Lantern Three Approved as Registered Education Provider by Project Management Institute




San Diego, CA, USA – October 01, 2015 – Lantern Three announced today that the Project Management Institute (PMI), the world’s largest project management member association, has named it as a Registered Education Provider (R.E.P.). R.E.P.s are organizations that have been approved by PMI to help project managers achieve and maintain the Project Management Professional (PMP)®, Program Management Professional (PgMP)® and other PMI professional credentials. These organizations have met PMI’s rigorous quality criteria for course content, instructor qualification, and instructional design.

Project managers are increasingly turning to R.E.P.s for certification training and credential maintenance, especially since median salaries for the profession now exceed $100,000. Through its PMOLeader initiative, Lantern Three aims to reduce the alarmingly high failure rate of projects over $1 million by developing the leadership skills of project managers (PMs). In PMOLeader’s research, PMs with leadership skills are highly correlated with successful projects, and PMs who lack leadership skills are highly correlated with projects that are late, over budget, or do not deliver the promised scope.

“In a recent CIO Magazine ranking of the top 10 project management certifications, the first two spots belong to the Project Management Institute,” said John Eisenschmidt, a Managing Member of Lantern Three. “As a PMI-certified PMP for nearly 10 years, I have seen projects deliver much greater value with a credentialed PM, but have even greater outcomes with PMs who have credentials and leadership skills. With our PM Leadership Development Program (PMLDP), we are excited to offer critical skill development to those already working to deliver projects on time and on budget.”

Lantern Three joins more than 1,500 R.E.P.s in more than 80 countries. These organizations include commercial training providers, academic institutions, and corporate training departments within corporations and government agencies.

About Lantern Three

Lantern Three is a consultancy that provides pragmatic solutions at the intersection of people, process, and technology. Since 2009, our certified professionals have successfully led dozens of projects, designed and implemented large enterprise systems, reengineered business processes, and delivered business intelligence and disaster recovery solutions. Our PMOLeader initiative is committed to cultivating leadership skills in project managers. Our principals also offer mentoring, one-on-one coaching, and a number of assessments.

Visit us on the web at,,, and on Twitter @LanternThree and @PMOLeader

About Project Management Institute (PMI)

Project Management Institute is the world’s leading not-for-profit professional membership association for the project, program and portfolio management profession. Founded in 1969, PMI delivers value for more than 2.9 million professionals working in nearly every country in the world through global advocacy, collaboration, education and research. PMI advances careers, improves organizational success and further matures the profession of project management through its globally recognized standards, certifications, resources, tools, academic research, publications, professional development courses, and networking opportunities. As part of the PMI family, Human Systems International (HSI) provides organizational assessment and benchmarking services to leading businesses and government, while and create online global communities that deliver more resources, better tools, larger networks and broader perspectives.

Visit us at, and on Twitter @PMInstitute.

# # #

Teamwork – What Does it Take?

A team is greater than the sum of its parts. As individuals our contributions are limited to a singular effort. As a team we can accomplish so much more. Teamwork requires more than technical competency.

On teams that I have led, character and temperament often matter more than technical competency. From character and temperament comes the foundation of great teams: integrity, accountability, reliability, identity, empathy, loyalty, camaraderie, compassion, and optimism. These attributes empower a team to do great things together and support them in achieving any mission or objective placed before them, not just the one defined in the moment.

If technical competency is the measure of a team’s success, then we are not doing enough on our teams: we are not striving to fulfill the goals of the organization and its mission and vision, and we are not endeavoring to achieve all that is possible and to continuously improve what we do to attain our goals.

Some may believe that all we can be is predicated on what we have already learned and experienced in life. I submit that if one limits their view of the world, and their ability to grow and succeed, to the learning and experiences of the past, that is exactly where they will end up: in the past. There are innumerable tools and skills that can be carried forward from past learning and experience. The key is to carry forward the best tools and skills, and adapt them for new challenges. As with any tool box, tools and skill sets are added as new jobs are tackled that require different tools and skills. Leadership is composed of an ever-changing set of tools and practices that build and support individual and team foundations. A progressive vision includes continually adding the best tools and best skills to our individual and collective tool boxes in order to embody the spirit of continuous improvement in service to ourselves, our customers, and our organizations.

My expectations for my project and organizational teams:

What I want to see-

  • Embody the principles and spirit of teamwork – an esprit de corps
  • Finish the project on time and within the financial constraints defined
  • Attention to detail
  • Own what’s yours
  • If you are responsible, provide due diligence and take initiative
  • If you are not responsible, take the initiative if you have a suggestion for a better way, see a potential problem or material weakness, etc.
  • Direct positive communication, resolution of issues in a professional and adult manner – this is non-negotiable. Find your voice.
  • Respect for your coworkers
  • Timely & detailed response
  • Be in service to others
  • Pay attention, and give them what they ask for
  • Anticipate their needs and be proactive
  • Celebrate the success of your coworkers and help those who need it
  • Learn from this experience and all subsequent ones
  • Learn the technical aspects
  • Learn how to work together and value your co-workers’ contributions
  • Learn how to embrace continuous learning and continuous improvement
  • I expect authenticity and realize that we do not check our emotions at the door when we come to work. At the same time, I expect each member of our teams to behave professionally with each other and our customers.

What I don’t want to see-

  • Making excuses and counterproductive questioning, which undermines the project and you. They do not go unnoticed and these behaviors are not acceptable.
  • Treating other coworkers with disrespect, verbal or in writing.
  • If you are determining your value on technical competency alone, then you had better make sure your level of expertise is compliant with industry standards and best practices and is top notch.
  • Hiding behind email, solitary confinement, and silence.
  • Unprofessional behavior such as gossip, whining, beefing, stewing, getting upset, inability to control your emotions, negativity, relying on others to get your work done, or using others to undermine what we do as a team is unacceptable

To that end, effort, energy, and optimism mean a lot to my teams. The relationships you have with each other, and that a leader has with each member of a team, are predicated on these foundational aspects. We all have the capability to embody that effort, energy, and most importantly optimism. I have seen it in every member of my organizational and project teams. It’s now up to each of you individually to ensure that your teams work as a TEAM.

Protect Yourself: Half of Americans Hacked this Year!

This morning, CNN Money reported research from the Ponemon Institute that in the last 12 months, hackers accessed the personal information of 110 million Americans.

Half of Americans hacked — in the last 12 months — up to 432 million accounts compromised!!

How can you protect yourself?

Begin by:

Be diligent in protecting your online identity to ensure your peace of mind, and digital reputation.

Benchmarking my Verizon iPhone 5 on AT&T


AT&T and Verizon are the two largest wireless providers in the US, and their respective marketing focuses on differentiation.

Apple’s iPhone 4s was its first handset built to work on all US carriers, supporting CDMA (Verizon, Sprint) and GSM (AT&T, T-Mobile). In the US, customers typically “buy” phones with 2-year contracts: the wireless carrier subsidizes the cost of the phone (e.g. $649 unlocked vs. $199 carrier-locked) and charges an early termination fee if the customer does not fulfill their 2-year commitment.


My Story

I purchased my iPhone 5 unlocked, but currently use Verizon Wireless. I divorced AT&T over issues providing coverage to my iPhone 3GS and iPhone 4, and wanted to share my brief reconsideration of their network — which, I admit, is an apples vs. oranges comparison (no pun intended). Others have written more detailed analyses of the technologies, the transition, and how to switch SIM cards, so I won’t repeat that.

This week, Verizon announced a faster Long-Term Evolution (LTE) network, called XLTE. While both AT&T and Verizon support LTE, they use different frequencies; a Verizon iPhone that supports LTE will not work on AT&T’s LTE network, but will work on AT&T’s HSPA+ network.

My Verizon iPhone 5 has and uses a SIM card; when it is installed, my Settings -> About looks like this:


Using the Speedtest app for iOS at my home in San Diego, I got the following results:


35 ms ping, 14.06 Mbps download, 4.27 Mbps upload — pretty respectable.

How does one test a Verizon iPhone 5 on AT&T? I went to a corporate AT&T store, and purchased a prepaid SIM with 1 month of unlimited voice, text, and 2.5GB of data for $60. A Verizon iPhone with an AT&T SIM card:




So despite naming it “Verizon iPhone”, my iPhone 5 is using the AT&T HSPA+ 4G network, and the latest baseband firmware. When I first purchased the SIM card, I ran a quick Speedtest from the parking lot:


117 ms ping time, 6.66 Mbps download, 1.08 Mbps upload. I tried again a few minutes after running the Verizon Speedtest above, and here were my results:


97 ms ping time, 9.02 Mbps download, 1.18 Mbps upload. Better, but not great.


This is a very unscientific test, not intended to compare AT&T’s and Verizon’s networks overall, but to compare the experience of using an unlocked Verizon iPhone 5 on the AT&T network. Given the changes in both carriers’ family plan pricing, we briefly considered keeping our phones but switching carriers. Even if there is a slight cost savings, I’ll gladly pay more for 1/3 the latency, 2x the download speed, and 4x the upload speed.

OmniFocus 2 Public Beta



The Omni Group is running a free public beta of their productivity software, OmniFocus 2:


Not for the faint of heart! These unstable and untested builds are snapshots of our development, updated every few hours. This means that you might actually be the first person to try a particular build and discover that it eats your system. (We hope that doesn’t happen, of course, but since we won’t have tested the app before giving you access we can’t make any guarantees.)


If you’d like to join us on the bleeding edge of our development process, please select a download from below. If you’d prefer to work with something a little less risky, grab the latest stable release from our main site.


We recommend always using the latest build, but if you experience Major Issues you can come back here and download another recent version.


The OmniFocus 2 Public Beta is incredibly well-run, with precise communication and transparency. It’s a great opportunity to try out this product for free. But please tell us: who is the weirdo that wrote the video script?


“If it’s a place – nearby has a map – to show you which your location contexts are close to you – so you can finally pick up that bow-tie – you’ve been meaning to get – for your cat.”


Update 22-May-2014: OmniFocus 2 was released today (early!), here’s a great review of the history, previous beta, and how the product came out:

Protecting Data

The Case for Protecting Data

Previously, I discussed the importance of protecting your digital identity, and offered some best practices to follow.

Protecting your digital identity (the keys to the safe) is important, but it is equally important to protect the data itself (the contents of the safe), especially since you can render that data unreadable if it is lost or stolen.

Financial Exposure

Security software maker Symantec commissioned a study to estimate the cost of data breaches. The research was conducted independently by the Ponemon Institute, and surveyed 277 global companies. They estimated that data breaches in the US during 2013 cost an average of $188 per record!

Benchmark research sponsored by Symantec, Independently Conducted by Ponemon Institute

Using the 2010 hacking of Ohio State University as an example: a hacker stole the personal information of 760,000 current and former faculty, students, and applicants. At the time, OSU estimated the cost at $4 million, or $5.26 per record. Whether the OSU example is the low end of the range or the Symantec study the high end, the fact is that lost data carries a high dollar cost and a high reputation cost.

Keep your Job

Lose data? Lose your job. Just a few examples of Information Technology leaders who resigned or were fired following data breaches:

Stay out of Jail

Provisions in HIPAA — the Health Insurance Privacy and Accountability Act — make it illegal to share patient information. The first known prosecution was reported in February of 2012. In the event that someone storing patient information (e.g. an insurance company) wants to share data with someone (e.g. a wellness program management company for those insured), a business associate agreement (BAA) must be signed between the two companies that clarifies what data will be shared and how it will be protected. In the event of a data breach, the signers of the agreement are subject to federal criminal charges in the United States.

Peace of Mind

The examples above were all in a work context, and involved multiple actors. But what about you? Do you have a spreadsheet on your home computer with the personal information of your partner and children? How about with all of your bank account information? What if a hacker lifted that off of your computer while you were sleeping, and undid years of planning and sacrifice in moments? With a modest amount of time and education, you can leverage some amazing tools and technologies to protect yourself to the best of your ability, and drastically reduce your personal risk of lost data.

The Three States of Data

Electronic information can exist in three separate states, just as water’s state can be changed to ice or steam:

Data In Use

This is data you are currently working on, for example Word documents, Excel spreadsheets, or a photo you are editing. This includes both files on a disk drive, and their representation in the computer’s memory.

Data In Transit

Simply put: information moving between two places. If you email someone an Excel workbook, that is an example of data in transit. Filling out a form on a website and pushing ‘submit’ is another example.

Data At Rest

When data is not being used or moved, it is considered to be at rest. This is your Excel workbook sleeping soundly on your home computer. It might also be a backup tape containing a database, which could contain customers, patients, partners, or taxpayers.

Technologies and Practices to Protect Data

Even smart technologists can make dumb mistakes using great tools. Understanding how to protect data in all three states, and following a few best practices, can drastically improve security.

The examples are not intended to be exhaustive, but a starting point as you investigate categories of tools and technologies.

Transport Encryption

Transport encryption is designed to protect data in transit, as it moves between systems, by making the information unreadable to any nosy third parties (foreign or domestic). Many tools are preloaded on computers and mobile devices, like support for the SSL/TLS protocol which secures our web browsers. Most websites (HTTP) work by sending plain text over the Internet to your browser, which reads the information sent and renders it to look as it was intended. When no encryption is used, everything is sent as clear text, and every single system between the source and destination can read the contents. If you are ever given the option to use SSL/TLS, always say yes. Even in the face of a bug like Heartbleed, transport encryption with a gaping security hole is better than no transport encryption at all. The overhead of using secure transport like SSL is so nominal in 2014 that there is absolutely no reason to opt out. On the projects that I manage, I require systems with any meaningful information — sensitive or not — to require SSL for all communication. Since the Heartbleed bug was discovered, Google has required HTTPS to use GMail.

Secure File Transfer

Just as HTTP (hypertext transfer protocol) sends information between systems in plain text, so too do FTP (file transfer protocol) and Telnet (remote terminal session). In 2000, when people would say, “we’ll exchange data with the bank over FTP”, cold chills would run down my spine. In 2014, when people talk about sending files over FTP, or using Telnet, I want to take their computer away from them, replace it with an Etch-a-Sketch, and ban them from ever using one. FTP and Telnet are the most irresponsible technology decision you could ever make. There is no excuse for them, and no practical application for them. For more than 15 years, operating systems have shipped with comparable tools that support encrypted communication, with absolutely no learning curve compared to their insecure cousins:

  • Secure Shell (SSH) is a secure replacement for Telnet. Unless you are a systems administrator using Telnet to test if a server is listening on a particular port, you have no reason to ever, ever, ever use that command.
  • Secure Copy (SCP) and Secure FTP (SFTP) encrypt the communication between systems as files are exchanged, ensuring the contents cannot be read by a third party.

The overhead incurred by using the secure version of each tool is nearly zero, and should not factor into your decision. Stop using Telnet and FTP. Stop saying Telnet and FTP — it’s the equivalent of yelling “mug me” in Times Square, even if you’re talking to yourself.

File and Disk Encryption

File and disk encryption are designed to protect data in use and data at rest. If you lose custody of your file or disk (e.g. your transport encryption was hacked, or your laptop was stolen), this ensures that whoever has your data cannot read it.

File Encryption

PGP (Pretty Good Privacy) is just one popular tool used to encrypt and decrypt files. Exporting sensitive information from a system of record (e.g. patient information) into something like MS Excel is so egregious that you should be banned from ever using a computer again. That is a very common way in which data breaches happen. If you absolutely must keep sensitive information in a text file or Excel workbook, it should be encrypted to ensure it is unreadable if you lose it (or a copy of it). Find a tool you like, learn it, and use it. Chances are there is at least one such tool on your computer.

Whole Disk Encryption

Encrypt your entire hard drive, making the contents unreadable unless you log in and unlock it:

If you have a recent Apple or Windows laptop, I strongly recommend enabling whole disk encryption (WDE). If the IT folks in Washington State had enabled WDE, they would not be embarrassed to read on Consumerist that they sold laptops with personal information on them!

Transparent Data Encryption

When relational database engines like Oracle, SQL Server, and MySQL are shut down, the contents of those databases are stored on the server’s hard drive as a flat file. While there are some basic security counter-measures in place, a skilled DBA can easily crack those open and access the contents of the database.

Transparent Data Encryption (TDE) encrypts database and transaction log files in the background. When the database is shut down, the contents are unreadable and inaccessible, even when backed up to tape. In the event that a backup tape of your database is lost or stolen, your data cannot be read or recovered by anyone.

Both Oracle and Microsoft include tools that support TDE, and third-parties like Gazzang zNcrypt add TDE support for MySQL.

Data Backups

It’s one thing to have a recent backup of your computer, but where do you keep it, and is it encrypted or not?

Do you have recent backups?

When is the last time you backed up your mobile devices and computers? When is the last time you tested your backups to ensure they were readable and recoverable?

Where are your backups kept?

Ideally, one keeps a backup onsite in a fireproof safe, and one offsite. This could be two external hard drives, under $100 each, that you rotate between a small home fire safe and a safe deposit box at your bank.

Are your backups encrypted at rest?

Misplaced and stolen server backups are one of the greatest causes of identity theft. For businesses and individuals, it is important to use whole disk encryption on your backup drives, and transparent data encryption for your database backups, rendering them unreadable to whoever finds them.


The only thing worse than losing your data is discovering someone else has your data. Educate yourself on the merits of data protection, and the cost of ignoring those risks. There are numerous free and commercial tools to protect your data while in use, in transit, and at rest. Follow good data protection practices to minimize the chance of losing data, and potentially losing your job or going to jail.

Webinar: Leading Virtual Project Teams | 30-APR-2014 | 2:00pm Eastern

Shawn and John were invited to host a webinar for the Project Management Institute’s Leadership in PM Community of Practice. We will present Leading Virtual Project Teams: Research and Technology on Wednesday, April 30, 2014 at 2pm Eastern:

Webinar Overview

There are inherent challenges with leading virtual teams such as time, distance, and technology. Culture, trust, and leadership create the environment for virtual teams to collaborate and be successful. However, bridging cultural differences, building trust, and accommodating different learning and leadership styles are all aspects of virtual teaming that can result in differing outcomes.

In this webinar, we will explore:

  • the academic research about leading virtual teams,
  • the challenges of effectively leading virtual teams, and
  • how technology and tools can bridge communication and relational gaps, as well as foster trust among virtual teams

Don’t be left out! Space is limited. PMI members may Register Now.

What time is 30-April 02:00 PM EDT in my city? Click here.

Constant Contact’s Disaster Recovery Plan

The principals at Lantern Three have been collaborating on a newsletter for the past month. Our intention was to send it out this morning, but instead I discovered Constant Contact was down (incidentally, a terrible 404 page — this is where fail whales and exploding robots pay off in spades):


Shortly after 10am Pacific, it appeared their marketing website, applications, and APIs were down; I skimmed their whois record:


Then I notified their admin email (which, in their shoes, I would appreciate):


I never received a reply, which I understand. As it turned out, their website and services were crippled by a car that crashed into a power pole near their data center. This email marketing firehose — née spam cannon — costs its customers no less than $15/month!



The outage continued throughout the day, well into the evening:


Until Constant Contact announced a partial service restoration at 11:15pm Eastern. They indicated email delivery capabilities would be down for another hour — on Twitter and their blog:


As a customer, Project Manager, and career IT professional, I appreciate the regular updates through their blog and Twitter, but I don’t think it was sufficient. Constant Contact should have tested that redundant systems failed over properly, and drilled their DR plan to ensure they could quickly recover in just such an event. They owe their customers a full root-cause failure analysis, delivered publicly within 30 days. They should also consider a pro-rated refund of April service charges to each subscriber.


Learn from Constant Contact’s oversight

  • Have a disaster recovery plan that covers the spectrum from neutron bomb to car vs. power pole
  • Update your disaster recovery plan no less than quarterly
  • Drill your disaster recovery plan no less than once a year
  • If you do drop the ball, keep your customers up to date and resolve to their satisfaction


Constant Contact updated their blog with additional details on the outage:

UPDATE: 4/19/2014 at 5:32 p.m. EDT – Friday morning around 10:32 am ET, our primary service site experienced a major power disruption. Many of the redundant systems that should have kicked in immediately failed to do so. We do not yet know why but are working with our data center provider to get to the bottom of this. The power outage caused our systems, as well as the systems of other companies hosted at the site, to shut down.  Based on having 90 minutes of unstable power and the abruptness of the way our systems shut down, we had to completely restart all systems. We did this to ensure the integrity of our customers’ data, and because methodically restarting all applications was the best way to make sure we got everything running in a safe and stable way. We were able to restore our website first. The additional work of shutting down all other applications, restarting them, and verifying their status took us until 1 am Saturday morning. At all times, your account information and data was fully secure. We are actively working with the data center facility to learn what went wrong and plan a full assessment of our own systems to ensure that this does not happen again. We anticipate having more information in the coming days to share with you. We appreciate your patience.

Two Factor Authentication in 2014

Way back in January of 2011, I wrote a blog post evangelizing Two-factor authentication with Google Apps. At that time, what passed for two factor authentication (2FA) primarily involved RSA SecurID fobs, which made it impractical for all but large scale or well funded applications. Google was one of the first companies to add 2FA support to their security infrastructure by using SMS — the protocol used for text messages on mobile phones — greatly increasing security at a very small cost and inconvenience.

What is Two Factor Authentication?

2FA is a subset of multi-factor authentication (MFA). From Wikipedia:

Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inherence factor (“something only the user is”).


Three ways to prove who you are to a system:

  1. Something you know (e.g. a password)
  2. Something you have (e.g. an RSA SecurID, a text message sent to your mobile phone)
  3. Something you are (e.g. a biometric factor like a fingerprint or retina scan)

Typical implementations of 2FA involve something you know, and something you have.

Why is Two Factor Authentication Important?

Passwords need to be easy enough to remember, hard enough not to guess

Humans are not great at creating passwords that do both of these well. If you believe you are the exception, I invite you to try out zxcvbn, a realistic password strength estimator.

According to zxcvbn, my 1337 password h@rdT0GUe$s! would only take 4 hours to crack.

Gizmodo began 2014 by sharing the 25 Most Common Passwords people use, which frankly are embarrassing.

I strongly recommend a tool like 1Password to help you create and manage strong passwords across your computers, tablets, and mobile phones.

Passwords move between systems across the Internet; systems are susceptible to exploits

Your password is a key to open a far away door. The forest along the road between you and this door is filled with robber barons (blackhat hackers) who want to take your key, make a copy, and put it back in your pocket before you ever notice. There have been several significant security exploits in the first quarter of 2014:

gotofail – 22/FEB/2014

gotofail was a nasty bug in Apple’s implementation of the SSL client-side libraries. It permitted a server to present another’s secure credentials as its own, and the Safari web browser on Mac computers, iPhones, and iPads would allow this even if the check proved the certificate was a forgery.

Heartbleed – 07/APR/2014


The open source library OpenSSL enables systems to communicate securely over the Internet using the SSL/TLS protocol. A recently discovered exploit in OpenSSL, called Heartbleed, could potentially allow a hacker to read the server’s private encryption key, which would allow them to monitor your communications encrypted over HTTPS. Mashable shared a list of popular sites, which of them were affected by Heartbleed, and whether you need to change your password.
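The missing check behind Heartbleed, as an added example that is not from the original post or from OpenSSL: a simulated heartbeat responder modelled on the RFC 6520 message format, showing the unchecked behaviour beside the version that validates the declared length. The "adjacent memory" bytes and the malformed message are constructed for the demonstration.

```python
"""
A TLS heartbeat message (RFC 6520) is: 1-byte type, 2-byte big-endian
payload_length, payload_length bytes of payload, then at least 16 bytes of
padding.  Heartbleed: the responder echoed payload_length bytes as declared
by the sender without confirming that many bytes had actually arrived, so
the copy ran past the message into whatever the process held next to it.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3       # type (1) + payload_length (2)
MIN_PADDING = 16     # RFC 6520 minimum padding


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request.  `declared_length` overrides the true
    payload size so a test can construct a malformed message."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(received: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-fix behaviour, simulated: copy payload_length bytes from just after
    the header, trusting the sender's length field.  `adjacent_memory` stands
    in for whatever happened to sit after the receive buffer in the process."""
    _type, payload_length = struct.unpack("!BH", received[:HEADER_LEN])
    memory = received + adjacent_memory           # what an over-long copy can reach
    echoed = memory[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def respond_checked(received: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Fixed behaviour: the declared payload, plus header and minimum padding,
    must fit inside the bytes actually received; otherwise the message is
    silently discarded, as RFC 6520 section 4 requires."""
    if len(received) < HEADER_LEN:
        return None
    _type, payload_length = struct.unpack("!BH", received[:HEADER_LEN])
    if HEADER_LEN + payload_length + MIN_PADDING > len(received):
        return None
    echoed = received[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def leaked_bytes(response: bytes, declared_length: int, real_payload: bytes) -> bytes:
    """The part of an echoed response that did not come from the real payload."""
    echoed = response[HEADER_LEN:HEADER_LEN + declared_length]
    return echoed[len(real_payload):]


if __name__ == "__main__":
    secret_neighbour = b"PRIVATE-KEY-MATERIAL (constructed)"   # constructed, not a real key
    honest = build_heartbeat(b"hello")
    lying = build_heartbeat(b"hello", declared_length=40)      # claims 40, sends 5
    print(respond_checked(honest, secret_neighbour)[HEADER_LEN:HEADER_LEN + 5])  # b'hello'
    print(leaked_bytes(respond_unchecked(lying, secret_neighbour), 40, b"hello"))
    print(respond_checked(lying, secret_neighbour))             # None: discarded
```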

The community response to Heartbleed has been mixed. The Electronic Frontier Foundation shared a guide for system administrators on how to recover from Heartbleed that further discusses changing passwords. Veracode’s blog included an insightful post: Heartbleed and the Curse of Third-Party Code. The lead developer of the security-centric OpenBSD, Theo de Raadt, asserted that OpenSSL is not developed by a responsible team. The Association for Computing Machinery (ACM) posted a referendum: Please Put OpenSSL Out of Its Misery.

Vulnerability in BlackBerry® 10 Smartphones – 08/APR/2014

I would make the “who still uses a BlackBerry” joke, but T-Mobile already went there, and my former client NantHealth just announced a partnership with BlackBerry to develop niche devices for health care.

It’s not branded like gotofail or Heartbleed, but RIM announced a Vulnerability in qconnDoor service affects BlackBerry 10 smartphones (bold is my emphasis):

A stack-based buffer overflow vulnerability exists in the qconnDoor service supplied with affected versions of BlackBerry 10 OS. The qconnDoor service is used by BlackBerry 10 OS to provide developer access, such as shell and remote debugging capabilities, to the smartphone.

Successful exploitation of this vulnerability could potentially result in an attacker terminating the qconnDoor service running on a user’s BlackBerry smartphone. In addition, the attacker could potentially execute code on the user’s BlackBerry smartphone with the privileges of the root user (superuser).

An attacker can exploit this vulnerability in the following ways:

Over Wi-Fi
In order to exploit this vulnerability, an attacker must send a specially crafted message to the qconnDoor service on a smartphone located on the same Wi-Fi network. The smartphone user must have also enabled development mode on the smartphone before an attack.

Over USB
In order to exploit this vulnerability, an attacker must gain physical access to a smartphone and then send a specially crafted message to the qconnDoor service over USB.

Even if a hacker takes your password (what you know), they don’t possess your second factor (what you have).

What Websites Support 2FA in 2014? provides an exhaustive list of sites, grouped by category, and whether they currently support 2FA or are working on it. They provide a button to help visitors easily encourage the addition of 2FA support, or to thank the developers of a site that is already working to support it.

Three Years Later, how is Google’s Two Factor Authentication?

I’m proud to report that since I enabled 2FA on my Google Apps account: I have never disabled it, and I have taken advantage of additional safeguards that Google has added during that time:

Expanded 2FA Support for Free Google Apps and GMail Users

When Google first rolled out their 2-Step Verification, it only supported paid Google Apps for Domains accounts. They have since expanded support to free Google Apps accounts and GMail users, making it universally available to their users. I am happy to report the functionality is identical for paid and free GMail accounts.

Support for Additional Second-Factors

Initially only SMS was supported, but now Google users can be verified with a phone call or with the Google Authenticator App, a free alternative to an RSA SecurID token that also works on planes, where you cannot receive text messages or phone calls. The configuration screens have become much easier to interact with.


What if I lose my phone?

Google will try your backup authentication factors, but in my example both are my phone (the Google Authenticator App, and an SMS message). If I need to access my account before I can replace my phone, I can download a set of predefined codes to tide me over.

What are App Specific Passwords?

Many applications that access your Google Account are unaware that you enabled 2FA; for those, you can easily create an Application Specific Password. I use Application Specific Passwords for the Mail accounts on my iPhone and iPad, and for my instant messaging client, Adium. You can easily see which Apps you have created passwords for, and revoke any that should no longer have access to your account.

Registered Computers

Once you authenticate, Google asks if you want it to remember this device for 30 days. A great new feature since introduction is the ability to forget those computers you asked Google to remember.
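Application Specific Passwords and remembered computers solve the same design problem: a credential that is weaker than your password plus second factor, but scoped narrowly and revocable on its own. The following is an added example of my own, not Google’s implementation, showing one way a site can model both. The 16-lowercase-letter format, the PBKDF2 parameters, and the cookie layout are my assumptions; the 30-day lifetime is the one the post describes.

```python
import hashlib
import hmac
import secrets
import string
import time
from typing import Dict, List, Optional, Tuple

LETTERS = string.ascii_lowercase
ITERATIONS = 100_000                       # PBKDF2 work factor (assumed)
REMEMBER_SECONDS = 30 * 24 * 3600          # the 30-day window the post describes


def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ITERATIONS)


class AccountSecurity:
    """Per-application passwords and remembered devices for one account.
    Both are stored only as salted hashes and can be revoked one at a time."""

    def __init__(self) -> None:
        self._app_passwords: Dict[str, Tuple[bytes, bytes]] = {}          # app -> (salt, hash)
        self._devices: Dict[str, Tuple[bytes, bytes, float]] = {}        # id -> (salt, hash, expires)

    # --- application-specific passwords ----------------------------------
    def issue_app_password(self, app: str) -> str:
        """Generate a 16-letter password bound to one application; shown once."""
        password = "".join(secrets.choice(LETTERS) for _ in range(16))
        salt = secrets.token_bytes(16)
        self._app_passwords[app] = (salt, _hash(password, salt))
        return password

    def check_app_password(self, app: str, password: str) -> bool:
        entry = self._app_passwords.get(app)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(_hash(password, salt), stored)

    def revoke_app_password(self, app: str) -> None:
        """Cutting off one app leaves every other app's password working."""
        self._app_passwords.pop(app, None)

    def list_apps(self) -> List[str]:
        return sorted(self._app_passwords)

    # --- remembered devices -----------------------------------------------
    def remember_device(self, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (device_id, token) for the browser to keep in a cookie."""
        now = time.time() if now is None else now
        device_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._devices[device_id] = (salt, _hash(token, salt), now + REMEMBER_SECONDS)
        return device_id, token

    def device_trusted(self, device_id: str, token: str, now: Optional[float] = None) -> bool:
        """True only for an unexpired device whose token matches; expired entries are dropped."""
        now = time.time() if now is None else now
        entry = self._devices.get(device_id)
        if entry is None:
            return False
        salt, stored, expires = entry
        if now >= expires:
            self._devices.pop(device_id)      # stale: require the second factor again
            return False
        return hmac.compare_digest(_hash(token, salt), stored)

    def forget_device(self, device_id: str) -> None:
        self._devices.pop(device_id, None)

    def forget_all_devices(self) -> None:
        self._devices.clear()
```

The point of hashing the per-app passwords and device tokens is that they are bearer secrets: whoever holds one can use it, so the server should be able to check them without being able to reproduce them.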

Security is everyone’s problem, not just the security conscious. Following best practices to protect your digital identity will reduce the risk that your accounts fall into the wrong hands.

Use Strong Passwords that Humans can’t possibly remember

One huge step toward protecting yourself from digital muggers is to take responsibility for using a different, strong password on every system you log in to (not just one password “for the banks and credit cards”). There are tools and password safes that can help you generate strong passwords and keep track of them in a secure manner. If your password is misappropriated, the potential damage to you is contained.
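This is what “strong passwords humans can’t possibly remember” looks like when a tool generates them. The block below is an added example of my own, not code from any password safe: it draws from the operating system’s cryptographic random source, measures the entropy of what it produces, and audits a credential list for the password reuse that turns one breach into several. The short word list and the 80-bit threshold are constructed for the example; a real passphrase generator would use a published list such as the EFF long list of 7,776 words.

```python
import math
import secrets
import string

# Constructed word list for the example (a real generator uses thousands of words).
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
         "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble"]

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 86 characters


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random characters from the alphabet, drawn from the OS CSPRNG
    via the secrets module (never random.random(), which is predictable)."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("length and alphabet must allow more than one outcome")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word chosen uniformly from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of 'picks' independent uniform selections among 'choices' items."""
    return picks * math.log2(choices)


def strong_enough(bits: float, threshold: float = 80.0) -> bool:
    """Assumed policy: at least 80 bits for a password that has to survive offline guessing."""
    return bits >= threshold


def audit_reuse(credentials: dict) -> list:
    """Return the sites that share a password with another site, sorted;
    a breach of any one of them exposes the rest."""
    by_password = {}
    for site, password in credentials.items():
        by_password.setdefault(password, []).append(site)
    return sorted(site for sites in by_password.values() if len(sites) > 1 for site in sites)
```

The entropy numbers are the useful part: twenty characters from this 86-symbol alphabet carry about 128 bits, six words from the small list above only 24 bits, and six words from a 7,776-word list about 77 bits, which is why a generator picks a length or a word count to hit a target rather than leaving it to taste.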

Enable Multiple Factors of Authentication

If a system you use supports 2FA, enable it. It is much, much more difficult to clone something you have (e.g. your phone) than something you know, like your password. This includes email providers like Google, social networks like Facebook (after all, how many websites have you used your Facebook account to authenticate with?) and Twitter, and banks like Bank of America and Chase.

Have a Disaster Plan

Hacking is a reality of the digital age that we all live in, and even luddites cannot hide from it. Invest the time to ensure your digital identity is as secure as you can make it, and have a plan in case it suddenly isn’t.

Do you have a list of all the systems you sign-in to? Just the critical ones?

I don’t recommend a piece of paper with every website and password on it, because losing it hands over the keys to the castle. I do recommend keeping a list of important sites you access, even if it’s a backup copy of your web browser bookmarks. For the most critical sites, ensure you know where to find their contact information just in case.

Do you have a list with your banking information (e.g. credit cards and their phone numbers)?

This might be a photocopy of the front and back of every card in your wallet, or something far more sophisticated. If one of your accounts is compromised, and it has the ability to transact on your behalf (e.g. Amazon, Paypal, your bank account website), you may need to act quickly to mitigate your risk.

Wikihow’s How to Report a Stolen Social Security Card is a great step-by-step guide to follow in potential identity theft situations.

Be Prepared to Change your Passwords and any Cryptographic Keys

If someone stole a copy of your house key, you’d re-key your locks. Have the same standard when a breach (or potential breach) occurs.

Enemy At The Gates: The Corporate Psychopath and Delusional Leadership

In Steve Jobs, Walter Isaacson relates Jobs’s penchant for distorting reality, calling it the reality distortion field. I call it delusional leadership. Steve Jobs created a powerhouse company, and a lot of collateral damage along the way.

I have seen leaders distort the reality of an event, outcome or situation. The impact this has on satisfaction, motivation, engagement, individual self-efficacy and a host of other factors of individual and organizational success is significant.

Leaders who operate from a delusional state could be considered psychopaths, Machiavellian or narcissistic. In the book Snakes In Suits, Paul Babiak and Robert Hare refer to this as the dark triad of subclinical psychopathy, discuss the differences, and note that psychopaths are at the mean end of the spectrum. The methods of the corporate psychopath make it difficult at times to assess the difference between the ordinary use of power and influence by leaders, and the psychotic underpinnings of manipulation and exploitation used by corporate psychopaths.

One key ingredient of leadership lacking in psychopaths is empathy. They have a total lack of empathy and are cold-hearted, but could make you think otherwise. Impression management is one way leaders manage their persona, and corporate psychopaths use impression management to ingratiate themselves with those they believe can help them. The stories of the corporate psychopath are designed to manipulate others to their own end. Delusional leaders use a distortion of reality, a historical reallocation of facts, and the telling of the distorted story to others to validate their distorted reality.

I have observed leaders create a detailed story that builds their identity around other people’s work, or a delusional perception of the history around an event or outcome. The validation of their reality is achieved by conning bystanders who may have group influence with a story that is patently false, or at a minimum distorted, thus making the distorted reality “real”.

The impact this has on those involved can create a culture of mistrust along with feelings of helplessness, resentment and resignation.

How do you manage delusional leaders? It is a challenging prospect since there is a significant amount of organizational trauma that can occur and much of the mechanics of delusional leadership relies on subtly changing perceptions. From my experience, what usually worked for me: authenticity, mindfulness, a support system, and integrity. These will eventually realign reality and shift perceptions. Crafting your own stories and producing an identity consistent with the positive end of the authenticity spectrum will help blunt delusional leadership.