On 26/12/2023, 13:21:18, "Christopher Hawker" <[email protected]> wrote:

> If "paying money is usually a good enough sign of being legit" for the
> purpose of ordering a cross-connect, then one needs to significantly
> consider the security and processes of their network and their DC
> provider's operations. I'd never use a DC provider who would accept cash
> as proof of a cross-connect request being legitimate.

But you do accept a letter provided by the attacker and not confirmed by
the victim? To me one is no more trustworthy than the other.

I prefer instead the Z confirms by email/portal method; if you want
security, then it needs to involve the victim and give them an opportunity
to defend.

You already trust cash as proof of legitimacy, allowing an attacker to
enter the facility and gain access to the area around your rack where they
could connect to your equipment with less chance of anyone knowing who did
it.

Ordering an xcon puts on record who did it (or was compromised to enable
it) and puts their DC presence at stake if found out, so they are staking
everything on that one attack; if you are worth that, you probably need
more than a LOA to defend you.

> Further, a DC operator should never be accepting and processing an order
> for a cross-connect without confirming the request with the Z-side. That's
> just common netsec process, and I'd be highly surprised if it were not.

Agreed, if they bothered confirming then the LOA would not be needed.

brandon
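As an added illustration of the "Z confirms by email/portal" workflow discussed in the thread (example code written for this page, not from the thread, NANOG, or any DC operator's ticketing system): a cross-connect order that arrives with an A-side LOA is parked until the Z-side contact the DC already holds on record returns a confirmation token bound to that order. The LOA is recorded but never treated as authorisation on its own, and the confirmation window expires. The class and method names, the token construction, the 72-hour window and the sample racks and contacts are all assumptions made for the example.

```python
"""Added example: minimal model of a cross-connect desk that requires
Z-side confirmation before an order is executed. Not from the thread;
all names, the token scheme and the policy values are assumptions."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

CONFIRM_WINDOW = timedelta(hours=72)  # assumed policy: how long Z has to answer


class OrderError(Exception):
    pass


class CrossConnectDesk:
    def __init__(self, server_secret, contacts_of_record):
        # contacts_of_record maps rack id -> contact captured at onboarding.
        # It is deliberately separate from anything written on the order form,
        # so the requester cannot nominate who gets asked to confirm.
        self._secret = server_secret
        self._contacts = contacts_of_record
        self._orders = {}
        self.outbox = []  # (recipient, message) pairs standing in for email/portal

    def _token(self, order_id, z_side_rack):
        # Token is an HMAC over the order id and Z rack; only the desk can mint it,
        # and it is only ever sent to the Z-side contact of record.
        msg = f"{order_id}|{z_side_rack}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def submit(self, order_id, a_side_rack, z_side_rack, loa_text, now):
        """Record the request and notify Z; the LOA is filed, not acted on."""
        if z_side_rack not in self._contacts:
            raise OrderError("unknown Z-side rack")
        self._orders[order_id] = {
            "a": a_side_rack,
            "z": z_side_rack,
            "loa": loa_text,
            "state": "pending_z_confirmation",
            "expires": now + CONFIRM_WINDOW,
        }
        token = self._token(order_id, z_side_rack)
        self.outbox.append(
            (self._contacts[z_side_rack], f"confirm cross-connect {order_id}: {token}")
        )
        return token  # returned here only so a caller can simulate Z replying

    def confirm(self, order_id, presented_token, now):
        """Z-side answers. Wrong tokens leave the order pending; late ones expire it."""
        order = self._orders[order_id]
        if order["state"] != "pending_z_confirmation":
            raise OrderError(f"order is {order['state']}")
        if now > order["expires"]:
            order["state"] = "expired"
            raise OrderError("confirmation window elapsed; resubmit required")
        expected = self._token(order_id, order["z"])
        if not hmac.compare_digest(presented_token, expected):
            raise OrderError("token mismatch; Z-side has not authorised this order")
        order["state"] = "approved"
        return True

    def execute(self, order_id):
        """Only an approved order reaches the patch technician."""
        order = self._orders[order_id]
        if order["state"] != "approved":
            raise OrderError(
                f"refusing to patch: order is {order['state']}; an LOA alone is not authorisation"
            )
        order["state"] = "completed"
        return (order["a"], order["z"])

    def state(self, order_id):
        return self._orders[order_id]["state"]


if __name__ == "__main__":
    # Constructed sample data: two racks with contacts captured at onboarding.
    desk = CrossConnectDesk(b"desk-secret-demo", {"R1": "a-side@example", "R2": "z-side@example"})
    t0 = datetime(2023, 12, 26, 13, 0, tzinfo=timezone.utc)
    tok = desk.submit("XC-1", "R1", "R2", "LOA supplied by requester", t0)
    print(desk.state("XC-1"), desk.outbox[-1][0])  # pending_z_confirmation z-side@example
    desk.confirm("XC-1", tok, t0 + timedelta(hours=2))
    print(desk.execute("XC-1"))  # ('R1', 'R2')
```

The point of the model is the separation of channels: the requester supplies the LOA, but the only party who can move the order to `approved` is whoever receives mail at the Z-side address the DC captured at onboarding, and that confirmation is cryptographically tied to one order id and one Z rack.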