BBC botnet 'public interest' defence rubbished by top IT lawyer

The BBC's argument that "public interest" justified its purchase and use of a botnet in a controversial experiment is little better than vigilantism, according to a top IT lawyer. BBC Click bought a botnet of 22,000 compromised machines in order to send spam to webmail addresses it set up, and to launch a denial of service …

COMMENTS

This topic is closed for new posts.


Thumb Down

Daily BBC Botnet Update

Do we really need a daily BBC botnet update, with another top law expert or further quotes from different security firms pouring scorn on the Beeb?

Okay, we get it - the consensus is they done wrong. However, do we - the public - really give a fuck anymore?

0
0
Anonymous Coward

In other words....

... the vendors that didn't get the free publicity of being on the program disagree with the methods used so they can get free publicity disagreeing with it.

0
0
Flame

Can of worms

I think the whole thing was badly done, publicizing that it was easy to obtain, the cost of obtaining bots and the ease of use.. they may have just been a marketing company for these guys.

I also dislike the usage of "Russian" hackers, come on seriously I've seen teenagers amass 50K+ botnets with access to botnets that ran in the 100K+ back in 2003. The only difference was that they were not organized crime and they certainly were not Russian. These teenagers being from the USA and the UK not Russia.

The other issue was posting up a background from the BBC on the people's computers. Now that's just going to give scammers ideas on how to exploit that by including links to free anti-virus and anti-malware programs that are actually malware programs in sheep's clothes.

As I said Can of Worms.

0
0
Thumb Up

Gaping hole in the law.

If you can target computers in foreign countries where the users are unlikely to complain to the correct authorities.

But then we knew about that already, and in some countries hacking foreign computer systems is almost encouraged.

Good on the BEEB for educating the unwashed masses, again.

0
0
Anonymous Coward

Shock horror!

Lawyer claims damages might have been done; may require court case.

Jesus, why don't these parasites just piss off and leave us all alone?

0
0
Paris Hilton

Victim complaint

Victims making a complaint..

Because their desktop wallpapers were changed, when they could have had their banking details and on-line identities stolen.

I have no doubt it will be a busy day at the computer crimes unit tomorrow.

.. Paris, because her tears are sincere.

0
0
Paris Hilton

TV Licence

I feel quite angry that some of my TV Licence money has been given to Russian hackers for this stupid stunt.

0
0
MnM
Thumb Down

No interest

BBC Click used to be, iirc, leveraged by the crack DSGi staff training department and inflicted upon budding sell-bots to re-program them into repeating 'would you like a memory card with that?' at regular intervals.

The only other use this program has is to fill time between rolling news. Even then, it's somehow less informative than a repeat of news viewed only half an hour earlier.

It's the IT equivalent of Delia demonstrating how to boil an egg.

Lock 'em up.

0
0
Go

I am totally fine with what the BBC did.

Without such a demonstration I doubt a lot of its viewers are even aware of what their computer can unwittingly be a part of. Legality be damned.

0
0
Gates Horns

Well done.

I saw this report. I felt it showed the dangers of these botnets far more effectively than any lab demonstration could have. They also provided a service to the people whose computers were compromised by letting them know about what had been done to them in a way that is very hard to ignore.

I say again, Well done.

If you disagree with me then you are obviously insane.

0
0
Gold badge

I'm with the 1/3rd...

From the article, "A third said that although the exercise might be legally questionable it 'helps raise awareness'"

I agree with that.

These people running unpatched Windows systems are already pwned anyway if their cycles and bandwidth are for sale. Might as well do something useful for the BBC rather than send v!4gr4 spam or DDOS some guy.. and it definitely should raise awareness, for those who are somehow unaware that an unpatched Windows box can get pwned almost immediately. But, that said, there's no question it was illegal. Should they get prosecuted? No, that's why there are judges instead of some kind of automated crime computers*.

*If there WERE automated crime computers, they'd be pwned anyway, so the BBC could of course just pay a few more quid and have the botmasters let them off the hook.

0
0
Thumb Up

Well done BBC!

Quote from article:

Tampering with people's PCs to illustrate the botnet risk is unethical in much the same way that breaking into homes to dramatise the risks of burglary is also a non-starter.

end quote

Not the same thing, your analogy is flawed. It's like saying "Jump off the cliff, the wind rushing past feels so good", obviously also a flawed thought. You need to be careful what you say when manipulating the masses. The PCs were already broken into, the BBC was simply showing those affected that they needed to "clean up" their systems. I say Hurrah to their actions, it's about time someone did something practical like this.

