Click's botnet experiment
There's been quite a bit of discussion in the blogosphere over the past 24 hours about the Click botnet experiment. It was aired in news coverage and detailed on this site yesterday - you can see it , and you can see the full programme on ³ÉÈË¿ìÊÖ World News and the ³ÉÈË¿ìÊÖ News channel over the next few days.
Put simply, we posed as a customer, and bought a piece of software which gave us control of around the world.
We commanded them to send spam messages to our test addresses, and to stall a website by repeatedly requesting access. Not a working website, of course - in the real world, this technique is used to extort money from businesses that rely on the web for their very survival.
We alerted the PCs that they were liable to infection, gave them a place to go to for further advice, and destroyed the malware for good. It's all in the programme.
A lot of the debate has been about whether we did the right thing digging into the murky world of hackers and organised cybercrime. In seeking to demonstrate the threat, had we put ourselves in the position of those we wanted to expose?
That's always a good question. After all, we could have simply described what we believe happens and given some warning advice, couldn't we? We've done this in the past. So have many others...
But hacking has gone professional. Today, without you even knowing. It's a major growth area for organised crime: it's global, and very local to all of us who work, communicate and play on the world wide web.
So we felt that there was the strongest public interest in not just describing what malware can do, but actually showing it in action. A real demonstration of the power of today's botnets - to infect, disrupt and damage our digital lives - is the most powerful way to alert our audiences to the dangers that they face. It's a wake-up call to switch on that firewall and improve our security on the internet.
We think that what we did was a first for broadcast journalism. We were amazed by the ease of use of the botnet, and the power of its disruptive capacity.
No-one watching our programme could learn how to build a botnet or where to go to to buy one. But what is very clear is the level of threat - especially to home users who don't have the benefit of corporate-level security. (Our guide to PC protection is .) As the hackers continue their silent running, we thought it was our job to expose the mechanics of their hidden economy. Please watch the full show and see what you think.
Mark Perrow is executive producer, .
Comment number 1.
At 13th Mar 2009, Hymagumba wrote:As the full show isn't on iPlayer yet I'm not sure if you did this, but it might have been interesting to have the message you sent to the users ask them to phone the click office.
You could then have seen just what sort of users were caught in the net and where abouts they were.
Complain about this comment (Comment number 1)
Comment number 2.
At 13th Mar 2009, lordBeddGelert wrote:You were totally 1000% justified in doing this.
If it wasn't 'Click' online with a test, it might have been something much more malicious.
No doubt some eejits have been complaining about this. What would they have preferred - some Russian teenagers hacking into their pc and setting up a phishing expedition to suck some money from online banking accounts to fuel the East European mafia ??
What you need to bring home is that many banks have ALTERED the terms and conditions and legal SMALL PRINT [which most people don't ever read] to make customers liable for some of the losses from their accounts, if money is removed fraudulently, and they didn't take REASONABLE STEPS to prevent it.
So if it isn't Click Online and the ³ÉÈË¿ìÊÖ bringing this important issue to their attention, and they haven't kept up with developments in internet banking, virus control and pc protection software, then the way that they find out may be when their online bank account has had funds hoovered out of it by criminals outside the UK jurisdiction.
I'm not necessarily an advocate of the way the banks are trying to offload the liability and risk for fraud onto their customers - but it is essential that the ³ÉÈË¿ìÊÖ do their role and educate people about these issues and the other problems which people like the National Hi-tech Crime Unit are uncovering.
Complain about this comment (Comment number 2)
Comment number 3.
At 13th Mar 2009, johndrinkwater wrote:I moderate an IRC server (we see a thousand regular users connected concurrently) that has been used for botnets, we’re very active in dealing with them (banning systems from the network) and filing reports to other admins via mailing lists to help assist other networks deal with the problem.
I am truly shocked that in the process of ‘journalism ’ you didn’t consider talking to all the people that deal with the constant pest of bot masters using chat networks to manage their bots, and also that in the process you’re likely to have used one of the servers of well-meaning friends.
Offended that you’ve claimed to have alerted the drones system owners(unlikely) and removed their malware(even more unlikely), and not considered that you need to apologise to ISPs and network providers that you’ve abused in the process.
And CAN YOU PLEASE stop refering to these systems as PCs, they are Windows drones, no other platforms like MacOS or Linux are affected or used in this way and you’re continuing the trend of telling people that all computers require extra protection.
Complain about this comment (Comment number 3)
Comment number 4.
At 13th Mar 2009, woodsy42 wrote:With respect Mark I don't think you have answered the question.
Nobody is suggesting these botnets are other than bad or arguing with the usefulness of a program to educate and warn PC users. Full marks for making one.
The worry is that you went beyond that and apparently used one and then deliberately manipulated users data on their PCs. The fact that you have a loftier moral motive than the fraudsters and meant no harm doesn't affect what you actually did.
Would you investigate door locks by setting a tame housebreaker to gain entry and leave a message in the insecure houses? I doubt it.
Complain about this comment (Comment number 4)
Comment number 5.
At 13th Mar 2009, moriaeencomium wrote:Eh, I'd guess that biggest villains in cyberspace would be governments and you can pick any of the many.
As other strive, Britain already made it to 1984, nothing else to say but it's ''by the book''.
Peeking from the other side of the tube, peeking from the buildings, poles, trees even?
Who would need such control of population and for what purpouse?
Freedom is not tidy, as Rumsfeld once told.
Pih, pfuj even.
Complain about this comment (Comment number 5)
Comment number 6.
At 14th Mar 2009, Nightwol wrote:I understand the argument. I respect that you acted from the best of motives. I cannot condone what you did. The end does not justify the means. As "White hats" we have to excercise moral judgement and resist the lure of doing something just because we can.
Complain about this comment (Comment number 6)
Comment number 7.
At 14th Mar 2009, MeACoalPit wrote:Since there was never a doubt that these bots can do what they claim to Windows OS controlled PCs I wonder just what you were trying to prove. Certainly your blog far from legitimises what you did.
There is a simple fact that no networked computer can ever be entirely secure, no matter what security software or hardware is used. Bots or no bots that will still be the case. It is received wisdom that Windows is less secure than many other operating systems and yet it remains a popular choice amongst many IT professionals.
