rashbre central: cloud

Saturday, 24 October 2015

don't talktalk about it

CBBC star Hacker T Dog.
The current hack into TalkTalk's website creates an interesting taste of living in the cloud. The perpetrators are now claiming to have 4 million customer records and apparently have even issued a ransom note like something from a TV plot.

We've all got far more data than we care to think about lodged away in systems which increasingly work in the cloud. Part of that is because we all also want to be able to access these systems from smartphones and browsers, rather than sit on interminably long calls to so-called help desks.

Another reason is because industry is all being persuaded that it is economically sound to put their systems into cloud computing environments.

Systems like Google also progressively tie all our data together, so that even if you want to have a separate personal and professional appearance in the internet, the G+ robots will eventually catch up.

I use one of those automatic password generators for my own access to systems. It comes up with passwords along the lines of:

ryeX-Uc-bEv-jaw-oD-fIn-inG

And nope, I'm not actually using that one and I've selected randomised lengths too, so the syntax of my actual passwords will differ.

Of course I can't remember them all, and have to use 1Password to wrangle them.

The problem comes when people use passwords like -er- qwerty12345 or asdfg-0987 or password1992 or CFC4evva. It's because there's a high social engineering probability that this type of user will be using the same password elsewhere. So browsing through an unencrypted list of users, there'll be some that are probably easier to target, simply based upon the type of password they use.

Back to TalkTalk. The story goes that the hackers used a denial of service attack first as a diversionary tactic, whilst the slurping of data was taking place. The thieves even put up an extract of the data they stole onto a website to illustrate what they've done.

The data (if genuine) was still being displayed today, Saturday, some four days after the attack.

If I was John who drives taxis, Hadyn, Norma, Fraser, Catherine, Dolph or Amanda, amongst many others, I'd be pretty annoyed that my record was still on public display. If I was Ben or Rahmet, I'd be even more annoyed that my entire TalkTalk order was listed (update: it's all still there on 26 Oct).

I'm not buying it though. Getting into a website is one thing. Like that opening sequence in Homeland the other day when the dodgy internet club managed to hack into the CIA. Then they immediately started downloading files that were at the core of the CIA's best secrets in Germany.

Yeah, right. It's sometimes hard enough finding files on one's own systems, let alone on a secret CIA station in Berlin.

But that seems to be what these hackers claim to have done as well.

Not only did they flood the TalkTalk system to make it run slowly, they then claim to have used this same period to get inside, and somehow find the exact files where the cellphone and SIM orders were kept, in the clear (i.e. not in encrypted format), and all comma delimited.

The method of intrusion as described is all a bit too tidy.

This smacks to me more of something purposeful conducted from inside TalkTalk's walls. It could be a whole lot simpler too. The conditions: someone with access to the right files runs/introduces a pre-formed SQL query generating an Excel CSV (comma separated values) file and then downloads it to a memory stick, or via Bluetooth to a phone.

This could be in a central location (operations or development), or possibly even from a helpdesk if there are local copies of the customer file. No wonder the class of tools to do these kinds of dubious things are called Mole, Pangolin (scaly burrowing anteater) and Injector.

I guess it will all play out over the forthcoming days and weeks. It might also explain why the note accompanying the upload of the stolen data contains a message which says things like:

"We Have Made Our Tracks Untraceable Through Onion Routing, Encrypted Chat Messages, Private Key Emails, Hacked Servers."

Why bother to say These Things And With So Many Capital Letters? It's a bit like the villain's speech to explain the next logic jump to James Bond.

There's more, but it starts getting into a more lurid and fundamentalist area which I won't document here. The slightly juvenile style looks quite different from the increasingly common attacks on casino sites with distributed denial of service and BitCoin as ransom.

The eventual after-effect of this TalkTalk attack will probably be to create even more layers of security for not just TalkTalk's site, but everyone else.

Coincidentally, a few days ago I described a situation where a big commercial site had mis-transcribed my address in a way that meant they would only send things to a (wrong) address to Plot (wrong Number) in (wrong town) Shellsea in order to identify me.

A few days later I saw a different example on television, where (wrong name) Dr.Occupier was being incorrectly billed for electricity but could not change it because the security questions needed his/her name "Dr.Occupier" to be specified.

I suppose we can't have all this smartphone cloud access without the attendant security, so cue those sayings about the indolent falling prey to the active or about freedom, liberty and vigilance - I'm sure we'll be hearing them all over the next few days.

Sunday, 7 September 2014

Lightroom and Aperture along a cloudy edge

Since I set up Lightroom 5 as a test replacement for Aperture for my photographs, I've had to rethink my backup strategy. Lightroom backs up its catalog, but not the related photos. Aperture backs everything into its vaults. So I needed an additional backup regime for the Lightroom photos.

