Security Expert Jailed For Reporting Vulnerabilities In Lee County, FL Elections (theregister.co.uk)
rootmon writes: Information Security Professional David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the Lee County, Florida Elections Office run by Sharon Harrington, the Lee County Supervisor of Elections. Harrington's office has been in the news before for voting systems problems (for example, during the 2012 election, 35 districts in Lee County had to remain open 3 hours past the closing of polls due to long lines and equipment issues, wasting $800,000 to $1.6 million of taxpayer money on incompatible iPads for which her office is facing an audit. Rather than fixing the issues in their systems, they chose to charge the whistleblower with three third-degree felonies. The News Press also has several related interviews.
White Hat (Score:5, Interesting)
I hope the courts recognize that white hats are the good guys. I hope that paves the way for Levin (and EFF) to sue Lee County and Harrington for damages. And I hope that discourages other politicians from lashing out at the good guys.
Re:White Hat (Score:5, Insightful)
Breaking into or executing code on a system without permission is a criminal offense. Even if he was doing it ostensibly for the greater good, Levin should know better (and a tweet from him suggests that he knows he should have known better). The courts aren't going to let this slide just because he's a "good guy," because that sets a bad precedent.
If you're going to try to break into a system, get permission. If you absolutely must do it without permission, use a burner name and address to make the notification, or go through an attorney to make the notification.
Re:White Hat (Score:5, Funny)
Or, in the future, sell it to the Russian mob for big bucks and retire.
Re: (Score:3)
Or, in the future, sell it to the Russian mob for big bucks and retire.
Someone good at writing Russian gangster dialog should write that scene. It would include the Russian mobster trying to figure out why Levin thinks he'd care about hacking Lee County elections.
Re:White Hat (Score:4, Funny)
Re:White Hat (Score:4, Insightful)
Or, in the future, sell it to the Russian mob for big bucks and retire.
Should be marked insightful, not funny.
If government is going to be douchey towards people who point out vulnerabilities, then best not to disclose anything to government. They completely deserve whatever comes next.
Let them fail all by themselves.
Re: (Score:2)
Re:White Hat (Score:5, Insightful)
There will be no permission. The real reason he's in jail is they're pissed off everyone knows how fucked up their system is. He outed them and they popped his ass in the slammer for it. If they were actually interested in providing a secure system they would have rewarded him instead. The way he was treated says everything about Sharon Harrington's professionalism. She's a typical CYA type interested only in her own continuance of incompetence at her job. I'd say the people in that county should see that she's sacked if they ever want an improvement. Wonder how many of those iPads walked off on her watch? Maybe they could find a cell for her too.
Re: (Score:3)
If they were actually interested in providing a secure system they would have rewarded him instead.
Permission can't come in hindsight. Maybe there are pissed off people who reported him, but he still broke the law and MUST be prosecuted if there is evidence, which there clearly is. It's not like there is a choice in the matter.
Re: (Score:3, Informative)
There is no MUST - prosecutors have discretion. Judges have discretion, and Juries (though they don't want you to know it!) have discretion.
Re: (Score:2)
It is a shame you are downvoted to zero, you are correct.
And this STUPID SLOW DOWN COWBOY message, WTF Slashdot. No wonder why everyone went to Reddit.
Re: (Score:2)
Actually there is, the prosecutor has discretion.
Re: (Score:3)
That discretion is based on quality of evidence. If the evidence is clear, there is no choice. It's not the movies.
Completely, utterly not true. The DA has full discretion on what to prosecute. And political reasons are a huge part of deciding whether to do so or not. [1]
Not only does the DA have the freedom to not prosecute, a jury can declare someone not guilty they know is guilty if they believe the law itself or the punishment that will happen if declared guilty is unjust. [2]
[1] http://definitions.uslegal.com... [uslegal.com]
[2] https://en.wikipedia.org/wiki/... [wikipedia.org]
Re:White Hat (Score:5, Insightful)
The thing is, if a security researcher asked for a unit to do security testing on, no permission would be forthcoming.
