BBC Click has admitted paying cybercrooks thousands of dollars to buy access to a botnet as part of a controversial cybercrime investigation, broadcast over the weekend. In a website story accompanying the heavily-promoted report, BBC Click reporter Spencer Kelly explains how licence fee payers' money was used to buy access to …
I saw the program and thought it was a good idea
I think a program like Click showing the effects of not having adequate protection when connected to the internet is exactly what is needed. Most people only see the threat to themselves and not the threat they create for others.
Also, at the end they instructed the machines to remove the BOTs so doing good for the people who were infected.
It might be a bit grey legally, but I think it was great.
Also, the statement from the article ‘Much of what BBC Click found was already common knowledge in security circles, if not to the wider public’ is interested as I would expect the wider public are clueless on this.
pay for the IPs
1. hire botnet
2. point at honeypot
3. capture ip addresses
4. add to a block list at the ISP level.
Be kind to the BBC El Reg!
Umm, yeah, shock horror, anyone who watched the program knows that they paid for the botnet. They said so in the program!
The episode about botnets was the most interesting thing they have ever done on Click and was worth the money that they paid. I'm sure the cost of making it was cheaper than a typical "On location" episode they do, for example in the US.
There is a teeny bit of negative reporting here in your article El Reg. The click episode was done in the name of education, so it *Can* be ok to bend the rules sometimes. This is similar to health programs that show full frontal nudity, normally it wouldn't be allowed, but that word "Education" pops up again.
Of course the people who will be throwing their arms up in horror will be the ones who didn't watch the program, "Oh noes, the BBC are paying money to criminals, I want my license fee back!" or cynical press ;-)
If the BBC get into trouble then they are going to lose the ability to show groundbreaking events like they have here, it will be a sad day.
Load of crap
If PrevX has loose moral and deliberatly choose to aid in unlawful access let it be so but they should atleast have the balls to take the heat instead of trying desperately to point fingers to others.
Unlawful access sure as hell doesn't come "with the turf", no real researcher does that. There are ways to do things legally and what BBC and PrevX did was not legal. I hope the DA's in Britain have the sense to drag their asses into court.
You don't go around killing and torturing people "to show the general public how it's done". Big load of crap and I hope they'll pay for that. I would not work with anyone, or give any sensitive data to anyone with the morals that BBC and PrevX have displayed, ever.
Before anyone uses "The real hustle defence"
In earlier discussions, a lot of uninformed people have spoken about how tricks used in shows like "The Real Hustle" work the same way and are useful for informing the public. What they ignore is:
"The participants featured in The Real Hustle have either been set up by their family and friends or believe that they are participating in another television programme. After they have been hustled for real any monies or property taken during the hustle are returned to them and their consent for the item to be broadcast is obtained so that viewers can avoid being ripped off by the same scam."
There are numerous issues with the behavior of the BBC in how it handled this issue, relating to Vigilantism and funding crime and I covered these on my own site: http://john-graham.me.uk/?p=61
Go BBC. Stop stirring El Reg.
I know you don't like them and all but thumbs up to the BBC. Who gives a shiny shit if it was on a US millitary computer, they did it from here and caused no damage. In fact they helped them out by identifying the computers they used.
Why do you write that ZOMG!!111! it may be on US mil computers when it would be more of a problem if it was on UK citizen computers.
Straw men and FUD
In the program the states they paid 30 USD/1000 bots because they were *not* in either the UK or the US and that would have made the price about 10x higher.
$660 US, that's < £500 even with our crap exchange rate.
Please note el reg readers are not really the target audience. It is what can happen to un-suspecting, lazy and plain dumb users
Doing it this way was exactly the same as the EFF building hardware to crack the DES and writing a book about it. The NSA maintained DES remained secure *years* after non vested interests stated it could be broken now given custom hardware. Up to that point it could be argued "That's just an opinion." After the hardware was running NSA accepted that a new standard was needed. Hence AES at 256 bits.
Sure, if all the public agreed un patched, un firewalled machines are unsafe it would be unnecessary. But if even a (US) goernement body denies it untill the proof can be read in an email this is not an unreasonable approach.
My one regret. They said 60 bots could shut down a website but gave no indication of what was hosting it. How many to shut down one of the big boys.
"All parties agree that there's unlikely to be a prosecution"
As a license fee payer, I haven't agreed to any such thing.
