Com·put·er: an electronic device designed to accept data, perform prescribed mathematical and logical operations at high speed, and displaythe results of these operations. Also called processor. Posts in this category pertain to the use and technology of computers.

Microsoft Concedes Linux Threat

Filed in LinuxTags: Computers, Geekery, Windows

Consider two recent bits of news from Microsoft:

  1. Microsoft extends life of Windows XP for Ultra-Low-Cost PCs
  2. Microsft Vista successor Windows 7 rumored to be released in 2009

What do these mean? Two things: Microsoft recognizes that Vista has not been well-received in the market, and Microsoft recognizes an emerging threat from Linux.

Consider the various markets for computers: enterprise (corporate) systems, high-end (gaming, graphic design, etc.) systems, standard consumer systems, and ultra-low-cost PC (ULCPC) systems. Other niche markets also exist, as well.

Even more than a year after its release, Vista has not been well-received in any of these markets. By all accounts, the corporate adoption rate has been dismal. Due to hardware/software compatibility issues, users of high-end systems likewise have stuck with Windows XP. ULCPCs do not meet the system requirements for Vista. The other niche markets include MacOS and Linux users who don't use any version of a Microsoft operating system.

This scenario leaves the standard consumer system market as the only viable growth option for Vista. This market includes the pre-configured computers purchased through retail outlets or manufacturers' direct-sale web sites. The vast majority of Microsoft's claimed, more than one hundred million Vista license sales come from this market. However, consumer backlash against pre-installed Vista has led to a resurgence of sorts in sales of Windows XP installation media. Windows Vista has trailed Windows XP in these so-called boxed-copy sales from the week Vista was released - and many of those XP copies are being installed over pre-installed Vista.

Microsoft's business model for Windows depends upon the operating system becoming a commodity - that is, for the average computer user, Windows equals computer use, and computer use means Windows.

In this model, corporations standardize on Windows, and follow the upgrade path defined by Microsoft: when Microsoft releases a new OS, corporations dutifully upgrade their systems all at once. In the consumer market, the business model assumes first that users will view the operating system as an unchangeable part of the computer, and second, that those users will replace their systems every 2-3 years, by purchasing another pre-configured computer at retail.

Similar to Microsoft's Office business model, in which Microsoft ensured product lock-in by creating an environment in which their proprietary document format was used by 99% of productivity suite users, Microsoft's Windows business model ensured product lock-in by creating dependency on Windows-only third-party applications and by creating an environment in which consumers could only purchase PCs with Windows pre-installed.

Previous threats to this business model have been relegated to servers, high-end systems, and certain niche markets: Linux is incredibly popular in the server market, MacOS owns the market of those for whom their computer is a fasion statement or status symbol, the computer-geek market often favors GNU/Linux, etc.

However, the emergence of the nascent ULCPC market poses a serious threat to Microsoft's Windows business model. ULCPCs appeal to lower-income PC owners in the US and Europe (the largest PC markets), but are also being targeted at impoverished and third-world communities - especially as an educational tool for children in those communities (see: OLPC and similar projects). These ULCPCs open up a market segment that could, theoretically, dwarf either the corporate or consumer market segments; not to mention, the ULCPC would have an impact on at least the consumer market segment, given its attractive price.

This emerging market would not threaten Microsoft's business model, were it not that almost all such PCs currently come pre-installed not with a Microsoft operating system, but rather with GNU/Linux. These PCs favor Linux for two reasons:

  1. Hardware capability: ULCPCs, due to their hardware specs, are better-suited to running Linux. In almost all cases, they cannot run Vista at all. In most cases, though many are capable of running XP, they perform better under Linux.
  2. Cost: Linux distributions are almost all free; Windows requires licensing - a cost which directly impacts the bottom-line cost for the consumer, and which is counter-intuitive to a product positioned as "very low cost."

Thus, the ULCPC market segment poses a serious threat to Microsoft's market share. This short-term threat, if realized, would have long-term impact on Microsoft's Windows business model.

Should Linux-based ULCPCs become the norm, then what is potentially the largest market segment would be brought up in an environment in which Microsoft Windows is not equivalent with computer use. If the ULCPC brings the computer to those segments of the world population that could not otherwise afford a computer, then this entire population would be brought up in this non-Microsoft Windows environment.

Currently, one of the most popular ULCPCs is the EeePC, sold by Asus. This computer has proven to be popular: sales are expected to be around four million units for 2008 - and while Asus now makes a Windows XP model, the EeePC originally only came pre-installed with Linux. Granted, Asus expects the XP model to take up about 60% of expected 2008 sales, but that still leaves 40% - or nearly two million units - of those sales for Linux-based units.

