The Man Who Hacked the Bank of France

First time accepted submitter David Off writes "In 2008 a Skype user looking for cheap rate gateway numbers found himself connected to the Bank of France where he was asked for a password. He typed 1 2 3 4 5 6 and found himself connected to their computer system. The intrusion was rapidly detected but led to the system being frozen for 48 hours as a security measure. Two years of extensive international police inquiries eventually traced the 37-year-old unemployed Breton despite the fact he'd used his real address when he registered with Skype. The man was found not guilty in court today (Original, in French) of maliciously breaking into the bank."

amazing

[masternerdguy]

i have the same combination on my luggage!

Re:amazing

In space, luggage combinations have 5 numbers.

Re:amazing

[smithmc]

It's from a movie!

Re:amazing

The surprising thing about this story is the court in France was found not guilty. In the United States of Amerika he would have been sentenced under the anti-terrorism laws. The person responsible for IS security at the Bank of France, however, should be terminated with prejudice.

Re:amazing

[girlintraining]

i have the same combination on my luggage!

It's a bit harder to defend breaking into your luggage than randomly dialing phone numbers and entering what is widely considered a "default" password in to get access. In the former case, it's reasonable to conclude that, regardless of password, if your luggage has a lock on it, it's meant to be private. In the digital world, however, access control mechanisms frequently are assigned a default password because the access mechanism itself is integral to the system -- ie, you can choose not to put a pad lock on a door, you can't disable the login screen. In the minds of a lot of people, assigning a password of "password", "1234" (or variant), "letmein", or "admin", is equivalent to not putting a pad lock on a door.

In other words, it's not breaking and entering if you leave the door to your house unlocked. It's simple trespass and there are numerous legal defenses and excuses for that. The French court merely (and correctly, IMO) said there is an electronic analogue to this legal reasoning. That said, change your luggage combo dude, or I'm klepto'ing that hawaiian shirt you love so much. :P

Re:amazing

[michelcolman]

Three digits on the lock on the left, and three on the lock on the right, makes 6 digits on my luggage. I had been trying to open it for years, unsuccessfully, and guess what!

Re:amazing

That seems a little Sheldon-esque: "Five pin tumbler system, single circuit alarm - child's play." I certainly wouldn't grant anyone recourse against someone who got in by guessing a weak password. But I'm not sure whether letting the "hacker" off the hook completely is right. A password prompt is as clear as an "authorized personnel only" sign. Do you go around checking if those doors are locked?

Re:amazing

[g0bshiTe]

1 2 3 4 5 6

In Hyper Space, luggage has 6 digits.

Re:amazing

[Guignol]

In death, luggage has a name, its name is Bob Paulson

Re:amazing

[cvtan]

You rat! I was going to post this! ARRRRGH! (with apologies to Talk Like a Pirate Day).

Re:amazing

[Vellmont]

Only on slashdot would an off handed Spaceballs reference be replied to not as the joke it is, but as if it were an analogy and critique of whether there was any real breakin or not.

In any case, the article is in French, and I'm sure as hell not going to trust an automated translation engine to interpret what happened. I will point out that in most countries (No idea about France) intent is required to commit a crime.

Re:amazing

In other words, it's not breaking and entering if you leave the door to your house unlocked. It's simple trespass and there are numerous legal defenses and excuses for that

That is incorrect. B&E does not require a locked door. If a reasonable person would consider the house not to be a place of public accommodation, then opening the door and walking in is sufficient for a B&E charge. The defendant can offer a defense by claiming he is an invitee or that he had reason to believe such, but he has the burden of proof if the act itself is not in dispute.

Trespass is a completely different animal. Trespass is the act of not leaving after having been notified that you are no longer an invitee.

Re:amazing

[girlintraining]

. If a reasonable person would consider the house not to be a place of public accommodation, then opening the door and walking in is sufficient for a B&E charge. The defendant can offer a defense by claiming he is an invitee or that he had reason to believe such, but he has the burden of proof if the act itself is not in dispute.

