Collateral damage: What happens when user support fails the user?

As a support person, your first priority is to protect your end users and help them do their jobs with the tools they're given. The story of what happened to Michael Fiola is a cautionary tale that all support personnel should take to heart.

-------------------------------------------------------------------------------------------------------------------

Michael Fiola is a decent guy just doing his job with the tools he has been given by his (now former) employer, the Commonwealth of Massachusetts. They issued him a Dell Latitude laptop to facilitate his writing reports in the field; he used it for that purpose. Fiola, a former investigator with the Massachusetts Department of Industrial Accidents, faced two and a half years in prison after being charged with possession of child pornography.

According to Tami Loehrs, a forensic investigator hired by the defense team, the laptop that Fiola was issued by his employer was a "ticking time bomb."

From PC World:

The Microsoft Systems Management Server software on the laptop was misconfigured and was not receiving critical software updates, and the laptop's Symantec antivirus software was either misconfigured or not working properly, she said.

State IT staff examined Fiola's laptop in March 2007 after they noticed that his Verizon broadband wireless usage was four times above normal. He was fired the same month, after the pornography was discovered.

Fiola, a former firefighter with no criminal record, was ostracized by his community after being criminally charged in August 2007, [attorney, Timothy] Bradl said. "His life has been destroyed," he said. "His friends ran for the hills; his family mostly ran from him."

Since his wife, Robin, was at one point hospitalized for a stress-related illness, Fiola is now facing health insurance payments in excess of his monthly mortgage. But he is unlikely to take his old job back, even if the DIA were to offer it, Bradl said. "I would think that theoretically he'd be entitled to his job back with back-pay, however he would never want to go back to work with such buffoons," he said.

While CNET's Matt Asay saw a Windows vs Linux/Mac issue, I see something different. I see a clear case of what can horribly happen when the workday gets so crowded that we stop thinking critically about what we are doing.

The support side of the house gets crammed with activities, some of which have little to do with what our job is supposed to be -- providing user support. I can look at this tragic situation and pretty much know what happened.

A work order was sent to the Support team who pulled a laptop out of stores that may or may not have been re-imaged. Maybe it was imaged when it came in and the image was outdated. Maybe it got a fresh image but was flawed. It got onto a bench where someone checked to make sure that the necessary software was in place, but it is highly unlikely that anyone had the time to check that each program ran properly. And then it was issued to the user.

In an interview with IDGNS (the parent of PC World), Fiola admits that he is not a tech savvy end user. His whole computing experience is limited to being able to get on the network, use his e-mail, and use the applications that facilitate his job. He doesn't browse, doesn't game, doesn't chat. He just does his job. That means that if his AV wasn't working, he wouldn't necessarily know to alert the Support team that something is wrong.

Michael Fiola is the face of most of our end users. In the course of my career, I have had to paint the power button with red nail polish for a user who could never find it on her PC -- not to humiliate her -- she loved being able to see the thing. But that experience was a wake-up call to me that my end users might not know the first thing about the tools they needed to do their jobs and made me more aware of what I needed to do to protect them.

What is truly sad in this is that Fiola's life will never be the same. I can only imagine that the support team that issued him the laptop in the first place is sick about that. I am certain that they never intended something like this to happen, and I strongly doubt that the oversight that caused the situation was in any way targeted to Fiola. But it happened.

As support people, our responsibility is to keep both our networks and our end users safe. This cautionary tale reminds us that that is our first responsibility, no matter how insane the workday gets.

How do you avoid a problem like this? What checklists do you run when issuing a computer to an end user? Or can you see a place where your procedures could use some rechecking?
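One concrete answer to that question, as an added example (mine, not the article's, and not anything the Commonwealth's IT staff ran): a PowerShell bench check that refuses to pass a Windows laptop until the patch channel, the management agent and the antivirus are all demonstrably working, which is exactly the combination PC World reports was broken on Fiola's machine. It assumes a current Windows client SKU run elevated with network access (the Windows Update COM API and the root/SecurityCenter2 namespace, which XP-era builds lack), that the SMS/ConfigMgr agent service is named CcmExec, a 14-day patch-freshness threshold, and the widely used but undocumented bit layout of Security Center's productState; all of these are my assumptions, not facts from the page.

```powershell
# Bench check before a Windows laptop is issued. Added example, not the article's or
# any real department's script. Assumes: elevated PowerShell 3+ on a current Windows
# client SKU with network access; CcmExec is the SMS/ConfigMgr agent service name;
# productState decoding per the commonly observed (undocumented) Security Center layout.
$maxPatchAgeDays = 14          # assumed local policy for "receiving updates"
$findings = New-Object System.Collections.Generic.List[string]

# 1. Patch channel: Automatic Updates must have searched successfully recently,
#    and nothing applicable may still be outstanding.
try {
    $results = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
    $cutoff  = (Get-Date).AddDays(-$maxPatchAgeDays)
    if (-not $results.LastSearchSuccessDate -or $results.LastSearchSuccessDate -lt $cutoff) {
        $findings.Add("Windows Update last searched successfully on '$($results.LastSearchSuccessDate)', older than $maxPatchAgeDays days")
    }
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    if ($missing.Count -gt 0) {
        $titles = ($missing | ForEach-Object { $_.Title }) -join '; '
        $findings.Add("$($missing.Count) applicable update(s) not installed: $titles")
    }
} catch {
    # A failing search is itself a finding: the laptop cannot reach its update source.
    $findings.Add("Windows Update check failed: $($_.Exception.Message)")
}

# 2. Management agent: "SMS Agent Host" (service CcmExec) must be present and running,
#    otherwise SMS/ConfigMgr will never push updates to, or inventory, this machine.
$agent = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
if ($null -eq $agent) {
    $findings.Add('Management agent (CcmExec) is not installed')
} elseif ($agent.Status -ne 'Running') {
    $findings.Add("Management agent (CcmExec) is installed but $($agent.Status)")
}

# 3. Antivirus: Security Center must report a product with real-time protection on and
#    signatures current. Bit 0x1000 of productState set = enabled; bit 0x10 set = out of date.
$products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $products) {
    $findings.Add('No antivirus product is registered with Security Center')
}
foreach ($p in @($products)) {
    $state = [int]$p.productState
    $hex   = '0x{0:X6}' -f $state
    if (($state -band 0x1000) -eq 0) { $findings.Add("$($p.displayName): real-time protection is off (productState $hex)") }
    if (($state -band 0x10)   -ne 0) { $findings.Add("$($p.displayName): signatures are out of date (productState $hex)") }
}

# 4. Verdict for the work order: no issuance on any finding.
if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME may be issued (updates, agent and AV verified $(Get-Date -Format s))"
    exit 0
}
Write-Output "FAIL: do not issue $env:COMPUTERNAME until resolved:"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it on the bench as the last step before the laptop goes out, and paste the output into the work order so there is a dated record of what was verified. The update search can take several minutes and needs a route to the update source, which is the point: a laptop that cannot reach its patch server on the bench will not reach it in the field either. The hard part is not the script but holding the line on a FAIL when the user has a flight at 1 p.m.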

More information:

IT Business Edge -- What you don't know can hurt you -- when it's on your laptop

rahbm

Fiola, as a field employee, was probably given a car; it almost certainly would have been something reliable, robust, and easily maintained. If IT had used the same principles, his laptop would have been running Linux - same (or better) experience for the user, with much less hassle for IT to maintain, and this whole fiasco would not have occurred. Why do people still insist on paying money for Windows, and getting a whole load of extra and unnecessary problems with it?

gil_gosseyn

"...noticed that his Verizon broadband wireless usage..." This brings up something that worries me about direct wireless broadband connections for laptops, & broadband connections in general. I have had a home broadband connection since 2000, and would never even consider connecting my computers to it without going through a router. I would rather have no AV software at all, than to do without the hardware firewall, NAT, stealthed ports, & packet inspection that are provided by even the most basic router. To me, connecting DIRECTLY to a broadband connection is equivalent to walking down a dark, dangerous street naked, while carrying a large pile of cash. Any computer on the Internet with a public IP address is ripe to be hacked in a variety of ways, and the proliferation of WWAN cards in laptops is creating the next generation of 'bots, just waiting to be controlled.

mikifinaz1

I have seen over time that many, if not most companies make it a requirement to be able to use the tools and people this helpless are not hired. I have IT review of all hires for this reason and we get to weigh in on hiring from this perspective. Thank God for the new people. I would rather be in the position of restraining their technical enthusiasm, than holding the hand of dinosaurs.

Zpunky

As is typical, this story starts and ends with the perspective of the end user. Ever read 'Wicked'? It's the 'Wizard of Oz' from the witches' perspective and gives a whole different spin to things. Outside of the tech industry I think most of us work for organizations that have no clue about the complexities within their own IT departments, nor are they aware how dependent their organizations are on these systems and the people who run them. For lack of a better analogy, this puts IT in the 'unwanted stepchild' category; we are perceived as an obligatory necessity, getting the bare minimum of resources, despite increasing demands. Yet, when something goes amiss, we are approached as if we have every resource we need at our disposal. Most execs don't even blink when told their IT departments worked round the clock to prevent some impending disaster, or that IT staff had to work all weekend to update systems. It's a given that IT makes up in man-hours what it doesn't get in funding. And in this case, it was a government IT Dept. In all organizations, corporate culture is set at the top and permeates down. Responsibility is partnered with authority, and it, too, starts at the top. Yet in most organizations when things go wrong it's the support staff (admin, operations and IT) that bear the burden, regardless of warnings or funding requests. In this situation, if the genesis of child porn on this laptop was malware or 'bot' related, I'd bet it happened because IT was not given appropriate resources to do its job thoroughly, whether that was funding for more staff or funding for qualified staff. The people parsing out resources are generally uninformed, and don't care to be informed, about their organizations' increased reliance on IT and the absolute necessity of adequately funding its needs. Would these same people skimp on the resources for an operating room for their surgery? This issue rises to the top because it affected someone in the field.
It is terrible, if the fellow is innocent. But this whole article, by failing to question the level of resources provided to the support department implies that support had everything it needed to prevent the situation and perpetuates the belief support departments are adequately funded. Sadly, I suspect this is the norm, not the exception.

vacaroiu_marius

Neither an uneducated user nor careless IT support alone generated these catastrophic effects on the guy's life. It took an over-zealous executive who escalated the situation and decided to immediately fire this guy without listening to him first or making sure that IT support had done its job. It was that executive's decision that turned an internally solvable problem (by user training and IT process improvement) into a career- and life-affecting situation, and later into one or more trials.

charlie

Perhaps I am missing something, but does the article ever state how they determined that Fiola had not downloaded the CP himself? Or were the charges simply dropped for lack of evidence that he did? This is a great anecdote for convincing clients, employers, etc., to invest in the proper tools to maintain clean environments.

bus66vw

I often hear "But why should I worry about security. I do nothing but my work and don't go to bad places on the web." Followed by "Why do we need encryption on the wireless Access Point?". From now on I will just hand the person who says this to me a copy of this article. A real life example like this will save me some time.

mdiaz

Poor Mike! I feel for the guy. During his interview he said he thinks a rogue hack or MAYBE somebody from the IT Dept placed the child porn on the laptop!! hmmm... Management screwed up, they assumed him guilty; IT screwed up giving him a defenseless machine (no anti-vir). This is a sad tale and should be a wake-up call for everyone in IT to make sure via rigid protocol that every machine they issue is clean & functional.

comradekyttyn

CP? On a used laptop? It's more likely than you think! You know, I'm not horribly surprised by this. With people from all walks of life finding god knows what on used and sometimes not used product, it's becoming an everyday event. Maybe educating the masses in how to properly re-image a computer when giving to another professional will help.

dogknees

If he didn't, whether by accident or intent, download the images, wouldn't they have timestamps prior to him being given the notebook? Either there's a problem with the way the investigation was done, or he's not quite as innocent as everyone seems to be assuming.

jgarcia

Mr. Fiola's explanations raise many questions: How did the pornographic material get onto the laptop? Was it by email, a temporary internet file, or did someone transfer it from a pendrive? Did Mr. Fiola ever detect those files? Did he ever report it to the tech support department? If he got them by email, was the email from a known person, was it spam? Did he ever report the spam to tech support? If we want the user as the first entity responsible for equipment security, tech support must educate him. Basic things such as checking that the OS and AV update processes are working aren't difficult to teach.

james

It really sounds like someone in their "IT" department is covering their ass for not doing their job. Where I work I go to each laptop user and make sure the updates have been installed.

kevaburg

A man's family, social and professional life is in tatters. He is branded in such a way that no matter where he goes his label will follow him. And why? Because someone somewhere didn't do their job. A lack of critical updates and functioning AV software left this guy high and dry and yet he was not even aware of it. So what will happen to the people that essentially caused this cataclysmic (not "unfortunate" or "cautionary") event? They will probably get a warning and be told not to do it again. In their next appraisal they will get a glowing recommendation for promotion because they resolved this issue and this poor individual will be consigned to the past mistakes bucket. The people that caused this to happen do not deserve to work in IT. People like this help identity thieves (the TK Maxx hackers for example) and data thieves (like those that stole details from the social security services in the UK) to carry out their misdeeds. A great deal more regulation needs to be brought in to control these incompetents and those accountable should be held accountable. Do I sound cynical? Probably. But I think with good reason...

Tig2

I'm so glad that I don't work for the Commonwealth of Massachusetts. I would hate to have the total destruction of a man's career and life on my conscience. And that from the perspective of a former ER nurse. When we are in the role of providing user support, we forget that our end users may not have the first clue about the machine and may not know enough to tell us if something is wrong. This was certainly the case for Michael Fiola. This unfortunate situation should serve as a reminder that our end users depend on us to provide them with tools that facilitate their jobs and protect them from malicious software that will infect them. And it should also remind us (who do support) that we really ARE an important part of the team. So how do you go about guarding and protecting your users? Or do you see something here that reminds you that your procedures need another look, and possibly revision?

mdiaz

Windows may be particularly susceptible to hacking; I'm sure Linux has its loopholes, and if Linux became the ruling OS, hackers would just focus on a new platform. That would be an interesting skirmish. The source of the kiddie porn on Fiola's laptop is unknown. Was it a zombie porn server? Unlikely if he had his machine OFF frequently, but who knows? I am no fan of MS, Windows or their other software, especially Excel, but compared to Gnumeric, Excel is a cinch to use. (not so subtle plea to programmers) Please make Calc, Gnumeric and open source software menu driven, not macro/formula driven!! Email me directly at tnicboston at juno dot com if you want to chat about this... I gots ideas... yep

seanferd

Perhaps the relevant IT dept. should do a little light reading. They can give Michael Kassner's blogs a go, for a start. Chad Perrin's blogs as well.

seanferd

What are you saying here? That this guy should have been his own tech support, occasionally investigating the laptop? How was this guy helpless? Is it just because he only used a word processor and email, which is all he needed to do his job? What else, exactly, is it that he was supposed to know? Your comments apply more aptly to the IT dept., management, and the prosecutors office. Dinosaurs, indeed.

seanferd

I think the article, and the author, see quite clearly past the end user perspective. If you can't do what is necessary with time or resources allotted, report that to management. (Not that they'll listen.) As far as Fiola's personal troubles go, I would blame management and the prosecutor. Mistakes will always happen, such is life. The thing is, IT noticed an abnormal amount of broadband usage, but failed to see that SMS was not properly connecting to the machine, regardless of any other original misconfiguration. Again, for the guy's problems arising from this incident, I would not blame IT. However, if the malware on the compromised laptop had installed a botnet on the network, I bet a few heads in IT and management would have rolled, regardless as to how poor the resources available to IT were. I do fully acknowledge that management does tend to shoot itself in the foot when it comes to providing support for the support department.

TonytheTiger

and the taxpayers are paying for it! They should demand (and get) the exec's head. He should be personally financially liable for all expenses incurred by the employee, and by the state based on relying on his incompetence. How much tax money is wasted by this sort of incompetence? It's easy to joke about it... "what do you expect, they're government workers"... but what we really need to do is seriously answer the question: "What DO we expect?", and then DEMAND it!

buddyfarr

Even if the time stamps were after he worked there, since the MS updates didn't work and neither did the antivirus, there is no way to prove that he did it. One malicious email could have planted the first malware and the rest downloaded from it, including the child porn.

SingerGuy

If these files are there as the result of malware then he probably never saw them. It is not uncommon for people who are doing underground illegal activities to run those activities from zombie computers. His computer may have been the unknowing host for a child porn ftp or web site. With today's DDNS capabilities each time he connected to the internet his web services would become active and people would begin hitting his computer. There would be no way for him to know this was happening. This is a good lesson on why we need to not jump to instant conclusions when we encounter problems. Taking a step back and doing good forensic research before accusing anyone of something that is as life-altering as a child porn charge should be an automatic step; especially in a state organization. If his lawyer is any good he shouldn't have to work again for years.

aaron.evolved.public

Companies spend huge amounts of time and money educating employees on Health and Safety. There are orientation courses, certificates, etc. But I have never worked at a company that has had a basic computer training course. Everyone is given a laptop/computer and sent on their way. If user training is part of the IT job description, then we have to have time built into our day to accommodate that. Companies should have scheduled IT training sessions where a tech can educate multiple users. Have an intranet site with FAQs, presentations, videos. Training needs to become part of the company culture. Part of the blame does need to be placed on the IT department, but is the problem a failing in the individual tech or a poorly put together IT process? If there was a defined process for laptops in terms of prepping/cleaning laptops on return and someone failed to do that, then yes, that tech did play a major part in that tragedy. If there wasn't a clear procedure, then that is a clear indicator that the department needs to look at their overall structure a bit closer. I also think that users need to understand that computers are not going to go away and invest in themselves in learning the tools of the trade. Most jobs in today's society require some level of computer skills and taking a computer course isn't out of the question. Users should be satisfied with putting a minimal amount of effort into learning the tools of the trade. I am not saying this guy deserved this at all. AT ALL! It's unfortunate what happened. I think there may be multiple factors that contributed to this situation. Too often someone has a flight at 1pm and the IT department was notified at 11am that there was a new user being hired. I hope this guy can find peace again so that when he looks in the mirror he can look himself in the eye and like what he sees. What I take from this story is that IT does need to build diligence into its procedures because the potential for disaster is ever increasing.
CIOs need to look for better ways of protect our users as well as help them protect themselves through education.

catpro-54

courtesy of Boston Herald: DIA spokeswoman Linnea Walsh confirmed Fiola "was terminated," but declined to say if any internal discipline has been meted out as a result of his name being cleared in court. "We stand by our decision," she said. Makes you happy to have these folks a part of our government, not.

TonytheTiger

long enough that the techs should have known of the possibility and brought it to the attention of the powers that be. It's called jumping to conclusions. Perhaps hundreds or thousands of people have had the same consequences as Mr Fiola in the last 10 years. One case I worked on where an employee was fired for porn in 1999 is an example. Techs (higher level office) reported access to certain bad websites to this user to management. They looked at the computer and found many pictures in the internet cache. That was the end of that... He was immediately fired. He lost his first two appeals and 3 months later he was foreclosed on and lost his home. On the last (there would have been one more) appeal the Union asked me to look at the evidence. Right off the bat I noticed that the monitoring software showed hits on the same sites at the same times (to the second!) every day for 19 straight days... Including weekends, and including days when the employee was off on leave! and that it started on a day when the employee wasn't there. (we were still on Windows 95 at the time, and you didn't have to "log on" to use the computer, just press escape and you could use it just wouldn't have network drives). 8 months later he got his job back, but because he wasn't totally innocent (they found a quattro pro football pool spreadsheet on the computer, and discovered that the user had been sending jokes in email), the arbitrator didn't order any back pay. We never did discover the how or who of the "infection", and a similar incident hasn't happened since. Oh, some other fallout of that one was that certain members of management seemed to think that my colleague and I (who "helped the union get that low-life's job back") deserved 'special scrutiny' for the next couple of years. It eventually faded.

RipVan

I couldn't get to the link that had the whole story on it. It was blocked by my government workplace computer. (And I never try to by-pass!) But the story on TR didn't really address enough details to tell what happened, although it seemed obvious that there must have been a defense put forward blaming the handling of equipment and the imaging and subsequent support process. We have our share of people who have no business being in computer support and people who have no business using computers. I am surprised something like this hasn't happened here multiple times... Still, I am always amazed by people who, in this highly technical world, say "Just show me what buttons to push to get my job done". Those are the same people who have no qualms about installing (or sometimes just attempting to install) their own screensavers, etc and always stupidly open joke emails from their friends and family. How many other jobs on the planet allow people to work when they routinely have no clue how to use the tools they must wield all day long?

john.demontjoie

Rather than getting heated at the IT company, the employee or a Government, your fury would be better directed at the scum who make, copy and distribute this filth.

TonytheTiger

date stamps can be forged fairly easily.

wdewey@cityofsalem.net

If his computer was not up to date just putting it on the internet would be enough for it to be compromised. I have had a number of people who purchased a new PC, put it directly on the internet just to have it taken over in a couple of minutes. Bill

anne.powel

We have computer/e-mail/spam/virus detection and other education as part of new hire orientation...and EVERYONE has to go to that. They also learn what is and is not acceptable on the network. We bring every laptop in at least once a month to check the updates and anti-virus. It doesn't make us perfect, but it does keep most of the malware and user-download issues at bay.

buddyfarr

At my organization we have orientation for new employees. This includes a 45 minute to 1 hour computer system orientation on how to login, use outlook, and some other items that they would need to know to do 90% of their work. But, even then employees are hired outside the normal times that orientation is held and then the departments don't make them go to orientation once it comes around. Those are the users we have the most problems with. Unfortunately this is a breakdown in management because we as an IT team cannot force them to go to orientation.

mdiaz

Knowing Mass. the way I do (and government in general), I would assume that nobody really suffered but the poor bastard that got canned. I personally doubt that most businesses will start firing people either...

mdiaz

Wow, what can I say but... Jesus! What a story. Thanks for posting it. Makes me realize what vindictive management can do to spoil the water in a workplace. Hang in there!

ScarF

While walking on the street, some paid services still protect one against the anarchy of uncontrolled desire shown by some of our fellow humans. This is a transparent process without restricting my own freedom, but leveraging it. It is the only idea that there is a payment for doing something bad to another person, isn't it? In the same way, what I am talking about is that the ISPs may provide content filtering by trying to remove the malware code embedded in the information received from the Internet by one's computer. It is outrageous that one may connect to the Internet while the protections are not fully updated and receive a lot of malware in the first second. A normal user is doomed. And, btw, the protections are updated from the Internet after having a working connection. Is there any other way of updating for a user who buys his protection software from a retail store? In real life, you may find this "limitation of freedom" while traveling through customs, where one is searched for weapons, drugs, and other malproducts. More information about "content filtering" may be found on the Internet by those who have the desire. I wish you all safe riding on the Internet as well as on the streets.

seanferd

Striking a balance between freedom and security, insofar as current models go, I would answer, "Me". I don't want the intrusiveness of the way ISPs would "protect" me, nor would I want my own personal entourage of police when walking down the street. IMHO, you got it in one.

ScarF

And here is where we get to the main problem: ISP companies assume no responsibility for the user's safety. When I bought a new computer for myself, I first configured everything, Windows Firewall included, and installed all the needed applications and AV and antimalware software. Then I hooked it onto the Internet through a firewall. To my surprise, during the first minute, even before the OS, AV and antispyware were able to update, I was infected by three pieces of malware. For this, I blame the ISP infrastructure which leaves the users completely unprotected. Today, a lot of people talk about local responsibility regarding Internet activity and they point the finger at the user or his local IT support, should this exist. However, the problem is global, it is on the Internet, and it should be addressed mainly by the providers and by the Internet organization. In my naivety I insist on considering that there would be less headache at the IT support level if the Internet companies decided to really involve themselves in this fight. Van

dlskhps

At my company every employee is required to take an online computer security, e-mail, spam and internet usage course. We provide malware, anti-virus and spyware software and show the users how to use and update them. A printed, dated and signed certification is placed in the person's work record and it is updated annually. It takes time, which equates to money, but it costs more to hire and train a new person than it does to fire one due to a lack of training.
