The Man Who Hacked the Bank of France
First time accepted submitter David Off writes "In 2008 a Skype user looking for cheap rate gateway numbers found himself connected to the Bank of France where he was asked for a password. He typed 1 2 3 4 5 6 and found himself connected to their computer system. The intrusion was rapidly detected but led to the system being frozen for 48 hours as a security measure. Two years of extensive international police inquiries eventually traced the 37-year-old unemployed Breton despite the fact he'd used his real address when he registered with Skype. The man was found not guilty in court today (Original, in French) of maliciously breaking into the bank."
amazing (Score:5, Funny)
Hacking? (Score:5, Insightful)
If this is "hacking" then opening an unlocked front door by turning the handle is lock-picking
Re: (Score:2)
No, it is not lock-picking
But it still is unlawful entry (depending on the circumstances).
Actually depends on the jurisdiction; for example, here in the UK it's not a crime as long as no damage is done. Look up squatters' rights if you don't believe me.
Re: (Score:2)
The UK isn't really a jurisdiction (it's 3). And they're not so much "squatters' rights" as "things are legal unless expressly illegal". There aren't any specific "squatters' rights", although there is the issue of adverse possession (see below). In this case, it would still be trespass, but not automatically a crime (if no damage is done) and if there wasn't any squatting.
In England, squatting in a building being used as a dwelling has been a crime since at least the 70s. Due to issues of squatters in peop
Re:amazing (Score:5, Insightful)
The surprising thing about this story is the court in France was found not guilty. In the United States of Amerika he would have been sentenced under the anti-terrorism laws. The person responsible for IS security at the Bank of France, however, should be terminated with prejudice.
Re: (Score:2, Funny)
The surprising thing about this story is the court in France was found not guilty
Why is that surprising? Are courts in other countries routinely found guilty?
Re:amazing (Score:5, Insightful)
i have the same combination on my luggage!
It's a bit harder to defend breaking into your luggage than randomly dialing phone numbers and entering what is widely considered a "default" password in to get access. In the former case, it's reasonable to conclude that, regardless of password, if your luggage has a lock on it, it's meant to be private. In the digital world, however, access control mechanisms frequently are assigned a default password because the access mechanism itself is integral to the system -- i.e., you can choose not to put a padlock on a door, you can't disable the login screen. In the minds of a lot of people, assigning a password of "password", "1234" (or variant), "letmein", or "admin", is equivalent to not putting a padlock on a door.
In other words, it's not breaking and entering if you leave the door to your house unlocked. It's simple trespass and there are numerous legal defenses and excuses for that. The French court merely (and correctly, IMO) said there is an electronic analogue to this legal reasoning. That said, change your luggage combo dude, or I'm klepto'ing that Hawaiian shirt you love so much. :P
Re: (Score:3)
Only on Slashdot would an offhanded Spaceballs reference be replied to not as the joke it is, but as if it were an analogy and critique of whether there was any real break-in or not.
In any case, the article is in French, and I'm sure as hell not going to trust an automated translation engine to interpret what happened. I will point out that in most countries (No idea about France) intent is required to commit a crime.
123456 = no password intended (Score:4, Insightful)
I can tell you're one of the people who simply don't get the IE/Apache "do not track" square dance.
If the client has no ability to suppress the password screen, it's not much different than Microsoft setting a global "do not track" attribute that was intended to reflect an explicitly activated user preference, which renders it meaningless.
The closest you can come with many software packages to explicitly leave the door ajar (since you can't disable the password screen completely) is to set the password to 123456 or ftp. The latter is considered obscure.
Among those with strong presumptions of security competence, typing 123456 is the moral equivalent to checking whether This Door Is Intentionally Left Ajar.
Among those with no presumptions of security competence, no signal exists which reflects end-user discretion. This of course soon degenerates to the tyranny of the social machine. Check out the Barry Schwartz TED talk if you don't believe me for the episode on Mike's Hard Lemonade. Social services terrorized the child and they all knew (or strongly suspected) that it was all a big mistake.
