BART Police Website Hacker Claims to Be French Girl Doing First Hack

Categories: Tech
[13:42] <Lamaline_5mg> For starters, this is my first attack on any system.
[13:43] <sfweekly800> I see. So what called you to action today?
[13:44] <Lamaline_5mg> What called me to action? Look around you. People trying to stand for themselves in peaceful protest ends up being such a big deal that the police has to shut down cell phone and wifi access.
[13:45] <Lamaline_5mg> This is exactly like the beginning of the tahrir protests.
[13:46] <Lamaline_5mg> But let me tell you two important things: I learned how to Inject databases *ONLY* because I wanted to get these passwords and infos.
[13:46] <sfweekly800> I see. You see this as a better attack than the MyBART one?
[13:46] <sfweekly800> makes more of a statement?
[13:47] <Lamaline_5mg> Most important thing is, it was not a hack: They had 0 security.
[13:47] <Lamaline_5mg> I just exploited a gaping hole.
[13:47] <Lamaline_5mg> what?
[13:47] <Lamaline_5mg> A better attack?
[13:48] <Lamaline_5mg> Listen, don't ask questions.
[13:48] <Lamaline_5mg> I'll tell you what's important to know first.
[13:48] <sfweekly800> Ok, go for it.
[13:50] <Lamaline_5mg> I did it for the lulz.
[13:51] <Lamaline_5mg> This is a key phrase that any pirate says to the media when it is obvious that they do not care about the movement.
[13:51] <Lamaline_5mg> Really, this is no big deal.
[13:51] <Lamaline_5mg> Yet another leak.
[13:51] <Lamaline_5mg> Yet another cyber attack.
[13:52] <Lamaline_5mg> You want to sell a dream of cyber attacks like in the movies.
[13:52] <Lamaline_5mg> Do it without me.
[13:52] <Lamaline_5mg> Now, let's get to facts about me.
[13:52] <Lamaline_5mg> I am not american.
[13:52] <Lamaline_5mg> I am a girl.
[13:53] <sfweekly800> How was it so easy to get into the site?
[13:53] <sfweekly800> Care to disclose your nationality?
[13:53] <Lamaline_5mg> two python scripts of ~50 lines.
[13:54] <Lamaline_5mg> yeah, sure. How about you give me your address so I can send you a DNA sample?
[13:55] <sfweekly800> Was it sql injection on the login fields?
[13:55] <@n0pants> lol
[13:56] <Lamaline_5mg> No. Here's the security hole: http://bartpoa.com/forms/contact_form.asp?i=0%27%20UNION%20ALL%20SELECT%201,2,3,4,5,%28%27%3C%28%20%27%2buserId%29,%28firstname%2b%27%20%27%2blastname%29,%28address%2b%27%20city:%27%2bcity%29,9,10,11,12,13,14,15,16,%28email%2b%27%20--Password:%20%27%2buserpwd%2b%27%20%29%3E%27%29,18,19,20,21,22,23,24,25,26,27,28,29,30%20FROM%20%2
[13:56] <Lamaline_5mg> Don't click unless you want the feds in your house tomorrow morning.
[13:56] <@n0pants> how did you figure out that query?
[13:57] <@n0pants> just guess the column names?
[13:57] <Lamaline_5mg> Yes.
[13:57] <Lamaline_5mg> it took a list of common tables and columns, and a loop.
[13:58] <Lamaline_5mg> Then, my nice terminal would kindly tell me, quote: "SUCCESS ON userpwd field name."
[13:59] <sfweekly800> Is the BART POA website still vulnerable right now?
[13:59] <Lamaline_5mg> Yeah.
[13:59] <Lamaline_5mg> You have no Idea.
[14:00] <sfweekly800> Are you planning to grab more from the site?
[14:00] <@n0pants> as a programmer, I'll agree, that's a pretty straightforward attack
[14:00] <Lamaline_5mg> Somebody more experienced could have gotten the admin password. That would have been way more lulzy.
[14:00] <sfweekly800> Are you doing this for the lulz or because you think BART overstepped its bounds? You've said both.
[14:01] <Lamaline_5mg> This is a cyber guerilla is what it is.
[14:02] <Lamaline_5mg> I got pissed.
[14:02] <Lamaline_5mg> I learned some stuff.
[14:02] <Lamaline_5mg> They didn't have protections.
[14:02] <Lamaline_5mg> I won.
[14:02] <Lamaline_5mg> As simple as that.
[14:02] <sfweekly800> You are very dramatic, Lamaline!
[14:02] <Lamaline_5mg> then again, I had some lulz.
[14:03] <sfweekly800> How long did it take you to figure out how to get in?
[14:05] <Lamaline_5mg> A one page PDF tutorial, and this google search: «site:bartpoa.com inurl:.asp?»
[14:05] <Lamaline_5mg> It took me no time, really.
[14:06] <Lamaline_5mg> I learned a lot from this attack, though.
[14:06] <Lamaline_5mg> And I learned a lot about dumping infos.
[14:06] <Lamaline_5mg> Morality: Use the infos First.
[14:06] <Lamaline_5mg> then dump.
[14:07] <sfweekly800> Are you planning to get into any other systems?
[14:08] <Lamaline_5mg> I don't know. I am an opportunist in this matter. But I will never attack unless something is wrong with the actions of the victim.
[14:09] <Lamaline_5mg> Victim is not the right word: Opponent.
[14:10] <sfweekly800> You aren't American, but are you in the United States?
[14:10] <Lamaline_5mg> No.
[14:11] <sfweekly800> When did you hear about the opBART?
[14:12] <Lamaline_5mg> I don't remember. I'll be right back.
[14:15] <Lamaline_5mg> I learned about it 4 days ago.
[14:15] <Lamaline_5mg> I heard* about it.
[14:16] <Lamaline_5mg> Ok. I can't resist telling you my nationality.
[14:16] <Lamaline_5mg> I'm french.
[14:16] <Lamaline_5mg> Humiliating, huh?
[14:16] <@n0pants> heh
[14:17] <sfweekly800> and when you say girl, are we talking like teenage?
[14:17] <@n0pants> sfweekly800: see privatemesg (n0pants tab) at some point
[14:18] <Lamaline_5mg> Not a teenage stricto-sensus.
[14:20] <Lamaline_5mg> Now, no more private infos.
[14:20] <sfweekly800> OK.
[14:21] <sfweekly800> do you know anything about how the mybart.org hack happened?
[14:24] <Lamaline_5mg> I did not take part in this operation.
[14:24] <Lamaline_5mg> Lack of information, I guess.
[14:26] <sfweekly800> are you pleased with your attack?
[14:28] <Lamaline_5mg> I would say I'm satisfied because it really shows how bad the cyber defense of the enemies of free speech and free movement is. I would say it's promising.
[14:29] <Lamaline_5mg> And, that is an encouragement to all those who want to join the cyber guerilla.
[14:32] <sfweekly800> Is Lamaline always your online handle?
[14:33] <Lamaline_5mg> No, I made it up for this occasion. I don't know If I'm gonna keep it.
[14:35] <sfweekly800> All right. Well, thanks for chatting!
[14:35] <Lamaline_5mg> You're welcome.
[14:35] <Lamaline_5mg> Thank you. 

