BBC owns the Box

FireFleur · Mar 16, 2009

It seems the BBC click program has started a bit of a debate amongst the cyber security community.

As part of the Click Program, they decided to run a live experiment on the uses of Bot Nets. Apparently they hired a 22K node botnet from a cracker(s), and then proceeded to send what they described as 'spam' to Google and MS systems, to accounts they had set up, from the compromised machines.

After doing this they then set the background wallpaper of the nodes to something informing people they had been compromised.

This is an age old problem, that folks in the computer security world have had to deal with, using fire to fight fire. Normally when a vulnerability, worm or virus is released, people fire up a piece of software called IDAPro, which is a debugger on steroids and allows one to reverse engineer code to see how it works.

Normally one can work out how the penetration is occurring and the vulnerability that is being exploited, and there is often a thought of putting in a cure worm to remove the malware and to patch the system for the vulnerability.

The problem with this approach though, is one of liability and error, along with disguised intention. So, on the whole the practice is quickly dismissed as being the wrong approach by nearly all in the security community.

The BBC are saying they have done this without criminal intent, and to a degree they may be ok depending upon where the systems reside that formed part of the BBC controlled botnet. They say they wanted to highlight the dangers of BotNets and how they worked, but have they really just advertised the existence and the availablity of bot nets?

Was one of your machines compromised by the BBC? And if it had of happened to you, would you be happy about it, or be looking for some form of compensation or proceedings to take place against the BCC?

One of the problems of compromise is that once compromised you can not trust the machine again, it doesn't matter what people say, or what software gets used to try and disinfect, that machine is no longer trustworthy until a complete reinstall is done.

If the BBC has paid for someone to compromise machines, that may not have been compromised (though still vulnerable) then there is a cost in clear up of a complete reinstall, and data intergrity checks.

Most home users are not really aware of all of this preferring to think there is a quick fix that works, but unless you are constantly monitoring and using checksums against installed binaries, configuration and anything capable of causing code execution, you cannot be sure the software, configurations or data have not been further altered, backdoor'd or root kit'd.

So, the compromise itself, much like hitting someone, is the point of cost, you may not be invincible to a punch but someone hitting a punch bag is not going to cause you problems, it is when the punch lands on you.

More info here:

http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm

Subbynet · Mar 16, 2009

FireFleur said:
They say they wanted to highlight the dangers of BotNets and how they worked, but have they really just advertised the existence and the availablity of bot nets?

Yes and this is a good thing because there is no such thing as security by obscurity. For far too long people have been wilfully ignorant of computer security (granted its not a "fun" subject) and it's about time an organisation as large as the BBC stood up to the plate to show the real dangers which are at risk.

Bot nets, viruses and worms are no secret, you can find absolutely loads of information on the Internet, people are bombarded constantly with information about computer security, on the news, from your bank, an especially when making purchases online. Yet I bet only 1% of the UK population has took the time to read up on the subject in how to secure themselves.

Look at the sheer numbers who don't run any antivirus or firewall because of reasons such as - it slows my computer down.

For all their faults in undertaking this task the BBC in one program has highlighted the dangers in front of an audience of millions (worldwide), generating a wealth of comments on the Internet. Unfortunately we know from experience not everyone will get the message, and it's a constant battle informing the user about security precautions.

Was one of your machines compromised by the BBC? And if it had of happened to you, would you be happy about it, or be looking for some form of compensation or proceedings to take place against the BCC?

This did not happen to me, but if it did it would be quite rich to blame the BBC. A computer is not a household appliance, it contains personal and important information.

One of the problems of compromise is that once compromised you can not trust the machine again, it doesn't matter what people say, or what software gets used to try and disinfect, that machine is no longer trustworthy until a complete reinstall is done.

If the BBC has paid for someone to compromise machines, that may not have been compromised (though still vulnerable) then there is a cost in clear up of a complete reinstall, and data intergrity checks.

They cannot guarantee the machines would not have been compromised anyway. This is the problem with trying to ask for compensation from the BBC. Sure they have highlighted to you a hole in your system but how do you know that hole was not already being exploited?

It's sheer existence being found so long after it was first reported is reason enough to warrant a complete reinstall and data integrity check, and this can only lead to one conclusion - the computer was never trustworthy to begin with.

Being proactive is the only way forward.

FireFleur · Mar 16, 2009

Ok well you are doing slightly selective quoting, so the response to some of your points is in the original post.

But let's take some of my favourite points of discussion you seem to have popped into your post Subbynet.

Security through obscurity, this is a very limited point that really only comes into the design of security systems, you shouldn't rely on something being hard to find to be the only security. Only and rely, are very important words here, there is nothing wrong with creating an encryption system that also has obscure elements. In fact it makes it more secure generally.

Security through obscurity is an attempt to wake people up to showing off their encryption systems, or perhaps to stop relying on something that is too obvious to exploit, it is not really some blanket term you can apply across everything when discussing security.

In this instance I suppose you are saying the more publicity the better, but did that actually happen, and really is more publicity a better thing? If instead this publicity alerted more to the use of botnets, then it did to the protection against them, then it has a net negative effect for overall security.

And let's assume that some of the computer systems were already compromised, does that now give anyone a right to access those machines? I would say no. If someone has been punched, does that now allow others to punch that person? It is another assault.

And all systems are vulnerable, every thing is vulnerable, that is part of existence itself. Which is why security is a process not a destination, that is quite an important thing to realise, cyber security is about monitoring and correcting software bugs on the defence side, along with analysis of vulnerabilities. On the attack side, you do require authorisation to be inside the law, and if the BBC get away with it what message does that send, and what legal precedent does that set?

