Missouri Gov Mike Parson Vows Reporter Who Found Sh*tty Coding In State Website Will PAY
Right-clicking on a public website is 'hacking' now.
No one has ever accused Missouri Gov. Mike Parson of being an especially smart man, but he is at least capable of a low vegetable cunning. Back in October, a reporter for the St. Louis Post-Dispatch discovered an incredibly stupid security vulnerability on a state website. The site, which was designed so people could easily look up credentials and certifications for more than 100,000 public school teachers, counselors, and administrators, included a dumb error in its publicly viewable coding that inadvertently left the Social Security numbers of all those employees pretty much right out in the open for any bad person to steal.
The Post-Dispatch reporter wrote up the story, alerted the Missouri Department of Elementary and Secondary Education to the problem, and held off on publication to give the agency time to fix the security flaw. Then it went to press. The paper noted right up top, in the fourth brief paragraph, that it had delayed the story specifically so the state could protect the educators' data, and so it could check other agencies' webpages for similar problems.
No good reporting goes unpunished, so Parson reacted to the story by demanding the reporter and the Post-Dispatch be investigated and prosecuted for "hacking" the state website.
Thing is, there wasn't any "hacking" involved, as Krebs on Security explained at the time, since the SSNs were almost right out in the open to be seen by anyone with specialized software, like a common web browser.
The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site’s public code using Developer Tools or simply right-clicking on the page and viewing the source code.
Go ahead and right-click on this page (on a Mac, press "Command + Option + U"), and you can see Wonkette's page code, which doesn't include any SSNs but may contain this week's Powerball numbers. Or not. It looks a tad bit like this, only this screenshot is from my earlier Facebook Went Full Nixon story.
Oh no! If you right-clicked in Missouri, you're now a criminal hacker, according to Mike Parson! We won't tell.
In a Facebook statement announcing the vendetta against the reporter and the newspaper, Parson insisted that such "unlawful" access of teacher data had to be punished, claiming that the reporter — or rather, "an individual" — had done hacking of private data!
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators.
The steps were "right click," "view source," and scrolling. That's because the code was shitty. We guess the reporter did have to read the text on the screen to notice numbers that were clearly SSNs, so that's how he "decoded" the HTML code.
Parson then explained the full weight of Missouri law enforcement would be deployed against the sophisticated right-clicking hacking operation:
This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians. It is unlawful to access encoded data and systems in order to examine other peoples’ personal information. We are coordinating state resources to respond and utilize all legal methods available.
My administration has notified the Cole County prosecutor of this matter, the Missouri State Highway Patrol’s Digital Forensics Unit will also be conducting an investigation of all of those involved.
This incident alone may cost Missouri taxpayers as much as $50 million. This matter is serious. [...]
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code. This was clearly a hack.
Indeed, there's clearly a hack here, but it doesn't involve anything the reporter did. Worse, it's like prosecuting a whistleblower, because if people worry reporting a security problem will get them jailed, they may stay quiet and leave the vulnerability in place.
And now we have an update on the story, which sadly does not involve Mike Parson saying an aide had shown him a computer mouse and explained that some of us are such shitty typists that we illegally view HTML source code several times a day by accidentally hitting the "F12" key when we mean to backspace.
Instead, the Post-Dispatch informs us that yesterday, Parson said he's pretty sure the Cole County prosecutor will be charging the reporter for his crimes.
Parson referenced a state statute on computer tampering, which says a person commits the offense if they “knowingly and without authorization or without reasonable grounds to believe that he has such authorization” modifies or destroys data, discloses or takes data, or accesses a computer network and intentionally examines personal information.
Then Parson deployed a really bad metaphor, for which he should feel bad:
“If somebody picks your lock on your house — for whatever reason, it’s not a good lock, it’s a cheap lock or whatever problem you might have — they do not have the right to go into your house and take anything that belongs to you,” Parson said.
Except, no, this is more like you taking photos of yourself doing nekkid yoga in your living room and posting only the itty-tiny thumbnails of the photos on Zillow. Someone might enlarge them and see your voonerables by selecting "view image in new tab" then tell you, OMG BECKY I SAW YOUR JUNK, but that ain't hacking.
The Post-Dispatch reported earlier this month that in fact, emails obtained through a public records request showed the state education department was on the verge of thanking the reporter for alerting it to the vulnerability before Parson demanded vengeance. What's more, an FBI investigator who looked at the reporter's emails informing the department of the problem said that the incident was "not an actual network intrusion," and that the FBI dude
said the state’s database was “misconfigured,” which “allowed open source tools to be used to query data that should not be public.”
On Monday, a spokesperson for the Missouri State Highway Patrol confirmed that the investigation was all done, and that the agency had turned over its findings to Cole County Prosecuting Attorney Locke Thompson, who of course had no comment, not even about whether he's a good Locke, a cheap Locke, a fancy CyberLocke, or even a nude yoga doer.
In conclusion, this is extremely stupid, and we just hit F12 and viewed our own code while trying to fix a typo. Just try to come and get us, copper!
[ St Louis Post-Dispatch / Krebs on Security / Post-Dispatch ]
"low vegetable cunning" He's a rutabaga on a mission.
Beauty!