On Fri, May 10, 2013 at 5:50 AM, John Macleod <jcdmacleod@me.com> wrote:
I see the points on both sides here.  Is what is being sent an issue?  From what I see, no.

However, the fact that it is has at least breached one of my contractual agreements, and even having been an Observium user for a long time, I wasn't aware of this either, and I have read much of what is online, docs-wise.  I haven't read the contents of all files, as I shouldn't need to.  At least if I get a security team RFI I can reply with knowledge vs. finding out the hard way - now that I wouldn't have been happy with.

I think your complaint is legit -- but I think if your contract terms cover this kind of thing strictly, you should probably set up firewalling on the server to prevent outgoing connections except to whitelisted hosts.  That way you aren't depending on software playing nice.

I do this with many of our servers; a web or database server that accepts connections from the Internet shouldn't be connecting *outward*, except to a small set of update servers and the like.  If something breaks it's pretty easy to determine from the firewall log what I need to whitelist.

--
David Brodbeck
System Administrator, Linguistics
University of Washington
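The egress policy David describes above, as an added example that is not part of the thread or of Observium: a shell script that emits a default-drop nftables ruleset for the server's outbound traffic (replies to inbound connections, loopback, DNS to the local resolver, and HTTP/HTTPS to an allowlist of update hosts are the only things let out; the first packet of anything else is logged, then dropped by the chain policy), plus a helper that reads the resulting kernel-log lines and tallies which destination/port pairs were blocked, which is the "what do I need to whitelist" step. The resolver address, update-host addresses and the log lines are constructed placeholders, not real infrastructure.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Observium.
# Addresses below are documentation ranges used as placeholders (assumption).

# Emit an nftables ruleset with a default-drop OUTPUT chain.
# $1 = local resolver address; remaining arguments = allowlisted update hosts (IPv4).
egress_ruleset() {
    resolver="$1"; shift
    allowed=$(printf '%s, ' "$@"); allowed="${allowed%, }"
    cat <<EOF
table inet egress {
    set update_hosts {
        type ipv4_addr
        elements = { $allowed }
    }
    chain output {
        type filter hook output priority 0; policy drop;
        # replies to inbound connections: the web/database traffic the box exists for
        ct state established,related accept
        oif "lo" accept
        # name resolution, only to the resolver we control
        ip daddr $resolver udp dport 53 accept
        ip daddr $resolver tcp dport 53 accept
        # package mirrors and similar update servers, HTTP/HTTPS only
        ip daddr @update_hosts tcp dport { 80, 443 } accept
        # anything else: log the first packet of the flow, then the chain policy drops it
        ct state new log prefix "egress-drop: " counter
    }
}
EOF
}

# Summarise logged drops from kernel-log lines on stdin (standard netfilter log
# format: ... OUT=eth0 SRC=... DST=... PROTO=TCP SPT=... DPT=... ).
# Output: "<count> <proto> <dst>:<dport>", most frequent first, so the list reads
# as a set of candidate allowlist entries.
dropped_destinations() {
    grep 'egress-drop:' | awk '
    {
        proto = ""; dst = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (dst != "") count[proto " " dst ":" dpt]++;
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Constructed sample of what the log rule above produces (plus one unrelated
# kernel line that must be ignored). Not captured from a real system.
SAMPLE_LOG='May 10 05:50:01 web1 kernel: egress-drop: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
May 10 05:50:02 web1 kernel: egress-drop: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
May 10 05:50:03 web1 kernel: egress-drop: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.4 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40000 DPT=123 LEN=56
May 10 05:50:04 web1 kernel: something unrelated OUT=eth0 DST=192.0.2.1 PROTO=TCP DPT=22'

# Run directly: print the ruleset for two update hosts, then the drop summary.
egress_ruleset 192.0.2.53 203.0.113.7 198.51.100.4
printf '%s\n' "$SAMPLE_LOG" | dropped_destinations
```

Write the ruleset to a file and load it with `nft -f`; the logged drops land in the kernel log (`dmesg` or `journalctl -k`), which is where `dropped_destinations` expects to read from. Two caveats a practitioner would want: the allowlist is by IPv4 address, so mirrors fronted by a CDN will change addresses and show up in the drop summary again, and an IPv6-capable host needs a matching `ipv6_addr` set and `ip6 daddr` rules, otherwise its v6 egress is simply dropped.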