RE: Collocation Access Control
On Mon, 23 Oct 2006, Alex Rubenstein wrote: (They let me in eventually with a passport. But if they're going to trust a foreign-issued passport as photo id, it's not really that obvious to me why they wouldn't trust a foreign-issued driving licence. It's not like they can really tell whether either of them are forged.) What I've never understood is, that, how a gov't issue ID (for the purposes of allowing entry) is of any use whatsoever. It's not as if someone is doing a instand background check to know if the person is a criminal, or wanted, or whatever. It's trivial to forge a gov't ID. I see the frustration, but not the problem. 1. Verify with your supplier that they are sending somebody. 2. Get names and other identifying details to your satisfaction. 3. And this is the tricky part - identify them. Identification: --- There are many solutions for #3 to happen. Any badge-based security system can be broken with 5 minutes worth of operational intelligence gathering, if you are that much of a target for someone to care. All you need is to actually have security with a beurocratic system for admitting people and enforcing others don't get in, and then work it out with your supplier/whoever else you want to let in. In-doors: - Once you identify them, depending on your concerns, make sure they are escorted through-out their stay or just let them roam. Conclusions: I think that although your concerns are justified, they are msiplaced with ATT, they should be with your own security, if it is of importance - which may not be the case. Gadi.
Re: Practical Common Practice for Collocation Access
On Mon, 23 Oct 2006, Sean Donelan wrote: Is it enough of a problem, network operators would be interested in publishing some Practical Common Practices (I hesitate to call it a BCP) collocation facilities could follow for some common access control scenarios? Tenent access, pre-screened carrier, unscreened vendor, etc. http://www.ncs.gov/nstac/reports/2005/Final%20TATF%20Report%2004-25-05.pdf I wouldn't be surprised if most co-lo's don't actually have good reasons why they do some things, and if presented with a reasonable industry agreed practice, would adopt it. Sean, I agree on industry agreed practice, yet simply can not understand why colos that have lacking physical security are our concerns. Obviously they need professional security help. As most of them don't take care of data security, which us bunch actually understand, how can we get them to care about physical security? It's beyond our scope, but I'm game on helping this happen if you feel it would make a difference. Gadi.
RE: Collocation Access
From what I've seen, there's a complete lack of awareness of the risks associated with retention of identification or information. I even had a long argument with the local US Post Office, who wanted to record numbers from two forms of ID in order for me to retain my PO Box. Their claim was that postal inspection service requires it. I objected due to my local postoffice storing this information on index cards which all employees of the post office can access. While I understand the postal inspection service's interest in being able to track down box holders, I asked the postmaster if he'd sign a document accepting personal responsibility if the information was released or used by any of his employees. .. and how did that go? I think it's time to show up with such a statemant of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought. Being recently on a large, well known military station, the opposite happened to me. While yes, when originally being vetted I had to supply certain information that most would cringe at supplying, when onsite I was asked for two forms of government issued identification (I chose drivers license and passport) which was just reviewed (not copied), immediately handed back to me and then asked to pose for a picture and signed an electronic pad. A minute later I was handed a new government issued ID. During my stay, I had the need to access certain restricted areas. As I entered restricted area buildings, I was handed a restricted area badge to wear over my new picture ID to let people know immediately what areas I had access to (the alternative is shoot first, ask questions later; I'll pass, thanks). On the other hand, I've visited many data center, collocation facilities, and even foreign military bases (both US and others), and since ATT sparked this conversation, I've actually been to nearly 40 of their facilities throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out? Until then, these sites will continue this practice. Randy
Re: Practical Common Practice for Collocation Access
