The BBC published a self-justification of sorts over the Click fiasco on Friday 13th March: when I came upon it the following morning, I posted a comment there, pointing out Mark Perrow had addressed the issues this industry hadn't complained about, and ignored the issues that we were concerned about.
My comment is number 14, if you're interested, but if so, you might want to hurry up, before the BBC delete it. Graham Cluley also commented, very politely and very comprehensively, and the comment was deleted. According to the mail they sent him and the web page itself (see comment number 47), this was because he broke the house rules.
You can see the comment he made reproduced in his blog here, and the BBC's house rules are published here.
If you can see what rule it was that he broke, please let him (and me) know, as he's as puzzled as I am. I'm pretty sure that embarrassing the BBC isn't against the rules.
So, since I'm almost as fed up with the topic as the BBC seem to be, let's think about what this programme really achieved.
- It raised public awareness of the botnet issue, and that's a Good Thing, though I doubt that a programme that was confined to the BBC's news channel reached as many of the people who need to know about the issue as some of its defenders are assuming.
- Nearly 22,000 people were informed that they had a bot problem. We don't know how many were actually able to see the message, or took any remedial action, but if any of them did, that's a Good Thing.
- A botnet of nearly 22,000 machines was taken down. Of course, we don't know how many of the systems involved were completely cleaned, how many were still infected by other malware, how many were damaged by the cleaning, and how many cleaned machines were re-infected almost immediately. But if any of them are now safer and cleaner than they were before the BBC's actions, that's a Good Thing.
- The BBC and its legal department are probably now better acquainted with the Computer Misuse Act, and perhaps the Click programme is a little more aware of its responsibility to its viewers and those of us who help to fund it. That's certainly a Good Thing, though it might have been better if they'd researched better before they started filming. Or was this a case of "too good an angle to check"?
The question is, what was achieved that couldn't have been achieved by legal, ethical means, avoiding the need for the criminal fraternity to become a little richer while experiencing no apparent negative impact at all? Apart, of course, from a story that attracted notoriety rather than universal admiration...
David Harley
Director of Malware Intelligence