Ohio inmates built PCs from e-waste and owned the network for months

├── "This is a textbook case of defense-in-depth failure where every control broke down"
│  └── top10.dev editorial (top10.dev)

The editorial frames the story as one of the cleanest real-world case studies in defense-in-depth failure, noting that an unused switch port was live, a retired contractor's credentials were never deactivated, and e-waste recycling lacked parts accounting. Every layer that should have caught the intrusion — physical security, account lifecycle management, network segmentation, and egress monitoring — failed independently.

├── "The inmates' ingenuity makes this a remarkable heist story"
│  └── @harambae (Hacker News, 93 pts)

By submitting the BBC story to Hacker News, the poster surfaced it as a compelling caper: inmates scavenged hard drives, RAM, NICs, and a monitor from a prison e-waste program, smuggled them across the compound, and assembled working PCs hidden above ceiling tiles. The framing emphasizes the audacity and cleverness of building functional machines under constant surveillance.

└── "Well-intentioned rehabilitation programs can become attack vectors without proper controls"
  └── BBC News (BBC)

The BBC reporting highlights that the RET3 Green Initiative was designed as a job-training and recycling program, but the lack of parts accounting turned it into a supply chain for contraband hardware. The story implicitly argues that rehabilitation programs offering technical access require the same rigorous controls as any other privileged operation.

What happened

In July 2015, technicians at Marion Correctional Institution in Ohio got a Websense alert: a user account was blowing past the daily internet threshold. That was odd on its own. Odder still: the account belonged to a contractor who hadn't worked there in years. Odder still: the traffic was coming from a network switch in a training-room closet that wasn't supposed to have any machines attached to it.

When investigators pulled the ceiling tiles, they found two working desktop PCs hidden on a plywood board above the drop ceiling. The inmates had built them from parts pulled out of the prison's own e-waste recycling program — a well-intentioned job-training initiative called the RET3 Green Initiative, which let inmates disassemble donated computers for reclamation. Instead of disassembling, they'd been quietly pocketing hard drives, RAM, NICs, and a monitor, smuggling them across the compound, and assembling two fully functional machines inside a training room they had legitimate access to.

The computers were connected to the prison's production network via an unused switch port in that room, and the inmates logged in using credentials belonging to a retired contractor whose account had never been deactivated. Ohio's Office of the Inspector General eventually published a 50-page report (April 11, 2017) documenting what the inmates did with the access: they researched tax fraud and credit card schemes, generated fraudulent access passes to restricted areas of the prison, applied for credit cards using other inmates' identities, and — because they are human beings with a working internet connection — looked at a lot of pornography. They also had Kali Linux, a password cracker, and tools for self-signed certificates.

Why it matters

Half of tech Twitter reads this story as a heist caper. The other half reads it as one of the cleanest real-world case studies in defense-in-depth failure you'll ever find, because every single control that should have stopped this was either missing or misconfigured.

Start with physical-to-logical: the prison had an e-waste program with no chain-of-custody ledger. Drives and components walked out of one room and into another over the course of weeks without anyone counting parts in versus parts out. If your org can't reconcile inputs and outputs of a supply chain — even a supply chain for scrap — you don't have inventory control, you have vibes. The same failure mode shows up in datacenter decommissioning, returned laptops, and third-party vendor e-waste contracts. The Ohio report specifically flagged that RET3 had no tracking mechanism for components removed from donated equipment.

Then the network. The inmates plugged into a wall jack and got a DHCP lease on the production VLAN. No 802.1X. No MAC-address allowlist. No port security shutting down a switch port when an unknown device appeared. The prison had two network segments — a secured one for corrections staff and an "offender" segment for inmate-facing kiosks — but the training room jack was on the wrong segment, and nobody had audited it. In 2026, shops that still treat the wall jack as a trusted zone are running the same architecture that let two inmates onto a live corrections network in 2015.

Then identity. The compromised account belonged to a contractor who had left years earlier. Account lifecycle is the oldest security hygiene problem in the industry, and the reason it persists is that deprovisioning is nobody's KPI — HR thinks IT owns it, IT thinks HR owns it, and the account sits there accruing permissions until something like this happens. The inmates didn't phish anyone or crack a password. They logged in with a valid username/password that should have been nuked on someone's last day.

Then detection. The only reason this got caught was that Websense — a content filter, not an NDR — hit a daily byte cap on a single user. The prison had no anomaly baseline, no EDR on endpoints (there weren't supposed to be any endpoints there), no NetFlow review, no alerting on a ghost device suddenly appearing on the LAN. Detection-by-accident is not a detection strategy; it's a reminder that you are only catching the attackers who are noisier than your quietest legitimate users. The inmates were online for, by the OIG's reconstruction, several months before the cap tripped.
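
The missing "ghost device" alert can be approximated by comparing DHCP leases against the asset inventory per VLAN. The sketch below is an added example, not code from the OIG report or this article; the CSV layout, the inventory structure, and every name and address in it are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample: DHCP lease events as CSV (timestamp, vlan, mac, ip, hostname).
LEASE_LOG = """\
2015-03-02T08:01:11,10,00:1A:2B:3C:4D:5E,10.10.0.21,staff-ws-01
2015-03-02T08:03:40,10,001a.2b3c.4d5f,10.10.0.22,staff-ws-02
2015-03-10T19:40:12,10,02-00-5e-10-00-9a,10.10.0.87,
2015-03-09T19:42:05,10,02:00:5E:10:00:9A,10.10.0.87,
2015-03-10T07:58:30,20,00:1A:2B:AA:BB:CC,10.20.0.5,kiosk-03
"""

# Constructed asset inventory: MACs expected on each VLAN.
INVENTORY = {
    "10": ["00:1a:2b:3c:4d:5e", "00-1A-2B-3C-4D-5F"],
    "20": ["00:1a:2b:aa:bb:cc"],
}


def normalize_mac(raw):
    """Reduce colon, dash and dotted notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_ghost_devices(lease_csv, inventory):
    """Return one record per (vlan, mac) that took a lease but is not inventoried."""
    known = {(vlan, normalize_mac(m)) for vlan, macs in inventory.items() for m in macs}
    ghosts = {}
    for row in csv.reader(io.StringIO(lease_csv)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, vlan, mac, ip, _hostname = row
        key = (vlan, normalize_mac(mac))
        if key in known:
            continue
        seen = datetime.fromisoformat(ts)
        rec = ghosts.setdefault(key, {"vlan": vlan, "mac": key[1], "first_seen": seen,
                                      "last_seen": seen, "leases": 0})
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)
        rec["leases"] += 1
    return sorted(ghosts.values(), key=lambda r: r["first_seen"])


if __name__ == "__main__":
    for g in find_ghost_devices(LEASE_LOG, INVENTORY):
        print(g["vlan"], g["mac"], g["first_seen"], g["last_seen"], g["leases"])
```

Because the inventory is keyed by VLAN, a device that is known on one segment but takes a lease on another is flagged too, which is the wrong-segment case described above.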

What this means for your stack

If you work on corp IT, read the OIG report like a postmortem, because it's the same architecture most mid-size shops still run. Concrete things to go audit on Monday:

1. Switch port controls. Every access port on your physical network should either be disabled, tied to a specific MAC via port security, or gated by 802.1X. A live wall jack in a conference room that hands out a DHCP lease on your prod VLAN is a Marion Correctional waiting to happen. If you've been putting off NAC because it's annoying, the inmates at Marion would like a word.

2. Deprovisioning as a runbook, not a ticket. Tie account deactivation to the HRIS record, not to a Jira ticket someone is supposed to remember to file. Run a quarterly reconciliation of active AD/IdP accounts against current employee and contractor rosters. Every identity that survives a role change or a departure is a future foothold.

3. Physical supply chain. If you have e-waste, returned hardware, or decommissioning workflows, track components — not just assets. A "laptop" checked in as destroyed can be missing a drive. The cheapest control here is a two-person integrity rule on destruction and a logged weight or component count.

4. Detection coverage for the thing you'd never expect. The prison's blind spot was that nothing was watching for the appearance of a new device on an internal VLAN. Most corp shops have the same blind spot. Passive tools like Arkime, Zeek, or even a RADIUS log review catch ghost endpoints that EDR can't see because EDR isn't installed.
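
For item 2, the roster reconciliation reduces to a join between the directory export and the HR/contractor roster, with the Marion pattern (an enabled account used after its owner left) ranked first. This is an added example rather than code from the article or the OIG report; the field names, accounts and dates are constructed assumptions, not a real AD/IdP or HRIS schema.

```python
from datetime import date

# Constructed directory export: one row per account.
DIRECTORY = [
    {"account": "jdoe", "person_id": "E100", "enabled": True, "last_logon": date(2015, 7, 1)},
    {"account": "contractor7", "person_id": "C042", "enabled": True, "last_logon": date(2015, 7, 2)},
    {"account": "asmith", "person_id": "E101", "enabled": False, "last_logon": date(2013, 5, 9)},
    {"account": "svc-scan", "person_id": None, "enabled": True, "last_logon": date(2015, 6, 30)},
    {"account": "bnguyen", "person_id": "E102", "enabled": True, "last_logon": date(2014, 1, 15)},
]

# Constructed employee and contractor roster keyed by person id.
ROSTER = {
    "E100": {"status": "active", "end_date": None},
    "C042": {"status": "ended", "end_date": date(2012, 11, 30)},
    "E101": {"status": "ended", "end_date": date(2013, 5, 10)},
    "E102": {"status": "ended", "end_date": date(2014, 2, 1)},
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def reconcile(directory, roster):
    """Return (account, finding, severity) for every enabled account without a current owner."""
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already deprovisioned
        person = roster.get(acct["person_id"])
        if person is None:
            # No roster entry at all: shared, service or orphaned account to review.
            findings.append((acct["account"], "no-owner", "medium"))
        elif person["status"] != "active":
            used_after = bool(acct["last_logon"] and person["end_date"]
                              and acct["last_logon"] > person["end_date"])
            if used_after:
                findings.append((acct["account"], "used-after-departure", "critical"))
            else:
                findings.append((acct["account"], "enabled-after-departure", "high"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[2]], f[0]))


if __name__ == "__main__":
    for account, finding, severity in reconcile(DIRECTORY, ROSTER):
        print(f"{severity:8} {account:12} {finding}")
```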

Looking ahead

The story is a decade old, which is what makes it worth reposting: the controls that failed in 2015 — port security, account lifecycle, supply-chain reconciliation, internal anomaly detection — are the exact same controls that fail in the breach reports we'll read in 2026. The inmates didn't use a zero-day. They used a retired contractor's password and an unused Ethernet jack. If your threat model doesn't cover "motivated insiders with ceiling access and spare time," it probably doesn't cover your actual insiders either.

Hacker News 101 pts 98 comments

Ohio prison inmates 'built computers and hid them in ceiling' (2017)

Quarrelsome · Hacker News

That's some fine problem solving, albeit not the problems the prison wanted to be solved. I sometimes wonder if these sorts of people who "succeed" in these odd ways on the wrong side of the criminal fence, would have had rather successful careers had just a couple of things gone diffe

jldugger · Hacker News

previously https://news.ycombinator.com/item?id=14093970

tetrisgm · Hacker News

Excellent lateral thinking, and result driven mindset. I’m not being sarcastic either

Anonbrit · Hacker News

Nearly a decade old story now

markus_zhang · Hacker News

I wonder if those articles are from textfiles.com?