Convicting someone of a crime requires three elements: Intent, knowledge, and the act. All three ordinarily have to be proven before someone is guilty. If you were taking prescription drugs, for example, and experienced memory loss and confusion as a result, and through no fault of your own walked into the wrong building... there's no intent. No crime was committed. Then there's knowledge; Say you did intend to enter the building, but didn't know it was private or off limits (for example, at the mall you're looking for a bathroom and open an unmarked door into a private "secure" area. You're caught by a security guard. You intended to enter, but you couldn't have known it was wrong to do so. No crime was committed. And then there's the act of entering itself -- self-explanatory.

So that covers the three main elements of a crime: You have to prove all three for someone to be guilty. Now, let's say you've managed to prove all three elements. Good for you! Now we ge to discuss defenses and excuses. A defense is something where the act itself would normally be considered criminal, but the circumstances make it justified. For example, normally punching someone in the face is assault, but if you had reason to believe you were in imminent danger (whether or not this is true), you can (in most jurisdictions) strike first. You had no choice, you had to respond. An excuse is when you had a choice not to commit a criminal act, did so anyway, but the response was socially justified. For example, if you saw a child being attacked by an adult: You have no obligation to intervene, but most people would. What you did was socially acceptable then.

Now that we've finished my Really Condensed Intro To Criminal Law, let's discuss your assertion: Mere presence in someone's (unlocked) house is breaking and entering. Breaking and entering is not a crime of strict liability. Strict liability crimes are ones where only the act itself has to be proved; For example possession of stolen property. It requires intent -- intent in this case is the breaking part.

In some jurisdictions the use of force can be as simple as pushing open a door, in others it needs to be prying open a window or picking a lock, etc. It can also be threatening someone; The definition varies, but you get the idea. Typically, however, the room itself can't have been open to enter; a door without a lock mechanism, or a door left open, or a door left unlocked, in some jurisdictions it doesn't constitute a use of force to open it and enter.

Secondly, there has to be knowledge that the residence is used primarily for habitation -- not occasionally. There are many buildings you'd consider a home that people don't live in. Executives and CEOs often have houses that are used only to host parties, and are built as such. They are zoned residential, but that's not the purpose of the house. To constitute breaking and entering (also known as burglary), you have to been able to reasonably conclude it was primarily used for habitation. And then there's that pesky issue of it being unoccupied... and that in some jurisdictions it has to take place outside regular business hours.

All of those conditions have to be met for the act itself to be considered burglary; Otherwise, it's a different crime (or no crime at all).

If there was a sign saying "Private property", or "Authorized personnel only", or "By invitation only", then you'd be correct. But most people's homes have no such sign. It's just a building; And there's no way someone could know ahead of time the intent of the owner, or even whether it was public or private property

Re:amazing

[jrumney]

I think this proves your fears of being watched by the French government correct.

Re:amazing

The surprising thing about this story is the court in France was found not guilty

Why is that surprising? Are courts in other countries routinely found guilty?

Re:amazing

[heroid1a]

Had too. Or it would have broken the interweb.

Re:amazing

[aliquis]

Why the fuck is this moderated 5: insightful?

it's reasonable to conclude that, regardless of password, if your luggage has a lock on it, it's meant to be private

It had a fucking password in this case. Sure you may accidently notice that the device exist. But if it's not yours you've got no business connecting to it. Password or not, stupid password or not.

It's not very hard to understand. Whatever it's a door, luggage och Internet connected device.

Re:amazing

[kirinyaga]

fyi, 123456 was the wrong code. Problem was entering the wrong code triggered an alert in the system and noone knew where it originated from or what it meant. The contractors in charge of this thus shut the system down for 48h, while they were investigating on it, in fear of a hacker having broke in.

What is amazingly hilarious is the time it took them to understand what happened and who did it, and the disproportionated importance given to a rather innocuous alert.

Re:amazing

[kmoser]

He uses two locks: one has four digits, the other has two.

He just used a German name...

and the French bank raised its arms in defeat and let him right on in to loot and pillage.

Re:He just used a German name...

