DataBreaches.Net


Senators introduce bill to secure Internet of Things devices; provide some protection for researchers

Posted on August 1, 2017 by Dissent

Zack Whittaker reports:

A bipartisan group of senators have introduced legislation aimed at securing internet-connected smart devices, which were at the center of a massive cyberattack that brought down large swathes of the internet last year.

The distributed denial-of-service in October lasted for less than a day, but it further fueled concerns about threats posed by insecure and easily hijacked so-called Internet of Things (IoT) devices, thanks to an industry-wide apathy toward supplying devices with even the most basic security.

Read more on ZDNet.

Keep in mind that the bill would prohibit the type of thing that researcher Justin Shafer kept trying to increase awareness about – hard-coded credentials. Shafer is currently in jail, awaiting trial on charges of cyberstalking a federal agent and the agent’s family.

Shafer’s problems with law enforcement began when he exposed the fact that numerous health-related entities were exposing protected health information (PHI) on public FTP servers. It is believed that one of the companies he exposed, Patterson Dental, tried to make it seem that he hacked them.

The new bill, if it passes, would have more protections for researchers. As Whittaker reports:

The senators also added a caveat to the bill that would expand legal protections for security researchers working in the Internet of Things space to exempt “good faith” vulnerability hunting activities from federal hacking laws.

The hope is that the exemption would draw more security experts to the field, encouraging researchers to report vulnerabilities to ensure security flaws are fixed sooner.

It would also expand legal protections for cyber researchers working in “good faith” to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws.

Why is Shafer still in jail? Does anyone in the FBI have the integrity to come forward and tell us what really happened and why Shafer got raided THREE times and arrested when all he was doing was trying to get entities to be more responsible about securing PHI and disclosing when they failed to do so? Why has he been persecuted this way – because entities were embarrassed that he exposed their security failures? Is that what this has been all about? If so, shame on any company that tried to portray him as a criminal hacker, and shame on the FBI for pursuing this. Seriously. It’s disgusting.

Category: Commentaries and Analyses, Federal, Of Note


2 thoughts on “Senators introduce bill to secure Internet of Things devices; provide some protection for researchers”

  1. Trent Wolodko says:
    August 1, 2017 at 9:21 pm

    I’ve often wondered the same thing.

    I think it goes back to the LANAP breach.

    http://justinshafer.blogspot.com/2016/01/williamsport-pa-databreach-update.html

    Justin was interviewed by local media, and that he was told he was a suspect. He said he was interviewed by the Dallas FBI field office as well regarding that case long before the Patterson fiasco and that the IT guy for LANAP, the practice’s lawyer and the State Police were, at least at one time, fingering him for the breach.

    According to what Justin said, the special agent who interviewed him is the same agent involved in all three raids of his home, the same agent Justin is accused of stalking/doxing on twitter/facebook.

    I distinctly recall him years ago mentioning he felt threatened by what the agent had told him at that time on the phone when discussing the LANAP breach. Justin said, and I’m paraphrasing, that the agent asked if he was a gray hat, a pentester, and if that were true then he should stop or he wouldn’t like the next call he’d get from the feds, or something to that effect.

    Then of course there’s this nugget on your site…

    Justin Shafer says:
    November 25, 2015 at 4:40 am
    “If anyone is a “hack” it would be whoever investigated this databreach.”

    I’m curious… Who investigates the investigators?

    Do they read your site? Maybe that irked someone. His computer seat detective work was rather interesting!

    1. Dissent says:
      August 1, 2017 at 9:43 pm

      I’m aware of what happened after Shafer went to media after LANAP. I had even published the threat letter he received. Someone did a sloppy job, I think, of investigating that one, as my investigation and analyses by CyberWarNews.info showed that the most recent entry in the LANAP database was circa May, 2009. In February 2010, those files were uploaded to PirateBay. In September 2012, Shafer started notifying people that PHI was in those files. When no one did anything, he went to the media the following year. How much more responsible could he have been in his disclosure??

      Anyone who knows Justin would know that there is NO WAY IN HELL he would ever upload PHI and PII like that to PirateBay. It is the opposite of what he does in his efforts to improve security.

      I can believe he got off on a wrong foot with SA Hopp, if that’s what happened. And I can believe he could be nasty or sarcastic to entities if he felt they were lying or trying to cover up a breach. But I believe that what has happened since then is an abuse of power and a travesty. And I’d be happy to sit down with the Dallas FBI to discuss this or hear their side of it, but I know damned well that some of that stuff in the PC affidavit was utter bullshit. And that may not sound very professional of me as a journalist, but we cannot live in fear of calling people or federal agencies – or the courts – out when they create and perpetuate injustice.