The law does not require intent in order to press charges. It does however need a CPS which acts in the public interest rather than in the interests of government/BBC/big business, which is what we have at the moment. Couple that with a Home Secretary who fails to realise that she is a public servant and is expected to look after British citizens, rather than summarily hand them over to foreign powers without any evidence, and we have a nicely stitched up system.
What a load of Crap
Being Honest i think its a good idea to change the wallpaper of the idiots (those that have not updated or clicked a link etc in an email and infected themselves) so that they know how stupid they have been,
I am sure they would find that better than going the other way and just blocking there pc from accessing the internet on a whole
Justified, utterly without reservation
1) The BBC were 100% justified (as any researcher would have been) in committing this crime in order to prevent a greater crime.
2) They hacked into diddly squat, the machines were already compromised.
3) So what if the machine were military; that is the fault of the military for not securing their systems!
4) Most people have no idea what a botnet is, so this program is a public service and (hopefully) a major eye-opener.
5) Their only mistake was in failing to point out CLEARLY that all the infected machines were Windows based and other OSs are orders of magnitude more secure.
To my first point - ISPs should be following this lead and using similar tactics to identify and remove drone PCs from their networks. I would go even further and say that prosecutions should be considered for those with drone PCs, specifically for those who have not taken reasonable measures (e.g. firewalls etc). Their negligence places us all at risk.
This was bad enough even without the "thousands of dollars". Now it's disgusting. Have they any idea where that money is going? What further crimes is it funding?
I do hope they get a visit from the police. Isn't the "paying money to criminals" bit illegal, irrespective of the computer misuse issues?
The real crime is doing nothing.
Millions of PCs are infected and members of botnets.
Users don't know that the PC they use for online banking and to store their precious information is being controlled by criminals. ISPs do little to help.
If the BBC help inform people about this major issue then that's great.
Now get back to work and report something that matters.
So the BBC paid thousands of dollars of licence fee money to Russian criminals. I hope BBC accountants, if not the police, followed that one up. And so the BBC met these Russian hackers in Moscow. um kay.
Legally they shouldn't have used the botnet at all.
Ethically, the right thing to do was notify the victims of the botnet at the first opportunity, then seek consent to continue. Not exploit their computers and internet connections, and then tell them it could have been worse next time.
And explain this to me; how did the BBC remediate all 22,000 PCs, some of which were presumeably switched off at any given moment? All of which were running a range of operating systems/diverse locales/varierty of software configurations.
Perhaps the operators of the botnet are cursing the day they left a self destruct button in Spencer Kelly's hands, but I doubt it. I don't think they remediated those systems at all.
And as for the claim they set a desktop warning, what the hell use is 'you've got a virus' as a warning to someone who doesn't speak English?
Something about this reeks of lies, corruption, or fakery.
There is a phone vote on next weeks program (your votes decide).
Shut up you moaning twats
For fuck's sake, if this educated one non-technical viewer about the realities of botnets then it was worth doing. Security companies don't want that education because they make money out of people's ignorance! What the fuck is El Reg doing laying into the Beeb for this? It's really fucking unnecessary. Get your fingers out and get a story up here supporting the BBC who were doing a good thing here.
For the first time, I'm tempted to use the Death of El Reg icon in earnest. What the fuck is wrong with you? Sort it out.
"Misguided, unnecessary and unethical ..."
... but job well done if it has taken those bots out of the botnet and keeps them out.
Sure, it's dodgy ground the BBC are walking upon - particularly when it seems so many have a BBC-bashing agenda across a wide spectrum - but this is where the "for the greater good defence" card gets played.
Yes, we all know botnets are out there, we all know the problems they cause, and we all know the difficulty of the law that prevents us from walking up to everyone of them and taking a sledgehammer to them ( before setting them on fire, then pissing on them to put that fire out, and then asking, "Right, who owns this ..." ) as much as we'd like to.
So well done Click and the BBC. Something worth my licence fee while others sit around doing nothing but hand-wringing and moaning. The hypocrites who would love to see the botnets smashed to sunder but complain when the BBC gets off its arse and tries to make that happen, at least in part, can quite frankly STFU IMHO.
Thought provoking TV.
The Reg has run enough stories about the BBC not producing thought provoking TV with license payers money, it seems somewhat two faced to try to take them down when they do create something worth watching.
I don't agree with giving money to criminals, or the methods used, but on the other hand I can't see how it would be possible to hold the general populations interest without a real example.
