BBC Hijacks 22,000 PCs In Botnet Demonstration

An anonymous reader writes "'[The BBC] managed to acquire its own low-value botnet — the name given to a network of hijacked computers — after visiting chatrooms on the internet. The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals.' The BBC performed a controlled DDoS attack, 'then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.'"

why use botnet

[fredan]

when you can use slashdot!

Re:why use botnet

[Spazztastic]

when you can use slashdot!

Well, a botnet is probably faster. By the time your article gets through the submission queue the target would probably have gone offline along with the sun burning out.

Re:why use botnet

[Opportunist]

The botnet is not stronger. But it is quicker. Easier. More seductive.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:why use botnet

[Hatta]

Is it also fitter, happier, and more productive?

Re:

[shermo]

And he actually lost karma in the entire exchange.

Now I'm sure someone's going to vote me down in a poor attempt at irony, but hopefully my correct use of apostrophes will save me.

Re:

[geordie_loz]

But At least your article is likeley to be duped within a week or two.

Re:

[Ninnle Labs, LLC]

But At least your article is likeley to be duped within a day or two.

fix'd!

Re:why use botnet

[N1AK]

I wrote about this story on my site [john-graham.me.uk] and submitted it to The Reg at 10:20 this morning when I read the story on their website. Now its been aired on TV it seems to be getting a lot of coverage. I added an update a few minutes ago covering the two areas of the Computer Misuse Act that are likely to be quoted quite a bit in the debate about the legality.

I find it amazing that something this dubious was allowed to get all the way to airing without someone at the BBC having a hissy fit. Perhaps they have received legal advice that said it was legit?

As an aside, if I had wanted to submit my page to Slashdot is there a way I could of done it that (assuming it got published) wouldn't result in my host wishing a painful death upon me? I didn't change it partly because it's a short write up and partly for that reason.

Re:why use botnet

[Teancum]

I suppose that the BBC views themselves as a branch of the British government. Yes, I know that it is supposedly an "independent" organization, but it is fully-funded by taxpayers in the UK.

Then again, would many people consider a similar investigation by the U.S. Department of Defense or Department of Justice to be legit?

Real monetary damages can be calculated here as well, as depreciation value and CPU time... not to mention access to network resoruces are certainly not "free" for the taking. Furthermore, technician time spent to remove these bot program, scanner software required to find this stuff.... removing this software is likely to be the more expensive part.

Assuming â100 per computer that was infected (a rather low estimate), that would be around â200,000 that this reporter has potentially set up his company for liability damages.

Re:

[growse]

Well, it's fully funded by tv-owners. Not all taxpayers own tvs, and vice-versa.

Re:

[TheRaven64]

Technically, by anyone with equipment that receives live TV broadcasts. This includes video recorders and PCs that are used to stream live events (e.g. sports) from the BBC web site, but does not include TVs used solely to watch DVDs or PCs that use iPlayer to watch shows an hour or more after they are broadcast.

Re:

[jabithew]

Erm, did you RTFA? The botnet was previously existing, the BBC spammed two accounts they'd set up, and DDOS'd a site they'd set up. I'd be shocked if they didn't tell the hosts what they were going to do. As a final step, they notified all members of the botnet that they'd been hacked by changing their desktop background. I think it would be difficult to claim damages as the BBC did not propagate the botnet and anyone in their clutches got off lightly.

Re:

[Cederic]

Evidence of actual crime is being published by the BBC. It is illegal to use computing resources owned by other people without their permission.

Illegal. That means it's a crime.

I completely accept that there's minimal harm to any given individual. This does not make it legal.

I don't want punitive damages. I don't really care about punishment of any tangible form. I do want prosecution and the full process of the law.

Re:why use botnet

[MatB]

I suppose that the BBC views themselves as a branch of the British government.

Hah! You jest, surely?

Yes, I know that it is supposedly an "independent" organization,

It is

but it is fully-funded by taxpayers in the UK.

Incorrect.

