98 comments

[ 2.9 ms ] story [ 153 ms ] thread
These stories always make me wonder how many malicious infiltrations occur that are never discovered or reported? It could happen all the time, especially at places much less secure. It's certainly far riskier to infiltrate a prison (where all the guards have guns) than a corporate office.
I had the same thought ... having a "get-out-of-jail-free" card lowers the risk for authorized pen-testers but how do you calculate the risk-to-reward ratio if you're actually a criminal? You have to figure that it's less than (e.g.) performing an armed robbery at a bank. So which of the service workers that come into our offices are legitimate? No idea.
Well in Georgia we have had a few reports from the prison system about what they confiscate from prisoners. [0]. Look at what they are finding just among the prisoners so imagine how much easier it is to smuggle into the staff areas anything you want. Nearly two thousand cell phones, four times that number in make shift weapons, and of course drugs.

Cell phones are a particular problem because it has been shown that some in prison continue to engage in criminal activities with those outside including witness intimidation or worse.

[0] https://allongeorgia.com/georgia-state-news/ga-dept-of-corre...

There is such a demand for phones in prisons that there are companies that manufacturer "prison phones" that easily fit into a prison wallet.
Does prison wallet mean what I think it means?
Ugh, I hadn't thought about that, but I'm sure it probably does.
I took one for the team and looked it up to confirm. I can report that yes, it’s exactly what you think it is.
Also, I used DuckDuckGo to look this up, because I do not want targeted ads based on that search.
Is it wrong that I find it a terrible thing that people aren't allowed computers with internet or cellphones in prison?

How do we expect people to join back to society when they can't use literally the number one most important thing?

Maybe give them phones with no cameras and monitoring of use, but just nothing seems very inhumane.

There are prisons charging per minute for calls and e-readers. I really doubt they would be humane enough to allow that
I think this is a understatement... Every US prison/jail/detention center has a "pay-to-play" program administered by profit driven private companies who (IMU) overcharge for these basic services. $5.99 a minute is outrageous! I feel like these companies are allowed to prey on the most vulnerable people and no one cares because there not what society considers "good people".
In the US sometimes the evidence isn't clear that facilitating "join back to society" is an actual goal (it's often a stated goal). It often doesn't seem to be a policy priority.
It most definitely isn't a priority: If it were, the US would look at other countries with lower recidivism rates and spend a bit more on things like mental health care, halfway houses, job placement, and so on.
I'm hedging a bit because I don't have a good sense of how things are country wide, but there are some clear cases where it is not.
While I agree that the US prison system has many issues, recidivism rates can't really be compared between countries because of differences in time frames and rearrest vs re-conviction.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4472929/

The issue is not about comparing recidivism rates.

It is whether the US is looking at the results achieved by other countries and whether the US is trying to emulate successful strategies.

As a sweeping generalisation, I see that the US says "that doesn't apply to us", always finding some weird excuse. Your invalid response is kind of an example.

How do you "[look] at the results achieved by other countries" if those results aren't reported?

It's a fairly common sentiment that the U.S. penal system is heavily skewed toward retribution than reformation.[1] But identifying a problem on the one hand, and quantifying and addressing it on the other, are two entirely separate tasks. The latter is typically much more difficult.[2]

[1] Justice Anton Scalia admitted as much in court, "Well, I thought that modern penology has abandoned that rehabilitation thing, and they--they no longer call prisons reformatories or--or whatever, and punishment is the--is the criterion now. Deserved punishment for crime." Oral argument, Miller v. Alabama, 2012.

[2] Thus the quip, "Everybody complains about the weather, but nobody does anything about it." A reformulation of a Charles Dudley Warner quote, who, interestingly, also seems to have been an advocate for prison reform in his time, among many other civic and political reforms. See https://en.wikipedia.org/wiki/Charles_Dudley_Warner and https://books.google.com/books?id=ktwRAAAAYAAJ&q=+%22little+....

