BBC BLOGS - The Editors

Click's botnet experiment

Mark Perrow | 17:58 UK time, Friday, 13 March 2009

There's been quite a bit of discussion in the blogosphere over the past 24 hours about the Click botnet experiment. It was aired in news coverage and detailed on this site yesterday - you can see it here, and you can see the full programme on BBC World News and the BBC News channel over the next few days.

Put simply, we posed as a customer, and bought a piece of software which gave us control of thousands of infected computers around the world.

We commanded them to send spam messages to our test addresses, and to stall a website by repeatedly requesting access. Not a working website, of course - in the real world, this technique is used to extort money from businesses that rely on the web for their very survival.

We alerted the PCs that they were liable to infection, gave them a place to go to for further advice, and destroyed the malware for good. It's all in the programme.

A lot of the debate has been about whether we did the right thing digging into the murky world of hackers and organised cybercrime. In seeking to demonstrate the threat, had we put ourselves in the position of those we wanted to expose?

That's always a good question. After all, we could have simply described what we believe happens and given some warning advice, couldn't we? We've done this in the past. So have many others...

But hacking has gone professional. Today, your PC can be doing bad things to other people without you even knowing. It's a major growth area for organised crime: it's global, and very local to all of us who work, communicate and play on the world wide web.

So we felt that there was the strongest public interest in not just describing what malware can do, but actually showing it in action. A real demonstration of the power of today's botnets - to infect, disrupt and damage our digital lives - is the most powerful way to alert our audiences to the dangers that they face. It's a wake-up call to switch on that firewall and improve our security on the internet.

We think that what we did was a first for broadcast journalism. We were amazed by the ease of use of the botnet, and the power of its disruptive capacity.

No-one watching our programme could learn how to build a botnet or where to go to buy one. But what is very clear is the level of threat - especially to home users who don't have the benefit of corporate-level security. (Our guide to PC protection is here.) As the hackers continue their silent running, we thought it was our job to expose the mechanics of their hidden economy. Please watch the full show and see what you think.

Mark Perrow is executive producer, Click.

Comments

  • Comment number 1.

    As the full show isn't on iPlayer yet I'm not sure if you did this, but it might have been interesting to have the message you sent to the users ask them to phone the click office.

    You could then have seen just what sort of users were caught in the net and whereabouts they were.

  • Comment number 2.

    You were totally 1000% justified in doing this.

    If it wasn't 'Click' online with a test, it might have been something much more malicious.

    No doubt some eejits have been complaining about this. What would they have preferred - some Russian teenagers hacking into their pc and setting up a phishing expedition to suck some money from online banking accounts to fuel the East European mafia ??

    What you need to bring home is that many banks have ALTERED the terms and conditions and legal SMALL PRINT [which most people don't ever read] to make customers liable for some of the losses from their accounts, if money is removed fraudulently, and they didn't take REASONABLE STEPS to prevent it.

    So if it isn't Click Online and the BBC bringing this important issue to their attention, and they haven't kept up with developments in internet banking, virus control and pc protection software, then the way that they find out may be when their online bank account has had funds hoovered out of it by criminals outside the UK jurisdiction.

    I'm not necessarily an advocate of the way the banks are trying to offload the liability and risk for fraud onto their customers - but it is essential that the BBC do their role and educate people about these issues and the other problems which people like the National Hi-tech Crime Unit are uncovering.

  • Comment number 3.

    I moderate an IRC server (we see a thousand regular users connected concurrently) that has been used for botnets, we’re very active in dealing with them (banning systems from the network) and filing reports to other admins via mailing lists to help assist other networks deal with the problem.

    I am truly shocked that in the process of ‘journalism’ you didn’t consider talking to all the people that deal with the constant pest of bot masters using chat networks to manage their bots, and also that in the process you’re likely to have used one of the servers of well-meaning friends.

    Offended that you’ve claimed to have alerted the drones system owners (unlikely) and removed their malware (even more unlikely), and not considered that you need to apologise to ISPs and network providers that you’ve abused in the process.

    And CAN YOU PLEASE stop referring to these systems as PCs, they are Windows drones, no other platforms like MacOS or Linux are affected or used in this way and you’re continuing the trend of telling people that all computers require extra protection.

  • Comment number 4.

    With respect Mark I don't think you have answered the question.
    Nobody is suggesting these botnets are other than bad or arguing with the usefulness of a program to educate and warn PC users. Full marks for making one.
    The worry is that you went beyond that and apparently used one and then deliberately manipulated users data on their PCs. The fact that you have a loftier moral motive than the fraudsters and meant no harm doesn't affect what you actually did.
    Would you investigate door locks by setting a tame housebreaker to gain entry and leave a message in the insecure houses? I doubt it.

  • Comment number 5.

    Eh, I'd guess that biggest villains in cyberspace would be governments and you can pick any of the many.

    As others strive, Britain already made it to 1984, nothing else to say but it's ''by the book''.


    Peeking from the other side of the tube, peeking from the buildings, poles, trees even?

    Who would need such control of population and for what purpose?

    Freedom is not tidy, as Rumsfeld once told.

    Pih, pfuj even.

  • Comment number 6.

    I understand the argument. I respect that you acted from the best of motives. I cannot condone what you did. The end does not justify the means. As "White hats" we have to exercise moral judgement and resist the lure of doing something just because we can.

  • Comment number 7.

    Since there was never a doubt that these bots can do what they claim to Windows OS controlled PCs I wonder just what you were trying to prove. Certainly your blog far from legitimises what you did.

