
A hacker's mom broke into a prison and the warden's computer - professor_panic
https://www.wired.com/story/hackers-mom-broke-into-prison-wardens-computer/
======
nkrisc
These stories always make me wonder how many malicious infiltrations occur
that are never discovered or reported? It could happen all the time,
especially at places much less secure. It's certainly far riskier to
infiltrate a prison (where all the guards have guns) than a corporate office.

~~~
Shivetya
Well in Georgia we have had a few reports from the prison system about what
they confiscate from prisoners. [0]. Look at what they are finding just among
the prisoners so imagine how much easier it is to smuggle into the staff areas
anything you want. Nearly two thousand cell phones, four times that number in
makeshift weapons, and of course drugs.

Cell phones are a particular problem because it has been shown that some in
prison continue to engage in criminal activities with those outside including
witness intimidation or worse.

[0] [https://allongeorgia.com/georgia-state-news/ga-dept-of-corre...](https://allongeorgia.com/georgia-state-news/ga-dept-of-corrections-seized-9657-contraband-items-from-jan-march-2019/)

~~~
aaomidi
Is it wrong that I find it a terrible thing that people aren't allowed
computers with internet or cellphones in prison?

How do we expect people to join back to society when they can't use literally
the number one most important thing?

Maybe give them phones with no cameras and monitoring of use, but just nothing
seems very inhumane.

~~~
ska
In the US sometimes the evidence isn't clear that facilitating "join back to
society" is an actual goal (it's often a stated goal). It often doesn't seem
to be a policy priority.

~~~
Broken_Hippo
It most definitely isn't a priority: If it were, the US would look at other
countries with lower recidivism rates and spend a bit more on things like
mental health care, halfway houses, job placement, and so on.

~~~
zoonosis
While I agree that the US prison system has many issues, recidivism rates
can't really be compared between countries because of differences in time
frames and rearrest vs re-conviction.

[https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4472929/](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4472929/)

~~~
robocat
The issue is not about comparing recidivism rates.

It is whether the US is looking at the results achieved by other countries and
whether the US is trying to emulate successful strategies.

As a sweeping generalisation, I see that the US says "that doesn't apply to
us", always finding some weird excuse. Your invalid response is kind of an
example.

~~~
wahern
How do you "[look] at the results achieved by other countries" if those
results aren't reported?

It's a fairly common sentiment that the U.S. penal system is heavily skewed
toward retribution than reformation.[1] But identifying a problem on the one
hand, and quantifying and addressing it on the other, are two entirely
separate tasks. The latter is typically much more difficult.[2]

[1] Justice Antonin Scalia admitted as much in court, "Well, I thought that
modern penology has abandoned that rehabilitation thing, and they--they no
longer call prisons reformatories or--or whatever, and punishment is the--is
the criterion now. Deserved punishment for crime." Oral argument, Miller v.
Alabama, 2012.

[2] Thus the quip, "Everybody complains about the weather, but nobody does
anything about it." A reformulation of a Charles Dudley Warner quote, who,
interestingly, also seems to have been an advocate for prison reform in his
time, among many other civic and political reforms. See
[https://en.wikipedia.org/wiki/Charles_Dudley_Warner](https://en.wikipedia.org/wiki/Charles_Dudley_Warner)
and
[https://books.google.com/books?id=ktwRAAAAYAAJ&q=+%22little+...](https://books.google.com/books?id=ktwRAAAAYAAJ&q=+%22little+done%22#v=snippet&q=%22little%20done%22&f=false).

------
zenpaul
Just listened to the Darknet Diaries Courthouse podcast about the pentest gone
wrong that was referenced in the article. Highly recommended.

[https://darknetdiaries.com/episode/59/](https://darknetdiaries.com/episode/59/)

~~~
jessaustin
That wasn't a good look for their employer, "Coalfire", and not only because
no one answered when they got their jail phone call. How did Coalfire not
notice that the target was owned by a completely different entity than the
organization that signed the contract?

~~~
throwaway3157
> How did Coalfire not notice that the target was owned by a completely
> different entity than the organization that signed the contract?

The courthouse was owned by who? The sheriffs? I thought the ownership was
okay, but it was the over-eager law enforcement that refused to budge because
they weren't informed.

