The Technology at QPDC
by mmx3
This article is for information purposes only and is not intended to be misused in any way to compromise the security of the facility.
This article was inspired by the 29:3 article on the BOP technology.
Should you ever find yourself in here, you'll have knowledge of what is available to play with, though obviously I advise against doing so as a disclaimer. I have had no luck in the discoveries written here in terms of something useful like getting free calls or accessing the Internet, but hopefully in sharing this, if any reader does end up in this place (more likely than you think if you're caught federally and then "cooperate" - I am uncooperative), you'll have a starting point to try and further my discoveries.
Queens Private Detention Center (QPDC) is owned by The GEO Group, Inc. (Internet search things that look interesting here for more information), a company that is building more and more jails in more and more countries.
It mainly houses rats, some of whom are "criminals with hacker capabilities," not hackers, a distinction most people seem to not be able to make. The rest are gang bangers telling on their friends and immigrants awaiting deportation.
So if you end up "cooperating" with the feds, you'll likely come here to this old postal storage warehouse converted to a makeshift jail with seven dorms and a small total of 245 detainees. They do not read incoming or outgoing mail here, just a quick little look at what comes in when they open it in front of you.
Let's begin with the phones.
Phones - Mukinabaht
The phones are not labeled with any kind of model number or such, but have the traditional handheld unit that you find on payphones everywhere. That connects to a silver housing about 8x20 inches and extending four or so inches out from the wall. There's a blue button for volume levels at the top-left, next to a sign that says "1 - English, 2 - Spanish, and 3 - Vietnamese" (an option not actually available), and "All calls are subject to monitoring and recording - Global Tel*Link."
Picking up the handset, you hear: [GOTO here when you read "Resets Call"]
"For English, press 1 (place Spanish here), numero dos." So that's 1 and 2.
Let's press 9!
"One hundred seven, one hundred seven" - depending on what phone you're on, the number will be different; three phones in a row, three sequential numbers.
[Resets call, pressed 1 for English]
"For a collect call, press 0. For a debit call, press 1 (and in a different woman's voice). For debit card information, press 8."
That's 1, 0, and 8.
[Pressed 3]
"Enter the card you want to transfer funds from now." This option allows you to enter an eight-digit detainee ID number (i.e., 12345-053, where 053 is Eastern District and 054 is Southern, etc. Entering any detainee number you happen to know will allow you to know how much money they have in their account.
After that information is spoken, the phone states "Enter the card you want to transfer funds to now."
[Enters next ID]
It tells the amount remaining, then (in a third and sinister woman's voice) "Transfer funds... is not allowed. Goodbye." (The kind of goodbye you'd hear before receiving a fatal bullet to the head.)
This promptly freezes the second phone account (apologies to test subject) until the next day!
In short, this function is disabled and is only "useful" for spying on someone else's remaining funds. The second ID number I used for testing is 12346578, which, I'm assuming is a test account which always has one dollar, and no registered numbers that I know of.
[Resets call, 1 - English, pressed 2 - nothing, pressed 4]
The phone pretends to transfer a call somewhere, and then says "No calls are allowed at this time."
[Pressed 5 - same as 0, pressed 6]
"That is not an authorized number. Please try again later." (Yeah. Because with time, it might suddenly become authorized. No.)
Brief digression: Way back in the beginning of MP3 file sharing on Audiogalaxy (remember it?), you could put MP3s in your shared folder of songs that weren't available on search (such as personally recorded projects) and make them appear on search simply by searching it after putting it in the folder, instead of going through the upload process which could take not only a long time, but not even work as well. So they would "suddenly become authorized" by using my method. Right. Anyway.
[Pressed 7]
"Thank you for using Global Tel*Link's inmate phone services."
[Pressed 8]
"Local debit calls will cost $1.35 for the first minute, 6 cents each additional minute. Intra-LATA calls are 28 cents a minute, 49 cents each additional minute..."
[Pressed 9, then *, then #]
"No calls are allowed at this time." All responses are the same in the Spanish menu.
[Resets call, 1 - English, pressed 0 - collect call]
"Enter your ID and 4-digit PIN number now." [complies] "Enter phone number..." [pressed #777] [new woman's voice] "Thank you for calling the U.S. Department of Homeland Security of the Inspector General's Hotline. Press 1 for English." [Pressed 1]
This allows you to report allegations of employee corruption, misuse of (place list here), abuse, PREA, etc.
