home – Alice, Eve and Bob – a security blog

On holiday – no post this week

Uninterrupted power for the (CI)A

I’d really prefer not to have to restart every time we have a minor power cut.

Regular readers of my blog will know that I love the CIA triad – confidentiality, integrity and availability – as applied to security. Much of the time, I tend to talk about the first two, and spend little time on the third, but today I thought I’d address the balance a little bit by talking about UPSes – Uninterruptible Power Supplies. For anyone who was hoping for a trolling piece on giving extra powers to US Government agencies, it’s time to move along to another blog. And anyone who thinks I’d stoop to a deliberately misleading article title just to draw people into reading the blog … well, you’re here now, so you might as well read on (and you’re welcome to visit others of my articles such as Do I trust this package?, A cybersecurity tip from Hazzard County, and, of course, Defending our homes).

Years ago, when I was young and had more time on my hands, I ran an email server for my own interest (and accounts). This was fairly soon after we moved to ADSL, so I had an “always-on” connection to the Internet for the first time. I kept it on a pretty basic box behind a pretty basic firewall, and it served email pretty well. Except for when it went *thud*. And the reason it went *thud* was usually because of power fluctuations. We live in a village in the East Anglian (UK) countryside where the electricity supply, though usually OK, does go through periods where it just stops from time to time. Usually for under a minute, admittedly, but from the point of view of most computer systems, even a second of interruption is enough to turn them off. Usually, I could reboot the machine and, after thinking to itself for a while, it would come back up – but sometimes it wouldn’t. It was around this time, if I remember correctly, that I started getting into journalling file systems to reduce the chance of unrecoverable file system errors. Today, such file systems are custom-place: in those days, they weren’t.

Even when the box did come back up, if I was out of the house, or in the office for the day, on holiday, or travelling for business, I had a problem, which was that the machine was now down, and somebody needed to go and physically turn it on if I wanted to be able to access my email. What I needed was a way to provide uninterruptible power to the system if the electricity went off, and so I bought a UPS: an Uninterruptible Power System. A UPS is basically a box that sits between your power socket and your computer, and has a big battery in it which will keep your system going for a while in the event of a (short) power failure and the appropriate electronics to provide AC power out from the battery. Most will also have some sort of way to communicate with your system such as a USB port, and software which you can install to talk to it that your system can decide whether or not to shut itself down – when, for instance, the power has been off for long enough that the battery is about to give out. If you’re running a data centre, you’ll typically have lots of UPS boxes keeping your most important servers up while you wait for your back-up generators to kick in, but for my purposes, knowing that my email server would stay up for long enough that it would ride out short power drops, and be able to shut down gracefully if the power was out for longer, was enough: I have no interest in running my own generator.

That old UPS died probably 15 years ago, and I didn’t replace it, as I’d come to my senses and transferred my email accounts to a commercial provider, but over the weekend I bought a new one. I’m running more systems now, some of them are fairly expensive and really don’t like power fluctuations, and there are some which I’d really prefer not to have to restart every time we have a minor power cut. Here’s what I decided I wanted:

a product with good open source software support;
something which came in under £150;
something with enough “juice” (batter power) to tide 2-3 systems over a sub-minute power cut;
something with enough juice to keep one low-powered box running for a little longer than that, to allow it to coordinate shutting down the other boxes first, and then take itself down if required;
something with enough ports to keep a a couple of network switches up while the previous point happened (I thought ahead!);
Lithium Ion rather than Lead battery if possible.

I ended up buying an APC BX950UI, which meets all of my requirements apart from the last one: it turns out that only high-end UPS systems currently seem to have moved to Lithium Ion battery technology. There are two apparently well-maintained open source software suites that support APC UPS systems: apcupsd and nut, both of which are available for my Linux distribution of choice (Fedora). As it happens, they both also have support for Windows and Mac, so you can mix and match if needs be. I chose nut, which doesn’t explicitly list my model of UPS, but which supports most of the product lower priced product line with its usbhid-ups driver – I knew that I could move to apsupsd if this didn’t work out, but nut worked fine.

Set up wasn’t difficult, but required a little research (and borrowing a particular cable/lead from a kind techie friend…), and I plan to provide details of the steps I took in a separate article or articles to make things easier for people wishing do replicate something close to my set-up. However, I’m currently only using it on one system, so haven’t set up the coordinated shutdown configuration. I’ll wait till I’ve got it more set up before trying that.

What has this got to do with security? Well, I’m planning to allow VPN access to at least one of the boxes, and I don’t want it suddenly to disappear, leaving a “hole in the network”. I may well move to a central authentication mechanism for this and other home systems (if you’re interested, check out projects such as yubico-pam): and I want the box that provides that service to stay up. I’m also planning some home automation projects where access to systems from outside the network (to view cameras, for instance) will be a pain if things just go down: IoT devices may well just come back up in the event of a power failure, but the machines which coordinate them are less likely to do so.

15 steps to prepare for (another) lockdown

What steps can we be taking to prepare for what seems likely now – a new lockdown?

The kids are back in school, there are people in shops and restaurants, and traffic is even beginning to get back to something like normal levels. I’m being deployed as a CFR (community first responder) to more incidents, as the ambulance service gets better at assessing the risks to me and patients. And the colds and sneezes are back.

Of course they are: it’s that time of year. And where are they spreading from? Where do they usually spread from? School pupils. Both of mine have picked up minor cold symptoms, but, luckily nothing suggesting Covid-19. The school they attend is following government advice by strongly recommending that pupils wear masks in communal areas, encouraging social distancing and providing hand sanitiser outside each classroom, to be used on entry. Great! That should limit Covid-19. And it should… but the sore throats, coughing and sneezing started within days of their return to school. I’m no expert but it seems likely (and many experts agree) that schools will be act as transmission vectors, and that the rates of infection of Covid-19 will start rising again. And yes, the UK already has an R figure well above 1.

