Should IT Get The Blame In Teacher's Pornography Case?
Julie Amero's legal nightmare should be a wake-up call to IT administrators who could ultimately be responsible for what's on their users' monitors.
The legal wrangling swirling around a Connecticut substitute teacher over whether or not she intentionally exposed students to online porn will pose a challenge for IT managers and computer security professionals.
Who is ultimately responsible for what happens at the desktop? The user or IT?
"There's a shift right now in the whole area of security away from just antivirus to security control. What happens at the desktop is ultimately the responsibility of the administrator," said Ron O'Brien, a senior security analyst with Sophos, in an interview. "If I surf the Internet, and I go to an unblocked Web site hosting malicious content and I download that to my desktop, I have now infected the network. The administrator, in addition to controlling what I do on the keyboard, needs to filter the content coming from the Internet into the network."
Julie Amero, a substitute teacher at Kelly Middle School in Norwich, Conn., got a new chance this week to present her case. Last January, she was convicted on four counts of risk of injury to a minor in connection to an October 2004 classroom incident. Six students testified during trial that they saw glimpses of pornographic images that appeared on Amero's computer.
The teacher has long argued that she didn't intentionally pull up the images and that she tried to block the students from seeing them. But the prosecution obviously convinced the jury otherwise. The government noted that she could have turned the computer off, but Amero testified that she had been told not to turn off the computer and that she had gone and asked for help. The defense's computer security expert wasn't allowed to testify at trial.
According to the Norwich Bulletin, a police detective who examined the computer and testified for the prosecution admitted that he never checked the machine for spyware or adware.
On Wednesday, a Connecticut Superior Court judge granted Amero a new trial, giving her the chance to offer an expert's testimony that malware was the cause of the pornographic images on her computer.
Since her conviction, Amero has become something of a cause celebre for security experts, who have argued that malware on what was a completely unprotected computer easily could have thrown a series of pornographic pop-ups onto her screen -- all without her bidding.
"Have you ever seen spyware infections?" asked Rich Sutton, director of 8e6 Labs at 8e6 Technologies, a security company that focuses on Internet filtering for K-12 schools. "They're insidious, and they're very difficult to eradicate. Their intent is to put Web content in front of the end user that the end user did not request. You point your browser to a benign site and you get pop-ups from unwanted sites, and it's not under the control of the user." Sutton said in an interview that he finds it "very viable" that the pornographic images didn't appear on Amero's computer because she called them up. "It's very likely that she's a victim here," he said.
Sophos' O'Brien agrees. "She was the adult in the room at the time responsible for what the children were exposed to, so she became the scapegoat for what was a lack of responsibility on the part of the people who should have been maintaining that PC," he said, noting that the computer in the classroom wasn't running a firewall or antivirus software. "When I look for who is responsible for maintaining that PC, I don't look to the substitute teacher. There was a tool in the classroom that wasn't properly maintained."
And that, added O'Brien, should be a loud warning to CIOs and IT administrators in education, government, and industry. In a corporate setting, pornographic Web sites or pornographic pop-ups on computer screens could lead to office unrest and even create a hostile work environment.
"It's really a kind of wake-up call for not only teachers and parents, but for IT administrators to realize that there are 9,500 new URLs that we identify each day that are hosting malicious content," O'Brien said. "If someone is surfing the Internet, the likelihood they will connect to a Web site that will download malicious content onto their PCs increases exponentially every day. It comes down to the integrity of the network and the extent the administrator is able to maintain a safe system."
Sutton added that, at the least, IT is responsible for ensuring that all the computers attached to the network have antivirus and anti-spyware software installed, and that the machines are patched and up to date.
"It's inevitable that they're going to be fighting fires," said Sutton. "There should be an initial effort to make sure computers are patched and uninfected. But then you have to clean up the infections that occur. In this case, there haven't been a lot of discussions about how IT strategy could have lessened the effect of this infected computer."
Alan Paller, director of research at the SANS Institute, said in an interview that the responsibility may go even higher up the ladder. Executives, whether school or corporate, are the ones who dictate to IT leaders if they have the rights -- and the budgets -- to filter attachments and inappropriate Web sites, he said.
And Keith Jones, a senior partner with Jones, Rose, Dykstra & Associates, said, "It's always an executive call. The budget goes to someone else and then something bad happens. It always goes back to upper management."