Security Expert Jailed For Reporting Vulnerabilities In Lee County, FL Elections

rootmon writes: Information Security Professional David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the Lee County, Florida Elections Office run by Sharon Harrington, the Lee County Supervisor of Elections. Harrington's office has been in the news before for voting systems problems (for example in during the 2012 election, 35 districts in Lee County had to remain open 3 hours past the closing of polls due to long lines and equipment issues, wasting $800,000 to $1.6 million of taxpayer money on incompatible iPads for which her office is facing an audit. Rather than fixing the issues in their systems, they chose to charge the whistleblower with three third-degree felonies. The News Press also has several related interviews.

White Hat

I hope the courts recognize that white hats are the good guys. I hope that paves the way for Levin (and EFF) to sue Lee County and Harrington for damages. And I hope that discourages other politicians from lashing out at the good guys.

Re:White Hat

[Martin+Blank]

Breaking into or executing code on a system without permission is a criminal offense. Even if he was doing it ostensibly for the greater good, Levin should know better (and a tweet from him suggests that he knows he should have known better). The courts aren't going to let this slide just because he's a "good guy," because that sets a bad precedent.

If you're going to try to break into a system, get permission. If you absolutely must do it without permission, use a burner name and address to make the notification, or go through an attorney to make the notification.

Re:White Hat

[MightyMartian]

I hope the court realizes that the State officials are incompetent retards who created a serious security situation, not to mention wasting huge sums of money, and that all they're trying to do is use the courts to bury their severe intellectual and technical inadequacies. Courts shouldn't be used to protect the fundamentally moronic.

Re:White Hat

[MightyMartian]

Or, in the future, sell it to the Russian mob for big bucks and retire.

Re:White Hat

[StatureOfLiberty]

I hope the court realizes that the State officials are incompetent retards who created a serious security situation.

Of course they may have just purchased or licensed a serious security situation. There are a lot of poorly written applications created by the private sector and sold to the public sector.

There should be no excuse for a State though. They should have the resources to check out software and services they purchase (especially elections related software or services). When it comes to the County and City level though, many don't have the resources to do this kind of evaluation whether it is available skill sets or money to pay an expert. This is a significant problem that really needs addressing in many localities.

Florida really should drop this one. All they are doing is making themselves look worse (hey!, why just look stupid when you can also look corrupt).

Re:White Hat

[dgatwood]

Ha, ha. You still think those vulnerabilities were accidents.

IMO, it seems far more likely that the SQL injection holes were deliberate. After all, parameterized SQL queries have been the norm for at least eight or ten years, which means that for this to be accidental, either the software would have to be as old as Windows Vista or the developers would have to be so grossly incompetent that they would never be able to hold down a job writing database software for more than a week or two.

The whole "never attribute to malice" thing applies only when it can be plausibly attributed to incompetence. SQL injections in an election system in 2016 fall so far on the other side of that line that you can't even see the line from there.

With that said, in the unlikely event that I'm wrong, and that it really was caused by a grossly incompetent vendor, I expect to see that vendor added to a government blacklist and become immediately ineligible for any government contracts going forward. I also expect to see the software in question thrown away and paper ballots used until such time as a suitable replacement can be found. There's no excuse for allowing software that doesn't even meet 2010-era standards to be used for running elections in 2016. None whatsoever.

Re:White Hat

If a public system like a voting system is left wide open to fraud, then we will fail as a Democracy if we stand silently by and allow fraud to be committed the we all lose

Re:White Hat

[ArhcAngel]

When exposing the vulnerability you simply run it through the legally ambiguous filter.

I was able to penetrate your system using an injection attack vector

becomes

Based on your code I surmised it was likely susceptible to an injection attack vector and wanted to make you aware of it before someone actually tries it.

