FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com)

← Back to Stories (view on slashdot.org)

FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com)

Posted by BeauHD on Friday May 27, 2016 @12:15PM from the unauthorized-access dept.

blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization that would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.

130 comments

Min score:

Reason:

Sort:

Say what? by msauve · 2016-05-27 12:23 · Score: 5, Insightful

How is anon FTP not authorized? I give my "name" (anonymous), and credentials (email address), and the system makes the decision to let me in , based on the configuration the sysadmin set. If that's not authorization, what is?

--
"National Security is the chief cause of national insecurity." - Celine's First Law
1. Re: Say what? by Anonymous Coward · 2016-05-27 12:30 · Score: 0
  
  If the bank leaves its vault open, can you take the money?
2. Re:Say what? by wbr1 · 2016-05-27 12:33 · Score: 2
  
  Playing devils advocate:
  How was it breaking and entering? I put the master key in the lock and the lock opened based on the configuration set by the manufacturer.
  Not saying this is right, but it is how it will be presented. These clowns do not care about intent. If the intent of the law was to protect, then they would welcome true penetration tests that are conducted and reported ethically. Instead the laws, and they way they are prosecuted, are designed to protect those in power, those who execute poor judgement.
  
  --
  Silence is a state of mime.
3. Re: Say what? by NicknameUnavailable · 2016-05-27 12:37 · Score: 2
  
  If the bank leaves its vault open, can you take the money?
  If they stick a sign outside saying "free money" and have an anonymous form at the door to fill out saying "add a tally for yourself if you took some free money" then yes, you fucking can. The only difference in this case is there was no money involved.
4. Re: Say what? by amiga3D · 2016-05-27 12:44 · Score: 1
  
  No, but I think you could look at it. To steal you have to take.
5. Re: Say what? by fustakrakich · 2016-05-27 12:45 · Score: 1
  
  This is more like "if someone leaves their curtains open, can I look inside from across the street and even take pictures if I want?" To which the correct answer is, yes. Since nobody can be bothered to correct these issues at election time, I just don't think about it. You cannot reason with an authoritarian and irrational mob, so appeasement seems to be the favored option.
  
  --
  “He’s not deformed, he’s just drunk!”
6. Re:Say what? by amiga3D · 2016-05-27 12:46 · Score: 2
  
  Exactly. What he's really guilty of is showing how incompetent they are. They put next to no effort into catching people who actually break into systems and access info to perform identity theft. The only people I see them prosecuting are the ones stupid enough to try to help.
7. Re: Say what? by Anonymous Coward · 2016-05-27 13:09 · Score: 0
  
  An open door is invitation.
8. Re:Say what? by msauve · 2016-05-27 13:16 · Score: 1
  
  The lock manufacturer is not the building owner. But, your argument is simply begging the question. Breaking and entering is a physical act, and can occur even if there is no lock. Even if one follows the analogy, with FTP you're not "entering," you're asking for them to come outside.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
9. Re: Say what? by BitterOak · 2016-05-27 13:16 · Score: 1
  
  If they stick a sign outside saying "free money" and have an anonymous form at the door to fill out saying "add a tally for yourself if you took some free money" then yes, you fucking can
  No, I don't think you can even then. Banks don't have any authority to give out "free money" and so any such sign would clearly have been put up by someone without authorization to do so. (Perhaps a disgruntled employee.) Since a reasonable person would have drawn that conclusion, I don't think you'd get away with taking money in that circumstance.
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
10. Re: Say what? by msauve · 2016-05-27 13:44 · Score: 1
  
  "Banks don't have any authority to give out "free money" "
  
  What's the basis of that statement? Why can't a business give away money, if they wish, and there's internal approval (i.e. not just an offer from some rogue employee)?
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
11. Re: Say what? by BitterOak · 2016-05-27 13:51 · Score: 1
  
  " What's the basis of that statement? Why can't a business give away money, if they wish, and there's internal approval?
  Because there are money laundering statutes that say you can't.
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
12. Re:Say what? by VikingNation · 2016-05-27 13:53 · Score: 0
  
  Consider the following scenario. I leave my front door unlocked while out in my back your. You see me out back and open the front door and go in and steal my wallet. I catch you in the act and call the police. Should you get off the charge because the door was unlocked?
13. Re: Say what? by VikingNation · 2016-05-27 13:53 · Score: 1
  
  There was no sign saying 'take the files'. Your analogy breaks down and is not sound.
14. Re: Say what? by VikingNation · 2016-05-27 13:54 · Score: 1
  
  No it is not. You cannot enter someones property uninvited.
15. Re: Say what? by fluffernutter · 2016-05-27 14:03 · Score: 2
  
  I agree. A better analogy is that a bank opens their vault, assures a room of two million people that they are not being watched, and then simply leaves them to do whatever they want. They aren't allowed to take the money, but human nature is what it is.
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
16. Re:Say what? by fluffernutter · 2016-05-27 14:05 · Score: 0
  
  The risk of getting caught is the only thing that keeps people from helping themselves. Not all people, but enough. If the access is almost anonymous, it's beside the point whether it is allowed or not; people will do what people do.
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
17. Re:Say what? by msauve · 2016-05-27 14:07 · Score: 1
  
  Non sequitur. What you describe is a physical act constituting not only breaking and entering, but burglary. But to continue with your false analogy, you didn't ask the door to let you in, it didn't open upon your request (so there was no authorization), and you didn't ask for the wallet and have it given to you.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
18. Re:Say what? by fluffernutter · 2016-05-27 14:08 · Score: 1
  
  Are you that confident that someone accessing anonymous FTP would get caught? Because that's really the point. It's a risk-reward calculation.
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
19. Re: Say what? by msauve · 2016-05-27 14:09 · Score: 1
  
  Cite? I think that claim is made of whole cloth.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
20. Re:Say what? by msauve · 2016-05-27 14:14 · Score: 1
  
  What "risk of getting caught?" There's only a risk if you're doing something wrong. Are you describing accessing Google, which is free and anonymous (to the extent you want it to be)? How is anonymously accessing a web site any different than accessing an anon FTP server other than the obvious technical difference?
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
21. Re:Say what? by cbiltcliffe · 2016-05-27 14:15 · Score: 2
  
  Who's wallet did he steal? All he did was look at your wallet sitting on the counter, saw that there was money hanging out of it, then turned around and left.
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
22. Re:Say what? by fluffernutter · 2016-05-27 14:25 · Score: 1
  
  Well that really depends if the intention was for the public to see these 22,000 records or not. If that wasn't the intent and you are in there, then you are doing something wrong whether you will get caught at it or not. It doesn't matter if you get caught or not.
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
23. Re: Say what? by Mashiki · 2016-05-27 14:45 · Score: 1
  
  This is more like "if someone leaves their curtains open, can I look inside from across the street and even take pictures if I want?" To which the correct answer is, yes.
  Actually the correct answer is "maybe, but likely no." Most places that's considered an invasion of privacy because it's a private dwelling, and an individual has the right to privacy even with their curtains open.
  
