who are trying to keep up with that.

 

PB: The use of web form emails as a point of first contact for clients.

 

DW: Yes, so imagine going to your law firm website and a client wants to reach out and talk to you, do you give them your email address or do you give them a form that they can fill out?

 

PB: The danger of having your email address on your website, for a first point of contact, is that people can send you all sorts of things and attachments and they can make attempts to create some sort of solicitor-client relationship by sending you confidential information and things like that. I think it is a good idea to have those web forms (e.g. give me your name, give me your address, or where I can contact you), but they cannot send any attachments.

 

DW: It is a good idea, too, when you think about our tip number 7, which is what happens when you get emails from people who you do not know or are not expecting to get emails from, that have things in them that you, perhaps, should not open or should not click on, and so we are talking about phishing.

 

PB: And you can receive an email from an address that you know, and it could be something simple like what looks like an email fax from that person, with their address attached, but when you scroll over that email, and I would suggest people scroll over every attachment before they open it, and be very careful and not open an attachment you were not expecting to receive, because it may end up putting something on your computer that later encrypts everything on your drive and, possibly, in the Cloud, and holds you hostage.

 

DW: Lawyers in particular, I think, need to be exceptionally wary of, pretty much, every email that comes in. Even if it does not look suspicious, even if it looks like it is coming from a person you know and it has a file that you were expecting, I think you should still be very wary. There was a lawyer in Pennsylvania who thought he had been emailed a voice message, by his voice message system, and when he double-clicked on it to listen to it, it did encrypt his entire computer. So when you are getting email attachments, download them and scan them before you open them. When you have links that are in the emails, do not just click on them. If someone is saying to reset a password or go somewhere, then open up your web browser and go there through the web browser, but not by clicking on the link.

 

PB: And I probably get three or four emails a week from organizations that I am supposedly banking with, that I am not, telling me I have to reset my password and I have to give them some personal information or I will lose my ability to use that account which, of course, I do not have in the first place.

 

DW: Yes, they are getting smarter and smarter.

 

PB: And let's talk about disclaimer. Should you be using a disclaimer?

 

DW: Disclaimers are funny because on the one hand, they make a lot of sense that you would want to have a disclaimer, particularly for issues related to privilege and things like that, and if you are in an area of law where there are regulatory requirements for you to have a disclaimer, obviously, you should have one. But for the most part, because of where they are placed in an email, they are pretty useless. And unless you have a particular need for them, I would not bother to put a disclaimer on your email. Similarly, here at the Law Society, we have disclaimers in both English and French, just because of the amount of text that it involves. If you are only emailing with a person who speaks English, you probably do not need to have your disclaimer in both languages. So it is really about keeping your email nice and clean, keeping out what does not need to be in there and thinking about just having the information that is really useful.

 

So instead of a disclaimer, think about having a really good signature block, where you have your contact information, including your email address, so that if the email, as it invariably is, is ever printed off, all of the information about how to contact you is included in that. It is not just a name, it is not just part of your contact information, it is all the stuff that someone would need to get in touch with you.

 

PB: Sure and I don't think you are going to find lawyers or paralegals getting away from those disclaimer block signatures at the bottom of an email. I think they are here to stay. I am not aware of all that much litigation over them, but I would also refer people to the Rules of Professional Conduct, which deal with things like inadvertent disclosure and the email that is mistakenly sent to you which contains, potentially, all sorts of privileged information.

 

DW: So, really, what we need is a disclaimer that comes at the beginning of the email, and that has a little "okay" button before you can actually read the email.

 

PB: And that might not be a bad idea in the future either. Return receipts and recalling messages.

 

DW: Return receipts and recalls are one of my favourite things, mostly because I block them. A return receipt is something that an email server will send. You set it up with your account, mostly with Outlook, but you can do it with others, so that if I send a message to Phil and Phil opens it, I get a message back that says that Phil has received my email. The problem with return receipts is that they can be blocked, and so having it turned on does not necessarily mean that you are going to get any information about the emails that were sent.

 

PB: And I think, with recalls, if you are not in the same email system that the other person is using, the fact that you are trying to recall it might not actually do any good. It is more important to think, "Do I really want to send that message?" before you send it.

 

DW: That's right. It is better to think about it in advance before you send that email. Google has a feature on Google Mail that does something like a five minute pause, so that after you hit send, it is still somewhere in the system so that you can get it back. But the reality is, once it is out of the barn door, it is gone. With return receipts too, from your own perspective, you are probably better off blocking them, because you do not want to be sending back information from people who are emailing you that maybe creates a paper trail that you do not want to create, about when emails are being accessed.

 

PB: And our tenth email tip, and I am going to add an 11, but at 10 I just want to say, once you send that email you have to be aware that you have lost control of that email.

 

DW: Right, so do not put anything in there that you do not want other people to see. Maybe, in some cases, you do not want to put in anything that could be confidential, because once it has gone to the other person, and hopefully it is to the right person, they can forward it, share it, and do other things with it that you may not want them to do.

 

PB: It might be published. It might be part of evidence later. It could be passed on to someone that has unintended consequences. Especially be careful if you are sending off an email to a list server or something like that, because you really have to consider that once you push the send button on an email, it might turn up on the front page of the Globe.

 

DW: Not a good place for your law firm to be.

 

PB: No.

 

DW: So what is #11?

 

PB: When using emails, if you are going to attach something to an email, do not ever attach just regular Word documents or anything like that in the email because not only does it contain a ton of metadata, the other problem is they can now take that document and add or subtract various things in that email and then publish it as if it were their own.

 

DW: Right. So formats, what are better formats?

 

PB: PDF being one of the big ones. Locked down and metadata removed so that it is essentially, just an image of something.

 

DW: Good tip.

 

PB: That's it for our ten serious email tips. Thanks, David.

 

DW: Thanks, Phil.

 

Technology Jargon: G through L

We return to cover six more jargon topics - giga (as in gigabyte), Heartbleed, the Internet of Things, juice-jacking, kernel, and Linux - in our series of technology terms of art that lawyers may run into while practicing law.

 

Speaker Key:    PB: Phil Brown, DW: David Whelan

 

PB:  Hi, it is Phil Brown, and I am here with David Whelan. We are embarking on part two of our jargon podcast for 2015.

 

DW: Right. If you have not heard the first six letters of the alphabet, A through F, you will find them on our website. Let's start with G now, Phil. What have you got for G?

 

PB: G is for GIG (GB), or gigabyte, and one of the questions is how big a gigabyte is. It can be a billion bytes, but that still does not tell us much. I guess the big question is, how much information can you store in a gigabyte? It really depends on the kind of information you are storing and, for instance, different versions of Word. You can store a different number of documents. In the newest version of Word you can store about 7,000 Word files, and that is because there is quite a bit of compression that is done. Using the old "doc" version of Word, you would be able to store about 4,500 documents.

 

DW: Wow that is a huge difference.

 

PB: It is quite a difference, quite a bit of zipping going on in some of those files.

 

DW: So if I want to buy a new computer, how many GBs do I need in it?

 

PB: I think, now, a lot of the computers have gone from worrying about how much internal storage there is. They expect you to get some external storage, or to store most of your information in the Cloud. Of course, that has potential inherent risks, but I am not sure how much. I guess the amount is the amount that is going to allow you to run your operating system efficiently.

 

DW: It is probably one of those "more is better" things.

 

PB: More is always better. I guess not all memory is equal either, and some of it is going to be slower than other memory, in terms of storing and being able to access that memory later.

 

DW: Alright, what about H?

 

PB: H is for Heartbleed. Heartbleed is, sort of, a pesky little thing that has been around for quite a while, a couple of years. It is related to the OpenSSL system, or secure socket layer system, and it is on about 70% of the internet. OpenSSL, used with Apache servers, is really something that is used in just about everything, whether it is chat, instant message, email, or accessing web servers. The only way to guard against it is having the most up to date versions of OpenSSL running.

 

DW: Now, are most lawyers going to have SSL running on their computers?

 

PB: It is going to be running on most of the web that they are accessing, as opposed to their own computers, hopefully. Although, I suppose it could be running on their firm website servers.

 

DW: Right. I guess one thing they could do, if they have this Heartbleed vulnerability, is that they could test their SSL connections. But I guess they should also be aware of when they are connecting to a bank or something that uses SSL, they should know whether that one uses something that might have Heartbleed.

 

PB: Yes and then also, the banks running Windows XP and things like that. I is for the internet of things.

 

DW: Ooh, the internet of things, I love the internet of things.

 

PB: And the internet of things is going to play a bigger part in the next five to ten years, with some of the Bluetooth and Wi-Fi stuff that is out there, connecting your homes so you can initialize your coffee maker from work on your way home, or turn lights on and off and heat up and down and air-condition management, and a number of things like that. Of course, it potentially comes with a number of vulnerabilities, in terms of the security. A lot of these things really do not have the ability to update the security within them.

 

DW: Right and what I have heard is that a lot of these are coming with a version of Linux or a free operating system on them, because that makes the device cheaper to produce and distribute. But it makes it older software, in some cases or, as you say, software that cannot be updated. So you can potentially have a bunch of things. For example, the latest one I have heard about is the toaster, an internet connected toaster. I do not know how that works if you are not there to put the bread in it though. You have all these devices that have passwords that you have to worry about, and connectivity issues that you are going to have to worry about.

 

PB: And I think one of these things is going to come back to managing your network. When you unwrap that network for the first time, make sure you change your administrative name and administrative passwords, and set your MAC permissions so that other devices cannot connect. Also keep an eye on your Wi-Fi and make sure it is updated often and that you have the most up to date security software that you can manage.

 

DW: Do you think internet of things is going to be more of an issue for lawyers in their firm or in their homes where they are doing work?

 

PB: I think it is more likely to be in their homes, especially where they are sharing networks and might have other less secure devices on that home network. Sort of a mishmash of bring your own device problems. So, your nanny cam, for instance, which might have been handed down from someone else, might not be very secure versus a newer version, or might be exposing a vulnerability to your home office computer, where you access your banking information.

 

DW: Sounds like a great time to go live in a cave.

 

PB: It is one of those things. Maybe you want to disconnect some of those devices that are great for convenience. Do you really need an internet enabled toaster or coffee maker in your home?

 

DW: I am thinking you do. What about J?

 

PB: J, juice jacking is just a term I am going to toss out. We have an entire podcast about it. It is really about when you go and see one of those kiosks where you can plug in your device to charge it while you are spending some spare time. Maybe you have noticed your phone is almost dead and you are running through the path or in a mall somewhere and you see one of these stands where you can just plug it in - it is brought to you by the local camera store or whoever. It may not be and you just have to be very wary that one of the things that you are potentially doing is exposing all of your information for download while you are plugging your device in to recharge.

 

DW: A USB port has four little pieces of metal inside, if you look inside. Two of those are for data and two of them are for power, so you should be aware that when you stick it in there, and you are getting the power over those two, you could also be receiving data over the other two.

 

PB: And then that is the other thing, you might be receiving a virus or something connected to a bot that is going to download your information later at some other time.

 

DW: But is it always safe to plug in as long as it is an actual plug and not a USB?

 

PB: As long as it is a plug that is physically located in the wall I suppose, but, again, there are also some potential vulnerabilities with power bars and things like that, which might not be what they seem.

 

DW: Yes, I love those. Okay, we were talking about the internet of things, devices that are hard to update. Why are they hard to update? I think that is our letter K.

 

PB: That is because of the kernel, which is not related to popcorn. It is really about the base level of your operating system. Operating systems are done in multi layers so that you have one layer that deals with your port connections, another layer that deals with how it handles visual objects, and another one that might deal with printer connections, and so on. The kernel is that base layer that, sort of, helps start up your computer and determines what memory is allocated to each little thing at that base layer. The more efficient the kernel is, the better your operating system is going to work.

 

DW: So Windows has a kernel and Mac OS has a kernel, and I guess that is why, with Linux, you have so many different types of Linux. They all share the Linux kernel, but then they have other stuff that is layered on top of it.

 

PB: Which brings us to -

 

DW: L.

 

PB: - L and Linux. Maybe you can tell us a little bit about Linux, because it is another operating system that is out there that is different. It is quite distinct from Mac OS and Windows.

 

DW: Linux is an operating system that was developed by a guy named, I think it is Linus, but it is definitely spelled L, I, N, U, S, similar to the operating system, and the great idea behind that was that it was this open source operating system. Over the decades now, I guess, it has been out there, many people have adopted it, and it has become a core element of the web. It runs a lot of web servers that are out there. It runs a lot of application servers. It might even be running file servers in your law firm. The one place it has not gotten to is the desktop. So you probably have not seen it, but it has gotten a lot of press recently because it has some features that you may prefer over Windows 10, but it also has some of the same features that we are starting to see in Windows 10. It is interesting that this open source system, that has been out for so long, now has some traits that we are starting to see in the mainstream.

 

PB: And maybe another podcast will be devoted to talking about the differences between proprietary software and open source software, and advantages and disadvantages of each.

 

DW: Yes, I love Linux. I do not think it is for most lawyers, but it certainly is an option out there. I know that there are some diehards and, just like in the old WordPerfect days, they will have their Linux machines pulled from their cold dead hands.

 

PB: That is our look at letters 6 through 12 in the jargon podcast part two. Thanks a lot, David.

 

DW: Thanks, Phil.

 

Technology Jargon: A through F

One obstacle to lawyers understanding technology is the jargon that invariably comes up when selecting hardware or software.  Phil and David take you through 6 jargon topics - API, bot, containers, DDoS, epub, and firewall - in the first of our jargon podcasts.

 

Speaker Key:    PB: Phil Brown, DW: David Whelan

 

PB:  Hi, it's Phil Brown, and I am here with David Whelan. Today we are going to do our jargon podcast for 2015.

 

DW: We thought we would take a look at the letters of the alphabet in particular because Google has just reorganized itself into The Alphabet Corporation. So, starting with A, we have the API, which is also the application programming interface, and you may have heard of APIs being tossed about and wondered what they are. There is some concern that the federal courts in the US do not really understand what they are either, because they called them software, and an API is not software. An API is a connector that allows different systems to communicate with each other. So what you might find is a company, like Dropbox, has an API, and then other developers can write software that talks to that API, to display files that are in your folders or to enable you to work on your Dropbox files without actually being in Dropbox, working through other things. It is an enabler between two different types of software systems.

 

PB: And you see APIs being bandied about when you go to a tech conference and you hang out with the vendors for a bit. Everyone is running around trying to figure out how they can get their software, in their packages, to run with someone else's, on their platform. So everyone is running around discussing API synergies and things like that when they are at these conferences.

 

DW: That's right. David Weinberger did a great book called Small Pieces Loosely Joined, and that is really where the API is. It allows you to make your program available to other things, to build it out, rather than building, as we did in the old days, monolithic programs that did everything all by themselves.

 

PB: And I suppose this is for another podcast topic, at some other time, but APIs could possibly create unique security situations as well.

 

DW: Right, absolutely.

 

PB: So B is for bot.

 

DW: B is for bot. Bots used to be nice warm fuzzy things, but bots increasingly come up in conversations about security and malware and computers that are infected. A bot is a computer that has been taken over by a remote system, and is then used for a nefarious purpose, often an attack where the bot herder (as they are known) communicates to all of the bots in his herd or her herd, and tells them all to attack a particular website, or to send out a particular kind of message, or to do some sort of coordinated activity. So all the bots respond at the same time.

 

PB: And bots are one of the reasons we have to type in all of that extra stuff when we are completing forms and trying to send it off. You will see that little photo of some letters, random letters and numbers that you have to fill in to show that you are a human and not a bot.

 

DW: Right. You want to make sure that the computers in your law firm are not part of a bot network, so make sure that you are running antivirus software and malware watching software, so that you can eliminate the ability for other people to plant software on your computer without you knowing about it.

 

PB: Right, containers.

 

DW: Yes. C is for containers, and containers are an obvious thing. If you do a Google search for a container you get a box, cardboard box, that sort of thing. This is a similar sort of thing, and it is going to become more and more popular, particularly in people who are dealing with vendors in the Cloud. You might go to a company and say that you want them to host your law firm technology in the Cloud, and how do you do that? They will say, "Well, we virtualize it", and, increasingly, the virtualization is something called containers. What happened in the bad old days of right now, is that you would virtualize a system and it would have an operating system like Windows, and it would have applications on top of that, and then your data would be on top of that, and for each customer, the Cloud provider would repeat the operating system and the applications over and over again across the entire system.

 

The thing with containers, and one of the leading types of container comes from a group called Docker, is that you do not have to have the operating system repeated over each virtualization anymore. In the future, if the Cloud providers use containers, there will be a single operating system across the entire platform, a single set of applications across the platform, and then the only enclosed area will be that container, which will have your stuff in it and separate from the container for, say, Phil's stuff.

 

PB: Right, D.

 

DW: D is for DDoS. You are all familiar with the old operating system DOS, MS-DOS. The DOS that we talk about these days is the denial of service, and then the more common one now is the DDoS, the distributed denial of service, and this comes into where those bots are. It is very easy to crash a website or to do an attack, by sending so many requests to it, that it can no longer respond to all the requests, and it stops doing so. That is what a denial of service is. It is the denial of the ability for that server to respond. The distributed denial of service means that the attack is coming from many, thousands, in most cases, of computers at the same time, so that it is not only difficult for the server to respond, but it is difficult to figure out where the attack is coming from, and to then block it.

 

PB: And is there any way for the average small website owner to stop a denial of service attack?

 

DW: There is not. There are services you can use, like CloudFlare. Cloudflare.com has a free service, as well as a paid service, where they will intercept the DDoS attack and try to block it and filter it out, so that is one way you can do it. Most larger firms and larger corporations will have more than one connection to the internet, and so if a DDoS or a DOS attack happens on one set of addresses on the internet, it can turn those off and go to another one, so that it is still able to interact with and communicate with it, but otherwise you could see law firms going offline if their email servers or their web servers or other internet connections are being attacked.

 

PB: And you would have to have a somewhat sophisticated client who has you in their sights, to be a victim of this sort of thing. It is much more common for larger companies and they can have these, sort of, broad based attacks happening, and they can be shut down for a day, two days at a time.

 

DW: It is interesting, we may see that change. I think you are right that it is an individualized attack. They need to be aiming just for you, but we are seeing now that these bot herders are making themselves available so, for $20 or $30 and a credit card you can do a DDoS attack for an hour, and it has now become commoditized, like so many things are with technology.

 

PB: E.

 

DW: E is for EPUB. EPUB is a format that is common for eBooks. It is the most common eBook format, other than the Kindle format, which is proprietary to the Kindle platform. EPUB is interesting because it is one that you can actually open up and edit with a set of text tools that are available for free from groups like Sigil. The EPUB format is really nice. If you ever wanted to create an eBook, you could save it as an EPUB, but when people are talking about EPUB, they mean a particular type of format like Word documents and docx or doc in the old days. If they are talking about EPUBs, they are talking about eBooks.

 

PB: And a number of different readers can handle EPUB natively.

 

DW: Right. EPUB is probably the most common format, because you can read those on iOS devices, Apple devices, and Android devices. You can open them up on Windows and Mac computers and read them on your computer. It is great and they are often very flexible, and often come without DRM, the digital rights management.

 

PB: And our last letter for this podcast, F.

 

DW: F is a firewall. Firewalls are exactly what they sound like. In fact, if you come down to The Great Library, we have a physical firewall in the basement, which was meant to protect things from fire. It is a brick wall, and you can store things behind it. The firewalls that we have nowadays tend to be on our desktops and our hardware that we have attached to our networks. They are meant to prevent external people from getting in, who should not be, but also for your internal applications not to communicate outside of your firewall, without you knowing that they are doing it.

 

PB: And sometimes they are software firewalls, sometimes they are hardware firewalls which contain software, some of those security devices that are matched with routers and so on.

 

DW: Right. The Windows firewall comes with all the Windows operating systems and if you hit your Windows key and type "Windows firewall", it will pop up, and it will show you all of the rules that have been created, both the ones that block people from accessing, but also the ones that allow access. And particularly if you are on Windows 10, I would take a look at the rules that are allowing access because Microsoft has included a lot of new rules that allow all of its products to bypass the firewall and share information and things like that. You may want to disable them or delete them.

 

PB: And it is probably one of the most ignored security features for personal computers, the firewall. I mean, you can really tighten down the security on your computer so that things are not randomly sending cookies back and forth and checking out your computer and sniffing your ports and so on, and people just do not turn on those features.

 

DW: Right, you definitely want to try and have them. You can find firewalls for Android devices. I do not believe there are any for iOS, like iPhones and things, but, in particular, if you have a home network where you are doing work or, for sure, at your firm, you should also use a hardware firewall that is at the connection between the internet and your firm network so that you are protecting not only on a machine-by-machine basis, but for every potential probe that comes in from the internet itself.

 

PB: Right. Thanks, David. That is the first six letters of our jargon podcast, thanks.

 

DW: Thanks, Phil.

 

Internet Service Providers

Phil and David take a look at how lawyers connect to the internet.  What type of internet service provider do you use?  And what are some networking hardware and security topics you might need to know about?  We'll walk you through what a router is and why it's important in this podcast.

 

Speaker Key:    PB: Phil Brown, DW: David Whelan

 

PB:  Hi, it is Phil Brown and I'm here with David Whelan. Today we are going to talk about ISPs.

 

DW: ISPs are internet service providers. They are the people who sell you the access to the internet, that provide you with the technology that allows you to connect to your home and your law firm offices and other devices, to the internet.

 

PB: So not to prefer any particular companies, but we are talking about Rogers, Shaw, Bell, etc.

 

DW: Right. It is interesting, the types of technology that they use, and you will come across this, and I am not sure that we will ever get to the point where we can say one is better than another, but it used to be that you would get a connection called ISDN, if you wanted a nice dedicated line and dedicated throughput to the internet, but pretty much, these days, most law firms will be looking at either a cable connection or a DSL connection or, if you are big enough, what is known as a T1 or part of a T1. That is like a timeshare, a fractional T1, where you can have a certain amount of speed, but depending on what kind of wiring they are using, and what kind of system they are using, you are really talking about cable or DSL.

 

PB: Right. And we are not going to talk about dry loops and things like that, but there is lots of terminology out there, in terms of "this is a voice only line", "this is a voice and internet line", etc. But there are differences between DSL and cable. Some of them are shared in a neighbourhood, and some of them are not. Your speeds can fluctuate, depending on what kind of line you are using, but let's talk about things like consumer versus business.

 

DW: Right. You will find, with most of the providers, that they will have business level speeds and services that are different from your home user. So you may have bought a package for your house and that works great for the films that you are streaming on Netflix or Show Me, and the files that your kids are downloading for their Xbox, but that may not be the sort of stability or speeds and bandwidth that you need to be providing for your law firm, especially if you are hosting your own email server inside the firm, or your own web server. All of those create traffic and you need to be thinking about paying for the additional overhead that all those things provide.

 

PB: That's right. Speaking of overhead, business prices tend to be quite a bit more than consumer prices and consumer systems, but you would definitely need a business enterprise system for a large office.

 

DW: Right, so shop around. I think you will find both from the cable providers and the DSL providers, and the real difference between those is that the cable system tends to be a shared system and the DSL is a line directly from your office or your home to the Telco, so it is a slightly different type of carrier but, at the end of the day, you will be able to get the same types of speeds, both upload and download speeds, and they are different, but can you say a word about how they are different?

 

PB: In terms of the speeds? Upload speed is typically much slower than download speed. A lot of the companies range (and you will get a range when you start shopping for packages) from 1 megabyte upload versus 10 or 20 megabytes download, and I am not sure why they make those distinctions, but they benchmark them and tell you if you pay $100 a month, this is what the minimums you can expect are. You really have to determine what it is you are doing. Are you uploading a lot of information, a lot of large files, or are you more likely to be downloading those files? You can shop around for an appropriate speed. The other thing is that some of them now have limited bandwidth, and you may be limited to a certain price, where you can only download 100 or 200 megabytes or 300 megabytes. You will see this with phone data plans, but now you will see it also with other packages. You might have a gigabyte of download available a month, and then you are going to start paying, on top of that, for every megabyte you use after that.

 

DW: It is something to be aware of. I think we are more aware of it with our phones than we are with our computers, but as these sorts of caps come into play, it may impact what you do and, certainly, there have been complaints already, for Windows 10 users, where Windows 10 is now doing automatic mandatory updates of its system, that you may have gigabyte downloads coming to all of your computers in your firm, coming over your internet connection, and then eating up some of that data cap. One of the things to look for is that some of the internet providers will have times of day, particularly between 2 a.m. and 6 a.m., where they may give you free access or free transmission times, so that if you have large downloads you can schedule them for that time of day to either upload or to download.

 

PB: That strikes me as the sort of thing where you will be populating those offices with students, to make sure that there is someone there at four in the morning to do those big uploads and downloads.

 

DW: That's right. I wanted to mention something called power line networking as well. This is, sort of, an add-on. Once you have your ISP, you are connected to the internet, but then how do the devices in your office connect to the router or the modem that connects you to the internet? In many cases you will have category 5 network cable in the walls that allows you to just plug in and go. You may have wireless as well, but if you do not have one of those two, or you have computers that are in awkward places, you can use something called power line networking, to connect over the electrical wiring of your house or your office, so particularly in older buildings or in houses where you might want to work in your basement but it has either bad wireless connectivity or no network wiring. You buy these power line adaptors. One goes next to the modem, to the internet, and one goes in the power outlet, and you just plug into that and you can get networking anywhere in your building.

 

PB: And this sounds very voodoo, are these things expensive?

 

DW: They are not expensive. You are probably looking at $30 to $40 per plug-in adapter, and many of them will have more than one plug, so you could run more than one computer off of it.

 

PB: And maybe we could just say a word or two about redundant connections and how many lines you need and things like that?

 

DW: Right. The issue of redundancy comes up. Some people believe that you should have redundant internet connections, just like you do backups and other things in your environment. That can become expensive unless you have a really good need for it, if you have problems of, for example, being attacked. If you are attacked on one of your internet addresses, if you have a redundant one you can quickly flip your firm over to the redundant one. In most cases it is not going to make sense for the solo or small firm lawyer who is out there to have more than one internet connection. It really is not going to be cost-effective to do that.

 

PB: Security with ISPs, is it something the average user needs to be concerned about?

 

DW: The ISP is really just providing you the connection to the internet, so you should be aware that they are probably not doing anything to protect you in particular, as far as people trying to get to your email server or your web server in your office. They are doing some things though. They are able to block attacks going out or coming into their network, and they may be also monitoring some of the traffic that you send out, if it is potentially going to a source of malware and things like that.

 

PB: And some ISPs offer additional services like email addresses and some of them offer free antivirus software and things like that, to use within your environment. That is something that you should be aware of, is if they are providing you with ten free email addresses on their servers, on their domain, that is information that might later be handed over to a lawful authority who is making a request.

 

DW: Yes and since it is an ISP-based email, it can be very useful. It is great for home users, but for a business user, you probably want to think about getting an email system that is intended for business users.

 

PB: And that is one of the things you need to look at in the beginning when you pick your ISP. What are your business needs now and what are your business needs going to be in five years? You have to figure out what it is they are selling you, and you have to ask questions.

 

DW: Exactly. You made a good point before we started, which is that a lot of the ISPs are actually piggybacking on other ISPs, so while I use TekSavvy myself, for DSL at home, it is actually on top of the Bell network, and so I could potentially get DSL from Bell just the same. I think you really need to shop around and see which providers will give you the speeds at the costs that you are willing to pay, and if you have done that assessment of what your business needs are, you will be better prepared when you are sitting down and trying to compare the packages that are all very similar.

 

PB: And I would say that if you are looking at home systems and things like a home business system, speak to your neighbours. Find out what they are using and what kind of reliable speeds they have, because I know, from my personal experience, a few different times that I have had packages sold to me, but the infrastructure would not support the speeds they were promising.

 

DW: And many of the ISPs will rent to you or sell you hardware, the modem and the router and other things for your network. You should cost check those against Best Buy and other technological things, because you can often get that same hardware on your own without renting it, for much less than you would pay over the life of the rental.

 

PB: You are going to be looking at user agreements and things like that, and I would say it is important that you read those over the same as you would any banking agreement and things like that, because there are various responsibilities and liability issues when they lose all of your information, or you drop a connection for weeks at a time, and you want to make sure you know who is liable for what.

 

DW: Right. ISPs are a little bit of a boring topic, but they are key and particularly as the legal profession relies so heavily on the internet, for communication and other things, you want to make a good choice.

 

PB: Right. It is getting bigger and bigger. I mean, whole firms are moving to the Cloud and storing information in the Cloud and being reliant upon the ability to access that information at any time.

 

DW: And the daily show too.

 

PB: And the daily show as well. That's our look at ISPs. Thanks, David.

 

DW: Thanks, Phil.

 

Voice Recognition

Lawyers using voice recognition can find a new way to productively create and edit documents, send messages, and more.  How do voice tools like Apple's Siri and Nuance's Dragon Dictate fit into a law practice?  Phil and David discuss voice recognition and provide tips on making it work for you.

Speaker Key:    PB: Phil Brown, DW: David Whelan

PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we're going to talk about voice recognition.

DW: Voice recognition has been a little bit of a holy grail, I think, for lawyers, because it offers an opportunity for them to use one of their primary tools, their voice, to record information more quickly than they can type or write it. But voice recognition has had a mixed past and I think the best news is that it is getting better and better, and almost to the point of magic it seems when you use certain devices.

PB: It is not your grandpa's voice recognition.

DW: For sure.

PB: Back in the old days, you downloaded a very large package of software onto your desktop and spent hours training that software to recognize the various nuances of your voice, and there were certain words it was never able to recognize.

DW: It was particularly difficult, I think, because it meant that you were recording it in a particular way. I did a demonstration of it after having trained it to my voice, but I was a little stressed out during the presentation, so my voice actually went up and all the training was no longer any good because it had been trained for a slightly lower toned voice. And so, it was very, very finicky. But now when you open up your phone or your desktop device, as long as you have the software on there, it's really remarkable how close the technology has come to matching most of the words that we use.

PB: Since you mentioned phones, let's talk a bit about Siri, which might be what a lot of people are familiar with. Is that true voice recognition?

DW: Oh, for sure, it's definitely voice recognition and Android has some add-on apps that do a similar sort of thing. But I think it's not the voice recognition that most lawyers would think of. Siri and other voice apps tend to be good at giving you directions or responding to a particular query because that query has gone into a very large database of other people who have asked the same information or asked for the same kind of detail.

PB: And, as we found out recently, people are listening to the recordings of your voice that are made when you talk to Siri.

DW: Right, that's kind of creepy.

PB: So there's no real confidentiality there and you wouldn't necessarily want to be using Siri for anything sensitive.

DW: We have talked about it on another podcast, but there was a recent case with a television company where the television was able to pick up your voice command so that it would change channels and do other things, but all of that information was also being sent off to a third party voice recognition service. So there are these large databases now being put together, obviously to help the people who are using voice recognition so that it becomes better for all of us, but it does mean that the things that you are saying into microphones may not only be recorded by you, but being stored elsewhere.

PB: Right, so there are a couple of big players and bigger software out there, and I'm sure a lot of people have heard of Dragon Dictate, and it's available for a number of different professions. They have special packages for doctors and lawyers and so on. It has come a long way since they started.

DW: It's incredible. Nuance is really a juggernaut when it comes to voice recognition and they have absorbed a lot of the smaller players, I think, along the way and it's a very, very strong tool. Even just right out of the box, you can start to have your words translated right onto your screen, but I think that the key item, if you can find it with voice recognition and, of course, Dragon Dictate has it, is this legal dictionary, because we have lots of terms of art that don't appear properly unless you've trained your package to do that. I found this with my daughter. Her name comes out as Chilean when you record it and so, even though it is a common name, it is not in the database, and so, when you think about Latin terms and other terms of art you might have in your practice area, having those built into a dictionary where it's already available will just mean that you're up and running faster when you get started and you won't have to trip and watch as you're transcribing your voice.

PB: And it can be a very useful tool for smartphones. I have a free version of Dragon Dictate for my iPhone and you can dictate a large amount of text and then decide which platform you want to send it out on, whether it is an email, an SMS, a text, or any different way you want to send it - you just select after you've made the recording.

DW: It's remarkable how accurate it is. I've been really impressed. Even Windows has some accessibility options, which are really not intended for the general user, but the speech recognition in Windows is very, very strong. It takes a very small amount of training and you can be up and running, again, doing basic things. One of the key things to remember with voice recognition, whether it's on your desktop or on your phone, is that you always get a word and so if you're speaking into it, it never stops and asks, "Did you mean this word or that word?", instead it interprets it as "It sounded like you said X, so I'm going to put X in there." And so you really need to go back and read what you have transcribed or recorded because it may not include the words you expected. It's a little bit like your keyboard on your phone and sometimes we get words that we don't intend.

PB: No, for sure, there has to be, if this is going to be used to document, a lot of proof-reading and it's probably a good idea to have, if you're not a particularly good proof-reader, a second set of eyes go over it to make sure you're not sending something out that had a particular value in it and it goes out under a completely different number.

DW: Yes, that million dollar contract going out as a ten dollar one would be a problem.

PB: I'm sure, and so using it for things like a settlement and things like that, I mean, no matter how many times you've done it, I think you want to carefully read it a few times to make sure that things have gone well.

DW: What you'll find with some of the paid voice recognition packages too is that you can use a digital recorder, so, say you're driving up to see a client or off to court and you're recording on your digital recorder for a different matter or whatever, you can then upload that sound file later when you get back to your office and it will go through the recognition process from that digital file. You don't actually have to be sitting in front of the computer all the time or you can send that file to someone else who can then do the recognition for you, so it doesn't necessarily have to be something that you have to do yourself and to tie yourself to new technology. You can use the tools that you're comfortable with and then just have that digital file turned into the document that you're trying to create.

PB: Sure, and you can make notes using these various voice recognition applications, to make notes for yourself, and send yourself emails. You can get a lot of work done while you're driving, for instance, if you're dictating things to yourself that become emails later or documents later. You can certainly dictate a bunch of them in one file and then split them up and send them out as a number of different emails if you wanted to, so you're not messing with it while you're in your car.

DW: Keep in mind that if you're dictating on the road or outside your office, that your voice may carry and so it's even more so than with conversations. You may be getting the benefit of voice recognition, but if other people recognize your voice as well and what you're talking about, that could lead to some uncomfortable consequences.

PB: Sure, it's not the sort of thing you want to do in a public place and, I suppose, the other thing that tends to play into voice recognition is background noise.

DW: Yes, a coffee shop for example, not only is it not a good place to dictate loudly, but the clanking of plates and other things can definitely distract the technology.

PB: Sure, so have a look at voice recognition. There are a number of options out there and it might be a time-saver for your practice.

DW: Thanks, Phil.

PB: Thanks, David.

Cloud Location

You're a lawyer with obligations to protect your client's data and you're putting it in the cloud.  Do you know where your cloud servers are located?  This podcast will talk about some of the issues lawyers might face in knowing where their client confidential information is, and some things, like pre-encryption, they can do to further protect law practice information in the cloud.

Speaker Key:    PB: Phil Brown, DW: David Whelan

PB:  Hi, it's Phil Brown. I'm here with David Whelan and today we are going to talk about Cloud location.

DW: Location, location, location. We all know how important that is, but you may not think about it when you go to your Google website and log into your apps, or check your email, or when you go to your Microsoft OneDrive and upload or download a file. You may not think about where that Cloud actually is.

PB: It is not that easy, necessarily, to find out where that Cloud is. When we talk about the Cloud, we are talking about where those massive servers are kept by those third parties that are holding your information.

DW: The Cloud is a set of different layers and the layer that most of us interact with is called the software as a service layer, SaaS, and so, in some cases, when you are dealing with Google or Microsoft or a really big company, you may be dealing with the company both at the software level and also at the platform level or the infrastructure level, which is the physical piece of the whole Cloud. If you are dealing with other smaller companies, you may actually only be dealing with the software piece of it, and so you may be dealing with, say, a Canadian company that has a software product in the Cloud who is using an Amazon or Windows as your Cloud platform that is based somewhere entirely different in the east coast or west coast of the US or an entirely different continent.