~~~
jessaustin
They had a contract with some office in the state government. The courthouse
is owned by a county, as most courthouses in USA are. Later the fig-leaf of
"they use a state-administrated computer program there" was constructed so as
to limit the injustice inflicted on two humans, but county buildings are no
more owned by the state than state buildings are owned by the feds.

And yes, stipulated, the sheriff is an asshole, but even he would have honored
a contract between Coalfire and Dallas County, Iowa.

~~~
throwaway3157
Thanks for the clarification

------
bilekas
This is a great article, and one of the obvious but brilliant pieces of advice
from the write-up is:

> Don’t blindly assume.

I know I would be way more willing to allow a pleasant lady of mature
mothering age and demeanor than a middle aged guy.

It's the stereotypes we subconsciously build up, unfortunately.

~~~
prostheticvamp
In the same vein:

It’s not young thugs that come in to medical centers trying to score
painkillers; it’s middle-aged suburban moms.

The former know where to buy on the street. It’s the latter that think of
trying to lie to their doc.

But in practice we tend to be more suspicious of the former.

~~~
ralusek
Young adults (age 18 to 25) are the worst offenders of prescription abuse, the
largest increase in opioid abuse has been in rural America, and men are 140%
as likely to die from opioid abuse.

So you have classified the greatest threat as female, suburban, and adult, but
the statistics seem to indicate male, rural, and young adult. You are in
danger of being pen tested.

~~~
jefftk
Your parent was talking about people who try to convince their doctor to
prescribe them painkillers, while you're talking about all people who abuse
opioids.

------
throwaway55554
> In 2016, Rita died of pancreatic cancer; she never had a chance to do
> another pen test. Strand declined to say which prison his mother
> infiltrated, only that it has since shut down.

After reading the rest of the story, that was a gut punch!

~~~
lastres0rt
Well, you've heard of burner phones -- welcome to 'the burner hacker'.

~~~
dang
Could you please stop posting unsubstantive comments to Hacker News? You've
been doing it repeatedly, and we're trying for a bit better than that here.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
maerF0x0
This also demonstrates an uncomfortable situation. There are certain types of
bias in favor of women that help out with these kinds of situations. His mom
likely was benefitting from a positive bias that she was harmless and
fulfilled the presumption about what an inspector may look like... Something
like this "Women are wonderful effect"[1].

[1]:
[https://en.wikipedia.org/wiki/Women_are_wonderful_effect](https://en.wikipedia.org/wiki/Women_are_wonderful_effect)

~~~
oceanghost
This is absolutely a thing.

I worked at a fortune small-cap where the IT department was absolutely
insidious. They would undermine anyone who they didn't like, or who opposed
their nonsense. I wrote a lot of backend stuff, and they would spend far more
effort and money denying us servers and resources than it would have taken to
simply get those things for us. They'd tell us developers we couldn't use the
OS's our products targeted, and yet they'd be using them.

They undermined their own CIO time after time; most lasted about 18 months.

Then, the company hired a sociable, intelligent, woman as CIO.

Within six months, she'd (rightly) fired the ENTIRE department. They just
didn't see it coming.

~~~
krilly
Wait, what was your point here? That women actually are wonderful?

~~~
soneca
I assumed the point is that the combative developers saw the new CIO as
harmless and didn't fight her as they did with the other CIOs.

~~~
oceanghost
That was the point, thank you.

------
vsareto
Articles like these are a great anecdote of the ease of getting people into
security.

Despite the need for people, you'll still encounter a lot of barriers to
getting a job.

It doesn't make sense to have a bunch of hoops to jump through when the demand
is there, you can train people easily, and there are people willing to learn.

You can disregard 99% of calls-to-action regarding security hiring and talent
demand.

~~~
jcims
I think you're disregarding the fact that Rita was almost certainly better
than anyone in that company at playing the role of state health inspector
specifically and getting into that prison without stink eye from anyone. She
brought the interest (she asked for the job) and a deep domain expertise that
the company was able to directly leverage into an engagement. This is
something the industry is begging for and will trip over themselves to invest
in.

It's not clear that you're describing that kind of situation. Taking someone
with essentially zero relevant experience and training them up to be someone
that can deliver a skilled service to a client is a much different ask. There
are companies that are willing to make that bet, I work for one now that is
hiring pure developers in a security role, but they have the resources to play
the long game. Little infosec consulting firms can't do that.

This comes across as me disagreeing with you. I'm not, I agree security is
easy to get into and there is way too much black box bullshit surrounding it.
I just have been involved with companies along the full spectrum of services
and capabilities and feel that not everyone is in the position to make the bet
you're laying out as a sure thing.