On Mon, 23 Oct 2006, Sean Donelan wrote: Is it enough of a problem, network operators would be interested in publishing some Practical Common Practices (I hesitate to call it a BCP) collocation facilities could follow for some common access control scenarios? Tenent access, pre-screened carrier, unscreened vendor, etc. It's something which is being looked at in the UK right now as well (as LLU expands, as well as non-PTT/CO housing locations). So, I think it's probably worth doing, and maybe try to harmonise as much as possible internationally, so that we don't have the ID xenophobia Joa eluded to. I wouldn't be surprised if most co-lo's don't actually have good reasons why they do some things, and if presented with a reasonable industry agreed practice, would adopt it. Totally agree with that assertion. Some just do things because it seemed like the right thing to do at the time, and the history of why? is often lost along the way, so that when someone challenges it later, no one can substantiate why the rule exists. Cheers, Mike
RE: Collocation Access
I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out? Until then, these sites will continue this practice. a) cash deposit b) heavy weight attached to cabinet keys and temporary pass c) bulky object attached to cabinet keys and temporary pass In high school, our data centre keys were attached to a few links of chain bolted onto a chunk of 2 x 4. I never mislaid them. I remember at least one place where I received a plastic card key similarily attached to a few links of chain welded to an broken wrench. Why couldn't ID cards be treated the same way? For that matter, in these days of RFID badges, why can't colo centers issue magic wands, 3 foot long rods tipped with an embedded RFID tag? They would not fit in pockets or briefcases etc. They would function identically to the RFID tags embedded in credit-card sized plastic but they would never get lost. Perhaps what we have here is another failure of imagination like the one cited in the 9/11 report. --Michael Dillon
Re: Collocation Access
On Mon, 23 Oct 2006, Roland Perry wrote: Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers. Certainly in the UK, the co-lo security staff employed at Telehouse Europe are properly accredited and licensed by the UK SIA - http://www.the-sia.org.uk/home - and have to visibly wear their SIA license card while on duty (along with their company ID). Telehouse's access and security procedures seem to just work these days, certainly from my experience. So, training and accreditation seems to have worked here. I don't know if other co-lo's in the UK comply to this, as in some cases, if the front door security is often being provided by a NOC tech rather than a dedicated guard so then there is probably some get out anyway. Cheers, Mike
Re: Collocation Access
In article [EMAIL PROTECTED], Randy Epstein [EMAIL PROTECTED] writes I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out? Ask for a $100 deposit in cash? -- Roland Perry
RE: Collocation Access
In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. DS
Re: Collocation Access
On Tuesday 24 October 2006 07:51, David Schwartz wrote: In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. DS Hmmm, I read quite a bit of difference between retain your ID and permit the use of - maybe one of us is reading something that isn't there. Quite a few places retain your ID while you are on the premises, to include places holding your passport while you are there, etc, etc... -- Larry Smith SysAd ECSIS.NET [EMAIL PROTECTED]
RE: Collocation Access
Then you broke the law, assuming you had a Florida license and you presented to the Miami facility. Actually, I handed them an Austrian license. Maybe I violated some EU directive! DS Randy
Re: Collocation Access
In article [EMAIL PROTECTED], David Schwartz [EMAIL PROTECTED] writes Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. Use as *what*? I allowed liquor stores to use my licence to prove I was over 21. There were even signs which suggested this was compulsory. And while they were using it like that, had I lent it to them, or does some other verb more accurately describe the situation? -- Roland Perry
RE: Collocation Access
Most list members here will probably find difficulty fathoming this, but during the Cold War years of the Nineteen Sixties, many telco employees, depending on the type of work they were engaged in, were actually issued government Civil Defense ID's for the purpose of gaining access to their workplaces and for transit to contingency assignments during natural disasters and acts of war. Long Lines staff and local operating company switching and transmission staff were given high priority in those days. I'm not sure exactly when, but I think the practice was suspended around 1968-9, or so. Do you suppose that telecoms and Internet is critical enough to the nation's infrastructure today that it should carry this level of regard by government? Say, qualified personnel working in critical sectors be issued Homeland Security ID's? Would such ID's issued by Homeland Security satisfy the clearance requirements for gaining access to collocation centers? On Tue Oct 24 8:51 , David Schwartz sent: In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. DS
RE: Collocation Access
Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. Hmmm, I read quite a bit of difference between retain your ID and permit the use of - maybe one of us is reading something that isn't there. Intentionally receiving a document is usually sufficient to establish possession. Some statutes say possess, some say use, some say use for specific purposes. If they say possess, you're definitely potentially screwed -- if you ask for it and receive it, you possess it. If they say, use for purposes of [x], then you're definitely safe (since you're probably not using it for any of the prohibited purposes). If the statute just says use, then ask a lawyer. Use is more than possession, but it's not clear exactly how much more. With luck, rational courts will hold that use means to use it as a means of identification and you'll be okay. This Florida statute makes it a crime to lend your driver's license to any other person (punishable by up to 60 days in jail). I can't imagine how permitting someone to retain something temporarily does not constitue lending, but I suppose courts might hold that unless you use it, I haven't really lent it to you. This is murky stuff, definitely not someplace you want to go without talking to a lawyer. If you possess or transfer any government-issued identify document without lawful authority in order to facilitate any violation of Federal law, 18 USC 1028(a)(7) puts you in jail for a very long time. Are you getting into that facility to facilitate breaking some obscure intellectual property or electronic privacy law? Quite a few places retain your ID while you are on the premises, to include places holding your passport while you are there, etc, etc... In that case, they definitely possess it, you probably lent it to them, and they may or may not be using it. Read your laws carefully. Some jurisdictions really do make it a crime to possess someone else's official identification. Receiving something intentionally usually is sufficient to establish possession. IANAL. DS
Re: Need help explaining in-addr.arpa to Limelight
Hi all, (And especially to those emailing privately, Joe Abley and Adam Rothschild... I never disappeared... ;) ) Yes, I've misspoke. Bad on me #1. You can subdomain IN-ADDR.ARPA. I understand that if you do more than just simply put NS records in, it can be done. The issue still stands though, that according to my latest dig +trace of it, I see : 185.28.69.in-addr.arpa. 86400 IN NS dns.iad.llns.net. 185.28.69.in-addr.arpa. 86400 IN NS dns.lax.llns.net. 185.28.69.in-addr.arpa. 86400 IN NS dns.lga.llns.net. 185.28.69.in-addr.arpa. 86400 IN NS dns.sjc.llns.net. ;; Received 138 bytes from 192.35.51.32#53(dill.ARIN.NET) in 2880 ms 185.28.69.in-addr.arpa. 7200IN SOA ns8.zoneedit.com. soacontact.zoneedit.com. 1115928761 14400 7200 950400 7200 ;; Received 105 bytes from 69.28.156.99#53(dns.iad.llns.net) in 970 ms Which still is wrong I believe. If nothing else, it should point to the ns13 and ns8 servers at zoneedit.com . Jeroen said he saw : ;; ANSWER SECTION: 185.28.69.in-addr.arpa. 7200IN NS ns13.zoneedit.com. 185.28.69.in-addr.arpa. 7200IN NS ns8.zoneedit.com. from a dig, but I'm not sure how. And yes, I'm using zoneedit for diversity for this reverse. As for my bad #2, I incorrectly used SWIP. I guess I should have said that if you do : whois -h rwhois.llnw.net -p 4321 69.28.185.1 It shows up as that I am the contact for that. Howerver, it still remains that after telling them twice EXACTLY what to do, it seems like they are still wrong. I would think I'd need to see something like what WCG did for me for another subnet : 164.193.64.in-addr.arpa. 86400 IN NS ns8.zoneedit.com. 164.193.64.in-addr.arpa. 86400 IN NS ns13.zoneedit.com. ;; Received 126 bytes from 64.200.255.12#53(tuldns1.wcg.net) in 1030 ms Am I still wrong, or are they? Thanks, Tuc
New IPv6 allocation from IANA to LACNIC
Hello, We would like to inform the community that LACNIC received the IPv6 address block 2800::/12 from IANA in October 2006 for further distribution to organizations in the Latin America and Caribbean region. The previous IPv6 address block being used by LACNIC (2800:::/23), is included in this new allocation from IANA. And the minimum prefix allocation in this block will be /32 Complete information about IP address block under LACNIC responsibility can be found at: http://lacnic.net/en/registro/index.html Regards Ricardo Patara Registration Service Manager LACNIC - Latin American and Caribbean IP Address Registry --
Firefox ASNumber extension updated for FF2.0
We've updated the Firefox ASNumber extension for FF2.0, fixed some bugs and added a couple of features (no IPv6 lookups yet though): http://asnumber.networx.ch/ Enjoy. About: The ASNumber extension displays the Prefix, AS Number and a couple of interesting statistics about them in the Firefox statusbar panel. Feedback, comments, feature requests welcome. -- Andre
RE: Collocation Access
On Tue, 2006-10-24 at 05:51 -0700, David Schwartz wrote: Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states use. ;-) -Jim P.