[Pressed 0, not an option given]
This will transfer you to an operator who, circa 2010, would not know where we were calling from and thus we could get her to give us an outside line. Free calls! I would imagine this does not work anymore because, like with all good exploits, everyone abused it and things change as a result.
In order to add a number to your phone list you must, stupidly, write it on an "Add Phone Number" request sheet which is then left in the podium that the CO occasionally sits at until the "phone guy" (I teach him how to fix problems, the idiot) picks it up and adds it into the server upstairs. So, if I know your four-digit PIN, I could (and this happened recently and got someone "box time," which is a lonely cell in segregation) add one of my numbers to your list, use the 3 option from above, check how much money you have on your account, then make some phone calls to some far away location.
Another exploit was having someone buy a Black Card (a calling card available at bodegas) with a local area code (i.e., 718) on it, and then the detainee would add that number to his list, call it, and be billed locally for calls anywhere because calling the card would bring you to a menu of its own options where you would enter a number to call. This too got around, was abused, and "phone guy" changed the settings in the server to disconnect calls where buttons were pressed during conversation (conversation is initiated upon connection of the original dialed number). No more calling cards.
Three-way calling occasionally works, but is not allowed. Sometimes the call will be recorded blatantly when the woman's voice announces such. I'm guessing trigger words are the cause but I have not experimented. When you call someone, what appears on their Caller ID is always different but, as a real example: 713.489.7846 Unavailable - which is a Texas area code.
When you hang up or disconnect, the phone woman says "Thank you for using PCS." (PCS?) Transferring funds to the phone is done with the commissary computer in each unit which we'll discuss shortly.
There is a small blue phone in each unit about 8x16 inches and extending out about four inches from the wall which the COs use to call each other and [Master] Control (more on Control later). They use two-digit numbers (i.e., 15). There are other line phones in other areas of the building (as an "employee" I see it all) which require you to dial 9 before the number you want to dial.
If you go to "phone guy" (write a request), you can get a print-out of your authorized phone numbers. On that sheet in the top-left corner it says "PCS/GTL."
The first column is "PAN" and shows all the numbers. The next column is "Blocked - Yes/No." Next is "Active - Yes/Disabled," then "Relationship," which says "Other" for all numbers.
Beautifully, at the bottom of the page is: http://10.200.103.25/pinpan/print_pin_basic_detail.asp?cmd=edit&pin=XXXXX053&PrintA
You know that the five X's are part of the detainee number and, as we're all savvy here, I don't need to bore you with explanations about the 10.200.103.25 or the print_pin_basic_detail.asp.
You can also have printed up recent call history which shows exactly what phone and dorm you're on/in, who terminated the call, call length, number, date and time, and of course the server's IP address, etc.
Computers - Telephasic Workshop
Starting with the commissary computers, of which there is one in each of the seven units here, I'll describe all that I'm able to about all the computers I've seen/played with.
So on the wall housed in a black/gray box with two black circular locks (similar to an elevator keyhole) is a 13-inch touchscreen which, when not in use, has an interesting screen saver. At one second intervals for a total of six, different colored portions of a circle are filled in until the fifth second when it displays Cobra Kiosk.
If you touch the top-left corner, you can freeze in place a nice color pattern, as I strangely like to do particularly when there are blue and green colors - which we do not see otherwise. Holding the top-left corner does not result in a menu. The satellite (I refer to any PC in a network connected to a server as a satellite - I just like to!) is powered by a three-pronged white cable which, if you unplug then plug in resets the machine which then reveals a black screen with Dell, then a Windows XP screen, then a blue screen with HP top-right, then a Windows XP Embedded screen, then a white screen with a Start button on the task bar below which cannot be engaged with touching.
So this is the Cobra Kiosk.
Underneath in part of the housing in a recess is a fingerprint scanner which says TouchChip on it.
So the order of operations to gain access is: touch the screen (displays two tabs - "Cobra Resident Services" and "Exit").
[Pressed "Cobra Resident Services"]
This goes to a language selection screen with date and time at top-left: English, Creole, French, Hmong, Spanish - a strange assortment. There should be Russian and Chinese since there are so many of them here.
[Pressed English]
You are presented with two tabs: "Facility Information" (unavailable) and "Cobra Kiosk Login".
