Australian Shipbuilder Hacked, Refuses to Pay Ransom

 Posted by at 8:37 pm  Breach Incidents, Hack, Non-U.S.
Nov 022018
 

I thought I posted something on this already, but apparently I didn’t, so if you hadn’t heard already, an Australian shipbuilder who also has contracts with the U.S. Navy was hacked and the hacker made extortion demands that the firm has refused.

Jeremy Kirk reports:

Australia’s largest defense exporter says it hasn’t responded to an extortion attempt after ship design schematics were stolen by a hacker.

Austal, which is based in Henderson, Western Australia, is one of the country’s largest shipbuilders; it has built vessels for the U.S. Navy.

The company, which is listed on Australia’s ASX stock exchange, announced the breach late Thursday. The announcement came just a day after a security researcher in France posted screenshots on Twitter of the purported stolen data.

Austal says the material is neither sensitive nor classified and that it has taken steps to secure its data systems.

Read more on GovInfoSecurity.

Here is some of what appeared on Twitter a few days ago:

Is TheDarkOverlord Behind This?

Because of the nature of the crime – a hack and extortion attempt – some people have wondered whether this might be the work of TheDarkOverlord.  The question is understandable, particularly since I reported almost exactly one year ago had TDO had attacked  U.S. Navy defense contractors, including ATS, whose METBENCH software was used on warships. Now another firm that does defense work for the U.S. Navy was attacked? It’s understandable that people would wonder, except if you look at the listings posted on Twitter, those listings are not consistent with TDO’s sales listings, although the April, 2016 join date is intriguing. But selling such important material for 1 BTC?  Would TDO sell for so little? It’s unlikely, but it would be a good way to put pressure on Austal – offer the data so cheaply that lots of people might buy it.

When asked directly whether they were behind the attack and extortion, a TDO spokesperson declined to confirm or deny. But they were willing to make a statement about attacking defense contractors, telling DataBreaches.net in an e-mailed statement:

U.S. Defence contractors are easy pickings and they always house very juicy materials that competing nation-states are very interested in. At some times they can be a tough nut to crack, but given enough time, we always crack the nut. Naval contractors are among the most important contractors to breach as surface and sub-surface warfare vessels allow nation-states to extend their attack capabilities in a very mobile and speedy way.

Commentary: What Constitutes Negligence in Company Data Breaches?

 Posted by at 2:49 pm  Breach Incidents, Commentaries and Analyses, Hack, Health Data
Sep 182018
 

Amy L. Hanna Keeney of Adams and Reese writes about an opinion in a court case that stemmed from one of TheDarkOverlord’s hacks: their attack on Athens Orthopedic Clinic (AOC). I had covered that breach extensively, including commenting on the fact that AOC did not offer any free services to patients whose data had not only been stolen, but had either been publicly dumped on Pastebin and/or reportedly put up for sale on dark net markets.

As Keeney explains in her article, only one of three named plaintiffs in Collins, et al. v. Athens Orthopedic Clinic actually alleged that they had actually experienced fraudulent charges on any of their accounts, and the complaint didn’t actually claim that the fraud had a causal connection to the hack. Basically, the plaintiffs were alleging that they incurred the cost of identity theft protection, credit monitoring, and credit freezes.

Together, the plaintiffs filed a putative class action alleging (1) violation of the Georgia Uniform Deceptive Trade Practices Act by AOC; (2) breach of an implied contract with AOC; (3) unjust enrichment of AOC; and (4) negligence by AOC.

AOC responded to plaintiffs’ complaint by filing a motion to dismiss pursuant to both O.C.G.A. §§ 9-11-12(b)(1) and 12(b)(6).

Disappointingly to privacy advocates, the court held that just an increased risk of harm was not sufficient to grant the plaintiffs standing.

The court explained, “[w]hile credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us, because the plaintiffs seek only to recover for an increased risk of harm.”