79 comments
Brad

Media Workflow is running a contest on Facebook that can net you a really cool website designed by our talented team. The only requirement to enter is to like us on Facebook; no purchase is necessary.

The winner gets a fantastic WordPress website, fully customized with advanced photo gallery functionality and other WordPress functions including social sharing. The contest winner will receive a 1-hour consultation to design the website. We will provide your customized design with up to four revisions. You supply the content and we integrate it into the web site for you.

Win a Free Website and 1 Year Free Hosting

http://mediaworkflow.com.au/wi...

Just like facebook.com/MediaWorkflow

song jia

Valuable information and excellent design you got here! I would like to thank you for sharing your thoughts and time into the stuff you post!! Thumbs up. www.cheapbeatsearphones.com

Burnaby Lawyers

Hacking is an illegal practice; there is no way to make fun of it. It should be punished and investigated.

Kassandra G Rodriguez

Wonderful blog! Do you have any hints for aspiring writers? I'm planning to start my own website soon but I'm a little lost on everything. Would you advise starting with a free platform like WordPress or go for a paid option? There are so many choices out there that I'm totally confused .. Any recommendations? Thank you! http://www.myblogcelebrities.b...

Payton_vege

Amazing write-up! This could aid plenty of people find out more about this particular issue. Are you keen to integrate video clips coupled with these? It would absolutely help out. Your conclusion was spot on and thanks to you; I probably won’t have to describe everything to my pals. I can simply direct them here!

colon therapist boston

The ONLY colon therapist who is delivering a message supportive of a special healing relationship between the brain and colon.

