Slashdot Mirror


The Man Who Hacked the Bank of France

First time accepted submitter David Off writes "In 2008 a Skype user looking for cheap rate gateway numbers found himself connected to the Bank of France where he was asked for a password. He typed 1 2 3 4 5 6 and found himself connected to their computer system. The intrusion was rapidly detected but led to the system being frozen for 48 hours as a security measure. Two years of extensive international police inquiries eventually traced the 37-year-old unemployed Breton despite the fact he'd used his real address when he registered with Skype. The man was found not guilty in court today (Original, in French) of maliciously breaking into the bank."

41 of 184 comments

  1. amazing by masternerdguy · · Score: 5, Funny

    i have the same combination on my luggage!

    --
    To offset political mods, replace Flamebait with Insightful.
    1. Re:amazing by Anonymous Coward · · Score: 5, Insightful

      The surprising thing about this story is the court in France was found not guilty. In the United States of Amerika he would have been sentenced under the anti-terrorism laws. The person responsible for IS security at the Bank of France, however, should be terminated with prejudice.

    2. Re:amazing by girlintraining · · Score: 5, Insightful

      i have the same combination on my luggage!

      It's a bit harder to defend breaking into your luggage than randomly dialing phone numbers and entering what is widely considered a "default" password in to get access. In the former case, it's reasonable to conclude that, regardless of password, if your luggage has a lock on it, it's meant to be private. In the digital world, however, access control mechanisms frequently are assigned a default password because the access mechanism itself is integral to the system -- i.e., you can choose not to put a padlock on a door, you can't disable the login screen. In the minds of a lot of people, assigning a password of "password", "1234" (or variant), "letmein", or "admin", is equivalent to not putting a padlock on a door.

      In other words, it's not breaking and entering if you leave the door to your house unlocked. It's simple trespass and there are numerous legal defenses and excuses for that. The French court merely (and correctly, IMO) said there is an electronic analogue to this legal reasoning. That said, change your luggage combo dude, or I'm klepto'ing that hawaiian shirt you love so much. :P

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:amazing by michelcolman · · Score: 5, Funny

      Three digits on the lock on the left, and three on the lock on the right, makes 6 digits on my luggage. I had been trying to open it for years, unsuccessfully, and guess what!

    4. Re:amazing by g0bshiTe · · Score: 3, Funny

      1 2 3 4 5 6

      In Hyper Space, luggage has 6 digits.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    5. Re:amazing by Guignol · · Score: 3, Funny

      In death, luggage has a name, its name is Bob Paulson

    6. Re:amazing by Vellmont · · Score: 2

      Only on slashdot would an off handed Spaceballs reference be replied to not as the joke it is, but as if it were an analogy and critique of whether there was any real breakin or not.

      In any case, the article is in French, and I'm sure as hell not going to trust an automated translation engine to interpret what happened. I will point out that in most countries (No idea about France) intent is required to commit a crime.

      --
      AccountKiller
    7. Re:amazing by girlintraining · · Score: 3, Informative

      . If a reasonable person would consider the house not to be a place of public accommodation, then opening the door and walking in is sufficient for a B&E charge. The defendant can offer a defense by claiming he is an invitee or that he had reason to believe such, but he has the burden of proof if the act itself is not in dispute.

      Convicting someone of a crime requires three elements: Intent, knowledge, and the act. All three ordinarily have to be proven before someone is guilty. If you were taking prescription drugs, for example, and experienced memory loss and confusion as a result, and through no fault of your own walked into the wrong building... there's no intent. No crime was committed. Then there's knowledge; Say you did intend to enter the building, but didn't know it was private or off limits (for example, at the mall you're looking for a bathroom and open an unmarked door into a private "secure" area). You're caught by a security guard. You intended to enter, but you couldn't have known it was wrong to do so. No crime was committed. And then there's the act of entering itself -- self-explanatory.

      So that covers the three main elements of a crime: You have to prove all three for someone to be guilty. Now, let's say you've managed to prove all three elements. Good for you! Now we get to discuss defenses and excuses. A defense is something where the act itself would normally be considered criminal, but the circumstances make it justified. For example, normally punching someone in the face is assault, but if you had reason to believe you were in imminent danger (whether or not this is true), you can (in most jurisdictions) strike first. You had no choice, you had to respond. An excuse is when you had a choice not to commit a criminal act, did so anyway, but the response was socially justified. For example, if you saw a child being attacked by an adult: You have no obligation to intervene, but most people would. What you did was socially acceptable then.

