Security Expert Jailed For Reporting Vulnerabilities In Lee County, FL Elections (theregister.co.uk)
rootmon writes: Information Security Professional David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the Lee County, Florida Elections Office run by Sharon Harrington, the Lee County Supervisor of Elections. Harrington's office has been in the news before for voting systems problems (for example, during the 2012 election, 35 districts in Lee County had to remain open 3 hours past the closing of polls due to long lines and equipment issues, wasting $800,000 to $1.6 million of taxpayer money on incompatible iPads for which her office is facing an audit. Rather than fixing the issues in their systems, they chose to charge the whistleblower with three third-degree felonies. The News Press also has several related interviews.
Is known as the _________ state?
If we hang all people who can hack computers, they become unhackable by humans. Problem solved.
I hope the courts recognize that white hats are the good guys. I hope that paves the way for Levin (and EFF) to sue Lee County and Harrington for damages. And I hope that discourages other politicians from lashing out at the good guys.
He was arrested for actually hacking the website. Stop it with the clickbait headlines. This isn't the Star.
Everyone knows that he's really a haxx0r and haxx0rz belong in jail. It's the law!
Yes, the law is stupid, and so is most every county in Florida. Even so, this "edgy" image is exactly what "security professionals" have been actively pursuing and now they're all indignant it's come back to bite them? Seriously guise, it's like you completely didn't think at all before diving into diddling computers and bothering everyone. It's not that the work shouldn't be done, it's that the environment you created wherein you work is counter-productive and you have yourself to blame.
I wish best for this guy. He did what was right and now faces several felonies. I hope this gets thrown out and he can file a big fat civil lawsuit at the county. He has his felony charges published all over the news and in postings. He'll never be able to get top secret clearance. Any potential employer will Google this guy and may consider him to be too hot to handle.
You say things that offend me and I can deal with it. Can you?
It's a coverup for some 3rd-world style voting irregularities. Nothing to see here, move along...
C|N>K
Next time don't report it to them, report it to the media.
There is a fine line between criminal hacking and being a security professional. That fine line has something to do with being asked and hired to do it.
If you are asked and hired to do penetration testing and security audits, by the owner of the equipment that you are testing, then you are not a criminal hacker.
Under all other cases, you are a criminal hacker.
Got it?
If he had only reported that he was able to get in the front door it would be one thing, but tfa says that he also used what he found to log in and explore, seems to me that is where the legality line was crossed, not the exposure of the vulnerability itself.
NEVER go to government with ANY information, good OR bad, unless they are already expecting you to. Rest assured that if they have a problem, they will come to you. Otherwise, stay as far away from government as possible, unless you actually like your good deeds punished.
blame can be laid at the POTUS
thanks OBAMA and your policies against whistle blowers.
How do you find a vulnerability without actually testing it?
It almost shouldn't matter in this case. It does, but it shouldn't. When you bring felony charges for basic pen testing, people who find a system is vulnerable are not going to report it. Even if they shouldn't have been snooping around in the first place, isn't it better if they're willing to report the vulnerability before someone does real damage?
Basic SQL injection vulnerabilities are so trivial to guard against these days that it is the person who spec'd or coded the system who should be facing severe punishment, not the person who ran a penetration test. It is very much like leaving a ballot box unguarded and unlocked at a polling place, and then arresting the person who lifts up the lid and says "hey, someone left this unlocked!" Sure, he shouldn't have been checking, but he's not the one who dropped the ball and you don't arrest him for it.
In a worse case, this could have been done easily by a random tech guy barely out of high school, a malicious government, a ransomware operator, or anyone who wanted to steal the election. Many people love this kind of soft target. The local government should be thanking their lucky stars it was done by someone who reported it instead of using it to elect the candidate slate of their choice.
Real lawyers write in C++
Yay police state!
Fuck you, pleb, that's why.
Close that parentheses, you're killing me!!
The correct approach for fixing security issues in a voting system is to elect yourself, then appoint a team of people to correct the issue while funneling you money.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Close those parentheses, you're killing me!!
)
Security professionals and tech enthusiasts should take note of this technique and apply it in reverse: instead of reporting vulnerabilities to the government institutes who caused them, bring those guys to court. Sue them for unsafely handling the information you entrust them with. Things are not going to get better unless this kind of incompetence can cost someone's head.
