Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Crime Bug Communications Network Privacy Security The Courts The Internet United States Politics

Researcher Gets 20 Days In Prison For Hacking State Websites As Political Stunt (softpedia.com) 85

An anonymous reader writes from a report via Softpedia: David Levin, 31, of Estero, Florida will spend 20 days in prison after hacking two websites belonging to the Florida state elections department. Levin, a security researcher, tested the security of two Florida state election websites without permission, and then recorded a video and posted on YouTube. The problem is that the man appearing in the video next to Levin was a candidate for the role of state election supervisor, running for the same position against the incumbent Supervisor of Elections, Sharon Harrington. Harrington reported the video to authorities, who didn't appreciate the media stunt pulled by the two, and charged the security researcher with three counts of hacking-related charges. The researcher turned himself in in May and pleaded guilty to all charges. This week, he received a 20-day prison sentence and two years of probation. In court he admitted to the whole incident being a political stunt.
This discussion has been archived. No new comments can be posted.

Researcher Gets 20 Days In Prison For Hacking State Websites As Political Stunt

Comments Filter:
  • by Lead Butthead ( 321013 ) on Thursday September 08, 2016 @05:55PM (#52851239) Journal

    the abysmal security in place is down right embarrassing. and we all know how much the government likes to silence the messengers.

    • the abysmal security in place is down right embarrassing. and we all know how much the government likes to silence the messengers.

      Lee County Florida is a Republican country, and the current Supervisor of Elections is a Republican. They're a district that had tons of issues with their elections. If you remember stories about people having to wait 6 and 8 hours to vote in the 2012 election, but those came from Lee County. They shut down early voting in an effort to help out Mitt Romney, but it backfired.

    • by msauve ( 701917 )
      OTOH, there seem to be a lot of self-proclaimed "security researchers" who are looking for nothing but fame and glory, and have a primary interest beyond improving security. A responsible professional would have communicated the findings privately long before making things public on Youtube.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        From the youtube link: "This video was NOT released until AFTER the Lee County SoE staff CONFIRMED they had fixed the holes and the information was not compromised. The holes were fixed on 1/25/2016 prior to the uploading and airing of this video. "

    • by Sycraft-fu ( 314770 ) on Thursday September 08, 2016 @07:06PM (#52851623)

      You don't want it to become one either, or people can break in your house because it has shit security. Even if you have "good" security for a home, it still sucks in the grand scheme and is trivial to bypass. However I imagine you'd be pretty pissed if someone broke in and said "Well you have abysmal security, don't silence the messenger!"

      That doesn't mean people shouldn't try and have good electronic security (and physical security for that matter) but that they don't is not an invitation or excuse for breaking in.

      • I agree except that a neighbor telling you that your door is wide open shouldn't go to prison for trespassing.

        This guy did it wrong of course, you tell the "home owner". You don't buy a four page ad in the wall street journal with the address and how to get in -which is what he did in this case-.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        You don't want it to become one either, or people can break in your house because it has shit security. Even if you have "good" security for a home, it still sucks in the grand scheme and is trivial to bypass. However I imagine you'd be pretty pissed if someone broke in and said "Well you have abysmal security, don't silence the messenger!"

        That doesn't mean people shouldn't try and have good electronic security (and physical security for that matter) but that they don't is not an invitation or excuse for breaking in.

        Keep in mind, what we are actually talking about is a tax payer funded website that is open to the public (and the entire world). How you make the leap from that to breaking into a private home seems to just be a straw man argument.

        If you are a known election official with obligations to the voters, then you should expect to be held accountable if you are violating basic best practices.

        So, back to your private home break-in metaphor, if the election official is bringing confidential information home, puttin

      • You don't want it to become one either, or people can break in your house because it has shit security. Even if you have "good" security for a home, it still sucks in the grand scheme and is trivial to bypass. However I imagine you'd be pretty pissed if someone broke in and said "Well you have abysmal security, don't silence the messenger!"

        That doesn't mean people shouldn't try and have good electronic security (and physical security for that matter) but that they don't is not an invitation or excuse for breaking in.

        Shitty home security affects the lives of a single family.

        Shitty election security affects the lives of millions of people.

        BIG difference when talking about silencing messengers.

      • If someone picks your lock while filming it, tells you how they picked your lock, and gives you the chance to fix it before posting the video, would you really lock them up for trespassing when they didn't actually enter your house?

