Is it acceptable to do a security test on a company's open WiFi before an interview?

Question

I was invited to an interview for an IT position in an organization called XYZ.

While waiting in the lobby, I found an open WiFi network called XYZ. I connected to it and was greeted with a web page requesting for a username and a password. I ran a scan of the connected devices using Fing (an app on android) and found that there are some laptops with names XYZ-HR-1 and XYZ-FN-1.

In the interview, I told them that since my position entails some security aspects, I found that the open network is a security vulnerability in their network.

The IT manager was impressed but the HR representative was not, and acted defensively and said that I am not hired yet to check out their network security. I told them that this is a serious issue and should not wait until I or anyone else be hired.

Was I right in telling them that I did that? Did I kill my chances with them? Should I do it again with other job opportunities (if something is discovered by accident)? How can I gain an edge in the interview with this kind of information?

Comments are not for extended discussion; this conversation has been moved to chat. — Jane S, May 21 '18 at 06:37
When you ask if it is acceptable do you mean if it helps your chances to get the job or if it is legal? — Mr Me, May 22 '18 at 10:18

score 296 · Accepted Answer · edited May 21 '18 at 16:46

296

A stunt like this would - in most environments - be a show-stopper from HR. The reason for this is very simple: You knew what you were doing, and it was none of your responsibilities to perform the test.

If you happened to come across the issue in a "The shares showed up in the windows explorer" way it would probably have been ok. But a security professional needs to know that running a network scanner on a network, where this was not agreed to by the admin of the network, is definitely under the category "not nice" to "hostile". It may also cause real cost e.g. when you trigger a false alarm. I once wasted a few hours trying to find the source of a scan which some punk from some other department ran without our permission (or anybody else on the internal network).

Depending on the circumstances, one could also imagine that the network is not visible until you are inside the company area. I once worked on a site large enough that you would not see a wifi signal from the outside (without very special measures). In that case there would even be a breach of trust. (I know that it's still not a good idea to run an open wifi, you know, IT guys know, but I don't know if management and HR knows or wants to hear).

edited May 21 '18 at 16:46

answered May 20 '18 at 14:17

Sascha

17,910
2
39
67

2

Comments are not for extended discussion; this conversation has been moved to chat. – Monica Cellio May 22 '18 at 16:40
6

OP doesn't mention what country this was in, but in the US you should be very careful. Even a simple Fing scan could be considered a violation of the Computer Fraud and Abuse Act (CFAA) and unlawful access of a computer system. See first line of wikipedia description https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act "The law prohibits accessing a computer without authorization, or in excess of authorization" – JesseM May 24 '18 at 23:23
27

@Gabe Sechan: No. The attitude of "anything that is not successfully secured is fair game" is a telltale sign of either the kind of security idealist that will spend hours improving a lock leaving the hinges broken, or of someone who has a cavalier attitude towards the property of those who should especially be expected to trust them - which isn't good. As an IT person, if involved in a hiring decision, I would at best be asking far more questions before giving any vote. – rackandboneman May 24 '18 at 23:24
2

@rackandboneman we'd have hired him at any company I've worked at in my 17 year career, except maybe hp. I'd rather have proactive than passive. I think you've worked at horrible places. I'd he'd attempted to respond this, he'd be a non hire, but telling us about it would elevate him above the pack – Gabe Sechan May 24 '18 at 23:33
3

It's foolishly arrogant to just assume an open network is any issue at all. It's entirely possible the network and XYZ-HR-1 and XYZ-FN-1 are setup exactly as intended. – DTRT May 28 '18 at 18:38

Kate Gregory · Answer 2 · 2018-05-21T15:07:54.247

Imagine I invited you to my house for a backyard bar be que and you arrived and, while we were in the kitchen, said

I stopped by yesterday while you were at work. That fence doesn't keep anyone out. I noticed that your swing set isn't properly anchored into the ground - that could be unsafe if larger children swing really hard. Also, the spacing on your deck rails is too wide, these days code specifies X inches and you have Y.

I would be standing there with my mouth open staring at your rudeness. Nobody asked you, you didn't check if it was ok, you just intruded and now you're criticizing. Sure, children's safety on swing sets and back deck is really important. But so are the rules of polite society. A better guest wouldn't invade the back yard without consent and wouldn't blurt out an inspection report early in a conversation. Instead that guest would wait until reaching the back yard with a glass of lemonade and then say

Ooooh, a swingset. I know a little about these. Is it anchored properly? May I check?

and

You know these days deck rails are supposed to be Y inches ... It looks like yours might be older ... I can grab my measuring tape and confirm if you like?

Now you're showing your deep knowledge of backyard safety and that you possess tools, but you're not hurting anyone.

Now the point of this metaphor/analogy is not to correspond perfectly with the act of checking out an open wifi and discovering some machine names. It is to show you the emotional response this behavior can elicit. They invited you to their offices for an interview. You did something that is outside the norm of an interview, without permission or invitation, when they were not there to see you do it. And you criticized their operations in the same paragraph in which you told them what you had done. At least one of them was shocked and upset. The thought experiment above is to lead you to an understanding of those feelings of being shocked and upset.

To leave the metaphor/analogy behind, how could you have handled this better? Instead of blurting out your results early in the interview, you could have waited until discussing the security aspect and then said "a lot of good companies have no idea that their networks are vulnerable to some of the newer attacks. I could run a 5 minute scan on your guest wifi if you like." You could of course make this offer with confidence because you already did it in the lobby :-). Now you're showing your skills and your tools, in the right context, and with permission. You even set them up a face-save that it doesn't mean they're idiots if you find something. When you find it, you can tell them that you know how to change things so that vulnerability will be closed. Now they want to hire you instead of being offended.

Comments are not for extended discussion; this conversation has been moved to chat. — Jane S, May 21 '18 at 22:25
Disagreed. The correct analogy would be inviting someone to check out your house for issues (like the ones you mentioned), but before getting to know your guest or getting a chance to talk about the job, your guest already checked everything out, more than you expected. OP wasn't invited for a chit-chat, he was invited for a job. — John Weisz, May 24 '18 at 18:11
I like this answer best because the fundamental flaw is doing this without permission. "Mind if I connect to your open wifi?" "Mind if I poke around and show you what I can find?". Do that before showing off and it's much less hostile. Also, insisting that it's a security failure when you don't actually know what is being secured is a newbie mistake as bad as insisting my backyard fence is failing to secure my front lawn. — candied_orange, May 26 '18 at 11:56
Take it to chat. I have left one comment from each "side" in this argument (based on votes and convenience, 'cause I'm not digging through all that again), as an indicator of the longer discussion that was moved to chat where it belongs. Further discussion will be summarily deleted. — Monica Cellio, May 28 '18 at 18:19

score 77 · Answer 3 · answered May 20 '18 at 12:18

77

I told them that this is a serious issue and should not wait until I or anyone else be hired.

