Security Expert Jailed For Reporting Vulnerabilities In Lee County, FL Elections

rootmon writes: Information Security Professional David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the Lee County, Florida Elections Office run by Sharon Harrington, the Lee County Supervisor of Elections. Harrington's office has been in the news before for voting systems problems (for example in during the 2012 election, 35 districts in Lee County had to remain open 3 hours past the closing of polls due to long lines and equipment issues, wasting $800,000 to $1.6 million of taxpayer money on incompatible iPads for which her office is facing an audit. Rather than fixing the issues in their systems, they chose to charge the whistleblower with three third-degree felonies. The News Press also has several related interviews.

Re:White Hat

[Martin+Blank]

Breaking into or executing code on a system without permission is a criminal offense. Even if he was doing it ostensibly for the greater good, Levin should know better (and a tweet from him suggests that he knows he should have known better). The courts aren't going to let this slide just because he's a "good guy," because that sets a bad precedent.

If you're going to try to break into a system, get permission. If you absolutely must do it without permission, use a burner name and address to make the notification, or go through an attorney to make the notification.

It shouldn't matter

[SeattleLawGuy]

How do you find a vulnerability without actually testing it?

It almost shouldn't matter in this case. It does, but it shouldn't. When you bring felony charges for basic pen testing, people who find a system is vulnerable are not going to report it. Even if they shouldn't have been snooping around in the first place, isn't it better if they're willing to report the vulnerability before someone does real damage?

Basic SQL injection vulnerabilities are so trivial to guard against these days that it is the person who spec'd or coded the system who should be facing severe punishment, not the person who ran a penetration test. It is very much like leaving a ballot box unguarded and unlocked at a polling place, and then arresting the person who lifts up the lid and says "hey, someone left this unlocked!" Sure, he shouldn't have been checking, but he's not the one who dropped the ball and you don't arrest him for it.

In a worse case, this could have been done easily by a random tech guy barely out of high school, a malicious government, a ransomware operator, or anyone who wanted to steal the election. Many people love this kind of soft target. The local government should be thanking their lucky stars it was done by someone who reported it instead of using it to elect the candidate slate of their choice.