FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com) 130
blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization that would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.
Say what? (Score:5, Insightful)
Re: (Score:2)
If the bank leaves its vault open, can you take the money?
If they stick a sign outside saying "free money" and have an anonymous form at the door to fill out saying "add a tally for yourself if you took some free money" then yes, you fucking can. The only difference in this case is there was no money involved.
Re: (Score:2)
If they stick a sign outside saying "free money" and have an anonymous form at the door to fill out saying "add a tally for yourself if you took some free money" then yes, you fucking can
No, I don't think you can even then. Banks don't have any authority to give out "free money" and so any such sign would clearly have been put up by someone without authorization to do so. (Perhaps a disgruntled employee.) Since a reasonable person would have drawn that conclusion, I don't think you'd get away with taking money in that circumstance.
Re: (Score:2)
What's the basis of that statement? Why can't a business give away money, if they wish, and there's internal approval (i.e. not just an offer from some rogue employee)?
Re: (Score:2)
" What's the basis of that statement? Why can't a business give away money, if they wish, and there's internal approval?
Because there are money laundering statutes that say you can't.
Re: (Score:2)
Re: (Score:2)
Wrong.
All money laundering rules require is that you can trace the source of money and usually only require cursory checks unless significant money is involved. In the case of the hypothetical bank the fact you got the money you were at the bank and they were giving out money would be sufficient proof. You might be getting confused with bribery laws that state you can't give cash etc for favours and even then only specific situations.
Anyway companies give out money all the time... They frequently give mo
Re: (Score:2)
Wrong.
All money laundering rules require is that you can trace the source of money and usually only require cursory checks unless significant money is involved. In the case of the hypothetical bank the fact you got the money you were at the bank and they were giving out money would be sufficient proof. You might be getting confused with bribery laws that state you can't give cash etc for favours and even then only specific situations.
Not true. There are strict rules about banks giving money away. For instance: suppose I were a drug dealer and I had $500,000 that needed to be laundered. I take it to my favorite bank and give it to them in a dark room at the back. Next day the bank, out of the goodness of their heart, decides to give me a "gift" of $450,000. (The bank gets their 10%). Voilà: perfectly laundered money!
Re: (Score:2)
Nope the bank has to be able to show that the money it accepted was from a legitimate source. It can give away all the money it wants but has to be able to show it obtained it from a legal source and that it was its money to give away (and not a customers).
Re: Say what? (Score:5, Insightful)
OTOH, an anon FTP server is a well known actual thing and has been for decades. A better question is if you walk past a tray of prepared food at the grocery store and it has a sign saying please take one, is it theft if you take one?
Re: (Score:2)
if you walk past a tray of prepared food at the grocery store and it has a sign saying please take one, is it theft if you take one?
Of course not. But if you walk past someone's car and see a set of hubcaps you like, it is theft to pry them off and take them?
Re: (Score:2)
Naturally it is theft to take the hubcaps off of someone's car, None of the socially agreed upon signs are there that they are being offered to you.
Re: (Score:1)
Of course not. But if you walk past someone's car and see a set of hubcaps you like, it is theft to pry them off and take them?
This is a false equivalency. An anonymous FTP server was designed explicitly to let people connect without authorization and to serve up whatever it contains to whomever asks.
Re: Say what? (Score:2)
Re: (Score:2)
You have a bizarre idea on theft. I guess you gave your birthday presents back unopened when you were a child?
Re: There was no sign (Score:1)
Re: (Score:2)
Net servers assume business rules, not residential.
Access implies permission to download in an anon FTP server. The whole purpose of anon FTP is to distribute data freely to the public (remember, it pre-dates HTTP).
The defendant's "crime" is as follows: He picks up the store manager's wallet off of the tray under the "Please take one" sign, holds it up and calls to the manager "Hey, I don't think you meant to leave this here". Suddenly cops with assault weapons appear behind him and take him away.