The BBC is funded by a licence fee that all TV set owners pay, it's raised independently of the government and is specifically not a tax, the money never goes anywhere close to the Treasury. Many people chose not to have a TV and thus don't need to pay the license (I was one of these people for about 3 years, I had dial-up and a DVD collection, what'd I need a TV for?)

It also gets money from overseas sales and a semi-independent part dedicated to overseas broadcasts is funded by the Foreign Office in the same way as Radio America and similar.

I suspect the BBC has broken the law. I suspect they'll get investigated. I think that, regardless, they did the right thing--most people have no idea what a botnet is, let alone how much damage they do. Anything that raises awareness amongst domestic users in an open and transparent way is good. Those that had their PCs hijacked mught do well to upgrade their security (again).

Re:

[bluefoxlucid]

ENOTXKCD, EAGAIN

Re:why use botnet

[Piranhaa]

This demonstration never really took place. They made up a bogus story that will get Slashdot to DoS the site for them.

Now this...

[kcbanner]

...is good journalism. Good job BBC, the masses need to know about NOT USING IE6 TO SURF THE WEB.

Re:Now this...

[sopssa]

Accessing and modifying data on other peoples computers is illegal. Better article written by a known security researcher Dancho Danchev [zdnet.com], who also thinks it was controversial and illegal act.

Even if your intentions are good, I DO NOT WANT you using my computer or making changes to it without my permissions.

Re:Now this...

[sakdoctor]

Then get some security.

No unlocked car or house door analogy is even slightly useful in this case.

Computer security by law is worse than security by obscurity, or security by Symantec product.

Re:Now this...

[ciderVisor]

I hope you took time to explain to them that Windows Defender is not a firewall. If you want a firewall then Windows....erm, Firewall might be more appropriate, funnily enough.

I've been running Windows XP malware-free for over 2 years thanks to Windows Firewall, Windows Defender and LUA accounts [msdn.com]. Do your friends a favour and set them up properly. Free them from third-party AV hell.

Re:

[Nick Ives]

Ditto. Vista's much derided UAC actually makes running Windows securely much easier too, it's actually the best part about Vista and I'm disappointed that MS is sacrificing security for ease of use in Win7. MS needs to stand firm against apps that bring up UAC prompts during normal operation whilst streamlining the UI to make the prompts more descriptive and eliminate multiple UAC prompts during certain operations.

To paraphrase, those who sacrifice security for ease of use deserve neither.

Re:Now this...

[Ralish]

Free them from third-party AV hell.

Windows Defender is an anti-spyware product, and not a virus scanner. It will NOT protect you against most virus threats, nor is it intended to.

In this respect, a 3rd-party virus scanner is still required if the detection and removal of viruses is important to you. Yes, there is Windows Live OneCare, but apart from the fact that it's scheduled to be discontinued in the future, you still have to pay for it.

Re:Now this...

[N1AK]

Accessing and modifying data on other peoples computers is illegal.

It's not that simple, accessing someones computer itself is a crime under the Computer Misuse Act. Modifying data is another crime but I think the BBC can safely argue that they didn't have 'requisite intent':

For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing--
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.

I have written a longer analysis of the Computer Misuse Act and how it relates to the BBC Click Botnet [john-graham.me.uk] if you are interested. Please note IANAL and I don't mean in the kinkeh sex sense either.

Re:Now this...

[Eternauta3k]

This reminds me of a certain video by The Onion [youtube.com]

Re:Now this...

[mike2R]

Out Law have an article [out-law.com]:

Though the activity is likely to have been technically illegal, Robertson said that it is unlikely that the corporation will be punished for it.

"The maximum penalty for this offence is two years' imprisonment. But it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security," he said.

A blog posting from security firm Sophos suggests [sophos.co.uk] that the BBC has committed an offence of making unauthorised modifications to a computer. Robertson said that that is unlikely.

"The offence of unauthorised modification requires a recklessness or an intent that I don't think the BBC has displayed," he said.

Section three of the Computer Misuse Act describes the need for an intent to impair the operation of a computer or to hinder access to data. Such intent is not required for the section one offence of unauthorised access, said Robertson.

The BBC did not respond to OUT-LAW's request for comment. However, a message on the programme's Twitter account [twitter.com] suggests that the team did consult lawyers. "We would not put out a show like this one without having taken legal advice," it said.

