by storyinmemo 899 days ago
Hey friends, use 802.1X for your datacenters and enterprise (certificate) WiFi auth so you can audit and rotate credentials to prevent... exactly this problem. Everything else IoT-like gets a very limited VLAN / alternate WiFi network.

From the OP on Reddit at the time:

Good points. The problem is, there are over 1000 people coming and going every day, the site has a BYOD strategy and the IT team is 4 people. We tried implementing 802.1X for LAN devices but it was so much overhead that we dropped that.

The thing of this case is that the person was only able to place the Pi there because he had a key to the network closet. That's game over no matter how many security protocols you implement.

We did change the server passwords, though.

OP here. What I didn't mention in the article is that this actually happened in a public school (small-ish for US standards as there are just ~1000 students and 100 teachers).

Hard to get the budget for serious switching hardware, even harder to get people who know how to manage them, as I'm just an external contractor but can't exceed the allotted budget for my work there.