On Thu, Aug 6, 2009 at 4:28 PM, Corey<co...@bitworthy.net> wrote: > On Thursday 06 August 2009 01:19:35 Robert Raschke wrote: >> On Thu, Aug 6, 2009 at 8:52 AM, Corey <co...@bitworthy.net> wrote: > <snip> >> > That wasn't a rhetorical question. Why bother locking your door? >> > >> > Any intruder worth his weight in salt can circumvent such a simple >> > security mechanism with ease. >> >> Why lock your door, when you're living in a gated community? >> > > A few possible answers: > > Because I'm convinced that multiple redundant layers of security is > most effective. > > Because I _don't_ live in a gated community. > > Because anyone can hop a fence, the silly pathetic lock (password) on > my front door (auth server) is my last line of defense; and it will be > immediately and clearly obvious that someone broke in because... well.. > they _broke_ in (turned off and dismantled the server)... they didn't > just walk in without further ado (began issuing commands as hostowner > on the open terminal) and leave without immediate and clear evidence > (no broken/missing case, no powered off server and missing drives, etc) > > >> Your cpu/auth/filesystem machines can be somewhere safe, with as much >> physical safety as you need (physical barriers are much easier to set up >> and administer that electronic ones). If all is set up properly, you will >> never have to touch those machines again. Unless the machines break and >> you need to look at the hardware. >> > > Meanwhile, here on terra firma, I would like to be able to have my > Plan 9 servers sitting on a rack in a common affordable co-lo somewhere. > > > I think the actual root of the situation, is simply that Plan 9 currently > tends to reside within domains with much more strict and secure > or trustworthy environments vs. being prevalent within the sphere of > the great unwashed masses of the industry where strong physical > security is either unobtainable, unaffordable, and/or unreliable at best. > > _Within_such_environments_, simple passwords remain an effective and > proven means of _deterrent_ from the most common, random, unforeseen > encounters that may occur on a near every day situation. > > > The phone guys have to enter the server room - you trust them with bootes? > > Various contractors have to enter the server room - you trust them with > bootes? > > The sysadmin forgets to lock the door to the server room before heading > out for lunch - you trust all your visitors, customers, affiliates and > employees with a terminal sitting at a bootes prompt? > > The hosting provider has all number of people walking in and out of the > server room constantly, every day - you trust each and every one of these > random unknown people with a bootes prompt to your co-lo'd cpu server? > > Now here's the important part -- in each of these cases (those are just a few, > it doesn't take much of an imagination - or much actual experience - to come > up with countless more), the _real_ concern is _not_ over that rare motivated, > focused, risk-taking bad guy with a plan who's come prepared with a > screwdriver and usb rootkit and assorted bootdisks... the concern is all the > ad-hoc opportunistic, curious and/or malicious passer-by's, armed with > nothing more than their fingers, who just might take up the chance to goof > around with that open terminal connected to the server. > > I have a much higher level of trust that X person won't walk off with or > dismantle a server vs. the level of trust I have that X person won't execute > commands on an open terminal. It's really quite simple. > > If your servers aren't under you direct control, and they're not guaranteed > continually locked behind a bio-metrically secured room under constant video > surveillance - then you don't have physical security. > > If you don't operate within a contained, peer-based trusted environment (lab, > research center, spec. dept., etc), then you don't have physical security. > > Most of the industry at large... does _not_ have trusted physical security. > > And if you don't have trusted physical security, then an open terminal is > beyond the pale of recklessness. > > Passwords make an excellent form of _additional_deterrent_ under the sort > of lowest common denominator environment that tends to comprise the > industry at large. (from AnyTec, to Bob's coffee house, to Standford & Son's > automotive repair, to The Law Offices Of Larry H. Parker, to Data Entry Inc.) > > I honestly can't believe that this is even up for debate! <grin> > > It's just bizarre. >
Oh, if we're just protecting against people wandering by who are obviously there by mistake--since we're discounting anyone coming prepared for serious maliciousness--how about just not having a terminal connected to your file server? My cpu/auth/file servers don't have anything connected except an ethernet cable and a remote serial console. Oh, sure, there's a crash cart over in the corner that you could drag over and plug in, but you've decided that we're only talking about opportunists who see a prompt and decide to type some stuff, so it's not a problem. The whole friggin' point of a colo is that you trust the people running it--also, that they don't leave terminals connected to every single one of their hundreds of customer machines. It's a locked room in a corporate building... this ain't your little brother banging on keys (a far more realistic reason for password-protecting a cpu server, if you're going to be dumb enough to leave the head attached). I have a Plan 9 server sitting in a lab at my university. Over the last 2+ years, it has been in the same place, powered on, connected to a keyboard, mouse, and monitor. The only deterrent to unauthorized users has been that I keep the monitor off, and in those 2 years I have not found a single sign that anyone has so much as touched the keyboard, much less done "rm -r /" or whatever it is you're afraid of. I'm afraid you'll have to forgive me if I find the probability of someone improperly accessing your headless colo'd box rather low. I invite you, though, to create some form of logging protection system for the box. Put the box in a colo, and then in 3 years send us your logs. I guess we'll see how many people tried to get into your cpu server. John -- "Object-oriented design is the roman numerals of computing" -- Rob Pike
