Was Julie Amero wrongly convicted?


Institutional liability

This case is an object lesson not only to users, but to their employers as well. First of all, I want to point out that companies have a fiduciary obligation to their employees to take efforts necessary to prevent them from being unfairly and unjustly implicated in criminal activity – to have strong authentication systems, and decent policies and practices.

Now I am generally sympathetic to public schools, which depend on taxpayers to pony up funds for everything from books, pens, pencils, and computers to teacher salaries, physical plant, and softballs. They have tight budgets, high expectations, and usually very little support. So it's not unusual that they might have outdated equipment, unpatched systems, untrained users (particularly substitute teachers), outmoded or non-existent firewalls, no anti-virus or anti-spyware systems, and little access control. While this neighborhood in Connecticut is by no means low income, I am sure that budgets are tight there, like everywhere else. Computer security just isn't a high priority, especially when they are seeking $40m to renovate the school itself.

To help schools acquire new computer hardware and wire or rewire their schools, Congress in 2000 passed the Children's Internet Protection Act (CIPA). CIPA imposes certain types of requirements on any school or library that receives funding support for Internet access or internal connections from the "E-rate" program - a program that makes certain technology more affordable for eligible schools and libraries. In early 2001, the Federal Communications Commission (FCC) issued rules implementing CIPA. It requires schools that participate in the E-rate program to certify that they have an Internet safety policy and technology protection measures in place. This policy must include technology protection measures to block or filter Internet access to pictures that: (a) are obscene, (b) are child pornography, or (c) are harmful to minors, for computers that are accessed by minors. They also must adopt and enforce a policy to monitor online activities of minors, including (a) access by minors to inappropriate matter on the Internet; (b) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (c) unauthorized access, including so-called "hacking," and other unlawful activities by minors online; (d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (e) restricting minors' access to materials harmful to them.

It is not clear whether the Norwich, Connecticut school district received E-rate funds, although many other Connecticut schools did, and a 2005 report by the Connecticut Department of Information Technology suggests that Norwich received E-rate funds and that it had "upgraded" its Internet filtering in 2004 to the N2H2 Sentient filtering system. A report issued the day after the conviction by the Connecticut Education Network (CEN) confirms this.

Thus, Norwich was mandated to have measures in place to block access to pornographic sites. Would the failure to update blocking software take the school district out of compliance? It certainly would implicate the annual certification that they had blocking protection in place – or at least that they had effective blocking in place.

This points out that there are a host of laws and regulations that mandate levels of protection and security. These may include legal requirements to keep spyware, malware and anti-virus protections active and updated, to use appropriate filtering software, to monitor activities, and to take appropriate remedial action. Oh yeah, and to have an effective incident response program that includes computer forensics that will actually tell when and how someone may have violated these rules. Or when they simply appear to have violated the rules.

Indeed, several years ago I was involved in an incident where an employee was almost terminated for attempting to repeatedly hack into a series of computers located in Eastern Europe – pinging one IP address after another sequentially and repeatedly. Looked like a hack. A forensic examination of his computer indicated that he had inadvertently downloaded malware, which was unsuccessfully attempting to register itself at its home base.

Similarly, the February 2000 distributed denial of service attack launched by the infamous mafiaboy involved bots that infected thousands of computers located mainly in academic environments. While these unpatched systems became the vehicles for attacks on others, a cursory forensic exam would have indicated that the colleges and universities were the source of, rather than the victims of, these attacks. The same thing is obviously true for spam bots, file parking, and other methods used by hackers to divert attention from themselves and onto other innocent people or systems.

An incomplete forensic examination can lead to the creation of an "airtight" criminal case against the wrong person. Next time it could be a senior corporate executive who could face some jail time. Maybe then we will do something about it.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus
