Man Fired When Laptop Malware Downloaded Porn

Geoffrey.landis writes "The Massachusetts Department of Industrial Accidents fired worker Michael Fiola and initiated procedures to prosecute him for child pornography when they determined that internet temporary files on his laptop computer contained child porn. According to Fiola, 'My boss called me into his office at 9 a.m. The director of the Department of Industrial Accidents, my immediate supervisor, and the personnel director were there. They handed me a letter and said, "You are being fired for a violation of the computer usage policy. You have pornography on your computer. You're fired. Clean out your desk. Let's go."' Fiola said, 'They wouldn't talk to me. They said, "We've been advised by our attorney not to talk to you."' However, prosecutors dropped the case when a state investigation of his computer determined there was insufficient evidence to prove he had downloaded the files. Computer forensic analyst Tami Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye. The virus protection and software update functions on the laptop had been disabled, and apparently the laptop was 'crippled' by malware. According to Loehrs, 'When they gave him this laptop, it had belonged to another user, and they changed the user name for him, but forgot to change the SMS user name, so SMS was trying to connect to a user that no longer existed ... It was set up to do all of its security updates via the server, and none of that was happening because he was out in the field.' A malware script on the machine surfed foreign sites at a rate of up to 40 per minute whenever the machine was within range of a wireless site."

Certainly sounds fair...

[Raineer (1002750)]

Good to know they researched heavily before firing him. At my company when re-deploying hardware like a laptop it is standard to wipe it completely and load a ghosted image. Who WOULDN'T do at least as much?

Re:Certainly sounds fair...

[Secrity (742221)]

They did fire him -- they fired him and never asked any questions. The investigation was by the prosecutor, not his employer. I wonder if he will be hired back with back pay.

Re:Certainly sounds fair...

[wtfispcloadletter (1303253)]

Then there's projects like Unattended that work great and can have a laptop or workstation back up and running in a default state, with all programs and updates applied in 60-90 minutes.

There is no excuse for giving someone a used laptop or workstation that hasn't been cleaned. We don't concern ourselves much with our workstations since they never leave our network, but any laptops get a thorough cleansing before being re-issued to someone else.

Re:Certainly sounds fair...

[Raineer (1002750)]

Maybe somebody without Ghost?

If you don't have something similar to Ghost, then you sure as hell don't fire someone with something illegal on the HDD. That is one certain way to open yourself (as a company) up to lawsuits. If you cannot prove what was on the laptop when you gave it to him, the firing surely is on shaky grounds.

Why? lots of reasons

[davidwr (791652)]

* to disrupt society
* to provide a plausible alibi for any of his perverted friends
* to drive up the cost of prosecuting this type of crime so prosecutors will have less money to prosecute his brother-in-law who runs an organized crime family
* kicks/jollies/juvenile reasons
* someone paid him to do it
* Why ask why
* He wanted his work to get on CowboyNealBoard, er, I mean Slashdot

Re:Why? lots of reasons

[secolactico (519805)]

* To create mirrored websites to ensure availability of the material.

It happens with malware spreading sites, why not illegal porn?

If the malware can run a distributed dynamic dns based site, it will achieve a highly distributed network that would be hard to shut down easily.

Re:Lawyer: This, boys and girls, is why . . .

[jythie (914043)]

Because the sites the malware connects through pay via click through.

What that bit of malware probably did was go around to a bunch of sites that the author gets fees from and makes it look like someone is browsing them.

Get a botnet of 1,000 computers going and it looks like hacker X convinced 1,000 people to view the site over and over.

Re:Lawyer: This, boys and girls, is why . . .

[Kjella (173770)]

Personally, I'm skeptical about the idea of malware that secretly downloads and hides kiddie porn--why would the malware developer do that? I really can't fault the emploeyr for not considering such an idea and investigating it.

Providing a layer of protection between the source nad the potential customers? I doubt an ad server serving up illegal images would be alive for very long.

Re:Lawyer: This, boys and girls, is why . . .

[vux984 (928602)]

Personally, I'm skeptical about the idea of malware that secretly downloads and hides kiddie porn--why would the malware developer do that?