  --
  Om, nomnomnom...
24. Re: Say what? by fustakrakich · 2016-05-27 14:49 · Score: 1
  
  Not if it is plain view.
  
  --
  “He’s not deformed, he’s just drunk!”
25. Re:Say what? by msauve · 2016-05-27 14:55 · Score: 1
  
  LOL. How exactly do you tell whether a web site intends for you to view it? Has anyone ever explicitly authorized you to post on slashdot?
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
26. Re:Say what? by fluffernutter · 2016-05-27 15:07 · Score: 1
  
  You're saying if you wandered into an FTP site with 22,000 private medical records you would feel like you were supposed to be there? In certain cases I would be inclined to believe you, and so would a judge. In this case I wouldn't. It's not something that is supposed to be public. I'd expect a judge would also want to know why you were there and what purpose you thought you had.
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
27. Re:Say what? by msauve · 2016-05-27 15:27 · Score: 1
  
  So, how do you know in advance that there are 22,000 private medical records? The file listing tells you how many, and you only need to see 1 to find out what the files contain.
  
  I'm sorry, but you really don't have any arguments which are reasonable, let alone well thought. Maybe next time.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
28. Re: Say what? by sjames · 2016-05-27 15:37 · Score: 4, Insightful
  
  OTOH, an anon FTP server is a well known actual thing and has been for decades. A better question is if you walk past a tray of prepared food at the grocery store and it has a sign saying please take one, is it theft if you take one?
29. Re: Say what? by sjames · 2016-05-27 16:21 · Score: 1
  
  For decades now it has been understood that if the FTP server accepts anon as the user name and an email address as the password, it is an anon FTP server and you are authorized. That is the sign. Much like it is understood that you need not knock to enter a place of business when the door is unlocked.
30. Re: Say what? by wierd_w · 2016-05-27 16:24 · Score: 2
  
  Sure they can!
  Here's how:
  They create a new class of "loan", with a 0% interest rate, and a date of mandatory repayment of 100bn years from now.
  They can put a sign up front advertising these amazing loans, "No credit check, not deposit, no ID required!"
  The bank can issue up to 9x the value of thier current deposit holdings in such "loans", and the money they lend out comes from nothing-- per how federal reserve banking is designed to work.
  If the bank offers such a "loan", you are perfectly free to take all the free money that you will be too dead to pay back by the due date that you want, until the bank runs out of credit.
  Most banks are not this stupid, being for profit institutions-- they expect to be paid back their credit, (which, once they are repaid, the money you give them becomes holdings, and they can lend THAT out at 900% as well) and expect that you will hold the loan in either their bank, or another bank they can take an interbank loan from, and mass generate wealth from nothing. Giving away money at 0% with a due date older than the projected heat death of the universe is not something they will consider-- But if they did, it is not bank robbery to accept their generous offer.
31. Re: Say what? by Anonymous Coward · 2016-05-27 16:39 · Score: 0
  
  I asked (supplied username/password). The system said "come on in."
32. Re: Say what? by Mashiki · 2016-05-27 16:42 · Score: 1
  
  Not if it is plain view.
  Even in plain view. Statue and case law on that stuff is generally pretty clear, but can vary from place to place.
  
  --
  Om, nomnomnom...
33. Re: Say what? by uncqual · 2016-05-27 17:10 · Score: 1
  
  The bank vault analogy is bad - in part because taking money from the vault deprives the bank of the money while copying dental records does not affect access by the person who put them there any more then you reading this response reduces the value to anyone else wishing to read this response.
  A better analogy would be if the person responsible for the dental records printed them on flyers and stood on the street corner with a signboard saying "free information" and offered the flyers for free without restrictions to anyone who asked for them.
  
  --
  Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
34. Re: Say what? by KeithIrwin · 2016-05-27 17:41 · Score: 5, Informative
  
  Allowing an anonymous login for an FTP server is tantamount to putting up a sign which says "take the files". If you don't understand why, just follow this link. If you did, in fact, follow that link, congratulations: you just downloaded a file from an FTP server using an anonymous login. It's such an accepted thing that your web browser just did that process for you without bothering to ask if you were okay with it. You've now done the same thing he was accused of doing without even knowing you were doing it.
  Putting files on a public FTP server with an anonymous login is exactly the same as putting those files on a public HTTP server without requiring user credentials. The only difference is which protocol is being used.
35. Re: Say what? by rrohbeck · 2016-05-27 17:48 · Score: 2
  
  And people don't take the money, they just look at it. Is that theft? Unauthorized access?
  
  --
  thegodmovie.com - watch it
36. Re: Say what? by Anonymous Coward · 2016-05-27 21:01 · Score: 0
  
  Wow, it's like you're the only one that understands; thank you olde-timer!
  CAP === 'iceberg'
37. Re: Say what? by Hognoxious · 2016-05-27 21:43 · Score: 1
  
  Rubbish. If, in the normal course of events it would be visible, there's no invasion. If the people opposite my apartment leave their curtains open, that puts zero restriction on MY right to look out of MY window, whatever they're doing.
  If I was using ladders or one of those fire engine arm things[1] to rise over a nine-foot wall it'd be different.
  Stop making stuff up.
  [1] What are they called?
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
38. Re: Say what? by Anonymous Coward · 2016-05-27 22:10 · Score: 0
  
  Iirc a uk bank (royal bank of scotland?) did that one day at a local branch about 10 years ago and got only one or two takers. Maybe they had a sales speech to go with the free Â£5 notes or maybe it was for press afterwards. Everyone thought there was a catch and didnt bite.
39. Re:Say what? by Agripa · 2016-05-27 22:13 · Score: 2
  
  And the only ones stupid enough to confess.
  Why would you ever admit to doing a good deed like this? Law enforcement is not paid to not arrest you and the courts are not paid to not convict you.
40. Re: Say what? by Hognoxious · 2016-05-27 22:14 · Score: 1
  
  Rodney, you plonker, that's an FTP server's grape of being.
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
41. Re: Say what? by Anonymous Coward · 2016-05-27 22:29 · Score: 1
  
  Yeah this would be like going into a bank through what looks like a public entrance and finding yourself in the bank vault. And then the cops arrest your for bank robbery. Even though you didn't take anything.
42. Re:Say what? by AmiMoJo · 2016-05-27 23:31 · Score: 1
  
