BBC, BotNets and legal hacking

On Monday I remarked on the BBC Click botnet investigation. I slightly regret my post because, in fact, I think they did a great job in bringing to life the potency of botnets. Legalities aside, let’s focus on the fact that it only took 60 PCs to cause a denial of service situation. That’s very disturbing and we all need to sit up and consider the consequences of that.

I was chatting with the CISO of an investment bank earlier today. He was wondering whether or not we should have in place a legal framework that would allow “researchers” a better way to test system security without fear of being accused under the Computer Misuse Act. It’s dangerous territory but I take his point. If somebody discovered a gaping hole in my own organisation’s network security then I’d be grateful for the information. Many of the third parties I legitimately employ to do discovery work do little more than run Nessus and then post a report, so the hacker’s view would be invaluable. But where do you draw the line between “hacking” and “research”, and what assurance can be gained from an unsolicited security report?


The BBC have gone too far with this one. To make my point... I don't need to take a gun and shoot it at a car to know that the windscreen isn't bullet proof. There are far more scientific and methodical ways to draw the same conclusion without wrecking or damaging anything. 'Auntie' should have known better.

Surely everybody is being a little too precious over what the Beeb did? The gun analogy isn't really valid because they did nothing dangerous, volatile or malicious with the botnet.

This wasn't exactly research. It was a simulation using a real botnet which proved nothing new and could have been done just as effectively without infringing the law. As for the 60 PC DDoS, I think it's unlikely that a security company's server would have collapsed so easily if it hadn't been set up to do so beforehand, for the purposes of demonstration. There -is- a legal way for a researcher to probe a site's defences. A penetration test doesn't -have- to be weak. If you're opening the door for a freelancer to probe any site he likes, though, that's a get-out-of-jail card for any blackhat who gets caught.