Dear WinTard user...
So how many of the 22,000 hijacked machines were running OS X?
No further questions ;)
An investigation by the BBC into cybercrime may itself have broken UK computer crime law. BBC Click got its hands on a botnet of 22,000 compromised PCs from an underground forum. It used these machines to send spam to two accounts it had established with Gmail and Hotmail. The programme also used these zombie machines to show …
"Even if it was done with the best intentions and in the public interest, that is unauthorised modification of a computer and an offence under the Computer Misuse Act,"
What's even more offensive is not prosecuting the company that supplied the OS that was so easily compromised in the botnet attack. Now what was the name again? I notice how it was never mentioned in the original article.
"These are not attacking any kind of vulnerability in the computer .. They are attacking the vulnerability of people's brains"
"We were just seeing how easy it is to do" ...
Similar to that McKinnon bloke's defence imo, he was just looking......
Dodgy corporation thinking that the laws don't apply to them as per usual, even though they actually helped the infected users by advising them how easy they were to infect.... The fact remains that they illegally took control of those machines.... and if the owners of said machines have unpatched/unprotected machines in the first place, the chances are that they won't know/care about patching them now...
The only way to prevent machines being incorporated into botnets would be for a law to be passed where ISPs detect if machines are fit to be used on the Internet, patched, secure etc. and block them if they aren't.... similar to an M.O.T. that automobiles have to pass.
Paris 'cos she loves to be serviced !
The BBC contravene the computer misuse law in the name of education and seemingly walk away scot-free.
Forgive me if I'm mistaken but I remember similar instances whereby 'joe bloggs' has attempted similar feats in the name of education for the common good which resulted in jail time.
... the law is an ass!
Such action is probably the only way to make some people aware that their PCs have been compromised. It's certainly the most efficient, and ISPs should be encouraged to take similar action, or at least notify their customers, when they detect suspicious activity on their networks.
Do we know where the compromised PCs are based in the world?
What if some of those botnet computers were in the US military? The Pentagon? NASA?
Will the USA try and extradite the BBC's Spencer Kelly just like Gary McKinnon?
I'm running a poll on my blog if anyone wants to give their opinion on whether the Beeb were justified or not in what they did.
Graham Cluley, Sophos
Is it still flavour of the month to bash the BBC?? I can't think of a better company that could get the message out and highlight the problem, which ultimately is a benefit to everyone.
As for lawyers, it's like asking a gardener if your lawn needs cutting...... the answer will always be yes, cheque is fine....
Maybe there should be an international taskforce that collects botnets, disables them and alerts the user.
" 'The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam,' said Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons. 'It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer.' "
If SPAM is defined as "Unsolicited email of a commercial nature" (and I am reasonably certain that it is [meat-like products notwithstanding]) then you cannot, by definition, SPAM yourself. Because then it isn't unsolicited.
The unauthorized access to a computer bit is still valid though.
Great, so now a hacker can get into people's computers, put a screensaver on saying "this is the BBC, you need to install some software to fix this", cue download more malware. This is exactly the kind of thing we are told not to trust, 'your bank will never ask for your password' etc. You would think the BBC wouldn't hack into your computer!
They will get off scot-free but they deserve a massive fine for this, what were they thinking????
Again and again in these forums, and I'm thinking of the ones that relate to botnets and spam and viruses, commenters are arguing over the rights and wrongs of using a 'good' virus or some other technique to expose users' vulnerability to hijacking and prompting them to fix it.
Now someone has actually gone and done that and you're all jumping up and down, shouting 'It's wrong! It's wrong!' Make your chuffing minds up, peeps. What is it you actually want?
A spam reduced world or the one that we've got where we all sit around bitchin about how botnets and spam are the incarnation of Satan but actually doing fuck all to fix anything more than our own spam filters?
Personally, I think the BBC have probably done us a service by, hopefully, reducing by a few thousand the number of machines capable of spewing out the shit that we all have to filter from our inboxes 24/7.
Yes, it was probably illegal. But FFS surely that has to be weighed against the positive end result.
IMHO I don't think they went far enough by half.
I'm still bemused knowing that thousands of folk out there don't even notice that their computer runs like a 20 year old one legged dog, with slow to useless web speeds and busy hard drives that's sending out spam every day?
Do these tards not know what a smooth uninfected PC should be like?