Breaking the law

[qoncept]

If this exercise had been done with criminal intent it would be breaking the law.

Ok, so, I don't know much about the laws, but it is illegal, isn't it?

Re:Breaking the law

[jeffmeden]

Don't worry, it was a "low value" botnet... That makes it OK.

Re:

[snowraver1]

What's a botnet?

Re:Breaking the law

[Dr Caleb]

It's an electrically charged net that we use to catch runaway robots. Like the Ethernet we use to catch the EtherBunny.

Re:Breaking the law

[Gryften]

The EtherBunny is the one that runs around anaesthetizing kids to commemorate the ressurection of Jesus, right?

Re:

[Linker3000]

Only kids with lisps

Re:Breaking the law

[Spazztastic]

If this exercise had been done with criminal intent it would be breaking the law.

Ok, so, I don't know much about the laws, but it is illegal, isn't it?

Regardless of intent it is illegal. They are gaining unauthorized access to someones PC and using it for their own personal gain. If I were to demonstrate how to crack someones WEP key in 5 minutes without the victim's explicit written permission it would be illegal, even if done just for "educational purposes." Sure, it's edgy reporting, but it is still highly illegal.

I doubt anything will come of it though.

Re:Breaking the law

[unlametheweak]

Regardless of intent it is illegal.

Isn't the BBC "owned" by the government of Britain ("a quasi-autonomous statutory corporation as a public service broadcaster and is run by the BBC Trust; it is, per its charter, supposed to "be free from both political and commercial influence and answer only to its viewers and listeners", Ref: http://en.wikipedia.org/wiki/Bbc [wikipedia.org])? If so it would appear that they are immune from the law because, as contemporary history demonstrates, "intent", when the government is involved is never criminal in nature, but rather for the good of mankind.

Re:Breaking the law

[tygerstripes]

NO!!!

Your quote diametrically refutes your posit! It is funded by the public and given a mandate of political neutrality and autonomy by that charter. That charter was issued by the government many years ago and has been essentially sacrosanct since then. The BBC is "owned" by the people, more so than the government is.

Contemporary History, with regards to the BBC, demonstrates that they have managed to maintain that detachment and impartiality - even to the detriment of the ruling government - on many occasions. It's out of keeping with the increasingly totalitarian character of UK government, I know, but somehow the Beeb seems to be just-about maintaining its function. Whether that will continue indefinitely is anybody's guess, but for god's sake, give them credit where it's due for now...

Re:Breaking the law

[tygerstripes]

1. Nobody comes to arrest you. Why the hell would the police get involved? You'll get increasingly strongly-worded letters and then, eventually, a court summons.

2. What if you don't pay your gas/credit-card/porn-subscription bill? Same story. Does that mean NPower/Barclays/shemaleswithdiseasedsheep.com is affiliated with the government?

3. I said they were autonomous, not completely independent and uninvolved. This means they can follow that charter in whatever way they see fit.

Know what? I'm tired of discussing this point. The Beeb's history and reputation speaks for itself. If you have a serious point then please make it, and then show me a more effective alternative. Insofar as it's possible, the Beeb is as I've described.

Re:

[ais523]

Beat the Burglar might only have targeted volunteers, but the more recent The Real Hustle didn't. (In one episode they went and fraudulently tricked a locksmith into opening someone else's house, then went in and installed secret cameras and stole things from it. Presumably according to BBC reasoning that's OK because they gave the things back and got permission to show the footage.)

Re:Breaking the law

[Sockatume]

Actually English, Scots, and US law do distinguish between performing the same act (actus reus) with different intent (mens rea). It's a common lay misconception that "doing X" is illegal. In fact, traditionally "doing X" with one intent is usually a particular crime, while "doing X" with a different intent is a lesser crime, or not illegal at all. A simple example would be injuring another human being. Firstly, the law distinguishes between a deliberate or accidental act. Further, the law distinguishes deliberate injury with the intent to defend oneself from injury, accidental injury through deliberate negligence of safety standards, etc. etc.

