The BBC’s botnet

It appears that the BBC has decided to become a hacking company – they recently obtained a botnet of around 22000 machines from an underground forum and demonstrated (as part of a special investigation) how to use these machines to send spam to some predefined email addresses they had created. UK law (specifically the Computer Misuse Act) regards such an act as criminal. The programme also warned users that their PCs are infected, and advised them on how to make their systems more secure.

Even if the intent was educational and the impact minimal, they have still broken the law. Struan Robertson, a technology lawyer with Pinsent Masons and editor of OUT-LAW.COM, said: “It does not matter that the emails were sent to the BBC’s own accounts and criminal intent is not necessary to establish an offence of unauthorised access to a computer.”

But most importantly, the BBC forgot to mention in this investigation what platform the machines were running when they were attacked and controlled as part of the botnet. The likely answer is the Windows platform, considering that almost all botnets (if not all) are made up entirely of compromised Windows machines; so the question is, why did the BBC (conveniently) forget to mention this? Some lazy loyalty to Microsoft?

This leads me to a recent encounter with a company I do some work for on the odd occasion. They were running an old version of a popular antivirus package (although with up-to-date definitions) and weren’t doing Windows updates due to the large amounts of bandwidth this can take (why are Windows users saddled with both an insecure operating system and then the huge costs and time to fix it continuously?). Consider 200 machines all doing Windows and AV updates – in our capped/(semi)-uncapped South Africa, that could cost a lot and slow down our already slow internet links. Yes, there are central update services for both AV and Windows updates, but these are not always simple to use, and keeping AV up to date in a network this size is costly to say the least (+/- R40k for 200 machines).

Now consider a platform that neither requires the attention to security that Windows does, nor the cost in keeping it malware-free. Why use an ecosystem where the vendor shuns security as a priority, requires serious amounts of time in maintenance, has to be patched and AV’d on a daily basis to keep it working, and still fails at the slightest provocation?

Beats me; but then there appear to be a lot of masochists around. Is everyone so used to this daily grind that they can’t ‘see the trees for the forest’?
