BBC and botnets – a storm in a teacup?

The BBC has hit the news recently for indulging in a bit of cybercriminality – or something very close to it – in which they seem to have:

  1. rented a botnet of about 22,000 PCs from cybercriminals
  2. commanded the PCs in this botnet to send spam to two email accounts
  3. instructed those PCs to attack a website
  4. used the botnet to change the Windows desktop image on the infected PCs
  5. filmed these activities
  6. constructed a piece of documentary television from the above results.

The operation sounds to be a noble one – take a dash of investigative journalism, a pinch of computer pedagogics, and mix them together, under one of the world’s strongest television brands, into a watchable TV programme which might genuinely encourage viewers to take the security of their own PCs more seriously.

So why have computer security experts around the world come out so strongly against the BBC in this case?

Sophos online poll results regarding BBC sending spam through a botnet

Perhaps 11% of the respondents in a recent poll conducted on Sophos’s website are right in saying, “what’s all the fuss about?”

Or perhaps the end justifies the means, as 33% of our respondents said when they answered that, although what the BBC did was legally questionable, “it helps raise awareness.”

No. The experts are quite right, and so is the 56% majority of our pollsters. The BBC has acted wrongly.

The BBC simply didn’t need to go as far as it did to demonstrate the cybercriminal possibilities of a botnet (if, indeed, spamming two email addresses really demonstrates very much at all). The demonstration it filmed could easily, more scientifically, probably more effectively, and definitely more quickly, easily and safely, have been done in a research laboratory.

Worse still, the BBC had no legal right, and certainly no moral right, to connect up to other people’s PCs without permission, especially considering that this unauthorised access was carried out using a backdoor (the bot) which the BBC knew had almost certainly been illegally and unknowingly installed in the first place. And the BBC had no right to use those PCs for its own purpose, which was, after all, to make a TV programme.

I’ll accept that the BBC probably did no harm to the majority of PCs in this experiment. I’ll assume that their casual attitude won’t lead to a rash of copycat experiments by youngsters keen to take a peek at their teachers’ PCs at school. I’ll agree that there might be a silver lining here, since the BBC claims to have cleaned up the PCs involved.

Let’s instead look at a few examples of what could go wrong in this sort of experiment. Let’s understand why UK law, and the law in many other countries, clearly instructs us that we may not mess around at all with other people’s computers without their permission. And let’s remember why reputable computer security researchers carry out this sort of experiment in a secure lab.

For example, what if the commands in this bot had been rewired programmatically, without the BBC’s knowledge (after all, they didn’t write and plant the bot themselves!), so that the command to start spamming instead caused the bot to begin deleting files on the infected PC? What if the command telling the bot to remove itself actually triggered complete different, malicious behaviour – just the sort of sting in the tail which we have seen in real-world malware samples over the years?

What if the BBC’s use of the bot triggered a bug which caused the bot to crash and freeze the PC in the middle of something important to the user of that PC, such as paying a gas bill or logging his or her blood sugar levels with a hospital as part of daily medical routine? Or if it just happened to be the BBC’s self-serving spam which pushed users over their ISP’s monthly data cap and left them without internet service?

What if the botted PC was actually part of of a legally-authorised malware research or law enforcement operation, now needlessly knocked out of action by the BBC’s unauthorised involvement?

It doesn’t matter that the BBC thought these outcomes were unlikely, or that they don’t seem to have occurred. You can’t go around rather arrogantly subsuming other people’s responsibility for their PCs, no matter that you might think they have been remiss in allowing themselves to get infected in the first place.

Back in the early 1990s, renowned computer security experts Bill Cheswick and Steve Bellovin wrote the first edition of a book which the makers of this BBC programme would do well to read. In “Firewalls and Internet Security,” they address the ethics of computer security in a section where they write as follows:

"...Computer security is a matter of good manners. If people want to be left alone, they should be, whether or not you think their attitude makes sense.."

"The ethical issues go even further. Some people have suggested that in the event of a successful attack in progress, we might be justified in penetrating the attacker's computers under the doctrine of self-defence... We have not carried out any such action, and we would be extremely reluctant to. If nothing else, we would prefer to adhere to a higher moral standard than might strictly be required by law..."