~~~
vsareto
Many physical pentesters have gotten into places where they didn't have
requisite deep domain knowledge because they can research particulars or just
rely on regular social engineering. If someone is able to breach a prison
without the deep domain knowledge, then it's not actually that important. It's
good for demonstrating the damage an insider threat could pose. This article
doesn't have a comparison engagement with someone lacking domain knowledge
though.

I don't think the industry is tripping over themselves to get talent in any
aspect. It just isn't what I've encountered. None of my prior domain knowledge
counted (what little there is). Only certs and recent activity.

~~~
jcims
Depends on where you’re looking. Companies like the one in the article are not
going to be in a position to do a lot of staff development unless they have no
other choice... you need to be able to hit the ground running in many cases.

Depending on what experience you do have you might find good luck in hiring on
at larger firms like insurance, financial, healthcare where they are going to
need in-house staff and can make use of other skills that you might bring
while they train you up on the security side.

~~~
vsareto
I personally am going back to a dev job. It pays better and there's work to be
done (incl. security). I got OSCP and 5 months later eventually landed a
security job and ended up sitting on my hands for 3 months doing nothing. It
isn't what the industry sold to me as "needing talent".

I know there's smart people doing good work, but it could not deliver for me
within a reasonable time despite putting in the work, and that was enough to
realize most of the call-to-action was bullshit. If anyone asks me for career
advice (no one should), I just tell them to learn to code and do code reviews
in their spare time. Don't even bother with the pentesting side of it.

~~~
jcims
I blame it on the security industry because we are terrible at communicating,
but your idea of how this works isn't aligned with reality. Think of it as a
dumbed down version of the current staffing situation with healthcare. We have
a huge talent gap, but that doesn't mean we put fresh grads to work on
surgery.

Pen tests and red teaming are about both skills _and_ decision making, both of
which have very high potential for significant damages if carried out
incorrectly. For me personally, getting the OSCP would just tell me you have
very basic skills and have demonstrated some interest. I would then have to
fold you into the engagement pipeline, which would involve some thumb-warming,
as basically a water person until I get feedback from the rest of the team
that you are asking the right questions and are making good decisions. You
would then get progressively more responsibilities and operate under scrutiny
for a couple of years before you would be asked to lead anything. The fact
that you did nothing for three months just tells me they were too busy to
figure out how to get you started on that ramp...or they were idiots. Who
knows.

Again, it's a communication issue and your expectations were set too high, but
that definitely doesn't mean the industry is secretly flush with talent.

~~~
vsareto
OSCP has too high of a fail rate to only demonstrate very basic skills, it's a
bit more than that (if so, that puts CISSP, CEH, etc. way further down, yet you
see those as job requirements all the time). There are plenty of people
without it and employed still doing pentesting. This was my reality, I don't
know how actually going through that situation qualifies it as anything but
reality.

This is another thing: people value those certs really differently and it's
almost worth not doing them at all, again going back to: just learn to code.
And to your point: more communicating badly.

There's not a single more valuable qualifier than experience and yet that's
the hardest thing to get when it really shouldn't be. Med students assist with
surgeries but they aren't put in charge, I don't see why pentesting can't be
the same.

I think you've taken the rare, good, working parts of the industry and believe
that to be a baseline, and I don't think it's realistic.

~~~
jcims
Thanks for the exchange. Your experience with trying to enter a field that I'm
probably all too complacent about at this point has been very informative and
I'll definitely incorporate it when I'm encountering those that are trying the
same.

------
timwis
Anyone interested in this stuff should check out the Darknet Diaries podcast
for similar stories. They’re great!!

------
ddtaylor
AFAIK this talk was given at DerbyCon in 2018 and there might be video.