Was I right in telling them that I did that?

Lecturing an interviewer is seldom a good way to get a job.

Did I kill my chances with them?

There's no way to know the answer to that unless you hear from them directly.

Should I do it again with other job opportunities (if something was discovered by accident)?

Wait until your assessment is specifically solicited, or until you are hired.

answered May 20 '18 at 12:18

Joe Strazzere

382,456
185
1,077
1,492

1

Wanted to verify, "lecturing an interview is seldom a good way to get a job"... is this sarcasm or a typo? Maybe an explanation would be clearer? I don't think interviewers like being lectured... – Kevin Xu May 24 '18 at 21:28
6

@KevinXu Seldom means rarely so that Sentence could say "Lecturing an interviewer is rarely a good way to get a job." While an odd phrasing it is still a correct way to say Interviewers won't like a lecture. – James Khoury May 24 '18 at 23:02
In either case, its light sarcasm. Lecturing an interviewer will almost always get you rejected from the job. – Shawn V. Wilson May 29 '18 at 04:31
@ShawnV.Wilson - Lecturing an interviewer may (rarely) yield some positive points if the lecture is correct in every point and super relevant in the context; and if the interviewer has time and excellent resources to be able to verify and appreciate the facts involved post-interview, before sharing their evaluation of the candidate internally. But communication skills including politeness will be evaluated, too. "He lectured me near-rudely, he'll tend to lecture colleagues and customers on everything. Will I be able to control that risk?" – Jirka Hanika May 29 '18 at 08:07
@JirkaHanika Exactly right. That's why I said "almost". – Shawn V. Wilson May 29 '18 at 15:15

score 63 · Answer 4 · answered May 20 '18 at 19:09

63

Running a scan on their network was very ill-advised, and in some locations could have gotten you charged with a crime.

You may want to read up on the case of Randall Schwarz, a well known tech author. In the 1990's he was a contract system administrator for the super computer group at Intel. He was concerned about security in the group, so he ran a password cracker on some of his colleague's accounts. Though he was an Intel contractor, security and penetration testing were not officially in his duties, and he ended up being convicted of two felonies for his activities. Many thought the convictions were an injustice, and in 2007 the convictions were sealed. Regardless, it shows you the kind of deep water you can end up in, when you decide to help out with security vulnerabilities, without actually being asked to do so.

answered May 20 '18 at 19:09

Charles E. Grant

8,313
4
25
32

There is more to the Schwarz story than described on Wikipedia. See https://www.nytimes.com/1995/11/27/business/technology-net-intel-computer-security-expert-runs-afoul-law-so-much-for-hacker.html – May 20 '18 at 20:45
18

ran a password cracker While I sort of sympathize with Schwarz, there's no comparison with running a password cracker (invasive and dumb without authorization) and scanning an open network because, (surprise) the sole purpose of leaving a network open is to let people scan it. – StephenG - Help Ukraine May 21 '18 at 02:08
18

@StephenG Yes there is, those are about the same level of invasiveness and dumbness. – user253751 May 21 '18 at 04:17
26

@StephenG the only purpose of leaving a network open you can be sure of is to let its intended users connect to it. That may be because any member of the public is invited to connect to it but simply providing the network is not an explicit invitation. Not to connect, and certainly not to use the network for every possible purpose. It is up to the network operator how robustly they prevent unwanted uses of the network. Using a network in a way you can't reasonably assume the network's owner to have invited still crosses an ethical line. – Will May 21 '18 at 10:43
1

@StephenG So leaving the wifi open is something very different to leaving a login screen open, because.. ? In both cases there are legitimate use cases for doing so and in both cases they were used for something that was clearly not intended by the creator. This is 101 of pen testing. Either everyone who's arguing against this never took courses on the topic or some universities do a grave disservice to their students by not going through basic ethical and legal requirements for pentesting. – Voo May 21 '18 at 18:06
9

I remember in highschool a classmate cracked the easily guessed password to a teacher's computer and accessed a sensitive excel containing all of the student's grade. He told her and got suspended for a week since while he had good intentions, she had no way to know if he modified anything. It's sort of like telling a friend he got a weak door and should by a 2 inch door screw by kicking in his back door to show him. Does it make the point? Yes, but now you committed a crime. – Dan May 21 '18 at 18:30
1

@Will It is up to the network operator how robustly they prevent unwanted uses of the network. Does it then not follow that they did not want to prevent network scanning, if they chose to not prevent it? – Flater May 22 '18 at 14:21
2

@Dan Guessing a trivial password guarding something secure is: "I walked up to your door and pressed the 'quick lock' button on your door. It unlocked. You installed the locking mechanism upside down, and now it has quick-unlock instead of quick-lock. You should fix that." Nothing in what you did made the door easier to exploit nor did it to damage; it made the person aware of the damage already done by the badly installed lock. And yes, the person in the house has no idea if the person noticing the problem walked into the house and stole stuff in this case either. – Yakk May 22 '18 at 17:32
2

@Flater just because someone doesn't "want to prevent" something doesn't mean it's acceptable to do the thing that's not prevented. A hotel could escort all guests to their rooms if they "wanted to prevent" wannabe pentesters from walking down the corridor trying every door handle, but you're still not getting your deposit back if you try that nonsense in my hotel. – Will May 23 '18 at 08:32
7

In most parts of the U.S., it's illegal to "access" any network for any "unauthorized" use. Most courts interpret that to mean either the network advertises itself as open to all users, or else there's some non-electronic permission required. People have been convicted of using restaurants' open WiFi from their cars in the parking lot, because only people inside the restaurant were considered authorized users. – Jeffiekins May 23 '18 at 17:35
1

@Jeffiekins how are you even supposed to know that you not are authorized? – njzk2 May 24 '18 at 05:50
1

