A few weeks ago at the University of Pittsburgh, John Vranesevich, a freshman and founder of AntiOnline, a Web site about Internet security, stayed up well into the night trying to figure out why no one could access his site. Through a deal with the university, he paid for Ethernet access in his dorm room that allowed him to connect to the Net on a high-speed data network. He set up his site, www.antionline.com, to highlight security leaks or holes in certain major programs such as Windows 95. But on November 14, the site went down.
“Thing is, I thought at first it was a denial-of-service attack from a hacker,” says Vranesevich. “We get some of those sometimes.” In the ever-evolving world of hackers, Vranesevich considers himself a “computer security enthusiast” who uses his powers for good: AntiOnline divulges hacker secrets to protect people’s privacy. And some hackers find this annoying. It’s a modernization of a classic good-versus-evil, Luke Skywalker fights Darth Vader scenario.
But the truth in AntiOnline’s case wasn’t quite so dramatic or binary. Apparently, Vranesevich’s Ethernet connection was cut off by the university. Lee Bannister, the University of Pittsburgh’s coordinator for residential networking, disconnected Vranesevich’s Net link and left him a voice mail message the following morning telling him that the university was about to take “judicial action for improper use of university resources.” Vranesevich tried to contact Bannister, but the university refused to explain its actions in detail.
According to Ken Service, the university’s spokesperson, AntiOnline broke rules that “prohibit the use of computer facilities for purposes other than research or instructional use.” The rules also prohibit using computers for commercial gain. “They clearly violated the rules of the agreement they signed for use of the Ethernet ports,” Service says. “And that is why the university is taking action.”
Vranesevich, however, claims that his site was not used for commercial gain (there is no advertising, and he does not charge anyone for access) and that AntiOnline is used explicitly for instructional purposes. He believes the university took down the site because it assumes it’s a tool for destructive hackers. No one from the university questioned him about his site or his intentions. “All we really do is look for new hacks, or ways to break into certain types of systems or programs, and report them,” Vranesevich says. “And we are usually able to create a patch for these problems.” A “patch” is a new set of codes that plugs the hole in a program.
AntiOnline’s most famous bug discovery and patch creation was “Win Nuke,” which discovered a glitch in the Windows 95 code that allowed anyone to force someone else’s computer to freeze up if linked to the Net. Microsoft released an official patch, and Windows 98 will be programmed without the glitch. But it’s not just corporate America that Vranesevich helps. “I rely on these types of sites for my job,” says Chris O’Ferrell, a senior systems engineer for the U.S. Treasury TCS Network. “I’m responsible for the security for the entire network, and without these people who report new ways to hack systems, I’d be at a loss. Most security people would.”
Vranesevich and his staff at AntiOnline will face a university hearing in a few months, which may lead to a possible expulsion. They have already been cut off from Internet access, e-mail, and use of the university’s computer facilities. “It’s really unfortunate that they haven’t been able to talk to the system’s administrator regarding the charges he made against them,” says Shari Steele, staff attorney for the Electronic Frontier Foundation, who helped Vranesevich find representation. “It shows a certain ignorance people have about computers and the Internet. AntiOnline is constitutionally protected. It could set a bad precedent if the university goes through with this.”