Did The BBC Break The Law By Exposing Botnets?

from the but-we-didn't-mean-any-harm dept

A TV show on the BBC is highlighting the ongoing problem of botnets — by acquiring one of its own and using other people’s computers in it to mount a DDOS attack on a security company’s web site. The BBC says it had the security company’s approval to do so, and that it didn’t have any criminal intent, making its action legal. But some people aren’t so sure, and say that intent doesn’t offer a way out under British computer law. A tech lawyer says it’s unlikely the broadcaster will face prosecution because there wasn’t any real harm done, but those whose computers were used in the attack might disagree and view the methods used to make a point about computer security as a bit extreme.

Companies: bbc


Comments on “Did The BBC Break The Law By Exposing Botnets?”

24 Comments
R says:

Re: Re:

That’s like saying that if you really cared about keeping your home secure, you should have a complete security system with armed guards, dogs, etc.
What the BBC failed to realise is that they not only acted against the security company, they committed the digital equivalent of breaking and entering against a large no. of people from various countries. If anyone actually succeeds in proving that their computer was part of the botnet, they will be charged under the British equivalent of the Computer Fraud and Abuse Act.

Headbhang says:

Re: Re: Re:2 Re:

No, it just means you are an ignorant and reckless moron.
Just like if you don’t look around while crossing a busy road or watch your step while hiking in the mountains. You are obviously not opting in to be run over by a car or tripping over and breaking your nose. You just happen to be an idiot unfit to do those things.

Anonymous Coward says:

Re: Re: Re:2 Re:

I agree that the user has not opted in but using the same house analogy let’s say that while you are vacationing, a criminal breaks into your house. This is most definitely illegal. However the criminal then throws a party at your house and charges entry at the door. Are guests at the party criminally liable for breaking and entering?

Andy (profile) says:

Stop shooting the messenger!

Oh for heaven’s sake. What’s the point of bleating about what the BBC did wrong, when it specifically set out to demonstrate the existence and extent of the problem? This is the same as firing whistle blowers who point out failings in the company they work for. Why the obsession with shooting the messenger? The people whose computers were used for this should just be glad that they were not being used for genuinely nefarious purposes. In fact, perhaps they already are!

If the BBC are charged it will be another case of law enforcement targeting the “low-hanging fruit” because they are not competent enough to catch real criminals and that is something of which they should be deeply ashamed. A case against the BBC would only highlight the failure to catch the real criminals and they would be well-advised not to go down that road!

Dan says:

And I am sure the BBC will take the next DDOS attack on their servers as educational and shrug it off. After all the attackers didn’t really intend to trash those databases, it was just meant to demonstrate the security hole. No criminal intent in that. WTF were those arrogant bastards thinking, they can’t even run a broadcasting network right, now they are computer security experts/white hat hackers. I think the proper nomenclature is criminal.

Paul G (profile) says:

@ PaulT

Unfortunately the reason that the BBC could compromise the users’ PCs is because the dumb idiots ignore/don’t understand the ‘Education’.

I support friends, family and the local community. 99% of them wouldn’t have a clue about the threat. Even if they did, they wouldn’t know what to do or where to start apart from pester me.

Lastly, of all the people targeted by the BBC there is bound to be one idiot who totally misses the point and starts legal action due to being violated in some way. I do hope the BBC managed to avoid infecting any machines in the USA as that bunch would sue their Mother if they saw a $1 opportunity.

PhilSB says:

BBC BotNet

Certainly good investigative journalism. Too many people have their computer and/or wireless networks wide open to attack.

What many UK PC users do not understand properly, is the level of risk they have exposed themselves to. When you get caught up in one of these botnets they don’t just take remote control of the computer, they quite often also have additional payloads, install keyloggers, and so much more. It would be easy to fit up a person for any number of criminal acts, without them even knowing, how they downloaded pornography, terrorist info, Infiltrate their bank account and/or Identity theft, Scary really.

Patching any OS, installing AV, and enabling Firewalls needs to be a mantra known to all. Anti-trust concerns are now causing more concerns than they are fixing. In particular, they bash Microsoft for putting the tools on the OS, users blame them for producing an OS, that does not protect adequately.

When a large web site I was managing, came under attack it was a worldwide selection of IPs, it was definitely deliberate, and targeted. Any company running a large web site will have scaled, and taken countermeasures. Always have a good relationship with your ISP.

No I don’t work for Microsoft!

Anonymous Coward says:

Should be thankful the BBC was in control

What about the flip side here. Your computer is infected by a botnet and will be used for malicious activity, pick one of the following:

A) Your PC under the control of a criminal gang without your knowledge

B) Your PC under the control of a BBC journalist using their own addresses for spam and a server that has approval to reveal the issue, then tell you about it so you can fix your PC and stop the problem before another gang is in control?

I think I know which one I would pick.

rwahrens (profile) says:

bad analogy

Whether you “allow” that access or not, if you leave the fsking door open, someone will get in!

Malware is chock full of not only botnet control software, but potentially, keyloggers and other bad stuff designed to steal your stuff.

So if we use your house analogy, it’s like going to bed at night, leaving the front porch light on, door open, and someone comes in to use your phone for illegal activity, stage attacks on your neighbor’s property, and steal all your wife’s jewelry as well as all your electronics, before they leave.

So yes, it IS your fault, even if you didn’t give specific permission for the break-in, and the cops’ll tell you you’re an idiot after they take your report. The least you can do is turn the light off and close the door. Most people put locks on their doors and use those to deny easy access.

Same with your computer. Buy a security app and USE it. Update your operating system, so it’ll pull the patches to stay safe as the vulnerabilities are discovered. If you don’t take these elementary steps, it IS your fault if you get compromised.

PhilSB says:

The BBC would quite likely be guilty of compromising some laws if not in the UK (Target Audience), then certainly elsewhere in the world. By participating in a BotNet style Activity, by using somebody else’s bandwidth, or computing time. When I saw this item, early Saturday, the computers participating as Bots were worldwide not just UK.

The secondary issue, is malicious intent, or use. In this instance there was none. They were merely demonstrating, to increase awareness, Opting in or Out is not the issue.

To respond to some other comments, Should governments, force everyone to have a certificate of computer competence, or computer driving licence, before they are allowed to use the Internet? Nanny state, Aunty BEEB, Hacker who wants to take advantage, take your pick.

Anonymous Coward says:

The house analogy doesn’t work, because there are many automated programs infecting machines out there that will scan for any opening and exploit it… without manned operation.

Not securing with a firewall and some sort of malware/virus scanner (both are available for free) is like blaming the person who taught you about rain, after you let your outdoor sugar pile melt away into slowly escaping, sweet, sweet syrup.
