Botnets are, without any doubt, a huge and growing problem. The technology news feeds are bursting at the seams with stories about them: how botnets boost click-fraud rates, how botnets control sex spam zombies, how the cyber-criminals are building the first mobile botnet and even how some botnet builders are selling their wares complete with guarantees that they cannot be detected.

However, one thing you do not expect to read about is the people behind the news stories, the reporters themselves, being involved in acquiring a botnet which hacks into the computers of some 22,000 people. Yet that is exactly what seems to have happened over in the BBC newsroom. The makers of the BBC news technology show 'Click' have proudly announced that, as part of an investigation into global cyber crime, they acquired a 'low value botnet' and then spammed users in order to get them infected. The exercise proved successful, so successful that almost "22,000 computers made up Click's network of hijacked machines" according to the BBC.

It then launched a Distributed Denial of Service attack against a test site owned by security specialists Prevx, with the agreement of the company concerned. Bombarding the target site with requests for access made it inaccessible very quickly, using only 60 of the compromised machines within the botnet.

The BBC is quick to point out that it has warned all 22,000 people that their PCs are infected, as well as advising them on the best way to prevent such an infection happening again. It has also stated that it did not access any personal data held on the infected computers.

The BBC claims that because it was only done with an intention to demonstrate the collective power of the botnet when in the hands of criminals, and it itself had no criminal intent, it was not breaking the law. When it comes to ethics, though, it sucks elephants through a straw backwards.

Well, I wish them luck with that one, although I suspect the BBC lawyers did their homework before allowing this stunt to go ahead. I am all for exposing security issues, and have been known to tiptoe around the law in order to get the evidence myself in the past. But I am not sure what this particular exercise proves other than botnets are bad and DDoS attacks are bad. The BBC really did not need to infect the computers of 22,000 innocent folk in order to tell us what we already know.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

jbennet 1,618

The BBC are gonna get in trouble

The Computer Misuse Act is quite strict.