0
0
Coat

"powerful public interest"

Guy Fawkes used similar arguments, didn't he? Maybe now there's scope for some "change" in parliament....

Mine's the one with suspicious wires dangling from pockets

0
0
Unhappy

oh auntie

Let me get this straight - auntie beeb gives licence-fee payers' cash to dodgy E European crooks, and we're supposed to be grateful? Never mind the IT angle, aren't we always being told by the government that patronising criminals - DVDs, drugs - goes to fund their other nefarious activities? Why is this any different? Never mind Ross/Brand, when it comes to grown-up scandals like the Gaza appeal and this, I wonder who the heck the beeb think they are.

0
0
Pirate

BBC Funding

So, the BBC think it is ok to fund organised crime with our licence fees?

Nobody goes around murdering people to demonstrate how easy or how big a problem murder is, nobody deliberately gets drunk then drives a Chelsea Tractor at 50mph past a school at home time, nobody physically assaults a teenage girl to demonstrate rape!

And how can the BBC justify handing over hard cash, money we have paid to Auntie in good faith, to known criminals in the name of journalism?

Maybe the Beeb are looking to start some form of new reality TV series called 'Big Crime'!

I've been a fan of 'Click' for some time now, but this has changed my views on Click and the BBC.

Where are their Ethics and Morals?

I guess they will want to increase the licence fee now to pay for their drug and alcohol habits!

0
0
Silver badge

Pah. More FUD

"the same issues could have been illustrated in the lab, without interfering with the PCs of innocent victims or sending spam."

Yeah, they "interfered" with innocent victims by telling them they were pwnd and advising them to clean their PC. And they spammed their own e-mail addresses. Clearly, these dangerous criminals need to be punished.

"The public interest argument is no defence to the Computer Misuse Act."

Oh, that's most white hats behind the bars then I believe?

The BBC stuff is probably a bit of sensationalist crap, but doesn't the CPS have more serious matters to examine? Like, illegal wiretapping by BT and Phorm? Or ruining the life of anyone foolish enough to draw a pic of a pic of a pic of a kid witnessing a sexual act, for that matter?

0
0
Bod

according to a top IT lawyer

Yeah, and I can see many top IT lawyers are lining up to take on any potential case against the BBC, and I doubt they're doing it out of any sense of moral justice ;)

Whilst yeah it's technically a bit naughty, really it's a fuss about nothing that helps the media and lawyers make money from the story.

Who loses from any potential case? The taxpayer. Whether they win or lose, as it will be Police/State vs the BBC. Both tax payer funded.

Just drop it and move on. The best thing about this is hopefully the more clueless PC owners in the UK (the majority) will have seen this and realised just what is possible. Hopefully taking action to make their PCs more secure and maybe will understand a bit more about where spam comes from and learn to ignore it.

0
0
Thumb Down

Stupid analogy (simile?)

"Tampering with people's PCs to illustrate the botnet risk is unethical in much the same way that breaking into homes to dramatise the risks of burglary is also a non-starter."

No it isn't!!! Lazy false analogies like this drive me up the flipping wall!

Clearly, everyone already knows that it's possible that a person could break into your house and steal your TV.

Not everyone is aware that someone can hijack your computer and use it in a money-making racket.

There. Think about it next, ok? Thanks!

0
0
Thumb Down

Victim Complaint

Paying criminals to commit crime encourages criminals to commit crime.

We are all, therefore, victims of the BBC's criminal action.

How about I wipe my arse with the TV licence reminder form and post it on YouTube and claim that's in the public interest?

I at least could argue that I was trying to keep money *out* of the hands of criminals.

Come to think of it, pass that tax return too..

0
0

Waste of time

Beyond there being evidence (which in this case, there is), the DPP requires a prosecution to be "in the public interest". Prosecuting the BBC will not be in the public interest. What will it achieve? It'll be a waste of tax-payers' money. I'd resent the CPS taking this one on. The BBC aren't perfect, by any means, but this one would be silly.

0
0
Thumb Up

Good on the Beeb

I agree they broke the law.

I do think the "public interest" defence is strong enough.

I do think the "to prevent a greater crime" defence is more than enough.

MS should hang their head in shame for making a shoddy OS that is so easy to subvert and hack into.

ISPs should have their heads in shame for not identifying and kicking these zombies off their networks.

The end-users caught up in this should get a clue and either learn a few security basics or install Linux (although they'll still need some security basics there too).

0
0
Coat

Well done BBC

You've taken a chunk of my license-fee, and given it to criminal gangsters in Russia/Ukraine, in an attempt to be 'sensational'. Sure, people need educating about security issues, but a lab demonstration would have done the job.

Like AC-'Can of worms' says, this was probably the best marketing the hackers could hope for. I knew the idea behind it before, but now I know just how easy it is to acquire and run a botnet, and have a rough idea of how much it should cost. Cheers for the advice.

A good idea, very badly implemented.

The one with the botmaster's number in the pocket.

0
0
Paris Hilton

Well done BBC

About time this happened and I hope they show a documentary and how easy it is to do this. The AV vendors are talking bollocks. It's well known this can be done in a lab, but then what? Post the results on their own websites?

I think most Mr&Mrs public don't visit AV site nor visit the reg, but they do use the internet and I am sure this is going to pop up on most isp home pages.

The public need to be better informed and it is a part of the BBC's job to provide educational content. In this day and age there needs to be a lot more on TV about computer security. How about bringing the issue up in the countless soaps?

I have no idea why Peggy in EastEnders has not had her bank details stolen yet!

Paris because even she knows how to private content... oh wait...

0
0
Flame

Crisis? What crisis?

What is amusing is that the BBC had barely acknowledged the criticism levelled against it. Usually they're quite happy to talk about people having a go at the BBC.. as long as the people making the complaints are the usual gobshite nutjobs. As soon as valid, well-reasoned criticism raises its head, the BBC just ignore it.

You know, thinking about how you could do this differently and legally, it would be trivially easy to get your OWN machines infected and attached to a botnet, and then break in to them. I get dozens of spams every day that will do just that.

0
0
Pirate

Are they seriously....

...trying to excuse breaking the Law with a defence based on "we defined it as being in the public interest".

Ok, who sets the definition of "public interest"? Oh, wait, that's usually the Meedja init?

So basically, if I read their defence correctly, it's "we did it because we felt like it". Is it me or does anyone else think they've been taking lessons from BT and Phorm?

Either we have Laws and we're all held accountable, or we collectively say "bollocks to it" and go off and do our own thing "because it's in the public interest". I'm sure there's a lot of people out there who feel that offing the entire contents of the Parliament would be deeply in the public interest. It's still bloody well called terrorism, it's still bloody well illegal and anyone trying it would rightly still be strung up by their left testicle.

If the Law is mutable on grounds of "public interest" then what the hell use is it?

Pirates... for obvious reasons.

0
0
Bronze badge

Didn't buy premium machines

The programme itself made clear that they did not pay a premium for machines not in the UK. Quite the opposite in fact: they bought machines at a _discount_ because they were all based in developing countries and as such less likely to have access to valuable financial details. I admit I was uneasy watching this programme: buying a botnet in this manner simply provides further financial incentive to create more botnets. However, buying cheap machines in this manner at least mitigates that effect.

0
0
tom

i think what the BBC did was good

What the BBC did was make aware to all the program viewers what can be done very easily. Furthermore they also made this fact aware to another load of people. Don't forget if the BBC had not bought it someone else would have, and their motives would not have been educational!!!!!!!!!!!!!!!!!!

0
0
Flame

Woot?

Met refuse to act unless someone affected complains?

A criminal offence has taken place - they should investigate it. Pure and simple.

And then have the BBC shut down forthwith. Castration for male staff, nail pulling for the females, burning at stake for the rest. lefty pinko commy bastards...

0
0

BBC Click breaching CMA? I don't think so.

I have to disagree with the lawyers that the program makers could be prosecuted under the Computer Misuse Act 1990. That Act was introduced as a Private Member's Bill as a direct result of the Dr Popp "AIDS Disk Trojan" incident in late 1989 (I am, in fact, the journalist who broke that story in the final edition of PC Business World of that year). Had the Act contained the provisions that were in the draft Bill I saw early in the New Year of 1990 but which were omitted in order to get non-controversial legislation passed, then the lawyers might have a point.

The computers in the botnet used by the BBC were already compromised and were being controlled by their eastern European masters and none of them were in the UK (or the US). BBC Click instructed the botnet to send spam email and then mount a Denial of Service attack that had been pre-arranged and agreed in advance with a security company. Finally the botnet was instructed to replace the Windows Wallpaper with instructions to the machine's owner/user on how to avoid being infected and the trojan programs ordered to self-destruct. Sending spam is not (yet) a criminal offence and mounting the DOS attack was authorised by the site affected. It is only the final two parts of the demonstration that are arguably illegal - changing the wallpaper and getting the trojan to delete itself being unauthorised modifications. However the BBC can argue that those two acts were a force for good and they acted in the best interest of the user.

