Dedime | 3 years ago
I was curious to see if they had checked out my personal website, so I grabbed my webserver logs and I recognized one IP from the city the job was based in. More than likely, the public IP of the business in question.
On a whim, I ran the IP through Shodan.io and it showed that 47808 was open - the BACnet protocol. I had no idea what this protocol was, but I was able to download some odd enterprisey software that had the ability to speak BACnet. I connected to the IP:Port and found a long list of connected things - water levels, temperatures, lights, and more.
I wasn't interested in doing anything questionable with this information. I'm not even certain it allowed me to do anything more than look, but I like to think I could have e.g. turned off lights or adjusted temperatures in the grow rooms. I made the (risky) executive decision to let the hiring manager know that their public IP had an important port open to the world. I wound up getting hired by that business, and the first task I was assigned was to fix the open port.
I'm not sure if that counts as "hacking", but I was proud of finding the vulnerability / misconfiguration nonetheless.
techdragon | 3 years ago
I emailed but they weren’t hiring and I was mainly curious if the job would be better than what I had at the time.
comprev | 3 years ago
Although I didn't apply for the role, it was a fun challenge solving steps along the way and I appreciate the effort put into making it.