Re: Collocation Access
At 12:15 AM -0500 12/28/06, Jim Popovitch wrote: At the risk of dragging this to the nth degree... it's already been established that the ID yahoos have no idea on what a real ID looks like vs a false ID (esp considering all the possible combinations of ID). That's certainly true in many cases, but not always. For those folks that do an offline verification of state-issued drivers license/photo ID's, they provide a relatively solid anchor for authentication. Again, this doesn't imply anything about authorization, but you've at least got a strong basis for believing that you are dealing with person so named. /John
Re: Collocation Access
On 27-Dec-2006, at 18:22, Mark Newton wrote: On Thu, Dec 28, 2006 at 12:13:07AM +0100, Leo Vegoda wrote: My driving license doesn't have a photograph on it, so using it as an identity document is pointless. There's no way for a minimum-wage security grunt to verify the particulars of my passport, so using it as an identity document is pointless. Which makes it hard for me to understand why they bother, and why they go to such great lengths to enforce arbitrary rules about what is acceptable and what isn't. I gave my Ontario drivers licence to Equinix security in LA, once, and they refused to accept it as proof of ID since it wasn't government issued. I said it was; they disagreed. I tried to explain that there was more than one government in the world, but I got blank looks, and had to head out back past building security and up to the roof in the adjacent parking garage to get my passport. For some reason it seemed a good idea to get all my various passports while I was there (I have three), and when I made it back inside I handed them all over together. I realised about two seconds after handing them over that I was probably doing a stupid thing. A whole group of them appeared, and huddled around my passports with their backs to me. They seemed on the verge of calling the FBI. They gave the passports back, eventually, and I didn't go to jail. So it could have been worse. :-) Joe
Re: Collocation Access
On Dec 28, 2006, at 4:49 PM, Joe Abley wrote: [...] My driving license doesn't have a photograph on it, so using it as an identity document is pointless. There's no way for a minimum-wage security grunt to verify the particulars of my passport, so using it as an identity document is pointless. Which makes it hard for me to understand why they bother, and why they go to such great lengths to enforce arbitrary rules about what is acceptable and what isn't. Indeed. I'm surprised the market hasn't produced facilities with better thought through and executed security and access controls. Is there not enough competition in each metro area for anything other than lowest common denominator? Leo
Re: Collocation Access
Joe Abley wrote: On 27-Dec-2006, at 18:22, Mark Newton wrote: On Thu, Dec 28, 2006 at 12:13:07AM +0100, Leo Vegoda wrote: My driving license doesn't have a photograph on it, so using it as an identity document is pointless. There's no way for a minimum-wage security grunt to verify the particulars of my passport, so using it as an identity document is pointless. Which makes it hard for me to understand why they bother, and why they go to such great lengths to enforce arbitrary rules about what is acceptable and what isn't. Especialy when their customer who is onsite, has already been identified and authenticated and authorized is vouching for you, and presumably, contractually bound to pay for any damages caused by you.
Re: Collocation Access
Indeed. I'm surprised the market hasn't produced facilities with better thought through and executed security and access controls. Is there not enough competition in each metro area for anything other than lowest common denominator? From what I've seen? No. At the moment, the top priority of colocation customers is power availability, followed swiftly by price. It is slowly turning into a seller's market - IF the facility has available power (and I pity those facilities who are at their limits), but the customer is still primarily picking on $s alone. WRT security process and procedures, most customers seem to be just interested if they exist. Of course they want them applied very strictly to everyone else but THEM. --chuck
Re: Collocation Access
On 12/28/06, Joe Abley [EMAIL PROTECTED] wrote: They gave the passports back, eventually, and I didn't go to jail. So it could have been worse. :-) of course all this happened *after* you passed the first handscan. oh Equinix...
Re: Collocation Access
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Dec 28, 2006, at 3:49 PM, Joe Abley wrote: I gave my Ontario drivers licence to Equinix security in LA, once, and they refused to accept it as proof of ID since it wasn't government issued. I said it was; they disagreed. I tried to explain that there was more than one government in the world, but I got blank looks, and had to head out back past building security and up to the roof in the adjacent parking garage to get my passport. Hmm!! may be folks in San francisco don't care so much. last time i went to a San Francisco facility, i handed them my Nepalese driving license (no, wasn't carrying my passport), and they didn't blink at all. though when i came back, they did ask me what the hell an 'auto rickshaw' was :-). Generally, as long as i had a pre-authorized ticket open for access to equipment, any form of ID with a picture has worked. thanks For some reason it seemed a good idea to get all my various passports while I was there (I have three), and when I made it back inside I handed them all over together. I realised about two seconds after handing them over that I was probably doing a stupid thing. A whole group of them appeared, and huddled around my passports with their backs to me. They seemed on the verge of calling the FBI. They gave the passports back, eventually, and I didn't go to jail. So it could have been worse. :-) Joe -- gaurab /+9779851038080 gaurab at lahai dot com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFlBFOSo7fU26F3X0RApKKAKD9E+ZZre2lpN33JZdhsx4DUBYeLQCgmRAQ cVwe2M8yPMwu6eA7n0ZIDO0= =sko+ -END PGP SIGNATURE-
Re: Collocation Access
Here is a true story. Pardon me for being a little vague about details. Client in argument about (large) expense payments with former employee (FE) (not me, BTW). FE wants payment, client says money is not owed. I am in no position to judge correctness of either argument. FE used to have collation access in remote location (at least, remote from the client, but close to the FE). One fine Friday evening of a long weekend, quite late, FE goes to colo (where he has been removed from the access list). Shows ID to guards, who knew him well, and is let in, list or no list. FE goes to cage and removes router from colo, leaving a note, saying he will exchange router for money's owed. Takes router to a secure location. Alarms go off at client HQ. People puzzle over dropped circuits, spend time trouble-shooting, other people are woken up. Eventually, as no progress is being made, warm hands are desired. With all this confusion and the late night weekend, it takes a number of hours before the warm hands reach the colo. When they open the rack door, they are asked to read off some status lights. What lights ?, they say. On the router. What router ?, they say. [long silence] There is an envelope with a note, though, report the warm hands. The FE got the money he wanted. The client got their router back. I am not sure if the guards were reprimanded or not. Regards Marshall On Dec 28, 2006, at 1:47 PM, Gaurab Raj Upadhaya wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Dec 28, 2006, at 3:49 PM, Joe Abley wrote: I gave my Ontario drivers licence to Equinix security in LA, once, and they refused to accept it as proof of ID since it wasn't government issued. I said it was; they disagreed. I tried to explain that there was more than one government in the world, but I got blank looks, and had to head out back past building security and up to the roof in the adjacent parking garage to get my passport. Hmm!! may be folks in San francisco don't care so much. last time i went to a San Francisco facility, i handed them my Nepalese driving license (no, wasn't carrying my passport), and they didn't blink at all. though when i came back, they did ask me what the hell an 'auto rickshaw' was :-). Generally, as long as i had a pre-authorized ticket open for access to equipment, any form of ID with a picture has worked. thanks For some reason it seemed a good idea to get all my various passports while I was there (I have three), and when I made it back inside I handed them all over together. I realised about two seconds after handing them over that I was probably doing a stupid thing. A whole group of them appeared, and huddled around my passports with their backs to me. They seemed on the verge of calling the FBI. They gave the passports back, eventually, and I didn't go to jail. So it could have been worse. :-) Joe -- gaurab /+9779851038080 gaurab at lahai dot com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFlBFOSo7fU26F3X0RApKKAKD9E+ZZre2lpN33JZdhsx4DUBYeLQCgmRAQ cVwe2M8yPMwu6eA7n0ZIDO0= =sko+ -END PGP SIGNATURE-
Re: Collocation Access
At 3:03 PM -0500 12/28/06, Marshall Eubanks wrote: ... FE goes to colo (where he has been removed from the access list). Shows ID to guards, who knew him well, and is let in, list or no list. ... The FE got the money he wanted. The client got their router back. I am not sure if the guards were reprimanded or not. Client informs colo provider that they were negligent by allowing the theft, and deducts the replacement cost from next invoice? /John
Re: Collocation Access
Marshall Eubanks wrote: Here is a true story. Pardon me for being a little vague about details. They should have retained his id. That would have helped.
