I thought I would make a blog post about the time I found a data leak. I was up late one night, similar to right now. I was hunting for leaks and I decided it would be fun to search filemare.com. I liked to search Filemare. Filemare.com WAS a search engine that indexed public FTP servers instead of WWW.
For context, I had been raided by the FBI in May 2016 for downloading a file from a public FTP server, and the company claimed I "hacked them", which is called CFAA or USC 18 1030a, a felony. It got a lot of publicity because nobody in the tech industry had ever heard of such a thing. People download files from public FTP servers as well as HTTP all the time. The onus was on the FBI, and me being me, I decided I would help them in their quest. And the best way to do that is to make them feel stupid. This ended up being an unwise move in the end, and it taught me a lesson in how to treat people. Most of the time anyways; I guess you could say I am a "recovering asshole". If I found an FTP server with PHI I would usually email it to the guy who was in charge of my raid. Just to make sure we are clear. I got upset at times and got emotional, mainly because of the car. Midlife crisis I guess.
Anyways, I searched for the word HIPAA and it came back with a server with odd-looking XML data, and when it loaded in the browser, it just kept loading and loading because there was SO MUCH DATA.
I am sure my initial assessment was incorrect lol. But I did mess with some XML libraries for a bit.
I also found info.zip on the FTP server which meant the account used for public viewing could also write to the FTP server. There was a virus going around the internet looking for public FTP servers that allowed write access, and if that was allowed, would copy itself to the FTP server.
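On the server side, a file like that appearing under the public account shows up in the transfer log as an incoming transfer made in anonymous access mode. The following is an added example, not code from this post: it scans a log in the xferlog format (used by wu-ftpd and supported by vsftpd and ProFTPD) for such uploads. The sample lines, addresses and paths are constructed.

```python
from collections import namedtuple

Upload = namedtuple("Upload", "when host size path status")

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
Thu Nov  3 02:14:07 2016 1 203.0.113.7 20480 /pub/info.zip b _ i a mozilla@example.com ftp 0 * c
Thu Nov  3 02:20:41 2016 4 198.51.100.23 734003200 /pub/export/claims.xml b _ o a guest@example.org ftp 0 * c
Thu Nov  3 09:02:13 2016 2 192.0.2.50 5120 /home/etl/daily report.csv b _ i r etl ftp 0 * c
not an xferlog line
Fri Nov  4 01:11:59 2016 1 203.0.113.9 512 /pub/incoming/x.tmp b _ i a anon@ ftp 0 * i
"""


def anonymous_uploads(log_text):
    """Return every incoming transfer performed by an anonymous session.

    xferlog layout: 5 date tokens, transfer-time, remote-host, file-size,
    filename, then 9 fixed fields ending in completion-status. The filename
    may contain spaces, so it is taken as whatever lies between the first
    8 and the last 9 tokens.
    """
    found = []
    for line in log_text.splitlines():
        tok = line.split()
        if len(tok) < 18 or not tok[7].isdigit():
            continue  # not a transfer record
        head, tail = tok[:8], tok[-9:]
        path = " ".join(tok[8:-9])
        direction, access_mode, status = tail[2], tail[3], tail[8]
        # direction "i" = upload to the server, access mode "a" = anonymous
        if direction == "i" and access_mode == "a":
            found.append(Upload(" ".join(head[:5]), head[6],
                                int(head[7]), path, status))
    return found


if __name__ == "__main__":
    for u in anonymous_uploads(SAMPLE_LOG):
        state = "complete" if u.status == "c" else "incomplete"
        print(f"{u.when}  {u.host}  {u.size:>8} bytes  {u.path}  ({state})")
```

Any hit means the anonymous account has write permission somewhere on the server, which a read-only public share should never need.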
I also checked the openftp4 repository on GitHub, which was a snapshot of every public FTP server in the IPv4 address space shortly after my raid, which shows something called a Banner. A Banner is what you see when you log in to the FTP server and it showed if it allowed "anonymous access" which means public.
I still have a screenshot and there is so much data you might as well just imagine a 100% redacted document.
I decided to show all my friends on Facebook so they could witness this, as this breach was SO large I wanted some other folks to see what I was seeing. Why? Because companies just LOVE to LIE. And the FBI doesn't give a sh*t. They will even vandalize a car if you're a smart ass about it. So... have fun going after my Facebook friends for something that isn't illegal. That was my thinking back then, and the Supreme Court ruled that I WAS RIGHT in mid-2021. This is the reality/society we live in. The federal government would at one time raid you at the behest of some company, because... you downloaded a file that some IT guy didn't secure. Land of the Free and Home of the Brave, you say?
Anyways, I helped 400K that time. This is still the largest I have found to date, the runner-up being MedEvolve. When I say "Data security is really cool on the cloud", it comes from this: https://www.dentaltown.com/magazine/article/2623/corporate-profile-curve-dental Which I think I blogged earlier about, and how full of sh*t I was for saying that.
Months later the FBI would go on to claim I stalked them by friend requesting an agent's wife with the message that I thought he was homosexual and was surprised he was married. Also I posted some back the blue image on my Facebook that scared them. There had been a recent shooting between an armed gunman and the Dallas Police Dept. And the FBI took that to mean... something stupid. But being stupid is nothing new to the FBI.
So much so that the agent's wife claimed she needed a firearm, armed security at her work, and she had to move out of her house for 2 weeks. Literally. When it got close to trial my actual judge (Judge Godsby) let me out of jail on First Amendment and the prosecution didn't like that. So they got another lower judge to claim I had cyber-stalked him too, from just emailing him regarding him signing search warrants to allow the FBI to raid me. So then, Judge Godsby had to recuse himself and they found a judge from Houston to try my case. And she seemed to side with me too, but that is for another story. Misdemeanor is what she thought would be a good idea, but not over FTP. Yes, to make the judge happy and save 20K at trial, I pleaded guilty to threatening an FBI agent's family member. But we all know what really happened, don't we? They also claimed I was the mastermind of "thedarkoverlord" hacking group. But that is also for another story.
Life got unreal. While I was in jail awaiting trial this person tweeted this image to me:
https://twitter.com/matter_2575/status/859579175648231424
This was interesting because it was an attachment I sent to 2 people to prove how long I had called someone at CHPW, just in case, because you have to make sure you have all this stuff. One was Jeff and the other was Bob Young, the Seattle Times guy. I should have recorded CHPW because they lied in their report to the Seattle Times. I left them my name and number and even tweeted to them as well.
"The incident began when someone left a phone message with the agency on Nov. 7. McGuire said she doesn’t have information about that person’s identity or motive. The caller, McGuire said, just indicated that they had identified a vulnerability in the computer network of the firm that provides the organization with technical services."
1. I never call something public a "vulnerability".
2. I always leave my info, and in fact, they returned my call. I called from my Google and Verizon phone numbers.
But the fact that someone was now tweeting this image to me from my private email meant either the Seattle Times reporter Bob Young was making fun of me, or the FBI had used the attachment to make fun of me and matter_2525 is an FBI agent, OR matter_2525 is a local HIPAA attorney named Jeff. I kind of doubt that but one never knows. He gave me 1K cash when I got out of jail which I am thankful for. But... maybe he felt guilty??
Funny fact: I thought the FTP server was managed by Dell, but Dell had sold this to NTTData very recently in that time and could have been Dell's fault for all we know. I went to see the @NTTDataServices account on Twitter and they had ALREADY blocked me. lol.
Anyways, this entire pissing match started over Patterson Dental having me raided over their FTP server mistake, which they NEVER were fined for by HHS for such a blatant HIPAA violation. I still have the data too, the FBI recently gave it back to me. I might even have this data but the drive doesn't work and I doubt it worked when the FBI went to "format" it or whatever they tried to do.. Sigh. Up until my FBI raid I had only found some FTP servers in my spare time (Grandstreet) but after my raid, I kicked my research into FULL GEAR. I have never REALLY blogged about it, and this post doesn't really count. Like the Nevada Marijuana Databreach... that was really cool. Not sure about NTT Data, or all the other FTP servers I found on the internet, like Dansville Dental (50K of Patients), or Patient's Choice which I wonder about, because they claimed 1069 patients when in reality it was 1069 pdf files, not patients. Doubt letters were mailed out. I personally submitted complaints with PHI and screenshots of Google search results, recorded phone conversations, their answer: We aren't going to investigate.
"Sorry, the Federal Government can't look stupid, by having you find patient data on public FTP servers"... click.
It is dumb to raid someone for downloading a file that didn't have ANY technological safeguards and was deemed public for anyone to download. But, we all knew that anyway... didn't we? I am sure I emailed my findings to the Dallas FBI at the time just to gloat.
As Dr. Larry Emmott would say: