A controversial BBC Click documentary which involved researchers obtaining access to a botnet and sending spam is due to screen this weekend despite a growing storm of criticism. Security experts - including McAfee, a firm whose representatives appear in the programme - have described the exercise as misguided and unnecessary. …
What is the issue here?
What public interest would be served by a prosecution (if there was in fact any offence)? If none then this question is only of technical academic importance at best.
To prevent a greater crime
I'll say it again - the BBC were 100% correct to do this, even though it meant breaking the law.
Security Researchers would have been 100% right as well.
This action is only required because ISPs will not kick the zombies off their networks, the police don't care and MPs too busy feathering their own nests.
It's above board because it's the BBC
Now if I were to type ../../.. on the end of a URL and have my career ruined that would be different.
Question of necessity a question of audience
If the audience are engineers, then you can do this in a lab and they'll be convinced.
If the audience are non-technical, then they have two assets engineering types typically lack: thick skulls (although the brain inside may be fine) and huge heaps of apathy-fueling doubt. (Doubt about whether the lab accurately reflects the Internet, for example. I know that particular doubt sounds highly technical but it's my experience that non-engineering types can shape their doubt reflexively to reject almost anything that might cause them to otherwise think about nerdy things.)
The way to get through to the non-technical types is to show them something actually happening, in the real world, so easily-done (or at least appearing so) that it makes it onto the TV news. Once you show that you click a few things and push a key and parts of the Internet fall off, non-technical folk get angry, pay attention, etc.
What's not clear to me is what the BBC want to accomplish by getting through to the non-engineers. New laws being made? Ratings?
Paris, because I'd like to get through to her, though I'd probably take a different tack than herding a botnet on camera.
Sounds good to me
Anything that makes users more aware of the perils of internet promiscuity can't be a bad thing.
I have to disagree with McAfee and Graham Cluley. Cluley says 'What if one of the compromised computers was at the Department of Defense or NASA? Does Spencer Kelly [BBC Click reporter] want to be the next Gary McKinnon'. Well, this would serve to highlight the fact that even high-profile industries can't get their act together as far as security is concerned which would only make it more obvious to people to be careful on the internet.
As for McAfee, well, it only exposes how problematic protecting their users is for them.
I personally think, on the whole, that the BBC is one of the few things we've still to be proud of in this country and the iPlayer is a prime example of the Beeb moving in all the right directions.
Agreed, sometimes their work is biased and sensationalist, but you can only hope people read between the lines. After all, they have to compete with the rest of the world's media who are only too fond of being overly opinionated.
if the Beeb were doing a program on car security, would they break into someone's car without their knowledge & drive it away
Surely they're all mad because the BBC removed the trojan from the botnet computers. Something that maybe the security companies fail at doing.
On the ethical side, the BBC removed the trojan stopping any real criminals using it for much more malicious purposes. Doing something slightly illegal to stop something even worse in this case is obviously ethically sound.
'The PrevX researcher who participated in the programme, Jacques Erasmus, is on holiday in Namibia and couldn't be reached for comment'
Don't worry I am sure he will be back just as soon as he has helped the ex-Prime Minister of Namibia get his FORTY MILLION DOLLARS out of the country using the money the BBC lent him.
"due to screen this weekend"
El Reg, it was last week it was screened, unless I can watch next week's TV in my dreams!
No because everyone understands what a car is and the obviousnesses about how to steal one or indeed make one secure.
Not everyone understands what the little grey box under their desk really does and as such when you say to them "you can take out any internet site of your choice" they go "yeah yeah, but what does that mean?" so then you need the practical demonstration.
Or were all your science lessons at school theory based with no experiments?
Shouldn't be illegal, this shows a problem with the laws
What they did was probably illegal, but it shouldn't be.
They didn't harm anyone, they helped a bunch of people, and while security researchers know about botnets, I can promise you none of my non-tech friends know about them so awareness does need to be raised.
Best thing that can come of this is computer misuse laws are changed to require proof of intent to harm or monetary gain.
That's not what happened though. Using your analogy, what the BBC did was demonstrate that they could give a quid to some shifty bloke on a street corner and he'd come back with someone's car with the keys in the ignition. The BBC then drove the car back to the owner and told them how to avoid having it nicked again.
I'm interested to see the show.....if it makes a few technophobes de-bot their PC then everyone's a winner.
This is just showing you what can be done, just like another BBC show, "The Real Hustle", which is in its 6th season: a person/computer being exploited for gain and then the marks being told that they were exploited.
If I understand correctly, the BBC did not infect any machines, it just got the wires to control machines already infected. At the end it made a modification to the machines to let the users know their machines were infected and how to fix them. Surely that is more good than bad.
The fact is, McAfee, etc, would rather you pay them to clean your machine rather than getting the BBC to do it for free. No wonder they are so up in arms....