I'm not sure what the mens rea is on cyber-crime in any legal system that uses the concept, mind you. And it seems that legal systems are reworking mens rea into "circumstances" to eliminate the human part of the equation, i.e. in some legal systems if you're in situation X and you do Y, that is always illegal, regardless of intent. It's likely that, given their youth, cyber-crime laws in the UK are worded as such.

Re:Breaking the law

[tygerstripes]

Almost.

Mens Rea is almost always about your level of intent, not what you intended to do. This is important for things such as assault or murder, where intent can range from "I meant to kill him" to "I just wanted to stop him hitting me" to "I didn't know he was standing there". As such, the mens rea will affect the nature of the crime.

However, in most cases it is merely a case of "Did you intend to do it?" In the case of burglary, for example, the only way you could argue the mens rea would be either by pleading insanity (didn't know you were doing it) or demonstrating that you thought you had the right to enter the place you entered and take what you took. You're pleading that you were not knowingly guilty of doing what you did. For the majority of crimes you can't be excused by claiming that you did it with good reason; though that may mitigate your sentencing, it won't mitigate the conviction.

Since the crime in this case was illegal access of someone's personal computer, the crime was knowingly undertaken irrespective of what the ultimate intention was. However, as I've said in a later post [slashdot.org], I don't think this particular case will even see the courts; nor do I think it should.

Re:Breaking the law

[debrain]

Regardless of intent it is illegal. They are gaining unauthorized access to someones PC and using it for their own personal gain. If I were to demonstrate how to crack someones WEP key in 5 minutes without the victim's explicit written permission it would be illegal, even if done just for "educational purposes." Sure, it's edgy reporting, but it is still highly illegal.

Why do you say that? These statements have no legal meaning or merit.

I'm not overly familiar with British criminal law, per se, but I am handy in the commonwealth legal principles (having studied law in three commonwealth countries, and being a lawyer in a commonwealth country and New York state), and while anyone would need legal advice specific to their jurisdiction (i.e. none of what I'm saying is legal advice), I can say with reasonable confidence that this act of the BBC would be criminal in only two scenarios:

1. There was mens rea, or the guilty mind, component of a criminal act; or

2. The BBC committed a crime where mens rea is not required (viz. a crime of strict or absolutely liability).

As the guilty mind seems to be lacking on these facts, only crimes of strict liability may be laid against the BBC. As I don't know of any strict liability crime arising from these facts, I surmise that they have not broken one, but I stand to be corrected.

It may be a civil wrong that is a species of trespass, or that violates some statute specific to computers and/or the internet, but in the absence of provable damages by someone affected (i.e. the botnet computer owners or the DoS'd computer), there is no cause of action that would give rise to a lawsuit. The botnet owners don't know they are on a botnet, so their damages are negligible -- if anything I would argue they benefit from being taken over by the BBC as opposed to someone with actual malicious intent. The DoS'd machine is presumably one owned by the BBC.

Even if found to be guilty of civil or criminal wrongdoing, the BBC may have a complete defence because their act was taken as part of a protected form of investigative journalism or alternatively because they are acting as a good Samaritan in the public interest. They seem to be acting with the interest of exposing to the public and documenting a very important situation on the internet. Their investigative journalism is good for the public and the owners of the botnet who may thus become aware of their participation in this grand malicious scheme. In addition to these defences, it would be bad public policy to stifle such valuable investigative journalism.

In any case I'm confident that the lawyers for the BBC have given this due consideration. That a large, sophisticated corporation actually did this for the purpose of publication, and then did publish it, strongly suggests that it is not illegal.

In the United States your mileage may vary (i.e. taking control of a botnet even with good intentions may be illegal). There are a large number of laws that are driven by commercial interest groups, which laws give rise to "criminality" in spite of the public's interests to the contrary. Thankfully most of the world, including the BBC, isn't generally subject to these laws.

Please don't mislead people with sensationalistic statements like "highly illegal", without at least providing some modicum of support for these otherwise bald assertions. What criminal law do you think the BBC broke? Your post appears wholly incorrect, unsupported and misleading. It distracts from the real issues at hand, wastes readers' time, and is disrespectful to those who value facts and truth. Please consider taking the time to research your assertions before posting to a public forum like this. Thank you.

