RE: Collocation Access

Is this some new trend or have I just gotten lucky in the
past? Wouldn't someone like AT&T be better served by giving
their employees some company issued ID that they can submit
to secure facilities? I know it wouldn't be government

I am shocked that the ATT employee did not have an ATT ID.

In our facilities, we require all visiting telcos to produce company
identification, and between telcove/level 3, Verizon, MCI, and several
others, we have never had an issue.

I'd be a bit more suspicious that he didn't have ATT ID.

Alex Rubenstein wrote:

Craig Holland wrote:

Is this some new trend or have I just gotten lucky in the past? Wouldn't someone like AT&T be better served by giving their employees some company issued ID that they can submit to secure facilities? I know it wouldn't be government issued, but would at
least be a step in the right direction.

I'm a little surprised by all this, truthfully. I *know* that AT&T has to work inside certain facilities that are government run, and they are *required* to provide government issued ID, company issued ID, and social security number (really!) at a minimum. They must also state whether or not they are a US citizen, and if not, what country they hold citizenship in.

I am shocked that the ATT employee did not have an ATT ID. In our facilities, we require all visiting telcos to produce company identification, and between telcove/level 3, Verizon, MCI, and several others, we have never had an issue. I'd be a bit more suspicious that he didn't have ATT ID.

Me too. In my former life, I was involved with such requirements (but only at what the fedgov lovingly refers to as contractor sites), and we always had the alternative for anyone objecting to our requirements for ID. No problem. They could just sit in the lobby (or outside) and wait. I used to object to our method of gathering social security numbers (since it was on a form that anyone adding a name could see), but I can tell you that it was much more onerous than your standard telco.

Alex Rubenstein wrote:

I am shocked that the ATT employee did not have an ATT ID.

In our facilities, we require all visiting telcos to produce company
identification, and between telcove/level 3, Verizon, MCI, and several
others, we have never had an issue.

I'd be a bit more suspicious that he didn't have ATT ID.

He may have indeed had ATT ID. But the colo security people wanted a government ID. "Company" ID is relatively meaningless and trivially forged, particularly for small values of "company". If I were to show up in a truck with "Jay's Telco" on the side, produce "Jay's Telco" ID, and refuse to show a driver's license or government ID I would expect datacenter security to be a bit suspicious. Why should AT&T be treated any differently?

In fact he did have an AT&T badge which he was not allowed to hand over
either. The fellow I chatted with at AT&T said they are not allowed to
hand over their badge because it would compromise their security. I'm
assuming the badge was of the keycard variety. My thought was that they
could have an AT&T id of some sort that was specifically used for this
kind of access; one that is not a keycard and doesn't have any
proprietary information on it that would make their security people
uncomfortable if it was handed over at a collocation.

craig

My tech said the same thing. That keycard could grant central office access so he couldn't surrender it.

In article <453CF993.9020002@deaddrop.org>, Etaoin Shrdlu <shrdlu@deaddrop.org> writes

I used to object to our method of gathering social security numbers (since it was on a form that anyone adding a name could see)

Now that you need a Social Security number to get a US Drivers licence (and I doubt many telco engineers walk to work), would the traceability issues be satisfied by taking the details from one of those? I assume the Feds can ask the State which SSN goes with which DL, if the need arises.

In article <9FA71E73BF462E4C96C3A9C074D50F7093BDE5@DHOST001-39.DEX001.intermedia.net>, Craig Holland <cholland@rnmd.net> writes

The fellow I chatted with at AT&T said they are not allowed to
hand over their badge because it would compromise their security.

Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers.

In article <20061023103731.W56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes

The fellow I chatted with at AT&T said they are not allowed to
hand over their badge because it would compromise their security.

My tech said the same thing. That keycard could grant central office access

On its own? No keycode or anything. What if he lost it?

so he couldn't surrender it.

But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected?

That's quite likely accurate. My AT&T badge let me in via unattended
entrances at a variety of facilities; I'd expect that a tech's badge would
indeed work for many COs.

A better answer is for the COLO management to supply a number, on
request, to tenants; they'd pass this number on to their supplier, for
one-time use by the tech.

A government-issued ID (at most) proves your identity; it says nothing
about your authorization to be somewhere. A company-issued ID (at most)
proves that you work for some company that may or may not (a) be present
at the COLO, and (b) may or may not be there for legitimate reasons.
What's necessary here is *permission*.

    --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
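The "number supplied by the COLO for one-time use by the tech" that the post above sketches is an authorization token rather than an identity check. The following is an added example, not code from the list or from any colo operator, of how such a desk register could behave: the tenant asks the colo for a code, forwards it to the supplier, and the tech presents it at the desk, where it is checked for existence, visit window, expected supplier, and single use before being burned. The `FrontDesk` and `VisitGrant` names, the 8-digit code format and the visit window are all assumptions made for the illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class VisitGrant:
    tenant: str            # the colo customer who requested the visit
    supplier: str          # the carrier/vendor the tenant is expecting
    not_before: datetime
    not_after: datetime
    used: bool = False


def _digest(code: str) -> str:
    # Only a hash is kept at the desk, so a photocopied desk list does not yield usable codes.
    return hashlib.sha256(code.encode()).hexdigest()


class FrontDesk:
    """Hypothetical colo front-desk register for one-time visit codes (assumed design)."""

    def __init__(self) -> None:
        self._grants: dict[str, VisitGrant] = {}
        self.log: list[str] = []

    def issue(self, tenant: str, supplier: str, now: datetime, window: timedelta) -> str:
        """Tenant requests a code; the colo hands it back for the tenant to pass to the supplier."""
        code = f"{secrets.randbelow(10**8):08d}"   # 8 digits: easy to read out over the phone
        self._grants[_digest(code)] = VisitGrant(tenant, supplier, now, now + window)
        self.log.append(f"{now.isoformat()} issued code for {tenant} (expecting {supplier})")
        return code

    def admit(self, code: str, supplier_claimed: str, now: datetime) -> tuple[bool, str]:
        """The tech presents the code and names their employer; returns (admitted, reason)."""
        grant = self._grants.get(_digest(code))
        if grant is None:
            verdict = (False, "no such code")
        elif grant.used:
            verdict = (False, "code already used")
        elif not (grant.not_before <= now <= grant.not_after):
            verdict = (False, "outside visit window")
        elif supplier_claimed != grant.supplier:
            verdict = (False, f"tenant is expecting {grant.supplier}, not {supplier_claimed}")
        else:
            grant.used = True  # single use: the code is consumed on the way in
            verdict = (True, f"admit to {grant.tenant}'s space")
        # Accounting: every attempt, admitted or not, lands in the desk log
        self.log.append(f"{now.isoformat()} {supplier_claimed!r} code ending {code[-2:]}: {verdict[1]}")
        return verdict


if __name__ == "__main__":
    # Constructed walk-through: one visit code, used once, then refused on reuse.
    desk = FrontDesk()
    t0 = datetime(2006, 10, 23, 9, 0)
    code = desk.issue("Tenant A", "AT&T", t0, timedelta(hours=8))
    print(desk.admit(code, "AT&T", t0 + timedelta(hours=1)))
    print(desk.admit(code, "AT&T", t0 + timedelta(hours=2)))
    print("\n".join(desk.log))
```

Note that the code never replaces the identity check: the desk still wants to know who walked in, but the code is what ties that person to a tenant's request, which is the *permission* the post says is missing.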

Roland Perry wrote:

In article <9FA71E73BF462E4C96C3A9C074D50F7093BDE5@DHOST001-39.DEX001.intermedia.net>, Craig Holland <cholland@rnmd.net> writes

The fellow I chatted with at AT&T said they are not allowed to
hand over their badge because it would compromise their security.

Sounds to me like NSTAC ought to be worried about a scheme to accredit co-lo operator security staff, as well as the visiting telco engineers.

So what's next....

http://www.verichipcorp.com/

I recall back in the days of Exodus in Jersey City I walked in to go kick a Sun machine in one of the cages for a company I worked for. I had previously worked at a company that also had a cage there and had been to the Jersey City colo facility quite a few times. Anyhow when I went in they pulled up the keys for my prior company after giving them my ID. I stated "No, I no longer work there." They gave me the correct key but a "Hello My Name Is" tag with my former company. Funny...

While your point is valid, arguing something like that with an AT&T tech would be like arguing with the TSA. Logic and reasoning are of no value in the conversation. The policy is the policy and you deal with it.

The ID is just Authentication. Authorization and Accounting are handled by other procedures implemented by the colo security droids.

In article <20061023103731.W56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes

The fellow I chatted with at AT&T said they are not allowed to
hand over their badge because it would compromise their security.

My tech said the same thing. That keycard could grant central office access

On its own? No keycode or anything. What if he lost it?

so he couldn't surrender it.

But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected?

These are trivial to clone -- all you need is a reader hooked up to a PC and you can read the number off the card. You can then buy a batch of cards that cover the serial numbers that you are interested in (no, I don't really understand WHY you can buy numbered ranges, but you can...)

The other alternative is something like: A Test Instrument for HF/LF RFID
This device will read and clone a large number of proximity cards -- you don't even need real access to the card, all you need to do is brush up against the cardholder with the antenna concealed in your pocket....

I once was going to a meeting at a colo in Tysons Corner, which will remain nameless (but you would know it).

Like most of them, it wasn't well marked, and we couldn't find it. Three of us wound up walking through an open door on the loading dock and onto the colo floor with no checks whatsoever. We finally met somebody, asked where so-and-so's office was, and (after a very odd look) were told to go out again, walk around the building and go through security.

But, I always thought that the purpose of most security was psychological reassurance anyway...

Regards
Marshall

That is true for strip card (credit card style) and simple prox cards.
But what I have been seeing more often is that companies are using the
smart card and wireless smart card variety for high security areas. So
instead of having a card that will always return the same value (making
it easy to duplicate) the smart cards will use good old-fashioned PKI to
mutually authenticate the card to the reader and the reader to the card.
This way, the card won't give out its security information until the
card reader is verified to be a legit member of the security system. In
addition to this, I am seeing a push to go with 2 factor authentication,
so you need the card plus some sort of biometrics. This way, if you
lose the card, it is useless unless the criminal also managed to chop
off your thumb.

But if you are AT&T and have spent millions of dollars on equipping all
your COs with swipe readers because you got sick of having to rekey the
locks every time someone lost a key; so when stuck with the choice of
replacing all of your COs' security equipment with something more
secure, or creating blanket policies, creating a policy is cheaper.

My $.02
Adam Stasiniewicz
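The contrast drawn in the two posts above (a card that "will always return the same value" versus one that mutually authenticates with the reader and stays silent until the reader proves itself) can be shown in a small simulation. This is an added example, not code from the thread or from any card vendor; the classes, the message sequence and the use of a per-card HMAC key are assumptions made to keep it dependency-free, standing in for the PKI-based mutual authentication Adam describes. The `replay_test` function runs one genuine session through a tap and then replays the card's half of it against the same reader, which is the defender's check of whether a credential is merely copyable.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Keyed tag over the exchange; a stand-in for the card/reader PKI handshake
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class StaticCard:
    """A plain proximity card: it answers every interrogation with the same identifier."""
    def __init__(self, card_id: bytes) -> None:
        self.card_id = card_id

    def begin(self, reader_nonce: bytes) -> bytes:
        return self.card_id      # the reader's nonce is ignored; nothing binds the reply to it

    def finish(self, reader_tag: bytes):
        return None              # a static card has no second step


class StaticReader:
    """Admits any card whose emitted identifier is on the enrolled list."""
    def __init__(self, enrolled: set[bytes]) -> None:
        self.enrolled = enrolled

    def check(self, card) -> bool:
        return card.begin(secrets.token_bytes(16)) in self.enrolled


class SmartCard:
    """Mutually authenticating card holding a per-card key shared with the access system (assumed)."""
    def __init__(self, card_id: bytes, key: bytes) -> None:
        self.card_id, self._key = card_id, key
        self._reader_nonce = self._card_nonce = b""

    def begin(self, reader_nonce: bytes) -> tuple[bytes, bytes]:
        self._reader_nonce, self._card_nonce = reader_nonce, secrets.token_bytes(16)
        return self.card_id, self._card_nonce

    def finish(self, reader_tag: bytes):
        """Release the card's own proof only after the reader has proven it holds the key."""
        expected = _mac(self._key, b"reader", self._card_nonce, self._reader_nonce, self.card_id)
        if not hmac.compare_digest(reader_tag, expected):
            return None          # unknown reader: the card gives out nothing further
        return _mac(self._key, b"card", self._reader_nonce, self._card_nonce, self.card_id)


class SmartReader:
    """Reader enrolled in the system: knows each card's key and proves it before asking for proof."""
    def __init__(self, keys: dict[bytes, bytes]) -> None:
        self.keys = keys

    def check(self, card) -> bool:
        reader_nonce = secrets.token_bytes(16)
        card_id, card_nonce = card.begin(reader_nonce)
        key = self.keys.get(card_id)
        if key is None:
            return False
        reader_tag = _mac(key, b"reader", card_nonce, reader_nonce, card_id)
        card_tag = card.finish(reader_tag)
        expected = _mac(key, b"card", reader_nonce, card_nonce, card_id)
        return card_tag is not None and hmac.compare_digest(card_tag, expected)


class Tapped:
    """Wraps a genuine card and keeps a copy of everything it transmits."""
    def __init__(self, card) -> None:
        self.card, self.messages = card, []

    def begin(self, n):
        self.messages.append(self.card.begin(n)); return self.messages[-1]

    def finish(self, t):
        self.messages.append(self.card.finish(t)); return self.messages[-1]


class Replay:
    """Answers with the recorded messages verbatim, regardless of what the reader sends."""
    def __init__(self, messages) -> None:
        self.messages = list(messages)

    def begin(self, _):
        return self.messages[0]

    def finish(self, _):
        return self.messages[1] if len(self.messages) > 1 else None


def replay_test(reader, card) -> tuple[bool, bool]:
    """(genuine session admitted?, replay of that session admitted?)"""
    tap = Tapped(card)
    genuine = reader.check(tap)
    return genuine, reader.check(Replay(tap.messages))


def rogue_reader_gets_proof(card: SmartCard) -> bool:
    """A reader outside the system (no key) asks the card to talk; True if the card releases its proof."""
    card.begin(secrets.token_bytes(16))
    return card.finish(secrets.token_bytes(32)) is not None
```

Against the `StaticReader`, the replay is admitted exactly as the genuine session was; against the `SmartReader`, the replayed proof was computed over the old reader nonce and fails, and a reader that cannot produce a valid `reader_tag` gets only the card identifier and a fresh nonce, never the proof. The second factor Adam mentions (a PIN or biometric) is a separate check layered on top and is not modelled here.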

I've been in and out of several colos that require you to leave your ID
(passport/DL, and business card) up at the front desk throughout your
visit. This could be for hours, or even for the whole day. During that
time I imagine my ID could have been photocopied, transcribed,
photographed, etc, without me ever knowing.

-Jim P.

But, I always thought that the purpose of most security was psychological
reassurance anyway...

Reacting to this and the story of just walking through the backdoor to get in -

I think there's an element of self-fulfilling prophecy here. If the legitimate "power" users of the security system (i.e., the royal "we/us") don't take it seriously, the security system will be useless against the nefarious element. It might be that the reason security is often so poorly implemented is that the job is often left to the unmotivated or the untrained (or "differently trained" - I mean in a good way). Perhaps these folks realize that their tasks are scoffed at, further lowering their "gruntlement". (As in "disgruntled.")

What would be different if, instead of exploiting the open back door, the open back door is pointed out to the folks responsible for the facility? I don't mean mentioning this to the security guards who may have interests in back doors remaining open and/or just not reported. Whether the door was left open on purpose or not, a guard may lose a job over it - if the facility management took it seriously.

(What would happen if someone actually obeyed the speed limit in the US?)

One personality trait I find strong in this community is that desire to be able to cut through formality and red-tape and to push convention aside. This can be good for quick and productive innovation but at the same time detracts from the importance of the task at hand.

Security by its nature is not fun, not productive, a drain on resources and time. Security is something we need only because there are bad things out there - nefarious activity, inadvertent neglect, design flaws, etc. At best you have to "put up with security," don't expect to enjoy it.

Arguing about any policy with someone hired to follow it is not productive. The hired can't do much about it, and there is no incentive for them to fix their job. At worst they can lose it by wasting time questioning their supervisors. Concerns about policy have to be raised to the level of those who can do something about it and have an incentive to fix it. No one is going to lay out more money for no more revenue if there's no other upside to it, that has to be kept in mind too.

In article <20061023112018.F56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes

But presumably it would need to be stolen. Wouldn't the tech notice that happening... Or is there some way the colo security guy can clone it undetected?

While your point is valid, arguing something like that with an AT&T tech would be like arguing with the TSA. Logic and reasoning are of no value in the conversation. The policy is the policy and you deal with it.

I don't seek to argue it with an individual tech, but with whoever sets the corporate security policy.

Is it enough of a problem that network operators would be interested in publishing some Practical Common Practices (I hesitate to call it a BCP)
collocation facilities could follow for some common access control scenarios? Tenant access, pre-screened carrier, unscreened vendor, etc.

http://www.ncs.gov/nstac/reports/2005/Final%20TATF%20Report%2004-25-05.pdf

I wouldn't be surprised if most co-lo's don't actually have good reasons why they do some things, and if presented with a reasonable industry agreed practice, would adopt it.

In article <20061023103731.W56322@iama.hypergeek.net>, John A. Kilpatrick <john@hypergeek.net> writes

In fact he did have an AT&T badge which he was not allowed to hand over
either. The fellow I chatted with at AT&T said they are not allowed to
hand over their badge because it would compromise their security.

My tech said the same thing. That keycard could grant central office access so he couldn't surrender it.

I have to admit (now I've been sent some information off-list) that I didn't realise the co-lo security were holding onto the "badge" (or access card or whatever) the whole time the tech was on the premises. Yes, that would give more opportunities for bad things to happen. In many years of gaining access to secured buildings I've only ever had that happen once (passport exchanged for a visitor's pass, and back again at the end of the day).