Slashdot Mirror

← Back to Stories (view on slashdot.org)

Man Fired When Laptop Malware Downloaded Porn

Posted by samzenpus on from the your-computer-wants-porn dept.

Geoffrey.landis writes "The Massachusetts Department of Industrial Accidents fired worker Michael Fiola and initiated procedures to prosecute him for child pornography when they determined that internet temporary files on his laptop computer contained child porn. According to Fiola, 'My boss called me into his office at 9 a.m. The director of the Department of Industrial Accidents, my immediate supervisor, and the personnel director were there. They handed me a letter and said, "You are being fired for a violation of the computer usage policy. You have pornography on your computer. You're fired. Clean out your desk. Let's go."' Fiola said, 'They wouldn't talk to me. They said, "We've been advised by our attorney not to talk to you."' However, prosecutors dropped the case when a state investigation of his computer determined there was insufficient evidence to prove he had downloaded the files. Computer forensic analyst Tami Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye. The virus protection and software update functions on the laptop had been disabled, and apparently the laptop was 'crippled' by malware. According to Loehrs, 'When they gave him this laptop, it had belonged to another user, and they changed the user name for him, but forgot to change the SMS user name, so SMS was trying to connect to a user that no longer existed ... It was set up to do all of its security updates via the server, and none of that was happening because he was out in the field.' A malware script on the machine surfed foreign sites at a rate of up to 40 per minute whenever the machine was within range of a wireless site."

14 of 635 comments (clear)

  1. Re:Certainly sounds fair... by Secrity · · Score: 4, Interesting

    They did fire him -- they fired him and never asked any questions. The investigation was by the prosecutor, not his employer. I wonder if he will be hired back with back pay.

  2. Telling quote from TFA by GroeFaZ · · Score: 5, Interesting

    "As soon as you mention child pornography, everybody's senses go out the window, she [the computer forensics expert] said."

    Sounds too familiar. What's really fucked up is that his former employers "stand by their decision", namely to fire the guy. The bare minimum would be a public excuse, an offer to let him work there again, and probably a hefty compensation if he refused. But that's not likely to happen since by definition, the government knows best.

    --
    The grass is always greener on the other side of the light cone.
  3. Been there to an extent by 7-Vodka · · Score: 4, Interesting
    I've worked for the state of MA and I've run into the same problem many times on their computers. Depending on where you work their IT people are really not that knowledgeable or hardworking and I can't blame them, they have to work with microsoft crap, I would be slacking too.

    I was even fooled by it once. I found pr0n bookmarks under a cute girl's login and I was thinking "Daaamn this girl is a freaky.." for a few seconds until I realized what it was. I could easily see how people would jump the gun and over react when they find actual material on a computer and not just bookmarks however they should at least ASK the person if they're guilty and send it for investigation first.

    --

    Liberty.

  4. Whats interesting in this story is.... by tacokill · · Score: 5, Interesting

    The fact the he was charged with child porn. I've been following this case in the news because it is such an odd case. As TFA says, they eventually figured out it was viruses and malware doing the downloading of images (over the web, BTW). Ok, fair enough.

    However, another article (can't find the link, sorry) was interviewing one of the detectives involved with the case. What he said was something along the lines of "there was a LOT of porn on the computer. 99% of it was just gross stuff, not illegal. But we did find a few pics of young girls.". Which makes me wonder --- how, exactly, do they define child porn?

    Are they just arresting people because pictures look young?

    ...or did they find real kiddie porn on there?

    It just seems odd that all of a sudden there is all this kiddie porn out on the publicly available internet and it does not draw attention. I would presume, with Tor, Freenet, etc all of that activity would be driven underground (ie: encrypted). Is there really "spam" and popup based kiddie porn still going on in the WWW?

    I ask because I have...err...my friend has not seen it since the early early days of the internet. Back then, you truly could stumble across it accidentally. It hasn't been that way for a long long time though, in my experience.

    1. Re:Whats interesting in this story is.... by Riktov · · Score: 4, Interesting

      What's even more bizarre is the claim (in the summary) that some of the images portrayed incest.

      Sure, with child porn one could make a reasonable guess -- there is no confusing an image of a 6-year-old as possibly 18. But for "incest images", the only "portrayal" could be from a text label (in the image, or the filename), or some blatanly obvious visual hints in the photos, which would have been *deliberately* placed to convey the idea that the image portrays incest. There is no way to deduce from an image of two naked people, without knowing their identities as well, that they are engaging in incest.

      Saying they the images portray incest based on the labels is no more justified than saying that they portray space aliens, or members of the White House staff, or Osama bin Ladin in disguise.

      And are images depicting (or just claiming to depict) incest a crime?

  5. Re:Alas by PhoenixAtlantios · · Score: 4, Interesting

    What safe actions could they have realistically taken in that situation to investigate it? If you mess around with investigating that yourself and don't immediately hand the situation over to the police don't you risk incriminating yourself by 'protecting' the person from the police?

    I'm honestly curious to know; how could they have possibly investigated this more?

  6. Re:Why? lots of reasons by secolactico · · Score: 5, Interesting

    * To create mirrored websites to ensure availability of the material.

    It happens with malware spreading sites, why not illegal porn?

    If the malware can run a distributed dynamic dns based site, it will achieve a highly distributed network that would be hard to shut down easily.

    --
    No sig
  7. the ultimate untraceable weapon by analog_line · · Score: 4, Interesting

    Get child porn on your enemy's computer as long as he runs Windows (or whatever else), total deniability because there's so much malware out there. This scares the bejeezus out of me.