@Yakk is right. Running a password cracker is a good idea. Everybody should do it occasionally, on their network and others'. Making it punishable is a terrible idea. Feynman already laughed about people fearing the messenger instead of the security flaws. It is utterly stupid. – Peter - Reinstate Monica May 24 '18 at 14:47
2

@njzk2 Legally, the owner of a network is afforded wide latitude to determine who is "authorized" to use their network, and for what. Many courts assume that, unless you are "authorized" by some positive action (like a sign on the wall, at least), you are not authorized. I'm guessing that calling a WiFi "Guest" or "Public" in the SID may be considered authorization to use the network for web browsing, but most courts would probably not extend "authorized use" to scanning the network in any case. And it's a principle of U.S. law that ignorance of the law is no excuse. – Jeffiekins May 24 '18 at 22:15

score 36 · Answer 5 · answered May 20 '18 at 16:26

36

I'll take a counter viewpoint to most of the answers here. The other answers are correct, from a strictly corporate viewpoint, you are in the wrong. However, I think you did what you did because you are confident in your abilities, and you go looking for issues to fix, which are great traits to have, but will not fit in every corporate culture.

There will be some places that will be fine with this, but such an independence streak is also great for entrepreneurship. You might be well suited to starting your own business.

So, I would say you are 3 options: 1. Try to conform more to corporate culture, 2. Don't conform, but risk not getting some jobs, 3. Go the small business route.

answered May 20 '18 at 16:26

Issel

1,254
8
8

3

most businesses still have clients though, and companies will probably not take kindly to this sort of thing just as much from a consultant as from a prospective employee – user371366 May 20 '18 at 17:08
40

This is the typical corporate mind set: Worried about how things appear, rather than the fact that those computers were a real liability to their clients. This is why large corporations constantly leak customer information. On the other hand, actually solving the problem is the type of great work that small businesses offer and makes them successful. – Issel May 20 '18 at 19:30
13

I think a lot of start ups would hire you on the spot. On the other hand, they probably wouldn't have multiple hr employees to Snoop on – sudo rm -rf slash May 21 '18 at 02:03
3

Said otherwise : what is good in terms of skills is bad in corporate terms. The eternal cultural problem of IT in the corporate world. What makes you good for the job means you're unfit to the environment, what makes you fit for the environment makes you bad for the job. – gazzz0x2z May 21 '18 at 10:17
13

Some people in IT have the social chops to do what we need to do without needlessly pissing people off, ya know. – Monica Apologists Get Out May 21 '18 at 19:18
1

Adonalsium - But those people already have the job. He was trying to prove he has technical skills above and beyond what they were looking for that will be of great value to the company. How would he have done that other than mention it? Besides, they shouldn't be mad, they should be embarrassed they left vulnerabilities open like that. – Issel May 21 '18 at 22:10
12

@Issel He could've done it in one of the ways recommended by the others. Kids fresh out of colleague always seem to think that the only important thing are technical skills and that good social skills are beneath them. In reality it doesn't matter how clever you are if you can't work well with others. – Voo May 22 '18 at 05:41
2
Keep doing this, and get hired by a company that tolerates and encourages the candidate's individualism. I think in that case he/she may just find a more satisfying job.

user3819867

May 22 '18 at 11:48

10

@Issel Or maybe they're worried about both. I know I would be. Were I sitting in on this interview, I'd have done two things: 1) Make sure that open network gets shut down or secured. 2) Make sure this guy is not hired. If he doesn't have the discretion not to perform network scans on someone else's network without permission while waiting for an interview with that company, what on Earth is he going to do without permission once he's hired?! If this is an IT position, is he going to pen test the CEO's e-mail account without permission? Maybe spear phish an executive, or worse, a customer? – reirab May 23 '18 at 22:18

1

Security, even in light of recent trends like the GDPR, is almost never AN END IN ITSELF in business IT. It is a tool for managing business risks and/or achieving business goals. – rackandboneman May 24 '18 at 23:29

2

@Issel "how things appear" is, strangely, what might actually matter at the end of the day. – rackandboneman May 24 '18 at 23:30

@Issel in my answer, I explained the reasons behind that "corporate mindset" that are more than sound. – ivan_pozdeev May 31 '18 at 00:49

score 34 · Answer 6 · edited Jun 16 '20 at 10:59

34

Short answer:

Don't test|access|hack anything without an explicit authorization.

Did I kill my chances with them?

Most certainly.

Ps: Downvote as much as you want, but the OP broke one of the first rules in IT/Pentesting and that's the only objective of my answer.

edited Jun 16 '20 at 10:59

Community

1

answered May 21 '18 at 09:14

Pedro Lobito

490
3
7

14

Hey, I was the one who downvoted as this answer is already given with much better explanation and argumentation. This one doesn't add anything meaningful here and is pretty low-effort. If you can update with some relevant resources and/or arguments that haven't been given yet I could retract the downvote. – Kevin May 21 '18 at 09:31
12

+1 I up-voted this because you give a great answer with much fewer words than others used to say the same thing. – May 21 '18 at 15:24
2

I don't think your comment "downvote as much as you want" has anything to do with answering the question and comes across as argumentative to me. I probably would've agreed with @gwp and not downvoted if it hadn't been for that, so I'd be happy to review this downvote if you decide to edit and @ a reply to me. – lukkea May 25 '18 at 07:16
2

Of course this is the correct answer. Good one. – Fattie May 25 '18 at 16:53

score 28 · Answer 7 · 2018-05-20T23:13:53.927

While waiting in the lobby I found an open wifi network called XYZ. I connected to it and was greeted with a web page requesting for a username and a password. I ran a scan of the connected devices using Fing (an app on android) and found that there are some laptops with names XYZ-HR-1 and XYZ-FN-1.

I think what you did was fine. It was an open network and you accessed it and took a look around. As long as what you did was within the scope of what the network was intended for. Scanning for devices might have been illegal in some places.

As a candidate preparing for a job interview. It's upon you to research the company, culture and background. Gather knowledge that you can use in the interview to explain why they should hire you.

You gathered knowledge but you didn't use it wisely.

Was I right in telling them that I did that?

In cases like this. Use what you've learned to ask compelling questions and provide compelling answers, but don't point fingers, make accusations or find fault with anything related to the business or people.

You can talk about risks of an open network without mentioning their network.
You can talk about risks of having devices on that network.
You can share how you would fix the problem.
You can share your idea of a better network.

