BART Police Website Hacker Claims to Be French Girl Doing First Hack
Categories: Tech
[13:42] <Lamaline_5mg> For starters, this is my first attack on any system.
[13:43] <sfweekly800> I see. So what called you to action today?
[13:44] <Lamaline_5mg> What called me to action? Look around you. People trying to stand for themselves in peaceful protest ends up being such a big deal that the police has to shut down cell phone and wifi access.
[13:45] <Lamaline_5mg> This is exactly like the beginning of the tahrir protests.
[13:46] <Lamaline_5mg> But let me tell you to important things: I learned how to Inject databases *ONLY* because I wanted to get these passwords and infos.
[13:46] <sfweekly800> I see. You see this as a better attack that the MyBART one?
[13:46] <sfweekly800> makes more of a statement?
[13:47] <Lamaline_5mg> Most important thing is, it was not a hack: They had 0 security.
[13:47] <Lamaline_5mg> I just exploited a gaping hole.
[13:47] <Lamaline_5mg> what?
[13:47] <Lamaline_5mg> A better attack?
[13:48] <Lamaline_5mg> Listen, don't ask questions.
[13:48] <Lamaline_5mg> I'll tell you what's important to know first.
[13:48] <sfweekly800> Ok, go for it.
[13:50] <Lamaline_5mg> I did it for the lulz.
[13:51] <Lamaline_5mg> This is a key phrase that any pirate says to the media when it is obvious that they do not care about the movement.
[13:51] <Lamaline_5mg> Really, this is no big deal.
[13:51] <Lamaline_5mg> Yet another leak.
[13:51] <Lamaline_5mg> Yet another cyber attack.
[13:52] <Lamaline_5mg> You want to sell a dream of cyber attacks like in the movies.
[13:52] <Lamaline_5mg> Do it without me.
[13:52] <Lamaline_5mg> Now, let's get to facts about me.
[13:52] <Lamaline_5mg> I am not american.
[13:52] <Lamaline_5mg> I am a girl.
[13:53] <sfweekly800> How was it so easy to get into the site?
[13:53] <sfweekly800> Care to disclose your nationality?
[13:53] <Lamaline_5mg> two python scripts of ~50 lines.
[13:54] <Lamaline_5mg> yeah, sure. How about you give me your adress so I can send you a DNA sample?
[13:55] <sfweekly800> Was it sql injection on the login fields?
[13:55] <@n0pants> lol
[13:56] <Lamaline_5mg> No. Here's the security hole: http://bartpoa.com/forms/contact_form.asp?i=0%27%20UNION%20ALL%20SELECT%201,2,3,4,5,%28%27%3C%28%20%27%2buserId%29,%28firstname%2b%27%20%27%2blastname%29,%28address%2b%27%20city:%27%2bcity%29,9,10,11,12,13,14,15,16,%28email%2b%27%20--Password:%20%27%2buserpwd%2b%27%20%29%3E%27%29,18,19,20,21,22,23,24,25,26,27,28,29,30%20FROM%20%2
[13:56] <Lamaline_5mg> Don't click unlesss you want the feds in your house tomorrow morning.
[13:56] <@n0pants> how did you figure out that query?
[13:57] <@n0pants> just guess the column names?
[13:57] <Lamaline_5mg> Yes.
[13:57] <Lamaline_5mg> it took a list of common tables and columns, and a loop.
[13:58] <Lamaline_5mg> Then, my nice terminal would kindly tell me, quote: "SUCCESS ON userpwd field name."
[13:59] <sfweekly800> Is the BART POA website still vulnerable right now?
[13:59] <Lamaline_5mg> Yeah.
[13:59] <Lamaline_5mg> You have no Idea.
[14:00] <sfweekly800> Are you planning to grab more from the site?
[14:00] <@n0pants> as a programmer, I'll agree, that's a pretty straightforward attack
[14:00] <Lamaline_5mg> Somebody more experienced could have gotten the admin password. That would have been way more lulzy.
[14:00] <sfweekly800> Are you doing this for the lulz or because you think BART overstepped its bounds? You've said both.
[14:01] <Lamaline_5mg> This is a cyber guerilla is what it is.
[14:02] <Lamaline_5mg> I got pissed.
[14:02] <Lamaline_5mg> I learned som stuff.
[14:02] <Lamaline_5mg> They didn't have protections.
[14:02] <Lamaline_5mg> I won.
[14:02] <Lamaline_5mg> As simple as that.
[14:02] <sfweekly800> You are very dramatic, Lamaline!
[14:02] <Lamaline_5mg> then again, I had some lulz.
[14:03] <sfweekly800> How long did it take you to figure out how to get in?
[14:05] <Lamaline_5mg> A one page PDF tutorial, and this google search: «site:bartpoa.com inurl:.asp?»
[14:05] <Lamaline_5mg> It took me no time, really.
