Slashdot Mirror


FBI Raids Dental Software Researcher Who Found Patient Records On Public Server (dailydot.com)

blottsie writes: Yet another security researcher is facing possible prosecution under the CFAA for accessing data on a publicly accessible server. The FBI on Tuesday raided Texas-based dental software security researcher Justin Shafer, who found the protected health records of 22,000 patients stored on an anonymous FTP. "This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA," Orin Kerr, a George Washington University law professor and CFAA scholar told the Daily Dot. "If that turns out to be the government's theory -- which we don't know yet, as we only have the warrant so far -- it will be a significant overreach that raises the same issues as were briefed but not resolved in [Andrew 'weev' Auernheimer's] case. I'll be watching this closely." It was also reported this week via The Intercept that a provision snuck into the still-secret text of the Senate's annual intelligence authorization that would give the FBI the ability to demand individuals' email data and possibly web-surfing history from their service providers using those beloved 'National Security Letters' -- without a warrant and in complete secrecy.

4 of 130 comments

  1. Say what? by msauve · Score: 5, Insightful

    How is anon FTP not authorized? I give my "name" (anonymous), and credentials (email address), and the system makes the decision to let me in, based on the configuration the sysadmin set. If that's not authorization, what is?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re: Say what? by sjames · Score: 4, Insightful

      OTOH, an anon FTP server is a well known actual thing and has been for decades. A better question is if you walk past a tray of prepared food at the grocery store and it has a sign saying please take one, is it theft if you take one?

    2. Re: Say what? by KeithIrwin · Score: 5, Informative

      Allowing an anonymous login for an FTP server is tantamount to putting up a sign which says "take the files". If you don't understand why, just follow this link. If you did, in fact, follow that link, congratulations: you just downloaded a file from an FTP server using an anonymous login. It's such an accepted thing that your web browser just did that process for you without bothering to ask if you were okay with it. You've now done the same thing he was accused of doing without even knowing you were doing it.

      Putting files on a public FTP server with an anonymous login is exactly the same as putting those files on a public HTTP server without requiring user credentials. The only difference is which protocol is being used.
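The two comments above turn on the same point: whether anonymous logins are accepted is decided by the server's configuration, and once they are, every readable file is effectively public. As an added example that is not part of the thread, the following audits a vsftpd.conf text for the directives that open a server to anonymous users; the directive names are real vsftpd options, and the two sample configs are constructed for illustration.

```python
"""Audit a vsftpd configuration for anonymous-access exposure."""
from __future__ import annotations

# vsftpd directives that widen anonymous access when set to YES, with the
# reason each one matters to the operator of the server.
RISKY_WHEN_YES = {
    "anonymous_enable": "anonymous logins accepted; every readable file is public",
    "anon_upload_enable": "anonymous users may upload files",
    "anon_mkdir_write_enable": "anonymous users may create directories",
    "anon_other_write_enable": "anonymous users may delete or rename files",
}

# Constructed sample: a server whose whole tree is reachable by anyone.
EXPOSED_CONF = """\
# constructed sample config, not from a real host
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=NO
"""

# Constructed sample: anonymous access switched off, so the anon_* write
# directives no longer matter.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
anon_upload_enable=YES
local_enable=YES
"""


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse vsftpd's one-directive-per-line key=value format ('#' starts a comment)."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_anonymous_access(text: str) -> list[str]:
    """Return one finding per anonymous-access directive that is effectively enabled."""
    settings = parse_vsftpd_conf(text)
    findings: list[str] = []
    # vsftpd's compiled-in default for anonymous_enable is YES, so a missing
    # directive is treated as anonymous access being on.
    anon_setting = settings.get("anonymous_enable")
    if (anon_setting or "YES").upper() != "YES":
        return findings
    if anon_setting is None:
        findings.append("anonymous_enable missing: vsftpd defaults to YES, anonymous logins accepted")
    else:
        findings.append("anonymous_enable=YES: " + RISKY_WHEN_YES["anonymous_enable"])
    for key, why in RISKY_WHEN_YES.items():
        if key != "anonymous_enable" and settings.get(key, "NO").upper() == "YES":
            findings.append(f"{key}=YES: {why}")
    return findings
```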

  2. The moral of the story by JustAnotherOldGuy · Score: 5, Insightful

    The moral of the story is that if you discover something like this, close your browser and tell no one.

    Reporting a vulnerability or data breach has come to mean that "you're some kind of criminal" and must be punished, regardless of the circumstances.

    --
    Just cruising through this digital world at 33 1/3 rpm...