Tuesday, 17 March 2009

BBC Click’s Pointless & Unethical Botnet usage

After watching the latest BBC Click technology projavascript:void(0)gramme (see http://news.bbc.co.uk/1/hi/programmes/click_online/7938201.stm and watch on BBC iPlayer (UK Only) click here), it is clear BBC Click not only controlled a botnet of 1,696 PCs to send Spam Emails, but actually paid criminals for the privilege! The angle for the BBC Click programme was to illustrate and highlight the internet botnet problem. Which to be fair is a good awareness objective and interesting, however botnets have been widely known about for many years now, certainly within security circles anyway.

"After months of investigation and a few thousand dollars, we had managed to buy a botnet from hackers in Russia and the Ukraine." - BBC Click

I'm ALL for raising awareness of cybercriminal activities, but I think BBC Click programme crossed the ethical line on this one, in they actually used a botnet (namely thousands of PCs infected with centrally controlled malware) without the PC owner’s permission to send out Spam Emails. Which is just not an illegal act in my view but a pretty immoral way to make a point. Furthermore I am troubled the BBC paid criminals thousands of pounds of license payer’s money to buy the botnet. I think they were ill-advised to take this course of action, surely the programme makers could have spoken with any one of the many security vendors on the forefront of dealing with and understanding intricacies of botnets instead.

Many security vendors and organisations have a wealth of real world information and data on botnets accumulated over many years, as well as the botnet key output, which is namely Spam Emails, and to a lesser extent botnet usage in denial of service attacks.
I mean wouldn't it be completely unacceptable to use thousands of pounds of licenser payer cash to buy drugs, just to prove there is a drugs problem, when everyone already knows there is a drugs problem.

I don't enjoy bashing the BBC as I am a huge fan of their many excellent services provided on TV, Radio and Online, however I think they dropped the ball with this one.

I carry out a great deal of research on cybercriminal activity and methodology myself, especially with online payment card fraud. However I am extremely careful to never to cross the ethical and law breaking line, even though it can be highly frustrating at times.  For instance I would consider it highly unethical to purchase stolen payment card details from a cybercriminal, and it certainly would be illegal (it's fraud) to try use stolen credit card information to just prove a point.  Despite some frustrations, I generally find such limits within my own research do not affect my ability to produce good results and raise awareness of important security issues

In fact I have been asked to perform unethical and illegal criminal and hacking actions on several occasions by reporters working for national newspapers, all of which I have refused on ethical grounds.

So I guess I'm pretty disappointed with the BBC Click programme, as I am sure they could have easily illustrated botnet usage within a lab environment, and backed this up with the real world factual data on criminal botnet usage from the anti-spam vendors.

No comments: