Would you care to look at this another way?
Imagine that you are investigating and monitoring illegal botnet activity, slowly collecting intelligence from a group of bots on a network that you have identified as infected. You spend months collecting this data with the intention of bringing those responsible to justice. Without warning, one day the bots are removed from these computers by the BBC, causing months of intelligence gathering to be wasted.
Is this out of the realms of possibility?
Ummm, pardon my style of speech, but there are a certain number of points raised as a result of what I posted that are rather interesting.
DFICSI, yes, that is what the CMA90 says. And you would be very correct in assuming BBC was breaking the law if it was them that infected (and thereby gaining unauthorised access to) the zombies. Since it was not them, and since everything has been above board as far as the law is concerned (eg security company & legal advisors (who would know the law far better than us, I'm sure)) where exactly is the crime?
As for the endpoint, the target, it was a specially set-up computer owned by the security company BBC used. BBC was given permission to use it in this fashion by the security company, with all legal niceties observed (as security companies do as a rule, these days). So, again, where is the crime in that?
I have also not seen or heard anything about the BBC "buying" access to the botnet, the only thing I've read (in the register, if I recall) was that they "gained access to a botnet through a forum", which may be translated in any number of ways.
As for what I've written regarding the simulations, Jamie, it's a kind of reply to the comments made by AV vendors claiming that the whole story could have been simulated.
In essence, all I am basically saying is that what I, as a computer scientist & netsec scientist, see is an effort by the BBC to highlight a rather large problem the UK is plagued by, and to show the public not how to do it but how easy it is for others to do it and how dangerous it is not to take measures to secure your PC. They "may" have "possibly"/"perhaps" stepped very close to the line, but (based on the information currently openly available at this time) they have not gone past it.
I personally don't view this as a wholly bad thing. Quite the contrary, actually, IF they have dispensed with the hyperbole and presented the facts as they are during the recording stages.
That is what I was essentially trying to say.
Cheers
DarkSYN
PS For those of you who are worried about what I'll be passing to my students, all I can say is that I try to teach them how to think and act like the scientists they want and came to a H.E. institution to be.
Would you care to look at this another way?
Imagine that you are investigating and monitoring illegal botnet activity, slowly collecting intelligence from a group of bots on a network that you have identified as infected. You spend months collecting this data with the intention of bringing those responsible to justice. Without warning, one day the bots are removed from these computers by the BBC, causing months of intelligence gathering to be wasted.
Is this out of the realms of possibility?
That is actually quite an interesting scenario. Problems:
a) You are investigating and monitoring illegal activity on an open network. Privacy and ethical concerns aside, it's an open network you are investigating, open to the world+dog. What, therefore, are the dangers inherent in that approach?
b) One day the bots are removed from these computers. Okay, so, how is this different from a number of people running (insert antivirus product here) following a successful advertisement praising the (insert antivirus product here)?
I am sorry, DFICSI, but these things happen to the best of us, and they are outside our control. We, therefore, take it in our stride and move on.
Cheers
DarkSYN
I think the issues regarding whether or not the action was illegal are brought up neatly in the OUT-LAW article
A couple of brief extracts
The programme has said that the activity would only be illegal if those behind it had 'criminal intent', but Struan Robertson, a technology lawyer with Pinsent Masons and editor of OUT-LAW.COM, said that this is not true.
"The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam. It does not matter that the emails were sent to the BBC's own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer," he said.
"The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorised – which the BBC appears to acknowledge. It does not matter that the BBC's intent was not criminal or that someone else created the botnet in the first place," said Robertson.
A blog posting from security firm Sophos suggests that the BBC has committed an offence of making unauthorised modifications to a computer. Robertson said that that is unlikely.
"The offence of unauthorised modification requires a recklessness or an intent that I don't think the BBC has displayed," he said.
Section three of the Computer Misuse Act describes the need for an intent to impair the operation of a computer or to hinder access to data. Such intent is not required for the section one offence of unauthorised access, said Robertson.
