It has nothing really to do with that.

To this day I can get into pretty much any rack or room I feel like at datacenters everyone here has heard of. It just takes experience these days and a bit of charm. Plus having a million keys and staff rack combination codes doesn't hurt. These were freely given and simply added to my collection over time, nothing stolen or social engineered.

I've never done anything nefarious with these abilities, and no one I know has either. It's simply a matter of practicality when you staff a 150,000 square foot facility with 2 security guards who have no idea what they are doing.

If I (and many others) had wanted to, we could have caused multi-week/month outages you'd be reading about on the news with 5 minutes of effort. This is basically the status quo for any sensitive industry.

The world turns because 99.9999% of people want to give you a hug vs. hit you. Society falls when that ratio goes much lower.



That won't work everywhere. I've been to a datacenter in London around 2010 where the entry was similar to the automated airport passport booths. The doors would not open if you were not registered for a visit and there were no visible guards (I hope someone was around in case you got trapped...) I wanna say it was Telehouse West, but my memory is not great.


This is not my experience at all (I frequently visit datacenters for my job). At the main entrance, anti-tailgating locks requiring an electronic badge + fingerprints are the norm. Once inside, electronic badges are required at all doors and in the lifts to navigate the building. Badge + fingerprint to enter server rooms.

Deliveries are only received under the supervision of a DC employee (or received directly by a DC employee) and must go through a lock to enter the building. No extern (delivery person or w/ever) is allowed in (if somebody sneaks into the lock, the guard never opens the second door obviously).

The biggest weakness imo (but it still requires a bit of insider access, so it's not completely out in the open for anybody to exploit) is that the registration process for new access requests seems fairly weak security-wise. It's usually a simple email from the client to the DC provider with the date of the intervention and the identity of the person. Will the DC provider notice if the access request is sent from a spoofed domain? Or from a legitimate domain but by a person other than the one who's accredited to issue access requests? Will they notice if the person who shows up for the intervention has a fake ID?
