Full Version: Beware Pop Ups.
skysoldier
Not sure this even goes on the board. But here goes. From Window Secrets Newsletter.

--------------------------------------------------------------------------------
TOP STORY

Pop-up ads can land you in jail

By Ryan Russell

If you find yourself the victim of pop-up ads on a computer, with children in the vicinity, you could face decades in prison.

I wish that I was exaggerating or being sensationalistic, but for Julie Amero this is far too real.


Meet Julie Amero, substitute teacher

There's a good chance that you've already heard something about Julie. She's perhaps better known as the Connecticut substitute schoolteacher who's been convicted of "child endangerment." She now faces a sentence of up to 40 years in prison because porn pop-ups appeared on a school computer.

For background on the case, you can read articles from the New York Times, MSNBC, or SecurityFocus. (Full disclosure: WSN editorial director Brian Livingston is quoted in the New York Times piece supporting Julie. The article at the MSNBC site is also a good read, but I don't recommend the accompanying video, which starts out with a falsehood and goes downhill from there.)

Let me begin by saying that I'm biased when it comes to Julie's innocence. I'm doing my best to spread the word about her case, and have offered my technical skills to support her defense. I have access to some technical experts who are reviewing the trial transcripts and computer forensic evidence. I can't point to a public reference to support all of my positions yet, so you'll just have to take my word, for the time being.

There are many points I could make about what's wrong with her case. But I'll stick with my core competency and just point out some of the technical flaws.

Flawed technology condemns an educator

The key issues were set in motion before Julie ever arrived to substitute-teach on the day in October 2004 that the pop-ups occurred. The school district had allowed its Web-filtering software support contract to expire, preventing the software from receiving updates. The computer in question was running Windows 98, and the browser in use was IE 6.

According to evidence analysis performed by Alex Shipp, an independent malware researcher, the antivirus software was a trial version of Cheyenne Antivirus (CA). That product had been discontinued by Computer Associates on Mar. 17, 2004. It appears that CA issued a last courtesy update on June 30. Julie taught the class on Oct. 19. The computer had no antispyware software.

In other words, this computer had almost no protection and an unsecurable operating system. This is the machine Julie was given to use.

On the day in question, the regular teacher was there before class to log Julie into the computer. Substitutes didn't have their own accounts, and were ordered not to log out or shut down the computer. Julie left briefly and, when she returned, the regular teacher was gone. She found students, some of whom didn't even belong in the upcoming class, Web surfing on the teacher's computer.

Experts now analyzing the hard-drive image have confirmed that the computer had been infected with adware days before Julie's arrival. Unfortunately, in this case, that means that when a student tried to visit a hairstyle Web site, he or she was instead redirected to a different site that had adult products advertised. When Julie tried to close the site down, this started a pop-up cascade.

One thing I should mention about Julie: She's a total "computerphobe." She can perform basic computing functions, but that's about it.

So what did she do when she couldn't get rid of the pop-ups? She turned the screen away from the students. It was at the front of the room, where the students would have had to be essentially at the teacher's desk in order to see. She did her best to get rid of the images without making it obvious to the students that something was wrong. If a student approached, she reportedly chased them away.

During a break, Julie went for technical help to get rid of the pop-ups, which reappeared as fast as she tried to close them, but she received no help. No one would return to the classroom with her. She was told not to worry about it. However, she was worried about it, and it turns out she had reason to worry — she was later arrested for "child endangerment."

Legal system fails pop-up victim

When law enforcement became involved, sanity should have prevailed. Instead, the technical flubs continued, and the case sped downhill. A detective was assigned to take a forensic image of the computer and perform a technical analysis.

Let me briefly tell you what I know about taking a proper forensic image of a computer that will be involved in a criminal case. Keep in mind that I'm not a forensics expert; these standards are just common knowledge in the computer security field.

If you're going to image a drive for evidence, you have to use special write-blocking hardware that helps take a sector-by-sector image of the entire hard drive, including the "empty" space. The image is then hashed so that any tampering will be evident, and you always work from copies.

Typically, only software tools with support from existing case law are used. Otherwise, questions can arise over the soundness of the tools and techniques. The imaging tools that have case law behind them are EnCase and the Unix dd utility.

The detective in this case took an "image" of the hard drive with Norton Ghost. Norton Ghost is a tool used to back up a computer's hard drive in order to restore it to a known state after people have modified the configuration. It is often used on training or lab machines. There is nothing wrong with Ghost for what it does, but it is not a forensic tool.

So what did the detective use to examine the "image"? He used a program called ComputerCOP Pro. It appears that the program displays a version of the Internet Explorer history, which shows the URLs that were visited. At trial, this ended up translating to the prosecutor telling the jury that this means that Julie "physically clicked" those links. In fact, pop-ups show up in the history the same way as a link you click on.

In truth, the software also cannot tell you who was in front of the computer, who typed in a URL, or who saw the pictures displayed. It's clear that someone who lacks the technical background to properly interpret the results, and is not willing to put in the time to figure it out, can jump to some very wrong conclusions. The detective never even looked for spyware on the computer.

This is the kind of technical evidence on which Julie was convicted.

An innocent teacher awaits sentencing

Julie is now awaiting sentencing, which is scheduled for Mar. 2. I could discuss jail-time possibilities, but many of us are still refusing to accept any possibility other than someone coming to their senses and throwing the verdict out.

To that end, the experts I mentioned are frantically preparing their report on the technical information. The hope is that the prosecution or court will recognize that there has been a basic mistake in the facts presented at trial before a sentence is handed down.

Despite my bias that I told you about, do you have reasonable doubt about Julie's guilt? For more information, see the julieamer blog at Blogspot, which is largely maintained by Julie's husband. There's a PayPal button at the top of that blog so people can contribute to help pay Julie's defense costs, which are reported to be over $20,000 so far.

Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias "Blue Boar." He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series. His Perimeter Scan column appears twice a month in the paid version of the newsletter.
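
The acquire, hash, and work-from-copies sequence the article describes, as an added example that is not part of the original post or the newsletter article. The file names and the `drive.bin` stand-in for a write-blocked drive are constructed, and `sha256sum` is an assumption (the article names no hash tool).

```shell
#!/bin/sh
# Added example. SRC stands in for the write-blocked drive; in a real
# acquisition it would be a device node behind hardware write blocking.

hash_of() {            # print the SHA-256 of a file
    sha256sum "$1" | awk '{print $1}'
}

acquire() {            # acquire SRC IMG: block-by-block copy, then record its hash
    # noerror,sync keeps offsets aligned if a sector is unreadable
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    hash_of "$2" > "$2.sha256"
    chmod a-w "$2" "$2.sha256"      # the master image is never edited
}

working_copy() {       # working_copy IMG COPY: analysis happens on COPY only
    cp "$1" "$2" && chmod u+w "$2"
}

verify() {             # verify FILE HASHFILE: succeeds only if FILE is unchanged
    [ "$(hash_of "$1")" = "$(cat "$2")" ]
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed stand-in drive: 64 sectors, all "empty" except one.
    dd if=/dev/zero of="$d/drive.bin" bs=512 count=64 2>/dev/null
    printf 'constructed sample data' |
        dd of="$d/drive.bin" bs=512 seek=3 conv=notrunc 2>/dev/null
    acquire "$d/drive.bin" "$d/evidence.dd" || return 1
    working_copy "$d/evidence.dd" "$d/work.dd" || return 1
    verify "$d/drive.bin" "$d/evidence.dd.sha256" && echo "image matches source"
    verify "$d/work.dd" "$d/evidence.dd.sha256" && echo "working copy matches image"
    # Alter a single byte in the "empty" space of the working copy.
    printf 'X' | dd of="$d/work.dd" bs=1 seek=20000 conv=notrunc 2>/dev/null
    verify "$d/work.dd" "$d/evidence.dd.sha256" || echo "change detected"
    rm -rf "$d"
}

demo
```

Because the copy covers every sector, a one-byte change in unallocated space alters the hash just as a change to a file would.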
Datababe
Paperghost has launched a campaign to support this poor victim of misguided misjustice, more info here:

http://www.vitalsecurity.org/

My emails will be duly sent. I do some security stuff as part of my job, and one thing I am always very conscious of is the fact that the malware I find is often from "drive-by" downloads, and nothing the user deliberately did. I've had supervisors come to me concerned over nearly hysterical employees who reported (many in tears) they'd had a sudden pr0n pop-up on their computers and were TERRIFIED they'd get fired. The fact that Internet Exploder is the company standard doesn't help.

It's not that hard to trace which user account has done what on a machine. This sets a dangerous precedent and shows all too clearly what happens when technical illiteratae are involved where they have no d*mn business being. I'd bet half that jury - and the judge herself - prolly couldn't change the freakin' wallpaper on their own computers to save their lives. If they even know how to turn one on.

And I'd love to see the index.dat files off the prosecuting attn'ys computers - home and work. I don't doubt the computers of most of the Norwich police force contain some real gems as well.

**USE OF EXPLETIVES IS UNNECESSARY**. }:-[
skysoldier
Great Post Datababe, not that I will read all bazillions reports myself. But that this stupid injustice has been brought to the lamp and now the big protector of foolishness is being laid to waste on this case. Thanks I didn't give it much thought once posted. This crap happens everyday now here in America, land of the free and where any fool can get power and abuse it freely.
Again thanks for a great follow up. It is better reading than the original I posted. lol

I understand the stupidity of trying to blame the wrong person on the drive by pop ups. But this case is beyond stupid!!
Datababe
I had to stop following some of the links I started with from PG's blog myself; I was getting too ticked off.

One of the MANY things that bugs me about this whole mess is: this is a substitute teacher. She was logged in to the computer with a staffer's account, as she did not have her own. There is also evidence that some students were surfing on the computer right before the popups started. Yet the school could not rush fast enough to pin the blame on the most defenseless - and dispensable - person.

Covering up some tracks, do you suppose? I d@mn well do.

To heck with the attorneys' and the cops' computers. Let me grab a copy of Web Historian and have just twenty minutes with that classroom computer.

And then maybe fifteen with the PRINCIPAL'S computer.

Oh ho ho ho...methinks he'd have some s'plaining to do.
skysoldier
Yes. I can't understand the way our government and legal system is going. For one it is against right and the people's desires.
This case is just as stupid as the 2 border guards who shot a drug smuggler and they go to prison. And the drug smuggler is free and again crossing the border with more drugs. We can't win a war on drugs doing it the right way and now we hamper the guys who try to do their job.
This country in a few years will be a 3rd rate nation. And we deserve it. The people need to stand as one and tell law enforcement and the government (both elected and the cronies they appoint) to do as they are told and stop playing with our lives as if they mean nothing.
Want further proof look at any public school and its graduation rate of seniors. Here in Indiana it is 40%.
But gas is 2.49 and nine tenths today up $00.20 in one day! Big business runs this country so why elect anyone and pay them. We the people (sorry not meant to hurt anyone's feelings as some do try to correct things) are the fools and allow all this crap to happen!
One needs to see the WHOLE picture not a quick 15 second news spot. And one needs to be informed on ALL matters not just a cause here or there. Now again I say this is just IMHO!!!
But I dare anyone to prove me wrong on any of the above. DARE anyone to even try!
Compguy Pete
Politically directed topics are not allowed at SAF. This thread has been closed.