I've actually seen this sort of thing a couple times... not for kiddie porn luckily. Just movies (hollywood) and warez back before p2p.

As you can imagine finding servers to host and distribute this sort of stuff can be difficult. So why not compromise some random persons laptop, setup an ftp server, irc, dynamic dns, and whatever else... and then use it as a free and 'anonymous' remote host and storage.

It wouldn't surprise me in the least that this could be in use for kiddie porn distribution.

I really can't fault the emploeyr for not considering such an idea and investigating it.

When dealing with any case of child abuse including kiddie porn, one should ALWAYS be extremely cautious. Because whether he is innocent or not, people will never look at him the same way again.

..why Megan's law and "zero tolerance" is tyranny.

[plasmacutter (901737)]

abuse including kiddie porn, one should ALWAYS be extremely cautious. Because whether he is innocent or not, people will never look at him the same way again.

and this is why "zero tolerance" and "Megan's law" are tyranny.

zero tolerance laws produce an extreme disincentive to properly and discretely investigate such things before slinging around an accusation which will ruin somebody's life.

"Megan's law"s punish people after the official debt to society has been paid. If you are so sure pedophilia is an incurable, life-long disease, than imprison them for life or develop a house arrest program, but you can't simply toss these sex offenders out, put a big neon "child molester" sign over their head, and pretend they have the same rights, or are not in danger of vigilantism.

Re:..why Megan's law and "zero tolerance" is tyran

[John Meacham (1112)]

Indeed. they should extend the indictment requirement required by the constitution for capital offenses to these sorts of crimes. Being falsely accused of molestation is much worse than being falsely accused of murder in terms of social repurcusions. (assuming one was eventually declared innocent of both).

Re:..why Megan's law and "zero tolerance" is tyran

[ScrewMaster (602015)]

Amendment 8 - Cruel and Unusual Punishment. Ratified 12/15/1791.

Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.

Frankly, zero-tolerance doesn't seem like what the Founders had in mind, nor does torturing people you don't like for the rest of their natural (and now probably shortened) lives. Granted, I suppose this depends upon your interpretation of "cruel and unusual", but if this can be applied to sex offenders it can be applied to any group of people if you can manage to vilify them sufficiently.

Re:Lawyer: This, boys and girls, is why . . .

[Sparks23 (412116)]

From my (admittedly cursory) read of the article, I gather they claim the malware was trying to pop up the images to a broken account. I.e., the malware downloaded the images (hence their being in the temp directory) and tried to display, but then failed. Thus, the user never saw that the laptop was doing this, or else he could've gone, 'uhm, something is very wrong with this machine.'

If this is true, though, the real question then becomes how they didn't notice the virus on the machine when reconfiguring things (poorly) for the new user. At that point, if the defense argument is accurate, the malware should have still been able to display this stuff, and you'd think the IT guys would have noticed...

Re:Lawyer: This, boys and girls, is why . . .

[networkBoy (774728)]

Your skepticism is mis-placed.
There is more than one kind of malware.
One kind sends Phishing Spam / Viagra spam / etc.
Another performs DDoS attacks.
A third acts as a distributed FTP/Fileshare server so that the guilty have a place to hide & share their wares and not have a single point of being shut down by the authorities. Whether this be lists of CC numbers or kiddie porn is immaterial.
-nB

Re:Lawyer: This, boys and girls, is why . . .

[Killeroid (1156515)]

Personally, I'm skeptical about the idea of malware that secretly downloads and hides kiddie porn--why would the malware developer do that? The malware wasn't downloading and hiding kiddie porn From the article: "Loehrs found a script file that was set to go out and run its own searches on foreign Web sites, she said. "And once you get into some of these foreign sites, you'll get all kinds of stuff you don't want to see. "Actually, the child pornography was just a very small portion of it. The majority was just bizarre porn. He was being hit with everything," she added." The malware author was probably running a pay per click scam by using his malware to visit a bunch of sites and making it seem a bunch of visitors were browsing the site.

Re:Lawyer: This, boys and girls, is why . . .

