Warhammer 1500 Warriors of Chaos vs Mark’s Dark Elves 29th June 2009

Another outing for the Warriors of Chaos. This time facing off against Mark (reigning club Warhammer champion no less!) and his Dark Elves. Here is the full battle report including images created in Battle Chronicler.

Warhammer 1500 Warriors of Chaos vs Terry’s Empire

On Monday I led my Warriors of Chaos against Terry’s Empire army. Truly magic is a fickle mistress. I have written up the complete battle report including images of each round (created in Battle Chronicler).


Warhammer 1500pt Warriors of Chaos vs Chris’s Orcs and Goblins

A Warhammer Fantasy battle report of a 1500pt game between my Warriors of Chaos and Chris’s Orcs and Goblins. Includes army lists, and pictures of each turn created in Battle Chronicler.


Warhammer 1500 Warriors of Chaos vs Mike’s High Elves

My local club the Bedford Gladiators’ 1500 Warhammer league is about to begin. 12 players have signed up and I have decided to take my new Warriors of Chaos army. I managed to get a couple of test games in against Mike’s High Elves on Monday. Unfortunately I didn’t take notes while I played and I can’t remember the details of game 1 well enough to report on them, beyond saying the game was close and ended in a ~500vp win for my Warriors.


40K Valkyrie with swappable weapons

The new Imperial Guard Valkyrie kit comes with a number of tempting options. Normally when building the kit, the owner must choose one set of options. Using rare earth magnets I have built a Valkyrie that can use every option from the new Codex.


BBC Click Botnet FoI Request for PC details

I have just emailed the BBC with a FoI request for any information they have on the computers that comprised the Botnet the Click team used.

I would like to make a FoI request for the information (specifically including the IP addresses) regarding the computers that comprised the Botnet used by the BBC Click researchers (Your story: http://news.bbc.co.uk/1/hi/programmes/click_online/7932816.stm). If you believe you would be unable to share the complete IP address, then I would accept the IP addresses in the human readable form with the last section omitted (eg. 208.77.188.166 would become 208.77.188.xxx or 208.77.188).

Although I hope that they will agree to share at least the limited IP information, the FoI process can take a while and I have my doubts that they will give me anything. I am expecting to get a polite refusal either on the grounds that the information hasn’t been retained (convenient) or that it is private information that they cannot share due to the Data Protection Act (In which case the irony will be that if they cannot share it due to the DPA then they also weren’t entitled to collect the information without permission in the first place).

I expect this will probably be my last post regarding this subject until I get a response or some other source is able to get more information out of the BBC, who are currently stonewalling by refusing to discuss the legality of the issue beyond citing “strong public interest” (something that is irrelevant to the Computer Misuse Act). At some date in the future I will write up the information collected as a single page source so people can use it as a stable resource.

If anyone has some new information, or wants to point me in the direction of a news or opinion source I haven’t read/mentioned I’d love to hear about it.

BBC Responds to my Click Botnet question.

Yesterday when I first read about the BBC Click team’s Botnet investigation I sent the BBC an email.

In this story it is stated that you acquired and used a botnet. Although the target of the DDoS and spam had consented to this, the article makes clear that the computers that made up the botnet belonged to owners who were not aware you had access.

Can you please respond regarding your position on the legality of your team’s actions, especially with regards to the Computer Misuse Act 1990.

I received an email response to this question yesterday at 19:36 (AIM mail had spam filtered it, thus the delay in posting it).

Dear John Graham

I apologise for the delay in responding to your query but the person who was dealing with this was taken ill.

We would answer your point by saying.

It was not our intention to break the law. At no stage was any other data other than the IP address used. There is a powerful public interest in demonstrating the ease with which such malware can be obtained and used; how it can be deployed on thousands of PCs without the owners even knowing it is there; and its power to send spam e-mail or attack other websites undetected. This will help computer users realise the importance and value of using basic security techniques to defend their PCs from such attacks. The BBC has strict editorial guidelines for this type of investigation which were followed to the letter.

Although I accept the point that they were covering an important issue, I don’t feel this answer really responds to the question I asked. Hopefully some other, larger, news sources can get a more detailed explanation from the BBC as to why they believe what they did was legal. I find his assertion that no details other than IPs were used strange, especially given the fact that they altered users’ background images…

Slashdot Users’ browser preferences

Having only just set up this site before posting a couple of links to Slashdot regarding the BBC Click Botnet, my site statistics give an interesting insight into the choice of browsers among Slashdot’s users.