Certainly with the correct software installed most Windows users can render their computer very safe from attack. That is until the day comes along when the user does something silly and the software is asked to retrieve the situation. The best software will most often do its job, but are the majority of users buying the correct software for the use they put their computer to?
And as for the journalistic "Today your computer can be doing bad things to other people without you knowing" you presuppose that most people do not check traffic on their connection when it should be idle.
Maybe the best advice you can give to anyone is to check traffic at all times they are connected and to switch off the modem at any time unexplained traffic is experienced. As an alternative they can also use security software to block all Internet traffic if they are not intending to go online.
Complain about this comment (Comment number 7)
Comment number 8.
At 14th Mar 2009, Neil McGovern wrote:I'm also fairly interested in the amount that this has cost, not only to the licence payers, but to the industry in general. For those interested, please see my FoIA request at
Complain about this comment (Comment number 8)
Comment number 9.
At 14th Mar 2009, NigelHarper wrote:I have some sympathy for the public interest argument but I'm concerned about the legality of what you did.
In the report it states that the lack of criminal intent makes it legal, but I and others more learned in law than me are struggling to reconcile this with section 1 of the Computer Misuse Act.
This seems to make unauthorised access to a computer system a crime in itself, regardless of the reasons behind that access.
I would be very interested to see a response which addresses this point.
Complain about this comment (Comment number 9)
Comment number 10.
At 14th Mar 2009, Pancha Chandra wrote:Hackers are definitely anti-social who have hidden agendas. By breaking into other people's computers, they would like to control the cyber-world with their own philosophy. By surreptitiously entering your computer, they try to steal vital or sensitive information which they are not entitled to. Hackers need to be stopped in their tracks before they inflict damage.Stiff sentences should be given once they are caught. Obviously they are intelligent but are using intelligence in misguided ways.
Complain about this comment (Comment number 10)
Comment number 11.
At 14th Mar 2009, One Marble Left wrote:#10
I think you miss a point that many "reformed" hackers have helped to develop the world's best security software. That others rise to the challenge is, to them, a game. The possible or potential pay-off from a criminal element is very often an after thought.
That is not to decry the criminal abuse of personal data, most of which, interestingly, is gained through poor security of data, most often nothing to do with hacking at all.
We are many, many years into the computer revolution and yet we still steer clear of operating systems that are considerably better at their job (speed, efficiency AND security) than Windows. Perhaps instead of wanting to hit hackers hard we should be expecting major software developers to show a bit more craft in their products. We should also expect all government and commercial organisations to have the best security systems they can find. Most certainly do not have this.
Complain about this comment (Comment number 11)
Comment number 12.
At 14th Mar 2009, Keith wrote:If the computers are already insecure and open to attack by hackers then it's better the ³ÉÈË¿ìÊÖ do a controlled experiment with the computers than have a hacker take control of them for more sinisterness purposes. It's worth noting that these computers were ALREADY infected (as far as I can tell).
At least by informing users by posting a notice via their wallpaper should act as a wakeup call and provoke them into taking preventative action. Hopefully it'll help prevent their computer from being used in future by hackers, reducing future malicious internet traffic.
Complain about this comment (Comment number 12)
Comment number 13.
At 14th Mar 2009, pionere63 wrote:This should come as no surprise to anybody with even a mild interest in the ³ÉÈË¿ìÊÖ over the last few years. They have increasingly taken the moral high ground, an attitude of 'We know what is best for you' and 'We can do what we like, so long as it is in the public interest'. Political bias, even an attempt at 'muck-raking' against Barack Obama in his own back yard being just two examples; this is just one more!
If I were to attempt a break-in at Mark Thompson's house, I have no doubt that I would be promptly arrested, regardless of whether I took anything or not!
Whoever it was that took the decision to do this should be under no doubt that it was an illegal act and as such, should be investigated by the Police.
Complain about this comment (Comment number 13)
Comment number 14.
At 14th Mar 2009, davidaharley wrote:This is a somewhat evasive blog: no wonder some of the people who posted comments have missed the point.
No-one, as far as I know, has accused you of teaching botnet exploitation for beginners. No-one has a problem with your bringing the botnet problem to a wider audience: I'm sure that you've brought the issue to the attention of more people in the past few days than I have in many years of writing books, blogs and conference papers, and that's fine, even if you did get some of the detail wrong.
But you haven't explained why it's in the public interest for you to put money into the pockets of professional criminals.
You haven't explained why it's OK for you to use malicious software and techniques by hijacking systems to which you have no right of access, in defiance of the Computer Misuse Act, when you could have got the same result on a closed network using your own resources, or paid someone better qualified to do it for you. You certainly haven't explained how your definition of "intent" varies so dramatically from the definition within section 3 of the CMA.
"(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data"
You haven't explained why a dummy spam mailout is a "real" demonstration and more "in the public interest" than the dozens of other ways you could have made the same points.
Complain about this comment (Comment number 14)
Comment number 15.
At 14th Mar 2009, alfsplace1986 wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 15)
Comment number 16.
At 14th Mar 2009, neochivers wrote:Very quietly the Police and Justice Act of 2006 went through parliament; this SPECIFICALLY out-laws DDOS attacks. The computer misuse states:
"(1) A person is guilty of an offence if—
...
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case. "
Therefore sending spam is a function of a computer and the ³ÉÈË¿ìÊÖ didn't have permission on the owners of the computers on the infected botnet.
ALSO: paying for the botnet is-
i) illegally funding crime
ii) a waste of license payers money
The ³ÉÈË¿ìÊÖ also need to get their definitions correct. Hackers are harmless smart people who just like to play with things and see what the can make things do. CRACKERS are the malicious type who send out hundreds of spam e-mails, perform DDOS attacks and steal your bank details!
The ³ÉÈË¿ìÊÖ is giving us hackers a bad name
-NeoChivers-
Complain about this comment (Comment number 16)
Comment number 17.
At 15th Mar 2009, One Marble Left wrote:#13
I agree that the ³ÉÈË¿ìÊÖ tends to demonstrate an entirely unjustified high opinion of itself. It also shows that schoolboy tendency to say "look what I've just done". Well actually all that happened was that the ³ÉÈË¿ìÊÖ knowingly gave license payers' money to a criminal. The ³ÉÈË¿ìÊÖ didn't prove anything other than boyish stupidity. Instead of keeping sheepishly quiet about it the ³ÉÈË¿ìÊÖ then admits to having committed the crime in the opening blog.