The security researcher, being a voter, has a legitimate interest in the safety and security of the voting system.
Also, as a voter, this person is ALREADY supposed to be able to access the system. It's the fault of the people setting up this system that his ability to access the system is that broad.
And, since the equipment is being purchased with taxpayer funds, there's a legitimate school of thought that permission for access is already implicit.
Criminals bent on subverting the voting system are NEVER going to ask permission.
Re: (Score:2)
Re: (Score:3)
I'm pretty sure he's got no idea how the courts work and has never heard of "prosecutorial discretion." There's always a choice. It might not be a politically feasible choice but there's always a choice. It is, after all, the DA that serves as prosecution for the State. I'm not fluent in all of the Floridian regulations but I'm thinking that the Supervisor of Elections is probably not also the District Attorney, or even an assistant.
However, it is Florida. I could be wrong. ;-)
Still, there is discretion. Th
Re:White Hat (Score:4, Interesting)
Imagine if someone found the key to a government building under the door mat. That's clearly a major security lapse.
Imagine if they next USED that key to enter the building on a weekend and rummaged through the offices inside. That's second-degree burglary.
This guy found a way to retrieve the admin password (key), and should have stopped there. Instead, he USED the admin password to log in and rummage around. I've been doing network security for twenty years. I've never seen any reason to do that.
Re: (Score:2)
I agree. Still they should take into account that he did no damage and did report the flaw. Those are mitigating factors. How much you bet those missing iPads are glossed over? Isn't that theft? Nope, not for the right people it isn't.
Re: (Score:3)
Got to love it. He got involved in politics. Still, they treated him worse than the guys that break into financial institutions to steal credit card info. Of course, in a politician's mind, making them look like the incompetent fools they are is worse.
Re: (Score:3)
Re: (Score:2)
This is democracy at stake here, we can't afford to let some incompetent and potentially corrupt officials dictate the terms. Nothing less than the next President of the US is at stake here. It is absolutely in the country's best interest for these sorts of vulnerabilities to be discovered and patched before the election, otherwise you can never trust the election. I don't care that it hurt their feelings that th
Re: (Score:2)
You can in fact ignore it. If you are doing something to prevent a worse evil than the one you committed you can attempt to present an affirmative defense. Civil disobedience is another case where you break the law as a form of first amendment protest and can trump lesser laws.
Re:White Hat (Score:5, Insightful)
I was able to penetrate your system using an injection attack vector
becomes
Based on your code I surmised it was likely susceptible to an injection attack vector and wanted to make you aware of it before someone actually tries it.
Re: White Hat (Score:4, Insightful)
You are absolutely correct: the way he handled this is a crime. But that just highlights a massive deficiency. How are we supposed to catch security flaws like this?
I can't imagine that asking permission would end well. The target has nothing to gain, and everything to lose. We need someone (or some group) sanctioned to pen test government assets.
From election offices, to the ACA databases, to the DMV, and on and on, we have a LOT of personal data floating around. I would certainly prefer that someone is allowed to make sure these repositories are being kept up to standards.
Re: (Score:3)
You actually can make an argument that you committed a crime in order to prevent a greater evil. It is a valid defense.
https://www.google.com/search?q=affirmative+defense&ie=utf-8&oe=utf-8
Re: (Score:2)
Re: (Score:2)
Yes, also known as "shoot the messenger". If you shoot all messengers, there will be no bad news. And usually bad news stops coming much sooner.
Re: (Score:3, Insightful)
I hope the court realizes that the State officials are incompetent retards who created a serious security situation, not to mention wasting huge sums of money, and that all they're trying to do is use the courts to bury their severe intellectual and technical inadequacies. Courts shouldn't be used to protect the fundamentally moronic.
Re:White Hat (Score:4, Insightful)
I hope the court realizes that the State officials are incompetent retards who created a serious security situation.