PB: And they are often redundant as well. There may be an east coast and a west coast, and then maybe it is a server farm in Texas as well.

DW: That is a good sign, actually, because then if one of those goes down, your practice does not go down with it. But, yes, you really have no sense of knowing where those are and you can contact your vendor, Google or Microsoft, or certainly the smaller companies may be more amenable to telling you where their data centers are and how redundant they are, but it can be very tricky to know for sure. And the bigger the company, the more likely they are to say that they are really not going to disclose where their data centers are for the security of everybody.

PB: And even a company like Clio, for instance, which does practice management software, they deal with a third party themselves: Amazon. So, somewhere there is an Amazon with Clio information which, of course, is your information and it could be anywhere.

DW: We have sort of gotten past the point where lawyers in Canada are worried about the USA Patriot Act. They still may be worried about USA servers, US based servers, but it is not so much the Patriot Act that is the bugaboo. So, how much do you need to worry about where your Canadian client documents, the Canadian client confidential information, is being stored and what can you do about it?

PB: That is a good question and I think part of that goes back to your terms of use and knowing where your information is going to be stored. Some of it has to do with encryption, both on the way to your service provider and later on when it is stored.

DW: That is a good example, really, of two of the issues that you have. There are some faculty at the University of Windsor who have done a regular review of the terms of transmission that internet service providers in Canada have. You may have gone to the effort of finding a Canadian-based Cloud computing company, so that all of your information is being stored in Canada, but you may find that the transmission of your data is actually traversing into the United States and then back into Canada because most of the ISPs, internet service providers, in Canada do that. Most of them send your information across the border, even if you are going to a Canadian server.

PB: Sure, and I know I have exchanged information with the Law Society servers before and I live a few miles away or a few kilometers away, and I can track my information and know it has travelled through the US and other countries before it gets to the destination three kilometers away.

DW: It is one of the reasons you have to be really certain that you are sending your information in an encrypted format and having it stored in an encrypted format. It does not mean you actually have to apply encryption yourself, but you need to be using a web-browser and a secure connection and making sure that your Cloud provider is also secure. It does not get you away from the issue of where the location is, but at least the transmission then is being protected.

PB: And there has been some litigation already about Cloud locations.

DW: Yes, one of the interesting things that has come up, and it is interesting from a Canadian perspective, because the case does not involve Canada or the US directly. Microsoft was asked to divulge some emails of an Outlook or Hotmail user, but the user was based on Microsoft's servers in Ireland, and so Microsoft told the US government that it was not going to disclose it. You can follow the case, it is in New York and I think the latest briefs and things were filed at the Second Court of Appeals or Court of Appeals for the Second Circuit for the Federal level. But you will find that the EU data protection laws have essentially, Microsoft saying, they trump the ability of the American government to reach out to Ireland and pull that document out.

So, I think one of the interesting things is, in the past we have had the discussion with lawyers: do you place your content only in Canada or can you place it in the US or other places? And really, the other places option is becoming a viable alternative. You might find that putting your client confidential information in an EU data centre, Ireland or wherever, could be a better alternative than putting it onto an American server, and you could still use something like Microsoft's Windows or Amazon web services and the company that uses that, but use the data center in those locations. When you sign up for Office 365 from Microsoft, you can choose which data center you want too, so the location stops being a binary one of, "Do I put it in Canada or do I put it in the US?" You really can start to choose a little bit more because we are seeing more technology for lawyers being available in different jurisdictions with, in some cases, better laws.

PB:  And, you know, people get a little fussed about information being in the Cloud and that sort of seeming lack of control over that information because it is in someone else's hands, but, of course, if it is supposed to be encrypted and it is encrypted from your point to their point, it should be somewhat safe.

DW: It should be and if you are really worried, you can always do the pre-encryption to encrypted getting up. That can be a hassle when you are trying to interact with it, but again, it really is a matter of what your clients are comfortable with and what you are comfortable with. I know that I have heard from one law firm here in Ontario that said that they had a client who said if you have my data, it has to be on a server that is physically located in Canada. You will have some clients or maybe some practice areas where that becomes a mandatory step, but I think the interesting thing is that the location option, you should know where your files are as much as possible and I think that is something that is one of those easy questions to ask and hopefully is an easy one to get an answer for, at least down to the continent. But, with companies like Open Text opening a data centre in Australia, and Microsoft having data centres in the EU, I think there really are other options that you can think about where you might find better protection than just leaving it in Canada or just leaving it in the US.

PB: Sure, and there are other options as well. I mean, you mentioned pre-encryption, which would be encrypting the information yourself at your desktop or mobile device before you upload it into the Cloud, so it is encrypted by you. Then it travels through an encrypted path to get to their server and then is encrypted there as well, so it is almost a double, if not triple, protection and, I suppose, one wonders is encryption safe or do the various governments have all the keys to all the encryption and some people would say yes, they do. But at least you are making the efforts to store that data safely and you have taken steps along the way to protect your clients.

DW: Right. I was at a Montana bar session and a fellow said, "But can you protect me from the NSA?" and this was before Snowden had brought it up, and I was, like, "Well, you know what, I'm not sure that being able to outdo the NSA is really your professional obligation. You may still want to do that, but I think it's different from your professional obligation."

PB: And we did talk about this in another podcast on retainer letters. It is probably not a bad idea to discuss with your client where you are going to store their confidential information because you probably will get clients who want to opt out of storing their confidential information in the USA, perhaps, if they have business interests there or maybe in the EU because they have some issues there.

DW: If you are able to get information from your vendor about the standards that it has for security for encryption and for the location of your data, that can be really useful information to share right up front with your clients or at least have, if the question comes up later on.

PB: Absolutely, and let your clients know what steps you take to store their information, if they are interested, and what it is going to cost them to recover that information at some point if that is necessary.

DW: So, now you know all you need to know about Cloud locations.

PB: And at least that's part one. Thank you, David.

DW: Thanks, Phil.

More on File Management

Lawyers have lots of files.  So many, that we're talking about it again!  In this second look at file management in a law office, Phil and David talk about storing your files (not naming and folder conventions, which we touched on last time), using PDF both because it's better to protect your documents and for keeping them long term, and topics related to document retention.

Speaker Key: PB: Phil Brown, DW: David Whelan 

PB:  Hi, it’s Phil Brown and I’m here with David Whelan. Today we are going to talk about file management again.

DW: If you listen to our other podcast you’ll hear about how you can organize your files using file names and folder structures, using document management systems. Today we’re going to spend some time talking about actually manipulating the files so that they’re easier for you to use, store, interact with, and send to other people, whether it is to the court or your clients.

PB: So, we’re talking about electronic files, some of which were electronic to begin with, and some of which may be converted from paper.

DW: We’re not really going to look at paperless offices, but if you look at the documentation that’s out there about paperless you’ll find a lot of things that are relevant to managing electronic files. One of them is how to process paper that is coming in so that it is scanned, turned into a digital file, and then ready for you to use in whatever way you plan to in your office.

PB: And there are a number of different ways to scan paper files into electronic files, and different formats are used.

DW: Right, the ABA has a technology buyer's guide that they put out each year that talks about some nice small scanners that you can put on your desk for making sure that all of the materials that come in for you and your staff are getting scanned in and processed. And then, the output can be turned into a Word document or a PDF, whatever you want. The one step you want to make sure you do if you scan something though, because normally it would scan as an image and that is not really very much use to you, is to scan it in and use what is called "optical character recognition (OCR)" to turn it into a document that you can then search, re-use if it is a precedent or something else that you want to re-use, cut and paste, and that sort of thing.

PB: Right, and we don’t want to actually save files as Word files necessarily, because not only do they contain a bunch of meta-data, they may also be changed.

DW: Right.

PB: For instance, when you call up a Word document on your computer, it will change it to today’s date.

DW: That’s right, and there is a good rule of thumb, and a good blog post about it at the Lawyerist website, that PDF is a great option for your final documents. That way you know that it was, sort of, locked in place and that can be your final document. So if you use Word documents, even if you scan into Word, then be prepared to use that as a draft or a work in progress and then focus on having PDF as your final outcome. A PDF document that has been OCR’d will still be searchable if you are using desktop or other search tools and can be organized and manipulated almost as well as a Word document, but not so much that it is actually going to change the document.

PB: And you can also tag these files as you are saving them. We talked before about having a very consistent and robust naming system so that you could find the files by name, but you can also find them by tags when you are searching.

DW: That’s right. In Microsoft Word especially, as you are saving the document, although it is actually a hassle that a lot of people will avoid, but there is something called document properties that you can turn on so that document properties always prompts you when you save a document to add these properties. One of them is the title of the document, and if you do not put a title in your document and then save it to PDF, the title of your document essentially is "Microsoft Word document" and then some other rubbish after it. So, it’s a really good opportunity to add keywords or information to the document that will not appear in the document itself, the meta-data that Phil was talking about, and you can then have these keywords appear in search. So if you have a lot of documents that are all forms, you can add a tag or a keyword called "forms" so that when you do a search, all of these documents will come up, even if the word "form" is not in the document itself.

PB: Now, after we have saved these files into a digital format, do we just throw out the paper files right away or should we keep them for a bit?

DW: Oh, absolutely, throw them right in the trash, same day. I’m guessing that that is not your answer, though.

PB: My answer would be to consider having a day box or something like that, so that after you have done your daily backup, which is always a good idea, you can then go and check to make sure that the files that you have recently saved are somewhere within the system.

DW: Yes, that makes a lot of sense. The thing that you will realize once you start making these documents into electronic and you have this second copy in paper is that it is the same thing that happens in records management. A lot of your documents really aren’t records. They are not things that you need to keep. They are just things that are used for the day-to-day operations of your law practice or the court or whatever, and so you will start to differentiate those things that need to be kept long-term and those things that really can just be in the day box or, at the end of the week, purged or shredded. You do not put them in a place that they can be re-used or re-found. There was a law firm in Minneapolis where one of their employees was taking the discarded documents to her kid’s school and they were using the other side for drawing and stuff, and they were medical records and things like that, so you really want to make sure that you are disposing of them properly.

PB: And speaking of file retention and file destruction, you should also have a policy in place on how to destroy these electronic files eventually, and a time-frame for doing that.

DW: That’s right. Even if they are documents you need right now for the case, they may not be things that you want to keep long-term for whatever reason. Making that distinction between Word documents and PDF can be really useful because that can actually be an easy way to quickly sort the files that you have saved on a particular client matter. At the end of the client matter, if all of your files are those PDFs, then you can quickly remove them for longer term storage and maybe get rid of some of the work product you have had in the middle.

PB: And there are a number of different ways to secure these electronic files with permissions to look at certain files that you can set within your operating system or within your file management system. You can also encrypt them. You can have password protection on certain files. There are a number of different ways to handle how those files are dealt with.

DW: It is also good to think about whether you are keeping lots of copies of the same thing. So if you have a document that you are re-using and have multiple copies across your file system or your document management system, you may want to think about starting with a single document and linking to it, and you can do that in Windows by just right-clicking on the document and creating a short-cut from the little menu. It will say "create short-cut." Or if it is web-based, you can actually create links. But that allows you to then get access to a document that is in a different folder in a different part of the system without actually having multiple copies of the same document appearing everywhere.

PB: And I know people tend to think of electronic data as being very cheap to store, but, when you are looking for a particular file, it makes no sense to have 12 copies of that file. You know, the email that you have saved from your inbox into a file folder and that file folder then going into a client file folder. When you are looking for that piece of correspondence again or some documents that were attached, you do not want to find it in six different places.

DW: That’s right. The cheapness of the storage is offset by the cost you will have in hunting around and making sure that you have the actual copy of the actual document you are looking for, so anything you can do to de-duplicate or find the duplicates and either remove them or just limit yourself to the actual number you need, will be beneficial to you and your staff.

PB: And the one place I would talk about redundancy being important would be your storage locations.

DW: Right.

PB: Having a physical location, maybe with a hard drive or backing up all of your files, as well as possibly, depending on your practice and your preferences and your clients, deciding whether or not you also want to backup securely in a Cloud.

DW: Right. One of the benefits of having your documents in the Cloud is that you can then share them directly to the client if you want to without having to email. You can essentially send him a link and password protect it, which provides them with secure access to the files that you have, but you do have to take into account that those files are then out and available to anybody who has the username and password that that client is using to access that file.

PB: Right, and we are not suggesting Dropbox or anything like that necessarily, but either an intranet or some way to share those files with a client securely.

DW: Right, and having both that physical drive internally and some sort of off-site Cloud or otherwise, hosted storage system, can really give you some nice redundancies in case something happens to that hard drive or your office. You can keep working even when you can only get to things over the internet.

PB: And we’ve talked before about ransomware and people have had ransomware on their office computers, but the backups they have in the Cloud have been safe.

DW: Right, yes, I think that is still an issue for a lot of lawyers, this issue of ransomware and encrypting and making your files inaccessible. So if you have backups, the more the better, although, I guess you can have too many backups too.

PB: Yes, you can have too many backups. That is our second look at file management. I am going to guess that we are going to revisit it again at some point, but that is it for today.

DW: Thanks, Phil.

PB: Thanks, David.

Desktop Search

Phil and David are back with tips on using your computer, phone, or tablet's search and metadata tools to find your stuff.  If you don't know where something is, or can't browse to it, desktop search can be a third method of retrieving information.  Windows search is much improved and there are other apps and add-ons you can use to find information on your computer and across your network much faster.

Speaker Key:    PB: Phil Brown, DW: David Whelan

PB:  Hi, it's Phil Brown. I'm here with David Whelan and today we are going to talk about the desktop search.

DW: Once you have put stuff on your computer or device, that's great. Even if you have a great organizing system you are going to spend time trying to get back to wherever it was. The more information you store, and the more different places you store it - in the Cloud, on your local computer, on your phone - the bigger challenge that becomes. LexisNexis has done some surveys in the past. They are called workplace surveys and you can find them on the web. They have done two and one of the recurrent themes about lawyers is how much time they waste trying to find stuff that they know they have, but they just can't figure out where it's gone.

PB: Now, there are a number of different ways to do these desktop searches. Often it is as simple as starting with a little magnifying glass somewhere on your computer.

DW: That's right. The Windows search used to be terrible and people would do almost anything to avoid it, but it has really come along. If you are on Windows 7 or Windows 8 and have turned on the indexing for your computer, it will go through and index all of the locations where it thinks you are storing files. And if you are storing them in different places, you can add those too so that all of those files then become easier to search right from what used to be the run bar. You just click on your Windows key, start typing, and it will start to bring back matching results.

PB: And your index thing, let's talk a little bit more about that. What happens if you do not turn on indexing?

DW: Well, if you do not turn on indexing, then it just looks at what it can find in the file system, e.g. the file name, date it was created - the basic meta-data about the document. But if you turn on the indexing, it will actually go in and look at the contents of those documents and return that, and that can really make it much more functional. And with Windows in particular, you have to go into the advanced settings for the Windows search and turn that on, because otherwise it will just default to indexing file names.

PB: And you can also search for a particular type of file as well.

DW: Right, you can limit it to file type and size so that you can look for really big files or really little files, PDFs versus Word documents, files that were created or modified on a particular date. There are a lot of ways to do that and you can do those searches from pretty much anywhere in Windows. And you can do it in Mac too, can't you?

PB: You can do it in Mac as well. Mac has a function called find and it has gotten better. I don't know if it is particularly scalable or changeable, but you can do a few things. You can tweak it a little bit to perform a batch search and rename a function. It has some other aspects built in, but, again, you have to go into the settings to change things around to get a different kind of search.

DW: The challenge with desktop search is that it is searching just your desktop. It is not searching your phone as well. It is not searching those files in the Cloud. If you use Dropbox, Box, or OneDrive and those files are synchronized to your local machine, then, of course, they will be picked up in that search. But if you are using other services that are in the Cloud and you do a search on your local desktop, it will not necessarily find that. I think that is one of the remaining challenges for desktop search. We are starting to see some of that integration happen, so that, instead of just searching the file system and bringing back those documents that you have properly indexed, you can actually search through your Outlook PST folder of stored emails and some applications, I think, are trying to start to bridge, so that they will also search out onto the web or if they are web-based, they will search back down onto your machine. But I think we went through a high point of some of those things, Cloud-based search, and most of those have disappeared now and so we are still hunting around for the right answer.

PB: Yes, there are some other tools that are (not the Windows search or the Mac find), but there are some other tools out there that have been designed that you can upload to your computer or use in the Cloud.

DW: Right, the interesting one has been the pivot of some of these search tools. X1 is a really good example. X1 is http://www.x1.com, and they were really a desktop search tool that has now become an e-discovery tool because they are so heavily focused on search. Copernic is another one. It's like Copernicus without the "us" on the end. And a lot of lawyers like that one, but you should go for the paid version because the free version is only for personal use. And you need to also watch that some of these will have limitations on how large a document that they will index and so, if you have X1 or Copernic or some of these other tools, make sure that they are indexing the full body, because if you have a long brief it may not get all the way to the end of that document and find the match that you think should be there.

PB: And X1 is also pushing some forensic tools as well for e-discovery to find social media searches and different searches on the internet and, I mean, some of these tools are very scalable. They vary all over the map in terms of price.

DW: Right, one of my favorites, and I will plug it here just because it is free and open-source, is called DocFetcher. It is freely available on the web, but to give you a good idea of how this sort of thing works: it will search over your local drive, it will search over your network drives inside your office, and it can also search inside Outlook PST files all at once. It is not a very nice looking tool - you can get nicer looking search tools, for sure - but it will at least give you a sense of whether there are more productive ways to look for files than merely browsing through your file structure or using the built-in operating system searches.

PB: Right, I like that some of the open-source tools still have that MS-DOS feel to them.

DW: Yes, they are a little on the rough side.

PB: Now, you can also search on your mobile devices as well. I know that the Mac, iPhones, and iPads all have a built-in function where you essentially just pull your screen down towards the bottom and there is a magnifying glass where you can type in a search, and it will search through your music, emails, the web, and any document that you have downloaded to your phone. I am guessing that Android and others have the same.

DW: Right, Android does, for sure. They seem to be going through the same arc of challenges, which is that they are really good at finding things by the name of the file and not necessarily digging as far into the files themselves. But I am sure that that will change, particularly in the Android universe where you have Google powering the operating system. I am sure that they are going to figure out a way to get search down to the nitty-gritty of the files too.

PB: And a lot of those files on your phone, you can tag as well.

DW: Right.

PB: If it is an image, you can tag it. If it is a particular file, PDF, or a document that you have scanned into your phone, those are also tagged, and you can tag them to search them.

DW: Right, and we have talked about tagging on the file management podcast, but it really cannot be overstated. It may sound a little bit social media, web 3.0, but adding that kind of information to the document, words or phrases that are not actually in the document when you are creating or working with the document, can make it so much easier when you are trying to retrieve it later on.

PB: And then the whole idea of saving documents, typically, is that at some point in time you may have to find them again.

DW: Right.

PB: So, it just makes sense to give yourself some memory aids along the way, tie some strings to some posts, just to make that search a little easier later.

DW: And we use search so frequently on the web anyway, that the more you can use it and the more you can become used to using it as a tool on your desktop or device, the better you will be at retrieving that information quickly.

PB: So, I guess the key is to find one of these applications that works best for you, that is within the right price point, that you do not forget to use, and to read the terms of use and things like that so you know if they are selling your information that you have been searching for.

DW: Right, and then use it all the time and you will really find that as your comfort level with it goes up, it will help you to find more information.

PB: Great, that is our look at the desktop search. Thanks, David.

DW: Thanks, Phil.

Cloud Computing Introduction

Cloud computing is a new way for lawyers to use technology, shifting the hardware and software out of their offices and onto systems hosted by others.  Cloud computing creates different challenges about where cloud companies put lawyer data, how they update their systems, and how you maintain control of your client information and work product.  Listen while we discuss what cloud computing is - and isn't - and some of the things you might want to know as you decide how it fits in your law practice.

Speaker Key:  PB: Phil Brown, DW: David Whelan

PB: Hi, it's Phil Brown. I'm here with David Whelan and we're going to talk about cloud computing. So, the first question, I guess, would be what is cloud computing?

DW: Well, it depends, I guess, on what you define as the cloud. Most people will come out with a basic definition that the cloud is something that's hosted outside of your network on someone else's computers. So it could be your Flickr photos, it could be your legal research with LexisNexis or Westlaw, but it's something that you used to have inside your office and now you're hosting outside.

PB: And would that include e-mail and other things like that?

DW: Absolutely. And I think people probably don't realise that they're using the cloud already when they are using Google Mail or they're using Hotmail. But that really is the same sort of thing, where before they might have had the e-mail system on their computer and the e-mail would download, now they access it through a web browser.

PB: So essentially, just to clarify the bit about the e-mail, their e-mail is stored on a server outside their office, which is essentially what makes it part of the cloud.

DW: Right, and that's really one of the benefits. I think one of the other ways you can look at the cloud is that if you use Microsoft Office on your desktop and people have suggested using the cloud for creating documents, you don't really need to do that, you can continue to use Microsoft Office but you might use Dropbox for storage into the cloud. So the cloud can act as a place where you put things as a backup to your in-office technology.

PB: And when you put it in the cloud, I mean, one of the benefits of putting something in the cloud or storing something in the cloud is essentially you can access it from anywhere in the world if you had an internet connection.

DW: Right.

PB: And of course to go along with that theory is the issue of potential security and other people might be able to access that same information.

DW: Yes, and I think that's the big hang-up, is that lawyers with confidentiality issues and privacy issues with the information they're putting out into the cloud, really have to have a good understanding of where that information is sitting. 

PB: And, I guess, the other issue is not just where it's sitting but how did it get there?

DW: Right.

PB: Because it could be routed through 40 other countries before it actually arrived at its storage location.

DW: Exactly, and I think in some ways you can say it's safe to go with the big names, going with Google or going with Microsoft and its Web Apps or Office 365 because at least you know it's a brand name that is well known. As you get to smaller companies, or particularly when you start to deal with cloud technology that has been built specifically for lawyers, you're dealing with smaller companies that may be hard to know exactly where they keep their information, how you are accessing it and how they are taking care of it when you're not accessing it.

PB: One of the things, David, I want to talk about is software, the concept of software as a service, instead of loading software onto your computer. What's that about?

DW: Well, you can compare it to sites like Dropbox where all you're doing is uploading files and you're storing them. There is nothing really going on. With software as a service you are really taking software from your computer and taking those features and accessing them on a website. So your word processor, your case management program, your calendar, all of those sorts of things, and then the software exists out on the server. You don't keep any software on your local computer and you primarily access it through a web browser.

PB: And one of the advantages of that would be, you're not loading any software onto your computer, you're not subscribing to updates, or buying new software the next year and uploading the newest thing. All of that's done on the back end by the company maintaining the software.

DW: Right. And that can be a real advantage for a solo or small firm because you don't have to find yourself falling behind on the benefits or the features in a particular application. It's always kept up to date for you.

PB: And typically, I should mention, there's a monthly fee associated per lawyer or per assistant who is using that sort of service.

DW: Right. And I think that's probably one of the bigger changes for lawyers buying technology, is that normally you pay a price and then you own that information or that technology. Now you would be paying a subscription. The benefit of that, though, is that if you have a technology budget, or even more importantly if you haven't, this will help you to plan your technology budget because you will have subscription costs for each month for your year.

PB: Right, and one of the things we should talk about, I guess, is the potential downside of the software as a service kind of subscription.

DW: Right, and it's not just your internet connection isn't available some day or that the provider is out of contact for a day or two; their servers go down, for example, but it's really what happens if there is a catastrophe or the business is gone.

PB: There are a number of practice management software businesses out there that provide this service and a lot of fairly new players who have just come up in the last year or two who might be under-capitalised, and I guess that's one of the things you don't know about initially.

DW: Yes, and I think that it's a real challenge because on the one hand you can take advantage of being out in the cloud. I think it provides practitioners a lot of flexibility in how they practise, but when you start to get away from the bigger name companies or the better known companies, or the companies even who maybe aren't as well known but have been around for a number of years, it begins to become more and more difficult to find out which companies are going to be around for the long term.

PB: And then, of course, if the company does fold, you need to know what's happening to your information and how you can recover it and what it's going to cost you.

DW: Right. Software terms like Data Escrow and Third Party Storage are becoming more popular with legal technology cloud systems because you really want to make sure that someone else has that information in case the company that is holding it for you in the first place disappears.

PB: And so, just to end, I guess, a possible advantage of it would be something like the ability to travel with a clean laptop.

DW: Absolutely, yes, you could go across the border and you wouldn't have to have anything but a web browser.

PB: Right, so you'd be able to access all of your information and all of your programs through the software as a service over your internet, into the cloud but nothing is stored on your computer.

DW: Right.

PB: Thanks.

DW: Thank you, Phil.

New Look, Organization

Phil Brown and I have recorded more than 30 podcasts on law practice technology topics.  They are all still here but, to make them easier to follow, we have moved to a blog format.  You'll notice there is an RSS feed here that you can follow and click on a category to see related podcasts.  All of the future podcasts will be posted in chronological order.  Thanks for your support of the podcast and if you have any suggested topics, shoot us an e-mail.  pbrown@lsuc.on.ca or dwhelan@lsuc.on.ca

Writing Apps for Your Mobile Device

You have a new tablet or phone and want to write on it.  It can be tricky turning your information consumption device into one where you can create your own information.  Listen while we discuss some of the writing apps you might use to capture your written notes on your mobile device.
Speaker Key:   PB Phil Brown, DW David Whelan

 

PB:  Hi, it’s Phil Brown, and I’m here with David Whelan. Today we are going to talk about note-taking applications for tablets and iPads, and things like that.

DW:  Lawyers like to write. We are a profession that focuses on documents, and we are all accustomed to writing on yellow pads or legal pads. So how do you take that note-taking information and move it to electronic devices? Fortunately, there are some really interesting opportunities to capture the information that you have been writing down and stashing away in paper files, and putting them into an electronic format that is going to be much easier to reuse in the future.

PB:  Right. So at the outset, I want to say that we are not endorsing any particular product. We are going to name some of the well-known ones at the beginning, but it is really just to give lawyers and paralegals an idea that there are a bunch of different ones out there and you should examine what’s available and find out what’s right for you.

DW:  Right, because it really can fit exactly how you want to use technology or how you want to capture information. We can start off with the research notebooks, which are tools where you capture images and text and then you synchronise them and organise them online. For example, Evernote, which you have probably heard of, or Microsoft’s OneNote. Both are very light apps that work either through a web browser on your computer, tablet, or phone, and allow you to record notes very quickly, synchronise them and put them into a larger framework like a notebook.

PB:  Right. As an example, Evernote, which I use quite a bit, can make a note on my phone or computer. It is stored on the Internet or synchronised on the Internet, and then I can access it from any of my devices.

DW:  One of the challenges when you start taking electronic notes is, are you a typist? Most devices now have an onboard keyboard if it is not a laptop where you can actually type on the screen. Would you rather still do handwriting? I am a handwriting person. My fingers are too big for most of the onscreen keys, so you can still do that. Most devices will have an option for you to handwrite on the screen. I use a Samsung tablet. And it actually allows me to write with a little stylus that comes with the tablet, or I can write with my fingertip. So whichever I prefer, and then whichever note-taking tool you use, things like Evernote or OneNote, you can save the image of your writing, just like you would save a scan of your handwriting if you scanned in a piece of paper that you’d written on.

PB:  Right. And some of them will just take the image of your writing. Some of the apps will actually convert that writing to text.

DW:  Yes, and it is really kind of creepy to see it happen. I don’t claim to have better writing than a typical doctor’s scrawl, but it does a really good job of figuring out what I’ve written. And having that converted immediately to text means that I don’t have to go back and try to dig through information. If I’m sharing the information with somebody else, it’s easy for them to quickly read what I’ve got and then to cut and paste it, if necessary, into another document.

PB:  Right. And then the next step up, I suppose, if I could put it that way, are apps that you can actually record sound and make notes at the same time. And then later on, tap on those notes that you’ve made, and it will take you back to the recorded audio that was playing or that was being recorded at the time.

DW:  Right. This is a great alternative to doing dictation and then having someone else type it up. You can actually convert it into text on the spot.

PB:  And now, some of those apps are Notability, which I know is available for iPads and iPhones, and I’m not sure what other devices it might be available for.

DW:  And even apps like Evernote or the Samsung S Note will allow you to do a recording, but they won’t do the transcription. They will save the recording as a note though so that you have it as part of your note-taking environment.

PB:  Right. And I’m just going to mention another one. There’s also NoteBook, which might be a little more expensive, from a company called Circus Ponies. They have that ability as well, where you can record audio and annotate that audio while you’re recording it and then later on go back and click on the note you had made, and it will play the section of audio that you were listening to.

DW:  You can also have the old-school paper experience. There’s a Papyrus app, which I believe is on iOS but is certainly on Android. It looks and feels just like a piece of paper, and you just keep writing on it. And unlike a lot of the notebook tools, where you have to create a new page or you have the feeling of dealing with a notebook, Papyrus just goes on and on and on like a very long scroll. So there are really lots of options for making the note-taking experience be exactly the way you’re comfortable doing it in the paper world.

PB:  Sure. And we haven’t touched on a lot of the other features that they have. You can create file folders that are different colours for each kind of note. You can change the look of the paper that you’re creating. It can be buff or white, or it can be legal-sized or a regular page format; lined, unlined, grids. The options on all these apps are almost unlimited.

DW:  Two of the options that you might consider looking for when choosing a note app is the ability to synchronize it, and so things like Evernote or OneNote, Google’s Keep are all note-taking tools that have a synchronized option where they will store copies somewhere else. Not only can you synchronize it to another computer, you create a backup of what your notes are. So if your device or your phone is damaged, you still have a copy. The other option you might consider is the ability to export, so that if, for example, I’ve been writing in my note tool and I want to share that with someone right away, and if I don’t have the ability to export it or send it as an email, I can actually save it as a PDF and send that PDF to someone who can then use it.

PB:  Right. And as well as exporting, a number of them have an import function. I know that Evernote does. You can import PDFs and things and note them up.

DW:  Yes. It’s a great option.

PB:  So we’ve just touched on a few of them. There are probably hundreds of them out there, depending on whatever platform you’re using. We just want people to know that you are not necessarily limited to a piece of paper and a pen or pencil. That’s our look at writing apps for various devices. Thanks, David.

DW:  Thanks Phil.

Secure Your Wireless Network

Wireless networks are commonplace and many lawyers have one or more in place at their law firm offices or home offices.  A wi-fi network can be accessible by unintended users, however, and you should secure yours so that you know who is accessing it, and potentially, your office or home network.  Listen while we talk about some of the ways you can secure your wireless network.
Speaker Key:   PB Phil Brown, DW David Whelan

 

PB:  Hi it’s Phil Brown and I’m here with David Whelan and we’re going to talk about wireless security tips.  We’re hearing a lot about wireless and Wi-Fi so maybe we should just talk about what is it?

DW:  The basic technology is wireless networking and it sometimes becomes confusing because we now call cell phones wireless phones but they’re not really wireless in the same way that we’re talking about wireless networking, which is also known as Wi-Fi.  It allows you to have high speed connections from your computer across your network or to other computers on your network.

PB:  And it’s really just a radio signal that’s being broadcast back and forth by a transmitter.

DW:  Exactly. The quality of that transmission can vary so if you’re inside an old-fashioned building with heavy, thick walls the signal might not actually leave your building, but if you’re in a modern building or if you have a lot of windows your wireless signal could actually penetrate out into the open world.  Or conversely, if you’re outside a building that has a lot of open glass windows or thin walls you might pick up a wireless signal from somebody else who might not intend to transmit it. 

PB:  So the term Wi-Fi is really just a trademark name.

DW:  Yes, it’s for marketing.

PB:  In theory, I suppose for making regulations also so they can certify things as being a certain standard.

DW:  Right and that is part of the alphabet soup that comes with wireless.  You have wireless speeds of A, B, G and N.  So when you hear about Wi-Fi N or Wi-Fi B those refer to particular speeds of the wireless networking technology.

PB:  So in other words, how fast or how slowly you could transfer a file.

DW:  Yes, and some of those speeds are aspirational.

PB:  So let’s talk about some of the potential dangers of a Wi-Fi connection being open.

DW:  Open really means there’s no security on it and this is most commonly discussed in the area of coffee shops where you go in and you sit down in the coffee shop.  Starbucks is a good example where they have free wireless and you can get it at McDonalds as well if you’re at the McCafe.  You log onto their network and you can do things on the internet, send files, download files, check your email, but there’s no real security, it’s just a checkbox saying that you agree to follow the terms and services and then you’re off and running and so is everybody who is sitting around you.

PB:  Also if you set up a home Wi-Fi network or even an office Wi-Fi network without setting any security protocols it would be an open network too.

DW:  Yes.  A good story I have on that is my sister went to a coffee shop in Maryland and every morning there would be a lineup of cars next door and next door was the police department and all of the people in these cars were connecting to the police department’s unsecured wireless network.

PB:  Now those people who are receiving those signals or picking up those signals from maybe your computer or anyone else’s computer. There’s a recent Illinois decision saying that’s not wire tapping.

DW:  Yes and I think that should give everyone pause for concern if they are sending anything related to clients.  It doesn’t even have to be confidential information, it can just be addresses, any sort of data they’re sending related to their clients and even more basic they should be worried about their user names and passwords being picked up by people who are using software that’s freely available and can watch transmissions that are sent from a computer to a wireless connection or access point.

PB:  So we’ve talked a little bit about the potential dangers of leaving connections open.  Let’s talk a bit about standard encryption that’s available.

DW:  There are two ways of encrypting your transmissions.  The basic one is if you’re using a web browser, make sure that the web sites that you’re visiting use the https or security sockets standard.  You can tell because if you go to a web site and there is no s after the http, your connection isn’t encrypted.  But if you go to your bank or if you go to certain online social media sites - your Facebook account, you’ll notice that in most cases the service wants to provide you with a secure connection and they convert that.  You can see it by seeing the s in the https location in your web browser.

PB:  Right and it’s available for Firefox and for Chrome.  I don’t think it’s available for Safari.

DW:  In some cases, the web site provides a secure connection for you and then there are additional add-ons.  One of the great add-ons is called HTTPS Everywhere and that is a Firefox only add-on.  It will automatically turn on https if the service is available, whether or not you are aware of the service being available.  Many sites will turn it on for any web browser including for portable or mobile phones.

PB:  And just to be clear on what’s being encrypted - it’s your information being sent to that web site and from that web site to you.

DW:  Yes, and I think one common misconception is the information on the other end is anonymous or somehow is protected.  They may still be gathering information about your visit and where you came from and so on, so it’s not really a privacy protection; it’s really a matter of blocking eavesdroppers from seeing the information.  There’s also the ability to use virtual private networks or VPNs, and they allow you to encrypt not only what’s going on in your web browser, but if you’re using your email account through Microsoft Outlook or something like that or some other software, you can actually connect to your office and securely create a tunnel or a pipe directly to your office over the internet and no one would be able to access your transmissions at that time.

PB:  And that’s an option if you’re on an open network like a Starbucks or a Timothy’s or a Timmy’s or any of those. You could use a VPN, this virtual private network or pipeline to connect to your office.  There are a number of different services available out there to set up a VPN for free.

DW:  You may find that if you’ve got an internet router, which is the piece of hardware that connects your office to the internet, it has VPN support built in, in which case you could use this software.  Otherwise, there are open standards like OpenVPN, which you can download on the web and use and there are other free services that allow you to download a piece of software to your phone or to your computer and then provide you the network to connect to.

PB:  One of the things that makes using wireless devices, phones, computers and wireless routers potentially dangerous is that every device has a MAC address and a MAC address is just a physical location address that you can punch into a piece of software and you can communicate with it.

DW:  Right, and another misconception is that it only applies for Apple computers but every device that connects to the computer has this device specific piece of information and it can be spoofed but in many cases it can be used by you to secure your own network.  So if you have your own wireless network in your office you can set it up so that only certain devices with certain MAC addresses will be able to connect up to your access point and that can help you to limit people who are wandering by or people who shouldn’t be accessing your system from getting access.