  Best thing to do is anonymously disclose it on a security mailing list and then tip off some journalists do they can bring it to the public's attention. The moment you try to take credit for it, you open yourself up to malicious arrest and prosecution.
  The only time you disclose under your real name is if they have a bug bounty programme.
  Hopefully this guy will sue the incompetent idiots who accused him of breaking in.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
43. Re: Say what? by Anonymous Coward · 2016-05-27 23:52 · Score: 0
  
  If the bank threw perfectly valid used dollars bills in the dumpster. If, while looking in the thrash, you found them, it would be legal for you to keep them.
  The fact that the bank cannot legally throw money in the garbage is not your problem. And the FBI would be wrong both morally and legally to go after you, and only you, for this money.
  This is what is happening here.
44. Re: Say what? by Anonymous Coward · 2016-05-27 23:59 · Score: 0
  
  Are you actually retarded or just masquerading?
45. Re: Say what? by VikingNation · 2016-05-28 00:07 · Score: 1
  
  I did not consider that. Very good point and well taken.
46. Re:Say what? by VikingNation · 2016-05-28 00:10 · Score: 1
  
  I suppose the government is saying the guy should have never attempted to log into the server with credentials.
47. Re: Say what? by tomhath · 2016-05-28 01:04 · Score: 1
  
  if you walk past a tray of prepared food at the grocery store and it has a sign saying please take one, is it theft if you take one?
  Of course not. But if you walk past someone's car and see a set of hubcaps you like, it is theft to pry them off and take them?
48. Re: Say what? by Mashiki · 2016-05-28 02:57 · Score: 1
  
  Better learn that it is an invasion of privacy if you ever come to Canada. You wouldn't want to spend 6mo to 4 years in prison for it. See this is what falls into "private areas" there's also semi-public like the walkway going to the front of your house, and public like the sidewalk or street in front of the house/building.
  
  --
  Om, nomnomnom...
49. Re: Say what? by slazzy · 2016-05-28 03:25 · Score: 1
  
  Technically theft but any judge will let you off.
  
  --
  Website Just Down For Me? Find out
50. Re: Say what? by sjames · 2016-05-28 04:04 · Score: 1
  
  You have a bizarre idea on theft. I guess you gave your birthday presents back unopened when you were a child?
51. Re: Say what? by wardrich86 · 2016-05-28 04:04 · Score: 1
  
  If the bank leaves its vault open, can you take the money?
  Bad analogy. How about this: You walk up to a bank with several doors in the front, and a note reading "Please enter through the door with your name. If permitted to take items, there will be a bag just inside your door, otherwise you are to look but not touch." Each door has a long hallway that leads to a room at the end, and each door has a name at the top of it. At the end of this the line of doors is a door that has a note saying "If no door has your name above it, please use this door." You do as permitted and enter that door. Once in, you see a bag and take it along with you down the hallway. At the end of the hallway, you see that all of the hallways end up in the same room at the end, full money.
  
  Now, you've done everything as permitted by the note. You have a bag which grants you permission to take what you want, so... what's wrong with taking the items? Absolutely nothing. Maybe a slight moral issue, but in the end of the day you haven't done anything explicitly wrong.
52. Re: Say what? by mindwhip · 2016-05-28 04:16 · Score: 1
  
  Wrong.
  All money laundering rules require is that you can trace the source of money and usually only require cursory checks unless significant money is involved. In the case of the hypothetical bank the fact you got the money you were at the bank and they were giving out money would be sufficient proof. You might be getting confused with bribery laws that state you can't give cash etc for favours and even then only specific situations.
  Anyway companies give out money all the time... They frequently give money in lieu of failures in their procedures and/or other customer dissatisfaction. Also many companies give out stuff and cash as part of various types of competitions, for marketing reasons but basicly because they can and that's before we even get into sports and charitable sponsorships and donations.
  
  --
  [The Universe] has gone offline.
53. Re: Say what? by sjames · 2016-05-28 04:24 · Score: 1
  
  Naturally it is theft to take the hubcaps off of someone's car, None of the socially agreed upon signs are there that they are being offered to you.
54. Re: Say what? by Hognoxious · 2016-05-28 04:25 · Score: 1
  
  Tell you what, how about you learn to give a citation or fuck off? The first hit from google says just about the opposite; the observed person could be guilty of indecent exposure.
  https://www.thestar.com/news/2...
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
55. Re: Say what? by Anonymous Coward · 2016-05-28 05:42 · Score: 0
  
  If you ask the owner for them and then -they- pry them off and send them to you... then, no it is not theft in any way.
56. Re: Say what? by Anonymous Coward · 2016-05-28 05:47 · Score: 0
  
  An even better analogy... the bank left an authorized security agent at a table in front of the vault. People ask the agent to give them some money. The agent thinks about it a bit, then says, "sure, here's some money." as he slides the money across the table to them.
  The FTP server is the authorized security agent in this story. You can't file theft charges against an FTP server? Then why did you give it the authority to give out your money?
57. Re: Say what? by Anonymous Coward · 2016-05-28 08:35 · Score: 0
  
  Is it theft you didn't subtracted anything from the owner?
  You made a file copy, that's an entire different thing, owner still have their copy. That's how IP fail
58. Re: Say what? by BitterOak · 2016-05-28 09:43 · Score: 1
  
  Wrong.
  All money laundering rules require is that you can trace the source of money and usually only require cursory checks unless significant money is involved. In the case of the hypothetical bank the fact you got the money you were at the bank and they were giving out money would be sufficient proof. You might be getting confused with bribery laws that state you can't give cash etc for favours and even then only specific situations.
  Not true. There are strict rules about banks giving money away. For instance: suppose I were a drug dealer and I had $500,000 that needed to be laundered. I take it to my favorite bank and give it to them in a dark room at the back. Next day the bank, out of the goodness of their heart, decides to give me a "gift" of $450,000. (The bank gets their 10%). Voilà: perfectly laundered money!
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
59. Re: Say what? by mindwhip · 2016-05-28 10:46 · Score: 1
  
  Nope the bank has to be able to show that the money it accepted was from a legitimate source. It can give away all the money it wants but has to be able to show it obtained it from a legal source and that it was its money to give away (and not a customers).
  
  --
  [The Universe] has gone offline.
60. Re: Say what? by Mashiki · 2016-05-28 21:40 · Score: 1
  
  Article is wrong, so very wrong. Then again it's the Toronto Star, also known in Canada as the Red Star and is known to take a very authoritarian view on things. You enjoy that citation now which will give you a brief overview on criminal and non-criminal privacy rights and you can enjoy this one too. Which reinforced S.8 of the Charter of Rights and Freedoms. You can also find more cases using "the citizen's right to a reasonable expectation of privacy" on this site.
  
