[jcims]

Not even limited to 'the government'. Improperly sanitized network gear shows up in second-hand markets all around the world. Happened at a former employer of mine and a 'finder' attempted to extort us over it. VPN PSKs on the equipment were still in use in the field (no PFS either, so years of captured content could ostensibly have been decrypted).

Even equipment that appears to have been cleared out is probably hiding secrets in flash. The vendor of the equipment in this case had a separate command to wipe file contents. Deleting files just unlinked them in the flash fs.

[jlgaddis]

Yep, I personally bought a Cisco firewall off of eBay several years ago that still had its entire configuration on it, including the PSKs for several IPSec VPN connections as well as SNMP (v2) communities, weak "type 7" hashes for local user accounts, the shared secrets for a pair of RADIUS servers, and so on.

Pretty much all of them (with the exception of the VPN PSKs) were sufficiently "generic" enough that I was convinced that they weren't device-specific, i.e., they were probably shared across many such devices.

According to the login banner, the firewall came from a casino.

I'm certain that my experience was not a unique one.