"white hats" are not "the good guys". They want you to believe that, but all they have is self-expressed good intentions, honest. They're also more "ETHICAL" than thou. But as good little consultants making good money with their cute little shtick, they're part of the problem, not part of the solution. Just as the "black hats" are. I prefer the people on the other side of the fence, that have formed a cottage industry with veritable product pipelines, that don't call themselves "hacker" and pose a lot, but actually work for a living. Even if, yes, they're doing very questionable things. At least they're honest about it! The hatted bunch isn't, and is wilfully publicly shifty to boot. Buncha s'kiddies, learning nothing. Worse, they haven't made much of a dent in cyber crime nor in solving security problems in the decades they've been telling us they were trying really hard. They are purveyors of new imperial fabric, nothing more.
The Government will NEVER give you permission to perform hack/pen tests. They request more tax dollars from you to pay for their own Government hacking teams to tell people what the Government wants them to hear.
If you didn't already know that, castration is a good option for you.
It's a government agency, so it is kind of redundant to quantify the term money with "tax payer". All it does is push people away from government programs that could improve quality of life.
It is this kind of attitude that pushes bean counting and attempted cost savings to such an extreme level that it is detrimental. This is why the government is so bad at finding the right organizations to do work for them; they just keep giving out contracts to the lowest bidder. This is why there are so many inefficiencies, they are afraid of spending money on existing projects in the short term to save money in the long term.
When I was thinking about who could pass on this sort of useful information without exposing the source to prosecution, Wikileaks came to mind.
This is why I change the voting records every time I access one of these websites via SQL injection. And I've accessed quite a few :)
Remember folks, changing votes is only legal if you run the system.
Trump 2016!
By that standard, shouldn't this guy be jailed for telling the bank they left their front door unlocked? http://www.foxnews.com/us/2015...
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Sharon Harrington should resign. According to this poll run on polldaddy.com by the News Press, 83% of her constituents want her to do so. https://polldaddy.com/poll/893... Why is she still in office? Her office seems to have more and more scandals and controversy to the South West Florida communities of Fort Myers and Cape Coral. Shame! Leave David Levin and his family alone. He just reported a vulnerability he didn't steal any information, he even blurred out passwords when he documented it. Seems like the desperate act of a corrupt politician.
manishs, did you investigate this one before pushing it up? The more I read about it, the more this all looks like a stunt by Sinclair. Instead of going through proper channels, this guy went through an opposing candidate, and actively goes above and beyond privately reporting a security flaw; instead publicly exposing it on YouTube and going on to actually explore the system once gaining access. All this with no time for the government to fix it. That's not how security evaluators should _ever_ behave. So then he goes to jail, allowing crummy summaries like this one, to effectively say "RAWR, HARRINGTON BAD!!". Harrington did not appear to pursue the arrest. It looks like Sinclair hoped to get an arrest to increase negative exposure on Harrington to help get her voted out. Publishing a summary like this on Slashdot means that these people are effectively playing the editors. The only good thing is that the summary feels so incredibly slanted that it sets off some people's bullshit detectors.
Is this action of his pardon worthy? Yes, what he did is illegal, so maybe they should prosecute him, however, it's absolutely in the public interest to discover and repair this kind of vulnerability.
Because if he doesn't blow the whistle ASAP, might it happen that someone else hacks in, gains control, and then closes the security hole after themselves, thus allowing themselves COMPLETE control of the election process?
Yet it was illegal.
Imagine if someone found the key to a government building under the door mat. That's clearly a major security lapse.
Imagine if they next USED that key to enter the building on a weekend and rummaged through the offices inside. That's second-degree burglary.
This guy found a way to retrieve the admin password (key), and should have stopped there. He could have just said "hey look, the admin password is exposed". Instead, he USED the admin password to log in and rummage around. I've been doing network security for twenty years. I've never seen any reason to do that. Showing that the password (or key) is available to bad guys is more than sufficient.
The way I see it; this would to some degree seem like a honeypot that someone stumbled upon unknowingly that was used to snare those coming across with good intentions of reporting vulnerabilities. This is why I do not pen test a network unless it's my own, or if it's a company I have explicit permissions with a paycheck to do so.
The whole good samaritan thing on the internet these days is not worth the legal hassle, or the possible bad publicity.
