My 7 rules for remote-work sanity

If I need to get out of my office, I’ll take the dog for a walk

I work remotely, and have done, on and off, for a good percentage of the past 10-15 years.  I’m lucky that I’m in a role where this suits my responsibilities, and in a company – Red Hat – that is set up for it.  Not all roles – those with many customer onsite meetings, or those with a major service component – are suited to remote working, of course, but it’s clear that an increasing number of organisations are considering having at least some of their workers doing so remotely.

I’ve carefully avoided using the phrase either “working from home” or “working at home” above.  I’ve seen discussion that the latter gives a better “vibe” for some reason, but it’s not accurate for many remote workers.  In fact, it doesn’t describe my role perfectly, either.  My role is remote, in that I have no company-provided “base” – with chair, desk, meeting rooms, phone, Internet access, etc. – but I don’t spend all of my time at home.  I spend maybe one and a half weeks a month, on average, travelling – to attend or speak at conferences, to have face-to-face (“F2F”) meetings, etc..  During these times, I’m generally expected to be contactable and to keep at least vaguely up-to-date on email – though the exact nature of the activities in which I’m engaged, and the urgency of the contacts and email, may increase or reduce my engagement.

Open source

One of the reasons that I can work remotely is that I work for a company that works with open source software.  I’m currently involved in a very exciting project called Enarx (which I first announced on this blog).  We have contributors in Europe and the US – and interest from further abroad.  Our stand-ups are all virtual, and we default to turning on video.  At least two of our regulars will participate from a treadmill, I will typically actually stand at my desk.  We use github for all of our code (it’s all open source, of course), and there’s basically no reason for us to meet in person very often.  We try to celebrate together – agreeing to get cake, wherever we are, to mark special occasions, for instance – and have laptop stickers to brand ourselves and help team unity. We have a shared chat, and IRC channel and spend a lot of time communicating via different channels.  We’re still quite a small team, but it works for now.  If you’re looking for more tips about how to manage, coordinate and work in remote teams, particularly around open source projects, you’ll find lots of information at the brilliant Opensource.com.

The environment

When I’m not travelling around the place, I’m based at home.  There, I have a commute – depending on weather conditions – of around 30-45 seconds, which is generally pretty bearable.  My office is separate from the rest of the house (set in the garden), and outfitted with an office chair, desk, laptop dock, monitor, webcam, phone, keyboard and printer: these are the obvious work-related items in the room.

Equally important, however, are the other accoutrements that make for a good working environment.  These will vary from person to person, but I also have:

  • a Sonos, attached to an amplifier and good speakers
  • a sofa, often occupied by my dog, and sometimes one of the cats
  • a bookshelf, where the books which aren’t littering the floor reside
  • tea-making facilities (I’m British – this is important)
  • a fridge, filled with milk (for the tea), beer and wine (don’t worry: I don’t drink these during work hours, and it’s more that the fridge is good for “overflow” from our main kitchen one)
  • wide-opening windows and blinds for the summer (we have no air-conditioning: I’m British, remember?)
  • underfloor heating and a wood-burning stove for the winter (the former to keep the room above freezing until I get the latter warmed up)
  • a “NUC” computer and monitor for activities that aren’t specifically work-related
  • a few spiders.

What you have will depend on your work style, but these “non-work-related” items are important (bar the spiders, possibly) to my comfort and work practice.  For instance, I often like to listen to music to help me concentrate; I often sit on the sofa with the dog/cats to read long documents; and without the fridge and tea-making facilities, I might as well be American[1].

My rules

How does it work, then?  Well, first of all, most of us like human contact from time to time.  Some remote workers will rent space in a shared work environment, and work there most of the time: they prefer an office environment, or don’t have a dedicated space for working a home.  Others will mainly work in coffee shops, or on their boat[2], or may spend half of the year in the office, and the other half working from a second home.  Whatever you do, finding something that works for you is important.  Here’s what I tend to do, and why:

  1. I try to have fairly rigid work hours – officially (and as advertised on our intranet for the information of colleagues), I work 10am-6pm UK time.  This gives me a good overlap with the US (where many of my colleagues are based), and time in the morning to go for a run or a cycle and/or to walk the dog (see below).  I don’t always manage these times, but when I flex in one direction, I attempt to pull some time back the other way, as otherwise I know that I’ll just work ridiculous hours.
  2. I ensure that I get up and have a cup of tea – in an office environment, I would typically be interrupted from time to time by conversations, invitations to get tea, phyiscal meetings in meeting rooms, lunch trips, etc..  This doesn’t happen at home, so it’s important to keep moving, or you’ll be stuck at your desk for 3-4 hours at a time, frequently.  This isn’t good for your health, and often, for your productivity (and I enjoy drinking tea).
  3. I have an app which tells me when I’ve been inactive – this is new for me, but I like it.  If I’ve basically not moved for an hour, my watch (could be phone or laptop) tells me to do some exercise.  It even suggests something, but I’ll often ignore that, and get up for some tea, for instance[3].
  4. I use my standing desk’s up/down capability – I try to vary my position through the day from standing to sitting and back again.  It’s good for posture, and keeps me more alert.
  5. I walk the dog – if I just need to get out of my office and do some deep thinking (or just escape a particularly painful email thread!), I’ll take the dog for a walk.  Even if I’m not thinking about work for all of the time, I know that it’ll make me more productive, and if it’s a longish walk, I’ll make sure that I compensate with extra time spent working (which is always easy).
  6. I have family rules – the family knows that when I’m in my office, I’m at work.  They can message me on my phone (which I may ignore), or may come to the window to see if I’m available, but if I’m not, I’m not.  Emergencies (lack of milk for tea, for example) can be negotiated on a case-by-case basis.
  7. I go for tea (and usually cake) at a cafe – sometimes, I need to get into a different environment, and have a chat with actual people.  For me, popping into the car for 10 minutes and going to a cafe is the way to do this.  I’ve found one which makes good cakes (and tea).

These rules don’t describe my complete practice, but they are an important summary of what I try to do, and what keeps me (relatively) sane.  Your rules will be different, but I think it’s really important to have rules, and to make it clear to yourself, your colleagues, your friends and your family, what they are.  Remote working is not always easy, and requires discipline – but that discipline is, more often than not, in giving yourself some slack, rather than making yourself sit down for eight hours a day.


1 – I realise that many people, including many of my readers, are American.  That’s fine: you be you.  I actively like tea, however (and know how to make it properly, which seems to be an issue when I visit).

2 – I know a couple of these: lucky, lucky people!

3 – can you spot a pattern?

3 laptop power mode options

Don’t suspend your laptop.

I wrote a post a couple of weeks ago called 7 security tips for travelling with your laptop.  The seventh tip was “Don’t suspend”: in other words, when you’re finished doing what you’re doing, either turn your laptop off, or put it into “hibernate” mode.  I thought it might be worth revisiting this piece of advice, partly to explain the difference between these different states, and partly to explain exactly why it’s a bad idea to use the suspend mode.  A very bad idea indeed.  In fact, I’d almost go as far as saying “don’t suspend your laptop”.

So, what are the three power modes usually available to us on a laptop?  Let’s look at them one at a time.  I’m going to assume that you have disk encryption enabled (the second of the seven tips in my earlier article), because you really, really should.

Power down

This is what you think it is: your laptop has powered down, and in order to start it up again, you’ve got to go through an entire boot process.  Any applications that you had running before will need to be restarted[1], and won’t come back in the same state that they were before[2].  If somebody has access to your laptop when you’re not there, then there’s not immediate way that they can get at your data, as it’s encrypted[3].  See the conclusion for a couple of provisos, but powering down your laptop when you’re not using it is pretty safe, and the time taken to reboot a modern laptop with a decent operating system on it is usually pretty quick these days.

It’s worth noting that for some operating systems – Microsoft Windows, at least – when you tell your laptop to power down, it doesn’t.  It actually performs a hibernate without telling you, in order to speed up the boot process.  There are (I believe – as a proud open source user, I don’t run Windows, so I couldn’t say for sure) ways around this, but most of the time you probably don’t care: see below on why hibernate mode is pretty good for many requirements and use cases.

Hibernate

Confusingly, hibernate is sometimes referred to as “suspend to disk”.  What actually happens when you hibernate your machine is that the contents of RAM (your working memory) are copied and saved to your hard disk.  The machine is then powered down, leaving the state of the machine ready to be reloaded when you reboot.  When you do this, the laptop notices that it was hibernated, looks for saved state, and loads it into RAM[4].  Your session should come back pretty much as it was before – though if you’ve moved to a different wifi network or a session on a website has expired, for instance, your machine may have to do some clever bits and pieces in the background to make things as nice as possible as you resume working.

