Re: Fiber cut - response in seconds?
jcdill.li...@gmail.com (JC Dill) wrote: Why do they watch and monitor rather than proactively go out and say watch out, there's an unmarked cable here and keep them from cutting the cable in the first place? *snicker* You ever been to a construction site?
Re: Fiber cut - response in seconds?
Charles Wyble wrote: I do feel this might be the last post from Mr Pooser. :) Your on to them it seems. ;) A very interesting idea. I imagine it wouldn't be hard for foreign actors to get access to the data feed of construction, observe for signs of a cut and then splice in a tap. Though wouldn't that tap be found via the real response team? No. And here's why: If you're a naughty foreign intelligence team, and you know your stuff, you already know where some of the cables you'd really like a tap on are buried. When you hear of a construction project that might damage one, you set up your innocuous white panel truck somewhere else, near a suitable manhole. When the construction guy with a backhoe chops the cable (and you may well slip him some money to do so), *then* you put your tap in, elsewhere, with your actions covered by the downtime at the construction site. That's why the guys in the SUVs are in such a hurry, because they want to close the window of time in which someone can be tapping the cable elsewhere. At least that's what I heard. I read it somewhere on the internet. Definitely. Not at all a sneaky person. No sir. Dave W At least I'm in Britain. *Slightly* harder for the NSA to make me disappear ;-)
Re: Fiber cut - response in seconds?
On Mon, Jun 1, 2009 at 6:40 PM, Charles Wyble char...@thewybles.com wrote: http://www.washingtonpost.com/wp-dyn/content/article/2009/05/30/AR2009053002114_pf.html Not sure if I fully believe the article. Responding to a fiber cut in seconds? I suppose it's possible if $TLA had people monitoring the construction from across the street, and they were in communication with the NOC. Dig Safe, Miss Utility, etc. notify potential dig impacted entities when activity is occurring around their assets and coordinate the marking of the utilities and start of construction in proximity to the targeted dig zone. This is why calling the state utility locator services is the law (everywhere that I'm aware of). The government isn't exempt from these notifications FWIW. The programs may have a slight tweak in the national capitol area. http://www.ncs.gov/ Best, -M -- Martin Hannigan mar...@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
Re: Fiber cut - response in seconds?
On Jun 2, 2009, at 9:19 AM, Martin Hannigan wrote: On Mon, Jun 1, 2009 at 6:40 PM, Charles Wyble char...@thewybles.com wrote: http://www.washingtonpost.com/wp-dyn/content/article/2009/05/30/AR2009053002114_pf.html Not sure if I fully believe the article. Responding to a fiber cut in seconds? I suppose it's possible if $TLA had people monitoring the construction from across the street, and they were in communication with the NOC. Dig Safe, Miss Utility, etc. notify potential dig impacted entities when activity is occurring around their assets and coordinate the marking of the utilities and start of construction in proximity to the targeted dig zone. This is why calling the state utility locator services is the law (everywhere that I'm aware of). The government isn't exempt from these notifications FWIW. The programs may have a slight tweak in the national capitol area. http://www.ncs.gov/ What you're likely interested in is TSP: http://tsp.ncs.gov/ This is something that is placed on your service when it's ordered and alters the design and engineering of the services. - Jared
Re: Fiber cut - response in seconds?
Elmar K. Bins wrote: jcdill.li...@gmail.com (JC Dill) wrote: Why do they watch and monitor rather than proactively go out and say watch out, there's an unmarked cable here and keep them from cutting the cable in the first place? *snicker* You ever been to a construction site? Yes. We have a number here to call Before You Dig and they send people out to mark where underground utilities are. It would be trivially easy for one more set of jump-suited and hard-hat-wearing people to show up during this phase of the project and mark one more line. For the most part the construction teams don't know and don't care who is marking the lines or who is responsible for each, they just want the lines marked (location and type of line - gas, electric, telco) so they can avoid cutting them. In this way the marking team would be undercover and the previously unmarked/unmapped line would be No Big Deal. When an unmarked line is cut and black SUVs show up (the opposite of undercover), the line becomes A Big Deal which is the opposite of what is intended. jc
Re: Fiber cut - response in seconds?
In my experience they are required not only to mark the line, but to identify it with the initials of the owner. On Jun 2, 2009, at 10:44 AM, JC Dill wrote: Elmar K. Bins wrote: jcdill.li...@gmail.com (JC Dill) wrote: Why do they watch and monitor rather than proactively go out and say watch out, there's an unmarked cable here and keep them from cutting the cable in the first place? *snicker* You ever been to a construction site? Yes. We have a number here to call Before You Dig and they send people out to mark where underground utilities are. It would be trivially easy for one more set of jump-suited and hard-hat-wearing people to show up during this phase of the project and mark one more line. For the most part the construction teams don't know and don't care who is marking the lines or who is responsible for each, they just want the lines marked (location and type of line - gas, electric, telco) so they can avoid cutting them. In this way the marking team would be undercover and the previously unmarked/ unmapped line would be No Big Deal. When an unmarked line is cut and black SUVs show up (the opposite of undercover), the line becomes A Big Deal which is the opposite of what is intended. jc
Re: Fiber cut - response in seconds?