    There is a simple fact that no networked computer can ever be entirely secure, no matter what security software or hardware is used. Bots or no bots that will still be the case. It is received wisdom that Windows is less secure than many other operating systems and yet it remains a popular choice amongst many IT professionals.

    Certainly with the correct software installed most Windows users can render their computer very safe from attack. That is until the day comes along when the user does something silly and the software is asked to retrieve the situation. The best software will most often do its job, but are the majority of users buying the correct software for the use they put their computer to?

    And as for the journalistic "Today your computer can be doing bad things to other people without you knowing" you presuppose that most people do not check traffic on their connection when it should be idle.

    Maybe the best advice you can give to anyone is to check traffic at all times they are connected and to switch off the modem at any time unexplained traffic is experienced. As an alternative they can also use security software to block all Internet traffic if they are not intending to go online.

  • Comment number 8.

    I'm also fairly interested in the amount that this has cost, not only to the licence payers, but to the industry in general. For those interested, please see my FoIA request at http://www.whatdotheyknow.com/request/amount_paid_for_use_of_botnet_in

  • Comment number 9.

    I have some sympathy for the public interest argument but I'm concerned about the legality of what you did.

    In the report it states that the lack of criminal intent makes it legal, but I and others more learned in law than me are struggling to reconcile this with section 1 of the Computer Misuse Act.

    This seems to make unauthorised access to a computer system a crime in itself, regardless of the reasons behind that access.

    I would be very interested to see a response which addresses this point.

  • Comment number 10.

    Hackers are definitely anti-social who have hidden agendas. By breaking into other people's computers, they would like to control the cyber-world with their own philosophy. By surreptitiously entering your computer, they try to steal vital or sensitive information which they are not entitled to. Hackers need to be stopped in their tracks before they inflict damage. Stiff sentences should be given once they are caught. Obviously they are intelligent but are using intelligence in misguided ways.

  • Comment number 11.

    #10

    I think you miss a point that many "reformed" hackers have helped to develop the world's best security software. That others rise to the challenge is, to them, a game. The possible or potential pay-off from a criminal element is very often an afterthought.

    That is not to decry the criminal abuse of personal data, most of which, interestingly, is gained through poor security of data, most often nothing to do with hacking at all.

    We are many, many years into the computer revolution and yet we still steer clear of operating systems that are considerably better at their job (speed, efficiency AND security) than Windows. Perhaps instead of wanting to hit hackers hard we should be expecting major software developers to show a bit more craft in their products. We should also expect all government and commercial organisations to have the best security systems they can find. Most certainly do not have this.

  • Comment number 12.

    If the computers are already insecure and open to attack by hackers then it's better the BBC do a controlled experiment with the computers than have a hacker take control of them for more sinister purposes. It's worth noting that these computers were ALREADY infected (as far as I can tell).

    At least by informing users by posting a notice via their wallpaper should act as a wakeup call and provoke them into taking preventative action. Hopefully it'll help prevent their computer from being used in future by hackers, reducing future malicious internet traffic.

  • Comment number 13.

    This should come as no surprise to anybody with even a mild interest in the BBC over the last few years. They have increasingly taken the moral high ground, an attitude of 'We know what is best for you' and 'We can do what we like, so long as it is in the public interest'. Political bias, even an attempt at 'muck-raking' against Barack Obama in his own back yard being just two examples; this is just one more!

    If I were to attempt a break-in at Mark Thompson's house, I have no doubt that I would be promptly arrested, regardless of whether I took anything or not!

    Whoever it was that took the decision to do this should be under no doubt that it was an illegal act and as such, should be investigated by the Police.

  • Comment number 14.

    This is a somewhat evasive blog: no wonder some of the people who posted comments have missed the point.

    No-one, as far as I know, has accused you of teaching botnet exploitation for beginners. No-one has a problem with your bringing the botnet problem to a wider audience: I'm sure that you've brought the issue to the attention of more people in the past few days than I have in many years of writing books, blogs and conference papers, and that's fine, even if you did get some of the detail wrong.

    But you haven't explained why it's in the public interest for you to put money into the pockets of professional criminals.

    You haven't explained why it's OK for you to use malicious software and techniques by hijacking systems to which you have no right of access, in defiance of the Computer Misuse Act, when you could have got the same result on a closed network using your own resources, or paid someone better qualified to do it for you. You certainly haven't explained how your definition of "intent" varies so dramatically from the definition within section 3 of the CMA.

    "(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—
    (a) to impair the operation of any computer;
    (b) to prevent or hinder access to any program or data held in any computer; or
    (c) to impair the operation of any such program or the reliability of any such data"

    You haven't explained why a dummy spam mailout is a "real" demonstration and more "in the public interest" than the dozens of other ways you could have made the same points.

  • Comment number 15.

    This comment was removed because the moderators found it broke the house rules.

  • Comment number 16.

    Very quietly the Police and Justice Act of 2006 went through parliament; this SPECIFICALLY out-laws DDOS attacks. The computer misuse states:

    "(1) A person is guilty of an offence if—
    ...
    (b) the access he intends to secure is unauthorised; and

    (c) he knows at the time when he causes the computer to perform the function that that is the case."

    Therefore sending spam is a function of a computer and the BBC didn't have permission on the owners of the computers on the infected botnet.