  --
  Om, nomnomnom...
61. Re: Say what? by ebvwfbw · 2016-05-29 04:27 · Score: 1
  
  Let's stick to the original question. Don't let an AC change what is being discussed. They are not the same thing and the AC knows it.
  If he wanted to use the bank bit, it would be like the bank allowing anyone off the street to see my banking business. In my case that's boring. For some people, like politicians - that's gold there. They really don't want anyone looking at their business.
62. Re: Say what? by Anonymous Coward · 2016-06-01 03:47 · Score: 0
  
  It's called a cherrypicker.
63. Re: Say what? by Coren22 · 2016-06-01 07:53 · Score: 1
  
  Is it theft you didn't subtracted anything from the owner?
  What about the privacy of the person whose information was in the records?
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
64. Re: Say what? by NicknameUnavailable · 2016-06-04 16:28 · Score: 1
  
  Of course not. But if you walk past someone's car and see a set of hubcaps you like, it is theft to pry them off and take them?
  This is a false equivalency. An anonymous FTP server was designed explicitly to let people connect without authorization and to serve up whatever it contains to whomever asks.
security researcher by turkeydance · 2016-05-27 12:25 · Score: 0

terrorist pedo. this is easy.
Kill The Messenger! by Frosty+Piss · 2016-05-27 12:37 · Score: 1

...dental software security researcher ...
That's, er, pretty specialized!
I have a lot of "issues" with so-called "security researchers", which in many case are either opertunistic hackers or script kiddies. But really, how can it be "hacking" to access data that does not require "breaking in" to anything? Sure, the dude was not invited, but if it's out there, not fire-walled, and all you need to do is type in some random URL, how can that be illegal?
Now, there may very well be laws, rules, whatever about medical records, but if anything than it's on the medical provider for violating HIPAA or something. On the other hand, disclosing other people's medical records publically available or not might very well be against some law, and maybe it should be...

--
If you want news from today, you have to come back tomorrow.
1. Re:Kill The Messenger! by amiga3D · 2016-05-27 12:48 · Score: 2
  
  Let me tell you about the HIPAA bullshit. I have more trouble getting access to my records than damn near anyone else. They share my info with all kinds of people.
The moral of the story by JustAnotherOldGuy · 2016-05-27 12:43 · Score: 5, Insightful

The moral of the story is that if you discover something like this, close your browser and tell no one.
Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.

--
Just cruising through this digital world at 33 1/3 rpm...
1. Re:The moral of the story by rch7 · 2016-05-27 12:51 · Score: 1
  
  Such cases are not about reporting but about extortion. Note dental software. Not some free tetris game software, but "dental". It means money and easy extortion target as they would have big & expensive problem with government institutions when client records are disclosed to everybody.
2. Re:The moral of the story by Anonymous Coward · 2016-05-27 13:03 · Score: 1
  
  Yep... If you're going to be treated like a criminal anyway, may as well act like one and derive some benefit from the spoils.
3. Re:The moral of the story by bill_mcgonigle · 2016-05-27 23:41 · Score: 1
  
  The moral of the story is that if you discover something like this, close your browser and tell no one.
  Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.
  Just to be clear here, your reaction is the intent. If you embarrass somebody who has money, thugs with guns will come kick your door down.
  Better not do that.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
4. Re:The moral of the story by JustAnotherOldGuy · 2016-05-28 03:03 · Score: 1
  
  Just to be clear here, your reaction is the intent.
  
  Of course, which is why you must report this kind of thing anonymously, if at all.
  And since real anonymity is nearly impossible these days (especially in the case of embarrassing somebody who has money), the safest course of action is to close your browser and tell no one.
  As Clare Boothe Luce said, "No good deed goes unpunished", and that's as true today as the first time she uttered it.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
Anonymous FTP server is as private as park bench by Anonymous Coward · 2016-05-27 12:44 · Score: 2, Insightful

An anonymous FTP server is like a park bench. Literally anyone can use it.
This is like alerting the owner of a bag of money which is on a park bench, and then being penalized for sitting on the bench or looking in the bag.
If only they'd go after Wall Street as ferociously as they go after those who investigate company security. But then, the reason they go after those who cross big companies is the same reason they don't go after the people in big companies.
looks like another "protection service" by rch7 · 2016-05-27 12:48 · Score: 1

He is not the first one. The popular racket is simple, they scan for rich doctor files accidentally left online. Once they find something, they offer a "security service" for $###,###. Sure, they don't report their paying "clients" to government for medical records protection violation. It doesn't apply to non-clients. It is not kiddie game.
Arrested wrong person? by Anonymous Coward · 2016-05-27 12:54 · Score: 0

The purpose of anonymous ftp is for anybody do come in and get files.
Setting up the site is publishing the data.
FROM http://www.webopedia.com/TERM/A/anonymous_FTP.html
"A method for downloading public files using the File Transfer Protocol (FTP). "
If the site was in fact anonymous FTP, then what he did was walk in through a door with a big sign on it that said 'come on in'.
To arrest someone when they were invited seems odd.
An arrest might be reasonable for the person publishing private health data, not the person discretely informing them of their error.
Such a person might have reason to obscure the facts?
Either the facts are something else, or the FBI fell for a really dumb story.
Hopefully, they are smart enough to sort it out.
Was he authorized? by BitterOak · 2016-05-27 13:28 · Score: 0

The article describes him as a "dental software security researcher". Does that means it's his job? If so, was he working for the company whose computer he accessed? If so, isn't this authorized access as part of his job? Or was he accessing the system of a competitor of his client? That would be almost certainly unauthorized. I read the linked article and it is light on those details. I think this case would come down to whether or not he was doing this as part of his job and was therefore authorized to access these records. If not, he could be a in a boatload of trouble, but one would have to wonder why he would be trying to access systems of someone who wasn't his client.

