State worker cleared on child porn charges that were due to malware

A fired Massachusetts state worker has been exonerated of a charge of possessing child pornography after computer forensics showed that his work laptop was infected with malicious software that was surreptitiously visiting illegal Web sites.

Michael Fiola, 53, was fired as a worker's comp fraud investigator with the Massachusetts Department of Industrial Accidents in March 2007 after IT administrators found cached images of child porn in the temporary Internet files in his browser, according to the Dark Reading security news site.

Fiola, described as being "computer illiterate," hired a forensics expert who found the evidence that was used to convince the court to drop the case last week. He remains unemployed and plans to sue the agency over his firing.

"Our lives have been hell," Fiola, a former state park ranger now living in Rhode Island told the Boston Herald. "I hope to recover my reputation, but our friends all ran."

His laptop initially attracted attention because its wireless usage was four times higher than that of his co-workers. But because the IT department hadn't properly configured the agency laptop and antivirus software wasn't working on the machine, it was riddled with Trojans and viruses, in addition to the malicious software that was bringing up the porn sites.

[krosavcheg]

Looks like looking first, then leaping here is the lesson. Don't assume someone is guilty until you actually start doing your homework first. Wireless access of any sort should always have the caveat of who else might me attached or using it. I hope he gets millions.

[Lerianis]

This is going to be more and more of a problem as time goes on. Simply time to legalize and regulate child pornography, just like we do with adult pornography, and add some more protections even to ADULT pornography, like mandatory mental health checkups a few times a year.

[Dalkorian]

Your "answer" couldn't be more wrong Lerianis. I'd rather they made it illegal to use winblows, which makes attacks like this easy. Legalizing child porn protects no one, children will still get exploited for profit and pleasure and the next trojan problem will be with terror sites instead. Nothing solved, more problems caused. The ultimate bad solution.

[Thomas, David]

Sounds to me like the IT staff should be fired

[n4zhg]

But they won't. Union rules. Now maybe this guy can sue them for official oppression under color, defamation of character and other things. Let's see if the state has the stones to shield them.

[The_Decider]

Need anymore reasons to not use Windows? Before you idiots start braying about AV software, OSX and Linux don't need those cycle stealing, memory hogging programs to run safely.

[allen b--2008]

Umm, yeah they do. You will not find an Apple press release that says, "you don't need AV." The only difference is that there aren't as many malicious applications that target these OS's. But once they overtake MS as the top OS, then there will be. Just watch.

[The_Decider]

Wrong, there are no in the wild exploits that can propagate itself. Your argument is sheer idiocy, security through obscurity has been debunked so many times. Market share and security have nothing to do with each other. Care to explain why Windows Server is a minor player with the vast majority of the exploits? Because windows products are easier to exploit.

[kkohnen]

Nah. Post naked pictures of the IT staff on the internet.

[n4zhg]

A sure substitute for ipecac...

[thedreaming]

You're supposed to be innocent before proven guilty, not the other way around. I hope he wins his case and sues them out of business!

[n4zhg]

Unfortunately it isn't possible to sue Massachusetts out of business, but we can hope.

[Seaspray0]

"OSX and Linux don't need those cycle stealing, memory hogging programs.." Only according to you, Decider. You CAN'T prove OSX and Linux are 100% free from security holes, therefore they DO need protection. On the other hand, I can prove that the are not 100% free... if they were, then there would have never been written security updates for either. Therefore, they DO need protection. I can't beleive anyone would be stupid enough to believe their OS is 100% safe. Let me guess, you work for an IT department in the state of Massachusetts?

[The_Decider]

Sheesh, idiocy abounds here. There is a difference between a security hole and an exploit. No one but you MS shills claim that people say OSX is 100% secure. This would have never, ever happened on a Linux or OSX laptop, that is fact.

[The_Decider]

Put a default configured windows machine next to a default OSX and Linux box. Connect them to the internet. Come back in 24 hours. Guess which box will be loaded with trojans, rookits and backdoors. Guess with two won't. People do this several time a year and every time Windows get owned.

I never said they don't need protection, I said they don't need AV software. Nice attempt at a strawman. I wouldn't expect this level of idiocy from you, your comments are exactly what vegetablehead, future guy, jean and suyts would blather about.

Again no one said that linux and OSX are 100% secure, you are this stupid to believe I did.

[alegr]

All THREE won't. The problem with Windows is between the chair and the keyboard. Unattended system will be OK. Why don't you do such an experiment? I can't believe you can't find a copy of XP SP3 or Vista SP1.

