BBC and PrevX spam investigation, takes control over 22,000 computers


Tony
March 12th, 2009, 09:41 AM
Link here
http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm

It would seem to be creating a bit of controversy already.
http://www.sophos.com/blogs/gc/g/2009/03/12/bbc-break-law-botnet-send-spam/

Nebulus
March 12th, 2009, 10:03 AM
If I would've hacked into someone's computer using an existing vulnerability just to warn him that he has problems, I would probably be accused of breaking the law. Speaking of double standards...:thumbd:

noone_particular
March 12th, 2009, 07:17 PM
The legality might be questionable, but it was a very graphic demonstration that opened a few eyes. To many users, trojans, spyware, etc are abstract ideas that exist in the movies or only happen to those browsing porn or downloading pirated material. Sometimes it takes a good smack upside the head to really get their attention, to show them that the threats are real.

Since there was no criminal intent, actual damage or data theft, there should be no criminal charges. IMO, if more users had been exposed to this kind of "wake up call" starting several years ago, malware might not be as widespread as it is.

TOMxEU
March 13th, 2009, 07:46 AM
-{ Quote: "If I would've hacked into someone's computer using an existing vulnerability just to warn him that he has problems, I would probably be accused of breaking the law. Speaking of double standards...:thumbd:" }-
They did not hack anyone, they used already hacked user's PC to let them know, that they are hacked, which is better than what was done with known McColo botnet, which is responsible for significant part of world spam, but they did not let users know, that they are infected, because it would be illegal, so the botnet has been reactivated again, but users' rights did not get violated. By the way, blocking "bad content" against users' wish like porno or p2p is legal of course. :wacko:

Nebulus
March 13th, 2009, 08:18 AM
-{ Quote: "They did not hack anyone, they used already hacked user's PC to let them know, that they are hacked, which is better than what was done with known McColo botnet, which is responsible for significant part of world spam, but they did not let users know, that they are infected, because it would be illegal, so the botnet has been reactivated again, but users' rights did not get violated. By the way, blocking "bad content" against users' wish like porno or p2p is legal of course. :wacko:" }-
Ok, maybe you should try to control some computer from a botnet then go public and say you just did that, then see what happens. On a different note, are you familiar with the term "unauthorized computer access"? Because it is exactly what happened in this case, and as far as I know (if I am wrong, please correct me) this is against the law in many countries.

TOMxEU
March 13th, 2009, 08:49 AM
Well, here is the catch, it is about today's society and about sheep and insane laws, which protect criminals instead of people. So in this context "unauthorized computer access" sounds like an irony. What we have here is a problem (botnet), someone who pointed at it (BBC) and what is the solution, well there will be none, because no one is interested in solving a problem that would cause companies to lose money, so instead let's talk about BBC, who is the villain here, right? Let's just pretend that we are working on a solution, creating laws to stop it, which are obviously useless, just let the people live in their dreamworld, where hacking a PC with all anti-xxx applications will protect them from evil hackers, who are too stupid to bypass them and we will live happily ever after. ::)

By the way, 60 PCs with a broadband connection to take down a medium size webpage, ain't that amazing, when there are botnets with millions of PCs?

Nebulus
March 13th, 2009, 09:36 AM
-{ Quote: "Well, here is the catch, it is about today's society and about sheep and insane laws, which protect criminals instead of people. So in this context "unauthorized computer access" sounds like an irony. What we have here is a problem (botnet), someone who pointed at it (BBC) and what is the solution, well there will be none, because no one is interested in solving a problem that would cause companies to lose money, so instead let's talk about BBC, who is the villain here, right? " }-
I agree with you here. What I am trying to say is that BBC acted in this matter similar to what is called Grey Hat (http://en.wikipedia.org/wiki/Grey_hat). I believe that this kind of actions shouldn't be illegal, but unfortunately they are in this twisted world we are living in. BBC made a mistake doing it and showing it to the public because that could encourage other people to act as "grey hats" (after all, they saw that on BBC, that couldn't be illegal, right?) and they might find themselves in legal trouble after that.

Baz_kasp
March 15th, 2009, 05:47 PM
-{ Quote: "Well, here is the catch, it is about today's society and about sheep and insane laws, which protect criminals instead of people. So in this context "unauthorized computer access" sounds like an irony. What we have here is a problem (botnet), someone who pointed at it (BBC) and what is the solution, well there will be none, because no one is interested in solving a problem that would cause companies to lose money, so instead let's talk about BBC, who is the villain here, right? Let's just pretend that we are working on a solution, creating laws to stop it, which are obviously useless, just let the people live in their dreamworld, where hacking a PC with all anti-xxx applications will protect them from evil hackers, who are too stupid to bypass them and we will live happily ever after. ::)

By the way, 60 PCs with a broadband connection to take down a medium size webpage, ain't that amazing, when there are botnets with millions of PCs?" }-

Unfortunately the BBC made a mistake that day IMO...and so did prevx in helping them to do so.

The BBC should be no different from any other UK company or individual in that it is governed by the Computer Misuse Act (1990) (http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm)

By accessing those computers they have committed the following offence under UK law:


-{ Quote: "Unauthorised access to computer material

(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both." }-

In other words it does not matter what they were doing or what their intentions were, as far as the law is concerned if you do not have authorisation to access those computers you should not be doing it.