Why would it be, when your donors are the private prison owners?
prison isn't designed for reintegrating back into society!

If you look at this recent paper[1] by the lancet on "The psychological impact of quarantine and how to reduce it: rapid review of the evidence" (coincidentally it's about the corona virus) then you might notice that the effects of isolation are exactly what prisons are designed to do[2]. For quarantines it's a huge dilemma ofc.

[1] https://www.thelancet.com/journals/lancet/article/PIIS0140-6...

[2] https://en.wikipedia.org/wiki/Panopticon

So long as there is a permanent criminal record and jobs can not hire people based on that no real change will come.
I saw a youtube video recently about the extensive use of cell phones to play old school runescape. Like it’s everywhere in every prison in the last couple of years. People not only play it but also use it’s currency for real world trading. Apparently violent behavior is down wherever people are playing.

I’d love to find corroborating evidence for this, because I find it completely facinating.

If I were in jail I'd love to play Runescape. It's pretty much the only time I'd actually enjoy Runescape.
The sad thing about this is that it's still contraband and really bad for the prisoner if they're caught with it.
In the federal system you get automatically moved up one security level. Minimum to low to medium to high. There are very, very few cell phones beyond a lot. There's probably 1 for every 5 people in a minimum.
They should definitely not be locked into expensive for profit comms, but they do need to be censored a bit in case they either harass victims or carry on organized crime.
> Is it wrong that I find it a terrible thing that people aren't allowed computers with internet or cellphones in prison?

I also think they should be allowed to grow their own weed.

Are you being facetious? If so, letting people access information which could help them establish some grounding in the outside world is not exactly a ridiculous idea.
No, I'm serious. Information wants to be free. So does weed.
> Is it wrong that I find it a terrible thing that people aren't allowed computers with internet or cellphones in prison?

Yes, you are wrong. These communication devices are taken away because the nature of the reason you are typically holding folks (violent crimes, gang activity, etc).

> How do we expect people to join back to society when they can't use literally the number one most important thing?

A lot of these people will not being rejoining society. They will spend the rest of their days in their cage. Let's not be rose-colored about this.

> Maybe give them phones with no cameras and monitoring of use, but just nothing seems very inhumane.

No thanks. They can use the monitored computer center.

I completely agree and at the same time see the other side: think of the typical drug kingpin or monster still directing 'business' and hits from prison. And you can't give phones to some and not to others because prisoners obviously interact with each other.
I understand wanting to surveil prisoners but denying them access to the outside world completely is wrong and a waste of everyone’s time.

Maybe require only open source software and no crypto except for authentication but confiscating phones is stupid and lazy.

(comment deleted)
> I understand wanting to surveil prisoners but denying them access to the outside world completely is wrong and a waste of everyone’s time.

Counter-argument: seeing the world pass you by is a good way to become suicidal, and the state (at least here in the US) has an obligation to protect those in their custody.

Receiving broadcasts e.g. radio signals etc. is fairly low risk (exceptions include coded one-way transmissions), but bidirectional communication is a good way to increase the risk that a prison may face a life-critical challenge at some point.

So then the realization that the world passed them by hits them shortly after release, potentially escalating into an existential crisis, and ensuing recidivism.
Do you have any source whatsoever for that claim? Personally, I don't believe for a minute that additional freedom for prisoners would increase suicide, but I'm no expert.
you just need one corrupt guard, or somebody who is willing to close their eyes. guards are only people and being on shift talking with and being exposed to those confined will eventually make them empathic, as they realize many of the prisoners (majority but not all) are just people who never had a chance (grew up in orphanages or on the street, or often just homeless looking to escape the cold of the winter by doing a small crime to get there on purpose). There is one common theme among all of them: poverty and/or trauma. Once you see it (and being a guard exposed to them all the time you will see it unless you're a heartless or dumb sh!t) all the binary thinking and indoctrination starts cracking. This is where the bribe comes in since the person bribing also just fulfills a need (addiction, social interaction or whatever).

