BBC Hijacks 22,000 PCs In Botnet Demonstration
An anonymous reader writes "'[The BBC] managed to acquire its own low-value botnet — the name given to a network of hijacked computers — after visiting chatrooms on the internet. The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals.' The BBC performed a controlled DDoS attack, 'then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.'"
when you can use slashdot!
...is good journalism. Good job BBC, the masses need to know about NOT USING IE6 TO SURF THE WEB.
Obligatory blog plug: http://www.caseybanner.ca/
If this exercise had been done with criminal intent it would be breaking the law.
Ok, so, I don't know much about the laws, but it is illegal, isn't it?
Whale
It seems a bit stupid to pay the hackers, as now they will have more money to set up botnets with. I suppose if they didn't a spammer would have done anyway, at least they have a chance of shutting them down now I guess.
Just wait until a botnet DDOS's Click's website.
Controlling machines without permission? Against the computer misuse act.
They used the botnet to spam two email accounts, one at gmail and one at hotmail. That's against the computer misuse act.
And they changed the wallpaper on the machines on the botnet. Against the computer misuse act.
Their "justification" doesn't fly; not having criminal intent is not a defence against the law.
I heard the BBC virus also installed a photo of David Attenborough in a bikini as the user's wallpaper and also informed the British government if it found any pictures of knives, guns, or pointed sticks.
If this exercise had been done with criminal intent it would be breaking the law.
So if I install software on your machine that you paid for, consume the bandwidth that you are paying for, burn extra electricity that is paid for by you, all without ever even letting you know about it, so long as I'm doing it for finding a cure for cancer, it's perfectly legal?
What if I use that bot net to distribute the load of rendering animated gaping anal gay midget porn movies? It's not a crime to render animated gaping anal gay midget porn movies, so I have no criminal intent, so it must be legal, right?
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
I've been on the bad side of this one - a lack of criminal intent does not mitigate or extenuate criminal action. Their guilt is quite plain (having been admitted, even published by the BBC itself). Now, their lack of criminal intent does have a bearing on sentencing. Inasmuch as the BBC did not wilfully cause damage or fiscal loss to anybody (except, potentially, themselves?), the sentence should be something on the light side, perhaps even suspended; but the matter of their guilt is simple black-letter law.
Wow. I can't believe this. In the U.S. what the BBC did is a criminal act. Even if they did not have criminal intent.
Under U.S. law what the BBC did would be as if a criminal entered or broke into a house but did not steal or destroy anything.
I challenge the BBC to do the same thing to computers on U.S. soil. The BBC perpetrators would be extradited so fast they would not know what hit them.
This is both highly illegal and unethical. Illegal in that they accessed the PCs without the owners permission, they sent spam, and changed the settings on the computer.
Unethical even if their motive was not to do criminal intent.
It is like creating a "white worm" to patch servers from an unpatched vulnerability.
Yopu for you?
Ah, time to bring out the armchair lawyers. Never mind that the BBC has its own legal team that reviewed this activity before it happened. I'm sure all of you know better. Especially all you Americans who are well-versed in British law.
if you go randomly grab 22,000 computers for your botnet, it's far more likely than not that some would be in the US. Even if they only targeted BBC registered users or something (didn't read TFA), there'd still be overseas users and such, some in the US. Not that I'm an expert, but I don't think they could reliably get computers from only inside GB.
In other news, A DDOS Brought CNN down for two hours today, BBC was found responding "I wonder who had the opportunity for that" CNN was only to respond "Those limey brits"
the notorious underground computer hacking group self-labeled /. deploys over 30,000 Anonymous Cowards to take down the BBC news website by maliciously posting a link to this news article.
How many of the botnet'd machines were running linux ?
Everyone's going on about how it's actually illegal and the intent doesn't matter (I don't know either way - it is Britain and maybe things work differently there).
What about the fact that some guys from the BBC were able to gain control of 20k infected machines on the web just for the purposes of doing a story? To me, the implications of that are far worse than any possible criminality.
Way to go, BBC. You have moved past bringing the populace breaking news stories to creating them! I am looking forward to the next headline, regarding this. I think we all agree that gaining unauthorized access to another computer is, not only unethical, but illegal. I am surprised, being that this article is on slashdot, now, that the BBC is not already feeling the ramifications of its actions. I highly doubt they asked everyone in those chat rooms: "Hi, we are from the BBC, we would like to pwn your computer in the name of exposing cyber security risks. Is this okay, with you? Great, Thanks!"
"If this exercise had been done with criminal intent it would be breaking the law."
So, if I run over a pedestrian with my car while absentminded I obviously have no criminal intent so I'm not breaking the law?
You SURE only British law applies? As noted in another post, when you start hijacking 22,000 computers on the Internet, most likely SOME of those will be in the USA (or other countries where such activity IS illegal). You sure those BBC lawyers know enough about technology to be sure that the activity was limited to British computers, and this did not actually risk becoming an international incident?
Can we get a "-1 Wrong" moderation option?
Once the BBC had finished with their botnet, they changed the desktop background of all the infected computers to tell people what had happened and link them to this webpage, which contains some information on how to secure Windows. Then, they uninstalled the botnet software.
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
In other news, 22,000 PC users are stupid Windows users.
The BBC perpetrators would be extradited so fast they would not know what hit them.
Sadly true as we have a very one-sided treaty regarding extradition.
If you aren't far left by the age of 18 you have no heart. If you aren't far right by 30 you have no brain.
What? That jewelry in my pocket? Oh, my - I was looking at it and forgot to put it back. No intent to steal, no harm no foul.
There's a reason they call them laws. Otherwise, we'd call them "suggestions".
If this exercise had been done with criminal intent it would be breaking the law.
lolwut. actually, in the United States, it is totally illegal, both at the federal level (18 USC 1030) and every single state. I'm sure it's just as illegal in England. Sony didn't have criminal intent when it distributed rootkits. I would like to see the BBC sued by 22,000 people.
Actually, hijacking any computer - even if you didn't do anything bad and were trying to demonstrate a security flaw - is illegal. There have been other cases in our past where someone wanted to show the flaws in security...all to end up getting arrested.
I do not support "The Man". I also do not support your irrational stupidity
This is more childish attention seeking from the BBC. They're losing audience share even in my demographic (50ish, middle class) who used to be their cheerleaders. I noticed that the operating system word was not mentioned throughout the whole of this childish and possibly illegal prank. Perhaps that's because Eric Huggers (and lately a lot of his Msoft minions) are now at the top of BBC technology. As for Spencer Kelly of Click (which is a product placement program rather than a serious one) he's admitted publicly that he doesn't know much about computers: http://news.bbc.co.uk/1/low/programmes/click_online/meet_the_team/default.stm It's sad to see a great institution brought so low and we still have to pay for these tossers (to use the technical word).
On y va, qui mal y pense!
The BBC has done this to highlight an issue.
The problem with this is that everyone who needs to know already knows it's an issue. Those who did not know will still be none the wiser, and will shrug their shoulders, try to do what the BBC says - 'secure' the computer, and in a few months any instructions laid out will be stale, broken, old, or incomplete.
Legality
To my mind, it's clearly illegal. But being illegal and being punished are two very distant worlds. For years now, entire governments, corporate entities, criminals, and everyone else has run round committing this 'crime', and it's never been dealt with. The massive waves of Malware and spyware, often being shipped by companies that exist openly, are simply a symptom of a system that has failed.
I can probably count on one hand the times that in raw clear daylight, entities are tackled and dealt with criminally in this subject. Whether it be Sony installing a root-kit, or the BBC doing this, it's become an everyday crime. Your computer is not, as some claim, akin to a house with no lock; it's clearly your land, and stepping on it is 'trespassing' and doing something you should not be.
It's probably far too late now, the horse has gone, but companies that breach the law to this extent should be prosecuted and made to answer for this.
My problem with the BBC is that by making this nonsense - they have once again, invited kiddies to the underground, and created a level of encouragement. After all, the kids will say, if the BBC can do it and not be criminalised, so can I.
It's really time that companies that are like the BBC, legit, and when they do things like this, that they be prosecuted to the full extent of the law. That applies to Sony and its root kit and others. We need to get back to the basis in law that someone else's computer is not yours, and if you decide to screw with it, you face criminal charges.
Further, it would be very interesting to see what the BBC IT structure and management make of this, and whether they would be happy were it someone else hacking and using their systems and networks.
