Slashdot Mirror


BBC Hijacks 22,000 PCs In Botnet Demonstration

An anonymous reader writes "'[The BBC] managed to acquire its own low-value botnet — the name given to a network of hijacked computers — after visiting chatrooms on the internet. The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals.' The BBC performed a controlled DDoS attack, 'then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.'"

19 of 457 comments

  1. Now this... by kcbanner · · Score: 4, Informative

    ...is good journalism. Good job BBC, the masses need to know about NOT USING IE6 TO SURF THE WEB.

    --
    Obligatory blog plug: http://www.caseybanner.ca/
    1. Re:Now this... by sopssa · · Score: 5, Informative

      Accessing and modifying data on other people's computers is illegal. Better article written by a known security researcher Dancho Danchev, who also thinks it was a controversial and illegal act.

      Even if your intentions are good, I DO NOT WANT you using my computer or making changes to it without my permissions.

    2. Re:Now this... by Eternauta3k · · Score: 4, Informative

      This reminds me of a certain video by The Onion

      --
      Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.
    3. Re:Now this... by mike2R · · Score: 3, Informative

      Out Law have an article:

      Though the activity is likely to have been technically illegal, Robertson said that it is unlikely that the corporation will be punished for it.

      "The maximum penalty for this offence is two years' imprisonment. But it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security," he said.

      A blog posting from security firm Sophos suggests that the BBC has committed an offence of making unauthorised modifications to a computer. Robertson said that that is unlikely.

      "The offence of unauthorised modification requires a recklessness or an intent that I don't think the BBC has displayed," he said.

      Section three of the Computer Misuse Act describes the need for an intent to impair the operation of a computer or to hinder access to data. Such intent is not required for the section one offence of unauthorised access, said Robertson.

      The BBC did not respond to OUT-LAW's request for comment. However, a message on the programme's Twitter account suggests that the team did consult lawyers. "We would not put out a show like this one without having taken legal advice," it said.

      --
      This sig all sigs devours
    4. Re:Now this... by Ralish · · Score: 4, Informative

      Free them from third-party AV hell.

      Windows Defender is an anti-spyware product, and not a virus scanner. It will NOT protect you against most virus threats, nor is it intended to.

      In this respect, a 3rd-party virus scanner is still required if the detection and removal of viruses is important to you. Yes, there is Windows Live OneCare, but apart from the fact that it's scheduled to be discontinued in the future, you still have to pay for it.

  2. Re:Breaking the law by Spazztastic · · Score: 4, Informative

    If this exercise had been done with criminal intent it would be breaking the law.

    Ok, so, I don't know much about the laws, but it is illegal, isn't it?

    Regardless of intent it is illegal. They are gaining unauthorized access to someone's PC and using it for their own personal gain. If I were to demonstrate how to crack someone's WEP key in 5 minutes without the victim's explicit written permission it would be illegal, even if done just for "educational purposes." Sure, it's edgy reporting, but it is still highly illegal.

    I doubt anything will come of it though.

    --
    Posts not to be taken literally. Almost everything is sarcasm.
  3. I CHALLENGE THE BBC TO DO THIS TO U.S. COMPUTERS. by Anonymous Coward · · Score: 1, Informative

    Wow. I can't believe this. In the U.S. what the BBC did is a criminal act. Even if they did not have criminal intent.

    Under U.S. law what the BBC did would be as if a criminal entered or broke into a house but did not steal or destroy anything.

    I challenge the BBC to do the same thing to computers on U.S. soil. The BBC perpetrators would be extradited so fast they would not know what hit them.

  4. Good to know! by Exitar · · Score: 2, Informative

    "If this exercise had been done with criminal intent it would be breaking the law."

    So, if I run over a pedestrian with my car while absentminded I obviously have no criminal intent so I'm not breaking the law?

  5. Some information missing from the summary by ais523 · · Score: 4, Informative

    Once the BBC had finished with their botnet, they changed the desktop background of all the infected computers to tell people what had happened and link them to this webpage, which contains some information on how to secure Windows. Then, they uninstalled the botnet software.

    --
    (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
  6. Re:armchair lawyers by xorsyst · · Score: 4, Informative

    Feel free to read the law first. It's actually quite readable, even to non-lawyers. It looks like they might have some wiggle room with clause (3)(2) to me.

    --
    Get free bitcoins: http://freebitco.in
  7. It is illegal by furby076 · · Score: 3, Informative

    Actually, hijacking any computer - even if you didn't do anything bad and were trying to demonstrate a security flaw - is illegal. There have been other cases in our past where someone wanted to show the flaws in security...all to end up getting arrested.

    --
    I do not support "The Man". I also do not support your irrational stupidity
  8. Screenshot by xororand · · Score: 3, Informative

    Here's a slightly blurry screenshot of the wallpaper: http://www.heise.de/bilder/134489/0/1

  9. Re:Breaking the law by Sockatume · · Score: 4, Informative

    Actually English, Scots, and US law do distinguish between performing the same act (actus reus) with different intent (mens rea). It's a common lay misconception that "doing X" is illegal. In fact, traditionally "doing X" with one intent is usually a particular crime, while "doing X" with a different intent is a lesser crime, or not illegal at all. A simple example would be injuring another human being. Firstly, the law distinguishes between a deliberate or accidental act. Further, the law distinguishes deliberate injury with the intent to defend oneself from injury, accidental injury through deliberate negligence of safety standards, etc. etc.

    I'm not sure what the mens rea is on cyber-crime in any legal system that uses the concept, mind you. And it seems that legal systems are reworking mens rea into "circumstances" to eliminate the human part of the equation, i.e. in some legal systems if you're in situation X and you do Y, that is always illegal, regardless of intent. It's likely that, given their youth, cyber-crime laws in the UK are worded as such.

    --
    No kidding!!! What do you say at this point?
  10. Re:The BBC Already did it by ais523 · · Score: 2, Informative

    Beat the Burglar might only have targeted volunteers, but the more recent The Real Hustle didn't. (In one episode they went and fraudulently tricked a locksmith into opening someone else's house, then went in and installed secret cameras and stole things from it. Presumably according to BBC reasoning that's OK because they gave the things back and got permission to show the footage.)

    --
    (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
  11. Re:Breaking the law by debrain · · Score: 5, Informative

    Regardless of intent it is illegal. They are gaining unauthorized access to someone's PC and using it for their own personal gain. If I were to demonstrate how to crack someone's WEP key in 5 minutes without the victim's explicit written permission it would be illegal, even if done just for "educational purposes." Sure, it's edgy reporting, but it is still highly illegal.

    Why do you say that? These statements have no legal meaning or merit.

    I'm not overly familiar with British criminal law, per se, but I am handy in the commonwealth legal principles (having studied law in three commonwealth countries, and being a lawyer in a commonwealth country and New York state), and while anyone would need legal advice specific to their jurisdiction (i.e. none of what I'm saying is legal advice), I can say with reasonable confidence that this act of the BBC would be criminal in only two scenarios:

    1. There was mens rea, or the guilty mind, component of a criminal act; or

    2. The BBC committed a crime where mens rea is not required (viz. a crime of strict or absolute liability).

    As the guilty mind seems to be lacking on these facts, only crimes of strict liability may be laid against the BBC. As I don't know of any strict liability crime arising from these facts, I surmise that they have not broken one, but I stand to be corrected.

    It may be a civil wrong that is a species of trespass, or that violates some statute specific to computers and/or the internet, but in the absence of provable damages by someone affected (i.e. the botnet computer owners or the DoS'd computer), there is no cause of action that would give rise to a lawsuit. The botnet owners don't know they are on a botnet, so their damages are negligible -- if anything I would argue they benefit from being taken over by the BBC as opposed to someone with actual malicious intent. The DoS'd machine is presumably one owned by the BBC.