PB:  Another tip on that is if you do have employees in a law office who are accessing your wireless network in the office to de-authorize their MAC addresses from whatever device they were using when they leave the office.

DW:  That’s a great tip.  MAC addresses don’t provide permanent or total security for your access points; it’s just one of the ways that you can secure an access point.  Law firm access over Wi-Fi should really include passwords so that no one can get onto your network without having a password and they should have encryption as well so that transmissions from the access point are encrypted, it’s not open to anybody who can see it.

PB:  Another tip in terms of passwords is changing the administrative password on your router when you set up the wireless network.

DW:  Yes, unfortunately if you type in the name of your router in Google and type in admin password you can probably find the admin password, which is the default for your system.  So make sure that you have changed that password and maybe change the name of your router.  In many cases, when you are trying to connect to a wireless network, it will tell you the name of the piece of hardware that you’re going to connect to and it usually has either the provider’s name or the company’s name.  So if you buy a Linksys router for Wi-Fi it may say that you’re connecting to the Linksys network.  So change that to something that doesn’t scream the name of the product or the name of your law firm so that it helps to de-identify or maybe make you less of an attractive target for people who want to hack your wireless.

PB:  I know there were some suggestions in some of the tech magazines that you call your network the virus generating network to make it less attractive to join.

DW:  That’s right - scary can be good.

PB:  What about turning off your Wi-Fi network when you’re not using it?  Is this an option or no?

DW:  I think it can be an option. It tends to be more complicated than just flipping a switch.  I would definitely suggest that you turn off Wi-Fi on your phone or on your tablet or laptop because at least that means you’re not broadcasting without realizing it or connecting to a network without realizing it and sharing information from your device and obviously that has battery benefits as well.

PB:  It’s also probably a good idea to maintain all of your usual firewalls and things on your other devices.

DW:  Absolutely.  Be aware of what your device is sharing.  If you’ve got a Windows computer you may have file sharing turned on.  You may also have Windows Media that are looking for people to share your music work.  To the extent that you can turn those off and take advantage of the public versus private networking distinctions in your operating system you can stop broadcasting information about who you are and what’s available.

PB:  Great.  Thanks a lot.

DW:  Thanks Phil.

Tips for Your New Web Site

Your law firm is getting a Web site.  Or is refreshing its current one.  Listen while we discuss some of the things you might consider as you put information on the Web and ask potential clients to provide you with theirs.
Speaker Key:  PB Phil Brown, DW David Whelan

 

PB: Hi, it’s Phil Brown. I’m here with David Whelan and we’re going to talk about some tips for having your own website.

DW: If you have a website for your law firm you can put all sorts of information on it that will help people to find you faster and learn a little bit more about the sorts of services you provide. So, it gives you a great opportunity to have something working for you 24 hours a day that if people type in a search in Google, or if a friend refers you to them, they can quickly find out a little bit about you.

PB: It would be a good idea to have information about where your law office is, the languages spoken in your law office, the type of service you provide, things like that.

DW: If you have other content too, if you are blogging for your practice or blogging for your practice area you can have that incorporated into your website. If you’ve got newsletters and other content it’s a great way to take something that you have shared with your clients or potential clients through mail or in a physical format and put that up on your website as well.

PB: It can also be part of your branding with your website name. It could be www.davidwhelan.com. If you have your own domain, you could also run an intranet in the background and give clients secret access to that site that no one else would have access to.

DW: Exactly, that’s a great example of resources that are available now to any sized law firm. You don’t have to be a big law firm to have a so-called extranet. You can create a secure place for your clients to log in and either look at information you want to provide them or have a place where they can share information with you in a secure way at any firm size.

PB: So, let’s talk about some of the other things that should be included in your website that maybe are less exciting, things like a Terms Of Use document.

DW: There are a number of documents that you should probably have accessible on your website and like your email confidentiality statement. It may not be that effective, because like your email confidentiality statement, it’s probably at the bottom of your email. These documents are often linked in at the bottom of your website, but they’re still important to provide so that you are able to define for people who visit your website what they should be expecting from you and from the information that is on your website, and also have an understanding of the sorts of information that you’re capturing from their visit, both the information that they give you voluntarily and the information that you’re capturing about when they visited, where they came from, that sort of thing.

PB: And so it’s a good idea to have things in your terms of use statement like, the information provided on your website is as is and might not be updated, and the fact that it’s not legal advice.

DW: Exactly. I think having a public face on the web means that you are essentially standing on a street corner and greeting everybody who walks by. And the issues that will arise from creating a lawyer-client relationship with people who you won’t actually have interacted with.

PB: When we say "lawyer", it’s interchangeable with paralegals or legal services firms that have websites as well. So, in terms of other documents, the privacy statement that is also usually embedded at the bottom of a website covers what sorts of things?

DW: Well, when people visit a website they leave information about where they’ve come from. They sometimes leave information about where they go to next. They might have come to your website using a particular keyword in Google or a search that they used, and all that information may be captured by you. It’s usually a good idea to let people know that you have got that information about them so they understand what you’re capturing on that website.

PB: Right, and there are also statements with respect to things like IP, as to who keeps that information and if there is some sort of a dispute, who they would contact and so on. In terms of people emailing your website, there’s a few tips that we might include there.

DW: You had a great suggestion which was to use an email form, and I’ll let you talk about that. I think another good reason not to put your email address on your website is that the email will then be harvested by people who will start to spam you and that will give you increased opportunity to have problems coming to you via email, whether it’s a worm or a virus or some other bad information that’s coming through those emails.

PB: I guess my point is, it’s a good idea to have an email form on your website instead of just your email. And these are forms, it’s a fill-in-the-blank type form on your website, and the person or prospective client would contact you, they would fill in information, their name and address and how you could get hold of them to discuss their legal problem and that sort of form prevents them from sending you an attachment and as David mentioned, it might have a virus or a malware attached to an email. You avoid all that with a fill in the blank form.

DW: The other great thing about the form is that it allows you to link back in your terms of use, your privacy statement, any of the other disclaimers you’re providing, so that even if they haven’t gotten to the bottom of your website and clicked on those links or read those documents, by the time that they’ve filled out that form, you’ll have given them an opportunity to understand that you have not created the lawyer-client relationship.

PB: One of the provisos that should be on the same page as your email form would be some sort of information to tell them that they’re not a client until they have retained you in the usual way to become a client, and no information that they send you will be considered confidential until they have formed that solicitor-client relationship.

DW: That’s great.

PB: And it also prevents a conflicts of interest situation. You don’t want that person giving you information about the case and creating a relationship until you’ve been able to do a conflicts check. You want to be able to protect them as well.

DW: And we’ve seen an increase in people using websites to interact with lawyers and ask them to engage in collections or other activities on their behalf that are actually frauds. There are things that don’t end up doing anything other than hurting the lawyer and the lawyer’s trust account.

PB: And that’s happening a lot lately. Lawyers in small and small to mid-size firms are being targeted as part of a fraud, just because they have an email and someone will email them and say, hey, look, someone referred you to me and can you do this kind of work for me. And that’s how it all starts, and where you really need to be diligent in doing the client ID and verification requirements to make sure that they’re not setting up a relationship with a fraudster.

DW: The use of an email form can also slow down the fraudster so that if they are just harvesting email addresses that are out there and then contacting lawyers, if they have to go through your form, they may not take the time to do that. It is a fraud of opportunity. So, that’s another good way to give yourself a little bit of protection. And also, if it sounds too good to be true, it probably is.

PB: And that’s great advice because, you know, if you’ve been in business for 20 years and no one’s ever come to you with a collection and all of a sudden here’s a collection and you don’t have to do anything and the next thing you know, there’s a $200 000 cheque in the mail to you, you really need to think twice and maybe call some people to find out, you know, could this be a fraud?

DW: We’ve been talking about some of the policies you should have on your website and some of the content that you should have on your website. What do you think, Phil, about making the website a really personal place, something that tells them more about you as a person as opposed to you as a lawyer?

PB: A lot of lawyers have a tendency to do that. They will personalise the website and have photos of somewhat casual poses with the lawyers in their office and things. It’s a great idea, it certainly personalises the lawyer a little more and makes them more accessible, but the danger is what is in that photo, or what information is available? And I’ve seen some lawyer websites where you can see all of their family photos in the background, you can maybe see the kids up in front of the house in a photo, and lawyers have to be aware that that information could be out there and anyone could have access to it. It’s not too hard to figure out where you live if you have a photo like that, or what your kids look like, and it’s a potential danger for people.

DW: That’s a great point, Phil.

PB: And the other thing is what if you have personal phone numbers instead of business phone numbers on your website, people should be aware of things like reverse lookup tools on the website. It’s not hard to find out where you live. And maybe just a few last points… updates and why it’s good to have them.

DW: You really need to make sure your website is up to date. People will realise if something isn’t current, so if you’re not willing to keep content up to date, at least make sure that your phone number is accurate, that your email address and your other information that you might have available for contacting is all up to date.

PB: And if lawyers and paralegals don’t currently have websites?

DW: If you don’t have a website, you’re in a minority and it’s a great opportunity now to think about all of these things so that when you turn on your website and you start to use it to bring in clients, that you’ve already got the terms of use and the privacy statements and these forms in place so that you’re not playing catch up or finding yourself in an awkward position.

PB: Thanks, David.

DW: Thanks, Phil.

Protect USB Drives or Don't Use Them

Portable media can contain, literally, every document you have created in your law practice since being called to the bar.  We discuss why using USB, flash, and thumb drives can be risky with confidential client information, and how you can protect your drives.
Speaker Key:   PB Phil Brown, DW David Whelan

 

PB: Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about USB drives and backups.

DW: USB drives come in all sorts of sizes and shapes; you might think about the ones that you’ve picked up at conferences or expos and you might even have a Darth Vader USB key in your collection. You might also have a big flash drive, and the interesting thing about these drives is that they all use the same sort of memory. It’s called flash memory, and so you might have heard them called flash drives or thumb drives, but you’ll also see in the big removable drives, flash memory as well.

PB: Basically we are talking about a drive that has no moving parts.

DW: Right, so you may have thought about the thumb drive, but it comes in various sizes. We will be talking today about the smaller drives - the ones that are more prone to be picked up for free or at minimal cost, and that you may be relying on to back up information in your practice.

PB: Right, one of the reasons we are talking about this today is that we’ve heard that a lot of lawyers are using USB drives or thumb drives to back up their entire practice.

DW: And the amazing thing is that you really could do this as the flash storage on these little thumb drives is getting bigger and bigger; you can now have tens and soon, hundreds, of gigabytes on these very small drives. It is interesting to think that I can store my entire practice onto this little device which I can then put into my pocket.

PB: There are different kinds of backups, and we should touch on that - whether they are copying new files or doing an entire backup of their drive. And then there’s also something called an image.

DW: The most basic is the backup where you’re really just copying files from your main computer over to the storage, wherever that is, and in this case we’d be talking about flash. This way you could then go onto the flash drive and actually see each of those individual files. The backup is a backup software program that looks at all of your files and sees what has changed and makes a backup file that you can’t actually look at; you need to use the backup software to restore it to get access to those files. And then the image is really a snapshot – a picture – of exactly where all the files are on your computer at a given time, and you store it in a single file called an image. Then if something happens to your computer or to your information, you can use imaging software to bring back that image, and then your computer will look exactly the same way it did – all the software will be in the same place and configured in the same way as it was when you made that image.

PB: There are a number of programs out there (some free and some pay programs) that will actually image a small law firm’s business onto a thumb drive.

DW: The interesting thing is that we couldn’t come up with any really good reasons why you shouldn’t use flash memory for your backups. It seems to be getting more useful and it seems to be able to handle more writes, which means that each time you send something over to the USB drive, it is considered writing to that drive. But still, there’s something a little bit awkward about having your law firm on a device that’s small enough to lose between the seat cushions in your couch.

PB: Losing the thumb drives would certainly be one reason. Another reason might be the quality of the drives – there are so many of these out there that the quality of the different thumb drives varies.

DW: In many cases with computers, you can’t see what’s inside your computer anyway, but there certainly seems to be a lot more scope in pricing and quality of these drives that, if you end up with cheap components – even if you buy a brand-name drive – you may end up with something that isn’t going to last as long or that may have more defects in its hardware than you would have if you were using a mechanical drive or something that is a little bit more strong technology-wise.

PB: You are basically entrusting your practice to one of these little things that might cost $1 or $10 or $15 or you could drop one and step on it, and then you might not recover any of your practice.

DW: That’s the challenge - if you lose one of these devices, you really don’t know what’s going to happen to it. Researchers have been able to recover substantial amounts of data off USB drives that people think they have deleted all the content from, so that’s one of the issues. Even if you are meticulous about managing the location of your USB drives and cleaning them off on a regular basis, you still may find that there’s confidential information on there. If you lose it, when you’re no longer using it as a backup device, there may be content on there. The other issue is that, if you do lose it, and you haven’t taken any plans to encrypt the data and there’s client data on there, you may now have a real issue because you will have a hard time finding out where that drive is going.

PB: That’s right. There is no built-in location software for these drives. There’s no way to necessarily find out where they’ve gone if you do lose them; it’s a little different than a cell phone, where you might be able to find out where it was because of the GPS capability built-in. But once these things are lost, they’re gone.

DW: Where do you think USB drives or flash drives fit into the law practice?

PB: I think they could be part of a backup plan. The key to any sort of backup plan has to be redundancy, so it might be a good idea if you have a cloud backup or a backup onto an external hard drive that you could take away from the office and have a USB key or something that has the kernel of your practice mirrored somewhere regularly in the event of an emergency. One of the points I like to make is that if you’re going to do this sort of thing, you should encrypt it.

DW: Yes, for sure. If you’ve got the content on a portable device that allows you to encrypt it, you should do so. If you’re burning a CD on a regular basis or saving your information to something you can’t necessarily encrypt, obviously, that’s a challenge. But if you’ve got an external drive, and larger external flash drives may actually be great as they are portable and they’ve got a lot of space for backups and they’re unlikely to be lost because you’re not going to put them in your pocket. However, then you should really be thinking about either getting one that has encryption built into the hardware of the device or applying encryption software to it.

PB: And the other thing we always talk about in terms of backups is if you’re going to back up something, you have to do test restores.

DW: That’s right, otherwise you may think that you’ve got a process that’s working, and then when the calamity happens, you’re unable to get back any of the information that you thought you had.

PB: So, while you can use a USB thumb drive to do a backup for your office, there are a collection of different reasons why you might not want to.

DW: That’s right. Thanks Phil.

PB: Thanks very much.

Lawyers and Twitter

Twitter is a short-form social media tool and many lawyers wonder why on Earth they'd want to use it.  It's a good question.  We are both on Twitter and we talk about how it works, some ways to get more out of it, and some software you can use to monitor Twitter more productively.

Speaker Key: PB Phil Brown, DW David Whelan

PB        Hi. It's Phil Brown and I'm here with David Whelan, and today we're going to talk about Twitter.

DW      Hey, Phil. Twitter is one of the communications or social media applications that you can use to share information or learn about information from other people. Twitter is known as micro-blogging because when you send a message or receive a message, it usually has just 140 characters including the spaces.

PB        There are a couple of different ways that you can expand it so that it can be longer than 140 characters, but that's pretty much the standard message on Twitter. One of the questions I have is why might a lawyer be interested in using Twitter?

DW      One of the obvious reasons is to promote themselves or information that they want to share. The obvious flip-side is that if people are sharing information, then you can use Twitter to receive information. Some of the messages will be statements about something that a person has done, but many of the messages that come out on Twitter that are really valuable will have a link to information that you may not have known about so it can be good for learning about companies, potential clients and research topics or other information related to your practice.

PB        So a research tool is one aspect of Twitter and another might be increasing their profile and engaging clients.

DW      Absolutely. Certainly the increasing profile part. One of the challenges with Twitter is that you don't really get to decide who follows you or finds you. As you start to use Twitter or other micro-blogging platforms and sharing messages, the people will start to follow you based on the content that you send out. The more authentic you are and the more information that you share that is valuable to others, the greater your likelihood of having people follow you.

PB        And one of the things we should mention about Twitter is the ability to access or read everyone's Tweets if they're unprotected - you don't have to be a follower.

DW      That’s correct.

PB        It's a wide-open platform in that sense. You can read anyone's, not just current Tweets, but you can also go back through an archive and read anything they've ever sent out.

DW      A follower on Twitter is similar to a Like or a Friend on Facebook. Once you start to follow someone on Twitter, or someone starts to follow you, they receive every message that you send out, or if you're following them you receive everything that they share. So as you start to follow people you'll need to select the people who send the number of messages that you can handle because obviously people who are sharing heavily during the day might swamp your ability to actually follow all of the information coming through on Twitter.

PB        So maybe one of the things we can talk about is the potential for information overload with Twitter.

DW      I think it's very easy to do and part of it comes down to your approach to using social media. Some people prefer to follow thousands of people and be followed by thousands of people without the intent of seeing every message that comes by. So if your intent is to see all of the information that is being sent out by people you're following then you really need to follow a relatively small number of people to make that manageable.

PB        And another way to manage that would also be the creation of lists.

DW      Right. Twitter allows you to use lists from within their software but you can also use third-party applications like HootSuite. A list allows you to aggregate or identify a number of people who are talking about a particular topic. It might be your practice area or a particular case, and then you can set up a list of those people so that all of that traffic is essentially sidelined out of your main Twitter stream - your main flow of messages so that when you have time, you can go and look at all of the posts that are specifically from those people or on a given topic if you're creating a list based on a keyword or some other search term.

PB        There's a number of different ways you can search the Internet for Twitter messages or Tweets as they call them; something like Topsy, or any of the Internet archives or Tweet Archivist. They all would work in terms of being able to bring up archival Tweets.

DW      Another great way that Twitter allows you to aggregate is that if you're searching on Google for a keyword it will obviously return all sorts of content and then if you go to Topsy.com, which is a social search engine, you can narrow it down to particular elements of social media. But if you want to find information on Twitter or Twitter posts that are all related, people who are sending out messages often use what's called a hash tag, and they use the little pound sign followed by a term, and then if you search on that hash tag later, you can bring back all the messages that have used that same piece of information. This allows you to follow a conversation without actually following all the people who are having the conversation.

PB        So let's pick a hash tag, for instance, ethics because Twitter might raise some of the issues related to ethics, and I'm thinking because it's such an immediate platform and more lawyers might be using it than sitting down to create a blog which is going to take a considerable amount of time in comparison. What are some of the ethical issues?

DW      I think the very first one is when you decide to sign up for Twitter or some other site and you create your handle; your online name, you need to make sure that it is a name that identifies you and not necessarily “best lawyer in Ontario” or whatever the other handle might be, so I think your name choice is your very first step.

PB        Hopefully people aren’t using Twitter to give legal advice, so perhaps building in a proviso into their identity might be a good idea as well.

DW      I think that you need to be very careful about following clients or sharing information about who your clients are in the same way that you wouldn't share the information outside your office in a coffee shop or at the courthouse.

PB        So confidentiality is a key concept to remember using Twitter. I can say that I have seen some Tweets out there where lawyers have identified the client that they're acting for, that very morning.

DW      Absolutely. Twitter has the same issue that your documents do. There is metadata in your Tweets, so if you're using an iPhone or another device that says where you are when you send your Twitter message, that location information might actually be passed on. So say, for example, you're at your client's office, and you've just acquired the client; they've retained you, and you send out that Twitter message, you may actually be sending out that information without it actually being in the message that you send out to Twitter.

PB        That's the same with any, kind of, social media or using smartphones these days. A lot of time you have your location turned on, and people know where you are and might know you're not at home.

DW      One of the things you can do is to protect yourself. Obviously, if you're using Twitter as a marketing tool then you need to make your account as open as possible, so that people who are interested in following your messages, whether they are actually your followers or not, can do so. But if you're not interested in using it for marketing but just want to share information or to create an online environment you can protect your account so that only people who you authorise to access your Twitter messages can then see the messages that you're sharing.

PB        Right. There's a little checkbox when you start your Twitter account, or it's in your preferences, and you can actually check off that box to protect your Tweets. And you could use it just as an internal social media communication tool as well.

DW      Just set it up for you and your staff or other colleagues that you want to interact with.

PB        And I was just going to say, you'd have to approve each one and you could look at each other's streams and share things within the office. Sort of a small Intranet, I guess.

DW      Yes, and be aware that just like with e-mail and other platforms where you communicate, once you sent out that Twitter message, whether it's public or in a locked account, that Twitter message can then be passed on to others outside that protected environment. So, say you share a message or send out a message to your Twitter followers, but it's a protected group, if they then re-Tweet it, which is essentially a forwarding message, that message then goes out beyond the protected environment.

PB        Another thing I'd mention in regard to that is the concept of civility. If you are sending out messages or re-Tweeting; passing on other people's messages you still have to keep an eye on civility as a concept.

DW      Yes. One of the interesting challenges for lawyers is that since they're supervising others, if they have staff who are using Twitter whether it's in a locked environment or open, and particularly for marketing purposes, they still have a responsibility for supervising the Tweets that that person sends out.

PB        So direct supervision; another one of the rules; a good one to mention. And, I suppose, one of the other things that you might consider in your office, as part of a social media policy, would be who owns all of these accounts when your employees leave, if they're using them?

DW      Right. That's been an interesting development, which is employers then looking at their employees' private accounts or what started as private accounts but then have morphed into valuable resources for the company because the person who is connected both to the company and to the concept and the followers now has a valuable portfolio of information, and whether that goes with the employee if they leave the firm, or if the firm can somehow hold onto that?

PB        So that's more than 140 characters, but that's our snapshot of Twitter. Thanks David.

DW      Thanks Phil.

To Text or Not to Text

Texts and SMS are common ways to communicate using phones without actually making a call.  Listen as we discuss why you should be careful texting with clients, how to make sure you keep a record, and what you should avoid talking about.
Speaker Key:   PB Phil Brown, DW David Whelan

 

PB: Hi, it’s Phil Brown, and I’m here with David Whelan, and today we’re going to talk about texting.

DW: You might’ve thought that texting was just something that teenagers did, but it’s an interesting way to send short messages from one person to another, and it’s a very common thing for people with smartphones and devices to use in order to have quick conversations. It can also be a really tricky thing for lawyers if their clients start to reach out to them using the technology that they’re accustomed to on their smartphone, but that may not actually be very useful for lawyers who are interacting with their clients.

PB: Texting, also known as SMS, is a little different than email for a few different reasons.

DW: Yes, one thing is that you don’t have the same big application to send email, so you’re losing some of that functionality. So, the basic part of a text is obviously the text, and you can only type a certain number of characters, so it’s an abbreviated message. You may be able to attach something from your smartphone or your device, like a photograph that you’ve taken, that can be attached to the SMS message and then sent to your contact.

PB: And you can also send a short video, but sometimes when you try and attach a video to a text message, the video gets abbreviated, and you may only get half of that video or a quarter of the video sent along. Of course, some people have multimedia turned off on their phones so they’re not able to accept the video on the other end and it may just vanish into space. You won’t ever know whether that video has been received.

DW: That’s a great point. If you don’t have data enabled or the right plan on your phone you may find that while you can send and receive text messages, you may not necessarily receive any of the rich attachments that are linked to them.

PB: Yes, and a number of smartphones and other devices have built-in texting applications.

DW: In most cases, when you turn on your phone you will have an ability to phone someone. The phone will also have some sort of messaging application which will allow you to type a message and then choose someone from your contacts in the same way you would’ve chosen them to make a telephone call, and you would send the message that way.

PB: Just like email or sending faxes, you can send them to the wrong recipient.

DW: Yes, and you wouldn’t necessarily know unless you went back and checked to see who you’d sent it to and looked at the message. The other challenge is with the lack of encryption that surrounds most of the texting apps as well as texting on Android phones and Apple phones. When you send a text message, you’re essentially sending plain text so you are potentially exposing it as it’s being transmitted; this is probably the same low concern that most lawyers would have about email. But when it gets to the other end, if you have someone whose phone is accessible to other people or which is then lost, then that text message can then be accessed by other people.

PB: We also have to at least mention the fact that these texts (just like emails) are going through company servers; maybe it’s your law firm server, and/or your cell phone provider’s server along the way, so there are a number of points of vulnerability.

DW: The one device that seems to have a little bit more complicated or rich environment for texting is the BlackBerry. You can use what’s known as BBM or BlackBerry messaging, in order to transmit in an encrypted format. You can also use something called PIN-to-PIN messaging on the BlackBerry.

PB: This built-in encryption protects your information travelling from one device to the next, even though it’s flowing through a provider. However, one of the potential vulnerabilities is BlackBerry’s encryption key, which my understanding is it’s essentially available to BlackBerry, and they can decrypt your messages anywhere along the way. That’s one thing to be aware of - your provider typically holds the keys even if they’re offering you encryption in whatever application you’re using.

DW: One of the things that has become common with texting on phones is to skip the app that was put in by the actual phone maker and to download an app from the app store, either for your iPhone or for your Android phone, and to use something that has many more features. One of the interesting things with this is that you can do things and send text messages that are much more like an email – much richer – but could actually increase the potential problems if you were sending or receiving information from a client using those apps.

PB: Yes, there’s more hands in the pie with some of these third party apps. And again, potentially confidential information is vulnerable in other places.

DW: If you have a teenager, you can ask them which one they use, and that may be a good list of apps to avoid. Some, like textPlus, use a third party server for the message and if you send an attachment like a picture, they use an additional server that doesn’t use their own domain name to store that image. So you are actually starting to spread your information out over a number of different places.

PB: We’re talking about lawyer and client communications, which traditionally is one of the vulnerabilities in terms of lawyer negligence in the sense that clients may say they’ve changed instructions and the lawyer didn’t do what they were asked to do or told to do or whatever. So, let’s talk a bit about backups.

DW: Assuming that you are not actually texting with your clients, one of the things that you can do is this – you might end up texting with your client, but even if you don’t, you can use a backup app – an SMS backup app – from the app store (there tends to be free versions available), but you can pay for one if you require certain features. The SMS backup app will allow you to go into the SMS messages, or the text messages you’ve received, and back these up as a text file which you can store on your computer. So that, if the client says, “I sent you a text message and this is what I said...”,  which wasn’t actually what was in the text message, you will have a file so that you can show the client the text message and it doesn’t require you to have responded to the text message.

PB: Not everyone is going to be using a backup app or has the technical ability to get the right app to convert things to text and so on, so there are other options.

DW: One of the options is to take a screenshot, just like you might on your computer. What it does is it makes a picture of whatever is on your screen. So you would open up your phone to your text message so that you can see the message that the client sent, and then you would use the screenshot or screen capture function on your phone.

PB: I think you should caution your client that you don’t plan on talking to them via text message, first of all, because it’s going to be hard to get a record of the texts later. I suppose, if it ever gets to the point of litigation, you would be able to subpoena those records from the phone companies because all of the phone companies have a record of all of your texts. The other point is because we’re dealing with lawyer client communication and you do get the occasional text, if you’re not taking a screenshot or you’re not backing up your texts, at a minimum you should probably be doing a memo, either to file or a memo to your client confirming what that conversation was.

DW: That’s a great idea. Lawyer client communication is a huge issue, and the more you can communicate with your clients, the better. Texting is probably not one of the tools that you want to use on a regular basis, and if you do use it or receive texts from your client, try to keep them to things as simple as, sure, I’ll call you at 3:00, or basic information about when you will interact with them, rather than talking about details of the actual matter.

PB: Great, thanks very much.

DW: Thanks, Phil.

Do You Know What Tech Your Law Firm Has?

Clients may want to audit your technology to see if it meets certain standards.  You should be proactive in making sure that your law firm knows what it is using - software with the appropriate license keys, backed up data, properly maintained hardware - to ensure your practice has what it needs to run well.  Listen as we discuss some of the things you should look at in your law practice to make sure you don't have gaps.

Speaker Key:   PB Phil Brown, DW David Whelan

PB:  Hi, it’s Phil Brown and I’m here with David Whelan. Today we’re going to talk about tech audits.

DW:  What do you think a tech audit means for most law firms?

PB:  I think for most law firms, the idea of a tech audit would be, how many computers do I have, what kind of software do I have, and where do I store my information?

DW:  And I think that really gets to the nub of what a tech audit could be about. It is a way that you can think about going through all the technology that you have and making sure that you know in a sense what your inventory of technology is. And one of the reasons you might want to do that is so that you’re prepared in case you need to do an upgrade or make changes or respond to a client who asks you, can you do something that requires a certain type of technology?

PB:  And a tech audit can obviously do more than that. It can also be useful to plan for contingencies and I think also to make sure that you have the right policies in place so that you can use the Internet safely and know what your staff are doing so you can properly supervise them.

DW:  That’s a great point. I think policies are one of those things that we sometimes overlook or we assume that everybody knows. But if you’re using technology with staff or if you’re in the cloud and using things that are online, making sure that everybody knows how to set a strong password can be a really simple policy to start off with. And then you can also talk about the other policies that are common in firms like appropriate email use, appropriate Internet use, and things like that.

PB:  Sure – whether or not they can pay their home cable bill from the office, whether or not they can access various social media sites from the office, and possibly whether or not they can actually plug in a device or media from home, like a USB key into one of the computers in the office.

DW:  Right. It’s surprising sometimes when you do your technology audit and you go through and see where these gaps are. The audit can really help you to understand if there is an issue that you need to address and maybe suggest where you or how you could address it.

PB:  So safe to say, I think one of the things that should be top in the audit would be, do I have all of my policies in place to protect my law office?

DW:  Right.

PB:  Moving on from there, I briefly mentioned contingencies, but that’s obviously one of the reasons you would look at technology in your office. In the event that something disastrous happened to your office – a zombie apocalypse, for instance. How would you get your office back up and running?

DW:  Well, one of the basic things you want to make sure you have is the software and the serial numbers that you would need in order to reinstall everything in case your computer crashed or a particular application died. And I think that is something that is becoming a little bit more difficult as we move forward. You may no longer buy an actual disk with the software on it, and so if you have downloaded it or installed it over the web, then you should really make sure you have a backup copy of that software so that if you need to, you can install it again.

PB:  So having the backup software and copies of licenses and so on is key. I suppose the other key thing is, in the event that your office was flooded or there was a fire, that software should be stored somewhere safely offsite.

DW:  Absolutely, yes. You don’t want to find yourself having to recover a backup tape or restore a backup tape and find that all the software that you need is on that backup tape. You need to have it in a way that’s accessible so you can get up and running.

PB:  Right. So some of the other things – the standard questions I suppose – on a tech audit would be things like, is your information stored in the cloud? Do you have onsite or offsite backups? How often do you back up your information? Things like that.

DW:  For sure. And I think one of the things about the tech audit is not so much to identify whether you’re doing things right or wrong, because how a practice uses technology, how a lawyer uses technology is going to vary based on your own preferences, your practice areas, things like that. The tech audit can really help you to highlight where you might not have covered the bases that you wanted to cover, rather than saying you should do it one way or another.

PB:  Right. And when we are talking about a tech audit, we are really talking about you doing an audit of your law firm to see what your technical requirements are.

DW:  Right. The other benefit of a tech audit is that it can highlight issues that you know you have and you’ve never really gotten around to solving, and can help you to perhaps write down or to clarify what those problems are so that you can then identify new technology to fill that gap.

PB:  Right. And so one of the important questions would be, what are my needs for technology in the next year or two and are they worked into the budget?

DW:  Right.

PB:  Another thing might be, how much hard drive space have I used in the last year, two years, three years? Is there a trend that’s showing me I’m going to need more space and to budget for it?  Also, to figure out what form that is going to be – whether it is going to be discrete hard drives in your office or whether it is going to be transitioning into a cloud environment.

DW:  Right. And sometimes the cloud looks like a panacea for planning about technology, because essentially you are offloading a lot of your support issues, software installation and upgrade issues. But you still have things like maintaining your passwords and knowing what those passwords are, because if you have a problem with your computer and you can’t get back to your systems because you don’t know your passwords, then you’re stuck. So you really need to look at each element, even if it looks like it doesn’t have issues or technology components related to it to make sure that you are covering all those bases.

PB:  Right. Also, the tech audit would be a good time to make sure that you haven’t had gaps when employees have left and you haven’t disabled passwords or home access to computers, things like that.

DW:  One of the challenges with a tech audit is that you can really get down into the weeds. There are lots and lots of options. For example, if you wanted to monitor changes to files on your file server, you can download apps that will help you to do that. If you want to monitor things like whether your email or web servers are staying up, you can do those. If you want to find utilities that warn you when your hard drive is running out of space, all of those things are available. So at some level you may say, well, that’s too much detail. But you can do a high-level audit and identify issues, and then if there is a particular issue you’re worried about or a particular area, you can drill down further and look for tools or utilities to help you to cover the gaps.

PB:  Right. So it’s important to have policies in place. It’s important to have a global look at your needs over the next year or so. It is also important to know what your staff are doing and how the technology is being used, and really important just to do a tech audit at least once a year.

DW:  I think that once a year is a great opportunity.

PB:  And if in doubt, you could always bring in someone externally to have a look at your law office and what your requirements might be in the future and how you are doing so far with respect to security policies and hardware.

DW:  For sure. And if you’re budgeting for technology, then that can be part of your budget. You can budget for bringing that consultant in to have them look at it. And there are lots of consultants who would be happy to come in and talk to you about how you are using technology. There are many who focus on the legal profession, so they would understand issues relating to confidentiality and your other obligations.

So if you have budgeted for that, it can be a great way for you to not have to worry as much about staying up to date on the technology as you would otherwise.

PB:  Right. That’s our view on tech audits. Thanks very much, David.

DW:  Thanks Phil.

How to Get Started with Social Media

Social media has a number of potential pitfalls for the cautious lawyer.  Unsure whether it is a way to build and communicate with your client base, it can be frustrating to figure out where to get started.  Listen as we discuss social media, where you might want to start, and some of the things to watch out for in your online social interactions.

Speaker Key :  PB: Phil Brown, DW: David Whelan

 PB: Hi, it’s Phil Brown. I’m here with David Whelan and we’re going to talk about social media. I guess the first question would be what is social media?

DW: It’s a funny category because I think some people immediately think of Twitter and Facebook and even some old school people will think of MySpace but it seems to be such a broader category including things like blogs as well.

 PB: And it’s obviously not just the purview of lawyers. It’s going on all over the world.

DW: Absolutely. Journalists are in it and doctors are in it. Everybody’s out there.

PB: And I guess some of the stuff that might be more in the news would be things like jurors who have been sending out micro-blogs or tweets from a courtroom about what’s going on in terms of jury deliberations and there’s been some cases recently about that.

DW: Absolutely. And there was a Twitter incident yesterday where a satirical newspaper sent out a tweet that suggested something was going on and the police department in the location actually responded as if it was a crisis.

PB: Okay. So let’s talk about some of the social media tools. I mean, one of the aspects of social media, I guess, is that people are able to get out their message without any sort of filtering by anyone.

DW: Exactly. And I think the type of social media that you use will need to fit into both how you want to communicate with your clients or with others, and also how that audience is going to be willing to communicate with you. And I think that that’s part of it. Because you can promote your practice or promote your activities in many different ways and you can also raise awareness by not necessarily talking about yourself but talking about things that would be of interest to your audience, so that once you start to think about which of those directions you want to go, it will help you to find out which technology or which sort of social media you would want to use.

PB: And this is one of the things, presumably, that makes it attractive or possibly attractive to lawyers and paralegals, would be being able to promote their practice as a marketing tool, communicate with clients, things like that.

DW: Right. And you and I were talking about these topics before and one of the things that came up was how much time do you need to spend in order to do these sorts of things and are there technologies or are there sorts of media that would make more sense and I mentioned Facebook as an example earlier. But Facebook is useful because many people have experience with it in their personal lives and so if you start to use it from a professional perspective, then it can give you the opportunity of not having to learn a new technology and use something that you might already be familiar with.

