From: Valdis.Kletnieks@vt.edu
Date: Sun, 02 Nov 2003 22:12:20 -0500> You'd think after three previous disruptions, that Qwest would
> have enabled some form of redundancy.Redundancy hell. How about a *PADLOCK*?
You mean that these places aren't even locked? Who has (had) the key?
That'd be the first place I looked.
Oh well... Back to lurk mode.
The article says:
"While the FBI scrambles to find a suspect, KIRO Team 7 Investigators went to
check out security measures at the Qwest routing station.
We walked straight through an unlocked gate, a wide-open door, and then mapped
the interior of the building with our hidden camera. Nobody asked for ID or
questioned our motives.
KIRO Team 7 Investigators then headed to Qwest Corporate Headquarters in
downtown Seattle. Ironically, it was lots tougher getting in there."
Either the KIRO guys are lying through their teeth, or somebody dropped the ball
BIG time. The bio of the guy who wrote it is here;
http://www.kirotv.com/station/1868106/detail.html
Either that's fibs too, or the guy is credible. Draw your own conclusions. 
I wonder has he ever tried walking into the transmission hut next to the
tower of a major broadcast television or radio station? Usually when the
revolution arrives, the first thing you take over is the television and
radio outlets.
The reality is there are a lot of weak points everywhere. Remember, part
of the Internet design is the assumption that individual points of failure
exist everywhere; the goal is to avoid single points of failure. There
were (and are) alternate communication paths in the region, and several
people pointed out during the last couple of attacks their data centers
and Internet connections kept working even while the telephone and cell
phones didn't.
The quesiton isn't so much how someone cut a fiber strand, but why the
failure of a single fiber strand had such an impact on the telephone
service in the region.
"The revolution will NOT be televised
The revolution will not be brought to you by Xerox
In 4 parts without commercial interruptions"
I'm fairly certain that the telco huts or CO's have to accomodate multiple
groups having access, so I'd bet that a padlock probably is a tough sell
Its very interesting that the 'critical infrastructure' has seemingly
loose security on such vital parts.
lets not even begin to talk about American Towers Inc cell
tower and relay facilities
same combo on about 60 towers I know of
security comes down to the "human condition"
its a bitch to remember all those combo's, keep them
updated, or install wiggle wire card readers, bad readers
lost cards, etc.
like current and voltage, we take the path of least resistence.
just like padlocks at Fairfax County Public Schools... all are key #1345
(or where when I went through that system) I assume they do similar things
in most similar situations in the telco world.
There are special latches that accommodate multiple padlocks, where unlocking any one padlock opens the latch. They are routinely used on private gates in remote areas where each property owner (and the local fire department) have individual locks on the gate and opening any one lock allows access.
One such device is shown on here:
<http://www.tayhope.com/mlus.htm>
jc
Indeed many places have multiple padlocks locked together and then
hooked to a chain. Any padlock opened unlocks the chain. This really
only works for chained shut gates, but it's works rather well, and you
can revoke access with the key from an adjacent lock and a pair of
boltcutters.
This is how the cell companies seem to do it around here in East
Michigan, and it seems to work quite well. Point being, they should have
-some- way to lock the place up so not just anyone can waltz in and cut
fibers. It can't really be that hard.
-Paul
The quesiton isn't so much how someone cut a fiber strand, but why the
failure of a single fiber strand had such an impact on the telephone
service in the region.
I'd be willing to bet it wasn't a single "strand". More likely the press or
whoever got it wrong and it was an entire cable or maybe just a tube.
-vb
I'm fairly certain that the telco huts or CO's have to accomodate multiple
groups having access, so I'd bet that a padlock probably is a tough sell
loose security on such vital parts.
Actually padlocks are quite common. When multiple organizations need
entrance into a single gated area, its standard practice to have each of
them put a padlock onto a string, separated by only one or two links of
chain. When you want access you just unlock your padlock. Low tech but
works pretty well considering the weak point in a chain-link fence is
usually the chain-link, at least where a serious saboteur is concerned. We
are collocated in about a hundred ROW huts and the security is usually aimed
at preventing casual vandalism.
-vb
Not having seen the entire cut, I would have to imagin the entire bundle was
cut and the poor splicers had their hands full.
-Henry
Not having seen the entire cut, I would have to imagin the entire bundle
was
cut and the poor splicers had their hands full.
