The BBC's purchase of a botnet added little to our knowledge and was probably not legal either.
With eerie music and the trademark dark room with a couple of monitors, BBC 1's Click presenter announced that it had 20,000 computers “all hijacked... and all under our control”. So began a news story that has prompted raging debate in the security community.
The BBC purchased a botnet for “a few thousand dollars” and went about showing what it could do. It launched a spam attack against a test email address, and also used its new toy to mount a denial-of-service attack against a machine run by security company Prevx (with its consent). After its experiment was finished, it changed the desktop backdrops of the infected machines to point to a “you've been hacked” page with security tips, then closed down the botnet.
So why all the fuss?
The first problem with the BBC's research is that it may well have broken the law. Under UK law, unauthorised access to someone's computer is an offence under the Computer Misuse Act. The BBC's story claimed that it wasn't breaking the law, as it had no “criminal intent”, yet this does not appear to be a valid defence under the Act. IT law specialists Pinsent Masons suggested in a blog that an offence had probably been committed, but that prosecution was unlikely. This has since been confirmed by the police, who refuse to investigate unless they receive a complaint from a victim.
The same lack of criminal intent did not seem to be a valid defence for Daniel Cuthbert in 2005, when he was prosecuted for making a security probe against a charity website he had passed his credit card details to. One rule for us journalists, another for Joe Public, it would seem.
There is also the problem of passing money to criminals. It can be valid in journalism, but only if there's a pressing public-interest need.
Most important is that this “research” didn't generate any new information. The botnet market is well known, the link between botnets and spam well documented and the level of attack needed to launch a denial-of-service attack is simple to simulate.
There is a fine line to be drawn between legitimate research and breaking the law. In 2008, US researchers hijacked the Storm botnet to research the effectiveness of spam. While the ethics and legality of this experiment are also debatable, it did generate valuable research. Recent research into GhostNet had similar ethical trade-offs.
Before the dust had settled on the botnet affair, the Beeb was at it again, this time with another “shock horror” news piece about credit card details for sale. Once again, it was felt necessary to spend some money with crooks “in the public interest”. As with the botnet “research”, it is doubtful whether there was any benefit in this exercise, as the carding marketplace is also well known and has been thoroughly investigated (see Kimberly Peretti's thorough review at www.chtlj.org/authors/peretti).
Indeed, the BBC report seemed to focus purely on one issue, that Indian call centres had been caught selling data, without mentioning that numerous large UK and US card handlers have also suffered major breaches.
The BBC's botnet experiment has generated heated discussion in the security community. The anti-virus industry has, not surprisingly, been very critical. About the only defenders of the action are Prevx, which was closely involved in the experiment (and which is, it should be said, a well-established and respected security vendor). Less publicity-friendly security researchers have been busy firing off Freedom of Information requests to the BBC to find out more details (the BBC is a publicly funded body and every UK television owner is legally required to pay an annual licence fee).
Botnets are an absorbing and active area of research. Far more interesting to me are recent developments such as Psybot, which uses vulnerable ADSL routers to establish a botnet, and the infamous Conficker. The BBC's work did little to advance research and certainly not enough to justify breaking the law.