Researcher Gets 20 Days In Prison For Hacking State Websites As Political Stunt (softpedia.com)

← Back to Stories (view on slashdot.org)

Researcher Gets 20 Days In Prison For Hacking State Websites As Political Stunt (softpedia.com)

Posted by BeauHD on Thursday September 8, 2016 @10:50AM from the don't-do-the-crime-if-you-can't-do-the-time dept.

An anonymous reader writes from a report via Softpedia: David Levin, 31, of Estero, Florida will spend 20 days in prison after hacking two websites belonging to the Florida state elections department. Levin, a security researcher, tested the security of two Florida state election websites without permission, and then recorded a video and posted on YouTube. The problem is that the man appearing in the video next to Levin was a candidate for the role of state election supervisor, running for the same position against the incumbent Supervisor of Elections, Sharon Harrington. Harrington reported the video to authorities, who didn't appreciate the media stunt pulled by the two, and charged the security researcher with three counts of hacking-related charges. The researcher turned himself in in May and pleaded guilty to all charges. This week, he received a 20-day prison sentence and two years of probation. In court he admitted to the whole incident being a political stunt.

53 of 85 comments (clear)

Min score:

Reason:

Sort:

Political stunt as it may've been... by Lead+Butthead · 2016-09-08 10:55 · Score: 4, Insightful

the abysmal security in place is down right embarrassing. and we all know how much the government likes to silence the messengers.

--
ELOI, ELOI, LAMA SABACHTHANI!?
1. Re:Political stunt as it may've been... by PopeRatzo · 2016-09-08 11:38 · Score: 1
  
  the abysmal security in place is down right embarrassing. and we all know how much the government likes to silence the messengers.
  Lee County Florida is a Republican country, and the current Supervisor of Elections is a Republican. They're a district that had tons of issues with their elections. If you remember stories about people having to wait 6 and 8 hours to vote in the 2012 election, but those came from Lee County. They shut down early voting in an effort to help out Mitt Romney, but it backfired. Then this Ms Harrington, the Election Supervisor, decided she was going to buy a bunch of iPads and use those in the election. Of course, it all went to shit.
  Florida has had a lot of issues with voter disenfranchisement, election-rigging and outright fraud. Remember Katherine Harris?
  
  --
  You are welcome on my lawn.
2. Re:Political stunt as it may've been... by msauve · 2016-09-08 12:06 · Score: 2
  
  OTOH, there seem to be a lot of self-proclaimed "security researchers" who are looking for nothing but fame and glory, and have a primary interest beyond improving security. A responsible professional would have communicated the findings privately long before making things public on Youtube.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
3. Re:Political stunt as it may've been... by AmiMoJo · 2016-09-08 15:52 · Score: 1
  
  More evidence that the only responsible way to disclose security issues is to anonymously post them to a public space on the internet. Unless the company has a reputable bug bounty programme you risk being sued or prosecuted.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
4. Re: Political stunt as it may've been... by PopeRatzo · 2016-09-08 15:57 · Score: 1
  
  And why shouldn't the Republicans rig the elections against the Democrats?
  Trump 2016.
  
  --
  You are welcome on my lawn.
5. Re:Political stunt as it may've been... by DRJlaw · 2016-09-08 16:02 · Score: 1
  
  the abysmal security in place is down right embarrassing. and we all know how much the government likes to silence the messengers.
  When someone is the one exploiting that abysmal security to trespass into a protected computer, they're not merely the messenger, they're the attacker. And attackers tend to get punished.
  If the reporters covering this story were being silenced, then you could complain about "shooting the messenger" problems. This an ordinary and expected result for an ordinary incident of vigilantism.
6. Re:Political stunt as it may've been... by Anonymous Coward · 2016-09-08 20:51 · Score: 2, Informative
  
  From the youtube link: "This video was NOT released until AFTER the Lee County SoE staff CONFIRMED they had fixed the holes and the information was not compromised. The holes were fixed on 1/25/2016 prior to the uploading and airing of this video. "
7. Re:Political stunt as it may've been... by Coren22 · 2016-09-09 05:27 · Score: 1
  
