Contact for va.gov
Mike
mike-nanog at tiedyenetworks.com
Fri Apr 15 03:28:00 UTC 2011
On 04/14/2011 07:54 PM, Nathan Eisenberg wrote:
>> Is tracking down the original user and letting them know about the
>> config leak a standard practice, necessary or "the right thing to do"?
>
> Municipal networks often provide some emergency services, and we all know what the VA provides. Once you know whose gear it is, I guess you have to decide if you'd be willing to have a little bit of that organization's (or their patrons) blood on your hands.
>
> Especially in the case of the VA, for me, the answer is 'hell no'. If it was "Joes defunct sprocket startup", I'd likely just format flash: and move on.
>
>
A few months back I had exactly this situation - I bought a switch off
ebay that was still loaded with it's config, and it had come from
yahoo.com. Now, I am the good netizen and I flagged them about this and
was able to help them find the source which I assume they 'fixed' this
leak. The data in the fig file could have been (mis)used to yahoo's
network security disadvantage and wherever you stand I think we all can
agree that cluing them in was the right thing to do. But for someone
else's startup, probably would not have bothered.
Mike-
More information about the NANOG
mailing list