[Pressed "Cobra Kiosk Login"]
You are shown a keypad with 0-9 arranged like a phone pad with tabs under it for Cancel, Continue, and Backspace. Here you will enter your eight-digit ID number, hit "Continue," then place your finger (one that you've assigned to the machine's memory) for verification, then do your business. But ahh..., not so fast. We were given the opportunity to enter numbers on a screen! Albeit entirely useless to do so, here is what I've found.
The keypad allows you to enter up to 15 numbers. That's 15 zeroes through 15 nines - one quadrillion possible entries! Ouch! Well, I found a few after months of endless boredom. If you enter eight zeroes, or seven zeroes and a one, then hit continue, it says "Account has been suspended!"
These used to take you to an "Enter Date of Birth" screen - which seven zeroes and a two now does. The format is XX/XX/XXXX and is satisfied by means of entering numbers with the pad, obviously. I've found no birthday which allowed me access, but the computer will allow infinite guesses.
Seven zeroes and a three takes you to the fingerprint scan screen. Presumably, none are registered as I receive a "No Match" screen.
Entering 15 ones used to go to the fingerprint screen, but that is now suspended as well. I've found nothing else worth mentioning. I told "phone guy" about all these, thinking he would be in the know, so of course he wasn't and thought I was smart for finding it - duh-weeb.
I'm guessing that the satellites are connected to the same server as the phones as this is how you transfer funds to your phone account.
The option to "Order Commissary" is offline from midnight Tuesday until noon that day. Commissary comes from Swanson Services Corp., the Delaware Service Center, and this time offline is when the orders "go out" - which tells me that some work is done manually to facilitate the transfer of accumulated orders through the Internet.
One time they were updating pricing and on the screen in the unit we could see exactly what the programmer (assumed) saw on the server's desktop. He flew through the folders until he got to some script which appeared to be SQL (too quick to get a good look), scrolled down, and edited it at light speed, then issued a reset. I did not have pen or paper at the time, so I have no notes for this.
Logging in normally (finally), allows you to do one other very useless thing. On any screen if you touch the top-left and slide your finger slightly, everything becomes highlighted in blue as if "Select All-ed." You can then drag everything up about half an inch, allowing you to do absolutely nothing else! I know, such excitement. We don't need to detail what you can buy as that's very boring, but you can view receipts for past purchases and deposits, buy food, notepads, sundry, blah, blah, blah...
Next!
There are five computers in the law library. Three are wall-mounted touchscreens (satellites!) connected to a Dell PowerEdge T110 standalone server in the next room which we don't go in. On those screens appears TST Touch Sonic Technologies, subsidiary of Touch Legal, Inc. running on Windows 7 Professional.
The touchable tabs on the screen are LexisNexis Law Library, Lexis/Nexis Video Tutorial, reference tools, and an inmate reference document tab.
If we touch on the video tutorial, it brings up a Windows Media Player on the right with one choice of video on the left. If we hold a finger to the screen on the player, a menu appears, at the bottom of which are Options, Details, Help, etc. When Help is tapped, it brings you to the WMP help dialog screen, where you then click on an online link, then interrupt it to go to the desktop. All sorts of fun to be had when you can access everything in the computer unhinged. Unfortunately, none of it equals Internet capabilities. It is physically not connected to the Internet.
There is a desktop for printing legal and personal letters. Some people try to hide their files by changing the viewable files in folder options. Bums! There is another desktop for viewing discoveries (evidence pertaining to your case). The two desktops end up getting messed up from idiots who don't know how to do anything with a computer, but proceed to play with it anyway, and get switched out often, so to describe anything about them is senseless. Right now, there is a Dell and a Compaq that look like they came straight from the shelf at the local Best Buy, running Windows 7 and XP. There's nothing fantastic, no connections or special programs. The discovery computer though, thanks to the best exploit pulled yet - which I've shared with no one but you dear reader - has been instrumental to my sanity. Details in a moment ("patience, Iago").
Around the facility are a few more Dell Dimensions with Internet access (medical, intake, etc.), none of which I've been able to play on.
There are two printers in the law library - a Brother HL-2270DW Series with 802.11b/g Wi-Fi and an HP LaserJet P2035. Boring. You probably know all about the Brother printers and the minimal fun you can have with it.
Cable Boxes - Chromakey Dreamcoat
Each unit has two cable boxes, Samsung SMT-H3050s. They suck. When you use the "B' button on the remote to try and search for shows, pressing the "D"-cursor too quickly sends the box into panic mode, where it brings up a diagnostics screen. Here you can scroll through 22 screens of information, including the box's IP address and uber-tons of other I-don't-know-data.
