back to article BBC botnet investigation turns hacks into hackers

An investigation by the BBC into cybercrime may itself have broken UK computer crime law. BBC Click got its hands on a botnet of 22,000 compromised PCs from an underground forum. It used these machines to send spam to two accounts it had established with Gmail and Hotmail. The programme also used these zombie machines to show …

COMMENTS

This topic is closed for new posts.

Thumb Up

Dear WinTard user...

So how many of the 22,000 hijacked machines were running OS X?

No further questions ;)

0
0
Linux

offense under the Computer Misuse Act ..

"Even if it was done with the best intentions and in the public interest, that is unauthorised modification of a computer and an offence under the Computer Misuse Act,"

What's even more offensive is not prosecuting the company that supplied the OS that was so easily compromised in the botnet attack. Now what was the name again, I notice how it was never mentioned in the original article.

"These are not attacking any kind of vulnerability in the computer .. They are attacking the vulnerability of people's brains"

http://www.guardian.co.uk/technology/2004/may/05/viruses.security

0
0
Gates Horns

gmail and hotmail

Did they also get permission from these companies to send thousands of emails to their servers?

I don't think so.....

0
0
Paris Hilton

hmmmmmm

"We were just seeing how easy it is to do" ...

similar to that McKinnon bloke's defence imo, he was just looking ......

Dodgy corporation thinking that the laws don't apply to them as per usual even though they actually helped the infected users by advising them how easy they were to infect .... the fact remains that they illegally took control of those machines .... and if the owners of said machines have unpatched/protected machines in the first place the chances are that they won't know/care about patching them now...

The only way to prevent machines being incorporated into botnets would be for a law to be passed where ISPs detect if machines are fit to be used on the Internet, patched, secure etc. and block them if they aren't .... similar to an M.O.T that automobiles have to pass.

Paris 'cos she loves to be serviced !

0
0
Boffin

Am I missing something here?

The BBC contravene the computer misuse law in the name of education and seemingly walk away scot-free.

Forgive me if I'm mistaken but I remember similar instances whereby 'joe bloggs' has attempted similar feats in the name of education for the common good which resulted in jail time.

0
0
Anonymous Coward

Grow up...

Why can't lawyers just grow up!!! Are they just bored at work?? Idiots...

0
0
Thumb Down

[B]ritish [B]roadcasting [C]retins

How very naive.

0
0

Watching the BBC item at lunchtime, I did wonder

a) whether it was strictly legal

b) where Gray Cluley was

Both questions have now been answered.

0
0

Clearly a case where ...

... the law is an ass!

Such action is probably the only way to make some people aware that their PCs have been compromised. It's certainly the most efficient, and ISPs should be encouraged to take similar action, or at least notify their customers, when they detect suspicious activity on their networks.

0
0

Saw this this morning

I was quite astonished to see the BBC's excuse for its intrusion into 22000 (!!) computers. I wonder if Gary McKinnon would agree.

0
0
Joke

@Paul

Sorry, I thought I had stumbled into "have your say" for a minute.

......next!

0
0
Thumb Down

:) ho hum

Well that didn't take long for the Mac peeps to pipe up.

The BBC has crossed the line there. The modifications to people's computers were not needed. They should have simply passed the info on to the ISPs, and asked them to contact their customers.

0
0
Thumb Down

Dear Mr McKinnon

WE ARE THE BBC AND WE DO WHAT WE WANT.

enjoy your nasa jail.

yours,

auntie

0
0
Alert

Will USA want to extradite BBC reporter?

Do we know where the compromised PCs are based in the world?

What if some of those botnet computers were in the US military? The Pentagon? NASA?

Will the USA try and extradite the BBC's Spencer Kelly just like Gary McKinnon?

I'm running a poll on my blog if anyone wants to give their opinion on whether the Beeb were justified or not in what they did.

http://www.sophos.com/blogs/gc/g/2009/03/12/bbc-break-law-botnet-send-spam/

Cheers

Graham Cluley, Sophos

0
0
Coat

@mactards

Mactards,

You live under the erroneous impression that you are somehow superior.

Show me something more than your impotent claims and meaningless jibes.

MACTARDHOOOOOOOOOOLEEEEEEEEEEEEEEEEE

<getting my coat>

0
0
Pirate

out-law.com?

I think Shakespeare put it best.

Some people may say that lawyers rake-up the mud as an attempt to pursue fatuous legal cases, I couldn't possibly comment.

0
0
Unhappy

Wot?

