
How a security pro’s ill-advised hack of a Florida elections site backfired - iamchmod
http://arstechnica.com/security/2016/05/how-a-security-pros-ill-advised-hack-of-a-florida-elections-site-backfired/
======
jwcrux
That's what happens when you compromise a site that you don't have
authorization to test. You always run this risk when performing testing that
isn't under the umbrella of a formal bug bounty.

~~~
hannibalhorn
Perhaps there should be some sort of bug bounty on all government (at least
federal, ideally state, and in a perfect world local) sites? Would be awesome
if, say, the US CTO spearheaded an effort to implement one.

~~~
yaur
Most bug bounty programs don't let you pivot and try to escalate your
privileges on a live system, which is exactly what this guy did and exactly
why he is in so much trouble.

------
Someone1234
In my opinion he was likely in the wrong here, but likely had the right
intentions.

As with all computer crimes, they massively overcharge people, because of
"hacker" moral panics and a public that doesn't understand how proportionately
bad something is (or isn't).

I'd just give the dude a fine and let him walk. But he is legitimately facing
jail time on this one.

------
sathackr
Did anyone notice the Flame Internet at the top left of the page? A quick
google brings up flamepro.com which is in the same geographical area. They
have a picture of the original website on their facebook page also. I bet this
is the company responsible for developing the site. If so, I wonder how many
other sites they've built have similar lapses. I wonder if they posted
screenshots of others on their Facebook page?

Also I didn't hear any mention of the site not using SSL -- so, on top of the
credentials being stored in cleartext, they're likely sent in cleartext also.

------
tantalor
It's strange to call this whistleblowing.

1. security guy was not an insider, but whistleblowers usually are

2. lax security is not illegal or illicit, just dumb

3. security guy informed staff of vulnerability and they fixed it, so... why
blow the whistle?

------
patcheudor
A number of years ago, upon getting a Jury Duty notice, I took an
observational look at the security of the jury registration site. It quickly
became apparent, without exploitation, that it was XSS and SQLi vulnerable. I
immediately reached out to the local court IT director with a disclosure,
ensuring that I was as clear as possible on the fact that I did not exploit
the system. She contacted me within an hour and I worked with her office over
the course of the next several months to confirm the vulnerabilities and in
the end, retire the solution entirely by justifying the budget for
replacement. I went from an annoying security researcher to valuable partner.
Later that year a number of developers from her team joined me for my annual
DEFCON outing and were extremely grateful for the discovery and how I handled
it as they'd been trying to get the solution replaced for years.

Unfortunately a lot of people either don't know where the line is or don't
have the skills to know how to not cross the line. Far too many times I see
people toss a tool like SQLMap at something rather than understanding how SQLi
works. If you understand SQLi, honestly there is very little need to run an
automated discovery and exploitation tool against it, even in cases of blind
SQLi; that comes when you have permission, which in my experience isn't hard
to get if you come to the table with credible observational security findings.

This particular case appears to be a cut and dried case of attempting to use
hacking for political gain.
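
The comment above distinguishes an observational finding (a single stray quote produces a database error) from exploitation (pulling rows out with SQLMap). As an added example, not code from the article or from any commenter, the block below shows the vulnerable query shape, the parameterized fix, and a probe that records only whether the server errored or not. It uses an in-memory SQLite table with constructed sample users; no real site is involved.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("clerk", "hunter2")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Classic SQLi: user input is spliced into the SQL text, so a quote in the
    input changes the statement instead of being compared as data."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Parameterized query: the driver binds the value; quotes stay literal."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?",
                        (username,))
    return [row[0] for row in rows]


def probe(lookup, username: str) -> tuple[str, object]:
    """Run one lookup and report ('ok', rows) or ('error', message).

    The observational signal is the *error* on a lone quote: it shows the
    input reached the SQL parser. Reading other rows (the OR 1=1 payload
    below) is the step that crosses into exploitation."""
    try:
        return ("ok", lookup(build_db(), username))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, "lone quote      :", probe(fn, "admin'"))
        print(name, "tautology       :", probe(fn, "' OR '1'='1"))
        print(name, "ordinary lookup :", probe(fn, "admin"))
```

On the vulnerable path the lone quote produces a parser error and the tautology returns every row; on the parameterized path both inputs are just usernames that match nothing. The error alone is the finding worth reporting; the row dump is what turns a report into a charge.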

------
spacemanmatt
Terrible security and software skill should be defenses to hacking. I have had
bad auth systems come apart in my hands because I used them "wrong" and was
accused of hacking.

