Students acting maliciously – often for fun – are increasingly the cause of cyber attacks affecting schools and colleges in the UK, according to new data from the Information Commissioner’s Office, which today warned that the culprits may be setting themselves up for a life of cyber crime.
Britain’s data protection regulator probed over 200 insider data breach reports in the education sector between January 2022 and August 2024, and found that over half, 57% in total, were caused by students, and almost a third, 30% all told, were caused by stolen login details, with students responsible for 97% of those.
The ICO’s warning comes amid a national conversation on the teenage, English-speaking hackers involved in the prolific cyber crime collective referred to variously as Scattered Spider, ShinyHunters, Lapsus$, and sometimes all three. This gang has been linked to a spate of incidents this year, including attacks on Marks & Spencer and, more recently, Jaguar Land Rover.
It also follows a recent National Crime Agency report that found a fifth of 10 to 16 year-olds had engaged in illegal activity online, and 5% of 14 year-olds had engaged in outright hacking. In 2024, according to the NCA, a seven year-old was referred to its Cyber Choices digital crime prevention programme.
“Whilst education settings are experiencing large numbers of cyber attacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality,” said Heather Toomey, principal cyber specialist at the ICO.
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.
“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists,” said Toomey.
There are many reasons why children and young people might be tempted into hacking – some do it for dares, some for notoriety in their peer group, out of revenge or as a result of rivalries, and in a few cases for financial gain.
In one incident reported to the ICO, three Year 11 students accessed their school’s information management system containing pupil data, having downloaded tools from the internet specifically designed to break passwords and security protocols. Two of the children involved were members of an online hacking forum, and when questioned, all admitted to an interest in cyber security and said that they had wanted to test their skills and knowledge.
In a different and rather more damaging case, a student accessed their college’s information management system and proceeded to view, amend or delete personal information belonging to staff, students and course applicants. Some of the data contained in this system included names and addresses, academic records, health and safeguarding data, pastoral logs, and emergency contacts.
In the second instance, the student stole and used a staff login to access the system, but a deeper analysis of the 215 insider breach reports revealed that about a quarter of the incidents arose through poor data protection practices by teaching staff – including devices being left unattended or students being allowed to use staff devices.
A further fifth of the observed incidents were caused by staff sending data to personal devices, and about 17% were caused by technical failings, such as incorrect system setups or poor access management practice.
Only 5% of incidents were identified as insiders using “sophisticated techniques” to bypass security and network controls, once again highlighting the importance of paying close attention to basic security measures.
Be part of the solution
The ICO today called on schools to be part of the solution to insider threat by taking steps to improve their overall security practices, and remove the temptation to hack from students.
Among other things, school leadership should be conducting and refreshing GDPR training to raise standards and awareness among staff of the need to do better, said the ICO. The regulator also reaffirmed the obligation to report incidents when they go wrong.
For parents and guardians, the ICO highlighted the need to keep channels of communication open with their offspring – hard as this may be with teenagers – to have regular check-ins on their online activity and to discuss the choices they are making before what might feel like harmless fun escalates to criminality.
Parents may also wish to consider engaging with the NCA-coordinated Cyber Choices programme, which contains resources to help families explore tech skills, and understand the devastating consequences of becoming involved in cyber crime.
SpaceX is planning to raise tens of billions of dollars through an initial public offering next year, multiple outlets have reported, and Ars can confirm. This represents a major change in thinking from the world’s leading space company and its founder, Elon Musk.
The Wall Street Journal and The Information first reported about a possible IPO last Friday, and Bloomberg followed that up on Tuesday evening with a report suggesting the company would target a $1.5 trillion valuation. This would allow SpaceX to raise in excess of $30 billion.
This is an enormous amount of funding. The largest IPO in history occurred in 2019, when the state-owned Saudi Arabian oil company began public trading as Aramco and raised $29 billion. In terms of revenue, Aramco is a top-five company in the world.
Now SpaceX is poised to potentially match or exceed this value. That SpaceX would be attractive to public investors is not a surprise—it’s the world’s dominant space company in launch, space-based communications, and much more. For investors seeking unlimited growth, space is the final frontier.
