Slashdot Mirror


FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com)

blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization that would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.

21 of 130 comments

  1. Say what? by msauve · · Score: 5, Insightful

    How is anon FTP not authorized? I give my "name" (anonymous), and credentials (email address), and the system makes the decision to let me in, based on the configuration the sysadmin set. If that's not authorization, what is?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Say what? by wbr1 · · Score: 2
      Playing devil's advocate:

      How was it breaking and entering? I put the master key in the lock and the lock opened based on the configuration set by the manufacturer.

      Not saying this is right, but it is how it will be presented. These clowns do not care about intent. If the intent of the law was to protect, then they would welcome true penetration tests that are conducted and reported ethically. Instead the laws, and the way they are prosecuted, are designed to protect those in power, those who exercise poor judgement.

      --
      Silence is a state of mime.
    2. Re: Say what? by NicknameUnavailable · · Score: 2

      If the bank leaves its vault open, can you take the money?

      If they stick a sign outside saying "free money" and have an anonymous form at the door to fill out saying "add a tally for yourself if you took some free money" then yes, you fucking can. The only difference in this case is there was no money involved.

    3. Re:Say what? by amiga3D · · Score: 2

      Exactly. What he's really guilty of is showing how incompetent they are. They put next to no effort into catching people who actually break into systems and access info to perform identity theft. The only people I see them prosecuting are the ones stupid enough to try to help.

    4. Re: Say what? by fluffernutter · · Score: 2

      I agree. A better analogy is that a bank opens their vault, assures a room of two million people that they are not being watched, and then simply leaves them to do whatever they want. They aren't allowed to take the money, but human nature is what it is.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    5. Re:Say what? by cbiltcliffe · · Score: 2

      Whose wallet did he steal? All he did was look at your wallet sitting on the counter, saw that there was money hanging out of it, then turned around and left.

      --
      "City hall" in German is "Rathaus". Kinda explains a few things...
    6. Re: Say what? by sjames · · Score: 4, Insightful

      OTOH, an anon FTP server is a well known actual thing and has been for decades. A better question is if you walk past a tray of prepared food at the grocery store and it has a sign saying please take one, is it theft if you take one?

    7. Re: Say what? by wierd_w · · Score: 2

      Sure they can!

      Here's how:

      They create a new class of "loan", with a 0% interest rate, and a date of mandatory repayment of 100bn years from now.

      They can put a sign up front advertising these amazing loans: "No credit check, no deposit, no ID required!"

      The bank can issue up to 9x the value of their current deposit holdings in such "loans", and the money they lend out comes from nothing -- per how federal reserve banking is designed to work.

      If the bank offers such a "loan", you are perfectly free to take all the free money that you will be too dead to pay back by the due date that you want, until the bank runs out of credit.

      Most banks are not this stupid, being for-profit institutions -- they expect to be paid back their credit (which, once they are repaid, the money you give them becomes holdings, and they can lend THAT out at 900% as well) and expect that you will hold the loan in either their bank, or another bank they can take an interbank loan from, and mass generate wealth from nothing. Giving away money at 0% with a due date older than the projected heat death of the universe is not something they will consider -- but if they did, it is not bank robbery to accept their generous offer.

    8. Re: Say what? by KeithIrwin · · Score: 5, Informative

      Allowing an anonymous login for an FTP server is tantamount to putting up a sign which says "take the files". If you don't understand why, just follow this link. If you did, in fact, follow that link, congratulations: you just downloaded a file from an FTP server using an anonymous login. It's such an accepted thing that your web browser just did that process for you without bothering to ask if you were okay with it. You've now done the same thing he was accused of doing without even knowing you were doing it.

      Putting files on a public FTP server with an anonymous login is exactly the same as putting those files on a public HTTP server without requiring user credentials. The only difference is which protocol is being used.

    9. Re: Say what? by rrohbeck · · Score: 2

      And people don't take the money, they just look at it. Is that theft? Unauthorized access?

    10. Re:Say what? by Agripa · · Score: 2

      And the only ones stupid enough to confess.

      Why would you ever admit to doing a good deed like this? Law enforcement is not paid to not arrest you and the courts are not paid to not convict you.

