back to article TalkTalk hacker gets iPhone taken away by Norwich Youth Court

The 17-year-old lad who confessed to hacking crimes against UK ISP TalkTalk was today slapped with a 12-month rehabilitation order and had his iPhone confiscated. The teen received the sentence, of sorts, at Norwich Youth Court, in east England, where chairman of the bench Jean Bonnick reportedly told the unnamed individual …

  1. Anonymous Coward
    Anonymous Coward

    iPhone...DENIED

    had his iPhone confiscated

    A fate worse than a fate worse than death

    1. Aladdin Sane Silver badge

      Re: iPhone...DENIED

      Shame there's no Wayne's World or Blackadder icons.

    2. SW10
      Trollface

      Re: iPhone...DENIED

      Has anyone confiscated Dido Harding's iPhone?

      1. Voyna i Mor Silver badge

        Re: iPhone...DENIED

        "Has anyone confiscated Dido Harding's iPhone?"

        More to the point, how long before the Republican Party confiscates the iPhone from someone who does severe damage to large companies almost every time he uses it?

    3. macjules Silver badge
      Gimp

      Re: iPhone...DENIED

      Sheer Fanboi hell. The judge could have been REALLY nasty and banned him from every AppleStore in the UK for 12 months ... but our judges are not so vindictive.

      1. Steve Davies 3 Silver badge

        Re: iPhone...DENIED

        This happened in Norfolk. Nothing good comes out of that County.

        The people are a bit strange as well. I should know as my Mother's family are from Fakenham.

        1. David 132 Silver badge
          Windows

          Re: iPhone...DENIED

          This happened in Norfolk. Nothing good comes out of that County.

          I believe there's a medical acronym that local doctors put on patients' case notes - NFN, meaning "Normal, for Norfolk".

          Still, Sussex is stranger, as anyone who's read "Cold Comfort Farm" will attest. I saw something nasty in the woodshed, Robert Poste's child!

    4. 2+2=5 Silver badge
      Joke

      Re: iPhone...DENIED

      > and had his iPhone confiscated.

      But does that mean he can legally end his contract with TalkTalk or will they still try to charge him a termination fee?

    5. Dave 15

      Re: iPhone...DENIED

      was he hacking from an iphone?

      I suspect this is just out of touch judges having less clue than a 2 year old and thinking it says it has the internet so thats that.

      Anyway, if he was half sensible he already had the hard drive backed up somewhere suitable, borrowed a computer form his friend and shared the whole good news around.

      Frankly a stupid prosecution from a stupid law. The real criminal in this is talk talk for not protecting their systems and data... they are the ones that should be on trial NOT the guy that proved they were incompetent. Same for those who hack into the US military systems, it is NOT the hacker who needs prosecuting. And if someone hacks into my computer because MS has fouled up their security I should be able to sue MS for any loss or inconvenience caused, not my fault (beyond buying their product of course) and frankly not the hackers fault.

      When are they going to start en masse prosecution of the companies who actively try hacking in order to show vulnerabilities and ensure they are fixed?

      Absurd, ill thought through, typical idiot law making

  2. wyatt

    I'm interested to know what is the difference between a 'budget' ISP and one which isn't?

    1. Anonymous Coward
      Anonymous Coward

      I'm interested to know what is the difference between a 'budget' ISP and one which isn't?

      I guess one with more work done on service security may forego the tag "budget" (also "crap", "dangerous", "irresponsible" and "avoid at all cost").

    2. phuzz Silver badge
      Paris Hilton

      "what is the difference between a 'budget' ISP and one which isn't?"

      I'm going out on a limb here, but maybe, the price?

      1. Danny 14 Silver badge

        zen - good, not budget

        talktalk - bad, budget

      2. wyatt

        That would be the obvious answer, but you can get Plus.net broadband for the same price. Most I know consider the service to be better, whilst they've had downtime, they've not had as many security issues?

        So they're also 'budget' with better support, security and reliability.

