
You just couldn't make it up!
It's not funny but it is; or is it just bemusement?
A UK hacker behind bars for computer fraud hacked into his prison's computer system during an IT lesson. Nicholas Webber, 21, of Southsea, Hampshire, was able to access the network after being allowed to join the jail's technology classes. Webber was sent down for five years in May 2011 for masterminding the infamous …
When I was a contractor I worked for a 3rd party vendor that looked after the prisons. I believe they run a two tier system. One for the doors and other security and an internal system that just sits and blinks lights.
I think the reason that the prison had a mainframe (more likely windows server environment) is because some think tank had suggested it. I doubt that anything of worth would be stored on the closed network.
The 3rd party service provider only had access to the external infrastructure. From memory they were quite poor with their security and let anyone work on the system. That was the reason that I stood down, as I have a criminal record as a political activist.
I've been inside more nicks than the hardest of prisoners.. door control will never be on the same physical network as the PCs; they used to have a proper mainframe-based system called LIDS which couldn't be on the same physical network as the rest of the prison IT (given that it ran on VT-100 sort of terminals). Then you'd have the 4x4 Access-based prisoner records system (the pet project of a PCO from HMP Preston that got used so widely it became a de facto standard)
But that all changed when EDS took control of the Home Office, fucked up the system they were supposed to be delivering, and from the sound of it managed to get prison training PCs on the same network as their IT systems - IMHO the people who should be disciplined in this are not the course trainers, but whoever set up a training room for inmates that actually hooks up to the same network as the rest of the prison IT... some numpty at EDS, no doubt, not realizing that IT training rooms in prisons are not the same as IT training rooms in normal companies.
About the only believable bit of IT in Skyfall was that the security service would put a highly dangerous terrorist, known to have compromised their systems, inside a 'prison cell' with just an electronic lock rather than, oooh, a £5 padlock securing the door from the outside.
When I was at EDS they never had any computers that the inmates used, granted I didn't spend too much time on that account as mentioned in my previous post. No CRB check and a whole list of passwords that could lock down courts or open prison doors.
But computers in the prison on the same network - nope (although I am not saying that a numpty culture didn't exist)
@Simon Westerby 1
>" ... IT training rooms in prisons are not the same as IT training rooms in normal companies."
>Yes they are, and neither should allow access to ANY other network... (interwebs included!)
..in an ideal world, you're probably right; in practice, most places I've worked have their IT training rooms on the same network.
@AC 09.28
>When I was at EDS they never had any computers that the inmates used, granted I didn't spend too much
>time on that account as mentioned in my previous post. No CRB check and a whole list of passwords that
>could lock down courts or open prison doors.
My experience of EDS in prisons was uniformly bad: including them showing up at a private prison (not one they were contracted for) and informing the IT staff there that they now "owned" all their PCs; charging surreal costs for support which rarely materialized; and not being entirely honest to the prisons about what their remit was.
..Conflict of Interest warning: EDS spent years telling Home Office prisons that they weren't allowed to buy the system I'd written, because they were going to be supplying one to do the same job. If EDS had been half-way ethical (e.g. in admitting that they didn't have a working system, and were utterly inept when it came to writing one), I'd be if not rich, then financially secure. Life's a bitch, ain't it?
Wasn't COBOL (Capitalization Of Boilerplate Oriented Language) classified as cruel and unusual punishment under the Geneva Convention (or the declaration of human rights, I forget which one)?
On the one hand, the point of prison is surely the rehabilitation. He deserves as much chance to make good as anyone else.
On the other, who would not have been wary of a convicted computer criminal asking to be in on the computer classes? This is a classic "should have seen it coming" premise.
I could not say for sure what I would have done, were it my decision to let this happen or not... :/
"Fox said he was not aware of Webber's crimes when the hacker joined the prison's IT class. Fox also maintained that it wasn't his decision to admit the lad to the course, which aims to give young offenders skills that will give them a better chance of finding gainful employment once they leave prison"
Sounds like they sacked the wrong person -- who was in charge of the paper shuffling?
Since the replies are tongue in cheek I'll post a serious one.
