
Datacenter Security: A Cautionary Tale from Last.fm - danw
http://russ.garrett.co.uk/2009/03/12/datacenter-security-a-cautionary-tale/
======
swombat
Having just been burgled last week (my flat, not my data centre) and lost 3
laptops, including a precious MacBook Pro, to it, I can certainly relate to
the feeling of insecurity.

After I was burgled I was reminded of a Chinese proverb that goes along the
lines of: "A room full of jade and gold, nothing can guard it." The point of
it is that if people know you have lots of precious stuff in your room, you
won't be able to stop them from breaking in eventually.

In my case, my laptops were visible from the street while I worked (my home
office faces the street), even though I normally close the curtains in the
evening, and that was probably the determining factor in drawing the burglars
in. They only needed to notice the laptops once and then keep hanging around
until they saw an opportunity.

As far as data centres are concerned, qualified thieves will obviously know
for a fact that there's good stuff to be had there. If you do have such
expensive, custom equipment, perhaps the only thing you can do to protect
yourself is to disguise it as something else. You can't disguise the whole
data centre, but you can disguise racks.

One possible way to do this on a large scale would be to render the server
cabinets opaque, so that there is no way to identify the high-price ones from
the lower price ones. This would make it harder for the thieves to "do
business", so to speak, so they may head elsewhere because it's just not
convenient.

~~~
kenver
I'm not sure if it's intentional, but the data center we use in Sheffield
looks like an absolute tip from the outside. It just looks like your average
inner-city, run-down, squatter-filled mess. Inside it's another story though,
so I think you can disguise a data center!

------
jwb119
I'm curious as to how the black market on something like this would work. My
knowledge is limited on the chips themselves, but they seem like something
that would likely only be purchased by companies serving a high volume of
traffic (thereby making the chips hard to sell on the black market because of
the reluctance of large companies to deal with second-hand goods of
questionable origin).

~~~
wmf
The market for Cisco equipment is large and diverse (not just Web 2.0s but
ISPs, enterprises, universities, etc.), there are plenty of vendors of used
Cisco equipment, and given the economic collapse more people are buying used
equipment. In particular, the Cisco 6500 is a _very_ popular family of
switches.

~~~
aminuit
Cisco frowns upon purchasing second hand equipment from "unlicensed" vendors.
They claim that their software is non-transferable meaning that you
technically don't own any of the IOS that comes with used routers. So if you
need an upgrade or security update you are basically screwed until you fork
over a ton of money.

http://www.cisco.com/en/US/prod/hw_sw_relicensing_program.html

~~~
forkqueue
But the thieves weren't stealing the routers - they were stealing parts to go
in the routers.

~~~
russss
The most valuable cards are the supervisor modules, which are the ones which
actually run the IOS. But I wouldn't be surprised if the Cisco licensing
agreements apply to all their cards.

All the cards have some pretty clever distributed forwarding smartness in
them.

------
bretthoerner
The most interesting thing to me was: "They were taken to court ___the
following day___ and pled guilty, sentencing to follow."

That's pretty speedy, but I guess it shows how little I know about the UK
judicial system / government.

~~~
russss
Believe me, I was as surprised as you are :).

(I wrote the article)

------
bprater
As a network neophyte, what are the "cards" they are talking about in the
article?

~~~
tptacek
The line cards in the Cat6k. The Cat6k is Cisco's flagship product, a layer-3
switch. By itself, it's a refrigerator-sized empty chassis. Add a "SUP" card
to it, which is roughly the shape of an oblong pizza box, and you have
something you can run Cisco's OS on. Plug line cards into it and you have
places to plug networking cables of varying types. The line cards themselves
have processors and various ways of interfacing to the backplane in the
chassis.