Granite Countertops Toronto

Avalon granite and marble is a full granite and marble company. Avalon Granite and marble specializes in granite countertops fabrication and installations for the greater Toronto Area, including Toronto, Thornhill, Richmond Hill, Burlington, Oakville, Newmarket, and surrounding. Avalon granite is a leader in the fabrication and installation process working only with the best tradesmen in their field. They offer many different stones and materials including granite, marble, quartz, limestone, glass2 and much more. Please contact them today by visiting www.avalongranite.com or by emailing their CEO Uri Nachim, at uri@avalongranite.com or by calling 1-866-919-0516.

lora

i can write and speak english easily

Digital Cameras

I would like to meet a girl hacker, we would have a lot of things in common, except I'm a male :D

Guest

French fries are from Belgium. With a name like Fleming (which means Vlaming, originally someone from Flanders/Vlaanderen in Belgium) you should know that and take offense when someone labels fries as French. Tera Account

Mas621

An assault leading directly to the death of a victim at Balboa Station mid platform on Nov 21 1991 at 11:30 PM has never been investigated. BART tried to pass this 38 year old man, my friend of 12 years, Frank Alan Day, off as a homeless person by removing part of his ID, then putting him under a train after pulverizing his skull in 3 places. He was not robbed. I was the last person to see him alive and he had all his ID with him in the early evening of the night he was assaulted in Balboa Station and then died in SFGH of multiple subdural hematomas. There are no witnesses of course. No one ever interviewed me, though why this is so, since I was the last person who knows him to see him alive, is unfathomable. I volunteered all information and no one was interested. The SFGH medical reports are not in agreement with BART. His injuries were not consistent with being hit by the coupler on an A slope-nosed train and thrown 60 feet; the coupler was removed, according to BART officials, because it was the wrong coupler for that train. Other evidence was also destroyed; in the BART report there are numerous enormous discrepancies. Obviously the public, his family and friends were never intended to have a copy of Day's 30 page BART report detailing many different versions of his death under a 15 car BART train with passengers at the time, and it was very difficult to procure this report. Though news of his being found badly injured under a BART train, and then the news when he was identified, and then again the news of his death were all sent by SFGH to the Bay Area News Service which promptly delivered it to all news publications and radios, nothing was ever published or aired on radio or TV. He was my best friend. I still miss him greatly and think about him every single day though I have got on with my life finally.

Alice

I thank you should make a office 2007 key

dantsea

I doubt anyone has ever died under a 15-car BART train, with or without passengers. If someone died, then I truly am sorry, but your story is incredible. BART has nothing to gain and everything to lose by not reporting deaths in its stations for any reason, has never heard of this person. Additionally, no one named Frank Alan Day, Alan Day, Frank Day or Francis Day can be located as having died anywhere in California in 1991.

Mas621

And why do you mention his mother if you are so in doubt?

Mas621

he died in SFGH 38 hours after having been taken from under the BART train at Balboa station. do you want exact date and time too?

Mas621

i have his death certificate issued at SFGH

Tina Shontz

Did no one pick up on the fact that "La Maline" in French means "bad/evil one (female)"? LOL!

David

How it was done...it really is simple if you spend a few moments of your time. Let me show you how.

Technique used: SQL Injection.

Tools: Hajiv & WebCruiser & XCodeXploitScanner

Steps:

1. XcodeXploitScanner: use this to scan websites which can be attacked, from google search.
2. Once you find the site, copy the link into Webcruiser.
3. Webcruiser will find and automate the attack for you. Bingo....3 clicks.....

I'm not going to explain in detail here...because it really is that easy!!! Just go ahead and spend a few moments exploring the above FREE SQL exploit tools.....

Hajiv (is just like WebCruiser): http://itsecteam.com/en/projec...

Webcruiser: http://sec4app.com/

XCodeXploitScanner: http://ferdianelli.wordpress.c...

These tools are free...you can use them safely with your antiviruses....no problems at all....These are popular free sql scanners..there are more expensive ones that do a better job with more advanced attacks....first practice with the above...

untitled

unless the hacker is really stupid he's not french, and that was all for more lulz.

i'm half inclined to think his chat character was based on the protagonist in the Girl with Dragon Tattoo. ...then again, like the character in that book, she sounds pretty stupid.

...i suppose it also could have been a guy carefully channeling his blonde gf, or a stupid girl hacker. either way, who cares? lock her/him up and throw the keys away. reckless geeks are pathetic.

Willy

Thanks so much for sharing this information. I like it. It's good.

Elizabeth Frantes

I love those Anonymous kids.  Time someone fought back.  And ya know, I've been thinking what BART Spokemodel Champion said, about how when BART began, there were no cellphones, so shut up already.  Yeah, and back then, there was no internet, and computers weren't all hackable because they had actual people keeping track of records, answering phones, sending mail.  So, if BART don't like hacking, dump the 'net and shut up.

