CFAA overreach: FBI raids home of security researcher

From the stop-me-if-you’ve-heard-this-one-before dept:

Over on Daily Dot this morning, I reported that the FBI executed a search warrant at the home of researcher Justin Shafer. Shafer’s name will be familiar to regular readers of DataBreaches.net because he exposed a long-standing security vulnerability in Dentrix software and challenged Henry Schein’s claims that their product provided “encryption.” Our combined efforts resulted in the recent consent order announced by the FTC.

The raid Tuesday is concerning, as there are significant similarities to Andrew “weev” Auernheimer’s federal hacking case, where the government charged – and a jury convicted – Auernheimer for scraping/slurping users’ iPad data from a publicly available AT&T server. Auernheimer’s conviction was overturned by the Third Circuit after a successful appeal, but the appeals court never got to the critical issue of whether accessing a publicly available server is a violation under the Computer Fraud and Abuse Act (CFAA).

So here we go again on the risk researchers face of criminal prosecution as felons for accessing and reporting on what they find on publicly available servers. Can the government not realize that these researchers are providing a valuable service and we want to encourage responsible disclosure? How many hundreds of millions of people whose personal information was exposed would still be at risk if researchers like Chris Vickery and Justin Shafer didn’t research and didn’t disclose responsibly?

According to Shafer, the FBI agent reportedly told him the search and seizure were because Patterson Dental claimed he “exceeded authorized access” to their FTP server in an incident reported on DataBreaches.net in February.

But – and as Shafer said he pointed out to the FBI agent – this was an anonymous FTP server with no login (user/pass) required. According to Shafer, the FBI agent responded, “But you shared it with <this site>.” To which this blogger would respond, “So what if he did? There’s nothing wrong with going to the media to disclose a breach, and no individuals were put at risk of harm if a sample of data were provided for verification, notification, and reporting purposes.”

Shafer did nothing wrong in investigating what he found on the server or in contacting DataBreaches.net to help disclose it and report on it. Do the FBI and the software manufacturer wish to chill a free press, too, or is it just researchers?

If Shafer did nothing wrong, how did a prosecutor convince a magistrate judge to issue a search warrant based on probable cause when there was no code bypassed, no login required, no evidence that any data downloaded had been used in furtherance of a crime, and no personal data disclosed publicly in Shafer’s reporting on the incident or this site’s reporting on it? Unfortunately, the probable cause affidavit is under seal, but this blogger wonders if the magistrate judge really understood the nature of an anonymous FTP server.

For more details on the raid, read my article on Daily Dot. For other vulnerabilities and breaches Shafer has shared with this site, search here and see his blog.

Instead of pointing fingers at Shafer, if any fingers are to be pointed, they should probably be pointed at Patterson Dental.

The bottom line is that I don’t know why Patterson Dental would have filed a criminal complaint against him, if they did. Maybe they are trying to portray themselves as victims of a “hack” when the real victims are their clients and the clients’ patients. Maybe they are trying to chill researchers’ and journalists’ reporting of security lapses. I really don’t know, but as a matter of public policy, the government should not be declaring war on security researchers who do no harm to data or data subjects and who disclose responsibly.

Worryingly, the raid on Shafer may well be just the prelude to another overzealous government prosecution under CFAA, and that should concern us all.

About the author: Dissent

12 comments to “CFAA overreach: FBI raids home of security researcher”

  1. Anonymous - May 27, 2016

    I hope he can sue them and the FBI.

  2. Jordana Ari - May 27, 2016

    How come you never became an attorney? You made a compelling case in support of the man who was seized, AKA Justin Shafer.

    Since I don’t trust the government, I am sure the FBI searched his home because the government didn’t want this to get out. I can think of plenty of situations where the government did this.

  3. Bob - May 28, 2016

    I love that the search warrant instructs the FBI to seize Bernoulli drives …

    You asked if the judge understood it was an anonymous FTP server open to anyone. With a warrant referencing 30 year-old hardware, I think you have your answer.

  4. Anonymous - May 30, 2016

    Any update on this from either side?

    Is corporate harassment in the game play? I mean, answering a door with a gun in your face because someone accessed your public FTP is quite the shady and shoddy excuse for the FBI to potentially blow your head off your shoulders and put a hole in your kid.