You use what you know because it makes you relevant to their current challenges, but you do it in a nice, friendly and professional way.

Now, ask yourself if you still want the job based upon what you've discovered. Ask questions that reveal the nature of the culture of the company.

Ask, how do you handle the discovery of a security hole?
Ask, what freedoms will I have to implement changes?
Ask, who implemented your current IT system. Will I be reporting to that person?
Ask, how do you measure the success of my IT efforts?

You've uncovered that there are problems already in the company. Dig deeper to see if it's still the right fit for you.

As an improvement, you could offer to do what you did in the lobby during the interview. So now instead of "I found a security flaw", it is "may I demonstrate a probably security flaw in your open wifi?" — Yakk, May 22 '18 at 17:34

jmoreno · Answer 8 · 2018-05-28T16:05:54.827

16

Whether you get the job or not, and whether this helped or hindered your chances, what you did was unprofessional and possibly illegal. If you had looked at their public website or they had had a totally open network (no password), you would have been on firmer ground.

You hadn't been hired at the time, and you were in effect attacking their network looking for vulnerabilities. As a professional you should know not to do that without prior agreement and investigation of possible consequences.

There's a somewhat related question on the security stack -- asking if a pentest company should sign a contract promising no negative consequences of the test and to cover any damages incured. The accepted answer says "I've knocked systems over with a port scan". It's impossible to know what someone else's code is going to do, and thus what negative consequences of intracting with it might be. You put their organization at risk, without warning, agreement or justification.

Using their system the way it is meant to be used and seeing what happens, is justifiable, non-standard usage is not. That includes trying to guess a username/password -- standard usage is to HAVE a username and password, not try to find one.

edited May 28 '18 at 16:05

answered May 20 '18 at 16:54

jmoreno

11,845
29
55

you were in effect attacking their network looking for vulnerabilities The OP did no such thing. Open Network - simple rule - you don;t want people to look, don't open the network. HR should be firing the people who left it open and hiring the OP. – StephenG - Help Ukraine May 21 '18 at 02:26
11

@StephenG you're presenting this as an either-or, but if I found an interviewee wandering round an obviously restricted area because somebody had left a physical door open, I would be marching the interviewee off the premises and then firing the people who left the door open. – Will May 21 '18 at 13:55
1

@Will What would you do if you found the interviewee had tripped and fallen through a door that was supposed to be locked? What about if he just opened the door and went "Oh crap, that's not supposed to be open!". What if he pointed out a secure door that was propped open?
The problem with reasoning by analogy here is that this virtual trespass has no good physical-world analogy. You can compare it to opening a door that says "DO NOT ENTER", I can compare it to looking through a window to read a sign that says "DO NOT LOOK THROUGH WINDOW".
– Joe Cullinan May 21 '18 at 16:24
2

@JoeCullinan The problem is that you are right: there is no good analogy that someone who isn't familiar with network technology is likely to understand. Since the OP is dealing with someone from HR, who is almost certainly not an expert in network security, all of the defenses being offered on behalf of the OP are irrelevant. The explanations, not matter how technically accurate, are not translatable into something that would convince an layman. – Beofett May 21 '18 at 16:35
2

@Beofett That's a great point, and that's where I was heading before the comment limit stopped me; It doesn't matter if what OP did was wrong, it matters that HR at a prospective employer sees him as a liability.
Scanning the WiFi isn't a problem; if OP scanned and didn't say anything we wouldn't be having this conversation. So, the problem isn't that OP scanned the network, it's that OP gave someone at a prospective employer a reason to not hire them. That's always a problem.
– Joe Cullinan May 21 '18 at 16:51
2

@JoeCullinan in all the physical analogies discussed it's clear whether the person accessed or attempted to access something that they clearly didn't have the right to access. It really isn't that hard to distinguish which ones are good analogies. The ones where the unwanted access was accidental or not taken advantage of are fundamentally different from what OP did. – Will May 21 '18 at 19:10
7

@JoeCullinan Running a scanner is more like trying the handle on all of the doors that say "do not enter" just to see if any of them are unlocked. It's still considered bad to walk into a publicly accessible building (open network) such as a mall, and then try all the doors, even though the building is publicly accessible. – user253751 May 21 '18 at 23:17
1

@immibis `Running a scanner is more like trying the handle on all of the doors that say "do not enter".' Thats complete and utter bullshit !!! Running a scan is an exact equivalent of looking around. In a public network, it's like looking into every door [expecting to find a shop, toilet or whatever] in a large mall. If some doors are locked / require code, no entry attempt was made so far. – Miloslav Raus May 22 '18 at 10:55
5

@MiloslavRaus in a typical mall, all the doors a member of the public is expected to be interested in have prominent signage guiding you to them. The small unmarked doors leading to private facilities may still be open or have windows in but it's still intrusive to systematically walk round them all to see what you can see through them. The same applies to a public network. None of the typical uses for a public network require a scan of the network to discover the necessary services. – Will May 23 '18 at 10:57
1

@will Perhaps I should've written this explicitly, but in public network, open port means "Welcome". That's how I configure my networks, that's how i see it fair / reasonable. Of course, under fucked-up laws you can be basically prosecuted for mis-typing an URL, that i won't dispute. – Miloslav Raus May 28 '18 at 10:46
@Will ...except that without scanning a network, you have absolutely no idea what is available on it, so services like search engines and automatic directories absolutely must do the scanning, and many widely used protocols use broadcasts as a more efficient way to do that. – ivan_pozdeev May 31 '18 at 01:00
@Will and... hate to break it to you, but in a computer network, there's no such thing as a "prominent signage guiding you somewhere", and an open port doesn't have a sign attached to it. – ivan_pozdeev May 31 '18 at 02:05

taswyn · Answer 9 · 2018-05-24T21:14:08.577

There are some really good answers addressing why this was the wrong thing to do from an Infosec angle, and somewhat more generalized ones on the ethics of running a scan without authorization, but I'm going to try to address the "right way" to approach situations like this, based on how I would have considered addressing this in an interview if I found myself in a similar situation.

Was I right in telling them that I did that? Did I kill my chances with them? Should I do it again with other job opportunities (if something was discovered by accident)? How can I gain an edge in the interview with this kind of information?

There are a couple of things going on here, particularly when it comes to gaining an edge.

For one, do you have an ethical imperative to discuss security issues which you have noticed (and I think the ethics have already been generally addressed by others).

