What happens when the FBI raids a security researcher? Security researchers stop helping companies fix flaws in their systems.
This chilling effect on security researchers was one consequential response over the past week to the news of a recent early-morning FBI raid on Texas dental computer technician Justin Shafer. The report also resulted in an outpouring of anger towards the Federal Bureau of Investigation and the company that has apparently sought to have him charged criminally.
As previously reported on the Daily Dot, Shafer has a history of identifying and reporting vulnerabilities in dental patient management software. Shafer’s research is done on his own time and on his own dime to help improve data security for dental patient data. Some of his past research formed the basis for the Federal Trade Commission’s enforcement action against dental software producer Henry Schein that resulted in a recent settlement.
In February of this year, Shafer began publicly criticizing Eaglesoft, software created by a company known as Patterson Dental, and also filed a vulnerability report with CERT, a division of Carnegie Mellon University’s Software Engineering Institute. The National Vulnerability Database issued an alert about Eaglesoft 17 in April, based on Shafer’s report to CERT in February. Whether his public criticism of Eaglesoft factored in to Patterson Dental’s alleged attempt to get him criminally prosecuted is unknown, as Patterson Dental has yet to respond to any of our inquiries made by email, website contact, and phone requesting an explanation or statement. In the course of his Internet searches, Shafer also often finds and responsibly discloses data leaks of patient information. In what appear to be “shoot the messenger” responses, some entities have tried to blame him for their breaches or data leaks or tried to stifle his reporting on what he has found. On a few occasions, Shafer has had to explain to law enforcement that he did not do anything other than try to alert an entity that they had a data leak or that he was simply notifying affected patients who may not have been notified of a breach.
It was this second type of activity—coming across exposed patient data and responsibly disclosing it—that is allegedly at the heart of the FBI raid on his home. In February, Shafer was using a public and anonymous File Transfer Protocol (FTP) server owned by Patterson Dental, which he had visited a number of times before. Clicking on a link to their FTP site from a Google search for information relevant to his research on Eaglesoft’s security took him directly to a listing of files Patterson Dental made available for downloading. There was no login screen or active login required, and Shafer was not testing the security of the FTP site or Eaglesoft software. Shafer started downloading some of the articles that might have had useful information.
When he later discovered that some of these files contained unsecured and unencrypted patient data, Shafer did what he’s done many times before: He attempted to alert the responsible parties, and he reported his findings to this author. Only after the data were secured did Shafer report the incident on his blog; DataBreaches.net also reported it. Neither report included any individual’s personal information.
Shafer made no attempt to hide his identity from Patterson Dental when he reported what he found.
Rather than thanking Shafer for his efforts to protect patient information, however, it would appear that Patterson Dental is attempting to have Shafer charged criminally under the Computer Fraud and Abuse Act (CFAA), a federal law first enacted in 1986 that is often criticized for its broad language, its use by aggressive prosecutors, and its heavy penalties. Applied too broadly, CFAA can be especially problematic for innovators and researchers.
“No good deed goes unpunished”
The Internet’s reaction to the Daily Dot’s report on the FBI raid was swift. Some commenters engaged in the generally futile task of trying to identify an accurate brick-and-mortar analogy for accessing a public anonymous FTP server with no restrictions only to be told you broke the law by “exceeding authorized access.” A few people criticized Shafer for not having first requested permission to access the files (despite the fact that they were publicly available for download without any login or further authorization required). Many just expressed anger at the FBI and Patterson Dental:
The moral of the story is that if you discover something like this, close your browser and tell no one.
Reporting a vulnerability or data breach has come to mean that “you’re some kind of criminal” and must be punished, regardless of the circumstances.
Do you want black hats? This is how you get black hats.
— wes1274, reddit, May 27
This is what happens when career politicians set technical laws, they are written very broadly, poorly and applied haphazardly. In order to have these laws written and interpreted intelligently, they need to be vetted by info tech researchers and security professionals.
— gimmebeer, Reddit, May 27
Securing customer data is hard. Attacking people who reveal that you haven’t is easy. Remember the corporate security pledge, “If you see something, say nothing.”
— johnwillo, Ars Technica, May 27
Outrageous! The guy goes about RESPONSIBLY alerting a company to a possible data vulnerability. He gives them the knowledge they need to better protect their customers and the public from evil-doers. In response: 1. The company reports him as if he’s a criminal threat 2. The FBI takes an obvious white-collar situation with zero threat of physical violence and escalates it to an armed raid of an innocent family’s home. How in the world does any of this make sense? WTF are the FBI thinking here? Honestly, I’d like to hear the planning session for this raid. Does no one bring an ounce of common sense to this? Each day that goes by I’m convinced much of America’s law enforcement community is populated largely with people of severely-below average intelligence.
— MHStrawn, Ars Technica, May 27
If a messenger gets killed in the forest and no one is around to hear his message, there’s no security vulnerability, right?
— CarlMud, BoingBoing, May 27
“exceeded authorized access when viewing the publicly available data” Wait, what?
