Comment by treesknees
4 years ago
The students were extremely lucky.
The advice given to me in high school (I was working on tech projects after school for several teachers and groups) was to not even try or explore poking around the IT networks it no matter how good my intentions were. All it takes is one grumpy school administrator to feel undermined or to misunderstand your report and you could be expelled.
When you're in a position like a student, you're still working your way up and building credibility. No need to risk it all for an IT group that doesn't want your security advice and didn't ask for your help.
Seconded, the same advice has also been given to me back in India.
"Know where your boundaries are and who your stakeholders are, don't do anything that will make your stakeholders look bad." It's a life advice given to me by my high school teacher that served me well in my professional life.
Yep - I, like many of my friends and people who are naturally curious and work today in "Cybersecurity" had fun, poked around - but once you found little data troves - it reveals how inept alot of people can be.
And you just volunteer to be thrown under the bus as that "hacker."
Anonymous, maybe. As a student, under 18 - you're "immune" from many things - but it can be a stain.
It doesn't stop at the student level. Find something at the corp level with an arrogant IT dept, and you'll find yourself in uncomforatable situations as well.
It's always fascinating how dramatically different schools can be. When I was in high school, in the late 1990s, nobody would have cared so much about something along these lines. At worst it would have resulted in a three day suspension from school and lecture from the principle.
He had already graduated, so expulsion wasn't an option.
Expulsion is one of the friendlier outcomes. Federal prosecution and prison time are also very realistic options here. It's happened to other well-meaning kids on many occasions.
He had already graduated when he wrote his blog post and told them, he was still a student when he performed the hacking.
I realize this is conjecture but I'm giving an example. Speaking from experience receiving "security reports" from users and students, often times they fail to understand the full picture of IT. As a student with no buy-in from the stakeholders, the risk isn't worth it.
For example, let's say this IoT network was managed by a vendor who, while having sloppy configuration practices, also had network monitoring looking for APT/anomalies (such as new connections in off-hours or unusual connection rates or bandwidth usage.)
While the student thinks they're being sneaky and hacking the system at night, opening ssh connections to a hundred devices from his laptop, there are now reports and alarms going off on a monitoring system. Some basic timestamps and VPN access logs would be enough to point to the student. So this student thinks they're creating an anonymous harmless prank, but the IT department is already investigating a malicious actor on their network. How do you think this would end?