    • by AmiMoJo ( 196126 )

      More evidence that the only responsible way to disclose security issues is to anonymously post them to a public space on the internet. Unless the company has a reputable bug bounty programme you risk being sued or prosecuted.

    • by DRJlaw ( 946416 )

      the abysmal security in place is down right embarrassing. and we all know how much the government likes to silence the messengers.

      When someone is the one exploiting that abysmal security to trespass into a protected computer, they're not merely the messenger, they're the attacker. And attackers tend to get punished.

      If the reporters covering this story were being silenced, then you could complain about "shooting the messenger" problems. This an ordinary and expected result for an ordinary incident of vigil

  • prison and not jail?

  • by ITRambo ( 1467509 ) on Thursday September 08, 2016 @05:59PM (#52851267)
    Instead of commenting on helping keep the system honest, the researcher get jail time. Politicians are jerks.
    • The whole thing was done as a publicity stunt for politician. He deserved everything he got, it is people like him that tarnish the reputation of security researchers.
      • Re:What, no thanks? (Score:5, Informative)

        by phantomfive ( 622387 ) on Thursday September 08, 2016 @06:29PM (#52851419) Journal
        Here's the actual video [youtube.com]. Between the guy who made the video, and the team that wrote code allowing SQL injections, the latter is the more serious crime.

        You should never, ever write code that allows SQL injections. It's negligent.
        • You should never, ever write code that allows SQL injections. It's negligent.

          Then why do nearly all SQL libraries enable injections? Why aren't parameterized queries required? Is there any reason not to use them?

          • Is there any reason not to use them?

            No.

          • Re:What, no thanks? (Score:4, Informative)

            by kbrannen ( 581293 ) on Thursday September 08, 2016 @11:05PM (#52852527)

            You should never, ever write code that allows SQL injections. It's negligent.

            Then why do nearly all SQL libraries enable injections? Why aren't parameterized queries required? Is there any reason not to use them?

            Is there any reason not to use parameterized queries? No.

            Is there any reason non-parameterized queries are enabled? Yes, probably plenty, but I'll give the easy one. :)

            The libraries and code can't really tell the difference between "select * from table1 where id < 100" and "select * from table1 where id < $variable" because the calling code is going to fill in $variable from some user input. The first form may be reasonable business logic because all non-reference values are less than 100 and user input values start at 101. The second form looks a lot like the first, but has different intent. The libraries can't determine the intent and by the time they see the SQL, the variable has been expanded and really looks the same.

            That being said, good libraries only allow 1 SQL statement per call so injection is a lot harder because "select * from table1 where id < 0 ; delete from users where 1" (injected part in bold) would be disallowed. But injection is a problem because many libraries allow that.

          • Then why do nearly all SQL libraries enable injections?

            IMHO, it is not their business to determine validity of injection queries. It is the responsibility of the query implementers to SANITIZE the query string to their intent of use. You could compare SQL libraries as tools. They are fine by themselves and would have no problem if being used properly. However, too many people can use them but don't really have the knowledge to use them properly; thus, this kind of problems occurs.

    • Re: (Score:3, Insightful)

      the researcher get jail time.

      Just because a vandal calls himself a "researcher" doesn't mean he is one.

      Politicians are jerks.

      So are vandals.

      • Re: (Score:3, Informative)

        by ssufficool ( 1836898 )

        Vandal: I do not think that word means what you think it means. He exposed a vulnerability and reported before going public. He in no way defaced or destroyed the website or data.

  • by Anonymous Coward

    Too much risk in reporting vulnerabilities to the proper parties. The only sane thing to do is sell the vulnerabilities on the dark web and pocket the cash (and keep your freedom).

    • by tomhath ( 637240 ) on Thursday September 08, 2016 @06:56PM (#52851573)
      If he had reported the vulnerability he wouldn't go to jail. But by exploiting it to make a candidate look bad he deserves what he'll get in jail.
      • IANAL, but this is blatantly wrong. If you test a system without permission, you are breaking the law. It does not matter if you exploit any vulnerabilities or not.
        • by sinij ( 911942 )

          If you test a system without permission, you are breaking the law. It does not matter if you exploit any vulnerabilities or not.

          Good thing black hats always ask permission before compromising web sites.

