Fiber cut in SF area

Joe Greco jgreco at ns.sol.net
Sat Apr 11 12:31:55 UTC 2009


> Jo¢ wrote:
> > I'm confused, but please pardon the ignorance.
> > All the data centers we have are at minimum keys to access
> > data areas. Not that every area of fiber should have such, but
> > at least should they? Manhole covers "can" be keyed. For those of
> > you arguing that this is not enough, I would say at least it’s a start.
> > Yes if enough time goes by anything can happen, but how can one
> > argue an ATM machine that has (at times) thousands of dollars stands
> > out 24/7 without more immediate wealth. Perhaps I am missing
> > something here, do the Cops stake out those areas? dunno
> 
> The nice thing about the outdoors is how much of it there is.

Cute, but a lot of people seem to be wondering this, so a better answer
is deserved.

The ATM machine is somewhat protected for the extremely obvious reason 
that it has cash in it, but an ATM is hardly impervious.

http://www.youtube.com/watch?v=4P8WM8ZZDHk

There are all sorts of strategies for attacking ATM's, and being
susceptible to a sledgehammer, crowbar, or truck smashing into the
unit shouldn't be hard to understand.

Most data centers have security that is designed to keep honest people
out of places that they shouldn't be.  Think that "security guard" at 
the front will stop someone from running off with something valuable?
Maybe.  Have you considered following the emergency fire exits instead?
Running out the loading dock?  Etc?

Physical security is extremely difficult, and defending against a
determined, knowledgeable, and appropriately resourced attacker out to
get *you* is a losing battle, every time.

Think about a door.  You can close your bathroom door and set the privacy
lock, but any adult with a solid shoulder can break that door, or with a 
pin (or flathead or whatever your particular knob uses) can stick it in 
and trigger the unlock.  Your front door is more solid, but if it's wood,
and not reinforced, I'll give my steel-toed boots better than even odds
against it.  What?  You have a commercial hollow steel door?  Ok, that 
beats all of that, let me go get my big crowbar, a little bending will
let me win.  Something more solid?  Ram it with a truck.  You got a
freakin' bank vault door?  Explosives, torches, etc.  Fort Knox?  Bring a
large enough army, you'll still get in.

Notice a pattern?  For any given level of protection, countermeasures are
available.  Your house is best "secured" by making changes that make it
appear ordinary and non-attractive.  That means that a burglar is going to
look at your house, say "nah," and move on to your neighbor's house, where
your neighbor left the garage open.

But if I were a burglar and I really wanted in your house?  There's not
that much you could really do to stop me.  It's just a matter of how well
prepared I am, how well I plan.

So.  Now.  Fiber.

Here's the thing, now.  First off, there usually isn't a financial
motivation to attack fiber optic infrastructure.  ATM's get some
protection because without locks, criminals would just open them and
take the cash.  Having locks doesn't stop that, it just makes it harder.
However, the financial incentive for attacking a fiber line is low.
Glass is cheap.  We see attacks against copper because copper is
valuable, and yet we cannot realistically guard the zillions of miles 
of copper that is all around.

Next.  Repair crews need to be able to access the manholes.  This is a
multifaceted problem.  First off, since there are so many manholes to
protect, and there are so many crews who might potentially need to access
them, you're probably stuck with a "standardized key" approach if you
want to lock them.  While this offers some protection against the average
person gaining unauthorized access, it does nothing to prevent "inside
job" attacks (and I'll note that this looks suspiciously like an "inside
job" of some sort).  Further, any locking mechanism can make it more
difficult to gain access when you really need access; some manholes are
not opened for years or even decades at a time.  What happens when the
locks are rusted shut?  Is the mechanism weak enough that it can be
forced open, or is it tolerable to have to wait extra hours while a
crew finds a way to open it?  Speaking of that, a manhole cover is 
typically protecting some hole, accessway, or vault that's made out of
concrete.  Are you going to protect the concrete too?  If not, what
prevents me from simply breaking away the concrete around the manhole
cover rim (admittedly a lot of work) and just discarding the whole
thing?

Wait.  I just want to *break* the cable?  Screw all that.  Get me a
backhoe.  I'll just eyeball the direction I think the cable's going,
and start digging until I snag something.

Start to see the problems?

I'm not saying that security is a bad thing, just a tricky thing.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