Re: Collocation Access
In article [EMAIL PROTECTED], Jim Popovitch [EMAIL PROTECTED] writes Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states use. ;-) At the risk of being over-pedantic, the licence cannot be used by another person for the purposes of driving a car because it clearly does not apply to them (but only to the named and pictured person upon it). So I'll ask again: what sort of use does this statute prohibit? -- Roland Perry
RE: Collocation Access
On Tue, 24 Oct 2006, Daniel Senie wrote: I think it's time to show up with such a statemant of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought. I have been considering this for some time. A small piece of paper you hand over with the piece of ID that the security droid needs to sign, print their name, and hand back. And for good measure you could ask them to show you *their* ID, to make sure that they're signing their real name. -- John A. Kilpatrick [EMAIL PROTECTED]Email| http://www.hypergeek.net/ [EMAIL PROTECTED] Text pages| ICQ: 19147504 remember: no obstacles/only challenges
Re: Collocation Access
On Tue, 24 Oct 2006, Roland Perry wrote: In article [EMAIL PROTECTED], Jim Popovitch [EMAIL PROTECTED] writes Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states use. ;-) At the risk of being over-pedantic, the licence cannot be used by another person for the purposes of driving a car because it clearly does not apply to them (but only to the named and pictured person upon it). So I'll ask again: what sort of use does this statute prohibit? At the risk of being anti-over-pedantic: Ask a lawyer, not a list of network ops. Duh. - d. -- Dominic J. Eidson Baruk Khazad! Khazad ai-menu! - Gimli --- http://www.the-infinite.org/
Re: Collocation Access
In article [EMAIL PROTECTED], Dominic J. Eidson [EMAIL PROTECTED] writes At the risk of being anti-over-pedantic: Ask a lawyer, not a list of network ops. That's what I usually do, but it sometimes helps to get the ordinary user's perspective as well. -- Roland Perry
Re: Collocation Access
On Tue, Oct 24, 2006 at 05:51:17AM -0700, David Schwartz wrote: In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. David, it's clear you're not a lawyer, or have ever done anything that requires that you interpret what a law means, other than the normal everyday requirements of a citizen. -- Joe Yao --- This message is not an official statement of OSIS Center policies.
Re: state of the world...Re: Need help explaining in-addr.arpa
On Tue, Oct 24, 2006 at 11:26:08AM -0400, Edward Lewis wrote: At 22:43 -0400 10/23/06, Joseph S D Yao wrote: I've noticed of late less understanding of DNS in the people charged with maintaining it out there. Sad. Sad? I don't think so, it's natural and a sign of the technology's promise. As the work load grows, the percentage of the workers who are pioneers will fall. If a system requires pioneer experience and knowledge to operate correctly there is more work to be done by the pioneers. I'm not asking them to know how to put together a Conestoga wagon and feed and maintain oxen. I'm asking them to know that when you see a stop sign you stop, and when you come to a right turn, you turn into the right-hand lane if it's safe and not no right turn on red. Then again, they don't know that, either. A person who does RFC 2317 delegation should know how to communicate that. -- Joe Yao --- This message is not an official statement of OSIS Center policies.
