It’s becoming a familiar story, an angry parent of a student reports finding inappropriate images, self taken naked pictures and videos, on that student’s cell phone. The images and video were sent to the student by a high school football coach. The mother of the student e-mailed the pictures to the administration of the high school, and the coach was promptly fired in disgrace. But this story has an unusual wrinkle: the student is a 20 year-old at the University of Central Florida, the girlfriend of 32 year-old Mandarin High School football coach Jason Robinson.

Upon finding the pictures, the mother of Jason Robinson’s college age girlfriend fired the images off to the administration at the High School employing this coach. The administration reacted by terminating Robinson, who being within the first three years of his contract there was essentially the equivalent of an “at-will” employee.

The high school principal, Dr. Donna Richardson, fired off the following letter to the coach:

"Effective today you have been reassigned to Bulls Bay for the remainder of this school year. You are 
not to come back onto our campus, and we will make arrangements to get any of your personal 
belongings to you. 

You are also being non-reappointed for the next school year. It is regretful it had to come to this, 
but I believe you understand the situation."

"We hold our teachers to a higher standard. They are in front of our students. They're talking 
with our students. They're teaching our students how to become good characters"

Jason Robinson

So we are left with an ‘at will’ employee, who can be dismissed for any reason, being dismissed for showing a lack of sound judgment and a potential violation of a policy (which for whatever reason couldn’t be located in time to include in the letter). From a legal standpoint, the dismissal may be on solid enough ground.

The incident is problematic on a number of fronts though. As soon as an employing organization begins to pass judgment on the private, non-criminal, non-disallowed by policy, actions of two consenting adults, they open themselves up in an inappropriate role as a moral arbiter over their teachers and staff. The mother’s actions were largely inappropriate in the absence of a crime or high school policy violation regarding relationships between teachers and staff. There has been no indication yet that this relationship started when the girlfriend was a high school student herself. But since you can’t control parents, the high school board, a group of people, owed it to all involved to display a cooler head.

Robinson is claiming this incident has ruined his reputation, and is suing the parents of his 20 year old girlfriend for violating his privacy by looking at the material. It certainly does affect his future prospects in working as a high school football coach to be so publicly dismissed.

A sister of the girlfriend does attend high school at Mandarin also, probably another reason this should have been handled much more quietly, as her life must be a joy right now.

One Wrinkle Though

Dr. Donna Richardson

There is one awkward little wrinkle to the whole episode which may make the school board right (but which throws into question why they wouldn’t comment further to defend their position). There is an allegation that the coach used a school computer to send the images. If that is the case, a policy prohibiting using school equipment to view or send pornography should both be in place and apply (minus the publicity and ’shaming’ e-mail).

So why isn’t that being included in the school’s response to the case? Either because it isn’t true, or because they haven’t conducted a responsible forensics investigation to back up the allegation. To fire someone so publicly without having this was a mistake. Administrative leave, strengthening the case via proper computer forensics, and then having a full story to go forward with is the correct way to go, not an e-mail sent in haste from the principle’s computer.

According to most followup commentary, the “sent from a school computer” piece likely is not true anyway.

Sexting

Basically the act of sending a sexually explicit photograph or message with mobile phones as the communication device. The name derives from a combination (or portmanteau for those who want to learn a new word) of the words sex and texting.

The first well known reference to the word is a 2005 article in the British Sunday Telegraph Magazine. In a survey conducted by Cosmogirl, 20% of teens and 33% of young adults indicated they had sent nude or semi-nude (big difference) pictures of themselves via electronic communications. Some 39% of teens and 59% of young adults had said they sent sexually explicit messages.

The Cosmogirl results have been thrown into question however (surveys always are); at least one sociologist, C.J. Pascoe, an assistant professor at Colorado College, completed a three year study interviewing 80 teenagers and found no evidence of truly explicit text or photographs sent via mobile devices.

From personal experience, students are certainly sending and posting information that their parents and other adults would note is probably a mistake to preserve electronically and share. Campaigns, such as the James Lipton campaign we posted about earlier, Don’t Tweet Your Junk, are largely a reaction to this problem.

So there is an issue here that should not be ignored, one that naturally followed the increasing capabilities of cell phones, the decreasing costs, and the result that more young people than ever have sophisticated access to communications technology (something their parents did not by and large have). That said, hyping the numbers by suggesting that 2 out of every 10 teens are sending naked pictures of themselves via their phones is unnecessarily alarmist.

The other larger problem of overreaction is overzealous prosecution of teenagers under child pornography laws which were certainly not codified to cover teenagers e-mailing photographs to each other. Further, the classification of said teenagers or young adults as sex offenders serves only to weaken the notification requirements under Meghan’s Law, designed to protect youth against real sex predators.

Finally

I don’t understand the proclivity in the number of people sending naked pictures of their junk to other people. Maybe if doing so will result in Paris Hilton like publicity, but for most of us photographing our nether regions should be grounds for having our heads examined. That said, what we have here is two consenting adults sending content between each other. It was no more the high school’s business than it was that of the mother, unless a school computer was used.

One could make the loose case that the Mother of a 20 year-old might have the moral authority to snoop to try to keep her daughter safe (we don’t really think so at 20, but we could see someone saying that). But sending the pictures on to the high school administration rather than handing this as a private family member shows terrible judgment on the mother’s part. But parents can’t be controlled, the school had to realize a story as salacious as this would spawn media coverage, and should have had their act in order before reacting. If they have nothing, no evidence that this relationship started when the girl was underage or in high school, no use of a school computer via evidence gathered in a forensically sound manner, then this school board has made a mistake.

Or as Principal Richardson defined the school’s mission: “They’re teaching our students how to become good characters”. They’re acting like characters all right, so far anyway.

Sources:

• High school coach fired for sexting 20-year-old college girlfriend. Wait, what?
• Mandarin Football Coach Under Fire

Related Posts:

• Press F1 for Help, pwned.
• James Lipton says “Don’t tweet your junk”

Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 & SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.

Credit to Maurycy Prodeus for publishing the initial details of the vulnerability.

Details

Using the MsgBox VBScript function in an html file, an attacker can create a dialog box prompting the user to hit F1, something that is likely not difficult to do with a message such as “Internet Explorer encountered an error, press F1 to continue”. The MsgBox function is important as its fourth argument specifies a helpfile parameter, basically which hlp or chm file to launch when the user asks for help via F1.

I created a simple help file with the word “Test” using the Microsoft Help Workshop version 4.03. In addition to this, I added the macro to launch a command prompt (cmd.exe). When I double click this file in Windows XP SP3, I get my test helpfile and the command prompt launches as well:

Cmd.exe launched with my Help file.

So we now have a .hlp file which executes code. As mentioned before, the MsgBox function has a parameter to specify a help file to launch when the user hits F1. Here is where I come back to a recurring issue of SMB traffic and allowing it outbound on firewalls. In order for the MsgBox parameter to launch the .hlp file, the attacker must point to a local file (which the user would have had to already download) or host a file on an internet accessible SMB share. If you look at the proof of concept code circulating, currently you will see the MsgBox help parameter is “\x.x.x.x\attackfile.hlp”, a pointer to a help file on an SMB share. Corporate enterprises should certainly block SMB outbound, and with this vulnerability and the several previous attacks via SMB client, users should be blocking this outbound traffic as well.

Vista, Windows 7, & Server 2008

The vulnerability does not work on Vista, Windows 7 and Windows 2008 due to Microsoft no longer including winhlp32.exe with these versions. However, there is an update which can install winhlp32 for these versions (Windows 7 Version I installed from here). I found that these updates did not launch the cmd.exe as the Windows XP version did (I also tried Prodeus’s PoC help file and it displayed but did not run calc.exe). It is possible that Microsoft removed this code execution function from these versions.

Workarounds

The warnings are avoid hitting F1 when prompted by websites. Additionally, permissions to winhlp32.exe can be modified so that it doesn’t execute. In an Active Directory environment, a Group Policy software restriction setting can prohibit winhlp32.exe from launching. As mentioned, I recommend blocking outbound SMB traffic, as there is rarely a justification for mounting a network share on the public internet. This helps with many known vulnerabilities disclosed in the past as well.

