TalkTalk attack: Lad, 15, cuffed by UK cyber-cops

A 15-year-old boy has been arrested by police probing the hacking of Brit ISP TalkTalk. The internet provider admitted on Thursday last week that someone had waged "a significant and sustained cyberattack," upon its website, and potentially swiped copies of sensitive information on four million subscribers. This info could …

  1. Anonymous Coward

    As it's that season,

    fall guy

    https://en.wikipedia.org/wiki/Autumn

    https://en.wikipedia.org/wiki/Guy_Fawkes_Night

    1. Rono666
      Holmes

      Re: As it's that season,

      Yet another false flag

      1. Anonymous Coward

        Re: As it's that season,

        Why so hastily involve neocons or zionists? It may be what it appears to be...

        1. Anonymous Coward

          Re: As it's that season,

          "Why so hastily involve neocons or zionists?"

          Could you explain the difference and what exactly is a zionist?

          I heard a Bob Marley song about it once but couldn't get the gist.

          1. Anonymous Coward

            Re: As it's that season,

            "and what exactly is a Zionist"

            It means that you support the establishment of a terrorist state by force on someone else's land.

    2. Anonymous Coward

      Re: As it's that season,

      I bet he only gets charged with sending the 'ransom' email using info leaked to the web.

  2. Destroy All Monsters Silver badge
    Trollface

    Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

    Yep, it's him alright! He's going down!!

    1. Anonymous Coward

      Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

      They are suggesting that TalkTalk's security was so bad it could be compromised by a school child?

      How does that square with "We'd like to reassure customers that we take the security of your data very seriously."

      1. Trigonoceps occipitalis

        Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

        Squares quite happily on planet PR.

      2. Anonymous Coward

        Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

        Or anyone who can type:...

        sqlmap -u http://www.talktalk.co.uk --dump-all

        OMG LEETHACKZORZ

        1. Dr Dan Holdsworth
          WTF?

          Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

          Seeing as how the flaw was probably as old as the hills, who says that it was just one individual who was onto it? The fact that assorted Black Hats have been conducting social engineering attacks on TalkTalk customers for a couple of weeks now suggests the following:

          1) The flaw is an easily-exploited one.

          2) The flaw was either widely known in the Black Hat communities, or was easily discovered.

          3) Insufficient information could be gleaned from the attack to compromise credit or bank accounts using just that information, hence the extra social engineering seen.

          What we may well be seeing is the aftermath from a series of different attackers. The kid so far collared will be just one of many, and the DDOS attack may well be only slightly connected with the other attacks. Black Hats are not all geniuses, indeed many are as thick as two short planks. The DDOS may well be down to one of the stupid outfits who were unable to understand that an SQL injection attack didn't need a noisy cover to succeed.

          Indeed, the DDOS might well have been an attempt at extortion, when the SQL injection didn't yield the vast treasures that someone was told it would yield.

      3. MR J

        Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

        It def wasn't a child, or him... The inlaw phoned me to say that it was Russian jihad ISIL hackers who were cloning bank accounts and buying things from Tesco and stuff from Shoe Shops. The newspapers never get it wrong.

      4. LucreLout

        Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

        They are suggesting that TalkTalk's security was so bad it could be compromised by a school child?

        Yes, quite. It's even worse when you consider that the exploit he used (Sql Injection) is actually a lot older than he is!

        How on earth can we be nearly 20 years down the line since Sql Injection was first openly discussed and still we have people writing utter utter garbage and calling it code? When does it end? How much more damage has to be done?

        If you qualified with a degree in politics & economics, well, go do that. You didn't qualify with a degree in software engineering. If you qualified with a degree in accountancy, well, guess what? You are not a coder.

        I'll freely admit some of the best programmers I've worked with had no formal qualifications, but they almost universally have their own children older than TalkTalk's own Little Bobby Tables. If we as an industry are going to be able to move forward then we have to regulate who is and who isn't capable of practicing the profession.

        A 15 year old school boy using an 18 year old technique just rooted the hell out of a company in what is likely to be a matter of minutes to get in and days or weeks to extract the data. Things have got to change.

        1. Anonymous Coward

          It's unfair to blame Cassandra for ignoring her.

          I think your conclusion is a little unfair.

          A process which puts nothing between worker Bob's shoddy code and production deployment is a strategic business decision to save money on IT, it's a gamble and one that has paid off for TalkTalk year on year.

          I've sat in an all-hands meeting about a year ago, and witnessed a platform change (routing) causing an API call to go from sub millisecond (approx 350 mu) to 400+ milliseconds, raising the AWS cost drastically, unfortunately I had no influence there as it was outside of my remit. The chap presented a solid business case, a sound technical argument, and he was summarily overruled.

          So like everybody else, I watched them do something completely unwise against the advice of their staff.

          Would I be totally far from the mark to suggest you've seen analogous situations?

        2. Kubla Cant

          Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

          If you qualified with a degree in politics & economics, well, go do that. You didn't qualify with a degree in software engineering. If you qualified with a degree in accountancy, well, guess what? You are not a coder.

          @LucreLout: You appear to believe that acquiring a degree in something is the way to learn how to do it professionally. I'm afraid I have unwelcome news for you.

          1. LucreLout

            Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

            @Kubla Cant

            You appear to believe that acquiring a degree in something is the way to learn how to do it professionally

            Not at all, but it is the best way to ensure a bare minimum foundation of knowledge and capability before beginning acquiring professional experience. IT has never had apprenticeships (real ones, like the shipyards had).

            I do not have a law degree, and so I am prohibited from practicing law. And yet I may produce all of the software upon which they depend.

            I do not have a medical degree, and so I am prohibited from practicing medicine. And yet there is nothing stopping me from writing the software for the medical machinery or robot surgeon.

            I do not have a pilot's licence and years of experience, and so I am prohibited from flying a 777. And yet, I can write the engine control software that keeps it in the sky.

            It is illogical not to have a regulator ensuring minimum standards in IT are met. Why must our industry be plagued with the low quality output of failed accountants or politics students, who know as little about professional software as I do about professional accountancy?

            If IT is to deliver its potential to the world, we have to purge the cowboys. Sql Injection is now old enough to vote. Do we, as a profession, wish to wait for it to collect its pension before we deal with the woeful lack of minimum ability with which our industry is beset? We have to start making progress or we won't be a profession much longer.

            So, you tell me how you'd see that happening that doesn't involve minimum educational requirements and a professional regulator, and I'm all ears?

            1. Anonymous Coward

              Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

              I do not have a law degree, and so I am prohibited from practicing law. And yet I may produce all of the software upon which they depend.

              As a Lawyer you would find the framework of what is acceptable set by other lawyers.

              As a Doctor, you would find the techniques and standards set by other doctors.

              As a programmer you would find the techniques and practices set by people blessedly free from the most cursory understanding of the issues.

              How does a regulator for software / IT professionals help with that?

              Ultimately TalkTalk made a business decision to take the risk of some temporary bad PR in exchange for savings on IT.

              How do minimal educational standards for practitioners stop them being overruled? The only sanction that exists is to withdraw one's labour, that's what has to change.

              1. LucreLout

                Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

                @sed gawk

                As a programmer you would find the techniques and practices set by people blessedly free from the most cursory understanding of the issues.

                How does a regulator for software / IT professionals help with that?

                Take the GMC as an example. They strike you off and you're done. That is underpinned by requirements of professional behaviour and clinical competency. The foundation of these is the educational component, though life long learning and improvement is expected.

                Why would that not work with IT? We have well established patterns and practices within software development that if adhered to will almost always produce better outcomes than not doing so. Produce code of sufficiently appalling quality and your colleagues will raise a complaint with the regulator who will audit your work and determine if this is the field for you.

                Shrugging our shoulders and saying "Well, there's always been cowboys" hasn't got us very far in the 20+ years I've been doing this. An 18 year old hack by a 15 year old boy that knocks out a 12 year old company rather signifies that it is time for change. The cowboys have got to go. If not now, when?

                1. Anonymous Coward

                  Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

                  Take the GMC as an example.

                  A surgical team runs operations, with no higher authority during that operation. The GMC is staffed by doctors who understand the issues.

                  Why would that not work with IT?

                  No large technical operation of my recent experience has had the same autonomy, as is extended to other regulated professions. While you can force someone out of the door for refusing to adhere to bad practice, bad practice will be endemic.

                  We have well established patterns and practices within software development that if adhered to will almost always produce better outcomes than not doing so.

                  Totally agree, and being told to disregard such practices or find another job, is the issue.

                  Do you suggest that a large ISP has nobody who raised this issue? How's this for a possible scenario.

                  PM: in this sprint you will deliver x features, resulting in modifications to the database.

                  DEV: we'll only be able to do x / factor in this sprint as we need time to review and refactor.

                  PM: The business only finds values in the specified feature set, any extra effort is waste, do the feature as quickly as possible, and raise all other work as items for the backlog, to be prioritized accordingly.

                  Produce code of sufficiently appalling quality and your colleagues will raise a complaint with the regulator who will audit your work and determine if this is the field for you.

                  The rub is "quality" means different things to different people.

                  I think "quality" is a process that results in an artifact being built, tested, packaged and deployed automatically. That doesn't mean your code looks nice, to some extent the code is not really the point here.

                  For example, why are all user facing urls not crawled and basic fuzzing performed e.g. curl "http://somehost/webapp/${url}?data"';select 1 from 1' && logwrite "SQL INJECTION FOUND"

                  Shrugging our shoulders and saying "Well, there's always been cowboys" hasn't got us very far in the 20+ years I've been doing this. An 18 year old hack by a 15 year old boy that knocks out a 12 year old company rather signifies that it is time for change. The cowboys have got to go. If not now, when?

                  I agree but think the cowboys are much further up the chain than the shop floor, and until that is addressed meaningful change will collectively elude us.
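
The pipeline check suggested in the comment above, sketched as an added example (not code from the thread or from TalkTalk): each registered handler is called in-process with a lone single quote appended to every parameter, and any database error is reported. The handler names, route table and customer rows are constructed for illustration.

```python
import sqlite3


def make_db():
    """Fresh in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, postcode TEXT)"
    )
    db.executemany(
        "INSERT INTO customers (name, postcode) VALUES (?, ?)",
        [("Alice Example", "AB1 2CD"), ("Bob Example", "EF3 4GH")],
    )
    return db


def lookup_concat(db, params):
    # Deliberately flawed (hypothetical handler): request data is pasted
    # straight into the SQL text, so the parser sees whatever the client sent.
    sql = "SELECT name FROM customers WHERE postcode = '" + params["postcode"] + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, params):
    # Corrected form (hypothetical handler): the value is bound as a
    # parameter and never becomes part of the SQL text.
    return db.execute(
        "SELECT name FROM customers WHERE postcode = ?", (params["postcode"],)
    ).fetchall()


# Hypothetical route table: URL path -> (handler, known-good parameters).
ROUTES = {
    "/webapp/lookup_old": (lookup_concat, {"postcode": "AB1 2CD"}),
    "/webapp/lookup_new": (lookup_bound, {"postcode": "AB1 2CD"}),
}

# A lone quote only unbalances a string literal; it extracts nothing.
PROBE = "'"


def scan_routes(routes=ROUTES):
    """Return (path, parameter, error) for every parameter whose probed
    value makes the database raise an error."""
    findings = []
    for path, (handler, baseline) in sorted(routes.items()):
        db = make_db()
        # The unmodified request must work, otherwise a later error
        # tells us nothing about the probe.
        handler(db, baseline)
        for param in baseline:
            probed = dict(baseline)
            probed[param] = baseline[param] + PROBE
            try:
                handler(db, probed)
            except sqlite3.Error as exc:
                findings.append((path, param, str(exc)))
    return findings


if __name__ == "__main__":
    for path, param, err in scan_routes():
        print(f"SQL INJECTION FOUND {path} param={param}: {err}")
```

A check like this only catches flaws that surface as database errors, so a clean run is a floor for the build gate, not evidence that the handlers are safe.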

                  1. Vic

                    Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

                    I agree but think the cowboys are much further up the chain than the shop floor, and until that is addressed meaningful change will collectively elude us.

                    That is exactly the problem.

                    Vic.

                2. This post has been deleted by its author

            2. Vic

              Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

              So, you tell me how you'd see that happening that doesn't involve minimum educational requirements and a professional regulator, and I'm all ears?

              You need to throw a few suits to the lions.

              As someone posted above, it is comparatively rare for the coders on the ground to write such shite unless they are shielded from criticism by their management. The bigger problem is when management decide to cut corners in spite of advice against such action by people who know what they're talking about.

              So far, when such problems occur, the blame lands on the shoulders of the poor geek who warned about the problem in the first place. What needs to happen is for a high-profile case or two - this one would do nicely - to be shown for the management failure it so clearly is, and for that management to take some personal pain for their actions. I'm not talking about a witch-hunt; merely the pain that someone will feel to be directed at the right person.

              Formal qualifications in software are frequently useless. I've had hundreds of high-scoring grads in front of me who can trot out all the buzzwords they think I'll be looking for - but when asked to do a trivial OO design, are entirely incapable. This needs fixing long before we can start requiring such qualifications for work...

              Vic.

              1. LucreLout

                Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

                @Vic

                it is comparatively rare for the coders on the ground to write such shite unless they are shielded from criticism by their management

                I wish it were so, but it isn't. Every time I have to deal with an inexperienced developer they pull the same shite as the last one, and it takes years to get them up to speed and still longer to eradicate their technical debt.

                Every time I deal with someone who only got into the field for the money, at whatever level of experience, I'm met with an utter shambles to which no professional would put their name. How many civil engineers would you allow to continue building bridges if, the second they weren't there to shore it up, the whole shaky edifice collapsed?

                Come to think of it, how many doctors or lawyers would you allow to build bridges?

                What needs to happen is for a high-profile case or two - this one would do nicely - to be shown for the management failure it so clearly is...

                Now I'm not defending management here, I agree they are culpable too.....

                Formal qualifications in software are frequently useless. I've had hundreds of high-scoring grads in front of me who can trot out all the buzzwords they think I'll be looking for - but when asked to do a trivial OO design, are entirely incapable.

                ....As are the educational establishments, but box fresh graddies wouldn't be allowed to architect code anyway - you'd not let a newly qualified surgeon whip out a kidney - they'd have a more experienced professional to hold their hand through the process a few hundred times.

                I let my graddies do an OO design, but then I replace theirs with one of my own or someone else better at it, and have them populate that. Code reviews form an integral part of their lives, as does a pretty lengthy reading list I expect them to get through.

                And so to the old hands - some people were once good but have long since stopped keeping pace. Some just never "got it" and carried on producing crap of a standard I'd expect from a grad. They all have to go too.

                If we want our profession to hold no more regard and command no greater compensation than an estate agent, then we need change nothing. If we want IT to have a seat at the top table, and in my view the world very much needs that to happen if humanity is to achieve its potential, then we as a whole have to raise our game. If that shakes loose the cowboys, the arts grads, and the dinosaurs, well, that's all good.

                1. Vic

                  Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

                  I wish it were so, but it isn't. Every time I have to deal with an inexperienced developer they pull the same shite as the last one, and it takes years to get them up to speed and still longer to eradicate their technical debt.

                  OK, let me re-phrase what I said :-

                  "it is comparatively rare for the coders on the ground to write be permitted to commit such shite unless they are shielded from criticism by their management"

                  You will always get inexperienced devs producing rubbish. The reason for a team hierarchy is to enable the seasoned hands to train the new recruits. But, from time to time, you will find teams where one member - often categorised as "highly productive" or somesuch - just keeps committing petabytes of utter crap, but will be fiercely defended by management who believe that kLOC is better than quality...

                  I let my graddies do an OO design, but then I replace theirs with one of my own or someone else better at it, and have them populate that

                  I've met innumerable grads who can't get that far. At interview, they'll spout the buzzwords - but when called on it, couldn't even begin to do a 2-class exercise. No understanding whatsoever of the process. And these are the people with the qualifications.

                  And so to the old hands - some people were once good but have long since stopped keeping pace. Some just never "got it" and carried on producing crap of a standard I'd expect from a grad. They all have to go too.

                  I *mostly* agree. The difficulty is that many of them "stopped keeping pace" because they disagree with the direction in which that pace is travelling. And they are often right as well[1]. It's only with hindsight that we can see what really goes on...

                  If we want IT to have a seat at the top table, and in my view the world very much needs that to happen if humanity is to achieve its potential, then we as a whole have to raise our game. If that shakes loose the cowboys, the arts grads, and the dinosaurs, well, that's all good.

                  I'm completely with you there - it's your implementation with which I disagree :-) The formal education we currently offer in the field is frequently - nearly universally - useless. If all we did was to require such qualifications, we'd get code every bit as bad - or even worse. To change that state of affairs, we'd need to make a step-change in the quality of grads coming out of university - and that's going to take 20 years to filter through, with all those interim graduates getting a useful education, but a qualification that will be seen as useless for that period. That's hardly fair.

                  My solution would require companies and individual managers to be held responsible (to some extent) for their code - so when it goes wrong, they can't brush it under the carpet, they can't just blame some peon, they have to take the responsibility for which they've been paying themselves. A couple of rounds of that, and TPTB will actually start to take code quality seriously, because it will cost *them* personally not to do so. So when a dev tells them that the hack they're suggesting will definitely cause the code to fail, there might at least be a few seconds of reflection on whether or not to do it...

                  Vic.

                  [1] A customer of a customer of mine has a venerable - and *very* profitable - application written in Forth. It is very robust. But a new broom has come in, and they have set up a group to re-write the whole thing in C#, because it's more modern. That task began at least 8 years ago, and to date has produced *nothing at all*, despite having a much bigger team than is working on the "ancient" codebase. It turns out for them that the old way is indeed very much more effective than the new...

                  1. LucreLout

                    Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

                    @Vic

                    But, from time to time, you will find teams where one member - often categorised as "highly productive" or somesuch - just keeps committing petabytes of utter crap, but will be fiercely defended by management who believe that kLOC is better than quality...

                    I recently worked with a prime example of this. Within 24 months of leaving the team, which was less time than he'd been in it, every single thing he developed had needed a ground up rewrite. He's still out there, in the industry, doing his thing. And no matter what you tell him, he won't learn, because he doesn't listen. Ultimately, while he may appear productive, all he is really doing is building technical debt - the industry would have less work to do if he were not in it.

                    My solution would require companies and individual managers to be held responsible (to some extent) for their code - so when it goes wrong, they can't brush it under the carpet, they can't just blame some peon, they have to take the responsibility for which they've been paying themselves. A couple of rounds of that, and TPTB will actually start to take code quality seriously

                    No they won't. I've been with my current company for about 6 years and in that time I've had 7 bosses. Trying to identify which one is responsible for a given feck-up isn't trivial. Since 4 of them are no longer with the company, assigning any responsibility to them would be challenging.

                    The only way it gets better is to make the developers better - management will always be inept. While you can roll a turd in glitter, you can't really polish it, so ultimately the quality control has to begin with who is allowed to practice software development professionally, and who isn't.

                    1. Vic

                      Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

                      No they won't. I've been with my current company for about 6 years and in that time I've had 7 bosses. Trying to identify which one is responsible for a given feck-up isn't trivial.

                      No, but that's because there is no personal responsibility; they can all just play on the blame-go-round until nothing happens. But if the CEO or MD were to be personally responsible unless he can prove who actually is, that would cease; when the big boss doesn't get paid this year, he's going to find out what really happened...

                      The only way it gets better is to make the developers better - management will always be inept. While you can roll a turd in glitter, you can't really polish it, so ultimately the quality control has to begin with who is allowed to practice software development professionally, and who isn't.

                      Both are required. It's no use having a superb set of devs if the management force them to cut corners. And Management are going to cut corners if they think it will gain them some advantage because they will get away with it every time. They need to be held responsible for their actions if code quality is going to improve. And once that's happened, they will seek out a talented group of devs, rather than just a cheap set...

                      Vic.

              2. Anonymous Coward

                Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

                Totally agree, the qualifications don't cover the basics, fundamentally being able to design and test something on the bench is not a skill that is taught and it needs to be before software qualifications become meaningful.

      5. TheOtherHobbes

        Re: Bobby Tables, 15, cuffed by TalkTalk hacking probe cops

        >They are suggesting that TalkTalk's security was so bad it could be compromised by a school child?

        You can't seriously expect one of the UK's bigger ISPs to know anything about infosec, surely.

  3. Rod 6

    title

    Oh, I thought it was meant to be a 'sophisticated' attack by 'cyber criminals'.

    1. Jimboom

      Re: title

      Funny, the way I read it this was meant to be some big Islamic state sponsored cyber terrorism hack based out of Russia from the site of a missile factory.

  4. Ken Moorhouse Silver badge
    Joke

    Cuffed Cuffed

    If he is convicted will he be serving a double sentence?

    1. Ben Tasker

      Re: Cuffed Cuffed

      No, but as anyone who's dealt with TalkTalk's billing can attest, there's a high probability he'll be ChargedCharged

  5. frank ly

    Difficult to guess password?

    He was probably trying to get past the 'child protection' filters and ended up mashing the keyboard in frustration. Next thing he knows, there's an unencrypted database spewing up onto his hard drive.

    1. Ben Tasker

      Re: Difficult to guess password?

      So it's his parents' fault for choosing a password beginning with UNION

  6. Duffaboy

    Are we to believe this is the work of a 15yr old ?

    Really...?

    1. Anonymous Coward

      Re: Are we to believe this is the work of a 15yr old ?

      It was 4 of them so 60 years old.

      1. Anonymous Coward

        Re: Are we to believe this is the work of a 15yr old ?

        It was 4 of them so 60 years old.

        I think that was used and failed as defence in Operation Yewtree, so I don't think it works like that.

    2. PrivateCitizen

      Re: Are we to believe this is the work of a 15yr old ?

      On a serious note, why not?

      If the attack was fundamentally an SQLi, then yes - it is pretty easy for a 15 year old to manage that (metasploit + YouTube tutorials + Computer + broadband = pwnage).

      The reality is that most times a company gets popped, despite all the claims about how sophisticated the attacks are, it really boils down to a bored kid with a good imagination and access to a computer. Nothing more, nothing less.

      1. Dadmin
        Linux

        Re: Are we to believe this is the work of a 15yr old ?

        Absolutely! It's not hard to see why this multi-million pound business is brought to its knees by a kid with a laptop. They didn't bother to encrypt anything inside of HackHack, just plain text because it's cheaper that way, yes? Their CEO is a fucking moron who doesn't even know anything about the business they are running. If you ask me, send the fucking bobbies over to Dildo the CEO's house and arrest her for being an incompetent asswipe making way too much money and having ZERO skills to reference and only the lowest paid staff to mop up her bad decisions. This was almost as funny as the Ashley Madison Hack! Bravo 15 year olds with laptops! Bravo!

        1. x 7

          Re: Are we to believe this is the work of a 15yr old ?

          "send the fucking bobbies over to Dildo the CEO's house and arrest her"

          they'll find nothing

          No hairs on this Dido, Dicky

          I wonder if she has a house in Bayswater???

          1. Anonymous Coward

            Re: Are we to believe this is the work of a 15yr old ?

            No and until the CEO/Directors/managers/ etc face either personal crippling fines or gaol then this crap (as history keeps proving) will keep on happening...

      2. Anonymous Coward
        Black Helicopters

        Re: Are we to believe this is the work of a 15yr old ?

        metasploit + YouTube tutorials + Computer + broadband = pwnage

        You know what that means, mere possession of these places you as a potential terrorist. I definitely need to place all my security related materials in encrypted containers. At least currently we (U.S.) can't be required to hand over our passwords.

        No point in anon, matching my wording is signature enough.

      3. Anonymous Coward

        Re: Are we to believe this is the work of a 15yr old ?

        The reality is that most times a company gets popped, despite all the claims about how sophisticated the attacks are, it really boils down to a bored kid with a good imagination and access to a computer. Nothing more, nothing less.

        Don't forget to add an Autism in there as a defence of not knowing right from wrong

      4. jerky_rs

        Re: Are we to believe this is the work of a 15yr old ?

        Seems like a lot of these replies seem to think a 15 year old boy is not capable of such things, probably due to most people's lack of natural aptitude. Over 40 years ago, by the age of 13, Bill Gates was already programming and hacking other systems, I think it is pretty obvious that any naturally bright youth could do this nowadays.

        I have no idea if it was him, but certainly one might assume it's reasonable it could be a 15 year old boy or girl. Maybe he just had a compromised PC that was being used as a proxy but who knows, certainly would not rule him out due to his age.

    3. a_yank_lurker

      Re: Are we to believe this is the work of a 15yr old ?

      I would believe it given what I have read about the lack of security.

      1. omnicent
        Childcatcher

        Re: Are we to believe this is the work of a 15yr old ?

        To all the naysayers: do you not remember how bright you were at 15* - we all didn't suddenly become intelligent at [18/21/30/40]. Add to that how much spare time you had before uni/jobs/drinking/family/rest of the grown-up stuff

        * Life experience aside

    4. Tim Almond

      Re: Are we to believe this is the work of a 15yr old ?

      I've not used it, but look at videos on using SqlMap and I am certain a 15 year old who is a bit into computing could have done it.

      Like nearly all hacks, there's not some David Lightman level of hacking going on. It's nearly always someone leaving a port open or a SQL Injection attack. The idea that the government needs to protect incompetent twunts like Sony and TalkTalk is risible.

      1. werdsmith Silver badge

        Re: Are we to believe this is the work of a 15yr old ?

        The idea that the government needs to protect incompetent twunts like Sony and TalkTalk is risible.

        In the Gary McKinnon case, who protects the Government when the Government was the one getting pwned?

      2. SolidSquid

        Re: Are we to believe this is the work of a 15yr old ?

        I messed about with Metasploit on a test VM a while back (was looking at possibly doing security stuff as part of the day job, test VM was part of a learning series) and it's pretty damn easy to use. Avoiding detection when running it on someone's site and then actually using the exploit are the bits that might be fiddly, and a 15 year old would have plenty of spare time to work it out

        I do think it's less likely that a 15 year old would be doing a DDoS attack to cover his tracks along with the ransom threat though. It's possible, but it seems more likely a 15 year old would go the direct route of just hacking them rather than setting up a more coordinated scheme like this.

    5. Anonymous Coward
      Anonymous Coward

      Re: Are we to believe this is the work of a 15yr old ?

      At 16 I was doing some fun stuff with other people's computers that would probably have gotten me locked away for a few years if I had done it today. This was during the mid-to-late 90's though.

      Don't under-estimate intelligent, bored, curious teenagers with all the time in the world to figure stuff out and get up to mischief.

      This sort of thing needs to be redirected constructively instead of litigated or prosecuted though.

  7. Anonymous Coward
    Anonymous Coward

    there's a lolocopter flying about northern ireland right now.

    This story has the potential to be an extended version on blu-ray.

    On a serious note can't we just remove java from the web? xss is so last year.

    1. dogged
      Stop

      ITYM "javascript".

      Unless you mean "Java applets" and those are already mostly gone, thanks be to Glod.

  8. Anonymous Coward
    Anonymous Coward

    At 1620 BST Police

    Rolled a joint with the weed they discovered in the kid's sock drawer and got stoned.

    Kids are easy to pick on when a quick culprit must be found in order to save a troubled corporation.

  9. Doctor Syntax Silver badge

    In other news

    There's going to be an MPs' enquiry: http://www.bbc.co.uk/news/business-34635583

    Let's hope someone manages to brief an MP to ask pointed questions about encryption and why it's a Good Thing.

    1. Grubby

      Re: In other news

      The CEO's husband is an MP so I doubt it will be a very probing investigation.

      1. John Brown (no body) Silver badge
        Facepalm

        Re: In other news

        "The CEO's husband is an MP so I doubt it will be a very probing investigation."

        If you are referring to the husband of Baroness Harding of Winscombe, AKA Dido Harding, I suspect she won't need the help of her husband to get the establishment on side.

        1. TheOtherHobbes

          Re: In other news

          Raised on a pig farm, apparently.

          Oxford classmate of Cameron's on that famous PPE course, then a spell at McKinsey. So it's reasonable to have low expectations of common sense.

        2. This post has been deleted by its author

        3. John Brown (no body) Silver badge

          Re: In other news

          Dear downvoter,

          Are you her husband?

  10. Anonymous Coward
    Anonymous Coward

    I think that he's a perfectly dressed assburger sufferer with a lesbian sister, female middle eastern friend, imaginary father and someone else's dog.

    1. Anonymous Coward
      Anonymous Coward

      This is not the Animu or Mango channel.

      1. Anonymous Coward
        Anonymous Coward

        or Mr Robot

  11. Anonymous Coward
    Anonymous Coward

    I call bullshit.

    Sorry but if you're going to grab a lot of data you don't shit in your own back yard (i.e. ISP I.P. address)

    1. LucreLout

      @Scoot76

      Sorry but if you're going to grab a lot of data you don't shit in your own back yard (i.e. ISP I.P. address)

      You might if you were a bright 15 year old seeking an infosec career.

      You're below the age of criminal responsibility so it's a clean record at 18, and given the likelihood of the courts protecting your identity, this will cause zero emigration concerns or visa problems. The only people that will know will be those to whom you send your postgrad CV.

      Equally, you might if you were a less than bright 15 year old who'd downloaded some script-kiddie tools from the interwebs and had at it, with no thought or knowledge of how to cover your tracks.

      1. Crisp

        The age of criminal responsibility

        Is 10 apparently.

        1. LucreLout

          Re: The age of criminal responsibility

          @Crisp

          Yes, so it is, and thanks for the correction. However it would appear that the child will, assuming they finish school, attend college and then university, leave with both a degree and a clean record, as it is declarable for a maximum 6 years from conviction (even on a DBS check).

          http://disclose.me.uk/question/how-long-will-my-conviction-stay-on-record/

          Assuming it is a first offence and he pleads guilty on day one in court, then he's looking at 2/3rds off any sentence the court may have considered, and if that gets him below 2 years then he'd only get a suspended tariff. If he hasn't sold or leaked too much data, he may only be fined, due to his age.

          I would be extremely surprised if this has any lasting negative effect on his career, and as I said earlier, he may be able to use it as a positive if he wants to work in infosec. There will be clients that want to hire "the guy that took down TalkTalk when he was only 15".

  12. vmistery

    I really really hope it is this chappie just so TalkTalk can stop it with the sophisticated attack rubbish they keep churning out and get their just deserts. My guess though is he was just the one who decided it would be funny to send the ransom email and actually knows nothing about the real attack.

    1. Duffaboy

      Probably hit the nail on the head there

      vmistery

      My thought is you're probably not far off the mark thinking that

    2. Anonymous Coward
      Joke

      > My guess though is he was just the one who decided it would be funny to send the ransom email and actually knows nothing about the real attack.

      Yeah, but he does deserve some credit for managing to find an email address that TalkTalk actually read.

    3. anonymous boring coward Silver badge

      My guess is that your guess is as good as mine.

  13. scrubber

    This hack may be recorded for quality and training purposes.

    1. Boris the Cockroach Silver badge
      Coffee/keyboard

      Icon

      Says it all

  14. Anonymous Coward
    Anonymous Coward

    plus ca change

    The British "security forces" are again arresting and imprisoning children. Not sure if this is a hangover from the 1970s or if they have drawn new inspiration from their Australian brethren in the gaoling and abuse of minors.

    1. Anonymous Coward
      Anonymous Coward

      Re: plus ca change

      Just set up a rabbit proof fence, steal the children and give the people alcohol...

      Rinse and repeat.

  15. x 7

    He'll be a rejected trainee jockey who's fallen out with Dido.

  16. BlindProgrammer

    Sorted

    If it was him, that's his career in security and his pension sorted then

    1. Anonymous Coward
      Anonymous Coward

      Re: Sorted

      I doubt he's sorted in security, any script kiddie / moron who has even the most basic of knowledge can craft a basic sql injection with or without a tool.

      Of course some penetrations are much more complex but it could have been so simple as to run a pentest tool against the site.

  17. DaveB

    Homework

    Probably last week his teacher set him homework on "SQL injection"

  18. marcfielding

    HTTP://

    The web address talktalk is giving out is HTTP://www.talktalk.co.uk/secure - oh dear seems lessons are hard learned.

    1. Dadmin
      Pint

      Re: HTTP://

      HAHA! Does that landing page have a big picture of the smiling idiot CEO and a caption that says "wait for it..."?

      Brill!

    2. Two Posts

      Re: HTTP://

      It is also good to know that on this, at time of writing, landing page (https://myaccount.talktalk.co.uk/home/dashboard) you can contact

      Customer Services & Techinal (sic) Support

      for more information.

      Just about sums it up really.

  19. Anonymous C0ward

    You can't catch me

    I'm behind 7 proxies.

    1. Chozo
      Devil

      Re: You can't catch me

      Take the Panopticlick test and see how anon you are :)

  20. Tromos
    Joke

    "he will spend the evening being grilled by detectives"

    Wouldn't it be quicker to microwave him?

    1. dogged

      Re: "he will spend the evening being grilled by detectives"

      It's waterboarding these days. Sous Vide is terribly fashionable.

  21. chivo243 Silver badge
    Holmes

    Yes and No

    This is totally believable, but it seems a typical knee jerk reaction. Pick the low hanging fruit? It seems like this lad is one of those sacred goats? It all just smells a bit fishy.

    1. Maldax

      Re: Yes and No

      Make your mind up! goat or fish?

    2. Anonymous Coward
      Anonymous Coward

      Re: Yes and No

      so they should just let the actual perpetrators go free whilst looking for the person who had the idea, as he's guilty and needs to suffer the wrath of the pitchfork mob

      talk talk about a twat

  22. anonymous boring coward Silver badge

    Video on youtube

    I want the good cop, bad cop video of the interrogation on YouTube, please!

    2015 version of course, with the finish your meal, or no ice cream, bad cop.

  23. x 7

    A 15-year old who could carry out that hack would most probably launch the DDOS from his school's network... many are surprisingly insecure and a bright kid could gain control easily

  24. Fullbeem

    History repeating

    Anyone know if the teen that got arrested and charged back in 2011 for the LulzSec/Anonymous hacks is now working for BAE Systems/GCHQ or was a fall guy for that?

    http://www.telegraph.co.uk/technology/news/8649621/Teen-accused-of-Anonymous-and-LulzSec-attacks.html

  25. WaveyDavey

    Disingenuous

    Their site says : "In the meantime, we have partnered with one of the three main credit agencies, Noddle, to provide our customers with 12 months’ free credit monitoring." - That phrasing looks like they are doing something useful and generous. Scumbags fail to mention Noddle is *already* free for credit checking, and monitoring add-on is only £20 for a year's worth of alerts. It seems to me like they want to think they are being generous offering a service like Experian, but on the cheap.

    1. GarethWright.com

      Re: Disingenuous

      Noddle is really good, but yes already a free service.

  26. The Quiet One

    I call bullshit....

    If a 15y/o kid can hack the Talk Talk Website single-handedly, either their security was so laughably poor that they deserved it, or that kid needs a maths scholarship to Cambridge and a job at MI6.

    In reality, he probably sent the ransom email for a joke and will get a slap on the wrist from the law and an absolute shoeing from his mum.

    More to come from this story I think.

  27. Anonymous Coward
    Anonymous Coward

    Splendid, on one side of the province, a teen breaks all the way into Talktalk, on the other side they can't even give my Dad sufficient speed to stream TV properly.

  28. wirehead

    It may be of interest to note that before becoming CEO of TalkTalk, Dido worked at Tesco (Yeovil branch). Make of that what you will.