Some people have also said that by modifying the desktop/screensaver that was also in violation of the "Unauthorised modification of computer material." clause but it seems to qualify they would have had to have done any of the following:

-{ Quote: "(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data." }-


Nevertheless, it was uncalled for and as such I made an official complaint to the BBC asking them to explain their actions. If I did the same thing and got caught I would be taken to court. They have done it on national television and nothing has happened so far. Whoever their tech advisors are must not have a clue about UK computer law.

Edit:

Looks like the prevx ceo is a bit grumpy to say the least...well at least he is following the company PR policy there (we catch what you miss!):
http://www.escapistmagazine.com/forums/read/7.96800#1504549

:D

iceni60
March 16th, 2009, 11:40 AM
i saw this the other day, you can watch the program on iplayer if you're in the uk, or probably on the 'bbc click home page' it's the latest episode they mention it at the start. they say they don't do any harm! apart from using other people's bandwidth and cpu cycles lol.

http://news.bbc.co.uk/1/hi/programmes/click_online/default.stm
http://www.bbc.co.uk/iplayer/episode/b00jctj1/Click_14_03_2009/

edit the links above, i think, are the whole programme with a lot more about the attack. the link in the first link is an edited version.

m00nbl00d
March 17th, 2009, 11:41 AM
Actually, BBC had no right on doing such.

I really haven't dug that much, as I'm not concerned with BBC at all, but, where did they get the botnet, in the first place?
I don't think they made their own, did they? If they haven't, then they've paid to whoever did it. What will this money be spent on?

Also, it's sad to see a security vendor participate in this.

It doesn't matter if there were no bad intentions here, as I believe there weren't, but, they paid for a botnet to someone, who, perhaps, does that for a living.
Instead of being part of the solution, they're helping the bad guys out, and being part of the problem. I don't get it.

Unless I'm seeing the wrong picture here.

And, accessing any system without authorization, is a violation of law, unless, in certain situations, law allows it so. (Not my wish to debate whether or not that is correct.) So, in my most honest opinion, both BBC and Prevx did the wrong thing here.

I would clap my hands if this situation was to trap bad guys into believing someone wanted to pay for a botnet, and on the act, they would get nailed, or whatever.

Now, getting into the system of people totally unaware of such, isn't just right.

Otherwise, one of these days, hackers will have the path free to do whatever they want, as all they ever wished and wish, is to show that systems aren't safe. No crime committed, as they were, in fact, just helping out.


Regards

lodore
March 17th, 2009, 12:03 PM
in the click episode they said they bought a botnet the way criminals would. aka using instant messaging software using fake names and then using a company as a middle man to exchange the money so neither side knew who was who.
so in other words the bbc is giving money to criminals?

iceni60
March 17th, 2009, 12:46 PM
http://www.bbc.co.uk/complaints/
http://www.bbc.co.uk/complaints/complaints_stage1.shtml

:isay: :P

edit. i sent a complaint lol. i said they paid criminals and used CPU cycles and bandwidth without consent. :D

iceni60
March 17th, 2009, 12:50 PM
BBC in hot water for hiring botnet
http://www.networkworld.com/news/2009/031609-bbc-in-hot-water-for.html

http://news.cnet.com/8301-1009_3-10195550-83.html
-{ Quote: "The BBC violated the Computer Misuse Act by acquiring and using the software to control the botnet, according to Struan Robertson, a technology lawyer with Pinsent Masons and editor of the firm's Out-Law.com site." }-
i don't like the bbc so i'm glad they're stupid enough to give public money to criminals!

edit.
http://www.computerweekly.com/blogs/editors-blog/2009/03/15-questions-that-the-bbc-shou.html
http://www.sophos.com/blogs/gc/g/2009/03/12/bbc-break-law-botnet-send-spam/
http://www.pcadvisor.co.uk/news/index.cfm?newsid=112795

Baz_kasp
March 17th, 2009, 03:09 PM
Absolutely ridiculous. The BBC are using OUR license payer money and giving it to criminals????

I am seriously fuming and cannot believe they would actually PAY a criminal...completely absurd!

Please people, get writing complaints and make them realise that someone's head has to roll after something like this. This is a farce.

TonyW
March 17th, 2009, 08:43 PM
It's unlikely a prosecution will be brought in this case.

Whilst this has generated interest amongst news sources and security blogs, I just wonder how much of the general public who use computers actually saw the programme. It was broadcast on the BBC News Channel at various times and a shortened version shown on BBC Breakfast early morning so if they were intending to reach a wide audience to alert them to the botnet problem, they won't have achieved a great deal. I agree more people are aware of it now than before, but in reality not nearly as many people as they'd like to have reached.

TKHgva
March 20th, 2009, 03:46 AM
Thanks for posting the articles and other comments. All I can say is that from the perspective of a novice with computer and internet security, the initial post, and therefore I imagine the stunt itself, helped open my eyes on the issues of viruses, spyware, ID theft etc and how such attacks are actually operated, in relation to what was said in post #3:
-{ Quote: "The legality might be questionable, but it was a very graphic demonstration that opened a few eyes. To many users, trojans, spyware, etc are abstract ideas that exist in the movies or only happen to those browsing (...)" }-

and post #15

-{ Quote: "
Whilst this has generated interest amongst news sources and security blogs, I just wonder how much of the general public who use computers actually saw the programme. It was broadcast on the BBC News Channel at various times and a shortened version shown on BBC Breakfast early morning so if they were intending to reach a wide audience to alert them to the botnet problem, they won't have achieved a great deal. I agree more people are aware of it now than before, but in reality not nearly as many people as they'd like to have reached." }-

Although there are discussions here (that I cannot contribute to >not skilled enough) as to the legal implications to this action.