We're all equal
But, my armchair lawyer friend (and the five million others who will pipe up), the CPS must decide that it is in the "public interest" to prosecute.
This little get-out clause is both used for good - not trying to punish someone who has assisted their terminally ill partner with suicide when they had made a living will years before and were still mentally competent, say - and for bad - such as not pursuing corrupt police officers.
They are apparently oblivious to the fact that DDOSing a site also means saturating the connection of the PCs involved in the attack which could have a critical function within a business. Do they even know the way that the backdoor application works? Is it possible that it is spreading through local shares and otherwise wreaking havoc on some network by propagating through some unpatched exploit?
"Click has now destroyed its botnet, and no longer controls any hijacked machines."
This quote worries me as they don't seem to understand what they're doing. Did they click a button that said "destroy botnet"? By destroy, do they mean wipe out some critical files?
I'm gonna rob a bank... but I have no criminal intent. I just want everyone to see how insecure our banks really are. (and get a kick out of it)
Oh stop that egocentric rant!
Different countries have different laws. Cope with that!
bickerdyke
Here's a slightly blurry screenshot of the wallpaper: http://www.heise.de/bilder/134489/0/1
Meet the new overlord. Same as the old overlord. Yeeeeeaaaahhhh!!
Let me fix that for you:
"[The BBC] managed to acquire its own low-value botnet http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm the name given to a network of hijacked MICROSOFT Windows computers - after visiting chatrooms on the internet. The programme did not access any personal information on the infected MICROSOFT Windows PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals." The BBC performed a controlled DDoS attack, "then ordered its slave MICROSOFT Windows PCs to bombard its target site with requests for access to make it inaccessible."
Now it's been edited to show the facts.
I say things which affects my Karma negatively. (and I don't care) For instance; All religion is false.
I don't think entering a home through an open door and looking around is not a crime, only breaking-and-entering or refusing to leave are crimes. Maybe it is just that way in the US?
Beat The Burglar
the BBC did not wilfully cause damage or fiscal loss
I'd bet gmail and hotmail would beg to differ with that one. It might not be much, but it definitely cost them to receive the spam that they sent.
"I doubt anything will come of it though"
In the UK the punishment does not seem tailored to fit the crime. It seems tailored to fit the offender. So I agree with you.
http://news.bbc.co.uk/1/hi/england/south_yorkshire/7939988.stm
If this exercise had been done with criminal intent it would be breaking the law.
I am so glad to know that if you hack into computers, but do it with good intentions, that it is not illegal. That's wonderful for all the white hats who have been accused of breaking-in for merely notifying people of vulnerabilities, or those who have written proof-of-concepts to kick-start lazy corporations into implementing real security measures. Fortunately, they will now all be released from jail and their reputations returned to them.
Or am I misunderstanding? Is it okay to do so long as you work for the BBC?
Better yet
When the BBC "harmlessly" pokes at 22,000 poorly secured boxen (presumably in the UK and overseas) "without criminal intent" its OK.
When Gary MacKinnon "harmlessly" pokes at a handful of poorly secured overseas boxen HAVING BROKEN NO LAW IN THE UK and also "without criminal intent" he gets extradited and faces 70 years in jail.
Double standards. No?
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Kudos... very good point indeed.
It has been proven in (United States) courts that even spouses are committing a chargeable act by logging into their significant other's computer without permission. I realize this was the BBC, but if they did this to even one of the computers in the USA then they are in trouble.
'Variants of Conficker use a variety of methods to spread, including exploiting the MS08-067 vulnerability in the Microsoft Windows server service patched by Redmond in October'
davecb5620@gmail.com
I wonder if they are going to copyright the name "88(" next.
<KIDS-JOKE>
Knock-Knock.
Who's there?
Ether
Ether who?
Ether Bunny!
Knock-Knock.
Who's there?
Nutter
Nutter who?
Nutter Ether Bunny!
Knock-Knock.
Who's there?
Cargo
Cargo who?
Cargo "Beep Beep" and run over all the Ether Bunnies!
Knock-Knock.
Who's there?
Boo
Boo who?
Don't cry. All the Ether Bunnies be back next year.