They usually hand out tin foil hats to the dig crew. A clear give away and easy to spot too. Next? On 6/2/09, JC Dill jcdill.li...@gmail.com wrote: Elmar K. Bins wrote: jcdill.li...@gmail.com (JC Dill) wrote: Why do they watch and monitor rather than proactively go out and say watch out, there's an unmarked cable here and keep them from cutting the cable in the first place? *snicker* You ever been to a construction site? Yes. We have a number here to call Before You Dig and they send people out to mark where underground utilities are. It would be trivially easy for one more set of jump-suited and hard-hat-wearing people to show up during this phase of the project and mark one more line. For the most part the construction teams don't know and don't care who is marking the lines or who is responsible for each, they just want the lines marked (location and type of line - gas, electric, telco) so they can avoid cutting them. In this way the marking team would be undercover and the previously unmarked/unmapped line would be No Big Deal. When an unmarked line is cut and black SUVs show up (the opposite of undercover), the line becomes A Big Deal which is the opposite of what is intended. jc -- Martin Hannigan mar...@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
Re: Fiber cut - response in seconds?
They usually hand out tin foil hats to the dig crew. A clear give away and easy to spot too. Next? On 6/2/09, JC Dill jcdill.li...@gmail.com wrote: Elmar K. Bins wrote: jcdill.li...@gmail.com (JC Dill) wrote: Why do they watch and monitor rather than proactively go out and say watch out, there's an unmarked cable here and keep them from cutting the cable in the first place? *snicker* You ever been to a construction site? Yes. We have a number here to call Before You Dig and they send people out to mark where underground utilities are. It would be trivially easy for one more set of jump-suited and hard-hat-wearing people to show up during this phase of the project and mark one more line. For the most part the construction teams don't know and don't care who is marking the lines or who is responsible for each, they just want the lines marked (location and type of line - gas, electric, telco) so they can avoid cutting them. In this way the marking team would be undercover and the previously unmarked/unmapped line would be No Big Deal. When an unmarked line is cut and black SUVs show up (the opposite of undercover), the line becomes A Big Deal which is the opposite of what is intended. jc -- Martin Hannigan mar...@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
Re: Fiber cut - response in seconds?
On Tue, 2 Jun 2009, JC Dill wrote: Why do they watch and monitor rather than proactively go out and say watch out, there's an unmarked cable here and keep them from cutting the cable in the first place? Because if they DON'T hit the line, it is still a secret. Then again, if they DO hit the line, it's pretty obvious what the line is for and at least one place it runs. I wonder if the Gov't schedules a move of the line once it's operational security is comprimised by an accidental cut. Beckman --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
Re: Fiber cut - response in seconds?
On Tue, Jun 2, 2009 at 11:19 AM, Peter Beckman beck...@angryox.com wrote: On Tue, 2 Jun 2009, JC Dill wrote: Why do they watch and monitor rather than proactively go out and say watch out, there's an unmarked cable here and keep them from cutting the cable in the first place? Because if they DON'T hit the line, it is still a secret. Then again, if they DO hit the line, it's pretty obvious what the line is for and at least one place it runs. I wonder if the Gov't schedules a move of the line once it's operational security is comprimised by an accidental cut. putting fiber in the ground isn't a quiet task...
Re: Fiber cut - response in seconds?
sro...@fattoc.com (Shane Ronan) wrote: In my experience they are required not only to mark the line, but to identify it with the initials of the owner. Hell yeah - but that's not the point I wanted to make. For any given construction project, the main goal is to build something without destroying something else (unless it's planned to be destroyed). Unfortunately, this goal has to be broken into easy tasks for the people executing the work. And what leaks to them is dig a hole. They definitely don't care whether they _will_ hit something. They do care after they hit something... (sometimes they'll try to cover up like someone did here; after cutting a whole bunch of fibre trunks, they decided to fill the just-dug hole with a ton of concrete...)
RE: Fiber cut - response in seconds?
-Original Message- From: Charles Wyble [mailto:char...@thewybles.com] Sent: Monday, June 01, 2009 7:10 PM To: nanog@nanog.org Subject: Re: Fiber cut - response in seconds? Joel Jaeggli wrote: It's pretty trivial if know where all the construction projects on your path are... How so? Setup OTDR traces and watch them? I've seen this happen on a university campus several times. no black helicopters were involved. Care to expand on the methodology used? A campus network is a lot different then a major metro area. Something like Fiber SenSys (http://www.fibersensys.com/) is probably used. Measures miniscule changes in light levels to tell whether or not fiber has been tampered with. As for the response in seconds, I would have to say that the suits were parked right there watching, assuming the story is true. Not sure if anyone has ever tried to get anywhere in Tysons Corner during roadside construction (or during an afternoon drizzle for that matter), but I can guarantee you that it would be impossible without someone already being stationed onsite.
RE: Fiber cut - response in seconds?