The key thing about hibernating your laptop is that while you’ve saved state to the hard drive, it’s encrypted[3], so anyone who manages to get at your laptop while you’re not there will have a hard time getting any data from it.  You’ll need to unlock your hard drive before your session can be resumed, and given that your attacker won’t have your password, you’re good to go.

Suspend

The key difference between suspend and the other two power modes we’ve examined above is that when you choose to suspend your laptop, it’s still powered on.  The various components are put into low-power mode, and it should wake up pretty quickly when you need it, but, crucially, all of the applications that you were running beforehand are still running, and are still in RAM.  I mentioned in my previous post that this increases the attack surface significantly, but there are some protections in place to improve the security of your laptop when it’s in suspend mode.  Unluckily, they’re not always successful, as was demonstrated a few days ago by an attack described by the Register.  Even if your laptop is not at risk from this particular attack, my advice just not to use suspend.

There are two usages of suspend that are difficult to manage.  The first is when you have your machine set to suspend after a long period of inactivity.  Typically, you’ll set the screen to lock after a certain period of time, and then the system will suspend.  Normally, this is only set for when you’re on battery – in other words, when you’re not sat at your desk with the power plugged in.  My advice would be to change this setting so that your laptop goes to hibernate instead.  It’s a bit more time to boot it up, but if you’re leaving your laptop unused for a while, and it’s not plugged in, then it’s most likely that you’re travelling, and you need to be careful.

The second is when you get up and close the lid to move elsewhere.  If you’re moving around within your office or home, then that’s probably OK, but for anything else, try training yourself to hibernate or power down your laptop instead.

Conclusion

There are two important provisos here.

The first I’ve already mentioned: if you don’t have disk encryption turned on, then someone with access to your laptop, even for a fairly short while, is likely to have quite an easy time getting at your data.  It’s worth pointing out that you want full disk encryption turned on, and not just “home directory” encryption.  That’s because if someone has access to your laptop for a while, they may well be able to make changes to the boot-up mechanism in such a way that they can wait until you log in and either collect your password for later use or have the data sent to them over the network.  This is much less easy with full disk encryption.

The second is that there are definitely techniques available to use hardware and firmware attacks on your machine that may be successful even with full disk encryption.  Some of these are easy to spot – don’t turn on your machine if there’s anything in the USB port that you don’t recognise[5] – but others, where hardware may be attached or even soldered to the motherboard, or firmware changed, are very difficult to spot.  We’re getting into some fairly sophisticated attacks here, and if you’re worried about them, then consider my first security tip “Don’t take a laptop”.


1 – some of them automatically, either as system processes (you rarely have to remember to have to turn networking back on, for instance), or as “start-up” applications which most operating systems will allow you to specify as auto-starting when you log in.

2 – this isn’t actually quite true for all applications: it might have been more accurate to say “unless they’re set up this way”.  Some applications (web browsers are typical examples) will notice if they weren’t shut down “nicely”, and will attempt to get back into the state they were beforehand.

3 – you did enable disk encryption, right?

4 – assuming it’s there, and hasn’t been corrupted in some way, in which case the laptop will just run a normal boot sequence.

5 – and don’t just use random USB sticks from strangers or that you pick up in the carpark, but you knew that, right?

7 security tips for travelling with your laptop

Our laptop is a key tool that we tend to keep with us.

I do quite a lot of travel, and although I had a quiet month or two over the summer, I’ve got several trips booked over the next few months.  For many of us, our laptop is a key tool that we tend to keep with us, and most of us will have sensitive material of some type on our laptops, whether it’s internal emails, customer, partner or competitive information, patent information, details of internal processes, strategic documents or keys and tools for accessing our internal network.  I decided to provide a few tips around security and your laptop[1]. Of course, a laptop presents lots of opportunities for attackers – of various types.  Before we go any further, let’s think about some of the types of attacker you might be worrying about.  The extent to which you need to be paranoid will depend somewhat on what attackers you’re most concerned about.

Attackers

Here are some types of attackers that spring to my mind: bear in mind that there may be overlap, and that different individuals may take on different roles in different situations.

  • opportunistic thieves – people who will just steal your hardware.
  • opportunistic viewers – people who will have a good look at information on your screen.
  • opportunistic probers – people who will try to get information from your laptop if they get access to it.
  • customers, partners, competitors – it can be interesting and useful for any of these types to gain information from your laptop.  The steps they are willing to take to get that information may vary based on a variety of factors.
  • hackers/crackers – whether opportunistic or targeted, you need to be aware of where you – and your laptop – are most vulnerable.
  • state actors – these are people with lots and lots of resources, for whom access to your laptop, even for a short amount of time, gives them lots of chances to do short-term and long-term damage to you data and organisation.

