Security

BBC Hijacks 22,000 PCs In Botnet Demonstration

An anonymous reader writes "'[The BBC] managed to acquire its own low-value botnet — the name given to a network of hijacked computers — after visiting chatrooms on the internet. The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals.' The BBC performed a controlled DDoS attack, 'then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.'"

  • It gets better (Score:5, Insightful)

    by blowdart ( 31458 ) on Thursday March 12, 2009 @10:31AM (#27166573) Homepage

    Controlling machines without permission? Against the computer misuse act.

    They used the botnet to spam two email accounts, one at gmail and one at hotmail. That's against the computer misuse act.

    And they changed the wallpaper on the machines on the botnet. Against the computer misuse act.

    Their "justification" doesn't fly; not having criminal intent is not a defence against the law.

  • by RingDev ( 879105 ) on Thursday March 12, 2009 @10:34AM (#27166639) Homepage Journal

    If this exercise had been done with criminal intent it would be breaking the law.

    So if I install software on your machine that you paid for, consume the bandwidth that you are paying for, burn extra electricity that is paid for by you, all without ever even letting you know about it, so long as I'm doing it for finding a cure for cancer, it's perfectly legal?

    What if I use that bot net to distribute the load of rendering animated gaping anal gay midget porn movies? It's not a crime to render animated gaping anal gay midget porn movies, so I have no criminal intent, so it must be legal, right?

    -Rick

  • by mmell ( 832646 ) on Thursday March 12, 2009 @10:36AM (#27166659)
    I've been on the bad side of this one - a lack of criminal intent does not mitigate or extenuate criminal action. Their guilt is quite plain (having been admitted, even published by the BBC itself). Now, their lack of criminal intent does have a bearing on sentencing. Inasmuch as the BBC did not wilfully cause damage or fiscal loss to anybody (except, potentially, themselves?), the sentence should be something on the light side, perhaps even suspended; but the matter of their guilt is simple black-letter law.
  • by unsupported ( 230678 ) on Thursday March 12, 2009 @10:38AM (#27166691)

    This is both highly illegal and unethical. Illegal in that they accessed the PCs without the owners' permission, they sent spam, and changed the settings on the computer.

    Unethical even if their motive was not to do criminal intent.

    It is like creating a "white worm" to patch servers from an unpatched vulnerability.

  • armchair lawyers (Score:2, Insightful)

    by Anonymous Coward on Thursday March 12, 2009 @10:40AM (#27166713)
    Ah, time to bring out the armchair lawyers. Never mind that the BBC has its own legal team that reviewed this activity before it happened. I'm sure all of you know better. Especially all you Americans who are well-versed in British law.
  • by PhilHibbs ( 4537 ) <snarks@gmail.com> on Thursday March 12, 2009 @10:45AM (#27166819) Journal

    No, it's more like if your door is already busted wide open and burglars are coming in and out, and a reporter wanders in.

  • by unlametheweak ( 1102159 ) on Thursday March 12, 2009 @10:46AM (#27166835)

    Regardless of intent it is illegal.

    Isn't the BBC "owned" by the government of Britain ("a quasi-autonomous statutory corporation as a public service broadcaster and is run by the BBC Trust; it is, per its charter, supposed to "be free from both political and commercial influence and answer only to its viewers and listeners", Ref: http://en.wikipedia.org/wiki/Bbc [wikipedia.org])? If so it would appear that they are immune from the law because, as contemporary history demonstrates, "intent", when the government is involved is never criminal in nature, but rather for the good of mankind.

  • Re:It gets better (Score:5, Insightful)

    by PhilHibbs ( 4537 ) <snarks@gmail.com> on Thursday March 12, 2009 @10:49AM (#27166875) Journal

    Controlling machines without permission? Against the computer misuse act.

    Correct.

    They used the botnet to spam two email accounts, one at gmail and one at hotmail. That's against the computer misuse act.

    Not if it's their own hotmail and gmail accounts or if they have permission, I can spam myself if I want to, and you could spam me as well if I gave you permission.

    Their "justification" doesn't fly; not having criminal intent is not a defence against the law.

    Journalists have a high degree of freedom in this respect, there are plenty of cases of journalists smuggling guns past airport or other border security as a demonstration.

  • by Reality Master 201 ( 578873 ) on Thursday March 12, 2009 @10:50AM (#27166903) Journal

    Everyone's going on about how it's actually illegal and the intent doesn't matter (I don't know either way - it is Britain and maybe things work differently there).

