“British Botnet Corporation” Should Apologise

There are some things you just don’t do in security research or you become part of the problem. Controlling and modifying other people’s machines, even if they are “bots” in a botnet, is one of them. This is what the BBC did.

Not many in the security community are impressed with the BBC’s cheap trick of buying a botnet and using it to demonstrate what botnets can do. I’m as disappointed with Prevx, the security vendor who cooperated with the stunt.

Despite the BBC’s assertion that no laws were broken, I’m more impressed with those who cite the Computer Misuse Act to claim the contrary. To do what the BBC claims to have done they must have violated this act. One can argue the merits of various parts of the act, but as a general matter it’s not good for vigilantes to go about violating people’s computers to make a self-serving point. The act is clear that unauthorised actions on a computer (like sending e-mail from it or changing the wallpaper) are violations, and of course they should be. They also may have exposed themselves to civil liability by involving ISPs in their fake, demonstrative DDOS.

What they did was wrong on a number of levels, not least of which is that it seems they paid for the privilege of using a real botnet. Who did they pay? Is it right to reward the herders of a botnet by giving them business? What will those herders do with the money paid by the BBC?

How do responsible security researchers work? It’s not exactly the same field as botnet research, but I think you can get a good sense of good principles from the Fundamental Principles of Testing for the AMTSO (Anti-Malware Testing Standards Organization): Never create new malware and protect the public networks from the research at all times.

Alex Eckelberry, CEO of Sunbelt Software, commenting on this in a post to the funsec mailing list, says it well:

… malware researchers routinely deal with botnets for analysis purposes. It would be considered a high crime indeed to allow a spambot to actually send spam to the outside world, even for “testing” purposes. And, shutting down a botnet yourself, even with the best intentions, is simply not a good idea. You don’t know what accidental harm you may cause. You also don’t really know what’s on the user’s system that will simply restart the whole process.

In the end the BBC states that they notified the owners of the systems involved that they were infected. They didn’t provide details on how they did this (I wonder why, he said sarcastically), but our reporting indicates that they did this by modifying the user’s wallpaper to include a note about it. Well-intentioned as it may have been, this alone is a violation of the Computer Misuse Act. It’s also a common technique of rogue anti-malware products; they use any avenue they can get to try to get the user to “fix” their problem by buying the premium program.

This last analogy may seem cheap and unfair, but I think it illustrates how close you tread to the dark side when you go down this path. You end up using the tools that the bad guys use because they’re what’s available. And like Eckelberry says, you never know what will happen as a result, and it will be your fault. I hope the BBC stops defending its actions and apologises as it should. This sets a terrible example.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.