When it stops being funny. No one laughs about William of Orange.

Re:He just used a German name...

[smithmc]

Although I laughed at your joke I do wonder if or when we'll let that go.

That meme will be around as long as human beings need someone to feel superior to. I.e., forever.

Re:He just used a German name...

So you're more of a San Francisco gay bar macho man, eh?

Re:He just used a German name...

[HornWumpus]

When the frogs repel an invasion. So never.

Re:He just used a German name...

[pnot]

Heaven forfend that anyone should resort to stereotypes in a thread about a "the French always surrender LOL" joke.

Re:He just used a German name...

Probably when they develop a record of standing up for themselves.

Re:He just used a German name...

[TechMouse]

You don't have to be British to appreciate the phrase cheese-eating surrender monkeys. (But it helps).

Re:He just used a German name...

Napoleon was French, right? While it didn't last, he had many victories. They also won WWI without any major surrendering. They only reason why the french are so 'dispised' is that right winger on the radio have been filling up air time for the last 30 years whining about them. When the Dems are in power they leave the french largely alone, but once the GOP is in full control, they have hours of airtime to fill.

Re:He just used a German name...

[pnot]

I'd say last time French got a heavy victory was Poitiers (732).

<cough>Napoleon</cough>

Re:He just used a German name...

[drkim]

If these ignoramuses would read a little history, they would learn you should mock the French for relying on the Maginot line, not for surrendering.

Yeah, but they set the admin password to the Maginot line to "123456."

Re:He just used a German name...

[Talderas]

Napoleon was Corsican and was born a year after the Genoans transferred the island to France. His parent's weren't French. He wasn't of French stock.

Re:He just used a German name...

[pnot]

Phew, at least it wasn't the same as the top secret US nuclear missile lock code of 00000000.

Re:He just used a German name...

[Concerned+Onlooker]

There were a lot of people in France that did more than that. They stood up for other people. I was called the French underground.

Re:He just used a German name...

[Artifakt]

You might want to check out either the video or book version of "Sharpe's Waterloo".

Re:He just used a German name...

[pnot]

I'm not sure what your point is. Are you saying that, say, the Battle of Austerlitz was not in fact a victory for the French, because the parents of the French emperor had not been French? If you don't consider that the French were the victors at Austerlitz, then who were the true victors? The Genoans, perhaps?

Re:He just used a German name...

[Opportunist]

Dunno, with that name he cannot even complain if someone calls him a fruit.

Re:He just used a German name...

[Opportunist]

Oh yeah, right, an Italian war hero. What's next? A British Chef? A US diplomat? A female Russian athlete? A Chinese able to pronounce an 'R'? Or a German comedian? A Mexican worker? Or a quick witted Canadian?

Did I forget a stereotype or does that cover most of it?

Re:He just used a German name...

[Opportunist]

May I be present when you discuss that with a Corsican?

Re:He just used a German name...

[Opportunist]

Underground? Great. Even when they resist occupation they keep their heads down.

Re:He just used a German name...

[Sique]

France was involved in about 1400 wars since the High Middle Age. And it managed to survive until today. (Next in line is Austria with about 600 and Brandenburg-Prussia with 550).
They wouldn't have if they didn't score one or two victories.

Re:He just used a German name...

[Sique]

Especially if there is no real support for feeling superior, it's always nice to have a stereotype to fall back to. The part of the U.S. that makes jokes about France surrendering seems to be in a dire need to feel superior.

Re:He just used a German name...

[Sique]

France survived 1400 wars in the last 600 years. The french obviously know how to standing up for themselves.

Re:He just used a German name...

[Howitzer86]

I wonder how well you'd do under a fascist occupation.

Re:He just used a German name...

[Neil+Boekend]

The most reliable way to survive a war is to keep you head down and do what you are told.
But that's besides the point. The French underground did exist, if I can believe 'Allo 'Allo.

Re:He just used a German name...

[Psychophrenes]

Anonymous funny guy eh?
I'd wager you're an american ignorant with a notion of history that dates back rougly 70 years, but I'm afraid the US would raze half of Europe to find me, with accusations of terrorism and possession of mass destruction weapons to back them up.