[by Anonymous Coward]

Probably, the malware itself is a temporary webserver to help distribute the load of an illegal kiddie porn pay site. Look up Fast Flux (http://en.wikipedia.org/wiki/Fast_flux [wikipedia.org]) spammers use it all the time and it is very simple to set up.

Re:Certainly sounds fair...

[dal20402 (895630)]

Anytime. It was so satisfying, I'd leave again if I weren't already gone. Maybe I'll fly up there just to leave again.

Re:Certainly sounds fair...

[treeves (963993)]

Maybe they'll change their name to The Massachusetts Department of Industrial Accidents Waiting To Happen.

yet another

[Brian Gordon (987471)]

case where you can't help but think "this can't be right".. making certain types of information illegal to possess just doesn't make practical sense in the context of the Internet, no matter how morally objectionable we find it.

Re:yet another

[by Anonymous Coward]

Possession crimes in general are bad ideas. You can make anyone a criminal with only minimal effort.

"Officer, I'd like to make an anonymous tip. So-and-so Smith is carrying marijuana in a plastic baggie taped to the inside of his bumper, license plate 555-555. He parks at workplace. I overheard him talking about selling it."

Bam. Reasonable cause, possession, and intent to distribute despite the fact that Mr. Smith has led a blameless life. Because of someone's grudge and quick work with masking tape, he's now a felon.

Possession crimes are super-easy to prove in court and are therefore a favorite of prosecutors.

"Here's a photo of the illicit material in his possession. What do you think, jury? If he had the material in his possession, he's guilty of the crime."

Of course there are absolutely no corrupt officials or police officers who would ever plant such evidence. If you believe that, I've got a bridge to sell you.

Bonus: Captcha == "Bunkmate" which is what this guy narrowly avoided being plowed by.

Re:yet another

[Jafafa Hots (580169)]

And also, how can we possibly stop people from murdering each other unless we arrest people who have crime scene photos?

Re:yet another

[anagama (611277)]

Make _intentionally_ having it a crime. Yes, this does create a harder burden for prosecution, but why should someone be prosecuted for something that 1) they didn't actually do, 2) didn't even know was going on, and 3) didn't even know they had. If we prosecute such people, we might as well just admit we're no longer "home of the free" but are rather just another pathetic abusive government.

Re:yet another

[turbidostato (878842)]

" Because in some cases people might be unaware of what's happening on their computer, it doesn't make sense to make information illegal to posess?"

You told it: it doesn't make sense to make information illegal to posess. I thought that to be self-evident in "the land of the free".

Alas

[rustalot42684 (1055008)]

If people hadn't jumped to conclusions and had done a more thorough investigation, this man would not have lost his job and reputation.

A poorer man would've been convicted

[davidwr (791652)]

I've heard of people getting screwed by their bosses before but this is ridiculous.

If he hadn't had the resources to hire his own expert, he would be in prison and branded a sex offender for life, all because his boss didn't practice safe hex.

Tough lesson learned...

[Muckluck (759718)]

This is a tough lesson learned for Mr. Fiola, but the lesson is, always request a clean build when receiving new equipment in the workplace. That would have eliminated the malware and given him a clean system to work on.

Re:Tough lesson learned...

[oldspewey (1303305)]

And how does the average corporate employee even know whether he/she has a "clean build" when issued a new laptop. Most times a laptop arrives pre-imaged with an OS and a standard suite of software tools. Unless you go poking around the filesystem you can't really tell how "clean" the machine is.

Dayam.

[Penguinisto (415985)]

Man... reason # 10,297,668 why I primarily use Linux as my desktop @ work.

Not that Linux (or OSX, or any of 'em for that matter) are 100% crack-proof, but putting one's career at the mercy of common malware and the only safety net is a sharp eye at the IT department?

OTOH, I suspect this guy (if he plays his cards right and has a sharp lawyer on retainer) may never have to work another day in his life.

/P

The real crime here...

[adsl (595429)]

The real crime here is that the charges were dropped thru "insufficient evidence".... Why is this loophole allowed to prosecutors? How about. "We are sorry we should never have arrested you, fired you and will will formally erradicate all your arrest process so it never happened and give you backed dated pay and legal expenses".

Re:The real crime here...