Instead of Prisons: https://www.prisonpolicy.org/scans/instead_of_prisons/chapte...

Anyone looking for some Netflix/Chill which is also edutainment about prisons and that doesn't paint the problem as binary (good vs evil) I highly recommend Oz https://www.imdb.com/title/tt0118421/ or (a more recent show about the streets and problems in LE) The Wire https://www.imdb.com/title/tt0306414/ <-- needs at least 2 or 3 times watching because it's incredibly dense!

Edit: this is also an incredibly good read https://mises.org/library/defending-undefendable

Oz is the most horrific thing I have ever seen on screen. Just thinking about it makes me shudder.
Your comment got me thinking and I can’t decide which is worse; so many harrowing moments to choose from. But still, great show.
Is there an article to this article? I just see a 3 sentence blurb and an unrelated video.
keep scrolling down....
Nothing. I see 3 sentences. A short bio about the author. An unrelated "Featured" video. And then "More for You".

Screenshot here. Safari on the left. Firefox on the right. https://i.imgur.com/Qgqiywc.png

Just listened to the Darknet Diaries Courthouse podcast about the pentest gone wrong that was referenced in the article. Highly recommended.

https://darknetdiaries.com/episode/59/

That wasn't a good look for their employer, "Coalfire", and not only because no one answered when they got their jail phone call. How did Coalfire not notice that the target was owned by a completely different entity than the organization that signed the contract?
> How did Coalfire not notice that the target was owned by a completely different entity than the organization that signed the contract?

The courthouse was owned by who? The sherriffs? I thought the ownership was okay, but it was the over-eager law enforcement that refused to budge because they weren't informed.

They had a contract with some office in the state government. The courthouse is owned by a county, as most courthouses in USA are. Later the fig-leaf of "they use a state-administrated computer program there" was constructed so as to limit the injustice inflicted on two humans, but county buildings are no more owned by the state than state buildings are owned by the feds.

And yes, stipulated, the sheriff is an asshole, but even he would have honored a contract between Coalfire and Dallas County, Iowa.

This is a great article, and one of the obvious but brilliant advice from the write up is :

> Don’t blindly assume.

I know I would be way more willing to allow a pleasant lady of mature mothering age and demeanor than a middle aged guy.

Its the stereotypes we subconsciously build up unfortunately.

In the same vein:

It’s not young thugs that come in to medical centers trying to score painkillers; it’s middle-aged suburban moms.

The former know where to buy on the street. It’s the latter that think of trying to lie to their doc.

But in practice we tend to be more suspicious of the former.

That reminds me of Allison (a super uptight soccer mom) in Orphan Black - But Alison had worked out how to find a supplier.
Young adults (age 18 to 25) are the worst offenders of prescription abuse, the largest increase in opioid abuse has been in rural America, and men are 140% as likely to die from opioid abuse.

So you have classified the greatest threat as female, suburban, and adult, but the statistics seem to indicate male, rural, and young adult. You are in danger of being pen tested.

Your parent was talking about people who try to convince their doctor to prescribe them painkillers, while you're talking about all people who abuse opioids.
Initial opioid overdose numbers favored men over women a long time ago, but that hasn't been the case for a while: in the period of 1999 to 2010, male opioid ODs climbed in men by about 240%, in women by 400% (CDC 2013 Prescription Painkiller Overdoses).

It's also worth noting that "who dies from opioid overdose" and "who is more likely to use a doctor to get their fix" are two different discussions, not least of all because "who dies from opiate overdose" is unrelated to "source of opioid." In the period 2005 to 2015, the likelihood of a prescription drug being the initiating drug dropped in half, while the likelihood of it being heroin went up about four-fold (Cicero, Ellis, Kasper 2017).

