Researcher Gets 20 Days In Prison For Hacking State Websites As Political Stunt (softpedia.com)

← Back to Stories (view on slashdot.org)

Researcher Gets 20 Days In Prison For Hacking State Websites As Political Stunt (softpedia.com)

Posted by BeauHD on Thursday September 8, 2016 @10:50AM from the don't-do-the-crime-if-you-can't-do-the-time dept.

An anonymous reader writes from a report via Softpedia: David Levin, 31, of Estero, Florida will spend 20 days in prison after hacking two websites belonging to the Florida state elections department. Levin, a security researcher, tested the security of two Florida state election websites without permission, and then recorded a video and posted on YouTube. The problem is that the man appearing in the video next to Levin was a candidate for the role of state election supervisor, running for the same position against the incumbent Supervisor of Elections, Sharon Harrington. Harrington reported the video to authorities, who didn't appreciate the media stunt pulled by the two, and charged the security researcher with three counts of hacking-related charges. The researcher turned himself in in May and pleaded guilty to all charges. This week, he received a 20-day prison sentence and two years of probation. In court he admitted to the whole incident being a political stunt.

3 of 85 comments (clear)

Min score:

Reason:

Sort:

Re:What, no thanks? by phantomfive · 2016-09-08 11:29 · Score: 4, Informative

Here's the actual video. Between the guy who made the video, and the team that wrote code allowing SQL injections, the latter is the more serious crime.

You should never, ever write code that allows SQL injections. It's negligent.

--
"First they came for the slanderers and i said nothing."
Re:What, no thanks? by kbrannen · 2016-09-08 16:05 · Score: 3, Informative

You should never, ever write code that allows SQL injections. It's negligent.
Then why do nearly all SQL libraries enable injections? Why aren't parameterized queries required? Is there any reason not to use them?
Is there any reason not to use parameterized queries? No.

Is there any reason non-parameterized queries are enabled? Yes, probably plenty, but I'll give the easy one. :)

The libraries and code can't really tell the difference between "select * from table1 where id < 100" and "select * from table1 where id < $variable" because the calling code is going to fill in $variable from some user input. The first form may be reasonable business logic because all non-reference values are less than 100 and user input values start at 101. The second form looks a lot like the first, but has different intent. The libraries can't determine the intent and by the time they see the SQL, the variable has been expanded and really looks the same.

That being said, good libraries only allow 1 SQL statement per call so injection is a lot harder because "select * from table1 where id < 0 ; delete from users where 1" (injected part in bold) would be disallowed. But injection is a problem because many libraries allow that.
Re:What, no thanks? by ssufficool · 2016-09-08 16:08 · Score: 3, Informative

Vandal: I do not think that word means what you think it means. He exposed a vulnerability and reported before going public. He in no way defaced or destroyed the website or data.