The Missouri government is threatening legal action against a newspaper reporter that helpfully pointed out a glaring cybersecurity hole in one of its websites. Instead of thanking the journalist, Gov. Mike Parson has accused him of “hacking” and claims he wants to see him criminally prosecuted.
The reporter, Josh Renaud of the St. Louis Post-Dispatch, recently discovered that the Missouri Department of Elementary and Secondary Education website had left some 100,000 social security numbers belonging to public school teachers, administrators, and other education officials exposed to the internet.
How did this happen? Renaud reports that the website apparently had the personal information embedded into the HTML source code of its pages — a fairly grievous coding bungle. The newspaper subsequently verified its findings with a cybersecurity professor at the University of Missouri-St. Louis, who called the flub “mind boggling.” The paper then responsibly disclosed the vulnerability to the government, giving officials time to take down the affected pages. Finally, on Thursday, the paper published its findings.
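The bug described above is one a pre-publication check catches: scan the HTML the server actually sends, not just what renders on screen, for SSN-shaped values. The following scanner is an added example written for this article, not code from the newspaper or the state; the sample page is constructed and only mimics the pattern of the flaw.

```python
import re
from html.parser import HTMLParser

# Strict SSN shape: area 001-899 (not 666), group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


class _LeakScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hits = []

    def _check(self, where, value):
        for m in SSN_RE.finditer(value):
            # Keep only the last four digits so the report itself cannot leak.
            self.hits.append({"where": where, "masked": "***-**-" + m.group()[-4:]})

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:  # hidden inputs, data-* attributes, etc.
            self._check(f"<{tag} {name}>", value or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):  # visible text and inline script bodies
        self._check("<script>" if self.in_script else "text", data)

    def handle_comment(self, data):  # HTML comments are shipped to the browser too
        self._check("comment", data)


def find_ssn_leaks(html):
    """Return every SSN-shaped value anywhere in the HTML a server sends."""
    scanner = _LeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


# Constructed sample (not the real Missouri page): nothing sensitive is visible
# on screen, yet four records ship in the source that "view source" exposes.
SAMPLE_HTML = """<html><body><h1>Educator lookup</h1>
<p>Results for Jane Doe, certificate 12-3456</p>
<input type="hidden" name="ssn" value="123-45-6789">
<div data-record='{"ssn":"234-56-7890"}'></div>
<!-- TODO remove debug dump: 555-12-3456 -->
<script>var rec = {ssn: "111-22-3333"};</script></body></html>"""
```

Run `find_ssn_leaks` over the rendered output of every page in a test environment; a non-empty result should fail the deployment.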
However, instead of thanking Renaud and the newspaper for helping identify a giant mistake the government had made, Gov. Parson subsequently announced that he would be pursuing legal action against them. On Thursday, Parson held a press conference in which he claimed that the state website had been “hacked,” and that the culprit would be held legally responsible. During his comments, the governor claimed that this “hacker” had engaged in a “multi-step process” to view and download “the records of at least three educators.” He subsequently announced that the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit would be investigating the incident.
“This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires,” Parson later tweeted. “A hacker is someone who gains unauthorised access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.”
However, it would appear that Parson did not count on the rage of infosec twitter, which erupted in vitriol not long after his press conference. Droves of computer science experts came out of the woodwork to point out that what the governor is talking about does not sound like hacking at all — more like the state doesn’t know how to build websites.
“Don’t encode SSNs of people in the HTML of publicly available webpages. And if you do, don’t call the cops if someone notices and (quite responsibly) warns you,” tweeted Matt Blaze, a computer science researcher with Georgetown Law. “Also, don’t tweet stuff that makes you look like an idiot,” he added.
Software engineer and journalist Tony Webster said that the governor is “threatening to prosecute a journalist who 100% did the ethical thing,” while also noting that Renaud had engaged in “the gold standard for reporting security failures.”
“This is utterly ludicrous. Looking at HTML source is not hacking,” tweeted Cato Institute technology fellow Julian Sanchez. “Every Web browser has a ‘view source’ button. And… you’ve ALREADY ‘accessed’ the source code of every Web page you look at. That’s what the server sends to your browser!”
Renowned computer scientist Marcus Hutchins, meanwhile, merely tweeted out the following, in an apparent reference to Parson’s misunderstanding of computers:
— MalwareTech (@MalwareTechBlog) October 14, 2021
Granted, state and local government employees are not known for their advanced technological prowess. But, unless there’s a whole lot we’re missing about this episode, Parson seems to have really stepped in it. Even if Parson isn’t super well-versed in computer science, state governments also have IT departments with staff that should be able to explain to the governor how websites work and why a person like Renaud would probably be considered a helpful Good Samaritan — not a “hacker.”
We reached out to both the Missouri Information Technology Services Division and the Governor’s Office to inquire about the incident and will update this story if they respond.