"Oh I thought that was normal" "What's task manager?"
Aims Anti Webtard rifle
I'll vote for a licence to use a computer any day, whenever if ever a petition arises.
Now forgive me if I'm wrong and feel free to persecute me if I'm being bloody stupid, but the headline:
"BBC team exposes cyber crime risk "
does lend itself to intimating that this is something the beeb has uncovered. Now I can accept the argument that the BBC news website is read by a large audience which is not particularly knowledgeable about botnets and so an article is newsworthy on the website, however, compounding a lack of research into cybercrime law with sending oneself up for 'exposing' something that has been well known to be in existence is very shoddy journalism.
Even the simplest of investigations would show how well known this is and also would show how easy it is to gain access to a 'botherd' without having to then very probably break the law in doing so. The argument that it was in the public interest is particularly weak here as I cannot see how they can demonstrate that they needed to perform a mass email send.
My own opinions of BBC technology reporting aside, I think that if Daniel Cuthbert can be prosecuted for his "offence" then the Click team should be worried. At least he wasn't trying to grandstand! It would be nice if the BBC could articulate just how they decided this was a wise thing to do, even if it was a good thing to make the masses more aware.
Bill - because most of this is his fault.
Well, if the BBC acted unlawfully it shows how useful this law is. If it doesn't stop the public broadcaster it's not exactly going to stop someone whose motives are less wholesome.
If your system has been compromised, the fact that it's against the law isn't going to help. It's like the hunt master reassuring the police that he will say "Stop" when the hounds have picked up a scent.
Well as far as I'm concerned if the BBC had altered the machines so that they were taken offline then I would have been applauding the action.
Often machines that have been participating in botnets have been doing so for far too long and need to be shut down, updated and fixed, and then regularly updated and maintained from that point onwards instead of becoming spam generation machines.
Can I use that as an excuse next time I'm found in a stranger's house in the middle of the night?
"It's not illegal, your front door was open because you basically gave your keys to a stranger down the pub. So I've just come in to walk around and see what your house looks like, oh, and I might have used your computer to send a few emails, but I've not done anything really illegal like actually steal anything"
There really are some fuckwits at the BBC. I don't actually think it's illegal to leave your computer unpatched so it can be hijacked; it IS illegal to access those computers without permission and use them in a covert way.
"What's even more offensive is not prosecuting the company that supplied the OS that was so easily compromised in the botnet attack. Now what was the name again, I notice how it was never mentioned in the original article."
If you think non-Windows OSs can't be compromised by stupid users running dodgy programs, you're asleep, and aren't paying attention to your security mailing lists, and I hope to God you aren't responsible for computer security in your job.
"The BBC contravene the computer misuse law in the name of education and seemingly walk away scot-free."
I'm not trying to say they _won't_ get away with it, but that news story was posted at 5am, 9 hours ago. It's hardly a huge miscarriage of justice that there hasn't been evidence collected and a decision to prosecute made at this stage, is it?
I found this story on The Register having already tried to make a complaint to the Met about the BBC. Because I am not a victim I am unable to, they will not take a complaint.
I will be making a complaint to the Press Complaints Commission too.
My main beef with this is that the BBC are making this outrageous claim that because there was no criminal intent it is legal.
You've got potentially loads of script kiddies out there who may well want to do nothing more than spam their friends who may well now believe their acts are legal and may well end up prosecuted for doing something the BBC has told them is legal.
"You are using the letter of the law to defeat the spirit of the law"
What they did probably removed a huge amount of computers from that botnet. Yes, the BBC had control of these machines, and could have done massive amounts of damage - but considering how easily the BBC got access to this botnet, surely you'd be happy to see it removed from the internet rather than still out there waiting for letters to filter through ISPs' crappy legal depts and then slowly out to the users in all those different countries?
If they had gone onto peoples computers, hunted for illegal material and then posted that information to law enforcement agencies - yes that would've gone too far - but they didn't. They acted IN the public interest, FOR the public good.
Seriously, get over yourselves, stop lapping up the Wackie Jackie hype and realise that there are exceptions to the rules and discretion should be used in some situations.