Microsoft has conceded that increasing Linux pre-installation poses a threat to its Windows market share, due primarily to the ULCPC market. (Linux pre-installation in the consumer market segment, while not insignificant, still remains a niche. It may yet pose a threat to Microsoft's dominant market share, but that outcome will take significant time.) Note that, in order to break into the ULCPC market, Microsoft had to make two important concessions: Microsoft first had to offer discount XP licenses to ULCPC manufacturers, and then had to extend the end-of-life date for XP at least another year.

Microsoft has found itself caught in an untenable situation: take reduced profits (due to licensing discounts) on OEM sales of a product the company wants to end-of-life (Windows XP), in order to prevent a potential hemorrhage of market share, meanwhile trying to cut losses on the product into which the company has most heavily invested in the past seven years, but which has been mostly rejected by the market (Windows Vista) - all while being forced to put all long-term hope in a product the company must now rush to get out the door early in order to stem the tide (Windows 7).

Microsoft is facing a complete upheaval of its operating-system business model. Could this scenario be the reason that Microsoft is all of a sudden so interested in buying Yahoo?

Linux Survives PWN 2 OWN Contest; Mac, Vista Fall – and What It Means For You

Filed in LinuxTags: Computers, Geekery, Windows

Head-to-head-to-head, Vista vs. MacOS vs. GNU/Linux in the PWN 2 OWN contest at CanSecWest 2008:

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it...

Each has a file on them and it contains the instructions and how to claim the prize.

Targets (typical road-warrior clients):

  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

...Once you extract your claim ticket file from a laptop (note that doing so will involve executing code on the box, simple directory traversal style bugs are inadequate), you get to keep it.

The contest took place over three days, the challenge - and the cash prize - diminishing each day:

Day 1: March 26th: Remote pre-auth

All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.

The pwned machine(s) will be taken out of the contest at that time.

Day 2: March 27th: Default client-side apps

The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.

The pwned machine(s) will be taken out of the contest at that time.

Day 3: March 28th: Third Party apps

Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.

All three laptops survived the first day, as none of the contestants attempted any hacks.

However, day two brought the first successful attack: the MacBook Air was compromised in a matter of minutes. The attack vector was the Safari web browser. The contestant instructed the MacBook Air user to navigate to a specially designed web page using Safari. The attack reportedly took less than two minutes:

Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing.

And finally, day three saw the second successful attack, as the Vista laptop was compromised. This time, the attack exploited a reportedly cross-platform vulnerability in Java:

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."

That means that in the end, only the GNU/Linux laptop (running Ubuntu) was left standing.

What is the moral of the story here? Well, in my opinion, there are two:

  1. Don't believe the Apple/Mac hype from Steve Jobs or his army of Apple fanboys. According to the two winning contestants, the Mac was the easiest of the three targets. Those who claim that Apple is inherently more secure have been proven to be making a baseless claim.
  2. More importantly, remember that the single, weakest link in security is the user (this means you). The successful attacks were accomplished by exploiting vulnerabilities not in the OSes themselves, but in standard-install and popular third-party apps (web browser, Java). A security-ignorant user can have his Mac box compromised, just as a security-aware user can safely use his Windows box.

So, as a user, what can you do to protect yourself? Many things - and these apply regardless of which Operating System you choose:

  1. Always operate behind a hardware firewall. Even if you only have one computer using your broadband internet connection, set it up behind a router. These devices are cheap (less than $100 for a wi-fi router, and $50 or less for an ethernet-only router), and provide the lion's share of protection you need for your computer.
  2. Never run as root (administrator). All operating systems have the ability to set up and use accounts with non-admin privileges. Linux and MacOS do so by default. Windows notoriously hasn't in the past, but one of the best changes in Vista - annoying though it may be - is the User Account Control, allowing a user to operate without admin rights, until explicitly elevated. If you are still using WinXP (or older), set up an account with admin privileges, but also an account without admin privileges. Use the non-admin account on a regular basis.
  3. Stay away from the internet's red-light district. While it is true that any web site can be hacked, most internet-based exploits are found on adult web sites, warez (software-pirating) web sites, and other "black-hat" (malicious computer hacking) web sites. Avoid them, and you will limit your exposure.
  4. Never, ever, open unsolicited email attachments. Surprisingly, email remains a viable attack vector, even though this basic rule has been preached for over a decade. If you receive an email attachment you didn't request or weren't otherwise expecting, do not open it. Period.
  5. Use web scripts judiciously. Use ActiveX even more suspiciously. Most browser-based attacks take advantage of JavaScript (cross-platform), the Java Runtime Environment (JRE, also cross-platform), or ActiveX (IE-, and thus, Windows-only). If you use Firefox, use the No Scripts plugin. If you use Internet Explorer, set ActiveX controls to require explicit authorization.
  6. Keep your third-party apps to a minimum. If you must use them, keep them updated. Another common attack vector is vulnerabilities discovered in third-party apps (e.g. QuickTime, Adobe Flash, Skype, etc.). If you don't need them, don't use them. Don't have them running by default. If you must have them, ensure that their browser plugins are configured not to launch/run automatically.

