Into The Unknown

In case you haven't already seen the video, the BBC decided to do a little investigation into how easy it was to acquire, use and deploy a small botnet against a particular web site for a segment on their tech show Click.

Here's what they uncovered:

So, the Click investigators managed to DDoS a honeypot web site with just sixty-odd computers' worth of traffic. (Botnet owners must be loving all these new DSL packages with high-speed upload.) Before self-destructing the network, they also (very sensibly, in my opinion) changed the background image of all infected botnet hosts. The image contained had a detailed description of how that machine was compromised, along with a link to a special page on the BBC Click web site which explained how to go about securing the system.

Personally, I think they did the Internet a service - unfortunately this comes at a time when everybody is scrutinising everything the Beeb is doing, and they've been in the spotlight a little too much recently. Some are harping on about how this was a breach of the law (and with a rigid interpretation of the Computer Misuse Act, it most definitely was); we have people like Graham Cluley, the regular Sophos spokesperson, offering the anti-virus manufacturer's slightly condescending take on events. Others are also debating the legality - Click's producers have claimed that as there was no malicious intent behind their actions, they didn't breach the Law, some are pointing out that technically, the Law has been broken irrespective of intent. Struan Roberrtson from Pinsent Masons pointed out that;

"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer," he said. "Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorized — which the BBC appears to acknowledge.

"It does not matter that the BBC’s intent was not criminal or that someone else created the botnet in the first place." Still, Robertson said prosecution was unlikely because the exercise apparently did no harm and "probably did prompt many people to improve their security." The BBC responded that there was 'a powerful public interest in demonstrating the ease with which such malware can be obtained and used,' and that the network "has strict editorial guidelines for this type of investigation, which were followed to the letter."

I fall in line with the latter way of thinking on this - the BBC mention that they consulted their own lawyers before conducting this experiment so they must feel they have a fairly solid case for avoiding penalty. I suspect their culpability is limited as many thousands of the machines were most likely situated outside of the United Kingdom, bringing the scope and geographical constraints of our lovely British law into question. (Without extraditing the entire upper management of the BBC, I suspect there's little way the Corporation could be tried in a court of law for what they have done overseas).

More importantly, are the rest of us justified, as responsible netizens (as many of us claim to be, or would at least like to believe), in the belief that we can criticise the BBC's actions and call them out for dirty tricks here? For some of their past actions, maybe; this time: no. Personally, I think they've done the Internet a service. Not only have they taken a (small) botnet out of action, but they've helped illustrate just how easy it is to acquire a pool of compromised resources and hammer a web site into submission.

As a few more clueful people have observed, what Click unfortunately didn't spend enough time highlighting (probably due to time constraints) is the ease with which the true malicious users seem to be able to avoid getting caught when buying and selling access to these botnets. There must be a large amount of shady transactions taking place for unnamed or suspect items - and Internet payment services are effectively allowing these to happen. Why can't e-money services like PayPal watch for, and flag, transactions which might be related to payment for these kinds of nefarious darknet services?

Update: the BBC responded shortly after with a press release, along with a feature from Mark Perrow which fleshes out their reasoning and underlying motivation for the investigation on their Editors' Blog. The short statement is as follows:

"There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of PCs without the owners even knowing it is there; and its power to send spam email or attack other websites undetected. This will help computer users realise the importance and value of using basic security techniques to defend their PCs from such attacks.

The BBC has strict editorial guidelines for this type of investigation which were followed to the letter. At no stage was any other data other than the IP address used. We believe that as a result of the investigation, computer users around the world are now better informed of the importance and value of using basic security techniques to defend their PCs from attacks."

I still think this was a well-considered and justified insight into the underbelly of the interwebs, and if it raised peoples' awareness (and helped a few thousand people secure their machines) then surely the BBC has done the world a small favour? This invokes consideration of the classic White Hat / Grey Hat / Black Hat issue... Would you do something borderline (or completely) illegal if it was morally or ethically justified - or in the interest of the common good - in the long run? I'm not sure if I would (but then again, I can't hide behind a Corporation!)