However, there has been a spate of individuals being turned upon for their positive disclosures. Rather than being applauded for their efforts to create a more secure environment for other Internet users, they are hounded and, as dental computer technician Justin Shafer found out, arrested at gunpoint.
A Step Too Far?
Shafer's crime was probing too far into a massive security hole he discovered in popular dentistry software, Dentrix. The software claimed to encrypt patient records. However, it was found to use an extremely weak form of encryption, and even that was not a default setting of the software. Despite the company advertising its software as a secure platform, it instead exposed the private information of thousands of patients, including social security numbers and payment information.
Even after Dentrix's maker, Henry Schein Dental, settled with the Federal Trade Commission, the FBI took umbrage at just how far Shafer had probed into the unsecured FTP (File Transfer Protocol) server. His access to the confidential files triggered an FBI response under the federal statute known as the Computer Fraud and Abuse Act (CFAA): around 15 agents arrived at Shafer’s home, some wielding automatic rifles.
Unsurprisingly, they were not interested in a cup of tea and a chat, instead carting Shafer off, along with 29 of his computers and other devices.
Arrested for Helping?
When the data was discovered, Shafer contacted DataBreaches.net for help in handling the unencrypted data and making a responsible disclosure. Yet it is he who has been arrested and vilified, even though the software company has still not closed the vulnerability. To rub salt into the wound, it emerged that the claims against him were filed by the very company he had tried to assist, which alleged he had accessed its unsecured FTP server “without authorisation”.
In 2013, talented computer programmer Aaron Swartz took his own life after what critics called “an unnecessarily harsh prosecution” strategy under the CFAA. The response to perceived violations of the CFAA vastly outweighs any benefit a security researcher could possibly receive from a positive or responsible disclosure, turning those individuals away from securing services for the general public in a dangerous game of cat-and-mouse.
Nearly three years after Swartz’s death, the CFAA has still not been reformed, giving companies disgruntled by their own lack of security the chance to prosecute those attempting to help.
Simply put, that just isn’t right.
Image courtesy of David Castillo Dominici / freedigitalphotos.net.