Experts blast BBC over botnet stunt

Security firms around the world are criticizing the BBC for its conduct in a recent episode of the computer programme Click.

In the episode, BBC reporters enlisted the help of third-party security experts to conduct an investigative report on building a botnet.

The team was able to purchase a massive network of some 22,000 controlled systems which were used to send e-mails and perform a denial-of-service attack on a test site.

Though the network later dismantled the botnet and informed the owners of the compromised systems, the story drew criticism from local security experts.

Sophos senior security consultant Graham Cluley condemned the attacks as a breach of the Computer Misuse Act.

In the days following the report, it has become apparent that Cluley is far from being alone in his protest over the BBC's actions.

"The BBC simply didn't need to go as far as it did to demonstrate the cybercriminal possibilities of a botnet," argued Paul Ducklin, head of technology for Sophos' Asia-Pacific branch.

"The demonstration it filmed could easily, more scientifically, probably more effectively, and definitely more quickly, easily and safely, have been done in a research laboratory."

A site poll from the security firm found that 56 per cent of visitors felt that the action was wrong on either legal or ethical grounds, while only 33 per cent felt that the awareness raised by the report justified the BBC's actions.

Researchers and executives from other security firms such as McAfee, F-Secure and Sunbelt Software are throwing their support behind Cluley and Sophos as well.

"You just don’t get involved, because it’s not only wrong, there are too many unintended consequences that can occur," wrote Sunbelt chief executive Alex Eckelberry.

"To have a TV show use a botnet, to 'prove a point' is beyond the pale, particularly since the point could have easily been proven it in other ways."