back to article TalkTalk hackhack duoduo thrownthrown in the coolercooler: 'Talented' pair sentenced for ransacking ISP

Two miscreants were sent down by the Old Bailey yesterday for their role in the 2015 hacking of UK ISP TalkTalk. Matthew Hanley, 23, and Connor Allsopp, 21, both of Tamworth in Staffordshire, were jailed for 12 and eight months, respectively, by the judge, Anuja Dhir QC. The pair pleaded guilty last year to various charges …

  1. Anonymous Coward
    Anonymous Coward

    Any room in there for Dido as well ?

    1. Solarflare

      There's always room for a bit more Dildo...

      1. Anonymous Coward
        Anonymous Coward

        >There's always room for a bit more Dildo...

        Ew, now I need to to go and put my brain in the washing to rid my mind of that graphic image, just praying the stain will come out.

    2. Sandtitz Silver badge
      Joke

      Di-do'h

      "Any room in there for Dido as well ?"

      Not exactly my cup of tea, but I don't think her music was that bad.

      1. Aladdin Sane
        Joke

        Re: Di-do'h

        White Flag is still #1 in France.

        1. Anonymous Coward
          Anonymous Coward

          Re: Di-do'h

          White Flag is still #1 in France.

          To judge by Bagpuss's "exit agreement", it's actually still top of the pops in Westminster.

  2. sabroni Silver badge

    "individuals of extraordinary talent."

    Weird, I always thought they were run of the mill script kiddies who found a load of badly secured and out of date systems. But I guess that'd mean TalkTalk were culpable.

    1. bombastic bob Silver badge
      Devil

      Re: "individuals of extraordinary talent."

      "I always thought they were run of the mill script kiddies"

      I was about to say something like that, too. what makes them 'script kiddies' is (from what I got from the article) how it started [apparently] with a 17 year old using "toolz" on his "p00ter" to check for SQL injection vulnerabilities. And when he found them, he (apparently) did some thieving and BRAGGED! ABOUT! IT! to others, some of whom were also arrested and convicted [hence the sentencing].

      that's kinda what the definition of "script kiddie" is, using things written by others like any miscreant would, in essence having NO real knowledge of computers, or networks, or security, but having those "toolz" so he can look like a 1337 h4x0r to his script-kiddie buddies and online "friends".

      REAL hackers, of course, get jobs as engineers, and in IT (and often become security experts). Or they do the 'mad science' thing and invent stuff, work on kernels and device drivers and really cool features in commercial software, because real hackers are curious, inventive, think outside of the box, and typically find unique creative solutions to problems that others would just wheel-spin trying to solve.

      1. Anonymous Coward
        Anonymous Coward

        "REAL hackers, of course [...]"

        Still there are some who uses their talent to do nasty and criminal things...

      2. drewley

        Re: "individuals of extraordinary talent."

        Came here to say this. Why do courts rub the egos of people like this?

        Do they understand there are plenty of people with this "talent" who actually choose to follow the law..

        1. The Nazz

          Re: "individuals of extraordinary talent."

          Or indeed, that many of the victims are hardworking, law abiding and extraordinarily talented themselves, such as for eg Intensive Care Nurses.

          Perhaps whilst serving time (what little they will actually do) they could be bombarded with calls from scammers with an overseas accent. Multiple times a day and night.

          AND a daily letter from Dido Harding (better still a daily visit) "explaining" that although they've been hacked, they are at no risk, whatsoever, of having their very precise and personal details misused. No sireee, whatsoever,

      3. StargateSg7

        Re: "individuals of extraordinary talent."

        "......"script kiddie" is, using things written by others like any miscreant would, in essence having NO real knowledge of computers, or networks, or security, but having those "toolz" so he can look like a 1337 h4x0r to his script-kiddie buddies and online "friends"....."

        ---

        TRUE...A Real Hacker knows how to bypass the OS and go right to the modifying the BIOS of the Drive Controller firmware, can inject a cutom JMP/RET/RETN/RETF assembler instruction set into the memory allocation handler, the USB Stick's onboard micro-OS, the BASEBAND OS of the cell phone communications chip (Modem), the graphics card BIOS/firmware and the network card BIOS so we can slurp IP address and DNS requests at the firmware level and BEFORE the AES-256 packet encryption, slurp and save the data into pre-reserved sectors of storage media and into unused portions of IP4/IP6 packet headers and Ethernet/ATM/SONET Frames. We can screenshot the desktop and/or use IRQ's to record the keyboard scan-codes and touchscreen and/or mouse coordinates to get a direct recording of what you did during your online or offline session!