Related Posts:

• Turning an ATM into a Slot Machine
• iPhone 4 Ordering and Session Switching
• Thou Shalt Not Send Naked Pictures…To Anyone Ever
• May’s Patch Tuesday
• IEPeers – A New Internet Explorer Zero Day Vulnerability

I’ve often referred to sanctimonious information technology people who say outlandish things at conferences or in news articles as “talking beards”. This is based on having the Dilbert cartoon below hanging in my cubicle for years. James Lipton’s role in new public service announcements (PSA’s) on texting (text messaging) for teenagers gives the concept a whole new meaning. The campaign “Before you text, give it a ponder”, which features videos with Lipton of Inside the Actors Studio loaning his trademark beard to teenagers so that its magical properties of forethought can be temporarily bestowed on them, effectively uses humor to combat the problems of sexting and cyber-bullying.

The fundamental idea of the campaign is that there is a demographic within teenagers and pre-teens that are “bystanders” in the negative behavior exhibited using mobile phones. This more passive (as it relates to negative mobile phone behaviors) group enables bad behavior through reactionary propagation of messages, but potentially would not if they briefly considered the downstream effect of their actions. LG Mobile Phones seeks to reach them with a social responsibility campaign relying on humor.

Here's a nickel kid...

A Broader Campaign

The campaign is another early part of a multi-year continued effort sponsored by LG Electronics MobileComm U.S.A., Inc. (LG Mobile Phones) and created by Young & Rubicam, Inc. (a marketing and communications company) to combat mobile phone misuse and risky behavior. After conducting focus group style interviews with teenagers, LG determined that an awareness initiative based on a heavy handed approach would be largely ineffective, and decided a campaign based on humorous takes of real life situations would resonate better with this audience.

Further they identified that opposed to the conventional wisdom that this behavior is in essence bullies seeking out weaker victims in the digital age, that the group actually most likely to engage in negative behavior is a demographic identified as “tabloid teens”. These are teenagers who are part of a social circle that trade in gossip as a form of social currency and are as a result both the highest level perpetrators and victims of negative mobile phone behavior. LG has instead focused the campaign on a demographic of teens who are bystanders, persons who are enabling the negative behaviors but only in a passive or reactionary way (those who spread messages but do not create or target them).

Quick Statistics

The Usage:

• Today, approximately 79% of all teens (17 million) have a mobile device – a 36% increase since 2005.
• Teens are a huge consumer market segment and spend more than $100 billion annually.
• 57% of teens view a cell phone as key to their social life. 80% say their cell phone provides a sense of security.
• The average teen sends and receives 1,700 text messages a month. Across the country they’re sending 20,000 texts every second.

The Downside:

• 1 in 5 teens has received a naked picture on their mobile devices, referred to as sexting.
• 50% of youths said they’ve been the victim of some form of digital abuse.
• 22% of respondents indicated they’d been the target of lies spread through digital media.
• 8% of respondents indicated they’d been threatened with some form of digital blackmail.

The Video PSA’s

Locker Room

Angry

Catfight

Unicorn

What do we want?

The features teens most want according to the same CTIA survey? They want security that guarantees only they have access to their data on the phone. Good teenagers…

The expectations of teenagers...

Campaign Elements

LG has covered all their social media bases with this campaign:

• Flickr
• Youtube
• Facebook
• Twitter

PonderBeard on Twitter.

DTXTR

This part of the campaign follows the release earlier in the year of the DTXTR (DEE-text-ER) which translates the shorthand normally used in texting and instant messaging into English that the uninitiated (parents of teenagers ostensibly) can understand. As an example, the tool should allow MOS (Mom over shoulder) to better understand what she’s reading.

LG's DEE-text-ER

Finally

We commend LG Electronics not only for launching a campaign designed to address some of the risky behavior teenagers and tweens are engaging in, but for doing it in a thoughtful, creative, and somewhat risky way. This approach, employing multiple delivery mediums and using humor, is generally known to increase the effectiveness of awareness campaigns. The same concepts can be applied to security awareness campaigns within your own firm.

The campaign will likely get some flak for using terms like “junk”, appearing at first glance flippant about the issues of sexting and cyber-bullying, and for being somewhat uncompromising in their approach (no sugarcoating). For that LG is exercising some level of corporate courage, for being more concerned about the effectiveness of the campaign than potential criticisms thereof, and we hope they continue to stay with it.

References

• www.giveitaponder.com
• CTIA survey

Related Posts:

• Persistent XSS on Twitter.com
• Zuckerburg Apologizes for Facebook Privacy Changes
• Thou Shalt Not Send Naked Pictures…To Anyone Ever
• Give this Man a Haircut and Support a Worthwhile Cause
• Press F1 for Help, pwned.