Would the ³ÉÈË¿ìÊÖ run an undercover operation in Iran to build a nuclear weapon just to prove it can be done? Would the ³ÉÈË¿ìÊÖ put a "fake" suicide bomber, complete with bomb, on a London tube train just to demonstrate it can still be done? Would you crow about these things if you succeeded.
The vast majority of computer crime is committed via lax handling of personal data by people who should know better, not by hackers whose only aim is to show the many security holes that exist in our computer systems.
If people (including all ³ÉÈË¿ìÊÖ personnel) do not use the grey matter they were born with and exercise a little common sense to their computer habits then they lay themselves open to being shafted. It is as simple as dropping or throwing notes out of a wallet or purse, and it does not require a prank to show how it is done.
Complain about this comment (Comment number 17)
Comment number 18.
At 15th Mar 2009, Doctor Bob wrote:I think it was a good idea though I'm not sure the message will ever get through. Most people (not all, by any means but most) think it's always the other guy who gets it, then hand their secrets to somplete strangers.
Most people need a huge screen filled with a large typeface warning them not to give any personal details on a site linked from an email. But would even that be enough? Looking at Facebook that now claims it owns your identity, people seem all too willing to hand their secrets over.
I feel you should have been stronger on the advice - how to create a firewall and check if it's working; how to check if your computer is sending spam (it doens't show up on the "sent" list); how can people forge your email address; and is a program like Spybot that will interrupt an attempt to alter registry entries with something suspicious.
Complain about this comment (Comment number 18)
Comment number 19.
At 15th Mar 2009, ethicalhack3r wrote:Did the ³ÉÈË¿ìÊÖ consider if they were breaking any laws in which the computers reside?
Not only have they broke the CMA but alo probably many other laws in many different countries.
Complain about this comment (Comment number 19)
Comment number 20.
At 16th Mar 2009, Basic wrote:Just to add my 2p - I genuinely can understand what you were trying to achieve. I and many others have been aware of the issue for a long time and a lot of the pros would love to do what you did - order botnets to self-destroy. They can also do it without needing to buy access.
I'm sure you're aware of McColo being taken down and the opportunities that were available to order hundreds of thousands of machines to clean themselves up (if not, google it) - But the professionals chose not to act as it would be illegal to use the botnet to do anything (including destroy itself). If the people who do this all day every day had to accept that they couldn't act legally, why do you think you can?
There are a number of issues here - I don't think anyone objects to you informing a wider audience of the issue and no doubt this controversy will raise the profile even higher. The illegal use of a botnet wasn't required to achieve the above goal. As has been suggested here already, why not infect a network you control rather than using real machines worldwide?
Lastly, the REAL best way to avoid being infected is to avoid using internet explorer (and to a lesser extent, windows). I understand that you'd be treading on some big legal toes but it's been done before ( ) and that would have been far braver than paying hackers and then not providing decent clean-up advice.
All in all, I have to say I disagree with your decisions.
Complain about this comment (Comment number 20)
Comment number 21.
At 16th Mar 2009, ynda20 wrote:I just have to say that I fully support the ³ÉÈË¿ìÊÖ in this ethical hacking exercise. It is a terrific way to raise awareness of the threat of botnets which is otherwise in a hidden and murky world. This has been going on for over 5 years and this is the first time I have seen the subject described to a main stream audience.
Complain about this comment (Comment number 21)
Comment number 22.
At 16th Mar 2009, JGScotland wrote:So, according to the ³ÉÈË¿ìÊÖ it's OK to hack into a computer system, as long as there is no intent to cause problems. So presumably it would be OK for me to hack into the ³ÉÈË¿ìÊÖ system, change settings and use it to send mail?
The ³ÉÈË¿ìÊÖ are so arrogant it is unbelievable. We know best, so we do what we want.
I also think you have broken the law.
Under the Computer Misuse Act 1990:
3(1) A person is guilty of an offence if
a) he does any act in a way which causes the unauthorized modification of the contents of any computer; and
b) at the time when he does so the act he has the requisite intent and the requisite knowledge.
3(2) for the purposes of subsection 3(1)b above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
a) to impair the operation of any computer;
b) to prevent or hinder access to any program or data held in any computer; or
c) to impair the operation of any such program or the reliability of any such data.
As you can see, the hacking done by the ³ÉÈË¿ìÊÖ clearly falls under section 3(1)a and 3(1)b. The requisite intent under 3(2)a is also met. Any change of, and storage of, code in the memory of a computer will make this part of the memory inaccessible to other programs, i.e. the performance will therefore be impaired. Further, sending email on that system reduces the available bandwidth to the owner, again impairing the system.
Breaking the law, whatever the motives, is still breaking the law. But hey, we're the ³ÉÈË¿ìÊÖ so we will just ignore that.
Complain about this comment (Comment number 22)
Comment number 23.
At 16th Mar 2009, Briantist wrote:There are some bizarre arguments here, along the lines of "the first rule of botnets is you don't talk about botnets".
It was about time someone showed how the interfaces to these systems is now so simple that is not criminal hackers who are using them but almost anyone who can operates a PC.
As for the endless (yawn!) debates about which operating systems are secure or otherwise, it is useful to recall that all of the original network computer exploits were originally UNIX-based as Windows decide to be properly network connected (and thus vulnerable) until "95 Second Edition".
So, bravo to Click, hope this might allow it to transfer to ³ÉÈË¿ìÊÖ One where it belongs and keep up the good work.
This kind of intelligent but comprehensible reporting is great for the general public and officials who need to know this stuff.
In particular the section about DDOS was of the highest standard television.
Complain about this comment (Comment number 23)
Comment number 24.
At 16th Mar 2009, sidefall wrote:I’m completely with the ³ÉÈË¿ìÊÖ here.
The fact is that huge numbers of people now have computers and broadband, and the vast majority of them probably don’t know what a botnet is.
So anything that raises awareness of computer security issues a good thing. Both users and manufacturers have been negligent for far too long.
Yes, the ³ÉÈË¿ìÊÖ had to pay money to criminals and access computers without permission. Both were regrettable but essential. Had they just talked about botnets, it wouldn’t have had anything like the impact that this real demonstration is having.
