DDoS Attack Lands British TV Show In Hot Water

A show aired on the BBC’s technology program “Click” may have landed the British television broadcasting firm in hot water. In an effort to demonstrate how easy it is to launch a distributed denial of service (DDoS) attack, the program producers used information and software acquired via online chat-rooms to create a botnet.

The software the BBC used controlled 22,000 computers, causing them to send out spam to two email accounts set up specifically for the demonstration. It also used the botnet to launch a DDoS attack against a site owned by security vendor Prevx, with the site owner’s consent.

The question is, did the BBC break the law? They don’t think so. In fact, their response to the blogosphere discussions http://www.theregister.co.uk/2009/03/13/bbc_botnet_analysis/comments about the televised experiment focused on how they believed they had managed to educate Internet users on the benefits of PC security. http://www.eweek.com/c/a/Security/BBC-Responds-to-Botnet-Controversy

Struan Robertson, a technology lawyer with Pinsent Masons, and editor of OUT-LAW.COM, thinks otherwise.

“The BBC appears to have broken the Computer Misuse Act by causing 22,000 computers to send spam. It does not matter that the emails were sent to the BBC’s own accounts and criminal intent is not necessary to establish an offence of unauthorized access to a computer,” he said, reports OUT-LAW.COM. http://www.out-law.com//default.aspx?page=9863

“The Act requires that a computer has been made to perform a function with intent to secure access to any program or data on the computer. Using the botnet to send an email is likely to satisfy that requirement. It also requires that the access is unauthorized – which the BBC appears to acknowledge. It does not matter that the BBC’s intent was not criminal or that someone else created the botnet in the first place.”

Machines can be compromised simply by visiting an infected website or opening an email containing a virus as an attachment and, according to TRACE, a quarter of all machines are part of a botnet. Protecting a machine with anti-virus software is the first line of defense however Prevx CEO Mel Morris believes that the security industry isn’t doing enough in this field. http://www.escapistmagazine.com/forums/read/7.96800#1504549