  1. 66.3% Firefox 3
  2. 6.7% Internet Explorer 7
  3. 4.5% Internet Explorer 6
  4. 4.5% Google Chrome
  5. 4.3% Firefox 2
  6. 4% Opera
  7. 3.9% Safari
  8. 2.1% Iceweasel
  9. 0.9% Internet Explorer 4
  10. 0.7% Konqueror
  11. 0.7% Seamonkey
  12. 0.5% Generic Gecko
  13. 0.2% Mozilla Minefield
  14. 0.2% Mozilla Minefield

Credit also goes to the single visitor who was using Solaris OS.

I don’t intend to imply anything from the above results, partly to ensure I avoid any risk of flaming from browser zealots. Though I admit I was surprised to see FF3 used so widely given that from my experience many Slashdotters browse at work, and many workplaces are IE only (so congratulations Mozilla).

BBC Click’s Botnet – The moral dimension

Well, since yesterday morning when I first wrote about this story, the BBC Botnet has made it into a number of news sources, including The Guardian, which asked “Did BBC botnet break the law?”, and the coverage on Sophos’s website and The Register was mentioned here yesterday. Slashdot also posted the story, where I posted a couple of comments (the links in these comments have driven more traffic to this site than any other source).

Whether the BBC’s action was legal has been the focus of a lot of discussion so far, but in this post I want to discuss whether it was moral. A lot of people are taking the position that the BBC should be thanked for this piece of journalism, as it will raise awareness of the issue and they also destroyed the Botnet. However my own opinion is that what the BBC did was completely unacceptable for a number of reasons:

Did they fund crime?

The BBC acquired a Botnet, and although they haven’t entirely explained how, it is implied that they bought it. If this is the case then the BBC has knowingly paid a criminal for access to his services. This more than negates any good they can claim by having then disposed of the Botnet.

When the BBC bought that Botnet they helped ensure creating Botnets was profitable, which encourages criminals to create more. That is the exact same reason why having the police buy Heroin and Guns from dealers isn’t the solution to gun and drug crime.

Where were the computers?

The BBC Botnet had 22,000 computers in it. The BBC hasn’t said anything about where these computers were, or if it even knew. As Botnets aren’t designed to stay within one geographical region it is unlikely that these 22,000 machines were all within the United Kingdom. It is in fact likely that it will contain 1000s of foreign PCs, and perfectly possible that it will include machines on military networks either inside or outside of the United Kingdom.

Maybe it’s just me but if I found out that China State Central television (Chinese State broadcaster) had bought access to a Botnet that my PC had been compromised by and used my PC without authorisation, changed my background and then ‘deleted’ the exploit I wouldn’t be overly impressed.

And then there is the question of legal jurisdictions. As Gary McKinnon is finding out at the moment, being in the UK when you access resources in another Country doesn’t protect you from the laws of that Country. If the BBC Botnet included an American PC are they sure their action wasn’t illegal under US or State Law?

Do we want vigilantism?

The debate over whether it is acceptable to produce programs that work like Malware etc but for the purpose of good has been going on for years. Should it be acceptable to write a program that searches for PCs with a security flaw and install an application on them that removes all viruses, checks and reports the user for any illegal pornography, checks and reports the user for any pirated content and then fixes the security flaw? I would hope most people would say no to this extreme example, but what needs to be considered is that it can be justified on the same grounds as the BBC’s action.

BBC Click’s Botnet vs Computer Misuse Act 1990

I posted a story earlier today asking whether the BBC had broken the law when it performed a piece of investigative journalism which included using a Botnet. The BBC used this botnet to perform spamming and DDoS operations on targets who had agreed to take part, which is likely to ensure this side was legal.

However what is less clear is whether the BBC’s use of compromised PCs (the Botnet) whose owners had not given permission was legal under the Computer Misuse Act 1990. Although I initially thought the BBC’s actions would have clearly crossed the line, I am beginning to think that they can claim their actions were within the law.

Offence 1: Unauthorised access to computer material

A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case

If the BBC broke the law it is likely to be this law. The BBC’s action was clearly intentional (c) and unauthorised (b) so the only question is whether the BBC’s instructions to the Botnet to DDoS and Spam are covered by (a) “causes a computer to perform any function with intent to secure access to any program or data”. Given that a computer that is part of a Botnet is running the program that is exploiting it this seems likely to be the case.

Offence 2: Unauthorised modification of computer material

(1) A person is guilty of an offence if—

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

This is the crime that Sophos have chosen to focus on, and in my opinion the BBC are safe on this charge. When the BBC installed a new wallpaper on the people’s computers informing them that they had been compromised it clearly performed “the unauthorised modification of the contents of any computer”. However it is the requirement (b) “has the requisite intent” that the BBC can claim means they did not commit a crime.

For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data.

What the BBC did probably doesn’t meet these criteria for requisite intent. Do any of you have a different opinion on the matter?

Update 13th March 17:30:

David Harley left a comment on this topic including a link to his own article on this subject. I found it extremely informative and interesting to read, and suggest it strongly to anyone interested in this story.