    What type of time does a kid get for the crime of “swatting”? Will a corporation get the same? This is no different. The guy basically got both vanned and swatted in order to prevent public participation of his findings.

    So we have a combo vanned-swatted corporate hit and a type of combo corporate-state SLAPP at play here with the FBI knowing full well what they were doing upon request of a corporation.

    Surely there’s an update to this.

    Surely there is some corporate and state hate directed at yourself, no? Seems public knowledge and public participation in regards to a public FTP server open to the public gets the above treatment. You and Chris are obviously on this corporate-state sponsored hit list. Yes, hit list. It comes across this way for sure. The messenger has to be stopped at all costs it appears, and the state is very willing to ensure it, and enforce this with firearms at a corp’s bidding.

    • Dissent - May 30, 2016

      “You and Chris:” you mean Chris and Shafer or did you really mean Chris and me (Dissent)?

      No update on the main issue yet, but I’ll have some follow-up on Daily Dot this week, with more planned as things develop.

      • Anonymous - May 30, 2016

        oh, yes, meant you (Dissent) and Chris.

        • Dissent - May 30, 2016

          I’m sure there are some companies that would prefer I drop off the face of the earth. Then again, there are probably some federal regulators who feel that way, too. But to the extent that any charges against Shafer are motivated by him going to the media to publicly disclose a breach, well, screw them x 2.

          The problem under our laws is that he cannot sue them for this. Filing a victim report to law enforcement is privileged, as I understand it.

  5. IA Eng - May 31, 2016

    Look, just because a door is unlocked doesn’t mean you’re approved to access the interior. If it is a well established business and it has a sign that says “welcome” or come on in, then it’s a different situation. A search warrant means nothing. You sit down with the FBI agents that are in the raid and tell them to write all of the information you give them. Make sure what they write down is correct, not paraphrased.

    If you appear you have nothing to hide – you probably don’t.

    Letting the world know about something is wrong. There are other avenues to this. They think like, OK, I have given them enough time to correct the problem, under MY rules, so if they do not do anything about it, I’ll tell the world and let everyone know including the hackers.

    Why not simply walk into a police station. File a report. Then, contact ICE or the FBI or any other agency out there if the people responsible aren’t responsive. Putting all of this “fix it or else” attitude is a mild form of aggression. Trying to keep any breach FROM happening is the best way out. It’s BS to think they want to do this WHILE the system is vulnerable. Toot your horn AFTER the issue is resolved. It shows you care about privacy, rather than hits and reputation.

    • Jordana Ari - May 31, 2016

      As much as I see your point of view, isn’t that the reason why Shafer executed and acted in such a way? If one doesn’t think the authorities are doing their job effectively, or thinks they are ignoring it, then that is when some may act in civil disobedience.

      • Dissent - May 31, 2016

        There was no act of civil disobedience if he believed what he was doing was perfectly lawful. And legal experts I’ve spoken to agree with him on that.

        • Jordana Ari - May 31, 2016

          I do not think he did anything wrong either to make a point. I was going by the comment above mine in regards to the dissenting opinion. Depending on other experts or justices, in cases, you never know how cases will be resolved. I can think of plenty of ridiculous examples.

    • Dissent - May 31, 2016

      It’s a public server that permits anyone who visits it to download anything on it. No active login required, and no banner or anything restrictive. And no way to know what was in some of those files until after you download them and open them. That could have happened to any of us.

      He didn’t let the world know about the exposed data until after it was fixed. He has every right to go to the media to report the incident.

      As to the hard-coded database issue, which is another matter, he has been contacting them and urging them to address it since 2014. This is like Henry Schein all over again in that respect. So he filed a report with CERT, which is public, and he has every right to discuss it – particularly, I think, since Patterson didn’t even respond to CERT’s notification in March. If they were serious and had responded with a plan/timeline, he likely would have waited – as he did with Schein when CERT told him that Schein had given them a date by which it would be addressed.

      Did he put pressure on them to address the VU by going public with it? Probably. But is that really a bad thing if he’s been trying to get it addressed for 2+ years?

      I’ll have a follow-up on this matter. We may agree when you know more of the fact pattern here. Then again, we may have to agree to disagree on this one. At the very least, I do not see where he did anything illegal, and any disagreement between us may be over ethics.