The icing
Re: There was no sign (Score:2)
Your problem is use of the house/doorway metaphor where it does not fit. Even if you could make a case (which I'll not address here) that allowing someone to log into a server does not automatically grant the right to download files to which they have been given read access, you certainly cannot make such a case for an FTP server, which is dedicated to allowing downloads and/or uploads of accessible files. The fact of its being an FTP server that allows the user access counts as the "Please download" sign.
Re: (Score:2)
Is it theft you didn't subtracted anything from the owner?
What about the privacy of the person whose information was in the records?
Re: (Score:3)
Sure they can!
Here's how:
They create a new class of "loan", with a 0% interest rate, and a date of mandatory repayment of 100bn years from now.
They can put a sign up front advertising these amazing loans, "No credit check, not deposit, no ID required!"
The bank can issue up to 9x the value of thier current deposit holdings in such "loans", and the money they lend out comes from nothing-- per how federal reserve banking is designed to work.
If the bank offers such a "loan", you are perfectly free to take all t
Re: (Score:1)
Re: (Score:3)
Re: (Score:3)
And people don't take the money, they just look at it. Is that theft? Unauthorized access?
Re: (Score:2)
For decades now it has been understood that if the FTP server accepts anon as the user name and an email address as the password, it is an anon FTP server and you are authorized. That is the sign. Much like it is understood that you need not knock to enter a place of business when the door is unlocked.
Re: (Score:1)
Yeah this would be like going into a bank through what looks like a public entrance and finding yourself in the bank vault. And then the cops arrest your for bank robbery. Even though you didn't take anything.
Re: Say what? (Score:5, Informative)
Allowing an anonymous login for an FTP server is tantamount to putting up a sign which says "take the files". If you don't understand why, just follow this link [nasa.gov]. If you did, in fact, follow that link, congratulations: you just downloaded a file from an FTP server using an anonymous login. It's such an accepted thing that your web browser just did that process for you without bothering to ask if you were okay with it. You've now done the same thing he was accused of doing without even knowing you were doing it.
Putting files on a public FTP server with an anonymous login is exactly the same as putting those files on a public HTTP server without requiring user credentials. The only difference is which protocol is being used.
Re: (Score:1)
Re: (Score:2)
Rodney, you plonker, that's an FTP server's grape of being.
Re: (Score:1)
Let's stick to the original question. Don't let an AC change what is being discussed. They are not the same thing and the AC knows it.
If he wanted to use the bank bit, it would be like the bank allowing anyone off the street to see my banking business. In my case that's boring. For some people, like politicians - that's gold there. They really don't want anyone looking at their business.
Re: (Score:2)
No, but I think you could look at it. To steal you have to take.
Re: (Score:1)
This is more like "if someone leaves their curtains open, can I look inside from across the street and even take pictures if I want?" To which the correct answer is, yes. Since nobody can be bothered to correct these issues at election time, I just don't think about it. You cannot reason with an authoritarian and irrational mob, so appeasement seems to be the favored option.
Re: (Score:2)
This is more like "if someone leaves their curtains open, can I look inside from across the street and even take pictures if I want?" To which the correct answer is, yes.
Actually the correct answer is "maybe, but likely no." Most places that's considered an invasion of privacy because it's a private dwelling, and an individual has the right to privacy even with their curtains open.
Re: (Score:1)
Not if it is plain view.
Re: (Score:2)
Not if it is plain view.
Even in plain view. Statue and case law on that stuff is generally pretty clear, but can vary from place to place.
Re: (Score:2)
Rubbish. If, in the normal course of events it would be visible, there's no invasion. If the people opposite my apartment leave their curtains open, that puts zero restriction on MY right to look out of MY window, whatever they're doing.
If I was using ladders or one of those fire engine arm things[1] to rise over a nine-foot wall it'd be different.
Stop making stuff up.
[1] What are they called?
Re: (Score:2)
Better learn that it is an invasion of privacy if you ever come to Canada. You wouldn't want to spend 6mo to 4 years in prison for it. See this is what falls into "private areas" there's also semi-public like the walkway going to the front of your house, and public like the sidewalk or street in front of the house/building.