Re: Collocation Access
On Thu, 28 Dec 2006, Daniel Golding wrote: Time for a colocation reality check. Why would facilities need to have tight security? Lets count off the reasons... Don't forget the biggie. These are shared use facilities. People who buy space in collocation facilities already have lower security requirements. The only thing keeping the bad guys out is whether their payment clears. Security by poverty?
Re: Collocation Access
On 12/28/06, Sean Donelan [EMAIL PROTECTED] wrote: Don't forget the biggie. These are shared use facilities. People who buy space in collocation facilities already have lower security requirements. The only thing keeping the bad guys out is whether their payment clears. Security by poverty? Very true. If you have an application that requires a high level of security, in a perfect world you'd have the budget to put it in your own facility where you control physical access, not outsourced security from a colo vendor. -- Brandon Galbraith Email: [EMAIL PROTECTED] AIM: brandong00 Voice: 630.400.6992
Re: Collocation Access
On Thu, Dec 28, 2006 at 02:06:30PM -0500, Daniel Golding wrote: [snip] Time for a colocation reality check. [snip] Until supply catches up to demand, only price and power will matter to most folks, along with an acceptable level of facility redundancy (Tier III for most). One 'reality check' that is required is that some of the time, everything fails. Can we please have redundant facilities rather than just facility redundancy? Part of the whole packet-based, layer-services communications model is the simple avoid central hardened SPoF. Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: Collocation Access
Randy Epstein wrote: throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. I dont mind naming names. telex. I left.
Re: Collocation Access
Savvis wants to retain your ID if they issue a cage-key to you. Owen On Dec 27, 2006, at 8:52 AM, Joe Maimon wrote: Randy Epstein wrote: throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. I dont mind naming names. telex. I left.
Re: Collocation Access
Does that equate to a take it or leave standpoint? Suppose you dont need a key cause your client is already there? Owen DeLong wrote: Savvis wants to retain your ID if they issue a cage-key to you. Owen On Dec 27, 2006, at 8:52 AM, Joe Maimon wrote: Randy Epstein wrote: throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. I dont mind naming names. telex. I left.
Re: Collocation Access
throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. I dont mind naming names. telex. I left. ATT's colocation facility in mid town retains your ID. So do a lot of others I've been to. And that happens whether or not they give you a cage key. -Don
Re: Collocation Access
On Wed, 2006-12-27 at 09:06 -0800, Owen DeLong wrote: Savvis wants to retain your ID if they issue a cage-key to you. If they (or others) asked you to let them hold $50 cash to cover their key/lock replacement costs would you feel more comfortable? -Jim P.
Re: Collocation Access
On Oct 23, 2006, at 9:40 PM, David Schwartz wrote: Maybe I've just been lucky, but I've been to some of the most secure facilities in the world, and I've never been asked to allow someone else to retain my passport or driver's license. The best, no :-) But Exodus used to do this. And hell, most US hotels make you do this to borrow a luggage carrier. -- Jo Rhett senior geek Silicon Valley Colocation
RE: Collocation Access
ATT's colocation facility in mid town retains your ID. So do a lot of others I've been to. And that happens whether or not they give you a cage key. Maybe this is a recent feature. From what I've seen, ATT's security policy differs from site to site, employee to employee, no matter what they claim. -Don Randy
Re: Collocation Access
On Dec 27, 2006, at 3:42 PM, Jim Popovitch wrote: On Wed, 2006-12-27 at 09:06 -0800, Owen DeLong wrote: Savvis wants to retain your ID if they issue a cage-key to you. If they (or others) asked you to let them hold $50 cash to cover their key/lock replacement costs would you feel more comfortable? Very much so. I realize this may not be a universally held preference. I also realize the trouble in having low-paid security guards, frequently outsourced so they are not even your employees, handling cash from random people at all hours of the day, night, and weekends. But I'd much rather lose $50 and argue about getting that back than my passport. ESPECIALLY since I would only be giving my passport when I am out of the country. To open a totally separate can-of-worms, why not take my driver's license? Easier to replace than a passport and much less trouble when crossing borders. And before someone says they don't know what a DL from $COUNTRY looks like, realize that they really don't know what a passport looks like either. -- TTFN, patrick
Re: Collocation Access
On Dec 27, 2006, at 6:13 PM, Leo Vegoda wrote: On Dec 27, 2006, at 11:20 PM, Patrick W. Gilmore wrote: [...] To open a totally separate can-of-worms, why not take my driver's license? Easier to replace than a passport and much less trouble when crossing borders. And before someone says they don't know what a DL from $COUNTRY looks like, realize that they really don't know what a passport looks like either. My driving license doesn't have a photograph on it, so using it as an identity document is pointless. Some organisations use it that way, but... Sorry, I thought we were discussing something to be held by the staff to ensure you return an access card. That does not have to be the same document used to verify identity. Last time I checked, the $50 (or £20, or ¥5000 or whatever) bill didn't have my picture on it either. Although I admit the $50 bill gets me into more places than my DL. ;) -- TTFN, patrick
Re: Collocation Access
On Thu, Dec 28, 2006 at 12:13:07AM +0100, Leo Vegoda wrote: My driving license doesn't have a photograph on it, so using it as an identity document is pointless. There's no way for a minimum-wage security grunt to verify the particulars of my passport, so using it as an identity document is pointless. Even if they could verify it, my passport says nothing about whether or not I'm authorized to enter any colocation facilities, so using it as an identity document would *still* be pointless. Lets keep our eyes on the real issue here, which is that requiring handover of an identity document usually has very little to do with actual identification. These places are making you hand over something of value to lessen the likelihood that you'll leave without following their sign-out procedures. They're basically using security window-dressing (identification requirements) to solve a procedural/business issue. It makes no difference to them whether you hand over your passport, drivers license, car keys, marriage license or firstborn son, as long as you sign-out and hand back your visitors pass on the way out of the building when you're finished. - mark -- Mark Newton Email: [EMAIL PROTECTED] (W) Network Engineer Email: [EMAIL PROTECTED] (H) Internode Systems Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: Collocation Access
I've never been asked to allow someone else to retain my passport or driver's license. Exodus used to do this. ...and look where that got them! They (Exodus) also had, at least here in Seattle at the 12301 Tukwila facility, the grungiest palm scanner in the world. Thankfully I never had to use it. I'm not a paranoid germ-phobe, but that thing looked downright dangerous. I often wonder if anyone from CW, and now Savvis have ever cleaned it. These places are making you hand over something of value to lessen the likelihood that you'll leave without following their sign-out procedures. Indeed. The usual rent-a-cop (or as I recently heard them called by another Seattle facility: Techno-guard(!)) could care less about actually identifying you so much as make sure you don't abscond with company preoperty or pull your equipment if your invoices aren't paid. --chuck
Re: Collocation Access
On Dec 27, 2006, at 12:42 PM, Jim Popovitch wrote: On Wed, 2006-12-27 at 09:06 -0800, Owen DeLong wrote: Savvis wants to retain your ID if they issue a cage-key to you. If they (or others) asked you to let them hold $50 cash to cover their key/lock replacement costs would you feel more comfortable? -Jim P. Um, no. I would, however, be willing to have them inform the primary contact that the key had not been returned and then bill the customer appropriately for whatever remedy was chosen by the primary contact. Owen
Re: Collocation Access
On Wed, 2006-12-27 at 18:58 -0800, Owen DeLong wrote: On Dec 27, 2006, at 12:42 PM, Jim Popovitch wrote: On Wed, 2006-12-27 at 09:06 -0800, Owen DeLong wrote: Savvis wants to retain your ID if they issue a cage-key to you. If they (or others) asked you to let them hold $50 cash to cover their key/lock replacement costs would you feel more comfortable? -Jim P. Um, no. I would, however, be willing to have them inform the primary contact that the key had not been returned and then bill the customer appropriately for whatever remedy was chosen by the primary contact. How would they know who to bill? -Jim P.