  3. Andy Non
    Coat

    TalkTalk hacker told 'you're a very naughty boy'

    So he wasn't the Messiah then. ;-)

    1. Aladdin Sane Silver badge

      Re: TalkTalk hacker told 'you're a very naughty boy'

      I regret that I have only one upvote to give.

  4. Aladdin Sane Silver badge

    “Your IT skills will always be there - just use them legally in the future.”

    Now, this gentleman from the government would like to speak to regarding your future career...

    1. Doctor Syntax Silver badge

      Re: “Your IT skills will always be there - just use them legally in the future.”

      "Now, this gentleman from the government would like to speak to regarding your future career."

      Which department? Given that he's just a skiddie he has very little skill to offer. On second thoughts he sounds just right for GDS, Universal Credit and quite a few other projects.

  5. Aitor 1 Silver badge

    Ridiculous

    I am fed up with this.

    You cause extreme financial pain on thousands of people, some of whom might die out of stress related illneses when their identites are usurped and he gets a slap.

    But hey, if he had dope, then off to jail, right? or "extreme porn" or whatever.... but not if you attack somebody, etc.

    1. m0rt Silver badge

      Re: Ridiculous

      You sound upset.

      Hug?

    2. Def Silver badge

      Re: Ridiculous

      Who caused it?

      Was it the hacker? Or the hackers who used this information afterwards? Or was it the developer who didn't understand simple security procedures? Or the testers who validated the systems with an equally poor understanding of security? Or the development manager who signed off on the code and decided it was safe to push live?

      TalkTalk are ultimately to blame here. They are the ones who should be fined.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who caused it?

        Was it the hacker? Or the hackers who used this information afterwards?

        The real damage was caused by the hackers who used the information afterwards. However, as the original hacker made the information available (and had no legitimate reason to do so) then I reckon that a good legal eagle could make a case for aiding and abetting.

        1. Wensleydale Cheese Silver badge

          Re: Who caused it?

          "However, as the original hacker made the information available (and had no legitimate reason to do so) then I reckon that a good legal eagle could make a case for aiding and abetting."

          To use an analogy, this is a bit like someone leaving a house key in a flowerpot by the door.

          Anyone who goes looking will find the way in pretty easily.

          IANAL but any unauthorised person who uses that key to gain entry won't be doing the "breaking" bit of "breaking and entering". The victim will probably get all or part of an insurance claim denied (if the insurance company finds out).

          What the young laddie did here was the equivalent of announcing the location of the key in the pub.

          Applying this analogy to the "homeowner", well it's not a home here, but a business, and TalkTalk not only left the key in the flowerpot but left personal details of customers in unlocked filing cabinets.

        2. nijam

          Re: Who caused it?

          > ... a good legal eagle could make a case for aiding and abetting

          Irrelevant. A good legal eagle (for some definition of "good", obviously) could make a case for anything.

      2. Aitor 1 Silver badge

        Re: Ridiculous

        It was the hacker.

        if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim.

        Yes, they were negligent and ignored security, but the criminal is a criminal, or is it only a crime if it is really really difficult? Murdering people requires people to defend themselves properly and put up a nice fight to be a crime?

        1. Anonymous Coward
          Anonymous Coward

          Re: Ridiculous

          ah yes but this guy didn't kick your cardboard door in. He just told the world you had a door made from cardboard, then some big boys came along and kicked it in (and presumably ran away)

        2. magickmark

          Re: Ridiculous

          "if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim."

          How about the builder who installed said cardboard door, which was then signed off by the project manager both of them telling you, the customer, "its cheap so you save money but its as safe as houses"? Or you happily accepting the cardboard door without further questioning?

          Yes the hacker deserves a slap on the wrist but its TalkTalk who really are responsible for for not putting proper security in place.

        3. NBCanuck

          Re: Ridiculous

          @Aitor 1

          "if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim."

          True, the police would charge the burglar. Even if the door was accidentally left open the crime is the same. (but good luck getting your insurance company to pay up)

          Personally throwing the book at him would have been too harsh, but this was too little. Some community service or something a little more severe is warranted. The current young generation is far too used to getting things handed to them and not being held accountable for their actions. They have a sense of entitlement from getting things without earning them (no chores, no job) and mommy and daddy rescuing them when they misbehave. Once upon a time parents would ground take ownership of the punishment (grounding, deprive them of privileges), but unfortunately now the courts need to step it up a bit as the parents no longer want to parent.

