
Eaglesoft's automatic machine specific AES-256 encryption


I thought I would make a blog post about the AES-256 encryption that is new in Eaglesoft 21 and seems to happen automatically, at least with versions 21.20.7 and 21.20.8.

https://pattersonsupport.custhelp.com/app/answers/detail/a_id/20847/~/install%2Fmove-data-to-a-new-server

"Note: For offices that have encrypted their data using AES-256 encryption in version 21 and above, please work with our support department prior to moving your data to a new server. It is recommended that you decrypt your data first, move the data to the new server, and then encrypt the data again once it is on the new server. If this is not done, your Eaglesoft Server likely will not start on the new server due to machine specific information in the encryption"



I was on the phone with support because I couldn't get a new workstation to authenticate correctly with the server: the office had recently changed ownership, so the office license had changed and the license .txt files on the server were wrong. I also asked why the Patterson App Server showed a lock icon, because I had seen it before.


She said the version we are using, once installed, will encrypt the database in the background automatically. She said sometimes it fails, and then the support people have to fix it. She sighed. =)

I assumed that the AES-256 encryption was keyed off the license, but this morning I was bored, so I read up on it, and it seems some of this is based on machine-specific encryption.

Basically, the computer encrypts the data, but part of the key is a random key generated for that particular computer when Windows is installed. The machine-scope key containers live under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, and the DPAPI machine master keys themselves under C:\Windows\System32\Microsoft\Protect\S-1-5-18.

If I encrypt a file with DPAPI (the Microsoft Data Protection API) in machine scope, the file cannot be decrypted on another computer. How is Patterson encrypting the data? One handy program is NirSoft's DPAPI Data Decryptor; it will decrypt Dentrix's dtx.config but will not re-encrypt it for a new machine. I wrote a tool to do that, though. I wonder if that tool will work on the Eaglesoft database.

https://www.nirsoft.net/utils/dpapi_data_decryptor.html

This matters because MANY people will NOT "decrypt the data" before moving to a new server. Let's say the server dies, so we restore from backup. Is the backup encrypted with machine-specific encryption? Long story short: is the encryption key based on your license or on the machine key, and is it stored in the cloud somewhere? Does Patterson back up our encryption keys on their Amazon servers? Maybe restore a system image backup to a virtual machine, decrypt, then move. Yuck.
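To make "machine specific" concrete, here is an added example of what a DPAPI blob in LocalMachine scope is actually bound to. It is not Patterson's or Eaglesoft's code (how Eaglesoft derives its key is exactly what this post cannot answer); it only shows the DPAPI behaviour the post is reasoning about. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt so the master-key folder under System32 can be inspected; the helper Get-DpapiMasterKeyGuid is mine, and the DPAPI blob layout it relies on (master-key GUID at bytes 24..39) is the documented one.

```powershell
# Added example, not Patterson's or Eaglesoft's code: shows what "machine specific"
# means for a DPAPI blob and why a copy of the protected data alone is not enough to read it.
Add-Type -AssemblyName System.Security

$scope     = [Security.Cryptography.DataProtectionScope]
$plain     = [Text.Encoding]::UTF8.GetBytes('constructed sample secret (think: a DBA password)')
$noEntropy = $null   # no extra secret, so any process on this host can call Unprotect

# LocalMachine scope: the blob is wrapped with a master key that only this computer has.
$machineBlob = [Security.Cryptography.ProtectedData]::Protect($plain, $noEntropy, $scope::LocalMachine)

# CurrentUser scope: wrapped with the calling user's master key, which is itself
# protected by that user's logon password, so other accounts on the box cannot use it.
$userBlob = [Security.Cryptography.ProtectedData]::Protect($plain, $noEntropy, $scope::CurrentUser)

# DPAPI blob layout: 4-byte version, 16-byte provider GUID, 4-byte master-key version,
# then the 16-byte GUID naming the master key that encrypted it (bytes 24..39).
function Get-DpapiMasterKeyGuid {
    param([Parameter(Mandatory)][byte[]] $Blob)
    [Guid]::new([byte[]]($Blob[24..39]))
}

$sid       = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$mkMachine = Get-DpapiMasterKeyGuid -Blob $machineBlob
$mkUser    = Get-DpapiMasterKeyGuid -Blob $userBlob
$machineKeyFile = Join-Path $env:WINDIR  "System32\Microsoft\Protect\S-1-5-18\$mkMachine"
$userKeyFile    = Join-Path $env:APPDATA "Microsoft\Protect\$sid\$mkUser"

"Machine-scope blob references master key {0}" -f $mkMachine
"  key file on this host: {0} (exists: {1})" -f $machineKeyFile, (Test-Path -LiteralPath $machineKeyFile)
"User-scope blob references master key {0}" -f $mkUser
"  key file for this user: {0} (exists: {1})" -f $userKeyFile, (Test-Path -LiteralPath $userKeyFile)
# Both should print True. A False for the machine key from a non-elevated shell usually
# means access to the Protect\S-1-5-18 folder was denied, not that the key is missing.

# Round trip on the origin host works.
$back = [Security.Cryptography.ProtectedData]::Unprotect($machineBlob, $noEntropy, $scope::LocalMachine)
"Decrypted on the origin host: {0}" -f [Text.Encoding]::UTF8.GetString($back)

# Save the machine blob. Copy machine.dpapi to a different Windows host and run the
# Unprotect line there: it throws CryptographicException, because that host has no
# master key with this GUID. That is the "data folder only on a USB drive" case.
# A full system image of THIS host, however, carries the master key file and the LSA
# DPAPI_SYSTEM secret that unwraps it, so a VM restored from an image backup can still
# decrypt the blob. Machine binding protects against a copied file, not a copied disk.
[IO.File]::WriteAllBytes((Join-Path $env:TEMP 'machine.dpapi'), $machineBlob)
```

The point for the backup question in this post: if a vendor's "machine specific" key really is DPAPI-style, a bare copy of the DATA folder is unreadable elsewhere, but an image-level backup of the server (or a stolen server) contains everything needed to unwrap it.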


Hopefully these (keyfile.cfg and keybackup.data in the data folder) are the encryption keys, and hopefully Eaglesoft knows how to read these files regardless of what computer they are on. And if that is the case, doesn't that mean this encryption kind of... sucks? Let's say this IS AES-256 encryption but the key is in the data folder. So if you copy the entire DATA folder to an unencrypted USB drive, would you tell patients the data is encrypted if, in the end, it can be decrypted by figuring out how keyfile.cfg and keybackup.data work? Maybe you need the license? WHO KNOWS. Having documentation would be nice.



Sure would be nice to know HOW to decrypt the data. I don't see it in TechAid. Maybe it is the "Copy DB and Log to C:\Hold" option. Not really sure.



And let's say some people ONLY back up the DATA folder on the Eaglesoft server to a USB drive. Traditionally that was safe, but now I wonder: without the machine key, is your data unreadable?

And the old encryption maybe wasn't that great.

https://pattersonsupport.custhelp.com/app/answers/detail/a_id/20069/~/encryption?

I am creating a test server and doing an Eaglesoft migration. Maybe I'll figure out how this works.


How to uninstall Sentinel One without the key


1. Go to safemode.

2. rename C:\ProgramData\Sentinel to something else.

3. Delete all files in C:\Program Files\Sentinel One\Sentinel Agent <Version>\config\*

4. Reboot into normal mode and uninstall like so:

C:\Program Files\Sentinel One\Sentinel Agent <Version>\uninstall.exe /uninstall /key "null"

And it should let you uninstall. This works because in safe mode the agent's services, and with them the anti-tamper protection that would normally block the rename and the config deletion, are not running; you still need local administrator or SYSTEM rights on the box.

I was logged in as SYSTEM with ScreenConnect Backstage feature and had to use takeown and icacls, but it worked.



Bitdefender Notes:

Another OCR Letter regarding Patterson Dental


I received an email yesterday, and this is what it said. I sent an email back stating that although it might not be a violation, it is still a problem. If a company says their database is encrypted, but it can be read by some nerd, and nobody else really knows, then when something bad happens dentists won't care, because they will say the database is encrypted. I once had a client who had a break-in and someone stole the physical server, but Dentrix advertised encryption, so my client told the police etc. that it was encrypted. But I was his IT guy and he knew what I was doing regarding Dentrix; the FTC hadn't ruled on my complaint, so there was this limbo. Well, having an encrypted database sounded much better to my client at the time, so no patients were notified.








Dentrix G6.2 through G7.9 authentication tool


I finally got this working; it took me about 3 years in my spare time. It was challenging to figure out, and I give props to the guy who wrote it, or at least this aspect of it (DTXHelp.dll). Pretty sure his name was Mick Gomm.

I heard Dentrix G8 will have a different form of authentication. It makes me kinda sad, because I REALLY like how we had control over part of the authentication by creating a database passphrase. All user passwords in the database are based on that, even their Dentrix Developer Program usernames and passwords, I heard. I hope the newer authentication is just as secure from the standpoint of a guy on the LAN trying to hack the server.

This is better than what Open Dental and Eaglesoft do, in terms of how difficult it is.





Polono P60 UPS Download.Gif Converter


 Hi!

I recently bought a Polono P60 mailing label printer off of Amazon. It claims it is compatible with just about everything, so of course I bought it. Boy, was I stupid!

Anyways, I thought I would write a program where you could download a UPS mailing label and convert it to something printable on the printer without much effort at all.

Here is the program:

http://onsitedentalsystems.com/PolonoUPS_Installer.exe

https://github.com/jshafer817/Polono-UPS-Converter



You run it, and it wants the download.gif file. This file is originally 1400x800, so I convert it to 800x1200 after removing the 200 pixels of dead space. Then I slightly reduce the image while maintaining resolution, and then I set the density so the PDF is truly 4x6.

It took some work! This was done with ImageMagick's Magick.NET and PDFium.

Using just the ImageMagick convert utility, these 2 lines would do the conversion, so the goal was to turn this into a program (with ImageMagick 7 the executable is magick rather than convert.exe, which on Windows also collides with the system's own convert.exe):

convert.exe download.gif -rotate 90 -gravity South -chop 0x200 cropped.gif

convert.exe cropped.gif -gravity Center -background "rgb(255,255,255)" -scale 760x1140 -extent 800x1200 cropped2.gif

I went as far as reverse engineering the UPS Thermal Printer app that you can install from the UPS website. It seems this is a printer-language issue: UPS supports several label languages, but not TSPL.





Modifying Schick CDR and Carestream to support HiDef intraoral cameras


So I bought a lot of cameras that support 1280x720 with the idea of reselling them. I dropped off a camera at a local office near me that called to say their old camera broke, so I told them great news, I have some at my house.

I go to the office to see that this is what Schick CDR does with 1280x720 images:


Yeah, scaling 16:9 to 4:3 looks terrible too. So I modified 2 DLL files quite a bit to produce this, and it works great. I had to use IDA and Resource Hacker.


With the Carestream STV plugin, they can use cameras above 640x480 and save images above 640x480, but while you are previewing at 1280x720 you see it at 640x480, which is annoying.


Carestream STV relies on a file called Videoskin.zip, which has XML and PNG files inside; these are used to build the dialog and control the video window size! So I made the PNG files bigger, moved the buttons lower, and told the video window to be 1280x720:


Contact me if you are interested.

OCR responded to my FOIA request!

New complaint


HHS fined someone over a Public FTP I found


Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with MedEvolve, Inc., a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered health care entities. The settlement concludes OCR’s investigation of a data breach, where a server containing the protected health information of 230,572 individuals was left unsecured and accessible on the internet. HIPAA is the federal law that required the establishment of national standards to protect the privacy and security of protected health information. The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care breaches and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

The potential HIPAA violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor. The HIPAA Rules require that covered entities and business associates (person or entity that has access to protected health information as part of their relationship with a covered entity), enter into contracts – or business associate agreements – that generally document the permissible uses and disclosures of protected health information, that appropriate safeguards will be implemented, and that the covered entity will be notified of any breaches. MedEvolve has paid a $350,000 monetary settlement to OCR and agreed to implement a corrective action plan which identifies steps MedEvolve will take to resolve these potential violations and protect the security of electronic patient health information.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”

In July 2018, OCR initiated an investigation of MedEvolve following the receipt of a breach notification report (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf) stating that an FTP server containing electronic protected health information was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and in some cases Social Security numbers. OCR investigates every report we receive of breaches of unsecured protected health information affecting 500 or more people. Hacking/IT incidents were the most frequent (79%) type of large breach reported to OCR in 2022. Network servers are the largest category by location for breaches involving 500 or more individuals.

It is critical that HIPAA covered entities and their business associates improve their efforts to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors.

As a result of the settlement agreement, MedEvolve will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. MedEvolve has agreed to take the following steps:

* Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization;
* Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
* Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules;
* Augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information; and
* Report to HHS within sixty (60) days when workforce members fail to comply with MedEvolve’s written policies and procedures to comply with the HIPAA Privacy and Security Rules.

The resolution agreement and corrective action plan may be found at:
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/medevolve-ra-cap/index.html.

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that you or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.

###

Source: HHS

https://www.databreaches.net/hhs-office-for-civil-rights-settles-hipaa-investigation-with-arkansas-business-associate-medevolve-following-unlawful-disclosure-of-protected-health-information-on-an-unsecured-server-for-350000/

https://www.hhs.gov/about/news/2023/05/16/hhs-office-civil-rights-settles-hipaa-investigation-arkansas-business-associate-medevolve-following-unlawful-disclosure-phi-unsecured-server-350-000.html

https://www.wired.com/2013/03/att-hacker-gets-3-years/

https://www.dailydot.com/debug/justin-shafer-fbi-raid/

FTC Statement against Dentrix


I have never posted this on my blog; might as well. They were fined $250K. Thus far, I have made the government $600K, and all I have to show for it is a broken heart. Oh well.

 


Before the
Federal Trade Commission
Washington, DC 20580

In the Matter of                  ]
                                  ]
Henry Schein, Inc.                ]
(Henry Schein Dental)             ]

March 14, 2014

STATEMENT OF JUSTIN SHAFER

 

I, Justin Shafer, have personal knowledge of the facts and matters discussed in this statement, and, if called as a witness, could and would testify as follows:

 

1.     I am over the age of twenty-one (21) and am competent to give this statement.

 

2.     I am a computer technician in the field of dentistry and am employed at Onsite Dental Systems, 7704 Sagebrush Ct. S., North Richland Hills, Texas.

 

3.     I graduated from the SMU School of Engineering of Applied Sciences. I hold CompTIA A+ certification and Microsoft Certified Professional 2000 certification with 800 classroom hours.

 

4.     I have been working in the field for over a decade. In my professional work, I routinely assist dentists who use practice management software that stores and processes patient information. As such, I have had to learn the security features of many commercially available products so that I can advise clients how to protect patient data from external and internal threats.

 

5.     I have had numerous contacts with both Henry Schein Dental (“HSD”), Dentrix, and US-CERT concerning security vulnerabilities in Dentrix G5 and the deceptive statements HSD/Dentrix has made in marketing it. The following is a partial chronology of my findings and contacts:

 

6.     In August 2011, I attended the Dentrix Practice Solutions Summit held in Utah. During a presentation about the to-be-released Dentrix G5 software, we were told that the patient data on the disk would be encrypted, as would be the TCP/IP packets.

 

7.     Database authentication is a crucial component of data security. For database authentication to work, a username and password are required. Failing to use best practices, Dentrix G5 used a hard-coded authentication username and password. As a result, dentists could neither set nor change the administrator password in G5. Hard-coding passwords is a well-known security risk[1] and is considered a design flaw by NIST.[2]

 

8.     Furthermore, because the login credentials were not only hard-coded, but the same across all installations of G5, and because cybercriminals routinely share such login credentials, any hacker who could gain access to the server would be able to easily read the contents of a dental office’s patient database in plain text.[3]

 

9.     After the event was over, I received a phone call from a Dentrix executive who said he was puzzled because a developer had been able to access a patient database without having the credentials to do so or being authorized to do so. He asked me how that could have happened. Based on his description, I informed him that one possibility was that the Faircom 9.0 server software incorporated in G5 might be exposing the username and password in unencrypted network packets that could be obtained by “packet sniffing.” [4]

 

10.  In March 2012, the month after Dentrix started shipping G5, I downloaded Faircom 9.0 and explored its security. Faircom 9.0 offered various options, including NIST-grade encryption (“Faircom Advanced Encryption,” AES) and their own proprietary “encryption” (“Faircom Standard Encryption”). Dentrix G5 had incorporated the proprietary version and did not give customers the option of using the AES version.

 

11.  My testing revealed that the administrator’s password could be found in RAM in plain text, which was considered insecure even by 2003 standards,[5] much less 2012 standards. I could also find the ADMIN username and password in plain text in network packets, which was also considered insecure even by 2002 standards.[6] Because of these vulnerabilities, patient data secured by “Faircom Standard Encryption” could be easily read without a decryption key or password. By definition, then, there really was no encryption since no key was required, and Dentrix’s claims of “encryption” were inaccurate and misleading, at best, and fraudulent and deceptive at worst.[7]

 

12.  In April 2012, I started trying to alert dentists to the security vulnerabilities in Dentrix G5. My initial efforts included starting a discussion thread on a popular website called DentalTown. I also created and uploaded a video to YouTube demonstrating how easy it was to bypass G5’s “encryption.”

 

13.  In addition to trying to alert dentists about the security vulnerabilities, I was also in direct communication with Dentrix to share my findings and concerns about their security vulnerabilities and claims of “encryption.” Appendices A, B, and C contain some of my e-mail communications to/from them about their security issues during the period April – June, 2012.  Note that I pointed out that Social Security numbers could be read in plain text, which poses a significant risk of identity theft if the patient database is accessed or acquired by a hacker.[8]

 

14.  On May 1, 2012, Michael Allsop, Director of Marketing for Henry Schein Practice Solutions (Dentrix), left me a voicemail. The voicemail said Henry Schein’s legal department was looking into my posting the YouTube video. Michael said I might have violated the non-disclosure agreement (NDA) I signed during my 2011 Practice Solutions Summit.[9] Allsop suggested that if I were to bill them, they could pay me a consultation fee, but I should consider removing the video. He repeated the offer and request when I returned his call, and added that I was giving the Dentrix developers a professional black eye. I declined his offer of a consultation fee but agreed to remove the video after making it clear to him that my sole motivation was to get HSD to take the security in G5 more seriously.

 

15.  On August 9, 2012, Dentrix offered me the opportunity to beta-test Dentrix G5 Productivity Pack 1. The service pack was supposed to include some security enhancements. I declined their offer because of the non-disclosure clause in the agreement, but it was my understanding at the time that Productivity Pack 1 included a purported Fix for packet sniffing the password on the network.

 

16.  In September 2012, and unrelated to the Dentrix G5 issues described above, I discovered that a dentist using an earlier version of Dentrix had suffered a data security breach, and that his entire patient database with over 11,000 patients’ protected health information had been uploaded to a torrent site in plain text. I notified the dentist (Dr. DiGiallorenzo of Williamsport, Pennsylvania). I also notified Dentrix of the breach, as their entire software for Dentrix 11.0 had also been uploaded to the torrent site, where anyone could download their proprietary software. In discussing the breach with Dentrix, I took the opportunity to point out that this breach showed why having genuine encryption for the patient database was important.

 

17.  By October 2012, Dentrix was still advertising G5 as providing encryption but still had not effectively addressed the two major security issues with G5 described previously: the hard-coded credentials issue and the use of “standard encryption” that was not genuine encryption. I informed Dentrix that I might report my concerns to US-CERT.

 

18.  In response, I received a phone call from Howard Bangerter, Dentrix’s Product Manager, saying, in part, that the Henry Schein legal team works on Christmas and they are not someone I want to mess around with. In a subsequent call, he asked me if I had noticed who had viewed my LinkedIn account.

 

19.  On October 7, 2012, I alerted the United States Computer Emergency Readiness Team (US-CERT) to the hard-coded credentials issue (Appendix D contains a copy of my e-mail to US-CERT).

 

20.  Also on October 7 2012, I received a voicemail from Howard Bangerter, telling me “I'm not sure you're gonna be happy about what's happened here.” At the time, I had no idea what he meant.[10] 

 

21.  According to their records, on October 15, 2012, US-CERT notified Dentrix of the packet sniffing vulnerability.[11]

 

22.  Even after submitting a report to US-CERT, I continued trying to encourage Dentrix to stop describing their product as providing “encryption.”

 

23.  Despite my efforts, in November of 2012, Dentrix gave an interview in which it promoted G5’s encryption as providing greater security and helping dentists comply with HIPAA.[12] After I read the article, I contacted Steve Roberts, Dentrix’s Director of Product Strategy.  I inquired about the article’s claims regarding “storing and transmitting patient data,” asking him how Dentrix G5 was storing and transmitting encrypted data without the use of Faircom’s Advanced Encryption. I also asked him about the problem of finding the ADMIN hard-coded password that was the same for all Dentrix installations. He told me he would look into the statements Dentrix had given DentalTown in the interview, and told me that Faircom and Dentrix had previously met to review the statements given. I never heard back from Dentrix regarding these issues. Following that email to him, everyone I knew at Dentrix stopped communicating with me, except for Ryan Beardall (Support Operations and Technical Mentor) for Dentrix Technical Support.

 

24.  On December 17, 2012, Dentrix released Productivity Pack 1. My testing revealed that despite their attempt to address the hard-coding vulnerability, I could still find the hard-coded passwords to the Dentrix G5 database.

 

25.  On April 26, 2013, US-CERT released a security advisory that confirmed my findings and concerns about Dentrix G5’s hard-coded database credentials.[13]  Their advisory included a vendor statement from Henry Schein Dental[14] and recommended users deploy PP1 Hotfix1.[15]

 

26.  On April 29, 2013, I notified US-CERT about Faircom’s/Dentrix’s claims of “encryption” when there was no encryption but only data obfuscation. I also posted a YouTube video that demonstrated the problem.

 

27.  On June 10, 2013, US-CERT released a security advisory regarding flaws in Faircom Standard Encryption.[16] The “encryption” Dentrix G5 had touted in its marketing was described by US-CERT as a “weak obfuscation algorithm that may be unobfuscated without knowledge of a key or password.”

 

28.  In response to US-CERT rejecting its description as “encryption,” Faircom agreed to re-brand its “standard encryption” option as “data camouflage.”

 

29.  On June 16, 2013, the National Institute of Standards and Technology (NIST) also issued an advisory about Faircom’s “standard encryption.”[17]

 

30.  Despite government concerns and Faircom’s re-branding, from June 2013 until January 2014, Dentrix continued to market G5 as providing “encryption.”

 

31.  In December 2013, I was contacted by “Dissent Doe” of PHIprivacy.net, a patient privacy advocate and breach blogger. Doe was following up on a report on WNEP about the DiGiallorenzo breach I had discovered.[18] She informed me that as a result of her investigation, she, too, had become concerned about Dentrix’s claims of encryption in G5.

 

32.  In January 2014, Doe reportedly spoke with Rhett Burnham of Dentrix to discuss their marketing of G5 as providing “encryption.” According to her report of the meeting (which Dentrix did not dispute), Dentrix maintained that it could continue to call its security “encryption” under HIPAA’s definition. Doe and cryptographers she subsequently interviewed and quoted in her blog entry publicly disagreed.[19] Shortly after she published her concerns with supporting statements by cryptographers, Dentrix reversed their position and re-branded its security in G5 as “data masking.”

 

33.  Since re-branding G5’s security in January 2014, Dentrix has published an article on data security in its newsletter[20] and has had certain advertisements on external sites updated or corrected. It has also replaced references on its website to “encryption” with “data masking.” But it has reportedly declined to send individual notification letters to G5 customers to explain to them that what they purchased and believed was “encryption” was not and is not encryption. [21]

 

34.  Because they marketed weak obfuscation as “encryption” and because they continued to market it that way after it should have been clear that they should not be describing it as encryption, and because they have failed to individually notify those who purchased G5, there may be many dentists still laboring under the misimpression that G5 encrypts their patient data, like the dentist in California whose computer was stolen and who then innocently but mistakenly reassured his patients that their stolen data were encrypted.[22]

 

35.  Because millions of patients’ protected health information continues to remain at risk given the security flaws and vulnerabilities in G5, and because Dentrix made misleading marketing claims that it has not adequately corrected by contacting all its customers to inform them, I urge the Commission to take action to protect patients and consumers and to use its authority to address this situation.

 

(Signed) ________________________________

Justin Shafer

 


 

Appendices

 

  1. Email to Howard Bangerter of Dentrix dated April 28, 2012 regarding unencrypted packets, my post on DentalTown, and a YouTube video I had created.
  2. Email to Howard Bangerter dated May 2, 2012 regarding Dentrix G5’s lack of true encryption.
  3. Email to Howard Bangerter dated June 25, 2012 demonstrating (using fake data displayed in .gif file) that Social Security numbers are exposed in plain text in G5. 
  4. Email to US-CERT dated October 7, 2012 regarding Dentrix G5 hard coded credentials issue.


Appendix A

Appendix B

Appendix C

Appendix D

[3] Dentrix would later attempt to address this vulnerability through updates and Hot Fixes, but based on information and belief, they still do not permit administrators to set their own username and password.

[4] Packet sniffers are readily available to network administrators who use them to troubleshoot problems, but are also readily available to cybercriminals who use them to obtain information such as usernames and passwords that are being transmitted in plain text.

[7] Although the vulnerability rests in Faircom’s module, it was Dentrix’s decision to use that option instead of Faircom’s Advanced Encryption Standard, which would have provided NIST-grade AES encryption. Similarly, it was Dentrix’s decision to hard-code administrator login credentials instead of allowing dentists to set their own credentials.

[8] These are just a small sample of numerous communications via e-mail and phone.  Should the Commission need additional documentation that HSD/Dentrix was informed of their misleading marketing claims, I can provide it.

[9] I was not disclosing anything I learned from them or the Summit. To the contrary, I was disclosing what they had not been transparent about – their security design flaws and vulnerabilities.

[10] I preserved the voicemails mentioned in this statement should they be needed.

[11] Coincidentally, perhaps, shortly thereafter, my mugshot from a 2001 arrest was posted on mugshot.com. It had never appeared on the Internet before and the accompanying text indicated,  “This Official Record was collected from a Law Enforcement agency on 10/22/2012.” After seeing that, I recalled Bangerter’s message about LinkedIn. I checked my infrequently used LinkedIn account and received a notification from LinkedIn that a lawyer from Proskauer Rose had viewed my profile. Proskauer Rose is HSD's external counsel.

[12] http://www.dentaltown.com/dentaltown/article.aspx?i=304&aid=4146

[14] http://www.kb.cert.org/vuls/id/JALR-8ZRHUK. HSD is correct that a firewall provides some protection, but given how often firewalls are breached, the hard-coded credentials issue remains a significant concern, and one that HSD could have avoided by allowing customers to set their own login credentials.

[15] Because I had reported still being able to obtain username and password despite Productivity Pack 1, Dentrix came out with PP1 Hotfix 1 in February 2013, and US-CERT listed that as the solution. As subsequent testing revealed, however, Hotfix 1 did not solve the problem, either. I have been able to gain access to Dentrix databases throughout all of the patches released to date, without having physical access to a server.

FBI Atlanta has returned my stuff!


I made a complaint about the FBI in Dallas a while back. I haven't heard anything, but last Friday the Atlanta FBI called me wanting an address to send my stuff back to.

And it all arrived! I threw most of it away, except for an old MacBook Pro, a Surface 2 tablet and a Seagate FreeAgent 2TB drive.

I now have ALL the files I ever downloaded during 2016/2017... except MedEvolve, because I deleted that myself. Huh.




Eaglesoft 20 Authentication

Someone sent me an email about this, and I thought I would share.

Via email, from Alan:
Open Eaglesoft, open the Database Navigator, drop to a console and run this command:

WMIC /OUTPUT:Process.txt path win32_process get Caption,Processid,Commandline

And you will get this:

dbisqlc.exe "C:\EagleSoft\Shared Files\dbisqlc.exe" -cDBN=DENTSERV;DSN=DENTAL;UID=PDBA;PWD=fK)ZAqhDc/yvg!x`1k=IpxUC#HQKEcL4

Now you know the PDBA password, in this case fK)ZAqhDc/yvg!x`1k=IpxUC#HQKEcL4. Have fun!

https://pattersonsupport.custhelp.com/app/home
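What the one-liner above shows is that the Database Navigator launches dbisqlc.exe with the DBA user and password on its command line, and process command lines are readable by any account that can query Win32_Process (your own processes as a normal user, every process when elevated). They also land in Security event 4688 when command-line auditing is enabled and in Sysmon event 1, so the secret ends up in logs as well. The script below is an added example, not the page author's tool and not anything from Patterson: it scans running processes for credentials passed on the command line, using Get-CimInstance because Microsoft has deprecated WMIC. The regex patterns, the helper names and the sample command line (with a made-up password) are mine.

```powershell
# Added example, not from the page's author or from Patterson: hunt every running
# process for credentials handed over on its command line. Run elevated to see all users.

# Patterns for secrets in ODBC/database connection strings and common CLI switches.
# The named group "secret" captures the credential value.
$CredentialPatterns = @(
    '(?i)(?:^|[;\s"])(?:PWD|PASSWORD)\s*=\s*(?<secret>[^;\s"]+)',          # ...;UID=x;PWD=y
    '(?i)(?:--password|/pass(?:word)?|-pw)(?:[=:]|\s+)(?<secret>[^\s"]+)'  # --password=y, /pass y
)

function Find-CommandLineSecret {
    param([Parameter(Mandatory)][string] $CommandLine)
    foreach ($re in $CredentialPatterns) {
        $m = [regex]::Match($CommandLine, $re)
        if ($m.Success) { return $m.Groups['secret'].Value }
    }
    return $null
}

function Hide-Secret {
    param([Parameter(Mandatory)][string] $Secret)
    # Keep a 3-character prefix so a finding can be matched to a known account,
    # but never write the full value into a report or a ticket.
    $Secret.Substring(0, [Math]::Min(3, $Secret.Length)) + ('*' * [Math]::Max(0, $Secret.Length - 3))
}

function Get-ProcessCredentialExposure {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CommandLine } |
        ForEach-Object {
            $secret = Find-CommandLineSecret -CommandLine $_.CommandLine
            if ($secret) {
                # GetOwner fails for some system processes; Domain/User are then empty.
                $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
                [pscustomobject]@{
                    ProcessId = $_.ProcessId
                    Parent    = $_.ParentProcessId
                    Name      = $_.Name
                    Owner     = '{0}\{1}' -f $owner.Domain, $owner.User
                    Secret    = Hide-Secret -Secret $secret
                }
            }
        }
}

# Constructed sample that mirrors the dbisqlc line quoted above, with a made-up password:
$sample = 'dbisqlc.exe "C:\EagleSoft\Shared Files\dbisqlc.exe" -cDBN=DENTSERV;DSN=DENTAL;UID=PDBA;PWD=Not-The-Real-One!'
Find-CommandLineSecret -CommandLine $sample    # prints Not-The-Real-One!

# Live scan of this host; the parent PID tells you which GUI launched the tool.
Get-ProcessCredentialExposure | Format-Table -AutoSize
```

Finding a hit is the easy part; the fix belongs with the vendor, since any launcher that puts a password in argv cannot hide it from other local processes.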

Eaglesoft 21.30 Authentication


I thought I would take a look at Eaglesoft 21.30 authentication. This is pretty good.



The WCF server and client have added message headers to the messages. The client adds the CustomerID, UserID, UserPassword, and DatabaseInfo (based on the connection string) to the message header, and the server validates these before replying to the GetServerDatabaseUserInfo method. That bundle is called a Tenant. One caveat: a secret carried in a message header keeps unauthenticated callers out, but whether someone on the LAN can read those header values in transit depends on the binding's transport or message security, which is not shown here.

Before: 21.00

StartService(typeof(SetupService), typeof(ISetupService), "SetupService");

After: 21.30

StartService(typeof(SetupService), typeof(ISetupService), "SetupService", false, true, true, ServiceDependency.SetupService);

StartService is like this:

private void StartService(Type instance, Type contract, string serviceName, bool useStreaming = false, bool requiresMessageHeader = true, bool useSilentInstallInspector = false, ServiceDependency serviceDependency = ServiceDependency.Invalid)

requiresMessageHeader = true helps a lot!

Great Work!

https://stackoverflow.com/questions/1426179/how-to-restrict-access-to-a-wcf-service-with-a-shared-key

Well, I guess I won't be writing a multi-threaded customer id guesser for fun anymore. Mission Accomplished.
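To make concrete what a required per-message header check looks like on the server, here is an added example written for this post (it is not Eaglesoft's or Patterson's code, and nothing here was decompiled from the product): a WCF dispatch message inspector that rejects any request missing the CustomerID, UserID and UserPassword headers named above and verifies the password against a stored salted PBKDF2 hash, plus the client-side call that attaches the headers. The header namespace, the ITenantStore lookup, the hashing parameters and leaving the DatabaseInfo header out are assumptions.

```csharp
// Added example (not Eaglesoft/Patterson code): require and validate tenant
// headers on every request. Header namespace, ITenantStore and hashing
// parameters are assumptions.
using System;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public struct TenantCredential { public byte[] Salt; public byte[] Hash; }

public interface ITenantStore
{
    // Assumed lookup; returns false for unknown customer/user.
    bool TryGet(string customerId, string userId, out TenantCredential cred);
}

public sealed class TenantHeaderInspector : IDispatchMessageInspector
{
    public const string Ns = "urn:example:tenant";   // assumed header namespace
    private readonly ITenantStore _store;
    public TenantHeaderInspector(ITenantStore store) { _store = store; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        string customerId = ReadHeader(request, "CustomerID");
        string userId     = ReadHeader(request, "UserID");
        string password   = ReadHeader(request, "UserPassword");

        // Unknown tenant and wrong password take the same path and raise the
        // same fault, so the endpoint does not confirm which customer IDs exist.
        TenantCredential cred;
        bool known = _store.TryGet(customerId, userId, out cred);
        byte[] presented = Pbkdf2(password, known ? cred.Salt : new byte[16]);
        bool ok = known && FixedTimeEquals(presented, cred.Hash);
        if (!ok)
            throw new FaultException("Authentication failed.");
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    // A request without the header is refused before the operation runs.
    private static string ReadHeader(Message request, string name)
    {
        int idx = request.Headers.FindHeader(name, Ns);
        if (idx < 0)
            throw new FaultException("Missing required message header.");
        return request.Headers.GetHeader<string>(idx);
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
            return kdf.GetBytes(32);
    }

    // Constant-time comparison so hash mismatches do not leak timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Endpoint behavior that installs the inspector on the dispatch runtime.
public sealed class TenantHeaderBehavior : IEndpointBehavior
{
    private readonly ITenantStore _store;
    public TenantHeaderBehavior(ITenantStore store) { _store = store; }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
    {
        endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new TenantHeaderInspector(_store));
    }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Client side: attach the headers inside an OperationContextScope before the call.
public static class TenantClient
{
    public static void AddHeaders(OperationContext ctx, string customerId, string userId, string password)
    {
        var h = ctx.OutgoingMessageHeaders;
        h.Add(MessageHeader.CreateHeader("CustomerID",   TenantHeaderInspector.Ns, customerId));
        h.Add(MessageHeader.CreateHeader("UserID",       TenantHeaderInspector.Ns, userId));
        h.Add(MessageHeader.CreateHeader("UserPassword", TenantHeaderInspector.Ns, password));
    }
}
```

Register the behavior with `endpoint.Behaviors.Add(new TenantHeaderBehavior(store))` on the host, and on the client wrap the call in `using (new OperationContextScope(client.InnerChannel)) { TenantClient.AddHeaders(OperationContext.Current, ...); client.GetServerDatabaseUserInfo(...); }`. The password travels as a plain SOAP header, so the binding must provide transport security; and because every failure returns the same generic fault, an unauthenticated caller cannot enumerate valid customer IDs one header at a time, which is what makes a guesser pointless.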



Eaglesoft SSN Decryption


I was recently asked by a client to decrypt Eaglesoft SSNs to aid in an Open Dental conversion. So I said okay. And I did it. So from now on, Open Dental conversions will get the SSN.





I still have all that PHI from the FBI


Yes. I still have all these files from the Dallas FBI and Atlanta FBI. I don't think they were supposed to give me these files. I say that because that's what Ronnie Buentello told me personally. He said, "naturally". We even discussed all this for my plea agreement, because I downloaded so many files with people's SSNs and health info, stuff I found using Google, etc.

Anyways, I made complaints, etc... Tried to get journalists to care, but nobody does. I don't think that is right. To date, I have made the government $600,000. It could have been much higher if the HHS Office of Civil Rights had actually investigated everything I found. Stuff like Dansville Dental, not even Patterson Dental, paid a fine for all my troubles. They own Eaglesoft.

The FBI has been a thorn in my side for the following reasons:

1. They sent a van to scare me back in 2012, it was over a Dentrix Torrent I found

2. They raided me over me finding a file in the public. They beat up my car in the process, and laughed at me, and my work with Dentrix.



3. They raided me again, claiming I was the mastermind of TheDarkOverlord. They fabricated this, and I still don't know how they did it; it was the Atlanta FBI this time.

4. They then claimed I caused an agent emotional distress. Accusing me of cyber-stalking, when their case was falling apart, a judge named Jeffrey Cureton claimed I stalked him too. Long story short, the new judge hated all of this, got us all on the phone, and said they needed to offer me a misdemeanor.

5. Then, they don't give me back the files we agreed upon. They trick me, I pay an attorney $2500.00 to go with me to get my stuff, and all they gave me were magazines and a phone... but we discussed what files I wanted vs. what they could delete.

6. Ronnie met me at a Starbucks claiming they "aren't that big of dicks" and gave me a hard drive with my family videos. I was happy, but not happy I didn't have my stuff we agreed upon. He also told me he was present for the original raid, and that made me wonder if Ronnie was one of the guys who stayed behind after everyone left, to beat up my car. I don't know who, because Nathan wouldn't allow me to go inside and see. Which is illegal, at anytime, I could have left.

7. After me sending an email, making fun of the FBI for losing CFAA with Supreme Court, by a cop no less... they overnight all my stuff, including an insult on a drive that said JMSsucksASS. And they did a piss poor job of actually erasing the data!

8. I make complaints, so in response, the Atlanta FBI gives me back everything I downloaded.

9. I.. fix Eaglesoft... Because this is what started a lot of it.. Them and Dentrix. =)

10. .... I am now super annoying, and I want the government to explain why all this happened. Why they gave me, by my estimate, around 800,000 Social Security Numbers. All the hard drives they gave me back are hiding in a dental office attic. The owner knows they are in the attic, but doesn't know where. Only I do and another person. This is in case I suddenly fall out of a window in my 1st floor apartment. The "squeaky wheel" method has never let me down.


Then there are cases like this woman here. She is missing $2,000.00 #PinkyOut

I still have all these files from the FBI


Yes. I still have all these files from the Dallas and Atlanta FBIs. I don't think they were supposed to give me these files. I say that because that's what Agent Ronnie Buentello told me personally. He said, "Naturally." We even discussed all this for my plea agreement because I downloaded so many files with people's SSNs and health info, stuff I found using Google, etc.

Anyways, I made complaints, etc. I tried to get journalists to care, but nobody did. I don't think that is right. To date, I have made the government $600,000. It could have been much higher if the HHS Office of Civil Rights had investigated everything I found. Stuff like Dansville Dental, not even Patterson Dental, paid a fine for all my troubles. They own Eaglesoft.

The FBI has been a thorn in my side for the following reasons:

1. In 2012, someone sent a van to scare me, in addition to a phone call from the FBI; I think it was over a Dentrix Torrent I found. They said, "If you love your kids," then drove away. My old pretrial release officer, Robert Honstein, told me it was Henry Schein. I doubt that. This would be the first time I heard from FBI Agent Nathan Hopp, who called me to ask about it. He told me I didn't want to get another call from the FBI. 

2. In May 2016, they raided me over me finding a file in the public. They beat up my car in the process and laughed at me and my work with Dentrix. Even though Dentrix was fined for lying about encryption, the FBI did not care.



3. In January 2017, they raided me again, claiming I was the mastermind of TheDarkOverlord. They fabricated this, and I still don't know how they did it; it was the Atlanta FBI this time. TDO would like to talk to me on Twitter sometimes, and I notified the FBI then. I emailed the FBI a database they sent me, asking for help. This was ignored.

4. They then claimed I caused an agent emotional distress. Accusing me of cyber-stalking, a judge named Jeffrey Cureton claimed I stalked him when their case was falling apart. The new judge hated all of this, got us on the phone, and said they needed to offer me a misdemeanor.

5. In 2018, while on probation, I found MedEvolve. I did this to see what would happen. I deleted the data after I was certain MedEvolve would tell the Office of Civil Rights about the leak. I no longer have this data. I also found a dental office in McKinney, TX, that was exposing their PMS database to the internet; I informed Agent Buentello at the Dallas FBI that I would help them, which I did. Their IT guy stuck the server in the DMZ, and I had it removed. They had also been attacked with ransomware twice; the server admin password was a dictionary word and the MySQL root password was blank. This was to convince the FBI they had won me over, like faking Stockholm syndrome. Plus, it helped patients, etc. I really just wanted my stuff back. I also did this Facebook thing.

5. In 2019, they still hadn't returned anything. The FBI then tricked me; I paid an attorney $2500.00 to go with me to get my stuff at the Dallas FBI, and all they gave me were magazines and a phone... but we discussed what files I wanted vs. what they could delete.

6. In and around June 26th, 2019, Agent Buentello met me at a Starbucks, claiming they "aren't that big of dicks" and gave me a hard drive with my family videos. I was happy, but not happy I didn't have my stuff we agreed upon. He also told me he was present for the original raid, making me wonder if Agent Buentello was one of the guys who stayed behind after everyone left to beat up my car. I don't know who because Agent Nathan Hopp wouldn't allow me to see inside. Which is illegal, and at any time, I could have left. Agent Buentello also informed me that Nathan was his boss when we were at Starbucks. Nathan is the person who accused me of stalking.

7. In and around June 6th, 2021, after I sent an email making fun of the FBI for losing CFAA with the Supreme Court, by a cop, no less... the Dallas FBI overnights all my stuff, including an insult on a drive that said JMSsucksASS. And they did a piss poor job of actually erasing the data!





8. Around April 7th 2023, I complained about the Dallas FBI to the US-DOJ about all this. A guy named Brian Luley passed my complaint along to the FBI. He specializes in lie detection, and when I found out, I emailed him, saying I was willing to take a polygraph test. I am!



In addition to the complaint, I made some FOIA requests.

9. Around June 2023, the Atlanta FBI called me and wanted an address to send the stuff they took. And they didn't format anything. They gave me back everything I downloaded. So this is the answer to my complaint about the government giving me Social Security Numbers I found online? What?

Here are Cornelius Toma's scanned insurance cards, for example. I think he passed away. What does HIPAA say about that?



10. I fixed Eaglesoft authentication... This is what started a lot of it. Them and Dentrix. The encryption seems a bit whack to me. 

11. I made a complaint against the Atlanta FBI, but haven't heard anything.

12. 2024.... I am now super annoying, and I want the government to explain why all this happened. Why they gave me, by my estimate, around 800,000 Social Security Numbers, the largest being Community Healthplan of Washington. All the hard drives they gave me back are hiding in a dental office attic. The owner knows they are in the attic but doesn't know where. Only I do and another person. This is in case I suddenly fall out of a window in my 1st-floor apartment. The "squeaky wheel" method has never let me down.

They shouldn't have given me these files back because if my SSN was in them, I wouldn't want someone else to have it. DUH. The Office of Civil Rights should have investigated these data leaks, but many were not. That's what HIPAA laws say. I feel like these FBI agents should be deposed by someone to explain why they did this. In my dreams, right?

These files have been given to VXUnderground and Brian Luley at US-DOJ for analysis and holding onto, as well as the dental office attic method. Someone else should verify my claim. If only someone on my list actually cared, but nobody does. Not even the Doctors.

Then there are cases like this woman here. She is missing $2,000.00 #PinkyOut

Another great sermon

Apteryx XV with Dexis Titanium\Gendex IXS Sensors

I realized that Apteryx XV cannot use newer Dexis Titanium and Gendex IXS sensors, so if you run into this problem, give me a shout! This method does not involve Twain.


Capture Button software for MacOS and Linux


I haven't posted about cameras in a while. I wrote capture button software for MacOS and Linux for the smaller segment of dentists that will actually use this stuff. It only works on the PerfectCam intraoral camera.

On Linux I got it working in X11 and Wayland with KDE and GNOME. This uses V4L2 to talk to the camera, and I created a virtual keyboard daemon to output the keystrokes.

Mainly for a program called Clear Dental. I need to write a manual for the IOC Snapshot website.



And on MacOS I got it working with Intel and Apple Silicon. This uses libusb.