Computer Illiteracy
Here’s another scary story of malware destroying an innocent person’s life. The IT department for Massachusetts’ Department of Industrial Accidents did a negligent job of configuring a 53-year-old worker’s computer, leaving antivirus protection disabled, leaving his computer wide open to attack. The computer became riddled with trojans and viruses, causing all manner of porn to download onto the computer. The same IT workers noted that the computer had unusually high wireless traffic, causing them to inspect the computer, where they found loads of porn in the browser cache–including child porn. These same inept IT workers didn’t bother to make a quick check to see how the porn got there–they just assumed the user was a pervert, accused him, and promptly destroyed the man’s life. The man who used the computer was instantly fired, without being given a chance to do more than quickly protest his innocence before being thrown out of the building. He was immediately stripped of his last pay, his insurance, all his benefits. His wife was hospitalized for stress, and the couple now face horrendous insurance costs.
The prosecutors, apparently so lured by the prospect of jailing a child porn viewer (probably a career-boosting case), didn’t bother to look for alternate explanations; they just accused the man–a former firefighter with no criminal record–and plastered him with a reputation as a child pornographer. Never mind that a quick search would have unveiled the fact that no URL was entered before the computer accessed 40 sites in 60 seconds, one example of how malware was responsible for the porn. No matter that child porn was just part of the vast amount of bizarre porn found on the computer, indicating not a child porn user but instead a malware script randomly accessing porn sites.
The hapless 53-year-old was arrested and charged last August. His friends deserted him, his family mostly turned away. His wife, however, remained loyal to him, and hired the attorney who got a forensic expert to look at the computer. That expert found the machine crawling with malware–something the prosecutors would have found instantly had they bothered to make even a perfunctory forensic check. But as I said, the DA didn’t bother–he likely just smelled a juicy, easy victory that he could ride to public office, and jumped on it. Probably figured that it was the accused’s job to find any exculpatory evidence–or else he just didn’t care. Once the defendant’s expert found the malware, two experts hired by the DA confirmed the analysis and the case was dropped.
So, when his innocence was proven, did his old office hire him back? Not a chance. Despite the fact that it was the office’s responsibility for the computer that got him fired–they gave him an infected computer and then fired him for it–they “stand by” their decision. Not even any word that the IT department workers, who both misconfigured the computer and blamed the computer user for the porn, were punished in any way.
The DA in charge of the case, by the way, apparently did not have the least inclination to have a simple check performed on the computer, a check that would have revealed the problem–but this very same DA, in a case earlier this year, went to a great deal of trouble to perform an “extensive review of phone records, financial transactions, and other documents” in order to clear a corrupt Romney aide of the charge of impersonating a police officer, something the aide has a reputation for doing. An innocent man gets railroaded while a slimy political operative gets cleared? Sounds like a great DA’s office they have over there.
But the way the porn malware case was handled is nothing new; I reported four months ago about a case where a substitute teacher was convicted of exposing her students to porn, and faced a 40-year sentence–when it should have been clear that a malware attack was responsible. She has since been granted a new trial, but is still in danger of being convicted–the prosecutor there apparently still thinks she forced porn on her students.
In the more recent case, the man whose computer was bombarded told reporters that was had no idea what was happening because he was computer illiterate. But the IT workers who were responsible for the whole affair have no such excuse, neither do prosecutors, who had full access to technical experts. They were simply negligent–or worse.
Reminds me of when I was in High School. Me and a few other students who had computer skills were considered ‘threats’ and the teachers were told to keep us away from the computers (not a single one of us ever did anything.) Any time anything went wrong with the network we were called down to the sys admin’s office and grilled for at least an hour. Shit really hit the fan when some kid was accused of loading up a floppy with ‘hundreds’ of viruses and trying to intentionally infect the school’s computers. When they pressed charges against the kid, it came out that in order to ‘save money’ the sys admin didn’t buy any anti-virus software. The good guys won (kinda), the sys admin ‘resigned’, but he walked into a job teaching IT in education classes at the local college. >:(
Perhaps software will appear that interrogates a computer and tells the police and employeers if the user is doing bad stuff with the computer. I think it is the responsibility of the programmers to fix this problem. Perhaps the experts already have this software. Perhaps it will take a little while before police/da/employers get accoustomed to using it. Also, if they suspsect someone, they could add some software to monitor the person in order to “catch them in the act”.
K: Was the kid really trying to infect the system–i.e., did they actually catch him with a floppy with viruses–or did the unprotected system simply get infected and they blamed the kid with no real evidence? Either way, it sounds like a real goofball operation…
YKW: Probably not going to happen, though I certainly would expect employers to try. But in the past, attempts to use computer data against users, like what you describe, have run up against privacy and/or self-incrimination laws. For example, some software makers have tried to create home-phone piracy routines into their software, essentially making the user’s computer rat out the user, and when this has come to light, all hell breaks loose. Although, in the situation you describe, the company could argue that it’s their computer and so such issues don’t apply. And in today’s atmosphere, who knows, they might even get away with it. But it would be akin to the kind of software used to spy on employees–received very badly and fought against by advocacy groups tooth and nail.
The floppy had viruses on it AFTER it was removed from the computer (which was enough evidence by the sys admin’s reasoning) but nobody knows for sure if the floppy infected that computer (they did find viruses on other computers on the network, but just claimed that they infected by being on the same network as the computer the student supposedly infected) or if the computer infected the floppy (or maybe both had viruses and they simply infected each other with different viruses). Nobody competent was ever allowed to examine the evidence and the kid, of course, claimed he was innocent.