        4. Def Silver badge

          Re: Ridiculous

          if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim.

          That's a bad analogy.

          If the cardboard door was the door to a vault you owned where you kept other people's private stuff (and claimed it was perfectly secure), who would be to blame then?

          1. Anonymous Coward
            Anonymous Coward

            Re: Ridiculous

            "if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim."

            Don't run a hotel with that mindset or you'll suffer far worse than TalkTalk.

        5. John H Woods Silver badge

          Re: Ridiculous

          "if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim." --- Aitor

          Allow me to fix your analogy:

          You have offered to look after other people's stuff for them. You have a cardboard front door. Somebody says, hey, look, Aitor's got a cardboard front door. Somebody kicks it in and nicks not YOUR stuff but the stuff that other people have trusted you to store for them.

          Any clearer? I would say that the person who said "Hey, Aitor's got a cardboard door" is probably less guilty not just than the person who kicked it in, but also than you yourself.

        6. Voland's right hand Silver badge

          Re: Ridiculous

          if I have a frontdoor made of cardboard (not the case)

          As far as I know nearly all jurisdictions make a difference between using no tools at all, using basic tools and using professional tools.

          So the law actually makes a difference between you having a cardboard door, basic Yale POS Euro single barrel lock and a proper door with a proper lock.

          So yes, a criminal is a criminal, but the LAW provides different penalty for walking in through a piece of cardboard, pushing and shoving the door a bit and using a proper bumping tool or a crowbar. Crowbar by the way is considered a professional burglary tool in all jurisdictions.

        7. Cynic_999 Silver badge

          Re: Ridiculous

          "

          if I have a frontdoor made of cardboard (not the case) and somebody kicks it and nicks my stuff, it is the burglar who is responsible. Not the victim.

          "

          However, if you have a Ming vase on a low table, and a 2 year-old deliberately picks it up and drops it, who is to blame? How about a 3 year-old? 4? 5? The law in England and Wales says the magic age is 10. It's a different age in Scotland and other countries.

          But criminal responsibility is not something that magically appears at the age of 10. It develops over time. Sure, a teenager should know that hacking is wrong - but how seriously wrong? Could he have foreseen that the consequences would be quite so serious? Driving at 45MPH in a 40MPH zone is also criminal, but is only seen as serious if it results in someone being killed or seriously injured. Should we lock up everyone who drives 5MPH over the speed limit?

          1. Doc Ock

            Re: Ridiculous

            Well an update on the story and one of his cronies or users of information is facing gaol time (good), I'll do the Reg Journo's job* for them:

            http://www.bbc.co.uk/news/technology-38300106

            *Get me pictures of Spiderman !

          2. Doc Ock
            FAIL

            Re: Ridiculous

            >Driving at 45MPH in a 40MPH zone is also criminal, but is only seen as serious if it results in someone being killed or seriously injured. Should we lock up everyone who drives 5MPH over the speed limit?

            It's actually 10% + 2MPH according to APCO guidelines, so that's 46mph.

            http://www.cps.gov.uk/legal/p_to_r/road_traffic_offences_guidance_on_fixed_penalty_notices/

            Fail.

        8. nijam

          Re: Ridiculous

          > somebody kicks it and nicks my stuff, it is the burglar who is responsible

          To extend your analogy, all he did was publish the fact that an idiot had a cardboard door.

      3. Doctor Syntax Silver badge

        Re: Ridiculous

        They are also the ones who should be fined.

        FTFY

    3. phuzz Silver badge

      Re: Ridiculous

      What about the bods in charge of TalkTalk's website? No blame for them having SQl injection vulnerabilities that were so easy to exploit that literally a child could do it?

    4. Anonymous Coward
      Anonymous Coward

      Re: Ridiculous

      I actually agree.

      He should have been hit with a slap as it is the adequate means of punishing him.