  2. The moral of the story by JustAnotherOldGuy · · Score: 5, Insightful

    The moral of the story is that if you discover something like this, close your browser and tell no one.

    Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  3. Anonymous FTP server is as private as park bench by Anonymous Coward · · Score: 2, Insightful

    An anonymous FTP server is like a park bench. Literally anyone can use it.

    This is like alerting the owner of a bag of money which is on a park bench, and then being penalized for sitting on the bench or looking in the bag.

    If only they'd go after Wall Street as ferociously as they go after those who investigate company security. But then, the reason they go after those who cross big companies is the same reason they don't go after the people in big companies.

  4. Re:Kill The Messenger! by amiga3D · · Score: 2

    Let me tell you about the HIPAA bullshit. I have more trouble getting access to my records than damn near anyone else. They share my info with all kinds of people.

  5. Re:Was he authorized? by cbiltcliffe · · Score: 2

    but one would have to wonder why he would be trying to access systems of someone who wasn't his client.

    Because it was anonymous FTP? That's the whole point of anon FTP, you know: that anybody is allowed to use it.

    --
    "City hall" in German is "Rathaus". Kinda explains a few things...
  6. The emperor has no clothes, by jenningsthecat · · Score: 2

    and woe to the subject who points out that fact. Forget 'security by obscurity' - the gubmint seems hell-bent on 'security by denial'. These days it's safest to pretend not to see security failings. Failing that, it almost seems to be the safer, wiser course of action to profit illegally from said security flaws than to point them out in the hope that they'll be fixed.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  7. Re:It might be correct course of action by cbiltcliffe · · Score: 3, Insightful

    Are you seriously that mentally challenged? How is it not clear that it was anonymous FTP?

    led him to an anonymous FTP server that allowed anyone access.

    That's pretty damned clear that it was an anonymous FTP server, because it's described as an anonymous FTP server right there in the text.

    There's also the quote about it being a password protected FTP server back in 2006, with a single password that never changed, until they made it anonymous around 2010.

    And are you really assuming that they were password protected because they're medical records, which are "always under password protected area?" They must have been password protected, simply because they should have been password protected? Your faith in humanity is astounding. And misplaced.

    Maybe next time, instead of pretending you read the article, you could, you know, actually read the article.

    --
    "City hall" in German is "Rathaus". Kinda explains a few things...
  8. Re:It might be correct course of action by cob666 · · Score: 2

    Yes, companies ARE required to keep private medical information secure but whether or not the company THOUGHT their secure location extended to the directory where the patient data was is irrelevant. The data was unencrypted and freely accessible via an anonymous ftp server. The company should be penalized for allowing this to happen, NOT the user who found the exposed ftp server and informed the company that the records were freely available.

    --
    Do what thou wilt shall be the whole of the Law - Aleister Crowley
  9. Re:It might be correct course of action by dgatwood · · Score: 2

    The company is legally required to keep that data in a secure location. Thus the company's secure location extends to the place where the patient data was found. And accessing it without authorisation is illegal. It's basically a similar situation to if you accidentally found out someone's credit card PIN code. The person might be careless with communicating his secrets, but it's still illegal to use the PIN code for anything. Same happens with patient data: the secret data might be carelessly handled, but any access to the data is still an illegal operation.

    The problem with your logic is that unless the filename makes its contents obvious, there's no way to know what's in a file on an FTP server without downloading it. It clearly makes no sense to prosecute someone for a crime if it isn't possible for them to know that they're committing a crime until they have already finished committing it....

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.

  10. Re:Couple differences by uncqual · · Score: 2

    Unfortunately, none seem to have anything to do with cars. What has /. degraded to?

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  11. Protecting ACA by BlueStrat · · Score: 2

    This poor schlub is being prosecuted because he's highlighted one of the pitfalls of the ACA's requirements that medical records be converted to and stored as computer data...that, even barring malicious and intentional hacking, leaks and poor security practices will ensure that patient data will be exposed regardless of any laws or legal penalties put in place. Something those in power assured us would not happen.

    He's getting screwed-over because he dared expose the dishonesty of those in power.

    The lesson? If you just happen to discover a way to access any of the US government's law enforcement/intelligence networks, do not notify them of a vulnerability. Either sell the method of access and/or the data acquired, or simply post it on the 'net on a server located in Ecuador.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.