Comment by treesknees

He had already graduated when he wrote his blog post and told them, he was still a student when he performed the hacking.

I realize this is conjecture but I'm giving an example. Speaking from experience receiving "security reports" from users and students, often times they fail to understand the full picture of IT. As a student with no buy-in from the stakeholders, the risk isn't worth it.

For example, let's say this IoT network was managed by a vendor who, while having sloppy configuration practices, also had network monitoring looking for APT/anomalies (such as new connections in off-hours or unusual connection rates or bandwidth usage.)

While the student thinks they're being sneaky and hacking the system at night, opening ssh connections to a hundred devices from his laptop, there are now reports and alarms going off on a monitoring system. Some basic timestamps and VPN access logs would be enough to point to the student. So this student thinks they're creating an anonymous harmless prank, but the IT department is already investigating a malicious actor on their network. How do you think this would end?