tips – Alice, Eve and Bob – a security blog

How not to make a cup of tea

This is an emotive topic.

A few weeks ago, I wrote an article entitled “My 7 rules for remote-work sanity“. This was wildly successful, caused at least one email storm on our company servers, and caused a number of readers to ask me to tackle the question of how to make a cup of tea. Because that isn’t contentious at all.

I’ve resisted that, partly because this is (supposed to be) mainly a security blog, and partly because it would be too easy. Instead, I’ve written this article, which is full of advice and guidance about how not to make a cup of tea or, more accurately, how to make a bad cup of tea. This isn’t hugely related to security either, but as I’ve been writing it, it’s reminded me of how strong the idea of “anti-patterns” is, particularly in security. Sometimes it’s hard to explain to people how they should apply security controls to system, and it’s easier to explain what not to do, so that people can learn from that. This is my (very tenuous) link to security in this article. I hope it (and the rest of the article) serve you well.

I am British, but I travel quite frequently to the United States and to Canada. During my travels, I have been privileged to witness many, many attempts to make tea which have been catastrophic failures. This article is an attempt to celebrate these failures so that people, like me, who have learned over many years how to make tea properly, can celebrate the multitude of incorrect ways in which tea can be ruined.

This is an emotive topic. There are shades of opinion across many issues (upon some of which we will touch during this article), across class lines, geographical lines and even moral lines (I’m thinking here in particular of the question of whether to use cow’s milk – an ethical point for vegans). And, so you understand that I’m not overstating the divides that can occur over this important skill, I’d point out that an entire war was started solely over the belief of a certain group of people who believed that the correct way to make tea was to dump an entire shipment of leaves into a salt-water harbour[1] in a small settlement named after a town in Lincolnshire[2].

Without further ado, let us launch into our set of instructions for how not to make tea (by which I mean “hot black tea” in this context), but with a brief (yet important) digression.

De minimis

There are certain activities associated with the making of tea which I am going to declare “de minimis” – in other words, of minimal importance to the aim of creating a decent cup of tea. These may be areas of conflict within the tea drinking community, but I would argue that the majority of Real Tea Drinkers[tm] would accept that a cup of tea would not be ruined by following any of the options for any of the practices noted below. As this article aims to provide a beginner’s guide to how not to make tea, I contend that your choice of any of the options below will not (at least on its own) cause you to be making not-Tea.

Milk, not milk or lemon: I drink my tea with milk. Some drink it without, and some with lemon. Tea can be tea in any of these states.
Sugar or not sugar: I used to drink my tea with sugar, but now do not. Tea can be tea with or without sugar.
Cup or mug: I prefer a mug for most tea drinking opportunities, but a cup (with saucer) can make a nice change.
Bag or loose leaf: we’re getting into contentious territory here. I have recently moved to a strong preference for loose leaf, partly because it tends to be higher quality than bags, but if bags are what you’ve got, then you can make a decent cup of tea with them.
In the pot or in the mug: if you’re using loose leaf tea, then it’s in the pot. If it’s in a mug, then it’s a bag. You can, however, make tea in a pot with a bag.
Milk first or afterwards: there’s evidence to suggest that putting the milk in first means that it won’t scald, but I’m with George Orwell[3] on this: if you put the tea in first, you can add milk slowly to ensure the perfect strength.
Warming the pot: you only need to warm the pot if you’re using bone china. End of.

You might think that I’ve just covered all the important issues of contention above, and that there’s not much point in continuing with this article, but please remember: this article is not aimed at those who wish to make an acceptable cup of tea, but to those who do not wish to make the same. Those who wish to make a cup of non-tea will not be swayed by the points above, and neither should they be. If you belong in this group: whether (for example) a person of North American descent looking to cement your inability to make a cup of tea, or (again, for example) a person of British descent looking for guidance in how to be accepted into North American society by creating a representative cup of non-tea, then, dear reader, please read on.

Instructions

Tea (actual)

The easiest way to fail to make a cup of tea is to choose something which isn’t tea. I’m going to admit to a strong preference to black tea here, and this article is based on how to make a cup of black tea, but I admit to the existence of various other tea types (yellow, white, green, oolong). All of them, however, come from the tea plant, Camellia sinensis. If it doesn’t, then it isn’t tea. Retailers and manufacturers can label it “herbal tea”[4]. Anything which doesn’t come from from the tea plant is an infusion or a tisane.

To be clear, I absolutely include Rooibos or “Red Bush” tea. I tried this once, under the mistaken belief that it was actual tea. The experience did not end well. I’m sure there’s a place for it, but not in my mug (or cup), and it’s not tea. I mean: really.

There are some teas which are made from the tea plant, and have flavourings added. I’m thinking in particular of Earl Grey tea, which has oil of bergamot added to it. I’m not a fan, but that’s partly due to a very bad experience one morning after the imbibing of a significant amount of beverages which definitely weren’t ever pretending to be tea, the results of which also lead to my not drinking gin and tonic anymore[5].

To clarify, then:

tea: yes, tea.
Earl Grey: yes, tea.
rooibos: not tea.
fruit tea: not tea.
lemon tea: not tea.
rhubarb and orange tea: not tea
raspberry and old sticks tea: not tea.
vanilla tea: not tea.
etc., etc.

The very easiest way not to make tea, then, is to choose something which isn’t derived directly from the Camellia sinensis plant. If you’re looking for more adventurous or expert ways not to make tea, however, carry on.

Use non-boiling water

Beyond the obvious “not actually using tea” covered above, the easiest way to fail to make a cup of tea is to use water which is not sufficiently hot. And by “sufficiently hot”, I mean “has just come off the boil”. There’s actual science[6] showing that lots of the important tea-making processes cannot take place at temperatures below 90°C (194°F). To be sure that you’re going to make a cup of bad tea, just be sure not to go with boiling water.

I’ve recently visited a number of establishments in the USA where they offered to make tea with water designed for coffee-making at temperatures of 175°F and 183°F. That’s 79.4°C and 83.9°C. A member of staff at one of these establishments explained that it would be “dangerous” to use water at a higher temperature. I kid you not. They knew that they didn’t need to aim for just off the boil: well under 99°C should do nicely for something almost but not quite like a cup of tea. A warning: many (but not all) outlets of Peet’s Coffee do provide water which is hot enough (often 211-212°F) , if you ask them. You are in significant danger of getting a proper cup of tea if you’re not very careful. This, in my experience, is entirely unique for a coffee chain anywhere in the USA.

Many US hotels will offer to make you a cup of tea in the morning, if you ask nicely enough and sound (passive-aggressively) British enough. You might think that you would be guaranteed a proper cup, but worry not: they will almost certainly use really bad tea, the water will be insufficiently hot and they will definitely not bother to pour it directly over the tea-bag anyway. Hotels are great places to find a really bad cup of tea in the USA.

As a minor corollary of this, another way to fail to make a cup of tea is to boil the water at altitude (e.g. up a mountain) or in an airplane. Because air pressure is reduced in both cases, the boiling point of water is reduced, and so you’re not likely to be able to get the water hot enough, so that’s another great option.

Boil the water incorrectly

What: you didn’t know that you could boil water incorrectly? Oh, but you can. Proper tea is made from water boiled once in a kettle, because if you boil it more than once, something happens: you’ve removed oxygen that was originally dissolved in the water, and this turns out to make it taste bad.

Use the wrong type(s) of milk

The easy way out is to use 2% (semi-skimmed) or 4% (whole fat) cow’s milk, but you don’t want to do that: that’ll give you proper tea. In order not to make tea properly, try UHT milk, almond milk, soy milk or similar. I haven’t tried ewe’s or goat’s milk, but I’m sure it’s easy to mess up a good cup of tea with those.

Condensed milk is an interesting option. I’ve had this in India – where I think they add it instead of sugar – and, well, it didn’t taste like tea to me.

Let it go cold

I’m not even talking about so called “iced tea” here. I’m just talking about tea which has been brewed, then poured, then left to go cold. Yuck.