Of course they may have just purchased or licensed a serious security situation. There are a lot of poorly written applications created by the private sector and sold to the public sector.
There should be no excuse for a State though. They should have the resources to check out software and services they purchase (especially elections related software or services). When it comes to the County and City level though, many don't have the resources to do this kind of evaluation whether it is available skill sets or money to pay an expert. This is a significant problem that really needs addressing in many localities.
Florida really should drop this one. All they are doing is making themselves look worse (hey!, why just look stupid when you can also look corrupt).
Re:White Hat (Score:5, Interesting)
Ha, ha. You still think those vulnerabilities were accidents.
IMO, it seems far more likely that the SQL injection holes were deliberate. After all, parameterized SQL queries have been the norm for at least eight or ten years, which means that for this to be accidental, either the software would have to be as old as Windows Vista or the developers would have to be so grossly incompetent that they would never be able to hold down a job writing database software for more than a week or two.
The whole "never attribute to malice" thing applies only when it can be plausibly attributed to incompetence. SQL injections in an election system in 2016 fall so far on the other side of that line that you can't even see the line from there.
With that said, in the unlikely event that I'm wrong, and that it really was caused by a grossly incompetent vendor, I expect to see that vendor added to a government blacklist and become immediately ineligible for any government contracts going forward. I also expect to see the software in question thrown away and paper ballots used until such time as a suitable replacement can be found. There's no excuse for allowing software that doesn't even meet 2010-era standards to be used for running elections in 2016. None whatsoever.
Re:White Hat (Score:5, Insightful)
In this case, the saying definitely applies...there are a LOT of people who have no business creating code for important production systems doing so.
As scary as it is, there's a non-insignificant portion of workers actively creating software, often connected directly to the web, who have no idea what a SQL Injection is, nor why you need to worry about one.
Asking about what a SQL Injection is is one of my standard interview questions, you'd be shocked at the number of people who don't have a clue, even those who are interviewing for a senior position. Not really related, but I'm also shocked by the number of people who don't understand what an Outer Join is.
Re: (Score:2)
Re: (Score:2)
Frankly, I'd be surprised if they were using something as *new* as Windows Vista. Windows XP seems more likely. 2000, 98 or even 95 wouldn't be surprising to me. Windows for Workgroups 3.11 wouldn't seem entirely out of the question.
Note that I'm not in any way claiming this to be a good thing, just a sad fact of life.
Re: (Score:3)
Oh, I don't know. Plenty of software is written by people who don't know what parameterized queries are, or who think "it's behind a firewall" is adequate
Re: (Score:3)
After all, parameterized SQL queries have been the norm for at least eight or ten years,
I failed an interview at Cisco for not knowing about prepared SQL statements... back in 1998. Was a big learning experience for inexperienced me. So parameterized queries have been around (and highly recommended) even way back in the golden 90's "Perl is all you need" days.
Re: (Score:3)
Re: (Score:2, Informative)
If a public system like a voting system is left wide open to fraud, then we will fail as a Democracy if we stand silently by and allow fraud to be committed, then we all lose
Re: (Score:3)
The GP is right however - according to white-hat philosophy, we should stick our heads into the sand and pray, for to test the security of the system without explicit permission to do so would be just as evil as anything the most ill-intentioned black-hat could do!
No he wasn't (Score:3, Informative)
Re: (Score:2, Troll)
Re: (Score:3)
Re: (Score:2)
How do you find a vulnerability without actually testing it?
Re:No he wasn't (Score:4, Insightful)
Re:No he wasn't (Score:4, Interesting)
So what you're saying is that nobody should ever try to discover vulnerabilities and report them?
What I'm getting at here is yes, in this instance, he went a little too far by using the credentials he found after the injection was done to login to other parts of their system, but if he had stopped after the initial injection worked, and then disclosed that vulnerability to the owners, is that technically still hacking? And if so, doesn't that create a rather terrible precedent?