No. And here's why: If you're a naughty foreign intelligence team, and you know your stuff, you already know where some of the cables you'd really like a tap on are buried. When you hear of a construction project that might damage one, you set up your innocuous white panel truck somewhere else, near a suitable manhole. When the construction guy with a backhoe chops the cable (and you may well slip him some money to do so), *then* you put your tap in, elsewhere, with your actions covered by the downtime at the construction site. That's why the guys in the SUVs are in such a hurry, because they want to close the window of time in which someone can be tapping the cable elsewhere. At least that's what I heard. I read it somewhere on the internet. Definitely. Not at all a sneaky person. No sir. And if you were a naughty foreign intelligence team installing a tap, or a bend, or whatever in the fiber contemporaneously with a known cut, you could also reamplify and dispersion compensate for the slight amount of affect your work is having so that when its tested later, the OTDR is blind to your work. Ah, the fun of Paranoia, Inc. Deepak Jain AiNET
Re: Fiber cut - response in seconds?
It would also be cheaper to add an additional layer of security with encryption vs. roving teams of gun toting manhole watchers. YMMV, Best! Marty On 6/2/09, Deepak Jain dee...@ai.net wrote: No. And here's why: If you're a naughty foreign intelligence team, and you know your stuff, you already know where some of the cables you'd really like a tap on are buried. When you hear of a construction project that might damage one, you set up your innocuous white panel truck somewhere else, near a suitable manhole. When the construction guy with a backhoe chops the cable (and you may well slip him some money to do so), *then* you put your tap in, elsewhere, with your actions covered by the downtime at the construction site. That's why the guys in the SUVs are in such a hurry, because they want to close the window of time in which someone can be tapping the cable elsewhere. At least that's what I heard. I read it somewhere on the internet. Definitely. Not at all a sneaky person. No sir. And if you were a naughty foreign intelligence team installing a tap, or a bend, or whatever in the fiber contemporaneously with a known cut, you could also reamplify and dispersion compensate for the slight amount of affect your work is having so that when its tested later, the OTDR is blind to your work. Ah, the fun of Paranoia, Inc. Deepak Jain AiNET -- Martin Hannigan mar...@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
Re: Fiber cut - response in seconds?
Cheaper? To quote sneakers were the united states govt. we don't do that sort of thing. Martin Hannigan wrote: It would also be cheaper to add an additional layer of security with encryption vs. roving teams of gun toting manhole watchers. YMMV, Best! Marty On 6/2/09, Deepak Jain dee...@ai.net wrote: No. And here's why: If you're a naughty foreign intelligence team, and you know your stuff, you already know where some of the cables you'd really like a tap on are buried. When you hear of a construction project that might damage one, you set up your innocuous white panel truck somewhere else, near a suitable manhole. When the construction guy with a backhoe chops the cable (and you may well slip him some money to do so), *then* you put your tap in, elsewhere, with your actions covered by the downtime at the construction site. That's why the guys in the SUVs are in such a hurry, because they want to close the window of time in which someone can be tapping the cable elsewhere. At least that's what I heard. I read it somewhere on the internet. Definitely. Not at all a sneaky person. No sir. And if you were a naughty foreign intelligence team installing a tap, or a bend, or whatever in the fiber contemporaneously with a known cut, you could also reamplify and dispersion compensate for the slight amount of affect your work is having so that when its tested later, the OTDR is blind to your work. Ah, the fun of Paranoia, Inc. Deepak Jain AiNET
Re: Fiber cut - response in seconds?
On Tue, 02 Jun 2009 13:54:44 EDT, Martin Hannigan said: It would also be cheaper to add an additional layer of security with encryption vs. roving teams of gun toting manhole watchers. Even if encrypted, you can probably do an amazing amount of traffic analysis to tell when something is afoot. Ask any pizzeria near State Dept or Pentagon. ;) (That, plus it's easier to break an encryption if you have gigabytes of data to work with, than if you don't have any data to work with...) pgp4gdgklll7X.pgp Description: PGP signature
Re: Fiber cut - response in seconds?
Encryption is insufficient - if you let someone have physical access for a long enough period, they'll eventually crack anything. Encryption makes the period of time longer, but let them try? As regards roving, we are talking about Tyson's Corner here: that's pretty close ( 5km) to major offices of lots of folks who would care deeply about such matters. David Barak Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com --- On Tue, 6/2/09, Charles Wyble char...@thewybles.com wrote: From: Charles Wyble char...@thewybles.com Subject: Re: Fiber cut - response in seconds? To: nanog@nanog.org nanog@nanog.org Date: Tuesday, June 2, 2009, 1:57 PM Cheaper? To quote sneakers were the united states govt. we don't do that sort of thing. Martin Hannigan wrote: It would also be cheaper to add an additional layer of security with encryption vs. roving teams of gun toting manhole watchers. YMMV, Best! Marty On 6/2/09, Deepak Jain dee...@ai.net wrote: No. And here's why: If you're a naughty foreign intelligence team, and you know your stuff, you already know where some of the cables you'd really like a tap on are buried. When you hear of a construction project that might damage one, you set up your innocuous white panel truck somewhere else, near a suitable manhole. When the construction guy with a backhoe chops the cable (and you may well slip him some money to do so), *then* you put your tap in, elsewhere, with your actions covered by the downtime at the construction site. That's why the guys in the SUVs are in such a hurry, because they want to close the window of time in which someone can be tapping the cable elsewhere. At least that's what I heard. I read it somewhere on the internet. Definitely. Not at all a sneaky person. No sir. And if you were a naughty foreign intelligence team installing a tap, or a bend, or whatever in the fiber contemporaneously with a known cut, you could also reamplify and dispersion compensate for the slight amount of affect your work is having so that when its tested later, the OTDR is blind to your work. Ah, the fun of Paranoia, Inc. Deepak Jain AiNET
Re: Fiber cut - response in seconds?