Brew for too long

Quite apart from the fact that it may go cold, it’s possible to make tea just too strong. There’s a range that most people will accept as proper tea, but you can leave most tea too long, and it will be too strong when you pour it. How long that is will depend partly on preference, and partly on the type of tea you’re using. If you want to ensure you make a bad cup of tea, tune these carefully.

Don’t brew for long enough

Again, it’s easy to get this wrong. Some types of tea brew very quickly, and you’re in danger, for these types, of pouring a decent cup despite your best interests. Use this technique with care, and preferably in conjunction with others of the approaches listed.

Use a little strainer

It is possible to make a decent cuppa with one of those little strainers into which you place your tea leaves, but it’s difficult. The problem seems to be that in order to make a properly strong cup of tea, you’re going to need to put quite a lot of tea leaves into the strainer. This means that the water won’t be able to interact with most of them, as they’ll be stuffed in, and not able to circulate properly. You can try swishing it around a bit, but by the time you’ve got to this, the water will probably be too cold (see above).

Microwave

Microwave your water. This is wrong on so many levels (do a search online).

Use bad tea

Mainly, I think, because most US citizens have no idea how to make a cup of tea properly, they are willing to accept the stuff that passes for “tea bags” in the US as actual tea. There are exceptions, but the standard fare that you’ll find on supermarket shelves isn’t anything like actual tea, so it’s very simple to make a bad cup even if you’ve done everything else right.

My preferred cup of tea

After all of the above, you may be wondering what my preferred cup of tea looks like. Here’s a brief algorithm, which I’m happy to open source:

freshly drawn water in the kettle
kettle boiled
a teaspoon of tea into a small pot (how heaped depends on the type), current favourites include:
- English Breakfast Single Estate (Lost Malawi) by the Rare Tea Company – a lovely breakfast or mid-morning cuppa
- Royal Air Forces Association Tea for Heroes by the Rare Tea Company – for those mornings when things are looking a little bleak
- Ceylon Orange Pekoe by Whittard of Chelsea – a refreshing mid-morning or post-lunch cup
- Honde Valley Tea by TWG – a strong afternoon tea to get you through to the end of the day
pour the boiling water into pot (I tend to use pots with built-in strainers)
allow to brew (how long depends on the type of tea)
pour from the pot into a large mug (not too large, or the tea will get too cold to drink before you get to the bottom)
add semi-skimmed (2%) milk (not UHT)
drink as soon as its cooled enough not to blister the inside of the mouth
leave the bottom few millimetres to avoid ingesting any leaves which may have made their way into the mug.

So there you have it. That’s how I make a cup of tea.

1 – yes, that’s how to spell it.

2 – I’m assuming this was the sole reason. I’m a little hazy on the details, but it all seems to have turned out OK for both sides.

3 – who, given that he wrote both the books Animal Farm and 1984, knew a thing or two about how not to do things.

4 – yes, there’s an “h”, yes it’s aspirated. “‘erbal?” Not unless dropping aitches is part of your general dialect and accent, in which case, fine.

5 – I still drink gin, only not with tonic. It’s the tonic water that I’ve managed to convince my taste buds was the cause of the resulting … problem.

6 – Really, look!

My 7 rules for remote-work sanity

If I need to get out of my office, I’ll take the dog for a walk

リモートワークをするときの7つのマイルール

I work remotely, and have done, on and off, for a good percentage of the past 10-15 years. I’m lucky that I’m in a role where this suits my responsibilities, and in a company – Red Hat – that is set up for it. Not all roles – those with many customer onsite meetings, or those with a major service component – are suited to remote working, of course, but it’s clear that an increasing number of organisations are considering having at least some of their workers doing so remotely.

I’ve carefully avoided using the phrase either “working from home” or “working at home” above. I’ve seen discussion that the latter gives a better “vibe” for some reason, but it’s not accurate for many remote workers. In fact, it doesn’t describe my role perfectly, either. My role is remote, in that I have no company-provided “base” – with chair, desk, meeting rooms, phone, Internet access, etc. – but I don’t spend all of my time at home. I spend maybe one and a half weeks a month, on average, travelling – to attend or speak at conferences, to have face-to-face (“F2F”) meetings, etc.. During these times, I’m generally expected to be contactable and to keep at least vaguely up-to-date on email – though the exact nature of the activities in which I’m engaged, and the urgency of the contacts and email, may increase or reduce my engagement.