In my view, the public interest case for the ³ÉÈË¿ìÊÖs actions is overwhelming.
And it's a far better use of our licence fees than paying huge salaries to personality presenters who demand pay cheques as big as their egos.
Complain about this comment (Comment number 24)
Comment number 25.
At 16th Mar 2009, KennethM wrote:These kinds of arrogant excesses by the ³ÉÈË¿ìÊÖ convince me that it must have a major clear out of many of its journalists before they bring the whole house down.
Complain about this comment (Comment number 25)
Comment number 26.
At 16th Mar 2009, Richard Kent wrote:Surely the viewers of Click are people interested in technology and therefore on the whole computer literate. They are aware of the threat to their Windows PCs and take necessary measures to counter this. I would be surprised if any of the computers you hacked into belong to Click viewers or that any unsecure computers (other than those hacked into) have now been made secure following the broadcast.
I can't really see what was achieved by your illegal action.
Complain about this comment (Comment number 26)
Comment number 27.
At 16th Mar 2009, leejlawson wrote:Having seen the programme, read the editor's blog and read through all of the comments, I now feel ready to add my say. I work as a computer forensic investigator and professional penetration tester; this is a legal hacker for want of a more accurate description. I get paid to hack into my customer's computer systems to help them secure them better. So I have experience in this area.
I am not going to comment on which operating system is better than any other as that depends on what software is installed and the user in charge of it. I am also not going to comment on the 'public interest' of such a subject as it clearly is in the public interest. I have two points.
My problem with the ³ÉÈË¿ìÊÖ on this subject is the legality of the offense, and I use the word 'offense' deliberately. In my opinion, and that of other security professionals, the ³ÉÈË¿ìÊÖ has condoned illegal activities and should be investigated by the police not only in the UK but also in the countries where the botnet victims reside. The computer misuse act 1990 is quite clear about permission and there is no evidence to suggest that the ³ÉÈË¿ìÊÖ gained prior, written permission for access from the ~21,000 botnet victims. The ³ÉÈË¿ìÊÖ are not (NOT) above the law even if they believe that their moral high horse will protect them. This is arrogance at the highest level and the editor’s blog goes no way to justifying their actions.
Some good examples have been given on the comments but let me add this one. Would the ³ÉÈË¿ìÊÖ attempt to smuggle a fake bomb onto a plane to prove lapses in airport security? I used to do bomb disposal in the Army and let me tell you that this can be done, but I won’t do it! Why? Because I would be arrested under terrorism charges even if I then showed them where they had lapses and helped fix them.
My second and probably biggest problem with this offense is that a criminal group etc has profited from it. Is the ³ÉÈË¿ìÊÖ now in the game of funding organised crime? How much of the license payer’s money was given to these criminals for this poorly thought out publicity stunt? Please tell us.
The ³ÉÈË¿ìÊÖ as a publicly funded organisation should be better than this. The UK population are required to pay for a TV license so that the ³ÉÈË¿ìÊÖ can exist, fine, whatever. But never - NEVER - use my money to fund crime. Never - NEVER - use my money to commit a crime.
I suggest you get your lawyers onto this as they are likely to feel some pressure to respond.
Complain about this comment (Comment number 27)
Comment number 28.
At 16th Mar 2009, Person wrote:We all know the bbc loves Microsoft, hates open source and the internet - stop spreading the fud Mark@bbc.
I refuse to watch click for the reasons i listed - and please microsoft pcs are the bots in net. It be nice if you said so.
Complain about this comment (Comment number 28)
Comment number 29.
At 16th Mar 2009, ynda20 wrote:@27,
Sorry this is just so much arrogance on your part. Your job is computer security so you would be out of a job if people knew enough to take the simple steps to protect their computer system. The ³ÉÈË¿ìÊÖ has done an investigative report along the same lines as the News of the World reporter getting a job at Heathrow or Buckingham Palace and pointing out the security weaknesses. The difference here is that it upon a subject that is much more relevant to the general population and indeed it Needs wide media exposure in order to make people aware of the subject.
Your moral high horse is just a job protectionism which is obvious by such statements as pretentiously "not commenting on operating system or installed software". This is all part of the FUD and mystic that you wish to build for your "profession".
I congratulate the ³ÉÈË¿ìÊÖ on their report and their imaginative investigative approach to the covering this issue.
Complain about this comment (Comment number 29)
Comment number 30.
At 17th Mar 2009, dennisjunior1 wrote:I hope that the ³ÉÈË¿ìÊÖ took all of the legal resource in regards to protect against legal problems...
Complain about this comment (Comment number 30)
Comment number 31.
At 17th Mar 2009, MeACoalPit wrote:The problems with Windows hail from Bill Gates' lack of foresight over the growth of the Internet. The panic buying of a third party browser (to be branded Internet Explorer) to challenge the very secure Netscape showed Microsoft's desperation not to be left behind. A bigger mistake by Microsoft was to bolt the still poor IE4 into the Windows core, a developed action that was later successfully challenged in the courts.
All software designed to exploit holes in an operating system is simple and can be dealt with by equally simple security software. The intruder relies on a set of rules being true and any complexity is in how the breach of the hole is developed in successive jumps. Anyone with a simple set of rules who uses a computer heavily without security software is very unlikely to be attacked. Most people however do not like following simple sets of rules and so they rely on software to do the job for them. The advice is simple. Try before you buy and avoid software that is difficult to uninstall. There are some highly effective free products available too.
The security market relies on the kind of hype demonstrated in this blog and Click's program. By creating anxiety amongst users the criminal element has the perfect environment for the "mistakes" they rely on to be made. Bot nets are not "clever, thinking pieces of software" they are a simple development of a very old idea. The ³ÉÈË¿ìÊÖ and Click are sadly mistaken if they think this is not poor "exploitation" of people's fears.
Complain about this comment (Comment number 31)
Comment number 32.
At 17th Mar 2009, MonkeyBot 5000 wrote:@29
"The ³ÉÈË¿ìÊÖ has done an investigative report along the same lines as the News of the World reporter getting a job at Heathrow or Buckingham Palace and pointing out the security weaknesses. The difference here is that it upon a subject that is much more relevant to the general population"
No, the difference here is that what Click did is a criminal offence. The News of the World reporter lying on his CV would be committing a civil offence at most
Complain about this comment (Comment number 32)
Comment number 33.
