The BBC has followed its recent controversial botnet demonstration with a new filmed demo of how a Trojan attack works - except this time it made sure to ask nicely.
In a clear change from the earlier exercise, which provoked intense ethical debate, this time around the corporation has gone out of its way to make clear it sought the permission of the owner of a PC before hacking into it. The latest demo, which appeared on the BBC news website on Monday, illustrates how a single spyware-infected PC creates a means for cybercrooks to nab passwords or watch users of infected PCs, providing the machine uses a webcam.
The BBC sought the assistance of Jacques Erasmus of PrevX in both the latest small-scale exercise and earlier, larger experiment - the difference of course being that none of the computer users in the botnet caper were asked for their permission. BBC researchers changed the wallpaper on compromised machines to alert victims that their machines were infected, but only after running and filming its security demo.
In the latest case the demo clearly states at the beginning, via captions, that "this simulation depicts acts that are illegal", and later: "This time the 'victim' knew we had control of his laptop."
The same courtesy was not extended when BBC Click used licence-payers' money to buy access to more than 21,000 already compromised computers, in order to send spam to Hotmail and Gmail accounts. The botnet - which BBC Click acquired on the stipulation that compromised machines were located in neither the US nor UK - was also used to flood a test site established by PrevX with junk traffic, simulating a denial of service attack.
BBC Click, by its own account, paid "a few thousand dollars... to buy a botnet from hackers in Russia and the Ukraine".
Several security experts and an IT lawyer contacted by El Reg reckoned the botnet demonstration broke UK law, which prohibits unauthorised access or modification to computers. The BBC, which congratulated itself on the BBC Click programme as a breakthrough piece of investigative journalism, responded by saying its lawyers had cleared the programme to air.
Mark Perrow, executive producer at BBC Click, said "there was the strongest public interest in not just describing what malware can do, but actually showing it in action" in a blog post here. Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons, told us this "powerful public interest" argument is irrelevant when considering whether an offence had occurred under UK computer hacking law.
Graham Cluley, senior technology consultant at Sophos and one of the fiercest critics of the original programme, responded to the BBC's argument with a post to the same BBC theeditorblog arguing that it was unnecessary to risk breaking the law in order to demonstrate the problem of botnets. His post was deleted by the BBC, much to Cluley's indignation.
The minority of security vendors - and the majority of Reg commentards - supported the BBC's exercise as something that raised awareness about the growing problem of compromised computers in a far more accessible way than any government information security awareness campaign.
PrevX's Erasmus, who assisted the BBC in both exercises, couldn't be reached when the BBC Click botnet experiment aired back in March because he was on holiday, fishing in Namibia. But when we caught up with Erasmus at last month's Infosec show he told us that he'd told BBC Click researchers that their exercise was illegal, at least in his opinion. Erasmus's role was to talk BBC click researcher Spencer Kelly through the technical side of the exercise, which Kelly (not Erasmus) carried out.
This time around the BBC seems to have learnt a lesson from its earlier botnet caper by going out of its way to obtain permission before hacking, signalling an apparent change in the BBC's editorial policy. Perhaps the corporation listens, after all. ®