Perimeter
3/17/2009 03:05 PM
Sara Peters
Commentary

BBC Botnet Experiment IS Illegal, No Matter What They Say

Saturday, "Click"--"the BBC's flagship technology programme"--broadcast an investigative report on cybercrime. The exciting thing about this particular program is that they purchased and used a botnet as part of their investigation. The creators of the program are under the impression that their experiment was perfectly legal, because they had no criminal intent.

They are mistaken. Before I go on, I should be clear--I'm pretty much in love with the BBC. I've never seen "Click" because it's not broadcast on BBC America, but if BBC America served up a rock block of "Top Gear," "Skins," "Doctor Who," and "How Clean is Your House?" I'd be riveted to my couch for many hours, refusing any calls. So it somewhat pains me to say that Click broke the law.

Nonetheless, it's true. Unlike the U.S. Computer Fraud and Abuse Act, a conviction for "unauthorized access to computer materials" or "unauthorized modification of computer materials" under the U.K.'s Computer Misuse Act does not require malicious intent. Just look at the text of the Computer Misuse Act itself:

    An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.

    [29th June 1990]

    Be it enacted by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:-

    Computer misuse offences

    1. Unauthorised access to computer material

    (1) A person is guilty of an offence if-

      (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

      (b) the access he intends to secure is unauthorised; and

      (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at-

      (a) any particular program or data;

      (b) a program or data of any particular kind; or

      (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

    2 Unauthorised access with intent to commit or facilitate commission of further offences

    (1) A person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorised access offence") with intent-

      (a) to commit an offence to which this section applies; or

      (b) to facilitate the commission of such an offence (whether by himself or by any other person);

      and the offence he intends to commit or facilitate is referred to below in this section as the further offence.

    (2) This section applies to offences-

      (a) for which the sentence is fixed by law; or

      (b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or, in England and Wales, might be so sentenced but for the restrictions imposed by section 33 of the [1980 c. 43.] Magistrates' Courts Act 1980).

    (3) It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.

    (4) A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.

    (5) A person guilty of an offence under this section shall be liable-

      (a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and

      (b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

    3 Unauthorised modification of computer material

    (1) A person is guilty of an offence if-

      (a) he does any act which causes an unauthorised modification of the contents of any computer; and

      (b) at the time when he does the act he has the requisite intent and the requisite knowledge.

    (2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing-

      (a) to impair the operation of any computer;

      (b) to prevent or hinder access to any program or data held in any computer; or

      (c) to impair the operation of any such program or the reliability of any such data.

    (3) The intent need not be directed at-

      (a) any particular computer;

      (b) any particular program or data or a program or data of any particular kind; or

      (c) any particular modification or a modification of any particular kind.

    (4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.

    (5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.

    (6) For the purposes of the [1971 c. 48.] Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.

    (7) A person guilty of an offence under this section shall be liable-

      (a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and

      (b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

So malicious intent doesn't matter. A conviction under the CMA does require that the defendant knew they were attempting unauthorized access/modification; but the people at Click clearly knew they were making--and succeeding at--such attempts.

Here's the thing: True, Click purchased a 21,696-computer strong botnet from Russian and Ukrainian criminal hackers via a chatroom. And true, simply buying the botnet would have been fishy, but probably not illegal--at least not under the CMA. But using the botnet is illegal. And they did. From their report:

    We set up a spam test - a low-power demo to show what is possible. Even with our botnet set to "slow", we managed to send out over 10,000 e-mails in a few hours.... Our second demonstration was to aim our botnet at a willing volunteer site, to see just how large an army you need to take the site down. The answer was just 60 machines. Performing the DDoS attack three times, with our bots constantly trying to access the site, was enough to take it down.

It doesn't matter that the target Web site was a willing volunteer. The owners of those 60 machines were not willing, and probably not even aware.

So far I've heard no scuttlebutt about law enforcement going after Click's producers--if they don't, that inaction will stand in stark contrast to their action against Daniel Cuthbert, who was, in October 2006, convicted of "unauthorized access to computer materials" under the CMA; he was also charged with "unauthorized modification of computer materials," but found not guilty on that count.

I've written quite a bit about Cuthbert's case over the years--first and second in the Alert (our CSI members-only publication), and later as a case study in the Web Security Research Law report we published in June 2007. (I know it's seedy to toot one's own horn, but I really must strongly suggest you give this a read. Understanding the intricacies and hypocrisies of cybercrime law as it relates to Web security research isn't just my favorite security-related subject--it's also of paramount importance to keeping good guy security pros like you all out of jail. I worked on this with a stellar collection of Web security researchers, cybercrime law attorneys and law enforcement agents, and our findings were always fascinating and often frustrating. You can find the full report at http://i.cmpnet.com/gocsi/db_area/pdfs/CSIWebSecurityResearchLaw.pdf.) From that report:

    The charges were brought against Cuthbert for attempting to hack into the Disasters Emergency Committee's (DEC) Web site (www.dec.org.uk). After donating £30 (and an array of personal information) to DEC's tsunami relief fund, Cuthbert grew suspicious that he'd happened upon a phishing site; he received no confirmation message, the page didn't reload, and the whole site suffered from what he calls "poor coding." Finding no way to contact the site administrator, Cuthbert probed a site application with a trivial shell command to test its security; this would later earn him a conviction for unauthorized access to computer material and a charge of unauthorized modification of computer material (for altering the site's log files).

I'm a bit torn on how I feel about this. I commend Click for bold, intrepid investigative reporting, and I'm sure that Click's viewers now know a lot more about the real risks of cybercrime. Nonetheless, bots are not to be bandied about with--Click's actions were definitely illegal, questionably moral, and certainly more significant than the actions Cuthbert was convicted for.

So far no charges have been levied against Click's producers, and I haven't yet heard much discussion about this in the security community. I contacted the BBC's press office last week, hoping to speak to Click presenter, Spencer Kelly; or at least to see the full video of the show (which, regrettably, BBC America does not air). I've not yet received any response; I plan to attempt again tomorrow morning.

We'll be talking about this topic (and many, many others) during our Web Security Summit happening at our CSI SX conference--May 17 through 19, at the Mandalay Bay Hotel in Las Vegas. You can (and should, I dare say) register for the conference at https://www.cmpevents.com/CSISX9/a.asp?option=B. I'll be there, learning from our excellent speakers and perceptive attendees, by day; and doing my damnedest to avoid the Let it Ride and Craps tables, by night.

Sara Peters is senior editor at Computer Security Institute. Special to Dark Reading. Sara Peters is contributing editor to Dark Reading and editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other ...