 

7 concrete suggestions

  1. Don’t take a laptop.  Do you really need one with you?  There may be occasions when it’s safer not to travel with a laptop: leave it in the office, at home, in your bag or in your hotel room.  There are risks associated even with your hotel room (see below), but maybe a bluetooth keyboard with your phone, a USB stick or an emailed presentation will be all you need.  Not to suggest that any of those are necessarily safe, but you are at least reducing your attack surface.  Oh, and if you do travel with your laptop, make sure you keep it with you, or at least secured at all times.
  2. Ensure that you have disk encryption enabled.  If you have disk encryption, then if somebody steals your laptop, it’s very difficult for them to get at your data.  If you don’t, it’s really, really easy.  Turn on disk encryption: just do.
  3. Think about your screen. When your screen is on, people can see it.  Many laptop screens have a very broad viewing angle, so people to either side of you can easily see what’s on it.  The availability of high resolution cameras on mobile phones means that people don’t need long to capture what’s on your screen, so this is a key issue to consider.  What are your options?  The most common is to use a privacy screen, which fits over your laptop screen, typically reducing the angle from which it can be viewed.  These don’t stop people being able to view what’s on it, but it does mean that viewers need to be almost directly behind you.  This may sound like a good thing, but in fact, that’s the place you’re least likely to notice a surreptitious viewer, so employ caution.  I worry that these screens can give you a false sense of security, so I don’t use one.  Instead, I make a conscious decision never to have anything sensitive on my screen in situations where non-trusted people might see it.   If I really need to do some work, I’ll find a private place where nobody can look at my screen – and even try to be aware of the possibility of reflections in windows.
  4. Lock your screen.  Even if you’re stepping away for just a few seconds, always, always lock your screen.  Even if it’s just colleagues around.  Colleagues sometimes find it “funny” to mess with your laptop, or send emails from your account.  What’s more, there can be a certain kudos to having messaged with “the security guy/gal’s” laptop.  Locking the screen is always a good habit to get into, and rather than thinking “oh, I’ll only be 20 seconds”: think how often you get called over to chat to someone, or decide that you want a cup of tea/coffee, or just forget what you were doing, and just wander off.
  5. Put your laptop into airplane mode.  There are a multitude of attacks which can piggy-back on the wifi and bluetooth capabilities of your laptop (and your phone).  If you don’t need them, then turn them off.  In fact, turn off bluetooth anyway: there’s rarely a reason to leave it on.  There may be times to turn on wifi, but be careful about the networks you connect to: there are lots of attacks which pretend to be well-known wifi APs such as “Starbucks” which will let your laptop connect and then attempt to do Bad Things to it.  One alternative – if you have sufficient data on your mobile phone plan and you trust the provider you’re using – is to set your mobile (cell) phone up as a mobile access point and to connect to that instead.
  6. Don’t forget to take upgrades.  Just because you’re on the road, don’t forget to take software upgrades.  Obviously, you can’t do that with wifi off – unless you have Ethernet access – but when you are out on the road, you’re often more vulnerable than when you’re sitting behind the corporate firewall, so keeping your software patched and updated is a sensible precaution.
  7. Don’t suspend.  Yes, the suspend mode[2] makes it easy to get back to what you were doing, and doesn’t take much battery, but leaving your laptop in suspend increases the attack surface available to somebody who steals your laptop, or just has access to it for a short while (the classic “evil maid” attack of someone who has access to your hotel room, for instance).  If you turn off your laptop, and you’ve turned on disk encryption (see above), then you’re in much better shape.

Are there more things you can do?  Yes, of course.  But all of the above are simple ways to reduce the chance that you or your laptop are at risk from


1 – After a recent blog post, a colleague emailed me with a criticism.  It was well-intentioned, and I took it as such.  The comment he made was that although he enjoys my articles, he would prefer it if there were more suggestions on how to act, or things to do.  I had a think about it, and decided that this was entirely apt, so this week, I’m going to provide some thoughts and some suggestions this week.  I can’t promise to be consistent in meeting this aim, but this is at least a start.

2 – edited: I did have “hibernate” mode in here as well, but a colleague pointed out that hibernate should force disk encryption, so should be safer than suspend.  I never use either, as booting from cold is usually so quick these days.