  8. Not everybody is a slashdotter by fm6 · · Score: 4, Interesting

    From a purely technical point of view, a clean install is good advice in this situation (and many others!) But it's not something an ordinary user can do. This guy certainly doesn't have the expertise, not if he was using such a thoroughly compromised system. So he has to turn it over to the IT department, which then charges his department $100 or more for the service. That's approaching the total value of the laptop if its been around for any length of time.

  9. usually a witch hunt to fire high paid worker by GoodNicksAreTaken · · Score: 5, Interesting

    I'm involved in investigating things like this in my line of work. The argument I've worked on the most was that X worker was on eBay at 6am, and then there is a record of X on at 12pm, so we fired X for waisting time spending 6 hours of their day on eBay. Everyone of the cases I've helped investigate the employee was a few months from reaching a big pay increase or increase in retirement benefits.

    Their team also loves to hand us data that their forensic person has pulled from Windows without giving us access to the original drive. When questioned on how he obtained the data it was clear that their certified forensic expert didn't make a locked copy of the drive but logged in and poked around. The certification their contractor has is from IACIS http://www.cops.org/certifications

    None of them so far has gone to a judge AFAIK but I know my PHB has testified for an arbitrator and the arbitrator ruled there was insufficient evidence for a dismissal.

  10. Re:That's a nice HUGE FREAKIN' BLOCK OF TEXT by Geoffrey.landis · · Score: 4, Interesting

    That's a nice HUGE FREAKIN' BLOCK OF TEXT you've got there, buddy. Maybe you'd like some PARAGRAPH STRUCTURE to wash it down. Don't blame me, the story as I submitted it had paragraph breaks.
    --
    http://www.geoffreylandis.com
  11. Re:What is the real truth here? by Missing_dc · · Score: 5, Interesting

    As a sys-admin, I was given a laptop to use that was my predecessor's. While doing a search of the laptop, I found A LOT of porn in the internet cache. My predecessor had used the firewall/lan bypass device we reserve for site visitors to surf for porn on company time. I did not report him, I simply contacted him and said "I seem to have found some adult material on your laptop, all time and user stamped for you. I think I will re-image this machine, do you have any objections?" He seemed pretty thankful that I was doing so and has been very helpful towards me ever since (8+ months).

    I would like to think that as a sysadmin, I have the duty to protect both the company and the users under my watch. I was not harming the company by giving this guy an out(especially since he had just got a big promotion and an expensive move to corporate HQ).

    Do you think I did wrong in not reporting the guy? (It was obviously deliberate browsing, but no kiddie stuffs)

    --
    How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
  12. The Truth (TM) by Gary+W.+Longsine · · Score: 5, Interesting

    Firing people based on things that happened on an infected PC is the modern equivalent of shouting burn the witch!

    The truth is that this can happen. The truth is that so many corporate desktop and laptop systems are p0wn3d by th3m that it isn't even funny.

    The truth is that event logging on these networks and systems are insufficiently detailed as to demonstrate conclusively which actually happened. Any logging that does take place on a system probably can't show you wether the user was responsible, or if an automated program pretending to be the user was responsible. Any corporation that gives a users a typical Windows system and then holds that user responsible when something untoward happens on that system ought to be opening themselves up to a lawsuit.

    The truth is that even the the lawyers who advised not to talk about the reasons for dismissal don't recognize this. They prohibit discussion of the details regarding the dismissal of the employee for reasons entirely unrelated to the issue of being entirely unable to conclusively substantiate any accusations which would be made. (It's standard dismissal policy at all of the Fortune 500 to not give any reason). In general, employees, managers, lawyers and judges are completely unprepared to assess the details which would expose the fact that nobody can actually prove that this unfortunate person was probably the victim of some botmaster's prank. People should be surprised that this doesn't happen more often.

    That said, there are things one can look at to determine what was *likely* to have happened on that box, and one can assess to some degree what things were relatively more likely than others. If the box was running malware, though, the most likely outcome is that one cannot demonstrate beyond a reasonable doubt that the user was guilty. However, one can, in some cases, demonstrate innocence, by showing, for example, that a given download occurred when the user was away from the keyboard.

    It's important to note that the converse is not true. The malware can easily mimic user behavior by performing user style tasks only when the user is logged in. Malware may, for example, have incentive to operate only when a real user is logged in, because certain operations in certain environments are unlikely to succeed if the user is not logged in (being stopped, and identified as likely malware behavior by a 3rd party heuristic detection system, for example.) Malware often does change its behavior based on instructions from the outside, based on the day or the time, based on all sorts of things, and may not behave the same in an isolated test lab as it does "in the wild" so it can be difficult or impossible to demonstrate the full capability of a given strain, even if you have a copy of it.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  13. Re:What is the real truth here? by Rocknrico · · Score: 5, Interesting

    You can't imagine the world of crap awaiting that guy had you reported him. It would have been a problem that would probably haunt him for the rest of his life. My spouse recently almost lost her job after a 40 year old arrest for dope surfaced in the FCIC database after a background check. Nevermind that she has a clean record since 1968, and has tirelessly worked with youth groups, sunday school, Boy/Girl scouts and extremely active both at church and the community. In fact, the official arrest /court records don't even exist after a 1997 fire at the courthouse destroyed everything. As a computer professional, I'm shocked that Georgia went back so far in time to key that data into the database. You definitely did the right thing. Definitely.