FBI raids dental software researcher who discovered patient data on FTP server

259 points by corywright, almost 9 years ago

23 comments

ghoul2, almost 9 years ago
As a separate issue: why the "shock and awe" response to what is (even allegedly) a non-violent crime? Why the assault rifles? Why could he not have been arrested by just a couple agents walking up to the door, knocking, serving the search warrant, and then maybe having the techs step in to conduct the search and seizure?

Why does US Law Enforcement so dramatically escalate every contact with a citizen? Every time they do this, they risk accidental injury to the people, kids, pets.

What in this particular situation necessitated a SWAT-level treatment?

Maybe the law should be fixed such that warrants have to specifically include firearm authorizations.
jneal, almost 9 years ago
This reminds me of something that happened to me in high school back in 1999. I found an Excel doc in a public network drive that contained every single student's SSN, DOB, whether they had free/reduced lunch, address, phone, etc. I was admittedly snooping around, but this was all public stuff every student and teacher had full access to.

When I found it, I told one of the teachers that I trusted and she insisted that I must tell the principal. So I went down to the principal's office and told her. My primary goal was to get this removed or made private because even at that young age I knew this was very sensitive data and I wouldn't want just anyone having access to my information like that.

When I got home from school, I found my mother upset because we'd been called to return to school for an emergency meeting. I was questioned, and when I told them I only wanted this sensitive information properly secured I was told by the county IT administrator "Did you ever stop to think if maybe this information was public for a reason?" I took a second, and literally wanted to say "There is no reason this information should ever be public" but I ended up keeping my mouth shut in hopes of not getting into further trouble.

I was nearly expelled for "hacking". They placed me on "academic probation" and threatened that if I did so much as forget my school ID at home one day, I would be immediately expelled without question. I was removed from my elective classes that involved computers and was disallowed from touching any computers at school.

Fun fact: Someone on the yearbook staff accidentally deleted the only copy of the yearbook files and our yearbook was in danger of basically not being made. I was called to the principal's office and asked to help. I was able to recover the deleted files and save the day. At some point they realized I never had malicious intent, but I still hold a small grudge for the way I was treated as a criminal for uncovering such a big security hole.
callesggalmost 9 years ago
About a month or so ago I found an open public Mongo database with about 12GB of records regarding people's retirement funds of what I assume was hundreds of thousands of people: account numbers, how much money was in the accounts when they had moved them to various funds, and so on.

Thought long and hard about what to do but decided to not do anything; don't feel like risking my entire life just to help someone. This is me assuming they did not intend to have it publicly open.

With that story out there, it would be nice to have a legit legal way to inform the police or a similar trustworthy government agency that could handle issues like this.
openasocket, almost 9 years ago
It sounds like Patterson Dental deserves as much blame as the FBI, if not more, because it sounds like they were the ones pressing charges and motivating prosecution in the first place. Also, why aren't they being charged with what is almost certainly a HIPAA violation?
qb45, almost 9 years ago
Another lesson not to trust people/organizations ignorant enough to keep confidential data in plain text on anonymous FTP.

It seems that the 21st century responsible disclosure procedure goes like that:

0. use tor for the research itself
1. report problems anonymously
2. if they don't care - report them to law enforcement for breach of confidentiality
3. if these don't care either or don't accept anonymous tips - make noise in the media

Of course, this is for dealing with idiots who keep their data on public FTP. If the attack takes some clever hacking, go check if they don't offer bug bounties. Funny times we are living in.
AdmiralAsshat, almost 9 years ago
The FBI is going to have a hell of a time arguing that accessing a public FTP server with no password protection is a crime.
wyldfire, almost 9 years ago
> Defense attorney Tor Ekeland, who represented Auernheimer in the federal court case in New Jersey, has offered to help Shafer ...

Based on his website it appears that "Tor" is actually his given name. What an odd coincidence.
Steuard, almost 9 years ago
I know this is only tangentially related to the HN content here, but does anyone have a sense of why the FBI would choose to respond to this sort of case with a dozen agents and weapons drawn? Rather than, say, two guys politely ringing the bell and asking him to come with them?

Unless there's a lot left out of this article, I wouldn't think most "unauthorized computer access" suspects tend to be heavily armed. (Particularly if the company actually reported the context of the "crime", including the fact that he had voluntarily notified them of the problem.)
merrywhether, almost 9 years ago
Reading this, I had an idea for a new law that could counteract this stupid reaction to security research:

Particularly for protected patient information (but maybe for other classes of sensitive data as well), it would be interesting to somehow classify having this information breached as a crime by the holder of the information (I realize this might be hard to do given the reality of security these days, so there would need to be some nuance of course). The crux of my idea would be to automatically count any access that results in prosecution as a breach of said data, thus meaning that prosecuting a security researcher would automatically put the information holder under separate prosecution. I wonder if something like this could be feasible.
sathackr, almost 9 years ago
Fun fact:

Many financial institutions use the last 4 of your SSN as identity verification.

If you're a business, it's the last 4 of your FEI/EIN.

I know at least in FL, this is publicly available at sunbiz.org

So with the account number printed at the bottom of your paycheck/stub and the FEI/EIN, you can often authenticate to a financial institution and obtain privileged information.

I know this not because I was on the "hacker" side, but because I was involved on the financial institution side of it and caught this as part of my engagement. The institution was issuing new logins for its internet banking site and the password would have been based on the user's name, zip code, and SSN/FEI/EIN, all 3 of which are available (in FL) on that sunbiz.org site.
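The onboarding scheme sathackr describes (initial passwords built from a name, zip code and the last four of an SSN/FEI/EIN, all of which are public record) is the kind of thing a policy check can catch before a credential is ever issued. The following is an added example, not code from the thread or from any institution it mentions; the profile fields, the `SAMPLE_PROFILE` values and the function names are constructed for illustration.

```python
import re
import secrets

# Constructed sample profile: the same kinds of fields the comment says were
# used to build initial passwords (name, zip code, last four of SSN/FEI/EIN).
SAMPLE_PROFILE = {"name": "Jane Q. Doe", "zip": "33101", "id_last4": "6789"}

# Fields that are public record (e.g. via a state business registry) and so
# must never appear in a credential, not even as a fragment.
PUBLIC_FIELDS = ("zip", "id_last4")


def _normalize(text):
    """Lowercase and drop anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _fragments(profile):
    """Split every profile value into the lowercase fragments a derived
    password would reuse ('Jane Q. Doe' -> {'jane', 'doe'}; initials dropped)."""
    frags = set()
    for value in profile.values():
        for part in re.split(r"[^a-z0-9]+", value.lower()):
            if len(part) >= 2:
                frags.add(part)
    return frags


def _covered(pw, frags, memo):
    """True if pw can be written entirely as a concatenation of fragments."""
    if pw == "":
        return True
    if pw not in memo:
        memo[pw] = any(pw.startswith(f) and _covered(pw[len(f):], frags, memo)
                       for f in frags)
    return memo[pw]


def derived_from_profile(password, profile):
    """Reject a credential that embeds a public-record field or is built only
    from profile fragments in any order (e.g. 'JaneDoe33101', 'doe-6789')."""
    pw = _normalize(password)
    if any(_normalize(profile[k]) in pw for k in PUBLIC_FIELDS):
        return True
    return _covered(pw, _fragments(profile), {})


def issue_initial_credential(profile):
    """Return a random initial credential that passes the check; the retry is
    only a guard, a 16-byte token essentially never matches profile fragments."""
    while True:
        token = secrets.token_urlsafe(16)
        if not derived_from_profile(token, profile):
            return token
```

The check flags the derived scheme regardless of field order or separators, while a random token from `secrets` passes and carries no information an outsider can look up.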
downandout, almost 9 years ago
Unless there is more to the story, he won't be prosecuted for accessing an anonymous FTP server. However, they will scour the computers/drives they took (for months or possibly even years), looking for evidence of this or any other technically illegal misdeed. In the unlikely event they find nothing that they can take issue with (this being a security researcher's computer equipment, they'll find all kinds of hacking tools and possibly evidence of other research that could be construed as hacking attempts), in a year or so, he might get his stuff back. If they find anything, he'll face charges for that.

That's how law enforcement in the US works. A crack in the door, in the form of a ridiculous accusation, is all it takes for one's life to be destroyed.
rrggrr, almost 9 years ago
Here's an investigative tool the CFAA & the FBI need... if a company like Patterson Dental spins up an investigative raid with a baseless complaint, the Bureau should be able to charge them with a crime. One almost hopes the FBI investigation yields enough evidence to charge Patterson with a criminal violation of HIPAA.
fiatmoney, almost 9 years ago
It needs to be understood that if you react this way to responsible disclosure practices, your company & you personally will be subject to irresponsible disclosure practices.
pmontra, almost 9 years ago
Do you have laws in the USA that mandate protection of health data?
mevile, almost 9 years ago
I'm not addressing the FBI response, but hear me out. As a security researcher you have to stop at the first vulnerability. Don't use the vulnerability to get more information. It's the company's responsibility to ascertain the impact of the problem. This person should not have attempted to download anything from the FTP server. They should have spotted the FTP server, notified the company and made it clear they never attempted to download anything from it.

There was a similar issue with S3 credentials and Facebook a few months ago. The security researcher went too far. There was a large outcry by everyone about Facebook's response. I'm not addressing the response. I'm saying as a security researcher you need to protect yourself by trying very hard to limit the impact of what you're doing to remove risk of legal liability. Only go as far as the first problem and no further.
phusion, almost 9 years ago
This is so wrong, but it's not surprising. We've been reading stories for years of security researchers being charged with a crime or harassed for simply pointing out blatant security holes.

What kind of thinking is this? He was doing them a favor. Every time, it seems to me that they are embarrassed by the incident and lash out. WHY!?? We should be treating these researchers like heroes, not kicking in their doors and having the FBI charge them with criminal CFAA violations. Once the chilling effect comes down in full force, we'll have a much less secure Internet.
a3n, almost 9 years ago
It's as if the CFAA was intended to protect behavior like Patterson did.
pipermerriam, almost 9 years ago
The FBI seems to have lost its way (same with most of the other 3-letter governmental entities and other law enforcement). How do we change the system so that they are held accountable for these sorts of things?

This is getting ridiculous. I can't predict the general public's opinions on things like this but it seems so clearly "wrong".

I have hope for a peaceful fix but I am skeptical that we aren't well on our way to a much more traditional violent revolution.

Everything I've read on the subject suggests that the early signs of revolution are a sufficiently large disparity between the rich and the poor such that the poor can no longer provide for themselves. It seems like this is well on its way and likely speeding up.

I'd love to see some statistics on situations like the 2014 Ferguson Missouri situation. I'm curious if there's a rise in situations where the government sufficiently crosses the line that the public backlash manifests violently. I expect that we're still in a stage where these situations are still largely centered around poor minorities [1] but situations like this suggest that incidents are starting to expand into demographics that might get the "middle class" [2] to finally pay attention.

I hope we can find a way to unite as a single voice to change things. I hope it doesn't end up being violent. The following things encourage me.

* Decreased relevance of the "mass media". This is a double edged sword. On one hand it allows for news that might be ignored by a major network to still be disseminated widely. On the other hand, the "public" has a really poor track record of consuming news that isn't also entertainment and many of these issues seem to fall entirely outside of people's interests.

* The ability to aggregate these sorts of events to establish a clear pattern of behavior. It's getting harder to hide things.

Also these disclaimers:

1. I say poor minorities because based on my knowledge of the law enforcement overstepping it's typically in situations involving people who are poor and black.

2. The "middle class" is used here to reference a predominantly "white" demographic that most mass media caters to. I've struggled to find the appropriate language here, fearing I'll be labeled racist somehow. Hoping that my message reads as intended.
joesmo, almost 9 years ago
In the meantime, companies like Apple and Google are deleting users' files without their consent and infecting computers with malware through ads yet I don't see Tim Cook or Larry Page being woken up in the middle of the night by a SWAT team. What a fucking joke our legal system is.
cloudjacker, almost 9 years ago
Use Tor through Whonix gateway. FBI's NIT doesn't have a way through that.
2close4comfort, almost 9 years ago
The FBI putting the Cyber in Cyber. I know we all feel safer with them on the watch
King-Aaron, almost 9 years ago
So basically, when you discover critical vulnerabilities in a server, do not tell the owners about it. Sell the information anonymously to the highest bidder.
eric_h, almost 9 years ago
I could not get this site to fully load even after (or maybe because) my adblocker blocked 68 requests.

However, loads great in lynx!