The trial court’s dismissal of plaintiffs’ complaint was affirmed.

That conclusion seems straightforward, right? Not quite. There are two aspects of the Collins opinion that either diminish its usefulness or give you hope, depending on which side of this battle you favor.

Read more on Daily Report.

From my perspective, the decision is an unfortunate one that once again fails to appreciate the harm and costs patients and consumers incur from a breach.

MI: Holland Eye Surgery & Laser Center notifies 42,200 patients about 2016 hack

 Posted by at 9:32 am  Breach Incidents, Hack, Health Data, Of Note, U.S.
Jun 022018
 

After his victim allegedly didn’t respond to his repeated demands for a “security fee,”  a hacker accuses the victim of covering up a hack for almost two years. 

One of the breaches added to HHS’s public breach tool this past week is a breach reported by Holland Eye Surgery and Laser Center in Michigan. The incident is noted on HHS’s breach tool as a hack affecting 42,200 patients.  But according to the self-identified hacker, there’s more to this story than the covered entity has disclosed.

In early April, DataBreaches.net was contacted by a hacker who had contacted this site in the past about a hack of a dental practice. He is known to this site as “Lifelock,” and signs his communications as “Todd Davis,”  aka “Lifelock.” After his first contact with this site in the Yaley case, DataBreaches.net did find him on some dark web markets as Lifelock, selling identity information and “fullz.”

According to Lifelock’s statement to this site: in June, 2016, he hacked Holland Eye Surgery & Laser Center in Holland, Michigan. He then reportedly contacted them and demanded a “security fee” of $10,000.00 for helping them secure their patient data. As he related it to this site:

I invoiced them a fee of 10000 USD a fair payment for my time and to help them secure their data. They turned off access immediately to the RDP server so I know they received communications from me. Over the course of weeks I requested them to pay my invoice to secure their patient data. They never once acknowledged me. But I am very persistent and communicate with staff members, faxes and all means where i can verify delivery. These pricks want to cover up the incident.

When the doctors didn’t pay his “security fee,” he claims he followed through on a threat he had made:  he began selling small amounts of their patients’ data on the dark web – first on AlphaBay, and then later on, on TradeRoute. He claims that each time he did, he informed or taunted the doctors that he was selling their patients’ information.

According to his statements to this site, Lifelock sold more than 200 patients’ information, but still,

the practice did not inform Michigan or HHS authorities that the data had been breached. Their patients had no fair warning that the data had been breached. I setup banks for dirty money transfers in these peoples names, my buyers used them for identity protection for when arrested, and to make cell phone accounts to purchase 5 iphones at a time from Verizon, ATT et al.

I have contacted the practice at least 30 times over the past 2 years to do the right thing for their patients.

As part of the proof he provided to this site, Lifelock included two databases: one called patients.csv, with 202,163 records and one called person.csv, with 42,229 records.  The files are date-stamped June 26, 2016. Holland Eye’s report to HHS seems to correspond to the number of patients in the person.csv file, but it is not clear what happened to all the people who had data in the patients.csv file. That database has names, addresses, insurance information, and some other fields. DataBreaches.net sent an inquiry to Holland Eye’s external counsel asking for an explanation on that point, but did not receive an immediate response. This post will be updated if an explanation is received. UPDATE of June 4: Lawyers for Holland Eye responded to this site’s inquiry: “We investigated the patients.csv file you have a copy of and determined that there is not anyone in it who was not also in the person.csv file. The patients.csv file merely has more than one line item for many individual patients. In short, these people were included in the report to HHS.”  DataBreaches.net appreciates their clarification.

In any event, according to Lifelock, in March of this year, Lifelock contacted the doctors yet again, and also contacted the mayor of Holland, Michigan, Nancy De Boer. Shortly after those unsuccessful attempts, he contacted DataBreaches.net, claiming that his goal was now to get the patients notified and the doctors exposed and shamed for allegedly covering up the breach:

Please find a way to let the people of Holland know that they have been breached and that the people who swore a hippocratic oath to do no harm, have done them immense harm. Further that the people who are supposed to be in charge do not have their best interests in mind and would rather suckle the cocks of the rich Dutchmen rather than inform the common rabble of their plight.

