Man Fired When Laptop Malware Downloaded Porn
Geoffrey.landis writes "The Massachusetts Department of Industrial Accidents fired worker Michael Fiola and initiated procedures to prosecute him for child pornography when they determined that internet temporary files on his laptop computer contained child porn. According to Fiola, 'My boss called me into his office at 9 a.m. The director of the Department of Industrial Accidents, my immediate supervisor, and the personnel director were there. They handed me a letter and said, "You are being fired for a violation of the computer usage policy. You have pornography on your computer. You're fired. Clean out your desk. Let's go."' Fiola said, 'They wouldn't talk to me. They said, "We've been advised by our attorney not to talk to you."' However, prosecutors dropped the case when a state investigation of his computer determined there was insufficient evidence to prove he had downloaded the files. Computer forensic analyst Tami Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye. The virus protection and software update functions on the laptop had been disabled, and apparently the laptop was 'crippled' by malware. According to Loehrs, 'When they gave him this laptop, it had belonged to another user, and they changed the user name for him, but forgot to change the SMS user name, so SMS was trying to connect to a user that no longer existed ... It was set up to do all of its security updates via the server, and none of that was happening because he was out in the field.' A malware script on the machine surfed foreign sites at a rate of up to 40 per minute whenever the machine was within range of a wireless site."
Re:Certainly sounds fair... (Score:5, Interesting)
Telling quote from TFA (Score:5, Interesting)
Sounds too familiar. What's really fucked up is that his former employers "stand by their decision", namely to fire the guy. The bare minimum would be a public excuse, an offer to let him work there again, and probably a hefty compensation if he refused. But that's not likely to happen since by definition, the government knows best.
Re:The real crime here... (Score:3, Interesting)
Been there to an extent (Score:5, Interesting)
I was even fooled by it once. I found pr0n bookmarks under a cute girl's login and I was thinking "Daaamn this girl is a freaky.." for a few seconds until I realized what it was. I could easily see how people would jump the gun and overreact when they find actual material on a computer and not just bookmarks; however, they should at least ASK the person if they're guilty and send it for investigation first.
Re:yet another (Score:4, Interesting)
What's interesting in this story is.... (Score:5, Interesting)
However, another article (can't find the link, sorry) was interviewing one of the detectives involved with the case. What he said was something along the lines of "there was a LOT of porn on the computer. 99% of it was just gross stuff, not illegal. But we did find a few pics of young girls.". Which makes me wonder --- how, exactly, do they define child porn?
Are they just arresting people because pictures look young?
It just seems odd that all of a sudden there is all this kiddie porn out on the publicly available internet and it does not draw attention. I would presume, with Tor, Freenet, etc all of that activity would be driven underground (ie: encrypted). Is there really "spam" and popup based kiddie porn still going on in the WWW?
I ask because I have...err...my friend has not seen it since the early early days of the internet. Back then, you truly could stumble across it accidentally. It hasn't been that way for a long long time though, in my experience.
Re:Certainly sounds fair... (Score:3, Interesting)
Re:Alas (Score:4, Interesting)
I'm honestly curious to know; how could they have possibly investigated this more?
Virus? (Score:2, Interesting)
What they're describing sounds like malware intended to run up the traffic rankings of a site. If so, why was it gathering pictures too? Poorly coded? It wastes more bandwidth to pull the entire rendering of the page, than just the HTML and JS. While conserving bandwidth isn't high on the priority list, to keep from being noticed, and to keep their efficiency up, the virus writer would do what they could to keep their impact low.
I find it interesting that they don't mention what the malware was. They gave a vague description of it, but not a positive description. This alludes to me that it could be the mystery virus defense. Beyond that, it could have been installed accidentally (or intentionally) at some point between when he got the laptop and when it was discovered.
A possible scenario is this, including their facts.
1) The defendant was given a laptop from work
2) The laptop had its antivirus disabled inadvertently by the IT staff.
3) The defendant browsed to web sites, which may or may not have contained illegal images.
4) The virus was accidentally or intentionally acquired through said sites.
5) The defendant viewed web sites containing illegal images, before or while the virus was running.
6) The virus would acquire web site content when near wireless access points.
7) The defendant's employer found said illegal content on said laptop.
8) The defendant was rightfully terminated, and the evidence given to law enforcement.
9) The defense lawyer drew upon their mighty google-ing ability, and found the "it was a virus" defense.
Re:Why? lots of reasons (Score:5, Interesting)
It happens with malware spreading sites, why not illegal porn?
If the malware can run a distributed dynamic dns based site, it will achieve a highly distributed network that would be hard to shut down easily.
the ultimate untraceable weapon (Score:5, Interesting)
Re:yet another (Score:4, Interesting)
You rely on child exploitation laws which are already in place perhaps? If a child is harmed there are plenty of laws in the way to make sure there is a measure of justice.
This pretty much equates to outlawing the symptoms of a problem such as the tremors of an alcoholic in need of smooth refreshing goodness.
In that context the video is simply evidence against the person who actually harmed a child. That sounds like appropriate punishment to me.
I don't think that will happen though and I actually agree with the current law, at some point I think certain kinds of content serve no use to society, such as malware and kiddie porn but I can understand that information should always be legal. I think in this context we could argue that it is not information and is simply objectionable content.
When something is no good for anyone I think it's safe to say that it should be illegal. If someone comes along that can prove it does some good then the issue needs to be readdressed and evaluated for legitimacy.
Re:Alas (Score:4, Interesting)
Not everybody is a slashdotter (Score:5, Interesting)
usually a witch hunt to fire high paid worker (Score:5, Interesting)
Their team also loves to hand us data that their forensic person has pulled from Windows without giving us access to the original drive. When questioned on how he obtained the data it was clear that their certified forensic expert didn't make a locked copy of the drive but logged in and poked around. The certification their contractor has is from IACIS http://www.cops.org/certifications [cops.org]
None of them so far has gone to a judge AFAIK but I know my PHB has testified for an arbitrator and the arbitrator ruled there was insufficient evidence for a dismissal.
Re:yet another (Score:4, Interesting)
Wouldn't remember it was cnet if it wasn't so much out of their usual scope. However, I think the author had a very valid point. And if someone knows how to get this article I'd highly appreciate it - couldn't find it in recent years...
I smell lawsuit (Score:2, Interesting)
Considering the series of screwups that led to this, I figure his next course of action is a lawsuit against the state - I'd sure as hell do it.
Giving him a laptop without re-initializing it? They got them some dimtwitty IT folks there in Taxachussetts.
My biggest paranoid fear (Score:2, Interesting)
Whenever I have the opportunity, I like to wipe the hard drive completely and do a clean reinstall of all the software, but sometimes, you just can't do this, especially if you don't have the install disks. The reason I like to do this especially is because then I know what the machine acts and feels like under ideal conditions, and if the computer later slows down or acts sluggish, I can tell almost immediately if I've done some dumb cluck thing like downloaded some adware or freeware that turned out to be crapware.
As a direct result of reading Slashdot and TechDirt, I also have locked down my wi-fi with a highly encrypted password. It's too bad actually, as I like the idea of open wi-fi, but I can't take the risk that some joker might use my connection to download porn or music, tied back to me and my IP address. Knock knock from the FBI - no thanks.
Re:That's a nice HUGE FREAKIN' BLOCK OF TEXT (Score:5, Interesting)
Re:The real crime here... (Score:1, Interesting)
In Massachusetts arrest records are never wiped. When I was younger I was arrested for being in the wrong place at the wrong time in Norwood MA, and the charges were in fact dismissed by the judge, but the arrest shows up on my record to this day. Whenever I travel to Canada or am forced to undergo a background check for a job, I always carry the official court document showing that all charges were dismissed because CORI (the Criminal Offender database for MA) just shows a dead-end trail after the arrest.
Despite never having been convicted of a thing, I've been denied several jobs by employers who were turned off by the fact that I was arrested; despite the fact that an arrest is no evidence of wrongdoing. And.. No legal recourse...
Where's the justice?
Re:What is the real truth here? (Score:5, Interesting)
I would like to think that as a sysadmin, I have the duty to protect both the company and the users under my watch. I was not harming the company by giving this guy an out(especially since he had just got a big promotion and an expensive move to corporate HQ).
Do you think I did wrong in not reporting the guy? (It was obviously deliberate browsing, but no kiddie stuffs)
Re:Certainly sounds fair... (Score:1, Interesting)
The Truth (TM) (Score:5, Interesting)
The truth is that this can happen. The truth is that so many corporate desktop and laptop systems are p0wn3d by th3m that it isn't even funny.
The truth is that event logging on these networks and systems is insufficiently detailed as to demonstrate conclusively which actually happened. Any logging that does take place on a system probably can't show you whether the user was responsible, or if an automated program pretending to be the user was responsible. Any corporation that gives a user a typical Windows system and then holds that user responsible when something untoward happens on that system ought to be opening themselves up to a lawsuit.
The truth is that even the lawyers who advised not to talk about the reasons for dismissal don't recognize this. They prohibit discussion of the details regarding the dismissal of the employee for reasons entirely unrelated to the issue of being entirely unable to conclusively substantiate any accusations which would be made. (It's standard dismissal policy at all of the Fortune 500 to not give any reason). In general, employees, managers, lawyers and judges are completely unprepared to assess the details which would expose the fact that nobody can actually prove that this unfortunate person was probably the victim of some botmaster's prank. People should be surprised that this doesn't happen more often.
That said, there are things one can look at to determine what was *likely* to have happened on that box, and one can assess to some degree what things were relatively more likely than others. If the box was running malware, though, the most likely outcome is that one cannot demonstrate beyond a reasonable doubt that the user was guilty. However, one can, in some cases, demonstrate innocence, by showing, for example, that a given download occurred when the user was away from the keyboard.
It's important to note that the converse is not true. The malware can easily mimic user behavior by performing user style tasks only when the user is logged in. Malware may, for example, have incentive to operate only when a real user is logged in, because certain operations in certain environments are unlikely to succeed if the user is not logged in (being stopped, and identified as likely malware behavior by a 3rd party heuristic detection system, for example.) Malware often does change its behavior based on instructions from the outside, based on the day or the time, based on all sorts of things, and may not behave the same in an isolated test lab as it does "in the wild" so it can be difficult or impossible to demonstrate the full capability of a given strain, even if you have a copy of it.
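The timeline check described in the comment above, as an added example that is not part of the original thread: it compares browser-cache creation times against session lock/unlock events and also flags fetch rates no person could produce by hand. All data is constructed, the function names are hypothetical, and the 20-per-minute threshold is an assumption.

```python
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
MAX_HUMAN_PER_MIN = 20  # assumption: upper bound for manual browsing

# Constructed sample data (not from the case): session audit events and
# browser-cache creation times for one afternoon.
SESSION_EVENTS = [
    ("2007-03-01 13:00:00", "unlock"), ("2007-03-01 13:20:00", "lock"),
    ("2007-03-01 14:05:00", "unlock"), ("2007-03-01 14:30:00", "lock"),
]
CACHE_ENTRIES = (
    [("2007-03-01 13:05:10", "http://intranet.example/forms")]
    # 40 fetches in 40 seconds while the screen was locked
    + [(f"2007-03-01 13:45:{s:02d}", f"http://site{s}.example/") for s in range(40)]
    + [("2007-03-01 14:10:00", "http://news.example/")]
    # 35 fetches in 35 seconds while the session was unlocked
    + [(f"2007-03-01 14:15:{s:02d}", f"http://ad{s}.example/") for s in range(35)]
)

def parse(ts):
    return datetime.strptime(ts, FMT)

def unlocked_intervals(events):
    """Pair each unlock with the next lock and return [(start, end), ...]."""
    intervals, start = [], None
    for ts, kind in sorted((parse(t), k) for t, k in events):
        if kind == "unlock" and start is None:
            start = ts
        elif kind == "lock" and start is not None:
            intervals.append((start, ts))
            start = None
    if start is not None:  # session still open when the log ends
        intervals.append((start, datetime.max))
    return intervals

def classify(cache, events, per_min=MAX_HUMAN_PER_MIN):
    intervals = unlocked_intervals(events)
    times = sorted(parse(t) for t, _ in cache)
    half = timedelta(seconds=30)
    report = []
    for raw, url in cache:
        ts = parse(raw)
        present = any(a <= ts <= b for a, b in intervals)
        # Number of cache entries in the 60 s window centred on this one.
        n = bisect_right(times, ts + half) - bisect_left(times, ts - half)
        report.append({
            "time": raw, "url": url,
            # An unlocked session proves nothing: malware can run then too.
            "presence": "inconclusive" if present else "user_absent",
            "automated_rate": n > per_min,
        })
    return report

def summarize(report):
    return {
        "user_absent": sum(r["presence"] == "user_absent" for r in report),
        "inconclusive": sum(r["presence"] == "inconclusive" for r in report),
        "automated_rate": sum(r["automated_rate"] for r in report),
    }
```

Entries fetched while the session was unlocked are never attributed to the user, only marked inconclusive, which matches the caveat in the comment's last paragraph; the rate flag can still mark them as automated.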
Re:What is the real truth here? (Score:2, Interesting)
You had him over a barrel, but seemed to allow him an escape. This is a more productive approach than usual, and having been caught in the middle of a similar incident (not of my making), I can only applaud your discretion and handling of the issue.
At times it's difficult to make a decision on how to handle something like this without some personal knowledge to help, but sometimes you can fall into circumstances beyond your influence level to deal with.
*disclaimer*
I fell into a
I know better now, but at the time I had no clue.
My boss was NOT amused by the link.
I realize my anecdote may not be typical, but I present this in the framework that sometimes it is not a deliberate and knowing action that can cause grief. At the same time I will acknowledge the fact that sometimes employees will go out of their own way to 'stomp on their own dick'.
All I am trying to say is that it may not be a cut and dried incident. You gotta check it out in detail before you ruin someone's career if you attest to being responsible.
In view of that, it sounds (Heh! Heh!-listen to me!) that this person MAY have been in the 'flakey' side of truth, but who knows for sure.
I can't answer your question about "Do you think I did wrong in not reporting the guy?" without more specific information/data, but I can say that I find your solution admirable as long as:
1. The problem stops/ceases to exist.
2. It had no impact on the network/server environment.
3. You are not a BOFH, and plan to exploit this alleged lapse in IT Security, and have plugged the 'holes'.
4. You have been/are allowed to eliminate this problem from here on out.
It's much easier to give the benefit of doubt and deal with the issue than to declare war on your users and cause a company/corp wide crisis.
I admire your handling of the problem as far as the info you gave, but under different circumstances, a much different solution may have been in order.
P.S. Did I cover my own ass adequately with that answer?
Sorry, but it's what I have learned to do in Corporate USA instead of actually doing my real job.
P.S.S. Maybe that's why I am currently unemployed?!
Re:Certainly sounds fair... (Score:2, Interesting)
Re:What's interesting in this story is.... (Score:5, Interesting)
Sure, with child porn one could make a reasonable guess -- there is no confusing an image of a 6-year-old as possibly 18. But for "incest images", the only "portrayal" could be from a text label (in the image, or the filename), or some blatantly obvious visual hints in the photos, which would have been *deliberately* placed to convey the idea that the image portrays incest. There is no way to deduce from an image of two naked people, without knowing their identities as well, that they are engaging in incest.
Saying that the images portray incest based on the labels is no more justified than saying that they portray space aliens, or members of the White House staff, or Osama bin Laden in disguise.
And are images depicting (or just claiming to depict) incest a crime?
Re:Its called "the greater good" (Score:3, Interesting)
After that, it's your word against his.
Re:Lawyer: This, boys and girls, is why . . . (Score:3, Interesting)
of course he won't get his job back. (Score:3, Interesting)
This is what happens when you assume your system is protected.
It certainly wasn't his job to ensure the machine had functioning anti-virus software. It was some other person's job, and they didn't do it.
Someone wanted to get him fired. (Score:4, Interesting)
Look, we are here on slashdot discussing this as if we don't have the technical skill to use CP as a weapon to get people fired. It's really simple: write a bot, and then upload your enemy list in encrypted form to that bot server in whatever location and have that bot send a bunch of child porn to all the people you dislike.
9 times out of 10, most men will accept any photograph of what they think is a hot chick, not knowing what it is before they open it, it could be child porn, it could be a virus, they don't know. The problem is once the child porn is on their computer then they get reported and their computer gets checked for child porn.
They then undelete everything and find that one photo was on the computer for a split second.
This alone is enough to get a person fired. Personally, in my opinion, unless a person has LOTS of child porn, I don't think it's right to report them over one image found somewhere on their drive.
If we go by those standards then only the most paranoid of internet users will be able to avoid being infected with child porn. The situation is messed up but I won't label pedophile so easily.
In my opinion you did the right thing. It's becoming way too easy to label someone a pedophile, at this point any hacker can get just about all of their enemies labeled a pedophile by simply hacking into their enemies' computers, uploading the child porn, storing it in some secret hidden directory they can't see, and then alerting the proper authorities.
It's fucked up, but just like there were people writing viruses which would destroy computers, there will be people who spend all their time trying to destroy people's lives using child porn as a weapon to get people mislabeled into a pedophile.
If all it takes to get labeled a pedophile is to be caught with child porn on your computer, how hard will it be to make you look like a pedophile?
You probably won't have to look for child porn or search for it or anything, I doubt the authorities check search records in these cases to see if the person was searching for child porn, they probably just see the pictures on the computer and scream pedophile.
Re:Its called "the greater good" (Score:2, Interesting)
I work in this field- extracting metadata and tracking chain of custody on relevant electronic documents for court use- when someone who is not informed in the field tries to do something like this it usually ends up in the court throwing out evidence.
Can a CD containing Sony's Rootkit do this? (Score:2, Interesting)
Re:What is the real truth here? (Score:2, Interesting)
Seriously. Why?
He obviously speaks from experience. Why should he be all "Naw, I'm not really that good" if he actually is? Just so YOU don't need to feel challenged?
As far as I can tell he didn't say he's better than everyone else. He just says he's better than most people around him which should be true for a lot of people on Slashdot, don'tcha think?
Knowing what one is worth is a very important piece of knowledge. Not letting it get out of hand is a skill at least as desirable but whether he has that or not seems pretty hard to judge over the internet. So I just think YOU should STFU as long as you neither know the dude nor the people in his close vicinity.
Re:What is the real truth here? (Score:5, Interesting)