Re:He just used a German name...

[Nikker]

Hey I'm Canadian and umm.. ya I'll shut up now.

Re:He just used a German name...

[Sigg3.net]

Or perhaps they keep up the barricades for 11 hours, only for the US to enter at the 12th..

The US constitution would not exist as we know it without the French.

This reminds me of the time

[The+MAZZTer]

At high-school, someone set a network share as IE's homepage and when I logged in and launched IE I got in trouble for it.

Oh, and permissions weren't even properly configured on the share, but they could read logs apparently.

Re:This reminds me of the time

I really hoped you learned your lesson after that. Do not ever use IE.

Re:This reminds me of the time

Boy, that escalated quickly.

Re:This reminds me of the time

I got into trouble at a job once (customer service), because I shared a folder on my hard drive with read-only access for everyone. Somehow, they noticed it was being accessed from the Internet. They suspected me of stealing valuable company data. I had to point out that the contents of the folder were publicly available, and I had only shared them as a convenience for my coworkers. I also tried to point out the idiocy of allowing MS file sharing protocols across the firewall, and assigning public IPs to end-user workstations, but they didn't listen. They had an MSCE on staff who knew all about that sort of thing, and I was just a customer service rep. I quit a short time later.

I still get kind of mad thinking about it, but I am sure they are long gone, as the entire industry moved overseas shortly thereafter. This was in the 90s.

Re:This reminds me of the time

I got suspended for a week for deleting some 2000+ expired cookies from a machine. A librarian/student saw me, thought God knows what, and reported me for "hacking" and the like.

Naturally that was a more severe punishment than the time I found spreadsheets of all the district's students' and teachers' information - names, addresses, birthdates, SSNs... On a public share, of course. Reported it to a teacher I trusted and I'll bet the files are still there today.

Re:This reminds me of the time

[Quirkz]

A buddy of mine once got detention because he took a teacher's documents folder and placed it about five layers deep inside a set of folders with names like "look inside" "click me" and "keep going". The top level folder was put exactly where the old documents folder was, and other than being nested nothing was renamed, harmed, or anything else. The teacher still went ballistic when she couldn't figure out how to click through a couple of extra folders to find her documents.

I once got a stern talking-to by the journalism teacher when I replaced the standard Mac OS startup screen with a custom image of a badly-drawn bomb (we're talking paintshop in the early 90's here) and the message "this system will self destruct in 10 seconds." Someone outside the department had sat down to use the computer for a minute and apparently panicked when they thought the computer had been turned into an actual bomb.

Re:This reminds me of the time

Reminds me of when in high school, I right clicked a page, then selected 'view page source'. At the time, I didn't even know what the hell I was doing at the time... this was just shortly after being introduced to what the internet is, and I was just clicking and seeing what options did what. The teacher started freaking out, thinking we were breaking things and changing stuff. I showed her what I did, and she dropped it, but was quite leery.

Course, on the other side of the spectrum, when a different computer teacher found out that I had written a few cheap QBasic games and was running them on the school's computers, he wasn't mad... he was impressed, and said to the class that if anyone had any computer questions, to ask me (not that anyone did, and I have no clue if he was being serious, but it did a lot for my self confidence back then). I was later running the computer room in my spare time, under his tutilage.

Re:This reminds me of the time

[Opportunist]

Well, you have to admit, the logical leap from "using IE" to "getting some wood stuffed up your arse" isn't that big.

Re:This reminds me of the time

[Opportunist]

He didn't get detention for messing with the teachers file, his crime was much more serious: Exposing teacher stupidity.

Re:This reminds me of the time

[Velex]

While we're waxing nostalgic, I remember when I was in middle school and wanted to start a computer club. And so I did. There were only 3 or 4 of us, and things went ok for the first year.

Next year rolls around and we have to find a different teacher to sponsor the club, and so we do. So we showed him how we were accessing qbasic, and he sat in every meeting (more like coding session) for a whole semester.