Re: (Score:3)
It shouldn't matter (Score:5, Insightful)
How do you find a vulnerability without actually testing it?
It almost shouldn't matter in this case. It does, but it shouldn't. When you bring felony charges for basic pen testing, people who find a system is vulnerable are not going to report it. Even if they shouldn't have been snooping around in the first place, isn't it better if they're willing to report the vulnerability before someone does real damage?
Basic SQL injection vulnerabilities are so trivial to guard against these days that it is the person who spec'd or coded the system who should be facing severe punishment, not the person who ran a penetration test. It is very much like leaving a ballot box unguarded and unlocked at a polling place, and then arresting the person who lifts up the lid and says "hey, someone left this unlocked!" Sure, he shouldn't have been checking, but he's not the one who dropped the ball and you don't arrest him for it.
In a worse case, this could have been done easily by a random tech guy barely out of high school, a malicious government, a ransomware operator, or anyone who wanted to steal the election. Many people love this kind of soft target. The local government should be thanking their lucky stars it was done by someone who reported it instead of using it to elect the candidate slate of their choice.
Re: (Score:2)
Actually, everyone involved in the procurement, installation and use of these machines should be at least fired, and quite honestly, should be charged with negligence of their duty. The company that provided these machines should be sued, and the machines returned as being "unfit" and full and complete refund sought.
The fact that they are going after the wrong guy, is all the evidence I need to show once again, government is the problem, not the solution. We need to take back our country from the statist el
Re:It shouldn't matter (Score:4, Interesting)
It is very much like leaving a ballot box unguarded and unlocked at a polling place, and then arresting the person who lifts up the lid and says "hey, someone left this unlocked!" Sure, he shouldn't have been checking, but he's not the one who dropped the ball and you don't arrest him for it.
I agree, somewhat. The analogy breaks down slightly because in the "physical world" you can sense that something may be open, such as a door, by looking at it and not necessarily walking through. Then the question is, is it illegal to try to open a locked door? Is it illegal to try to open a door that isn't yours but is easily accessible? (no barriers, no signage, etc)
However when it comes to networks, the only way to "see" a vulnerability is to actually use it and test if it works. Is that hacking? Should it be illegal?
Re: (Score:2)
Especially when you are talking about a server with a public function and he is part of the community serviced by that server.
Re: (Score:2)
It is very much like leaving a ballot box unguarded and unlocked at a polling place, and then arresting the person who lifts up the lid and says "hey, someone left this unlocked!"
It is trivial to detect an unlocked ballot box. It has no lock on it! You don't need to open it up to know that. And unguarded likewise, does not require opening it up to demonstrate.
In this case, knowing that an SQL injection attack can get the elections supervisor login credentials may take an actual SQL injection attack. But it doesn't take any deep insight to know that having the supervisor's credentials will give someone access to other parts of the system, which is what this guy proceeded to do after
Re: (Score:2)
His actions prevented future defrauding of the people which is a far greater crime than unauthorized systems access. It's akin to kicking you in the balls to stop you from shooting a nun. It's called an affirmative defense.
In Florida, the state in question, for instance, medical marijuana was illegal last I checked but medical necessity is considered valid as an affirmative defense if charge
Re: (Score:2)
You get permission to test BEFORE you do the testing!
Found the key under the door mat, then USED it (Score:2)
Imagine if someone found the key to a government building under the door mat. That's clearly a major security lapse.
Imagine if they next USED that key to enter the building on a weekend and rummaged through the offices inside. That's second-degree burglary.
This guy found a way to retrieve the admin password (key), and should have stopped there. He could have just said "hey look, the admin password is exposed". Instead, he USED the admin password to log in and rummage around. I've been doing network securit
Re:No he wasn't (Score:5, Informative)
He was "hacking" it on a video demonstrating it directly to THE ELECTIONS SUPERVISOR, who agrees he should not have been arrested.
