ethical disclosure – Techdirt

Missouri's Governor Still Insists Reporter Is A Hacker, Even As Prosecutors Decline To Press Charges

from the disgusting dept

Last autumn, you may recall, the St. Louis Post-Dispatch published an article revealing that the Missouri Department of Elementary and Secondary Education (DESE) was leaking the Social Security numbers of teachers and administrators, past and present, by putting that information directly in the HTML. The reporters at the paper ethically disclosed this to the state, and waited until this very, very bad security mistake had been patched before publishing the story. In response, rather than admitting that an agency under his watch had messed up, Missouri Governor Mike Parson made himself into a complete laughingstock, by insisting that the act of viewing the source code on the web page was nefarious hacking. Every chance he had to admit he fucked up, he doubled down instead.

The following month, the agency, DESE, flat out admitted it screwed up and apologized to teachers and administrators, and offered them credit monitoring… but still did not apologize to the journalists. FOIA requests eventually revealed that before Governor Parson had called the reporters hackers, the FBI had already told the state that no network intrusion had taken place and it was also revealed that the state had initially planned to thank the journalists. Instead, Parson blundered in and insisted that it was hacking and that people should be prosecuted.

Hell, three weeks after it was revealed that the FBI had told the state that no hacking had happened, Parson was still saying that he expected the journalists to be prosecuted.

Finally, late on Friday, the prosecutors said that they were not pressing charges and considered the matter closed. The main journalist at the center of this, Josh Renaud, broke his silence with a lengthy statement that is worth reading. Here’s a snippet:

This decision is a relief. But it does not repair the harm done to me and my family.

My actions were entirely legal and consistent with established journalistic principles.

Yet Gov. Mike Parson falsely accused me of being a “hacker” in a televised press conference, in press releases sent to every teacher across the state, and in attack ads aired by his political action committee. He ordered the Highway Patrol to begin a criminal investigation, forcing me to keep silent for four anxious months.

This was a political persecution of a journalist, plain and simple.

Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers’ private data.

At the same time, I am concerned that the governor’s actions have left the state more vulnerable to future bad actors. His high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri, and decreasing the chance those flaws get fixed.

This has been one of the most difficult seasons of my nearly 20-year career in journalism

Later in the letter, he notes that a week earlier, Parson himself had decried the treatment of his rejected nominee to lead the state’s Department of Health and Senior Services, noting that Parson complained that “more care was given to political gain than the harm caused to a man and his family.” Renaud noted that the same could be said of Parson’s treatment of himself:

Every word Gov. Parson wrote applies equally to the way he treated me.

He concludes by hoping that “Parson’s eyes will be opened, that he will see the harm he did to me and my family, that he will apologize, and that he will show Missourians a better way.”

And Parson showed himself to be a bigger man and did exactly that… ha ha, just kidding. Parson just kept digging, and put out a truly obnoxious statement, with no apology and continuing to insist that Renaud hacked the government’s computers even though — again, this is important, lest you just think the governor is simply technically ignorant — the FBI has already told him that there was no hacking:

“The hacking of Missouri teachers’ personally identifiable information is a clear violation of Section 56.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative.

The Prosecutor believes the matter has been properly addressed and resolved through non-legal means.

The state will continue to work to ensure safeguards are in place to protect state data and prevent unauthorized hacks.

This whole statement is utter hogwash and embarrassing nonsense. Again, there was no hacking whatsoever. The state messed up by putting information that should never, ever be in HTML code into HTML code, making it accessible to anyone who viewed the source on their own computer. The state messed up. The state failed to secure the data. The state sent that data to the browsers of everyone who visited certain pages on its public websites. Renaud did exactly the right thing. He discovered this terrible security flaw that the state put on its own website, ethically reported it, waited until the state fixed its own error, and then reported on it.

Parson knew from the beginning that no hacking occurred. The FBI told the state that no hacking occurred. The state had prepared to thank Renaud and his colleagues at the St. Louis Post-Dispatch. It was only after Parson decided to deny, deny, deny and blame, blame, blame reporters for pointing out Parson’s own government’s failings, that this whole thing got out of hand.

The prosecutors have their own reasons for declining to prosecute, but the most likely reason is they knew they’d get laughed out of court and it would make them and Parson look even more ridiculous. Renaud chose to give a heartfelt write-up of what Parson’s nonsense put him through, and asked in the politest way possible for Parson to look deep inside at the harm he had caused and to apologize. Instead, Parson quadrupled down, continued to insist that his own government’s failings could be blamed on a “hack,” and insists that he’s trying to “protect” the state when all he’s done is show why no serious tech company should do business in such a state.

Missouri: elect better politicians. Parson is an embarrassment.

Filed Under: dese, ethical disclosure, hacking, josh renaud, journalism, mike parson, missouri, security flaw, view source
Companies: st. louis post dispatch

Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers

from the let-it-go,-mike dept

Missouri Governor Mike Parson is nothing if not consistent in his desire to stifle free speech. As you’ll recall, the St. Louis Post-Dispatch discovered that the state’s Department of Elementary and Secondary Education (DESE) website was programmed in such an incompetent fashion that it would reveal, to anyone who knew where to look, the social security numbers of every teacher and administrator in the system (including those no longer employed there). The reporting on the vulnerability followed ethical disclosure best practices exactly: gathering just enough evidence to confirm the vulnerability, alerting the state to the problem, and not publishing anything until the vulnerability was fixed. The FBI told Missouri officials early on “that this incident is not an actual network intrusion” and DESE initially wrote up a press release thanking the journalists for alerting them to this.

But then Parson blundered his way into making a mess of it, insisting that the reporters were hackers and ordering the Missouri Highway Patrol to “investigate” them for prosecution. When people mocked him for this, he doubled down by insisting that this was real hacking and that those reporting otherwise were part of “the fake news.”

A month later, DESE admitted that it had fucked up, apologized to all the teachers and administrators (current and former) who its own incompetence had exposed, and offered credit monitoring to them all. Notably, DESE did not apologize to the journalists who discovered this mess, and the governor has continued to stand by his call to prosecute them.

Earlier this week the Highway Patrol claimed it had completed its investigation… and turned the findings over to state prosecutors. That alone seems worrisome, as there’s nothing to turn over to prosecutors here beyond “our governor is a very foolish man, who can’t admit to his own failings.”

Capt. John Hotz said the results were turned over to Cole County Prosecuting Attorney Locke Thompson.

“The investigation has been completed and turned over to the Cole County Prosecutor’s office,” Hotz told the Post-Dispatch on Monday.

And the Governor still thinks the end result will be the prosecution of journalists for exposing the fact that his own administration ran a dangerously incompetent computer system that put 600,000 current and former state employees’ private info at risk:

Gov. Mike Parson on Wednesday expressed his opinion the Cole County prosecuting attorney would bring charges in the case of a Post-Dispatch reporter who alerted the state to a significant data vulnerability.

“I don’t think that’ll be the case,” Parson said when asked what he would do if the prosecutor didn’t pursue the case. “That’s up to the prosecutor; that’s his job to do.”

Parson’s continued insistence that this was unauthorized hacking is absolute garbage.

“If somebody picks your lock on your house, for whatever reason (it’s not a good lock, it’s a cheap lock or whatever problem you might have), they do not have the right to go into your house and take anything that belongs to you,” Parson said.

That analogy is just dumb on multiple levels. They didn’t pick any lock. They didn’t intrude somewhere they weren’t supposed to go. The website put the info on their computers in the HTML. They didn’t break any locks. They didn’t access a system they didn’t have access to. They just went where they were allowed to go, and the state’s incompetent technologists handed them info it should not have.

Under Parson’s definition of “hacking” it would be easy to turn anyone into a hacker. Just expose data you shouldn’t expose on a website, and wait until anyone visited the page. That’s not how this should work and the fact that he’s still pressing this issue raises serious questions about Parson’s competence to do anything, let alone run an entire state.

Filed Under: criminalizing security, ethical disclosure, hacking, journalism, mike parson, missouri highway patrol, vulnerability
Companies: st. louis post dispatch

Missouri Governor Still Lying About Reporters Who Uncovered Ridiculous Bad State Computer Security; Still Insists They Were Hackers

from the lie-through-it,-mike dept

Missouri Governor Mike Parson is nothing if not committed to shamelessly lying. As you’ll recall, after journalists from the St. Louis Post-Dispatch ethically informed the state that the Department of Elementary and Secondary Education (DESE) website included a flaw that revealed the social security numbers of over 600,000 state teachers and school administrators, Parson responded by calling the reporters hackers and vowing to prosecute them. Again, the DESE system displayed this information directly in the HTML, available for anyone to see if they knew where to look. That’s not hacking. That’s incompetent computer security.

So far, this has mostly played out as expected. A month after the revelations, DESE finally admitted it fucked up and apologized to the teachers and administrators and offered them identity fraud protection services. Then, last week, a public record request revealed something incredible, though perhaps not surprising: the FBI had already told Missouri officials that no hacking took place and DESE had prepared a statement (correctly) thanking the journalists for alerting them to their own fuck up… but that statement was ditched in favor of the nonsense one claiming that the journalists “hacked” the system. As that last story noted at the very end, the Highway Patrol investigation, instigated by Parson, was “still active.”

And now Parson is still standing by the ridiculous claim that the reporters are hackers. As for how he could possibly claim that after the revelation of internal documents on the situation? Well, Parson is trotting out the old “fake news” bullshit:

Asked at a ribbon-cutting ceremony Tuesday whether, in light of the records provided by the state, he still believed the newspaper committed a crime, Parson said, “Most certainly I believe that. And most certainly I don’t know where that information’s coming from that you guys printed on that, whether it’s very accurate or not either. It has a tendency not to be very accurate a lot of times.”

Dude. What? Do newspapers make errors sometimes? Sure. But (1) from the very beginning it was abundantly clear that the problem here was with the state, not with the reporters, because under no circumstances should people be able to see the Social Security Numbers of other people in HTML and (2) if you’re crying “fake news” about documents revealed under a public records law then you have to actually say what’s fake. Is Parson claiming that his own government supplied fake information in response to a public records request? Because that would be fucked up. No, the truth is that Parson can’t handle the fact that everyone knows he’s just wrong, so he’s going to lie right through it.

Missourians, you deserve better than a governor who will actively lie to you and put state employees at risk. Elect someone who is not a liar.

Filed Under: dese, ethical disclosure, hackers, html, journalism, mike parson, missouri, security research
Companies: st. louis post dispatch

Newly Revealed Details Show That Missouri Government Totally Knew That Journalists Were Not At Fault For Teacher Data Vulnerability

from the of-course-they-knew dept

Kudos for open records laws proving to us that not only is Missouri Governor Mike Parson a technologically illiterate hack, but he’s a lying one as well. You’ll recall, of course, that in October, the St. Louis Post-Dispatch reported on how the state’s Department of Elementary and Secondary Education (DESE) website was designed in such a dangerous way that it was exposing the social security numbers of state teachers and administrators, and rather than thanking the journalists for their ethical disclosure of this total security fail by the state, DESE and Governor Parson called them hackers and asked law enforcement to prosecute them. Governor Parson continued to double down for weeks, insisting that reporting this vulnerability (and failed security by the government he runs) was malicious hacking until DESE finally admitted it fucked up and apologized to the over 600,000 teachers and administrators whose data was vulnerable — but never apologizing to the journalists.

The Post-Dispatch, whose reporters potentially still face charges, put out an open records request to find out more about what the government was saying and discovered, somewhat incredibly, that before DESE referred to them as hackers, it already knew that it was at fault here and even initially planned to thank the journalists. As the documents reveal, the FBI flat out told DESE that this was a DESE fuckup and DESE had sent Gov. Parson a planned statement that thanked the journalists:

In an Oct. 12 email to officials in Gov. Mike Parson’s office, Mallory McGowin, spokeswoman for DESE, sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered.

“We are grateful to the member of the media who brought this to the state’s attention,” said a proposed quote from Education Commissioner Margie Vandeven.

The Parson administration and DESE did not end up using that quote.

The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a “hacker.”

This is truly incredible. As are the details of the conversation between a Missouri employee and a local FBI agent.

Meanwhile, at 3:24 p.m. on Oct. 13, Angie Robinson, cybersecurity specialist for the state, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis.

“Kyle informed me that after reading the emails from the reporter that this incident is not an actual network intrusion,” she said.

Instead, she wrote, the FBI agent said the state’s database was “misconfigured.”

“This misconfiguration allowed open source tools to be used to query data that should not be public,” she wrote.

So, by the time of the “hacker” statement by DESE, it was already pretty clear to people within DESE that it was DESE at fault and not journalists ethically disclosing DESE’s terribly bad security practices. However, the report also notes that the FBI and the local Assistant US Attorney were still investigating whether or not they could bring criminal charges against the journalists:

“Kyle said the FBI would speak to Gwen Carroll, the AUSA (Assistant U.S. Attorney), with the updated information from the emails to see if this still fit the crime and if she was interested in prosecuting,” Robinson said.

Oh, and even worse: technically the criminal investigation is still ongoing:

As of Tuesday, the Highway Patrol’s investigation was still active, Capt. John Hotz told the Post-Dispatch.

That investigation needs to be closed, and everyone involved from DESE to Governor Parson to the Highway Patrol owe the St. Louis Post-Dispatch, its reporters, and the citizens of Missouri a massive apology.

Filed Under: data breach, dese, ethical disclosure, mike parson, missouri, right click, view source, vulnerability
Companies: st. louis post dispatch

Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim

from the wtf-missouri dept

Hey Missouri: stop electing technically illiterate dipshits. First you had Claire McCaskill, one of the key sponsors of FOSTA (who is still defending it years later). You got rid of her, but replaced her with Josh Hawley, who seems to think his main job in the Senate (besides whipping up support for insurrectionists and planning his run for the Presidency) is to destroy the internet and reshape it according to his own personal vision.

And then there’s your governor. We wrote about him a few years ago when he claimed (ridiculously) that the 1st Amendment meant he could withhold public records (which is not how any of this works). But, of course, last week, his tech ignorance broke into prime time after the St. Louis Post-Dispatch ethically disclosed that the state’s Department of Elementary and Secondary Education (DESE) website was including teacher & administrator social security numbers in the HTML. DESE pulled down the pages, but not before calling the journalists “hackers.” Parson then doubled down and called for the journalists to be prosecuted. And then kept insisting that viewing HTML source code was hacking.

For the past week people on Twitter have been repeatedly mocking Parson for this, but he just won’t give up, and neither will the United Missouri PAC that is a huge Parson supporter and was even fined last year by the Missouri Ethics Commission over improper contributions and failure to report the contributions to Parson.

Earlier this week, United Missouri seemed to think that Parson’s blatant technical illiteracy was worth doubling down on and turning into a culture war against “the fake news.” It produced a video that is so embarrassing and cringeworthy it feels like a parody.

I mean, the transcript is so stupid that it makes me wonder about the quality of education in Missouri that someone could be this clueless.

The latest from the Missouri “fake news factory” is from the St. Louis Post-Dispatch, where a reporter has been digging around HTML code on a state website. The state technology division said the hacker took the records of at least 3 educators, decoded the HTML source code and viewed the social security numbers from the state website.

I mean, holy shit. HTML code is public. That’s what “view source” is there for. There’s no “digging around.” And, incredibly, here United Missouri/Parson are admitting that the social security numbers were in HTML! THAT IS THE PROBLEM! No one should ever be putting SSNs in HTML. The fact that DESE put SSNs in HTML is the very problem that the reporters were highlighting. And if it wasn’t actually a problem, why did DESE pull down the website in the first place? It’s not hacking. It’s showing that Parson’s administration is incompetent.

And then, the video takes Parson’s own failure to protect teachers and administrators in the state… and blames it on the reporters who (ethically) disclosed this negligent coding?

Governor Parson believes everyone is entitled to their privacy. Especially our teachers.

THEN WHY DID YOUR ADMINISTRATION REVEAL THEIR SOCIAL SECURITY NUMBERS IN HTML, YOU TECHNICALLY IGNORANT FOOLS? No one should ever be putting SSNs in HTML. The fact that they were there is the problem. Not the fact that these reporters alerted the state to their own coding (and data handling) error. The privacy breach is the state’s fault, not the reporters. The reporters disclosed all of this in the most ethical manner possible: alerting the state and not publishing anything until after the leaked data was removed from the web.

Governor Parson is standing up to the fake news media and is committed to bringing to justice anyone who obtained private information. The St. Louis Post-Dispatch is purely playing politics. Exploiting private information is a squalid excuse for journalism. And hiding behind the noble principle of free speech to do it is shameful.

Note that they keep calling the St. Louis Post-Dispatch “fake news” but don’t dispute a single thing they reported. So it’s fake news, but also a crime? Furthermore, the only one who should be “brought to justice” is the state for putting social security numbers in HTML in the first place. And the only one “purely playing politics” appears to be Governor Mike Parson and his corrupt PAC.

And, of course, everyone with even the most basic understanding of HTML knows that it’s Parson who’s full of shit here, as the comments on the video make clear.

I get that, these days, the Trumpian populists politicians think they can just make shit up and lie constantly and their ignorant base will lap it up, but this takes all that to new levels of stupid. You don’t have to be a genius computer science grad to understand that you never ever put SSNs in HTML and that whoever did that is at fault here.

Filed Under: data breach, ethical disclosure, hacking, html, journalism, mike parson, missouri, view source
Companies: united missouri

Journalists In St. Louis Discover State Agency Is Revealing Teacher Social Security Numbers; Governor Vows To Prosecute Journalists As Hackers

from the wtf-missouri? dept

Last Friday, Missouri’s Chief Information Security Officer Stephen Meyer stepped down after 21 years working for the state to go into the private sector. His timing is noteworthy because it seems like Missouri really could use someone in their government who understands basic cybersecurity right now.

We’ve seen plenty of stupid stories over the years about people who alert authorities to security vulnerabilities then being threatened for hacking, but this story may be the most ridiculous one we’ve seen. Journalists for the St. Louis Post-Dispatch discovered a pretty embarrassing leak of private information for teachers and school administrators. The state’s Department of Elementary and Secondary Education (DESE) website included a flaw that allowed the journalists to find social security numbers of the teachers and administrators:

Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.

The newspaper asked Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, to confirm the findings. He called the vulnerability “a serious flaw.”

“We have known about this type of flaw for at least 10-12 years, if not more,” Khan wrote in an email. “The fact that this type of vulnerability is still present in the DESE web application is mind boggling!”

Being in the HTML source code means that the server sent that information to the computers and browsers of everyone who visited the right pages; “view source” just shows what the browser already received. It also appears that the journalists used proper disclosure procedures, alerting the state and waiting until it had been patched before publishing their article:

The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.

Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.

The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.

Also, it appears that the problems here go back a long ways, and the state should have been well aware that this problem existed:

The state auditor’s office has previously sounded warning bells about education-related data collection practices, with audits of DESE in 2015 and of school districts in 2016.

The 2015 audit found that DESE was unnecessarily storing students’ Social Security numbers and other personally identifiable information in its Missouri Student Information System. The audit urged the department to stop that practice and to create a comprehensive policy for responding to data breaches, among other recommendations. The department complied, but clearly at least one other system contained an undetected vulnerability.

This is where a competent and responsible government would thank the journalists for finding the vulnerability and disclosing it in an ethical manner designed to protect the info of the people the state failed to properly protect.

But that’s not what happened.

Instead, first the Education Commissioner tried to make viewing the HTML source code nefarious:

In the letter to teachers, Education Commissioner Margie Vandeven said “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”

It was never “encrypted,” Commissioner, if the journalists could simply look at the source code and get the info.

Then DESE took it up a notch and referred to the journalists as “hackers.”

But in the press release, DESE called the person who discovered the vulnerability a “hacker” and said that individual “took the records of at least three educators,” instead of acknowledging that more than 100,000 numbers had been at risk, and that they had been available to anyone through DESE’s own search engine.

And then, it got even worse. Missouri Governor Mike Parson called a press conference in which he again called the journalists hackers and said he had notified prosecutors and the Highway Patrol’s Digital Forensic Unit to investigate. Highway Patrol? He also claimed (again) that they had “decoded the HTML source code.” That’s… not difficult. It’s called “view source” and it’s built into every damn browser, Governor. It’s not hacking. It’s not unauthorized.

Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.

We notified the Cole County prosecutor and the Highway Patrol?s Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE

— Governor Mike Parson (@GovParsonMO) October 14, 2021

It gets worse. Governor Parson claims that this “hack” could cost $50 million. I only wish I was joking.

This incident alone may cost Missouri taxpayers up to $50 million and divert workers and resources from other state agencies. This matter is serious.

The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them, in accordance with what Missouri law allows AND requires.

A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code. This was clearly a hack.

We must address any wrongdoing committed by bad actors.

If it costs $50 million to properly secure the data on your website that previous audits had already alerted you as a problem, then that’s on the incompetent government who failed to properly secure the data in the first place. Not on journalists ethically alerting you to fix the vulnerability. And, there’s no “unauthorized access.” Your system put that info into people’s browsers. There’s no “decoding” to view the source. That’s not how any of this works.

As people started loudly mocking Governor Parson, he decided to double down, insisting that it was more than a simple “right click” and repeating that journalists had to “convert and decode the data.”

We want to be clear, this DESE hack was more than a simple “right click.”

THE FACTS: An individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information. (1/3) pic.twitter.com/JKgtIpcibM

— Governor Mike Parson (@GovParsonMO) October 14, 2021

Again, even if it took a few steps, that’s still not hacking. It’s still a case where the state agency made that info available. That’s not on the journalists who responsibly disclosed it. It’s on the state for failing to protect the data properly (and for collecting and storing too much data in the first place).
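To make the “it was already in the browser” point concrete, here is an added example. It is not the Post-Dispatch’s code and not DESE’s; the page never describes the application’s internals. It renders a constructed teacher-lookup table two ways (the mistake and the fix) and then audits the HTML the way “view source” does, including a decode step, since the governor’s “convert and decode” language and Khan’s “open source tools” remark suggest the numbers were not sitting there in plain text. The records, field names and the base64 wrapper are assumptions for illustration. The same audit is the check a team should run over its own rendered pages before shipping, which is what the 2015 audit’s recommendations would have caught here.

```python
"""Added example, not code from the Post-Dispatch or from DESE.

A constructed certification-lookup page rendered two ways, plus an audit that
looks at the HTML the way "view source" does.  Records, field names and the
base64 wrapper are assumptions for illustration; the real application's
encoding is not described on the page.
"""
import base64
import html
import json
import re

# Constructed records with fabricated numbers (219-09-9999 and the 900-series
# are not issued as real SSNs).
TEACHERS = [
    {"id": 1001, "name": "A. Example", "cert": "Elementary Ed",
     "status": "Active", "ssn": "219-09-9999"},
    {"id": 1002, "name": "B. Sample", "cert": "Secondary Math",
     "status": "Expired", "ssn": "987-65-4321"},
]

# Fields the public lookup page actually needs.  The SSN is not one of them.
PUBLIC_FIELDS = ("name", "cert", "status")


def render_vulnerable(records):
    """The mistake: the template stuffs the whole record into an attribute so
    client-side script can use it later.  The SSN is never displayed, so the
    page looks clean, but every visitor's browser downloads it.  Base64 is an
    encoding, not encryption; it hides nothing from anyone who looks."""
    rows = []
    for r in records:
        blob = base64.b64encode(json.dumps(r).encode()).decode()
        cells = "".join(f"<td>{html.escape(str(r[f]))}</td>" for f in PUBLIC_FIELDS)
        rows.append(f'<tr data-record="{blob}">{cells}</tr>')
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def render_hardened(records):
    """The fix: allowlist the fields that reach the response.  Better still is
    for the lookup service not to hold the SSN at all (data minimisation), so
    that no template can leak it."""
    rows = []
    for r in records:
        cells = "".join(f"<td>{html.escape(str(r[f]))}</td>" for f in PUBLIC_FIELDS)
        rows.append(f'<tr data-id="{r["id"]}">{cells}</tr>')
    return "<table>\n" + "\n".join(rows) + "\n</table>"


# Dashed form only; matching bare nine-digit runs would catch more but also
# produce false positives, and base64 text can never contain a dash.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def visible_text(page_html):
    """Roughly what a visitor sees: tags and their attributes removed."""
    return html.unescape(re.sub(r"<[^>]+>", " ", page_html))


def find_leaked_ssns(page_html):
    """Inspect the HTML exactly as the browser received it.
    Returns (where, ssn) pairs: 'source' for numbers sitting in plain text or
    attributes, 'base64' for numbers that appear only after decoding a
    base64 token found in the source (the "convert and decode" step)."""
    hits = [("source", m.group()) for m in SSN_RE.finditer(page_html)]
    for token in BASE64_RE.findall(page_html):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or not text once decoded
        hits.extend(("base64", m.group()) for m in SSN_RE.finditer(decoded))
    return hits


def audit(page_html):
    """Split the findings the way the Post-Dispatch described them: nothing
    visible on the page, yet present in the source."""
    return {
        "visible": [m.group() for m in SSN_RE.finditer(visible_text(page_html))],
        "in_source": find_leaked_ssns(page_html),
    }


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        print(label, audit(render(TEACHERS)))
```

Running it shows the vulnerable page with nothing visible and both numbers recoverable from the source after one decode, and the hardened page with nothing in either place. Nothing in `find_leaked_ssns` touches the server; it only reads bytes the server already chose to send, which is the whole argument.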

Indeed, in doing this ridiculous show of calling them hackers and threatening prosecution, all the state of Missouri has done is make damn sure that the next responsible/ethical journalists and/or security researchers will not alert the state to their stupidly bad security. Why take the risk?

Filed Under: blame the messenger, dese, disclosure, ethical disclosure, hacking, mike parson, private information, schools, social security numbers, st. louis, teachers, vulnerabilities
Companies: st. louis post dispatch