Windows Secrets Newsletter • Issue 97 • 2007-02-22 • Circulation: over 265,000
TOP STORY Pop-up ads can land you in jail

Meet Julie Amero, substitute teacher

There's a good chance that you've already heard something about Julie. She's perhaps better known as the Connecticut substitute schoolteacher who's been convicted of "child endangerment." She now faces a sentence of up to 40 years in prison because porn pop-ups appeared on a school computer.

For background on the case, you can read articles from the New York Times, MSNBC, or SecurityFocus. (Full disclosure: WSN editorial director Brian Livingston is quoted in the New York Times piece supporting Julie. The article at the MSNBC site is also a good read, but I don't recommend the accompanying video, which starts out with a falsehood and goes downhill from there.)

Let me begin by saying that I'm biased when it comes to Julie's innocence. I'm doing my best to spread the word about her case, and have offered my technical skills to support her defense. I have access to some technical experts who are reviewing the trial transcripts and computer forensic evidence. I can't point to a public reference to support all of my positions yet, so you'll just have to take my word, for the time being.

There are many points I could make about what's wrong with her case. But I'll stick with my core competency and just point out some of the technical flaws.

Flawed technology condemns an educator

The key issues were set in motion before Julie ever arrived to substitute-teach on the day in October 2004 when the pop-ups occurred. The school district had allowed its Web-filtering software support contract to expire, so the filter no longer received updates. The computer in question was running Windows 98, and the browser in use was IE 6. According to evidence analysis performed by Alex Shipp, an independent malware researcher, the antivirus software was a trial version of Cheyenne Antivirus (CA). That product had been discontinued by Computer Associates on Mar. 17, 2004. It appears that CA issued a last courtesy update on June 30. Julie taught the class on Oct. 19. The computer had no antispyware software.

In other words, this computer had almost no protection and an unsecurable operating system. This is the machine Julie was given to use.

On the day in question, the regular teacher was there before class to log Julie into the computer. Substitutes didn't have their own accounts, and were ordered not to log out or shut down the computer. Julie left briefly and, when she returned, the regular teacher was gone. She found students, some of whom didn't even belong in the upcoming class, Web surfing on the teacher's computer.

Experts now analyzing the hard-drive image have confirmed that the computer had been infected with adware days before Julie's arrival. Unfortunately, in this case, that means that when a student tried to visit a hairstyle Web site, he or she was instead redirected to a different site that advertised adult products. When Julie tried to close the site down, this started a pop-up cascade.

One thing I should mention about Julie: She's a total "computerphobe." She can perform basic computing functions, but that's about it. So what did she do when she couldn't get rid of the pop-ups? She turned the screen away from the students. It was at the front of the room, where the students would have had to be essentially at the teacher's desk in order to see. She did her best to get rid of the images without making it obvious to the students that something was wrong. If a student approached, she reportedly chased them away.

During a break, Julie went for technical help to get rid of the pop-ups, which reappeared as fast as she tried to close them, but she received no help. No one would return to the classroom with her. She was told not to worry about it. However, she was worried about it, and it turns out she had reason to worry — she was later arrested for "child endangerment."

Legal system fails pop-up victim

When law enforcement became involved, sanity should have prevailed. Instead, the technical flubs continued, and the case sped downhill. A detective was assigned to take a forensic image of the computer and perform a technical analysis.

Let me briefly tell you what I know about taking a proper forensic image of a computer that will be involved in a criminal case. Keep in mind that I'm not a forensics expert; these standards are just common knowledge in the computer security field. If you're going to image a drive for evidence, you connect the original drive through a hardware write blocker, so that nothing can be written back to it, and take a sector-by-sector image of the entire drive, including the "empty" (unallocated) space, where deleted files and other remnants live. Both the original drive and the image are hashed and the hash values recorded, so that the image can be shown to match the drive and any later tampering will be evident. You always work from copies of that image, never from the original drive. Typically, only software tools with support from existing case law are used. Otherwise, questions can arise over the soundness of the tools and techniques. Imaging tools with that kind of court record include EnCase and the Unix dd utility.

The detective in this case took an "image" of the hard drive with Norton Ghost. Norton Ghost is a tool used to back up a computer's hard drive in order to restore it to a known state after people have modified the configuration. It is often used on training or lab machines. There is nothing wrong with Ghost for what it does, but it is not a forensic tool: a backup tool is built to restore a working system, not to capture and prove the exact state of every sector on a drive as it was found.

So what did the detective use to examine the "image"? He used a program called ComputerCOP Pro. It appears that the program displays a version of the Internet Explorer history, which shows the URLs that were visited. At trial, this ended up translating to the prosecutor telling the jury that this means that Julie "physically clicked" those links. In fact, pop-ups show up in the history the same way as a link you click on: the history records that the browser fetched a URL, not how the request came about. Nor can the software tell you who was in front of the computer, who typed in a URL, or who saw the pictures displayed.

It's clear that someone who lacks the technical background to properly interpret the results, and is not willing to put in the time to figure it out, can jump to some very wrong conclusions. The detective never even looked for spyware on the computer. This is the kind of technical evidence on which Julie was convicted.

An innocent teacher awaits sentencing

Julie is now awaiting sentencing, which is scheduled for Mar. 2. I could discuss jail-time possibilities, but many of us are still refusing to accept any possibility other than someone coming to their senses and throwing the verdict out. To that end, the experts I mentioned are frantically preparing their report on the technical information. The hope is that the prosecution or court will recognize that there has been a basic mistake in the facts presented at trial before a sentence is handed down.

Despite my bias that I told you about, do you have reasonable doubt about Julie's guilt? For more information, see the julieamer blog at Blogspot, which is largely maintained by Julie's husband. There's a PayPal button at the top of that blog so people can contribute to help pay Julie's defense costs, which are reported to be over $20,000 so far.

Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias "Blue Boar." He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series. His Perimeter Scan column appears twice a month in the paid version of the newsletter.
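The acquisition steps sketched in the column (sector-by-sector copy, hashes of original and image recorded, analysts working from copies, a re-check before and after every examination), as an added example that is not from this column or from any of the tools it names. It uses the Unix dd utility and sha256sum (falling back to BSD shasum). The "drive" is a constructed regular file standing in for a block device such as /dev/sdb, and the hardware write blocker, which a script cannot reproduce, is assumed to sit between that drive and the imaging host; the function names (acquire, verify, work_copy, demo) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the newsletter: a minimal dd-based
# acquisition with hash verification. In a real case the source is a
# block device read through a hardware write blocker; here it is a file.

sha256_of() {
    # Print only the hex digest, using coreutils sha256sum or BSD shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire SOURCE IMAGE: copy every sector, record the hash of the original
# beside the image, then confirm the image hashes to the same value.
# Returns 0 only if original and image match.
acquire() {
    src=$1; img=$2
    # conv=noerror,sync: keep going past unreadable sectors and zero-fill
    # them, so the image keeps the same size and layout as the source.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    sha256_of "$src" > "$img.sha256"
    [ "$(sha256_of "$img")" = "$(cat "$img.sha256")" ]
}

# verify IMAGE: recompute the hash and compare it with the recorded one.
# Run this before and after each examination; a mismatch means the image
# (or its hash record) has been altered since acquisition.
verify() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# work_copy IMAGE COPY: examiners work on a verified copy, never on the
# master image.
work_copy() {
    cp "$1" "$2" && cp "$1.sha256" "$2.sha256" && verify "$2"
}

# demo: walk the whole procedure on a constructed 16-sector "drive" and
# show that a single changed byte in the working copy is detected while
# the master image still verifies. Returns 0 when every step behaves.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed stand-in for a drive: 16 sectors, every byte 'A'.
    dd if=/dev/zero bs=512 count=16 2>/dev/null | tr '\0' 'A' > "$tmp/disk.bin"
    acquire "$tmp/disk.bin" "$tmp/disk.dd" || { rm -rf "$tmp"; return 1; }
    work_copy "$tmp/disk.dd" "$tmp/work.dd" || { rm -rf "$tmp"; return 1; }
    # Overwrite one byte deep inside the working copy; verify must now fail.
    printf 'B' | dd of="$tmp/work.dd" bs=1 seek=1000 conv=notrunc 2>/dev/null
    if verify "$tmp/work.dd"; then rm -rf "$tmp"; return 1; fi
    # The master image was never touched, so it still verifies.
    verify "$tmp/disk.dd"; rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Note what the hash does and does not prove: a match shows the image is bit-for-bit what was recorded at acquisition, but it says nothing about who sat at the keyboard or how a URL came to be requested, which is exactly the gap the column describes.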
LANGALIST TIPS Make more space by deleting log files
Hidden log files eat your disk space

Log files can be useful: They're usually plain-text records of actions taken by software as it runs — changes made, files added or deleted, and so on. When something goes wrong, it may be possible to examine the appropriate log file to see what the software was trying to do when it encountered trouble. That, in turn, can be a valuable troubleshooting clue.

But over the years, log files have moved from front-line troubleshooting to a rarely used and obscure tool tucked away on your PC. Log files can be like weeds, growing in the quiet corners of your hard drive.

Try this experiment in order to see just how many log files are taking up space on your hard drive: Click Start, Search, then search All files and folders on your hard drive for any files named *.log. Odds are, you'll find hundreds of log files you probably never knew existed. (The \Windows\ folder tree alone is a rich repository of log files.) My system currently has almost 900 of the suckers!

With today's large disks, a passel of small log files isn't worth worrying about. But sometimes log files can become huge, or a single active program may create a large quantity of log files. Karen Cleveland found one such instance in the ZoneAlarm Security Suite, which logs practically every heartbeat. Let's take a look at her example, but keep in mind that the log-file proliferation caused by other programs can often be cured in similar ways:
You also can use various disk-cleaning utilities to delete log files automatically, if you're sure you no longer need them. For example, the free do-it-yourself CleanAll tool can easily be modified to delete any or all of the log files on your system each time it runs. But sometimes, software will lock a log file while it's in use, making it difficult to remove by normal means. A tool like the free and excellent MoveOnBoot (a more powerful paid version is also available) can delete files that are normally locked, in use, or otherwise unable to be deleted from inside Windows.

The above steps can take care of log files after they're created. But, of course, it's best to keep unneeded log files from being generated in the first place. Most log-creating software, including the ZoneAlarm Security Suite, lets you turn off the log-file function, if you're sure you don't need it. Keep in mind that a firewall's event log is the record you'd turn to if you ever suspected that something had got onto or out of your PC, so if in doubt, turn the logging level down rather than off.

Figure 1. This example shows how the ZoneAlarm Pro firewall lets you control its log keeping. The "Advanced" button allows even finer control.

For example, to enable, disable, or alter event logging and program logging in the ZoneAlarm Security Suite and in the stand-alone ZoneAlarm Pro firewall, follow these steps:

Step 1. Select Alerts & Logs.

Step 2. In the Event Logging area, select the desired setting. On creates a log entry for all events. Off means no events are logged.

Step 3. In the Program Logging area, specify the log level. High creates a log entry for all program alerts. Med. creates a log entry for high-rated program alerts only. Off means no program events are logged.

So, if you're drowning in log files — even hidden log files you never knew existed — you can easily get your head above water. Back up and delete the log files you don't want or need, and then adjust your software so that it doesn't create new unnecessary log files in the first place.

Running floppy-based tools with no floppy drive

Some software still legitimately needs to boot from a floppy drive.
Reader Chris Henshaw asks what to do when your PC no longer has a floppy to boot from:
The reason why BootItNG requires a floppy is also the main reason why I personally like and recommend it: BootItNG is 100% self-contained. When it's running from its boot medium, Windows is entirely inert. No files are open or in use. Nothing is "live" on the hard drive. This means that BootItNG's partition work and imaging work has no competition from other programs while it's running. Instead, the self-booting utility completely "owns" the PC and so is not likely to run into any problems with locked or in-use files, or files that change during the imaging process.

Most other disk-imaging tools that run from inside Windows (including Terabyte's own Image for Windows) rely on software sleight of hand, such as shadow-copy features, to create reliable backups and images of in-use and locked files. This usually works, but it is not as certain as booting from an external medium, because the operating system and other programs can still write to the disk while the image is being taken. In fact, this is also why some tools that use shadowing and similar techniques still recommend that you close all other programs before making an image or backup. That's the only way to get reliability on a par with that of externally bootable tools.

Admittedly, it's less convenient to use a tool that requires a separate boot. To me, it's worth it for the extra certainty of the imaging/backup process. But, it may not be for you. Indeed, BootItNG has a free trial period in which you can experiment to see if it fits your needs. If it doesn't, you haven't lost a dime.

CD-Rs don't survive freezing temperatures

It's midwinter here in the northern hemisphere, while our friends on the bottom half of the Earth swelter through summer. Either extreme can be deadly for CDs you create yourself, as reader Dalton Seymour found out:
Another look at HijackThis

Reader Chris DeWitt's note focuses on an old favorite antimalware tool:
Fred Langa edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets. Prior to that, he was editor of Byte Magazine and editorial director of CMP Media, overseeing Windows Magazine and others.
USEFUL LINKS Now, rechargeable batteries you can rely on

A new technology is about to change your opinion of rechargeable batteries, and products that take advantage of the new technique are already showing up in shops. (By Brian Livingston, Datamation) More info
WACKY WEB WEEK Gollum and Smeagol get their groove on
YOUR SUBSCRIPTION The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. Vacation breaks occur in late August, Thanksgiving Week, and Christmas/New Year's. Publisher: WindowsSecrets.com LLC, 300 Queen Anne Ave. N. #456, Seattle, WA 98109 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine). Editorial Director: Brian Livingston. Editor: Fred Langa. Contributing Editors: Susan Bradley, Scott Dunn, Mark Edwards, Woody Leonhard, Chris Mosby, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler. Managing Editor: Jody Braverman. Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners. HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page. WE GUARANTEE YOUR PRIVACY: 1. We will never sell, rent, or give away your address to any outside party, ever. 2. We will never send you any unrequested e-mail, besides newsletter updates. 3. All unsubscribe requests are honored immediately, period. Privacy policy HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,