BBC responds to botnet illegality claims
BBC Click acquired the means to build a botnet, used it to spam Gmail and Hotmail accounts it had set up, and launched a distributed denial-of-service attack against the security company Prevx.
In a statement on Monday, the BBC said that its actions had been "in the public interest".
"It was not our intention to break the law," the BBC told ZDNet UK on Monday. "There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of infected computers without the owners even knowing it is there; and its power to send spam e-mail or attack other websites undetected."
The BBC reported on Thursday that it had built and used a botnet, prompting claims from security experts that the action had violated Section 1 of the Computer Misuse Act.
However, on Monday the BBC insisted that its actions had been in the public interest.
"This will help computer users realize the importance and value of using basic security techniques to defend their computers from such attacks," said the BBC statement. "The BBC has strict editorial guidelines for this type of investigation which were followed to the letter."
The BBC said that it had taken legal advice before making the programme. It makes me wonder about the quality of the legal advice the BBC took, and who they took it from.
The BBC declined to comment on exactly how much it had paid for the botnet, which criminals it had paid for access to it, or indeed how it had acquired the botnet at all.
However, in the programme, Click reporter Spencer Kelly said the botnet had cost "a few thousand dollars", and that the BBC had no idea who it had paid.
The BBC added that the "demonstration was very much in the public interest. We believe that as a result of the investigation, general computer users are now better informed of the importance and value of using basic security techniques to defend their PCs from attacks."
I've already expressed my views about the BBC's actions in this case. Sophos security expert Graham Cluley told me on Monday that the BBC did not need to use real computers to launch the attack.
"It's just so unnecessary," said Cluley. "The BBC could have done a reconstruction under lab conditions to demonstrate how a computer sends out spam [and demonstrate DDoS]."
Cluley added that the BBC experiment could have caused trouble for the users of the computers.
"Imagine if you are filling in your tax return or uploading a prescription, and someone meddles with your computer," said Cluley. "What I'm concerned about is the recklessness of it."
This article was originally published on ZDNet.co.uk.
Talkback
going for the easy target... again...
The willingness of people to attack the BBC for this still disturbs me greatly. I have to wonder how many of these have complained about speeding tickets because they were only doing 33mph and 'he was doing at least 40'.
It's the same thing. Yes, there's a question over the legality of what they did, yes it could be picked up and chased through to the BBC being fined (who'll be paying for that? Us. Of course). But it comes down to the simple fact that attacking the big "easy to find" corporation is a lot easier than doing some genuine detective work and dealing with the real problem. If all these people spent HALF their efforts upturning the genuine criminals the world would be a better place.
I'm so sick of this modern world where the lynch mob can't even be arsed to leave their front room let alone get their torches and pitchforks...
junkmanuk, 17th Mar 2009
Some do both...
1. There was an organization reporting a crime.
2. There was an organization committing a crime.
The BBC did both; doing #2 was not required in order to report #1.
Put in selling tobacco to underage kids in place of running botnet (or any other crime for that matter). Same thing.
BBC would have much better served the public to have purchased the botnet time, then had it sit idle for the time bought, then report on the ability to buy botnet time. This would have been a grey area. What the BBC did was not.
EMonkIA, 18th Mar 2009
RE: BBC responds to botnet illegality claims
Just because you think an action is in the public interest does not legalise an illegal act.
PaulJohnston, 17th Mar 2009
I rather think...
... the law is there to serve the public interest, not the other way around.
Sure they could have done this in a lab, but that would have been unconvincing of what is possible in the real world.
Yes, it's rather creepy to think that BBC money went to some criminals, but that also shows it only takes a bit of spare dosh to become a cyber-terrorist or spam merchant. The same would happen if their reporter went out to buy an illegal firearm on the street, to show how easy it might be.
Investigative journalism often has to cross such lines to bring an issue into the open. That's REAL journalism, not the "Here is my opinion based on second-hand reports" that we see on a lot of blogs these days. Sadly, the latter seems to pay as much as the former, so is attractive to a lot of "journalists".
A.Sinic, 17th Mar 2009
RE: BBC responds to botnet illegality claims
Demonstrations outside the lab are absolutely necessary. BBC should be commended. But at the end of the experiment, they should have had their 'bots reveal themselves to the host computer owners and advise them to get protection.
jirving@..., 17th Mar 2009
Public Interest?
Buying part of a botnet for a demo? OK, I can agree with that being in public interest
Spamming their own address? Again, no problem.
DDoSing a company? No, sorry. The previous two are enough to show the problem.
rpmyers1, 17th Mar 2009
Pre-arranged
The BBC pre-arranged the DDoS attack; the company is a security company and this was their test server.
philip.lane@..., 17th Mar 2009
Yes it is in the public interest
I look after the IT for several small companies. Many of the users really do not believe that it is the Wild West out there. I had one user who, when I warned her that the website she thought was her bank was a fraudulent one that had captured her details, refused to believe me. She is no longer with us, but 20% of the entire company email is spam to her.
When it is demonstrated on TV on mainstream news, then ordinary people see that there is more to it than me just trying to keep the company systems and data safe.
So in my view, a technical infringement by the BBC provided it was done without malicious intent, as appears to be the case here, is in the public interest. The only losers are the spammers and conmen out there who might now find a few more of their botnets reduced in size.
If technology was the solution to the problem, we would not have spam, viruses and trojans. Technology doesn't stop my users going to bad sites (it can, but at a price a small business cannot justify), especially as some users access from home, where I have no control. Only education will make a significant difference, and that can only start when ordinary people realise it is real, and not another "Year 2000" where because of planning, nothing went wrong, so many people saw it as a case of crying "wolf".
We educate our kids not to take sweets from strangers, yet how many adults do the equivalent by downloading stuff from strangers?
At times it is necessary to go to the fringes of legality to show the situation for what it is.
tony@..., 17th Mar 2009
RE: BBC responds to botnet illegality claims
No problem with DDoSing the company either; it was done with prior arrangement with that security company to be the target. Again, a picture is worth a thousand words...
drorharari, 17th Mar 2009
RE: BBC responds to botnet illegality claims
I take it that no-one who's commented here has actually seen the programme: www.bbc.co.uk/click
jirving: "at the end of the experiment, they should have had their 'bots reveal themselves to the host computer owners and advise them to get protection". They did exactly that, and shut the botnet down afterwards, removing the control software.
rpmyers: "DDoSing a company? No, sorry. The previous two are enough to show the problem." You should be aware that this was an online security company which helped to make the programme and got some great publicity out of it, and *agreed* to let the BBC take down its backup website. I'm not sure how their hosting company felt about this; being a security company I suspect they have their own servers and use this "spare" website to demonstrate dangers to potential customers, but that's just my own conjecture.
As for BBC money going to criminals, well it was only $2500 (so it seemed from the programme), and from the awareness raised, they've certainly stopped more than that going to spammers in the future.
BUT one thing about the programme is concerning: they kept on saying how easy it was to control a botnet, and how much easy money could be made from doing so. They even said that, faced with a DDoS threat, most companies will simply pay a ransom. So I wonder how many new cyber-criminals were born when watching.
It was a remarkable programme, however, and I was riveted to it.
steve_jonesuk@..., 17th Mar 2009