As to women being the ones who walk into the medical center, note that the CDC's Drug Abuse Warning Network shows that the leading age groups to walk into an ED are women 25-34, 45-54, and 35-44 in that order (though the downward bump for 35-44 isn't really that big - it really is the center of the bell curve).

The big increase in "rural" areas is messy. The actual data shows "non-major urban", and lumps together "small urban" and "rural". Given how medically underserved rural areas are in the US, however, I'd say the anecdata that it's suburban is more consistent with "non-urban growth favoring the non-urban areas that actually have prescription-writers in them." (Cicero et al 2014)

The shift went from very-young inner city males getting heroin as their first drug to white middle-aged currently-as-many-women-as-men (but the velocity of growth is much higher in women) using scripts to, now, going back to heroin as scripts are harder to come by.

Lastly, the previous comment compared "young thugs" (15 yo inner-city males were the predominant opioid abusers in the 80s and 90s, and are traditionally the stereotype for opioid abuse) to the unsuspected-but-common addict that walks in the door today, analogous to the Mom PenTester in the original article. And, indeed, the opioid abuser of yester-year was not prescription-based: they weren't hitting up their physician. It seems like they were saying "the old stereotype that we suspect leads us to ignore this common and inconspicuous thing that is actually the risk." Which you've taken to mean "this common thing we don't adequately suspect is the defining description of what opioid abusers look like."

eh, as a former "young thug" i definitely knew how, thought to, and did score painkillers benzos from doctors. they know where to buy on the street, but they're also broke. so the appeal is the money to be made from selling the pills. starting price for hydro/oxycodone is $1/mg, so 90*30mg will net you nearly 3k. if we provided addicts with clean drugs and access to help there would be no need for a black market, and doctors would be able to treat pain adequately. we can dream at least.
thanks for sharing. hope you're good, I believe in u hahaha
I'm a squidgy middle aged woman with a technical bent. I look and style like a librarian basically. I've thought about getting into pen-testing because people are bigly surprised when I casually mention setting up a pie-hole or whatever last weekend. The blinders are real.
Articles like these are a great anecdote of the ease of getting people into security.

Despite the need for people, you'll still encounter a lot of barriers to getting a job.

It doesn't make sense to have a bunch of hoops to jump through when the demand is there, you can train people easily, and there are people willing to learn.

You can disregard 99% of calls-to-action regarding security hiring and talent demand.

I think you're disregarding the fact that Rita was almost certainly better than anyone in that company at playing the role of state health inspector specifically and getting into that prison without stink eye from anyone. She brought the interest (she asked for the job) and a deep domain expertise that the company was able to directly leverage into an engagement. This is something the industry is begging for and will trip over themselves to invest in.

It's not clear that you're describing that kind of situation. Taking someone with essentially zero relevant experience and training them up to be someone that can deliver a skilled service to a client is a much different ask. There are companies that are willing to make that bet, I work for one now that is hiring pure developers in a security role, but they have the resources to play the long game. Little infosec consulting firms can't do that.

This comes across as me disagreeing with you. I'm not, I agree security is easy to get into and there is way too much black box bullshit surrounding it. I just have been involved with companies along the full spectrum of services and capabilities and feel that not everyone is in the position to make the bet you're laying out as a sure thing.

Many physical pentesters have gotten into places where they didn't have requisite deep domain knowledge because they can research particulars or just rely on regular social engineering. If someone is able to breach a prison without the deep domain knowledge, then it's not actually that important. It's good for demonstrating the damage an insider threat could pose. This article doesn't have a comparison engagement with someone lacking domain knowledge though.

I don't think the industry is tripping over themselves to get talent in any aspect. It just isn't what I've encountered. None of my prior domain knowledge counted (what little there is). Only certs and recent activity.

Depends on where you’re looking. Companies like the one in the article are not going to be in a position to do a lot of staff development unless they have no other choice..you need to be able to hit the ground running in many cases.