There is, as always, more (avoiding phishing, etc.); but the above list should provide the bulk of protection. Learn to modify your computer-use behavior, bearing in mind that you cannot place ultimate trust in your operating system to protect you.

Beware Sears Spyware

Filed in Social IssuesTags: Computers, Internet, Privacy, Technology

Slashdot posts about Sears installing spyware under the guise of the "My SHC Community" service. Instead of an innocuous service, users who agree to install the software get ComScore spyware, including a software proxy capable of tracking every transaction performed on the internet - from web sites visited, to login credentials, to emails.

More information from the CA Community Advisor Security Research Blog, which indicates that the spyware has been found on the and websites.

If you see a pop-up window soliciting participation in "My SHC Community" do not pass go, do not collect $200, close the pop-up. Better yet, avoid doing business - if at all possible - with companies that would attempt to install spyware (especially companies that do so as deceptively as this).

Update: RIAA Still Completely Insane, Just Not Acting On It (Yet)

Filed in Social IssuesTags: Computers, Copyright, Fair Use, Internet, Music, Technology

Yesterday I wrote about an RIAA lawsuit against someone solely for ripping legally purchased music CDs. Engadget posted an update that the lawsuit is not for ripping CDs, but rather is one of RIAA's garden-variety MP3 distribution lawsuits. A commenter on their previous post linked to the summary judgement that states as much.

While I pointed out in the previous post that the RIAA still states its belief that ripping CDs - even for personal use - is a copyright violation, they (thus far) have yet to make that argument in court. Here is a key statement from the brief (pg. 6, lines 11-20 - emphasis added):

Howell also objects to liability on the grounds that he owns compact discs (“CDs”) containing the disputed sound recordings and that he “translated” them to his computer for personal use. In support of this argument, Howell attached photographs of CDs and cases to his Response. However, the question is not whether Howell owned legitimate copies of some of the sound recordings on CD, but instead whether he distributed copies of the recordings without authorization. Howell’s right to use for personal enjoyment copyrighted works on CDs he purchased does not confer a right to distribute those works to others without Plaintiffs’ authorization. 17 U.S.C. § 106(3). As he admitted that the sound recordings were “being shared by [his] Kazaa account,” Howell is liable for distributing them in violation of the recording companies’ exclusive right.

That said, given the RIAA's rumblings, don't b e surprised when they eventually sue someone merely for ripping legally purchased CDs.

I would also point out something that may prove to be the impetus for not only the downfall of the RIAA's war on consumers, but also for the application of current copyright law - and that is the application of current statutory damages for copyright infringement to MP3 distribution. Current law allows for damages from $750 to $30,000+ per infringed work.

Given that the going rate for an MP3 is on the order of $1 per song, awarding a statutory damage of even the minimum $750 per song is absolutely outrageous - especially considering that the lawsuit is a case of distribution-by-making-available claim. Here, the RIAA made no effort to prove any actual distribution, but only that the defendant violated laws against distribution of copyrighted work merely by making it available in a publicly accessible, "shared" folder.

Clearly, the RIAA here cannot show anything close to $750 per song in actual damages - and even if the award is considered punitive rather than statutory, the punishment far outweighs the crime. The RIAA's continual pursuit of these statutory damage awards will not only result in a consumer revolt, but may actually lead to public outcry for a revision of the copyright law in question.

Of course, music labels - and thus, the RIAA - are on the verge of going the way of the dinosaur. More artists will produce and distribute their works independently, cutting out the middlemen represented by the RIAA.

IMO, it can't happen soon enough.

RIAA Officially Gives Paying Customers the Middle Finger

Filed in Social IssuesTags: Computers, Copyright, Fair Use, Music, Technology

Engadget links to a report that the RIAA is suing someone not for distributing digital copies of music, but for making personal digital copies of legally purchased CDs. Some of the quotes from the RIAA and their lawyers are amazing:

"If you make unauthorized copies of copyrighted music recordings, you're stealing. You're breaking the law and you could be held legally liable for thousands of dollars in damages."

