A former prison inmate has been ordered to serve 18 months for hacking the facility's computer network, stealing personal details of more than 1,100 of its employees and making them available to other inmates. Francis G. Janosko, 44, received the sentence earlier this week in federal court in Boston after pleading guilty to the …
would love to know the sophistication of his hack.
was it just holding down the shift key when turning on the client or did it involve some cleverness?
I think the guy got it wrong.
Aren't lags supposed to spend their time planning to break out, not in?
Hah, nice move, Francis! Cheers!
Yes, he 'hacked' a prison service computer but knowing what I do about public service tech solutions, I very much doubt it was a tough job. Child pornography and harassing an underage girl, however, not quite such a nice move (and best not to advertise your business with those sorts of comments, eh Deneva?)
Who set this system up?
Prison full of criminals? Who'da thought that?
Perhaps the sys admin might have taken that into account?
Add a few more years to his sentence
Looks like a career criminal to me that needs to spend more time in prison than 18 months.
The inmates just wanted to send the employees a few Christmas cards.
Seriously, considering the potential for harm I think he got off very lightly.
Like all Govt run/funded organisations, anything is always done on the cheap and this is the result - false economy.
That they would have anything that inmates had access to hooked up to the internal network... Pretty bloody obvious security risk!
Why is it...
... that governments across the world create mostly "open" systems, and then blame everyone else for getting access to it?
Why are they not going after the guys who are maintaining their prison servers / clients, and making sure those *idiots* go behind bars. That would serve the IT community right, getting rid of nitwits.
OK, the guy should not have paraded the details around, espec to prison folks, but hey, you can't blame him for getting access to poorly secured data...
I wonder what the hack was?
I mean, in prison, no internet access, thin client, this is going to be a pretty crap 'hack' I expect - URL manipulation and network topology guessing?
No, that was naughty, he oughtn't have done it, and he oughtn't've shared the results, but by golly it was a bit of mental stimulation at least. I admit I'd probably have done the same once I had realised I could in the same position. And assuming people won't explore one of the few terrains available to them to explore is hardly responsible security for sensitive data.
TBH if i'm bored and happen to be sitting in front of a computer system, i tend to have a little poke around the network as well out of curiosity over how well set up it is...
if someone was able to gain unauthorised access to sensitive data without having to authenticate, blame the network admins/software provider/whoever set up the system (and if they got someone's password, blame the user whose password he got... as well as the idiots who allowed that password to work from inmate computers)
that a prison system, accessed by inmates, would be locked down like a naughty gimp in a box, & the inmates would be on a separate network with powerless user accounts etc.
Security is expensive
There is a trade off:
- Cheap, insecure system
- Expensive, secure system
People say "Oooh, my PC at home cost £299 from Tesco and I have £10/month broadband, why should a [prison/business/NHS/national identity database] system cost any more?". And it's very hard to sell people on the benefits of security - they say (perhaps correctly) "it's unlikely to be a problem".
And if it _is_ a problem, then it's blamed on the "hacker", or the poor underfunded sysadmin. It's never the fault of the people in charge, who didn't provide funding for a secure system.
A copy of the indictment can be found at http://www.securityprivacyandthelaw.com/uploads/file/Janosko%20Indictment.pdf and has a more detailed description.
Among other things, a piece of paper was found in his cell containing a username and password to the prison management system.
Because it was stated that the servers he accessed were "used in interstate and foreign communications", it became a felony offence.
You see a lot of dumb terminal or remote access setups where you just access a windows machine through rdp or citrix, and are only supposed to gain access to certain applications. I have never encountered a situation where it wasn't possible to easily run other programs... the windows interface and userland apps were never designed with any sort of security in mind, they were mostly inherited from the 9x series of windows and bolted on top of the nt kernel (which by itself had a pretty decent security model).
@ Why is it...
If they fired the company in charge of network administration, they would probably have to hire the company in the number two position in the original bid who, naturally, would charge more money for their services.
As it stands, said company will most likely fire some low-level tech from their staff, plug the security hole which was exploited, and keep rolling along - business as usual.
Escape key 'cuz - well, what does anyone in a prison want to do?
Welcome to Mass.
The IT contract either went to the nephew of someone at the prison, or the IT firm that has been bribing State Senators for contracts :)
Most prisons are underfunded, it's no surprise that their network security model would be underfunded. I'd likely prefer that over, oh, I dunno, a massive prison breakout?
Then again, all those prison workers gotta be pissed at their employer, because now they're liable if any kind of identity theft comes out of it, as it was their system that exposed them to risk. Let's see here... we can spend $100,000 on a secure network, or $5,000,000 cleaning up the mess because we didn't.
It's hard to put that kind of perspective into upper management's heads. They always look at the short-term bottom line. When you try to sell them on a $5,000 printer that will last 10 years, they don't understand why you can't just go to office depot and get one that costs $40.
18 more months to do a truly inhouse security survey. Thumbs up!
Why do inmates have access to any computers at all? Shouldn't it just be a telephone, toilet and bed? I thought the point of them going to prison is so that they could reflect on what they've done.
Was it just a JailBook status update?
- banged up
- still banged up
- the hairy guy winked at me in the shower block
Prison governor denies responsibility
Reuters: In a press conference yesterday, prison governor O. Pensesame denied responsibility for the gaffe and put the blame on a "small criminal element" that had "somehow got into our prisons and is intent on causing trouble."
Mine's the one with the file in the pocket.
Janosko parole violation
> Janosko was imprisoned in 2006 for a parole violation following a conviction on child pornography charges ..
Is there any verifiable citation for this or are they merely trashing his reputation on top of the hacking charge?