Re: Collocation Access
On Wed, Dec 27, 2006, Jim Popovitch wrote: Um, no. I would, however, be willing to have them inform the primary contact that the key had not been returned and then bill the customer appropriately for whatever remedy was chosen by the primary contact. How would they know who to bill? Um, The ID you presented but didn't have to surrender? (My colocation provider actually has photos of us all on-hand and only requires drivers licence or passport to verify we are who we say we are. Names, company and photo has to match or they say no. And if we fail to return the key they know who to bill. Now, what'll happen when I decide to shave..) Adrian
Re: Collocation Access
On Thu, 2006-12-28 at 12:36 +0800, Adrian Chadd wrote: On Wed, Dec 27, 2006, Jim Popovitch wrote: Um, no. I would, however, be willing to have them inform the primary contact that the key had not been returned and then bill the customer appropriately for whatever remedy was chosen by the primary contact. How would they know who to bill? Um, The ID you presented but didn't have to surrender? At the risk of dragging this to the nth degree... it's already been established that the ID yahoos have no idea on what a real ID looks like vs a false ID (esp considering all the possible combinations of ID). Secondly, say that they do accept your ID as valid, what ties that to your company (please don't say your business cards). I know a guy on 5th street who can make me an ID saying I work for pretty much any letterhead I bring him. ;-) (My colocation provider actually has photos of us all on-hand and only requires drivers licence or passport to verify we are who we say we are. Names, company and photo has to match or they say no. And if we fail to return the key they know who to bill. Now, what'll happen when I decide to shave..) ;-) OK, that's a one-to-one relationship, one tech, one destination. On the other end of the spectrum are very large companies with many field techs visiting data centers all over the world who maintains the list of approved pictures and valid names and where do they keep it? -Jim P.
Re: Collocation Access
On Tue, Oct 24, 2006 at 05:38:05PM -0700, David Schwartz wrote: ... I am way too familiar with several cases where people were charged and convicted with violating obscure laws clearly intended for another purpose just for doing their jobs in a normal, reasonable way. Intel v. Schwartz (no relation) is a great example. http://www.eff.org/legal/cases/Intel_v_Schwartz/schwartz_case.intro It's quite possible (even likely, IMO) that when Florida makes it illegal to lend your driver's license to any other person, it actually means precisely that. ... Ah, THAT is what you meant by your obscure reference to IvS. Merely that lawyers can twist anything to mean anything. Well, yes, that's what they get paid to do. Another facet of that, though, is that one needs to ask a lawyer to make sure what a law might mean [deliberate phrasing, that won't say what it DOES mean, that's the judge's job, and it might and will differ from the lawyer's interpretation in different ways depending on which judge and when]. It depends on precedent, including what judges declared they meant every other time they used the same phrasing. So it's a waste of bits for us to declare what it DOES mean, unless one of us is the judge in a case deciding this, in which case it's merely illegal or ill- advised, depending on other circumstances. [This is why Microsoft is still one company.] -- Joe Yao --- This message is not an official statement of OSIS Center policies.
RE: Collocation Access
I'd check with a Lawyer, but that statute contains an or, not an and. Jamie Bowden -- It was half way to Rivendell when the drugs began to take hold Hunter S Tolkien Fear and Loathing in Barad Dur Iain Bowen [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Popovitch Sent: Tuesday, October 24, 2006 10:51 AM To: nanog@merit.edu Subject: RE: Collocation Access On Tue, 2006-10-24 at 05:51 -0700, David Schwartz wrote: Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states use. ;-) -Jim P.
RE: Collocation Access Control
On Mon, 23 Oct 2006, Alex Rubenstein wrote: (They let me in eventually with a passport. But if they're going to trust a foreign-issued passport as photo id, it's not really that obvious to me why they wouldn't trust a foreign-issued driving licence. It's not like they can really tell whether either of them are forged.) What I've never understood is, that, how a gov't issue ID (for the purposes of allowing entry) is of any use whatsoever. It's not as if someone is doing a instand background check to know if the person is a criminal, or wanted, or whatever. It's trivial to forge a gov't ID. I see the frustration, but not the problem. 1. Verify with your supplier that they are sending somebody. 2. Get names and other identifying details to your satisfaction. 3. And this is the tricky part - identify them. Identification: --- There are many solutions for #3 to happen. Any badge-based security system can be broken with 5 minutes worth of operational intelligence gathering, if you are that much of a target for someone to care. All you need is to actually have security with a beurocratic system for admitting people and enforcing others don't get in, and then work it out with your supplier/whoever else you want to let in. In-doors: - Once you identify them, depending on your concerns, make sure they are escorted through-out their stay or just let them roam. Conclusions: I think that although your concerns are justified, they are msiplaced with ATT, they should be with your own security, if it is of importance - which may not be the case. Gadi.
