Network: Political activism goes online

Sit-ins and marches are old hat. Civil disobedience is becoming electronic, but governments are wising up.
Click to follow
The Independent Culture
Cyberspace has become the latest forum for direct political activism. Over the last few months, Net-based organisations have shown that "electronic civil disobedience" can achieve newsworthy results.

The principal weapon in their electronic arsenal is "mobile code" - any Java or Active X-style applet that "pushes" files on to your computer. Once inside, the code can access your computer's innards in the same way as any other application. These are the Stealth bombers of e-conflict: small, efficient and extremely difficult to detect.

A few weeks ago, Electronic Disturbance Theatre (EDT), a Mexican political group allied to the pro-Zapatista movement, launched a Java-based attack on several websites: the Frankfurt Stock Exchange, the Pentagon, and the site of the President of Mexico. The applet, activated when casual surfers visited the EDT page, subjected the targets to "denial-of-service" attacks, which would - if successful - have prevented access to any of their password- protected files.

EDT announced the planned date of its supposed raid, leading observers to believe that it was more of a publicity stunt than a serious attempt to penetrate the Pentagon. However, the method of attack holds serious implications for the "innocent" Web surfer. The target regards the hostile applet as having originated from the visitor, rather than the visited site. Anyone logging on to such a site therefore could, theoretically, be held responsible for his or her inadvertent actions.

The EDT campaign marks the first time a Java applet has been used in a live "cyber-attack" by techno-literate political rebels - the first instance of electronic civil disobedience. The group says more attacks are planned.

Less than a week later, the online news service news.com reported a similar offensive against the website of Sweden's main opposition party. With an election imminent, the hackers sabotaged a portrait of the Moderate Party's leader, Carl Bildt, a former Swedish prime minister.

As well as direct action, the Internet is a useful tool for political activists. In Indonesia, student protests have been co-ordinated across campuses by e-mail and Web-based news groups.

Mobile code attacks are not exclusively directed at commercial or political organisations. During the summer of 1998, hackers attacked the free Internet e-mail service Hotmail, embedding JavaScript code in E-mail messages. When the victim opened the message, the JavaScript code created an apparently legitimate dialogue box that asked the user to log in again to the Hotmail account. Users who entered their names and passwords ended up sending that confidential information to the intruder.

The Chaos Club, a German hacker group, also programmed an Active X control that skimmed personal banking information from customer websites. The group publicly demonstrated how millions of pounds could be transferred from bank accounts to their account using mobile code.

Fortunately, there are several methods of defence against such intrusions. The easiest way to combat mobile code interference is to configure the browser to block all incoming applets, a solution currently being adopted by many US organisations in the wake of the EDT's activities. However, this poses a significant challenge to the developers of e-commerce applications, which rely on mobile code functions. Web sites can also suffer under such restrictions - almost 80 per cent contain some form of mobile code.

Specialised security programs, such as SurfinGate from the US security specialist Finjan (http// www.finjan.com), can automatically block hostile applets by detecting suspect activities. When tested with the same ZapNet Tactical code that was launched by the EDT, SurfinGate's security content inspection processes were triggered by the applet's attempts to access network connections.

Finjan is speculating that mobile code "misuse" could be to the late Nineties what the macro virus was to the mid-Eighties. Being object-orientated and easy to use, mobile code does not require the same technical knowledge as virus programming, and the scope for damage is far higher. A recent report by the US software analyst house Hurwitz (http://www.hurwitz.com.) concluded: "The market for the prevention of malicious applets is in its infancy... it will begin to mature as more destructive applets are found and the nature of the problem becomes more widely recognised."

Despite rising hysteria over its misuse, however, the majority of mobile code applications are positive. The potential exists for mobile code "weapons" to become an important tool for tracking illegal Net activity, as illustrated by a recent moneymaking scam. Visitors to a pornographic site inadvertently triggered a piece of Active X code that used their desktops to dial long-distance calls to Moldavia, racking up huge phone bills. Telephone companies were forced to nullify more than $2m in phone charges, and more than 38,000 "enthusiasts" were affected. If a similar principle were applied to child porn sites, for example, such users could be closely monitored.

Of course, this could have far-reaching implications regarding Internet privacy. Programmers at Within Reach Software took an existing attack program called Back Orifice and designed a Java applet that could deliver it to desktops. Once inside the desktop, Back Orifice can access and use anything the typical user can.

With hard drive contents open to such scrutiny, it looks as though time is running out for even the most casual electronic offender.

Comments