Security

BBC Hijacks 22,000 PCs In Botnet Demonstration 457

An anonymous reader writes "'[The BBC] managed to acquire its own low-value botnet — the name given to a network of hijacked computers — after visiting chatrooms on the internet. The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals.' The BBC performed a controlled DDoS attack, 'then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.'"
This discussion has been archived. No new comments can be posted.

  • Breaking the law (Score:5, Interesting)

    by qoncept ( 599709 ) on Thursday March 12, 2009 @10:30AM (#27166553) Homepage

    If this exercise had been done with criminal intent it would be breaking the law.

    Ok, so, I don't know much about the laws, but it is illegal, isn't it?

  • They paid hackers (Score:2, Interesting)

    by Anonymous Coward on Thursday March 12, 2009 @10:30AM (#27166567)
    It seems a bit stupid to pay the hackers, as now they will have more money to set up botnets with. I suppose if they didn't a spammer would have done anyway, at least they have a chance of shutting them down now I guess.

    Just wait until a botnet DDOS's Click's website.
  • by JeanBaptiste ( 537955 ) on Thursday March 12, 2009 @10:43AM (#27166783)

    If you go randomly grab 22,000 computers for your botnet, it's far more likely than not that some would be in the US. Even if they only targeted BBC registered users or something (didn't read TFA), there'd still be overseas users and such, some in the US. Not that I'm an expert, but I don't think they could reliably get computers from only inside GB.

  • by grayn0de ( 1301165 ) on Thursday March 12, 2009 @10:50AM (#27166905)
    Way to go, BBC. You have moved past bringing the populace breaking news stories to creating them! I am looking forward to the next headline regarding this. I think we all agree that gaining unauthorized access to another computer is not only unethical, but illegal. I am surprised, being that this article is on Slashdot now, that the BBC is not already feeling the ramifications of its actions. I highly doubt they asked everyone in those chat rooms: "Hi, we are from the BBC, we would like to pwn your computer in the name of exposing cyber security risks. Is this okay with you? Great, thanks!"
  • by je ne sais quoi ( 987177 ) on Thursday March 12, 2009 @10:57AM (#27167033)
    Meh. I'm not too concerned: the BBC creating a botnet is like the BBC going out and speeding or driving aggressively during rush hour. Sure, it's illegal and unsafe, but when everybody is doing so why single out the BBC for their activity? In fact, maybe if the BBC can demonstrate just how trivially easy it is to create and use a botnet, people will wake up and start taking security more seriously because them doing it calls attention to the problem. Actually if everyone did this and started creating their own botnets, sure it might bring down the internet for a while, at least those machines that are pwned, but you can bet that software and router companies would start patching their software more quickly and more efficiently. In any case, how do you know that the BBC didn't infect their own computers?

    But never mind me...all you people on the righteous indignation bandwagon just mod me troll already and be done with it. Grab your pitchforks! Burn down the BBC! They're breaking the law!
  • by mjjw ( 560868 ) on Thursday March 12, 2009 @11:01AM (#27167097)
    The BBC has a GeoIP database which they use to determine whether or not you are eligible to use services such as iPlayer. Whether or not they checked if the computers were in the UK I do not know, but they certainly could have done.
  • Re:why use botnet (Score:5, Interesting)

    by N1AK ( 864906 ) on Thursday March 12, 2009 @11:09AM (#27167229) Homepage
    I wrote about this story on my site [john-graham.me.uk] and submitted it to The Reg at 10:20 this morning when I read the story on their website. Now it's been aired on TV it seems to be getting a lot of coverage. I added an update a few minutes ago covering the two areas of the Computer Misuse Act that are likely to be quoted quite a bit in the debate about the legality.

    I find it amazing that something this dubious was allowed to get all the way to airing without someone at the BBC having a hissy fit. Perhaps they have received legal advice that said it was legit?

    As an aside, if I had wanted to submit my page to Slashdot is there a way I could have done it that (assuming it got published) wouldn't result in my host wishing a painful death upon me? I didn't change it partly because it's a short write up and partly for that reason.
  • Re:Now this... (Score:5, Interesting)

    by N1AK ( 864906 ) on Thursday March 12, 2009 @11:15AM (#27167345) Homepage

    Accessing and modifying data on other people's computers is illegal.

    It's not that simple; accessing someone's computer itself is a crime under the Computer Misuse Act. Modifying data is another crime but I think the BBC can safely argue that they didn't have 'requisite intent':

    For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing--
    (a) to impair the operation of any computer;
    (b) to prevent or hinder access to any program or data held in any computer; or
    (c) to impair the operation of any such program or the reliability of any such data.

    I have written a longer analysis of the Computer Misuse Act and how it relates to the BBC Click Botnet [john-graham.me.uk] if you are interested. Please note IANAL and I don't mean in the kinkeh sex sense either.