    ALSO: paying for the botnet is-
    i) illegally funding crime
    ii) a waste of license payers' money

    The BBC also need to get their definitions correct. Hackers are harmless smart people who just like to play with things and see what they can make things do. CRACKERS are the malicious type who send out hundreds of spam e-mails, perform DDOS attacks and steal your bank details!


    The BBC is giving us hackers a bad name


    -NeoChivers-

  • Comment number 17.

    #13

    I agree that the BBC tends to demonstrate an entirely unjustified high opinion of itself. It also shows that schoolboy tendency to say "look what I've just done". Well actually all that happened was that the BBC knowingly gave license payers' money to a criminal. The BBC didn't prove anything other than boyish stupidity. Instead of keeping sheepishly quiet about it the BBC then admits to having committed the crime in the opening blog.

    Would the BBC run an undercover operation in Iran to build a nuclear weapon just to prove it can be done? Would the BBC put a "fake" suicide bomber, complete with bomb, on a London tube train just to demonstrate it can still be done? Would you crow about these things if you succeeded?

    The vast majority of computer crime is committed via lax handling of personal data by people who should know better, not by hackers whose only aim is to show the many security holes that exist in our computer systems.

    If people (including all BBC personnel) do not use the grey matter they were born with and exercise a little common sense to their computer habits then they lay themselves open to being shafted. It is as simple as dropping or throwing notes out of a wallet or purse, and it does not require a prank to show how it is done.


  • Comment number 18.

    I think it was a good idea though I'm not sure the message will ever get through. Most people (not all, by any means but most) think it's always the other guy who gets it, then hand their secrets to complete strangers.

    Most people need a huge screen filled with a large typeface warning them not to give any personal details on a site linked from an email. But would even that be enough? Looking at Facebook that now claims it owns your identity, people seem all too willing to hand their secrets over.

    I feel you should have been stronger on the advice - how to create a firewall and check if it's working; how to check if your computer is sending spam (it doesn't show up on the "sent" list); how can people forge your email address; and is a program like Spybot that will interrupt an attempt to alter registry entries with something suspicious.

  • Comment number 19.

    Did the BBC consider if they were breaking any laws in which the computers reside?

    Not only have they broken the CMA but also probably many other laws in many different countries.

  • Comment number 20.

    Just to add my 2p - I genuinely can understand what you were trying to achieve. I and many others have been aware of the issue for a long time and a lot of the pros would love to do what you did - order botnets to self-destroy. They can also do it without needing to buy access.

    I'm sure you're aware of McColo being taken down and the opportunities that were available to order hundreds of thousands of machines to clean themselves up (if not, google it) - But the professionals chose not to act as it would be illegal to use the botnet to do anything (including destroy itself). If the people who do this all day every day had to accept that they couldn't act legally, why do you think you can?

    There are a number of issues here - I don't think anyone objects to you informing a wider audience of the issue and no doubt this controversy will raise the profile even higher. The illegal use of a botnet wasn't required to achieve the above goal. As has been suggested here already, why not infect a network you control rather than using real machines worldwide?

    Lastly, the REAL best way to avoid being infected is to avoid using internet explorer (and to a lesser extent, windows). I understand that you'd be treading on some big legal toes but it's been done before ( http://news.bbc.co.uk/1/hi/technology/7784908.stm ) and that would have been far braver than paying hackers and then not providing decent clean-up advice.

    All in all, I have to say I disagree with your decisions.

  • Comment number 21.

    I just have to say that I fully support the BBC in this ethical hacking exercise. It is a terrific way to raise awareness of the threat of botnets which is otherwise in a hidden and murky world. This has been going on for over 5 years and this is the first time I have seen the subject described to a mainstream audience.

  • Comment number 22.

    So, according to the BBC it's OK to hack into a computer system, as long as there is no intent to cause problems. So presumably it would be OK for me to hack into the BBC system, change settings and use it to send mail?

    The BBC are so arrogant it is unbelievable. We know best, so we do what we want.

    I also think you have broken the law.

    Under the Computer Misuse Act 1990:

    3(1) A person is guilty of an offence if

    a) he does any act in a way which causes the unauthorized modification of the contents of any computer; and

    b) at the time when he does so the act he has the requisite intent and the requisite knowledge.

    3(2) for the purposes of subsection 3(1)b above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing

    a) to impair the operation of any computer;

    b) to prevent or hinder access to any program or data held in any computer; or

    c) to impair the operation of any such program or the reliability of any such data.

    As you can see, the hacking done by the BBC clearly falls under section 3(1)a and 3(1)b. The requisite intent under 3(2)a is also met. Any change of, and storage of, code in the memory of a computer will make this part of the memory inaccessible to other programs, i.e. the performance will therefore be impaired. Further, sending email on that system reduces the available bandwidth to the owner, again impairing the system.

    Breaking the law, whatever the motives, is still breaking the law. But hey, we're the BBC so we will just ignore that.

  • Comment number 23.

    There are some bizarre arguments here, along the lines of "the first rule of botnets is you don't talk about botnets".

    It was about time someone showed how the interfaces to these systems are now so simple that it is not criminal hackers who are using them but almost anyone who can operate a PC.

    As for the endless (yawn!) debates about which operating systems are secure or otherwise, it is useful to recall that all of the original network computer exploits were originally UNIX-based as Windows decide to be properly network connected (and thus vulnerable) until "95 Second Edition".

    So, bravo to Click, hope this might allow it to transfer to BBC One where it belongs and keep up the good work.

    This kind of intelligent but comprehensible reporting is great for the general public and officials who need to know this stuff.

    In particular the section about DDOS was of the highest standard television.

  • Comment number 24.

    I’m completely with the BBC here.

    The fact is that huge numbers of people now have computers and broadband, and the vast majority of them probably don’t know what a botnet is.

    So anything that raises awareness of computer security issues is a good thing. Both users and manufacturers have been negligent for far too long.

    Yes, the BBC had to pay money to criminals and access computers without permission. Both were regrettable but essential. Had they just talked about botnets, it wouldn’t have had anything like the impact that this real demonstration is having.

    In my view, the public interest case for the BBC's actions is overwhelming.

    And it's a far better use of our licence fees than paying huge salaries to personality presenters who demand pay cheques as big as their egos.

  • Comment number 25.

    These kinds of arrogant excesses by the BBC convince me that it must have a major clear out of many of its journalists before they bring the whole house down.

  • Comment number 26.

    Surely the viewers of Click are people interested in technology and therefore on the whole computer literate. They are aware of the threat to their Windows PCs and take necessary measures to counter this. I would be surprised if any of the computers you hacked into belong to Click viewers or that any unsecure computers (other than those hacked into) have now been made secure following the broadcast.

    I can't really see what was achieved by your illegal action.

  • Comment number 27.

    Having seen the programme, read the editor's blog and read through all of the comments, I now feel ready to add my say. I work as a computer forensic investigator and professional penetration tester; this is a legal hacker for want of a more accurate description. I get paid to hack into my customer's computer systems to help them secure them better. So I have experience in this area.

    I am not going to comment on which operating system is better than any other as that depends on what software is installed and the user in charge of it. I am also not going to comment on the 'public interest' of such a subject as it clearly is in the public interest. I have two points.

    My problem with the BBC on this subject is the legality of the offense, and I use the word 'offense' deliberately. In my opinion, and that of other security professionals, the BBC has condoned illegal activities and should be investigated by the police not only in the UK but also in the countries where the botnet victims reside. The computer misuse act 1990 is quite clear about permission and there is no evidence to suggest that the BBC gained prior, written permission for access from the ~21,000 botnet victims. The BBC are not (NOT) above the law even if they believe that their moral high horse will protect them. This is arrogance at the highest level and the editor’s blog goes no way to justifying their actions.

    Some good examples have been given on the comments but let me add this one. Would the BBC attempt to smuggle a fake bomb onto a plane to prove lapses in airport security? I used to do bomb disposal in the Army and let me tell you that this can be done, but I won’t do it! Why? Because I would be arrested under terrorism charges even if I then showed them where they had lapses and helped fix them.

    My second and probably biggest problem with this offense is that a criminal group etc has profited from it. Is the BBC now in the game of funding organised crime? How much of the license payer’s money was given to these criminals for this poorly thought out publicity stunt? Please tell us.

    The BBC as a publicly funded organisation should be better than this. The UK population are required to pay for a TV license so that the BBC can exist, fine, whatever. But never - NEVER - use my money to fund crime. Never - NEVER - use my money to commit a crime.

    I suggest you get your lawyers onto this as they are likely to feel some pressure to respond.

  • Comment number 28.

    We all know the bbc loves Microsoft, hates open source and the internet - stop spreading the fud Mark@bbc.

    I refuse to watch click for the reasons I listed - and please microsoft pcs are the bots in net. It be nice if you said so.

  • Comment number 29.

    @27,

    Sorry this is just so much arrogance on your part. Your job is computer security so you would be out of a job if people knew enough to take the simple steps to protect their computer system. The BBC has done an investigative report along the same lines as the News of the World reporter getting a job at Heathrow or Buckingham Palace and pointing out the security weaknesses. The difference here is that it is upon a subject that is much more relevant to the general population and indeed it Needs wide media exposure in order to make people aware of the subject.

    Your moral high horse is just a job protectionism which is obvious by such statements as pretentiously "not commenting on operating system or installed software". This is all part of the FUD and mystique that you wish to build for your "profession".

    I congratulate the BBC on their report and their imaginative investigative approach to covering this issue.

  • Comment number 30.

    I hope that the BBC took all of the legal resource in regards to protect against legal problems...

  • Comment number 31.

    The problems with Windows hail from Bill Gates' lack of foresight over the growth of the Internet. The panic buying of a third party browser (to be branded Internet Explorer) to challenge the very secure Netscape showed Microsoft's desperation not to be left behind. A bigger mistake by Microsoft was to bolt the still poor IE4 into the Windows core, a developed action that was later successfully challenged in the courts.

    All software designed to exploit holes in an operating system is simple and can be dealt with by equally simple security software. The intruder relies on a set of rules being true and any complexity is in how the breach of the hole is developed in successive jumps. Anyone with a simple set of rules who uses a computer heavily without security software is very unlikely to be attacked. Most people however do not like following simple sets of rules and so they rely on software to do the job for them. The advice is simple. Try before you buy and avoid software that is difficult to uninstall. There are some highly effective free products available too.

    The security market relies on the kind of hype demonstrated in this blog and Click's program. By creating anxiety amongst users the criminal element has the perfect environment for the "mistakes" they rely on to be made. Bot nets are not "clever, thinking pieces of software" they are a simple development of a very old idea. The BBC and Click are sadly mistaken if they think this is not poor "exploitation" of people's fears.

  • Comment number 32.