  If they instead pick the lock on your car, filming it the whole time, tell you about it, and wait for you to fix it before posting the video on youtube?
  He informed them of the vulnerability and waited for it to be fixed before posting the video. They didn't have an issue with it until it made the lady in charge look bad.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
prison and not jail? by Joe_Dragon · 2016-09-08 10:57 · Score: 1

prison and not jail?
What, no thanks? by ITRambo · 2016-09-08 10:59 · Score: 2

Instead of commenting on helping keep the system honest, the researcher get jail time. Politicians are jerks.
1. Re:What, no thanks? by bloodhawk · 2016-09-08 11:13 · Score: 1
  
  The whole thing was done as a publicity stunt for politician. He deserved everything he got, it is people like him that tarnish the reputation of security researchers.
2. Re:What, no thanks? by phantomfive · 2016-09-08 11:29 · Score: 4, Informative
  
  Here's the actual video. Between the guy who made the video, and the team that wrote code allowing SQL injections, the latter is the more serious crime.
  
  You should never, ever write code that allows SQL injections. It's negligent.
  
  --
  "First they came for the slanderers and i said nothing."
3. Re:What, no thanks? by phantomfive · 2016-09-08 12:10 · Score: 1
  
  If it makes you feel better, the wannabe politician (aka 'Florida Man') didn't win the election.
  
  --
  "First they came for the slanderers and i said nothing."
4. Re:What, no thanks? by ShanghaiBill · 2016-09-08 12:23 · Score: 1
  
  You should never, ever write code that allows SQL injections. It's negligent.
  Then why do nearly all SQL libraries enable injections? Why aren't parameterized queries required? Is there any reason not to use them?
5. Re:What, no thanks? by ShanghaiBill · 2016-09-08 12:26 · Score: 2, Insightful
  
  the researcher get jail time.
  Just because a vandal calls himself a "researcher" doesn't mean he is one.
  
  Politicians are jerks.
  So are vandals.
6. Re:What, no thanks? by phantomfive · 2016-09-08 12:28 · Score: 1
  
  Is there any reason not to use them?
  No.
  
  --
  "First they came for the slanderers and i said nothing."
7. Re:What, no thanks? by swalve · 2016-09-08 13:08 · Score: 1
  
  Exactly. When you do civil disobedience, you have to be willing to do the time. He did the right thing, perhaps the wrong way.
8. Re:What, no thanks? by kbrannen · 2016-09-08 16:05 · Score: 3, Informative
  
  You should never, ever write code that allows SQL injections. It's negligent.
  Then why do nearly all SQL libraries enable injections? Why aren't parameterized queries required? Is there any reason not to use them?
  Is there any reason not to use parameterized queries? No.
  
  Is there any reason non-parameterized queries are enabled? Yes, probably plenty, but I'll give the easy one. :)
  
  The libraries and code can't really tell the difference between "select * from table1 where id < 100" and "select * from table1 where id < $variable" because the calling code is going to fill in $variable from some user input. The first form may be reasonable business logic because all non-reference values are less than 100 and user input values start at 101. The second form looks a lot like the first, but has different intent. The libraries can't determine the intent and by the time they see the SQL, the variable has been expanded and really looks the same.
  
  That being said, good libraries only allow 1 SQL statement per call so injection is a lot harder because "select * from table1 where id < 0 ; delete from users where 1" (injected part in bold) would be disallowed. But injection is a problem because many libraries allow that.
9. Re:What, no thanks? by ssufficool · 2016-09-08 16:08 · Score: 3, Informative
  
  Vandal: I do not think that word means what you think it means. He exposed a vulnerability and reported before going public. He in no way defaced or destroyed the website or data.
10. Re:What, no thanks? by parkinglot777 · 2016-09-09 03:46 · Score: 1
  
  Then why do nearly all SQL libraries enable injections?
  IMHO, it is not their business to determine validity of injection queries. It is the responsibility of the query implementers to SANITIZE the query string to their intent of use. You could compare SQL libraries as tools. They are fine by themselves and would have no problem if being used properly. However, too many people can use them but don't really have the knowledge to use them properly; thus, this kind of problems occurs.
11. Re:What, no thanks? by Coren22 · 2016-09-09 05:33 · Score: 1
  
