Two University of Pittsburgh computer-science majors have been abruptly barred from accessing the Net by campus officials, physically banned from all the college's computing labs, ordered not to contact the staff member who shut down their access, and threatened with expulsion.
Their offense? Building a free online resource for those on the cutting edge of computer-security issues, the students say.
Last Friday, freshmen John Vranesevich and Rob Dailey found that the Ethernet connection in their dorm room had been disabled. Assuming that their site, AntiOnline, was being subjected to a denial-of-service attack from some hacker targeting a site devoted to protecting others from malicious hacks, the two began the usual drill of reinstalling TCP/IP software and "pinging out" to verify their connection to the Net at large.
After working nearly all night, they found a message on their voice mail from Lee Bannister, coordinator of residential computer services at the university. Bannister's message: Their Ethernet access had been terminated for violations of Pitt's code of responsibility for use of on-campus computing resources.
Bannister also said AntiOnline violated rules prohibiting use of campus facilities "for purposes other than research or instructional purposes." The code also prohibits use of campus server space and bandwidth "for commercial purposes or commercial gain," and bans hacking or any activity that "interferes with the operation of the university's technical resources by deliberately attempting to degrade or disrupt resource performance, security, or administrative operation."
Vranesevich and Dailey assert that research and instruction were the very things they were offering at AntiOnline, which Vranesevich launched when he was in 10th grade. They also point out that AntiOnline was completely non-commercial, with no fees, no ads, and no banners. Content was closely monitored, Vranesevich says, to prevent posting of inappropriate materials such as porn or "warez" (which can include pirated software or cracking programs). To those interested in computer-security issues, the site offered free Net access, email, and space on Vranesevich's server, Dailey said, in hopes that even the uninitiated could learn from the experts.
"It was educational," Dailey said, "so that even people who were new to all this could learn to protect themselves."
AntiOnline was a crucial resource for Net security news, said "RLoxley," who operates the "hackphreak" channel on IRC and is the webmaster of another hackproofing resource, X-Treme. "If you wanted to know what the latest exploit [operating-system defect] was, and you wanted to patch it, you went to that site - bottom line," he said.
Vranesevich claimed that the hacker assaults on AntiOnline - which he admitted numbered in the "hundreds" - were no threat to the campus computing system as a whole. "They were smart attacks" aimed specifically at his site, "nothing that would degrade a network this size," Vranesevich explained. He also noted the campus network is heavily firewalled.
AntiOnline was one of the first sites to examine a security hole in the Windows operating system that surfaced in Spain as "Muerte" - ported into English as the infamous WinNuke bug. Vranesevich was inspired to create a site devoted to security issues, he said, when a bank of NeXT computers at his high school in Beaver, Pennsylvania, was used as a telnet "bounce point" to gain access to a protected computer at NASA.
While still a sophomore in high school, Vranesevich and a friend negotiated with the Beaver Chamber of Commerce to, as he puts it, "get the whole town online." The two spun out Web pages for local merchants - netting themselves US$3,000 each for a summer's work - and schmoozed the town library and the Beaver Area School District into installing free machines in the library and free dialup access to the Net for local residents. By the time Vranesevich got AntiOnline up and running in his tower room at the University of Pittsburgh, he said, it was a very popular site.
On Tuesday, Vranesevich and Dailey found an ISP willing to host a page about their plight, and the two posted Bannister's phone number and email address on the page, and on IRC, with a plea for statements of support.
Later that day, their email and shell accounts were shut down, their dialup access to the Net was cut off, and the two were informed that they would be subject to more serious charges, to be specified at a later date. On Thursday morning, they received a "no-contact order" from the assistant vice-chancellor for student affairs, forbidding them from communicating with Bannister by email or phone, even "through any intermediary, including users of AntiOnline.com or other Internet users at large, or similar types of association." Should any such contact occur, the letter warned, the freshmen would be "subject to disciplinary sanctions up to and including dismissal from the university."
"They expect us to tell anyone who's ever been on AntiOnline to not email him," Vranesevich said, "when we have no access to the Internet whatsoever."
Bannister refused to talk to the press, but university director of communications Ken Service said that "it was felt that the use of the site was in violation of the policy" the students signed at the beginning of the semester. Service declined to discuss the details of the case, citing student confidentiality. But as to the further charges, Service said "the kindliest version of it is that they seemed to have been encouraging harassment" of Bannister by posting his email and phone number on the Net.
The case will go to the campus judicial board this afternoon.