[14:06] <Lamaline_5mg> I learned a lot from this attack, though.
[14:06] <Lamaline_5mg> And I learned a lot about dumping infos.
[14:06] <Lamaline_5mg> Morality: Use the infos First.
[14:06] <Lamaline_5mg> then dump.
[14:07] <sfweekly800> Are you planning to get into get into any other systems?
[14:08] <Lamaline_5mg> I don't know. I am an opportunist in this matter. But I will never attack unless something is wrong with the actions of the victim.
[14:09] <Lamaline_5mg> Victim is not the right word: Opponent.
[14:10] <sfweekly800> You aren't American, but are you in the United States?
[14:10] <Lamaline_5mg> No.
[14:11] <sfweekly800> When did you hear about the opBART?
[14:12] <Lamaline_5mg> I don't remember. I'll be right back.
[14:15] <Lamaline_5mg> I learned about it 4 days ago.
[14:15] <Lamaline_5mg> I heard* about it.
[14:16] <Lamaline_5mg> Ok. I can't resist telling you my nationality.
[14:16] <Lamaline_5mg> I'm french.
[14:16] <Lamaline_5mg> Humiliating, huh?
[14:16] <@n0pants> heh
[14:17] <sfweekly800> and when you say girl, are we talking like teenage?
[14:17] <@n0pants> sfweekly800: see privatemesg (n0pants tab) at some point
[14:18] <Lamaline_5mg> Not a teenage stricto-sensus.
[14:20] <Lamaline_5mg> Now, no more private infos.
[14:20] <sfweekly800> OK.
[14:21] <sfweekly800> do you know anything about how the mybart.org hack happened?
[14:24] <Lamaline_5mg> I did not take part in this operation.
[14:24] <Lamaline_5mg> Lack of information, I guess.
[14:26] <sfweekly800> are you pleased with your attack?
[14:28] <Lamaline_5mg> I would say I'm satisfied because it really shows how bad the cyber defense of the enemies of free speech and free movement is. I would say it's promissing.
[14:29] <Lamaline_5mg> And, that is an encouragement to all those who want to join the cyber guerilla.
[14:32] <sfweekly800> Is Lamaline always your online handle?
[14:33] <Lamaline_5mg> No, I made it up for this occasion. I don't know If I'm gonna keep it.
[14:35] <sfweekly800> All right. Well, thanks for chatting!
[14:35] <Lamaline_5mg> You're welcome.
[14:35] <Lamaline_5mg> Thank you.
[13:43] <sfweekly800> I see. So what called you to action today?
[13:44] <Lamaline_5mg> What called me to action? Look around you. People trying to stand for themselves in peaceful protest ends up being such a big deal that the police has to shut down cell phone and wifi access.
[13:45] <Lamaline_5mg> This is exactly like the beginning of the tahrir protests.
[13:46] <Lamaline_5mg> But let me tell you to important things: I learned how to Inject databases *ONLY* because I wanted to get these passwords and infos.
[13:46] <sfweekly800> I see. You see this as a better attack that the MyBART one?
[13:46] <sfweekly800> makes more of a statement?
[13:47] <Lamaline_5mg> Most important thing is, it was not a hack: They had 0 security.
[13:47] <Lamaline_5mg> I just exploited a gaping hole.
[13:47] <Lamaline_5mg> what?
[13:47] <Lamaline_5mg> A better attack?
[13:48] <Lamaline_5mg> Listen, don't ask questions.
[13:48] <Lamaline_5mg> I'll tell you what's important to know first.
[13:48] <sfweekly800> Ok, go for it.
[13:50] <Lamaline_5mg> I did it for the lulz.
[13:51] <Lamaline_5mg> This is a key phrase that any pirate says to the media when it is obvious that they do not care about the movement.
[13:51] <Lamaline_5mg> Really, this is no big deal.
[13:51] <Lamaline_5mg> Yet another leak.
[13:51] <Lamaline_5mg> Yet another cyber attack.
[13:52] <Lamaline_5mg> You want to sell a dream of cyber attacks like in the movies.
[13:52] <Lamaline_5mg> Do it without me.
[13:52] <Lamaline_5mg> Now, let's get to facts about me.
[13:52] <Lamaline_5mg> I am not american.
[13:52] <Lamaline_5mg> I am a girl.
[13:53] <sfweekly800> How was it so easy to get into the site?
[13:53] <sfweekly800> Care to disclose your nationality?
[13:53] <Lamaline_5mg> two python scripts of ~50 lines.
[13:54] <Lamaline_5mg> yeah, sure. How about you give me your adress so I can send you a DNA sample?
[13:55] <sfweekly800> Was it sql injection on the login fields?