At 17th Mar 2009, Walrus wrote:Imv, it is (was) not news that this happens. You did not have to make a pudding to prove it.
Now the real news would be that you have found a cure for all this.
A simple question. Why do ISPs send on spam. Why cannot they delete it at source? Even sauce.
Complain about this comment (Comment number 33)
Comment number 34.
At 17th Mar 2009, bigsammyb wrote:You seem to be under the impression that this is all automated, it isn't.
Those boxes are generally exploited using public exploits:-
[Unsuitable/Broken URL removed by Moderator]
All the latest buffer overflows and sql injection exploits are there as source code. Anybody can take that code compile it and start exploitng systems.
What might surprise you is the majority of people doing this are not doing it to sell a ³ÉÈË¿ìÊÖ reporter access to a home users computer especially seeing as they would have rubbish internet connections.
Most machines are exploited for international file sharing via ftp which is where ultimatley all the pirated content you see on file sharing networks comes from.
But most machines are not home users as you suggest and in fact even criminals selling boxes would not generally sell home user boxes either.
Why would you buy 100 home user boxes when each of them only has 128k upload? 1 box from a commercial network ie: keyweb in germany could do the same job as over a hundred home user boxes.
So is this a good thing? Maybe not but i would rather such information was freely available than only available to a select few. Knowledge is power and without the freedom of knowledge network security would be far worse than it is today and those who would do real harm ie: terrorists cannot have a free for all as a result.
Complain about this comment (Comment number 34)
Comment number 35.
At 17th Mar 2009, jon112uk wrote:I have no problem with this Mark.
If mine had been one the vulnerable computers I would have thanked you for letting me know.
Personally I think it would not be a bad idea if ISPs put some resources into an ongoing programme of the same type - examining their customers computers and warning them. The spam avalanche is one of the main issues coming out of these 'bots' and the ISPs could save some cash on bandwidth saved.
Complain about this comment (Comment number 35)
Comment number 36.
At 17th Mar 2009, ynda20 wrote:@32,
... the difference here is that what Click did is a criminal offence. The News of the World reporter lying on his CV would be committing a civil offence at most
I think you'd have a hard job proving this to a jury. Go on and waste more tax payers money and take the bbc to court, but the action would fail.
The ³ÉÈË¿ìÊÖ has performed a public service getting this issue aired, no damage was done and was indeed, "ethical hacking".
I'm not saying they should be doing such on a regular basis - but then they won't be doing so anyway! I agree with jon112uk, that if my vulnerable computer was used in this demonstration then I would have thanked the ³ÉÈË¿ìÊÖ for letting me know.
Complain about this comment (Comment number 36)
Comment number 37.
At 17th Mar 2009, isabelladean wrote:Can ³ÉÈË¿ìÊÖ 24 News broadcasters see me in my bedroom? I sense it often and am quite annoyed by it. I heard some women talking to me at night. Some of them are from the media. Some voice is from the street, some are connected to my room. Am I a special worthy so much their energy? Will I get any material benefit from it? I feel very painful and feel they never consider my feelings inside.
Complain about this comment (Comment number 37)
Comment number 38.
At 17th Mar 2009, bigsammyb wrote:Don't allow the ³ÉÈË¿ìÊÖ to scare you, its actually quite a inaccurate poorly researched story.
There is no reason anyone should be vulnerable to public exploits which is what most of those boxes would of been hacked with. Simply patch your operating system and most of all SECURE YOUR PORTS.
Buy a router and then even if your pc does get compromised it will be difficult for their rootkit to recieve a connection due to the lack of a forwarded port.
So if you have a usb modem bin it.
Complain about this comment (Comment number 38)
Comment number 39.
At 18th Mar 2009, MeACoalPit wrote:@# 35 & 36
Why on earth would you be happy? All that you will have learned is that you had an infected machine that may have been cleaned of a botnet. That doesn't tell you how you managed to "allow" your machine to become infected, whether you have other infections, or what you are NOT doing to prevent such infections in the future. The problem with security hype is that it focuses on the "what could be" in order to deal with the "what is". The infection algorithms are always simple because once the hole is breached (an action the user must "allow") then the exploit makes whatever it wishes out of the breach. Appearing to clear an infection is a dangerous assumption that we entrust to security software and yet many products do NOT clean the infected machine.
The whole point of security measures is to prevent infection in the first place, not to have to resort to complicated cleaning that has been proven to be rather ineffective in many examples of security products. These products already carry a further difficulty for the user in that they may report false positives. Many games titles use highly suspect copy protection which can be easily exploited by anyone with the determination to do so. However it is in the user's gift to prevent any of this happening by acting with common sense on all matters related to their computer habits.
If the ³ÉÈË¿ìÊÖ wishes to do its users a service then it may wish to investigate security software and software protection mechanics. By highlighting some of the poorer activities used by the software industry it may help to improve quality.
Complain about this comment (Comment number 39)
Comment number 40.
At 18th Mar 2009, MonkeyBot 5000 wrote:"@32,
... the difference here is that what Click did is a criminal offence. The News of the World reporter lying on his CV would be committing a civil offence at most
I think you'd have a hard job proving this to a jury. Go on and waste more tax payers money and take the bbc to court, but the action would fail."
It would actually be incredibly easy - they freely admit to what they did and the law clearly states that what they did is illegal. It's the act of unauthorised access that makes the offence, not the intent. I'm not saying that there is anything to gain by pressing charges, other than maybe making them a bit more careful
Complain about this comment (Comment number 40)
Comment number 41.
At 18th Mar 2009, ynda20 wrote:@40,
"Go on and waste more tax payers money and take the bbc to court, but the action would fail."
...It would actually be incredibly easy"
Oh? Please tell me the number of times this act has been used and been successful? I feel a Clive Pontin moment as the ³ÉÈË¿ìÊÖ describe what they were doing, the media coverage and "security professionals" attempting to justify how good it is for society to have insecure computers. (That sentence is correct). I have confidence that the jury can do their own Threat and Risk Analysis.
In the meantime, security professionals need to go get their own house in order before they start throwing stones into other people's ponds. (ok, apologies for the mixed metaphor). Auntie Beeb, why don't you follow up this investigation with just how dreadful security IT is where it really matters?
