Risk | Commentary
3/17/2009 03:06 PM
Sara Peters

BBC Botnet Experiment IS Illegal, No Matter What They Say

Saturday, "Click"--"the BBC's flagship technology programme"--broadcast an investigative report on cybercrime. The exciting thing about this particular program is that they purchased and used a botnet as part of their investigation. The creators of the program are under the impression that their experiment was perfectly legal, because they had no criminal intent.

They are mistaken.

Before I go on, I should be clear--I'm pretty much in love with the BBC. I've never seen "Click" because it's not broadcast on BBC America, but if BBC America served up a rock block of "Top Gear," "Skins," "Doctor Who," and "How Clean is Your House?" I'd be riveted to my couch for many hours, refusing any calls. So it somewhat pains me to say that Click broke the law.

Nonetheless, it's true. Unlike the U.S. Computer Fraud and Abuse Act, a conviction for "unauthorized access to computer materials" or "unauthorized modification of computer materials" under the U.K.'s Computer Misuse Act does not require malicious intent. Just look at the text of the Computer Misuse Act itself:

    An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes.

    [29th June 1990]

    Be it enacted by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:-

    Computer misuse offences

    1. Unauthorised access to computer material

    (1) A person is guilty of an offence if-

      (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

      (b) the access he intends to secure is unauthorised; and

      (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at-

      (a) any particular program or data;

      (b) a program or data of any particular kind; or

      (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

    2. Unauthorised access with intent to commit or facilitate commission of further offences

    (1) A person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorised access offence") with intent-

      (a) to commit an offence to which this section applies; or

      (b) to facilitate the commission of such an offence (whether by himself or by any other person);

      and the offence he intends to commit or facilitate is referred to below in this section as the further offence.

    (2) This section applies to offences-

      (a) for which the sentence is fixed by law; or

      (b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or, in England and Wales, might be so sentenced but for the restrictions imposed by section 33 of the [1980 c. 43.] Magistrates' Courts Act 1980).

    (3) It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.

    (4) A person may be guilty of an offence under this section even though the facts are such that the commission of the further offence is impossible.

    (5) A person guilty of an offence under this section shall be liable-

      (a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and

      (b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

    3. Unauthorised modification of computer material

    (1) A person is guilty of an offence if-

      (a) he does any act which causes an unauthorised modification of the contents of any computer; and

      (b) at the time when he does the act he has the requisite intent and the requisite knowledge.

    (2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing-

      (a) to impair the operation of any computer;

      (b) to prevent or hinder access to any program or data held in any computer; or

      (c) to impair the operation of any such program or the reliability of any such data.

    (3) The intent need not be directed at-

      (a) any particular computer;

      (b) any particular program or data or a program or data of any particular kind; or

      (c) any particular modification or a modification of any particular kind.

    (4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.

    (5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.

    (6) For the purposes of the [1971 c. 48.] Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.

    (7) A person guilty of an offence under this section shall be liable-

      (a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and

      (b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

So malicious intent doesn't matter. A conviction under the CMA does require that the defendant knew they were attempting unauthorized access/modification; but the people at Click clearly knew they were making--and succeeding at--such attempts.

Here's the thing: True, Click purchased a 21,696-computer-strong botnet from Russian and Ukrainian criminal hackers via a chatroom. And true, simply buying the botnet would have been fishy, but probably not illegal--at least not under the CMA. But using the botnet is illegal. And they did. From their report:

    We set up a spam test - a low-power demo to show what is possible. Even with our botnet set to "slow", we managed to send out over 10,000 e-mails in a few hours.... Our second demonstration was to aim our botnet at a willing volunteer site, to see just how large an army you need to take the site down. The answer was just 60 machines. Performing the DDoS attack three times, with our bots constantly trying to access the site, was enough to take it down.

It doesn't matter that the target Web site was a willing volunteer. The owners of those 60 machines were not willing, and probably not even aware.

So far I've heard no scuttlebutt about law enforcement going after Click's producers. If they don't, that inaction will stand in stark opposition to their action against Daniel Cuthbert, who was, in October 2006, convicted of "unauthorized access to computer materials" under the CMA; he was also charged with "unauthorized modification of computer materials," but found not guilty on that count.

I've written quite a bit about Cuthbert's case over the years--first and second in the Alert (our CSI members-only publication), and later as a case study in the Web Security Research Law report we published in June 2007. (I know it's seedy to toot one's own horn, but I really must strongly suggest you give this a read. Understanding the intricacies and hypocrisies of cybercrime law as it relates to Web security research isn't just my favorite security-related subject--it's also of paramount importance to keeping good guy security pros like you all out of jail. I worked on this with a stellar collection of Web security researchers, cybercrime law attorneys and law enforcement agents, and our findings were always fascinating and often frustrating. You can find the full report at http://i.cmpnet.com/gocsi/db_area/pdfs/CSIWebSecurityResearchLaw.pdf.) From that report:

    The charges were brought against Cuthbert for attempting to hack into the Disasters Emergency Committee's (DEC) Web site (www.dec.org.uk). After donating £30 (and an array of personal information) to DEC's tsunami relief fund, Cuthbert grew suspicious that he'd happened upon a phishing site; he received no confirmation message, the page didn't reload, and the whole site suffered from what he calls "poor coding." Finding no way to contact the site administrator, Cuthbert probed a site application with a trivial shell command to test its security; this would later earn him a conviction for unauthorized access to computer material and a charge of unauthorized modification of computer material (for altering the site's log files).

I'm a bit torn on how I feel about this. I commend Click for bold, intrepid investigative reporting, and I'm sure that Click's viewers now know a lot more about the real risks of cybercrime. Nonetheless, bots are not to be bandied about--Click's actions were definitely illegal, questionably moral, and certainly more significant than the actions Cuthbert was convicted for.

So far no charges have been levied against Click's producers, and I haven't yet heard much discussion about this in the security community. I contacted the BBC's press office last week, hoping to speak to Click presenter, Spencer Kelly; or at least to see the full video of the show (which, regrettably, BBC America does not air). I've not yet received any response; I plan to attempt again tomorrow morning.

We'll be talking about this topic (and many, many others) during our Web Security Summit happening at our CSI SX conference--May 17 through 19, at the Mandalay Bay Hotel in Las Vegas. You can (and should, I dare say) register for the conference at https://www.cmpevents.com/CSISX9/a.asp?option=B. I'll be there, learning from our excellent speakers and perceptive attendees, by day; and doing my damnedest to avoid the Let it Ride and Craps tables, by night.