Apart from ranting about how this was always likely to happen, and that the relevant authorities should have taken more steps to reduce the impact) both true), what steps can we be taking to prepare for what seems likely now – a new lockdown?

Physical steps

There are a number of things that I’ve done or plan to do to prepare. Some of them aren’t because I necessarily expect a full lockdown, but some because, if I feel ill and unable to leave the house, it’s best to be ready.

get provisions – what do we need in for food and drink? We should obviously not go overboard on alcohol, but if you like a glass of wine from time to time, get a few bottles in, maybe a nice one for a special occasion. Get dried food in, cooking oil, and the rest stock the freezer. Oh, and chocolate. Always chocolate.
household supplies – remember that run on random items at the beginning of the first lockdown? Let’s avoid that this time: get toilet paper, kitchen roll, cleaning materials and tissues (for when we feel really poorly).
work supplies – most of us are used to working at home now, but if you’ve got a dodgy monitor, a printer in need of paper, or a webcam that’s on its last legs, now is a good time to sort them out there’s a good chance that these might become difficult to get hold of (again).
fitness preparations – if the gyms close again, what will you do? Even if we’re allowed outside more for exercise this time round, those warm jogging shorts that you wore in the spring and summer are not what you want to be wearing in the sleet and snow, so buy whatever gear you need for indoor or outdoor use now.
get a haircut – or get hold of some hairdressing supplies. Many of us discovered that we or our family members had some skills in this department, but better to get a cut in preparation, right?
books – yes, there are alternatives to physical books: you can read on your phone or another device these days. But I like a physical book, and I wish I’d stocked up last time. Go to your friendly neighbourhood book store – they need your business right now – and buy a few books.
wood – we live in an old house, and have wood-burning stoves to supplement our heating. Get wood in now to avoid getting cold in the winter!
pay the bills – you may want or need some extra luxuries later, as the weather sets in and lockdown takes hold. Get the bills paid up front, so there are no nasty surprises and you can budget a few treats for yourself later.

Psychological steps

Just as important as the physical – more, probably – is psychological preparation. That doesn’t mean that the steps above aren’t important: in fact, they’re vital to allow you to have space to consider the psychological preparation, which is difficult if you’re concerned or unsure about your physical safety and environment.

Prioritise – if you can, work out now what you’re going to prioritise, and when. Sometimes work may come first (barring an emergency), sometimes family, sometimes you. Thinking about this now is a good plan, so that you can set some rules for yourself and for those around you.

Prepare your family – this isn’t just about the priorities you’ve already worked on in the previous point, but also more generally. Many of us struggled with lockdown, and although we might think that it’ll be easier second time round, the very fact that it’s happened again is likely to cause us more stress in some ways.

Sleep – sleep now: bank it while you can! Sleep when lockdown happens, too. This was something which was a surprise to me: how tired I got. Not going out is, it turns out, tiring. This is because stress – which was a clear outcome from the first lockdown, and stress can make you very tired. So sleep when you can, and don’t just try to “power through”.

List what you can control and what you can’t – a classic stressor is feeling overwhelmed with things that we can’t control. And there will definitely be things that we really can’t – how long it takes, which of my friends get sick, issues such as that. But equally, there are things that we can control: when I stop for a cup of tea (or coffee, I suppose), who I call to catch up with on the phone, what I have for supper. In order to reduce stress, list things that you can control, and which you can’t, and try to accept the latter. Doing so won’t remove all stress, but it should help you manage your response to that stress, which can help you reduce it.

Be ready to feel weak – you will feel sad and depressed and ill and fed up from time to time. This is normal, and human, and it does not make you a failure or a bad employee, family member, friend or person. Accept it, and be ready to move on when you can.

Think of others – other people will be struggling, too: your family, friends, colleagues and neighbours. Spare them a thought, and think how you can help, even if it’s just with a quick text, a family videochat or a kind word from time to time. Being nice to people can make you feel good, too – and if you’re lucky, they’ll reciprocate, so everyone wins twice!

Be ready to put yourself first – sometimes, you need to step back and say “enough”. This isn’t always easy, but it’s sometimes necessary. If you begin to realise that things are coming unstuck, and that you’re going to have to disengage, let others around you know if you can. Don’t say “I hope it’s OK if…” or “I was thinking about, would it be OK for me to…”. Instead, let them know your intentions: “I’m going to need 5 minutes to myself”, or “I need to drop from this meeting for a while”. This won’t always be easy, but if you can prepare them, and yourself, for taking a little time, it’s going to be better for everyone in the end: you, because you will recover (if only for a while), and them, because they’ll get a healthier, more efficient and less stressed you.

Bringing your emotions to work

An opportunity to see our colleagues as more “human”.

We’ve all seen the viral videos of respected experts, working from home, who are being interviewed for a news programme, only to be interrupted by a small child who then proceeds to embarrass them, whilst making the rest of us laugh. Since the increase in working from home brought on by Covid-19, it has become quite common to see similar dramas acted out on our own computer screens as colleagues struggle with children – and sometimes adults – turning up unexpectedly in front of the camera. We tend to laugh these occurrences off – quite rightly – and to be aware that they are often much more embarrassing for the affected party than for the rest of the participants. In all of the situations that I have witnessed where this has happened, the other members of the video conference have been shown understanding both of the fact that the incident occurred at all, but also of the frustration and embarrassment of the affected party.

This is all as it should be, but I think that we have a larger lesson to learn here. The emotions evidenced by this sort of incident are obvious and, what is more, it is usually entirely clear what has caused them: we have, after all, just seen the drama unfold in front of us. What I think I am also seeing, partly due to the broadly shared experiences of lock-down, is a better understanding that there are frustrations and emotions that occur due to events which occur off-camera, and that people need to be given space to manage those as much as any other, more obvious issue. Taking time at the beginning of a call to ask a colleague – or even someone from a different organisation – how things are going, how they’re coping, and what’s on their mind – has become much more commonplace than it was when most of us spent most of our time in offices. An acknowledgement of the impact of these trials and tribulations that everybody is facing has become much more acceptable in a work context, because the separation between the work context and the home context is become, for many, so blurred that that are almost indistinguishable.