No mention of wasting the licence fee?

0
0
Thumb Down

BBC Bashing (Again)

Is it still flavour of the month to bash the BBC?? I can't think of a better company that could get the message out and highlight the problem which ultimately is a benefit to everyone.

As for lawyers, it's like asking a gardener if your lawn needs cutting......the answer will always be yes, cheque is fine....

Maybe there should be an international taskforce that collects botnets, disables them and alerts the user.

0
0
Bronze badge
Stop

Wait wait wait...

" 'The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam,' said Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons. 'It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer.' "

If SPAM is defined as "Unsolicited email of a commercial nature" (and I am reasonably certain that it is [meat-like products notwithstanding]) then you cannot, by definition, SPAM yourself. Because then it isn't unsolicited.

The unauthorized access to a computer bit is still valid though.

0
0
Go

a new show?

"a) whether it was strictly legal"

How about Celebrity Strictly Legal where we can vote on desperate ex-celebs fighting dramatic courtroom dramas? no?

0
0
Stop

Why do the BBC think they have the right?

Great, so now a hacker can get into people's computers, put a screensaver on saying this is the BBC, you need to install some software to fix this, cue download more malware. This is exactly the kind of thing we are told not to trust, 'your bank will never ask for your password' etc, you would think the BBC wouldn't hack into your computer!

They will get off scot-free but they deserve a massive fine for this, what were they thinking????

0
0
Thumb Up

Oh, come on people.

Again and again in these forums, and I'm thinking of the ones that relate to botnets and spam and viruses, commenters are arguing over the rights and wrongs of using a 'good' virus or some other techniques to expose users' vulnerability to hijacking and prompting them to fix it.

Now someone has actually gone and done that and you're all jumping up and down, shouting 'It's wrong! It's wrong!' Make your chuffing minds up peeps. What is it you actually want?

A spam reduced world or the one that we've got where we all sit around bitchin about how botnets and spam are the incarnation of Satan but actually doing fuck all to fix anything more than our own spam filters?

Personally, I think the BBC have probably done us a service by, hopefully, reducing by a few thousand the number of machines capable of spewing out the shit that we all have to filter from our inboxes 24/7.

Yes, it was probably illegal. But FFS surely that has to be weighed against the positive end result.

IMHO I don't think they went far enough by half.

0
0
Alert

Botnet tards AKA Bell Ends

I'm still bemused knowing that thousands of folk out there don't even notice that their computer runs like a 20 year old one legged dog, with slow to useless web speeds and busy hard drives that's sending out spam every day?

Do these tards not know what a smooth uninfected PC should be like?

"Oh I thought that was normal" "What's task manager?"

Aims Anti Webtard rifle

*Click*

I'll vote for a licence to use a computer any day, whenever if ever a petition arises.

*Bang*

0
0
Ben
Bronze badge
Gates Horns

Shoddy journalism

Now forgive me if I'm wrong and feel free to persecute me if I'm being bloody stupid, but the headline:

"BBC team exposes cyber crime risk "

does lend itself to intimating that this is something the beeb has uncovered. Now I can accept the argument that the BBC news website is read by a large audience which is not particularly knowledgeable about botnets and so an article is newsworthy on the website, however, compounding a lack of research into cybercrime law with sending oneself up for 'exposing' something that has been well known to be in existence is very shoddy journalism.

Even the simplest of investigations would show how well known this is and also would show how easy it is to gain access to a 'botherd' without having to then very probably break the law in doing so. The argument that it was in the public interest is particularly weak here as I cannot see how they can demonstrate that they needed to perform a mass email send.

My own opinions of BBC technology reporting aside, I think that if Daniel Cuthbert can be prosecuted for his "offence" then the Click team should be worried. At least he wasn't trying to grandstand! It would be nice if the BBC could articulate just how they decided this was a wise thing to do even if it was a good thing to make the masses more aware.

Bill - because most of this is his fault.

0
0

Usefulness of legal redress

Well, if the BBC acted unlawfully it shows how useful this law is. If it doesn't stop the public broadcaster it's not exactly going to stop someone whose motives are less wholesome.

If your system has been compromised, the fact that it's against the law isn't going to help. It's like the hunt master reassuring the police that he will say "Stop" when the hounds have picked up a scent.

0
0
Anonymous Coward

Take the machines offline

Well as far as I'm concerned if the BBC had altered the machines so that they were taken offline then I would have been applauding the action.

Often machines that have been participating in botnets have been doing so for far too long and need to be shut down, updated and fixed and then regularly updated and maintained from that point onwards instead of becoming spam generation machines.

