
FTP Server at LSUHealth New Orleans - nwalfield
http://samsclass.info/125/proj11/conway.htm
======
SeanDav
This is a symptom of an unfortunately very common reaction to system security.
Unless businesses are actively encouraging bug hunting, almost unbelievably
they will act with a lot of hostility to exposure of weaknesses in their
systems and will often shoot the messenger with extreme prejudice, even if
they receive the information privately.

There are countless examples of people getting burned rather than rewarded or
even thanked for bringing to attention some sort of flaw. My advice is do not
bother. There is almost no upside for you and likely very significant
downsides.

~~~
skywhopper
Nowhere in the original article[1] is the professor accused of hacking and
certainly not of having any malicious intent. The headline of the subsequent
summary in scmagazine.com[2] is where the word "hacked" came in, and to be
fair to the reporters, what the professor did would be considered "hacking" in
some legal interpretations of existing laws whether that's right or wrong.

To be clear, we have absolutely zero evidence that the IT staff at the
hospital ever accused him of anything or claimed he did anything wrong.
Apparently they didn't respond and tell him thanks, but given that they knew
who it was, if the hospital thought it was a crime, surely they would have
contacted the authorities.

In any case, neither article named the professor until he came forward, so I'm
not sure how even the extremely mild misinterpretations of the case could be
called libel, exactly.

All in all, this isn't exactly a cut-and-dried case of curious white-hat
smeared by the government and media. There are plenty of those to go around.
We needn't invent more.

[1] [http://www.thenewsstar.com/story/news/local/2014/08/19/conwa...](http://www.thenewsstar.com/story/news/local/2014/08/19/conway-server-breach-personal-information-lost/14296833/)

[2] [http://www.scmagazine.com/professor-hacks-university-health-...](http://www.scmagazine.com/professor-hacks-university-health-conway-in-demonstration-for-class/article/367123/)

~~~
acdha
Check out the actual HIPAA retaliation complaint:

[http://samsclass.info/125/proj11/LSU-HIPAA2.pdf](http://samsclass.info/125/proj11/LSU-HIPAA2.pdf)

I had the same initial question about why he was reacting so strongly but
people sending letters to your college administration demanding action is
something of an existential threat to someone who teaches ethical hacking.

~~~
kevinpet
Technically, he did not file a complaint with the office of civil rights. He
should file a formal complaint with health and human services since he
discovered a HIPAA breach, and since they decided to be assholes about it.
They aren't likely to stumble on an article and take action based on that.

------
jnbiche
Sam, if you're reading this, you need to find the newspapers' ombudsman.
You'll probably get better results from him/her than the CEO, since their job
is specifically to address these issues and in a decent organization will be
given the autonomy to do so (no guarantees here!).

It's not clear to me that LSU is responsible for anything more than shitty
security. It's possible that they told the newspaper lies, but it's also
possible that they told them the truth and that the newspaper misreported. I
think reporting them for a HIPAA retaliation may have been premature, unless
you know more about this situation than you wrote on your site (as opposed to
reporting a HIPAA violation, which this clearly is).

But best of luck going after the newspapers. I'm getting sick of these
"journalists" making up lies about the central figures in their stories
without bothering to even check with them first to get their side of the
story.

EDIT: Aaand, apparently, neither publication has an ombudsman, which tells you
a lot already. Not a big surprise with SCMagazine, which is some kind of trade
magazine, but it's too bad that even a small-circulation newspaper like the
News Star wouldn't have one.

~~~
coldcode
I spent a time as a HIPAA architect so I know exposing patient information to
the public is a violation and should be reported even if accidental. However
reporting it and having someone actually investigate it and prosecute is
unlikely. It was pretty rare that anything was ever done (been a few years),
especially to a large organization. I also know that people inside companies
that handle HIPAA covered information rarely care as long as they pass their
audits.

------
ck2
This is a case of some idiot who is responsible for the server having to tell
management something so they say "oh this guy hacked it".

Management tells the lawyers and PR which forwards it to the "news" who just
go for the most sensationalist story possible.

Hope he wins any lawsuit and more importantly his reputation back somehow.

I'm not even sure what would have been the better course here other than to
have CC'ed other people on the email.

ps. No way in heck I am going to click on them but those filenames seem to
appear in google cache elsewhere.

~~~
UnoriginalGuy
Let's assume that is all true, the "journalist" not contacting the professor
before publishing that article seems quite unprofessional.

I mean aren't real journalists meant to check sources and get both sides of a
story (or outside of America anyway)?

~~~
rational-future
> aren't real journalists meant to check sources and get both sides of a story

No, they are meant to sell as much ads as possible.

~~~
mpclark
Steady on.

The journalists I know do indeed meet society's expectations for fairness and
accuracy, and make calls and pound beats, but there are also a lot more people
who project themselves as journalists who are a long way from this ideal.
Sadly market pressures mean there are a lot of the latter about.

------
Mithaldu
The follow-up article ( [http://www.scmagazine.com/professor-says-google-search-not-h...](http://www.scmagazine.com/professor-says-google-search-not-hacking-yielded-medical-info/article/368909/) ) has the most ironic line in
it:

> At press time, Sam Bowne had not responded to a Thursday email and Friday
> phone call from SCMagazine.com for comment.

------
tptacek
Falsely accusing someone of a crime often isn't just libel, it's _per se_
libel, meaning that that there's liability even if the aggrieved party can't
prove damages. Running a newspaper article that turned out to be false without
even attempting to contact you might clear the negligence hurdle here.

------
metaobject
I like the fact that the article stated that no patient information had been
accessed. How many times have you heard that line when news of a breach is
made public? It makes me think that these folks would rather cover up a breach
than actually take responsibility for it.

~~~
fnordfnordfnord
Yeah. Having been caught storing private information on an open ftp server
disqualifies your authority to claim that you know/knew who else may have
accessed the data.

------
Mandatum
I can give some personal experience on this - I started bug/vuln reporting
mid-last year. I've reported a bunch of web-application bugs that ranged
from simple XSS and CSRF to RCE and directory traversal in a range of
applications (Enterprise software is rampant with holes).

I've only encountered two non-respondents. Everyone else has thanked and
patched within a month and I even gained employment from one encounter! Yet to
get a reward, however I do this for a hobby, rather than money.

Although one day I hope to do this professionally! There isn't much work in
New Zealand for it though.

EDIT: To clarify, my process is: report to vendor with suggested patches,
follow-up 1 week later if no response, follow-up two weeks after response to
see if it's patched, ask permission to use my bug report publicly. In some
cases there'll be a phone call from the respondent to ask about my background
and see what my intentions are. Occasionally they schedule a coffee/meeting.

------
chris_wot
The journalist's twitter account is here:
[https://twitter.com/writingadam](https://twitter.com/writingadam)

~~~
pavel_lishin
Let's not turn this into a reddit-style witch hunt.

~~~
chris_wot
Umm... too late? The witch hunt began with the man targeting the professor.

~~~
pavel_lishin
Mom, he started it!

------
rdxm
One can only hope our friends at UHC are undergoing a proper procto-scoping by
the regulators at this point.

As for the reporting side of this (note I did not use the word
'Journalism'...). This is the quality level that has become the standard in
the world of junk news. One must have the sensationalism in the title to get
the click...that's it. The actual quality of the content is pretty much
irrelevant..

------
lutusp
If the linked recitation in any way corresponds to reality, and it seems to,
the professor has a legitimate complaint, but he should have consulted an
attorney before publishing his responses to the various parties involved. The
reason I say this is because, even though he appears to be in the right and
has a reason to be outraged, he could be sued for libel himself.

As one example, if he describes a named or identifiable person as a "liar"
online, the subject could sue for defamation of character _if it turns out
that they didn't know what they said was false_ (which fails the definition
of "lying"). That's a simple case where an extreme, emotional term places
someone in a _false light_.

[http://en.wikipedia.org/wiki/False_light](http://en.wikipedia.org/wiki/False_light)

Remember, in this litigious society, no one is immune from legal actions, even
those clearly wronged, as the facts seem to indicate in this case.

------
Soyuz
I'm not sure why people inform organizations about vulnerabilities. All
they will get from informing them is a shock when they slap you in the
face and call the police for the alleged hack!

It is better to sell the vulnerability in the underground forums.