For the second, are you stepping on toes when pointing out something wrong.

Thirdly, are you possibly creeping people out.

Finally, is this going to create a negative impression of you as a candidate due to the related interaction, even if you are right.

Change should always come from a place of knowledge, and you don't know everything about the surrounding context in an interview

As an example, in software development interviews, I've had arguments made that we should be using language xyz.

From a technical standpoint, of course there is room for improvement, and one of those improvements might be a change in language. I could make arguments as to the value in moving to certain languages all day long. But arguing it as a job candidate makes the candidate look very naive as to the surrounding concerns that might have lead to the language we're using, not to mention the technical hurdles to switching to a different language now, and it also comes across as presumptuous and possibly indicative of shallow thinking.

You don't know why the WIFI was set up that way, so don't presume that it's without intent.

Questioning is fine. I value questions during interviews a lot. Noticing things is great. You could use that if a related opening appears:

"I noticed you had an open WIFI SSID, so I thought maybe it was meant as a guest network and I could check email on it and connected briefly. As soon as I did I saw the password page and realized it must be meant as an internal network so I disconnected, but couldn't help but noticing that it didn't seem secure. As someone who cares a lot about information security, I was curious if you knew why it's set up this way?"

Digging deeper uninvited is very much not great. I think that's been covered sufficiently in other answers, but to echo Kate Gregory's answer, it's going to come across as "creepy" at best. People can argue her analogy all they want (technicalities aside, I think it captured the heart of it), but it's close enough to how most lay people are going to feel, especially when you start rattling off machines you saw. That first psychological aversion response is going to sink you, no matter how "right" you are.

At most, if a related opening naturally occurs (i.e. only if the conversation actually continues when you bring up the first part) you might ask if they'd considered running some scans to check whether anyone is at risk via that WIFI, and what their preferred vulnerability testing tools are. That gives a clear window (and opportunity for them to ask related questions back about your own preferences) into your related skill… but don't push it. You are not the head of IT, you are here for an interview, and while you might disagree with what they're doing it's also not your place to argue for something different unless invited, because you could just as easily be making a fool of yourself in their specific context.

If asked "Oh, that's interesting, what would you do", that would be your opening to discuss the scans you might run to show the vulnerabilities and how you would then put forward a proposal for a change to the WIFI, assuming there were not externalities you weren't aware of as someone not part of the company related to the particular installation that necessitated it being set up like this: and if so, how you might mitigate them via VLANs, internal firewalling, etc, but it would really require knowing more particulars. Being open about what you don't know in terms of context is encouraging: with details about what you'd need to learn about the environment it can help show degrees of your related skill and knowledge, and your discerning flexibility to account for different situations.

Don't (even inadvertently or unintentionally) insult people

This goes along with the preceding, but I really want to focus on it for a moment: start from a presumption of intelligence in others. It's flattering. The opposite is insulting. If something doesn't appear "smart" from an outside perspective, begin with the assumption that there are other reasons with a foundation of intelligence and skill on the part of those involved. Even if you don't stick your foot in your mouth horribly by having overlooked something as a possibility, ultimately being right isn't going to matter after you've just finished trashing someone you're asking to hire you.

Don't lose sight of the goal

If you want to see change occur, be an advocate for yourself and your generalized views and outlooks and skills (and how they align with your interviewers/the company, which is going to require getting them to talk about that: so ask!), not for the specific change you want to implement when it is merely a single detail.

If seeing a likely security lapse fires you up, great. But you can't become so focused on that specific issue that you derail the interview in a way that leaves you looking weaker as an overall candidate. That won't get the problem solved. Getting hired might. So re-focus your related caring and intensity into advocating yourself, rather than a relatively less meaningful back and forth on one single security detail. You'll have plenty of time to advocate on that specific issue once you're hired.

Feel people out (and hopefully create natural openings)

Not only do you not know the technical context and surrounding constraints that lead to a situation like this open WIFI network, but you more importantly don't know the people you're talking to, their personalities, and their involvement and opinions on this and similar issues.

It's one thing to offer up your expertise and give examples, it's another thing to push. Confidence in yourself and your skills is good (it's great), but pushiness is rarely something an interviewer is looking for, in my own experience.

So just remember that these people are strangers who you've had a short amount of time to gain an acquaintance of in a very narrow, very constrained way. Don't push yourself on them: find out what they think instead.

Rather than reeling off on them about what your opinion is on a given technical topic (which can easily look negative to someone less technical, and can easily step you into landmines with someone more technical), ask them what they do currently in relation to that topic, and if necessary then ask what the individual's opinion is. It shows the sophistication of knowledge to know what to ask about without pushing your opinions and thoughts on them, and gives you some space to feel them out.

Ultimately, this provides the best openings, because you can do something like mention things like WIFI being difficult in mixed use environments (assuming the topic comes up) and then asking what they do as company, and what the interviewer's personal preferences are in relation to that. This perhaps provides possible openings for the earlier hypothetical statement I offered, but it also warns you if maybe it might be best to not say anything at all.

Even more than just the openings, this also helps expose dynamics between different interviewers. When you have multiple people interviewing you, you are the center of attention, and it's hard to gauge everything going on well. Asking questions and then asking opinions gives you room to (discretely, since your focus should be on whoever is talking while they are talking) watch what's going on. You'll have opportunities to switch (or even direct) focus between different people, or at least look around to gauge consensus/etc on answers given to you. This will depend, by degrees, on how "on rails" the interview format is.

Leave room for conversation to breath

Yes, you're here to advocate for you, but just you shouting how good you are doesn't necessarily do that effectively. Your resume should already speak for itself in technical and experiential terms, what you're really here for is to speak for yourself as someone to work with, as a coworker and colleague.

And here's the key to that: as they say in writing, "show, don't just tell".

If they ask for your opinion or stance on something, give it, certainly. But when it's not being asked, ASK theirs instead as your opening. Let that naturally lead back to them asking for your own opinion (or not). You'll show just as much related knowledge in asking about topics as you would trying to talk yourself up, but more importantly it comes across less pretentiously and gives you room to look more like someone who would be good to work with on related issues rather than someone who is just going to try to push over everyone else while thinking they already know everything that needs to be known.

