The Hawaii Chair
Sometimes you just come across a product which is truly outstanding. This is one of those times.
The BBC’s weekly technology programme Click has just finished filming a special on the dangers of hackers controlling botnets.
The programme researched and demonstrated these dangers by acquiring access to 22,000 computers in various locations around the world. Each of these computers was then used to send hundreds of emails to BBC email accounts hosted on Google’s Gmail and Microsoft’s Hotmail services, and also to launch a Distributed Denial of Service (DDoS) attack against a website belonging to security firm PrevX, which also contributed to the programme. Here is an excerpt from the programme, which is to be broadcast on Saturday 14th March 2009:
The BBC correspondent Spencer Kelly states that the programme gained access to “around 20,000 infected computers – If you were to do this with criminal intent, you’d be breaking the law.” However, this claim is made on very dubious legal ground. The UK Computer Misuse Act 1990, Section 1 states that:
1 – A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
Under these terms, having “criminal intent” is not required to be in violation of the act. By securing access to a program running on the computer (i.e., the ones used to send the emails or that generated the DDoS traffic), the BBC breaches part 1-a. The access to these systems was also totally unauthorised, breaching part 1-b. The BBC also admits that they were aware that the access to these systems was unauthorised, breaching part 1-c.
Struan Robertson, a technology lawyer and editor of OUT-LAW.com, seems to have confirmed this:
To add to the BBC’s misuse of remote systems, the end of the report explains how the offending bots were cleaned and a message left on the computer’s desktop background warning the owner that their computer had been compromised. The BBC is therefore also guilty of illegally modifying the contents of a computer without authorisation; this puts them in breach of Section 3 of the Computer Misuse Act:
1 – A person is guilty of an offence if—
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
Although this section of the act does apparently require more criminal intent than section 1 in order to be in violation, the BBC have still hindered access to a program (the bot) by removing it from the system. Regardless of whether the program should have been there in the first place, it is not up to the BBC to decide whether or not it should have been removed; therefore parts 1 and 2 are satisfied. Also, having the intention of performing this action when access was gained to these systems, the BBC appears to be in breach of Section 2 of the act, titled “Unauthorised access with intent to commit or facilitate commission of further offences”.
While it is unlikely that anyone from the BBC will be prosecuted as a result of these offences, it is incredibly irresponsible that the BBC have chosen to demonstrate the dangers of botnets by gaining control of remote computers and clearly breaching the Computer Misuse Act in the process.
This argument has been raised in numerous articles across the Internet over the last day, but one point I have failed to see repeated much is the fact that Google and Microsoft’s email systems were abused by the process of sending spam. The accounts on these systems may have been owned by the BBC, but at no stage do they mention contacting Google or Microsoft in order to warn them of the large quantities of intentionally malicious email they were about to send, affecting the spam filtering capabilities of these systems.
Having spent a number of years running high-traffic Internet Relay Chat (IRC) servers on EFnet, I am no stranger to having to deal with DDoS attacks – frequently reaching sizes into Gigabits of data per second; the bots themselves connecting to and flooding the network, and also the hackers who use IRC as a control mechanism to access their botnets. It is a never-ending challenge to make sure these systems are kept away from regular users and not allowed to utilise our network to perform abusive tasks, such as spreading trojans further to other users. All measures we have in place to combat this scourge have to be ‘defensive’ in nature as we deal with users from across the whole world and every country has its own laws which govern computer misuse. This limits us to potentially denying access to services for legitimate users, simply because there is a bot somewhere on their network. We fully recognise that it is not our place to connect to or alter the contents of a remote computer system without authorisation.
It should also be noted that by sending large volumes of email and DDoS traffic, the BBC has not only affected innocent remote users’ systems and the systems on the receiving end, but has also affected every single data network in between those two points. Sending DDoS traffic over the Internet is something that should be taken very seriously. Every packet of data sent costs someone money somewhere, even more so if that data has to travel over trans-continental links. I wonder if the BBC considered this before performing their little demonstration, and how much it actually cost.
Copyright © lovingthe.com 2007