An interesting book on the matter is; Aggressive Network Self Defence, and it explores the various ins and outs of the problem. To be honest I think it just creates more attack vectors. It would be interesting to see what the BBC plastered on the Wallpaper, but if it was install a firewall and AV, then subsequently that software was used as point of attack, the BBC are again making themselves liable.

One of the authors of Firewalls and Internet Security runs without a firewall nowadays, he calls it skinny dipping, and that is quite a big acceptance that security should be at the application level, and the addition of a firewall is another potential point of compromise. Anti virus is classic, what are people doing running programs that allow the interpretation and execution of data from untrusted sources in the first place.

Sure there is a balance to be found, but I don't think it is through the irresponsible actions that the BBC have shown, they should have instead faked it, and made out that it was real, and here is hoping that they will be admitting that shortly. I haven't seen anyone actually claim they were compromised yet.

ken_uk · Mar 16, 2009

The press are often very irresponsible in their reporting, whether its alerting people how to commit computer crimes, or even informing terrorists of incredibly effective ways of exploding things. They dont think before reporting any more.

If the bbc had created this botnet, and had infected the machines themselves then I would expect to see someone in deep trouble.

But as I understand it, they just paid to use an existing botnet of *already* compromised machines, and were simply using the botnet to alert all the people who had been compromised, and then they got the network shut down.

In itself that is not to bad, but I am not convinced they have not commited a crime, as surely you cant perform an illegal act in order to 'warn people'. Not unless you have legal authority to do so, in which case it would no longer be illegal....

Subbynet · Mar 16, 2009

FireFleur said:
Ok well you are doing slightly selective quoting, so the response to some of your points is in the original post.

Yes, I know - this is my opinion lol... You set the question, I answered... I didn't think this was going to be a discussion between ourselves!

In this instance I suppose you are saying the more publicity the better, but did that actually happen, and really is more publicity a better thing? If instead this publicity alerted more to the use of botnets, then it did to the protection against them, then it has a net negative effect for overall security.

Yes I'm talking about publicity, I wouldn't be talking about encryption in relation to this issue.

If you have reports of a security issue, and fail to act on that for reasons such as "people are unlikely to exploit or find it", that's security by obscurity. Likewise, if people are unable to find out about security problems from a vendor per-se, that's security by obscurity. (Hiding and Hoping the details are not released is not security)

You'll have to explain how the public being alerted to bot nets is a negative, unless you're assuming that many will go on to create such Bot Nets. Surely, if they had the skill to create one, they already knew of their existence.

(I've seen Bot Nets for years - easily 10 years, swamping the IRC channels...)

The BBC gave no details of how to create a Bot Net, but if they did, I'd agree with you.

Also look at the ratio of people who would undertake creating a Bot Net, compared to those who would possibly go on to protect themselves, and in the process would cut down the amount of machines available for those wanting to create such bot nets.

And let's assume that some of the computer systems were already compromised, does that now give anyone a right to access those machines? I would say no. If someone has been punched, does that now allow others to punch that person? It is another assault.

And all systems are vulnerable, every thing is vulnerable, that is part of existence itself. Which is why security is a process not a destination, that is quite an important thing to realise, cyber security is about monitoring and correcting software bugs on the defence side, along with analysis of vulnerabilities. On the attack side, you do require authorisation to be inside the law, and if the BBC get away with it what message does that send, and what legal precedent does that set?

I completely agree with you there is no such thing as an open door policy, but sometimes there is a need to explain to the public in detail the issues at hand.

In the UK we allow investigative journalism a sort of semi-legal basis to undertake illegal acts for the public good. In the past the BBC has purchased guns from Eastern Europe (took them all the way to Ireland and back to the UK), sold stolen cars to dodgy people, bought drugs, gone in with the IRA types... Lots of stuff has been brought to the attention of the public because of investigative journalists.

This will not set any precedent for others.

The message about protecting yourself from issues such as bot nets has been ongoing for years, but how many reports have ever received the reaction such as the one made now by the BBC? The fact you've even taken the time to post it here on a business forum shows it has done its purpose in getting the public to think about computer security.

FireFleur · Mar 16, 2009

Yes, it is interesting it is not clear if the botnet was formed before or in response to the BBC's request.

In reality botnets are constantly evolving, so malware is used to build up the botnet over time, and access is allotted. Their level sophistication is high, they don't have anything to hold them back, and of course it is quite interesting for them.

But, money supposedly changed hands between people who had control of the botnet at the time (n.b. that might be the same people who compromised the machines in the first place), and the BBC went on to compromise the machines further.

I am using the term compromise to mean illicit access, not just the very first compromise. From a technical viewpoint it is of interest who cracked the system, but for all intents purposes it is who has control at the time of each unauthorised access.

And Ken, you are right the responsible thing to have done would be to alert the people whose hosts were compromised and not used the access, and the alert should not have been via the compromised system.

Who is to say in the future that botnet controllers won't add a feature that looks for these alerts via system, and then hoses the system, so better to inform via another avenue.

Though as it stands, the BBC have paid licence payer money for criminal activity. It would have been better to have made a reality show with the money, got some sponsorship, dump some hackers on an island supply them with some kit and see what happens, only way off the island is to crack a satellite they pop into orbit, to be later used for something else.

That's a reinstall I would like to see

ken_uk · Mar 16, 2009

Yup, that would make good tv

Its not so much that people will be made more aware of botnets, and therefore go onto create them, thats not a problem I forsee, its more that people who were of criminal intent, who had not heard of them will now be doing there research and buying use of them for criminal purposes, now they now they exist.

FireFleur · Mar 16, 2009

Well it is better security for a vendor to not inform about the security problem, and instead just fix it and roll out the update. The debate between revealing zero day exploits and not, is firmly on the not.

What sometimes happens is people inform vendor, look for credit, company does nothing, or sues them, and then they go public.