Re:

[Spazztastic]

These are of historical and educational interest only.

WEP is far from deprecated in the smaller community unfortunately. Old wireless cards don't support WPA/WPA2 and not everybody can afford to buy a new one (even for $30). Most WEP setups are put in by someone one time and never touched because the user doesn't know any better. I suppose it's better than having just an open network...

Re:

[Cimexus]

Hell, the Nintendo DS, which is a relatively new piece of hardware (released way after WPA was common) supports only WEP. So if you have a DS in the house and you actually want to use the online features ... you have to use WEP. Argh!

Re:

[marcello_dl]

Yep, this seems more of a demonstration of people not caring if somebody gets into YOUR pc.

It's like a guy entering your house through an open windows, and standing there without stealing or ruining anything. Is it ok or it is more ok to tell him "Get The F*k Out"? You decide, sheep ;D

Re:

[ShieldW0lf]

It's like a guy entering your house through an open windows, and standing there without stealing or ruining anything. Is it ok or it is more ok to tell him "Get The F*k Out"? You decide, sheep ;D

I'd say it's more like you leaving your hunting rifles lying around on the front lawn and someone took them and used them for a drive-by.

Securing your machine is your responsibility. Failing to do so is negligence.

Re:

[gandhi_2]

Almost all hunting rifles are bolt-action. That would make a pretty ineffective drive-by. Especially if you are the one doing the driving and shooting.

Re:Breaking the law

[PhilHibbs]

No, it's more like if your door is already busted wide open and burglars are coming in and out, and a reporter wanders in.

Re:Breaking the law

[Opportunist]

...and you complaining about the reporter who told you that burglars are coming and going, because he made you look stupid. Instead of thanking him and asking him how to get rid of the burglars. Or at least cursing him and asking him how to get rid of them.

Re:Breaking the law

[ciderVisor]

It's more like eating a nectarine and marvelling at how juicy and delicious it is, then realising that it's not a nectarine you're eating but a human head !

Re:Breaking the law

[Opportunist]

It's ok to tell him to get the f.. out. But most people, to return the analogy to the PC, don't even care that someone is standing there, in the middle of their living room, making unsolicited phone calls from your landline, telling everyone about your tv watching habits or even stuffing your jacket pockets with leaflets. As long as they don't trash the place, most people don't care that someone is standing there, coming and going as they please, leaving the window open for any burglar that wants to come in.

Re:

[bentcd]

Ok, so, I don't know much about the laws, but it is illegal, isn't it?

Presumably. The press tends to be given a fair amount of leeway in cases such as this though.

Re:

[rhsanborn]

I wonder if I can take the car of every BBC staffer and use it to demonstrate how a small army of cars can do something illegal if I so chose to do so. But I'm not using them to do anything illegal, so it's ok that I took them.

Re:

[bickerdyke]

First of all.... what do you know about BRITISH law?

Re:

[Ontheotherhand]

Well. it is more draconian than american law, not underpinned by a constitution as such, but usually interpreted by a non political group of Judges so that in general it works. recent right wing hastily passed laws on anti terrorism and new fangled computer thingies not withstanding.

Re:

[ianare]

I thought journalists had greater freedom in certain situations. For example interviewing a wanted felon and not reporting his/her location to police would normally be illegal (obstruction of justice, aiding a felon), but journalists do that all the time.

Re:Breaking the law

[yo_tuco]

"I don't know much about the laws, but it is illegal, isn't it?"

It is legal if you wear a suit-n-tie and work in a corporate office. But if you wear a tee-shirt working from your basement, you're under arrest for unauthorized access.

Re:

[Jurily]

Ok, so, I don't know much about the laws, but it is illegal, isn't it?

Did they do it with the permission and supervision of the police?

Re:

[odourpreventer]

The police still needs permission from you the property owner (the computer being your property), otherwise it is illegal.

Re:

[Leafheart]

If this exercise had been done with criminal intent it would be breaking the law.

