Slashdot Mirror


Security Expert Jailed For Reporting Vulnerabilities In Lee County, FL Elections (theregister.co.uk)

rootmon writes: Information Security Professional David Levin was arrested 3 months after reporting un-patched SQL injection vulnerabilities in the Lee County, Florida Elections Office run by Sharon Harrington, the Lee County Supervisor of Elections. Harrington's office has been in the news before for voting systems problems (for example, during the 2012 election, 35 districts in Lee County had to remain open 3 hours past the closing of polls due to long lines and equipment issues, wasting $800,000 to $1.6 million of taxpayer money on incompatible iPads for which her office is facing an audit). Rather than fixing the issues in their systems, they chose to charge the whistleblower with three third-degree felonies. The News Press also has several related interviews.

16 of 307 comments

  1. White Hat by Anonymous Coward · · Score: 5, Interesting

    I hope the courts recognize that white hats are the good guys. I hope that paves the way for Levin (and EFF) to sue Lee County and Harrington for damages. And I hope that discourages other politicians from lashing out at the good guys.

    1. Re:White Hat by Martin+Blank · · Score: 5, Insightful

      Breaking into or executing code on a system without permission is a criminal offense. Even if he was doing it ostensibly for the greater good, Levin should know better (and a tweet from him suggests that he knows he should have known better). The courts aren't going to let this slide just because he's a "good guy," because that sets a bad precedent.

      If you're going to try to break into a system, get permission. If you absolutely must do it without permission, use a burner name and address to make the notification, or go through an attorney to make the notification.

      --
      You can never go home again... but I guess you can shop there.
    2. Re:White Hat by MightyMartian · · Score: 5, Funny

      Or, in the future, sell it to the Russian mob for big bucks and retire.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:White Hat by dgatwood · · Score: 5, Interesting

      Ha, ha. You still think those vulnerabilities were accidents.

      IMO, it seems far more likely that the SQL injection holes were deliberate. After all, parameterized SQL queries have been the norm for at least eight or ten years, which means that for this to be accidental, either the software would have to be as old as Windows Vista or the developers would have to be so grossly incompetent that they would never be able to hold down a job writing database software for more than a week or two.

      The whole "never attribute to malice" thing applies only when it can be plausibly attributed to incompetence. SQL injections in an election system in 2016 fall so far on the other side of that line that you can't even see the line from there.

      With that said, in the unlikely event that I'm wrong, and that it really was caused by a grossly incompetent vendor, I expect to see that vendor added to a government blacklist and become immediately ineligible for any government contracts going forward. I also expect to see the software in question thrown away and paper ballots used until such time as a suitable replacement can be found. There's no excuse for allowing software that doesn't even meet 2010-era standards to be used for running elections in 2016. None whatsoever.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:White Hat by ArhcAngel · · Score: 4, Insightful

      When exposing the vulnerability you simply run it through the legally ambiguous filter.

      I was able to penetrate your system using an injection attack vector

      becomes

      Based on your code I surmised it was likely susceptible to an injection attack vector and wanted to make you aware of it before someone actually tries it.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    5. Re:White Hat by amiga3D · · Score: 4, Insightful

      There will be no permission. The real reason he's in jail is they're pissed off everyone knows how fucked up their system is. He outed them and they popped his ass in the slammer for it. If they were actually interested in providing a secure system they would have rewarded him instead. The way he was treated says everything about Sharon Harrington's professionalism. She's a typical CYA type interested only in her own continuance of incompetence at her job. I'd say the people in that county should see that she's sacked if they ever want an improvement. Wonder how many of those iPads walked off on her watch? Maybe they could find a cell for her too.

    6. Re:White Hat by Hulfs · · Score: 4, Insightful

      In this case, the saying definitely applies...there are a LOT of people who have no business creating code for important production systems doing so.

      As scary as it is, there's a non-insignificant portion of workers actively creating software, often connected directly to the web, who have no idea what a SQL Injection is, nor why you need to worry about one.

      Asking about what a SQL Injection is is one of my standard interview questions, you'd be shocked at the number of people who don't have a clue, even those who are interviewing for a senior position. Not really related, but I'm also shocked by the number of people who don't understand what an Outer Join is.

    7. Re:White Hat by Chas · · Score: 4, Insightful

      The thing is, if a security researcher asked for a unit to do security testing on, no permission would be forthcoming.

      The security researcher, being a voter, has a legitimate interest in the safety and security of the voting system.
      Also, as a voter, this person is ALREADY supposed to be able to access the system. It's the fault of the people setting up this system that his ability to access the system is that broad.
      And, since the equipment is being purchased with taxpayer funds, there's a legitimate school of thought that permission for access is already implicit.

      Criminals bent on subverting the voting system are NEVER going to ask permission.

      --


      Chas - The one, the only.
      THANK GOD!!!
  2. Re:FLORIDA by __aaclcg7560 · · Score: 5, Funny

    According to an episode of The X-Files, "all the nuts roll downhill" state.

  3. Re:No he wasn't by hesiod · · Score: 5, Informative

    He was "hacking" it on a video demonstrating it directly to THE ELECTIONS SUPERVISOR, who agreed he should not have been arrested.

  4. Government willfully ignorant of their own laws by randomErr · · Score: 4, Interesting

    I wish the best for this guy. He did what was right and now faces several felonies. I hope this gets thrown out and he can file a big fat civil lawsuit at the county. He has his felony charges published all over the news and in postings. He'll never be able to get top secret clearance. Any potential employer will Google this guy and may consider him to be too hot to handle.

    --
    You say things that offend me and I can deal with it. Can you?
  5. Re:FLORIDA by The-Ixian · · Score: 4, Funny

    Replying because I mis-click moderated you.

    Was going for +1 Funny and clicked -1 Troll instead.

    --
    My eyes reflect the stars and a smile lights up my face.
  6. Re:Lesson be learned by HornWumpus · · Score: 4, Interesting

    Next time make the reported results so preposterous it's obvious that shenanigans are involved.

    Make 'Vermin Supreme' get 110% of the votes. Give the mainstream candidates large enough negative vote counts to give the national popular vote to 'Vermin Supreme'.

    Until someone does this, to a system directly feeding data to the news networks, the system will continue to be reported as 'secure and working as designed'.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  7. It shouldn't matter by SeattleLawGuy · · Score: 5, Insightful

    How do you find a vulnerability without actually testing it?

    It almost shouldn't matter in this case. It does, but it shouldn't. When you bring felony charges for basic pen testing, people who find a system is vulnerable are not going to report it. Even if they shouldn't have been snooping around in the first place, isn't it better if they're willing to report the vulnerability before someone does real damage?

    Basic SQL injection vulnerabilities are so trivial to guard against these days that it is the person who spec'd or coded the system who should be facing severe punishment, not the person who ran a penetration test. It is very much like leaving a ballot box unguarded and unlocked at a polling place, and then arresting the person who lifts up the lid and says "hey, someone left this unlocked!" Sure, he shouldn't have been checking, but he's not the one who dropped the ball and you don't arrest him for it.

    In a worse case, this could have been done easily by a random tech guy barely out of high school, a malicious government, a ransomware operator, or anyone who wanted to steal the election. Many people love this kind of soft target. The local government should be thanking their lucky stars it was done by someone who reported it instead of using it to elect the candidate slate of their choice.

    --
    Real lawyers write in C++
  8. Wrong way to go about it by SuperKendall · · Score: 5, Funny

    The correct approach for fixing security issues in a voting system is to elect yourself, then appoint a team of people to correct the issue while funneling you money.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  9. Re:FLORIDA by Anonymous Coward · · Score: 4, Funny

    Frankly I'm disgusted that there's no "+1 Funny Troll" option.