Re: (Score:2)
The closest you can come with many software packages to explicitly leave the door ajar (since you can't disable the password screen completely) is to set the password to 123456 or ftp.
Setting the password to blank is probably a tad bit closer.
Re: (Score:2)
Perhaps the error is in the password output itself. It just asks for a password, it doesn't provide any warnings, it doesn't sufficiently suggest a restricted site, keeping in mind this is going to a casual end user often not paying much attention to what they are doing. Often poorly designed sites stick up password screens and tell people to use the default password as part of a free trial, with the free access default often 'password' or '123456'.
Poor security is inherent in design and application, lack
Re:amazing (Score:4, Informative)
If a reasonable person would consider the house not to be a place of public accommodation, then opening the door and walking in is sufficient for a B&E charge. The defendant can offer a defense by claiming he is an invitee or that he had reason to believe such, but he has the burden of proof if the act itself is not in dispute.
Convicting someone of a crime requires three elements: Intent, knowledge, and the act. All three ordinarily have to be proven before someone is guilty. If you were taking prescription drugs, for example, and experienced memory loss and confusion as a result, and through no fault of your own walked into the wrong building... there's no intent. No crime was committed. Then there's knowledge; Say you did intend to enter the building, but didn't know it was private or off limits (for example, at the mall you're looking for a bathroom and open an unmarked door into a private "secure" area). You're caught by a security guard. You intended to enter, but you couldn't have known it was wrong to do so. No crime was committed. And then there's the act of entering itself -- self-explanatory.
So that covers the three main elements of a crime: You have to prove all three for someone to be guilty. Now, let's say you've managed to prove all three elements. Good for you! Now we get to discuss defenses and excuses. A defense is something where the act itself would normally be considered criminal, but the circumstances make it justified. For example, normally punching someone in the face is assault, but if you had reason to believe you were in imminent danger (whether or not this is true), you can (in most jurisdictions) strike first. You had no choice, you had to respond. An excuse is when you had a choice not to commit a criminal act, did so anyway, but the response was socially justified. For example, if you saw a child being attacked by an adult: You have no obligation to intervene, but most people would. What you did was socially acceptable then.
Now that we've finished my Really Condensed Intro To Criminal Law, let's discuss your assertion: Mere presence in someone's (unlocked) house is breaking and entering. Breaking and entering is not a crime of strict liability. Strict liability crimes are ones where only the act itself has to be proved; For example possession of stolen property. It requires intent -- intent in this case is the breaking part.
In some jurisdictions the use of force can be as simple as pushing open a door, in others it needs to be prying open a window or picking a lock, etc. It can also be threatening someone; The definition varies, but you get the idea. Typically, however, the room itself can't have been open to enter; a door without a lock mechanism, or a door left open, or a door left unlocked, in some jurisdictions it doesn't constitute a use of force to open it and enter.
Secondly, there has to be knowledge that the residence is used primarily for habitation -- not occasionally. There are many buildings you'd consider a home that people don't live in. Executives and CEOs often have houses that are used only to host parties, and are built as such. They are zoned residential, but that's not the purpose of the house. To constitute breaking and entering (also known as burglary), you have to have been able to reasonably conclude it was primarily used for habitation. And then there's that pesky issue of it being unoccupied... and that in some jurisdictions it has to take place outside regular business hours.
All of those conditions have to be met for the act itself to be considered burglary; Otherwise, it's a different crime (or no crime at all).
If there was a sign saying "Private property", or "Authorized personnel only", or "By invitation only", then you'd be correct. But most people's homes have no such sign. It's just a building; And there's no way someone could know ahead of time the intent of the owner, or even whether it was public or private property
NEVER NEVER NEVER (Score:1)
The lesson to be gained from this is:
Never hire someone who has a degree.
Their heads are wedged up their asses, and held in place with sheets of parchment.
Re: (Score:1, Funny)
In space, luggage combinations have 5 numbers.
Re:amazing (Score:4, Funny)
In Hyper Space, luggage has 6 digits.
Sure it is (Score:5, Funny)
Luggage is four numbers. You cannot have six numbers.