~~~
ayakura
Here's the video:
[https://www.youtube.com/watch?v=Upa6IEwnTTo](https://www.youtube.com/watch?v=Upa6IEwnTTo)

Here's another one from yesterday - RSA Conference:
[https://www.youtube.com/watch?v=yqOGuXcLdOA](https://www.youtube.com/watch?v=yqOGuXcLdOA)

~~~
ddtaylor
Also you're right it's from 2017 not 2018.

------
ebg13
Is there an article to this article? I just see a 3 sentence blurb and an
unrelated video.

~~~
ahmadss
keep scrolling down....

~~~
ebg13
Nothing. I see 3 sentences. A short bio about the author. An unrelated
"Featured" video. And then "More for You".

Screenshot here. Safari on the left. Firefox on the right.
[https://i.imgur.com/Qgqiywc.png](https://i.imgur.com/Qgqiywc.png)

------
haberdasher
Mr. Robot, S1.

------
mttjj
Off-topic but can someone please fix the lazy title? I detest misused (or
omitted) apostrophes. Even better would to just change the title to match the
linked article: "How a Hacker's Mom Broke Into a Prison—and the Warden's
Computer"

~~~
dang
Yes, fixed now.

Submitters: please don't rewrite titles unless they are misleading or
linkbait. This is in the site guidelines:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html).

(Submitted title was "Pen testers mom breaks into a state prison and infects
wardens computer")

~~~
Wowfunhappy
Dang, if I may use this opportunity to ask a question about titles, is it okay
to change a title because the original isn't descriptive enough within the
context of Hacker News?

Just to choose an example: There's a program called Retroactive which patches
Aperture, iPhoto, and iTunes to work again on macOS Catalina. The project's
github links to a medium article the author wrote, which is titled:

> Technical Deep Dive: How does Retroactive work?

If you arrive at this article from RetroActive's github, it's a fine title.
But if you just see it on Hacker News and _don't_ know what Retroactive does,
the title is 100% useless noise. So when I submitted the article to HN[0], I
tried to make the title more descriptive while also changing as little as
possible. All I did was replace "work" with what Retroactive actually does:

> Technical Deep Dive: How Does Retroactive Patch Aperture for macOS Catalina?

Even though I did my best to change as little as possible, I felt quite guilty
about the title change. But in hindsight, by trying to "compromise", I ended
up with a title that's _still_ really bad! The first 6 words of my 11-word
title give the reader absolutely zero information.

This article didn't get much attention, and I can't help wondering if the
title is why (not to imply that this or any article somehow deserves
attention). The title really should have been:

> How Retroactive makes Aperture, iPhoto, and iTunes work again on macOS
> Catalina

0:
[https://news.ycombinator.com/item?id=22229101](https://news.ycombinator.com/item?id=22229101)

~~~
dang
What you're talking about is fine. We could construct an argument that it's
also within the site guidelines, but really the rules aren't meant to be
treated so formally.

The only thing I'd add is that it makes a huge difference to use language,
where possible, from the article itself, rather than come up with words that
aren't in the article. There's nearly always a subtitle or representative
phrase that is suitable. A title that consists of the article's own language
makes for a much better title than one that the submitter made up. We stick to
that principle when editing titles. It's not always doable, but 90% of the
time it is.

In the case of 22229101, though, I'd go for the subtitle: "The technical
backstory of Retroactive". It's true that it doesn't explain what Retroactive
is. But it explains what the article is, and it implies that readers will find
out what Retroactive is. Indeed, the very first thing you see if you click on
it is "If you need to run Aperture, iPhoto, or iTunes on macOS Catalina". It's
a great HN submission, so I've changed the title to that and emailed you a
repost invite.

p.s. I don't mind having these conversations on the site from time to time, but
it's random whether we end up seeing a post like yours or not, so if you want
to be sure to get a response, hn@ycombinator.com is better.

~~~
Wowfunhappy
Thank you! I have resubmitted (with that title).

I will say: my concern with not defining Retroactive is that the people who'd
likely be most interested in such a story (say, macOS programmers) won't be
any more likely to read it than, say, SQL programmers. But maybe that's less
big a deal than I think it is?

~~~
dang
That didn't work, and a bunch of users even flagged it, so let's try again
with your title. I put the submission
([https://news.ycombinator.com/item?id=22454069](https://news.ycombinator.com/item?id=22454069))
in the second-chance pool (described at
[https://news.ycombinator.com/item?id=11662380](https://news.ycombinator.com/item?id=11662380)).

