BBC Click has admitted paying cybercrooks thousands of dollars to buy access to a botnet as part of a controversial cybercrime investigation, broadcast over the weekend. In a website story accompanying the heavily-promoted report, BBC Click reporter Spencer Kelly explains how licence fee payers' money was used to buy access to …
Prison time for regular citizens
The point is though that if you or I or almost any other citizen performed this exercise with the exact same motives and the exact same outcomes we could be facing real prison time! So whilst morally the BBC were probably in the right here the fact that they're legally in the wrong is very important and not something that should be swept under the carpet so lightly!
@ Giles Jones
"Would the BBC set off a bomb to expose the tactics of terrorists?"
Aaah yes the thoughtful, considered, use of analogy :-)
Drink Cyanide ~ to expose the tactics of ~ Poisoners.
Commit the crime to educate about it?
"For fuck's sake, if this educated one non-technical viewer about the realities of botnets then it was worth doing."
Maybe next week the BBC can do a show about people kicking the crap out of homeless people for fun... or how about a show on gun safety ;)
For the money they spent they could have setup an isolated network and run the same demo without giving money to crooks or using other peoples computers without permission.
Methinks el reg doth be protesting too much :)
Stop your incessant whining. These numpties whose machines had been subjugated in order to infect/affect others will have switched on to a screen telling them they've got a machine full of crap. This will, hopefully, have educated them to the dangers of what they were doing (lack of patched system, bad downloading and installing, etc etc) and if they've any sense they will get their shit sorted out. Same goes for those ordinary users that watched the program.
I think far more good will have come out of this than the outlay of a couple of k of license payer funds - if you're pissed at that then you should definitely be confronting them about how much that twat Ross gets paid.
There's far more shit produced and far more money wasted than this, an informative program for once, at the BBC.
For those of us OUTSIDE of the mother country ...
... you can watch the episode here: http://www.bbcworldnews.com/Pages/ProgrammeMultiFeature.aspx?id=18 or on BBC World (or whatever the hell they call it now).
"the most interesting thing they have ever done on Click"
Assuming it's interesting then it's the only interesting thing they've ever done on that sorry excuse for a program.
I watched Click from the start, and for a long time, and was often moved to send e-mails complaining about the latest inaccuracy that they paraded. Not that I ever got an answer back. (Aside: I did get an answer back from 5Live once which at least was something.)
Eventually I got so disgusted with this program that I swore I'd never watch it again. The only time I see it at all is if I'm channel hopping and it happens to be on. I generally carry on hopping PDQ. This wkend I fortuitously (or not) caught the last couple of minutes of the bot item.
Should have carried on hopping.
@Re: Re: Storn in a tea cup!
Try getting yourself out into the real world for a while and look at other hardware and OSes. IBM's mainframe systems are a damn sight more secure than anything else I've ever come across in the 30+ years I've been at this. Why? Because they work at it and they've had teams of people working on this for decades. They take security reports very, very seriously.
The obvious retort to this is that they can do this because they control the hardware. So what? The x86 platform is well known so that's no excuse.
Whilst people who only know MS OSes may say "no OS can be bug-free", those of us who have seen more than this (from ICL, thru' DEC/VAX/Pr1me to IBM and then the PCs) know that you can be a damn sight better than MS' offerings.
In short, there really is no excuse for shoddy OSes these days.
Well done Click
As a result of the programmes actions, I bet a ot of people will be taking a harder look at their computer security, and that can hardly be bad thing. Discussions that are normally confined to tech or security sites are now happening in exactly those places frequented by those most likely to run unpatched, vulnerable systems.
It may well be unethical, morally dubious and even illegal, but I think under these limited circumstances it is justified. Were it to become routine for computer security forms to do something similar I think it would pass well into the region of unacceptable; a legal get out for commercial organisations in the security industry has too much potential for abuse.
A good thing
It's all in the name of investigative journalism. We see numerous stories of journos testing lapses in airport/rail security (for instance planting a fake bomb - http://www.guardian.co.uk/media/2007/jul/24/pressandpublishing.mirror )
The BBC paid a hacker who infects pcs with viruses for money. Paying people for illegal activities tends to encourage them. They're on the wrong side.