link-layer encryption for sonet/atm quite resistant to traffic analysis... The pipe is full of pdus whether you're using them or not. valdis.kletni...@vt.edu wrote: On Tue, 02 Jun 2009 13:54:44 EDT, Martin Hannigan said: It would also be cheaper to add an additional layer of security with encryption vs. roving teams of gun toting manhole watchers. Even if encrypted, you can probably do an amazing amount of traffic analysis to tell when something is afoot. Ask any pizzeria near State Dept or Pentagon. ;) (That, plus it's easier to break an encryption if you have gigabytes of data to work with, than if you don't have any data to work with...)
Re: Fiber cut - response in seconds?
David Barak wrote: Encryption is insufficient - if you let someone have physical access for a long enough period, they'll eventually crack anything. Really? I don't think so. I imagine it would be much more dependent on the amount of computing power the attacker has access to. More encrypted blobs won't help. If that was the case then the various encryption schemes in wide use today would be cracked already. Bad guys can setup networks and blast data through it and have complete access. I don't see them cracking encryption.
Re: Fiber cut - response in seconds?
--- On Tue, 6/2/09, Charles Wyble char...@thewybles.com wrote: David Barak wrote: Encryption is insufficient - if you let someone have physical access for a long enough period, they'll eventually crack anything. Really? I don't think so. I imagine it would be much more dependent on the amount of computing power the attacker has access to. More encrypted blobs won't help. If that was the case then the various encryption schemes in wide use today would be cracked already. Bad guys can setup networks and blast data through it and have complete access. I don't see them cracking encryption. Paranoia 101 teaches us that any given encryption approach will eventually fall before a brute-force onslaught of sufficient power and duration[1]. I'm not trying to argue that the attacker in this case could necessarily detect a flaw in the algorithm; rather, they'll get an effectively infinite number of chances to bang against it with no consequences. Once it's cracked, the attacker will *still* have the physical access which is thus compromised, and then has free access to all of the transmissions. Physical security is a prerequisite to all of the other approaches to communication security. Those cases where physical security is presumed to be non-existant have to rely on a lot of out-of-band knowledge for any given method to be resistant to attack, and it's very hard to make use of a connection of that type for regular operations. Pretty much all security eventually boils down to people with firearms saying don't do that. David Barak Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
RE: Fiber cut - response in seconds?
Really? I don't think so. I imagine it would be much more dependent on the amount of computing power the attacker has access to. More encrypted blobs won't help. If that was the case then the various encryption schemes in wide use today would be cracked already. Bad guys can setup networks and blast data through it and have complete access. I don't see them cracking encryption. Without getting into the math involved, Vlad (and others) are correct. This is why there is key migration (regeneration/renegotiation/repudiation) along these multi-gigabit/multi-terabit streams. Your obfuscation strength (I don't care how many digits you have in your key, your cipher, what have you) is computed against the amount of data you are obfuscating. If I am obfuscating 1 byte of data, my math functions do not need to be as large as obfuscating 2^128 bits. There are plenty of non-classified books regarding COMSEC, INFOSEC and all their related interworking bits (even COMINT, SIGINT and HUMINT). Plenty of NANOG folks have been in these communities and that is why they say things that make sense regarding physical and network security. Even if you haven't been in these groups, the non-classified books are sufficiently sophisticated as to give even a layperson a respect for the layers of security (and the discipline behind it) needed to provide even the most minimal level of protection. The h4x0r kids who think magnets on their doorways, tin foil hats, or willy-nilly encryption using their email-exchanged PGP keys are protected are welcome to their sandbox too -- let's just keep it away from those of us who like things that provably work [most of the time ;)]. DJ
Re: Fiber cut - response in seconds?
David Barak wrote: Paranoia 101 teaches us that any given encryption approach will eventually fall before a brute-force onslaught of sufficient power and duration[1]. Of course. Hence my comment bout the likely hood of success depending on how much computing power they have access to. How much easier does my job get if I have access to thousands of encrypted e-mails vs 1 encrypted e-mail? Once I factor your PKI root private key, your toast. It was my impression that the various algorithms were designed to prevent traffic analysis attacks, or at least vastly reduce there effectiveness, and if some magical corner case is discovered it should be further mitigated by key rotation right? I'm an operations guy, not a math wizard. :) I'm not trying to argue that the attacker in this case could necessarily detect a flaw in the algorithm; rather, they'll get an effectively infinite number of chances to bang against it with no consequences. Once it's cracked, the attacker will *still* have the physical access which is thus compromised, and then has free access to all of the transmissions. Sure. However couldn't they do this in a lab environment? Various botnets give them access to massive amounts of computing power on an ongoing basis. I presume that the folks with sufficient expertise and knowledge to do these attacks use exploits / back doors that ensure continued access to this computing power, which won't be detected/patched by the little tykes doing spamming/phising/data correlation. Then there is the ability to buy a whole lot of specialized number crunching compute gear as well. Granted the US govt has there own (classified) encryption algorithms and as such that can't be replicated in a lab environment and requires access to the physical medium carrying traffic encrypted by said algorithms. Physical security is a prerequisite to all of the other approaches to communication security. Those cases where physical security is presumed to be non-existant have to rely on a lot of out-of-band knowledge for any given method to be resistant to attack, and it's very hard to make use of a connection of that type for regular operations. Really? The US Military uses a whole lot of wireless (satellite, ground baed, surface to air) links. Those links can be sniffed (by people with sufficient motivation/funding/gear to do so). They rely on encryption to protect them.
