
FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com) 130

blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization that would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.
  • Say what? (Score:5, Insightful)

    by msauve ( 701917 ) on Friday May 27, 2016 @08:23PM (#52199225)
    How is anon FTP not authorized? I give my "name" (anonymous), and credentials (email address), and the system makes the decision to let me in, based on the configuration the sysadmin set. If that's not authorization, what is?
    • by wbr1 ( 2538558 )
      Playing devil's advocate:

      How was it breaking and entering? I put the master key in the lock and the lock opened based on the configuration set by the manufacturer.

      Not saying this is right, but it is how it will be presented. These clowns do not care about intent. If the intent of the law was to protect, then they would welcome true penetration tests that are conducted and reported ethically. Instead the laws, and the way they are prosecuted, are designed to protect those in power, those who execute p

      • by amiga3D ( 567632 )

        Exactly. What he's really guilty of is showing how incompetent they are. They put next to no effort into catching people who actually break into systems and access info to perform identity theft. The only people I see them prosecuting are the ones stupid enough to try to help.

        • by Agripa ( 139780 )

          And the only ones stupid enough to confess.

          Why would you ever admit to doing a good deed like this? Law enforcement is not paid to not arrest you and the courts are not paid to not convict you.

        • by AmiMoJo ( 196126 )

          Best thing to do is anonymously disclose it on a security mailing list and then tip off some journalists so they can bring it to the public's attention. The moment you try to take credit for it, you open yourself up to malicious arrest and prosecution.

          The only time you disclose under your real name is if they have a bug bounty programme.

          Hopefully this guy will sue the incompetent idiots who accused him of breaking in.

      • by msauve ( 701917 )
        The lock manufacturer is not the building owner. But, your argument is simply begging the question. Breaking and entering is a physical act, and can occur even if there is no lock. Even if one follows the analogy, with FTP you're not "entering," you're asking for them to come outside.
        • The risk of getting caught is the only thing that keeps people from helping themselves. Not all people, but enough. If the access is almost anonymous, it's beside the point whether it is allowed or not; people will do what people do.
          • by msauve ( 701917 )
            What "risk of getting caught?" There's only a risk if you're doing something wrong. Are you describing accessing Google, which is free and anonymous (to the extent you want it to be)? How is anonymously accessing a web site any different than accessing an anon FTP server other than the obvious technical difference?
            • Well that really depends if the intention was for the public to see these 22,000 records or not. If that wasn't the intent and you are in there, then you are doing something wrong whether you will get caught at it or not. It doesn't matter if you get caught or not.
              • by msauve ( 701917 )
                LOL. How exactly do you tell whether a web site intends for you to view it? Has anyone ever explicitly authorized you to post on slashdot?
                • You're saying if you wandered into an FTP site with 22,000 private medical records you would feel like you were supposed to be there? In certain cases I would be inclined to believe you, and so would a judge. In this case I wouldn't. It's not something that is supposed to be public. I'd expect a judge would also want to know why you were there and what purpose you thought you had.
                  • by msauve ( 701917 )
                    So, how do you know in advance that there are 22,000 private medical records? The file listing tells you how many, and you only need to see 1 to find out what the files contain.

                    I'm sorry, but you really don't have any arguments which are reasonable, let alone well thought. Maybe next time.
      • First, that's not how locks work. A normal lock has only one keying. Master keyed locks are done so by larger organizations. To get that master key you have to either get it from them in an authorized manner, or steal it somehow. It isn't like the manufacturers maintain an "all locks" master key and hand it out to people.

        However more to the point an anon FTP is an implicit invitation to anyone to come in, just like a public HTTP server. In terms of the real world, it is like an open store. If you enter an u

    • Boy some of you guys must be pretty young. Have you ever used anonymous ftp? Anonymous ftp works by entering the host, then your username, coincidentally: "anonymous" or "ftp", and then you enter your email or the password "guest". It doesn't even check if these are correct. It just lets you straight through [webopedia.com]
  • terrorist pedo. this is easy.
  • ...dental software security researcher ...

    That's, er, pretty specialized!

    I have a lot of "issues" with so-called "security researchers", which in many cases are either opportunistic hackers or script kiddies. But really, how can it be "hacking" to access data that does not require "breaking in" to anything? Sure, the dude was not invited, but if it's out there, not fire-walled, and all you need to do is type in some random URL, how can that be illegal?

    Now, there may very well be laws, rules, whatever about medical records, but if anything then it's

    • by amiga3D ( 567632 )

      Let me tell you about the HIPAA bullshit. I have more trouble getting access to my records than damn near anyone else. They share my info with all kinds of people.

  • by JustAnotherOldGuy ( 4145623 ) on Friday May 27, 2016 @08:43PM (#52199289)

    The moral of the story is that if you discover something like this, close your browser and tell no one.

    Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.

