Saturday, January 27, 2007

Connecticut's Pursuit of Folly

Fox News just did a live report on the Julie Amero story and they did an excellent job.

Some of the details that are now emerging - that Julie was four months pregnant at the time of her arrest, that another teacher was actually logged in at the time of the downloaded files, and that the computer in question was "totally in the clear" (i.e. not running any updated security software) - are disturbing to say the least.

Since my last blog I have had a chance to look at the javascript and html at the heart of the case, courtesy of pages retrieved from archive.org dated November 2004.

Upon examining both new and old code for www.hair-styles.org and www.new-hair-styles.com, the sites visited by Julie Amero back in 2004, several things are immediately obvious: neither site is a "hair design site". Both sites are obvious fronts for Russian and Ukrainian porn, hair-loss and penis-enlargement sites. Browsing these sites, it is clear that what we're looking at are the types of landing pages typically associated with malicious spyware and bot-nets.

Sure, they *look* like hair style web sites, but the style sheet is named "images/sex_style.css" and the background image lives at "http://sex.sweetmeet.ru/" and if you scroll down the page far enough you get to a penis enlargement ad that is a fixed component of the page. Want more proof this is a fake site? The ">>>" images beside the links on the left of the page link to - you guessed it - "sweetmeat.ru".

None of this is visible by the way. It only becomes visible when you click on it. Are you guilty of malicious intent when you click on a link that has an invisible destination?

Looking inside the "body" tag, I find a javascript onload request that tries to initiate a popup. Luckily, most later-version browsers have popup filters built in. Unfortunately for Julie Amero, she was working on a Windows 98 computer that appears to have been very badly maintained by the IT staff at the school (I spoke to someone who has examined this computer first-hand on Friday, and read the Norwich Town Hall meeting minutes last week. I think it is about time someone started asking the IT manager at Kelly High some harder questions. Contrary to some reports, there was an almost total absence of end point protection on this computer.)

I could go on, but it should be clear to anyone now that the judge in this two-day case didn't want to listen to technical "hocus-pocus", the defense lawyer wasn't "on the case" (literally), and the prosecutor on this case just wanted to get a conviction and move up in life. Sound familiar? Prediction: This will end up being Connecticut's "Duke Lacrosse Team" case.

Barbara Tuchman, one of the best historians ever in my book, once wrote a great book that encompassed Troy, Vietnam, the Renaissance Popes, and the loss of America by the British called "The March of Folly". In the book, she defines folly as "the pursuit of policy contrary to self-interest". Advisers to the Connecticut Governor should advise quick action now, because the folks Fox News had on tonight are smart people, and the "folly ranking" of what is happening in Norwich is headed for the red zone - fast.

Note: Javascript, for the non-technical, is simply a set of instructions usually written in plain text that get fed into your Internet browser as a web page loads. These instructions tell the browser what to display, whether or not to pop up a window above the page you are looking at upon loading the page, what to do upon submitting a form button and other behaviors. It's pretty hard to design a working web site without javascript, and sites can look pretty ugly if you decide to turn it off.

Optional non-javascript approaches exist, but they can be hard work. Javascript simplifies the job of building web sites and helps maintain consistency of behavior across the site. The problems start when javascript and html are used in simple, but bad ways, to do stuff that is invisible upon loading a typical web page.
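
The invisible behaviors described in this post (an onload handler in the "body" tag that opens a popup, image-only links whose destination is another site, and page assets pulled from another host) can be listed from a saved copy of a page without ever rendering it. The sketch below is an added example, not code from the archived sites or from the original post; the host names and the SAMPLE markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

POPUP_RE = re.compile(r"\b(?:window\.)?open\s*\(", re.I)

class PageAudit(HTMLParser):
    """Records what a saved page does that the visitor cannot see on screen."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []      # (kind, detail) tuples, in document order
        self._link = None       # [off-site host or None, saw visible text?]

    def _offsite(self, url):
        host = (urlparse(url or "").hostname or "").lower()
        return host if host and host != self.page_host else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Handlers that fire with no click at all and open a new window.
        for event in ("onload", "onunload"):
            if POPUP_RE.search(a.get(event) or ""):
                self.findings.append(("auto-popup", f"<{tag} {event}>"))
        # Backgrounds, images, scripts and style sheets pulled from another host.
        ref = a.get("href") if tag == "link" else a.get("background") or a.get("src")
        if self._offsite(ref):
            self.findings.append(("offsite-resource", self._offsite(ref)))
        if tag == "a":
            self._link = [self._offsite(a.get("href")), False]

    def handle_data(self, data):
        if self._link is not None and data.strip():
            self._link[1] = True

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            host, has_text = self._link
            if host and not has_text:   # image-only link leaving the site
                self.findings.append(("unlabelled-offsite-link", host))
            self._link = None

def audit(html, page_host):
    parser = PageAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not the archived pages themselves.
SAMPLE = """<html><head><link rel="stylesheet" href="images/style.css"></head>
<body background="http://media.offsite.example/bg.gif" onload="window.open('http://ads.offsite.example/')">
<a href="http://offsite.example/"><img src="arrow.gif"></a>
<a href="/styles/short.html">Short styles</a>
<a href="http://partner.example/">Partner site</a></body></html>"""
```

Calling `audit(SAMPLE, "hair.example")` reports the popup handler, the off-site background image and the image-only off-site link, while the two text-labelled links are left alone.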