RE: Collocation Access
From what I've seen, there's a complete lack of awareness of the risks associated with retention of identification or information. I even had a long argument with the local US Post Office, who wanted to record numbers from two forms of ID in order for me to retain my PO Box. Their claim was that postal inspection service requires it. I objected due to my local postoffice storing this information on index cards which all employees of the post office can access. While I understand the postal inspection service's interest in being able to track down box holders, I asked the postmaster if he'd sign a document accepting personal responsibility if the information was released or used by any of his employees. .. and how did that go? I think it's time to show up with such a statemant of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought. Being recently on a large, well known military station, the opposite happened to me. While yes, when originally being vetted I had to supply certain information that most would cringe at supplying, when onsite I was asked for two forms of government issued identification (I chose drivers license and passport) which was just reviewed (not copied), immediately handed back to me and then asked to pose for a picture and signed an electronic pad. A minute later I was handed a new government issued ID. During my stay, I had the need to access certain restricted areas. As I entered restricted area buildings, I was handed a restricted area badge to wear over my new picture ID to let people know immediately what areas I had access to (the alternative is shoot first, ask questions later; I'll pass, thanks). On the other hand, I've visited many data center, collocation facilities, and even foreign military bases (both US and others), and since ATT sparked this conversation, I've actually been to nearly 40 of their facilities throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out? Until then, these sites will continue this practice. Randy
RE: Collocation Access
I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out? Until then, these sites will continue this practice. a) cash deposit b) heavy weight attached to cabinet keys and temporary pass c) bulky object attached to cabinet keys and temporary pass In high school, our data centre keys were attached to a few links of chain bolted onto a chunk of 2 x 4. I never mislaid them. I remember at least one place where I received a plastic card key similarily attached to a few links of chain welded to an broken wrench. Why couldn't ID cards be treated the same way? For that matter, in these days of RFID badges, why can't colo centers issue magic wands, 3 foot long rods tipped with an embedded RFID tag? They would not fit in pockets or briefcases etc. They would function identically to the RFID tags embedded in credit-card sized plastic but they would never get lost. Perhaps what we have here is another failure of imagination like the one cited in the 9/11 report. --Michael Dillon
Re: Collocation Access
On Mon, 23 Oct 2006, Roland Perry wrote: Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers. Certainly in the UK, the co-lo security staff employed at Telehouse Europe are properly accredited and licensed by the UK SIA - http://www.the-sia.org.uk/home - and have to visibly wear their SIA license card while on duty (along with their company ID). Telehouse's access and security procedures seem to just work these days, certainly from my experience. So, training and accreditation seems to have worked here. I don't know if other co-lo's in the UK comply to this, as in some cases, if the front door security is often being provided by a NOC tech rather than a dedicated guard so then there is probably some get out anyway. Cheers, Mike
Re: Collocation Access
In article [EMAIL PROTECTED], Randy Epstein [EMAIL PROTECTED] writes I'm not exactly sure why these sites want to retain ID, but I think it goes along with the big weight that is connected to the gas station bathroom key. They want to make sure you return your cabinet keys (if any), temporary pass (if any), etc. Legal risk or not, can you think of a better way to get someone to return to the security desk to sign out? Ask for a $100 deposit in cash? -- Roland Perry
RE: Collocation Access
In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. DS
Re: Collocation Access
On Tuesday 24 October 2006 07:51, David Schwartz wrote: In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. DS Hmmm, I read quite a bit of difference between retain your ID and permit the use of - maybe one of us is reading something that isn't there. Quite a few places retain your ID while you are on the premises, to include places holding your passport while you are there, etc, etc... -- Larry Smith SysAd ECSIS.NET [EMAIL PROTECTED]
RE: Collocation Access
Then you broke the law, assuming you had a Florida license and you presented to the Miami facility. Actually, I handed them an Austrian license. Maybe I violated some EU directive! DS Randy
Re: Collocation Access
In article [EMAIL PROTECTED], David Schwartz [EMAIL PROTECTED] writes Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. Use as *what*? I allowed liquor stores to use my licence to prove I was over 21. There were even signs which suggested this was compulsory. And while they were using it like that, had I lent it to them, or does some other verb more accurately describe the situation? -- Roland Perry
RE: Collocation Access
Most list members here will probably find difficulty fathoming this, but during the Cold War years of the Nineteen Sixties, many telco employees, depending on the type of work they were engaged in, were actually issued government Civil Defense ID's for the purpose of gaining access to their workplaces and for transit to contingency assignments during natural disasters and acts of war. Long Lines staff and local operating company switching and transmission staff were given high priority in those days. I'm not sure exactly when, but I think the practice was suspended around 1968-9, or so. Do you suppose that telecoms and Internet is critical enough to the nation's infrastructure today that it should carry this level of regard by government? Say, qualified personnel working in critical sectors be issued Homeland Security ID's? Would such ID's issued by Homeland Security satisfy the clearance requirements for gaining access to collocation centers? On Tue Oct 24 8:51 , David Schwartz sent: In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. DS
RE: Collocation Access
Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. Hmmm, I read quite a bit of difference between retain your ID and permit the use of - maybe one of us is reading something that isn't there. Intentionally receiving a document is usually sufficient to establish possession. Some statutes say possess, some say use, some say use for specific purposes. If they say possess, you're definitely potentially screwed -- if you ask for it and receive it, you possess it. If they say, use for purposes of [x], then you're definitely safe (since you're probably not using it for any of the prohibited purposes). If the statute just says use, then ask a lawyer. Use is more than possession, but it's not clear exactly how much more. With luck, rational courts will hold that use means to use it as a means of identification and you'll be okay. This Florida statute makes it a crime to lend your driver's license to any other person (punishable by up to 60 days in jail). I can't imagine how permitting someone to retain something temporarily does not constitue lending, but I suppose courts might hold that unless you use it, I haven't really lent it to you. This is murky stuff, definitely not someplace you want to go without talking to a lawyer. If you possess or transfer any government-issued identify document without lawful authority in order to facilitate any violation of Federal law, 18 USC 1028(a)(7) puts you in jail for a very long time. Are you getting into that facility to facilitate breaking some obscure intellectual property or electronic privacy law? Quite a few places retain your ID while you are on the premises, to include places holding your passport while you are there, etc, etc... In that case, they definitely possess it, you probably lent it to them, and they may or may not be using it. Read your laws carefully. Some jurisdictions really do make it a crime to possess someone else's official identification. Receiving something intentionally usually is sufficient to establish possession. IANAL. DS
RE: Collocation Access
On Tue, 2006-10-24 at 05:51 -0700, David Schwartz wrote: Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states use. ;-) -Jim P.
Re: Collocation Access
In article [EMAIL PROTECTED], Jim Popovitch [EMAIL PROTECTED] writes Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states use. ;-) At the risk of being over-pedantic, the licence cannot be used by another person for the purposes of driving a car because it clearly does not apply to them (but only to the named and pictured person upon it). So I'll ask again: what sort of use does this statute prohibit? -- Roland Perry
RE: Collocation Access
On Tue, 24 Oct 2006, Daniel Senie wrote: I think it's time to show up with such a statemant of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought. I have been considering this for some time. A small piece of paper you hand over with the piece of ID that the security droid needs to sign, print their name, and hand back. And for good measure you could ask them to show you *their* ID, to make sure that they're signing their real name. -- John A. Kilpatrick [EMAIL PROTECTED]Email| http://www.hypergeek.net/ [EMAIL PROTECTED] Text pages| ICQ: 19147504 remember: no obstacles/only challenges
Re: Collocation Access
On Tue, 24 Oct 2006, Roland Perry wrote: In article [EMAIL PROTECTED], Jim Popovitch [EMAIL PROTECTED] writes Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. That statute deals with someone else _using_ my license, but in no way implies that my license can't be _held_ by someone else. The title clearly states use. ;-) At the risk of being over-pedantic, the licence cannot be used by another person for the purposes of driving a car because it clearly does not apply to them (but only to the named and pictured person upon it). So I'll ask again: what sort of use does this statute prohibit? At the risk of being anti-over-pedantic: Ask a lawyer, not a list of network ops. Duh. - d. -- Dominic J. Eidson Baruk Khazad! Khazad ai-menu! - Gimli --- http://www.the-infinite.org/
Re: Collocation Access
In article [EMAIL PROTECTED], Dominic J. Eidson [EMAIL PROTECTED] writes At the risk of being anti-over-pedantic: Ask a lawyer, not a list of network ops. That's what I usually do, but it sometimes helps to get the ordinary user's perspective as well. -- Roland Perry
Re: Collocation Access
On Tue, Oct 24, 2006 at 05:51:17AM -0700, David Schwartz wrote: In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including ATT) have never asked to retain my ID. Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. David, it's clear you're not a lawyer, or have ever done anything that requires that you interpret what a law means, other than the normal everyday requirements of a citizen. -- Joe Yao --- This message is not an official statement of OSIS Center policies.