Complain about this comment (Comment number 41)
Comment number 42.
At 18th Mar 2009, MonkeyBot 5000 wrote:"Please tell me the number of times this act has been used and been successful?"
I think you're missing the point. Due to some rather clumsily worded legislation, action like this which highlights a problem and tries to help the victims fix the problem is still technically a crime because intent isn't taken into account. It's right there in section 1 of the act.
Recent amendments to it increased the penalty to a point where you can be extradited for offences under the act (see Gary McKinnon) and also make it an offence to distribute "any article" if there is a "likelihood" that it will be used to commit offences.
That basically puts security professionals at risk of accidentally committing a crime just by doing their jobs. Tools they use to find weaknesses to fix can just as easily be used by someone to find weaknesses to exploit. Also, an "article" could be defined as information and so allow a software company to silence someone trying to draw attention to security flaws.
Complain about this comment (Comment number 42)
Comment number 43.
At 18th Mar 2009, ynda20 wrote:@43,
I think you are proving my point that the law is an ass in this case.
So again, I think it is great that the ³ÉÈË¿ìÊÖ is exposing some of these problems.
Complain about this comment (Comment number 43)
Comment number 44.
At 18th Mar 2009, KennethM wrote:Should one of us call the police?
Complain about this comment (Comment number 44)
Comment number 45.
At 19th Mar 2009, MonkeyBot 5000 wrote:@43,
"I think you are proving my point that the law is an ass in this case."
I think you'll find that was my point - you claimed that there was no crime committed. I agree the "law is an ass" here, but they could have highlighted the problem without going out and breaking that law themselves.
Malicious, no. Misguided/naive, definitely.
Complain about this comment (Comment number 45)
Comment number 46.
At 19th Mar 2009, Graham-Cluley wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 46)
Comment number 47.
At 19th Mar 2009, richardcaves wrote:We all know what 'botnets' do, this is no excuse for breaking the law. Can the ³ÉÈË¿ìÊÖ be 100% sure that the botnet they bought did not have some other payload?
Complain about this comment (Comment number 47)
Comment number 48.
At 19th Mar 2009, ObsoleteExocet wrote:@ #44
According to Reuters, Interpol have the ³ÉÈË¿ìÊÖ TV Centre surrounded and are going in at dawn tomorrow; or maybe they meant today. You kind of lose track of time with Reuters don't you?
Complain about this comment (Comment number 48)
Comment number 49.
At 19th Mar 2009, ynda20 wrote:@45.
"I think you are proving my point that the law is an ass in this case."
I think you'll find that was my point - you claimed that there was no crime committed. I agree the "law is an ass" here, but they could have highlighted the problem without going out and breaking that law themselves.
Malicious, no. Misguided/naive, definitely.
I concede your point. Not too sure about your "misguided/naive" statement though. I still think the ³ÉÈË¿ìÊÖ raising this issue, in this particular way has been a public service. It would be academically interesting how they assessed the legal issue. I disagree with @47 richardcaves stating "We all know what 'botnets' do" - if people really understood botnets then they would protect their PCs better. Clearly they are not.
Complain about this comment (Comment number 49)
Comment number 50.
At 22nd Mar 2009, Wherewhich wrote:@49
I think your logic is a little muddled. If "botnets" were highly successful at their jobs then all computer users would "know" someone whose machine has been decimated. A part of the issue we are debating is whether the "actual danger" (i.e. without hyperbole) is as real as this article and the "Click" program would have us believe. I do not believe it is and I have been a professional in the IT industry for over thirty years.
Looking at some of the hysteria driven "problems" the IT has had over the past decade it really doesn't matter whether you have "protection" or not unless the "protection" you have is able to deal with a specific problem YOU cause. Note the emphasis on YOU because without your intervention in the way the malware requires they are pretty darned useless.
Complain about this comment (Comment number 50)
Comment number 51.
At 23rd Mar 2009, tug wrote:Mark,
Your piece give the impression that you accept that there is at least a case to be made that you should not have done this and that, in fact, what you did was illegal.
It's unfortunate that you have completely undermined this position by removing a perfectly civil and well informed comment by Graham Cluley (#46). Graham has posted the deleted comment on his blog.
Can you tell us why you did this?
Complain about this comment (Comment number 51)
Comment number 52.
At 23rd Mar 2009, momomuppet wrote:I would also like to complain about the removal of comment #46. Either reinstate the comment, or explain to us what about it caused it to be removed.
Thus far, it seems you removed it because you don't like it's content. Hardly a reason to remove it.
Complain about this comment (Comment number 52)
Comment number 53.
At 26th Mar 2009, CDoSPCoctor wrote:Hello Everyone
I wholeheartedly support ³ÉÈË¿ìÊÖ Click in bringing this issue to the attention of main stream audiences. I have no concerns or interest in the legality of the method used to prove the point. The report from a factual and technical point of view was the best the ³ÉÈË¿ìÊÖ could do without risking eyes glazing over.
To all the bloggers who raise legal issues or have a problem with what the ³ÉÈË¿ìÊÖ did... WAKE UP! The ³ÉÈË¿ìÊÖ did our industry a service - its a pity that our industry could not do this for the benefit of itself and the people it serves.
Instead of complaining about what the ³ÉÈË¿ìÊÖ did and how they did it - we should be looking at ways of legally setting up an "anti cybercrime organisation" that specifically uses the sort of tools and mechanisms that Click used in its programme to go after Crackers and relieve poor unsuspecting users from this nightmare world of fly by virus's.
My experience is that there is a war going on out there and there are certain clear things users can do to protect themselves.
1. Buy a decent router with a hardware firewall built in
2. Find out what AV software protection works (google for a review) (the worlds most popular av's do not work and are easy to switch off)
I spend my working life visiting peoples homes and Businesses repairing PC's and cleaning Virus's off PC's (Microsoft)- I do not know everything, I am kept very busy.