PB: A lot of law firms have developed a Facebook page for their law firm, whether they’re solos or whether they’re large firms and I just want to mention one of the potential dangers here is client confidentiality. And of course, it’s been said a number of times, it’s never a great idea to friend your clients because everyone can see, for instance, who your friends are.

DW: Exactly. It can make it very tricky and I think the issue that even though it makes it more comfortable for you to use Facebook, if you know it from your personal life, you have to realise that there… it can be difficult to manage a distinction between your personal Facebook and your professional Facebook experience.

PB: Right. One of the other things that people are considering using, or that a lot of lawyers do use, is blogging. Maybe you could just, sort of, outline what a blog is or what blogging is.

DW: Blogging is a longer form of writing online. It’s a little bit like an article. A little bit less formal of a method of writing, it will include links, often, to other sources of information on the web. It might be an opinion piece or it might just be a tip or a practical piece of information but it tends to be something that is very much geared to the author’s own interests or the author’s own audience.

PB: And so there’s a lot of people out there doing personal blogs about maybe what they’ve done that day or what restaurants they’ve eaten in. But, presumably, the idea for a lawyer would be to make it more like a newsletter covering some of the types of work they do, or articles that might be of interest to clients, things like that.

DW: Right, and it’s a great opportunity, I think, to take information that you’re finding or you’re coming across, or things that matter to you and sharing that with a potential audience. And the best blogs that are out there engage people who visit the posts by asking them to leave comments and to contribute, essentially having an asynchronous conversation with you, so that once you’ve posted your article or your blog post, people can then interact with that blog post and leave information that you might then also want to follow up and look into.

PB: And that sort of opens up another can of worms. But another thing that enables other people to do besides sending in comments which you might not have appreciated or expected, they can also copy links to your blog and disseminate it in places you might never have dreamt of.

DW: That’s right, yes. Blogging can be really useful. It is probably the most time consuming of the social media tools that you could use but if it is done well and if it’s done on something that you have a lot of passion about, it can actually become a relatively easy thing to do. And if you’re posting a blog post every week or every other week and your audience is continuing to respond to that amount of time, or that number of posts in a particular time period, then that’s a great way for you to interact with those people.

PB: And of course you can gather statistics if you use WordPress or Blogger or one of those other services. You can also gather statistics on how many people visit, what time of day they visit your site, that sort of thing.

DW: Right. The benefit of using a blog for that sort of promotion or as a replacement for your newsletter is not only do you get rid of the cost of mailing out a newsletter to people you know, you start to reach people you had no idea would be interested in the topic you’re writing about or perhaps even in your services.

PB: And I guess a couple of things to note here for lawyers and paralegals would be, first of all, things posted on the internet are forever, and the other thing being, you know, you would have to be careful not to present any legal advice and maybe have a proviso on your blog that these are only your opinions and so on.

DW: Now, what do you think about Twitter, Phil?

PB: I like Twitter, I use it a lot. Twitter is a micro-blogging service, or it’s been referred to that way. It’s all the words you can get out there in 140 characters. So you can cover various topics and I know a lot of lawyers, in Toronto at least, are using Twitter to mention that they might be at a particular court house doing a bail hearing, or there might be a case mentioned in the newspaper involving one of their court appearances or clients. It’s getting very popular amongst lawyers, probably because you can say a lot in a very short number of characters.

DW: It’s a great example, I think, of how lawyers need to make decisions about how they want to interact, because Twitter is a very fast-paced information tool, it’s great if you are sending out messages to people, to an audience that you know you are going to reach. But because Twitter is a fast-paced environment, and people send out links, you can send out a link to your blog, for example, and a Twitter message so people can then link back to your blog post, but the life of that link is very short, and a survey that was done recently said that the life of that link is about three hours. So, if someone isn’t already listening in or monitoring your Twitter messages, they may miss a link that you send out. So, if you’re trying to promote yourself in a way that’s a little bit longer term, Facebook or a blog or a LinkedIn profile or you doing professional networking might be a better option.

PB: Right. And I would just say as a word of caution along the way that because Twitter is such an immediate sort of thing and you don’t necessarily have to put in the two hours that you would have to put in, or three hours that you’d have to put into a blog post which would be longer and more thoughtful, perhaps, Twitter is so immediate that people often don’t think about things like confidentiality and privacy issues and may be disclosing client names and things because they’re so excited about a recent case or an appearance and they might send something out there without getting the proper permissions from clients to disclose confidential information.

DW: And these micro-blogging services are still new enough. We’ve only got a few years, for example, of Twitter messages that have been made available or searchable. There is sometimes an appearance that the Twitter message, once it goes out, because you can’t find it - it’s no longer on Twitter.com, for example - that it’s gone somewhere. But I think what we have to be aware of is that all those Twitter messages are being stored somewhere, by someone and that sometime in the future, even though it may not be accessible now, we might start to see the ability to search far back into the past of messages you hadn’t planned to share with people.

PB: And I guess one last proviso to add here is that, besides the Internet being forever, would be the professionalism issue and you’re always a lawyer or a paralegal and you can never take that hat off, so depending on the information you’re disseminating through a blog or Twitter or Facebook page, you’re still responsible for that content and your actions.

DW: Yes, in that case it’s good to think of things like Twitter almost like you used to think about email, which is don’t send that message until you’re absolutely sure that what you’ve put into that message is what you want to send. So, maybe you don’t address it, but you don’t want to fling, you don’t want to send out nasty information in an email, it’s even easier with Twitter because you’ve got the Reply button and you send something and you regret it a moment later but that has then been transmitted to a huge audience.

PB: Absolutely. Thanks.

DW: Thanks, Phil. 

Smartphone Security

Your phone is a miniature computer in your pocket.  It may carry client private and confidential data and its loss could be devastating to your clients and your practice.  Listen as we talk about some of the things you might try to secure your phone.

Speaker Key:  PB Phil Brown, DW David Whelan

PB: Hi, it’s Phil Brown, I’m here with David Whelan and we’re here to talk about smartphones.

DW: It seems to be the one piece of technology that every lawyer is going to have, although I guess there are still some lawyers who don’t have a wireless phone, cell phone, smartphone, whatever you want to call them.

PB: And I saw a sign recently as I was walking past a Bell store, they’ve started calling them super phones, at least the new ones they’re calling super phones. I don’t know if they do anything much more than a smartphone, but let’s talk about what a smartphone does.

DW: It’s an interesting topic because smartphones used to be a phone that did a couple of extra things – maybe it had a calendar, maybe it had contact management – but the phones that are coming out now, whether it’s the iPhone or an Android powered phone, are essentially small computers. You can do documents on them, you can synchronise documents out to your cloud based file servers, you can do all sorts of things on these smartphones.

PB: And a lot of them you have the ability to connect over a server. For instance, all of the RIM devices or BlackBerrys you can connect over a BlackBerry Enterprise Server so your whole firm, if you have a slightly larger firm, can be all on the same server.

DW: Exactly. Actually, funnily about the BlackBerrys there’s something called PIN-to-PIN communication and it’s the one way that you can send a message to another BlackBerry that’s unencrypted, so it’s the one way you don’t really want to send any information in your law practice.

PB: But those types of messages don’t go through the server though, so no one at the server would be able to see that information.

DW: Good point.

PB: And I think that becomes a problem later in terms of the security and that’s why a few other countries got really upset at BlackBerry, or RIM rather, a while ago. So let’s talk about some of the advantages I guess we just covered. You can do virtually anything on them, whether it’s surfing the internet or accessing files or storing files. Let’s talk about a few of the possible disadvantages.

DW: I think the disadvantages go hand in hand. We say "there’s an app for that", which started with the iPhone, but now really we can download an app to do almost anything on our smartphones but we don’t really know who developed that app and what it will do when we download it. So there’s an element of risk that we probably haven’t had before and I don’t think we even have with laptops, where we could be downloading an app just to try it out and it will be accessing information on our smartphone, which now includes our contact with our clients, it includes documents we’re working on, it might include trial information, and it could be doing things with that information that we’re just not aware of.

PB: And I should say that usually when you’re using those applications there’s that click through agreement that you would click through without actually reading, typically, and that agreement may disclose that you’re sharing all that information with that third party, but most people ignore it.

DW: That’s true. And I think one of the things to keep in mind is that if you are using a smartphone and you’re downloading apps, make sure you’re using one of the well known app stores, whether it’s iPhones with iTunes, whether it’s the Android marketplace from Google or Amazon. If you know that you’re downloading a supported application or through a supported store there’s a good chance that they will already have vetted those apps for any malware, any viruses or other things that might be in them.

PB: So let’s talk about basic smartphone security. At a minimum you should have a strong password on your device.

DW: Right, I would almost even start further back, which is that you should have good habits for handling that smartphone. If you put it in a different pocket each day you’re likely to not realise when you haven’t put it in any pocket and you’ve left it on a counter or at someone’s desk or you’ve dropped it in a taxi. So if you start it off with good physical security and thinking about where you’re putting it each day, and I always put mine in the exact same pocket just so that I know where it is, then you can move on to actually securing the device. But you’re right, a great password is going to be a good way to secure it.

PB: And do most of the smartphones have an ability to encrypt information on them?

DW: That’s still an iffy issue. It will depend on which device you use. In the same way that with the passwords some devices allow you to put a real password in, some will have a little pattern that you draw on the screen, so you should really be keeping your smartphone as up to date as you can so that you’re able to take advantage of the security aspects that are on there. If your phone doesn’t already support encryption, you should be looking to upgrade to a phone that does support encryption so that if you’re putting information on there that needs to be encrypted you’ve got the right tools for it.

PB: And I know with the Blackberry enterprise servers there’s an ability to locate that smartphone in the event that you lose it and also you could wipe all of that information remotely from the device.

DW: And this is a great thing to think about early on because you can do it with iPhones and Androids as well as the Blackberrys. Download these apps, set up the accounts that you need so that you can do a remote wipe or that you can do a remote locate of your device.

PB: And I guess the other piece that goes along with that in the event that you’ve lost your device, it’s probably a good idea to have a daily backup of the information on your device.

DW: That was an interesting issue with the T-Mobile Sidekick where they had been doing a backup but the only backup you could do was to their servers and their servers all died, so people who had done backups not only lost everything on their phone but they lost everything on the backup. So to the extent you can synchronise it with a laptop or synchronise it with another site or, again, in the realm of using cloud computing, work with sites that store the information remotely all the time. That way you at least know that if that phone disappears or breaks or dies you’ve still got access to the information that you need.

PB: And I guess in terms of physical security with a phone, knowing where it is at all times would be the prime consideration. Other people in the office or other people having access to the information on your phone could also be a problem.

DW: For sure. And I think one of the things that a lot of people don’t think about is what they’re doing with their phone when it’s just a phone and you’re sitting in a coffee shop or you’re sitting somewhere and you’re talking about your client’s case. It’s amazing what people say when they’re on a phone in a public environment that they really shouldn’t be sharing with others.

PB: And I’m just going to expand the conversation a little bit because it’s bigger than a smartphone but still not a whole computer, and that would be something like an iPad. I’ve seen people on the subway reading client files and I can just look over their shoulder and see information I probably shouldn’t see.

DW: Exactly. The tablet is going to really make this a little bit more problematic because people are using it to consume information, it’s very much a consumer device, and so they’re going to be comfortable with it in ways that they might not have been as comfortable with laptops. So they will have it out in the open, they will be trying to read it, they might even be holding it up in the air like a book and suddenly information that would have been more difficult to read over their shoulder is now right out there in the front.

PB: Right, and that’s a great piece of advice, to know what you’re using and what the vulnerabilities are and especially even just having a conversation on a phone, it could be subject to interception just because someone’s standing beside you.

News Feeds and RSS

News apps will show you the latest news but if you really want to dig into a topic and follow content like cases and legislative updates, as well as blogs and news sites, you should give RSS a look.  Listen while we chat about some of the tools and RSS feeds a busy lawyer might want to try.
Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:
  Hi, it’s Phil Brown. I’m here with David Whelan, and today we are going to talk about RSS feeds.

DW:
  RSS feeds are one of those typically geeky things that you hear about, and you might wonder what those letters stand for.

PB:
  They stand for a couple of different things.

DW:
  They sure do. I think the most common one is Really Simple Syndication. So there is your R, S, and S.

PB:
  They also seem to stand for Rich Site Summary, which is probably from the early days of RSS when it first came out.

DW:
  I think that’s probably true. What RSS does is it takes the content from a website and chops it into small chunks that are machine readable, which means that you can then point your phone or your computer at the RSS feed and read the RSS feed using software. The software then chops it up into the headline, author, date, and other parts of the news item.

PB:
  And all of that information when you finally set up the link or the app to get that RSS feed is embedded. That means that when you get the article returned to you it has all of that information within it.

DW:
  Right, and that’s the benefit. RSS is a format just like Microsoft Word has Word documents. RSS is a file format that is standardized, so once you get the software that allows you to read the RSS feed you can go to any website that has an RSS feed, or create your own RSS feeds, put them into your reader, and be able to read them and see all these elements.

PB:
  They seem to be getting more traction now, but they have been around since about 1999.

DW:
  That’s right. They were, sort of, an expert researcher’s tool for many, many years and seemed to be going through some death throes a couple of years ago when people were announcing, as they often do with technology, that RSS is dead. But it has had a bit of resurgence, and you might not even realize that you are using it if you are using one of the non-RSS newsreaders that just do news aggregation, but they might still be relying on RSS feeds.

PB:
  And just to be clear on the differentiation, newsreaders, which we may talk about in another podcast, are for aggregating news articles and new news articles, while RSS feeds aggregate any new content from blogs, video sites, from almost anything.

DW:
  That’s right, and RSS feeds are much more customized. The news aggregators tend to take a generic approach and rely on publishers, but with RSS you can actually go to the site and choose what you want to follow. Two of the sites that are of particular interest to Ontario lawyers would be the RSS feeds that you can get from CanLII, which will update every time there’s a new case from Ontario posted into the database, and those same types of RSS feed that you can get straight from the Ontario courts. So if you go to the Ontario courts websites, you can follow news that they are posting - if there are new practice directions, you’ll get an RSS update with those directions, but also the cases and opinions that they post to their own website.

PB:
  So let’s talk about the simple versatility of it. Once you get a link or create a link to an RSS feed it will send you new content only since the last time you’ve checked the feed. Is that right?

DW:
  That’s right, and that’s the nice thing. It really saves you the time from having to go and visit all those websites - where you might have opened up the tab and gone to look at a site to see if there’s anything new, gone to another site to see if there’s anything new, on to the next one and so on. With RSS you go into your RSS reader and all of the RSS feeds that you’ve set up will automatically update. So if there’s new content it will appear and if there isn’t any news, particularly if there’s not any news on the content you’re looking for, it won’t appear in your RSS feed.

PB:
  And how would we know if a particular site like CanLII, for instance, had an RSS feed available?

DW:
  There are two ways, and unfortunately some of the really rich sites hide their RSS feeds so you can’t find them, but in general when you go to a site that has RSS on it you’ll see a little orange icon appear somewhere on your web browser, usually after the domain name. Where it says news.com for example, there might be an orange symbol, or somewhere else on your browser, and it looks like a little white waterfall on an orange background. That will tell you that there’s an RSS feed there. But if it’s not there, and you’ll find this particularly with newspaper organizations, I don’t know why, but that seems to be the one that it’s hardest to find, scroll down to the bottom where they have all the links to the different bits and pieces of their website. You’ll often find a link to RSS, and if you click that, then you can see all the different RSS feeds you have.

PB:
  Now is it as easy to set up as clicking on that little orange icon, or is there more to it?

DW:
  Well there’s a little bit more to it. The first thing you want to do if you’re going to follow RSS is to have an RSS reader. You need to select something like Feedly or Old Reader, which are web-based RSS readers that you view through your web browser, or you can download software to your Macintosh or Windows computer and read the RSS feeds locally, or have something on your device.

PB:
  So it’s almost as simple as clicking on the link. The link just has to have somewhere to go if you do click on it.

DW:
  Exactly. Once you’ve got that reader and you click on that link, it should ask where you want the link sent to, you’ll tell it you want it to go into your reader, and then you’re golden.

PB:
  So something like Feedly which you mentioned, which I think is F E E D L Y…

DW:
  Right.

PB:
  … you would be able to find on the Internet a number of browsers like Internet Explorer, Chrome and things like that, that usually have an extension or an add-on that you can add to the browser so that it will aggregate the content for you automatically once you start your account.

DW:
  Right. The great thing about RSS particularly right now as we’re coming to the end of 2013 is that Google Reader was one of the most popular RSS readers that was out there and had really sucked a lot of the air out of the RSS world. Google decided it didn’t want to support it any longer, so it killed it off this year, and that has meant that, if you go to Google and do a Google search for RSS reader, you will see great lists of really, really good RSS readers that have survived the Google reader debacle and also developed further. So there are some really good starting points if you’re trying to figure out which RSS reader you want to use.

PB:
  And there were a number of articles I recall seeing just before the demise of the Google reader on how to transfer over your RSS feeds from the Google reader to whatever new reader you might be using.

DW:
  Yes, the benefit of RSS is that it’s meant to be machine readable, and it’s standardized, so you can export it from one reader and import it into another. And if you have a list of feeds from somewhere else, or if you have a buddy who has been using RSS for a while, you can ask him or her to download their file, what’s called an OPML file, and then you could import it and use all the same things that they’re already following.

DW:
  So you can share RSS links and send them back and forth. It’s really a good timesaver if it saves you from scanning 20, 50, or 100 sites a day to see if there’s any new content when there might not be any.

PB:
  And RSS is truly flexible, so if you’ve got really unusual things that you want to follow, it’s not just a newspaper, and it’s not just a blog. There are things like Google Alerts where you can set up at google.com/alert so that it will send you an RSS feed when something new has popped up in the Google index that matches your key words. There are all sorts of RSS feed options that are out there, so once you get started following basic content you can actually get pretty creative with what you follow.

PB:
  So a handy research tool for lawyers to have in their pocket and whether they use it or not is certainly something to keep them up to date whenever they go and check it.

DW:
  Absolutely. I couldn’t live without it.

PB:
  Perfect. Thanks very much, David.

 

DW:  Thanks, Phil.

Remote Access and Virtual Private Networks

A secure way of staying in touch with your law practice - even working on things in your office while you're out of it - is remote access.  Whether it is a virtual desktop or virtual private networking, we discuss some of the tools you can use to stay in touch securely while you are away from the office.
Speaker Key:   PB: Phil Brown, DW: David Whelan

 

PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we are going to talk about remote access.

DW:  Remote access is pretty clear. What you want to do is connect to a server or a computer that is back in your office or in your home, but you want to do it remotely. So when you are at court, or when you are on the go, you want to be able to get access to it whenever you want to. In some ways we are already doing that with tools like the Cloud, where I can synchronize a file up to Dropbox or something like that and I can remotely access it through the web or by downloading it to my device, but that is not really what we mean by remote access.

PB:  One of the things we are going to be concerned about with remote access is security and how to keep that information safe between your device and your computer at home.

DW:  That's right because it is using the same internet as the Cloud, but it is a direct connection to the device that you are trying to connect to. Remote access means that you are going to somehow dial in or plug into the computer that you are going to be using. There are really two ways to do that. One of the ways is VPN, which is virtual private networking, and a second way is to use something called RDP, remote desktop protocol, or VNC, virtual network computing.

PB:  Let's talk a bit about the differences and what they mean. VPN, for instance, the virtual private network, is really just a pipeline - a private pipeline, within the public network.

DW:  That's right. It secures everything that is transmitted through that pipe, and that means that everything that you do on your device, both at the end where you start and the end where you come out of that virtual private pipe - that virtual private network - is encrypted. Some people may know that if you use a VPN to connect to another country you can connect to resources that are in that country because it makes it look like you are coming from wherever that country is. But in your case, you would be using it for your office, so you would be connecting to a virtual private network client sitting on your computer in your office, or onto virtual private network hardware that is in your office.

PB:  I guess the first question would be: Does that mean that I can go back to using public Wi-Fi in Starbucks?

DW:  I think yes, as long as the VPN is turned on before you start to transmit any information. Everything after you have connected to the Starbucks Wi-Fi - after you have agreed to whatever your terms of service are - just flip to your VPN to make sure everything is encrypted past that. The traffic is encrypted even though you are on a public WiFi. No one should be able to see what is going on inside that VPN.

PB:  One of the disadvantages of using VPNs and RDPs tends to be a loss in speed sometimes.

DW:  Absolutely. If you think about it, it is like having one of those really big straws for your Slurpee and then going down to, like, a coffee stirrer and still trying to slurp the Slurpee through the coffee stirrer. It is not quite that bad, but you will definitely notice that it is slower. So you will not necessarily want to use a VPN all the time for your encrypted traffic, and that may take you over to something like RDP or VNC. The difference really is that although both of them or all of these use encrypted communications, where VPN is a pipe and you are just transmitting across the encrypted pipe, RDP and VNC connect you up to a remote computer and you use that computer as if you were sitting in front of it. So I would not necessarily be using anything on my tablet if I was on RDP. What I would see is my Windows screen and I would move my mouse as if I was sitting in front of that Windows computer, and I would do things on that computer as if I was sitting there. So really it is just the activity that I am doing on that computer that is encrypted. Nothing that is going on in my laptop or my tablet is encrypted through that connection.

PB:  Right, and neither of these concepts is particularly new. They have been around for years. pcAnywhere, GoToMyPC - some of those are the more common ones that people have been using for access. There are other companies as well that do this same sort of thing as the ones I mentioned, and there is also some mention of things like personal cloud these days.

DW:  Yes, and personal cloud is really similar to VNC. What you have is a server listening for connections. In the case of VNC, or even RDP, you would set up your computer inside your office so that it would be listening for people connecting and then you would use a client. In the case of the personal cloud it is usually a specific app, but in the case of VNC or RDP, you would use a specific app that uses that technology to connect up, and then the system that is listening would accept the connection once you gave the user name and password. You would then be into whatever the system is.

PB:  Right. So you could use your computer in the office even though you are not sitting in front of it. And you could also limit access to certain files if you wanted; maybe there were ten files that you thought were not secure enough to view from outside the office.

DW:  Right. The personal cloud ones are nice because it gives you the option to not use the cloud like Dropbox, but still have access to files, folders, and other information. And again, it is different from VNC or RDP where you actually see the computer you are in front of. Personal cloud tends to be giving you file-level access to whatever those resources are.

PB:  And we talked a bit about this in another podcast when we were talking about clean computers and clean devices. There is nothing on your device other than the ability to log on with a VPN.  You are not actually storing anything on the device you are using to access your home or office computer.

DW:  Right. I use VNC within my home. I think it is really good for an internal process. Frankly, I use it because I am lazy. When one of my kids has a problem on their computer, I will VNC down to it and fix it remotely without getting off the sofa. So, you know, maybe not the best example of how to use it, but that's the way it is. I think the thing to keep in mind if you are going to a VPN or any sort of remote access technology for your law practice, is that you should probably use hardware, rather than software alternatives. Otherwise you have to open up your network connection to the internet so that it allows the listening to happen with that server that is inside your office. And if you do not know how to secure, or cannot keep up to date on the security for that network connection, then you may actually be opening up your remote access to other people accessing it.

PB:  An example of one of those software issues was Windows XP, which had a very simple setup for VPN, so the user could easily do it themselves with the software. But of course, Microsoft has stopped supporting XP, so there are a number of security vulnerabilities for people who might still be using it.

DW:  Right, and you can get VPN built into your router and built into other systems. So when you are buying hardware for your office or your home if you want to have VPN connectivity, you can get it built into that hardware. And then when the hardware is updated with new software called firmware, then security vulnerabilities that have been found will be patched and you can be pretty confident that the security is still there.

PB:  Right, and there are a number of apps out there. I mentioned Tonido, something I am not sure if it is just for Macs, but it is one of the ones I use to access my computer when I do not have it with me. I was also using something earlier this year called Cloak 2, which is an app for the iPhone - I can turn a Starbucks network into a trusted network for me, and turn it into a VPN, so every time I want to access that network, Cloak 2 says, "Oh, look - we've used this one before and I'm going to create the VPN for you now." And you can connect seamlessly through a VPN just using the app on your phone or iPad.

DW:  Yes. If you are on Windows or Linux, TightVNC is a great option, and then you can use any open source VNC client to connect to it. If you are primarily a Windows environment look for the RDP apps, which are put out by Microsoft. They are free, and I believe both iOS and Android have those. You would be amazed at how nice your Windows computer will look using RDP on an Android tablet. It really is just like being there, although on a slightly smaller screen.

PB:  So again, a safer way to use public WiFi and a good way to wander around with a clean computer.

DW:  That's right.

PB:  Okay. That's our look at remote access and VPNs and RDPs. Thanks very much, David.

DW:  Thanks, Phil.

Law Firms and Ransomware

Lawyers have been among the many people succumbing to ransomware.  It is a type of malware where, when downloaded, it encrypts all of your files so that you can no longer access them.  The decryption key is available for a fee.  Listen as we discuss how to avoid getting ransomware and what some other law firms have done after having their files ransomed.

Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it’s Phil Brown and I’m here with David Whelan. Today we are going to talk about ransomware.

 

DW:  Ransomware is an attack that has been around for quite a while, and it is really what it sounds. It is a mixture of the word ransom and software.  It is software that will do something to your device, your computer, phone or tablet, and then requires you to pay a ransom in order to get it back to where it was before.

PB:  Ransomware is not new; it has been around for a few years and I guess technically would be classed as a type of malware.

DW:  Right. It just seems to have gotten very popular in the last six to eight months and I think part of what has happened is that people have developed ransomware kits, just like when you would build models when you were a kid, that are available for sale.  If you have the money, you can buy a kit and implement it or tweak it, and make it your own. Or you can just use it out of the box and infect peoples’ computers with the ransomware software.

PB:  They are not all the same so you cannot stop it with just one particular malware blocker built into your system.

DW:  Right, and we have talked on other podcasts about being wary where you click.  This is a really good example of being wary where you click and where you visit because it is a piece of software that has to be downloaded. In order to get CryptoLocker or SimpleLocker or one of the other ransomware applications on your device, you would have to be doing something proactive to make it start.

PB:  They can be disguised in a simple email in a number of different ways.  We recently spoke to someone who had one disguised as what looked like an emailed fax.

DW:  Right, and when he clicked on the fax to open it, “Bob was your uncle”.

PB:  His entire hard drive, perhaps not the entire one but certain types of documents were encrypted, and the only person who had the key was whoever was at the other end of that ransomware Trojan.

DW:  Right. And they are pretty pernicious - they will go through your entire hard drive and encrypt all the files. They tend to be what is called “network aware” so that if you are connected to a network, even if you just have an external drive that you connect to over the network, or it is plugged into your laptop, it will go through and encrypt all of those files too.  Then, if any of those files are synchronized up to the Cloud, this synchronization to Dropbox or whatever will upload the newly encrypted file and replace your open file. So everything you have will be locked down by this ransomware.

PB:  So chances are, if you had a Cloud-based backup as your only backup, and this infected your computer and was network aware, there is a very good chance that the entire backup for your firm could be encrypted.

DW:  If you think you have clicked on something and started the transfer process, then one of the things to do is disconnect yourself from the network so you limit yourself to whatever damage is happening on your local drive. If you have a good backup of your documents or the files that it is encrypting, then you can probably just throw those encrypted files away. In other words, reinstall your operating system, reinstall your applications and then pull the files from your backup over and you won’t have to pay for the ransomware.

PB:  Right. Let’s talk a little bit about paying for the ransomware because we know that a number of people have been paying for the ransomware for quite some time.

DW:  Yes, the ransomware is interesting. I think it is very interesting to think of them not as evil-doers behind masks with little hoodies sitting in their mom and dad’s basement, but as business people. What happened with the original ransomware is that once it was installed on computers, the people whose files had been infected did not have enough time to figure out how to pay. The files were being wiped out and the ransom people were losing money, so they said “Hey, this isn’t working. We’re going to move from a three-day window to a seven-day window because we want to give these people enough time to pay.” It is tricky and not just a matter of getting out a credit card and walking down the street to pay. In most cases you have to pay using something called “Bitcoin”.  This is an encrypted money that exists only on the internet.

PB:  Right, and typically, with some of the ransomware that we have heard about, they are looking for $300-400 US converted into Bitcoin.

DW:  So it is a matter of figuring out how to pay, getting the money to the right place, buying the Bitcoin and then transferring it.  Once you have transferred it you will receive a key that allows you to unlock and decrypt all of the files that have been encrypted.

PB:  And desktop computers are not the only devices that are vulnerable.

DW:  Right. It is very interesting because a lot of these ransomware will get around your antivirus and malware software, so you need to keep those up-to-date anyway. If it does get around your software then you will need to look for a way to unlock.  Some devices, like Android devices, have downloads available, for example Avast simple locker. Avast is an antivirus tool but it also has a way to unlock the SimpleLocker ransomware.  That is the sort of thing you will have to do. Although, the first thing is, you should really be proactive about locking down your computer to block the software from getting there in the first place. There are sites like foolishit.com which has a free download and will make some sub changes to your Windows computer so that if the CryptoLocker is ever downloaded it is not able to execute.

PB:  Right, and earlier this year there was also a hole exploited in the “find my iPhone” app with iPhones.

DW:  Yes, that is an interesting one, a problem masquerading with ransomware.  Someone got a hold of a bunch of iCloud accounts from some Australian iPhone users and probably just figured out what their passwords were or otherwise how to gain access to their accounts. They logged in, set their phones as being lost, and then sent them a message over the screen. They were able to totally control the phone without actually downloading any software; they were just using software built into the iPhone. Those people just had really poor passwords so they were subject to this attack.

PB:  Right, and they could not really do anything with their phone other than wipe it, start forward, or pay somebody I suppose.

DW:  Yes, and those people were pretty reasonable too. I think they only wanted about $100.

PB:  Now, again, the message here is to think before you click.

DW:  Yes, and with ransomware you really need to plan in advance.  It is not even enough to just do training to make sure that you are thinking about it and aware that it is happening.  You really need to plan in advance and make sure that your anti-malware software is up-to-date. You may also want to consider whether you have a firewall turned on and whether it is watching for these sorts of things. You will want to make sure that you are aware of tools that will block things like CryptoLocker from downloading. The good thing is that security experts think that we are sort of past the big blowup of ransomware and that we are moving on to other, different attacks that still will put your information at risk, but ransomware is hopefully something that will just be bubbling on the horizon rather than the big issue it is right now.

PB:  Right, so I guess one of the parting messages would be that even if you know the source of the email and it purports to be from someone you know, you should still ask yourself, “Was I expecting any sort of attachment from this person?” or “Why would this person be sending me a link to go to a particular website?”.

DW:  Right. And if you end up on a website where you really ought not to be, and I am not suggesting that anyone go to a porn site but those tend to be common sites that are exposed this way, and click on an advertisement or something on one of the sites, you may find that that has done the damage and downloaded the ransomware.

PB:  Right. So anytime you are out there looking at untested sites and something odd is happening on your computer, it is a good idea to disconnect from the network. That is our look at ransomware. Thanks very much David.

DW:  Thanks Phil.

Can You Use Public Wi-Fi?

American Bar Association surveys show that most lawyers work at the office and at home.  But if you are away from the office, should you use publicly accessible wireless?  Listen while we discuss confidentiality issues relating to public wireless and how, while you're getting your coffee or checking out your book, you can protect your communications even in public places.
Speaker Key:  PB Phil Brown, DW David Whelan

 

PB: It’s Phil Brown, I’m here with David Whelan, and we’re going to talk about the public internet - using the internet in public.

DW: Yes, and one of the favorite topics is the hot spot and whether to use the hot spot or not. And when we talk about a hot spot we’re not talking about sick dogs, we’re talking about open, available, wireless or Wi-Fi connections that you can get at a coffee shop, or at a courthouse, or at the public library. It’s a place where the access is always on and you really just have to connect your device to it.

PB: And this would be different, I suppose, from home Wi-Fi where people would be encouraged to have some sort of password on their access.

DW: Absolutely. And in offices as well you can start to see that if you open up a device that supports Wi-Fi and you browse for the available networks. I think, certainly, my experience is that I’m starting to see more and more of those home networks and those office networks being secured, requiring some sort of password before you can get onto them.

PB: And, in terms of using them, it’s a radio frequency.

DW: Right. So anybody who’s in the physical vicinity of that antenna could potentially see the network and then get access to whatever’s available on it.

PB: Right. So Wi-Fi is really just your computer is acting as a transmitter and receiver, and there’s another transmitter or receiver somewhere within the area that you’re getting access to.

DW: Right.

PB: And that has some down sides.

DW: It does have some down sides because you can’t always be sure that the wireless antenna that you think you’re connecting to is actually a wireless antenna at all. And you may just be connecting to a person who is looking for people who have interesting information on their devices, whether it’s a hand-held device or a laptop.

PB: And this is just a word of caution and we weren’t really going to talk about things like file sharing, but a lot of computers have a default file-sharing switch turned on so that other people can see some of the information on your computer if you’re on a Wi-Fi node. 

DW: Right. And in the older versions of Windows, in order to share files in your office, you probably have done some sort of file sharing, and so those folders would be accessible to other people when you’re outside the office as well. Windows 7 has improved that so that you can actually select which of your wireless connections are office connections and which are public and that public connection will turn off that access.

PB: And I should mention that I typically use a Mac, and I can tell you when I plug into a... or virtually plug into a Wi-Fi access point I can usually see the other Macs and the other computers in the room listed on my computer and I can play music from someone else’s Mac.

DW: That’s a scary concept!

PB: I can also download their music to my Mac, and that’s because they have file sharing turned on. I would suggest to people that they be very careful about that sort of thing and knowing that other people have access to that information if you don’t have the proper controls in place.

DW: Right. And that’s a great point, because I think a lot of people think about sitting down with their laptop in a coffee shop and the web browser being the issue where you’re typing in a user name and a password and people can find that user name and password. But there really are a number of things that your laptop or your device is sharing when you’re on that Wi-Fi network.

PB: And people, when they carry their laptops and other devices around, you really need to think of it as if you have client information on there. It’s just really a big briefcase full of files.

DW: Exactly. And, in fact, you can now carry your entire practice around on a very small device. So it’s a huge risk if you suddenly lose access to that device or, worst case, someone else picks it up. I think we often focus on the confidentiality issues that raises if someone else gets access to your files, but you also have privacy issues now where you might have credit card information from your clients or other information that is not necessarily confidential in the way that lawyers think about it, but it’s certainly private information that doesn’t need to be shared.

PB: And if you lose that information, there’s going to be a number of people you’re going to have to notify. If you have client information it’s going to be each and every client you’re going to have to notify. You’re going to have to give them information about how they would get independent legal advice about what their next course of action might be, they might have to get new counsel, and you might be contacting LawPRO.

DW: Right. There are a couple of basic things you can do to make sure that, if that happens, your information doesn’t walk away. So if you’ve left your laptop out, you can make sure that you’re using better passwords on your laptop or on your device and, if you can, to encrypt the contents on your device so that, if someone gets access to the device, they can’t necessarily get access to the contents.

PB: And one of the other things we spoke about before was the idea of encryption whilst you’re surfing, or whilst you’re browsing the internet.

DW: Right. You’ll notice that, when you go to a website, the website address starts http:// and then goes on with the address. When you’re going to an online bank or a secure site, there’s an s that’s added to https:// and that tells you that you’re connecting in a secure way. So if you can use sites online that use secure sockets - https - in order to communicate, then at least you know that when you are transmitting information to and from that site, nobody else in that coffee shop or in that courthouse will be able to access that information, it’s all encrypted. For those of you who use the Firefox web browser, there’s a plug-in called HTTPS Everywhere, and it’s a free download that automatically turns on https if you go to one of the sites that it supports.

PB: And that would prevent one of these man-in-the-middle attacks where someone’s actually accessing your information whilst it’s traveling from your computer to another.