Then one day, we're all in deep doo-doo. We're being told we're lucky that they didn't call the FBI on us. Our crime: using a netware command to allow a file to be opened by multiple users (or something inane like that). Well, so it seemed logical to appeal to the teacher sponsor since he had just spent 5 months watching us "hack the network," and suddenly he didn't know anything about it.

Lying bastard.

The real kick to the nuts was years later there was a blurb in the newspaper about how a girl (omg a woman in computers!) had founded that school's first computer club. The netware administrators who had their panties in a bunch about my club's activities were all female. I guess I just didn't have the right body parts back then. Just goes to show that men aren't the only gender capable of being sexist pigs.

Re:This reminds me of the time

[Macgrrl]

Modern flutes are rarely wood.

Re:This reminds me of the time

[sabt-pestnu]

The sad thing is: it ain't so.

Don't confuse ignorance with stupidity.

Or do, if you like. But in the mean time, how about you program my VCR for me with this unmarked remote? It won't matter that the UI is in mandarin, will it?

That is not reasonable security

[MickyTheIdiot]

In the US I think we'd have class action lawyers going after them immediately for lack of security due diligence. They would deserve it, too.

What's the EU equivalent action?

Re:That is not reasonable security

[AGMW]

In the US I think we'd have class action lawyers going after them immediately for lack of security due diligence. They would deserve it, too.

Oh, you mean like when Gary McKinnon, who similarly walked into unsecured US military and NASA computer. The difference - oh yes, no one noticed for ages!

Re:That is not reasonable security

[drummerboybac]

What that Gary McKinnon wiki proves to me is that NASA reads /.

In 2006, a Freedom of Information Act request was filed with NASA for all documents pertaining to Gary McKinnon. NASA's documents consisted of printed news articles from the Slashdot website, but no other related documents. This is consistent with NASA employees browsing internet articles about Gary McKinnon; the records of such browsing activity are in the public domain. The FOIA documents have been uploaded to the internet for review, and can be downloaded.[45]

Re:That is not reasonable security

[Schmorgluck]

I don't know about the rest of the EU, but in France there's basically no equivalent to class actions. There have been talks about putting them into law, but it has been deemed "bad for the economy" (under the previous administration - maybe the new one will bring it back on the table). There's still ground for individual action, though, if only on the basis of privacy protection.

Re:That is not reasonable security

[jittles]

Well if the claims are true, then he intentionally caused damage, deleted files, and otherwise caused mayhem to the US Government. IT wasn't like he logged in, had a quick look around and then GTFO'd. No he left threats and harassing messages. I'd say there is a world of difference.

Re:That is not reasonable security

[stephanruby]

A strike!

Re:That is not reasonable security

[Opportunist]

Knowing the EU, I guess the equivalent action is to pass a law (sorry, a "guideline") immediately that makes it illegal to try default passwords on machines, and doing so makes you a hacker immediately, essentially turning the table around and making the culprit the victim and vice versa.

Why! These thieving banksters....

[140Mandak262Jamuna]

Not only they stole all my money, they stole my secret password too. 1 2 3 4 5 6 is mine. Now go away thieves. I am not giving it back to you.

Re:Why! These thieving banksters....

Hah! My precious "hunter2" is safe!

NSFW link

[jdastrup]

I guess "Original, in French" should have warned me

Re:NSFW link

I wouldn't have followed the link without having seen your warning. I know it isn't, today, but the pictures of topless french women waging a naked war should be safe for work - we are still way to puritanical in the US (I don't know where you are)...

Re:NSFW link

Damn you! I couldnt resist opening the link now that I know it is NSFW. Now I have sinned by RTFAing.

Re:NSFW link

[Cormacus]

Yup, whups... I wanted to read the French language version to see if I could follow what the article was saying. Got a few lines in then I saw the sidebar. D'oh.

Re:NSFW link

[phme]

Really, this is NSFW for you guys? Time to move back across the pond...

