Feeds

'Virtual sit-in' tests line between DDoS and free speech

Civil disobedience in the digital age

SANS - Survey on application security programs

A University of California professor who organized a "virtual sit-in" that targeted the university president's website has been told he may face criminal charges for mounting a distributed denial of service attack.

UC San Diego Professor Ricardo Dominguez spearheaded the March 4 digital protest by calling on demonstrators to visit a webpage that sent a new page request to the UC president's website every one to six seconds. A separate function automatically sent 404 queries to the server. A "spawn" feature allowed participants to run additional pages in another window, multiplying the strain on the targeted website.

"Okay, now just sit back and relax, or open a new browser window and do anything else you need to do, BUT LEAVE THE ACTION WINDOW OPEN IN THE BACKGROUND, THE LONGER THE BETTER," a help page for the protest instructed.

Dominguez, an associate professor in UC San Diego's visual arts department, said the demonstration was an act of "electronic civil disobedience," a field he's been studying for more than a decade and for which he earned tenure in 2006. He said he's organized or participated in at least 16 similar protests and until now has never been accused of criminal hacking.

One in 2008 protesting the weaponization of nanotechnology even won him a fellowship from the university administrators, he said.

But that's not how campus officials see things now. In a March 9 email, UC San Diego Senior Vice Chancellor Paul Drake informed Dominguez that in response to the action, network administrators were disconnecting the professor's server.

"On March 4, 2010, I received a report from Administrative Computing and Telecommunications (ACT) that you, using the computing resources of CALIT2, launched a denial of service attack against the computer servers at the Office of the President of the University of California," Drake wrote. "I have instructed ACT not to reconnect the server pending a decision from the Office of the President as to whether they intend to initiate criminal or other charges related to this denial of service attack."

University officials declined to comment on the matter.

Dominguez said the virtual sit-in, which coincided with statewide demonstrations protesting some $900m in budget cuts to California education, was the digital equivalent of the types of civil disobedience championed by Henry David Thoreau, Mohandas Gandhi, and Martin Luther King. He said the protests were designed to generate dialogue about social issues and would have only a minor slowing effect on a website with typical resources.

"It's not as if you're a cracker DDoS and using a botnet and then launching, unknown to anybody who is using that machine, an action that effectively takes down the system," Dominguez told The Register. "This, as a hacker once said, is technologically inefficient and ineffective. It is like being pecked to death by a duckling."

Mark Rasch, a former federal prosecutor who is the founder of Secure IT experts in Bethesda, Maryland, said it would be hard to bring a case under US hacking laws.

"In order for there to be a computer crime, there has to be either an intentional denial-of-service or some form of trespass, which would be an unauthorized access," he told The Register. "The problem you have here is if this is a public website, merely going to the website repeatedly is many, many authorized accesses, not an unauthorized access."

Dominguez said he was scheduled to meet with university officials Thursday so they could begin proceedings to determine if there was criminal intent behind the protest. The professor wasn't available at time of writing to discuss the outcome. No criminal charges have been filed in connection to the sit-in. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.