My 7 rules for remote-work sanity

If I need to get out of my office, I’ll take the dog for a walk

I work remotely, and have done, on and off, for a good percentage of the past 10-15 years.  I’m lucky that I’m in a role where this suits my responsibilities, and in a company – Red Hat – that is set up for it.  Not all roles – those with many customer onsite meetings, or those with a major service component – are suited to remote working, of course, but it’s clear that an increasing number of organisations are considering having at least some of their workers doing so remotely.

I’ve carefully avoided using the phrase either “working from home” or “working at home” above.  I’ve seen discussion that the latter gives a better “vibe” for some reason, but it’s not accurate for many remote workers.  In fact, it doesn’t describe my role perfectly, either.  My role is remote, in that I have no company-provided “base” – with chair, desk, meeting rooms, phone, Internet access, etc. – but I don’t spend all of my time at home.  I spend maybe one and a half weeks a month, on average, travelling – to attend or speak at conferences, to have face-to-face (“F2F”) meetings, etc..  During these times, I’m generally expected to be contactable and to keep at least vaguely up-to-date on email – though the exact nature of the activities in which I’m engaged, and the urgency of the contacts and email, may increase or reduce my engagement.

Open source

One of the reasons that I can work remotely is that I work for a company that works with open source software.  I’m currently involved in a very exciting project called Enarx (which I first announced on this blog).  We have contributors in Europe and the US – and interest from further abroad.  Our stand-ups are all virtual, and we default to turning on video.  At least two of our regulars will participate from a treadmill, I will typically actually stand at my desk.  We use github for all of our code (it’s all open source, of course), and there’s basically no reason for us to meet in person very often.  We try to celebrate together – agreeing to get cake, wherever we are, to mark special occasions, for instance – and have laptop stickers to brand ourselves and help team unity. We have a shared chat, and IRC channel and spend a lot of time communicating via different channels.  We’re still quite a small team, but it works for now.  If you’re looking for more tips about how to manage, coordinate and work in remote teams, particularly around open source projects, you’ll find lots of information at the brilliant Opensource.com.

The environment

When I’m not travelling around the place, I’m based at home.  There, I have a commute – depending on weather conditions – of around 30-45 seconds, which is generally pretty bearable.  My office is separate from the rest of the house (set in the garden), and outfitted with an office chair, desk, laptop dock, monitor, webcam, phone, keyboard and printer: these are the obvious work-related items in the room.

Equally important, however, are the other accoutrements that make for a good working environment.  These will vary from person to person, but I also have:

  • a Sonos, attached to an amplifier and good speakers
  • a sofa, often occupied by my dog, and sometimes one of the cats
  • a bookshelf, where the books which aren’t littering the floor reside
  • tea-making facilities (I’m British – this is important)
  • a fridge, filled with milk (for the tea), beer and wine (don’t worry: I don’t drink these during work hours, and it’s more that the fridge is good for “overflow” from our main kitchen one)
  • wide-opening windows and blinds for the summer (we have no air-conditioning: I’m British, remember?)
  • underfloor heating and a wood-burning stove for the winter (the former to keep the room above freezing until I get the latter warmed up)
  • a “NUC” computer and monitor for activities that aren’t specifically work-related
  • a few spiders.

What you have will depend on your work style, but these “non-work-related” items are important (bar the spiders, possibly) to my comfort and work practice.  For instance, I often like to listen to music to help me concentrate; I often sit on the sofa with the dog/cats to read long documents; and without the fridge and tea-making facilities, I might as well be American[1].

