Security Expert Jailed For Reporting Vulnerabilities In Lee County, FL Elections

rootmon writes: Information Security Professional David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the Lee County, Florida Elections Office run by Sharon Harrington, the Lee County Supervisor of Elections. Harrington's office has been in the news before for voting systems problems (for example in during the 2012 election, 35 districts in Lee County had to remain open 3 hours past the closing of polls due to long lines and equipment issues, wasting $800,000 to $1.6 million of taxpayer money on incompatible iPads for which her office is facing an audit. Rather than fixing the issues in their systems, they chose to charge the whistleblower with three third-degree felonies. The News Press also has several related interviews.

White Hat

I hope the courts recognize that white hats are the good guys. I hope that paves the way for Levin (and EFF) to sue Lee County and Harrington for damages. And I hope that discourages other politicians from lashing out at the good guys.

Re:White Hat

[dgatwood]

Ha, ha. You still think those vulnerabilities were accidents.

IMO, it seems far more likely that the SQL injection holes were deliberate. After all, parameterized SQL queries have been the norm for at least eight or ten years, which means that for this to be accidental, either the software would have to be as old as Windows Vista or the developers would have to be so grossly incompetent that they would never be able to hold down a job writing database software for more than a week or two.

The whole "never attribute to malice" thing applies only when it can be plausibly attributed to incompetence. SQL injections in an election system in 2016 fall so far on the other side of that line that you can't even see the line from there.

With that said, in the unlikely event that I'm wrong, and that it really was caused by a grossly incompetent vendor, I expect to see that vendor added to a government blacklist and become immediately ineligible for any government contracts going forward. I also expect to see the software in question thrown away and paper ballots used until such time as a suitable replacement can be found. There's no excuse for allowing software that doesn't even meet 2010-era standards to be used for running elections in 2016. None whatsoever.

Re:White Hat

[raymorris]

Imagine if someone found the key to a government building under the door mat. That's clearly a major security lapse.

Imagine if they next USED that key to enter the building on a weekend and rummaged through the offices inside. That's second-degree burglary.

This guy found a way to retrieve the admin password (key), and should have stopped there. Instead, he USED the admin password to log in and rummage around. I've been doing network security for twenty years. I've never seen any reason to do that.

Government willfully ignorant of their own laws

[randomErr]

I wish best for this guy. He did what was right and now faces several felonies. I hope this gets thrown out and he can files a big fat civil lawsuit at the count. He has his felony charges published all over the news and in postings. He'll never be able to get top secret clearance. Any potential employer will Google this guy and may consider him to be too hot to handle.

Re:No he wasn't

[110010001000]

No he wasn't. He "hacked" it previously before the demonstration. Stop lying. I agree he shouldn't have been arrested but there is no reason to lie for clicks.

Re:Lesson be learned

[HornWumpus]

Next time make the reported results so preposterous it's obvious that shenanigans are involved.

Make 'Vermin Supreme' get 110% of the votes. Give the mainstream candidates large enough negative vote counts to give the national popular vote to 'Vermin Supreme'.

Until someone does this, to a system directly feeding data to the news networks, the system will continue to be reported as 'secure and working as designed'.

Re:No he wasn't

[iCEBaLM]

So what you're saying is that nobody should ever try to discover vulnerabilities and report them?

What I'm getting at here is yes, in this instance, he went a little too far by using the credentials he found after the injection was done to login to other parts of their system, but if he had stopped after the initial injection worked, and then disclosed that vulnerability to the owners, is that technically still hacking? And if so, doesn't that create a rather terrible precedent?

Next time, sue the state

[TranceThrust]

Security professionals and tech enthusiasts should take note of this technique and apply it in reverse: instead of reporting vulnerabilities to the government institutes who caused them, bring those guys to court. Sue them for unsafely handling the information you entrust them with. Things are not going to get better unless this kind of incompetence can cost someone's head.

Re:It shouldn't matter

[iCEBaLM]

It is very much like leaving a ballot box unguarded and unlocked at a polling place, and then arresting the person who lifts up the lid and says "hey, someone left this unlocked!" Sure, he shouldn't have been checking, but he's not the one who dropped the ball and you don't arrest him for it.

I agree, somewhat. The analogy breaks down slightly because in the "physical world" you can sense that something may be open, such as a door, by looking at it and not necessarily walking through. Then the question is, is it illegal to try to open a locked door? Is it illegal to try to open a door that isn't yours but is easily accessible? (no barriers, no signage, etc)

However when it comes to networks, the only way to "see" a vulnerability is to actually use it and test if it works. Is that hacking? Should it be illegal?

Re:Wrong way to go about it

Just change the winners name to "You have an SQL injection vulnerability".
And be done with it.