How to keep your ISP’s nose out of your browser history with encrypted DNS | Ars Technica

Source: How to keep your ISP’s nose out of your browser history with encrypted DNS | Ars Technica

Using Cloudflare’s 1.1.1.1, other DNS services still require some command-line know-how.

Encrypting DNS traffic between your device and a “privacy-focused” provider can keep someone from spying on where your browser is pointed or using DNS attacks to send you somewhere else.

The death of network neutrality and the loosening of regulations on how Internet providers handle customers’ network traffic have raised many concerns over privacy. Internet providers (and others watching traffic as it passes over the Internet) have long had a tool that allows them to monitor individuals’ Internet habits with ease: their Domain Name System (DNS) servers. And if they haven’t been cashing in on that data already (or using it to change how you see the Internet), they likely soon will.

DNS services are the phone books of the Internet, providing the actual Internet Protocol (IP) network address associated with websites’ and other Internet services’ host and domain names. They turn arstechnica.com into 50.31.169.131, for example. Your Internet provider offers up DNS as part of your service, but your provider could also log your DNS traffic—in essence, recording your entire browsing history.

“Open” DNS services provide a way of bypassing ISPs’ services for reasons of privacy and security—and in some places, evading content filtering, surveillance, and censorship. And on April 1 (not a joke), Cloudflare launched its own new, free high-performance authoritative DNS service designed to enhance users’ privacy on the Internet. This new offering also promised a way to hide DNS traffic completely from view—encryption.

Named for its Internet Protocol address, 1.1.1.1 is the result of a partnership with the research group of APNIC, the Asia-Pacific Internet registry. While it’s also available as an “open” conventional DNS resolver (and a very fast one at that), Cloudflare is supporting two encrypted DNS protocols.

While executed with some unique Cloudflare flare, 1.1.1.1 isn’t the first encrypted DNS service by any means—Quad9, Cisco’s OpenDNS, Google’s 8.8.8.8 service, and a host of smaller providers support various schemes to encrypt DNS requests entirely. But encryption doesn’t necessarily mean that your traffic is invisible; some encrypted DNS services log your requests for various purposes.

Cloudflare has promised not to log individuals’ DNS traffic and has hired an outside firm to audit that promise. APNIC wants to use traffic data to point to the IP address, which has the unfortunate legacy of being a dumping ground for “garbage” Internet traffic, for research purposes, according to APNIC’s Geoff Huston. But APNIC won’t have access to the encrypted DNS traffic in this case, either.

For users, taking advantage of encrypted DNS services from Cloudflare or any other privacy-focused DNS services is not as easy as changing a number in network settings. No operating system currently directly supports any of the encrypted DNS services without the addition of some less-than-consumer-friendly software. And not all of the services are created equal in terms of software support and performance.

But with consumer data as product all over the news as of late, I set out to see just how to get Cloudflare’s encrypted DNS service working. And overcome by my inner lab-rat, I ended up testing and dissecting clients for multiple DNS providers using three of the established protocols for DNS encryption: DNSCrypt, DNS over TLS, and DNS over HTTPS. All of them can work, but let me warn you: while it’s getting easier, choosing the encrypted DNS route is not something you’d necessarily be able to walk Mom or Dad through over the phone today. (Unless, of course, your parents happen to be seasoned Linux command-line users.)

How DNS works.
Sean Gallagher

Why are we doing this, again?

There are plenty of reasons to want to make DNS traffic more secure. While Web traffic and other communications may be protected by cryptographic protocols such as Transport Layer Security (TLS), almost all DNS traffic is transmitted unencrypted. That means that your ISP (or anyone else between you and the rest of the Internet) can log the sites you visit even when you use another DNS service and use that data for a number of purposes, including filtering access to content and collecting data for advertising purposes.

What a typical DNS conversation between a device and a DNS resolver looks like.

“We have a ‘last mile’ problem in DNS,” said Cricket Liu, Chief DNS Architect at the network security company Infoblox. “Most of the security mechanisms we have dealt with server-to-server issues. But we have this problem where we have stub resolvers on various operating systems and don’t really have any way to secure them.” That’s particularly a problem, Liu said, in countries that have a more hostile relationship with the Internet.

Just using a non-logging DNS service helps to some degree. But it doesn’t prevent someone from filtering those requests based on content or capturing the addresses within them with packet capture or deep packet-inspection gear. And in addition to simple, passive eavesdropping attacks, there’s also the threat of more active attacks against your DNS traffic—efforts by an ISP or a government on the wire to “spoof” the identity of a DNS server, routing traffic to their own server to log or block traffic. Something similar (albeit apparently not maliciously) appears to be happening with AT&T’s (accidental) misrouting of traffic to Cloudflare’s 1.1.1.1 address, based on the observations of forum posters on DSLReports.

The most obvious way to dodge monitoring is by using a virtual private network. But while VPNs conceal the contents of your Internet traffic, connecting to a VPN might require a DNS request first. And once you’ve launched a VPN session, DNS requests may occasionally get routed outside of your VPN connection by Web browsers or other software, creating “DNS leaks” that expose which sites you’re visiting.

That’s where encrypted DNS protocols come in—the DNSCrypt protocol (supported by Cisco OpenDNS, among others), DNS resolution over TLS (supported by Cloudflare, Google, Quad9, and OpenDNS), and DNS resolution over HTTPS (currently supported by Cloudflare, Google, and the adult-content-blocking service CleanBrowsing). Encrypted traffic both ensures that traffic can’t be sniffed or modified and that requests can’t be read by someone masquerading as the DNS service—eliminating middle-man attacks and spying. Using a DNS proxy for one of these services (either directly on your device or on a “server” inside your local network) will help prevent VPN DNS leaks, since the proxy will always be the fastest-responding DNS server.

That privacy does not come packaged for mass consumption, however. None of these protocols is currently supported natively by any DNS resolver pre-packaged with an operating system. All of them require the installation (and probably compilation) of a client application that acts as a local DNS “server,” relaying requests made by browsers and other applications upstream to the secure DNS provider of your choice. And while two out of three of the technologies are proposed standards, no option we tested is necessarily in its final form.

So if you choose to dive into encrypted DNS, you will probably want to use a Raspberry Pi or some other dedicated piece of hardware to run it as a DNS server for your home network. That’s because you’ll find that configuring one of these clients is more than enough hackery. Why repeat the process multiple times when you can just query your local network’s dynamic host configuration protocol (DHCP) settings to point everything at one successful installation as a DNS server? I asked myself this question repeatedly as I watched clients crash on Windows and fall asleep on MacOS during testing.

The DNSCrypt community has tried to make this tool available to the non-command line public with tools like DNSCloak (left) on iOS and Simple DNSCrypt (right) for Windows.
DNSCloak / Simple DNSCrypt

Get Crypty

For the sake of completeness, let’s start with the original encrypted-DNS option, DNSCrypt. First introduced in 2008 on BSD Unix, DNSCrypt wasn’t originally intended as a privacy tool but as a way to protect against DNS “spoofing.” However, it can be used as part of a privacy solution—particularly when paired with a non-logging DNS provider. And as DNSCrypt developer Frank Denis pointed out, there are many more DNSCrypt-enabled servers out there than any other sort of encrypted DNS.

“DNSCrypt is a bit more than a protocol,” Denis said. “At this point, the community and the projects being worked on define it better than my weekend project protocol.” The DNSCrypt community has built easy-to-use clients such as Simple DNSCrypt for Windows and an Apple iOS client called DNS Cloak, making encrypted DNS more accessible to non-technical people. And others have set up an independent network of privacy-aware DNS servers based on the protocol that helps users evade corporate DNS systems.

“DNSCrypt is not about connecting to a specific company,” Denis said. “We encourage everybody to run their own servers and make it very cheap and easy to do so. Now that we have privacy-aware resolvers, one thing I’m trying to address right now is privacy-aware content filtering.”

For those looking to build a DNSCrypt-enabled DNS server for their whole network, the best client available is DNSCrypt Proxy 2. An earlier version of DNSCrypt Proxy is still available as a package for most of the major Linux distributions, but you’ll want to download the binary of the new version directly from the project’s GitHub site. There are versions for Windows, MacOS, BSD, and Android as well.

The experience that the DNSCrypt community has built up around privacy is evident in DNSCrypt Proxy. The software is highly configurable, with support for time-access restrictions, pattern-based domain and IP address blacklisting, query logging, and other features that make it a fairly powerful local DNS server. But it requires only the most basic of configuration to get started. There’s a sample configuration file, formatted in TOML (Tom’s Obvious Minimal Language, created by GitHub co-founder Tom Preston-Werner), which you can simply rename to be the working configuration file before firing DNSCrypt Proxy up.

By default, the proxy uses Quad9’s open DNS resolver as a bootstrap to find and obtain a curated list of open DNS services from Github, then it connects to the server with the fastest response time; you can change the configuration and select a service by name if desired. Server information in the list is encoded as a “server stamp” that includes the provider’s IP address, public key, whether the server supports DNSSEC, whether the provider keeps logs, and whether the provider blocks some domains. (If you’d rather not depend on a remote file for setup, you can also use a JavaScript-based “stamp calculator” to build your own local static list of servers using this stamp format.)
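The stamp layout described above, as an added example (not code from DNSCrypt Proxy or from the article): a parser for DNSCrypt-type `sdns://` stamps that recovers the address, the provider key and the three property flags, plus the inverse encoder a local stamp calculator would use. The sample stamp, its address, key and provider name are constructed, and the function names are hypothetical; the flags are the provider's own declaration, so the policy check only filters on what is advertised.

```python
import base64
import struct
from dataclasses import dataclass

PROTO_DNSCRYPT = 0x01  # first byte of a stamp that describes a DNSCrypt server


@dataclass
class DNSCryptStamp:
    dnssec: bool        # resolver says it validates DNSSEC
    no_logs: bool       # provider says it keeps no logs
    no_filter: bool     # provider says it does not block domains
    address: str        # IP address, optionally followed by :port
    public_key: bytes   # provider's 32-byte signing public key
    provider_name: str  # name the client queries for the provider's certificate


def _read_lp(buf, pos):
    """Read one length-prefixed field: a length byte, then that many bytes."""
    if pos >= len(buf):
        raise ValueError("stamp ends before a field length")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("stamp ends inside a field")
    return buf[pos + 1:end], end


def parse_stamp(stamp):
    """Decode an sdns:// DNSCrypt stamp into its fields."""
    prefix = "sdns://"
    if not stamp.startswith(prefix):
        raise ValueError("not a server stamp")
    body = stamp[len(prefix):]
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    if len(raw) < 9:
        raise ValueError("stamp too short")
    if raw[0] != PROTO_DNSCRYPT:
        raise ValueError("not a DNSCrypt stamp (protocol 0x%02x)" % raw[0])
    (props,) = struct.unpack_from("<Q", raw, 1)  # 64-bit little-endian flag word
    address, pos = _read_lp(raw, 9)
    public_key, pos = _read_lp(raw, pos)
    provider_name, pos = _read_lp(raw, pos)
    if pos != len(raw):
        raise ValueError("trailing bytes after last field")
    if len(public_key) != 32:
        raise ValueError("public key must be 32 bytes")
    return DNSCryptStamp(bool(props & 1), bool(props & 2), bool(props & 4),
                         address.decode("ascii"), public_key,
                         provider_name.decode("ascii"))


def build_stamp(address, public_key, provider_name, dnssec, no_logs, no_filter):
    """Encode a static stamp, as a local stamp calculator would."""
    props = int(dnssec) | int(no_logs) << 1 | int(no_filter) << 2
    raw = bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props)
    for field in (address.encode("ascii"), public_key,
                  provider_name.encode("ascii")):
        raw += bytes([len(field)]) + field
    return "sdns://" + base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def meets_policy(stamp, need_dnssec=True, need_no_logs=True):
    """Accept a server only if its stamp advertises the required properties."""
    info = parse_stamp(stamp)
    return (info.dnssec or not need_dnssec) and (info.no_logs or not need_no_logs)


# Constructed sample: documentation address, dummy key, made-up provider name.
SAMPLE = build_stamp("192.0.2.53:443", bytes(range(32)),
                     "2.dnscrypt-cert.example.test",
                     dnssec=True, no_logs=False, no_filter=True)

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_stamp(SAMPLE))
    print("meets policy:", meets_policy(SAMPLE))
```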

For my testing with the DNSCrypt protocol, I used Cisco’s OpenDNS as the remote DNS service. DNSCrypt’s performance was a little slower than conventional DNS on first-time requests, but DNSCrypt Proxy caches results after that. The slowest queries were in the 200-millisecond range, while the average responses were more in the 30-millisecond range. (Your mileage may vary, depending on your ISP, the recursion required to find the domain, and other factors.) On the whole, I didn’t notice the speed hit while Web browsing.

DNSCrypt’s main advantage is that it acts the most like “normal” DNS. For good or ill, it uses UDP traffic—on port 443, the same port used for secure Web connections. That makes for relatively fast address resolutions and makes it less likely to be blocked by a network provider’s firewall. To further decrease the likelihood of being blocked, you can change the configuration of your client to force it to use TCP/IP for queries (with minimal impact on response times, based on my testing), which makes it look like HTTPS traffic to most network filters—at least on the surface.

DNSCrypt traffic revealed, along with DNSCrypt Proxy local traffic. Wireshark says it's HTTPS traffic here, because I forced it to use TCP. Over UDP, Wireshark thinks it's Chrome's QUIC traffic.

On the downside, DNSCrypt doesn’t rely on trusted certificate authorities for its encryption—the client has to trust the public signing key issued by the provider. That signing key is used to verify certificates that are retrieved via conventional (unencrypted) DNS requests and used for key exchange, using the X25519 key-exchange algorithm. In some (older) implementations of DNSCrypt, there’s a provision for a client-side certificate that can be used as an access-control scheme—allowing them to log your traffic regardless of what IP address you come from and associate it with your account. This isn’t used in DNSCrypt 2.

Working with the DNSCrypt protocol as a developer is a bit of a challenge. “DNSCrypt is not particularly well documented, and there are not a lot of implementations of it,” said Infoblox’s Liu. DNSCrypt Proxy is the only client in active development that we could find, and OpenDNS has stopped supporting development.

DNSCrypt’s interesting cryptography choices (at least from the point of view of developers used to web crypto) may spook some developers. The protocol uses Curve25519 (RFC 8032), X25519 (RFC 8031), and Chacha20Poly1305 (RFC 7539) cryptography. One implementation of the X25519 algorithm is labeled as “cryptographic hazmat” in the Pyca Python cryptography libraries because it is so easy to misconfigure. But the underlying cryptographic algorithm DNSCrypt uses, Curve25519, is “one of the easiest elliptic curves to use safely,” said Denis.

DNSCrypt was never considered an Internet Engineering Task Force standard, Denis said, because it was built by volunteers and didn’t have corporate sponsorship. Submitting it “would have required dedicated time, as well as defending it at IETF meetings,” he said. “I can’t afford that and neither can other developers who are working on this on their spare time. Virtually all the ratified DNS-related specifications are effectively written by people from a handful of companies, always the same year after year. Unless you work at a DNS company, it’s effectively hard to have a say.”

While there are a number of DNS services that use DNSCrypt (such as CleanBrowsing, which blocks adult content domains, and Cisco OpenDNS, which blocks malicious domains), newer privacy-focused DNS providers (including Google, Cloudflare, and Quad9) have eschewed DNSCrypt and opted for the other, IETF-blessed contenders: DNS over TLS and DNS over HTTPS. DNSCrypt Proxy now supports DNS over HTTPS, and it includes Cloudflare, Google, and Quad9 in its configuration defaults.

TLS was once CloudFlare’s focus when it came to strengthening encryption for Web traffic against snooping (https://arstechnica.com/information-technology/2014/02/making-nsa-style-spying-harder-cloudflare-offers-more-robust-web-crypto/).

Hashing it out with TLS

DNS over TLS (Transport Layer Security) has a few advantages over DNSCrypt. For one, it’s a proposed IETF standard. It’s also pretty straightforward in its approach—it takes standard-format DNS requests and encapsulates them in encrypted TCP traffic. Aside from the TLS-based encryption, it’s essentially the same as running DNS over TCP/IP instead of UDP.

There are few functioning clients for DNS over TLS. The best option I found, called Stubby, was developed by the DNS Privacy Project. Stubby is available as part of a Linux package, but there’s also a MacOS version (installable with the Homebrew tool) and a Windows version—though the Windows code is still a work in progress. While I got Stubby working reliably after wrestling with some code-dependency problems on Debian, it failed regularly on Windows 10 and has a tendency to hang on MacOS. If you’re looking for a good how-to on installing Stubby on Linux, the best documentation I found was a Reddit post by Frank Santoso, who also wrote a shell script that can handle the task of installation on a Raspberry Pi.

On the upside, Stubby does allow for configurations that use multiple services based on DNS over TLS. Stubby’s configuration file, written in YAML, allows for multiple IPv4 and IPv6 services to be set up, and it includes settings for SURFNet, Quad9, and other services. The YAML implementation used by Stubby is spacing-sensitive, however, so use caution when adding a new service (such as Cloudflare). I used a tab in my first attempt, and it blew the whole thing up.

DNS-over-TLS clients authenticate the service they connect to using Simple Public Key Infrastructure (SPKI). SPKI uses a locally stored cryptographic hash of the provider’s certificate, usually based on the SHA256 algorithm. In Stubby, that hash is stored as part of the YAML description of the server in the configuration file, as shown below:

upstream_recursive_servers:
#IPv4
#Cloudflare DNS over TLS server

- address_data: 1.1.1.1
  tls_auth_name: "cloudflare-dns.com"
  tls_pubkey_pinset:
  - digest: "sha256"
    value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
- address_data: 1.0.0.1
  tls_auth_name: "cloudflare-dns.com"
  tls_pubkey_pinset:
  - digest: "sha256"
    value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

After the client establishes a TCP connection to the server over port 853, the server presents its certificate and the client checks it against the hash. If everything is fine, then the client and server do a TLS handshake, passing keys and starting an encrypted session. From there on, the data within the encrypted session follows the same rules as DNS over TCP.

After getting Stubby up and running, I changed my network settings for DNS to make requests to 127.0.0.1 (localhost). The change at the moment of the switchover, captured by the Wireshark packet capture tool, tells the story: my DNS traffic went from being readable to invisible.

Throwing the switch, from conventional DNS traffic to TLS encrypted.

While DNS over TLS may function just like DNS over TCP, the TLS encryption takes a little bit of a toll on its performance. “Dig” queries to Cloudflare via Stubby took an average of about 50 milliseconds for me (your mileage may vary) as opposed to the sub-20-millisecond responses I got from naked DNS requests to Cloudflare.

Part of the performance problem is on the server-side because of the added weight of using TCP. DNS typically uses UDP because of its connectionless nature—a UDP message is fire-and-forget, while a TCP message requires the negotiation of the connection and verification of receipt. A UDP-based version of DNS over TLS—called DNS over Datagram Transport Layer Security (DTLS)—is in its experimental phase and could increase the protocol’s performance.

There’s also a certificate-management issue here. If a provider retires a certificate and starts using a new one, there’s currently no clean way to update the SPKI data on clients other than cutting and pasting it into the configuration file. Before this approach becomes fully baked, some sort of key-management scheme would be helpful. And since it operates on port 853—a port that isn’t frequently opened up by firewalls—DNS over TLS gets voted “most likely to be blocked.”
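What the pin check and the rotation problem described above come down to, as an added example (not Stubby's code): the `value` in `tls_pubkey_pinset` is the base64 SHA-256 digest of the certificate's DER-encoded SubjectPublicKeyInfo, so the sketch extracts that field from a certificate and compares it with the configured pins. The skeleton certificates and keys are constructed sample data rather than real certificates, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac


def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length


def spki_from_certificate(cert_der):
    """Return the SubjectPublicKeyInfo element of an X.509 certificate."""
    tag, pos, _ = read_tlv(cert_der, 0)           # Certificate
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, pos, _ = read_tlv(cert_der, pos)         # tbsCertificate
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                               # optional [0] version
        pos = end
    for _ in range(5):  # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("missing subjectPublicKeyInfo")
    return cert_der[pos:end]


def spki_pin(cert_der):
    """Pin string in the form the pinset stores: base64(SHA-256(SPKI))."""
    digest = hashlib.sha256(spki_from_certificate(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der, pinset):
    """True if the presented certificate's key is one of the pinned keys."""
    presented = spki_pin(cert_der)
    return any(hmac.compare_digest(presented, pin) for pin in pinset)


# --- constructed sample data: skeleton certificates with dummy keys ---------

def der(tag, content):
    """Encode one DER element (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def make_spki(key32):
    alg = der(0x30, der(0x06, b"\x2b\x65\x70"))   # OID 1.3.101.112 (Ed25519)
    return der(0x30, alg + der(0x03, b"\x00" + key32))


def make_skeleton_cert(spki, serial):
    """Certificate-shaped DER with empty names and no real signature."""
    empty = der(0x30, b"")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + empty * 4 + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))


if __name__ == "__main__":
    old_key, new_key = bytes(range(32)), bytes(range(1, 33))
    pinset = [spki_pin(make_skeleton_cert(make_spki(old_key), 1))]
    reissued = make_skeleton_cert(make_spki(old_key), 2)   # same key, new cert
    rotated = make_skeleton_cert(make_spki(new_key), 3)    # new key
    print("reissued, same key:", pin_matches(reissued, pinset))  # pin holds
    print("rotated key:", pin_matches(rotated, pinset))          # must refuse
```

On a live connection the DER bytes come from `ssl.SSLSocket.getpeercert(binary_form=True)`. Because the digest covers only the public key, a pinned client keeps working when the provider reissues a certificate for the same key and has to be reconfigured only when the key itself changes.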

That’s not a problem for the last stop on our protocol hit parade, though: DNS over HTTPS passes through most firewalls like they aren’t even there.

Google and Cloudflare seem to be on the same page with the future of encrypted DNS.
Aurich / Thinkstock

DNS over HTTPS: DoH!

Google and Cloudflare both appear to favor DNS over HTTPS, also known as DoH, as the future of encrypted DNS. A draft IETF standard, the DoH protocol encapsulates DNS requests with secure HTTP—turning DNS requests into encrypted Web traffic.

Requests are sent as an HTTP POST or GET with queries in DNS message format (the datagram used in conventional DNS requests) or as an HTTP GET request using JSON (if you like your DNS with extra overhead). And there’s no issue here with certificate management. Just as with normal HTTPS Web traffic, no authentication is required to connect over DoH, and certificate validity can be verified by a certificate authority.
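The two encapsulations side by side, as an added example (not code from the article or from any of the clients it tests): the same wire-format DNS message is framed with a two-byte length for DNS over TLS, exactly as in DNS over TCP, and base64url-encoded into the `dns` parameter for a DoH GET. The response bytes are constructed sample data and the function names are hypothetical; nothing here opens a network connection.

```python
import base64
import struct

DOH_URL = "https://cloudflare-dns.com/dns-query"  # endpoint named in the article


def build_query(name, qtype=1, msg_id=0):
    """DNS query in wire format: 12-byte header plus one question.

    qtype 1 is an A record. ID 0 is what RFC 8484 recommends for DoH so that
    identical queries produce identical, cacheable HTTP requests.
    """
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD flag set
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1-63 bytes")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query, base=DOH_URL):
    """DoH GET: the message as unpadded base64url in the 'dns' parameter."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def doh_post(query):
    """DoH POST: the raw message is the body; returns (headers, body)."""
    return {"Content-Type": "application/dns-message",
            "Accept": "application/dns-message"}, query


def dot_frame(message):
    """DoT and DNS over TCP: two-byte big-endian length, then the message."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a two-byte length")
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream):
    """Split received bytes into complete messages and the unread remainder."""
    messages = []
    while len(stream) >= 2:
        (size,) = struct.unpack_from("!H", stream)
        if len(stream) < 2 + size:
            break                      # partial message: wait for more bytes
        messages.append(stream[2:2 + size])
        stream = stream[2 + size:]
    return messages, stream


def _skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        size = msg[pos]
        if size & 0xC0 == 0xC0:        # compression pointer ends the name
            return pos + 2
        if size == 0:                  # root label ends the name
            return pos + 1
        pos += 1 + size


def parse_a_records(msg):
    """Return (id, rcode, [IPv4 strings]) from a response message."""
    msg_id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg)
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4             # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return msg_id, flags & 0x000F, addresses


def sample_response(query, ip):
    """Constructed reply to `query` with one A record (not captured traffic)."""
    (msg_id,) = struct.unpack_from("!H", query)
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(part) for part in ip.split(".")))
    return header + query[12:] + answer


if __name__ == "__main__":
    query = build_query("www.example.com")
    print(doh_get_url(query))
    print(dot_frame(query).hex())
    print(parse_a_records(sample_response(query, "192.0.2.1")))
```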

A capture of a DNS transaction over DoH. HTTPS, TLS. That's all there is; there isn't any more.

HTTPS is a pretty chunky protocol to be sending DNS requests with—especially with JSON along for the ride—so there’s a little bit of a performance hit. The server-side resources required would almost certainly make a conventional DNS server admin’s eyes water. But the ease of working with well-understood Web protocols makes developing both client and server code for DoH a lot more approachable to developers who’ve cut their teeth on Web applications. (Engineers at Facebook coded a proof-of-concept DoH server and client in Python in just a few weeks earlier this year.)

As a result, even though the pixels are barely rezzed on the RFC for DoH, there’s already a raft of ready-to-run DNS-over-HTTPS clients, though some of them are built specifically for one DNS provider. The size of the performance hit your DNS resolution will take depends a lot on the server you point at and how well those developers did their job.

Take Cloudflare’s Argo tunneling client (aka “cloudflared”), for example. Argo is a multipurpose tunneling tool intended primarily to provide a secure channel for Web servers to connect to Cloudflare’s content delivery network. DNS over HTTPS is just another service that got bolted on.

By default, if you start Argo from the command line (which, in Linux and MacOS, requires superuser privileges and on Windows requires execution from PowerShell as an administrator), Argo directs DNS requests to https://cloudflare-dns.com/dns-query. That causes a small problem if there’s no conventional DNS server configured—if it can’t resolve that address to 1.1.1.1, then it will fail to start.

This can be fixed in one of three ways. The first option is to configure your device with the local host (127.0.0.1 for IPv4 and ::1 in IPv6) as the primary DNS server for your network configuration and then add 1.1.1.1 as a secondary resolver. This will work, but it’s not ideal for privacy or performance. A better option is adding the server’s URL at the command line at startup:

$ sudo cloudflared proxy-dns --upstream https://1.0.0.1/dns-query

If you’re convinced you want to make Cloudflare your way to roll—which gives you the benefit of automatic updates—you can set it up as a service in Linux, using a YAML-based configuration file that contains the IPv4 and IPv6 addresses of Cloudflare’s DNS service:

proxy-dns: true
proxy-dns-upstream:
- https://1.1.1.1/dns-query
- https://1.0.0.1/dns-query

When configured with the proper upstream addressing, Argo’s dig-query performance varied widely—from 12 milliseconds (for popular domains) to as much as 131 milliseconds. Pages with a lot of cross-site content took… a little longer than usual to load. Again, your mileage may vary, and it probably will be based on your location and peerage. But this is about what I expected from the lugubrious DoH protocol.

Like Cloudflare (https://blog.cloudflare.com/argo-tunnel/), we opted for tunnels rather than Affleck to illustrate Argo.
Wikimedia

To confirm this was, in fact, a DoH issue and not a Cloudflare issue, I tried two other DoH “stubs.” The first was a Go-based proxy for Google’s DNS over HTTPS service called Dingo, a tool written by Paweł Foremski, an Internet researcher at the Institute of Theoretical and Applied Informatics of the Polish Academy of Sciences. Dingo works exclusively with Google’s DoH implementation, but it can be tuned to use the nearest instantiation of Google’s DNS service. That’s a good thing—before tuning, the Dingo ate my DNS performance. Queries with dig averaged well over 100 milliseconds.

By checking how dns.google.com resolved from a standard DNS request, I got an alternate address to Google’s default 8.8.8.8 IP address (172.217.8.14, if you must know). I appended that IP address to Dingo on the command line:

$ sudo ./dingo-linux-amd64 -port=53 -gdns:server=172.217.8.14

This cut response times down by about 20 percent—in the same ballpark, average-wise, as Cloudflare’s Argo.

The best DoH performance, however, came from an unexpected source: DNSCrypt Proxy 2. With the recent addition of Cloudflare’s DoH service to the stub’s curated list of public DNS services, DNSCrypt Proxy will almost always connect to Cloudflare by default because of the server’s low latency. To make sure, I even manually configured it for Cloudflare’s resolver over DoH before throwing my battery of dig queries at it.

All of the queries were resolved in less than 45 milliseconds—faster than Cloudflare’s own service by a wide margin. Using Google’s DoH service, performance slowed a bit—queries averaged around 80 milliseconds. That speed came without tuning it to a more local Google DNS server.

On the whole, DNSCrypt Proxy’s DoH performance was virtually indistinguishable from that of the DNS-over-TLS resolver I tested. In fact, it was faster. I’m not sure if this was because of how DNSCrypt Proxy implemented DoH—using the standard DNS message format encapsulated in HTTPS instead of the JSON format—or if it was related to how Cloudflare handled the two different protocols.

We are not Batman. But my threat model is still a bit more complicated than most.

Was this trip really necessary?

I am a professional paranoiac. My threat model is different from yours, and I would prefer to keep as much of my online activity as secure as possible. But given the number of current privacy and security threats that leverage manipulation of DNS traffic, there’s a strong case for many people to use some form of DNS encryption. As I pleasantly discovered, there are implementations of all three of the protocols I looked at that don’t have a profound negative impact on network traffic speeds.

However, it’s also important to note that these services alone do not ensure your browsing is concealed. The Server Name Indication (SNI) extension of TLS, used in HTTPS connections, can still reveal in plain text the name of the site you’re visiting if the server it is on hosts multiple sites. For total privacy, you’ll still need to use a VPN (or Tor) to encapsulate your traffic in a way that your ISP or some other party monitoring your traffic can’t scrape metadata from (and none of these services work with Tor). And if you’re dealing with a state-funded adversary, all bets are off.

The other problem is that while the fine folks in the DNSCrypt community have done great work, this kind of privacy is still too hard for average people. While I found it relatively easy to configure some of these encrypted DNS clients, none of them is exactly easy for normal Internet users to implement. For these services to become really useful, they have to be better integrated into the stuff people buy—home routers and desktop and mobile operating systems.

Conventional DNS traffic is going to be increasingly monetized by Internet providers, and it will remain a tool of both states and criminals to steer Internet users into harm’s way. But it’s unlikely that major operating-system developers are going to embrace armoring up DNS in a way that’s accessible to most users, because they’re often in the same monetization game as ISPs. On top of that, those developers could face resistance to making changes from some governments that want to preserve DNS-monitoring capabilities.

So for now, these protocols are going to remain the tool of the few who care enough about privacy to go the extra mile. Here’s hoping that the privacy community around DNSCrypt continues to care enough to push things forward.

Are vegan milks healthier than dairy? The truth about almond, soy – TODAY.com

Source: Are vegan milks healthier than dairy? The truth about almond, soy – TODAY.com

The truth about almond, soy, rice and flax: Decoding dairy and vegan milks

Whether you’re vegan, vegetarian or just thinking about creamy beverages, it’s impossible to avoid the many new milks (or “mylks”) popping up in or near the dairy aisle these days.

Buying soy and rice milks once meant venturing to a hole-in-the-wall health food store, but now, milk shelves in large supermarkets are more crowded than ever, so it can be pretty hard to know which milk is really right for you.

Getty Images

Home-made hemp milk with whole seeds and shelled seeds

Bonnie Taub-Dix, RDN, creator of BetterThanDieting.com and author of “Read It Before You Eat It: Taking You From Label to Table,” shed some light on the latest information about the many milks on the market. Milk substitutes can be a great option if you’re avoiding animal products, counting calories, love trying different flavors, or need to abstain from dairy due to food allergies. Taub-Dix said all varieties hydrate well but each has different pros and cons.

Madelyn Fernstrom, NBC News Health and Nutrition Editor, added, “When it comes to choosing milk products, decide what nutrients are most important to you to include — or remove. There is no single perfect product, and ‘one size does not fit all’.”

Here’s what to look for when choosing the right option to buy or — if you’re feeling adventurous — to make at home yourself.

Cow’s milk

Cow’s milk has muscle-strengthening protein and bone-building calcium, as well as phosphorous and vitamin D. The downside to real dairy is that it contains a sugar called lactose that can be difficult for some to digest. But at every fat percentage, a serving of cow’s milk contains 30 percent of your recommended daily calcium needs.

Nutrition info for 1 cup of milk (8 ounces):

Skim

80 calories; 8 grams of protein; no fat

1 percent

100 calories; 8 grams of protein; 2 grams of fat

2 percent

120 calories; 8 grams of protein; 5 grams of fat

Whole milk

150 calories; 8 grams of protein; 8 grams of fat

Almond milk

Almond milk is naturally free of cholesterol, saturated fat and lactose. It’s rich in calcium, vitamins D, E and A, and has far fewer calories than other milks. Almond milk has a smooth, nutty flavor, which Taub-Dix says will “shine in recipes,” including muffins, soups, smoothies and stews. Almond Breeze is available cold and in shelf-stable varieties, so it’s great to store in bulk. Like any beverage made from tree nuts, almond milk is not suitable for those with nut allergies.

Nutrition info for 1 cup (unsweetened, plain): 30 to 50 calories; up to 1 gram of protein; 2 to 2.5 grams fat. Many commercially available varieties of almond milk contain 30 to 45 percent of the recommended daily value of calcium per serving.

Soy milk

Soy milk has been around for a long time but has been made more popular in the last decade due to big brands like Silk. Taub-Dix says it’s best to choose a soy milk that’s fortified with calcium and vitamin D, but be sure to shake it well before drinking since these nutrients can settle to the bottom of the container. Soy is a solid substitute for those with nut or dairy allergies, but many people suffer from soy allergies, too.

Some studies have shown that increased soy consumption can increase tumor growth at the cellular level, while others say it may have a protective effect on breast cancer. Overall, it’s a healthy option, Taub-Dix told TODAY, but recommends that consumers look for “whole soy in products like tofu and edamame [which is] preferable to processed soy often found as soy protein isolates that are found in many snack products.” In other words, eating soy beans in their raw form (or drinking fresh soy milk) is preferable to consuming a refined soy product that has been stripped of its natural (and nutritionally beneficial) fat and fiber, which can be found in protein powders and junk food.

Nutrition info for 1 cup (low-fat, plain): 60 to 90 calories; 4 to 6 grams protein; 1.5 to 2 grams fat and 20 to 45 percent of the recommended daily value for calcium.

Rice milk

Made by combining partially milled rice and water, rice milk has a sweet flavor and comes in a variety of flavors. The downside? Most varieties barely contain any protein.

Nutrition info for 1 cup: 90 to 130 calories; 1 gram protein; 2 to 2.5 grams fat and 30 percent of the recommended daily value for calcium.

Coconut milk (canned)

If you’re someone who enjoys a fuller fat, super creamy milk experience, this alternative may be right for you. Taub-Dix reminds shoppers not to confuse coconut milk with its lower-calorie relative, coconut water. Sweetened versions can pack almost 450 calories per cup, and it packs in a lot of saturated fat. Lighter versions are available with 60 percent fewer calories and fat than regular coconut milk. This milk is not to be consumed like dairy milk but should be considered more like a substitute for heavy creams.

Nutrition info for 1 cup: 445 calories; 4 grams of protein; 48 grams of fat and 4 percent of the recommended daily value for calcium.

Hemp milk

Derived from hemp seeds rich in a plant-based omega-3 fatty acid called alpha-linolenic acid (ALA), this milk is beneficial for reducing the risk of heart disease and inflammation, says Taub-Dix. Hemp milk is higher in fat content than other milk alternatives but it makes up for it with a hefty dose of calcium.

Nutrient info for 1 cup: 140 calories; 3 grams of protein; 5 grams of fat; 50 percent of the recommended daily value of calcium.

Peanut milk

Peanut milk is one of the newer varieties of nut milks (such as Elmhurst’s milked peanuts) and has a strong flavor of — you guessed it — peanuts. This milk can be a very tasty choice for those seeking an extra nutty kick in their cereals or certain dishes, but it should definitely be avoided by anyone with a nut allergy. It’s also on the higher end when it comes to fat grams per serving.

Nutrition info for 1 cup: 150 calories; 6 grams of protein; 11 grams of fat and 2 percent of the recommended daily value of calcium.

Flax milk

Flax seeds are tiny but pack a lot of nutritional punch. They are a great source of plant-based protein, have plenty of calcium, protein and omega-3 healthy fats, which our bodies do not create naturally. An unsweetened box of a brand like Good Karma can be stored in the pantry for months before it’s opened and has a very creamy taste.

Nutrition info for 1 cup: 70 calories; 8 grams of protein; 3.5 grams of fat and 30 percent of the daily value of calcium.

Oat milk

This milk is naturally sweet and can be used in recipes ranging from gravy to cupcakes, but it’s also fine by itself in coffee, cereal and more. For those who like a sweeter taste, this is a nice option, even without added sugars or flavorings such as vanilla. It’s also incredibly low in fat.

Nutrition info for 1 cup: 130 calories; 4 grams of protein; 2.5 grams of fat; 35 percent of the recommended daily value of calcium.

Cashew milk

This nut milk is one of the more similar plant-based alternatives to cow’s milk, as it has a creamy texture and mild taste. It makes great smoothies and is a delicious accompaniment to cereal. But most commercially available varieties don’t have much calcium.

Nutrition info for 1 cup (unsweetened): 70 calories; 2 grams of protein; 4 grams of fat; 4 percent of recommended daily value of calcium.

Pea milk

Many milk alternatives containing nuts present issues for individuals with both a dairy intolerance and a nut allergy. Enter pea milk. Ripple, one of the biggest players in the relatively new pea-milk game, says its product is gentle on the body and the planet. This milk is vegan and it’s totally free of dairy, nuts, lactose and gluten. It’s surprisingly creamy but the truth is, in its unflavored form, there is a very real, faint pea-like taste that may be difficult for traditional milk lovers to swallow.

Nutrition info for one cup: 100 calories; 8 grams of protein; 4.5 grams of fat and 45 percent of the recommended daily value of calcium.

Step-By-Step Guide to Migrating Your WordPress Website To A New Host

Moving your WordPress website to a new host can be a stressful experience, but it doesn’t need to be. Use this easy guide to help you through the process.

Source: Step-By-Step Guide to Migrating Your WordPress Website To A New Host

Moving your website to a new host can be a daunting and stressful experience, but it doesn’t need to be.

Many people are faced with the need to move to a new host because of problems with their current provider and have just had enough. But all too often, migrating to a more reliable host is delayed time and again for fear of making a mistake and damaging your site(s).

To get around the problem, people will either pay a professional to move their site for them, find a new host that offers the service as part of a new hosting package, or take the third option of having a go at it themselves.

If you spend a little time preparing your own website, migrating is nothing to be concerned about. It can be a very straightforward project if approached correctly and can easily be reversed out of should any problems occur.

Let’s run through the steps required to move your WordPress website to a new host.

Step 1: Back Up Your Website’s Files

The very first step of any project such as this is to back up every aspect of your site. This step is good practice before any major change but it is also a requirement of migrating your WordPress installation.

There are many plugins out there that will completely back up your site for you. This backup, however, requires a more manual approach. Using an FTP program (such as FileZilla), connect to your web host and copy all files under your website’s directory to a folder on your local computer.

This includes the .htaccess file that is set to be hidden. Consult your FTP program’s help file to have it display hidden files if you are unable to see this file.

Depending on the number of media uploads you have in your site, this could take some time. While this download is underway we can begin step two and make a copy of your database.

Step 2: Export The WordPress Database

Exporting your database is a simple process that only requires a few steps to complete. Log in to the cPanel account of your web server and open the phpMyAdmin application. Select the database that contains your WordPress installation from the list in the left-hand sidebar and, once it is selected, click on the Export tab in the navigation menu.

The default settings of a Quick export and the SQL format for the export are sufficient for what we need. Click the Go button and the database export process will begin and a file will be downloaded to your local computer.

Once the database export and the FTP transfer of your files have both completed, you are ready to move onto the next stage.

Step 3: Create The WordPress Database On Your New Host Server

Before we can begin the migration to the new web host, we need to create an environment for a WordPress installation. To do this you must create a database that you can import your SQL data into.

Log in to your new web host with the user credentials they have supplied you and connect to the cPanel software. For our guide we will be using the MySQL Databases application. If your web host doesn’t have that application running, then you should contact their support team to discover their method of creating new databases.

The steps to create a database are quite simple:

  • Open MySQL Databases and create a new database with an appropriate name for your website.
  • Create a new MySQL user (with a secure password).
  • Add this user account to the new database and grant it All Privileges.

Write down the database name, the new MySQL username and its password. You will need them soon.

Step 4: Edit the wp-config.php File

Browse to the folder on your local computer where you downloaded your website files to. In that folder there is a file called wp-config.php that controls the access between WordPress and your database.

Make a copy of this file and store it in another folder on your local computer. This is necessary for restoring the changes we are about to make should something go wrong later.

Open the original version of the file with your favorite text editor and make the following three changes:

1. Change The Database Name

Locate the following line:

define('DB_NAME', 'db_name');

The db_name portion of this line will currently be set to the MySQL database name of your old web host. This must be changed to the name of the new database you have just created.

2. Change the Database Username

Below this you will find the line:

define('DB_USER', 'db_user');

In this line you need to change the db_user portion from the username of your old host to match the new username you have just created.

3. Change The Database User Password

Finally, edit the third line:

define('DB_PASSWORD', 'db_pass');

As with the others the db_pass section of this line must be changed to the new secure password you created for your MySQL user.

Save wp-config.php and close the file.
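The three edits in Step 4, scripted as an added example (not part of the original guide): it rewrites the DB_NAME, DB_USER and DB_PASSWORD lines and first copies the untouched file to a folder outside the site directory, so the old credentials are not uploaded in Step 6. The function names, the sample file and all values are assumptions made for illustration.

```python
import re
import shutil
from pathlib import Path

# define('KEY', 'value'); with either quote style and flexible spacing.
# Group 1 = everything up to the value, group 4 = the closing ");".
DEFINE_TEMPLATE = r"""^(\s*define\(\s*(['"]){key}\2\s*,\s*)(['"])(?:\\.|(?!\3).)*\3(\s*\)\s*;)"""

# Constructed sample for illustration, not a real configuration.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'old_db');
define( "DB_USER", "old_user" );
define('DB_PASSWORD', 'old\\'pass');
// define('DB_NAME', 'commented_out');
define('DB_HOST', 'localhost');
"""


def php_single_quoted(value: str) -> str:
    # In a PHP single-quoted literal only the backslash and the quote are escaped.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def update_db_settings(config_text: str, settings: dict) -> str:
    """Replace the value of each named define(); refuse if one is missing or repeated."""
    for key, value in settings.items():
        pattern = re.compile(DEFINE_TEMPLATE.format(key=re.escape(key)), re.MULTILINE)
        literal = php_single_quoted(value)
        # A function replacement keeps backslashes in the password from being
        # interpreted as regex escapes.
        config_text, count = pattern.subn(
            lambda m: m.group(1) + literal + m.group(4), config_text)
        if count != 1:
            raise ValueError(f"expected exactly one define() for {key}, found {count}")
    return config_text


def rewrite_config(config_path: Path, backup_dir: Path, settings: dict) -> Path:
    """Copy wp-config.php to backup_dir, then rewrite it in place. Returns the copy."""
    config_path, backup_dir = config_path.resolve(), backup_dir.resolve()
    site_dir = config_path.parent
    if backup_dir == site_dir or site_dir in backup_dir.parents:
        raise ValueError("keep the backup copy outside the site folder")
    # Build the new text first so a failed match leaves everything untouched.
    # Bytes are used for I/O so the file's line endings are preserved.
    new_text = update_db_settings(config_path.read_bytes().decode("utf-8"), settings)
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / config_path.name
    shutil.copy2(config_path, backup)
    config_path.write_bytes(new_text.encode("utf-8"))
    return backup


if __name__ == "__main__":
    # Placeholder values; use the ones written down in Step 3.
    print(update_db_settings(SAMPLE_CONFIG, {
        "DB_NAME": "new_db",
        "DB_USER": "new_user",
        "DB_PASSWORD": "example-password",
    }))
```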

Step 5: Import Your Database

Now that you have a new database to work with we can begin the import process.

Launch phpMyAdmin from the cPanel software on your new server and select your new database from the list in the left-hand sidebar. Once it opens, select the Import tab from the navigation menu.

In the File to Import section click the Choose File button and select the SQL file you exported previously.

Un-tick the Partial Import check box, make sure the format is set to SQL and then click the Go button. The database import will now begin.

The time this import takes varies depending on the size of your database. You should receive a message informing you of the success of the import when it has finished.

Step 6: Upload The WordPress Files To Your New Host

Now that you have the new database prepared and you’ve reconfigured the wp-config.php file, it is time to begin uploading your website’s files.

Connect to your new web host using your FTP program and browse to the folder in which your website is going to be held. If this is the primary, or only, site being installed on this web server, then the public_html folder is the usual directory to upload the files to.

With the remote directory selected you can upload your website files that should now include the updated version of wp-config.php. As with the earlier download, this process can take some time.

Don’t delete these files from your local computer once the upload finishes. They are still needed until the final steps have been completed.

Step 7: Linking to New URL & Defining New Domain

If you are moving to a new/different domain, then you should read over this step. If not, you can skip it, because you don’t have to update your site to point to a different domain.

One issue people always seem to have when moving their site is that they’ve added links to other posts on their site or inserted images directly by pointing to a URL on the server, causing these to break when moved over to a new domain. If you want to quickly and easily search for any instances of your old domain name and replace them with the new name, we suggest you take a look at the Search Replace DB script on GitHub, which lets you do this with great ease. Just make sure you DELETE it when you are done (for security reasons), and don’t place it in your root domain: create a temp folder with a random name to host the script.

Changing Site URL: By doing a search and replace for the old domain and replacing it with the new domain, you’ll also be altering the siteurl and home values in the database (Changing the Site URL), which will ensure that when you try to log in to your site on the new domain it doesn’t try to redirect you over to the old domain.
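Why a dedicated tool is suggested for the search and replace in Step 7, shown as an added example that goes beyond the text and is neither the Search Replace DB code nor part of the original guide: WordPress keeps some settings as PHP-serialized strings of the form s:<byte length>:"…";, so a plain find-and-replace with a domain of a different length leaves stale length prefixes that PHP can no longer read. The function names, domains and sample value are assumptions; serialized data nested inside another serialized string is not handled.

```python
import re

# Header of a PHP-serialized string: s:<byte length>:"
STR_HEADER = re.compile(rb's:(\d+):"')


def php_str(body: bytes) -> bytes:
    """Serialize one string the way PHP's serialize() does (length is in bytes)."""
    return b's:%d:"' % len(body) + body + b'";'


# Constructed sample of a serialized option value, for illustration only.
SAMPLE_OPTION = (
    b"a:2:{"
    + php_str(b"logo") + php_str(b"http://old.example.com/img/logo.png")
    + php_str(b"title") + php_str(b"Blog")
    + b"}"
)


def replace_domain(value: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new, recomputing the length prefix of every serialized string.

    Assumes old contains no double quote, which holds for a domain name.
    """
    out = bytearray()
    pos = 0
    while True:
        m = STR_HEADER.search(value, pos)
        if m is None:
            # No more serialized strings: the rest is plain text.
            out += value[pos:].replace(old, new)
            return bytes(out)
        start = m.end()
        end = start + int(m.group(1))
        if value[end:end + 2] != b'";':
            # Looks like a header but the declared length does not line up,
            # so treat it as ordinary text and keep scanning.
            out += value[pos:start].replace(old, new)
            pos = start
            continue
        out += value[pos:m.start()].replace(old, new)
        out += php_str(value[start:end].replace(old, new))
        pos = end + 2


def lengths_consistent(value: bytes) -> bool:
    """True if every s:N:"..." header is followed by exactly N bytes and a closing quote."""
    pos = 0
    while (m := STR_HEADER.search(value, pos)) is not None:
        end = m.end() + int(m.group(1))
        if value[end:end + 2] != b'";':
            return False
        pos = end + 2
    return True


if __name__ == "__main__":
    old, new = b"old.example.com", b"new-host.example.org"
    naive = SAMPLE_OPTION.replace(old, new)
    fixed = replace_domain(SAMPLE_OPTION, old, new)
    print("naive replace consistent:", lengths_consistent(naive))
    print("length-aware replace consistent:", lengths_consistent(fixed))
    print(fixed.decode())
```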

Step 8: The Final Touches

This step actually includes two separate things with (potentially) several days between them.

Before you can use the site on your new host you will need to reconfigure your domain’s DNS settings. They will be set to point to your old host and you will need to point the correct records to the new server IP address.

This process will depend on where you have your domain registered. The details of completing this process are too varied to discuss in this post, but your domain registrar should have all of the details you need to make this change.

DNS changes can take up to 48 hours to fully propagate. It’s best to do this at a period when you expect lower levels of traffic. During this 48 hour window you should avoid making any changes to your website as you may be changing the old version of the site.

After the 48-hour period has expired you should now be accessing the new web host when you go to your website. It’s at this point you can connect to your old web host to delete the files and database. You should still have a local backup copy of these files and the database export, along with the original wp-config.php file in case you need to roll back the migration. It can be a good idea to hold onto these files for an extended period just to be on the safe side.

Conclusion

As you can see, when broken down into the above simple steps, the process isn’t that difficult. All it really requires is for you to be careful at each step and give yourself the option to go back to the original version until the last possible moment (in case of any problems).

19 Great Truths My Grandmother Told Me on Her 90th Birthday

When my grandmother was diagnosed with terminal cancer on her 90th birthday, I sat with her in a hospital room for the entire day, in silence, in laughter, in tears, and in awe. She spoke softly and passionately about her life and all the lessons she learned along the way.

Source: 19 Great Truths My Grandmother Told Me on Her 90th Birthday

“I have seen and touched and danced and sang and climbed and loved and meditated on a lifetime spent living honestly.  Should it all end tonight, I can positively say there would be no regrets.  I feel fortunate to have walked 90 years in my shoes.  I am truly lucky.  I really have lived 1,000 times over.”

Those are the opening lines of the final entry in my grandmother Zelda’s journal—a 270-page leather-bound journal she wrote small entries in almost every morning during the final decade of her life.  In it, she reflected on lessons she had learned, lessons she was still learning, and the experiences that made these understandings possible.

When my grandmother was diagnosed with terminal cancer on her 90th birthday, I sat with her in a hospital room for the entire day, in silence, in laughter, in tears, and in awe.  Although her body was weak, her mind was intensely strong.  The terminal diagnosis inspired her to think about her life, everything she had journaled about over the years, and reflect aloud.  So, I gave her the stage—my undivided attention—from sunrise until sunset.

As I sat beside her hospital bed, she thumbed through her journal one page at a time, reading dozens of specific entries she wanted me to hear.  She spoke softly and passionately about her life, her loves, her losses, her pain, her dreams, her achievements, her happiness, and all the lessons that embodied these points of reference.  It was without a doubt one of the most enlightening and unforgettable days of my life.

My grandmother passed away exactly two weeks later, peacefully in her sleep.  The day after her passing I found out she formally left her journal for me in her will.  Since then, I have read it from cover to cover countless times.

Although I have shared some of her insights and quotes with blog subscribers and course students in the past, today would have been my grandmother’s 100th birthday, so I’d like to honor her.  To do so, I’m going to share excerpts from the journal entries she shared with me in that hospital room ten years ago.  I’ve done my best to sort, clean up, copyedit and reorganize her wisdom into 19 inspiring bullet points.  I hope you find value in them, too:

  1. There are thousands of people who live their entire lives on the default settings, never realizing they can customize everything. – Don’t settle for the default settings in life.  Find your loves, your talents, your passions, and embrace them.  Don’t hide behind other people’s decisions.  Don’t let others tell you what you want.  Design YOUR journey every step of the way!  The life you create from doing something that moves you is far better than the life you get from sitting around wishing you were doing it.
  2. The right journey is the ultimate destination. – The most prolific and beneficial experience in life is not in actually achieving something you want, but in seeking it.  It’s the journey towards an endless horizon that matters—goals and dreams that move forward with you as you chase them.  It’s all about meaningful pursuits—the “moving”—and what you learn along the way.  Truly, the most important reason for moving from one place to another is to see what’s in between.  In between is where passions are realized, love is found, strength is gained, and priceless life-long memories are made.
  3. The willingness to do hard things opens great windows of opportunity. – One of the most important abilities you can develop in life is the willingness to accept and grow through times of difficulty and discomfort.  Because the best things are often hard to come by, at least initially.  And if you shy away from difficulty and discomfort, you’ll miss out on them entirely.  Mastering a new skill is hard.  Building a business is hard.  Writing a book is hard.  A marriage is hard.  Parenting is hard.  Staying healthy is hard.  But all are amazing and worth every bit of effort you can muster.  Realize this now.  If you get good at doing hard things, you can do almost anything you put your mind to.
  4. Small, incremental changes always change everything in the long run. – The concept of taking it one step at a time might seem absurdly obvious, but at some point we all get caught up in the moment and find ourselves yearning for instant gratification.  We want what we want, and we want it now!  And this yearning often tricks us into biting off more than we can chew.  So, remind yourself: you can’t lift a thousand pounds all at once, yet you can easily lift one pound a thousand times.  Tiny, repeated efforts will get you there, gradually.  (Angel and I build tiny, life-changing rituals with our students in the “Goals and Growth” module of the Getting Back to Happy course.)
  5. No one wins a game of chess, or the game of life, by only moving forward. – Sometimes you have to move backward to put yourself in a position to win.  Because sometimes, when it feels like you’re running into one dead end after another, it’s actually a sign that you’re not on the right path.  Maybe you were meant to hang a left back when you took a right, and that’s perfectly fine.  Life gradually teaches us that U-turns are allowed.  So turn around when you must!  There’s a big difference between giving up and starting over in the right direction.
  6. The biggest disappointments in life are often the result of misplaced expectations. – When we are young our expectations are few, but as we age our expectations tend to balloon with each passing year.  The key is to understand that tempering unrealistic expectations of how something “should be” can greatly reduce unnecessary stress and frustration.  With a positive attitude and an open mind, we often find that life isn’t necessarily any easier or harder than we thought it was going to be; it’s just that “the easy” and “the hard” aren’t always the way we had anticipated, and don’t always occur when we expect them to.  This isn’t a bad thing—it makes life interesting, if we are willing to see it that way.
  7. Our character is often most evident at our highs and lows. – Be humble at the mountaintops, be strong in the valleys, and be faithful in between.  And on particularly hard days when you feel that you can’t endure, remind yourself that your track record for getting through hard days is 100% so far.
  8. Life changes from moment to moment, and so can you. – When hard times hit there’s a tendency to extrapolate and assume the future holds more of the same.  For some strange reason this doesn’t happen as much when things are going well.  A laugh, a smile, and a warm fuzzy feeling are fleeting and we know it.  We take the good times at face value in the moment for all they’re worth and then we let them go.  But when we’re depressed, struggling, or fearful, it’s easy to heap on more pain by assuming tomorrow will be exactly like today.  This is a cyclical, self-fulfilling prophecy.  If you don’t allow yourself to move past what happened, what was said, what was felt, you will look at your future through that same dirty lens, and nothing will be able to focus your foggy judgment.  You will keep on justifying, reliving, and fueling a perception that is worn out and false.
  9. You can fight and win the battles of today, only. – No matter what’s happening, you can resourcefully fight the battles of just one day.  It’s only when you add the battles of those two mind-bending eternities, yesterday and tomorrow, that life gets overwhelmingly difficult and complicated.
  10. Not being “OK” all the time is normal. – Sometimes not being OK is all we can register inside our tired brains and aching hearts.  This emotion is human, and accepting it can feel like a small weight lifted.  Truth be told, it’s not OK when someone you care about is no longer living and breathing and giving their amazing gifts to the world.  It’s not OK when everything falls apart and you’re buried deep in the wreckage of a life you had planned for.  It’s not OK when the bank account is nearly at zero, with no clear sign of a promising income opportunity.  It’s not OK when someone you trusted betrays you and breaks your heart.  It’s not OK when you’re emotionally drained to the point that you can’t get yourself out of bed in the morning.  It’s not OK when you’re engulfed in failure or shame or a grief like you’ve never known before.  Whatever your tough times consist of, sometimes it’s just NOT OK right now.  And that realization is more than OK.
  11. Sensitivity can be a super power. – Although sensitivity is often perceived as a weakness in our culture, to feel intensely is not a symptom of weakness; it is the characteristic of a truly alive and compassionate human being.  It is not the sensitive person who is broken, it is society’s understanding that has become dysfunctional and emotionally incapacitated.  There is zero shame in expressing your authentic feelings.  Those who are at times described as being “too emotional” or “complicated” are the very fabric of what keeps the dream alive for a more thoughtful, caring and humane world.  Never be ashamed to let your feelings, smiles and tears shine a light in this world.
  12. Opening up to someone who cares can heal a broken heart. – Deep heartbreak is kind of like being lost in the woods—every direction leads to nowhere at first.  When you are standing in a forest of darkness, you can’t see any light that could ever lead you home.  But if you wait for the sun to rise again, and listen when someone assures you that they themselves have stood in that same dark place, and have since moved forward with their life, oftentimes this will bring the hope that’s needed.
  13. Solitude is important, too. – Speaking to someone can help, but in moderation.  Sometimes the moments you feel lonely are the moments you may most need to be by yourself.  This is one of life’s cruelest ironies.  We need solitude, because when we’re alone we’re detached from obligations, we don’t need to put on a show, and we can hear our own thoughts and feel what our intuition is telling us.  And the truth is, throughout your life there will be times when the world gets real quiet and the only thing left is the beat of your own heart.  So you’d better learn the sound of it, otherwise you’ll never understand what it’s telling you.
  14. Most of the time you don’t need more to be happier—you need less. – When things aren’t adding up in your life, begin subtracting.  Life gets a lot simpler and more enjoyable when you clear the emotional and physical clutter that makes it unnecessarily complicated.  (Angel and I guide our readers through this process of simplifying and getting back to happy in our brand new book.)
  15. Beginning each day with love, grace and gratitude always feels better than the alternative. – When you arise in the morning think of what an incredible privilege it is to be alive—to be, to see, to hear, to think, to love, to have something to look forward to.  Happiness is a big part of these little parts of your life—and joy is simply the feeling of appreciating it all.  Realize that it’s not happiness that makes us grateful, but gratefulness that makes us happy.  Make a ritual of noticing the goodness that’s already yours first thing in the morning, and you will see more goodness everywhere you look throughout the day.
  16. Who we choose to be around matters immensely. – Spend time with nice people who are smart, driven and likeminded.  Relationships should help you, not hurt you.  Surround yourself with people who reflect the person you want to be.  Choose friends who you are proud to know, people you admire, who love and respect you—people who make your day a little brighter simply by being in it.  Ultimately, the people in your life make all the difference in the person you are capable of being.  Life is just too short to spend time with people who suck the happiness out of you.  When you free yourself from these people, you free yourself to be YOU.  And being YOU is the only way to truly live.
  17. Relationship boundaries are life-savers. – When someone treats you like you’re just one of many options, again and again, help them narrow their choices by removing yourself from the equation.  Sometimes you have to try not to care, no matter how much you do.  Because sometimes you can mean almost nothing to someone who means so much to you.  It’s not pride—it’s self-respect.  Don’t give part-time people a full-time position in your life.  Know your value and what you have to offer, and never settle for anything less than what you’ve earned.
  18. It’s during the toughest times of your life that you’ll get to see the true colors of the people who say they care about you. – Notice who sticks around and who doesn’t, and be grateful to those who leave you, for they have given you the room to grow in the space they abandoned, and the awareness to appreciate the people who loved you when you didn’t feel lovable.
  19. New opportunities are always out there waiting for you. – Nobody gets through life without losing someone they love, something they need, or something they thought was meant to be.  But it is these very losses that make us stronger and eventually move us toward future opportunities.  Embrace these opportunities.  Enter new relationships and new situations, knowing that you are venturing into unfamiliar territory.  Be ready to learn, be ready for a challenge, and be ready to experience something or meet someone that just might change your life forever.

Afterthoughts & Promises

As I’m wrapping up this short tribute to my grandmother, I’m reminded of a poem by Christian D. Larson that she used to have hanging on her refrigerator when I was a kid.  As soon as I was old enough to understand the poem, my grandmother made a photocopy of it for me, and, nearly 30 years later, I still have that same photocopy laminated and hanging on my office bulletin board.  These are words I do my best to live by:

“Promise Yourself…

To be so strong that nothing
can disturb your peace of mind.
To talk health, happiness, and prosperity
to every person you meet.

To make all your friends feel
that there is something in them
To look at the sunny side of everything
and make your optimism come true.

To think only the best, to work only for the best,
and to expect only the best.
To be just as enthusiastic about the success of others
as you are about your own.

To forget the mistakes of the past
and press on to the greater achievements of the future.
To wear a cheerful countenance at all times
and give every living creature you meet a smile.

To give so much time to the improvement of yourself
that you have no time to criticize others.
To be too large for worry, too noble for anger, too strong for fear,
and too happy to permit the presence of trouble.

To think well of yourself and to proclaim this fact to the world,
not in loud words but great deeds.
To live in faith that the whole world is on your side
so long as you are true to the best that is in you.”

Which firms profit most from America’s health-care system – Schumpeter

Source: Which firms profit most from America’s health-care system – Schumpeter

It is not pharmaceutical companies

EVERY year America spends about $5,000 more per person on health care than other rich countries do. Yet its people are not any healthier. Where does all the money go? One explanation is waste, with patients wolfing down too many pills and administrators churning out red tape. There is also the cost of services that may be popular and legitimate but do nothing to improve medical outcomes. Manhattan’s hospitals, with their swish reception desks and menus, can seem like hotels compared with London’s bleached Victorian structures.

The most controversial source of excess spending, though, is rent-seeking by health-care firms. This is when companies extract outsize profits relative to the capital they deploy and risks they take. Schumpeter has estimated the scale of gouging across the health-care system. Although it does not explain the vast bulk of America’s overspending, the sums are big by any other standard, with health-care firms making excess profits of $65bn a year. Surprisingly, the worst offenders are not pharmaceutical firms but an army of corporate health-care middlemen.


In crude terms, the health-care labyrinth comprises six layers, each involving the state, mutual organisations and private firms. People and employers pay insurance companies, which pay opaque aggregators known as pharmacy-benefit managers and preferred provider organisers. They in turn pay doctors, hospitals and pharmacies, which in turn pay wholesalers, who pay the manufacturers of equipment and drugs. Some conglomerates span several layers. For example on March 8th Cigna, an insurance firm, bid $67bn for Express Scripts, a benefit manager. A system of rebates means money flows in both directions so that the real price of products and services (net of rebates) is obscured.

To work out who is stiffing whom, Schumpeter has examined the top 200 American listed health-care firms. Excess profits are calculated as those earned above a 10% return on capital (excluding goodwill), a yardstick of the maximum that should be possible in any perfectly competitive industry. For drugmakers the figures treat research and development (R&D) as an asset that is depreciated over 15 years, roughly the period they have to exploit patents on discoveries. The data are from Bloomberg.

Total excess profits amount to only about 4% of America’s health-care overspending. But this still makes health care the second biggest of the giant rent-seeking industries that have come to dominate parts of the economy. The excess profits of the health-care firms are equivalent to $200 per American per year, compared with $69 for the telecoms and cable TV industry and $25 captured by the airline oligopoly. Only the five big tech “platform” firms, with a figure of $250, are more brazen gougers.

Everyone hates pharmaceutical firms, but their share of health-care rent-seeking is relatively trivial, especially once you include the many midsized and small firms that are investing heavily. Across the economy, average prices received by drug manufacturers have risen by about 5% per year, net of the rebates. But their costs have risen, too. As a result, even for the 15 biggest global drugs firms, returns on capital have halved since the glory days of the late 1990s, and are now barely above the cost of capital. As employer schemes get stingier, employees are being forced to pay more of their drug costs; they are price-conscious.

Meanwhile the effectiveness of R&D seems to have fallen. Richard Evans of SSR, a research firm, tracks the number of high-quality patents (defined as those cited in other patent applications) that drug firms generate per dollar of R&D. This metric has dropped sharply over the past decade. Shareholders may groan, but for the economy overall the system seems to be working. Big pharma is still splurging on R&D but not making out like a bandit.

As the drug industry has come back down to earth, the returns of the 46 middlemen on the list have soared. Fifteen years ago they accounted for a fifth of industry profits; now their share is 41%. Health-insurance companies generate abnormally high returns, but so do the wholesalers, the benefit managers and the pharmacies. In total middlemen capture $126 of excess profits a year per American, or about two-thirds of the whole industry’s excess profits. Express Scripts earns billions while having less than $1bn of physical plants and no disclosed investment in R&D. This year the combined profits of three wholesalers that few outsiders have heard of are expected to exceed those of Starbucks.

The dark view is that pockets of rent-seeking have become endemic in America’s economy. Wherever products are too complex for customers to understand, and where subsidies and complex regulation add to the muddle, huge profits can opaquely be made. Remember mortgage-backed securities?

In the case of health care, consolidation has probably made things worse by muting competition. There are now five big insurance companies, three big wholesalers, three large pharmacy chains and three big benefit managers. The current vogue is for “vertical mergers” in which firms expand into different layers. As well as Cigna and Express Scripts, Aetna, another insurer, and CVS, a pharmacy and benefits manager, are merging. All these firms insist competition will be boosted. But they are also projecting the deals will boost their combined profits by $1.4bn.

Amazon and the health-care jungle

Yet perhaps capitalism is not broken and new contenders will eventually be tempted in. Amazon has acquired wholesale pharmacy licences in multiple states. It is also teaming up with JPMorgan Chase and Berkshire Hathaway to create a new health system for their staff. These initiatives are at an early stage, but investors are sufficiently worried that they value the intermediaries on abnormally low multiples of profits, suggesting earnings may fall. People often get upset when conventional industries are hit by digital competition. Few would lament it in the case of health-care middlemen.

A healthcare algorithm started cutting care, and no one knew why – The Verge

Source: A healthcare algorithm started cutting care, and no one knew why – The Verge

What happens when an algorithm cuts your health care

For most of her life, Tammy Dobbs, who has cerebral palsy, relied on her family in Missouri for care. But in 2008, she moved to Arkansas, where she signed up for a state program that provided for a caretaker to give her the help she needed.

There, under a Medicaid waiver program, assessors interviewed beneficiaries and decided how frequently the caretaker should visit. Dobbs’ needs were extensive. Her illness left her in a wheelchair and her hands stiffened. The most basic tasks of life — getting out of bed, going to the bathroom, bathing — required assistance, not to mention the trips to yard sales she treasured. The nurse assessing her situation allotted Dobbs 56 hours of home care visits per week, the maximum allowed under the program.

For years, she managed well. An aide arrived daily at 8AM, helped Dobbs out of bed, into the bathroom, and then made breakfast. She would return at lunch, then again in the evening for dinner and any household tasks that needed to be done, before helping Dobbs into bed. The final moments were especially important: wherever Dobbs was placed to sleep, she’d stay until the aide returned 11 hours later.

Dobbs received regular reassessments of her needs, but they didn’t worry her. She wouldn’t be recovering, after all, so it didn’t seem likely that changes would be made to her care.

When an assessor arrived in 2016 and went over her situation, it was a familiar process: how much help did she need to use the bathroom? What about eating? How was her emotional state? The woman typed notes into a computer and, when it was over, gave Dobbs a shocking verdict: her hours would be cut, to just 32 per week.

Tammy Dobbs.

Dobbs says she went “ballistic” on the woman. She pleaded, explaining how that simply wasn’t enough, but neither of them, Dobbs says, seemed to quite understand what was happening. Dobbs’ situation hadn’t improved, but an invisible change had occurred. When the assessor entered Dobbs’ information into the computer, it ran through an algorithm that the state had recently approved, determining how many hours of help she would receive.

Other people around the state were also struggling to understand the often drastic changes. As people in the program talked to each other, hundreds of them complained that their most important lifeline had been cut, and they were unable to understand why.

Algorithmic tools like the one Arkansas instituted in 2016 are everywhere from health care to law enforcement, altering lives in ways the people affected can usually only glimpse, if they know they’re being used at all. Even if the details of the algorithms are accessible, which isn’t always the case, they’re often beyond the understanding even of the people using them, raising questions about what transparency means in an automated age, and concerns about people’s ability to contest decisions made by machines.

Planning for the cut in care, Dobbs calculated what she could do without, choosing between trips to church or keeping the house clean. She had always dabbled in poetry, and later wrote a simple, seven-stanza piece called “Hour Dilemma,” directed toward the state. She wrote that institutionalization would be a “nightmare,” and asked the state “to return to the human based assessment.”

The change left Dobbs in a situation she never thought she would be in, as the program she’d relied on for years fell out from below her. “I thought they would take care of me,” she says.

The algorithm that upended Dobbs’ life fits comfortably, when printed, on about 20 pages. Although it’s difficult to decipher without expert help, the algorithm computes about 60 descriptions, symptoms, and ailments — fever, weight loss, ventilator use — into categories, each one corresponding to a number of hours of home care.

Like many industries, health care has turned to automation for efficiency. The algorithm used in Arkansas is one of a family of tools, called “instruments,” that attempt to provide a snapshot of a person’s health in order to inform decisions about care everywhere from nursing homes to hospitals and prisons.

The instrument used in Arkansas was designed by InterRAI, a nonprofit coalition of health researchers from around the world. Brant Fries, a University of Michigan professor in the school’s Department of Health Management and Policy who is now the president of InterRAI, started developing algorithms in the 1980s, originally for use in nursing homes. The instruments are licensed to software vendors for a “small royalty,” he says, and the users are asked to send data back to InterRAI. The group’s tools are used in health settings in nearly half of US states, as well as in several countries.

In home care, the problem of allocating help is particularly acute. The United States is inadequately prepared to care for a population that’s living longer, and the situation has caused problems for both the people who need care and the aides themselves, some of whom say they’re led into working unpaid hours. As needs increase, states have been prompted to look for new ways to contain costs and distribute what resources they have.

States have taken diverging routes to solve the problem, according to Vincent Mor, a Brown professor who studies health policy and is an InterRAI member. California, he says, has a sprawling, multilayered home care system, while some smaller states rely on personal assessments alone. Before using the algorithmic system, assessors in Arkansas had wide leeway to assign whatever hours they thought were necessary. In many states, “you meet eligibility requirements, a case manager or nurse or social worker will make an individualized plan for you,” Mor says.

Arkansas has said the previous, human-based system was ripe for favoritism and arbitrary decisions. “We knew there would be changes for some individuals because, again, this assessment is much more objective,” a spokesperson told the Arkansas Times after the system was implemented. Aid recipients have pointed to a lack of evidence showing such bias in the state. Arkansas officials also say a substantial percentage of people had their hours raised, while recipients argue the state has also been unable to produce data on the scope of the changes in either direction. The Arkansas Department of Human Services, which administers the program, declined to answer any questions for this story, citing a lawsuit unfolding in state court.

When similar health care systems have been automated, they have not always performed flawlessly, and their errors can be difficult to correct. The scholar Danielle Keats Citron cites the example of Colorado, where coders placed more than 900 incorrect rules into its public benefits system in the mid-2000s, resulting in problems like pregnant women being denied Medicaid. Similar issues in California, Citron writes in a paper, led to “overpayments, underpayments, and improper terminations of public benefits,” as foster children were incorrectly denied Medicaid. Citron writes about the need for “technological due process” — the importance of both understanding what’s happening in automated systems and being given meaningful ways to challenge them.

Critics point out that, when designing these programs, incentives are not always aligned with easy interfaces and intelligible processes. Virginia Eubanks, the author of Automating Inequality, says many programs in the United States are “premised on the idea that their first job is diversion,” increasing barriers to services and at times making the process so difficult to navigate “that it just means that people who really need these services aren’t able to get them.”

One of the most bizarre cases happened in Idaho, where the state made an attempt, like Arkansas, to institute an algorithm for allocating home care and community integration funds, but built it in-house. The state’s home care program calculated what it would cost to care for severely disabled people, then allotted funds to pay for help. But around 2011, when a new formula was instituted, those funds suddenly dropped precipitously for many people, by as much as 42 percent. When the people whose benefits were cut tried to determine how their benefits were determined, the state declined to disclose the formula it was using, saying that its math qualified as a trade secret.

In 2012, the local ACLU branch brought suit on behalf of the program’s beneficiaries, arguing that Idaho’s actions had deprived them of their rights to due process. In court, it was revealed that, when the state was building its tool, it relied on deeply flawed data, and threw away most of it immediately. Still, the state went ahead with the data that was left over. “It really, truly went wrong at every step of the process of developing this kind of formula,” ACLU of Idaho legal director Richard Eppink says.

Most importantly, when Idaho’s system went haywire, it was impossible for the average person to understand or challenge. A court wrote that “the participants receive no explanation for the denial, have no written standards to refer to for guidance, and often have no family member, guardian, or paid assistance to help them.” The appeals process was difficult to navigate, and Eppink says it was “really meaningless” anyway, as the people who received appeals couldn’t understand the formula, either. They would look at the system and say, “It’s beyond my authority and my expertise to question the quality of this result.”

Idaho has since agreed to improve the tool and create a system that Eppink says will be more “transparent, understandable, and fair.” He says there might be an ideal formula out there that, when the right variables are entered, has gears that turn without friction, allocating assistance in the perfect way. But if the system is so complex that it’s impossible to make intelligible for the people it’s affecting, it’s not doing its job, Eppink argues. “You have to be able to understand what a machine did.”

Cash, Arkansas.

“That’s an argument,” Fries says. “I find that to be really strange.” He’s sympathetic to the people who had their hours cut in Arkansas. Whenever one of his systems is implemented, he says, he recommends that people under old programs be grandfathered in, or at least have their care adjusted gradually; the people in these programs are “not going to live that long, probably,” he says. He also suggests giving humans some room to adjust the results, and he acknowledges that moving rapidly from an “irrational” to a “rational” system, without properly explaining why, is painful. Arkansas officials, he says, didn’t listen to his advice. “What they did was, in my mind, really stupid,” he says. People who were used to a certain level of care were thrust into a new system, “and they screamed.”

Fries says he knows the assessment process — having a person come in, give an interview, feed numbers into a machine, and having it spit out a determination — is not necessarily comfortable. But, he says, the system provides a way to allocate care that’s backed by studies. “You could argue everybody ought to get a lot more care out there,” he says, but an algorithm allows state officials to do what they can with the resources they have.

As for the transparency of the system, he agrees that the algorithm is impossible for most to easily understand, but says that it’s not a problem. “It’s not simple,” he says. “My washing machine isn’t simple.” But if you can capture complexity in more detail, Fries argues, this will ultimately serve the public better, and at some point, “you’re going to have to trust me that a bunch of smart people determined this is the smart way to do it.”

Shortly after Arkansas started using the algorithm in 2016, Kevin De Liban, an attorney for Legal Aid of Arkansas, started to receive complaints. Someone said they were hospitalized because their care was cut. A slew of others wrote in about radical readjustments.

De Liban first learned about the change from a program beneficiary named Bradley Ledgerwood. The Ledgerwood family lives in the tiny city of Cash, in the Northeast of the state. Bradley, the son, has cerebral palsy, but stays active, following basketball and Republican politics, and serving on the city council.

When Bradley was younger, his grandmother took care of him during the day, but as he got older and bigger, she couldn’t lift him, and the situation became untenable. Bradley’s parents debated what to do and eventually decided that his mother, Ann, would stay home to care for him. The decision meant a severe financial hit; Ann had a job doing appraisals for the county she would have to quit. But the Arkansas program gave them a path to recover some of those losses. The state would reimburse Ann a small hourly rate to compensate her for taking care of Bradley, with the number of reimbursable hours determined by an assessment of his care needs.

Legal Aid attorney Kevin De Liban.

When the state moved over to its new system, the Ledgerwood family’s hours were also substantially cut. Bradley had dealt with the Arkansas Department of Human Services, which administered the program, in a previous battle over a dispute on home care hours and reached out to De Liban, who agreed to look into it.

With Bradley and an elderly woman named Ethel Jacobs as the plaintiffs, Legal Aid filed a federal lawsuit in 2016, arguing that the state had instituted a new policy without properly notifying the people affected about the change. There was also no way to effectively challenge the system, as they couldn’t understand what information factored into the changes, De Liban argued. No one seemed able to answer basic questions about the process. “The nurses said, ‘It’s not me; it’s the computer,’” De Liban says.

At the time, they knew it was some sort of new, computer-based system, but there was no mention of an algorithm; the math behind the change only came out after the lawsuit was filed. “It didn’t make any sense to me in the beginning,” De Liban says. When they dug into the system, they discovered more about how it works. Out of the lengthy list of items that assessors asked about, only about 60 factored into the home care algorithm. The algorithm scores the answers to those questions, and then sorts people into categories through a flowchart-like system. It turned out that a small number of variables could matter enormously: for some people, a difference between a score of a three instead of a four on any of a handful of items meant a cut of dozens of care hours a month. (Fries didn’t say this was wrong, but said, when dealing with these systems, “there are always people at the margin who are going to be problematic.”)

The Ledgerwood family.

De Liban started keeping a list of what he thought of as “algorithmic absurdities.” One variable in the assessment was foot problems. When an assessor visited a certain person, they wrote that the person didn’t have any problems — because they were an amputee. Over time, De Liban says, they discovered wildly different scores when the same people were assessed, despite being in the same condition. (Fries says studies suggest this rarely happens.) De Liban also says negative changes, like a person contracting pneumonia, could counterintuitively lead them to receive fewer help hours because the flowchart-like algorithm would place them in a different category. (Fries denied this, saying the algorithm accounts for it.)

But from the state’s perspective, the most embarrassing moment in the dispute happened during questioning in court. Fries was called in to answer questions about the algorithm and patiently explained to De Liban how the system works. After some back-and-forth, De Liban offered a suggestion: “Would you be able to take somebody’s assessment report and then sort them into a category?” (He said later he wanted to understand what changes triggered the reduction from one year to the next.)

Fries said he could, although it would take a little time. He looked over the numbers for Ethel Jacobs. After a break, a lawyer for the state came back and sheepishly admitted to the court: there was a mistake. Somehow, the wrong calculation was being used. They said they would restore Jacobs’ hours.

“Of course we’re gratified that DHS has reported the error and certainly happy that it’s been found, but that almost proves the point of the case,” De Liban said in court. “There’s this immensely complex system around which no standards have been published, so that no one in their agency caught it until we initiated federal litigation and spent hundreds of hours and thousands of dollars to get here today. That’s the problem.”

It came out in the court case that the problem was with a third-party software vendor implementing the system, which mistakenly used a version of the algorithm that didn’t account for diabetes issues. There was also a separate problem with cerebral palsy, which wasn’t properly coded in the algorithm, and that caused incorrect calculations for hundreds of people, mostly lowering their hours.

“As far as we knew, we were doing it the right way,” Douglas Zimmer, the president of the vendor, a company called the Center for Information Management, says about using the algorithm that did not include diabetes issues. New York also uses this version of the algorithm. He says the cerebral palsy coding problem was “an error on our part.”

“If states are using something so complex that they don’t understand it, how do we know that it’s working right?” De Liban says. “What if there’s errors?”

Fries later wrote in a report to the state that about 19 percent of all beneficiaries were negatively impacted by the diabetes omission. He told me that the swapped algorithms amounted to a “very, very marginal call,” and that, overall, it wasn’t unreasonable for the state to continue using the system that allotted fewer hours, as New York has decided to. In the report and with me, he said the diabetes change was not an “error,” although the report says the more widely used algorithm was a “slightly better” match for Arkansas. One item listed as a “pro” in the report: moving back to the original algorithm was “responsive to trial result,” as it would raise the plaintiffs’ hours close to their previous levels. It’s not clear whether the state has since started counting diabetes issues. As of December, an official said he believed they weren’t. The Department of Human Services declined to comment.

But in internal emails seen by The Verge, Arkansas officials discussed the cerebral palsy coding error and the best course of action. On an email chain, the officials suggested that, since some of the people who had their hours reduced didn’t appeal the decision, they effectively waived their legal right to fight it. (“How is somebody supposed to appeal and determine there’s a problem with the software when DHS itself didn’t determine that?” De Liban says.) But after some discussion, one finally said, “We have now been effectively notified that there are individuals who did not receive the services that they actually needed, and compensating them for that shortcoming feels like the right thing to do.” It would also “place DHS on the right side of the story.”

The judge in the federal court case ultimately ruled that the state had insufficiently implemented the program. The state also subsequently made changes to help people understand the system, including lists that showed exactly what items on their assessments changed from year to year. But De Liban says there was a larger issue: people weren’t given enough help in general. While the algorithm sets the proportions for care — one care level, for example, might be two or three times higher than another — it’s the state’s decision to decide how many hours to insert into the equation.

“How much is given is as much a political as a service administration issue,” Mor says.

Fries says there’s no best practice for alerting people about how an algorithm works. “It’s probably something we should do,” he said when I asked whether his group should find a way to communicate the system. “Yeah, I also should probably dust under my bed.” Afterward, he clarified that he thought it was the job of the people implementing the system.

Kevin De Liban after a visit to Tammy Dobbs.

De Liban says the process for people appealing their cuts has been effectively worthless for most. Out of 196 people who appealed a decision at one point before the ruling, only nine won, and most of those were Legal Aid clients fighting on procedural grounds. While it’s hard to know, De Liban says it’s very possible some had errors they weren’t aware of.

Eubanks, the author of Automating Inequality, writes about the “digital poorhouse,” showing the ways automation can give a new sheen to long-standing mistreatment of the vulnerable. She told me there is a “natural trust” that computer-based systems will produce unbiased, neutral results. “I’m sure it is in some cases, but I can say with a fair amount of confidence it is not as descriptive or predictive as the advocates of these systems claim,” she says.

Eubanks proposes a test for evaluating algorithms directed toward the poor, including asking whether the tool increases their agency and whether it would be acceptable to use with wealthier people. It doesn’t seem obvious that the Arkansas system would pass that test. In one sign officials have been disappointed with the system, they’ve said they will soon migrate to a new system and software provider, likely calculating hours in a different way, although it’s not clear exactly what that will mean for people in the program.

Dobbs has done well up until now. Her house sits off a winding road on a lakeside hill, dotted in winter with barren trees. When the sun sets in the afternoon, light pours in through the windows and catches the plant collection Dobbs manages with help from an aide. A scruffy, sweatered dog named Spike hopped around excitedly when I visited recently, as a fluffy cat jockeyed for attention. “Sometimes I like them better than humans,” Dobbs says. On the wall was a collection of Duck Dynasty memorabilia and a framed photo of her with Kenny Rogers from when she worked at the Missouri building then known as the Kenny Rogers United Cerebral Palsy Center.

Dobbs with Kenny Rogers.
Outside Dobbs’ home.

For the time being, she’s stuck in limbo. She’ll soon come up for another reassessment, and while it’s almost certain, based on what is known about the system, that she’ll be given a cut, it’s hard to say how severe it will be. She’s been through the process more than once now. Her hours were briefly restored after a judge ruled in the plaintiffs’ favor in the federal lawsuit, only for them to be cut again after the state changed its notification system to comply with the ruling and reimplemented the algorithm. As she went through an appeal, the Department of Human Services, De Liban says, quietly reinstated her hours again. This, he says, was right around the time the cerebral palsy issue was discovered. He says this may have been the reason it was dropped: to save face. But as many people grappling with the changes might understand, it’s hard to know for sure.

The Wild Pizzas of Southern Italy Have to Be Seen to Be Believed

A restaurant critic and two chefs go on a pie-in-the-sky adventure to find exactly how far you can stretch the idea of pizza.

By Richard Vines

Source: The Wild Pizzas of Southern Italy Have to Be Seen to Be Believed

Pizzas at Di Gesù, a popular bakery in Altamura, Puglia.

Photographer: Carol Sachs for Bloomberg Businessweek

When do dough, tomato sauce, and mozzarella stop being mere ingredients and become pizza?

It’s a philosophical question that has divided chefs and diners for decades. For some, only pies in the Neapolitan and Roman styles are acceptable—Sicilian, at a stretch. Others extend the goal posts as far as Chicago deep dish.

But pizzas have been eaten in southern Italy for hundreds of years, and the rainbow of variations that can be found there—if you know where to look—rivals the rest of the world’s best efforts. Its proximity to North Africa means that flatbreads have been popular for centuries. Forget calzones—I’m talking about pizzas and pittas created specifically for breakfast, or marvels the size of entire tables, or baked spirals of crust begging to be torn into satisfying, savory chunks.

Francesco Mazzei (center), with locals from the town of Cerchiara di Calabria.

It’s not easy to discover these secret pizzas in the towns and villages; the economically troubled region doesn’t yet enjoy the number of tourists you find elsewhere in Italy. If you don’t speak Italian, you’re likely to struggle. When I go, I bring a guide: chef Francesco Mazzei, arguably the world’s leading ambassador for the cuisine of his native Calabria. His London restaurants include Fiume, Radici, and Sartoria, and he’s the author of Mezzogiorno (Preface Publishing, 2015), a celebration of southern Italian cooking. Even better, on this occasion he’s suggested bringing along Pierre Koffmann, the three-Michelin-starred French chef whose protégés include Marco Pierre White and Gordon Ramsay.

We pile into Mazzei’s Maserati for a road trip that starts in Calabria, winds through Basilicata, and ends in Puglia—the three southernmost provinces on Italy’s mainland. Our quest? To find the wondrous pizzas of his home culture, some of which have never been seen outside the region. We cover 250 miles over four days, sampling perhaps 20 versions. I’ll ultimately gain five pounds. Koffmann will tell me later that it took him months to get the weight off. “The pizzas were so good, I kept on eating,” he says. “We think we know all about pizza, but I’m still surprised by the variety.”

Calabria

Our journey starts in the rugged and parched province that provides the toe of the Italian boot. It’s a wild region of mountains and remote villages that bear little resemblance to the sophisticated cities and resorts most visitors know. Mazzei grew up here and learned to make gelato in his uncle’s shop. His family owns a tiny cottage on a hillside, with views across sun-scorched land to the Mediterranean. “Mezzogiorno means noon, half-day, or lunchtime,” Mazzei says. “But for me, it just means home.”

When we visit, a forest fire is raging so fiercely, the billowing smoke brings traffic to a standstill on the highway. We join other travelers standing outside cars, watching the flames in awe.

Mpigliati con le sarde

An mpigliati con le sarde pie at the Petite Etoile hotel consists of dough coated with a mash of sardella, a rich fish sauce with red peppers, and tiny fish cured with salt and paprika.
Photographer: Carol Sachs for Bloomberg Businessweek

Deep in the countryside, at the Petite Etoile hotel in the town of Spezzano Piccolo, Gemma Constantino cooks us a salty, beautiful pie that looks like a bundle of bread roses. It consists of strips of dough coated with a mash of sardella, a rich fish sauce with red peppers, and pilchards (small, herring-like fish) cured with salt and paprika. The strips are rolled and stuck together before baking; to eat, you just tear off one of the rolls, which are great with an aperitivo. There weren’t many other patrons, but the staff laid out a feast for Mazzei, who’s a celebrity in the region. This pizza is a good example of the cucina povera of southern Italy, where humble local ingredients are used to create deeply flavored dishes. The sweetness of the bread and the spiky fish flavors make this a favorite of Mazzei’s. “You’ll find a lot of the best cooks we meet are women,” he says.

Cullura

Cullura uses dough made with pig fat, which is stuffed with broccoli raab; it’s generally served cold.
Photographer: Carol Sachs for Bloomberg Businessweek

The team at Petite Etoile also serves up a pizza dough made with pig fat, layered with cime di rapa (broccoli raab), rolled a bit like a strudel, and then formed into a circle. Cullura is generally consumed cold and works as an everyday snack for farmers to take up into the mountains. “This is like a meal in itself,” Mazzei says. “We Italians usually don’t eat breakfast, so around 10:30 a.m., you are just ready for something to keep you going until lunch time.”

Pitta

Pitta is a Calabrian flatbread that’s crunchy on the outside and soft on the inside; it includes toppings such as tomato, peppers, and herbs. We sample slices from one monster loaf served at a bakery in Castrolibero. When we arrive in the small town, the mayor and some residents turn out to greet us. About 25 people join us as we walk the narrow streets before finding ourselves in a room for a reception with pitta, cakes, and wine.

The city of Matera in Basilicata.
Photographer: Carol Sachs for Bloomberg Businessweek

Pizza al taglio

This square pizza has a variety of toppings. It can be baked for a whole family to share, or bought by the slice. The one we devour is from the Pan Caffè in Fontanesi-Santa Lucia, near Castrolibero, where large groups gather to share giant pies. “This is street food at its best,” Mazzei enthuses. “You go out with your friends and eat all you can eat.” Although remote, the room is filled with happy diners dividing their time between the food and the soccer match on a big screen. Mazzei steps into the open kitchen at one end of the room and rustles up a spaghetti dish with garum, an anchovy paste, and basil. Several diners abandon the match to film and photograph Mazzei on their phones. The wine flows: It’s party time.

Falagone

This half-moon-shaped treat, like a small calzone, is usually eaten cold, but we sample some fresh from the oven at a new roadside bakery, Il Forno dei Sapori di Martorano Vincenzo, outside the hillside town of Cerchiara di Calabria. It’s unusual to find such a spotless and well-equipped bakery beside a road out here, where your best hope in another country might be for a gas station with a convenience store. The owner greets us and describes his food with pride, though (as keeps happening) the actual chef is a woman. Falagones are popular in Calabria, where they’re allowed to rest so the juices seep into the bread. Parents pack them for a seaside trip or for children going to school. Ours are filled with Swiss chard, onion, and sweet paprika. Another one comes with roasted peppers, potato, and onion.

Pitta rustica

A pitta rustica with prosciutto, caciocavallo cheese, and salumi between pitta-style bread.
Photographer: Carol Sachs for Bloomberg Businessweek

Also at Il Forno dei Sapori di Martorano Vincenzo, we discover prosciutto, caciocavallo cheese, and salumi sandwiched between two discs of pitta-style bread. It’s popular for parties or as an afternoon snack. “This is a simple pizza made with whatever you find in the fridge,” Mazzei says. “Every mum makes this for the kids.” I retreat to a corner to drink some crisp, light wine made locally from the ancient Greco bianco grape. The Calabrians are so hospitable, it’s an all-you-can-eat pizza fest, over and over.

Pasta da forno

Pasta da forno, a popular breakfast food at Panificio Mauro in Calabria, has no tomato sauce, no mozzarella, and no onion—just crushed tomato with salt, oregano, and olive oil.
Photographer: Carol Sachs for Bloomberg Businessweek

Forget the “pasta” name; this is a pizza, and it’s popular for breakfast. There’s no tomato sauce atop the dough, no mozzarella, no onion. It’s just crushed tomato with salt, oregano, and olive oil. This one is served to us at the smart Panificio Mauro, also in Cerchiara di Calabria. (In Italian, panificio means bakery.) Traditionally, pasta da forno comes in a round, black tray and is served cold. The absence of sauce helps keep the base crispy, making this a perfect snack to carry to school or to work.

Puglia

The heel of Italy is developing a reputation for its wines, and the food isn’t far behind. Again, we’re struck by the beautiful countryside and the ramshackle historic towns, such as Altamura, with its narrow alleyways and medieval city wall. And then there is Bari, a buzzy port city second only to Naples in the south of Italy.

Focaccia altamurana

The thick focaccia altamurana is studded with tomato and green olives.
Photographer: Carol Sachs for Bloomberg Businessweek

We enter Di Gesù, a popular bakery in Altamura, to try this pizza with dough made only with semolina flour and baked in the city’s oldest oven. Di Gesù is a thriving business now but traces its history to a small shop that opened in 1838. You can sense the pride put into the bread as it’s pulled from the oven. This is thick, like a deep-dish pie, with tomato, green olives, and extra virgin olive oil. “People who haven’t spent time in the south of Italy don’t know how good the food is,” Mazzei says. “We have the best fish, the best meat, the best fruit. You don’t need fancy cooking or luxuries like foie gras. You need to keep it simple and cook from the heart.”

Basilicata

Basilicata, the instep of Italy’s boot, straddles two coastlines. It’s absolutely charming, for both its splendid beaches and ancient towns in which Greek, Spanish, French, and Arabian influences from the times of traders and invaders still remain.

Panzerotto di carne and panzerotto fritto

Panzerotto di Carne at Luale
Photographer: Carol Sachs for Bloomberg Businessweek

These two pie pockets look like calzones but smaller. The first is filled with minced pork and spices, then baked and seasoned with thyme, rosemary, and oregano while the melted fat is still hot. It’s popular as a street food and also comes in a fried version, panzerotto fritto. The one we wolf down contains rich strands of mozzarella, sweet tomato, and basil. Luale, a bakery on the edge of a shopping mall in Policoro, serves both. It looks like a fast-food joint, but the store is clean and efficient, the food rich and layered. It’s the kind of modern store you might easily pass as you hunt for charm.

Strazzata

Strazzata, a summer-style pizza with peppers, tomato, and extra virgin olive oil, from Ristorante Pizzeria il Fosso, a small shack in a forest near the Basilicata village of Noepoli.
Photographer: Carol Sachs for Bloomberg Businessweek

We drive so deep into a forest, we feel certain we won’t find our way out, let alone the way to the small restaurant we’re seeking. But we do: Ristorante Pizzeria il Fosso is housed in what looks almost like a shack, yet it’s the most charming of the 20-plus spots we visit. Maria Ferrara is in charge of the kitchen, where children play inside and dogs run amok. Mazzei tucks into the strazzata, a fresh, crispy summer pizza with peppers, tomato, and extra-virgin olive oil, then delivers his verdict. “I love this place,” he says.

Tapes: A Ridiculously-Quick, Frictionless Screencasting Tool for Mac OS X.

Source: Tapes: A Ridiculously-Quick, Frictionless Screencasting Tool for Mac OS X.

A while ago I wrote a post covering all the screencasting tools I could think of from expensive-and-complex at one end of the continuum to free-and-simple at the other. Since writing that post, I have discovered another screencasting tool that I am quite enamoured of.

Tapes is the simplest and fastest way to make a screencast I’ve ever seen. It’s quick. I mean really, really, quick to use.

Click on the Tapes menu bar item, choose “Record New Tape” and bang! you are recording. When you choose “Stop and Upload”, it instantly tells you that a link has already been placed on your clipboard. You can immediately paste that into an email or discussion thread, even as the video is still being uploaded in the background! It’s that easy and quick. Watch this little 1 minute demonstration to see what I mean. It’s really quite something.

 

It’s not the tool I’d use to make a full-featured screencast. But for a quick explanation, it just can’t be beat.

Tapes has a one-time purchase price of $12.99, which also gives you 60 minutes of recording each month (ongoing), but if you buy it from this promo code, you’ll get an extra 15 minutes per month.

If you are looking for a free alternative, QuickCast is similar but not so amazing.  For example, unlike Tapes, when you click to record, it gives you a 5 second count-in, whereas Tapes just starts recording.  Also with QuickCast, once you finish recording, you have to wait until the video has finished uploading before a share link becomes available. Furthermore, once your video has finished uploading in QuickCast you have to pull down the QuickCast menu and click on the video, to copy a share link, whereas Tapes does all that for you.

Those shortcomings in QuickCast might seem inconsequential, but they mean you’ll find yourself wasting minutes every time you make a screencast, whereas in Tapes – as soon as you’re finished recording, you can paste the link somewhere, and forget about it, moving on to the next task. That increase in efficiency is noticeable – and since efficiency is the core reason for wanting to use either of these apps in the first place, Tapes is the better choice.

The best screencasting software for teachers

Source: The best screencasting software for teachers

As an edtech consultant, a common question I’m asked by teachers and school leaders these days is “Which screencasting software is best?”

In this post I’m going to recommend the screencasting tool that I think is the best for the majority of teachers. But first I’ve briefly reviewed each of 15 other contenders, in each case outlining its pros and cons – and pronouncing a verdict on it.

There is no single best tool to use.  So much depends on the type of computer you use (Mac or PC*), how comfortable you are with video-editing software, how much time you want to spend making your screencasts and how professional and fancy you want your screencasts to be. There’s also an element of personal preference regarding interface design. So my recommendation at the end of this post is no more than my professional opinion.

I’ve bought and used each of the software titles below, and I’ve run Professional Development workshops on each of them over the years, as well as making screencasts for my own students since 2006 and having students make and publish screencasts as part of their own learning journey.

[*NB. In this post I have focussed on computer screencasting tools – if you are interested in iPad tools have a look at this previous post]

1. Adobe Captivate

Like most Adobe software, this is a tool for über-professionals. It’s adobeously expensive (@ $435 per license), its interface and workflow are frustratingly non-intuitive for the uninitiated, and it takes me hours to do what I can do in other software in minutes, but you end up with very slick screencasts, and file sizes that are relatively small. If you are a professional screencaster (i.e., if you’ve been employed to make screencasts and that is your whole job) then you should probably have a look at it. For everyone else, keep reading.

Verdict:  I don’t recommend it for teachers.

2. Camtasia Studio

Very powerful PC-only software that lets me do almost everything I would want to do in an educational screencast, but I rarely recommend it to teachers who are starting out in screencasting because it costs $179 per license (education pricing) and requires a very steep learning curve.

Verdict:  I recommend it only for teachers who have already done some screencasting, are quite comfortable with a PC and demand a professional result. 

3. Camtasia:Mac

Although also made by Techsmith, Camtasia:Mac is not the same as Camtasia Studio.  It has some really cool, but arguably superfluous features (special effects and filters), is less complicated to use than Camtasia Studio, is less expensive (but still costs $75) and is still somewhat fiddly to use until you get familiar with its tools.

Verdict:  I recommend it for teachers who are fairly comfortable with their Mac, have already made some screencasts and want to experiment with cool effects.

4. Screenflow

Telestream’s Screenflow is my personal favourite screencasting tool (by quite a margin) and the one I most often turn to for my own screencasts, but I seldom recommend it to teachers because like Camtasia:Mac it’s expensive ($110), is Mac-only and is so feature-rich that many teachers are likely to find it daunting and time consuming. However, if you are a Mac user and fairly comfortable with multi-track video editing software, I think it’s worth both the money and the learning curve. It has a high power:complexity ratio. It punches well above its weight in that regard.

Verdict:  I recommend it for Mac users who are pretty good with a computer, have made some screencasts and now want screencast super-powers.

5. CamStudio

Please don’t confuse CamStudio with Camtasia Studio.  It has almost nothing in common with Techsmith’s powerful offerings (except that it has shamelessly piggy-backed on Camtasia’s good name).  CamStudio is an ugly, basic, kludgy, PC-only, dinosaur.  There are no good reasons to use it. Even if you don’t want to spend a cent, you’ll find better choices below.  Keep reading.

Verdict:  Keep walking, there’s nothing to see here.

6. Screenr 

Screenr is a web-based, Java tool.  As such it doesn’t require you to install anything on your computer (you simply go to screenr.com and click the record button) but the downside is that you have to have an internet connection and it’s slow to use because you have to wait for the video to upload before you can then download and save it.  It doesn’t let you record your webcam, and only lets you record for 5 minutes. This is the sort of software that seems simple to use – but ends up creating frustration.

Verdict:  Maybe if your IT department won’t let you install software … but even then, there are better options. (See Screencast-O-Matic below.)

7. Jing

Jing is another screencasting tool by Techsmith. If you take all the pros and cons of Camtasia Studio and flip them, you have Jing.  It’s completely free, has a super-simple interface (probably the easiest of all the tools to use), but it lacks features: You can’t record your webcam, you can’t annotate your videos. It also has significant limitations: You can’t record for more than 5 minutes and worst of all, it only publishes videos in .swf format which won’t play natively on iOS devices.  That’s a deal-breaker for me.  What’s even worse, the particular .swf files produced can’t be converted to mp4 even with professional file-conversion utilities.  This means there is no way to edit them – unless you buy Camtasia Studio, which can edit Jing files.

Jing is free for a reason. Techsmith has positioned it as a gateway drug – it starts with Jing and before you know it you’re using SnagIt or Camtasia.  

Verdict: Friends don’t let friends use Jing.

8. SnagIt

Techsmith is smart. They know that Jing is going to frustrate you. So they provided yet another simple tool that is very similar to Jing in every way but without some of the frustrations: i.e., you can record for as long as you want and your videos are published in mp4 format. But this time it’s not free. It costs $30. It’s reasonably good but expensive for what you get. It punches below its weight.

Verdict: A nice program – but lacking features and expensive for what it is.  I think it’s worth $10, not $30. 

9. Microsoft Community Clips

Community Clips is a Microsoft labs experiment.  It’s available for free from various sites on the web (but not directly from Microsoft, anymore). It does a reasonable job of recording the screen, but that’s all it does. It’s probably about equal to SnagIt – except it’s free. The videos can, of course, be edited in Movie Maker if necessary.

Verdict: If you are a PC user, this is a better choice than Jing – at least the files can be edited in MovieMaker.  Still, there are better choices for features and flexibility.

10. Microsoft Expression Encoder

[Thanks to Thomas Gaffey for reminding me to include this one].  Expression Encoder is more full-featured than Community Clips and is still able to be downloaded from Microsoft. Like Community Clips it’s free – but unlike Community Clips it allows you to record both your screen and your webcam and it affords you basic editing options once recording is finished (you can cut sections out, for example).  The workflow is less obvious than some other apps.  You first record the video and then send it to a separate editor application.  This always feels a bit confusing to new users at first but don’t let that put you off. It’s not difficult to do once you’ve done it once. And doing this will stand you in good stead, should you decide later to upgrade to Camtasia Studio – because that is how Camtasia works, too.  It’s not hard to do once you understand the workflow.

Verdict: I’d recommend this to PC users as a good option. If you are a PC user, currently using Community Clips, SnagIt, Jing, Screenr, or CamStudio, you’d be better off with Expression Encoder. 

11. Apple QuickTime Player

[Thanks to Chris Russell @choirguy_ for pointing out that I had neglected this one in my original post – shame on me! ] QuickTime Player comes installed on every Mac.  What lots of people don’t realise is that it has a screen recording feature built right into it!  Simply go to File > New Screen Recording.  It actually works very well, though it’s fairly featureless – being about equal, feature-for-feature with Community Clips and SnagIt.  But it is free (unlike SnagIt) and a huge boon is that it’s already there on a teacher’s machine, installed and ready to go.  Unfortunately QuickTime Player for Windows does not have this feature – so it’s a Mac-only boon.

Verdict: For Mac users wanting to quickly make a screencast with no fuss and without even downloading / installing anything – QuickTime Player is already there at the ready.

12. Snapz Pro

Snapz Pro (Mac only) has been around for years. It’s the first screencasting tool I ever used. It has similar features to SnagIt or QuickTime Player but is even more expensive ($65).

Verdict: Not my choice anymore, and too expensive. 

13. iShowU

iShowU by Shinywhitebox is an evolving platform.  It used to be too feature-poor for the price tag ($30) but now they have added the ability to record the webcam, editing and other power-user features similar to some of those in Screenflow and Camtasia.  So far though I’ve been disappointed with its performance. It seems to crash a lot and is a bit buggy.

Verdict: I think it will eventually be a great choice for Mac users, but I can’t recommend it at the moment – It’s still too buggy.

14. Voilá

I hear a lot of buzz around Voilá but personally I think it’s over-hyped at $32.  It’s a pretty handy screen capture tool (for still screenshots) but that is not what I am really reviewing in this post. As a screencasting tool, Voilá would not be my choice.  It allows you to record your screen like any screencasting tool does, or it allows you to record your webcam – but disappointingly, not both at the same time. So for screencasting I’d say it’s about as useful as SnagIt – at about the same price.

Verdict:  M’eh. 

15. Collaaj

Collaaj does something that no other platform discussed here does. Not only does it work on Mac or PC but there is also an iPad app.  It’s pretty good too – it lets you record your webcam as well as the screen, and all the video is handled by Collaaj’s servers which makes for very easy sharing with your students and vice versa.  It lets you record your webcam (or FaceTime camera on the iPad) – which is something SnagIt and Jing and several others don’t allow.  Unfortunately the free version only lets you record for 2 minutes which is just too short to be useful.  There are a range of paid plans (a subscription model) that range from $5 – $75 per month depending on your needs.  For some schools this might be a good choice but I think the subscription model is probably a deal-breaker for many.

Verdict: I may recommend it, especially in a BYOD school, depending on your budget.

16. Screencast-O-Matic

I think Screencast-O-Matic hits the sweet spot in terms of features, ease of use and price. It’s free. It records your webcam as well as your screen, it couldn’t be very much easier to use, and it has some really nice features that you don’t get in any other free screencasting software. For example, when you click your mouse, it inserts a visible and audible click.  There is a Mac version, a Windows version and you have the option of launching it as a Java applet from screencast-o-matic.com without installing any software on your computer.  This makes it really versatile and useful.  The huge advantage of it being free is that you can ask students to install it on their computers without worrying about hitting the pocket-nerve of their parents.

Videos can be saved to your computer as an mp4, uploaded directly to YouTube or published to Screencast-O-Matic’s own video-sharing server (useful if YouTube has not yet been unblocked by your IT department).

While Screencast-O-Matic is free to use, it will limit you to 15 minutes and puts a small “Screencast-O-Matic” watermark in the lower left corner of the final published video. There is a Pro version which unlocks a LOT more features. The Pro version gives you video editing (delete that cough!), the ability to record system audio, and the ability to record for longer than 15 minutes. It also records videos in higher definition, allows publishing in more video formats, removes the watermark – and more. I think most teachers will find that the free version is all they need. But for those who want to take it up a notch – without going all the way to Camtasia Studio or Screenflow, the Pro version of Screencast-O-Matic only costs $15/year.

Verdict: I’d recommend it to almost any teacher who is starting out in screencasting. The free version is better than any other free tool I’ve found and it’s even better than most of the paid tools. The Pro version (for just $15) is better than anything except the really pro tools such as Screenflow and Camtasia, but much more affordable, and easier to use.

[Edit: January 19, 2017 – if you want to purchase Screencast-O-Matic Pro with a 20% discount, you can use this link.]

[Edit: December 5, 2017]

17. Screencastify

Another really great, simple screencasting tool that I highly recommend to teachers – especially Chromebook users – is Screencastify. It’s as easy to use as Screencast-O-Matic, and has many of the same features, but it runs as a Chrome plugin, and saves your recordings to Google Drive. Having said that, it doesn’t just let you record the browser window; you can record your entire desktop and optionally even your webcam (which, like Screencast-O-Matic, will appear as a cameo picture-in-picture at the lower right of the video). Screencastify also allows you to annotate over a Tab recording, and has some basic editing features which you can use in post (if you want to).

The free version allows you to record up to 50 10-minute videos (which in my opinion is long enough) per month, and watermarks your videos with a Screencastify message. To remove these limitations, and to enable editing and cropping, Screencastify Pro costs just US$2 per month.

Because it runs as a Chrome extension, you need to have an internet connection to use Screencastify.

Verdict: I’d recommend it to any teacher – but especially to the growing number of teachers who use Chromebooks, for whom Screencast-O-Matic is not a good option.

 These are not the only choices of course.  This is an exploding market. Have you used one that you would recommend?

OneDrive, Dropbox, Google Drive and Box: Which cloud storage service is right for you? – CNET

Source: OneDrive, Dropbox, Google Drive and Box: Which cloud storage service is right for you? – CNET

If you’re ready to take the plunge into storing your files, photos and more in the cloud but need help deciding which service is right for your needs and wallet, we’ve got you covered with our in-depth cloud storage comparison.

Which cloud storage service is for you? Sarah Mitroff/CNET

Storing your files in the cloud has many advantages. You can view your files from any phone, tablet or computer that’s connected to the Internet, and the cloud can also provide backup for files so they’ll never disappear if your phone gets lost or your computer crashes. Using the cloud is a no-brainer, but picking which service to use is a bit more difficult.

For that reason, I’ve compiled a guide to the most popular cloud storage services, covering how they work and their strengths and weaknesses. I’ve also highlighted some lesser-known options if you want to get away from the mainstream.

Editors’ note, March 25, 2016: This guide originally included cloud storage service Copy, but we’ve removed it because it is shutting down on May 1, 2016.

Cloud storage comparison

| | OneDrive | Dropbox | Google Drive | Box | Amazon Cloud Drive |
|---|---|---|---|---|---|
| File size restrictions? | 10GB | 10GB with website, none with Dropbox apps | 5TB | 250MB for free plan, 5GB for paid personal plan | 2GB* |
| Free storage? | 5GB** | 2GB | 15GB | 10GB | No*** |
| Can I earn extra free storage? | No** | Yes | No | No | No |
| Paid plans | $2/month for 50GB** | $10/month for 1TB | $2/month 100GB, $10/month for 1TB | $10/month for 100GB | $12/year for unlimited photos, $60/year for unlimited files |
| OSes supported | Windows, Mac, Android, iOS, Windows Phone | Windows, Mac, Linux, Android, iOS, Windows Phone, BlackBerry, Kindle Fire | Windows, Mac, Android, iOS | Windows, Mac, Android, iOS, Windows Phone, BlackBerry | Windows, Mac, Android, iOS, Kindle Fire |

*There is no file size limit with desktop apps.

**In early 2016, Microsoft will change its free storage from 15GB to 5GB and offer a $2 per month for 50GB paid plan instead of its earlier offerings. It will also no longer let you earn free storage.

***Amazon Cloud Drive offers limited free storage with an Amazon Prime subscription.


Before we get started, just a note about Apple’s iCloud Drive. I didn’t include it here because the service is not available for Android and it’s really meant to be used within the Apple ecosystem, meaning if you use Mac computers and iOS devices together. If you do use mostly Apple products, it’s a solid choice for cloud storage. For a full run-down of its features, pricing and availability, check out CNET’s guide to Apple iCloud Drive.

OneDrive’s Android app. Screenshot by Sarah Mitroff/CNET

OneDrive

First up is OneDrive, Microsoft’s storage option. Those who use Windows 8 and 10 have OneDrive built into their operating system, where it shows up in the file explorer next to all of the files on your computer’s hard drive. However, anyone can use it on the Web, by downloading a desktop app for Mac and earlier versions of Windows, or the OneDrive Android, iOS, Windows Phone and Xbox apps.

You can store any kind of file in the service, including photos, video and documents, and then access them from any of your Windows PCs or mobile devices. The service organizes your files by type for you, so it’s easy to find what you need.

The Android, iOS and Windows Phone apps all have automatic photo uploads, meaning that when you shoot a photo with your phone, it’s automatically saved to your account. OneDrive’s biggest strength is that it works closely with Microsoft Office apps, such as Word or PowerPoint, so when you launch one of those applications you’ll see a list of recent documents saved to OneDrive. If you have an Office 365 subscription and open a document saved in OneDrive, you can collaborate on it in real time with other people. You’ll even be able to see the changes they make as they make them.

Microsoft is hoping that OneDrive will be the place where you store your photos, and the company is working on technology that will eventually sort all of the photos you take based on how important and meaningful they are. For instance, if you take a photo of your kids, a picture of a special meal and a shot of your parking space so you can find your car later, OneDrive would be able to understand the importance of each picture, save the ones it thinks are the most useful, and trash the rest. That’s still big-picture stuff for OneDrive, but it gives you an idea of the direction Microsoft is moving in.

In late 2015, Microsoft made an announcement that it would no longer offer unlimited cloud storage to Office 365 subscribers. Instead, they are limited to 1TB. Additionally, beginning in early 2016, the 100GB and 200GB paid storage plans will be discontinued, replaced with a 50GB for $1.99 per month plan. You will no longer get extra space if you allow the OneDrive apps to automatically back up photos on your phone. Finally, anyone with a Microsoft account will only get 5GB of free storage, instead of 15GB. We will update this guide in 2016 when those changes are made.

Where it excels

  • Works seamlessly with Windows devices because it’s built in to the Windows operating system.
  • It’s easy to open and edit files from OneDrive in Microsoft’s other applications, such as Word or Excel.
  • Signing up for OneDrive gets you a Microsoft account, which gives you access to Outlook, Xbox Live, and other Microsoft services.

Where it falls flat

  • OneDrive’s automatic file organization doesn’t always put files in the correct folders.

Best for: If you have a Windows PC, tablet and phone, and need to get to your files from any device with little effort.


Dropbox on Windows. Screenshot by Sarah Mitroff/CNET

Dropbox

Dropbox is a favorite in the cloud storage world because it’s reliable, easy to use, and a breeze to set up. Your files live in the cloud and you can get to them at any time from Dropbox’s website, desktop applications for Mac, Windows and Linux (Ubuntu, Debian, Fedora or compile your own), or the iOS, Android, BlackBerry and Kindle Fire mobile apps.

You can store any kind of file in Dropbox, by either uploading to the website or adding it with the desktop apps. Those apps live in your file system so that you can easily move files from your computer to the cloud and vice versa by dragging and dropping them into your Dropbox folder. The service automatically and quickly syncs your files across all of your devices, so you can access everything, everywhere. There is no size limit on files you upload to Dropbox with the desktop or mobile apps, but larger files can take several hours to upload, depending on your connection speed.

Dropbox gets a lot of praise for its clean design, and rightfully so. Though I am not a fan of Dropbox’s website because the design is very basic and it doesn’t give you many options to view and organize your files, its mobile apps and desktop apps are beautiful and easy to navigate.

Dropbox gives its users plenty of opportunities to get extra storage to beef up the paltry 2GB you get when you sign up. If you participate in the quick Getting Started tutorial, you get 250MB. Turn on the automatic photo upload feature on any of the mobile apps to get 3GB of extra space (you can get only 3GB total, not per device). You can earn 500MB for each friend you refer to Dropbox who actually signs up for the service, up to 16GB total, or 32 referrals.

Where it excels

  • Dropbox works equally well on PCs and Macs, Android and iOS.
  • The service is so simple and elegantly designed that it’s easy for anyone to master.
  • Its desktop applications seamlessly blend with your computer’s file system.

Where it falls flat

  • Dropbox’s website doesn’t let you control how your files are displayed.

Best for: Simple sharing when you use tons of different kinds of devices.


Screenshot by Sarah Mitroff/CNET

Google Drive

Google combines a complete set of office tools with cloud storage in Drive. You get a little bit of everything with this service, including a word processor, spreadsheet application, and presentation builder, plus 15GB of free storage space.

If you already have a Google account, you can already access Google Drive. You just have to head to drive.google.com and enable the service. You get 15GB of storage for anything you upload to Drive, including photos, videos, documents, Photoshop files and more. However, you have to share that 15GB with your Gmail account, photos you upload to Google+, and any documents you create in Google Drive.

While you can access any of your files from the Drive Web site, you can also download the Drive desktop app for Mac and PC to manage your files from your computer. You can organize all of your files in the desktop app, and they’ll sync with the cloud so you can get to them anywhere.

Drive is built into Google’s Web-based operating system Chromium, so if you have a Chromebook, Google Drive is your best cloud storage option. Like other cloud storage services, Drive has apps for iOS and Android for viewing and managing your files from your phone.

Google Drive has the benefit of a built-in office suite, where you can edit documents, spreadsheets, and presentations, even if you created the document in another program. The service also has a large collection of extras, such as third-party apps that can send faxes or sign documents.

Google also recently introduced Google Photos, an online photo locker, where you can organize photos into albums. Google Photos is built into Drive in a separate tab, but you’re really better off going straight to googlephotos.com to see and organize photos. However, you don’t need to download the Google Photos app on your phone or tablet to back up pictures you take there. The Google Drive app can take care of that.

What I like most about Google Drive is that you can drag and drop files into the Drive Web site and they’ll be uploaded automatically. You can also preview attachments from Gmail in Google Drive, and save those files to your cloud.

Where it excels

  • Google Drive requires very little setup if you already have a Google account.
  • If you use Gmail, it’s easy to save attachments from your e-mail directly to Drive with just a few clicks.
  • The app can automatically back up your photos on its own, without the need for the separate Google Photos app.

Where it falls flat

  • If you use Google Drive’s tools to create documents, spreadsheets or presentations, you must export those files to edit them in another program.
  • You have to share your storage space with Gmail, so if your inbox is overflowing, you’ll get less cloud storage space.

Best for: Google diehards, or anyone who wants a few office tools with their cloud storage.


Box on Android. Screenshot by Sarah Mitroff/CNET

Box

Anyone can sign up for a free individual account on Box, but the service’s endless list of sharing and privacy features was built specifically for business and IT users. Beyond the basic cloud storage setup, where you can store just about any kind of file, Box lets you share files with colleagues, assign tasks, leave comments on someone’s work, and get notifications when a file changes.

You can preview files from Box’s website and even create basic text documents in Box. Like other cloud storage services, you can download a desktop app and sync your files between your hard drive and the cloud.

Box also gives you a lot of control over the privacy of your files. For example, you can decide who in your business can view and open specific folders and files, as well as who can edit and upload documents. You can even password-protect individual files and set expiration dates for shared folders.

Business users can also connect other apps, such as Salesforce and NetSuite, so that you can easily save documents to Box. There are also plug-ins for Microsoft Office and Adobe Lightroom that let you open and edit files saved to Box from those applications.

Where it excels

  • Box comes with tons of tools for businesses, including collaboration and file privacy control.

Where it falls flat

  • The service’s endless list of sharing and privacy features can be lost on someone who’s just using the service for personal storage.
  • Because of all those features, it can feel overwhelming to navigate the Box website if you’re only trying to manage a few files and folders.

Best for: Teams of employees working together on projects, and large companies that need a place to securely share documents with everyone.


Amazon Cloud Drive’s website. Screenshot by Sarah Mitroff/CNET

Amazon Cloud Drive

Amazon already sells you nearly anything under the sun, and it wants to be the place you store all of your music, photos, videos and other files too. Amazon Cloud Drive has been around for a few years, but the company introduced new storage plans in March 2015: one just for photos and one for all other kinds of files.

Neither plan is free, but both have three-month trials. Unlimited Photos is available for free for all Amazon Prime members or anyone with a Fire device. If you don’t have a Prime subscription or a Fire phone or tablet, you’ll need to pay $12 per month for the storage.

True to its name, Unlimited Photos gets you unlimited storage for your photos (GIF, JPEG, BMP, TIFF and so on) and 5GB of free storage for other file types, including videos, PDFs and documents.

Unlimited Everything gets you storage for an unlimited number of files of any type, for $60 per year. There is no limit for how many files you can upload, but each file needs to be under 2GB unless you use the Cloud Drive desktop apps.

The Cloud Drive desktop apps are available for PC and Mac, and let you upload or download files. However, unlike other cloud storage services, the Amazon Cloud Drive app doesn’t let you view your files from a folder on your computer. You can upload individual files and download your entire library, but if you want to view them or make changes, you’ll need to go to Amazon’s website.

Amazon Cloud Drive has apps for iOS and Android with automatic upload so videos and photos you take with your phone get saved to the cloud right after you shoot them. The service is also baked into Amazon’s Fire tablets and phone.

Where it excels

  • If you already have an Amazon account, you don’t need to sign up for a new service; you can simply sign in to Cloud Drive.

Where it falls flat

  • The desktop app doesn’t work with your file system; you can only use it to upload or download files.
  • You can only view and manage files from the Cloud Drive website, but you cannot upload files larger than 2GB there.

Best for: Anyone with an Amazon Fire tablet or Fire phone, because it’s part of the operating system. Unlimited Photos is good for Amazon Prime members, because you get it for free as part of that subscription.


Extra cloud options

Of course, OneDrive, Dropbox, Google Drive and Box aren’t your only options for cloud storage.

One is SugarSync, a Dropbox-like alternative with apps for every mobile platform. The catch is that after your 90-day free trial, where you can play around with 5GB of storage, you need to pay $7.50 per month for 60GB to keep using the service (you can upgrade to more storage for extra money).

There’s also Space Monkey, which has an entirely different take on cloud storage. For $200, you buy a 2-terabyte (TB) hard drive from the company. You get to use 1TB of the drive’s space to store any and all of your files as a local backup. Your files also get encrypted and broken into bits that are sent to other Space Monkey users’ hard drives, so that you can access your files from another computer or mobile device. That’s where that extra 1TB of space on your drive comes in — it’s used to store bits of other people’s files. The service is free for the first year, then costs $49 per year to keep storing your files in the cloud.