BBC zombie caper slammed by security pros
Daft Beeb-bot doco gets go-ahead
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Analysis A controversial BBC Click documentary which involved researchers obtaining access to a botnet and sending spam is due to screen this weekend despite a growing storm of criticism.
Security experts - including McAfee, a firm whose representatives appear in the programme - have described the exercise as misguided and unnecessary. Legal experts contacted by El Reg reckon the show potentially breaches the unauthorised modifications provisions of the Computer Misuse Act, the UK's computer hacking law.
The BBC's only response to the growing row to date has been a post from @BBCClick on Twitter stating: "We would not put out a show like this one without having taken legal advice."
BBC Click obtained access to a botnet of 22,000 compromised Windows PCs from an underground forum. It used these machines to send junk mail to two accounts it had established with Gmail and Hotmail. The programme also used these compromised PCs to show how they might be used in a denial of service attack. After obtaining permission from security firm PrevX, it launched an assault that rendered a backup test site established by the firm unreachable.
Researchers warned the owners of the malware-infected PCs that their machines had the pox by changing their wallpaper to display a message from BBC Click explaining how to clean up their machines.
BBC Click twitters that the show was "six months in the making", adding "We're very happy with it and reckon it's a good watch".
Security experts are less impressed. Graham Cluley, senior technology consultant at Sophos, wrote a blog posting arguing that even though BBC Click had honourable intentions in raising awareness about botnets it didn't excuse potential breaches of the Computer Misuse Act and potentially computer crime laws in other countries.
"Maybe it isn't just UK computer crime laws that have been broken. What if one of the compromised computers was at the Department of Defense or NASA? Does Spencer Kelly [BBC Click reporter] want to be the next Gary McKinnon?"
Cluley put the question of whether or not the BBC's approach was justified up for debate among other security firms on Twitter. Kaspersky, AVG, McAfee, FaceTime and F-Secure all agreed that the BBC had behaved badly.
PrevX, which participated in the programme, has posted a combative response defending the BBC's tactics in a posting to the Escapist video game forum here.
Aside from PrevX, the general consensus seems to be that the whole exercise was about as dumb as a brain-dead zombie.
Both Sophos and McAfee reckon the behaviour of compromised machines could have been faked without resorting to using networks of compromised PCs. McAfee's reaction is particularly telling because Greg Day, a security researcher at McAfee, is interviewed in the programme. It turns out McAfee had little inkling of BBC Click's plans. Queried by El Reg on whether it reckoned BBC Click's tactics were ethical, McAfee gave a clear 'no':
McAfee conducted an interview about botnets with BBC Click in spring of 2008 but was not involved in the botnet experiment conducted for this programme. McAfee's conversation with BBC Click was a general discussion about botnets and a demonstration of what they are capable of, done within a contained environment at McAfee Avert Labs in Aylesbury. Although educating people about the dangers associated with the internet is a subject close to McAfee's heart, the company does not endorse the approach taken by the BBC to raise awareness of the issue of botnets.
COMMENTS
AC@17:49
You'll have to bear with me as I say Brass Eye some time ago so I'm going from memory.
Brass Eye's targets were 3 fold. Uncritical media outlets who will whip anything into a moral panic. The pressure and special interest groups who will take advantage of that uncritical attitude to turn a storm in a teacup into a tornado and the well meaning (but lets say suggestible) members of the public who over react, some times hysterically.
Their method was to concoct a (just barely) plausible story about something similar to some story currently obsessing some parts of the media. The issue would have unmasked as bogus by a few minutes checking by a mildly interested hack . This would come from some non-existent charity or pressure group, which a few more minutes checking would have also revealed as nonsense.
Backing this up were the celebrity endorsements. Here the point was the "Halo" effect. X is trustworthy, they say it is so, so it must be. The point here is that part of the value of such people is that the general public trust them. There point was it was staggeringly easy to get people to endorse their rubbish with almost no one saying "Hold on, this is rubbish.”
This is the part I remember most fondly and which I mentioned. All done against a backdrop of loud intrusive music and impressive, but basically meaningless graphics.