Open source

One of the reasons that I can work remotely is that I work for a company that works with open source software. I’m currently involved in a very exciting project called Enarx (which I first announced on this blog). We have contributors in Europe and the US – and interest from further abroad. Our stand-ups are all virtual, and we default to turning on video. At least two of our regulars will participate from a treadmill, I will typically actually stand at my desk. We use github for all of our code (it’s all open source, of course), and there’s basically no reason for us to meet in person very often. We try to celebrate together – agreeing to get cake, wherever we are, to mark special occasions, for instance – and have laptop stickers to brand ourselves and help team unity. We have a shared chat, and IRC channel and spend a lot of time communicating via different channels. We’re still quite a small team, but it works for now. If you’re looking for more tips about how to manage, coordinate and work in remote teams, particularly around open source projects, you’ll find lots of information at the brilliant Opensource.com.

The environment

When I’m not travelling around the place, I’m based at home. There, I have a commute – depending on weather conditions – of around 30-45 seconds, which is generally pretty bearable. My office is separate from the rest of the house (set in the garden), and outfitted with an office chair, desk, laptop dock, monitor, webcam, phone, keyboard and printer: these are the obvious work-related items in the room.

Equally important, however, are the other accoutrements that make for a good working environment. These will vary from person to person, but I also have:

a Sonos, attached to an amplifier and good speakers
a sofa, often occupied by my dog, and sometimes one of the cats
a bookshelf, where the books which aren’t littering the floor reside
tea-making facilities (I’m British – this is important)
a fridge, filled with milk (for the tea), beer and wine (don’t worry: I don’t drink these during work hours, and it’s more that the fridge is good for “overflow” from our main kitchen one)
wide-opening windows and blinds for the summer (we have no air-conditioning: I’m British, remember?)
underfloor heating and a wood-burning stove for the winter (the former to keep the room above freezing until I get the latter warmed up)
a “NUC” computer and monitor for activities that aren’t specifically work-related
a few spiders.

What you have will depend on your work style, but these “non-work-related” items are important (bar the spiders, possibly) to my comfort and work practice. For instance, I often like to listen to music to help me concentrate; I often sit on the sofa with the dog/cats to read long documents; and without the fridge and tea-making facilities, I might as well be American[1].

My rules

How does it work, then? Well, first of all, most of us like human contact from time to time. Some remote workers will rent space in a shared work environment, and work there most of the time: they prefer an office environment, or don’t have a dedicated space for working a home. Others will mainly work in coffee shops, or on their boat[2], or may spend half of the year in the office, and the other half working from a second home. Whatever you do, finding something that works for you is important. Here’s what I tend to do, and why:

I try to have fairly rigid work hours – officially (and as advertised on our intranet for the information of colleagues), I work 10am-6pm UK time. This gives me a good overlap with the US (where many of my colleagues are based), and time in the morning to go for a run or a cycle and/or to walk the dog (see below). I don’t always manage these times, but when I flex in one direction, I attempt to pull some time back the other way, as otherwise I know that I’ll just work ridiculous hours.
I ensure that I get up and have a cup of tea – in an office environment, I would typically be interrupted from time to time by conversations, invitations to get tea, phyiscal meetings in meeting rooms, lunch trips, etc.. This doesn’t happen at home, so it’s important to keep moving, or you’ll be stuck at your desk for 3-4 hours at a time, frequently. This isn’t good for your health, and often, for your productivity (and I enjoy drinking tea).
I have an app which tells me when I’ve been inactive – this is new for me, but I like it. If I’ve basically not moved for an hour, my watch (could be phone or laptop) tells me to do some exercise. It even suggests something, but I’ll often ignore that, and get up for some tea, for instance[3].
I use my standing desk’s up/down capability – I try to vary my position through the day from standing to sitting and back again. It’s good for posture, and keeps me more alert.
I walk the dog – if I just need to get out of my office and do some deep thinking (or just escape a particularly painful email thread!), I’ll take the dog for a walk. Even if I’m not thinking about work for all of the time, I know that it’ll make me more productive, and if it’s a longish walk, I’ll make sure that I compensate with extra time spent working (which is always easy).
I have family rules – the family knows that when I’m in my office, I’m at work. They can message me on my phone (which I may ignore), or may come to the window to see if I’m available, but if I’m not, I’m not. Emergencies (lack of milk for tea, for example) can be negotiated on a case-by-case basis.
I go for tea (and usually cake) at a cafe – sometimes, I need to get into a different environment, and have a chat with actual people. For me, popping into the car for 10 minutes and going to a cafe is the way to do this. I’ve found one which makes good cakes (and tea).