DW: Right. And these attacks are going to be based on what’s available. People are probably not going to be focussing on lawyers as targets. They’re just looking for information flowing by. They’re looking for credit cards and passwords and that sort of thing. And the tools for monitoring your traffic in a coffee shop or monitoring your traffic on any open Wi-Fi are remarkably easy to download and install and see what’s going on and notice when people are going to Dropbox or notice when people are going to their Google mail account and then start to see if they can pull out information.

PB: One of the other tools, which we’re not going to elaborate on necessarily, is the concept of a virtual private network.

DW: Right.

PB: Which is just a small internet pipe connection between you and the computer you’re using maybe in your office.

DW: That’s right. So if you’re using resources in your office, this is probably the best way to make sure that there isn’t any straggling information going by. One of the benefits of using cloud computing - if you do use it in your practice - is that in most cases not only is your connection to that cloud system encrypted, but also all the activity on that system is encrypted. So you have an encrypted experience when you use those systems from a public site.

PB: And another option to get, I suppose, even more secure would be the idea of using an air card or a mobility stick.

DW: Right. If you can avoid Wi-Fi entirely, then that is probably your best option for making sure that the information that you’re transmitting and receiving is not going to be overheard by somebody else.

PB: Those are available through your phone company provider, whoever it may be, and you would pay a monthly fee and it’s, essentially, instead of using Wi-Fi it’s using a data connection over a phone-like service.

DW: Right. You can also see if your smartphone does what’s called wireless tethering, in which case, you can connect your smartphone up to your laptop and use that smartphone as your stick or your air card.

PB: Which is a great idea, and I would just mention as an aside that there tends to be some fairly high data rate costs associated with that. So it’s a good idea to have a pretty robust data plan if you’re going to use your phone as a hot spot or tethering your phone to your computer.

DW: Yes, that’s a great point. When you’re going over the web, it’s been customised to make sure the data stays low. But when you’re sending things directly, it could be a Word file or something else that could really rack up those charges.

PB: So I guess the last point would be should lawyers and paralegals ever be using public internet access data points?

DW: I think it’s fine to, but I do think that you need to think about it in the same way that you would lock your door in your office at the end of the day. You need to make sure you’re using strong passwords and encryption on the device so that, if it walks away, you don’t lose any information or you haven’t breached any confidentiality or privacy obligations. And then if you’re surfing the web or you’re transmitting information over the wireless network, you’re using secure connections wherever possible.

PB: Okay. Thanks.

DW: Thanks, Phil!

Don't Go Phishing

E-mail is an easy way to attack a law practice.  Whether it's targeted at you specifically or you or your staff just receive an email sent to thousands of others, be wary of clicking or responding to unknown e-mails.  Listen while we discuss the different types of attacks - including phishing, spear phishing, water holing - and some easy ways to avoid giving up information or downloading malware to your computer.
Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it’s Phil Brown and I’m here with David Whelan. Today we are going to talk about phishing, whaling, spear phishing and water holing.

DW:  That’s right. And you do not have to have a boat to do any of them. These are all things that could come in your email, and depends on what type of threat you are receiving and on which category you fall into.

PB:  So before we get into what each term might mean to a lawyer or a paralegal, one of the things we always need to be aware of is managing our email - emails coming into the firm or coming into your home.  I guess one question would be, “Would a spam filter be enough?”

DW:  It probably will not be enough.  The interesting thing about all of these techniques is that they are not really spam. Some of them might sound like spam when we talk about them. The interesting thing that is happening with these emails is that they are being customized in a way that they look a little bit like a real email, and the more deliberate emails will actually look as though it comes from somebody you know. For example, it has an attachment you are expecting and that sort of thing.  So it really is something that your spam filter, and probably antivirus and other things, would not necessarily catch.

PB:  So let’s start with the one that most people might know, phishing with a “ph”.

DW:  Yes. Phishing with a “ph”, just like the jam band from North America.  Phishing is the most generic version of this thing.  It is an email that is sent to lots of addresses, has a subject line and some text inside that is asking you to do something.  For example, you can think of it along the lines of your bank account information has to be updated, and the instructions to “please click on this link to confirm your username and your password for your bank account”.  It is a pretty generic sort of thing and they are guessing that the bank in their email will hit a certain number of customers that actually bank at that bank, and a certain percentage of those people will click through the link and go to a page that looks like they have arrived at the bank.

PB:  When you look at the page and the URL that you are being taken to, there are usually some significant differences.

DW:  Right. The actual page itself could look identical to a page that you have logged into many times on the actual bank’s website. So if you ever do click through a link like that, and there is no reason you shouldn’t because you might actually have a link from a bank, do look at what the URL, the address of the web page, is for the site that you have been directed to, because in most cases it will not be the bank address - it will be an address sent somewhere else.

PB:  Right. And there are usually some other links on the same page which might be, “contact us” or “update your information”, or any of another number of links.  If you click on those other links instead of just updating your info, you will often find they do not work.

DW:  That’s right. Because the people have just copied the actual website and moved it over. They are often too lazy to fill it out so it works like the real site.  And again, phishing is typical of your Nigerian prince scam where you often have a sense that something is not quite right there.  But phishing starts to look a little bit like something you would want to do because it is an account or it feels like an account you think you have.  You should still be looking at the email to see if it is your bank of course, and also look for spelling errors and things like that, things that you would not expect from a corporate email or the kind of email you received.

PB:  Anyone is vulnerable to these sorts of invitations. Recently, the Canadian Department of Justice had an experience with phishing emails which they had generated internally just as a security check.

DW:  It was a great story because almost 2,000 staff at the Department of Justice clicked on the link and activated the phishing scam so it was a good test to see how many people… what was it?  It was a high percentage of the people who received it.

PB:  It was about 37%.  Now just as an example, there is one statistic that suggests there are almost 160 million of these emails floating out there every year globally.

DW:  Yes it is a staggering number.  I look in my spam folder and often find these emails in there. I look at the source, and the addresses are coming from all over the place.

PB:  So that is phishing in a nutshell. Let’s talk about some of the other ones, spear phishing, water holing, whaling and what those might be about.

DW:  Spear phishing and whaling are really the same thing.  Spear phishing is a targeted email where they have actually figured something out about you.  So if you have a LinkedIn profile for example and you talk about the company that you work for, or the types of clients that you deal with, then you might find someone who has targeted you. The email you receive looks like it is coming from those clients or it looks like it is from someone else at your company talking about those clients, so it has more details where they have actually picked you out.  It is not just the “drive-by”, “I hope someone clicks on the link” that you get in normal phishing.  Whaling is a subset of spear phishing where if you are really, really important like a CEO or something, then not only are you targeted but you are targeted in a very specific way, and essentially those are the same two categories.

PB:  Sure. So they could be partners in a law firm versus an associate or someone else.

DW:  For sure, and that is what happened to a lawyer in Pennsylvania very recently.  They received an email that looked like it was from their firm, and it had an attachment that looked like a voicemail that came from their voicemail system. When the person clicked on it, it infected their computer with ransomware.

PB:  We will talk about ransomware in another podcast, so stay tuned for that.  What about water holing?

DW:  Water holing is an interesting mixture. It is similar to spear phishing in that they have identified you as a target but rather than sending you an email and hoping that you click on a link, they infect a website that they would expect you to go to.  So for example, lawyers in Ontario perhaps go to the “Canadian Lawyer” website to read the magazine online or some other legal publication, or perhaps visit the Law Society’s website.  Someone who is interested in water holing would actually infect that website so when you went there you would be infected by merely visiting the website. It is not the same as email but they have still targeted you in the same way.

PB:  So how best to combat these types of problems?

DW:  Well, in most cases it is common sense. And it all sounds like good common sense now, but when you are in the moment you may mistake it.  It is really a matter of thinking about what you click on. A lawyer at a recent seminar I was in asked whether it could happen just by opening an email, and in fact, it can.  If you open an email and it is displayed as a web page in HTML, and if something is running or is called from within that email, then it can immediately access and begin to download without you knowing it.  So one of the things you can do is turn off HTML emails, attachments or pictures so that you can read an email when it comes in but do not necessarily activate it.  The second thing you can do is watch those links that you click on.  If you get an email, even if it is from someone you know, move your mouse pointer over the link so that you can see the little tool tip that will pop up and tell you where it is going to go. If it does not look like where you think it is supposed to go, then do not click on it.  The other thing to do is if it is something significant, like a bank, and it is telling you that they want to verify your username and a password (it is very seldom a bank will actually do that in an email) but if it is, then close your email, go over to your web browser and type the URL to the bank and see if you can log into your account there and get the same prompt to update your information.  Do not go through the link that has been provided to you so that you do not end up on a phishing web site.

PB:  Right. And I know we spoke about this in other podcasts, this is where your internet usage policy for your law firm comes in handy. 

DW:  That’s right. It is amazing really, to think that training more than anything else will save you from phishing or a spear phishing attack, or even suffering water holing.  By training yourself and your staff to be very wary about clicking on links, and even weird links on weird web pages.  I was listening to music on my PC and a link popped up and said your player is out of date, so I clicked on the link that took me to a web page that looked just like an Adobe Flash download page. I looked at the URL and it was actually nothing to do with Adobe, but they had copied the entire page.  I am still not sure exactly where that link came from other than it came from the website that was sending me the music.  You have to be vigilant any time that something like that happens - to look at all of the indicia of the website and where you are, and that you are going where you expect to be.

PB:  That’s great. So think before you click.

DW:  There’s the answer.

PB:  Alright, that is our look at phishing, whaling, spear phishing and water holing.  Thanks very much David.

DW:  Thanks Phil.

What Are You Doing About Passwords?

Passwords.  So simple and yet so often the undoing of people trying to protect important information.  Listen while we discuss how you can manage lots of strong passwords and why you should have unique passwords everywhere you log in.

Speaker Key: PB Phil Brown, DW David Whelan

PB: I’m here with David Whelan, it’s Phil Brown, and we’re going to talk a bit about password protection in the context of confidentiality and protecting client information. A lot of client information is stored these days on things like desktop computers, laptops, and smartphones. So let’s talk a little bit about password protection.

DW: Password protection is important because it’s the gateway to all of your information. If you don’t have a password on a file, people can open it up and look at it. If you don’t have a password on your computer or your email account, people can get into those devices or accounts and see, perhaps, things that you wouldn’t want them to see and, certainly, your clients probably wouldn’t want them to see.

PB: And people tend to be human and try to find, sort of, the simplest kind of password they can use.

DW: Absolutely. It’s interesting, each year goes by and there is always a new survey or a new study on the passwords or the most common passwords that are out there and, invariably, the passwords are 123456, or other things that are just crazily-obvious passwords. You really want to get away from passwords that are easy to guess.

PB: And people tend to use passwords that they’ll have a connection to; their mother’s name, their wife’s name, their pet’s name, or a pet’s name from their childhood, or something like that.

DW: Absolutely. And I think what’s interesting is that those are the sorts of questions that your bank account, your online bank account or other services that you use online are going to ask you. They’re going to ask you if you’ve lost your password, what was the name of your dog when you were six, or what street did you live on at a certain age, or what’s your spouse’s name - things like that. And if you’re using Facebook, or if you’re using other services, or if you know people who are using those services, that information may actually be out there. You may have shared it yourself, or people may be sharing it on your behalf. So it’s not a safe way to create a password even though it may feel warm and fuzzy.

PB: And there are a number of password-generating tools available for free on the internet.

DW: I really like Password Meter, passwordmeter.com, because it tells you what you’re missing. It has a number of categories and it gives you colors - green, yellow, or red - based on how good or poor your password is. And it suggests the types of characters or the types of things you should do to your password to make it stronger.

PB: And a couple of different things... I know the last time I changed my password internally I realised I had to have an alpha character and a numeric character and it had to be a certain length.

DW: Right.

PB: And that’s getting more common. But to make passwords even stronger, it’s usually suggested that you have upper and lowercase letters as well as numerals.

DW: Right. I think that the trick to making a good password is making something that isn’t in the dictionary. And when people attack passwords or try to break them, they often start with what’s called the dictionary attack, which is, literally, they just go through all the words in the dictionary. So if you’re using a password made up of words that are in the dictionary, they have a good opportunity to find it. And if you’re using special characters or upper and lowercase, it starts to make that password less distinct, further away from what a dictionary attack can uncover.

PB: And we’re not talking about someone necessarily sitting there with a dictionary. There’s a lot of software that will do this in milliseconds.

DW: Absolutely, yes. I can’t imagine anyone sitting down with the OED and going through it.

PB: Every volume. Some of the things about passwords - and I know you and I might differ on this particular point - whether or not you write your password down in a, so-called, secure place.

DW: Right. I used to be of the mind that you shouldn’t, but I’ve come around to the idea that, really, you should write down your password. There are two good reasons for that, from my perspective. One is that I can then have a really difficult password because, if it’s written down, I don’t have to remember how many qs and how many uppercase letters or special characters are in it, and I can make it a very long password. Now, if you write down your password that doesn’t mean that you just tape it onto your computer or put it under your desk, because I think that’s where the insecurity of the password comes in. If you’ve got a difficult password and you want to keep it written down, you should really put it with other things that you value, like your credit cards, or some other environment; perhaps a safe if you really need to put it somewhere but you don’t want to carry it. But I think writing it down is not a problem. It’s the lack of security about how you take care of where it’s written down.

PB: And, similarly, in terms of changing your password, I know internally, if you’re working in an organisation, I think the standard is every 90 days or so they make you change your password to a new one. With the perspective of having a very strong password and it’s written down somewhere, would you bother changing it or no?

DW: I wouldn’t. And, in fact, I was thinking that as you said 90 days. Because I think a lot of people do this, and unless your network administrator has changed this or unless you’re forced to do it, you probably start off with password and then the number one for the first time and then, 90 days later, you change that one to a two. So you’re probably using, essentially, the same password over and over again. Because, face it, after two or three years at a company you’ve probably run out of all the good passwords that you can remember. So you might as well have a good password and not refresh it on a regular basis. I would still refresh it on at least a yearly basis, but write it down and make it a really strong one.

PB: And just in terms of writing it down, I know there’re a couple of programs out there like Password Safe and a few other programs on the internet where you can actually securely store your passwords. Good idea or no?

DW: I’ve always been leery of it. I think that your comfort level is really what you should take into account there. I don’t keep any passwords out on the web, and I’m always a little leery about saving passwords, even in my web browser. There’s an interesting tool for Firefox web browser users called Web Developer’s Toolkit, I believe it’s called. It’s an add-in and it actually... if you go to a web page and you have saved your password in the form, it will change the password from the little asterisks to what your password really is. So I think one of the things to keep in mind is that, if you’re saving your password somewhere, anywhere, you really need to be sure that’s a secure environment.

PB: And that might be another tip. If you’re sharing a computer with anyone or your computer’s accessible, don’t use the automatic form fillers.

DW: Right. When you go to a public library it warns you, but you may forget if you’re working in a firm or sharing someone’s laptop that you might have just logged in for a moment and then forgotten to get rid of the information that saved your password.

PB: And then I think this probably states the obvious, but never give out your password.

DW: Absolutely. Giving out your password is one of the worst ideas. If you have something that you want to share with a person and you need to give them access to the file in an account that you have online, take Dropbox.com for example. Say you uploaded a file to Dropbox, you’re better off giving them access to the file through sharing it through the service’s secured share folders, by putting it in a public folder if it’s not something that is confidential, but don’t give your password out to Dropbox so that they can log in and see the information in the same setting. You need to control their access and make sure that they have their own password or other access to that account.

PB: Okay. So that’s a bit about passwords, and there’ll be resources available as well you can check out after the podcast. Thanks!

DW: Thank you!

News Readers

You can control some of the information flowing past you by using a news reader.  You subscribe to news or RSS feeds and use the reader, often an app, to grab the latest.  Listen while we discuss some of the tools you can use to stay on top of whatever topics you want to follow.
Speaker Key:   PB Phil Brown, DW David Whelan

PB:  Hi, it’s Phil Brown, and I’m here with David Whelan. Today we are going to talk about newsreaders.

DW:  You may have heard the term news feeds before, and that is a slightly different technology. Today we are talking about apps that bring you news that have been aggregated from publisher-provided news feeds; these are your newspapers and magazines - things like that rather than specific topics that you would follow.

PB:  When we say apps, they are not just available on a smart phone or a tablet. They are also available on desktops and computers.

DW:  Right. The difference is that they tend to be things that are provided for you. You subscribe like you would subscribe to a magazine rather than customizing using key words and other topics.

PB:  So how do they work?

DW:  The easiest way to describe it is that you get the app or visit a website that has the news on it, choose the subscriptions that you want to use, and start to read the news. The next time you come back, the information inside the newsreader will have updated by pulling down information from your subscriptions so that you always get the latest information on your topic from those particular magazines or newspaper sites.

PB:  And the obvious question would be, aren’t they the same as an RSS feed?

DW:  In some cases you will find that an RSS feed and a newsreader will have the same content because the publisher is providing the same information. The difference is that the RSS is something that you can customize and sometimes drill down further into a website with. Typically with the publisher-provided aggregate news you are getting a slice that they want to provide to you. You may be able to choose not to have sports, for example, or not to have entertainment, but for the most part you will get whatever the publishers decided they want to push out through that channel.

PB:  One of the formerly popular newsreaders was Google Reader.

DW:  Right, and I think newsreaders have really come into their own, especially on smart phones and tablets. You can access them on your desktop, but thinking about your smart phone or tablet as a consumption device where you are consuming information from places using apps like Circa, Pulse or Zite will be an easy way for you to subscribe once and then have news sent to you. It may allow you to receive news you would not otherwise come across because it is not selected by you so much as it’s selected by the publisher.

PB:  Right, you’re selecting the topic type. Maybe it’s a technology feed that you’re following or a law feed that you’re following, and that’s most of the choice that you get, but what gets aggregated is actually chosen by someone else.

DW:  That’s right. Flipboard does it a little more fine-tuned than others. With Flipboard you get the subscriptions that you would normally sign up for with any news tool, but then you can also add RSS feeds if you want to and mix those into your information. And then you can also sign in with a social media account like Twitter or Facebook and the people that you follow, the sorts of things that they’re sharing will appear in your Flipboard feed, so it’s another way to get access to your social media accounts.

PB:
  And Flipboard is a fairly common or fairly popular application that is on various tablets, phones and so on.

DW:
  Right. They have partnerships with some major publishers. Just this week - it’s December 2013 - they announced a partnership with Thomson Reuters, so they’ll be pulling in all the information that Thomson Reuters has decided to put into their channel.

PB:
  Right, and one of the things with Flipboard is that it is a very visual newsreader. There is a lot of video content and visual content as well.

DW:
  There is another newsreader called News360, which is not as fancy. Flipboard is one of the nicest apps you can use to read news, but I like News360 because it allows you to get into very nitty-gritty topics like data mining and privacy, which aren’t as easy to access through some of the other newsreaders. The News360 staff is actually hand curating all its information in addition to their machine algorithm, so you really get some news and topics that you wouldn’t necessarily expect to get from your standard news feed.

PB:
  Right. Will any of these readers get you behind the paywall?

DW:
  Some of them seem to. For example, you can follow some of the paywall content using Google Currents, which is a Google app, and you subscribe to the channels that have been provided by publishers, and there aren’t a whole lot. There are only a few hundred, but some of those are paywall content, and they’ve just rolled out a new product called Google Play Newsstand, which replaces their old magazine product. In addition to the limited channel that you can get through Google Currents you can almost get a full website from paywall content sites like the New York Times and the Economist Financial Times. The difference is that once you get to the snippet or the teaser for the content when you click through, if you don’t have an account, then they’ll get you.

PB:
  They’ll offer you a subscription.

DW:
  There you go.

PB:
  Now, these can be quite useful for aggregating content and, as you said, you can often come up with content that you wouldn’t have thought to have searched for.

DW:
  Right. The real benefit of a newsreader like this, and again contrasting it with the RSS feeds where you’re selecting most of the content pretty finely, the news app or the news tool can expose you and get you outside your filter bubble so that things that you hadn’t even thought would appear in a particular publisher’s channel will appeal to you merely because you didn’t realize the content was there.

PB:
  And it will… I know from playing with Flipboard a bit that you can pull down content from Facebook or people’s blogs. I mean, you can get the content from almost anywhere.

DW:
  Right, and because these tools have been conceived in a social media kind of environment, almost all of these have ways for easily sharing to other people you know and sending out to your Twitter, Facebook or other social media accounts.

PB:
  All right. Thanks, David.

DW:
  Thank you, Phil.

 

PB:  That’s our look at newsreaders.

Man in the Middle Attacks

Lawyers are used to using middlemen but we don't always want one that we can't see.  Your Internet communications can be intercepted, encryption cracked, and then re-transmitted without you knowing it happened.  Listen while we discuss what man-in-the-middle attacks are, and why things like public wi-fi can be a perfect environment for someone to pull off a hack on your e-mail and Web activity.
Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:   Hi, it’s Phil Brown and I’m here with David Whelan. Today we are going to talk about Man in the Middle attacks.

DW:  Man in the middle attacks are really tricky because you often have no idea that they are happening.  The idea is that you take on some role - you try to get to a web site or send an email, or something of that nature, and you do it the same way you would normally do it but then the man in the middle intercepts whatever you send or whatever click you send - your username or password that you typed in.  They then extract it from the flow and it continues on to where it was going in the first place so you are not aware that anything has happened to your transmission. The email arrives where it is supposed to, you arrive at the right website that you are supposed to, but during the whole process, someone is intercepting everything that you are sending and receiving, and is pulling it out of this stream.

PB:  So nothing is really happening on your computer that you would be able to notice.

DW:  Right, and it’s funny because man in the middle actually sounds pretty invasive - and it is - but some of the better known mobile platforms, for example, Nokia and Amazon Fire’s Silk browser, are essentially doing a man in the middle attack on every web page you visit; not to extract anything but in order to optimize, speed up and cache all of the information that you are sending backwards and forwards. So this is happening on some devices by default in order for the browser to be fast and optimized for the mobile web.

PB:  And particularly vulnerable if you are using a Wi-Fi connection.

DW:  Yes. Any time you are away from your home or office network on what are called “trusted connections” where there is good security, and maybe have it attached so it only allows your phone or your laptop to connect to it, you are at risk of some really interesting attacks, all of which have really cool names.

PB:  Let’s talk about side jacking.

DW:  Side jacking is neat. Side jacking is also known as session jacking and it allows someone to monitor all of the things that you are doing in a session with your web browser.  A web browser session typically has you arrive at a web site, the web site will then download a piece of software onto your computer called a cookie, and the cookie will often hold information about your preferences for that web site and perhaps your username. That cookie is then intercepted and side jacked by the person who is listening, the man in the middle.

PB:  Right. So there are good cookies and bad cookies.

DW:  That’s right. You should always eat the healthy cookies, not the chocolate chip ones.

PB:  Now pretty much every web site you go to has some sort of a cookie interface with you and your browsing.

DW:  Right. It is incredible how many cookies are being saved onto your device when you visit a site. There is an awful lot of information that can be grabbed there.  The other thing that is often happening with a man in the middle attack is sniffing.  I have to throw this in because there is an interesting open source tool called “Snort”.  Someone may use Snort to sniff packets that are going past from your device.  A packet is a little piece of information. When the internet was developed, rather than sending huge chunks of information slowly over the web, everything you send (i.e. email, voicemail, web page, username and password) is broken up into little chunks called packets.  As they are sent across the web, those packets are sniffed like a dog sniffing a scent, and as it goes by, they sniff and inhale it, and pull it out of the stream. They can grab all of the packets that you are sending.  So if they are watching you closely on a public Wi-Fi for example, they can grab all of the packets that belong to a particular document or email and potentially put them all back together.

PB:  Right. And potentially steal all of your clients’ confidential information.

DW:  Right. Yes, it really is tricky.  Public Wi-Fi, hotels, court houses, and any place that you can log in but don’t control the network, you should be concerned about people getting in the middle because they may not be securing their network as well as you do at the office.

PB:  So the last cool label we will talk about is the evil twin.

DW:  Yes, the evil twin. You have been playing around with one called the Wi-Fi pineapple.  It is really interesting because when you connect to a public Wi-Fi that is using an evil twin, the evil twin is made to look just like the public Wi-Fi.  So if you think you are sitting down at Starbucks and connecting to a Bell Canada hotspot but you have to log in and click the little button that says “I agree to the terms”, you have no idea that it is an evil twin.

PB:  Right. You are still using their network but you are going through the man in the middle.

DW:  Right. And the man in the middle in this case could be a little box that is attached to the wall, it could be someone who is actually sitting in the coffee shop or the courthouse with you and is monitoring the communications, or it can also be entirely automated.  So someone may have set it up days or months in advance and then just downloads things that are captured. They are then able to search for the word password or the word username and other information that can be grabbed.

PB:  One of the main reasons man in the middle attacks are used is to retrieve all of your passwords and logins from various sessions.

DW:  Right. And you do not even need to log in if your laptop or your phone is connected to a Box account and automatically syncs every couple of minutes or it is checking to make sure that there is nothing to synchronize. It may be sending information backwards and forwards that is susceptible to being grabbed. It is not even a matter of you doing anything proactively that puts your information at risk - it could be happening in the background from things you have set up in the past.

PB:  So the best way to avoid the side jacking, sniffing, evil twin?

DW:  You have two choices.  One is to use a VPN, a virtual private network, and that is usually an app that you can put on your tablet or on your laptop.  You have to connect to the public Wi-Fi (that first step where you click the “I agree to the terms” button or whatever it is, which may or may not be an evil twin at that point) but then you start up your VPN app.  The VPN creates an enclosed, encrypted pipe between you and the other end of the virtual private network so even if you are going across an evil twin, the encryption that surrounds your connection is sort of like the hard shell of an M&M candy and blocks out the ability of the man in the middle to see what is going on inside the VPN.

PB:  And the second way?

DW:  A remote desktop also known as RDP.  You may be familiar with the app “Log Me In”, “Ignition”, or “Go To My PC”. And there are other free downloads you can get for phones and tablets that will do the same thing.  Essentially, you are opening up a desktop on the remote computer you are getting to, and that connection itself is encrypted. You are essentially working on that remote computer so you are not really sending information across the connection at all.  Even if you were to do that, or cut and paste something, it is still going across an encrypted connection.

PB:  Right. I’m going to toss out a few more. There is a personal hotspot which you can purchase from one of the internet providers, such as Rogers or Bell.  It is a secure setup that you can use over 3G or 4G.

DW:  That is an alternative to using your phone isn’t it?  It is almost like a little network device, the only reason of which is to transmit backward and forward - to secure data. And then the other method which you have just mentioned or alluded to is tethering your phone to your computer so you are using the 3G or 4G capabilities of your phone, and that is not going to be vulnerable to a man in the middle attack.

DW:  Right. And if you are sending confidential information related to your law firm, tethering or a portable… what did you call it?

PB:  The hotspot.

DW:  A portable hotspot is probably the best way because then you are certain that you are not going over Wi-Fi; you are sending it across your data plan.  You need to have a good data plan if you plan to be sending a lot of information. It really is one of the best ways.  Tethering seems to be very common now on both Android and iPhones.

PB:  It is very simple to set up for people.  The only thing is to be mindful of the data plans.  It does not hurt to boost your data plan and spend the extra $20-30 to get a lot more security.

DW:  And if you have not secured your home Wi-Fi yet, make sure you do because your home Wi-Fi can be just as susceptible to man in the middle as Wi-Fi out in the wild.

PB:  And that is our look at man in the middle attacks.  Thanks David.

Mobile Device Charging and Juice Jacking

Mobile devices need power.  If you are charging them using a USB cable and plugging into free charging stations, you may be inadvertently making a data connection as well.  Listen while we discuss juice jacking and other hacking tools that might come between you and your data.
Speaker Key:   PB: Phil Brown, DW: David Whelan

 

PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we are going to talk about juice jacking, rubber duckies, and mobile device broadcasting.

DW:  You probably thought we were going to talk about technology, and we will get there, but there are some really wonderful terms that come along in the technology world. One of the interesting ones that has come around recently is juice jacking. Do you want to tell them what it is?

PB:  Sure. Juice jacking is really seemingly innocent enough. Charging stations in malls and at various conventions you might go to. There is an opportunity to add some juice to your mobile device.

DW:  When you plug your device in with your USB cable, in most cases, you are plugging in a cable that can also take in data. Juice jacking is the activity where, once you have plugged in and you are starting to get that charge from the charging station, you are also receiving some sort of download of software onto your phone, tablet, or other device that you may not be aware is appearing.

PB:  Right. This is not normally what happens when you plug your device in to charge it at home or at the office, but that cable has capabilities with the pins that are in the part that plugs into your device and you could be downloading something that could compromise all of your client data.

DW:   A well-known security expert named Brian Krebs has talked about this going as far back as 2011, so it has been around, but I think we are seeing more charging stations in public places. That could give you problems if you have not brought along your own power pack and decide to use someone else's.

PB:  And they are often brought to you by a <name friendly organization here>, which is fine and I suppose 99% of the time they might be safe and innocuous. But of course, just because they are branded by someone does not mean that is the organization who is behind it all.

DW:  One of the interesting developments coming out is the new NFC charging, which you will start to see in Starbucks, I think, soon. You put your device down on the countertop and it will actually charge without you having to connect. And that is a nice way to get a charge without risking being juice jacked.

PB:    Right. A lot of people do not invest in a second charging cable. They always just hang onto the one that comes with their phone or their tablet, so they do not often have it handy when they need one. And there are, of course, a few ways to avoid a situation where you need juice jacking, which is basically just having a cable you can plug in somewhere yourself.

DW:  Right. I actually carry a portable battery now, and it will charge my phone or my tablet usually two or three times before I need to recharge the battery itself. Sometimes I will have both the battery and the phone in my pocket and they will be hooked up and charging while I am just walking along. So it is a good way to have juice on the go and not worry about having someone loading software onto your device.

PB:  Right. I have one of those as well, and there are a number of different companies that make them. You can buy them almost anywhere, in any electronics store or stationery store that happens to sell computers and such. They range anywhere from about $20 to about $150, depending on how much power you want in that battery. You charge them up and they are good for anywhere from two charges to ten charges without having to recharge the battery itself.

DW:  Right. If you get a tablet, or if you have a tablet you are going to charge, you are going to want one of those higher-end ones, but for a phone the inexpensive ones are plenty.

PB:  Right. Let's talk about rubber duckies.

DW:  Yes. We won't sing the "Ernie and Bert" song about rubber duckies in bathtubs. Rubber duckies are a little USB device that you can buy on hacker websites - and I am not suggesting that you would buy it - but particularly, a hacker might and then bring it into your office. It plugs into your laptop and acts as if it is a keyboard. So your laptop will say, "Oh, I've got a keyboard" and it will try to load a keyboard driver so that it can be used like your normal plug-in keyboard.

PB:  Right, so you can actually turn on the security in your laptop and other devices that take a USB port to prevent things, but the reason the rubber ducky is able to get into your system is because it emulates a keyboard and most devices are set up to accept keyboards no matter what.

DW:  Right, because you do not want to plug in USB hard drives or other flash drives that you do not know what is on them. It is a good way to be able to block those sorts of things, but the rubber ducky has been able to get by because it does emulate what is normally a piece of dumb software. And when you plug it in, it is not a piece of dumb software and a keyboard, it actually has a payload that it then loads into your computer, and your computer is infected with whatever software it is.

PB:  Right. Someone would need physical access to your computer to use a rubber ducky. And when you are talking about a payload, it could be ransomware; a Trojan that leaves your computer open so that someone is able to copy your passwords; a keystroke logger so that they are able to see everything you type on your keyboard. It could be anything.

DW:  Yes, it is real "Girl with the Dragon Tattoo" sort of stuff.

PB:  Right, and it takes all of about ten seconds to access your computer. For instance, if you were at a location like a Starbucks or a Tim's using their free WiFi and had to go off to the bathroom, someone could plug one of these in for ten seconds and then unplug it and walk out of the store, and you would never know the difference.

DW:  Right, and it would start broadcasting or doing whatever it is going to do.

PB:  Speaking of broadcasting, let's talk about mobile device broadcasting.

DW:  I love mobile device broadcasting mostly when other people do it because it usually means I can see stuff that they did not anticipate that they were sharing. This is particularly true with Windows devices. Laptops, but even desktops in a corporation - if they have Windows sharing turned on, you may find you are sharing music, photos, and other information that is on your computer that you did not intend to.

PB:  And not just Windows devices because I have had my sharing settings on my Mac changed, but at various times that I have been working away in the library or somewhere like that, and not only can I see what is on other people's computers, I can actually play music on my computer from their computer.

DW:  So they had good taste.

PB:  So they had good taste. You can actually download things from other people's computers if they have sharing, and you can do this via Bluetooth or through WiFi even if you are not necessarily connected, but you are both on the same network.

DW:  A basic rule then is to make sure that when you are out and about and you have your device - and you are not actually using the Bluetooth or the WiFi - turn it off. That is usually a pretty simple command or a simple button to press on your device. Although, I was updating my own Android over the weekend and I was surprised to see an option in the advanced settings that said that you can have apps continue to scan for WiFi, even when your WiFi is turned off. So you really need to know what your operating system is doing. If it is scanning for WiFi connections without you knowing it, you may want to figure out how to block those or turn off that feature.

PB:  Right, and another thing about mobile broadcasting: it is a good way for people to see where you have connected to previously. So while your mobile device is casting about looking for a network to connect to, it is also showing what other networks it has been connected to.

DW:  Right.

PB:   And someone might get information about your home network from that broadcasting that you did not intend to broadcast.

DW:  Yes. It can really be an eye-opener when you see all the different information that is stored. You can see that even by going into your phone, tablet or laptop and look at all the networks that you have connected to, which you may not have connected to in months, are still listed there.

PB:  Right. So that is our look at juice jacking, rubber duckies, and mobile device broadcasting. Thanks, David.

DW:  Thanks.

Print Over the Internet

The document-centric world of the lawyer means that, even in an otherwise paperless environment, you may need to print.  How do you do that without always having a printer with you?  Listen as we talk about using Internet printing, a useful tool when you're out of the office and using a phone or tablet and need to print.

Speaker Key:   PB Phil Brown, DW David Whelan

PB:  Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about Internet printing.

DW:  Internet printing is one of those niche areas that is perfectly suited to a short podcast like this one. It’s not something that you’re going to do every day, but it’s a nice thing to have in your toolbox when you’re out and about and trying to get information sorted out or being more productive.

PB:  So Internet printing, just to be clear, is not when I print something on one of my networked printers in the office and then have to run around to various places to see where it ended up, is it?

DW:  No, but it’s the same concept. Essentially what you’re doing is taking that print job and putting it out somewhere on the Internet, and I’m assuming you’ll also be somewhere else outside of your network, so that you’re really using the Internet to send the print job back to your office. And it may be worth talking about what a print job is right now so that you get a sense of how that shifts out to the Internet. When you sit down at your computer in your office and you press the print button, the information is sent from your computer to a print server somewhere. In general you’re not printing directly to the printer unless that printer is actually connected to your computer. So that print job is sent out. It’s spooled up, in the terminology of the print world, and then it comes out on the pieces of paper at your printer.

And so you take all those concepts with you onto the Internet. When I’m on my tablet or my phone or laptop, and I’m away from the office, I can press the print button, have that information sent to a print server somewhere on the Internet, it will spool up, and then it will be spooled out of my printer, wherever that printer is.

PB:  And it goes to the location you tell it to go to.

DW:  Right.

PB:  And just to be clear on the process, as it’s spooling up and essentially just preparing that print job to print, is that being held by some third party? Is your information being held by a third party somewhere?

DW:  Absolutely. And it’s one of the things you really need to think about when you’re sending that print job. Two of the better-known Internet printing options are Google Cloud Print, where you set up a printer through your Google Chrome web browser and then print through the browser back to your office. You can do this on tablets and on laptops. Another is to use the printing options from your printer. HP, for example, has HP ePrint. And so HP, then, is the server, the print server, that you’re sending the job to. So you really need to know that that document, which may be confidential information, is being sent to a print server, and while it is on that print server and being spooled up, it is essentially on a third-party server out in the Internet. Sometimes it’s called cloud printing, but that’s not really what it is. It’s really just a print server like the one in your office.

