Encryption is insufficient - if you let someone have physical access for a long enough period, they'll eventually crack anything. Encryption makes the period of time longer, but let them try? As regards "roving," we are talking about Tyson's Corner here: that's pretty close (< 5km) to major offices of lots of folks who would care deeply about such matters.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

--- On Tue, 6/2/09, Charles Wyble <charles@thewybles.com> wrote:
From: Charles Wyble <charles@thewybles.com>
Subject: Re: Fiber cut - response in seconds?
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Tuesday, June 2, 2009, 1:57 PM

Martin Hannigan wrote:

Cheaper?

To quote Sneakers.... "We're the United States govt. We don't do that sort of thing."

It would also be cheaper to add an additional layer of security with encryption vs. roving teams of gun toting manhole watchers.

YMMV,

Best!

Marty

On 6/2/09, Deepak Jain <deepak@ai.net> wrote:

No. And here's why: If you're a naughty foreign intelligence team, and you know your stuff, you already know where some of the cables you'd really like a tap on are buried. When you hear of a construction project that might damage one, you set up your innocuous white panel truck somewhere else, near a suitable manhole. When a backhoe chops the cable (and you may well slip him some money to do so), *then* you put your tap in, elsewhere, with your actions covered by the downtime at the construction site. That's why the guys in the SUVs are in such a hurry, because they want to close the window of time in which someone can be tapping the cable elsewhere.

At least that's what I heard. I read it somewhere on the internet. Definitely. Not at all a sneaky person. No sir.

And if you were a naughty foreign intelligence team installing a tap, or a bend, or whatever in the fiber contemporaneously with a known cut, you could also reamplify and dispersion compensate for the slight amount of effect your work is having so that when it's tested later, the construction guy with the OTDR is blind to your work.

Ah, the fun of Paranoia, Inc.

Deepak Jain
AiNET
David Barak wrote:
Encryption is insufficient - if you let someone have physical access for a long enough period, they'll eventually crack anything.
Really? I don't think so. I imagine it would be much more dependent on the amount of computing power the attacker has access to. More encrypted blobs won't help. If that was the case then the various encryption schemes in wide use today would be cracked already. Bad guys can set up networks and blast data through it and have complete access. I don't see them cracking encryption.
Without getting into the math involved, Vlad (and others) are correct. This is why there is key migration (regeneration/renegotiation/repudiation) along these multi-gigabit/multi-terabit streams. Your obfuscation strength (I don't care how many digits you have in your key, your cipher, what have you) is computed against the amount of data you are obfuscating. If I am obfuscating 1 byte of data, my math functions do not need to be as large as obfuscating 2^128 bits.

There are plenty of non-classified books regarding COMSEC, INFOSEC and all their related interworking bits (even COMINT, SIGINT and HUMINT). Plenty of NANOG folks have been in these communities and that is why they say things that make sense regarding physical and network security. Even if you haven't been in these groups, the non-classified books are sufficiently sophisticated as to give even a layperson a respect for the layers of security (and the discipline behind it) needed to provide even the most minimal level of protection.

The h4x0r kids who think magnets on their doorways, tin foil hats, or willy-nilly encryption using their email-exchanged PGP keys are protected are welcome to their sandbox too -- let's just keep it away from those of us who like things that provably work [most of the time ;)].

DJ
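Added worked example, not part of the thread: the point above, that how long a key can safely stay in use depends on how much data passes under it, can be made concrete with the standard birthday-bound model for block-cipher modes such as CTR or GCM (the model, the 2^-32 advantage cap, the 10/100 Gbit/s line rates and the cipher names are assumptions chosen for illustration; the thread names none of them). The script computes the rekey interval a link operator would have to honour for 64-bit and 128-bit block ciphers.

```python
import math

# Birthday-bound model (standard textbook reasoning, assumed here): a block
# cipher with an n-bit block used in CTR/GCM-style modes starts leaking
# plaintext relations once the number of blocks q encrypted under ONE key
# approaches 2^(n/2). The distinguishing advantage is roughly q^2 / 2^(n+1);
# a common operational policy is to rekey before it exceeds 2^-32.

BITS_PER_BYTE = 8


def max_blocks_per_key(block_bits: int, max_advantage_log2: int = -32) -> int:
    """Largest q with q^2 / 2^(block_bits+1) <= 2^max_advantage_log2."""
    # Rearranged: q^2 <= 2^(block_bits + 1 + max_advantage_log2)
    exponent = block_bits + 1 + max_advantage_log2
    return math.isqrt(1 << exponent)


def max_bytes_per_key(block_bits: int, max_advantage_log2: int = -32) -> int:
    """Bytes that may be encrypted under one key before renegotiation."""
    block_bytes = block_bits // BITS_PER_BYTE
    return max_blocks_per_key(block_bits, max_advantage_log2) * block_bytes


def rekey_interval_seconds(block_bits: int, line_rate_bps: int,
                           max_advantage_log2: int = -32) -> float:
    """Seconds of saturated traffic at line_rate_bps before the key must change."""
    bytes_per_second = line_rate_bps / BITS_PER_BYTE
    return max_bytes_per_key(block_bits, max_advantage_log2) / bytes_per_second


if __name__ == "__main__":
    # Illustrative ciphers and link speeds (constructed, not from the thread).
    ciphers = ((64, "64-bit blocks (e.g. 3DES)"), (128, "128-bit blocks (e.g. AES)"))
    for block_bits, name in ciphers:
        for rate in (10_000_000_000, 100_000_000_000):
            secs = rekey_interval_seconds(block_bits, rate)
            print(f"{name:26s} at {rate // 10**9:>3d} Gbit/s: "
                  f"rekey every {secs:14.4f} s ({secs / 86400:.2f} days)")
```

A 64-bit block cipher would need a fresh key roughly every millisecond on a 10 Gbit/s link, while a 128-bit block cipher lasts weeks at the same rate; that gap, not key length alone, is what drives the renegotiation schedule.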