  Apparently, they were perfectly ok with the breach and reporting he did until the video hit (after they told him they corrected the issue).
  He is only getting time because he made Sharon Harrington look bad.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
12. Re: What, no thanks? by Coren22 · 2016-09-09 05:35 · Score: 1
  
  Prior whistleblowers did not go through proper channels, and were prosecuted. The proper channels are there to provide a method that is allowed within the NDAs signed. Snowden decided to publish rather than go through proper channels. He purposely committed treason and espionage when he had options available to him that did not break these laws.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Never report security vulnerabilites by Anonymous Coward · 2016-09-08 11:17 · Score: 1

Too much risk in reporting vulnerabilities to the proper parties. The only sane thing to do is sell the vulnerabilities on the dark web and pocket the cash (and keep your freedom).
1. Re:Never report security vulnerabilites by tomhath · 2016-09-08 11:56 · Score: 3, Interesting
  
  If he had reported the vulnerability he wouldn't go to jail. But by exploiting it to make a candidate look bad he deserves what he'll get in jail.
2. Re:Never report security vulnerabilites by AlphaBro · 2016-09-08 12:22 · Score: 1
  
  IANAL, but this is blatantly wrong. If you test a system without permission, you are breaking the law. It does not matter if you exploit any vulnerabilities or not.
3. Re:Never report security vulnerabilites by AlphaBro · 2016-09-08 12:30 · Score: 1
  
  Nonsense, nobody is paying for garbage like this. And if you've got something that's actually good, such as an exploit for Chrome, you can easily sell it for five or six figures to a "legitimate" company with absolutely no risk of repercussions.
4. Re:Never report security vulnerabilites by sinij · 2016-09-08 12:52 · Score: 1
  
  If you test a system without permission, you are breaking the law. It does not matter if you exploit any vulnerabilities or not.
  Good thing black hats always ask permission before compromising web sites.
  
  Nothing gets fixed unless someone somewhere gets embarrassed.
5. Re:Never report security vulnerabilites by AlphaBro · 2016-09-08 12:58 · Score: 1
  
  I didn't say the law was just, I merely pointed out that the distinction is not between discovery and exploitation.
6. Re:Never report security vulnerabilites by swalve · 2016-09-08 13:10 · Score: 1
  
  Black hats are "the bad guys". You can't claim to be a good guy when you are doing the exact same thing. There are other ways to make the point.
7. Re:Never report security vulnerabilites by AK+Marc · 2016-09-08 13:44 · Score: 1
  
  There have been complaints about those systems. Nobody cared. Until it was compromised on camera, it wasn't fixed. When the ostrich response is the only response, unless you make an elected official look like an idiot, should you have to go to jail for disclosing a vulnerability?
  
  --
  Learn to love Alaska
8. Re:Never report security vulnerabilites by AK+Marc · 2016-09-08 13:52 · Score: 1
  
  If you suspect it's vulnerable, what do you do? Verify your suspicions? Report them without proof or verification? One is illegal, and the other is ignored. And the vulnerability will remain, to be exploited later.
  
  --
  Learn to love Alaska
9. Re:Never report security vulnerabilites by AlphaBro · 2016-09-08 14:12 · Score: 3, Insightful
  
  If it's a live system, permission has not been granted, and a similar test environment cannot be setup, then I Ignore it, and if at all possible, I avoid using the vulnerable system in question. Bear in mind I say this as someone that does vulnerability research for a living. I'm not a fan of the extant legislation, but if that's what society wants from me, that's what it's going to get. I refuse to risk my freedom for a bunch of assholes that don't want my help, and I've plenty of paying customers that aren't complete idiots, so my attention is better spent on them.
  
  Maybe someday the pols will get their shit together and the problem will work itself out, but I have little faith at this point.
10. Re:Never report security vulnerabilites by meta-monkey · 2016-09-09 01:12 · Score: 1
  
  If he had reported the vulnerability he wouldn't go to jail.
  He did. In addition to informing election officials, he also published the video for political purposes.
  
  But by exploiting it to make a candidate look bad he deserves what he'll get in jail.
  Correct, you have identified the true unforgivable crime: embarrassing politicians.
  