        OH YEAH! A .....REAL....HACKER......would put in a pressurized tap into a gas-enveloped fibre optic cables and put in a pure optical switch to slurp and inject NEW photon pulses at just the right frequencies at the right times for ALL channels so the spooks CANNOT use reflectivity/reflectometry to figure out where line delays occur in their fibre optic lines!

        KABOOM !!!! A real hacker can secretly put in a micro thermal emissions and surface wave acoustic sensor ONTO the CPU/GPU chip itself so I can directly record what memory cells, circuit paths and pins are being activated at ANY given time and record them as a virtualized/emulated CPU/GPU instruction set which I can playback and slow down to my heart's delight on a hardware emulator!

        AAAAAAAHHHHH !!!! A REAL HACKER takes your fingerprints from an acoustic scan of your ENTIRE finger prints along with thermal, pressure and olfactory data so I can make a 3D printed silicon glove version of your hand that will have the right temperature, pressure gradients, proper sweat chemicals and proper physical texture to fool even the NEWEST smartphones and high-security-banking fingerprint scanning systems. That 10 Million Euro SWIFT bank transfer is NOW MINE !!!!

        HOT DAMN!!! AM I EVER GOOD !!!!!! I know this scheisse INSIDE and Out from the EARLIEST days of global networking! How many people even KNOW what Interrupt 0x13 and 0x21 are? I DO !!! DO YOU?

      4. Phil Endecott

        Re: "individuals of extraordinary talent."

        I wonder if he would describe e.g. joyriders caught doing 90 in a 30 zone as “extraordinarily talented drivers”?

    2. SVV

      Re: "individuals of extraordinary talent."

      Over 10 years ago, I used to do consultancy type work on web based systems of this type for companies of this size. I always did a general code review as it's the best way to flag up possible security, performance and maintainability problems. These were generally so obvious that they were simple to spot, and the few times I found SQL injection vulnerabilities I was amazed that they had such stupid developers who had such little experience writing public facing code in such large organisations - one time the "senior developer" on a project that turned over hundreds of millions per week had an impressive 18 months development experience.

      The thing that wore me down most though, and eventually made me to decide to stop reviewing other people's work and go back to coding again where I was able to insist on doing things properly, was the sheer inertia and disinterest of managers when I produced reports detailing the problems and the required solutions to them. "Oh, that doesn't sound too important". "We can't change it now or we'll miss the go live date (and I won't get my bonus), "the developers say it's not really a problem", "you've only been hired to produce a review, we'll decide whether we want to act on the recommendations" and countless other examples of stupid made me feel like I was wasting my time and experience on idiots, and it doesn't surprise me one bit to learn that things have not improved at all since then. I doubt whether they ever will.

      1. Mark 85

        Re: "individuals of extraordinary talent."

        and it doesn't surprise me one bit to learn that things have not improved at all since then. I doubt whether they ever will.

        Things won't improve until IT managers have an IT background instead of a business background and then prioritize the IT issues over everything else. Most IT managers seem to only have a business background and no insight into IT. One can be driven by profit motivation or security motivation, but not both. Security costs money and profit trumps spending.

    3. Anonymous Coward
      Anonymous Coward

      Re: "individuals of extraordinary talent."

      This.

      They probably just ran:

      sqlmap -u https://www.talktalk.co.uk?id=1 --batch --level=3 --risk=3 --dump-all

  3. Valeyard

    "legacy" issues

    -cost of fixing "legacy" issues (called such even though they're actually "current" issues): weeks to months of dev-time with no new shiny to show the top brass

    -cost of not fixing: ~£77m, more after loss of reputation, custom and future custom

    lessons learned industry-wide: probably 0

    1. tiggity Silver badge

      Re: "legacy" issues

      @Valeyard

      lessons learned industry-wide: That you get away lightly - minimal fine, folk still use Talk Talk as its cheap & they do not care about its history of insecurity

      Nobody at the top of Talk Talk personally jailed, fined, meanwhile young kids who found the IT equivalent of a wallet bulging with cash on the pavement & nobody around to see you pick it up , get harshly treated for a minimal skill data exfiltration act.