What is astonishing about this is that we all know, and have always known, if we are honest with ourselves, that these trials and tribulations have always been there. What we seem to have believed is that because there are two separate spaces for most people who are not remote workers – the work environment and the home environment – then everybody should somehow magically be able to compartmentalise their feelings and emotions into corresponding separate boxes.

This was always a fiction, and, more, a self-evident one, which only ever worked in one direction. All families and partners know that there are occasions when a frustrating day at work will leave someone annoyed and upset on their return home. Equally, we expect to celebrate work successes when we arrive back with our families. But while telling work colleagues about the birth of niece, or the arrival of a new puppy, has been seen as just about acceptable, “burdening” them with news about a sick child or the impact of a major flood in the bathroom, both of which may be a major stressor in our lives, has often been seen as “unprofessional”.

Yesterday, my wife and I had to take our dog for emergency surgery[1]. Not only did this have an impact on my ability to attend a meeting, but I was also aware that my ability to function fully at work was impaired. I’m very fortunate to work at a company (Red Hat) where the culture is strongly supportive in dealing with such emergencies, and so it was: colleagues were ready to go out of their way to help, and this morning, one in particular was very forgiving of a rather confused technical question that I asked yesterday evening. I’m pretty sure that the same would have been the case outside the Covid-19 lockdown, but I was cheered (and helped) by their reactions. My emotions and ability to function in this case were due to an obvious and acute event, rather than a set of less visible or underlying conditions or events. Instances of the latter, however, are no less real, nor any less debilitating than instances of the former, but we are generally expected to hide them, at least in work context.

My plea – which is not new, and not original – is that as we fashion a “new normal” for our working lives, we create an environment where expressing and being honest about all parts of our lives – home, work and beyond – is welcomed and encouraged. I am not asking that we should expect colleagues to act as unpaid councillors, or that explosions of anger in meetings should suddenly become acceptable, but, instead, that we get better at not pretending that we are emotionless automata at work, able (and required) to compartmentalise our home lives from our work lives.

There are benefits to such an approach, not the least of which are the positive mental health effects of not “bottling up” our emotions[2]. But an opportunity to see our colleagues as more “human” can lead to better, more honest and empathetic relationships, as well as an increased resilience for businesses and organisations which are able to flex and bend to accommodate tensions and issues in people’s lives as the norm becomes to “chip in” and support colleagues who are struggling, as well as celebrating with them when they are joyful.

There are tensions here, limits of behaviour, and support structures which need to be put in place, but a honest and more rounded person, I believe, is a better and more understanding colleague, and leads to better, more diverse and higher-functioning workplaces.

1 – to fix a slipped disk. Initial signs are that the operation went well.

2 – I want to acknowledge and note that mental health issues are complex and need special management and treatment: something I have neither the expertise nor space to address in this article. I am, however, strongly in favour of more openness and less stigmatising of mental health issues, by which the vast majority of us will be affected – first or second hand – at some point in our lives. I know that I have.

9 tips for new home workers

Many workers are finding that they are working from home for the first time.

I wrote an article a few months ago which turned out to be my most popular ever, called My 7 rules for remote work sanity (it’s also available in Japanese). It was designed for people who are planning to work remotely – typically from home, but not necessarily – as a matter of course. With the spread of coronavirus (Covid-19), many workers are finding that they are working from home for the first time, as companies – and in some cases, governments – close offices and require different practices from workers. Alternatively, it may be that you suddenly find that schools are closed or a relative becomes ill, and you need to stay at home to be with them or care for them. If you are one of those people – or work with any of them – then this post is aimed at you. In it, you’ll find some basic tips for how to work from home if it’s not something you’re used to doing.

1 Gather

In order to work from home, you may need to gather some infrastructure pieces to take home with you. For many of us, that’s going to be a laptop, but if there are other pieces of hardware, then make sure you’re ready to bring them home. If you don’t have a laptop normally, then find out what the rules are for using your own devices, and whether they have been changed to account for the period when you’ll be working from home. Download and install what you need to do – remember that there are open source alternatives to many of the apps that you may typically be using in the office, and which may provide you with a sufficient (or better!) user experience if you don’t have access to all of your standard software.

2 Prepare

What else do you need to do to make sure everything will work, and you will have as little stress as possible? Making sure that you can connect to work email and VPN may be important, but what about phones? If you have a work-issued phone, and it’s the standard way for colleagues or customers to contact you, then you may be OK, as long as you have sufficient coverage, but you may want to look at VoIP (Voice over IP) alternatives with your employer. If you have to use your own phone – mobile or landline – then work out how you will expense this and with whom you will share this information.

3 Agree

If you have been told that you may (or must) work from home by your employer, then it is likely that they will be providing guidance as to what your availability should be, how to contact colleagues, etc.: make sure that any guidelines are plausible for you, and ask for clarity wherever possible. If you are having to work from home because of family commitments, then it’s even more important to work out the details with your employer. Rules to support this sort of situation vary from country to country, and your employer will hopefully be aware that their best chance of maintaining good output and commitment from you is to work with you, but if you don’t come to an agreement up front, you may be in for a shock, so preparatory work is a must.

4 Educate

Just because your employer has agreed that you should work from home, and has agreed what your work-time should look like, it doesn’t mean that your boss and colleagues will necessarily understand how this change in your working life will impact on how they relate to you, contact you or otherwise interact with you. Let them know that you are still around, but that there may be differences in how best to reach you, when you are available, and what tasks you are able to perform. This is a courtesy for them, and protection for you!