~~~
XorNot
No it is better to do absolutely nothing, and quietly divest yourself from
them because that's not illegal.

But what we really need are some damn whistleblower protections for
cybersecurity - buzz-wordy enough for government funding and command centers,
but no actual help for the people who _want_ to help because it feels like the
right thing to do.

~~~
gilgoomesh
There _are_ protections for cybersecurity here. From the article:

> HIPAA explicitly forbids LSU from retaliating against me for reporting a
> HIPAA violation, so I filed a federal complaint against them for their
> illegal retaliation.

------
akerl_
Reading through this, it seemed like a pretty clear-cut case where Bowne had
done things right from start to finish. And then I got to this:

"Apparently, committing libel is a common thing for them, and they are
comfortable completely ignoring the protests of their victims."

I understand that he's likely under tremendous stress as a result of the
allegations that LSU has made, but I'm a bit concerned that in his expression
of shock and outrage he has turned to making what appear to be potentially
libelous statements of his own.

I hope that his goal of having the accusations withdrawn is not hindered by
this momentary slip into hyperbole.

~~~
atmosx
Hm, not really. That's just you being pedantic. When you've been a victim of
someone else's incompetence you assume that he is an incompetent because, the
only reason you know of his existence is because of his incompetence.

Given the fact that many of us believe that the two magazines do not _really
care_ about what happened, as much as they prefer getting _clicks_ - a view
which is supported by the course of action this story took - it's not a far-
fetched claim at all. Especially for a man in his position.

NOTE: They didn't take any action even when notified. The only way for them to
remove the article would be a letter from a lawyer (or at least that's what I'm
getting).

~~~
akerl_
Neither his position nor his circumstances provide factual backing for the
claim that "committing libel is a common thing for them" or that "they are
comfortable completely ignoring the protests of their victims".

Being a victim of their incompetence does not give him free license to imagine
ways he thinks that they are incompetent and then express them as fact.

They have not yet taken any action. It's just as likely that they haven't seen
his tweet.

They are certainly in the wrong here. But his jab at their moral standing
weakens his position, and given the state of business <-> individual relations
when it comes to disclosing security vulnerabilities, he wants his position to
be as strong as possible in case they do turn out to be malicious and attempt
to make the case that he violated their security.

~~~
spacemanmatt
There is a good chance a judge would find that the reporters are guilty of
libel. Then the professor would be in a pretty good position to defend libel
counter-charges.

