iPhone...DENIED
had his iPhone confiscated
A fate worse than a fate worse than death
The 17-year-old lad who confessed to hacking crimes against UK ISP TalkTalk was today slapped with a 12-month rehabilitation order and had his iPhone confiscated. The teen received the sentence, of sorts, at Norwich Youth Court, in east England, where chairman of the bench Jean Bonnick reportedly told the unnamed individual …
This happened in Norfolk. Nothing good comes out of that County.
I believe there's a medical acronym that local doctors put on patients' case notes - NFN, meaning "Normal, for Norfolk".
Still, Sussex is stranger, as anyone who's read "Cold Comfort Farm" will attest. I saw something nasty in the woodshed, Robert Poste's child!
was he hacking from an iphone?
I suspect this is just out of touch judges having less clue than a 2 year old and thinking it says it has the internet so that's that.
Anyway, if he was half sensible he already had the hard drive backed up somewhere suitable, borrowed a computer from his friend and shared the whole good news around.
Frankly a stupid prosecution from a stupid law. The real criminal in this is TalkTalk for not protecting their systems and data... they are the ones that should be on trial NOT the guy that proved they were incompetent. Same for those who hack into the US military systems, it is NOT the hacker who needs prosecuting. And if someone hacks into my computer because MS has fouled up their security I should be able to sue MS for any loss or inconvenience caused, not my fault (beyond buying their product of course) and frankly not the hacker's fault.
When are they going to start en masse prosecution of the companies who actively try hacking in order to show vulnerabilities and ensure they are fixed?
Absurd, ill thought through, typical idiot law making
"Now, this gentleman from the government would like to speak to you regarding your future career."
Which department? Given that he's just a skiddie he has very little skill to offer. On second thoughts he sounds just right for GDS, Universal Credit and quite a few other projects.
I am fed up with this.
You cause extreme financial pain on thousands of people, some of whom might die out of stress related illnesses when their identities are usurped and he gets a slap.
But hey, if he had dope, then off to jail, right? or "extreme porn" or whatever.... but not if you attack somebody, etc.
Was it the hacker? Or the hackers who used this information afterwards?
The real damage was caused by the hackers who used the information afterwards. However, as the original hacker made the information available (and had no legitimate reason to do so) then I reckon that a good legal eagle could make a case for aiding and abetting.
"However, as the original hacker made the information available (and had no legitimate reason to do so) then I reckon that a good legal eagle could make a case for aiding and abetting."
To use an analogy, this is a bit like someone leaving a house key in a flowerpot by the door.
Anyone who goes looking will find the way in pretty easily.
IANAL but any unauthorised person who uses that key to gain entry won't be doing the "breaking" bit of "breaking and entering". The victim will probably get all or part of an insurance claim denied (if the insurance company finds out).
What the young laddie did here was the equivalent of announcing the location of the key in the pub.
Applying this analogy to the "homeowner", well it's not a home here, but a business, and TalkTalk not only left the key in the flowerpot but left personal details of customers in unlocked filing cabinets.
It was the hacker.
if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim.
Yes, they were negligent and ignored security, but the criminal is a criminal, or is it only a crime if it is really really difficult? Murdering people requires people to defend themselves properly and put up a nice fight to be a crime?
"if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim."
How about the builder who installed said cardboard door, which was then signed off by the project manager, both of them telling you, the customer, "it's cheap so you save money but it's as safe as houses"? Or you happily accepting the cardboard door without further questioning?
Yes the hacker deserves a slap on the wrist but it's TalkTalk who really are responsible for not putting proper security in place.
@Aitor 1
"if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim."
True, the police would charge the burglar. Even if the door was accidentally left open the crime is the same. (but good luck getting your insurance company to pay up)
Personally throwing the book at him would have been too harsh, but this was too little. Some community service or something a little more severe is warranted. The current young generation is far too used to getting things handed to them and not being held accountable for their actions. They have a sense of entitlement from getting things without earning them (no chores, no job) and mommy and daddy rescuing them when they misbehave. Once upon a time parents would take ownership of the punishment (grounding, depriving them of privileges), but unfortunately now the courts need to step it up a bit as the parents no longer want to parent.
"if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim." --- Aitor
Allow me to fix your analogy:
You have offered to look after other people's stuff for them. You have a cardboard front door. Somebody says, hey, look, Aitor's got a cardboard front door. Somebody kicks it in and nicks not YOUR stuff but the stuff that other people have trusted you to store for them.
Any clearer? I would say that the person who said "Hey, Aitor's got a cardboard door" is probably less guilty not just than the person who kicked it in, but also than you yourself.
if I have a frontdoor made of cardboard (not the case)
As far as I know nearly all jurisdictions make a difference between using no tools at all, using basic tools and using professional tools.
So the law actually makes a difference between you having a cardboard door, basic Yale POS Euro single barrel lock and a proper door with a proper lock.
So yes, a criminal is a criminal, but the LAW provides a different penalty for walking in through a piece of cardboard, pushing and shoving the door a bit and using a proper bumping tool or a crowbar. A crowbar, by the way, is considered a professional burglary tool in all jurisdictions.