RE: Collocation Access
On Tue, Oct 24, 2006 at 05:51:17AM -0700, David Schwartz wrote: Then you broke the law, assuming you had a Florida license and you presented it to the Miami facility. Florida law, Title 13 section 322.32(2), Unlawful use of license says [i]t is a misdemeanor of the second degree ... for any person ... [t]o lend his or her driver's license to any other person or knowingly permit the use thereof by another. David, it's clear you're not a lawyer, or have ever done anything that requires that you interpret what a law means, other than the normal everyday requirements of a citizen. Joe Yao I am way too familiar with several cases where people were charged and convicted with violating obscure laws clearly intended for another purpose just for doing their jobs in a normal, reasonable way. Intel v. Schwartz (no relation) is a great example. http://www.eff.org/legal/cases/Intel_v_Schwartz/schwartz_case.intro It's quite possible (even likely, IMO) that when Florida makes it illegal to lend your driver's license to any other person, it actually means precisely that. DS
Re: Collocation Access
On 23-Oct-2006, at 11:54, Craig Holland wrote: I just ran into something for the first time, and apparently it isn’t that uncommon. ATT was asked to install a circuit into a collocation facility where, like any I’ve been into, required them to show a government ID. In a similar vein, it'd be nice if colo facilities who require government-issued ID could be taught that there is actually more than one government in the world, and that if they mean US-federal-or- state-government-issued they should say so. (They let me in eventually with a passport. But if they're going to trust a foreign-issued passport as photo id, it's not really that obvious to me why they wouldn't trust a foreign-issued driving licence. It's not like they can really tell whether either of them are forged.) Joe
Re: Collocation Access
On Mon, 23 Oct 2006, Craig Holland wrote: I just ran into something for the first time, and apparently it isn't that uncommon. ATT was asked to install a circuit into a collocation facility where, like any I've been into, required them to show a government ID. They refused claiming it was against policy. After making some calls, I found out there are union regulations which restrict ATT from asking their union employees to hand over personal property, ID's included. I rant in to this situation recently. When I placed my order I made sure that the sales droid understood that it was in a datacenter facility and that ID was required to enter. When the tech called the day of the install he said that they can't surrender their ATT ID (which the colo would accept, I guess) and that company policy prohibited him from surrendering his personal ID. I said fine, whatever, meet me outside the facility and I'll go do the needful and let you know if the circuit is good. I then called my sales droid and told him about it and said that we would not be paying the install fee for the circuit since their tech wouldn't be doing any work. The sales droid was unfamiliar with the policy and asked me to have the tech call him to confirm. So I get to the datacenter and meet the tech. I give him the number of the sales droid and ask him to call and explain the policy - I wasn't paying for the install and he needed to know why. The tech got all mad and then proceeded to give his ID datacenter security folks. I told him I didn't want him violating company policy and he then admitted that it wasn't company policy - they had just been told that they didn't have to use their personal ID if they didn't want to. He proceeded to lecture me about how he works for ATT and thus shouldn't have to provide his personal ID. Never mind that I do the same thing every time I go there. Basically, in my opinion, ATT sent me a tech that had personal objections to the requirements of the job at hand, requirements that I had made clear to the sales droid up front. So if you're running in to a situation like this make sure your sales droid knows that this could happen and that making sure the install happens smoothy is his job, not yours. -- John A. Kilpatrick [EMAIL PROTECTED]Email| http://www.hypergeek.net/ [EMAIL PROTECTED] Text pages| ICQ: 19147504 remember: no obstacles/only challenges
Re: Collocation Access
On Mon, 23 Oct 2006, Craig Holland wrote: Is this some new trend or have I just gotten lucky in the past? Wouldn't someone like ATT be better served by giving their employees some company issued ID that they can submit to secure facilities? I know it wouldn't be government issued, but would at least be a step in the right direction. Or, they ask the unions to amend their policies considering it is a requirement of the job to do these kinds of installs to present a government ID. Every ATT employee on company business is issued an official company employee card with the employee's name and photograph. Employees must show the card while working on company business. It is up to the co-location facility operator whether to accept the company issued ID card or not. Although it varies by person, and sometimes the security guard is on a powertrip and the telephone person will suddenly become stickler on the rules, the LECs and USPS tend to the most resististant to most landlord special rules. I've heard similar complaints from government agents that some facilities wouldn't accept their government issued law enfocement badge, and wanted to see their state issued driver's license or state ID card. Part of the problem is there are thousands of different official IDs, and minimum wage security guards can barely detect forgeries of common state ID cards and have no experience with credentials issued by other groups. On the other hand, some state ID cards have a lot of the information someone could use for identity theft, and you don't always know what the guard or the facility will do with the information. The US NSTAC group has been studying the issue of Trusted Access to telecommunications facilities, and whether we need a better method to credential people for co-location access. http://www.ncs.gov/nstac/reports/2005/Final%20TATF%20Report%2004-25-05.pdf
RE: Collocation Access
Is this some new trend or have I just gotten lucky in the past? Wouldn't someone like ATT be better served by giving their employees some company issued ID that they can submit to secure facilities? I know it wouldn't be government I am shocked that the ATT employee did not have an ATT ID. In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue. I'd be a bit more suspicious that he didn't have ATT ID. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
RE: Collocation Access
(They let me in eventually with a passport. But if they're going to trust a foreign-issued passport as photo id, it's not really that obvious to me why they wouldn't trust a foreign-issued driving licence. It's not like they can really tell whether either of them are forged.) What I've never understood is, that, how a gov't issue ID (for the purposes of allowing entry) is of any use whatsoever. It's not as if someone is doing a instand background check to know if the person is a criminal, or wanted, or whatever. It's trivial to forge a gov't ID. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: Collocation Access
Alex Rubenstein wrote: Craig Holland wrote: Is this some new trend or have I just gotten lucky in the past? Wouldn't someone like ATT be better served by giving their employees some company issued ID that they can submit to secure facilities? I know it wouldn't be government issued, but would at least be a step in the right direction. I'm a little surprised by all this, truthfully. I *know* that ATT has to work inside certain facilities that are government run, and they are *required* to provide government issued ID, company issued ID, and social security number (really!) at a minimum. They must also state whether or not they are a US citizen, and if not, what country they hold citizenship in. I am shocked that the ATT employee did not have an ATT ID. In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue. I'd be a bit more suspicious that he didn't have ATT ID. Me too. In my former life, I was involved with such requirements (but only at what the fedgov lovingly refers to as contractor sites), and we always had the alternative for anyone objecting to our requirements for ID. No problem. They could just sit in the lobby (or outside) and wait. I used to object to our method of gathering social security numbers (since it was on a form that anyone adding a name could see), but I can tell you that it was much more onerous than your standard telco. -- This above all: to thine own self be true, And it must follow, as the night the day, Thou canst not then be false to any man. William Shakespeare
RE: Collocation Access
