Forwarded from: "Stanislav N. Vardomskiy" <stanyat_private>

On Fri, 11 Jan 2002, InfoSec News wrote:

> http://news.cnet.com/news/0-1005-200-8436310.html?tag=mn_hd
>
> By Larry Dignan
> Staff Writer, CNET News.com
> January 11, 2002, 4:00 a.m. PT
>
> Web-hosting company Advanced Internet Technologies is big on
> security.
>
> Not necessarily the firewall, virtual private network, virus
> detection type of thing. More like the barbwire, munitions closet
> and paratrooper type of security.
>
> The Fayetteville, N.C.-based company has razor-wire fences,
> windows painted black in some areas, and even a munitions closet
> with 12-gauge shotguns and 9-millimeter Beretta pistols. Its data
> centers are protected by 8-inch reinforced concrete and 24-hour
> guards. And those precautions were taken before the Sept. 11
> terrorist attacks.
>
> "Unless we put in anti-aircraft missiles, there's not a lot more
> we can do," said AIT CEO Clarence Briggs. "We don't screw around
> with security."

The approach to data security that AIT takes is definitely commendable, although it seems to me that it is somewhat misdirected. Many things were told about network security, firewalls, IDSes, etc., so I will address the issue of physical security, that AIT is using as a selling point:

Being on constant alert dulls one's alertness, and effectiveness, and people have a tendency to settle into routine after a period of inactivity.

Second, if one's expecting an attack by a small army, would it not be more realistic to expect a truck full of explosives detonated near the building, or someone using a crude directional EMP device?

Two years ago, I was in NYC, NY, fulfilling a contract with a dot.com. Part of the job was to go to the dot.com's data facilities, which were located in the Exodus co-location facility in Weehawken, New Jersey. We drove through the tunnel, made it to the location, and parked underneath the building in a ground level parking. At the time I remember thinking that a design of a building like this would never have been approved in Israel, and most likely would not have been approved in Russia in the last few years either - chances of someone parking a truck full of fertilizer underneath the building, wandering off, and detonating the truck, and collapsing the entire building would have been too great. Can you imagine the lawsuits? Can you imagine the number of dot.coms that are not insured against terrorism?

The Ontario government is rolling out its "Smart Capital" initiative, which you can learn about at http://www.smartcapital.ca/ Part of the deal is running ~90km of fiber in Ottawa, interconnecting some government and educational institutions and connecting them to ORION (Ontario Research and Innovation Optical Network). About half of the fiber is meeting at a fiber junction in a manhole in the middle of one of the seedier neighbourhoods in Ottawa (Byward Market area). If someone is really determined, nothing prevents him from tapping into that fiber, or, if one's a low tech vandal, from throwing into the well a Molotov cocktail. All it would probably take is giving a beggar on a street 20$ or a small bag of crack (it's that kind of "seedy" hood).

I wonder how well AIT's infrastructure is protected - what prevents me (besides having to actually get a driver's license) from stopping by a manhole in a van with telco logo, putting a number of red cones around, getting out a manhole tool, and getting access to the fiber/copper that AIT uses?

If I am sufficiently determined and have adequate funding, what prevents me from bribing an employee, or just buying the company outright? We are talking about governments here, after all, or people rich enough to afford a small army.

I wonder how AIT compartmentalizes the access to hardware of the colocated systems. There is a lot to be said for HavenCo's "no, we will not colocate the hardware you provide, as we can't be sure you haven't planted a listening device or a bomb inside" policy.

All you can really do is lift the plank high enough that 99% of the people would not get in. Then all you can do is pray that the remaining 1% would not find you interesting or worth their time.

Lastly, a good question is: Are there companies/people that understand the value of good security at a higher cost, as opposed to paying less to a guy with an E1 to colocate a system in his basement? After all, many people haven't yet realized that you always get what you've paid for.

Stanislav N. Vardomskiy

P.S. Dear law enforcement agencies, and other TLAs. I've debated submitting this anonymously, and decided that I am better off telling you exactly who I am, and that I know that you are out there, and listening and paying attention. I realize that 09/11 made you all paranoid, and you feel that what I am saying is subversive and anti-American, but I would really appreciate, if you would learn from the various flaws and fix them instead of hiding information from the public (I am sure you all are twitching now to remove cabling plans from public records, as you already did with plans of some buildings), or trying to silence me. After all 09/11 already happened, and all of us need to learn with it, instead of pretending that it never happened, or reversing to activities more befitting Stalinist era NKVD.

Love, stany.

--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+-+ 10570 + My words are my own. LARTs are provided free of charge + 10533 +-+