0
0
Stop

@AC

Shh... don't feed the troll. He's been amusing himself posting this identical comment on other news websites and, I suspect, doesn't have much of a life.

0
0
Stop

I wasn't doing anything wrong....

Can I use that as an excuse next time I'm found in a stranger's house in the middle of the night?

"It's not illegal, your front door was open because you basically gave your keys to a stranger down the pub. So I've just come in to walk around and see what your house looks like, oh and I might have used your computer to send a few emails, but I've not done anything really illegal like actually steal anything"

There really are some fuckwits at the BBC. I don't actually think it's illegal to leave your computer unpatched so it can be hijacked, it IS illegal to access those computers without permission and use them in a covert way.

0
0
Anonymous Coward

Preventing a Crime

On the grounds that the botnet has been created for the purposes of committing a crime, surely a defence of "Preventing a Crime" might have some standing.

0
0

@AC, Chris

"What's even more offensive is not prosecuting the company that supplied the OS that was so easily compromised in the botnet attack. Now what was the name again, I notice how it was never mentioned in the original article."

If you think non-windows OSs can't be compromised by stupid users running dodgy programs, you're asleep, and aren't paying attention to your security mailing lists, and I hope to God you aren't responsible for computer security in your job.

"The BBC contravene the computer misuse law in the name of education and seemingly walk away scot-free."

I'm not trying to say they _won't_ get away with it, but that news story was posted at 5am, 9 hours ago. It's hardly a huge miscarriage of justice that there hasn't been evidence collected and a decision to prosecute made at this stage, is it?

0
0

Metropolitan Police won't take a complaint

I found this story on The Register having already tried to make a complaint to the Met about the BBC. Because I am not a victim I am unable to, they will not take a complaint.

I will be making a complaint to the Press Complaints Commission too.

My main beef with this is that the BBC are making this outrageous claim that because there was no criminal intent it is legal.

You've got potentially loads of script kiddies out there who may well want to do nothing more than spam their friends who may well now believe their acts are legal and may well end up prosecuted for doing something the BBC has told them is legal.

0
0
Jon

Talk about defeating the point..

"You are using the letter of the law to defeat the spirit of the law"

What they did probably removed a huge amount of computers from that botnet. Yes the BBC had control of these machines, and could have done massive amounts of damage - but considering how easily the BBC got access to this botnet surely you'd be happy to see it removed from the internet rather than still out there waiting for letters to filter through ISPs' crappy legal depts and then slowly out to the users in all those different countries?

If they had gone onto people's computers, hunted for illegal material and then posted that information to law enforcement agencies - yes that would've gone too far - but they didn't. They acted IN the public interest, FOR the public good.

Seriously, get over ourselves, stop lapping up the Wackie Jackie hype and realise that there are exceptions to the rules and discretion should be used in some situations.

0
0

Pedantry strike back

OK so aunty was a bit naughty. But no puppies were harmed, some good was done and nobody is trying to conceal anything.

Why waste legal time on being offended?

0
0
Anonymous Coward

Hang on a minute...

If changing someone's desktop wallpaper without permission is definitely illegal, doesn't that make the updated Windows Genuine Advantage's action illegal?

0
0
Anonymous Coward

So....

Best intentions or not - you do not break into someone's house and steal all their stuff to show it was possible and with "the best intentions".. Bandwidth was used here that will never be gotten back and perhaps people's computers crashed when the ddos attack took place. Maybe someone had an important message set as their screensaver like "Must remember to take my pills at 2.30pm to avoid dying a painful death" and whilst their bandwidth was being throttled they could have been stopped from doing anything, ranging from having a wank to an important business conference.

And..... For future cases, if they are not prosecuted OR if they are prosecuted and the charges dismissed by "Experts" then how does this fare for future cases.

"In the case of the BBC it was argued that a denial of service attack or changing of screensaver did no harm to the computer and does not qualify as illegally modifying a computer's contents"

Silly buggers....

0
0
Silver badge

Silly BBC

"The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam," said Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons. "It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer."

If the emails sent were by the BBC to their own accounts, on what grounds are they 'spam' - surely that refers only to unsolicited emails?

That said, those responsible at the BBC seem very naïve if they think that what they did was in any way legal, or indeed ethical.