I am not in the real sense of the words an "IT Guru" just someone that has been in the industry for nearly 20 years and have at one point or another seen the best and the worst the industry ( and users of it) as whole has been responsible for ... (long sentence but you get the point)
Time and time again I visit clients and find the following scenario
1. Children in the house 10 - 16 yrs Girls or boys irls love MSN the boys are into anything that is for the mal-adjusted
(if its a business then there is no qualified IT Manager present and there is no IT policy that prohibits worker internet activity)
2. Unsuspecting busy parents who do not know what their children are doing on their PC's
3. They have got bang up to date antivirus (the two most popular ones at PCW! (Can't say Norton or Mcafee - you may delete this Mr Moderator)
4. They have paid their hefty subscription to these companies.
5. Generally but not always a USB modem is present.
6. Heavy Peer to Peer activity (MSN, Internet Games)
Every time and I mean EVERY time the following infections, spyware and peer to peer programs are on the systems
1. My websearch toolbar - This enables a conduit to the nasty stuff
2. Antivirus pro 2008/9 - This is a con to get your credit card details
3. Limewire - This is a mechanism to provide free illegal music
4. Bit Torrent - This is a mechanism to get hold of free software (illegal)
5. Free (illegal) Music - Nothing is free is except the virus that is bound into the MP3 file
6. Free video codecs - (Click here to download this file to enable you to view this video - This is the virus)
7. Bear share is present
Here are the rules that will keep your PC's clean.
1. Get an ethernet router with a firewall built in - do not buy the cheapest
2. Test your firewall (www.grc.com)This will test whether your PC's are invisible to port probers
3. Buy decent (inexpensive) AV software
4. Don't download free Music - you'll get a virus
5. Don't share or download files on Peer to Peer you will expose yourself to other users virus's
6. Don't download video codecs to enable you to view video clips unless it is from a trusted source
Finally
If the ³ÉÈË¿ìÊÖ wants to continue their expose' here are the useful areas that could be explored that will inform and protect people and their systems...
1. Do an Anti virus/Malware software test drive of the most popular software ( Say the Top Ten )
2. Specifically do the the sort of activities that people should not do (but almost always do!) and see which AV software does the best job of protecting PC's (Microsoft based) Then, ask the manufacturers of that software Why their software is so easy to circumvent? and what are they going to do about it?
We are all computer users - right? We all want an easy life - right? We are all interested because we are users - right? So why do I see seemingly intellegent, qualified IT people blog themselves insane complaining about what the ³ÉÈË¿ìÊÖ Click programme did when it is clear that knowledge is power and to the disadvantage of those who wish to exploit the unsuspecting....
Regards to all - I wrote did this to pass some time (whilst yet another 8 PC's are being scanned and cleaned of yet more infections) before putting on the protection to prevent (as best as possible) future attacks from thieves who wish to extort and steal other poeples hard earned cash.
Complain about this comment (Comment number 53)
Comment number 54.
At 27th Mar 2009, ynda20 wrote:@53, CDoSPCoctor.
I heartily support everything you have written. The link between illegal downloads, careless users and viruses is very interesting.
I would also suggest people read this about the comparative threat between PCs and Macs
(Note that there are 5 known Mac Malware programs "in the wild" - all are "trojans" - they are types of scams (they attempt to trick the user rather than work automatically), rather than spyware, virus, worm or botnet).
Complain about this comment (Comment number 54)
Comment number 55.
At 30th Mar 2009, CDoSPCoctor wrote:Thanks Ynda20,
Just one piece of information missing from the Mac review which is very good by the way.. How many Macs in the world are there compared to active Windows based PC's? I recon 90% windows 10% macs (excluding Linux)
I Think that Microsoft would need a complete re-write of the OS code to make it as good as the Mac. Perhaps Windows 7 will be the answer. ( Idoubt it though..
Regards
Nick Bache
Complain about this comment (Comment number 55)
Comment number 56.
At 1st Apr 2009, newtried wrote:Mark,
The internet is the new minefield? If you can crack the mine layers Mark Ill nominate you for an MBE!.
Complain about this comment (Comment number 56)
Comment number 57.
At 1st Apr 2009, ynda20 wrote:@55 Hi Nick,
I'm not really too sure what you are trying to say... you have the figures about right for numbers of PCs vs Macs. Yes, there are very many more PCs but I am guessing the overwhelming majority of PCs are bought for businesses and used in businesses. When looking at domestic/small business users the proportion for Apple looks somewhat better. But that's irrelevant to my argument that less risky options exist (and Macs do run Windows applications nowadays using bootcamp or Parallels).
I doubt whether Windows 7 will be the answer either. I have heard that it is a marked improvement over Vista (but is that saying much!?)
Complain about this comment (Comment number 57)
Comment number 58.
At 3rd Apr 2009, netwebcrazy wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 58)
Comment number 59.
At 9th Apr 2009, SizweMahlala wrote:Interesting point on one of the earlier comments about testing door locks by using a burglar and leaving an innocent message in insecure houses as part of the reporting. I do think this is different though and the ³ÉÈË¿ìÊÖ is justified in this case - the level of public awareness of these threats is very low and I found it an appropriate way to highlight the issue.
Complain about this comment (Comment number 59)
Comment number 60.
At 27th Apr 2009, moriaeencomium wrote:Good night and good luck!
Complain about this comment (Comment number 60)
Comment number 61.
At 30th Apr 2009, Robert Carolina wrote:A couple of comments on the Computer Misuse Act 1990.
Many of you are citing the OLD and superseded language of Section 3. This was completely replaced with new language pursuant to Section 36 of the Police and Justice Act 2006. The Section 3 case is hard (but not impossible) to make.
The broadcast DOES, however, pretty clearly show what appears to be a violation of Section 1 of the Computer Misuse Act.
I have been trying for more than a week to get Richard Taylor, the show's producer, to contact me and comment since I plan to publish an article on this topic. Perhaps he reads this blog and wants to get in touch?
Complain about this comment (Comment number 61)
Comment number 62.
At 12th May 2009, Robert Carolina wrote:In case you are wondering precisely why I believe that this programme violated British law, you can find analasis here:
I'd still love to hear from someone at ³ÉÈË¿ìÊÖ about this.
Complain about this comment (Comment number 62)
Comment number 63.
At 13th May 2009, Robert Carolina wrote:Here's a disturbing aspect to the story which I described earlier today.
"Opinion: ³ÉÈË¿ìÊÖ Click exploited worlds poor and vulnerable"
"By purchasing and using an illegal computer botnet, ³ÉÈË¿ìÊÖs Click programme chose to educate their affluent English-speaking technically savvy audience about computer security by exploiting 21,000 poor and vulnerable computer users in the developing world. . . ."
