BBC's Click botnet special was irresponsible and illegal

The BBC's Click programme investigation into cybercrime has caused a massive stir by doing a special on botnets in which it took control of 22,000 home computers.

You can catch up with Click's investigation here.

While I have no doubt that the BBC's programme highlights how easily a botnet can be acquired and used to commit cybercrime, and that this is valuable for public awareness of security threats, it is the programme's methods of investigation that have been called into question, and the legality of its actions is in doubt.

Via one of our bloggers, David Lacey, who writes our IT security blog, I was put in touch with Robert Carolina, a US lawyer and English solicitor who specialises in information technology. He is also a Senior Visiting Fellow with the Information Security Group at Royal Holloway, University of London, where he teaches information security to MSc students.

Robert agreed to write us an excellent piece of opinion, which calls the BBC's botnet special illegal and irresponsible.

Robert also sent us some background, which those of you interested in this might want to read.

For those of you who have not seen it yet, here's a summary of the BBC Click programme. BBC journalists arranged to pay "thousands" of US dollars to an anonymous criminal in exchange for control of more than 21,000 computers infected with a botnet trojan.

The team used the compromised machines to send spam to a Google Mail account registered by the BBC. They then used the bots to launch a distributed denial of service (DDoS) attack against a web server operated by an independent security consultant who was assisting them.

They changed the wallpaper on all 21,000 machines to a public service announcement explaining that the BBC had taken control of the machine and urging owners to take more care with security. Finally, the journalists ordered the botnet to self-destruct, attempting to wipe the trojan from all of the infected machines.

The BBC was keen to point out that it did not access or retrieve any data on the compromised machines. It was also keen to point out that the DDoS attack was ramped up slowly, only to the point of choking the targeted server, and then ramped down. The team conducted three separate DDoS attacks on the same server.


7 Comments

This is outrageous behavior and to hide behind journalism or ignorance does not hide the fact that the act was unethical and probably illegal in many countries. I would surely file suit if my system was compromised and would encourage others to do so. I can't imagine any IT security person or lawyer who would advise BBC journalists that this is ok. The BBC accessed private computer systems without authorization, plain and simple. They also have no way to prove that they did not access personal information on those systems. And the icing on the cake is that they boldly and blatantly documented what they did and identified their violation by changing desktop colors and displaying text on the compromised systems. Very stupid.

The BBC were probably rather ill advised to take this approach but nevertheless the article strikes of 'shoot the messenger' rather than address the issues.

As we are all aware bots have been around for a considerable time and there are still vast numbers of the public unaware of their potential problems.

An approach other than sensational could be deemed ineffective, and the suggestion that '.. Any number of current or past law enforcement professionals could have confirmed in interviews how these networks operate ..' would have undoubtedly covered the issues. Unfortunately the delivery would probably have been so turgid as to render everyone asleep/comatose by the end of the programme.

Quite frankly the law as it stands is for the most part unenforceable and really only catches people by mistake; whilst at the same time pillorying those who try to draw attention (albeit sensationally) to the problem.

One could equally well say that anyone whose computer harbours one of these bots is instrumental (and a party to) attacking other computers; in which case those who own host computers are equally culpable and should be prosecuted.

Of course everyone has their own opinions on the subject but the real questions need to be:

- why has nothing been done to address the issue of bots; real solutions and not rhetoric

- why has there been no constructive public education or enforcement

- why are ISPs allowed to get away with being carriers for all manner of third-party attacks - DDoS, spam etc.

Until these issues are addressed in an informed and sensible manner we can pass all the legislation in the world, but realistically it is a waste of time because it will not do the job.

Whilst not a great fan of the BBC, it serves no real useful purpose to chastise them for trying to make the public aware of some of the dangers associated with computers.

Finally, it is very easy to 'bury' someone with questions - but to what purpose? Is it to demonstrate how astute or clever we are ourselves, or for some other reason? As for asking permission from ISPs or Google (one of the most invasive organisations on the planet), well, don't forget that Google kowtowed to China - if ISPs were called to account for trafficking spam in the first place then there would be some reference point for the question; otherwise why ask it?

Thanks JC and MTan for your responses, which seem to sum up how divisive this story is...some quite rightly feel that a public service body has responsibility to uphold the law and not break it. Others like JC see that the problem with botnets hasn't been addressed and if the Beeb's story highlights the seriousness, albeit sensationally, then this is a price worth paying. I personally feel that both sides have their merits, but the BBC has to uphold high standards, because we all fund it. I'm not sure these standards were upheld on this occasion.

I, for one, praise the BBC in their journalistic efforts to highlight such a major flaw in the provisions we are served by our ISPs.
Having read all the Computer Weekly articles and the comments that followed, it left me with only one question!
Why is the BBC taking so much flak for this?
Journalists the world over should start to worry now.
In this age of pc-insecurities, I certainly feel it is right and proper that countries should be informed of ways that 'criminals' and 'terrorists' can gain footholds in 'private' computer space, and Click's programme on botnets fulfilled this belief.
Cyber espionage is no longer a work of 'fiction' and affects many thousands, possibly millions, of botnet-infected PCs and networks the world over.
Some botnets are just 'hovering' in cyberspace, sitting on our unwitting computers, waiting for input from an unknown source.
Thankfully the security industry is aware of probably most of them, the most prolific one of late being the 'sleeping' Conficker!
A 'terrorist' group no longer needs to attack a country physically, with bombs and armour; they just need the right access privileges, which can be gained by botnets, which can have potentially catastrophic effects, and hence obviously a focus should be placed on those 'services' which we depend on, i.e. the National Grid and transport networks.
Recently we have seen journalists board aircraft with all manner of items that are considered 'illegal' (fake bombs, knives, etc.).
Should we jail these journalists and label them 'irresponsible', as has happened in the case of Martin and the team at Click?

I ask AGAIN - why is the BBC taking so much flak for this?

cliffsull
http://www.pc-insecurities.com
info@pc-insecurities.com

Fantastic BBC work which should be finalized by handing the h4x0r that was paid for the botnet over to the police.

However, everyone here is talking about the "root" of the issue.

Well, the root of the problem is the lack of ability, or criminal negligence, by Micro$oft, to address the faults in its operating system. This could be easily fixed by a system called "peer review", which is the oldest method used by the medical and scientific academia for centuries, and used nowadays by the open source community.

I use unix/linux, and I know my email and my passwords are not public domain!

Yes, this action by BBC was "irresponsible."

Of course, it couldn't have been some kind of test, or even self-promotion by their "guest," right? Or maybe something that already had a "green light" from somewhere else.

Just saying it was a simple tv show ploy or stunt shows how naive many people are...

To offset this method of bot-placed Trojan programs in your personal computer primed for a DDoS (denial of service) attack, go to your e-mail contact list.

Type in AAAA@AAAA

This will go to the top of your mailing list and be the first e-mail that the trojan will try to send out.

It will fail and your system will inform you of that failure, at which point you clean your machine.

