Botnets are big news these days and for good reason. They are big business for criminal organizations, and a bane for the average computer user. They are also very interesting to study. This week I read two articles about botnets that really have little to do with botnets themselves and are instead about ethical decisions made by companies researching botnets.
The first article, from InformationWeek, discussed the choice made by the producers of the BBC show, Click. The show attempted to educate its viewers about botnets by demonstrating their power. The producers purchased a botnet from a criminal organization, then used it to send spam and to perform a DoS attack against a volunteer website.
The author of the article, Sara Peters, pointed out that what the show’s producers did was both illegal and unethical. They sent unwanted email to thousands of people using the botnet controlling thousands of infected computers. They also used the botnet to control 60 infected computers to perform the DoS attack. As Ms. Peters pointed out, these actions are in clear violation of UK law. The experiment also disrespected people’s rights because it is unlikely that any of the people owning the infected computers were interested in participating in it.
The second article is authored by M.E. Kabay, who also happens to be the program director for the MSIA program at Norwich University, where I am currently a student. Dr. Kabay wrote about a decision made by the management of Tipping Point.
The Tipping Point management faced the same decision Captain Picard faced in “I Borg”, where the crew found an injured Borg who was separated from the collective mind. Following Picard’s orders, Geordi and Data created an unsolvable geometric puzzle that would act as a virus and destroy the Borg if it were inserted into the collective mind. In the end, Picard found this choice to be unethical and he let the Borg, Hugh, return to the collective without infecting him with the virus.
In much the same way, the Tipping Point scientists discovered a way to take control of the Kraken botnet and use it to destroy itself. Pretty neat if you ask me. This was a chance to destroy a huge botnet consisting of more than 400,000 infected computers. Why wouldn’t they take advantage of this discovery?
Yet, the Tipping Point management found this choice to be unethical. Destroying the botnet involved making changes to infected computers without first gaining their owners’ permission. Additionally, these changes might have unintentional consequences. There was no way to know the cleansing action wouldn’t cause more damage to the infected computers. Unlike the BBC, the Tipping Point management did not presume to have the right to change the configuration of people’s computers without their owners’ permission.
So, we have two companies researching and experimenting with botnets resulting in two very different decisions on how to deal with them. The BBC broke the law while attempting to educate their viewers. Conversely, Tipping Point chose not to break the law even if it meant not killing the world’s largest botnet. I think the main point to remember is that one cannot do good by breaking the law and violating people’s rights, even when trying to help them.