Re:NSFW link

[Velex]

You're forgetting that the female breast is a highly offensive body part. In fact, if children under the age of 2 are exposed to the uncovered female breast, they could be traumatized for life.

1 2 3 4 5 6

[ackthpt]

Ha! Another chapter in great security waitasec, that's my password, too...

I remember back when some clowns in Milwaukee , the 414's, who wanted to sell their story to Hollywood for a movie, books, etcs. All they did was use default passwords on DEC systems to log in ([1,2] was SYSTEM unless you changed it on first day.) Even our Digital field techs would set the Field Service operator account password to DECAPR, DECMAY or whatever the month was.

Re:1 2 3 4 5 6

[AchilleTalon]

The actual password once typed on a phone keyboard appears to be encrypted as: 1CFGLO why is it considered unsecured?

NSFW

NSFW photo in sidebar, thanks to Femen.

Holy Crap . . . .

[sgt_doom]

. . . .that's the same password I always use????? I knew I should have banked with the Bank of France!

Why is there no liability on the part of the Bank?

[macbeth66]

The idiot that initially typed in that password should be the one charged in this matter. It would have been more secure with 'Joshua' or 'CPE1704TKS'.

And yes, I am being sarcastic. Those passwords suck too.

Sure it is

[SuperKendall]

Luggage is four numbers. You cannot have six numbers.

Sure it is. You just start working backwards after you reach the fourth number.

It's a brilliantly easy way to remember

1265

Re:Sure it is

Go watch Spaceballs you insensitive clod.

Re:Sure it is

[halcyon1234]

1265? That's the combination on my bank vault!

Re:Sure it is

[SuperKendall]

I was trying for neither, and succeeded in ways beyond your comprehension.

Re:This guy should get a meddle for showing stupid

[RenderSeven]

Why would you give someone a Pink Floyd album for that?

Sartre Cipher?

[Penurious+Penguin]

Maybe they expected all attempts would be foiled by eternal debates on the meaning of each digit and whether they really existed or not. If so, (Infinity ^6) is pretty strong and they were probably on to something, at least existentially.

Hacking?

If this is "hacking" then opening an unlocked front door by turning the handle is lock-picking

Re:Hacking?

No, it is not lock-picking

But it still is unlawful entry (depending on the circumstances).

Re:Hacking?

[Big+Hairy+Ian]

No, it is not lock-picking

But it still is unlawful entry (depending on the circumstances).

Actually depends on the jurisdiction for example here in the UK it's not a crime as long as no damage is done. Look up squatters rights if you don't believe me.

Re:Hacking?

[Grumbleduke]

The UK isn't really a jurisdiction (it's 3). And they're not so much "squatters' rights" as "things are legal unless expressly illegal". There aren't any specific "squatters' rights", although there is the issue of adverse possession (see below). In this case, it would still be trespass, but not automatically a crime (if no damage is done) and if there wasn't any squatting.

In England, squatting in a building being used as a dwelling has been a crime since at least the 70s. Due to issues of squatters in people's second/third homes, or unoccupied homes owned by property developers, there was a campaign to extend this to any residential home, and the new offence became law on 1st September 2012.

In theory, on unregistered land, squatters can get the title to the land revoked if they live there, in possession, for 12 years. In registered land (which most land is now, iirc), they have to wait 10 years, then apply for title, and the registered owner must be notified and can block with a simple objection.

Re:Why is there no liability on the part of the Ba

[characterZer0]

Maybe it was a random 6 character password from the entire UTF16 space?

The FEMEN land in Paris!

[hoggoth]

But more importantly, did you hear the Femen have landed in Paris?!

Re:The FEMEN land in Paris!

[TechMouse]

The Harkonnens must be nervous.

No... wait...

Re:The FEMEN land in Paris!

[tnk1]

And this is why my next vacation destination is going to be Paris.

Re:The FEMEN land in Paris!

[binarylarry]

Wuad'dib, hear us roar!

Re:Why is there no liability on the part of the Ba

[smithmc]

The idiot that initially typed in that password should be the one charged in this matter. It would have been more secure with 'Joshua' or 'CPE1704TKS'

Ah, but in the book, it was Joshua 5 , much more secure...