    @29

    "The BBC has done an investigative report along the same lines as the News of the World reporter getting a job at Heathrow or Buckingham Palace and pointing out the security weaknesses. The difference here is that it is upon a subject that is much more relevant to the general population"


    No, the difference here is that what Click did is a criminal offence. The News of the World reporter lying on his CV would be committing a civil offence at most.

  • Comment number 33.

    Imv, it is (was) not news that this happens. You did not have to make a pudding to prove it.

    Now the real news would be that you have found a cure for all this.

    A simple question. Why do ISPs send on spam. Why cannot they delete it at source? Even sauce.

  • Comment number 34.

    You seem to be under the impression that this is all automated, it isn't.

    Those boxes are generally exploited using public exploits:-

    [Unsuitable/Broken URL removed by Moderator]

    All the latest buffer overflows and sql injection exploits are there as source code. Anybody can take that code compile it and start exploiting systems.

    What might surprise you is the majority of people doing this are not doing it to sell a BBC reporter access to a home user's computer especially seeing as they would have rubbish internet connections.

    Most machines are exploited for international file sharing via ftp which is where ultimately all the pirated content you see on file sharing networks comes from.

    But most machines are not home users as you suggest and in fact even criminals selling boxes would not generally sell home user boxes either.

    Why would you buy 100 home user boxes when each of them only has 128k upload? 1 box from a commercial network ie: keyweb in germany could do the same job as over a hundred home user boxes.

    So is this a good thing? Maybe not but I would rather such information was freely available than only available to a select few. Knowledge is power and without the freedom of knowledge network security would be far worse than it is today and those who would do real harm ie: terrorists cannot have a free for all as a result.

  • Comment number 35.

    I have no problem with this Mark.

    If mine had been one of the vulnerable computers I would have thanked you for letting me know.

    Personally I think it would not be a bad idea if ISPs put some resources into an ongoing programme of the same type - examining their customers' computers and warning them. The spam avalanche is one of the main issues coming out of these 'bots' and the ISPs could save some cash on bandwidth saved.

  • Comment number 36.

    @32,

    ... the difference here is that what Click did is a criminal offence. The News of the World reporter lying on his CV would be committing a civil offence at most

    I think you'd have a hard job proving this to a jury. Go on and waste more tax payers money and take the bbc to court, but the action would fail.

    The BBC has performed a public service getting this issue aired, no damage was done and was indeed, "ethical hacking".

    I'm not saying they should be doing such on a regular basis - but then they won't be doing so anyway! I agree with jon112uk, that if my vulnerable computer was used in this demonstration then I would have thanked the BBC for letting me know.

  • Comment number 37.

    Can BBC 24 News broadcasters see me in my bedroom? I sense it often and am quite annoyed by it. I heard some women talking to me at night. Some of them are from the media. Some voice is from the street, some are connected to my room. Am I a special worthy so much their energy? Will I get any material benefit from it? I feel very painful and feel they never consider my feelings inside.

  • Comment number 38.

    Don't allow the BBC to scare you, it's actually quite an inaccurate, poorly researched story.

    There is no reason anyone should be vulnerable to public exploits which is what most of those boxes would have been hacked with. Simply patch your operating system and most of all SECURE YOUR PORTS.

    Buy a router and then even if your PC does get compromised it will be difficult for their rootkit to receive a connection due to the lack of a forwarded port.

    So if you have a USB modem, bin it.

  • Comment number 39.

    @# 35 & 36

    Why on earth would you be happy? All that you will have learned is that you had an infected machine that may have been cleaned of a botnet. That doesn't tell you how you managed to "allow" your machine to become infected, whether you have other infections, or what you are NOT doing to prevent such infections in the future. The problem with security hype is that it focuses on the "what could be" in order to deal with the "what is". The infection algorithms are always simple because once the hole is breached (an action the user must "allow") then the exploit makes whatever it wishes out of the breach. Appearing to clear an infection is a dangerous assumption that we entrust to security software and yet many products do NOT clean the infected machine.

    The whole point of security measures is to prevent infection in the first place, not to have to resort to complicated cleaning that has been proven to be rather ineffective in many examples of security products. These products already carry a further difficulty for the user in that they may report false positives. Many games titles use highly suspect copy protection which can be easily exploited by anyone with the determination to do so. However it is in the user's gift to prevent any of this happening by acting with common sense on all matters related to their computer habits.

    If the BBC wishes to do its users a service then it may wish to investigate security software and software protection mechanics. By highlighting some of the poorer activities used by the software industry it may help to improve quality.

  • Comment number 40.

    "@32,

    ... the difference here is that what Click did is a criminal offence. The News of the World reporter lying on his CV would be committing a civil offence at most

    I think you'd have a hard job proving this to a jury. Go on and waste more taxpayers' money and take the BBC to court, but the action would fail."


    It would actually be incredibly easy - they freely admit to what they did and the law clearly states that what they did is illegal. It's the act of unauthorised access that makes the offence, not the intent. I'm not saying that there is anything to gain by pressing charges, other than maybe making them a bit more careful.

  • Comment number 41.

    @40,

    "Go on and waste more taxpayers' money and take the BBC to court, but the action would fail."
    "...It would actually be incredibly easy"


    Oh? Please tell me the number of times this act has been used and been successful? I feel a Clive Ponting moment http://news.bbc.co.uk/1/hi/uk/216868.stm as the BBC describe what they were doing, the media coverage and "security professionals" attempting to justify how good it is for society to have insecure computers. (That sentence is correct). I have confidence that the jury can do their own Threat and Risk Analysis.