Sure it is. You just start working backwards after you reach the fourth number.
It's a brilliantly easy way to remember
1265
Re: (Score:1)
Go watch Spaceballs you insensitive clod.
Re:amazing (Score:5, Funny)
Three digits on the lock on the left, and three on the lock on the right, makes 6 digits on my luggage. I had been trying to open it for years, unsuccessfully, and guess what!
He just used a German name... (Score:4, Funny)
and the French bank raised its arms in defeat and let him right on in to loot and pillage.
Re: (Score:1)
When it stops being funny. No one laughs about William of Orange.
Re: (Score:2)
You might want to check out either the video or book version of "Sharpe's Waterloo".
Re: (Score:2)
Dunno, with that name he cannot even complain if someone calls him a fruit.
Re: (Score:2)
Although I laughed at your joke I do wonder if or when we'll let that go.
That meme will be around as long as human beings need someone to feel superior to. I.e., forever.
Re: (Score:2)
Especially if there is no real support for feeling superior, it's always nice to have a stereotype to fall back to. The part of the U.S. that makes jokes about France surrendering seems to be in a dire need to feel superior.
Re:He just used a German name... (Score:4, Funny)
When the frogs repel an invasion. So never.
Re: (Score:1)
So you're more of a San Francisco gay bar macho man, eh?
Re:He just used a German name... (Score:5, Funny)
Heaven forfend that anyone should resort to stereotypes in a thread about a "the French always surrender LOL" joke.
Re: (Score:2)
If these ignoramuses would read a little history, they would learn you should mock the French for relying on the Maginot line, not for surrendering.
Yeah, but they set the admin password to the Maginot line to "123456."
Re: (Score:2)
Phew, at least it wasn't the same as the top secret US nuclear missile lock code of 00000000 [blogspot.com].
Re: (Score:2)
I'd say last time French got a heavy victory was Poitiers (732).
<cough>Napoleon</cough>
Re: (Score:2)
May I be present when you discuss that with a Corsican?
Re: (Score:2)
France was involved in about 1400 wars since the High Middle Age. And it managed to survive until today. (Next in line is Austria with about 600 and Brandenburg-Prussia with 550).
They wouldn't have if they didn't score one or two victories.
Re: (Score:2)
Napoleon was Corsican and was born a year after the Genoans transferred the island to France. His parents weren't French. He wasn't of French stock.
Re: (Score:2)
I'm not sure what your point is. Are you saying that, say, the Battle of Austerlitz was not in fact a victory for the French, because the parents of the French emperor had not been French? If you don't consider that the French were the victors at Austerlitz, then who were the true victors? The Genoans, perhaps?
Re: (Score:2)
Oh yeah, right, an Italian war hero. What's next? A British Chef? A US diplomat? A female Russian athlete? A Chinese able to pronounce an 'R'? Or a German comedian? A Mexican worker? Or a quick witted Canadian?
Did I forget a stereotype or does that cover most of it?
Re:He just used a German name... (Score:4, Informative)
There were a lot of people in France that did more than that. They stood up for other people. It was called the French underground.
Re: (Score:2)
Underground? Great. Even when they resist occupation they keep their heads down.
Re: (Score:2)
France survived 1400 wars in the last 600 years. The French obviously know how to stand up for themselves.
Re: (Score:2)
But that's beside the point. The French underground did exist, if I can believe 'Allo 'Allo.
This reminds me of the time (Score:5, Interesting)
At high-school, someone set a network share as IE's homepage and when I logged in and launched IE I got in trouble for it.
Oh, and permissions weren't even properly configured on the share, but they could read logs apparently.
Re:This reminds me of the time (Score:4, Interesting)
I got into trouble at a job once (customer service), because I shared a folder on my hard drive with read-only access for everyone. Somehow, they noticed it was being accessed from the Internet. They suspected me of stealing valuable company data. I had to point out that the contents of the folder were publicly available, and I had only shared them as a convenience for my coworkers. I also tried to point out the idiocy of allowing MS file sharing protocols across the firewall, and assigning public IPs to end-user workstations, but they didn't listen. They had an MSCE on staff who knew all about that sort of thing, and I was just a customer service rep. I quit a short time later.