654321

A note to Timothy
> from the whereas-6-5-4-3-2-1-would-have-stopped-him dept.

actually 654321 was an alternative password that also worked !

Note to editors: how to get /. to read the article

[Overzeetop]

Just knowing the article (sidebar?) is NSFW probably resulted in an order or magnitude more /.ers clicking through the link.

Re:Why is there no liability on the part of the Ba

[purpledinoz]

Well, at least he didn't use '12345'. But he could have put in a bit more effort and used '1234567'...

Re:Lucky Man

Solitary rape?

Re:Note to editors: how to get /. to read the arti

[Jeng]

Shit, that is the only reason I clicked on the french link, it's not like I can understand the language.

Re:Why is there no liability on the part of the Ba

[tnk1]

Ah, but in the book, it was Joshua 5 , much more secure...

Your sarcasm would be warranted, if he actually used a password cracker on the password. Since all he actually did was guess it, that password almost as effective as 8 random characters would have been.

I may be missing something

But the man was asked to give a password for HIS new login.

The system accepted 123456 (silly password for him to use, but if this was just to get in to see what rate he'd get then cancel, not a problem), but then changed his login credentials to one that gave him admin rights.

This is like opening the door on your own car and then it openeing, you driving off and then discovering that, despite a supposedly unique id and unlock, you have driven away with a bank managers own car with a sack full of money on the back seat, then being charged with bank robbery.

The Banque de France was not hacked

Read in French : http://www.pcinpact.com/news/73975-non-systeme-informatique-banque-france-na-pas-ete-pirate.htm
He phoned to a technical service used a bad code that resulted an alarm.
Due to this overrated alarm the site was closed during 48h...

Re:Lucky Man

[Schmorgluck]

I sincerely hope you're exaggerating on the outcome in the US, but yeah, as a French, I'm kinda proud of my country's courts on that one.

Even the prosecutor was pretty lenient, it seems: calling for 70 euros worth of community service is rather symbolic. Although, that's probably a case of misreporting. IANAL, but I'm familiar with French procedures (out of curiosity), and as far I know matters like community service is none of the business of a prosecutor: it's a substitution to classic penalties that must be approved by the condemned (otherwise it would be forced work), and it's up to the judges to supervise that, not the prosecutor. I suppose the prosecutor required a 70 euros fine as the official requisition of the public ministry (which is in their attributions) and advanced in their speach before the courts that it could be turned into community service (something a prosecutor is perfectly entitled to say if they feel so).

Anyway, I like the (overall) sanity of my country's courts.

Re:This guy should get a meddle for showing stupid

[RenderSeven]

After a momentary lapse of reason.

(And a nice pair of animals obscured by clouds hitting the wall like the delicate sound of thunder)

Maybe it was random

[slapout]

Perhaps the password was 123,456 and came from a random number generator.

Re:Maybe it was random

[Qzukk]

That's a pretty big number to have been chosen by a fair dice roll

Re:Maybe it was random

[Neil+Boekend]

No, the only problem is that one million sided dice are hard to read. You need a good level to do so. And that's after you've rolled it with a crane

123456 = no password intended

[epine]

A password prompt is as clear as an "authorized personnel only" sign. Do you go around checking if those doors are locked?

I can tell you're one of the people who simple don't get the IE/Apache "do not track" square dance.

If the client has no ability to suppress the password screen, it's not much different than Microsoft setting a global "do not track" attribute that was intended to reflect an explicitly activated user preference, which renders it meaningless.

The closest you can come with many software packages to explicitly leave the door ajar (since you can't disable the password screen completely) is to set the password to 123456 or ftp. The later is considered obscure.

Among those with strong presumptions of security competence, typing 123456 is the moral equivalent to checking whether This Door Is Intentionally Left Ajar

Among those with no presumptions of security competence, no signal exists which reflects end-user discretion. This of course soon degenerates to the tyrany of the social machine. Check out the Barry Schwartz TED talk if you don't believe me for the episode on Mike's Hard Lemonade. Social services terrorized the child and they all knew (or strongly suspected) that it was all a big mistake.