  --
  We don't have a state-run media we have a media-run state.
11. Re:Never report security vulnerabilites by ebyrob · 2016-09-09 03:37 · Score: 1
  
  You can't use a system without "testing" it in some way.
  Purposely taking control of a computer system above your sanction is breaking the law.
  These are OK:
  Oops my keyboard slipped and I accidentally typed: John Smith'
  Oops my name is: O'Riley
  Not OK:
  Robert'); DROP TABLE Students; --
12. Re:Never report security vulnerabilites by Anonymous Coward · 2016-09-09 04:20 · Score: 1
  
  Not everything is about you, and not everything is your responsibility. There are ethical, not to mention legal lines that must be respected. If you've done everything legal and ethical, then that is the point at which you must stop. Cross that line and you risk moving from White Hat to Black Hat status.
  You don't have to like it. The vulnerability may well be there and risk spilling information. It's not your responsibility anymore and it's irresponsible to continue. This is the difference between being a professional and being an amateur. Pros know about the lines and respect them. Amateurs might know about the lines, might decide that "they know better", and might cross the line.
  Cross the line and you set yourself up for legal liability.
He gives "security research" a bad name by QuietLagoon · 2016-09-08 11:25 · Score: 3, Funny

Granted some of the system (most?) needs to have a good security audit, he should not have done it so publically. He should have contacted the owner of the site and told them about the issues he found.
.
Putting the video on youtube shows that he deserved the jail time he received.
1. Re:He gives "security research" a bad name by sjames · 2016-09-08 11:37 · Score: 1
  
  Since the site is part of the county government, the public is the owner.
2. Re:He gives "security research" a bad name by QuietLagoon · 2016-09-08 11:40 · Score: 1
  
  OK, then go to the county government. My point remains the same.
3. Re:He gives "security research" a bad name by sjames · 2016-09-08 12:14 · Score: 1
  
  Not really. The public (in particular, the voters) have a right to know. That is, the disclosure was in the public interest (even if it was ultimately a publicity stunt).
4. Re:He gives "security research" a bad name by phantomfive · 2016-09-08 12:15 · Score: 1
  
  He should have contacted the owner of the site and told them about the issues he found.
  He did. The video wasn't released until after the issue was fixed.
  
  --
  "First they came for the slanderers and i said nothing."
5. Re:He gives "security research" a bad name by sjames · 2016-09-08 12:16 · Score: 2
  
  Except when it means that he actually did contact the owners of the website about the problem.
  He probably did earn a few days jail for grandstanding, but probably not the probation.
6. Re:He gives "security research" a bad name by AlphaBro · 2016-09-08 12:52 · Score: 1
  
  Agreed. Our current laws sound good on paper, but we need exemptions for stagnant government organizations that won't grant permission for penetration tests. Actual attackers aren't going to ask for permission, nor will they reveal actions.
Bad security is NOT an invitation to break in by Sycraft-fu · 2016-09-08 12:06 · Score: 4, Interesting

You don't want it to become one either, or people can break in your house because it has shit security. Even if you have "good" security for a home, it still sucks in the grand scheme and is trivial to bypass. However I imagine you'd be pretty pissed if someone broke in and said "Well you have abysmal security, don't silence the messenger!"
That doesn't mean people shouldn't try and have good electronic security (and physical security for that matter) but that they don't is not an invitation or excuse for breaking in.
1. Re: Bad security is NOT an invitation to break in by Anonymous Coward · 2016-09-08 12:37 · Score: 1
  
  I agree except that a neighbor telling you that your door is wide open shouldn't go to prison for trespassing.
  This guy did it wrong of course, you tell the "home owner". You don't buy a four page ad in the wall street journal with the address and how to get in -which is what he did in this case-.
2. Re:Bad security is NOT an invitation to break in by Anonymous Coward · 2016-09-08 13:14 · Score: 2, Informative
  