Ok, so, I don't know much about the laws, but it is illegal, isn't it?

It is not illegal if you are a journalist. It would be illegal if it were you or I though. If you are a blogger it is not clear yet.

Re:

[tygerstripes]

Yes, this is illegal. There was an embarrassing attempt to cover their asses with the following:

If this exercise had been done with criminal intent it would be breaking the law.

There's no question of mens rea - they knew exactly what they were doing, whether or not they thought it was a crime - while actus reus is satisfied if they undertook the crime. The crime in this case was gaining unauthorised access to personal computers. "Criminal intent" doesn't come into it - they deliberately did something which

They paid hackers

[Anonymous Coward]

It seems a bit stupid to pay the hackers, as now they will have more money to set up botnets with. I suppose if they didn't a spammer would have done anyway, at least they have a chance of shutting them down now I guess.

Just wait until a botnet DDOS's Click's website.

It gets better

[blowdart]

Controlling machines without permission? Against the computer misuse act.

They used the botnet to spam two email accounts, one at gmail and one at hotmail. That's against the computer misuse act.

And they changed the wallpaper on the machines on the botnet. Against the computer misuse act.

Their "justification" doesn't fly; not having criminal intent is not a defence against the law.

Re:

[lee1026]

Actually, intent is often considered in the law. IANAL, but I am assuming their legal department signed off on this.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Spazztastic]

Their "justification" doesn't fly; not having criminal intent is not a defence against the law.

I'm sorry officer! My intent wasn't criminal when I broke into my neighbors house to see their renovation of their living room and watch a few episodes of Desperate Housewives on their HDTV! I was just curious, you see...

Re:

[Clipless]

But it is all OK because they didn't have any "criminal intent."

I wish I had known that was a valid argument during my little DUI incident.
Live and Learn I guess.

Re:

[geekboy642]

Don't mind the inevitable AC trashing you'll get for that remark. MADD has pretty well succeeded in brainwashing the common sense out of an entire generation.

Re:It gets better

[PhilHibbs]

Controlling machines without permission? Against the computer misuse act.

Correct.

They used the botnet to spam two email accounts, one at gmail and one at hotmail. That's against the computer misuse act.

Not if it's their own hotmail and gmail accounts or if they have permission, I can spam myself if I want to, and you could spam me as well if I gave you permission.

Their "justification" doesn't fly; not having criminal intent is not a defence against the law.

Journalists have a high degree of freedom in this respect, there are plenty of cases of journalists smuggling guns past airport or other border security as a demonstration.

Re:

[Zerth]

And theft of services. If any of those were on metered connections, they could have cost the owner a fair bit of money.

Re:It gets better

[Spatial]

I'd be more interested in hearing about whether you think it was the right thing to do or not, instead of shouting "You broke the rules!" like a child in a schoolyard. If they didn't do any harm it isn't very important that they broke the law. Follow the spirit, not the letter.

Reading the article tells me: They disabled the botnet and told the computer owners afterward, and they advised them on how to secure their gear in future. They performed a DDoS on a site, but with prior agreement from the owner.

That's thousands of people who probably learned a valuable lesson. Better to learn that way than to have their credit card details stolen, or their bandwidth used in a malicious DDoS. Given the incredible amount of PCs that are compromised in general, this would seem inevitable without some education to prevent it.

Of course you can make a good argument that it was unethical to invade their PCs, but don't just dismiss the benefits of this out of hand. It's boring, and not really insightful at all.

Re:May I know your address?

[Spatial]

Why, are you going to perform a denial of furniture attack on my neighbours?

Theft from my house is making the analogy inaccurate. They didn't take anything but a minor amount of transfer bandwidth. That's about as serious as stealing the oxygen in my house by breathing.

The analogy would be closer if you simply got into my house without telling me (causing no damage), performed some pre-arranged DDoS with a security company who agreed to it previously, and then vacated, leaving everything as it was before you arrived. After leaving, you then proceed to tell me why you did it, how you did it and how to stop you doing it again. Later you tell the world about such things through a respected news service, in a report about the insecurity of houses like mine and the people who exploit them for profit to the detriment of others.