      Now that we've finished my Really Condensed Intro To Criminal Law, let's discuss your assertion: Mere presence in someone's (unlocked) house is breaking and entering. Breaking and entering is not a crime of strict liability. Strict liability crimes are ones where only the act itself has to be proved; For example possession of stolen property. It requires intent -- intent in this case is the breaking part.

      In some jurisdictions the use of force can be as simple as pushing open a door, in others it needs to be prying open a window or picking a lock, etc. It can also be threatening someone; The definition varies, but you get the idea. Typically, however, the room itself can't have been open to enter; a door without a lock mechanism, or a door left open, or a door left unlocked, in some jurisdictions it doesn't constitute a use of force to open it and enter.

      Secondly, there has to be knowledge that the residence is used primarily for habitation -- not occasionally. There are many buildings you'd consider a home that people don't live in. Executives and CEOs often have houses that are used only to host parties, and are built as such. They are zoned residential, but that's not the purpose of the house. To constitute breaking and entering (also known as burglary), you have to have been able to reasonably conclude it was primarily used for habitation. And then there's that pesky issue of it being unoccupied... and that in some jurisdictions it has to take place outside regular business hours.

      All of those conditions have to be met for the act itself to be considered burglary; Otherwise, it's a different crime (or no crime at all).

      If there was a sign saying "Private property", or "Authorized personnel only", or "By invitation only", then you'd be correct. But most people's homes have no such sign. It's just a building; And there's no way someone could know ahead of time the intent of the owner, or even whether it was public or private property.

      --
      #fuckbeta #iamslashdot #dicemustdie
    8. Re:amazing by Anonymous Coward · · Score: 2, Funny

      The surprising thing about this story is the court in France was found not guilty

      Why is that surprising? Are courts in other countries routinely found guilty?

  2. He just used a German name... by Anonymous Coward · · Score: 4, Funny

    and the French bank raised its arms in defeat and let him right on in to loot and pillage.

    1. Re:He just used a German name... by HornWumpus · · Score: 3, Funny

      When the frogs repel an invasion. So never.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:He just used a German name... by pnot · · Score: 4, Funny

      Heaven forfend that anyone should resort to stereotypes in a thread about a "the French always surrender LOL" joke.

    3. Re:He just used a German name... by Concerned Onlooker · · Score: 3, Informative

      There were a lot of people in France that did more than that. They stood up for other people. It was called the French underground.

      --
      http://www.rootstrikers.org/
    4. Re:He just used a German name... by Howitzer86 · · Score: 2

      I wonder how well you'd do under a fascist occupation.

  3. This reminds me of the time by The MAZZTer · · Score: 4, Interesting

    At high-school, someone set a network share as IE's homepage and when I logged in and launched IE I got in trouble for it.

    Oh, and permissions weren't even properly configured on the share, but they could read logs apparently.

    1. Re:This reminds me of the time by Anonymous Coward · · Score: 5, Funny

      I really hoped you learned your lesson after that. Do not ever use IE.

    2. Re:This reminds me of the time by Anonymous Coward · · Score: 4, Interesting

      I got into trouble at a job once (customer service), because I shared a folder on my hard drive with read-only access for everyone. Somehow, they noticed it was being accessed from the Internet. They suspected me of stealing valuable company data. I had to point out that the contents of the folder were publicly available, and I had only shared them as a convenience for my coworkers. I also tried to point out the idiocy of allowing MS file sharing protocols across the firewall, and assigning public IPs to end-user workstations, but they didn't listen. They had an MSCE on staff who knew all about that sort of thing, and I was just a customer service rep. I quit a short time later.

      I still get kind of mad thinking about it, but I am sure they are long gone, as the entire industry moved overseas shortly thereafter. This was in the 90s.

    3. Re:This reminds me of the time by Anonymous Coward · · Score: 2, Interesting

      I got suspended for a week for deleting some 2000+ expired cookies from a machine. A librarian/student saw me, thought God knows what, and reported me for "hacking" and the like.

