Justin Shafer’s Record of Finding Security Vulnerabilities

Who is Justin Shafer?

Justin Shafer is known among cybersecurity professionals around the world as a white-hat security researcher.

He has been publicly credited at least three times by Carnegie Mellon University’s Software Engineering Institute (SEI), which is sponsored by the Cybersecurity Division of the Department of Homeland Security, for his work in discovering security vulnerabilities. It’s been estimated that the identities of half a million patients were protected by the expertise and actions of Justin Shafer.

Below are the three serious vulnerabilities that Justin Shafer responsibly reported to U.S. authorities between 2013 and 2016.


Vulnerability Note VU#948155
http://www.kb.cert.org/vuls/id/948155

Henry Schein Dentrix G5 uses hard-coded database credentials shared across multiple installations

“Thanks to Justin Shafer for reporting this vulnerability.” – CERT, April 26, 2013


Vulnerability Note VU#900031
http://www.kb.cert.org/vuls/id/900031

Faircom c-treeACE database weak obfuscation algorithm vulnerability

“Thanks to Justin Shafer for reporting this vulnerability.” – CERT, June 10, 2013


Vulnerability Note VU#619767
http://www.kb.cert.org/vuls/id/619767

Open Dental installs with default database credentials

“Thanks to Justin Shafer for reporting this vulnerability.” – CERT, September 6, 2016


* CERT stands for Computer Emergency Response Team, an expert group that handles computer security incidents.

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University is the worldwide center for coordinating information about Internet security. It was the first CERT and remains the best known.

RECENT NEWS AND BLOG ARTICLES ABOUT JUSTIN SHAFER

Engadget: engadget.com/2017/10/24/doj-demands-twitter-account-info-over-public-data-search/

Reason.com: reason.com/blog/2017/10/24/doj-fishes-for-twitter-info

Vanity Fair: https://www.vanityfair.com/news/2017/10/justice-department-demands-five-twitter-users-personal-info-over-an-emoji

A security researcher embarrassed the D.O.J., and the F.B.I. retaliated with a subpoena.

Tech Dirt: techdirt.com/articles/20171023/18275838465/doj-subpoenas-twitter-about-popehat-dissent-doe-others-over-smiley-emoji-tweet.shtml

The crazy story of how the DOJ issued a subpoena to Twitter attempting to identify five Twitter users, not because of anything they had done, but because someone else the DOJ disliked — a security researcher named Justin Shafer — had tweeted an emoji at them in response to a discussion about a different case.

techdirt.com/articles/20171025/11290738482/dojs-bizarre-subpoena-over-emoji-highlights-ridiculous-vendetta-against-security-researcher.shtml

DataBreaches.net: databreaches.net/is-a-vendetta-by-the-fbi-keeping-an-innocent-man-in-jail-or-has-doj-just-lost-its-mind-altogether/

databreaches.net/doj-subpoenas-twitter-about-popehat-dissent-doe-and-others-over-a-smiley-emoji-tweet/

Associate’s Mind: associatesmind.com/2017/10/25/doj-subpoena-twitter-smiley-assault-with-a-deadly-tweet-part-viii/

New York Magazine: nymag.com/selectall/2017/10/doj-subpoenas-twitter-users-over-smiley-face-emoji-tweet.html

DOJ Subpoenas Twitter Users Over Smiley-Face-Emoji Tweet

Popehat (First-Amendment Law Blog): popehat.com/2017/10/24/in-which-my-identity-is-sought-by-federal-grand-jury-subpoena/

https://twitter.com/truefire_/status/737037042920488960

Daily Dot: dailydot.com/layer8/justin-shafer-fbi-raid/

FBI raids security researcher who discovered private patient data on public server

Someone alerts you to exposed, unencrypted patient information on your FTP server. Is the correct response to thank them profusely or try to have them charged as a criminal hacker?

Hacker News (Y Combinator): news.ycombinator.com/item?id=15549632

Below is the voice of the first witness in the Rivello case.

Related: Judge Dismisses Twitter Stalking Case (2011)