But why would Musk take SpaceX public now, at a time when the company’s revenues are surging thanks to the growth of the Starlink Internet constellation? The decision is surprising because Musk has, for so long, resisted going public with SpaceX. He has not enjoyed the public scrutiny of Tesla, and feared that shareholder desires for financial return were not consistent with his ultimate goal of settling Mars.
Data Centers
Ars spoke with multiple people familiar with Musk and his thinking to understand why he would want to take SpaceX public.
A significant shift in recent years has been the rise of artificial intelligence, which Musk has been involved in since 2015, when he cofounded OpenAI. He later had a falling out with his cofounders and started his own company, xAI, in 2023. At Tesla, he has been pushing smart-driving technology forward and more recently focused on robotics. Musk sees a convergence of these technologies in the near future, which he believes will profoundly change civilization.
Raising large amounts of money in the next 18 months would allow Musk to have significant capital to deploy at SpaceX as he influences and partakes in this convergence of technology.
How can SpaceX play in this space? In the near term, the company plans to develop a modified version of the Starlink satellite to serve as a foundation for building data centers in space. Musk said as much on the social media network he owns, X, in late October: “SpaceX will be doing this.”
Weatherproofing. Every model needs a weatherproof rating to survive outside, so if you don’t see one, don’t buy it. There’s usually a lower rating for the control box compared to the rest of the lights, so be sure you can put that somewhere that’s a little less exposed to the elements. (As mentioned above, make sure you have an outdoor outlet, and check if there’s only one on a certain side of your home in case it limits your installation options.)
A range of installation options. You’ll want a set that comes with plenty of options for your own installation, including adhesive and drilled mounting options. What you need will vary based on your home design and materials; e.g., you’ll want adhesive for homes you can’t drill into. WIRED reviewer Kat Merck, who tested a couple different permanent lights, especially liked sets that had holders you screw onto your home that the puck-style permanent lights can slide onto.
Controls for individual lights. This should be a no-brainer, but some cheaper lights won’t give you this ability or have more roadblocks for customized control. Make sure you’ll have easy individual controls, or you might find yourself frustrated with the design results of these lights. It’s similar to design controls that you’d see on smart bulbs and smart string lights.
A great app. This goes hand in hand with the need for individual light control—a good app determines whether that and other features are accessible. Govee and Eufy, two of our favorite permanent outdoor lights we’ve tried, both have good apps that are easy to use and come with preloaded designs. These tech companies make more than just outdoor lights and make other favorite gear of ours, so they’re a good brand to trust to make a usable product and app. We also like Lepro’s more affordable lights, though the app had some extra hoops to jump through to get to controls, while Lumary’s app was a brutal experience for our tester.
Our Favorite Permanent Outdoor Lights
We’ve tested a handful of permanent lights on different homes, and have a few clear favorites. These options are all ones we recommend, provided your home exterior meets the constraints mentioned above.
Govee
Permanent Outdoor Lights Pro
This model from Govee has been one of our top picks in our smart Christmas lights review for a reason, and it’s still one of our favorite models at this price point for everything you’ll get with it. WIRED reviewer Simon Hill tested the 100-foot string that came with six sections, plus an extension cord. He used adhesive and screw clips to secure the light pucks and cables, and found installation easy. This is a set that you can cut and splice, but he says that isn’t a task for the faint of heart. It has an IP67 rating, and an IP65 rating for the control box. The busy companion app has everything you could want within it: color controls, tons of Scenes (Govee’s lighting effects), scheduling abilities, and even a music sync option (though that felt a little gimmicky). There’s Matter support, and Govee can connect to Alexa and Google’s ecosystems for voice control. Simon says he’d like these lights to be closer together and the design to be a little more subtle, as you can see the cords pretty easily.
Eufy
Permanent Outdoor Lights S4
WIRED reviewer Kat Merck has tested two different sets of permanent outdoor lights on her home, and Eufy’s S4, incorporating RGB with both warm and cool whites, is by far her favorite. She’s found the app incredibly easy to navigate and find the features she wants, from preset holiday scenes (120!) and colors to schedules and brightness adjustments. There’s even an AI feature that lets you create customized light shows based on moods and scenarios. They were relatively easy to install on her home, which has nonstandard architectural features, as this set has extensions and can be cut and spliced. She says the lights aren’t quite as bright as the Lumary Max set below, but the brightness is adjustable. There’s also a radar motion sensor included, which she’s still testing. The Eufy S4 set also works with the Matter protocol, so it will work with Apple, Google, and Alexa’s smart home ecosystems. It’s got a waterproof rating of IP67 like the Govee set above.
