Botnets are, without any doubt, a huge and growing problem. The technology news feeds are bursting at the seams with stories about them: how botnets boost click-fraud rates, how botnets control sex spam zombies, how the cyber-criminals are building the first mobile botnet and even how some botnet builders are selling their wares complete with guarantees that they cannot be detected.

However, one thing you do not expect to read about is the people behind the news stories, the reporters themselves, being involved in acquiring a botnet which hacks into the computers of some 22,000 people. Yet that is exactly what seems to have happened over in the BBC newsroom. The makers of the BBC news technology show 'Click' have proudly announced that, as part of an investigation into global cyber crime, they acquired a 'low value botnet' and then spammed users in order to get them infected. The exercise proved successful, so successful that almost "22,000 computers made up Click's network of hijacked machines" according to the BBC.

It then launched a Distributed Denial of Service attack against a test site owned by security specialists Prevx, with the agreement of the company concerned. By bombarding the target site with requests for access the site was made inaccessible very quickly, and with the use of only 60 of the compromised machines within the botnet itself.

The BBC is quick to point out that it has warned all 22,000 people that their PCs are infected, as well as advising them on the best way to prevent such an infection happening again. It has also stated that it did not access any personal data held on the infected computers.

The BBC claims that because it was only done with an intention to demonstrate the collective power of the botnet when in the hands of criminals, and it itself had no criminal intent, it was not breaking the law. When it comes to ethics, though, it sucks elephants through a straw backwards.

Well, I wish them luck with that one, although I suspect the BBC lawyers did their homework before allowing this stunt to go ahead. I am all for exposing security issues, and have been known to tiptoe around the law in order to get the evidence myself in the past. But I am not sure what this particular exercise proves other than botnets are bad and DDoS attacks are bad. The BBC really did not need to infect the computers of 22,000 innocent folk in order to tell us what we already know.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
