'Virtual sit-in' tests line between DDoS and free speech
Civil disobedience in the digital age
A University of California professor who organized a "virtual sit-in" that targeted the university president's website has been told he may face criminal charges for mounting a distributed denial of service attack.
UC San Diego Professor Ricardo Dominguez spearheaded the March 4 digital protest by calling on demonstrators to visit a webpage that sent a new page request to the UC president's website every one to six seconds. A separate function automatically sent 404 queries to the server. A "spawn" feature allowed participants to run additional pages in another window, multiplying the strain on the targeted website.
"Okay, now just sit back and relax, or open a new browser window and do anything else you need to do, BUT LEAVE THE ACTION WINDOW OPEN IN THE BACKGROUND, THE LONGER THE BETTER," a help page for the protest instructed.
Dominguez, an associate professor in UC San Diego's visual arts department, said the demonstration was an act of "electronic civil disobedience," a field he's been studying for more than a decade and for which he earned tenure in 2006. He said he's organized or participated in at least 16 similar protests and until now has never been accused of criminal hacking.
One in 2008 protesting the weaponization of nanotechnology even won him a fellowship from the university administrators, he said.
But that's not how campus officials see things now. In a March 9 email, UC San Diego Senior Vice Chancellor Paul Drake informed Dominguez that in response to the action, network administrators were disconnecting the professor's server.
"On March 4, 2010, I received a report from Administrative Computing and Telecommunications (ACT) that you, using the computing resources of CALIT2, launched a denial of service attack against the computer servers at the Office of the President of the University of California," Drake wrote. "I have instructed ACT not to reconnect the server pending a decision from the Office of the President as to whether they intend to initiate criminal or other charges related to this denial of service attack."
University officials declined to comment on the matter.
Dominguez said the virtual sit-in, which coincided with statewide demonstrations protesting some $900m in budget cuts to California education, was the digital equivalent of the types of civil disobedience championed by Henry David Thoreau, Mohandas Gandhi, and Martin Luther King. He said the protests were designed to generate dialogue about social issues and would have only a minor slowing effect on a website with typical resources.
"It's not as if you're a cracker DDoS and using a botnet and then launching, unknown to anybody who is using that machine, an action that effectively takes down the system," Dominguez told The Register. "This, as a hacker once said, is technologically inefficient and ineffective. It is like being pecked to death by a duckling."
Mark Rasch, a former federal prosecutor who is the founder of Secure IT experts in Bethesda, Maryland, said it would be hard to bring a case under US hacking laws.
"In order for there to be a computer crime, there has to be either an intentional denial-of-service or some form of trespass, which would be an unauthorized access," he told The Register. "The problem you have here is if this is a public website, merely going to the website repeatedly is many, many authorized accesses, not an unauthorized access."
Dominguez said he was scheduled to meet with university officials Thursday so they could begin proceedings to determine if there was criminal intent behind the protest. The professor wasn't available at time of writing to discuss the outcome. No criminal charges have been filed in connection to the sit-in. ®
COMMENTS
Huh
It seems to me the key issue is whether the protest was calibrated to actually disable the web site in question, or merely be noticed. Much like a real sit-in could either try to blockade a building or just attract attention.
On the other hand if he's calling it civil disobedience, he shouldn't exactly be surprised if it turns out to be illegal. That's kind of the point, isn't it?
Law
It will be interesting to see the outcome of this and what (if any) precedents it sets.
Sadly, if the University have any sense they will just let this whole thing die. If the central authority have so little control they can't resolve this without recourse to the Criminal Justice System then we might see something interesting.
If it goes to trial and he is found not to have broken any laws it opens the doors to DDoS as surely the principle should ignore the technological aspects - denial of service is a denial of service if 100 machines do it or 10 gazillion.
If he goes to jail then it shows criminal laws can be used to stifle some forms of protest (what a surprise that would be....). It would mean that effectively a sit-in was criminal and all participants should be jailed.
If he goes to jail, surely everyone else who took part in the "attack" should as they were willing participants (rather than zombie machines) who contributed in equal measures to the criminal damage caused.
Spot on!
".....the digital equivalent of the types of civil disobedience championed by....<etc>"
Total fucking bollocks that is too. There's a world of difference between motivating a sufficiently large group of people to go out at personal risk on a regular basis to get in the faces of authority and getting a load of couch-potatoes to fire up a browser session to leave running while they go out on the lash.
The first requires as a prerequisite a seriously worthwhile cause that a large number of people care deeply about, plus the motivation and organisation to get 'em to do something about it. For the second, you only need something that can raise the interest level above "meh" amongst lazy arsehats and a tame s'kiddie.
He's a pompous prat and deserves everything he gets.