— Zak, Ars Technica, May 27
UK: We need cyber skills
US: We need skilled people
Whitehat: found a FTP data leak
FBI: go directly to jail
Blackhat: ka-ching #hackerwars
— Hacker Fantastic (@hackerfantastic) May 27, 2016
Not only is patient data insecure, the government is doing its darnedest to keep it insecure. https://t.co/GS9J0GbvhV
— David Mann (@manndmd) May 28, 2016
Good thing the FBI never needs cooperation of security folks. https://t.co/8LFdFL77GP
— Jack Daniel (@jack_daniel) May 27, 2016
It’s entirely possible that the complaint against him was filed as an act of retribution for Justin’s exposure of Eaglesoft 17’s security flaws back in February.
— agamoto, Reddit, May 28
Where was the danger here? You had someone trying to help. He told the people he thought were in a position to act on his report, and had the professional and ethical responsibility to do so. He should be thanked, not arrested.I work in IT. I struggle constantly to bring attention and resources to the intractable problem of systems and network security; We’re laughably behind everywhere in our industry versus the bad guys and the very last thing we need is people afraid to speak up out of fear that they’ll get their door kicked in at 5am for reporting.
— A letter sent to the FBI; text copy emailed to Dissent Doe
Surely someone at the FBI is looking at this, and saying – damn, that was stupid. Lets just drop it. And go raid the original company for evidence of it being stupid and charging them in court for stupidity.
— Irreverent Monk, May 28
OpenDocument Format editor and security expert Patrick Durusau, responding to the Daily Dot’s report on Shafer’s situation, advised researchers to remain anonymous and not disclose breaches or vulnerabilities to the responsible entity:
“… without revealing your identity, notify plaintiff’s attorneys in the legal jurisdictions where patients live or where the potential defendants are located.
If that seems to lack the ‘bang’ of public shaming, consider that setting plaintiffs lawyers on them makes terriers hunting rats look quite tame. (not for the faint of heart)”
Some researchers have already taken this advice.
These responses were soon be accompanied by a note to your author from an anonymous security researcher, who said he or she is abandoning the work disclosing security vulnerabilities for fear of law-enforcement reprisal. Not only that, he or she dumped an entire cache of potential vulnerabilities in your author’s lap.
An email, sent from a throwaway email address, immediately made clear that I was about to have a major headache despite its cheery “Hi there” greeting. From the emails:
Today I read the article that was written concerning the security researcher who was hauled in by the FBI. I’ve been working on an extensive project over the last several months, which I have now ceased continuing. The majority of the reason is that this small project has uncovered very simple yet an absurdly high number of vulnerabilities with multiple companies and web sites. While I had begun reaching out to a few, I now have no desire to ever do so again…. If the FBI believes that an anonymous ftp site is somehow a protected site that has levels of authorization, we were realizing that taking several hundred critical vulns [vulnerabilities] to hundreds of companies, it would only take one to be pissed off that you told them.
I will leave you with this cache of vulns, and do with them what you will, I don’t really see a reason to risk everything to help a company that may or may not be hostile. I only ask that if you do disclose to the various companies or write about, that I stay anonymous. (My co-researcher also feels the same.) Feel free to say why I stopped our research and why I have no desire to be a part of disclosure now.
So I am now in possession of more than 100 findings with hundreds more on the way. A quick attempt to spot-check or verify the reports shows that some of the vulnerabilities appear to have been resolved, but some of the most serious ones are still issues. As my anonymous correspondent wrote when I questioned him or her as to how serious some of these vulnerabilities were:
The immediate significance is that given any of the urls in the top block… those are game over type bugs. Given the script we generated to test can run through the top 200 crit files and 250,000 websites in a day and a half is quite telling. But more importantly, there is no way that we are the only ones doing this simple test. It is obviously speculation, but I think it’s fairly safe to say most of the ones I send that have those type of critical exposure have already been breached by not so friendly folks. They might deny it or ignore it, and they most likely don’t even know it, but it’s hard to imagine that more than not are compromised to some degree. And the troubling thing is these are major companies with millions of users data that they are entrusted with.
Ok I’m a bit bitter. :-) Thank God for the FTC taking some kind of stand against this do nothing system of selling inherently insecure services and devices to a consumer that shouldn’t need to know about routing tables and fuzzing just to run a router or post photos online. So that’s why we decided today to send this info to you. If you can use it to bring attention to the true state of where things are, then the research wasn’t wasted…. It was either that, or dump in pastebin, grab some popcorn and watch the world burn for a few months.
My correspondent also stated that the research he or she did violated no laws of the U.S. or Canada. “At no time did we use the files that are exposed and public, nor did we attempt to access restricted information,” the correspondent said.
This is the immediate impact, at least for this researcher and perhaps many others who learned of the FBI’s raid on Shafer: People discovering exposed personal or sensitive information stop letting affected entities know or just dump it all on public paste sites where black hat hackers can get the information and exploit it.
And here I am, with at least 100 known potential security vulnerabilities just waiting for a hacker to find them, concerned about what might happen if I attempt to responsibly disclose them myself.
Dissent Doe is the pseudonym of a privacy advocate who reports on privacy issues and data security breaches PogoWasRight.org and DataBreaches.net Her research on breaches has fueled resources such as DataLossDB.org and InfoisBeautiful, and it has served as the basis for a number of Federal Trade Commission investigations.