Is this some new trend or have I just gotten lucky in the past? Wouldn't someone like AT&T be better served by giving their employees some company issued ID that they can submit to secure facilities? I know it wouldn't be government
I am shocked that the ATT employee did not have an ATT ID. In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue. I'd be a bit more suspicious that he didn't have ATT ID. -- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Alex Rubenstein wrote:
Craig Holland wrote:
Is this some new trend or have I just gotten lucky in the past? Wouldn't someone like AT&T be better served by giving their employees some company issued ID that they can submit to secure facilities? I know it wouldn't be government issued, but would at least be a step in the right direction.
I'm a little surprised by all this, truthfully. I *know* that AT&T has to work inside certain facilities that are government run, and they are *required* to provide government issued ID, company issued ID, and social security number (really!) at a minimum. They must also state whether or not they are a US citizen, and if not, what country they hold citizenship in.
I am shocked that the ATT employee did not have an ATT ID. In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue. I'd be a bit more suspicious that he didn't have ATT ID.
Me too. In my former life, I was involved with such requirements (but only at what the fedgov lovingly refers to as contractor sites), and we always had the alternative for anyone objecting to our requirements for ID. No problem. They could just sit in the lobby (or outside) and wait. I used to object to our method of gathering social security numbers (since it was on a form that anyone adding a name could see), but I can tell you that it was much more onerous than your standard telco. -- This above all: to thine own self be true, And it must follow, as the night the day, Thou canst not then be false to any man. William Shakespeare
In article <453CF993.9020002@deaddrop.org>, Etaoin Shrdlu <shrdlu@deaddrop.org> writes
I used to object to our method of gathering social security numbers (since it was on a form that anyone adding a name could see)
Now that you need a Social Security number to get a US Drivers licence (and I doubt many telco engineers walk to work), would the traceability issues be satisfied by taking the details from one of those? I assume the Feds can ask the State which SSN goes with which DL, if the need arises. -- Roland Perry
Alex Rubenstein wrote:
I am shocked that the ATT employee did not have an ATT ID.
In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue.
I'd be a bit more suspicious that he didn't have ATT ID.
He may have indeed had ATT ID. But the colo security people wanted a government ID. "Company" ID is relatively meaningless and trivially forged, particularly for small values of "company". If I were to show up in a truck with "Jay's Telco" on the side, produce "Jay's Telco" ID, and refuse to show a driver's license or government ID I would expect datacenter security to be a bit suspicious. Why should AT&T be treated any differently? -- Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net NetLojix Communications, Inc. - http://www.netlojix.com/ WestNet: Connecting you to the planet. 805 884-6323 - WB6RDV
In fact he did have an AT&T badge which he was not allowed to hand over either. The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security. I'm assuming the badge was of the keycard variety. My thought was that they could have an AT&T id of some sort that was specifically used for this kind of access; one that is not a keycard and doesn't have any proprietary information on it that would make their security people uncomfortable if it was handed over at a collocation. craig
-----Original Message----- From: Alex Rubenstein [mailto:alex@corp.nac.net] Sent: Monday, October 23, 2006 10:06 AM To: Craig Holland; nanog@nanog.org Subject: RE: Collocation Access
Is this some new trend or have I just gotten lucky in the past? Wouldn't someone like AT&T be better served by giving their employees some company issued ID that they can submit to secure facilities? I know it wouldn't be government
I am shocked that the ATT employee did not have an ATT ID.
In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue.
I'd be a bit more suspicious that he didn't have ATT ID.
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
On Mon, 23 Oct 2006, Craig Holland wrote:
In fact he did have an AT&T badge which he was not allowed to hand over either. The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
My tech said the same thing. That keycard could grant central office access so he couldn't surrender it. -- John A. Kilpatrick john@hypergeek.net Email| http://www.hypergeek.net/ john-page@hypergeek.net Text pages| ICQ: 19147504 remember: no obstacles/only challenges
In article <20061023103731.W56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes
The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
My tech said the same thing. That keycard could grant central office access
On its own? No keycode or anything. What if he lost it?
so he couldn't surrender it.
But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected? -- Roland Perry
On Mon, 23 Oct 2006, Roland Perry wrote:
But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected?
While your point is valid, arguing something like that with an AT&T tech would be like arguing with the TSA. Logic and reasoning are of no value in the conversation. The policy is the policy and you deal with it. -- John A. Kilpatrick john@hypergeek.net Email| http://www.hypergeek.net/ john-page@hypergeek.net Text pages| ICQ: 19147504 remember: no obstacles/only challenges
In article <20061023112018.F56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes
But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected?
While your point is valid, arguing something like that with an AT&T tech would be like arguing with the TSA. Logic and reasoning are of no value in the conversation. The policy is the policy and you deal with it.
I don't seek to argue it with an individual tech, but with whoever sets the corporate security policy. -- Roland Perry
On Oct 23, 2006, at 10:57 AM, Roland Perry wrote:
In article <20061023103731.W56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes
The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
My tech said the same thing. That keycard could grant central office access
On its own? No keycode or anything. What if he lost it?
so he couldn't surrender it.
But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected?
These are trivial to clone -- all you need is a reader hooked up to a PC and you can read the number off the card. You can then buy a batch of cards that cover the serial numbers that you are interested in (no, I don't really understand WHY you can buy numbered ranges, but you can...) The other alternative is something like: http://cq.cx/proxmark3.pl This device will read and clone a large number of proximity cards -- you don't even need real access to the card, all you need to do is brush up against the cardholder with the antenna concealed in your pocket....
-- Roland Perry
-- If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords. -- Richard A Steenbergen
That is true for strip card (credit card style) and simple prox cards. But what I have been seeing more often is that companies are using the smart card and wireless smart card variety for high security areas. So instead of having a card that will always return the same value (making it easy to duplicate) the smart cards will use good old fashion PKI to mutually authenticate the card to the reader and the reader to the card. This way, the card won't give out its security information until the card reader is verified to be a legit member of the security system. In addition to this, I am seeing a push to go with 2 factor authentication, so you need the card plus some sort of biometrics. This way, if you lose the card, it is useless unless the criminal also managed to chop off your thumb. But if you are AT&T and have spent millions of dollars on equipping all your COs with swipe readers because you got sick of having to rekey the locks every time someone lost a key; so when stuck with the choice of replacing all of your COs' security equipment with something more secure, or creating blanket policies, creating a policy is cheaper. My $.02 Adam Stasiniewicz -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Warren Kumari Sent: Monday, October 23, 2006 1:34 PM To: Roland Perry Cc: nanog@merit.edu Subject: Re: Collocation Access On Oct 23, 2006, at 10:57 AM, Roland Perry wrote:
In article <20061023103731.W56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes
The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
My tech said the same thing. That keycard could grant central office access
On its own? No keycode or anything. What if he lost it?
so he couldn't surrender it.
But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected?
These are trivial to clone -- all you need is a reader hooked up to a PC and you can read the number off the card. You can then buy a batch of cards that cover the serial numbers that you are interested in (no, I don't really understand WHY you can buy numbered ranges, but you can...) The other alternative is something like: http://cq.cx/proxmark3.pl This device will read and clone a large number of proximity cards -- you don't even need real access to the card, all you need to do is brush up against the cardholder with the antenna concealed in your pocket....
-- Roland Perry
-- If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords. -- Richard A Steenbergen
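The contrast drawn in the message above, between a card that always returns the same value and one that authenticates the reader before releasing anything, can be shown in a short added example (not code from the thread or from any badge vendor). It assumes HMAC-SHA256 over a shared site key as a stand-in for the PKI the post mentions; every class name, key and card ID is constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed site key, provisioned to legitimate readers and cards only.
# (Real deployments would use per-card keys or certificates.)
SITE_KEY = secrets.token_bytes(32)


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC over length-prefixed fields so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class StaticProxCard:
    """Simple prox card: returns the same number to whoever energises it."""
    def __init__(self, card_id: bytes):
        self.card_id = card_id

    def read(self) -> bytes:
        return self.card_id


class StaticReader:
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def admit(self, presented_id: bytes) -> bool:
        return presented_id in self.allowed


class MutualAuthCard:
    """Card that stays silent until the reader proves it holds the site key."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key, self._nonce = card_id, key, None

    def hello(self) -> bytes:
        # Step 1: a fresh nonce is the only thing an unknown reader receives.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def respond(self, reader_nonce: bytes, reader_proof: bytes):
        # Step 3: check the reader's proof over our nonce before releasing the ID.
        nonce, self._nonce = self._nonce, None  # nonce is single use
        if nonce is None:
            return None
        expected = mac(self._key, b"reader", nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None
        return self.card_id, mac(self._key, b"card", reader_nonce, nonce, self.card_id)


class MutualAuthReader:
    def __init__(self, key: bytes, allowed):
        self._key, self.allowed = key, set(allowed)
        self._nonce = self._card_nonce = None

    def challenge(self, card_nonce: bytes):
        # Step 2: prove knowledge of the key and issue our own fresh nonce.
        self._card_nonce, self._nonce = card_nonce, secrets.token_bytes(16)
        return self._nonce, mac(self._key, b"reader", card_nonce, self._nonce)

    def admit(self, response) -> bool:
        # Step 4: the card's proof must cover the nonce of *this* session.
        nonce, self._nonce = self._nonce, None
        if response is None or nonce is None:
            return False
        card_id, proof = response
        expected = mac(self._key, b"card", nonce, self._card_nonce, card_id)
        return hmac.compare_digest(expected, proof) and card_id in self.allowed


def demo() -> dict:
    cid = b"CARD-0001"  # constructed card ID
    # Static card: a value read once by anyone is accepted again later.
    static_replay = StaticReader([cid]).admit(StaticProxCard(cid).read())

    card, reader = MutualAuthCard(cid, SITE_KEY), MutualAuthReader(SITE_KEY, [cid])
    # Reader without the key: the card releases nothing.
    card.hello()
    rogue = card.respond(secrets.token_bytes(16), secrets.token_bytes(32))
    # Legitimate exchange.
    rn, proof = reader.challenge(card.hello())
    recorded = card.respond(rn, proof)
    legit = reader.admit(recorded)
    # Recorded response presented in a new session: nonce mismatch, rejected.
    reader.challenge(secrets.token_bytes(16))
    replay = reader.admit(recorded)
    return {"static_replay_admitted": static_replay, "rogue_reader_got": rogue,
            "legit_admitted": legit, "recorded_replay_admitted": replay}


if __name__ == "__main__":
    print(demo())
```
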
On Mon, Oct 23, 2006 at 14:26:53PM -0500, Stasiniewicz, Adam wrote:
That is true for strip card (credit card style) and simple prox cards. But what I have been seeing more often is that companies are using the smart card and wireless smart card variety for high security areas. So instead of having a card that will always return the same value (making it easy to duplicate) the smart cards will use good old fashion PKI to mutually authenticate the card to the reader and the reader to the card. This way, the card won't give out its security information until the card reader is verified to be a legit member of the security system. In
However, speaking of smart (non-simple-proximity) card security: Linkname: Researchers See Privacy Pitfalls in No-Swipe Credit Cards - New York Times URL: http://www.nytimes.com/2006/10/23/business/23card.html?ex=1319256000&en=5ecec83b0ac06bd8&ei=5088&partner=rssnyt&emc=rss
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Warren Kumari Sent: Monday, October 23, 2006 1:34 PM
[ mild snippage ]
These are trivial to clone -- all you need is a reader hooked up to a PC and you can read the number off the card. You can then buy a batch of
-- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
On Mon, 2006-10-23 at 18:57 +0100, Roland Perry wrote:
But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected?
I've been in and out of several colos that require you to leave your ID (passport/DL, and business card) up at the front desk throughout your visit. This could be for hours, or even for the whole day. During that time I imagine my ID could have been photocopied, transcribed, photographed, etc, without me ever knowing. -Jim P.
On Mon, 2006-10-23 at 18:57 +0100, Roland Perry wrote:
I've been in and out of several colos that require you to leave your ID (passport/DL, and business card) up at the front desk throughout your visit. This could be for hours, or even for the whole day. During that time I imagine my ID could have been photocopied, transcribed, photographed, etc, without me ever knowing.
-Jim P.
Several states make it illegal to possess another person's driver's license. Many make it illegal to lend your driver's license to someone else or to trade it for something. As for passports, violating 18 USC 1544 for profit is a terrorism offense. Even the guys who rent paddleboats at the lake have learned that it is usually illegal to possess another person's identification. Maybe I've just been lucky, but I've been to some of the most secure facilities in the world, and I've never been asked to allow someone else to retain my passport or driver's license. Possession includes receipt, according to the DOJ. 18 USC 1028 makes it a Federal crime to transfer someone else's identification with intent to violate a state felony statute. This is a minefield. Have companies really run this past their legal departments? DS
At 12:40 AM 10/24/2006, David Schwartz wrote:
On Mon, 2006-10-23 at 18:57 +0100, Roland Perry wrote:
I've been in and out of several colos that require you to leave your ID (passport/DL, and business card) up at the front desk throughout your visit. This could be for hours, or even for the whole day. During that time I imagine my ID could have been photocopied, transcribed, photographed, etc, without me ever knowing.
-Jim P.
Several states make it illegal to possess another person's driver's license. Many make it illegal to lend your driver's license to someone else or to trade it for something. As for passports, violating 18 USC 1544 for profit is a terrorism offense.
Even the guys who rent paddleboats at the lake have learned that it is usually illegal to possess another person's identification.
Maybe I've just been lucky, but I've been to some of the most secure facilities in the world, and I've never been asked to allow someone else to retain my passport or driver's license.
Possession includes receipt, according to the DOJ. 18 USC 1028 makes it a Federal crime to transfer someone else's identification with intent to violate a state felony statute.
This is a minefield. Have companies really run this past their legal departments?
From what I've seen, there's a complete lack of awareness of the risks associated with retention of identification or information. I even had a long argument with the local US Post Office, who wanted to record numbers from two forms of ID in order for me to retain my PO Box. Their claim was that postal inspection service requires it. I objected due to my local post office storing this information on index cards which all employees of the post office can access. While I understand the postal inspection service's interest in being able to track down box holders, I asked the postmaster if he'd sign a document accepting personal responsibility if the information was released or used by any of his employees. I think it's time to show up with such a statement of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought.
From what I've seen, there's a complete lack of awareness of the risks associated with retention of identification or information. I even had a long argument with the local US Post Office, who wanted to record numbers from two forms of ID in order for me to retain my PO Box. Their claim was that postal inspection service requires it. I objected due to my local post office storing this information on index cards which all employees of the post office can access. While I understand the postal inspection service's interest in being able to track down box holders, I asked the postmaster if he'd sign a document accepting personal responsibility if the information was released or used by any of his employees.
.. and how did that go?
I think it's time to show up with such a statement of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought.
Being recently on a large, well known military station, the opposite happened to me. While yes, when originally being vetted I had to supply certain information that most would cringe at supplying, when onsite I was asked for two forms of government issued identification (I chose drivers license and passport) which was just reviewed (not copied), immediately handed back to me and then asked to pose for a picture and signed an electronic pad. A minute later I was handed a new government issued ID. During my stay, I had the need to access certain restricted areas. As I entered restricted area buildings, I was handed a restricted area badge to wear over my new picture ID to let people know immediately what areas I had access to (the alternative is shoot first, ask questions later; I'll pass, thanks). On the other hand, I've visited many data centers, collocation facilities, and even foreign military bases (both US and others), and since AT&T sparked this conversation, I've actually been to nearly 40 of their facilities throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID. I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out? Until then, these sites will continue this practice. Randy
I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out? Until then, these sites will continue this practice.
a) cash deposit b) heavy weight attached to cabinet keys and temporary pass c) bulky object attached to cabinet keys and temporary pass In high school, our "data centre" keys were attached to a few links of chain bolted onto a chunk of 2 x 4. I never mislaid them. I remember at least one place where I received a plastic card key similarly attached to a few links of chain welded to a broken wrench. Why couldn't ID cards be treated the same way? For that matter, in these days of RFID badges, why can't colo centers issue "magic wands", 3 foot long rods tipped with an embedded RFID tag? They would not fit in pockets or briefcases etc. They would function identically to the RFID tags embedded in credit-card sized plastic but they would never "get lost". Perhaps what we have here is another "failure of imagination" like the one cited in the 9/11 report. --Michael Dillon
In article <00bd01c6f753$ac542620$3401a8c0@D3M1BS91>, Randy Epstein <repstein@chello.at> writes
I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out?
Ask for a $100 deposit in cash? -- Roland Perry
In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID.
Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another." DS
On Tuesday 24 October 2006 07:51, David Schwartz wrote:
In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID.
Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility.
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
DS
Hmmm, I read quite a bit of difference between "retain your ID" and "permit the use of" - maybe one of us is reading something that isn't there. Quite a few places "retain" your ID while you are on the premises, to include places "holding" your passport while you are there, etc, etc... -- Larry Smith SysAd ECSIS.NET sysad@ecsis.net
Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility.
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
Hmmm, I read quite a bit of difference between "retain your ID" and "permit the use of" - maybe one of us is reading something that isn't there.
Intentionally receiving a document is usually sufficient to establish possession. Some statutes say "possess", some say "use", some say use for specific purposes. If they say "possess", you're definitely potentially screwed -- if you ask for it and receive it, you possess it. If they say, "use for purposes of [x]", then you're definitely safe (since you're probably not using it for any of the prohibited purposes). If the statute just says "use", then ask a lawyer. Use is more than possession, but it's not clear exactly how much more. With luck, rational courts will hold that "use" means to use it as a means of identification and you'll be okay. This Florida statute makes it a crime to "lend" your driver's license to any other person (punishable by up to 60 days in jail). I can't imagine how permitting someone to retain something temporarily does not constitute lending, but I suppose courts might hold that unless you use it, I haven't really lent it to you. This is murky stuff, definitely not someplace you want to go without talking to a lawyer. If you possess or transfer any government-issued identity document without lawful authority in order to facilitate any violation of Federal law, 18 USC 1028(a)(7) puts you in jail for a very long time. Are you getting into that facility to facilitate breaking some obscure intellectual property or electronic privacy law?
Quite a few places "retain" your ID while you are on the premises, to include places "holding" your passport while you are there, etc, etc...
In that case, they definitely possess it, you probably lent it to them, and they may or may not be using it. Read your laws carefully. Some jurisdictions really do make it a crime to possess someone else's official identification. Receiving something intentionally usually is sufficient to establish possession. IANAL. DS
In article <MDEHLPKNGKAHNMBLJOLKOEKPPEAB.davids@webmaster.com>, David Schwartz <davids@webmaster.com> writes
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
Use as *what*? I allowed liquor stores to "use" my licence to prove I was over 21. There were even signs which suggested this was compulsory. And while they were "using" it like that, had I "lent" it to them, or does some other verb more accurately describe the situation? -- Roland Perry
On Tue, 2006-10-24 at 05:51 -0700, David Schwartz wrote:
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states "use". ;-) -Jim P.
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states "use". ;-)
The definition of "use" may be very key, as others have pointed out: - They are "using" it for collateral. - They are "using" it to keep track of who is in their facility at any given time in a manner convenient to them Also, in English this sentence is parsed as: ( condition_1 ) OR ( condition_2 ) which would mean ( you lend ) OR ( you permit the use of ) which then asks "what's the definition of 'lend'"? Merriam-Webster includes among its many definitions, "to put at another's temporary disposal," which it certainly seems would apply, as the ID *is* at their disposal temporarily. So don't kid yourself that it's really all that clear-cut.... Get a lawyer. :-) Cheers, D -- Derek J. Balling Manager of Systems Administration Vassar College 124 Raymond Ave Box 0406 - Computer Center 217 Poughkeepsie, NY 12604 W: (845) 437-7231 C: (845) 249-9731
In article <1161701455.21851.8.camel@localhost>, Jim Popovitch <jimpop@yahoo.com> writes
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states "use". ;-)
At the risk of being over-pedantic, the licence cannot be "used" by another person for the purposes of driving a car because it clearly does not apply to them (but only to the named and pictured person upon it). So I'll ask again: what sort of "use" does this statute prohibit? -- Roland Perry
On Tue, 24 Oct 2006, Roland Perry wrote:
In article <1161701455.21851.8.camel@localhost>, Jim Popovitch <jimpop@yahoo.com> writes
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states "use". ;-)
At the risk of being over-pedantic, the licence cannot be "used" by another person for the purposes of driving a car because it clearly does not apply to them (but only to the named and pictured person upon it). So I'll ask again: what sort of "use" does this statute prohibit?
At the risk of being anti-over-pedantic: Ask a lawyer, not a list of network ops. Duh. - d. -- Dominic J. Eidson "Baruk Khazad! Khazad ai-menu!" - Gimli ------------------------------------------------------------------------------- http://www.the-infinite.org/
In article <Pine.LNX.4.33.0610241045540.7587-100000@morannon.the-infinite.org>, Dominic J. Eidson <sauron@the-infinite.org> writes
At the risk of being anti-over-pedantic:
Ask a lawyer, not a list of network ops.
That's what I usually do, but it sometimes helps to get the ordinary user's perspective as well. -- Roland Perry
I'd check with a Lawyer, but that statute contains an "or", not an "and". Jamie Bowden -- "It was half way to Rivendell when the drugs began to take hold" Hunter S Tolkien "Fear and Loathing in Barad Dur" Iain Bowen <alaric@alaric.org.uk>
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jim Popovitch Sent: Tuesday, October 24, 2006 10:51 AM To: nanog@merit.edu Subject: RE: Collocation Access
On Tue, 2006-10-24 at 05:51 -0700, David Schwartz wrote:
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states "use". ;-)
-Jim P.
On Tue, Oct 24, 2006 at 05:51:17AM -0700, David Schwartz wrote:
In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID.
Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility.
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
David, it's clear you're not a lawyer, or have ever done anything that requires that you interpret what a law means, other than the normal everyday requirements of a citizen. -- Joe Yao ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies.
On Tue, Oct 24, 2006 at 05:51:17AM -0700, David Schwartz wrote:
Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility.
Florida law, Title 13 section 322.32(2), "Unlawful use of license" says "[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another."
David, it's clear you're not a lawyer, or have ever done anything that requires that you interpret what a law means, other than the normal everyday requirements of a citizen.
Joe Yao
I am way too familiar with several cases where people were charged and convicted with violating obscure laws clearly intended for another purpose just for doing their jobs in a normal, reasonable way. Intel v. Schwartz (no relation) is a great example.
http://www.eff.org/legal/cases/Intel_v_Schwartz/schwartz_case.intro
It's quite possible (even likely, IMO) that when Florida makes it illegal to lend your driver's license to any other person, it actually means precisely that.
DS
On Tue, Oct 24, 2006 at 05:38:05PM -0700, David Schwartz wrote: ...
I am way too familiar with several cases where people were charged and convicted with violating obscure laws clearly intended for another purpose just for doing their jobs in a normal, reasonable way. Intel v. Schwartz (no relation) is a great example.
http://www.eff.org/legal/cases/Intel_v_Schwartz/schwartz_case.intro
It's quite possible (even likely, IMO) that when Florida makes it illegal to lend your driver's license to any other person, it actually means precisely that. ...
Ah, THAT is what you meant by your obscure reference to IvS. Merely that lawyers can twist anything to mean anything. Well, yes, that's what they get paid to do.
Another facet of that, though, is that one needs to ask a lawyer to make sure what a law might mean [deliberate phrasing, that won't say what it DOES mean, that's the judge's job, and it might and will differ from the lawyer's interpretation in different ways depending on which judge and when]. It depends on precedent, including what judges declared they meant every other time they used the same phrasing.
So it's a waste of bits for us to declare what it DOES mean, unless one of us is the judge in a case deciding this, in which case it's merely illegal or ill-advised, depending on other circumstances. [This is why Microsoft is still one company.]
--
Joe Yao
This message is not an official statement of OSIS Center policies.
Randy Epstein wrote:
throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID.
I don't mind naming names. telex. I left.
Savvis wants to retain your ID if they issue a cage-key to you.
Owen
On Dec 27, 2006, at 8:52 AM, Joe Maimon wrote:
Randy Epstein wrote:
throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID.
I don't mind naming names. telex. I left.
Does that equate to a "take it or leave" standpoint? Suppose you don't need a key cause your client is already there?
Owen DeLong wrote:
Savvis wants to retain your ID if they issue a cage-key to you.
Owen
On Dec 27, 2006, at 8:52 AM, Joe Maimon wrote:
Randy Epstein wrote:
throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID.
I don't mind naming names. telex. I left.
On Wed, 2006-12-27 at 09:06 -0800, Owen DeLong wrote:
Savvis wants to retain your ID if they issue a cage-key to you.
If they (or others) asked you to let them hold $50 cash to cover their key/lock replacement costs would you feel more comfortable?
-Jim P.
On Dec 27, 2006, at 3:42 PM, Jim Popovitch wrote:
On Wed, 2006-12-27 at 09:06 -0800, Owen DeLong wrote:
Savvis wants to retain your ID if they issue a cage-key to you.
If they (or others) asked you to let them hold $50 cash to cover their key/lock replacement costs would you feel more comfortable?
Very much so.
I realize this may not be a universally held preference. I also realize the trouble in having low-paid security guards, frequently "outsourced" so they are not even your employees, handling cash from random people at all hours of the day, night, and weekends.
But I'd much rather lose $50 and argue about getting that back than my passport. ESPECIALLY since I would only be giving my passport when I am out of the country.
To open a totally separate can-of-worms, why not take my driver's license? Easier to replace than a passport and much less trouble when crossing borders. And before someone says "they don't know what a DL from $COUNTRY looks like", realize that they really don't know what a passport looks like either.
--
TTFN, patrick
On Dec 27, 2006, at 11:20 PM, Patrick W. Gilmore wrote: [...]
To open a totally separate can-of-worms, why not take my driver's license? Easier to replace than a passport and much less trouble when crossing borders. And before someone says "they don't know what a DL from $COUNTRY looks like", realize that they really don't know what a passport looks like either.
My driving license doesn't have a photograph on it, so using it as an identity document is pointless. Some organisations use it that way, but...
Passports should at least follow the MRTD standard published by ICAO. I suspect the issue is the difficulty with verifying the authenticity of a passport rather than knowing what the passport ought to look like.
Leo
On Dec 27, 2006, at 6:13 PM, Leo Vegoda wrote:
On Dec 27, 2006, at 11:20 PM, Patrick W. Gilmore wrote:
[...]
To open a totally separate can-of-worms, why not take my driver's license? Easier to replace than a passport and much less trouble when crossing borders. And before someone says "they don't know what a DL from $COUNTRY looks like", realize that they really don't know what a passport looks like either.
My driving license doesn't have a photograph on it, so using it as an identity document is pointless. Some organisations use it that way, but...
Sorry, I thought we were discussing something to be held by the staff to ensure you return an access card. That does not have to be the same document used to verify identity.
Last time I checked, the $50 (or £20, or ¥5000 or whatever) bill didn't have my picture on it either. Although I admit the $50 bill gets me into more places than my DL. ;)
--
TTFN, patrick
On Thu, Dec 28, 2006 at 12:13:07AM +0100, Leo Vegoda wrote:
My driving license doesn't have a photograph on it, so using it as an identity document is pointless.
There's no way for a minimum-wage security grunt to verify the particulars of my passport, so using it as an identity document is pointless.
Even if they could verify it, my passport says nothing about whether or not I'm authorized to enter any colocation facilities, so using it as an identity document would *still* be pointless.
Let's keep our eyes on the real issue here, which is that requiring handover of an "identity document" usually has very little to do with actual identification. These places are making you hand over something of value to lessen the likelihood that you'll leave without following their sign-out procedures.
They're basically using security window-dressing (identification requirements) to solve a procedural/business issue. It makes no difference to them whether you hand over your passport, drivers license, car keys, marriage license or firstborn son, as long as you sign-out and hand back your visitors pass on the way out of the building when you're finished.
- mark
--
Mark Newton                               Email: newton@internode.com.au (W)
Network Engineer                          Email: newton@atdot.dotat.org (H)
Internode Systems Pty Ltd                 Desk: +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
On 27-Dec-2006, at 18:22, Mark Newton wrote:
On Thu, Dec 28, 2006 at 12:13:07AM +0100, Leo Vegoda wrote:
My driving license doesn't have a photograph on it, so using it as an identity document is pointless.
There's no way for a minimum-wage security grunt to verify the particulars of my passport, so using it as an identity document is pointless.
Which makes it hard for me to understand why they bother, and why they go to such great lengths to enforce arbitrary rules about what is acceptable and what isn't.
I gave my Ontario drivers licence to Equinix security in LA, once, and they refused to accept it as proof of ID since it wasn't government issued. I said it was; they disagreed. I tried to explain that there was more than one government in the world, but I got blank looks, and had to head out back past building security and up to the roof in the adjacent parking garage to get my passport.
For some reason it seemed a good idea to get all my various passports while I was there (I have three), and when I made it back inside I handed them all over together. I realised about two seconds after handing them over that I was probably doing a stupid thing. A whole group of them appeared, and huddled around my passports with their backs to me. They seemed on the verge of calling the FBI.
They gave the passports back, eventually, and I didn't go to jail. So it could have been worse. :-)
Joe
Joe Abley wrote:
On 27-Dec-2006, at 18:22, Mark Newton wrote:
On Thu, Dec 28, 2006 at 12:13:07AM +0100, Leo Vegoda wrote:
My driving license doesn't have a photograph on it, so using it as an identity document is pointless.
There's no way for a minimum-wage security grunt to verify the particulars of my passport, so using it as an identity document is pointless.
Which makes it hard for me to understand why they bother, and why they go to such great lengths to enforce arbitrary rules about what is acceptable and what isn't.
Especially when their customer who is onsite, has already been identified and authenticated and authorized is vouching for you, and presumably, contractually bound to pay for any damages caused by you.
On Dec 28, 2006, at 4:49 PM, Joe Abley wrote: [...]
My driving license doesn't have a photograph on it, so using it as an identity document is pointless.
There's no way for a minimum-wage security grunt to verify the particulars of my passport, so using it as an identity document is pointless.
Which makes it hard for me to understand why they bother, and why they go to such great lengths to enforce arbitrary rules about what is acceptable and what isn't.
Indeed. I'm surprised the market hasn't produced facilities with better thought through and executed security and access controls. Is there not enough competition in each metro area for anything other than lowest common denominator?
Leo
Indeed. I'm surprised the market hasn't produced facilities with better thought through and executed security and access controls. Is there not enough competition in each metro area for anything other than lowest common denominator?
From what I've seen? No. At the moment, the top priority of colocation customers is power availability, followed swiftly by price. It is slowly turning into a seller's market - IF the facility has available power (and I pity those facilities who are at their limits), but the customer is still primarily picking on $s alone.
WRT security process and procedures, most customers seem to be just interested if they exist. Of course they want them applied very strictly to everyone else but THEM.
--chuck
On Dec 28, 2006, at 11:14 AM, Leo Vegoda wrote:
On Dec 28, 2006, at 4:49 PM, Joe Abley wrote:
[...]
Which makes it hard for me to understand why they bother, and why they go to such great lengths to enforce arbitrary rules about what is acceptable and what isn't.
Indeed. I'm surprised the market hasn't produced facilities with better thought through and executed security and access controls. Is there not enough competition in each metro area for anything other than lowest common denominator?
Leo
Time for a colocation reality check. Why would facilities need to have tight security? Let's count off the reasons...

- Federally mandated - For some government and gov contractor work, there are high security requirements. There are a few data centers, run by defense contractors, that cater to this sector. It is highly specialized.
- Customer demand for higher security - In light of the lack of security issues that we've encountered so far, most customers are unwilling to pay anything more for higher security.
- Need for colocation facilities to differentiate themselves - Right now, having available power and cooling is differentiation enough.

For those who haven't noticed, it's a very "tight" colocation market - demand growth exceeds supply growth overall, and in several areas (London, Chicago) there is effectively no available high quality carrier neutral colocation. Given this, why beef up security, which will eat into colocation provider margins?

What constitutes tougher security anyway?

- Armed guards?
- Outside facility video surveillance? (as well as inside), more careful reception of incoming hardware (explosive swabs, anyone?),
- Mandated biometric authentication? (yes, we have hand geometry readers, but their use isn't mandated for all),

The current fetish for ID checking is "security as theatre" rather than true security. However, some aspects of the colocation experience ARE, in fact, perceptual. Neon, cool mantraps, snap glass, anyone?

Until supply catches up to demand, only price and power will matter to most folks, along with an acceptable level of facility redundancy (Tier III for most).

- Daniel Golding
On Thu, 28 Dec 2006, Daniel Golding wrote:
Time for a colocation reality check. Why would facilities need to have tight security? Lets count off the reasons...
Don't forget the biggie. These are "shared use facilities." People who buy space in collocation facilities already have lower security requirements. The only thing keeping the "bad guys" out is whether their payment clears. Security by poverty?
On 12/28/06, Sean Donelan <sean@donelan.com> wrote:
Don't forget the biggie. These are "shared use facilities." People who buy space in collocation facilities already have lower security requirements. The only thing keeping the "bad guys" out is whether their payment clears.
Security by poverty?
Very true. If you have an application that requires a high level of security, in a perfect world you'd have the budget to put it in your own facility where you control physical access, not outsourced security from a colo vendor.
--
Brandon Galbraith
Email: brandon.galbraith@gmail.com
AIM: brandong00
Voice: 630.400.6992
On Thu, Dec 28, 2006 at 02:06:30PM -0500, Daniel Golding wrote: [snip]
Time for a colocation reality check. [snip] Until supply catches up to demand, only price and power will matter to most folks, along with an acceptable level of facility redundancy (Tier III for most).
One 'reality check' that is required is that some of the time, everything fails. Can we please have redundant facilities rather than just facility redundancy? Part of the whole packet-based, layer-services communications model is the simple "avoid central hardened SPoF".
Joe
--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
On Dec 28, 2006, at 3:49 PM, Joe Abley wrote:
I gave my Ontario drivers licence to Equinix security in LA, once, and they refused to accept it as proof of ID since it wasn't government issued. I said it was; they disagreed. I tried to explain that there was more than one government in the world, but I got blank looks, and had to head out back past building security and up to the roof in the adjacent parking garage to get my passport.
Hmm!! maybe folks in San Francisco don't care so much. last time i went to a San Francisco facility, i handed them my Nepalese driving license (no, wasn't carrying my passport), and they didn't blink at all. though when i came back, they did ask me what the hell an 'auto rickshaw' was :-).
Generally, as long as i had a pre-authorized ticket open for access to equipment, any form of ID with a picture has worked.
thanks
For some reason it seemed a good idea to get all my various passports while I was there (I have three), and when I made it back inside I handed them all over together. I realised about two seconds after handing them over that I was probably doing a stupid thing. A whole group of them appeared, and huddled around my passports with their backs to me. They seemed on the verge of calling the FBI.
They gave the passports back, eventually, and I didn't go to jail. So it could have been worse. :-)
Joe
-- gaurab
/////////////////////////////////////////////////////+9779851038080 gaurab at lahai dot com
Here is a true story. Pardon me for being a little vague about details.
Client in argument about (large) expense payments with former employee (FE) (not me, BTW). FE wants payment, client says money is not owed. I am in no position to judge correctness of either argument.
FE used to have colocation access in remote location (at least, remote from the client, but close to the FE).
One fine Friday evening of a long weekend, quite late, FE goes to colo (where he has been removed from the access list). Shows ID to guards, who knew him well, and is let in, list or no list. FE goes to cage and removes router from colo, leaving a note, saying he will exchange router for moneys owed. Takes router to a "secure location."
Alarms go off at client HQ. People puzzle over dropped circuits, spend time trouble-shooting, other people are woken up. Eventually, as no progress is being made, "warm hands" are desired. With all this confusion and the late night weekend, it takes a number of hours before the warm hands reach the colo. When they open the rack door, they are asked to read off some status lights.
What lights?, they say.
On the router.
What router?, they say.
[long silence]
There is an envelope with a note, though, report the warm hands.
The FE got the money he wanted. The client got their router back. I am not sure if the guards were reprimanded or not.
Regards
Marshall
On Dec 28, 2006, at 1:47 PM, Gaurab Raj Upadhaya wrote:
On Dec 28, 2006, at 3:49 PM, Joe Abley wrote:
I gave my Ontario drivers licence to Equinix security in LA, once, and they refused to accept it as proof of ID since it wasn't government issued. I said it was; they disagreed. I tried to explain that there was more than one government in the world, but I got blank looks, and had to head out back past building security and up to the roof in the adjacent parking garage to get my passport.
Hmm!! maybe folks in San Francisco don't care so much. last time i went to a San Francisco facility, i handed them my Nepalese driving license (no, wasn't carrying my passport), and they didn't blink at all. though when i came back, they did ask me what the hell an 'auto rickshaw' was :-).
Generally, as long as i had a pre-authorized ticket open for access to equipment, any form of ID with a picture has worked.
thanks
For some reason it seemed a good idea to get all my various passports while I was there (I have three), and when I made it back inside I handed them all over together. I realised about two seconds after handing them over that I was probably doing a stupid thing. A whole group of them appeared, and huddled around my passports with their backs to me. They seemed on the verge of calling the FBI.
They gave the passports back, eventually, and I didn't go to jail. So it could have been worse. :-)
Joe
-- gaurab
/////////////////////////////////////////////////////+9779851038080 gaurab at lahai dot com
At 3:03 PM -0500 12/28/06, Marshall Eubanks wrote:
... FE goes to colo (where he has been removed from the access list). Shows ID to guards, who knew him well, and is let in, list or no list. ... The FE got the money he wanted. The client got their router back. I am not sure if the guards were reprimanded or not.
Client informs colo provider that they were negligent by allowing the theft, and deducts the replacement cost from next invoice?
/John
On Dec 27, 2006, at 12:42 PM, Jim Popovitch wrote:
On Wed, 2006-12-27 at 09:06 -0800, Owen DeLong wrote:
Savvis wants to retain your ID if they issue a cage-key to you.
If they (or others) asked you to let them hold $50 cash to cover their key/lock replacement costs would you feel more comfortable?
-Jim P.
Um, no. I would, however, be willing to have them inform the primary contact that the key had not been returned and then bill the customer appropriately for whatever remedy was chosen by the primary contact.
Owen
On Wed, 2006-12-27 at 18:58 -0800, Owen DeLong wrote:
On Dec 27, 2006, at 12:42 PM, Jim Popovitch wrote:
On Wed, 2006-12-27 at 09:06 -0800, Owen DeLong wrote:
Savvis wants to retain your ID if they issue a cage-key to you.
If they (or others) asked you to let them hold $50 cash to cover their key/lock replacement costs would you feel more comfortable?
-Jim P.
Um, no. I would, however, be willing to have them inform the primary contact that the key had not been returned and then bill the customer appropriately for whatever remedy was chosen by the primary contact.
How would they know who to bill?
-Jim P.
On Wed, Dec 27, 2006, Jim Popovitch wrote:
Um, no. I would, however, be willing to have them inform the primary contact that the key had not been returned and then bill the customer appropriately for whatever remedy was chosen by the primary contact.
How would they know who to bill?
Um, The ID you presented but didn't have to surrender?
(My colocation provider actually has photos of us all on-hand and only requires drivers licence or passport to verify we are who we say we are. Names, company and photo has to match or they say no. And if we fail to return the key they know who to bill. Now, what'll happen when I decide to shave..)
Adrian
On Thu, 2006-12-28 at 12:36 +0800, Adrian Chadd wrote:
On Wed, Dec 27, 2006, Jim Popovitch wrote:
Um, no. I would, however, be willing to have them inform the primary contact that the key had not been returned and then bill the customer appropriately for whatever remedy was chosen by the primary contact.
How would they know who to bill?
Um, The ID you presented but didn't have to surrender?
At the risk of dragging this to the nth degree... it's already been established that the ID yahoos have no idea on what a real ID looks like vs a false ID (esp considering all the possible combinations of ID). Secondly, say that they do accept your ID as valid, what ties that to your company (please don't say your business cards). I know a guy on 5th street who can make me an ID saying I work for pretty much any letterhead I bring him. ;-)
(My colocation provider actually has photos of us all on-hand and only requires drivers licence or passport to verify we are who we say we are. Names, company and photo has to match or they say no. And if we fail to return the key they know who to bill. Now, what'll happen when I decide to shave..)
;-) OK, that's a one-to-one relationship, one tech, one destination. On the other end of the spectrum are very large companies with many field techs visiting data centers all over the world.... who maintains the list of approved pictures and valid names and where do they keep it?
-Jim P.
At 12:15 AM -0500 12/28/06, Jim Popovitch wrote:
At the risk of dragging this to the nth degree... it's already been established that the ID yahoos have no idea on what a real ID looks like vs a false ID (esp considering all the possible combinations of ID).
That's certainly true in many cases, but not always. For those folks that do an offline verification of state-issued drivers license/photo ID's, they provide a relatively solid anchor for authentication. Again, this doesn't imply anything about authorization, but you've at least got a strong basis for believing that you are dealing with person so named.
/John
throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID.
I don't mind naming names. telex. I left.
AT&T's colocation facility in mid town retains your ID. So do a lot of others I've been to. And that happens whether or not they give you a cage key.
-Don
AT&T's colocation facility in mid town retains your ID. So do a lot of others I've been to. And that happens whether or not they give you a cage key.
-Don
Maybe this is a recent "feature". From what I've seen, AT&T's security policy differs from site to site, employee to employee, no matter what they claim.
Randy
On Tue, 24 Oct 2006, Daniel Senie wrote:
I think it's time to show up with such a statement of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought.
I have been considering this for some time. A small piece of paper you hand over with the piece of ID that the security droid needs to sign, print their name, and hand back. And for good measure you could ask them to show you *their* ID, to make sure that they're signing their real name.
--
John A. Kilpatrick
john@hypergeek.net Email| http://www.hypergeek.net/
john-page@hypergeek.net Text pages| ICQ: 19147504
remember: no obstacles/only challenges
On Oct 23, 2006, at 9:40 PM, David Schwartz wrote:
Maybe I've just been lucky, but I've been to some of the most secure facilities in the world, and I've never been asked to allow someone else to retain my passport or driver's license.
The best, no :-) But Exodus used to do this. And hell, most US hotels make you do this to borrow a luggage carrier.
--
Jo Rhett
senior geek
Silicon Valley Colocation
I've never been asked to allow someone else to retain my passport or driver's license.
Exodus used to do this.
...and look where that got them! They (Exodus) also had, at least here in Seattle at the 12301 Tukwila facility, the grungiest palm scanner in the world. Thankfully I never had to use it. I'm not a paranoid germ-phobe, but that thing looked downright dangerous. I often wonder if anyone from C&W, and now Savvis have ever cleaned it.
These places are making you hand over something of value to lessen the likelihood that you'll leave without following their sign-out procedures.
Indeed. The usual "rent-a-cop" (or as I recently heard them called by another Seattle facility: "Techno-guard"(!)) could care less about actually identifying you so much as make sure you don't abscond with "company property" or pull your equipment if your invoices aren't paid.
--chuck
On Mon, 23 Oct 2006 10:40:19 -0700 (PDT), "John A. Kilpatrick" <john@hypergeek.net> wrote:
On Mon, 23 Oct 2006, Craig Holland wrote:
In fact he did have an AT&T badge which he was not allowed to hand over either. The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
My tech said the same thing. That keycard could grant central office access so he couldn't surrender it.
That's quite likely accurate. My AT&T badge let me in via unattended entrances at a variety of facilities; I'd expect that a tech's badge would indeed work for many COs.
A better answer is for the COLO management to supply a number, on request, to tenants; they'd pass this number on to their supplier, for one-time use by the tech.
A government-issued ID (at most) proves your identity; it says nothing about your authorization to be somewhere. A company-issued ID (at most) proves that you work for some company that may or may not (a) be present at the COLO, and (b) may or may not be there for legitimate reasons. What's necessary here is *permission*.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
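The one-time visit number suggested in the message above, sketched as an added example that is not part of the original thread. The class, its method names and the sample tenant, supplier and cage values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Visit:
    tenant: str            # customer who asked the colo for the number
    supplier: str          # company the tenant expects the technician from
    cage: str              # the only cage this visit covers
    not_before: datetime
    not_after: datetime
    state: str = "issued"  # issued -> used | revoked


class VisitRegistry:
    """Hypothetical front-desk registry of one-time visit numbers."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._visits = {}    # keyed digest of the number -> Visit
        self.audit_log = []  # accounting: every decision, admitted or denied

    def _tag(self, number):
        # Keyed digest, so a copy of the lookup table alone does not
        # reveal which numbers are valid.
        return hmac.new(self._key, number.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, tenant, supplier, cage, not_before, hours=8):
        """Tenant requests a number and passes it on to its supplier."""
        number = "%010d" % secrets.randbelow(10 ** 10)
        self._visits[self._tag(number)] = Visit(
            tenant, supplier, cage, not_before, not_before + timedelta(hours=hours))
        return number

    def revoke(self, number):
        """Tenant withdraws permission before the visit happens."""
        visit = self._visits.get(self._tag(number))
        if visit is not None and visit.state == "issued":
            visit.state = "revoked"
            return True
        return False

    def check_in(self, number, supplier, cage, now, identity_verified):
        decision = self._decide(number, supplier, cage, now, identity_verified)
        self.audit_log.append((now.isoformat(), supplier, cage, decision))
        return decision

    def _decide(self, number, supplier, cage, now, identity_verified):
        # Authentication: the photo ID only establishes who is at the desk.
        if not identity_verified:
            return "deny: identity not verified"
        # Authorization: the number carries the tenant's permission.
        visit = self._visits.get(self._tag(number))
        if visit is None:
            return "deny: unknown number"
        if visit.state != "issued":
            return "deny: number " + visit.state
        if not (visit.not_before <= now <= visit.not_after):
            return "deny: outside visit window"
        if supplier != visit.supplier or cage != visit.cage:
            return "deny: not the visit that was authorized"
        visit.state = "used"  # one-time use
        return "admit"


def demo():
    """Constructed sample visit; all names and times are made up."""
    start = datetime(2006, 10, 23, 9, 0, tzinfo=timezone.utc)
    desk = VisitRegistry()
    number = desk.issue("ExampleTenant", "ExampleTelco", "C-12", start)
    at = start + timedelta(hours=1)
    return [
        desk.check_in(number, "ExampleTelco", "C-12", at, identity_verified=False),
        desk.check_in(number, "ExampleTelco", "C-99", at, identity_verified=True),
        desk.check_in(number, "ExampleTelco", "C-12", at, identity_verified=True),
        desk.check_in(number, "ExampleTelco", "C-12", at, identity_verified=True),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Nothing is retained from the visitor: the ID is looked at and handed back, and the number plus the audit log tell the facility which tenant to contact or bill.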
On Mon, 23 Oct 2006, Steven M. Bellovin wrote:
A government-issued ID (at most) proves your identity; it says nothing about your authorization to be somewhere.
The ID is just Authentication. Authorization and Accounting are handled by other procedures implemented by the colo security droids.
--
John A. Kilpatrick
john@hypergeek.net Email| http://www.hypergeek.net/
john-page@hypergeek.net Text pages| ICQ: 19147504
remember: no obstacles/only challenges
In article <20061023103731.W56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes
In fact he did have an AT&T badge which he was not allowed to hand over either. The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
My tech said the same thing. That keycard could grant central office access so he couldn't surrender it.
I have to admit (now I've been sent some information off-list) that I didn't realise the co-lo security were holding onto the "badge" (or access card or whatever) the whole time the tech was on the premises. Yes, that would give more opportunities for bad things to happen.
In many years of gaining access to secured buildings I've only ever had that happen once (passport exchanged for a visitor's pass, and back again at the end of the day).
--
Roland Perry
In article <9FA71E73BF462E4C96C3A9C074D50F7093BDE5@DHOST001-39.DEX001.intermedia.net>, Craig Holland <cholland@rnmd.net> writes
The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers.
--
Roland Perry
Roland Perry wrote:
In article <9FA71E73BF462E4C96C3A9C074D50F7093BDE5@DHOST001-39.DEX001.intermedia.net>, Craig Holland <cholland@rnmd.net> writes
The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers.
So what's next....
http://www.verichipcorp.com/
I recall back in the days of Exodus in Jersey City I walked in to go kick a Sun machine in one of the cages for a company I worked for. I had previously worked at a company that also had a cage there and had been to the Jersey City colo facility quite a few times. Anyhow when I went in they pulled up the keys for my prior company after giving them my ID. I stated "No, I no longer work there." They gave me the correct key but a "Hello My Name Is" tag with my former company. Funny...
--
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net
http://www.infiltrated.net
The happiness of society is the end of government. John Adams
I once was going to a meeting at a colo in Tysons Corner, which will remain nameless (but you would know it). Like most of them, it wasn't well marked, and we couldn't find it. Three of us wound up walking through an open door on the loading dock and onto the colo floor with no checks what-so-ever. We finally met somebody, asked where so-and-so's office was, and (after a very odd look) were told to go out again, walk around the building and go through security.
But, I always thought that the purpose of most security was psychological reassurance anyway...
Regards
Marshall
On Oct 23, 2006, at 2:18 PM, J. Oquendo wrote:
Roland Perry wrote:
In article <9FA71E73BF462E4C96C3A9C074D50F7093BDE5@DHOST001-39.DEX001.intermedia.net>, Craig Holland <cholland@rnmd.net> writes
The fellow I chatted with at AT&T said they are not allowed to hand over their badge because it would compromise their security.
Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers.
So what's next....
I recall back in the days of Exodus in Jersey City I walked in to go kick a Sun machine in one of the cages for a company I worked for. I had previously worked at a company that also had a cage there and had been to the Jersey City colo facility quite a few times. Anyhow when I went in they pulled up the keys for my prior company after giving them my ID. I stated "No, I no longer work there." They gave me the correct key but a "Hello My Name Is" tag with my former company. Funny...
-- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 sil . infiltrated @ net http://www.infiltrated.net The happiness of society is the end of government. John Adams
But, I always thought that the purpose of most security was psychological reassurance anyway...
Reacting to this and the story of just walking through the backdoor to get in - I think there's an element of self-fulfilling prophecy here. If the legitimate "power" users of the security system (i.e., the royal "we/us") don't take it seriously, the security system will be useless against the nefarious element.
It might be that the reason security is often so poorly implemented is that the job is often left to the unmotivated or the untrained (or "differently trained" - I mean in a good way). Perhaps these folks realize that their tasks are scoffed at, further lowering their "gruntlement". (As in "disgruntled.")
What would be different if, instead of exploiting the open back door, the open back door is pointed out to the folks responsible for the facility? I don't mean mentioning this to the security guards who may have interests in back doors remaining open and/or just not reported. Whether the door was left open on purpose or not, a guard may lose a job over it - if the facility management took it seriously. (What would happen if someone actually obeyed the speed limit in the US?)
One personality trait I find strong in this community is that desire to be able to cut through formality and red-tape and to push convention aside. This can be good for quick and productive innovation but at the same time detracts from the importance of the task at hand.
Security by its nature is not fun, not productive, a drain on resources and time. Security is something we need only because there are bad things out there - nefarious activity, inadvertent neglect, design flaws, etc. At best you have to "put up with security," don't expect to enjoy it.
Arguing about any policy with someone hired to follow it is not productive. The hired can't do much about it, and there is no incentive for them to fix their job. At worst they can lose it by wasting time questioning their supervisors.
Concerns about policy have to be raised to the level of those who can do something about it and have an incentive to fix it. No one is going to lay out more money for no more revenue if there's no other upside to it, that has to be kept in mind too. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Secrets of Success #107: Why arrive at 7am for the good parking space? Come in at 11am while the early birds drive out to lunch.
Is it enough of a problem that network operators would be interested in publishing some Practical Common Practices (I hesitate to call it a BCP) collocation facilities could follow for some common access control scenarios? Tenant access, pre-screened carrier, unscreened vendor, etc.
http://www.ncs.gov/nstac/reports/2005/Final%20TATF%20Report%2004-25-05.pdf
I wouldn't be surprised if most co-lo's don't actually have good reasons why they do some things, and if presented with a reasonable industry agreed practice, would adopt it.
On Mon, Oct 23, 2006 at 04:39:30PM -0400, Sean Donelan wrote:
Is it enough of a problem that network operators would be interested in publishing some Practical Common Practices (I hesitate to call it a BCP) collocation facilities could follow for some common access control scenarios? Tenant access, pre-screened carrier, unscreened vendor, etc.
i can see the reg headline now... ISPs and BOFH's now pushing PCP!
http://www.ncs.gov/nstac/reports/2005/Final%20TATF%20Report%2004-25-05.pdf
I wouldn't be surprised if most co-lo's don't actually have good reasons why they do some things, and if presented with a reasonable industry agreed practice, would adopt it.
colo's live/die based on paying customers. getting input from customers is not a bad idea. tempering customer feedback w/ legal and liability concerns is always a trick. --bill
On Mon, 23 Oct 2006, Sean Donelan wrote:
Is it enough of a problem that network operators would be interested in publishing some Practical Common Practices (I hesitate to call it a BCP) collocation facilities could follow for some common access control scenarios? Tenant access, pre-screened carrier, unscreened vendor, etc.
http://www.ncs.gov/nstac/reports/2005/Final%20TATF%20Report%2004-25-05.pdf
I wouldn't be surprised if most co-lo's don't actually have good reasons why they do some things, and if presented with a reasonable industry agreed practice, would adopt it.
Sean, I agree on "industry agreed practice", yet simply cannot understand why colos that have lacking physical security are our concerns. Obviously they need professional security help. As most of them don't take care of data security, which us bunch actually understand, how can we get them to care about physical security? It's beyond our scope, but I'm game on helping this happen if you feel it would make a difference. Gadi.
On Mon, 23 Oct 2006, Sean Donelan wrote:
Is it enough of a problem that network operators would be interested in publishing some Practical Common Practices (I hesitate to call it a BCP) collocation facilities could follow for some common access control scenarios? Tenant access, pre-screened carrier, unscreened vendor, etc.
It's something which is being looked at in the UK right now as well (as LLU expands, as well as non-PTT/CO housing locations). So, I think it's probably worth doing, and maybe try to harmonise as much as possible internationally, so that we don't have the ID "xenophobia" Joa alluded to.
I wouldn't be surprised if most co-lo's don't actually have good reasons why they do some things, and if presented with a reasonable industry agreed practice, would adopt it.
Totally agree with that assertion. Some just do things because it seemed like the right thing to do at the time, and the history of "why?" is often lost along the way, so that when someone challenges it later, no one can substantiate why the rule exists. Cheers, Mike
Edward Lewis wrote:
But, I always thought that the purpose of most security was psychological reassurance anyway...
Reacting to this and the story of just walking through the backdoor to get in -
I think there's an element of self-fulfilling prophecy here. If the
Classical NANOG OT thread. Can't resist. There is no doubt about it. 90% of security systems that were introduced following September 11 are knee jerk reactions to the threat of terrorism. Especially when implemented by the private sector.
Case in point. Pre 9/11, in WTC, you had to wait in line at the lobby and show ID and be issued a visitor badge with your picture taken and stored and/or be escorted up. This was a knee jerk reaction to the previous bombings. (As if car bombs in the garage have something to do with ID passes in the lobby) We all know what happens next. Very effective security if you ask me. They couldn't get in through the lobby, so.....
Entry to 7WTC now requires.....bag searches. The conspiracy theory states that people simply like to pretend that they are in control. That it is just a power trip. Funny, entry to the crowded streets of Manhattan requires.....nothing.
The only legit reason to take down people's ID is to discourage theft/vandalism. And in an ideal world, we would be as concerned with the building's privacy policy as we are with our online web vendors. And judging by timing, that was not their intention.
Security by its nature is not fun, not productive, a drain on resources and time. Security is something we need only because there are bad things out there - nefarious activity, inadvertent neglect, design flaws, etc. At best you have to "put up with security," don't expect to enjoy it.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar
"[Security] is like the weather, you can't do anything about it so you might as well lay back and enjoy it" - paraphrase of Clayton Williams --bill
On Mon, Oct 23, 2006 at 03:06:57PM -0400, Marshall Eubanks wrote:
I once was going to a meeting at a colo in Tysons Corner, which will remain nameless (but you would know it).
Like most of them, it wasn't well marked, and we couldn't find it. Three of us wound up walking through an open door on the loading dock and onto the colo floor with no checks whatsoever. We finally met somebody, asked where so-and-so's office was, and (after a very odd look) were told to go out again, walk around the building and go through security.
But, I always thought that the purpose of most security was psychological reassurance anyway...
Regards Marshall
If it's the one I'm thinking of, they closed it and moved everything out to Ashburn for just that reason - insufficient security. [I had worked in that building decades before they moved in, and it was NOT designed with a data center in mind.] -- Joe Yao ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies.
On Mon, 23 Oct 2006, Roland Perry wrote:
Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers.
Certainly in the UK, the co-lo security staff employed at Telehouse Europe are properly accredited and licensed by the UK SIA - http://www.the-sia.org.uk/home - and have to visibly wear their SIA license card while on duty (along with their company ID). Telehouse's access and security procedures seem to just work these days, certainly from my experience. So, training and accreditation seems to have worked here. I don't know if other co-lo's in the UK comply with this, as in some cases the "front door" security is often being provided by a NOC tech rather than a dedicated guard, so then there is probably some get-out anyway. Cheers, Mike
participants (43)
- Aaron Glenn
- Adrian Chadd
- Alex Rubenstein
- bmanning@karoshi.com
- Brandon Galbraith
- chuck goolsbee
- Craig Holland
- Daniel Golding
- Daniel Senie
- David Schwartz
- Derek J. Balling
- Dominic J. Eidson
- Donald Stahl
- Edward Lewis
- Etaoin Shrdlu
- Gadi Evron
- Gaurab Raj Upadhaya
- Henry Yen
- J. Oquendo
- Jamie Bowden
- Jay Hennigan
- Jim Popovitch
- Jo Rhett
- Joe Abley
- Joe Maimon
- Joe Provo
- John A. Kilpatrick
- John Curran
- Joseph S D Yao
- Larry Smith
- Leo Vegoda
- Mark Newton
- Marshall Eubanks
- Michael.Dillon@btradianz.com
- Mike Hughes
- Owen DeLong
- Patrick W. Gilmore
- Randy Epstein
- Roland Perry
- Sean Donelan
- Stasiniewicz, Adam
- Steven M. Bellovin
- Warren Kumari