Professionalism doesn’t mean a collared shirt and tie

(Originally published on my SQL Server blog.)

Working from home, consulting with companies all over the world, has changed how I interact with customers. The last time I was physically on site was seven months ago.

We deal almost exclusively with each other via conference call and video using Skype, LogMeIn or GoToMeeting, juggling webcams, headphones, microphones, email, text messages, phone calls, instant messaging, and so on and so forth …

Scott Hanselman wrote on Twitter recently about spending more than 20 minutes of a one-hour meeting getting microphones working for all meeting attendees, and this is in 2016!

 

Being professional means treating your customers and colleagues with the respect you think you deserve in return.

Put another way, if you treat other people with contempt, you can’t expect to be taken seriously.

Missing meetings, not having your equipment set up correctly, not wearing camera-friendly clothing (or any clothing at all!), having an inappropriate backdrop, or having an inappropriate desktop background if you’re sharing your screen, all amount to contempt.

Take the time to set up your work space correctly by keeping the webcam-visible area behind you friendly to anyone watching you on video.

Learn how to use your webcam or microphone or headphones correctly. If you have to share your computer screen, make sure you have turned off notifications. Even better, try to keep to one virtual desktop away from email, web browsers and social media.

Do you use a Mac? Did you know that there’s a way for you to set up your microphone to send clear and crisp audio through Skype or other tools? It’s called Loopback.

All that money you’re saving on gas? Buy a decent condenser microphone, over-ear headphones, and a high-definition webcam. Don’t rely on your laptop’s built-in speakers. You know what microphone feedback sounds like, and wearing headphones is a great way to avoid it.

Don’t pick your nose. Don’t get too close to the camera. Someone might have you on a giant television screen with lots of people in the room. Because you’re not physically in the room, perception is everything. Even I make some of these mistakes, which means I’m also guilty of behaving in an unprofessional manner.

This post is not only to let you know how to behave, but to remind me how I should behave. We’re in this together.

Gender Identity Diversity in Alberta Schools

Last week, the Alberta, Canada, Government released a document called Guidelines for Best Practices: Creating Learning Environments that Respect Diverse Sexual Orientations, Gender Identities and Gender Expressions.

You can download the document here in PDF format.

As I read through this document, I wished I would be going to school in this kind of open, accepting environment.

Imagine:

Schools and school authorities [should] proactively review existing dress codes to ensure they are respectful and inclusive of the gender identities and gender expressions of all members of the school community (e.g., rules apply equally and fairly to all students and are not gender-exclusive, such as implying that a certain type of clothing, such as skirts, will be worn by one gender only).

Or how about this:

All students, regardless of their sexual orientation, gender identity or gender expression, have the right to participate in all curricular and extra-curricular activities. These learning and recreational activities need to occur within inclusive and respectful environments, and in ways that are safe, comfortable and supportive of students’ sexual orientations, gender identities and gender expressions.

I wanted to spend time with the girls at school, playing their sports and doing the same classes as them. I remember a large number of girls wanting to wear pants instead of skirts. This was at primary school already.

This kind of inclusivity and openness towards a diverse identity of self is incredible.

Thinking about the implications makes me wonder why it took so long to come about. Not only that, but what might have been possible for everyone who has attended school up to now, forced to fit into a certain role according to the genitals they were born with?

This will fundamentally change society.

School is where we learned that girls and boys were different, that girls were delicate and boys were rough and played harder sports. Girls learned how to cook, clean, sew, and boys were taught … I don’t even remember. Was it how to program computers? Kick a ball?

Imagine instead a formative environment where you are encouraged to do whatever you want, physical gender aside.

I should also note that this has nothing to do with sexual orientation or romantic attraction. The guidelines specifically reference that fact, which in itself is remarkable.

This will allow people to embrace the idea that not all effeminate men are gay, that not all butch women are lesbian, and that perhaps a gender binary is an old-fashioned idea that should go away.

Look at this footnote regarding human sexuality:

If a human sexuality class is organized by gender, students are able to choose which class they participate in.

This is blowing my mind, and I’ve been an activist for queer rights for nearly two decades.

For all their wondrousness, these guidelines will not be implemented overnight. Each school and district will have to create and adopt its own policies, and some parents and school boards, particularly in religious-based schools, will refuse.

That is to be expected, and those schools will be left behind, in the past, where they belong.

I cannot express how grateful I am to the province of Alberta, in the country of Canada, my new home, for making inclusion a priority at the school level. I cannot wait for these kids to grow up with tolerance and acceptance as a guiding principle.

Clipboards, Rednex, and being German

I’ve had an interesting weekend.

On Friday night, we hosted nearly fifty people in our house, for the year-end function for some of the hospitalists in town. The hardwood floors took some damage.

On Saturday night, I performed at another private year-end function, for actual money.

My role in Friday night’s affair was to be affable and humorous, based on my real self. I think I succeeded.

My role in Saturday night’s affair was to be a German ski instructor, with flashbacks to the 1980s. I was one of four performers in total, and each of us had a character and had to arrange a dance for the attendees to perform.

I coloured my hair with chalk spray. There were three colours to choose from: blue, pink and green, so I chose all three.

I walked around with a clipboard, a measuring tape, and a giant pink pen. The clipboard had black letter writing on the front page, where I’d written the German word for “clipboard”. It looked menacing.

Klaus Wunderlift

When introducing myself to attendees, I wrote name tags for them with my giant pen, and a pad of yellow sticky notes. For some reason, these were a huge hit. I naturally didn’t use their real names, preferring to make them up as I went along. Some of the more popular names were Loud, Cute Smile, Tall, Awesome and Fab.

I had to call a square dance. Because I’ve never called a square dance in my life, I searched through (many) YouTube clips, and finally settled on a circle dance (as opposed to a square dance), set to the Rednex version of Cotton Eye Joe. Before the dance, I gave a dramatic reading of the chorus, which a friend had translated into “the original” German, about Baumwollaugen-Johannes*.

My German accent has been used in many performances, including as Hubert Gruber from the stage production of ‘Allo! ‘Allo!, to a rewrite of the stage play Night Call, where I play a socialist librarian. Most recently, I’ve been cast in a voice role as a German scientist for an independent game. I’d stop using it if people stopped wanting to hear it. If only I could do an American accent as convincingly.

One thing I’ve learned as a live performer (which includes teaching and presenting, for what it’s worth), is that it doesn’t matter if you don’t know what you’re doing, as long as you can fake it or make it at least look like your ineptitude is intentional.


* If you’re curious, this is how Cotton Eye Joe looks in German:

Wär’ Baumwollaugen-Johannes nicht gewesen,
wär’ ich schon lang verheiratet.
Wo bist du hergekommen?
Wo bist du hingegangen?
Wo bist du hergekommen, Baumwollaugen-Johannes?

Filmmaking as a Metaphor for the DBA

This post was originally published on my SQL Server blog.

I worked on four films in 2015, three shorts and one feature-length movie, all shot in Calgary where I live. That has resulted in seven IMDb credits for me, someone who earns a living as a DBA.

If nothing else, that experience has scratched an itch I’ve had since I was old enough to wonder what it would be like to act in a movie.

But acting isn’t filmmaking. It’s a very small part of the big picture, along with directing, producing, set building, makeup, lights, cameras, craft services, animal trainers, and so on.

DBAs also do a lot of work behind the scenes to make sure everything works the way it should. The sign of a good DBA is a system that works as expected. The sign of an excellent DBA is recovering from failure, affecting anyone else as little as possible.

Like being an excellent DBA, making films is hard work. Purely from an acting perspective, there are lots of lines to learn, repeating them over and over again, and then having to wait for someone to reset the camera, move some lights or the boom mic, and then do it all over again.

Exactly the same way.

Acting is the antithesis of automation. For example, it can take nine hours to film five pages of a script. Each page in a screenplay equates roughly to one minute of screen time. When I directed our last short, we shot eighteen pages in seven hours. That’s almost unheard of.

In information technology, we are encouraged to automate any repetitive task.

In front of the camera, we can’t automate our lines. Continuity is critical, so that the cup you’re holding at 8:15am during the master shot, is in the same hand at the same line, with the same level of liquid, as the close-up shot at 11pm.

I have also done a little bit of voice acting. Have you seen the film Singin’ in the Rain, starring Gene Kelly and Debbie Reynolds? She plays a voice-over actor who must redo all the voice parts for Jean Hagen’s character, in a process called ADR (automated dialogue replacement) or Looping.

There’s nothing automated about it. You see the scene and the current audio, and get a metronome counting you in for two or three beats, then you record your dialogue, trying to match against the picture. It’s expensive and time-consuming, and never quite matches.

Sometimes you have to do it in voice acting too. Except, excluding some very minor exceptions, there’s no picture to watch yet. You are in a booth, with headphones, a microphone, and pop filter in front of you. In my case, there’s also an HD web cam in there so that the outside world can see in. In other studios, the booth may be soundproof glass and have the recording equipment and director in view. It’s a very lonely space.

Either way, if I have to do ADR for a movie like Debbie Reynolds did, I’d have a picture to lip sync with. In voice acting, if you have to do ADR, there’s no picture. You hear the original track, you get counted in, and then you do your line while the old one is playing in your headphones.

Try recording yourself, playing it back, and then saying the same line over again, exactly the same way.

Being a DBA has a lot of similarities:

  1. Repetitive tasks
  2. Attention to detail
  3. Troubleshooting with no visual guides
  4. Trying to do something complicated while someone is talking in your ear
  5. Someone is always judging you
  6. You have to go with your instincts sometimes.

Someone asked me recently whether I would choose between being a SQL Server professional, or a filmmaker. I answered that I couldn’t choose. They complement each other and keep me sane.

Thanks for reading. If you’d like to comment on Twitter, find me under @bornsql or @rabryst.

Defensive SSL security in Windows and IIS

In my previous post, I wrote about how SSLMate has made my life easier.

I also mentioned how SSL-based attacks like POODLE and Heartbleed have forced us into using TLS.

Which is all very well, except that Microsoft’s whole premise in their product line is backward compatibility.

This means that a lot of older security protocols are on by default in Internet Information Services, even on Windows Server 2012 R2. As demonstrated by the recent vulnerabilities in the SSL protocol, this is not a good thing.

The recommended solution is to manually disable each of the older protocols using the registry editor.

IIS Crypto

Instead of this risky method, I discovered a free tool called IIS Crypto, by Nartac Software.

And so too, apparently, did @SwiftOnSecurity.

IIS Crypto is a free tool that allows configuring TLS protocols, ciphers, hashes and key exchange algos on WinServer https://www.nartac.com/Products/IISCrypto

This is how it looks:

[Screenshot: the IIS Crypto window]

My recommended settings

I installed the .NET 4.0 GUI version. You can install the command-line version instead, but given that you’ll only run this application once or twice in the lifetime of the server, and you need to deselect some items, the GUI is easier to navigate.

Once you’ve installed IIS Crypto on your web server, run it and choose the Best Practices option (located under the Templates section).

You will then need to uncheck the Diffie-Hellman Key Exchange, on the top right, like so:

[Screenshot: IIS Crypto with the Diffie-Hellman key exchange unchecked]

Now you can click the Apply button, which will prompt you to restart your server.

In my own experimentation, I just issued an iisreset command to restart IIS, but it’s probably a good idea to restart the server anyway, as this tool makes changes to the Windows Registry.

Warning

According to the Qualys SSL Labs Test (which you can access from IIS Crypto in the URL field at the bottom of the screen), you will get a best score of an A-minus with these settings.

To achieve an A or higher, follow the instructions from the test result.

Coincidentally, because my company has more than one website served on the same IP address (common with virtual hosts), I achieved an A score by enabling SNI (Server Name Indication) on my website’s SSL bindings.

By default, this forces incompatibility with older browsers, which will be served a default SSL/TLS certificate, so keep this in mind.

Summary

I hope that this tool will make your life easier, by keeping only the most secure protocols and ciphers active on IIS.

This is just one aspect of security in depth. You should also look at the rest of the top 10 vulnerabilities, as collated by OWASP, to see how else you can protect your web applications.

SSLMate and IIS – a love story

I am a part-owner in a company based in South Africa. Our headline act, if you will, is a website that customers log into to manage certain aspects of their business.

This website needs to be secure for obvious reasons. The most basic requirement for a secure website is an SSL certificate (Secure Sockets Layer), or more accurately, TLS (Transport Layer Security). This is the padlock in the address bar of your browser, next to the https: the s means secure.

If you feel like exploding your brain, check the Wikipedia article about TLS and SSL.

For a number of reasons, which Troy Hunt is vastly more qualified to explain to you, we have to ensure that only the most recent browsers are supported by our website and its SSL/TLS certificate.

Older software was not designed with security in mind. The early Internet was about sharing information as easily as possible. Only with Microsoft’s security drive in the early 2000s did we start to see software becoming secure by default. Most recently, news about POODLE and Heartbleed means that even SSL isn’t secure anymore. That is why we have to focus on TLS instead.

It is therefore imperative that we at my company inconvenience users of older software in the best interest of keeping our website as secure as we can. Our SLA (Service Level Agreement) states a minimum version for operating system and web browser.

To this end, I will talk about my new favourite SSL/TLS certificate provider, SSLMate. They allow you to order and renew SSL/TLS certificates from the command line. Even better, unlike most other providers, they tell you when an SSL/TLS certificate is about to expire and renew it for you. I cannot even begin to tell you how convenient this is.

Last year I was travelling out of the country when one of my websites’ certificates expired. The issuer did not warn me (their position is that it’s not their responsibility, and I have to take blame). But, as evidenced by Apple, and Microsoft, and Google, we ALL make this mistake.

SSLMate takes the hassle out of remembering. I of course have created a new workflow to remind me a month before each of my certificates expires, but now that they are all managed by SSLMate, I know they have my back as well.

This all sounds great. I open up a command line prompt and type:

computer~$ sslmate buy example.com

That’s it. After an exchange of email to the appropriate approved address and a confirmation link, I can download four files:

  • example.com.chained.crt — Domain and Intermediate Certificate
  • example.com.chain.crt — Intermediate Certificate
  • example.com.crt — Domain Certificate
  • example.com.key — Private Key

Now comes the tricky part. Internet Information Services, or IIS, needs to import a PFX file. PFX stands for Personal Information Exchange Format and is also known as PKCS #12.

None of these files from SSLMate is in the right format. In fact, if you try importing one of the *.crt files, it will vanish from inside IIS. It needs to be signed by the Private Key.

Confused yet?

On my Mac (or on Windows), I need to use OpenSSL to sign the certificate with the private key, to generate a PFX file that I can import into IIS.

computer~$ openssl pkcs12 -export -out iis_cert.pfx -inkey example.com.key -in example.com.crt -certfile example.com.chain.crt

The output will be iis_cert.pfx, which I can then import into IIS and bind to the website I want to secure. In this example, there are two input files because SSLMate uses intermediate certificates in the chain.
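
The conversion step above, as an added example that is not part of the original post: a script that confirms the private key belongs to the certificate before exporting, keeps the export password off the command line, and checks what ended up in the PFX. The function names, the PFX_PASS variable and the throwaway certificates it generates are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example; all keys and certificates are throwaway, constructed locally.

# Hash the public key found in a private key or a certificate, so the two
# can be compared without printing any secret material.
pubkey_hash() {  # $1 = key|cert, $2 = file
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    pub= ;;
  esac
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

key_matches_cert() {  # $1 = private key, $2 = certificate
  k=$(pubkey_hash key "$1") && c=$(pubkey_hash cert "$2") && [ "$k" = "$c" ]
}

# Bundle key + certificate + intermediate into a PFX. The export password is
# read from the environment variable named in $5, not from the command line.
make_pfx() {  # $1 key, $2 cert, $3 chain, $4 output, $5 password variable
  key_matches_cert "$1" "$2" || { echo "key does not match $2" >&2; return 1; }
  openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
    -passout "env:$5"
}

# Number of certificates inside a PFX (expect 2: domain + intermediate).
pfx_cert_count() {  # $1 pfx, $2 password variable
  openssl pkcs12 -in "$1" -passin "env:$2" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo material: a stand-in intermediate, a domain certificate
# issued by it, and an unrelated key that must be rejected.
make_demo_files() {  # $1 = directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate" \
    -keyout "$1/ca.key" -out "$1/example.com.chain.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$1/example.com.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/example.com.chain.crt" -days 1 \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/example.com.crt" 2>/dev/null &&
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo() {
  umask 077   # key files and the PFX are private-key material
  tmp=$(mktemp -d) || return 1
  make_demo_files "$tmp" || { rm -rf "$tmp"; return 1; }
  PFX_PASS='constructed-demo-password'; export PFX_PASS
  make_pfx "$tmp/example.com.key" "$tmp/example.com.crt" \
    "$tmp/example.com.chain.crt" "$tmp/iis_cert.pfx" PFX_PASS &&
    echo "certificates in PFX: $(pfx_cert_count "$tmp/iis_cert.pfx" PFX_PASS)"
  make_pfx "$tmp/other.key" "$tmp/example.com.crt" \
    "$tmp/example.com.chain.crt" "$tmp/bad.pfx" PFX_PASS ||
    echo "mismatched key refused"
  rm -rf "$tmp"
}
demo
```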

Next time, I will tell you about an easy way to make sure IIS is the most secure it can be.

Paris

On Friday I posted an image that I found on Twitter, now quite famous, comprising a hastily sketched peace sign, which also includes a likeness of the Eiffel Tower.

It is an emotive image, capturing in art what is impossible to say in words. As my friend in Cape Town says, I don’t have answers.

Paris crystallised it for me because we were there just two months ago, but my empathy lies deeper than that. Many countries are under siege from terror, most significantly Syria, triggering a refugee crisis the likes of which we have not seen since the Second World War.

In the last few months I have discovered that I share very little in common with people I consider my friends. I feel in the minority because I want to invite discussion, and challenge the notion of xenophobia.

Considering our planet’s rich history of migration, very few people can lay claim to a particular territory.

Everyone is an immigrant.

I posted that peace sign image without any context, except for the date. It is powerful enough to symbolise what happened last week.

I will leave it there as a reminder, not of Paris itself, but what has led up to it, and what will surely follow.

Let’s stop fighting. Ideology cannot be fought with weapons. We need to put down the guns and speak to each other, to understand each other.

I am a capital-P Pacifist. War is stupid. Killing people is stupid. An eye-for-an-eye is stupid, especially if your retaliation is more deadly than that which you are avenging.

We should be talking to each other, not changing our Facebook avatars, blocking our ears, and singing “La la la” until the Others go away.

Let’s talk.