Slashdot Mirror


Researcher Gets 20 Days In Prison For Hacking State Websites As Political Stunt (softpedia.com)

An anonymous reader writes from a report via Softpedia: David Levin, 31, of Estero, Florida will spend 20 days in prison after hacking two websites belonging to the Florida state elections department. Levin, a security researcher, tested the security of two Florida state election websites without permission, and then recorded a video and posted it on YouTube. The problem is that the man appearing in the video next to Levin was a candidate for the role of state election supervisor, running for the same position against the incumbent Supervisor of Elections, Sharon Harrington. Harrington reported the video to authorities, who didn't appreciate the media stunt pulled by the two, and charged the security researcher with three counts of hacking-related charges. The researcher turned himself in in May and pleaded guilty to all charges. This week, he received a 20-day prison sentence and two years of probation. In court he admitted to the whole incident being a political stunt.

85 comments

  1. Political stunt as it may've been... by Lead+Butthead · · Score: 4, Insightful

    the abysmal security in place is downright embarrassing. and we all know how much the government likes to silence the messengers.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:Political stunt as it may've been... by PopeRatzo · · Score: 1

      the abysmal security in place is downright embarrassing. and we all know how much the government likes to silence the messengers.

      Lee County Florida is a Republican county, and the current Supervisor of Elections is a Republican. They're a district that had tons of issues with their elections. If you remember stories about people having to wait 6 and 8 hours to vote in the 2012 election, those came from Lee County. They shut down early voting in an effort to help out Mitt Romney, but it backfired. Then this Ms Harrington, the Election Supervisor, decided she was going to buy a bunch of iPads and use those in the election. Of course, it all went to shit.

      Florida has had a lot of issues with voter disenfranchisement, election-rigging and outright fraud. Remember Katherine Harris?

      --
      You are welcome on my lawn.
    2. Re:Political stunt as it may've been... by msauve · · Score: 2

      OTOH, there seem to be a lot of self-proclaimed "security researchers" who are looking for nothing but fame and glory, and have a primary interest beyond improving security. A responsible professional would have communicated the findings privately long before making things public on Youtube.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:Political stunt as it may've been... by Anonymous Coward · · Score: 0

      "A complaint made on a web site cannot be properly evaluated". Ok then just believe whatever you want since evaluating information is not possible if it comes from a website.

      What she did specifically was to stop the hand recount of ballots. Essentially stopping the verification process from occurring and just accepting questionable results at face value. While it may technically have been entirely legal she was also the co-chair of the Bush campaign in Florida presenting a clear conflict of interest. I say all this knowing that you cannot properly evaluate this claim just for the sake of others who may not know already.

    4. Re:Political stunt as it may've been... by AmiMoJo · · Score: 1

      More evidence that the only responsible way to disclose security issues is to anonymously post them to a public space on the internet. Unless the company has a reputable bug bounty programme you risk being sued or prosecuted.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re: Political stunt as it may've been... by Anonymous Coward · · Score: 0

      And why shouldn't the Republicans rig the elections against the Democrats? It seems in the case of Bernie that the Democrats are more than willing to rig the elections against their own. Oh I'm sorry, we shouldn't read the email leaks because ....Russia!

    6. Re: Political stunt as it may've been... by PopeRatzo · · Score: 1

      And why shouldn't the Republicans rig the elections against the Democrats?

      Trump 2016.

      --
      You are welcome on my lawn.
    7. Re:Political stunt as it may've been... by DRJlaw · · Score: 1

      the abysmal security in place is downright embarrassing. and we all know how much the government likes to silence the messengers.

      When someone is the one exploiting that abysmal security to trespass into a protected computer, they're not merely the messenger, they're the attacker. And attackers tend to get punished.

      If the reporters covering this story were being silenced, then you could complain about "shooting the messenger" problems. This is an ordinary and expected result for an ordinary incident of vigilantism.

    8. Re:Political stunt as it may've been... by Anonymous Coward · · Score: 0

      How is this the government's fault? They aren't the ones who broke the law by breaking into a server. Just because a server or anything else (a house, a car, whatever) has imperfect security doesn't mean it's OK to break in. At least I hope not. I don't want anyone busting through the windows of my house or car just to prove a point.

    9. Re:Political stunt as it may've been... by Anonymous Coward · · Score: 2, Informative

      From the youtube link: "This video was NOT released until AFTER the Lee County SoE staff CONFIRMED they had fixed the holes and the information was not compromised. The holes were fixed on 1/25/2016 prior to the uploading and airing of this video. "

    10. Re:Political stunt as it may've been... by Coren22 · · Score: 1

      If they instead pick the lock on your car, filming it the whole time, tell you about it, and wait for you to fix it before posting the video on youtube?

      He informed them of the vulnerability and waited for it to be fixed before posting the video. They didn't have an issue with it until it made the lady in charge look bad.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  2. prison and not jail? by Joe_Dragon · · Score: 1

    prison and not jail?

    1. Re:prison and not jail? by Anonymous Coward · · Score: 0

      he's probably in county jail. prison is state run and takes serious crimes and longer sentences

    2. Re:prison and not jail? by Anonymous Coward · · Score: 0

      This was my first thought. You DON'T go to "prison" for 20 days. Period. You go to a local remand facility.

      It's dipshit journalism in action. No wonder slashdot picked it up.

  3. What, no thanks? by ITRambo · · Score: 2

    Instead of commenting on helping keep the system honest, the researcher gets jail time. Politicians are jerks.

    1. Re:What, no thanks? by bloodhawk · · Score: 1

      The whole thing was done as a publicity stunt for a politician. He deserved everything he got, it is people like him that tarnish the reputation of security researchers.

    2. Re:What, no thanks? by Anonymous Coward · · Score: 0

      Motives matter, sometimes.

    3. Re:What, no thanks? by phantomfive · · Score: 4, Informative

      Here's the actual video. Between the guy who made the video, and the team that wrote code allowing SQL injections, the latter is the more serious crime.

      You should never, ever write code that allows SQL injections. It's negligent.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:What, no thanks? by Anonymous Coward · · Score: 0

      What are you talking about. We need more people doing what he did. Not less.

      In fact we need better standardized systems designed from the ground up and people paid to peer review that are actually competent in security mechanics to find hard-to-identify holes. We need thought out long-term standards where we've got an opportunity to work out the bugs. I'd rather see a system that closer resembled something from the 1990s in terms of bloat (ie little to no bloat) and simplicity combined with modern security mitigation techniques and system hardening.

      We need a new simple CPU of a secure design, standard simplified communications chips (networking), and a small well understood (by *many people* who are paid to do this) code base for these components and everything running on top that are designed for long-term use (10-15 years). This would give us the opportunity to work out the bugs and patch the holes. The software running on top should also be standardized to the greatest degree possible and modularized such that only the components needed for a particular use case were actually utilized.

      Doing this would result in systems which are much more secure. We need more decentralization too. So some complexity will ultimately find its way into the equation, but it should be well designed with proper proofs. Z.cash which is based on Zero Cash (zero proofs, or the math behind anonymity, unlike mixers). High latency anonymity networks with significant caches (something closer to Freenet than Tor). Communications software based around standards that are integrated with simpler GPG-level encryption with clear alerts where appropriate. Automated update systems that are designed with security in mind. Remote access systems that utilize true two-level authentication (password protected secure ID, not this cellular crap).

    5. Re:What, no thanks? by Anonymous Coward · · Score: 0

      Motive Always Matters.
      It is the difference between Negligent Homicide and First Degree Murder.

    6. Re:What, no thanks? by Anonymous Coward · · Score: 0

      The researcher must be a total idiot if he thinks compromising any state or federal systems related to elections will not be prosecuted. The government is already a little sensitive to people fucking around with their computer systems.

      Sort of like Snowden thinking he could steal and publish information on foreign intelligence operations and not be charged with violating the Espionage Act. His idiocy functioned on multiple levels. First he went public before he was in a country willing to shield him and is now getting a whole new perspective on what a surveillance state really looks like. The Espionage Act penalties upon conviction rival the penalties for committing capital murder and he has already publicly admitted his actions. All because he took it upon himself to single-handedly change US foreign intelligence policies while evidently never understanding that the US is not the only country on the planet conducting foreign espionage operations. You would have thought he would have realized that "counter intelligence" operations require a minimum of two parties.

      Breaking into any system and claiming you are merely testing the security to show the owners the weaknesses is bullshit. It's no more than some twit saying "look how smart I am".
      If you want to test someone's security you better get permission first and there are plenty of legitimate bug bounty programs to keep them busy. Programs that are paying out a large sum of money for those willing and able to participate.

    7. Re:What, no thanks? by Anonymous Coward · · Score: 0

      He didn't get anything. The wannabe politician got off free. Only the researcher went to jail. It probably wasn't even his idea to hack the site.

    8. Re:What, no thanks? by phantomfive · · Score: 1

      If it makes you feel better, the wannabe politician (aka 'Florida Man') didn't win the election.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:What, no thanks? by ShanghaiBill · · Score: 1

      You should never, ever write code that allows SQL injections. It's negligent.

      Then why do nearly all SQL libraries enable injections? Why aren't parameterized queries required? Is there any reason not to use them?

    10. Re:What, no thanks? by ShanghaiBill · · Score: 2, Insightful

      the researcher gets jail time.

      Just because a vandal calls himself a "researcher" doesn't mean he is one.

      Politicians are jerks.

      So are vandals.

    11. Re:What, no thanks? by phantomfive · · Score: 1

      Is there any reason not to use them?

      No.

      --
      "First they came for the slanderers and i said nothing."
    12. Re:What, no thanks? by swalve · · Score: 1

      Exactly. When you do civil disobedience, you have to be willing to do the time. He did the right thing, perhaps the wrong way.

    13. Re:What, no thanks? by Anonymous Coward · · Score: 0

      Am I correct in understanding that the politician was there with him, participating in the video as the attack was performed?

      Why isn't he getting jail time too?

      Oh...right....they are above the law.

    14. Re:What, no thanks? by Anonymous Coward · · Score: 0

      Not in FBI investigations...

    15. Re:What, no thanks? by kbrannen · · Score: 3, Informative

      You should never, ever write code that allows SQL injections. It's negligent.

      Then why do nearly all SQL libraries enable injections? Why aren't parameterized queries required? Is there any reason not to use them?

      Is there any reason not to use parameterized queries? No.

      Is there any reason non-parameterized queries are enabled? Yes, probably plenty, but I'll give the easy one. :)

      The libraries and code can't really tell the difference between "select * from table1 where id < 100" and "select * from table1 where id < $variable" because the calling code is going to fill in $variable from some user input. The first form may be reasonable business logic because all non-reference values are less than 100 and user input values start at 101. The second form looks a lot like the first, but has different intent. The libraries can't determine the intent and by the time they see the SQL, the variable has been expanded and really looks the same.

      That being said, good libraries only allow 1 SQL statement per call so injection is a lot harder because "select * from table1 where id < 0 ; delete from users where 1" (injected part in bold) would be disallowed. But injection is a problem because many libraries allow that.
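Added example, not part of any comment in this thread: the string-built versus parameterized behaviour discussed above, run against Python's `sqlite3` module with the two names quoted in a later comment ("O'Riley" and the "Robert'); DROP TABLE Students; --" input). The `Students` table, the 'Alice' row and all function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed inputs: the two names quoted in a later comment of this thread.
APOSTROPHE_NAME = "O'Riley"
STACKED_NAME = "Robert'); DROP TABLE Students; --"


def make_db():
    """Fresh in-memory database with one existing row (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Students (name TEXT)")
    db.execute("INSERT INTO Students (name) VALUES ('Alice')")
    db.commit()
    return db


def table_exists(db):
    """True while the Students table is still present in the schema."""
    row = db.execute(
        "SELECT count(*) FROM sqlite_master "
        "WHERE type = 'table' AND name = 'Students'"
    ).fetchone()
    return row[0] == 1


def same_text_reaches_library(user_value):
    """After expansion the library receives one plain string, so a hard-coded
    literal and an interpolated user value are indistinguishable to it."""
    literal = "select * from table1 where id < 100"
    expanded = "select * from table1 where id < %s" % user_value
    return literal == expanded


def insert_by_string_building(db, name, allow_many_statements):
    """Unsafe pattern: the value is pasted into the SQL text before the call."""
    sql = "INSERT INTO Students (name) VALUES ('%s')" % name
    try:
        if allow_many_statements:
            db.executescript(sql)  # accepts several ';'-separated statements
        else:
            db.execute(sql)        # refuses text after the first statement
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Older Python versions raise sqlite3.Warning for the multi-statement
        # case, newer ones sqlite3.ProgrammingError; both are caught here.
        return "rejected: " + type(exc).__name__
    return "ok" if table_exists(db) else "table dropped"


def insert_with_parameter(db, name):
    """Safe pattern: the SQL text is constant, the value is bound separately."""
    db.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    rows = db.execute("SELECT name FROM Students ORDER BY rowid")
    return [row[0] for row in rows]


if __name__ == "__main__":
    print("literal == expanded:", same_text_reaches_library("100"))
    for label, name in (("apostrophe", APOSTROPHE_NAME), ("stacked", STACKED_NAME)):
        print(label, "| multi-statement call :",
              insert_by_string_building(make_db(), name, True))
        print(label, "| single-statement call:",
              insert_by_string_building(make_db(), name, False))
        print(label, "| bound parameter      :",
              insert_with_parameter(make_db(), name))
```

The one-statement-per-call limit stops the stacked `DROP TABLE`, but the string-built query still fails on the harmless "O'Riley"; only the bound parameter stores both inputs as plain names.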

    16. Re:What, no thanks? by ssufficool · · Score: 3, Informative

      Vandal: I do not think that word means what you think it means. He exposed a vulnerability and reported before going public. He in no way defaced or destroyed the website or data.

    17. Re:What, no thanks? by Anonymous Coward · · Score: 0

      Then why do nearly all SQL libraries enable injections?

      How does one 'disable' injections when your library takes a raw SQL text string as input?

    18. Re:What, no thanks? by Anonymous Coward · · Score: 0

      Is there any reason not to use parameterized queries?

      Yes, when you go with the lowest price, nonparameterized queries are "technically acceptable" because they get the job done. Lowest Price Technically Acceptable (LPTA) is the government term I am referencing here. It is why so many OPM, DHS, FBI, DoD, etc., etc. systems have such crappy security despite very clear policies emphasizing security. Under these types of contracts, the guy that "guarded" the cash register at McDonalds for 20 years is the top candidate for a security engineering job with his 20 years of security experience. It is how crap like "cybersecurity" becomes industry standard verbiage because the people at the top are being advised by morons hired by companies making a killing. I have been told time and time again that I will get what I pay for and obviously so will the government.

    19. Re:What, no thanks? by parkinglot777 · · Score: 1

      Then why do nearly all SQL libraries enable injections?

      IMHO, it is not their business to determine validity of injection queries. It is the responsibility of the query implementers to SANITIZE the query string to their intent of use. You could compare SQL libraries as tools. They are fine by themselves and would have no problem if being used properly. However, too many people can use them but don't really have the knowledge to use them properly; thus, this kind of problem occurs.

    20. Re: What, no thanks? by Anonymous Coward · · Score: 0

      Agreed. In fact I know of one product that definitely does not use parameterized queries. However, this was considered acceptable because a) the database is short-lived, b) contains no user-sensitive information, c) it's essentially read-only once populated; d) isolated to each device; e) [most importantly] the data comes into the box over a trusted channel, not the internet, with no outside access; and is 100% controlled by the organization which creates the source data. Even if someone hacked a device, all they'd do is mess up the info displayed to them on their own box and/or crash it, and it all goes poof with the next day's data anyways. The device controls no other devices (ie., no network client/server capability to the outside world).

      Cargo-cult security practices aren't much better than no security practices. One must actually think about the possibilities and have multiple eyes review the design on an ongoing basis.

    21. Re: What, no thanks? by Anonymous Coward · · Score: 0

      Snowden knew very well he'd probably be charged under the Espionage act, he was not being an 'idiot'. He knew of prior whistleblowers (Drake et al.) who'd been subjected to far worse, all of whom had tried to go through legit channels. That's why he exited the US prior to making his leaks public.

    22. Re:What, no thanks? by Coren22 · · Score: 1

      Apparently, they were perfectly ok with the breach and reporting he did until the video hit (after they told him they corrected the issue).

      He is only getting time because he made Sharon Harrington look bad.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    23. Re: What, no thanks? by Coren22 · · Score: 1

      Prior whistleblowers did not go through proper channels, and were prosecuted. The proper channels are there to provide a method that is allowed within the NDAs signed. Snowden decided to publish rather than go through proper channels. He purposely committed treason and espionage when he had options available to him that did not break these laws.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  4. Never report security vulnerabilities by Anonymous Coward · · Score: 1

    Too much risk in reporting vulnerabilities to the proper parties. The only sane thing to do is sell the vulnerabilities on the dark web and pocket the cash (and keep your freedom).

    1. Re:Never report security vulnerabilities by tomhath · · Score: 3, Interesting

      If he had reported the vulnerability he wouldn't go to jail. But by exploiting it to make a candidate look bad he deserves what he'll get in jail.

    2. Re:Never report security vulnerabilities by Anonymous Coward · · Score: 0

      Says you. I'm with parent. Criminal Justice system is the bounty waiting for Dudley Do-rights. Only a moron gives something away for free while risking punishment when the bad guys will pay Bitcoin with less risk of criminal consequences. This is what happens when you shoot too many messengers.

    3. Re:Never report security vulnerabilities by AlphaBro · · Score: 1

      IANAL, but this is blatantly wrong. If you test a system without permission, you are breaking the law. It does not matter if you exploit any vulnerabilities or not.

    4. Re:Never report security vulnerabilities by AlphaBro · · Score: 1

      Nonsense, nobody is paying for garbage like this. And if you've got something that's actually good, such as an exploit for Chrome, you can easily sell it for five or six figures to a "legitimate" company with absolutely no risk of repercussions.

    5. Re:Never report security vulnerabilities by sinij · · Score: 1

      If you test a system without permission, you are breaking the law. It does not matter if you exploit any vulnerabilities or not.

      Good thing black hats always ask permission before compromising web sites.

      Nothing gets fixed unless someone somewhere gets embarrassed.

    6. Re:Never report security vulnerabilities by AlphaBro · · Score: 1

      I didn't say the law was just, I merely pointed out that the distinction is not between discovery and exploitation.

    7. Re:Never report security vulnerabilities by swalve · · Score: 1

      Black hats are "the bad guys". You can't claim to be a good guy when you are doing the exact same thing. There are other ways to make the point.

    8. Re:Never report security vulnerabilities by AK+Marc · · Score: 1

      There have been complaints about those systems. Nobody cared. Until it was compromised on camera, it wasn't fixed. When the ostrich response is the only response, unless you make an elected official look like an idiot, should you have to go to jail for disclosing a vulnerability?

    9. Re:Never report security vulnerabilities by AK+Marc · · Score: 1

      If you suspect it's vulnerable, what do you do? Verify your suspicions? Report them without proof or verification? One is illegal, and the other is ignored. And the vulnerability will remain, to be exploited later.

    10. Re:Never report security vulnerabilities by AlphaBro · · Score: 3, Insightful

      If it's a live system, permission has not been granted, and a similar test environment cannot be set up, then I ignore it, and if at all possible, I avoid using the vulnerable system in question. Bear in mind I say this as someone that does vulnerability research for a living. I'm not a fan of the extant legislation, but if that's what society wants from me, that's what it's going to get. I refuse to risk my freedom for a bunch of assholes that don't want my help, and I've plenty of paying customers that aren't complete idiots, so my attention is better spent on them.

      Maybe someday the pols will get their shit together and the problem will work itself out, but I have little faith at this point.

    11. Re:Never report security vulnerabilities by Anonymous Coward · · Score: 0

      The only way to get any corporation or politician to do something:

      1) Make them lots of money.

      2) Make them look really GOOD.

      3) LOSE them lots of money.

      4) Make them look really BAD.

      Note, however, that 2 and 4 are very bad ideas unless you are God, rich, or just don't care.

    12. Re:Never report security vulnerabilities by meta-monkey · · Score: 1

      If he had reported the vulnerability he wouldn't go to jail.

      He did. In addition to informing election officials, he also published the video for political purposes.

      But by exploiting it to make a candidate look bad he deserves what he'll get in jail.

      Correct, you have identified the true unforgivable crime: embarrassing politicians.

      --
      We don't have a state-run media we have a media-run state.
    13. Re:Never report security vulnerabilities by ebyrob · · Score: 1

      You can't use a system without "testing" it in some way.

      Purposely taking control of a computer system above your sanction is breaking the law.

      These are OK:
      Oops my keyboard slipped and I accidentally typed: John Smith'
      Oops my name is: O'Riley

      Not OK:
      Robert'); DROP TABLE Students; --

    14. Re:Never report security vulnerabilities by Anonymous Coward · · Score: 1

      Not everything is about you, and not everything is your responsibility. There are ethical, not to mention legal lines that must be respected. If you've done everything legal and ethical, then that is the point at which you must stop. Cross that line and you risk moving from White Hat to Black Hat status.

      You don't have to like it. The vulnerability may well be there and risk spilling information. It's not your responsibility anymore and it's irresponsible to continue. This is the difference between being a professional and being an amateur. Pros know about the lines and respect them. Amateurs might know about the lines, might decide that "they know better", and might cross the line.

      Cross the line and you set yourself up for legal liability.

  5. He gives "security research" a bad name by QuietLagoon · · Score: 3, Funny

    Granted some of the system (most?) needs to have a good security audit, he should not have done it so publically. He should have contacted the owner of the site and told them about the issues he found.

    Putting the video on youtube shows that he deserved the jail time he received.

    1. Re:He gives "security research" a bad name by sjames · · Score: 1

      Since the site is part of the county government, the public is the owner.

    2. Re:He gives "security research" a bad name by QuietLagoon · · Score: 1

      OK, then go to the county government. My point remains the same.

    3. Re:He gives "security research" a bad name by Anonymous Coward · · Score: 0

      And the Public Put him in a Public Jail.

      Adding the word Public does not excuse a crime.

    4. Re:He gives "security research" a bad name by sjames · · Score: 1

      Not really. The public (in particular, the voters) have a right to know. That is, the disclosure was in the public interest (even if it was ultimately a publicity stunt).

    5. Re:He gives "security research" a bad name by phantomfive · · Score: 1

      He should have contacted the owner of the site and told them about the issues he found.

      He did. The video wasn't released until after the issue was fixed.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:He gives "security research" a bad name by sjames · · Score: 2

      Except when it means that he actually did contact the owners of the website about the problem.

      He probably did earn a few days jail for grandstanding, but probably not the probation.

    7. Re:He gives "security research" a bad name by AlphaBro · · Score: 1

      Agreed. Our current laws sound good on paper, but we need exemptions for stagnant government organizations that won't grant permission for penetration tests. Actual attackers aren't going to ask for permission, nor will they reveal actions.

    8. Re:He gives "security research" a bad name by Anonymous Coward · · Score: 0

      Publicly. The word is publicly.

    9. Re:He gives "security research" a bad name by Anonymous Coward · · Score: 0

      He didn't 'earn' any days jail unless you're a fan of wasting even more of your tax contributions on housing a non-violent offender for absolutely no good reason.

      I think what you meant to say is he earned a more hefty fine that he'd have no trouble paying given his status.

  6. Bad security is NOT an invitation to break in by Sycraft-fu · · Score: 4, Interesting

    You don't want it to become one either, or people can break in your house because it has shit security. Even if you have "good" security for a home, it still sucks in the grand scheme and is trivial to bypass. However I imagine you'd be pretty pissed if someone broke in and said "Well you have abysmal security, don't silence the messenger!"

    That doesn't mean people shouldn't try and have good electronic security (and physical security for that matter) but that they don't is not an invitation or excuse for breaking in.

    1. Re: Bad security is NOT an invitation to break in by Anonymous Coward · · Score: 1

      I agree except that a neighbor telling you that your door is wide open shouldn't go to prison for trespassing.

      This guy did it wrong of course, you tell the "home owner". You don't buy a four page ad in the wall street journal with the address and how to get in -which is what he did in this case-.

    2. Re:Bad security is NOT an invitation to break in by Anonymous Coward · · Score: 2, Informative

      You don't want it to become one either, or people can break in your house because it has shit security. Even if you have "good" security for a home, it still sucks in the grand scheme and is trivial to bypass. However I imagine you'd be pretty pissed if someone broke in and said "Well you have abysmal security, don't silence the messenger!"

      That doesn't mean people shouldn't try and have good electronic security (and physical security for that matter) but that they don't is not an invitation or excuse for breaking in.

      Keep in mind, what we are actually talking about is a taxpayer-funded website that is open to the public (and the entire world). How you make the leap from that to breaking into a private home seems to just be a straw man argument.

      If you are a known election official with obligations to the voters, then you should expect to be held accountable if you are violating basic best practices.

      So, back to your private home break-in metaphor, if the election official is bringing confidential information home, putting it in their trash and then leaving it in an unlocked trash bin at the public street curb, it should be open to public review. The fact the trash bin is in front of a private home should not ever be a valid excuse to betray the public trust in failing to meet the obligation to correctly handle confidential data.

      I really don't care if your straw man argument dictates that such a review of the trash is a so-called "break-in" instead of an audit. The election officials still failed to meet their obligations to follow computer security best practices.

      So, he went to a system that was intended for public access (similar to a public street curb) and issued a SQL injection which copied the data into a temporary memory buffer for storage and when the buffer was delivered, it was emptied for future use (similar to a trash bin). None of this involved breaking into a privately owned home or anything close to it.

      Election officials should be shielded by the law for their failures. Best practices shouldn't be something you might "try" to do to meet obligations to the voters. Failing to meet those obligations very much should be an excuse for a security audit.

    3. Re:Bad security is NOT an invitation to break in by geekmux · · Score: 1

      You don't want it to become one either, or people can break in your house because it has shit security. Even if you have "good" security for a home, it still sucks in the grand scheme and is trivial to bypass. However I imagine you'd be pretty pissed if someone broke in and said "Well you have abysmal security, don't silence the messenger!"

      That doesn't mean people shouldn't try and have good electronic security (and physical security for that matter) but that they don't is not an invitation or excuse for breaking in.

      Shitty home security affects the lives of a single family.

      Shitty election security affects the lives of millions of people.

      BIG difference when talking about silencing messengers.

    4. Re:Bad security is NOT an invitation to break in by Coren22 · · Score: 1

      If someone picks your lock while filming it, tells you how they picked your lock, and gives you the chance to fix it before posting the video, would you really lock them up for trespassing when they didn't actually enter your house?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    5. Re: Bad security is NOT an invitation to break in by Vermonter · · Score: 1

      You don't need to walk in to a house to verify that the door is open.

  7. bum rap by Anonymous Coward · · Score: 0

    "In court he admitted to the whole incident being a political stunt."

    Probably true, but the stunt would not have been possible if the incumbent (Sharon) had been doing her job.

    1. Re:bum rap by K.+S.+Kyosuke · · Score: 1

      You've misspelled "incumbetent".

      --
      Ezekiel 23:20
  8. Re:Oh lawd by K.+S.+Kyosuke · · Score: 1

    This is much more interesting and relevant, I think. (But some would perhaps argue that being dumb is its own kind of ugliness.)

    --
    Ezekiel 23:20
  9. Sense when did by Anonymous Coward · · Score: 0

    Prison and Jail become interchangeable words?
    Makes you look ignorant.

    1. Re:Sense when did by Anonymous Coward · · Score: 0

      Probably about the same time as sense and since.

  10. Security hackers are valuable to society by LeftCoastThinker · · Score: 1

    We the people need to get a grip on this country or we are going to end up a banana republic. If we could only figure out how to get a referendum process in place at the national level such that the people could pass laws irrevocable by congress or the courts (essentially constitutional amendments, above the crap that congress churns out) we would be in such better shape.

    We could pass a common sense law that security researchers could register as such with the FBI (or even maybe a private non-profit security professional organization; US Cyber Security Society or some such) and then pretty much attempt to penetrate any system that they want, with the additional caveat that they send the results and any evidence back to the company/entity tested. They would also be free to disseminate information about the hack, but not anything sensitive from the servers they penetrated to the public as a news/informative service. In much the same way reporters are specially protected, they should be protected as the public has a right to know if there are gaping security holes in their banks, their ballot boxes etc...

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
  11. Re: Oh lawd by Anonymous Coward · · Score: 0

    You could throw in lazy, incompetent and possibly corrupt and that's just going by that short interview.

  12. Testing security is a crime by Tony+Isaac · · Score: 2

    ...unless you have permission from the owner.

    If I test the security of your house by trying to break in, you have every right to call the police and have me arrested. Now, if you pay me, or invite me, to test your home security by trying to break in, that's a completely different story.

    Computer systems are no different.

    1. Re:Testing security is a crime by Anonymous Coward · · Score: 0

      What if I don't want to pay you and think your claims that my house is insecure are total bs?

  13. replace() by Anonymous Coward · · Score: 0

    Funny how this article gets a totally different connotation when you replace researcher with script kiddie. Still, thankfully he didn't get more jail time and I agree people should be kept responsible for the protection of data in their servers.

  14. Punish the person reporting the problem by Anonymous Coward · · Score: 0

    This is SO VERY TYPICAL of idiots and buffoons - punish the person that shows you clearly you f---ed up in your so-called security.... I as a taxpayer applaud them for showing how lackadaisical your handling of security is, as it shows a systemic problem - not unlike a certain candidate that doesn't seem to grok the word "classified"...

  15. lol "security researcher" by Anonymous Coward · · Score: 0

    I love this new "security researcher" designation. It sounds so much more professional than "nerd loser with no social life, no girlfriend and no life still living in his mother's basement well into his 30s".

  16. Just by HeckRuler · · Score: 1

    20 DAYS? And then some probation.

    Huh. Ok. Sometimes the punishment really does fit the crime. Bravo court system.