Re: [ISN] Web hoster takes security to extremes

From: InfoSec News (isnat_private)
Date: Tue Jan 15 2002 - 22:02:45 PST


    Forwarded from: "Stanislav N. Vardomskiy" <stanyat_private>
    
    On Fri, 11 Jan 2002, InfoSec News wrote:
    
    > http://news.cnet.com/news/0-1005-200-8436310.html?tag=mn_hd
    >
    > By Larry Dignan
    > Staff Writer, CNET News.com
    > January 11, 2002, 4:00 a.m. PT
    >
    > Web-hosting company Advanced Internet Technologies is big on
    > security.
    >
    > Not necessarily the firewall, virtual private network, virus
    > detection type of thing. More like the barbwire, munitions closet
    > and paratrooper type of security.
    >
    > The Fayetteville, N.C.-based company has razor-wire fences,
    > windows painted black in some areas, and even a munitions closet
    > with 12-gauge shotguns and 9-millimeter Beretta pistols. Its data
    > centers are protected by 8-inch reinforced concrete and 24-hour
    > guards. And those precautions were taken before the Sept. 11
    > terrorist attacks.
    >
    > "Unless we put in anti-aircraft missiles, there's not a lot more
    > we can do," said AIT CEO Clarence Briggs. "We don't screw around
    > with security."
    
    
    The approach to data security that AIT takes is definitely
    commendable, although it seems to me that it is somewhat misdirected.
    
    Many things have been said about network security, firewalls, IDSes,
    etc., so I will address the issue of physical security that AIT is
    using as a selling point:
    
    
    Being on constant alert dulls one's alertness, and effectiveness, and
    people have a tendency to settle into routine after a period of
    inactivity.
    
    Second, if one's expecting an attack by a small army, would it not be
    more realistic to expect a truck full of explosives detonated near the
    building, or someone using a crude directional EMP device?
    
    2 years ago, I was in NYC, NY, fulfilling a contract with a dot.com.
    Part of the job was to go to the dot.com's data facilities, which were
    located in the Exodus co-location facility in Weehawken, New Jersey.
    We drove through the tunnel, made it to the location, and parked
    underneath the building in ground-level parking.
    
    At the time I remember thinking that a design of a building like this
    would never have been approved in Israel, and most likely would not
    have been approved in Russia in the last few years either - chances of
    someone parking a truck full of fertilizer underneath the building,
    wandering off, and detonating the truck, and collapsing the entire
    building would have been too great.
    
    Can you imagine the lawsuits?  Can you imagine the number of dot.coms
    that are not insured against terrorism?
    
    The Ontario government is rolling out its "Smart Capital" initiative,
    which you can learn about at http://www.smartcapital.ca/. Part of the
    deal is running ~90km of fiber in Ottawa, interconnecting some
    government and educational institutions and connecting them to ORION
    (Ontario Research and Innovation Optical Network).  About half of the
    fiber meets at a fiber junction in a manhole in the middle of one of
    the seedier neighbourhoods in Ottawa (Byward Market area).  If
    someone is really determined, nothing prevents him from tapping into
    that fiber, or, if one's a low tech vandal, from throwing a Molotov
    cocktail into the well.
    
    All it would probably take is giving a beggar on a street $20 or a
    small bag of crack (it's that kind of "seedy" hood).
    
    I wonder how well AIT's infrastructure is protected - what prevents me
    (besides having to actually get a driver's license) from stopping by a
    manhole in a van with telco logo, putting a number of red cones
    around, getting out a manhole tool, and getting access to the
    fiber/copper that AIT uses?
    
    If I am sufficiently determined and have adequate funding, what
    prevents me from bribing an employee, or just buying the company
    outright?  We are talking about governments here, after all, or people
    rich enough to afford a small army.
    
    I wonder how AIT compartmentalizes the access to hardware of the
    colocated systems.  There is a lot to be said for HavenCo's "no, we
    will not colocate the hardware you provide, as we can't be sure you
    haven't planted a listening device or a bomb inside" policy.
    
    All you can really do is lift the plank high enough that 99% of the
    people would not get in.  Then all you can do is pray that the
    remaining 1% would not find you interesting or worth their time.
    
    Lastly, a good question is: Are there companies/people that understand
    the value of good security at a higher cost, as opposed to paying less
    to a guy with an E1 to colocate a system in his basement?
    
    After all, many people haven't yet realized that you always get what
    you've paid for.
    
    
    Stanislav N. Vardomskiy
    
    
    P.S. Dear law enforcement agencies, and other TLAs.
    
    I've debated submitting this anonymously, and decided that I am better
    off telling you exactly who I am, and that I know that you are out
    there, and listening and paying attention.
    
    I realize that 09/11 made you all paranoid, and you feel that what I
    am saying is subversive and anti-American, but I would really
    appreciate it if you would learn from the various flaws and fix them
    instead of hiding information from the public (I am sure you all are
    twitching now to remove cabling plans from public records, as you
    already did with plans of some buildings), or trying to silence me.  
    After all 09/11 already happened, and all of us need to learn with it,
    instead of pretending that it never happened, or reversing to
    activities more befitting Stalinist era NKVD.
    
    Love, stany.
    
    --
    +-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
    | "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
    | This message is powered by JOLT!  For all the sugar and twice the caffeine. |
    +-+ 10570 + My words are my own.  LARTs are provided free of charge + 10533 +-+
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 02:50:07 PST