Re:White Hat

[amiga3D]

There will be no permission. The real reason he's in jail is they're pissed off everyone knows how fucked up their system is. He outed them and they popped his ass in the slammer for it. If they were actually interested in providing a secure system they would have rewarded him instead. The way he was treated says everything about Sharon Harrington's professionalism. She's a typical CYA type interested only in her own continuance of incompetence at her job. I'd say the people in that county should see that she's sacked if they ever want an improvement. Wonder how many of those Ipads walked off on her watch? Maybe they could find a cell for her too.

Re:White Hat

[Mr+D+from+63]

If they were actually interested in providing a secure system they would have rewarded him instead.

Permission can't come in hindsight. Maybe there are pissed off people who reported him, but he still broke the law and MUST be prosecuted if there is evidence, which there clearly is. It not like there is a choice in the matter.

Re:White Hat

[shawn2772]

Or, in the future, sell it to the Russian mob for big bucks and retire.

Someone good at writing Russian gangster dialog should write that scene. It would include the Russian mobster trying to figure out why Levin thinks he'd care about hacking Lee Country elections.

Re:White Hat

[Kernel+Kurtz]

Or, in the future, sell it to the Russian mob for big bucks and retire.

Should be marked insightful, not funny.

If government is going to be douchey towards people who point out vulnerabilities, then best not to disclose anything to government. They completely deserve whatever comes next.

Let them fail all by themselves.

Re:White Hat

[raymorris]

Imagine if someone found the key to a government building under the door mat. That's clearly a major security lapse.

Imagine if they next USED that key to enter the building on a weekend and rummaged through the offices inside. That's second-degree burglary.

This guy found a way to retrieve the admin password (key), and should have stopped there. Instead, he USED the admin password to log in and rummage around. I've been doing network security for twenty years. I've never seen any reason to do that.

Re:White Hat

[GameboyRMH]

The GP is right however - according to white-hat philosophy, we should stick our heads into the sand and pray, for to test the security of the system without explicit permission to do so would be just as evil as anything the most ill-intentioned black-hat could do!

Re:White Hat

There is no MUST - prosecutors have discretion. Judges have discretion, and Juries (though they don;t want you to know it!) have discretion.

Re: White Hat

[jxander]

You are absolutely correct: the way he handled this is a crime. But that just highlights a massive deficiency. How are we supposed to catch security flaws like this?

I can't imagine that asking permission would end well. The target has nothing to gain, and everything to lose. We need someone (or some group) sanctioned to pen test government assets.

From election offices, to the ACA databases, to the DMV, and on and on, we have a LOT of personal data floating around. I would certainly prefer that someone is allowed to make sure these repositories are being kept up to standards.

Re:White Hat

[shaitand]

"Breaking into or executing code on a system without permission is a criminal offense. Even if he was doing it ostensibly for the greater good"

You actually can make an argument that you committed a crime in order to prevent a greater evil. It is a valid defense.

https://www.google.com/search?q=affirmative+defense&ie=utf-8&oe=utf-8

Re:White Hat

[Hulfs]

In this case, the saying definitely applies...there are a LOT of people who have no business creating code for important production systems doing so.

As scary as it is, there's a non-insignificant portion of workers actively creating software, often connected directly to the web, who have no idea what a SQL Injection is, nor why you need to worry about one.

Asking about what a SQL Injection is is one of my standard interview questions, you'd be shocked at the number of people who don't have a clue, even those who are interviewing for a senior position. Not really related, but I'm also shocked by the number of people who don't understand what an Outer Join is.

Re:White Hat

[amiga3D]

Got to love it. He got involved in politics. Still, they treated him worse than the guys that break into financial institutions to steal credit card info. Of course, in a politician's mind, making them look like the incompetent fools they are is worse.

Re:White Hat

[edtice1559]

What if he inserted the key into the lock, verified that it opened the door, locked the door again, and dropped the key off at the police station? That seems to be a better analogy. Of course if he got caught testing the key, he'd have a tough time pleading his case that he was going to turn it over to the police.

Re:White Hat

[Chas]

The thing is, if a security researcher asked for a unit to do security testing on, no permission would be forthcoming.