Other dorms have different boxes, some with USB 2.0 slots. Some people have had flash drives with cheap Dominican porn on them that used to circulate. That covers the cable.
Control - Into the Rainbow Vein
Control is a well-guarded room in the center of the building.
In it is a row of monitors for the 60 plus cameras around the building and three touchscreens with Windows interfaces. These control the doors and cameras in the entire facility, except for one door - the front one - which is manually opened with a large, flat key. On a CO's radio (walkie-talkie) he/she will announce "Control, door 30" and an officer in Control will touch door 30 on the screen and it will open. The lock mechanism slides downward on an angle, retracting into the door frame. It will pause and then extend back into locking position. If you miss it, you radio again or press a button next to the door on a silver intercom box and Control will hit the door.
The computers in Control and the Dell in the Tour Commander's office (where the T110 is next to the library) are connected to each other, allowing them to review footage of fights or whatever else they need to look at.
As far as I know, the system to control the doors is closed to outside connections. However, as mentioned (I did mention it, I think?) the TC's PC is Internet accessible and it is connected to Control. The only link unknown is whether it connects to the touchscreens controlling the doors. If so, and this wouldn't surprise me, then the system can be compromised and controlled externally.
Now wouldn't that be ridiculous if suddenly all the doors just started constantly unlocking? The chief of security here watches the cameras from home via the Internet. It's not unrealistic to think that someone outside could take control of the doors and cameras and arrange one's escape. However, there two armed marshals in a white van 24 hours a day that patrol the perimeter.
Do not screw around with this information, lest ye cross the line from hacker to criminal, feel me?
Best Exploit - Open The Internal Eye
"Dear discovery computer, me and you have shared some very intimate and secret times together. Thank you."
No one knows what I am about to write about. The discovery computer is where one goes to review text, audio, and video of evidence in their cases, usually recordings made by informants who were wired. They come on DVDs or CDs which go to classifications where they sit until they call the detainee to come to the library to review it. You bring your headphones and plug into the 1/8-inch jack and get busy.
Of course, you know where I'm going with this, right? What? Review other people's discoveries that were automatically or idiotically added to the computer's memory? Hell no! Who the hell cares about that?
In this wasteland, all we have is a radio; no MP3 players or CD players.
So I simply had a friend outside make an MP3 disc of my favorite new and old music (Boards of Canada - Geogaddi, Wormed - Exodromos, Autechre - T ess xi, Cryptopsy, Arovane, Iron & Wine, just to name a few for you to check out), had him label the disc with my full name, my ID number, and "discovery" on it, put it in an envelope that was labeled with my attorney's return address, the address of the facility with my full information, and the words "legal mail" all over it.
When this "legal mail" comes in, only I can view the contents of the disc. So here I am writing this article for ya'll, in jail, listening to the new Ulcerate album (which is maniacally technical, abrasive, and brutal). Anyone who comes in here while I'm doing this thinks I'm taking notes on my case!
One Very Important Thought
I cannot end this piece without mentioning a more consistent variable that helps me get through this time.
The radio, diminutive though it may seem, provides me with Off The Hook, which is brought to us all by WBAI and WBAI.org. Everyone outside the New York tri-state area can listen online, and so technically can those of us within range, but, radio is an extremely important medium in reaching people more broadly. It is more easily accessible while walking, working, or driving and carries more of a punch when political, conspiratorial, medical, etc., views that are not shared on mainstream radio can still come across New York City because of WBAI.
The things that we all read and write about in these very pages and more are always discussed on air here. Therefore, as a community, it becomes our responsibility to help support platforms that provide stages for the sharing of important topics and issues.
WBAI is listener supported radio and depends on the contributions of its listeners for it to continue to provide coverage of topics that will never be discussed elsewhere. Right now the radio station is in some very tough financial times and I'm sure that Big Brother is trying its hardest to get it off the air as well somehow.
Knowledge is power, the kind of power that the feds do not like.
This station is a hacker's platform on many levels. I ask the readers of this article, which of course was inspired by 2600 but even more so by WBAI and Off The Hook and the weekly reminder it is to me to be a functioning part of its existence, to consider making a contribution - even if you haven't listened to the station - at WBAI.org.
Support the scene however you can! Thanks for reading!