In fact he did have an ATT badge which he was not allowed to hand over either. The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. I'm assuming the badge was of the keycard variety. My thought was that they could have an ATT id of some sort that was specifically used for this kind of access; one that is not a keycard and doesn't have any proprietary information on it that would make their security people uncomfortable if it was handed over at a collocation. craig -Original Message- From: Alex Rubenstein [mailto:[EMAIL PROTECTED] Sent: Monday, October 23, 2006 10:06 AM To: Craig Holland; [EMAIL PROTECTED] Subject: RE: Collocation Access Is this some new trend or have I just gotten lucky in the past? Wouldn't someone like ATT be better served by giving their employees some company issued ID that they can submit to secure facilities? I know it wouldn't be government I am shocked that the ATT employee did not have an ATT ID. In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue. I'd be a bit more suspicious that he didn't have ATT ID. -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben Net Access Corporation, 800-NET-ME-36, http://www.nac.net
Re: Collocation Access
Alex Rubenstein wrote: I am shocked that the ATT employee did not have an ATT ID. In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue. I'd be a bit more suspicious that he didn't have ATT ID. He may have indeed had ATT ID. But the colo security people wanted a government ID. Company ID is relatively meaningless and trivially forged, particularly for small values of company. If I were to show up in a truck with Jay's Telco on the side, produce Jay's Telco ID, and refuse to show a driver's license or government ID I would expect datacenter security to be a bit suspicious. Why should ATT be treated any differently? -- Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED] NetLojix Communications, Inc. - http://www.netlojix.com/ WestNet: Connecting you to the planet. 805 884-6323 - WB6RDV
RE: Collocation Access
On Mon, 23 Oct 2006, Craig Holland wrote: In fact he did have an ATT badge which he was not allowed to hand over either. The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. My tech said the same thing. That keycard could grant central office access so he couldn't surrender it. -- John A. Kilpatrick [EMAIL PROTECTED]Email| http://www.hypergeek.net/ [EMAIL PROTECTED] Text pages| ICQ: 19147504 remember: no obstacles/only challenges
RE: Collocation Access
What I've never understood is, that, how a gov't issue ID (for the purposes of allowing entry) is of any use whatsoever. It's not as if someone is doing a instand background check to know if the person is a criminal, or wanted, or whatever. It's trivial to forge a gov't ID. Welcome to token security. There's lots of silly procedures around now that add nothing to security but someone in an office dreamt them up as they have to be seen to be doing something. If you point out how dumb they are you're a terrorist too. So we al waste time following them (they can't reduce them as if something did happen they'd be blamed, who wants less security?) Colos full of rent-a-cops are just as bad, my passport says who I'm allowed to surrender it to and that doesn't include colo guards yet some want to retain it whilst you're on site. Company ID isn't acceptable to some of them either. I'd rather not trust them with either though I don't mind them looking. brandon
Re: Collocation Access
In article [EMAIL PROTECTED], Etaoin Shrdlu [EMAIL PROTECTED] writes I used to object to our method of gathering social security numbers (since it was on a form that anyone adding a name could see) Now that you need a Social Security number to get a US Drivers licence (and I doubt many telco engineers walk to work), would the traceability issues be satisfied by taking the details from one of those? I assume the Feds can ask the State which SSN goes with which DL, if the need arises. -- Roland Perry
Re: Collocation Access
In article [EMAIL PROTECTED] , Craig Holland [EMAIL PROTECTED] writes The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers. -- Roland Perry
Re: Collocation Access
In article [EMAIL PROTECTED], John A. Kilpatrick [EMAIL PROTECTED] writes The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. My tech said the same thing. That keycard could grant central office access On its own? No keycode or anything. What if he lost it? so he couldn't surrender it. But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected? -- Roland Perry
Re: Collocation Access
On Mon, 23 Oct 2006 10:40:19 -0700 (PDT), John A. Kilpatrick [EMAIL PROTECTED] wrote: On Mon, 23 Oct 2006, Craig Holland wrote: In fact he did have an ATT badge which he was not allowed to hand over either. The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. My tech said the same thing. That keycard could grant central office access so he couldn't surrender it. That's quite likely accurate. My ATT badge let me in via unattended entrances at a variety of facilities; I'd expect that a tech's badge would indeed work for many COs. A better answer is for the COLO management to supply a number, on request, to tenants; they'd pass this number on to their supplier, for one-time use by the tech. A government-issued ID (at most) proves your identity; it says nothing about your authorization to be somewhere. A company-issued ID (at most) proves that you work for some company that may or may not (a) be present at the COLO, and (b) may or may not be there for legitimate reasons. What's necessary here is *permission*. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Collocation Access
On Mon, 23 Oct 2006, Roland Perry wrote: But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected? While your point is valid, arguing something like that with an ATT tech would be like arguing with the TSA. Logic and reasoning are of no value in the conversation. The policy is the policy and you deal with it. -- John A. Kilpatrick [EMAIL PROTECTED]Email| http://www.hypergeek.net/ [EMAIL PROTECTED] Text pages| ICQ: 19147504 remember: no obstacles/only challenges
Re: Collocation Access
Roland Perry wrote: In article [EMAIL PROTECTED] , Craig Holland [EMAIL PROTECTED] writes The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers. So what's next http://www.verichipcorp.com/ I recall back in the days of Exodus in Jersey City I walked in to go kick a Sun machine in one of the cages for a company I worked for. I had previously worked at a company that also had a cage there and had been to the Jersey City colo facility quite a few times. Anyhow when I went in they pulled up the keys for my prior company after giving them my ID. I stated No, I no longer work there. They gave me the correct key but a Hello My Name Is tag with my former company. Funny... -- J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743 sil . infiltrated @ net http://www.infiltrated.net The happiness of society is the end of government. John Adams smime.p7s Description: S/MIME Cryptographic Signature
Re: Collocation Access
In article [EMAIL PROTECTED], Brandon Butterworth [EMAIL PROTECTED] writes my passport says who I'm allowed to surrender it to and that doesn't include colo guards yet some want to retain it whilst you're on site should not be passed to an unauthorised person [1], which raises the issue of who authorises who (and back to my idea for accrediting colo security guards). On the other hand there are many countries [even inside the EU] where a hotel receptionist will insist on holding your passport overnight so you can be registered with the police. Who authorised them, rather than gave them an obligation? [1] US passports don't contain a similar clause. -- Roland Perry
Re: Collocation Access
On Mon, 23 Oct 2006, Steven M. Bellovin wrote: A government-issued ID (at most) proves your identity; it says nothing about your authorization to be somewhere. The ID is just Authentication. Authorization and Accounting are handled by other procedures implemented by the colo security droids. -- John A. Kilpatrick [EMAIL PROTECTED]Email| http://www.hypergeek.net/ [EMAIL PROTECTED] Text pages| ICQ: 19147504 remember: no obstacles/only challenges
Re: Collocation Access
On Oct 23, 2006, at 10:57 AM, Roland Perry wrote: In article [EMAIL PROTECTED], John A. Kilpatrick [EMAIL PROTECTED] writes The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. My tech said the same thing. That keycard could grant central office access On its own? No keycode or anything. What if he lost it? so he couldn't surrender it. But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected? These are trivial to clone -- all you need is a reader hooked up to a PC and you can read the number off the card. You can then buy a batch of cards that cover the serial numbers that you are interested in (no, I don't really understand WHY you can buy numbered ranges, but you can...) The other alternative is something like: http://cq.cx/proxmark3.pl This device will read and clone a large number of proximity cards -- you don't even need real access to the card, all you need to do is brush up against the cardholder with the antenna cincealed in your pocket -- Roland Perry -- If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords. -- Richard A Steenbergen