      The real criminals - the ones who are running an ISP without investing into securing its infrastructure are walking away as victims. It is after all the same ISP which is supplying router zombies to botnets at present so this is not one off - it is systemic. Rather not surprising too, when Harding was interviewed in their "innovation center" there was a Windows 98 (yes 98, not even XP or 2000) and a VCR behind her. Says everything you need to know about Talk Talk innovation.

    5. ElReg!comments!Pierre Silver badge

      Re: Ridiculous

      I think it's a remarkably appropriate sentence. He only used a security scanner on a website and published the result. In itself not a very nice conduct, but if someone is to blame for loss of life because of stress (seriously?), it would mostly be the ISP's (lack of) security.

      1. This post has been deleted by its author

    6. Doc Ock

      Re: Ridiculous

      >Ridiculous

      Agreed, just because you have weak locks doesn't make burglary any less of a crime, should have been gaol time. We all don't mind the odd bit of prank sticking it to the man but this is sticking it to the thousands of innocent people out there who suffered financial loss and harassment. Just think, one of those could have been your vulnerable elderly grandparents.

      This is a punishment only slightly more severe than having to sit on the naughty step for five minutes, justice has failed.

      Oh and by the way folks this adds to Gov ammo as justification for spying on you, so be pissed at this type for disrupting your porn and pirating habits.

      1. ElReg!comments!Pierre Silver badge

        Re: Ridiculous

        > Just think, one of those could have been your vulnerable elderly grandparents.

        When you're wrong on the principle, bring in the affect factor.

    7. MR J

      Re: Ridiculous

      He has taken more of a penalty than anyone we know of in TT.

      Sure they got a "big fine", but that cost was just passed back down to the consumer.

      There's another topic going on at the moment about a Netgear exploit that is going around where users can issue admin commands through a simple URL request. I know of a WAN side exploit where you can gain admin/root login on Netgear routers (late 11n, early 11ac) circa2014 routers. If I published that info now then you rekon I am a criminal... But I spoke to netgear about it in June 2014 and TO THIS DAY the majority of units that can be exploited are still able to be exploited, patching May or May not fix it. So Me talking about this info in detail would make me a criminal..

      But I am not overly good at modern coding and such (Assembly4Life) so I can be sure that others out there have found and exploited this bug... But hold on... Netgear still don't care to fix it... So perhaps I would release the info to force NG's hand into issuing a fix?. Criminal now, or something else?

      TalkTalk has - lets be honest - probably invested little more than what they were told they legally had to invest at a minimum when it comes to data security, storage, and management. Their own staff could see and copy out whole chunks of the user database without it ever raising a flag. Their routers were hacked just a week or so ago, the passwords and other details were released allowing Wi-Fi connection AND admin console. Would someone directly target Wi-Fi connections?.. I bet they wold. Heck, the police even helped with this when they made the NMPR database harvestable... You can be sure that that database is still floating around in some high-tech circles. TT's advice for having the router admin and wifi password stolen - Just leave it alone, your data is not compromised!. In essence what they are saying is that THEY are not liable for the loss so they really don't give a shit.

      Something like 4 major hacks in less than two years, and that's only what we know about. The way that their security system keeps getting reset internally tells me that there must still be a ton of turmoil. You can be sure that within 6 months any extra security details outside of the stock name/address/birthday/birthplace will be deleted and reset to be back to only those values again.

      If this "kid" caused TT to get kicked in the nuts then I say Good.

      If this "kid" cause Users to view a provider a "Unsecure", "Unreliable", and "Untrustworthy" then that's good too. It is time Consumers learn that the people on the other side are a weak link.

    8. Dave 15

      Re: Ridiculous

      Oh bull, stress related deaths... rot, why do people not have any sense of proportion any more?

      Are you one of those who complained that the idea of using old tin cans to make music might cause some kid to cut their finger... Frankly it is well beyond time that people were left able to make up their own minds about risk and danger and take appropriate action.

      The people that caused the problem are those in talk talk, if there is a financial problem created by their inability to protect data then they should be forced to compensate.

