A controversial BBC Click documentary which involved researchers obtaining access to a botnet and sending spam is due to screen this weekend despite a growing storm of criticism. Security experts - including McAfee, a firm whose representatives appear in the programme - have described the exercise as misguided and unnecessary. …
Sounds fine ...
The more that demonstrates to and educates people about how thin the veneer of the interwebs thingie is the better. Good wake-up call.
Is not the BBC's remit to Inform, Educate and Entertain?
The informing and educating bit is too thin on the ground these days.
BBC Has Balls
So shut up saying "oohhh, it's against the law", "ooohhh, it's not right". The Beeb are showing the general public what's going on in our secret little IT world. I think they've done the right thing, illegal or not. Security affects all internet users, and I know it's 99.9999999% of Windows PCs that are causing the problems. Or should that be 99.9999999% of computer users causing the problems? Is it time to have a computer driving licence?
It's good the BBC are doing this
I am glad the BBC are covering this. I think we need to let people know about Internet security and tell them what actually is happening. On my work router I have explicitly blocked port 25 to stop most bots if they happened to come into the network. There is no need for port 25, and only if there were a specific need would I open it.
Let people know what their machine is doing and get them to sort it out. Although I think Microsoft should be made to allow the updates to be done without the WGA.
Given the coverage this is getting on the interwebs, in a week or so there'll probably be a new BBC virus or two and a spate of BBC phishing attacks.
And then how will we know if we have a malicious virus, or if those clever Click guys are just involving us in their next programme using a benign virus that they wrote themselves?
Either way, I'll be looking forward to the Click coverage of these developments.
Having originally written the Escapist article, it's quite gratifying that it was picked up. I've had no further comment from any of the involved companies but I will be watching this with some trepidation.
In the public interest
Yeh Beeb, you get my vote.
The public should be warned, informed and made aware and how can the Beeb acquire such information robustly?
Ohh, I have a gun
Brb while I check it works... oops
Eugene has a good point
The problem with trying to do a demo or simulation is that it's just that -- a demo or simulation.
From a scientific viewpoint, a demo or simulation is just as good as an actual experiment. From an average person's viewpoint, this is not the case. A demo/sim has a certain underlying tone from a normal person's stance: IT'S NOT REAL!!11. Despite it looking really good, it's not real and therefore it must be treated with a healthy measure of distrust. And this is natural.
Showing what an actual botnet can do is scary. It adds a certain element of reality into the presentation that no sim can. Even when I watched the video, and I have a healthy amount of direct experience with botnets, I was a bit taken aback.
I remember giving a report in college about botnets and the massive amount of firepower they can wield (ironically enough I was using the supposed figures of acidstorm's botnet at the time). I remember seeing my audience giving blank/bored looks as I showed the terabytes/sec of bandwidth that could be used. If I had actually pulled out a small botnet and actively demonstrated the power it can use, I'm certain that no one in the room would have been uninterested.
If this presentation removes 1 out of every 10 compromised Windows machines out there, the guys at BBC need to be given a Porsche/let loose in an all-girls Catholic school/knighted or given some kind of just reward.
Is what they did unethical? Perhaps. Unlawful? Maybe. Wrong? Bloody hell no.
Wake Up And Smell the Coffee!!
As far as I'm concerned the BBC alerted 22,000 potential victims to the fact that their computers were about as secure as shares in the banking sector. If it was me who received the warning I would have been grateful for the heads up.
So if a botter closes the hole they used to compromise a machine, they should escape the clutches of the law?
And are we to believe these guys walked into a bots4sale channel and didn't pay criminals for the loan of their botnet... which they then *tried* to dismantle... by unauthorised modification of the zombie PCs.
Blatant Unauthorised Modification... hang, draw and quarter them.
Well done BBC!
Fuck the desktop lawyers, we need more of this.
As 99% of computer users are grossly ignorant of security issues, if the BBC doco raises awareness it can only be a good thing. In this instance, the programme - judging by what we've read - will make the public that little bit more aware of spamming scum and their tricks. Why is that a bad thing?
Knocking the BBC may be a pastime for utter filth like Tony Blair, Alistair Campbell and The Daily (Hate)Mail but what would you knockers put in its place? Fox News? Sky?
Wake up people! Until the shameful filleting by HMG after the Gilligan affair, the Beeb was our last bastion against the tyranny of New Labour and right-wing newspaper cartels.
As to McAfee's comments... yeah, right. Are El Reg readers the sort of gullible PC World shoppers who believe the FUD pumped out by the parasitic self-serving conmen in the AV sector?
Good job BBC
There have been many cases of investigative journos paying crooks for something to highlight the issues, I can think of several cases where fake passports have been purchased, or guns bought, to help explain the story.
Complaining about the Beeb paying crims as part of an investigative report is plain stupid, when compared to the potential good that will come of the great unwashed taking notice and doing something to keep their PCs safer.
Clearly the exercise broke the law, but that is not the worst of it. The beeb has demonstrated that they are themselves completely clueless about the social engineering aspects of malware.
They put up a wallpaper notification that the user's computer has been compromised by a botnet. How does that play as helping clueless users? Next week we will be hearing about thousands of people seeing pop-ups on their computers claiming to be from the BBC, warning them that their computer is infected by whatnot and directing them to some site to get "cleaned" (in fact, to get more comprehensibly cleaned out). There are already blackhats doing this, representing themselves as anti-virus software vendors, now they have a trusted trademark to pose behind, with a well publicised instance to lend credibility.
How many reg readers are part of botnets?
None of course.*
Your OS is patched and up to date.
You know responding to pings and letting all packets in through all sockets by default is not just leaving your front door unlocked, its like leaving precise directions to your house posted on the walls outside every prison within 200Km of it with an invitation to drop in for tea and nibbles if Mr Ex-con is passing, along with a schedule showing when your out.
Botnets are composed of the machines of thoughtless, lazy, stupid users who don't even realise they are causing a problem. Yes, "Nice shiny thing" can be dangerous.
If this raises awareness of just 1% of the people who are causing this trouble I'd say it's well worth it.
"Is not the BBC's remit to Inform, Educate and Entertain?"
I'd forgotten that under the deluge of uncritical re-cycled press releases of the BBC Web arm.
Even Horizon is showing a return to form after some deeply s"£t documentaries.
I'd forgotten that point. Quite right.
And lastly to those talking about "They broke the Computer Misuse Act."
Probably. As did whoever installed the 22 000 botnet clients I imagine. Which was not them.
I will ask again. How many prosecutions have been made under this act? How many were for installing botnet clients and how many of them were successful?
*But the "I'm too smart to be taken" attitude is very useful to smart operators of such schemes. You are likely to be so proud of your tech you miss the social engineering aspects. Nemesis is always waiting. She brings judgement and retribution to those harbouring false pride.
It's hard to believe the 'It's all right because nobody was hurt' and the 'they should be jolly grateful to know about it' arguments used by so many readers.
If a BBC guy paid a burglar to enter your house (let's say carefully, without jemmying a door or smashing a window) and leave a note on your kitchen table saying you should get better locks and an alarm fitted, I would suggest that the majority of viewers (probably most Reg readers) to get such a note would feel violated rather than grateful and that the BBC had broken the law. I know I would.
If, on the other hand, the BBC had paid said burglar to assess the security of each house and send them a letter detailing the findings for their particular house, I imagine most *would* then be grateful and probably respect the Beeb more.
The ends don't justify the means and anybody breaking into somebody else's PC deserves to fall foul of the CMA. There are ways of doing what Click has done without buying a botnet.
A message from your sponsors...
We are deeply appreciative of all the support that has been provided on these comment pages. Please repost, but this time include your email address or IP address, so that we can forward to you a small token of our esteem. Our continued success is entirely dependent on your cooperation and determination to oppose communist organisations like the BBC. Our business motto has always been "Ignorance is Bliss" and with your help we will continue to prosper under this banner.
Stupid Idea and Waste of Money
So the BBC thinks it is OK to break the law as long you say you mean no harm by it and are making a documentary??
You don't need to rob a bank to explain the concept to people. If I see a car unlocked, is it OK for me to get in, drive it away and then return it as a "warning" to the owner? The BBC didn't just warn users their PC was part of a botnet, they actually used them to send email. Is it now OK for me to use someone else's PC to send email as long as I tell them afterwards?
Anything they show in their documentary they could have staged or simulated. It's just computer graphics FFS. They are wasting our money on recording something a student could have knocked up in MS Paint.
Can't say I have any problem with journalists doing this as a one off, illegal or not. So what if they paid a criminal for access? You're deeply naive if you think the police and secret services don't do that on a daily basis already. Besides, they borked the botnet in question, assuming the end users could tell the difference between the BBC's "You are infected" message and AntiVirus 360's "You are infected" message.
What I'd really like to see is what disinfection advice they could fit on a windows wallpaper... TBH it should probably just say "Go buy a Mac" but it's more likely to recommend they do something dumb like advise them to go buy snoreton/whackafee.
I did notice one thing...
...that the Beeb skimmed over. All the compromised machines were Windows boxes. Along with the "get updates" and "use a firewall" they should also have said "or use an OS that is not prone to such malicious attacks, such as Linux or OS X".
Obviously Linux and OS X are not going to protect you from phishing.
Revolting Natives :-) or Sweet and Sticky Proxy Trojans or ... ?
.... Fifth Columnists of the Sixth Estate in Seventh Heaven Manifestations/ Forward Positions? :-)
"The PrevX researcher who participated in the programme, Jacques Erasmus, is on holiday in Namibia and couldn't be reached for comment."
:-) That had me chuckling ..... and thinking how difficult it would be to find anyone Up the Jungle in Guerrilla Warfare.
"Well done BBC! ..... Fuck the desktop lawyers, we need more of this." .... By Anonymous Coward Posted Saturday 14th March 2009 10:07 GMT
Whilst it would not be my choice of words, AC, I thoroughly endorse and second the sentiments. Seems as if the BBC have found where their balls are and what their wedding tackle is really for, and what it can do for their partners and supporters, rather than for those who would think to usurp popular power and lead rather than follow public opinion and lead all by the nose to the grindstone. And not before Time, I would say, although in any sensitive, one can always expect Invisible Stealth and a Certain Protective Circumspection .... Softly softly, catchee monkey.
"Are El Reg readers the sort of gullible PC World shoppers who believe the FUD pumped out by the parasitic self-serving conmen in the AV sector?" .... By Sceptical Bastard Posted Saturday 14th March 2009 10:19 GMT
Most definitively not, Sceptical Bastard, and I presume you are a BBC Supporter, given your unambiguous retort .... Beeb-bashers FOAD. Another nail hit perfectly on the head. :-)
Shock! Horror! Afterthought!
I hope BT in the UK don't try this technique as a means to further massage its downward spiraling of bandwidth
All that matters really.......reading the posts there's a definite need for education....
>they should also have said "or use an OS that is not prone to such malicious attacks, such as Linux or OS X
Not true though is it - there are lots (and lots) of compromised linux servers. Just because the platform can be secured to a pretty high standard, doesn't mean it is.
Hostile traffic speculatively targeting our (RHEL) web servers is massive and would be successful if we were not on top of patching & security - across applications as much as OS. Much of this traffic originates from compromised Linux servers. Targeting Linux in DCs is worth the effort since they are full of powerful machines, with high traffic and on known subnets - and if they go for the unmanaged subnets, and are reasonable with demand, no one will likely notice.
OSX on the desktop has a measure of protection through obscurity - ie hacking tools are harder for muppets to use than under Windows and target machines are <1% on most ISPs....even so our Macs run additional 3rd party security and occasionally 3rd party patches partly because Apple are notoriously slow - but mostly because many of our users believe there is no malware (or maybe don't much care) and so don't worry about installing it.
Despite the obscurity, it happens - Google on the osx.iworkservices.a trojan for example - that's wild at the moment and commonly used for DDoS - and most infected OSX users have no way of knowing they've installed it.
Can I pay a criminal organization £2500 just to see if it works? NO
Do I know for sure what the money will be spent on? NO
Can I just tell the judge I was only interested in seeing if it works? NO
Can I be sure that, whilst the BBC was using this botnet, it was not being used for nefarious purposes?
The BBC should be shot for what they have done, as a "demonstration" is simply not required.
The BBC reek of death
I too at first thought it was strange that they didn't mention that you should use an OS or web browser that is not as prone to attacks as Microsoft's. Then it occurred to me that it must be the fear of legal action from Microsoft if the BBC were to suggest that its software was not as safe as other products.
If the security software, which I have purposely and consciously obtained and installed, warns me about a bot on my computer --- that's fine. That's what it's for.
If some third party trespasses on my network and PC to leave me messages, it is most certainly not fine.
I thought that was what the law was supposed to be about, but then, I am probably as naive about the law as I am about the efficacy of security software.
Anyone see the potential of some sort of hookup between the BBC and Phorm?
I have now viewed the whole program
$30/1000 rather than c$300-$400 for US/UK zombies. So c$660 total for victims as they were 3rd world countries. Not sure if Turkey would appreciate being lumped in with Vietnam. DoD or NASA penetration was indeed a straw man.
Disabled comms with all clients at the end of the exercise.
Changed wallpaper to give BBC warning.
Only 60 bots needed to shut down a web site (not sure how many servers in host however).
Nice UI and a nifty range of tools to cause whatever kind of trouble you want. I am not condoning such behaviour, just noting that the UI looked like a bit of work had gone into it.
As they are all foreigners and the abuse (to their computers) all happened abroad how liable would the BBC be? Absence of malice. Victims all abroad in mix of countries, some of which probably don't even have computer misuse laws in the first place.
Level of awareness increase. Substantial.
Actual damage done. Minimal
BBC starting to grow some back. Priceless.
The detractors are just jealous that they didn't think of it first. Well done BBC. Now if only more people actually paid attention to the fact their Windows machines are insecure pieces of junk BY DESIGN and took more steps to protect themselves.
I don't care
... whether they are convicted for this or not, as long as enforcement of the law is consistent. If a law is enforced inconsistently it should be scrapped because it has become a backdoor for tyrants.
It was illegal
This was a clear breach of the Computer Misuse Act, a fact confirmed to me by a specialist IT lawyer with whom I work.
The fact that their intentions were honourable is entirely irrelevant. Meaning well is no defence to a breach of the law (although it may mitigate the sentence). Whether such activity ought to be illegal is a separate issue. It was extremely foolish of the BBC to engage in illegal behaviour and then to broadcast it.
What if ...
>>'What if one of the compromised computers was at the Department of Defense or NASA?' <<
Indeed. And what if the BBC is actually run by lizard overlords intent on dominating the planet? And what if the person making the inane comment quoted above had to stick to the real facts of the case instead of thinking up scary fact-free hypotheses because there's not enough in the actual material in the story to get people worked up?
The basic fact is that most ISPs know damn well when a customer has an active botnetted machine because it behaves differently to your average box. They also know that many customers just don't care as long as they think their machine is working properly. 'I never put anything confidential on my computer so why should I worry?' is a very frequent response.
Since a pwned machine probably needs fdisk and a reinstall (for many users an expensive hassle - even if they do have installation disks), many a response to a report from an ISP that a comp is hacked will be for the user to change ISPs.
ISPs don't want to lose customers. Many customers don't care. Kudos to the Beeb for explaining why people SHOULD care.
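As an added example (not from any commenter on this thread), the kind of check the port-25 comment earlier and the "ISPs know because the box behaves differently" remark above are getting at: count, per source host, the distinct external hosts it opens SMTP (TCP/25) sessions to, since a desktop hands mail to one relay while a spam bot talks to dozens of unrelated mail servers. The flow records, the LAN addresses and the relay 192.168.1.10 are all constructed; the egress rules assume a Linux router with iptables.

```python
"""Spot hosts that send mail directly to the world, the way a spam bot does.

A normal desktop hands outbound mail to one relay; a spam bot opens SMTP
(TCP/25) sessions to many unrelated mail servers. Counting distinct port-25
destinations per source over flow records separates the two cases.
All addresses and records below are constructed for illustration.
"""
from collections import defaultdict

# Constructed flow records: timestamp, source, destination, destination port.
# 192.168.1.20 behaves like a spam bot; .30 and .40 behave normally.
SAMPLE_FLOWS = """\
2009-03-14T10:01:02 192.168.1.20 203.0.113.5 25
2009-03-14T10:01:03 192.168.1.20 203.0.113.17 25
2009-03-14T10:01:03 192.168.1.20 198.51.100.9 25
2009-03-14T10:01:04 192.168.1.20 198.51.100.44 25
2009-03-14T10:01:05 192.168.1.20 192.0.2.8 25
2009-03-14T10:01:05 192.168.1.20 192.0.2.61 25
2009-03-14T10:01:06 192.168.1.30 192.168.1.10 25
2009-03-14T10:01:07 192.168.1.30 203.0.113.80 443
2009-03-14T10:01:08 192.168.1.40 198.51.100.2 80
2009-03-14T10:01:09 192.168.1.30 192.168.1.10 25
"""

# Assumed local mail relay (constructed); sending to it is expected behaviour.
ALLOWED_RELAYS = frozenset({"192.168.1.10"})


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        ts, src, dst, dport = parts
        records.append((ts, src, dst, int(dport)))
    return records


def find_direct_senders(records, allowed_relays=ALLOWED_RELAYS, threshold=5):
    """Return {src: distinct SMTP destinations} for hosts at or above threshold.

    Sessions to an allowed relay are ignored, so a desktop using the
    organisation's mail server never trips the check.
    """
    dests = defaultdict(set)
    for _, src, dst, dport in records:
        if dport == 25 and dst not in allowed_relays:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def egress_rules(allowed_relays=ALLOWED_RELAYS):
    """iptables FORWARD rules implementing 'SMTP only to the relay, nothing else'.

    Returned as command strings so the policy can be reviewed before applying.
    """
    rules = [
        f"iptables -A FORWARD -p tcp --dport 25 -d {relay} -j ACCEPT"
        for relay in sorted(allowed_relays)
    ]
    rules.append("iptables -A FORWARD -p tcp --dport 25 -j REJECT --reject-with tcp-reset")
    return rules


if __name__ == "__main__":
    suspects = find_direct_senders(parse_flows(SAMPLE_FLOWS))
    for host, count in suspects.items():
        print(f"{host}: SMTP to {count} distinct hosts, bypassing the relay")
    print("\n".join(egress_rules()))
```

The threshold is deliberately low for the ten-line sample; on real flow data it should be tuned against the site's own baseline so that legitimate mail servers are put on the allow list rather than flagged.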
Some good points
Even though I still don't see a problem with the concept in principle, some good points were raised above about how it was carried out.
First of all, they paid a large sum of money to crooks for the access to the botnet. I wasn't clear about that from the initial description. That violates the no harm principle. Even though these 22000 computers were most likely compromised ahead of time, it supports and encourages the people who did it.
Second, I agree that the way they chose to inform the users was somewhat naive. Users should not be in the habit of trusting strange messages like that. On the other hand, I don't know what a better option would be, unless they could actually make the "bot" uninstall itself.
Where to start?
Car theft analogies and educating the masses? Amongst all the "blimey, great TV!" and "the Beeb did them a favour!" remarks, very few people can be bothered to see the flaws in the Beeb's masterplan.
As Simon Williams notes, it's one thing pointing out the possibility of a criminal act, quite another to be an accessory (or to give people an incentive to emulate this kind of thing), not to mention extremely condescending to actually exploit a person's possessions and then to inform them of what was done, instead of just telling them about the risks. Just because another programme is already doing this kind of thing and then saying, "at least we're not the real bad guys," doesn't make it in any way right. In fact, it's all rather reminiscent of the Brass Eye drugs episode where the parents of a girl supposedly susceptible to drug-taking fake their own deaths to teach her a lesson: juvenile and condescending (and, once again, real television emulates satire).
Apocalypse Later makes a crucial point: "Next week we will be hearing about thousands of people seeing pop-ups on their computers claiming to be from the BBC..." And this brings us to the point: the Beeb makes some sensational television, supposedly educating its audience, but the educational part gets the usual Beeb documentary brush-aside. I doubt that the Beeb are really that bothered at looking into the deeper issues, either.
Why is it that computer systems are so readily exploitable? Why should people have to immerse themselves in the tedious details of anti-virus software, firewalls, exploits, phishing attacks? If you buy any piece of non-IT equipment from a high-street retailer, there's nothing like the mountain of hidden-but-essential knowledge associated with that device that you see with IT-related stuff. Sure, there's all sorts of stuff that can go on with the telephone network, but even that can be managed in a better fashion than the pitfalls of Internet connectivity. So might we expect a grilling of the top players in the IT business about that, instead of showcasing dodgy "security" vendors whose businesses rely on the perpetuation of the insecure nature of consumer computing?
Sceptical Bastard writes, "Wake up people! Until the shameful filleting by HMG after the Gilligan affair, the Beeb was our last bastion against the tyranny of New Labour and right-wing newspaper cartels."
I think you've woken up too late to cheerlead for the BBC, Mr/Mrs/Miss Bastard. If you're taking the Beeb at face value, you're already imbibing from HMG's premier fear/hysteria-pipe.
Oh what a hoot
good old BBC, green light to anyone wishing to crack without criminal intent now.
Though isn't the law about unauthorised access to the computer systems.
No matter, I am sure they got authorisation ahead of time.
Re: I did notice one thing…
Well, yes, they would all be Windows boxes. It is, after all, the most populous (and crackable) desktop OS out there.
I noticed that they also neglected to mention the more important numbers about their DDoS attack: the number of bots alone doesn't say much. You need to know the bandwidth available to them and how much of it was being used, though I can imagine that that would confuse the clicktards :-)
I won't pretend that Linux is 100% secure. It can't be. No kernel can. Same goes for the OS built on top of it, but at least there's enough variety out there to make it harder for the (shall we say) miscreants; and the size of the user base tends to make it Not Worth The Crackers' Time. (There'll always be a few who do it “because they can”, though. And I'm not considering network infrastructure.)
(Watched it at 00:30. Curiously, immediately after I heard the words "we will never be able to talk to these computers again", the screen blanker cut in. I couldn't have timed it better if I'd tried…!)
What the Beeb did was obviously against existing law. But a court may decide that their actions were justifiable. It's illegal for me to enter your house if I walk past and the door is open. And I wouldn't - or at least, I wouldn't do it to turn off the TV you'd left on. But I might, to put out a fire - and I would hope that any court would say that I was right so to do.
So the question is: where do the BBC's actions lie on the "Left on telly/telly on fire" scale?
Having watched the program...
My g/f has asked to have her laptop wiped and replaced with Linux. Just need to find out which one her uni approves of. Way to go BBC! Sterling advert for alternative OSs!
To AC @ 17:02, the BBC did say that Windows was the most vulnerable, but they could have made the point that other OSs are more secure a bit more forcefully. It would have been funny to place a Linux box on the net and hear the discussion.
"So, this PC running 'Linux' is on the internet, without firewalls, anti-virus or anything?"
"Isn't that really dangerous?"
"It would be if it was Windows, but Linux (and OS X) are much more secure. There is still a chance of someone breaking in, but it is much harder and even if they did they will find that the OS is much tougher on what they can and cannot do."
"So you don't need firewalls or anti-virus software for Linux or OS X?"
"I wouldn't go that far, but it is much less critical than Windows. It's still a good idea to run a firewall, especially if your PC is acting like a server. Say for big games."
"And how much do Linux and OS X cost?"
"Well OS X you only get with Apples, so its price is in the cost of the new Apple. Linux can be free, or you can choose to pay for support."
"Sorry - you said 'free'"
"Yeah - lots of the big companies do a free version."
"For a totally secure OS?"
"Well, not totally but much better than Windows."
"Yes, free. As in, no money."
"So if Linux is free, why are so many people still running Windows and being infected?"
"A few reasons. 1) People just don't know about Linux, 2) People resist change, 3) Anti-competitive (some would say illegal) practices by Microsoft to force lock-in and make it much harder to change"
But I guess that may have transgressed their neutrality (i.e. MS would probably have gone to court over it).
This was completely unnecessary
BBC, we already know that botnets exist and how they work, you really didn't need to go out and give some of our licence money to some criminals and do all this. Unethical, stupid and unnecessary.
All this whining by the security industry makes me want to throw up. They have been preaching "security awareness" for years without so much as a scratch on the surface. Along comes Auntie, and in 6 months (if that's how long it took for the programme to be put together) has done more than the security industry has in God knows how many years.
The BBC probably did break the CMA, but as a previous poster indicated, that's more to do with a badly written law. I am more than happy for my licence fee to be used this way.
"...You know responding to pings and letting all packets in through all sockets by default is not just leaving your front door unlocked, its like leaving precise directions to your house posted on the walls outside every prison within 200Km of it with an invitation to drop in for tea and nibbles if Mr Ex-con is passing, along with a schedule showing when your out."
Not only should you Google "bob the angry flower apostrophe" at the earliest opportunity, but you are... let's be polite and call it "mistaken", if you think that "responding to pings" is some sort of security risk. I stopped reading at that point.
Persons known to me were approached to be involved in the programme; the phrase "wouldn't touch it with a bargepole as we enjoy having careers, rather than porridge" popped to mind, like, immediately. Believe me, if you work in the industry it's pretty important to have a good mental image of where the legal:illegal line is drawn. Plenty of promising infosec careers have gone down in flames because of a moment's thoughtless "sure what the hell, let's take a look" response to a situation like this; that's why the actual security people quoted in the Reg piece are pretty much unanimously saying "this is almost certainly breaking the law". Notice I'm not taking a position on whether it was a right or wrong thing to do, morally. (That's not my department, said Wernher von Braun.) However, if there's some sort of unwritten public interest law that enables the BBC to do this sort of thing then can we see it tested in court, please? 'Cos otherwise we're going to see a lot of kiddies trying it out as a defence when they get nicked.
Note: I loathe and despise the Daily Mail, and this is not some sort of "bash the Beeb" agenda (although there are plenty of things I like to moan about, like Newsnight being on BBC 2 at 10:30 rather than 9pm on BBC 1, the complete dearth of anyone who's not embarrassed to appear knowledgeable about science, technology or engineering (oh god, please shoot me before I have to writhe through another John Humphrys interview... "so, this, this - ``computer'' thingy -- you just sort of, like, make them work, right?"). I'd love it if they swapped all the arts grad presenters out for some people with actual clue about stuff that matters, who then say stuff like "so, tell me about this ''house of commons'' thingy, it sounds terribly exciting" when interviewing a party leader... </rant>
@thad, AC@20:25, @David
"If the security software, which I have purposely and consciously obtained and installed, warns me about a bot on my computer --- that's fine. That's what it's for"
Which suggests you are not a member of the group of people causing the problem this programme addresses.
This was a show for the people who don't have "Security" software on their PC, didn't know they needed it and did not know what *can* happen if they don't have it.
"it's all rather reminiscent of the Brass Eye drugs episode"
Er,no. Brass Eye satirised the *media* obsession with this, not the problem itself.
Getting celebrities to voice over complete b*((*cks proving that they knew as little about the subject as some guy in the street was particularly amusing. IIRC Only Desmond Morris told them they were talking s*(t (Depressed elephant commits suicide by inserting trunk in rear and suffocating).
"Sure, there's all sorts of stuff that can go on with the telephone network, but even that can be managed in a better fashion than the pitfalls of Internet connectivity. "
2 words. Communication & evolution
A telephone is *only* useful in a network. From day 1 inter-operability had to happen. The GPO was formed to effectively nationalise competing but incompatible UK phone networks.
This need for absolute inter-connection from exchange to exchange anywhere on the globe was handled by global authorities setting global standards for all levels of the process with long pay back periods on plant (GPO was 40 years, not sure what it is now) and corresponding rigorous change management on the software.
BTW Microsoft Exchange was originally named for the plan to use NT to drive company switchboards. 1 problem. Comms managers do not expect to re-boot their PBX. Ever. You don't hear much about this side of Microsoft's business these days.
The downside: it's a lowest common denominator network. Only speech is guaranteed to work everywhere end to end.
Computers of all sorts can (could) have useful lives with no connection to anywhere else. Talking to another site was rather avant garde to begin with. Before you could say supplier lock in all hardware at both ends of a line (any line) had to come from the same mfg.
These closed systems often only got opened through a lawsuit. The need to get these different servers to allow access to data from other servers and the resulting free market drove TCP/IP development.
"Why is it that computer systems are so readily exploitable? "
They're not, provided you don't connect them to a network and don't transfer data to them with infectable media. You create work and print it off or transfer it to disposable, never re-connected media.
Like having a car without a license. You can drive it around your property but you cannot go anywhere.
But you want convenience as well. Then you need to carry out elementary precautions which have become easier over time, and in later versions are on by default.
But let's be honest, some cars have way better crash safety and break-in security than others.
Oh look, Windows is pre installed.
Nothing for me to worry about.
Bright shiny thing. Pretty.
Computers have quite substantial abilities. If you don't realise their power that's because someone has worked hard for you to harness it. It does not mean it cannot cause you harm.
"we already know that botnets exist and how they work"
You may. The large majority of the GBP do not. It never begins to cross their minds that at least some of the spam in their personal email in-box *might* have come from *their* own computer, and I dunno, maybe they're like, *responsible* for doing something about it.
Ignorance is curable. Stupidity is forever.
Scared Security Companies?
Hasn't all this BBC bashing taken the spotlight of the security companies and anti-virus publishers?
If I had paid for virus protection/a firewall program and then got a desktop background saying that the beeb had been in, my first thought would be, well what am I paying good money for these programs for?
By jumping on the BBC are they hiding the fact they haven't put enough into preventing this happening in the first place?
I am well aware that not all the 22,000 computers will have been running an active firewall or anti-virus, but surely some will have. I applaud the BBC for what they have done; whilst it may break some domestic laws, and maybe some international laws as well, they have rid the internet of 22,000 zombie boxes and highlighted the need for a bit more savvy internet usage!
Just my 2p..
I'm sure the problem can't be...
I'm sure it's not just a matter of someone fixing 22,000 PCs and the security guys not getting money out of it.
I'm also sure it can't be that security guys' wealth relies on the existence of bots. Nah, can't be. I'm sure. They couldn't be that cynical. Or could they?
Thank you for taking the time to police my missing apostrophe. I normally run my Word Processor's "spellcheck" function over my submissions but this time I missed one. Mea culpa.
I trust the previous sentence met your parsing standards and you are still with me.
I have also read "Bob the Angry Flower." What an angry little flower he is.
The American fondness for using "mode" and "task" as verbs must have you frothing at the mouth.
I'm sorry you could not do me the courtesy of reading the rest of my post but I'll try and finish yours.
"if you think that "responding to ping's" "
If I'm mistaken please explain. It's always interesting to listen to professionals. I'm more an interested by-stander where computer security is concerned. My time and experience are limited. I try to keep it simple.
On a corporate network linked to multiple internal servers no doubt there are all sorts of information request packets flying about. Perhaps that is your environment.
It is not mine. I do not serve any web pages from this machine, or any other kind of web service. It does not have a mail client on it. There is no remote support contract covering it.
So why would anyone legitimately be trying to find out if this IP address is in use?
Your Para 2 does not need comment but I would be interested if your friends have any idea how many actual prosecutions have occurred under the Computer Misuse Act. I have 126 for 1990-2006, but perhaps they are more up to date.
Para 3. John Humphries may or may not know what they are talking about but part of this is trying to appeal to Mr & Mrs Average Licensepayer.
However you might like to look up Taylor Mali's poem "Like Lilly Like Wilson" on YouTube for the idea of bad speaking habits leading to bad thinking habits. I think we can agree on that.
Ignorance of Science and Maths is not only acceptable in the UK, it is almost applauded.
Who needs a science degree? You look good in a suit, enunciate clearly, cultivate the right friends and do exactly what your party tells you. £60k a year, mortgage benefits and extremely MP-friendly expense claim arrangements are just around the corner.
Good luck with changing that attitude. It may take a while.
On a side note and not to be pedantic, but it's "knowledgeable," not knowledgable.
I always try to respond to anyone who specifically replies to me as quickly as possible given the other calls on my time.
" You need to know the bandwidth available to them and how much of it was being
IIRC the program said all bots were on broadband connections. No idea what the usual level of broadband in Vietnam is however. They also said the spam rate on each bot was fairly low so users would not see a radical slow down.
An alternate question on the DDOS might be what is the bandwidth of the pipe into Prevx's (backup) web site and how does that compare with some of the major names.
why pay criminals?
Exactly why did the BBC feel the need to pay for a real botnet, when the creation of one as a test would have served just as well and been an example of the ease of creation?
I'm looking forward to the next BBC documentary on Drink Driving, where a researcher gets pissed and weaves dangerously through the streets.
@David - You reckon?
"BBC, we already know that botnets exist and how they work, you really didn't need to go out and give some of our licence money to some criminals and do all this."
You ask most of your relatives who don't work in the computer industry about botnets and see how much they know about them.
"Er,no. Brass Eye satirised the *media* obsession with this, not the problem itself."
Let's re-read what I wrote, shall we? Or perhaps read it for the first time in your case...
"In fact, it's all rather reminiscent of the Brass Eye drugs episode where the parents of a girl supposedly susceptible to drug-taking fake their own deaths to teach her a lesson: juvenile and condescending (and, once again, real television emulates satire)."
This was nothing to do with "Getting celebrities to voice over complete b*((*cks", or "bollocks" for those people not oversensitive about their language. The satire was about the way in which people, in order to "bring attention" to a problem and to prevent bad things from happening, actually cause more harm than the most likely outcome had they not bothered. Of course, the material was meant as an exaggeration of what people do in real life - that's what satire is all about - even though Chris Morris then dabbled with lobbying members of parliament.
Whether it's the media or whether it's special interest groups (courted by the media) who behave in the way described is peripheral to this discussion. The producers of a BBC documentary paid hard cash to take over a botnet, interfered with people's computers and then said, "So that's what a botnet is, everyone." The shoe fits, somehow.
armed robbery or child porn?
Dear BBC, I am not sure how armed robberies happen or how child porn rings work - please could you demonstrate these? Ideally you'll carry out a big heist on a large bank with gold rather than notes, as those seem to be the bigger events that I don't know about, and you'll set up and run a multi-terabyte porn server using encrypted channels and transfer/watch lots of illegal material.
All of this should be recorded in Hi-Def because that would make better court evidence after you've broken a few more laws in this country.
You'll have to bear with me as I saw Brass Eye some time ago so I'm going from memory.
Brass Eye's targets were threefold. Uncritical media outlets who will whip anything into a moral panic. The pressure and special interest groups who will take advantage of that uncritical attitude to turn a storm in a teacup into a tornado, and the well-meaning (but let's say suggestible) members of the public who over-react, sometimes hysterically.
Their method was to concoct a (just barely) plausible story about something similar to some story currently obsessing some parts of the media. The issue would have been unmasked as bogus by a few minutes' checking by a mildly interested hack. This would come from some non-existent charity or pressure group, which a few more minutes' checking would have also revealed as nonsense.
Backing this up were the celebrity endorsements. Here the point was the "Halo" effect. X is trustworthy, they say it is so, so it must be. The point here is that part of the value of such people is that the general public trust them. Their point was it was staggeringly easy to get people to endorse their rubbish with almost no one saying "Hold on, this is rubbish."
This is the part I remember most fondly and which I mentioned. All done against a backdrop of loud intrusive music and impressive, but basically meaningless graphics.
This was usually followed up by supposed members of the general public who were reacting to the "Threat" in a fairly excessive fashion. The interviews IIRC were typically conducted in a fairly condescending fashion as befitted someone interviewing someone whose moral panic they had actually caused while they themselves can't understand what the fuss is about.
I would suggest there is no existing moral panic in the mainstream media on spam. No pressure group making outrageous claims about its harm and no celebrities acting as media spokespersons about it.
So no I don't see the similarity to Brass Eye.
Highly vocal pressure group. No.
Vocal pressure group inflaming situation. No
Over reacting members of the general public. No
Click's presentation was low key and stated it was not that easy to get control of a botnet in the first place. When done they informed all victims of what had happened and what to do about it and disabled any further control of the bots. The common ground with Brass Eye and Chris Morris in particular would be the hope that people are a bit less trusting and a bit more critical.
Could it have been done without a live demo? Once again, for the *target* audience I don't think so. I'm with Eugene Goodrich (earlier post) for exactly those reasons. Unless you told them it was real but used a simulation. That's lying to the audience. It fails as soon as it becomes known, as the next thing you tell them will be met with "Well they faked it last time so why should we believe them this time."
"producers of a BBC documentary paid hard cash to take over a botnet."
Ever noticed the title "Fixer" on BBC documentaries in foreign and often violent countries? They help get interviews and help the film crew avoid trouble with the local "authorities," who might be just a bunch of guys with automatic weapons. Sometimes smiling politely does not work.
Time for Mr Green to make an appearance. America may be hated widely but there's one product of their economy which is welcome nearly everywhere.
Any sort of rogue trader / watchdog type programme has probably made initial payments to crooked tradesmen, often with criminal records.
This must come as quite a shock to you.
As for the amount. $660 US is (at tonight's closing exchange rate) £458.33. Not quite enough for a round trip to the US to do some filming but likely adequate to order a murder in somewhere like Pakistan or Afghanistan. Or 0.002291% of what Jonathan Ross was trousering prior to his little "vocal malfunction."
I'm no Media studies student, but I am a student of the media.
NB. I'm sure most people here (including our moderator) can cope with bad language. However it's a presumption which can be inaccurate. I grew up reading Mad magazine, which itself was the product of an early moral panic about comics in the 1950s, when they were "Corrupting youth." I am cautious about anything that might be read by at least half a dozen total strangers, which would include anything on a bulletin board or email system. And I still had a complaint about a misplaced apostrophe.