"if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim."
However, if you have a Ming vase on a low table, and a 2 year-old deliberately picks it up and drops it, who is to blame? How about a 3 year-old? 4? 5? The law in England and Wales says the magic age is 10. It's a different age in Scotland and other countries.
But criminal responsibility is not something that magically appears at the age of 10. It develops over time. Sure, a teenager should know that hacking is wrong - but how seriously wrong? Could he have foreseen that the consequences would be quite so serious? Driving at 45MPH in a 40MPH zone is also criminal, but is only seen as serious if it results in someone being killed or seriously injured. Should we lock up everyone who drives 5MPH over the speed limit?
>Driving at 45MPH in a 40MPH zone is also criminal, but is only seen as serious if it results in someone being killed or seriously injured. Should we lock up everyone who drives 5MPH over the speed limit?
It's actually 10% + 2MPH according to APCO guidelines, so that's 46mph.
http://www.cps.gov.uk/legal/p_to_r/road_traffic_offences_guidance_on_fixed_penalty_notices/
Fail.
I actually agree.
He should have been hit with a slap as it is the adequate means of punishing him.
The real criminals - the ones who are running an ISP without investing into securing its infrastructure are walking away as victims. It is after all the same ISP which is supplying router zombies to botnets at present so this is not one off - it is systemic. Rather not surprising too, when Harding was interviewed in their "innovation center" there was a Windows 98 (yes 98, not even XP or 2000) and a VCR behind her. Says everything you need to know about Talk Talk innovation.
I think it's a remarkably appropriate sentence. He only used a security scanner on a website and published the result. In itself not a very nice conduct, but if someone is to blame for loss of life because of stress (seriously?), it would mostly be the ISP's (lack of) security.
>Ridiculous
Agreed, just because you have weak locks doesn't make burglary any less of a crime, should have been gaol time. We all don't mind the odd bit of prank sticking it to the man but this is sticking it to the thousands of innocent people out there who suffered financial loss and harassment. Just think, one of those could have been your vulnerable elderly grandparents.
This is a punishment only slightly more severe than having to sit on the naughty step for five minutes, justice has failed.
Oh and by the way folks this adds to Gov ammo as justification for spying on you, so be pissed at this type for disrupting your porn and pirating habits.
He has taken more of a penalty than anyone we know of in TT.
Sure they got a "big fine", but that cost was just passed back down to the consumer.
There's another topic going on at the moment about a Netgear exploit that is going around where users can issue admin commands through a simple URL request. I know of a WAN side exploit where you can gain admin/root login on Netgear routers (late 11n, early 11ac) circa 2014 routers. If I published that info now then you reckon I am a criminal... But I spoke to Netgear about it in June 2014 and TO THIS DAY the majority of units that can be exploited are still able to be exploited, patching may or may not fix it. So me talking about this info in detail would make me a criminal...
But I am not overly good at modern coding and such (Assembly4Life) so I can be sure that others out there have found and exploited this bug... But hold on... Netgear still don't care to fix it... So perhaps I would release the info to force NG's hand into issuing a fix? Criminal now, or something else?
TalkTalk has - let's be honest - probably invested little more than what they were told they legally had to invest at a minimum when it comes to data security, storage, and management. Their own staff could see and copy out whole chunks of the user database without it ever raising a flag. Their routers were hacked just a week or so ago, the passwords and other details were released allowing Wi-Fi connection AND admin console. Would someone directly target Wi-Fi connections? I bet they would. Heck, the police even helped with this when they made the NMPR database harvestable... You can be sure that that database is still floating around in some high-tech circles. TT's advice for having the router admin and wifi password stolen - Just leave it alone, your data is not compromised! In essence what they are saying is that THEY are not liable for the loss so they really don't give a shit.
Something like 4 major hacks in less than two years, and that's only what we know about. The way that their security system keeps getting reset internally tells me that there must still be a ton of turmoil. You can be sure that within 6 months any extra security details outside of the stock name/address/birthday/birthplace will be deleted and reset to be back to only those values again.
If this "kid" caused TT to get kicked in the nuts then I say Good.
If this "kid" caused users to view a provider as "Unsecure", "Unreliable", and "Untrustworthy" then that's good too. It is time consumers learn that the people on the other side are a weak link.
Oh bull, stress related deaths... rot, why do people not have any sense of proportion any more?
Are you one of those who complained that the idea of using old tin cans to make music might cause some kid to cut their finger... Frankly it is well beyond time that people were left able to make up their own minds about risk and danger and take appropriate action.
The people that caused the problem are those in TalkTalk, if there is a financial problem created by their inability to protect data then they should be forced to compensate.
So, at 17, he is employable. It sounds like he will have a fruitful career in penetration testing.
Get him on an ethical hacking course and mentor him a bit. He might even be "lucky enough" to get a call from the people that live in the doughnut up north..
Alternately, perhaps Talk Talk's systems are just like the rest of their systems and he has absolutely no technical skills.