    • by rch7 ( 4086979 )

      Such cases are not about reporting but about extortion. Note dental software. Not some free tetris game software, but "dental". It means money and easy extortion target as they would have big & expensive problem with government institutions when client records are disclosed to everybody.

    • by Anonymous Coward

      Yep... If you're going to be treated like a criminal anyway, may as well act like one and derive some benefit from the spoils.

    • The moral of the story is that if you discover something like this, close your browser and tell no one.

      Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.

      Just to be clear here, your reaction is the intent. If you embarrass somebody who has money, thugs with guns will come kick your door down.

      Better not do that.

      • Just to be clear here, your reaction is the intent.

        Of course, which is why you must report this kind of thing anonymously, if at all.

        And since real anonymity is nearly impossible these days (especially in the case of embarrassing somebody who has money), the safest course of action is to close your browser and tell no one.

        As Clare Boothe Luce said, "No good deed goes unpunished", and that's as true today as the first time she uttered it.

  • by Anonymous Coward

    An anonymous FTP server is like a park bench. Literally anyone can use it.

    This is like alerting the owner of a bag of money which is on a park bench, and then being penalized for sitting on the bench or looking in the bag.

    If only they'd go after Wall Street as ferociously as they go after those who investigate company security. But then, the reason they go after those who cross big companies is the same reason they don't go after the people in big companies.

  • He is not the first one. The popular racket is simple, they scan for rich doctor files accidentally left online. Once they find something, they offer a "security service" for $###,###. Sure, they don't report their paying "clients" to government for medical records protection violation. It doesn't apply to non-clients. It is not kiddie game.

  • The article describes him as a "dental software security researcher". Does that mean it's his job? If so, was he working for the company whose computer he accessed? If so, isn't this authorized access as part of his job? Or was he accessing the system of a competitor of his client? That would be almost certainly unauthorized. I read the linked article and it is light on those details. I think this case would come down to whether or not he was doing this as part of his job and was therefore authorize
    • but one would have to wonder why he would be trying to access systems of someone who wasn't his client.

      Because it was anonymous FTP? That's the whole point of anon FTP, you know: that anybody is allowed to use it.

      • but one would have to wonder why he would be trying to access systems of someone who wasn't his client.

        Because it was anonymous FTP? That's the whole point of anon FTP, you know: that anybody is allowed to use it.

        I do understand about anonymous FTP. The point I was trying to make is all that is moot if he was hired to test that security in the first place. I guess my question boils down to this: Who exactly hired him? I'm genuinely curious, cause to me this story doesn't make a whole lot of sense.

  • by jenningsthecat ( 1525947 ) on Friday May 27, 2016 @10:24PM (#52199575)

    and woe to the subject who points out that fact. Forget 'security by obscurity' - the gubmint seems hell-bent on 'security by denial'. These days it's safest to pretend not to see security failings. Failing that, it almost seems to be the safer, wiser course of action to profit illegally from said security flaws than to point them out in the hope that they'll be fixed.

  • If I access a router with a known backdoor password, and someone failed to patch it, that is breaking and entering. It is clear that such access was not intended by the owner of the device, and I am effectively breaching their perimeter without their permission. In this case the guy used anonymous FTP. The entire purpose of anonymous FTP is to allow anyone to download files. FTP technology and anonymous access is routinely employed by companies and websites specifically to exchange files with everyone.
  • Make an anon release to a news outlet. Hilarity ensues.

  • If you have nothing to hide, you should not be worried, they said. The government is there to protect us, they said. The government has a right to do those things, they said. The government would never cross the line, they said.
    Well, I would say at this point it is probably past the "too late" stage and you are stuck with the monster which decades of apathy and "blind misplaced patriotism" has created.
    The US government has so much power at this point, I find it hard to imagine the people could ever take it

  • Every time I go to the hospital they have no ability to access my previous records!

  • by BlueStrat ( 756137 ) on Saturday May 28, 2016 @04:50AM (#52200303)

    This poor schlub is being prosecuted because he's highlighted one of the pitfalls of the ACA's requirements that medical records be converted to and stored as computer data...that, even barring malicious and intentional hacking, leaks and poor security practices will ensure that patient data will be exposed regardless of any laws or legal penalties put in place. Something those in power assured us would not happen.

    He's getting screwed-over because he dared expose the dishonesty of those in power.

    The lesson? If you just happen to discover a way to access any of the US government's law enforcement/intelligence networks, do not notify them of a vulnerability. Either sell the method of access and/or the data acquired, or simply post it on the 'net on a server located in Ecuador.


  • The US is tripping over itself to become a police state as soon as possible.

  • The wrong person was arrested. The absolute idiot that exposed secure info should be arrested, fined, and banned from any IT job or function for life. Further, the HIPAA regs need to be made clearer and more encompassing, and enforced. If my info were in that compromised data, I'd be very angry at NOT Mr Shafer, rather the blithering idiot that made these data so available!