These rules don’t describe my complete practice, but they are an important summary of what I try to do, and what keeps me (relatively) sane. Your rules will be different, but I think it’s really important to have rules, and to make it clear to yourself, your colleagues, your friends and your family, what they are. Remote working is not always easy, and requires discipline – but that discipline is, more often than not, in giving yourself some slack, rather than making yourself sit down for eight hours a day.

1 – I realise that many people, including many of my readers, are American. That’s fine: you be you. I actively like tea, however (and know how to make it properly, which seems to be an issue when I visit).

2 – I know a couple of these: lucky, lucky people!

3 – can you spot a pattern?

3 laptop power mode options

Don’t suspend your laptop.

I wrote a post a couple of weeks ago called 7 security tips for travelling with your laptop. The seventh tip was “Don’t suspend”: in other words, when you’re finished doing what you’re doing, either turn your laptop off, or put it into “hibernate” mode. I thought it might be worth revisiting this piece of advice, partly to explain the difference between these different states, and partly to explain exactly why it’s a bad idea to use the suspend mode. A very bad idea indeed. In fact, I’d almost go as far as saying “don’t suspend your laptop”.

So, what are the three power modes usually available to us on a laptop? Let’s look at them one at a time. I’m going to assume that you have disk encryption enabled (the second of the seven tips in my earlier article), because you really, really should.

Power down

This is what you think it is: your laptop has powered down, and in order to start it up again, you’ve got to go through an entire boot process. Any applications that you had running before will need to be restarted[1], and won’t come back in the same state that they were before[2]. If somebody has access to your laptop when you’re not there, then there’s not immediate way that they can get at your data, as it’s encrypted[3]. See the conclusion for a couple of provisos, but powering down your laptop when you’re not using it is pretty safe, and the time taken to reboot a modern laptop with a decent operating system on it is usually pretty quick these days.

It’s worth noting that for some operating systems – Microsoft Windows, at least – when you tell your laptop to power down, it doesn’t. It actually performs a hibernate without telling you, in order to speed up the boot process. There are (I believe – as a proud open source user, I don’t run Windows, so I couldn’t say for sure) ways around this, but most of the time you probably don’t care: see below on why hibernate mode is pretty good for many requirements and use cases.

Hibernate

Confusingly, hibernate is sometimes referred to as “suspend to disk”. What actually happens when you hibernate your machine is that the contents of RAM (your working memory) are copied and saved to your hard disk. The machine is then powered down, leaving the state of the machine ready to be reloaded when you reboot. When you do this, the laptop notices that it was hibernated, looks for saved state, and loads it into RAM[4]. Your session should come back pretty much as it was before – though if you’ve moved to a different wifi network or a session on a website has expired, for instance, your machine may have to do some clever bits and pieces in the background to make things as nice as possible as you resume working.

The key thing about hibernating your laptop is that while you’ve saved state to the hard drive, it’s encrypted[3], so anyone who manages to get at your laptop while you’re not there will have a hard time getting any data from it. You’ll need to unlock your hard drive before your session can be resumed, and given that your attacker won’t have your password, you’re good to go.

