RE: Collocation Access

Is it enough of a problem, network operators would be interested in
publishing some Practical Common Practices (I hesitate to call it a BCP)
collocation facilities could follow for some common access control
scenarios? Tenant access, pre-screened carrier, unscreened vendor, etc.

  i can see the reg headline now... ISPs and BOFH's now pushing PCP!

http://www.ncs.gov/nstac/reports/2005/Final%20TATF%20Report%2004-25-05.pdf

I wouldn't be surprised if most co-lo's don't actually have good reasons
why they do some things, and if presented with a reasonable industry
agreed practice, would adopt it.

  colo's live/die based on paying customers. getting input from
  customers is not a bad idea. tempering customer feedback w/
  legal and liability concerns is always a trick.

--bill

Edward Lewis wrote:

But, I always thought that the purpose of most security was psychological
reassurance anyway...

Reacting to this and the story of just walking through the backdoor to get in -

I think there's an element of self-fulfilling prophecy here. If the

Classical NANOG OT thread. Can't resist.

There is no doubt about it. 90% of security systems that were introduced following September 11 are knee jerk reactions to the threat of terrorism.

Especially when implemented by the private sector.

Case in point.

Pre 9/11, in WTC, you had to wait in line at the lobby and show ID and be issued a visitor badge with your picture taken and stored and/or be escorted up.

This was a knee jerk reaction to the previous bombings. (As if car bombs in the garage have something to do with ID passes in the lobby)

We all know what happens next. Very effective security if you ask me. They couldn't get in through the lobby, so.....

Entry to 7WTC now requires.....bag searches.

The conspiracy theory states that people simply like to pretend that they are in control. That it is just a power trip.

Funny, entry to the crowded streets of Manhattan requires.....nothing.

The only legit reason to take down people's ID is to discourage theft/vandalism. And in an ideal world, we would be as concerned with the building's privacy policy as we are with our online web vendors.

And judging by timing, that was not their intention.

Security by its nature is not fun, not productive, a drain on
resources and time. Security is something we need only because there
are bad things out there - nefarious activity, inadvertent neglect,
design flaws, etc. At best you have to "put up with security," don't
expect to enjoy it.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

  "[Security] is like the weather, you can't do anything about it
  so you might as well lay back and enjoy it" - paraphrase of Clayton Williams

--bill

That is true for strip card (credit card style) and simple prox cards.
But what I have been seeing more often is that companies are using the
smart card and wireless smart card variety for high security areas. So
instead of having a card that will always return the same value (making
it easy to duplicate) the smart cards will use good old-fashioned PKI to
mutually authenticate the card to the reader and the reader to the card.
This way, the card won't give out its security information until the
card reader is verified to be a legit member of the security system. In

However, speaking of smart (non-simple-proximity) card security:

   Linkname: Researchers See Privacy Pitfalls in No-Swipe Credit Cards - New York Times
   URL: http://www.nytimes.com/2006/10/23/business/23card.html?ex=1319256000&en=5ecec83b0ac06bd8&ei=5088&partner=rssnyt&emc=rss

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Warren Kumari
Sent: Monday, October 23, 2006 1:34 PM

[ mild snippage ]

If it's the one I'm thinking of, they closed it and moved everything out
to Ashburn for just that reason - insufficient security. [I had worked
in that building decades before they moved in, and it was NOT designed
with a data center in mind.]

Several states make it illegal to possess another person's driver's license.
Many make it illegal to lend your driver's license to someone else or to
trade it for something. As for passports, violating 18 USC 1544 for profit
is a terrorism offense.

Even the guys who rent paddleboats at the lake have learned that it is
usually illegal to possess another person's identification.

Maybe I've just been lucky, but I've been to some of the most secure
facilities in the world, and I've never been asked to allow someone else to
retain my passport or driver's license.

Possession includes receipt, according to the DOJ. 18 USC 1028 makes it a
Federal crime to transfer someone else's identification with intent to
violate a state felony statute.

This is a minefield. Have companies really run this past their legal
departments?

DS

From what I've seen, there's a complete lack of awareness of the risks associated with retention of identification or information. I even had a long argument with the local US Post Office, who wanted to record numbers from two forms of ID in order for me to retain my PO Box. Their claim was that postal inspection service requires it. I objected due to my local post office storing this information on index cards which all employees of the post office can access. While I understand the postal inspection service's interest in being able to track down box holders, I asked the postmaster if he'd sign a document accepting personal responsibility if the information was released or used by any of his employees.

I think it's time to show up with such a statement of acceptance of liability whenever asked for such information. I have to wonder if company lawyers would then give it some thought.

Sean, I agree on "industry agreed practice", yet simply can not understand
why colos that have lacking physical security are our concerns. Obviously
they need professional security help.