Depending on what experience you do have you might find good luck in hiring on at larger firms like insurance, financial, healthcare where they are going to need in-house staff and can make use of other skills that you might bring while they train you up on the security side.

I personally am going back to a dev job. It pays better and there's work to be done (incl. security). I got OSCP and 5 months later eventually landed a security job and ended up sitting on my hands for 3 months doing nothing. It isn't what the industry sold to me as "needing talent".

I know there's smart people doing good work, but it could not deliver for me within a reasonable time despite putting in the work, and that was enough to realize most of the call-to-action was bullshit. If anyone asks me for career advice (no one should), I just tell them to learn to code and do code reviews in their spare time. Don't even bother with the pentesting side of it.

I blame it on the security industry because we are terrible at communicating, but your idea of how this works isn't aligned with reality. Think of it as a dumbed down version of the current staffing situation with healthcare. We have a huge talent gap, but that doesn't mean we put fresh grads to work on surgery.

Pen tests and red teaming are about both skills and decision making, both of which have very high potential for significant damages if carried out incorrectly. For me personally, getting the OCSP would just tell me you have very basic skills and have demonstrated some interest. I would then have to fold you into the engagement pipeline, which would involve some thumb-warming, as basically a water person until i get feedback from the rest of the team that you are asking the right questions and are making good decisions. You would then get progressively more responsibilities and operate under scrutiny for a couple of years before you would be asked to lead anything. The fact that you did nothing for three months just tells me they were too busy to figure out how to get you started on that ramp...or they were idiots. Who knows.

Again, it's a communication issue and your expectations were set too high, but that definitely doesn't mean the industry is secretly flush with talent.

OSCP has too high of a fail rate to only demonstrate very basic skills, it's a bit more than that (if so, that puts CISSP, CEH, etc. way futher down yet you see those as job requirements all the time). There are plenty of people without it and employed still doing pentesting. This was my reality, I don't know how actually going through that situation qualifies it as anything but reality.

This is another thing: people value those certs really differently and it's almost worth not doing them at all, again going back to: just learn to code. And to your point: more communicating badly.

There's not a single more valuable qualifier than experience and yet that's the hardest thing to get when it really shouldn't be. Med students assist with surgeries but they aren't put in charge, I don't see why pentesting can't be the same.

I think you've taken the rare, good, working parts of the industry and believe that to be a baseline, and I don't think it's realistic.

Thanks for the exchange. Your experience with trying to enter a field that I'm probably all too complacent about at this point has been very informative and I'll definitely incorporate it when I'm encountering those that are trying the same.
Anyone interested in this stuff should check out the Darknet Diaries podcast for similar stories. They’re great!!
This also demonstrates an uncomfortable situation. There are certain types of bias in favor of women that help out with these kinds of situations. His mom likely was benefitting from a positive bias that she was harmless and fulfilled the presumption about what an inspector may look like... Something like this "Women are wonderful effect"[1].

[1]: https://en.wikipedia.org/wiki/Women_are_wonderful_effect

This is absolutely a thing.

I worked at a fortune small-cap where the IT department was absolutely insidious. They would undermine anyone who they didn't like, or who opposed their nonsense. I wrote a lot of backend stuff, and they would spend far more effort and money denying us servers and resources than it would have taken to simply get those things for us. They'd tell us developers we couldn't use the OS's our products targeted, and yet they'd be using them.

They undermined their own CIO time after time; most lasted about 18 months.

Then, the company hired a sociable, intelligent, woman as CIO.

Within six months, she'd (rightly) fired the ENTIRE department. They just didn't see it coming.

Wait, what was your point here? That women actually are wonderful?
I assumed the point is that the combative developers saw the new CIO as harmless and didn't fight her as with the others CIOs.
Sounds like society is so biased in favor of women that they can get away with breaking shit (whether accident or intentional).
> breaking shit

You mean fixing.