          Nothing gets fixed unless someone somewhere gets embarrassed.

          • I didn't say the law was just, I merely pointed out that the distinction is not between discovery and exploitation.
          • by swalve ( 1980968 )
            Black hats are "the bad guys". You can't claim to be a good guy when you are doing the exact same thing. There are other ways to make the point.
        • by AK Marc ( 707885 )
          If you suspect it's vulnerable, what do you do? Verify your suspicions? Report them without proof or verification? One is illegal, and the other is ignored. And the vulnerability will remain, to be exploited later.
          • by AlphaBro ( 2809233 ) on Thursday September 08, 2016 @09:12PM (#52852157)
            If it's a live system, permission has not been granted, and a similar test environment cannot be setup, then I Ignore it, and if at all possible, I avoid using the vulnerable system in question. Bear in mind I say this as someone that does vulnerability research for a living. I'm not a fan of the extant legislation, but if that's what society wants from me, that's what it's going to get. I refuse to risk my freedom for a bunch of assholes that don't want my help, and I've plenty of paying customers that aren't complete idiots, so my attention is better spent on them.

            Maybe someday the pols will get their shit together and the problem will work itself out, but I have little faith at this point.
          • by Anonymous Coward

            Not everything is about you, and not everything is your responsibility. There are ethical, not to mention legal lines that must be respected. If you've done everything legal and ethical, then that is the point at which you must stop. Cross that line and you risk moving from White Hat to Black Hat status.

            You don't have to like it. The vulnerability may well be there and risk spilling information. It's not your responsibility anymore and it's irresponsible to continue. This is the difference between bei

        • by ebyrob ( 165903 )

          You can't use a system without "testing" it in some way.

          Purposely taking control of a computer system above your sanction is breaking the law.

          These are OK:
          Oops my keyboard slipped and I accidentally typed: John Smith'
          Oops my name is: O'Riley

          Not OK:
          Robert'); DROP TABLE Students; --

      • by AK Marc ( 707885 )
        There have been complaints about those systems. Nobody cared. Until it was compromised on camera, it wasn't fixed. When the ostrich response is the only response, unless you make an elected official look like an idiot, should you have to go to jail for disclosing a vulnerability?
      • If he had reported the vulnerability he wouldn't go to jail.

        He did. In addition to informing election officials, he also published the video for political purposes.

        But by exploiting it to make a candidate look bad he deserves what he'll get in jail.

        Correct, you have identified the true unforgivable crime: embarrassing politicians.

  • by QuietLagoon ( 813062 ) on Thursday September 08, 2016 @06:25PM (#52851411)
    Granted some of the system (most?) needs to have a good security audit, he should not have done it so publically. He should have contacted the owner of the site and told them about the issues he found.

    .
    Putting the video on youtube shows that he deserved the jail time he received.

    • by sjames ( 1099 )

      Since the site is part of the county government, the public is the owner.

      • OK, then go to the county government. My point remains the same.
        • by sjames ( 1099 )

          Not really. The public (in particular, the voters) have a right to know. That is, the disclosure was in the public interest (even if it was ultimately a publicity stunt).

          • Agreed. Our current laws sound good on paper, but we need exemptions for stagnant government organizations that won't grant permission for penetration tests. Actual attackers aren't going to ask for permission, nor will they reveal actions.
    • He should have contacted the owner of the site and told them about the issues he found.

      He did. The video wasn't released until after the issue was fixed.

  • We the people need to get a grip on this country or we are going to end up a banana republic. If we could only figure out how to get a referendum process in place at the national level such that the people could pass laws irrevocable by congress or the courts (essentially constitutional amendments, above the crap that congress churns out) we would be in such better shape.

    We could pass a common sense law that security researchers could register as such with the FBI (or even maybe a private non-profit securi

  • by Tony Isaac ( 1301187 ) on Friday September 09, 2016 @03:13AM (#52853231) Homepage

    ...unless you have permission from the owner.

    If I test the security of your house by trying to break in, you have every right to call the police and have me arrested. Now, if you pay me, or invite me, to test your home security by trying to break in, that's a completely different story.

    Computer systems are no different.

  • 20 DAYS? And then some probation.

    Huh. Ok. Sometimes the punishment really does fit the crime. Bravo court system.

Any sufficiently advanced technology is indistinguishable from magic. -- Arthur C. Clarke

Working...