  • Re:Breaking the law (Score:3, Interesting)

    by odourpreventer ( 898853 ) on Thursday March 12, 2009 @11:33AM (#27167677)
    The police still need permission from you the property owner (the computer being your property), otherwise it is illegal.
  • by Anonymous Coward on Thursday March 12, 2009 @11:34AM (#27167689)

    Beat The Burglar [imdb.com]

  • Re:Now this... (Score:5, Interesting)

    by ciderVisor ( 1318765 ) on Thursday March 12, 2009 @11:35AM (#27167719)

    I hope you took time to explain to them that Windows Defender is not a firewall. If you want a firewall then Windows....erm, Firewall might be more appropriate, funnily enough.

    I've been running Windows XP malware-free for over 2 years thanks to Windows Firewall, Windows Defender and LUA accounts [msdn.com]. Do your friends a favour and set them up properly. Free them from third-party AV hell.

  • Re:Breaking the law (Score:3, Interesting)

    by tygerstripes ( 832644 ) on Thursday March 12, 2009 @12:02PM (#27168167)

    Yes, this is illegal. There was an embarrassing attempt to cover their asses with the following:

    If this exercise had been done with criminal intent it would be breaking the law.

    There's no question of mens rea - they knew exactly what they were doing, whether or not they thought it was a crime - while actus reus is satisfied if they undertook the crime. The crime in this case was gaining unauthorised access to personal computers. "Criminal intent" doesn't come into it - they deliberately did something which is a criminal act.

    However, they won't get prosecuted. This has nothing to do with "ties to the guv'mint", and everything to do with journalistic licence. They exposed criminal activity without effecting any damage to property or reputation, and in doing so helped to inform and protect not only the several thousand people directly involved, but a whole nation of news-reading, tech-ignoring proles.

    This is exactly what investigative journalism is about. While technically they broke the law, there is a fine history of decades of case-law precedent where journalists went undercover and got involved in criminal practices purely in an effort to expose and prevent it in future.

    There's no way in hell the CPS (the body responsible for prosecuting criminal cases) would touch this. Flimsy though it may be, journalistic integrity is afforded impressive leniency in British culture and law, provided it is seen to be of public benefit.

  • Re:Now this... (Score:3, Interesting)

    by Nick Ives ( 317 ) on Thursday March 12, 2009 @12:04PM (#27168203)

    Ditto. Vista's much derided UAC actually makes running Windows securely much easier too, it's actually the best part about Vista and I'm disappointed that MS is sacrificing security for ease of use in Win7. MS needs to stand firm against apps that bring up UAC prompts during normal operation whilst streamlining the UI to make the prompts more descriptive and eliminate multiple UAC prompts during certain operations.

    To paraphrase, those who sacrifice security for ease of use deserve neither.

  • Re:why use botnet (Score:5, Interesting)

    by Teancum ( 67324 ) <robert_horning AT netzero DOT net> on Thursday March 12, 2009 @12:11PM (#27168299) Homepage Journal

    I suppose that the BBC views themselves as a branch of the British government. Yes, I know that it is supposedly an "independent" organization, but it is fully-funded by taxpayers in the UK.

    Then again, would many people consider a similar investigation by the U.S. Department of Defense or Department of Justice to be legit?

    Real monetary damages can be calculated here as well, as depreciation value and CPU time... not to mention access to network resources are certainly not "free" for the taking. Furthermore, technician time spent to remove these bot programs, scanner software required to find this stuff.... removing this software is likely to be the more expensive part.

    Assuming â100 per computer that was infected (a rather low estimate), that would be around â200,000 that this reporter has potentially set up his company for liability damages.

  • Re:Breaking the law (Score:5, Interesting)

    by tygerstripes ( 832644 ) on Thursday March 12, 2009 @12:33PM (#27168657)

    1. Nobody comes to arrest you. Why the hell would the police get involved? You'll get increasingly strongly-worded letters and then, eventually, a court summons.

    2. What if you don't pay your gas/credit-card/porn-subscription bill? Same story. Does that mean NPower/Barclays/shemaleswithdiseasedsheep.com is affiliated with the government?

    3. I said they were autonomous, not completely independent and uninvolved. This means they can follow that charter in whatever way they see fit.

    Know what? I'm tired of discussing this point. The Beeb's history and reputation speak for themselves. If you have a serious point then please make it, and then show me a more effective alternative. Insofar as it's possible, the Beeb is as I've described.

  • Re:why use botnet (Score:3, Interesting)

    by Cederic ( 9623 ) on Thursday March 12, 2009 @03:54PM (#27171961) Journal

    Evidence of actual crime is being published by the BBC. It is illegal to use computing resources owned by other people without their permission.

    Illegal. That means it's a crime.

    I completely accept that there's minimal harm to any given individual. This does not make it legal.

    I don't want punitive damages. I don't really care about punishment of any tangible form. I do want prosecution and the full process of the law.