The security researcher, being a voter, has a legitimate interest in the safety and security of the voting system.
Also, as a voter, this person is ALREADY supposed to be able to access the system. It's the fault of the people setting up this system that his ability to access the system is that broad.
And, since the equipment is being purchased with taxpayer funds, there's a legitimate school of thought that permission for access is already implicit.

Criminals bent on subverting the voting system are NEVER going to ask permission.

Re:White Hat

[AK+Marc]

When Putin gets more electoral votes than Trump, you'll see why the Russian mob cares.

Re:White Hat

[KGIII]

I'm pretty sure he's got no idea how the courts work and has never heard of "prosecutorial discretion." There's always a choice. It might not be a politically feasible choice but there's always a choice. It is, after all, the DA that serves as prosecution for the State. I'm not fluent in all of the Floridian regulations but I'm thinking that the Supervisor of Elections is probably not also the District Attorney, or even an assistant.

However, it is Florida. I could be wrong. ;-)

Still, there is discretion. The State may choose to not bring charges and has done so many, many times in the past. Read your local court news to see which cases were simply dismissed. Many of those will have been dismissed due to the DA opting to not prosecute for any one of a number of reasons. Better still, go to the courts and sit there, in person, and witness it and see it in action for yourself. While folks are there, they can learn about the proceedings and watch to ensure that the justice being done in their name is actually 'just' and not 'just us.'

Re:White Hat

[SecurityGuy]

After all, parameterized SQL queries have been the norm for at least eight or ten years, which means that for this to be accidental, either the software would have to be as old as Windows Vista or the developers would have to be so grossly incompetent that they would never be able to hold down a job writing database software for more than a week or two.

Oh, I don't know. Plenty of software is written by people who don't know what parameterized queries are, or who think "it's behind a firewall" is adequate security. If you actually work somewhere you don't see stuff like this, you're either not looking or very, very lucky and you should never quit your job, because literally everywhere else is worse.

Re:White Hat

[John+Meacham]

That discretion is based on quality of evidence. If the evidence is clear, there is no choice. Its not the movies.

Completely, utterly not true. The DA has fully discretion on what to prosecute. And political reasons are a huge part of deciding whether to do so or not. [1]

Not only does the DA have the freedom to not prosecute, a jury can declare someone not guilty they know is guilty if they believe the law itself or the punishment that will happen if declared guilty is unjust. [2]

[1] http://definitions.uslegal.com...
[2] https://en.wikipedia.org/wiki/...

Re:White Hat

[rsborg]

After all, parameterized SQL queries have been the norm for at least eight or ten years,

I failed an interview at Cisco for not knowing about prepared SQL statements... back in 1998. Was a big learning experience for inexperienced me. So parameterized queries have been around (and highly recommended) even way back in the golden 90's "Perl is all you need" days.

Re:White Hat

[Shortguy881]

There is a major difference between academic knowledge and practical application. I say this because I still see many developers (I do code reviews where I work and help aspiring developers outside of work) who completely ignore what they learned and just go about solving the problem the fastest way. You are right in saying there is no excuse, but that doesn't make people code better and it doesn't make this particular vulnerability malicious.

No he wasn't

[110010001000]

He was arrested for actually hacking the website. Stop it with the clickbait headlines. This isn't the Star.

Re:No he wasn't

[Mr+D+from+63]

On second thought, it will be interesting to see the number of dupes posting here who believe the headline.

Re:No he wasn't

[hesiod]

He was "hacking" it on a video demonstrating it directly to THE ELECTIONS SUPERVISOR, who agree he should not have been arrested.

Re:No he wasn't

[Luthair]

For a running service 'testing' hacks is still hacking.

Re:No he wasn't

[110010001000]

No he wasn't. He "hacked" it previously before the demonstration. Stop lying. I agree he shouldn't have been arrested but there is no reason to lie for clicks.

Re:No he wasn't

[iCEBaLM]

So what you're saying is that nobody should ever try to discover vulnerabilities and report them?

