The case of the secured server

Saturday 1 May 2010

When Tabblo was being acquired by HP, we had a bunch of different HP people talking to us about all different aspects of the acquisition. The security guys were a special treat.

We were in a small rented office in Cambridge, and were going to move to a large existing HP facility in Marlborough. But we still had a month or so of being in the Cambridge office, and the security guys wanted to make sure everything was locked down. Our founder Antonio spent a couple of hours on the phone with an HP guy from Australia who wanted all sorts of details about the physical security of the office: when entering from the street, how many different doors are there? How many are secured by locks? What kind of locks? When you get off the elevator, are there ceiling tiles above you? Could you lift the tiles and climb into the offices, etc, etc, etc. We joked that this guy was going to pop out of an air duct as a surprise visit some day.

Ultimately, though, the thing that concerned the security guys the most was our Subversion server. We were a tight-fisted startup, conserving money. That meant our office space was the cheapest dump we could find, and our furniture was from Ikea. Our Subversion server was some junky Dell desktop machine stuck in the phone closet.

The security guys were very worried about the safety of this server, more than anything else we had. They asked us how we were going to move the server to the new office.

Us: "We'll put it on the van."

Them: "You can't do that."

Us: "We'll take it in one of our cars?"

Them: "Nope."

They insisted that we use a bonded mover (whatever that is) to move the server. Everything else in the office would be loaded up by regular movers onto vans and driven the 30 minutes or so to the new offices. But the server had to be moved by a bonded mover. You know, for security.

For some reason, we couldn't get a bonded mover for the day of the big move. So the regular movers came and took everything else, and left the server for later.

The next day was our first in the Marlborough office, and much of the morning was taken up with orientation, tours, unpacking and so on. I got there late, and when I did, everyone was all abuzz: the Subversion server wasn't reachable, did I know anything about it? I didn't, and calls were placed to the Cambridge landlord. Security tapes were inspected, theories abounded.

Turns out, the building janitor had taken the server.

Of course he did: put yourself in his place. He comes to the office to clean, sees that the tenants have moved out and taken absolutely everything with them, except for an old crappy computer in the phone closet. They must not have wanted it.

As it happens, we knew the janitor closet in the old building had a child's pink bike in it, so we figured it was where the janitor stashed "found" stuff. Sure enough, our server was in there with the bike. Antonio went back and got the server, put it in his car, and drove it to Marlborough.

The security guys had fits about us unilaterally executing plan B, but what could they do about it?

Comments

Dan Dunn 4:40 PM on 1 May 2010

Oh, what a day that was. We need DCS to provide the pictures of the server's ultimate delivery. As I recall, it came in via the helicopter pad.

Leon Matthews 3:16 AM on 2 May 2010

Silly... What could be more secure than an employee delivering it themselves?

In the day of multi-gigabyte flash drives we implicitly trust employees anyway -- the physical server is nothing but a few hundred dollars worth of hardware...

Ned Batchelder 9:35 AM on 2 May 2010

@Leon, yeah, I never understood their obsession with the Subversion server when the entire source tree was also on every developer's laptop...

Bob 12:10 AM on 3 May 2010

The corporate policy of the three-letter-acronym company I used to work for was that any local copy of your email had to be encrypted. They had no such policy about source code on the same machine.

mikey 8:47 AM on 4 May 2010

Great story!
