Original URL: http://www.theregister.co.uk/2007/02/14/julie_amero_case/

Was Julie Amero wrongly convicted?

Mouse-trapped

By Mark Rasch

Posted in Law, 14th February 2007 15:35 GMT

Comment Substitute teacher Julie Amero faces up to 40 years in prison for exposing kids to porn using a classroom computer, but the facts strongly suggest that she was wrongfully convicted. Many issues remain, from the need for an independent computer forensics investigation and the presence of spyware and adware on the machine, to bad or incomplete legal work on both sides of this criminal case.

A recent criminal case in Connecticut points out the problems of computer forensics and aggressive law enforcement. It also shows how companies can get themselves and their employees into legal hot water by failing to follow reasonable computer security practices.

Take the case of Julie Amero, a 40-year-old substitute teacher from Windham, Connecticut. On October 19, 2004 Ms Amero, reportedly four months pregnant, was asked to substitute for Michael Napp's seventh grade language arts class at Kelly Middle School. Classrooms in this suburb of Norwich, Connecticut, apparently have PCs connected to the internet, but substitute teachers don't get passwords. Therefore, Mr Napp logged in, and stayed logged in under his UserID and password. Mr Napp logged into a few websites, and then turned the class and the computer over to Julie. He advised her not to turn off the computer, as she had no password to log back in. It wasn't the first time Amero had used a computer in the classroom. Indeed, she frequently used the computers in the classroom when she was supposed to be substitute teaching – many times in lieu of actually interacting with the 12 and 13 year old kids.

Julie Amero logged in to look at her AOL mail and, about six minutes later, either she or one of the students visited various websites about hair products or hair styles. Now one can reasonably ask why Julie was checking email, or for that matter surfing the web while she was supposed to be teaching. In fact, she spent most of the day logged on to the internet – not just logged on, but actively surfing. And why were her students allowed to be surfing internet websites about hair styles? In fact, Julie Amero had been reprimanded for not paying enough attention to the students and instead just web browsing while in class.

However, on this particular date, it appears that one of the sites that either she or one of the students browsed to caused a series of "pop-up" ads to be displayed on the classroom computer, and those pop-ups displayed a series of hard-core pornographic sites. She stated that she saw a bunch of the students giggling at the screen, and then saw the pornographic sites.

The substitute teacher said she immediately stepped in and shielded the children from the images, pushing them away or physically blocking them from seeing the images. As she tried to close the pop-ups down, new ones would pop up. She walked down the hall to get the assistance of another faculty member, who advised her that there was nothing that could be done. Meanwhile, of course, the hard-core porn was popping up on the computer for all the seventh graders to see. The substitute asked one of the teachers to call for the school principal to help, but no help was forthcoming. At the end of the day, Amero reported the problem to the assistant principal, who told her "not to worry". Apparently, the incident was not seen as all that significant, and the log data indicates that Amero continued to use the computer for the rest of the day – browsing lots of other sites, unrelated to porn. Oh yeah, and unrelated to her work as a substitute teacher. In fact, it appears that Julie continued to browse the web all day – even after the pop-up incident.

When the students told their parents what had happened, they told the administration, who vowed that Julie would never work in the classroom again. But they went further. The 40-year-old substitute teacher was arrested, indicted, tried – and here is the kicker – on January 5, 2007, she was convicted of four counts of risk of injury to a minor, or impairing the morals of a child (Conn. Gen. Stat. § 53-21). Indeed, she was originally charged with exposing 10 children in the seventh grade class to the materials on the internet, but six of the charges were dropped. The statute punishes "[a]ny person who...unlawfully...permits any child under the age of 16 years to be placed in such a situation that...the morals of such child are likely to be impaired, or does any act likely to impair the...morals of any such child".

Julie faces 40 years in the slammer for exposing the kids to porn. This despite a recent study by the University of New Hampshire, published in the journal Pediatrics, which indicates that 42 per cent of children ages 10 to 17 were exposed to pornography on the internet in the last year, two-thirds of them saying the exposure was inadvertent – due to pop-ups, bad URLs, or bad search results. Amero will be sentenced on 2 March, 2007.

A battle of forensics

At her trial, Norwich Police Detective Mark Lounsbury testified that there was evidence that, while the class was in session, the computer logged entries into websites like meetlovers.com and femalesexual.com, and other graphic sites. Elsewhere, Detective Lounsbury has explained that his forensic procedure is that:

Physical evidence and electronic evidence is collected...This evidence includes internet history, content, and registry data, including "typed URLs". It's these "typed URLs", gleaned from the registry, which are identified - not pop ups. I use a simple tool [ComputerCOP Professional v.3.16.3] to search for the evidence. The tool provides me with an audit trail, evidence log, the evidence, web content log, and visited sites log.

Nobody contested the fact that sites containing pornography were displayed on, and therefore accessed by, the computer in Mr Napp's 7th Grade class. The question, of course was, did Julie Amero do it, and more importantly, did she do it knowingly and intentionally?

This is where the evidence gets fuzzy. The State's Attorney, David Smith, reportedly told the jury: "You have to physically click on it to get to those sites." Other times he appears to have gone further, and suggested not only that Amero clicked on the URLs, but that she physically typed them in. Oh really? The theory that Amero deliberately typed the URLs into the computer is the same idea as that expressed outside the courtroom by school officials, like Norwich Schools Superintendent Pam Aubin who reportedly said: "This wasn't just [someone clicking on] popups [advertisements]."

Pop-ups are irrelevant to forensics?

Others have suggested that Amero's crime was not deliberately going to porn sites, but simply failing to prevent the pop-ups from being seen by the students. Indeed, this may have been the government's theory as well, or an alternate theory that the government came up with after the defense tried to show the existence of pop-ups and spyware. The prosecutor told the jury that Amero was guilty of exposing the children to pornography because she "should have thrown a sweater over the monitor" as a means of protecting the students. The angora defense? This despite the fact that as at least one student testified, the substitute teacher "physically reached up and pushed his face away from her computer".

Indeed, it is possible that the statute permits conviction for merely "permitting" a child to be placed in a situation that might impair their morals. So did the jury convict her for merely pushing the kids away and not yanking the extension cord? It is impossible to say. We all know that Microsoft Windows almost yells at you if you try to turn off your computer this way (well, at least when you reboot) – and that this kind of hard reboot can not only lose important data but can potentially damage the spinning hard drive.

There are also significant forensic reasons not to simply unplug a misbehaving computer. Sure, the question now is whether there was malware, spyware, pop-ups or possibly a Trojan horse on the computer. But what if the computer was being actively attacked through a Trojan or back door? Cutting the power would destroy the volatile state (running processes, open network connections) needed to trace the source of the attack. Unplugging the computer would also prevent the creation of certain registry entries that are written only when the browser is closed properly – such as the registry entry recording what URLs were typed into the browser, an important evidentiary issue in this case.

The decision about how to respond to this "incident" should not be left exclusively to the substitute teacher, and she should not be faulted – much less prosecuted – for not yanking the cord. There are conflicting reports about how long she kept the offending computer on, with Fox News' Bill O'Reilly reporting that the computer was left on all day, although it is not clear if the monitor remained visible to the students the whole time, and there is no allegation that there was porn on the computer for anything other than the few minutes after around 9am. Apparently neither she, nor any other faculty member, administrator or the principal or assistant principal ever considered just turning off the monitor – assuming that this was easy to do. Amero probably didn't turn off the monitor because she wanted to keep surfing.

Even the local newspaper, calling her acts "disgusting and merit[ing] punishment", failed to distinguish whether Amero's crime was going to pornographic websites in the presence of minors, or just not reacting properly when the pop-ups started coming, noting that Amero "...was accused and convicted of intentionally accessing several pornographic sites - not pop-up ads or windows, as she suggested. And she did not turn off the computer when the students saw the images." OK. Which one was it? If they can't distinguish which crime she was convicted of, how could the jury?

Even the Connecticut model jury instructions simply say that you are guilty of the crime if you "without legal right or justification" permit a person under sixteen, "to be placed in a situation that...was likely to...impair his morals". The jury was also told that "morals" means good morals, living, acting and thinking in accordance with those principles and precepts which are commonly accepted among us as right and decent.

So Amero could be convicted even if she didn't type any URLs or click on any porn sites – in fact, even if (and maybe specifically because) she never even touched the computer! Indeed, she could have been convicted even if there was no porn on any of these sites – all the law appears to have required was that the materials be "indecent" – a four letter word would have supported a decade in the pokey. Perhaps it is the government's theory that not yanking the plug placed the members of the seventh grade class in a situation that was likely to impair their morals. If that was the case, then why present any forensic testimony? Talk about strict liability! Without individually interviewing each of the jurors, we have, quite frankly no idea what the jury convicted her of. I love the law.

Whether or not the government thinks that Amero's crime was not yanking the cord, they asserted in court and out of court that the forensic evidence conclusively demonstrated that she actually typed the URLs – deliberately went to porn sites. And this is clearly not the case, as we'll see with further analysis.

The problem with computer forensics

Detective Lounsbury explained later in an online article his process and thinking for the collection of forensic evidence in the Amero case. He stated:

Physical evidence and electronic evidence is collected...This evidence includes internet history, content, and registry data, including "typed URLs". It's these "typed URLs," gleaned from the registry, which are identified - not pop ups.

'Typed URLs?' What are those?

As far as I am aware, there is no search tool, apart from a keylogger or a remote screen-capture tool, that can forensically and conclusively search for "typed URLs". The registry, history, and log files can show what URLs (websites) were visited, at precisely what time (based upon the system clock, which can be altered), and in what order. In and of itself, none of that shows that a URL was "typed" as opposed to "clicked through" or "popped up".

Now there is a TypedURLs registry key for Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. Its values (url1, url2, and so on) are what feed the address bar's drop-down list and the auto-complete feature that fills in a URL you have already been to. Internet Explorer writes the list out only when the browser is closed properly. And, because the key lives under HKEY_CURRENT_USER, any program running in the logged-in user's session can add or remove entries – adware, bots, and Trojans included. So examining the "typed URLs" doesn't really tell you that those URLs were actually typed – particularly where there is adware. In addition, the key only holds the last several "typed URLs" (25 in the Internet Explorer versions of the day), each new one pushing the oldest off the end. Since Julie was surfing the rest of the day, it's not clear what forensic value this would have – although it was a good starting point.

Many of the sites Amero visited that morning were obscure – porn sites masquerading as legitimate sites for hair styles. It makes little sense that Amero would have "typed" a hair styling site intending to find porn. In fact, one of the URLs in the cache was http://pagead2.googlesyndication.com – does the government really contend that the substitute teacher typed in that URL? Indeed, in press reports, the government expert and the prosecutor went back and forth, alternately asserting that their evidence showed that she deliberately went to porn sites because she "typed" the URLs of these sites, and somewhat contradictorily asserting that the evidence of intent was that she "clicked on" links to these sites – which generally would not have shown up in the "typed URL" registry key.

As Dr Neal Krawetz of Hacker Factor has pointed out, a thorough forensic examination might be able to exclude the possibility that a particular URL was typed, but could not demonstrate conclusively that it was, in fact, typed. He points out that you would want to examine the hard drive to determine whether there was spyware or adware on the computer that was either capable of, or actually designed to, generate the web requests. You would want to know when the spyware was added to the computer, using timestamps and sector locations, and determine whether these times coincide with the times that the substitute teacher used the computer. You would look at the URLs that were accessed at the time the spyware was loaded. If, for example, there is only a short delay between the times that each website is loaded (and the .jpg files on that website downloaded), this is a strong indication of a pop-up ad. People can only type so fast. The regularity of the opening of the URLs (every three seconds, every five seconds, etc.) would indicate a likely pop-up. Were websites opened instantaneously with the closing of other websites, as Ms Amero testified happened when she tried to shut down or close the pop-ups? There are lots of other ways you could exclude human intervention (well, I suppose pop-ups are human intervention, but you know what I mean).
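The timing heuristics Krawetz describes reduce to a small triage pass over the browser history. What follows is an added example, not code from the article or from either side's examiner. The history lines it analyses are constructed: only the 8:14:24, 8:35:27 and roughly 9:20 times come from the defense report quoted later in this piece, while the second-by-second stamps, URL paths and referrers are invented, and the two-second "human" threshold and the three-visit minimum are assumptions, not forensic standards.

```python
# Added example (not the article's or either examiner's code): triage of a
# browser-history timeline for request bursts that are faster and more regular
# than a person typing or clicking. The history below is CONSTRUCTED: only the
# 08:14:24, 08:35:27 and roughly 09:20 times appear in the defense report; the
# per-second stamps, URL paths and referrers are invented for the demonstration.
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_HISTORY = """\
2004-10-19T08:06:14\thttp://www.tickle.com/\t-
2004-10-19T08:14:24\thttp://www.hair-styles.org/\t-
2004-10-19T08:35:27\thttp://www.crayola.com/\t-
2004-10-19T09:19:40\thttp://www.new-hair-styles.com/curlyhairstyles.htm\thttp://www.hair-styles.org/
2004-10-19T09:19:41\thttp://pagead2.googlesyndication.com/pagead/ads\thttp://www.new-hair-styles.com/curlyhairstyles.htm
2004-10-19T09:19:42\thttp://ads.realmedia.com/RealMedia/ads/adstream.cgi\thttp://www.new-hair-styles.com/curlyhairstyles.htm
2004-10-19T09:19:43\thttp://www.meetlovers.com/\thttp://www.new-hair-styles.com/curlyhairstyles.htm
2004-10-19T09:19:44\thttp://www.femalesexual.com/\thttp://www.new-hair-styles.com/curlyhairstyles.htm
2004-10-19T09:19:45\thttp://cnentrport.net/\thttp://www.new-hair-styles.com/curlyhairstyles.htm
2004-10-19T09:27:10\thttp://www.aol.com/\t-
2004-10-19T09:31:05\thttp://mail.aol.com/\thttp://www.aol.com/
"""


@dataclass(frozen=True)
class Visit:
    when: datetime
    url: str
    referrer: str  # "-" when the history record carries no referrer


def parse_history(text: str) -> list[Visit]:
    """Parse tab-separated 'timestamp url referrer' lines, oldest first."""
    visits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        stamp, url, referrer = line.split("\t")
        visits.append(Visit(datetime.fromisoformat(stamp), url, referrer))
    return sorted(visits, key=lambda v: v.when)


def find_bursts(visits, max_gap_s=2.0, min_len=3):
    """Runs of min_len or more visits, each less than max_gap_s apart.
    Two seconds is an ASSUMED lower bound on reading a page and then typing
    or clicking the next URL; tune it to the machine and user in question."""
    if not visits:
        return []
    bursts, run = [], [visits[0]]
    for prev, cur in zip(visits, visits[1:]):
        if (cur.when - prev.when).total_seconds() < max_gap_s:
            run.append(cur)
            continue
        if len(run) >= min_len:
            bursts.append(run)
        run = [cur]
    if len(run) >= min_len:
        bursts.append(run)
    return bursts


def describe_burst(run):
    """Supporting indicators for one burst: regular spacing (low coefficient of
    variation of the gaps) and every request after the first carrying the same
    referrer, i.e. all spawned by one page rather than by someone navigating."""
    gaps = [(b.when - a.when).total_seconds() for a, b in zip(run, run[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else 0.0
    referrers = {v.referrer for v in run[1:]}
    single_referrer = len(referrers) == 1 and "-" not in referrers
    verdict = "faster than human navigation"
    if single_referrer and cv < 0.5:
        verdict += "; regular, one parent page: consistent with pop-ups"
    return {
        "start": run[0].when.isoformat(),
        "count": len(run),
        "span_s": (run[-1].when - run[0].when).total_seconds(),
        "mean_gap_s": round(avg, 2),
        "regularity_cv": round(cv, 2),
        "single_referrer": single_referrer,
        "hosts": sorted({v.url.split("/")[2] for v in run}),
        "verdict": verdict,
    }


def human_paced(visits, **kw):
    """Visits belonging to no burst: the only ones a typing-or-clicking theory
    can even be argued from."""
    flagged = {v for run in find_bursts(visits, **kw) for v in run}
    return [v for v in visits if v not in flagged]


if __name__ == "__main__":
    visits = parse_history(SAMPLE_HISTORY)
    for run in find_bursts(visits):
        print(describe_burst(run))
    print("human-paced:", [v.url for v in human_paced(visits)])
```

Run against the constructed sample, the six requests at 9:19:40 to 9:19:45 come out as one burst, one second apart, all with the curlyhairstyles.htm page as referrer; the five visits spaced minutes apart do not. The script excludes human pacing for the burst, which is exactly as far as this kind of analysis can go: it cannot prove who typed the earlier, human-paced URLs, and the thresholds should be defended from the specific machine rather than taken from here.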

As a matter of fact, it has been reported that the CEO of the maker of the forensic software that Lounsbury used stated that, "while the software can find all sorts of files and images, including deleted images or images in unallocated disk space, by keyword or by filetype, [it] does not determine the cause of those files being on the computer (whether caused by malware, intrusion, or direct and willful use), and that it is not the function of [the software] to make that determination." Nevertheless, both the detective and the prosecutor were unequivocal that the forensic evidence demonstrated beyond a reasonable doubt that the substitute teacher deliberately typed in the porn sites.

Detective Lounsbury went further, though. He reportedly also said that he can differentiate between what is and what is not a pop-up based on the source codes [sic]. What source codes? The source code of the websites that were visited? Did Lounsbury really access the servers that held the HTML for these hairstyle sites and forensically examine their source code, but somehow forget to look for spyware on the machine he was given? Indeed, he himself indicated that it is the normal practice to use:

Additional tools which search for specific viruses, trojans, and worms by their unique hashes can be brought into play to search for the known bad code.

Once evidence is located, police take note of the date and time it was created, modified, and last accessed. When the evidence (malware, .jpg, web page) was created is the "when" in "who, what, when, where, how and why." So, if malware was created at the same time the web pages and images were created, was the malware spawned by the "typed URL", by its content (i.e. Web Attacker kit), or mouse napping (click-throughs)? If there's no malware created prior to a web page with questionable content how do you end up at said web page?

Of course, Detective Lounsbury forgets the fact that, with sophisticated enough tools, and sufficient access, malware can be wiped from the system, system dates altered, and that even a simple rebooting or accessing of files can change their forensic value. It's understandable, though, considering the fact that he had very little substantive computer forensics training. He continued:

I ask this rhetorical question: Where does objectionable material come from - a site like Disney.com or the pornographic dot coms? Where do abusive JavaScript and Web Attacker kits reside? What about zero-day Internet Explorer Exploits such as the one discussed at this site on techfeed.net: 'A security hole in IE was recently confirmed by Microsoft. Now exploits that install tons of adware have been spotted on Porn sites. This exploit is reportedly easy to duplicate, and experts expect the problem to spread quickly to other shady sites across the Internet.'

The detective seems to be suggesting that the only way to get pornographic malware (that is, malware that loads pornographic websites) is to go to a pornographic website. While it is true that many pornographic websites do engage in "mouse-trapping" pop-ups, spyware, adware, or even fat-finger typing can send you into an infinite loop of pornography. So can hijacked websites, like the website of the NFL's Super Bowl Dolphin Stadium which, once visited, installed a nifty key-logger onto your computer. Malware can come from many sources – including the AOL mail that Julie Amero went to. Indeed, as the recent settlement with the Federal Trade Commission indicates, you can even get malware or a rootkit by simply playing a music CD.

A bumbled forensic defense?

The PC in the classroom – like many school computers – was running Windows 98 and the browser was Internet Explorer 5. There was no evidence that either browser or OS had been, in any significant degree, updated, and neither the PC nor the network itself apparently had any kind of firewall. Win 98 is no longer even patchable and is not supported by its creator. None of this is unusual. Finally, the PC was reportedly riddled with spyware, much of which predated Julie Amero's use of the computer.

A defense forensic expert prepared a report containing the following chronology of events, based upon his forensic examination:

On October 19, 2004, around 8:00 A.M., Mr Napp, the class' regular teacher, logged on to the PC because Julie Amero, being a substitute teacher, did not have her own id and password. It makes sense that Mr Napp told Julie not to logoff or shut the computer off, for if she did she and the students would not have access to the computer. The initial user continued use of the PC and accessed Tickle.com, cookie.monster.com, addynamics.com, and adrevolver.com all between 8:06:14 - 8:08:03 AM. During the next few moments Julie retrieved her email through AOL.

Amazingly, despite having two laptops filled with forensic evidence, the defense expert, for reasons discussed below, reportedly was only able to present two PowerPoint slides in Amero's defense. Not noted in the forensic examiner's report is the fact that those sites are all strongly linked to adware and automated pop-ups. Of course, addynamics.com and adrevolver.com are adware sites, and despite the forensic examiner's conclusion that "the initial user...accessed" these sites, a more accurate assessment would be that these sites were accessed while the initial user was logged in – consistent with adware with pornographic pop-ups. For example, Ad Dynamics is a Canadian company that advertises that it will "Manage, deliver and track banner [sic] of any size, pop-ups, text ads and many different types of rich media ads". Both domains are listed as known domains for spyware and pop-up adware. The forensic report continues:

http://www.hair-styles.org was accessed at 8:14:24 A.M. Based upon the hair style images uploaded to the PC, we were led to believe that there were students using the computer to search out hair styles. The user went to http://www.crayola.com at 8:35:27 A.M. The user continued accessing the original hair site and was directed to http://new-hair-styles.com. This site had pornographic links; pop-ups were then initiated by http://pagead2.googlesyndication.com. There were additional pop-ups by realmedia.com, cnentrport.net, and by 9:20:00 A.M., several java, aspx's and html scripts were uploaded. A click on the curlyhairstyles.htm icon on the http://www.new-hair-styles.com site led to the execution of the curlyhairstyle script along with others that contained pornographic links and pop-ups. Once the aforementioned started, it would be very difficult even for an experienced user to extricate themselves from this situation of porn pop-ups and loops.

All of the jpgs that we looked at in the internet cache folders were of the 5, 6 and 15 kB size, very small images indeed. Normally, when a person goes to a pornographic website they are interested in the larger pictures of greater resolution and those jpgs would be at least 35kB and larger. We found no evidence of where this kind of surfing was exercised on October 19, 2004.

Now you probably don't want to retrace the clicks of the seventh grade class noted in the forensic report – well, not unless you want a bit of porn yourself. Even a cursory review of these sites three years later shows that these are not hair design sites; they are fronts for porn or penis-enlargement sites in Russia and the Ukraine. Looking behind the site itself, the style sheet for these sites is named "images/sex_style.css" and the background image lives at "http://sex.sweetmeet.ru/". If you scroll down the page far enough, you get to a penis enlargement ad that is a fixed component of the page. The ">>>" images beside the links on the left of the page link to "sweetmeat.ru", the porn site that Amero was convicted of visiting. And guess what else? There is a JavaScript function on the page called "function popUP(url,h,w,resizable,scrollbars)" – to open pop-ups.

Oh, and many of the hairstyle pictures are of women wearing little or no clothing (long hair covers their chest). All this, coupled with the fact that the seventh grade girls were apparently looking for information about hair styles which might be of interest to 12-year-old girls, and not so much for 40-year-old women, one can reasonably ask what is a more reasonable explanation for the pornographic pop-ups – a 12-year-old surfing for hair styles, or a 40-year-old faculty member surfing porn from a borrowed account in the presence of 29 curious pre-teens, hoping none of them would notice?

So let's get this straight. The machine's internet history showed that a previous user had been accessing the kind of sites likely to plant pornographic malware, such as dubious dating sites. The forensic examination also showed a host of adware and spyware on the machine, much of which had been in place and operating well before the porn incident - including one designed to hijack and redirect the browser. And on this evidence, she was convicted?

What the jury didn't see

The police detective indicated that the police never examined the school computer for the existence of Trojan horses, logic bombs, spyware, adware or other malicious code. They reportedly didn't do this because the defense did not raise the "malware defense" prior to trial. Indeed, many have conjectured that the "pop-up" defense was manufactured for the trial, and that Julie never told anyone about the pop-ups at the time, or indeed at any time prior to trial.

However, if you wanted to assert that the defendant deliberately clicked on pornographic websites, and offer expert testimony to that effect, it would be incumbent upon you to eliminate the possibility – indeed, the probability – of the existence of malware. Indeed, the police detective himself suggested that a normal procedure would be to look for malware created before or at the time of the alleged criminal acts.

This may be a case where the defendant was wrongfully convicted because of a technicality – not just because of spyware or pop-ups. You see, Connecticut law requires the defense to give the government any written reports or tangible evidence they intend to introduce at trial, or evidence "[w]hich is a report or statement as to a...scientific test or experiment made in connection with the particular case prepared by, and relating to the anticipated testimony of, a person whom the defendant intends to call as a witness."

It is not clear whether the defense expert prepared such a written report, or whether if so, it was disclosed to the prosecution. In 1992, the Connecticut Supreme Court in a case against Adrian Genotti (220 Conn. 796, 1992) held that there was no legal obligation to prepare and therefore disclose a written report, and that an expert should not be prevented from testifying just because no written report was created and/or disclosed.

It appears that the government did not rebut the argument that the substitute teacher was the victim of pop-ups because they didn't know that was going to be the defense. In fact, Amero may not have even raised this as a defense until immediately before trial. It also appears that, as a result the defense wasn't fully able to present this defense because they didn't give the government sufficient notice of the expert's reports.

Indeed, despite the fact that the investigation and the case had been pending for almost two years, it appears that nobody even brought up the possibility of the pop-up defense until shortly before trial. This may have been tactical on the part of the defense, or it may have been because the defendant simply didn't focus on what caused the porn to be displayed. In any event, the cops didn't look for evidence to rebut a defense about which they weren't aware, and so they never looked for spyware and adware. Because the defense may not have given notice of the existence of the expert report, the court curtailed the expert's testimony. So Ms Amero goes to jail for a failure to produce some paper?

The IP address history logs of the school apparently were not reviewed. What is worse, it appears that nobody attempted to recreate the sessions with live internet accounts to see whether the pop-ups actually occurred at the time. The defense expert's request to do so in court was denied. However, while some of the particular sites may no longer have been active at the time of the trial three years later, archives of these sites indicate that they were likely sources of malware. Indeed, even an immediate reconstruction of the events might not yield an identical result, as malware sites are polymorphic – changing URLs sometimes within minutes, and the results would only be useful if it used a similarly outdated computer, with a similar lack of controls, and similarly un-updated software and browser.

As a result, it is impossible, without an independent forensic examination, to determine whether Julie (a) deliberately surfed for porn; (b) inadvertently went to a porn website; (c) was the victim of pop-up porn sites; or (d) merely sat by while students did any of the acts. It makes little difference for purposes of her termination (for not paying attention in class), but makes a huge difference for criminal purposes.

Where was the school's filter?

While the Norwich school's Information Services Director Bob Hartz reportedly told a school board hearing in January 2007 that the school was running Symantec's WebNOT filtering software [Editor's note: SecurityFocus is owned by Symantec Corp], Hartz stated that the automatic update feature was not activated – possibly due to an unpaid invoice. Thus, for at least three months, the system was not blocking many pornographic websites, including the ones seen by the 7th grade class. There did not appear to be any kind of adware blocking software on the school machines. This could explain why there had never been an incident involving pop-ups prior to that date, and – assuming, as Hartz later told the school board, a new filter was installed (and updated) it hasn't happened since. Filters aren't perfect – but outdated filters are much less than perfect. Now who again exposed the kids to materials that impaired their morals?

Now I am not suggesting, without a full review of the evidence, that it was impossible that Ms Amero voluntarily visited the porn sites while sitting as a substitute teacher in the 7th grade class. Stranger things have happened. I also don't think that the mere presence of spyware, adware, or even remote control or Trojan horse software should act as a perfect defense to any crime or fraud that someone might conduct. This is not a "twinkie-defense" – "gee, I have malware, you can't convict me of anything". I have previously written about the so-called Trojan horse defense to allegations of hacking or downloading pornography. Indeed, the defense may be misused, and only an independent forensic examination can say for sure. However, the facts of this case strongly suggest that the substitute teacher was the victim of mouse-trapping, and not a porn surfer.

Not only could Amero be sentenced to 20 years in jail, there is nothing to prevent the Connecticut legislature from requiring – years hence – that she register as a sex-offender, and have her name posted on the internet in that capacity. She rejected a government plea offer which would have guaranteed a probationary sentence and a non-felony conviction. Nobody seems to suggest that a 20 year sentence is appropriate, and indeed, it is likely that Amero will get probation anyway. But the real question here is: does the evidence support the criminal conviction for knowingly displaying pornography (as opposed to not doing her job, surfing other websites during class time, or failing to react properly to the pornographic websites.)

This seems to be an example of bad – or at least incomplete – lawyering on both sides, and the vagaries of a "jury of your peers". Firstly, neither the prosecution nor defense experts fully presented their cases – the prosecution because they had no notice that adware would be an issue, the defense because they weren't permitted to because of possible discovery violations. The jury was asked to render a verdict on incomplete evidence and vague and ambiguous jury instructions about exactly what the crime was. Moreover, juries tend to believe expert testimony, and experts frequently display a degree of certainty that is not supported by the facts. And that is the real crime here. How is it that you can have two experts examine the same computer and conclude – with equal degrees of certitude – that the defendant deliberately typed in the URLs, and that she did not? The answer lies not with science, or forensics, but with humans. People naturally come to forensic examinations with preconceived ideas, and trying to prove something. This dictates what files they examine, and what they conclude from these files. They shade their testimony and examination. What is possible becomes likely. What is merely unlikely becomes impossible. The truth is, we will see more people wrongfully convicted of crimes they did not commit because the computer indicates that they did it. And computers never lie, right HAL?

Institutional liability

This case is an object lesson not only to users, but to their employers as well. First of all, I want to point out that companies have a fiduciary obligation to their employees to take efforts necessary to prevent them from being unfairly and unjustly implicated in criminal activity – to have strong authentication systems, and decent policies and practices.

Now I am generally sympathetic to public schools, which depend on taxpayers to pony up funds for everything from books, pens, pencils, and computers to teacher salaries, physical plant, and softballs. They have tight budgets, high expectations, and usually very little support. So it's not unusual that they might have outdated equipment, unpatched systems, untrained users (particularly substitute teachers), outmoded or non-existent firewalls, no anti-virus or anti-spyware systems, and little access control. While this neighborhood in Connecticut is by no means low income, I am sure that budgets are tight there, like everywhere else. Computer security just isn't a high priority, especially when they are seeking $40m to renovate the school itself.

To help schools acquire new computer hardware and wire or rewire their schools, Congress in 2000 passed the Children's Internet Protection Act (CIPA). CIPA imposes certain types of requirements on any school or library that receives funding support for Internet access or internal connections from the "E-rate" program - a program that makes certain technology more affordable for eligible schools and libraries. In early 2001, the Federal Communications Commission (FCC) issued rules implementing CIPA. It requires schools that participate in the E-rate program to certify that they have an Internet safety policy and technology protection measures in place. This policy must include technology protection measures to block or filter Internet access to pictures that: (a) are obscene, (b) are child pornography, or (c) are harmful to minors, for computers that are accessed by minors. They also must adopt and enforce a policy to monitor online activities of minors including (a) access by minors to inappropriate matter on the Internet; (b) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (c) unauthorized access, including so-called "hacking," and other unlawful activities by minors online; (d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (e) restricting minors' access to materials harmful to them.

It is not clear whether the Norwich, Connecticut school district received E-rate funds, although many other Connecticut schools did, and a 2005 report by the Connecticut Department of Information Technology suggests that Norwich received E-rate funds and that it had "upgraded" its internet filtering in 2004 to the N2H2 Sentient filtering system. A report issued the day after the conviction by the Connecticut Education Network (CEN) confirms this.

Thus, Norwich was mandated to have measures in place to block access to pornographic sites. Would the failure to update blocking software take the school district out of compliance? It certainly would implicate the annual certification that they had blocking protection in place – or at least that they had effective blocking in place.

This points out that there are a host of laws and regulations that mandate levels of protection and security. These may include legal requirements to keep anti-spyware, anti-malware and anti-virus protections active and updated, to use appropriate filtering software, to monitor activities, and to take appropriate remedial efforts. Oh yeah, and to have an effective incident response program that includes computer forensics that will actually tell when and how someone may have violated these rules. Or when they simply appear to have violated the rules.

Indeed, several years ago I was involved in an incident where an employee was almost terminated for attempting to repeatedly hack into a series of computers located in Eastern Europe – pinging one IP address after another sequentially and repeatedly. Looked like a hack. A forensic examination of his computer indicated that he had inadvertently downloaded malware, which was unsuccessfully attempting to register itself at its home base.
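The pattern in that incident, a workstation contacting one address after another at a machine-like cadence, is exactly the kind of thing a first-pass triage script can surface before anyone reaches for a disciplinary letter. The following is an added example, not code from the article or from the incident it describes: it scores constructed firewall-style log lines per source host for two automation signatures (near-constant inter-event gaps and sequential destination IPs) and recommends a host image when both are present. The log format, the host names (`ws42`, `ws17`), the documentation-range IPs and the thresholds are all assumptions made for the example.

```python
"""Added example: triage outbound connection logs for automation signatures.

Regular cadence plus sequential destinations looks like a loop (a beaconing
implant or a scanner), not a person at a keyboard. The verdict says only
that host forensics is warranted; it never attributes intent to the user.
Log lines, host names and IPs below are constructed for this example.
"""
import ipaddress
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, source host, destination IP.
# ws42 walks 198.51.100.10-15 every 5 seconds; ws17 browses irregularly.
SAMPLE_LOG = """\
2007-02-01T09:00:00 ws42 -> 198.51.100.10
2007-02-01T09:00:05 ws42 -> 198.51.100.11
2007-02-01T09:00:10 ws42 -> 198.51.100.12
2007-02-01T09:00:15 ws42 -> 198.51.100.13
2007-02-01T09:00:20 ws42 -> 198.51.100.14
2007-02-01T09:00:25 ws42 -> 198.51.100.15
2007-02-01T09:03:12 ws17 -> 203.0.113.5
2007-02-01T09:11:40 ws17 -> 203.0.113.77
2007-02-01T09:12:03 ws17 -> 203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")


def parse_log(text):
    """Parse lines into (timestamp, host, destination IP as int); skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: tolerate, do not crash triage
        ts = datetime.fromisoformat(m.group(1))
        dst = int(ipaddress.ip_address(m.group(3)))
        events.append((ts, m.group(2), dst))
    return events


def analyze_host(events, min_events=5, max_cv=0.2, min_sequential=0.8):
    """Score one host's outbound events for machine-like behaviour.

    interval_cv: coefficient of variation of inter-event gaps (a loop gives
                 ~0; interactive browsing is bursty and irregular).
    sequential_fraction: share of consecutive events whose destination is
                 exactly the previous destination + 1 (address sweeping).
    Thresholds are assumptions for the example, tune them to your data.
    """
    events = sorted(events)
    n = len(events)
    if n < 2:
        return {"count": n, "interval_cv": None, "sequential_fraction": 0.0,
                "verdict": "insufficient data"}
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    avg = mean(gaps)
    cv = (pstdev(gaps) / avg) if avg > 0 else 0.0
    seq = sum(1 for a, b in zip(events, events[1:]) if b[2] - a[2] == 1)
    seq_frac = seq / (n - 1)
    automated = n >= min_events and cv <= max_cv and seq_frac >= min_sequential
    verdict = ("likely automated: pull host image before attributing to user"
               if automated else "no automation signature: review interactively")
    return {"count": n, "interval_cv": round(cv, 3),
            "sequential_fraction": round(seq_frac, 3), "verdict": verdict}


def triage(log_text):
    """Group parsed events by source host and score each host."""
    by_host = {}
    for ts, host, dst in parse_log(log_text):
        by_host.setdefault(host, []).append((ts, host, dst))
    return {host: analyze_host(evs) for host, evs in by_host.items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_LOG).items():
        print(host, result)
```

The point of the two-trait check is that either signal alone is weak: a person can open a run of adjacent addresses, and a scheduled task can be perfectly regular and benign. Both together, from a single workstation, are the cue to image the host and look for the process behind the connections before anyone concludes who was "attacking" whom.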

Similarly, the February 2000 distributed denial of service attack launched by the infamous mafiaboy involved bots that infected thousands of computers located mainly in academic environments. While these unpatched systems became the vehicles for attacks on others, a cursory forensic exam would have indicated that the colleges and universities were the source of, rather than the victims of, these attacks. The same thing is obviously true for spam bots, file parking, and other methods used by hackers to divert attention from themselves on to other innocent people or systems.

An incomplete forensic examination can lead to the creation of an "airtight" criminal case against the wrong person. Next time it could be a senior corporate executive who could face some jail time. Maybe then we will do something about it.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus