Max security inmates help lock down prison network

With 23 hours a day to test the system, inmates serve as a red team

When the Colorado Department of Corrections designed a high-speed network to deliver services to the cells of prisoners who are locked up for most of the day, they needed to make sure it was secure.

“We kept it very open and simple,” said John Jubic, the Department of Corrections’ end-user solutions manager. “The security behind it isn’t simple.”

As it turned out, when the facility opened in September 2010, the prisoners were both a security liability and asset. “They were our beta testers,” Jubic said. “With 23 hours a day to work on it, they broke it a lot.”

At the user end of the system is a hardened, metal kiosk that houses a thin-client computer in each cell, with a keyboard, mouse and headset for the prisoner. It connects to a 1 gigabit/sec network and authenticates through a RadiantOne Virtual Directory Server that authorizes access for each prisoner based on a profile in the prison’s management system. The network is isolated from the Internet, and services hosted outside are delivered through reverse proxy servers. Prisoners receive virtual visits in their cells from friends and family through the kiosks.

The Department of Corrections stripped functionality from applications such as a soft phone for voice-over-IP telephone service. Keyboard functions were locked down for prisoners through group policies. But prisoners still found holes in the system.

Although the prison is a maximum security facility for administrative segregation — basically, solitary confinement — not all of the prisoners are violent offenders. “They have done something” within the corrections system “to earn their way here,” Jubic said. They also have a lot of time on their hands. “You give somebody 23 hours a day to bang on that keyboard.”

For instance, the inmates discovered that if they opened more than 200 windows in Internet Explorer at a time, it would cause a buffer overflow, Jubic said. “Once they caused the buffer overflow, group policy stopped completely,” and access was restored to additional function keys on the keyboards.

At one point, the prisoners accessed the virtual visitation system and made video visits to one another.

The prisoners never got outside the system to access the Internet, and new scripts were written to harden security. It has been several months since prisoners have breached system security, Jubic said.

The Colorado Corrections Department learned a number of lessons from standing up its in-cell services program. On the security side, keep the client thin to minimize the impact of security breaches. The Colorado system uses a Citrix Provisioning Server to load a fresh operating system image every time the computer is booted up. “You don’t want to do it any other way,” Jubic said. “If they beat you they can change things,” and refreshing the OS limits the impact.

Also, put functionality in the hardware when possible rather than the software. The initial solution for delivering television service to the kiosks was browser based and downloaded an executable to display the video. “I would not buy a product that works like that,” Jubic said. “Put the executable on the PC itself.”

On the administrative side, leverage existing systems so that administrators do not have to duplicate records or migrate data. Any extra work created by a new system will create resistance from the staff, Jubic said.

And finally, “take your time building it,” he said. Test everything and keep applications separate. This is an area where virtualization is a virtue. “If you virtualize your apps, it makes it a lot easier.”

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Jan 10, 2013

I agree, Texas. For them to be able to watch movies and play on the computer like I do, and I pay for, is ridiculous. I just read an article about an Ohio prison showing violent movies and I just don't think they should get that PRIVILEGE at all! Some law-abiding people can't even afford TV. I think this is pure crap.

Mon, Jun 6, 2011 Gary

I guess none of you read the part about not being connected to the internet. Inmates are still allowed by law access to visits, law libraries, and libraries in general. It makes their incarceration cost less since people don't have to staff their movements to services and libraries, and CO DOC doesn't have to pay guards to watch libraries. Given the proper safeguards and lack of internet connectivity, I think it's a great idea: it improves prisoners' demeanor, saves money and meets legal requirements. If you read the article, you'd realize we aren't teaching them how to hack, nor are they being employed to do so; it was CO DOC learning lessons from them. Think outside the box on occasion, it doesn't hurt.

Thu, May 26, 2011 Rusty

These are maximum security prisoners, the worst of the worst. Most of them are killers or baby rapers, and they get TV and video conferences with the people they want to. So soon they will be stealing people's IDs and hacking into people's credit cards and just more mayhem like they did before they were jailed; also, these people did things in prison just to get sent here. I can see bad stuff happening soon.

Thu, May 26, 2011 Mark Belton, Tx

Why are these losers in life getting computers? They need to have a sledgehammer to make rocks into gravel or something like that. We, the people, have to work too hard to have computers & internet, while these criminals get them for free. Complete BS.....

Thu, May 26, 2011

So these criminals get experience hacking systems so when they return to society they can put these skills back into use, for good or bad?
