BBC Click paid cybercrooks to buy botnet

BBC Click has admitted paying cybercrooks thousands of dollars to buy access to a botnet as part of a controversial cybercrime investigation, broadcast over the weekend. In a website story accompanying the heavily-promoted report, BBC Click reporter Spencer Kelly explains how licence fee payers' money was used to buy access to …

COMMENTS

  1. Albert
    Thumb Up

    I saw the program and thought it was a good idea

    I think a program like Click showing the effects of not having adequate protection when connected to the internet is exactly what is needed. Most people only see the threat to themselves and not the threat they create for others.

    Also, at the end they instructed the machines to remove the BOTs so doing good for the people who were infected.

    It might be a bit grey legally, but I think it was great.

    Also, the statement from the article ‘Much of what BBC Click found was already common knowledge in security circles, if not to the wider public’ is interesting, as I would expect the wider public are clueless on this.

  2. Anonymous Coward
    Coat

    pay for the IPs

    1. hire botnet

    2. point at honeypot

    3. capture ip addresses

    4. add to a block list at the ISP level.
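
Steps 3 and 4 of the commenter's proposal (capture the source addresses that a hired botnet throws at a honeypot, then turn them into an ISP-level block list) are the only part of it a defender can actually implement without touching anyone else's machine. The block below is an added example written for this page; it is not code from the BBC, from Prevx, or from the commenter. The honeypot log format, the `src=` field, the hit threshold and the Cisco-style ACL output are all assumptions, and the sample log lines are constructed (RFC 5737 documentation addresses stand in for public IPs).

```python
"""Honeypot log -> ISP block list (added example, not code from the page).

Parses constructed honeypot connection-log lines, counts hits per source
address, drops addresses that can never be a bot's public source (RFC 1918,
loopback, link-local, CGNAT, multicast), applies a hit threshold so a single
spoofed or stray packet does not get a whole household blocked, and renders
the survivors as Cisco-style extended ACL lines. Log format, field names,
threshold and ACL syntax are assumptions for this example.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: what a honeypot's connection log might look like.
SAMPLE_LOG = """\
2009-03-14T10:00:01Z honeypot conn src=198.51.100.23 dst=203.0.113.5 dport=80
2009-03-14T10:00:01Z honeypot conn src=198.51.100.23 dst=203.0.113.5 dport=80
2009-03-14T10:00:02Z honeypot conn src=192.0.2.77 dst=203.0.113.5 dport=80
2009-03-14T10:00:02Z honeypot conn src=10.0.0.9 dst=203.0.113.5 dport=80
2009-03-14T10:00:03Z honeypot conn src=198.51.100.23 dst=203.0.113.5 dport=80
2009-03-14T10:00:03Z honeypot conn src=not-an-ip dst=203.0.113.5 dport=80
2009-03-14T10:00:04Z honeypot conn src=192.0.2.77 dst=203.0.113.5 dport=80
2009-03-14T10:00:05Z honeypot conn src=203.0.113.200 dst=203.0.113.5 dport=80
"""

# Ranges that cannot be a bot's source address as seen from the public
# internet. Listed explicitly rather than via IPv4Address.is_global because
# the constructed sample uses RFC 5737 documentation ranges as stand-ins
# for public addresses, and the stdlib classifies those as non-global.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

SRC_RE = re.compile(r"\bsrc=(\S+)")


def parse_sources(log_text):
    """Yield one validated IPv4Address per log line carrying a src= field.

    Lines without src=, with an unparsable address, or in a never-block
    range are skipped, so one garbage line cannot poison the list.
    """
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if addr.version != 4 or any(addr in net for net in NEVER_BLOCK):
            continue
        yield addr


def build_blocklist(log_text, min_hits=2):
    """Return [(address, hits)] for sources seen at least min_hits times,
    busiest first.

    The threshold keeps one-off scanners and single spoofed packets out.
    A real deployment would also age entries out: the machines behind
    these addresses are infected victims on dynamic IPs, and the address
    will be reassigned long before the infection is cleaned.
    """
    counts = Counter(parse_sources(log_text))
    hits = [(a, n) for a, n in counts.items() if n >= min_hits]
    return sorted(hits, key=lambda t: (-t[1], int(t[0])))


def render_acl(blocklist, acl_id=101):
    """Render the list as Cisco-style extended ACL lines (illustrative only)."""
    lines = [f"access-list {acl_id} deny ip host {a} any  ! {n} hits"
             for a, n in blocklist]
    lines.append(f"access-list {acl_id} permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_acl(build_blocklist(SAMPLE_LOG)))
```

With the sample above, the private 10.0.0.9 and the malformed line are discarded, 203.0.113.200 falls under the two-hit threshold, and only the two repeat sources reach the ACL. Note what this does and does not achieve: it keeps the bots away from the ISP's customers, but every address on the list belongs to an infected victim, and nothing here identifies the controller.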

  3. Simon
    Dead Vulture

    Be kind to the BBC El Reg!

    Umm, yeah, shock horror, anyone who watched the program knows that they paid for the botnet. They said so in the program!

    The episode about botnets was the most interesting thing they have ever done on Click and was worth the money that they paid. I'm sure the cost of making it was cheaper than a typical "On location" episode they do, for example in the US.

    There is a teeny bit of negative reporting here in your article El Reg. The click episode was done in the name of education, so it *Can* be ok to bend the rules sometimes. This is similar to health programs that show full frontal nudity, normally it wouldn't be allowed, but that word "Education" pops up again.

    Of course the people who will be throwing their arms up in horror will be the ones who didn't watch the program, "Oh noes, the BBC are paying money to criminals, I want my license fee back!" or cynical press ;-)

    If the BBC get into trouble then they are going to lose the ability to show groundbreaking events like they have here, it will be a sad day.

  4. Toni Koivunen

    Load of crap

    If PrevX has loose morals and deliberately chose to aid in unlawful access, let it be so, but they should at least have the balls to take the heat instead of trying desperately to point fingers at others.

    Unlawful access sure as hell doesn't come "with the turf", no real researcher does that. There are ways to do things legally and what BBC and PrevX did was not legal. I hope the DA's in Britain have the sense to drag their asses into court.

    You don't go around killing and torturing people "to show the general public how it's done". Big load of crap and I hope they'll pay for that. I would not work with anyone, or give any sensitive data to anyone with the morals that BBC and PrevX have displayed, ever.

  5. N1AK

    Before anyone uses "The real hustle defence"

    In earlier discussions, a lot of uninformed people have spoken about how tricks used in shows like "The Real Hustle" work the same way and are useful for informing the public. What they ignore is:

    "The participants featured in The Real Hustle have either been set up by their family and friends or believe that they are participating in another television programme. After they have been hustled for real any monies or property taken during the hustle are returned to them and their consent for the item to be broadcast is obtained so that viewers can avoid being ripped off by the same scam."

    There are numerous issues with the behavior of the BBC in how it handled this issue, relating to Vigilantism and funding crime and I covered these on my own site: http://john-graham.me.uk/?p=61

  6. James
    Thumb Up

    Go BBC. Stop stirring El Reg.

    I know you don't like them and all but thumbs up to the BBC. Who gives a shiny shit if it was on a US military computer, they did it from here and caused no damage. In fact they helped them out by identifying the computers they used.

    Why do you write that ZOMG!!111! it may be on US mil computers when it would be more of a problem if it was on UK citizen computers.

  7. John Smith Gold badge
    Flame

    Straw men and FUD

    In the program they stated they paid 30 USD/1000 bots because they were *not* in either the UK or the US and that would have made the price about 10x higher.

    $660 US, that's < £500 even with our crap exchange rate.

    Please note el reg readers are not really the target audience. It is what can happen to un-suspecting, lazy and plain dumb users.

    Doing it this way was exactly the same as the EFF building hardware to crack the DES and writing a book about it. The NSA maintained DES remained secure *years* after non vested interests stated it could be broken now given custom hardware. Up to that point it could be argued "That's just an opinion." After the hardware was running NSA accepted that a new standard was needed. Hence AES at 256 bits.

    Sure, if all the public agreed un patched, un firewalled machines are unsafe it would be unnecessary. But if even a (US) government body denies it until the proof can be read in an email this is not an unreasonable approach.

    My one regret. They said 60 bots could shut down a website but gave no indication of what was hosting it. How many to shut down one of the big boys?

  8. Anonymous Coward
    Unhappy

    "All parties agree that there's unlikely to be a prosecution"

    As a license fee payer, I haven't agreed to any such thing.

    The law does not require intent in order to press charges. It does however need a CPS which acts in the public interest rather than in the interests of government/BBC/big business, which is what we have at the moment. Couple that with a Home Secretary who fails to realise that she is a public servant and is expected to look after British citizens, rather than summarily hand them over to foreign powers without any evidence, and we have a nicely stitched up system.

  9. Michael McLean

    What a load of Crap

    Being honest, I think it's a good idea to change the wallpaper of the idiots (those that have not updated or clicked a link etc in an email and infected themselves) so that they know how stupid they have been.

    I am sure they would find that better than going the other way and just blocking their PC from accessing the internet as a whole.

  10. Anonymous Coward
    Thumb Up

    Justified, utterly without reservation

    1) The BBC were 100% justified (as any researcher would have been) in committing this crime in order to prevent a greater crime.

    2) They hacked into diddly squat, the machines were already compromised.

    3) So what if the machines were military; that is the fault of the military for not securing their systems!

    4) Most people have no idea what a botnet is, so this program is a public service and (hopefully) a major eye-opener.

    5) Their only mistake was in failing to point out CLEARLY that all the infected machines were Windows based and other OSs are orders of magnitude more secure.

    To my first point - ISPs should be following this lead and using similar tactics to identify and remove drone PCs from their networks. I would go even further and say that prosecutions should be considered for those with drone PCs, specifically for those who have not taken reasonable measures (e.g. firewalls etc). Their negligence places us all at risk.

  11. Anonymous Coward
    Anonymous Coward

    Disgusting

    This was bad enough even without the "thousands of dollars". Now it's disgusting. Have they any idea where that money is going? What further crimes is it funding?

    I do hope they get a visit from the police. Isn't the "paying money to criminals" bit illegal, irrespective of the computer misuse issues?

  12. Anonymous Coward
    Thumb Down

    The real crime is doing nothing.

    Millions of PCs are infected and members of botnets.

    Users don't know that the PC they use for online banking and to store their precious information is being controlled by criminals. ISPs do little to help.

    If the BBC help inform people about this major issue then that's great.

    Now get back to work and report something that matters.

  13. Anonymous Coward
    Pirate

    Unethical, illegal

    So the BBC paid thousands of dollars of licence fee money to Russian criminals. I hope BBC accountants, if not the police, followed that one up. And so the BBC met these Russian hackers in Moscow. um kay.

    Legally they shouldn't have used the botnet at all.

    Ethically, the right thing to do was notify the victims of the botnet at the first opportunity, then seek consent to continue. Not exploit their computers and internet connections, and then tell them it could have been worse next time.

    And explain this to me; how did the BBC remediate all 22,000 PCs, some of which were presumably switched off at any given moment? All of which were running a range of operating systems/diverse locales/variety of software configurations.

    Perhaps the operators of the botnet are cursing the day they left a self destruct button in Spencer Kelly's hands, but I doubt it. I don't think they remediated those systems at all.

    And as for the claim they set a desktop warning, what the hell use is 'you've got a virus' as a warning to someone who doesn't speak English?

    Something about this reeks of lies, corruption, or fakery.

    There is a phone vote on next weeks program (your votes decide).

  14. Duncan Hothersall
    Flame

    Shut up you moaning twats

    For fuck's sake, if this educated one non-technical viewer about the realities of botnets then it was worth doing. Security companies don't want that education because they make money out of people's ignorance! What the fuck is El Reg doing laying into the Beeb for this? It's really fucking unnecessary. Get your fingers out and get a story up here supporting the BBC who were doing a good thing here.

    For the first time, I'm tempted to use the Death of El Reg icon in earnest. What the fuck is wrong with you? Sort it out.

  15. Jason Bloomberg Silver badge
    Flame

    "Misguided, unnecessary and unethical ..."

    ... but job well done if it has taken those bots out of the botnet and keeps them out.

    Sure, it's dodgy ground the BBC are walking upon - particularly when it seems so many have a BBC-bashing agenda across a wide spectrum - but this is where the "for the greater good defence" card gets played.

    Yes, we all know botnets are out there, we all know the problems they cause, and we all know the difficulty of the law that prevents us from walking up to everyone of them and taking a sledgehammer to them ( before setting them on fire, then pissing on them to put that fire out, and then asking, "Right, who owns this ..." ) as much as we'd like to.

    So well done Click and the BBC. Something worth my licence fee while others sit around doing nothing but hand-wringing and moaning. The hypocrites who would love to see the botnets smashed to sunder but complain when the BBC gets off its arse and tries to make that happen, at least in part, can quite frankly STFU IMHO.

  16. Antony Riley
    Thumb Up

    Thought provoking TV.

    The Reg has run enough stories about the BBC not producing thought provoking TV with license payers money, it seems somewhat two faced to try to take them down when they do create something worth watching.

    I don't agree with giving money to criminals, or the methods used, but on the other hand I can't see how it would be possible to hold the general populations interest without a real example.

    Regards security professionals breaking the law on a day to day basis, I don't need to remind anyone quite how ridiculous the laws are in the UK when it comes to computer misuse, to the point where even the most careful security professionals will find it hard to do their jobs without breaking one or more laws (though maybe not quite so spectacularly as the BBC has done in this case).

    These days anything from a commonly used password database to ping could be deemed illegal.

  17. Anonymous Coward
    Anonymous Coward

    Storm in a teacup!

    I can't believe how an*l people are being about this program and the subsequent press it's had.

    I am no legal expert and maybe the BBC has stepped across the legal line here but things really need to be put into perspective. I, like many millions of email users, am bombarded with junk from the masses of spam kings using botnets to spread their cr*p. We are also subject to the inconvenience of these criminals attacking legitimate web sites via DDoS and also by the side line activities of booby trapping sites to gain the IP addresses of victims in the first place. I for one applaud the BBC actions here because as pointed out by Albert most people are unaware of the methods and extent of the problem.

    To computer savvy people it is common sense to avoid certain web sites, keep an up to date virus scanner, install a fire wall and never open unsolicited email attachments, but to a very large proportion of the worlds computer users this is still a mystery, hence the level of virus outbreaks and spam.

    If my machine was snared into a botnet I sure as hell would appreciate someone telling me that it had so I could clean it out. I don't want to be responsible for spreading junk email or attacking legitimate web sites in DDoS.

    I also think it two-faced of the anti virus firms to knock the BBC here. I would have thought any improvement in people's knowledge of how to surf safe and avoid the spammer scum and the snare of their botnets would be welcomed by such parties.

    As for your comments Toni Koivunen I presume you are from the US? The only part of your comment that made any sense was the title, "Load of crap" which aptly summed up your comment!. What's the matter, worried your precious Pentagon was hacked? If they can't protect themselves then they deserve someone pointing it out to them.

  18. Andy

    Money should not have changed hands

    They've directly funded criminal activity WITH MY MONEY, and totally without my consent. However you look at that, whatever they thought they were doing, however many weasel words you throw at it, it's wrong.

  19. geist
    Thumb Up

    Education

    If it's OK for educational purposes (and perhaps to keep viewers watching adverts which make £), then i want to educate on how to getta bigga penis for only small fees.

  20. Conor Turton

    Knowledge is power.

    I think this was a good article if it does nothing more than educate people to use Windows Update. If people had, Conficker wouldn't have had the devastating impact it has had as the exploit was patched in a Windows Update months before Conficker came out. Likewise the same with Sasser and all the other major attacks.

    Thanks to the programme, there's now up to 22,000 unsecured computers which will get updated and their users educated.

  21. Anonymous Coward
    Anonymous Coward

    Wallpaper

    I saw the show on News 24 last night.

    I wonder what proportion of the owners of these infected machines could understand the warning message they set as the desktop wallpaper? That botnet consisted of PCs from all around the world. If they sent the same English message to all of them, I imagine a lot of the owners would have responded with a "WTF is that?!" rather than "ooh I'd best get my computer cleaned up. Thanks BBC"

  22. Bill

    In the event it did go to court...

    ...does anyone honestly believe a jury would convict?

    Funny thing about juries - they have a disturbing habit of accepting public interest defences even if there isn't a provision for one in the statute.

  23. Anonymous Coward
    Flame

    why doesnt the BBC get nailed for this

    they illegally bought something illegal from hackers engaged in illegal activities. Or are they not being prosecuted because all those illegals cancel each other out???

    Its the same as buying a gun. You are paying money for something illegal, from a person who is illegally selling it to you, and who acquired it through illegal means. Saying "its OK because were not going to shoot anyone with it, we'll just shoot around them to raise public awareness of guns" just doesn't fucking cut it.

    Depending on where the hacker's allegiances lie, they could be funding terrorism, directly or indirectly - isn't that against the law too?

    When are big, lawless companies like BT and BBC finally going to be nailed for doing illegal things!?! If a sysadmin got drunk and did the same as this incompetent ignorant bunch of retarded fuckwits, then he would be in jail and it would have cost the government £2Million to put right whatever the botnet did.

  24. Anonymous Coward
    Anonymous Coward

    Good value for money

    Paying a few thousand dollars - which is like £3.50 - to remove a shed load of machines from spamming and general bot-net crap etc. sounds excellent to me - I bet we pay the police lots more and they do nothing but drink tea, or are getting criminal records.

    go BBC - more bot killing plz

  25. Juillen
    Thumb Up

    Carpet sweeping..

    Seems to be the common mode of computer security these days.

    Hey, why make your systems secure when instead, you can hire a bunch of lawyers to say it's illegal to do anything with a computer that you're not authorized to do, then come down hard on anyone you find that is accessing the system in a way you didn't expect (public domain transfers, session states stored in a URL, clicking on search engine links to exposed documents that you didn't think would be visible, but actually were, etc).

    You can have all the programs you want saying "Hey, it's um bad y'know.." to all the people who haven't a clue how to secure their PC, or even know that it even needs to be secured, and you'll be in the same old boat. If it's not something that people really feel they need to know about because they've been burned (or people they know have been burned), they'll carry on as if there's nothing wrong.

    Now, each of those people probably know at least 10 other PC users, so they'll get the hint too.. And the "hey my mate just..." conversations will also probably propagate to another 10 for each of the original 10 (past the "my mate" level, things tend to take on the "urban legend" feel, and it loses impact).

    That's a whole boat load of people that REALLY get the message, not on an abstract "I can put my head in the sand, and it'll just go away" kind of way, but in a far more concrete and real sense.

    As far as legal goes, I have the sneaky suspicion that it's not. Should it be legal? I'd say it's one of those that is in a really grey area. What they did, in general, is good (increasing user education, which vastly increases real terms security, not just 'tick in a box' security), using methods that are bad (paying organised crime, and hijacking people's machines), but with no real ill effect (delivering a message that your machine has been compromised, and you may just want to get it sorted out).

    It's nothing like torture, as mentioned in a previous post, so that comparison is void.

    It's very much white/grey hat stuff. On the whole, I'm pretty much behind that kind of activity (someone takes the time to crack your security then tells you how, so you can make it better, rather than cracking your security, and selling that information to anyone who wants it, so you have no idea your security even needs fixing).

    Computing laws are still damnably primitive; we need a finely crafted tool that will let us hoist up the really destructive contingent, while allowing the creative (white hat) to prosper. Then we may have a snowflake's chance in hell of actually having systems that are secure, rather than putting a tick in a box, and saying they are secure by fiat.

  26. SSB
    Stop

    Er

    Considering it's a BBC World programme, that would mean it's funded from advertising revenues and not the licence fee...

  27. blue
    Flame

    Choking on a Nice Glass of Bolleaux from El Reg

    Click did pay money for the botnet, but at the end, they informed the owners of the infected machines that they were infected, what to do about preventing such things happening to them in the future, and then they REMOVED the infection from their machines.

    Yeah .. in anyone's book, clearing up thousands of infected machines, educating those people who allowed their machines to become infected and cleaning up the mess, and preventing those machines being used for malicious purposes in the future ... truly a criminal act. What wicked people inhabit the BBC!

    Get over yourselves.

  28. Keith Goddard
    Thumb Down

    RE: "Justified, utterly without reservation"

    Since when has 'For education' ever been a justification for an illegal act?

    And let's not forget that they have paid thousands of dollars to a criminal gang engaged in an illegal act which will help them continue their activities.

    And for all of you who think otherwise:

    http://www.opsi.gov.uk/acts/acts1990/ukpga_19900018_en_1#pb1-l1g3

    An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.

    1 Unauthorised access to computer material

    (1) A person is guilty of an offence if—

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

    (b) the access he intends to secure is unauthorised; and

    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    3 Unauthorised modification of computer material

    (1) A person is guilty of an offence if—

    (a) he does any act which causes an unauthorised modification of the contents of any computer; and

    (b) at the time when he does the act he has the requisite intent and the requisite knowledge.

  29. wobbly1
    Unhappy

    "its the unique way we are funded..."

    In essence this is the "research purposes" defence. I seem to remember that defence failed for a couple of high-profile nonces from the music business. Not sure what the research was supposed to illustrate. There are botnets... already apparent by the amount of spam. They are for sale... well, look at the technical press and that's also apparent. Some UK main stream press claim the beeb built the botnet rather than buying it. Un-patched machines are plentiful and easy to breach (No sh*t, Sherlock). This exercise added nothing to the debate, it further fouled the tattered reputation of the corporation.

    Meanwhile, whilst looking at R7 web site, NoScript changed and I found that there were scripts from a third party on the page (sageanalyst.net). I wrote to the bbc, asking:-

    Who are sageanalyst.net?

    Why are you allowing them to collect data from me without prior permission?

    Is the data going out of UK jurisdiction?

    Is the data (even if aggregated and anonymised) used for commercial purposes?

    I received a form reply giving me a complex opt out procedure (unnecessary as NoScript spotted it). I have, however, stopped the beeb running scripts with little loss of usable or desirable function. So the beeb are happy to presume consent from users for their details to be shared. I expect this from Google, they don't ask me for a fee or to buy a licence, but having been ripped off by the beeb on an annual basis (paying for digital services we won't receive here on the south coast until 2012 at the earliest) this feels a bit rich for them to use their scarce resources for such a futile and ultimately pointless stunt.

  30. Ash
    Flame

    @Anon.C (Justified...)

    "3) So what if the machine were military; that is the fault of the military for not securing their systems!"

    Tell that to the prosecutors in US vs McKinnon.

    Your arrogance is dwarfed only by your ignorance.

  31. Anonymous Coward
    Flame

    Re: Justified, utterly without reservation

    "Most people have no idea what a botnet is, so this program is a public service and (hopefully) a major eye-opener."

    I doubt it. Most people still won't know what a botnet is afterwards, given the usual levels of Beeb documentary eloquence. All this is likely to do is to scare the viewers about an issue the manufacturers and network providers should be dealing with "out of the box", potentially driving those viewers towards acquiring the usual pundit-recommended anti-virus and "system clean-up" software, possibly from the vested interests (undoubtedly featured in the programme), possibly from dodgy places on the Internet.

    And if everyone panics and starts clicking all over Google-served adverts pretending to offer such solutions, we all end up with more infected computers: an own goal for the Beeb, indeed.

  32. Anonymous Coward
    Flame

    Re: Storm in a teacup!

    "To computer savvy people it is common sense to avoid certain web sites, keep an up to date virus scanner, install a fire wall and never open unsolicited email attachments, but to a very large proportion of the worlds computer users this is still a mystery, hence the level of virus outbreaks and spam."

    I see you're from the "paper over the cracks" school of thinking. It would be far better if we didn't allow vendors to provide insecure products or products which let the user believe that they're using a Windows LAN from the year 1990, but that would mean the end of the cushy relationships between retailers, Microsoft, anti-virus vendors, ISPs... join the dots yourself.

    "What's the matter, worried your precious Pentagon was hacked? If they can't protect themselves then they deserve someone pointing it out to them."

    Maybe the people who made this documentary will be sold out and shipped to the US, too, given the level of support a certain Mr McKinnon has enjoyed from his own government. But then, given that it's the Beeb, with all those warm, fuzzy feelings of 70 or so years of "Auntie", there's another rule in play, here. It's the Beeb, national institution, jumpers for goalposts, blah, blah, after all.

  33. Llanfair
    Stop

    Sure, what they did was legally a grey area

    However, I think they had no other way to show what happens everyday on the Internet. Sometimes, you have to go on the grey area to show exactly what is happening. It showed that those who are carrying out the botnet stuff are not technically advanced. Any criminal who can use a computer can carry this out, you do not need to have specialist knowledge. Just enough cash to pay for the botnet.

    Even though I am aware of computer security issues, it was Click that showed just how easy this thing really is and how almost any criminal can do it. Hence why you need to get your machine sorted out.

    As for El Reg and Daily Mail lovers, stop picking on the BBC, because for once they have done a proper documentary on computer security.

  34. Anonymous Coward
    Thumb Down

    @Keith Goddard

    I said "to prevent a greater crime" and that *IS* permitted under UK law, any education is merely a side effect. You've got to do better than a straw man.

    The "antis" one here are probably just "anti" because it's the BBC. Is MS or someone had done it you'd all be praising their bold initiative. But when someone else does it, oh woe betide them!

  35. Anonymous Coward
    Flame

    Re: why doesnt the BBC get nailed for this

    Anonymous Coward: "Depending on where the hacker's alliegances lie, they could be funding terrorism, directly or indirectly - isnt that against the law too?"

    Indeed. I expect the Beeb to make a documentary where they go off somewhere exotic and proceed to shoot endangered animals before exclaiming, "OMFG! People can go somewhere and shoot endangered animals! We had to actually do this with our own eyes and hands because you, the archetypal Britard, and us, the archetypal Educator of the Britards, are now so stupid, our senses dulled from years of court jester-level, whole-week Saturday-evening-level entertainment and manipulation of the herd, that it is now impossible to rely on either you or us to make a single leap of inference any more! We have to actually show us shooting rare tigers to cement the mere idea in your mind!"

    "Thanks to you Mr Jones from Fulham for sponsoring the bullet that did for that tiger! Next week's documentary on piracy will make accomplices of many more of you - stay tuned! Now here's ten minutes of navel-gazing advertising and projection of the BBC brand, also paid for by you!"

    Even if the Beeb did all this, you'd still have all the idiots saying, "Blimey! The Beeb were right to point this out." Presumably while thinking, "I could've read about this stuff but that would involve forming abstract thoughts in m'head, and ain't that what the Interwebs and the gogglebox are for?"

  36. Andy Livingstone

    To your corners, please

    1. Those who saw Click and think it was OK.

    2. Those who saw Click and think it was wrong.

    3. Those who did not see Click and just like the sound of their own voices.

    4. Those who did not see Click and simply seize any opportunity to slag off the BBC.

    For those of the American persuasion..... In the UK (BBC land) a "DA" has only one meaning. It's a type of haircut called a Duck's Arse.

  37. Irate BT User
    Black Helicopters

    Not Grey BUT JET BLACK!

    Once "Any Institution" is allowed to bend or even "break the Law" just because it might be in the Public Interest, but an Individual is pilloried & harassed by the State for a similar type of offense; where do we stop!

    The BBC should have known better, news items are about properly investigating & informing the Public; this case looks like Media manipulation!

  38. Anonymous Coward
    Flame

    Re: Re: Storm in a teacup!

    > I see you're from the "paper over the cracks" school of thinking. It would be far better if we didn't

    > allow vendors to provide insecure products or products which let the user believe that they're

    > using a Windows LAN from the year 1990, but that would mean the end of the cushy relationships

    > between retailers, Microsoft, anti-virus vendors, ISPs... join the dots yourself.

    Try stepping into the real world for a moment. Love or hate Microsoft, and personally I hate them, no one but a fool or a genius would claim to be able to write "perfect" software which was secure and safe. I've been writing software for the best part of 20 years and despite all your efforts testing and verifying your software there will always be cases which have not been completely exercised and therefore can potentially be exploited.

    By your argument we should not build cars which can be involved in accidents, however I think you may find that to do this you take away the human from behind the wheel. People need to take responsibility for their own surfing and web habits. To do this people need to be aware of the dangers and understand what safe-surfing is and in that respect any such program is beneficial and justified.

    Personally I think to control the wider menace of spam, etc. botnets should be infiltrated and the owners of the compromised PCs informed of the problem.

  39. Anonymous Coward
    Coat

    BBC Click - unethical.

    Nothing new there, it's clear from their articles and reviews, that companies buy their way in, despite the BBC supposedly being a public company.

    The worst offender, who does not, it seems even care about his obvious paid bias is Darren Waters....

  40. Paul
    Flame

    All license payers at risk?

    I realise this is taking it to extremes but as a result of this act hasn't the BBC made all license payers an accessory to the crime by funding them? For those saying the paying was justified think of what else, other than botnets, Russian underground groups do and now imagine yourself helping to pay for that. I'm usually one to roll my eyes at the mention of this with everything these days but child porn is one of a number of illegal things. Do you still feel so happy and content with the BBC paying your money for this now?

  41. Anonymous Coward
    Thumb Up

    Unethical and a Grey area???

    But a win-win situation nevertheless: the infected PC gets a message to clean up, and the communications with the botnet controllers are also poisoned, as they will not know if they are dealing with a sting or a real 'customer'. All we are missing is some way of tracking the payment to get to the botnet controllers, sorta like getting Al Capone for tax evasion.

  42. Apocalypse Later

    One law for them, another for us

    There is a very straightforward problem with discretionary prosecution. If the authorities are allowed to pick and choose who they prosecute, especially with the draconian laws that parliament has been passing lately, then you have institutionalised repression of the rights of individuals. Those in the administration's good books can do as they like, and not worry about the minutiae of the legal details, while the rest of us walk a tightrope, knowing that the least misstep will bring the cops down on us like a ton of bricks.

    We have already seen this happen in many areas, despite the assurances when the laws were passed that they would only be used in exceptional circumstances. The 70 year old heckler at the Labour party conference, who was arrested under the terrorism acts, for instance. Or the TV news presenter who was arrested for "child porn" because she took some pictures of her kids at bath time (this despite Jack Straw's personal assurance that "of course" the law would not be used in this way). And we have the now long standing use of majority verdicts in trials, which puts paid to the principle of reasonable doubt. That was supposed to be used only in cases where there was believed to have been jury intimidation, but now it is routine in any case where one or two jury members are firmly convinced the defendant is innocent, to get a conviction anyway.

    If you think the BBC was right to do what they did, then the law is clearly WRONG, because they broke it, without question. Ignoring the law when it suits the administration means that they can get away with ever more draconian laws, promising to ignore them if a "good guy" should slip up. In this case the good guys are journalists, who the administration doesn't want to offend. What's YOUR standing with the administration?

  43. Anonymous Coward
    Flame

    sour grapes all round.

    The beeb did what security firms could do, but are basically too chicken to, for fear of getting sued.

    The bottom line is that every one of these firms knows that it's no good sitting in our sandcastles while the tide comes in; we have to get out there and do something. So what exactly do these firms do? They 'advise' us on how to put up stronger sandcastle gates and find better tide tables. Great - but the tide is still coming in.

    How about these guys taking some positive action with all that expertise? Nope - too worried about lawsuits. But from whom?

    The baddies - it's good news if they sue, they have to come out of the woodwork for that.

    The victims - sure, I'm really gonna sue Sophos for telling me my PC got pwned by Russian criminals to sell unripe tarts and fake watches.

    Govt agencies with bad security practice ? Aha, now we're getting to it. These guys mail each other confidential CDs, leave their dongles in a knocking shop and their laptop in a pub. How secure do you think their PCs are? Ha.

    And that's what the security companies fear: that botnet containing 1000s of poorly set up US DOD computers. If they accidentally 'clean up' those boys, they'll have embarrassed the govt and that isn't something up with which either the Hall or the House will put. Visits to Gitmo will be arranged. Laws concerning offshore betting will be invoked. Life will become 'awkward'.

  44. Giles Jones Gold badge

    Bombing

    Would the BBC set off a bomb to expose the tactics of terrorists?

    Nope, so why is a computer any different? You can still compromise computer systems that are critical to people.

  45. Tom Paine
    Boffin

    Extreme foolishness of PrevX's CEO

    "Every day, most security companies, and law enforcement agencies investigating botnets and information stealers break the law to investigate and uncover stolen information and techniques - It goes with the turf!"

    Speaking as someone who's spent more than a decade in infosec, I'd just like to say: whiskey, tango, foxtrot?! Did this buffoon run that statement past their corporate lawyers before flapping his stupid head open?! (Hint: if he did, they're about to be debarred for life.) Who is he, anyway? Oh, by the sacred noodle of eternity, "Mel Morris", the... the CEO?! Stop it! You're killing me!!

    To misquote M.D., of Private Eye aka Phil Hammond of "Have I Got News For You" fame - after a bit about amusing things doctors write in their notes about especially fat, or stupid, or amusingly unwell patients: "Of course, those lines don't sound quite so funny when they're read out in court."

    For what it's worth, in /my/ professional experience working at three well-known security firms, and a couple of teeny unknowns, I have _never_ known of a deliberate policy to flout the law. Come to that I've never known anyone do anything like this, presumably because people that stupid don't get past reception on their way to the interview. On the contrary, researchers who care about their continuing ability to earn a living are if anything hyper-sensitive to avoid anything ethically or legally dodgy.

    To the saloon bar crowd heavily represented in the comments above saying "Good on yer, BBC!", I suggest you come sit in my chair and enjoy the ramifications of this cheesebrained imbecility as a million and one botherders start throwing out pop-ups claiming to be from journalists at CNN, Bild, or Hello! magazine. Actually, on second thoughts, stay where you are. I have a well-paid, fun job dealing with the consequences of mass use of insecure networked software and ubiquitous IP everywhere, and this sort of well-intentioned doltishness keeps that salary rolling in.

  46. Anonymous Coward
    Flame

    Re: Re: Storm in a tea cup!

    "Try stepping into the real world for a moment. Love or hate Microsoft, and personally I hate them, no one but a fool or a genius would claim to be able to write "perfect" software which was secure and safe. I've been writing software for the best part of 20 years and, despite all your efforts testing and verifying your software, there will always be cases which have not been completely exercised and therefore can potentially be exploited."

    Ah, the "real world" retort: everything is all so messy and there's no time to do things right, and the users are banging their fists on their desks, demanding new features yesterday. If people actually asked the users what they wanted, reliability might be the first thing on the list. Meanwhile, no-one wants to simplify systems and cut away the cruft because "people might be running that service, leave it in!" So, yet another attack vector hangs around for its moment of fame in the advisory lists.

    And after the daily exposure of hype, no-one wants to settle for something simple and reliable that works - it has to be "the shiny" or the toys are thrown out of the pram - so anyone offering something rock-stable but basic isn't going to reach the necessary critical mass amongst the fanboys and the paying punters.

    Of course, secure and reliable software is hard to write, but it isn't as if no work is being done in that area at all. Again, talking about anti-virus software gives various Windows jockeys their veneer of security "expertise" - a bit like the main characters in Absolutely Fabulous spouting fashion labels supposedly makes them experts in that domain - but the real story is how Microsoft and friends with all their billions can't or won't bring even remotely applicable work in this area to market, yet are responsible for delivering systems to millions of consumers.

  47. Duncan Hothersall
    Flame

    @ Giles Jones

    Yes, buying a botnet of machines that were ALREADY compromised and then NOT doing anything damaging to them is the equivalent of setting off a bomb.

    Why am I arguing with you? You're incapable of rational thought.

    *shoots self after viewing violent films and/or video games*

  48. Anonymous Coward
    Thumb Up

    BBC did great!

    No question, the BBC did a good job here. Real investigative reporting.

    Raise the real issue, notify the people involved.

    How can anyone be upset with that?

  49. Neil Greatorex
    Dead Vulture

    This is no different

    Than paying dodgy plumbers & locksmiths in an attempt to "out" them.

    People don't get up in arms then, do they?

    Click is, in the main, eons out of date with current tech, and so far up its own arse to be completely missable, but this episode was the exception.

    Opera users don't need no stinkin' bookmarks :-)

  50. This post has been deleted by its author

  51. Anonymous Coward
    Flame

    Prison time for regular citizens

    The point is, though, that if you or I or almost any other citizen performed this exercise with the exact same motives and the exact same outcomes, we could be facing real prison time! So whilst morally the BBC were probably in the right here, the fact that they're legally in the wrong is very important and not something that should be swept under the carpet so lightly!

  52. Neil Greatorex

    @ Giles Jones

    "Would the BBC set off a bomb to expose the tactics of terrorists?"

    Aaah yes, the thoughtful, considered use of analogy :-)

    Drink Cyanide ~ to expose the tactics of ~ Poisoners.

    Pah.

  53. Tom
    Thumb Down

    Commit the crime to educate about it?

    "For fuck's sake, if this educated one non-technical viewer about the realities of botnets then it was worth doing."

    Maybe next week the BBC can do a show about people kicking the crap out of homeless people for fun... or how about a show on gun safety ;)

    For the money they spent they could have set up an isolated network and run the same demo without giving money to crooks or using other people's computers without permission.

  54. Anonymous Coward
    Joke

    Methinks ...

    Methinks el reg doth be protesting too much :)

  55. Mark

    FFS

    Stop your incessant whining. These numpties whose machines had been subjugated in order to infect/affect others will have switched on to a screen telling them they've got a machine full of crap. This will, hopefully, have educated them to the dangers of what they were doing (lack of patched system, bad downloading and installing, etc etc) and if they've any sense they will get their shit sorted out. Same goes for those ordinary users that watched the program.

    I think far more good will have come out of this than the outlay of a couple of k of license payer funds - if you're pissed at that then you should definitely be confronting them about how much that twat Ross gets paid.

    There's far more shit produced and far more money wasted than this, an informative program for once, at the BBC.

  56. Simon Harvey
    Go

    For those of us OUTSIDE of the mother country ...

    ... you can watch the episode here: http://www.bbcworldnews.com/Pages/ProgrammeMultiFeature.aspx?id=18 or on BBC World (or whatever the hell they call it now).

  57. Anonymous Coward
    Anonymous Coward

    @Simon

    "the most interesting thing they have ever done on Click"

    Assuming it's interesting then it's the only interesting thing they've ever done on that sorry excuse for a program.

    I watched Click from the start, and for a long time, and was often moved to send e-mails complaining about the latest inaccuracy that they paraded. Not that I ever got an answer back. (Aside: I did get an answer back from 5Live once which at least was something.)

    Eventually I got so disgusted with this program that I swore I'd never watch it again. The only time I see it at all is if I'm channel hopping and it happens to be on. I generally carry on hopping PDQ. This weekend I fortuitously (or not) caught the last couple of minutes of the bot item.

    Should have carried on hopping.

  58. Anonymous Coward
    Anonymous Coward

    @Re: Re: Storm in a tea cup!

    Try getting yourself out into the real world for a while and look at other hardware and OSes. IBM's mainframe systems are a damn sight more secure than anything else I've ever come across in the 30+ years I've been at this. Why? Because they work at it and they've had teams of people working on this for decades. They take security reports very, very seriously.

    The obvious retort to this is that they can do this because they control the hardware. So what? The x86 platform is well known so that's no excuse.

    Whilst people who only know MS OSes may say "no OS can be bug-free", those of us who have seen more than this (from ICL, thru' DEC/VAX/Pr1me to IBM and then the PCs) know that you can be a damn sight better than MS' offerings.

    In short, there really is no excuse for shoddy OSes these days.

  59. Anonymous Coward
    Anonymous Coward

    Well done Click

    As a result of the programme's actions, I bet a lot of people will be taking a harder look at their computer security, and that can hardly be a bad thing. Discussions that are normally confined to tech or security sites are now happening in exactly those places frequented by those most likely to run unpatched, vulnerable systems.

    It may well be unethical, morally dubious and even illegal, but I think under these limited circumstances it is justified. Were it to become routine for computer security firms to do something similar, I think it would pass well into the region of unacceptable; a legal get-out for commercial organisations in the security industry has too much potential for abuse.

  60. groovyf

    A good thing

    It's all in the name of investigative journalism. We see numerous stories of journos testing lapses in airport/rail security (for instance planting a fake bomb - http://www.guardian.co.uk/media/2007/jul/24/pressandpublishing.mirror )

  61. Andrew
    Unhappy

    license fee

    The BBC paid a hacker who infects PCs with viruses for money. Paying people for illegal activities tends to encourage them. They're on the wrong side.

    On the other hand, the fact that these smug bastards get my license fee is the thing I really have a problem with. The amount of money seems to have been negligible (about 3 license fees? That's not going far to bribe a Russian policeman).

  62. Hugo
    Dead Vulture

    Can watch this on iPlayer outside the UK too

    "Those in the UK can catch up with the show through iPlayer, via the BBC Click site here."

    Works outside the UK as well, probably because they also show it on the international BBC World channel (and had done before the UK broadcast).

  63. Anonymous Coward
    Alert

    Public Interest?

    It should not be possible to use a defence of public interest against a crime. While claims of public interest may be used to abrogate or lessen a *sentence*, the alleged crime should still be investigated and, if there is sufficient evidence, prosecuted.

    Therefore I believe that, if there is evidence that the BBC contravened the CMA, they *should* be prosecuted. It will then be up to judge and jury to decide if they are, in fact, guilty. This will set a precedent for future cases and act as a guideline for other journalists considering similar acts.

    I actually believe the BBC had some justification in this act, but if it is not tested in a court I am concerned that it will weaken the protection afforded by the CMA, effectively making it legal to be a bot-herder and sell / hire your botnet to others.

    The alternative is for the CMA itself to be amended by Parliament to clarify / close this 'loophole'. IMHO, given the Government's track record on IT legislation and their proclivity for sneaking in authoritarian clauses, we *really* don't want that.

  64. Steve Sutton

    @Andy

    "They've directly funded criminal activity WITH MY MONEY"

    In other news, police pay licence holders to supply alcohol to under-age kids:-

    http://news.bbc.co.uk/1/hi/england/leicestershire/7946243.stm

  65. Mike
    Stop

    The Law

    It was illegal, this is not in question.

    However, compare this with how Daniel Cuthbert was treated when he tested two non-existent URLs and got done under the Computer Misuse Act; he is probably spoilt goods now and has a wrecked career:

    http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/

    If Daniel's treatment was appropriate, why isn't aunty beeb being nailed to the wall for this?

    Simple: the law is not understood nor applied evenly, because it's a bag of shite and tries to shoehorn traditional laws such as "breaking and entering" and "theft" into the virtual environment, with no practical way of applying them. A complete overhaul is required.

  66. Michael
    Pirate

    Sounds like an interesting program.. can I see it online?

    NO I FUCKING CAN'T..... I'M RUNNING LINUX....

    At least I don't pay a licence fee......fnaar fnaar..

  67. wobbly1
    Coat

    As a matter of interest...

    ..given the preponderance of pro-Beeb comments coming from "anonymous coward", might el reg reveal how many "anonymous cowards" were posting from within the Beeb IP range... After all, they may be at a loose end after CBeebies has stopped showing on the Trust's boardroom monitor.

    I won't get my coat, I already have it on.

  68. Anonymous Coward
    Thumb Down

    Panic-stricken users?

    Apart from the dubious legality of its actions, the BBC have made the assumption that users will know what to do when confronted with that screensaver. Over the last few years, there has been a wealth of bogus infection messages (usually associated with rogue security programs) popping up on people's machines, and scaring the heck out of these users. Some of these users buy the rogue software, some realise it's a scam and get antispyware software, and others may panic and re-install Windows immediately. How much personal data loss may the BBC have caused by doing this? And furthermore, criminals may now decide to masquerade as the BBC and use similar pop-ups / screensavers / phishing emails to tell the person they are infected, and must "click here" to get the latest solution to fixing the problem. There is a reason that security vendors are very careful about how much detail they publish. Publish too much, and you not only give ideas to the malware writers, but you also give them fuel for social networking attacks. The bigger you are, and the more press you get, the more "legitimate" your BBC virus warning email / pop-up will seem.

    BBC, you did NOT need to do this to prove anything. All you had to do was contact a security vendor who could, for example, set up a demonstration for you on computers installed specifically for that demonstration. You have not only provided cash to further the illegal activities of these criminals, but given the fact there will probably be no legal repercussions from this, in my opinion you have now given other media organisations the idea that this is totally ok to do (as long as you have "honourable" intentions).

  69. Damien Thorn

    Click

    Well, they'd better not break into my house to show me that it can be burgled.

    If they do I will record and demonstrate the UK law on interpretation of a householder's right to use whatever force they see fit to remove them.

    And they did break the law, the Computer Misuse Act. There isn't a clause about "intent", so they cannot hide and say "we didn't break the law as we had no criminal intent", but that's typical of the BBC, and it was YOUR money they used btw - we pay the licence.