Regards security professionals breaking the law on a day to day basis, I don't need to remind anyone quite how rediculous the laws are in the UK when it comes to computer misuses, to the point where even the most careful security professionals will find it hard to do their jobs without breaking one or more laws (thought maybe not quite so spectacularly as the BBC has done in this case).
These days anything from a commonly used password database to ping could be deemed illegal.
Storn in a tea cup!
I can't believe how an*l people are being about this program and the subsequent press it's had.
I am no legal expert and maybe the BBC has stepped across the legal line here but things really need to be put into perspective. I like many millions of email users are bombarded with junk from the masses of spam kings using botnets to spread their cr*p. We are also subject to the inconvenience of these criminals attaching legitimate web sites via DDoS and also by the side line activities of booby trapping sites to gain the IP addresses of victims in the first place. I for one applaud the BBC actions here because as pointed out by Albert most people are unaware of the methods and extent of the problem.
To computer savvy people it is common sense to avoid certain web sites, keep an up to date virus scanner, install a fire wall and never open unsolicited email attachments, but to a very large proportion of the worlds computer users this is still a mystery, hence the level of virus outbreaks and spam.
If y machine was snared into a botnet I sure as hell would appreciate someone telling me that it had so I could clean it out. I don't want to be responsible for spreading junk email or attacking legitimate web sites in DDoS.
I also think it two faced of the anti virus firms to knock the BBC here. I would have thought any improvement in peoples knowledge of how to surf safe and avoid the spammer scum and the snare of their botnets would be welcomed by such parties.
As for your comments Toni Koivunen I presume you are from the US? The only part of your comment that made any sense was the title, "Load of crap" which aptly summed up your comment!. What's the matter, worried your precious Pentagon was hacked? If they can't protect themselves then they deserve someone pointing it out to them.
Money should not have changed hands
They've directly funded criminal activity WITH MY MONEY, and totally without my consent. However you look at that, whatever they thought they were doing, however many weasel words you throw at it, it's wrong.
If it's OK for educational purposes (and perhaps too keep viewers watching adverts which make £), then i want to educate on how to getta bigga penis for only small fees.
Knowledge is power.
I think this was a good article if it does nothing more than educate people to use Windows Update. If people had, Conficker wouldn't have had the devastating impact it has had as the exploit was patched in a Windows Update months before Conficker came out. Likewise the same with Sasser and all the other major attacks.
Thanks to the programme, there's now up to 22,000 unsecured computers which will get updated and their users educated.
I saw the show on News 24 last night.
I wonder what proportion of the owners of these infected machines could understand the warning message they set as the desktop wallpaper? That botnet consisted of PCs from all around the world. If they sent the same English message to all of them, I imagine a lot of the owners would have responded with a "WTF is that?!" rather than "ooh I'd best get my computer cleaned up. Thanks BBC"
In the event it did go to court...
...does anyone honestly believe a jury would convict?
Funny thing about juries - they have a disturbing habit of accepting public interest defences even if there isn't a provision for one in the statute.
why doesnt the BBC get nailed for this
they illegally bought something illegal from hackers engaged in illegal activities. Or are they not being prosecuted because all those illegals cancel each other out???
Its the same as buying a gun. You are paying money for something illegal, from a person who is illegally selling it to you, and who acquired it through illegal means. Saying "its OK because were not going to shoot anyone with it, we'll just shoot around them to raise public awareness of guns" just doesn't fucking cut it.
Depending on where the hacker's alliegances lie, they could be funding terrorism, directly or indirectly - isnt that against the law too?
When are big, lawless companies like BT and BBC finally going to be nailed for doing illegal things!?! If a sysadmin got drunk and did the same as this incompetent ignorant bunch of retarded fuckwits, then he would be in jail and it would have cost the government £2Million to put right whatever the botnet did.
Good value for money
Pay few thousand of dollars - which is like £3.50 to remove a shed load of machines from spamming and general bot-net crap etc. sounds excellent to me - I bet we pay the police lots more and they do nothing but drink tea, or are getting criminal records
go BBC - more bot killing plz
Seems to be the common mode of computer security these days.
Hey, why make your systems secure when instead, you can hire a bunch of lawyers to say it's illegal to do anything with a computer that you're not authorized to do, then come down hard on anyone you find that is accessing the system in a way you didn't expect (public domain transfers, session states stored in a URL, clicking on search engine links to exposed documents that you didn't think would be visible, but actually were, etc).