At the Thomas trial in Minnesota, Sony BMG's chief of litigation, Jennifer Pariser, testified that "when an individual makes a copy of a song for himself, I suppose we can say he stole a song." Copying a song you bought is "a nice way of saying 'steals just one copy,' " she said.

Like the defendant in this absurd lawsuit, I am confident that the courts will uphold what is clearly a fair use of copyrighted work. The RIAA will rue the day tha tthey brought this lawsuit - not only for their legal defeat, but also for the public relations nightmare that the suit will become.

Note that this is not the first time the RIAA has made this argument. Of course, the last time it did so, it directly contradicted its own testimony before the U.S. Supreme court, in which RIAA lawyers stated:

"The record companies, my clients, have said, for some time now, and it's been on their website for some time now, that it's perfectly lawful to take a CD that you've purchased, upload it onto your computer, put it onto your iPod."

Fair-use resources: EFF, Chilling Effects, Stanford Law

Julie Amero Update

Filed in Social IssuesTags: Computers, Education, Internet, Technology

An update on the miscarriage of justice in the Julie Amero case, about which I previously wrote:

PC World's Steve Bass reports on responses he received from both a juror in the trial, and also from the detective in the case against Julie Amero. Both responses only further prove the gross injustice in Amero's arrest, trial, and conviction.

First, the juror. Bass does a decent job fisking the juror's email, and the comment thread further rebuts the juror. Here are the words of the anonymous juror, who identifies himself only as ConnYankee1951 [Bass' comments interspersed]:

I was on the jury and yes we did find her guilty.

But everything seems to be misquoted by the papers and reporters envolved [sic]. The bottom line was that it didn't make a difference who or how the porn sites showed up on the computer.

The fact that a teacher in a public scol [sic] system did absolutly [sic] nothing to keep it away from the children is what was wrong. Yes we were told that she was given no permissions to turn off the computer, she also said she was not allowed to use any other school equipment.

Bass' comments: According to the trial transcript, Amero testified that she made every attempt to keep the children from seeing the images. In fact, a number of children at the trial testified that she had attempted to block them from seeing the screen. Also, another substitute teacher testified that Julie had asked for help in the teachers lounge.

If a 40 year old school teacher does not have the sense to turn off or is not smart enough to figure it out, would you or any other person wanting her teaching your child or grandchild?

Bass' comments: At the trial Amero testified that she didn’t, in fact, know how to turn a computer on or off.

The juror states: "The bottom line was that it didn't make a difference who or how the porn sites showed up on the computer." Curious statement, that. Let's explore it in more depth, shall we?

First, we need to understand the statute of which Amero was convicted. The germane clause in the statute is as follows:

(a) Any person who (1) wilfully or unlawfully causes or permits any child under the age of sixteen years to be placed in such a situation that the life or limb of such child is endangered, the health of such child is likely to be injured or the morals of such child are likely to be impaired, or does any act likely to impair the health or morals of any such child

The previously linked blog also quotes the jury instruction that accompanies the "risk of injury to a minor" charge:

To find the defendant guilty of wilfully or unlawfully causing or permitting any child under sixteen years to be placed in such a situation that the life or limb of such child is endangered, the health of such child is likely to be injured or the morals of such child are likely to be impaired, the state must prove the following elements beyond a reasonable doubt: (1) that at the time of the incident, the alleged victim was under the age of sixteen years; and (2) that the defendant wilfully or unlawfully caused or permitted the victim to be placed in a situation that endangered the child's life or limb, or was likely to injure his health or impair his morals.

The conduct to be punished must involve a child under the age of sixteen years. The statute also requires wilfulness or unlawfulness in causing or permitting the child to be placed in a situation that his life or limb is endangered, or his health is likely to be injured, or his morals are likely to be impaired. This is the conduct of a person that is deliberately indifferent to, acquiesces in, or creates a situation inimical to the child's moral or physical welfare.

''Wilfully'' means intentionally or deliberately. ''Unlawfully'' means without legal right or justification. Causing or permitting a situation to arise within the meaning of this statute requires conduct on the part of the defendant that brings about or permits that situation to arise when the defendant had such control or right of control over the child that the defendant might have reasonably prevented it.