If you scream fire in a theatre, even if there is a fire that can cause panic, better to use a more obscure method of evacuating people.

In this instance, what they may have done is advertise for people selling botnet access, now more people realise you can buy botnets, and their usage will probably increases. It is not the creation, it is the advertising of the availability.

Investigative journalism, would not allow someone to join a group and then kill someone, so there are many problems with investigative journalism when they break the law. The IRA would often get new recruits to break some law, only when that had happened would they be trusted enough. I don't think I would be particularly happy to have my knee caps blown off by some trigger happy undercover journalist because of public interest.

To do gun running they would inform all the police in each country, there would be a prior notification, they would be crazy not to, some countries will respond with deadly force.

And a private individual's computer system is not a public resource or building, so the parallels to the Heathrow security breaches is debatable, and public interest is not so obvious.

As to posting here, well, it is interesting to see who responds, it tends to be people with a prior interest. In fact I didn't see the program, and I didn't see comments anywhere else until the tech press picked it up.

I doubt it is in Vogue, Shoot or Playboy. Some of the newspapers have picked up on it, but more because people are claiming what the BBC have done is wrong.

Subbynet · Mar 16, 2009

FireFleur said:
Well it is better security for a vendor to not inform about the security problem, and instead just fix it and roll out the update. The debate between revealing zero day exploits and not, is firmly on the not.

Microsoft themselves still have vulnerability reports from years ago. Imagine you are waiting for Microsoft to fix a problem before you can even decide to take precautions yourself. What does that say not revealing zero day exploits?

http://www.vupen.com/english/Unpatched-Microsoft-Vulnerabilities.php

Also what happens when the code in question is open source?

What sometimes happens is people inform vendor, look for credit, company does nothing, or sues them, and then they go public.

If you scream fire in a theatre, even if there is a fire that can cause panic, better to use a more obscure method of evacuating people.

(Dodgy analogy alert! lol

)

Are you saying fire alarms are dangerous? the evidence suggests they save lives - despite the panic dealing with a fire can bring.

Personally I'd rather hit the fire bell because I have no reason to believe a panic will occur.

In this instance, what they may have done is advertise for people selling botnet access, now more people realise you can buy botnets, and their usage will probably increases. It is not the creation, it is the advertising of the availability.

Its old news! http://it.slashdot.org/article.pl?sid=07/10/16/155209

You can find loads of information regarding the purchasing of bot nets online. Its not that hard for a decent coder to just write one themselves.

Remember they also advertising in the fact that you need to protect yourself. If everybody looked after their own then there wouldn't be a Bot Net problem in the first place.

Investigative journalism, would not allow someone to join a group and then kill someone, so there are many problems with investigative journalism when they break the law. The IRA would often get new recruits to break some law, only when that had happened would they be trusted enough. I don't think I would be particularly happy to have my knee caps blown off by some trigger happy undercover journalist because of public interest.

Take an idea to the extreme mate - murder I think might be a bit far - I agree.

And a private individual's computer system is not a public resource or building, so the parallels to the Heathrow security breaches is debatable, and public interest is not so obvious.

Sorry, I disagree entirely... Computer security has been a problem for a long time, and needed highlighting.

As to posting here, well, it is interesting to see who responds, it tends to be people with a prior interest. In fact I didn't see the program, and I didn't see comments anywhere else until the tech press picked it up.

I doubt it is in Vogue, Shoot or Playboy. Some of the newspapers have picked up on it, but more because people are claiming what the BBC have done is wrong.

Right or wrong doesn't matter - the BBC must have known how it would have looked, but it was the result which matter, and it's increased the awareness of a major problem. I fully admit it will not be the end of the problem by any means, and more work will need to be done but without people like the BBC being proactive how will the normal person on the street find out about these issues.

Mar 16, 2009

ken_uk said:
The press are often very irresponsible in their reporting, whether its alerting people how to commit computer crimes, or even informing terrorists of incredibly effective ways of exploding things. They dont think before reporting any more.

If the bbc had created this botnet, and had infected the machines themselves then I would expect to see someone in deep trouble.

But as I understand it, they just paid to use an existing botnet of *already* compromised machines, and were simply using the botnet to alert all the people who had been compromised, and then they got the network shut down.

In itself that is not to bad, but I am not convinced they have not commited a crime, as surely you cant perform an illegal act in order to 'warn people'. Not unless you have legal authority to do so, in which case it would no longer be illegal....

Well they must have incited someone to commit a crime.

Hang em by there goolies.

Earl

FireFleur · Mar 16, 2009

You cannot tar everyone with the same brush. Some vendors fix the problem, or were aware of the problem before they were informed, having the exploit in the wild doesn't help secure the users of their systems.

You cannot just find a few bad apples or even if the majority were bad about fixing, and say because of that all exploits should just be announced immediately, that would just create more compromises.

The fire alarm is a better more obscure way of alerting people to evacuate a building, notice it doesn't scream Fire, that's the point, an example where something more obscure is better. Yes, I am loading the words, but security through obscurity can afford some extra security.

Now, I only used that analogy because you mentioned IRA membership and gun smuggling

But it is interesting, there are degrees aren't there, but unfortunately with computer systems how do they know they are not being used for critical work, or even life saving work. They compromised 22,000 machines, altered them and made them run code, so hey who knows they could have killed someone inadvertently, at least we can say they ran the risk of doing it. And to say well it might have happened anyhow doesn't work, if it happened at the time the BBC were accessing the machines without authorisation they did it.

I think the people who are aware of the problem were aware of it before the BBC Click program ran, and sure a few extra will now be thinking about computer security.

The field is vast, and not definitive, and quite boring too most. I am sure if I explained how to do a heap overflow the vast majority would just roll their eyes, and wish for an off button. The people who needed to know about botnets were companies like MS and they already knew, the average user is not going to be fiddling around with software to make it more secure.