Re:No he wasn't (Score:4, Interesting)
Re: (Score:2)
If that is the case, the article was not clear on that point. I went back and reread it and still am not entirely sure, but I am not intimately familiar with the details so I will accept that I could have been incorrect in my assessment.
Re: (Score:2)
Re: (Score:2)
He already blew by the fact that Dan Sinclair was not the head of the "Lee County, Florida Elections Office run by Sharon Harrington, the Lee County Supervisor of Elections."
We're not making sense. We're demagoguing our preferred narrative, facts be damned.
Re: (Score:2)
No, he was not. A candidate for elections supervisor for a county is not the active elections supervisor for the county.
Re: (Score:2)
A candidate for elections supervisor for a county is not the active elections supervisor for the county.
From the article: "Levin detailed the SQL injection in a YouTube video shot with elections supervisor Dan Sinclair". It does not say "candidate" anywhere in the text.
Re: (Score:2)
It helps to read the related interviews [news-press.com] linked in the summary instead of simply the lede.
Get a grip.
Re: (Score:2)
He was arrested for actually hacking the website.
Correct. He is being charged with gray hatting.
Re: (Score:2)
nor that he did anything more than his civic duty after discovering a vulnerability.
How is it his "civic duty" to use the login credentials he obtained by hacking into a website to access other secure areas of the system? Is there any surprise that the login credentials of the election supervisor can actually be used to log into other parts of the network, and is this really a bug in the system?
Had he stopped at the SQL injection attack and reported that, we could argue about whether that was criminal in itself. But by stepping over the line and using the credentials he nullified the arg
Re: (Score:3)
I'm having trouble even knowing where to start with someone who thinks that robbing from the rich and giving to the poor is in any way analogous to a security researcher reporting a flaw they discovered.
It isn't. But "breaking the law" is analogous to using a website flaw to gather login credentials and then using those credentials to access other, properly protected material. From TFA:
First off, if what he did is illegal under the current law (which has yet to be decided in court),
When someone says "he broke the law" in common language, it means "I believe there is evidence to support the claim he broke the law." And here, there is. Unauthorized use of computing
Government willfully ignorant of their own laws (Score:5, Interesting)
Re: (Score:2)
You find one that's open. A few days later you see that neighbor and tell them "oh, by the way your bedroom window is unlocked."
"And to prove it, I reached in and took a pair of your wife's panties. Here they are..." Or "I reached in and took the keys laying on top of your dresser and then looked through the trunk of your car. You've also got a flat spare."
To make the analogy fit, the window would have had to be accessible from a public space, like next to the sidewalk. Even so, trying it would have been breaking and entering. But if you start with "I saw it was ajar ..." you're closer.
Re: (Score:2)
Cute straw man. But that's an invalid analogy. Running a web server on port 80 is, by definition and RFC, an invitation with the message: "Come on in, look around, anywhere you can get to, go."
If you want to play the "house" analogy, the correct one is an open house that you've placed up for sale. You've invited the public in, with open doors, open windows, open rooms, for them to roam where they wish. But outside the rooms you've carefully curated for show; behind one door there is a basement into whi
Re: (Score:2)
You don't look for vulnerabilities in someone's 'public' place of business either. It's as if you broke into the library's safe and told the owner 'Your locking mechanism is out of date, I was able to break into it... Then I found your building access key in the safe so I decided to break into all of your employee's offices too.'
Quoted from the article: "Levin then went a step further and used the Lee County supervisor's username and password to gain access to other password protected areas."
Lesson be learned (Score:2, Insightful)
Next time don't report it to them, report it to the media.
Re:Lesson be learned (Score:5, Interesting)
Next time make the reported results so preposterous it's obvious that shenanigans are involved.
Make 'Vermin Supreme' get 110% of the votes. Give the mainstream candidates large enough negative vote counts to give the national popular vote to 'Vermin Supreme'.