You can have all the programs you want saying "Hey, it's um bad y'know.." to all the people who haven't a clue how to secure their PC, or even know that it even needs to be secured, and you'll be in the same old boat. If it's not something that people really feel they need to know about because they've been burned (or people they know have been burned), they'll carry on as if there's nothing wrong.
Now, each of those people probably know at least 10 other PC users, so they'll get the hint too.. And the "hey my mate just..." conversations will also probably propogate to another 10 for each of the original 10 (past the "my mate" level, things tend to take on the "urban legend" feel, and it loses impact).
That's a whole boat load of people that REALLY get the message, not on an abstract "I can put my head in the sand, and it'll just go away" kind of way, but in a far more concrete and real sense.
As far as legal goes, I have the sneaky suspicion that it's not. Should it be legal? I'd say it's one of those that is in a really grey area. What they did, in general, is good (increasing user education, which vastly increases real terms security, not just 'tick in a box' security), using methods that are bad (paying organised crime, and hijacking people's machines), but with no real ill effect (delivering a message that your machine has been compromised, and you may just want to get it sorted out).
It's nothing like torture, as mentioned in a previous post, so that comparison is void.
It's very much white/grey hat stuff. On the whole, I'm pretty much behind that kind of activity (someone takes the time to crack your security then tells you how, so you can make it better, rather than cracking your security, and selling that information to anyone who wants it, so you have no idea your security even needs fixing).
Computing laws are still damnably primitive; we need a finely crafted tool that will let us hoist up the really destructive contingent, while allowing the creative (white hat) to prosper. Then we may have a snowflake's chance in hell of actually having systems that are secure, rather than putting a tick in a box, and saying they are secure by fiat.
Considering it's a BBC World programme would mean it's funded from advertising revenues and not the licence fee...
Choking on a Nice Glass of Bolleaux from El Reg
Click did pay money for the botnet, but at the end, they informed the owners of the infected machines that they were infected, what to do about preventing such things happening to them in the future, and then they REMOVED the infection from their machines.
Yeah .. in anyone's book, clearing up thousands of infected machines, educating those people who allowed their machines to become infected and cleaning up the mess, and preventing those machines being used for malicious purposes in the future ... truly a criminal act. What wicked people inhabit the BBC!
Get over yourselves.
RE: "Justified, utterly without reservation"
Since when has 'For education' ever been a justification for an illegal act.
And let not forget that they have paid thousands of dollar to a criminal gang engaged in an illegal act which will help them continue their activities.
And for all of you who think otherwise:
An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.
1 Unauthorised access to computer material
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
3 Unauthorised modification of computer material
(1) A person is guilty of an offence if—
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
"its the unique way we are funded..."
in essence this is the "research purposes" defence i seem to remember that defence failed for a couple of high-profile nonces from the music business. Not sure what the research was supposed to illustrate . There are botnets... already apparent by the amount of spam. They are for sale.. well look at the technical press and that's also apparent. Some UK main stream press claim the beeb built the botnet rather than buying it. Un-patched machines are plentiful and easy to breach No Sh*t , Sherlock) This exercise added nothing to the debate, it further fouled the tattered reputation of the corporation.
Mean while whilst looking at R7 web site noscript changed and i found that there where scripts from a third party on the page. (sageanalyst.net) I wrote to the bbc , asking :-
Who are sageanalyst.net?
Why are you allowing them to collect data from me without prior permission?
Is the data going out of UK jurisdiction?
Is the data (even if aggregated and anonymised) used for commercial purposes?
I received a form reply giving me a complex opt out procedure. (unnecessary as noscript spotted it ) i have however stopped the beeb running scripts with little loss of usable or desirable function. So the beeb are happy to presume consent from users for their details to be shared. I expect this form google, they don't ask me for a fee or to buy a licence. but having been ripped off by the beeb on an annual basis ( paying for digital services we wont receive here on the south coast until 2012 at the earliest) this feels a bit rich for them to use their scarce resources for such a futile and and ultimately pointless stunt.
"3) So what if the machine were military; that is the fault of the military for not securing their systems!"
Tell that to the prosecutors in US vs McKinnon.
Your arrogance is dwarfed only by your ignorance.
Re: Justified, utterly without reservation
"Most people have no idea what a botnet is, so this program is a public service and (hopefully) a major eye-opener."