Re: Fiber cut - response in seconds?
On Jun 2, 2009, at 3:41 PM, Charles Wyble wrote: David Barak wrote: Paranoia 101 teaches us that any given encryption approach will eventually fall before a brute-force onslaught of sufficient power and duration[1]. Of course. Hence my comment bout the likely hood of success depending on how much computing power they have access to. How much easier does my job get if I have access to thousands of encrypted e- mails vs 1 encrypted e-mail? Once I factor your PKI root private key, your toast. Note that most PKI (such as RSA) may be breakable when and if Quantum computers become practical. http://en.wikipedia.org/wiki/Shor's_algorithm Storing large amounts of PKI encrypted data for that day I am sure would interest some organizations. Regards Marshall It was my impression that the various algorithms were designed to prevent traffic analysis attacks, or at least vastly reduce there effectiveness, and if some magical corner case is discovered it should be further mitigated by key rotation right? I'm an operations guy, not a math wizard. :) I'm not trying to argue that the attacker in this case could necessarily detect a flaw in the algorithm; rather, they'll get an effectively infinite number of chances to bang against it with no consequences. Once it's cracked, the attacker will *still* have the physical access which is thus compromised, and then has free access to all of the transmissions. Sure. However couldn't they do this in a lab environment? Various botnets give them access to massive amounts of computing power on an ongoing basis. I presume that the folks with sufficient expertise and knowledge to do these attacks use exploits / back doors that ensure continued access to this computing power, which won't be detected/patched by the little tykes doing spamming/phising/data correlation. Then there is the ability to buy a whole lot of specialized number crunching compute gear as well. Granted the US govt has there own (classified) encryption algorithms and as such that can't be replicated in a lab environment and requires access to the physical medium carrying traffic encrypted by said algorithms. Physical security is a prerequisite to all of the other approaches to communication security. Those cases where physical security is presumed to be non-existant have to rely on a lot of out-of-band knowledge for any given method to be resistant to attack, and it's very hard to make use of a connection of that type for regular operations. Really? The US Military uses a whole lot of wireless (satellite, ground baed, surface to air) links. Those links can be sniffed (by people with sufficient motivation/funding/gear to do so). They rely on encryption to protect them.
Re: Fiber cut - response in seconds?
Granted the US govt has there own (classified) encryption algorithms and as such that can't be replicated in a lab environment and requires access to the physical medium carrying traffic encrypted by said algorithms. Which is why they do things like this : http://en.wikipedia.org/wiki/Operation_Ivy_Bells Of course these days, it doesn't require nearly as much effort .. just a friendly phone call to ATT (who, ironically, also built the devices used in the above). Cheers, Michael Holstein Cleveland State University
RE: Fiber cut - response in seconds?
Really? The US Military uses a whole lot of wireless (satellite, ground baed, surface to air) links. Those links can be sniffed (by people with sufficient motivation/funding/gear to do so). They rely on encryption to protect them. Which is why, if you have a satellite, you often position DIRECTLY over the antenna you are sending to, and using lasers (rather than other RF) to communicate with it. Likewise, if you want to maintain this kind of security (and reduce the ability to sniff) you do this in space as well. Highly columnated photons are your friend. Encryption helps, but if it was sufficient in all cases, you wouldn't go to such extremes. This (in a much more NANOG related way) has ramifications for those selling/operating Wi-Fi, WiMax, P2P and FSO wireless links and trying to do *commercially important things* -- like finance. The idea here is that fiber is FAR more secure than copper because almost everything you want to do to fiber, you can do to copper, but from a further, less physically-in-contact distance. Another idea is that commercially operated networks have lower standards for data security (but not necessarily data *integrity*) that intelligence *oriented* applications/networks. The idea of installing a tap on an encrypted line to do traffic analysis is all very interesting, but no one mentioned the idea that at a critical time (such as an attack) you could easily DISRUPT vital communications links and prevent their function [and their protected paths]. Security cannot exist without a level of integrity. Most commercial networks only need to concern themselves with integrity and let their customers deal with the security of their own applications. Commercial networks are a great study of highly (in the commercial sense) secure data traversing over LSAs (lower sensitivity areas) with lower control thresholds [think poles, manholes, etc]. The data is highly secure to any particular customer, but in the commercial sense, it's almost always lost in the noise. When a business entity crosses that threshold (e.g. the Federal Reserve banks or a transaction clearinghouse) where their data is *worth* getting at no matter how much sifting has to go on... you see extraordinary measures (e.g. properly implemented obfuscation, or what have you) implemented. Deepak Jain AiNET
Re: Fiber cut - response in seconds?
