The Tech Herald have brought it to our attention that Comodo, a security company who include an antivirus product in their range, have backed the BBC’s action in buying and exploiting a botnet for the Click programme’s story. This is clearly swimming against the tide – virtually all the mainstream anti-malware companies who’ve commented have indicated their disapproval of the BBC’s actions.
Melih Abdulhayoglu, Comodo’s CEO, regards buying a botnet as good use of taxpayers’ money, but doesn’t explain why using a real botnet to carry out simulated attacks is better than using legal means, and doesn’t even mention in justification the one thing the BBC did half-right: they did at least try to alert the owners of the compromised systems that they had a problem, although the means of communication (unauthorized modification of data, i.e. desktop wallpaper) was at best inappropriate.
Abdulhayoglu is entitled to his opinion, of course. I wonder, though, whether mainstream companies who planned on attending a security forum organized by Comodo later this month will now be considering whether they can afford to be seen to align with such radical views on the need to conform with the rule of law and, arguably, its own guidelines on what is acceptable in terms of conducting business with criminals?
Historically, the anti-virus industry (as we used to call ourselves) has always been fastidious about maintaining ethical and legal standards, and sometimes this has hampered our effectiveness against the bad guys, who have no such scruples. Vendors whose roots are in other security sectors, though, are sometimes more overtly sympathetic to vigilante action, even if they don’t engage in it themselves.
However, I think the point that many people are still missing is that the BBC didn’t lynch any cybercriminals. On the contrary, they gave them a little extra pocket money. They didn’t uncover anything new: they simply publicised the problem.
So while I’m prepared to give them one rather subdued cheer for bringing the botnet issue to the attention of more people, I’m far from convinced that the way they did it could not have been done just as effectively without flouting the law. I don’t say it isn’t appropriate for some investigations to be carried out under "deep cover": it saddens me, though, that "the public interest" continues to be used as a defence for sensationalist reporting and unnecessary comfort to the enemy.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence