[ad]
The BBC has made an odd move recently by buying/seeding a botnet of 22,000 computers under the guise of investigative journalism.
They claim it’s not illegal as they caused no harm and only sent spam to e-mail accounts used by themselves. Technically I think it’s still breaking the law under the Computer Misuse Act but most likely nothing would happen as they caused no damage or losses (According to lawyer Struan Robertson BBC did violate the act).
Software used to control thousands of home computers has been acquired online by the BBC as part of an investigation into global cyber crime.
The technology programme Click has demonstrated just how at risk PCs are of being taken over by hackers. Almost 22,000 computers made up Click’s network of hijacked machines, which has now been disabled.
The BBC has now warned users that their PCs are infected, and advised them on how to make their systems more secure. Click managed to acquire its own low-value botnet – the name given to a network of hijacked computers – after visiting chatrooms on the internet.
The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law.
The whole thing has created quite a furor in the computer security scene, with people debating the legality and ethics involved.
Which was probably what the BBC wanted in the first place, the more people talk about it the better right?
SMH even claim the whole thing back-fired.
By prior agreement, Click launched a Distributed Denial of Service (DDoS) attack on a backup site owned by security company Prevx. Click then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.
Amazingly, it took only 60 machines to overload the site’s bandwidth. DDoS attacks are used by extortionists who threaten to knock a site offline unless a hefty ransom is paid. Jacques Erasmus from Prevx said that high-traffic websites with big revenues are a “massive target” for this kind of attack.
“Cyber criminals are getting into contact with websites and threatening them with DDoS attacks. “The loss of trade is very substantial so a lot of these websites just pay-up to avoid it,” he explained.
But well pushing the boundaries, that’s what investigative journalism is about right? We’ve had enough programs about pimps, triads and drugs – why not some about cybercrime and the underbelly on the Internet.
I hope I manage to view the show, it sounds like it’ll be interesting (even if ethically questionable).
But well aren’t all the best things on that thin grey line?
Source: BBC
james says
Yeah we just blogged about the same program and how it could be used in the SEO world to take down competitors websites.
The scariest thing was how cheap they can buy the computers for!!
As long as they have not caused any damage to computers but their own, I would of thought this is common practice for security or anti virus companies? Surely they need to do these tests in order to understand how the cyber criminals work?
erik says
I like Lenny Zelter’s name for this: British Botnet Corp … lol
Linky: http://www.eweek.com/c/a/Security/The-British-Botnet-Corporation-324874/?kc=rss
ashish says
good article, thanks for this useful info, I have dug and stumbled this article. I will keep visiting for more useful information.
Bogwitch says
There is a possibility that this was an offence under Paragraph 3, subsection (1)(b), Subsection (2)(b) applies that ‘to impair the operation of any computer;’ of the Computer Misuse Act 1990
it can be argued that the actions taken by the BBC may have impaired the operation of computers by way of reduced bandwidth available or CPU cycles available.
That said, the act stipulates that there must be ‘an intent to cause a modification of the contents of any computer’
OK, where do you draw the line at modification? The action the BBC took would cause a modification to the volatile ram of the systems running, it is even possible that some code was swapped to the hard disk, although I doubt there would be an intention to cause the data to be swapped.
By the BBC lawyer definition, if I were to take over a botnet and use if for e.g. massively parallel hash cracking would I not be breaking the law?
ethicalhack3r says
You also need to consider which laws were broke in the countries in which the computers resided.
If the BBC can get away with it, why cant the average citisen? Its completely illegal and unethical.
gVibe06 says
I was hoping this was the angle you would take. I kind of have this fishy feeling that the BBC did a little more than they reported. Would you be able to resist spending a pile of cash if no one was watching and guaranteed getting away with it?
navin says
For those interested in this story:
Man behind BBC botnet defends decision:
http://www.techradar.com/news/internet/man-behind-bbc-botnet-defends-decision-586251
While Expert Says Its Unjustifiable:
http://www.techradar.com/news/internet/bbc-botnet-is-unjustifiable-says-expert-586256
dio says
I have blogged extensively about this on www(.dot)conanthedestroyer(.dot)net
Arguments about how they broke the law are a complete farce. Security researchers do this all the time but do not want people to know about it because they want to reserve that right for themselves. All the while they sell products to fix the problem, but in actuality they are wholly ineffective.
I applaud and completely stand by the BBC action. What did they do? They took 22k bots off the network. What did any of the security companies do lately? Watch, monitor, report. Doesnt sound like action to me guys. Better luck next time.
Read my blog for more on cyberwar and cybercrime aspects of this nefarious scourge.
Bogwitch says
After reading more in-depth, it does appear that the BBC is in breach of the Computer Misuse Act insofar as they installed a wallpaper. The accusation that the BBC is more responsible than security researchers carries little weight with me – security researchers will try always attempt to keep within the law – something that the BBC decided not to.
I have been trying to find a sample of the wallpaper that the BBC distributed but I have not been successful thus far, if anyone has a source, please provide it!
As for the suggestion that the BBC explained to users that they were infected with a trojan, it is worth noting that the BBC intentionally picked non-UK/USA based computers for this demonstration, where the use of the English language will be less. They did nothing to prevent the computers from being re-infected via the same vectors.
The cynic in me thinks that they selected non-UK/USA computers to prevent posible litigation. It is noted that the Police in the UK will not act unless a complaint is made by a victim…