The BBC has followed its recent controversial botnet demonstration with a new filmed demo of how a Trojan attack works - except this time it made sure to ask nicely. In a clear change from the earlier exercise, which provoked intense ethical debate, this time around the corporation has gone out of its way to make clear it sought …
Common Sense Prevails
Still crazy what they did the first time, and really there is no excuse; the matter has been debated and resolved so many times in the security community that frankly they must have been advised by some complete cowboys or school children.
This story will get no coverage
whereas the original one got lots of coverage, and that's why the original one was right to do, even if it did break the law - no harm no foul.
So in the previous demonstration, did they get the users' permission? The article doesn't make it clear </sarcasm>
Interesting last line in the Sophos blog you linked to, something about moving on - not sure El Reg have!
So while the BBC said that what they did last time was perfectly OK, it now seems that they, err... knew perfectly well it wasn't and were lying through their teeth?
when you see it happening.
It seems amazing, to me, that the BBC with its limited funds can find out where, who and what can infect PCs and steal identities, yet the governments of the world appear helpless to do anything about this cyberspace invasion.
If the governments of the world blacklisted Nigeria's IP address (as an example, because supposedly a lot of scam emails come from there), wouldn't the Nigerian government then actually start cleaning up the scammers - for the sake of their, presumably, majority of honest surfers? Same with Russia - maybe not so much China, but they should be isolated anyway for their disgusting human rights violations.
Any companies caught giving virtual IPs to any cut off country would be jailed for five years, or sent to live in that country.
Or is that too simplistic?
One thing you'll not be seeing on the BBC...
... is Graham Cluley!
The proliferate bureau of pravda, I mean the DG at the BBC will have put him on the "not getting back in here until hell freezes over" list.
Paris because she knows when to open her mouth wide!
Their lawyers weren't stupid.
Lawyers obviously knew what they were doing. They told them they wouldn't get in trouble and they didn't get in trouble. How these lawyers knew in advance that the BBC would get away with crimes that mere mortals are punished for is an interesting question if you have paranoid or merely cynical leanings.
Yep, that's too simplistic.
Where (anywhere on the internet) and what (vulnerable computers) are easy questions, the critical question is Who?, and getting enough proof for a court case. The BBC didn't track down the crims.
Blocking countries is not a good idea - too much collateral damage, too little effect on the bad guys.
Internet education for the brain dead
FFS, basic security precautions and a minuscule amount of common sense are all that's needed to deal with the threat of 'trojans'.
The Fear Factory in overdrive, again...
Too right we are annoyed at the BBC for doing the original ridiculous and illegal stunt. We are well aware that if any of us in the security field did such a thing for entertain .. public interest reasons we'd be hauled away, quick as a flash... and now it seems that the security guy they asked also said it would be illegal too.
The second demonstration - with consent - was much better handled.
Missing the point
The problem with the original BBC Click was not that it involved manipulating the PCs of innocent users without their consent. The real issue is that in purchasing the botnet, they have taken a chunk of licence fee money and poured it directly into the pockets of Russian and Ukrainian criminals.
Of course, the BBC broke the law by accessing the compromised PCs, although it could be argued that they did so in the public interest, and caused no damage.
On the other hand, in buying the botnet, the BBC has funded the real criminals and allowed them to build even bigger botnets with which to carry out their scummy activities.
They would actually have been on (slightly) better ethical ground if they'd written the malware themselves.
I'm still waiting for the demonstrations on mugging, carjacking, murder and arson. That'll bring in the viewers. Wonder if they'll warn the victims first or just cook them in their beds to show what can happen if you don't screw your mailbox shut. It is powerful public interest after all....
I guess the resounding victory that was achieved last time by the 'OMG teh illegalz' crowd wasn't so resounding. I mean ... if you have to keep banging on about it as if you hadn't won the debate.
Imagine the scenario...
The software to infect the multiple machines would presumably have to be open source, and would have to throw up dialogs along the lines of "Do you want to install this on your computer?" - plus for added legal protection "Are you sure?" and "You do realise what you're doing, don't you?", plus an EULA describing exactly what the software would do. Due to this process, you'd probably have to wait a few years to "acquire" sufficient machines to carry out the attack; then once the attack was over the software would presumably have to uninstall itself.
Or of course you could pay your lawyers enough money to find a legal loophole to do it the quick way...
You can't do IP blocks
Because most of the scams come from compromised computers. The primary source of spam/scam emails is the USA (http://www.spamhaus.org/rokso/index.lasso), and the collateral damage from blocking that country - although it would (temporarily) make email useful again and be highly amusing to watch - would be unacceptable to most people I expect.
I suppose we could just nuke Michigan. It'd take out Ralsky and who'd miss it?