The reference to “people in charge” appears to be a response to his attempt to get a response from Mayor De Boer. According to Lifelock, when he contacted her in March:

She did not respond until I opened multiple lines of credit in her name, utility accounts, EIN’s, etc… She did respond, and appeared to take the breach seriously, but her motive was to find my identity rather than help the people of her town. She used a silly technique of embedding a tracking image to try and find me.

On May 16, after confirming that the breach had never been reported to HHS or the state of Michigan, DataBreaches.net sent Holland Eye Surgery a detailed message about the hacker’s claims with a request for a response.

On May 18, two days later and almost 60 days after they claimed to have first learned of the breach, the practice issued a media notice in the Holland Sentinel.

In that notice, they claim that they first learned of the breach on March 19, 2018 when they were contacted by someone claiming to be a pentester who informed them that he had their patients’ data and had sold some of it.

External counsel for the doctors later confirmed to DataBreaches.net that the “pentester” signed his communication in March as “Todd Davis.”

Notice of May 18 in Holland Sentinel. Courtesy of Holland Sentinel.

According to their media notice, then, although the practice appears to acknowledge that they had been hacked in 2016 and that the hacker was in possession of their patient data, they claim that the hacker “concealed the extent of his or her access until the recent email communications in March 2018.”  That, of course, is disputed by Lifelock’s claims, but this site has no proof of his claims as to any contacts prior to March, 2018. When asked for proof of any early emails, Lifelock had replied:

Unfortunately my original communications to HE have been deleted when sigaint.org went down. I normally delete communications frequently as I am not wanting to have excess evidence should Europol\RCMP\ICR\Scotland Yard et al kick in my door one day. My normal intent is not journalism unfortunately. I will look to see if I can find old email addresses I used and see if there is any evidence. Some email addresses as you can imagine get eliminated for TOS abuses. Sadly Gmail doesn’t like its services to be used for extortion schemes.

Lifelock never provided any additional evidence after that communication. That said, the doctors’ version makes little sense to this blogger, while Lifelock’s version does make sense.

Why would a hacker hack them in June, 2016 and then wait almost two years to first contact them with a (“security fee”) demand? Lifelock’s claims that he hacked them, promptly tried to extort them for a “security fee,” and then upped the pressure on them (or tried to) by selling patient data and letting them know that he was doing that makes a lot more sense, and we’ve certainly seen that scenario before.  TheDarkOverlord (TDO) frequently used such methods – releasing small amounts of patient information or claiming to have sold it – to increase pressure on their victims.

So… is this site being gamed by Lifelock to seek revenge on a reluctant victim or to send a message to other victims to pay up or face public exposure? Perhaps, but if his claims are true, then the doctors covered up a breach for almost two years and knowingly left their patients at risk.  But are his claims true? This site has no evidence or confirmation of the crucial claim that Holland Eye first became aware that they had been breached in June, 2016. Perhaps that is something that OCR should investigate.

DataBreaches.net contacted the Holland Police with a freedom of information request for the police report and any associated records, but has received no response as yet.  This site also contacted Mayor Nancy De Boer’s office to request a statement, but did not get any response.

Holland Eye’s media notice makes clear that they have contacted patients whose Social Security number was involved and offered them credit monitoring services. They have provided all patients with advice on how to protect themselves and to check their statements for signs of information misuse. And as noted at the outset of this report, they have notified HHS.

This post will be updated if more information becomes available.

Did Columbia Falls Schools treat an extortion payment made to TheDarkOverlord as a dirty little secret?

