Feds raid dental flaws dad

A dad-of-three says the FBI raided his family home at dawn this week – after he found and reported a password-less FTP server containing people's dental records. In February, Justin Shafer, a 36-year-old dental computer technician and security researcher, discovered and reported a hardcoded password in the Eaglesoft record …

  1. Anonymous Coward

    Wonder what other flaws are in there

    Sounds like an application ripe for further investigation. ;)

  2. Herby

    Unless you password protect...

    Everyone is authorized. By definition.

    Law enforcement please go away!

    1. Anonymous Coward

      Re: Unless you password protect...

      > Unless you password protect...
      >
      > Everyone is authorized. By definition.

      Not quite. Even if you don't lock your house it's still not OK for someone else to enter and have a look around (or worse, steal things), and that's where a bit more definition is required. Is opening said door (i.e. just proving that you can log in) already entering, or is that just discovery, and if you close the door it's OK?

      The moment you start gaining knowledge of the inside (access files, and possibly even get a directory) is where it is likely to become dodgy if you do so without permission, which is what was used here to sic law enforcement on the intrepid researcher to cover up the company's embarrassment of being in breach of HIPAA requirements.

      I think, however, that it will be hard to prove damages other than disclosing evidence of utter cluelessness, and AFAIK it's still not illegal to embarrass idiots. If the guy gets a good lawyer it could even become costly to the company, it depends what they have alleged he'd done.

      If someone shows you up for a clueless fool, it's IMHO not a really good idea to confirm that by starting frivolous lawsuits. You're better off graciously accepting the fact that you're there with your pants down and show that you're man enough to take it and actually do something about it - that would show some class and a way to show that you are able to learn from your mistakes.

      Personally, I'd have doubts about this supplier, because out of the two options to progress they not only chose the wrong one, they continued to aggressively pursue that path.

      As for HIPAA, I grabbed this bit from the advice site:

      General Rules

      The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

      Specifically, covered entities must:

      Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;

      Identify and protect against reasonably anticipated threats to the security or integrity of the information;

      Protect against reasonably anticipated, impermissible uses or disclosures; and

      Ensure compliance by their workforce.

      I'm no expert, but I'd say they have a serious problem.

      1. a_yank_lurker

        Re: Unless you password protect...

        The major problem with feral case is the guy reported the problems, apparently, appropriately (or at least tried to). The fact that both problems are caused by the incompetence and (criminal?) negligence of others makes this a dodgy case. More than likely the feral shyster is taking the easy way to protect criminal cronies by hanging the white hat out to dry.

      2. brainbone

        Re: Even if you don't lock your house it's still not OK

        However, since a search engine had indexed data on this open FTP server, this is more analogous to leaving your door open AND putting up an "Open House, please come in" sign.

        Please read the more complete account at:

        http://www.dailydot.com/politics/justin-shafer-fbi-raid/

      3. Anonymous Coward

        Re: Unless you password protect...

        Eaglesoft isn't a covered entity, they don't have to follow HIPAA unless the doctor has a business associate's agreement with them, and most don't.

        I'm kinda sick of seeing the "open door" analogy everywhere. That's not how it works. It's more like this... You're an FTP client enjoying a lazy Sunday browsing down the virtual street. You decide to go to a particular house that you heard about from someone. When you arrive there, you're greeted by a gate with a sign and a button that says "ring me to enter the word 'anonymous' and your email address to see some pictures of the goodies I have inside". You "ring" that doorbell, and suddenly, you receive a bunch of images sent to you by the home owner showing you exactly what they intended for you to see and nothing more. The screen at the gate changes and it lets you know that it's waiting for you to make a choice. You're not in the house, you're still at the gate. You never went inside. In one of the photos, you see a book lying on a coffee table that looks interesting and you shout out to the owner of the house a request to take a look at that book. The owner thinks for a second, then decides he'll make a copy of the book and toss it out to you over the gate so that you can have a closer look. The choice to do that lies ENTIRELY with the owner of that book. That's how it works. FTP clients can only ask for files, servers hand them out. Badly secured or badly managed servers hand out things they shouldn't. So why prosecute the guy at the gate?
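The USER/PASS exchange the comment describes, as an added example that is mine and not from the article or any commenter: a mock FTP control channel on the server side, and on the client side the audit check a server owner would run to flag a server that unintentionally grants anonymous access. The server name, file names and audit e-mail address are constructed; nothing touches the network, and the directory listing is flattened onto the control channel although a real server sends it over a separate data connection.

```python
from dataclasses import dataclass, field


@dataclass
class MockFtpServer:
    """Minimal FTP control-channel state machine (constructed for this example).
    Only USER, PASS, NLST and QUIT are modelled."""
    allow_anonymous: bool
    files: list = field(default_factory=lambda: ["patients_2016.csv", "xrays/"])
    _user: str = ""
    _authed: bool = False

    def greet(self) -> str:
        return "220 example.invalid FTP ready"  # constructed hostname

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self._user = arg
            return "331 Password required"  # the "gate" asks for the e-mail address
        if verb == "PASS":
            if self._user == "anonymous" and self.allow_anonymous:
                self._authed = True
                return "230 Anonymous access granted"
            return "530 Login incorrect"
        if verb == "NLST":
            if not self._authed:
                return "530 Please login with USER and PASS"
            # Real servers send the listing on a data connection; flattened here.
            return "226 " + " ".join(self.files)
        if verb == "QUIT":
            return "221 Goodbye"
        return "502 Command not implemented"


def audit_anonymous_access(server: MockFtpServer) -> dict:
    """Ring the bell with 'anonymous' plus an e-mail address and record what
    the server hands out. A 230 reply to PASS means the server, not the
    client, chose to open the gate; the listing shows what it exposes."""
    transcript = [server.greet()]
    logged_in = False
    exposed_files: list = []
    for cmd in ("USER anonymous", "PASS audit@example.invalid", "NLST"):
        reply = server.handle(cmd)
        transcript.append(f"{cmd} -> {reply}")
        if cmd.startswith("PASS") and reply.startswith("230"):
            logged_in = True
        if cmd == "NLST" and reply.startswith("226"):
            exposed_files = reply[4:].split()
        if reply.startswith("530"):
            break  # refused: stop, there is nothing further to record
    transcript.append("QUIT -> " + server.handle("QUIT"))
    return {"anonymous_login": logged_in, "exposed_files": exposed_files,
            "transcript": transcript}
```

A finding with `anonymous_login` true and a non-empty `exposed_files` is the condition a server owner should be alerting on; against a real host the same dialogue is what `ftplib.FTP.login()` performs with its default arguments.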

    2. Robert Carnegie

      There is a password, though.

      It's "default". Or it may as well be. But it -is- a password.

  3. Anonymous Coward

    Internet is public place. Computer with no password is for public entry. Sees sue ball about to be thrown at FBI.

    1. Anonymous Coward

      That old chestnut

      falls flat on its face at:

      As my street is a public place, if I leave my doors and windows unlocked and am burgled, is it MY fault?

      There's no mandatory requirement to secure them.

      Don't get me wrong, I'm not saying it's safe or "best practice", but the unwanted intruder is the criminal, not the house or its owner.

      1. Anonymous Coward

        Re: That old chestnut

        "if I leave my doors and windows unlocked and am burgled, is it MY fault?"

        Technically, no, it is the burglar's fault. In practice, you would get very limited sympathy, and possibly insurance problems. Also the burglar would be able to claim that it was a crime of impulse, rather than premeditated; and possibly plead that the crime would not have occurred at all had it not presented itself so invitingly. The burglar will almost certainly get a lighter sentence than one who had to break in.

        1. Anonymous Coward

          Re: That old chestnut

          "In practice, you would get very limited sympathy, and possibly insurance problems."

          It's been reported that some insurance companies won't pay out on burglaries committed while the occupants were on holiday if they posted about the holiday on FB. This is an extension of the idea that people should take reasonable steps to secure their property.

          1. Anonymous Coward

            Re: That old chestnut

            Talking of chestnuts, how come we're using burglary as the simile? The owner was not deprived of anything and nothing was vandalised (as far as I know), so trespassing would be more accurate in this case.

            So it's an equivalent of someone leaving their garden gate open, and someone else wandering in and photographing their gnomes, or something.

            1. David Dawson

              Re: That old chestnut

              > Talking of chestnuts, how come we're using burglary as the simile?

              Analogy.

              A simile is a figure of speech used to exaggerate a quality of something by comparing it to something else. You can usually link them to 'like' and 'as a' in a sentence.

              An analogy is comparison where you use something familiar to enable understanding of something more esoteric, as here.

              Both are a form of metaphor.

              </pedant>

              1. Anonymous Coward

                Re: That old chestnut

                Your rite.

                Consider yourself upvoted.

      2. Version 1.0

        Re: That old chestnut

        If it was an open FTP server then Google and other search providers will have been spidering it for years.

      3. Steve Davies 3

        Re: That old chestnut

        Common sense does not enter into US Law Enforcement/Prosecutors' minds when deciding to take on a case. You break the law and you go to jail for the max time possible. That is their No 1 position.

        I'd go as far as to say, that it is surgically removed when they sign up.

        It remains to be seen if the Feds go after the company OR that the company is sued into oblivion by a class action suit from the people whose records were left exposed.

    2. tom dial

      Lack of a password is not an invitation for access, any more than is a port left open due to accidental firewall misconception.

      That said, if the circumstances are as reported, Mr. Shafer should have a reasonable basis to sue based on unreasonableness of the search, and the federal agent who put his or her name on the affidavit seeking the search warrant* (and any supervisors who signed off on it) should be disciplined firmly, at least to the extent of losing a chunk of pay, as should whoever authorized a raid in the early morning. The issuing judge might have authorized speedy action to prevent destruction of evidence, but it is quite unlikely that the circumstances would warrant starting a surprise search before normal rising time or Shafer's reported (in Daily Dot) detention in handcuffs.

      Warrants may sometimes be obtained fraudulently or through error. Judges generally are not in a position to determine independently the truth of an affidavit and must rely on the honesty of the applicant and those who support the warrant application. None of them are likely to be pleased if a warrant is overturned after the fact because a search was determined later to have been objectively unreasonable and any evidence collected during the search is disallowed, along with other evidence to which it guided the way. That is not, of course, a very satisfactory solution for those who, like Shafer, are on the receiving end, but may be the best possible given that criminal justice is administered by imperfect people with incomplete knowledge and sometimes impure motives.

      And at the back of it all is the CFAA, which came out of the starting gate in need of major revision and has not improved with age.

      * This assumes there was a warrant; if there wasn't, the government's (and agents') difficulties would properly be quite a bit larger.

  4. hplasm

    FBI

    Federal Bureau of Intimidation.

    Bloody Stasi wannabes.

    1. a_yank_lurker

      Re: FBI

      It seems that ferals could teach the Stasi a few lessons.

    2. Anonymous Coward

      Re: FBI - Bloody Stasi wannabes.

      It's Facebook that is the Stasi wannabe, except that it is far more successful at it than the Stasi ever was.

      It's other internal security organisations that are FBI wannabes. J Edgar Hoover was the first director of its preceding organisation, the Bureau of Investigation, in 1924 - long before the Gestapo or its successor the Stasi.

    3. Anonymous Coward

      Re: FBI

      Blame the people who created the law, not the people who are told they have to enforce it.

  5. Richard Jones 1

    When is a Flaw Not a Flaw

    Was this an FBI mandated back door used for catching or unmasking deadly munchers?

    I feel that the unreliability of the software needs further exposure so that people know that Patterson Dental and Eaglesoft are running an open house for dental information. Are there any rules on data confidentiality in the USA that would allow a customer, or even a worried person with dental issues, to sue for worry and anxiety?

    That should hush the matter up rather nicely... or on second thoughts, oh well.

    1. Mike Lewis

      Re: When is a Flaw Not a Flaw

      > Are there any rules on data confidentiality in the USA that would allow a customer, or even a worried person with dental issues to sue for worry and anxiety?

      There's something called the HIPAA (Health Insurance Portability and Accountability Act) that appears to have been violated. The Privacy Rule covers "any part of an individual's medical record or payment history". The Security Rule states that "Information systems must be protected from intrusion. When information flows over open networks, some form of encryption must be utilised." (quotes are from Wikipedia)

  6. Anonymous Coward

    Sounds like Eaglesoft are about to have a bad time. Clearly they are not security experts. Whether invoking the Computer Fraud and Abuse Act was done through panicked ignorance or malevolence it's going to go wrong either way...if ignorance, it really does not bode well for their software (especially now it's hit the news) and if malevolence then they're trying it from an extremely unwise tactical position.

    I think if the Computer Fraud and Abuse Act is invoked then the FBI have to take the machines away to get an unbroken chain of evidence. They can still come out of this looking shiny if they process it quickly. Probably won't happen, I expect.

    And, of course, there could be more to the story than we're seeing. We're hearing it from the security researcher's side. Sounds plausible enough, but haven't heard the evidence from the opposing team yet.

  7. Christoph

    We know our software is secure

    It must be secure because nobody reports any problems. And if anybody does, we do a dawn raid and threaten them and their family with assault weapons. See? Nobody reports any problems.

    1. Andy Non

      Re: We know our software is secure

      Sounds like the only way to report problems without heavy handed repercussions is to do an anonymous dump of the exposed data on TOR. That tends to get people's attention.

  8. Ernie Mercer

    What's not clear in the article is who he reported this TO. If he reported it to Eaglesoft, that might be analogous to telling a homeowner that his house was unlocked.

    1. Anonymous Coward

      Found another article that has more detail:

      http://www.dailydot.com/politics/justin-shafer-fbi-raid/

      1. Ernie Mercer

        > Found another article that has more detail:

        Very helpful. Thanks!

  9. Destroy All Monsters

    Going after the guy who tells you you are an asshole feels like partying in the '90s ... but then!

    Then Dailydot cites Shafer:

    “Many IT guys in the dental industry know that the Patterson FTP site has been unsecured for many years. I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at Eaglesoft\Patterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous. I think around 2010.”

    "RING RING! " "Hello?" "Dear Patterson ... CLASS ACTION SUIT!"

    Under the California Act, any data subject whose covered confidential information or records data were negligently released may recover nominal damages of one thousand dollars ($1,000), whether or not the plaintiff suffered or was threatened with actual damages, in addition to any actual damages. If there was actual economic damage or personal injury resulting from the breach, punitive damages of $3,000 per individual are also available.

  10. William Higinbotham

    SSAN Only

    The FBI should only be interested if the server had Social Security numbers on it, otherwise it should have been passed on to the local enforcement office.

    1. tom dial

      Re: SSAN Only

      On the face of the CFAA text (18 USC 1030) the restriction to SSAN only does not seem correct. However, the act appears not to apply in the case of an anonymous FTP server, as such things effectively authorize anyone to search and retrieve data within the limits otherwise set by the server's security environment.

  11. Anonymous Coward

    I think the tooth will come out eventually.

    Keep it up US government and pretty soon no one will tell you or anyone about any issues, then you will be up shit creek without a paddle. Somehow, I think by doing these sorts of things they think they will scare people away from probing and analysing software and networks, good luck with that because there will always be someone in a land you can't get to (China, my logs are filled with this) being more than happy to have fun at your expense.

  12. Neoc

    So, let me get this straight: I notice my neighbour has left his front door wide open. I contact him on his mobile to let him know about the state of his door. Next thing I know, the police are arresting me for breaking and entering.

    Typical reaction from a company who realised they made a catastrophic PR failure and rushed in to smother the news. Unfortunately, that might have worked 10-15 years ago, but not in these days of social networking.