Re:123456 = no password intended

[ais523]

Whenever I have something which naturally has a password prompt, but I want arbitrary people to be able to log in, I set the password equal to the username (especially as the username itself tends to be guessable). That's probably more common than using a default password like 123456.

Re:123456 = no password intended

[chrismcb]

The closest you can come with many software packages to explicitly leave the door ajar (since you can't disable the password screen completely) is to set the password to 123456 or ftp.

Setting the password to blank is probably a tad bit closer.

Re:123456 = no password intended

[rtb61]

Perhaps the error is in the password output itself. It just asks for a password, it doesn't provide any warnings, it doesn't sufficiently suggest a restricted site, keeping in mind this is going to casual end user often not paying much attention to what they are doing. Often sites poorly designed stick up password screens and tell people to use the default password as part of a free trial, with the free access default often 'password' or '123456'.

Poor security is inherent in design and application, lack of real notification and warning and poor implementation of security. We are not talking about opening a door into someone private home, that is clear, the reality is, the password screen is equal to jumping a fence.

Re:123456 = no password intended

[ArsenneLupin]

Many systems do not allow to set blank passwords.

123456

[GigaBurglar]

Some people just need to be shot. ..And how exactly does it take two years to tack down a suspect that used absolutely no methods to hide his tracks?

Re:Why is there no liability on the part of the Ba

[Opportunist]

Where've you been the past few years? Banks can't do anything wrong, ever. And if they do, we get to pay for it.

Re:Note to editors: how to get /. to read the arti

[Archon-X]

they're actually ukranian women.

Nothing was hacked.

[damaki]

I know that truth is not really popular around Slashdot, but nothing was actually hacked, as said here
A software alarm popped up for unauthorized login and that's all. It's just that it looked like a hack attempt of a critical national institution.
BTW, looking at the comments, it seems like people did not understand that Banque de France is not a real bank. It's a national administration, just printing money, loaning money to banks and insurance for collateral and managing over-indebtedness.

Thank you AFP for spreadding fake news again

1 2 3 4 5 6 does not seem to be the actual code (source in french : http://www.pcinpact.com/news/73975-non-systeme-informatique-banque-france-na-pas-ete-pirate.htm), just what the guy typed in.

While looking for the non-premium equivalent of some premium phone numbers (which he admits to), the guy randomly dialed a phone service provided by Bank of France to a limited number of banks and insurance companies for information about indeptedness.

The guy heard a recorded voice asking for a code, tried the sequence of numbers and got nothing, so he just hung and continued doing whatever he was doing.
Note that the recorded message was not saying what the phone service was for or who provided it, so the guy tried to get in just out of curiosity. While typing tht numbers, the guy certainly did not expect such a shitstorm to fall upon him.

Typing in a bad code triggered a security alarm at Bank of France, which went paranoid about it, shut down its systems for two days trying to figure out what happened and reported the incident to the police, which just went as crazy and chased the guy. Somehow that took them two years, when the guy never hid his identity!

The AFP article is full of errors (not unusual for them) and other journalists just paraphrased it without checking the information, which drove to many bad news articles.

Oh, and Bank of France is not a "bank", it's the national reserve (like the Fed in USA).

The correct password wasn't 123456 !

[GuB-42]

Here is what most probably happened (investigation is underway, so we can't be sure) :
In fact the guy entered a wrong password and wasn't given access to anything.
However his action triggered an intrusion alert and as a result the system was shut down for two days as a safety measure. Time to understand what happened.

Moreover, only an outsourced call center was shut down.

Source (in French) : http://www.pcinpact.com/news/73975-non-systeme-informatique-banque-france-na-pas-ete-pirate.htm

and the bank was ofcourse

[KingBenny]

not found guilty of failing to secure everyones goodies and assets in a way befitting a bank?
you know round here you can get a fine for not locking your car since you're inviting thieves like hey come on in guys according to ze law.