Re: (Score:2)
Tell you what, how about you learn to give a citation or fuck off? The first hit from google says just about the opposite; the observed person could be guilty of indecent exposure.
https://www.thestar.com/news/2... [thestar.com]
Re: (Score:2)
Article is wrong, so very wrong. Then again it's the Toronto Star, also known in Canada as the Red Star and is known to take a very authoritarian view on things. You enjoy that citation now [wikibooks.org] which will give you a brief overview on criminal and non-criminal privacy rights and you can enjoy this one too. [canlii.org] Which reinforced S.8 of the Charter of Rights and Freedoms. You can also find more cases using "the citizen's right to a reasonable expectation of privacy" on this site. [canlii.org]
Re: (Score:1)
Re: (Score:2)
The bank vault analogy is bad - in part because taking money from the vault deprives the bank of the money while copying dental records does not affect access by the person who put them there any more then you reading this response reduces the value to anyone else wishing to read this response.
A better analogy would be if the person responsible for the dental records printed them on flyers and stood on the street corner with a signboard saying "free information" and offered the flyers for free without restr
Re: (Score:2)
Bad analogy. How about this: You walk up to a bank with several doors in the front, and a note reading "Please enter through the door with your name. If permitted to take items, there will be a bag just inside your door, otherwise you are to look but not touch." Each door has a long hallway that leads to a room at the end, and each door has a name at the top of it. At the end of this the line of doors is a door that has a note saying "If no doo
Re: (Score:3)
How was it breaking and entering? I put the master key in the lock and the lock opened based on the configuration set by the manufacturer.
Not saying this is right, but it is how it will be presented. These clowns do not care about intent. If the intent of the law was to protect, then they would welcome true penetration tests that are conducted and reported ethically. Instead the laws, and they way they are prosecuted, are designed to protect those in power, those who execute p
Re: (Score:3)
Exactly. What he's really guilty of is showing how incompetent they are. They put next to no effort into catching people who actually break into systems and access info to perform identity theft. The only people I see them prosecuting are the ones stupid enough to try to help.
Re: (Score:3)
And the only ones stupid enough to confess.
Why would you ever admit to doing a good deed like this? Law enforcement is not paid to not arrest you and the courts are not paid to not convict you.
Re: (Score:2)
Best thing to do is anonymously disclose it on a security mailing list and then tip off some journalists do they can bring it to the public's attention. The moment you try to take credit for it, you open yourself up to malicious arrest and prosecution.
The only time you disclose under your real name is if they have a bug bounty programme.
Hopefully this guy will sue the incompetent idiots who accused him of breaking in.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I'm sorry, but you really don't have any arguments which are reasonable, let alone well thought. Maybe next time.
Couple differences (Score:2)
First, that's not how locks work. A normal lock has only one keying. Master keyed locks are done do by larger organizations. To get that master key you have to either get it from them in an authorized manner, or steal it somehow. It isn't like the manufacturers maintain an "all locks" master key and hand it out to people.
However more to the point an anon FTP is an implicit invitation to anyone to come in, just like a public HTTP server. In terms of the real world, it is like an open store. If you enter an u
Re: (Score:1)
Re: (Score:3)
Unfortunately, none seem to have anything to do with cars. What has /. degraded to?
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:3)
Who's wallet did he steal? All he did was look at your wallet sitting on the counter, saw that there was money hanging out of it, then turned around and left.
Because it is anonymous FTP (Score:2)
security researcher (Score:1)
Kill The Messenger! (Score:2)
...dental software security researcher ...
That's, er, pretty specialized!
I have a lot of "issues" with so-called "security researchers", which in many case are either opertunistic hackers or script kiddies. But really, how can it be "hacking" to access data that does not require "breaking in" to anything? Sure, the dude was not invited, but if it's out there, not fire-walled, and all you need to do is type in some random URL, how can that be illegal?