This would seem more like someone poking around on a company's website looking for vulnerabilities, and instead unknowingly stumbling upon a would-be honeypot. This is why if you are not explicitly working with that company to pen test their network; this instantly sets someone up for failure regardless of the intentions.
Why do we have to read about this kind of abuse on (the very good Register) in the UK? Why don't stories like this get domestic airtime?
-In space, it is very hard to rig lights.
How do you know the key actually works?
Oh, you have to actually LOG IN.
Unless you're the admin who knows the password, that's the only way for an outsider to know.
But wait? How do you know this is an ADMIN password and not just an ordinary user password?
OH. You have to check out admin functions while being logged in.
Can't believe a 20 year security guy couldn't figure out this simple fact.
Imagine he "apparently" found an admin password, went to the authorities and reported this, and could not log in with it. They'd nail him for a false report.
Or maybe the password worked but it wasn't an admin (but a limited user) password. Same thing.
Don't become Randal Schwartz.
Finding God in a Dog
He was arrested for hacking into the website and taking data, he was not arrested for reporting the vulnerability. Though some may argue they are related, he had no right or approval to hack the site and certainly no approval to take information from it after hacking it. If you are going to test a website for vulnerabilities as a security researcher you need to have the owner's approval.
This guy breached the website, gained password access and then repeatedly accessed the site unauthorized. Then he showed the site owners what he could do and they, naturally, shit a brick and had him arrested.
He's been convicted of hacking the supervisor of elections system, not pointing out lax security.
The douche-nozzle got exactly what he deserved.
Why would anyone report an issue if you can get jailed for it?
Reminds me of an ISP in Amarillo, TX that got majorly hacked almost 10 years ago. They managed to pin the hack on a white hat that had informed them of various other vulnerabilities on their system since "the hacker was the only ones that knew about it (the vulnerability) and had the expertise to pull it off"...
Try rummaging through physical records in physical offices with a stolen key, then try that defense and tell me how it works.
Because the government is supposed to be "of the people", we have the open records laws which establish a procedure for anyone to access government information, using a proper process ratified by the voters and their representatives. "Hack government systems, then use stolen passwords to access related systems" isn't the process that we the people have agreed upon.
Perhaps the European Union, as well as other groups could post a travel warning for Florida. Social conditions, the Florida legal system, jail conditions and a backward sociopathic governor combine to create a place somewhat dangerous to visitors. Palm Beach county, in particular, is a devil in the flesh. First, they made it illegal to feed the poor. Then they shut down a church that allowed the homeless a place to sleep. Then their county sheriff ran an exhaustive string of TV ads instructing the public never to give spare change to the poor but to send that money to the county who would take care of the poor, which is a huge lie. Then, in their ever evil minds they decided to bomb the public park with loud operas from dusk to dawn to keep the poor from sleeping in the park. That park is important for the poor as it is on the water, with a breeze, that helps to blow away the swarms of tropical mosquitos as well as preventing heat exhaustion in our very hot climate. Essentially it is the pigeon theory applied to humans. Don't feed them as more will come. Destroy their nests and they will go elsewhere. Harass them so they will be unhappy here. Only a county in a state with an evil, corrupt governor like Rick Scott could have these kinds of issues and decent people from foreign lands deserve to be protected from this type of system. After all, we might have to arrest a European for giving food to a starving child in the streets. Then that European might end up in a Florida jail with 20 people in a cramped cell and no air conditioning.
Right. Good thing this isn't political at all.
This is the real lesson of stories like these.
I have seen countless shitty things at my Fortune 1000 cube farm - will never report any of them.
Can we get someone who isn't a moron to choose the articles, please?
Oh yeah, I'm sure they would have been totally on board with being hacked if he had asked.
This is democracy at stake here, we can't afford to let some incompetent and potentially corrupt officials dictate the terms. Nothing less than the next President of the US is at stake here. It is absolutely in the country's best interest for these sorts of vulnerabilities to be discovered and patched before the election, otherwise you can never trust the election. I don't care that it hurt their feelings that their system was wide open to attack and practically begging for someone to manipulate the vote, this needs to be fixed before November.
The place to start is to get rid of all of the touch screen voting machines that don't produce a verifiable paper trail. How is it possible to ever trust such a machine?