    What about the fact that some guys from the BBC were able to gain control of 20k infected machines on the web just for the purposes of doing a story? To me, the implications of that are far worse than any possible criminality.

  • by dazedNconfuzed ( 154242 ) on Thursday March 12, 2009 @10:51AM (#27166913)

    You SURE only British law applies? As noted in another post, when you start hijacking 22,000 computers on the Internet, most likely SOME of those will be in the USA (or other countries where such activity IS illegal). You sure those BBC lawyers know enough about technology to be sure that the activity was limited to British computers, and this did not actually risk becoming an international incident?

  • Re:It gets better (Score:5, Insightful)

    by Spatial ( 1235392 ) on Thursday March 12, 2009 @10:54AM (#27166973)
    I'd be more interested in hearing about whether you think it was the right thing to do or not, instead of shouting "You broke the rules!" like a child in a schoolyard. If they didn't do any harm it isn't very important that they broke the law. Follow the spirit, not the letter.

    Reading the article tells me: They disabled the botnet and told the computer owners afterward, and they advised them on how to secure their gear in future. They performed a DDoS on a site, but with prior agreement from the owner.

    That's thousands of people who probably learned a valuable lesson. Better to learn that way than to have their credit card details stolen, or their bandwidth used in a malicious DDoS. Given the incredible amount of PCs that are compromised in general, this would seem inevitable without some education to prevent it.

    Of course you can make a good argument that it was unethical to invade their PCs, but don't just dismiss the benefits of this out of hand. It's boring, and not really insightful at all.
  • by PhilHibbs ( 4537 ) <snarks@gmail.com> on Thursday March 12, 2009 @10:54AM (#27166975) Journal

    Journalists have a much higher degree of discretion when following legitimate investigations.

  • Re:Now this... (Score:5, Insightful)

    by sakdoctor ( 1087155 ) on Thursday March 12, 2009 @10:55AM (#27166983) Homepage

    Then get some security.

    No unlocked car or house door analogy is even slightly useful in this case.

    Computer security by law is worse than security by obscurity, or security by Symantec product.

  • by Opportunist ( 166417 ) on Thursday March 12, 2009 @11:09AM (#27167231)

    It's ok to tell him to get the f.. out. But most people, to return the analogy to the PC, don't even care that someone is standing there, in the middle of their living room, making unsolicited phone calls from your landline, telling everyone about your tv watching habits or even stuffing your jacket pockets with leaflets. As long as they don't trash the place, most people don't care that someone is standing there, coming and going as they please, leaving the window open for any burglar that wants to come in.

  • by Opportunist ( 166417 ) on Thursday March 12, 2009 @11:11AM (#27167275)

    ...and you complaining about the reporter who told you that burglars are coming and going, because he made you look stupid. Instead of thanking him and asking him how to get rid of the burglars. Or at least cursing him and asking him how to get rid of them.

  • by rnddev ( 1187731 ) on Thursday March 12, 2009 @11:16AM (#27167367)
    They are apparently oblivious to the fact that DDOSing a site also means saturating the connection of the PCs involved in the attack which could have a critical function within a business. Do they even know the way that the backdoor application works? Is it possible that it is spreading through local shares and otherwise wreaking havoc on some network by propagating through some unpatched exploit?

    "Click has now destroyed its botnet, and no longer controls any hijacked machines."
    This quote worries me as they don't seem to understand what they're doing. Did they click a button that said "destroy botnet"? By destroy, do they mean wipe out some critical files?
  • Clarification (Score:2, Insightful)

    by awpoopy ( 1054584 ) on Thursday March 12, 2009 @11:24AM (#27167527) Homepage Journal
    Let me fix that for you:
    "[The BBC] managed to acquire its own low-value botnet http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm [bbc.co.uk] the name given to a network of hijacked MICROSOFT Windows computers - after visiting chatrooms on the internet. The programme did not access any personal information on the infected MICROSOFT Windows PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals." The BBC performed a controlled DDoS attack, "then ordered its slave MICROSOFT Windows PCs to bombard its target site with requests for access to make it inaccessible."
    Now it's been edited to show the facts.
  • by tygerstripes ( 832644 ) on Thursday March 12, 2009 @11:47AM (#27167915)

    NO!!!

    Your quote diametrically refutes your posit! It is funded by the public and given a mandate of political neutrality and autonomy by that charter. That charter was issued by the government many years ago and has been essentially sacrosanct since then. The BBC is "owned" by the people, more so than the government is.