5 Video-conference

If you can, use video-conferences for meetings with colleagues, customers, partners and the rest. Yes, it means that you need to change out of your pyjamas, brush your hair, get at least partly dressed (see some of the tips from my semi-jokey seasonal post The Twelve Days of Work-life Balance) and be generally presentable, but the impact of being able to see your colleagues, and their being able to see you, should not be underestimated. It can help them and you to feel that you are still connected, and make a significant positive impact on teamwork.

6 Protect

During the time that you are working from home, you need, if at all possible, to protect the workspace you will be using, and the time when you will be working, from encroachments by other tasks and other people. This can be very difficult when you are living in a small space with other people, and may be close to impossible when you are having to look after small children, but even if it is just room for your laptop and phone, or an agreement that the children will only come to you between television programmes, any steps that you can take to protect your time and space are worth enforcing. If you need to make exceptions, be clear to yourself and others that these are exceptions, and try to manage them as that, rather than allowing a slow spiral to un-managed chaos[1].

7 Slow down

One of the classic problems with working from home for the first time is that everything becomes a blur, and you find yourself working crazily hard to try to prove to yourself and others that you aren’t slacking. Remember that in the office, you probably stop for tea or coffee, wander over to see colleagues for a chat – not just work-related – and sit down for a quiet lunch. Take time to do something similar when you’re working from home, and if you’re having video-conferences with colleagues, try to set some of the time on the call aside for non-work related conversations: if you are used to these sorts of conversations normally, and are missing them due to working at home, you need to consider whether there may be an impact on your emotional or mental health.

8 Exercise

Get up from where you are working, and go outside if you can. Walk around the room, get a drink of water – whatever it is you do, don’t stay sat down in front of a computer all day. It’s not just the exercise that you need – though it will be beneficial – but a slight change of scene to guard against the feeling that you are chained to your work, even when at home.

9 Stop

Another common pitfall for people who work from home is that they never stop. Once you allow your work into your home, the compartmentalisation of the two environments that most of us manage (most of the time, hopefully) can fall away, and it’s very easy just to “pop back to the computer for a couple of emails” after supper, only to find yourself working away at a complex spreadsheet some two and a half hours later. Compartmentalising is a key skill when working from home, and one to put into your daily routine as much as possible.

Finally…

It’s likely that you won’t manage to keep to all of the above, at least not all of the time. That’s fine: don’t beat yourself up about it, and try to start each day afresh, with plans to abide by as many of the behaviours above as you can manage. When things don’t work, accept that, plan to improve or mitigate them next time, and move on. Remember: it is in your employer’s best interests that you work as sensibly and sustainably as possible, so looking after yourself and setting up routines and repeatable practices that keep you well and productive is good for everybody.

1 – I know this sounds impossible with small kids – believe me, I’ve been there on occasion. Do your best, and, again ensure that your colleagues (and manager!) understand any constraints you have.

リモートワークをするときの7つのマイルール

もしオフィスをでなければいけないのであれば、犬の散歩に行きますね！

この記事は
https://aliceevebob.com/2019/08/13/my-7-rules-for-remote-work-sanity/
を翻訳したものです。

この10年から15年の間、ほとんど時間、リモートで仕事をしています。
ラッキーなことに私の仕事はリモートワークがぴったりで、勤めているRed Hatもその環境を整えてくれています。

例えばお客様とオンサイトの会議が多くあったり、主要なサービスコンポーネントに従事しているなど、全ての仕事がリモートワークに合うわけではもちろんないですが、多くの組織がリモートワークを検討しています。

また、なるべく「家から働く」「家で働く」などのフレーズをなるべく避けるようにしています。
後者のフレーズの方が良さそうだ、と聞いたこともありますが、多くのリモートワーカーにとっては正確な言い方ではないでしょう。

実際、私の職種にぴったり合う言い方でもありません。
私の仕事はリモートで、会社によって机や椅子、会議室やインターネットアクセスが準備された仕事場はないのですが、いつも家で過ごしているわけではありません。

一ヶ月に平均して3日から1週間ほどは出張です。カンファレンスで講演したり、実際会っての打ち合わせだったりがあるのです。
この間、大体は連絡のつく状態であり、メールをチェックできることになっています。緊急の連絡やメールにも関わらず出張の機会は増えたり減ったり、です。

オープンソース

私がリモートで働ける理由の一つに、勤めているのがオープンソースソフトの会社であることもあります。
今、Enarxというとてもクールなプロジェクトに従事しています。そのソフトに貢献している仲間は欧米にいて、それ以外にも世界中から問い合わせがきます。

スタンドアップ会議はバーチャルでビデオを使います。
プロジェクトからは少なくとも二人は参加し、私は大体はデスクの横で実際立って参加します。

コードは全てgithub（もちろんオープンソースです！訳注：ブログの発信当時は、です。今はマイクロソフトに買収されています）を使っていて、頻繁に顔を合わせる必要も特にありません。
例えば特別な機会にはどこにいてもケーキを買って一緒に祝い、ステッカーをラップトップにつけて、ブランドとチーム感を大切にしています。
チャットとIRCのチャネルがあって色々な方法でコミュニケーションをしています。
まだ小さなチームですが今の所うまくいっています。
リモートチームとどのように働くかのアドバイスはOpensource.comにたくさん載っています。

環境

出張していないときは基本、自宅にいます。天気にもよりますが通勤もします。30〜45秒の短い通勤です。
私のオフィスは家とは別れていて庭にあり、オフィスチェアやデスク、ラップトップのドッキング、モニター、ウェブカメラ、電話、キーボードとプリンターがあり、部屋の中ははっきりと仕事関連のものだけです。

