On the topic of sniffing, I found out one day at an internship just how trusting the internal network was. I was setting up a Linux box basically to use for monitoring of customers with problems (see also: for the hell of it) and for some reason I figured it would be good to install Ethereal just in case it was needed (was interning at an ISP just for some background), so naturally it needed to be tested as well... wow, was that a scare when it suddenly started showing up all the internal traffic and passwords galore!
I don't think I've ever wanted to close a window so fast in my life. Came to find out later that the internal network actually had two freaking hubs as the center points of it all; I wouldn't have believed the guy when he told me except for the fact we were standing right next to the two boxes! Sounds like it's a rare occasion but this was an ISP with on the order of 35-40,000 customers. More on-topic, we used telnet for managing the ERX, probably the Juniper M10i, and also a few of our more ancient DSLAMs out in the field, so I can only imagine that learning the admin passwords to all the core gear would have been a trivial matter of waiting for someone to log in to it. I might have been a level-headed non-douche intern during my time there but I'm sure there were some wanna-bes there that would have not taken the high road when presented with such a tempting target.