What I'm getting at here is yes, in this instance, he went a little too far by using the credentials he found after the injection was done to login to other parts of their system, but if he had stopped after the initial injection worked, and then disclosed that vulnerability to the owners, is that technically still hacking? And if so, doesn't that create a rather terrible precedent?

Re:No he wasn't

[shaitand]

Technically, you should never be checking a third party service for vulnerabilities without their explicit consent. As a third party, no you aren't supposed to test sites for vulnerabilities.

Re:No he wasn't

[Obfuscant]

I'm having trouble even knowing where to start with someone who thinks that robbing from the rich and giving to the poor is in any way analogous to a security researcher reporting a flaw they discovered.

It isn't. But "breaking the law" is analogous to using a website flaw to gather login credentials and then using those credentials to access other, properly protected material. From TFA:

"Levin then went a step further and used the Lee County supervisor's username and password to gain access to other password protected areas."

First off, if what he did is illegal under the current law (which has yet to be decided in court),

When someone says "he broke the law" in common language, it means "I believe there is evidence to support the claim he broke the law." And here, there is. Unauthorized use of computing systems is a crime. He knew his access was unauthorized because he had to use credentials that he got from breaking into a website.

So, while criminal liability and determination of guilt under the legal system has to await a court's decision, it is fair to say "he broke the law" in normal discussion.

then the law should be repealed and the jury should vote for nullification.

So you'd be happy if someone shoulder-surfed your login and then used that to look through all your files? The law against unauthorized computer access deals with that; it should be repealed or nullified you say.

Second, unlike your "rob from the rich to give to the poor" analogy, what he actually did was the equivalent of walking through a gigantic hole into a bank's vault,

Nope. He had to log in using credentials he got by picking the lock on a vault door.

left the money alone,

Again, nope. He used the credentials he obtained after picking the lock on the vault door to open a few other properly secured doors. That's not leaving the money alone, that's using the money he found.

And it doesn't take a conspiracy to recognize that it would only take a phone call from the election officer to the D.A. to get this guy charged, since he posted a video of something that on its face would appear to be illegal...

Yes. Why is this a bad thing? Should election officials not be allowed to report illegal activities they see in a video posted publicly?

..if you didn't apply any common sense at all.

The failure of common sense occurred when the white hat hacker didn't immediately report the problem to the relevant authorities, but instead "went a step further and used the Lee County supervisor's username and password to gain access to other password protected areas."

The problem with the website was the ability to perform an SQL injection attack. It was a violation of law to then use the credentials to wander around other password protected areas. But see, the summary doesn't talk about the latter problem, it claims he was arrested for reporting the SQL issue. You have to read TFA to find out what actually happened, because a headline that says "hacker arrested for using stolen credentials to access elections computer" isn't sexy enough a headline for this forum.

Re:FLORIDA

[__aaclcg7560]

According to an episode of The X-Files, "all the nuts roll downhill" state.

Government willfully ignorant of their own laws

[randomErr]

I wish best for this guy. He did what was right and now faces several felonies. I hope this gets thrown out and he can files a big fat civil lawsuit at the count. He has his felony charges published all over the news and in postings. He'll never be able to get top secret clearance. Any potential employer will Google this guy and may consider him to be too hot to handle.

Re:FLORIDA

[The-Ixian]

Replying because I mis-click moderated you.

Was going for +1 Funny and clicked -1 Troll instead.

Lesson be learned

Next time don't report it to them, report it to the media.

Re:Lesson be learned

[HornWumpus]

Next time make the reported results so preposterous it's obvious that shenanigans are involved.

Make 'Vermin Supreme' get 110% of the votes. Give the mainstream candidates large enough negative vote counts to give the national popular vote to 'Vermin Supreme'.

Until someone does this, to a system directly feeding data to the news networks, the system will continue to be reported as 'secure and working as designed'.

Re:FLORIDA

[__aaclcg7560]

Was going for +1 Funny and clicked -1 Troll instead.

Happens all the time. ;)

It shouldn't matter

[SeattleLawGuy]

How do you find a vulnerability without actually testing it?