Is that Talk Talk can get bent over and data reamed, not once, not twice, but three times and yet it's still bonuses all round for Dido and the executive.
Whilst the ICO has at least got some dentures it needs real teeth and the criminal negligence of the TalkTalk leadership should be the focus and not some idiot with access to a vulnerability scanner.
Running a security scanner on a public website ain't no offence. Publishing the results for all to see is maybe a bit ungentlemanly, but hardly a major crime, especially given that had he told TT in advance, they would not have fixed the flaws (and probably would have come for him all guns blazing regardless. Lawyers are cheaper than good security these days). Actually there's a serious chance that the data pilfering happened independently, only this young'un got caught and the real criminals got away... the tool used is hardly difficult to come by.
Throw the book at him so that he learns that sec testing is a crime and gets acquainted with real crims? Is that really what should have happened? Maybe he should have been ordered to help TT fix their stuff, but given that all he did was use a readily available tool on a public website, I doubt he has the gorm to fully understand, let alone fix, the vulns. With a minor penalty for his minor misdemeanor, he might wish to further dig into these matters, and, why not, use his powers for good. It's not like the world is crumbling under the weight of able infosec people.
> Which does raise the question, if he is a criminal for doing this why aren't Google's Project Zero team?
Two answers, one philosophical and one practical:
- they shouldn't, as increasing awareness about security is a Good Deed
- the Chocolate Factory has pockets deep enough to sue TT - or pretty much anyone, save a few Big Ones - into oblivion, should the need arise, and execs around the world do know that
HAHA! Just joshing ya, limeys!
This kid did the right thing and got burnt. He told them. He should have hid, and released the info anyway when TT failed to fix it the first two times. He'll do better next time.
He's going to get lots of job offers, and rightly so, if those skillz are for realz. I have a similar problem. I don't take crap from shitty mid-level managers and routinely tell them to fuck off, in those exact terms! Did I get fired, you bet! Now I'm making US$30 MORE an hour, and I'm lowballing my new middleman and could fetch another US$20 an hour on TOP of that. And the run up saw me getting two dozen emails/calls a day for my services, which I mostly ignore. Now I'm an independent contractor with my own LLC corporation.
When will I learn? ;) I already have. Get skillz, do what you please, get fired, get new job without even trying. HAHAHAHAHAHAHAHAHAHAHA! All the way to the fucking BANK!
That might have suited back in the 90s, but these days when you can get terabytes of cloud storage for very little money, I'm pretty sure he had backups of all his tools. If he wants to keep hacking he'll find a way, even without his hard drive.
As for taking away his phone, what was that supposed to prove? So hard to buy another phone. I didn't read anything in the article suggesting he was ordered not to have another phone, so taking his iPhone was probably something the judge thought up as a "that'll show 'im" thing that probably had the kid and his friends probably laughing at the old fool wearing a wig that night.
I would say that the kid posting the details of a security scan on a company is equivalent to posting "company A has crap security". It might be suggested that if he had been an adult working in the internet security field then you could suggest that he was aware of the consequences of this pointing of fingers. However white hats have done exactly this in the past without criminal charges.
So we are left with the fact that punishing this kid for the actions of TT, their security advisers and their exploiters was pure spiteful revenge, everyone involved wants to be seen to be productive but why did they not scan TT themselves first and save everyone the hassle?
TT I imagine met the criteria suggested by those same people charged with protecting our data and security, the same now pushing for the whistle blower's punishment. They and TT are the ones that caused the problem, they presumably are adults working in the field and should have known better but instead after failing to be anywhere near an asset to the people who pay their wages they instead keep their jobs by thrusting the blame upon a child.
There's a lot of blame flying around all over the place on this one. They are all responsible.
Talk Talk are responsible for not securing their systems correctly and this led to hackers getting in and taking customers' details.
The hackers who stole the information for financial gain are also responsible for causing numerous problems for people, be it identity theft or monetary loss etc etc
The boy with the scanner is responsible in his own way as well as he had no business releasing the details of what he had found. That certainly doesn't absolve Talk Talk for being stupid or the hackers for using the information he released. Did he contact Talk Talk about what he found?
That Dildo woman needs to go ASAP and other security staff (if they have any) must be brought to book.
4 times hacked in 20 months is no Joke and NO ONE has been implicated from the company for negligence ! No one has been fired either !
£7 million in annual package and bonuses all round for her. What's going on here in Blighty? Mediocrity does pay.
"TalkTalk .. confirmed 15,656 of subscribers had had their bank account number and sort codes stolen in the incident and said the hack cost it £35m."
In this day-and-age, what the f**k is this kind of information doing unencrypted on a server connected to the Internet?
"The teen, who had used a hacking tool to reveal weak spots vulnerable to SQL injections on its website"
In this day-and-age, what the f**k are TalkTalk doing, allowing client configurable SQL statements to be run on their servers? Has no one at TalkTalk ever heard of Stored Procedures? What idiot originally wrote the TalkTalk SQL database code?