I am not a lawyer, nor do I play one on tv (nor on my blog). However, the statue and jury instruction seem pretty clear to any reasonably intelligent reader. The entire case rests upon the prosecution's ability to fulfill the burden of proof "that the defendant wilfully or unlawfully caused or permitted the victim to be placed in a situation that endangered the child's life or limb, or was likely to injure his health or impair his morals."

In order for conviction, the prosecution must have proved that Amero 1) intentionally navigated to the illicit web sites in question, and/or 2) did not prevent the students from viewing the illicit images in question. Thus, the juror's statement that the manner in which the images appeared on the computer did not ultimately matter is demonstrably incorrect.

According to both the juror's own statements (following below) and known facts surrounding the trial, the prosecution based their case around - and the jury convicted upon - in part the former allegation. That Amero allegedly navigated to the web sites in question appears to have been a key point in demonstrating her intent (or mens rea). Proving this allegation is critical to proving that Amero was responsible for willfully or unlawfully placing the students in a situation that would impair their morals. The prosecution clearly made the case (and the jury apparently believed) that Amero intentionally navigated to the illicit web sites. If the prosecution's case rested merely on the latter allegation, then the questions of browser history, pop-ups, javascripts, and links would never have arisen, as they would not have mattered.

I will address the allegation itself below, with the juror's comments concerning the prosecution's evidence attempting to prove it.

Back to the juror:

If you and your wife were watching an xxx rated movie the you put into the dvd player, you powered it up and you hit play, then went into the other room for a snack and your child or grandchild entered the room would you expect your wife to stop the dvd or just let it play because she didn't start it. No you would be upset as all get out.

Even giving Julie the benefit of doubt, not knowing enough about a computer to be able to turn it off. Some paper and tape would have covered the screen or a coat or sweater, it was October after all.

First, the juror's analogy does not apply; the premise is entirely different. That said, let's explore his argument: illicit material was on display on the computer's monitor, and Amero did not take appropriate action to prevent the students from viewing it.

If we ignore the former allegation (that Amero created the situation by navigating to the illicit web sites), then no basis exists to claim that Amero's actions were willful or deliberate. Thus, in order to prove that Amero was guilty of "conduct of a person that is deliberately indifferent to, acquiesces in, or creates a situation inimical to the child's moral or physical welfare", the prosecution had to prove that her actions were unlawful. In other words, the prosecution had to prove that Amero, without legal right or justification, permitted a "situation to arise when the defendant had such control or right of control over the child that the defendant might have reasonably prevented it."

First, the prosecution had to prove that Amero had no legal right or justification for her actions. Second, the prosecution had to prove that Amero did not exercise rightful control over the children to prevent the situation.

On the first point, even the juror conceded that Amero had potential legal justification for her actions: her lack of expertise with computers, and her instruction not to turn off the computer. Again, I am no lawyer, but I question the legal precedent of the "paper and tape or sweater or coat" argument with respect to what Amero could have done and what she was legally compelled to have done. Let us recap Amero's actions in response to the situation:

  • Amero attempted to block students' view of the screen, and to push students' faces away from the monitor.
  • Amero attempted to close the pop-up windows that were displaying the illicit images.
  • Amero sought out assistance from another teacher (and was refused help).

Amero clearly and demonstrably attempted to resolve the situation. To claim that Amero was criminally responsible for the situation, as defined by the statute in question, because she did not think to resolve the situation by the entirely arbitrary means of "paper and scissors", "a sweater", or "a coat" seems to me to be incredibly specious.

On the second point, it appears that the prosecution attempted to prove that Amero did not exercise rightful control over the computer - but according to the statute, the burden of proof exists to demonstrate that the defendant did not exercise rightful control over the students. According to the statutes, what Amero did with respect to the computer has, at best, only indirect relevance to what Amero did with respect to the children in exercising her rightful control over the children in order to prevent the situation.

In other words, it is mostly irrelevant that Amero didn't unplug or turn off the computer, or cover the monitor, because such actions do not represent exercise or failure in exercise of rightful control over the students. To the contrary, Amero's actions demonstrated that she made a reasonable effort to exercise her rightful control over the students (see the list above). Further, note that, as a substitute teacher, Amero had considerably less "rightful control" over the students than a regular teacher would have had.

Speaking of "rightful control" over the students, why was the school's IT administrator not held accountable on the same charge? We know that the computer's web-site filtering software was out-of-date at the time the incident occurred. Clearly, the IT administrator was negligent in exercising his rightful control over the students, by allowing the filtering software to become outdated, thus allowing school computers to be used to navigate to illicit web sites. Also, the IT administrator did not maintain the security robustness of the school's computers: the computer had no firewall, its antivirus software was outdated, and the computer was infested with various forms of malware. This negligence is undoubtedly more egregious than anything Julie Amero did or could have done on the morning in question.