--
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
1. Re:Was he authorized? by cbiltcliffe · 2016-05-27 14:18 · Score: 2
  
  but one would have to wonder why he would be trying to access systems of someone who wasn't his client.
  Because it was anonymous FTP? That's the whole point of anon FTP, you know: that anybody is allowed to use it.
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
2. Re:Was he authorized? by BitterOak · 2016-05-27 18:28 · Score: 1
  
  but one would have to wonder why he would be trying to access systems of someone who wasn't his client.
  Because it was anonymous FTP? That's the whole point of anon FTP, you know: that anybody is allowed to use it.
  I do understand about anonymous FTP. The point I was trying to make is all that is moot if he was hired to test that security in the first place. I guess my question boils down to this: Who exactly hired him? I'm genuinely curious, cause to me this story doesn't make a whole lot of sense.
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
3. Re:Was he authorized? by Anonymous Coward · 2016-05-28 02:03 · Score: 0
  
  What if no one hired him? What if he just happened upon the FTP server?
  Nothing has been brought forward to indicate he did anything wrong in finding it or reporting it, and no indication of any extortion or anything like that. There are other sources that seem to backup his version of events, too.
  He could have been working for the company or a competitor, but nothing has been suggested that upon finding the server he acted with any intent at wrongdoing. He reported and only disclosed after seeing the problem fixed.
4. Re:Was he authorized? by BitterOak · 2016-05-28 09:45 · Score: 1
  
  What if no one hired him? What if he just happened upon the FTP server?
  The article specifically says he's a dental software security researcher. It's his job. Therefore it stands to reason, someone hired him.
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Couple differences by Sycraft-fu · 2016-05-27 13:31 · Score: 1

First, that's not how locks work. A normal lock has only one keying. Master keyed locks are done do by larger organizations. To get that master key you have to either get it from them in an authorized manner, or steal it somehow. It isn't like the manufacturers maintain an "all locks" master key and hand it out to people.
However more to the point an anon FTP is an implicit invitation to anyone to come in, just like a public HTTP server. In terms of the real world, it is like an open store. If you enter an unlocked store, you are not trespassing. If they tell you to leave you have to, but simply entering is allowed because the fact that they are presenting themselves for the public to use and have not locked their door is saying "We want you to come in." That's different than a place that is locked. The lock is an explicit "keep out" message.
1. Re:Couple differences by trabby · 2016-05-27 14:21 · Score: 1
  
  I think that is the best analogy that I have read out of the other 50 analogies presented here.
2. Re:Couple differences by uncqual · 2016-05-27 17:54 · Score: 2
  
  Unfortunately, none seem to have anything to do with cars. What has /. degraded to?
  
  --
  Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
It might be correct course of action by tp_xyzzy · 2016-05-27 13:36 · Score: 0

There's many aspects which goes against the "security researchers": It's medical records, which need to be password protected. If the researcher knew what he was doing, he would understand that medical records are always under password protected area. Seeing those records anywhere should indicate those "experts" that they have _already_ exceeded their authorisation. Also the article wasn't exactly clear whether it really was anonymous ftp access -- at some point it claimed that the researcher had "explored the fixed passwords" of some equipment. That explanation didn't sound like anonymous ftp access. Instead it sounds like guessing passwords based on how other such equipment works, which is clearly illegal activity. It is classic case of exceeding authorisation. And the dental software company clearly knows what they're doing, since they can summon the appropriate legal mechanisms for exactly that situation. So their action is accurate response to illegal hacking.
on the other hand, the security researchers did try to report their findings. I dunno what special rules need to be followed when reporting such issues publicly. But medical records definitely have strict rules how such disclosures should be handled, so that criminals can't get access to the data. Random people on the internet trying to report their findings can do nothing but more harm to everyone...
1. Re:It might be correct course of action by cbiltcliffe · 2016-05-27 14:29 · Score: 3, Insightful
  
  Are you seriously that mentally challenged? How is it not clear that it was anonymous FTP?
  
  led him to an anonymous FTP server that allowed anyone access.
  That's pretty damned clear that it was an anonymous FTP server, because it's described as an anonymous FTP server right there in the text.
  There's also the quote about it being a password protected FTP server back in 2006, with a single password that never changed, until they made it anonymous around 2010.
  And are you really assuming that they were password protected because they're medical records, which are "always under password protected area?" They must have been password protected, simply because they should have been password protected? Your faith in humanity is astounding. And misplaced.
  Maybe next time, instead of pretending you read the article, you could, you know, actually read the article.
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
2. Re:It might be correct course of action by tp_xyzzy · 2016-05-27 15:58 · Score: 1
  
  > And are you really assuming that they were password protected because they're medical records, which are "always under password protected area?" They must have been password protected, simply because they should have been password protected? Your faith in humanity is astounding. And misplaced.
  The company is legally required to keep that data in secure location. Thus the company's secure location extends to the place where the patient data was found. And accessing it without authorisation is illegal. It's basically similar situation than if you accidentally found out someone's credit card pin code. The person might be careless with communicating his secrets, but still it's still illegal to use the pin code for anything. Same happens with patient data, the secret data might be carelessly handled, but any access to the data is still illegal operation.
3. Re:It might be correct course of action by cob666 · 2016-05-27 16:17 · Score: 2
  
  Yes, companies ARE required to keep private medical information secure but whether or not the company THOUGHT their secure location extended to the directory where the patient data was is irrelevant. The data was unencrypted and freely accessible via an anonymous ftp server. The company should be penalized for allowing this to happen, NOT the user who found the exposed ftp server and informed the company that the records were freely available.
  
  --
  Do what thou wilt shall be the whole of the Law - Aleister Crowley
4. Re:It might be correct course of action by dgatwood · 2016-05-27 16:36 · Score: 2
  
  The company is legally required to keep that data in secure location. Thus the company's secure location extends to the place where the patient data was found. And accessing it without authorisation is illegal. It's basically similar situation than if you accidentally found out someone's credit card pin code. The person might be careless with communicating his secrets, but still it's still illegal to use the pin code for anything. Same happens with patient data, the secret data might be carelessly handled, but any access to the data is still illegal operation.
  The problem with your logic is that unless the filename makes its contents obvious, there's no way to know what's in a file on an FTP server without downloading it. It clearly makes no sense to prosecute someone for a crime if it isn't possible for them to know that they're committing a crime until they have already finished committing it....
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
5. Re:It might be correct course of action by Anonymous Coward · 2016-05-27 18:32 · Score: 1
  
  The company is legally required to keep that data in secure location. Thus the company's secure location extends to the place where the patient data was found. And accessing it without authorisation is illegal. It's basically similar situation than if you accidentally found out someone's credit card pin code. The person might be careless with communicating his secrets, but still it's still illegal to use the pin code for anything. Same happens with patient data, the secret data might be carelessly handled, but any access to the data is still illegal operation.
  That's a cute theory, and from TFS apparently the thing the prosecutor is trying to gain a conviction (and perhaps a promotion) with.
  But it is a deeply disturbing conflation of two issues. First, we have the data, that ought to be protected. Second, we have the means with which it is or is not being protected, which is obliged to be there. This legal theory says that because you have the first, the second turns into legal protection, when it was supposed to be a legal stick to make sure there is actual protection for the data.
  IOW, you may be obliged to protect that data but it doesn't have to be technical. You just boobietrap the thing with legal red tape and done. Which means that if you tell people about their technical protection oversights you're going to get ensnared and jailed, while if you simply snatch the data and sell it, nobody cares.
  "Just don't get caught! -- Love, your friendly neighbourhood DA."
  This is easy to see because what happened is that Company of Idiots, ultd. left the data with protection obligation out in the open on an anon ftp, which is to say entirely unprotected forsaking their obligation, and Shmuck R. Smudgycoat stumbled upon the data, then told CoI about it so that they might correct the error of their ways. Not so, says prosecutor, CoI has an obligation to protect so that's really a legal protection of the data so Smudgycoat is guiltee of accessing protected data. Even though it wasn't protected, it just was supposed to be.
  That's about as arse-backwards as it gets. Which is nothing unusual in the USoA legal system, but still.
6. Re:It might be correct course of action by Anonymous Coward · 2016-05-27 22:39 · Score: 0
  
  And accessing it without authorisation is illegal.
  So ?
  He connected after which the FTP door guard asked "who are you?", and let him in after he supplied RFC documented(!) anonymous credentials. If that is not authorisation than I do not know what is.
  And no, "he should have second guessed the intentions of whomever owned those documents" isn't any kind of argumentation. If it would be than you cannot access *anything* (websites included) without running the risk of being declared an intruder (and convicted as a hacker).
  
