Gallery

Mac hacks, BBC attacks and backing hackers

Posted on 18 Jun 2009 at 11:20

Davey Winder exposes the 100% secure mac myth, questions the BBC's botnet morality, and considers hiring hackers.

Those bad BBCbotnet boys

The point remains that botnets are big business and a bigger problem, so what can be done? Education is the key in my opinion, getting out the message that people have to stop being so trusting of everyone and everything online, to stop clicking every link they see - in short, to start applying the same caution they'd apply in the real world.

To educate people about botnets requires propagating the subject beyond the realm of the technology enthusiast and spreading the message out from the pages of tech magazines and into the tabloids or onto the TV, which is probably what the BBC thought it was doing when the BBC News technology programme Click decided to go all investigative and demonstrate how real the botnet danger is.

Unfortunately, the Click journalists decided to expose the danger by acquiring a botnet themselves and infecting unsuspecting people with it. Having got their hands on a pretty low-rent botnet with the help of a willing security researcher or two, the Clickers proceeded to spam people in order to get them to do the clicky thing and become zombified. This exercise was really rather successful and ended up creating 21,696 infected computers to add to the zombie PC network.

At this point, I suspect that most people would consider that the point had been made and it was time to put a stop to the exercise, but not the BBC, which apparently went on to launch a Distributed Denial of Service attack using its new botnet resource. It took only 60 of those zombie PCs to hit the target site - a test server operated by the security researchers - and put it out of action, but should the BBC really be infecting innocent people, building a botnet and using it to launch DDoS attacks at all? The corporation's spokespeople point out that all 22,000 infected souls were warned about their lack of security and given advice on how to prevent it from happening again for real - one wonders if the advice included never reading email from the BBC or visiting BBC-recommended websites. They also insist that no personal data was accessed on the infected computers, but I'm still not really sure this was an ethically justified approach to take, even to demonstrate the danger of botnets. That could have been done in many other ways that didn't involve compromising people's computers.

I'm also not convinced that what the company did was legal, although the BBC obviously must have taken legal opinion before embarking upon such an exercise. Some highly-thought-of technology law specialists have suggested that the programme breached the Computer Misuse Act, which carries a maximum two-year prison term if found guilty in a court of law. The BBC seems to think that because there was no criminal intent then its actions remained within the law, but lawyers I've spoken to think differently and point out that criminal intent isn't a requirement when proving unauthorised access to a computer (just ask Gary McKinnon if you need any further proof). The fact that no harm was actually caused will probably mean no investigation or arrest in this case.

Now I'm no stranger to bending the rules as part of an investigation, and have admitted in the past to using security holes to access data held on government-sponsored systems to collect evidence of vulnerability. However, my personal code of ethics meant that I informed the operators of these systems before going public with my story, so that the security holes could be closed and no further data would be left exposed by publication. I've even been thanked for my part in bringing such breaches to the attention of the Government, and taken part in high-level investigations of what went wrong and why. But on this occasion, it felt more like the BBC Click team wasn't so much looking to expose the danger as simply pursuing more eyeballs for its show, at least to me. The corporation's spokesperson claims there was a "powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of infected PCs without the owners even knowing it is there; and its power to send spam email or attack other websites undetected", but surely this could have been achieved on a closed network within the BBC that demonstrated everything a live botnet was capable of without recklessly infecting innocent folks' PCs.

Download a year of Davey Winder's Online Security columns by heading to our Free Downloads site