 Posted by at 7:26 pm  Breach Incidents, Commentaries and Analyses, Education Sector, Hack, Of Note
Mar 092018
 

Update of March 12: After this story appeared on March 9, DataBreaches.net received a call from Superintendent Bradshaw, who had been out of town when my email had arrived. This story has been updated – and corrected occasionally – to incorporate his answers.

If students are at risk of significant emotional damage because highly sensitive information has been hacked and held for an extortion payment, should a school district pay or not? And if they do pay, should they admit that publicly? Last year, Columbia Falls Schools in Montana found themselves caught in the middle between hackers’ threats and pressure not to cave in to extortionists. 

When the hackers known as TheDarkOverlord (TDO) attacked a small school district in  Montana last September,  the story did not initially make national news. Most people had probably never even heard of School District Six or Columbia Falls Schools, a district that has two elementary schools, one junior high school, and one high school to cover 2,400 students in a large area of northern Flathead County, Montana.

But as more details emerged, it became clear that this attack was exponentially more frightening than any of the hackers’ previously known attacks. Without being anywhere near their target physically, TDO had managed to instill terror in a community by sending out personalized threat messages to parents and students as well as district administrators. Threats of violence were punctuated with phrases such as “blood splattering the hallways.”

[Note: DataBreaches.net refers to TDO in the plural because it appears that there is more than one individual involved as part of a collective.] 

As fear spread to other schools in the area, more and more schools decided to close while the threats were evaluated and investigated. Within a matter of days, more than 15,000 students in more than 30 public and private schools  and one community college were told their schools were closed.

TDO’s Twitter avatar.

Adding to the community’s fear,  the hackers – who seem to relish being referred to as “savages” – had let it be known that they had managed to gain access to the school’s security cameras and were able to watch what was going on.

It came as no surprise to read that even the Superintentent of Columbia Falls Schools had been terrified. Steve Bradshaw told the Flathead Beacon:

“In all honesty, it’s the first time in my career that I’ve ever moved a gun to my bedroom,” Bradshaw, the Columbia Falls school superintendent, said.

Although parents and school personnel did not know it at first, the risk of actual physical violence to the parents and students was slim to nonexistent. Not only is TDO not in the Montana area as far as anyone in law enforcement knows, there is nothing in their known history that would predict that they would actually commit violence with their own hands.

But there was still a significant risk of harm that could not be ignored. If the district did not pay TDO’s extortion demand, would TDO release or dump highly sensitive data that they claimed that they had acquired from counseling and school health records? Could they name and shame or expose a vulnerable student in such a way that it might lead a vulnerable student to commit violence or suicide?

Based on my past interviews with these hackers, I could not rule out that possibility. It was a possibility that kept me up nights, worrying.

Thankfully, there was no tragedy in Columbia Falls last year. I was relieved, but I also wondered why TDO hadn’t dumped data or taken any other harsh measures. Had they had a change of heart (unlikely but not impossible)? Had the district paid their extortion demand?  Or was there some other explanation for their lack of punitive response?

I could find no news reports indicating that the district had made any extortion payment. To the contrary,  a report by NBC in November quoted Superintendent Bradshaw as saying that Columbia Falls had decided not to pay the extortion. One week earlier, Bradshaw had also told another news outlet that the district had declined to pay the ransom.

What Bradshaw didn’t tell either news outlet – because he did not know, it now appears – was that weeks earlier, a partial payment had been made to the hackers through an intermediary.  The payment was certainly not as much as the hackers had demanded, but DataBreaches.net can now reveal that there was a payment and some details about it.

A “Test” Payment

By agreement with TDO, DataBreaches.net will not be revealing the bitcoin address used for payment, but TDO gave this site the address and then signed a message from it that this site was able to verify.

Of course, the address by itself does not prove who made a payment to it or for what purpose, but TDO also provided this site with digitally signed emails (DKIM) with headers and paths. The email chain revealed that Superintendent Bradshaw and someone claiming to be from the Flathead County Sheriff’s Office had been in email communication and negotiations with TDO.