0
0
Thumb Up

I agree with the screensaver change

Hopefully the shouty lawyer types will see this as a form of "ethical hacking" rather than a black & white Computer Misuse issue. Consider if the BBC had gone down the ISP info route:

1 - spend time tracking down names and contact details for each and every ISP involved

2 - ISPs then have to look-up who was using the IP at the time

3 - Letters get written (maybe) along the lines of "Dear Mr Smith. This is your friendly ISP warning you that you need to update your Windows XP security settings.... etc."

4 - I suspect Mr Smith will get as far as "ISP" before adding the letter to the other 21,999 in the paper recycling bins around the UK.

5 - 22,000 compromisable PCs will remain compromisable.

6 - Just maybe a small percentage of people will take the letter to their PC and follow the instructions.

At least this way the BBC threw a bloody great bitmap in front of the users, with a URL containing instructions on how to fix the problem. How many are going to ignore that after a few days?

0
0
Pirate

This is not ethical hacking

An ethical approach would have notified the users immediately, and reported the botnet operator to the police.

BBC did not notify users first, did not ask for consent to use the resources of their computers, and exploited those machines regardless.

CMA is a criminal offence.

In other news, BBC launches its own version of 'Who Wants to be a Millionaire'. Contestants are given a balaclava and handgun, and get 10 minutes to steal as much cash as possible from a high street bank (all money returned, banks advised about security measures etc etc)

Is there a wallet in this coat?

0
0

Precedent?

Is this setting a precedent, so that in future cases a defence of 'in the public interest' could be used successfully in Computer Misuse Act trials?

0
0
Linux

@ Paul

Well there were probably more infected Macs than GNU/Linux machines in that test...:P

0
0
Silver badge
Flame

@Thought About IT

It's also probably an example where the only valid kind of test is an in-the-wild test. And an in-the-wild test will have to involve a degree of blindness (preferably double-blindness) or the test becomes biased. How would the BBC be able to perform a test like this unbiased and not break the law?

0
0
Flame

@Mactards and Freetards

As the BBC pointed out (well they didn't mention Linux), you need to update your software.

See how many security fixes have been released for Mac and Linux....oh look there are some, best ignore them and pretend it doesn't happen coz Dave down the park told me so, so it must be true.

I don't give a flying f**k which software is the best, I left the playground a long time ago.

You my friends are the stupid sort of f**kwits that this article is trying to enlighten.

NO OS IS 100% secure. Get over it and keep updated.

0
0

Your Honour....

I only installed that key logging software to survey how many people were using strong passwords and educate them if they weren't.... honestly!

If there isn't at the very least a criminal investigation into what the BBC did then that in itself will be criminal. I am also exceedingly Pro-BBC under normal circumstances too for the record.

0
0
Silver badge
Flame

@ Paul

dear mactard, like you could find 22000 osx machines......

0
0
Flame

Time for action!

It's time the ISPs and AV companies took direct action against these botnets by at the very least keeping them off the Internet until they clean up their act. This is the way the Internet has to police itself, does anyone really expect national governments or police forces to be able to do anything about this? Of course not, don't be stupid. Those dullards who let themselves be compromised need some tough love, instead of this precious pontificating. The BBC is to be commended for at least daring to do something positive - unlike the bloody US lawyers who defend the spam bandits for example!

We need direct action now against the spammers, hackers and fraudsters that are blighting the internet.

0
0
Linux

Got to love how taxpayers money is spent

With their form of logic, if I commit a crime I can say it was to show the negative effects and otherwise would be breaking the law.

0
0

WTF

>> BBC Click claimed that "If the exercise had been done with criminal intent it would be breaking the law".

They intentionally broke the law, but it is okay because they didn't intend to break the law, therefore no law was broken. Sounds a lot like mind over matter. Are they able to bend laws with the power of their minds? Simply by thinking strongly enough, they can make the illegal legal. It all makes my brain hurt. Although, I don't suppose they invented the idea; it's not that different from the filesharing freetard* mantra.

*BTW I hate that word

0
0
Alert

Line Overstepped..

Ok I'm on the fence about one issue - alerting the user...It's in their interest!

BUT using those machines to ddos a site (no matter which) and to send mail (no matter where) was clearly NOT in the INTEREST of the computer OWNER.

This is definitely a breach of the misuse act... There is no way of painting that...

0
0
Gates Horns

MS Fault

Surely if it's that easy to infect machines - then why are MS not in trouble? They are the ones who make the stupid easy to hack software.

Some xbot will say otherwise - but it's my view and your love fests with Ballmer and Gates won't change my mind.

0
0

Is that the sound

of something hitting a fan that I can hear?

0
0
