Spencer Kelly over at BBC News rented a botnet and took it for a spin. Then he wrote a story and produced a video about it explaining a little bit of what he did in the process. His antics included sending 10,000 spams and that drew the ire of Sophos' Asia-Pacific head of technology Paul Ducklin.
Ducklin wrote that "the BBC had no legal right, and certainly no moral right, to connect up to other people's PCs without permission, especially considering that this unauthorised access was carried out using a backdoor (the bot) which the BBC knew had almost certainly been illegally and unknowingly installed in the first place. And the BBC had no right to use those PCs for its own purpose, which was, after all, to make a TV programme."
To further make his point, Ducklin posed the question: what if the botnet software developers added functionality that wasn't apparent? For example, what if clicking to send spam actually deletes all the files on a user's computer?
That's a good question. The BBC probably did act a bit irresponsibly - and I am in no way surprised, since that seems to be standard practice for much of mainstream media, which by all measures is clearly self-centered and overly narcissistic.
Be that as it may, by simply running this experiment the BBC found itself in a "damned if you do and damned if you don't" situation, as demonstrated by Larry Seltzer over at eWeek, where he wrote: "In the end the BBC states that they notified the owners of the systems involved that they were infected. They didn't provide details on how they did this (I wonder why, he said sarcastically), but our reporting indicates that they did this by modifying the user's wallpaper to include a note about it. Well-intentioned as it may have been, this alone is a violation of the Computer Misuse Act. It's also a common technique of rogue anti-malware products; they use any avenue they can get to try to get the user to 'fix' their problem by buying the premium program."
Wow, that's a week argument (no pun intended) if I ever heard one. No offense intended to Larry - but if I found out someone's computer was infected you can bet your last penny that I would make it known to them in whatever way I could and not give a flip what rogue developers do. It's a function of placing some rules above others - right versus wrong from a sense of conscience without regard to legal malarkey.