FTP Server at LSUHealth New Orleans

342 points, by nwalfield, almost 11 years ago

23 comments

SeanDav, almost 11 years ago
This is a symptom of an unfortunately very common reaction to system security. Unless businesses are actively encouraging bug hunting, almost unbelievably they will act with a lot of hostility to exposure of weaknesses in their systems and will often shoot the messenger with extreme prejudice, even if they receive the information privately.

There are countless examples of people getting burned rather than rewarded or even thanked for bringing to attention some sort of flaw. My advice is do not bother. There is almost no upside for you and likely very significant downsides.
Comment #8249728 not loaded
Comment #8249308 not loaded
Comment #8249479 not loaded
Comment #8249298 not loaded
Comment #8249270 not loaded
Comment #8249520 not loaded
Comment #8249123 not loaded
Comment #8249309 not loaded
Comment #8252299 not loaded
jnbiche, almost 11 years ago
Sam, if you're reading this, you need to find the newspapers' ombudsman. You'll probably get better results from him/her than the CEO, since their job is specifically to address these issues and in a decent organization will be given the autonomy to do so (no guarantees here!).

It's not clear to me that LSU is responsible for anything more than shitty security. It's possible that they told the newspaper lies, but it's also possible that they told them the truth and that the newspaper misreported. I think reporting them for a HIPAA retaliation may have been premature, unless you know more about this situation than you wrote on your site (as opposed to reporting a HIPAA violation, which this clearly is).

But best of luck going after the newspapers. I'm getting sick of these "journalists" making up lies about the central figures in their stories without bothering to even check with them first to get their side of the story.

EDIT: Aaand, apparently, neither publication has an ombudsman, which tells you a lot already. Not a big surprise with SCMagazine, which is some kind of trade magazine, but it's too bad that even a small-circulation newspaper like the News Star wouldn't have one.
Comment #8249264 not loaded
ck2, almost 11 years ago
This is a case of some idiot who is responsible for the server having to tell management something, so they say "oh this guy hacked it".

Management tells the lawyers and PR, which forwards it to the "news", who just go for the most sensationalist story possible.

Hope he wins any lawsuit and, more importantly, his reputation back somehow.

I'm not even sure what would have been the better course here other than to have CC'ed other people on the email.

ps. No way in heck I am going to click on them, but those filenames seem to appear in Google cache elsewhere.
Comment #8249054 not loaded
Comment #8249046 not loaded
Mithaldu, almost 11 years ago
The follow-up article ( http://www.scmagazine.com/professor-says-google-search-not-hacking-yielded-medical-info/article/368909/ ) has the most ironic line in it:

> At press time, Sam Bowne had not responded to a Thursday email and Friday phone call from SCMagazine.com for comment.
tptacek, almost 11 years ago
Falsely accusing someone of a crime often isn't just libel, it's *per se* libel, meaning that there's liability even if the aggrieved party can't prove damages. Running a newspaper article that turned out to be false without even attempting to contact you might clear the negligence hurdle here.
metaobject, almost 11 years ago
I like the fact that the article stated that no patient information had been accessed. How many times have you heard that line when news of a breach is made public? It makes me think that these folks would rather cover up a breach than actually take responsibility for it.
Comment #8249397 not loaded
Comment #8249474 not loaded
Comment #8249410 not loaded
Mandatum, almost 11 years ago
I can give some personal experience on this - I started bug/vuln reporting mid-last year. I've reported a bunch of web-application bugs that ranged from simple XSS and CSRF to RCE and directory traversal in a range of applications (enterprise software is rampant with holes).

I've only encountered two non-respondents. Everyone else has thanked and patched within a month, and I even gained employment from one encounter! Yet to get a reward, however I do this as a hobby, rather than for money.

Although one day I hope to do this professionally! There isn't much work in New Zealand for it though.

EDIT: To clarify, my process is: report to vendor with suggested patches, follow up 1 week later if no response, follow up two weeks after response to see if it's patched, ask permission to use my bug report publicly. In some cases there'll be a phone call from the respondent to ask about my background and see what my intentions are. Occasionally they schedule a coffee/meeting.
chris_wot, almost 11 years ago
The journalist's Twitter account is here: https://twitter.com/writingadam
Comment #8249676 not loaded
Comment #8249236 not loaded
rdxm, almost 11 years ago
One can only hope our friends at UHC are undergoing a proper procto-scoping by the regulators at this point.

As for the reporting side of this (note I did not use the word 'journalism'...), this is the quality level that has become the standard in the world of junk news. One must have the sensationalism in the title to get the click... that's it. The actual quality of the content is pretty much irrelevant.
lutusp, almost 11 years ago
If the linked recitation in any way corresponds to reality, and it seems to, the professor has a legitimate complaint, but he should have consulted an attorney before publishing his responses to the various parties involved. The reason I say this is because, even though he appears to be in the right and has a reason to be outraged, he could be sued for libel himself.

As one example, if he describes a named or identifiable person as a "liar" online, the subject could sue for defamation of character *if it turns out that they didn't know what they said was false* (which fails the definition of "lying"). That's a simple case where an extreme, emotional term places someone in a *false light*.

http://en.wikipedia.org/wiki/False_light

Remember, in this litigious society, no one is immune from legal actions, even those clearly wronged, as the facts seem to indicate in this case.
Soyuz, almost 11 years ago
I'm not sure why people inform organizations about vulnerabilities. All they will get from informing them is a shock when they slap you in the face and call the police for the alleged hack!

It is better to sell the vulnerability in the underground forums.
Comment #8249199 not loaded
Comment #8249444 not loaded
akerl_, almost 11 years ago
Reading through this, it seemed like a pretty clear-cut case where Bowne had done things right from start to finish. And then I got to this:

"Apparently, committing libel is a common thing for them, and they are comfortable completely ignoring the protests of their victims."