I doubt it. Most people still won't know what a botnet is afterwards, given the usual levels of Beeb documentary eloquence. All this is likely to do is to scare the viewers about an issue the manufacturers and network providers should be dealing with "out of the box", potentially driving those viewers towards acquiring the usual pundit-recommended anti-virus and "system clean-up" software, possibly from the vested interests (undoubtedly featured in the programme), possibly from dodgy places on the Internet.
And if everyone panics and starts clicking all over Google-served adverts pretending to offer such solutions, we all end up with more infected computers: an own goal for the Beeb, indeed.
Re: Storn in a tea cup!
"To computer savvy people it is common sense to avoid certain web sites, keep an up to date virus scanner, install a fire wall and never open unsolicited email attachments, but to a very large proportion of the worlds computer users this is still a mystery, hence the level of virus outbreaks and spam."
I see you're from the "paper over the cracks" school of thinking. It would be far better if we didn't allow vendors to provide insecure products or products which let the user believe that they're using a Windows LAN from the year 1990, but that would mean the end of the cushy relationships between retailers, Microsoft, anti-virus vendors, ISPs... join the dots yourself.
"What's the matter, worried your precious Pentagon was hacked? If they can't protect themselves then they deserve someone pointing it out to them."
Maybe the people who made this documentary will be sold out and shipped to the US, too, given the level of support a certain Mr McKinnon has enjoyed from his own government. But then, given that it's the Beeb, with all those warm, fuzzy feelings of 70 or so years of "Auntie", there's another rule in play, here. It's the Beeb, national institution, jumpers for goalposts, blah, blah, after all.
Sure, what they did was legally a grey area
However, I think they had no other way to show what happens everyday on the Internet. Sometimes, you have to go on the grey area to show exactly what is happening. It showed that those who are carrying out the botnet stuff are not technically advanced. Any criminal who can use a computer can carry this out, you do not need to have specialist knowledge. Just enough cash to pay for the botnet.
Even though I am aware of computer security issues, it was Click that showed just how easy this thing really is and how almost any criminal can do it. Hence why you need to get your machine sorted out.
As for El Reg and Daily Mail lovers, stop picking on the BBC, because for once they have done a proper documentary on computer security.
I said "to prevent a greater crime" and that *IS* permitted under UK law, any education is merely a side effect. You've got to do better than a straw man.
The "antis" one here are probably just "anti" because it's the BBC. Is MS or someone had done it you'd all be praising their bold initiative. But when someone else does it, oh woe betide them!
Re: why doesnt the BBC get nailed for this
Anonymous Coward: "Depending on where the hacker's alliegances lie, they could be funding terrorism, directly or indirectly - isnt that against the law too?"
Indeed. I expect the Beeb to make a documentary where they go off somewhere exotic and proceed to shoot endangered animals before exclaiming, "OMFG! People can go somewhere and shoot endangered animals! We had to actually do this with our own eyes and hands because you, the archetypal Britard, and us, the archetypal Educator of the Britards, are now so stupid, our senses dulled from years of court jester-level, whole-week Saturday-evening-level entertainment and manipulation of the herd, that it is now impossible to rely on either you or us to make a single leap of inference any more! We have to actually show us shooting rare tigers to cement the mere idea in your mind!"
"Thanks to you Mr Jones from Fulham for sponsoring the bullet that did for that tiger! Next week's documentary on piracy will make accomplices of many more of you - stay tuned! Now here's ten minutes of navel-gazing advertising and projection of the BBC brand, also paid for by you!"
Even if the Beeb did all this, you'd still have all the idiots saying, "Blimey! The Beeb were right to point this out." Presumably while thinking, "I could've read about this stuff but that would involve forming abstract thoughts in m'head, and ain't that what the Interwebs and the gogglebox are for?"
To yoir corners, please
1. Those who saw Click and think it was OK.
2. Those who saw Click and think it was wrong.
3. Those who did not see Click and just like the sound of their own voices.
4. Those who did not see Click and simply seize any opportunity to slag off the BBC.
For those of the American persuasion..... In the UK (BBC land) a "DA" has only one meaning. It's a type of haircut called a Duck's Arse.
Not Grey BUT JET BLACK!
Once "Any Institution" is allowed to bend or even "break the Law" just because it might be in the Public Interest, but an Individual is pilloried & harassed by the State for a similar type of offense; where do we stop!
The BBC should have known better, news items are about properly investigating & informing the Public; this case looks like Media manipulation!
Re: Re: Storn in a tea cup!
