Back in the day, I spent 11 years working for GTE. For those of you who don’t remember back in the day, GTE was a telephone company back in the regulated days when phone companies had to provide reliable dial tones and were measured on the availability of their services. Back in the day, telephone people sneered at the Internet and its lack of availability guarantees or service level agreements. Of course, they also sneered at how unreliable cable TV was – and absolutely guffawed at the idea that the Internet or cable TV could ever carry reliable data services, let alone voice services.
What the telephone people couldn’t accept was the idea that “ooh, error 404 – I better try again” might become acceptable. But it did – today’s Internet users accept pretty crappy voice and data service because it is cheap. It is basically the “buffet mentality” – the food isn’t very good but it is all you can eat!!
So, given that every Internet user has gotten used to error 404 when web browsing, and never once blames the IT shop, I’d like to see some innovative use of other HTTP error codes. If a web server was smart enough to have some doubts about the legitimacy of a connection, why not send something like Error 408 (Request Timeout) and see if the user tries again? Something like that could help differentiate bots or spiders from humans at least – or at least until the bad guys caught on and then maybe we would switch to Error 418 (You are Ugly and Your Mother Dresses You Funny) until they figured out that one, then we would switch to Error 420 (Meet Me Behind the High School), etc.
I’m sort of over-simplifying here but the idea is to take advantage of how accepting users are of crappy Internet service as long as it does not appear to be the fault of IT. Automated code isn’t so tolerant – do you think a bot ever actually tried to click on the duck flying by in a banner ad?

John Pescatore
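
The 408-and-see-who-retries idea from the post, sketched as an added example (not code from the original post or its author). How a request gets flagged as doubtful is left to the caller, and the class name, the timing window and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac

class RetryGate:
    """Send 408 to a doubtful client's first request; serve it only if it retries."""
    def __init__(self, secret: bytes, min_delay=0.5, max_delay=60.0):
        self.secret = secret
        self.min_delay = min_delay   # assumption: faster retries look scripted
        self.max_delay = max_delay   # assumption: challenge expires after this
        self.pending = {}            # key -> time the 408 was sent
        self.passed = set()          # keys that retried inside the window

    def _key(self, client: str, path: str) -> str:
        # Keyed hash so raw client addresses are not kept in the state table.
        return hmac.new(self.secret, f"{client}|{path}".encode(), hashlib.sha256).hexdigest()

    def decide(self, client: str, path: str, now: float, doubtful: bool) -> int:
        """Return the HTTP status to send for this request."""
        key = self._key(client, path)
        if not doubtful or key in self.passed:
            return 200
        sent = self.pending.get(key)
        if sent is None or now - sent > self.max_delay:
            self.pending[key] = now      # first sighting, or challenge expired
            return 408
        if now - sent < self.min_delay:
            self.pending[key] = now      # instant retry: challenge again
            return 408
        del self.pending[key]
        self.passed.add(key)             # retried the way a person would
        return 200

    def unanswered(self, now: float) -> int:
        """Count expired challenges nobody retried: the bot/spider candidates."""
        return sum(1 for t in self.pending.values() if now - t > self.max_delay)

def demo():
    # Constructed traffic: (client, path, time in seconds, doubtful?)
    gate = RetryGate(b"constructed-demo-secret")
    requests = [
        ("198.51.100.7", "/login", 0.0, True),   # person: challenged
        ("203.0.113.9", "/login", 1.0, True),    # one-shot bot: never retries
        ("198.51.100.7", "/login", 4.0, True),   # person reloads: served
        ("192.0.2.44", "/login", 5.0, True),     # script: challenged
        ("192.0.2.44", "/login", 5.01, True),    # instant retry: challenged again
        ("192.0.2.50", "/", 6.0, False),         # not doubtful: served
    ]
    statuses = [gate.decide(*r) for r in requests]
    return statuses, gate.unanswered(now=120.0)
```

A client that simply retries after a pause passes this gate, which is the point at which the post expects the error code to be switched.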
4 responses so far ↓
1 Stiennon December 3, 2008 at 3:52 pm
OK, now I understand. You are using this blog to expurgate zany ideas from your mind so you can get on to regular thinking.
-RS
2 John Pescatore December 4, 2008 at 7:19 am
Ah, grasshopper – you are obviously not hearing with your eyes or seeing with your ears.
There is a long history of sacrificing quality of service to add security or control. Watermarks in digital documents, inline signalling in the old analog voice telephone systems, error correcting codes, anti-lock brakes, many more examples. Seriously, this is an underutilized area in the way security is thought about on the web.
I leave you with this, from Technology Haiku:
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.
3 Dr.InfoSec December 8, 2008 at 10:47 am
How about 5xx additions as well:
506 – Server under Denial of Service Attack – We had no sys admin
507 – Server under Denial of Service Attack – Failed to pay extortion request
510 – Server Was Hacked – Start ID Theft Recovery Service Now
511 – Server Now Serving Malware – Please come again
4 John Pescatore December 9, 2008 at 5:51 am
I like it – that Error 511 will be especially popular.