Technology

tech·nol·o·gy: the branch of knowledge that deals with the creation and use of technical means and their interrelation with life, society, and the environment. Posts in this category pertain to all things technology, including WordPress, computer/internet security, cryptography, digital rights management (DRM), among other things.

Beware Sears Spyware

Filed in Social Issues | Tags: Computers, Internet, Privacy, Technology

Slashdot posts about Sears installing spyware under the guise of the "My SHC Community" service. Instead of an innocuous service, users who agree to install the software get ComScore spyware, including a software proxy capable of tracking every transaction performed on the internet - from web sites visited, to login credentials, to emails.

More information from the CA Community Advisor Security Research Blog, which indicates that the spyware has been found on the sears.com and kmart.com websites.

If you see a pop-up window soliciting participation in "My SHC Community" do not pass go, do not collect $200, close the pop-up. Better yet, avoid doing business - if at all possible - with companies that would attempt to install spyware (especially companies that do so as deceptively as this).

Update: RIAA Still Completely Insane, Just Not Acting On It (Yet)

Filed in Social Issues | Tags: Computers, Copyright, Fair Use, Internet, Music, Technology

Yesterday I wrote about an RIAA lawsuit against someone solely for ripping legally purchased music CDs. Engadget posted an update that the lawsuit is not for ripping CDs, but rather is one of RIAA's garden-variety MP3 distribution lawsuits. A commenter on their previous post linked to the summary judgement that states as much.

While I pointed out in the previous post that the RIAA still states its belief that ripping CDs - even for personal use - is a copyright violation, they (thus far) have yet to make that argument in court. Here is a key statement from the brief (pg. 6, lines 11-20 - emphasis added):

Howell also objects to liability on the grounds that he owns compact discs (“CDs”) containing the disputed sound recordings and that he “translated” them to his computer for personal use. In support of this argument, Howell attached photographs of CDs and cases to his Response. However, the question is not whether Howell owned legitimate copies of some of the sound recordings on CD, but instead whether he distributed copies of the recordings without authorization. Howell’s right to use for personal enjoyment copyrighted works on CDs he purchased does not confer a right to distribute those works to others without Plaintiffs’ authorization. 17 U.S.C. § 106(3). As he admitted that the sound recordings were “being shared by [his] Kazaa account,” Howell is liable for distributing them in violation of the recording companies’ exclusive right.

That said, given the RIAA's rumblings, don't be surprised when they eventually sue someone merely for ripping legally purchased CDs.

I would also point out something that may prove to be the impetus for not only the downfall of the RIAA's war on consumers, but also for the application of current copyright law - and that is the application of current statutory damages for copyright infringement to MP3 distribution. Current law allows for damages from $750 to $30,000+ per infringed work.

Given that the going rate for an MP3 is on the order of $1 per song, awarding a statutory damage of even the minimum $750 per song is absolutely outrageous - especially considering that the lawsuit is a case of distribution-by-making-available claim. Here, the RIAA made no effort to prove any actual distribution, but only that the defendant violated laws against distribution of copyrighted work merely by making it available in a publicly accessible, "shared" folder.

Clearly, the RIAA here cannot show anything close to $750 per song in actual damages - and even if the award is considered punitive rather than statutory, the punishment far outweighs the crime. The RIAA's continual pursuit of these statutory damage awards will not only result in a consumer revolt, but may actually lead to public outcry for a revision of the copyright law in question.

Of course, music labels - and thus, the RIAA - are on the verge of going the way of the dinosaur. More artists will produce and distribute their works independently, cutting out the middlemen represented by the RIAA.

IMO, it can't happen soon enough.

RIAA Officially Gives Paying Customers the Middle Finger

Filed in Social Issues | Tags: Computers, Copyright, Fair Use, Music, Technology

Engadget links to a report that the RIAA is suing someone not for distributing digital copies of music, but for making personal digital copies of legally purchased CDs. Some of the quotes from the RIAA and their lawyers are amazing:

"If you make unauthorized copies of copyrighted music recordings, you're stealing. You're breaking the law and you could be held legally liable for thousands of dollars in damages."

At the Thomas trial in Minnesota, Sony BMG's chief of litigation, Jennifer Pariser, testified that "when an individual makes a copy of a song for himself, I suppose we can say he stole a song." Copying a song you bought is "a nice way of saying 'steals just one copy,' " she said.

Like the defendant in this absurd lawsuit, I am confident that the courts will uphold what is clearly a fair use of copyrighted work. The RIAA will rue the day that they brought this lawsuit - not only for their legal defeat, but also for the public relations nightmare that the suit will become.

Note that this is not the first time the RIAA has made this argument. Of course, the last time it did so, it directly contradicted its own testimony before the U.S. Supreme court, in which RIAA lawyers stated:

"The record companies, my clients, have said, for some time now, and it's been on their website for some time now, that it's perfectly lawful to take a CD that you've purchased, upload it onto your computer, put it onto your iPod."

Fair-use resources: EFF, Chilling Effects, Stanford Law

Facebook, Beacon, and Privacy Rights

Filed in Social Issues | Tags: Internet, Privacy, Technology

Recently, social networking site Facebook has undergone intense scrutiny and backlash for the implementation of its third-party advertising system called Beacon.

For those unaware of the Beacon application, here's a brief primer. Beacon is a JavaScript application used by third-party web sites (such as epicurious, travelocity, blockbuster, etc.) in conjunction with Facebook. The third-party website implements JavaScript code that sends certain data to Facebook. These data may include movies rented at Blockbuster, recipes searched at epicurious, or travel plans booked on travelocity. The websites send these data to Facebook, and if the user of the third-party website can be identified as a Facebook user, the data are published in that user's update feed.

Without re-hashing the explanations given elsewhere, see here for more technical details of the application. Others have listed the third-party websites that have implemented Beacon.

You may be asking yourself why you should care; well, here's why: these third-party websites are sending your personally identifiable user data to Facebook - whether or not you are a Facebook member (as is demonstrated by the previous link explaining the technical details).

It appears that much of the scrutiny has been on Facebook's implementation of the application, and the site's publishing of user-identifiable data. That scrutiny was much-deserved, and Facebook has made significant changes both to the implementation of Beacon and to their privacy policy. In fact, Facebook users can now opt-out of the application entirely - at least on the Facebook side.

However, it appears to me that a lot of heat has been placed on Facebook, and not enough on the third-party websites. While it is somewhat more comforting to know that Facebook will not publish user-identifiable information without my approval, the fact remains that all those data are still sent from the third-party websites to Facebook. If those data are tied to a user who has opted out of the application, Facebook has simply indicated that it will discard, not save, and not publish those data.

While I think Facebook has handled the implementation of Beacon poorly, I have a far greater problem with the third-party websites, which have implemented the Beacon application without any notice to or prior approval from their users. (In fact, one lawyer has speculated that Blockbuster is in clear violation of a law that prohibits the release of movie rental data.)

Facebook would certainly be in the wrong for publishing such data without user permission; however, the third-party websites that gather and send those data to Facebook have committed a far more egregious wrong. Sending to a third party data about my purchases and other activities without my permission has to be a clear violation of any worthwhile privacy policy.

Personally, I don't have a problem with the Beacon application; I only oppose its current implementation. Websites should be free to implement the application, but it should be done openly, and in an opt-in manner. If BrandNameWebsite wants to implement Beacon, and send data about my purchases to Facebook, it should give prior notice to its users, update its privacy policy, and require users to opt-in to having their data collected and sent.

Fortunately, you have options to control your experience with the Beacon application. As mentioned previously, you can opt-out entirely on the Facebook side. You can also use various browser plug-ins to notify you of websites using the Beacon application and to block the application altogether. (Websites that use the application put a few lines of JavaScript code into their website. That code makes a remote call to a known directory on the Facebook website. The plugins work by detecting and/or blocking the URL for the JavaScript code on the Facebook website.)
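How a blocking plug-in of the kind described above can decide what to stop, as an added example (not code from any actual plug-in or from Facebook): every request a page makes is compared against a rule naming the tracker's host and script directory. The host `social.example`, the `/beacon/` directory and the sample requests are constructed placeholders, since the post does not give the real URL.

```javascript
// Added illustration: URL-rule matching as a notify/block plug-in might do it.
// BLOCK_RULES and the sample requests below are constructed placeholders.
const BLOCK_RULES = [
  { host: "social.example", pathPrefix: "/beacon/" },
];

// True when `host` is the rule host itself or one of its subdomains.
// The leading dot stops "notsocial.example" from matching "social.example".
function hostMatches(host, ruleHost) {
  return host === ruleHost || host.endsWith("." + ruleHost);
}

// Decide what to do with one request made while `pageUrl` is loaded.
function classifyRequest(pageUrl, requestUrl) {
  let page, req;
  try {
    page = new URL(pageUrl);
    req = new URL(requestUrl, pageUrl); // resolves relative URLs, removes "../"
  } catch (e) {
    return { action: "allow", reason: "unparseable URL" };
  }
  if (req.protocol !== "http:" && req.protocol !== "https:") {
    return { action: "allow", reason: "not a web request" };
  }
  for (const rule of BLOCK_RULES) {
    if (!hostMatches(req.hostname, rule.host)) continue;
    if (!req.pathname.startsWith(rule.pathPrefix)) continue;
    // The tracker's own pages loading their own script is first-party traffic.
    if (hostMatches(page.hostname, rule.host)) {
      return { action: "allow", reason: "first-party" };
    }
    return { action: "block", reason: rule.host + rule.pathPrefix };
  }
  return { action: "allow", reason: "no rule matched" };
}

// The URLs a plug-in would report (and refuse to load) for one page view.
function blockedRequests(pageUrl, requestUrls) {
  return requestUrls.filter(
    (u) => classifyRequest(pageUrl, u).action === "block"
  );
}

// Constructed sample: a shop page and the requests it triggers.
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_REQUESTS = [
  "/static/app.js",                                  // the shop's own script
  "https://www.social.example/beacon/beacon.js",     // tracker script include
  "https://social.example/x/../beacon/send?item=42", // same directory, obfuscated path
  "https://social.example/profile.js",               // same host, other directory
  "https://notsocial.example/beacon/beacon.js",      // look-alike host, not covered
];

console.log(blockedRequests(SAMPLE_PAGE, SAMPLE_REQUESTS));
```

Blocking at the browser stops the remote call from being made at all, which is the only control the visitor has when the third-party site offers no opt-in of its own.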

A Little Insight Into My Job

Filed in Personal | Tags: Missouri, Saint Louis, Technology

I am often asked what my job - validation - entails, which is somewhat difficult to explain to anyone not familiar with FDA-regulated industry.

Well, perhaps this AutomationWorld magazine article will help enlighten just a little bit, at least with respect to one aspect of my job. The article interviews and profiles yours truly, with regard to my (and my company's) use of wireless technologies for environmental monitoring and testing:

KV Pharmaceutical is turning to wireless mesh networking technology as a way to save money, while reliably meeting regulatory requirements for temperature and humidity monitoring.

As a manufacturer of generic and branded drugs using proprietary drug delivery systems such as time-release and site-release processes, St. Louis-based KV Pharmaceutical Co. is subject to plenty of federal regulation.

“Being in a regulated industry, we’re required to do environmental monitoring for temperature, relative humidity and that kind of thing. We’re required to monitor those things and record them, so that we can present those data to the FDA (Food and Drug Administration) if requested,” notes Chip Bennett, validation specialist at the company.

Read the rest, if you're interested. Enjoy!

Julie Amero Update

Filed in Social Issues | Tags: Computers, Education, Internet, Technology

An update on the miscarriage of justice in the Julie Amero case, about which I previously wrote:

PC World's Steve Bass reports on responses he received from both a juror in the trial, and also from the detective in the case against Julie Amero. Both responses only further prove the gross injustice in Amero's arrest, trial, and conviction.

First, the juror. Bass does a decent job fisking the juror's email, and the comment thread further rebuts the juror. Here are the words of the anonymous juror, who identifies himself only as ConnYankee1951 [Bass' comments interspersed]:

I was on the jury and yes we did find her guilty.

But everything seems to be misquoted by the papers and reporters envolved [sic]. The bottom line was that it didn't make a difference who or how the porn sites showed up on the computer.

The fact that a teacher in a public scol [sic] system did absolutly [sic] nothing to keep it away from the children is what was wrong. Yes we were told that she was given no permissions to turn off the computer, she also said she was not allowed to use any other school equipment.

Bass' comments: According to the trial transcript, Amero testified that she made every attempt to keep the children from seeing the images. In fact, a number of children at the trial testified that she had attempted to block them from seeing the screen. Also, another substitute teacher testified that Julie had asked for help in the teachers lounge.

If a 40 year old school teacher does not have the sense to turn off or is not smart enough to figure it out, would you or any other person wanting her teaching your child or grandchild?

Bass' comments: At the trial Amero testified that she didn’t, in fact, know how to turn a computer on or off.

The juror states: "The bottom line was that it didn't make a difference who or how the porn sites showed up on the computer." Curious statement, that. Let's explore it in more depth, shall we?

First, we need to understand the statute of which Amero was convicted. The germane clause in the statute is as follows:

(a) Any person who (1) wilfully or unlawfully causes or permits any child under the age of sixteen years to be placed in such a situation that the life or limb of such child is endangered, the health of such child is likely to be injured or the morals of such child are likely to be impaired, or does any act likely to impair the health or morals of any such child

The previously linked blog also quotes the jury instruction that accompanies the "risk of injury to a minor" charge:

To find the defendant guilty of wilfully or unlawfully causing or permitting any child under sixteen years to be placed in such a situation that the life or limb of such child is endangered, the health of such child is likely to be injured or the morals of such child are likely to be impaired, the state must prove the following elements beyond a reasonable doubt: (1) that at the time of the incident, the alleged victim was under the age of sixteen years; and (2) that the defendant wilfully or unlawfully caused or permitted the victim to be placed in a situation that endangered the child's life or limb, or was likely to injure his health or impair his morals.

The conduct to be punished must involve a child under the age of sixteen years. The statute also requires wilfulness or unlawfulness in causing or permitting the child to be placed in a situation that his life or limb is endangered, or his health is likely to be injured, or his morals are likely to be impaired. This is the conduct of a person that is deliberately indifferent to, acquiesces in, or creates a situation inimical to the child's moral or physical welfare.

''Wilfully'' means intentionally or deliberately. ''Unlawfully'' means without legal right or justification. Causing or permitting a situation to arise within the meaning of this statute requires conduct on the part of the defendant that brings about or permits that situation to arise when the defendant had such control or right of control over the child that the defendant might have reasonably prevented it.

I am not a lawyer, nor do I play one on TV (nor on my blog). However, the statute and jury instruction seem pretty clear to any reasonably intelligent reader. The entire case rests upon the prosecution's ability to fulfill the burden of proof "that the defendant wilfully or unlawfully caused or permitted the victim to be placed in a situation that endangered the child's life or limb, or was likely to injure his health or impair his morals."

In order for conviction, the prosecution must have proved that Amero 1) intentionally navigated to the illicit web sites in question, and/or 2) did not prevent the students from viewing the illicit images in question. Thus, the juror's statement that the manner in which the images appeared on the computer did not ultimately matter is demonstrably incorrect.

According to both the juror's own statements (following below) and known facts surrounding the trial, the prosecution based their case around - and the jury convicted upon - in part the former allegation. That Amero allegedly navigated to the web sites in question appears to have been a key point in demonstrating her intent (or mens rea). Proving this allegation is critical to proving that Amero was responsible for willfully or unlawfully placing the students in a situation that would impair their morals. The prosecution clearly made the case (and the jury apparently believed) that Amero intentionally navigated to the illicit web sites. If the prosecution's case rested merely on the latter allegation, then the questions of browser history, pop-ups, javascripts, and links would never have arisen, as they would not have mattered.

I will address the allegation itself below, with the juror's comments concerning the prosecution's evidence attempting to prove it.

Back to the juror:

If you and your wife were watching an xxx rated movie the you put into the dvd player, you powered it up and you hit play, then went into the other room for a snack and your child or grandchild entered the room would you expect your wife to stop the dvd or just let it play because she didn't start it. No you would be upset as all get out.

Even giving Julie the benefit of doubt, not knowing enough about a computer to be able to turn it off. Some paper and tape would have covered the screen or a coat or sweater, it was October after all.

First, the juror's analogy does not apply; the premise is entirely different. That said, let's explore his argument: illicit material was on display on the computer's monitor, and Amero did not take appropriate action to prevent the students from viewing it.

If we ignore the former allegation (that Amero created the situation by navigating to the illicit web sites), then no basis exists to claim that Amero's actions were willful or deliberate. Thus, in order to prove that Amero was guilty of "conduct of a person that is deliberately indifferent to, acquiesces in, or creates a situation inimical to the child's moral or physical welfare", the prosecution had to prove that her actions were unlawful. In other words, the prosecution had to prove that Amero, without legal right or justification, permitted a "situation to arise when the defendant had such control or right of control over the child that the defendant might have reasonably prevented it."

First, the prosecution had to prove that Amero had no legal right or justification for her actions. Second, the prosecution had to prove that Amero did not exercise rightful control over the children to prevent the situation.

On the first point, even the juror conceded that Amero had potential legal justification for her actions: her lack of expertise with computers, and her instruction not to turn off the computer. Again, I am no lawyer, but I question the legal precedent of the "paper and tape or sweater or coat" argument with respect to what Amero could have done and what she was legally compelled to have done. Let us recap Amero's actions in response to the situation:

  • Amero attempted to block students' view of the screen, and to push students' faces away from the monitor.
  • Amero attempted to close the pop-up windows that were displaying the illicit images.
  • Amero sought out assistance from another teacher (and was refused help).

Amero clearly and demonstrably attempted to resolve the situation. To claim that Amero was criminally responsible for the situation, as defined by the statute in question, because she did not think to resolve the situation by the entirely arbitrary means of "paper and scissors", "a sweater", or "a coat" seems to me to be incredibly specious.

On the second point, it appears that the prosecution attempted to prove that Amero did not exercise rightful control over the computer - but according to the statute, the burden of proof exists to demonstrate that the defendant did not exercise rightful control over the students. According to the statutes, what Amero did with respect to the computer has, at best, only indirect relevance to what Amero did with respect to the children in exercising her rightful control over the children in order to prevent the situation.

In other words, it is mostly irrelevant that Amero didn't unplug or turn off the computer, or cover the monitor, because such actions do not represent exercise or failure in exercise of rightful control over the students. To the contrary, Amero's actions demonstrated that she made a reasonable effort to exercise her rightful control over the students (see the list above). Further, note that, as a substitute teacher, Amero had considerably less "rightful control" over the students than a regular teacher would have had.

Speaking of "rightful control" over the students, why was the school's IT administrator not held accountable on the same charge? We know that the computer's web-site filtering software was out-of-date at the time the incident occurred. Clearly, the IT administrator was negligent in exercising his rightful control over the students, by allowing the filtering software to become outdated, thus allowing school computers to be used to navigate to illicit web sites. Also, the IT administrator did not maintain the security robustness of the school's computers: the computer had no firewall, its antivirus software was outdated, and the computer was infested with various forms of malware. This negligence is undoubtedly more egregious than anything Julie Amero did or could have done on the morning in question.

On this point, the school board continues to give the appearance of using Amero as a scapegoat for the school's own negligence. Commenting on the trial, current Norwich superintendent Pam Aubin has said, "this wasn't a computer out of control. People are complicating this too much. [Amero] had a responsibility to teach the students. That didn't happen." This blog post also quotes the superintendent at the time of the incident:

Michael J. Frechette, the Norwich superintendent at the time of Amero's arrest, said this was simply a teacher with pornography. "We were just reacting to the facts."

Clearly, either the school administration didn't know "the facts", or else they know the facts and are choosing to deny them. First, a computer openly exposed to the internet, with no firewall, outdated antivirus, outdated filtering software, and that is malware-infested is, by definition, "out of control". Second, Amero was not on trial for abdicating her "responsibility to teach the students." This statement is completely irrelevant. Third, no evidence yet exists that Amero had anything to do with the illicit web sites or images, other than trying to get them off the computer screen and trying to prevent the students from seeing them.

Back to the juror, here is his conclusion:

Finally she was pronounced guilty because she made no effort to hide or stop the porno, not just because she loaded the porno onto the machine. Going to the history pages it was obvious that the paged [sic] were clicked on they were not the result of pop-ups.

Bass' comments: Actually, the defense expert at the trial testified that the sites visited were from pop-ups.

Each web page visited showed where links were clicked on and followed to other pages. Pop ups go to sites without change lnk colors, as in used links.

Bass' comments: That’s incorrect. Pop-ups show as a changed type color, just like a normal site visit.

These statements by the juror prove exactly why this trial was a miscarriage of justice. Anyone with any knowledge whatsoever of the internet and web browsers knows that these statements are patently false. Browser history pages cannot differentiate between URIs to which the browser navigates via a mouse click and those navigated via JavaScript (e.g. a pop-up window). Also, all links to cached (visited) URIs will show as "visited", regardless of whether the URI was cached in the browser history due to a mouse click on a link or a JavaScript (pop-up window) command.

That a woman was convicted of a felony and faces up to 40 years of jail time because of such flimsy and outright false evidence of her guilt is an egregious injustice. I cannot fathom how this verdict doesn't get overturned on appeal. This trial was a complete farce, and the juror who responded above proved himself entirely ignorant of such computer technology as would be required to assess the evidence in the case, and completely incompetent to act as a juror in the trial.

Having addressed the juror's response, let's turn to this response from Detective Mark Lounsbury, the crime prevention officer with the Norwich Police Department:

Dear Mr. Bass, Unfortunately the truth in this matter is yet to be told to all those who were not located in the courtroom during the trial. Those in the courtroom saw and heard the truth. Once sentencing is done the truth CAN BE presented to the world IF they want it. I'm thinking the world doesn't want to hear the truth. IGNORANCE IS BLISS. The lies are exciting, bringing up STRONG emotions. OMG, that poor person, victimized by the Evil Government and its minions.

It continues to amaze me how people can base their opinion on what is fed to them. Did anyone ask the Expert for the evidence he recovered which would support his claims? The "curlyhairstye script", those pornographic googlesyndication.com generated pop ups? BUNK also known as errors of commission. Would you like to know the truth? Once sentencing is over I'd be more than happy to let you see the source code, scripts, etc.

I've received allot [sic] of calls and emails regarding this. All from people interested only in TELLING me their opinions or TELLING me they're going to get me. Not once has anyone called or written me to ASK me a question. They apparently have what they want. I work hard every day for the victims of crime. I search for the truth not for me but for them. If what the newspaper reported about my testimony was my actual testimony, taken in context, don't you think there would have been some consequences, a rebuttal, something. Feel free to write if you wish.

With respect to Shakespeare, the detective protests too much, methinks. I find it highly ironic that he is apparently attempting to claim that he is the victim, when Julie Amero is the one facing 40 years in prison, because of his erroneous testimony. As for his testimony, rebuttal testimony by the defense's (bona fide) computer expert was not entered, because the prosecution blocked its admission; therefore, the detective's testimony was the only (so-called) "expert" testimony in the trial (to my knowledge).

Of course, Bass replied with several questions, and got this response:

Dear Mr. Bass, Once the sentencing phase for this case is done I can answer all your questions. I have all the information you seek. My opinion is not important but I am fleshing out a theory concerning site blocking software which was in place and how to circumvent it. I can provide you w/ the source code showing all the .htm and javascripting for each web page, images from those pages, date/time of creation, MD5 hashes, etc. I will contact you after sentencing. Thank you

While I am willing to reserve final judgment until all facts in the trial are revealed following the upcoming sentencing, I highly doubt that any salient facts will emerge that would change my opinion about the trial. Though, I'm extremely interested in Lounsbury's supposed "evidence" to support his testimony - evidence not yet publicly known.

I'm especially curious about the "theory" that he is fleshing out "concerning site blocking software...and how to circumvent it". I do hope that theory includes how a woman who was so computer-illiterate that she could barely read email and couldn't turn a computer on or off would implement such a site-blocking software circumvention. Do tell, detective!

Other coverage: Nationwide awareness of Julie Amero injustice grows

Coverage of the Julie Amero Case:

Substitute Incrimination and Computer Injustice
Julie Amero Update

Daylight Saving Time: the 2007 Y2K

Filed in Miscellaneous | Tags: Geekery, Technology

As far as tech nightmares go, this one might be worse than Y2K.

The US Congress changed the rules for Daylight Saving Time, starting in 2007. This year, rather than spring forward the first Sunday of April and fall back the last Sunday in October, DST will begin on the second Sunday of March, and end the first Sunday of November.

Growing up in the then-non-DST-observing Indiana, I still find the whole DST process foreign enough that I don't have a set routine. So for me, I make the change when I'm told, and move on. However, many of today's advanced consumer electronics have programmed algorithms for DST - and reprogramming these devices might be impossible, potentially requiring manual changes four times a year. Worse, as with Y2K, legacy computer systems and software may not account for the new changes properly, leading to potential - and unknown - consequences.
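The rule change above worked through for any year, as an added example (not from the original post): it computes the start and end dates under the old and new US rules and reports the days on which a device still running the old rule shows a clock one hour off. The function names are my own, and dates are handled as UTC calendar days (ignoring the 2 a.m. switch time) so the result does not depend on the machine's time zone.

```javascript
// Added illustration: old vs. new US DST rules as described in the post.
const DAY_MS = 24 * 60 * 60 * 1000;
const SUNDAY = 0;

// UTC-midnight Date of the nth `weekday` in `month` (0 = January).
// n = -1 means the last such weekday of the month.
function nthWeekday(year, month, weekday, n) {
  if (n > 0) {
    const first = new Date(Date.UTC(year, month, 1));
    const offset = (weekday - first.getUTCDay() + 7) % 7;
    return new Date(Date.UTC(year, month, 1 + offset + 7 * (n - 1)));
  }
  const last = new Date(Date.UTC(year, month + 1, 0)); // day 0 = last day of `month`
  const back = (last.getUTCDay() - weekday + 7) % 7;
  return new Date(Date.UTC(year, month, last.getUTCDate() - back));
}

const DST_RULES = {
  // First Sunday of April to last Sunday of October.
  pre2007: (y) => ({
    start: nthWeekday(y, 3, SUNDAY, 1),
    end: nthWeekday(y, 9, SUNDAY, -1),
  }),
  // Second Sunday of March to first Sunday of November.
  from2007: (y) => ({
    start: nthWeekday(y, 2, SUNDAY, 2),
    end: nthWeekday(y, 10, SUNDAY, 1),
  }),
};

const isoDay = (d) => d.toISOString().slice(0, 10);

// The two stretches of the year in which the rules disagree.
function mismatchWindows(year) {
  const oldRule = DST_RULES.pre2007(year);
  const newRule = DST_RULES.from2007(year);
  return [
    {
      from: isoDay(newRule.start),
      until: isoDay(oldRule.start),
      days: (oldRule.start - newRule.start) / DAY_MS,
    },
    {
      from: isoDay(oldRule.end),
      until: isoDay(newRule.end),
      days: (newRule.end - oldRule.end) / DAY_MS,
    },
  ];
}

// Hours by which an un-updated device's clock is off on a given calendar day:
// -1 means it is an hour behind real local time, 0 means it agrees.
function legacyClockErrorHours(year, month, day) {
  const t = Date.UTC(year, month - 1, day);
  const inDst = (r) => t >= r.start.getTime() && t < r.end.getTime();
  return (
    Number(inDst(DST_RULES.pre2007(year))) -
    Number(inDst(DST_RULES.from2007(year)))
  );
}

console.log(mismatchWindows(2007));
```

Timestamps recorded by un-updated systems during those windows are an hour off, which matters whenever logs from different machines have to be lined up.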

Microsoft has established a help center to deal with the change as it impacts their products.

Substitute Incrimination and Computer Injustice

Filed in Social Issues | Tags: Computers, Education, Internet, Technology

The other day I read this article on PC World about Julie Amero, a substitute teacher convicted for exposing students to pornographic material on the computer of the teacher for whom she was substituting. In summary:

The story is short: On October 19, 2004, Amero was a substitute teacher for a seventh-grade language class at Kelly Middle School. A few students were crowded around a PC; some were giggling. She investigated and saw the kids looking at a barrage of graphic, hard-core pornographic pop-ups.

(Follow-up stories here, here, and here, with local newspaper coverage here, here, and here.) The prosecution alleged that Amero had used the computer to visit adult web sites, while the defense countered that the computer was already infested with various malware programs that caused the illicit pop-ups. The analysis of the case is drastically different, depending upon which story is true.

The prosecution alleged that Amero intentionally visited various adult web sites, but this report by the defense's expert computer witness refutes that claim. This expert was prepared to re-enact the events in the classroom with a clean laptop in the courtroom, but the prosecution objected to this defense, and the judge did not allow it. (And from the conclusion of the report, it appears that the judge also did not even allow the expert to present the results of his forensic examination of the computer.)

This whole story appears to be a case of 1) the school using the substitute teacher as a scapegoat for its own failure to ensure the security of its students and its computer resources, and 2) the prosecutor, judge, and jury acting from a position of complete computer/internet illiteracy.

The computer in question was running Windows 98 and Internet Explorer 5, with no firewall, was infested with malware, and had outdated anti-virus signatures (according to an op-ed piece written by Alex Eckelberry). Thus, the first entity responsible for the incident is the school administration, for not having and/or following a procedure or policy for computer administration that would include ensuring that computers are protected against malware, and that antivirus signatures are maintained. In fact, the school admitted that their blacklist filter was not kept current during the time in question.

Also, school computers were allowed to be used for personal internet use, with only a blacklist filter in place. As this blog points out, this policy is a recipe for potential disaster, since blacklist filters that are not kept current are easily bypassed, and many malicious or illicit web sites intentionally use a practice called typosquatting (using typographic-error URLs in order to lure visitors who intend to go to one website but are instead directed somewhere else due to an incorrectly spelled URL - think "google" vs. "goggle").
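The gap described above, shown as an added example (not code from any filter product or from the case): a blacklist-only policy passes any host it has never heard of, while a near-miss check against the sites users intend to visit flags the typo domain. The lists, function names and distance threshold are assumptions made for illustration.

```python
# Constructed sample lists; none of these values come from the case.
STALE_BLACKLIST = {"known-bad.example"}          # filter contents, never updated
INTENDED_SITES = ["google.com", "crayola.com"]   # sites users mean to visit

def normalize(host):
    """Lower-case a hostname and drop a trailing dot and leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def blacklist_allows(host):
    """Blacklist-only policy: anything not on the list is let through."""
    return normalize(host) not in STALE_BLACKLIST

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent) turning a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition ("googel" for "google") counts as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(host, max_distance=1):
    """Return the intended site this host is a near-miss of, else None."""
    host = normalize(host)
    if host in INTENDED_SITES:
        return None  # exact match is the real site, not a lookalike
    for site in INTENDED_SITES:
        if edit_distance(host, site) <= max_distance:
            return site
    return None

if __name__ == "__main__":
    for h in ["google.com", "goggle.com", "www.googel.com", "known-bad.example"]:
        print(h, "allowed" if blacklist_allows(h) else "blocked", lookalike_of(h))
```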

The prosecution alleged two things: one, that Amero intentionally visited the web sites that served the illicit images, and two, that Amero did not prevent the students from continuing to see the images by immediately turning off the computer.

The forensic evidence (which was not allowed to be presented) clearly proved that the illicit images came to the computer through clicks on what was ostensibly a hair-style web site, and were of a size consistent with pop-up ads, not intentional image downloads. This evidence proves that the computer experienced what is known as a "pop-up storm" - something familiar to anyone who has used a computer with software older than Internet Explorer 6 running on Windows XP Service Pack 2 (or better). Further - and worse - the police software used to examine the computer (ComputerCOP Pro) cannot differentiate between an explicit click and a script-generated window-open. The prosecution proved that the computer made a connection to an illicit web site, but had no means whatsoever, using the police software, to prove how the site was accessed.
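A record of URL and time alone does not say how a page was opened, so timing is one of the few signals left. As an added illustration (not the defense expert's method and not the logic of any forensic tool), this sketch flags runs of page loads that arrive faster than a person plausibly clicks; the record layout, hostnames and thresholds are assumptions.

```python
from datetime import datetime
from urllib.parse import urlsplit

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed browser-history records (timestamp, URL); not data from the case.
HISTORY = [
    ("2000-01-01 09:00:05", "http://kids-crafts.example/"),
    ("2000-01-01 09:03:40", "http://hair-styles.example/"),
    ("2000-01-01 09:04:15", "http://hair-styles.example/gallery"),
    ("2000-01-01 09:04:16", "http://ads-a.example/p1"),
    ("2000-01-01 09:04:16", "http://ads-b.example/p2"),
    ("2000-01-01 09:04:17", "http://ads-a.example/p3"),
    ("2000-01-01 09:04:18", "http://ads-c.example/p4"),
    ("2000-01-01 09:04:19", "http://ads-b.example/p5"),
    ("2000-01-01 09:06:30", "http://kids-crafts.example/colors"),
]

def summarize(run):
    """Describe one run of closely spaced page loads."""
    hosts = sorted({urlsplit(url).hostname for _, url in run})
    return {"start": run[0][0].strftime(FMT), "end": run[-1][0].strftime(FMT),
            "events": len(run), "hosts": hosts}

def find_bursts(records, max_gap_s=2.0, min_events=4):
    """Group loads separated by at most max_gap_s seconds; keep the large groups.

    Assumed heuristic: a run of min_events or more loads with sub-2-second
    gaps is more consistent with script-opened windows than with typing or
    clicking. It is an indicator for an examiner to follow up, not proof.
    """
    events = sorted((datetime.strptime(ts, FMT), url) for ts, url in records)
    bursts, run = [], []
    for when, url in events:
        if run and (when - run[-1][0]).total_seconds() > max_gap_s:
            if len(run) >= min_events:
                bursts.append(summarize(run))
            run = []
        run.append((when, url))
    if len(run) >= min_events:
        bursts.append(summarize(run))
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(HISTORY):
        print(burst)
```

The single burst found in the sample begins with the gallery page load, which is the kind of lead that points an examiner at the page whose script opened the windows.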

Also, while some hold the assertion as fact, it does not appear that the prosecution proved (or even attempted to prove) that Amero herself, and not a student or students, was operating the computer at the time that the sites in question were visited. Given that the computer's internet history cache shows that kid-centric websites such as Crayola and hair-styling sites were visited, the prosecution's first argument appears to be unproven at best, and specious at worst.

The prosecution (and others) assert that Amero should have shut down the computer. This assertion makes some assumptions, namely that Amero was expert enough to know what was happening to the computer, and that Amero had the authority to remedy the situation by shutting down the computer. The prosecution proved neither. At the beginning of the day, the permanent class teacher logged onto the computer for Amero, giving explicit instructions not to log off from or shut off the computer. So, to shut down the computer - as the prosecution contended Amero should have done - would have been a direct violation of the teacher's instruction not to do so.

Also, when the incident occurred, Amero attempted to get rid of the popups by closing each popup window. Anyone with any experience with popup storms knows that this action will only invite further popup windows, usually at a rate beyond what is possible to keep up with. Amero, who is by no means a computer expert, did make a good-faith effort to get rid of the illicit images and to prevent the students from viewing them. She even asked for help from the school administration - help that, over the course of the school day, never came. So, the prosecution's second argument is an unproven claim based on an untrue assertion of the proper course of action in the incident.

In short, students - not Amero - were using the computer when the popup storm happened, the popups were generated by a script on a non-pornographic website, and Amero did try to prevent the students from viewing the images.

Worse than the prosecution's ridiculous case is that nobody involved in the case (except the defense's expert, who was not allowed to present anything near his full testimony) has anything even resembling sufficient computer/internet literacy or expertise: the school board, the police, the prosecution, the defense attorney, the judge, the jury, or the defendant.

Perhaps I should exclude the school board; it is more likely that the board needed someone to take the fall for the incident, and chose Amero. Parents were outraged over their children being exposed to illicit images at school, and the board was forced to act. This action, of course, came after the vice principal initially told Amero not to worry at the end of the school day in question, when she went to the office for at least the second time that day, to report the incident. The first time she reported it, she was promised help, but nobody ever came to provide the promised help. If Amero's actions had been sufficiently criminal to warrant her arrest, why did the school not call the police at the time of the incident?

The police who investigated the case didn't even search for spyware on the computer, and the police investigator testified in the trial that an image coming from a given web site proves that someone had to intentionally go to that web site in order to see the image. This assertion is patently untrue. The defense's expert witness had evidence that the illicit images came first through a malware JavaScript link on an ostensibly innocuous hair-style web site. Both Amero and the students testified that the images were on popup windows, not a website proper.

Even to pursue this case proves the prosecution's lack of computer expertise. The defense attorney admitted to Alex Eckelberry that he had no computer expertise. This fact alone should be enough for an appeal - if not an outright mistrial. The judge upheld the prosecution's objection to perfectly reasonable defense testimony, was reportedly falling asleep during trial, and reportedly gave instructions to the jury for an expedited completion of the trial. The jury clearly had insufficient computer expertise, and were reportedly violating sequestering rules by discussing the case outside the courtroom. Amero's lack of computer expertise has already been addressed.

This case was a trial that should not have taken place, carried out by a judge, jury, and attorneys who should not have been involved, regarding a criminal charge that should not have been filed, against a completely innocent victim.

More commentary: ComputerWorld's Preston Gralla initially lauds the conviction. Alex Eckelberry refutes his opinion, after which Gralla issues a mea culpa, and Eckelberry praises the change-of-opinion. Eckelberry also links to an AlterNet story about the case, as well as a Digg comment storm.

If you want to help, go to this website set up by Julie Amero's husband for information on the case and defense fund contributions.

Coverage of the Julie Amero Case:

Substitute Incrimination and Computer Injustice
Julie Amero Update

Windows Vista DRM

Filed in Social Issues. Tags: Computers, DRM, Geekery, Technology, Windows

Leo Laporte and Steve Gibson have been having an interesting discussion about Windows Vista Digital Rights Management (DRM) in Episodes 73, 74, and 75 of their weekly SecurityNow podcast, including a conversation with Peter Gutmann, who wrote a white paper called "A Cost Analysis of Windows Vista Content Protection".

Today I noticed a GRC newsgroup post referencing a Slashdot post discussing a Windows Vista Blog post discussing Gutmann's paper.

If you are considering an upgrade to Windows Vista, and are not familiar with what Microsoft is doing with respect to DRM in the new O/S, you probably want to take a look.