ElRonbo

Except this wasn't Anonymous.  I miss the old days when people actually read an article before they commented.  Oh Elizabeth, you poor ignorant attention deficit challenged fool. 

Ann Bross

In this day and age a lack of security like that is inexcusable, that said, leaking all that information may not have been the right way to go about punishing BART.

She has a point that BART's actions do seem a form of censorship, and a violation of free speech, and David Cameron suggested similar action during times of crisis after social media was used to organize criminal activity during the London riots - and met with an equal measure of outrage. This seems to be a pattern... http://ct.necs.la/rwsmle

Lamaline_5mg

"[It] may not have been the right way to go about [...]" Yeah, I think this also applies to the use of a lethal weapon against a handcuffed man.

ElRonbo

How does releasing the passwords of customers promote justice?  All it does is enable other criminals to commit fraud, as many people re-use passwords. 

How does endangering the families of those police officers achieve justice?  It is almost inevitable that someone, whether out of vengeance or just mental illness, will track down the home of an officer, and could hurt spouses or children.  That's a very real danger, and that's why law enforcement officers in California are afforded extra privacy rights - for example, their home addresses don't come up on a motor vehicle department computer. 

I get that you're trying to shame the organization, and that's a reasonable response.  What you did has very bad side-effects, making possible hundreds of other crimes, from fraud to murder.

And if any of those crimes do occur, you deserve to be prosecuted as an accomplice. Read up on California's felony murder law: if someone uses that information to track down and kill an officer or a member of his/her family, you go away for murder. 

ElRonbo

"You do realise that it's probably easier for about 90% of the population to simply follow the officer back home rather than find the hacked information on the internet?"

Are you seriously that naive?  You actually think no drug lord or gang banger ever thought of this clever plan, or no cop ever pondered it? 

Here's a little history:  The Hell's Angels tried this, around 1973 IIRC, back when Sonny Barger was calling the shots.  It didn't work then.  Today, every SFPD employee parking lot has at least two exits, except for the one in North Beach (multi story parking garage, no options).  Every exit has video cameras.  If you lurk at one waiting for someone to leave, you will be followed as soon as you start tailing someone. And they plan for a primary tail as a decoy and a secondary to pick the officer up once the decoy has been pulled over. 

Also LEOs watch for someone tailing them when they leave the station, and can call in to the local agency or the CHP for an intercept. 

Bonus: Most SFPD live in Novato, and they carpool.  You'll be following a car with three or four cops in it.  They'll notice you tailing them, they'll lead you out to an isolated spot.  I don't think they'll be worried about the outcome. Somewhere in Marin, they'll pull off of 101, you'll follow, and you will discover that simple plan didn't work out well. 

I'm utterly amazed at how naive people in this thread are.  Have you never been in the real world? The rest of your derptastic post, I won't even waste time on, because I know it will make a whoosh sound as it goes over your head. 

Anonymous

You do realise that it's probably easier for about 90% of the population to simply follow the officer back home rather than find the hacked information on the internet?

And come on, hundreds of other crimes... Yeah, the whole american population is going to kill every officer on that list, and their families, and their pets too. How is it even possible to debate when someone isn't logical at all? What about UFOs? They could kidnap someone with that list!

NB : I do not condone in any way the release of personal information.

ElRonbo

Our stupid state laws could result in a warrant that could apply to you.  You do realize people can be arrested on warrants internationally - even in France. Ask Ira Einhorn about that. But maybe you can afford the kinds of lawyers Roman Polanski had, you might need them. 

Sure, the BART POA screwed up.  That doesn't excuse your actions.  If some police officer's child is killed by a stalker, will you feel any remorse then?  Are you certain that no one in your life you've told about this wouldn't turn you in for a sufficiently large reward?  Perhaps you've hidden yourself behind enough proxies/Tor/whatever and not told anyone in your real life about this.  

But I suspect there are a hundred hackers out there who think it would be great to get a moment of fame by posting your home address.  And then you can wonder if some angry police officer will decide to hop on a plane.  He won't give a fuck about French law, Hope you don't have roommates, I'd hate to see them whack the wrong person. 

Lamaline_5mg

First of all, it wasn't customer passwords. It was police officers' infos, including physical addresses, names, emails, passwords and usernames. Read the article before commenting.

I don't give a fuck about "California's felony murder law": I am French. Your stupid state laws simply don't apply to me. Your federal laws however apply only to criminal acts. And I cannot be considered responsible for any action taken against a police officer or his family.