On this point, the school board continues to give the appearance of using Amero as a scapegoat for the school's own negligence. Commenting on the trial, current Norwich superintendent Pam Aubin has said, "this wasn't a computer out of control. People are complicating this too much. [Amero] had a responsibility to teach the students. That didn't happen." This blog post also quotes the superintendent at the time of the incident:

Michael J. Frechette, the Norwich superintendent at the time of Amero's arrest, said this was simply a teacher with pornography. "We were just reacting to the facts."

Clearly, either the school administration didn't know "the facts", or else they know the facts and are choosing to deny them. First, a computer openly exposed to the internet, with no firewall, outdated antivirus, outdated filtering software, and that is malware-infested is, by definition, "out of control". Second, Amero was not on trial for abdicating her "responsibility to teach the students." This statement is completely irrelevant. Third, no evidence yet exists that Amero had anything to do with the illicit web sites or images, other than trying to get them off the computer screen and trying to prevent the students from seeing them.

Back to the juror, here is his conclusion:

Finally she was pronounced guilty because she made no effort to hide or stop the porno, not just because she loaded the porno onto the machine. Going to the history pages it was obvious that the paged [sic] were clicked on they were not the result of pop-ups.

Bass' comments: Actually, the defense expert at the trial testified that the sites visited were from pop-ups.

Each web page visited showed where links were clicked on and followed to other pages. Pop ups go to sites without change lnk colors, as in used links.

Bass' comments: That’s incorrect. Pop-ups show as a changed type color, just like a normal site visit.

These statements by the juror proves exactly why this trial was a miscarriage of justice. Anyone with any knowledge whatsoever of the internet and web browsers knows that these statements are patently false. Browser history pages cannot differentiate between URIs to which the browser navigates via a mouse click and those navigated via javascript (e.g. a pop-up window). Also, all links to cached (visited) URIs will show as "visited", regardless of whether the URI was cached in the browser history due to a mouse click on a link or a javascript (pop-up window) command.

That a woman was convicted of a felony and faces up to 40 years of jail time because of such flimsy and outright false evidence of her guilt is an egregious injustice. I cannot fathom how this verdict doesn't get overturned on appeal. This trial was a complete farce, and the juror who responded above proved himself entirely ignorant of such computer technology as would be required to assess the evidence in the case, and completely incompetent to act as a juror in the trial.

Having addressed the juror's response, let's turn to this response from Detective Mark Lounsbury, the crime prevention officer with the Norwich Police Department:

Dear Mr. Bass, Unfortunately the truth in this matter is yet to be told to all those who were not located in the courtroom during the trial. Those in the courtroom saw and heard the truth. Once sentencing is done the truth CAN BE presented to the world IF they want it. I'm thinking the world doesn't want to hear the truth. IGNORANCE IS BLISS. The lies are exciting, bringing up STRONG emotions. OMG, that poor person, victimized by the Evil Government and its minions.

It continues to amaze me how people can base their opinion on what is fed to them. Did anyone ask the Expert for the evidence he recovered which would support his claims? The "curlyhairstye script", those pornographic generated pop ups? BUNK also known as errors of commission. Would you like to know the truth? Once sentencing is over I'd be more than happy to let you see the source code, scripts, etc.

I've received allot [sic] of calls and emails regarding this. All from people interested only in TELLING me their opinions or TELLING me they're going to get me. Not once has anyone called or written me to ASK me a question. They apparently have what they want. I work hard every day for the victims of crime. I search for the truth not for me but for them. If what the newspaper reported about my testimony was my actual testimony, taken in context, don't you think there would have been some consequences, a rebuttal, something. Feel free to write if you wish.

With respect to Shakespeare, the detective protests too much, methinks. I find it highly ironic that he is apparently attempting to claim that he is the victim, when Julie Amero is the one facing 40 years in prison, because of his erroneous testimony. As for his testimony, rebuttal testimony by the defense's (bona fide) computer expert was not entered, because the prosecution blocked its admission; therefore, the detective's testimony was the only (so-called) "expert" testimony in the trial (to my knowledge).