      Naturally that was a more severe punishment than the time I found spreadsheets of all the district's students' and teachers' information - names, addresses, birthdates, SSNs... On a public share, of course. Reported it to a teacher I trusted and I'll bet the files are still there today.

    4. Re:This reminds me of the time by Quirkz · · Score: 4, Interesting

      A buddy of mine once got detention because he took a teacher's documents folder and placed it about five layers deep inside a set of folders with names like "look inside" "click me" and "keep going". The top level folder was put exactly where the old documents folder was, and other than being nested nothing was renamed, harmed, or anything else. The teacher still went ballistic when she couldn't figure out how to click through a couple of extra folders to find her documents.

      I once got a stern talking-to by the journalism teacher when I replaced the standard Mac OS startup screen with a custom image of a badly-drawn bomb (we're talking paintshop in the early 90's here) and the message "this system will self destruct in 10 seconds." Someone outside the department had sat down to use the computer for a minute and apparently panicked when they thought the computer had been turned into an actual bomb.

    5. Re:This reminds me of the time by Opportunist · · Score: 3, Insightful

      He didn't get detention for messing with the teacher's file, his crime was much more serious: Exposing teacher stupidity.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:This reminds me of the time by Velex · · Score: 3, Interesting

      While we're waxing nostalgic, I remember when I was in middle school and wanted to start a computer club. And so I did. There were only 3 or 4 of us, and things went ok for the first year.

      Next year rolls around and we have to find a different teacher to sponsor the club, and so we do. So we showed him how we were accessing qbasic, and he sat in every meeting (more like coding session) for a whole semester.

      Then one day, we're all in deep doo-doo. We're being told we're lucky that they didn't call the FBI on us. Our crime: using a netware command to allow a file to be opened by multiple users (or something inane like that). Well, so it seemed logical to appeal to the teacher sponsor since he had just spent 5 months watching us "hack the network," and suddenly he didn't know anything about it.

      Lying bastard.

      The real kick to the nuts was years later there was a blurb in the newspaper about how a girl (omg a woman in computers!) had founded that school's first computer club. The netware administrators who had their panties in a bunch about my club's activities were all female. I guess I just didn't have the right body parts back then. Just goes to show that men aren't the only gender capable of being sexist pigs.

      --
      Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
  4. That is not reasonable security by MickyTheIdiot · · Score: 3, Interesting

    In the US I think we'd have class action lawyers going after them immediately for lack of security due diligence. They would deserve it, too.

    What's the EU equivalent action?

    1. Re:That is not reasonable security by AGMW · · Score: 5, Informative

      In the US I think we'd have class action lawyers going after them immediately for lack of security due diligence. They would deserve it, too.

      Oh, you mean like when Gary McKinnon, who similarly walked into unsecured US military and NASA computers. The difference - oh yes, no one noticed for ages!

      --
      Eclectic beats from Leeds, UK
      handmadehands.co.uk
    2. Re:That is not reasonable security by drummerboybac · · Score: 3, Interesting

      What that Gary McKinnon wiki proves to me is that NASA reads /.

      In 2006, a Freedom of Information Act request was filed with NASA for all documents pertaining to Gary McKinnon. NASA's documents consisted of printed news articles from the Slashdot website, but no other related documents. This is consistent with NASA employees browsing internet articles about Gary McKinnon; the records of such browsing activity are in the public domain. The FOIA documents have been uploaded to the internet for review, and can be downloaded.[45]

  5. Why! These thieving banksters.... by 140Mandak262Jamuna · · Score: 2

    Not only they stole all my money, they stole my secret password too. 1 2 3 4 5 6 is mine. Now go away thieves. I am not giving it back to you.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. NSFW link by jdastrup · · Score: 4, Funny

    I guess "Original, in French" should have warned me

    1. Re:NSFW link by phme · · Score: 3, Insightful

      Really, this is NSFW for you guys? Time to move back across the pond...

    2. Re:NSFW link by Velex · · Score: 2

      You're forgetting that the female breast is a highly offensive body part. In fact, if children under the age of 2 are exposed to the uncovered female breast, they could be traumatized for life.

      --
      Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
  7. 1 2 3 4 5 6 by ackthpt · · Score: 2

    Ha! Another chapter in great security waitasec, that's my password, too...