> I see you're from the "paper over the cracks" school of thinking. It would be far better if we didn't
> allow vendors to provide insecure products or products which let the user believe that they're
> using a Windows LAN from the year 1990, but that would mean the end of the cushy relationships
> between retailers, Microsoft, anti-virus vendors, ISPs... join the dots yourself.
Try stepping into the real world for a moment. Love or hate Microsoft, and personally I hate them, no one but a fool or a genius would claim to be able to write "perfect" software which was secure and safe. I've been writing software for best part of 20 years and despite all your efforts testing and verifying your software there will always be cases which have not been completely exercised and therefore can potentially be exploited.
By your argument we should not build cars which can be involved in accidents, however I think you may find that to do this you take away the human from behind the wheel. People need to take responsibility for their own surfing and web habits. To do this people need to be aware of the dangers and understand what safe-surfing is and in that respect any such program is beneficial and justified.
Personally I think to control the wider menace of spam, etc. botnets should be infiltrated and the owners of the compromised PCs informed of the problem.
BBC Click - unethical.
Nothing new there, it's clear from their articles and reviews, that companies buy their way in, despite the BBC supposedly being a public company.
The worst offender, who does not, it seems even care about his obvious paid bias is Darren Waters....
All license payers at risk?
I realise this is taking it to extremes but as a result of this act hasn't the BBC made all license payers an accessory to the crime by funding them? For those saying the paying was justified think of what else, other than botnets, Russian underground groups do and now imagine yourself helping to pay for that. I'm usually one to roll my eyes at the mention of this with everything these days but child porn is one of a number of illegal things. Do you still feel so happy and content with the BBC paying your money for this now?
Unethical and a Grey area???
But a Win-Win -situation nevertheless, the infected PC gets a message to clean up, the communications with the botnet controllers is also poisoned as they will not know if they are dealing with a sting or a real ‘customer’. All we are missing is some way of tracking the payment to get to the botnet controllers, sorta like getting Al Capone for tax evasion.
One law for them, another for us
There is a very straightforward problem with discretionary prosecution. If the authorities are allowed to pick and choose who they prosecute, especially with the draconian laws that parliament has been passing lately, then you have institutionalised repression of the rights of individuals. Those in the administration's good books can do as they like, and not worry about the minutia of the legal details, while the rest of us walk a tightrope, knowing that the least misstep will bring the cops down on us like a ton of bricks.
We have already seen this happen in many areas, despite the assurances when the laws were passed that they would only be used in exceptional circumstances. The 70 year old heckler at the Labour party conference, who was arrested under the terrorism acts, for instance. Or the TV news presenter who was arrested for "child porn" because she took some pictures of her kids at bath time (this despite Jack Straw's personal assurance that "of course" the law would not be used in this way). And we have the now long standing use of majority verdicts in trials, which puts paid to the principle of reasonable doubt. That was supposed to be used only in cases where there was believed to have been jury intimidation, but now it is routine in any case where one or two jury members is firmly convinced the defendant is innocent, to get a conviction anyway.
If you think the BBC was right to do what they did, then the law is clearly WRONG, because they broke it, without question. Ignoring the law when it suits the administration means that they can get away with ever more draconian laws, promising to ignore them if a "good guy" should slip up. In this case the good guys are journalists, who the administration doesn't want to offend. What's YOUR standing with the administration?
sour grapes all round.
The beeb did what security firms could do, but are basically too chicken to for fear of getting sued.
The bottom line is that every one of these firms knows that its no good sitting in our sandcastles while the tide comes in, we have to get out there and do something. So what exactly do these firms do? They 'advise' us on how to put up stronger sandcastle gates and find better tide tables. Great - but the tide is still coming in
How about these guys taking some positive action with all that expertise? Nope - too worried about lawsuits. But from whom?
The baddies - its good news if they sue, they have to come out of the woodwork for that.
The victims - sure, I'm really gonna sue Sophos for telling me my Pc got pwned by russian criminals to sell unripe tarts and fake watches.
Govt agencies with bad security practice ? Aha, now we're getting to it. These guys mail each other confidential CDs, leave their dongles in a knocking shop and their laptop in a pub. How secure do you think their PCs are? Ha.
And thats what the security companies fear: that botnet containing 1000s of poorly set up US DOD computers. If they accidentally 'clean up' those boys, they'll have embarrassed the govt and that isn't something up with which either either the Hall or the House will put. Visits to Gitmo will be arranged. Laws concerning offshore betting will be invoked. Life will become 'awkward'.