My problem with the whole thing is that the BBC clearly stated in the versions already broadcast that "This isn't illegal because we are not doing it with criminal intent." Regardless of whether there were a public interest defense (or education research defense etc) covering the BBC, this strongly worded and definitive statement makes it appear that anybody is allowed to do this as long as they don't have criminal intent. The BBC giving legal advice in this manner is wrong, particularly when people have been prosecuted for performing non-malicious actions such as typing "../../".
"if the Beeb were doing a program on car security, would they break into someone's car without their knowledge & drive it away"
A stupid analogy. The PCs in question had already been compromised. What the BBC did was more akin to telling an owner that they'd left their car unlocked with the keys in the ignition.
I think Eugene Goodrich's comments really hit the nail on the head. Showing a real-life zombie-net at work may wake a few people up.
"...would they break into someone's car without their knowledge & drive it away?"
Yes, they would. In fact on "The Real Hustle" they have.
so: would the BBC break into someone's car?
Well now, if leaflet-deliverers frequently stole cars, used them to deliver adverts for fake drugs and financial scams, but later returned the cars so that the owner was none the wiser... maybe they'd have to, in order to get the car owners to notice and take action.
does it matter if they broke the law or not?
I mean seriously?
what exactly is the chance of them being nicked even if they have?
it will just go in the "too difficult" pile.
now if an individual did it thats different.
Anywhere there's a possibility of...
...a click reporter getting probed in gitmo has to be worth trying.
The law applies to everyone
Not just the little people.
Regardless of their motives or the "public good", the law was broken. If they don't like it, work to get the law amended to allow this sort of exception *before* testing it out.
See here http://blogs.securiteam.com/index.php/archives/1261 for another Brit's take on it. I'm an American, so my opinion is only worth about 1/2 on this forum.
The Real Hustle - a BBC programme shown on BBC 3 I think, occasionally does exactly that. I can remember a programme where they took cars from an attended parking car park. OK it was a con trick rather than a break in but most illegal access to PCs is gained through users being conned into downloading or accessing something they shouldn't have rather than brute force through the network port.
My opinion is that if the DoD or NASA had a compromised PC they would want to know rather than not. Why shoot the messenger?
And I thought the "unrequested security test" defence
was well and truly dead.
One rule for one.....
What the BBC did is clearly a breach of the law. The PCs/servers that were used in the attack had additional load added to them so the BBC could prove a point. This could have caused (and probably did cause) some machines to stop doing the task that they are put on the internet to do. This could be to host a web site, run email and maybe even provide critical services!!
The BBC should be commended for highlighting such issues but back handed around the head for doing it the way they did. If someone finds a flaw in the BBC's web site should that person then exploit it and take the site down/deface the site etc to prove that even large corporations need security? I am sure that if this was done the BBC wouldn't be quite so calm about it and would be looking to prosecute the person!
Don't you know that car analogies only work on Slashdot.
I have to agree with the majority of other posters, the BBC were completely right to do what they did in this documentary. The fact that people are kicking up a stink over it is a Good Thing[tm] because it just helps highlight the problem of zombie computers and the tied hands of those who are able to do something about botnets but can't because they could be arrested for hacking, and how governments & agencies don't care or don't have the necessary resources & scissors to cut through the red tape involved.
@ AC 16:51
"if the Beeb were doing a program on car security, would they break into someone's car without their knowledge & drive it away"
Assuming for a moment that you intended that to be a question, and supplying our own question mark at the end of it, I can answer thusly: yes. I've seen it many times. They do a documentary on car security, they show somebody jimmying the door lock open, or fooling the sensor, or whatever. Of course, they don't show it to a reproducible amount of detail, but they show it to make a point of how quick and easy it is for a practiced thief to do - the shock value is what drives the message home to the viewers. "Oh my god, it's that easy for them to do, I'd better beef up my security." I've also seen them demonstrate how pickpockets and conmen work, as well as bank robbers etc etc. Why not? It's a documentary. It's gotta be documented. Otherwise what's the point? It may as well be a work of fiction.
RE Anonymous Coward Posted 16:51 GMT
the answer is yes
Because they did an item once on thefts from cars and how no one takes a blind bit of notice unless it's their car.
Oh, and it took someone smashing the side window in with a big hammer on a car parked in a busy road, ripping the radio out while the car alarm is blaring, then walking down the road holding the radio above his head while wearing a shirt saying 'I thieve from cars' before anyone called the cops.
@ other AC
Yes, they would, ever watched Top Gear? They'd probably buy the car first, but still...
I, for one, approve the idea, as they didn't infect the zombies in the first place, didn't use them to do any harm to anyone in any way, warned the zombies they were infected, and proved that the botnets are not only a problem when mastered by their creators, but also by any smart ass that knows enough about logging in to an IRC channel.
