

FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com)

blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization that would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.


  1. Say what? by msauve · · Score: 5, Insightful

    How is anon FTP not authorized? I give my "name" (anonymous), and credentials (email address), and the system makes the decision to let me in, based on the configuration the sysadmin set. If that's not authorization, what is?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Say what? by wbr1 · · Score: 2
      Playing devil's advocate:

      How was it breaking and entering? I put the master key in the lock and the lock opened based on the configuration set by the manufacturer.

      Not saying this is right, but it is how it will be presented. These clowns do not care about intent. If the intent of the law was to protect, then they would welcome true penetration tests that are conducted and reported ethically. Instead the laws, and the way they are prosecuted, are designed to protect those in power, those who execute poor judgement.

      --
      Silence is a state of mime.
    2. Re: Say what? by NicknameUnavailable · · Score: 2

      If the bank leaves its vault open, can you take the money?

      If they stick a sign outside saying "free money" and have an anonymous form at the door to fill out saying "add a tally for yourself if you took some free money" then yes, you fucking can. The only difference in this case is there was no money involved.

    3. Re: Say what? by amiga3D · · Score: 1

      No, but I think you could look at it. To steal you have to take.

    4. Re: Say what? by fustakrakich · · Score: 1

      This is more like "if someone leaves their curtains open, can I look inside from across the street and even take pictures if I want?" To which the correct answer is, yes. Since nobody can be bothered to correct these issues at election time, I just don't think about it. You cannot reason with an authoritarian and irrational mob, so appeasement seems to be the favored option.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Say what? by amiga3D · · Score: 2

      Exactly. What he's really guilty of is showing how incompetent they are. They put next to no effort into catching people who actually break into systems and access info to perform identity theft. The only people I see them prosecuting are the ones stupid enough to try to help.

    6. Re:Say what? by msauve · · Score: 1

      The lock manufacturer is not the building owner. But, your argument is simply begging the question. Breaking and entering is a physical act, and can occur even if there is no lock. Even if one follows the analogy, with FTP you're not "entering," you're asking for them to come outside.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    7. Re: Say what? by BitterOak · · Score: 1

      If they stick a sign outside saying "free money" and have an anonymous form at the door to fill out saying "add a tally for yourself if you took some free money" then yes, you fucking can

      No, I don't think you can even then. Banks don't have any authority to give out "free money" and so any such sign would clearly have been put up by someone without authorization to do so. (Perhaps a disgruntled employee.) Since a reasonable person would have drawn that conclusion, I don't think you'd get away with taking money in that circumstance.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    8. Re: Say what? by msauve · · Score: 1

      "Banks don't have any authority to give out "free money" "

      What's the basis of that statement? Why can't a business give away money, if they wish, and there's internal approval (i.e. not just an offer from some rogue employee)?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    9. Re: Say what? by BitterOak · · Score: 1

      "What's the basis of that statement? Why can't a business give away money, if they wish, and there's internal approval?"

      Because there are money laundering statutes that say you can't.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    10. Re: Say what? by VikingNation · · Score: 1

      There was no sign saying 'take the files'. Your analogy breaks down and is not sound.

    11. Re: Say what? by VikingNation · · Score: 1

      No it is not. You cannot enter someone's property uninvited.

    12. Re: Say what? by fluffernutter · · Score: 2

      I agree. A better analogy is that a bank opens their vault, assures a room of two million people that they are not being watched, and then simply leaves them to do whatever they want. They aren't allowed to take the money, but human nature is what it is.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    13. Re:Say what? by msauve · · Score: 1

      Non sequitur. What you describe is a physical act constituting not only breaking and entering, but burglary. But to continue with your false analogy, you didn't ask the door to let you in, it didn't open upon your request (so there was no authorization), and you didn't ask for the wallet and have it given to you.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    14. Re:Say what? by fluffernutter · · Score: 1

      Are you that confident that someone accessing anonymous FTP would get caught? Because that's really the point. It's a risk-reward calculation.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    15. Re: Say what? by msauve · · Score: 1

      Cite? I think that claim is made of whole cloth.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    16. Re:Say what? by msauve · · Score: 1

      What "risk of getting caught?" There's only a risk if you're doing something wrong. Are you describing accessing Google, which is free and anonymous (to the extent you want it to be)? How is anonymously accessing a web site any different than accessing an anon FTP server other than the obvious technical difference?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    17. Re:Say what? by cbiltcliffe · · Score: 2

      Whose wallet did he steal? All he did was look at your wallet sitting on the counter, saw that there was money hanging out of it, then turned around and left.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    18. Re:Say what? by fluffernutter · · Score: 1

      Well that really depends if the intention was for the public to see these 22,000 records or not. If that wasn't the intent and you are in there, then you are doing something wrong whether you will get caught at it or not. It doesn't matter if you get caught or not.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    19. Re: Say what? by Mashiki · · Score: 1

      This is more like "if someone leaves their curtains open, can I look inside from across the street and even take pictures if I want?" To which the correct answer is, yes.

      Actually the correct answer is "maybe, but likely no." Most places that's considered an invasion of privacy because it's a private dwelling, and an individual has the right to privacy even with their curtains open.

      --
      Om, nomnomnom...
    20. Re: Say what? by fustakrakich · · Score: 1

      Not if it is plain view.

      --
      “He’s not deformed, he’s just drunk!”
    21. Re:Say what? by msauve · · Score: 1

      LOL. How exactly do you tell whether a web site intends for you to view it? Has anyone ever explicitly authorized you to post on slashdot?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    22. Re:Say what? by fluffernutter · · Score: 1

      You're saying if you wandered into an FTP site with 22,000 private medical records you would feel like you were supposed to be there? In certain cases I would be inclined to believe you, and so would a judge. In this case I wouldn't. It's not something that is supposed to be public. I'd expect a judge would also want to know why you were there and what purpose you thought you had.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    23. Re:Say what? by msauve · · Score: 1

      So, how do you know in advance that there are 22,000 private medical records? The file listing tells you how many, and you only need to see 1 to find out what the files contain.

      I'm sorry, but you really don't have any arguments which are reasonable, let alone well thought. Maybe next time.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    24. Re: Say what? by sjames · · Score: 4, Insightful

      OTOH, an anon FTP server is a well known actual thing and has been for decades. A better question is if you walk past a tray of prepared food at the grocery store and it has a sign saying please take one, is it theft if you take one?

    25. Re: Say what? by sjames · · Score: 1

      For decades now it has been understood that if the FTP server accepts anon as the user name and an email address as the password, it is an anon FTP server and you are authorized. That is the sign. Much like it is understood that you need not knock to enter a place of business when the door is unlocked.

    26. Re: Say what? by wierd_w · · Score: 2

      Sure they can!

      Here's how:

      They create a new class of "loan", with a 0% interest rate, and a date of mandatory repayment of 100bn years from now.

      They can put a sign up front advertising these amazing loans, "No credit check, no deposit, no ID required!"

      The bank can issue up to 9x the value of their current deposit holdings in such "loans", and the money they lend out comes from nothing-- per how federal reserve banking is designed to work.

      If the bank offers such a "loan", you are perfectly free to take all the free money that you will be too dead to pay back by the due date that you want, until the bank runs out of credit.

      Most banks are not this stupid, being for profit institutions-- they expect to be paid back their credit, (which, once they are repaid, the money you give them becomes holdings, and they can lend THAT out at 900% as well) and expect that you will hold the loan in either their bank, or another bank they can take an interbank loan from, and mass generate wealth from nothing. Giving away money at 0% with a due date older than the projected heat death of the universe is not something they will consider-- But if they did, it is not bank robbery to accept their generous offer.

    27. Re: Say what? by Mashiki · · Score: 1

      Not if it is plain view.

      Even in plain view. Statute and case law on that stuff is generally pretty clear, but can vary from place to place.

      --
      Om, nomnomnom...
    28. Re: Say what? by uncqual · · Score: 1

      The bank vault analogy is bad - in part because taking money from the vault deprives the bank of the money while copying dental records does not affect access by the person who put them there any more than you reading this response reduces the value to anyone else wishing to read this response.

      A better analogy would be if the person responsible for the dental records printed them on flyers and stood on the street corner with a signboard saying "free information" and offered the flyers for free without restrictions to anyone who asked for them.

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    29. Re: Say what? by KeithIrwin · · Score: 5, Informative

      Allowing an anonymous login for an FTP server is tantamount to putting up a sign which says "take the files". If you don't understand why, just follow this link. If you did, in fact, follow that link, congratulations: you just downloaded a file from an FTP server using an anonymous login. It's such an accepted thing that your web browser just did that process for you without bothering to ask if you were okay with it. You've now done the same thing he was accused of doing without even knowing you were doing it.

      Putting files on a public FTP server with an anonymous login is exactly the same as putting those files on a public HTTP server without requiring user credentials. The only difference is which protocol is being used.

    30. Re: Say what? by rrohbeck · · Score: 2

      And people don't take the money, they just look at it. Is that theft? Unauthorized access?

    31. Re: Say what? by Hognoxious · · Score: 1

      Rubbish. If, in the normal course of events it would be visible, there's no invasion. If the people opposite my apartment leave their curtains open, that puts zero restriction on MY right to look out of MY window, whatever they're doing.

      If I was using ladders or one of those fire engine arm things[1] to rise over a nine-foot wall it'd be different.

      Stop making stuff up.

      [1] What are they called?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    32. Re:Say what? by Agripa · · Score: 2

      And the only ones stupid enough to confess.

      Why would you ever admit to doing a good deed like this? Law enforcement is not paid to not arrest you and the courts are not paid to not convict you.

    33. Re: Say what? by Hognoxious · · Score: 1

      Rodney, you plonker, that's an FTP server's grape of being.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    34. Re: Say what? by Anonymous Coward · · Score: 1

      Yeah this would be like going into a bank through what looks like a public entrance and finding yourself in the bank vault. And then the cops arrest you for bank robbery. Even though you didn't take anything.

    35. Re:Say what? by AmiMoJo · · Score: 1

      Best thing to do is anonymously disclose it on a security mailing list and then tip off some journalists so they can bring it to the public's attention. The moment you try to take credit for it, you open yourself up to malicious arrest and prosecution.

      The only time you disclose under your real name is if they have a bug bounty programme.

      Hopefully this guy will sue the incompetent idiots who accused him of breaking in.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    36. Re: Say what? by VikingNation · · Score: 1

      I did not consider that. Very good point and well taken.

    37. Re:Say what? by VikingNation · · Score: 1

      I suppose the government is saying the guy should have never attempted to log into the server with credentials.

    38. Re: Say what? by tomhath · · Score: 1

      if you walk past a tray of prepared food at the grocery store and it has a sign saying please take one, is it theft if you take one?

      Of course not. But if you walk past someone's car and see a set of hubcaps you like, it is theft to pry them off and take them?

    39. Re: Say what? by Mashiki · · Score: 1

      Better learn that it is an invasion of privacy if you ever come to Canada. You wouldn't want to spend 6mo to 4 years in prison for it. See this is what falls into "private areas" there's also semi-public like the walkway going to the front of your house, and public like the sidewalk or street in front of the house/building.

      --
      Om, nomnomnom...
    40. Re: Say what? by slazzy · · Score: 1

      Technically theft but any judge will let you off.

      --
      Website Just Down For Me? Find out
    41. Re: Say what? by sjames · · Score: 1

      You have a bizarre idea on theft. I guess you gave your birthday presents back unopened when you were a child?

    42. Re: Say what? by wardrich86 · · Score: 1

      If the bank leaves its vault open, can you take the money?

      Bad analogy. How about this: You walk up to a bank with several doors in the front, and a note reading "Please enter through the door with your name. If permitted to take items, there will be a bag just inside your door, otherwise you are to look but not touch." Each door has a long hallway that leads to a room at the end, and each door has a name at the top of it. At the end of this line of doors is a door that has a note saying "If no door has your name above it, please use this door." You do as permitted and enter that door. Once in, you see a bag and take it along with you down the hallway. At the end of the hallway, you see that all of the hallways end up in the same room at the end, full of money.

      Now, you've done everything as permitted by the note. You have a bag which grants you permission to take what you want, so... what's wrong with taking the items? Absolutely nothing. Maybe a slight moral issue, but at the end of the day you haven't done anything explicitly wrong.

    43. Re: Say what? by mindwhip · · Score: 1

      Wrong.

      All money laundering rules require is that you can trace the source of money and usually only require cursory checks unless significant money is involved. In the case of the hypothetical bank the fact you got the money you were at the bank and they were giving out money would be sufficient proof. You might be getting confused with bribery laws that state you can't give cash etc for favours and even then only specific situations.

      Anyway companies give out money all the time... They frequently give money in lieu of failures in their procedures and/or other customer dissatisfaction. Also many companies give out stuff and cash as part of various types of competitions, for marketing reasons but basically because they can and that's before we even get into sports and charitable sponsorships and donations.

      --
      [The Universe] has gone offline.
    44. Re: Say what? by sjames · · Score: 1

      Naturally it is theft to take the hubcaps off of someone's car. None of the socially agreed upon signs are there that they are being offered to you.

    45. Re: Say what? by Hognoxious · · Score: 1

      Tell you what, how about you learn to give a citation or fuck off? The first hit from google says just about the opposite; the observed person could be guilty of indecent exposure.

      https://www.thestar.com/news/2...

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    46. Re: Say what? by BitterOak · · Score: 1

      Wrong.

      All money laundering rules require is that you can trace the source of money and usually only require cursory checks unless significant money is involved. In the case of the hypothetical bank the fact you got the money you were at the bank and they were giving out money would be sufficient proof. You might be getting confused with bribery laws that state you can't give cash etc for favours and even then only specific situations.

      Not true. There are strict rules about banks giving money away. For instance: suppose I were a drug dealer and I had $500,000 that needed to be laundered. I take it to my favorite bank and give it to them in a dark room at the back. Next day the bank, out of the goodness of their heart, decides to give me a "gift" of $450,000. (The bank gets their 10%). Voilà: perfectly laundered money!

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    47. Re: Say what? by mindwhip · · Score: 1

      Nope the bank has to be able to show that the money it accepted was from a legitimate source. It can give away all the money it wants but has to be able to show it obtained it from a legal source and that it was its money to give away (and not a customer's).

      --
      [The Universe] has gone offline.
    48. Re: Say what? by Mashiki · · Score: 1

      Article is wrong, so very wrong. Then again it's the Toronto Star, also known in Canada as the Red Star and is known to take a very authoritarian view on things. You enjoy that citation now which will give you a brief overview on criminal and non-criminal privacy rights and you can enjoy this one too. Which reinforced S.8 of the Charter of Rights and Freedoms. You can also find more cases using "the citizen's right to a reasonable expectation of privacy" on this site.

      --
      Om, nomnomnom...
    49. Re: Say what? by ebvwfbw · · Score: 1

      Let's stick to the original question. Don't let an AC change what is being discussed. They are not the same thing and the AC knows it.

      If he wanted to use the bank bit, it would be like the bank allowing anyone off the street to see my banking business. In my case that's boring. For some people, like politicians - that's gold there. They really don't want anyone looking at their business.

    50. Re: Say what? by Coren22 · · Score: 1

      Is it theft if you didn't subtract anything from the owner?

      What about the privacy of the person whose information was in the records?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    51. Re: Say what? by NicknameUnavailable · · Score: 1

      Of course not. But if you walk past someone's car and see a set of hubcaps you like, it is theft to pry them off and take them?

      This is a false equivalency. An anonymous FTP server was designed explicitly to let people connect without authorization and to serve up whatever it contains to whomever asks.

  2. Kill The Messenger! by Frosty+Piss · · Score: 1

    ...dental software security researcher ...

    That's, er, pretty specialized!

    I have a lot of "issues" with so-called "security researchers", which in many cases are either opportunistic hackers or script kiddies. But really, how can it be "hacking" to access data that does not require "breaking in" to anything? Sure, the dude was not invited, but if it's out there, not fire-walled, and all you need to do is type in some random URL, how can that be illegal?

    Now, there may very well be laws, rules, whatever about medical records, but if anything then it's on the medical provider for violating HIPAA or something. On the other hand, disclosing other people's medical records, publicly available or not, might very well be against some law, and maybe it should be...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Kill The Messenger! by amiga3D · · Score: 2

      Let me tell you about the HIPAA bullshit. I have more trouble getting access to my records than damn near anyone else. They share my info with all kinds of people.

  3. The moral of the story by JustAnotherOldGuy · · Score: 5, Insightful

    The moral of the story is that if you discover something like this, close your browser and tell no one.

    Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:The moral of the story by rch7 · · Score: 1

      Such cases are not about reporting but about extortion. Note dental software. Not some free tetris game software, but "dental". It means money and easy extortion target as they would have big & expensive problem with government institutions when client records are disclosed to everybody.

    2. Re:The moral of the story by Anonymous Coward · · Score: 1

      Yep... If you're going to be treated like a criminal anyway, may as well act like one and derive some benefit from the spoils.

    3. Re:The moral of the story by bill_mcgonigle · · Score: 1

      The moral of the story is that if you discover something like this, close your browser and tell no one.

      Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.

      Just to be clear here, your reaction is the intent. If you embarrass somebody who has money, thugs with guns will come kick your door down.

      Better not do that.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:The moral of the story by JustAnotherOldGuy · · Score: 1

      Just to be clear here, your reaction is the intent.

      Of course, which is why you must report this kind of thing anonymously, if at all.

      And since real anonymity is nearly impossible these days (especially in the case of embarrassing somebody who has money), the safest course of action is to close your browser and tell no one.

      As Clare Boothe Luce said, "No good deed goes unpunished", and that's as true today as the first time she uttered it.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  4. Anonymous FTP server is as private as park bench by Anonymous Coward · · Score: 2, Insightful

    An anonymous FTP server is like a park bench. Literally anyone can use it.

    This is like alerting the owner of a bag of money which is on a park bench, and then being penalized for sitting on the bench or looking in the bag.

    If only they'd go after Wall Street as ferociously as they go after those who investigate company security. But then, the reason they go after those who cross big companies is the same reason they don't go after the people in big companies.

  5. looks like another "protection service" by rch7 · · Score: 1

    He is not the first one. The popular racket is simple, they scan for rich doctor files accidentally left online. Once they find something, they offer a "security service" for $###,###. Sure, they don't report their paying "clients" to government for medical records protection violation. It doesn't apply to non-clients. It is not a kiddie game.

  6. Couple differences by Sycraft-fu · · Score: 1

    First, that's not how locks work. A normal lock has only one keying. Master keyed locks are done by larger organizations. To get that master key you have to either get it from them in an authorized manner, or steal it somehow. It isn't like the manufacturers maintain an "all locks" master key and hand it out to people.

    However more to the point an anon FTP is an implicit invitation to anyone to come in, just like a public HTTP server. In terms of the real world, it is like an open store. If you enter an unlocked store, you are not trespassing. If they tell you to leave you have to, but simply entering is allowed because the fact that they are presenting themselves for the public to use and have not locked their door is saying "We want you to come in." That's different than a place that is locked. The lock is an explicit "keep out" message.

    1. Re:Couple differences by trabby · · Score: 1

      I think that is the best analogy that I have read out of the other 50 analogies presented here.

    2. Re:Couple differences by uncqual · · Score: 2

      Unfortunately, none seem to have anything to do with cars. What has /. degraded to?

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  7. Re:Was he authorized? by cbiltcliffe · · Score: 2

    but one would have to wonder why he would be trying to access systems of someone who wasn't his client.

    Because it was anonymous FTP? That's the whole point of anon FTP, you know: that anybody is allowed to use it.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  8. The emperor has no clothes, by jenningsthecat · · Score: 2

    and woe to the subject who points out that fact. Forget 'security by obscurity' - the gubmint seems hell-bent on 'security by denial'. These days it's safest to pretend not to see security failings. Failing that, it almost seems to be the safer, wiser course of action to profit illegally from said security flaws than to point them out in the hope that they'll be fixed.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:The emperor has no clothes, by Hognoxious · · Score: 1

      If you shoot the messenger, you'll stop getting messages.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  9. Re:It might be correct course of action by cbiltcliffe · · Score: 3, Insightful

    Are you seriously that mentally challenged? How is it not clear that it was anonymous FTP?

    led him to an anonymous FTP server that allowed anyone access.

    That's pretty damned clear that it was an anonymous FTP server, because it's described as an anonymous FTP server right there in the text.

    There's also the quote about it being a password protected FTP server back in 2006, with a single password that never changed, until they made it anonymous around 2010.

    And are you really assuming that they were password protected because they're medical records, which are "always under password protected area?" They must have been password protected, simply because they should have been password protected? Your faith in humanity is astounding. And misplaced.

    Maybe next time, instead of pretending you read the article, you could, you know, actually read the article.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  10. Anonymous FTP is the key by shellster_dude · · Score: 1

    If I access a router with a known backdoor password, and someone failed to patch it, that is breaking and entering. It is clear that such access was not intended by the owner of the device, and I am effectively breaching their perimeter without their permission. In this case the guy used anonymous FTP. The entire purpose of anonymous FTP is to allow anyone to download files. FTP technology and anonymous access is routinely employed by companies and websites specifically to exchange files with everyone. Therefore, given the plain and regular use of the technology, one can easily argue that they effectively were inviting file downloads. Until this guy was able to validate the content of the files, he would arguably not have known that the files were supposed to be protected. The fact that he reported the finding shows that he was not behaving maliciously and acting in good faith.

  11. The best way to go by drinkypoo · · Score: 1

    Make an anon release to a news outlet. Hilarity ensues.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Because it is anonymous FTP by hawkingradiation · · Score: 1

    Boy, some of you guys must be pretty young. Have you ever used anonymous ftp? Anonymous ftp works by entering the host, then your username, coincidentally "anonymous" or "ftp", and then you enter your email or the password "guest". It doesn't even check if these are correct. It just lets you straight through.

    --
    Society use your Sciences
  13. Re:It might be correct course of action by tp_xyzzy · · Score: 1

    > And are you really assuming that they were password protected because they're medical records, which are "always under password protected area?" They must have been password protected, simply because they should have been password protected? Your faith in humanity is astounding. And misplaced.

    The company is legally required to keep that data in a secure location. Thus the company's secure location extends to the place where the patient data was found. And accessing it without authorisation is illegal. It's basically a similar situation to when you accidentally find out someone's credit card PIN code. The person might be careless with communicating his secrets, but it's still illegal to use the PIN code for anything. The same happens with patient data: the secret data might be carelessly handled, but any access to the data is still an illegal operation.

  14. Re:It might be correct course of action by cob666 · · Score: 2

    Yes, companies ARE required to keep private medical information secure but whether or not the company THOUGHT their secure location extended to the directory where the patient data was is irrelevant. The data was unencrypted and freely accessible via an anonymous ftp server. The company should be penalized for allowing this to happen, NOT the user who found the exposed ftp server and informed the company that the records were freely available.

    --
    Do what thou wilt shall be the whole of the Law - Aleister Crowley
  15. Re:It might be correct course of action by dgatwood · · Score: 2

    > The company is legally required to keep that data in a secure location. Thus the company's secure location extends to the place where the patient data was found. And accessing it without authorisation is illegal. It's basically a similar situation to when you accidentally find out someone's credit card PIN code. The person might be careless with communicating his secrets, but it's still illegal to use the PIN code for anything. The same happens with patient data: the secret data might be carelessly handled, but any access to the data is still an illegal operation.

    The problem with your logic is that unless the filename makes its contents obvious, there's no way to know what's in a file on an FTP server without downloading it. It clearly makes no sense to prosecute someone for a crime if it isn't possible for them to know that they're committing a crime until they have already finished committing it....

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.

  16. Re:Report anonymously by Anonymous Coward · · Score: 1

    How does one report such things anonymously? I requested a password reset from a municipal website and they emailed my password to me in plain text. I'm honestly afraid to tell anybody.

  17. Re:Anonymous FTP server is as private as park benc by uncqual · · Score: 1

    That is complete nonsense. It is like walking up to a shop with the lights on and no Open or Closed sign or any posted hours, and opening the door and entering the shop if the door opens.

    I don't recall when I first accessed an anon FTP server, but it was certainly well over 25 years ago and I've used anon access many times. If user 'anonymous' and an arbitrary email address is accepted as a password, it's open for the public to access anything that the user can get to -- everyone knows that and everyone knows that every administrator who configures a system presumably intends it to be that way.

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
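    The login dialogue that hawkingradiation (comment 12) and uncqual (comment 17) describe, as an added example that is not part of either comment: a toy FTP control channel (constructed here; it serves no files and only implements USER, PASS and QUIT) running on a loopback port, plus a check using the standard-library client that tells you whether a daemon accepts the "anonymous" login. The 220/331/230/530 reply codes are the standard ones; the host, port and the "guest@example.invalid" password are assumptions for the demo.

```python
import socketserver
import threading
from ftplib import FTP, Error as FTPError, error_perm

# Usernames that, by long-standing convention, mean "anonymous" to an FTP
# daemon. The password is conventionally an e-mail address or "guest" and
# is not checked at all.
ANONYMOUS_USERS = {"anonymous", "ftp"}


class AnonFTPControlHandler(socketserver.StreamRequestHandler):
    """Toy FTP control channel: implements only the USER/PASS/QUIT dialogue.

    Constructed for this example; it serves no files and only shows the
    reply codes a real daemon sends during an anonymous login.
    """

    def handle(self):
        self.wfile.write(b"220 demo FTP server ready\r\n")
        user = None
        while True:
            raw = self.rfile.readline()
            if not raw:
                return  # client went away
            cmd, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                # 331 = "need password", sent regardless of the username.
                self.wfile.write(b"331 Please specify the password.\r\n")
            elif cmd == "PASS":
                # Anonymous convention: the password itself is never validated;
                # only the username decides whether the login is accepted.
                if user in self.server.anonymous_users:
                    self.wfile.write(b"230 Login successful.\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect.\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"530 Please login with USER and PASS.\r\n")


class DemoFTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, anonymous_users):
        # Port 0: let the OS pick a free loopback port (assumption for the demo).
        super().__init__(("127.0.0.1", 0), AnonFTPControlHandler)
        self.anonymous_users = set(anonymous_users)


def start_demo_server(anonymous_users=ANONYMOUS_USERS):
    """Start the toy server in a background thread; returns (server, port)."""
    server = DemoFTPServer(anonymous_users)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def anonymous_login_allowed(host, port, timeout=5.0):
    """Return True if the FTP daemon at host:port accepts an anonymous login.

    ftplib performs exactly the dialogue described in the comments:
    USER anonymous -> 331, PASS <anything> -> 230 (open) or 530 (closed).
    A 5xx reply is raised by ftplib as error_perm.
    """
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login("anonymous", "guest@example.invalid")  # password is arbitrary
        return True
    except error_perm:
        return False
    finally:
        try:
            ftp.quit()  # polite QUIT; falls back to a plain close on error
        except (OSError, FTPError):
            ftp.close()


if __name__ == "__main__":
    cases = (("anonymous enabled", ANONYMOUS_USERS), ("anonymous disabled", set()))
    for label, users in cases:
        server, port = start_demo_server(users)
        allowed = anonymous_login_allowed("127.0.0.1", port)
        print(f"{label}: anonymous login allowed = {allowed}")
        server.shutdown()
        server.server_close()
```

Running the block starts two toy servers in turn, one with the anonymous usernames enabled and one with none, and reports True for the first and False for the second. Against a real host you would call only anonymous_login_allowed(host, 21); note that a 230 reply means the daemon granted a session, not that anything beyond the login was exercised.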
  18. Re:Was he authorized? by BitterOak · · Score: 1

    but one would have to wonder why he would be trying to access systems of someone who wasn't his client.

    Because it was anonymous FTP? That's the whole point of anon FTP, you know: that anybody is allowed to use it.

    I do understand about anonymous FTP. The point I was trying to make is all that is moot if he was hired to test that security in the first place. I guess my question boils down to this: Who exactly hired him? I'm genuinely curious, cause to me this story doesn't make a whole lot of sense.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  19. Re:It might be correct course of action by Anonymous Coward · · Score: 1

    > The company is legally required to keep that data in a secure location. Thus the company's secure location extends to the place where the patient data was found. And accessing it without authorisation is illegal. It's basically a similar situation to when you accidentally find out someone's credit card PIN code. The person might be careless with communicating his secrets, but it's still illegal to use the PIN code for anything. The same happens with patient data: the secret data might be carelessly handled, but any access to the data is still an illegal operation.

    That's a cute theory, and from TFS apparently the thing the prosecutor is trying to gain a conviction (and perhaps a promotion) with.

    But it is a deeply disturbing conflation of two issues. First, we have the data, that ought to be protected. Second, we have the means with which it is or is not being protected, which is obliged to be there. This legal theory says that because you have the first, the second turns into legal protection, when it was supposed to be a legal stick to make sure there is actual protection for the data.

    IOW, you may be obliged to protect that data but it doesn't have to be technical. You just boobietrap the thing with legal red tape and done. Which means that if you tell people about their technical protection oversights you're going to get ensnared and jailed, while if you simply snatch the data and sell it, nobody cares.

    "Just don't get caught! -- Love, your friendly neighbourhood DA."

    This is easy to see because what happened is that Company of Idiots, ultd. left the data with a protection obligation out in the open on an anon ftp, which is to say entirely unprotected, forsaking their obligation, and Shmuck R. Smudgycoat stumbled upon the data, then told CoI about it so that they might correct the error of their ways. Not so, says the prosecutor: CoI has an obligation to protect, so that's really a legal protection of the data, so Smudgycoat is guilty of accessing protected data. Even though it wasn't protected, it just was supposed to be.

    That's about as arse-backwards as it gets. Which is nothing unusual in the USoA legal system, but still.

  20. Remember that time? by pablo_max · · Score: 1

    If you have nothing to hide, you should not be worried, they said. The government is there to protect us, they said. The government has a right to do those things, they said. The government would never cross the line, they said.
    Well, I would say at this point it is probably past the "too late" stage and you are stuck with the monster which decades of apathy and "blind misplaced patriotism" has created.
    The US government has so much power at this point, I find it hard to imagine the people could ever take it back without a lot of bloodshed. I hope I am wrong.

  21. Meanwhile... by transami · · Score: 1

    Every time I go to the hospital they have no ability to access my previous records!

    --
    :T:R:A:N:S:
  22. Protecting ACA by BlueStrat · · Score: 2

    This poor schlub is being prosecuted because he's highlighted one of the pitfalls of the ACA's requirements that medical records be converted to and stored as computer data...that, even barring malicious and intentional hacking, leaks and poor security practices will ensure that patient data will be exposed regardless of any laws or legal penalties put in place. Something those in power assured us would not happen.

    He's getting screwed-over because he dared expose the dishonesty of those in power.

    The lesson? If you just happen to discover a way to access any of the US government's law enforcement/intelligence networks, do not notify them of a vulnerability. Either sell the method of access and/or the data acquired, or simply post it on the 'net on a server located in Ecuador.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    1. Re:Protecting ACA by vandamme · · Score: 1

      "Kill the messenger."

  23. Re:Anonymous FTP server is as private as park benc by Hognoxious · · Score: 1

    If they aren't supposed to, then put a fence around it with a combination lock to open the gate, and only give the combination to people who are supposed to be there.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  24. Re:It might be correct course of action by tp_xyzzy · · Score: 1

    > IOW, you may be obliged to protect that data but it doesn't have to be technical. You just boobietrap the thing with legal red tape and done. Which means that if you tell people about their technical protection oversights you're going to get ensnared and jailed, while if you simply snatch the data and sell it, nobody cares.

    Maybe their cunning plan for data security was that the IP address of their ftp site is already enough protection for their patient data. If no one knows the server exists, it might even work. The article gave a pretty strange description of how the security researcher found out about the server's existence: "They were researching issues about fixed database credentials". Which kinda sounds like an operation that already requires authorised access -- who would give some random person on the internet access to a password file? Probably the real unauthorised access happened some time _before_ accessing the ftp site. The article focuses on the anon ftp site and how anyone should be permitted access to such things, but it completely forgets that the unauthorised access can happen at the place where the server's location on the internet is discovered. Normally you need a port scan or (in this case, examining the credentials), which might not exactly be legal operations in the first place.

  25. Re:Report anonymously by Anonymous Coward · · Score: 1

    Type up a sheet with instructions on how to access the data. Print copies and place in envelopes. Label envelopes with names of "real press" reporters. Drop envelopes at establishments or homes where reporters can be found. Watch news outlets. Eat popcorn.

  26. Re:Was he authorized? by BitterOak · · Score: 1

    > What if no one hired him? What if he just happened upon the FTP server?

    The article specifically says he's a dental software security researcher. It's his job. Therefore it stands to reason, someone hired him.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  27. Hmmm by easyTree · · Score: 1

    The US is tripping over itself to become a police state as soon as possible.

  28. Re: There was no sign by lamer01 · · Score: 1

    Second point is that although access to enter was granted, access to download is not implicit. Once logged on, you are effectively in someone else's house. If this were a house and the door was left wide open, I think even entering may be construed as trespassing. If, in said house, the owner left all their confidential information on their office desk, you are not allowed to take pictures of it with your phone. To go back to the original thread, if the researcher ended up on this ftp server by following a link that the server owner provided, either directly or indirectly by having a link on a public web site saying 'Hey, go look at these documents', then I would exonerate the guy.

  29. Re: There was no sign by sjames · · Score: 1

    Net servers assume business rules, not residential.

    Access implies permission to download in an anon FTP server. The whole purpose of anon FTP is to distribute data freely to the public (remember, it pre-dates HTTP).

    The defendant's "crime" is as follows: He picks up the store manager's wallet off of the tray under the "Please take one" sign, holds it up and calls to the manager "Hey, I don't think you meant to leave this here". Suddenly cops with assault weapons appear behind him and take him away.

    The icing on the cake? They completely ignored the muggers openly shaking down elderly customers in front of the store.

  30. Re: There was no sign by skywire · · Score: 1

    Your problem is use of the house/doorway metaphor where it does not fit. Even if you could make a case (which I'll not address here) that allowing someone to log into a server does not automatically grant the right to download files to which they have been given read access, you certainly cannot make such a case for an FTP server, which is dedicated to allowing downloads and/or uploads of accessible files. The fact of its being an FTP server that allows the user access counts as the "Please download" sign.

    --
    Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
  31. Wrong idiot arrested... by martinfb · · Score: 1

    The wrong person was arrested. The absolute idiot that exposed secure info should be arrested, fined, and banned from any IT job or function for life. Further, the HIPAA regs need to be made clearer and more encompassing, and enforced. If my info were in that compromised data, I'd be very angry, NOT at Mr Shafer, but rather at the blithering idiot that made these data so available!

    --
    Self-importance and self-indulgence is the root of ALL evil.