On September 21, for example, Superintendent Bradshaw had emailed TDO:

We request that the Flathead County Sheriff’s Office continue to negotiate on our behalf as our agent. The email address for all communications is [redacted by DataBreaches.net]. Option 3 seems the best. We are a small community with limited resource we need to discuss amounts.

The “Option 3,” reference was to the third option outlined in TDO’s ransom letter to the District.  Instead of paying $150,000 in BTC over the course of a year, the District could get a discounted rate of $75,000 if they paid it all in BTC by  2017-10-20 23:59 UTC.

Some of the emails I was provided were signed by “FCSO” (for the Flathead County Sheriff’s Office). Whoever was writing emails signed by FCSO never signed their emails as anything other than “FCSO,” and DataBreaches.net does not know the identity of the participant from the sheriff’s office. Indeed,  this site has no real proof that the person signing emails as FCSO was actually employed by FCSO. For all this site knows, it could have been a federal agent.

In any event, “FCSO” subsequently introduced a fourth party to the email communications and negotiations. On October 10, “FCSO” emailed TDO:

You will be contacted shortly by email from an individual who will be making this initial payment on our behalf. The email will come from the email address [redacted by DataBreaches.net] and you can consider that they are acting on our behalf. This initial payment will be a smaller amount of $5,000 and is designed to test whether we can send payments to you reliably.

Shortly thereafter, the intermediary established themselves with TDO and then made a payment to that bitcoin address. The BTC payment was slightly more than 1 BTC – an amount that was the then-equivalent of USD $5,000.00.

In a conversation with DataBreaches.net on March 12, Superintendent Bradshaw stated that not only was he not aware that any payment had been made to the wallet, but he had – and still has – no idea who paid the hackers, who the intermediary was, or what the source of the funds was. All he knows, he tells me, is that the district did not pay and its insurer did not pay.

Under Pressure

But if TDO anticipated that there would be more to come, they were wrong, because although the October 10th payment went smoothly and TDO confirmed receiving it, the district subsequently appeared to renege on any agreement and declined to pay.  In actuality, the district may not have been reneging if they didn’t even know any payment had been made, and the Superintendent claims he was pretty much kept in the dark about how others were responding to the hackers.

DataBreaches.net was not given all of the intervening emails, but an email dated October 23 from “FCSO” to TDO began:

FCSO and SD6 continued to work thoughout the weekend in a good faith effort to me [sic] the demands. We have been unable to overcome mounting pressure from outside sources around the country to discontinue further payments as well as communications. With that said, FCSO will discontinue the monitoring of this account. We recognize the $5,000 we worked diligently to provide you is lower that [sic] your demand.

The monitored account that FCSO referred to was a Gmail account that they had created for this matter.

But who were those outside sources around the country exerting “mounting pressure” on them not to pay and not to communicate? Were they other school districts or school board associations who didn’t want CFSD to encourage TDO to attack districts by rewarding them with ransom payments? Was it insurance companies? How about government agencies?

Based on my conversation with the Superintendent on March 12, it appears that any pressure the Superintendent was feeling was from his own community. The district had held meetings with parents to keep them apprised of the situation and according to Superintendent Bradshaw, the parents were militant about the district not paying ransom.  As one parent expressed it at  a meeting, “It will be a cold day in Hell before you spend my tax dollars paying these assholes off.”

Questions, But No Answers

As of this updated story, we still do not know for sure who made the payment or the source of the funds to pay the hackers, but Superintendent Bradshaw firmly denied that it was the district or the district’s insurer.

Sheriff Chuck Curry of the FCSO never responded to a voicemail requesting he contact this site to discuss the extortion payment and case, so we could not clarify whether it was really someone from the FCSO emailing TDO, and we do not know whether the county was the source of the $5,000.00 payment.

But should the payment to the hackers have been revealed?

We need to have a serious discussion about what to do in these miserable situations – pay or not pay, but we also need transparency so we can understand how decisions that have been made in the past potentially affected outcomes.