仕事をする環境を作るのに、大切なものもあります。人によって違うでしょうが、私の場合はこんな感じです。

・ソノス。アンプと良いスピーカーに接続したホームサウンドシステム。
・ソファ。大体、飼っている犬に占領されています。時々猫。
・本棚。本が床に散らばらないように。
・紅茶を淹れるファシリティー。私はイギリス人なので、これは最重要。
・冷蔵庫。紅茶に入れるための牛乳、ビールとワインが入っています。（ご心配なく。就業時間中に飲酒はしません。メインキッチンの冷蔵庫に入らなかったんです）
・大きく開く窓と夏に必要なブラインド（エアコンはありません。先ほど言ったでしょう？私はイギリス人なので）
・床暖房と暖炉。冬に必要です。（床暖房は暖炉が暖まるまで必要なのです）
・NUCのパソコンとモニター。仕事にあまり関係ない作業をするため
・蜘蛛も少々

何が必要かはワークスタイルにもよりますが、仕事に関係ないものが実は大切です。まあ、蜘蛛は要らないかもしれませんが。
これは仕事場を心地よくするためなのです。
例えば集中するために音楽をよく聞きます。飼っている犬や猫とソファーに座って、大量のドキュメントを読みます。
お茶を淹れる場所と冷蔵庫がなければ、米国人になっちゃいます！

マイルール

どうやったらうまくいくでしょう。

まずは私たちのほとんどは、他の人と連絡をすることが好きですよね。

リモートワーカーの中にはシェアワークスペースを借りてそこで働く人もいるでしょう。そういう人はオフィスの環境が好きだったり、仕事に集中できる場所が自宅にないのかも知れません。

他にもコーヒーショップやボート（羨ましい！）で働く人もいるでしょう。一年の半分をオフィスで過ごし、残りを別荘で働く人もいるでしょう。

どのようにするにしろ、あなたにとって最適な場所を探すのが大切です。
以下は私がよくやること、その理由です。

1　なるべく仕事をする時間を決めましょう。
公式的には（同僚の皆さんへFYI、イントラに載っています）イギリス時間午前10時から午後6時まで働いています。
これは、多くの米国の同僚の働いている時間に重なっていて、朝はジョギングやサイクリングをしたり、犬と散歩しています。（下記参照）
最近はあまり時間はないですが、時間を柔軟的に前後させて、大体決まった時間を働くようにしています。

2　ちゃんと起床して紅茶を一杯頂く
オフィス環境にいると大体、他の人の会話やお茶のお誘い、会議室でのミーティングやランチに出かける、などでいい意味で邪魔が入ります。
このようなことは自宅ではありません。なので、ちゃんと体を動かしてデスクに3〜4時間座りっぱなしにならないようにしています。
座りっぱなしは健康によくないですし、作業が非効率になります。
もちろんお茶をもっと楽しめるようにするのも大切です。

3　体を動かさないでいると、通知してくれるアプリ
新しいものですがとても気に入ってます。
一時間体を動かさないと、時計（携帯やPCでもあるでしょうけど）がエクセサイズをするように、と教えてくれます。
他にも色々勧めてくれるのですが、大体無視して、紅茶をいただきます。（なぜだかは、もうわかるでしょう？）

4　デスクの上下稼働機能を有効活用
立ったり座ったりしながら、体勢を変えるようにしています。
姿勢にもいいですし、もっと体に気をつけるようになります。

5　犬の散歩
外に出て少し考え事をしたい時や少しメールの長いディスカッションから離れたい時には、犬の散歩に出かけます。
ずっと仕事のことを考えていないとしても、散歩に行くのは効率的な仕事にとても有効ですし、長目の散歩になってしまってもその日は少し多めに働いて調整します。

6　家族とのルール
私の家族は、私がオフィスにいるときは働いていると知っています。
電話で連絡することも、それが無視される可能性があることも、もしかしたら窓から今時間があるか覗きこむこともあります。でももし対応できなかったら、しません。
例えば紅茶用の牛乳がない！などの緊急事態には相談次第で調整するので、ケースバイケースですね。

7　カフェで紅茶を頂く、大抵はケーキも。
時々違った環境に行ったり、実際に人と話をしたいこともあります。
そんな場合には車に飛び乗って10分、カフェに行きます。
美味しいケーキと紅茶を出すお店を知っているんです。

上に挙げたものは全ての習慣ではないかもしれませんが、私の日常を保つのに大切な事です。

皆さんのルールは違ったものかもしれませんが、ルールを作り、同僚や友達、家族にそのルールがあることを知ってもらうことはとても大切です。

リモートワークは簡単なことではなく、規則化しなければいけないことがあります。でもそんな規則によって、8時間座りっぱなしを防いで、ゆとりが生まれるのです。

元の記事：https://aliceevebob.com/2019/08/13/my-7-rules-for-remote-work-sanity/
2019年8月13日　Mike Bursell

My 7 rules for remote-work sanity

If I need to get out of my office, I’ll take the dog for a walk

リモートワークをするときの7つのマイルール

I work remotely, and have done, on and off, for a good percentage of the past 10-15 years. I’m lucky that I’m in a role where this suits my responsibilities, and in a company – Red Hat – that is set up for it. Not all roles – those with many customer onsite meetings, or those with a major service component – are suited to remote working, of course, but it’s clear that an increasing number of organisations are considering having at least some of their workers doing so remotely.

I’ve carefully avoided using the phrase either “working from home” or “working at home” above. I’ve seen discussion that the latter gives a better “vibe” for some reason, but it’s not accurate for many remote workers. In fact, it doesn’t describe my role perfectly, either. My role is remote, in that I have no company-provided “base” – with chair, desk, meeting rooms, phone, Internet access, etc. – but I don’t spend all of my time at home. I spend maybe one and a half weeks a month, on average, travelling – to attend or speak at conferences, to have face-to-face (“F2F”) meetings, etc.. During these times, I’m generally expected to be contactable and to keep at least vaguely up-to-date on email – though the exact nature of the activities in which I’m engaged, and the urgency of the contacts and email, may increase or reduce my engagement.

