Fiber cut in SF area

Shane Ronan sronan at fattoc.com
Sat Apr 11 09:59:05 CDT 2009


An easy way to describe what you're saying is "Security by obscurity is not security"

On Apr 11, 2009, at 8:31 AM, Joe Greco wrote:

>> Jo¢ wrote:
>>> I'm confused, but please pardon the ignorance.
>>> All the data centers we have are at minimum keys to access
>>> data areas. Not that every area of fiber should have such, but
>>> at least should they? Manhole covers "can" be keyed. For those of
>>> you arguing that this is not enough, I would say at least it’s a start.
>>> Yes if enough time goes by anything can happen, but how can one
>>> argue an ATM machine that has (at times) thousands of dollars stands
>>> out 24/7 without more immediate wealth. Perhaps I am missing
>>> something here, do the Cops stake out those areas? dunno
>>
>> The nice thing about the outdoors is how much of it there is.
>
> Cute, but a lot of people seem to be wondering this, so a better answer
> is deserved.
>
> The ATM machine is somewhat protected for the extremely obvious reason
> that it has cash in it, but an ATM is hardly impervious.
>
> http://www.youtube.com/watch?v=4P8WM8ZZDHk
>
> There are all sorts of strategies for attacking ATM's, and being
> susceptible to a sledgehammer, crowbar, or truck smashing into the
> unit shouldn't be hard to understand.
>
> Most data centers have security that is designed to keep honest people
> out of places that they shouldn't be.  Think that "security guard" at
> the front will stop someone from running off with something valuable?
> Maybe.  Have you considered following the emergency fire exits instead?
> Running out the loading dock?  Etc?
>
> Physical security is extremely difficult, and defending against a
> determined, knowledgeable, and appropriately resourced attacker out to
> get *you* is a losing battle, every time.
>
> Think about a door.  You can close your bathroom door and set the privacy
> lock, but any adult with a solid shoulder can break that door, or with a
> pin (or flathead or whatever your particular knob uses) can stick it in
> and trigger the unlock.  Your front door is more solid, but if it's wood,
> and not reinforced, I'll give my steel-toed boots better than even odds
> against it.  What?  You have a commercial hollow steel door?  Ok, that
> beats all of that, let me go get my big crowbar, a little bending will
> let me win.  Something more solid?  Ram it with a truck.  You got a
> freakin' bank vault door?  Explosives, torches, etc.  Fort Knox?  Bring a
> large enough army, you'll still get in.
>
> Notice a pattern?  For any given level of protection, countermeasures are
> available.  Your house is best "secured" by making changes that make it
> appear ordinary and non-attractive.  That means that a burglar is going to
> look at your house, say "nah," and move on to your neighbor's house, where
> your neighbor left the garage open.
>
> But if I were a burglar and I really wanted in your house?  There's not
> that much you could really do to stop me.  It's just a matter of how well
> prepared I am, how well I plan.
>
> So.  Now.  Fiber.
>
> Here's the thing, now.  First off, there usually isn't a financial
> motivation to attack fiber optic infrastructure.  ATM's get some
> protection because without locks, criminals would just open them and
> take the cash.  Having locks doesn't stop that, it just makes it harder.
> However, the financial incentive for attacking a fiber line is low.
> Glass is cheap.  We see attacks against copper because copper is
> valuable, and yet we cannot realistically guard the zillions of miles
> of copper that is all around.
>
> Next.  Repair crews need to be able to access the manholes.  This is a
> multifaceted problem.  First off, since there are so many manholes to
> protect, and there are so many crews who might potentially need to access
> them, you're probably stuck with a "standardized key" approach if you
> want to lock them.  While this offers some protection against the average
> person gaining unauthorized access, it does nothing to prevent "inside
> job" attacks (and I'll note that this looks suspiciously like an "inside
> job" of some sort).  Further, any locking mechanism can make it more
> difficult to gain access when you really need access; some manholes are
> not opened for years or even decades at a time.  What happens when the
> locks are rusted shut?  Is the mechanism weak enough that it can be
> forced open, or is it tolerable to have to wait extra hours while a
> crew finds a way to open it?  Speaking of that, a manhole cover is
> typically protecting some hole, accessway, or vault that's made out of
> concrete.  Are you going to protect the concrete too?  If not, what
> prevents me from simply breaking away the concrete around the manhole
> cover rim (admittedly a lot of work) and just discarding the whole
> thing?
>
> Wait.  I just want to *break* the cable?  Screw all that.  Get me a
> backhoe.  I'll just eyeball the direction I think the cable's going,
> and start digging until I snag something.
>
> Start to see the problems?
>
> I'm not saying that security is a bad thing, just a tricky thing.
>
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
>




