BoingBoing is reporting that a man trying to donate to Tsunami relief was arrested because BT thought he was trying to hack their site:
For donating to a Tsunami appeal using Lynx on Solaris 10. BT [British Telecom] who run the donation management system misread an access log and saw hmm thats a non standard browser not identifying it’s type and it’s doing strange things. Trace that IP. Arrest that hacker.
Armed police, a van, a police cell and national news later the police have gone in SWAT styley and arrested someone having their lunch.
Everyone is understandably skeptical about this. Cory is standing behind his post, and we do know that someone was arrested for a “hacking attempt.” I was incredulous at first too, but I’m starting to believe it.
You can also find in the source of the form this:
p_platform_id.value='C';//THIS ID WILL evaluate JS IS OK
I have a little experience with people freaking out over security non-breaches. In college I got a legitimate account on the science department’s Sun system, but the login script used a crappy menu that let you choose between using email or logging out. I used Pine to edit the .cshrc (why the menu wasn’t the shell for the account, I don’t know) to do something like removing
source /etc/cshrc so that it would dump me to a shell. I didn’t have a lot of Unix experience at this point, but I figured an account on a shared server at college was the way to learn. On a properly secured system there should be no difference in security between having a shell or a menu.
My mistake wasn’t so much getting to a Unix shell, but documenting it on my (GeoCities!) website. I figured that other students who wanted to learn Unix would find this useful. Long story short, I lost my school computer accounts when they found the site.
Let me be clear here — what I did was not equivalent to the Lynx user. I actively tried to skirt the rules and was punished mildly. If his story is true he did nothing wrong (in fact, by trying to help the Tsunami victims he was doing something very right) and was arrested. My point is that people who understand the threats to their security the least are most likely to overreact. Judging from the “security” on this donation form BT doesn’t understand the threats to their security.