Open source

One of the reasons that I can work remotely is that I work for a company that works with open source software. I’m currently involved in a very exciting project called Enarx (which I first announced on this blog). We have contributors in Europe and the US – and interest from further abroad. Our stand-ups are all virtual, and we default to turning on video. At least two of our regulars will participate from a treadmill, I will typically actually stand at my desk. We use github for all of our code (it’s all open source, of course), and there’s basically no reason for us to meet in person very often. We try to celebrate together – agreeing to get cake, wherever we are, to mark special occasions, for instance – and have laptop stickers to brand ourselves and help team unity. We have a shared chat, and IRC channel and spend a lot of time communicating via different channels. We’re still quite a small team, but it works for now. If you’re looking for more tips about how to manage, coordinate and work in remote teams, particularly around open source projects, you’ll find lots of information at the brilliant Opensource.com.

The environment

When I’m not travelling around the place, I’m based at home. There, I have a commute – depending on weather conditions – of around 30-45 seconds, which is generally pretty bearable. My office is separate from the rest of the house (set in the garden), and outfitted with an office chair, desk, laptop dock, monitor, webcam, phone, keyboard and printer: these are the obvious work-related items in the room.

Equally important, however, are the other accoutrements that make for a good working environment. These will vary from person to person, but I also have:

a Sonos, attached to an amplifier and good speakers
a sofa, often occupied by my dog, and sometimes one of the cats
a bookshelf, where the books which aren’t littering the floor reside
tea-making facilities (I’m British – this is important)
a fridge, filled with milk (for the tea), beer and wine (don’t worry: I don’t drink these during work hours, and it’s more that the fridge is good for “overflow” from our main kitchen one)
wide-opening windows and blinds for the summer (we have no air-conditioning: I’m British, remember?)
underfloor heating and a wood-burning stove for the winter (the former to keep the room above freezing until I get the latter warmed up)
a “NUC” computer and monitor for activities that aren’t specifically work-related
a few spiders.

What you have will depend on your work style, but these “non-work-related” items are important (bar the spiders, possibly) to my comfort and work practice. For instance, I often like to listen to music to help me concentrate; I often sit on the sofa with the dog/cats to read long documents; and without the fridge and tea-making facilities, I might as well be American[1].

My rules

How does it work, then? Well, first of all, most of us like human contact from time to time. Some remote workers will rent space in a shared work environment, and work there most of the time: they prefer an office environment, or don’t have a dedicated space for working a home. Others will mainly work in coffee shops, or on their boat[2], or may spend half of the year in the office, and the other half working from a second home. Whatever you do, finding something that works for you is important. Here’s what I tend to do, and why:

I try to have fairly rigid work hours – officially (and as advertised on our intranet for the information of colleagues), I work 10am-6pm UK time. This gives me a good overlap with the US (where many of my colleagues are based), and time in the morning to go for a run or a cycle and/or to walk the dog (see below). I don’t always manage these times, but when I flex in one direction, I attempt to pull some time back the other way, as otherwise I know that I’ll just work ridiculous hours.
I ensure that I get up and have a cup of tea – in an office environment, I would typically be interrupted from time to time by conversations, invitations to get tea, phyiscal meetings in meeting rooms, lunch trips, etc.. This doesn’t happen at home, so it’s important to keep moving, or you’ll be stuck at your desk for 3-4 hours at a time, frequently. This isn’t good for your health, and often, for your productivity (and I enjoy drinking tea).
I have an app which tells me when I’ve been inactive – this is new for me, but I like it. If I’ve basically not moved for an hour, my watch (could be phone or laptop) tells me to do some exercise. It even suggests something, but I’ll often ignore that, and get up for some tea, for instance[3].
I use my standing desk’s up/down capability – I try to vary my position through the day from standing to sitting and back again. It’s good for posture, and keeps me more alert.
I walk the dog – if I just need to get out of my office and do some deep thinking (or just escape a particularly painful email thread!), I’ll take the dog for a walk. Even if I’m not thinking about work for all of the time, I know that it’ll make me more productive, and if it’s a longish walk, I’ll make sure that I compensate with extra time spent working (which is always easy).
I have family rules – the family knows that when I’m in my office, I’m at work. They can message me on my phone (which I may ignore), or may come to the window to see if I’m available, but if I’m not, I’m not. Emergencies (lack of milk for tea, for example) can be negotiated on a case-by-case basis.
I go for tea (and usually cake) at a cafe – sometimes, I need to get into a different environment, and have a chat with actual people. For me, popping into the car for 10 minutes and going to a cafe is the way to do this. I’ve found one which makes good cakes (and tea).

These rules don’t describe my complete practice, but they are an important summary of what I try to do, and what keeps me (relatively) sane. Your rules will be different, but I think it’s really important to have rules, and to make it clear to yourself, your colleagues, your friends and your family, what they are. Remote working is not always easy, and requires discipline – but that discipline is, more often than not, in giving yourself some slack, rather than making yourself sit down for eight hours a day.

1 – I realise that many people, including many of my readers, are American. That’s fine: you be you. I actively like tea, however (and know how to make it properly, which seems to be an issue when I visit).

2 – I know a couple of these: lucky, lucky people!

3 – can you spot a pattern?

The most important link: unsubscribe me

No more (semi-)unsolicited emails from that source.

Over the past few days, the much-vaunted[1] GDPR has come into force. In case you missed this[2], GDPR is a set of rules around managing user data that all organisations with data about European citizens must follow for those citizens. Which basically means that it’s cheaper to apply the same rules across all of your users.

Here’s my favourite GDPR joke[3].

Me: Do you know a good GDPR consultant?

Colleague: Yes.

Me: Can you give me their email address.

Colleague: No.

The fact that this is the best of the jokes out there (there’s another one around Santa checking lists which isn’t that bad either) tells you something about how fascinating the whole subject is.

So I thought that I’d talk about something different today. I’m sure that over the past few weeks, because of the new GDPR regulations, you’ve received a flurry[4] of emails that fall into one of two categories:

please click here to let us know what uses we can make of your data (the proactive approach);
we’ve changed our data usage and privacy policy: please check here to review it (the reactive approach).

