Re: [9fans] a few Q's regarding cpu/auth server

[Corey <corey@bitworthy.net>]

On Thursday 06 August 2009 01:19:35 Robert Raschke wrote:
> On Thu, Aug 6, 2009 at 8:52 AM, Corey <corey@bitworthy.net> wrote:
<snip>
> > That wasn't a rhetorical question.  Why bother locking your door?
> >
> > Any intruder worth his weight in salt can circumvent such a simple
> > security mechanism with ease.
>
> Why lock your door, when you're living in a gated community?
>

A few possible answers:

Because I'm convinced that multiple redundant layers of security is
most effective.

Because I _don't_ live in a gated community.

Because anyone can hop a fence, the silly pathetic lock (password) on
my front door (auth server) is my last line of defense; and it will be
immediately and clearly obvious that someone broke in because... well..
they _broke_ in (turned off and dismantled the server)... they didn't
just walk in without further ado (began issuing commands as hostowner
on the open terminal) and leave without immediate and clear evidence
(no broken/missing case, no powered off server and missing drives, etc)


> Your cpu/auth/filesystem machines can be somewhere safe, with as much
> physical safety as you need (physical barriers are much easier to set up
> and administer that electronic ones). If all is set up properly, you will
> never have to touch those machines again. Unless the machines break and
> you need to look at the hardware.
>

Meanwhile, here on terra firma, I would like to be able to have my
Plan 9 servers sitting on a rack in a common affordable co-lo somewhere.


I think the actual root of the situation, is simply that Plan 9 currently
tends to reside within domains with much more strict and secure
or trustworthy environments vs. being prevalent within the sphere of
the great unwashed masses of the industry where strong physical
security is either unobtainable, unaffordable, and/or unreliable at best.

_Within_such_environments_, simple passwords remain an effective and
proven means of _deterrent_ from the most common, random, unforeseen
encounters that may occur on a near every day situation.


The phone guys have to enter the server room - you trust them with bootes?

Various contractors have to enter the server room - you trust them with
bootes?

The sysadmin forgets to lock the door to the server room before heading
out for lunch - you trust all your visitors, customers, affiliates and
employees with a terminal sitting at a bootes prompt?

The hosting provider has all number of people walking in and out of the
server room constantly, every day - you trust each and every one of these
random unknown people with a bootes prompt to your co-lo'd cpu server?

Now here's the important part -- in each of these cases (those are just a few,
it doesn't take much of an imagination - or much actual experience - to come
up with countless more), the _real_ concern is _not_ over that rare motivated,
focused, risk-taking bad guy with a plan who's come prepared with a
screwdriver and usb rootkit and assorted bootdisks... the concern is all the
ad-hoc opportunistic, curious and/or malicious passer-by's, armed with
nothing more than their fingers, who just might take up the chance to goof
around with that open terminal connected to the server.

I have a much higher level of trust that X person won't walk off with or
dismantle a server vs. the level of trust I have that X person won't execute
commands on an open terminal. It's really quite simple.

If your servers aren't under you direct control, and they're not guaranteed
continually locked behind a bio-metrically secured room under constant video
surveillance - then you don't have physical security.

If you don't operate within a contained, peer-based trusted environment (lab,
research center, spec. dept., etc), then you don't have physical security.

Most of the industry at large... does _not_ have trusted physical security.

And if you don't have trusted physical security, then an open terminal is
beyond the pale of recklessness.

Passwords make an excellent form of _additional_deterrent_ under the sort
of lowest common denominator environment that tends to comprise the
industry at large. (from AnyTec, to Bob's coffee house, to Standford & Son's
automotive repair, to The Law Offices Of Larry H. Parker, to Data Entry Inc.)

I honestly can't believe that this is even up for debate!  <grin>

It's just bizarre.

> I think the bit you are leaving out is the fact that a "proper" Plan 9
> installation "needs" terminals.
>
> Your terminal, on the other hand is ephemeral and you have go through the
> usual security checks if you want to access your cpu and filesystem
> servers.
>

That's understood; and I'm well impressed by the way that particular portion
of the model works.


Ok, well I think I've said all I can possible say -- so unless I get any
direct questions I won't follow up on this; I don't want to annoy the list -
9fans is my only means of assistance for this interesting os - plus, I've
already been provided with solutions from which I can roll my own.


Cheers,

Corey