You can find the remainder here:
³ÉÈË¿ìÊÖ Click Producers: please contact me whenever you like.
Complain about this comment (Comment number 63)
Comment number 64.
At 14th May 2009, jomyers wrote:I think the ³ÉÈË¿ìÊÖ did a great job! Well done first class bit of undercover journalism, its the kind of controversial cutting journalism that put the ³ÉÈË¿ìÊÖ News where it is today. To say that you wouldn't get a tame burglar to enter someones house to test there locks is actually very inaccurate and stupid; as the ³ÉÈË¿ìÊÖ HAS done that and then some in the show: The Real Hustle high stakes show.
Where not only does the shows presenter gain eatery to a house by stealing someone identity from the rubbish in there bins out side the house they brake into! They use the stolen identity to make a fake ID which they then use to call up a lock smith to let them into victims house posing as the owner. Once in they also remove a large quantity of electrical goods and jewellery as well as put in hidden cameras in the building to watch for the unsuspecting 'victim' to come home and there reaction.
The presenter then leaves with a big sports bag filled with kit and leave the house scot free and home dry. Of course they give all the items taken back and show the victim how they did it. The victim obviously agreed to them showing this happening to them to help it stop happening to others. Also there are people and contractors out there that are hired to do just that job.
All credit to the ³ÉÈË¿ìÊÖ for supplying the ignorant masses about this large and constant threat of cybercrime, peoples ignorance is what helps and allows cybercriminals to get away with this sort of activity so easily. This style of hard hitting controversial journalism always brings the topic into the direct light as it should be.
People complaining about this are ignorant, idiotic, narrow minded fools that are looking for nothing more than an orange box to stand on and rant. Grow up get a life and let the ³ÉÈË¿ìÊÖ do what it does best; producing good, cutting edge, and controversial journalism.
Complain about this comment (Comment number 64)
Comment number 65.
At 14th May 2009, jomyers wrote:Oh I'm an ICT professional btw, so I knew about all of this just not the scale it had reached. Like most ICT professionals, this show didnt teach me much that I didnt know, but the masses just have no idea, and no way of knowing with out being told or shown. This show hopefully raised awareness. ICT illiterate ignorant masses that help perpetuate this problem and the only way to ever get to them is by slapping them in the face with it.
Complain about this comment (Comment number 65)
Comment number 66.
At 17th May 2009, Robert Carolina wrote:@65: My problem is that the Click viewers are, almost by definition, NOT the audience most in need of education.
Complain about this comment (Comment number 66)
Comment number 67.
At 17th May 2009, Robert Carolina wrote:To all of you who are talking about "burglary" as a metaphor. Try this instead.
It's like the ³ÉÈË¿ìÊÖ found a criminal locksmith gang: a gang who copy keys to houses and keep extra keys which are on-sold to criminals. The ³ÉÈË¿ìÊÖ (in effect) purchased 21,000 of these illegal keys and paid agents to walk into 21,000 houses.
Of coruse we don't know EXACTLY what all 21,000 agents did while they were in 21,000 houses. A few of them may have caused damage. We'll never know for sure.
Complain about this comment (Comment number 67)
Comment number 68.
At 22nd May 2009, skincareproducts wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 68)
Comment number 69.
At 22nd Sep 2009, Robert Carolina wrote:After a long period of silence, apparently Spencer Kelly is now happy to talk about this incident in public. He spoke about this broadcast at a public conference yesterday, Monday 21 September 2009. Please tell Spencer that I'd love to meet with him on ³ÉÈË¿ìÊÖ News at his convenience to ask whether or not the production team understood that preparing this story involved violating the Computer Misuse Act.
Or maybe you guys could just answer that here. Did the production crew actually know that the actions filmed in the UK constituted a crime under British law?
Complain about this comment (Comment number 69)
Comment number 70.
At 22nd Sep 2009, TV Licence fee payer against ³ÉÈË¿ìÊÖ censorship wrote:Strange how some seem to be more concerned by the ³ÉÈË¿ìÊÖ's actions in exposing a problem (even if they did technically break the law in doing so) rather than in the wider problem it's self, would they have preferred that most people stay ignorant of the issue and if so one has to start wondering why...
Complain about this comment (Comment number 70)
Comment number 71.
At 23rd Sep 2009, Robert Carolina wrote:@70: I don't think that Click really "exposed" this problem, and they certainly offered no original thinking on how to solve it. Worse, they exported the risk of computer damage to 21,000 of the world's poor in order to "educate" a small group of English speaking westerners about this risk. Even worse, they failed to highlight the risks of playing around with a BotNet. And even worse, they failed to acknowledge or explain that what they did broke the law. They made it look sexy.
Sadly, the law-breaking part added almost nothing to the story. It just heightened the drama of the moment.
Complain about this comment (Comment number 71)
Comment number 72.
At 1st Oct 2009, AspiringPresenter-x wrote:I genuinly think that the ³ÉÈË¿ìÊÖs experiment was beneficial to the public and the people affected because we all learnt how serious those botnets are. They did let the people infected know that it was just an experiment and wasn't real and even gave them tips of how to make their computers more secure for the future.
However, they did break the CMA law, but overall, I agree with what they done and think it was a worthwhile experiment!
Complain about this comment (Comment number 72)
Comment number 73.
At 26th Oct 2009, Robert Carolina wrote:@72: you say that "They did let the people infected know that it was just an experiment . . . and even gave them tips of how to make their computers more secure for the future."
Well, we know that they attempted to place that warning on 21,000+ infected computers. What we don't know is how many of those machines crashed as a result of the attempts to change the computer contents. Perhaps some of these people never had the opportunity to read the warning.
Worse, the warning that was shown (for less than a second) in the television broadcast appears to have been written IN ENGLISH. The presenter said that the infected machines were "in the developing world", and in the list of places we wer told that machines were scattered in Russia, China, other former Soviet Union states, Africa, etc. if the warning was only posted in english, how many of those "developing world" computer users would have understood the warning that was left? if someone left me a warning written in Thai, it wouldn't do me any good.
I maintain that the efforts to "educate" were focussed almost entirely on English speaking viewers, and that the risks of the education were loaded onto the world's poor.
Disgraceful.
Complain about this comment (Comment number 73)