By Greg Hluska, IT Coordinator
You’ve heard the term, perhaps wondered what it really meant and maybe even worried about it. ‘The cloud’ is just a marketing term that means the internet. So, if you see the term ‘cloud storage’, it means ‘store your documents on the internet’.
There are many benefits to using the cloud properly. If you pick the right providers, it will be easier to keep, manage and restore backups. You can also seriously expand your office – if you’re careful, you can have access to all your most important files anywhere you have an internet connection. And perhaps most helpful, some services will even handle security updates and patches for you.
Benefits aside, there are some important pitfalls to be aware of before you make any kind of cloud investment. Ultimately, transitioning to something cloud based involves getting many small details right. And, it is helpful to learn about best practices from people who have been through these types of business transitions before.
The Law Society of British Columbia developed guidelines for best practices in using the cloud back in 2012. The Prairie Law Societies adapted these guidelines into a checklist to help members use the cloud securely. Our Cloud Computing Guide contains some important information, helpful best practices and a comprehensive checklist that will help you steer clear of the most common pitfalls. It is available now in our Practice Resources section.
For the last two years, some of the best legal research and technology tips from our Legal Sourcery team have also been featured on SlawTips. Every Tuesday, Wednesday and Thursday, SlawTips features advice you can use on technology, practice and research. If you want to receive these tips directly, you can sign up with email or RSS, and you can follow @SlawTips on Twitter. Excerpts also appear each Tuesday on Slaw.ca for the week’s most recent entries.
Recent SlawTips include:
A full list of all 125 of our legal research tips so far can also be found under the ‘Tip of the Week’ category on the right hand side of our blog or by following this link. Our technology tips are listed under ‘Technology’ or can be found here.
By Ken Fox
You know what really grinds my gears? When I open a PDF file containing what appears to be digitally-formatted text and find that it is non-copyable and non-searchable. The ability to search, copy and paste text is an essential function of digital communications – so the idea that a text is born digitally and therefore ASCII (American Standard Code for Information Interchange) encoded, and that somebody wittingly or unwittingly should remove that functionality – it leads to much weeping and wailing and gnashing of teeth on my part.
Well just last week I was sent a large PDF document with more than 70 pages of text. So I opened it in Adobe Acrobat, and tried to execute a search for a key term, and found that it was (you guessed it) another one of those documents that had signs of ASCII-formatted text in its progeny, but through the manipulations of some kind of monster, been reduced to the mere semblance of text, no more searchable than a stack of paper.
So naturally I commenced with my usual process of wailing and gnashing, but after a few minutes of that I got a notion that maybe I should try something different. In near desperation, I got the idea that – just maybe – if I “select all” and paste it into a text editor then some hitherto-hidden ASCII-encoded text might appear. Worth a try, right?
So I hit control-A, and THIS happened:
“Why yes,” I said out loud, “in fact I WOULD like to run text recognition to make the text on this page accessible – THANKS for asking!”
I clicked Yes.
Then I got asked for some settings, which I ignored and just clicked OK – opting for the default option in my excitement.
Adobe Acrobat then leapt through my document, systematically performing the miracle of breathing life into the dead letters at the rate of about a page a second – slightly faster for the “born digital” main portion, and a bit slower for some appendices that bore the stigmata of pre-digital technology.
The result was perfectly copyable, pastable, searchable text in the main body of the document. As for the typewritten appendices, Acrobat almost flawlessly converted them into digital text as well, while maintaining the visual features of the original typed text. Basically, the document looked identical to how it had looked prior to the procedure but was now digitally functional. The only letters and numbers that resisted the resurrection were data from a single table with a very small typeface – those few characters remained a heretical community of graphics in the midst of a near-universal mass conversion.
Optical text recognition technology has come a long way in a few short years.
Now if you work anywhere in the legal industry (or do any kind of office work), then there is a good chance you have been able to follow right along, and to some of you, this is already old news and why am I boring you. But if there are any among you who don’t know what I’m talking about with text that can be searched and copied – you need to learn a few tricks that will make your life a whole lot easier. Begin with learning these commands, which work on almost all text-editing software:
CTL-F … Find text in document
CTL-A … Select All
CTL-X … Cut selected text
CTL-C … Copy selected text
CTL-V … Paste the last text you cut or copied
CTL-Z … Undo last operation
CTL-Y … Redo undone operation
CTL-H … Find all identified text in document and replace with other text
You can use point-and-click menus for these operations as well, but I find the keyboard shortcuts easier. These features, and many others, are now standard practice in office work – so learning them will not get you ahead so much as get you caught up with the rest of us.
And if you ever come across a text, especially a longish one, for which the above commands do not work, try to do minimal weeping & wailing and tooth-gnashing. And when you are done that, wipe the tears off your keyboard and try the simple operation described above. Failing that, try something else. And if all else fails, ask your friend in IT to perform a miracle. Because there is no reason to tolerate text in a digital file that cannot function as digital text.
By Greg Hluska
Everyone has heard the phrase “don’t reuse your password”, but that is such an abstract warning that it’s hard to understand why password reuse is such a dangerous thing. However, I know a lot about security and password reuse is honestly one of the threats that keeps me awake at night. I would like to take this opportunity to help provide a better understanding of how a password breach can occur and how criminals exploit the information obtained with a view to encouraging everyone to use best practices with their passwords, so we can all sleep a little bit better.
Despite the fact that we are all told not to reuse passwords, we are all, in the interests of short-term convenience, tempted to do exactly that. Many websites impose rather onerous password requirements. You need a password that is at least eight characters with at least one upper and lowercase letter, a number and a special character. It is hard enough to come up with and remember one password like that. It’s nearly impossible to do that for 25 different websites.
Passwords themselves aren’t even a very logical way to secure a system. Good passwords are good because they’re hard to guess, but to be hard to guess, a good password must be hard to remember. Following the best practices (set out below) for password management is hard, but it is vital to lessening the ever-growing risk. Fortunately, there are ways to make implementing best practices more manageable.
But first, let’s look at an example of a major password breach and how criminals gain access to and exploit personal information.
LinkedIn Breach – 2012/2016
LinkedIn was hacked on June 5, 2012 and cybercriminals were able to steal what was first reported as 6.5 million passwords. This leak was particularly dangerous for two reasons:
1.) Because of LinkedIn’s nature, many people use their work addresses to sign up for their LinkedIn accounts.
2.) LinkedIn used a very weak hashing algorithm to scramble their passwords so they did not appear in plaintext. They used an algorithm called SHA-1, which was deprecated by the United States National Institute of Standards and Technology (NIST) in 2011. However, SHA-1 was considered unsafe against well-funded opponents as early as 2005.
Because LinkedIn stored their passwords using a very weak hashing algorithm, the net effect was that by June 6, 2012 cybercriminals had access to millions of plain text passwords alongside work email addresses.
Then things got much worse. In 2016, the mainstream security community learned that the attack on LinkedIn was far worse than feared. Researchers discovered that criminals had actually stolen over 100 million email addresses and password combinations. A massive file of greater than 100 million email addresses and poorly hashed passwords had been available for almost four years. This was an absolute disaster from a security perspective.
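To make the storage weakness concrete, the following added example (not code from LinkedIn or from the original article) stores the same constructed accounts two ways: as a fast SHA-1 digest with no salt, and as a salted PBKDF2 record. The missing salt, the account names, the passwords, the common-password list and the iteration count are all assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data). Two users chose the same password.
ACCOUNTS = {
    "alice@example.org": "Summer2012!",
    "bob@example.org": "Summer2012!",
    "carol@example.org": "x7#Qm2-vL9pT",
}
# Constructed stand-in for a published list of commonly chosen passwords.
COMMON_PASSWORDS = ["123456", "password", "Summer2012!", "linkedin"]
PBKDF2_ITERATIONS = 600_000  # assumption: work factor picked for this example


def weak_record(password):
    """Fast hash, no salt: the same password always gives the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_record(password, salt=None):
    """Random per-user salt plus a deliberately slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_strong(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(strong_record(password, salt)[1], expected)


def exposed_by_lookup(weak_store):
    """Audit a weak store: one precomputed table of common-password digests
    reveals every account whose digest appears in it."""
    table = {weak_record(p): p for p in COMMON_PASSWORDS}
    return {user: table[d] for user, d in weak_store.items() if d in table}


def build_stores():
    """Store every sample account in both the weak and the strong format."""
    weak = {user: weak_record(pw) for user, pw in ACCOUNTS.items()}
    strong = {user: strong_record(pw) for user, pw in ACCOUNTS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("same weak digest for alice and bob:",
          weak["alice@example.org"] == weak["bob@example.org"])
    print("same strong digest for alice and bob:",
          strong["alice@example.org"][1] == strong["bob@example.org"][1])
    print("accounts exposed by table lookup:", sorted(exposed_by_lookup(weak)))
    print("correct password verifies:",
          verify_strong("x7#Qm2-vL9pT", strong["carol@example.org"]))
```

With the weak format, the two accounts that share a password share a digest, so a single table entry exposes both. With the salted, slow format every record is different and each guess has to be recomputed per account at the full work factor.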
Exploiting the Data
How would criminals respond to a breach like that? First off, they’re keenly aware that 80 percent of people reuse one password across multiple sites. Armed with a set of work email addresses and passwords, they would likely start trying to access those work email accounts with the plaintext passwords from the LinkedIn breach.
To illustrate the danger of this, let’s consider a fictitious example. John Smith is an IT Coordinator with a major national law firm. His email address is firstname.lastname@example.org. John Smith wanted to be able to network, so he set up a LinkedIn account under that email address, and he secured it with a really good password – 123+pa$$worD. Because it was a really good password, John Smith also used that password on his email account.
Then, the LinkedIn attack happened.
A criminal started off by finding the webmail login for the firm and tried to access the account using that email address and password – success. John Smith used the same password for LinkedIn that he used for his email account. That one hack, however, led to other types of equally dangerous information. You see, John Smith used email@example.com to sign up for a web hosting account, a domain registration account and for administrative access to the firm’s Office 365 subscription.
With that one breach, criminals would have complete access to the firm’s website, domains and every single email that the entire organization received. Thankfully, this is only a made-up example, but it demonstrates the power that one password can yield when it is used across multiple platforms.
How can we protect ourselves?
In general, there are a few best practices that you can employ to protect yourself from this kind of an attack.
1.) Do not reuse or duplicate your passwords across platforms. Using different passwords across platforms will ensure that if one platform is breached (be it LinkedIn or your fitness tracker) the damage will be contained to the data lost in that breach, and it will not be able to be reused to further compromise other platforms.
2.) Do you really need that account? Here is an unfortunate truth about data and data breaches. The more accounts that you sign up for, the higher the probability that one account will be breached. And, the more breaches that your data is caught up in, the higher the probability that one will yield dangerous information, like a plaintext password. Consequently, before you sign up for anything, ask yourself if you really need to sign up for that service. If the answer is no, you might be happier (and you will be significantly more secure) if you don’t sign up for it. And it will be one less password you have to remember.
3.) Use multiple email addresses. The LinkedIn breach would have been much less dangerous if people did not use their work email accounts. If you decide that you do need to sign up for a new service, ask yourself if you need to use your work email account. In some cases, yes you should. In other cases, it’s just as useful if you sign up with an alternate email account that you use for less sensitive information.
4.) Use a password manager. Critics rightly point out that password managers do not protect against every kind of attack. However, all password managers make it easy to use strong, unique passwords on every website and service that you use.
5.) Change your passwords regularly. Most organizations will force password resets every two or three months on their systems. Why not force password resets on all your accounts every two or three months? Good password managers can automate this process for you. The point of changing your passwords regularly is that if you are breached (and you will be), the probability that you will be victimized in a new breach is relatively low.
6.) Use two factor authentication for extra sensitive accounts. Two factor authentication (2FA) is a system where you will enter something you know (i.e., a password) and then receive another challenge. Most commonly, this second challenge is a temporary PIN sent to your mobile device. Other services use an app called Google Authenticator to generate a unique six-digit PIN on your mobile phone. The point of 2FA is to make it more difficult for criminals to gain access to your most sensitive accounts.
7.) Hack yourself…sort of. A security researcher and educator named Troy Hunt runs a wonderful service called “Have I Been Pwned”. The premise is simple. You can go to their website, type in an email address and find out if that email address is included in an ever-growing collection of breaches. The address is https://haveibeenpwned.com/ and I strongly encourage everyone to try it out, particularly with highly sensitive accounts.
Password reuse is such a major issue in our society because hackers can easily steal passwords from data breaches and use that information to get access to many other services. Because of this, it is important to use unique, strong passwords for every service that you sign up for. It’s hard to come up with a good password for every website that you use, creating a need for password managers, which make it easier to track your passwords and change them regularly. You can also use a second factor to authenticate for access into particularly sensitive accounts. By applying these practices and by simply being aware of the associated risks, the likelihood of a breach will not cease to exist but can be minimized by a considerable amount.
A quick scan of the Law Society CPD Past Activities webpage reveals the extent to which technology has influenced our programming in the past few years.
The use of new and innovative technologies in the practice of law has provided the opportunity for educating our members on how their time, money and resources may be better spent if they are properly informed of the technologies that exist to aid their daily operations and processes. To this end, we have utilized specialists in these matters to share their expertise with our members. These sessions have always been well attended and received as our members recognize the necessity of embracing the changes to the profession that advancements in technology will always yield.
Some examples of these activities, which are available to purchase on-demand through the CPD Recorded Versions webpage, are offered below with a brief description:
Webinar – The Use of Technology in Evidence:
Technology is an integral part of our lives and the legal profession. It has become critical to understand what technology exists, how it can be used and the value it presents in the Courtroom. Technology can be the evidence as well as the tool to present the evidence. This presentation discusses the impact of technology on evidence and how technology can be used to fulfill the role of advocate.
This webinar was presented by Loreley Berra, a Senior Crown Prosecutor with the Ministry of Justice. She has experience in prosecuting a wide variety of criminal matters and is currently the dedicated Crown for the Saskatchewan Integrated Child Exploitation Unit (ICE) in Regina. Saskatchewan ICE deals primarily with criminal offences committed with the use of electronic devices.
Webinar – Creating and Managing a Digital Practice:
Lawyers are swamped in paper. We generate and receive reams of it. We chase it, try to keep it organized, are slaved to our desks so we can access it and when it is no longer needed we store it, sometimes at pricey, downtown, lease rates. If you are tired of this drain on your resources then this is your opportunity to learn how to “kick the habit”. Not only will you learn how to actually create a paperless practice but also best practices for managing it. Who should view this webinar? Anyone who is finally tired of the daily paper-hunt.
The webinar was presented by Jeff Scott, Q.C., Practice Advisor and Colin Clackson, Q.C., Committee Member with the Electronic Office Working Group for the Law Society of Saskatchewan.
Panel Discussion on Technology and the Changing Legal Landscape:
The focus of this CPD session was technology and the changing legal landscape. We were fortunate to have a panel of esteemed lawyers from across the country who addressed the inevitability of change and the impact that technology will have on the legal profession, and more broadly, on the legal system. Fred Headon is Assistant General Counsel, Labour and Employment for Air Canada. As Chair of the Canadian Bar Association (CBA) Legal Futures Initiative, Fred discussed innovation in the practice of law and the role of technology in creating opportunities for the profession.
Karen Dyck is the Executive Director of the Manitoba Law Foundation, has been involved with various not-for-profit organizations, and is a member of the Futures Initiative Steering Committee. Karen discussed technology and the opportunities it can create from an access to justice perspective. We also heard from Dan Pinnington, President and CEO at LawPRO. Dan is a prolific writer, speaker and blogger on legal malpractice, risk management, legal technology and law practice management issues. The aim of this session was to leave attendees with a better understanding of what they and their firm will need to do to adapt to the changing legal landscape.
Recorded Seminar – Technology Academy for Saskatchewan Lawyers and Legal Professionals 2018:
Barron K. Henley is one of the most popular CPD instructors in North America and an expert on technology solutions for lawyers. Barron presented to Saskatchewan members of the bar in 2012, 2016 and in May 2018. Barron’s classes are designed by lawyers for legal professionals making them some of the most relevant training you and your staff can receive in the legal technology area.
In his 2018 program Barron took us back to basics in hopes of allowing members and their staff to fully utilize the software they work with (and pay for!) every day, with sessions titled:
• Microsoft Word Power Tips
• Using Outlook To Get Email Under Control
• A Lawyer’s Guide to PDF Files
He then switched gears to discuss that ever-present concern when considering technology for lawyers – security. His session Cyber Security – Legal Tech Security Measures Every Lawyer Should Take, provided practical measures members and their staff can take to manage their high-risk digital environments. Barron completed this seminar with a session entitled, 8 Things Hurting Your Law Firm – And How to Eliminate Them.
The flip side to any advancement in legal technology is the greater risk for security breaches. With ever increasing effort and imagination, hackers and fraudsters continue to target lawyers and law firms. Daily, phishing emails, bad cheque scams and other sophisticated frauds are being used in attempts to breach law firm systems and steal trust funds. The Law Society has been, and remains, cognizant of these very real issues. We have worked hard, with various partners, to offer CPD programming focused on how to recognize these threats and how to react to them in order to minimize the disruption to your practice.
The most recent programming offered in this area, including a description of the session, is listed below:
Webinar – “Surf the Net and Lose Your Trust Funds” – Cybercrime and Law Firms:
As the face of Claims Prevention and practicePRO at LawPRO, Ian Hu speaks, writes and blogs about practice management, claims prevention and lawyering issues. We worked with Ian in 2016 to offer a webinar designed to educate our members on:
• phishing scams, cyber criminals and malware;
• horror stories from real firms;
• the steps you need to take to secure your data and systems;
• proper use of passwords;
• technology use policies;
• responding to a cyber breach; and
• tech tips to help manage your practice.
Webinar – Common Cyber Dangers and How to Avoid Them:
In order to keep our content current, we followed up Ian’s session a year later with a presentation from Dan Pinnington, President and CEO of LawPRO. He has been teaching lawyers about technology and malpractice dangers for almost 20 years. Dan provided an overview of the most common cyber dangers and showed how you and your staff can recognize and avoid cyber scams.
Free Webinar – Cybersecurity Webinar and Training Introduction:
In April we partnered with our information technology (IT) Support provider, MicroAge, and their cybersecurity training team, KnowBe4, to offer our members a short, free introduction webinar. This webinar introduced attendees to an intuitive, IT-focused approach to cybersecurity problems and how you can teach your entire company to spot the warning signs of a cyberattack, and how to train your users with safe, simulated attacks to avoid these threats before cybercriminals target you.
[Originally published in Benchers’ Digest, Summer 2018]
By Melanie Hodges Neufeld
The Law Society of Saskatchewan is currently updating its communication processes for members and the public to better meet information needs. Thank you to those members who took the time to complete the recent survey. There were 340 responses between May 4 and 18, 2018 and we are pleased to share some of the key findings:
Approximately 90 per cent of respondents noted they receive the information they need from the Law Society.
More than 90 per cent of respondents preferred to receive time sensitive information via the weekly email updates. For more detailed information, the top preference of respondents was email (85%), with Benchers’ Digest and the Legal Sourcery blog noted as good channels to continue.
Over 40% of the respondents visit the LSS website weekly, about 33% monthly, 12% other and about 10% daily. Some members have incorporated the LSS site or library page as their home page.
More than half of the respondents note the current website meets their needs well, emphasizing the importance of keeping the information current. More than 60 per cent felt the information on the website was either very easy or extremely easy to understand; and the vast majority found it somewhat or very easy to find what they were looking for. About half of the respondents use the site’s search function.
There were several examples of areas members wanted on the home page including: latest news, calendar of events, and a series of quick links. There were also suggestions to consider improving detail related to CPD, provide an improved search function, and enhance the Find a Lawyer function, to note a few.
The most frequently visited subpages off the LSS home page for respondents were: Members’ section, continuing professional development, lawyer regulation, library, publications and information for lawyers and students. Their most common comments focused on career opportunities and Casemail, as well as some recommendations on how to improve the login process for CPD members.
In terms of desired direct links off the home page, respondents’ suggestions included: CanLII, job postings, legal research, Legal Sourcery, and additional reference to CPD programming.
Slightly more than half of the respondents would recommend the website as a reference for a friend or colleague, and noted that they typically spend about the expected amount of time finding the detail they are looking for.
While there wasn’t significant interest in the visual aspect of the website, there were areas identified for consideration for any website renewal. This included making sure the site was presented in an organized way and making sure functionality and navigability were kept as priorities. Some members referenced the importance of the visual renewal to keep the process current and not to cause search delays with overuse of visual elements.
What is being done to better meet members’ communication and information needs?
Although not all comments can be addressed immediately, this insight will help to address communication channels and improvement as well as website renewal with the new site expected to be launched later this year. As part of the website renewal, we are looking forward to:
• Providing an improved “Find A Lawyer” link;
• Delivering enhancements to the CPD area of the website for members;
• Improving our weekly email bulletins to members and beginning an archived area of this detail;
• Continuing to provide important professional information and trends through the Legal Sourcery blog;
• Scheduling the annual communication update survey of members for May 2019.
Over this year, we will also be updating our visual identity process which will include an updated logo, address numerous inconsistencies and provide for standardized print elements and templates.
All efforts align with our value of open communication and help to meet a goal of providing information in a manner that is in the preference of the user and in a most user-friendly format, whether for our members or the public. Thank you for your patience while we make these improvements. If you would like any further information throughout the process, please contact Melanie Hodges Neufeld at firstname.lastname@example.org.