0
0

...forgot...

Gary McKinnon anyone?

0
0
Alert

Someone had to do it

The legality is debatable but someone had to do it!

I hope this will be broadcasted on the beeb so it will be brought to the attention of a wider swathe of people other than those who peruse el reg and other online news forums.

0
0

Idiots

"Tampering with people's PCs to illustrate the botnet risk is unethical in much the same way that breaking into homes to dramatise the risks of burglary is also a non-starter."

No, it's like going to someone's house that's already broken into and putting a massive sign in the middle of the living room that says "YOUR KITCHEN WINDOW DOESN'T LOCK PROPERLY. YOU SHOULD FIX IT". There's a quite substantial difference.

0
0
Anonymous Coward

title

stop saying well done bbc. please.

they are a bunch of rich bastard fucktards who do / show what they please and (now) fund criminals.

they are funded by our tv licence money. how does that make you feel?

/me cancels tv licence.......

0
0

Public interest defence

Try that as a cop out for not paying your TV licence fee. "I withheld it from the Beeb because they are linked to Russian computer crime nets."

In recent times, often (with some variation over time) the most common reason for women to be in prison is for not paying for the TV licence (or rather, not paying the 1000 pound fine levied for not having a TV licence). It is usually the women as the men are not at home when the enforcers come. But when the BBC breaks the law themselves, the cops can't be arsed to do anything.

0
0

This post has been deleted by a moderator

Go

Go BBC

I'm glad the BBC exposed the ease with which botnets can be used for illegal purposes. The "top" IT lawyer seems more interested in earning a fee than actually contributing to protect the public interest. I think it's important we don't shoot the messenger or others will be less likely to come forward in the future.

0
0
Silver badge
Flame

FFS

"The public interest argument is no defence to the Computer Misuse Act"

That would of course have to be tested in court.

"Breaking the law in the public interest is an argument that vigilantes will use"

An interesting turn of emotive phrase there. Totally irrelevant if it is in the public interest and somewhat suggesting vigilantism is always bad.

"Some Reg readers have reported their concerns about the programme to the Met's Computer Crime Unit"

Did they also report their concerns about all those bloody botnets ? Or were they more interested in bashing the BBC ?

Do they also report themselves to the police when they break the speed limit or when a little more lax than they should be in claiming expenses and filing tax returns ?

0
0

Advice

"it had cleared the exercise with its lawyers"

Just like Phorm did, not to mention Tony Blair before the Iraq War, all of which doubtless involved a bit of arm-twisting of the lawyers concerned.

In any case, why was it necessary to duplicate a set of circumstances that is everywhere already? I thought the Beeb was supposed to be hard up!

0
0

Bad idea, badly executed

Mind you in Russia a bad idea could get you badly executed!

Efros

0
0

I've probably missed the boat but I have a more fitting analogy.

This is nothing like breaking into homes, this is more like the beeb paid to sleep with some "trafficked sex workers" then let them go. The beeb did no harm and they raised awareness.

That said, it was still illegal and people have lost their livelihood for less.

0
0

job's a good 'un

BBC is there to educate and raise awareness of issues affecting people in the UK, under the guise of "news" and "educational programming".

Botnets affect people in the UK.

BBC has raised awareness of botnets.

Job done.

As for the whingers and whiners, if they got their thumbs out of their arse and actually DID something positive rather than whinging and whining I'd be a bit more impressed. Instead they sit around flinging shit at each other and at anyone who dares interfere with their bandaid solutions to serious problems.

Now if only they'd put the blame where it really lies, which is Microsoft and their shills, and their shit-for-brains designers who made an operating system that has, effectively, zero security.

0
0
Nat

The Real Hustle

"Tampering with people's PCs to illustrate the botnet risk is unethical in much the same way that breaking into homes to dramatise the risks of burglary is also a non-starter."

As I recall, the BBC Three programme 'The Real Hustle' had their tame grifters hook people's house keys through their letterbox, use these to unlock the front door then put them back with a note warning the homeowner of what they'd done. Assuming this wasn't faked, it would seem the has a habit of committing crimes in the public interest...

0
0

@TV Licence

I feel annoyed that the BBC pay license money to provide Dross, fail to provide decent investigative programs, have a brain dead news service (new game, how many ER's can we get per minute?), provide cheapo stupid programs, filmed with COD's (Cameraman on Drugs, where the camera work is appalling, move around like some demented prat on crack, and makes me feel sick)

So it's no surprise they did the bot test, good, maybe the GBP will realise what a crock their software is.