PB:  Right. So do we need to worry about things like confidentiality?

DW:  Probably not. It’s probably the same challenge you have with email, which is that at some point, as long as the documents aren’t being stored permanently on those servers, and they’re just spooled up, it’s pretty much the same as what happens on your printer back in your office. Once the spooled document is spat out, it is often deleted from that printer, and so there’s no way to get to it. And so even if it’s on a third-party server, like an email, there’s no real way to get to it, unless someone’s really digging, or perhaps it’s been backed up at that moment.

PB:  Right. And we briefly alluded to it, although it is a slightly different animal, but printing on your own network – for a lot of people using home offices and wireless devices at home, how does that work with air printing and things like that?

DW:  It’s pretty much the same. If you have an Internet printing option, you can use it if you’re sitting in your office just as easily as sending it over the Internet. In fact, some of the concerns you might have about doing that are that if you have a Wi-Fi printer, a wireless printer where you can send the print job to your printer in your home office or your home, that printer should probably be secured – well, should definitely be secured – against other people also being able to print to it. And that’s one of the options that you’ll find in your wireless printing, is whether to allow just anybody to print to it, or to allow just people who have set up a secure connection to it to print to it.

PB:  Right. So the Internet printing that we’re talking about, you’re not actually ending up with a print copy in your hand on the spot.

DW:  No. And one of the interesting things about Internet printing, and one of the reasons that I think it is worth having in your toolbox is, I think of it as a productivity tool. If I’m out on the road or away from my office, and we can use the courtroom or a coffee shop as a good example, or I may just be sitting with my client and I have my wireless device open and we are talking about a document or we’ve agreed that a document is something that we want to investigate or follow up on further, and a document could be a Word document or it could be pictures, or it could be whatever, if I can send it back to my office through the printer and have it sitting there when I get back, it’s one less thing that I don’t have to think about organizing electronically on my device. And when I get back to the office or if I have staff waiting back at the office, they can start to triage and work on that information as soon as it gets into the stack. Or when I get back to the office, I’ve got essentially a to-do list of printed-off material that’s waiting for me.

PB:  Right. So it’s about efficiencies.

DW:  Right.

PB:  Anything else that we have to say about Internet printing?

DW:  Not really. I think it’s one of those little nice-to-haves. But you have to set it up in advance. So if you’re thinking about using Internet printing, go ahead and download the apps, configure whatever settings you need to, both on your printer, on your print server, which may be Google or it may be your printing company or your printer company’s site, and make sure that you’ve tested it out so that when and if you do need it, it actually works.

PB:  Right. And obviously we don’t endorse any particular products, but there are a lot of big names out there doing it and there are a lot of smaller companies doing it as well.

DW:  For sure.

PB:  All right. Thanks. That’s our look at Internet printing. Thanks, David.

DW:  Thanks Phil.

Are You On the Internet of Things?

TVs sending back information to the manufacturer about your watching habits.  Thermostats and lights that can be controlled remotely over the Internet.  The Internet of Things (a/k/a the Internet of Everything) means that more law firms and homes where you may be working may also have devices that are connected to the Internet.  Listen as we discuss some concerns about the Internet of Things, and what these devices might transmit or receive.

Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it’s Phil Brown, and I am here with David Whelan. Today we are going to talk about the Internet of Things.

DW:  It is a funny name and I have even heard it called the Internet of Everything, and I think that describes what we are talking about.  In the past, we have had client server networks.  You had a PC, or a telephone, or a tablet that you connect to the Internet or to your local home network or office network, and then you would communicate or use that device to communicate with other similar devices or servers.

But now we are seeing everything being connected to the Internet. You may have received advertisements for having your home turned on so you can connect over the Internet and see if your home lights or security are turned on. You may check your baby monitor or your child at their kindergarten class over a webcam. More and more devices are now being connected either to an internal network or to the Internet itself.

PB:  Right, so these are the so-called smart objects with interconnectivity built into them. It could be anything from your door lock, which is opening with a Bluetooth command from your phone, to, as you say, a baby monitor or a fire alarm, or anything like that.

DW:  Yes, it is really remarkable. You can see on the one hand the convenience that you would get by having things turned on. For example, if I am on my way home from work and I have set up the oven to start my dinner, I can send a command from my phone over the Internet and have that device turn on and start cooking so that by the time I get home, if my house has not burnt down, then I can have a nice, cooked dinner. So there are really a lot of convenience factors built into this Internet of Things.

PB:  Now, you have actually had an inconvenience factor in your own home: an experience with your television.

DW:  Yes, it is one of those things that you wonder about what your devices are doing. In our case, and I think this is pretty common, you buy a TV that is called a smart TV.  Samsung’s brand is Smart TV, but we do not have a Samsung brand. They are “smart” in that they have Wi-Fi connected, or have network connections so that you can share information from your home media server and display it on the television or use Bluetooth and connect.

What they found was that with some of these televisions, the television was actually connecting back to the servers for the television maker, and I think in this case it was LG, and so I immediately got on my network to see if my LG TV was phoning home, because what they were finding was that some of these TVs were indexing and sending back information about the media files that you shared with the TVs - that you displayed on the TV - but also they were just going through all the network resources they could find and sending back indexes of all those files, too.

So if I had photos on a server and had not shown them on the TV, they would still have been trying to send this information back to LG.

PB:  Right, and that is one of the things about the Internet of Things that makes this of interest to lawyers and paralegals: the potential vulnerability to hacking, and that a lot of different points in your home now need some sort of security that you might not have considered.

DW:  Right. There is a book, if you have a moment to read it, called “How Gadgets Betray Us”. It is a very interesting book because it really talks about the problems we have. There are a lot of companies who are rushing products to market that are going to be part of this Internet of Things, which means that they have server software on them, are network aware, and may be connected to the Internet over Wi-Fi.  You can even buy Wi-Fi cameras and all sorts of things now; pretty much everything now can have Wi-Fi in it.

But the software that they are using is most likely going to be open source, so if they are not using a modern version of the software, it could actually already be out of date and have security holes in it. Because it is free, that reduces the cost of making it network aware, but there is not necessarily going to be any way to patch those devices once they have been purchased.

So you might be used to buying a device and putting it in your house, for example, a coffeepot that has Wi-Fi. However, two years later, if you have not updated the software of that device in the same way that you have been updating the software in your phone or laptop, there may be vulnerabilities that have been discovered since then that actually make your coffeepot be used in a way to jump over to your network-attached storage, or to your email server and then extract information that you would not want them to use.

PB:  Right, and we know of a lawyer in the Toronto area who was away and someone was able to get in. They gained access to his office network through his home network, but the point of entry was his nanny cam, which was Wi-Fi enabled and not protected.  They gained access to his Wi-Fi network at home, where his home computer was connected to his office computer, and they were able to jump onto his office computer through this vulnerability. When they were in the process of checking out some of his bank accounts, someone in the office happened to hear the computer buzzing and turned it off because they knew he was away, but I think that was the only thing that prevented him from having to notify a lot of clients and the Law Society to say, “Oh, by the way, we just had a whole bunch of confidential information leave the office and possibly some trust funds.”

DW:  Yes, the nice thing about the Internet of Things is that you already know how to secure it. The solutions that you need are the ones that you are already using. So if you add a device to your network, e.g. your home or office network, and, in essence, anywhere that it could potentially get access to private or confidential information for your practice, it needs to have a password, and it needs to be a strong password.

So that may reduce some of the convenience factor for having whatever that device is on your network, but even if it is lights or a coffeepot, you need to make sure that you have secured it so that people cannot gain access to it without your knowledge. There is a great article by Kashmir Hill - her name starts with a K - in Forbes, and she talks about how she went in and turned lights on and off for people’s houses, and how the control panels for their light switches were freely available over the Net because no one had changed the default passwords for their switches.

PB:  And I think this is one of the things people do not think about. You are setting up a home network, it is in your home, but you can see that network outside the home.

DW:  Right.

PB:  And that is why it has to be secure. When setting up their home network from Bell or Rogers or whomever, a lot of people do not change the passwords from admin, useradmin, passwordadmin; they just leave them there because it is simple.

DW:  Right, and you may be creating a device that needs to be used by more than one person, and so then, everybody can agree that the password 123456 is a great one for everyone to remember, but it is also great for the people who are trying to get access to it too. Even when you have been really careful, too, about separating your home environment (where you are more likely to find these Internet of Things devices) from your office.

If I have a computer in my home that has no practice material on it but I VPN or connect in remotely to my office, anything that has access to that computer can then do the same thing; so it is not a matter of having your home and office segmented properly, it is that if there is any connectivity between the devices on one side to the devices on the other, then there is a potential route.

PB:  And perhaps as an aside in terms of Wi-Fi networks at home, you should definitely amp up the security, but it is also a good idea to activate things like approval of MAC addresses and things like that.

DW:  Right.

PB:  That way, a device is not going to be able to get on your network unless you pre-approve their MAC address, and the MAC address is just the individual address that each device is assigned when it leaves the factory.

DW:  Right, yes, the other thing you can do too, once you have blocked the devices by their MAC address or in some other way, you can do the same thing that you are doing with your computer, which is to have a firewall between you and the Internet. So really, only the devices that should have to connect to the Internet or be connected to the Internet should have access to that.

So if you are not already using a firewall in your Internet router in your office or in your home, and really you should have them in both places, then turn them on and look and see what kind of traffic is going by; because that is where you would see if your TV was sending things to LG and you had not been doing any surfing to LG; you can see that in the traffic logs.

The other thing you could also look at is OpenDNS, which we use in our house. It is a Web filter and Web security tool.  It is free for home users (corporations have to pay), but this sort of thing allows you to essentially filter out sites that are known to be part of scams or other nefarious things. So even if you were not aware that your coffeepot was emailing back your credit card data to some company in a country where hackers are prevalent, you could have this DNS service that would sit between you and that service that would be doing that sort of blocking for you, that sort of prevention.

PB:  Right. That is our look at the Internet of Things.

DW:  Yes, be safe out there on the Internet of Things.

More Encryption: 5 Questions

We talked about encryption in an earlier podcast. Now we look at a few specific questions - do you have to use it? how strong does it have to be? - as we dig a bit deeper into encryption.

Speaker Key:      PB Phil Brown, DW David Whelan            

PB:  Hi, it’s Phil Brown, and I’m here with David Whelan. Today we’re going to answer five questions on encryption. So, question number one, what is encryption?

DW:  Encryption is a way of wrapping the information, both the programs and the data that is on your computer. It is information that you send over the internet and information that is stored in other places. It’s a way of wrapping all of that with a secure layer that can’t be broken by other people. I like to compare it to a candy, like an M&M or a Smartie, which has a hard outer shell that you can’t see through; you can’t tell at the moment when you hold the M&M in your hand that it’s got a brown centre. And it’s not until you put the password in – and you have to have a user name and a password in order to get into your encryption – that you are able to open up that shell and see what’s inside. And then, from your perspective as a lawyer, to be able to use the content that’s in there. When you’re finished, different from an M&M, you want to make sure that you turn the encryption back on; you close that shell back around the information so that when you’re not using it and it’s just sitting on the device or sitting in the cloud, no one else can access it either.

PB:  And that little bin or M&M that holds that information in the file, you can often label it with any label you want.

DW:  Right, so you can hide the encrypted device or the encrypted content. In many cases what you’ll do is apply encryption to your entire computer so that as soon as you turn it on in the morning you’ll put in your user name and password, decrypt your device, and do your work during the day. You don’t have to do anything else at that point; you’re not putting in user names and passwords all day long. And then at the end of the day, when you turn off your computer, by closing down your computer, the encryption will reset and re-secure all the information on your system. 

PB:  Question number two: how strong does the encryption have to be?

DW:  Encryption of data is described in numbers – the numbers of bits – and so you may have heard of 120-bit encryption and 256-bit encryption, and so on. The number should be as high as you can possibly have, and the more numbers you have, the less likely that it will be cracked by anybody. Some levels of encryption have been cracked; one of the questions I once received was whether the NSA – the National Security Agency – would be able to break into the encryption that this particular lawyer was thinking about using. I said, “You know what? They might be able to, but not everybody’s going to have the tools that the NSA has.” So you still want to have the highest level of encryption that you can, and that will stop most people. In many cases it will stop everybody from getting access to your information.

PB:  Question three, and one of the questions often asked is, what’s the difference between bank level encryption and military level encryption?

DW:  That’s a really good question. I don't know that there’s a really good answer for that. When you speak to somebody about the encryption that they use for their product and they say, “We use military grade encryption” or “We use bank grade encryption.” I don’t think that’s very helpful. What you should ask them is, “How many bits of encryption do you use?” My rule of thumb is to not take what they say at face value necessarily, but take that number and put it into Google and Google it. See if you can find any information that shows that that level of encryption has been cracked. But typically, if they say 138-bit encryption, which is very low, that’s probably not enough. If they say something that’s over 2,000 bits of encryption, you’re in great shape.

PB:  When we’re talking about bits of encryption, these are all formulas built on algorithms that just endlessly randomize numbers.

DW: One of the things with encryption and law practice is that we know we need to protect the information that clients share with us. And encryption is a bit of a scary tool because there are all these acronyms about which type of encryption to use, how strong it needs to be and so on. I think if you get caught up in that, it can slow you down from just using the technology, and I really suggest using a web search. If you know the term related to the product that you’re going to use, or the term that the vendor you’re going to use is referring to, go ahead and Google it. You will find lots of information that describes that particular type of encryption, the number in particular, and the strength of the encryption.

PB:  Most encryption programs are fairly simple to use, which brings us to our next question, question number four: how much should you spend on encryption?

DW:  Fortunately, encryption now has become so common that you can really avoid spending anything for it. On most business versions of Windows, and on Apple Macintosh computers, you will find that either in Windows you’ve got BitLocker, or on Macintosh you’ve got FileVault 2. Those come with the operating system; it’s just a matter of turning them on. Now, if you want to use something different you can use something like TrueCrypt from truecrypt.org. That is a free software that will run on either Windows or on Macintosh. But really, the encryption tools that you need to use in order to properly secure your information are free.

PB:  Question number five, and I’ll answer part of the question, does a lawyer or a paralegal have to use encryption? And the short answer to that is, no, you don’t have to; there’s no requirement. You don’t have to use it, but the other question to ask is, who are you protecting your information from?

DW:  That’s right. The big bugaboo is that we’re somehow securing our technology against hackers and other people who are trying to attack us. And I think for the most part, you’re more likely to have problems caused either by your staff or by theft or other things beyond your control – but not things that are really geared for someone who’s looking for information that you actually have. They are more interested in selling the device that your information is on. There was a lawyer in Scotland who is a really great example of this: she had a laptop, did her work on it and left it on a table. It was closed, turned off, and then she went on holiday. She wasn’t travelling with the laptop, even though it was portable. While she was on holiday, her laptop was stolen. All of the information that was on it went with it. It wasn’t encrypted, and now she had a problem of inadvertent disclosure. It’s unlikely that the thief wanted the information that was on it, but it didn’t help the lawyer at that point who hadn’t encrypted it in advance with the obligations that she had for her clients.

PB:  Right, and if that happened here, the next steps would be notifying all of those clients that you had breached their confidentiality, advising them that they should speak to a lawyer to see if they wanted to sue you and/or contacting LawPro to see what steps they wanted you to take after that.

DW:  A couple of years ago, encryption was a difficult technology in some cases to implement; it might even have been costly to implement. These days it’s very, very simple to turn on for Windows and Macintosh computers, desktops and laptops. It’s easy to put onto your smartphone. It’s easy to ensure that you’re using it when you’re transmitting information to and from cloud-based services or web-based services, or even using email. So, if you have the opportunity or if you’re using technology, you should really be using encryption on whatever devices you’re using your data on.

PB:  A quick word about using any of those third-party services and providers: if your information is encrypted on their end when they’re storing your information, and if they get a legitimate and lawful request from a police agency, quite likely they are going to hand over their encryption keys, and any information that they hold that’s encrypted will be given to the authorities.

DW:  That’s right. You can avoid some exposure in that instance by using something called a pre-encryption tool, and those work with file synchronization in the cloud. So if you’re copying files from your computer to a site like Dropbox or box.net, you can use something like Cloudfogger or Viivo – V I I V O – to encrypt the information on your computer before it gets uploaded to the remote server. Even if they have to give their encryption keys over to the law enforcement agencies, they won’t be able to get through your encryption. They will only be able to decrypt the outer shell of that piece of candy.

PB:  There’s our look at five questions on encryption. Thanks, David.

DW:  Thanks, Phil.

Organize and Find Your Files

A recurring complaint for lawyers is the time wasted managing and retrieving files and documents.  Listen as we discuss some basic ways to create and organize your files, and then tools like search that enable you to quickly find them again.

Speaker Key: PB Phil Brown, DW David Whelan

PB        Hi. It's Phil Brown and I'm here with David Whelan, and today we're going to talk about file management.

DW      Hey Phil. This is obviously one of the most exciting topics we have ever discussed, but files are an important part, a physical component, of every law practice and as you are taking your files and thinking about how are you going to manage that information on your computer or on your devices, it's important to think about how you're doing it right now so that you've got the best possible processes that you can move over to your technology.

PB        So we have two different worlds; we have the physical file world, and then we have paperless or electronic file world.

DW      Right.

PB        And I guess one of the things to note to begin with is if you're an absolute mess in terms of organization with your physical files, it's going to be a great leap for you to get into the electronic world.

DW      There are really two ways that people tend to go about organizing their information in law practices. One way is to try and emulate, in their technology, the filing system they have in their office. So, for example, if you have a client folder and inside that client folder you have multiple file folders; one for pleadings and one for correspondence and so on, it's relatively easy to take that system and create a folder structure on your computer or on your device that reflects that same folder structure, so that you can go into a client folder on your computer and within that client folder there are sub-folders.

PB        One of the key things there, the key word that you mentioned, is structure.

DW      Exactly.

PB        And you have to have a very robust naming convention for all those electronic files or you may never find them again.

DW      That's a great point because if you start out with a very simple structure, say, you use the last name of the client, you can very quickly get to the point, if you get a second client with that same name and have to create a new folder, of having to go back through your system and fix that. So the more complete your naming convention, both for the folders, as well as the documents that go in them, the better. The other approach is something that requires a little bit of flexibility. Think of a big pile of paper on your desk that has no organization at all, and some people like that on their computer too. So they'll just create a big folder and throw everything into it, and then they rely on search or some other technology in order to help them get it out. If you are the sort of person who likes to browse through folders and organise your information in that way, folders are a great way to go. If you don't browse but you're comfortable using search you can actually create a single folder with everything in it, but then you really need to focus on your naming conventions for all those files, so that when you do a search and retrieve all that information, you know what you're looking at.

PB        And one of the things related, of course, to file management is backups. It's a good idea to have some redundancy in the electronic world as well.

DW      Yes. If you've got all these folders in a particular location on your computer, it can actually make your backups much easier because now you know where all of your files are, and if you're sharing those files with other people in your office they know how to get around the same folder structure. Or, if you put it out on your network server they know how to get to the same information and also to create new files and folders in the system.

PB        Before we get into the concept of searching, one of the things I should mention is that if you're making this conversion from a physical file management system to an electronic file management system or a paperless office, one of the things you have to keep an eye on is to develop this system moving forward, and not going back and recreating and copying everything.

DW      That's a good point. I think one of the interesting things about moving your files onto technology, onto computers, is that you can start to get benefits that you can't realize with a piece of paper. So if you have a client folder, and inside that client folder you have a document that actually needs to go in multiple sub-folders, on your computer you can actually place that file in multiple locations. Now, you wouldn't actually want to place multiple copies there because if someone changed one copy that might not actually impact the other files, but what you can do is once you put a file into a sub-folder, you can create shortcuts to that file in other sub-folders. And that way, if you've organised your files in a certain way and a staff person or another lawyer comes along and wants to find information in that client folder but is thinking about it differently from how you organized it, they might still be able to find it because they can find the shortcut to the document even if that's not where the actual document exists.

PB        So one of the other things we can talk about at this point is limiting access to those files as well, electronically.

DW      When you put your files onto a system, you can change the properties of the folders and of the individual files, so that only the people that need to get access to those files are able to. In many cases you'll want to have larger access, broader access, so that you don't have to open a file or share a file every time someone needs access to it, but it allows you to really control access. If you have an issue like a Chinese wall to keep people from looking at particular content, you can use the security to help to block.

PB        And you can change security when employees leave as well.

DW      Right.

PB        So let's talk about finding these files now that you've created them and saved them in various places. Presumably you have backup copies which are off-site in case you have some sort of business interruption, but how are we going to find these files again?

DW      Well, the most obvious way is browsing, and that is really the digital version of what you're already doing. You're walking to a shelf, you're opening a folder, and then you're looking at sub-folders and the papers that are inside them. You can still do that in a digital world, but the benefit of having your content digitally is that you can now start to search for the information and not have to go and browse and try and remember how a document was filed. You can use search both on your computer and on the web to find information that you've stored.

PB        Do you need other software or can you search from the software itself?

DW      At a very basic level you can do search within your operating system - with Windows 7.  Windows search has finally gotten to the point where it's reliable enough that you can pull back information very, very quickly. With earlier versions of the Windows operating system it wasn't always that good. Windows 7 users should also make sure that they look at their Indexing Options in their Control Panel, and this is a little geeky, but Windows, when it comes out of the box, doesn't automatically index the contents of all the documents you would want to search. It often will only index the file name, so you need to go into your index options, and make sure that it is indexing the contents for all the files that you are looking for particularly if you use WordPerfect or something that is not a Microsoft file.

PB        And the Mac has a similar function with Finder and those are the built-in options. There are also some search apps that you can add to your computer.

DW      Two of the best-known ones are X1 and Copernic and they are software applications that you download and install on your local computer and they provide you powerful search options and the ability to do keyword searching and other things on your computer. There is a free version of Copernic, but that is only for personal use, so if you use Copernic make sure you're paying for the business license.

PB        Some people are storing information in the Cloud which is basically just... we've talked about this in other podcasts; servers that aren’t within your organisation. How would you search information stored in the Cloud?

DW      When you load information up to Dropbox or to Google Drive or one of these other Cloud sites they typically will have a search interface built into the website, so when you go to your Dropbox account at Dropbox.com you can do a keyword search and it will automatically search all the files that are out there. One of the interesting things about using Cloud search or Cloud storage is that even if you don't want to put all of your client files up there... say you've got a large number of transcripts related to litigation or to some other large set of text documents, you can load those into the Cloud, and then use the search in the Cloud to, very rapidly, pull back files that might take longer to look for if you're using just your operating system or a local search application.

PB        And there's a couple of different apps built specifically so that you can search all of your social media applications as well.

DW      Right. One of the best known is CueUp which used to be known as Greplin. CueUp.com and CloudMagic.com is another one, and what that allows you to do is that if you have a Dropbox account and a Twitter account and Google mail account, you can search all of those systems all at once. So the benefit of using search in addition to browsing is that you can have a way to pull back information from multiple locations without having to remember where the information was stored before you start looking for it.

PB        And you alluded a bit to tweaking Windows 7 to be able to turn on the indexing. Do you want to talk a little bit about indexing and how it works?

DW      Sure. Indexing is a shortcut for search programmes so when you type in a search it usually isn’t actually looking at all of the files on your computer right then. It has built an index prior to your search, and the index is a file of information about the files that are on your computer, and that makes the search go faster. So when you do a search the search application looks at the index, finds the files that have the attributes, the keywords, or whatever you're looking for that match and then returns those matches. So the index is stored on your computer somewhere. You won't necessarily see it but it allows you to have a faster search on your computer. If you're using Cloud-based storage or Cloud-based search like CueUp or CloudMagic then that index is also stored in the Cloud, and you'll want to make sure that it is protected and secured in the same way as the actual documents are.

PB        Great. That's our quick look at file management. Thanks, David.

DW      Thanks, Phil.

Technology and the Engagement Letter

When you take on a new client, you use a retainer or engagement letter, right?  What if your client wants to know the type of technology you use: where you store her confidential information, what your business continuity plans are, and so on.  Listen as we talk about the types of technology considerations you might address at this crucial stage of your client relationship.
Speaker Key:      PB Phil Brown, DW David Whelan

 

PB:  Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about retainer agreements and engagement letters.

DW:  One of the things you may want to think about when you’re starting to set out your relationship with your client is how you are going to explain to them the types of technology you use, and how the technology that you use will impact their information and their communications with you.

PB:  The first thing a lawyer or a paralegal should consider is, “Am I going to use an engagement letter or a retainer letter?”, and the answer is, yes you should. It is the contract that you have that sets out what is expected of you and the client, and how that whole relationship is going to be treated.

DW:  One of the debates that seems to arise is, “Do I really need to tell my clients about the technology I’m using?” You’re wondering, “Isn’t that the same as describing where I keep my money in my bank account and other aspects of my practice? What do you think about that?”

PB:  Those are all things that you don’t necessarily want to share with your client. For example, how often do I restock the photocopier, how often do I buy new technology, and how up to date are my computers? Those are things that I don’t think you should necessarily share with a client. It is more reasonable that your client is going to want to know where their confidential information is going to be stored, how you are going to communicate with them, if you will be sending them emails, if you use a service like Gmail and the cloud, and if you have your own server-based email with your own domain. I think those are all important information for a client to have so that they can make a choice and/or possibly opt out of that means of communication.

DW:  It seems that if you are trying to be clear about roles, obligations, and what the risks are, that you want to include that. There are a couple of choices. One, you can leave it out, and I wouldn’t recommend leaving out the discussion. But even if you decide to put it in, you really have two choices: one is to say, “These are the technologies that I use in my practice. I have developed my practice around using these technologies and either you are willing to have me use these technologies, or you won’t be able to have me as your lawyer.” The other way is to say, “I have all these technologies, but I also have another way to do some of these things. If you want to opt out of some of these elements, I can allow you to do so and we can work out different ways for me to communicate with you rather than using email, for example, or other ways to deal with your information.”

PB:  It is the client’s confidential information that you are storing. You are responsible for its confidentiality. One of the things that they will want to know is where the information is going to be stored. Is it in a bucket in your office? Is it in a safe? Is it electronically kept somewhere else?

DW:  It seems fair to say that the client should be able to choose. They may be uncomfortable, for example, with having their information moving from country to country or being stored on servers in a particular country. And I don't know that there’s really any good or bad country from that perspective, but there may be in particular cases, or particular matters, that there are certain countries where you don’t want to store your information. Letting the client know to the extent that you yourself are able to know where the information is being stored – that would be helpful.

PB:  And you bring up two points: (1) do you know where that information is going to be stored? I know with some law firms and lawyers and paralegals, the cloud service that they use may just be a front for a hosting service somewhere else. They may not have the information themselves; they may be renting space on servers in California or New York or England or someplace else.

DW:  If you use a service like Dropbox for example, which seems to be one of the common ones that you find lawyers using, there is a good chance that all of your information is actually being stored in the United States. So you have to have that discussion, or at least explain to your client. But that is a best case scenario, because you can find that information directly from Dropbox. With Google, if you ask them where their servers are, they won’t necessarily tell you where the servers are and which ones you’re using. If that is going to be a concern with your client in a particular matter, it is better to have that discussion up front than at the end when the client is complaining.

PB:  The second point is you might have a client who has a particular sensitivity with the country that your information is going to be stored in. For example, they may have assets in the US, or maybe they are under investigation in the US, and they will not want you to store their confidential information in that country’s servers.

DW:  Another thing to think about is how it is stored. What sort of encryption is applied to it? How is the information taken care of? How would you share that information with a client?

PB:  I would want the client to know whether or not the information was encrypted by a third party. For example, if I sent my information into a practice-management software system in the cloud, and the information, although it’s encrypted both on the way to that third party and on their site, there is no doubt that if they were subject to some sort of search warrant, they would give up that information. The other thing the client might want to know is if you are going to pre-encrypt that information before you upload it into the cloud. That is fair to put in a retainer agreement.

DW:  It will be tricky to include in an engagement letter - not to get too technical into the details - which might also change based on whether you change services in the middle of the matter. Those sorts of details may change too.

PB:  Right. So how the information is stored might be one thing you want to tell them. Also, how you’re going to access that information later. For example, if the file is closed will they still be able to access that information if it is stored someplace? Are there any costs associated with recovering that information? Those are important points to put in a retainer agreement as well.

DW:  Yes, and some of this you may not know, or it may change over time. But if you have an opportunity, and if you’ve really done your work as you’re setting up the technologies that you’re using in your practice, you probably have a sense of what these costs or what the considerations would be that you can incorporate. While you may not be able to give your client every detail, you can give them a sense of the scope of how you are using technology.

PB:  Right. And the retainer agreement does not necessarily have to be boilerplate. Depending on the client that you have, you can be flexible and change certain parts of it as you go, depending on the client’s needs.

DW:  That’s a great point.

PB:  The key to this whole thing is client communication; it’s engagement; it’s their understanding of what the relationship they have with a lawyer or paralegal is.

DW:  There is a spectrum; some may be reluctant, either because of the matter or because of their own technological skills, to use the technology or to agree to use it in the way that you want to. But you will also find clients at the other end who will really appreciate the technology that you’re using, the productivity gains that you’re getting out of it, and the ability for you to share with them using things like file sharing online or other tools that are built in to case management products so that they can stay up to date on the information that’s going on in their matter, without having to contact you.

PB:  It is a good idea to tell the client that you are using this technology, and it is going to reduce your costs. You will be more efficient. You are using technology, one of the requirements lawyers and paralegals have. It is also a good idea to tell them what your destruction policy is.

DW:  Yes. You should spell out how you’re going to do that. If you have all of this electronic data stashed out there, what are you going to do with it when the matter is over and how are you going to store it? Are you going to pull it down off of cloud servers if that is where you have it stored? Or if you have it in your office, are you going to delete it off of hard drives?

PB:  That’s our look at engagement letters and retainer agreements. Thanks David.

DW:  Thanks Phil.

Encryption Introduction

Encryption gets easier to do, if not actually turned on by default when you use a computer or phone or visit a Web site.  Listen as we discuss encryption used while you're on the Web and communicating by e-mail, as well as what you should be encrypting in your office.

Speaker Key: PB: Phil Brown, DW: David Whelan

PB: Okay, I'm here with David Whelan and we're just going to talk a little bit about encryption. Why would a lawyer consider or why should a lawyer consider using encryption?

DW: It was easy when lawyers had all of their documents and other information inside their firm, but now that they're starting to use electronic records and electronic files and send e-mails, it's easier for people to get access to that information when they have sent it out of their office. It may not happen but it means that there is a greater likelihood that people will be able to get access to it. So you can use encryption to protect your clients’ confidentiality and you can use encryption to secure your information when it's being transmitted between you and another party.

PB: And presumably it would also protect information that's stored on someone's computer, even if their computer's not actually going anywhere or the information is not being transmitted anywhere?

DW: Right, that's for sure. If you are using a wireless network in your office you may not be aware of people who are trying to get into your office, and so you can actually make sure that the electronic records that are on your computer are secure against external intruders rather than the people who might be looking at them, at the data that you're sending across the internet.

PB: Right, and the internet is basically one giant information highway with information arriving and leaving all the time and a lot of people don't realise that their information, as it moves along that highway, is potentially vulnerable to intrusion or examination along the way.

DW: Absolutely, yes. I think a lot of people think of the internet as a direct connection between you and me. When I send you an e-mail, you receive it and it's essentially passed just between the two of us, but really it's hopping. It's using little stepping stones, hopping across the internet to get to you and each time it hops and puts its foot down, it's leaving an imprint of itself. So the e-mails that you send are actually being stored in multiple places as they're transmitted to the end user.

PB: And in fact could be read or examined at any of those nodes along the way, theoretically.

DW: Absolutely right. You're really relying on the security of each step of the network to make sure that the information you are sending is still secure. I think one of the interesting discussions that's happened on the web recently is that lawyers who use Google Mail, the free version, are having their e-mails indexed, and so if you have client confidential information in your e-mails and Google Mail, Google is indexing them so they can try and give you ads, but it shows that even at sites where you're using e-mail and perhaps you haven't sent anything from Google Mail, the e-mails that you receive are accessible, by technology at least, search engines in this case.

PB: And when we are talking about Google Mail we are talking about Gmail?

DW: Right, and if you get to Google Apps and pay the $5 or $6 a month, this is not an issue.

PB: Okay, so let's talk a little bit about how encryption would actually protect a file. How does it sort of work in general?

DW: Well, what it does is, it creates a wrapper around your file and so you create that wrapper and then you apply a password to it and then that password keeps it secure. When you send that information to someone else or when you transmit information across a secure connection, you're actually talking about passwords at both ends and so there has to be an agreement about the passwords or the keys that are used in order to transmit the information across the web. So whenever possible you want to use a secure connection. When you are in a web browser your web browser location turns from HTTP to HTTPS, but even when you're sending a file, you can send the file in an encrypted format over an unencrypted connection.

PB: And that HTTPS change is to, in theory, be a more secure or encrypted connection.

PB: Right, so instead of just having an encrypted file, if you think about the encrypted file being surrounded by a shell, and that shell is encrypted, so it makes the file inside it impervious to investigation by people who shouldn't look at it. The HTTPS connection, the secure socket, actually is a pipe and so everything you transmit up and down that pipe is also in a secured format.

PB: And we're not going to get into this in this podcast, but talking about things like Virtual Private Networks or VPNs, is one way of addressing that sort of private connection that you can have, that's more secure than just using the open internet.

DW: Right. If you use HTTPS you can actually just connect, or you can connect to websites without having to worry about it, but as you say, VPNs have a lot more power behind them.

PB: Right, and so you can encrypt files on your computer. I guess one of the downfalls of doing that is if you lose a password you're never going to get that information back.

DW: Absolutely, yes, and I think it plays into your strategy for how you use encryption in your practice. You can encrypt at the file level, so you just choose the files that you want to encrypt, and that puts a little bit of a burden on you to make sure that you are encrypting all the files that potentially could have confidential information. The other side of that is, you can encrypt your entire computer, which includes your operating system and everything else. And in that case when you start up your computer everything is encrypted automatically and you don't really have to think about it. So that can help from the perspective of how much work you have to do to remember to encrypt your information, but, as you say, if you lose that password then your computer is not starting because everything is within that encrypted shell.

PB: Right, and obviously it's not a good idea to share that password for your encryption. I know a lot of different encryption software, some of which are expensive and some of which are free, offer you the option of creating your own password or having a system generated password. Any preference?

DW: I don't think so, although if you make an easy password, obviously that might be easy for you to remember but also easy for other people to figure out. So if you take a system-generated password, at least you have a certain sense that it will be a relatively random set of characters and harder to crack, but I tend to use passwords that are longer and a little bit more difficult, but also ones that I can remember or keep ready to hand, so that it's easy for me to get into the information I want. I don't have to look up that password in order to get access to my files.

PB: Maybe we can talk about password protection on a computer being different than encryption on your computer.

DW: The password, really, is just like a lock to a door. People can get around that lock in other ways, but if you've got that password then that allows you to unlock the door and get into the machine. And once you've unlocked it, once you've decrypted your encrypted files using your password, then they are accessible to anybody else who can get to that machine while they are decrypted, so it's not quite the same. The password is the gateway to get into the encrypted information.

PB: And encrypted files are not necessarily visible either at first glance on a computer.

DW: Oh, for sure. Right. You can hide them and because the encrypted content is essentially like a shell and there are things inside it, you can create what's called an encrypted volume, which is really like a big bucket and the bucket is the encrypted part and then you can throw whatever you want to inside it, so you can have folders and files all structured just like you would on your computer but all inside this encrypted wrapper. I think one of the things to keep in mind is that if you decrypt that encrypted wrapper, or you decrypt your computer, if someone is able to get physical control of that computer while it's decrypted, then they have the same access that you did. So it's important that if you are using a laptop or some other device that has encryption on it, that you remember to turn it off, power it off, or reactivate your encryption if you're going to be going away from that computer or travelling with it so that if it gets separated from you or stolen, that the information that is on your computer is inaccessible.

