Man Fired When Laptop Malware Downloaded Porn
Geoffrey.landis writes "The Massachusetts Department of Industrial Accidents fired worker Michael Fiola and initiated procedures to prosecute him for child pornography when they determined that internet temporary files on his laptop computer contained child porn. According to Fiola, 'My boss called me into his office at 9 a.m. The director of the Department of Industrial Accidents, my immediate supervisor, and the personnel director were there. They handed me a letter and said, "You are being fired for a violation of the computer usage policy. You have pornography on your computer. You're fired. Clean out your desk. Let's go."' Fiola said, 'They wouldn't talk to me. They said, "We've been advised by our attorney not to talk to you."' However, prosecutors dropped the case when a state investigation of his computer determined there was insufficient evidence to prove he had downloaded the files. Computer forensic analyst Tami Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye. The virus protection and software update functions on the laptop had been disabled, and apparently the laptop was 'crippled' by malware. According to Loehrs, 'When they gave him this laptop, it had belonged to another user, and they changed the user name for him, but forgot to change the SMS user name, so SMS was trying to connect to a user that no longer existed ... It was set up to do all of its security updates via the server, and none of that was happening because he was out in the field.' A malware script on the machine surfed foreign sites at a rate of up to 40 per minute whenever the machine was within range of a wireless site."
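The rate quoted in the summary, up to 40 sites per minute, is something a proxy or DNS log can show without touching the laptop itself. The following is an added example, not code from the article or the forensic report: it finds such bursts with a sliding 60-second window. The log format, the client names and the threshold of 20 distinct hosts are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)


def find_bursts(lines, threshold=20):
    """Return {client: [episode, ...]}. An episode is a stretch of time during
    which the client reached >= threshold distinct hosts inside a 60 s window.
    Assumed log format (hypothetical): "<ISO timestamp> <client> <host>"."""
    per_client = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, host = line.split()[:3]
        per_client[client].append((datetime.fromisoformat(ts), host.lower()))

    episodes = {}
    for client, events in per_client.items():
        events.sort()
        window, in_window = deque(), Counter()   # events / host counts in window
        current, found = None, []
        for ts, host in events:
            window.append((ts, host))
            in_window[host] += 1
            # Drop events that have aged out of the 60 s window.
            while ts - window[0][0] >= WINDOW:
                _, old = window.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            distinct = len(in_window)
            if distinct >= threshold:
                if current is None:
                    current = {"start": window[0][0], "end": ts, "peak": distinct}
                else:
                    current["end"] = ts
                    current["peak"] = max(current["peak"], distinct)
            elif current is not None:
                found.append(current)
                current = None
        if current is not None:
            found.append(current)
        if found:
            episodes[client] = found
    return episodes


def constructed_sample():
    """Constructed log lines: one scripted client, one human-paced client."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    lines = ["# constructed sample, not data from the case"]
    for i in range(50):          # a new site every second: machine speed
        stamp = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} laptop-17 site{i:02d}.example")
    for i, host in enumerate(["news.example", "mail.example", "wiki.example"]):
        stamp = (t0 + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{stamp} desk-03 {host}")
    return lines


if __name__ == "__main__":
    for client, eps in find_bursts(constructed_sample()).items():
        for e in eps:
            print(client, e["start"], e["end"], "peak distinct hosts/min:", e["peak"])
```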
What is the real truth here? (Score:4, Insightful)
Certainly sounds fair... (Score:5, Insightful)
yet another (Score:5, Insightful)
Alas (Score:5, Insightful)
Re:What is the real truth here? (Score:3, Insightful)
Oh, and by the way, the real Truth is here. (check my name)
A poorer man would've been convicted (Score:5, Insightful)
If he hadn't had the resources to hire his own expert, he would be in prison and branded a sex offender for life, all because his boss didn't practice safe hex.
Dayam. (Score:5, Insightful)
Not that Linux (or OSX, or any of 'em for that matter) are 100% crack-proof, but putting one's career at the mercy of common malware and the only safety net is a sharp eye at the IT department?
OTOH, I suspect this guy (if he plays his cards right and has a sharp lawyer on retainer) may never have to work another day in his life.
The real crime here... (Score:5, Insightful)
Re:Certainly sounds fair... (Score:1, Insightful)
Re:Tough lesson learned... (Score:5, Insightful)
"We stand by our decision" (Score:5, Insightful)
"We stand by our decision," she said.
The worst part is that the assholes at DIA responsible for the horrible "roll-out" of a replacement laptop, and the PHBs responsible for firing him w/o doing proper research into the issue will not be punished in any way. THEIR lives won't be ruined. Even if he wins a lawsuit. It'll be money from the DIA, but no real punishment to the people involved.
Somebody find all their names and contact info (I'm too lazy) and post it. Let's send the info to Russia with requests for Viagra and child porn.
Seriously though, The Office is funny on TV, but tragic in real life. These people should be arrested for harassment and criminal negligence at the least.
What kind of laws can we enforce (and/or pass) to truly punish the individuals responsible for shit like this? Lawsuit money from the organization isn't even close to justice.
Why? lots of reasons (Score:5, Insightful)
* to provide a plausible alibi for any of his perverted friends
* to drive up the cost of prosecuting this type of crime so prosecutors will have less money to prosecute his brother-in-law who runs an organized crime family
* kicks/jollies/juvenile reasons
* someone paid him to do it
* Why ask why
* He wanted his work to get on CowboyNealBoard, er, I mean Slashdot
Re:The real crime here... (Score:1, Insightful)
Re:Lawyer: This, boys and girls, is why . . . (Score:5, Insightful)
What that bit of malware probably did was go around to a bunch of sites that the author gets fees from and make it look like someone is browsing them.
Get a botnet of 1,000 computers going and it looks like hacker X convinced 1,000 people to view the site over and over.
Re:Lawyer: This, boys and girls, is why . . . (Score:5, Insightful)
Re:yet another (Score:3, Insightful)
Re:Dayam. (Score:2, Insightful)
Most organisations wouldn't (Score:3, Insightful)
I saw the movie (Score:5, Insightful)
Re:Lawyer: This, boys and girls, is why . . . (Score:5, Insightful)
I've actually seen this sort of thing a couple times... not for kiddie porn luckily. Just movies (Hollywood) and warez back before p2p.
As you can imagine, finding servers to host and distribute this sort of stuff can be difficult. So why not compromise some random person's laptop, set up an FTP server, IRC, dynamic DNS, and whatever else... and then use it as a free and 'anonymous' remote host and storage.
It wouldn't surprise me in the least that this could be in use for kiddie porn distribution.
I really can't fault the employer for not considering such an idea and investigating it.
When dealing with any case of child abuse including kiddie porn, one should ALWAYS be extremely cautious. Because whether he is innocent or not, people will never look at him the same way again.
Re:What is the real truth here? (Score:5, Insightful)
Sounds like a good reason to either demand a clean install when being issued a machine (and check it yourself anyway) or (if dealing with clueless types) wipe it, hand it back, and play the luser:
"Uhh, I can't log on..."
Re:yet another (Score:4, Insightful)
Re:Lawyer: This, boys and girls, is why . . . (Score:5, Insightful)
If this is true, though, the real question then becomes how they didn't notice the virus on the machine when reconfiguring things (poorly) for the new user. At that point, if the defense argument is accurate, the malware should have still been able to display this stuff, and you'd think the IT guys would have noticed...
Re:Tough lesson learned... (Score:3, Insightful)
umm?! (Score:1, Insightful)
Re:yet another (Score:2, Insightful)
I mean, you wouldn't punish someone for having videos of people being murdered, would you? You would only punish those who did the killing, and perhaps those who purchased it, providing that the purchaser knew that they were encouraging such behavior, which is a stretch, I know. That's why I'm not sure if purchasing kiddie porn should be illegal.
Re:Unlawful Termination (Score:3, Insightful)
Re:Lawyer: This, boys and girls, is why . . . (Score:1, Insightful)
> why would the malware developer do that?
Perhaps the malware is part of a P2P network distributing porn? Why risk getting arrested for distributing porn when you can co-opt other (innocent) people's computers into a network that does your dirty work for you?
Re:The real crime here... (Score:2, Insightful)
Re:Telling quote from TFA (Score:1, Insightful)
No future employer is likely to take the public relations gamble that he's innocent, versus the huge risks if he isn't, when there's a thousand other candidates as good who are not a risk at all.
In a case like that, where the guy is irretrievably ruined for life, he should be compensated the same as anyone else who can never work again through workplace negligence, say in the form of physical injury, which would be anticipated remaining lifetime earning, with whatever cap there is on such damages.
Of course, that won't happen. He'll probably work in some cheap, dead-end junk job, where nobody cares about background and nobody asks questions. If he's lucky. The US has a high homeless rate, and very little of it is voluntary or self-inflicted.
Re:"We stand by our decision" (Score:2, Insightful)
There's certainly plenty of blame to pass around here, but before you go on a witch hunt, let's look at what may have happened.
Now, chances are that the PHB was not the one who discovered the child porn. More than likely the content was reported to the PHB or HR or whatever by somebody in IT. So right away we have an unknown and possibly long chain of communication. So the PHB hears from somebody in the company that one of the employees is downloading child porn, what is he supposed to do now (especially if he's not tech savvy)? Did the IT department inform the PHB or HR or whatever that it could be a false alarm? Maybe, maybe not. Was the critical information lost somewhere during the chain of communication? Maybe or maybe not. We do know from the article that the PHB consulted the company lawyer (probably a good idea). So now a lawyer is involved. What advice did the lawyer give to the PHB? Was the PHB acting of his own accord, or directly following instructions from legal? The answer is not obvious.
Now somebody somewhere dropped the ball, but it is entirely unclear which person or persons are to blame for that happening. Additionally it appears on the surface that the mistake was not made wilfully or out of spite, but out of a mistaken conviction.
If this had happened to me, I would be far less concerned about getting even with whoever was to blame, and far more interested in pursuing appropriate compensation.
Re:yet another (Score:5, Insightful)
"Officer, I'd like to make an anonymous tip. So-and-so Smith is carrying marijuana in a plastic baggie taped to the inside of his bumper, license plate 555-555. He parks at workplace. I overheard him talking about selling it."
Bam. Reasonable cause, possession, and intent to distribute despite the fact that Mr. Smith has led a blameless life. Because of someone's grudge and quick work with masking tape, he's now a felon.
Possession crimes are super-easy to prove in court and are therefore a favorite of prosecutors.
"Here's a photo of the illicit material in his possession. What do you think, jury? If he had the material in his possession, he's guilty of the crime."
Of course there are absolutely no corrupt officials or police officers who would ever plant such evidence. If you believe that, I've got a bridge to sell you.
Bonus: Captcha == "Bunkmate" which is what this guy narrowly avoided being plowed by.
..why Megan's law and "zero tolerance" is tyranny. (Score:5, Insightful)
Zero tolerance laws produce an extreme disincentive to properly and discreetly investigate such things before slinging around an accusation which will ruin somebody's life.
"Megan's laws" punish people after the official debt to society has been paid. If you are so sure pedophilia is an incurable, life-long disease, then imprison them for life or develop a house arrest program, but you can't simply toss these sex offenders out, put a big neon "child molester" sign over their head, and pretend they have the same rights, or are not in danger of vigilantism.
Re:yet another (Score:3, Insightful)
Comment removed (Score:5, Insightful)
Re:yet another (Score:5, Insightful)
You told it: it doesn't make sense to make information illegal to possess. I thought that to be self-evident in "the land of the free".
Re:..why Megan's law and "zero tolerance" is tyran (Score:5, Insightful)
Re:..why Megan's law and "zero tolerance" is tyran (Score:5, Insightful)
Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.
Frankly, zero-tolerance doesn't seem like what the Founders had in mind, nor does torturing people you don't like for the rest of their natural (and now probably shortened) lives. Granted, I suppose this depends upon your interpretation of "cruel and unusual", but if this can be applied to sex offenders it can be applied to any group of people if you can manage to vilify them sufficiently.
Re:Not everybody is a slashdotter (Score:5, Insightful)
Not having a skill you might happen (I assume) to have shouldn't be cause for derision or ridicule. As for the "nerve", you've obviously never had a job at a company of any significant size. And we'll leave it at that.
Re:yet another (Score:5, Insightful)
His arrest record will be enough (Score:2, Insightful)
Heck, he may even be barred from volunteering at his child's school as long as this information is public.
Re:yet another (Score:5, Insightful)
I once heard that described as "trying to cure diarrhea by tinkering with the plumbing in your house."
When something is no good for anyone I think it's safe to say that it should be illegal. If someone comes along that can prove it does some good then the issue needs to be readdressed and evaluated for legitimacy.
That, ultimately, isn't the issue. The problem here is that the mere accusation of child pornography is punitive to such a degree that, even if you're not ultimately convicted, you'll suffer severe consequences. That's not what the Founders had in mind for our legal system (as corrupted as their vision has become.) Somebody who gets nailed for drug possession or dealing (which, given how much the government spends to stop it must be a crime worse than murder) doesn't go through what a person merely accused of possessing child pornography does. It's one thing to punish those who break the law, those who hurt other people
Better to let a guilty man go free than imprison an innocent one. There are those who disagree with that, who believe that a few thousand wrongly imprisoned souls are a small price to pay "for the children" but they're wrong. If child pornography is truly as big a problem as everyone says (I'm not saying that it isn't, I just haven't looked up any numbers on it) then give law enforcement the funds they need to go after the real criminals, the ones who exploit the innocent in such a horrible way. To do otherwise is no justice at all.
Re:What is the real truth here? (Score:5, Insightful)
Re:Certainly sounds fair... (Score:3, Insightful)
Re:..why Megan's law and "zero tolerance" is tyran (Score:5, Insightful)
Its called "the greater good" (Score:5, Insightful)
By bringing it to his attention
1) You save the company a competent employee
2) Discourage him from doing it again
3) You demonstrate your personal loyalty to an up and coming executive.
The question you have to answer is: did the employee's actions harm the company in a non-trivial manner? I assume the answer is no. There are many things users do that waste time, most of which are trivial and do not actively cost the company money.
If the cost of stopping these trivial things exceeds the benefits then you tolerate it and move on.
I would be more concerned about the use of a "firewall/lan bypass device" than the content itself.
Re:..why Megan's law and "zero tolerance" is tyran (Score:5, Insightful)
Note his daughter was 11. He saw him on the sex offender list and thought "kiddy fucker" immediately, not "rape" or "mild sexual harassment" (which can get you there too, with a little work).
Sue, sue sue. (Score:3, Insightful)
Sue the state for full re-employable reinstatement, back this and that, damage to reputation internationally, pain and suffering, cracks in the sidewalk, and anything else.
Re:Dayam. (Score:3, Insightful)
I'd also recommend:
a) No root SSHD
b) Denyhosts, with known hosts in hosts.allow
c) Using an alternate SSH port
d) Using a secure password. Alphanumeric with various characters
Even with an OK alphanumeric password, I've seen boxes hacked through brute-force. Already-rooted machines will happily look for others to add to their army. Having a secure OS and failing on (d) is still a good way to invite disaster.
(sorry if I'm preaching to the choir, but I've seen plenty of hacked boxen in both the windows and 'nix/BSD realm lately due to poor security practices).
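The four points in the comment above map onto things that can be read out of sshd_config and hosts.allow. The following is an added example, not the commenter's code, that audits the text of both files. The sample files and addresses are constructed, point (d) is approximated by reporting whether password logins are enabled at all, and Match blocks are left out of the audit.

```python
import re


def effective_sshd(config_text):
    """Global sshd settings as sshd reads them: keywords are case-insensitive,
    the FIRST value of a keyword wins, Port lines accumulate, and everything
    after a Match line is conditional, so it is left out of the global view."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            break
        if key == "port":
            ports.append(int(value))
        else:
            settings.setdefault(key, value.lower())
    settings["port"] = ports or [22]                              # sshd default
    settings.setdefault("permitrootlogin", "prohibit-password")  # sshd default
    settings.setdefault("passwordauthentication", "yes")         # sshd default
    return settings


def sshd_clients(hosts_allow_text):
    """Client patterns hosts.allow admits to sshd. TCP wrappers syntax is
    daemon_list : client_list [: option]; DenyHosts relies on the same
    mechanism, so this only matters for an sshd built with libwrap."""
    clients = []
    for raw in hosts_allow_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        names = {d.lower() for d in re.split(r"[,\s]+", daemons.strip())}
        if names & {"sshd", "all"}:
            client_list = re.split(r":(?![^\[]*\])", rest)[0]  # keep [IPv6] whole
            clients += [c for c in re.split(r"[,\s]+", client_list.strip()) if c]
    return clients


def audit(config_text, hosts_allow_text):
    """Return (point, message) findings keyed to the comment's a) to d)."""
    cfg, findings = effective_sshd(config_text), []
    if cfg["permitrootlogin"] != "no":
        findings.append(("a", "root can log in over SSH: PermitRootLogin "
                              + cfg["permitrootlogin"]))
    clients = sshd_clients(hosts_allow_text)
    if not clients or any(c.upper() == "ALL" for c in clients):
        findings.append(("b", "hosts.allow has no specific known-host entry for sshd"))
    if 22 in cfg["port"]:
        findings.append(("c", "sshd listens on the default port 22"))
    if cfg["passwordauthentication"] != "no":
        findings.append(("d", "password logins are enabled, so password strength "
                              "is what a brute-force run has to beat"))
    return findings


# Constructed samples. In WEAK_SSHD the second PermitRootLogin line is ignored
# because the first value wins.
WEAK_SSHD = "Port 22\nPermitRootLogin yes\nPermitRootLogin no\n"
WEAK_ALLOW = "sshd: ALL\n"
HARDENED_SSHD = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
HARDENED_ALLOW = "sshd: 192.0.2.10, 198.51.100.0/24\n"

if __name__ == "__main__":
    for point, message in audit(WEAK_SSHD, WEAK_ALLOW):
        print(point + ")", message)
```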
Re:Its called "the greater good" (Score:5, Insightful)
Re:..why Megan's law and "zero tolerance" is tyran (Score:3, Insightful)
Just to clarify, do you mean the dictionary definition of pedophile, i.e., an adult that likes to molest children, or the legal definition of pedophile, i.e., someone who is 18 or greater and is unfortunate enough that their sexual partner is only 18 minus iota and/or someone who likes their 30 year old wife to wear pigtails and short skirts?
40 sites per minute? (Score:2, Insightful)
'dd' is not the Linux counterpart to ghost (Score:3, Insightful)
In any case where you have 80+ GB partitions that are mostly empty, which is most of the time, dd results in wait times (and space requirements on the destination) that are simply unacceptable and a huge waste IMO. The drives will also tend to become rather warm and stay that way for too long.
Re:Not everybody is a slashdotter (Score:5, Insightful)
You've got to admit the OP has a point though.
The guy in TFA got sacked for using Windows.
You Evangelists always say it's so easy to use, but if Windows is so easy, how come this guy needs L337 skills just to avoid being labelled a child pornographer and losing his job?
Next time anyone says "No one ever got sacked for buying Microsoft", I'm pointing to this guy.
Re:What is the real truth here? (Score:2, Insightful)
Re:What is the real truth here? (Score:2, Insightful)
All that kind of adds up-I'm sure there are guys on
I don't put it past the hackers to infect with CP (Score:3, Insightful)
At this point, having child pornography on your computer is like being infected with a virus, only this virus is child porn. The only way to get it off is to basically reformat your drive. If you were smart your drive was encrypted and that reformat will be the end of it, and if you aren't so smart then there could be traces of child porn (invisible to the naked eye) which could still be on your machine.
The point is, this guy probably deleted whatever child porn the malware sent to him. Thus it was invisible to the naked eye. Yet that doesn't change the fact that his computer still legally contained the 1s and 0s in a form which is still illegal.
So while I do think there are pedophiles, I don't think this guy is one of them. And this is the sorta situation that our ridiculous child porn laws create.
Maybe he deleted it. (Score:4, Insightful)
Maybe it was not visible to the naked eye because he deleted it. I don't know, but I can easily see a situation where some script kiddie creates a bot which trolls chatrooms and which sends random users child porn and then sends the feds after them.
It probably would not take a lot of time to write such a bot, or to trick the typical horny middle-aged male to accept a picture of what they think is an adult woman, only to find out later it's child porn. But what's he supposed to do? His computer has been infected.
So now he has to reformat his entire computer. I can see this being the new WinNuke.
WHY WOULD HE WANT HIS JOB BACK? (Score:3, Insightful)
Re:Not thinking of the children (Score:3, Insightful)
You're as bad as they are (Score:3, Insightful)
That's the kind of behaviour that gets (got) the wrong person and ruins their life.
Sam
Re:Legal "slam dunk"? (Score:5, Insightful)
For company/government controlled computers people should not forget that network/computer administrators can quite readily take over users' computers and use them for whatever nefarious activities they want to and then blame the poor end user. In this case the administrator really and I mean really fucked up, I mean they found the child porn but missed the viruses et al. What, does the admin get such a kick looking for porn on their users' computers that they forget to fulfil the security functions that they are actually paid for?
While the end user is certainly in the clear, the admin is in real trouble as now somehow they have to prove their innocence as the actual administrator of the infected (by whom?) computer. Also the admin should be subject to criminal negligence charges as they bore false witness against the user as the admin should have detected the viruses et al prior to bearing witness against the end user, so some really serious stuff and the end user and their lawyer can really go to town on them.
So the real question for the future is, is it the end user's computer or the system administrator's computer, who has the greater control and hence who has the greater ownership? Running a far more secure OS like Linux will certainly do more to protect computer administrators from future prosecutions, something to really think about.
Re:Not everybody is a slashdotter (Score:4, Insightful)
Nor did they appear to factor all that in - the litigation costs.
It sounds even more negligent given they passed that guy a non "clean" laptop in the first place.
Anyway, often the problem is the downtime it takes to reimage the machine - esp if it's an old laptop and nobody has an "up to date" and pristine image.
AFAIK normally nobody cares.
Except in this case. I guess someone cared enough to start a witch hunt and this poor chap got the brunt of it.
Someone screams "child porn" and suddenly it's like a mass shark frenzy with blood in the water.
Re:Legal "slam dunk"? (Score:5, Insightful)
How about actually following the money trail? Are the malware authors and people putting those images up really doing such stuff for free? Someone must be paying for those ads, the creation of child porn sites etc.
There are more serious crimes than possession of some image file, especially an image file that is likely to be downloaded by malware.
Lastly, Linux isn't going to help. The real problem is mass hysteria - lots of people suddenly turning their brains off when they hear a trigger phrase. Sure child porn is bad, but if you really want to fix it, follow the money to the bitter end. Not go around starting stupid witch hunts. The way they do things, I figure it's just a tool for cynical manipulation of a mindless populace.
Re:What is the real truth here? (Score:5, Insightful)
One thing that will make a real difference for you is to find your natural peer group. Until then, like the AC said: ask for lessons in humility.
Back to Salem? (Score:4, Insightful)
So these regular folks would notice that somebody (often a lonely old woman) acted a bit oddly. Instead of using a bit of imagination and charity to understand why, they leaped to the conclusion that she was consorting with the Devil. Just as some Native American tribes got their fun from torturing prisoners to death - life was DULL in those days - torturing and killing a witch just made their year. (Another possible parallel is that those who informed on "witches" often did a deal with the state whereby they split the victim's - often considerable - possessions between them).
Nowadays it's not quite respectable to torture people or burn them alive (unless they're foreign Bad People). But these here pedophiles... we should string 'em all up.
There seems to be a type of mentality that doesn't even want to understand how nasty pictures can wind up on someone's laptop, without the owner's knowledge or consent. It's just a great chance to get someone down and kick him, kick him, kick him...
danger will robinson (Score:3, Insightful)
Re:Legal "slam dunk"? (Score:5, Insightful)
When something bad happens, and you fire somebody you are, by the strictest interpretation of the words, "doing something about it." It might not be anything effective, but if you don't know what is effective, then "doing something" sounds a lot better than "doing nothing."
Out of all the ineffective ways of "doing something", firing somebody is the most attractive, because it localizes the blame in a person who is, or at least in short order will be, outside the organization. It is the solution that shifts the most blame. Since the person is outside the organization, he can't defend himself.
Unless he lawyers up.
Re:Legal "slam dunk"? (Score:3, Insightful)
Smacking the company hard like that will discourage the abusive behavior by its management.
The man was EXONERATED (Score:4, Insightful)
The point here is that an innocent man has been through hell because IT screwed up and didn't set up SMS correctly so his computer had numerous security holes. The summary doesn't convey this, of course, resulting in the stupid (and, actually, offensive) comments from those who assume that he was guilty based on the summary. Folks, this is a real story about a real person, not something from xkcd. You should not be so quick to judge, especially when you didn't RTFA.
The guy might be rotting in the slammer somewhere if it weren't for his wife who rounded up the competent resources to find out what really happened.
I am infuriated because of the occasional poor summary posting that Slashdot seems to be proud of. If I see another story about an air-powered car again, I am going to puke and stop reading.
Now knows his former "friends" never really were - (Score:3, Insightful)
Real friends wouldn't assume someone is guilty and shun someone - especially on evidence so flimsy.
Real friends would try to assume someone was innocent.
Real friends don't run like that. (If he was convicted in a fair trial that would be different).
Bet if (when) he wins a multi-million dollar judgment his former "friends" will be back!!!
"Oh, we hate perverts, we were just being careful, didn't want our kids hurt, or our reputation harmed, etc, I'm sure you understand, but since a court has ruled in your favor we know this must be the very rare exception where someone isn't guilty...
Oh, and by the way, I need $80K for a downpayment, and you got $80M...."
Re:Not everybody is a slashdotter (Score:2, Insightful)
You "Evangelists" have the most amusing double standards and syncopated rationalizations.
Re:Legal "slam dunk"? (Score:4, Insightful)
Linux would have helped, instead of having a sophisticated network system where you need a valid login/pass to get access to the updates for your computer system... all the updates needed come from trusted repositories, no password or login needed, oh and, if the end user isn't given permission to install software, instead of having a dumb script on the system that logs in to a server, there can be a central server that runs a script that logs in as the admin user on each system to force updates, without having to create a new login/pass every time a new user grabs a Linux laptop.
Linux doesn't fix the dancing pigs problem, but by being an inherently secure platform, remote administration isn't a joke feature thrown in as a 'buzz' word to move more copies and try to avoid losing important corporate customers to more secure products.
Linux would have solved All the problems this company ran into. As a matter of fact, I've run across compromised Windows systems where even after a format with a DOD level file system erase were automatically reinfected by malware that had corrupted the BIOS of the motherboard. The only thing that worked was switching those machines to Linux, and reflashing the BIOS (because it kept having problems with stability until the BIOS was reflashed).
And if you think, well, security software must have caught up by now, the sad truth is that about 3% of malware and rootkits released in 2006 are Actually protected against by security suites. The problem is the way Windows lets any administrator process rewrite almost any file instantly, and any file with a reboot.
Once the software infects, disinfecting a system is very hard, doing a complete wipe, and flash of all programmable chips (optical drive, the main BIOS, there are even viruses that can infect the memory of a HDD's internal controller, which isn't normally accessible to the end user). A lot of people just throw computers away when the malware comes back after a format.
Windows really really pisses me off more and more every day because of the way Windows was designed, despite decades of end user knowledge in developing secure UNIX systems for college campuses, all because Windows was completely managed by greedy profiteers who didn't care a whit about how things were designed as long as they were number one, and had no serious competitors.
Oh and hey, even if the guy was running Linux, and it wasn't auto updating, since it was a desktop and not a server, it probably wouldn't have run any of the popular programs hackers who target Linux target.