My rules

How does it work, then?  Well, first of all, most of us like human contact from time to time.  Some remote workers will rent space in a shared work environment, and work there most of the time: they prefer an office environment, or don’t have a dedicated space for working a home.  Others will mainly work in coffee shops, or on their boat[2], or may spend half of the year in the office, and the other half working from a second home.  Whatever you do, finding something that works for you is important.  Here’s what I tend to do, and why:

  1. I try to have fairly rigid work hours – officially (and as advertised on our intranet for the information of colleagues), I work 10am-6pm UK time.  This gives me a good overlap with the US (where many of my colleagues are based), and time in the morning to go for a run or a cycle and/or to walk the dog (see below).  I don’t always manage these times, but when I flex in one direction, I attempt to pull some time back the other way, as otherwise I know that I’ll just work ridiculous hours.
  2. I ensure that I get up and have a cup of tea – in an office environment, I would typically be interrupted from time to time by conversations, invitations to get tea, phyiscal meetings in meeting rooms, lunch trips, etc..  This doesn’t happen at home, so it’s important to keep moving, or you’ll be stuck at your desk for 3-4 hours at a time, frequently.  This isn’t good for your health, and often, for your productivity (and I enjoy drinking tea).
  3. I have an app which tells me when I’ve been inactive – this is new for me, but I like it.  If I’ve basically not moved for an hour, my watch (could be phone or laptop) tells me to do some exercise.  It even suggests something, but I’ll often ignore that, and get up for some tea, for instance[3].
  4. I use my standing desk’s up/down capability – I try to vary my position through the day from standing to sitting and back again.  It’s good for posture, and keeps me more alert.
  5. I walk the dog – if I just need to get out of my office and do some deep thinking (or just escape a particularly painful email thread!), I’ll take the dog for a walk.  Even if I’m not thinking about work for all of the time, I know that it’ll make me more productive, and if it’s a longish walk, I’ll make sure that I compensate with extra time spent working (which is always easy).
  6. I have family rules – the family knows that when I’m in my office, I’m at work.  They can message me on my phone (which I may ignore), or may come to the window to see if I’m available, but if I’m not, I’m not.  Emergencies (lack of milk for tea, for example) can be negotiated on a case-by-case basis.
  7. I go for tea (and usually cake) at a cafe – sometimes, I need to get into a different environment, and have a chat with actual people.  For me, popping into the car for 10 minutes and going to a cafe is the way to do this.  I’ve found one which makes good cakes (and tea).

These rules don’t describe my complete practice, but they are an important summary of what I try to do, and what keeps me (relatively) sane.  Your rules will be different, but I think it’s really important to have rules, and to make it clear to yourself, your colleagues, your friends and your family, what they are.  Remote working is not always easy, and requires discipline – but that discipline is, more often than not, in giving yourself some slack, rather than making yourself sit down for eight hours a day.


1 – I realise that many people, including many of my readers, are American.  That’s fine: you be you.  I actively like tea, however (and know how to make it properly, which seems to be an issue when I visit).

2 – I know a couple of these: lucky, lucky people!

3 – can you spot a pattern?

The most important link: unsubscribe me

No more (semi-)unsolicited emails from that source.

Over the past few days, the much-vaunted[1] GDPR has come into force.  In case you missed this[2], GDPR is a set of rules around managing user data that all organisations with data about European citizens must follow for those citizens.  Which basically means that it’s cheaper to apply the same rules across all of your users.

Here’s my favourite GDPR joke[3].

Me: Do you know a good GDPR consultant?

Colleague: Yes.

Me: Can you give me their email address.

Colleague: No.

The fact that this is the best of the jokes out there (there’s another one around Santa checking lists which isn’t that bad either) tells you something about how fascinating the whole subject is.

So I thought that I’d talk about something different today.  I’m sure that over the past few weeks, because of the new GDPR regulations,  you’ve received a flurry[4] of emails that fall into one of two categories:

  1. please click here to let us know what uses we can make of your data (the proactive approach);
  2. we’ve changed our data usage and privacy policy: please check here to review it (the reactive approach).

I’ve come across[5] suggestions that the proactive approach is overkill, and generally not required, but I can see what people are doing it: it’s easier to prove that you’re doing the right thing.  The reactive approach means that it’s quicker just to delete the email, which is at least a kind of win.