Once upon a time, Deepak Jain dee...@ai.net said: Which is why, if you have a satellite, you often position DIRECTLY over the antenna you are sending to Unless your target is on the equator, you don't position a satellite directly over anything. -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Re: Fiber cut - response in seconds?
On Tue, Jun 2, 2009 at 7:50 AM, Dave Wilson richard.wil...@senokian.com wrote: No. And here's why: If you're a naughty foreign intelligence team, and you know your stuff, you already know where some of the cables you'd really like a tap on are buried. When you hear of a construction project that might damage one, you set up your innocuous white panel truck somewhere else, near a suitable manhole. When the construction guy with a backhoe chops the cable (and you may well slip him some money to do so), *then* you put your tap in, elsewhere, with your actions covered by the downtime at the construction site. That's why the guys in the SUVs are in such a hurry, because they want to close the window of time in which someone can be tapping the cable elsewhere. Sounds like a lot of work to me. Wouldn't it be easier to just find the carrier neutral colo facilities where all the peering/transit between major networks happens, and pay them money to put up a fake wall that you can colo your optical taps behind? Drive Slow, and remember, don't open any doors that say This Is Not An Exit, Paul Wall
Re: Fiber cut - response in seconds?
Sounds like a lot of work to me. Wouldn't it be easier to just find the carrier neutral colo facilities where all the peering/transit between major networks happens, and pay them money to put up a fake wall that you can colo your optical taps behind? Yeah it's not like that's ever gonna happen! :) Drive Slow, and remember, don't open any doors that say This Is Not An Exit, ROFL
RE: Fiber cut - response in seconds?
Once upon a time, Deepak Jain dee...@ai.net said: Which is why, if you have a satellite, you often position DIRECTLY over the antenna you are sending to Unless your target is on the equator, you don't position a satellite directly over anything. I promise you that that is not the case for all applications. Geosynchronous satellites can be anywhere. For the applications you are considering (communications mostly), equatorial orbit is the most advantageous. There are books documenting other locations and reasons for other locations... and we are off topic. Best, Deepak Jain AiNET
Re: Fiber cut - response in seconds?
Once upon a time, Deepak Jain dee...@ai.net said: I promise you that that is not the case for all applications. Geosynchronous satellites can be anywhere. For the applications you are considering (communications mostly), equatorial orbit is the most advantageous. Geosynchronous are only over a particular longitude. They move up and down in latitude, so it isn't over a given point except twice per day (or only once at the extremes). -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
RE: Fiber cut - response in seconds?
Ok, while this is off-topic, let's just point people to Wikipedia: Other satellites (which are NOT in the same position at all times from the prospective of a spot on earth): http://en.wikipedia.org/wiki/Geosynchronous_orbit TV, and other fixed positioned (relative to the earth are geostationary): http://en.wikipedia.org/wiki/Geostationary_orbit perhaps further comments can go to the discussion pages on Wikipedia since I would wager a very small number of us push any serious number of bits via satellite. John van Oppen Spectrum Networks LLC Direct: 206.973.8302 Main: 206.973.8300 Website: http://spectrumnetworks.us -Original Message- From: Chris Adams [mailto:cmad...@hiwaay.net] Sent: Tuesday, June 02, 2009 3:36 PM To: Deepak Jain Cc: nanog@nanog.org Subject: Re: Fiber cut - response in seconds? Once upon a time, Deepak Jain dee...@ai.net said: I promise you that that is not the case for all applications. Geosynchronous satellites can be anywhere. For the applications you are considering (communications mostly), equatorial orbit is the most advantageous. Geosynchronous are only over a particular longitude. They move up and down in latitude, so it isn't over a given point except twice per day (or only once at the extremes). -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Re: Fiber cut - response in seconds?
I do 250 mbits on 21 transponders :) - Original Message - From: John van Oppen j...@vanoppen.com To: Chris Adams cmad...@hiwaay.net; Deepak Jain dee...@ai.net Cc: nanog@nanog.org nanog@nanog.org Sent: Tue Jun 02 14:51:59 2009 Subject: RE: Fiber cut - response in seconds? Ok, while this is off-topic, let's just point people to Wikipedia: Other satellites (which are NOT in the same position at all times from the prospective of a spot on earth): http://en.wikipedia.org/wiki/Geosynchronous_orbit TV, and other fixed positioned (relative to the earth are geostationary): http://en.wikipedia.org/wiki/Geostationary_orbit perhaps further comments can go to the discussion pages on Wikipedia since I would wager a very small number of us push any serious number of bits via satellite. John van Oppen Spectrum Networks LLC Direct: 206.973.8302 Main: 206.973.8300 Website: http://spectrumnetworks.us -Original Message- From: Chris Adams [mailto:cmad...@hiwaay.net] Sent: Tuesday, June 02, 2009 3:36 PM To: Deepak Jain Cc: nanog@nanog.org Subject: Re: Fiber cut - response in seconds? Once upon a time, Deepak Jain dee...@ai.net said: I promise you that that is not the case for all applications. Geosynchronous satellites can be anywhere. For the applications you are considering (communications mostly), equatorial orbit is the most advantageous. Geosynchronous are only over a particular longitude. They move up and down in latitude, so it isn't over a given point except twice per day (or only once at the extremes). -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
RE: Fiber cut - response in seconds?