I know of an open prison that has links with a particular network equipment manufacturer, they give them books/equipment (pretty good stuff too, not old crap)/visits to their sites and the prisoners get a chance to study for some of the qualifications offered by this particular manufacturer.
Fox:
1) said he was not aware of Webber's crimes when the hacker joined the prison's IT class,
2) maintained that it wasn't his decision to admit the lad to the course,
3) was blamed for the hack and excluded from the prison, and
4) was cleared of any wrongdoing at a disciplinary hearing last March.
Another public circus fustercluck. No doubt those in charge at HMP Isis are still there. That's the real crime.
My mom has worked for the county jail for close to 20 years now, the stories about mistakes in the paper shuffle would blow your mind.
One recent case involved a guy my sister went to school with. He committed an armed robbery in Austin, was arrested in Dallas, but was shipped to the county of his residence which my mom happens to work at. Dallas county didn't send the felony arrest paperwork with him, he just had a traffic warrant at the county here. The officer in charge was getting the court paperwork ready for the traffic ticket (in which he would have likely been bonded out the same day) when my mom recognized him and looked at the paperwork and noticed the serious problem. She quickly got the original warrant from the NCIS and reclassified him as a high risk inmate. Had it been her day off, or she was on vacation, the guy would have walked (which he was a flight risk because of an attempt to flee to Mexico).
Events like this are pretty common. : (
"On the one hand, the point of prison is surely the rehabilitation. He deserves as much chance to make good as anyone else."
Well, he's not showing much likelihood of that is he? Banged up for computer fraud, and he can't stop himself hacking the prison system as well? That looks to me like somebody who doesn't give a fuck and will simply re-offend as soon as he gets out.
I believe these kinds of sociopaths who don't give a fuck that their activities ruin people's lives cannot be rehabilitated. You can't force someone to have a conscience if they don't have one. A psychologist of my acquaintance described a victim reparation meeting between a home invader and the family he robbed, and when confronted firsthand with the trauma he'd inflicted, he showed no emotion or remorse whatsoever. This hacker is probably similar - he doesn't give a fuck whose lives he ruins, as long as he gets what he wants.
I'm strongly opposed to the death penalty, but at the same time I don't believe these sociopathic creatures can ever be returned to society, no matter how long they are "rehabilitated." We don't let lions run around loose in our streets for much the same reasons as these fraudsters and scammers shouldn't be let loose. You can't stop a lion acting like a lion, and you can't stop a sociopath acting like a sociopath. They are what they are, and what they are is incompatible with the behaviours required to function in civilisation.
So what I advocate is a kind of "Coventry", or gulag, like that described in the second part of Robert Heinlein's Revolt in 2100. This is not like transporting convicts to Australia, that still functioned as a regulated prison. Instead, you simply drop these sociopaths into the "Coventry" area, and leave them to fend for themselves, no guards, no cells, no rules. They have the absolute freedom to do as they want, limited only by their capacity to take it from each other. Like a lion safari park. I'd sterilise them first though. You don't want Darwinian selection breeding for the perfect sociopath...
The problem with this is that from reading what you've written I would consider you sociopathic. In that you have made completely unsubstantiated claims about a human, their motivations and their redeemability based on almost nothing. Then proceeded to hand out life term punishments. It's people like you who I see as a threat to the good order of society. You see the problem. Harsh punitive power is always going to be in the hands of some clique of thought - maybe not yours.
"Seems he's a skilled hacker but not that bright." I doubt if the prison employs the equivalent of the NSA's anti-hacking team, which would seem to imply Nicholas Webber is actually not a very good hacker if he got caught by them. And going by the fact that the class teacher got blamed, I'm guessing Webber's "skillz" amounted to peeking over the teacher's shoulder to pinch his login details.
Now, I don't doubt that the prison service may have a mainframe, which runs the software to monitor prisoners, do payroll etc. but I seriously doubt that it would be on a closed network used for education in a particular prison. In fact, I seriously doubt that any "production" system would be internally connected in any way to the machines used for education.
Is there any more information available? Because I just can't see what's being reported as being accurate.
VB6, for those who are interested, has a 'CURRENCY' datatype for just this kind of situation.