Until someone does this, to a system directly feeding data to the news networks, the system will continue to be reported as 'secure and working as designed'.
Re: (Score:2)
He hacked a website, not a voting machine.
Re: (Score:2)
Make 'Vermin Supreme' get 110% of the votes. Give the mainstream candidates large enough negative vote counts to give the national popular vote to 'Vermin Supreme'.
We here at Pizza Hut respect and value our customer's opinions, but we do not consider the results of that online vote binding. Our new flavor of pizza will instead be called The Murine Lover's pizza.
Re: (Score:2)
He should have done responsible disclosure via a lawyer, with a 30 day notice, before posting the video. If he owns a security firm, he should have a god damn lawyer.
He didn't "only" report it though... (Score:2)
FYPTW (Score:2)
Yay police state!
Fuck you, pleb, that's why.
For God's sake man! (Score:2)
Re: (Score:2)
Close that parentheses, you're killing me!!
Ah, you must be a Lisp programmer. :-P
Wrong way to go about it (Score:5, Funny)
The correct approach for fixing security issues in a voting system is to elect yourself, then appoint a team of people to correct the issue while funneling you money.
Re: (Score:2)
Don't forget to order a huge batch of iPads and "lose" a bunch of them in the process.
Re: (Score:2, Interesting)
Just change the winner's name to "You have an SQL injection vulnerability".
And be done with it.
Re: (Score:2)
you'll continue to win elections, so might have to leave the issue uncorrected and arrest anyone who points the finger... o wait!!!
For God's sake man (Score:2)
)
Next time, sue the state (Score:3, Interesting)
Must we prepend "tax payer" to money (Score:2)
It's a government agency, so it is kind of redundant to quantify the term money with "tax payer". All it does is push people away from government programs that could improve quality of life.
It is this kind of attitude that pushes bean counting and attempted cost savings to such an extreme level that it is detrimental. This is why the government is so bad at finding the right organizations to do work for them; they just keep giving out contracts to the lowest bidder. This is why there are so many inefficienc
Re: (Score:3)
so it is kind of redundant to quantify the term money with "tax payer"
No, it's not. Because a LOT of people seem to think that there actually is something called "government money." Nearly half the country pays no income tax at all, and a large percentage of those get a "tax refund" on the income taxes they don't pay. That flow of money is rarely referred to as "other people's money" - just as tax credit, as earned income credit ... as anything other than a portion of the money that other people pay as taxes. Politicians, especially on the left, talk routinely about how they
Re: (Score:2)
"taxpayer money" == "government money". Just because they got it (mostly) from the taxpayers, or that they are expected to use it responsibly, doesn't mean it isn't theirs.
All I want is to keep it neutral. No qualifiers, just let people make their own judgement. Just because some people might think of it as "government money" vs "taxpayer money" doesn't mean your opinion needs to be hammered in every time the subject is brought up.
Isn't Wikileaks still around? (Score:3)
In other news... (Score:2)
Re: (Score:2)
The main difference is intent, and the secondary difference is what happened once access was gained.
Slanted (Score:3)
Re:FLORIDA (Score:5, Funny)
Re:FLORIDA (Score:5, Funny)
Replying because I mis-click moderated you.
Was going for +1 Funny and clicked -1 Troll instead.
Re: (Score:3)
Was going for +1 Funny and clicked -1 Troll instead.
Happens all the time. ;)
Re:FLORIDA (Score:4, Funny)
Frankly I'm disgusted that there's no "+1 Funny Troll" option.
Re: (Score:2)
I always preferred the Appendix version: all the garbage collects there, and sooner or later causes nothing but problems.
Re: (Score:3)
Re: (Score:2, Informative)
The joke is that things roll downhill from the rest of the US into Florida.
Re: (Score:2)
"The swamp with freeways state"?
Re:FLORIDA (Score:4, Funny)
Re: (Score:2)