On the other hand, the fact that these smug bastards get my license fee is the thing I really have a problem with. The amount of money seems to have been negligible (about 3 license fees? that's not going far to bribe a russian policeman)
Can watch this on iPlayer outside the UK too
" Those in the UK can catch up with the show through iPlayer, via the BBC Click site here."
Works outside the UK as well, probably because they also show it on the international BBC World channel (and had done before the UK broadcast).
It should not be possible to use a defence of public interest against a crime. While claims of public interest may be used to abrogate or lessen a *sentence*, the alleged crime should still be investigated and, if there is sufficient evidence, prosecuted.
Therefore I believe that, if there is evidence that the BBC contravened the CMA, they *should* be prosecuted. It will then be up to judge and jury to decide if they are, in fact, guilty. This will set a precedent for future cases and act as a guideline for other journalists considering similar acts.
I actually believe the BBC had some justification in this act, but if it is not tested in a court I am concerned that it will weaken the protection afforded by the CMA, effectively making it legal to be a bot-herder and sell / hire your botnet to others.
The alternative is for the CMA itself to be amended by Parliament to clarify / close this 'loophole'. IMHO, given the Government's track record on IT legislation and their proclivity for sneaking in authoritarian clauses, we *really* don't want that.
"They've directly funded criminal activity WITH MY MONEY"
In other news, police pay licence holders to supply alcohol to under-age kids:-
It was illegal, this is not in question.
However, compare this with how Daniel Cuthbert was treated when he tested two non existent URLs and got done under the computer misue act, probably spoilt goods now and has a wrecked career;
If Daniels treatment was appropriate, why isn't aunty beeb being nailed to the wall for this?
Simple, the law is not understood nor applied evenly, because it's a bag of shite and tries to shoehorn traditional laws such as "break and entering" and "theft" into the virtural environment, with no practical way of applying them, a complete overhall is required.
sounds like an interesting program.. can i see it online?
NO I FUCKING CANT..... I'M RUNNING LINUX....
least i dont pay a licence fee......fnaar fnaar..
As a matter of interest...
..given the preponderance of pro-Beeb comments coming from "anonymous coward" Might el reg reveal how many "anonymous cowards" where posting from within the Beeb IP range... After all, they may be at a loose end after cbeebees has stopped showing on the Trust's boardroom monitor.
I won't get my coat , i already have it on
Panick stricken users?
Apart from the dubious legality of its actions, the BBC have made the assumption that users will know what to do when confronted with that screensaver. Over the last few years, there has been a wealth of bogus infection messages (usually associated with rogue security programs) popping up on people's machines, and scaring the heck out of these users. Some of these users buy the rogue software, some realise its a scam and get antispyware software, and others may panic and re-install windows immediately. How much personal data loss may the BBC have caused by doing this. And furthermore, criminals may now decide to masquerade as the BBC and using similar popups / screensavers / phishing emails to tell the person they are infected, and must "click here" to get the latest solution to fixing the problem. There is a reason that security vendors are very careful about how much detail they publish. Publish too much, and you not only give ideas to the malware writers, but you also give them fuel for social networking attacks. The bigger you are, and the more press you get, the more "legitimate" your BBC virus warning email / pop-up will seem.
BBC, you did NOT need to do this to prove anything. All you had to do was contact a security vendor who could, for example, set up a demonstration for you on computers installed specifically for that demonstration. You have not only provided cash to further the illegal activities of these criminals, but given the fact there will probably be no legal repercussions from this, in my opinion you have now given other media organisations the idea that this is totally ok to do (as long as you have "honerable" intentions).
Well they better not break into my house to show me that it can be burgled.
If they do i will record and demonstrate the uk law on interpretation of householders right to use whatever force they see fit to remove them.
And they did break the law, the computer misuse act. There isnt a clause about "intent" so they cannot hide and say "we didnt break the law as we had no criminal intent" but thats typical of the bbc and it was YOUR money they used btw - we pay the license.