[LINK] Pop-up ads can land you in jail

Pilcher, Fred Fred.Pilcher at act.gov.au
Fri Feb 23 08:45:54 AEDT 2007


The following quoted from the "Windows Secrets" newsletter issue 97 of 22-1-2-07.

* * * *

Pop-up ads can land you in jail

  By Ryan Russell

If you find yourself the victim of pop-up ads on a computer, with children in the vicinity, you could face decades in prison.

I wish that I was exaggerating or being sensationalistic, but for Julie Amero this is far too real.
 

Meet Julie Amero, substitute teacher 

There's a good chance that you've already heard something about Julie. She's perhaps better known as the Connecticut substitute schoolteacher who's been convicted of "child endangerment." She now faces a sentence of up to 40 years in prison because porn pop-ups appeared on a school computer.

For background on the case, you can read articles from the New York Times, MSNBC, or SecurityFocus. (Full disclosure: WSN editorial director Brian Livingston is quoted in the New York Times piece supporting Julie. The article at the MSNBC site is also a good read, but I don't recommend the accompanying video, which starts out with a falsehood and goes downhill from there.)

Let me begin by saying that I'm biased when it comes to Julie's innocence. I'm doing my best to spread the word about her case, and have offered my technical skills to support her defense. I have access to some technical experts who are reviewing the trial transcripts and computer forensic evidence. I can't point to a public reference to support all of my positions yet, so you'll just have to take my word, for the time being.

There are many points I could make about what's wrong with her case. But I'll stick with my core competency and just point out some of the technical flaws.

Flawed technology condemns an educator 

The key issues were set in motion before Julie ever arrived to substitute-teach on the day in October 2004 that the pop-ups occurred. The school district had allowed its Web-filtering software support contract to expire, preventing the software from receiving updates. The computer in question was running Windows 98, and the browser in use was IE 6.

According to evidence analysis performed by Alex Shipp, an independent malware researcher, the antivirus software was a trial version of Cheyenne Antivirus (CA). That product had been discontinued by Computer Associates on Mar. 17, 2004. It appears that CA issued a last courtesy update on June 30. Julie taught the class on Oct. 19. The computer had no antispyware software.

In other words, this computer had almost no protection and an unsecurable operating system. This is the machine Julie was given to use.

On the day in question, the regular teacher was there before class to log Julie into the computer. Substitutes didn't have their own accounts, and were ordered not to log out or shut down the computer. Julie left briefly and, when she returned, the regular teacher was gone. She found students, some of whom didn't even belong in the upcoming class, Web surfing on the teacher's computer.

Experts now analyzing the hard-drive image have confirmed that the computer had been infected with adware days before Julie's arrival. Unfortunately, in this case, that means that when a student tried to visit a hairstyle Web site, he or she was instead redirected to a different site that had adult products advertised. When Julie tried to close the site down, this started a pop-up cascade.

One thing I should mention about Julie: She's a total "computerphobe." She can perform basic computing functions, but that's about it.

So what did she do when she couldn't get rid of the pop-ups? She turned the screen away from the students. It was at the front of the room, where the students would have had to be essentially at the teacher's desk in order to see. She did her best to get rid of the images without making it obvious to the students that something was wrong. If a student approached, she reportedly chased them away.

During a break, Julie went for technical help to get rid of the pop-ups, which reappeared as fast as she tried to close them, but she received no help. No one would return to the classroom with her. She was told not to worry about it. However, she was worried about it, and it turns out she had reason to worry - she was later arrested for "child endangerment."

Legal system fails pop-up victim 

When law enforcement became involved, sanity should have prevailed. Instead, the technical flubs continued, and the case sped downhill. A detective was assigned to take a forensic image of the computer and perform a technical analysis.

Let me briefly tell you what I know about taking a proper forensic image of a computer that will be involved in a criminal case. Keep in mind that I'm not a forensics expert; these standards are just common knowledge in the computer security field.

If you're going to image a drive for evidence, you have to use special write-blocking hardware that helps take a sector-by-sector image of the entire hard drive, including the "empty" space. The image is then hashed so that any tampering will be evident, and you always work from copies.

Typically, only software tools with support from existing case law are used. Otherwise, questions can arise over the soundness of the tools and techniques. The imaging tools that have case law behind them are EnCase and the Unix dd utility.

The detective in this case took an "image" of the hard drive with Norton Ghost. Norton Ghost is a tool used to back up a computer's hard drive in order to restore it to a known state after people have modified the configuration. It is often used on training or lab machines. There is nothing wrong with Ghost for what it does, but it is not a forensic tool.

So what did the detective use to examine the "image"? He used a program called ComputerCOP Pro. It appears that the program displays a version of the Internet Explorer history, which shows the URLs that were visited. At trial, this ended up translating to the prosecutor telling the jury that this means that Julie "physically clicked" those links. In fact, pop-ups show up in the history the same way as a link you click on.

In truth, the software also cannot tell you who was in front of the computer, who typed in a URL, or who saw the pictures displayed. It's clear that someone who lacks the technical background to properly interpret the results, and is not willing to put in the time to figure it out, can jump to some very wrong conclusions. The detective never even looked for spyware on the computer.

This is the kind of technical evidence on which Julie was convicted.

An innocent teacher awaits sentencing 

Julie is now awaiting sentencing, which is scheduled for Mar. 2. I could discuss jail-time possibilities, but many of us are still refusing to accept any possibility other than someone coming to their senses and throwing the verdict out.

To that end, the experts I mentioned are frantically preparing their report on the technical information. The hope is that the prosecution or court will recognize that there has been a basic mistake in the facts presented at trial before a sentence is handed down.

Despite my bias that I told you about, do you have reasonable doubt about Julie's guilt? For more information, see the julieamer blog at Blogspot, which is largely maintained by Julie's husband. There's a PayPal button at the top of that blog so people can contribute to help pay Julie's defense costs, which are reported to be over $20,000 so far. 
  
-----------------------------------------------------------------------
This email, and any attachments, may be confidential and also privileged. If you are not the intended recipient, please notify the sender and delete all copies of this transmission along with any attachments immediately. You should not copy or use it for any purpose, nor disclose its contents to any other person.
-----------------------------------------------------------------------




More information about the Link mailing list