Slashdot Mirror
BBC Hijacks 22,000 PCs In Botnet Demonstration
An anonymous reader writes "'[The BBC] managed to acquire its own low-value botnet — the name given to a network of hijacked computers — after visiting chatrooms on the internet. The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals.' The BBC performed a controlled DDoS attack, 'then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.'"
Controlling machines without permission? Against the computer misuse act.
They used the botnet to spam two email accounts, one at gmail and one at hotmail. That's against the computer misuse act.
And they changed the wallpaper on the machines on the botnet. Against the computer misuse act.
Their "justification" doesn't fly; not having criminal intent is not a defence against the law.
If this exercise had been done with criminal intent it would be breaking the law.
So if I install software on your machine that you paid for, consume the bandwidth that you are paying for, burn extra electricity that is paid for by you, all with out ever even letting you know about it, so long as I'm doing it for finding a cure for cancer, it's perfectly legal?
What if I use that bot net to distribute the load of rendering animated gaping anal gay midget porn movies? It's not a crime to render animated gaping anal gay midget porn movies, so I have no criminal intent, so it must be legal, right?
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
I've been on the bad side of this one - a lack of criminal intent does not mitigate or extenuate criminal action. Their guilt is quite plain (having been admitted, even published by the BBC itself). Now, their lack of criminal intent does have a bearing on sentencing. Inasmuch as the BBC did not wilfully cause damage or fiscal loss to anybody (except, potentially, themselves?), the sentence should be something on the light side, perhaps even suspended; but the matter of their guilt is simple black-letter law.
Everyone's going on about how it's actually illegal and the intent doesn't matter (I don't know either way - it is Britain and maybe things work differently there).
What about the fact that some guys from the BBC were able to gain control of 20k infected machines on the web just for the purposes of doing a story? To me, the implications of that are far worse than any possible criminality.
Then get some security.
No unlocked car or house door analogy is even slightly useful in this case.
Computer security by law is worse than security by obscurity, or security by Symantec product.
It's ok to tell him to get the f.. out. But most people, to return the analogy to the PC, don't even care that someone is standing there, in the middle of their living room, making unsolicited phone calls from your landline, telling everyone about your tv watching habits or even stuffing your jacket pockets with leaflets. As long as they don't trash the place, most people don't care that someone is standing there, coming and going as they please, leaving the window open for any burglar that wants to come in.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Ugh, I can't stand the attitude here. Botnets are a HUGE problem. People need to know if their PCs are hijacked and they need to be fixed. If my PC is hijacked, I want to know about it. Now. When someone's PC is used in a DDOS attack, isn't that illegal activity? I've always heard that ignorance of the law is not an excuse, so if someone is not aware their PC is being used illegally, their PC is still being used for illegal purposes ... should they be held accountable? If there is an activity that is *questionably* legal but can potentially help with the Botnet problem, I'm all for it.