But, some folks are going to be interested just because these things exist, non technical people looking for an edge, and again we could say they would find out eventually, but the BBC has made that time a bit sooner.

Subbynet · Mar 16, 2009

I'm not asking for the exploits to be released, but I'm asking for the vulnerability reports to be released immediately, and yes understand this focuses the attention of crackers to look further, but it will also focus everybody else including security professionals of companies and important institutions like hospitals.

Some vendors are very good at providing security updates for their applications, so they're not all bad apples, but when I can point to that single 900lb apple which is Microsoft, with the sheer number of applications this one vendor provides, and whose code is used by thousands of third parties and still provide a large list of unfixed years old vulnerabilities, you have to surely say it's fair that we are warned.

I can't understand the reasoning in the end user not trying to protect themselves, I'm willing to place very large bet that the majority of those 22,000 computers did not have decent antivirus and firewall protection. The installation of these is so simple everyone can do it and the cost is not even prohibitive, NOD32 costs about £40...

It's even more important to places like hospitals to properly secure their networks from disruption. Let's say the BBC used the recent Adobe PDF vulnerability as an example.

The problem with not telling anyone is yes they may still have had this one attack and yes this may have led to a death (but really I'd be surprised if any of these machines are hooked up!) all because a doctor or nurse opened a dodgy PDF file. Afterwards some days, weeks, months or years later the admin thinks something strange is going on, but what does the system administrator work on? What went wrong, what happened, and how to fix it? The admin is likely to have many more machines running the exact same config/applications in institution like a hospital and all we have to work from is its symptoms and not the cause. This may lead to even more errors.

FireFleur · Mar 17, 2009

I agree the advisories tend to come out fairly quickly, there maybe a very small grace period, just to validate or look at the implications of the advisory, but they often come out quite quickly.

There is an attack vector if the claims are not substantiated, the normal response to the report is a block on the firewall and the disabling of the service, if you want high security, so there is room for abuse there.

Normally some form of web of trust is set up, and a lot of security companies share vulnerabilities. Though some security consultants have been bot herders as well, so trust is really a key thing to understand in security.

The end user not protecting themselves is quite simple, more security less usability, and whilst MS often produces insecure software they are aiming for usable software. There was a time back when Gates made each coder responsible for the security of their code, but would a product ever see the light of day if that was the primary concern.

Firewalls can also offer a false sense of security, I would agree it tends to make the machine less desirable to crack, but as I say there are problems with them as being a point of attack themselves.

A FW really requires constant monitoring and adjustment. Most seem to tweak a FW up over time and take it back down to really just input initiation blocking. Privilege escalation is not too hard on windows, so a lot of attacks will disable the FW before commencing communication, or they will hitch a ride on the browser stream. They have their uses, but really they are a quick fix software where you block the problem whilst removing the software, it is not so much a permanent shield as it is something to buy a little time when making alterations.

But, that nuance is lost on most users, they think 'firewall protects' and it is just not true in reality. We have the problem of analogy, things often don't fit and inside of that loose analogy lies many attack vectors.

To be honest I wasn't thinking about hospitals, I was envisaging a Cure for Cancer researcher just getting to the final stages of his work, suddenly being distracted by the wallpaper changing and shredding the Cure by mistake.

Hospitals, well they are probably one of the most insecure places when it comes to data control, I think they live under the illusion that people have a code of ethics towards them. But, ever since they have been used to store personal data, and biometrics have been mentioned, they will have been under constant attack. I would expect most hospital systems to be compromised in some way, and the number of social engineering attacks against them is massive. Generally people will be syphoning data, but a targeted attack could be fatal, and there is room for error on systems not associated with health monitoring, just record keeping, and dosages and drugs could be altered either maliciously or without criminal intent.

I think people have been given all the heads up they need, and it is not a case of people having information hidden from them. What the BBC did was cross the line, instead of explaining and running an example (they have a lot of machines themselves, they could have botnet'd that), they decided to break the law in quite a reckless and feckless manner. I haven't seen the program but I have watched the little flash excerpt and it really doesn't inspire people to take security seriously, and it doesn't inform as to the correct procedure, in the main because it is too complex and time consuming.

ken_uk · Mar 18, 2009

I missed the program, but I wonder how they did the wallpaper change, did they just add a message onto the existing wallpaper, or did they replace what was there with something of there own.

I have left notes on wallpaper before, if someone had left an important note on someone's machine and the bbc changed the wallpaper, that note would disapear.

If the note was about someone needing to have some vital medication, or about a safety device not operating correctly, or about something really, really important that needed doing then the bbc could really mess up someones day.

What about people that have systems with software that keep changing the wallpaper on a regular basis? What if they missed the message, as the wallpaper had changed again... What if they then noticed some vunerability had occured, as they missed the message, they could spend a long time trying to track down what happened, courtesy of the BBC.

What if the desktop was on public display in a shop or something displaying a advert (waiting for something else to run) and up popped a message about them being hacked or whatever the message was... Damage to business reputation, courtesy of the BBC.

What if hackers decide to do the same, and future botnets pop up a message saying your machine has been compromised, but dont worry its the BBC that did it, check this link out, and you dont need to worry everything is now safe.

Off pops Mr public to check the link, thinks its all above board, the message tells them they dont need to do anything, so they willingly leave the machine compromised. A nice false sense of security, and a lovely way in for the hackers courtesy of the BBC.

FireFleur · Mar 18, 2009

This is it, we don't know what the BBC have done, and I suspect they don't either.

A computer system is quite fragile, a cracker is someone who throws a spanner in the works.

We often find those who can crack would make awful software developers and vice versa. It is harder to develop and definitely harder to develop secure code, but it is not too hard to throw a spanner in. And that spanner can do a lot of unforeseen things, that is the nature of it.