I’ve come across[5] suggestions that the proactive approach is overkill, and generally not required, but I can see what people are doing it: it’s easier to prove that you’re doing the right thing. The reactive approach means that it’s quicker just to delete the email, which is at least a kind of win.

What I’ve found interesting, however, is the number of times that I’ve got an email of type 1 from a company, and I’ve thought: “You have my data? Really?” It turns out that more companies have information about me than I’d thought[6], and this has allowed me to click through and actually tell them that I want them to delete my data completely, and unsubscribe me from their email lists. This then led me to thinking, “you know what, although I bought something from this company five years ago, or had an interest in something they were selling, at least, I now have no interest in them at all, or in receiving marketing emails from them,” and then performing the same function: telling them to delete and unsubscribe me.

But it didn’t stop there. I’ve decided to have a clean out. Now, when an email comes in from a company, I take a moment to decide whether:

I care about them or their product; OR
I’m happy for them to have my information in the first place.

If the answer to either of these questions is “no”, then I scroll down. There, at the bottom of each mail, should be a link which says something like “subscription details” or “unsubscribe me”. This has, I believe, been a legal requirement in many jurisdictions for quite a few years. The whole process is quite liberating: I click on the link, and I’m either magically unsubscribed, or sometimes I have to scroll down the page a little to choose the relevant option, and “Bang!”, I’m done. No more (semi-)unsolicited emails from that source.

I see this as a security issue: the fewer companies that have data about me, the fewer chances of misuse, and the lower the change of leakage. One warning, however: phishing. As I admitted in this blog last week, I got phished recently (I got phished this week: what did I do?), and as more people take to unsubscribing by default, I can see this link actually being used for nefarious purposes, so do be careful before you click on it that it actually goes to where you think it should. This can be difficult, because companies often use a third-party provider to manage their email services. Be careful, then, that you don’t get duped into entering account details: there should be no need to log into your account to be deleted from a service. If you want to change your mailing preferences for a company, then that may require you to log into your account: never do this from an email, always type go to the organisation’s website directly.

1 – I’ve always wanted to write that.

2 – well done, by the way.

3 – I’d provide attribution, but I’m not sure where it originated.

4 – or maybe a slurry?

5 – again, I can’t remember where.

6 – though I’m not that surprised.

I got phished this week: what did I do?

I was a foolish – but was saved by my forward planning.

The first thing I did was not panic. The second was to move quickly.

But what happened to get to this stage, you may ask, and how could I have been so stupid? I’ll tell you the story.

Every day, like most people, I suspect, I get lots of emails[1]. I have a variety of email accounts, and although I’m sure that I should be more disciplined, I tend to just manage them as they come in. First thing in the morning, though, I tend to sit down with a cup of tea and go through what’s come in an manage what I can then. Most work emails that require more than a glance and a deletion[2] will wait until later in the day, but I like to deal with any home-related ones before breakfast.

The particular email I’m talking about came in overnight, and I was sitting down with my cup of tea[3] when I noticed an email from a company with whom I have a subscription. The formatting was what I’d expect, and it looked fine. It was asking me to change my payment details.

“Danger!” is what you’ll be thinking, and quite rightly. However, I had some reasons for thinking that I might need to do this. I’ve recently changed credit cards, and I was aware that there was quite a high likelihood that I’d used the old credit card to subscribe. What’s more, I had a hazy recollection that I’d first subscribed to this service about this time of year, so it might well be due for renewal.

Here’s where I got even more unlucky: I told myself I’d come back to it because I didn’t have my wallet with me (not having got dressed yet). This meant that I’d given myself a mental task to deal with the issue later in the day, and I think that this gave it a legitimacy in my head which it wouldn’t have got if I’d looked at it in the first place. I also mentioned to my wife that I needed to do this: another step which in my head gave the task more legitimacy.

So I filed the mail as “Unread”, and went off to have a proper breakfast. When I was dressed, I sat down and went back to the email. I clicked on the link to update, and here’s where I did the really stupid thing: I didn’t check the URL. What I really should have done was actually enter the URL I would have expected directly into the browser, but I didn’t. I was in a rush, and I wanted to get it done.

I tried my account details, and nothing much happened. I tried them again. And then I looked at the URL in the browser bar. That’s not right…

This was the point when I didn’t panic, but moved quickly. I closed the page in my browser with the phishing site, and I opened a new one, into which I typed the correct URL. I logged in with my credentials, and went straight to the account page, where I changed my password to a new, strong, machine-generated password. I checked to see that the rest of the account details – including payment details – hadn’t been tampered with. And I was done.

There’s something else that I did right, and this is important: I used a different set of account details (username and password) for this site to any other site to which I’m subscribed. I use a password keeper (there are some good ones on the market, but I’d strongly advise going with an open source one: that way you or others can be pretty sure that your passwords aren’t leaking back to whoever wrote or compiled it), and I’m really disciplined about using strong passwords, and never reusing them at all.

So, I think I’m safe. Let’s go over what I did right:

I didn’t panic. I realised almost immediately what had happened, and took sensible steps.
I moved quickly. The bad folks only had my credentials for a minute or so, as I immediately logged into the real site and changed my password.
I checked my account. No details had been changed.
I used a strong, machine-generated password.
I hadn’t reused the same password over several sites.

A few other things worked well, though they weren’t down to me:

the real site sent me an email immediately to note that I’d changed my login details. This confirmed that it was done (and I checked the provenance of this email!).
the account details on the real site didn’t list my full credit card details, so although the bad folks could have misused my subscription, they wouldn’t have had access to my credit card.

Could things have gone worse? Absolutely. Do I feel a little foolish? Yes. But hopefully my lesson is learned, and being honest will allow others to know what to do in the same situation. And I’m really, really glad that I used a password keeper.

1 – some of them, particularly the work ones, are from people expecting me to do things. These are the worst type.