All in all, I'd call it a pretty good piece of television (though I haven't seen it yet... now, where's iplayer again?)
To use your analogy, in this case the BBC did not break into someone's car - they found a car that had been broken into, and drove it back to the owner, then left a note suggesting that they lock it in the future.
Enough of this crap....
In the past, when crime journalism was to the fore of the tabloids and the broadsheets, (before it went all celeb shite) was it ok back then for them to pay bribes and give back handers to the cops?
Sometimes, you got to break the law to highlight the crime. It's called investigative journalism.
El Reg turning into Daily Mail with faux outrage and its petty battles with the Beeb. Please. You are embarrassing yourself.
Legal Way To DO It
If they wanted to do it with a controlled lab they could have gained access legally to quite a lot of their own machines and maybe from the security company to build into their botnet. As they say it only took 60 bots to drop that server. And apparently they sent 500 messages per second yet the numbers struggled to reach over 2000 emails with 22k of bots.
The Beeb should have used a controlled environment rather than public computers. (I say public in a worldwide sense)
Why should there be one rule for a media outlet and another for security researchers? If any security researcher did this above ground and blogged about it, irrespective of the 'informing the public' argument they'd be up before the law, but the beeb is untouchable?
I think the unethical and illegal actions of the BBC and the complicity of Prevx is an advertisement to your future script kiddies. I mean, if BBC Click can do it easily and without legal recourse, why not everyone else?
Raising a bit more awareness among the gen. pub. would be good, but I suspect raising the blood pressure of a fair few BT/PCworld/other_toyshop helldesk operators is more likely. ("I've caught a botnet called windows firewall!!" etc...)
Absolutely no question it's illegal though. CMA makes no provision for "intent" - it's an offence to use any computer that you don't have (implicit or explicit) permission to use.
On another note, isn't there something in the CMA that makes it obligatory for the owner of a system to "take all reasonable precautions" to make their machine/network secure, or be held (partly) liable? In other words, if you're dumb enough to stick a vulnerable machine out there and it gets used for DDS/kiddiepr0n/something nasty - YOU are liable. Would that sharpen a few minds vis-a-vis online security?
I don't see what the big deal is
The people who were told that their PCs were infected and how to clean them are probably pleased. That shouldn't be a problem.
If you want to be legalistic about it, you could think of it as implied consent. If a doctor finds you unconscious on the ground, he can assume you would like to be revived. Likewise it's perfectly reasonable to assume the owner of an infected PC would like to have it cleaned or at least be informed of the problem.
You have obviously never seen The Real Hustle.
@AC 13/13/2009 16:51
I don't know if they'd break into a car, but they certainly scam people (and then tell them the error of their ways): see "The Real Hustle" (http://www.bbc.co.uk/realhustle/)
Time to take botnets seriously
We've been following the letter of the law right along. Has that gotten us anywhere in battling the proliferation of botnets? Absolutely not. I applaud the BBC's attempt to make this issue much more visible to the public. And I doubly applaud their attempt to alert the owner of the bot-infested PC to clean it up. It's the least that should be done in every circumstance.
Intent plays a huge role here, and BBC's intent is clearly for the common good. More in the security community should be crying out for the laws to be changed so that botnets can be tackled head on rather than sitting around in some giant hand-wringing pity party of inaction. BBC's methods might not be the best way to change the sorry state of Internet security, but at least they're doing something, which is more than can be said for many.
Cue the "Death Wish" movie poster images...
Anonymous Coward, please see The Real Hustle.
They have previously stolen a car on this show (later to return it to its owner)
''if the Beeb were doing a program on car security, would they break into someone's car without their knowledge & drive it away''
Well, they do have a good programme ''The Real Hustle'' where they do exactly this sort of thing. I think that it is good as it really does show that the scams are possible.
Sure, why not?
As long as they bring the car back and pay for any damage etc. it'd be a far more effective lesson than stopping someone in a car park and saying "theoretically, this is how I could break into your car..."
I've already seen it
It was on the international BBC World News channel yesterday. You can probably watch it online now.
IIRC they said they spent a few thousand dollars for the botnet which they bought over IM, and said they paid a bit over the odds. Without even considering the Computer Misuse Act that sounds well dodgy, licence payers' money going directly to cybercrooks.
And they said the demos were ok because they were only spamming their own accounts, but I bet they didn't have permission to hammer Hotmail or Gmail's servers.
It was interesting to see the botnet control panel, and how easy it was to take down a site, but not at licence fee payer's expense and criminals' gain.
WEBMASTER - URGENT SECURITY NOTICE
Reg Webmaster, your site has been compromised and substandard Daily Mail code has been inserted into your database!!
