Having devoted much of the past few days to blogging on the topic of the BBC's venture into criminal botherding, and a small portion of my weekend to watching its controversial Click programme, as well as to reading the BBC's own responses to some of the comments from the security industry and others, I'd like to make one or two points here.
It's clear from viewing the whole programme (which some of you at least can do online, if you haven't yet had the opportunity) that the BBC paid several thousand dollars for the control of a botnet comprised of nearly 22,000 infected machines. A bargain, no doubt, but money going into the pockets of an anonymous criminal, albeit for purposes of investigative journalism.
Mark Perrow, Executive Editor of Click, says that it was "in the strongest public interest" to demonstrate "the power of today's botnets": I don't dispute that, but that doesn't justify the way in which Click went about it: buying a real botnet and using it to send pseudo-spam to email accounts and to carry out a mock Distributed Denial of Service attack on a server owned by Prevx, who participated in the program.
The actual demonstrations may have been effective enough as simulations of real attacks, but I don't think they were "real": at least, not in terms of "attacking" the BBC's own email accounts and a minimally DoS-proofed server. I don't think Perrow has proved that they were more effective than other possible simulations or semi-simulations that needn't have involved hijacking systems to which the BBC had no right of access.
And by the way, Mark, you didn't "pose as a customer", you were a customer. This isn't just flirting with the darkside: it's more like paying the darkside for services rendered behind the bike sheds, then bragging about it to the tabloids!
I don't think anyone has accused the BBC of teaching "botnet exploitation for dummies". I'm sure that the botnet problem has been brought to the attention of more people in the past few days than I've been able to reach in many years of writing specialist books and articles, and that's fine. But it isn't fine for a respectable public body to place itself above the law.
Click's claim that they didn't break the law because they had no malicious intent remains dubious, at best. I am most definitely not a lawyer, but intent as defined in the Computer Misuse Act has little to do with benevolence, and everything to do with intent to commit the activity that the CMA defines as illegal.
Some sources have expressed some approval of the BBC's "vigilantism": well, there's good work in countering botnets done by groups that have been described in similar terms, but they don't go out of their way to play footsie with the bad guys, and they don't (or shouldn't) cut legal corners without the bless of law enforcement agencies.
I've been asked - not always politely - why I am so concerned with the interests of the owners of bot-compromised systems, when their irresponsibility is, to a large extent, one of the primary causes of the botnet problem. It's because they're victims too. If they fail to appreciate the role they need to play in maintaining the safety of their own systems and accepting their own responsibilities towards other members of the internet community, that's not only their own fault: it's the fault of society as a whole, and the media and the security community have a responsibility and a role to play in correcting that failure. But if it's done by giving unnecessary comfort to the enemy and even emulating their methods, that poses legal and ethical problems, and risks bring the corporation into disrepute. Moreover, it makes a mockery of the work of those who are trying to address the problem by legal and ethical means.
