my new workshop

For years I’ve wanted a decent-sized workshop in which to do my woodworking, electronics, and general tinkering, preferably with a desk from which I can ‘do code’ away from the distractions of the house.

When I moved into my new house in 2015, I purposefully bought a place with enough garden space in which I could have a good sized workshop, and in early 2016, this became a reality.

I spent weeks reviewing different sites offering sheds, log cabins, converted shipping containers, etc. and eventually decided to go with Tuin, because of the high number of quality instructional resources they supply on their products. These range from preparation, building foundations, log cabin assembly, roofing types, guttering and drainage, troubleshooting and common problems, and a thorough Q&A section.

Planning ✏️

So that part done, I had to figure out what size cabin I wanted, so I mapped out the area available, and started looking at available designs.

I figured 3m width was probably a good bet, as this seemed to be a fairly common width for cabin sizes, and this meant I could go between 3m and about 6m for cabin length while maintaining a good sized gateway/path area between the cabin and the house.

Eventually I settled on the ‘Julia’ cabin, which at 3m x 5m was a decent size, and with only one side window and central double-doors would give me plenty of wall space. The design of the log cabins on Tuin means opposite walls can be swapped, and flipped to either end of the cabin, so I could move the window from the position shown on the website.

So here’s the new map of the workshop area with the Julia cabin in-situ.

So then it came down to getting the specification right for my cabin – and I had some requirements.

  • The foundations must not be concrete – as I know that concrete is not environmentally friendly, nor cheap.
  • I wanted to build the log cabin myself.
  • I will get an extra layer of logs, so the height will be increased a little.
  • It needs to be properly weatherproof, so I can have computer equipment and such inside, and so my tools don’t rust.
  • The cabin must be pre-treated, as once built, I wouldn’t be able to access the outside far-side very easily because it would be up against the garden fence.
  • The cabin must have guttering, so I could collect the rainwater and use it on the garden.

Once I’d decided on these options, I put the spec together on the website, and placed my order.

Now the waiting.

Delivery

I received a good level of communication from the nice folks at Tuin, and the cabin was delivered about 10 weeks after I placed the order. This was mainly because the ‘painted logs’ pre-treatment option I wanted had an 8 week turnaround. It was worth waiting for though.

As my road is a cul-de-sac, I was hoping the delivery fork-lift would be able to come up the curb and deliver onto my front lawn, but this didn’t quite work out. The driver was concerned he’d damage the drains up the footpath if he tried, so we agreed to have the delivery left on the side of the road and I’d have to transport the pieces one by one up to my garden, a distance of about 40 yards.

sigh

So I got to work moving the pieces by hand. After about 10 minutes, the neighbours (who had been watching), started emerging from their houses to see what was going on. And one by one, they offered to help, and joined in the procession of collecting and migrating these pieces from the roadside, onto my lawn. In the end, we had about 10 people, even some of the youngest children on the street, all chipping in to help me get this giant jigsaw puzzle onto my front lawn… I’m very thankful for having wonderful neighbours 🙂

Foundations

I decided on environmentally-friendly reinforced plastic grids called ‘Probase’, made of 100% recycled materials. You can find out more on their Facebook page: ShedBaseUK.

This stuff turned out to be brilliant, and I won’t hesitate to use these again in the future. I’m not recommending the site I bought them from because they also supplied what they called “weed membrane”, and within a week there were weeds growing straight through it…

I used a straight piece of 2″x2″, a paving slab, and a spirit level, to make sure the base for my workshop was as level as possible.

The Build

Top Tip: Watch all the instructional videos from Tuin on how to build the cabin, they were very helpful in giving me hints and tips on how to go about building my workshop, and also the music in their videos is quite relaxing. One word of advice though, watch the videos on a PC or laptop – they use a lot of the YouTube ‘overlay text’ to describe what’s going on in the videos, but these overlay text features aren’t even visible on mobile devices. (Tuin guys, if you’re reading this, please consider editing the videos and putting the comments directly into the videos themselves!)

I did learn that the door and window frames are difficult to put in late – I should’ve put the door frame in after about 5 layers, not 15…

Also, don’t try to put the larger glazed window units in by yourself.. you need to hold it up in the air at a strange angle to hook it onto the hinge points – and it’s heavy…

Roofing

I had to trim the edges of my cabin roof, to prevent it overhanging the boundary of my property, so I lost about 4″ of roof on each side. This didn’t really have any negative effect on the build as far as I can see.

Top Tip: If you’re going to do this, cut all of the roof planks before putting them on the roof. I decided to nail them all in place before I cut them, and it would have been much easier to cut them beforehand.

Working with the felt shingle was probably the most difficult part of the build, unexpectedly so. The reason for this is basically because it involves lots of kneeling or sitting down, shuffling about constantly, in the wind, in the rain, in the sun, with no shelter, for hours.

I got sunburnt at least once doing this.

If doing this yourself, I would recommend taking regular breaks, don’t spend more than an hour at a time on it. The workshop won’t be affected in the long term by a little bit of rain.

Flooring ⛏

I didn’t manage to take any pictures of me installing the flooring, partly because I was rushing to get it finished so I could put stuff inside it out of the coming rainstorm, but mostly because I forgot.

I chose the 27mm flooring option as an upgrade, as I wanted a nice strong floor for my woodworking and potentially for any heavier equipment I might buy in the future.

Guttering

Here’s some photos of my guttering, along with a 1000L IBC Water container I bought to collect rainwater – because those 200L green water butts are just not good enough.

I wanted to filter the roof-debris from the water going into the tank, and keep it as sealed as possible to prevent nasties from breeding in there – I’m going to use it for watering the plants, and possibly flushing the toilet at a later date.

So I set up the guttering, and directed the down-pipes into buckets that I’d hung up, although one of the buckets can just sit on the water tank, which is simpler. From each bucket, there is a pipe connecting to the top of the tank – and I have used a glue-gun to seal the tube into the base of each bucket.

The tank will be gravity-fed, so the buckets only have to be as high as the top of the tank.

Into each bucket, I have put some thick aquatic-grade filter foam (this is the same stuff I use in my cats’ drinking fountain – because they’re spoilt beasts).

Electrics

I’d recommend anyone who wants to put electrics in their cabin to get a qualified electrician to do it – Luckily for me the guy who used to live in this house was a qualified electrician, and he’d put electrics into the shed that was here before I tore it down. So I just re-used that connection, fed it into the cabin, and hooked it up to a distribution box I wired up myself.

In order to meet building regulations for the electrical safety aspect, I fed the house feed directly into a wall-mounted socket – so everything that I plug into the socket isn’t actually counted as part of the house wiring, which means I can wire my distribution box and everything else attached to it to my heart’s content, so long as it all plugs into the house via a 13A socket.

Disclaimer: I do have a fair amount of experience in electrical wiring though, and I have the relevant equipment to test the stuff I wired up – I will always recommend anyone else get an electrician to do their wiring, and I’m not going to do yours for you either.

Internal Setup

Inside my workshop, I have a main workbench, which I built using scaffolding, key-clamps, 9″x2″ structural beams left over from an earlier project, and topped with 18mm plywood.

This is the best workbench I’ve ever had, it’s solid as a rock, and cheaper than most workbenches I’ve seen, especially for the size.

Into the bench, I mounted my router table (router fence is a future project), a mean looking bench-vice with mini-anvil (I mounted this above a corner so as to direct any impacts directly into the floor), and my faithful Axminster scroll-saw, which is undoubtedly my favourite piece of equipment.

Opposite this bench, I have an older bench made from a dresser unit topped with more 18mm plywood, on which sits my trusty DeWalt bandsaw.

At the far end of the workshop I have my computer setup, which I will describe in depth in a future post.

Workshop Review ✅

I love my workshop – and wouldn’t hesitate recommending Tuin to everyone – they are a friendly and helpful bunch that even sent me free guttering when I didn’t buy enough because I can’t read properly.

They always quickly replied to my questions via email, and have even responded outside of normal working hours.

Their products are brilliant – and are sourced from FSC sustainable sources, which is something everyone should be looking for when buying wooden buildings.

all your secrets are belong to us

One of the first, most obvious security practices that users are taught, is not to write down your password.

However, I have often come across code that contains secrets – written by developers who don’t know better.

  • A session cookie is a password.
  • A secure token is a password.
  • An API key is a password.
  • Anything called a ‘secret’ is a password.

Don’t store these in source control – and NEVER store these anywhere publicly searchable.

To access AWS (Amazon Web Services), Amazon provides you with an AWS key and secret. Together, these are equivalent to a username and password, used to access your AWS server instances.

If a malicious entity gets hold of your AWS key, they can potentially control your AWS instances, destroy them, re-purpose them, or use them in a CPU farm (which costs you money – potentially a LOT of money).

In the past few years there have been cases of AWS instances being hijacked and used as nodes in CPU farming, used either for distributed crypto attacks, DDoS attacks or mining for Bitcoins, or sold on a timeshare basis on the dark web. (See here, here, and here.)

If you have put any secrets onto GitHub at any point, consider them compromised and reset them as soon as possible. Don’t think for a second that just committing more code to replace your credentials will save you in any way – it most likely won’t. Your git commit history is still there. Git does that. (Yes there is a way to permanently remove commits from Git history, but it’s not a simple process, and your secrets have still been exposed.)

Also consider that if a nefarious entity has managed to get hold of your keys for just a minute, would that have given them access to your server, or your database, or even write-access to your codebase, to install some nefarious code for granting them access once again when you change your keys?

Keep your secrets in a separate config file on your server. Keep a copy of this config file somewhere safe, and private. Add this file to your `.gitignore` file so it doesn’t accidentally get added to Git.
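One way to follow this advice in code, as an added example rather than code from the original post: a loader that reads the AWS key and secret from a separate file, refuses a file that other users can read, and refuses a file inside the repository that `.gitignore` does not cover. The `[aws]` section name and the simplified `.gitignore` matching are assumptions of this example.

```python
import configparser
import fnmatch
import os
import stat


class UnsafeSecretsFile(Exception):
    """The secrets file is readable by others or could be committed."""


def is_gitignored(repo_root, path):
    # Simplified matcher (assumption): plain names, globs and '!' negation,
    # last match wins; directory patterns are skipped (count as not ignored).
    rel = os.path.relpath(path, repo_root).replace(os.sep, "/")
    ignore_file = os.path.join(repo_root, ".gitignore")
    if not os.path.exists(ignore_file):
        return False
    ignored = False
    with open(ignore_file) as fh:
        for line in fh:
            pat = line.strip()
            if not pat or pat.startswith("#") or pat.endswith("/"):
                continue
            negate = pat.startswith("!")
            pat = pat.lstrip("!").lstrip("/")
            if fnmatch.fnmatch(rel, pat) or fnmatch.fnmatch(os.path.basename(rel), pat):
                ignored = not negate
    return ignored


def load_secrets(repo_root, path):
    # "Somewhere safe, and private": no access for group or other users.
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise UnsafeSecretsFile(f"{path}: readable by other users, chmod 600")
    in_repo = not os.path.relpath(path, repo_root).startswith("..")
    if in_repo and not is_gitignored(repo_root, path):
        raise UnsafeSecretsFile(f"{path}: inside the repo but not in .gitignore")
    parser = configparser.ConfigParser(interpolation=None)  # '%' stays literal
    parser.read(path)
    return dict(parser["aws"])  # hypothetical [aws] section
```

Calling `load_secrets` at application start-up makes a misplaced or over-shared secrets file fail loudly instead of being committed unnoticed.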

Keep your secrets, secret.

office365 calendar link vulnerability

In November 2015 I noticed that Microsoft Office 365’s calendar sharing option used an HTTP permalink.

[Screenshot: the calendar link shown in Office365 settings is an HTTP link, not HTTPS]

I reported this to Microsoft, and they have since fixed the issue. The rest of this article was written before the issue had been fully resolved.

what is the issue?

Before December 2016, the “share calendar” link Office 365 was giving to users to access their calendars was a bog-standard HTTP GET request permalink to your calendar, which, depending on your settings, could be used by anyone who had the link, to access:

  • all of your calendar details
  • some of your calendar details
  • just your availability
  • or nothing

If, like me, you use your calendar for work, to organise and attend video-conferences, online meetings, or discuss anything sensitive, then you will probably at some point have URLs, usernames, passwords, conference IDs, VOIP call numbers and passwords, within the details of your calendar appointments.

If your calendar sharing option is set to “Full Details”, then anyone with the generated URL can get full read-only access to your entire calendar, and also access to all of these details.

The above is all expected behaviour, because you’re supposed to keep the URL secret – the problem is that the generated URL is not prefixed with HTTPS… (at least it didn’t use to be.)

So all the standard MITM attack stuff applies – anyone with access to see any raw otherwise unprotected network traffic between your browser and the Microsoft Office 365 server will be able to see the content of this GET request.

Microsoft have even done 99% of the work required to fix this issue – when the link is accessed, the following happens:

[Screenshot: the HTTP request being redirected to HTTPS]

So the request is immediately upgraded to HTTPS using a 301 Moved Permanently response, with exactly the same URL content.

But the problem is that the GET request has already been sent over HTTP, which contains the secret permalink key (which I have redacted) that you need in order to access the data. Even though an attacker wouldn’t be able to see the second request being made or the content being downloaded over HTTPS, they could just follow the HTTPS redirect themselves to see the content, and then repeat that request when they want to see your latest calendar content.

There is no tracking available through Office 365 to see what devices are using this link, how often, where from, or anything of that nature. It also doesn’t give you the option of resetting the link in case you think someone else might have gotten access to it.

At some point between November 2015 and April 2016, Microsoft have changed the default links being generated, so they default to HTTPS – but this still leaves any existing links vulnerable, and Microsoft haven’t informed users of the problem (to my knowledge).

what can i do?

If the link in your calendar sharing settings begins with HTTP://, then do this:

  1. Disable calendar sharing completely
  2. Save the changes
  3. Re-load the options window
  4. Re-enable calendar sharing

Your link will now be different, and the old link will now be dead.
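The redirect behaviour described above, reproduced on the loopback interface as an added example that is not part of the original post: a cleartext listener that only answers 301 still receives the full request path, secret included, before any HTTPS connection exists. `SAMPLE_PATH` is a constructed placeholder rather than the real Office 365 link format, and `links_to_regenerate` applies the HTTP:// check from the steps above to a list of share links.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed placeholder path; not the real Office 365 link format.
SAMPLE_PATH = "/calendar/CONSTRUCTED-SECRET-TOKEN/calendar.ics"


def observe_plain_http(path):
    """Serve one request on a cleartext listener that only redirects to HTTPS.

    Returns (paths seen in cleartext, response status, Location header).
    """
    seen = []

    class RedirectOnly(BaseHTTPRequestHandler):
        def do_GET(self):
            seen.append(self.path)  # same bytes an on-path observer reads
            host = self.headers["Host"].split(":")[0]
            self.send_response(301)
            self.send_header("Location", "https://" + host + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), RedirectOnly)
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request("GET", path)  # http.client never follows redirects
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    resp.read()
    conn.close()
    worker.join()
    server.server_close()
    return seen, status, location


def links_to_regenerate(links):
    """Share links whose first request would travel unencrypted."""
    return [u for u in links if urlsplit(u.strip()).scheme == "http"]


if __name__ == "__main__":
    print(observe_plain_http(SAMPLE_PATH))
```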

so what did Microsoft do?

They changed all new links to be HTTPS instead of HTTP, but they didn’t change any existing links, or provide a nice easy button to press to do this.

what does the content of an ics file look like anyway?

ICS files just contain structured plaintext. So your usernames, passwords, phone numbers, email addresses, dates, times and locations are all sent in a very easy to read format. Any typical off-the-shelf network traffic scanning tool will be able to easily pick out your sensitive information from the data for later abuse.