Again, I would like to see the FBI try to get information about me.

I advise you to think about how the media is messing with your head, on this matter. The BART police officers association is the one who let anybody get infos from their database. They are to blame for having such a crappy system.

A guy got shot, by a BART police officer. I find it reasonably fair that they have an idea of what it is to fear for your family and for yourself.

I hope their houses get TPed. That's all the bad I wish they get.

I would be deeply sorry if any of these officers' families get hurt by any means. That wouldn't make me feel any better about the death of Oscar Grant. And I wouldn't regret my actions at all.

ball

have fun in prison :)

Lamaline_5mg

You can't arrest an idea. Also, they are out to get me.

ElRonbo

Two wrongs don't make a right. 

Although four lefts do. 

Lamaline_5mg

Four lefts make a straight. Three lefts do make a right. Two wrongs make some kind of justice.

Lamaline_5mg

I find it shameful that the media do not condemn taking such drastic actions against a protest after the *killing* of an innocent citizen. He was not proven guilty, or do they actually judge people at their funeral? Implying this guy got a proper funeral.

I also find it disturbingly sad that the San Francisco Bay Area local media is being so supportive of the right to remain anonymous of the BART police personnel, when they didn't give a shit about this man being killed.

Did they condemn the killing of this man? All I did was give them (the cops) a taste of their own medicine, ie 'Lamaline' which is an (anal) analgesic... (Look it up) It also means "The cunning", in French. Now, they will have to find another way of communicating. Exactly like the protesters. I encourage people to use any legal or illegal action (If they cover their ass) to make communications between BART police officers impossible.

A fair retribution would be a cop being physically threatened, not even hurt: Threatened. I do not encourage this action and would be deeply sorry if it happened. I'm just pointing out the obvious: the release of this information was nothing compared to the killing of a man.

The citizens of America are being the victims of an obvious man-in-the-middle attack. I only used an SQL injection attack. My guess is that the effectiveness of this attack was only technical. I hoped my --almost-- victimless crime had a chance of actually making people wonder about the ability of the media to make independent critics.

I hope some of you share that comment through twitter. (I will post it on different articles.)

Long live the France of the black hats.

Bess Potter

You're an idiot.  Do you have a job ?  Do you ever take a bath?  Having been to France, you and your people literally stink.  Learn how to use a shower, a bathtub, and a bidet, and then come back and criticize the USA, lol.

Thibault

Dear Lamaline_5mg, I work for the newspaper "Le Parisien". Your story interests me a great deal. And whether one approves of it or not, this hack remains a "performance". Of course, the fact that you are French, perfectly bilingual, and - apparently - rather young adds to the mystery. In short, I would very much like to exchange a few words with you, by e-mail or chat (I imagine the phone option is ruled out, right...). I obviously have no lead to trace you, so I have no choice but to hope that you get back in touch with me: traisse@leparisien.fr It goes without saying that I will scrupulously respect your complete anonymity. Thanking you in advance (whatever your answer...) Thibault

ElRonbo

So if someone working for your employer does something despicable, I can show up at your house and threaten you.  That's some strange logic you have there. 

Lamaline_5mg

Did I show up at anyone's house and threaten anyone? Get your shit together man. You don't seem to have read anything on this page.

untitled

Yes, you came to my home (country) and caused chaos because we didn't behave as you saw fit.

You are an immature terrorist and you WILL be caught (and probably gang raped in prison).

Enjoy! :)

FBI Agent

I am monitoring this conversation.

ElRonbo

Also note that the folks at Anonymous don't approve of this either: "Please refrain from dropping anybody's private information anywhere on anonymous's behalf... not interested in breaching somebody's privacy... they have a right to it as much as you do" http://www.airdemon.net/gJmYcA...

Because, see they're adults.  They realize the difference between punishing BART and punishing BART employees. 

ElRonbo

No, you enabled others to show up at someone's house and threaten them.  Gee, that's SO different.  Act like an adult and take responsibility.  If someone shows up at one of those officer's houses and hurts someone, you made it possible.  If you handed a loaded gun to a child, would you later stand over a dead body and say, "I didn't shoot anybody!" 

HacKan & CuBa co.

I'm sorry, but in which world do you live in? In this one, the one I live in, a website has clearly much more value than human life... Well, actually pretty much everything has more value than human life.  Sad, right? Wake up people! You are deviating the subject here!On the other hand, i do NOT approve releasing that data to the wild, that was a wrong move. 

©2014 SF Weekly, LP, All rights reserved.