
FBI raids dental software researcher who discovered patient data on FTP server - corywright
http://www.dailydot.com/politics/justin-shafer-fbi-raid/
======
ghoul2
As a separate issue: why the "shock and awe" response to what is (even
allegedly) a non-violent crime? Why the assault rifles? Why could he not have
been arrested by just a couple agents walking up to the door, knocking, serving
the search warrant, and then maybe having the techs step in to conduct the
search and seizure?

Why does US Law Enforcement so dramatically escalate every contact with a
citizen? Every time they do this, they risk accidental injury to the people,
kids, pets.

What in this particular situation necessitated a SWAT-level treatment?

Maybe the law should be fixed such that warrants have to specifically include
firearm authorizations.

~~~
gist
Two reasons perhaps. Publicity and safety of the officers. How do they know
how this person is going to react (or anyone else in the house)? And the
publicity is much greater with a greater show of force (hence a deterrent) as
well as with a shock and awe response.

~~~
zbobet2012
Research on the subject says this is more dangerous for the cops than the
calmer approaches.

The irony is cops do this to protect themselves, and statistically speaking it
has the exact opposite effect.

~~~
dragonwriter
If the research says that then either:

(1) The law enforcement decision makers are unaware of the research (which is
unlikely), or

(2) The stated motivation is not the actual motivation.

~~~
PKop
Or (3) they don't believe the research and trust their "instincts", right or
wrong.

~~~
sheepleherd
Or (4) they do believe the research, and they use it in their calculation that
says that while they should err on the side of caution and should overdo force
"a little bit" just in case, that they should be careful not to go too far...

... which turns out to be the same calculation they used all along.

------
jneal
This reminds me of something that happened to me in high school back in 1999.
I found an Excel doc in a public network drive that contained every single
student's SSN, DOB, whether they had free/reduced lunch, address, phone, etc.
I was admittedly snooping around, but this was all public stuff every student
and teacher had full access to.

When I found it, I told one of the teachers that I trusted and she insisted
that I must tell the principal. So I went down to the principal's office and
told her. My primary goal was to get this removed or made private because even
at that young age I knew this was very sensitive data and I wouldn't want just
anyone having access to my information like that.

When I got home from school, I found my mother upset because we'd been called
to return to school for an emergency meeting. I was questioned, and when I
told them I only wanted this sensitive information properly secured I was told
by the county IT administrator "Did you ever stop to think if maybe this
information was public for a reason?" I took a second, and literally wanted to
say "There is no reason this information should ever be public" but I ended up
keeping my mouth shut in hopes to not get into further trouble.

I was nearly expelled for "hacking". They placed me on "academic probation"
and threatened that if I did so much as forget my school ID at home one day, I
would be immediately expelled without question. I was removed from my elective
classes that involved computers and was disallowed from touching any computers
at school.

Fun fact: Someone on the yearbook staff accidentally deleted the only copy of
the yearbook files and our yearbook was in danger of basically not being made.
I was called to the principal's office and asked to help. I was able to
recover the deleted files and save the day. At some point they realized I
never had malicious intent, but I still hold a small grudge for the way I was
treated as a criminal for uncovering such a big security hole.

~~~
godzillabrennus
I had a similar thing happen to me. In high school our user names were first
letter of first name and last four of last name. The passwords were the last
four digits of our phone numbers.

I figured out that the teachers had the same schema for their accounts. They
also published a directory with all the names and phone numbers of the
students and teachers. So basically I tried accounts until I got a teacher who
didn't change their password. Then I used their ability to place files in
shared folders on the network to distribute Quake2 across the different
servers. I told a friend and they told people and inevitably the school blamed
me for it and kicked me out of all my electives that had computers in them. I
was the first student to ever fail touch typing because I couldn't complete
the class.

Standardized learning and I have never been friends. I'm glad they taught me
the system doesn't work and to work/learn outside of it.
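
An added example, not from the thread and not the school's actual system, of the audit an organization could run against exactly this kind of directory-derived credential schema: usernames and default passwords are recomputed from the public directory and compared against the stored (salted, hashed) passwords, and every match is an account that anyone holding the directory can log into on the first guess. The directory rows, the account table, the salt and the hash format are constructed for the example; the usernames are derived in directory order.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Person is one row of the published directory (constructed data).
type Person struct {
	First, Last, Phone string
}

// Account is one row of the account table; the hash format (hex SHA-256 of
// salt||password) is an assumption of this example, not the school's.
type Account struct {
	Username, Salt, Hash string
}

// usernameFor reproduces the schema described in the thread: first initial
// plus the last four letters of the last name, lower-cased (ASCII assumed).
func usernameFor(p Person) string {
	first := strings.ToLower(p.First)
	last := strings.ToLower(p.Last)
	if first == "" || last == "" {
		return ""
	}
	if len(last) > 4 {
		last = last[len(last)-4:]
	}
	return first[:1] + last
}

// defaultPasswordFor is the other half of the schema: last four phone digits.
func defaultPasswordFor(p Person) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, p.Phone)
	if len(digits) > 4 {
		digits = digits[len(digits)-4:]
	}
	return digits
}

// hashPassword mirrors the assumed storage format, so the audit only ever
// compares hashes and never needs plaintext from the account table.
func hashPassword(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + password))
	return hex.EncodeToString(sum[:])
}

// AuditDefaults returns, in directory order, every username whose stored hash
// still matches the password anyone can derive from the public directory.
func AuditDefaults(directory []Person, accounts []Account) []string {
	byUser := make(map[string]Account, len(accounts))
	for _, a := range accounts {
		byUser[a.Username] = a
	}
	var weak []string
	for _, p := range directory {
		acct, ok := byUser[usernameFor(p)]
		if !ok {
			continue
		}
		if hashPassword(acct.Salt, defaultPasswordFor(p)) == acct.Hash {
			weak = append(weak, acct.Username)
		}
	}
	return weak
}

// SampleData builds a constructed directory and account table: two accounts
// were never changed from the default, one was.
func SampleData() ([]Person, []Account) {
	directory := []Person{
		{"Pat", "Morgan", "(555) 012-3456"},
		{"Lee", "Chen", "555-987-6543"},
		{"Sam", "Ortiz", "555-555-0199"},
	}
	accounts := []Account{
		{"prgan", "s1", hashPassword("s1", "3456")},          // still default
		{"lchen", "s2", hashPassword("s2", "correct-horse")}, // changed
		{"srtiz", "s3", hashPassword("s3", "0199")},          // still default
	}
	return directory, accounts
}

func main() {
	directory, accounts := SampleData()
	for _, u := range AuditDefaults(directory, accounts) {
		fmt.Println("still on directory-derived default:", u)
	}
}
```

Run against the constructed data it reports prgan and srtiz. The point the audit makes concrete is that the directory collapses the search space to one guess per account, so the fix is not a lockout threshold but forced password changes on first login and usernames and initial passwords that are not derivable from anything published.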

~~~
Obi_Juan_Kenobi
I don't think that's really similar at all. You circumvented password
protection and used it to play games. I don't agree with the punishment, but
you clearly broke the rules. I also don't see that as having anything
whatsoever to do with standardized learning, just you wanting to play games at
school.

~~~
AnthonyMouse
It does fit with the trend of crazy overreactions to "computer hacking"
though. If some kids figure out where you keep the keys to the gym and you
catch them playing basketball after hours when it's supposed to be closed, you
give them some detention, you don't prohibit them from ever entering the gym
thereby causing them to miss school assemblies and fail classes. But do the
equivalent thing on a computer and they assume you need the Hannibal Lecter
treatment or else you'll whistle into a phone and bring forth Armageddon.

------
callesgg
About a month or so ago I found an open public Mongo database with about 12GB
of records regarding people's retirement funds of what I assume was hundreds
of thousands of people, account numbers, how much money was in the accounts
when they had moved them to various funds and so on.

Thought long and hard about what to do but decided to not do anything, don't
feel like risking my entire life just to help someone. This is me assuming
they did not intend to have it publicly open.

With that story out there, it would be nice to have a legit legal way to
inform the police or a similar trustworthy government agency that could handle
issues like this.

~~~
rveeblefetzer
You could search PGP keyservers for email addresses/domains of the local media
where that retirement fund is located and take it from there, using your own
judgment about the reporter and outlet, and how much you'd want to mask that
communication.

~~~
x1798DE
> You could search PGP keyservers for email addresses/domains of the local
> media where that retirement fund is located

Best case among the likely outcomes of that is: "Can you re-send that e-mail?
It's all garbled or something."

------
openasocket
It sounds like Patterson Dental deserves as much blame as the FBI, if not
more, because it sounds like they were the ones pressing charges and
motivating prosecution in the first place. Also, why aren't they being charged
with what is almost certainly a HIPAA violation?

~~~
blktiger
If patterson dental (and I say if since we don't really know) is behind him
getting arrested, I hope all their patients find out about the details of this
and they go out of business. If nothing else they should be charged with HIPAA
violations.

~~~
jessaustin
Patterson is not a dental clinic. Like Henry Schein which was also mentioned
in TFA, it is a large dental supply company. One reason that dentistry is so
expensive, is that assholes like these run an oligopoly of "specialty" dental
supplies. It's not as bad as military procurement, but it's kind of like that.
Dentists as a profession are risk-averse, and that includes the "risk" of
purchasing dental equipment and supplies without a 300% price markup.

So, the chance of them going "out of business" is pretty slim. It's entirely
possible that dentists unfortunate enough to have chosen Eaglesoft will get to
pay some HIPAA fines, however.

~~~
dragonwriter
> So, the chance of them going "out of business" is pretty slim. It's entirely
> possible that dentists unfortunate enough to have chosen Eaglesoft will get
> to pay some HIPAA fines, however.

Will they? Since Eaglesoft claimed to provide encryption, and the practices
relied on that claim, it seems unlikely that the practices are at fault; if
they are subject to civil liability at all for inadvertent violations -- or
even if they just have costs to cure the violations without money liability,
which seems more likely given the history of HIPAA enforcement -- they would
seem to have a claim for _at least_ the total resulting costs in damages
against Patterson.

As far as _criminal_ violations of HIPAA goes, it doesn't seem particularly
likely that any occurred, and if any did its pretty clear that the practices
are (barring any evidence of knowledge that hasn't come to light) unlikely to
have had the requisite knowledge or intent to be culpable, though the
violations may have been willfully caused by Patterson's actions, which --
even though _Patterson_ might not usually be directly covered by HIPAA as
regards what appears to be on-premise software they sell -- might make
_Patterson_ a (and possibly the only) chargeable principal in any crime. 18
USC Sec. 2(b): "Whoever willfully causes an act to be done which if directly
performed by him or another would be an offense against the United States, is
punishable as a principal."

~~~
coldcode
HIPAA violations that are prosecuted are so rare they may as well not exist. I
worked at a place that shared all the prod server/db passwords in a text file
and they thought that was OK because they passed some half-ass audit. No one
cared.

------
qb45
Another lesson not to trust people/organizations ignorant enough to keep
confidential data in plain text on anonymous FTP.

It seems that the 21st century responsible disclosure procedure goes like
that:

0. use Tor for the research itself

1. report problems anonymously

2. if they don't care - report them to law enforcement for breach of
confidentiality

3. if these don't care either or don't accept anonymous tips - make noise in
the media

Of course, this is for dealing with idiots who keep their data on public FTP.
If the attack takes some clever hacking, go check if they don't offer bug
bounties. Funny times we are living in.

~~~
Retric
Step 1: Anonymously report them to law enforcement.

There is no step 2.

~~~
hackney
Nonsense. It could be as easy as printing fliers at home and dropping them
in an appropriate space, or mailing letters with the return address the same
as the mailing address, or using Tails 2.x to email HIPAA and the police using
a throwaway address. But contacting them in person? NFW

~~~
tajen
Never print anything for anonymous purpose. All printers have a watermark.

~~~
logfromblammo
This is not strictly true. So many color printers have a yellow-dot identifier
pattern now that you should just assume that anything you print with one can
be forensically linked with the printer's serial number, unless you
definitively know otherwise. Monochrome printers are much less likely to add a
nearly-invisible identifier pattern to every page. Check your printed pages
under a microscope with different colors of light.

Nevertheless, if you want to print something and wish to remain anonymous, it
isn't a bad idea to assume that every document that a particular printer ever
prints can be linked using the printer's serial number, even if you _think_
that specific printer is safe. Never print anything on it that can be linked
to your public identity. Don't connect it to the internet.

You may never know whether there's some sort of steganographic encoding
mechanism that targets certain print geometries in ways that you can't detect.
There probably isn't. But if you're a dissident or troublemaker, can you take
even a tiny risk?

~~~
hackney
Speaking of which, since we are talking flyers. Type once, print once at low
res in b/w, and then copy that at a lower res, using that to make fliers. Done
and done.

------
AdmiralAsshat
The FBI is going to have a hell of a time arguing that accessing a public FTP
server with no password protection is a crime.

~~~
cmdrfred
I believe that it is still considered unauthorized access even if they don't
have a password set up. I think it goes back to law that existed before
computers where if you entered someones home without permission you can't
simply argue that there wasn't a lock on the door.

Edit: ProAm above reminded me of the Andrew Auernheimer case that was nearly
identical to this and was resolved as I describe.

~~~
nfriedly
Yeah... but a site on the internet is more akin to a store than someone's home.
It's completely normal to walk into someone's store.

~~~
maxerickson
An ftp server is clearly more akin to a spooky abandoned building.

~~~
agroot12
A more accurate analogy for an FTP server is a machine that sends you letters
on demand.

It's like Shafer wrote a letter to their office asking for their list of
patients, and lo and behold, they've sent him back an envelope containing that
list.

------
wyldfire
> Defense attorney Tor Ekeland, who represented Auernheimer in the federal
> court case in New Jersey, has offered to help Shafer ...

Based on his website it appears that "Tor" is actually his given name. What an
odd coincidence.

~~~
mjgoins
Yeah common Scandinavian name, same as Thor, essentially.

------
Steuard
I know this is only tangentially related to the HN content here, but does
anyone have a sense of why the FBI would choose to respond to this sort of
case with a dozen agents and weapons drawn? Rather than, say, two guys
politely ringing the bell and asking him to come with them?

Unless there's a lot left out of this article, I wouldn't think most
"unauthorized computer access" suspects tend to be heavily armed.
(Particularly if the company actually reported the context of the "crime",
including the fact that he had voluntarily notified them of the problem.)

~~~
geggam
SOP... Military tactics against citizens. Overwhelm with force so the subject
cowers in fear. Works great, doesn't it?

~~~
hellbanner
Yes, remember GwB's "Shock & Awe"

------
merrywhether
Reading this, I had an idea for a new law that could counteract this stupid
reaction to security research:

Particularly for protected patient information (but maybe for other classes of
sensitive data as well), it would be interesting to somehow classify having
this information breached as a crime by the holder of the information (I
realize this might be hard to do given the reality of security these days, so
there would need to be some nuance of course). The crux of my idea would be to
automatically count any access that results in prosecution as a breach of said
data, thus meaning that prosecuting a security researcher would automatically
put the information holder under separate prosecution. I wonder if something
like this could be feasible.

~~~
AnthonyMouse
> classify having this information breached as a crime by the holder of the
> information

The source of the problem in this case is that the CFAA is too loose/broad and
the penalties are _absurd_. The solution is to fix that. Make it so that the
only penalties available are proportional and innocuous actions like reporting
vulnerabilities are bright-line not illegal whatsoever.

You're essentially suggesting cold war style MAD as a solution to the
government foolishly supplying toxic waste to children who are then found
using it to poison people they don't like, under the theory that if everyone
can poison everyone then everyone will have to behave. Better to clean up the
toxic waste than ensure equal access to it.

------
sathackr
Fun fact:

Many financial institutions use the last 4 of your SSN as identity
verification.

If you're a business, it's the last 4 of your FEI/EIN.

I know at least in FL, this is publicly available at sunbiz.org

So with the account number printed at the bottom of your paycheck/stub and the
FEI/EIN, you can often authenticate to a financial institution and obtain
privileged information.

I know this not because I was on the "hacker" side, but because I was involved
on the financial institution side of it and caught this as part of my
engagement. The institution was issuing new logins for its internet banking
site and the password would have been based on the users name, zip code, and
SSN/FEI/EIN, all 3 of which are available (in FL) on that sunbiz.org site.

~~~
DrScump
Years ago, one of my credit unions used SSN as the account number... so every
one of our checks had our SSN printed right on it.

~~~
sathackr
awesome!

In my experience, credit unions are usually worse than Banks on the security
side. There are exceptions, but they are not the norm.

One credit union I dealt with always opened and closed with a single employee.
Very dangerous for the employee. This same union kept the A and B part codes
to their vault in a locked desk drawer (one of those cheap desk drawer locks
that anyone can pick with a paper clip) in the lobby, and full internet access
was available on all computers. Tellers all shared a single cash drawer and
the teller PCs were routinely used by the tellers for general web surfing,
Facebook, Pandora, etc...

------
downandout
Unless there is more to the story, he won't be prosecuted for accessing an
anonymous FTP server. However, they will scour the computers/drives they took
(for months or possibly even years), looking for evidence of this or any other
technically illegal misdeed. In the unlikely event they find nothing that they
can take issue with (this being a security researcher's computer equipment,
they'll find all kinds of hacking tools and possibly evidence of other
research that could be construed as hacking attempts), in a year or so, he
might get his stuff back. If they find anything, he'll face charges for that.

That's how law enforcement in the US works. A crack in the door, in the form
of a ridiculous accusation, is all it takes for one's life to be destroyed.

------
rrggrr
Here's an investigative tool the CFAA & the FBI needs... if a company like
Patterson Dental spins up an investigative raid with a baseless complaint, the
Bureau should be able to charge them with a crime. One almost hopes the FBI
investigation yields enough evidence to charge Patterson with a criminal
violation of HIPAA.

~~~
a3n
Why would the FBI and prosecutors punish Patterson? They gave the FBI an
opportunity for raids and prosecutions, and those look great on an annual
review.

~~~
dragonwriter
> Why would the FBI and prosecutors punish Patterson? They gave the FBI an
> opportunity for raids and prosecutions, and those look great on an annual
> review.

Why go after Patterson? Because that would give them opportunities for more
raids and prosecutions, which look great on an annual review. And raids and
prosecutions for acts which are probably more politically useful to
politically-minded US Attorneys than whatever kind of case they could make
against Shafer.

~~~
a3n
True. But given the choice between the two (and they clearly had this choice),
I wonder if they consider that an individual will not be able to mount as
strong a defense as a business.

~~~
dragonwriter
> But given the choice between the two (and they clearly had this choice)

That's less clear than it might seem; the information Patterson gave them may
have been sufficient basis for probable cause against Shafer, but it was
probably shaded (at least by omission) in a way that it did not do so against
Patterson.

Now, obviously, one would _hope_ that the FBI would do some meaningful
additional investigation before conducting a raid, but there were very few
people beside the person they'd been handed as a subject who would have been
able to provide information which would have flipped this to something where
Patterson would be the offending party (and even there, it's for something
which the FBI is neither the usual first investigating agency nor an agency
that is particularly expert.)

------
fiatmoney
It needs to be understood that if you react this way to responsible disclosure
practices, your company & you personally will be subject to irresponsible
disclosure practices.

~~~
CydeWeys
Oh, I've already learned the lesson loud and clear. If I ever discover a
vulnerability to disclose, I'm releasing it anonymously on pastebin sites
while logged into Tor through a VPN from a free WiFi spot.

And, of course, sign it with a new PGP key you've just created, so that if you
ever need to release a follow-up with proof that it's you, or come forward as
the author of the disclosure, you can.

~~~
miander
Of course, said key is a liability if it is found in your possession.
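
An added example, not from the thread, of the "fresh key now, prove authorship later" idea in the two comments above, using Ed25519 from Go's standard library rather than PGP: the signing key is re-derived from a passphrase every time it is needed, so there is no key file on disk to be found (miander's objection), and a reader can check that a follow-up and the original disclosure were signed under the public key published with the original. The passphrase, the stretching function, the domain label and the sample disclosure text are assumptions of the example; an iterated SHA-256 is used only because it is in the standard library, a memory-hard KDF (argon2/scrypt) is preferable, and the passphrase must be long and random because whoever guesses it owns the key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// stretchRounds is an assumed work factor for the passphrase stretching below.
const stretchRounds = 1 << 16

// seedFromPassphrase stretches a passphrase into the 32-byte Ed25519 seed.
// The fixed label keeps this seed separate from any other use of the same
// passphrase. Constructed example: use argon2/scrypt in real use.
func seedFromPassphrase(passphrase string) []byte {
	sum := sha256.Sum256([]byte("anon-disclosure-key-v1|" + passphrase))
	for i := 0; i < stretchRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// DisclosureKey derives the signing key and the public key to publish with
// the disclosure. Same passphrase, same key: nothing needs to be stored.
func DisclosureKey(passphrase string) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(seedFromPassphrase(passphrase))
	return priv, priv.Public().(ed25519.PublicKey)
}

// Sign returns the hex-encoded signature over a message.
func Sign(priv ed25519.PrivateKey, msg string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

// Verify checks a hex-encoded signature; malformed input is simply "not valid"
// rather than a panic.
func Verify(pub ed25519.PublicKey, msg, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, []byte(msg), sig)
}

// SameAuthor is the reader's check: the original disclosure and a later
// follow-up must both verify under the public key published with the original.
func SameAuthor(pubHex, original, origSig, followup, followSig string) bool {
	raw, err := hex.DecodeString(pubHex)
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return false
	}
	pub := ed25519.PublicKey(raw)
	return Verify(pub, original, origSig) && Verify(pub, followup, followSig)
}

func main() {
	// Assumed passphrase; generate a long random one and memorize it.
	const passphrase = "example passphrase: replace with a long random one"
	priv, pub := DisclosureKey(passphrase)
	pubHex := hex.EncodeToString(pub)

	original := "Disclosure (constructed sample): anonymous FTP server exposes patient records."
	origSig := Sign(priv, original)
	fmt.Println("publish with the disclosure:", pubHex, origSig)

	// Months later: nothing was kept, so re-derive the key and sign the follow-up.
	priv2, _ := DisclosureKey(passphrase)
	followup := "Follow-up (constructed sample): I wrote the original report; it is still unfixed."
	followSig := Sign(priv2, followup)

	fmt.Println("same author:", SameAuthor(pubHex, original, origSig, followup, followSig))
	fmt.Println("tampered follow-up:", SameAuthor(pubHex, original, origSig, followup+"x", followSig))
}
```

The public key and signature are what get posted next to the disclosure; the passphrase is the only secret, and it never has to be written anywhere, which is the trade the comment above is pointing at: no file to seize, but also no recovery if it is forgotten, and no protection if it is weak enough to guess offline.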

~~~
qb45
Encrypt, hexdump, render in green font on black background, set as wallpaper.
Nobody will ask :)

------
pmontra
Do you have laws in the USA that mandate protection of health data?

~~~
AnimalMuppet
Yes. HIPAA.

~~~
pmontra
But apparently they didn't go after the company, so maybe those data are not
the kind of information protected by HIPAA?

~~~
joesmo
It most certainly is information protected by HIPAA. It's just that there are
no enforced consequences for companies breaking HIPAA (or pretty much any
other law) while there are dire consequences for people accessing public data
under the CFAA. I'll put it this way: if I wanted to murder someone in the US
and get away with it, there are dozens of opportunities under the law as long
as said murder is committed under the umbrella of a corporation. But god
fucking forbid you access public data that was not secured properly by idiotic
corporations and your life is ruined like this researcher's is about to be.
Our judicial system is a joke; a society without justice is no different than
the random savagery it purports to be above.

------
mevile
I'm not addressing the FBI response, but hear me out. As a security researcher
you have to stop at the first vulnerability. Don't use the vulnerability to
get more information. It's the company's responsibility to ascertain the
impact of the problem. This person should not have attempted to download
anything from the FTP server. They should have spotted the FTP server, notified
the company and made it clear they never attempted to download anything from
it.

There was a similar issue with S3 credentials and Facebook a few months ago.
The security researcher went too far. There was a large outcry by everyone
about Facebook's response. I'm not addressing the response. I'm saying as a
security researcher you need to protect yourself by trying very hard to limit
the impact of what you're doing to remove risk of legal liability. Only go as
far as the first problem and no further.

------
phusion
This is so wrong, but it's not surprising. We've been reading stories for
years of security researchers being charged with a crime or harassed for
simply pointing out blatant security holes.

What kind of thinking is this? He was doing them a favor. Every time, it seems
to me that they are embarrassed by the incident and lash out. WHY!?? We should
be treating these researchers like heroes, not kicking in their doors and
having the FBI charge them with criminal CFAA violations. Once the chilling
effect comes down in full force, we'll have a much less secure Internet.

~~~
spydum
I thought they did not have the "reason" for the arrest -- only the warrant.

The arrest may have nothing to do with accessing the Public FTP, and entirely
to do with the research he was doing on the FTP service itself. If he was
attempting to exploit the FTP service hosted by someone else (something or
other about database credentials was mentioned), he would absolutely be in
violation of CFAA. You do that sort of research on your OWN system.

First rule of security testing: make sure you have permission.

------
a3n
It's as if the CFAA was intended to protect behavior like Patterson did.

------
pipermerriam
The FBI seems to have lost its way (Same with most of the other 3-letter
governmental entities and other law enforcement). How do we change the system
so that they are held accountable for these sort of things?

This is getting ridiculous. I can't predict the general public's opinions on
things like this but it seems so clearly "wrong".

I have hope for a peaceful fix but I am skeptical that we aren't well on our
way to a much more traditional violent revolution.

Everything I've read on the subject suggests that the early signs of
revolution are a sufficiently large disparity between the rich and the poor
such that the poor can no longer provide for themselves. It seems like this is
well on its way and likely speeding up.

I'd love to see some statistics on situations like the 2014 Ferguson Missouri
situation. I'm curious if there's a rise in situations where the government
sufficiently crosses the line that the public backlash manifests violently. I
expect that we're still in a stage where these situations are still largely
centered around poor minorities [1] but situations like this suggest that
incidents are starting to expand into demographics that might get the "middle
class" [2] to finally pay attention.

I hope we can find a way to unite as a single voice to change things. I hope
it doesn't end up being violent. The following things encourage me.

* Decreased relevance of the "mass media". This is a double edged sword. On one hand it allows for news that might be ignored by a major network to still be disseminated widely. On the other hand, the "public" has a really poor track record of consuming news that isn't also entertainment and many of these issues seem to fall entirely outside of people's interests.

* The ability to aggregate these sort of events to establish a clear pattern of behavior. It's getting harder to hide things.

Also these disclaimers:

1. I say poor minorities because based on my knowledge of the law enforcement
overstepping it's typically in situations involving people who are poor and
black.

2. The "middle class" is used here to reference a predominantly "white"
demographic that most mass media caters to. I've struggled to find the
appropriate language here, fearing I'll be labeled racist somehow. Hoping
that my message reads as intended.

------
joesmo
In the meantime, companies like Apple and Google are deleting users' files
without their consent and infecting computers with malware through ads yet I
don't see Tim Cook or Larry Page being woken up in the middle of the night by
a SWAT team. What a fucking joke our legal system is.

------
cloudjacker
Use Tor through Whonix gateway. FBI's NIT doesn't have a way through that.

------
2close4comfort
The FBI putting the Cyber in Cyber. I know we all feel safer with them on the
watch

------
King-Aaron
So basically, when you discover critical vulnerabilities in a server, do not
tell the owners about it. Sell the information anonymously to the highest
bidder.

------
eric_h
I could not get this site to fully load even after (or maybe because) my
adblocker blocked 68 requests.

However, loads great in lynx!

~~~
eric_h
I wasn't joking, the site actually loads much better, faster and more readably
in lynx than it did in my regular browser (safari with ABP)