Re: Need help explaining in-addr.arpa to Limelight
On Tue, Oct 24, 2006 at 09:40:24AM -0400, Tuc at T-B-O-H.NET wrote: ... The issue still stands though, that according to my latest dig +trace of it, I see : 185.28.69.in-addr.arpa. 86400 IN NS dns.iad.llns.net. 185.28.69.in-addr.arpa. 86400 IN NS dns.lax.llns.net. 185.28.69.in-addr.arpa. 86400 IN NS dns.lga.llns.net. 185.28.69.in-addr.arpa. 86400 IN NS dns.sjc.llns.net. ;; Received 138 bytes from 192.35.51.32#53(dill.ARIN.NET) in 2880 ms 185.28.69.in-addr.arpa. 7200IN SOA ns8.zoneedit.com. soacontact.zoneedit.com. 1115928761 14400 7200 950400 7200 ;; Received 105 bytes from 69.28.156.99#53(dns.iad.llns.net) in 970 ms Which still is wrong I believe. If nothing else, it should point to the ns13 and ns8 servers at zoneedit.com . ... What they APPEAR to be doing is delegating, individually, each element of 0.185.28.69.in-addr.arpa - 255.185.28.69.in-addr.arpa to ns8.zoneedit.com and ns13.zoneedit.com. Try these: dig ns 185.28.69.in-addr.arpa dig any 1.185.28.69.in-addr.arpa @dns.lax.llns.net dig any 0.185.28.69.in-addr.arpa @dns.lax.llns.net dig any 255.185.28.69.in-addr.arpa @dns.lax.llns.net dig any 256.185.28.69.in-addr.arpa @dns.lax.llns.net Anything 0-255 returns the delegated name servers. I only tried 256 outside that range, but it returns an SOA as authority rather than the delegated name servers. dig ptr 1.185.28.69.in-addr.arpa - gw.house.tucs-beachin-obx-house.com. This is not how you or I would do it. But add a few more PTR records and see how well it works. -- Joe Yao --- This message is not an official statement of OSIS Center policies.
Earthlink people? - 207.69.195.103
Any Earthlink mail admins around? This server - 207.69.195.103 - has been on SORBS for some time now and I can't get any response from normal channels at Earthlink. A lot of your customers end up using that outgoing mail server and anyone that uses SORBS obviously may be blocking them.. and your customers are frustrated as well as mine that can't receive mail due to your SORBS listing. Thank you, SR
Re: Blogger.com posts still fails when posting to the NANOG list!
Hi, Apparently there is still some silly [f|s]oul who has to forward NANOG to blogger and blogger still doesn't handle multipart/signed and thus very nicely and totally anonymously reports that it fails. snip Google seems to say that this might be the one: http://www.gossamer-threads.com/lists/nanog/users/ No, this isn't us. We don't forward any mail to blogger or anyone else. Cheers, Alex -- Alex Krohn [EMAIL PROTECTED]
RE: Collocation Access
On Tue, Oct 24, 2006 at 05:51:17AM -0700, David Schwartz wrote: Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. David, it's clear you're not a lawyer, or have ever done anything that requires that you interpret what a law means, other than the normal everyday requirements of a citizen. Joe Yao I am way too familiar with several cases where people were charged and convicted with violating obscure laws clearly intended for another purpose just for doing their jobs in a normal, reasonable way. Intel v. Schwartz (no relation) is a great example. http://www.eff.org/legal/cases/Intel_v_Schwartz/schwartz_case.intro It's quite possible (even likely, IMO) that when Florida makes it illegal to lend your driver's license to any other person, it actually means precisely that. DS
Mzima Networks.
Does anyone on the list have experience as either a vendor or customer with Mzima Networks? Feel free to contact me off list if you do… Thanks in advance, Rob
