Sunday, November 06, 2005

The Death of Student-Run Websites

This recent Scholars' Avenue chaos has resulted in a new rule that students are not allowed to run websites on institute servers. The Kshitij, Springfest and Gymkhana sites (as well as hall and dep websites) have either been taken down or has been passed into the control of faculty members. To make any changes, for example in the Kshitij site, we have to go through a lengthy process involving writing stuff to a CD which the rector nominee (technology) or the SCom chairman (Kshitij), as well as the president gymkhana, will approve, put in a sealed envelope, and then forward to the faculty in charge of the institute website (now also in control of gymkhana webserver). He will then upload those new files if he gets time in between lectures, and the entire process would take 2 weeks by which time a new sponsor would be crying "contract violation", for not putting their logo on the site.

Although this has come in the wake of the Sholars' Avenue deal, I think it was coming for a long time now. The institute seems to believe, perhaps correctly, that Indian "cyber laws" hold the administrator of a server is responsible for all the content on it. Even if he is hosting a public, unmoderated, forum under a disclaimer saying these aren't necessarily his views. Even, it seems, if a cracker defaced the website and put some rhetoric on it - Indian laws seems to require that admins will have to take responsibility for the cracker's rants. Which, by the way, would probably fall foul of laws against sedition which I never new existed in "liberal democratic" India.

In the context of IIT Kharagpur, it seems the gist of the new "IT policy" is this: the diro will be responsible for whatever is hosted on an insti server; they can't take the risk of allowing students, or even faculty, to set up any publicly accessible pages. All content will be vetted by institute bigshots. In one stroke it kills any chance of introducing the so-called "Web 2.0" technologies - collaborative content creation, open discussion boards, the like.

Needless to say, none of the ancient professors that drafted the "IT policy" can tell you what a web browser does, if their lives depended on it.

What takes the cake is this: the institute wants us to believe that this decision was taken because of a couple of defacements of student run sites. They cannot be convinced that security and censorship are different things - every time i meet a professor about this, the conversation alternates randomly between "hackers writing anti-national things" and "what if u people also start abusing the institute, like that newspaper of yours?" Even if they think that CIC can secure webservers better than students (which is a laughable idea), why not get the CIC to administer the servers, and perform security audits on the sites we host on it? Geocities allows millions of people to host sites on their servers, and their server never gets hacked! Neither does David Filo or Jerry Yang get arrested for any of the hundreds of geocities sites openly supportive of Al-Qaeda.

For every student-run site that gets defaced (happened twice as far as i know, both low-profile for-kgp-only sites) ten CIC-run servers get defaced. The much touted

More on those defacements: apparently the intelligence bureau (the world's oldest independent intelligence agency, i hear) is done catching all the militants in kashmir so they are now spending taxpayers' money on sending letters to IIT's diro, every time a website hosted in the institute is defaced. a couple of those letters concerned student-run sites: the alankar website was defaced by a pakistani group in april, although the alankar team got it restored within a day; the V.S. hall website was defaced later. They (profs) did not tell us how many websites run by the "trained professionals" in CIC were also defaced. Having had the opportunity to work on several of the servers they have set up, each running archaic software and terribly misconfigured security settings, I can make a guess that the number would be quite a lot higher. In fact, for a week last month, coinciding almost exactly with the mid sems, the video lectures website was one page of bold chinese text (which i am sure read something like "fuck you, indian imbeciles who don't know what SQL injections are!"). And they took over 7 days to find and fix it!

Quite possibly, when the institute got all those letters from IB, it was left to CIC engineers to assign blame for all the misconfigured servers lying around - and they found a quick way out by blaming voiceless students.

There is one thing that continued to puzzle us - both the instances of defacement happened several months ago. Why the sudden burst of activity after all those moths of foot-dragging on this "IT policy"? We had assumed that it was the Scholars' Avenue chaos - however there seems to be something else as well, although i got only hints. Some site admin somewhere complained that IIT kgp proxy servers were being used to attack his site/server; Law enforcement people and/or institute authorities assumed it was a student here who was responsible. I don't deny that this is a possibility; but it is not the only one and this is why: a friend of mine found out, while he was home, that the new proxy servers - apparently configured by MORONS - accept anonymous connections from the internet! Their ip's are apparently on every hackers' list of such servers; it was waiting to be taken advantage of by malicious hackers, from anywhere in the world, out to cover their tracks. Since there are more hackers in the rest of the world than in IIT Kharagpur, whoever was responsible for the attack is more likely to be from St. Petersburg than from Kharagpur.

The CIC is meticulous in blocking proxy servers from the hostels during daytime... but apparently they forgot about the rest of the whole wide world!

And guess what takes the cake? This friend of mine, the guy who found this out, went and told an engineer in CIC about it - and guess what? He was told very rudely to stop trying to hack the institute proxies, or he will get into a lot of trouble!

BTW... I won't be listing those ip's here.