The BBC botnet debacle
There is an active thread over at Funsec on a very interesting subject: The BBC’s recent use of a botnet for a televised story.
The BBC wanted to show how botnets work. Unfortunately, they took control of a real live botnet. Real people’s computers. To send spam to a couple of web email accounts they had set up.
They then put a desktop wallpaper on the infected systems, telling them that they were infected, and then they disabled the botnet.
This is wrong on so many levels. And it sets a dangerous precedent.
Larry Seltzer at eWeek has written an excellent piece on the subject.
I can expound a bit. Yes, it’s illegal. You can parse it any way you want, but you do not take control of other systems without the permission of the users. Period.
But the legal argument is only one part of it. It’s unethical.
Malware researchers routinely deal with botnets for analysis purposes. It would be considered a high crime indeed to allow a spambot to actually send spam to the outside world, even for “testing” purposes. And, shutting down a botnet yourself, even with the best intentions, is simply not a good idea. You don’t know what accidental harm you may cause. You don’t really know what’s on the user’s system that will simply restart the whole process.