PB: That's our quick discussion about encryption. There will be a lot more resources attached to this podcast. If you'd like to have a look at those we'll direct you to some other information on encryption. Thanks very much.

DW: Thank you.

Encrypt Your E-mail

E-mail is a foundational communications tool for lawyers.  If you use it to share confidential or private information, how do you ensure that others aren't intercepting or listening in to your conversation?  Listen as we discuss e-mail encryption, the 1999 ABA ethics opinion, the impact on clients, and emerging end-to-end e-mail encryption.
Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  It’s Phil Brown and I’m here with David Whelan. Today we are going to talk about email encryption.

DW:  Email encryption has always been something that is discussed by lawyers since it became a big part of how lawyers communicate with their clients and others. In 1999, the ABA came out with an email policy, maybe an ethics opinion, on whether lawyers needed to use encrypted email or not, and they decided in 1999 that they don’t.

I think part of that came about because encryption and email has been so difficult to do.  This is because you can use whatever software you want to send email, and in order to use encryption, your client or the person on the other side (e.g. the judge), needs to be able to then decrypt that email. In order to do that, it often requires them to put software on their systems that they may not understand how to use.

PB:  And that has always been, kind of, the weak link with email encryption - the person on the other end trying to figure out how to decrypt that email.

DW:  Right. The basics with email have been in order to secure it, we have required everybody to have strong passwords, and so you should have strong passwords for your email accounts.  Certainly, if you have an email server that is exposed to the Internet, and pretty much every email server is going to be, whether you are using Gmail, Bell, Rogers, your ISP, or you are using hosted Exchange, if someone else can get to it over the Web with a user name and password, then it needs to be a strong password to go with your user name. That should be the fundamental, the basic level of security that you have on your email.

PB:  And we have talked about strong passwords before, but some of the basics would be to use spaces, punctuation, a combination of capitals and numbers, and even phrases. But the idea is that it should be more than just something like your home phone number.

DW:  For sure, yes.  The next step you can do if you want to encrypt some of the content that you are sending is to send an encrypted file. For example, I could send Phil an email saying, “This is a really cool document but I don’t want everybody else to see it.” I could then attach a PDF that has been encrypted, and he can decrypt the PDF on the other side. So the email itself is not encrypted but the contents are. That is one way to handle it.

And we have seen that happen. They call it encrypted email but it is not really encrypted mail.  What you are doing is emailing or uploading a file to a server, encrypting the file on that server and then sending an email to the person who you want to send it to. That person can then go and download that file, and so it is not quite encrypted email, but it allows people to send encrypted information from one place to another.

And I think that has been the option for solos and smalls, certainly, or at least not big corporations where they could have encryption built into their entire email environment.

PB:  You have talked about a recent LexisNexis survey, which basically said that very few lawyers are using email encryption.

DW:  Right, yes, I think that is still the case. It is still beyond the general ability for people to figure out how to set it up at both ends. So even if the lawyer can figure it out, the problem is how to get the client to do it.  The challenge, I think, becomes you having this thing called public and private key security or encryption, and it means that there is a piece of information that you have to have on your side, and a piece of information that the person has to have on the other side from you.

So you have your private key that you control yourself, and then the public key information has to be available to the person who is going to decrypt that email, and making that work usually meant having the same piece of software on both ends. So in the old days, you would have PGP (Pretty Good Privacy), and you would install the Pretty Good Privacy piece of software on your computer, the other person would install PGP, and then you could send emails and encrypt and decrypt that way, but it really was a very cumbersome environment.

PB:  PGP has come a long way, but I can remember using PGP back in 2000. You used to compose your email as a text, cut and paste it, apply your private encryption key, and then you would paste the result back into the email and send it off to someone else.  And they had to have your public encryption key on the other end, cut and paste that email into the program, and then essentially apply the key and decrypt whatever it was you were saying, which was never very earth shattering when I was sending them out. But that was the way it worked at the beginning.  And it has come a long way since then, but there are a number of different programs now jumping into email encryption.

DW:  Yes, and I think the difficulty in using encryption was what the friction was, which is why we see so few lawyers using encryption right now, unless it can be automated in a way that really gets it out of the face of the person who is sending the email and the person who is receiving it, then it is going to be a challenge. Do you want to talk a little bit about Virtru, which is one of the up-and-coming tools?

PB:  Right, Virtru is free for single users, V I R T R U.  Again, we are not suggesting people use any particular program and we are certainly not endorsing any. This is just one that I have been playing with and it is an iPhone app - I don’t believe there is an Android app for it, but you can also use it on a desktop.  But the idea is that you can determine how long the life of that email is going to be, i.e. if you want it to expire in ten minutes, and people will not be able to read it after ten minutes; it vanishes from the server where it is resident. You can also determine if you want to call it back, and you can also protect it so that people cannot forward that email to anyone else.

It has a number of different options that are not available on regular email. And, as I say, there is an iPhone app and a desktop version.  I have used the iPhone app for about a week now, and I would say at various times it does have trouble connecting to the server. This is fairly early days, it seems, for this particular program, and they are asking users for feedback to tell them how it is working or not working.

DW:  One of the interesting things about Virtru – I have been testing it with Gmail, so far, because that is what the focus has been, and I think we will see that people who are using Google apps or Gmail will get the benefit of a lot of the change that is coming, because it is a big group of people, and so if someone is going to develop software, they might as well develop for Gmail.

But I liked that I could go into my Gmail account and send an email that was not encrypted, and then if I wanted to send an encrypted email, there was a little button at the top that I could toggle on. So I did not have to always send encrypted email when I was using my system - I could choose which emails needed to be encrypted and which couldn’t. That was a really nice benefit.

PB:  And fairly simple for the person on the other end to decrypt that email.

DW:  Right, yes, I liked how if the email account you are using is not set up for Virtru, you will get a link saying, “Create an account”, which is just clicking a link and setting up a user name and password. Then you can decrypt the email from the other person.  Because of the way the system works, you are encrypting it on your end so you are the only person to have the keys to encrypt the email.

The email is then sent encrypted, and wherever you send it to, whether I send it to an Exchange server or a Google server or whatever, it is encrypted in that form so it cannot be exposed, even if someone is getting access to that server improperly. The other person has to decrypt it in order to see it, so it is a really secure way of transmitting it.

And I was wondering whether it was a little too secure, because if I am using Gmail, I am already using a secure connection, right?  It’s “https://mail.google.com”, so I am on a secure connection there.  But once it is sent, it is no longer encrypted, and I lose that bit, so it really stretches that encryption chain all the way across the life of that email.

PB:  And with Gmail, you can claw back the email after you have sent it; probably does not work 100% of the time.

DW:  Yes, I expect that if I sent something to a non-Gmail user, I may have a problem getting it back.

PB:  And you are not able to prevent people from forwarding the email and things like that.

DW:  Right, yes.  I think what is interesting is that Google has already announced that it is going to have its own product which is called “End-to-End”, because the new language for computers and devices is to call them endpoints. So we are now going to be talking about sending from end to end, encrypted email, and so the Google work is currently under public scrutiny.  They have opened it up so that anybody who wants to can comment on it.  It is based on the open PGP standard.  And I think once that has been implemented, we will see their kind of idea applied across all of the Google products, and probably appearing in other places as well.

PB:  Outlook and Hushmail are a couple of other players in the world of encryption.

DW:  Right, yes. Hushmail is unusual because they are the app, both the email client and the encryption tool, all in one. Again, going back to your early days of PGP where you had to create the text and then paste it over, Hushmail sort of does all that in one environment.  And Outlook has the ability to encrypt from within the system, but again, you have got to be attached to an Exchange server that will support that encryption.  If I am using Outlook, which I could have bought with my Microsoft Office suite, but I am using it with Bell, I will not necessarily be able to do encrypted email that way.

PB:  Right, and some of these programs in their early days made you feel like you were extremely paranoid, because they would only display the email for the receiver one line at a time and things like that. It was almost like you had a special invisible ink spy pen that you were using to slowly decode that email; it would not show you the whole email at once.  But we have come, sort of, a long way since then.

DW:  Yes, and I think we really have to for it to work, and certainly with the NSA and Snowden discussions, everybody is much more focused on encryption, I think, than they ever have been. And to the extent that you receive an email and just press a button, or you send an email and by just pressing a button in order to encrypt or decrypt, I think that is the level it has to be for it to be in wide use, certainly by lawyers, but even by their clients.

PB:  So lawyers and paralegals should know that email as a tool of communication is certainly vulnerable from a security standpoint. There are some different things they could do, including opting out of using email with a client, but also that encryption is here - you can use it now, and it is certainly going to get more sophisticated and more common, I think, going forward.

DW:  Yes, I think that is a definite.

PB:  That is our look at email encryption.  Thanks, David.

DW:  Thanks, Phil.

Lawyers and E-mail

Lawyers use e-mail every day.  Listen as we discuss how it works and ways you can use it more productively and efficiently.
Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  It’s Phil Brown and I’m here with David Whelan. Today we are going to talk about how email works.

DW:  Email is one of the fundamental communication tools for lawyers, and although we often hear that the end of email is coming, either through social media or texting or something else that is going to take over, it remains a fundamental way to communicate with your clients.

PB:  And it seems simple enough:  you write an email on your computer, send it off to someone, they receive it, presumably, and reply. But that is not all that is happening on your computer.

DW:  Right, and I think there is some real confusion, too, about the kinds of tools that you use. You can use, in the current world, Gmail or Yahoo! mail, open up your Web browser and go to a site and compose mail, or you can be using what is called an email client, a piece of software that sits on your computer.

A lot of people have used Outlook, although they sometimes confuse it with an old program called Outlook Express, which is not as good an email client, but both from Microsoft. Or they might be using Thunderbird from the same people who make Firefox, the Web browser.  So, you have a piece of software, and that is your editing tool for creating that email before you send it off.

PB:  Right, and before we get into things like hosting and who... where the email actually might be residing, let’s talk a little bit about TCP/IP and the language of emails.

DW:  Right. The way email works is that you create it either on the Web or through your email client just like you would create a Word document:  you just type it up and you can add attachments to it.  In some cases, you can actually put the attachment, the picture or whatever it is, into the email, and then you press your send button.  It needs to go somewhere, and your software or your Web connection has to know how to send it over the Internet.

PB:  Right, so TCP/IP is just the basic communication language that constructs the email and lets it travel through the Internet.

DW:  Right, and one of the things that has always been out there for lawyers and email is the confidentiality of what is in your email. The way TCP/IP works is that it breaks it into packets, which are little bursts of information that shoot out across the Internet. You are not actually sending a Word document in the same way that you would send it if it was an attachment; your email is being broken up into little chunks, and then it is sent over multiple different paths to wherever you are sending it to – to the email server that is going to receive it so that your recipient can then access the email.

PB:  Right, so even if your email is being sent from my office to your office across town, that email might actually go to China before it reaches you.

DW:  Exactly, so it is those little packets that are shooting out across the Internet and they may cross borders.  Certainly, a recent survey by some professors, I think from the University of Ottawa, found that most Canadian Internet traffic crosses into the United States, even if you are not sending anything to the United States, and then it comes back into Canada.

PB:  Which can be very convenient for people who want to look at those emails.

DW:  For sure, and when you think about all those little packets, in order to get where they are going, they are being routed over a bunch of different servers. So it is not like it is going from just your server to another computer directly; it is actually stopping and little copies could be made at any point of any of those small packets.

PB:  Right, so let’s talk about email host.  What is hosting an email, or what is an email host?

DW:  Well, an email host is the software that is behind the client. In terms of technology, you talk about client server networks, but your client is your computer and it is the email software that you write your email with. When you press send, that software does not actually do anything.  You have to have a server behind it that will receive the email, process it, and handle it properly.

So somewhere in your email environment, you have an email host.  It might be your ISP like Bell or Rogers, you might be using Microsoft Exchange inside your law firm, you may be using it through Office 365, or you could be using a variety of other email servers.  But you will have an email server out there somewhere which will both receive emails for you from people who are emailing you, and it will take your emails and send them off to the next people.

PB:  Right, and we have touched on this in other podcasts, but probably what a lot of people do not realize is that if they are using email, they are using the cloud.

DW:  That’s right, yes, because it has to go out and be handled by some server.  Now, you can have an entirely internal email environment where you have Exchange, for example, inside your law firm and you are only emailing to someone else in your law firm.  That email will actually stay inside your network and it will never leave, but if you are emailing anybody outside of your practice, then that will be going out into the Internet and probably living on a cloud somewhere.

PB:  So there are a number of points of vulnerability, if I can put it that way, in terms of the email on your desktop, the email while it is being transmitted somewhere, while it is sitting on a server, ending up on someone else’s desktop, and then that email gets forwarded somewhere else; just a number of different points where it could be travelling through other countries, and there is a chance for you to lose control of your confidential information.

DW:  For sure, because there are really a couple of services that you use when you send or receive email.  When you send email, you are using what is called the Simple Mail Transfer Protocol (SMTP), and it is really simple.  It receives your email and sends it, and then that is the end of your control over that email, because it is now travelling across the interwebs.

And you may have heard about someone who has sent out an email, and after you receive the email from that person, you then receive a recall notice that says, “Please disregard the email I just sent”, and that is because their system does not have the ability to recall a message. But when an email goes out to the Internet, those recall functions do not work.

PB:  Right, and SMTP is basically the protocol that says, “Ok, send this data or stop sending this data.  I am now going to stop because the data has been received.”  It is also what goes out and looks for the email address that you are sending to.

DW:  Right, to make sure that there is actually an address to send to. And it does not care if it is the wrong address. If there is an address, it will send it. I frequently receive emails from Ireland because there is a “David Whelan” there and I am in someone’s address book, so it comes to me but I am not the person they are expecting to send it to.

PB:  Right.

DW:  SMTP is also one of the vulnerabilities in your email environment, and it should be secured so that only people who are authorized to send through that SMTP server can do so.  Otherwise, you create what is called an open relay, and then spammers and other people will find that you have this open relay and will send email messages as if they were coming from you. There will be no way for you to stop them, because the SMTP server is not smart enough to check, other than with authentication and other setups.  If it receives an email and there is no security on it, then it will just forward that email, assuming that everything inside that email is okay.

PB:  Right. Let’s talk, briefly, about POP and IMAP and how they fit into the whole email system. POP means “Post Office Protocol” - how does that work?

DW:  Post Office Protocol and IMAP are two variations of how you get your email. In the case of POP, it downloads a copy of the email to your client so that you can then open up your email software, your app on your phone, for example, or your Outlook software on your computer.  If you use IMAP, it shows you the folders and the files that are in your email system, but it leaves all the emails and the folders on the server.

So what that means is that instead of downloading a copy, to perhaps multiple devices, or if you have downloaded your email with POP and you delete it, losing access to that email, IMAP allows you to leave your email in one location, and use multiple devices to access it. It will leave it on that server, so that you can use it in multiple ways without having to worry about having put the copy of that email on one particular device.

PB:  Right, and POP, I think, is more of a one-way street.  IMAP is more of a two-way street in terms of deleting emails.  If I delete an email from my BlackBerry or my iPhone or whatever, it will get deleted from the server as well.

DW:  Exactly, and that is why some people like POP - because it downloads a copy of everything and they can make sure they have a copy on their local machine, but yes, it becomes a preference, and it becomes a productivity tool.  If you are accessing your email using multiple devices, more than one computer, for example, or a computer and a tablet, then IMAP may make more sense for you. If you are only on one device, then POP is actually a good option.  If you are going to back up your information from your computer, you can have a backup locally of that, those POP files.

PB:  Right, and I would just say this:  all of those various things which are built into your computer have ports which are listening for POP emails and IMAP emails and waiting to see if something is coming towards your computer.

DW:  Right, yes, I always think of ports as a sieve.  If you think about your network connection to the Internet, normally we just think of plugging a wire into the wall and then suddenly, “Presto!” – There is the Internet. But if you really think about this sieve being in between you and the Web, or a colander if you want, and it has all of these little holes in it, all of those little holes are what are called ports.

And normally all of those holes should be closed, other than the holes that you need in order to communicate. Each of those holes will have a number, so Web traffic, for example, typically when you are connecting to the Web you use port 80. So that little hole in your colander or sieve needs to be open, and the same thing goes for all of these other systems.  POP is on 110, I think, and SMTP is on port 25.  IMAP, I forget now...

PB:  I cannot remember either.

DW:  It might be 443 or something. And then if you use secure versions of POP and IMAP with SSL or secure sockets, then you get slightly different numbers.

PB:  I think the lesson here for lawyers and paralegals, is that email, although typically secure, can be subject to various vulnerabilities, and you probably need to tell your clients, if you are using email to communicate with them, that it is a potential security risk.

DW:  For sure, yes, at least let them know that their expectations should be, maybe you won’t use email for confidential information, or you will send confidential information encrypted in some way.  Either the entire email or the attachment is encrypted so that if someone is listening on one of those ports, which you have to have open in order to connect to the Internet, and trying to capture the information as it goes by, you are at least providing additional protections for them.

PB:  That’s right, and it is probably a good idea to have in a retainer agreement, “This is how we are going to communicate….”, so that the client has an idea, in writing, on how it is going to happen.  Presumably they will also be able to opt out of that if they like.

DW:  That’s right.  There is always paper.

PB:  So that is our look at how email works.  Thanks, David.

DW:  Thanks, Phil.

Use a Clean Device Away from the Office

Revelations about government spying on technology and communications combine with lawyers crossing borders to make one wary about what information we carry.  Listen while we discuss ways to use a clean device - one that carries no information on it - to connect back to your law office and systems while you're on the road and out of the country.

Speaker Key: PB Phil Brown, DW David Whelan

PB:  Hi, it’s Phil Brown, and I’m here with David Whelan. Today we’re going to talk about clean devices.

DW:  Clean devices often come up when people think about crossing a border or going on a trip to visit a client in a different location and having to go through security, or potentially putting their client information that’s on their device at risk.

PB:  And the whole idea is, at least with border crossings and so on, you may be asked to reveal information on your computer.

DW:  Clean devices can also be used even if you’re just going around town and you want to have a device where you’re sure that you’re not carrying anything confidential; that if you lose your device, laptop or phone, that you won’t then inadvertently expose the client-confidential information that’s on it. 

PB:  In my 25 years or so, I’ve heard a number of lawyers have had their cars broken into next to a courthouse. That’s probably the worst place to leave your laptop or any other electronic devices.

DW:  The way you clean your laptop isn’t by dropping it in the sink and giving it a good lather. Think about how to remove all of the information that’s on it so that if someone was to get a hold of the device, there was only the hardware and basic software that was needed in order to run the computer.

PB:  It doesn’t mean you’re now walking around with a brick; there are a number of ways to access information.

DW:  One of the easiest is to buy a second laptop or a second device, and then use that only when you’re going to be travelling or in a place where you want to have a clean laptop. Don’t leave any passwords or any other client information on there.

PB:  So, rather than erasing information from a computer, you’re just never putting any confidential information on it.

DW: It’s a lot easier to leave the information off the device than to try and hunt it down, because information is often stored in hidden folders, particularly on Windows computers, and can be difficult for you to even know that you’ve saved something that you shouldn’t have.

PB:  And when we’re talking about a clean laptop, we’re talking about a laptop that doesn’t have any email going to it. There are no resident programs left over, your calendar is not on it, there’s nothing on it.

DW:  Right. A second way to do that, if you don’t want to spring for a second device or a second laptop, is to remove the media that you’re using in the laptop, like the hard drive in the laptop, or the SD card in your phone. If that is where you’ve stored the information that you use for your practice, you can pull the hard drive out of your device and then use an alternate media for booting up the computer, for having basic programs on it, and then make sure that you don’t leave any data on that.

PB:  And that could be either a hard drive or a USB key or anything that was bootable. Now, again, if you were travelling across the border, they would often ask you to boot up your computer for them.

DW:  Right. They would at least want to see that the computer was going to start up, and that it doesn’t have any other ulterior purpose. If you had a flash drive, for example, that you could pop in the side and use to turn it on and the computer started right up, then you’d be in good shape. And you still wouldn’t have any of your data on the machine.

PB:  Let’s talk about ways to work with that clean laptop so there’s a point to taking it on your trip to begin with.

DW: If you’ve made it so clean that it’s of no use, then it really does become a brick, and it might be good at wedging the door open, but not much else.

PB: One way would be to work in the cloud.

DW:  The cloud is an easy way to get into information that you made available, either before you left your office or is always out there. One of the most common things that lawyers use in the cloud is their email. So if your email is always in the cloud, which means that you use a web browser to get to your Google mail account, for example, or your Office 365 account from Microsoft, then you’ll be able to operate your clean device, use your web browser on that device, and still be able to get to your email without making any changes in how you practise.

PB:  As well, you could access a number of files that you have in your office as long as they’ve been loaded into the cloud and some sort of application.

DW:  Right. You may use the cloud in your practice anyway; you may be automatically synchronising your files to Dropbox. But even if you don’t, you can use one of those cloud tools, Dropbox, Box, and SkyDrive are examples. There are many different types you could use to just load them up while you’re going to visit with a particular client or on a particular trip. Then when you return to your office, you can remove them and leave your cloud empty.

PB:  And one of the cautions when using the cloud and using your device on the cloud, is to not download things onto your computer while you’re using it.

DW:  Right. The one thing you don’t want to do is have a clean laptop when you leave and then download or acquire information, store it on the device, and then have it on there when you’re crossing back over the border. Or, if it’s stolen, losing that information. So if you do download files from Dropbox, for example in order to print them, make sure that you delete them after you’ve done that. Try not to download any email because that will be very difficult to locate and delete later. You want to keep as little information on that device as possible.

PB:  A quick review: the cloud is essentially a computer server that’s not anywhere within your business; it’s held somewhere else by a third party.

DW:  Right, and you want to make sure it’s encrypted, but you really don’t have any other control over it.

PB:  There are other options besides working in the cloud. Let’s talk about some of those.

DW:  The cloud makes some people uncomfortable, so one of the ways you can get around that is using technology that allows you to get back into your primary computer. And this, again, is similar to the original – which is that you buy a second device. Working on your office computer while you’re using a clean device requires two devices. So you would leave your office computer alone; you would take your laptop or your smartphone with you, and it would be clean. And then you would connect back to your office using something that allows you to communicate with your computer but doesn’t itself actually require you to leave information on any other computer outside your office.

PB:  One of the keys here would be to make sure your computer was on before you left the country.

DW:  That is critical. One of the ones I like is called Tonido. Tonido actually calls itself a personal cloud, but it’s a bit of a marketing term. What it allows you to do is to install the Tonido software on your desktop computer or your computer back in your office, or even on a server. And once you have set it up, then Tonido’s site, Tonido.com, communicates with your Tonido server or your Tonido software, so that when you’re out on the road with your clean device, whether it’s a smartphone or a laptop, you can connect back through the Tonido server, using your user name and your password, and get back into the files on your computer. You don’t actually see everything that’s on there, but it’s a great way to access individual documents that you need to download or get to without having loaded them into the cloud.

PB:  Right. You set up virtual files on your computer; you’re not accessing the whole thing, but you’re accessing your private stash of files that you’ve set up on your computer before you go. Some other more traditional options might be things like LogMeIn, GoToMyPC – things like that.

DW:  Those are virtual desktops. They are easier to use on a laptop, although you can use them on a smartphone. It loads up a version of your desktop, so you would actually feel as if you were working back in your office, even though you were connected to it over the internet. The only downside to that compared to something like Tonido is really the amount of bandwidth – the speed – that it would take to load up that desktop so that you can see it. The upside is that if you aren’t really sure where you saved something, you have your entire operating system that you can work on as if you were sitting in your practice.

PB:  Right. It does tend to be a little bit slower, but you have the advantage of being able to access everything that’s on your desktop back in the office.

DW:  All of these have free versions as well as paid versions, so you can give it a try, get started with it, and then if you want some of the additional features, you can pay for the premium plans.

PB:  That’s our look at clean laptops. Thanks.

DW:  Thanks Phil.

Lawyer Regulation & Cloud Computing

Can you practice law using cloud computing?  A big question.  A funny answer we have heard relates to the regulations on lawyer use of the cloud, which don't exist.  Listen as we talk about some of the ethics opinions and other discussion involving lawyer regulators and cloud computing.
Speaker Key: PB Phil Brown, DW David Whelan

 

PB:  Hi it’s Phil Brown here and I’m with David Whelan and we’re going to talk about cloud regulations today.

DW:  Cloud computing is the technology that seems to be on everyone’s mind and whether they should use it and if they do what they have to be thinking about when they adopt it. 

PB:  So before we launch into the regulations and whether or not the Law Society has any, let’s talk a bit about the cloud.  What is it?

DW:  Well for a long time it was a marketing term and it allowed computer providers and software providers to say that they were doing something that was entirely internet based.  So if you logged onto your Google mail or to your Hotmail account you were working on a cloud system because it was out in the internet cloud, meaning that it was not locally installed on your computer and it wasn’t running on a server within your law firm.

PB:  So it’s running on someone else’s computer that technically you would not have control over, possibly in another jurisdiction.

DW:  Exactly and maybe in another country and maybe in multiple countries if they spread their services out so they are available all the time they might have to have coverage in different continents or at least different countries.

PB:  One of the reasons people should be aware of this is because most lawyers and paralegals are already using the cloud whether they’re aware of it or not.

DW:  In many cases, you’re using it for your personal life but you may be using it for some aspect of your professional life as well. 

PB:  For instance if you’re using Gmail or Hotmail or Sympatico mail, all of those are cloud based delivery.

DW:  Yes and if you’re not there’s a good chance your clients are because they may be receiving e-mail which you sent from inside the law firm on a web-based e-mail application in their house.

PB:  So one of the things that’s been coming up often in conversation amongst lawyers and paralegals is, does the Law Society have any regulations with respect to cloud computing?

DW:  The answer is no.

PB:  There are no regulations as such.  There are Rules of Professional Conduct however, which would apply to cloud computing situations.

DW:  They are the same rules that you’ve had all along and what we found with Bar Associations and other ethics groups that have looked at this and then come out with formal opinions, particularly in the United States, is that the expectation for lawyers and paralegals is that they continue to act reasonably and competently and follow the rules that they have been provided in the past.

PB:  Specifically with respect to Ontario lawyers and paralegals, rule 3.3 for lawyers and the equivalent rule for paralegals is that the lawyer or paralegal shall keep all of the client’s information confidential and that’s in all situations, whether it’s stored somewhere else or not. The other question that often comes up is does the Law Society regulate or approve of any particular cloud provider?

DW:  There are many cloud providers who would love to have a Law Society or a regulator sign off on the product that they provide but the answer is no, the Law Society does not certify or recommend any particular cloud provider.

PB:  In fact not just cloud providers, we don’t recommend or approve any particular software or vendor or anything.  So one of the fundamental issues here in dealing with cloud computing and confidentiality is you are trusting client information to someone other than yourself.

DW:  Right and it’s a threshold question. If you work in a particular area of law where it doesn’t make sense for your client information to be located on a computer, whether it’s a computer in your office or someone else’s computer, you need to avoid cloud computing.  And then if you do have client information, you may decide you have certain information you’re comfortable having in the cloud and certain information that you aren’t.  So it’s not an all or nothing decision to go into the cloud.  Whether you choose to put your to do list up in the cloud or your e-mail or whether you decide to synchronize documents that relate to the operations of your law firm and aren’t client confidential at all or whether you decide to put your entire practice up in the cloud, the rules that apply will still apply no matter which type of content you put out there.

PB:  So one of the things you have to be aware of when you’re putting anything in the cloud is the user agreement you have with this third party.  You need to own the information as the lawyer or the paralegal.

DW:  Yes, and it’s important that you have the ability to get access to that information at any time.  So if your cloud provider has a way for you to export or download the information, you should be doing so on a regular basis just in case they become unavailable for whatever reason.  And if they don’t have that, then you should be able to synchronize it down to your computer so you will always have a copy, whether you have internet access or not.

PB:  So within that use agreement there will be other information that will be very important which includes what happens if there’s a dispute with you about fees and the cloud provider? Who is their information being stored with? What happens to your information if their business goes under? What happens if you terminate your relationship with them? How long do you have to recover that information?

DW:  Those are critical aspects of the relationship you have with the provider and you should also be aware of how they’re going to be managing your information while it’s stored on their system. For example, if I upload files to a file storage site and those files are encrypted according to that provider then I want to make sure that they are encrypted until I download and access them and that their employees can’t access the server from within the organization and access files that I think are encrypted and therefore protected.

PB:  Right and in terms of the encryption, it’s really just protecting the information on site because an authority could come along with lawful authority and say “here’s my search warrant”, they’re going to turn over the encryption keys immediately.

DW:  Someone once asked me if the encryption used on one of the cloud providers I was discussing was enough to block the National Security Agency, the NSA in the US, from getting access to it.  The reality is probably not – this is the answer to almost any encryption utility on any cloud service, but we have a reasonable expectation that you will act competently and so you really have to approach it from that perspective.  What is reasonable? What is competent for your practice and for your confidential information? 

PB:  There’s also the option if you’re only using the cloud to store information, if you’re not using software as a service or something, you can encrypt the information on your end before you load it up into the cloud.

DW:  Yes and that would prevent anybody from being able to crack through the egg of encryption that is provided by the provider from the cloud site because you would have a belt and suspenders encryption approach.

PB:  You mentioned this at the beginning.  It’s really important to give clients the option if you’re using a cloud service to store their information. It’s important clients know that and they also have the option possibly to opt out of that if they want.

DW:  That’s a great idea and to put that in writing I think helps everybody to understand where that information is.  I’ve heard of a lawyer who has a Dropbox folder for each of his clients and so he is really committed to moving all of his clients out into the cloud and to have them interact with the cloud because those files are being synchronized to their computers.  I think one of the interesting things that cloud computing has raised is the idea that we are leaving confidential information, potential information that talks about the client matters and maybe client personal information on the web when we do searches using Google, which is now encrypting, but it does save search history or when we are sending e-mails and other things that we might not have thought about in the past.

PB:  When we say make client aware of it, it’s a good idea to put that information in a retainer agreement, which is your contract with the client so that they know what your policy is with respect to storing your information and protecting their information as well as what your policy is in terms of the disruption of that information later.

DW:  And that can help them to understand how they might already be interacting with a cloud or storing information out there - that although you are protecting it for them, they might be exposing it and hurting their own interests.

PB:  Thanks very much David.

DW:  Good seeing you Phil.

Backup Your Law Practice

You want your law firm to continue to run over the life of your practice.  Backups are necessary to get you over disasters, natural and otherwise.  We talk about typical backups of data, on your law firm premises and in the cloud, as well as ensuring that file formats for documents you made when you started practice are accessible even when you retire.

Speaker Key:  PB is Phil Brown, DW is David Whelan

PB: I'm here with David Whelan. It's Phil Brown and we're going to talk about backing up your electronic information. So, for starters, why would someone back up their electronic information?

DW: The worst case is that you have all of this information you have gathered from your clients or on your clients' behalf, you've got discovery materials, you've got all sorts of things stored and then one day they're all gone and how do you recreate your practice, recreate your billings, recreate your clients' documents, without any of the files that you've collected over all that time?

PB: And just to remind everyone, there are various vehicles to lose that information. It could be a complete computer failure and you're not able to recover the data, it could be a fire, it could be someone has walked off with your computer. Just a reminder there that physical security is also important.

DW: Absolutely and I think that that's one of the interesting things we haven't worried about too much when we dealt with paper, although we probably have made copies of things or placed our paper records in different places, but the types of things that can happen to your electronic records are from all different directions and although a lot of people think well, you know, that'll never happen to me, I'm never going to be involved in a natural disaster or, you know, my office is never going to burn down. I saw a good post the other day that said, it's not your office burning down that you have to worry about, it's your 18 year old kid coming in and hitting the delete key and wiping out all the files that you have on your machine. So the opportunity for disaster is present from all sorts of places.

PB: Right and we have to look at this from a couple of different angles, one being client confidentiality of course and the other is being able to protect yourself in the event of a claim further down the road. It's one of the reasons that we bother with file retention and file retention rules to begin with.

DW: Right! And I think that is going to be a trick. With paper you always have the paper, you can pull it out and you can show it to people, unless you've had a fire or water damage to it, you probably have a pretty good copy of the document you might have gotten very early in your practice, but with electronic data it becomes a lot more problematic. You might have created a document 20 years ago on WordStar and now you're faced with, how do you get access to that information if you haven't printed it off? What software are you going to use in order to get access to it?

PB: So I guess one important thing to mention here is, there is no point in backing up your information electronically if you don't do test restores of that information.

DW: I think that's one of the steps that's most commonly missed, which is that you download the backup software or you buy a backup system, one of those devices where you press a button and it backs up all your information, but just backing it up isn't enough. You need to make sure that once it's been backed up, whatever format it's in, that you can get back the information that you've saved.

PB: And maybe we can talk a little bit about different types of backups. You mentioned tape. I know there are a number of law firms out there that still use tape and there is nothing wrong with that as long as, again, you have the hardware to restore that information in the event of a loss.

DW: Right, and I think the proliferation of devices that you can now attach to your computer, whether they are network attached storage or USB storage, has really broadened the types of backup media that we have to store our backups on. I think there was a period of time where a lot of people were backing up onto CD RWs, CD disks and DVDs but I think it's probably more common now that if you are backing up into your office and you're in a solo or small firm practice you're probably going to be looking at something that you can plug into your computer or hang off your network and then store that way.

PB: So it could be something like a USB key or it could be an external USB hard drive.

DW: One of the things to keep in mind when you're looking at a device that you can plug into your computer is that if it's using flash memory like a USB key there are only a certain number of writes that it will take, so you need to be sure that you are using different hardware after a certain period of time so that once you've done a certain number of backups you get yourself a new USB key. You're probably better off using a mechanical hard drive if you're going to be backing up to an external hard drive. But in both cases you want to make sure that, as Phil said earlier, if you've got something that can be removed from your computer, that probably means someone can pick it up, which means that they can pick up your backup files and walk out of your office and, again, that's something that you couldn't have happen in the past, where they could get everything that is in your office rather than just one file.

PB: And there's a couple of things that flow from that. One is that, who is the caretaker of your information within the office or outside the office? And I know people do different kinds of backups. Maybe they only back up the new information they have accumulated throughout that day or throughout that week, the so-called incremental backup or maybe it's a systemwide backup at the end of every week, but it's still important to know what happens to that information once it's backed up and who is responsible for taking care of it.

DW: I'm a big fan of, especially in small environments where you might not have IT staff or enough time to look at the technology and manage it yourself, to consider using backup that is out on the web or out on a cloud as they say, so that when you're doing a backup you're backing up in a secure manner, perhaps in an encrypted manner but you're backing up out onto the Internet so that if, for whatever reason, you have a failure in your office, that data is not located and that backup isn't located inside the office where the disaster happened.

PB: And again if we're talking about the cloud, one of the things we need to be concerned about is client confidentiality and you should know first of all who owns that data if it's stored in the cloud because certain user agreements might suggest that the company who is storing your data owns it and they don't and they shouldn't and you shouldn't sign an agreement like that. But the other thing is, is your information encrypted or do other people readily have access to that information?

DW: I think that's a good point and some of the sites like Mozy.com or Carbonite.com, that provide this sort of online backup may back it up in a way that it's essentially one big blob of information, so you only are really going to be accessing it when you have to restore your computer. Another way to think about doing backup is to use a site like Dropbox.com or SugarSync.com where you are actually backing up all the files in the same file or folder structure as you have on your computer. That can make it easier to access one by one and it also might allow you to provide an extra layer of encryption where you are sending all those files up in an encrypted format, so even if someone can get access to it, even if they are unauthorised to do so, at least you know that the files out there are encrypted.

PB: The four companies you named, I think, are all American and have American servers and there are probably equivalent Canadian companies as well that would have servers resident in Canada and the only reason I mention that is because I know there is a concern to potential vulnerability because of the Homeland Security Act in the US and whether or not someone else might have access to your information which you might not be able to control.

DW: Absolutely and I think that whenever you're dealing with information going out on the Internet you're better off encrypting it if you’re leaving it anywhere, because even if you're using a service that's very well known and is Canadian based, you may or may not actually be leaving it on a Canadian server or it may be passing through other servers, so it's always good to use encryption so that it diminishes your concerns about possible invasions by government agents or other folks.