In that case, I wouldn't like it much but I wouldn't want to sue you or anything either. It would be embarrassing and annoying. I'd probably become quite conscious about the crappy security of my house and fix it up.

Re:

[ais523]

Given that the BBC has a program which, amongst other things, steals things from people then gives them back again (and then gets permission to show the resulting film on TV), I suspect if they were going to get in trouble for this sort of thing they would have done long ago.

Screenshot

[xororand]

Here's a slightly blurry screenshot of the wallpaper: http://www.heise.de/bilder/134489/0/1 [heise.de]

Re:

[aetherworld]

So they pay their fines and promise never to do it again. Still, I liked the demonstration. It's good for educating the not so technically inclined people among us.

Seeing someone else changing things on your computer, even if it's just the wallpaper is pretty scary for many people. More so than hearing anonymous reports about botnets and how their computer could be infected too. If you actually see it happen, you're more likely to be more cautious in the future.

Not against the law???

[RingDev]

If this exercise had been done with criminal intent it would be breaking the law.

So if I install software on your machine that you paid for, consume the bandwidth that you are paying for, burn extra electricity that is paid for by you, all with out ever even letting you know about it, so long as I'm doing it for finding a cure for cancer, it's perfectly legal?

What if I use that bot net to distribute the load of rendering animated gaping anal gay midget porn movies? It's not a crime to render animated gaping anal gay midget porn movies, so I have no criminal intent, so it must be legal, right?

-Rick

Re:

[Spatial]

It probably is illegal, this is the UK we're talking about. [google.com] Midgets could be construed as children!

Re:

[bickerdyke]

So.. if I smash a window to pull your unconscious body out of your burning house, that should be illegal just cause I should have ASKED you first?

And so your example _might_ even be legal, if you can give a *really* good reason for not asking first. And it should be one why you couldn't have asked, and not why you didnt want to.

Re:

[RingDev]

So.. if I smash a window to pull your unconscious body out of your burning house, that should be illegal just cause I should have ASKED you first?

Poor analogy.

This would be more akin to noticing that your door was unlocked, entering your house, helping themselves to the fridge, prank calling their friends, then waking you up and letting you know that your door was unlocked.

-Rick

Illegal and unethical to boot!

[unsupported]

This is both highly illegal and unethical. Illegal in that they accessed the PCs without the owners permission, they sent spam, and changed the settings on the computer.

Unethical even if their motive was not to do criminal intent.

It is like creating a "white worm" to patch servers from an unpatched vulnerability.

Re:

[PhilHibbs]

Journalists have a much higher degree of discretion when following legitimate investigations.

armchair lawyers

[Anonymous Coward]

Ah, time to bring out the armchair lawyers. Nevermind that the BBC has its own legal team that reviewed this activity before it happened. I'm sure all of you know better. Especially all you Americans who are well-versed in British law.

British computers only?

[dazedNconfuzed]

You SURE only British law applies? As noted in another post, when you start hijacking 22,000 computers on the Internet, most likely SOME of those will be in the USA (or other countries where such activity IS illegal). You sure those BBC lawyers know enough about technology to be sure that the activity was limited to British computers, and this did not actually risk becoming an international incident?

Re:armchair lawyers

[xorsyst]

Feel free to read the law [opsi.gov.uk] first. It's actually quite readable, even to non-lawyers. It looks like they might have some wiggle room with clause (3)(2) to me.

In other news...

[Dishwasha]

the notorious underground computer hacking group self-labeled /. [slashdot.org] deploys over 30,000 Anonymous Cowards to take down the BBC news website by maliciously posting a link to this news article.

Don't focus on the legality

[Reality Master 201]

Everyone's going on about how it's actually illegal and the intent doesn't matter (I don't know either way - it is Britain and maybe things work differently there).

What about the fact that some guys from the BBC were able to gain control of 20k infected machines on the web just for the purposes of doing a story? To me, the implications of that are far worse than any possible criminality.