    Contemporary History, with regards to the BBC, demonstrates that they have managed to maintain that detachment and impartiality - even to the detriment of the ruling government - on many occasions. It's out of keeping with the increasingly totalitarian character of UK government, I know, but somehow the Beeb seems to be just-about maintaining its function. Whether that will continue indefinitely is anybody's guess, but for god's sake, give them credit where it's due for now...

  • by Spatial ( 1235392 ) on Thursday March 12, 2009 @11:47AM (#27167933)
    Why, are you going to perform a denial of furniture attack on my neighbours?

    Theft from my house is making the analogy inaccurate. They didn't take anything but a minor amount of transfer bandwidth. That's about as serious as stealing the oxygen in my house by breathing.

    The analogy would be closer if you simply got into my house without telling me (causing no damage), performed some pre-arranged DDoS with a security company who agreed to it previously, and then vacated, leaving everything as it was before you arrived. After leaving, you then proceed to tell me why you did it, how you did it and how to stop you doing it again. Later you tell the world about such things through a respected news service, in a report about the insecurity of houses like mine and the people who exploit them for profit to the detriment of others.

    In that case, I wouldn't like it much but I wouldn't want to sue you or anything either. It would be embarrassing and annoying. I'd probably become quite conscious about the crappy security of my house and fix it up.
  • Unbelievable (Score:5, Insightful)

    by ppentz ( 1028640 ) on Thursday March 12, 2009 @12:05PM (#27168221)
    Ugh, I can't stand the attitude here. Botnets are a HUGE problem. People need to know if their PCs are hijacked and they need to be fixed. If my PC is hijacked, I want to know about it. Now. When someone's PC is used in a DDOS attack, isn't that illegal activity? I've always heard that ignorance of the law is not an excuse, so if someone is not aware their PC is being used illegally, their PC is still being used for illegal purposes ... should they be held accountable? If there is an activity that is *questionably* legal but can potentially help with the Botnet problem, I'm all for it.
  • Re:It gets better (Score:1, Insightful)

    by LingNoi ( 1066278 ) on Thursday March 12, 2009 @12:10PM (#27168287)

    Not if it's their own hotmail and gmail accounts or if they have permission, I can spam myself if I want to, and you could spam me as well if I gave you permission.

    No you can't. I'm pretty sure Google and Microsoft wouldn't be happy with you spamming their servers. It might be going to your gmail or hotmail account however your permission means squat unless you're sending the mail to your own mail server.

    In fact I'm sure DDOSing Google and Microsoft servers with spam is against the law by itself.

  • by Yacoby ( 1295064 ) on Thursday March 12, 2009 @12:16PM (#27168403)

    Computer Misuse Act (1990) forbids the unauthorized modification of computer material. How is changing the desktop not modification of computer material?

  • Re:why use botnet (Score:3, Insightful)

    by jabithew ( 1340853 ) on Thursday March 12, 2009 @01:30PM (#27169619)

    Erm, did you RTFA? The botnet was previously existing, the BBC spammed two accounts they'd set up, and DDOS'd a site they'd set up. I'd be shocked if they didn't tell the hosts what they were going to do. As a final step, they notified all members of the botnet that they'd been hacked by changing their desktop background. I think it would be difficult to claim damages as the BBC did not propagate the botnet and anyone in their clutches got off lightly.

  • Re:Now this... (Score:1, Insightful)

    by Anonymous Coward on Thursday March 12, 2009 @01:37PM (#27169753)

    Fine. We get it. But the analogy still doesn't hold, and if what they did happens to be against the law, then the law is wrong.

    MSIE6's known functionality is that it does bad things and should never ever, under any circumstances, be used with the internet. If a person knows this (and everyone does or has had enough years to learn) and still chooses to use a program that downloads hostile code and runs that code, then that user must want to download and run hostile code.

    So here's your analogy. You put a sign up in front of your house, saying, "Please come in and take something." You are robbed every day for 8 years while that sign is up. You don't complain. You meet the "thieves" and offer them lemonade as they peruse your stuff. You give them a kiss as they leave, saying, "Come back again soon!"

    At 8 years and one day, someone from the BBC comes in and you shout "thief!!" and call the cops, even though your "please come in and take something" sign is still out front.

    When something like that happens, the correct thing for society to do, is have a policy where the cops ignore the call. A crime did not take place.

    If you play Russian Roulette every day, don't bitch about your head wounds.