I still get kind of mad thinking about it, but I am sure they are long gone, as the entire industry moved overseas shortly thereafter. This was in the 90s.
Re: (Score:2, Interesting)
I got suspended for a week for deleting some 2000+ expired cookies from a machine. A librarian/student saw me, thought God knows what, and reported me for "hacking" and the like.
Naturally that was a more severe punishment than the time I found spreadsheets of all the district's students' and teachers' information - names, addresses, birthdates, SSNs... On a public share, of course. Reported it to a teacher I trusted and I'll bet the files are still there today.
Re:This reminds me of the time (Score:5, Interesting)
I once got a stern talking-to by the journalism teacher when I replaced the standard Mac OS startup screen with a custom image of a badly-drawn bomb (we're talking paintshop in the early 90's here) and the message "this system will self destruct in 10 seconds." Someone outside the department had sat down to use the computer for a minute and apparently panicked when they thought the computer had been turned into an actual bomb.
Re:This reminds me of the time (Score:4, Insightful)
He didn't get detention for messing with the teacher's file, his crime was much more serious: Exposing teacher stupidity.
Re: (Score:2)
The sad thing is: it ain't so.
Don't confuse ignorance with stupidity.
Or do, if you like. But in the meantime, how about you program my VCR for me with this unmarked remote? It won't matter that the UI is in Mandarin, will it?
Re:This reminds me of the time (Score:4, Interesting)
While we're waxing nostalgic, I remember when I was in middle school and wanted to start a computer club. And so I did. There were only 3 or 4 of us, and things went ok for the first year.
Next year rolls around and we have to find a different teacher to sponsor the club, and so we do. So we showed him how we were accessing qbasic, and he sat in every meeting (more like coding session) for a whole semester.
Then one day, we're all in deep doo-doo. We're being told we're lucky that they didn't call the FBI on us. Our crime: using a netware command to allow a file to be opened by multiple users (or something inane like that). Well, so it seemed logical to appeal to the teacher sponsor since he had just spent 5 months watching us "hack the network," and suddenly he didn't know anything about it.
Lying bastard.
The real kick to the nuts was years later there was a blurb in the newspaper about how a girl (omg a woman in computers!) had founded that school's first computer club. The netware administrators who had their panties in a bunch about my club's activities were all female. I guess I just didn't have the right body parts back then. Just goes to show that men aren't the only gender capable of being sexist pigs.
Re: (Score:1)
Boy, that escalated quickly.
Re: (Score:2)
Well, you have to admit, the logical leap from "using IE" to "getting some wood stuffed up your arse" isn't that big.
Re: (Score:2)
Modern flutes are rarely wood.
That is not reasonable security (Score:4, Interesting)
In the US I think we'd have class action lawyers going after them immediately for lack of security due diligence. They would deserve it, too.
What's the EU equivalent action?
Re:That is not reasonable security (Score:5, Informative)
In the US I think we'd have class action lawyers going after them immediately for lack of security due diligence. They would deserve it, too.
Oh, you mean like when Gary McKinnon [wikipedia.org], who similarly walked into unsecured US military and NASA computers. The difference - oh yes, no one noticed for ages!
Re: (Score:3, Interesting)
In 2006, a Freedom of Information Act request was filed with NASA for all documents pertaining to Gary McKinnon. NASA's documents consisted of printed news articles from the Slashdot website, but no other related documents. This is consistent with NASA employees browsing internet articles about Gary McKinnon; the records of such browsing activity are in the public domain. The FOIA documents have been uploaded to the internet for review, and can be downloaded.
Re: (Score:2)
A strike!
Re: (Score:2)
Knowing the EU, I guess the equivalent action is to pass a law (sorry, a "guideline") immediately that makes it illegal to try default passwords on machines, and doing so makes you a hacker immediately, essentially turning the table around and making the culprit the victim and vice versa.
Why! These thieving banksters.... (Score:3)
NSFW link (Score:5, Funny)
Re: (Score:1)
Damn you! I couldn't resist opening the link now that I know it is NSFW. Now I have sinned by RTFAing.