Skewed views of the law

[grayn0de]

Way to go, BBC. You have moved past bringing the populace breaking news stories to creating them! I am looking forward to the next headline, regarding this. I think we all agree that gaining unauthorized access to another computer is, not only unethical, but illegal. I am surprised, being that this article is on slashdot, now, that the BBC is not already feeling the ramifications of its actions. I highly doubt they asked everyone in those chat rooms: "Hi, we are from the BBC, we would like to pwn your computer in the name of exposing cyber security risks. Is this okay, with you? Great, Thanks!"

Good to know!

[Exitar]

"If this exercise had been done with criminal intent it would be breaking the law."

So, if I run over a pedestrian with my car while absentminded I obviously have no criminal intent so I'm not breaking the law?

Re:

[Zerth]

No, that would be reckless endangerment.

You have to do it deliberately for a news piece on elderly drivers and why they can't miss a farmers market.

Re:

[Hatta]

So, if I run over a pedestrian with my car while absentminded I obviously have no criminal intent so I'm not breaking the law?

Only if you do so for "educational purposes".

Some information missing from the summary

[ais523]

Once the BBC had finished with their botnet, they changed the desktop background of all the infected computers to tell people what had happened and link them to this webpage [bbc.co.uk], which contains some information on how to secure Windows. Then, they uninstalled the botnet software.

Re:

[Yacoby]

Computer Misuse Act (1990) forbids the unauthorized modification of computer material. How is changing the desktop not modification of computer material?

It is illegal

[furby076]

Actually, hijacking any computer - even if you didn't do anything bad and were trying to demonstrate a security flaw - is illegal. There have been other cases in our past where someone wanted to show the flaws in security...all to end up getting arrested.

What?!? They destroyed it?

[rnddev]

They are apparently oblivious to the fact that DDOSing a site also means saturating the connection of the PCs involved in the attack which could have a critical function within a business. Do they even know the way that the backdoor application works? Is it possible that it is spreading through local shares and otherwise wrecking havoc on some network by propagating through some unpatched exploit?

"Click has now destroyed its botnet, and no longer controls any hijacked machines."
This quote worries me as they don't seem to understand what they're doing. Did they click a button that said "destroy botnet"? By destroy, do they mean wipe out some critical files?

Clarification

[awpoopy]

Let me fix that for you:
"[The BBC] managed to acquire its own low-value botnet http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm [bbc.co.uk] the name given to a network of hijacked MICROSOFT Windows computers - after visiting chatrooms on the internet. The programme did not access any personal information on the infected MICROSOFT Windows PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of

Unbelievable

[ppentz]

Ugh, I can't stand the attitude here. Botnets are a HUGE problem. People need to know if their PCs are hijacked and they need to be fixed. If my PC is hijacked, I want to know about it. Now. When someone's PC is used in a DDOS attack, isn't that illegal activity? I've always heard that ignorance of the law is not an excuse, so if someone is not aware their PC is being used illegally, their PC is still being used for illegal purposes ... should they be held accountable? If there is an activity that is *questionably* legal but can potentially help with the Botnet problem, I'm all for it.

I'm sure some were in the US

[JeanBaptiste]

if you go randomly grab 22,000 computers for your botnet, it's far more likely than not that some would be in the US. Even if they only targeted BBC registered users or something (didn't read TFA), there'd still be overseas users and such, some in the US. Not that I'm an expert, but I don't think they could reliably get computers from only inside GB.

Re:

[Timothy Brownawell]

I don't think they could reliably get computers from only inside GB.

Should be fairly simple with a decent GeoIP [geoip.co.uk] database.

Re:

[mjjw]

The BBC has a GeoIP database which they use to determine whether or not you are eligible to use services such as iPlayer. Whether or not they checked if the computers were in the UK I do not know, but they certainly could have done.

Re:

[bickerdyke]

Oh stop that egocentric rant!

Different countries have different laws. Cope with that!

Re:

[Carewolf]

I don't think entering a home through an open door and looking around is not a crime, only breaking-and-entering or refusing to leave are crimes. Maybe it is just that way in the US?

Re:

[Canazza]

Am I the only one who heard 'pointed sticks' being read out as if it were that Monty Python Banana self-defence sketch?