No i mean breaking. I didn't say ALL women, but clearly my point is proven because you want to defend ALL women. That is the problem. Had I mentioned men break shit, I would have received upvotes.
Those social skills black magic, I should have been drinking more in high school instead of programming.
A little off topic, but the controversy section of that article raises some interesting points, though Wikipedia tends to be a little behind mentioning latest research in social science articles.
That's exactly why social engineering works: biases and assumptions. People are absolutely generally more willing to help a woman than a man for a variety of reasons (perception of harmlessness as you point out; people assuming women are incompetent; guys wanting to help to increase sex appeal; etc). Men can exploit different social vectors (eg large, imposing men being demanding or aggressive will get obeyed more than other people because we automatically associate size with authority).

It's not the pentester's job to fix social policy, merely to point out that threats can come from a variety of vectors that people don't expect.

> In 2016, Rita died of pancreatic cancer; she never had a chance to do another pen test. Strand declined to say which prison his mother infiltrated, only that it has since shut down.

After reading the rest of the story, that was a gut punch!

Off-topic but can someone please fix the lazy title? I detest misused (or omitted) apostrophes. Even better would to just change the title to match the linked article: "How a Hacker's Mom Broke Into a Prison—and the Warden's Computer"
Yes, fixed now.

Submitters: please don't rewrite titles unless they are misleading or linkbait. This is in the site guidelines: https://news.ycombinator.com/newsguidelines.html.

(Submitted title was "Pen testers mom breaks into a state prison and infects wardens computer")

Dang, if I may use this opportunity to ask a question about titles, is it okay to change a title because the original isn't descriptive enough within the context of Hacker News?

Just to choose an example: There's a program called Retroactive which patches Aperture, iPhoto, and iTunes to work again on macOS Catalina. The project's github links to a medium article the author wrote, which is titled:

> Technical Deep Dive: How does Retroactive work?

If you arrive at this article from RetroActive's github, it's a fine title. But if you just see it on Hacker News and don't know what Retroactive does, the title is 100% useless noise. So when I submitted the article to HN[0], I tried to make the title more descriptive while also changing as little as possible. All I did was replace "work" with what Retroactive actually does:

> Technical Deep Dive: How Does Retroactive Patch Aperture for macOS Catalina?

Even though I did my best to change as little as possible, I felt quite guilty about the title change. But in hindsight, by trying to "compromise", I ended up with a title that's still really bad! The first 6 words of my 11-word title give the reader absolutely zero information.

This article didn't get much attention, and I can't help wondering if the title is why (not to imply that this or any article somehow deserves attention). The title really should have been:

> How Retroactive makes Aperture, iPhoto, and iTunes work again on macOS Catalina

0: https://news.ycombinator.com/item?id=22229101

What you're talking about is fine. We could construct an argument that it's also within the site guidelines, but really the rules aren't meant to be treated so formally.

The only thing I'd add is that it makes a huge difference to use language, where possible, from the article itself, rather than come up with words that aren't in the article. There's nearly always a subtitle or representative phrase that is suitable. A title that consists of the article's own language makes for a much better title than one that the submitter made up. We stick to that principle when editing titles. It's not always doable, but 90% of the time it is.

In the case of 22229101, though, I'd go for the subtitle: "The technical backstory of Retroactive". It's true that it doesn't explain what Retroactive is. But it explains what the article is, and it implies that readers will find out what Retroactive is. Indeed, the very first thing you see if you click on it is "If you need to run Aperture, iPhoto, or iTunes on macOS Catalina". It's a great HN submission, so I've changed the title to that and emailed you a repost invite.

p.s. I don't mind having these conversation on the site from time to time, but it's random whether we end up seeing a post like yours or not, so if you want to be sure to get a response, hn@ycombinator.com is better.

Thank you! I have resubmitted (with that title).

I will say: my concern with not defining Retroactive is that the people who'd likely be most interested in such an story (say, macOS programmers) won't be any more likely to read it than, say, SQL programmers. But maybe that's less big a deal than I think it is?