Douglas Havard hacks jail's network where he's an inmate



  • Why waste money on honest (but probably expensive) IT professionals when you can get one of the inmates to do it for free? Sounds brillant, right?

    A UK prison computer system was left in lockdown after jail bosses gave a convicted cybercriminal the task of reprogramming it, the Sunday Mirror reports.

    Source: http://www.theregister.co.uk/2009/09/29/inmate_hacker/



  •  Hey, why not get them to change the locks too?

     



  • I presume they give murderers the task of sharpening their kitchen knives and cleaning their guns, and employ paedophiles to look after employees' children.



  • @Wrongfellow said:

     Hey, why not get them to change the locks too?

    I assume you noticed this sentence hidden in TFA?:

    Another inmate at Ranby Prison recently managed to get a key cut that was capable of opening every door at the jail.



  • @NSCoder said:

    I presume they give murderers the task of sharpening their kitchen knives and cleaning their guns, and employ paedophiles to look after employees' children.
     

    I think next is well-built men in for beating people to death acting as prison guards. I mean they know how to keep people in line eh?



  • @TFA said:

    Another inmate at Ranby Prison recently managed to get a key cut that was capable of opening every door at the jail.

    Why is there a key that works on every door in a prison house? Did some retarded conversation happen?
    @Contractor said:
    ... So this key opens the door to the pantry, this one to the arm-

    @PHB said:
    Why do we have to have so many keys?

    @Contractor said:
    Because what happens if a prisoner gets the key to the bathrooms? Do you want him to have access to the armory and ammo closet too?

    @PHB said:
    What if he needs to get to those rooms, eh? He'd only have the key to the bathroom, and that'd be horrible.

    @Contractor said:
    Why don't I just make a key that opens fucking everything!?

    @PHB said:
    That's brillant!

    @Contractor said:
    ... I want that in writing.



  • Alas, the article is short on details. These details are needed to make a judgement. If the inmate hacked prison administration computers, the governors were stupid. If the computers were set aside for prisoner use, the inmate was a douchebag who ruined the system for his fellow inmates. Rehabilitating prisoners involves trusting them with something, such as not stabbing the prison farm animals. That the governors were confident he didn't access records suggests he never touched the admin computers. I'm going with the douchebag hypothesis.



  •  

    Douglas Havard hacks jail's network where he's an inmate

    If I was an inmate in a jail's network, I'd probably hack it too.

     



  • Lots of large institutions have keys that can open just one door or multiple doors, depending on how they're cut. Otherwise the guards would need to lug around a different key for each door.



  • @Lingerance said:

    Why is there a key that works on every door in a prison house? Did some retarded conversation happen?
    Uh, no?



  • @bstorer said:

    @Lingerance said:

    Why is there a key that works on every door in a prison house? Did some retarded conversation happen?
    Uh, no?


    Filed under: The Atlantic Ocean cannot stop curses, Master keys are pretty fucking common
    A sane individual would expect that in a secure environment there isn't a "golden ticket" or master key to everything.



  • @Lingerance said:

    @bstorer said:

    @Lingerance said:

    Why is there a key that works on every door in a prison house? Did some retarded conversation happen?
    Uh, no?


    Filed under: The Atlantic Ocean cannot stop curses, Master keys are pretty fucking common
    A sane individual would expect that in a secure environment there isn't a "golden ticket" or master key to everything.
    Just like it's insecure for root to have power over everything on a computer, right?  Having everyone control the site-wide master key is certainly a terrible security hole, but having one such key really isn't.  There's negligible difference in the security risk of having one master key compared to a set of keys, unless you store each key in that set in a different place.



  •  Phishing isn't a tricky, technical exploit. The real WTF is they confused a schemer with a geek

     I'm kind of offended actually.

     "Oh, you were arrested for pyramid selling on the internet? Well, then! You'll definitely be capable of coding a J2EE shower scheduler for us!"



  • @bstorer said:

    Just like it's insecure for root to have power over everything on a computer, right?  Having everyone control the site-wide master key is certainly a terrible security hole, but having one such key really isn't.  There's negligible difference in the security risk of having one master key compared to a set of keys, unless you store each key in that set in a different place.
    Not really. If a person had root on one machine it doesn't guarantee ey could get root on another, nor is there a one stop way to get root on any given system, unless the admin failed to take basic sec measures to heart (eg: one would need physical access and the root password, or for network access a username that can get root and their password). In a network setup with the principle of least privilege each admin would only have access to what they need, and the root password (or means to get the root password) would require multiple people, root shells could be gotten with sudo and have the shell specially configured to log each command and only given if necessary. Having a key that works on multiple locks isn't itself entirely bad, it could even work on multiple sites. However having one key that works on the entire site breaks that security mechanism completely should it ever fall into the wrong hands, it's easier to do more damage. In this case the prisoner could've freed every other prisoner, or just snuck out on eir own. Having to use a set of keys isn't all that difficult, and if there are enough keys on the keychain it will impede someone who doesn't know how to use it.



