FBI brings guns to the house of a security researcher with three kids, all because of a publicly available FTP server

May 29, 2016 11:50 GMT

Over a dozen FBI agents raided the house of Justin Shafer, 36, of Texas, a dental computer technician and software security researcher, who had previously reported security issues in the software and server infrastructure of a US-based healthcare services provider, The Daily Dot reports.

Prior to having his house searched and 29 items seized, Shafer had reported to Patterson Dental that their Eaglesoft dental practice management software was storing private patient records in a publicly available FTP server.

Shafer discovered this while he was investigating the company's Eaglesoft software. The researcher eventually found that Eaglesoft was using a hard-coded database password shared across all installations.

Shafer's good deed doesn't go unpunished

Shafer worked with DataBreaches.net and Patterson Dental to secure the FTP server and made his findings public in mid-February. The FTP server exposed the medical records of 22,000 patients, and Shafer claims it had been doing so since as early as 2006.

At the end of March, US-CERT also published an alert on Patterson Dental's Eaglesoft software issues, related to its hard-coded database credentials.

As it now appears, instead of thanking the researcher for his responsible disclosure of a sensitive data leak, Patterson Dental filed a complaint with law enforcement claiming it had been hacked.

FBI agents told Shafer during the house search that Patterson Dental had claimed that he "exceeded authorized access" when researching the issue of the publicly available FTP server.

The US has problems interpreting its "hacking" laws

This entire incident is another case brought under the US Computer Fraud and Abuse Act (CFAA), a piece of badly written legislation that allows authorities to prosecute security researchers as if they were criminals.

Put simply, this law would allow police to charge people as thieves after they find wallets on the street and return them to their owners.

Horrendous misinterpretations of the CFAA have led to the prosecution, and in some cases the conviction, of many security researchers. The most famous case is that of Aaron Swartz, who, after being badgered and harassed with overblown accusations, took his own life in 2013.

This is not Shafer's first run-in with the healthcare industry. Previously, the researcher found that Henry Schein was falsely claiming that its Dentrix G5 software used encryption. Shafer's findings led to another US-CERT alert and a fine from the FTC.

We'll be featuring a special story on the recently proposed CFAA reforms later on today.