Now let me guess, how many infected computers were not CRAPOS?

Anyone got the figures?

0
0
Paris Hilton

22,000 PC's in a Lab Environment...Please!

A few points here to think on:

- They didn't break into these systems themselves

- They notified the owners of the vulnerability

- They also proved that a remote attack with no knowledge from the end user is possible

The lab test which many posts above me have touted really won't drive the point home. People view lab tests as over the top 'Worst case scenarios'. This approach, albeit a little extreme, really drives the point home that this could be you.

I've been trying to come up with an analogy for this and so far this is the best I have. This is the equivalent to the BBC going into a pawn shop and knowingly buying stolen jewelry. Then after buying the jewelry returning it to the rightful owner stating that they wore it first.

I would love to hear several of the Bot's oblivious owners and how they personally felt.

Paris because even she can understand the report the BBC did.

0
0
Gates Horns

why other people's boxes?

why can't they just build their own botnet. in a lab using their own bandwidth and own computers.

but no!

lets go round with infected home users.

0
0
Anonymous Coward

Oh well...

...just goes to show what useless twonks the BBC really are. Publicising the DEC Gaza appeal to help countless innocent people falls outside their charter, but it would appear handing over cash (OUR cash) to some cybercrooks to get access to the compromised computers of others (probably a good proportion of which were license payers) falls within it.

Perhaps it's just a big ruse - their real aim is to find those using iplayer without a license fee!!

0
0
Gold badge
Boffin

A small technical question

"An apology is more likely to make the problem go away"

Who exactly should the BBC apologise to?

0
0
Anonymous Coward

Used my licence fee to fund criminals… blah blah blah

Oh come on, botnets are a huge problem for the internet. And, if the beeb had not purchased those bots, then some more unscrupulous sod would have. Not purchasing them would not have prevented the criminals from selling them.

I’m fine with people who want to complain that their licence fee is being misused, in fact I agree. But I think that the whole Click thing is small potatoes when compared to giving Jonathan Ross £6,000,000 a year, or Chris Moyles £650,000. I don’t think that the level of their “talent” warrants such sums. Nor do I think that the faceless BBC execs need to be paid so much. They said that it was something like £450 per 1000 compromised PCs in the UK/USA. So what if they spend a grand or two getting the bots? That sum would only keep an exec in cocaine for a couple of days anyway.

If the program made 1% of viewers sit up and realise that they should change their surfing habits, then that was money well spent.

You may as well press charges against investigative journalists who illustrate that they can buy a gun or purchase crack.

0
0

Give it a rest

Come on, how many times have you run this same story now?

First, it seems pretty clear that there is a VERY strong public interest in this story, irrespective of whether or not there's an explicit public interest immunity clause in the law. It's blatantly obvious no prosecution would or could ever be brought. First, the Director of Public Prosecutions can decide to block ANY case if he decides it's not in the public interest to proceed. And secondly, no jury in the land would convict the BBC for this.

Complaining about the BBC giving money to the Russian Mafia, all of the $800 or whatever it was? How is that different from undercover reporters exposing credit card or identity card scams by paying fraudsters for false documents, from exposing corrupt officials in the police or tax office who will take money to look up someone's details, from paying someone to smuggle their reporter in so they can report from Zimbabwe or Sudan, or any one of countless other examples where they might be giving money to criminals but you probably appreciate the results. Come to that, how is it different from the police paying an informant to prevent a bigger crime?

I'm sure the journalists at the BBC (and elsewhere) have very strong guidelines on not doing anything to encourage people to break the law who wouldn't otherwise have done so, but clearly there are plenty of situations where paying a small amount to a petty criminal to expose a much bigger issue may be justified.

0
0
Thumb Down

@James Hedley

No it's not a lazy analogy -- you're again confusing reason and method. The fact that 'everyone knows' your home could be broken into is completely irrelevant. Like so many other comments, bringing botnets to the attention of the public is the *reason* for the Click project. It's the method that's being criticised.

Once again, there are plenty of ways to highlight the problem which don't involve paying money to Russian cybercrooks or making use of victims' PCs without their permission. The analogy of coming into your home -- even if it isn't secure -- and say, watching a couple of DVDs on your home cinema, before leaving you a note suggesting you fit better locks, is a very good one. It's still trespass at the very least. In Click's case it's most likely infringing the CMA.

0
0
