On Friday, the World Wide Web was officially 20 years old.
The BBC celebrated its birthday by explaining the inner workings of a ‘botnet’. A botnet is a robotic network: a series of private computers that have been linked together by being infected with code, usually introduced in the form of trojans and other viruses, which allows the originators of the code to take control of each computer whenever the owner is online.
Computers that have been caught up in a botnet have been effectively taken over, and are usually controlled by criminals and spammers whose motives include selling viagra, operating financial scams and crippling websites through coordinated attacks. These gangs rent out use of ‘their’ bot for many thousands of pounds.
Perhaps not the sort of company you would expect a publicly funded organisation to keep, so it will come as some surprise that the BBC ‘Click’ programme not only explained how to organise a ‘bot’ – it obtained access to a botnet of 22,000 compromised Windows PCs from an underground forum. It used these machines to send junk mail to two accounts it had established with Gmail and Hotmail. The programme also used these compromised PCs to show how they might be used in a distributed denial of service attack (DDoS), which bombards a website with traffic until it becomes blocked. Some criminals threaten website operators with DDoS attacks in bids to extract pay-offs.
In fairness, the researchers did warn the owners of the malware-infected PCs, by forcing their PCs to display a message from BBC Click explaining how to clean up their machines.
The Computer Misuse Act 1990 makes it an offence in the United Kingdom to access another person’s computer, or alter data on their computer, without the owner’s permission.
The legislation has been used on a number of occasions to bring British hackers and virus writers to book, as obviously anyone breaking into a computer or installing malware is in breach of the act.
It is, therefore, somewhat surprising to find that the BBC appears to have breached the law when making a programme about computer crime.
Blogger John Graham was quick off the mark and e-mailed the BBC. He received this rather surprising reply:
It was not our intention to break the law. At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of PCs without the owners even knowing it is there; and its power to send spam e-mail or attack other websites undetected. This will help computer users realise the importance and value of using basic security techniques to defend their PCs from such attacks. The BBC has strict editorial guidelines for this type of investigation which were followed to the letter.
Struan Robertson, a technology lawyer, says:
“The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam. It does not matter that the emails were sent to the BBC’s own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer,” he said.
“The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorised – which the BBC appears to acknowledge. It does not matter that the BBC’s intent was not criminal or that someone else created the botnet in the first place.”
The Register has asked the BBC whether it paid cyber criminals for access to this botnet using public funds; it has yet to receive a response.
The BBC appears to be pleading a ‘public interest’ defence to its law breaking – if the BBC did indeed pay for this access, is the public interest sufficient to warrant payment to cyber criminals?