Friday, 28 January 2005

On the Dangers of Being a Geek

The BBC has a short article about a police investigation into the alleged hacking of the DEC web site, which was set up after the Asian tsunami. This hacking apparently happened on New Year's Eve.

Another article on Boing Boing quotes a mailing-list post written by a user who allegedly accessed the DEC site on New Year's Eve to donate money to the appeal. He accessed the site using the Lynx browser running on Solaris. Apparently, such an unusual setup was misread by BT, who run the donation management system, as a hack attack. BT staff allegedly then called the police and got him jailed.

Slashdot also has the same story with links to the other two sites.

Now the question is: was he really trying to hack the site, or did he actually want to make a donation using a little-known browser? In the former case, it would mean BT staff did exactly what they should have done and got a hacker jailed. In the latter, they misread the unusual browser agent information in the logs and seriously overreacted.

Let's assume the latter: BT staff were too inexperienced to understand their server's logs and this guy ended up in jail just for using this web site with an unusual browser and operating system combination. Surely this is not possible? Shouldn't BT staff be trained professionals who can extract all the necessary information from a web server log and understand it? Well, experience shows that large organisations like BT have such a large number of IT staff that the skill levels in the IT department vary widely. Also, as it was New Year's Eve, the staff contingent at BT was surely reduced and it is likely that the people on duty were more junior than would normally have been the case. Add to this the fact that reading and understanding web server log files is a skill that is better acquired through experience than through courses, and one that sometimes requires significant general knowledge about IT and the systems that can potentially access the web server. It is sometimes surprising how many allegedly professional IT staff have only vague general knowledge of anything other than Microsoft Windows, so Sun Solaris and Lynx could very well have been unknown to the staff on duty at BT. Finally, they might have wanted to err on the side of caution when faced with a log they didn't understand and assume it was a hack that needed to be dealt with immediately, rather than lose time trying to understand the file completely. So the overreaction scenario that put an innocent geek in jail is not that far-fetched after all.

But even if BT really cocked up, why do we care? We care because it could mean that BT staff might not have the experience and knowledge that an ISP should have. As a consequence, they can act on information they don't understand, with potentially dramatic consequences. Having someone jailed is extremely heavy-handed, especially before that person has been proven guilty of any crime. Does it mean that to be safe we should all use a browser and operating system combination that is well known to the staff at all the major ISPs? I am not going to go into the freedom infringement implications of this question; let's just say that if I want to use Lynx on Solaris, I should be able to do so without fearing reprisals of any sort. But at least I have the choice to use what I want. Other people don't. Lynx and other text browsers are typically used by people with disabilities or people with limited bandwidth. Let's just hope it was all a stupid mistake and BT staff have learnt something in the process.