    In the meantime, security professionals need to go get their own house in order before they start throwing stones into other people's ponds. (ok, apologies for the mixed metaphor). Auntie Beeb, why don't you follow up this investigation with just how dreadful security IT is where it really matters?

    http://www.computing.co.uk/computing/news/2234069/quarter-mod-systems-tested-far

  • Comment number 42.

    "Please tell me the number of times this act has been used and been successful?"


    I think you're missing the point. Due to some rather clumsily worded legislation, action like this which highlights a problem and tries to help the victims fix the problem is still technically a crime because intent isn't taken into account. It's right there in section 1 of the act.

    Recent amendments to it increased the penalty to a point where you can be extradited for offences under the act (see Gary McKinnon) and also make it an offence to distribute "any article" if there is a "likelihood" that it will be used to commit offences.

    That basically puts security professionals at risk of accidentally committing a crime just by doing their jobs. Tools they use to find weaknesses to fix can just as easily be used by someone to find weaknesses to exploit. Also, an "article" could be defined as information and so allow a software company to silence someone trying to draw attention to security flaws.

  • Comment number 43.

    @43,

    I think you are proving my point that the law is an ass in this case.

    So again, I think it is great that the BBC is exposing some of these problems.

  • Comment number 44.

    Should one of us call the police?

  • Comment number 45.

    @43,

    "I think you are proving my point that the law is an ass in this case."

    I think you'll find that was my point - you claimed that there was no crime committed. I agree the "law is an ass" here, but they could have highlighted the problem without going out and breaking that law themselves.

    Malicious, no. Misguided/naive, definitely.

  • Comment number 46.

    This comment was removed because the moderators found it broke the house rules.

  • Comment number 47.

    We all know what 'botnets' do, this is no excuse for breaking the law. Can the BBC be 100% sure that the botnet they bought did not have some other payload?

  • Comment number 48.

    @ #44

    According to Reuters, Interpol have the BBC TV Centre surrounded and are going in at dawn tomorrow; or maybe they meant today. You kind of lose track of time with Reuters don't you?

  • Comment number 49.

    @45.

    "I think you are proving my point that the law is an ass in this case."

    I think you'll find that was my point - you claimed that there was no crime committed. I agree the "law is an ass" here, but they could have highlighted the problem without going out and breaking that law themselves.

    Malicious, no. Misguided/naive, definitely.


    I concede your point. Not too sure about your "misguided/naive" statement though. I still think the BBC raising this issue, in this particular way has been a public service. It would be academically interesting how they assessed the legal issue. I disagree with @47 richardcaves stating "We all know what 'botnets' do" - if people really understood botnets then they would protect their PCs better. Clearly they are not.

  • Comment number 50.

    @49

    I think your logic is a little muddled. If "botnets" were highly successful at their jobs then all computer users would "know" someone whose machine has been decimated. A part of the issue we are debating is whether the "actual danger" (i.e. without hyperbole) is as real as this article and the "Click" program would have us believe. I do not believe it is and I have been a professional in the IT industry for over thirty years.

    Looking at some of the hysteria driven "problems" the IT has had over the past decade it really doesn't matter whether you have "protection" or not unless the "protection" you have is able to deal with a specific problem YOU cause. Note the emphasis on YOU because without your intervention in the way the malware requires they are pretty darned useless.

  • Comment number 51.

    Mark,

    Your piece gives the impression that you accept that there is at least a case to be made that you should not have done this and that, in fact, what you did was illegal.

    It's unfortunate that you have completely undermined this position by removing a perfectly civil and well informed comment by Graham Cluley (#46). Graham has posted the deleted comment on his blog.

    Can you tell us why you did this?

  • Comment number 52.

    I would also like to complain about the removal of comment #46. Either reinstate the comment, or explain to us what about it caused it to be removed.

    Thus far, it seems you removed it because you don't like its content. Hardly a reason to remove it.

  • Comment number 53.

    Hello Everyone

    I wholeheartedly support BBC Click in bringing this issue to the attention of main stream audiences. I have no concerns or interest in the legality of the method used to prove the point. The report from a factual and technical point of view was the best the BBC could do without risking eyes glazing over.

    To all the bloggers who raise legal issues or have a problem with what the BBC did... WAKE UP! The BBC did our industry a service - it's a pity that our industry could not do this for the benefit of itself and the people it serves.

    Instead of complaining about what the BBC did and how they did it - we should be looking at ways of legally setting up an "anti cybercrime organisation" that specifically uses the sort of tools and mechanisms that Click used in its programme to go after Crackers and relieve poor unsuspecting users from this nightmare world of fly by viruses.

    My experience is that there is a war going on out there and there are certain clear things users can do to protect themselves.

    1. Buy a decent router with a hardware firewall built in
    2. Find out what AV software protection works (google for a review) (the world's most popular AVs do not work and are easy to switch off)

    I spend my working life visiting people's homes and businesses repairing PCs and cleaning viruses off PCs (Microsoft) - I do not know everything, I am kept very busy.

