As we have stated time and time again, the corporate world does not care about your data. Instead, it is much more concerned with saving face and preventing anyone from finding out how bad it is at security. This behavior is very common when it comes to security research: companies try to shore up their own reputations before they do anything about the problems in their applications. In Shafer’s case, he found that the FTP server had probably been left open for years, and he did not even disclose the issue until the server was secured.
EagleSoft, which has now gone very quiet, is claiming that Shafer violated the CFAA (Computer Fraud and Abuse Act) by accessing the server at all. On that basis they phoned the FBI and demanded that Shafer be arrested. The FBI complied and showed up at Shafer’s house with a whole gang in tow to execute the arrest of this, obviously (sarcasm), criminal. Shafer probably has grounds for legal action against EagleSoft at least and, depending on the details of the FBI’s “investigation,” possibly a claim for wrongful arrest as well.
It is nice to know that the FBI is able to jump so quickly on information handed to it by a corporate entity like this without much of an investigation. It seems eerily similar to how ICE handles takedown requests over copyright: a company (or legal group) just has to call up and make the claim to get a domain confiscated. Of course, we have watched the FBI botch the MegaUpload case for years as it illegally took evidence out of the country, pushed for warrants that were not legal in NZ, and much more. These days they are much less a law enforcement organization than a copyright enforcer and a bully for corporate interests.
We will keep a very close eye on this one, as it could set a precedent for security researchers going forward.