Suspend

The key difference between suspend and the other two power modes we’ve examined above is that when you choose to suspend your laptop, it’s still powered on. The various components are put into low-power mode, and it should wake up pretty quickly when you need it, but, crucially, all of the applications that you were running beforehand are still running, and are still in RAM. I mentioned in my previous post that this increases the attack surface significantly, but there are some protections in place to improve the security of your laptop when it’s in suspend mode. Unluckily, they’re not always successful, as was demonstrated a few days ago by an attack described by the Register. Even if your laptop is not at risk from this particular attack, my advice just not to use suspend.

There are two usages of suspend that are difficult to manage. The first is when you have your machine set to suspend after a long period of inactivity. Typically, you’ll set the screen to lock after a certain period of time, and then the system will suspend. Normally, this is only set for when you’re on battery – in other words, when you’re not sat at your desk with the power plugged in. My advice would be to change this setting so that your laptop goes to hibernate instead. It’s a bit more time to boot it up, but if you’re leaving your laptop unused for a while, and it’s not plugged in, then it’s most likely that you’re travelling, and you need to be careful.

The second is when you get up and close the lid to move elsewhere. If you’re moving around within your office or home, then that’s probably OK, but for anything else, try training yourself to hibernate or power down your laptop instead.

Conclusion

There are two important provisos here.

The first I’ve already mentioned: if you don’t have disk encryption turned on, then someone with access to your laptop, even for a fairly short while, is likely to have quite an easy time getting at your data. It’s worth pointing out that you want full disk encryption turned on, and not just “home directory” encryption. That’s because if someone has access to your laptop for a while, they may well be able to make changes to the boot-up mechanism in such a way that they can wait until you log in and either collect your password for later use or have the data sent to them over the network. This is much less easy with full disk encryption.

The second is that there are definitely techniques available to use hardware and firmware attacks on your machine that may be successful even with full disk encryption. Some of these are easy to spot – don’t turn on your machine if there’s anything in the USB port that you don’t recognise[5] – but others, where hardware may be attached or even soldered to the motherboard, or firmware changed, are very difficult to spot. We’re getting into some fairly sophisticated attacks here, and if you’re worried about them, then consider my first security tip “Don’t take a laptop”.

1 – some of them automatically, either as system processes (you rarely have to remember to have to turn networking back on, for instance), or as “start-up” applications which most operating systems will allow you to specify as auto-starting when you log in.

2 – this isn’t actually quite true for all applications: it might have been more accurate to say “unless they’re set up this way”. Some applications (web browsers are typical examples) will notice if they weren’t shut down “nicely”, and will attempt to get back into the state they were beforehand.

3 – you did enable disk encryption, right?

4 – assuming it’s there, and hasn’t been corrupted in some way, in which case the laptop will just run a normal boot sequence.

5 – and don’t just use random USB sticks from strangers or that you pick up in the carpark, but you knew that, right?

7 security tips for travelling with your laptop

Our laptop is a key tool that we tend to keep with us.

I do quite a lot of travel, and although I had a quiet month or two over the summer, I’ve got several trips booked over the next few months. For many of us, our laptop is a key tool that we tend to keep with us, and most of us will have sensitive material of some type on our laptops, whether it’s internal emails, customer, partner or competitive information, patent information, details of internal processes, strategic documents or keys and tools for accessing our internal network. I decided to provide a few tips around security and your laptop[1]. Of course, a laptop presents lots of opportunities for attackers – of various types. Before we go any further, let’s think about some of the types of attacker you might be worrying about. The extent to which you need to be paranoid will depend somewhat on what attackers you’re most concerned about.

Attackers

Here are some types of attackers that spring to my mind: bear in mind that there may be overlap, and that different individuals may take on different roles in different situations.

opportunistic thieves – people who will just steal your hardware.
opportunistic viewers – people who will have a good look at information on your screen.
opportunistic probers – people who will try to get information from your laptop if they get access to it.
customers, partners, competitors – it can be interesting and useful for any of these types to gain information from your laptop. The steps they are willing to take to get that information may vary based on a variety of factors.
hackers/crackers – whether opportunistic or targeted, you need to be aware of where you – and your laptop – are most vulnerable.
state actors – these are people with lots and lots of resources, for whom access to your laptop, even for a short amount of time, gives them lots of chances to do short-term and long-term damage to you data and organisation.