Now, there may very well be laws, rules, whatever about medical records, but if anything than it's
Re: (Score:3)
Let me tell you about the HIPAA bullshit. I have more trouble getting access to my records than damn near anyone else. They share my info with all kinds of people.
The moral of the story (Score:5, Insightful)
The moral of the story is that if you discover something like this, close your browser and tell no one.
Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.
Re: (Score:2)
Such cases are not about reporting but about extortion. Note dental software. Not some free tetris game software, but "dental". It means money and easy extortion target as they would have big & expensive problem with government institutions when client records are disclosed to everybody.
Re: (Score:1)
Yep... If you're going to be treated like a criminal anyway, may as well act like one and derive some benefit from the spoils.
Re: (Score:2)
The moral of the story is that if you discover something like this, close your browser and tell no one.
Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.
Just to be clear here, your reaction is the intent. If you embarrass somebody who has money, thugs with guns will come kick your door down.
Better not do that.
Re: (Score:2)
Just to be clear here, your reaction is the intent.
Of course, which is why you must report this kind of thing anonymously, if at all.
And since real anonymity is nearly impossible these days (especially in the case of embarrassing somebody who has money), the safest course of action is to close your browser and tell no one.
As Clare Boothe Luce said, "No good deed goes unpunished", and that's as true today as the first time she uttered it.
Re: (Score:1)
Re: (Score:1)
Type up a sheet with instructions on how to access the data. Print copies and place in envelopes. Label envelopes with names of "real press" reporters. Drop envelopes at establishments or homes where reporters can be found. Watch news outlets. Eat popcorn.
Anonymous FTP server is as private as park bench (Score:2, Insightful)
An anonymous FTP server is like a park bench. Literally anyone can use it.
This is like alerting the owner of a bag of money which is on a park bench, and then being penalized for sitting on the bench or looking in the bag.
If only they'd go after Wall Street as ferociously as they go after those who investigate company security. But then, the reason they go after those who cross big companies is the same reason they don't go after the people in big companies.
Re: (Score:2)
That is completely nonsense. It is like walking up to a shop with the lights on and no Open or Closed sign or any posted hours and opening the door and entering the shop if the door opens.
I don't recall when I first accessed an anon FTP server, but it was certainly well over 25 years ago and I've used anon access many times. If user 'anonymous' and an arbitrary email address is accepted as a password, it's open for the public to access anything that the user can get to -- everyone knows that and everyone kn
Re: (Score:2)
If they aren't supposed to, then put a fence around it with a combination lock to open the gate, and only give the combination to people who are supposed to be there.
looks like another "protection service" (Score:2)
He is not the first one. The popular racket is simple, they scan for rich doctor files accidentally left online. Once they find something, they offer a "security service" for $###,###. Sure, they don't report their paying "clients" to government for medical records protection violation. It doesn't apply to non-clients. It is not kiddie game.
Was he authorized? (Score:1)
Re: (Score:3)
but one would have to wonder why he would be trying to access systems of someone who wasn't his client.
Because it was anonymous FTP? That's the whole point of anon FTP, you know: that anybody is allowed to use it.
Re: (Score:2)
but one would have to wonder why he would be trying to access systems of someone who wasn't his client.
Because it was anonymous FTP? That's the whole point of anon FTP, you know: that anybody is allowed to use it.
I do understand about anonymous FTP. The point I was trying to make is all that is moot if he was hired to test that security in the first place. I guess my question boils down to this: Who exactly hired him? I'm genuinely curious, cause to me this story doesn't make a whole lot of sense.
Re: (Score:2)
What if no one hired him? What if he just happened upon the FTP server?
The article specifically says he's a dental software security researcher. It's his job. Therefore it stands to reason, someone hired him.
Re:It might be correct course of action (Score:4, Insightful)
Are you seriously that mentally challenged? How is it not clear that it was anonymous FTP?
led him to an anonymous FTP server that allowed anyone access.