Best intentions or not - you do not break into someone's house and steal all their stuff to show it was possible and with "the best intentions".. Bandwidth was used here that will never be gotten back and perhaps people's computers crashed when the DDoS attack took place. Maybe someone had an important message set as their screensaver like "Must remember to take my pills at 2.30pm to avoid dying a painful death" and whilst their bandwidth was being throttled they could have been stopped from doing anything, ranging from having a wank to an important business conference.
And..... For future cases, if they are not prosecuted OR if they are prosecuted and the charges dismissed by "Experts", then how does this fare for future cases?
"In the case of the BBC it was argued that a denial of service attack or changing of screensaver did no harm to the computer and does not qualify as illegally modifying a computer's contents"
"The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam," said Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons. "It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer."
If the emails sent were by the BBC to their own accounts, on what grounds are they 'spam' - surely that refers only to unsolicited emails?
That said, those responsible at the BBC seem very naïve if they think that what they did was in any way legal, or indeed ethical.
Hopefully the shouty lawyer types will see this as a form of "ethical hacking" rather than a black & white Computer Misuse issue. Consider if the BBC had gone down the ISP info route:
1 - spend time tracking down names and contact details for each and every ISP involved
2 - ISPs then have to look-up who was using the IP at the time
3 - Letters get written (maybe) along the lines of "Dear Mr Smith. This is your friendly ISP warning you that you need to update your Windows XP security settings.... etc."
4 - I suspect Mr Smith will get as far as "ISP" before adding the letter to the other 21,999 in the paper recycling bins around the UK.
5 - 22,000 compromisable PCs will remain compromisable.
6 - Just maybe a small percentage of people will take the letter to their PC and follow the instructions.
At least this way the BBC threw a bloody great bitmap in front of the users, with a URL containing instructions on how to fix the problem. How many are going to ignore that after a few days?
An ethical approach would have notified the users immediately, and reported the botnet operator to the police.
BBC did not notify users first, did not ask for consent to use the resources of their computers, and exploited those machines regardless.
CMA is a criminal offence.
In other news, BBC launches its own version of 'Who Wants to be a Millionaire'. Contestants are given a balaclava and handgun, and get 10 minutes to steal as much cash as possible from a high street bank (all money returned, banks advised about security measures etc etc)
Is there a wallet in this coat?
It's also probably an example where the only valid kind of test is an in-the-wild test. And an in-the-wild test will have to involve a degree of blindness (preferably double-blindness) or the test becomes biased. How would the BBC be able to perform a test like this unbiased and not break the law?
As the BBC pointed out (well, they didn't mention Linux), you need to update your software.
See how many security fixes have been released for Mac and Linux.... oh look, there are some, best ignore them and pretend it doesn't happen coz Dave down the park told me so, so it must be true.
I don't give a flying f**k which software is the best, I left the playground a long time ago.
You my friends are the stupid sort of f**kwits that this article is trying to enlighten.
NO OS IS 100% secure. Get over it and keep updated.
I only installed that key logging software to survey how many people were using strong passwords and educate them if they weren't.... honestly!
If there isn't at the very least a criminal investigation into what the BBC did then that in itself will be criminal. I am also exceedingly Pro-BBC under normal circumstances too for the record.
Its time the ISPs and AV companies took direct action against these botnets by at the very least keeping them off the Internet until they clean up their act. This is the way the Internet has to police itself, does anyone really expect national governments or police forces to be able to do anything about this? Of course not, don't be stupid. Those dullards who let themselves be compromised need some tough love, instead of this precious pontificating. The BBC is to be commended for at least daring to do something positive - unlike the bloody US lawyers who defend the spam bandits for example!
We need direct action now against the spammers, hackers and fraudsters that are blighting the internet.
>> BBC Click claimed that "If the exercise had been done with criminal intent it would be breaking the law".
They intentionally broke the law, but it is okay because they didn't intend to break the law, therefore no law was broken. Sounds a lot like mind over matter. Are they able to bend laws with the power of their minds? Simply by thinking strongly enough, they can make the illegal legal. It all makes my brain hurt. Although, I don't suppose they invented the idea; it's not that different from the filesharing freetard* mantra.
*BTW I hate that word
Ok, I'm on the fence about one issue - alerting the user... It's in their interest!
BUT using those machines to DDoS a site (no matter which) and to send mail (no matter where) was clearly NOT in the INTEREST of the computer OWNER.
This is definitely a breach of the Misuse Act... There is no way of painting that...