The BBC’s Click programme investigation into Cybercrime has caused a massive stir by doing a special on botnets whereby it took control of 22,000 home computers.
You can catch up with Click’s investigation here.
While I have no doubts that the BBC’s programme highlights the relative ease of acquiring a botnet and then committing cybercrime and this is valuable for public awareness of security threats, it is its methods of investigation that have been called into question and the legality of its actions is in doubt.
Via one of our bloggers, David Lacey, who writes our IT security blog, I was put in touch with Robert Carolina, a US lawyer and an English solicitor who specialises in information technology. He is also a Senior Visiting Fellow with the Information Security Group, Royal Holloway University of London, where he teaches information security to MSc students.
Robert agreed to write us an excellent piece of opinion, which calls the BBC’s botnet special illegal and irresponsible.
Robert also sent us some background, which those of you interested in this might want to read:
For those of you who have not seen it yet, here’s a summary of the BBC Click programme. BBC journalists arranged to pay “thousands” of US dollars to an anonymous criminal in exchange for control of more than 21,000 computers infected with a botnet trojan.
The team used the compromised machines to send spam to a Google mail account registered by the BBC. Then they used the bots to launch a distributed denial of service attack against a web server operated by an independent security consultant who was assisting them.
They modified the wallpaper on all 21,000 machines with a public service announcement explaining that the BBC had taken control of the machine and urging owners to take more care with security. Finally, the journalists ordered the botnet to self-destruct: attempting to wipe the trojan from all of the infected machines.
The BBC was keen to point out that they did not access or retrieve any data on the compromised machines. They also were keen to point out that the DDOS attack was ramped up slowly and only to the point of choking the targeted server, and then ramped down. They conducted three separate DDOS attacks on the same server.