It seems my first post disappeared for some reason. Thank you so much for your great article above. Most of your posts have been fantastic. I see a very few who are a little misguided. I hope the following information helps:
There was no “break[ing] into an account” as Sharon Harrington states. Sharon left the door open. Dave was driving by and saw the door had been left open by his neighbor renting the house, Sharon. He knew the person who left the door open would call the police and pretend that Dave somehow opened the door. So, he called a neighbor who understands doors and could confirm that, yes, the door in fact was left wide open. He wanted a witness, in case the person who was renting the house lied to the police. The neighbor he called, Dan, called the renter and informed her she left her door wide open. The renter couldn’t be bothered to call Dan back, ever. Instead, she called her door repair guy to call Dan back. This door guy works full time for the renter and was actually the one who left the door open to begin with. Dan and Dave had to explain repeatedly to the door guy:
a. That the door was left open
b. What door it was on the house
c. How to close the door
d. How to secure the door, so this did not happen again
e. That they were lucky a burglar did not see the open door and steal anything or vandalize the house before Dave saw the open door and Dan reported it
1. No one was "caught." The issues were reported by Dave. In fact neither the county nor the state could tell if they had EVER had a data breach. The state was very clear about that.
2. Dave stopped as soon as he proved the holes were real. There was no rummaging around inside someone else's system. He did not take any information, either.
3. Dave never perused around the system. He simply logged in once to show the holes were real, not a honeypot. As soon as he proved his point, he backed out and never entered again.
4. None of the information was released to the public until AFTER Dave helped them fix the holes, and the systems were claimed to be secure.
5. Dave not only reported the holes, he showed them how to find the holes. After explaining where the holes were, they still could not find them. So, he showed them how to fix the holes and gave them Best Practices going forward. The state asked for a written report, which he provided. They gave him permission to go into the system. When Dave found they did not even have the most basic tools to detect intruders, he provided them with those software tools.
6. The FDLE did not actually investigate. They just tried to find a law they felt Dave broke (which is not an applicable law in this case), and tried to figure out how to nail him on it. They reported the current Supervisor's claims as fact without investigating. The claims turned out to be false. The FDLE did not put a real IT person on the case and STILL does not understand what happened or how it happened. The only dates they used they received from Dave and I, in cooperating into the investigation of why the holes were left there for years to begin with. The investigation is supposed to be into the Gross Negligence of the state and county. However, the FDLE is allowing themselves to be used as political pawns by a corrupt politician.
There is a synopsis at: www.gofundme.com/237czxgc You can find more videos and information at www.Facebook.com/DanForSupervisor Also, there is a list at www.DanSinclair.com/supervisornews.htm The site is ugly and boring. However, the facts are accurate. I see on here some posts that appear to be from one of the two under qualified IT guys for the agency that was responsible for protecting the systems, and did not. FYI, the IT person responsible used a password of 1234. I can tell you now as it has been changed. That gives you an idea of the problem we are dealing with here.
All of the UserID's and Passwords they left exposed to the public facing interface were in clear text and part of the primary database. There are a L
A site has been set up for donations to David Levin's Defense Fund: https://www.gofundme.com/237czxgc , there is also more information regarding how David tried to report the holes to county and state officials and they decided to "kill the messenger".
Sounds like they didn't address the vulnerability though so ..........
When laws enforce arrogance... we have a problem.
https://en.wikipedia.org/wiki/...
Write polite letters.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
That's funny. I actually had an older Slashdot account, then in 2012 I made a new one. My very first post under this account includes a hint as to why I made a new account.
> I'll run right off and hack slashdot to look in their database to try to see your "hint"
Like this?:
-------
User: Zero__Kelvin
Post ID: 25843231
Subject: Re:So what powers does the IETF have on this?
Score 0, Flamebait
Date:Thursday November 20, 2008 @09:39PM
Thread: Kaminsky Bug Options Include "Do Nothing," Says IETF
Body:
"you need to work on your reading comprehension skills."
"ROTFLMAO. You might want to hone your writing skills to the point where you know how and where to use C apital letters :-)
You are quite mistaken as well. I was able to comprehend the fact that you are not particularly smart without having to read a single complete sentence!
-------
Kinda funny, between the two of us, our Slashdot posts are enough to fill a 320 page book.
You seem to be representing yourself as quite the accomplished security professional in your replies to Martin.