There are those who may raise the issue of whether this site is being gamed by TDO for its own purposes.  Of course it is. It is not to TDO’s advantage to have people think that victims can just not pay anything and escape unscathed. I can see why TDO would want to use the media  to let the public know that they had received a payment, lest other future victims decide not to pay anything, erroneously thinking that CFSD hadn’t paid anything and nothing bad happened.

But there is also a real story and real issues here that we should address. The U.S. Education Department and FBI have sent out alerts to schools about the need to secure data against attacks, but I harbor little hope that most entities will promptly and effectively secure their data or purge what may be no longer needed.

So assuming that districts still fail to adequately secure personal information, what should districts do the next time someone comes along and hacks extremely sensitive counseling records or health records? Should they pay or not pay? And if they pay, should they disclose that? And if they can’t afford to pay, should the FBI or federal agencies make payments to TDO to protect children from having sensitive files revealed?

These are not easy questions to answer.

On a positive note, however, I am happy to update this story with Superintendent Bradshaw’s  comments that the students in the district coped really well with everything that happened to them and they feel safe again in their schools. The parents and school personnel seem to have done a great job of helping the kids feel safe, and the kids are now focused on other issues. As one student put it in talking about the loss of a fellow student to cancer, if they are able to overcome that loss, they can overcome anything, and they live in  a great community.  It sure sounds like it.

Court dates set in Justin Shafer case

 Posted by at 12:09 pm  Commentaries and Analyses, Hack, Health Data, Of Note, U.S.
Nov 182017
 

On Friday, December 1, lawyers for an infosec researcher who has been in jail since April will  argue that U.S. District Judge David C. Godbey should release Justin Shafer from jail while he awaits trial.

Justin Shafer

For those who are not familiar with the case, Shafer, a dental integrator technician and independent infosecurity researcher, faces federal charges of  cyberstalking an FBI agent and the agent’s family. And those are the only charges he currently faces, although you might have been misled by others’ headlines into believing that he is an alleged hacker or an alleged co-conspirator of the blackhats known as TheDarkOverlord.  Shafer has not been charged with any hacking-related activity at all.

In fact, the case against Shafer initially had nothing to do with blackhat hackers at all and everything to do with the fact that Shafer was uncovering and disclosing leaking databases and the entities who he was reporting upon did not always take kindly to being embarrassed publicly for their poor data security. Shafer would also file complaints with HHS/OCR and the FTC over sloppy or failed data security.  And it was one of those entities who apparently tried to accuse Shafer of hacking them after he found patient data on a public FTP server that did not require any login.

Once the FBI started investigating Shafer as if he was some blackhat criminal for finding and disclosing leaky databases, Shafer’s relationship with one Dallas FBI agent started to deteriorate. And it was only against the backdrop of that already somewhat adversarial relationship that when one month later, Shafer started investigating TheDarkOverlord and trying to help the FBI, that the FBI started treating him as a possible co-conspirator instead of as an asset.

To be clear: while Shafer repeatedly and demonstrably attempted to help the FBI catch TheDarkOverlord, Shafer did make negative public comments to and about a Dallas FBI agent, Nathan Hopp, whom Shafer felt harassed by over a period of years. Those comments were made on Shafer’s blog and on his Twitter account.  But was there really anything criminal about those comments or are they protected speech under the First Amendment?

And who wouldn’t be angry if you’d been raided three times by the FBI and you had never done anything illegal? Maybe it was imprudent to shoot off his mouth at an FBI agent or his family, but Shafer and his family have been through a lot of harassment from their perspective. I recently reported what Shafer’s wife told me about how all these raids have affected their children, but here’s a snippet of Shafer’s description of one of the raids, and his concern for his child’s safety because of it.  On February 2, he wrote about the second (January) raid:

… I heard some boots making noise outside the house. I went outside, and there was a guy with an AK-47 pointing it at me, freaking out because my hands are not up.

