1. 63

“To put it bluntly, I’m not sure I trusted Infosys to revoke this key in a timely manner. So I did it for them with aws iam delete-access-key --access-key-id=$AWS_ACCESS_KEY_ID, and now the key is useless”

= gold

  2. 31

    Ah, bodyshops gonna bodyshop.

    As someone who works in the healthcare space – here’s your daily HIPAA primer.

    In this case, HIPAA applies to Johns Hopkins as the covered entity. They’ll have a business associate agreement (BAA) in place with Infosys that allows Infosys to receive protected health information (PHI) and do stuff with it that the covered entity requests - ML stuff, in this case. If you ever stumble over PHI in the wild, while the business associate can be liable on their own, it’s often best to start with the covered entity. Look for their compliance/privacy/legal teams first – good infosec teams know what to do, but a privacy officer always does, even if they are a bad privacy officer.

    When the covered entity hears about this, they’ll freak out, lock things down, and investigate to decide if they need to make a notification of a breach. There are flowcharts that help[0], but step zero - which is often not on them - is always to ask “did we actually disclose anything?” In this case, if Infosys has IAM/S3 access logs that can show nobody saw those records, they were never disclosed – the tree fell but nobody was in the woods to hear it.

    If, however, Infosys can’t prove that? You have to assume a breach happened – this means sending a notification to every individual in those files & HHS no later than annually. If there were >500 people in the file? You additionally have to send a press release to local media & HHS within 60 days so you can appear on the wall of shame. Infosys & JHU get to fight out who pays any penalty, but assuming a BAA is in place it should roll to Infosys.

    [0]: this is probably not a great flowchart because HHS dropped the “risk of harm” standard a while back, but it’s one of the ones I can find that’s public so it’s an example at least.
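As an added illustration of the “did we actually disclose anything?” step above (example code written for this page, not from the thread, the blog author, Infosys or JHU): the function walks the Records array of CloudTrail log files and reports every S3 read operation signed with the exposed access key on or after the exposure date. The set of read operation names, the bucket name, the key IDs and the sample records are constructed assumptions.

```python
from datetime import datetime, timezone

# S3 API calls that return object contents or listings, i.e. the ones that
# would turn a leaked key into an actual disclosure of the records.
# (Assumed operation names; check them against your own CloudTrail events.)
READ_OPS = {"GetObject", "HeadObject", "SelectObjectContent", "CopyObject",
            "ListObjects", "ListObjectsV2", "ListBucket"}

def _ts(s):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def reads_by_key(records, access_key_id, bucket, exposed_since):
    """Return (time, op, object key, source IP) for every read of `bucket`
    signed with `access_key_id` at or after `exposed_since` (ISO string).
    `records` is the "Records" array of CloudTrail log files; S3 data events
    only appear there if data-event logging was enabled for the bucket, so an
    empty result is only evidence when that logging covered the whole window."""
    since = _ts(exposed_since)
    hits = []
    for ev in records:
        ident = ev.get("userIdentity") or {}
        params = ev.get("requestParameters") or {}
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue                       # IAM, STS etc. are not reads
        if ev.get("eventName") not in READ_OPS:
            continue                       # writes matter too, but not here
        if ident.get("accessKeyId") != access_key_id:
            continue
        if params.get("bucketName") != bucket:
            continue
        if _ts(ev["eventTime"]) < since:
            continue                       # before the key was exposed
        hits.append((ev["eventTime"], ev["eventName"],
                     params.get("key"), ev.get("sourceIPAddress")))
    return sorted(hits, key=lambda h: h[0])

# Constructed sample records (not real data): the leaked key reads the bucket
# once before and twice after the exposure date, another key reads it, the
# leaked key writes to it, and the key is finally deleted via IAM.
def _s3(time, op, key_id, bucket, obj=None, ip="203.0.113.10"):
    p = {"bucketName": bucket}
    if obj:
        p["key"] = obj
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": op,
            "userIdentity": {"accessKeyId": key_id}, "requestParameters": p,
            "sourceIPAddress": ip}

LEAKED = "AKIAEXAMPLELEAKED"   # placeholder, not a real key ID
SAMPLE_RECORDS = [
    _s3("2021-09-14T11:02:00Z", "GetObject", LEAKED, "phi-bucket", "cohort/patients.csv"),
    _s3("2022-11-01T09:15:00Z", "ListObjectsV2", LEAKED, "phi-bucket", ip="198.51.100.7"),
    _s3("2022-11-01T09:16:30Z", "GetObject", LEAKED, "phi-bucket", "cohort/patients.csv", "198.51.100.7"),
    _s3("2022-11-01T10:00:00Z", "GetObject", "AKIAEXAMPLEOTHER", "phi-bucket", "cohort/patients.csv"),
    _s3("2022-11-01T10:05:00Z", "PutObject", LEAKED, "phi-bucket", "cohort/notes.txt"),
    {"eventTime": "2022-11-02T08:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteAccessKey", "userIdentity": {"accessKeyId": "AKIAEXAMPLEADMIN"},
     "requestParameters": {"accessKeyId": LEAKED}},
]

if __name__ == "__main__":
    for hit in reads_by_key(SAMPLE_RECORDS, LEAKED, "phi-bucket", "2022-10-01T00:00:00Z"):
        print(hit)
```

Any hit is a disclosure to account for; an empty list only supports “never disclosed” if data-event logging for the bucket predates the exposure window.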

    1. 19

      I wouldn’t have deleted that key on their behalf. If it was running some kind of critical service it would now be failing, and services might be at risk, services potentially critical to human life. It’s also Unauthorized Access to a Computer and you shouldn’t trust a corporation to not take legal action against you when it has the opportunity.

      1. 5

The blog appears to be run by a British citizen who lives in London, so short of the US govt getting involved, there isn’t likely much Infosys could do, even if they got super duper upset about it.

        US laws do not apply outside of the US, despite the US not always acting like that’s the case.

        That said, I agree it wasn’t the best action they could have done, but hindsight is 20/20 and all.

        1. 2

          US laws do not apply outside of the US, despite the US not always acting like that’s the case.

          If you hack into something that’s hosted on US soil, or route traffic across US soil to do it, you can bet US law applies. The only question is whether the country you’re currently in will extradite you.

          Or, more simply: laws still apply just fine on the internet and you probably rely on that being true, whether you realize it or not.

          1. 6

            I completely agree that US laws apply on US soil, obviously they do. They just don’t apply outside the US at all, unless the other countries want them to apply. It’s the treaties and the UK’s willingness that matter here. It’s hard to say how the UK would handle this particular case, assuming the US govt got upset enough to bother the UK about it.

            My comment that you are quoting was more about: The US govt can generally bully their way into whatever they want in most places on the planet, since they currently have the largest military and economy around.

            1. 5

              The current UK prime minister is the son-in-law of the founder of infosys. So I don’t think it would take too much to inflict pain on the author of this blog.

              1. 3

Wow, that’s unfortunate for the OP. Though at the rate the UK is currently going through prime ministers, that may change tomorrow.

                1. 2

                  My first reaction would be “surely they wouldn’t do anything so petty?” but then I remember who is running the UK at the moment and now I’m not so sure.

                2. 2

                  Any type of network or equipment that’s on US soil is, well, on US soil. Any sort of entity you affect that’s on US soil is on US soil. Lots of things are actually on US soil.

                  “But the person sending the bytes over the wire wasn’t in the US” doesn’t change that. At best it just means now two countries can each carry out a prosecution, and the person hopes the one they’re currently in won’t do that and won’t extradite.

                  This isn’t some sort of completely new unheard-of never-before-considered untested thing, either. Extradition treaties, and other procedures for handling people who think they’ll evade punishment by being on the other side of a border, is something that literally goes back millennia.

                  1. 1

                    The only part I disagree with is: “At best it just means now two countries can each carry out a prosecution”.

                    This assumes the action is illegal in both countries. In this case, where the OP deleted the AWS key, that’s possible, but I wouldn’t say it’s certain. That’s for lawyers to fight over, if it ever gets that far.

                3. 4

                  US law does not apply outside the US, some Americans just think it does.

                  1. 3

                    If what you do passes through wires, networks, servers, routers, anything on US soil, then it was not “outside the US”.

                    Like I said to the other person: you probably, whether you realize/like it or not, rely on the fact that wherever you reside can in fact enforce its laws in this fashion, regardless of which country you reside in.

                    1. 2

                      If this comes as a surprise to anyone, consider the story of CSE TransTel, a telecom company, and its parent company CSE Global Limited, both based in Singapore. CSE TransTel signed a contract to install communications equipment inside Iran, and paid purchase orders to Iranian companies to support delivery & installation of their equipment. They made their payments out of a Singapore-based bank.

                      What’s the problem, you ask? They made payments out of an account denominated in US dollars. These payments were processed through the US financial system: as a result, the US government argued that the actions of an entirely foreign company using entirely foreign banks resulted in financial institutions in the US handling payments to Iranian companies, which violates sanctions against Iran. This created a US nexus that made otherwise totally legal actions impermissible under US laws.

                      CSE TransTel settled with OFAC for twelve million dollars. Why? They’re based in Singapore?! If they didn’t, they’d end up listed as a specially designated national and any US company or person would be legally barred from working with them or risk OFAC sanctions of their own.

                      The US legal system and enforcement regimes will take a very broad determination of jurisdiction, and any company – web hosting, infrastructure, payments – with a US connection are legally required to fall in line.

                      1. 2

                        From my other comment: The US govt can generally bully their way into whatever they want in most places on the planet, since they currently have the largest military and economy around.

                        Here CSE TransTel had to have known it was a bad idea to sell to Iran, since even their own government is less than pleased with Iran’s nuclear weapons program. They probably thought about it, and figured it was worth trying, got caught and eventually gave in, knowing their own govt wasn’t really on their side either.

I’m not necessarily against the US Govt’s bullying tactics, it helps the world just get stuff done sometimes, but it is a power they can (and arguably have) over-used sometimes.

                        1. 1

                          You seem to have a very specific political axe to grind, but it’s not applicable here.

                          To see why, imagine there’s a building near an international border, and someone on the other side of the border throws a rock across and breaks a window in the building. The country the building was in can call it a violation of their laws, even though the person who threw the rock wasn’t on their soil. Whether the person who threw the rock will actually be punished by the country the building was in depends on the existence and details of extradition treaties, but nobody should be surprised if that person gets extradited to face consequences in the country where the building was.

                          The internet didn’t change anything about this. If you send bits over wires, and some of those wires are in another country, that country’s laws apply. It’s not “bullying” or some sort of new, unique, just-made-up recent thing. Like I already said in another reply, we’re talking about things that political and legal systems have been dealing with for literally thousands of years at this point. Rather: a lot of people hoped and wished and wanted the internet to somehow provide a new, never-before-seen type of extraterritorial place where those political and legal systems couldn’t reach, but their wanting and wishing didn’t and hasn’t made it so. Instead, long-existing frameworks have been adapted as needed, and that’s that.

                          1. 1

                            You seem to have a very specific political axe to grind, but it’s not applicable here.

No? You seem to be misunderstanding what I’m saying perhaps? I’m a little confused by this comment.

Anyways, the US and the UK have an extradition treaty, and the UK government is happy to publish it here: https://www.gov.uk/government/publications/extradition-treaty-between-the-uk-and-the-usa-with-exchange-of-notes

I’m not currently an international lawyer and I haven’t read the whole thing, but skimming through it, it seems to say, in general, if it’s against the law in both countries, then they will automatically extradite people in either direction. Which seems totally reasonable to me.

                            Nowhere in there does it say that US laws apply in the UK, as that is straight up ridiculous. An easy example of how ridiculous that is: Guns are generally illegal in the UK and are generally not illegal in the US.

                            1. 1

                              You seem to be misunderstanding what I’m saying perhaps?

                              Over and over you single out one and only one country and talk about “bullying”.

                              Nowhere in there does it say that US laws apply in the UK, as that is straight up ridiculous.

                              The issue here is you are the one who is trying to argue that this is somehow “US law applying in the UK”. Not me.

                              I’ve explained to you multiple times now that it is an extremely normal and banal and accepted and uncontroversial idea that you can break the law of a country by committing acts that involve or have effect on entities or infrastructure in that country, even if your physical body was not physically within that country’s borders at the time.

                              But this is not the same as saying a particular country’s laws apply everywhere – thus the example of throwing a rock over the border and causing damage on the other side, which hopefully is a pretty clear and common-sense example of the underlying principle.

                              1. 1

                                Over and over you single out one and only one country and talk about “bullying”.

Would s/bullying/interfering/g be a better word for you? The US is far from the only one that does this type of behaviour. Generally it’s larger countries relative to smaller countries; that the US is the largest just makes them more effective at it.

                                The issue here is you are the one who is trying to argue that this is somehow “US law applying in the UK”. Not me.

                                Then I apologize for my part in our miscommunication. Though I find it very confusing that you think my position is that US law applies in the UK. Clearly we don’t seem to be communicating well during this course of conversation. With such gross miscommunication, it’s probably easier to just stop. Especially since the stakes for you and me are at worst some feelings being hurt. Have a pleasant and wonderful weekend!

              2. 4

                I mean, it’s sketchy, but it does seem to be a key used for development, and which had been inactive for a whole year. Granted, anyone who screws up by issuing AdministratorAccess keys to individual developers might also run some critical service under them, but given the context (running some statistical models over externally-hosted records from several sources) it appears rather unlikely that it was used to run anything critical to human life. The key was, after all, used by Infosys to run things at their end, not by JH.

I don’t wanna defend what the author did, I’m not sure I would’ve done it that way, either, but I do think it was quite safe to do from a technical standpoint. From a legal standpoint, based on my experience working with (and, sadly for my mental sanity, occasionally in) outsourcing companies, I doubt there is anyone at Infosys’ end who can a) read logs and b) is not on the verge of ragequitting, so there’s probably no one to notify the Legal team about it :-).

                1. 6

It might seem that way, but there was no way for the author to know. They should have reported to Infosys and Johns Hopkins.

                  As it is, the author has potentially harmed people and/or incurred liability.

                  1. 13

                    It seems like the author ended up doing that precisely because they couldn’t contact either JH or Infosys. There’s obviously no way to verify that, but I have been at the receiving end of the problem. Someone went public with several issues in a program that the company I was working for sold. The higher-ups got very butthurt, nasty press release came out…

                    …turned out the researcher had tried to contact them through several separate channels, but messages got ignored each time because they weren’t read by anyone who actually understood what was being said to them. One of the official channels for reporting security issues was mostly unused, because people usually went through unofficial channels. IIRC the people who supposedly monitored that channel weren’t even working there anymore. Dude ended up going public because he thought it was likely the only way to actually prevent anyone from getting harmed, despite incurring liability.

                    1. 1

                      Were there any legal consequences?

                      1. 3

                        AFAIK no, and the whole thing was dropped like a very hot potato the moment people realized there had been as much as one attempt at responsible disclosure. I mean it’s not 1992, companies are legitimately expected to make this no more complicated than a couple of Google searches and an email.

                        Management is rarely inclined to litigate when there’s a looming PR disaster in it. A lawsuit moves slowly, even when coaxed with money and connections, whereas social media and the press operate on an hourly timetable. Realistically, there’s barely anything to gain from a lawsuit on a matter like this, and potentially a lot to lose in terms of PR and community relations – they only move forward if someone in the legal team really needs to prove themselves. Even the financial incentives are practically zero, the kind of sum they could get is probably in the sort of amount that companies like Infosys regularly write off for government bribes.

                        1. 2

                          That’s my view as well. Infosys would be very stupid to raise a legal stink about this, as it would shine a light at their alleged incompetence at deploying code and responding to disclosures.

                    2. 3

                      You’re right, but the flip side is reporting it properly, having them not do anything about it, and then a bad actor finds and uses it. Not much to recommend one over the other imo.

                      1. 8

                        From what I’ve seen, you may run into careless business associates / sub-associates, but covered entities are often very wary of the risk around HIPAA violations. It sounded like the author attempted to report to Infosys directly so I’m not surprised he hit a wall.

                        So again, if you find PHI – "Johns Hopkins Hospital" "general counsel" into your favorite search engine took me straight to their legal department, including direct contacts to HIPAA lawyers. Even without specialist lawyers, just get in touch with someone in their legal / leadership chain. The magic happens when you say “I’d like to report a HIPAA violation” to a human, preferably a human on a legal team.

                        And if you truly can’t get anyone to act, HHS has a process to report complaints directly to them. It’ll likely take longer for them to act, but they have broad leeway to sanction bad actors and will get the attention of the offender.

                        1. 1

On the other hand, people not living in the USA might not be so intimately familiar with USA laws and compliance culture.

                  2. 1

                    All access to remote computers is unauthorized. Maybe we should stop allowing corporations to hurt themselves and others, even if it means violating their privacy.

                  3. 5

                    I’m somewhat surprised the author published all these details. To be clear, I don’t condemn any of his actions or disclosed details, but companies like this can be rather litigious in these cases and sadly the law has not caught up or is intentionally overbearing.

                    OpSec for security research oftentimes boils down to: even if you did everything right and followed responsible disclosure to a tee, never make yourself known and use third parties as a proxy for all communication, including private disclosure.

                    1. 2

                      The way I think of it, I’d rather them invalidate the key and make a blog post than have them post the key and info on the darknet or something.

                    2. 3

                      Well, this is horrifying.