Thursday 12 March 2009, 5:40 PM
BBC bought botnet
Using 22,000 computers that had already been infected, the BBC bought software that enabled it to control the botnet. It spammed itself and by prior agreement launched an attack against security firm Prev-X. I can't believe they could have been so stupid.
Legally, the Beeb is on very shaky ground, according to Pinsent Masons senior associate Struan Robertson. Speaking to me on Thursday, Robertson said that in his opinion Auntie had broken the law.
"I think it's a breach of the Computer Misuse Act," said Robertson. "It looks to me like an offence under Section 1, which deals with unauthorised access."
It doesn't matter that the spam emails were sent to BBC accounts or that the distributed denial of service attack against Prev-X was pre-arranged, said Robertson. The Beeb acquired a means of controlling a botnet, which, in Robertson's opinion, is an offence.
Computer security expert Richard Clayton wrote on the Crypto mailing list that he too thought it was a section 1 offence, and that "doubtless the 'Click' programme makers will be handing themselves in, to save the time of overworked [police] officers of going out to White City to find them..."
The Met Police told me on Thursday that it had talked to the BBC.
"The Met police have spoken to the BBC in relation to a news report by BBC Click," said a Met Police statement. "Advice has been given and no further action will be taken at this stage."
I wonder what the "at this stage" bit means. Normally the police decide whether to investigate a crime on criteria that include whether a complaint has been made and whether an investigation is in the public interest.
I suspect whether further action will be taken will very much depend on whether any, or a proportion of, the 22,000 affected people make a complaint to the Met.
Quite aside from the potential illegality of what the BBC did, there is also the potential damage to its reputation, which is deservedly very good. How could a world class broadcaster allow its staff to control a botnet? It doesn't matter where the infected PCs are, it's a very deeply silly thing to have done, and I suspect the BBC doesn't want to be thought of as being deeply silly.
Comments on this post
This is a piece of totally inexcusable stupidity.
After all the gaffes in recent years, I've come to the conclusion that the BBC is an EX world-class broadcaster :(
I don't know - probably illegal, yes, but why so "silly"? I haven't seen the program but it sounds to me like it could have been educational for a lot of people.
If they'd distributed a virus to create their own botnet, *that* would have been silly, but they didn't.
I'm with @dpririe.
However, the thing you don't mention from the article is that "owning" the botnet allowed the Click team to let the owners of the PCs affected know and take corrective action to better protect their computers.
If it's as easy as this, why are the police not doing a similar thing? After all, the trouble most of the time is end users don't know they're infected.
This article is total trash, if Tom has a problem with the BBC maybe he should find something he can report on accurately before taking a pop at them.
1) The BBC used the botnet to demonstrate their danger, by attacking a security company do you not think they also gave that company some invaluable data?
2) No policeman, judge, or half decent journalist who knows anything about this sort of thing would ever suggest they be prosecuted, they did no damage, they educated people AND they are helping all 22,000 people clean up their computers, so you tell me, is it in the public interest to prosecute them?
I've read this article from a number of news sources and quite how someone working in technology can give such an ill-informed and biased view of what is actually likely to be an interesting program escapes me.
Nice one Tom, I think I'll be skipping your blogs from now on.
Thank you for your comments,
dpirie: I agree the programme could have been educational, but you don't have to buy a botnet to let people know they are a bad thing.
Nick: I agree that letting people know their computers were infected is a good idea. However, sending a screen saver to the computers, especially when we don't know where those computers are, isn't a guarantee that people will understand the screensaver, or take action.
Marc Fielding: The reason I was concerned is because the BBC bought a botnet, and used those computers to launch attacks without the affected people knowing their computers were being used.
Yes, it's educational. One of the things it's taught the viewing public is that the BBC did it and no action was taken against them.
Simon