  6. Dan 55 Silver badge
    WTF?

    So iPhones do SQL injection, do they?

    I suppose this judge must be normal for Norfolk.

  7. Dwarf Silver badge

    Someone give him a job

    So, at 17, he is employable. It sounds like he will have a fruitful career in penetration testing,

    Get him on an ethical hacking course and mentor him a bit. He might even be "lucky enough" to get a call from the people that live in the doughnut up north..

    Alternately, perhaps Talk Talk's systems are just like the rest of their systems and he has absolutely no technical skills.

    1. LesB
      Happy

      Re: Someone give him a job

      Obviously a definition of "up north" I was previously unaware of. Unless you're Australian, in which case, ignore me and carry on,

      1. Dwarf Silver badge

        Re: Someone give him a job

        Obviously a definition of "up north" I was previously unaware of. Unless you're Australian, in which case, ignore me and carry on,

        Fair cop. It is North of North London though, just not as much as I thought it was ¯\_(ツ)_/¯

  8. Your alien overlord - fear me

    No iPhone, no hard drive. Best get him a Chromebook for Christmas then.

  9. NBCanuck

    One more analogy

    So a person cases a neighborhood and reports in to a burglary ring to tell them the houses that would be would be easiest to break into...which doors and windows are unlocked and no dogs or alarms.

    Slap on the wrist?

  10. nsld

    The real crime

    Is that Talk Talk can get bent over and data reamed, not once, not twice, but three times and yet its still bonuses all round for Dido and the executive.

    Whilst the ICO has at least got some dentures it needs real teeth and the criminal negligence of the talk talk leadership should be the focus and not some idiot with access to a vulnerability scanner.

  11. Doctor Syntax Silver badge

    So this lad has learned that doing this sort of thing carries fairly minor penalties. Will he be deterred from repeating it, maybe going a bit further next time, and being more careful about being caught?

    1. ElReg!comments!Pierre Silver badge
      Meh

      Running a security scanner on a public website ain't no offence. Publishing the results for all to see is maybe a bit ungentlemanly, but hardly a major crime, especially given that had he told TT in advance, they would not have fixed the flaws (and probably would have come for him all guns blazings regardless. Lawyers are cheaper than good security these days). Actually there's a serious chance that the data pilfering happened independently, only this young'un got caught and the real criminals got away... the tool used is hardly difficult to come by.

      Throw the book at him so that he learns that sec testing is a crime and get accointed with real crims? Is that really what should have happened? Maybe he should have been ordered to help TT fix they stuff, but given that all he did was use a readily available tool on a public website, I doubt he has the gorm to fully understand, let alone fix, the vulns. With a minor penalty for his minor misdemeanor, he might wish to further dig into these matters, and, why not, use his powers for good. It's not like the world is crumbling under the weight of able infosec people.

      1. Adam 52 Silver badge

        Which does raise the question, if he is a criminal for doing this why aren't Google's Project Zero team?

        1. ElReg!comments!Pierre Silver badge

          > Which does raise the question, if he is a criminal for doing this why aren't Google's Project Zero team?

          Two answers, one philosophical and one practical:

          - they shouldn't, as increasing awareness about security is a Good Deed

          - the Chocolate Factory has pockets deep enough to sue TT -or pretty much anyone, save a few Big Ones-into oblivion, should the need arise, and execs around the world do know that

        2. MrDamage

          2 reasons

          He doesn't have millions of dollars to spend on lawyers, or bribeslobbyists.

          He didn't say beforehand he won't be evil, and then forget he said it.

  12. Anonymous Coward
    Anonymous Coward

    Brexit is so bad... cardboard doors are a thing in the UK!

    HAHA! Just joshing ya, limeies!

    This kid did the right thing and got burnt. He told them. He should have hid, and released the info anyway when TT failed to fix it the first two times. He'll do better next time.

    He's going to get lots of job offers, and rightly so, if those skillz are for realz. I have a similar problem. I don't take crap from shitty mid-level managers and routinely tell them to fuck off, in those exact terms! Did I get fired, you bet! Now I'm making US$30 MORE an hour, and I'm lowballing my new middleman and could fetch another US$20 as hour on TOP of that. And the run up saw me getting two dozen emails/calls a day for my services, which I mostly ignore. Now I'm a independent contractor with my own LLC corporation.

