What is the issue here?
What public interest would be served by a prosecution (if there was in fact any offence)? If none then this question is only of technical academic importance at best.
A controversial BBC Click documentary which involved researchers obtaining access to a botnet and sending spam is due to screen this weekend despite a growing storm of criticism. Security experts - including McAfee, a firm whose representatives appear in the programme - have described the exercise as misguided and unnecessary …
I'll say it again - the BBC were 100% correct to do this, even though it meant breaking the law.
Security Researchers would have been 100% right as well.
This action is only required because ISPs will not kick the zombies off their networks, the police don't care and MPs are too busy feathering their own nests.
If the audience are engineers, then you can do this in a lab and they'll be convinced.
If the audience are non-technical, then they have two assets engineering types typically lack: thick skulls (although the brain inside may be fine) and huge heaps of apathy-fueling doubt. (Doubt about whether the lab accurately reflects the Internet, for example. I know that particular doubt sounds highly technical but it's my experience that non-engineering types can shape their doubt reflexively to reject almost anything that might cause them to otherwise think about nerdy things.)
The way to get through to the non-technical types is to show them something actually happening, in the real world, so easily-done (or at least appearing so) that it makes it onto the TV news. Once you show that you click a few things and push a key and parts of the Internet fall off, non-technical folk get angry, pay attention, etc..
What's not clear to me is what the BBC want to accomplish by getting through to the non-engineers. New laws being made? Ratings?
Paris, because I'd like to get through to her, though I'd probably take a different tack than herding a botnet on camera.
Anything that makes users more aware of the perils of internet promiscuity can't be a bad thing.
I have to disagree with McAfee and Graham Cluley. Cluley says 'What if one of the compromised computers was at the Department of Defense or NASA? Does Spencer Kelly [BBC Click reporter] want to be the next Gary McKinnon'. Well, this would serve to highlight the fact that even high-profile industries can't get their act together as far as security is concerned which would only make it more obvious to people to be careful on the internet.
As for McAfee, well, it only exposes how problematic protecting their users is for them.
I personally think, on the whole, that the BBC is one of the few things we've still to be proud of in this country and the iPlayer is a prime example of the Beeb moving in all the right directions.
Agreed, sometimes their work is biased and sensationalist, but you can only hope people read between the lines. After all, they have to compete with the rest of the world's media who are only too fond of being overly opinionated.
Surely they're all mad because the BBC removed the trojan from the botnet computers. Something that maybe the security companies fail at doing.
On the ethical side, the BBC removed the trojan stopping any real criminals using it for much more malicious purposes. Doing something slightly illegal to stop something even worse in this case is obviously ethically sound.
'The PrevX researcher who participated in the programme, Jacques Erasmus, is on holiday in Namibia and couldn't be reached for comment'
Don't worry I am sure he will be back just as soon as he has helped the ex-Prime Minister of Namibia get his FORTY MILLION DOLLARS out of the country using the money the BBC lent him.
No because everyone understands what a car is and the obviousnesses about how to steal one or indeed make one secure.
Not everyone understands what the little grey box under their desk really does and as such when you say to them "you can take out any internet site of your choice" they go "yeah yeah, but what does that mean?" so then you need the practical demonstration.
Or were all your science lessons at school theory based with no experiments?
What they did was probably illegal, but it shouldn't be.
They didn't harm anyone, they helped a bunch of people, and while security researchers know about botnets, I can promise you none of my non-tech friends know about them so awareness does need to be raised.
Best thing that can come of this is computer misuse laws are changed to require proof of intent to harm or monetary gain.
That's not what happened though. Using your analogy, what the BBC did was demonstrate that they could give a quid to some shifty bloke on a street corner and he'd come back with someone's car with the keys in the ignition. The BBC then drove the car back to the owner and told them how to avoid having it nicked again.
I'm interested to see the show.....if it makes a few technophobes de-bot their PC then everyone's a winner.
If I understand correctly, the BBC did not infect any machines, it just got the wires to control machines already infected. At the end it made a modification to the machines to let the users know their machines were infected and how to fix them. Surely that is more good than bad.
The fact is, McAfee, etc, would rather you pay them to clean your machine rather than getting the BBC to do it for free. No wonder they are so up in arms....
My problem with the whole thing is that the BBC clearly stated in the versions already broadcast that "This isn't illegal because we are not doing it with criminal intent." Regardless of whether there were a public interest defense (or education research defense etc) covering the BBC, this strongly worded and definitive statement makes it appear that anybody is allowed to do this as long as they don't have criminal intent. The BBC giving legal advice in this manner is wrong particularly when people have been prosecuted for performing non-malicious actions such as typing "../../"
"if the Beeb were doing a program on car security, would they break into someone's car without their knowledge & drive it away"
A stupid analogy. The PCs in question had already been compromised. What the BBC did was more akin to telling an owner that they'd left their car unlocked with the keys in the ignition.
I think Eugene Goodrich's comments really hit the nail on the head. Showing a real-life zombie-net at work may wake a few people up.
Well now, if leaflet-deliverers frequently stole cars, used them to deliver adverts for fake drugs and financial scams, but later returned the cars so that the owner was none the wiser... maybe they'd have to, in order to get the car owners to notice and take action.
Not just the little people.
Regardless of their motives or the "public good", the law was broken. If they don't like it, work to get the law amended to allow this sort of exception *before* testing it out.
See here http://blogs.securiteam.com/index.php/archives/1261 for another Brit's take on it. I'm an American, so my opinion is only worth about 1/2 on this forum.
The Real Hustle - a BBC programme shown on BBC 3 I think, occasionally does exactly that. I can remember a programme where they took cars from an attended parking car park. OK it was a con trick rather than a break in but most illegal access to PCs is gained through users being conned into downloading or accessing something they shouldn't have rather than brute force through the network port.
My opinion is that if the DoD or NASA had a compromised PC they would want to know rather than not. Why shoot the messenger?
What the BBC did is clearly a breach of the law. The PC/Servers that were used in the attack had additional load added to them so the BBC could prove a point. This could have caused (and probably did cause) some machines to stop doing the task that they are put on the internet to do. This could be to host a web site, run email and maybe even provide critical services!!
The BBC should be commended for highlighting such issues but back handed around the head for doing it the way they did. If someone finds a flaw in the BBC's web site should that person then exploit it and take the site down/deface the site etc to prove that even large corporations need security? I am sure that if this was done the BBC wouldn't be quite so calm about it and would be looking to prosecute the person!
Don't you know that car analogies only work on Slashdot.
I have to agree with the majority of other posters, the BBC were completely right to do what they did in this documentary. The fact that people are kicking up a stink over it is a Good Thing[tm] because it just helps highlight the problem of zombie computers and the tied hands of those who are able to do something about botnets but can't because they could be arrested for hacking, and how governments & agencies don't care or don't have the necessary resources & scissors to cut through the red tape involved.
"if the Beeb were doing a program on car security, would they break into someone's car without their knowledge & drive it away"
Assuming for a moment that you intended that to be a question, and supplying our own question mark at the end of it, I can answer thusly: yes. I've seen it many times. They do a documentary on car security, they show somebody jimmying the door lock open, or fooling the sensor, or whatever. Of course, they don't show it to a reproducible amount of detail, but they show it to make a point of how quick and easy it is for a practiced thief to do - the shock value is what drives the message home to the viewers. "Oh my god, it's that easy for them to do, I'd better beef up my security." I've also seen them demonstrate how pickpockets and conmen work, as well as bank robbers etc etc. Why not? It's a documentary. It's gotta be documented. Otherwise what's the point? It may as well be a work of fiction.
the answer is yes
Because they did an item once on thefts from cars and how no one takes a blind bit of notice unless it's their car.
Oh, and it took someone smashing the side window in with a big hammer on a car parked in a busy road, ripping the radio out while the car alarm is blaring, then walking down the road holding the radio above his head while wearing a shirt saying 'I thieve from cars' before anyone called the cops.
Yes, they would, ever watched Top Gear? They'd probably buy the car first, but still...
I, for one, approve the idea, as they didn't infect the zombies in the first place, didn't use them to do any harm to anyone in any way, warned the zombies they were infected, and proved that the botnets are not only a problem when mastered by their creators, but also by any smart ass that knows enough about logging in to an IRC channel.
All in all, I'd call it a pretty good piece of television (though I haven't seen it yet... now, where's iplayer again?)
In the past, when crime journalism was to the fore of the tabloids and the broadsheets, (before it went all celeb shite) was it ok back then for them to pay bribes and give back handers to the cops?
Sometimes, you got to break the law to highlight the crime. It's called investigative journalism.
El Reg turning into Daily Mail with faux outrage and its petty battles with the Beeb. Please. You are embarrassing yourself.
If they wanted to do it with a controlled lab they could have gained access legally to quite a lot of their own machines and maybe some from the security company to build into their botnet. As they say it only took 60 bots to drop that server. And apparently they sent 500 messages per second yet the numbers struggled to reach over 2000 emails with 22k of bots.
The Beeb should have used a controlled environment rather than public computers. (I say public in a worldwide sense)
Why should there be one rule for a media outlet and another for security researchers? If any security researcher did this above ground and blogged about it, irrespective of the 'informing the public' argument they'd be up before the law, but the beeb is untouchable?
I think the unethical and illegal actions of the BBC and the complicity of Prevx is an advertisement to your future script kiddies. I mean, if BBC Click can do it easily and without legal recourse, why not everyone else?
Raising a bit more awareness among the gen. pub. would be good, but I suspect raising the blood pressure of a fair few BT/PCworld/other_toyshop helldesk operators is more likely. ("I've caught a botnet called windows firewall!!" etc...)
Absolutely no question it's illegal though. CMA makes no provision for "intent" - it's an offence to use any computer that you don't have (implicit or explicit) permission to use.
On another note, isn't there something in the CMA that makes it obligatory for the owner of a system to "take all reasonable precautions" to make their machine/network secure, or be held (partly) liable? In other words, if you're dumb enough to stick a vulnerable machine out there and it gets used for DDS/kiddiepr0n/something nasty - YOU are liable. Would that sharpen a few minds vis-a-vis online security?
The people who were told that their PCs were infected and how to clean them are probably pleased. That shouldn't be a problem.
If you want to be legalistic about it, you could think of it as implied consent. If a doctor finds you unconscious on the ground, he can assume you would like to be revived. Likewise it's perfectly reasonable to assume the owner of an infected PC would like to have it cleaned or at least be informed of the problem.
We've been following the letter of the law right along. Has that gotten us anywhere in battling the proliferation of botnets? Absolutely not. I applaud the BBC's attempt to make this issue much more visible to the public. And I doubly applaud their attempt to alert the owner of the bot-infested PC to clean it up. It's the least that should be done in every circumstance.
Intent plays a huge role here, and BBC's intent is clearly for the common good. More in the security community should be crying out for the laws to be changed so that botnets can be tackled head on rather than sitting around in some giant hand-wringing pity party of inaction. BBC's methods might not be the best way to change the sorry state of Internet security, but at least they're doing something, which is more than can be said for many.
Cue the "Death Wish" movie poster images...
''if the Beeb were doing a program on car security, would they break into someone's car without their knowledge & drive it away''
Well they do have a good programme ''The Real Hustle'' where they do exactly this sort of thing. I think that it is good as it really does show that the scams are possible.
It was on the international BBC World News channel yesterday. You can probably watch it online now.
IIRC they said they spent a few thousand dollars for the botnet which they bought over IM, and said they paid a bit over the odds. Without even considering the Computer Misuse Act that sounds well dodgy, licence payers' money going directly to cybercrooks.
And they said the demos were ok because they were only spamming their own accounts, but I bet they didn't have permission to hammer Hotmail or Gmail's servers.
It was interesting to see the botnet control panel, and how easy it was to take down a site, but not at licence fee payer's expense and criminals' gain.
Reg Webmaster, your site has been compromised and substandard Daily Mail code has been inserted into your database!!
Oh, sorry it actually IS an el reg story!? Bloody hell, the standards are slipping.
So, some lawyers say it may have technically breached a law but it is unlikely to be prosecuted, and some competitors to the security company that worked with the BBC said "the company does not endorse the approach taken by the BBC to raise awareness of the issue of botnets" (ooo, BBC must be quaking in their boots) <translation> "especially as they didn't use us to help!! Scream! Kick!"
This is a non-story, and has as much to do with McKinnon as apples with oranges. And that whole situation is wrong anyway, so why people are wishing it on the BBC...?
For every pointless and weak attack like this on the BBC, the more people realise how baseless a lot of its detractors are.
Well, I believe there should be an agency dedicated to actively infiltrating and patching these zombies, but they are also useful for governments too...
The AV good guys hide behind the questionable we-can't-touch-them-because-that-would-be-illegal "ethic", while the hackers completely disregard it. So the playing field can never be level.
Now we see hyperparasitic behaviour in this ever more complex ecosystem. Actually the hackers want to keep their zombies in good condition, and lock out and clean up competitors, as long as they retain control.
If someone actually does manage to clean up the zombies using antiagents, then the AV companies would suffer, so they seem to want this stupid situation to continue.
Congrats to Click for getting a few thousand zombies patched. Only another 15 million to go. :(
and I hope the Beeb win.
If they do, this will be a massive win for security researchers and curious people on the internet to play around with 'hacking' tools for 'research purposes' on other people's computers and get away with it.
What needs to be done to get the Met' to investigate this?
They do cons on people & tell them afterward, & only then give their money/wallet/mobile back. On one episode they got people to give them company bank deposits by saying the night safe was broken. No-one seems bothered by that series, which is analogous to the "car security" programme when they "break into someone's car".
Most people's attitude is like Homer Simpson's when he puts his arms round his television and says "Let's never fight again". Telly is godlike & therefore not subject to mortal law.
Horned Bill icon - 'cos it's all his bleedin' fault (heh)
This is not the Beeb breaking in and stealing your car. This is the Beeb talking to the car jacker and renting your stolen car and afterwards leaving it parked in your driveway.
Besides, someone already did the car security thing a few years back. Set out cars with surveillance systems and live cameras to show you a jacker getting into your car and making off with it.
As for Mc*cough*ee and their ilk, I personally have very little respect and even less trust for their industry. There is always that thought in the back of my mind that they would evaporate as companies if not for all these cyber criminals and various flavours of the minute chunks of malicious code floating out there. I detect a note of self-serving coming from their quarter each time they speak up.
*/ it would be a joke but I dread just how bad it really is...
For a start the 22 000 real computer users who presumably had f*#k all idea that their machine was some bot herders slave.
"What if one of those PCs was in the DoD"
After all the publicity over McKinnon how lame would that make the world's wealthiest defence administration organisation? They'd more likely change the screen saver back and follow instructions to get rid of it and hope no one noticed. I'd call that crocodile tears for a straw man.
They spammed 2 disposable free email accounts. Jack Straw's constituency account was not one of them. Who can say how many others are also on Hotmail.
They disrupted a test network. Which is designed for penetration testing.
And as for saturation advertising. I don't get digital. I have seen nothing about it. But my VCR is being set.
No doubt a prosecution under the Computer Misuse Act would be so simple even the CPS might do it. How many real prosecutions have taken place under this act?
Bot herders are in it for the money. Once you've proved you can do it that's the only motive. I find it astonishing all those ISPs bitching about how it "Would be" 8/10/12/20mbps if only the customers didn't clog up the net with YouTube,iPlayer streaming, bittorrents, Skype etc.
Not a sound about the thing most of their users are really steamed about. That customers don't want and would have disappear for ever.
Computer users can get connected to the internet with no training and no awareness of the hazards (to their privacy and finances at least but in worst case to their physical safety) in a way which is unthinkable with say a motor car.
Anyone who bought a car, got behind the wheel and drove onto the public highway with no training, no license and no practice who then crashed and ended up in a wheelchair would be thought nothing other than a complete moron. Yet people with as little awareness take equivalent risks with their finances and privacy on the internet every day.
Sure, with unlimited time and skills any single PC could be made a zombie. But there has to be a valence. Make building a bot net hard work and suddenly it's a *job* where they have to put in serious effort and time.
So shut up saying, "oohhh, it's against the law", "ooohhh, it's not right"; the Beeb are showing the general public what's going on in our secret little IT world. I think they've done the right thing, illegal or not. Security affects all internet users, and I know it's 99.9999999% of Windows PCs that are causing the problems. Or should that be 99.9999999% of computer users causing the problems? Is it time to have a computer driving licence?
I am glad the BBC are covering this. I think we need to let people know about Internet security and tell them what actually is happening. On my work router I have explicitly blocked port 25 to stop most bots if they happened to come into the network. There is no need for port 25 and unless there is a specific need, then I would open it.
Let people know what their machine is doing and get them to sort it out. Although I think Microsoft should be made to allow the updates to be done without the WGA.
Given the coverage this is getting on the interwebs, in a week or so there'll probably be a new BBC virus or two and a spate of BBC phishing attacks.
And then how will we know if we have a malicious virus, or if those clever Click guys are just involving us in their next programme using a benign virus that they wrote themselves?
Either way, I'll be looking forward to the Click coverage of these developments.
The problem with trying to do a demo or simulation is that it's just that -- a demo or simulation.
From a scientific viewpoint, a demo or simulation is just as good as an actual experiment. From an average person's viewpoint, this is not the case. A demo/sim has a certain underlying tone from a normal person's stance: IT'S NOT REAL!!11. Despite it looking really good, it's not real and therefore it must be treated with a healthy measure of distrust. And this is natural.
Showing what an actual botnet can do is scary. It adds a certain element of reality into the presentation that no sim can. Even when I watched the video, and I have a healthy amount of direct experience with botnets, I was a bit taken aback.
I remember giving a report in college about botnets and the massive amount of firepower it can wield (ironically enough I was using the supposed figures of acidstorm's botnet at the time). I remember seeing my audience giving blank/bored looks as I showed the terabytes/sec of bandwidth that could be used. If I had actually pulled out a small botnet and actively demonstrated the power it can use, I'm certain that no one would be uninterested in the room.
If this presentation removes 1 out of every 10 compromised Windows machines out there, the guys at BBC need to be given a Porsche/let loose in an all-girls Catholic school/knighted or given some kind of just reward.
Is what they did unethical? Perhaps. Unlawful? Maybe. Wrong? Bloody hell no.
So if a botter closes the hole they used to compromise a machine, they should escape the clutches of the law?
And are we to believe these guys walked into a bots4sale channel and didn't pay criminals for the loan of their botnet... which they then *tried* to dismantle... by unauthorised modification of the zombie PCs
Blatant Unauthorised Modification... hang, draw and quarter them.
As 99% of computer users are grossly ignorant of security issues, if the BBC doco raises awareness it can only be a good thing. In this instance, the programme - judging by what we've read - will make the public that little bit more aware of spamming scum and their tricks. Why is that a bad thing?
Knocking the BBC may be a pastime for utter filth like Tony Blair, Alistair Campbell and The Daily (Hate)Mail but what would you knockers put in its place? Fox News? Sky?
Wake up people! Until the shameful filleting by HMG after the Gilligan affair, the Beeb was our last bastion against the tyranny of New Labour and right-wing newspaper cartels.
As to McAfee's comments... yeah, right. Are El Reg readers the sort of gullible PC World shoppers who believe the FUD pumped out by the parasitic self-serving conmen in the AV sector?
There have been many cases of investigative journos paying crooks for something to highlight the issues, I can think of several cases where fake passports have been purchased, or guns bought, to help explain the story.
Complaining about the Beeb paying crims as part of an investigative report is plain stupid, when compared to the potential good that will come of the great unwashed taking notice and doing something to keep their PCs safer.
Clearly the exercise broke the law, but that is not the worst of it. The beeb has demonstrated that they are themselves completely clueless about the social engineering aspects of malware.
They put up a wallpaper notification that the user's computer has been compromised by a botnet. How does that play as helping clueless users? Next week we will be hearing about thousands of people seeing pop-ups on their computers claiming to be from the BBC, warning them that their computer is infected by whatnot and directing them to some site to get "cleaned" (in fact, to get more comprehensively cleaned out). There are already blackhats doing this, representing themselves as anti-virus software vendors; now they have a trusted trademark to pose behind, with a well publicised instance to lend credibility.
None of course.*
Your OS is patched and up to date.
You know responding to pings and letting all packets in through all sockets by default is not just leaving your front door unlocked, it's like leaving precise directions to your house posted on the walls outside every prison within 200Km of it with an invitation to drop in for tea and nibbles if Mr Ex-con is passing, along with a schedule showing when you're out.
Botnets are composed of the machines of thoughtless, lazy, stupid users who don't even realise they are causing a problem. Yes, "Nice shiny thing" can be dangerous.
If this raises awareness of just 1% of the people who are causing this trouble I'd say it's well worth it.
"Is not the BBC's remit to Inform, Educate and Entertain?"
I'd forgotten that under the deluge of uncritical re-cycled press releases of the BBC Web arm.
Even Horizon is showing a return to form after some deeply s"£t documentaries.
I'd forgotten that point. Quite right.
And lastly to those talking about "They broke the Computer Misuse Act."
Probably. As did whoever installed the 22 000 botnet clients I imagine. Which was not them.
I will ask again. How many prosecutions have been made under this act? How many were for installing botnet clients and how many of them were successful?
*But the "I'm too smart to be taken" attitude is very useful to smart operators of such schemes. You are likely to be so proud of your tech you miss the social engineering aspects. Nemesis is always waiting. She brings judgement and retribution to those harbouring false pride.
It's hard to believe the 'It's all right because nobody was hurt' and the 'they should be jolly grateful to know about it' arguments used by so many readers.
If a BBC guy paid a burglar to enter your house (let's say carefully, without jemmying a door or smashing a window) and leave a note on your kitchen table saying you should get better locks and an alarm fitted, I would suggest that the majority of viewers (probably most Reg readers) to get such a note would feel violated rather than grateful and that the BBC had broken the law. I know I would.
If, on the other hand, the BBC had paid said burglar to assess the security of each house and send them a letter detailing the findings for their particular house, I imagine most *would* then be grateful and probably respect the Beeb more.
The ends don't justify the means and anybody breaking into somebody else's PC deserves to fall foul of the CMA. There are ways of doing what Click has done without buying a Botnet.
We are deeply appreciative of all the support that has been provided on these comment pages. Please repost but this time include your email address or IP address, so that we can forward to you a small token of our esteem. Our continued success is entirely dependent on your cooperation and determination to oppose communist organisations like the BBC. Our business motto has always been "Ignorance is Bliss" and with your help we will continue to prosper under this banner.
So the BBC thinks it is OK to break the law as long you say you mean no harm by it and are making a documentary??
You don't need to rob a bank to explain the concept to people. If I see a car unlocked is it OK for me to get in, drive it away and then return it as a "warning" to the owner? The BBC didn't just warn users their PC was part of a botnet, they actually used them to send email. Is it now OK for me to use someone else's PC to send email as long as I tell them afterwards?
Anything they show in their documentary they could have staged or simulated. It's just computer graphics FFS. They are wasting our money on recording something a student could have knocked up in MS Paint.
Can't say I have any problem with journalists doing this as a one off, illegal or not. So what if they paid a criminal for access? You're deeply naive if you think the police and secret services don't do that on a daily basis already besides, they borked the botnet in question, assuming the end users could tell the difference between the BBC's "You are infected" message and AntiVirus 360's "You are infected" message.
What I'd really like to see is what disinfection advice they could fit on a windows wallpaper... TBH it should probably just say "Go buy a Mac" but it's more likely to recommend they do something dumb like advise them to go buy snoreton/whackafee.
...that the Beeb skimmed over. All the compromised machines were Windows boxes. Along with the "get updates" and "use a firewall" they should also have said "or use an OS that is not prone to such malicious attacks, such as Linux or OS X".
Obviously Linux and OS X are not going to protect you from phishing.
.... Fifth Columnists of the Sixth Estate in Seventh Heaven Manifestations/ Forward Positions? :-)
"The PrevX researcher who participated in the programme, Jacques Erasmus, is on holiday in Namibia and couldn't be reached for comment."
:-) That had me chuckling ..... and thinking how difficult it would be to find anyone Up the Jungle in Guerrilla Warfare.
"Well done BBC! ..... Fuck the desktop lawyers, we need more of this." .... By Anonymous Coward Posted Saturday 14th March 2009 10:07 GMT
Whilst it would not be my choice of words, AC, I thoroughly endorse and second the sentiments. Seems as if the BBC have found where their balls are and what their wedding tackle is really for, and what it can do for their partners and supporters, rather than for those who would think to usurp popular power and lead rather than follow public opinion and lead all by the nose to the grindstone. And not before Time, I would say, although in any sensitive, one can always expect Invisible Stealth and a Certain Protective Circumspection .... Softly softly, catchee monkey.
"Are El Reg readers the sort of gullible PC World shoppers who believe the FUD pumped out by the parasitic self-serving conmen in the AV sector?" .... By Sceptical Bastard Posted Saturday 14th March 2009 10:19 GMT
Most definitively not, Sceptical Bastard, and I presume you are a BBC Supporter, given your unambiguous retort .... Beeb-bashers FOAD. Another nail hit perfectly on the head. :-)
All that matters really.......reading the posts there's a definite need for education....
>they should also have said "or use an OS that is not prone to such malicious attacks, such as Linux or OS X"
Not true though is it - there are lots (and lots) of compromised linux servers. Just because the platform can be secured to a pretty high standard, doesn't mean it is.
Hostile traffic speculatively targeting our (RHEL) web servers is massive and would be successful if we were not on top of patching & security - across applications as much as OS. Much of this traffic originates from compromised linux servers. Targeting linux in DCs is worth the effort since they're full of powerful machines, with high traffic and on known subnets - and if they go for the unmanaged subnets, and are reasonable with demand, no one will likely notice.
OSX on the desktop has a measure of protection through obscurity - ie hacking tools are harder for muppets to use than under Windows and target machines are <1% on most ISPs....even so our Macs run additional 3rd party security and occasionally 3rd party patches partly because Apple are notoriously slow - but mostly because many of our users believe there is no malware (or maybe don't much care) and so don't worry about installing it.
Despite the obscurity, it happens - Google on the osx.iworkservices.a trojan for example - that's wild at the moment and commonly used for DDoS - and most infected OSX users have no way of knowing they've installed it.
Can I pay a criminal organization £2500 just to see if it works? NO
Do I know for sure what the money will be spent on? NO
Can I just tell the judge I was only interested in seeing if it works? NO
Can I be sure that whilst the BBC was using this botnet, it was not being used for nefarious purposes?
The BBC should be shot for what they have done, as a "demonstration" is simply not required.
The BBC reek of death.
I too at first thought it was strange that they didn't mention that you should use an OS or web browser that is not as prone to attacks as Microsoft's. Then it occurred to me that it must be the fear of legal action from Microsoft if the BBC were to suggest that its software was not as safe as other products.
If the security software, which I have purposely and consciously obtained and installed, warns me about a bot on my computer --- that's fine. That's what it's for.
If some third party trespasses on my network and PC to leave me messages, it is most certainly not fine.
I thought that was what the law was supposed to be about, but then, I am probably as naive about the law as I am about the efficacy of security software.
Anyone see the potential of some sort of hookup between the BBC and Phorm?
$30/1000 rather than c$300-$400 for US/UK zombies. So c$660 total for victims as they were 3rd world countries. Not sure if Turkey would appreciate being lumped in with Vietnam. DoD or NASA penetration was indeed a straw man.
Disabled comms with all clients at the end of the exercise.
Changed wallpaper to give BBC warning.
Only 60 bots needed to shut down a web site (not sure how many servers in host however).
Nice UI and a nifty range of tools to cause whatever kind of trouble you want. I am not condoning such behaviour, just noting that the UI looked like a bit of work had gone into it.
As they are all foreigners and the abuse (to their computers) all happened abroad how liable would the BBC be? Absence of malice. Victims all abroad in mix of countries, some of which probably don't even have computer misuse laws in the first place.
Level of awareness increase. Substantial.
Actual damage done. Minimal
BBC starting to grow some back. Priceless.
This was a clear breach of the Computer Misuse Act, a fact confirmed to me by a specialist IT lawyer with whom I work.
The fact that their intentions were honourable is entirely irrelevant. Meaning well is no defence to a breach of the law (although it may mitigate the sentence). Whether such activity ought to be illegal is a separate issue. It was extremely foolish of the BBC to engage in illegal behaviour and then to broadcast it.
>>'What if one of the compromised computers was at the Department of Defense or NASA?' <<
Indeed. And what if the BBC is actually run by lizard overlords intent on dominating the planet? And what if the person making the inane comment quoted above had to stick to the real facts of the case instead of thinking up scary fact-free hypotheses because there's not enough in the actual material in the story to get people worked up?
The basic fact is that most ISPs know damn well when a customer has an active botnetted machine because it behaves differently to your average box. They also know that many customers just don't care as long as they think their machine is working properly. 'I never put anything confidential on my computer so why should I worry?' is a very frequent response.
Since a pwned machine probably needs fdisk and a reinstall (for many users an expensive hassle - even if they do have installation disks), many a response to a report from an ISP that a comp is hacked will be for the user to change ISPs.
ISPs don't want to lose customers. Many customers don't care. Kudos to the Beeb for explaining why people SHOULD care.
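The post above says ISPs can tell a botnetted machine apart because it "behaves differently to your average box". The following is an added example (not code from any poster, the BBC or PrevX) of one such behavioural check run over constructed NetFlow-style records: a home PC normally hands mail to one or two relays, while a spam bot opens direct SMTP connections to many distinct mail servers, even at the low per-bot rate the programme described. The subscriber addresses, the relay address `203.0.113.10` and the threshold of 20 distinct destinations are assumptions chosen for the example.

```python
"""SMTP fan-out heuristic over constructed flow records (added example).

Assumes an ISP sees per-subscriber flow summaries (src, dst, proto, dport,
packets).  A host that talks SMTP directly to dozens of distinct remote
mail servers inside one observation window is behaving like a spam bot,
whereas an ordinary PC only talks to its provider's relay.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str      # subscriber address
    dst: str      # remote address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    packets: int  # packets seen in the flow


# Hypothetical ISP outbound mail relay: SMTP to it is expected, not suspicious.
ISP_RELAYS = {"203.0.113.10"}


def _constructed_flows() -> list[Flow]:
    """Constructed sample traffic, not real captures."""
    flows: list[Flow] = []
    # 10.0.0.5: ordinary home PC, some HTTPS browsing and mail via the relay.
    for i in range(6):
        flows.append(Flow("10.0.0.5", f"198.51.100.{i}", "tcp", 443, 40))
    for _ in range(3):
        flows.append(Flow("10.0.0.5", "203.0.113.10", "tcp", 25, 30))
    # 10.0.0.7: spam bot, low packet count per flow but direct SMTP to 60
    # distinct mail servers, plus a little normal-looking browsing.
    for i in range(1, 61):
        flows.append(Flow("10.0.0.7", f"192.0.2.{i}", "tcp", 25, 6))
    flows.append(Flow("10.0.0.7", "198.51.100.200", "tcp", 443, 20))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def smtp_fanout(flows: Iterable[Flow], relays: set[str] = ISP_RELAYS) -> dict[str, set[str]]:
    """Distinct direct-to-MX SMTP destinations per source, ignoring known relays.

    Sources that only ever talk to an allowed relay do not appear in the result.
    """
    fanout: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 25 and f.dst not in relays:
            fanout[f.src].add(f.dst)
    return dict(fanout)


def flag_spam_bots(flows: Iterable[Flow], min_distinct: int = 20,
                   relays: set[str] = ISP_RELAYS) -> list[str]:
    """Return subscriber addresses whose SMTP fan-out reaches the threshold."""
    return sorted(src for src, dsts in smtp_fanout(flows, relays).items()
                  if len(dsts) >= min_distinct)


if __name__ == "__main__":
    for src, dsts in smtp_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: {len(dsts)} distinct direct SMTP destinations")
    print("flagged:", flag_spam_bots(SAMPLE_FLOWS))
```

The caveat a practitioner would add: fan-out alone also catches a subscriber legitimately running their own mail server on a residential line, so in practice the check is paired with a per-subscriber allowlist or, as many ISPs simply do, with blocking outbound port 25 except to the provider's relay.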
Even though I still don't see a problem with the concept in principle, some good points were raised above about how it was carried out.
First of all, they paid a large sum of money to crooks for the access to the botnet. I wasn't clear about that from the initial description. That violates the no harm principle. Even though these 22000 computers were most likely compromised ahead of time, it supports and encourages the people who did it.
Second, I agree that the way they chose to inform the users was somewhat naive. Users should not be in the habit of trusting strange messages like that. On the other hand, I don't know what a better option would be, unless they could actually make the "bot" uninstall itself.
Car theft analogies and educating the masses? Amongst all the "blimey, great TV!" and "the Beeb did them a favour!" remarks, very few people can be bothered to see the flaws in the Beeb's masterplan.
As Simon Williams notes, it's one thing pointing out the possibility of a criminal act, quite another to be an accessory (or to give people an incentive to emulate this kind of thing), not to mention extremely condescending to actually exploit a person's possessions and then to inform them of what was done, instead of just telling them about the risks. Just because another programme is already doing this kind of thing and then saying, "at least we're not the real bad guys," doesn't make it in any way right. In fact, it's all rather reminiscent of the Brass Eye drugs episode where the parents of a girl supposedly susceptible to drug-taking fake their own deaths to teach her a lesson: juvenile and condescending (and, once again, real television emulates satire).
Apocalypse Later makes a crucial point: "Next week we will be hearing about thousands of people seeing pop-ups on their computers claiming to be from the BBC..." And this brings us to the point: the Beeb makes some sensational television, supposedly educating its audience, but the educational part gets the usual Beeb documentary brush-aside. I doubt that the Beeb are really that bothered at looking into the deeper issues, either.
Why is it that computer systems are so readily exploitable? Why should people have to immerse themselves in the tedious details of anti-virus software, firewalls, exploits, phishing attacks? If you buy any piece of non-IT equipment from a high-street retailer, there's nothing like the mountain of hidden-but-essential knowledge associated with that device that you see with IT-related stuff. Sure, there's all sorts of stuff that can go on with the telephone network, but even that can be managed in a better fashion than the pitfalls of Internet connectivity. So might we expect a grilling of the top players in the IT business about that, instead of showcasing dodgy "security" vendors whose businesses rely on the perpetuation of the insecure nature of consumer computing?
Sceptical Bastard writes, "Wake up people! Until the shameful filleting by HMG after the Gilligan affair, the Beeb was our last bastion against the tyranny of New Labour and right-wing newspaper cartels."
I think you've woken up too late to cheerlead for the BBC, Mr/Mrs/Miss Bastard. If you're taking the Beeb at face value, you're already imbibing from HMG's premier fear/hysteria-pipe.
Well, yes, they would all be Windows boxes. It is, after all, the most populous (and crackable) desktop OS out there.
I noticed that they also neglected to mention the more important numbers about their DDoS attack: the number of bots alone doesn't say much. You need to know the bandwidth available to them and how much of it was being used, though I can imagine that that would confuse the clicktards :-)
I won't pretend that Linux is 100% secure. It can't be. No kernel can. Same goes for the OS built on top of it, but at least there's enough variety out there to make it harder for the (shall we say) miscreants; and the size of the user base tends to make it Not Worth The Crackers' Time. (There'll always be a few who do it “because they can”, though. And I'm not considering network infrastructure.)
(Watched it at 00:30. Curiously, immediately after I heard the words "we will never be able to talk to these computers again", the screen blanker cut in. I couldn't have timed it better if I'd tried…!)
What the Beeb did was obviously against existing law. But a court may decide that their actions were justifiable. It's illegal for me to enter your house if I walk past and the door is open. And I wouldn't - or at least, I wouldn't do it to turn off the TV you'd left on. But I might, to put out a fire - and I would hope that any court would say that I was right so to do.
So the question is: where do the BBC's actions lie on the "Left on telly/telly on fire" scale?
My g/f has asked to have her laptop wiped and replaced with Linux. Just need to find out which one her uni approves of. Way to go BBC! Sterling advert for alternative OSs!
To AC @ 17:02, the BBC did say that Windows was the most vulnerable, but they could have made the point that other OSs are more secure a bit more forcefully. It would have been funny to place a Linux box on the net and hear the discussion.
"So, this PC running 'Linux' is on the internet, without firewalls, anti-virus or anything?"
"Isn't that really dangerous?"
"It would be if it was Windows, but Linux (and OS X) are much more secure. There is still a chance of someone breaking in, but it is much harder and even if they did they will find that the OS is much tougher on what they can and cannot do."
"So you don't need firewalls or anti-virus software for Linux or OS X?"
"I wouldn't go that far, but it is much less critical than Windows. It's still a good idea to run a firewall, especially if your PC is acting like a server. Say for big games."
"And how much does Linux and OS X cost?"
"Well OS X you only get with Apples, so its price is in the cost of the new Apple. Linux can be free, or you can choose to pay for support."
"Sorry - you said 'free'"
"Yeah - lots of the big companies do a free version."
"For a totally secure OS?"
"Well, not totally but much better than Windows."
"Yes, free. As in, no money."
"So if Linux is free, why are so many people still running Windows and being infected?"
"A few reasons. 1) People just don't know about Linux, 2) People resist change, 3) Anti-competitive (some would say illegal) practices by Microsoft to force lock-in and make it much harder to change"
But I guess that may have transgressed their neutrality (i.e. MS would probably have gone to court over it).
All this whining by the security industry makes me want to throw up. They have been preaching "security awareness" for years without so much as a scratch on the surface. Along comes Auntie, and in 6 months (if that's how long it took for the programme to be put together) has done more than the security industry has in God knows how many years.
The BBC probably did break the CMA, but as a previous poster indicated, that's more to do with a badly written law. I am more than happy for my licence fee to be used this way.
"...You know responding to pings and letting all packets in through all sockets by default is not just leaving your front door unlocked, it's like leaving precise directions to your house posted on the walls outside every prison within 200Km of it with an invitation to drop in for tea and nibbles if Mr Ex-con is passing, along with a schedule showing when you're out."
Not only should you Google "bob the angry flower apostrophe" at the earliest opportunity, but you are... let's be polite and call it "mistaken", if you think that "responding to pings" is some sort of security risk. I stopped reading at that point.
Persons known to me were approached to be involved in the programme; the phrase "wouldn't touch it with a bargepole as we enjoy having careers, rather than porridge" popped to mind, like, immediately. Believe me, if you work in the industry it's pretty important to have a good mental image of where the legal:illegal line is drawn. Plenty of promising infosec careers have gone down in flames because of a moment's thoughtless "sure what the hell, let's take a look" response to a situation like this; that's why the actual security people quoted in the Reg piece are pretty much unanimously saying "this is almost certainly breaking the law". Notice I'm not taking a position on whether it was a right or wrong thing to do, morally. (That's not my department, said Wernher von Braun.) However, if there's some sort of unwritten public interest law that enables the BBC to do this sort of thing then can we see it tested in court, please? 'Cos otherwise we're going to see a lot of kiddies trying it out as a defence when they get nicked.
Note: I loathe and despise the Daily Mail, and this is not some sort of "bash the Beeb" agenda (although there are plenty of things I like to moan about, like Newsnight being on BBC 2 at 10:30 rather than 9pm on BBC 1, the complete dearth of anyone who's not embarrassed to appear knowledgable about science, technology or engineering (oh god, please shoot me before I have to writhe through another John Humphries interview... "so, this, this - ``computer'' thingy -- you just sort of, like, make them work, right?" I'd love it if they swapped all the arts grads presenters out for some people with actual clue about stuff that matters, who then say stuff like "so, tell me about this ''house of commons'' thingy, it sounds terribly exciting" when interviewing a party leader... </rant>
"If the security software, which I have purposely and consciously obtained and installed, warns me about a bot on my computer --- that's fine. That's what it's for"
Which suggests you are not a member of the group of people causing the problem this programme addresses.
This was a show for the people who don't have "Security" software on their PC, didn't know they needed it and did not know what *can* happen if they don't have it.
"it's all rather reminiscent of the Brass Eye drugs episode"
Er,no. Brass Eye satirised the *media* obsession with this, not the problem itself.
Getting celebrities to voice over complete b*((*cks proving that they knew as little about the subject as some guy in the street was particularly amusing. IIRC Only Desmond Morris told them they were talking s*(t (Depressed elephant commits suicide by inserting trunk in rear and suffocating).
"Sure, there's all sorts of stuff that can go on with the telephone network, but even that can be managed in a better fashion than the pitfalls of Internet connectivity. "
2 words. Communication & evolution
A telephone is *only* useful in a network. From day 1 inter-operability had to happen. The GPO was formed to effectively nationalise competing but incompatible UK phone networks.
This need for absolute inter-connection from exchange to exchange anywhere on the globe was handled by global authorities setting global standards for all levels of the process with long pay back periods on plant (GPO was 40 years, not sure what it is now) and corresponding rigorous change management on the software.
BTW Microsoft Exchange was originally named for the plan to use NT to drive company switchboards. 1 problem. Comms managers do not expect to re-boot their PBX. Ever. You don't hear much about this side of Microsoft's business these days.
The downside: it's a lowest common denominator network. Only speech is guaranteed to work everywhere end to end.
Computers of all sorts can (could) have useful lives with no connection to anywhere else. Talking to another site was rather avant garde to begin with. Before you could say supplier lock in all hardware at both ends of a line (any line) had to come from the same mfg.
These closed systems often only got opened through a lawsuit. The need to get these different servers to allow access to data from other servers and the resulting free market drove TCP/IP development.
"Why is it that computer systems are so readily exploitable? "
They're not provided you don't connect them to a network and don't transfer data to them with infect able media. You create work and print it off or transfer it to disposable, never re-connected media.
Like having a car without a license. You can drive it around your property but you cannot go anywhere.
But you want convenience as well. Then you need to carry out elementary precautions which have become easier over time, and in later versions are on by default.
But let's be honest, some cars have way better crash safety and break-in security than others.
Oh look, Windows is pre installed.
Nothing for me to worry about.
Bright shiny thing. Pretty.
Computers have quite substantial abilities. If you don't realise their power that's because someone has worked hard for you to harness it. It does not mean it cannot cause you harm.
"we already know that botnets exist and how they work"
You may. The large majority of the GBP do not. It never begins to cross their minds that at least some of the spam in their personal email in-box *might* have come from *their* own computer, and I dunno, maybe they're like, *responsible* for doing something about it.
Ignorance is curable. Stupidity is forever.
Hasn't all this BBC bashing taken the spotlight of the security companies and anti-virus publishers?
If I had paid for virus protection/a firewall program and then got a desktop background saying that the beeb had been in, my first thought would be, well what am I paying good money for these programs for?
By jumping on the BBC are they hiding the fact they haven't put enough into preventing this happening in the first place?
I am well aware that not all the 22000 computers will have been running an active firewall or anti-virus, but surely some will have. I applaud the BBC for what they have done, whilst it may break some domestic laws, and maybe some international laws as well, they have rid the internet of 22000 zombie boxes and highlighted the need for a bit more savvy internet usage!
Just my 2p..
I'm sure it's not just a matter of someone fixing 22,000 PCs and the security guys not getting money out of it.
I'm also sure it can't be that security guys' wealth relies on the existence of bots. Nah, can't be. I'm sure. They couldn't be that cynical. Or could they?
Thank you for taking the time to police my missing apostrophe. I normally run my Word Processor's "spellcheck" function over my submissions but this time I missed one. Mea culpa.
I trust the previous sentence met your parsing standards and you are still with me.
I have also Read "Bob the angry flower." What an angry little flower he is.
The American fondness for using "mode" and "task" as verbs must have you frothing at the mouth.
I'm sorry you could not do me the courtesy of reading the rest of my post but I'll try and finish yours.
"if you think that "responding to ping's" "
If I'm mistaken please explain. It's always interesting to listen to professionals. I'm more an interested by-stander where computer security is concerned. My time and experience are limited. I try to keep it simple.
On a corporate network linked to multiple internal servers no doubt there are all sorts of information request packets flying about. Perhaps that is your environment.
It is not mine. I do not serve any web pages from this machine, or any other kind of web service. It does not have a mail client on it. There is no remote support contract covering it.
So why would anyone legitimately be trying to find out if this IP address is in use?
Your Para 2 does not need comment but I would be interested if your friends have any idea how many actual prosecutions have occurred under the Computer Misuse Act. I have 126 for 1990-2006, but perhaps they are more up to date.
Para 3. John Humphries may or may not know what they are talking about but part of this is trying to appeal to Mr & Mrs Average Licensepayer.
However you might like to look up Taylor Mali's poem "Like Lilly Like Wilson" on YouTube for the idea of bad speaking habits leading to bad thinking habits. I think we can agree on that.
Ignorance of Science and Maths is not only acceptable in the UK, it it almost applauded.
Who needs a science degree? You look good in a suit, enunciate clearly, cultivate the right friends and do exactly what your party tells you. £60k a year, mortgage benefits and extremely MP friendly expense claim arrangements are just around the corner.
Good luck with changing that attitude. It may take a while.
On a side note and not to be pedantic but it's "knowledgeable," not knowledgable.
I always try to respond to anyone who specifically replies to me as quickly as possible given the other calls on my time.
" You need to know the bandwidth available to them and how much of it was being
IIRC the program said all bots were on broadband connections. No idea what the usual level of broadband in Vietnam is however. They also said the spam rate on each bot was fairly low so users would not see a radical slow down.
An alternate question on the DDOS might be what is the bandwidth of the pipe into Prevx's (backup) web site and how does that compare with some of the major names.
Exactly why did the BBC feel the need to pay for a real botnet, when the creation of one as a test would have served just as well and be an example of the ease of creation?
I'm looking forward to the next BBC documentary on Drink Driving, where a researcher gets pissed and weaves dangerously through the streets.
"BBC, we already know that botnets exist and how they work, you really didn't need to go out and give some of our licence money to some criminals and do all this."
You ask most of your relatives who don't work in the computer industry about botnets and see how much they know about them.
"Er,no. Brass Eye satirised the *media* obsession with this, not the problem itself."
Let's re-read what I wrote, shall we? Or perhaps read it for the first time in your case...
"In fact, it's all rather reminiscent of the Brass Eye drugs episode where the parents of a girl supposedly susceptible to drug-taking fake their own deaths to teach her a lesson: juvenile and condescending (and, once again, real television emulates satire)."
This was nothing to do with "Getting celebrities to voice over complete b*((*cks", or "bollocks" for those people not oversensitive about their language. The satire was about the way in which people, in order to "bring attention" to a problem and to prevent bad things from happening, actually cause more harm than the most likely outcome had they not bothered. Of course, the material was meant as an exaggeration of what people do in real life - that's what satire is all about - even though Chris Morris then dabbled with lobbying members of parliament.
Whether it's the media or whether it's special interest groups (courted by the media) who behave in the way described is peripheral to this discussion. The producers of a BBC documentary paid hard cash to take over a botnet, interfered with people's computers and then said, "So that's what a botnet is, everyone." The shoe fits, somehow.
Dear BBC, I am not sure how armed robberies happen or how child porn rings work - please could you demonstrate these? Ideally you'll carry out a big heist on a large bank with gold rather than notes as those seem to be the bigger events that I don't know about and you'll set up and run a multi-terabyte porn server using encrypted channels and transfer/watch lots of illegal material.
All of this should be recorded in Hi-Def because that would make better court evidence after you've broken a few more laws in this country.
You'll have to bear with me as I saw Brass Eye some time ago so I'm going from memory.
Brass Eye's targets were threefold. Uncritical media outlets who will whip anything into a moral panic. The pressure and special interest groups who will take advantage of that uncritical attitude to turn a storm in a teacup into a tornado. And the well meaning (but let's say suggestible) members of the public who over react, sometimes hysterically.
Their method was to concoct a (just barely) plausible story about something similar to some story currently obsessing some parts of the media. The issue would have been unmasked as bogus by a few minutes' checking by a mildly interested hack. This would come from some non-existent charity or pressure group, which a few more minutes' checking would have also revealed as nonsense.
Backing this up were the celebrity endorsements. Here the point was the "Halo" effect. X is trustworthy, they say it is so, so it must be. The point here is that part of the value of such people is that the general public trust them. Their point was it was staggeringly easy to get people to endorse their rubbish with almost no one saying "Hold on, this is rubbish."
This is the part I remember most fondly and which I mentioned. All done against a backdrop of loud intrusive music and impressive, but basically meaningless graphics.
This was usually followed up by supposed members of the general public who were reacting to the "Threat" in a fairly excessive fashion. The interviews IIRC were typically conducted in a fairly condescending fashion as befitted someone interviewing someone whose moral panic they had actually caused while they themselves can't understand what the fuss is about.
I would suggest there is no existing moral panic in the mainstream media on spam. No pressure group making outrageous claims about its harm and no celebrities acting as media spokespersons about it.
So no I don't see the similarity to Brass Eye.
Highly vocal pressure group. No.
Vocal pressure group inflaming situation. No
Over reacting members of the general public. No
Click's presentation was low key and stated it was not that easy to get control of a botnet in the first place. When done they informed all victims of what had happened and what to do about it and disabled any further control of the bots. The common ground with Brass Eye and Chris Morris in particular would be the hope that people are a bit less trusting and a bit more critical.
Could it have been done without a live demo? Once again, for the *target* audience I don't think so. I'm with Eugene Goodrich (earlier post) for exactly those reasons. Unless you told them it was real but used a simulation. That's lying to the audience. It fails as soon as it becomes known, as the next thing you tell them will be met with "Well they faked it last time so why should we believe them this time."
"producers of a BBC documentary paid hard cash to take over a botnet."
Ever noticed the title "Fixer" on BBC documentaries in foreign and often violent countries? They help get interviews and help the film crew avoid trouble with the local "authorities," who might be just a bunch of guys with automatic weapons. Sometimes smiling politely does not work.
Time for Mr Green to make an appearance. America may be hated widely but there's one product of their economy which is welcome nearly everywhere.
Any sort of rogue trader / watchdog type programme has probably made initial payments to crooked tradesmen, often with criminal records.
This must come as quite a shock to you.
As for the amount. $660 US (at tonight's closing exchange rate) is £458.33. Not quite enough for a round trip to the US to do some filming but likely adequate to order a murder in somewhere like Pakistan or Afghanistan. Or 0.002291% of what Jonathan Ross was trousering prior to his little "vocal malfunction."
I'm no Media studies student, but I am a student of the media.
NB. I'm sure most people here (including our moderator) can cope with bad language. However it's a presumption which can be inaccurate. I grew up reading Mad magazine, which itself was the product of an early moral panic about comics in the 1950s, when they were "Corrupting youth." I am cautious about anything that might be read by at least half a dozen total strangers, which would include anything on a bulletin board or email system. And I still had a complaint about a misplaced apostrophe.