      1. Commswonk

        Re: "legacy" issues

        ...meanwhile young kids who found the IT equivalent of a wallet bulging with cash on the pavement & nobody around to see you pick it up...

        It matters not whether anyone sees you pick up said bulging wallet or not, it is still "theft by finding" if you do not report the find with the intention of if being returned to its rightful owner.

  4. Crisp

    A dedicated hacker spends his days drinking too much coffee and cranking out code

    Any script kiddie can exploit a SQL injection vulnerability. (seriously? It's the 21st century.)

  5. Loyal Commenter Silver badge

    Earlier this year, Harding attributed the hack to legacy technology she described as "the IT equivalent of an old shed in a field that was covered in brambles."

    I don't know about you, but I don't keep anything of value in a shed.

    1. Anonymous Coward
      Anonymous Coward

      >I don't know about you, but I don't keep anything of value in a shed.

      Now that is what you want us to believe...

    2. Anonymous Coward
      Anonymous Coward

      I carry my lathe and mill in and leave them in the kitchen every night, it's true.

      1. Loyal Commenter Silver badge

        I carry my lathe and mill in and leave them in the kitchen every night, it's true.

        I certainly wouldn't keep either of those in a shed in a field. I'm thinking more like a properly secure warm, dry workshop attached to your house, and if it is anything other than a tatty old foot-operated pole lathe, a decent alarm system too.

    3. Anonymous Coward
      Anonymous Coward

      covered in brambles?

      "Brambles" suggests at least some sort of deterrent and/or security, however ad hoc. Was that the case here, I wonder?

  6. Dabooka

    Hmm, but Harding's description

    of the shed covered in brambles, sounds like it offered better security than anything they had at the time.

    1. Insert sadsack pun here

      Re: Hmm, but Harding's description

      were they ISO 27001-approved security brambles?

  7. Keith Oborn

    The shed--

    -had a faded "tiscali" sign. It was supposed to have been demolished and the contents stored safely but some bean counters objected to the cost.

    Not defending TT but I remember thinking "there but for the grace of god--"

    Find me a company that doesn't have at least one similar problem. I'll buy it.

  8. Anonymous Coward
    Anonymous Coward

    Obligatory XKCD comment

    https://xkcd.com/327/

  9. adam payne

    Dhir thought Hanley was a "dedicated hacker," and added that both he and Allsopp were apparently "individuals of extraordinary talent."

    Is that statement to make the general public feel better about TalkTalk and their stupidity?!? or is it to make the general public feel safer because the hardened hackers are being put behind bars?!?

    1. Anonymous Coward
      Anonymous Coward

      Dhir thought Hanley was a "dedicated hacker,"

      I have heard a QC tell me that if you want advice on computers go to a 14 year old kid. I am therefore quite unsurprised.

      1. Killfalcon Silver badge

        Re: Dhir thought Hanley was a "dedicated hacker,"

        I think the general aim is to suggest that they, and others like them, could do well in a legit career, and thus encourage other would-be criminals to instead do something else that doesn't land them in jail.

    2. Mark 85

      I think the judge hasn't a clue to what the terms "dedicated hacker" or "extraordinary talent" actually means.

  10. Anonymous Coward
    Anonymous Coward

    How did they get around the 2FA challenges. And encryption ?

    just wondering ....

  11. Anonymous Coward
    Anonymous Coward

    Go read "Masters of Deception" by Michelle Slatalla and Joshua Quittner.

  12. StuntMisanthrope

    Judge-Turing Test.

    A man that believes, he's never wrong, often is. #wittgenstein

    1. Anonymous Coward
      Anonymous Coward

      Re: Judge-Turing Test.

      Actually Wittgenstein wrote something even more appropriate:

      “Wovon man nicht sprechen kann, darüber muß man schweigen.”

      That of which one can't speak one must shut up about.

    2. The Nazz

      Re: Judge-Turing Test.

      Or Cheryl Wheeler's take on it, Frequently Wrong, But Never In Doubt. :

      https://www.youtube.com/watch?v=LMj47Fil6R4

  13. Anonymous Coward
    FAIL

    Individuals of extraordinary talent?

    Using a well known SQL injection bug and getting caught isn't the sign of extraordinary talent.

  14. Destroy All Monsters Silver badge
    Holmes

    "individuals of extraordinary talent"

    Sounds like a Harry Potter sidequest movie.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon