> The issue here is that this isn't just "one bad apple" that, if we can remove it, everything will be ok. Which is what motivates the idea that punishing this bad actor will make everything better.
I think they are talking about this particular, singular, bad apple and the other companies that bad apple is also attacking right now and stopping that harm as opposed to "sending a message" to other bad apples.
1) 802.1x certificate based network security (The MDM configures each approved network device with a certificate so rogue devices can't get on the network)
2) Periodic security review (look at attached network devices and determine an owner and purpose for each one).
3) Configure SIEM to alert on long-lived outbound connections.
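Item 3 above is the one of the three that can be prototyped without buying anything. Below is an added example, not code from the commenter or from any SIEM vendor, of the detection logic a SIEM rule would express: it reads flow records in a Zeek conn.log-like JSON shape, keeps only connections from RFC 1918 space to the outside, and flags those whose duration exceeds a threshold, with an optional allowlist for destinations that legitimately hold connections open (a VPN concentrator, a message broker). All records, addresses and thresholds are constructed for the example.

```python
import ipaddress
import json

# Constructed flow records in a Zeek conn.log-like JSON-lines shape (not real traffic).
# The 4444/tcp and 22/tcp sessions are the ones a reviewer would want to see.
SAMPLE_FLOWS = """
{"ts": 1640995200.0, "id.orig_h": "10.0.1.23", "id.orig_p": 51234, "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp", "duration": 12.4}
{"ts": 1640995260.0, "id.orig_h": "10.0.1.23", "id.orig_p": 51240, "id.resp_h": "198.51.100.7", "id.resp_p": 22, "proto": "tcp", "duration": 86400.0}
{"ts": 1640995300.0, "id.orig_h": "10.0.1.50", "id.orig_p": 40000, "id.resp_h": "10.0.2.5", "id.resp_p": 445, "proto": "tcp", "duration": 7200.0}
{"ts": 1640995400.0, "id.orig_h": "10.0.1.77", "id.orig_p": 60001, "id.resp_h": "192.0.2.9", "id.resp_p": 4444, "proto": "tcp", "duration": 10800.0}
{"ts": 1640995500.0, "id.orig_h": "10.0.1.77", "id.orig_p": 60002, "id.resp_h": "192.0.2.9", "id.resp_p": 443, "proto": "tcp", "duration": 30.0}
"""

# Networks treated as "inside". Adjust to the site's actual address plan.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse JSON-lines flow records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_long_lived_outbound(flows: list, threshold_seconds: float = 3600.0, allow: set = None) -> list:
    """Return alerts for inside->outside connections held open longer than the threshold.

    `allow` is a set of (destination_ip, destination_port) pairs that are expected
    to hold long sessions and should not alert. Alerts are sorted longest-first.
    """
    allow = allow or set()
    alerts = []
    for f in flows:
        src, dst, dport = f["id.orig_h"], f["id.resp_h"], f["id.resp_p"]
        if not is_internal(src) or is_internal(dst):
            continue  # only outbound sessions are of interest here
        if (dst, dport) in allow:
            continue  # known long-lived service, e.g. a VPN endpoint
        if f["duration"] >= threshold_seconds:
            alerts.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "proto": f["proto"],
                "duration_h": round(f["duration"] / 3600, 1),
                "ts": f["ts"],
            })
    return sorted(alerts, key=lambda a: a["duration_h"], reverse=True)


if __name__ == "__main__":
    for alert in find_long_lived_outbound(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['src']} -> {alert['dst']}:{alert['dport']}/{alert['proto']} open {alert['duration_h']}h")
```

The internal-to-internal 445/tcp session is deliberately ignored: the rule is about egress, and a separate rule with its own baseline should cover lateral traffic. In a real deployment the threshold is tuned per destination port, since an hour-long HTTPS session to a CDN is noise while an hour-long session to an unfamiliar host on an unusual port is exactly what the commenter wants surfaced.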
There's a decent amount of infrastructure involved in getting 802.1x authentication up and running in an efficient manner. While it does provide very good security, it's not widely used because of that.
There really isn't one. 802.1x is the wired security standard, and almost never worth the hassle for home or small business networks unless you are really interested in learning the ins and outs.
Having a list of allowed MAC addresses, enforced per-port by a managed switch (or at least by the DHCP server and router), is a first step, though naturally it's easy to spoof a MAC address.
> though naturally it's easy to spoof a MAC address.
I used to live in an apartment that was within high gain antenna range of the local McDonalds Free WiFi. I had an antenna/wifi adaptor set up in promiscuous mode to listen to all traffic on their network, looking for MAC addresses that connected for a while, then stopped connecting. It'd then switch to that MAC address and BitTorrent until the 500MB daily cap per device ran out, then go back to monitoring mode looking for someone else who'd agreed to the captive portal T&Cs, had their MAC address whitelisted, and then left. I think I got pretty much all of Game Of Thrones that way...
For a little while, I was monitoring my own home network, and one thing I tried was running nmap against any reconnection of a known/allowed MAC address, to try and confirm it at least looked like the same device. A Raspberry Pi connecting using the MAC address of a phone or a MacBook stood out like a sore thumb. That never turned out useful enough for me to bother wrapping it up into a project I kept running or would have shared.
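The check described in the comment above, as an added example that is not the commenter's own script: keep a per-MAC baseline of what the device looked like when it was enrolled (IP TTL seen in replies, open ports from an nmap scan), and on every reconnection compare a fresh observation against it. The baseline MACs, the nmap grepable-output line and the TTL values are constructed for the example; the TTL defaults (64 for Linux and macOS, 128 for Windows) are the usual ones, which is why open-port drift rather than TTL is what catches a Linux board borrowing a MacBook's MAC.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """What a device looked like on the network: reply TTL and open ports."""
    ttl: int
    open_ports: frozenset


# Constructed baseline of enrolled devices (placeholder MACs, not real hardware).
BASELINE = {
    "aa:bb:cc:00:00:01": Fingerprint(ttl=64, open_ports=frozenset()),           # laptop exposing nothing
    "aa:bb:cc:00:00:02": Fingerprint(ttl=128, open_ports=frozenset({135, 445})),  # Windows desktop
}

# Constructed line in nmap -oG (grepable) format for a host that now answers on 22/tcp.
SAMPLE_SCAN_LINE = (
    "Host: 10.0.1.23 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///"
    "\tIgnored State: closed (998)"
)

# Matches the "port/state/protocol/" prefix of each entry in the Ports: field.
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable_ports(line: str) -> frozenset:
    """Extract the open ports from one nmap grepable 'Host:' line."""
    if "Ports: " not in line:
        return frozenset()
    ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
    return frozenset(
        int(port) for port, state, _proto in _PORT_RE.findall(ports_field) if state == "open"
    )


def check_reconnect(mac: str, observed: Fingerprint) -> list:
    """Compare a freshly observed fingerprint with the enrolled one for this MAC.

    Returns a list of human-readable findings; an empty list means the device
    looks like the one that was enrolled under that address.
    """
    base = BASELINE.get(mac.lower())
    if base is None:
        return ["unknown MAC: not in baseline"]
    findings = []
    if observed.ttl != base.ttl:
        findings.append(f"TTL changed {base.ttl} -> {observed.ttl}")
    new_ports = observed.open_ports - base.open_ports
    if new_ports:
        findings.append(f"new open ports: {sorted(new_ports)}")
    missing_ports = base.open_ports - observed.open_ports
    if missing_ports:
        findings.append(f"previously open ports now closed: {sorted(missing_ports)}")
    return findings


if __name__ == "__main__":
    observed = Fingerprint(ttl=64, open_ports=parse_grepable_ports(SAMPLE_SCAN_LINE))
    for finding in check_reconnect("AA:BB:CC:00:00:01", observed):
        print("aa:bb:cc:00:00:01:", finding)
```

Running this on every DHCP lease or ARP appearance is cheap; the hard part, as the comment implies, is that legitimate devices drift too (an OS update opens a port, a laptop joins a VPN), so the findings are a prompt to look rather than an automatic block.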
MAC address filtering isn't a first step towards 802.1x, precisely because of the reason you mentioned. It's damn near pointless for all but the most basic security scenarios.
Treat every computer like it's connected to the internet.
Probably by actually connecting it to the internet. Since the idea that you can keep people out of your network is probably more dangerous in the long term.
Yep. Anything that can connect _out_ to the internet can be misused to connect _in from_ the internet. All it takes is a human or technology flaw on the inside to "breach" your outbound-connections-only security policy. As a whole bunch of unwitting Log4J users recently found out. Reverse SSH tunnels aren't all that different from Remote Access Trojans.