Cync
Dynamic Effects Outdoor Smart Eave Lights
Cync, which comes from appliance maker GE, makes affordable smart bulbs and other smart lights I like, so it’s not a huge surprise that I also liked the brand’s Smart Eave Lights. They were easy to install with 3M sticky strips already installed on the individual lights, and since my eaves are out of safe reach on my townhouse, I used the lights on my balcony railing with great success. One piece of the 100-foot set (it comes with four strings, plus an extension) was the perfect length to loop around my 9-foot-long railing. The set quickly connected to the Cync app, and the power cord is nice and long to make it easy to reach wherever your power outlet is. It has a waterproof rating of IP65.
If You Can’t Install Permanent Outdoor Lights
Not every home is a good fit for these types of lights. I haven’t yet found a permanent light set that works with my home, so here’s what I’ve used instead for a similar result.
Twinkly
Strings Multicolor
These lights are photographed on a tree, but they have a weatherproof rating of IP44 (for both the lights and the power supply) to be used outside. I love how much you can customize these lights. You’ll use the app to take a photo of however you’ve set up your lights, whether that’s around the tree, around your balcony’s railing, or along the front of your house, and then you’ll be able to customize the lights and pattern based on how you arranged it. There are tons of fun light designs already in the app, and you can make your own. It’s a good option if you can only do string lights but want smart capabilities. These lights are also compatible with Amazon’s, Google’s, and Apple’s ecosystems. Twinkly also makes an icicle-style smart light string ($110), which I love using outside too; they’re currently hanging above my garage door.
More Outdoor Lights We’ve Tested
Cync Outdoor Light Strip for $154: I was really hoping this would be a good solution for outdoor lights for my balcony, but this light strip is heavy and tall, and better designed to use to line a yard versus sticking onto the side of a railing. It comes with grass stakes to line it.
Lepro’s E1 AI for $153 (50 ft): These permanent outdoor lights are completely sold out right now, but they are another more affordable option. However, they aren’t as cheap as Cync and you will have to get around the app’s AI to really get the most out of it.
Lumary Outdoor Permanent Lights Max ($260 for 105 ft.): Lumary’s lights were frustrating and limiting for our tester. The app wasn’t intuitive or easy to use, and our tester actually had to have the power box replaced after she tried to connect the lights to a different phone. She liked how bright the lights were, and the fact there’s a physical remote, but the app, power box shutdown, and installation limitations compared with other sets (no splicing ability, installation recommended from the left) make this one we’d skip. Lumary has since released an updated version of its outdoor permanent lights, the Permanent Outdoor Lights 2, which includes a completely redesigned app, including the addition of custom-scene saving, but we haven’t tested them yet.
FAQs
What Are the Cons of Permanent Christmas Lights?
The only real downside to permanent Christmas lights, or permanent outdoor lights of any kind, is the cost. These sets usually cost significantly more than a light string, even the smart ones. That’s because they’re designed to last longer on your home, and the more expensive sets allow you to cut and splice the cords to perfectly fit your home instead of dangling strings and extra lights. It’s an investment, but one you can enjoy year-round.
Are Permanent Outdoor Lights Worth It?
Yes, because you’ll install them once and be good to go with every holiday in your future: Christmas! Halloween! Your fave sports team headed to a big championship match! Your kid’s graduation (or your own)! Similar to how smart bulbs can give you so many options inside your home, the possibilities are endless and something you’ll be able to use and enjoy year-round.
How Does WIRED Test Permanent Outdoor Lights? What Happens When We’re Done Testing?
WIRED tests permanent outdoor lights on the homes of our reviewers. We’ve tested these lights on three different homes in separate areas with serious weather: Washington state, Missouri, and Scotland. We’ve also tested a set in the more mild climate of Southern California. We install these on the homes themselves and leave them up for at least a few weeks, if not months and years (depending on performance), to see how they hold up. Our picks remain on our homes for long-term testing, as these lights are supposed to be permanent, and used sets are safely disposed of.