[LostCluster (625375)]

The real problem is that, as the summary said, they didn't change the security software username, and killed the old username at the server. Therefore, he was running unupdated software... leaving him open to any new Internet threat. Sounds like the IT Department deserves to be fired.

Telling quote from TFA

[GroeFaZ (850443)]

"As soon as you mention child pornography, everybody's senses go out the window, she [the computer forensics expert] said."

Sounds too familiar. What's really fucked up is that his former employers "stand by their decision", namely to fire the guy. The bare minimum would be a public excuse, an offer to let him work there again, and probably a hefty compensation if he refused. But that's not likely to happen since by definition, the government knows best.

"We stand by our decision"

[Strange Ranger (454494)]

DIA spokeswoman Linnea Walsh confirmed Fiola "was terminated," but declined to say if any internal discipline has been meted out as a result of his name being cleared in court.

"We stand by our decision," she said.

So now the DIA is trying cover it's own ass for giving him "a ticking time bomb" and then firing him for it and ruining any social life he had.
The worst part is that the assholes at DIA responsible for the horrible "roll-out" of a replacement laptop, and the PHB's responsible for firing him w/o doing proper research into the issue will not be punished in any way. THEIR lives won't be ruined. Even if he wins a lawsuit. It'll be money from the DIA, but no real punishment to the people involved.

Somebody find all their names and contact info (I'm too lazy) and post it. Let's send the info to Russia with requests for Viagra and child porn.

Seriously though, The Office is funny on TV, but tragic in real life. These people should be arrested for harassment and criminal negligence at the least.

What kind of laws can we enforce (and/or pass) to truly punish the individuals responsible for shit like this? Lawsuit money from the organization isn't even close to justice.

Been there to an extent

[7-Vodka (195504)]

I've worked for the state of MA and I've run into the same problem many times on their computers. Depending on where you work their IT people are really not that knowledgeable or hardworking and I can't blame them, they have to work with microsoft crap, I would be slacking too.

I was even fooled by it once. I found pr0n bookmarks under a cute girl's login and I was thinking "Daaamn this girl is a freaky.." for a few seconds until I realized what it was. I could easily see how people would jump the gun and over react when they find actual material on a computer and not just bookmarks however they should at least ASK the person if they're guilty and send it for investigation first.

Whats interesting in this story is....

[tacokill (531275)]

The fact the he was charged with child porn. I've been following this case in the news because it is such an odd case. As TFA says, they eventually figured out it was viruses and malware doing the downloading of images (over the web, BTW). Ok, fair enough.

However, another article (can't find the link, sorry) was interviewing one of the detectives involved with the case. What he said was something along the lines of "there was a LOT of porn on the computer. 99% of it was just gross stuff, not illegal. But we did find a few pics of young girls.". Which makes me wonder --- how, exactly, do they define child porn?

Are they just arresting people because pictures look young?

...or did they find real kiddie porn on there?

It just seems odd that all of a sudden there is all this kiddie porn out on the publicly available internet and it does not draw attention. I would presume, with Tor, Freenet, etc all of that activity would be driven underground (ie: encrypted). Is there really "spam" and popup based kiddie porn still going on in the WWW?

I ask because I have...err...my friend has not seen it since the early early days of the internet. Back then, you truly could stumble across it accidentally. It hasn't been that way for a long long time though, in my experience.

Re:Whats interesting in this story is....

[locokamil (850008)]

You mean your friend's experience, right?

I saw the movie

[Ranger (1783)]

It's called Farm Sluts [youtube.com]. Hilarious! Well not for the guy in real life.

the ultimate untraceable weapon

[analog_line (465182)]

Get child porn on your enemy's computer as long as he runs Windows (or whatever else), total deniability because there's so much malware out there. This scares the bejeezus out of me.

usually a witch hunt to fire high paid worker

[GoodNicksAreTaken (1140859)]

I'm involved in investigating things like this in my line of work. The argument I've worked on the most was that X worker was on eBay at 6am, and then there is a record of X on at 12pm, so we fired X for waisting time spending 6 hours of their day on eBay. Everyone of the cases I've helped investigate the employee was a few months from reaching a big pay increase or increase in retirement benefits.