What I’ve found interesting, however, is the number of times that I’ve got an email of type 1 from a company, and I’ve thought: “You have my data?  Really?”  It turns out that more companies have information about me than I’d thought[6], and this has allowed me to click through and actually tell them that I want them to delete my data completely, and unsubscribe me from their email lists.  This then led me to thinking, “you know what, although I bought something from this company five years ago, or had an interest in something they were selling, at least, I now have no interest in them at all, or in receiving marketing emails from them,” and then performing the same function: telling them to delete and unsubscribe me.

But it didn’t stop there.  I’ve decided to have a clean out.  Now, when an email comes in from a company, I take a moment to decide whether:

  • I care about them or their product; OR
  • I’m happy for them to have my information in the first place.

If the answer to either of these questions is “no”, then I scroll down.  There, at the bottom of each mail, should be a link which says something like “subscription details” or “unsubscribe me”.  This has, I believe, been a legal requirement in many jurisdictions for quite a few years.  The whole process is quite liberating: I click on the link, and I’m either magically unsubscribed, or sometimes I have to scroll down the page a little to choose the relevant option, and “Bang!”, I’m done.  No more (semi-)unsolicited emails from that source.

I see this as a security issue: the fewer companies that have data about me, the fewer chances of misuse, and the lower the change of leakage.  One warning, however: phishing.  As I admitted in this blog last week, I got phished recently  (I got phished this week: what did I do?), and as more people take to unsubscribing by default, I can see this link actually being used for nefarious purposes, so do be careful before you click on it that it actually goes to where you think it should.  This can be difficult, because companies often use a third-party provider to manage their email services.  Be careful, then, that you don’t get duped into entering account details: there should be no need to log into your account to be deleted from a service.  If you want to change your mailing preferences for a company, then that may require you to log into your account: never do this from an email, always type go to the organisation’s website directly.


1 – I’ve always wanted to write that.

2 – well done, by the way.

3 – I’d provide attribution, but I’m not sure where it originated.

4 – or maybe a slurry?

5 – again, I can’t remember where.

6 – though I’m not that surprised.

I got phished this week: what did I do?

I was a foolish – but was saved by my forward planning.

The first thing I did was not panic.  The second was to move quickly.

But what happened to get to this stage, you may ask, and how could I have been so stupid?  I’ll tell you the story.

Every day, like most people, I suspect, I get lots of emails[1].  I have a variety of email accounts, and although I’m sure that I should be more disciplined, I tend to just manage them as they come in.  First thing in the morning, though, I tend to sit down with a cup of tea and go through what’s come in an manage what I can then.  Most work emails that require more than a glance and a deletion[2] will wait until later in the day, but I like to deal with any home-related ones before breakfast.

The particular email I’m talking about came in overnight, and I was sitting down with my cup of tea[3] when I noticed an email from a company with whom I have a subscription.  The formatting was what I’d expect, and it looked fine.  It was asking me to change my payment details.

“Danger!” is what you’ll be thinking, and quite rightly.  However, I had some reasons for thinking that I might need to do this.  I’ve recently changed credit cards, and I was aware that there was quite a high likelihood that I’d used the old credit card to subscribe.  What’s more, I had a hazy recollection that I’d first subscribed to this service about this time of year, so it might well be due for renewal.

Here’s where I got even more unlucky: I told myself I’d come back to it because I didn’t have my wallet with me (not having got dressed yet).  This meant that I’d given myself a mental task to deal with the issue later in the day, and I think that this gave it a legitimacy in my head which it wouldn’t have got if I’d looked at it in the first place.  I also mentioned to my wife that I needed to do this: another step which in my head gave the task more legitimacy.

So I filed the mail as “Unread”, and went off to have a proper breakfast.  When I was dressed, I sat down and went back to the email.  I clicked on the link to update, and here’s where I did the really stupid thing: I didn’t check the URL.  What I really should have done was actually enter the URL I would have expected directly into the browser, but I didn’t.  I was in a rush, and I wanted to get it done.

I tried my account details, and nothing much happened.  I tried them again.  And then I looked at the URL in the browser bar.  That’s not right…

This was the point when I didn’t panic, but moved quickly.  I closed the page in my browser with the phishing site, and I opened a new one, into which I typed the correct URL.  I logged in with my credentials, and went straight to the account page, where I changed my password to a new, strong, machine-generated password.  I checked to see that the rest of the account details – including payment details – hadn’t been tampered with.  And I was done.

There’s something else that I did right, and this is important: I used a different set of account details (username and password) for this site to any other site to which I’m subscribed.  I use a password keeper (there are some good ones on the market, but I’d strongly advise going with an open source one: that way you or others can be pretty sure that your passwords aren’t leaking back to whoever wrote or compiled it), and I’m really disciplined about using strong passwords, and never reusing them at all.

So, I think I’m safe.  Let’s go over what I did right:

  • I didn’t panic.  I realised almost immediately what had happened, and took sensible steps.
  • I moved quickly.  The bad folks only had my credentials for a minute or so, as I immediately logged into the real site and changed my password.
  • I checked my account.   No details had been changed.
  • I used a strong, machine-generated password.
  • I hadn’t reused the same password over several sites.

A few other things worked well, though they weren’t down to me:

  1. the real site sent me an email immediately to note that I’d changed my login details.  This confirmed that it was done (and I checked the provenance of this email!).
  2. the account details on the real site didn’t list my full credit card details, so although the bad folks could have misused my subscription, they wouldn’t have had access to my credit card.

Could things have gone worse?  Absolutely.  Do I feel a little foolish?  Yes.  But hopefully my lesson is learned, and being honest will allow others to know what to do in the same situation.  And I’m really, really glad that I used a password keeper.


1 – some of them, particularly the work ones, are from people expecting me to do things.  These are the worst type.

2 – quite a few, actually – I stay subscribed to quite a few lists just to see what’s going on.

3 – I think it was a Ceylon Orange Pekoe, but I can’t remember now.

Defending our homes

Your router is your first point of contact with the Internet: how insecure is it?

I’ve always had a problem with the t-shirt that reads “There’s no place like 127.0.0.1”. I know you’re supposed to read it “home”, but to me, it says “There’s no place like localhost”, which just doesn’t have the same ring to it. And in this post, I want to talk about something broader: the entry-point to your home network, which for most people will be a cable or broadband router[1].  The UK and US governments just published advice that “Russia”[2] is attacking routers.  This attack will be aimed mostly, I suspect, at organisations (see my previous post What’s a State Actor, and should I care?), rather than homes, but it’s a useful wake-up call for all of us.

What do routers do?

Routers are important: they provide the link between one network (in this case, our home network) and another one (in this case, the Internet, via our ISP’s network.  In fact, for most of us, the box we think of as “the router”[3] is doing a lot more than that.  The “routing” bit is what is sounds like: it helps computers on your network to find routes to send data to computers outside the network – and vice-versa, for when you’re getting data back.  But most routers will actual be doing more than that.  The other purpose that many will be performing is that of a modem.  Most of us [4] connect to the Internet via a phoneline – whether cable or standard landline – though there is a growing trend for mobile Internet to the home.  Where you’re connecting via a phone line, there’s a need to convert the signals that we use for the Internet to something else and then (at the other end) back again.  For those of us old enough to remember the old “dial-up” days, that’s what the screechy box next to your computer used to do.

But routers often do more things as, well.  Sometimes many more things, including traffic logging, being an WiFi access point, providing a VPN for external access to your internal network, child access, firewalling and all the rest.

Routers are complex things these days, and although state actors may not be trying to get into them, other people may.

Does this matter, you ask?  Well, if other people can get into your system, they have easy access to attacking your laptops, phones, network drives and the rest.  They can access and delete unprotected personal data.  They can plausibly pretend to be you.  They can use your network to host illegal data or launch attacks on others.  Basically, all the bad things.

Luckily, routers tend to come set up by your ISP, with the implication being that you can leave them, and they’ll be nice and safe.

So we’re safe, then?

Unluckily, we’re really not.