Oh, sorry it actually IS an el reg story!? Bloody hell, the standards are slipping.
So, some lawyers say it may have technically breached a law but it is unlikely to be prosecuted, and some competitors to the security company that worked with the BBC said "the company does not endorse the approach taken by the BBC to raise awareness of the issue of botnets" (ooo, BBC must be quaking in their boots) <translation> "especially as they didn't use us to help!! Scream! Kick!"
This is a non-story, and has as much to do with McKinnon as apples with oranges. And that whole situation is wrong anyway, so why people are wishing it on the BBC...?
For every pointless and weak attack like this on the BBC, the more people realise how baseless a lot of its detractors are.
No, but by the look of things they would get in, start it, roll it up and down the road and then return it undamaged and leave a notice saying how to lock the doors...
They would say that wouldn't they!
Well, I believe there should be an agency dedicated to actively infiltrating and patching these zombies, but they are also useful for governments too...
The AV good guys hide behind the questionable we-can't-touch-them-because-that-would-be-illegal "ethic", while the hackers completely disregard it. So the playing field can never be level.
Now we see hyperparasitic behaviour in this ever more complex ecosystem. Actually the hackers want to keep their zombies in good condition, and lock out and clean up competitors, as long as they retain control.
If someone actually does manage to clean up the zombies using antiagents, then the AV companies would suffer, so they seem to want this stupid situation to continue.
Congrats to Click for getting a few thousand zombies patched. Only another 15 million to go. :(
Read the BBC's page: "If this exercise had been done with criminal intent it would be breaking the law."
Hilarious, such a good grasp of the law they have there :-) presumably nicking a car without criminal intent (borrowing I believe it's called), would be fine according to the beeb.
I hope this is tested in court.
and I hope the Beeb win.
If they do, this will be a massive win for security researchers and curious people on the internet to play around with 'hacking' tools for 'research purposes' on other people's computers and get away with it.
What needs to be done to get the Met' to investigate this?
On The Real Hustle
they do cons on people & tell them afterward, & only then give their money/wallet/mobile back. On one episode they got people to give them company bank deposits by saying the night safe was broken. No-one seems bothered by that series, which is analogous to the "car security" programme when they "break into someone's car".
Most people's attitude is like Homer Simpson's when he puts his arms round his television and says "Let's never fight again". Telly is godlike & therefore not subject to mortal law.
Horned Bill icon - cos it's all his bleedin' fault (heh)
Got that backwards ...
This is not the Beeb breaking in and stealing your car. This is the Beeb talking to the car jacker and renting your stolen car and afterwards leaving it parked in your driveway.
Besides, someone already did the car security thing a few years back. Set out cars with surveillance systems and live cameras to show you a jacker getting into your car and making off with it.
As for Mc*cough*ee and their ilk, I personally have very little respect and even less trust for their industry. There is always that thought in the back of my mind that they would evaporate as companies if not for all these cyber criminals and various flavours of the minute chunks of malicious code floating out there. I detect a self-serving note coming from their quarter each time they speak up.
*/ it would be a joke but I dread just how bad it really is...
I think a few people will like this programme
For a start the 22 000 real computer users who presumably had f*#k all idea that their machine was some bot herder's slave.
"What if one of those PCs was in the DoD"
After all the publicity over McKinnon how lame would that make the world's wealthiest defence administration organisation? They'd more likely change the screen saver back and follow instructions to get rid of it and hope no one noticed. I'd call that crocodile tears for a straw man.
They spammed 2 disposable free email accounts. Jack Straw's constituency account was not one of them. Who can say how many others are also on Hotmail.
They disrupted a test network. Which is designed for penetration testing.
And as for saturation advertising. I don't get digital. I have seen nothing about it. But my VCR is being set.
No doubt a prosecution under the Computer Misuse Act would be so simple even the CPS might do it. How many real prosecutions have taken place under this act?
Bot herders are in it for the money. Once you've proved you can do it that's the only motive. I find it astonishing all those ISPs bitching about how it "Would be" 8/10/12/20mbps if only the customers didn't clog up the net with YouTube,iPlayer streaming, bittorrents, Skype etc.
Not a sound about the thing most of their users are really steamed about. That customers don't want and would have disappear for ever.
Computer users can get connected to the internet with no training and no awareness of the hazards (to their privacy and finances at least but in worst case to their physical safety) in a way which is unthinkable with say a motor car.
Anyone who bought a car, got behind the wheel and drove onto the public highway with no training, no license and no practice who then crashed and ended up in a wheelchair would be thought nothing other than a complete moron. Yet people with as little awareness take equivalent risks with their finances and privacy on the internet every day.
Sure, with unlimited time and skills any single PC could be made a zombie. But there has to be a valence. Make building a bot net hard work and suddenly it's a *job* where they have to put in serious effort and time.