Sure some of the top crackers are probably amongst the top software developers in the world, and those lot tend to be able to maintain a system through a compromise and look at the system as a whole, but it is rare.

The BBC just blundered in by all accounts. It is quite possible they have ended up blocking email access for those machines or IP numbers. There is a reason ISPs don't get too involved, because the IPs are leased by them. So, it could even be someone needing to send an email to someone on hotmail or gmail, that they now cannot do, because of actions by the BBC.

I just think the BBC had not thought this through, and it is not so much without illegal intent, but instead without malicious intent, I don't think they intended to incovenience a great number of people, just so they can get viewing figures and further their own careers by increased expsoure.

But, if they had spoken to a few security consultancies, the overwhleming response would be for them not to do it in this way. It is a standard well known thing, don't compromise a machine unless you have authorisation. However well intentioned you are you cannot control the teleological effect of it all, with that level of compromise, you cannot act responsibly in the public interest, too many variables.

This matter is debated in the security field quite often, there are quite a few texts on the whole matter. Sure, there are some in the compromise and cure camp, but they tend to be a bit gun ho. And, if you said well if you wish that to be the case then, would you give blanket authorisation for anyone to access and 'fix' your machine, their reponse is normally an empthatic 'no!', so what does that tell us. Well it shows us they would still like the protection afforded by the law, and that they would prefer to fix their own problems in a controlled manner.

The BBC themselves could be running a security flaw, have they given authorisation for anyone to go in diagnose and fix their security problem? Is this what they are saying, can we all now compromise BBC machines, in the public interest, and change their wallpaper to a friendly message and get them to send out email? Is it open season on the BBC? Because hey, if it is and it is in the public interest quite a few computer security companys might enjoy the increased public exposure.

ken_uk · Mar 18, 2009

Just watched it on iplayer..

Apparently they got each infectedd machine that was online at the time to send out 500 emails each to two seperate email addresses (one hotmail, one gmail - I wonder what exact time/date they did it, was it when gmail went down recently?).

They also explained what a DDOS was, and how it could effectively be used to bring down your competitors websites, or the site of companies you hold a grudge against. They were even nice enough to let people know there is money to be made by blackmailing people with DDOS, and even nicer to state that gambling websites are the best target.... Throw in some other examples, such as bringing down the websites for a large airport, just so they dont forget to please wannabe terrorists also.

The wallpaper was COMPLETELY changed to one of their own, with a message saying all is well now, the bbc did it etc, so future botnets really will have a nice means of fooling people to leave a machine as-is. Not to mention the possible damage mentioned earlier by completely changing a wallpaper.

Overall, the program was effectively one big advert for botnets, even going as far as showing people just how cheap they are, how they will need to spend a little more if they want to get credit card details/bank passwords etc. Great examples shown of how to send spam on a large scale, and DDOS sites.

Just to make it clear that you dont have to be that technical, so its open to any semi-literate criminal with a bit cash, they even showed how simple the user interface is, and stressed its ease of use.

The bbc really balls'd up on this one.

FireFleur · Mar 18, 2009

Showing how to technically achieve a compromise is not really a problem. It can be handled in a manner in which the defence is also shown, and in a neutral way, if you cannot do that, then you probably shouldn't reveal the exploit.

The big problem is the cracking toolkits, that allows anyone to attempt an attack on a system. This was free advertising for them, what is normally done is to remind people that they could be compromised themselves by using such tools. I do hope the BBC highlighted that possibility because that works as a detractor for their use.

Subbynet · Mar 19, 2009

I'm sorry guys but I feel you are using some quite absurd scenarios to try and prove a point.

ken_uk said:
I missed the program, but I wonder how they did the wallpaper change, did they just add a message onto the existing wallpaper, or did they replace what was there with something of there own.

I have left notes on wallpaper before, if someone had left an important note on someone's machine and the bbc changed the wallpaper, that note would disapear.

If the note was about someone needing to have some vital medication, or about a safety device not operating correctly, or about something really, really important that needed doing then the bbc could really mess up someones day.

So let me get this straight instead of writing a note with a pen and paper, or maybe opening up Notepad and typing a note, or maybe instead of giving someone a call - you have decided to open an application like Microsoft paint, modify their existing background and then saved it before proceeding to reset this as their new desktop wallpaper....

How would the messages about vital medical information work? Is this a note saying honey at 1 PM you must take your pills? Does someone who needs vital medical help really require a computer wallpaper to inform them of this information?

What if the desktop was on public display in a shop or something displaying a advert (waiting for something else to run) and up popped a message about them being hacked or whatever the message was... Damage to business reputation, courtesy of the BBC.

The problem with this is that the computer was already in use as a system for sending spam and distributed denial of service attacks. The disruption caused to other businesses and people because of this one insecure computer was immense, and before the BBC acted this machine would have carried on causing disruption to other businesses until the owner decided to sort out proper security. (Probably never)

What if hackers decide to do the same, and future botnets pop up a message saying your machine has been compromised, but dont worry its the BBC that did it, check this link out, and you dont need to worry everything is now safe.

Off pops Mr public to check the link, thinks its all above board, the message tells them they dont need to do anything, so they willingly leave the machine compromised. A nice false sense of security, and a lovely way in for the hackers courtesy of the BBC.

There's a very good reason to attackers will never undertake this themselves, because the machine will no longer be any good to them. What is the point in hacking a machine - setting it up in a bot net only to use it to tell all your victims their computers have been hacked?

And if they did change the wallpaper would you honestly think that your computer is safe? Did the BBC wallpaper actually say this? The BBC said that your computer is still at risk but the means they used to control your computer has been removed.