There's technical stuff thrown into most in person interviews, but ideally it's just there as a check of whether or not you live up to your resume, and really the ultimate goal of an interview at that stage is to figure out whether you'd be someone they want to work with. We've skipped otherwise technically competent people because of the way they acted during their interview, and how they approached (or even didn't) the related interaction. Because a job is about more than just paper knowledge and basic technical competence. Anyone can run a pen scanner. Not everyone can discern when is the right time to do so and how to effectively use the results if they do, and not step all over everyone's toes in the process so horribly that no one cares anymore and everyone just wants the project canceled and something else worked on.

In some environments, being able to effectively negotiate through project advocacy and related internal political life cycles is just as crucial as having the related technical knowledge. So show your competence at how you interact with your interviewers, make yourself out to be someone easy to work with and to communicate with, who is self confident in the best of ways, the one where they don't just need to blather continually about themselves. And someone discerning who knows when to push something, when not to, and how much.

The hardest thing to regain is trust

You're in an interview situation: you have been granted a basic level of trust in being invited to interview, but you are still a relatively unknown quantity, so it's very much provisional. Anything that puts the trust already given to you in question is absolutely poisonous to your chances as a candidate. You should always assume there are other candidates (for example, in my case, we do things like fail and rework searches that don't yield enough interview candidates to form an adequate comparison pool). You should always assume they are equally qualified in terms of technical qualifications.

Do not engage in actions during an interview that could lead anyone present to calling into question whether you are trustworthy. Actions which are normally associated with a higher level of trust than you have clearly—I would even say explicitly—been granted (you don't ask someone you don't trust to run a security scan, and by default you begin by distrusting someone who randomly runs a penetration scan against you without your express invitation and permission) fall under this. It's not that you are being distrusted, it's that you haven't yet been granted the levels of trust associated with actions of that nature. You need to earn that, and taking actions associated with higher levels of trust before doing so is often immediately seen as overstepping your bounds, in ways that call your decision making skills into question too, and in a first impression situation you can't afford that.

Even if you can regain the base level of trust you're interviewing with, having it ever questioned can quickly put you in jeopardy compared to other candidates. It's rarely spoken of directly, because we run things like background checks to try to ascertain whether we're correct in trusting someone, but the sense of individual and direct trust is a crucial one to not betray during an interview process, because it will easily loom over all other personality and skill impressions if someone at any point becomes "uneasy" with you over an action you take. Ultimately, ascertaining whether you can be trusted is really a core element of an interview, when you really think about it.

Tried "starting from a presumption of intelligence in others." Didn't work. The meaning of what I'm saying simply flies over their heads. So, if they were supposed to be flattered, they couldn't understand that :) — ivan_pozdeev, May 31 '18 at 02:34
Note that presuming intelligence is not the same as presuming knowledge ;) There's an art to inviting others to indicate how much they know on a topic to establish a common ground of communication related to it, but it still involves not giving the impression that you are presuming the other person lacks basic intelligence and generally good intent :p — taswyn, Jun 01 '18 at 21:18
I'm talking about things like formulating things very precisely, making every word meaningful, like in mathematical definitions. They only manage to grasp a few random bits from that and get the wrong picture. No obscure knowledge is needed here. — ivan_pozdeev, Jun 01 '18 at 23:41

score 13 · Answer 10 · answered May 21 '18 at 12:17

All answers are right IMHO, both those that encourage the behaviour and those that discourage it, but miss something important to me : the fact that interview was with different people, who happen to have different goals.

The IT boss wants someone able to think out of the box, someone able to take initiatives, and to identify easily any shortcomings that there might be. Of course he is interested in such a profile.

The HR boss wants to protect the firm against the employees. That's the job. Identify any harm that an employee could do, and protect the firm against it. Most of the time, it's more on the legal or relationship level, but if the HR feels there is a potential employee that could be clever enough to bypass standard securities, outside an audit controlled by the brass, then he will do what he's paid to do : protect the firm against the (not yet) employee.

Hence the diversity of answers. If you had been speaking only to the IT boss, then (legal issues notwithstanding) your behaviour would have been clever. That's what he needs. But as the HR was present, you should have taken in account his role : to preserve the corporation's natural order and hierarchy.

Be aware that most corporations will be more than willing to lose some efficiency to gain more control upon their employees. If you are looking for a job in the corporate setting, you shall at least fake respecting the rules in front of those who are paid to enforce them. And try to actually respect them as long as it's not obviously preventing you from doing your job. And the first rule is : don't look uncontrollable. In the corporate world, managers hold the power, and see management as the science of control(wether it's right or good is another debate I won't open).

The trap is that you had to format your speech to two different audiences with opposing needs and expectations. Try to think about both next time.

score 11 · Answer 11 · 2018-05-20T18:36:07.613

11

If I had a say in this hiring process this would be a mark against you. Not because you broke some rule, but because you are telling people they should do something without understanding their needs.

IT security is an exercise in risk management. Most of the time IT security practices are not absolute rules. You need to judge the risks of a particular practice against the costs to the business efficiency and then make a decision.

I don’t know the risks associated with the vulnerability you found. It may something thing a company should never do. However, before telling any business manager that they should not do something you should build some trust in your opinion by learning the circumstances in which the vulnerability exists.

edited May 20 '18 at 18:36

answered May 20 '18 at 18:29

3

In general this is true but having secure WiFi seems like a no brainer... Maybe someone can fill me in if there's a case for leaving this system as is – sudo rm -rf slash May 21 '18 at 02:05
6

@sudorm-rfslash, There may be no case for leaving the WIFI open. That doesn't matter; the point is you should always listen before giving advice. – May 21 '18 at 02:12

score 7 · Answer 12 · answered May 21 '18 at 16:15

When it comes to information or ideas that we possess, while to some it might seem counter-intuitive, it is sub-optimal to tell everyone everything. It took me longer than I would like to admit to fully internalize that I could just not say anything and keep it to myself.

HR is never going to take something like this any other way than what you describe. Anyone, who doesn't understand NetSec is likely to regard you and your commentary with extreme suspicion. Interactions both public and from stage and screen should illustrate the truth of this, there's a whole category of tropes related to "well-meaning specialist tries to alert people who don't understand about potential danger" who end up being punished by the unwashed heathens they attempted to help.

Keep it to yourself.

That said, you could have potentially brought up something tangentially related and steered the conversation over to where a highly edited version of your comments might be perceived as more organic.

