
More abandoned-data follies

January 1, 2007

Picture this: a Unix guru finds a Sun UltraSPARC server at the Goodwill store for $12. How could he resist taking a look at it? What would he find?

Elliott writes:

I found a lot. A scary amount. Whoever previously owned the box hadn't cleaned up very well. The UltraSPARC had been used to run Oracle databases for several large companies that you all have no doubt heard of. Yes, the databases were intact. But this is only the surface. Deep within the vaults of the /opt directory, I noticed a 'backup' directory. Turns out one of the admins for this box made a complete backup of his personal Windows computer, including his Palm OS-powered cell phone, blueprints for his house, family pictures, plain-text password lists for the companies he worked for, and the greatest gem of the entire collection: 1200 dpi scans of his and his wife's US passports. I mean, what can I say?

(Source: Elliott Writes, "Sun Ultrasparc with 9 Ethernet ports")

Wow! A very unfunny assortment of data to leave lying around. Luckily the system was found by someone with a conscience. After erasing the data, Elliott went on to beef up the system with eight more Ethernet ports and NetBSD. It would make one hell of a firewall in that configuration: why buy a router when you have a *nix box with that many ports? Very, very cool.

I have written about this issue before, but that was about personally-owned machines. It makes you wonder: what are the equipment-disposal policies of your company's IT department, and does anyone actually verify that the disks are wiped before hardware goes out the door? And since several companies' data was on this one machine, the same question applies to the data-storage, offsite-backup, and transaction-hosting subcontractors your company uses. There is almost certainly something about this in Sarbanes-Oxley (SarbOx); individual network administrators could use it to push awareness at the corporate level if the CIO is sans-clue.
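The cleanup the previous owner skipped, as an added example that is not part of the original post or of Elliott's write-up: a small POSIX sh script that first counts obvious residue on a disk (a case-insensitive marker such as `password`, so you see what is about to leave the building), then overwrites the whole device with zeros from /dev/zero and reads every byte back to confirm the wipe actually landed. It assumes `dd`, `od`, `sync` and `grep -o` as found in GNU or BSD userland, and `blockdev` (Linux only) for sizing a real block device; the marker string and any image you rehearse on are constructed for the demonstration, and the device path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): wipe a disk and prove it.
# Assumptions: POSIX sh with dd, od, sync and grep -o; blockdev (Linux only)
# is used to size a real block device. Rehearse on a file before a real disk.
set -u

# Size of a device or disk image in bytes.
device_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"          # Linux block device; needs root
    else
        wc -c < "$1" | tr -d ' '           # regular file standing in for a disk
    fi
}

# Count occurrences of a case-insensitive marker string on the raw device,
# e.g. 'password', to get an idea of what the disk is carrying.
residue_count() {
    grep -a -o -i -- "$2" "$1" | wc -l | tr -d ' '
}

# Overwrite every byte with zeros, flush, then read every byte back and
# confirm none is non-zero. Returns 0 only when the read-back verifies.
wipe_and_verify() {
    dev=$1
    size=$(device_size "$dev")
    bs=4096
    whole=$((size / bs))
    rest=$((size % bs))
    # conv=notrunc keeps a file at its original length, like a fixed-size disk.
    # The count=0 guard matters: some dd implementations treat 0 as unlimited,
    # which with /dev/zero as input would never stop.
    if [ "$whole" -gt 0 ]; then
        dd if=/dev/zero of="$dev" bs="$bs" count="$whole" conv=notrunc 2>/dev/null || return 1
    fi
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/zero of="$dev" bs=1 count="$rest" seek=$((whole * bs)) conv=notrunc 2>/dev/null || return 1
    fi
    sync
    # od -v prints every byte (no '*' run suppression); after stripping
    # whitespace and the digit 0, anything left over is a non-zero byte.
    nonzero=$(od -An -v -tx1 "$dev" | tr -d ' \n0' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Usage: sh wipe_check.sh /dev/sdX   (or a disk image). With no argument the
# file only defines the functions, so it can be sourced or tested.
if [ "$#" -gt 0 ]; then
    echo "matches for 'password' before wipe: $(residue_count "$1" password)"
    if wipe_and_verify "$1"; then
        echo "wipe verified: every byte reads back as zero"
    else
        echo "WIPE FAILED: non-zero bytes remain" >&2
        exit 1
    fi
fi
```

The read-back is the point: a wipe that nobody verified is how a box like this ends up at Goodwill with the databases intact. A single zero pass is adequate for the spinning disks in a 2007-era Sun box; for flash media, overwriting through the block layer can miss remapped cells, so use the drive's own secure-erase command or destroy the device, and for anything leaving a subcontractor's hands, full-disk encryption from day one means there is nothing to wipe.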

Categories: Geeky, Security
  1. January 3, 2007 at 22:43 | #1

    Wow, and this is not Joe Sixpack, who might not know any better. Anyone with root access to this surely knows about dd and /dev/null. The closest I’ve come to scoring anything like that at the thrift shop is some manuals for an RS/6000.

  2. January 12, 2007 at 09:53 | #2

    This almost sounds like some act of sabotage. I mean, are there any system admins out there that are truly stupid enough to let something like this get out? What the hell! I thought all geeks knew about the importance of client data, and for that matter company private data.
