… Only outlaws will use Lynx

BoingBoing is reporting that a man trying to donate to Tsunami relief was arrested because BT thought he was trying to hack their site:

For donating to a Tsunami appeal using Lynx on Solaris 10. BT [British Telecom] who run the donation management system misread an access log and saw hmm thats a non standard browser not identifying it’s type and it’s doing strange things. Trace that IP. Arrest that hacker.

Armed police, a van, a police cell and national news later the police have gone in SWAT styley and arrested someone having their lunch.

Everyone is understandably skeptical about this. Cory is standing behind his post, and we do know that someone was arrested for a “hacking attempt.” I was incredulous at first too, but I’m starting to believe it.

mosch on MetaFilter found the page in question. If you go to the site you can see that 75% of the code is JavaScript, mostly to validate the form. Judging from the fact that they try to block right-clicking, they probably put too much faith in the security of JavaScript.

You can also find in the source of the form this: <input type="hidden" name="p_platform_id" value="F"> and in the JavaScript form validation, if the form passes their checks, this: p_platform_id.value='C';//THIS ID WILL evaluate JS IS OK

When a browser without JavaScript like Lynx submits this form, it won’t perform the check and change p_platform_id from “F” to “C“. If their “security” (and I use the term loosely) is checking for that value, then a submission from Lynx would set off whatever alarm bells and flashing lights they have on their advanced hacker detector.

I have a little experience with people freaking out over security non-breaches. In college I got a legitimate account on the science department’s Sun system, but the login script used a crappy menu that let you choose between using email or logging out. I used Pine to edit the .cshrc (why the menu wasn’t the shell for the account, I don’t know) to do something like removing source /etc/cshrc so that it would dump me to a shell. I didn’t have a lot of Unix experience at this point, but I figured an account on a shared server at college was the way to learn. On a properly secured system there should be no difference in security between having a shell or a menu.

My mistake wasn’t so much getting to a Unix shell, but documenting it on my (GeoCities!) website. I figured that other students who wanted to learn Unix would find this useful. Long story short, I lost my school computer accounts when they found the site.

Let me be clear here — what I did was not equivalent to the Lynx user. I actively tried to skirt the rules and was punished mildly. If his story is true he did nothing wrong (in fact, by trying to help the Tsunami victims he was doing something very right) and was arrested. My point is that people who understand the threats to their security the least are most likely to overreact. Judging from the “security” on this donation form BT doesn’t understand the threats to their security.

Leave a Reply