PB: Whether here in Canada or the US.

DW: Right.

PB: I guess the other question is, how long is this information going to last? We all backup stuff on our hard drives or on DVDs or wherever and then we sort of forget about them forever and we may need to access them in 10 or 20 years. Will we still have access?

DW: I think that it's going to be a huge challenge and I'm not sure that we will have access. We've already seen difficulties when a lot of lawyers moved from WordPerfect to Microsoft Word and WordPerfect is still out there but it's no longer anywhere near as popular among lawyers as it was. I think we're going to have format problems going forward in the future. I think one of the things we may be able to dodge a little bit is that the hardware that we relied on in the past, which was local where you had to buy essentially a spare tape drive or a spare CD drive in order to read the media, I think that issue may be going away, but we're still going to have to be very wary about any data that we store and if you've got one of the first PCs you probably have more than 20 years’ worth of data stored from your practice. How are you going to get access to all of those files going forward?

PB: And I guess just to build on that, if you are using a third party company to do information storage for you, you need to know what happens if that company is not around later and how much it would cost to recover your information if you needed to recover it.

DW: That's right. You don't want to be found without access to your backup just because a company that you were relying on has gone out of business or for whatever reason is unavailable.

PB: Great! Okay, thanks very much.

DW: Thanks a lot Phil.

October 2011

Bring Your Own Device (BYOD)

Solo and small firm lawyers frequently use consumer technology but even in large law firms, there is a trend towards lawyers and staff using their own technology to interact with the firm's systems.  "Bring Your Own Device" (BYOD) is impacting how client confidential and private information is accessed and managed, when the law firm may not have full control of the mobile device connecting to its network.  Listen to an explanation of the trend, and how it may impact your law firm and clients.
Speaker Key:   PB Phil Brown, DW David Whelan

 

PB:  Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about BYOD.

DW:  Why do we have to talk about liquor licenses, Phil?

PB:  Exactly. Bring your own dinner. Bring your own device. So what are we talking about when we’re talking about Bring Your Own Device?

DW:  BYOD is a concept that is sweeping enterprises, large law firms in places, and most solos and small-firm lawyers will already understand exactly what the concept is, which is that we are moving from an environment where all of the technology that’s used in a law firm is provided by the law firm. And now you can bring your own device. You can bring your own technology – BYOT – and use it at the firm with the firm’s resources but with the comfort level of having it set up and configured the way you want it to be.

PB:  Right. The firms are deciding that they are no longer going to buy technology for people; they can bring their own phones and tablets and so on, use them and store firm information on them. Of course that brings up some issues.

DW:  Yes, no problems to have everybody bring in things. The technology that is available now - maybe they use it at home for home or personal purposes. Those different worlds are starting to collide. You have to think about what your policies will be related to the types of technology you will allow to access firm systems, and what happens to the data that’s put onto those systems if the person leaves the firm. Those sorts of policies need to be worked out when you’re starting to bring other people’s technologies to the firm’s technology base.

PB:  Right. So one of the things that we always go back to when we deal with technology is the human factor and policies – what is allowable, what is not allowable, and the security that needs to be brought in to protect everyone.

DW:  Right. The challenge with BYOD is that you can quickly create enough policies that it defeats all the benefits of having BYOD. So you really need to be a little bit flexible, perhaps more flexible than you would be if the person was using firm technology. But you do need to think about the eventualities. The nice thing about BYOD is that if you are already embracing cloud technology or web-based technology, whether it exists by a private provider or your law firm has Exchange and it is web-enabled email, you can get to these on all these devices and you don’t really need to make it more cumbersome than it needs to be for those people to use their own technology.

PB:  Right, but you still have to protect client confidentiality. And the law firm, or the lawyers at the law firm, still have to own the information that is on that device.

DW:  Right.

PB:  So that needs to be clear in the policies. I guess also within those policies, you should make it clear that a certain level of security has to be in place with respect to complex passwords that are being used, the ability to remote-wipe those devices if they’re lost or stolen, things like that.

DW:  And this has been a challenge, I think, and may have been one of the reasons that BYOD didn’t happen as fast as it might have, which is that in general, if you had a device, whether it was a laptop or a phone or a tablet, it was all or nothing. If someone had access to the device, they essentially had access to everything. Sure, you can create profiles, but that may not always have worked. If you have Windows profiles, perhaps you left your Windows profile open and your child got on and was able to access things through that profile. Now we have the ability to segment phones, tablets, and laptops much better, so that you can create a work profile and a personal profile and have different levels of security.

For example, if I use Divide, which is an app for Android, I can segment my Android tablet so that part of it is encrypted. It is secured with a password and part of it is open, so that if all I want to do is use Angry Birds, I can get to the Angry Birds app without using any security. But if I want to get to confidential information, I need to go through the security layers that are on the device.

PB:  Right. You mentioned encryption. That’s always one of the things that we do talk about. It’s a good idea if you have confidential information stored on a device to encrypt it as well.

DW:  For sure. The smaller the device, the greater chance you are likely to lose it or drop it, and if the information on it is encrypted already then you don’t need to worry about what happens to that device afterwards.

PB:  And synchronisation, in terms of firms’ being able to store and update information from their various employees or associates is a good idea as well.

DW:  Right. BYOD doesn’t mean that you have to give all the keys to the kingdom in order to enable people to bring their own technology; it’s about flexibility. You can create flexibility and still have requirements, like Phil said, about having strong passwords so that if the person is going to connect to your network, they have to perhaps install some apps so that they can do the remote wipe, or that they are meeting the encryption standards or password standards that you set.

PB:  Now, it used to be with a lot of firms that the BlackBerry was the standard, and part of the beauty of that was their Enterprise Server.

DW:  Right. And I think that that’s going away. But the nice thing is that where the BlackBerry Enterprise Server was perhaps the only server that really provided that security, we now have lots of other opportunities, whether it’s through cloud or through internal systems, to provide web interfaces that can be used on any device with the same levels of security.

PB:  Right. And for the longest time, and I don’t know how many are still out there, there were hosted servers as well, where you could buy some shared time on them with the same level of security.

DW:  Right.

PB:  So one of the keys, to sort of summarize, is the flexibility of BYOD and still being able to have policies in place.

DW:  Right. There may be an app or a website, a cloud service; some technology that your firm needs to use that requires you to have everybody using a Mac or everybody to use an iPhone or everybody to be in Windows or whatever. And so those limitations may restrict your flexibility a little bit, but BYOD is a great opportunity for staff and lawyers to have an environment which they’re familiar or comfortable with, with a little bit more flexibility than sometimes happens with standardized IT.

PB:  Sure. And you can still protect your client information and your firm’s information just by having policies and procedures in place.

DW:  Exactly. 

PB:  Perfect. That’s our look at BYOD. Thanks very much, David.

DW:  Thanks Phil.

Anonymous Browsing

It used to be that, on the Internet, no-one knew you were a dog.  In the privacy arms race, your online activity is tracked using cookies and other tools.  You can attempt to anonymize your online Web browsing using your own privacy tools, like The Onion Router (TOR), to counteract and block attempts at tracking you online.
Speaker Key:   PB Phil Brown, DW David Whelan

PB: 
Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about anonymous web browsing.

DW: 
We are all much more aware than we might have been about a year ago about how governments are starting to look at everything that we are doing online, and it might be making you a little bit paranoid. Why should we be paranoid about our web browsing, Phil?

PB: 
Well primarily the reason why we are going to be paranoid is because we have an obligation to protect client confidentiality and, for instance, if we’re doing some research on behalf of a client, it would be nice to know that we are out there looking without necessarily leaving a trail.

DW: 
It’s funny how just a couple of years ago we were concerned about doing research in coffee houses because maybe people were watching our traffic, but now we realize that even if we secured it the government would have been sniffing at it as it went past anyway.

PB: 
I know a lot of the news that’s been out there about the things that the US government might be spying upon are related to emails and interception of emails, but I think it would be naïve to think that they’re not also looking at the browsing traffic that’s going on as well.

DW: 
That’s right. And it can be confusing. If you have a modern or current version of one of the major web browsers, meaning Microsoft’s Internet Explorer, Firefox from Mozilla, or Google’s Chrome, they actually have some modes that can make you think that you are browsing anonymously but you really aren’t. And the one I’m talking about is called “Incognito”. If you switch into “Incognito” mode in your web browser you are no longer leaving traces on your local computer, but you are still leaving traces out on the web for other people to find.

PB: 
So in spite of the little clever artistic impression of one of the spy-versus-spy guys that’s up in the corner of your web browser that makes it look like you have completely gone stealth, it is really just not tracking information on your computer in front of you.

DW: 
That’s right. You really need to be thinking about where you’re going and what you’re trying to do. So when you open up a web page in your web browser you are actually sending a request to a computer that has that web page sitting on it and then it sends it over the Internet to you.  When it sends that file over and any pictures that are related to it and so on, it will often track where you are coming from, the specific IP address of the computer you are on, and certainly the country and city that you are in. It will also probably know information about the type of web browser you are on, the type of computer or operating system that you are using and so on.

PB: 
Before we get into the idea of anonymous browsing, maybe it’s a good place to point out that everything that you put into your computer, for example, a password to sign on to Facebook, a password to sign on to Twitter, or even just logging into your computer, all of those passwords are resident in a file on that computer.

DW: 
That’s right, and depending on where they are stored, in Windows for example they are stored in a secured area, but in web browsers you can go into most modern web browsers, click on a button next to the password where it is saved, type something like “show me the password” and you can see it in plain text. So it is not always as secure as you might think, although it is very convenient to have them saved inside your web browser.

PB: 
So now let’s talk about the anonymous portion of web browsing as opposed to the incognito mode. One of the reasons you might want to be anonymous for example is that there is a statistic out there that suggests that if you visit the 50 most popular websites there is going to be over 3,000 tracking files installed on your computer.

DW: 
That’s right, and those are commonly known as cookies. There are lots of jokes you can make obviously about having cookies on your computer, but they are little files that are put there in some cases when you click the button that says, “remember me”, and that’s the cookie that they use to remember who you are and when you logged in so that they can give you the same kind of experience or the same setup on the website that you had when you came the first time.

PB: 
And cookies are also used for security. For instance, if you are logging into your American Express account or your banking account they are used to confirm that you are who you say you are. Even though you are putting in a password it is checking to see if you are using the same computer you have used before, things like that.

DW: 
Right and those are the cookies that you really want to use because obviously they help you to be more efficient, more productive going to websites, and getting in and out of sites. But there are also cookies being downloaded that relate to the advertisements that appear on websites or that may track what you are doing during the session when you are at a particular website. That information is then aggregated and made available to people who might be advertisers or the owners of the site that you are visiting. It is probably a lot more information than you would want to share if you were working on a client matter.

PB: 
And a lot of this information is sold to people for marketing purposes and for sales.

DW: 
Right and there has been a big pushback against having all of these cookies saved. I think many of us are now seeing the ability to opt out from being tracked on the web and to block the cookies from being downloaded. Certainly the recommendations tend to be, block whatever cookies you can so that you are not leaving this tracking profile out there.

PB: 
As we know there is going to be a future without cookies and of course the threat detection companies and the marketing companies are already thinking, “how are we going to track people without cookies?”

DW: 
That’s right. Your phone has a particular ID, your web browser, and the combination of all the factors of how you interact with a website may be enough of a fingerprint that they don’t need to leave a cookie. They can tell based on other factors or other features that identify you.

PB: 
So there are ways to browse anonymously. There are a couple of specific browsers that we are going to mention without endorsing any, but these ones are just starting to come to the forefront or at least to our notice, that enable users to anonymously browse the web. One of them would be Tor. Can you tell us a little bit about Tor?

DW: 
Sure. Tor is an acronym for The Onion Router because it has layers of anonymity, and so it is almost like a separate network where you have to connect with it using a Tor client, which is a piece of software sort of like a VPN, where you log into Tor and then you can surf through what is called the dark web. Your activity is anonymous when you want it to be, and it can also go across the public Internet or the wider Internet. An example of a client that will connect you to Tor is called Orweb.

PB: 
Is there a record anywhere of the searching that is being done?

DW: 
Well again, up until about a year ago people were pretty confident that when they were on the Onion Router, on Tor, it was pretty much secured and there wasn’t a trace of who you were or where you travelled from. You would essentially connect to Tor and pop out the other end, and that traffic was completely anonymous. But there is some concern now that some of the Tor computers may have been compromised, and so some of that tracking may still be traced.

PB: 
Another browser that is gaining some traction is called Epic, which is very similar to Tor. Again, you download it, add it to your computer, and are able to anonymously surf the web without picking up cookies and so on as you go. It also does a number of other things. It doesn’t, however, do the autofill for you that Chrome or Internet Explorer will often offer where it fills in links for you or comes up with best guesses as to the website you might have been looking for. All of those things are based on cookies in your computer or the information that is held on the website because you have been there before and it is all profiling you as you go.

DW: 
Any time that your computer offers you information that is meant to help you usually means that you are balancing your convenience with your security. So if you are finding something to be very convenient, you should also be aware that it may be compromising your security.

PB: 
I don’t know if anyone has ever done a search to find out what their Google history is, but there is a history of every site that you have been to and how many times you have been to a particular site.

DW: 
Yes, it can be challenging to get rid of it too, particularly with Google Chrome. It seems to stay there a lot longer. And you can clean your Internet history from your browser and still find some disconcerting suggestions.

PB: 
And these browsers wipe out things like that, but you also give up some features: you don’t have web extensions, spell checking, autofills, and things like that.

DW: 
Yes, and so you may want to have one of these browsers available for those times when you do research that requires that you have that depth of security and anonymity. You can use your normal web browser while taking some care like using secured or anonymous search. Then you can have the best of both worlds.

PB: 
I just wanted to mention that there are a couple of different search engines you can use to anonymize your search for particular things.

DW: 
Yes, when you use Google these days, certainly if you have logged in with a Google account, but even if you haven’t, they are now trying to make your search information inaccessible to the site where you are visiting. So in the past if you went to your web browser, went to Google and typed in, “doughnuts Tim Hortons”, and ended up going to a Tim Hortons website, the website person at Tim Hortons would know that you had typed in “doughnuts Tim Hortons”, and they would value that information. Now when you type that in and go to their site they get something that says nothing about who you are or where you came from, from the perspective of the search terms you used. They would still know where you came from, the city or town, or the computer, but they wouldn’t know how you got there or the search terms you used to get there.

PB: 
But Google would still know.

DW: 
Google would still know, so yes that is definitely an issue, and you want to be aware that that’s being stored somewhere.

PB: 
And they’d be happy to sell that information to Tim Hortons as well, to tell them how their customers found them.

DW: 
Right. The only benefit there is that they probably wouldn’t sell the information about who you are or those sorts of details. So Tim Hortons wouldn’t be in the position of being able to know that you stopped by at eight o’clock looking for doughnuts.

PB: 
That’s right, and this is almost trite to say, but it is a good idea to look through those click-through privacy agreements to find out what information is being tracked, how long it is being kept, whether it gets sold off to anyone else, or held confidential.

DW: 
The laws in the EU have changed recently, and you will see this if you go to websites in the UK and other countries in the European Union where there is actually a little puppet at the top of the screen warning you that they are starting to track and use cookies, and that has been very helpful. You don’t get that as much in North America.

PB: 
All right. And that’s our brief look at anonymous browsers. I have a suspicion we will do another podcast about this as well.

DW: 
Surf carefully, Phil.

PB: 
All right. Take care, David.

Two Factor Authentication

Two factor authentication takes a familiar concept - like your bank card and your bank PIN - and puts it in your online accounts.  It can mean that, even if your password is discovered in one of the ever-occurring online hacks, your account can still be protected.  Learn more about two factor authentication, how to use it, and what OpenID is.

Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we are going to talk about 2Factor ID and OpenID.

DW:  2Factor ID is something you are already familiar with if you use a bank card and ATM. 2Factor requires you to have two things to present to authenticate yourself as being the owner of an account. In the case of a bank, these are usually a card and a PIN. You put the card in the machine, you type the PIN into the machine, 2Factor authenticates you and you are ready to go. If you do not have one of those pieces, you cannot go forward. We are starting to see more and more 2Factor authentication available on the web and it is making it safer, in most cases, to protect your accounts if you can turn on 2Factor authentication on your online services.

PB:  Right. The reason is because passwords alone will not protect you.

DW:  Right.

PB:  After you put in your password remotely for your email system or Dropbox (if you happen to be using that) it then comes back to you and says, "Okay, that's great. We're going to send you a number or you're going to have access to another number, which you're then going to have to put in, and then we'll let you into that account."

DW:  It gets you past the issue of: Do you have strong passwords or not? A lot of people still do not have strong passwords - they are using weak passwords. But even if you are using strong passwords and password managers and all that good stuff, 2Factor authentication gives you a little bit more protection in case either that password is divulged or discovered through a brute force attack or something along those lines, or worse, what has happened to a number of people - prominent journalists - where they were socially engineered. Not the journalist or the person who owned the account themselves, but the people who worked for the customer service for the particular web service. Someone calls in and says they have lost their account, and they are able to answer enough questions based on information from the web that they are able to get past that password block by itself. 2Factor authentication would then send out a request or a notification saying, "We need this extra piece of information," and that person wouldn't have it.

PB:  Right, and a strong password is a password that has lower case and upper case letters, numbers, symbols, spaces, things like that.

DW:  That's right. No one from your family, no children's songs.

PB:  No birth dates - that sort of thing. Even a strong password is potentially vulnerable to a so-called brute force attack, where someone is just, basically, plugged into your device or your system and is letting a computer run all the permutations and combinations of passwords.

DW:  Right. 2Factor authentication is still optional in many places. I do not know any sites that are actually requiring it that are typical consumer sites, but you will see it - you can turn it on for Google and Facebook and things like that. You can get a list of people who offer 2Factor authentication at twostepauth.org. That's T W O S T E P A U T H.org, and that will give you a list of who has it and how they have implemented it.

PB:  Right. Just as an example, a lot of things that lawyers and paralegals might use, like Evernote, LinkedIn, Dropbox, Facebook, and things like that - they all have 2Factor authentication.

DW:  So how do you get two step or 2Factor authentication on the web? It is actually not that tricky, but it usually requires you to have a mobile phone. What happens is that you log in, and the mobile phone will receive a text with the second piece of information that you need to type in. Now, if you are a cheapskate like me, and I do not have a really good cell phone plan or cell phone coverage - and sometimes you just aren't in a place where you have that kind of coverage - you can have that code generated for you by downloading an app when you're on the web and then using it when you are offline. It will then generate the code that you need so that you can plug that code in, regardless of whether you have cell phone access, or in fact, your mobile phone with you.

PB:  So if you lose your mobile phone you are not lost completely.

DW:  Exactly.

PB:  You will still be able to get into all of your accounts by either getting on the web or using one of these offline tools.

DW:  Right. Their free Google authenticator works on most platforms, but you can find other ones. I think you use Authy, is it?

PB:  Authy, yes, and they are even available, as David says, across platforms. You can use them (usually the same app) for Blackberry, Android and Apple. They are quite versatile and very simple-to-use apps.

DW:  I think the use of these sorts of authentications is the next progression. We obviously had passwords in order to protect our accounts, then we went to strong passwords, which are now starting to be broken. I think the 2Factor authentication is the next step: if you are putting client files in the Cloud or emailing them, or storing them in your online email, having 2Factor authentication is a sensible extra precaution that does not cost you anything except a couple of extra minutes, maybe, as you authenticate in and out of your accounts.

PB:  And a number of these authentications will default to a paper list of codes as well. I know Gmail gives you that option - once you sign in to 2Factor authentication, it will generate a list of ten codes that you can just fold and put in your wallet and use them any time. If you do not have access to your app at the time, or you do not have access to your phone at the time, you still have a paper back-up list and can use each one of these ten codes once and be able to use your 2Factor authentication.

DW:  That's great because it is just like the bank idea, then. You have this paper thing and the password in your head, and you put them together to get access to your account.

PB:  Right.

DW:  Social login is the other part of how you can manage your accounts online. 2Factor authentication allows you to get in and out of your accounts, but sometimes you may not want to create a user name and password for every website you go to. In part, that just means more passwords for you to manage and to be aware of, but also some of the sites you are using may not be as rigorous at protecting your information - your user name and password - as you would expect. One of the ways you can get around that is to use websites that use the social log-in, often called OpenID, which is a version of the social login. Instead of creating a user name and password there, you reuse a secure and potentially, a two-step or 2Factor authentication service in order to get access to multiple websites.

PB:  OpenID has been around a long time, and usually people just kind of ignore it when it pops up. You will notice sometimes that if you are signing into a website, it will say on the side, "Hey, do you want to sign in with your Google password or your Yahoo! Password?" That is an example of OpenID.

DW:  It means that if you trust the person or the company that has that social login or that OpenID to protect your user name and password, it makes it a much easier process to then reuse it over multiple websites. Of course, if you want to, when you grant access or sign in with that user name and password typically it is logging that information in your original account. So say I log in with my Google.com account into another website. When I go back to my Google.com account it will show who I have authorized or who I have got a login with, and I can terminate that access, or terminate that connection whenever I want to.

PB:  Right, and OpenID is an open source-based software. Problems with that, or no?

DW:  Not really, so long as the provider who is providing the OpenID database is someone you would trust. The fact that the software itself is open source is not insecure, but if, I mean, I could open up Dave's Passwords N' Stuff and run my own OpenID server. I do not know that I would feel comfortable as a lawyer using someone who is so fly-by-night as David's Passwords N' Stuff. So I think if you are going to use OpenID, either use a provider like Google or someone large, or make sure you really understand who is behind the security for that OpenID account.

PB:  Right, because everyone trusts Google.

DW:  Absolutely.

PB:  I will say this: OpenID is huge. There are over 50,000 sites, apparently, that use OpenID. It is something you stumble across every day and it is almost invisible to most people.

DW:  Right. The social login, I think, has really changed how people use multiple websites. I notice it really only when the social login only asks for, say, Facebook, and I am not going to use my Facebook account to log in there, so I really only notice it when my social login is not part of the list.

PB:  Right. So that is our look at 2Factor ID authentication and OpenID. Thanks very much, David.

DW:  Thanks, Phil.

Manage Your Electronic Files

File management is critical to successful law practice.  Knowing where your client's information is stored, accessing it quickly, and being able to manage it after the matter is over and returning it to your client.  Here are some tips on how solo and small firm lawyers can manage electronic files.
Speaker Key: PB Phil Brown, DW David Whelan

PB        Hi. It's Phil Brown and I'm here with David Whelan, and today we're going to talk about file management.

DW      Hey Phil. This is obviously one of the most exciting topics we have ever discussed, but files are an important part, a physical component, of every law practice and as you are taking your files and thinking about how are you going to manage that information on your computer or on your devices, it's important to think about how you're doing it right now so that you've got the best possible processes that you can move over to your technology.

PB        So we have two different worlds; we have the physical file world, and then we have paperless or electronic file world.

DW      Right.

PB        And I guess one of the things to note to begin with is if you're an absolute mess in terms of organization with your physical files, it's going to be a great leap for you to get into the electronic world.

DW      There are really two ways that people tend to go about organizing their information in law practices. One way is to try and emulate, in their technology, the filing system they have in their office. So, for example, if you have a client folder and inside that client folder you have multiple file folders; one for pleadings and one for correspondence and so on, it's relatively easy to take that system and create a folder structure on your computer or on your device that reflects that same folder structure, so that you can go into a client folder on your computer and within that client folder there are sub-folders.

PB        One of the key things there, the key word that you mentioned, is structure.

DW      Exactly.

PB        And you have to have a very robust naming convention for all those electronic files or you may never find them again.

DW      That's a great point because if you start out with a very simple structure, say, you use the last name of client, you can very quickly get to the point where, if you get a second client with that same name and have to create a new folder, of having to go back through your system and fixing that. So the more complete your naming convention, both for the folders, as well as the documents that go in them, the better. The other approach is something that requires a little bit of flexibility. Think of a big pile of paper on your desk that has no organization at all, and some people like that on their computer too. So they'll just create a big folder and throw everything into it, and then they rely on search or some other technology in order to help them get it out. If you are the sort of person who likes to browse through folders and organise your information in that way, folders are a great way to go. If you don't browse but you're comfortable using search you can actually create a single folder with everything in it, but then you really need to focus on your naming conventions for all those files, so that when you do a search and retrieve all that information, you know what you're looking at.

PB        And one of the things related, of course, to file management is backups. It's a good idea to have some redundancy in the electronic world as well.

DW      Yes. If you've got all these folders in a particular location on your computer, it can actually make your backups much easier because now you know where all of your files are, and if you're sharing those files with other people in your office they know how to get around the same folder structure. Or, if you put it out on your network server they know how to get to the same information and also to create new files and folders in the system.

PB        Before we get into the concept of searching, one of the things I should mention is that if you're making this conversion from a physical file management system to an electronic file management system or a paperless office, one of the things you have to keep an eye on is to develop this system moving forward, and not going back and recreating and copying everything.

DW      That's a good point. I think one of the interesting things about moving your files onto technology, onto computers, is that you can start to get benefits that you can't realize with a piece of paper. So if you have a client folder, and inside that client folder you have a document that actually needs to go in multiple sub-folders, on your computer you can actually place that file in multiple locations. Now, you wouldn't actually want to place multiple copies there because if someone changed one copy that might not actually impact the other files, but what you can do is once you put a file into a sub-folder, you can create shortcuts to that file in other sub-folders. And that way, if you've organised your files in a certain way and a staff person or another lawyer comes along and wants to find information in that client folder but is thinking about it differently from how you organized it, they might still be able to find it because they can find the shortcut to the document even if that's not where the actual document exists.

PB        So one of the other things we can talk about at this point is limiting access to those files as well, electronically.

DW      When you put your files onto a system, you can change the properties of the folders and of the individual files, so that only the people that need to get access to those files are able to. In many cases you'll want to have larger access, broader access, so that you don't have to open a file or share a file every time someone needs access to it, but it allows you to really control access. If you have an issue like a Chinese wall to keep people from looking at particular content, you can use the security to help to block.

PB        And you can change security when employees leave as well.

DW      Right.

PB        So let's talk about finding these files now that you've created them and saved them in various places. Presumably you have backup copies which are off-site in case you have some sort of business interruption, but how are we going to find these files again?

DW      Well, the most obvious way is browsing, and that is really the digital version of what you're already doing. You're walking to a shelf, you're opening a folder, and then you're looking at sub-folders and the papers that are inside them. You can still do that in a digital world, but the benefit of having your content digitally is that you can now start to search for the information and not have to go and browse and try and remember how a document was filed. You can use search both on your computer and on the web to find information that you've stored.

PB        Do you need other software or can you search from the software itself?

DW      At a very basic level you can do search within your operating system - with Windows 7.  Windows search has finally gotten to the point where it's reliable enough that you can pull back information very, very quickly. With earlier versions of the Windows operating system it wasn't always that good. Windows 7 users should also make sure that they look at their Indexing Options in their Control Panel, and this is a little geeky, but Windows, when it comes out of the box, doesn't automatically index the contents of all the documents you would want to search. It often will only index the file name, so you need to go into your index options, and make sure that it is indexing the contents for all the files that you are looking for particularly if you use WordPerfect or something that is not a Microsoft file.

PB        And the Mac has a similar function with Finder and those are the built-in options. There are also some search apps that you can add to your computer.

DW      Two of the best-known ones are X1 and Copernic and they are software applications that you download and install on your local computer and they provide you powerful search options and the ability to do keyword searching and other things on your computer. There is a free version of Copernic, but that is only for personal use, so if you use Copernic make sure you're paying for the business license.

PB        Some people are storing information in the Cloud which is basically just... we've talked about this in other podcasts; servers that aren’t within your organisation. How would you search information stored in the Cloud?

DW      When you load information up to Dropbox or to Google Drive or one of these other Cloud sites they typically will have a search interface built into the website, so when you go to your Dropbox account at Dropbox.com you can do a keyword search and it will automatically search all the files that are out there. One of the interesting things about using Cloud search or Cloud storage is that even if you don't want to put all of your client files up there... say you've got a large number of transcripts related to litigation or to some other large set of text documents, you can load those into the Cloud, and then use the search in the Cloud to, very rapidly, pull back files that might take longer to look for if you're using just your operating system or a local search application.

PB        And there's a couple of different apps built specifically so that you can search all of your social media applications as well.

DW      Right. One of the best known is CueUp which used to be known as Greplin. CueUp.com and CloudMagic.com is another one, and what that allows you to do is that if you have a Dropbox account and a Twitter account and Google mail account, you can search all of those systems all at once. So the benefit of using search in addition to browsing is that you can have a way to pull back information from multiple locations without having to remember where the information was stored before you start looking for it.

PB        And you alluded a bit to tweaking Windows 7 to be able to turn on the indexing. Do you want to talk a little bit about indexing and how it works?

DW      Sure. Indexing is a shortcut for search programmes so when you type in a search it usually isn't actually looking at all of the files on your computer right then. It has built an index prior to your search, and the index is a file of information about the files that are on your computer, and that makes the search go faster. So when you do a search the search application looks at the index, finds the files that have the attributes, the keywords, or whatever you're looking for that match and then returns those matches. So the index is stored on your computer somewhere. You won't necessarily see it but it allows you to have a faster search on your computer. If you're using Cloud-based storage or Cloud-based search like CueUp or CloudMagic then that index is also stored in the Cloud, and you'll want to make sure that it is protected and secured in the same way as the actual documents are.

PB        Great. That's our quick look at file management. Thanks, David.

DW      Thanks, Phil.

Remote Access


This is a transcript of the podcast on remote access: what it is and how it works.

Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we are going to talk about remote access.

DW:  Remote access is pretty clear. What you want to do is connect to a server or a computer that is back in your office or in your home, but you want to do it remotely. So when you are at court, or when you are on the go, you want to be able to get access to it whenever you want to. In some ways we are already doing that with tools like the Cloud, where I can synchronize a file up to Dropbox or something like that and I can remotely access it through the web or by downloading it to my device, but that is not really what we mean by remote access.

PB:  One of the things we are going to be concerned about with remote access is security and how to keep that information safe between your device and your computer at home.

DW:  That's right because it is using the same internet as the Cloud, but it is a direct connection to the device that you are trying to connect to. Remote access means that you are going to somehow dial in or plug into the computer that you are going to be using. There are really two ways to do that. One of the ways is VPN, which is virtual private networking, and a second way is to use something called RDP, remote desktop protocol, or VNC, virtual network computing.

PB:  Let's talk a bit about the differences and what they mean. VPN, for instance, the virtual private network, is really just a pipeline - a private pipeline, within the public network.

DW:  That's right. It secures everything that is transmitted through that pipe, and that means that everything that you do on your device, both at the end where you start and the end where you come out of that virtual private pipe - that virtual private network - is encrypted. Some people may know that if you use a VPN to connect to another country you can connect to resources that are in that country because it makes it look like you are coming from wherever that country is. But in your case, you would be using it for your office, so you would be connecting to a virtual private network client sitting on your computer in your office, or onto virtual private network hardware that is in your office.

PB:  I guess the first question would be: Does that mean that I can go back to using public Wi-Fi in Starbucks?

DW:  I think yes, as long as the VPN is turned on before you start to transmit any information. Everything after you have connected to the Starbucks Wi-Fi - after you have agreed to whatever your terms of service are - just flip to your VPN to make sure everything is encrypted past that. The traffic is encrypted even though you are on a public WiFi. No one should be able to see what is going on inside that VPN.

PB:   One of the (disadvantages) of using VPNs and RDPs tends to be a loss in speed sometimes.

DW:  Absolutely. If you think about it, it is like having one of those really big straws for your Slurpee and then going down to, like, a coffee stirrer and still trying to slurp the Slurpee through the coffee stirrer. It is not quite that bad, but you will definitely notice that it is slower. So you will not necessarily want to use a VPN all the time for your encrypted traffic, and that may take you over to something like RDP or VNC. The difference really is that although both of them or all of these use encrypted communications, where VPN is a pipe and you are just transmitting across the encrypted pipe, RDP and VNC connect you up to a remote computer and you use that computer as if you were sitting in front of it. So I would not necessarily be using anything on my tablet if I was on RDP. What I would see is my Windows screen and I would move my mouse as if I was sitting in front of that Windows computer, and I would do things on that computer as if I was sitting there. So really it is just the activity that I am doing on that computer that is encrypted. Nothing that is going on in my laptop or my tablet is encrypted through that connection.

PB:  Right, and neither of these concepts is particularly new. They have been around for years. pcAnywhere, GoToMyPC - some of those are the more common ones that people have been using for access. There are other companies as well that do this same sort of thing as the ones I mentioned, and there is also some mention of things like personal cloud these days.

DW:  Yes, and personal cloud is really similar to VNC. What you have is a server listening for connections. In the case of VNC, or even RDP, you would set up your computer inside your office so that it would be listening for people connecting and then you would use a client. In the case of the personal cloud it is usually a specific app, but in the case of VNC or RDP, you would use a specific app that uses that technology to connect up, and then the system that is listening would accept the connection once you gave the user name and password. You would then be into whatever the system is.

PB:  Right. So you could use your computer in the office even though you are not sitting in front of it. And you could also limit access to certain files if you wanted; maybe there were ten files that you thought were not secure enough to view from outside the office.

DW:  Right. The personal cloud ones are nice because it gives you the option to not use the cloud like Dropbox, but still have access to files, folders, and other information. And again, it is different from VNC or RDP where you actually see the computer you are in front of. Personal cloud tends to be giving you file-level access to whatever those resources are.

PB:  And we talked a bit about this in another podcast when we were talking about clean computers and clean devices. There is nothing on your device other than the ability to log on with a VPN.  You are not actually storing anything on the device you are using to access your home or office computer.

DW:  Right. I use VNC within my home. I think it is really good for an internal process. Frankly, I use it because I am lazy. When one of my kids has a problem on their computer, I will VNC down to it and fix it remotely without getting off the sofa. So, you know, maybe not the best example of how to use it, but that's the way it is. I think the thing to keep in mind if you are going to a VPN or any sort of remote access technology for your law practice, is that you should probably use hardware, rather than software alternatives. Otherwise you have to open up your network connection to the internet so that it allows the listening to happen with that server that is inside your office. And if you do not know how to secure, or cannot keep up to date on the security for that network connection, then you may actually be opening up your remote access to other people accessing it.

PB:  An example of one of those software issues was Windows XP, which had a very simple setup for VPN, so the user could easily do it themselves with the software. But of course, Microsoft has stopped supporting XP, so there are a number of security vulnerabilities for people who might still be using it.

DW:  Right, and you can get VPN built into your router and built into other systems. So when you are buying hardware for your office or your home if you want to have VPN connectivity, you can get it built into that hardware. And then when the hardware is updated with new software called firmware, then security vulnerabilities that have been found will be patched and you can be pretty confident that the security is still there.

PB:  Right, and there are a number of apps out there. I mentioned Tonido, something I am not sure if it is just for Macs, but it is one of the ones I use to access my computer when I do not have it with me. I was also using something earlier this year called Cloak 2, which is an app for the iPhone - I can turn a Starbucks network into a trusted network for me, and turn it into a VPN, so every time I want to access that network, Cloak 2 says, "Oh, look - we've used this one before and I'm going to create the VPN for you now." And you can connect seamlessly through a VPN just using the app on your phone or iPad.

DW:  Yes. If you are on Windows or Linux, TightVNC is a great option, and then you can use any open source VNC client to connect to it. If you are primarily a Windows environment look for the RDP apps, which are put out by Microsoft. They are free, and I believe both iOS and Android have those. You would be amazed at how nice your Windows computer will look using RDP on an Android tablet. It really is just like being there, although on a slightly smaller screen.

PB:  So again, a safer way to use public WiFi and a good way to wander around with a clean computer.

DW:  That's right.

PB:  Okay. That's our look at remote access and VPNs and RDPs. Thanks very much, David.

DW:  Thanks, Phil.