That is when I saw 5 or 6 guys buy my garage, and I think everyone had an AK-47 it seemed. These dudes were TWICE the size of the guys who raided me the first time. They told me they were not part of the first people who raided me, because I asked if Nathan Hawk was around. =)

[Note: at the time of this raid, Shafer still mistakenly thought Agent Hopp’s name was “Hawk”].

I remember what [a lawyer] said, and decided I would take his friendly advice. He told me if he was raided, he would decline all interviews and just leave. You don’t need to be present during a raid, really.

The FBI Agent who had a gun on me, told me we could go inside after they “cleared” the house (make sure nobody else is inside). I told him I “respectfully decline the interview”.. I then told him I wanted to leave, and they said okay but didn’t let me leave. Then he told me again, they would let me leave after I talked, and reminded him that I “respectfully decline this interview”. So they put me into a NRH cop car, and then told me they were taking me to jail

[…]

I was upset when my 3  year old daughter handed me a CR-2032 battery. Any kid who eats one of those, dies. Horrific. I am very careful to keep shit off the floor. If she had of eaten it, I would be losing my mind…..

Might you be upset with the FBI under similar circumstances?

But wait, you say – didn’t the FBI find actual evidence during that January raid that Shafer was conspiring with the blackhat hackers known as TheDarkOverlord? Didn’t you see something about a stolen database and a chat log?

No, the FBI did not find evidence of any conspiracy nor any criminal activity on Shafer’s part.

What they found was that TheDarkOverlord gave Shafer information in 2016 which Shafer had then promptly passed along to the Dallas FBI via e-mail and phone to help them. What they found in January, 2017 was what Shafer had already given them and other law enforcement agencies in 2016 to help them catch TheDarkOverlord.

And if you haven’t seen the evidence I posted showing that Shafer was trying to help the FBI  – see this post for screenshots.

So Shafer was charged on charges of cyberstalking that were padded by references to claims that he was being investigated as a co-conspirator of TheDarkOverlord when the factual history shows that Shafer was passing along information on TheDarkOverlord to law enforcement in both this country and the U.K.

When Shafer was arrested, he was released with pre-trial conditions. Those conditions included what many First Amendment experts might consider prior restraint of speech.  Shafer has every right to complain about an FBI agent whom he feels is harassing him or his family. He has every right to complain loudly and publicly about an agency repeatedly raiding him even though there is no evidence of wrongdoing on his part.

Criticizing an FBI agent publicly doesn’t seem exactly prudent, but that doesn’t make it  criminal speech or conduct. So why has it cost Shafer his freedom for all these months?

On December 1, Tor Ekeland, Shafer’s attorney, will argue that Shafer should be released from jail while he awaits trial on the cyberstalking charges.  That trial date has now been set to begin January 22, 2018.

I remember the days when EFF and the ACLU would be all over a case like this, forcefully speaking up for and defending someone in Shafer’s position. While EFF did make a few comments to a Dallas reporter about this case, the ACLU of Texas and the national ACLU have remained silent. Why?

Shafer’s speech may have been imprudent, but unpopular speech is exactly what most needs protection and vigorous defense.  If using Google to look up someone’s address or saying “hi” to someone’s wife on Facebook can be construed as evidence of “cyberstalking,” we are all in trouble.

This is one of those cases that has the potential to make bad law on free speech. If you care about the First Amendment and pushing back against government attempts to erode your right to protected speech, maybe you should get to the Dallas federal courthouse on December 1 at 10:00 am and show your support for Shafer and the issue of free speech.

And if you’re an infosec researcher who has ever been falsely accused of hacking or wrongdoing because you tried to do the right thing to improve data security, then perhaps you should speak up and support Shafer, because if they can chill his speech by jailing him for so long, what can they do to your speech and ability to disclose vulnerabilities and leaks you find?

 

 

 

 Older Entries