Tuesday, 14 June 2016

Dangers of Positive Disclosure

At the end of last year, we took a quick look at hacking bounties. These are bounties collected by so-called “white-hat” hackers: Internet users or security researchers who discover critical flaws in systems that could give more nefarious parties access to sensitive information. For the most part their efforts are applauded, and in some cases financially rewarded, because they report the flaw to the affected company rather than to those who would use the information to cause damage.

However, there has been a spate of individuals being turned on for their positive disclosures. Rather than being applauded for helping to create a more secure environment for other Internet users, they are hounded and, as dental computer technician Justin Shafer found out, arrested at gunpoint.

A Step Too Far?

Shafer's “crime” was probing too far into a massive security hole he discovered in the popular dentistry software Dentrix. The software claimed to encrypt patient records. It was found instead to use an extremely weak form of data obfuscation rather than standard encryption, and even that was not enabled by default. Despite the company advertising the product as a secure platform, it exposed the private information of thousands of patients, including social security numbers and payment details.

Even after Dentrix maker Henry Schein Dental settled with the Federal Trade Commission over those claims, the FBI took issue with just how far Shafer had probed into an unsecured FTP (File Transfer Protocol) server on which he later found patient data. Downloading the confidential files from that open server was treated as “access without authorisation” under the federal statute known as the Computer Fraud and Abuse Act (CFAA), and around 15 agents, some carrying rifles, arrived at Shafer’s home.

Unsurprisingly, they were not interested in a cup of tea and a chat, instead carting Shafer off, along with 29 of his computers and other devices.

Arrested For helping?

When he discovered the data, Shafer contacted DataBreaches.net for help with handling the unencrypted records and making a responsible disclosure. Yet it is he who has been arrested and vilified, even though the vulnerability had not yet been closed. To rub salt into the wound, it emerged that the complaint against him was filed by the very company he had tried to assist, on the grounds that he had accessed its unsecured FTP server “without authorisation”. That is the practical danger for anyone doing this kind of research: under the CFAA, the fact that a server is open to the world is no defence, and retrieving files to document a breach can be charged as unauthorised access.

In 2013, talented computer programmer Aaron Swartz took his own life after what critics called “an unnecessarily harsh prosecution” under the CFAA. The response to perceived violations of the CFAA vastly outweighs any benefit a security researcher could possibly receive from a positive or responsible disclosure, turning those individuals away from securing services for the general public and into a dangerous game of cat-and-mouse.

More than three years after Swartz’s death, the CFAA is still to be reformed, giving companies embarrassed by their own lack of security the chance to prosecute those attempting to help.

Simply put, that just isn’t right.

Image courtesy of David Castillo Dominici / freedigitalphotos.net.