2 – quite a few, actually – I stay subscribed to quite a few lists just to see what’s going on.

3 – I think it was a Ceylon Orange Pekoe, but I can’t remember now.

Defending our homes

Your router is your first point of contact with the Internet: how insecure is it?

I’ve always had a problem with the t-shirt that reads “There’s no place like 127.0.0.1”. I know you’re supposed to read it “home”, but to me, it says “There’s no place like localhost”, which just doesn’t have the same ring to it. And in this post, I want to talk about something broader: the entry-point to your home network, which for most people will be a cable or broadband router[1]. The UK and US governments just published advice that “Russia”[2] is attacking routers. This attack will be aimed mostly, I suspect, at organisations (see my previous post What’s a State Actor, and should I care?), rather than homes, but it’s a useful wake-up call for all of us.

What do routers do?

Routers are important: they provide the link between one network (in this case, our home network) and another one (in this case, the Internet, via our ISP’s network. In fact, for most of us, the box we think of as “the router”[3] is doing a lot more than that. The “routing” bit is what is sounds like: it helps computers on your network to find routes to send data to computers outside the network – and vice-versa, for when you’re getting data back. But most routers will actual be doing more than that. The other purpose that many will be performing is that of a modem. Most of us [4] connect to the Internet via a phoneline – whether cable or standard landline – though there is a growing trend for mobile Internet to the home. Where you’re connecting via a phone line, there’s a need to convert the signals that we use for the Internet to something else and then (at the other end) back again. For those of us old enough to remember the old “dial-up” days, that’s what the screechy box next to your computer used to do.

But routers often do more things as, well. Sometimes many more things, including traffic logging, being an WiFi access point, providing a VPN for external access to your internal network, child access, firewalling and all the rest.

Routers are complex things these days, and although state actors may not be trying to get into them, other people may.

Does this matter, you ask? Well, if other people can get into your system, they have easy access to attacking your laptops, phones, network drives and the rest. They can access and delete unprotected personal data. They can plausibly pretend to be you. They can use your network to host illegal data or launch attacks on others. Basically, all the bad things.

Luckily, routers tend to come set up by your ISP, with the implication being that you can leave them, and they’ll be nice and safe.

So we’re safe, then?

Unluckily, we’re really not.

The first problem is that the ISPs are working on a budget, and it’s in their best interests to provide cheap kit which just does the job. The quality of ISP-provided routers tends to be pretty terrible. It’s also high on the list of things to try to attack by malicious actors: if they know that a particular router model will be installed in a several million homes, there’s a great incentive to find an attack, as an attack on that model will be very valuable to them.

Measures to take

Here’s a quick list of steps you can take to try to improve the security of your first hop to the Internet. I’ve tried to order them in terms of ease – simplest first. Before you do any of these, however, save the configuration data so that you can bring it back if you need it.

Passwords – always, always, always change the admin password for your router. It’s probably going to be one that you rarely use, so you’ll want to record it somewhere. This is one of the few times where you might want to consider taping it to the router itself, as long as the router is in a secure place where only authorised people (you and your family[5]) have access.
Internal admin access only – unless you have very good reasons, and you know what you’re doing, don’t allow machines to administer the router unless they’re on your home network. There should be a setting on your router for this.
Wifi passwords – once you’ve done 2., you need to ensure that wifi passwords on your network – whether set on your router or elsewhere – are strong. It’s easy to set a “friendly” password so that it’s easy for visitors to connect to your network, but if it’s guessed by a malicious person who happens to be nearby, the first thing they’ll do will be to look for routers on the network, and as they’re on the internal network they’ll have access to it (hence why 1 is important).
Only turn on functions that you understand and need – as I noted above, modern routers have all sorts of cool options. Disregard them. Unless you really need them, and you actually understand what they do, and what the dangers of turning them on are, then leave them off. You’re just increasing your attack surface.
Buy your own router – replace your ISP-supplied router with a better one. Go to your local computer store and ask for suggestions. You can pay an awful lot, but you can conversely get something fairly cheap that does the job and is more robust, performant and easy to secure than the one you have at the moment. You may also want to buy a separate modem. Generally setting up your own modem or router is simple, and you can copy the settings from the ISP-supplied one and it will “just work”.
Firmware updates – I’d love to have this further up the list, but it’s not always easy. From time to time, firmware updates appear for your router. Most routers will check automatically, and may prompt you to update when you next log in. The problem is that failure to update correctly can cause catastrophic results[6], or lose configuration data that you’ll need to re-enter. But you really do need to consider doing this, and keeping a look-out of firmware updates which fix severe security issues.
Go open source – there are some great open source router projects out there which allow you to take an existing router and replace all of the firmware/software on it with an open source alternative. You can find a list of at least some of them on Wikipedia – https://en.wikipedia.org/wiki/List_of_router_firmware_projects, and a search on “router” on Opensource.com will open your eyes to a set of fascinating opportunities. This isn’t a step for the faint-hearted, as you’ll definitely void the warranty on your existing router, but if you want to have real control, open source is always the way to go.

Other issues…

I’d love to pretend that once you’ve improved the security of your router, that all’s well and good, but it’s not on your home network.. What about IoT devices in your home (Alexa, Nest, Ring doorbells, smart lightbulbs, etc.?) What about VPNs to other networks? Malicious hosts via Wifi, malicious apps on your childrens phones…?

No – you won’t be safe. But, as we’ve discussed before, although there is no “secure”, that doesn’t mean that we shouldn’t raise the bar and make it harder for the Bad Folks[tm].

1 – I’m simplifying – but read on, we’ll get there.

2 -“Russian State-Sponsored Cyber Actors”

3 – or, in my parents’ case, “the Internet box”, I suspect.

4 – this is one of these cases where I don’t want comments telling me how you have a direct 1 Terabit/s connection to your local backbone, thank you very much.

5 – maybe not the entire family.

6 – your router is now a brick, and you have no access to the Internet.