Re: Collocation Access
I once was going to a meeting at a colo in Tysons Corner, which will remain nameless (but you would know it). Like most of them, it wasn't well marked, and we couldn't find it. Three of us wound up walking through an open door on the loading dock and onto the colo floor with no checks what-so-ever. We finally met somebody, asked where so-and-so's office was, and (after a very odd look) were told to go out again, walk around the building and go through security. But, I always thought that the purpose of most security was psychological reassurance anyway... Regards Marshall On Oct 23, 2006, at 2:18 PM, J. Oquendo wrote: Roland Perry wrote: In article [EMAIL PROTECTED] .net , Craig Holland [EMAIL PROTECTED] writes The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers. So what's next http://www.verichipcorp.com/ I recall back in the days of Exodus in Jersey City I walked in to go kick a Sun machine in one of the cages for a company I worked for. I had previously worked at a company that also had a cage there and had been to the Jersey City colo facility quite a few times. Anyhow when I went in they pulled up the keys for my prior company after giving them my ID. I stated No, I no longer work there. They gave me the correct key but a Hello My Name Is tag with my former company. Funny... -- J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743 sil . infiltrated @ net http://www.infiltrated.net The happiness of society is the end of government. John Adams
RE: Collocation Access
That is true for strip card (credit card style) and simple prox cards. But what I have been seeing more often is that companies are using the smart card and wireless smart card variety for high security areas. So instead of having a card that will always return the same value (making it easy to duplicate) the smart cards will use good old fashion PKI to mutually authenticate the card to the reader and the reader to the card. This way, the card won't give out its security information until the card reader is verified to be a legit member of the security system. In addition to this, I am seeing a push to go with 2 factor authentication, so you need the card plus some sort of biometrics. This way, if you lose the card, it is useless unless the criminal also managed to chop off your thumb. But if you are ATT and have spend millions of dollars on equipping all your COs with swipe readers because you got sick of having rekey the locks every time someone lost a key; so when stuck with the choice of replacing all of your COs' security equipment with something more secure, or creating blanket polices, creating a policy is cheaper. My $.02 Adam Stasiniewicz -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Warren Kumari Sent: Monday, October 23, 2006 1:34 PM To: Roland Perry Cc: nanog@merit.edu Subject: Re: Collocation Access On Oct 23, 2006, at 10:57 AM, Roland Perry wrote: In article [EMAIL PROTECTED], John A. Kilpatrick [EMAIL PROTECTED] writes The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. My tech said the same thing. That keycard could grant central office access On its own? No keycode or anything. What if he lost it? so he couldn't surrender it. But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected? These are trivial to clone -- all you need is a reader hooked up to a PC and you can read the number off the card. You can then buy a batch of cards that cover the serial numbers that you are interested in (no, I don't really understand WHY you can buy numbered ranges, but you can...) The other alternative is something like: http://cq.cx/proxmark3.pl This device will read and clone a large number of proximity cards -- you don't even need real access to the card, all you need to do is brush up against the cardholder with the antenna cincealed in your pocket -- Roland Perry -- If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords. -- Richard A Steenbergen
Re: Collocation Access
But, I always thought that the purpose of most security was psychological reassurance anyway... Reacting to this and the story of just walking through the backdoor to get in - I think there's an element of self-fulfilling prophecy here. If the legitimate power users of the security system (i.e., the royal we/us) don't take it seriously, the security system will be useless against the nefarious element. It might be that the reason security is often so poorly implemented is that the job is often left to the unmotivated or the untrained (or differently trained - I mean in a good way). Perhaps these folks realize that their tasks are scoffed at, further lowering their gruntlement. (As in disgruntled.) What would be different if, instead of exploiting the open back door, the open back door is pointed out to the folks responsible for the facility? I don't mean mentioning this to the security guards who may have interests in back doors remaining open and/or just not reported. Whether the door was left open on purpose or not, a guard may lose a job over it - if the facility management took it seriously. (What would happen if someone actually obeyed the speed limit in the US?) One personality trait I find strong in this community is that desire to be able to cut through formality and red-tape and to push convention aside. This can be good for quick and productive innovation but at the same time detracts from the importance of the task at hand. Security by its nature is not fun, not productive, a drain on resources and time. Security is something we need only because there are bad things out there - nefarious activity, inadvertent neglect, design flaws, etc. At best you have to put up with security, don't expect to enjoy it. Arguing about any policy with someone hired to follow it is not productive. The hired can't do much about it, and there is no incentive for them to fix their job. At worst they can lose it by wasting time questioning their supervisors. Concerns about policy have to be raised to the level of those who can do something about it and have an incentive to fix it. No one is going to lay out more money for no more revenue if there's no other upside to it, that has to be kept in mind too. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis+1-571-434-5468 NeuStar Secrets of Success #107: Why arrive at 7am for the good parking space? Come in at 11am while the early birds drive out to lunch.
Re: Collocation Access
In article [EMAIL PROTECTED], John A. Kilpatrick [EMAIL PROTECTED] writes But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected? While your point is valid, arguing something like that with an ATT tech would be like arguing with the TSA. Logic and reasoning are of no value in the conversation. The policy is the policy and you deal with it. I don't seek to argue it with an individual tech, but with whoever sets the corporate security policy. -- Roland Perry
Re: Collocation Access
In article [EMAIL PROTECTED], John A. Kilpatrick [EMAIL PROTECTED] writes In fact he did have an ATT badge which he was not allowed to hand over either. The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. My tech said the same thing. That keycard could grant central office access so he couldn't surrender it. I have to admit (now I've been sent some information off-list) that I didn't realise the co-lo security were holding onto the badge (or access card or whatever) the whole time the tech was on the premises. Yes, that would give more opportunities for bad things to happen. In many years of gaining access to secured buildings I've only ever had that happen once (passport exchanged for a visitor's pass, and back again at the end of the day). -- Roland Perry
Re: Collocation Access
Edward Lewis wrote: But, I always thought that the purpose of most security was psychological reassurance anyway... Reacting to this and the story of just walking through the backdoor to get in - I think there's an element of self-fulfilling prophecy here. If the Classical NANOG OT thread. Cant resist. There is no doubt about it. 90% of security systems that were introduced following september 11 are knee jerk reactions to the threat of terroism. Especialy when implemented by the private sector. Case in point. Pre 9/11, in WTC, you had to wait in line at the lobby and show ID and be issued a visitor badge with your picture taken and stored and/or be escorted up. This was a knee jerk reaction to the previous bombings. (As if car bombs in the garage has something to do with ID passes in the lobby) We all know what happens next. Very effective security if you ask me. They couldnt get in throught the lobby, so. Entry to 7WTC now requires.bag searches. The conspiracy theory states that people simply like to pretend that they are in control. That it is just a power trip. Funny, entry to the crowded streets of manhattan requires.nothing. The only legit reason to take down peoples ID is to discourage theft/vandalism. And in an ideal world, we would be as concerned with the buldings privacy policy as we are with our online web vendors. And judging by timing, that was not their intention.