True story: I once worked at a place where a guy found a vulnerability in the company's intranet blog. While he was at home, he posted to the blog from outside the network using the vulnerability. Then when he came in the next day, he sent his brilliant find and proof that it was possible to IT. He was immediately given hero status and a huge bonus, raise and promotion. Just kidding, he was immediately fired.

You can disregard every word of this answer if you want to remember this five word phrase: "Being right rarely changes anything."

This doesn't really give any answers, so it's useless as an answer. — ivan_pozdeev, May 23 '18 at 16:18
"Keep it to yourself" is the answer. It even gets a paragraph to itself in order to emphasize this. It is then backed up with an example of not keeping it to yourself going horribly wrong, it's preceded with some insight into the perspective of the other side, and how they would not see it the same way. Finally, some life advice to apply generally to situations similar to this, conceptually, for the rest of your life. Thank you for your comment, tho. It allowed me to reiterate these points for anyone who may have had trouble comprehending what I wrote. — fearofmusic, May 30 '18 at 17:07
It's a good thing I didn't do either of those things. Thanks again for helping to clarify my points even further by accusing me of saying the opposite of what I said. Take care, Iva. — fearofmusic, May 31 '18 at 21:24

Benjamin Gruenbaum · Answer 13 · 2018-05-20T15:57:17.157

6

I'm going to try add another perspective.

Was I right in telling them that I did that?

There are countries where joining and scanning the network is illegal to begin with. Imagine you found a LAN port at the premise and used an ethernet cable to connect to their network.

It is possible HR knows this since they are more aware of laws involved.

It is the responsibility of HR is to manage such legal liabilities for the company. It is possible that's why they seemed less-than-enthusiastic about it.

edited May 20 '18 at 15:57

answered May 20 '18 at 14:10

Benjamin Gruenbaum

5,340
4
29
35

7

No comparison between plugging into a network port and using an open network. The entire purpose of making a network open is to allow access - the mere act of making a network open invites people to examine it. If you want a wifi network protected and hidden it's practically trivial to do so to a reasonable level short of a determined attack by well equipped pros. – StephenG - Help Ukraine May 21 '18 at 02:05
1

@StephenG Doing illegal stuff is still illegal even if there's no password. – user253751 May 21 '18 at 04:18
5

@immibis The OP did nothing illegal. Where did this nonsense come from ? It's an OPEN network. – StephenG - Help Ukraine May 21 '18 at 04:53
6

@StephenG In many jurisdictions it is illegal to scan someone else's network without their permission - full stop. Much like it's illegal to look over someone's shoulder at the confidential documents on their computer. It may be difficult to get caught, but if you get caught, you are still facing fines and/or prison. – user253751 May 21 '18 at 05:23
@StephenG I'm not telling you I agree with that law, but it is the law in many jurisdictions. I realise it is not very heavily enforced, I do not agree with it - I was raising (the very likely option) that HR were doing their job of managing legal liabilities here. – Benjamin Gruenbaum May 21 '18 at 08:41
4

@StephenG Where I live it's legal to join an open network, but running scans on it is like checking if someone's front door is unlocked, both of which are illegal. – Kevin May 21 '18 at 09:34
1

Does anyone actually have citations that it's illegal anywhere? – LateralTerminal May 21 '18 at 18:15
2

@LateralTerminal whether port scanning in itself is a criminal offense depends on the jurisdiction. However it is a complex legal issue. It is not illegal in and of itself in the US, but has been the subject of numerous civil actions. Here is an overview. – Charles E. Grant May 21 '18 at 19:10
https://arstechnica.com/uncategorized/2006/03/6447-2/ – Benjamin Gruenbaum May 21 '18 at 19:25
Related: https://en.wikipedia.org/wiki/United_States_v._Swartz – Matthew Read May 21 '18 at 21:22
Actually, since he ran the scan, telling them is the ethical thing to do. Doesn't really matter what the laws are. If he goes to prison, he goes to prison. – May 24 '18 at 13:37

score 5 · Answer 14 · answered May 21 '18 at 15:59

5

From the perspective of someone who runs information security: what you did was not clever.

Was it to show that you are an expert in security? In that case if you just show that you can

connect to an open WiFi
that some of their machines were on that network

If you tag this as a security issue then, sorry, you do not know much about security. This IT manager does not either. This will probably blow up one day.

So that move was not a good one.

Maybe it was to show proactivity? Well in that case you should really not work in security because you are going to hurt your company by doing such things. There are engagement rules in security and an employee is expected to follow them. You are not a hacker, you are not a bounty hunter. You must not do these things.

However you look at it, it was a stupid move if you wanted to get hired.

answered May 21 '18 at 15:59

WoJ

5,814
17
27

just googled "Discoverable"... – May 21 '18 at 16:21
Yes, if you can connect to a wifi access point, you're basically "on the network." There may be a pay wall or a sign up page, but there is nothing technical or flawed about connecting to a wifi, and running a scan to see who is on it. While it shows some technical knowledge, it shows nothing sophisticated in terms of hacking or finding a fatal flaw in a system, especially when the machines you found connected are unknown. Are they other guests? Or are they something sensitive like a financial system connected? Nothing the OP said suggested this type of investigation. – Dan May 21 '18 at 18:58
@Dan: OP said "In the interview I told them that since my position entails some security aspects I found that the open network in a security vulnerability in their network." An open network is not a security concern, the WiFi standards allow such networks and they are very fine. What you have on that network can make a difference, but just saying "you have an open network, there are devices over there and this is a security risk" shows that one does not understand security (risk assessment in that case). – WoJ May 22 '18 at 13:23
@James: I am not sure what you mean by this comment? – WoJ May 22 '18 at 13:23
@Woj in a legal context. Lawyers can go fishing for things that make you look bad, and use them in court. – May 22 '18 at 13:25
1

@James: you mean that having an open network is legally dangerous? Sure it can be (depending on the content of this network, from privacy to information disclosure) - but having one is not "a security vulnerability" as OP mentioned in his interview. It just shows that security is one area that person should not be involved in as apparently he does not know it very much. – WoJ May 22 '18 at 13:27
@WoJ agreed. the security vulnerability he found is 'meh' at best. – May 22 '18 at 13:30
1