I'm not a lawyer but the above does reflect what I'd expect to be the case having re-read the relevant sections of the CMA. However, the piece does go on to say
Though the activity is likely to have been technically illegal, Robertson said that it is unlikely that the corporation will be punished for it.
"The maximum penalty for this offence is two years' imprisonment. But it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security," he said.
So, no harm no foul even though the suggestion is that the action was technically illegal. Make of that what you will.
I take your point about highlighting the problem, and I don't think anyone's arguing that the Beeb's heart was in the right place, but I do question the judgment of those involved.
Jamie
Oh dear - it does rather make you worry about the "I was hacking it in order to make them aware of the security risks" defence being seen as valid - something which many convicted people know isn't true - despite their hearts quite possibly having been in the right place.
I've not yet seen the program, so I'll base my response on what I've gleaned so far from this discussion -
Under section 1, Unauthorised access to computer material:
A person is guilty of an offence if
(c) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(d) the access he intends to secure is unauthorised; and
(e) he knows at the time when he causes the computer to perform the function that this is the case.
Fortunately section 17 clarifies this a bit, defining access for the above as where a person:
(a) alters or erases the program or data;
(b) copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;
(c) uses it; or
(d) has it output from the computer in which it is held - whether by having it displayed or in any other manner.
Arguably the BBC has
(a) altered the data { uploaded a file to display, thus altering the data on the machine }
(c) used it { to send spam }
and
(d) displayed it { changing the background of the screen to display the file uploaded }
By the nature of the piece, they can't claim that they didn't know that their behaviour was unauthorised ( or they really are terrible journalists ! )
I'm not really sure how this can not be seen as having been in breach of the CMA … However, in this country, unlike many others, unless it is a statutory offence ( which I'm pretty sure the CMA isn't ) illegality is in the hands of a judge and jury.
Personally, I'd like to see the BBC taken to court for it - as this will clearly define what is and isn't legal for someone to do in the name of research, journalism or good intentions.
[ Doing my legal course next week - I may well change my mind later -P ]
DFICSI, yes, that is what the CMA90 says. And you would be very correct in assuming BBC was breaking the law if it was them that infected (and thereby gaining unauthorised access to) the zombies. Since it was not them, and since everything has been above board as far as the law is concerned (eg security company & legal advisors (who would know the law far better than us, I'm sure)) where exactly is the crime?
As for the endpoint, the target, it was a specially set-up computer owned by the security company BBC used. BBC was given permission to use it in this fashion by the security company, with all legal niceties observed (as security companies do as a rule, these days). So, again, where is the crime in that?
I have also not seen or heard anything about the BBC "buying" access to the botnet, the only thing I've read (in the register, if I recall) was that they "gained access to a botnet through a forum", which may be translated in any number of ways.
Where do I begin?
First of all the BBC said that they bought the botnet on the actual program. They paid a couple of thousand pounds by their own admission. Maybe you should watch it before questioning where I got my facts from.
Second, yes the original 'hackers' broke the law by gaining access to these computers but did the BBC have authorisation from the owners of these computers? No - therein lies the crime.
The endpoint target was set up by them, that is true but the methods they used to target it (ie using other people's computers without their permission) is wholly illegal and unethical.
Just because someone has the 'permission' of a security consultant it doesn't mean that they are legally permitted to do it. As I said McAfee distanced themselves IMMEDIATELY when they learned what the BBC had done. What does that tell you? They even said that the steps taken were completely unnecessary.
Defend the action as much as you want but the FACT remains it was illegal. Another fact is that botnets are well documented and details of these can be found on the internet. The BBC have decided to make interesting television at the risk of breaking the law.
I notice you said nothing about breaking the law in other countries too.
Ask any number of forensic professionals about this 'experiment' and you'll see that not one of them agrees with what was done.
Oh dear - it does rather make you worry about the "I was hacking it in order to make them aware of the security risks" defence being seen as valid
I was just thinking how long it's been since I last heard that proposed as a serious defence (or a seriously good reason). It was a loooooooooong time ago.