It almost shouldn't matter in this case. It does, but it shouldn't. When you bring felony charges for basic pen testing, people who find a system is vulnerable are not going to report it. Even if they shouldn't have been snooping around in the first place, isn't it better if they're willing to report the vulnerability before someone does real damage?

Basic SQL injection vulnerabilities are so trivial to guard against these days that it is the person who spec'd or coded the system who should be facing severe punishment, not the person who ran a penetration test. It is very much like leaving a ballot box unguarded and unlocked at a polling place, and then arresting the person who lifts up the lid and says "hey, someone left this unlocked!" Sure, he shouldn't have been checking, but he's not the one who dropped the ball and you don't arrest him for it.

In a worse case, this could have been done easily by a random tech guy barely out of high school, a malicious government, a ransomware operator, or anyone who wanted to steal the election. Many people love this kind of soft target. The local government should be thanking their lucky stars it was done by someone who reported it instead of using it to elect the candidate slate of their choice.

Re:It shouldn't matter

[iCEBaLM]

It is very much like leaving a ballot box unguarded and unlocked at a polling place, and then arresting the person who lifts up the lid and says "hey, someone left this unlocked!" Sure, he shouldn't have been checking, but he's not the one who dropped the ball and you don't arrest him for it.

I agree, somewhat. The analogy breaks down slightly because in the "physical world" you can sense that something may be open, such as a door, by looking at it and not necessarily walking through. Then the question is, is it illegal to try to open a locked door? Is it illegal to try to open a door that isn't yours but is easily accessible? (no barriers, no signage, etc)

However when it comes to networks, the only way to "see" a vulnerability is to actually use it and test if it works. Is that hacking? Should it be illegal?

Wrong way to go about it

[SuperKendall]

The correct approach for fixing security issues in a voting system are to elect yourself, then appoint a team of people to correct the issue while funneling you money.

Re:Wrong way to go about it

Just change the winners name to "You have an SQL injection vulnerability".
And be done with it.

Next time, sue the state

[TranceThrust]

Security professionals and tech enthusiasts should take note of this technique and apply it in reverse: instead of reporting vulnerabilities to the government institutes who caused them, bring those guys to court. Sue them for unsafely handling the information you entrust them with. Things are not going to get better unless this kind of incompetence can cost someone's head.

Re:FLORIDA

[Sir_Eptishous]

There is no downhill for anything to roll to in Florida.

Isn't Wikileaks still around?

[John.Banister]

When I was thinking about who could pass on this sort of useful information without exposing the source to prosecution, Wikileaks came to mind.

Re:FLORIDA

The joke is that things roll downhill from the rest of the US into Florida.

Re:Must we prepend "tax payer" to money

[ScentCone]

so it is kind of redundant to quantify the term money with "tax payer"

No, it's not. Because a LOT of people seem to think that there actually is something called "government money." Nearly half the country pays no income tax at all, and a large percentage of those get a "tax refund" on the income taxes they don't pay. That flow of money is rarely referred to as "other people's money" - just as tax credit, as earned income credit ... as anything other than a portion of the money that other people pay as taxes. Politicians, especially on the left, talk routinely about how they'll start a new program, or enhance regulatory power, or fund this, or that ... all with a glossy coat of the atmospherics of it being "government money." They say, "It's high time we funded and expansion of NIH's chimpanzee sexuality study..." instead of "It's high time we gathered up some money from the half of the country that pays income taxes, mostly from the minority of that half that pays almost all such taxes, and have them buy an expansion of NIH's ..."

It is this kind of attitude that pushes bean counting and attempted cost savings to such an extreme level that it is detrimental.

No, it's this kind of attitude that helps remind people whose money is being spent. That's part of keeping keeping such expenditures reasonable, instead of running up tens of trillions of dollars of debt ... do you really need to hear an explanation as to why that is detrimental?

Re:FLORIDA

[Locke2005]

I'll go with the Simpsons: "Florida, America's wang."