[The_Decider]

@alegr: Wrong again. There are many studies showing just that. An unattended default Windwos install will get owned fast. Go do a search on this subject. Seriously, are you being paid my MS or are you really this stupid. Windows is SIMPLE to exploit, WITHOUT any user intervention. Enjoy your delusions.

[jkoskovics]

You know, it's real easy for an arrogant individual to take advantage of a person and make them a victim...again, rather than pay attention to the real story.
The issue is responsibility of the employer who failed in their required dilligence and as a result, create a victim out of someone they should have protected, educated, and respected.

A lesson to users not to be so trusting, especially of the "experts" who set them up...litterally! But as for the rest of his life, he may never regain the trust and respect of those who gave value to his life...his friends. That's a little more important than a petty, childish attitude about an operating system. It's not about a platform, and it's not about data...it's about something more important.

[n4zhg]

And that's why this guy shouldn't settle for anything less than $25 million. Maybe when the taxpayers learn they have to cough up, there will be torched and pitchforks around the governor's mansion demanding accountability.

[protagonistic]

I have to say you are both right and wrong, but then the post you replied to is also wrong. As someone who no longer runs Windows, but rather uses OS X and PC-BSD and occasionally Linux I can speak from experience.

Anyway, no OS presently out there will keep a determined idiot at the keyboard from malware. Some OSs do better than others at this but they all have security holes. That being said, it is a whole lot easier to secure OS X, BSD and Linux than it is to secure Windows. Your odds of getting infected with malware with a default setup are much higher with Windows.

I do monitor my systems for any unusual activity because the only secure system is one that is locked in a vault and has no power applied. Even with those precautions someone will eventually figure out a way to access it. :-)

[alegr]

It's very easy to secure Windows. Change the user type to "Limited User" (and get rid of those programs that arrogantly require administrative privileges). That's what's by default in OS X.

[The_Decider]

@alger, that is not enough to secure windows. Getting elevation of privigedges is not hard on windows. Don't even try to compare the limited user account in windows with the multi-user setup in *nix. They are not even close to the same thing and all it does is show your ignorance.

[The_Decider]

Some applications need root access to function, that is not arrogance, that is fact.

[alegr]

Decider,
Only those functions need admin privileges that perform privileged actions. Normal user software doesn't need that. I know Windows in and out. Can you cite an example of something that unnecessarily need elevated privileges?


And, by the way, limited used account is no worse that non-root account in Unix. Is you think otherwise, feel free to tell.

[The_Decider]

The account system in Windows is a half-assed after though. The system used in *nix isn't. There are no comparisons between the two, and claims others shows you have little technical knowledge. I have written many desktop apps that need admin privileges. Lets see you write security software, for example, without it.

[alegr]

The account system in NT-based Windows is no worse than in U*X. In Win9x, it's an afterthought, but in NT it's NOT. I see you have little knowledge in Windows, beoynd Win9x. You sure don't know its kernel and usermode API. While I do know both Win32 and POSIX.

[miltor]

Wow. Decider is pretty arrogant. And wrong. Funny how those go hand-in-hand.

The fact is, the DEFAULT config in Windows is to download and install updates automatically AND to turn on the firewall. So, if I leave this brand new Vista box I'm building all alone for a few minutes, it'll get all of the updates, install them, and reboot.

Oh, the Server 2008 machine I'm running at home is my DMZ box, running with with no AV...guess what? All that internet traffic is pouring in, and it's virus and malware-free. Did I mention it's running in the default config? Firewall...Auto-updates...You know, things that a good sys admin utilizes. The defaults.

Now, please stop spewing garbage until you know what you're talking about.

[grinningevild]

And I thought Massachusetts was moving towards adopting open source applications on everything.

[n4zhg]

It was until Bill Gates had the CIO fired.

[Penguinisto]

While no OS is 100% safe from malware, I can say with certainty that if the guy used a Mac or Linux machine, he wouldn't have experienced this mess. OTOH, I'm fairly sure that the guy will likely never have to work another day of his entire life once his lawyers get done with the employer(s).

[alegr]

Good luck suing gvernment employer. They might be immune...

[Lerianis]

Not from this lawsuit, they are not immune. They should have scanned the computer for malware BEFORE saying to that person "You are under arrest for having child pornography!"

[sanenazok]

Maybe the lawyers won't have to work, but he almost certainly will. If he was a minority then it would be different thing all together...