The BBC just blundered in by all accounts. It is quite possible they have ended up blocking email access for those machines or IP numbers. There is a reason ISPs don't get too involved, because the IPs are leased by them. So, it could even be someone needing to send an email to someone on hotmail or gmail, that they now cannot do, because of actions by the BBC.

This doesn't even make sense because the machines are already part of a bot net network. These machines could of been sending hundreds of thousands of e-mails, or disrupting hundreds of businesses to extort money before the BBC got hold of them.

This does not let the BBC off the hook by any means, but let's not pretend that these machines would have just sat there doing nothing otherwise.

But, if they had spoken to a few security consultancies, the overwhleming response would be for them not to do it in this way.

This matter is debated in the security field quite often, there are quite a few texts on the whole matter. Sure, there are some in the compromise and cure camp, but they tend to be a bit gun ho. And, if you said well if you wish that to be the case then, would you give blanket authorisation for anyone to access and 'fix' your machine, their reponse is normally an empthatic 'no!', so what does that tell us. Well it shows us they would still like the protection afforded by the law, and that they would prefer to fix their own problems in a controlled manner.

The BBC themselves could be running a security flaw, have they given authorisation for anyone to go in diagnose and fix their security problem? Is this what they are saying, can we all now compromise BBC machines, in the public interest, and change their wallpaper to a friendly message and get them to send out email? Is it open season on the BBC? Because hey, if it is and it is in the public interest quite a few computer security companys might enjoy the increased public exposure.

I fully agree with you, you will hear an emphatic no. Yet the poll above (answered mostly by security conscious people) clearly indicates a wish (of 44%) to educate the public. You see this is the point, no one is asking for a change in the law or any idea of some blanket authorisation because that would be just stupid. What they are saying is this one stunt we can perhaps turn a blind eye to because of the value in educating the viewer.

FireFleur said:
The big problem is the cracking toolkits, that allows anyone to attempt an attack on a system. This was free advertising for them, what is normally done is to remind people that they could be compromised themselves by using such tools. I do hope the BBC highlighted that possibility because that works as a detractor for their use.

What do you mean this can work as a detractor for their use? You keep making out as if people are just going to fall over this application on a website like downloads.com. Anyone using this application knows all too well the ramifications of it being used against themselves. (and others)

The wallpaper was COMPLETELY changed to one of their own, with a message saying all is well now, the bbc did it etc, so future botnets really will have a nice means of fooling people to leave a machine as-is. Not to mention the possible damage mentioned earlier by completely changing a wallpaper.

This is clearly exaggerated. The message said nothing of the like and can actually be read if you decide to pause the program. It actually mentions that the computer is still insecure and gives advice on how to update and to install protection.

Overall, the program was effectively one big advert for botnets, even going as far as showing people just how cheap they are, how they will need to spend a little more if they want to get credit card details/bank passwords etc. Great examples shown of how to send spam on a large scale, and DDOS sites.

Just to make it clear that you dont have to be that technical, so its open to any semi-literate criminal with a bit cash, they even showed how simple the user interface is, and stressed its ease of use.

The bbc really balls'd up on this one.

Is a program about drug prevention, one big advert for drugs?

So what is the solution? What would you do? Never mention anything again? Should we never have any information in the public domain which could be used for crime? And are we naive to believe that such information is not already in the public domain? Who is teaching who?

FireFleur · Mar 19, 2009

Ok, I will take your points as you do, I wish you could do it without quoting

, but I will just go in order.

The scenarios aren't absurd

It is trivial to write a message to the root window, and quite a few do use that feature. I don't why you insist on doing things the hard way and opening up a copy of paint. The point to realise though, is anyone could be doing anything and the BBC don't have the right to ride rough shod over anything.

It is actually absurd to assume no one was inconvenienced by this, 22,000 machines, and that inconvenience could have resulted in a fatality, that is what being expressed. An example is given but it doesn't have to be that particular example. You ran to hospitals as an assumption, others will choose examples of their own making. The possibility exists that a fatality could have been caused and there are near endless examples, all of which are quite possible. Cyber space is not meat space, the unlikely happens more often.

The compromise is being what if'd after the event, and before everyone knows the repercussions. The what if'ing should have been done by the BBC, and people are showing that if it had been done, they would have a huge list of potential problems their attack could cause.

How does anyone know these machines were compromised prior; sending out spam, and DDoS attack? That was not made clear, and I don't know how they would know. But, let's assume they were, so what, it doesn't give the right to compromise the machine again.

Just as a documentary on assaults does give a journalist the right to punch a man on the way to hospital, just because he is damaged doesn't make it right to damage further. You mention proper security, but so far I have only heard firewall and AV from you, and that is not proper security. Proper security is constant monitoring, and it costs a fortune.
---

What is the point in using a false trusted positive? It allows the cracker to control the actions of the compromised, either to get them to install something else, or to give a false sense of security. That is security 101, it is about trust.
--

What is a botnet? A botnet can be something waiting to happen, so you have scanned some IPs have a list of vulnerabilities, then when someone wants to hire, they get given the software for access, the exploits are run from their machine, and the botnet comes into being. So, the machines may not have been prior compromised.

ISPs may not block compromised machines, or make the matter public because it is not a machine to them, it is an IP number they own. Gmail and Hotmail can do their own blocking, and this could be a case of the first time this IP number was used in a mass spamming. An heuristic for spam is number of same/similar emails sent over a network, or perhaps this attack tripped it over the level for blocking. Let's realise those machines may have been doing nothing untoward unless the BBC ponied over the cash.
---

The poll only shows that the majority of people in that poll thought what the BBC did was wrong. I have no idea who took that poll, but if that poll was put in front of most security consultancies it would be skewed even higher in disfavour of what the BBC did. And it doesn't show 44% want to educate, at most you can say 33% thought it helped raised awareness from that poll, 11% didn't care. The poll is bogus because the questions are framed, how about a question of; 'No, what is all the fuss about?', it is just as loaded. If you agree on the emphatic no, and still want others to be compromised as a lesson to them, that is hypocrisy, a society based on hypocrisy is a civil war waiting to happen.