  It's basically similar situation than if you accidentally found out someone's credit card pin code.
  Nope. Not in the least.
  In the first place, because he asked and got permission from that "someone" to look thru their stuff, even though that "someone" did/does not know him at all. Second, he did not find "someone's" (your) pincodes, he found other peoples pincodes, who could get greatly inconvenienced if they would become public knowledge.
  
  The person might be careless with communicating his secrets
  Wrong again.
  He tried to attented "someone" to the above breach of trust of the people those pincodes belong to, but "someone" refused to even acknowledge that.
  That is not "careless", that constitutes to willfully ignoring it.
  
  but still it's still illegal to use the pin code for anything
  True, but what has that to do with anything ? Have you got any indication that the data has been abused by him any way ?
  
  Same happens with patient data, the secret data might be carelessly handled, but any access to the data is still illegal operation.
  It always amazes me how little thought-thru this is:
  -- Security researcher:
  I found a file which name indicates that it contains sensitive data and thats a breach of peoples trust, if not the HIPA laws.
  -- Company:
  No it doesn't, and you can't prove it as its illegal to look inside that file.
  -- Security researcher:
  Drats.
  ... and as the company can therefore not be called out for its callous disregard of other peoples privacy/(financial)security, it continues as if nothing has happened at all ...
7. Re:It might be correct course of action by tp_xyzzy · 2016-05-28 00:18 · Score: 1
  
  > IOW, you may be obliged to protect that data but it doesn't have to be technical. You just boobietrap the thing with legal red tape and done. Which means that if you tell people about their technical protection oversights you're going to get ensnared and jailed, while if you simply snatch the data and sell it, nobody cares.
  Maybe their cunning plan for data security was that the ip address of their ftp site is already enough protection for their patient data. If noone knows the server exists, it might even work. The article gave some pretty strange description of how the security researcher's found out about the server's existence. "They were researching issues about fixed database credientals". Which kinda sounds like operation that already requires authorised access -- who would give some random person on the internet access to a password file? Probably the real unauthorised access happened some time _before_ accesssing the ftp site. The article focuses that the anon ftp site and how anyone should be permitted access to such things, but it completely forgets that the unauthorised access can happen at the place where server's location on the internet is discovered, Normally you need a port scan or (in this case, examining the credientals), which might not exactly be legal operations in the first place.
8. Re:It might be correct course of action by Anonymous Coward · 2016-05-28 01:11 · Score: 0
  
  That devolves back into the first point: "Protection" by legal red tape trap.
  The public internet being what it is, public and all, there is really no way to put up a sign saying "you can't access this" short of asking for credentials. Or, if you must, inferring them from things like IP addresses, which is what packet filters do. To use a simile, you can drop a box of files on Times Square, then walk away, and nobody'll believe you were being prudent about securing the data in the files. But if you drop a box of files somewhere in the wilderness where there happens to be no signs pointing "here be boxes", that's sufficient data protection? I don't buy that, sorry. There's still no access control whatsoever, so it's not data protection in any technical sense.
  Besides, while port scanning might be not exactly legal where you are, that's a dead letter because generally unenforceable (hello Chinese noise), and in any case it's very hard to make that into some sort of digital trespassing simile. Anything you can reach over the public internet is effectively public space, digitally created by the digital networks and the digital hosts on them, together forming The internet.
  By that logic, and logic I generally support and adhere to, the only real way to secure data is to keep it somewhere not connected to public networks. If that's not an option, well, you can try and secure it. But not securing it at all except by vague claims of obscurity and relying on the legal system to cover your oversight? Again, if that's allowed to fly then the data protection requirement laws just got turned on their heads.
9. Re:It might be correct course of action by Anonymous Coward · 2016-05-28 08:58 · Score: 0
  
  WTF, this is amazing.
  So if the company decides leaving shit on street, then the street become "secure location extends" and the company is right?
  Fucking A M A Z I N G thinking.
10. Re:It might be correct course of action by Anonymous Coward · 2016-05-28 09:04 · Score: 0
  
  Only a fool would do that. If you put things in a public IP without password, it's public, game over.
  The only time I did that, it was a temporary thing, and didn't have too much value if someone copied it by "accident". The fault would be entire mine. You got to know what the result of your actions are, you can't blame others.
11. Re:It might be correct course of action by Anonymous Coward · 2016-05-29 07:54 · Score: 0
  
  Clearly you haven't worked in information security. Me I have bee a pen tester and worked in information security for over 20 years. Medical networks have the WORST security of any industry. I do both PCI and HIPPA pen testing for a living. Every time I see a site is medical related I know it will be a long night and easy pickings.
  
  It's medical records, which need to be password protected. If the researcher knew what he was doing, he would understand that medical records are always under password protected area.
  True under HIPPA is it SUPPOSE TO BE in a protected area. That doesn't mean it actually is. You would be surprised where I have found medical records unprotected. Just because the law says it is to be one way doesn't make it so.
  
  Also the article wasn't exactly clear whether it really was anonymous ftp access.
  The article plainly states it is an anon server. Also let's say I login with anonymous with the password foo@example.com and I gained access. That is an AUTHORIZED! login. The service checked your credentials and ALLOWED you access. You didn't exploit the system. You properly logged in. Let's say I used admin with a password of admin. No this is NOT an anonymous login but still a violation of HIPPA laws. Common logins are not allowed. So either method of gaining access does show the software company is in violation of HIPPA laws. The software company is responsible for the breach.
  Also why was this information at a software company's network? Did these people go to a software company to get treated? Whatever Doctor's office or hospital who turned these records over to this company also broke the law. Your records are not to be turned over to third parties.
  