</KIDS-JOKE>
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Ugh, I can't stand the attitude here. Botnets are a HUGE problem. People need to know if their PCs are hijacked and they need to be fixed. If my PC is hijacked, I want to know about it. Now. When someone's PC is used in a DDOS attack, isn't that illegal activity? I've always heard that ignorance of the law is not an excuse, so if someone is not aware their PC is being used illegally, their PC is still being used for illegal purposes ... should they be held accountable? If there is an activity that is *questionably* legal but can potentially help with the Botnet problem, I'm all for it.
I wondered why gmail was down again, second time in 2 weeks... Google needs to beef up its servers :)
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
Prosecutorial discretion would likely keep this as a non-issue in the interests of furthering public education.
I've been on the bad side of this one - a lack of criminal intent does not mitigate or extenuate criminal action. Their guilt is quite plain (having been admitted, even published by the BBC itself). Now, their lack of criminal intent does have a bearing on sentencing. Inasmuch as the BBC did not wilfully cause damage or fiscal loss to anybody (except, potentially, themselves?), the sentence should be something on the light side, perhaps even suspended; but the matter of their guilt is simple black-letter law.
These guys need to be chucked in jail ASAP. Why? They wonder why their youth has no respect for the law. It's because things like this are allowed to slide. Nailing these folks will make more of the knife youth pay attention to the system than almost anything else the government could easily do.
Since they were sending spam to Google and Microsoft servers they most likely are breaking US law and can be extradited. Perhaps you should inform US police to look into it.
Guilt is not a variable. The law in most places accommodates this by permitting sentence flexibility at judgement. I.e., BBC may never pay one pence in damages nor suffer any legal sanctions because they didn't do anything wrong, but they are still guilty of a violation of law.
In this instance, a sentence of zero punishment may make sense, but that does not change the fact that the BBC knowingly and intentionally did something they knew to be illegal. They intentionally broke the law, and then boasted about it.
That's the problem with analogies - they break down sooner or later. Fine. I'll drop the analogy. Question for you - did the BBC break the law? Never mind if punishment is in order, did they break the law?
If not, I want their set of rules instead of mine. I've got a few people who need an appointment with a clue-by-four.
If this exercise had been done with criminal intent it would be breaking the law.
"Your honor, I just pointed the gun in a random direction and pulled the trigger. If this exercise had been done with criminal intent it would be breaking the law. But since I had no intention of actually shooting someone, only demonstrating what can happen when a gun goes off, I consider this perfectly legal! And please, give my condolences to their next of kin."
I'm sorry, but intent can never be proved in court. Penalties need to be assessed based on outcomes, not intent. Accidentally kill somebody with your car, and you go to jail for involuntary manslaughter, even if your intentions were perfectly innocent. And this wasn't an "accident", it was a deliberate violation of computer security and privacy laws. If a news reporter sells drugs to school kids to prove how easy it is to do, he's still gonna go to jail!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I'm modifying your data! I'm in your web cache right now!!!!
Arrest me!
Be pedantic all you want. Welchia aside, we should honor the gray wizard(s) they let the mundanes know what's going on.
Police and Justice Act (2006)
Go read it and then wonder how the BBC can seriously think that they are immune to section 36,3.6
--- This meme is memory intensive
To be honest, I wouldn't be surprised if the bbc were in the business of distributing genuine malware.
Important to remember that they still have those disgusting phone lines ripping off the consumers that pay for their champagne parties; it wasn't too long ago that they were found to be behaving in a thieving manner with respect to these "competitions."
The license fee is daylight robbery when you consider the drivel they put out. The Brand/Ross business just added insult to injury - anyone with half a brain can see that they're rotten to the core.
Lol I had to look it up. Sadly it seems that they didn't use the format as they should.
:) )
I'd like to see them try to break into my father's house, though (I hope he didn't set up anything lethal
There are three kinds of lies: lies, damned lies, and statistics.
Interestingly, if a 13 year old did exactly the same thing just to see if he could, HE would likely see prosecution (if it's anything like in the U.S.) even though arguably his culpability should be LESS because he lacks the maturity to fully appreciate the serious nature of the act and the potential for things to go very badly.
Umm no, it's still illegal unless the laws have changed. Doesn't matter what your intent was.
That argument didn't work for Kevin, it shouldn't work for the BBC either.
---- Booth was a patriot ----
"By running MSIE, you agree..."
Seriously, how many years of experience do people have to have with a piece of bad software, before they take responsibility for what they know that it does?
"Believe me!" -- Donald Trump
Yeah they paid £6k of public money to known criminals and knowingly broke the law for the sake of some sensationalist journalism .. what's not to like?
So the researchers at the BBC are allowed to break the law (and spend public money doing it) but other people who're "investigating" computers that don't belong to them get extradited? [ http://news.zdnet.co.uk/security/0,1000000189,39619206,00.htm ]
I'm not saying McKinnon is blameless incidentally.
I don't care who's cracking someone's computer or controlling a botnet, it's wrong and they should be punished for it.
a lack of criminal intent does not mitigate or extenuate criminal action.
Not always true. For many actions intent does in fact matter in whether it is considered a crime (for example in the U.S., showing someone a gun). However you are correct that some crimes are simply a matter of action regardless of intent, and in those cases intent can mitigate the punishment. I don't know how the U.K. treats this sort of computer crime but I would not just assume that it is a strict liability.
This post explains the concept in far greater detail than I could have.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
I don't want to harm the BBC. I'm just teaching myself stuff.
By definition, e-mail you send to yourself is not spam. (Unless you have multiple personalities maybe.)
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
The wiggle room is in bold:
"A person is guilty of an offence if at the time when he does the act he has the requisite intent and the requisite knowledge to cause a modification of the contents of any computer and by so doing impair the operation of any such program or the reliability of any such data."
So you would need to prove that not only did the BBC access the botnet, but also that they did so with the intent to wreck software or data on those computers. It might be tough to prove as the BBC could argue that their intent was a non-destructive demonstration in the service of the public good. I think that is a common argument for journalists.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
Got it?
After a court finds you liable according to the law of the land. And imprisons you for breaking it.
Just try stopping any debts you have and you will be in deep doo-doo, but that does not mean that your creditor is in a dark alliance with the government.
IANAL but write like a drunk one.
The relentless pressure from the government, to the point that has forced out general directors, tells us that the BBC is applying journalistic pressure where it is hurting.
Both Conservative and Labour government and parties have complained at one time or another of bias from the BBC.
Well, if everybody says that that means the BBC is hunky dory.
IANAL but write like a drunk one.
A UK-based hacker that broke into the US government's computers is close to being extradited to the US and to face the music of the insane laws over there.
IANAL but write like a drunk one.
So raising the alarm is unethical?
Gee, glad to know. Death to all whistle-blowers.
IANAL but write like a drunk one.
It is not in the public interest to have media organisations misusing computers belonging to other people in order to pursue a story.
Admittedly Crimestoppers refused to take the details and told me to ring the police, who have left me on hold for ages.
When a big corporation or government does it: It's a lesson.
When a person does it: It's a crime.
Instead of buying or renting a server farm (or using cloud-computing services), why not buy a botnet or build your own?
I've been on the bad side of this one - a lack of criminal intent does not mitigate or extenuate criminal action. Their guilt is quite plain (having been admitted, even published by the BBC itself). Now, their lack of criminal intent does have a bearing on sentencing. Inasmuch as the BBC did not wilfully cause damage or fiscal loss to anybody (except, potentially, themselves?), the sentence should be something on the light side, perhaps even suspended; but the matter of their guilt is simple black-letter law.
Unless they're not prosecuted. Prosecutors are not obliged to file charges if they don't feel it would be the best use of their limited resources.
MediaWiki developer, Total War Center sysadmin
This is what my fucking license fee is being spent on these days.
"it's raised independently of the government and is specifically not a tax"
If it's not a tax, then this is an optional licence fee? What would happen to someone who doesn't pay?
Could it be that the BBC infected their own PCs for this "experiment"? Last time I checked the company had 25K employees. Most of them, I am sure, are given the company's hardware...
"Tragedy of the commons" - Someone paid for the intermediate bandwidth everyone paid with time because traffic slowed. Network neutrality indeed...
15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
The question is, did they break the law? http://research.zscaler.com/2009/03/botnets-for-everybody.html
Maybe it's a unique law over the pond, but I thought in the states this "demonstration" by the BBC would still be considered illegal?