The first problem is that the ISPs are working on a budget, and it’s in their best interests to provide cheap kit which just does the job.  The quality of ISP-provided routers tends to be pretty terrible.  It’s also high on the list of things to try to attack by malicious actors: if they know that a particular router model will be installed in a several million homes, there’s a great incentive to find an attack, as an attack on that model will be very valuable to them.

Other problems that arise include:

  • slowness to fix known bugs or vulnerabilities – updating firmware can be costly to your ISP, so they may be slow to arrive (if they do at all);
  • easily-derived or default admin passwords, meaning that attackers don’t even need to find a real vulnerability – they can just log in.

 

Measures to take

Here’s a quick list of steps you can take to try to improve the security of your first hop to the Internet.  I’ve tried to order them in terms of ease – simplest first.  Before you do any of these, however, save the configuration data so that you can bring it back if you need it.

  1. Passwords – always, always, always change the admin password for your router.  It’s probably going to be one that you rarely use, so you’ll want to record it somewhere.  This is one of the few times where you might want to consider taping it to the router itself, as long as the router is in a secure place where only authorised people (you and your family[5]) have access.
  2. Internal admin access only – unless you have very good reasons, and you know what you’re doing, don’t allow machines to administer the router unless they’re on your home network.  There should be a setting on your router for this.
  3. Wifi passwords – once you’ve done 2., you need to ensure that wifi passwords on your network – whether set on your router or elsewhere – are strong.  It’s easy to set a “friendly” password so that it’s easy for visitors to connect to your network, but if it’s guessed by a malicious person who happens to be nearby, the first thing they’ll do will be to look for routers on the network, and as they’re on the internal network they’ll have access to it (hence why 1 is important).
  4. Only turn on functions that you understand and need – as I noted above, modern routers have all sorts of cool options.  Disregard them.  Unless you really need them, and you actually understand what they do, and what the dangers of turning them on are, then leave them off.  You’re just increasing your attack surface.
  5. Buy your own router – replace your ISP-supplied router with a better one.  Go to your local computer store and ask for suggestions.  You can pay an awful lot, but you can conversely get something fairly cheap that does the job and is more robust, performant and easy to secure than the one you have at the moment.  You may also want to buy a separate modem.  Generally setting up your own modem or router is simple, and you can copy the settings from the ISP-supplied one and it will “just work”.
  6. Firmware updates – I’d love to have this further up the list, but it’s not always easy.  From time to time, firmware updates appear for your router.  Most routers will check automatically, and may prompt you to update when you next log in.  The problem is that failure to update correctly can cause catastrophic results[6], or lose configuration data that you’ll need to re-enter.  But you really do need to consider doing this, and keeping a look-out of firmware updates which fix severe security issues.
  7. Go open source – there are some great open source router projects out there which allow you to take an existing router and replace all of the firmware/software on it with an open source alternative.  You can find a list of at least some of them on Wikipedia – https://en.wikipedia.org/wiki/List_of_router_firmware_projects, and a search on “router” on Opensource.com will open your eyes to a set of fascinating opportunities.  This isn’t a step for the faint-hearted, as you’ll definitely void the warranty on your existing router, but if you want to have real control, open source is always the way to go.

Other issues…

I’d love to pretend that once you’ve improved the security of your router, that all’s well and good, but it’s not on your home network..  What about IoT devices in your home (Alexa, Nest, Ring doorbells, smart lightbulbs, etc.?)  What about VPNs to other networks?  Malicious hosts via Wifi, malicious apps on your childrens phones…?

No – you won’t be safe.  But, as we’ve discussed before, although there is no “secure”, that doesn’t mean that we shouldn’t raise the bar and make it harder for the Bad Folks[tm].

 


1 – I’m simplifying – but read on, we’ll get there.

2 -“Russian State-Sponsored Cyber Actors”

3 – or, in my parents’ case, “the Internet box”, I suspect.

4 – this is one of these cases where I don’t want comments telling me how you have a direct 1 Terabit/s connection to your local backbone, thank you very much.

5 – maybe not the entire family.

6 – your router is now a brick, and you have no access to the Internet.