I thought you'd get more meat from his reference to their crimes. Libel is
civil.

~~~
lutusp
> There is a good chance a judge would find that the reporters are guilty of
> libel. Then the professor would be in a pretty good position to defend libel
> counter-charges.

That's true, but in many cases like this, on weighing the evidence and seeing
evidence for mutual libels, the judge will throw out both actions. The
professor should have consulted an attorney before calling people liars -- all
the subjects need to do is show that they didn't publish statements _that they
knew were false_ (thus failing the definition of "lie"). Failing a reasonable
test of due diligence may be deplorable, but it doesn't make one a liar.

> I thought you'd get more meat from his reference to their crimes. Libel is
> civil.

All true. One of the ironies of modern times is that a civil action can do
more to undermine one's life than a criminal one, depending on the
circumstances.

------
teachingaway
The follow-up article is a bit better. But I don't like the way the original
title is presented as fact:

"Professor hacks University Health Conway in demonstration for class"

While the follow-up is titled as " _Professor says_..."

"Professor says Google search, not hacking, yielded medical info"

[http://www.scmagazine.com/professor-says-google-search-not-h...](http://www.scmagazine.com/professor-says-google-search-not-hacking-yielded-medical-info/article/368909/)

------
lnanek2
> This is a very strange way to run a news blog.

He doesn't seem to realize all that matters to the blog is getting page
views...

------
cientifico
I think the first article is just a sponsored article by University Health
Conway. By trying to convince public opinion that it was hacking, University
Health Conway probably want to skip charges for negligence, reveal and
distribute personal data publicly...

------
plg
I think the thing to be careful of here is the method(s) one uses to reveal a
vulnerability.

Think of a brick-and-mortar analogy. You queue up at airport security, you go
through, and you notice that their procedures are such that one COULD bring a
banned item through and potentially not get spotted. You inform the
appropriate authorities that you think there might be a weakness, and you say
how and why.

This is probably not going to get you in trouble.

Another scenario: You go through security and make a mental note (as above) of
a potential vulnerability. You (as above) report it to the appropriate
authorities. Now some time in the future you are going through airport
security and you wonder to yourself "I wonder if they fixed it". So you decide
to test it out. You bring a banned item through. You get caught. You are in
trouble but you say in response "but I was the guy who informed you of the
vulnerability and I was just checking to see if it was fixed".

Good luck with that.

My feeling is that if you notice a potential (or actual) vulnerability as part
of an everyday, normal use case of a website, or a web service, or network,
then fine, you can report it, and you likely won't get into trouble.

On the other hand if you additionally decide to test the system in such a way
that could be misconstrued as an attack, then you will probably get into
trouble.

Another analogy: you walk into Macy's and on your way in you notice that the
security system they are using is outdated, and you know it is vulnerable ---
(made up silly example) you know that if you break in while holding a tuna
sandwich, the alarm will not go off. So that night after the store is closed
and locked, you break in, while holding a tuna sandwich, and you take a pair
of $300 shoes. The next day you go to the store and you say "look guys, I was
able to break into your store and steal these $300 shoes." You think they will
thank you? or will they call the police?

~~~
pitnips
I like your first analogy. Your second analogy, on the other hand, seems to me
to justify the action. I think Macy's would thank you rather than call the
police, but that's just my opinion.

~~~
plg
Maybe they would thank you. Imagine though the day after, they had noticed
security camera footage of a masked intruder wandering the store, and then
taking merchandise out the door. They can't identify the intruder. They call
the police. There is an investigation. They spend $$$ on a new security
system. People are fired. Then some time later you wander in with a smile on
your face and tell them how you were the one who cracked their system. I can
see a scenario where they are furious with you and call the police, telling
them that you have just confessed to a crime. The police then say, hey buddy
you committed a crime, you confessed to it, and now you are trying to say you
did it "for a good reason". Good luck with that.

~~~
tzakrajs
Bad analogy in this case because the school had no idea that their FTP server
was even attacked in the first place.

Better analogy to what happened: Imagine you steal the $300 shoes with your
new fangled trick and the mall security do not notice at all. You come back
the next morning with the $300 shoes in-tow and then they call the police.

------
cjschroed
This is why I never ever "report" security vulnerabilities without first
having a contract with the afflicted party. It sucks, but I am not willing to
be burned as a witch just because I understand security.

------
mariuolo
Next time send the newspaper an anonymous tip.

The guys with the open FTP server clearly don't give 2 fucks about your
privacy, but in a sue-happy atmosphere they're trying to place the blame on
someone else.

~~~
volume
At a minimum the reporter could have googled Sam to find out he teaches
security and the range of classes:
[http://samsclass.info/](http://samsclass.info/)

... or applied some logic. Instead of contacting them directly he could have:

* broadcasted it to the world (maybe a reporter!) that the FTP server was insecure
* done/said nothing

~~~
pyre
How was the reporter supposed to Google this? Looks like he wasn't named in
the original article or the SCMagazine.com article. Just a "professor of
computer science at City College in San Francisco." Unless he is the _only_
computer science professor there, then they didn't have his name.

------
gravypod
I have always loved Sam's work at Defcon. It is sad to see the world "turn" on
a good security researcher.

