zlacker

[return to "IoT hacking and rickrolling my high school district"]
1. belval+j2 2021-10-12 19:50:56
>>revico+(OP)
The fact that the administration didn't choose to sue them to oblivion is refreshing. I hope we'll see a trend in the future of educators being smart enough to admit that they made a mistake and to encourage the students to develop their talent.

One can only hope.

2. nielsb+B4 2021-10-12 20:02:59
>>belval+j2
Probably helps that "We prepared complete documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. We gave a comprehensive 26-page penetration test report to the D214 tech team and worked with them to help secure their network."

3. IshKeb+C5 2021-10-12 20:08:29
>>nielsb+B4
That hasn't helped in the past. Frankly I think they were naive to reveal themselves no matter what the authorities said. It hasn't gone nearly as well for other people.
4. treesk+d7 2021-10-12 20:17:08
>>IshKeb+C5
The students were extremely lucky.

The advice given to me in high school (I was working on tech projects after school for several teachers and groups) was to not even try or explore poking around the IT networks, no matter how good my intentions were. All it takes is one grumpy school administrator to feel undermined or to misunderstand your report and you could be expelled.

When you're in a position like a student, you're still working your way up and building credibility. No need to risk it all for an IT group that doesn't want your security advice and didn't ask for your help.

5. colinm+Ye 2021-10-12 21:00:58
>>treesk+d7
He had already graduated, so expulsion wasn't an option.
6. treesk+Jr5 2021-10-14 14:50:38
>>colinm+Ye
He had already graduated when he wrote his blog post and told them; he was still a student when he performed the hacking.

I realize this is conjecture, but I'm giving an example. Speaking from experience receiving "security reports" from users and students, oftentimes they fail to understand the full picture of IT. As a student with no buy-in from the stakeholders, the risk isn't worth it.

For example, let's say this IoT network was managed by a vendor who, while having sloppy configuration practices, also had network monitoring looking for APT/anomalies (such as new connections in off-hours or unusual connection rates or bandwidth usage).

While the student thinks they're being sneaky and hacking the system at night, opening ssh connections to a hundred devices from his laptop, there are now reports and alarms going off on a monitoring system. Some basic timestamps and VPN access logs would be enough to point to the student. So this student thinks they're creating an anonymous harmless prank, but the IT department is already investigating a malicious actor on their network. How do you think this would end?

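The kind of monitoring the comment above sketches (alerting when one source opens SSH sessions to many hosts in the middle of the night), as an added illustration that is not part of the thread or the district's tooling; the log format, the 22:00 to 06:00 off-hours window, the five-target threshold and all addresses are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log, one "YYYY-MM-DD HH:MM:SS src dst port" per line
# (invented for this example; not data from the thread or any real network).
SAMPLE_LOG = """\
2021-04-29 02:11:03 10.50.7.23 10.60.1.10 22
2021-04-29 02:11:04 10.50.7.23 10.60.1.11 22
2021-04-29 02:11:04 10.50.7.23 10.60.1.12 22
2021-04-29 02:11:05 10.50.7.23 10.60.1.13 22
2021-04-29 02:11:06 10.50.7.23 10.60.1.14 22
2021-04-29 02:11:07 10.50.7.23 10.60.1.15 22
2021-04-29 23:30:00 10.50.8.1 10.60.1.10 22
2021-04-29 14:03:10 10.50.9.5 10.60.1.10 22
2021-04-29 14:03:11 10.50.9.5 10.60.1.11 22
"""

OFF_HOURS = (22, 6)          # 22:00 to 06:00 local time (assumed site policy)
THRESHOLD = 5                # distinct SSH targets from one source before alerting
WINDOW = timedelta(minutes=10)

def parse_line(line):
    """Split one log line into (datetime, src, dst, port)."""
    date, clock, src, dst, port = line.split()
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), src, dst, int(port)

def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end

def find_offhours_ssh_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src: sorted distinct targets} for each source that opened SSH (port 22)
    sessions to >= threshold distinct hosts within one window during off hours.
    A single late-night login or a daytime admin sweep does not trigger."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 22 and is_off_hours(ts):
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()                       # sliding window over time-ordered events
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[src] = sorted(targets)
                break
    return alerts
```

Run against the sample log, only 10.50.7.23 is reported; the daytime fan-out from 10.50.9.5 and the lone 23:30 login from 10.50.8.1 stay below the bar, which is the point of combining time-of-day with a rate threshold rather than alerting on either alone.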