[Penguinisto]

While no OS is 100% safe from malware, I can say with certainty that if the guy used a Mac or Linux machine, he wouldn't have experienced this mess. OTOH, I'm fairly sure that the guy will likely never have to work another day of his entire life once his lawyers get done with the employer(s).

[unknown unknown]

That's the problem with sex crimes, especially ones that involve children, everyone assumes someone is guilty the moment they're accused. It doesn't help we have people like Nancy Grace whipping people into child predator hysteria, and proclaiming them guilty on national TV. It is a very serious problem when it ruins innocent lives.

[sanenazok]

Re: Lerianis

You're headed to a tropical climate where you'll have a chance to say hi to Hitler!

[The_Decider]

What the hell is wrong with these idiots:

'OSX is 100% secure so it is as vulnerable as windows and therefore needs AV'

"No one has ever put a default Windows install on the INTERNET that got exploited"

"The only time Windows gets exploited is when the user does something stupid,."

It would be funny if it wasn't for the fact that this fan boys truly believe it.

[Lerianis]

Actually, Decider, that is true. 99% of the time when someone's computer is infected with malware, they have done something stupid: running without a firewall, running without antivirus, not anti-spyware scanning once a month or more, etc.

[itguy2003]

I think you are the fanboy... http://www.youtube.com/watch?v=Pe6clRUYTE0
I guess you were right about mac's not being able to be exploited. Sure if you put a PC on the internet with no updates it will be exploited, thats what updates are for and Apple has em too, same with *nix .

[sanenazok]

I agree that this would not have been a problem if the government decided to use Macs. It would be simple: they would only be able to afford one or two computers, at the most and this would have never happened.

[itguy2003]

No they would have had six :) , but it wouldnt have happened because they wouldnt have been able to use any usefull programs so they would have stayed in off mode.

[itguy2003]

They found the pictures in his temporary Internet files ? So what were browser windows of child porn flying around on his screen and he did not notice or think to tell anyone. He probably was looking at the child porn. Alot of porn websites have viruses and malware on them. So just because he had some malware on his PC he is innocent??? He got off on a technicality. Old perv was looking the **** up himself.

[wpcallaghan]

The browser window probably never displayed the photos. Someone just used the cache as a temporary location for storing the files. The gist of the story was that the employee had to pay someone big bucks to prove that he never downloaded or viewed the material.

It is fairly easy to use other computers for illegal activities if they are not protected with properly configured firewalls. It doesn't even take a lot of computer savvy.

[n4zhg]

There's a reason why they are called "script kiddies".

[russkeller]

You got a point. No matter what though justice was lost in this one. Either a bad guy got away or an innocent guy had his life destroyed living with that stigma.

[Advacery]

This is not about Operating Systems. I use several of them. One person bashing another persons Operating System in childish.

This is about someone being terminated by an employer before there was a competent investigation into wrongdoing according to a court. Then there is the issue of the long term consequences of the unjustified termination which has yet to be decided.

[wpcallaghan]

I don't know anything about Massachusetts labor laws, but in a lot of states the employer is perfectly in their right to fire an employee for having porn on their computer, regardless of whether or not they had any knowledge of it. In a case like this, there would be no recourse for the employee and no compensation, as long as the company followed proper procedures.

[Advacery]

wpcallaghan,

It appears he wasn't just fired. You don't end up in court charged with something when you're fired. The company must have turn over their suspicions to a prosecutor.

[n4zhg]

You people keep calling this a "company" and it is not. It is DIA, a government agency. They were the ones that turned over the data to the police. Of course, the police are about as computer literate as the poor slob they tried to railroad.

[wpcallaghan]

I don't know anything about Massachusetts labor laws, but in a lot of states the employer is perfectly in their right to fire an employee for having porn on their computer, regardless of whether or not they had any knowledge of it. In a case like this, there would be no recourse for the employee and no compensation, as long as the company followed proper procedures.

[Pause2Reflect]

Here's what will change as a result of this sad story: zip. Also, zilch, squat, and nada.

Prosecutors adore child porn cases. They enrage the public (justifiably) and appeal to the prurient subconscious, bringing more attention than any other type of case to the prosecutor -- along with a nice "child protecting hero" veneer. Add to this, over the past twenty years (and especially since 9/11) Americans have been tripping over each other in a non-race to see who can be more complacent about the disintegration of civil rights. The drivers for prosecution continue to firmly favor "shoot first, act questions later (or never)."

Maybe you're next. But of course, odds are you won't be, so don't worry about it.