Re: Web hoster takes security to extremes

[InfoSec News <isn () c4i org>]

Forwarded from: "Stanislav N. Vardomskiy" <stany () NotBSD org>

On Fri, 11 Jan 2002, InfoSec News wrote:

> http://news.cnet.com/news/0-1005-200-8436310.html?tag=mn_hd
>
> By Larry Dignan
> Staff Writer, CNET News.com
> January 11, 2002, 4:00 a.m. PT
>
> Web-hosting company Advanced Internet Technologies is big on
> security.
>
> Not necessarily the firewall, virtual private network, virus
> detection type of thing. More like the barbwire, munitions closet
> and paratrooper type of security.
>
> The Fayetteville, N.C.-based company has razor-wire fences,
> windows painted black in some areas, and even a munitions closet
> with 12-gauge shotguns and 9-millimeter Beretta pistols. Its data
> centers are protected by 8-inch reinforced concrete and 24-hour
> guards. And those precautions were taken before the Sept. 11
> terrorist attacks.
>
> "Unless we put in anti-aircraft missiles, there's not a lot more
> we can do," said AIT CEO Clarence Briggs. "We don't screw around
> with security."


The approach to data security that AIT takes is definitely
commendable, although it seems to me that it is somewhat misdirected.

Many things were told about network security, firewalls, IDSes, etc,
so I will address the issue of physical security, that AIT is using as
a selling point:


Being on constant alert dulls one's alertness, and effectiveness, and
people have a tendency to settle into routine after a period of
inactivity.

Second, if one's expecting an attack by small army, would it not be
more realistic to expect a truck full of explosives detonated near the
building, or someone using a crude directional EMP device?

2 years ago, I was in NYC, NY, fulfilling a contract with a dot.com.
Part of the job was to go to the dot.com's data facilities, which were
located in the Exodus co-location facility in Weehawken, New Jercy.  
We drove through the tunnel, made it to the location, and parked
underneath the building in a ground level parking.

At the time I remember thinking that a design of a building like this
would never have been approved in Israel, and most likely would not
have been approved in Russia in the last few years either - chances of
someone parking a truck full of fertilizer underneath the building,
wandering off, and detonating the truck, and collapsing the entire
building would have been too great.

Can you imagine the lawsuits?  Can you imagine the number of dot.coms
that are not insured against terrorism?

Ontario government is rolling out it's "Smart Capital" initiative,
which you can learn about at http://www.smartcapital.ca/ Part of the
deal is running ~90km of fiber in Ottawa, interconnecting some
government and educational institutions and connecting them to ORION
(Ontario Research and Innovation Optical Network).  About half of
fiber is meeting at a fiber junction in a manhole in the middle of a
one of the seedier nighbourhoods in Ottawa (Byward Market area).  If
someone is really determined, nothing prevents him from tapping into
that fiber, or, if one's a low tech vandal, from throwing into the
well a Molotov Coctail.

All it would probably take is giving a beggar on a street 20$ or a
small bag of crack (it's that kind of "seedy" hood).

I wonder how well AIT's infrostructure is protected - what prevents me
(besides having to actually get drivers license) from stopping by a
manhole in a van with telco logo, putting a number of red cones
around, getting out a manhole tool, and getting access to the
fiber/copper that AIT uses?

If I am sufficently determined and have adequate funding, what
prevents me from bribing an employee, or just buying the company
outright?  We are talking about governments here, after all, or people
rich enough to afford a small army.

I wonder how AIT compartmentalizes the access to hardware of the
colocated systems.  There is alot to be said for HavenCo's "no, we
will not colocate the hardware you provide, as we can't be sure you
haven't planted a listening device or a bomb inside" policy.

All you can really do is lift the plank high enough that 99% of the
people would not get in.  Then all you can do is pray that the
remaining 1% would not find you interesting or worth their time.

Lastly, a good question is: Are there companies/people that understand
the value of good security at a higher cost, as opposed to paying less
to a guy with an E1 to colocate a system in his basement?

After all, many people haven't yet realized that you always get what
you've paid for.


Stanislav N. Vardomskiy


P.S  Dear law enforcement agencies, and other TLAs.

I've debated submitting this anonymously, and decided that I am better
off telling you exactly who I am, and that I know that you are out
there, and listening and paying attention.

I realize that 09/11 made you all paranoid, and you feel that what I
am saying is subversive and anti-American, but I would really
appreciate, if you would learn from the various flaws and fix them
instead of hiding information from the public (I am sure you all are
twitching now to remove cabeling plans from public records, as you
already did with plans of some buildings), or trying to silence me.  
After all 09/11 already happened, and all of us need to learn with it,
instead of pretending that it never happened, or reversing to
activities more befitting Stalinist era NKVD.

Love, stany.

--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
| This message is powered by JOLT!  For all the sugar and twice the caffeine. |
+-+ 10570 + My words are my own.  LARTs are provided free of charge + 10533 +-+



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.