I sent this to all of our transport people to.. Was quite curious as to what they'd use for this. However, they are the federal government - so anything is possible. -Original Message- From: Charles Wyble [mailto:char...@thewybles.com] Sent: Monday, June 01, 2009 2:41 PM To: nanog@nanog.org Subject: Fiber cut - response in seconds? http://www.washingtonpost.com/wp-dyn/content/article/2009/05/30/AR200905 3002114_pf.html Not sure if I fully believe the article. Responding to a fiber cut in seconds? I suppose it's possible if $TLA had people monitoring the construction from across the street, and they were in communication with the NOC.
Re: Fiber cut - response in seconds?
It's pretty trivial if know where all the construction projects on your path are... I've seen this happen on a university campus several times. no black helicopters were involved. joel Charles Wyble wrote: http://www.washingtonpost.com/wp-dyn/content/article/2009/05/30/AR2009053002114_pf.html Not sure if I fully believe the article. Responding to a fiber cut in seconds? I suppose it's possible if $TLA had people monitoring the construction from across the street, and they were in communication with the NOC.
Re: Fiber cut - response in seconds?
Joel Jaeggli wrote: It's pretty trivial if know where all the construction projects on your path are... How so? Setup OTDR traces and watch them? I've seen this happen on a university campus several times. no black helicopters were involved. Care to expand on the methodology used? A campus network is a lot different then a major metro area.
Re: Fiber cut - response in seconds?
I'm not sure why this sounds so surprising or impressive... given g$vt budgets. Monitoring software using a pair of fibers in your bundle. OTDR or similar digital diagnostics. You detect a loss, you figure out how many feet away it is. You look at your map. A simpler way to do it (if you don't mind burning lots of fiber pairs) would be to loop up a pair of fibers (or add a reflectance source every 1000 ft or so -- spliced into the cable). You can figure out to within a thousand feet once you know WHICH set of loops has died. Given it almost always involved construction crews, you drive until you see backhoes for your final approximation. If I were the gov't I'd have originally opted for #2, and then moved to #1. Seconds is just a function of how far away the responding agency's personnel ( monitoring the loop ) were from the cut. Obviously we are talking about a few miles tops. Plenty of people used to have a single pair in each bundle for testing. Its relatively trivial to make that a test pair live. This is all predicated on you actually keeping your toplogy up-to-date. Deepak Jain AiNET Charles Wyble wrote: Joel Jaeggli wrote: It's pretty trivial if know where all the construction projects on your path are... How so? Setup OTDR traces and watch them? I've seen this happen on a university campus several times. no black helicopters were involved. Care to expand on the methodology used? A campus network is a lot different then a major metro area.
Re: Fiber cut - response in seconds?
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Mon Jun 1 18:30:48 2009 Date: Mon, 01 Jun 2009 15:40:31 -0700 From: Charles Wyble char...@thewybles.com To: nanog@nanog.org nanog@nanog.org Subject: Fiber cut - response in seconds? http://www.washingtonpost.com/wp-dyn/content/article/2009/05/30/AR2009053002114_pf.html Not sure if I fully believe the article. Responding to a fiber cut in seconds? I *don't* believe it, _as_written_. If one takes 'in seconds' to mean single-digit quantities, they had to be: in the vehicle, with the engine running transmission in gear, starting from within a few hundred feet, with no interfering traffic AND no opposing traffic light. Now, change the 'facts' of the scenario slightly, and it becomes a bunch more believable. Allow 'double-digit' numbers of seconds, from the time the crew _noticed_ the cut, and it gets a bit less fantastic. Postulate some form of 'damage' to the cable -- maybe a kink, that stretched, but did not sever the cable, or more likely, a pressure rupture in an enclosing safety guard, -- such as a 'near miss' by a back-hoe might cause a few scoops before the cable was completely severed, plus allow for a little time between actual cable severance, and the cut cable becomes _visible_; now you're looking at 5-10 minutes from 'first warning' of a problem at the NOC (with TDR type gear giving approximate location) and the 'rapid response' team on site. They'd have to be on an alert status comparable to the old SAC first alert bomber crews, and probably based within 3-5 miles, but things are now within the realm of beleivability. Not saying I _do_ believe it, but we're into the range of might, maybe, possibly, happen that way, without having to postulate a TARDUS. grin I would have expected such a crew to be eqipped with, and need to _use_, 'lights and sirens', and *big* air horns, in dealing with traffic on the roadway -- *AND* I would have expected that 'minor detal' to have been noted by the work crew. As for the last part -- about the billing issue -- assuming that the construction contractor had called JULIE (The undergournd utilities marking service) and gotten the sign-off from all the carriers, they _were_ 'home free'. The carrier who 'failed to mark' their cable gets to pay the cost of replacement.