Their team also loves to hand us data that their forensic person has pulled from Windows without giving us access to the original drive. When questioned on how he obtained the data it was clear that their certified forensic expert didn't make a locked copy of the drive but logged in and poked around. The certification their contractor has is from IACIS http://www.cops.org/certifications [cops.org]

None of them so far has gone to a judge AFAIK but I know my PHB has testified for an arbitrator and the arbitrator ruled there was insufficient evidence for a dismissal.

Re:What is the real truth here?

[John Hasler (414242)]

Sounds like it may have been the previous user that got the machine infected.

Re:What is the real truth here?

[couchslug (175151)]

"Sounds like it may have been the previous user that got the machine infected."

Sounds like a good reason to either demand a clean install when being issued a machine (and check it yourself anyway) or (if dealing with clueless types) wipe it, hand it back, and play the luser:

"Uhh, I can't log on..."

Not everybody is a slashdotter

[fm6 (162816)]

From a purely technical point of view, a clean install is good advice in this situation (and many others!) But it's not something an ordinary user can do. This guy certainly doesn't have the expertise, not if he was using such a thoroughly compromised system. So he has to turn it over to the IT department, which then charges his department $100 or more for the service. That's approaching the total value of the laptop if its been around for any length of time.

Re:Not everybody is a slashdotter

[dedazo (737510)]

Yeah, it's too bad he did not have the skill and nerve

Not having a skill you might happen (I assume) to have shouldn't be cause for derision or ridicule. As for the "nerve", you've obviously never had a job at a company of any significant size. And we'll leave it at that.

Re:What is the real truth here?

[Missing_dc (1074809)]

As a sys-admin, I was given a laptop to use that was my predecessor's. While doing a search of the laptop, I found A LOT of porn in the internet cache. My predecessor had used the firewall/lan bypass device we reserve for site visitors to surf for porn on company time. I did not report him, I simply contacted him and said "I seem to have found some adult material on your laptop, all time and user stamped for you. I think I will re-image this machine, do you have any objections?" He seemed pretty thankful that I was doing so and has been very helpful towards me ever since (8+ months).

I would like to think that as a sysadmin, I have the duty to protect both the company and the users under my watch. I was not harming the company by giving this guy an out(especially since he had just got a big promotion and an expensive move to corporate HQ).

Do you think I did wrong in not reporting the guy? (It was obviously deliberate browsing, but no kiddie stuffs)

Julie Amero ?

[PoliTech (998983)]

Julie Amero and the Porn Pop-Ups [wikipedia.org] all over again?

Re:Julie Amero ?

[stavros-59 (1102263)]

Yep.

The forensic report is linked to on this page [csoonline.com] and is scathing about the IT staff.
They did the handover and didn't even notice that the antivirus wasn't working and that their SMS update system wasn't working.

It should be policy to handover computers with clean image and with updates.

Re:What is the real truth here?

[One Childish N00b (780549)]

Hey, this trick worked on my mother when she busted me with (regular) porn on the family computer back in the day. I just showed her some flashy sensationalist article from the newspaper about 'malware' and 'popups' and told her the internet must have done it. Obviously it was that evil internet that had filled her computer with pornography, and not her pure-minded, cherub-like son. Curse that evil internet.

I wonder if she ever noticed that 'the internet' preferred brunettes?

Re:What is the real truth here?

[susano_otter (123650)]

Let me guess: Your mom is a brunette...

Re:What is the real truth here?

[blofeld9999 (1010357)]

She is. I know this because I also prefer brunettes.

Re:I submitted to the Firehose at 6PM! on the 18th

[hummassa (157160)]

Why don't you try writing your submissions intelligently and professionally?

Because then it would eliminate any chance of them going to the /. front page? :-)

Re:That's a nice HUGE FREAKIN' BLOCK OF TEXT

[Geoffrey.landis (926948)]

That's a nice HUGE FREAKIN' BLOCK OF TEXT you've got there, buddy. Maybe you'd like some PARAGRAPH STRUCTURE to wash it down.

Don't blame me, the story as I submitted it [slashdot.org] had paragraph breaks.