

Hacker or Lynx user?
January 27, 2005 3:27 PM

Boing Boing says he's a Lynx user, but British Telecom declared him a hacker and that's what the BBC is carrying. There's no way to tell who's right yet, but I'd say the Bloggers are betting on Lynx user. Anyone got an update?
posted by krisjohn (30 comments total)

 
Now that's curious... it's hard to imagine how a single(?) connection with lynx was connected to misappropriation of money? Could it be smoke and mirrors to keep investigators from investigating the organizers ... a la "evil hacker ate donations" or blame the terrorist?
posted by elpapacito at 3:42 PM on January 27, 2005


I doubt he was just a Lynx user.
posted by Count Ziggurat at 3:47 PM on January 27, 2005


Am I the only one who thinks there must be more to this story than was written in that short account? It just makes very little sense as is.
posted by Sheppagus at 3:48 PM on January 27, 2005


Those are pretty sparse links, there's no way to tell whether this was an actual hack attempt that was thwarted or a security drone with an overactive imagination and underdeveloped security skills.

The link provided by BoingBoing provides none of the details that they mention. They could've provided a couple of links, one to the BBC and another link corroborating what BoingBoing asserts.

As much as I love BoingBoing this was craptacular blogging.

Basically the BBC says it was a person with nefarious intent, BoingBoing says it was a person with an alternative browser lifestyle. Nobody feels the need to provide supporting evidence.

Maybe he just forgot to comment out the


defraud_relief_organization: true


line in his .lynxrc
posted by substrate at 3:57 PM on January 27, 2005


substrate:
ROFL.
posted by dougunderscorenelso at 4:03 PM on January 27, 2005


From a mailing list:

From what mailing list?

Also, I wonder if he made his donation. It would be unlikely that he would be 'hacking' and make a donation with a traceable electronic payment.
posted by Steve_at_Linnwood at 4:38 PM on January 27, 2005


I'm guessing it's in between.

Lynx, being that it doesn't support a LOT of (mis)"features" probably submitted data the CGI at the other end was too stupid to understand. This got flagged as a bad/incomplete transaction, and the dumbass looking over the logs noticed that and saw the browser name. Probably they're used to seeing exceptions like that for other lesser-known browsers, like Opera, but this one stuck out because the moron didn't know about Lynx. So he phoned up the security department, and set the wheels of stupidity in motion.

That's my guess. I wouldn't think it was *just* the name of the browser; there's plenty of people who are either hiding that on purpose or are just behind a proxy that doesn't pass that data.
posted by shepd at 4:41 PM on January 27, 2005


Substrate nailed it. Hence my update question. I was stunned to see the Lynx story pop up on Boing Boing last night, but equally surprised to not find any more information in the morning. (This is less odd than it sounds, I'm in Australia so most of the world's news happens while I'm asleep.)

As such, it went from being a cock up not really worthy of Metafilter to an interesting story/discussion about the he said she said nature of the relationship between mainstream media and weblogs.

Also, I'd really like to know more.
posted by krisjohn at 4:48 PM on January 27, 2005


I pulled up the page in question here. I'm now more inclined to believe that they're just incompetent ninnies.

The page is "protected" from right-clicks, and the javascript code... is kind of crap. Lord knows how much the server side sucks, if it did something stupid like count on the javascript to clean up submissions... something which wouldn't happen if you used lynx as your browser.
posted by mosch at 5:14 PM on January 27, 2005


The other possibility is that lynx uses a libhttp, and the default client identifier string for libhttp is (wait for it) "libhttp". So, somebody saw that and thought to herself "perl scriptkiddie". This happened to a blind staff member where I work when they tried to surf a certain site. We got cut off for "systematic downloading" even though there hadn't been any.
posted by djfiander at 5:20 PM on January 27, 2005


Oh. Your. God. It does some credit card validation in Javascript.
posted by krisjohn at 6:02 PM on January 27, 2005


I love Lynx. Was pretty happy using that still after the first 2 demos of a graphical browser I saw failed miserably. I think it is still installed on my mom's computer... better take it off before she gets arrested or something.
posted by th3ph17 at 6:11 PM on January 27, 2005


Frell... there are 682 lines of javascript out of 928 total lines... that's 75% js folks... yeesh! 10x the necessary code for such a simple task.

It is not surprising at all that the people responsible for this have a great need to be hit by the cloo-by-four...or at least portscanned from work ;¬)
Thanks mosch for the original donate page
posted by gren at 6:56 PM on January 27, 2005


Yeah, they're doing form validation in JavaScript! If they were stupid enough to think that they don't need to duplicate all the validation on the server side, then they probably think that anyone who doesn't execute their JavaScript is attempting fraud.

FWIW, Lynx's user-agent string, at least from my machine, is:

Lynx/2.8.5rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7d
posted by hattifattener at 7:05 PM on January 27, 2005


Oh yeah...blessed be thy CLI Text WWW Browsers...

When cometh the day we lowly ones,
Through quiet reflection, and great dedication
Master the art of karate,
Lo, we shall rise up,
And then we'll make the bugger's eyes water.

posted by gren at 7:29 PM on January 27, 2005


So a rumor is posted on teh internets that someone was arrested for trying to break into the BT tsunami donation site, all the blogs pick up the rumor, and of course some crummy Javascript coding means that BT was totally inept and the Metropolitan police didn't do so much as the most basic due diligence to verify the claim before arresting a hapless Lynx user?

Sheesh, I'm a firm believer in "innocent until proven guilty", but this is a bit out of hand. Even the Technorati listing just shows a gigantic echo chamber of blogs picking up on the suspiciously non-specific accusation. "From a mailing list"... nice. You'd think they'd have a little more to back up what they've got.

I don't doubt that there are inept network security people at BT -- I work in network security at a different phone company and run into ineptness every day -- but some junior analyst or admin (typically the type of person tasked with reviewing records like this) would have to make a case to someone more senior, probably several, and if LE got involved, they'd want to see something with some substance before wasting their time arresting someone. There are overzealous cops, sure, and it's even possible that these are some of them, but until there's something a little more substantial, I remain highly skeptical.
posted by elvolio at 7:50 PM on January 27, 2005


So, let me get this straight: Something appears on boing-boing, with nil backing support ("from a mailing list"), and it's automatically considered true?


That is too funny for words.
posted by Ayn Marx at 7:58 PM on January 27, 2005


elvolio, Ayn Marx: I'm still absolutely positive that I don't know what's going on.

But, come on, Javascript validation on a payment form?
posted by krisjohn at 8:01 PM on January 27, 2005


krisjohn: it would allow them to validate before the user hits submit, thus saving bandwidth and processing costs on the server. What's wrong with that?

You don't know if they have another validator on the server or not.
posted by delmoi at 8:31 PM on January 27, 2005


delmoi: Javascript validation is completely untrustworthy. You'd have to run exactly the same validation on the posted information with or without the Javascript. And the code is so large that the page is four times larger than it need be.

This is for a secure payment form.

It's simply poor practice. Having built a heavily used Javascript validated form myself, only to rewrite it for server-based validation because dud data still made it in, no matter what you tried, I tend to think I know what I'm talking about.

However, it means nothing in relation to the Lynx vs Hacker story -- which still hasn't been updated beyond the BBC and Boing Boing. (I'm just seeing the two sides echoed over and over.)
posted by krisjohn at 8:50 PM on January 27, 2005


krisjohn:

What I mean is, if you validate in javascript, you can notify the user that he made a mistake without sending him another HTML page. It would reduce the number of mistakes a user would actually end up submitting to the server, and therefore reduce the number of pages that the server needs to send out.

I didn't say it was trustworthy, all I'm saying is that it might be useful, and isn't an indication that the site's code is sloppy.
posted by delmoi at 9:17 PM on January 27, 2005


I'm hoping he was a lynx user.
posted by Kempt at 9:22 PM on January 27, 2005


delmoi:

Possibly. I had one side effect of my Javascript validation and that's that the session was timing out. Some users were making so many mistakes and taking so long to produce a form that the javascript would let through that the server would give up on them and close the session.

Also, server-side processing makes it easier to tell the user exactly what's wrong -- particularly if they've made multiple errors. You can draw the page with extra hints and detailed information about the problems.

There's also the whole "encrypting a page 4x times larger than it would otherwise be" overhead.
posted by krisjohn at 9:26 PM on January 27, 2005


It's simply poor practice. Having built a heavily used Javascript validated form myself, only to rewrite it for server-based validation because dud data still made it in, no matter what you tried, I tend to think I know what I'm talking about.

Client-side validation complements server-side validation. It's more user-friendly and places less demand on your server and network. It is not meant to replace server-side validation.

I had one side effect of my Javascript validation and that's that the session was timing out. Some users were making so many mistakes and taking so long to produce a form that the javascript would let through that the server would give up on them and close the session.

Perhaps you need longer session timeouts, rather than more HTTP requests.

Also, server-side processing makes it easier to tell the user exactly what's wrong -- particularly if they've made multiple errors. You can draw the page with extra hints and detailed information about the problems.

There's no reason you can't supply just as much information using Javascript. You're not limited to using window.alert, you know.
posted by me & my monkey at 9:48 PM on January 27, 2005
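
Added example (not part of the thread and not BT's code): the point argued above, that a payment form has to be validated again on the server because a browser such as Lynx never runs the page's JavaScript, sketched as a Node.js validator that also reports every error at once. The field names amount, card and expiry and the sample submissions are assumptions constructed for illustration.

```javascript
// Luhn checksum: the same check a browser script might run, repeated on the server.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Validate a decoded POST body. Every field is checked here whether or not
// client-side script ran, and all problems are collected so the page can be
// redrawn with every error at once. Field names are hypothetical.
function validateDonation(form, now = new Date()) {
  const errors = {};
  const amount = String(form.amount ?? '').trim();
  if (!/^\d{1,6}(\.\d{2})?$/.test(amount) || Number(amount) <= 0) {
    errors.amount = 'Enter an amount such as 25 or 25.00';
  }
  // Accept spaces and dashes, as a text-browser user would type them unassisted.
  const card = String(form.card ?? '').replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(card) || !luhnValid(card)) {
    errors.card = 'Card number is not valid';
  }
  const m = /^(0[1-9]|1[0-2])\/(\d{2})$/.exec(String(form.expiry ?? '').trim());
  if (!m) {
    errors.expiry = 'Use MM/YY';
  } else {
    // A card is valid through the last day of its expiry month.
    const firstOfNextMonth = new Date(2000 + Number(m[2]), Number(m[1]), 1);
    if (firstOfNextMonth <= now) errors.expiry = 'Card has expired';
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Constructed sample submissions: one as a script-less browser might send it,
// one with several mistakes at once. Neither is treated as an attack; a failed
// check is only a reason to redraw the form with the messages.
const noScriptPost = { amount: '25', card: '4111 1111 1111 1111', expiry: '12/30' };
const badPost = { amount: 'ten', card: '4111111111111112', expiry: '13/05' };
console.log(validateDonation(noScriptPost, new Date(2025, 0, 1)));
console.log(validateDonation(badPost, new Date(2025, 0, 1)));
```
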


Before accusing Cory of craptastic blogging, read his update:

Update:: The source that told me about this has corroborated it with more detail in private email, but is leery of going public. I hope that more publicly available details appear soon, and will post them when I have them.

IMNSHO, it's better to get out some details on a story like this earlier rather than later, so we frenzied researchers can try to turn up more information. I don't like sensationalistic journalism or blogging, but I saw Cory's post as a heads-up (containing both sides of the story, if biased toward the lynx explanation) and in general trust him to post more info if and when he gets it, as he has done before.
posted by sninky-chan at 2:06 AM on January 28, 2005


I just surfed the page in question with my lynx and links browser. Let's see if I get arrested.
posted by dabitch at 3:45 AM on January 28, 2005


Mmmmmmmmm, chod-tastic code wallpaper.

I know British Telecom have standards to uphold, but seriously. I wonder if they did all that without regular expressions as a dare.
posted by NinjaPirate at 7:00 AM on January 28, 2005


These days, with the amount of readily available and easy-to-use tools which can be used for malicious purposes, no one shows up at your door for something so minor. As a person who does network security for a living, I can say you see people up to no good _all_ the time.

The story above doesn't wash. Either the person was up to something far more reaching than this, or else it's just not true.
posted by poppo at 8:56 AM on January 28, 2005


I don't know poppo, I see cops overreacting all the time. All you need is a shrill person with some pull to fly off the handle and you'd think the queen was visiting or something.
posted by Mitheral at 10:05 AM on January 28, 2005


I totally agree that the authorities can overreact. We see stories in the news all the time about it. But this one doesn't fly, IMHO.
posted by poppo at 11:18 AM on January 28, 2005




This thread has been archived and is closed to new comments