Re: Fiber cut - response in seconds?
In a message written on Mon, Jun 01, 2009 at 03:40:31PM -0700, Charles Wyble wrote: http://www.washingtonpost.com/wp-dyn/content/article/2009/05/30/AR2009053002114_pf.html Not sure if I fully believe the article. Responding to a fiber cut in seconds? Folks who dig call Miss Utility (in Virginia, anyway) befor they dig to have folks come out and spray paint where everything is lcoated. On the back end, folks with cables in the ground subscribe to a feed of address information to know if they should go out and mark cables. I have no doubt the men in black SUV's have a feed of this data, and thus know when someone is going to be digging near their cable. Indeed, I can think of at least two instances where I was out surveying fiber digs where black SUV's seemed to be across the street the entire time. With the location having features like a metro tunnel under a US Army classified microwave tower it would not surprise me that they have someone in the area watching. I suspect they were waiting nearby, and when it went down went in not to tell folks they cut something, but rather to tell them that they cut nothing. Wink wink. Nudge nudge. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ pgp7k2dO2yawl.pgp Description: PGP signature
Re: Fiber cut - response in seconds?
Joel Jaeggli wrote: Charles Wyble wrote: Joel Jaeggli wrote: It's pretty trivial if know where all the construction projects on your path are... How so? Setup OTDR traces and watch them? When you lose link on every pair in a bundle, but don't lose any of the buildings you're serving via diverse paths, you have a pretty good idea what happened. Knowing which of the three construction projects on that path is likely to be digging a trench is a facilities issue. Right. So why the near instant response time. If it's a diverse path, one would imagine that they could respond in a few hours or a day and not have any impact. The fact that they are so closely monitoring the construction and wanting to fix it that fast seems a bit over the top for redundant systems. I've seen this happen on a university campus several times. no black helicopters were involved. Care to expand on the methodology used? A campus network is a lot different then a major metro area. Given the location the guys in the blacks suvs likely have at least situational awareness of all of the contruction projects in their immediate vicinity. One would hope. Though given the archaic nature of many govt systems, that could involve a lot of manual paper pulling... or are the bid/reward/permit systems all automated on the east coast? :) they don't have to monitor everyone's cable, just their own and near instantaneous response implies proximity so it may well be more akin to a campus network. True.
Re: Fiber cut - response in seconds?
The fact that they are so closely monitoring the construction and wanting to fix it that fast seems a bit over the top for redundant systems. Even despite what we saw recently in the SF bay area? If black helicopters are involved, I suspect this is about par on the paranoia scale.
Re: Fiber cut - response in seconds?
Right. So why the near instant response time. If it's a diverse path, one would imagine that they could respond in a few hours or a day and not have any impact. Just a guess, but: A cut cable is one thing. A cut cable in which people wearing different suits and driving a different brand of SUV might splice in a fiber tap is something altogether different. -- Dave Pooser, ACSA Manager of Information Services Alford Media http://www.alfordmedia.com
Re: Fiber cut - response in seconds?
I do feel this might be the last post from Mr Pooser. :) Your on to them it seems. ;) A very interesting idea. I imagine it wouldn't be hard for foreign actors to get access to the data feed of construction, observe for signs of a cut and then splice in a tap. Though wouldn't that tap be found via the real response team? Dave Pooser wrote: Right. So why the near instant response time. If it's a diverse path, one would imagine that they could respond in a few hours or a day and not have any impact. Just a guess, but: A cut cable is one thing. A cut cable in which people wearing different suits and driving a different brand of SUV might splice in a fiber tap is something altogether different.
Re: Fiber cut - response in seconds?
Its all a sham. The construction was done by the cubans.. They're good at fiber taps - Original Message - From: Charles Wyble char...@thewybles.com To: nanog@nanog.org nanog@nanog.org Sent: Mon Jun 01 16:17:08 2009 Subject: Re: Fiber cut - response in seconds? I do feel this might be the last post from Mr Pooser. :) Your on to them it seems. ;) A very interesting idea. I imagine it wouldn't be hard for foreign actors to get access to the data feed of construction, observe for signs of a cut and then splice in a tap. Though wouldn't that tap be found via the real response team? Dave Pooser wrote: Right. So why the near instant response time. If it's a diverse path, one would imagine that they could respond in a few hours or a day and not have any impact. Just a guess, but: A cut cable is one thing. A cut cable in which people wearing different suits and driving a different brand of SUV might splice in a fiber tap is something altogether different.
Re: Fiber cut - response in seconds?
On Mon, 1 Jun 2009, Charles Wyble wrote: Right. So why the near instant response time. Extra budgets, job creation. Knowing ahead of time where and when work is going to be done (easily found out), have someone around the corner at a Starbucks so they can jump into action if/when something goes down. Just because you have a redundant path doesn't mean you shouldn't get the broken path repaired ASAP. Maybe there are only two paths. If the other goes down, and something happens and the Gov't can't mobilize in time, something bad happens. It's a perfect storm to be sure, but when you have the lives of 300 million people at stake, I appreciate the diligence. --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---