Despite taking some criticism, the British Broadcasting Corp. is defending its decision to buy a botnet in an effort to inform the public about the dangers of cyber-crime.
In an experiment, the BBC technology program “Click” bought a botnet over the Internet and used it to spam e-mail accounts the program set up to demonstrate the role of botnets in spamming operations. It also used the botnet to launch a DDoS (distributed denial of service) attack against a site owned by security vendor Prevx with the vendor’s consent.
The Click team then informed the owners of the infected machines that they had been compromised and shut the botnet down.
As news of the experiment spread, some observers questioned both the need for and the legality of the show’s actions. The BBC, however, maintains that the network has strict editorial guidelines for these types of investigations and that those rules were followed to the letter.
“It was not our intention to break the law,” a BBC spokesperson said. “At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of infected PCs without the owners even knowing it is there; and its power to send spam e-mail or attack other Web sites undetected.”
The BBC would not discuss what the botnet cost or the exact methods the Click team used to obtain the botnet. Still, some questioned whether or not the demonstration was worth putting money into the hands of hackers.
“We believe that as a result of the investigation, computer users are now better informed of the importance and value of using basic security techniques to defend their PCs from attacks,” the BBC spokesperson said. “This has been a subject of some debate and comment in the blogosphere. However we believed that the issue is vital for all PC users, not just those in the blogosphere, and that there would be great public interest in this demonstration.”