Botnets are, without any doubt, a huge and growing problem. The technology news feeds are bursting at the seams with stories about them: how botnets boost click-fraud rates, how botnets control sex spam zombies, how the cyber-criminals are building the first mobile botnet and even how some botnet builders are selling their wares complete with guarantees that they cannot be detected.
However, one thing you do not expect to read about is the people behind the news stories, the reporters themselves, being involved in acquiring a botnet which hacks into the computers of some 22,000 people. Yet that is exactly what seems to have happened over in the BBC newsroom. The makers of the BBC news technology show 'Click' have proudly announced that, as part of an investigation into global cyber crime, they acquired a 'low value botnet' and then spammed users in order to get them infected. The exercise proved successful, so successful that almost "22,000 computers made up Click's network of hijacked machines" according to the BBC.
The BBC then launched a Distributed Denial of Service attack against a test site owned by security specialists Prevx, with the agreement of the company concerned. By bombarding the target site with requests for access, the site was made inaccessible very quickly, and with the use of only 60 of the compromised machines within the botnet itself.
The BBC is quick to point out that it has warned all 22,000 people that their PCs are infected, as well as advising them on the best way to prevent such an infection happening again. It has also stated that it did not access any personal data held on the infected computers.
The BBC claims that because the exercise was only done with the intention of demonstrating the collective power of a botnet in the hands of criminals, and the BBC itself had no criminal intent, it was not breaking the law. When it comes to ethics, though, it sucks elephants through a straw backwards.
Well, I wish them luck with that one, although I suspect the BBC lawyers did their homework before allowing this stunt to go ahead. I am all for exposing security issues, and have been known to tiptoe around the law in order to get the evidence myself in the past. But I am not sure what this particular exercise proves other than that botnets are bad and DDoS attacks are bad. The BBC really did not need to infect the computers of 22,000 innocent folk in order to tell us what we already know.