    I am not in the real sense of the words an "IT Guru", just someone that has been in the industry for nearly 20 years and have at one point or another seen the best and the worst the industry (and users of it) as a whole has been responsible for ... (long sentence but you get the point)

    Time and time again I visit clients and find the following scenario

    1. Children in the house 10 - 16 yrs, girls or boys: girls love MSN, the boys are into anything that is for the maladjusted
    (if it's a business then there is no qualified IT Manager present and there is no IT policy that prohibits worker internet activity)
    2. Unsuspecting busy parents who do not know what their children are doing on their PCs
    3. They have got bang up to date antivirus (the two most popular ones at PCW!) (Can't say Norton or McAfee - you may delete this Mr Moderator)
    4. They have paid their hefty subscription to these companies.
    5. Generally but not always a USB modem is present.
    6. Heavy Peer to Peer activity (MSN, Internet Games)

    Every time and I mean EVERY time the following infections, spyware and peer to peer programs are on the systems

    1. My websearch toolbar - This enables a conduit to the nasty stuff
    2. Antivirus pro 2008/9 - This is a con to get your credit card details
    3. Limewire - This is a mechanism to provide free illegal music
    4. Bit Torrent - This is a mechanism to get hold of free software (illegal)
    5. Free (illegal) Music - Nothing is free except the virus that is bound into the MP3 file
    6. Free video codecs - (Click here to download this file to enable you to view this video - This is the virus)
    7. BearShare is present

    Here are the rules that will keep your PCs clean.

    1. Get an ethernet router with a firewall built in - do not buy the cheapest
    2. Test your firewall (www.grc.com). This will test whether your PCs are invisible to port probers
    3. Buy decent (inexpensive) AV software
    4. Don't download free Music - you'll get a virus
    5. Don't share or download files on Peer to Peer, you will expose yourself to other users' viruses
    6. Don't download video codecs to enable you to view video clips unless it is from a trusted source

    Finally

    If the BBC wants to continue their exposé here are the useful areas that could be explored that will inform and protect people and their systems...

    1. Do an Anti virus/Malware software test drive of the most popular software (say the Top Ten)
    2. Specifically do the sort of activities that people should not do (but almost always do!) and see which AV software does the best job of protecting PCs (Microsoft based). Then, ask the manufacturers of that software why their software is so easy to circumvent, and what are they going to do about it?

    We are all computer users - right? We all want an easy life - right? We are all interested because we are users - right? So why do I see seemingly intelligent, qualified IT people blog themselves insane complaining about what the BBC Click programme did when it is clear that knowledge is power and to the disadvantage of those who wish to exploit the unsuspecting....

    Regards to all - I wrote this to pass some time (whilst yet another 8 PCs are being scanned and cleaned of yet more infections) before putting on the protection to prevent (as best as possible) future attacks from thieves who wish to extort and steal other people's hard earned cash.

  • Comment number 54.

    @53, CDoSPCoctor.

    I heartily support everything you have written. The link between illegal downloads, careless users and viruses is very interesting.

    I would also suggest people read this about the comparative threat between PCs and Macs

    http://binaryrescue.com/2008/07/08/summer-of-mac-love-malware/

    (Note that there are 5 known Mac Malware programs "in the wild" - all are "trojans" - they are types of scams (they attempt to trick the user rather than work automatically), rather than spyware, virus, worm or botnet).

  • Comment number 55.

    Thanks Ynda20,

    Just one piece of information missing from the Mac review, which is very good by the way... How many Macs in the world are there compared to active Windows based PCs? I reckon 90% Windows, 10% Macs (excluding Linux)

    I think that Microsoft would need a complete re-write of the OS code to make it as good as the Mac. Perhaps Windows 7 will be the answer. (I doubt it though...)

    Regards

    Nick Bache

  • Comment number 56.

    Mark,
    The internet is the new minefield? If you can crack the mine layers, Mark, I'll nominate you for an MBE!

  • Comment number 57.

    @55 Hi Nick,

    I'm not really too sure what you are trying to say... you have the figures about right for numbers of PCs vs Macs. Yes, there are very many more PCs but I am guessing the overwhelming majority of PCs are bought for businesses and used in businesses. When looking at domestic/small business users the proportion for Apple looks somewhat better. But that's irrelevant to my argument that less risky options exist (and Macs do run Windows applications nowadays using Boot Camp or Parallels).

    I doubt whether Windows 7 will be the answer either. I have heard that it is a marked improvement over Vista (but is that saying much!?)

  • Comment number 58.

    This comment was removed because the moderators found it broke the house rules.

  • Comment number 59.

    Interesting point on one of the earlier comments about testing door locks by using a burglar and leaving an innocent message in insecure houses as part of the reporting. I do think this is different though and the BBC is justified in this case - the level of public awareness of these threats is very low and I found it an appropriate way to highlight the issue.

  • Comment number 60.

  • Comment number 61.

    A couple of comments on the Computer Misuse Act 1990.
    Many of you are citing the OLD and superseded language of Section 3. This was completely replaced with new language pursuant to Section 36 of the Police and Justice Act 2006. The Section 3 case is hard (but not impossible) to make.
    The broadcast DOES, however, pretty clearly show what appears to be a violation of Section 1 of the Computer Misuse Act.
    I have been trying for more than a week to get Richard Taylor, the show's producer, to contact me and comment since I plan to publish an article on this topic. Perhaps he reads this blog and wants to get in touch?

  • Comment number 62.

    In case you are wondering precisely why I believe that this programme violated British law, you can find analysis here:

    http://www.computerweekly.com/Articles/2009/05/11/235970/opinion-why-bbc-click-violated-the-computer-misuse.htm

    I'd still love to hear from someone at BBC about this.

  • Comment number 63.

    Here's a disturbing aspect to the story which I described earlier today.

