Slashdot Mirror


FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com)

blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar, told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.


  1. Say what? by msauve · · Score: 5, Insightful

    How is anon FTP not authorized? I give my "name" (anonymous), and credentials (email address), and the system makes the decision to let me in, based on the configuration the sysadmin set. If that's not authorization, what is?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re: Say what? by sjames · · Score: 4, Insightful

      OTOH, an anon FTP server is a well known actual thing and has been for decades. A better question is if you walk past a tray of prepared food at the grocery store and it has a sign saying please take one, is it theft if you take one?

  2. The moral of the story by JustAnotherOldGuy · · Score: 5, Insightful

    The moral of the story is that if you discover something like this, close your browser and tell no one.

    Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  3. Anonymous FTP server is as private as park bench by Anonymous Coward · · Score: 2, Insightful

    An anonymous FTP server is like a park bench. Literally anyone can use it.

    This is like alerting the owner of a bag of money which is on a park bench, and then being penalized for sitting on the bench or looking in the bag.

    If only they'd go after Wall Street as ferociously as they go after those who investigate company security. But then, the reason they go after those who cross big companies is the same reason they don't go after the people in big companies.

  4. Re:It might be correct course of action by cbiltcliffe · · Score: 3, Insightful

    Are you seriously that mentally challenged? How is it not clear that it was anonymous FTP?

    led him to an anonymous FTP server that allowed anyone access.

    That's pretty damned clear that it was an anonymous FTP server, because it's described as an anonymous FTP server right there in the text.

    There's also the quote about it being a password protected FTP server back in 2006, with a single password that never changed, until they made it anonymous around 2010.

    And are you really assuming that they were password protected because they're medical records, which are "always under password protected area?" They must have been password protected, simply because they should have been password protected? Your faith in humanity is astounding. And misplaced.

    Maybe next time, instead of pretending you read the article, you could, you know, actually read the article.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......