As most of them don't take care of data security, which us bunch actually
understand, how can we get them to care about physical security?

It's beyond our scope, but I'm game on helping this happen if you feel it
would make a difference.

  Gadi.

From what I've seen, there's a complete lack of awareness of the
risks associated with retention of identification or information. I
even had a long argument with the local US Post Office, who wanted to
record numbers from two forms of ID in order for me to retain my PO
Box. Their claim was that postal inspection service requires it. I
objected due to my local post office storing this information on index
cards which all employees of the post office can access. While I
understand the postal inspection service's interest in being able to
track down box holders, I asked the postmaster if he'd sign a
document accepting personal responsibility if the information was
released or used by any of his employees.

  .. and how did that go?

I think it's time to show up with such a statement of acceptance of
liability whenever asked for such information. I have to wonder if
company lawyers would then give it some thought.

  Being recently on a large, well known military station, the opposite
happened to me. While yes, when originally being vetted I had to supply
certain information that most would cringe at supplying, when onsite I was
asked for two forms of government issued identification (I chose driver's
license and passport) which was just reviewed (not copied), immediately
handed back to me and then asked to pose for a picture and signed an
electronic pad. A minute later I was handed a new government issued ID.
During my stay, I had the need to access certain restricted areas. As I
entered restricted area buildings, I was handed a restricted area badge to
wear over my new picture ID to let people know immediately what areas I had
access to (the alternative is shoot first, ask questions later; I'll pass,
thanks).

  On the other hand, I've visited many data centers, collocation facilities,
and even foreign military bases (both US and others), and since AT&T sparked
this conversation, I've actually been to nearly 40 of their facilities
throughout the US. In recent memory, I can think of two large collocation
centers that retain your ID. One is in Miami and one in New York (I don't
think I need to name names, most of you know to which I refer). All others
(including AT&T) have never asked to retain my ID.

  I'm not exactly sure why these sites want to retain ID, but I think it
goes along with the big weight that is connected to the gas station bathroom
key. They want to make sure you return your cabinet keys (if any),
temporary pass (if any), etc. Legal risk or not, can you think of a better
way to get someone to return to the security desk to sign out? Until then,
these sites will continue this practice.

Randy

Is it enough of a problem, network operators would be interested in publishing some Practical Common Practices (I hesitate to call it a BCP)
collocation facilities could follow for some common access control scenarios? Tenant access, pre-screened carrier, unscreened vendor, etc.

It's something which is being looked at in the UK right now as well (as LLU expands, as well as non-PTT/CO housing locations).

So, I think it's probably worth doing, and maybe try to harmonise as much as possible internationally, so that we don't have the ID "xenophobia" Joa alluded to.

I wouldn't be surprised if most co-lo's don't actually have good reasons why they do some things, and if presented with a reasonable industry agreed practice, would adopt it.

Totally agree with that assertion. Some just do things because it seemed like the right thing to do at the time, and the history of "why?" is often lost along the way, so that when someone challenges it later, no one can substantiate why the rule exists.

Cheers,
Mike

  I'm not exactly sure why these sites want to retain ID, but I think it
goes along with the big weight that is connected to the gas station bathroom
key. They want to make sure you return your cabinet keys (if any),
temporary pass (if any), etc. Legal risk or not, can you think of a better
way to get someone to return to the security desk to sign out? Until then,
these sites will continue this practice.

a) cash deposit
b) heavy weight attached to cabinet keys and temporary pass
c) bulky object attached to cabinet keys and temporary pass

In high school, our "data centre" keys were attached to a few
links of chain bolted onto a chunk of 2 x 4. I never mislaid them.

I remember at least one place where I received a plastic card key
similarly attached to a few links of chain welded to a broken
wrench. Why couldn't ID cards be treated the same way?

For that matter, in these days of RFID badges, why can't colo
centers issue "magic wands", 3 foot long rods tipped with an
embedded RFID tag? They would not fit in pockets or briefcases
etc. They would function identically to the RFID tags embedded
in credit-card sized plastic but they would never "get lost".

Perhaps what we have here is another "failure of imagination"
like the one cited in the 9/11 report.

--Michael Dillon

Certainly in the UK, the co-lo security staff employed at Telehouse Europe are properly accredited and licensed by the UK SIA - http://www.the-sia.org.uk/home - and have to visibly wear their SIA license card while on duty (along with their company ID).

Telehouse's access and security procedures seem to just work these days, certainly from my experience. So, training and accreditation seems to have worked here.

I don't know if other co-lo's in the UK comply to this, as in some cases, if the "front door" security is often being provided by a NOC tech rather than a dedicated guard so then there is probably some get out anyway.