    "Opinion: BBC Click exploited world's poor and vulnerable"

    "By purchasing and using an illegal computer botnet, BBC's Click programme chose to educate their affluent English-speaking technically savvy audience about computer security by exploiting 21,000 poor and vulnerable computer users in the developing world. . . ."

    You can find the remainder here:
    http://www.computerweekly.com/Articles/2009/05/13/236010/opinion-bbc-click-exploited-worlds-poor-and-vulnerable.htm

    BBC Click Producers: please contact me whenever you like.

  • Comment number 64.

    I think the BBC did a great job! Well done, first class bit of undercover journalism, it's the kind of controversial cutting journalism that put the BBC News where it is today. To say that you wouldn't get a tame burglar to enter someone's house to test their locks is actually very inaccurate and stupid; as the BBC HAS done that and then some in the show: The Real Hustle high stakes show.

    Where not only does the show's presenter gain entry to a house by stealing someone's identity from the rubbish in their bins outside the house they break into! They use the stolen identity to make a fake ID which they then use to call up a locksmith to let them into the victim's house posing as the owner. Once in they also remove a large quantity of electrical goods and jewellery as well as put in hidden cameras in the building to watch for the unsuspecting 'victim' to come home and their reaction.

    The presenter then leaves with a big sports bag filled with kit and leaves the house scot free and home dry. Of course they give all the items taken back and show the victim how they did it. The victim obviously agreed to them showing this happening to them to help it stop happening to others. Also there are people and contractors out there that are hired to do just that job.

    All credit to the BBC for supplying the ignorant masses about this large and constant threat of cybercrime, people's ignorance is what helps and allows cybercriminals to get away with this sort of activity so easily. This style of hard hitting controversial journalism always brings the topic into the direct light as it should be.

    People complaining about this are ignorant, idiotic, narrow minded fools that are looking for nothing more than an orange box to stand on and rant. Grow up get a life and let the BBC do what it does best; producing good, cutting edge, and controversial journalism.

  • Comment number 65.

    Oh I'm an ICT professional btw, so I knew about all of this just not the scale it had reached. Like most ICT professionals, this show didn't teach me much that I didn't know, but the masses just have no idea, and no way of knowing without being told or shown. This show hopefully raised awareness. ICT illiterate ignorant masses that help perpetuate this problem and the only way to ever get to them is by slapping them in the face with it.

  • Comment number 66.


    @65: My problem is that the Click viewers are, almost by definition, NOT the audience most in need of education.

  • Comment number 67.


    To all of you who are talking about "burglary" as a metaphor. Try this instead.

    It's like the BBC found a criminal locksmith gang: a gang who copy keys to houses and keep extra keys which are on-sold to criminals. The BBC (in effect) purchased 21,000 of these illegal keys and paid agents to walk into 21,000 houses.

    Of course we don't know EXACTLY what all 21,000 agents did while they were in 21,000 houses. A few of them may have caused damage. We'll never know for sure.

  • Comment number 68.

    This comment was removed because the moderators found it broke the house rules.

  • Comment number 69.

    After a long period of silence, apparently Spencer Kelly is now happy to talk about this incident in public. He spoke about this broadcast at a public conference yesterday, Monday 21 September 2009. Please tell Spencer that I'd love to meet with him on BBC News at his convenience to ask whether or not the production team understood that preparing this story involved violating the Computer Misuse Act.

    Or maybe you guys could just answer that here. Did the production crew actually know that the actions filmed in the UK constituted a crime under British law?

  • Comment number 70.

    Strange how some seem to be more concerned by the BBC's actions in exposing a problem (even if they did technically break the law in doing so) rather than in the wider problem itself, would they have preferred that most people stay ignorant of the issue and if so one has to start wondering why...

  • Comment number 71.

    @70: I don't think that Click really "exposed" this problem, and they certainly offered no original thinking on how to solve it. Worse, they exported the risk of computer damage to 21,000 of the world's poor in order to "educate" a small group of English speaking westerners about this risk. Even worse, they failed to highlight the risks of playing around with a BotNet. And even worse, they failed to acknowledge or explain that what they did broke the law. They made it look sexy.

    Sadly, the law-breaking part added almost nothing to the story. It just heightened the drama of the moment.

  • Comment number 72.

    I genuinely think that the BBC's experiment was beneficial to the public and the people affected because we all learnt how serious those botnets are. They did let the people infected know that it was just an experiment and wasn't real and even gave them tips of how to make their computers more secure for the future.
    However, they did break the CMA law, but overall, I agree with what they did and think it was a worthwhile experiment!

  • Comment number 73.

    @72: you say that "They did let the people infected know that it was just an experiment . . . and even gave them tips of how to make their computers more secure for the future."

    Well, we know that they attempted to place that warning on 21,000+ infected computers. What we don't know is how many of those machines crashed as a result of the attempts to change the computer contents. Perhaps some of these people never had the opportunity to read the warning.

    Worse, the warning that was shown (for less than a second) in the television broadcast appears to have been written IN ENGLISH. The presenter said that the infected machines were "in the developing world", and in the list of places we were told that machines were scattered in Russia, China, other former Soviet Union states, Africa, etc. If the warning was only posted in English, how many of those "developing world" computer users would have understood the warning that was left? If someone left me a warning written in Thai, it wouldn't do me any good.

    I maintain that the efforts to "educate" were focussed almost entirely on English speaking viewers, and that the risks of the education were loaded onto the world's poor.

    Disgraceful.

 
