Security researcher discovers glaring problem with patient data system, FBI stages armed dawn raid


#1

[Read the post]


#2

If a messenger gets killed in the forest and no one is around to hear his message, there’s no security vulnerability, right?


#3

Exceeding authorized access now means you get an FBI raid? WTF happened to fucking interviewing you in your office? Is this guy a flight risk?


#4

Seriously… Even if the raid is acceptable (which it most certainly is not), is a full-blown military style raid truly required under these circumstances? This militarized police shit has got to stop.


#5

I don’t know, those hacker types might try to infect the SWAT team with a cyberpathogen. Are you saying the police should be defenseless when they go to intimidate and terrorize likely computer deviants?!?


#6

Uhm, Texas, dude. Even the parking enforcement officers are heavily armed.


#7

The cops are the enforcement arm of Big Business. Cross them at your peril. BB would much rather pay a slap-o-the-wrist fine for leaking a million records than be made to look a fool by someone who isn’t part of the system pointing to their failings.


#8

At what point in the chain of command do we find the guy that decides it makes sense to act like hacking is a violent crime?


#9

Cut the FBI’s budget. They obviously don’t need the money.


#10

It would curb wasting government funds. Fiscal conservatives like that sort of stuff, right?


#11

I would think this qualifies as an unreasonable search and seizure. Having a warrant does not give you the right to terrorize innocent citizens. It only gives you the right to execute the warrant.


#12

So sick of hearing about this shit. But please keep posting/reposting, unlikely to hear it from mainstream news in any significant way.


#13

I used to conduct and publish security research similar to Justin Shafer’s actions. I have since given up on full disclosure or even “responsible disclosure”, and try to avoid dealing with HIPAA data at all.

I still research vulnerabilities in services and protocols, but usually only using a local copy of the software with just non-sensitive test data loaded, disconnected from the Internet and from the client’s production network.

Not to blame the victim, but Mr. Shafer’s first mistake was in looking too closely at a server and service outside of the systems owned by his client (for which he hopefully had a contract authorizing him to look for vulnerabilities).

His second and biggest mistake was telling anybody what he found.


#14

Wow!! So much for them caring about the patients.


#15

It’s not a waste if it’s against poor people, smart people or non-white people.

But how will they protect the children from the evil transpeople in the bathrooms?!?!


#16

Does that mean that all of those “pub” FTP directories I have browsed over the years were similarly each my mistake? It seems funny to consider that the admins would claim that anonymous FTP = “hacking” and take it out on the user.


#17

I would surmise that it’s not too many steps from one of the largest software companies in the world deciding that APIs are copyrightable as well. :cry:


#18

Not even a remote hint via some Tor drop-point or somesuch?


#19

It’s too much like whistle blowing, so it makes the government uncomfortable.

  • The real issue is boat-rocking.

Whistle blowers, security researchers, activists - anybody threatening the status quo


#20

[quote=“popobawa4u, post:16, topic:78750, full:true”]

Does that mean that all of those “pub” FTP directories I have browsed over the years were similarly each my mistake?[/quote]
A closer analogy would be a directory named “private” on an otherwise open-access anonymous FTP server.

For more background, see Justin Shafer’s relevant blog post discussing the data that was disclosed in the DataBreaches announcement.

Oddly, the FTP was originally sort of password protected?

“Many IT guys in the dental industry know that the Patterson FTP site has been unsecured for many years. I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at Eaglesoft\Patterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous. I think around 2010.”
If he had downloaded the files prior to it going to fully anonymous open access, then Eaglesoft would almost have a point to the “exceeded authorized access” claim.