    Shorter version: Master key is a factor of authentication, it is a physical object and can be misplaced. A set of zone keys could be together and still impede someone who isn't familiar with which key does what, especially if some of the locks are "tricky".



  • @Lingerance said:

    Not really. If a person had root on one machine it doesn't guarantee ey could get root on another, nor is there a one stop way to get root on any given system, unless the admin failed to take basic sec measures to heart (eg: one would need physical access and the root password, or for network access a username that can get root and their password). In a network setup with the principle of least privilege each admin would only have access to what they need, and the root password (or means to get the root password) would require multiple people, root shells could be gotten with sudo and have the shell specially configured to log each command and only given if necessary.
      This is a tedious aside that has nothing to do with the matter at hand.  I spoke only of root on a given system, not of an entire network.  You've altered the analogy in your attempt to invalidate what I've said, and thus missed the point completely.  However, while we're on the subject, there's no reason you can't have zoned masters.  There are many multilevel key systems available.

     @Lingerance said:

    Having a key that works on multiple locks isn't itself entirely bad, it could even work on multiple sites.
    Multiple sites?  It's a prison.  Please try and focus here.

    @Lingerance said:

    However having one key that works on the entire site breaks that security mechanism completely should it ever fall into the wrong hands, it's easier to do more damage.
    Easier, but not by much.  Losing any key in a prison is a serious problem, if only for the systematic breakdown it implies.  Yes, losing the master is more serious, which is why they are more closely guarded.  You don't just hand a copy to every guard, just as you wouldn't make every user a network admin.  The fact that you don't immediately take this fact for granted is troubling.  What other basic concepts are you ignoring in your pursuit of splitting hairs?

    @Lingerance said:

    In this case the prisoner could've freed every other prisoner, or just snuck out on eir own.
    Locks aren't the only security measure in place in a prison.  Why are you forcing me to go over basic concepts here?  Freeing every other prisoner requires a more significant breakdown than acquiring a master key.

    @Lingerance said:

    Having to use a set of keys isn't all that difficult,
    And you will probably find that guards have to do just that.  Again, nobody is suggesting that everyone be handed a master key.  That's why it's a master key: so that you can still have a bunch of subkeys to control access.

    @Lingerance said:

    if there are enough keys on the keychain it will impede someone who doesn't know how to use it.
    If the time it takes to go through a set of keys is even considered in your security design, you have already failed.  Luck of the draw shouldn't dictate whether or not a prisoner can escape.  There is, however, one case where such impediments are an issue: rapid response.  In that case, you'll definitely want a master key to move in as quickly as possible.

    @Lingerance said:



    Shorter version: Master key is a factor of authentication, it is a physical object and can be misplaced.
    Any key can be misplaced.

    @Lingerance said:

    A set of zone keys could be together and still impede someone who isn't familiar with which key does what
    Prisons use zoned keys.  Nobody is suggesting that they don't.  Don't be stupid.

    @Lingerance said:

    especially if some of the locks are "tricky"
    WTF?  "Tricky" locks?  They're locks.  Key goes in, door opens, end of story.  I'm not even sure what the hell you mean by that.  Is there some sort of Sphinx lock of which I am unaware that asks you a riddle before it'll open?




  • @Lingerance said:

    A sane individual would expect that in a secure environment there isn't a "golden ticket" or master key to everything.

    Presumably they rely on the expectation that the master key isn't actually prominently marked "Master Key", anodised in gold and encrusted in precious jewels. It probably looks like a very ordinary key that opens a janitor's cupboard.

    However, if you throw it into a fire, then an inscription appears, in roman letters but <ethnic> language:

    One key to rule them all, one key to find them,

    One key to bring them all and in the darkness unbind them.

     



  • @Paddles said:

    but <ethnic> language
    That's racist.



  • @Lingerance said:

    Shorter version: Master key is a factor of authentication, it is a physical object and can be misplaced. A set of zone keys could be together and still impede someone who isn't familiar with which key does what, especially if some of the locks are "tricky".

    Ahh, security through obscurity.  I've heard it's a good idea, but I'd like your insights into leveraging it successfully.

     

    bstorer did a good job of ripping your naive argument to shreds, but I'd just like to point out that having a single master key is not inherently more or less secure than a lot of things.  Even with your convoluted security setup I can just jam a shiv into a guard's neck, take his gun and make the other guards open all the doors for me at gunpoint.



  • @bstorer said:

    @Paddles said:

    but <ethnic> language
    That's racist.

    Nah, just bad use of the word 'ethnic'. It's a crap LOTR reference anyway.



  • @Flatline said:

    @bstorer said:

    @Paddles said:

    but <ethnic> language
    That's racist.

    Nah, just bad use of the word 'ethnic'. It's a crap LOTR reference anyway.

    Bad uses of the word 'ethnic' are racist, just like everything else that isn't me being given a large sum of money.

