Search This Blog

A Word About Our Blog Entries

The Julie Group shares a professional interest in the area of digital and emerging technology and law. As professionals there is a rich and deep appreciation for the differences of opinion that can appear in this space. You must never assume that opinion, where it is introduced is universally shared and endorsed by all our volunteers. Nor are they necessarily the very best snapshot of a given issue.

Readers are expected to think about the issues, question everything worth discussing, and add value to the conversation by correcting what's here or broadening the understanding of the subject. This is part of the educational process between us all. Our hope is that this exercise results in better law, law enforcement, and citizen participation in forging sophisticated social understandings of the technological forces changing our lives.

Sunday, June 10, 2007

Matt Bandy Could Be You. Or ME.

Matt Bandy's story sent a chill up my spine as I read it this morning. Matthew was 16 when authorities arrested and charged him with possessing and uploading child pornography (Full Story).

Matt was the victim of at least one (and likely more than one) worm that turned his computer into a "zombie computer". To give you an idea of the pervasiveness of zombies, reported on a foiled botnet operation that had put 1.5 million computers and servers under its control. (A botnet is a collection of computers infected with the same worm). Botnets are used to send spam, infect other computers, and upload pornography, among other things.

Here's the thing: Zombies operate transparently. The user has no idea what his own computer is doing. That means you can be held responsible for activity originating with your computer for which you had no control, involvement or even knowledge.

This is exactly what happened to Matt. Ultimately he accepted a plea bargain on the advice of his attorneys. even though the forensic examination of Matt's computer proved the presence of malware, even though he passed two independent polygraph examinations where he flatly denied any pornography uploads, even though two independent psychological evaluations concluded that he did not meet the profile for a diagnosis of paraphilia.

The prosecutor would not back down. If a jury had convicted him, he could have spent up to 90 years in prison (This is not subject to judicial discretion -- more on that in a minute). If he accepted the plea bargain, he would have to register as a sex offender but would be sentenced to probation. After ABC's 20/20 aired a segment on his plight in January 2007, the sex offender designation was removed by order of the court.

Is this justice? How did this happen?

I. Anti-Porn Policies and Initiatives Pressure Local Prosecutors to Produce

There are certain initiatives in the halls of justice - national and state - that have top priority. Project Safe Childhood is one of those. Here is a description of the initiative from the PSC Guide:

PSC creates, on a national platform, locally designed partnerships of federal, state, local, and tribal law enforcement officers in each federal judicial district to investigate and prosecute Internet-based crimes against children.
and this:

U.S. Attorneys will coordinate the investigation and prosecution of child exploitation crimes, and the efforts to identify and rescue victims. Establishing open and formal lines of infor-mation-sharing and case referrals is imperative, so that investigators and prosecutors can use all available tools for finding offenders and selecting the most appropriate forum in which to seek convictions. And aggressive investigations and prosecutions must be accompanied by strong victim-assistance efforts.
Finally, there's this:

"For these reasons, it is important for federal investigators and prosecutors to bring all available resources to bear upon investigations and prosecutions of Internet-based crimes against children, and for federal prosecutors to substantially increase the number of prosecutions of child pornography and enticement offenses."
This is an admirable goal. I am certainly all for the prosecution of those who commit crimes against children, aren't you?

But there's a word missing from that final paragraph. An important one. The word is "legitimate", and it belongs here, so that the sentence reads this way:

"...all available resources to bear upon investigations and LEGITIMATE prosecutions of Internet-based crimes against children, and for federal prosecutors to substantially increase the number of LEGITIMATE number of prosecutions of child pornography and enticement offenses."

Common sense dictates that when the results of an investigation prove the existence of malware and worms which are linked to illegal activity OUTSIDE OF THE CONTROL of the user, a prosecution is not legitimate. Period.

Prosecutors are expected to deliver the goods, and they are measured on the NUMBER OF CASES they prosecute successfully, either by conviction or plea-bargain.

This sweeping initiative and mandate for federal, state and local law enforcement agencies creates an environment of rigidity and the need for prosecutors to give the impression of zero tolerance for pornography, regardless of its source. If you're convicted, the sentences are non-negotiable under federal and state sentencing guidelines.

II. Ignorance about Malware Left the Door Wide Open

In the Bandy case, the ignorance wasn't simply on the prosecutor's end. Matt Bandy's parents had absolutely no clue about how to secure their computer and network properly. They're not unusual. As an admitted geek, I receive calls all the time from friends and family in a panic because their computer is infected with something and they have no idea how it got that way or what to do about it.

Here's a fact: Kids can infect a computer faster than anyone else in the house. They go to game sites, game hack sites, have their Instant Messenger programs open all the time, accept files from anyone and believe what they read. They're kids. They haven't learned to be cynical yet. So when they click on the blinking "You've just won a million dollars" window, they're believers. By the time they figure it out it's too late if they're out there on the Internet with inadequate safeguards.

Here's another fact: Filters are a bandaid and nothing more. Relying on site and word filters to protect kids from pornography doesn't work for anyone. That means schools, homes, and businesses. There are too many ways around them, they can't block every iteration of the word and they give a false sense of security.

One last fact: It can happen even if you're a geek
. I love computers. I'm a geek. I've been on the Internet from the early days, I've built my own computers, I maintain our home and office network and I stay updated on Internet security issues.

Yet, my 17-year old son managed to: a) Visit Internet porn sites; and b) infect his computer with 100 different flavors of malware in February of this year. This, despite what I thought was a locked-down network (he ended up on a neighbor's wifi connection), and up-to-date virus protection (his expired in January, I didn't check and he didn't tell me). As far as I can tell, it took about two surfing sessions to thoroughly infect his laptop.

Matt Bandy's story could have been mine. It could be yours. It will be someone else's. It is already someone else's.

Greater minds than mine are wrestling with this issue. Some of them participate here. While waiting to hear from them, visit the Center for Safe and Responsible Internet Use. Director Nancy Willard has some excellent information on the site about cyberbullying and keeping kids safe. Read it. And start talking about it.


Skip Brewer said...

I'm sorry, but I seriously doubt Matt Bandy is innocent. Even if you accept the idea that his computer was being used to store someone else's images, that does not explain the link files in his "Recent" folder. Those files are created when someone actively double-clicks on a folder or file from within the GUI. They are not created when the file is accessed remotely (such as through a backdoor or Trojan). This means that Matt had viewed the content and was aware of its presence on his computer.

There is also the question of why there was a CD containing almost exclusively porn, with a lop level folder titled JPE (for JPEG or images).

I am a trained forensic examiner, although I am not in law enforcement. After reviewing the evidence presented, I have to say that you are most likely defending a guilty party.

The Julie Group said...


Not every case will be a slam dunk. The Julie Group would be useless if we only commented on obvious cases.

Our job is not to judge but illuminate the issues (and in some cases scold the fools).

A number of our experts are troubled by the same thorny issues. Keep following our discussions, I think you'll find that we aren't myopic.

Andy Russell said...

Mr. Brewer asks for an explanation of “link files” on Matt’s hard drive. Would he agree that could be caused by police examining his hard drive -- which would support innocence, not guilt?

Anonymous said...

There has been alot of misinformation published on this case. I've been deeply involved since the beginning. I don"t know where Skip is getting his information but it is not accurate. I should know I'm Matt's mom. If people want the truth they should go to our Web site. We did not have to go public with our case,we had nothing to gain, we did so with good intentions of helping others, we saw the injustice and wanted to warn others of the dangers. My son and my family have suffered greatly from inaccurate information and people like Skip who make staements on blogs and else where that my son is guilty, even when all the evidence proved he was innocent-once again see our web site. I'm very proud of my son and family,we did what we felt was right--not many people would risk going public on this issue,we hoped to help others--and we have heard from many across the nation in similar situations. These people are struggling desparately to save their loved ones,their home, their lives. I doubt Skip would have the courage to speak out like my son. This is a very important issue and many innocent peoples lives our at stake. I'm so pleased that you have formed your group, we both have the same goal and it is good to know that we are not the only voice out there,trying to spead this message. Jeanne Bandy

Andy Russell said...

Dear editors of the Julie Group: You say a number of your experts are troubled by thorny issues that could point to Matt's guilt, such as Skip's comment that the “link files” on the "recent" folder of Matt’s hard drive indicates his guilt. However, are you aware that police examination of Matt's hard drive easily explains those link files and points to his innocence?

Anonymous said...

I'm unfamiliar with this case, but if the Police aren't using write-blockers or analysing a bit-for-bit copy to prevent contaminating the "crime scene" then that data should be inadmissable as evidence.

i.e. when lifting footprints from the flowerbed outside a burgled house, don't make your own and submit them as evidence!

Skip said...

Sorry, it has been a while since I have checked this blog, so I didn't have an opportunity to responde to questions and responses.

Andy Russell suggested that perhaps the link files were created by the police clicking on the files to view the. Andy, if that were the case, teh link files would be date-stamped with the date and time the pictures were first viewed, when they were last viewed, and how many times they were opened. It would be easy for the defense to establish that fact. Also, any forensic investigator worth his salt will not look for the files through the host operating system, but will make a forensic image, and will examine the image using write-blocking tools to prevent modifications to the evidence.

To Jeanne Bandy, I am sorry for the pain you have suffered. I have not examined the evidence directly, so I cannot say with any certainty if the images were originally placed on the drive by a bot-net or not. But from the evidence that has been published, it appears that your son at least knew of the images and didn't report it. Unfortunately, that is also a crime.

Anonymous said...

Skip: I think your rush to judgement is foolish and harmful. Did you read Tami Loehr's forensic report of the examination of Matt's hard drive?

I suspect you are a teenager ("Skip") and you should learn early on not make judgements without knowing all the facts

Anonymous said...

Unfortunately the police viewed the Bandy family computer in the home at the time they went in without using a mirror or seperate system. Also the CD with the images was one of six total that was used to back-up the hard drive, not a stand alone CD as the proscuter would like you to believe.

Dr. Kardasz said...

I supervised the Bandy investigation.

I read the forensic report that was done by an experienced trained and veteran professional from the Maricopa County Prosecutors Office.

Bandy was charged with images that were found on a compact disk that was on a desk next to his home computer.

Could a phantom trojan virus attacker/burglar also load a blank cd, place it into the drive-tray, place images on it and then remove it and put it on the nearby desk?


It is not unusual to find viruses on the computers of persons who surf porn.

Bandy plead guilty, perhaps because he was guilty.


Anonymous said...

Dr. Kardasz, how did you get your Doctorate when you obviously cannot read?

Do you even understand the concept of a backup? As mentioned in the post immediately preceeding your own?

Anonymous said...