Trust rack space provider?

Richard Welty wrote:

On Tue, 25 May 2004 19:00:44 -0400 "Marsh J. Ray" <marsh-obsd_(_at_)_mysteray_(_dot_)_com> wrote:

Write the root password on the front of the CPU box. Put it on the back of a business card and tape it on upside down and backwards so you can flip it up to read it.

that's fine as long as there is decent access control to the password, but
you'll never catch me doing that.

Access control to the password is pointless if you don't control access to the box itself that can be compromised with a boot floppy.

i'm familiar with an incident where a "friendly" foreign power infiltrated agents
onto the staff of a janitorial firm that did the outsourced service for a US Army
research facility. they got quite a lot of data out of the trash cans.

And how hard would it have been for them to use a boot medium to vacuum the data, insert a backdoor, etc., and explain later that they accidentally "tripped" over the power cord or something?

from http://text.staticfree.info/computer.folklore.from.net.rumors.html :
   Reminds me of the Arpanet site that used to crash frequently
   right around the end of the day.  Seems the cleaner plugged the
   floor buffer into a convenient 100AC outlet - the one inside the
   IMP cabinet.

this is why i'm hell on people who put passwords on postits on their monitors.


I didn't suggest putting them on the user's monitor, I said the server box itself.
Your physical safe idea is a good one, too.

I guess this is security related, maybe a little off-topic, but a serious question.

Question: how (or even) can I host a server at a "rack space" provider without complete trust in their staff?

- Marsh