Station de télévision exposé its own passwords on l'air. A Franglais report

Oh dear oh dear.

To save the embarrassment of TV5MONDE I have attempted to write the following story in Franglais, so only people with a loose understanding of the French language will be able to laugh at the TV station's ineptitude.

Malheureusement, le TV station Francaise TV5MONDE qui était hacked dernière semaine has had un autre grande cock-up.

Dans un interview avec TV5MONDE journaliste David Delos about le hack, vous can see les mots de passe (passwords en Anglais) de les accounts de social medias de TV5MONDE.

Password fail

Une énorme faux pas, n'est pas?

Another password fail

Oui. Le YouTube password de TV5MONDE est "lemotdepassedeyoutube", qui en Anglais est "the password of YouTube".

D'oh.

Je wonder que les passwords pour Instagram and Twitter might be?

Un autre password faux pas was seemingly accidentellement made public dans un news report de le TV5MONDE hack by le news gare BFMTV:

Yet another password fail

Sacre bleu.

Chapeau-tip: Ars Technica.


5 Responses

  1. Coyote

    April 12, 2015 at 1:04 am #

    "so only people with a loose understanding of the French language will be able to laugh at the TV station's ineptitude."

    Where is the fun in that ? Thankfully you solved the problem with that handy hyperlink. Which I appreciate because laughter is therapy, is it not ? While they have a horrible policy in place (if they didn't fix it by now … suggestions below for them!) they're not alone by any means. I suppose that makes it a lot better, at least for those who wish to abuse the fact (and it does allow for laziness, admittedly, and who doesn't like being lazy ?). As for those doing similar (even if laughing at the specific examples), hopefully you'll take this as an opportunity to improve things. The following steps could (but 'probably' shouldn't) be followed (shouldn't be followed literally, that is for sure), for example. If you don't speak gobbledegook, you might just want to fix your mistakes (but interestingly, and quite ironically, some of the logic below does work until you analyse it further) and ignore the below (perhaps that is best in any case) (although it is a good example of things not to do). Choose your poison.

    1. Save the passwords in a file on your computer (tip: prefer world-readable access, and make sure you have a guest account, so that in the case you forget the password – and forgot to store it elsewhere, such as the next step – you can still discover it with a little extra work) in a plain text file, instead. Label it PASSWD.LST (file name in all caps because it is easier to see and in any case, PASSWORD123 is the same thing as password123 – much like 123ABC being equal to 123abc – so it doesn't make a difference).
    2. When you have a visible list just make sure you have a fake list on top of the real list (you can still keep the real list though since it is now covered; notice that if they did this their passwords wouldn't have been leaked on a video). (Realistically this is better if you're going to have a list like this, but you shouldn't do that.)
    3. Alternatively just change your password daily. A possible method is the two digit day of the month and the month name (example 11april), or the day of the year (and if you want a little extra protection include this year or better yet yesteryear or next year). Hint: depending on location, today is 101 (which is easy to remember because this is 'bad password advice 101') or 102.

    I'll err on the side of caution and say 1 and 2 (combined: 1 + 2 = 3) are easier to implement than 3 alone but 3 is likely an equally as strong policy (of course 1 + 2 + 3 = 6 > 3 so all three is best). Either way, taking these steps would improve things, wouldn't they ? I'm fairly sure they're safer and more secure because they're not in plain sight (assuming you covered the real list); certainly it isn't as obvious as what this TV station did. Even better is that there are additional layers of protection (literally and figuratively) and that is actually a good thing (just not in this way).

    Then again… perhaps instead you should just fix your mistakes immediately, without fail, and immediately means now, not later. I think that's better, although no relevant party would be reading this (admittedly I can understand that if you consider the utter nonsense above!) but if they do hopefully they take it as what not to do (minus the part about correcting any mistakes).

    • Anonymous in reply to Coyote.

      April 12, 2015 at 2:43 pm #

      I like how you proved the strength of your proposal by adding up the numbers you used to list your points as a means of weighing them against themselves individually…

      • Coyote in reply to Anonymous.

        April 14, 2015 at 12:44 am #

        To be honest I didn't think anyone would appreciate my thoughts there, even though some of the logic works initially (and indeed that was the idea with weighing the strengths of the methods). Thanks for proving me wrong. Yes, I had amusing ideas (but it must be said that almost everything is amusing to me) but obviously none of it was meant to be serious, at least not literally (with perhaps the last paragraph). I'm glad that at least someone – anonymous as they might be – found it of some interest (however preposterous my suggestions were).

  2. Mika

    April 12, 2015 at 5:12 am #

    Je m'incline de rire Mr Graham.
    Thank you.

  3. PT

    April 13, 2015 at 5:57 pm #

    tres amusant, merci mon brave