  You don't want it to become one either, or people can break in your house because it has shit security. Even if you have "good" security for a home, it still sucks in the grand scheme and is trivial to bypass. However I imagine you'd be pretty pissed if someone broke in and said "Well you have abysmal security, don't silence the messenger!"
  That doesn't mean people shouldn't try and have good electronic security (and physical security for that matter) but that they don't is not an invitation or excuse for breaking in.
  Keep in mind, what we are actually talking about is a tax payer funded website that is open to the public (and the entire world). How you make the leap from that to breaking into a private home seems to just be a straw man argument.
  If you are a known election official with obligations to the voters, then you should expect to be held accountable if you are violating basic best practices.
  So, back to your private home break-in metaphor, if the election official is bringing confidential information home, putting it in their trash and then leaving it in an unlocked trash bin at the public street curb, it should be open to public review. The fact the trash bin is in front of a private home should not ever be a valid excuse to betray the public trust in failing to meet the obligation to correctly handle confidential data.
  I really don't care if your straw man argument dictates that such a review of the trash is a so-called "break-in" instead of an audit. The election officials still failed to meet their obligations to follow computer security best practices.
  So, he went to a system that was intended for public access (similar to a public street curb) and issued a SQL injection which copied the data into a temporary memory buffer for storage and when the buffer was delivered, it was emptied for future use (similar to a trash bin). None of this involved breaking into a privately owned home or anything close to it.
  Election officials should be shielded by the law for their failures. Best practices shouldn't be something you might "try" to do to meet obligations to the voters. Failing to meet those obligations very much should be an excuse for a security audit.
3. Re:Bad security is NOT an invitation to break in by geekmux · 2016-09-09 01:14 · Score: 1
  
  You don't want it to become one either, or people can break in your house because it has shit security. Even if you have "good" security for a home, it still sucks in the grand scheme and is trivial to bypass. However I imagine you'd be pretty pissed if someone broke in and said "Well you have abysmal security, don't silence the messenger!"
  That doesn't mean people shouldn't try and have good electronic security (and physical security for that matter) but that they don't is not an invitation or excuse for breaking in.
  Shitty home security affects the lives of a single family.
  Shitty election security affects the lives of millions of people.
  BIG difference when talking about silencing messengers.
4. Re:Bad security is NOT an invitation to break in by Coren22 · 2016-09-09 05:22 · Score: 1
  
  If someone picks your lock while filming it, tells you how they picked your lock, and gives you the chance to fix it before posting the video, would you really lock them up for trespassing when they didn't actually enter your house?
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
5. Re: Bad security is NOT an invitation to break in by Vermonter · 2016-09-09 06:30 · Score: 1
  
  You don't need to walk in to a house to verify that the door is open.
Re:Oh lawd by K.+S.+Kyosuke · 2016-09-08 12:57 · Score: 1

This is much more interesting and relevant, I think. (But some would perhaps argue that being dumb is its own kind of ugliness.)

--
Ezekiel 23:20
Re:bum rap by K.+S.+Kyosuke · 2016-09-08 13:40 · Score: 1

You've misspelled "incumbetent".

--
Ezekiel 23:20
Security hackers are valuable to society by LeftCoastThinker · 2016-09-08 16:20 · Score: 1

We the people need to get a grip on this country or we are going to end up a banana republic. If we could only figure out how to get a referendum process in place at the national level such that the people could pass laws irrevocable by congress or the courts (essentially constitutional amendments, above the crap that congress churns out) we would be in such better shape.
We could pass a common sense law that security researchers could register as such with the FBI (or even maybe a private non-profit security professional organization; US Cyber Security Society or some such) and then pretty much attempt to penetrate any system that they want, with the additional caveat that they send the results and any evidence back to the company/entity tested. They would also be free to disseminate information about the hack, but not anything sensitive from the servers they penetrated to the pubic as a news/informative service. In much the same way reporters are specially protected, they should be protected as the public has a right to know if there are gaping security holes in their banks, their ballot boxes etc...

--
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
Testing security is a crime by Tony+Isaac · 2016-09-08 20:13 · Score: 2

...unless you have permission from the owner.
If I test the security of your house by trying to break in, you have every right to call the police and have me arrested. Now, if you pay me, or invite me, to test your home security by trying to break in, that's a completely different story.
Computer systems are no different.
Just by HeckRuler · 2016-09-09 06:45 · Score: 1

20 DAYS? And then some probation.
Huh. Ok. Sometimes the punishment really does fit the crime. Bravo court system.