    I remember back when some clowns in Milwaukee, the 414's, who wanted to sell their story to Hollywood for a movie, books, etc. All they did was use default passwords on DEC systems to log in ([1,2] was SYSTEM unless you changed it on first day.) Even our Digital field techs would set the Field Service operator account password to DECAPR, DECMAY or whatever the month was.

    --
    A feeling of having made the same mistake before: Deja Foobar
  8. NSFW by Anonymous Coward · · Score: 3, Informative

    NSFW photo in sidebar, thanks to Femen.

  9. Why is there no liability on the part of the Bank? by macbeth66 · · Score: 3, Interesting

    The idiot that initially typed in that password should be the one charged in this matter. It would have been more secure with 'Joshua' or 'CPE1704TKS'.

    And yes, I am being sarcastic. Those passwords suck too.

  10. Sure it is by SuperKendall · · Score: 5, Funny

    Luggage is four numbers. You cannot have six numbers.

    Sure it is. You just start working backwards after you reach the fourth number.

    It's a brilliantly easy way to remember

    1265

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  11. Re:This guy should get a meddle for showing stupid by RenderSeven · · Score: 4, Funny

    Why would you give someone a Pink Floyd album for that?

  12. Sartre Cipher? by Penurious Penguin · · Score: 2

    Maybe they expected all attempts would be foiled by eternal debates on the meaning of each digit and whether they really existed or not. If so, (Infinity ^6) is pretty strong and they were probably on to something, at least existentially.

    --
    Forward! -- Emperor Norton, 2012
  13. Hacking? by Anonymous Coward · · Score: 5, Insightful

    If this is "hacking" then opening an unlocked front door by turning the handle is lock-picking

  14. 654321 by Anonymous Coward · · Score: 2, Interesting

    A note to Timothy
    > from the whereas-6-5-4-3-2-1-would-have-stopped-him dept.

    actually 654321 was an alternative password that also worked !

  15. Note to editors: how to get /. to read the article by Overzeetop · · Score: 3, Insightful

    Just knowing the article (sidebar?) is NSFW probably resulted in an order of magnitude more /.ers clicking through the link.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  16. Re:Why is there no liability on the part of the Ba by purpledinoz · · Score: 4, Funny

    Well, at least he didn't use '12345'. But he could have put in a bit more effort and used '1234567'...

  17. The Banque de France was not hacked by Anonymous Coward · · Score: 2, Informative

    Read in French: http://www.pcinpact.com/news/73975-non-systeme-informatique-banque-france-na-pas-ete-pirate.htm
    He phoned a technical service and used a bad code, which resulted in an alarm.
    Due to this overrated alarm the site was closed for 48h...

  18. 123456 = no password intended by epine · · Score: 3, Insightful

    A password prompt is as clear as an "authorized personnel only" sign. Do you go around checking if those doors are locked?

    I can tell you're one of the people who simply don't get the IE/Apache "do not track" square dance.

    If the client has no ability to suppress the password screen, it's not much different than Microsoft setting a global "do not track" attribute that was intended to reflect an explicitly activated user preference, which renders it meaningless.

    The closest you can come with many software packages to explicitly leave the door ajar (since you can't disable the password screen completely) is to set the password to 123456 or ftp. The latter is considered obscure.

    Among those with strong presumptions of security competence, typing 123456 is the moral equivalent to checking whether This Door Is Intentionally Left Ajar

    Among those with no presumptions of security competence, no signal exists which reflects end-user discretion. This of course soon degenerates to the tyranny of the social machine. Check out the Barry Schwartz TED talk if you don't believe me for the episode on Mike's Hard Lemonade. Social services terrorized the child and they all knew (or strongly suspected) that it was all a big mistake.

  19. Nothing was hacked. by damaki · · Score: 2

    I know that truth is not really popular around Slashdot, but nothing was actually hacked, as said here
    A software alarm popped up for unauthorized login and that's all. It's just that it looked like a hack attempt of a critical national institution.
    BTW, looking at the comments, it seems like people did not understand that Banque de France is not a real bank. It's a national administration, just printing money, loaning money to banks and insurance for collateral and managing over-indebtedness.

    --
    Stupidity is the root of all evil.