I'm using Chronosync which requires individual folder hierarchies to be nominated for backup. It can be scheduled and will only copy changes, set by user preference. It seems very reliable and will retry if a disk or machine is offline. The end result is also a recognisable folder and file format, which is reassuring when thinking about recovery.

The initial backup of Lightroom took a few hours across the home network. I also made a further backup of Aperture using Chronosync. Aperture's backup took 2-3 days, but the way that Aperture stores the individual photos in its folder structure meant there were over 2 million items to copy. Given there are around 100,000 images, that's a lot of extra objects.
The files are now stored in a workspace, on a fileserver and on a separate backup server. Everything is RAID5 and I've added dual disk redundancy to the two server environments.

It got me thinking about my early home computer systems, back in the days of proper floppy disks. That's the type that do actually bend. Type 'floppy disk' into Google nowadays and most of the images that come back are of the IBM-style 1.3MB diskettes.

My original hard-disk enabled computer had two drives with a total capacity of 30MB. That's about the size of a single photograph as a raw file from a fancy camera nowadays. Back in the day, the 30MB seemed like a decent amount of space, although the Apps were 'green screen' and the games were retro blocky graphics. Even in the early PC days, it was commonplace to have a pile of 15-20 diskettes to load to install, say, MS Office.

Fast forward to now. No DVD drives (let alone CD or diskette drives) on many modern systems. Storage is measured not in Megabytes, not even Gigabytes; nowadays it's Terabytes and discussion of Exabytes. As iPhones start to use 128GB storage, that's over 4000 times the storage of that ancient home computer.

Sunday, 20 January 2013

when did hi-fi become A/V?

#uksnow cars
An unexpected diversion, what with de-snowing the cars and the drive. I was surprised how much time it took, a function of it being an unusual occurrence. Little things like finding the proper snow boots, not seen since last time at Jungfraujoch.

Having abandoned the day's original plans, it was an excuse to practice Being Idle.

I flipped on some music and let the system select the tracks for me, which was perfectly fine, within the limits I had given it.

My idleness led me to doodle a quick picture of what used to be called Hi-Fi (does anyone still say that?) and nowadays is probably called 'Audio Visual' or similar.
HiFi goes AV
So here we are. Probably of no interest to anyone but me, but it somehow illustrates the demise of the Gramophone.

There used to be a simple path from a record shop to a record player and then to a listening experience. I still use that route for occasional purchases.

I still like the artwork of 12 inch LP albums, which could be quite special. Not so with most CDs, which bang a cover shot of the band on the front and big words in the top third that can be read from across the store.

Of course, that's dying out too, with digital downloads. If I'm honest, I used to surprise people quite a few years ago because I didn't keep those little brittle plastic boxes that most CDs came in. I'd always thrown away the outer packaging, just keeping the CD and the booklet.

OK, except for properly created artworks, of which there are still some around. I do still keep that type of CD intact.

So I guess I've been heading to digital for quite a few years.

Cue digital downloads, which signalled the potential demise of HMV and Blockbuster. Canals and railways.

Nowadays even the amplifiers are network attached. My last amplifier came with a little cardboard box in it containing a USB stick with the latest firmware upgrade to be applied before use. Of course I downloaded the more recent one online.

To be honest, I'm not sure how many people even bother nowadays with amplifiers and receivers, instead using little speaker units into which they can drop iPhones and similar.

My scribbly diagram illustrates some of the listening routes available now.

Buy from:
  • (a) an independent band or store. Still get physical product, good artwork, usually a download as well and some personal engagement.
  • (b) a record shop or store. Harder to find, yet places like Fopp and Rough Trade in London are still jam-packed with people.
  • (c) online, from Amazon or iTunes, or via a broker like Last.fm which will point to the cheapest source. Amazon still gives a choice of CD or online product, but increasingly it's becoming online biased on price.
  • (d) Supermarkets. Xfactorish. Nope.
Then there are all the cloud services. Everyone wants to suggest that you don't need the physical product at all.

Even with my throwing away of CD boxes, I find this one step too far. T'interweb is strewn with failed companies. It would be a tragedy to see all the licences to listen go up in a puff of Chapter 11. I download everything. And back it up.

What it means, though, is that nowadays, there's both the stuff you own and also a good range of relevant listening suggestions from the likes of last.fm or spotify.

And they do work quite well, suggesting and playing music of the type I like, rather than just blanding me out with 'Top of the Pops' pap.

So I'm with the direction. Even if it does take a bit longer to wire up than an old Dansette.
Stylus