Friday, 30 September 2011

Every Application and Device Needs a Retirement Plan

Here's a great headline that grabbed my attention this morning:
Air traffic control data found on eBayed network gear

Turns out this fellow in the UK bought a Cisco switch on Ebay for £20.    When he saw the sticker on the back that said NATS (National Air Traffic Services), he started poking around.

He found internal VLAN estate data, information about the SNMP community strings (read and write, named after aircraft funnily enough), some ideas about password composition, VTP Trunk info and password, and details of upstream switching.   Enough that it would allow you to plug it into a port connected to the NATS network and 'become' part of the network, allowing you access to all the network traffic.

My first thought after reading this article?    How does the NATS in the UK not have a retirement/decommissioning plan that would have addressed this?    After all, the UK was the country that developed the ITIL framework, and system decommissioning is a core part of the service lifecycle.

Reference: http://www.theregister.co.uk/2011/09/30/nats_switch_fail/