Insecure Servers | Media | Chicago Reader

News & Politics » Media

Insecure Servers

A high-tech company gets ripped off for the fourth time in a decidedly low-tech fashion.

by

comment

We think we know cybercrime. Those white-collar scuzzballs Woody Guthrie sang about, the ones who used to rob us with a fountain pen instead of a six-gun, now tap a few computer keys instead.

But the October 2 heist at 900 N. Franklin was curiously old-fashioned. Instead of hacking into cyberspace, a crew of thieves sawed through a wall and carried away about 20 high-end servers worth tens of thousands of dollars. They probably even worked up a sweat.

This was the fourth time in just over two years that someone did a job at the colocation center operated in Chicago by the Dallas-based C I Host. Coverage of the latest crime was a lot more state of the art than the crime itself. For a month the news spread on Web forums as a slurry of facts and rumors. A formal news story finally appeared on November 2, written by Dan Goodin, a reporter in San Francisco, for the British e-magazine the Register. According to Goodin, C I Host clients were complaining that it took the company "several days to admit the most recent breach," telling them at first that their servers were merely inoperative "because the company had a problem with one of its routers."

A colocation center accommodates online businesses that want their servers off-site: it offers space, power, cooling, massive bandwidth, and high security. By comparison, Equinix, whose colocation center near McCormick Place is described as state of the art, occupies its own building and sends out guards to check any car parked alongside it for more than five minutes. The gauntlet clients must run to reach their servers combines biometrics with pass codes, more guards, and a series of locked doors. That kind of protection isn't cheap. James Ruffer, a C I Host client with a small start-up business, says he's been paying C I Host $3,800 a year to house his servers and believes Equinix would charge him twice to four times as much.

C I Host rents about 10,000 square feet of space on the third floor of an eight-story brick building. (The company's Web site lists "no signage, nondescript building" as a security feature.) Visitors are buzzed in from the street, but any tenant can do the buzzing. If they're at all brash, intruders can slip in as tenants come and go. And once they're inside the building—well, the plaster dust that's still on the hallway carpet outside C I Host's quarters tells a tale of the possibilities.

Some C I Host clients pay extra to keep their servers in locked cabinets, but far more sit on exposed racks. The company's Web site touts "proximity card readers, biometric access controls and key pads," but when I went in with a client, the guard checked the client's ID and paid no attention to me, let us into the server room, and disappeared into his office. Imagine a bank that checks your credentials before allowing you into the vault where the lock boxes are and then leaves you there. Further, imagine that most of the other lock boxes aren't locked.

And imagine a vault with plaster walls.

Police say no security guards were on hand at the time of the October 2 break-in, which happened after midnight. When an employee showed up in response to the burglar alarm he was Tasered by one of the intruders. A nondescript building is no protection against an inside job, which is the theory that seems to be favored by the police, clients, and C I Host itself.

"Where they cut the wall was very specific. If they'd cut a foot to the left or right they'd have hit something that wouldn't allow them in," says Ruffer, who lost "two high-end Dell servers and one high-end Sonic Wall router" he values at $20,000. "My servers were in a locked cabinet and the keys were locked up in a box that only the manager has. I don't even have keys. There were many more servers in my rack, but they only took the high-end servers."

A few days after the Register broke the story of the heist, a more in-depth account ran in another e-magazine, Web Host Industry [or WHIR] News. Reporter Anastasia Tubanos wrote that although C I Host's corporate counsel, James Eckels, described the robbers as sophisticated, familiar with the company's operations, and technologically savvy, he also argued that some responsibility for the security breach falls on the building's owners and even its environment—a "bad area of town." (A post attributed to Eckels on webhostingtalk.com asserted, "Please understand that the improvements we have made and will continue to make will not be released for security purposes." Skeptical readers wondered why not.)

Eckels was quoted by WHIR as advising clients who lost gear not to count on being compensated in dollars: "We don't have money to give them. We're just as victimized as our customers. They came to us because we offered them cheap colocation services. They think because we're a corporation we have lots of money, but we make our money through volume. If we had the money, we would give it to them."

Eckels went on, "We've got nothing to hide, even though people have been saying otherwise online. The forums have been a bed of misinformation—extortion compounded with defamation. One of the biggest mistakes is that people are talking about four robberies. A robbery means that property has been seized through violence or intimidation. C I Host has technically only been robbed twice in two years. The other two were break-ins where things were stolen, but not robberies."

Needless to say, this hair-splitting attempt to make matters sound not quite as bad as they were was promptly ridiculed on those same forums. I tried calling and e-mailing Eckels to ask if he'd been quoted accurately. I also tried to reach the company's vice president of communications. No one ever responded. The corporate leaders are apparently much harder to get to than the servers at 900 N. Franklin.

The earlier break-ins were in September 2006, September 2005, and August 2005. A C I Host client who's been there for the duration tried to explain to me why he's stayed. "Each outage or problem and cihost is quick to give bandaid fixes and/or compensation," he e-mailed me. "A free month of service here. They upgrade you from 1/4 rack to 1/2 rack free for your troubles. They keep you enticed so you'll stay and give them money and you get further in a hole that in the end makes you stay even when you should leave.

"Personally we lost 4 servers and just under $5,000 in equipment last year. Since then we have taken strong metal cable and literally cabled our servers into our cabinet with a padlock. This was our way of protecting our gear and it seemed to have worked so far. Unfortunately others were not so lucky.... I personally know one customer who had a full locking cabinet that was locked. They either busted the lock, used the employees key or just pried the cabinet open to steal his servers this last time."

James Ruffer's little start-up had only two contracts, and when he lost his servers he lost the bigger of the two, worth $10,000 a month. "We're still down," he says. He contacted a lawyer he'd done some work for a while back, and now the Loop firm of Kalcheim Haber & Kuzniar is preparing a suit on behalf of a dozen or more clients whose total loss, in equipment and business, Ruffer estimates at about three-quarters of a million dollars. "We're attacking the whole enchilada, not just this [latest] incident," says an attorney on the case. "It won't be an easy case, because C I Host has an agreement [clients sign] that says we're not responsible for anything even if we're negligent. It's probably not enforceable, but we'll see."

A-Rod Made Them Do It

Last month Yankees slugger Alex Rodriguez and his agent, Scott Boras, did something the press decided was shameless: the night of the fourth—and, it turned out, final—game of the World Series, they announced that Rodriguez wouldn't re-sign with the Yankees. He was declaring himself a free agent.

The press so quickly and universally condemned Rodriguez for this grandstand act that Boras was able to guarantee his client even more headlines by apologizing. An editorial in the Yakima Herald Republic denounced Rodriguez for a "tacky upstaging of professional baseball's premier event." A columnist at the Rochester Democrat and Chronicle managed to scold Rodriguez for "upstaging the game's biggest night" in the course of a piece on the lessons fathers teach their sons.

Headline at a CBS Web site: "MLB Irate at A-Rod for Upstaging World Series." Headline in Tampa's Sun Journal: "A-Rod's agent apologizes for upstaging World Series." And lest you think journalism was hopelessly wedded to the word "upstaging," Bill Madden of the New York Daily News found another way of putting it: Rodriguez was someone "who would blatantly put himself above the game."

You'd think Rodriguez and Boras had reduced the World Series to a couple of lines of agate type. Nothing like that happened. But if Rodriguez did get more coverage than he deserved, he didn't get it at gunpoint. Newspapers have a wonderful way of doing what they want to do, only to later complain that the devil made them do it, following up with a think piece lecturing the devil for setting a bad example.v

For more, see Michael Miner's blog, News Bites, at chicagoreader.com.

Add a comment