Seems to me the real issue here isn't whether it demonstrates real skill, but the question of permission. I recall Sean-Philip Oriyano's book on the CEH9 qualification - he emphasises to always obtain clear and specific written permission before doing anything with their systems. Even if you quickly produce interesting results, it doesn't reflect well on you that you just jumped right in. – Max Barraclough May 22 '18 at 16:44
2

@MaxBarraclough: for me it's both, this is why I mentioned them in my answer. Someone who comes and say "I will work in infosec and you have a serious vulnerability" when there is none shows that he is clueless. Then comes the hip shooter approach which sooner or later will not end well for the company. – WoJ May 22 '18 at 17:36
@WoJ Correct, that is my point. Connecting to a network and then running a scan to see who is on it is not a security concern. Connected machines may in fact be other guests who did connect to the network. Telling the HR interviewer that it is a security concern shows a lack of understanding. – Dan May 22 '18 at 17:55
@WoJ The OP further stated erronously that the network was "secure" because it asks for a sign on to view the internet. What I'm trying to say is that once you're connected to a network, it's considered a "open" network although you may further have to authenticate before browsing or using the network. The OP is calling it "secure" and a "security risk" which demostrate triple failures in assessment. – Dan May 22 '18 at 18:07
@Dan ah ok, sorry - I misunderstood your comment – WoJ May 22 '18 at 18:22

score 2 · Answer 15 · answered May 24 '18 at 21:03

So, let's see. From my point of view you:

Discovered an open network; (OK)
Connected to it; (OK)
Discovered it needed a userid/password; (OK)
Interrogated devices around you in an apparent hacking attempt; (NOT OK)
Bragged about it (STUPID!)

Now, let's cover your questions individually:

Was I right in telling them that I did that? Not if you had any desire to work for that company. Also note that most companies I've worked for display a warning when you connect or log in which says something like "Unauthorized access is not permitted. We will contact the authorities and prosecute you if you try it". Also note that ignorance is not an excuse.
Did I kill my chances with them? If I was the hiring manager I wouldn't touch you with a 10 foot pole. You're an admitted hacker, proud of it, and a security incident waiting to happen.
Should I do it again with other job opportunities (if something is discovered by accident)? That depends. Do you want to get a job, or do you want to show off? If the former, don't ever do this again. If the latter - well, it's your life, buddy...
How can I gain an edge in the interview with this kind of information? You can't. All you can do is make people nervous, and people who are nervous about what you've done, can do, or might do will not hire you. Look at the news - every few weeks another company gets hacked, credit cards and other personal info gets stolen, and they look like idiots, and their customers may turn around and sue them. As someone who works in the IT department of a major retailer I can tell you that this is one of the things that worries people like me. If we think you even might be a problem, you will not be hired. End of story.

Best of luck.

score 1 · Answer 16 · answered May 22 '18 at 12:57

Regarding your chances, it strongly depends on the powers of the IT manager and the HR manager. It also depends on the way how you presented it. If it was "I saw several computers with XYZ-whatever names connected to an unsecured network" it was more an insult to the one who alowed the owners to connect to the network. If it was "I saw your computer, mr. Averagejoe, connected to the unsecured network" it was straight insult to mr. Averagejoe.

If you are about to be a security guy, a paranoia is not mandatory, but it helps. Your check who is there with you (in the open network) clearly shows your attitude towards your possible position. That's why the IT manager was impressed.

On the other hand your presentation of your findings was quite rude. That's why the HR manager backs up and counter you.

Maybe you poured oil in an open fight between IT guys pushing the security issues to stop and the others with the attitude "What the hell the weird ones are talking about?" Something like Moss' talk on not disabling the firewall in IT Crowd S2E1.

Next time, do this check preferably when asked in the interview. If you can't resist, hold the findings to the moment, where the breachers are out of vocal range and you are discussing the IT staff only.

ivan_pozdeev · Answer 17 · 2018-06-29T11:03:28.417

This will hurt your chances because you have demonstrated a failure to understand the concept of area of responsibility. You:

failed to explain how you were authorized to do that (regardless of what laws may say: you need to convince them, not the judge) and the impact of your actions in non-technical terms
started telling them (as opposed to merely suggesting) how they should do things without being the person responsible for those things or a contracted consultant

In established environments, every area and task has a person responsible for it (virtually always, a single person; group decisions are typically only warranted for complex, strategic matters rather than everyday tasks). That person is the sole one who can make decisions in that area. This is to ensure that they have the whole picture and a unified vision is applied to it.
If you are not that person and see a problem, your job is to report it to them and leave it up to them if something needs to be done about it.
- That's because even if you know this is a problem, you don't have the whole picture to be able to weigh all the pros and cons, and you won't carry the responsibility for your actions. As others have said, security is an exercise in risk management: something is only worth doing if doing it is less costly than not doing it.
- (Anticipating comments from would-be rebels:) Going over their head is possible and sometimes may be the way to go to get anything done, but it's serious and risky business since you need to somehow convince the higher-ups to incur the rather hefty costs of questioning the competence of an imporant subordinate (doing an independent assessment of their skills and work is time, money and lasting discontent of that person, regardless of the method and the outcome).

What you told them about the scan basically sounded to a non-tech person: "I breached your network and potentially disrupted your business -- all just because I felt like it".
- This is what provoked a defensive reaction. "No, our business is certainly protected well enough if we're still in business, and you certainly couldn't breach it this easily! What you're claiming can't be true and is plain libel ('cuz this would damage our reputation if others believe it (regardless of whether it's true), so we're definitely not taking kindly to that)!"
- And a person with such a mindset is certainly not someone who they want to see within a mile's radius of their critical intrastructure.
- Now, that's of course not what you did. But you failed to convey that in a way they can understand.
- You should've put this something like: "When I was waiting in the lobby, I noticed an open wifi network with your company's name. Since my job will include information security, I took an opportunity to get an idea of your current practices. Noticed this and this, which is potentially a vulnerability, though it depends."¹ If they still look terrified, add something like: "I can say with confidence (and your colleagues would confirm) that this absolutely couldn't disrupt anything with a stability of, like, a stock Windows installation."
  - This would show that you were authorized to do that because good candidates are supposed and expected to be proactive about researching the company; you did weigh the risks and made an informed decision; and you're merely suggesting that this could be a problem rather than outright stating that since you're not the one responsible and thus don't have the full information to be able to make such categorical statements.

¹_{on the outreach of the network, how long and how often machines stay on it, what kind of information and/or functionality they contain and how well they are secured.}