Re: Proposal to have NDAs for sysadmins



2014-11-10 2:07 GMT+01:00 Olav Vitters <olav vitters nl>:

In case of weird stuff happening, I have posted IP addresses and ranges
in #sysadmin. Non-sysadmins are in that channel. This NDA is too black
and white. Sharing a few IP addresses during investigation is totally
different from sharing the entire access log.

Honestly that's a very bad habit, you should not post any IP address
on a public channel with or without a NDA in place. The idea is to
communicate that information privately to the user having difficulties
accessing the service itself. What I generally do is:

1. check the user experiencing difficulties is really the one it claims to be
2. ask for the IP to be sent privately to start diagnose
3. keep chatting privately or switch to the public channel for other
debugging comments

Another example is for instance the access that has been granted to
someone logging into webapps or e.g. bugzilla. They'll have access to
the apache logs as well. Did a sysadmin now disclose things to a
non-sysadmin? Is that person limited by an NDA?

Well, this is very limited now that logs aren't stored on
/var/log/httpd anymore. All logs are now sent to a main logging host
(log01-back) which is only accessible by sysadmins. Just one or two
services (l10n, ego, bugzilla) have their logs exposed to one or two
people I trust for debugging purposes. (or for scripts requiring the
file to be located on the same machine as the script itself for
obvious reasons)

In the time I was only a bugmaster (not a sysadmin), I regularly
downloaded the entire Bugzilla database. Including passwords, IP
addresses and all.

Yes, and that's legit as long as you don't disclose the private
contents of the database itself which is the point of the NDA.

all reasonable steps to protect the secrecy of and avoid disclosure or
use any of this confidential information. I will notify the board in

This is too vague vague. IP addresses aren't confidential, they can
affect someones privacy. I understand the reasoning behind the text, but
it is written in a way where I could pretend that I can disclose
confidential information. The text refers to "this confidential
information" with IP addresses.

No, please read the relevant text once again:

""" I agree and confirm that I will not publish, sell, transfer or
otherwise share any information gained in the scope of my sysadmin
work for the GNOME Foundation with anyone outside the sysadmin team
and the Foundation board without prior written approval from the
board. Amongst other things, this includes user passwords for GNOME
services and IP addresses of visitors to GNOME websites. """

IP addresses are part of the items you should not publish, sell or
trasfer to anyone.

Instead it should start with confidential and privacy related information and say that these things
should not be disclosed if learned during sysadmin work.

This is exactly what the text I quoted above says. Any information you
could gather during your sysadmin work should never be disclosed to
third parties, *including* IP addresses and user passwords.

-- 
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Infrastructure Team Coordinator,
GNOME Foundation Board of Directors member,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]