Of course, Bass replied with several questions, and got this response:

Dear Mr. Bass, Once the sentencing phase for this case is done I can answer all your questions. I have all the information you seek. My opinion is not important but I am fleshing out a theory concerning site blocking software which was in place and how to circumvent it. I can provide you w/ the source code showing all the .htm and javascripting for each web page, images from those pages, date/time of creation, MD5 hashes, etc. I will contact you after sentencing. Thank you

While I am willing to reserve final judgment until all facts in the trial are revealed following the upcoming sentencing, I highly doubt that any salient facts will emerge that would change my opinion about the trial. Though, I'm extremely interested in Lounsbury's supposed "evidence" to support his testimony - evidence not yet publicly known.

I'm especially curious about the "theory" that he is fleshing out "concerning site blocking software...and how to circumvent it". I do hope that theory includes how a woman who was so computer-illiterate that she could barely read email and couldn't turn a computer on or off would implement such a site-blocking software circumvention. Do, tell, detective!

Other coverage: Nationwide awareness of Julie Amero injustice grows

Coverage of the Julie Amero Case:

Substitute Incrimination and Computer Injustice
Julie Amero Update

Substitute Incrimination and Computer Injustice

Filed in Social IssuesTags: Computers, Education, Internet, Technology

The other day I read this article on PC World about Julie Amero, a substitute teacher convicted for exposing students to pornographic material on the computer of the teacher for whom she was substituting. In summary:

The story is short: On October, 19, 2004, Amero was a substitute teacher for a seventh-grade language class at Kelly Middle School. A few students were crowded around a PC; some were giggling. She investigated and saw the kids looking at a barrage of graphic, hard-core pornographic pop-ups.

(Follow-up stories here, here, and here, with local newspaper coverage here, here, and here.) The prosecution alleged that Amero had used the computer to visit adult web sites, while the defense countered that the computer was already infested with various malware programs that caused the illicit pop-ups. The analysis of the case is drastically different, depending upon which story is true.

The prosecution alleged that Amero intentionally visited various adult web sites, but this report by the defense's expert computer witness refutes that claim. This expert was prepared to re-enact the events in the classroom with a clean laptop in the courtroom, but the prosecution objected to this defense, and the judge did not allow it. (And from the conclusion of the report, it appears that the judge also did not even allow the expert to present the results of his forensic examination of the computer.

This whole story appears to be a case of 1) the school using the substitute teacher as a scapegoat for its own failure to ensure the security of its students and its computer resources, and 2) the prosecutor, judge, and jury acting from a position of complete computer/internet illiteracy.

The computer in question was running Windows 98 and Internet Explorer 5, with no firewall, was infested with malware, and had outdated anti-virus signatures (according to an op-ed piece written by Alex Eckelberry). Thus, the first entity responsible for the incident is the school administration, for not having and/or following a procedure or policy for computer administration that would include ensuring that computers are protected against malware, and that antivirus signatures are maintained. In fact, the school admitted that their blacklist filter was not kept current during the time in question.

Also, school computers were allowed to be used for personal internet use, with only a blacklist filter in place. As this blog points out, this policy is a recipe for potential disaster, since blacklist filters that are not kept current are easily bypassed, and many malicious or illicit web sites intentionally use a practice called typosquatting (using typographic-error URLs in order to lure visitors who intend to go to one website but are instead directed somewhere else due to an incorrectly spelled URL - think "google" vs. "goggle").

The prosecution alleged two things: one, that Amero intentionally visited the web sites that served the illicit images, and two, that Amero did not prevent the students from continuing to see the images by immediately turning off the computer.

The forensic evidence (which was not allowed to be presented) clearly proved that the illicit images came to the computer through clicks on what was ostensibly a hair-style web site, and were of a size consistent with pop-up ads, not intentional image downloads. This evidence proves that the computer experienced what is known as a "pop-up storm" - something with which anyone who has used a computer with software older than Internet Explorer 6 running on Windows XP Service Pack 2 (or better) is experienced. Further - and worse - the police software used to examine the computer (ComputerCOP Pro) cannot differentiate between an explicit click and a script-generated window-open. The prosecution proved that the computer made a connection to an illicit web site, but had no means whatsoever, using the police software, to prove how the site was accessed.

Also, while some hold the assertion as fact), it does not appear that the prosecution proved (or even attempted to prove) that Amero herself, and not a student or students, was operating the computer at the time that the sites in question were visited. Given that the computers internet history cache shows that kid-centric websites such as crayola and hair-styling sites were visited, the prosecution's first argument appears to be unproven at best, and specious at worst.