Re: Collocation Access
Security by its nature is not fun, not productive, a drain on resources and time. Security is something we need only because there are bad things out there - nefarious activity, inadvertent neglect, design flaws, etc. At best you have to put up with security, don't expect to enjoy it. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis+1-571-434-5468 NeuStar [Security] is like the weather, you can't do anything about it so you might as well lay back and enjoy it - paraphrase of Clayton Williams --bill
Re: Collocation Access
On Mon, Oct 23, 2006 at 14:26:53PM -0500, Stasiniewicz, Adam wrote: That is true for strip card (credit card style) and simple prox cards. But what I have been seeing more often is that companies are using the smart card and wireless smart card variety for high security areas. So instead of having a card that will always return the same value (making it easy to duplicate) the smart cards will use good old fashion PKI to mutually authenticate the card to the reader and the reader to the card. This way, the card won't give out its security information until the card reader is verified to be a legit member of the security system. In However, speaking of smart (non-simple-proximity) card security: Linkname: Researchers See Privacy Pitfalls in No-Swipe Credit Cards - New York Times URL: http://www.nytimes.com/2006/10/23/business/23card.html?ex=1319256000en=5ecec83b0ac06bd8ei=5088partner=rssnytemc=rss -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Warren Kumari Sent: Monday, October 23, 2006 1:34 PM [ mild snippage ] These are trivial to clone -- all you need is a reader hooked up to a PC and you can read the number off the card. You can then buy a batch of -- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
Re: Collocation Access
On Mon, Oct 23, 2006 at 03:06:57PM -0400, Marshall Eubanks wrote: I once was going to a meeting at a colo in Tysons Corner, which will remain nameless (but you would know it). Like most of them, it wasn't well marked, and we couldn't find it. Three of us wound up walking through an open door on the loading dock and onto the colo floor with no checks what-so-ever. We finally met somebody, asked where so-and-so's office was, and (after a very odd look) were told to go out again, walk around the building and go through security. But, I always thought that the purpose of most security was psychological reassurance anyway... Regards Marshall If it's the one I'm thinking of, they closed it and moved everything out to Ashburn for just that reason - insufficient security. [I had worked in that building decades before they moved in, and it was NOT designed with a data center in mind.] -- Joe Yao --- This message is not an official statement of OSIS Center policies.
RE: Collocation Access
At 1:07 PM -0400 10/23/06, Alex Rubenstein wrote: What I've never understood is, that, how a gov't issue ID (for the purposes of allowing entry) is of any use whatsoever. It's not as if someone is doing a instand background check to know if the person is a criminal, or wanted, or whatever. It's trivial to forge a gov't ID. I'll disagree; it's rather challenging to create a state drivers license or state ID card which will also pass third-party database verification. Hence, a requirement for such an ID supplied in advance with enough time to verify it provides a very solid basis of identification. (As smb noted, it says nothing at all about authorization, but that's a different problem which one can address after you have a high enough certainty for identification). /John
Re: Collocation Access
On Mon, 2006-10-23 at 18:57 +0100, Roland Perry wrote: But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected? I've been in and out of several colos that require you to leave your ID (passport/DL, and business card) up at the front desk throughout your visit. This could be for hours, or even for the whole day. During that time I imagine my ID could have been photocopied, transcribed, photographed, etc, without me ever knowing. -Jim P.
RE: Collocation Access
Surprisingly on a recent visit to a large co-location facility I was required to leave my ID with the security staff at the front desk in exchange for a visitor's pass, for the entire time I was in the facility. Normally I would not have an issue with this, but any outside visitors are shadowed by an employee of the facility the entire time they are in the facility as well. It seems as though at this point there is little need for security to maintain control of the ID, again which could possibly leave it open to various activities already mentioned by some others. Nick Thompson -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roland Perry Sent: Monday, October 23, 2006 3:41 PM To: nanog@merit.edu Subject: Re: Collocation Access In article [EMAIL PROTECTED], John A. Kilpatrick [EMAIL PROTECTED] writes In fact he did have an ATT badge which he was not allowed to hand over either. The fellow I chatted with at ATT said they are not allowed to hand over their badge because it would compromise their security. My tech said the same thing. That keycard could grant central office access so he couldn't surrender it. I have to admit (now I've been sent some information off-list) that I didn't realise the co-lo security were holding onto the badge (or access card or whatever) the whole time the tech was on the premises. Yes, that would give more opportunities for bad things to happen. In many years of gaining access to secured buildings I've only ever had that happen once (passport exchanged for a visitor's pass, and back again at the end of the day). -- Roland Perry
RE: Collocation Access
On Mon, 23 Oct 2006, Nick Thompson wrote: It seems as though at this point there is little need for security to maintain control of the ID, again which could possibly leave it open to various activities already mentioned by some others. My impression is that the requirement to leave ID at the security desk is generally to provide an incentive to return the visitor badge at the end of the visit, rather than for any further verification of identity. Requiring deposits of car keys, transit passes, shoes (for those parts of the world where shoes are removed in datacenters out of respect for the routers), winter coats, or other articles necessary for leaving the datacenter might be even more effective. -Steve
Re: Collocation Access
On Mon, Oct 23, 2006 at 01:07:56PM -0400, Alex Rubenstein wrote: [snip] What I've never understood is, that, how a gov't issue ID (for the purposes of allowing entry) is of any use whatsoever. No matter how easy to forge, *requiring* them raises the risk/reward bar. Penalties for forging Q Random Company ID are less than those related to forging government issue IDs. Of course, it moves the bad guys' gamble to 'will there be a rent-a-cop that doesn't check the ID book or have they installed actual lookup facilities'? Cheers, Joe -- [EMAIL PROTECTED] * [EMAIL PROTECTED] RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
RE: Collocation Access
On Mon, 2006-10-23 at 18:57 +0100, Roland Perry wrote: I've been in and out of several colos that require you to leave your ID (passport/DL, and business card) up at the front desk throughout your visit. This could be for hours, or even for the whole day. During that time I imagine my ID could have been photocopied, transcribed, photographed, etc, without me ever knowing. -Jim P. Several states make it illegal to possess another person's driver's license. Many make it illegal to lend your driver's license to someone else or to trade it for something. As for passports, violating 18 USC 1544 for profit is a terrorism offense. Even the guys who rent paddleboats at the lake have learned that it is usually illegal to possess another person's identification. Maybe I've just been lucky, but I've been to some of the most secure facilities in the world, and I've never been asked to allow someone else to retain my passport or driver's license. Possession includes receipt, according to the DOJ. 18 USC 1028 makes it a Federal crime to transfer someone else's identification with intent to violate a state felony statute. This is a minefield. Have companies really run this past their legal departments? DS
RE: Collocation Access
At 12:40 AM 10/24/2006, David Schwartz wrote: On Mon, 2006-10-23 at 18:57 +0100, Roland Perry wrote: I've been in and out of several colos that require you to leave your ID (passport/DL, and business card) up at the front desk throughout your visit. This could be for hours, or even for the whole day. During that time I imagine my ID could have been photocopied, transcribed, photographed, etc, without me ever knowing. -Jim P. Several states make it illegal to possess another person's driver's license. Many make it illegal to lend your driver's license to someone else or to trade it for something. As for passports, violating 18 USC 1544 for profit is a terrorism offense. Even the guys who rent paddleboats at the lake have learned that it is usually illegal to possess another person's identification. Maybe I've just been lucky, but I've been to some of the most secure facilities in the world, and I've never been asked to allow someone else to retain my passport or driver's license. Possession includes receipt, according to the DOJ. 18 USC 1028 makes it a Federal crime to transfer someone else's identification with intent to violate a state felony statute. This is a minefield. Have companies really run this past their legal departments? From what I've seen, there's a complete lack of awareness of the risks associated with retention of identification or information. I even had a long argument with the local US Post Office, who wanted to record numbers from two forms of ID in order for me to retain my PO Box. Their claim was that postal inspection service requires it. I objected due to my local postoffice storing this information on index cards which all employees of the post office can access. While I understand the postal inspection service's interest in being able to track down box holders, I asked the postmaster if he'd sign a document accepting personal responsibility if the information was released or used by any of his employees. I think it's time to show up with such a statemant of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought.