[13:55] <@n0pants> lol
[13:56] <Lamaline_5mg> No. Here's the security hole: http://bartpoa.com/forms/contact_form.asp?i=0%27%20UNION%20ALL%20SELECT%201,2,3,4,5,%28%27%3C%28%20%27%2buserId%29,%28firstname%2b%27%20%27%2blastname%29,%28address%2b%27%20city:%27%2bcity%29,9,10,11,12,13,14,15,16,%28email%2b%27%20--Password:%20%27%2buserpwd%2b%27%20%29%3E%27%29,18,19,20,21,22,23,24,25,26,27,28,29,30%20FROM%20%2
[13:56] <Lamaline_5mg> Don't click unlesss you want the feds in your house tomorrow morning.
[13:56] <@n0pants> how did you figure out that query?
[13:57] <@n0pants> just guess the column names?
[13:57] <Lamaline_5mg> Yes.
[13:57] <Lamaline_5mg> it took a list of common tables and columns, and a loop.
[13:58] <Lamaline_5mg> Then, my nice terminal would kindly tell me, quote: "SUCCESS ON userpwd field name."
[13:59] <sfweekly800> Is the BART POA website still vulnerable right now?
[13:59] <Lamaline_5mg> Yeah.
[13:59] <Lamaline_5mg> You have no Idea.
[14:00] <sfweekly800> Are you planning to grab more from the site?
[14:00] <@n0pants> as a programmer, I'll agree, that's a pretty straightforward attack
[14:00] <Lamaline_5mg> Somebody more experienced could have gotten the admin password. That would have been way more lulzy.
[14:00] <sfweekly800> Are you doing this for the lulz or because you think BART overstepped its bounds? You've said both.
[14:01] <Lamaline_5mg> This is a cyber guerilla is what it is.
[14:02] <Lamaline_5mg> I got pissed.
[14:02] <Lamaline_5mg> I learned som stuff.
[14:02] <Lamaline_5mg> They didn't have protections.
[14:02] <Lamaline_5mg> I won.
[14:02] <Lamaline_5mg> As simple as that.
[14:02] <sfweekly800> You are very dramatic, Lamaline!
[14:02] <Lamaline_5mg> then again, I had some lulz.
[14:03] <sfweekly800> How long did it take you to figure out how to get in?
[14:05] <Lamaline_5mg> A one page PDF tutorial, and this google search: «site:bartpoa.com inurl:.asp?»
[14:05] <Lamaline_5mg> It took me no time, really.
[14:06] <Lamaline_5mg> I learned a lot from this attack, though.
[14:06] <Lamaline_5mg> And I learned a lot about dumping infos.
[14:06] <Lamaline_5mg> Morality: Use the infos First.
[14:06] <Lamaline_5mg> then dump.
[14:07] <sfweekly800> Are you planning to get into get into any other systems?
[14:08] <Lamaline_5mg> I don't know. I am an opportunist in this matter. But I will never attack unless something is wrong with the actions of the victim.
[14:09] <Lamaline_5mg> Victim is not the right word: Opponent.
[14:10] <sfweekly800> You aren't American, but are you in the United States?
[14:10] <Lamaline_5mg> No.
[14:11] <sfweekly800> When did you hear about the opBART?
[14:12] <Lamaline_5mg> I don't remember. I'll be right back.
[14:15] <Lamaline_5mg> I learned about it 4 days ago.
[14:15] <Lamaline_5mg> I heard* about it.
[14:16] <Lamaline_5mg> Ok. I can't resist telling you my nationality.
[14:16] <Lamaline_5mg> I'm french.
[14:16] <Lamaline_5mg> Humiliating, huh?
[14:16] <@n0pants> heh
[14:17] <sfweekly800> and when you say girl, are we talking like teenage?
[14:17] <@n0pants> sfweekly800: see privatemesg (n0pants tab) at some point
[14:18] <Lamaline_5mg> Not a teenage stricto-sensus.
[14:20] <Lamaline_5mg> Now, no more private infos.
[14:20] <sfweekly800> OK.
[14:21] <sfweekly800> do you know anything about how the mybart.org hack happened?
[14:24] <Lamaline_5mg> I did not take part in this operation.
[14:24] <Lamaline_5mg> Lack of information, I guess.
[14:26] <sfweekly800> are you pleased with your attack?
[14:28] <Lamaline_5mg> I would say I'm satisfied because it really shows how bad the cyber defense of the enemies of free speech and free movement is. I would say it's promissing.
[14:29] <Lamaline_5mg> And, that is an encouragement to all those who want to join the cyber guerilla.
[14:32] <sfweekly800> Is Lamaline always your online handle?
[14:33] <Lamaline_5mg> No, I made it up for this occasion. I don't know If I'm gonna keep it.
[14:35] <sfweekly800> All right. Well, thanks for chatting!
[14:35] <Lamaline_5mg> You're welcome.
[14:35] <Lamaline_5mg> Thank you.
Follow us on Twitter at @TheSnitchSF and @SFWeekly.
<< Previous Page | 1 | 2
Email to Friend
Write to Editor
Print Article
