From: John Floren
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Thu, 6 Aug 2009 17:01:30 -0700
Subject: Re: [9fans] a few Q's regarding cpu/auth server
Message-ID: <7d3530220908061701t314fdc42i7bce59ad9ba7df9e@mail.gmail.com>
In-Reply-To: <200908061628.14132.corey@bitworthy.net>

On Thu, Aug 6, 2009 at 4:28 PM, Corey wrote:
> On Thursday 06 August 2009 01:19:35 Robert Raschke wrote:
>> On Thu, Aug 6, 2009 at 8:52 AM, Corey wrote:
>
>> > That wasn't a rhetorical question. Why bother locking your door?
>> >
>> > Any intruder worth his weight in salt can circumvent such a simple
>> > security mechanism with ease.
>>
>> Why lock your door, when you're living in a gated community?
>>
>
> A few possible answers:
>
> Because I'm convinced that multiple redundant layers of security are
> most effective.
>
> Because I _don't_ live in a gated community.
>
> Because anyone can hop a fence, the silly pathetic lock (password) on
> my front door (auth server) is my last line of defense; and it will be
> immediately and clearly obvious that someone broke in because... well..
> they _broke_ in (turned off and dismantled the server)... they didn't
> just walk in without further ado (began issuing commands as hostowner
> on the open terminal) and leave without immediate and clear evidence
> (no broken/missing case, no powered off server and missing drives, etc.)
>
>
>> Your cpu/auth/filesystem machines can be somewhere safe, with as much
>> physical safety as you need (physical barriers are much easier to set up
>> and administer than electronic ones). If all is set up properly, you will
>> never have to touch those machines again. Unless the machines break and
>> you need to look at the hardware.
>>
>
> Meanwhile, here on terra firma, I would like to be able to have my
> Plan 9 servers sitting on a rack in a common affordable co-lo somewhere.
>
>
> I think the actual root of the situation is simply that Plan 9 currently
> tends to reside within domains with much more strict and secure
> or trustworthy environments vs. being prevalent within the sphere of
> the great unwashed masses of the industry where strong physical
> security is either unobtainable, unaffordable, and/or unreliable at best.
>
> _Within_such_environments_, simple passwords remain an effective and
> proven means of _deterrent_ from the most common, random, unforeseen
> encounters that may occur in a near every-day situation.
>
>
> The phone guys have to enter the server room - you trust them with bootes?
>
> Various contractors have to enter the server room - you trust them with
> bootes?
>
> The sysadmin forgets to lock the door to the server room before heading
> out for lunch - you trust all your visitors, customers, affiliates and
> employees with a terminal sitting at a bootes prompt?
>
> The hosting provider has all number of people walking in and out of the
> server room constantly, every day - you trust each and every one of these
> random unknown people with a bootes prompt to your co-lo'd cpu server?
>
> Now here's the important part -- in each of these cases (those are just a few,
> it doesn't take much of an imagination - or much actual experience - to come
> up with countless more), the _real_ concern is _not_ over that rare motivated,
> focused, risk-taking bad guy with a plan who's come prepared with a
> screwdriver and usb rootkit and assorted bootdisks... the concern is all the
> ad-hoc opportunistic, curious and/or malicious passers-by, armed with
> nothing more than their fingers, who just might take up the chance to goof
> around with that open terminal connected to the server.
>
> I have a much higher level of trust that X person won't walk off with or
> dismantle a server vs. the level of trust I have that X person won't execute
> commands on an open terminal. It's really quite simple.
>
> If your servers aren't under your direct control, and they're not guaranteed
> continually locked behind a bio-metrically secured room under constant video
> surveillance - then you don't have physical security.
>
> If you don't operate within a contained, peer-based trusted environment (lab,
> research center, spec. dept., etc), then you don't have physical security.
>
> Most of the industry at large... does _not_ have trusted physical security.
>
> And if you don't have trusted physical security, then an open terminal is
> beyond the pale of recklessness.
>
> Passwords make an excellent form of _additional_deterrent_ under the sort
> of lowest common denominator environment that tends to comprise the
> industry at large. (from AnyTec, to Bob's coffee house, to Standford & Son's
> automotive repair, to The Law Offices Of Larry H. Parker, to Data Entry Inc.)
>
> I honestly can't believe that this is even up for debate!
>
> It's just bizarre.
>

Oh, if we're just protecting against people wandering by who are
obviously there by mistake--since we're discounting anyone coming
prepared for serious maliciousness--how about just not having a
terminal connected to your file server? My cpu/auth/file servers don't
have anything connected except an ethernet cable and a remote serial
console. Oh, sure, there's a crash cart over in the corner that you
could drag over and plug in, but you've decided that we're only talking
about opportunists who see a prompt and decide to type some stuff, so
it's not a problem.

The whole friggin' point of a colo is that you trust the people running
it--also, that they don't leave terminals connected to every single one
of their hundreds of customer machines. It's a locked room in a
corporate building... this ain't your little brother banging on keys (a
far more realistic reason for password-protecting a cpu server, if
you're going to be dumb enough to leave the head attached).

I have a Plan 9 server sitting in a lab at my university. Over the last
2+ years, it has been in the same place, powered on, connected to a
keyboard, mouse, and monitor. The only deterrent to unauthorized users
has been that I keep the monitor off, and in those 2 years I have not
found a single sign that anyone has so much as touched the keyboard,
much less done "rm -r /" or whatever it is you're afraid of.

I'm afraid you'll have to forgive me if I find the probability of
someone improperly accessing your headless colo'd box rather low. I
invite you, though, to create some form of logging protection system
for the box. Put the box in a colo, and then in 3 years send us your
logs. I guess we'll see how many people tried to get into your cpu
server.

John

-- 
"Object-oriented design is the roman numerals of computing" -- Rob Pike