------
jigglepanda
It's sad that institutions act this way. I also stumbled upon a rather nasty
vulnerability in the website of a largish company. I left it as is, without
notifying anyone, precisely because I didn't want any trouble.

If I found it by accident, I'm sure malicious actors can find it as well.

~~~
chid
If you read the article, it was already exploited.

------
rmc
Why don't they lawyer up, and sue them for defamation/libel?

------
skywhopper
Clearly the article was wrong, but the reporter could only go off of what the
hospital told him or her, and that does not seem to have included the
professor's contact information. Rather, I'm guessing the message that got out
of the IT department was "we got hacked by a professor", which then likely
mutated via the rumor mill into the details about a class demonstration.

If anything, I think this shows the hospital gave the professor a lot more
benefit of the doubt than I would have expected.

The professor did himself no favors with his email:

    I am Sam Bowne, an instructor at City College
    San Francisco, and I found two security problems
    on your server with a Google search.

    Your FTP server has been compromised, and some
    files named "w0000000t" were added to it.

If I'm the IT administrator who receives this message, then after reading the
first two sentences, I've already jumped to the conclusion that _this
professor_ is the individual who compromised my server! "Hi, I found security
issues with your server, and now it's compromised!"

Sure, once you've read the intro by the professor, the meaning is clear, but
think of yourself as a sysadmin getting this email, without the context of "I
just found this, I had nothing to do with it" in your brain, and how are you
going to react? Once the idea that the sender of this email is a hacker who
broke into your server has entered your mind, it's going to be very hard to
interpret it differently. Given that, the guy got treated pretty nicely by the
story and the hospital in the end.

~~~
binarymax
Your first sentence echoes the sorry state of affairs regarding what passes
for journalism these days. Getting all angles of the story and doing fact
checking is absolutely the responsibility of the journalist. The author had
the professor's name - all it takes is 5 minutes of research to get contact
information to follow up correctly. The journalist really has no excuse in
this matter.

~~~
ar-jan
> The author had the professor's name

No, as far as we know the articles were based on the University Health legal
notice
[http://www.uhsystem.com/Conway/FINAL%20Conway%20-%20Press%20...](http://www.uhsystem.com/Conway/FINAL%20Conway%20-%20Press%20Release%20-%202014-8-15.pdf),
which does NOT contain Sam's name.

Can you accuse someone of libel if the accused is unnamed?

This doesn't take away from the fact that the claims in the report are false,
of course.

~~~
lutusp
> Can you accuse someone of libel if the accused is unnamed?

Only if the unnamed person can be identified. If a person is unnamed, or given
a made-up name, _and_ readers cannot associate the name with a real person,
then it's not libel.

Many legal actions revolve around this issue. A plaintiff says, "I'm the
person this article is about!" while simultaneously claiming, "The article
doesn't describe me accurately!" Only one of those can be true.

------
powertower
"It is outrageous for a journalist to write such lies, accusing me of serious
crimes, without even contacting me to find out what happened."

There is little to nothing that can be done about this. It's all about
narratives, sensationalism, and agendas today.

Just take a look at the media stories about Ukraine where everyone (in US
media) just makes shit up and presents it as the truth. No one questions
anything.

Or the Michael Brown shooting. Where the media (CNN, MSNBC) pushed their
narrative once more, completely ignoring all facts surrounding the event.

It goes on and on and on, with almost every major story being so biased,
misleading, and twisted, that it might as well be seen as a complete
fabrication...

Here is another good example of security related stories being "misleading" -
[http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudul...](http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html)

~~~
ethanpil
This is exactly what has been happening to reports about Israel / Gaza. Same
problem. Outright lies.

~~~
pessimizer
And while we're being vague cranks, how about the parking on the street around
the corner from my house? Is it allowed on weekdays or isn't it? At what time?
I can never get a straight answer.

~~~
lotsofmangos
I can remember back when there were ships on the Tyne.

Big ships. With funnels and everything.

