World Bank risks attack from net protesters

Those who protest online can be much harder to silence

By BBC News Online technology correspondent Mark Ward

Plans by the World Bank to avoid protests by moving a controversial conference on to the internet could backfire.

The net-based conference is likely to draw the attention of computer savvy activists and could encourage far more people to join the protests than could make it to Barcelona in person.

Widely known techniques for bombarding sites with bogus data could be used to disrupt the conference and scupper plans to hold e-mail debates on the speeches being webcast.

In the past the World Bank has been targetted by web-based activists who tried to swamp its site with e-mails protesting about its policies.

Net protest

This week the World Bank announced that a conference due to be held next week in Barcelona is being moved to cyberspace to head off protests.

Thousands of activists were threatening to turn up and disrupt the event. The Barcelona authorities were planning a heavy police presence to stop protests getting out of hand.

"To have 200 academics protected by 4,000 police would have been absurd," said a spokeswoman for the World Bank. Now the World Bank's Third Annual Conference on Development Economics will go ahead online.

During the two-day conference, presentations will be webcast and questions will be put to the speakers via e-mail.

However, moving the conference to the web might make it much easier for protesters to disrupt the meeting.

Already many of the groups previously planning street protests in Barcelona are circulating registration details for the conference and encouraging people to sign up and put difficult questions to the speakers.

Unwelcome guests

But activists could find it much easier to take a more direct way of making their views felt.

Tools to set up so-called denial-of-service attacks are widely available on the net that make it possible to effectively sever a websites links with the web by bombarding it with bogus packets of data. The hard part of setting up such an attack is compromising enough otherwise innocent PCs to launch the bogus packets on behalf of the protester or malicious hacker.

In the past some groups protesting about the World Bank's activities have simply bombarded the institution with thousands of requests for information.

In May 2000 a French activist group called the Federation of Random Action created a chat program that fired off a mail request to the World Bank every time those chatting with the software typed words such as "poverty", "finance", and "investment".

Embedded in the bogus requests were phrases such as "Our life is not for sale", "Please crush us too!" and "Do you sell sheep shavers?".

Hack attack

Far larger protests have been organised by electronic activist groups such as Electrohippies which reportedly managed to draft over 400,000 people into deluging the website of the World Trade Organisation with messages.

But there could be an even easier way for computer-literate protesters to disrupt the online conference. Both the World Bank website and the Canalweb.net site is hosting the conference, run the Microsoft IIS web server that has many widely publicised security holes.

Only this week the Computer Emergency Response Team issued an alert about the versions of Microsoft's IIS server being used by both the World Bank and Canalweb.

Detailed information about which versions of software are being run on particular websites, when they were last rebooted and which other sites reside on the same machines are easy to find online.

Malicious hackers often use this information and sniffing tools that look for well-known vulnerabilities when preparing to attack.

Older versions of the same software are used by many of the other servers run by both organisations. Malicious hackers often find a backdoor route into a site by exploiting vulnerabilities in old releases of software that have not been properly patched up.