Believe it or not, I've actually used it - for hardware control, no less. You laugh, but in some ways, heavily-modded VB6 using OS-level timers and calls is kind of a nicer environment than some giant managed-code behemoth which turn something like 'int x' into 'universe.galaxy->parse.system->solar().planet->object.earth.system->things->otherthings->WTF->datatypes->common_datatypes->the_most_common_datatypes_of_all.int x' or some shit.
I mean, really.
> A UK hacker behind bars for computer fraud
So the guy wasn't smart enough to not get caught, which is how he ended up in prison in the first place. Yet he thought (somehow) that a computer with the sole purpose of maintaining a secure environment would be a good target to hack. Even though once (inevitably) the intrusion attempt was flagged, the number of suspects who had the opportunity, the intent and the skills history of failure would land him in the spotlight before he could hit <RETURN>.
Loser.
@Pete 2 - You identify an IT guy trait - To not know one's limits, to see one's personal skills as "leet", to not understand that one doesn't understand enough about a subject to comment.
How many people do you see commenting here who seem to know everything about Law enforcement, physics, chemistry, energy generation, national infrastructure, etc. etc. yet still seem to have a generic job only one or two steps up from helpdesk?
He could have ordered himself an early release, but noooo. He had to change the prison menu to filet mignon, cracked snow crab, prime rib, and clams casino. It's hard to eat prison food after living the good life in the big town. Ten additional years hard labor for Homer Simpson style stupidity. Doh!
Or the standard US prison job of license-plate making - which is particularly poetic in the case of New Hampshire, which has its state motto on the plates: "Live Free Or Die".
Unfortunately I'm not sure they ever had their inmates making license plates.
They did, however, haul a member of the Jehovah's Witnesses to court for covering up 'or die' on his plates - it went to the Supreme Court before being thrown out for obvious reasons. The phenomenal irony of legally compelling someone to display a state philosophy with which he disagrees was apparently lost on the local prosecutors.
Actually, a bit of tape could make some nice modifications to that phrase...
LIVE FREE OR DIE
For existentialists:
LIVE OR DIE
For ER nurses:
IV OR DIE
For advocates of browser choice (with a partial letter cover-up):
F F OR IE
Yeah, yeah. I'll be here all week.
For those questioning how dumb the kid was for even trying to hack the prison's computer system: he is 21. That isn't exactly an age known for good judgement. And certainly not one known for thinking about consequences before jumping in.
Personally I'd like to know what constitutes "hacking" in this case. Did he use someone else's password? Although I'm not entirely sure why any training system would bother with user accounts or passwords. They should be stand alone machines as teaching an inmate how to do word processing or Excel would be a much better skill than trying to learn any kind of mainframe interface.
Honestly, I'd say that blame fully falls on whoever set up a system in which anything worthwhile at all might even be remotely accessible via the training machines. That shows a distressingly high level of dereliction of duty.
This is a case of those really responsible for the HMP Isis computer shifting the blame onto an outside IT contractor. As in who in their right minds let criminals loose on a computer and don't expect it to be hacked. Let's deflect attention from this ...
"During the five day inspection, the fingerprint-based roll call system broke every day."
I visited an open prison nearly thirty years ago where some interesting foliage was being grown in the greenhouses. It was seen as a good way to keep the prisoners nice and placid, so a blind eye was unofficially turned. The place was full of small time smugglers who'd been caught by customs, so not really the sort of place that was hard to manage.
In the grand tradition of putting the right lag in the wrong position, I know a garden shed chemist who used his prison time to get an open university degree in...you guessed it.
I also know a guy who did a few years for money laundering for an ecstasy importer, who got his qualifications at her majesty's pleasure. He now makes a very decent (and honest) living doing tax avoidance wheezes.
The mastermind convict who effortlessly hacks his prison computer - and eventually penetrates all sorts of government and law-enforcement systems to remove his own records and falsely incriminate others? It's all there in the Inspector Morse episode "Masonic Mysteries" (highly recommended if you haven't seen it).
In case you're still in any doubt, the common factor isn't a lack of IT security. It's the twits who are put in charge of the computers.