---

Oh, you are bolding quotes now, and then commenting on other words, what's that about, and what is this downloads.com that you talk of?

People with a nefarious bent are more likely to hunt out and use botnets to carry out attacks, because the BBC publicised it. I don't see how you cannot see that. The detractor works, just like the emphatic no worked above, you are seeded with doubt that it could backfire, and cause you more harm than the positive you are trying to achieve for yourself. It causes people to think, 'oh, perhaps not such a good idea then'.
---

The wallpaper, thanks for posting a picture

But, the words are not exaggerated that you are quoting, the BBC logo is emblazoned across the top. And all machines are insecure, all nodes on the net are insecure, and it doesn't matter what software you install. Security is a process not a destination, there is no silver bullet, there is only vigilance.
---

Is a program on drugs a great big advert for drugs, yes probably is, I bet more folks go out and score some weed after seeing Reefer Madness than an Episode of Friends, well there is one episode, oh two. Remember though, drugs are a prohibition crime, cyber crimes are more akin to trespass, vandalism and theft, there is a victim.
---

What is the solution, well to begin with the BBC get prosecuted and if guilty of a crime, they have to pay restitution to all the owners of the machines they compromised. This would act as quite a large deterrent.

There is no solution for computer security, there is only the law to act as deterrent. Just as there is no solution to war, no solution to assault, no solution to fraud, no solution to people breaking the law. The closest you get is the idea of self defence, but huge investment of time and training.

Sure you can wear a bullet proof vest, until armour piercing bullets are used, or napalm is hurled, then you can make a tank, but hard to find a car parking space at the local shops, and the cost of a tank leaves quite a hole in the wallet.

Take the bomb for example, MAD (Mutually Assured Destruction) is the thin thread of a defence we have for it, you better bet your bottom quid that obscurity is being used on how to obtain the items to create a nuclear bomb, and that obscurity affords a lower cost of monitoring those items. If everyone knows how to build a bomb, and where the materials are then you can kiss this planet goodbye.

We just have to live with it, and apply the law, some things should be kept secret for as long as possible, but if the Pandora's box is open it is open.

But, let me make it clear, if the BBC had not compromised other people's machines without authorisation and just shown a program on how botnets operate and told the truth most would agree what they did was at worse banal.

FireFleur · Mar 19, 2009

Let's try and sum up the difference in beliefs here.

One camp thinks that the more exposure the better, and that if there is no illegal intent and the attack is for a documentary then it is ok to compromise other people's machines.

The other camp, says the means don't justify the ends, the problem could have been expressed in a much safer manner, no law need have been broken, and no victims compromised.

I think that is what it boils down to. But, hey I can see every cracker calling themselves a documentary maker now.

Subbynet · Mar 19, 2009

FireFleur said:
Ok, I will take your points as you do, I wish you could do it without quoting , but I will just go in order.

What's wrong with quoting? :|

I quote as I do because I wished to directly reply to certain points... The problem with how you have quoted is that I can't directly refer to the issue in question without scrolling up and down the page continuously. This made your post harder to follow.

Frankly... I don't know where to start with your reply...

FireFleur · Mar 19, 2009

Well it is just different styles. Excessive quoting tends to create argument, whereas prose lends itself to discussion. And altering quoting by adding your own emphasis is a bit off

Quoting can be used selectively, so quote one sentence and just ignore the original conclusion, now that can be done if the sentence is not valid, but if you just offer a different conclusion and the original still stands as possible, then that is side stepping.

I would be interested to know what you think about the situation in your own words if you will. That is more interesting because you will have to draw upon your own reason for legitimacy and actually wonder if what they did could be abused or how we measure the positive and the negative from their actions.

I think the summation was fairly fair, it could also be the case that some security companies want more exposure to the dangers of crackers, so they can sell more widgets. Now those widgets could be snake oil or silver bullets, but at that point they tend to keep a bit quiet.

I would like to see the BBC do an expose on the security of firewalls and anti virus, and how they can be used against the user. Now, that wouldn't break any law, as long as they do it on machines they are authorised to access, but it would start to show the truth of all of this.

Subbynet · Mar 19, 2009

You mention proper security, but so far I have only heard firewall and AV from you, and that is not proper security. Proper security is constant monitoring, and it costs a fortune.

This is got to be a joke right? Here we are having a discussion about the BBC and bot nets, so I advocate the installation of a firewall and decent antivirus software. Your response to this is the tell me this is not proper security?

No one is asking for enterprise grade security, but if these computers had even the most basic antivirus and firewall in place the chances are they would have never been vulnerable in the first place.

Let's realise those machines may have been doing nothing untoward unless the BBC ponied over the cash.

Yeah right... Honestly this is madness...

The wallpaper, thanks for posting a picture But, the words are not exaggerated that you are quoting, the BBC logo is emblazoned across the top.

The words are clearly exaggerated, as the BBC wallpaper does not give the impression that all is okay with your computer, it quite clearly says that you are at risk and there are number of checks that you should do.

So clear that I decided to post a picture!!!

What is the solution, well to begin with the BBC get prosecuted and if guilty of a crime, they have to pay restitution to all the owners of the machines they compromised. This would act as quite a large deterrent.

This is not the solution, this is prosecuting the BBC.

You are living in dream world if you think this will act as a deterrent to anyone. The bot nets consist of thousands of computers from hundreds of countries and there is no legal powers available to catch these people for the most part - there's a reason why they call the Internet the new Wild West. They most certainly ain't going to pay any sort of compensation or restitution to any owners of these machines. We can't even find the money they make from their illegal activities so the chances of this happening are quite frankly nil.

