Archive for March, 2006

Book: Time Management for Systems Administrators

The key message of this book is that appropriate planning and prioritisation is the key to managing time effectively.

Limoncelli offers a system called ‘The Cycle’ which is simple to implement straight away and to tune to your workplace and methods. Small changes to your daily plan will result in more time to finish interesting projects. The key messages I took from this book are:

  • Do not check your email as your first job in the morning.
  • Do spend the first five minutes of the day planning your todo list for the day. This replaces your ‘global’ todo list and should contain the ‘right’ amount of work for one business day. Plan time against each todo item, then prioritise it. If the work cannot be done, ‘manage’ your todo list and move the item to tomorrow.
  • Do use a single personal organiser, and carry it with you everywhere. If using an electronic organiser, try different calendaring software; you may find Date Book 5 better than the built-in software for The Cycle.
  • Keep your organiser by your bed when you sleep. If you remember something important which prevents you from sleeping, you can record it and rest more easily (this helps me enormously).
  • Document procedures step by step. Once a process is documented it can be automated or delegated. A wiki is a simple way to keep documents up to date and to give other people access to them.
  • Always use a ticket/job system to record work.
  • Break multi-stage projects into their individual stages on your todo list.
  • Respond to user requests; this might be done automatically by your software.
  • Treat email as a single-touch mechanism: receive an email, then either reply to it or create a job in your todo list.
  • Manage interruptions. If you work in a team, share the role of handling inbound calls, tickets, and monitoring alerts.

This system helps you meet deadlines, and also make better deadline estimates.

Vulnerabilities in Desktop OSes

A close colleague of mine forwarded me an article (in jest – I am the departmental Apple advocate) citing information that a defacement attempt on a website served by a Mac Mini running OS X was successful after around thirty minutes.

Today, his Operating System of Choice should have been patched twice. Once because a logic error permits normal users to execute commands that they are not entitled to with system-exclusive rights (or, as Microsoft put it, “default permissions are set by default to a level that may allow a low-privileged user to change properties associated with the service”). Another because six problems were found in the most popular desktop office suite that allow nefarious users to construct an Office or graphics file which runs unauthorised software (spyware, viruses, etc.) on a user's PC. I can email you a photo that gives me control over your PC!

Yeah, good one.

Open DNS servers to go the way of the open mail relay.

Paul Estes wrote to NANOG recently:

We have recently noticed a deluge of DNS requests for “ANYANY” records of x.p.ctrc.cc. The requests are coming from thousands of sources, mostly our own customers. [...] It would appear that ctrc.cc was the victim of some DNS hijacking. Whatever malware is attempting to lookup this name, however, is doing so at a horrific rate. I have some addresses that have made >250000 requests for this name in a short period of time.

This is a DNS-based DDoS attack of a magnitude not seen before. Sending thousands of very small, targeted requests to resolvers around the world causes those resolvers extra work, and in this case caused all of those requests to bear down on the .cc name servers.

The effectiveness of DNS-based DoS is clear: it is ‘relatively’ easy to spoof (as it's UDP) should appropriate filters not be in place to stop spoofing, and a small query can result in a very large reply. Querying for a 4k TXT resource record will be very effective, for instance. Rob Thomas made the point most effectively:

These attacks have reached 8Gbps at times, and that sort of figure does raise eyebrows. Perhaps we can capitalize on that and gain some attention to both the problems of DNS amplification attacks (yes, UDP can be abused in many ways, but not all UDP services offer a 1:73 return on investment).

In my mind, the benefits of using open resolvers as a ‘view’ of DNS from other points on the internet become moot when open recursion permits attacks of this kind. I expect that within the next twelve months the BIND packages shipped by your favourite distributions will be set to “recursion no”, preventing worldwide recursive access. Your ISP's customer-facing resolvers will sit in a walled garden: log off from their service, and you can't use them.
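The walled-garden arrangement described above, written out as an added example (not configuration from the post or from any particular ISP): a BIND 9 named.conf with the default open-recursion setting beside a view-based configuration that answers recursive queries only for the ISP's own customers. The address ranges, zone and file names are constructed placeholders; allow-query-cache needs BIND 9.4 or later.

```conf
// --- Weak default (constructed example) ---
// recursion is on and nothing limits who may use it, so any host on the
// internet, including one sending spoofed queries, can recurse through
// this server and use it as an amplifier.
options {
    directory "/var/named";
    recursion yes;                    // BIND's default
    // no allow-recursion statement: every source address may recurse
};

// --- Hardened version (constructed example) ---
// Recursion is offered only to the ISP's own address space; everyone
// else gets authoritative answers for hosted zones and nothing more.
acl customers {
    192.0.2.0/24;                     // placeholder customer range
    198.51.100.0/24;                  // placeholder customer range
    127.0.0.0/8;                      // the resolver itself
};

options {
    directory "/var/named";
};

// First matching view wins, so the customer view must come first.
view "customers" {
    match-clients     { customers; };
    recursion         yes;
    allow-recursion   { customers; };
    allow-query-cache { customers; }; // cached answers stay inside the garden
    zone "." { type hint; file "named.root"; };
};

view "public" {
    match-clients     { any; };
    recursion         no;             // the "recursion no" the post predicts
    allow-query-cache { none; };      // no cache leakage to outsiders either
    allow-query       { any; };       // authoritative data only
    zone "example.com" { type master; file "example.com.zone"; };
};
```

Because match-clients tests source addresses, a spoofed query that claims a customer address is still served, which is why this belongs alongside anti-spoofing filters rather than instead of them.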

It's time for open DNS resolvers to be as socially unacceptable as open mail relays. Turn yours off.

Turning everybody's off will be no quick process; there are 580,000 open resolvers in the wild. Blocking DNS servers which permit general recursion will turn horribly political, in the same way that email RBLs have.

There is the mindset that we can fix this problem by preventing spoofing (which would be good, but recursion abuse is still amplified the more DNS servers an abuser has at his fingertips).

There's also the mindset that support desks will be limited when nameservers are closed, since they won't be able to view DNS “as a customer”, but expect the larger ISPs to add DNS views to their router looking glasses. These applications will be easier to lock down than a default BIND install.