Why does US Law Enforcement so dramatically escalate every contact with a citizen? Every time they do this, they risk accidental injury to people, kids, pets.
What in this particular situation necessitated a SWAT-level treatment?
Maybe the law should be fixed such that warrants have to specifically include firearm authorizations.
US LEOs are indoctrinated with the belief that they are 'at war'. Convincing the public of this is imperative to retaining authority, securing more funding, and receiving immunity from any consequences of their actions. One way they accomplish the above is by never passing up an opportunity to dress up like an army man and publicly display force.
In theory, they combine those things to decide whether to just knock on the door and walk in or bring SWAT along.
This happens differently between agencies and in different parts of the country.
But, codifying these guidelines / rules into a law probably wouldn't hurt. Sometimes it is hard to capture the nuances of the situation into a formal law though.
Also, remember that tens to hundreds of these things are probably executed daily, peacefully, without any conflict or issues. You only hear about it when they go wrong (or some asshole fed is in a bad mood or something I guess).
This is always true. By that logic, we should SWAT every warrant, every traffic stop, every parade. There should always be a threat assessment.
This would imply it's all #2 ("publicity"). Which means police forces and public defenders are using the threat of extreme violence as... a PR move? Against American citizens who are innocent until proven guilty in a court of law?
The irony is cops do this to protect themselves, and statistically speaking it has the exact opposite effect.
Well, you could do some basic investigation before an arrest, which would both give you in most cases a good idea of the threat profile and often give you a better idea if the information you've been fed actually accurately represents the facts.
It's not like "investigation" is, you know, right there in the name of the agency, or anything.
"People in charge" only stay in charge when they don't look like fools. So anyone pointing out the king isn't wearing any clothes must be tied to a stake and burned for all to see.
Also, your dog must die.
When I found it, I told one of the teachers that I trusted and she insisted that I must tell the principal. So I went down to the principal's office and told her. My primary goal was to get this removed or made private because even at that young age I knew this was very sensitive data and I wouldn't want just anyone having access to my information like that.
When I got home from school, I found my mother upset because we'd been called to return to school for an emergency meeting. I was questioned, and when I told them I only wanted this sensitive information properly secured I was told by the county IT administrator "Did you ever stop to think if maybe this information was public for a reason?" I took a second, and literally wanted to say "There is no reason this information should ever be public" but I ended up keeping my mouth shut in hopes of not getting into further trouble.
I was nearly expelled for "hacking". They placed me on "academic probation" and threatened that if I did so much as forget my school ID at home one day, I would be immediately expelled without question. I was removed from my elective classes that involved computers and was disallowed from touching any computers at school.
Fun fact: Someone on the yearbook staff accidentally deleted the only copy of the yearbook files and our yearbook was in danger of basically not being made. I was called to the principal's office and asked to help. I was able to recover the deleted files and save the day. At some point they realized I never had malicious intent, but I still hold a small grudge for the way I was treated as a criminal for uncovering such a big security hole.
Absolutely jaw-dropping.
People's reactions to this kind of thing just blow my mind. If you are about to walk away from your car, having parked it in a high-crime area, and a passerby points out to you that you haven't locked it, do you call the police and have them arrested for looking into your car? If they were going to steal your car, would they have told you about it???
My wife ran into this back in 2001 or so. She had visited some Web site and noticed that the URLs followed a familiar pattern -- I think related to the Microsoft Access database. She wondered if some internal files were accessible via paths analogous to those she'd seen on the intranet where she worked. Sure enough, they were. She told the company about it, and of course they yelled at her.
Unfathomable.
If it was meant to be public, then you shouldn't have gotten in trouble for pointing out its existence. I don't understand the twisted logic there.
I figured out that the teachers had the same schema for their accounts. They also published a directory with all the names and phone numbers of the students and teachers. So basically I tried accounts until I got a teacher who didn't change their password. Then I used their ability to place files in shared folders on the network to distribute Quake2 across the different servers. I told a friend and they told people and inevitably the school blamed me for it and kicked me out of all my electives that had computers in them. I was the first student to ever fail touch typing because I couldn't complete the class.
Standardized learning and I have never been friends. I'm glad they taught me the system doesn't work and to work/learn outside of it.
There was some problem with the alias. I couldn't receive the FB confirmation email. So I gave up and went to sleep. The next morning I received a call from the campus police - they wanted to talk to me. I don't remember all the details, but I just remember a long process of being interrogated by campus police and later school administrators who were certain that I had hacked the president's email account. I mistakenly thought simply telling them "I wanted to add the school president as a friend on TheFacebook" was innocent and harmless enough. Some time later I received a letter with a list of 20 or so charges including things like Identity Theft and the possibility that I may be expelled.
I only found out at the end of this whole process that due to a bug in the mail system it allowed me to register a duplicate email alias and all of the school president's emails were being bounced and they assumed I was receiving them. I was able to knock it down by writing an apology and doing community service.
Wow. Whatever happened to the cops coming and saying "That was dumb. Let this be a lesson. Don't do it again."?
This reaction makes me very, very angry.
I would love to push it back on them: it's unclear under what laws/regulations this would fall, but if you (as the student who found it) can get in trouble for finding this info, they can most certainly get in trouble for posting it in a location it can be found in.
Further, because you were actually punished for it, it means one of two things: they were in fact in the wrong for publishing it (and thus should be punished -- whether it's a criminal offence or merely a professional reprimand); or if they can't be punished, neither can you -- which means the principal should be in trouble for giving out a groundless punishment.
In my mind, it ceases being an "honest mistake" when they attempt to punish the person who points it out.
I realize that the real world is much more complex than this: you were a kid, your parents don't necessarily want to put you through the doubtless retaliation the administration would put you through anyway (even if not official), and the people with the authority may not see it the same way (in the same way police officers rarely charge other officers with crimes).
The school did not, and the district superintendent agreed with them. Who knew that an FM radio made out of a La Gloria Cubana cigar box, with labelling removed so as not to run afoul of any "tobacco paraphernalia" questions, constituted a "bomb".
Parents sued to have me reinstated, but the social stigma lasted well throughout high school. Kids nicknamed me "bomberman" and there was this whole narrative that I had to be removed from the school, handcuffed by the FBI and put into the back of a box truck and hauled away. When in reality, my dad picked me up in his Honda (which would later become my Honda) and we drove home.
You are hearing one side of a story (that doesn't mean there is another side that would change your mind or my mind of course) but keep in mind that the parent also said "I admit I was snooping".
Let's say for argument's sake someone enters a room that they are not supposed to be in and finds something in a desk drawer that shouldn't be there. Should the person snooping be commended for doing that? As if a reward saying "go anywhere anytime and as long as the end justifies it you are off the hook". Are you allowed to enter your neighbor's house in search of contraband or access his computer? I realize this was allegedly "public" but the devil is in the details of what that means exactly.
Makes me glad that my school was reasonable when I got dragged into some "hacking" accusations. We were just made to work with the IT staff for a week (instead of going to classes), and that was the end of it.
The IT staff were surprisingly fine with it all (I think they realised A) that we weren't malicious, just bored and curious, and B) that it was their mistakes that gave people access (VNC server installed on all PCs with the password "vnc"; domain admin account having the password "school", etc.)
I believe I had to stay up late writing a 4-page apology paper to forestall disciplinary proceedings since my family was planning to go on vacation the next day.
Thought long and hard about what to do but decided to not do anything, don't feel like risking my entire life just to help someone. This is me assuming they did not intend to have it publicly open.
With that story out there, it would be nice to have a legit legal way to inform the police or a similar trustworthy government agency that could handle issues like this.
Perhaps the FCC has something similar?
I'm looking at 'Have I been pwned' [0], but they seem to care about only breaches that have been publicly acknowledged. Sounds like they don't want to be in the business of breaking this kind of news themselves.
Maybe there needs to be a new Web site for this kind of thing -- located outside the US, of course. (Probably there already is one and I don't know about it.)
Best case among the likely outcomes of that is: "Can you re-send that e-mail? It's all garbled or something."
"I accidentally discovered this when I miss typed an IP."
So, the chance of them going "out of business" is pretty slim. It's entirely possible that dentists unfortunate enough to have chosen Eaglesoft will get to pay some HIPAA fines, however.
Foremost among the many reasons, because investigation of HIPAA Privacy and Security violations is almost entirely (if not entirely) complaint-based rather than proactive, and probably no one filed a complaint to the HHS Office of Civil Rights.
Which I think should be the immediate and first act on discovering something like this with PHI, if for no other reason than that doing so makes clearly applicable the whistleblower protections of 45 CFR 160.316.
It seems that the 21st century responsible disclosure procedure goes like this:
0. use tor for the research itself
1. report problems anonymously
2. if they don't care - report them to law enforcement for breach of confidentiality
3. if these don't care either or don't accept anonymous tips - make noise in the media
Of course, this is for dealing with idiots who keep their data on public FTP. If the attack takes some clever hacking, go check if they don't offer bug bounties. Funny times we are living in.
There is no step 2.
I'm also very much glad to see the incredible foresight and knowledge that the FBI is displaying here. What better way to show us why we should not responsibly disclose data vulnerabilities than to arrest and raid someone's home for doing so?
Stories like this really influence me to put my faith in the capabilities of law enforcement. What that means for our individual rights and freedoms, and for the future of the US economy is sure to be nothing but excellent! I would never think about moving away from such a country!
And should you by some miraculous series of events manage to get your case heard in a court (have $$$ to burn), they'll just appeal the verdict (and win).
There is no escaping this shitfest.
This is so true and so many people don't realize it.
It's easy to be idealistic about these things until it actually happens to you.
Being "in the right" doesn't mean you'll win ("right" according to your morals/ethics and "right" legally are often two completely different things) and it doesn't mean that the costs of fighting - financial, personal, etc. won't ruin you, especially when the plaintiff is stubborn, vindictive and has deeper pockets than you do.
More often than not, you'll end up settling civil cases, and the tangible and intangible costs that you accrued while fighting your case are usually victory enough for the plaintiff.
Why? Andrew "Weev" Auernheimer was prosecuted AND CONVICTED for accessing a public HTTP server with no password protection. They apparently didn't have any trouble pursuing that with a straight face. The conviction was overturned because they had prosecuted him in the wrong state.
“It’s weev all over again.”
Edit: ProAm above reminded me of the Andrew Auernheimer case that was nearly identical to this and was resolved as I describe.
When you analogize to a separate situation like keyed locks or zeppelin airspace access rules you're attempting to say something about similarities between the reasoning in resolving the rule on both sides, which requires you to actually make a contention about what aspects of the situation are compatible, and which of those aspects are salient to the definition in question.
Computer behavior patterns are different enough that if you want to analogize, for the love of god explain the aspect you are analogizing. Even the notion of a "protocol" doesn't really exist in meat space.
Something like "transit through third-party routers is a form of access easement"? OK, I could maybe roll with that as a premise if we get into the weeds about what that would imply.
"It's like an unlocked door!" Jesus christ, stop. No, it's not. Even particular unlocked doors aren't what you're thinking of as an archetypical unlocked door, because "unlocked door" isn't a legal concept.
From the article:
I actually remember them having a passworded FTP site
back in 2006. To get the password you would call tech support
at Eaglesoft\Patterson Dental and they would just give you the
password to the FTP site if you wanted to download anything.
It never changed. At some point they made the FTP site anonymous.
While there is no mention of the username involved in the anonymous access, it sounds like they switched from handing out a common password (stupid, but probably qualifying as "unauthorized access" for CFAA purposes). However, if the change where they "made the FTP site anonymous" involved the standard username "anonymous", then the server is offering access. For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.
So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.
I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.
Sadly, I don't get to write these laws.
It is more like having a store with the lights on and an open sign, and then arresting someone for breaking and entering when they go inside.
Sometimes that's just the time, expense, job and reputation loss, etc. of the arrest, but sometimes (e.g. Freddie Gray) the ride is a 'rough ride' and you can't beat that either.
Based on his website it appears that "Tor" is actually his given name. What an odd coincidence.
Unless there's a lot left out of this article, I wouldn't think most "unauthorized computer access" suspects tend to be heavily armed. (Particularly if the company actually reported the context of the "crime", including the fact that he had voluntarily notified them of the problem.)
The rationalization is that serving warrants can sometimes be risky, so why take the chance? It's in law enforcement's best interest to err on the side of caution: better to scare the crap out of people than get shot without warning. Which is why the government and the courts are supposed to balance LE's concerns with the rights of the people.
The best policy may be, simply not to be home at 6 AM. They're psychologically incapable of raiding when normal people are awake, or of making arrests in safer ways such as via a phone call to an attorney or simply waiting by their target's car until he leaves for work in the morning.
They probably rarely have cause to perform this sort of raid, so they do so at any opportunity.
Particularly for protected patient information (but maybe for other classes of sensitive data as well), it would be interesting to somehow classify having this information breached as a crime by the holder of the information (I realize this might be hard to do given the reality of security these days, so there would need to be some nuance of course). The crux of my idea would be to automatically count any access that results in prosecution as a breach of said data, thus meaning that prosecuting a security researcher would automatically put the information holder under separate prosecution. I wonder if something like this could be feasible.
The source of the problem in this case is that the CFAA is too loose/broad and the penalties are absurd. The solution is to fix that. Make it so that the only penalties available are proportional and innocuous actions like reporting vulnerabilities are bright-line not illegal whatsoever.
You're essentially suggesting cold war style MAD as a solution to the government foolishly supplying toxic waste to children who are then found using it to poison people they don't like, under the theory that if everyone can poison everyone then everyone will have to behave. Better to clean up the toxic waste than ensure equal access to it.
In my industry, the EPA produces technology forcing regulation, we will have to invest a few hundred million to meet the upcoming standards and continue selling our product in the US after 2020. To sell our product in 2027, we need technology that hasn't been commercialized yet.
Maybe computer security could use a technology forcing regulation to get real investment in secure software to happen.
Many financial institutions use the last 4 of your SSN as identity verification.
If you're a business, it's the last 4 of your FEI/EIN.
I know at least in FL, this is publicly available at sunbiz.org
So with the account number printed at the bottom of your paycheck/stub and the FEI/EIN, you can often authenticate to a financial institution and obtain privileged information.
I know this not because I was on the "hacker" side, but because I was involved on the financial institution side of it and caught this as part of my engagement. The institution was issuing new logins for its internet banking site and the password would have been based on the user's name, zip code, and SSN/FEI/EIN, all 3 of which are available (in FL) on that sunbiz.org site.
In my experience, credit unions are usually worse than Banks on the security side. There are exceptions, but they are not the norm.
One credit union I dealt with always opened and closed with a single employee. Very dangerous for the employee. This same union kept the A and B part codes to their vault in a locked desk drawer (one of those cheap desk drawer locks that anyone can pick with a paper clip) in the lobby, and full internet access was available on all computers. Tellers all shared a single cash drawer and the teller PCs were routinely used by the tellers for general web surfing, Facebook, Pandora, etc...
That's how law enforcement in the US works. A crack in the door, in the form of a ridiculous accusation, is all it takes for one's life to be destroyed.
Why go after Patterson? Because that would give them opportunities for more raids and prosecutions, which look great on an annual review. And raids and prosecutions for acts which are probably more politically useful to politically-minded US Attorneys than whatever kind of case they could make against Shafer.
And, of course, sign it with a new PGP key you've just created, so that if you ever need to release a follow-up with proof that it's you, or come forward as the author of the disclosure, you can.
This is my plan too. Responsibly disclose anonymously. That should prevent our corporate lords from sending SWAT teams into our homes.
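The "sign it with a fresh key" idea from the two comments above, worked through as an added example (not code from any commenter or from the article). It uses Ed25519 from Go's standard library instead of PGP, because that is what is available offline; the Report type, the domain-separation tags and the function names are my own, and the report text is constructed. The point it demonstrates: the disclosure is published with a throwaway public key and a signature over the body, and months later the author can prove authorship by signing a challenge that the verifier chooses, without having identified themselves at publication time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Report is what gets published anonymously: the text, the throwaway public
// key, and a signature binding the two. Nothing in it identifies the author.
type Report struct {
	Body      string
	PubKey    ed25519.PublicKey
	Signature []byte
}

// Domain-separation tags (my own choice of strings) so that a signature over a
// report can never be replayed as an authorship proof, or vice versa.
const (
	reportTag    = "anon-disclosure/report/v1\x00"
	challengeTag = "anon-disclosure/authorship/v1\x00"
)

func tagged(tag string, data []byte) []byte {
	out := make([]byte, 0, len(tag)+len(data))
	out = append(out, tag...)
	return append(out, data...)
}

// NewDisclosureKey makes a fresh keypair for this one disclosure only.
// Keep the private half offline; it is the only link back to you.
func NewDisclosureKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignReport binds the body to the throwaway key.
func SignReport(priv ed25519.PrivateKey, body string) Report {
	pub := priv.Public().(ed25519.PublicKey)
	return Report{
		Body:      body,
		PubKey:    pub,
		Signature: ed25519.Sign(priv, tagged(reportTag, []byte(body))),
	}
}

// VerifyReport checks that the body was signed by the key shipped with it.
// Anyone holding the published report can run this.
func VerifyReport(r Report) bool {
	if len(r.PubKey) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key
	}
	return ed25519.Verify(r.PubKey, tagged(reportTag, []byte(r.Body)), r.Signature)
}

// ProveAuthorship is run later, by the author, over a challenge chosen by
// whoever wants proof (a journalist, a lawyer). Signing a challenge you did
// not pick yourself stops an old proof from being replayed by someone else.
func ProveAuthorship(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, tagged(challengeTag, challenge))
}

// CheckAuthorship ties the proof back to the key in the original report.
func CheckAuthorship(r Report, challenge, proof []byte) bool {
	if len(r.PubKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(r.PubKey, tagged(challengeTag, challenge), proof)
}

func main() {
	pub, priv, err := NewDisclosureKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample report text, not a real disclosure.
	rep := SignReport(priv, "Anonymous FTP at ftp.example.test exposes patient records.")
	fmt.Println("published key:", hex.EncodeToString(pub))
	fmt.Println("report verifies:", VerifyReport(rep))

	// Months later: a third party picks a challenge, the author signs it.
	challenge := []byte("prove you wrote the report; nonce 7f3a")
	proof := ProveAuthorship(priv, challenge)
	fmt.Println("authorship proven:", CheckAuthorship(rep, challenge, proof))
}
```

Publish the body, the hex public key and the signature together; keep the private key somewhere that is not your laptop. The tag prefixes matter: without them, the signature you already published could itself be presented as an "authorship proof" over the report text by anyone who copied it.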
There was a similar issue with S3 credentials and Facebook a few months ago. The security researcher went too far. There was a large outcry by everyone about Facebook's response. I'm not addressing the response. I'm saying as a security researcher you need to protect yourself by trying very hard to limit the impact of what you're doing to remove risk of legal liability. Only go as far as the first problem and no further.
What kind of thinking is this? He was doing them a favor. Every time, it seems to me that they are embarrassed by the incident and lash out. WHY!?? We should be treating these researchers like heroes, not kicking in their doors and having the FBI charge them with criminal CFAA violations. Once the chilling effect comes down in full force, we'll have a much less secure Internet.
The arrest may have nothing to do with accessing the public FTP, and entirely to do with the research he was doing on the FTP service itself. If he was attempting to exploit the FTP service hosted by someone else (something or other about database credentials was mentioned), he would absolutely be in violation of CFAA. You do that sort of research on your OWN system.
First rule of security testing: make sure you have permission.
This is getting ridiculous. I can't predict the general public's opinions on things like this but it seems so clearly "wrong".
I have hope for a peaceful fix but I am skeptical that we aren't well on our way to a much more traditional violent revolution.
Everything I've read on the subject suggests that the early signs of revolution are a sufficiently large disparity between the rich and the poor such that the poor can no longer provide for themselves. It seems like this is well on its way and likely speeding up.
I'd love to see some statistics on situations like the 2014 Ferguson Missouri situation. I'm curious if there's a rise in situations where the government sufficiently crosses the line that the public backlash manifests violently. I expect that we're still in a stage where these situations are still largely centered around poor minorities [1] but situations like this suggest that incidents are starting to expand into demographics that might get the "middle class" [2] to finally pay attention.
I hope we can find a way to unite as a single voice to change things. I hope it doesn't end up being violent. The following things encourage me.
* Decreased relevance of the "mass media". This is a double edged sword. On one hand it allows for news that might be ignored by a major network to still be disseminated widely. On the other hand, the "public" has a really poor track record of consuming news that isn't also entertainment and many of these issues seem to fall entirely outside of people's interests.
* The ability to aggregate these sort of events to establish a clear pattern of behavior. It's getting harder to hide things.
Also these disclaimers:
1. I say poor minorities because based on my knowledge of law enforcement overstepping, it's typically in situations involving people who are poor and black.
2. The "middle class" is used here to reference a predominantly "white" demographic that most mass media caters to. I've struggled to find the appropriate language here, fearing I'll be labeled racist somehow. Hoping that my message reads as intended.
However, loads great in lynx!