Maybe these things come and go, like flared trousers 😯
Jamie
A brief analogy.
Top Gear produce a show in which the presenters each buy a stolen car from some random car thief. They drive the cars around their own track, never taking them on a public road.
The show ends and everyone is happy.
Ludicrous isn't it?
Hmmm, very interesting insights into the world of DF & associated legal issues!!!
Jamie, I will DEFINITELY read the whole out-law article on the subject, and thanks for including it.
Azrael, your take on the matter is interesting, as is your interpretation of the CMA90. It would indeed appear that your points a, b and c hold true, from a totally technical perspective.
In one of the pieces that Jamie quoted, however, it has been stated that aside from the technical perspective there is also the intent to consider, and since the intent in this case is (I'll take the leap of faith and say it, although I'm referring to the press) educational in nature, where exactly is the uber-bad here? As I do remember saying, they have stepped very close to the line but they did not cross it.
DFICSI, with regards to your argument about the payment, I truly have not read anything about them paying for it, nor did I know it has been aired already (I thought it was going to be aired, future tense), so if I've been wrong in either or both, I apologise.
With regards to your second point, no, it wouldn't absolve them of all legal responsibility but the BBC are not themselves the ones who "hacked" and zombified the computers, therefore they themselves cannot be accused of breaking into those computers.
With regards to your point about security consultants, one of the functions of such individuals/companies would be to advise their clients on what is or is not legal and can or cannot be done in a legal and professional manner. Furthermore, their legal team should also have highlighted these issues. What worries me is that they didn't, apparently. As for McAfee saying that the steps were unnecessary... actually they are...
Finally, with regards to the opinions expressed here about the "I was hacking it in order to make them aware of the security risks" bit, I don't believe you can say for sure that they've "hacked" anything in this specific case.
As for breaking the law in other countries, I didn't see it to begin with, LOL!
As for this "Another fact is that botnets are well documented and details of these can be found on the internet. ", as someone who's researched the topic of DDoS attacks and BotNets for both his MSc and nowadays his PhD, I can, with great ease, tell you that, no, they are neither well documented nor can sufficiently high-quality details be easily found online without performing live tests yourselves.
And, I should also mention that I've been having rather large problems finding substantially good quality publicly available datasets on DDoS attacks and botnet traces so as to do my research, so I am actually resorting to small-scale simulations to get some preliminary data to begin data classification. I should, thus, ask you where exactly you found sufficiently scientifically sound documentation and information to be able to say it is a fact.
Finally, the "I was hacking it in order to make them aware of the security risks" first of all does not apply to this case, exactly (intent, remember?), and it is also part of the basis for network security advisories (amongst other things), the use of which has helped the network security, antivirus, computing and to some extent digital forensics, amongst other sectors.
Cheers
DarkSYN
Hi DarkSYN,
Quite a lot of points there but I'll confine my replies to just two of them
In one of the pieces that Jamie quoted, however, it has been stated that aside from the technical perspective there is also the intent to consider, and since the intent in this case is (I'll take the leap of faith and say it, although I'm referring to the press) educational in nature, where exactly is the uber-bad here? As I do remember saying, they have stepped very close to the line but they did not cross it.
I think the crucial point here is that the act defines a number of different offences and intent is not relevant to all of them. With regard to crossing the line I'm not quite sure whether you're referring to the law or acceptable (perhaps forgivable?) behaviour. As always, much depends on interpretation/precedents when it comes to the law and how you define what's acceptable!
Finally, the "I was hacking it in order to make them aware of the security risks" first of all does not apply to this case, exactly (intent, remember?), and it is also part of the basis for network security advisories (amongst other things), the use of which has helped the network security, antivirus, computing and to some extent digital forensics, amongst other sectors.
I'm not sure I follow the argument in the first part (applicability) but it sounds as though you're essentially arguing that hacking is justified if it has at least some positive outcome?
Jamie