From experience, I can say that its quite easy to sabatoge a fiber run. The
perfect example - a few years ago when I was a network admin, the whole NOC
where the bulk of our T1s were went out suddenly one morning. We discovered
that less then a block away a fiber seeking backhoe dug right through the
fibers - both the primary *and* secondary fibers - because Verizon burried
them both in the same trench rather then run them separate routes. So, the
supposed redundancy went right out the window.
The phone companies really aren't helping the situation one bit by doing
stuff like this.
What you describe is a folded ring and is indicative of either a temporary
solution or bad network design. As a rule, phone companies and capacity
suppliers build very robust systems.
Douglas S. Peeples
Technology Assurance Labs
> > You'd think after three previous disruptions, that Qwest would
> > have enabled some form of redundancy.
>
> Redundancy hell. How about a *PADLOCK*?You mean that these places aren't even locked? Who has (had) the key?
That'd be the first place I looked.
The most amazing things can be found on certain northern
cross-country fiber routes in areas where cellphones don't work - they
thought about everything putting hundred thousand dollar doors and locks to
prevent those who are not supposed to get into the huts from getting
there... Excellence to the nines.
Of course, since no one wants to carry keys to those super secure
entrances, the same time of cobination keyholders that S&D and some others
use to attach cabinet keys to the back of the cabinets themselves had been
placed right by those super secure doors.
Needless to say, it did not take long for every combination locked
to be popped, keys taken out and super-secure doors opened.
Alex
Maybe I'm missing something, but, if you have the bolt cutters, I don't
see why you need the key to an adjacent lock or any of the locks.
Additionally, most of these things are in remote enough locations that
you are unlikely to be observed using the bolt cutters to gain access
to the site. It's not like the requirement for a set of bolt cutters
is a high barrier to entry for a thug that wants into the site.
John is right about American Towers. They use the same combination at
ALL of their sites and their security company will happily tell anyone
that they think should have access what the "standard" combination is.
American Tower is one of the worst-run operations I have ever encountered.
Owen
Please tell me what phone companies you've been working with. As a rule,
the ones I've experienced build whatever is the path of least resistance
and often do stupid telco tricks like folded rings and single entries into
buildings unless you stand over them with a bull-whip and insist that
they do better.
I'd love to know of a telco that does this right without having to stand
over them.
Owen
Maybe I'm missing something, but, if you have the bolt cutters, I don't
see why you need the key to an adjacent lock or any of the locks.
If you want to reconnect the chain back together without replacing the
lock, you'll need a key from an adjacent lock so you can lock the lock
on the left back on the lock to the right, or vice versa.
Additionally, most of these things are in remote enough locations that
you are unlikely to be observed using the bolt cutters to gain access
to the site. It's not like the requirement for a set of bolt cutters
is a high barrier to entry for a thug that wants into the site.
Agreed, of course, to a determined criminal, even doors and locks won't
keep him out. But at bare minimum they could at least TRY to have some
semblance of security. Actually locking things would be a start.
John is right about American Towers. They use the same combination at
ALL of their sites and their security company will happily tell anyone
that they think should have access what the "standard" combination is.
haha. Sounds like a nice, high security operation.
-Paul
If you want to put the chain back together, you'll need to open one of the
locks, or add another lock in it's place.
This assumes a legit need to remove someones lock. If you just want to
get in, boltcutters will usually do it. Or even a pair of dykes can get
you past most chain-link fence..
...david
Owen DeLong wrote:
Maybe I'm missing something, but, if you have the bolt cutters, I don't
see why you need the key to an adjacent lock or any of the locks.
Additionally, most of these things are in remote enough locations that
you are unlikely to be observed using the bolt cutters to gain access
to the site. It's not like the requirement for a set of bolt cutters
is a high barrier to entry for a thug that wants into the site.
To lock somebody out, all you need is another of your own padlocks to
lockout the padloct you want to exclude. The owner of the locked-out
lock can then remove their lock if they want to without unlocking the
gate.
Bolt-cutters are the master key where you have no other key.
They are running a DS3 'through' our building, enters one side and exits the
other. They refused to run a spur but are adding a loop for us.
I'd love to know of a telco that does this right without
having to stand
over them.
Ray Burkholder
ray@oneunified.net
http://www.oneunified.net
704 576 5101