Missouri is considering legal action against a reporter who pointed out a serious cybersecurity flaw in one of its websites. Instead of thanking him, Gov. Mike Parson accused him of hacking and says he would like to see him prosecuted criminally.
Josh Renaud, a reporter for the St. Louis Post-Dispatch, discovered recently that 100,000 Social Security numbers of public school administrators and teachers had been exposed online by a Missouri Department of Elementary and Secondary Education website.
How could this have happened? Renaud reported that the personal information had been embedded in the website's HTML source code. This is a very serious mistake. Renaud reports that the newspaper verified its findings with a University of Missouri-St. Louis cybersecurity professor, who called it a very serious bungle. Officials were then able to take down the affected pages. The paper finally published its findings on Thursday.
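A pre-publication check for the mistake described above, as an added example that is not from the original article or from the state's code: it scans everything a server response hands to the browser (attribute values, script blocks, comments, visible text) for SSN-shaped values. The sample page is constructed and uses publicly known dummy numbers; the function and class names are this example's own.

```python
import re
from html.parser import HTMLParser

# SSN shape AAA-GG-SSSS (hyphen, space or no separator), excluding ranges the
# SSA never issues: area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)(\d{3})([- ]?)(?!00)(\d{2})\2(?!0000)(\d{4})(?!\d)")

class SSNScanner(HTMLParser):
    """Collects SSN-shaped values from every part of the markup a browser receives."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []          # (location, masked value) in document order
        self._tag = None

    def _scan(self, where, text):
        for m in SSN_RE.finditer(text or ""):
            # Mask the value so the scan report does not become a second leak.
            self.findings.append((where, "***-**-" + m.group(4)))

    def handle_starttag(self, tag, attrs):
        self._tag = tag
        for name, value in attrs:   # hidden inputs, data-* attributes, etc.
            self._scan(f"{tag}@{name}", value)

    def handle_endtag(self, tag):
        self._tag = None

    def handle_data(self, data):    # visible text and inline script/JSON
        self._scan("script" if self._tag == "script" else "text", data)

    def handle_comment(self, data):
        self._scan("comment", data)

def scan_html(html):
    scanner = SSNScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample response; none of these values came from the real site.
SAMPLE = """<html><body>
<!-- debug: record 219-09-9999 -->
<form><input type="hidden" name="ssn" value="078051120"></form>
<script>var educator = {"name": "Test User", "id": "123-45-6789"};</script>
<p>Call 555-867-5309 or quote order #000-12-3456.</p>
</body></html>"""

if __name__ == "__main__":
    for where, masked in scan_html(SAMPLE):
        print(f"possible SSN in {where}: {masked}")
```

Unseparated nine-digit matches will include false positives, so treat hits as items to review rather than as confirmed leaks.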
Instead of thanking Renaud and the newspaper for helping to identify the huge mistake made by the government, Gov. Parson announced that he would pursue legal action against them. Parson spoke out on Thursday to claim that the state website was hacked and that the perpetrator would be held accountable. The governor stated that the hacker had used a multi-step process to view and download the records of at least three educators.
This is a serious matter. Parson tweeted that the state will bring to justice all those who have hacked into our system, as well as anyone who encouraged or assisted them in doing so according to what Missouri law permits and requires. Hackers are those who gain unauthorized access or modify information. They did not have permission. They did not have authorization to decode and convert the code.
Parson may not have been aware of the fury on infosec Twitter, which erupted into vitriol shortly after his press conference. Computer science experts came out in force to point out that what the governor described does not sound like hacking. It sounds more like the state doesn't know how to build websites.
In HTML for publicly accessible webpages, don't include SSNs. Don't do it. If someone does notice, they will (quite responsibly!) warn you. He also advised against tweeting anything that could make you appear stupid.
Tony Webster, a software engineer and journalist, said that Renaud was threatening to prosecute him for failing to do the right thing.
This is absurd. Julian Sanchez, a Cato Institute technology fellow, tweeted that looking at HTML source isn't hacking. Every Web browser contains a view source button. You have already accessed the source code for every Web page that you view. This is what the server sends your browser.
In the meantime, Marcus Hutchins (respected computer scientist) simply tweeted the following in apparent reference to Parson's misinterpretation of computers.
While state and local employees may not be known for their technological skills, they are well-known for their ability to use the latest technology. Parson appears to have done a great job, even if there was a lot missing from this episode. Parson, even though he isn't a computer scientist, has state government IT departments that can explain to leaders how websites work. Renaud could be considered a Good Samaritan, not a hacker.
We reached out to both the Missouri Information Technology Services Division and the Governor's Office to inquire about the incident. If they respond, we will update this story.