7 concrete suggestions

Don’t take a laptop. Do you really need one with you? There may be occasions when it’s safer not to travel with a laptop: leave it in the office, at home, in your bag or in your hotel room. There are risks associated even with your hotel room (see below), but maybe a bluetooth keyboard with your phone, a USB stick or an emailed presentation will be all you need. Not to suggest that any of those are necessarily safe, but you are at least reducing your attack surface. Oh, and if you do travel with your laptop, make sure you keep it with you, or at least secured at all times.
Ensure that you have disk encryption enabled. If you have disk encryption, then if somebody steals your laptop, it’s very difficult for them to get at your data. If you don’t, it’s really, really easy. Turn on disk encryption: just do.
Think about your screen. When your screen is on, people can see it. Many laptop screens have a very broad viewing angle, so people to either side of you can easily see what’s on it. The availability of high resolution cameras on mobile phones means that people don’t need long to capture what’s on your screen, so this is a key issue to consider. What are your options? The most common is to use a privacy screen, which fits over your laptop screen, typically reducing the angle from which it can be viewed. These don’t stop people being able to view what’s on it, but it does mean that viewers need to be almost directly behind you. This may sound like a good thing, but in fact, that’s the place you’re least likely to notice a surreptitious viewer, so employ caution. I worry that these screens can give you a false sense of security, so I don’t use one. Instead, I make a conscious decision never to have anything sensitive on my screen in situations where non-trusted people might see it. If I really need to do some work, I’ll find a private place where nobody can look at my screen – and even try to be aware of the possibility of reflections in windows.
Lock your screen. Even if you’re stepping away for just a few seconds, always, always lock your screen. Even if it’s just colleagues around. Colleagues sometimes find it “funny” to mess with your laptop, or send emails from your account. What’s more, there can be a certain kudos to having messaged with “the security guy/gal’s” laptop. Locking the screen is always a good habit to get into, and rather than thinking “oh, I’ll only be 20 seconds”: think how often you get called over to chat to someone, or decide that you want a cup of tea/coffee, or just forget what you were doing, and just wander off.
Put your laptop into airplane mode. There are a multitude of attacks which can piggy-back on the wifi and bluetooth capabilities of your laptop (and your phone). If you don’t need them, then turn them off. In fact, turn off bluetooth anyway: there’s rarely a reason to leave it on. There may be times to turn on wifi, but be careful about the networks you connect to: there are lots of attacks which pretend to be well-known wifi APs such as “Starbucks” which will let your laptop connect and then attempt to do Bad Things to it. One alternative – if you have sufficient data on your mobile phone plan and you trust the provider you’re using – is to set your mobile (cell) phone up as a mobile access point and to connect to that instead.
Don’t forget to take upgrades. Just because you’re on the road, don’t forget to take software upgrades. Obviously, you can’t do that with wifi off – unless you have Ethernet access – but when you are out on the road, you’re often more vulnerable than when you’re sitting behind the corporate firewall, so keeping your software patched and updated is a sensible precaution.
Don’t suspend. Yes, the suspend mode[2] makes it easy to get back to what you were doing, and doesn’t take much battery, but leaving your laptop in suspend increases the attack surface available to somebody who steals your laptop, or just has access to it for a short while (the classic “evil maid” attack of someone who has access to your hotel room, for instance). If you turn off your laptop, and you’ve turned on disk encryption (see above), then you’re in much better shape.

Are there more things you can do? Yes, of course. But all of the above are simple ways to reduce the chance that you or your laptop are at risk from

1 – After a recent blog post, a colleague emailed me with a criticism. It was well-intentioned, and I took it as such. The comment he made was that although he enjoys my articles, he would prefer it if there were more suggestions on how to act, or things to do. I had a think about it, and decided that this was entirely apt, so this week, I’m going to provide some thoughts and some suggestions this week. I can’t promise to be consistent in meeting this aim, but this is at least a start.

2 – edited: I did have “hibernate” mode in here as well, but a colleague pointed out that hibernate should force disk encryption, so should be safer than suspend. I never use either, as booting from cold is usually so quick these days.