I understand that he's likely under tremendous stress as a result of the allegations that LSU has made, but I'm a bit concerned that in his expression of shock and outrage he has turned to making what appear to be potentially libelous statements of his own.

I hope that his goal of having the accusations withdrawn is not hindered by this momentary slip into hyperbole.
Comment #8249098 not loaded
teachingaway, almost 11 years ago
The follow-up article is a bit better. But I don't like the way the original title is presented as fact:

"Professor hacks University Health Conway in demonstration for class"

While the follow-up is titled as "*Professor says*...":

"Professor says Google search, not hacking, yielded medical info"

http://www.scmagazine.com/professor-says-google-search-not-hacking-yielded-medical-info/article/368909/
lnanek2, almost 11 years ago
> This is a very strange way to run a news blog.

He doesn't seem to realize all that matters to the blog is getting page views...
cientifico, almost 11 years ago
I think the first article is just a sponsored article by University Health Conway. By trying to convince public opinion that it was hacking, University Health Conway probably wants to avoid charges for negligence and for revealing and distributing personal data publicly...
plg, almost 11 years ago
I think the thing to be careful of here is the method(s) one uses to reveal a vulnerability.

Think of a brick-and-mortar analogy. You queue up at airport security, you go through, and you notice that their procedures are such that one COULD bring a banned item through and potentially not get spotted. You inform the appropriate authorities that you think there might be a weakness, and you say how and why.

This is probably not going to get you in trouble.

Another scenario: You go through security and make a mental note (as above) of a potential vulnerability. You (as above) report it to the appropriate authorities. Now some time in the future you are going through airport security and you wonder to yourself "I wonder if they fixed it". So you decide to test it out. You bring a banned item through. You get caught. You are in trouble but you say in response "but I was the guy who informed you of the vulnerability and I was just checking to see if it was fixed".

Good luck with that.

My feeling is that if you notice a potential (or actual) vulnerability as part of an everyday, normal use case of a website, or a web service, or network, then fine, you can report it, and you likely won't get into trouble.

On the other hand, if you additionally decide to test the system in such a way that could be misconstrued as an attack, then you will probably get into trouble.

Another analogy: you walk into Macy's and on your way in you notice that the security system they are using is outdated, and you know it is vulnerable --- (made-up silly example) you know that if you break in while holding a tuna sandwich, the alarm will not go off. So that night after the store is closed and locked, you break in, while holding a tuna sandwich, and you take a pair of $300 shoes. The next day you go to the store and you say "look guys, I was able to break into your store and steal these $300 shoes." You think they will thank you? Or will they call the police?
Comment #8249517 not loaded
cjschroed, almost 11 years ago
This is why I never ever "report" security vulnerabilities without first having a contract with the afflicted party. It sucks, but I am not willing to be burned as a witch just because I understand security.
mariuolo, almost 11 years ago
Next time send the newspaper an anonymous tip.

The guys with the open FTP server clearly don't give 2 fucks about your privacy, but in a sue-happy atmosphere they're trying to place the blame on someone else.
Comment #8249250 not loaded
gravypod, almost 11 years ago
I have always loved Sam's work at Defcon. It is sad to see the world "turn" on a good security researcher.
jigglepanda, almost 11 years ago
It's sad that institutions act this way. I also stumbled upon a rather nasty vulnerability in the website of a largish company. I left it as is, without notifying anyone, precisely because I didn't want any trouble.

If I found it by accident, I'm sure malicious actors can find it as well.
Comment #8249265 not loaded
rmc, almost 11 years ago
Why don't they lawyer up, and sue them for defamation/libel?
skywhopper, almost 11 years ago
Clearly the article was wrong, but the reporter could only go off of what the hospital told him or her, and that does not seem to have included the professor's contact information. Rather, I'm guessing the message that got out of the IT department was "we got hacked by a professor", which then likely mutated via the rumor mill into the details about a class demonstration.

If anything, I think this shows the hospital gave the professor a lot more benefit of the doubt than I would have expected.

The professor did himself no favors with his email:

> I am Sam Bowne, an instructor at City College San Francisco, and I found two security problems on your server with a Google search. Your FTP server has been compromised, and some files named "w0000000t" were added to it.

If I'm the IT administrator who receives this message, then after reading the first two sentences, I've already jumped to the conclusion that *this professor* is the individual who compromised my server! "Hi, I found security issues with your server, and now it's compromised!"

Sure, once you've read the intro by the professor, the meaning is clear, but think of yourself as a sysadmin getting this email, without the context of "I just found this, I had nothing to do with it" in your brain, and how are you going to react? Once the idea that the sender of this email is a hacker who broke into your server has entered your mind, it's going to be very hard to interpret it differently. Given that, the guy got treated pretty nicely by the story and the hospital in the end.
Comment #8249093 not loaded
Comment #8249237 not loaded
Comment #8249829 not loaded
Comment #8249460 not loaded
powertower, almost 11 years ago
"It is outrageous for a journalist to write such lies, accusing me of serious crimes, without even contacting me to find out what happened."

There is little to nothing that can be done about this. It's all about narratives, sensationalism, and agendas today.

Just take a look at the media stories about Ukraine, where everyone (in US media) just makes shit up and presents it as the truth. No one questions anything.

Or the Michael Brown shooting, where the media (CNN, MSNBC) pushed their narrative once more, completely ignoring all facts surrounding the event.

It goes on and on and on, with almost every major story being so biased, misleading, and twisted that it might as well be seen as a complete fabrication...

Here is another good example of security-related stories being "misleading": http://blog.erratasec.com/2014/02/that-nbc-story-100-fraudulent.html
Comment #8249184 not loaded