Slanted

[Verdatum]

manishs, did you investigate this one before pushing it up? The more I read about it, the more this all looks like a stunt by Sinclaire. Instead of going through proper channels, this guy went through an opposing candidate, and actively goes above and beyond privately reporting a security flaw; instead publically exposing it on YouTube and going on to actually explore the system once gaining access. All this with no time for the government to fix it. That's not how security evaluators should _ever_ behave. So then he goes to jail, allowing crummy summaries like this one, to effectively say "RAWR, HARRINGTON BAD!!". Harrington did not appear to pursue the arrest. It looks like Sinclair hoped to get an arrest to increase negative exposure on Harrington to help get her voted out. Publishing a summary like this on Slashdot means that these people are effectively playing the editors. The only good thing is that the summary feels so incredibly slanted that it sets off some people's bullshit detectors.

Re:FLORIDA

Frankly I'm disgusted that there's no "+1 Funny Troll" option.

A little clarity

[DanForSupervisor]

It seems my first post disappeared for some reason. Thank you so much for your great article above. Most of your posts have been fantastic. A see a very few who are a little misguided. I hope the following information helps: There was no “break[ing] into an account” as Sharon Harrington states. Sharon left the door open. Dave was driving by and saw the door had been left open by his neighbor renting the house, Sharon. He knew the person who left the door open would call the police and pretend that Dave somehow opened the door. So, he called a neighbor who understands doors and could confirm that, yes, the door in fact was left wide open. He wanted a witness, in case the person who was renting the house lied to the police. The neighbor he called, Dan, called the renter and informed her she left her door wide open. The renter couldn’t be bothered to call Dan back, ever. Instead, she called her door repair guy to call Dan back. This door guy works full time for the renter and was actually the one who left the door open to begin with. Dan and Dave had to explain repeatedly to the door guy: a. That the door was left open b. What door it was on the house c. How to close the door d. How to secure the door, so this did not happen again e. That they were lucky a burglar did not see the open door and steal anything or vandalize the house before Dave saw the open door and Dan reported it *BREAK* 1. No one was "caught." The issues were reported by Dave. In fact neither the county nor the state could tell if they had EVER had a data breach. The state was very clear about that. 2. Dave stopped as soon as he proved the holes were real. There was no rummaging around inside someone else's system. He did not take any information, either. 3. Dave never perused around the system. He simply logged in once to show the holes were real, not a honeypot. As soon as he proved his point, he backed out and never entered again. 4. None of the information was released to the public until AFTER Dave helped them fix the holes, and the systems were claimed to be secure. 5. Dave not only reported the holes, he showed them how to find the holes. After explaining where the holes were, they still could not find them. So, he showed them how to fix the holes and gave them Best Practices going forward. The state asked for a written report, which he provided. They gave him permission to go into the system. When Dave found they did not even have the most basic tools to detect intruders, he provided them with those software tools. 6. The FDLE did not actually investigate. They just tried to find a law they felt Dave broke (which is not an applicable law in this case), and tried to figure out how to nail him on it. They reported the current Supervisor's claims as fact without investigating. The claims turned out to be false. The FDLE did not put a real IT person on the case and STILL does not understand what happened or how it happened. The only dates they used they received from Dave and I, in cooperating into the investigation of why the holes were left there for years to begin with. The investigation is supposed to be into the Gross Negligence of the state and county. However, the FDLE is allowing themselves to be used as political pawns by a corrupt politician. *BREAK* There is a synopsis at: www.gofundme.com/237czxgc You can find more videos and information at www.Facebook.com/DanForSupervisor Also, there is a list at www.DanSinclair.com/supervisornews.htm The site is ugly and boring. However, the facts are accurate. I see on here some posts that appear to be from one of the two under qualified IT guys for the agency that was responsible for protecting the systems, and did not. FYI, the IT person responsible used a password of 1234. I can tell you now as it has been changed. That gives you an idea of the problem we are dealing with here. All of the UserID's and Passwords they left exposed to the public facing interface were in clear text and part of the primary database. There are a L