The BBC botnet debacle

There is an active thread over at Funsec on a very interesting subject: The BBC’s recent use of a botnet for a televised story.

The BBC wanted to show how botnets work. Unfortunately, they took control of a real live botnet. Real people’s computers. To send spam to a couple of web email accounts they had set up.

They then put a desktop wallpaper on the infected systems, telling their owners that they were infected, and then they disabled the botnet.

This is wrong on so many levels. And it sets a dangerous precedent.

Larry Seltzer at eWeek has written an excellent piece on the subject.

I can expound a bit: yes, it’s illegal. You can parse it any way you want, but you do not take control of other systems without the permission of the users. Period.

But the legal argument is only one part of it. It’s unethical.

Malware researchers routinely deal with botnets for analysis purposes. It would be considered a high crime indeed to allow a spambot to actually send spam to the outside world, even for “testing” purposes. And, shutting down a botnet yourself, even with the best intentions, is simply not a good idea. You don’t know what accidental harm you may cause. You don’t really know what’s on the user’s system that will simply restart the whole process.

You just don’t get involved, because it’s not only wrong, there are too many unintended consequences that can occur. You’re playing with fire. Report it to the ISP, report it to the relevant authorities, but don’t play with live ammo like this.

To have a TV show use a botnet, to “prove a point”, is beyond the pale — particularly since the point could have easily been proven in other ways.

The company that helped the BBC should have put the brakes on this idea. However, it was the BBC reporter that ultimately pulled the trigger.

Graham Cluley (a rising star in the security blogging world) has done the work so I don’t have to, and you can read more at his blog post here; and Dave Harley has done some good writing as well here.