Dentist-turned bug-biter given a taste of freedom

Justin Shafer, who last year sparked a complaint to the FBI for discovering a dental software vendor's unprotected FTP server, will walk free until his trial begins.

Although his vulnerability work upset some of his targets, Shafer's detention wasn't directly about hacking: he took exception to repeated FBI raids, went public about the issue on Facebook, and was cuffed as a cyberstalker.

Under charges of violating 18 U.S. Code § 119 and 18 U.S. Code § 2261 (the first is “Protection of individuals performing certain official duties”, which prevents naming people like FBI investigators or their families; the second law covers “Interstate domestic violence”), Shafer has been held without bail since April.

He's now been released for trial under conditions [PDF] that include restricted access to computers or the internet for work purposes only, even then subject to monitoring and approval by a probation officer.

Other conditions of the release include that he's not to make any further posts naming the officers, but a report at Databreaches report quoted the judge as saying criticising the FBI won't count as a breach of conditions.

A tale of escalation

Shafer's imprisonment followed what was clearly an escalation of behaviour through 2016 that arguably had the judge worried, since another of the release conditions is that he submit to a mental health assessment.

The case started quietly enough, with a February 2016 vulnerability disclosure. Patterson Dental's Eaglesoft practice management system contained an unchangeable, hardcoded password, and the company had left an FTP server unsecured.

The first complaint to the FBI was from Patterson Dental, leading to the May 2016 raid. What aggrieved Shafer was that two further raids followed – but when he complained in posts on Twitter and Facebook, Shafer was breaching his bail conditions.

Shafer still faces the cyberstalking charges; the date of that trial is yet to be set. ®