  And the dental software company clearly knows what they're doing,
  Boy this one makes me laugh. Clearly you have never worked with medical software. Like I said I have worked over over 20 years as a white hat hacker. I have seen every type of network and software applications. I have tested everything from adult toy store web sites to NASA networks and let me tell you medical software of all kinds is the most expensive and PURE CRAP coding you'll ever see. It's a shameful rip off. Just because they are a "dental software company" does not mean they are secure or that they know what they are doing.
  
  other hand, the security researchers did try to report their findings
  Yes he did IN THE PROPER MANNER. He didn't post it the the internet for all to steal he just reported "L found a problem". For that he gets arrested. Would it have been better for him to anonymously post the patient's records up on the net for all to see? I think not.
  Once when working at a data center I found a problem is the NexGEN medical software. When I properly reported the flaw to them. They tried to have me fired. They would rather have you arrested than spend the time and the trouble to fix a problem.
  When doing PCI testing I have a problem and report it and next year when I come back the problem is gone. PCI requires the reported problem to be fixed and retested if needed. HIPPA on the other hand just "says" you "should" be tested. Big difference. Last year I crack a very large hospital in a very large US city that had a Domain Administrator's password of "admin". (really that's true!) Last month I retested the same place and guess what the Administrator's password was STILL!!! "admin". With that tell me these clowns know what they are doing. Tell me they care about patient records.
The emperor has no clothes, by jenningsthecat · 2016-05-27 14:24 · Score: 2

and woe to the subject who points out that fact. Forget 'security by obscurity' - the gubmint seems hell-bent on 'security by denial'. These days it's safest to pretend not to see security failings. Failing that, it almost seems to be the safer, wiser course of action to profit illegally from said security flaws than to point them out in the hope that they'll be fixed.

--
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
1. Re: The emperor has no clothes, by Anonymous Coward · 2016-05-27 22:22 · Score: 0
  
  Didnt wyoming just pass a "snitches get stitches" law making it illegal to tell the feds about toxic waste dumping or health issues (e.g. e coli)?
2. Re:The emperor has no clothes, by Hognoxious · 2016-05-27 22:32 · Score: 1
  
  If you shoot the messenger, you'll stop getting messages.
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Anonymous FTP is the key by shellster_dude · 2016-05-27 14:35 · Score: 1

If I access a router with a known backdoor password, and someone failed to patch it, that is breaking and entering. It is clear that such access was not intended by the owner of the device, and I am effectively breaching their perimeter without their permission. In this case the guy use anonymous FTP. The entire purpose of anonymous FTP is to allow anyone to download files. FTP technology and anonymous access is routinely employed by companies and websites specifically to exchange files with everyone. Therefore, given the plain and regular use of the technology, one can easily argue that they effective were inviting file downloads. Until this guy was able to validate the content of the files, he would arguably not have known that the files were supposed to be protected. The fact that he reported the finding shows that he was not behaving maliciously and acting in good faith.
The best way to go by drinkypoo · 2016-05-27 14:38 · Score: 1

Make an anon release to a news outlet. Hilarity ensues.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Private Property by Anonymous Coward · 2016-05-27 14:56 · Score: 0

If I leave my car door open, key in the ignition, parked in front of your house, it doesn't give you permission to touch my car, let alone enter it, let alone drive it, not securing your property is not a crime, interfering with others unsecured property without permission is called trespassing or theft.
However intentions count in some circumstances.
I think he broke the law, and I think the people holding the records broke the law too, both should be charged or fined.
1. Re: Private Property by Anonymous Coward · 2016-05-27 21:24 · Score: 0
  
  https://tools.ietf.org/html/rfc1635
Because it is anonymous FTP by hawkingradiation · 2016-05-27 15:09 · Score: 1

Boy some of you guys must be pretty young. Have you ever used anonymous ftp? Anonymous ftp works by entering the host, then your username, coincidentally: "anonymous" or "ftp", and then you enter your email or the password "guest". It doesn't even check if these are correct. It just let's you straight through

--
Society use your Sciences
1. Re:Because it is anonymous FTP by Anonymous Coward · 2016-05-27 15:58 · Score: 0
  
  It just let's you straight through
  
  Exactly! There's no difference between having documents on an "anonymous FTP server" and putting them up on a public web page.
  For example, Brown's CS department has an anonymous FTP server, described here:
  https://cs.brown.edu/about/system/services/ftp/
  You can access it here:
  ftp://ftp.cs.brown.edu/
  Open that in your browser. All modern browsers will give you a directory listing without even prompting for a login.
  Now, if someone at Brown accidentally stuck some sensitive files on that server—and I stumbled across one of those files—I can't report it without worrying that the FBI is going to come bash in my front door???
Report anonymously by Anonymous Coward · 2016-05-27 15:53 · Score: 0

Nah, the lesson is to report anonymously so they get exposed for doing wrong and so you don't face reprisal.
1. Re:Report anonymously by Anonymous Coward · 2016-05-27 16:58 · Score: 1
  
  How does one report such things anonymously? I requested a password reset from a municipal website and they emailed my password to me in plain text. I'm honestly afraid to tell anybody.
2. Re:Report anonymously by Anonymous Coward · 2016-05-28 05:54 · Score: 1
  
  Type up a sheet with instructions on how to access the data. Print copies and place in envelopes. Label envelopes with names of "real press" reporters. Drop envelopes at establishments or homes where reporters can be found. Watch news outlets. Eat popcorn.
The outcome doesnt matter - its the threat by Anonymous Coward · 2016-05-27 15:54 · Score: 0

So long as they continue to discourage people from notifying the public about this type of activity, then they win.
Explain "public" by Anonymous Coward · 2016-05-27 16:42 · Score: 0

Public means "hey I have this server over here, if you want to use it, go nuts"... not "I was doing a port scan of this network range, and found a FTP server and decided I would try logging into it". The latter is considered "computer trespass" or "unauthorized access of computer networks and data". If he did the crime, then I'm sorry, and I hope his court wait isn't lengthy.
Re:Anonymous FTP server is as private as park benc by uncqual · 2016-05-27 18:09 · Score: 1

That is completely nonsense. It is like walking up to a shop with the lights on and no Open or Closed sign or any posted hours and opening the door and entering the shop if the door opens.
I don't recall when I first accessed an anon FTP server, but it was certainly well over 25 years ago and I've used anon access many times. If user 'anonymous' and an arbitrary email address is accepted as a password, it's open for the public to access anything that the user can get to -- everyone knows that and everyone knows that every administrator who configures a system presumably intends it to be that way.