Note to editors: how to get /. to read the article (Score:4, Insightful)
Just knowing the article (sidebar?) is NSFW probably resulted in an order of magnitude more /.ers clicking through the link.
Re: (Score:2)
Shit, that is the only reason I clicked on the French link, it's not like I can understand the language.
Re: (Score:2)
They're actually Ukrainian women.
Re: (Score:3, Insightful)
Really, this is NSFW for you guys? Time to move back across the pond...
Re: (Score:3)
You're forgetting that the female breast is a highly offensive body part. In fact, if children under the age of 2 are exposed to the uncovered female breast, they could be traumatized for life.
1 2 3 4 5 6 (Score:3)
Ha! Another chapter in great security waitasec, that's my password, too...
I remember back when some clowns in Milwaukee, the 414's, wanted to sell their story to Hollywood for a movie, books, etc. All they did was use default passwords on DEC systems to log in ([1,2] was SYSTEM unless you changed it on first day.) Even our Digital field techs would set the Field Service operator account password to DECAPR, DECMAY or whatever the month was.
NSFW (Score:3, Informative)
NSFW photo in sidebar, thanks to Femen.
Holy Crap . . . . (Score:2)
Why is there no liability on the part of the Bank? (Score:4, Interesting)
The idiot that initially typed in that password should be the one charged in this matter. It would have been more secure with 'Joshua' or 'CPE1704TKS'.
And yes, I am being sarcastic. Those passwords suck too.
Re: (Score:2)
Maybe it was a random 6 character password from the entire UTF16 space?
Re: (Score:2)
The idiot that initially typed in that password should be the one charged in this matter. It would have been more secure with 'Joshua' or 'CPE1704TKS'
Ah, but in the book, it was Joshua 5, much more secure...
Re: (Score:2)
Ah, but in the book, it was Joshua 5, much more secure...
Your sarcasm would be warranted, if he actually used a password cracker on the password. Since all he actually did was guess it, that password was almost as effective as 8 random characters would have been.
Re: (Score:2)
Where've you been the past few years? Banks can't do anything wrong, ever. And if they do, we get to pay for it.
Sartre Cipher? (Score:3)
The FEMEN land in Paris! (Score:2)
But more importantly, did you hear the Femen have landed in Paris?!
Re: (Score:2)
And this is why my next vacation destination is going to be Paris.
Re: (Score:2)
Wuad'dib, hear us roar!
654321 (Score:2, Interesting)
A note to Timothy
> from the whereas-6-5-4-3-2-1-would-have-stopped-him dept.
Actually, 654321 was an alternative password that also worked!
The Banque de France was not hacked (Score:2, Informative)
Read in French : http://www.pcinpact.com/news/73975-non-systeme-informatique-banque-france-na-pas-ete-pirate.htm
He phoned a technical service and used a bad code that resulted in an alarm.
Due to this overrated alarm the site was closed during 48h...
Maybe it was random (Score:2)
Perhaps the password was 123,456 and came from a random number generator.
Re: (Score:2)
That's a pretty big number to have been chosen by a fair dice roll
Nothing was hacked. (Score:3)
A software alarm popped up for unauthorized login and that's all. It's just that it looked like a hack attempt of a critical national institution.
BTW, looking at the comments, it seems like people did not understand that Banque de France is not a real bank. It's a national administration, just printing money, loaning money to banks and insurance for collateral and managing over-indebtedness.
Re: (Score:2)
(And a nice pair of animals obscured by clouds hitting the wall like the delicate sound of thunder)
Re: (Score:2)
I sincerely hope you're exaggerating on the outcome in the US, but yeah, as a French, I'm kinda proud of my country's courts on that one.
Even the prosecutor was pretty lenient, it seems: calling for 70 euros worth of community service is rather symbolic. Although, that's probably a case of misreporting. IANAL, but I'm familiar with French procedures (out of curiosity), and as far as I know, matters like community service are none of the business of a prosecutor: it's a substitution to classic penalties that must