Would the BBC set off a bomb to expose the tactics of terrorists?
Nope, so why is a computer any different? you can still compromise computer systems that are critical to people.
Extreme foolishness of PrevX' CEO
"Every day, most security companies, and law enforcement agencies investigating botnets and information stealers break the law to investigate and uncover stolen information and techniques - It goes with the turf!"
Speaking as someone who's spent more than a decade in infosec, I'd just like to say: whiskey, tango, foxtrot?! Did this buffoon run that statement past their corporate lawyers before flapping his stupid head open?! (Hint: if he did, they're about to be debarred for life.) Who is he, anyway? Oh, by the sacred noodle of eternity, "Mel Morris", the... the CEO?! Stop it! You're killing me!!
To misquote M.D., of Private Eye aka Phil Hammond of "Have I Got News For You" fame - after a bit about amusing things doctors write in their notes about especially fat, or stupid, or amusingly unwell patients: "Of course, those lines don't sound quite so funny when they're read out in court."
For what it's worth, in /my/ professional experience working at three well-known security firms, and a couple of teeny unknowns, I have _never_ known of a deliberate policy to flout the law. Come to that I've never known anyone do anything like this, presumably because people that stupid don't get past reception on their way to the interview. On the contrary, researchers who care about their continuing ability to earn a living are if anything hyper-sensitive to avoid anything ethically or legally dodgy.
To the saloon bar crowd heavily represented in the comments above saying "Good on yer, BBC!", I suggest you come sit in my chair and enjoy the ramifications of this cheesebrained imbecility as a million and one botherders start throwing out pop-ups claiming to be from journalists at CNN, Bild, or Hello! magazine. Actually, on second thoughts, stay where you are. I have a well-paid, fun job dealing with the consequences of mass use of insecure networked software and ubiquitous IP everywhere, and this sort of well-intentioned doltishness keeps that salary rolling in.
Re: Re: Storn in a tea cup!
"Try stepping into the real world for a moment. Love or hate Microsoft, and personally I hate them, no one but a fool or a genius would claim to be able to write "perfect" software which was secure and safe. I've been writing software for best part of 20 years and despite all your efforts testing and verifying your software there will always be cases which have not been completely exercised and therefore can potentially be exploited."
Ah, the "real world" retort: everything is all so messy and there's no time to do things right, and the users are banging their fists on their desks, demanding new features yesterday. If people actually asked the users what they wanted, reliability might be the first thing on the list. Meanwhile, no-one wants to simplify systems and cut away the cruft because "people might be running that service, leave it in!" So, yet another attack vector hangs around for its moment of fame in the advisory lists.
And after the daily exposure of hype, no-one wants to settle for something simple and reliable that works - it has to be "the shiny" or the toys are thrown out of the pram - so anyone offering something rock-stable but basic isn't going to reach the necessary critical mass amongst the fanboys and the paying punters.
Of course, secure and reliable software is hard to write, but it isn't as if no work is being done in that area at all. Again, talking about anti-virus software gives various Windows jockeys their veneer of security "expertise" - a bit like the main characters in Absolutely Fabulous spouting fashion labels supposedly makes them experts in that domain - but the real story is how Microsoft and friends with all their billions can't or won't bring even remotely applicable work in this area to market, yet are responsible for delivering systems to millions of consumers.
@ Giles Jones
Yes, buying a botnet of machines that were ALREADY compromised and then NOT doing anything damaging to them is the equivalent of setting off a bomb.
Why am I arguing with you? You're incapable of rational thought.
*shoots self after viewing violent films and/or video games*
BBC did great!
No question, the BBC did a good job here. Real investigative reporting.
Raise the real issue, notify the people involved.
How can anyone be upset with that?
This is no different
Than paying dodgy plumbers & locksmiths in an attempt to "out" them.
People don't get up in arms then, do they?
Click is, in the main, eons out of date with current tech, and so far up its own arse to be completely missable, but this episode was the exception.
Opera users don't need no stinkin' bookmarks :-)
- SMASH the Bash bug! Apple and Red Hat scramble for patch batches
- BENDY iPhone 6, you say? Pah, warp claims are bent out of shape: Consumer Reports
- NASA rover Curiosity drills HOLE in MARS 'GOLF COURSE'
- WHY did Sunday Mirror stoop to slurping selfies for smut sting?
- Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9