    When will I learn? ;) I already have. Get skillz, do what you please, get fired, get new job without even trying. HAHAHAHAHAHAHAHAHAHAHA! All the way to the fucking BANK!

    1. Fred Dibnah
      WTF?

      Re: Brexit is so bad... cardboard doors are a thing in the UK!

      Obviously you've never stayed in a Travelodge.

      BTW, what are you smoking?

      1. Captain Badmouth
        Happy

        Re: Brexit is so bad... cardboard doors are a thing in the UK!

        "Obviously you've never stayed in a Travelodge."

        Class.

  13. Stevie Silver badge

    Bah!

    So the "Head Onna Pike" option was off the table then?

    Pah! I'd have expected at least a good flonking with dwile from a court in Norwich (a fine city).

    Falling standards, thin end of wedge, fought them on the beaches etc.

  14. DougS Silver badge

    Taking away a hacker's hard drive

    That might have suited back in the 90s, but these days when you can get terabytes of cloud storage for very little money, I'm pretty sure he had backups of all his tools. If he wants to keep hacking he'll find a way, even without his hard drive.

    As for taking away his phone, what was that supposed to prove? So hard to buy another phone. I didn't read anything in the article suggesting he was ordered not to have another phone, so taking his iPhone was probably something the judge thought up as a "that'll show 'im" thing that probably had the kid and his friends probably laughing at the old fool wearing a wig that night.

  15. Anonymous Coward
    Anonymous Coward

    Without knowing the full details like everyone else here

    I would say that the kid posting the details of a security scan on a company is equivalent to posting "company A has crap security". It might be suggested that if he had been an adult working in the internet security field then you could suggest that he was aware of the consequences of this pointing of fingers. However white hats have done exactly this in the past without criminal charges.

    So we are left with the fact that punishing this kid for the actions of TT, their security advisers and their exploiters was pure spiteful revenge, everyone involved wants to be seen to be productive but why did they not scan TT themselves first and save everyone the hassle.

    TT I imagine met the criteria suggested by those same people charged with protecting our data and security, the same now pushing for the whistle blower's punishment. They and TT are the ones that caused the problem, they presumably are adults working in the field and should have known better but instead after failing to be anywhere near an asset to the people who pay their wages they instead keep their jobs by thrusting the blaim upon a child.

  16. adam payne Silver badge

    There's a lot of blame flying around all over the place on this one. They are all responsible.

    Talk Talk are responsible for not securing their systems correctly and this lead to hackers getting in and taking customers details.

    The hackers who stole the information for financial gain are also responsible for causing numerous problems for people, be it identity theft or monetary loss etc etc

    The boy with the scanner is responsible is his own way as well as he had no business releasing the details of what he had found. That certainly doesn't absolve Talk Talk for being stupid or the hackers for using the information he released. Did he contact Talk Talk about what he found?

  17. Anonymous Coward
    Anonymous Coward

    That Dildo woman needs to go ASAP and other security staff (if they have any) must be brought to book.

    4 times hacked in 20 months is no Joke and NO ONE has been implicated from the company for negligence ! No one has been fired either !

    £7 million in annual package and bonuses all round for her. Whats going on here in blighty ? Mediocrity does pay.

  18. Walter Bishop Silver badge
    FAIL

    Bank account number and sort codes stolen

    "TalkTalk .. confirmed 15,656 of subscribers had had their bank account number and sort codes stolen in the incident and said the hack cost it £35m."

    In this day-and-age, what the f**k is this kind of information doing unencrypted on a server connected to the Internet?

    "The teen, who had used a hacking tool to reveal weak spots vulnerable to SQL injections on its website"

    In this day-and-age, what the f**k are TalkTalk doing, allowing client configurable SQL statements to be run on their servers? Has no one at TalkTalk ever heard of Stored Procedures. What idiot originally wrote the TalkTalk SQL database code?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019