FBI raids dental software researcher who discovered patient data on FTP server (dailydot.com)
259 points by corywright on May 27, 2016 | 163 comments

As a separate issue: why the "shock and awe" response to what is (even allegedly) a non-violent crime? Why the assault rifles? Why could he not have been arrested by just a couple of agents walking up to the door, knocking, serving the search warrant, and then maybe having the techs step in to conduct the search and seizure?

Why does US Law Enforcement so dramatically escalate every contact with a citizen? Every time they do this, they risk accidental injury to the people, kids, pets.

What in this particular situation necessitated a SWAT-level treatment?

Maybe the law should be fixed such that warrants have to specifically include firearm authorizations.

>Why does US Law Enforcement so dramatically escalate every contact with a citizen?

US LEOs are indoctrinated with the belief that they are 'at war'. Convincing the public of this is imperative to retaining authority, securing more funding, and receiving immunity from any consequences of their actions. One way they accomplish the above is by never passing up an opportunity to dress up like an army man and publicly display force.

Requiring the warrant to specify the level of force could be interesting. Are there good reasons why this could not be done?

At a federal level, this is mostly done. Before executing a search warrant, feds usually pull criminal background and check gun registries. Then look at the reason for a search warrant (drugs, guns, terrorism, etc.).

In theory, they combine those things to decide whether to just knock on the door and walk in or bring SWAT along.

This happens differently between agencies and in different parts of the country.

But, codifying these guidelines / rules into a law probably wouldn't hurt. Sometimes it is hard to capture the nuances of the situation into a formal law though.

Also, remember that like 10-100's of these things are probably executed daily, peacefully, without any conflict or issues. You only hear about it when they go wrong (or some asshole fed is in a bad mood or something I guess).

They check gun registries? Why?

I suppose that registered guns suggest that someone is not criminal, because the alternative assumption should be unregistered guns.

Well, if they're going to arrest someone, they'd have a belief that they're a criminal. If there's evidence that they have a gun (e.g. entry in the gun registry under their name), then they'd have to consider it an attempt to apprehend a presumed-armed, suspected criminal.

I don't see why a registered gun would be a point in their favor. They probably registered their car, paid their taxes, and stopped at red lights too.

It was FBI though, so it was at federal level?

I honestly don't think that being rude and/or hurting feelings (or scaring a baby) really enters into law enforcement of this type (also see my other comment).

You're moving the goal-posts. I don't think that being rude or hurting feelings should cross their mind.

Bringing a gun escalates things immediately. If I was in that home and I was carrying a gun, and if a handful of people abruptly came in with assault rifles, I'm liable to react very differently because it's such an affront to what feels reasonable. I think it's more reasonable to think that this is a terrorist attack and to react accordingly, rather than the reality of people acting as an agent of the government bringing deadly force in droves because someone grabbed a file from a public FTP server.

If I had seen 5 men in suits and shades peacefully walk in without any kind of weapon, I'm not going to think anything of it. They're putting themselves at risk. It makes no sense.

And the honest answer as to, "why?" is that the people who kick in doors are complete meatheads who think that morality and legality strictly align. They think if someone has broken the law, they deserve anything that is coming. They don't care about anyone's safety, they care about taking baddies.

It wasn't long ago that an officer serving a warrant for a non violent offense threw a grenade into a baby's crib (yes, the baby was inside).

Now I'm not sure where their training draws the line on infant collateral damage: Don't shoot in rooms with babies? Shoot around the babies?

But imagine if the rule was: Don't upset the children. (Silly, I realize, but that's how what-ifs are played.) It seems like decisions would be made resulting in fewer grenades landing in bassinets.

This is a culture that believes prosecuting to the "fullest-extent of the law" is the right thing to do, regardless of the actual human circumstances.

Two reasons perhaps. Publicity and safety of the officers. How do they know how this person is going to react (or anyone else in the house)? And the publicity is much greater with a greater show of force (hence a deterrent) as well with a shock and awe response.

> How do they know how this person is going to react (or anyone else in the house)?

This is always true. By that logic, we should SWAT every warrant, every traffic stop, every parade. There should always be a threat assessment.

This would imply it's all #2 ("publicity"). Which means police forces and public defenders are using the threat of extreme violence as... a PR move? Against American citizens who are innocent until proven guilty in a court of law?

Research on the subject says this is more dangerous for the cops than the calmer approaches.

The irony is cops do this to protect themselves, and statistically speaking it has the exact opposite effect.

If the research says that then either:

(1) The law enforcement decision makers are unaware of the research (which is unlikely), or

(2) The stated motivation is not the actual motivation.

Or (3) they don't believe the research and trust their "instincts", right or wrong.

Or (4) they do believe the research, and they use it in their calculation that says that while they should err on the side of caution and should overdo force "a little bit" just in case, they should be careful not to go too far...

... which turns out to be the same calculation they used all along.

But they have cool toys and can pretend they are actual badasses when they raid your home and shoot your dog... even though many of them can't qualify to get in the military (too fat).

It makes it harder to feel much pity when things go 'wrong' for them, then.

Can you provide a link to said research?

I think you are right about the publicity and show of force. I can't imagine it takes more than a couple police officers to arrest a single suspect in a house in a safe manner.

Pretty sure you could send two officers to the door.

Depending on the response from the inhabitant, either take them into custody or call for backup.

> How do they know how this person is going to react (or anyone else in the house)?

Well, you could do some basic investigation before an arrest, which would both give you in most cases a good idea of the threat profile and often give you a better idea if the information you've been fed actually accurately represents the facts.

It's not like "investigation" is, you know, right there in the name of the agency, or anything.

He made the "people in charge" look like fools... (granted, they were idiots acting like fools, and if anything he was trying to help).

"People in charge" only stay in charge when they don't look like fools. So anyone pointing out the king isn't wearing any clothes must be tied to a stake and burned for all to see.

Also, your dog must die.

This reminds me of something that happened to me in high school back in 1999. I found an Excel doc in a public network drive that contained every single student's SSN, DOB, whether they had free/reduced lunch, address, phone, etc. I was admittedly snooping around, but this was all public stuff every student and teacher had full access to.

When I found it, I told one of the teachers that I trusted and she insisted that I must tell the principal. So I went down to the principal's office and told her. My primary goal was to get this removed or made private because even at that young age I knew this was very sensitive data and I wouldn't want just anyone having access to my information like that.

When I got home from school, I found my mother upset because we'd been called to return to school for an emergency meeting. I was questioned, and when I told them I only wanted this sensitive information properly secured I was told by the county IT administrator "Did you ever stop to think if maybe this information was public for a reason?" I took a second, and literally wanted to say "There is no reason this information should ever be public" but I ended up keeping my mouth shut in hopes to not get into further trouble.

I was nearly expelled for "hacking". They placed me on "academic probation" and threatened that if I did so much as forget my school ID at home one day, I would be immediately expelled without question. I was removed from my elective classes that involved computers and was disallowed from touching any computers at school.

Fun fact: Someone on the yearbook staff accidentally deleted the only copy of the yearbook files and our yearbook was in danger of basically not being made. I was called to the principal's office and asked to help. I was able to recover the deleted files and save the day. At some point they realized I never had malicious intent, but I still hold a small grudge for the way I was treated as a criminal for uncovering such a big security hole.

> I was told by the county IT administrator "Did you ever stop to think if maybe this information was public for a reason?"

Absolutely jaw-dropping.

People's reactions to this kind of thing just blow my mind. If you are about to walk away from your car, having parked it in a high-crime area, and a passerby points out to you that you haven't locked it, do you call the police and have them arrested for looking into your car? If they were going to steal your car, would they have told you about it???

My wife ran into this back in 2001 or so. She had visited some Web site and noticed that the URLs followed a familiar pattern -- I think related to the Microsoft Access database. She wondered if some internal files were accessible via paths analogous to those she'd seen on the intranet where she worked. Sure enough, they were. She told the company about it, and of course they yelled at her.

> "Did you ever stop to think if maybe this information was public for a reason?"

If it was meant to be public, then you shouldn't have gotten in trouble for pointing out its existence. I don't understand the twisted logic there.

This is public for the teachers, snooping this file is the same as rummaging through teacher's stuff!

Then why wasn't it protected by authentication available to teachers only?

Yes, teachers' stuff containing a ton of other people's SSNs and other personal info and sitting around for anyone to access without any barrier! Totally cool, just hope no one does any rummaging!

I had a similar thing happen to me. In high school our user names were first letter of first name and last four of last name. The passwords were the last four digits of our phone numbers.

I figured out that the teachers had the same schema for their accounts. They also published a directory with all the names and phone numbers of the students and teachers. So basically I tried accounts until I got a teacher who didn't change their password. Then I used their ability to place files in shared folders on the network to distribute Quake2 across the different servers. I told a friend and they told people and inevitably the school blamed me for it and kicked me out of all my electives that had computers in them. I was the first student to ever fail touch typing because I couldn't complete the class.

Standardized learning and I have never been friends. I'm glad they taught me the system doesn't work and to work/learn outside of it.

I don't think that's really similar at all. You circumvented password protection and used it to play games. I don't agree with the punishment, but you clearly broke the rules. I also don't see that as having anything whatsoever to do with standardized learning, just you wanting to play games at school.

It does fit with the trend of crazy overreactions to "computer hacking" though. If some kids figure out where you keep the keys to the gym and you catch them playing basketball after hours when it's supposed to be closed, you give them some detention, you don't prohibit them from ever entering the gym thereby causing them to miss school assemblies and fail classes. But do the equivalent thing on a computer and they assume you need the Hannibal Lecter treatment or else you'll whistle into a phone and bring forth Armageddon.

This isn't really the same; it sounds like you logged ("hacked") into someone else's account by correctly guessing their password and then used their account for nefarious purposes.

A similar thing happened to me at my university. This new website came out called TheFacebook.com and it seemed hip to add artificial friends like famous actors, super heroes, etc. I had the bright idea to add the school president as a friend by creating a fake account like the thousands of other fake accounts on TheFacebook. I needed a university email address, but luckily, my school allowed you to create a personalized email alias. What should I change my personalized email address to...? How about <president's name>@mail.myschool.edu? That would be funny - and I'd just revert it back after creating the stupid FB account.

There was some problem with the alias. I couldn't receive the FB confirmation email. So I gave up and went to sleep. The next morning I received a call from the campus police - they wanted to talk to me. I don't remember all the details, but I just remember a long process of being interrogated by campus police and later school administrators who were certain that I had hacked the president's email account. I mistakenly thought simply telling them "I wanted to add the school president as a friend on TheFacebook" was innocent and harmless enough. Some time later I received a letter with a list of 20 or so charges including things like Identity Theft and the possibility that I may be expelled.

I only found out at the end of this whole process that due to a bug in the mail system it allowed me to register a duplicate email alias, and all of the school president's emails were being bounced and they assumed I was receiving them. I was able to knock it down to writing an apology and community service.

> Some time later I received a letter with a list of 20 or so charges including things like Identity Theft and the possibility that I may be expelled.

Wow. Whatever happened to the cops coming and saying "That was dumb. Let this be a lesson. Don't do it again."?

To be honest, that sounds like a really stupid idea.

> I was nearly expelled for "hacking". They placed me on "academic probation"

This reaction makes me very, very angry.

I would love to push it back on them: it's unclear under what laws/regulations this would fall, but if you (as the student who found it) can get in trouble for finding this info, they can most certainly get in trouble for posting it in a location it can be found in.

Further, because you were actually punished for it, it means one of two things: they were in fact in the wrong for publishing it (and thus should be punished -- whether it's a criminal offence or merely a professional reprimand); or if they can't be punished, neither can you -- which means the principal should be in trouble for giving out a groundless punishment.

In my mind, it ceases being an "honest mistake" when they attempt to punish the person who points it out.

I realize that the real world is much more complex than this: you were a kid, your parents don't necessarily want to put you through the doubtless retaliation the administration would put you through anyway (even if not official), and the people with the authority may not see it the same way (in the same way police officers rarely charge other officers with crimes).

Remember Ahmed the clock kid? I had a situation almost exactly like his, except I made a working FM radio, could change stations and listen to local news and weather, I thought it was the coolest thing ever.

The school did not, and the district superintendent agreed with them. Who knew that an FM radio made out of a La Gloria Cubana cigar box (with labelling removed so as not to run afoul of any "tobacco paraphernalia" questions) constituted a "bomb".

Parents sued to have me reinstated, but the social stigma lasted well throughout high school. Kids nicknamed me "bomberman" and there was this whole narrative that I had to be removed from the school, handcuffed by the FBI and put into the back of a box truck and hauled away. When in reality, my dad picked me up in his Honda (which would later become my Honda) and we drove home.

It sounds like you weren't sufficiently brown to get media attention? "Public school bureaucracy run by bureaucrats" doesn't have the right mass appeal.

> It sounds like you weren't sufficiently brown to get media attention?

Or just didn't have a family with the right media instincts.

> "Public school bureaucracy run by bureaucrats" doesn't have the right mass appeal.

It has incredible mass appeal, which is frequently exploited politically -- by both sides of the political spectrum.

But for it to get media attention, someone's got to get it to the media's attention. Outside of people and institutions that are already high-probability news sources, the media isn't really actively monitoring what goes on to find potential stories, things become stories because someone involved brings it to the attention of the media.

Ahmed: police called, handcuffed, questioned for 90 minutes, transported to juvenile jail, all without being able to see parents. Plus racist comments.

iamdave: picked up from school by his dad, no police involved.

Not exactly the same situations. Both crappy situations, but Ahmed's treatment was an order of magnitude more inappropriate.

Well my intent here wasn't really to make a comparison of our situations as much as it was to highlight heavy handed bureaucracy within primary educational systems.

>It sounds like you weren't sufficiently brown to get media attention? "Public school bureaucracy run by bureaucrats" doesn't have the right mass appeal.

We're brown, I think colloquially "black".

> Remember Ahmed the clock kid?

It turned out that his invention was a fully pre-built alarm clock removed from its plastic housing.

Also other details emerged that pretty much sealed the case against him - what he did was create an intentional hoax.

That's your take-away from the situation, not the fact a child was handcuffed and treated like a terrorist for purely anti-Muslim reasons? Wow.

Crystal radios were a school project taught in science class when I was in high school.

> This reaction makes me very, very angry.

You are hearing one side of a story (that doesn't mean there is another side that would change your mind or my mind of course) but keep in mind that the parent also said "I admit I was snooping".

Let's say for argument's sake someone enters a room that they are not supposed to be in and finds something in a desk drawer that shouldn't be there. Should the person snooping be commended for doing that? As if a reward saying "go anywhere anytime and as long as the end justifies it you are off the hook". Are you allowed to enter your neighbor's house in search of contraband or access his computer? I realize this was allegedly "public" but the devil is in the details of what that means exactly.

> I was nearly expelled for "hacking". They placed me on "academic probation" and threatened that if I did so much as forget my school ID at home one day, I would be immediately expelled without question. I was removed from my elective classes that involved computers and was disallowed from touching any computers at school.

Makes me glad that my school was reasonable when I got dragged into some "hacking" accusations. We were just made to work with the IT staff for a week (instead of going to classes), and that was the end of it.

The IT staff were surprisingly fine with it all (I think they realised A) that we weren't malicious, just bored and curious, and B) that it was their mistakes that gave people access (VNC server installed on all PCs with the password "vnc"; domain admin account having the password "school", etc.)

I got in a lot of trouble in high school for playing with the DOS prompt in Windows. My teacher told the principal that the scary black window full of monospace text was -and I'm quoting here- a "highly sensitive zone" on the computer that no innocent student would access. Obviously I protested, and predictably the principal didn't believe a word of what I had to say.

I believe I had to stay up late writing a 4-page apology paper to forestall disciplinary proceedings since my family was planning to go on vacation the next day.

About a month or so ago I found an open public Mongo database with about 12GB of records regarding people's retirement funds of what I assume was hundreds of thousands of people: account numbers, how much money was in the accounts when they had moved them to various funds and so on.

Thought long and hard about what to do but decided not to do anything; I don't feel like risking my entire life just to help someone. This is me assuming they did not intend to have it publicly open.

With that story out there, it would be nice to have a legit legal way to inform the police or a similar trustworthy government agency that could handle issues like this.

Brian Krebs (Krebs On Security) breaks these types of stories, though he's a journalist so would publicly disclose it. Very possible he'd contact them privately prior to a story though, in the hopes they fix it before publication.

In Finland, you can send an anonymous tip to the Communications Regulation Authority, who will then inform the service provider.

Perhaps the FCC has something similar?

Seems like, at the very least, you could offer it to Wikileaks. Might be too small a story for them to care about though.

I'm looking at 'Have I been pwned' [0], but they seem to care about only breaches that have been publicly acknowledged. Sounds like they don't want to be in the business of breaking this kind of news themselves.

Maybe there needs to be a new Web site for this kind of thing -- located outside the US, of course. (Probably there already is one and I don't know about it.)

[0] https://haveibeenpwned.com/

You could search PGP keyservers for email addresses/domains of the local media where that retirement fund is located and take it from there, using your own judgment about the reporter and outlet, and how much you'd want to mask that communication.

> You could search PGP keyservers for email addresses/domains of the local media where that retirement fund is located

Best case among the likely outcomes of that is: "Can you re-send that e-mail? It's all garbled or something."

Anonymous email through a few proxies from a one-time email address should be sufficient.

"I accidentally discovered this when I mistyped an IP."

And there should be a responsibility for not applying proper measures to protect personal information.

It sounds like Patterson Dental deserves as much blame as the FBI, if not more, because it sounds like they were the ones pressing charges and motivating prosecution in the first place. Also, why aren't they being charged with what is almost certainly a HIPAA violation?

If Patterson Dental (and I say if since we don't really know) is behind him getting arrested, I hope all their patients find out about the details of this and they go out of business. If nothing else they should be charged with HIPAA violations.

Patterson is not a dental clinic. Like Henry Schein which was also mentioned in TFA, it is a large dental supply company. One reason that dentistry is so expensive, is that assholes like these run an oligopoly of "specialty" dental supplies. It's not as bad as military procurement, but it's kind of like that. Dentists as a profession are risk-averse, and that includes the "risk" of purchasing dental equipment and supplies without a 300% price markup.

So, the chance of them going "out of business" is pretty slim. It's entirely possible that dentists unfortunate enough to have chosen Eaglesoft will get to pay some HIPAA fines, however.

> So, the chance of them going "out of business" is pretty slim. It's entirely possible that dentists unfortunate enough to have chosen Eaglesoft will get to pay some HIPAA fines, however.

Will they? Since Eaglesoft claimed to provide encryption, and the practices relied on that claim, it seems unlikely that the practices are at fault; if they are subject to civil liability at all for inadvertent violations -- or even if they just have costs to cure the violations without money liability, which seems more likely given the history of HIPAA enforcement -- they would seem to have a claim for at least the total resulting costs in damages against Patterson.

As far as criminal violations of HIPAA go, it doesn't seem particularly likely that any occurred, and if any did it's pretty clear that the practices are (barring any evidence of knowledge that hasn't come to light) unlikely to have had the requisite knowledge or intent to be culpable, though the violations may have been willfully caused by Patterson's actions, which -- even though Patterson might not usually be directly covered by HIPAA as regards what appears to be on-premise software they sell -- might make Patterson a (and possibly the only) chargeable principal in any crime. 18 USC Sec. 2(b): "Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal."

HIPAA violations that are prosecuted are so rare they may as well not exist. I worked at a place that shared all the prod server/db passwords in a text file and they thought that was OK because they passed some half-ass audit. No one cared.

> Also, why aren't they being charged with what is almost certainly a HIPAA violation?

Foremost among the many reasons, because investigation of HIPAA Privacy and Security violations is almost entirely (if not entirely) complaint-based rather than proactive, and probably no one filed a complaint to the HHS Office of Civil Rights.

Which I think should be the immediate and first act on discovering something like this with PHI, if for no other reason than that doing so makes clearly applicable the whistleblower protections of 45 CFR 160.316.

Another lesson not to trust people/organizations ignorant enough to keep confidential data in plain text on anonymous FTP.

It seems that the 21st century responsible disclosure procedure goes like that:

0. use Tor for the research itself

1. report problems anonymously

2. if they don't care - report them to law enforcement for breach of confidentiality

3. if these don't care either or don't accept anonymous tips - make noise in the media

Of course, this is for dealing with idiots who keep their data on public FTP. If the attack takes some clever hacking, go check if they don't offer bug bounties. Funny times we are living in.

Step 1: Anonymously report them to law enforcement.

There is no step 2.

Nonsense. It could be as easy as printing fliers at home and dropping them in an appropriate space, or mailing letters with the return address the same as the mailing address, or using Tails 2.x to email HIPAA and the police using a throwaway address. But contacting them in person? NFW

Yes, print flyers on your home printer that you purchased with a credit card in your own name and had shipped to your home address. Handle all the pieces of paper with your bare hands, too. What could possibly go wrong?*

Gee, let's find out. First off it applies to "some color laser printers". Don't have one. Second, printer was bought in person with cash and was a gift. Third, gee that's super hard, wear latex gloves. I sure hope the police are more intelligent than you are. No offense.

Never print anything for anonymous purposes. All printers have a watermark.

This is not strictly true. So many color printers have a yellow-dot identifier pattern now that you should just assume that anything you print with one can be forensically linked with the printer's serial number, unless you definitively know otherwise. Monochrome printers are much less likely to add a nearly-invisible identifier pattern to every page. Check your printed pages under a microscope with different colors of light.

Nevertheless, if you want to print something and wish to remain anonymous, it isn't a bad idea to assume that every document that a particular printer ever prints can be linked using the printer's serial number, even if you think that specific printer is safe. Never print anything on it that can be linked to your public identity. Don't connect it to the internet.

You may never know whether there's some sort of steganographic encoding mechanism that targets certain print geometries in ways that you can't detect. There probably isn't. But if you're a dissident or troublemaker, can you take even a tiny risk?

Speaking of which, since we are talking flyers. Type once, print once at low res in b/w, and then copy that at a lower res, using that to make fliers. Done and done.

The FBI is going to have a hell of a time arguing that accessing a public FTP server with no password protection is a crime.

I am pleased they might move forward with this prosecution. Keep in mind the legal costs incurred to do this, in addition to the already employed 12-15 FBI agents who were probably paid overtime to heroically rescue that poor family from this monster, were already well worth the cost. Spending more money and resources here is obviously the right thing to do. Really, the resources expended to handcuff this man in his boxers in front of his 9-year-old daughter were very well allocated by one of our most important government agencies, the FBI.

I'm also very much glad to see the incredible foresight and knowledge that the FBI is displaying here. What better way to show us why we should not responsibly disclose data vulnerabilities than to arrest and raid someone's home for doing so?

Stories like this really influence me to put my faith in the capabilities of law enforcement. What that means for our individual rights and freedoms, and for the future of the US economy is sure to be nothing but excellent! I would never think about moving away from such a country!

Other places aren't much better either. In my country, you don't get to reach the courts. If some official doesn't like you, and you aren't a descendant of a well-known lineage and don't have connections, you will accidentally fall down a couple of flights of stairs, repeatedly.

And should you by some miraculous series of events manage to get your case heard in a court (have $$$ to burn), they'll just appeal the verdict (and win).

There is no escaping this shitfest.

Western Europe and especially Scandinavia are better. That is my opinion based on the observations I have gathered.

I am not sure where you are from, but I agree that it can also get worse.

Not necessarily. I've spent the last few years fighting various hacking charges in Finland and will most likely continue to do so for several years to come.

The law enforcement here will consistently take anything the FBI tells them as a fact, even when the information provided by them has been consistently shown to be false or even maliciously fabricated.

I spent 3 months in jail in 2014 because the FBI emailed the Finnish NBI and alleged that I had perpetrated various attacks against large US tech companies; they provided some information vaguely connecting me to the crimes and claimed to have further evidence they'd deliver shortly. They requested that the Finnish police arrest me and seize my equipment, and they did so without question.

Based on that single contact from the FBI the Finnish NBI held me in jail for 3 months and banned me from using the phone or in any manner communicating with anyone outside the jail. After the 3 months had passed the FBI had still failed to deliver any evidence, and the Finnish police had failed to discover any. In fact, they had unquestionably discovered heaps of evidence against the aforementioned allegations since the very day they arrested me. Just a few days before Christmas they were forced to very reluctantly release me.

Now it's 2016 and I just recently got a letter stating that most of those charges have been dropped as the FBI has failed to deliver the promised evidence. I've also received letters informing me of various covert surveillance techniques utilized against me after my release. These are supposed to require an even higher standard of proof than keeping someone in investigative custody, but obviously they're hard to contest when you aren't told about them.

Incompetent fucks desperately hoping to score big wins for their careers or with personal vendettas are hardly a US-only problem, but at least in the US I could've fought the FBI in court. That's hardly an option here. The only thing that's better here are the sentencing policies.

That sounds like quite an interesting story if what you are saying is taken as true and at face value. Have you tried contacting press, or lawyers in the US who would want to take on your case?

Honestly, going after the FBI for lying to the Finnish police would probably be a pretty hard case to win. Especially considering how blatantly unreasonable the behaviour of the .fi authorities has been.

It's possible that I could win. But that wouldn't really achieve anything, it wouldn't make the .fi authorities stop.

The best option I have available is to keep fighting my charges in Finland, as no matter whether I win or lose it'll be significantly harder for any other country to prosecute me for those same crimes. The courts here are fairly reasonable; while they require ridiculously low standards of proof, you essentially have to kill someone to actually go to prison here. Perhaps that makes it easier to say "guilty" just to play safe, keep the LE and prosecutors happy.

If your story is true, then you were, as it appears, wrongfully and unlawfully imprisoned. I think you should at least try contacting press and some lawyers -- if what you are saying is a true story.

It sounds pretty interesting to me -- I imagine someone in the press would pick it up.

>If your story is true, then you were, as it appears, wrongfully and unlawfully imprisoned. I think you should at least try contacting press and some lawyers -- if what you are saying is a true story.

I was indeed wrongfully imprisoned, but by the Finnish government. I can and will receive compensation from them but at best that's going to be a few thousand euros per month, a nominal sum considering the time lost. It's hardly an irregular thing here, mostly because every single case where a person is taken into investigative custody and not given a prison sentence is treated as such. This has created a situation where these cases are so common that the justice system treats them as acceptable routine.

Does Finland not have protections against defamation? If someone that wasn't an American FBI employee falsely accused you of a crime, would you have a legal remedy?

Article 24, paragraphs 8-10?

It looks like you would have to file a criminal complaint in order to proceed with a civil claim, and the state cannot act on criminal charges until you actually make the complaint, unless the defamation appeared in the mass media. If the Finnish prosecutor declines to act against the FBI, your only remaining remedy is to file a claim in the court of public opinion by getting a local journalist to tell your story on a slow news day.

You owe it to yourself and all noncriminal Finnish hackers to at least make a defamation complaint to Finnish police against the FBI. Your statute of limitations is 5 years.

I've actually been thinking of filing several such complaints for a while, but it's sort of been on the backburner. However, on Monday I'll see if I can get copies of the original communications and get the complaints filed.

Rather unlikely that any prosecutor would pick them up, but who knows?

> Other places aren't much better either.

You haven't been in many countries, have you?

In the majority of Europe you will see a SWAT team on TV once a year when they do a huge bust of over 100 drug dealers or terrorists. It would be a public shame, heads would roll, and there would be never-ending phone calls from constituents asking and demanding answers why their money was spent on performing a raid on a hacker who broke into a publicly open computer.

I will also bet (as long as we are somewhere legal to do so like LV) $100 that you won't find an example in Europe where a SWAT team killed a dog or threw a flash grenade into a crib with a baby in it... something that happens in the US and for which no one can reasonably be held accountable.

You are cherry-picking Western Europe -- the most peaceful and developed part of the world -- to make your point.

The outcome of a trial is secondary. Have you ever been sued by the government? How much money, time, effort and nerves do you think you will lose, no matter the outcome? The act of being sued is plenty of punishment. If they really want to destroy you they can keep going through the courts even after losing - they could not care less if they win or lose.

> The act of being sued is plenty of punishment.

This is so true and so many people don't realize it.

It's easy to be idealistic about these things until it actually happens to you.

Being "in the right" doesn't mean you'll win ("right" according to your morals/ethics and "right" legally are often two completely different things) and it doesn't mean that the costs of fighting - financial, personal, etc. won't ruin you, especially when the plaintiff is stubborn, vindictive and has deeper pockets than you do.

More often than not, you'll end up settling civil cases, and the tangible and intangible costs that you accrued while fighting your case are usually victory enough for the plaintiff.

> The FBI is going to have a hell of a time arguing that accessing a public FTP server with no password protection is a crime.

Why? Andrew "Weev" Auernheimer was prosecuted AND CONVICTED for accessing a public HTTP server with no password protection. They apparently didn't have any trouble pursuing that with a straight face. The conviction was overturned because they had prosecuted him in the wrong state.

Isn't this exactly what Andrew Auernheimer was charged and convicted with?

Yes - and that's also pointed out in the article:

“It’s weev all over again.”

Except this guy didn't leak a bunch of emails like weev did? Right? If he does go down, that would be terrible for him and his family, but he would be a better poster child for government overreach than weev is.

"He is an upstanding family man, with 4 children. He accessed a publicly available server on the Internet, the kind of server you could access at any time by clicking a hyperlink on Facebook, and now he is a felon and rotting in jail." Or something like that.

Not at all, the key in weev's case was intent.

I believe that it is still considered unauthorized access even if they don't have a password set up. I think it goes back to law that existed before computers where if you entered someone's home without permission you can't simply argue that there wasn't a lock on the door.

Edit: ProAm above reminded me of the Andrew Auernheimer case that was nearly identical to this and was resolved as I describe.

Please stop with home / lock / etc. metaphors. This is a very simple situation and there is no need to analogize.

When you analogize to a separate situation like keyed locks or zeppelin airspace access rules you're attempting to say something about similarities between the reasoning in resolving the rule on both sides, which requires you to actually make a contention about what aspects of the situation are compatible, and which of those aspects are salient to the definition in question.

Computer behavior patterns are different enough that if you want to analogize, for the love of god explain the aspect you are analogizing. Even the notion of a "protocol" doesn't really exist in meat space.

Something like "transit through third-party routers is a form of access easement"? OK, I could maybe roll with that as a premise if we get into the weeds about what that would imply.

"It's like an unlocked door!" Jesus christ, stop. No, it's not. Even particular unlocked doors aren't what you're thinking of as an archetypical unlocked door, because "unlocked door" isn't a legal concept.

I was merely theorizing that in 1986 when the Computer Fraud and Abuse Act was written that was the reasoning behind why it was written in that way. I assumed that the readers here understand the underlying tech involved.

It sure sounds like there wasn't a "lock on the door". There is a significant difference between FTP and other protocols: FTP has specific support for "anonymous" sessions. There is even an entire RFC (1635, "How to Use Anonymous FTP")[1] on the topic.

From the article:

    I actually remember them having a passworded FTP site
    back in 2006. To get the password you would call tech support
    at Eaglesoft\Patterson Dental and they would just give you the
    password to the FTP site if you wanted to download anything.
    It never changed. At some point they made the FTP site anonymous.

While there is no mention of the username involved in the anonymous access, it sounds like they switched from handing out a common password (stupid, but probably qualifying as "unauthorized access" for CFAA purposes). However, if the change where they "made the FTP site anonymous" involved the standard username "anonymous", then the server is offering access.

[1] https://tools.ietf.org/html/rfc1635
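The difference between a password-protected login and an anonymous one shows up directly in the reply codes on the FTP control channel. The following is an added example, not code from the article or from anyone in this thread: it classifies a captured login exchange using the RFC 959 reply-code classes (2xx success, 3xx "send more", 4xx/5xx refused), folds multi-line replies, and records which files were requested once access was granted. The three transcripts are constructed for illustration, not captured from any real server.

```python
"""Classify the outcome of an FTP login from a control-channel transcript.

Added example (not from the article or the thread).  Reply-code classes
follow RFC 959; the usernames treated as anonymous follow the RFC 1635
convention ("anonymous", with "ftp" as a common alias).  All transcripts
below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A transcript is a list of ("C", text) client lines and ("S", text) server lines.
Transcript = list[tuple[str, str]]

# A server reply starts with a 3-digit code followed by " " (final line)
# or "-" (first/continuation line of a multi-line reply).
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

ANONYMOUS_USERS = ("anonymous", "ftp")  # RFC 1635 convention plus common alias


@dataclass
class LoginResult:
    user: str | None = None              # username sent in USER
    anonymous: bool = False              # username is a conventional anonymous one
    outcome: str = "incomplete"          # "granted", "denied" or "incomplete"
    replies: list[int] = field(default_factory=list)    # codes answering USER/PASS
    retrieved: list[str] = field(default_factory=list)  # RETR targets the server began sending


def classify_ftp_login(transcript: Transcript) -> LoginResult:
    """Walk the exchange in order, attributing each server reply to the most
    recent client command, and decide whether the login was granted."""
    result = LoginResult()
    last_cmd: str | None = None   # verb of the most recent client command
    last_arg = ""
    pending: str | None = None    # code of a multi-line reply still in progress
    for who, line in transcript:
        if who == "C":
            verb, _, arg = line.partition(" ")
            last_cmd, last_arg = verb.upper(), arg.strip()
            if last_cmd == "USER":
                result.user = last_arg
                result.anonymous = last_arg.lower() in ANONYMOUS_USERS
            continue
        m = REPLY_RE.match(line)
        if pending is not None:
            if m and m.group(1) == pending and m.group(2) == " ":
                pending = None        # final line of the multi-line reply
            else:
                continue              # still inside it
        elif m is None:
            continue                  # not a well-formed reply line; ignore
        elif m.group(2) == "-":
            pending = m.group(1)      # multi-line reply begins
            continue
        code = int(m.group(1))
        if last_cmd in ("USER", "PASS"):
            result.replies.append(code)
            if 200 <= code < 300:
                result.outcome = "granted"      # e.g. 230 "Login successful"
            elif code >= 400:
                result.outcome = "denied"       # e.g. 530 "Login incorrect"
            # 3xx (331 "need password") leaves the outcome undecided for now
        elif last_cmd == "RETR" and result.outcome == "granted" and 100 <= code < 200:
            # 150 "opening data connection": the server is actually sending the file
            result.retrieved.append(last_arg)
    return result


# Constructed transcript: the old arrangement, where a password was required.
PASSWORD_PROTECTED: Transcript = [
    ("S", "220 (constructed) FTP service ready"),
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.com"),
    ("S", "530 Login incorrect."),
]

# Constructed transcript: the site "made anonymous", with a multi-line 230 banner.
ANONYMOUS_OPEN: Transcript = [
    ("S", "220 (constructed) FTP service ready"),
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.com"),
    ("S", "230-Welcome, anonymous user."),
    ("S", "230-Files here are offered to the public."),
    ("S", "230 Login successful."),
    ("C", "RETR installer.exe"),
    ("S", "150 Opening BINARY mode data connection for installer.exe"),
    ("S", "226 Transfer complete."),
]

# Constructed transcript: anonymous refused outright at the USER step.
ANONYMOUS_REFUSED: Transcript = [
    ("S", "220 (constructed) FTP service ready"),
    ("C", "USER anonymous"),
    ("S", "530 Anonymous login not permitted."),
]

if __name__ == "__main__":
    for name, t in [("password-protected", PASSWORD_PROTECTED),
                    ("anonymous open", ANONYMOUS_OPEN),
                    ("anonymous refused", ANONYMOUS_REFUSED)]:
        print(name, classify_ftp_login(t))
```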

Yea.. but a site on the internet is more akin to a store than someone's home. It's completely normal to walk into someone's store.

An ftp server is clearly more akin to a spooky abandoned building.

A more accurate analogy for an FTP server is a machine that sends you letters on demand.

It's like Shafer wrote a letter to their office asking for their list of patients, and lo and behold, they've sent him back an envelope containing that list.

Or a private lending library that is technically open to the public, but no one ever goes there, because all the books are about dental drills.

I think that's a gopher server

Yea. This would be a felony that a 4 year old child, your tech ignorant grandmother, and any other random Facebook user could commit by clicking on a link.

I'm not justifying the law; I consider it ridiculous, but I'm pretty sure that is how it is written.

Yes, the law on the subject is mostly nonsense. That said, I've thought a lot on the subject and this is what I think the law should have been -

For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.

So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.

I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.

Sadly, I don't get to write these laws.

This doesn't hold up because homes are made to be accessed by one person or a specific group of people.

It is more like having a store with the lights on and an open sign and then arresting someone for breaking and entering when they go inside.

Yeah, somehow people forget that the act of connecting a computer to the Internet is an implicit permission for all the Internet to access it unless specified otherwise (by e.g. requiring authentication). That's, like, the fundamental principle of the Internet.

These are the types of cases SV money should fund and defend.

The problem with this is summed up with the phrase "you can beat the rap, but you can't beat the ride."

Sometimes that's just the time, expense, job and reputation loss, etc. of the arrest, but sometimes (e.g. Freddie Gray) the ride is a 'rough ride' and you can't beat that either.

If it is, then it should be a crime to access unprotected wifi.

Unless they put a banner at the top after you login that says "This server is private blah blah blah"

> Defense attorney Tor Ekeland, who represented Auernheimer in the federal court case in New Jersey, has offered to help Shafer ...

Based on his website it appears that "Tor" is actually his given name. What an odd coincidence.

Yeah common Scandinavian name, same as Thor, essentially.

I know this is only tangentially related to the HN content here, but does anyone have a sense of why the FBI would choose to respond to this sort of case with a dozen agents and weapons drawn? Rather than, say, two guys politely ringing the bell and asking him to come with them?

Unless there's a lot left out of this article, I wouldn't think most "unauthorized computer access" suspects tend to be heavily armed. (Particularly if the company actually reported the context of the "crime", including the fact that he had voluntarily notified them of the problem.)

I imagine it's a part of a trend of "militarization" of law enforcement. In the last few years police forces have greatly expanded their SWAT forces, partly because of the practice of the US military giving away surplus military tech to law enforcement. And if you have a hammer, all the world seems like a nail.

The rationalization is that serving warrants can sometimes be risky, so why take the chance? It's in law enforcement's best interest to err on the side of caution: better to scare the crap out of people than get shot without warning. Which is why the government and the courts are supposed to balance LE's concerns with the rights of the people.

Until agents start getting thrown in prison for assault, their ridiculous assaults on harmless residents who pose no threat will continue.

The best policy may be, simply not to be home at 6 AM. They're psychologically incapable of raiding when normal people are awake, or of making arrests in safer ways such as via a phone call to an attorney or simply waiting by their target's car until he leaves for work in the morning.

SOP... military tactics against citizens. Overwhelm with force so the subject cowers in fear. Works great, doesn't it?

Yes, remember GWB's "Shock & Awe"

I believe the FBI wanted to seize all of the computers and data access devices before he flashed them somehow. I totally agree with you, but that is my only guess for having guns drawn and not allowing him to get dressed.

You guys in the US should be asking this question extremely loudly. You're seeing a full-scale militarisation of your police, and very public fear tactics being used against non-criminals in any case surrounding information security. These stories echo the Stasi-era more and more each day.

Any time part of an organization is given resources, they must use those resources to justify having them and continuing to have them.

They probably rarely have cause to perform this sort of raid, so they do so at any opportunity.

Reading this, I had an idea for a new law that could counteract this stupid reaction to security research:

Particularly for protected patient information (but maybe for other classes of sensitive data as well), it would be interesting to somehow classify having this information breached as a crime by the holder of the information (I realize this might be hard to do given the reality of security these days, so there would need to be some nuance of course). The crux of my idea would be to automatically count any access that results in prosecution as a breach of said data, thus meaning that prosecuting a security researcher would automatically put the information holder under separate prosecution. I wonder if something like this could be feasible.

> classify having this information breached as a crime by the holder of the information

The source of the problem in this case is that the CFAA is too loose/broad and the penalties are absurd. The solution is to fix that. Make it so that the only penalties available are proportional and innocuous actions like reporting vulnerabilities are bright-line not illegal whatsoever.

You're essentially suggesting cold war style MAD as a solution to the government foolishly supplying toxic waste to children who are then found using it to poison people they don't like, under the theory that if everyone can poison everyone then everyone will have to behave. Better to clean up the toxic waste than ensure equal access to it.

>(I realize this might be hard to do given the reality of security these days, so there would need to be some nuance of course)

In my industry, the EPA produces technology-forcing regulation; we will have to invest a few hundred million to meet the upcoming standards and continue selling our product in the US after 2020. To sell our product in 2027, we need technology that hasn't been commercialized yet.

Maybe computer security could use a technology-forcing regulation to get real investment in secure software to happen.

I like a bit of this idea, but too many people already have it in mind that the holder of the information is a "victim of hacking", so punishing them is "victim blaming", which we all know is always bad.

Fun fact:

Many financial institutions use the last 4 of your SSN as identity verification.

If you're a business, it's the last 4 of your FEI/EIN.

I know at least in FL, this is publicly available at sunbiz.org

So with the account number printed at the bottom of your paycheck/stub and the FEI/EIN, you can often authenticate to a financial institution and obtain privileged information.

I know this not because I was on the "hacker" side, but because I was involved on the financial institution side of it and caught this as part of my engagement. The institution was issuing new logins for its internet banking site and the password would have been based on the user's name, zip code, and SSN/FEI/EIN, all 3 of which are available (in FL) on that sunbiz.org site.

My last bank had the username for online banking set to the account number, and the password set to the last 4 of SSN by default. The password was limited to 4 characters, but they did allow special characters.

Years ago, one of my credit unions used SSN as the account number... so every one of our checks had our SSN printed right on it.


In my experience, credit unions are usually worse than Banks on the security side. There are exceptions, but they are not the norm.

One credit union I dealt with always opened and closed with a single employee. Very dangerous for the employee. This same union kept the A and B part codes to their vault in a locked desk drawer (one of those cheap desk drawer locks that anyone can pick with a paper clip) in the lobby, and full internet access was available on all computers. Tellers all shared a single cash drawer and the teller PCs were routinely used by the tellers for general web surfing, Facebook, Pandora, etc...

Unless there is more to the story, he won't be prosecuted for accessing an anonymous FTP server. However, they will scour the computers/drives they took (for months or possibly even years), looking for evidence of this or any other technically illegal misdeed. In the unlikely event they find nothing that they can take issue with (this being a security researcher's computer equipment, they'll find all kinds of hacking tools and possibly evidence of other research that could be construed as hacking attempts), in a year or so, he might get his stuff back. If they find anything, he'll face charges for that.

That's how law enforcement in the US works. A crack in the door, in the form of a ridiculous accusation, is all it takes for one's life to be destroyed.

Here's an investigative tool the CFAA & the FBI needs... if a company like Patterson Dental spins up an investigative raid with a baseless complaint, the Bureau should be able to charge them with a crime. One almost hopes the FBI investigation yields enough evidence to charge Patterson with a criminal violation of HIPAA.

Why would the FBI and prosecutors punish Patterson? They gave the FBI an opportunity for raids and prosecutions, and those look great on an annual review.

> Why would the FBI and prosecutors punish Patterson? They gave the FBI an opportunity for raids and prosecutions, and those look great on an annual review.

Why go after Patterson? Because that would give them opportunities for more raids and prosecutions, which look great on an annual review. And raids and prosecutions for acts which are probably more politically useful to politically-minded US Attorneys than whatever kind of case they could make against Shafer.

True. But given the choice between the two (and they clearly had this choice), I wonder if they consider that an individual will not be able to mount as strong a defense as a business.

> But given the choice between the two (and they clearly had this choice)

That's less clear than it might seem; the information Patterson gave them may have been sufficient basis for probable cause against Shafer, but it was probably shaded (at least by omission) in a way that it did not do so against Patterson.

Now, obviously, one would hope that the FBI would do some meaningful additional investigation before conducting a raid, but there were very few people besides the person they'd been handed as a subject who would have been able to provide information which would have flipped this to something where Patterson would be the offending party (and even there, it's for something for which the FBI is neither the usual first investigating agency nor an agency that is particularly expert.)

Field offices don't have unlimited budgets. If it turns out this raid was unjustified - and it certainly appears to be - it's not going to reflect positively on the people who caused it.

That would make me even more nervous, because if they would find some childprn it would have been justified.

You are being paranoid. There are over 13,000 FBI agents but probably 5x that number are needed to deal with organized crime, white collar crime, national security threats, public corruption, background investigations and other cases within their jurisdiction. You can bet there were/are a few agents shaking their heads in irritation over what appears to be a waste of resources.

This seems like bullshit. It would have been easy to determine ahead of time that Shafer is not a threat to evade arrest, destroy evidence, or harm agents. Based on that, it would have been easy to interrupt Shafer as he headed to his car to drive to work, explain to him his situation, and have him call his wife and ask her to take the children and walk down to the park for an hour. Next time FBI want to harass a citizen like this, they should leave the assault weapons at home.

The public would certainly be safer and happier if there were fewer FBI agents rather than more.

That is even more reason for those FBI agents in charge to find something else to legitimize this waste of resources. For a real-life example of how this works you might google "FBI Keith Gartenlaub"

It needs to be understood that if you react this way to responsible disclosure practices, your company & you personally will be subject to irresponsible disclosure practices.

Oh, I've already learned the lesson loud and clear. If I ever discover a vulnerability to disclose, I'm releasing it anonymously on pastebin sites while logged into Tor through a VPN from a free WiFi spot.

And, of course, sign it with a new PGP key you've just created, so that if you ever need to release a follow-up with proof that it's you, or come forward as the author of the disclosure, you can.

Of course, said key is a liability if it is found in your possession.

Encrypt, hexdump, render in green font on black background, set as wallpaper. Nobody will ask :)

Connect to the VPN after connecting to Tor. Putting the VPN in there can actually lessen anonymity due to a financial relationship. So make sure you procured that VPN anonymously, via Tor, with a crypto currency that you have mixed.

This is my plan too. Responsibly disclose anonymously. That should prevent our corporate lords from sending SWAT teams into our homes.

Would you do this to a company that has a clearly stated responsible disclosure policy and respects your efforts? Especially if it involved commonly used desktop software that would harm many people by ignoring an existing policy?

No, I wouldn't do it to a company that has a history of handling disclosures properly. But for every one company that does that, there's a dozen that are clueless.

Do you have laws in the USA that mandate protection of health data?


But apparently they didn't go after the company, so maybe those data are not the kind of information protected by HIPAA?

It most certainly is information protected by HIPAA. It's just that there are no enforced consequences for companies breaking HIPAA (or pretty much any other law) while there are dire consequences for people accessing public data under the CFAA. I'll put it this way: if I wanted to murder someone in the US and get away with it, there are dozens of opportunities under the law as long as said murder is committed under the umbrella of a corporation. But god fucking forbid you access public data that was not secured properly by idiotic corporations and your life is ruined like this researcher's is about to be. Our judicial system is a joke; a society without justice is no different than the random savagery it purports to be above.

I'm not addressing the FBI response, but hear me out. As a security researcher you have to stop at the first vulnerability. Don't use the vulnerability to get more information. It's the company's responsibility to ascertain the impact of the problem. This person should not have attempted to download anything from the FTP server. They should have spotted the FTP server, notified the company and made it clear they never attempted to download anything from it.

There was a similar issue with S3 credentials and Facebook a few months ago. The security researcher went too far. There was a large outcry by everyone about Facebook's response. I'm not addressing the response. I'm saying as a security researcher you need to protect yourself by trying very hard to limit the impact of what you're doing to remove risk of legal liability. Only go as far as the first problem and no further.

This is so wrong, but it's not surprising. We've been reading stories for years of security researchers being charged with a crime or harassed for simply pointing out blatant security holes.

What kind of thinking is this? He was doing them a favor. Every time, it seems to me that they are embarrassed by the incident and lash out. WHY!?? We should be treating these researchers like heroes, not kicking in their doors and having the FBI charge them with criminal CFAA violations. Once the chilling effect comes down in full force, we'll have a much less secure Internet.

I thought they did not have the "reason" for the arrest -- only the warrant.

The arrest may have nothing to do with accessing the Public FTP, and entirely to do with the research he was doing on the FTP service itself. If he was attempting to exploit the FTP service hosted by someone else (something or other about database credentials was mentioned), he would absolutely be in violation of CFAA. You do that sort of research on your OWN system.

First rule of security testing: make sure you have permission.

It's as if the CFAA was intended to protect behavior like Patterson did.

The FBI seems to have lost its way (Same with most of the other 3-letter governmental entities and other law enforcement). How do we change the system so that they are held accountable for these sort of things?

This is getting ridiculous. I can't predict the general public's opinions on things like this but it seems so clearly "wrong".

I have hope for a peaceful fix but I am skeptical that we aren't well on our way to a much more traditional violent revolution.

Everything I've read on the subject suggests that the early signs of revolution are a sufficiently large disparity between the rich and the poor such that the poor can no longer provide for themselves. It seems like this is well on its way and likely speeding up.

I'd love to see some statistics on situations like the 2014 Ferguson Missouri situation. I'm curious if there's a rise in situations where the government sufficiently crosses the line that the public backlash manifests violently. I expect that we're still in a stage where these situations are still largely centered around poor minorities [1] but situations like this suggest that incidents are starting to expand into demographics that might get the "middle class" [2] to finally pay attention.

I hope we can find a way to unite as a single voice to change things. I hope it doesn't end up being violent. The following things encourage me.

* Decreased relevance of the "mass media". This is a double edged sword. On one hand it allows for news that might be ignored by a major network to still be disseminated widely. On the other hand, the "public" has a really poor track record of consuming news that isn't also entertainment and many of these issues seem to fall entirely outside of people's interests.

* The ability to aggregate these sort of events to establish a clear pattern of behavior. It's getting harder to hide things.

Also these disclaimers:

1. I say poor minorities because based on my knowledge of the law enforcement overstepping, it's typically in situations involving people who are poor and black.

2. The "middle class" is used here to reference a predominantly "white" demographic that most mass media caters to. I've struggled to find the appropriate language here, fearing I'll be labeled a racist somehow. Hoping that my message reads as intended.

In the meantime, companies like Apple and Google are deleting users' files without their consent and infecting computers with malware through ads yet I don't see Tim Cook or Larry Page being woken up in the middle of the night by a SWAT team. What a fucking joke our legal system is.

Use Tor through Whonix gateway. FBI's NIT doesn't have a way through that.

The FBI putting the Cyber in Cyber. I know we all feel safer with them on the watch

So basically, when you discover critical vulnerabilities in a server, do not tell the owners about it. Sell the information anonymously to the highest bidder.

I could not get this site to fully load even after (or maybe because) my adblocker blocked 68 requests.

However, loads great in lynx!

I wasn't joking, the site actually loads much better, faster and more readably in lynx than it did in my regular browser (safari with ABP)


The FBI has always been our enemy, from John Edgar Hoover onward.