Cheers,
Mike

In article <00bd01c6f753$ac542620$3401a8c0@D3M1BS91>, Randy Epstein <repstein@chello.at> writes

I'm not exactly sure why these sites want to retain ID, but I think it
goes along with the big weight that is connected to the gas station bathroom
key. They want to make sure you return your cabinet keys (if any),
temporary pass (if any), etc. Legal risk or not, can you think of a better
way to get someone to return to the security desk to sign out?

Ask for a $100 deposit in cash?

In recent memory, I can think of two large collocation
centers that retain your ID. One is in Miami and one in New York (I don't
think I need to name names, most of you know to which I refer). All others
(including AT&T) have never asked to retain my ID.

Then you broke the law, assuming you had a Florida license and you presented
it to the Miami facility.

Florida law, Title 13 section 322.32(2), "Unlawful use of license" says
"[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend
his or her driver's license to any other person or knowingly permit the use
thereof by another."

DS

Hmmm, I read quite a bit of difference between "retain your ID" and "permit
the use of" - maybe one of us is reading something that isn't there. Quite a
few places "retain" your ID while you are on the premises, to include places
"holding" your passport while you are there, etc, etc...

Then you broke the law, assuming you had a Florida license and you
presented to the Miami facility.

Actually, I handed them an Austrian license. Maybe I violated some EU
directive!

DS

Randy

In article <MDEHLPKNGKAHNMBLJOLKOEKPPEAB.davids@webmaster.com>, David Schwartz <davids@webmaster.com> writes

Florida law, Title 13 section 322.32(2), "Unlawful use of license" says
"[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend
his or her driver's license to any other person or knowingly permit the use
thereof by another."

Use as *what*? I allowed liquor stores to "use" my licence to prove I was over 21. There were even signs which suggested this was compulsory. And while they were "using" it like that, had I "lent" it to them, or does some other verb more accurately describe the situation?

> Then you broke the law, assuming you had a Florida license and you
> presented it to the Miami facility.
>
> Florida law, Title 13 section 322.32(2), "Unlawful use of license" says
> "[i]t is a misdemeanor of the second degree ... for any person ... [t]o
> lend his or her driver's license to any other person or knowingly permit
> the use thereof by another."

Hmmm, I read quite a bit of difference between "retain your ID" and "permit
the use of" - maybe one of us is reading something that isn't there.

Intentionally receiving a document is usually sufficient to establish
possession. Some statutes say "possess", some say "use", some say use for
specific purposes. If they say "possess", you're definitely potentially
screwed -- if you ask for it and receive it, you possess it. If they say,
"use for purposes of ", then you're definitely safe (since you're
probably not using it for any of the prohibited purposes).

If the statute just says "use", then ask a lawyer. Use is more than
possession, but it's not clear exactly how much more. With luck, rational
courts will hold that "use" means to use it as a means of identification and
you'll be okay.

This Florida statute makes it a crime to "lend" your driver's license to any
other person (punishable by up to 60 days in jail). I can't imagine how
permitting someone to retain something temporarily does not constitute
lending, but I suppose courts might hold that unless you use it, I haven't
really lent it to you.

This is murky stuff, definitely not someplace you want to go without talking
to a lawyer.

If you possess or transfer any government-issued identify document without
lawful authority in order to facilitate any violation of Federal law, 18 USC
1028(a)(7) puts you in jail for a very long time. Are you getting into that
facility to facilitate breaking some obscure intellectual property or
electronic privacy law?

Quite a few places "retain" your ID while you are on the premises, to include
places "holding" your passport while you are there, etc, etc...

In that case, they definitely possess it, you probably lent it to them, and
they may or may not be using it. Read your laws carefully.

Some jurisdictions really do make it a crime to possess someone else's
official identification. Receiving something intentionally usually is
sufficient to establish possession.

IANAL.

DS

That statute deals with someone else _using_ my license, but in no way
implies that my license can't be _held_ by someone else. The title
clearly states "use". ;-)

-Jim P.

Florida law, Title 13 section 322.32(2), "Unlawful use of license" says
"[i]t is a misdemeanor of the second degree ... for any person ... [t]o lend
his or her driver's license to any other person or knowingly permit the use
thereof by another."

That statute deals with someone else _using_ my license, but in no way
implies that my license can't be _held_ by someone else. The title
clearly states "use". ;-)

The definition of "use" may be very key, as others have pointed out:

  - They are "using" it for collateral.
  - They are "using" it to keep track of who is in their facility at any given time in a manner convenient to them
  
Also, in English this sentence is parsed as:

  ( condition_1 ) OR ( condition_2 )
  
which would mean

  ( you lend ) OR ( you permit the use of )

which then asks "what's the definition of 'lend'"? Merriam-Webster includes among its many definitions, "to put at another's temporary disposal," which it certainly seems would apply, as the ID *is* at their disposal temporarily.

So don't kid yourself that it's really all that clear-cut.... Get a lawyer. :-)

Cheers,
D