The prosecution (and others) assert that Amero should have shut down the computer. This assertion makes some assumptions, namely that Amero was expert enough to know what was happening to the computer, and that Amero had the authority to remedy the situation by shutting down the computer. The prosecution proved neither. At the beginning of the day, the permanent class teacher logged onto the computer for Amero, giving explicit instructions not to log off from or shut off the computer. So, to shut down the computer - as the prosecution contended Amero should have done - would have been a direct violation of the teacher's instruction not to do so.

Also, when the incident occurred, Amero attempted to get rid of the popups by closing each popup window. Anyone with any experience with popup storms knows that this action will only invite further popup windows, usually at a rate beyond what is possible to keep up with. Amero, who is by no means a computer expert, did make a good-faith effort to get rid of the illicit images and to prevent the students from viewing them. She even asked for help from the school administration - help that, over the course of the school day, never came. So, the prosecution's second argument is an unproven claim based on an untrue assertion of the proper course of action in the incident.

In short, students - not Amero - were using the computer when the popup storm happened, the popups were generated by a script on a non-pornographic website, and Amero did try to prevent the students from viewing the images.

Worse than the prosecution's ridiculous case, is that nobody involved in the case (except the defense's expert, who was not allowed to present anything near his full testimony) has anything even resembling sufficient computer/internet literacy or expertise: the school board, the police, the prosecution, the defense attorney, the judge, the jury, or the defendant.

Perhaps I should exclude the school board; it is more likely that the board needed someone to take the fall for the incident, and chose Amero. Parents were outraged over their children being exposed to illicit images at school, and the board was forced to act. This action, of course, came after the vice principal initially told Amero not to worry at the end of the school day in question, when she went to the office for at least the second time that day, to report the incident. The first time she reported it, she was promised help, but nobody ever came to provide the promised help. If Amero's actions had been sufficiently criminal to warrant her arrest, why did the school not call the police at the time of the incident?

The police who investigated the case didn't even search for spyware on the computer, and the police investigator testified in the trial that an image coming from a given web site proves that someone had to intentionally go to that web site in order to see the image. This assertion is patently untrue. The defense's expert witness had evidence that the illicit images came first through a malware javascript link on ostensibly innocuous hair style web site. Both Amero and the students testified that the images were on popup windows, not a website proper.

Even to pursue this case proves the prosecution's lack of computer expertise. The defense attorney admitted to Alex Eckelberry that he had no computer expertise. This fact alone should be enough for an appeal - if not an outright mistrial. The judge upheld the prosecution's objection of perfectly reasonable defense testimony, was reportedly falling asleep during trial, and reportedly gave instructions to the jury for an expedited completion of the trial. The jury clearly had insufficient computer expertise, and were reportedly violating sequestering rules by discussing the case outside the courtroom. Amero's lack of computer expertise has already been addressed.

This case was a trial that should not have taken place, carried out by a judge, jury, and attorneys who should not have been involved, regarding a criminal charge that should not have been filed, against a completely innocent victim.

More commentary: ComputerWorld's Preston Gralla initially lauds the conviction. Alex Eckelberry refutes his opinion, after wich Gralla issues a mea culpa, and Eckelberry praises the change-of-opinion. Eckelberry also links to an AlterNet story about the case, as well as a Digg comment storm.

If you want to help, go to this website set up by Julie Amero's husband for information on the case and defense fund contributions.

Coverage of the Julie Amero Case:

Substitute Incrimination and Computer Injustice
Julie Amero Update

Windows Vista DRM

Filed in Social IssuesTags: Computers, DRM, Geekery, Technology, Windows

Leo Laporte and Steve Gibson have been having an interesting discussion about Windows Vista Digital Rights Management (DRM) in Episodes 73, 74, and 75 of their weekly SecurityNow podcast, including a conversation with Peter Gutmann, who wrote a white paper called "A Cost Analysis of Windows Vista Content Protection".

Today I noticed a GRC newsgroup post referencing a shashdot post discussing a Windows Vista Blog post discussing Gutmann's paper.

If you are considering an upgrade to Windows Vista, and are not familiar with what Microsoft is doing with respect to DRM in the new O/S, you probably want to take a look.

Sorry For The Delay

Filed in PersonalTags: Computers

My laptop hard drive failed Sunday morning. I'll get caught up on posts this evening. I owe y'all a couple OYB posts.

Oh, yeah... and Anna and I are done; for good. I won't be bothering to hide posts/pics this time, though; what's in the past, is past.

Fun With RSS

Filed in Web DevelopmentTags: Computers, Geekery, Internet

Just came across Local Weather RSS Feeds. Nifty.

Oh, I use Omea Reader. Lots of choices for RSS aggregators out there, but I like this one.