There is no solution for computer security, there is only the law to act as deterrent. Just as there is no solution to war, no solution to assault, no solution to fraud, no solution to people breaking the law. The closest you get is the idea of self defence, but huge investment of time and training.

This is probably the most absurd thing actually said in this thread. There is not a single person in the land who deals with computer security who is relying on the law to act as a deterrent.

We just have to live with it, and apply the law, some things should be kept secret for as long as possible, but if the Pandora's box is open it is open.

The box is open and it has been open for the last 10 years.

FireFleur · Mar 19, 2009

The box has been open for a lot longer than that

Ok well without quoting

, you seem to think the law is useless.

Yet, many crackers have been bought to justice, the money trail is much simpler to follow then you may believe. And sure those at the top of their game in money laundering can move it between accounts and get the money cleaned they are few, and it does require quite a lot of set up.

And we have had security consultants convicted for controlling botnets, and even those using ../, one cracker is fighting deportation at the moment. Just look around there are many reports where crackers have been arrested, to be honest I think the prosecutions are more draconian than rehabilitation.

So, lots of crackers get caught, and some people will be deterred, you will often see a comment that goes they stopped cracking because they thought it might lead to them being caught. It does work in some instance, but obviously not all. But each time one is caught, it can increase the risk to others, so yes it does work as a deterrent.

You are quite black and white in your thinking, no one said rely on just the law, the law is the big one though, throughout the posts you will see me use the phrase 'security is a process not a destination', that means you can add security via vigilance, but the fix of AV and Firewall is not it, not by a long chalk. A lot of the AV and Firewall vendors get compromised themselves, spate of that recently.

Looking at the problem objectively what we have are very talented people, who have found they can make a lot more money by cracking into systems than they can by working elsewhere, and that is more the crux of the problem, their abilities are being undervalued in normal society. And when that happens make it into controlled entertainment, get them in your military and intelligence services. A few are tackling the problem that way, and there is ethical hacking, but it needs some more support. The skills are useful for things, and pen testing of software is something more companies maybe should be forced to do.

Let's realise those machines may have been doing nothing untoward unless the BBC ponied over the cash. I am going to emphasise that may, that may just claims possibility, and a 'Yeah right.. Honestly this is madness', is bogus dude

Are you serioulsy claiming that 100% of the machines were already compromised, DDoSing and Spamming? I am sure one of them wasn't out of the 22,000, and I won't may that statement

Subbynet · Mar 19, 2009

My friend, I have to say I think you could argue with a brick wall, honestly!

I also believe we are so far apart that the chances of ever coming to any understanding is more or less impossible.

That's me taking the polite route out...

FireFleur · Mar 19, 2009

Well you have stopped saying anything, you have just said oh it is not that way

I suspect it is because you believe the Firewall and AV are the route, but have you built a firewall yourself, or created AV software? Have you at least reverse engineered some or studied the source code of a few? Or is this just something you were told?

You don't have to answer, if you want to bow out that's cool. But taking the thread that way could be interesting.

ken_uk · Mar 19, 2009

If my machine had been compromised by a botnet, then I would assume nothing on it is safe.

I would not trust the BBC's advice that simply turning on the firewall, running the os updates and running a a/v scan would be sufficient.

Simply because the machine the machine has been compromised, and some one else that previously controlled it could have screwed up the firewall, or replaced it with one of there own, or altered its settings. The a/v could have been altered, any of the executable files or libraries on the pc could be ones supplied by whoever controlled that botnet previously.

All the BBC apparently did was uninstall the botnet.

Hopefully they were intelligent enough to do that themselves rather than rely on a botnet supplied uninstallation package, which would not be trustworthy.

They won't have been able to undo any previous hacks done in the past whilst the machine was under that botnets control.

Its left people with a false sense of security.

FireFleur · Mar 19, 2009

It bears repeating that instead of running a firewall or AV, it is better to run secure applications, so ones which will not allow foreign code execution.

The browser is problematic nowadays, and perhaps a deep packet inspection on that stream but better still a VM or a separate user. There are script blockers, and I think there is a current browser vulnerability that has just been demonstrated, so there will be people jumping on that for exploit and patches for upgrade. So a quick update cycle is part of the security process.

But once compromised it is a reinstall generally, the only ones who don't do that either have exact copies of the machine they can check against or tripwired so they can analyse the attack.

Removal software is bizarre I cannot really think of a good time to use it, and I can imagine malware set to payload on the use of it. Perhaps you could isolate the drive and use it to analyse the problem but it is not a general security solution in and of itself, probably came out of honeypots.

ken_uk · Mar 20, 2009

Just re-watched the end of the programme, and this is the exact wording of what they said about removing the botnet software.

Were going to order the botnet to self destruct.
Each bot will be told to remove the software that controls it,severing ties with our control panel. We can never talk to these machines again.

That to me sounds like they did use the botnet's own software to remove itself.
Not a wise move, unless they went through all that code with a fine tooth comb (and they knew that the code was the same on every single machine in that botnet).

FireFleur · Mar 20, 2009

A botnet is conceptual, the way they are talking about it also lends one to believe they may have run exploits directly to form it.

The BBC were given incredibly bad technical advice, or it has gone through some odd translator.

I suspect it is now in the public interest to have a full inquiry into what exactly happened, the BBC could have been subverted in as much as someone was using them as a puppet to form a botnet. Some countries may take the actions of the BBC as an act of war, it is a pseudo UK public institution, Russians were involved in one step, and I think a South African was in the studio. Perhaps a bit far fetched, but it is odd that they think what they did was legal, safe and there would be no repercussions, most degree educated UK computer scientists are taught computer law.

Cookie Consent

Essential

Analytics

Marketing

BBC owns the Box