This was usually followed up by supposed members of the general public who were reacting to the "Threat" in a fairly excessive fashion. The interviews IIRC were typically conducted in a fairly condescending fashion as befitted someone interviewing someone whose moral panic they had actually caused while they themselves can't understand what the fuss is about.
I would suggest there is no existing moral panic in the mainstream media on spam. No pressure group making outrageous claims about its harm and no celebrities acting as media spokes persons about it.
So no I don't see the similarity to Brass Eye.
Highly vocal pressure group. No.
Vocal pressure group inflaming situation. No
Over reacting members of the general public. No
Click's presentation was low key and stated it was not that easy to get control of a botnet in the first place When done they informed all victims of what had happened and what to do about it and disabled any further control of the bots. The common ground with Brass Eye and Chris Morris in particular would be the hope that people are a bit less trusting and a bit more critical.
Could it have been done without a live demo. Once again for the *target* audience I don't think so. I'm with Eugene Goodrich (earlier post) for exactly those reasons. Unless you told them it was real but used a simulation. That's lying to the audience, It fails as soon as it becomes know as the next thing you tell them will be met with "Well they faked it last time so why should we believe them this time."
"producers of a BBC documentary paid hard cash to take over a botnet."
Ever noticed the title "Fixer" on BBC documentaries in foreign and often violent countries? They help get interviews and help the film crew avoid trouble with the local "authorities," who might be just a bunch of guys with automatic weapons. Some times smiling politely does not work.
Time for Mr Green to make an appearance. America may be hated widely but there's one product of their economy which is welcome nearly everywhere.
Any sort of rogue trader / watchdog type programme has probably made initial payments to crooked tradesmen, often with criminal records.
This must come as quite a shock to you.
As for the amount. $660 US is (at tonight's closing exchange rate) is £458.33. Not quite enough for round trip to the US to do some filming but likely adequate to order a murder in somewhere like Pakistan or Afghanistan. Or 0.002291% of what Jonathan Ross was trousering prior to his little "vocal malfunction."
I'm no Media studies student, but I am a student of the media.
NB. I'm sure most people here (including our moderator) can cope with bad language. However its a presumption which can be inaccurate. I grew up reading Mad magazine, which itself was the product of an early moral panic about comics in the 1950's, when they were "Corrupting youth." I am cautious about anything that might be read by at least half a dozen total strangers, which would include anything on a bulletin board or email system. And I still had a complaint about a misplaced apostrophe.
armed robbery or child porn?
dear BBC. i am not sure how armed robberies happen or how child porn rings work - please could you demonstrate these? Ideally you'll carry out a big heist on a large bank with gold rather than notes as those seem to be the bigger events that i dont know about and you'll set up and run a multi-terabyte porn server using encrypted channels and transfer/watch lots of illegal material.
all of this should be recorded in Hi-Def because that would make better court evidence after you've broken a few more laws in this country.
@John Smith
"Er,no. Brass Eye satirised the *media* obsession with this, not the problem itself."
Let's re-read what I wrote, shall we? Or perhaps read it for the first time in your case...
"In fact, it's all rather reminiscent of the Brass Eye drugs episode where the parents of a girl supposedly susceptible to drug-taking fake their own deaths to teach her a lesson: juvenile and condescending (and, once again, real television emulates satire)."
This was nothing to do with "Getting celebrities to voice over complete b*((*cks", or "bollocks" for those people not oversensitive about their language. The satire was about the way in which people, in order to "bring attention" to a problem and to prevent bad things from happening, actually cause more harm than the most likely outcome had they not bothered. Of course, the material was meant as an exaggeration of what people do in real life - that's what satire is all about - even though Chris Morris then dabbled with lobbying members of parliament.
Whether it's the media or whether it's special interest groups (courted by the media) who behave in the way described is peripheral to this discussion. The producers of a BBC documentary paid hard cash to take over a botnet, interfered with people's computers and then said, "So that's what a botnet is, everyone." The shoe fits, somehow.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