Companies that pay ransom demands to cyber criminals in the hope of restoring their IT systems may be at risk of greater negative publicity than those that refuse.
An initial analysis of data seized by the National Crime Agency (NCA) in the takedown of the LockBit ransomware group suggests that the best way to avoid bad publicity may be to refuse to pay up.
Max Smeets, author of the book Ransom War, was given supervised access to data on LockBit 3.0 seized by the NCA during Operation Chronos, which took down the LockBit ransomware operation, and examined leaked data from LockBit 4.0.
Smeets compared press reporting on 100 companies that paid ransoms with reporting on 100 companies that refused to pay.
“It turns out that you are more likely to have a story written about you if you have paid than if you have not paid,” he said in an interview with Computer Weekly.
Smeets’ conclusions fly in the face of claims by criminal ransomware gangs that companies that pay up can avoid bad publicity. He calls it the Streisand effect, whereby in paying a ransom to avoid publicity, companies end up attracting the very publicity they are trying to avoid.
Law enforcement has long argued that companies should not pay ransom fees because it supports the ransomware ecosystem and there is no guarantee that they will get their data back.
“What the data also suggests is that you also shouldn’t pay if you are afraid of public exposure,” said Smeets, speaking to Computer Weekly at the Black Hat security conference in London.
The art of the bad deal
Smeets’ analysis also revealed just how ill-prepared many organisations were when negotiating ransomware payments with LockBit’s criminal affiliates.
Some companies told crime gangs upfront that they were desperate to get their data back as they had no backups, putting them instantly on the back foot in negotiations.
Others tried unsuccessfully to win sympathy with the hackers by claiming that they couldn’t afford to pay the ransom, or that they served the local community.
Smeets also found that some victims had sent ransomware gangs copies of their insurance documents to show how much they could afford to pay.
His findings show that companies need to be better prepared for ransomware negotiations if the worst happens.
“There is a major opportunity, especially for small and medium-sized enterprises, to become better in understanding how to engage with these criminals without making extreme and obvious mistakes,” he said.
LockBit’s criminal affiliates follow a standard playbook for negotiating ransom payments, which typically involves demanding an initial ransom, offering to decrypt two files for free, and threatening to leak data if organisations don’t pay up.
Smeets found that the criminal groups have so many victims that they don’t spend time analysing the data they capture to look for compromising material that could push up the value of a ransom demand – they are more interested in the next victim.
If companies don’t pay up within a few weeks, affiliates may be inclined to assume that their victim’s lack of desperation may mean their ransomware attack did not cause much damage. They may be willing to accept smaller payments in return for an agreement not to publish the hacked data.
The trust paradox
Ransomware groups like LockBit deceive and steal, but somehow have to convince victims that they are trustworthy enough to restore their data in return for a ransomware payment, so reputation matters.
Operation Chronos not only destroyed the infrastructure of LockBit, but also destroyed its reputation, Smeets’ research shows.
In February 2024, the international police operation seized LockBit’s servers, its administrative hub, its public-facing website and its internal communications.
“The NCA not only went after their technical infrastructure, but also tarnished their reputation by disclosing their lies,” he said.
For example, the group said it would ban the affiliates that hit a children’s hospital in Toronto – it didn’t, said Smeets. LockBit also promised to delete victims’ data from its servers if they agreed to pay, but often didn’t.
When criminal gangs attempted to revive LockBit in December 2024, its reputation had been irretrievably damaged.
Before Operation Chronos, between May 2022 and February 2022, 80 affiliates of LockBit 3.0 received ransomware payments.
LockBit 4.0, an attempt to resurrect the ransomware operation after the police take-down, only received eight ransomware payments between December 2024 and April 2025, according to Smeets’ research.
“LockBit is so tarnished that even if it can put up its infrastructure again, it’s a shadow of its former self,” he said.
Operation Chronos could form a blueprint for future ransomware takedowns by destroying not just the infrastructure but also the reputations of ransomware gangs.
Smeets hopes to conduct further research into the relationship between paying ransoms and negative press coverage to test his initial findings.