    Even if found to be guilty of civil or criminal wrongdoing, the BBC may have a complete defence because their act was taken as part of a protected form of investigative journalism or alternatively because they are acting as a good Samaritan in the public interest. They seem to be acting with the interest of exposing to the public and documenting a very important situation on the internet. Their investigative journalism is good for the public and the owners of the botnet who may thus become aware of their participation in this grand malicious scheme. In addition to these defences, it would be bad public policy to stifle such valuable investigative journalism.

    In any case I'm confident that the lawyers for the BBC have given this due consideration. That a large, sophisticated corporation actually did this for the purpose of publication, and then did publish it, strongly suggests that it is not illegal.

    In the United States your mileage may vary (i.e. taking control of a botnet even with good intentions may be illegal). There are a large number of laws that are driven by commercial interest groups, which laws give rise to "criminality" in spite of the public's interests to the contrary. Thankfully most of the world, including the BBC, isn't generally subject to these laws.

    Please don't mislead people with sensationalistic statements like "highly illegal", without at least providing some modicum of support for these otherwise bald assertions. What criminal law do you think the BBC broke? Your post appears wholly incorrect, unsupported and misleading. It distracts from the real issues at hand, wastes readers' time, and is disrespectful to those who value facts and truth. Please consider taking the time to research your assertions before posting to a public forum like this. Thank you.

  12. Re:Breaking the law by tygerstripes · · Score: 4, Informative

    Almost.

    Mens Rea is almost always about your level of intent, not what you intended to do. This is important for things such as assault or murder, where intent can range from "I meant to kill him" to "I just wanted to stop him hitting me" to "I didn't know he was standing there". As such, the mens rea will affect the nature of the crime.

    However, in most cases it is merely a case of "Did you intend to do it?" In the case of burglary, for example, the only way you could argue the mens rea would be either by pleading insanity (didn't know you were doing it) or demonstrating that you thought you had the right to enter the place you entered and take what you took. You're pleading that you were not knowingly guilty of doing what you did. For the majority of crimes you can't be excused by claiming that you did it with good reason; though that may mitigate your sentencing, it won't mitigate the conviction.

    Since the crime in this case was illegal access of someone's personal computer, the crime was knowingly undertaken irrespective of what the ultimate intention was. However, as I've said in a later post, I don't think this particular case will even see the courts; nor do I think it should.

    --
    Meta will eat itself
  13. Re:why use botnet by growse · · Score: 2, Informative

    Well, it's fully funded by tv-owners. Not all taxpayers own tvs, and vice-versa.

    --
    There is nothing interesting going on at my blog
  14. Re:why use botnet by TheRaven64 · · Score: 2, Informative

    Technically, by anyone with equipment that receives live TV broadcasts. This includes video recorders and PCs that are used to stream live events (e.g. sports) from the BBC web site, but does not include TVs used solely to watch DVDs or PCs that use iPlayer to watch shows an hour or more after they are broadcast.

    --
    I am TheRaven on Soylent News
  15. Re:why use botnet by MatB · · Score: 5, Informative

    I suppose that the BBC views themselves as a branch of the British government.

    Hah! You jest, surely?

    Yes, I know that it is supposedly an "independent" organization,

    It is

    but it is fully-funded by taxpayers in the UK.

    Incorrect.

    The BBC is funded by a licence fee that all TV set owners pay, it's raised independently of the government and is specifically not a tax, the money never goes anywhere close to the Treasury. Many people chose not to have a TV and thus don't need to pay the license (I was one of these people for about 3 years, I had dial-up and a DVD collection, what'd I need a TV for?)

    It also gets money from overseas sales and a semi-independent part dedicated to overseas broadcasts is funded by the Foreign Office in the same way as Radio America and similar.

    I suspect the BBC has broken the law. I suspect they'll get investigated. I think that, regardless, they did the right thing--most people have no idea what a botnet is, let alone how much damage they do. Anything that raises awareness amongst domestic users in an open and transparent way is good. Those that had their PCs hijacked might do well to upgrade their security (again).

    --
    Mat Bowles