This is a very scary thing. I wrote a blog post last year about this type of thing in response to Rich’s post on lax wireless security. I was trying to think up scenarios where this would be a problem, and the best example I thought of is what I am going to call the “Pink Slip Virus 2008”.
Consider a virus that does the following: Once installed, the code would periodically download pornography onto the computer, encrypt it, and then store it on the disk. Not too much, and not too often, just a few pictures or small videos. After several weeks of doing this, it would decrypt the data, move it to “My Documents” or some subdirectory, and then uninstall itself. It could be programmed to remove signs that it was present, such as scrubbing log files to further hide from detection.
The computer could be infected randomly through a hostile web site or it could be targeted through an injection attack via some insecure service. It could even be targeted by a co-worker who installed this on your machine when you were at lunch, or loaned you an infected memory stick. A virus of this type could be subtle, using so little CPU, network, and disk capacity that it goes unnoticed by both the owner of the computer and the IT department.
Now what you have is presumed guilt. If the downloads are discovered by IT, or someone like the malicious co-worker were to proactively mention to HR “I saw something that looked like …” on or after the date the virus uninstalled itself, a subsequent search would reveal pornography on the machine. Odds are the employee would be fired. It would be tough to convince anyone that it was anything other than the employee doing what they should not have been doing, and “innocent until proven guilty” is a legal doctrine that is not applied to corporate hiring/firing decisions.
I was discussing this scenario with our former Director of Marketing at IPLocks, Tom Yates, and he raised a good point. We routinely use Occam’s Razor in our reasoning. This principle states that the simplest explanation is usually the correct one. And the simple explanation would be that you were performing unauthorized browsing with your computer, which could have negative legal consequences for the company, and is almost always a ‘fire-able’ offense. How could you prove otherwise? Who is going to bring in a forensic specialist to prove you are innocent? How could you account for the files?
I have had a home computer infected with a BitTorrent-like virus storing such files on a home computer in 2003, so I know the virus part is quite feasible. I know that remote sessions can be used to instigate activity from a specific machine as well. It is a problem to assume the person and the computer are one and the same. We often assume that you are responsible for specific activity because it was your IP address, or your MAC address, or your account, or your computer that was involved. Your computer is not always under your control, passwords are usually easy to guess, and so it is a dangerous assumption that the official user is responsible for all activity on a computer. Almost every piece of software I have ever downloaded onto my machine takes some action without my consent. So how would you prove it was some guy looking at porn and not spammers, hackers and/or the malicious co-worker?
4 Replies to “Pink Slip Virus 2008”
Fascinating – I read the article on the successful defense this morning just. What you’re talking about is a potential way to blackmail political figures, heads of massive corporations, etc. by letting them know that you can immediately have them publicly hung if they don’t do what you want. Interestingly enough, once the trojan/virus has removed itself completely there would be little forensics which could ultimately record it… if done right. Just another example of the power of these nasty bugs – obviously taken to a new level of depravity.
I have dealt with managers looking at browsing habits many times. Every time I advise them that browsing logs are not always accurate. They should always be looked at in context. If someone’s browsing time has increased dramatically and their work quality has declined then it is time for HR Action.
Most places would suggest that if someone is downloading porn then a quiet word with their manager would be the first step. “I’m sorry sir, I know the evidence says that I download porn but it is not the case. I must have a virus. Please can we do some checks on the PC. In fact, I’m so sure that it wasn’t me, I’ll backup my work and we can reformat the PC.”
It gets a bit more tricky when the porn is illegal, rather than just not work-safe. I recall a news article where someone was discovered downloading kiddie-porn and used the “It must be a virus” excuse.
Let’s say for a moment that you prove you are innocent and retain your job. How uncomfortable is it going to be to work there? How many people will still think you are guilty?
I would resign and then sue for constructive dismissal after retaining an employment lawyer. This is assuming that my manager or HR would not listen to reason. If my boss doesn’t trust me, and my HR is not willing to admit that this situation would have to be a provable offense, or at least one that has to show a pattern over time—then I’m pretty ok with suing.
Note that in many states (and many companies) it is also possible to appeal a dismissal or resignation. At some point, you have to just give in that it is ‘just a job’. If they fire you for a stupid or wrong reason, there’s always going into business with people that you trust (or for yourself).