That's pretty damned clear that it was an anonymous FTP server, because it's described as an anonymous FTP server right there in the text.
There's also the quote about it being a password protected FTP server back in 2006, with a single password that never changed, until they made it anonymous around 2010.
And are you really assuming that they were password protected because they're medical records, which are "always under password protected area?" They must have been password protected, simply because they should have been password protected? Your faith in humanity is astounding. And misplaced.
Maybe next time, instead of pretending you read the article, you could, you know, actually read the article.
Re: (Score:1)
> And are you really assuming that they were password protected because they're medical records, which are "always under password protected area?" They must have been password protected, simply because they should have been password protected? Your faith in humanity is astounding. And misplaced.
The company is legally required to keep that data in secure location. Thus the company's secure location extends to the place where the patient data was found. And accessing it without authorisation is illegal. It
Re: (Score:3)
Re: (Score:3)
Re: (Score:1)
The company is legally required to keep that data in secure location. Thus the company's secure location extends to the place where the patient data was found. And accessing it without authorisation is illegal. It's basically similar situation than if you accidentally found out someone's credit card pin code. The person might be careless with communicating his secrets, but still it's still illegal to use the pin code for anything. Same happens with patient data, the secret data might be carelessly handled, but any access to the data is still illegal operation.
That's a cute theory, and from TFS apparently the thing the prosecutor is trying to gain a conviction (and perhaps a promotion) with.
But it is a deeply disturbing conflation of two issues. First, we have the data, that ought to be protected. Second, we have the means with which it is or is not being protected, which is obliged to be there. This legal theory says that because you have the first, the second turns into legal protection, when it was supposed to be a legal stick to make sure there is actual prot
Re: (Score:1)
> IOW, you may be obliged to protect that data but it doesn't have to be technical. You just boobietrap the thing with legal red tape and done. Which means that if you tell people about their technical protection oversights you're going to get ensnared and jailed, while if you simply snatch the data and sell it, nobody cares.
Maybe their cunning plan for data security was that the ip address of their ftp site is already enough protection for their patient data. If noone knows the server exists, it might e
The emperor has no clothes, (Score:3)
and woe to the subject who points out that fact. Forget 'security by obscurity' - the gubmint seems hell-bent on 'security by denial'. These days it's safest to pretend not to see security failings. Failing that, it almost seems to be the safer, wiser course of action to profit illegally from said security flaws than to point them out in the hope that they'll be fixed.
Re: (Score:2)
If you shoot the messenger, you'll stop getting messages.
Anonymous FTP is the key (Score:2)
The best way to go (Score:2)
Make an anon release to a news outlet. Hilarity ensues.
Remember that time? (Score:2)
If you have nothing to hide, you should not be worried, they said. The government is there to protect us, they said. The government has a right to do those things, they said. The government would never cross the line, they said.
Well, I would say at this point it is probably past the "too late" stage and you are stuck with the monster which decades of apathy and "blind misplaced patriotism" has created.
The US government has so much power at this point, I find it hard to imagine the people could ever take it
Meanwhile... (Score:2)
Every time I go to the hospital they have no ability to access my previous records!
Protecting ACA (Score:3)
This poor schlub is being prosecuted because he's highlighted one of the pitfalls of the ACA's requirements that medical records be converted to and stored as computer data...that, even barring malicious and intentional hacking, leaks and poor security practices will ensure that patient data will be exposed regardless of any laws or legal penalties put in place. Something those in power assured us would not happen.
He's getting screwed-over because he dared expose the dishonesty of those in power.
The lesson? If you just happen to discover a way to access any of the US government's law enforcement/intelligence networks, do not notify them of a vulnerability. Either sell the method of access and/or the data acquired, or simply post it on the 'net on a server located in Ecuador.
Strat
Re: (Score:1)
"Kill the messenger."
Hmmm (Score:1)
The US is tripping over itself to become a police state as soon as possible.
Wrong idiot arrested... (Score:1)