Re: Contact for va.gov

[Mike <mike-nanog () tiedyenetworks com>]

On 04/14/2011 07:54 PM, Nathan Eisenberg wrote:
> > Is tracking down the original user and letting them know about the
> > config leak a standard practice, necessary or "the right thing to do"?
>
> Municipal networks often provide some emergency services, and we all know what the VA provides.  Once you know whose gear it is, 
> I guess you have to decide if you'd be willing to have a little bit of that organization's (or their patrons) blood on 
> your hands.
>
> Especially in the case of the VA, for me, the answer is 'hell no'.  If it was "Joes defunct sprocket startup", I'd 
> likely just format flash: and move on.

A few months back I had exactly this situation - I bought a switch off 
ebay that was still loaded with it's config, and it had come from 
yahoo.com. Now, I am the good netizen and I flagged them about this and 
was able to help them find the source which I assume they 'fixed' this 
leak. The data in the fig file could have been (mis)used to yahoo's 
network security disadvantage and wherever you stand I think we all can 
agree that cluing them in was the right thing to do. But for someone 
else's startup, probably would not have bothered.

Mike-