
Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

samzenpus posted about 3 months ago | from the protect-ya-neck dept.

Security 378

An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"


378 comments


Not surprising. (5, Insightful)

Z00L00K (682162) | about 3 months ago | (#47197351)

I'm not even mildly surprised that this was possible.

Re: Not surprising. (1)

Anonymous Coward | about 3 months ago | (#47197467)

Way to go kids

+1 for hacking although I'm surprised they didn't make withdrawals first

Re: Not surprising. (5, Funny)

Pieroxy (222434) | about 3 months ago | (#47197885)

I'm actually surprised they're not yet in jail...

Re: Not surprising. (3, Insightful)

fustakrakich (1673220) | about 3 months ago | (#47198105)

Exactly, they took a big chance there. Honesty does not go unpunished in this business. The only safe way is to report it anonymously, and then take some money if they ignore the report and don't fix the problem. The point is to make sure it remains their problem, not yours.

Re: Not surprising. (4, Insightful)

CaptainLard (1902452) | about 3 months ago | (#47202553)

> and then take some money if they ignore the report and don't fix the problem.

This sterling nugget of wisdom would accomplish the opposite of:

> The point is to make sure it remains their problem, not yours.

I'll add your sig is not short on irony (not sure if it's the ./ approved or the Alanis Morissette variety) given the content of your post. Good luck with your internal conflicts!

Re: Not surprising. (5, Funny)

StrangeBrew (769203) | about 3 months ago | (#47198167)

Jail would only have been a concern if they weren't in Quebec and changed the default language to English, as part of their 'proof'.

Re: Not surprising. (4, Funny)

StrangeBrew (769203) | about 3 months ago | (#47198193)

What a shame that Slashdot spent so much time on a 'beta' site instead of adding an option to retract or edit a comment. I saw further down that someone made the same joke, and don't want to get sued for infringement.

Re: Not surprising. (4, Funny)

ls671 (1122017) | about 3 months ago | (#47198347)

> and don't want to get sued for infringement.

No problems. You can only be accused of ignorance since Winnipeg is a little far from Quebec.

Re: Not surprising. (1)

StrangeBrew (769203) | about 3 months ago | (#47198441)

I stated that it 'would only have been a concern if...' that should have indicated that I was aware it wasn't in Quebec.

Re: Not surprising. (3, Insightful)

mfh (56) | about 3 months ago | (#47198187)

Canada doesn't do stupid shit like that. They probably will get an internship out of it and become security experts for the banking industry.

Re: Not surprising. (0, Flamebait)

Anonymous Coward | about 3 months ago | (#47198411)

Canada does indeed do that stupid shit. The people who call the shots up here want to be just like America in every way possible.

Re: Not surprising. (-1, Offtopic)

mfh (56) | about 3 months ago | (#47198461)

I hear ya. Hopefully it will get better in Ontario, after this provincial election. I think the NDP has a real chance to win it this time. It's a perfect storm. Wynne's debate was awful... libs are losing support. Hudak seems like Mike Harris cloned as Stephen Harper.

NDP seems to be pulling ahead in a major way in Canada overall. I really think they could make a difference if they can get into office and hold office for a few terms minimum.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47198909)

You're high: the Conservatives and the Liberals are neck-and-neck while the NDP continues to languish. -- Plus you're clearly forgetting that Bob Rae's Premiership has ensured that the NDP will NEVER win an Ontario election for AT LEAST a generation, maybe even three... Then when Horwath decided to run an election to the political-RIGHT of the Liberals (including indicating that she'd be willing to prop up a Hudak minority-government!) a very-much chagrined, embarrassed and shocked NDP-base started jumping ship...

With the mess that Liberals have made of things these past few years, it SHOULD have been a simple task to oust them. So it's actually a stark and clear indication of just how bad these other two parties are that, together, they're only barely able to make this election a horse-race... For better or worse, it's coming down to the simple fact that, on Friday, voting NDP will be the surest way to end up with an arch-neo-Conservative government in Toronto...

-AC

Re: Not surprising. (1)

mfh (56) | about 3 months ago | (#47208307)

The NDP is the official opposition in Canada federally. Bob Rae became an MP for the Liberals so your argument is invalid.

As for the rest of your astroturf, you should consider watching this video: http://www.youtube.com/watch?v... [youtube.com]

The Liberals say the same thing every time because they are pretty corrupt and simply want to do the least amount of work. If we decide to elect them they don't have to do much at all because they were the party voted for not because of what they said they would do but rather because they were not the evil Conservatives. That's a huge cop-out and the political climate in Canada is shifting more towards what a party will do instead of what it says its rival will do.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47201189)

Quit smoking weed eh.

The NDP will NEVER, EVER, EVER win. An analogy for Americans: Imagine going full inverted Ayn Rand communism. That is the NDP in a nutshell. Tax and Spend. Nobody will have incentive to work, and those that do will see all their wages disappear into taxes.

NDP want Canada to be like Sweden, where they pay 75% of their income in taxes (about 50% payroll and 25% sales VAT). Whereas in Canada we currently are around 50% payroll tax if you make 130K/yr and live in Nova Scotia, plus 15% HST. So we're just 10% shy of Sweden and nowhere equitable on healthcare or education for that cost.

In the US, the maximum tax bracket only kicks in at 400k, which is 39.6% + 10.55% (California) State income tax + 7.5% sales tax (California) = 57.65% total. Keep in mind that the US also is in the transition to a health care system and is currently underfunding all education and welfare systems while having the highest military spending because it acts like the world police force.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47201347)

Why would you add percentages up like that?

Re: Not surprising. (2)

stealth_finger (1809752) | about 3 months ago | (#47201239)

> Canada does indeed do that stupid shit. The people who call the shots up here want to be just like america in every way possible.

The Canadian gov even has a copyright on its own flag, they can and will issue a takedown if you use it in a way they don't like.

internship in juvenile detention if lucky (0)

Joe_Dragon (2206452) | about 3 months ago | (#47199019)

Internship in juvenile detention if lucky; if not, they may go to the full adult prison.

That's why we have 'extraordinary renditions' (2)

dcooper_db9 (1044858) | about 3 months ago | (#47204139)

By which I mean sanctioned kidnapping. I know; you were picturing 200 lumberjacks drunk on maple whiskey, performing a line dance while singing 'O Canada'.

Re: Not surprising. (5, Insightful)

Lumpy (12016) | about 3 months ago | (#47198735)

If this was in the USA, the kids would have been shot several times by cops and the bodies taken to Gitmo for waterboarding.

Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

Re: Not surprising. (5, Insightful)

zeugma-amp (139862) | about 3 months ago | (#47200307)

> Kids in the USA, DO NOT try and be a white hat unless you can do it untraceable and anonymously. You will be severely punished for doing something good here.

Damn. I had mod points yesterday. This is absolutely true, and I would hope that everyone understands that by now. Sadly, many don't see the police state until its boot is stomping them.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47211735)

Not even then. Maybe they had a right to stomp me.

Re: Not surprising. (2)

bukowski90210 (252368) | about 3 months ago | (#47198879)

Of course they aren't in jail, in Canada we don't send 14 yr olds to jail.

Re: Not surprising. (1)

Anonymous Coward | about 3 months ago | (#47199343)

Steven Murray Truscott

Re: Not surprising. (1)

bukowski90210 (252368) | about 3 months ago | (#47201613)

In 1959?....Steven's arrest and incarceration were a supreme miscarriage of justice and he was acquitted.

Re: Not surprising. (1)

bukowski90210 (252368) | about 3 months ago | (#47201615)

He was an exception... After Steven's acquittal in 2007, he was awarded 6.5 million dollars by the Ontario government.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47199705)

They are in a free country, not a fascist police state like the USA. The kids broke no laws, rather whoever set up the software and lack of security used in the ATM are the ones who should be held accountable.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47199765)

> I'm actually surprised they're not yet in jail...

It's Canada, not the US.

Re: Not surprising. (1)

slugstone (307678) | about 3 months ago | (#47200725)

That's not funny, but sad.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47209125)

they said sorry

Re: Not surprising. (1)

silent-listener (3457453) | about 3 months ago | (#47210345)

Why in jail? For putting the ATM in administrator mode? The bank CIO should be jailed as it looks like there was no unique password, only the standard one.

Re: Not surprising. (5, Informative)

Anonymous Coward | about 3 months ago | (#47197963)

If the ATM is anything like what was at the various gas stations I worked at, they wouldn't be able to make any withdrawals. Yes we could get into Admin mode with just a code that was punched into the keypad. There was an option to test the bill dispenser, but the bill that got pulled from the cartridge during the test never left the inside of the safe, it just got dropped into another compartment inside the safe for us to pull out later when we changed the cartridge. I would imagine that hackers would have to gain access to the computer inside the ATM to be able to get it to spit out bills to be grabbed, but hacking being what it is, I'm sure someone will figure out how to do it from just the outside keypad eventually.

Re: Not surprising. (5, Informative)

Ingenium13 (162116) | about 3 months ago | (#47198817)

There was a post on here several years ago about this same issue on Triton and Tranax ATMs where the operators never changed the default passwords. What they would do is change the denomination that's in the drawer, so the ATM thinks it has $1 bills instead of $20 bills. They would then use a prepaid credit/debit card (like the Greendot ones you can get pretty much anywhere) to withdraw say $200. Rather than giving 10 $20 bills like it's supposed to, the machine would spit out 200 $20 bills.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47203891)

"What they would do is change the denomination that's in the drawer, so the ATM thinks it has $1 bills instead of $20 bills."

Most modern ATMs here in Canada such as those made by NCR and Diebold have cash "cassettes" that are configurable via physical buttons on it that tell the ATM machine the denomination of the bank notes. It is a security feature designed to prevent what you just described from happening.

The only way would be to get inside the safe itself. You'd have better luck digging your way to China using a wooden spoon.

Re: Not surprising. (1)

rew (6140) | about 3 months ago | (#47200849)

Getting into "admin" mode is a big deal. Even if you don't see a direct way of making money off that, someone else might. (see ingenium's post).

And even then, it should be "confidential information" how much money is in there. If the crooks get to check on the amount that's in there over a period, they can decide to crack it open at "just" the right time. Should improve their "profits" by a factor of two on average.

If you're right and absolutely the only thing they can do is to dispense bills into the "not-dispensed" basket, there is a "denial-of-service" attack: Dispense all bills into the wastebasket just after the machine has been filled. Now the machine will be empty until the next refill. VERY annoying for the people who out-of-habit only go to one ATM.

Re: Not surprising. (5, Insightful)

Bitbyte (3688405) | about 3 months ago | (#47199279)

Wouldn't go about using the media's term "hacking". The kids followed the operating manual; the bank was just silly in not restricting their end devices properly. It would be hacking if they ran some kind of exploit and found a zero day, but they didn't; they just followed easy-to-obtain documents.

Re: Not surprising. (4, Insightful)

rioki (1328185) | about 3 months ago | (#47201059)

I would disagree with you, the classical term hacking is used for any mode of penetration. The difference between the late 80s/early 90s and today is that companies have started to implement reasonable procedures, like changing default passwords... Remember most hacks are still done through some sort of social engineering.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47201513)

Agreed about this being hacking. Was once challenged to 'hack' a colleague's home Linux server which he connected to from the office via VPN.

When we (me+friend) finally told him how we did it (after two days :) ) he said that we had 'cheated'. (He left his laptop unlocked at lunchtime and we installed a keylogger. We told him we had hacked it and when he logged in to check we got the access, we left a nice little .txt file in his root directory as proof and left).

Re: Not surprising. (3, Insightful)

pjt33 (739471) | about 3 months ago | (#47201529)

Having the interest to look for the operating manual, read it, and test it, all with the aim of learning and having fun rather than under any obligation, seems rather close to the Jargon File definition of a hacker.

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47199861)

This is not what I would call hacking. If you know the right keys to hold down then bingo you are in.

Re: Not surprising. (3, Insightful)

mcvos (645701) | about 3 months ago | (#47201085)

> +1 for hacking although I'm surprised they didn't make withdrawals first

They'd definitely go straight to prison in that case. It's hard enough to warn about serious security leaks these days without getting treated like a criminal.

These are good kids. Let's hope they get rewarded and not punished.

Re:Not surprising. (2)

Penguinisto (415985) | about 3 months ago | (#47197775)

> I'm not even mildly surprised that this was possible.

Not at that I'm not... what I am surprised at is the fact that the bank didn't immediately have the kids locked-up and headed for a lifetime of prison.

Re:Not surprising. (4, Insightful)

PRMan (959735) | about 3 months ago | (#47197847)

It's Canada, not the US.

Re:Not surprising. (5, Funny)

NotDrWho (3543773) | about 3 months ago | (#47197867)

Okay, a lifetime of prison with the signs also in French.

Re:Not surprising. (4, Funny)

Minwee (522556) | about 3 months ago | (#47197923)

Not just in French, but with the French on top and in a larger typeface so that it is markedly predominant.

It's the law.

Re:Not surprising. (4, Funny)

Darinbob (1142669) | about 3 months ago | (#47198195)

We need some moderation to mark a post Sad instead of Funny.

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47198407)

It's only the law in Quebec, where French is the main language and English is secondary.
Any other province can put French in tiny characters, if at all on their signs.

Re:Not surprising. (2)

theshowmecanuck (703852) | about 3 months ago | (#47200493)

In any other province a business can put ANY language they want on their signs at any size they want. In Richmond B.C. there are blocks where there are only Chinese signs. In Quebec one is not free to conduct business in the language of your choice, so you are not allowed to put anything except French on the outside of your business and can only put very small non-French words on interior signs (under larger French words). The government forces employees of companies to speak French, and children are not allowed to speak any language except French at school, even at recess. There are no non-French public schools. Can you say NAZI state? Even the world court said it was a violation of fundamental freedoms, and the Quebec separatist government that enacted the law ignored it. Even the Canadian courts said it was unconstitutional and Quebec used the not-withstanding clause to veto that ruling.

Re:Not surprising. (1)

static0verdrive (776495) | about 3 months ago | (#47202269)

Not sure where you get your information from, but find a new source. Any language can be on the outside as long as the French is bigger OR on top (or both), and I'm from Quebec but barely speak French; we only ever spoke English outside of class. I don't deny they're pretty stupid with some of the language laws though... For example, considering the laws are to protect their culture from erosion due to the overwhelming English majority in North America, which makes sense, doesn't it also make sense to assume that road signs for tourists should be in English because a) tourists don't speak French and b) the locals already know where they're going?!

Re:Not surprising. (2)

theshowmecanuck (703852) | about 3 months ago | (#47203351)

I actually read the news. No recess from French as Montreal schools to scan playground chatter [nationalpost.com]. You need to stop drinking the Kool-Aid. Free speech is free speech. One of the worst excuses for regulating speech and other civil liberties is "to keep our culture pure." It has slippery slope written all over it.

Re:Not surprising. (1)

rtb61 (674572) | about 3 months ago | (#47208723)

It seems they are too stupid to realise they are no longer teaching French, they are now teaching censorship, correct speech and by inference correct thought. All who disobey will be singled out and reminded they are monitored at all times within the school and not even the slightest deviance from the defined norm will be tolerated. Really dangerous stuff, if the parents approved it, they are really rather foolish.

Re:Not surprising. (1)

Rinikusu (28164) | about 3 months ago | (#47199353)

Is the font comic sans?

Re: Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47214215)

Sacré! You are using French (sans) again!

Your turn soon yankee (0)

Anonymous Coward | about 3 months ago | (#47199475)

Get back to me when Spanish becomes predominant in Florida and Texas.

You see who will laugh then.

Not just the English, but with the English on top and in a larger typeface so that it is markedly predominant.

It will be the law.

Re:Your turn soon yankee (3)

TheTerseOne (2447418) | about 3 months ago | (#47200097)

The day I knew this was inevitable was the day I saw "Made in China" written in Spanish on something from a US company. (Yeah - I could have looked up "Made in China" and put it on here in Spanish, but I don't really care.)

Re:Not surprising. (3, Funny)

vic-traill (1038742) | about 3 months ago | (#47198185)

[ ... Snorts Repeatedly ... ] That is the funniest gdamn post I've read in quite a while. Maybe you have to be Canadian for it to be funny. Even worse, maybe you have to be a Canadian in Ontario (which I am). But that was damn funny. Thanks for the Laugh of the Day.

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47203705)

I'm not Canadian and actually live in Montreal. It was pretty funny :)

Re:Not surprising. (1)

ls671 (1122017) | about 3 months ago | (#47198389)

Guys, the ATM is in Winnipeg, Manitoba, 1,440 miles away from Montreal, Quebec. For US citizens, that's about 150 more miles than Miami to New York at 1,290 miles.

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47198859)

Still if it weren't for us Brits - it would be a life under the NSA's beady eye and if you're a naughty anti corporations are good type a life in Jail but either way you'd still be speaking French.

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47205027)

They will probably get into trouble, but not as much as they alerted the officials. Unless they can prove that they stole from the machine.

Re:Not surprising. (4, Funny)

alexo (9335) | about 3 months ago | (#47198353)

> It's Canada, not the US.

Yet...

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47204259)

> It's Canada, not the US.

> Yet...

I've already done it. Not that big of a deal.

Re:Not surprising. (4, Funny)

PPH (736903) | about 3 months ago | (#47198555)

> It's Canada, not the US.

Well that explains them reading the manual. Or anything, for that matter.

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47204985)

> It's Canada, not the US.

> Well that explains them reading the manual. Or anything, for that matter.

Ha, it's funny 'cause it's racist.

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47201105)

BMO owns Harris bank. The US BMO Harris banks are located around Chicago and the Northeast US.

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47201137)

Yes ... obviously not American kids .... they've been taught to read.

Re:Not surprising. (2)

ThatsNotPudding (1045640) | about 3 months ago | (#47201605)

> It's Canada, not the US.

Good for them, as in the US they would have been shot on sight or would already be in Gitmo.

Re:Not surprising. (0)

Anonymous Coward | about 2 months ago | (#47274221)

> It's Canada, not the US.

> Good for them, as in the US they would have been shot on sight or would already be in Gitmo.

Or hailed as a celebrity as they hit the talk show circuit..

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47197875)

Montreal is in Canada...

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47198849)

Yes, but the Bank of Montreal [bmo.com], their official name notwithstanding (they prefer to be called "BMO" nowadays), is a National Institution (one of the "Big 5" Canadian banks). This particular ATM was apparently in Winnipeg, MB which is almost 1500 miles from Montreal, QC...

-AC

Re:Not surprising. (1)

mysidia (191772) | about 3 months ago | (#47198581)

> Not at that I'm not... what I am surprised at is the fact that the bank didn't immediately have the kids locked-up and headed for a lifetime of prison.

Perhaps the kids were smart enough to get permission?

Re:Not surprising. (0)

Anonymous Coward | about 3 months ago | (#47205899)

Are you retarded? No one is going to give random kids permission to try to hack their ATM. Won't happen, not in human nature. It would have been stupid for the kids to ask permission.

Re:Not surprising. (2)

nospam007 (722110) | about 3 months ago | (#47198261)

"I'm not even mildly surprised that this was possible."

I'm surprised that teens RTM, the ones I know, don't ever!

Re:Not surprising. (1)

stoatwblr (2650359) | about 3 months ago | (#47226139)

Nor am I surprised that the admin password was left at defaults.

Security by obscurity seldom works for long.

Hacked? (3, Insightful)

Anonymous Coward | about 3 months ago | (#47197355)

So....
they had the manual with passwords....

this is hacked.... how?

Re:Hacked? (2)

Shatrat (855151) | about 3 months ago | (#47197391)

The default passwords shouldn't be used, and without a key someone shouldn't be able to gain management access to the device.

Re:Hacked? (2)

ganjadude (952775) | about 3 months ago | (#47197485)

It is insane how many devices out there are still using default passwords. It seems to me that the only items I'm seeing ship with unique PWs by default these days are cheap WiFi routers, surprisingly. I can't tell you how many coke machines out there can be taken over by simple keypresses. My best friend was a coke distributor, and none of their machines were on a different default PW; always made getting a coke trivial for him, however.

Re:Hacked? (4, Insightful)

PopeRatzo (965947) | about 3 months ago | (#47197845)

> I can't tell you how many coke machines out there can be taken over by simple keypresses.

I notice you're not sharing the password with us thirsty readers.

C'mon, bro.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47198321)

"It's the REAL Thing(TM)" :)

Re:Hacked? (2, Interesting)

Anonymous Coward | about 3 months ago | (#47198775)

It's 1-3-2-4 as in "first selection button, third selection button..." etc. That'll often get you into service mode. Then you can do all kinds of useful stuff. The most useful, in my experience, is to do a soft reset of the machine that often gets it to start accepting money again when it's being stupid and rejecting everyone's change. Sometimes, but not very often, you can get it to dispense whatever you want, but I've only gotten that to work once before.

Re:Hacked? (1)

Kalriath (849904) | about 3 months ago | (#47200213)

I once encountered a Coke machine that upon pressing a selection, it would proceed to vend the entire stock on that row, then reject the supplied money and drop it into the change dispenser. At which time you could get it to vend another row, and get another refund. 8 keypresses cleared out the entire machine.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47198875)

To get into the admin menu I believe it's (in order from top down) 4 2 3 1. From there you're on your own.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47199261)

Older models? snapple etc... 4231 man, just 4231

Re:Hacked? (0)

Anonymous Coward | about 2 months ago | (#47303687)

Re:Hacked? (2)

mythosaz (572040) | about 3 months ago | (#47197907)

I've seen one discussion after another discussing passwords and button press combinations on soda machines, but have never, ever, seen one work.

I call shenanigans.

Soda machines are mostly electro-mechanical rather than computer controlled. Either the switch is active to allow button presses to dispense soda, or they're not. You don't program them from the outside. You set the DIPs to the vend prices per column (if it's multi-price) and lock it back up.

Re:Hacked? (1)

ChrisSlicks (2727947) | about 3 months ago | (#47198009)

They can work if the owner forgets to lock out that mode. I have tried and tested it successfully on one machine and another machine said "feature disabled".

Modern vending machines are hybrids, they have their electro-mechanical component but there is a basic CPU that collects statistics and also can control the vend prices depending on the model. Modern vending machines can also be USB, serial and Ethernet connected which only increases their hackability.

Re:Hacked? (2)

Jarik C-Bol (894741) | about 3 months ago | (#47198497)

Which is interesting, because even the old "electromechanical" machines would suffer from hiccups. There was an old machine at my school that, quite reliably, after you paid for one, would give you two Dr. Peppers when you pushed the button for it. It also would give you as many diet cokes as you cared to own, assuming you kept pressing the button as quickly as possible after you fed it your change; if you stopped, it would reset and lock out. If you pushed the Dr Pepper button and the Diet Coke button at the same time, about 1 time in 5 you would get 2 Dr Pepper and a Diet Coke.
The point is, this was an old machine; while you mashed the buttons, it made this horrendously loud clicking and clattering, so you could only get so many from it before you attracted the attention of the people in the office nearby. I gave up at 6 Diet Cokes, partially because who wants to drink 7 Diet Cokes, and partially because the secretary was glaring at me.

Re:Hacked? (1)

dacaldar (614951) | about 3 months ago | (#47205449)

I used to rejoice at stuff like this - like when you could get more than one chocolate bar from a vending machine because of the way they were stacked.

But in my older years I have got to wondering about the ethics of it. You wouldn't steal a pop or a chocolate bar from a convenience store, even if you were 100% sure there were no video cameras, no other customers or cops around, and you saw the only employee walk into a bathroom at the far end of the store and leave you completely unattended (and heard him doing something nasty that would surely take a long time).

So when it came to the chocolate bars, fine, I could rationalize that if I didn't take the free one that came out (maybe after an extra hip-check to the side of the machine), the next person would. But for the more obvious case of mashing buttons to intentionally get a free one, how is it different than stealing?

(BTW, I don't think I'm better than you, I've done this too - just re-visiting it mentally now)

For some reason, for myself and many others, if something is on the honour system, we would never steal from it, but the more defenses people try to put up to prevent me from getting something free, the more I want to circumvent those defenses and take something for free anyway.... it's very weird.

Re:Hacked? (1)

Jarik C-Bol (894741) | about 3 months ago | (#47206545)

Agreed, at this stage in my life, I would probably call the service number on the sticker on the machine and tell them their shit's broken.
In my younger years, the thought was "Hey! free stuff!" because you would expect that they would realize the machine was making far less money than the inventory they fed it should result in, and investigate. That lends itself to the thought that, if they don't care enough to fix an obviously malfunctioning machine, then who cares if I get a free soda from it sometimes. Back then anyways. Now that I'm older and more jaded, stealing makes me mad. Mainly because I've finally lived long enough to be stolen from, and understand that it really sucks.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47198551)

I've seen it work, but it just prints out diagnostic information. You cannot use button press combinations to deliver product.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47198773)

They used to have a data port on them, in the lower bottom corner. Had a roommate that spent the summer jumping two contacts together to get free soda.

Re:Hacked? (1)

Kalriath (849904) | about 3 months ago | (#47200225)

The majority of the ones I've encountered nowadays (in New Zealand) are computer controlled, and internet connected (so that they can do realtime validation of credit card transactions or respond to online vending instructions issued via the smartphone apps for handling prepaid balance transactions). I can imagine these very much being programmable.

Re:Hacked? (1)

Joe_Dragon (2206452) | about 3 months ago | (#47200227)

You're stuck in the past, the way past. The 90's and 00's ones are computer controlled. Maybe the 80's ones as well.

Re:Hacked? (2)

JaredOfEuropa (526365) | about 3 months ago | (#47197977)

I'm surprised such changes can be made from the front panel of the machine. I'd say that any administrative mode should only be accessible by a switch or keypad inside the machine's strongbox.

by default you need door open on coke machines (1)

Joe_Dragon (2206452) | about 3 months ago | (#47200191)

By default you need the door open on coke machines to do anything like get free stuff / change prices / run tests.

By default, with the door closed you can only look at some error codes / other stats.

Now there are settings that let you make changes with the door closed; you can also change the code as well.

Re:Hacked? (2)

Jarik C-Bol (894741) | about 3 months ago | (#47198455)

Exactly.
This is another device, but the principles involved are the same. Where I work we have a coin sorting machine, sort of like a coin star. This particular model dispenses cash instead of a receipt that you take to the counter to cash in, the way a lot of the bigger chains are. With our machine, there is a keyed lock that opens a little flipper door that houses a separate physical keypad that controls all the admin functions. Public user access to the machine is restricted to a touch screen with an extremely limited interface (basically language choice, start, and finish, once the machine is done counting).

I'm surprised that ATMs don't use a similar setup. In my mind, it should be another step obfuscated by being a port behind a little locked door that allowed the operator to plug in a customized interface (say, a non standard USB port that matched to a non standard keyboard/pointing device that the operator would plug in, preventing a successful lock pick from having quick general access to the machine, as a specialized hardware attachment would be needed).

Remember, this device reads bank cards and conducts financial transactions; protecting your customers saves a lot of money in the long run.

Re: Hacked? (0)

Anonymous Coward | about 3 months ago | (#47203169)

Great, now how do you send a technician out to do routine checks on all of the ATMs scattered throughout the city? Do they all have the same password, or does he refer to a huge ledger to look up the correct password, and if so, what will you do in the inevitable case that the ledger gets misplaced? Should it be possible to reset the password remotely on a network-connected ATM, and if so, what security measures need to be in place to ensure that hackers don't discover how to do this? And just what do you do when someone who knows the passwords is terminated, or quits? Or, for that matter, what will prevent a current employee from doing anything bad?

The service mode that's accessible from the outside keypad shouldn't allow them to do anything bad, so it's really a moot point. Yes, it's leaking information that could be useful to thieves, such as how many people are using the ATM and when it is normally filled, but then again they could also get that information just by covertly watching the ATM.

Hacked? (3, Informative)

Anonymous Coward | about 3 months ago | (#47197393)

It's "hacked", because they did something that (in theory) only administrators are supposed to be able to do. That's really all the definition anyone needs.

Similarly, if an admin leaves the root passwords as "admin:admin", and someone logs in, that someone has hacked the system.

Re:Hacked? (4, Funny)

Richy_T (111409) | about 3 months ago | (#47197539)

That's the password on my luggage.

Re: Hacked? (0)

Anonymous Coward | about 3 months ago | (#47197669)

12345

Re: Hacked? (1)

Cryacin (657549) | about 3 months ago | (#47199037)

No-one could possibly guess mine. It's Password1.

So simple, no-one could possibly pull that rabbit out of a hat.

Re: Hacked? (1)

niftymitch (1625721) | about 3 months ago | (#47199191)

No-one could possibly guess mine. It's Password1.

So simple, no-one could possibly pull that rabbit out of a hat.

There must be one word that tells me you told me and I no longer have to guess. Since I no longer have to guess I cannot guess.

I guess I should finish reading this: http://www.fallacyfiles.org/lo... [fallacyfiles.org]

Re:Hacked? (1)

cheesybagel (670288) | about 3 months ago | (#47197779)

Last time I traveled to the US I left my luggage unlocked but the lovely people at the TSA - hi folks - still had to break them open by force probably for 'inspecting' my aftershave.

Re:Hacked? (1)

Richy_T (111409) | about 3 months ago | (#47198213)

It's a problem. I have a piece of luggage (quality, has lasted me many years) which would be possible to lock accidentally very easily. Also leaving it unlocked means the latch could pop easily and get broken off. It's annoying.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47200791)

Um, IIRC this is because you were not using a "TSA Approved" lock perhaps? Yes, such things exist. Whether there is any meaning to it is totally open for debate amongst the /. community, but I can cite what I am referring to:

http://lmgtfy.com/?q=TSA+approved+lock

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47200965)

Uh, so unlocked locks need to be TSA-approved as well now?
And if you don't lock your luggage at all they blow it up directly, after all it had no approved lock or how?

Re:Hacked? (1)

NoImNotNineVolt (832851) | about 3 months ago | (#47202645)

I've heard of people traveling with a "gun case" as checked luggage to avoid TSA meddling. Something about the gun case being illegal for anyone else to open, as long as you declare it as a gun case, even if there's no actual firearm inside. I've never tried this myself, and I recommend reading up on this before trying it yourself.

Re:Hacked? (-1)

Anonymous Coward | about 3 months ago | (#47198285)

That's the password on my luggage.

Condition A: Slashtard lemmings like you keep regurgitating these old-as-hell recycled memes. Condition B: Slashtard lemming mods keep modding it up to +5 Funny no matter how repetitive and boring it is.

That both conditions are true is a bitchslap-worthy indictment against the intelligence of everyone involved. Malda showed great judgment when he decided that Funny mods don't contribute to karma. Too bad a meme detector wasn't made part of the lameness filter.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47198631)

Wow, who crapped in your corn flakes?

Re:Hacked? (1)

ahaweb (762825) | about 3 months ago | (#47199015)

You mean who hacked his luggage.

Re:Hacked? (1)

Cryacin (657549) | about 3 months ago | (#47199225)

He's just annoyed that someone beat him to his obligatory reference.

Re:Hacked? (1)

ArcadeMan (2766669) | about 3 months ago | (#47199775)

AC: ...and then of course I keep seeing all these lame posts which give me this terrible pain down my left hand side...
Me: No? Really?
AC: Oh yes, I mean I've asked Slashdot to fix their website but no one ever listens.
Me: I can imagine.

Re:Hacked? (1)

Richy_T (111409) | about 3 months ago | (#47202981)

Doesn't matter. My Karma is so huge they stopped counting years ago. Sometimes you just gotta roll with it.

Re:Hacked? (2)

laird (2705) | about 3 months ago | (#47197589)

True, it's a "hack" but it's a pretty trivial hack.

Re:Hacked? (5, Insightful)

Yakasha (42321) | about 3 months ago | (#47197695)

True, it's a "hack" but it's a pretty trivial hack.

They are the ultimate script kiddies. Kids, using a script published by the manufacturer.
Even putting "trivial" in front diminishes the glory of hacking.

Re:Hacked? (2)

unrtst (777550) | about 3 months ago | (#47199771)

True, it's a "hack" but it's a pretty trivial hack.

They are the ultimate script kiddies. Kids, using a script published by the manufacturer.

Even putting "trivial" in front diminishes the glory of hacking.

Isn't this all very similar to the phreaking of the 70's/80's, or hacks resulting from simply reading IBM manuals or the rainbow series? Or is everyone too old to remember that?
FWIW, I do think this is trivial, and it's simply a poorly set up ATM, but taking advantage of obscure weaknesses is a time-honored tradition AFAIK, and I bet the kids even learned a fair bit from doing this (unlike a script kiddie that just downloads and blindly executes other people's work).

Re:Hacked? (1)

DarthVain (724186) | about 3 months ago | (#47202413)

Exactly. This has far more to do with "hacking" than probably 90% of the crap that is out there.

People used to dumpster dive corporate headquarters looking for user manuals to pore over looking for vulnerabilities. Trying to understand the system intimately better than anyone else and taking advantage of that using clever hacks.

It is pretty much the definition. However, like anything involving "hacking", I would bet this story is being blown out of proportion. The kids found a manual, were able to get into an admin mode that let them change some trivial settings, and output some machine statistics, but that was about it, no money, etc... Just sensationalism, probably because they are 14.

Re:Hacked? (1)

davester666 (731373) | about 3 months ago | (#47200531)

What it really means is that the bank president and the person who configured it should both be kicked extra hard in the groin. Then tell the president that every single terminal will be tested for this "hack" soon and he and the person who configured each one will get kicked extra hard in the groin, for each terminal which can still be "hacked" in this manner.

Then we would see some action on actually fixing the problem [all the ATMs, not just that one].

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47207099)

Exactly why they felt it important to notify the bank that their ATM was vulnerable to a trivial hack.

Re:Hacked? (2)

meerling (1487879) | about 3 months ago | (#47197737)

They neither hacked nor cracked it; they used the built-in and approved method as outlined in the Operators Manual. The only questionable part was that they were not authorized to do so, except maybe when they demonstrated it to the bank personnel because they were requested to by an authorized person.

Re:Hacked? (4, Informative)

Pieroxy (222434) | about 3 months ago | (#47197953)

The definition of hacking, the legal one, in many places at least in Europe is defined pretty much as the following: Being somewhere you're not supposed to, while knowing you're not supposed to, and then snooping around instead of just leaving. I guess it's the digital alternative of 'breaking and entering'. Just because you found a post-it with the lock of the front door on the ground, it doesn't make it right to go in. Common sense should kick in at some point, so if you do it anyways, justice assumes common sense did kick in and you entered willfully. THAT makes it illegal.

That's pretty much common sense.

Re:Hacked? (1)

Jeremy Erwin (2054) | about 3 months ago | (#47198661)

Maybe you should read Hackers: Heroes of the Computer Revolution [wikipedia.org] before you blindly accept an outsider's definition of "Hacking".

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47198891)

You don't get prosecuted based on the definition found in "Hackers: Heroes of the Computer Revolution" and you don't get points with the judge when you enlighten him with that knowledge.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47201083)

The definition of hacking, the legal one

There isn't a legal definition of hacking. The legal term is "gaining unauthorized access to a computer system", or something like that.

Just like when calling unwanted e-mail spam, and someone bursts in with "no, the legal definition of spam is..." - nope, that's the legal definition of unsolicited commercial e-mail. The legal definition of spam is canned something somewhat not unlike meat, and falls under trademark law.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47201339)

Nah. They found a key and opened the door, and alerted the homeowner. When said person didn't believe them, then they went inside. They did nothing wrong, and in fact, did BoM customers a huge service by bringing this to the attention of the bank and the public.

Hacking? (0)

Anonymous Coward | about 3 months ago | (#47202145)

My definition of "hacking" is creative improvisation.

It has nothing to do with "breaking into computers" per se, although breaking into computers could certainly require use of creative improvisation.

The old TV show "MacGyver" was about an incredible hacker.

Re:Hacked? (3, Insightful)

TheCarp (96830) | about 3 months ago | (#47197491)

A better question is: This is secured.....how?

Having access to a manual shouldn't provide access to the machine if it has been configured properly. Any passwords in the manual should sure as shit not work after the machine is installed and open to the public.

It may be fair to say these kids are not really much of hackers....but if that is the case then there are a few things the ATM designers or bank administrators (or both) are not either.

Re:Hacked? (2)

geekoid (135745) | about 3 months ago | (#47197529)

You have 100s of machines, dozens of employees, who need legitimate access. How do you share the passwords on all those machines?
Is your solution cost effective? Does it account for areas with bad reception?
Plus, if you made 10K a week keeping your front door open, but you spent 30K a year replacing any stolen item, would you lock your door?

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47197675)

How about telling your employees to change the password when they install it, and update a master list at the bank it's installed at for future maintenance issues. What about after installing it the tech makes the password follow a set pattern that all techs use, like the default password+last four digits of the machine serial number? It doesn't seem too difficult a task to accomplish, but YMMV.

Re:Hacked? (2)

Jarik C-Bol (894741) | about 3 months ago | (#47198517)

Hell, the company can use the same password on all the machines, as long as it's not the default password. Sure, it's not great security, but it's better than leaving all the machines on the password in a publicly available book.

Re:Hacked? (1)

ArcadeMan (2766669) | about 3 months ago | (#47199787)

Unfortunately, the administrators are huge nerds and usually change the default password to luggage12345.

Re:Hacked? (1)

Jarik C-Bol (894741) | about 3 months ago | (#47201381)

still better than "admin" and "password" by a small margin.

Re:Hacked? (1)

rickb928 (945187) | about 3 months ago | (#47197701)

1. The solution is cost effective if it costs substantially less than the losses, both immediate and cumulative.

2. How many times would I be anticipating replacing that $30k item? More than 17 times a year, I lose. That's more than once a month. Indeed, if I take just 2 weeks to replace the item, I may come out ahead, but I don't have the item for almost 50% of the time, so why do I bother replacing it? Oh, actually, I lock the door the second time the item is taken. My effort replacing items is worth it.

3. That was a stupid analogy. Lax security due to cost is an argument to discontinue the service and shut down the business.

Re:Hacked? (1)

Anonymous Coward | about 3 months ago | (#47197709)

These are banks we're talking about. Using a real system like physical or physical-digital keys would cost money, yes, but it would simply mean that greedy fuck execs can get paid a billion dollars minus one. More likely though, it would just mean they pay their underlings less.

wrong and trivial solutions (4, Interesting)

raymorris (2726007) | about 3 months ago | (#47197747)

First, dozens of people shouldn't have administrative access to a particular ATM at once. Where I work, most systems have one or two people with passwords. If both people get hit by a bus, you can boot from a USB stick and proceed from there, but only two people have admin accounts.

Regarding the logistics of controlling who has access to what, every organization with more than a very few employees needs to manage who has access to what, and that's been true for thousands of years. It's very much a solved problem. Most companies use Active Directory for this purpose. Since ATMs already have card readers, an obvious answer for routine maintenance is to have the employee swipe their employee ID card. The ATM then uses its existing network connection to authorize access via AD. Back in the days of Benjamin Franklin, the solution was a key rack held by a designated employee. Other employees would check out the keys they needed to use that day. It's kind of an interesting problem, but one that has been solved since roughly the Roman Empire or so.

Re:wrong and trivial solutions (1)

Jarik C-Bol (894741) | about 3 months ago | (#47198535)

You know, having a swipe card for access by the employees is actually a good idea, and it amazes me that they don't already use something like that, combined with a keyboard passcode. 2 factor authentication is always smart, especially with machines that deal with other people's money.

techs / armored car people are outside parties (1)

Joe_Dragon (2206452) | about 3 months ago | (#47200275)

Techs / armored car people are outside parties, so they may not have an employee ID card with swipe and/or an AD log on.

neither do most users. Here's a card for you. (1)

raymorris (2726007) | about 3 months ago | (#47201477)

99.99% of the people who swipe their card in an ATM are not employees. Yet, they are still able to swipe their card and even do two-factor authentication by entering their PIN.

If you have a contract with First Bank to maintain their ATMs, your techs carry their First Bank card to do so. How hard is that? Remembering of course that most of your employees don't need, and shouldn't have, access cards for the ATMs. Only a couple of field techs need them.

Re:neither do most users. Here's a card for you. (1)

Joe_Dragon (2206452) | about 3 months ago | (#47203915)

But we sub out the field tech work and it's too much paperwork / cost to keep up with all of them.

Re:wrong and trivial solutions (2)

matria (157464) | about 3 months ago | (#47200329)

When I was in the Navy, there was a key rack in the watchstander's office (barracks watch). Oncoming watchstanders called in to base security to report status, including the presence of all keys, at regular intervals. One petty officer who was a good friend of the barracks chief kept the keys to the barracks back door in her room so she could let her boyfriends in. I was always getting in trouble when I stood watch because I refused to falsify my reports. I would report the key missing, and base security would come blasting into the barracks to find the key, and I had no trouble telling them where it was. I still have the scars, after more than 40 years, from the several times I was assaulted in the barracks because of it.

Re:wrong and trivial solutions (1)

pspahn (1175617) | about 3 months ago | (#47200485)

Anecdotes such as these remind me of how terrible of a military person I would have been.

I thank you for your service.

Re:wrong and trivial solutions (0)

Anonymous Coward | about 3 months ago | (#47200827)

Since ATMs already have card readers, an obvious answer for routine maintenance is to have the employee swipe their employee ID card. The ATM then uses its existing network connection to authorize access via AD.

Great idea. However, convenience tends to be our worst enemy. A company can more easily manage its employees by "something you know" than by "something you have", [the card] which can be stolen, demagnetized or wear out and need replacement (or be reported lost maliciously). Some of these all pull in different directions, but on paper it sounds like training 35 low wage guys to go out on the field to fix all of one state's ATMs is easier if you can provide knowledge of a password instead of maintaining the auth token database current. After all, Guys 14 and 27 are on vacation / leave / probation / fired and they'd still have these tokens, and full access. I know, I know, "something you know" cannot be revoked, so it's still tons worse under the same situation with rogue employees.

My guess is we're working with one of those social vs. technical issues where the defaults win unless you work hard to change said defaults by some major monopolization.

Other employees would check out the keys they needed to use that day. It's kind of an interesting problem, but one that has been solved since roughly the Roman Empire or so.

Employee # 11 is sick for the day, so Employee #0 needs access to make a temporary change. "Something you know" is much easier on paper than having to show the keybearer that you have some special permission / situation by which you'd require the keys in an emergency. If employee churn is high, the key bearer will be leaking the key to some people who may not be actual employees. Like you said, it's interesting.

Re:wrong and trivial solutions (0)

Anonymous Coward | about 3 months ago | (#47212987)

"...and that's been true for thousands of years. It's very much a solved problem. Most companies use Active Directory for this purpose."

Yes, I've heard several people refer to Active Directory as pre-civilization technology.

Re:Hacked? (1)

Penguinisto (415985) | about 3 months ago | (#47197917)

You have 100s of machines, dozens of employees, who need legitimate access. How do you share the passwords on all those machines?
Is your solution cost effective? Does it account for areas with bad reception?

An RSA token and remote password server with a VPN tunnel connecting the two would suffice (all ATMs have to contact the bank *somehow* - even in a daily batch mode - else they cease to function as an ATM). Failing the VPN connection, just use a modem connection with strict ACLs at the bank's side. An initial setup can even be rigged to change the default passwords while you're customizing the thing to add the bank's logo and suchlike.

You could have the ATM guy plug the USB stick in which updates/changes the passwords and suchlike every time he arrives to load the thing up with cash.

This isn't rocket science - it just takes a bit of forethought and execution.

Plus, if you made 10K a week keeping your front door open, but you spent 30K a year replacing any stolen item, would you lock your door?

Bad analogy for two reasons:
1) having a basic password/access policy in place wouldn't "lock your door" and keep customers out
2) customers would never notice that you have a secure password/access policy in place, but they'll damned sure know it when you don't and someone decides to exploit the lack thereof - this means $10k/wk would instantly drop to a fraction of that once a breach is known about (and banking regulations require that yes, you do inform your customers if you have one), and if the bank is small enough, would likely destroy the bank entirely.

Re:Hacked? (2)

AK Marc (707885) | about 3 months ago | (#47198243)

How do you share the passwords on all those machines?

The same way they do for WiFi routers (and have done for 10+ years). You put it on the machine. There are doors locked with keys, and you expect them to have the keys to the ATM, so have the password on the inside of the door. Only if someone is already inside can they see it.

Is your solution cost effective?

Yes.

Does it account for areas with bad reception?

Yes

Plus, if you made 10K a week keeping your front door open, but you spent 30K a year replacing any stolen item, would you lock your door?

And if it cost $0 to prevent all theft, how stupid would you have to be to not secure it?

The typical Slashdot response. "I can't think of an easy way to fix the problem so it must be impossible." No, you are just stupid. Putting the password on the machine, but locked where it would already be "compromised" to view is free, easy, and has been used in other areas for decades. My routers come with non-default passwords from the factory, with the randomly generated initial (and after reset) password on the device, where physical security is already compromised if someone sees it.

If it's as impossible as you imply, go ahead and tell me what's wrong with my idea. I can only presume you'll make up some fake physical security problem. But I've never seen an ATM that didn't require keys of some kind.

Better, you could have a card and PIN that identified the maintenance person. The ATMs are wired back and authenticate transactions, so why not authenticate the maintenance person, and only open for authorized maintenance people at times in the maintenance schedule?

I can think of lots of ways to do this that scale well to 10,000,000 ATMs. That you can't think of any just proves stupidity, not difficulty.
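Added example, not part of the thread or of any commenter's post: a bank-side sketch of the per-technician card-plus-PIN check tied to a maintenance schedule that several comments above propose, with revocation, PIN lockout and an audit trail. Every identifier, PIN, ATM name and date in it is constructed for illustration, and the decision strings are an assumed format meant for the audit log, not for the ATM screen.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 100_000  # assumption: tune to the auth server's hardware
MAX_FAILURES = 3         # a short PIN is only safe with a hard retry limit


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored value is not the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Technician:
    card_id: str
    salt: bytes
    pin_hash: bytes
    revoked: bool = False
    failures: int = 0


@dataclass
class Window:
    atm_id: str
    card_id: str
    start: datetime
    end: datetime


class MaintenanceAuth:
    """Decides whether one card may enter operator mode on one ATM right now."""

    def __init__(self):
        self.techs = {}    # card_id -> Technician
        self.windows = []  # scheduled visits
        self.audit = []    # (timestamp, atm_id, card_id, decision)

    def enroll(self, card_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self.techs[card_id] = Technician(card_id, salt, hash_pin(pin, salt))

    def schedule(self, atm_id: str, card_id: str, start: datetime, hours: int) -> None:
        end = start + timedelta(hours=hours)
        self.windows.append(Window(atm_id, card_id, start, end))

    def revoke(self, card_id: str) -> None:
        # Takes effect on every ATM at once; nothing on the machines changes.
        self.techs[card_id].revoked = True

    def authorize(self, atm_id: str, card_id: str, pin: str, now: datetime) -> str:
        decision = self._decide(atm_id, card_id, pin, now)
        self.audit.append((now.isoformat(), atm_id, card_id, decision))
        return decision

    def _decide(self, atm_id, card_id, pin, now):
        tech = self.techs.get(card_id)
        if tech is None:
            return "deny:unknown-card"
        if tech.revoked:
            return "deny:revoked"
        if tech.failures >= MAX_FAILURES:
            return "deny:locked"
        # Constant-time comparison of the derived PIN hash.
        if not hmac.compare_digest(hash_pin(pin, tech.salt), tech.pin_hash):
            tech.failures += 1
            return "deny:bad-pin"
        tech.failures = 0
        scheduled = any(
            w.atm_id == atm_id and w.card_id == card_id and w.start <= now < w.end
            for w in self.windows
        )
        return "allow" if scheduled else "deny:outside-schedule"


def demo():
    """Constructed scenario: one scheduled visit, then misuse attempts."""
    auth = MaintenanceAuth()
    auth.enroll("TECH-0001", "4821")  # constructed card id and PIN
    visit = datetime(2014, 6, 10, 9, 0)
    auth.schedule("ATM-EXAMPLE-01", "TECH-0001", visit, hours=2)
    results = [
        auth.authorize("ATM-EXAMPLE-01", "TECH-0001", "4821", visit + timedelta(minutes=30)),
        auth.authorize("ATM-EXAMPLE-01", "TECH-0001", "4821", visit + timedelta(hours=5)),
        auth.authorize("ATM-EXAMPLE-02", "TECH-0001", "4821", visit + timedelta(minutes=30)),
    ]
    auth.revoke("TECH-0001")
    results.append(
        auth.authorize("ATM-EXAMPLE-01", "TECH-0001", "4821", visit + timedelta(minutes=45))
    )
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the decision is made centrally, a technician who leaves is cut off by one `revoke` call rather than by changing a password on every machine.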

Re:Hacked? (1)

lgw (121541) | about 3 months ago | (#47198599)

You do realize all ATMs (from a given vendor) are keyed alike, right? You can buy the key for the front panel for most brands of ATM online. The money, of course, is in a vault inside the ATM with its own security, as the banks don't trust their service techs with access to the ATM vault. And, of course, the cost of managing a collection of per-ATM physical keys would (substantially) exceed the total cost of losses so that's not changing.

Re:Hacked? (1)

AK Marc (707885) | about 3 months ago | (#47199629)

So then, what's the problem? All ATMs have a single physical token, so why not have all ATMs have a single logical token? If a single logical key is not sufficient, then a single physical key wouldn't be sufficient. They are simply broken by design. At least it's not my money. If you hack the ATM to take $10,000 the bank has a loss. If you hack an account to steal $100 from the same ATM, the bank steals it from the account holder.

Re:Hacked? (1)

lgw (121541) | about 3 months ago | (#47200793)

Maybe the "simple right answer" for a datacenter just doesn't work in the world of stuff? I'm shocked that the answer you spent 5 minutes thinking about wasn't the brilliant solution to all the problems of an industry.

ATMs have 2 big problems right now: they're too easy to replace the firmware on, as they need strong signed boot images, and they're too easy to hack remotely. I saw a talk by a "security researcher" on this, and he mentioned the remote auth was a fundamentally flawed design, giving him 100% success in remote hacking all brands of ATMs. They've got deeper issues than the default password. These are fixable issues in the digital world. The key isn't - there's no good answer to that one.

Re:Hacked? (1)

AK Marc (707885) | about 3 months ago | (#47200939)

I don't care. It's trivial to solve, but obviously the banks don't care. Since they are the one footing the bill, it's their right to lose millions to fraud they could have prevented.

At least they are all on XP now. No more of that OS/2.

Re:Hacked? (1)

lgw (121541) | about 3 months ago | (#47204915)

Wait, you keep asserting the physical-world problem is trivial to solve, but that flies in the face of the evidence. The world is full of problems that could be "trivially" solved by writing a check with enough 0s on the end, but that's not often helpful. Solving a problem more cheaply than the problem is obviously important.

Re:Hacked? (1)

AK Marc (707885) | about 3 months ago | (#47206523)

Wait, you keep asserting the physical-world problem is trivial to solve, but that flies in the face of the evidence.

I've seen ATM repairmen with a large key ring they checked against the ATM before opening it. But you asserted that there's one key for all ATMs. I can't prove it wrong, but it didn't agree with my previous observations. What evidence do you have that all ATMs open with a single key?

You have no evidence that it'd be "hard" to solve. You just assert, without proof, your opinion as fact.

Since every ATM transaction is authenticated, why don't they have a card with PIN for every maintenance man, and then you'd have a unique physical key, and the only "authentication" would be the type already used? Simple, cheap, and much more effective than what you assert they do now.

Yes, Cisco routers come with the password "cisco" as the default. But you can change that to a more complex password, locked up tight, and set them up to do administration passwords through external AAA, and fail back to local, or even fail back to nothing (if you don't get the right AAA server, you have to reset the device to get in).

Hilarious how most networking equipment is more "secure" than ATMs.

Re:Hacked? (1)

MikeBabcock (65886) | about 3 months ago | (#47198319)

Smart cards with a per-user pin code of course. They're easy to distribute, easy to revoke remotely and cheap.

Re:Hacked? (1)

TheCarp (96830) | about 3 months ago | (#47202549)

I understand the argument, I don't understand why you would leave your door open in the first place. I 10k a week, 30k a year on stolen items....and you didn't think to install a $10 door lock? shit spring for the $30 one at that point.

And worst they didn't even need to spring for the lock. All they needed to do was choose anything OTHER than the example in the manual. Seriously, anything other than say "password" would be better. The word "donkey" would be better. "KeepOut" would be many times better than that even.

This isn't even a password that needs to be "open on the internet" secure....it needs to be "some guy standing there in public fiddling with it" secure. It needs to be like, your kid sister wouldn't guess it in 10 tries secure. Seriously "DoNotTouch" would be more than enough.

Re:Hacked? (5, Funny)

Yakasha (42321) | about 3 months ago | (#47197673)

So.... they had the manual with passwords....

this is hacked.... how?

Same way I hacked my VCR so it doesn't flash 12:00 anymore!

Re:Hacked? (4, Funny)

ThatsDrDangerToYou (3480047) | about 3 months ago | (#47198033)

So.... they had the manual with passwords....

this is hacked.... how?

Same way I hacked my VCR so it doesn't flash 12:00 anymore!

Wait.. what? You can do that?

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47198405)

Yes, you just have to unsolder the +5V wire going to the display.

Re:Hacked? (1)

Dak_Peoples (591544) | about 3 months ago | (#47198467)

Too much work. Black electrical tape over the clock.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47200125)

I have a coffee machine with this same old problem. They must have gotten their firmware from a defunct VCR manufacturer for cheap.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47200245)

Sure, just a scrap of black electrical tape over the clock display.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47201713)

I fixed my VCR so it just says --:-- now.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47212999)

I think he meant to say 'whacked' not 'hacked'...

Re:Hacked? (1)

Anonymous Coward | about 3 months ago | (#47198043)

Same way I hacked my VCR so it doesn't flash 12:00 anymore!

My VCR flashes 'admin:admin'. Anyone know how to fix that?

Re:Hacked? (2)

fustakrakich (1673220) | about 3 months ago | (#47198127)

my VCR

Wow, doesn't your neighborhood Blockbuster have DVDs yet?

Re:Hacked? (2)

sound+vision (884283) | about 3 months ago | (#47199747)

You have a Blockbuster?

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47198255)

You're going to jail, you evil hoodie wearing hacker you!

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47198369)

What's a VCR?

Re:Hacked? (1)

tomhath (637240) | about 3 months ago | (#47198465)

Does your hack work on Android phones too? If so I'm interested.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47200257)

Wait.. what? You have a VCR?

Re:Hacked? (1)

AbrasiveCat (999190) | about 3 months ago | (#47202529)

So.... they had the manual with passwords....

this is hacked.... how?

Same way I hacked my VCR so it doesn't flash 12:00 anymore!

Covering the blinking clock with black tape doesn't count, sorry.

Re:Hacked? (3, Insightful)

rogoshen1 (2922505) | about 3 months ago | (#47197699)

because if they use the verb 'hacked' the authorities will be able to get the absolute maximum penalty, and throw the book at these kids.
Oh, Canada -- right, never mind. (Stuff like this would be punishable by 20+ years in the US more than likely.)

Re:Hacked? (2)

Jeremy Erwin (2054) | about 3 months ago | (#47197769)

I recently read Clifford Stoll's Cuckoo's egg and a good many of "Hunter's" exploits were based on nothing more than known service passwords. You'd think that things would have changed since 1989, but apparently the same mistakes are being made.

Re:Hacked? (1)

spire3661 (1038968) | about 3 months ago | (#47198397)

Most of 'hacking' in this context is actually social and/or reverse engineering. It's like David Lightman doing research on Professor Falken to find the backdoor in W.O.P.R. in the movie *War Games*

Re:Hacked? (1)

Artifakt (700173) | about 3 months ago | (#47200327)

Actually finding a new zero day exploit and figuring out how to exploit it, with maximum yield to chance of getting caught ratio, is very time consuming and involves a high level of luck, not just skill. David is shown as a bit more than just a script kiddie, but a lot of what he does in the movie has become simplified to where script kiddies can easily get tools they don't understand to do the same things these days, so perhaps the movie doesn't feel the same from a modern perspective. It helps to remember that back in the era, seemingly simple things such as Wardialers weren't off the shelf items yet, and people who used them had to at least know a little about some Hayes AT commands and such beyond what was in the user manuals. David was hacking at a time when even getting advice about using social engineering meant going to a person who also had pure tech skills, and not from someone who only knew the social engineering side of it all. His use of social engineering to realize "Joshua" is a potentially likely backdoor in that particular case is actually the more skilled response, in that it takes a certain amount of analytical intelligence to look for something like it, but also more generalized intelligence to realize that doing it has a high chance of shortcutting trial and error methods that might take years in an era of 1200 baud modems, and that there was very little risk during the discovery phase. I would posit that the most skilled hackers working for the NSA, for example, are deliberately trained not to ignore biography shortcuts and such in favor of more seemingly LEET attacks. The people with nothing to prove most probably use social attacks, reverse engineering and insider information at the drop of a hat if it gets them results faster or safer.

Re:Hacked? (1)

dk20 (914954) | about 3 months ago | (#47198471)

Obviously the bar to use the word "hacked" is really low. Attracts more page clicks than "teens read manual and found default password to ATMs"

Re:Hacked? (1)

bbulkow (954499) | about 3 months ago | (#47199215)

Not hacked in the classic definition, but it would be "accessing a system without authority" or whatever the BS US legal term is --- highly illegal in the US. Zero tolerance, right?

Let's do the math, shall we? (2)

justthinkit (954982) | about 3 months ago | (#47199217)

8B T/yr [hitachiconsulting.com] , times $2.22/T [howstuffworks.com] .

I think a problem with a potential downside of $17,760,000,000 is, well, a problem.

Re:Hacked? (0)

Anonymous Coward | about 3 months ago | (#47199619)

It's not hacked, but it's news that a bank cares so little about security that they're using the default passwords, and that an ATM vendor cares so little about security that they're shipping machines which will allow use of default passwords in a retail environment. Either that, or these were intended to be backdoor passwords available only to the manufacturer, in which case it's news that they're shipping retail machines with backdoors and with the backdoor printed in the manual.*

* (More likely than you think. A couple of decades ago, I worked for what was then a top-25 company on the US Fortune 500, and our routers had the backdoor passwords that were supposed to be for internal company use only printed plain as day in the manuals we handed out to customers. Big scandal when somebody finally noticed it, and a big scramble to issue firmware updates.)
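
An added illustration of the control the comments above say was missing (not code from the article, the bank, or any ATM vendor): an operator mode that allows nothing but a password change while the factory default is still set, refuses documented defaults as the replacement, and locks after ten wrong guesses. The default values, the class name and the lockout behaviour are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-ins: the page never states the real default, so these
# represent "the example printed in the manual" plus common six-digit defaults.
DOCUMENTED_DEFAULTS = {"000000", "111111", "123456", "654321"}
MAX_FAILURES = 10   # the "wouldn't guess it in 10 tries" bar from the thread
MIN_LENGTH = 6


class PolicyError(Exception):
    """Raised when a password change is refused."""


def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def is_acceptable(candidate: str) -> bool:
    """Return True if candidate may replace the factory default."""
    if len(candidate) < MIN_LENGTH:
        return False
    if candidate.lower() in DOCUMENTED_DEFAULTS:
        return False
    if len(set(candidate)) == 1:          # e.g. "999999"
        return False
    return True


class OperatorMode:
    """Hypothetical operator-mode gate for a kiosk or ATM."""

    def __init__(self, factory_default: str):
        self._salt = os.urandom(16)
        self._hash = _digest(factory_default, self._salt)
        self.must_change = True           # set at the factory, cleared on rotation
        self.failures = 0
        self.locked = False

    def login(self, password: str) -> str:
        """Return 'locked', 'denied', 'change-required' or 'operator'."""
        if self.locked:
            return "locked"
        ok = hmac.compare_digest(_digest(password, self._salt), self._hash)
        if not ok:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True        # assumed to need an out-of-band reset
            return "denied"
        self.failures = 0
        # While the default is in place, the only permitted action is a change.
        return "change-required" if self.must_change else "operator"

    def change_password(self, old: str, new: str) -> None:
        if self.login(old) not in ("change-required", "operator"):
            raise PolicyError("authentication failed")
        if not is_acceptable(new):
            raise PolicyError("new password is a documented default or too weak")
        self._salt = os.urandom(16)
        self._hash = _digest(new, self._salt)
        self.must_change = False


def demo() -> list:
    """Walk through first boot, rotation, and in-person guessing."""
    atm = OperatorMode("123456")
    states = [atm.login("123456")]                 # default works, but is gated
    atm.change_password("123456", "DoNotTouch")
    states.append(atm.login("DoNotTouch"))
    for guess in ["123456"] * MAX_FAILURES:        # someone fiddling at the keypad
        states.append(atm.login(guess))
    states.append(atm.login("DoNotTouch"))         # locked even for the right one
    return states
```
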

Re:Hacked? - RTFA Please (0)

Anonymous Coward | about 3 months ago | (#47200199)

They did not have the passwords from the manual. They guessed the password and said it was a standard six character password that should not have been used.

"Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password."

Hacked? (0)

Anonymous Coward | about 3 months ago | (#47200379)

When I serviced DVD kiosks you needed a card and a PIN to enter the service mode so a random person who found the manual online could enter service mode.

Hacked? (0)

Anonymous Coward | about 3 months ago | (#47201801)

this is hacked.... how?

The ordinary way: By RTFM and walking straight through the most obvious hole.

Re:Hacked? (0)

Anonymous Coward | about 2 months ago | (#47277593)

Would you prefer they had shown up with an axe and started cutting the ATM?

In the US they'd have been charged (4, Insightful)

JohnnyComeLately (725958) | about 3 months ago | (#47197367)

Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

Re:In the US they'd have been charged (5, Insightful)

Anonymous Coward | about 3 months ago | (#47197407)

They also probably would have shot any of their pets on the way in. Dude isn't joking; this place is a fucking terror state and does this to people every day.

Re:In the US they'd have been charged (1)

s.petry (762400) | about 3 months ago | (#47198175)

Are you confusing USA cops with Canadian cops, or are they behaving the same in the "Great White North"? I have not seen any stories of "Mounties shoot 137 rounds into unarmed suspects vehicle killing both the driver and passenger" like we just saw in Cleveland, but that could just be how good the US Propaganda agencies are at hiding "news".

Re:In the US they'd have been charged (1)

UnknownSoldier (67820) | about 3 months ago | (#47198375)

Nah, they just taser people to death instead.

http://www.cbsnews.com/news/ai... [cbsnews.com]

Re:In the US they'd have been charged (0)

Anonymous Coward | about 3 months ago | (#47200169)

quiet you, in this article about something in canada we are picking on the USA. stay on topic

Re:In the US they'd have been charged (1)

grep -v '.*' * (780312) | about 3 months ago | (#47200361)

this place is a fucking terror state and does this to people every day.

But there's this annoying site that disagrees with you [slashdot.org] .

Oh, my mistake -- you said terror, not crime.

Re:In the US they'd have been charged (0)

Anonymous Coward | about 3 months ago | (#47197415)

Here lately, seems their day at school would have been moot as they are led to a waiting black SUV. Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

I agree!

Re:In the US they'd have been charged (1)

cdrudge (68377) | about 3 months ago | (#47197421)

Then, SWAT would move into their house and take everything that plugs into a wall and has Ethernet capabilities. Think I'm joking?

Of course you are. Why would they leave things that don't plug into a wall and/or have Ethernet capabilities? Take everything. Toaster, tooth brush, pet rock...it's all evidence of the crime and/or hacking tools. They'd probably search the houses of your friends, family, and the guy you looked at walking down the street a week ago too.

Re:In the US they'd have been charged (1)

CanHasDIY (1672858) | about 3 months ago | (#47197979)

Right - and any cash they happened to have laying around would also be seized under RICO, one of the most unconstitutional laws ever upheld.

Re:In the US they'd have been charged (1)

nytes (231372) | about 3 months ago | (#47198343)

And heaven help those kids if they had a copy of "GURPS Cyberpunk" sitting on a bookshelf.

They'd never see the light of day again.

Re:In the US they'd have been charged (0)

Anonymous Coward | about 3 months ago | (#47199289)

Not in that order man, they pretend to be your buddies take you on the "River trip" try to incite the woe B unto the children charge so it looks super juicy in court, then do the door kick in, I'm waiting on the last part to happen, hell at this point I'll just hand their ass the install and porno disks, because frankly there is no fucking way they are going to find them all, since the redeploy of the advanced mobile phone service didn't exist Amps 212 in subase Nlon didn't exist and the fuckers skulking around my ass don't "exist" I'm not gonna worry one damn bit anymore, if it ain't on the fscking packaging I don't care, And it's time for my happy pills.

Re:In the US they'd have been charged (0)

Anonymous Coward | about 3 months ago | (#47197451)

They will be, soon enough.

1984 eleventyoneone!!!! (1)

Hognoxious (631665) | about 3 months ago | (#47197497)

Could be worse. In Britain they'd have been filmed with cameras!

Re:1984 eleventyoneone!!!! (0)

Anonymous Coward | about 3 months ago | (#47197543)

They aren't using film anymore, pappaw.

Re:1984 eleventyoneone!!!! (0)

Anonymous Coward | about 3 months ago | (#47197943)

In Britain they'd have been mpegged with cameras?

Re:1984 eleventyoneone!!!! (0)

Anonymous Coward | about 2 months ago | (#47283541)

Don't ever walk into a grocery store here, then.

And other stuff (4, Interesting)

tekrat (242117) | about 3 months ago | (#47197519)

For example, if they find bleach AND draino under the sink, you're also charged with "Chemical Weapons Possession" if they find candles and matches and charcoal, you have "bomb making materials". The spooks can get you for anything.

Re:And other stuff (2)

SuricouRaven (1897204) | about 3 months ago | (#47197635)

Usually they'll use that to threaten the suspect into a plea bargain. Either admit guilt and go to jail for five years, or fight it and they'll do the best they can to send you for fifty.

Re:And other stuff (1)

myowntrueself (607117) | about 3 months ago | (#47204905)

Usually they'll use that to threaten the suspect into a plea bargain. Either admit guilt and go to jail for five years, or fight it and they'll do the best they can to send you for fifty.

What amazes me about this plea bargain system is that if you are, in fact, innocent and you 'plea bargain' to plead guilty and get off lightly aren't you perjuring yourself (ie lying under oath about your guilt)?

Not that I'd expect a conversation to go like:
"If you plead guilty you get 5 years but if you fight we'll see you locked away for 50"
"But I'm innocent, wouldn't that be perjury?"
"Oh yeah true, you can go then."

Re:And other stuff (1)

meerling (1487879) | about 3 months ago | (#47197809)

Back when I was a kid in school, we used a lot of things for explosives in science class. Including flour and sugar. You'd also be amazed what you can do with steel wool and aluminum wool or powder.
Your entire house is composed of nothing but potential chemical weapons and explosive components. Face it, they are all chemicals and most of them can burn, only assholes totally trying to stretch laws way past stupid over-reach will try to arrest someone on something that flimsy.

Re:And other stuff (2)

CanHasDIY (1672858) | about 3 months ago | (#47197987)

... only assholes totally trying to stretch laws way past stupid over-reach will try to arrest someone on something that flimsy.

Have you ever met an American LEO?

"Assholes trying to stretch laws" is a fitting description.

Three reasons for this behavior (2)

ub3r n3u7r4l1st (1388939) | about 3 months ago | (#47198179)

1. LEO have a case "quota" to meet.
2. Government attorneys who are thinking of running for an elected political office, want to appear to be "tough on crime" (which is apparently what most voters want, unfortunately.)
3. The top 1% wants to suppress any tiny indication of an uprising. A citizenry that is armed with biological, chemical or nuclear capabilities threatens the existence of the elite class.

Re:Three reasons for this behavior (1)

CanHasDIY (1672858) | about 3 months ago | (#47198239)

You missed one:

4 - a lot of the people who get into law enforcement do so because either A) they were bullies in school and never grew out of it, or B) they got bullied in school and want revenge on society.

Re:Three reasons for this behavior (0)

Anonymous Coward | about 3 months ago | (#47198345)

1. Quotas are generally illegal, that does not mean that they don't have a certain number of contacts, etc as "performance criteria".
2. This is why attorneys, lawyers, paralegals should be barred from holding any public office other than district attorney (for example of barred offices: city council, town mayor, state senator, state representative, US Congress, ...)
3. Who needs biological, chemical, nuclear capabilities when you have rocks to hurl at them. Sorry, for next week's impassioned speech from Dianne Feinstein extolling the virtues of banning the terrifying assault rocks.

Re:Three reasons for this behavior (1)

aralin (107264) | about 3 months ago | (#47199431)

Throwing stuff at politicians seems to be ineffective. In my country we had this long tradition of throwing politicians at stuff. Like the manure pile down few stories below the window. We call this tradition defenestration. No weapons involved so nothing for Dianne to rant about.

Re:And other stuff (0)

Anonymous Coward | about 3 months ago | (#47197959)

The spooks can get you for anything.

Who you callin' spook, peckerwood!

Re:And other stuff (0)

Anonymous Coward | about 3 months ago | (#47198523)

Hey, we don't wanna mess with no reefer addicts!

Re:And other stuff (1, Interesting)

Anonymous Coward | about 3 months ago | (#47198201)

For example, if they find bleach AND draino under the sink, you're also charged with "Chemical Weapons Possession" if they find candles and matches and charcoal, you have "bomb making materials". The spooks can get you for anything.

Wow didn't know that, your country sure is heading into hell on a one way ticket rollercoaster. Outlawing those is like convicting you because you have an offensive weapon (Car)

So glad I don't live in that shit hole.

(Not trolling or flame-baiting - just speaking truth)

Re:And other stuff (1)

zeugma-amp (139862) | about 3 months ago | (#47200445)

Figured I'd respond to the AC in this little sub-thread just for the heck of it.

Something that I've found to be extraordinarily interesting over the years of watching the police state in America continually ratchet up their insanity, vindictiveness, and brutality is that it's being noticed in all quarters.

You see comments about the police killing chihuahuas on sites dedicated to political discussion on both the left and right. Over the past ten years I've watched a major political discussion site on the conservative side go from having huge contingents of "cops can do no wrong" brigades, to those posters being a very, very tiny (though vocal) minority.

It has been fascinating to watch.

Re:In the US they'd have been charged (1)

geekoid (135745) | about 3 months ago | (#47197553)

seems. yes, seems. based on your echo chamber.
Not really likely.

Re:In the US they'd have been charged (2)

ColdWetDog (752185) | about 3 months ago | (#47197629)

Which is a sad (if a bit hyperbolic) reflection of things these days. In the early 1970's, we had a time sharing terminal at our high school. I noted the manuals for the system in my father's office at Boeing, 'borrowed' the manuals and we proceeded to have a fun couple of hours screwing around in admin land. We then got a nice little reply on said terminal to please stop doing that.

So we stopped.

The school got a phone call that asked them to supervise the children a bit better and that was that. No muss. No fuss. No SWAT teams. Ah, the 70's.

Re:In the US they'd have been charged (1)

rickb928 (945187) | about 3 months ago | (#47197745)

Damn. I got kicked off a timesharing system because I disagreed with the sysadmins over politics. They booted an entire state off the system until I promised to go away and never come back.

I came back 12 years later. They had been sold off.

Re:In the US they'd have been charged (2)

Jeremy Erwin (2054) | about 3 months ago | (#47197937)

That was Jerry Pournelle's excuse [art.net] , too.

Re:In the US they'd have been charged (0)

Anonymous Coward | about 3 months ago | (#47203231)

Feh. There is no cabal. BTW, wonder if Jerry ever figured out what happened to all the McCormack bill/SDI funds that were used to bluff the USSR into collapse when we could have had cheap fusion, 2 week Earth-Mars travel, AND kewl cheap pocket particle beam weapons by now? Is it coincidence that the War on (some) Drugs and the Energy Crisis originated in the same Club of Rome, off the gold standard time frame? I don' thin' so.

--A Pournelle fan scratching his head at the LaRouche phenomenon.

Re:In the US they'd have been charged (1)

meerling (1487879) | about 3 months ago | (#47197835)

In the early 80s, a bunch of us taught ourselves how to use the computers using only their manuals and experimentation. We then had to teach the teachers, since they didn't know anything. Ironically, 3 years later those same computers were reserved for the teachers only.

Re:In the US they'd have been charged (1)

Ravaldy (2621787) | about 3 months ago | (#47197715)

For some reason I don't doubt that.

Same goes for the 24 year old who killed 3 federal officers last week in Moncton. In the US they probably would have shot him and asked questions later.

Re:In the US they'd have been charged (1)

arth1 (260657) | about 3 months ago | (#47199369)

Same goes for the 24 year old who killed 3 federal officers last week in Moncton. In the US they probably would have shot him and asked questions later.

True, but incomplete.
Here in the US, the police would indeed have shot him dead, then reloaded and shot him dead some more, while killing 3 innocent people in the process (those deaths are blamed on the suspect). Then they would put the city on lockdown for six hours, and send SWAT teams to his parents' house.

Re: In the US they'd have been charged (1)

pchasco (651819) | about 3 months ago | (#47197749)

And they should be charged. What if they were caught in the act or otherwise before they had an opportunity to report the vulnerability? "No, officer. We weren't going to do anything malicious! We were just trying to help! I swear!" is not going to get them out of trouble. So if that excuse wouldn't fly, then any white hat hacker who isn't hacking with authorization runs the risk of getting caught and getting in deep shit. There's just no way to know who's got malicious intent and letting anyone off the hook who pinky swears they were just trying to help is just daft.

Re: In the US they'd have been charged (2)

mark-t (151149) | about 3 months ago | (#47197919)

They weren't caught in the act... they voluntarily came forward to state what they had done... if they had not done this, nobody would have been the wiser, and the kids would know how to unlock admin mode on said atms without anyone else knowing that they knew how to do that.

Re: In the US they'd have been charged (1)

Obfuscant (592200) | about 3 months ago | (#47198021)

They weren't caught in the act... they voluntarily came forward to state what they had done... if they had not done this, nobody would have been the wiser,

I think the bank would have noticed the reduced surcharge income from that machine, and I'm positive they'd have noticed the "this machine has been hacked" welcome message on the display.

Re: In the US they'd have been charged (1)

mark-t (151149) | about 3 months ago | (#47198215)

Indeed... but my point is that these kids weren't caught... They admitted to what they were doing as soon as they realized that it worked. They only did those things to demonstrate that they had actually successfully hacked it, since they didn't seem to initially believe them.

Re: In the US they'd have been charged (1)

Dega704 (1454673) | about 3 months ago | (#47197925)

Are you the guy who designed that ATM? Because that sounds like something they would say to save face from the fact that the security of their product was so hilariously inadequate that a couple of kids screwing around (which kids tend to do) were able to compromise it.

Re: In the US they'd have been charged (2)

pchasco (651819) | about 3 months ago | (#47198331)

No. I'm actually not concerned about the ATM company. I'm concerned about well-meaning hackers getting thrown in jail because they got caught hacking before they could prove they were just trying to help. If hackers are always punished for hacking regardless of the motivation, then there is no risk reward to hacking into a system with good intentions. You just wouldn't do it. However if there is a chance that the risk pays off, no one goes to jail and you get your warm and fuzzy, then people will take that risk. And some will inevitably get busted. I don't want good people to get thrown into jail or otherwise hassled by the authorities. Let's remove the incentive for engaging in risky behaviour.

Re: In the US they'd have been charged (2)

idontgno (624372) | about 3 months ago | (#47198539)

You're advocating against millennia of moral teaching and (perhaps genetic) altruism: the willingness to personally endanger one's self in order to help someone else.

I'd argue these youngsters, and other white hats, are modern Good Samaritans. Everyone familiar with the Parable of the Good Samaritan picks up on how the Samaritan was socially unlikely to help the Jew, and under no real obligation to do so, and therefore a moral exemplar. But one of the subtexts of the story is that the Samaritan put himself in personal peril to help the victim: the robbers that nearly killed the Jew could have still been in the vicinity, and the Samaritan (with travelling funds and a valuable donkey) could have been their next victim... and he had to know it.

The fact that modern robbers make being a good Samaritan dangerous is no reason to teach people to avoid helping others.

Re: In the US they'd have been charged (3, Insightful)

nmoore (22729) | about 3 months ago | (#47197955)

Before they did anything beyond twisting the doorknob (entering the default password), they got permission.

"He said that wasn't really possible and we don't have any proof that we did it.

"I asked them: 'Is it all right for us to get proof?'

"He said: 'Yeah, sure, but you'll never be able to get anything out of it.'"

That said, twisting the doorknob is probably an offense under the CFAA.

Re: In the US they'd have been charged (0)

Anonymous Coward | about 3 months ago | (#47198707)

So, to be clear, you believe that since, in a 'caught red handed' scenario such as you describe, the intent of he who has been caught can't be known, it then follows that in a scenario not at all of that nature, in which intent has been demonstrated by action, any penalty deriving from the unknown nature of intent in the first of these scenarios should apply also in the second, though in the second the condition giving rise to the penalty is not present? Because that's just fucking stupid, and so are you.

Re: In the US they'd have been charged (2)

pchasco (651819) | about 3 months ago | (#47197829)

Let's use a different example. What if you came home one day from work to find a brochure on your kitchen table advertising security and lock systems along with a business card and a note informing you that your house is insecure because you left your back bedroom window unlocked. Should you call the cops on the guy? He didn't steal or harm the residence in any way. He is just trying to help.

Re: In the US they'd have been charged (1)

nmoore (22729) | about 3 months ago | (#47198019)

Or if a kid knocked on your front door and said "excuse me, your car door is unlocked".

Re: In the US they'd have been charged (1)

pchasco (651819) | about 3 months ago | (#47198277)

Depends. Did he get into my car, or just notice it through the window from a public space which is perfectly legal to do?

Re: In the US they'd have been charged (1)

Dega704 (1454673) | about 3 months ago | (#47198051)

Fair enough, but there I have one question about that analogy. Are thousands of people's bank accounts potentially put at risk by an unlocked bedroom window?

Re: In the US they'd have been charged (1)

rogoshen1 (2922505) | about 3 months ago | (#47198091)

Can we move away from comparing physical spaces (Or really, any physical object) to computer systems?

As analogies they usually don't work, and people who take them literally sometimes really write stupid, horrendous laws.
Is port scanning really in any universe like going to each house in turn throughout a neighborhood looking for unlocked windows or doors? Are the risks the same?

Re: In the US they'd have been charged (2)

pchasco (651819) | about 3 months ago | (#47198269)

Sometimes comparing computers to physical things is apropos, sometimes not. Just because some people make these comparisons when they are not truly demonstrative of a situation does not mean that every such comparison is fallacious. I have a lock on my front door. You finding a copy of the key under a rock is not implicit permission to enter my house, no matter how stupid I may have been to leave a spare key out for anyone to find.

Re: In the US they'd have been charged (0)

Anonymous Coward | about 3 months ago | (#47198763)

I think the analogy is quite apt. Consider that there are three parties involved: You, the owner of the house [the bank]; me, the finder of the key [the kids]; and Bob, your friend whose motorcycle is parked in your garage for safekeeping [the account holders].

I (finding a copy of your key under the rock) am prohibited by law from entering your house, and would probably get jail time for opening the door were I caught.

You, on the other hand, have no legal consequences for leaving your key out in the open. You have only an increased risk of losing your stuff, which is mitigated by insurance coverage and your ability to sue me should I be identified.

Bob's probably not happy that you left the key outside, but there's little he can do about it, other than not park his motorcycle in your garage. Well, I guess there's small claims court, but he's going to have to convince a judge.

Re:In the US they'd have been charged (0)

Anonymous Coward | about 3 months ago | (#47199805)

SWAT: an occupation where members of the Navy SEALs go to find employment. I'm waiting for someone to get "bin Laden'ed" for movie piracy.

Only surprise is,.. (1)

Selur (2745445) | about 3 months ago | (#47197373)

that they didn't scam the bank and buy a few nice gadgets.
(or maybe they have and nobody noticed ;))

No Good Deed Goes Unpunished (1)

Tokolosh (1256448) | about 3 months ago | (#47197377)

In the USA anyway, the kids are looking at adult jail time.

Re:No Good Deed Goes Unpunished (1)

CrimsonAvenger (580665) | about 3 months ago | (#47197517)

Did "Bank of Montreal" not clue you in that this wasn't in the USA?

Re:No Good Deed Goes Unpunished (1)

Tokolosh (1256448) | about 3 months ago | (#47197581)

Did "In the USA anyway..." not clue you in.... Nevermind.

Re:No Good Deed Goes Unpunished (2)

CrimsonAvenger (580665) | about 3 months ago | (#47197783)

In the USA (and Canada, and the UK, and pretty much the rest of the world), we have something called "tenses".

Specifically, there are tenses that apply to counterfactual but hypothetical cases. For instance, if you're trying to say that in the USA someone would be subject to thus and so, one might say "in the USA, they WOULD BE charged".

Or one might add as a prequel to your statement that standard word for hypothetical but counterfactual "if"...Nevermind. I forgot this was /., where literacy is never an expectation of the technically inclined.....

Re:No Good Deed Goes Unpunished (1)

Anonymous Coward | about 3 months ago | (#47198625)

The 'tense' you refer to is not a tense, but a mood. Specifically, the subjunctive mood. Moreover, no five-dot ellipses exist in English. Contrary to apparent popular understanding of how the ellipsis operates in English, the number of dots does not indicate the desired duration of pause.

Re:No Good Deed Goes Unpunished (0)

Anonymous Coward | about 3 months ago | (#47200193)

boy, the mood got tense......

Re:No Good Deed Goes Unpunished (0)

Anonymous Coward | about 3 months ago | (#47197609)

Indeed. Just the fact that kids went to the bank and told them, and the bank politely followed them back to an ATM and waited while they demonstrated, should clue you in that this was Canada.

Hell the bank employees probably gave them a hearty hand shake and took them to Tim Hortons afterwards as a thank you. It'd be impolite not to.

Re:No Good Deed Goes Unpunished (1)

meerling (1487879) | about 3 months ago | (#47197863)

Yeah, in the USA they'd have probably called the cops afterward, pressed charges, and given interviews to the news station that they stopped a pair of bank robbers that might be linked to terrorists.

Re:No Good Deed Goes Unpunished (2)

rogoshen1 (2922505) | about 3 months ago | (#47198107)

then nancy grace would run a story about how al'qaeda has started recruiting sleeper agents out of the local grade schools.
we must clamp down on our schools, your kid might be a terrorist and you wouldn't even know.. until it's too late.

Nancy Grace (0)

Anonymous Coward | about 3 months ago | (#47199253)

She disgusts me. There's not even a pretense of a news show anymore, she gave up on that facade, it's 100% pandering to fear. The commercial for her television show actually says "What are you afraid of?" and goes on to suggest that your husband is going to beat you (or worse) and your kids are going to get kidnapped. You're so brave just letting your kids leave and go to school! It's so harrrd to be a woman!

She's a cunt and so is everyone who watches that shit.

Re:No Good Deed Goes Unpunished (1)

TangoMargarine (1617195) | about 3 months ago | (#47198045)

BMO Harris is short for Bank of Montreal, and they seem to have acquired about half the local banks in my neck of the (U.S.) woods, so no.

Re:No Good Deed Goes Unpunished (0)

Anonymous Coward | about 3 months ago | (#47198071)

Bank of Montreal owns some US banks like Harris Bank in Chicago.

Re:No Good Deed Goes Unpunished (1)

Minwee (522556) | about 3 months ago | (#47198095)

Did "Bank of Montreal" not clue you in that this wasn't in the USA?

Why should it have? [bmo.com] There are hundreds of BMO branches [usbanklocations.com] in the USA.

Re:No Good Deed Goes Unpunished (1)

MikeBabcock (65886) | about 3 months ago | (#47198327)

BMO operates in the USA as well, and also in the Caribbean.

Re:No Good Deed Goes Unpunished (0)

Anonymous Coward | about 3 months ago | (#47198527)

You know Bank of Montreal has BMO Harris right?

https://www.bmoharris.com/us [bmoharris.com]

Kids Guess Default Password "123456" (1)

horm (2802801) | about 3 months ago | (#47197381)

Breaking news!

Re:Kids Guess Default Password "123456" (2)

OS2toMAC (1327679) | about 3 months ago | (#47197817)

We're talking Canada. Password was probably "hockey".

Re:Kids Guess Default Password "123456" (2)

mythosaz (572040) | about 3 months ago | (#47197931)

C'mon. Even the Canadians know to use h0ckey.

Re:Kids Guess Default Password "123456" (0)

Anonymous Coward | about 3 months ago | (#47198383)

Breaking news!

HA HA HA!! Wow! I saw that movie too! And so did you! We are like brothers, you and I. Finally, after all those years of lonely isolation and social awkwardness, FINALLY we can feel like part of a shared culture. Now all we have to do is exaggerate the merits of every single instance of this meme, preferably by modding all of them up to +5 Funny. Then our desperate need to feel like we belong will be satiated and as human beings we will be fulfilled and complete.

Re:Kids Guess Default Password "123456" (0)

Anonymous Coward | about 3 months ago | (#47199205)

abc123

Too dangerous to keep digitally now? (1)

coastwalker (307620) | about 3 months ago | (#47197383)

Does anyone else think that it's getting too dangerous to keep some information in a digital form? Is some information destined to forever be kept in a printed form?

Re:Too dangerous to keep digitally now? (1)

ClownPenis (1315157) | about 3 months ago | (#47197417)

No. Security through obscurity is worthless.
Keeping the default administrator password default is the problem.

Re:Too dangerous to keep digitally now? (2)

geekoid (135745) | about 3 months ago | (#47197569)

NO, it is not worthless. It is a layer of security, and a valid one.

Any single layer security process is foolish.
Risk, costs, effort: these are all factors that need to be mitigated.

Re:Too dangerous to keep digitally now? (2, Insightful)

schwit1 (797399) | about 3 months ago | (#47197689)

If security through obscurity was worthless the military would be wearing fluorescent orange uniforms.

security through obscurity = camouflage

Re:Too dangerous to keep digitally now? (2)

lars_stefan_axelsson (236283) | about 3 months ago | (#47198323)

Sure, the warning should really be against "Security only through obscurity." But that doesn't scan. Or something.

Then again, there are times when obscurity will hinder your security. I.e. it's a better trade-off to publish your new crypto algorithm to try and attract the experts to tell you where you got it wrong, rather than relying on your own expertise. Unless you're a government signals intelligence organisation you probably don't have it.

Also. Keeping a well defined secret, is not "obscurity". So having a crypto key, or (in this case) a password, is not a problem per se. That's not "obscurity" as such. Thinking that having it printed in a manual that "the wrong people won't ever get to look at" without making sure of that is putting too much trust in "obscurity" though.

Re:Too dangerous to keep digitally now? (0)

Anonymous Coward | about 3 months ago | (#47198433)

Security through obscurity is not worthless, but it does create a false sense of security.

A military leader would be stupid thinking herself safe wearing a private uniform, while people yet salute her all over the place.

In IT, if you rely on security through obscurity alone, you're probably already broken.

Re:Too dangerous to keep digitally now? (1)

Tom (822) | about 3 months ago | (#47198755)

Uh... no?

The military doesn't think that camouflage deflects bullets. That's the important difference.

Re:Too dangerous to keep digitally now? (0)

Anonymous Coward | about 3 months ago | (#47200787)

If security through obscurity was worthless the military would be wearing fluorescent orange uniforms.

security through obscurity = camouflage

http://en.wikipedia.org/wiki/Dazzle_camouflage

Re:Too dangerous to keep digitally now? (1)

BasilBrush (643681) | about 3 months ago | (#47197933)

Security through obscurity is worthless.

That stupid meme needs to die. Along with "correlation doesn't imply causation".

Re:Too dangerous to keep digitally now? (1)

MikeBabcock (65886) | about 3 months ago | (#47198335)

Except that the latter is very true and frequently needs saying.

Re:Too dangerous to keep digitally now? (1)

BasilBrush (643681) | about 3 months ago | (#47198531)

I didn't say it wasn't true. It's that people here usually use it in a fallacious way. Addressing an argument where the causation has already been pointed out. Almost as if the fact that two things are correlated proves that one did not cause the other.

That's why it's similar to the security through obscurity meme. Security through obscurity is flawed, just as every other form of security is. But as one element of security it does indeed have positive not negative value.

Re:Too dangerous to keep digitally now? (1)

suutar (1860506) | about 3 months ago | (#47198431)

It's true, though. Security _plus_ obscurity is great, but if obscurity is an _important_ part of your security system, there's a problem.

Re:Too dangerous to keep digitally now? (0)

Anonymous Coward | about 3 months ago | (#47198975)

That stupid meme needs to die. Along with "correlation doesn't imply causation".

Well, except that correlation actually often does not imply causation. For instance, the fact that I have a headache and I didn't take my Thyroxine might well correlate temporally, but it certainly doesn't mean forgetting to take my Thyroxine in any way caused the headache. A failure to recognise that unrelated things do often happen at the same time can lead to a lot of chasing of wild geese.

Re:Too dangerous to keep digitally now? (1)

infogulch (1838658) | about 3 months ago | (#47197447)

With that sentiment, you'd never put *anything* online. This whole thing is just some asshat ATM admins leaving stuff in the *default configuration*. This is the equivalent of buying a home router and not changing the default password (though nowadays routers come with individualized passwords, but they didn't used to).

Re:Too dangerous to keep digitally now? (5, Interesting)

cdrudge (68377) | about 3 months ago | (#47197645)

though nowadays routers come with individualized passwords, but they didn't used to

When Verizon FiOS first came to my area, the autogenerated WEP password was based on a 5 character SSID. There were online tools [whatsmyip.org] that you could use to lookup what the default password would be and almost no one, relatively speaking, bothered to change it from the default. Came in handy on more than a few occasions to get free wifi as just about anywhere you go you were in range of someone that had FiOS.

Another brand used the wireless MAC as the WEP key. shm

Re:Too dangerous to keep digitally now? (0)

Anonymous Coward | about 3 months ago | (#47199379)

Another brand used the wireless MAC as the WEP key. shm

I'm sorry but you're going to have to surrender your Honorary Black Person card. Real black people know it's "smh" which stands for "shaking my head" and only authorized negroes may use this phrase.

Re:Too dangerous to keep digitally now? (0)

Anonymous Coward | about 3 months ago | (#47200785)

There's an Irish ISP called Eircom that, for a good while, shipped Netopia routers with a security flaw that would let you get the WEP key by knowing the device's MAC address.
Source: http://www.bacik.ie/eircomwep/howto.html

Re:Too dangerous to keep digitally now? (1)

Seranfall (680430) | about 3 months ago | (#47197455)

And what exactly are you using to create that printed document? Unless you typed it out on an old school typewriter it is already in digital form.

Re:Too dangerous to keep digitally now? (0)

Anonymous Coward | about 3 months ago | (#47197461)

Some things are better to just forget than record in any form.

Re:Too dangerous to keep digitally now? (1)

fermion (181285) | about 3 months ago | (#47197971)

This is one of those cases where security by obscurity should not be relied upon. So the answer to your question is yes and no. The owner's manual should probably not be considered so secure that it should not be online. The password used for a specific machine or specific implementation of a generic hardware token probably should not be posted online.

Re:Too dangerous to keep digitally now? (1)

SethJohnson (112166) | about 3 months ago | (#47197983)

If you're referring to the documentation being in digital form, the referenced article does not explain where 'online' the kids found the operator's manual. It could very well, and probably was, a scanned document on a hackerz website or torrent.

Re:Too dangerous to keep digitally now? (1)

praxis (19962) | about 3 months ago | (#47198421)

Does anyone else think that it's getting too dangerous to keep some information in a digital form? Is some information destined to forever be kept in a printed form?

Both digital and analogue information cannot be secured perfectly; because some banks know not to change the default administrator from the well-known one is not a statement on how best to store a particular piece of information.

In other news... (5, Funny)

Anonymous Coward | about 3 months ago | (#47197397)

In other news, domestic terrorist ringleaders Matthew Hewlett and Caleb Turon were arrested today in what Department of Homeland Security spokesman Peter Atriot called "a blow for freedom against Jihadists". The two men are believed to have diverted funds vital to global banking, thereby aiding and assisting worldwide terror organisations.

Re:In other news... (1)

Anonymous Coward | about 3 months ago | (#47198249)

I know you were joking, but you just associated their full names directly with some very negative and untrue stuff in a place that is heavily indexed by search engines. In an age when people skim the blurbs in their Google results for the information they want (not to mention the known and presumed data mining/collecting practices of certain government agencies), one should be more careful with the things he writes online.

Post responsibly.

Not hacking this term is thrown so loosely (2, Insightful)

Anonymous Coward | about 3 months ago | (#47197401)

Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.

Re:Not hacking this term is thrown so loosely (1)

Anonymous Coward | about 3 months ago | (#47197473)

Reading a manual and following step by step instructions which tell you how to get into operator mode is NOT HACKING.. UGH.

I dunno, FTFA:
Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked.

They guessed the admin password. Sounds like hacking to me.

Re:Not hacking this term is thrown so loosely (1)

Cro Magnon (467622) | about 3 months ago | (#47197537)

Is it considered hacking if the admin password is "123456"?

Re:Not hacking this term is thrown so loosely (1)

ColdWetDog (752185) | about 3 months ago | (#47197655)

Is it considered hacking if the admin password is "123456"?

No, it's considered packing. As in 'packing your luggage'.

Re:Not hacking this term is thrown so loosely (1)

Charliemopps (1157495) | about 3 months ago | (#47197733)

The AT&T hack was considered a hack and all the dude did was go to an url that was something like:
att.com/account/1234
and change the number at the end to: 1235
etc...
He got... 10yrs was it?

Re:Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 3 months ago | (#47198087)

The AT&T hack was considered a hack and all the dude did was go to an url that was something like: att.com/account/1234 and change the number at the end to: 1235 etc... He got... 10yrs was it?

That's not all he did. He did that over and over and over. Millions of times. If he'd stopped at illegally accessing a few accounts, he wouldn't have gotten in the trouble he did.

Re:Not hacking this term is thrown so loosely (1)

X0563511 (793323) | about 3 months ago | (#47197781)

Yes, but it's a stupid and easy one.

Re:Not hacking this term is thrown so loosely (1)

RavenLrD20k (311488) | about 3 months ago | (#47197891)

Just as much as if the admin password was "toor", "god","dog","password", or "openSesame". A hack is still a hack even if it doesn't require a high level of skill. The skill required to successfully pull off a hack (and not get caught) only contributes to the degree of warm fuzzies a hacker would feel. It does not change the fact that it is a hack.

Re:Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 3 months ago | (#47199545)

So how many tries at guessing the admin password does it take before this is considered hacking? 10? 100? 1000? 1000000?

Re: Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 3 months ago | (#47204225)

"So how many tries at guessing the admin password does it take before this is considered hacking? 10? 100? 1000? 1000000?"

actually we call that cracking ;)

Re:Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 3 months ago | (#47197585)

If guessing '123456' is hacking then I fear for computer security in the future. It said hacking is a loosely used term and that perspective is still unchanged.

Re:Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 3 months ago | (#47197799)

I would still fear for future computer security even if guessing 123456 wasn't hacking. Might even fear it more.

Two kids could have stolen an ATM's worth of money, without even hacking it.

Car analogy time: How would you feel if some random kid could disable your car's brakes just by asking it to?

Re:Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 3 months ago | (#47197997)

Car analogy, can already be done, usually requires custom hardware integrated after manufacturer though. The problem we have is the LACK of security and proper test-cases in products, considering this hacking makes it seem bolder than it really is which all it was is an improper setup of an ATM. It is just an opinion, sadly the broad definition of 'hacking' considers this as so, but I don't agree.

On the other hand with your car analogy, that is a much worse situation and potentially life threatening. There is a main BUS that lets the entire car communicate with each other and can be manipulated by external hardware. That is just a lack of security from the ground up by car manufacturers where the ATM was just a bad tech not doing his job.

Re:Not hacking this term is thrown so loosely (1)

ThePackager (562279) | about 3 months ago | (#47197843)

So we need a new term that refers to the non-malicious, sensible demonstration of system vulnerabilities. Hacking is a violent term and dredges up connotations of evil, or at least intense coughing. How about 'Slacking' - 'Door Pointing' - or 'Hewlett-Turoning' (give the kids some fame!)

Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 3 months ago | (#47198799)

So they found a manual and read it, so what?

These are two kids. They gained admin control of an ATM, which should have significant hardening against any such attempts. Yes reading a manual makes it easier but it should still be difficult. I've been the admin for many systems (not ATMs). None of those systems would make it easy enough for 2 teenagers to break into. In fact they would vigorously resist most break-in attempts.

The OP makes it sound like it was little more than "hold down the Control key while rebooting."

Re: Not hacking this term is thrown so loosely (0)

Anonymous Coward | about 3 months ago | (#47202831)

Can we get out of 1990's "hacking":
Under 15, working with computers, doing something unauthorized.

Considering today kids have iphones at age 6, laptops by 11, and access to manuals and passwords online... all the time.

Relax, folks. (5, Insightful)

Anonymous Coward | about 3 months ago | (#47197413)

This is Canada. As long as they don't try to link good science to administrative policy, the government probably won't care.

I want to be shocked, but I just can't be. (4, Interesting)

Ghostworks (991012) | about 3 months ago | (#47197435)

Back before the internet, it was common practice to put hard-coded admin passwords in documentation, in case anyone should forget the real password. In some industries (say, construction road signs) it just never occurred to them that anyone would ever care to look it up for a prank. In other industries, like ATMs, the assumption was that documentation was obscure and difficult to lay hands on without writing to a real person who then had to mail a manual to a real address of an existing customer.

The fact that they still do this is depressing, but doesn't surprise me in the least.

Re:I want to be shocked, but I just can't be. (1)

TubeSteak (669689) | about 3 months ago | (#47197565)

These aren't hard coded admin passwords, just default passwords that were never changed.

Re:I want to be shocked, but I just can't be. (1)

X0563511 (793323) | about 3 months ago | (#47197791)

You'd think watching Mitnick do what he did to the telcos would have cured them of that assumption.

Guess not..

Re:I want to be shocked, but I just can't be. (0)

Anonymous Coward | about 3 months ago | (#47197929)

Nope, once they got Mitnick, they figured the problem was solved - after all, nobody else could figure it out, right ?

Re:I want to be shocked, but I just can't be. (2)

Darinbob (1142669) | about 3 months ago | (#47198271)

They thought Mitnick was some sort of super genius, like Lex Luthor.

What it really comes down to is money. It's more expensive to make things secure than to accept a 2% estimated loss per year. This is basically a convenience fee.

Re:I want to be shocked, but I just can't be. (1)

UnknownSoldier (67820) | about 3 months ago | (#47198435)

> (say, construction road signs) it just never occurred to them that anyone would ever care to look it up for a prank

Gee, kids don't respect authority? This has been going on since the beginning of time ...

"Our youth now love luxury. They have bad manners, contempt for authority; they show disrespect for their elders and love chatter in place of exercise; they no longer rise when elders enter the room; they contradict their parents, chatter before company; gobble up their food and tyrannize their teachers." -- misattributed to Socrates

City officials get butt hurt because somebody wanted a little humor with "Warning Zombies Ahead!" ... they need to chill out.
http://www.pressherald.com/201... [pressherald.com]

Kids these days. (1)

Rodness (168429) | about 3 months ago | (#47197453)

By "hacked" you mean "followed printed instructions from a user's manual". If that's the new "hacking" then I weep for mankind.

Re:Kids these days. (5, Insightful)

Ionized (170001) | about 3 months ago | (#47197587)

they were inquisitive, did some research, and experimented on a system, and succeeded in gaining unauthorized access. they then responsibly reported their findings to the device owner.

what these kids did, while perhaps not quite on par with hacking the gibson, still very much represents the (white hat) hacker ethos at work.

you, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.

Re:Kids these days. (1)

X0563511 (793323) | about 3 months ago | (#47197815)

He didn't fiddle-fart around with it... he just shat on it directly. At least he didn't screw around, and just came to the purpose without delay...

Re:Kids these days. (-1)

Anonymous Coward | about 3 months ago | (#47197899)

you, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.

Whereas you represent the asshole ethos by being an asshole.

Pissing in the snow does not make you an ice sculptor. Creating a wordpress page does not make you a web programmer. Picking up garbage does not make you a sanitation engineer.

Re:Kids these days. (1)

Rodness (168429) | about 3 months ago | (#47203513)

I didn't say anything at all about their actions, one way or another. I took issue with the use of "hacked". They didn't hack anything, they breached security by using the instruction manual.

You misunderstood what I meant, which was in fact literally what I said, and you were an asshole about it.

Have a nice day.

Re:Kids these days. (1)

Ionized (170001) | about 3 months ago | (#47204853)

you have a very narrow definition of what 'hacking' is. i disagree, and the mods seem to agree with me.

what these kids did definitely qualifies as hacking.

taking apart a transistor radio to figure out how it works, and putting it back together, is hacking.

talking someone into giving you their password over the phone, is hacking. (yes, it's social engineering. that's a form of hacking.)

there are very many other, very wildly different examples i could give if i had the desire.

it's an umbrella term. deal with it.

Re:Kids these days. (0)

Anonymous Coward | about 3 months ago | (#47205483)

Being inquisitive and acting responsibly does not a hacker make. A "white hat", but the hatted brigades are not filled with hackers, merely confused s'kiddies. The fact that they need hats to sort themselves speaks bundles already.

"Hacking" always was about outstanding creativity with technology, and what the kids did was take a few baby steps down that road perhaps. Good for them. That doing so they did about as well as the rest of the wannabe bunch in computer security speaks volumes for the level the "professionals" operate at, but even that does not a hacker make.

It makes about as much sense as calling any talking head on the telly an "expert" just because his head was on the telly, or any random joe shmoe with a cool idea and a networked computer an "internet guru" as was de rigueur around the bubble and still is, by and large. So your confusion is par for the course but that doesn't make it justified.

If stating the obvious about a horribly abused term makes one an asshat, then make that an asshat weeping for humanity.

Re:Kids these days. (1)

alta (1263) | about 3 months ago | (#47197911)

Exactly, Title should be changed to
Kids With Operators Manual Alert Bank Officials: "We 'Hacked' Your ATM"

Additional quotes around the word "Hacked"

Since it's not hacking.

Re:Kids these days. (1)

John Bokma (834313) | about 3 months ago | (#47199729)

"Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. " Maybe you should start reading, you might become a real 733+ hacker ;-)

Re:Kids these days. (1)

freeze128 (544774) | about 3 months ago | (#47200507)

We need to come up with a phrase that fits what they did. Something like "Script Kiddies", but with printed books.

The real crime is... (3, Insightful)

g01d4 (888748) | about 3 months ago | (#47197481)

Their first random guess at the six-digit password worked. They used a common default password.

When does incompetence become criminal neglect?

Re:The real crime is... (2)

Wain13001 (1119071) | about 3 months ago | (#47197503)

When it uses the same combination as my luggage!

Re:The real crime is... (1)

Obfuscant (592200) | about 3 months ago | (#47197637)

Their first random guess at the six-digit password worked. They used a common default password.

When does incompetence become criminal neglect?

The Sun article was written by a moron. If they're using a common default password then it wasn't a random guess.

I'd be more impressed if they played the tune "Take Me Down to the Basement..." (sounds like "Take me out to the ballgame") on the keypad and it gave them $400.

I think it becomes criminal neglect once a law is passed saying that forgetting to set a password on a device is a crime. You'd have a hard time getting from "human mistake" to "it's a crime!" otherwise.

Where the kids need a bit of education is in what they did to the machine after they "hacked" it. Setting the surcharge to 1 cent and changing the welcome message to tell people to go away was irresponsible. It didn't fix the problem, it didn't educate the bank, it just cost them money.

Re:The real crime is... (0)

Anonymous Coward | about 3 months ago | (#47199645)

Never!

We are going to make examples out of people who walk through open doors and tell people they found the door open.

Having the state prosecute them is cheaper than actually fixing the issue.

Operator Mode (1)

Destined Soul (1240672) | about 3 months ago | (#47197495)

I wonder what actually is accessible via operator mode. Changing text and the fees is one thing, but can it actually give the 'operator' any money by either changing the account where fees are deposited and/or by directly 'withdrawing' the money on the spot (without a bank account).

Re:Operator Mode (1)

Bob the Super Hamste (1152367) | about 3 months ago | (#47197579)

From what I understand you can change what the machine believes it is loaded with. So if it is physically loaded up with $20 bills then you tell it is loaded with $1 bills and let people make withdrawals. The person goes and makes a withdrawal for $40 dollars, so $40 gets subtracted from their account but instead they get $800 physical dollars because they got 40 $20 bills.

Re:Operator Mode (1)

zippthorne (748122) | about 3 months ago | (#47199281)

Why is this possible? You can hardly buy a $50 printer that doesn't know exactly what ink cartridge has been placed, but ATMs need to be told by the operator?

Re:Operator Mode (1)

Joe_Dragon (2206452) | about 3 months ago | (#47200319)

bills are the same size and need to be able to use bills all over the world and I think most atms don't have a reader / scanner for loading the cassettes. Most are manual load.

Re:Operator Mode (1)

zippthorne (748122) | about 3 months ago | (#47220679)

I'm not suggesting it should read the bills themselves (although, when dispensing, it should probably read/scan them as a sanity check), but that it should read the cartridges, which should have encrypted IDs, moving the problem to the facility where the cartridges themselves are packed, but that's more manageable.

Re:Operator Mode (2)

Bob the Super Hamste (1152367) | about 3 months ago | (#47201645)

Well it has been done before [schneier.com] and this seems like something that would be accessible when in operator mode.

Re:Operator Mode (0)

Anonymous Coward | about 3 months ago | (#47198265)

Most ATMs these days run on Windows (usually XP) and a small number on other operating systems. The transaction interface as well as the ATM supervisory interface are software programs. They can be programmed to do anything.

In actuality the supervisory interface provides functions such as replenishment of supplies (cash cassettes, printer rolls, etc.), copying of electronic journal, uploading of data, etc. The ATM diagnostic mode is also accessed through the supervisory interface. The diagnostic mode does allow cash dispense as part of dispenser diagnostics. But this is only allowed if the safe is open (if the safe is open, you already have access to money).

However, there are multiple layers of security. Besides things like passwords, some applications require secure key cards for access to various levels or online login and verification, supervisory access only through ATM rear, etc.

It's really sad that they'll go to jail (0)

Anonymous Coward | about 3 months ago | (#47197501)

Obviously, they did nothing wrong, but they are going to end up in jail anyway. I find that very sad.

It's really sad that they'll go to jail (0)

Anonymous Coward | about 3 months ago | (#47197753)

This is Canada. They won't go to jail. They'll just get a stern talking to and inspire a lot of angry letter-writers.

Just wait ... (1)

Xciton (84642) | about 3 months ago | (#47197507)

Criminal charges pending in 3 ... 2 ... 1 ....

Demo Disks (5, Interesting)

Ronin Developer (67677) | about 3 months ago | (#47197521)

Years ago, when ATMs were first becoming available, someone I know worked as a security exec for a large bank. Seems back then, each ATM came with a demo disk that, when inserted into a floppy disk port inside the ATM's housing (but, easily accessed) placed the machine into demo mode and allowed the operator full control of the device. The sales operator could then fully demonstrate ALL the features of the ATM - including the automatic dispensing of cash.

With furled eyebrows, he asked whatever became of all the demo disks after the ATM was installed..nobody knew...just assumed they were thrown out. He asked if they considered this a problem. And, he was told 'No'. At the time, stealing the ATM was all the rage and his concerns were discounted...until one day when money just started disappearing from ATMs. Seems, somebody else found or had one of those disks and realized what they had.

Pretty scary these kids could find a manual online and that the command sequence to place it into admin mode could be done from the user console vs a separate terminal. One has to wonder if they could have dispensed cash like a Pez dispenser like was possible with the old demo disks.

Re:Demo Disks (0)

Anonymous Coward | about 3 months ago | (#47202383)

... he asked whatever became of all the demo disks after the ATM was installed..nobody knew...just assumed they were thrown out. He asked if they considered this a problem. And, he was told 'No'. At the time, stealing the ATM was all the rage and his concerns were discounted...until one day when money just started disappearing from ATMs. Seems, somebody else found or had one of those disks and realized what they had.

I wonder how long it will be before a disc image of one of those floppies surfaces again.

Re:Demo Disks (0)

Anonymous Coward | about 3 months ago | (#47205019)

Nothing about the manual being available online, or the ATM being controllable from the front panel is actually scary. What really irritates me is the fact that the ATM does not force the user to change the password before it enables any "consumer" access at all.
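The control asked for in the comment above, as an added sketch that is not part of the original thread and not any vendor's firmware: a terminal that refuses to enter customer service until the factory operator password has been replaced with a non-trivial one. The class, its method names and the placeholder default `000000` are all hypothetical.

```python
"""Provisioning gate: no customer service until the factory operator
password has been replaced. All names and values here are hypothetical."""
import hashlib
import hmac
import os

FACTORY_DEFAULT = "000000"  # constructed placeholder, not a real vendor default
MAX_FAILURES = 3            # operator login locks after this many bad guesses


def is_weak(password: str) -> bool:
    """Reject six-digit codes that a first guess would find."""
    if len(password) != 6 or not password.isdigit():
        return True
    if password == FACTORY_DEFAULT or len(set(password)) < 4:
        return True  # the default, or too few distinct digits (111111, 121212)
    steps = {(int(b) - int(a)) % 10 for a, b in zip(password, password[1:])}
    return steps in ({1}, {9})  # ascending or descending run (123456, 654321)


class Terminal:
    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = self._derive(FACTORY_DEFAULT)
        self.must_change = True   # set at manufacture, cleared only by a real change
        self.failures = 0
        self.in_service = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password: str) -> bool:
        """Constant-time comparison that also counts failed attempts."""
        if hmac.compare_digest(self._derive(password), self._hash):
            self.failures = 0
            return True
        self.failures += 1
        return False

    def operator_login(self, password: str) -> str:
        # In this sketch a lockout stays until an out-of-band reset.
        if self.failures >= MAX_FAILURES:
            return "locked"
        if not self._check(password):
            return "denied"
        # The default still authenticates, but only to reach the change screen.
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> bool:
        if self.failures >= MAX_FAILURES or not self._check(old):
            return False
        if is_weak(new) or new == old:
            return False
        self._salt = os.urandom(16)
        self._hash = self._derive(new)
        self.must_change = False
        return True

    def enable_service(self) -> bool:
        """Customer-facing mode is refused while the default is still set."""
        if self.must_change:
            return False
        self.in_service = True
        return True


def demo() -> list:
    """Walk one terminal from factory state to service; returns each outcome."""
    t = Terminal()
    return [
        t.enable_service(),                           # refused: default still set
        t.operator_login(FACTORY_DEFAULT),            # change_required
        t.change_password(FACTORY_DEFAULT, "123456"), # refused: trivial code
        t.change_password(FACTORY_DEFAULT, "482916"), # accepted (constructed value)
        t.enable_service(),                           # now allowed
    ]


if __name__ == "__main__":
    print(demo())
```

The point of the `must_change` flag is that it ships set and nothing except a successful, non-trivial password change clears it, so an installer who skips the step ends up with a machine that will not serve customers instead of one that serves them with a guessable operator code.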

It's a (c)apostrophe! (1)

necro81 (917438) | about 3 months ago | (#47197541)

I know that proper spelling and grammar don't mean shit to most people these days, but would it really have been so difficult for the submitter or editors to include an apostrophe here and there.

Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

I had to read this a few times to figure out what was going on. Why do I care about "kids with operators"? How does one "manual alert" someone? Then I realized that we were talking about an Operator's (or Operators') Manual, and that the submitter and editors were just illiterate.

Re:It's a (c)apostrophe! (1)

Anonymous Coward | about 3 months ago | (#47197765)

I know that proper spelling and grammar don't mean shit to most people these days, but would it really have been so difficult for the submitter or editors to include an apostrophe here and there.

Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

I had to read this a few times to figure out what was going on. Why do I care about "kids with operators"? How does one "manual alert" someone? Then I realized that we were talking about an Operator's (or Operators') Manual, and that the submitter and editors were just illiterate.

I know that proper spelling and grammar don't mean shit to most people these days, but would it really have been so difficult for this commentator to include a question mark at the end of his rhetorical question?

Re:It's a (c)apostrophe! (0)

Anonymous Coward | about 3 months ago | (#47198393)

I think you mean "the submitter and editors were just AMERICANS", because they sure as hell can't cope with basic spelling and grammar... They don't even know what the words 'then', 'that' and 'than' mean. Nor do they know what more prepositions mean, and just them at random.

Stop Assuming Appliances Can DropIn Without Config (3, Interesting)

infogulch (1838658) | about 3 months ago | (#47197603)

From this to Highway Sign Hacking [slashdot.org] to that researcher that made a botnet of home routers with default config to ping the whole of ipv4, I really hope admins are getting the point that you can't just drop appliances in public places without adjusting the default configuration. What critical infrastructure is left out there just begging for someone with an operator's manual to wreck it, or even worse, exploit it? Can we get a wake-up call to the administrators of these appliances?

Re:Stop Assuming Appliances Can DropIn Without Con (3, Interesting)

Anonymous Coward | about 3 months ago | (#47197807)

Honestly, I don't think even a wake-up call would do anything. Prime example from my life:

I went to a community college for a few years to get gen-eds out of the way cheap before going to a real college. In one of the buildings, there was a break room that was really popular with students despite not really being anything special - some tables and chairs, and that was about it. I had no idea why it was so popular when there were other break rooms on campus that had TVs and better Wi-Fi access and the like.

A few days in, I found out why. There was an older soda machine in the back of the room, and every so often I'd buy one. Almost every time, I'd wind up getting two (or sometimes three) sodas when I paid for one. At first I thought I was just really lucky, but then I found out that the machine was badly secured. There was a default button combination you could press that would take the machine into admin mode, where you could do things like get it to dispense free drinks. Doing this would cause a bottle to be loaded into position as if someone had paid for it, so the next person to buy a drink would get two.

Apparently, this was a well-known 'secret' on campus. Even the professors did it. I can't tell you how much money the vending machine owner probably lost, and I'm sure they knew that something was up based on how quickly the stuff was disappearing and how the money didn't add up. This was about seven years ago.

I went back to the same school to sign up for some classes just a month ago. On my way back, I stopped at that break room, and sure enough, that machine still hasn't had the password changed.

Re:Stop Assuming Appliances Can DropIn Without Con (3, Interesting)

shadowrat (1069614) | about 3 months ago | (#47198355)

The owner of the machine was probably a genius. The markup on soda is so astronomical that he could probably sell 7 or 8 each time and still come out ahead. He was just shrewdly undercutting his competition on campus.

Re:Stop Assuming Appliances Can DropIn Without Con (0)

Anonymous Coward | about 3 months ago | (#47198967)

You'll never fix that if you consider it a user education problem and not a usability design problem. The right fix is not telling users to change the default password: it's to not allow the user to use the default password. Require it to be changed on the initial setup or have the default be random like new wireless routers do. The user can still make poor security choices, but the system design should not make poor choices be the easy default that a user might not even be aware of. (Also, why does the ATM have an admin mode that doesn't require physical access to the cash box to activate?)
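An added sketch of the design this comment and the earlier "Demo Disks" reply argue for (not part of either comment, and not any vendor's firmware): the terminal refuses customer service and operator mode until the factory passcode has been replaced, and operator functions also need a service switch inside the cabinet. The `Terminal` class, its method names and the `000000` default are hypothetical.

```python
import hashlib
import hmac
import secrets

FACTORY_DEFAULT = "000000"  # constructed placeholder, not a real vendor default


class Terminal:
    """Hypothetical appliance that stays out of service until provisioned."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(FACTORY_DEFAULT)
        self.provisioned = False      # True only after the default is replaced
        self.service_switch = False   # models a key switch inside the locked cabinet

    def _derive(self, passcode):
        # Store a salted, slow hash rather than the passcode itself.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def _check(self, passcode):
        # Constant-time comparison of the derived value.
        return hmac.compare_digest(self._derive(passcode), self._hash)

    def set_operator_passcode(self, current, new):
        """Replace the operator passcode; the default and weak values are rejected."""
        if not self.service_switch:
            return "denied: service switch off"
        if not self._check(current):
            return "denied: bad passcode"
        if new == FACTORY_DEFAULT or len(new) < 8 or len(set(new)) < 4:
            return "denied: weak or default passcode"
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(new)
        self.provisioned = True
        return "ok"

    def enter_operator_mode(self, passcode):
        """Operator mode needs physical access AND a non-default passcode."""
        if not self.service_switch:
            return "denied: service switch off"
        if not self.provisioned:
            return "denied: change default passcode first"
        return "ok" if self._check(passcode) else "denied: bad passcode"

    def serve_customer(self):
        """Customer transactions are refused until setup is complete."""
        return "ok" if self.provisioned else "out of service: not provisioned"
```

The default passcode here is only ever useful for one thing: replacing itself, from inside the cabinet.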

This is surprising... (1)

Anonymous Coward | about 3 months ago | (#47197621)

because I didn't think kids today read anything more complex than the Twilight and Shades of Gray books.

Re:This is surprising... (1)

rickb928 (945187) | about 3 months ago | (#47197759)

Let's hope they don't read any more Slender Man stories.

No charges (2, Informative)

Anonymous Coward | about 3 months ago | (#47197643)

They had permission from an employee. Whether the employee had the authority to grant that permission is another issue altogether, but they were acting with the bank's permission.

Is that really hacking? (1)

GodfatherofSoul (174979) | about 3 months ago | (#47197653)

n/t

How are they not in prison? (1)

Anonymous Coward | about 3 months ago | (#47197703)

Oh. Canada.

Almost the perfect non-crime (1)

rickb928 (945187) | about 3 months ago | (#47197755)

Right up to the "I found a way to change the surcharge amount" part.

Darn.

Kids? (3)

meta-monkey (321000) | about 3 months ago | (#47197767)

Kids?! More like cybercriminal financial terrorists! Time for a no-knock SWAT raid! Flashbangs, go go go and shoot the dog, too!

Kids? (1)

dont_jack_the_mac (2882103) | about 3 months ago | (#47204319)

Remember to re-educate them while they are young and turn them into government agents!

Feynman lives on (2)

Deadstick (535032) | about 3 months ago | (#47197797)

Seems like an echo of Richard Feynman's famous "I can open your safe" hobby at Los Alamos. Same method: guessing at obvious combinations like birthdates, in the 50% of cases where the lock wasn't still on the factory combination.

Re:Feynman lives on (0)

Anonymous Coward | about 3 months ago | (#47199615)

Almost as clever as Feynman's famous "I can shag your wife" hobby.

Re:Feynman lives on (0)

Anonymous Coward | about 3 months ago | (#47205077)

Guessing, the default combination and being able to brute-force the combination while the safe was open. It's a rather entertaining story [openculture.com].

And yet (2)

Hamsterdan (815291) | about 3 months ago | (#47197871)

When there's an ATM fraud in a customer's account, the customer is accounted responsible for his own account.

Admin control is usually a customer requirement (2, Interesting)

Anonymous Coward | about 3 months ago | (#47197881)

I worked on a device that acted as a security gateway within major ISP networks. We read material/took courses/interviewed the various security best practices, guidelines and design suggestions gurus before coming up with the general architecture. We had one-time-use passwords, 2-factor auth, admin mode pw reset that required special hw dongles etc.

The ISPs liked it initially, but their admins kept perma-locking the console, because they'd failed to enter the creds enough times. That forced the key-holder to fetch the dongle to reset the pw. It turned out, the "admins" were often high school dropouts who'd taken some remedial IT courses. Their qualifications were primarily that they'd do shift work for minimum wage, not any particular skill. As such, following printed, step-by-step instructions that required they enter the 2-factor random pw was *far* too complicated. They'd mix the pw order (secure card digits first vs. adminpass), screw up the capitalization etc etc. All the key-holder interventions cost them too much downtime and paid overtime.

In the end, we ended up implementing the industry standard (6-8 character alphanumeric + !@#...) fixed string password. No 2-factor, no admin lockout with a default password that could be reset by holding certain keys down during startup. All the cutting edge stuff was tossed, because the freakin' ISPs' admins were smeg heads.

Argh!

Re:Admin control is usually a customer requirement (1)

iggymanz (596061) | about 3 months ago | (#47198479)

and your managers changed security to pander to smeg heads. what does that make them?

Re:Admin control is usually a customer requirement (0)

Anonymous Coward | about 3 months ago | (#47199445)

Not out of business.

Ironically... (0)

Anonymous Coward | about 3 months ago | (#47197935)

Viewing that article (after viewing 10 other articles on that site) appears to require "hacking" the site:

- Use NoScript.
- Use a User Style with: .visuallyhidden { clip:auto; position:static !important; }

Good to see! (1)

MoonlessNights (3526789) | about 3 months ago | (#47198057)

Good to see on many fronts:
1) kids looking into how things actually work and wondering about what that means
2) kids acting to fix the problem, as opposed to exploiting it
3) a company actually thankful for the help without "shooting the messenger"

In terms of the ATM configuration, I am a little surprised that it was so easy to get in. It reminds me of when I used a similar technique to get configuration access to a heated timer cabinet at a McDonald's, when I was in my teens (It meant I could use it to solve some additional problems which had no ideal solutions - as well as add my name as a food item). That wasn't changed from its factory defaults but that one was at least behind the counter so it was physically protected. I am a little surprised that there isn't some kind of physical locking switch to enable that mode, on these devices. Banks are usually pretty good about that.

Still, at least I am happy to see that they were thankful for the help.

APB for John Conner (0)

Iniamyen (2440798) | about 3 months ago | (#47198061)

Eeeeeeasy money!

"do the right thing" (0)

Anonymous Coward | about 3 months ago | (#47198133)

give those kids some money - they deserve it for finding what highly paid security personnel did not

Land of the Free (tm) (1)

Bitbeard (1665499) | about 3 months ago | (#47198183)

I'm 100% sure that in the Land of the Free (tm) this would get you arrested. Just ask Shane Becker [iamshane.com] .

Re:Land of the Free (tm) (0)

Anonymous Coward | about 2 months ago | (#47285141)

If not granted permission, it would be "unauthorized access of a system", which is indeed illegal. Just as elevating an account's rights and going places you weren't intended to go is illegal. Sort of like the difference between breaking and entering. Gaining access to the system without authorization would be the breaking, and of course wandering about while you're there would be the entering.

And, as in most cases, if someone finds your keys and tells you about it, it doesn't cause harm. When they drive your car to your house and put them on your kitchen counter for you is when most people start getting upset...

Double Liver Transplant? (1)

forty-2 (145915) | about 3 months ago | (#47198505)

"Matthew has endured serious health issues since an early age and had a double-liver transplant three years ago..."
We have two livers?! And all this time I've been drinking like I've got just the one...

Canadian politeness (0)

Anonymous Coward | about 3 months ago | (#47198511)

This is Canada. Those kids were politely letting the bank know that they were being fleeced.

Change the surcharge (0)

Anonymous Coward | about 3 months ago | (#47198639)

Come on down to australia, where our criminal banks are charging up to $4.00 to use a competing bank's ATM.

You know what must be done. Fix our ATMs for us, would you kids?

Canadian Banks Are Criminals (1)

HannethCom (585323) | about 3 months ago | (#47199101)

It is illegal in Canada for a bank to charge any money for use of an ATM machine. (All Canadian banks I know of illegally charge for use of their ATM machines) The account at the bank may have a transaction fee that applies if using a teller, ATM from the bank, or ATM from another bank. The fee must be the same for all 3 transaction types. This is in the banking charter.

There are companies that are not banks that provide ATM service that are allowed to charge fees because they do not fall under the banking charter.

Also Credit Unions can have ATM machines, and they can charge fees, as they do not fall under the banking charter. As far as I know, all credit unions work together in Canada, at least BC and they have agreed not to charge for use of their ATM machines.

The banking charter provides protection to the banks and their customers in exchange for some restrictions. Credit Unions have more freedom in how they operate, but there is little government protection of them.

Oddly enough, all credit unions I know of follow all the statutes of the banking charter, so that they have the option of applying for bank status. Banks are supposed to lose their bank status and charges laid on the people responsible for breaking the law. That being said, I read through the charter a while back and found that every bank I know of breaks every law in the charter daily. In the case of transaction fees, millions of times a day.

Why aren't they called on their illegal operations? I'd like to know that myself.

Re:Canadian Banks Are Criminals (1)

Overzeetop (214511) | about 3 months ago | (#47199717)

That's an easy one - the fee is charged in all three cases, but for customers of the bank the fee is automatically refunded. QED. It's like not being allowed to charge a surcharge for Visa/MC transactions, so vendors jack the prices up 3% and then offer a discount for cash. (This has mostly ended as V/MC got wise and changed the wording to close that loophole, but governments are much slower to catch such things, and politicians are well paid to not close those loopholes)

Uh, oh (0)

Anonymous Coward | about 3 months ago | (#47198681)

If this was in the USA, they'd already be in jail.

I'm surprised (1)

Kazoo the Clown (644526) | about 3 months ago | (#47198935)

- an administrator mode is accessible from the customer interface? And if they really insisted on doing that, they don't even require some kind of special admin credit card or key to be inserted? What moron designed that?

good lord (0)

Anonymous Coward | about 3 months ago | (#47199031)

If that had happened in America they would have been prosecuted 6 ways across time. That's not shit you tell the bank; you put that crap on IRC and let nature take its course.

If this happened in the US (1)

ka9dgx (72702) | about 3 months ago | (#47199345)

If this were a couple of kids in the US... they would both be on their way to Gitmo, the anti-rejection drugs the kid probably needs to stay alive wouldn't be addressed... then the remaining kid would probably go on a hunger strike in Solitary.

Oh... and someone at the Bank would be put in charge of a new "cyber security" division, with a big bonus and a corner office.

I wish we could be more like Canada sometimes.

BMO ATM's hacked (1)

Clived (106409) | about 3 months ago | (#47199519)

Good thing I don't bank with BMO ..:P

If you don't change the default password... (1)

phillymjs (234426) | about 3 months ago | (#47199935)

...you deserve what you get, and any liability for a resulting "security breach" should be on you-- not on someone who can find a copy of a user's manual online.

Like previous commenters have said, these kids are damn lucky they're in Canada. In the US they'd have been fucking crucified.

Sadly (0)

Anonymous Coward | about 3 months ago | (#47200297)

I'm sad for these kids... Usual corporate response in such is shoot the messenger instead of fixing the damn problem...

Any bets how long until these two kids are charged by FBI for whatever they can think of them being guilty of...

Comments (0)

Anonymous Coward | about 3 months ago | (#47200465)

If we're going to have the same stories after slashdot, can't we just import all the comments so there'll be something to talk about?

surcharges (1)

Khashishi (775369) | about 3 months ago | (#47200955)

So how much is made off of surcharges? I want to know!

Not in the USA.. (1)

h8sg8s (559966) | about 3 months ago | (#47201591)

Wouldn't our bizarre laws here in the good old USA have charged these kids with a 'crime' and put them away for 5 years in the slammer? This is what happens when you let luddites write laws affecting technology. We need to elect more engineers and fewer lawyers.

Haha (0)

Anonymous Coward | about 3 months ago | (#47205097)

They did not hack. What they did was simply read an operator's manual. A far cry from hacking.

They should have copied the 3DES keys (1)

marcgvky (949079) | about 3 months ago | (#47249647)

And posted them onto the Internet. There's your proof. Now go re-inject every device on your bank network LOL