Feeds

'Virtual sit-in' tests line between DDoS and free speech

Civil disobedience in the digital age

Reducing security risks from open source software

A University of California professor who organized a "virtual sit-in" that targeted the university president's website has been told he may face criminal charges for mounting a distributed denial of service attack.

UC San Diego Professor Ricardo Dominguez spearheaded the March 4 digital protest by calling on demonstrators to visit a webpage that sent a new page request to the UC president's website every one to six seconds. A separate function automatically sent 404 queries to the server. A "spawn" feature allowed participants to run additional pages in another window, multiplying the strain on the targeted website.

"Okay, now just sit back and relax, or open a new browser window and do anything else you need to do, BUT LEAVE THE ACTION WINDOW OPEN IN THE BACKGROUND, THE LONGER THE BETTER," a help page for the protest instructed.

Dominguez, an associate professor in UC San Diego's visual arts department, said the demonstration was an act of "electronic civil disobedience," a field he's been studying for more than a decade and for which he earned tenure in 2006. He said he's organized or participated in at least 16 similar protests and until now has never been accused of criminal hacking.

One in 2008 protesting the weaponization of nanotechnology even won him a fellowship from the university administrators, he said.

But that's not how campus officials see things now. In a March 9 email, UC San Diego Senior Vice Chancellor Paul Drake informed Dominguez that in response to the action, network administrators were disconnecting the professor's server.

"On March 4, 2010, I received a report from Administrative Computing and Telecommunications (ACT) that you, using the computing resources of CALIT2, launched a denial of service attack against the computer servers at the Office of the President of the University of California," Drake wrote. "I have instructed ACT not to reconnect the server pending a decision from the Office of the President as to whether they intend to initiate criminal or other charges related to this denial of service attack."

University officials declined to comment on the matter.

Dominguez said the virtual sit-in, which coincided with statewide demonstrations protesting some $900m in budget cuts to California education, was the digital equivalent of the types of civil disobedience championed by Henry David Thoreau, Mohandas Gandhi, and Martin Luther King. He said the protests were designed to generate dialogue about social issues and would have only a minor slowing effect on a website with typical resources.

"It's not as if you're a cracker DDoS and using a botnet and then launching, unknown to anybody who is using that machine, an action that effectively takes down the system," Dominguez told The Register. "This, as a hacker once said, is technologically inefficient and ineffective. It is like being pecked to death by a duckling."

Mark Rasch, a former federal prosecutor who is the founder of Secure IT experts in Bethesda, Maryland, said it would be hard to bring a case under US hacking laws.

"In order for there to be a computer crime, there has to be either an intentional denial-of-service or some form of trespass, which would be an unauthorized access," he told The Register. "The problem you have here is if this is a public website, merely going to the website repeatedly is many, many authorized accesses, not an unauthorized access."

Dominguez said he was scheduled to meet with university officials Thursday so they could begin proceedings to determine if there was criminal intent behind the protest. The professor wasn't available at time of writing to discuss the outcome. No criminal charges have been filed in connection to the sit-in. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.