--
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
Stands to reason by Anonymous Coward · 2016-05-27 18:11 · Score: 0

The "computer security" industry has explicitly cultivated an image of being dangerously edgy, give-us-money-or-your-stuff-is-in-danger, then confused the issue by spinning their tales such that nobody, not even themselves, could clearly answer just who was doing right and who was doing wrong.
So while this seems a throwback to early days where people got prosecuted essentially because the accusers didn't know much less wanted to understand what was really going on, but this is much worse. We're seeing the chickens coming home to roost. It may not be what the "security researchers" wanted, but it sure is what they've been shooting for all along.
There is also that the USoA "justice" system has essentially gone rogue, but since the field they're operating in has been well and truly muddled, that's just fertile soil for promotions within the justice department, as there is no morality left on which to rebuff the rogue agents of justice.
To the general public, "computer security" is nothing but shady bunches of tech-y shady people that would probably best be locked up anyway, lest they lock up your computer. It doesn't matter what the "computer security researchers" think of this, since nobody understands them anyway. Except that they talk about how much they like being illegal all day, like they're in a bad western or something. It has even anchored itself into the very words used. Syeah, nothing much you can say against that, really.
Re:Anonymous FTP server is as private as park benc by Anonymous Coward · 2016-05-27 19:56 · Score: 0

And you left your whole pension on the bench for all to see and you don't want to be notified?
Remember that time? by pablo_max · 2016-05-27 20:16 · Score: 1

If you have nothing to hide, you should not be worried, they said. The government is there to protect us, they said. The government has a right to do those things, they said. The government would never cross the line, they said.
Well, I would say at this point it is probably past the "too late" stage and you are stuck with the monster which decades of apathy and "blind misplaced patriotism" has created.
The US government has so much power at this point, I find it hard to imagine the people could ever take it back without a lot of bloodshed. I hope I am wrong.
1. Re:Remember that time? by Anonymous Coward · 2016-05-28 09:09 · Score: 0
  
  They can try to ban cryptography. But that's impossible. People can take it back, but the time window is closing. This Orwellian dystopia still haven't come to it's ultimatum.
Meanwhile... by transami · 2016-05-27 20:36 · Score: 1

Every time I go to the hospital they have no ability to access my previous records!

--
:T:R:A:N:S:
Protecting ACA by BlueStrat · 2016-05-27 20:50 · Score: 2

This poor schlub is being prosecuted because he's highlighted one of the pitfalls of the ACA's requirements that medical records be converted to and stored as computer data...that, even barring malicious and intentional hacking, leaks and poor security practices will ensure that patient data will be exposed regardless of any laws or legal penalties put in place. Something those in power assured us would not happen.
He's getting screwed-over because he dared expose the dishonesty of those in power.
The lesson? If you just happen to discover a way to access any of the US government's law enforcement/intelligence networks, do not notify them of a vulnerability. Either sell the method of access and/or the data acquired, or simply post it on the 'net on a server located in Ecuador.
Strat

--
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
1. Re:Protecting ACA by vandamme · 2016-05-29 05:38 · Score: 1
  
  "Kill the messenger."
Re:Anonymous FTP server is as private as park benc by Hognoxious · 2016-05-27 21:50 · Score: 1

If they aren't supposed to, then put a fence around it with a combination lock to open the gate, and only give the combination to people who are supposed to be there.

--
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
17% of FBI are moles. by Anonymous Coward · 2016-05-27 22:44 · Score: 0

What will they do with your information US citizens.
FBI logic by Anonymous Coward · 2016-05-27 22:53 · Score: 0

... anonymous FTP ...

So he legitimately logged in but didn't have authority to access the files? Juries have gotten dumb of late but I doubt any juror will swallow that double-think.
Re:Anonymous FTP server is as private as park benc by Anonymous Coward · 2016-05-28 01:53 · Score: 0

I think it's more like finding a wallet and going to return it, contents intact, only to be called a thief and be arrested.
But this case doesn't even need analogies. It's pretty simple, unless there's some evidence no one knows about. The FTP was public. His path to finding it seems legitimate. What he says he did after finding also seems legitimate and there are other entities to back him up at every step.
This isn't even an overreaction, because this needed NO reaction by authorities against him. Only the company that DID fail to secure the records. This is plain and simply wrong on every possible angle that has been brought to light.
I await a stupidly argued prosecution, for what didn't happen, and his life to be really unpleasant for as long as they can make it, just because.
Re:Anonymous FTP server is as private as park benc by Anonymous Coward · 2016-05-28 05:50 · Score: 0

"front lawn" = implied private domain, access is a violation
"park" = implied public domain, accessible by deliberate design, open channel to access it is intentionally placed and maintained (and used)

We hear enough "victim" bullshit in other headlines, thanks. Those games don't work when you explicitly publish files or data to an internet location.
Hmmm by easyTree · 2016-05-28 09:56 · Score: 1

The US is tripping over itself to become a police state as soon as possible.

--
Requiem for the American Dream
Re: There was no sign by lamer01 · 2016-05-29 02:25 · Score: 1

Second point is that although access to enter was granted, access to download is not implicit. One logged on, you are effectively in someone else's house. If this were a house and the door was left wide open, I think even entering may be construed as trespassing. If in said house, the owner left all their confidential information on their office desk, you are not allowed to take pictures of them with your phone. To go back to the original thread, if the researcher ended up on this frp server by following a link that the server owner provided, either directly or indirectly by having a link on a public web site saying 'Hey, go look at these documents', then I would exonerate the guy.
Re: There was no sign by sjames · 2016-05-29 04:59 · Score: 1

Net servers assume business rules, not residential.
Access implies permission to download in an anon FTP server. The whole purpose of anon FTP is to distribute data freely to the public (remember, it pre-dates HTTP).
The defendant's "crime" is as follows: He picks up the store manager's wallet off of the tray under the "Please take one" sign, holds it up and calls to the manager "Hey, I don't think you meant to leave this here". Suddenly cops with assault weapons appear behind him and take him away.
The icing on the cake? They completely ignored the muggers openly shaking down elderly customers in front of the store.
Re: There was no sign by skywire · 2016-05-29 05:06 · Score: 1

Your problem is use of the house/doorway metaphor where it does not fit. Even if you could make a case (which I'll not address here) that allowing someone to log into a server does not automatically grant the right to download files to which they have been given read access, you certainly cannot make such a case for an FTP server, which is dedicated to allowing downloads and/or uploads of accessible files. The fact of its being an FTP server that allows the user access counts as the "Please download" sign.

--
Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
Wrong idiot arrested... by martinfb · 2016-05-30 04:00 · Score: 1

The wrong person was arrested.The absolute idiot that exposed secure info should be arrested, fined, and banned from any IT job or function for life. Further, the HIPPA regs need to be made clearer and more encompassing, and enforced. If my info were in that compromised data, I'd be very angry at NOT Mr Shafer, rather the blithering idiot that made these data so available!

--

Self-importance and self-indulgence is the root of ALL evil.