[HN Gopher] Reporter who told Missouri officials of website flaw...
___________________________________________________________________
Reporter who told Missouri officials of website flaw did 'nothing
out of line'
Author : danso
Score : 185 points
Date : 2021-11-03 18:06 UTC (4 hours ago)
(HTM) web link (statescoop.com)
(TXT) w3m dump (statescoop.com)
| bellyfullofbac wrote:
| The title truncation is so unhelpful and IMO editorialising. Is
| it ", judge said", meaning case closed and the statement can be
| said as fact? Is it maybe a quote from an institution like the
| EFF, defending him?
|
| Nope, it's ", emails said"...
| danso wrote:
| I tried every variation to get the hed to fit under 80 chars --
| it was either "emails said" or "Missouri"
|
| In any case, the "nothing out of line" comes from a security
| expert reviewing the emails:
|
| > _While Missouri officials redacted most of Renaud's second
| email, Katie Moussouris, the CEO of Luta Security, told
| StateScoop it appears he took all the right steps in disclosing
| a vulnerability._
|
| > _"Nothing in what you've shared with me looks like it was out
| of line with sensible coordinated vulnerability disclosure
| activities of any researcher trying to protect victims of
| sensitive data exposure," said Moussouris, a co-author of the
| international standards for vulnerability disclosures._
| dylan604 wrote:
| >fit under 80 chars
|
| Is it 1985 with a CRT TTY? This limitation is laughable.
| bee_rider wrote:
| Is this the CRT and fake news we've been told to worry
| about? It seems underwhelming.
| danso wrote:
| That's the limitation HN imposes on submission titles.
| Anything longer will not go through.
| dylan604 wrote:
| I understand why. It doesn't make it any less laughable.
| Don't editorialize the title, except we're going to make
| it impossible not to. eyerolllikeimateenager
| randombits0 wrote:
| It's so much faster when you search SSNs clientside!
| infogulch wrote:
| As a Missouri resident, what is the best method of contacting
| these buffoons (and their opponents) to voice my displeasure with
| this appalling response from state officials?
| shadowgovt wrote:
| I know that "bleeds it leads" is the rule for journalism, but I
| sort of wish there were a way to tell people to stop giving this
| story oxygen.
|
| The governor knows his claims are foolish and he knows he's
| building a controversy out of thin air. It's playing great with
| his constituents, and the fact that his position of power
| inclines people to take him seriously means he can get away with
| it.
| BeefySwain wrote:
| I understand your point, but what's the alternative? The answer
| can't be roll over and ignore negligently/dangerously ignorant
| people in positions of power.
|
| If your premise is true (that the harder those who understand
| this push against it, the harder he will push back, and the
| voters of his state like him for that) then there is no winning
| strategy here.
| breckenedge wrote:
| Your role in this game is to get angry at the stupidity of
| the governor. Your prize is rage. The winning strategy is not
| to play, let the courts battle this crap. If you want to do
| something, donate to the EFF or another organization or this
| prof's legal fund (if he has one?).
| TillE wrote:
| > It's playing great with his constituents
|
| Doubtful.
|
| This is absolutely one of those cases where public attention
| and pressure can spare someone from getting lost in the legal
| system. Burying the story only helps those abusing their power.
| shadowgovt wrote:
| Regarding "It's playing great with his constituents:"
|
| His PAC is running ads like this.
| https://www.youtube.com/watch?v=9IBPeRa7U8E
|
| To a lot of us, that looks like nonsense, but you have to
| remember how far through the looking-glass a lot of the
| conservative populace has gone... The press is now the enemy
| in their mind, and they don't understand technology well
| enough to get why these claims are ridiculous. So he gets to
| build steam and any pushback is just seen as more "fake news"
| coverage that would (of course) support their fellows in the
| media.
|
| It's deeply frustrating because it's a form of social jujitsu
| built atop existing mistrust, and there _aren't_ good ways
| to combat it.
| afavour wrote:
| Why would refusing to cover the story stop that problem? He's
| literally running ads with it so it's going to get plenty of
| oxygen no matter what. Might as well try to get the actual
| truth out there as well.
| alexjplant wrote:
| The DoE is complicit in this as well (from the original article):
|
| > In the letter to teachers, Education Commissioner Margie
| Vandeven said "an individual took the records of at least three
| educators, unencrypted the source code from the webpage, and
| viewed the social security number (SSN) of those specific
| educators."
|
| > But in the press release, DESE called the person who discovered
| the vulnerability a "hacker" and said that individual "took the
| records of at least three educators"
|
| This squares perfectly with my own experience. As a middle
| schooler I had several interactions with my school system's IT
| department where they baselessly accused me of hacking and
| malicious intent; I responsibly disclosed a method of bypassing
| their web content filter and they responded by going through my
| roaming profile and leveling charges at me of "remotely hacking
| computer systems" because of a screenshot of a terminal emulator
| they found. I was a good kid with a perfect disciplinary record.
| In retrospect it was a series of incompetent staffers covering
| for their inability by bullying a child.
|
| The US needs to stop using public facilities (schools, the
| military, etc) as white-collar welfare and hire more people that
| actually care. Ignorance is forgivable but when combined with a
| steadfast opposition to personal growth it becomes malicious.
| It'd be better for society to fire clowns like these and
| administer them unemployment than to have them crowd out those
| that actually give a shit.
|
| *EDIT: To clarify for anybody that would read the above as
| "government workers don't care": there are plenty that do. I
| break bread with them and want them to be able to do their jobs
| unimpeded by the ones that _don't_.
| chucksta wrote:
| Similar experience, their reasoning why it was so stern was
| because the password acquired was valid throughout the entire
| district, and used for multiple core systems (security, AD,
| grades, etc..)
|
| No one thought to ask IT why they used the same PW 5+ times for
| critical infra, it's all just the kid's fault for finding one of
| them
| harikb wrote:
| Part of this is general attitude towards all hacking - that
| systems can "never be secured", it is never the
| designer/implementer's fault, and we should just blame the bad
| actors.
|
| When banks/financial systems can get away with not upgrading a
| decade-old Java framework with a 6-month-old Struts
| vulnerability, and just blame the hacker, it is not surprising
| the average school sysadmin will do the same.
| hn_throwaway_99 wrote:
| > unencrypted the source code from the webpage
|
| Because "reading HTML" is now "unencrypting".
|
| People got caught with their pants down and are now just trying
| to lie their way out of it, nothing new but still sad.
| jlgaddis wrote:
| You must not be aware that _CTRL-U_ is the secret h4x0r
| backdoor key for "unencrypt".
| xxpor wrote:
| Someone probably tried to explain how TLS works and it flew
| right over their heads.
| Eldt wrote:
| The SSNs were base64 encoded I believe, which is strange to
| consider encryption, but they also seem to be conflating the
| "decryption" of that with viewing the source code. This is
| just so ridiculous of them.
| jdavis703 wrote:
| Encoding is not encryption. That's like if I got the raw
| bytes of Unicode characters and converted them to legible
| text. Or another way, that's like two people talking about
| me in a language I don't understand, and then I respond to
| them in said language.
| matt123456789 wrote:
| That's a terrific analogy. And it's one that a jury will
| relate to. Sadly, if it goes to court, the poor guy's
| lawyer is gonna have to spend a lot of time explaining
| how the State's servers were sending this information in
| clear text to everyone who requested the page, refuting
| the false equivalence that the prosecution will make
| between "hacking" and "view source->decode to ASCII".
| tyingq wrote:
| They were. It was the _VIEWSTATE thing that ASP.NET sticks
| into pages. The developers put the full SSN into the
| _VIEWSTATE object, which is base64 encoded into the pages.
|
| See https://news.ycombinator.com/item?id=28992667
|
| There's a good comment there that the Microsoft ASP.NET
| help pages specifically call out an SSN as a terrible thing
| to put into _VIEWSTATE :)
| extra88 wrote:
| There's no mention of any kind of encoding in the delivered
| HTML. From the newspaper [0]:
|
| > the newspaper found that teachers' Social Security
| numbers were contained in the HTML source code of the pages
| involved.
|
| and later:
|
| > In reality, the Post-Dispatch discovered the
| vulnerability and confirmed that the nine-digit numbers
| were indeed Social Security numbers.
|
| [0] https://www.stltoday.com/news/local/education/missouri-
| teach...
| tyingq wrote:
| See https://news.ycombinator.com/item?id=28992667
| extra88 wrote:
| Thanks.
|
| Given this, I think the journalist over-simplified the
| situation in their story and that the "F12" jokes are
| unjustified. Recognizing there's a disclosure of private
| information here requires a lot more technical knowledge
| beyond the ability to view the HTML source.
|
| The governor is still wrong for pursuing this and what
| the newspaper did was right, given that they disclosed it
| to the responsible parties and didn't publish until the
| problem site was taken down.
| tyingq wrote:
| I feel like the F12 jokes are fine, since they don't even
| match the Governor's exaggerated rhetoric about
| "hacking". Pasting the base64 into one of many online
| decoders isn't much of an extra step. The Governor kept
| calling it a complicated 8 step process or something
| similar to that.
| rrobukef wrote:
| Base64 can be done by hand with two tables: one splitting
| every character in three times two bits and one that
| takes four pairs of bits and looks it up in the ASCII
| table. Done.
|
| It's hard to call this encryption.
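Worked example added here by the editor, not code from the article or from anyone quoted in this thread: it carries out the base64 decoding rrobukef describes (one alphabet table, six bits per character) and applies it to the `__VIEWSTATE` field tyingq mentions, as a pre-release audit a developer could run against a page they serve themselves. The function names, the sample page and the "000-12-3456" value are constructed for the example; it assumes ViewState was emitted unencrypted, which is the situation the thread describes.

```python
"""Audit helper: does a rendered ASP.NET page carry SSN-shaped strings in
its __VIEWSTATE field?

Added example for this thread, not code from the article or from anyone
quoted in it. It assumes a page served with ViewState unencrypted (the
situation the thread describes); a MAC'd-but-unencrypted ViewState still
exposes its strings, an encrypted one does not. Meant to be run against
pages you serve yourself, before release.
"""
import base64
import html
import re
from typing import List

# The single lookup table base64 needs: character -> 6-bit value.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
B64_VALUE = {c: i for i, c in enumerate(B64_ALPHABET)}


def b64decode_by_hand(text: str) -> bytes:
    """Decode base64 using only the alphabet table, as the thread describes.

    Every character contributes 6 bits; once 8 bits have accumulated they
    form one output byte, so four characters yield three bytes. Padding
    ('=') marks bits that were never part of the input and is dropped.
    """
    text = "".join(text.split())  # tolerate whitespace and line breaks
    if len(text) % 4 != 0:
        raise ValueError("base64 text length must be a multiple of 4")
    acc, nbits, out = 0, 0, bytearray()
    for ch in text.rstrip("="):
        if ch not in B64_VALUE:
            raise ValueError(f"not a base64 character: {ch!r}")
        acc = (acc << 6) | B64_VALUE[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1  # keep only the leftover bits
    return bytes(out)


# Hidden field ASP.NET emits; attribute order varies, so match loosely.
VIEWSTATE_RE = re.compile(r'name="__VIEWSTATE"[^>]*?value="([^"]*)"', re.I)

# Nine digits, optionally in the familiar 3-2-4 grouping, not embedded in a
# longer digit run. Lookarounds rather than \b because the byte before a
# serialized string is a length prefix that may itself be a "word" byte.
SSN_SHAPED_RE = re.compile(rb"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")


def extract_viewstate(page_html: str) -> str:
    """Return the raw base64 text of the page's __VIEWSTATE field."""
    m = VIEWSTATE_RE.search(page_html)
    if m is None:
        raise ValueError("page has no __VIEWSTATE field")
    return html.unescape(m.group(1))


def find_ssn_shaped(page_html: str) -> List[str]:
    """Decode the page's ViewState and list SSN-shaped digit runs in it.

    Nothing in the decode step involves a secret: any hit means the value
    was sent to every client that requested the page, which is exactly the
    thread's point. Hits are candidates for review, not confirmed SSNs.
    """
    raw = b64decode_by_hand(extract_viewstate(page_html))
    return [m.decode("ascii") for m in SSN_SHAPED_RE.findall(raw)]


# --- constructed sample ----------------------------------------------------
# Stand-in for a serialized ViewState: real ObjectStateFormatter output has
# more structure, but strings are stored as length-prefixed plain bytes,
# which is the only property this check relies on. "000-12-3456" is a
# deliberately invalid, made-up number.
SAMPLE_VIEWSTATE_BYTES = b"\xff\x01\x0bJ. Educator\x0b000-12-3456\x05MO-12"
SAMPLE_PAGE = (
    '<form method="post" action="./Lookup.aspx">\n'
    '<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="'
    + base64.b64encode(SAMPLE_VIEWSTATE_BYTES).decode("ascii")
    + '" />\n</form>\n'
)

if __name__ == "__main__":
    hits = find_ssn_shaped(SAMPLE_PAGE)
    print("SSN-shaped values in ViewState:", hits or "none")
```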
| butterfi wrote:
| Back in the 80's, my computer teacher kicked me out of class
| because I had logged into my friends account at another school
| and downloaded instructions for an "assassination game" (pick a
| name from a hat, 'assassinate' your victim with a toy gun)
| which we never played because we just weren't that interested.
| The teacher was going through the trash and "discovered" my
| "hacking" because everything was printed on paper. Fortunately
| for me, I had access to other computers and went on to a long,
| successful career in computers. No thanks to you, shitty
| computer teacher.
| handrous wrote:
| > The US needs to stop using public facilities (schools, the
| military, etc) as white-collar welfare and hire more people
| that actually care. Ignorance is forgivable but when combined
| with a steadfast opposition to personal growth it becomes
| malicious. It'd be better for society to fire clowns like these
| and administer them unemployment than to have them crowd out
| those that actually give a shit.
|
| Our purest white-collar welfare system is the health insurance
| industry, I'd say. IIRC at one point Obama explicitly stated
| that a reason he didn't think single-payer and similar were
| viable to advance, is because they'd put too many people out of
| work.
|
| The military is, obviously, our main work-required blue-collar
| welfare system, among other kinds of wealth-shuffling it does.
| Why, one can get nearly-European-standard-for-all public
| benefits, through that program, provided one is reasonably
| sound of body and mind. Healthcare, pension, housing, et c.
| [edit] education, too!
| justin_oaks wrote:
| I do remember Obama talking about losing jobs in health care.
| With that kind of logic, we'd never have allowed cars because
| the horse and carriage industries would lose jobs.
|
| I'm not unsympathetic to those who would lose jobs from
| changes in the industry. Here's my thought: if a government
| action disrupts an industry then that action should be done
| piecemeal over several years to allow a softer transition.
| CoastalCoder wrote:
| > The US needs to stop using public facilities (schools, the
| military, etc) as white-collar welfare and hire more people
| that actually care.
|
| In my experience, most IT/CS people who seek to work for
| state/federal government _do_ care.
|
| Unfortunately the combination of extreme red tape, low pay,
| inability to fire lazy employees, and occasionally being
| punching bags for politicians trying to score cheap points with
| their constituents, takes its toll over time.
| thr0wawayf00 wrote:
| So much this. Pay and working conditions are such a joke for
| so many government jobs compared to the private sector.
| Government workers make nothing compared to the private
| sector, we expect them to be miracle workers, we refuse to
| acknowledge them when they do work miracles, and then we get
| mad and want to slash the budget when they can't.
|
| It really sucks because I'd happily work for slightly under
| market rate to do work for a government office, but I just
| can't work for 1/3-1/2 of the pay I make working in the
| private sector, not with housing prices the way they are.
| pirate787 wrote:
| Federal govt IT is basically competitive on salary but the
| hiring process is rigged. The job descriptions are tightly
| bound to specific experience that only other govt workers
| or contractors could know and understand.
| d3ad1ysp0rk wrote:
| Where can I make 150-200k/year in federal IT?
| alexjplant wrote:
| Last I checked $140k is about the going rate for
| government contractor software engineering work in the
| DC/Northern Virginia area. Add $10-20k for a Secret
| clearance or Public Trust and $30-50k for a Top Secret
| clearance (though you'll probably have to deal with
| working in a SCIF at least some of the time with a
| clearance). I'm pretty sure you can push that latter
| number even higher if you get a TS/SCI and start doing
| spooky stuff.
| mixmastamyk wrote:
| We need laws not just to protect whistleblowers (etc.) but to
| punish those who retaliate against them.
| the_optimist wrote:
| And just like that, everyone is a "whistleblower". And I say
| that as someone with a very strong interest in disclosure and
| transparency.
| mixmastamyk wrote:
| Shorthand, why I put (etc.) in there. I could list a lot of
| things like "security researcher" and here, "journalist."
| Good enough?
| ivalm wrote:
| > hire people that actually care
|
| One thing to note is that hiring skilled IT workers is often
| outside budget capabilities. It's not that they want to hire
| someone incompetent, they simply can't afford to hire someone
| competent.
| [deleted]
| sirspacey wrote:
| No.
|
| There has been massive interest in modernizing these systems.
|
| It's the beliefs and attitudes of leadership that cause well
| intentioned engineers who are willing to take a lower salary
| to leave
| willis936 wrote:
| It doesn't help that they used a Soviet method of denying
| shortcomings in hopes that fantasy will overrule reality.
| What can you do when you have limited resources to make your
| situation worse? Punish people who are helping you for free.
| AstroDogCatcher wrote:
| Incompetent people will do anything they can to avoid
| admitting that they are incompetent.
|
| One of the more interesting possible outcomes of a UBI I
| hope to see in my lifetime is the ejection of many of the
| seat-warmers currently occupying IT positions in western
| public sector organisations.
| heavyset_go wrote:
| Middle schools can pay administrators $250k+ a year, but
| can't afford sys admins?
| munk-a wrote:
| In the US it looks like middle school administrators make,
| on average, 57k[1] - which is definitely below a sys admin
| cost.
|
| 1. Edit, source: https://www.zippia.com/school-administrator-jobs/salary/
| jdavis703 wrote:
| I checked, the top paid IT person in my local Bay Area
| school district makes $168,000 a year (he's the CIO).
| There's a "L4" software developer making $131,000 a year.
| The next highest is a DBA earning $129,000 a year. So it
| would appear at least my district isn't budgeting a
| competitive amount for technical talent. These salaries are
| far below market rate, to the point that many of these
| people might qualify for subsidized housing.
| walrus01 wrote:
| > district makes $168,000 a year (he's the CIO). There's
| a "L4" software developer making $131,000 a year.
|
| I think that really says more about the absolutely
| _absurd_ cost of living and non-rational real estate
| costs in the SF bay area than it does about the school
| district. In many places with _normal_ cost of living, if
| your US W2 take home is $129k a year, you can live a very
| comfortable upper middle class lifestyle. Whether or not
| you have a spouse or partner with their own career and
| your combined W2 gross income might be $210k a year.
|
| Same as what I said above also applies to absurd real
| estate and cost of living in Seattle, Vancouver, New
| York, etc.
| ivan_gammel wrote:
| Hiring DBA or a developer for a school is extremely
| inefficient use of the budget. School IT must be
| standardized and automated to the point where you only
| need 2 sysadmins and few more first line support people
| per 50-100 schools to run operations and 4-5 companies
| developing school management systems for the entire
| national market, with standardized interoperability.
| thr0wawayf00 wrote:
| That standardization and automation you're talking about
| costs money too. Schools deal with technical debt on the
| IT infra level much like SaaS companies do.
|
| Of course, you should be able to cut a $129k/yr DBA if
| you just spend the millions needed to streamline the IT
| systems.
| ivan_gammel wrote:
| Simple search shows that there are 130 000 schools in the
| USA. Spending 10M to develop reasonable IT standards and
| 120M more on compliant software is just $1000 per school.
| And this is not military software, it can actually be
| developed offshore by decent engineers earning half of
| that DBA salary (that is, you get 2000 _man-years_ of
| work for that money).
| gamerDude wrote:
| I work with school districts and there are these
| companies. And they are absolutely atrocious. And they
| make it difficult to transfer. So schools are somewhat
| stuck in the old way. Literally every district level
| person hates the software, but they can't change it.
| ivan_gammel wrote:
| This is where government should be able to help with
| regulation. Nobody should be able to enter or stay on the
| market without ensuring interoperability, security and
| accessibility and without transferring certain rights to
| customers. I'm pretty sure the market will remain
| attractive for business even with the open source
| requirement.
| treeman79 wrote:
| My wife (teacher) wasn't allowed to use the microwave for a
| year due to the cost of electricity.
|
| They got upset when I suggested we donate 20 dollars to
| cover microwave budget for entire school for the year.
| ranger_danger wrote:
| Something tells me it wasn't really about the cost.
| Someone just hates smelling food I bet.
| treeman79 wrote:
| Microwaves were in classrooms.
| Iefthandrule wrote:
| You make it sound like no one is responsible for setting the
| budget and determining that a decently paid IT staff is not
| worth it.
|
| It is malicious intent the whole way down.
| jedberg wrote:
| Is it worth it though? If a few teachers have their
| identity stolen, will that in any way hurt the school? I
| mean, it _should_ hurt them, but it's unlikely that it
| will. The only people who might feel bad are the moral IT
| folk who created the problem.
| jjeaff wrote:
| I mean, is there really any risk of that anymore? Equifax
| had already seen to it that basically every adult in
| America's personal information is out there.
| josephg wrote:
| I don't think it's malicious intent. Hanlon's razor: never
| ascribe to malice what can be explained by incompetence.
| It's simply that nobody at any level takes actual
| responsibility for outcomes. People at the bottom of the
| system (teachers, parents) can see problems but are usually
| disempowered and voiceless, and can't fix them on their
| own. And people at the top are either ignorant of the real
| problems or lack real leadership and incentives to fix
| them. (Or they feel overburdened and overwhelmed).
|
| An old friend of mine teaches the first year CS curriculum
| at a local university. By all reports he's phenomenally
| good at his job. He truly cares and his students adore him.
| But he's making a fraction of the salary he could be making
| in industry. At some point he's probably going to quit to
| do a job he's not as good at, and doesn't enjoy as much.
| Why is he paid many times less than he's worth? Because the
| university wants to pay CS lecturers who teach 2000
| students the same as they pay people who teach poetry to a
| class of 5. So my friend can't get a competitive salary
| without entire departments revolting. Whose fault is that?
| I don't believe it's malicious intent. It's just a boring,
| systematic failure high up in the org chart leading to
| bland mediocrity. The only people who can do something
| about it don't care about outcomes enough to fix the
| problem.
| gameswithgo wrote:
| Americans don't want to pay taxes, then Americans complain
| about the quality of their infrastructure
| kodah wrote:
| The military and education do hire people that care,
| insinuating that they don't seems very wrong. What I do see
| here, is that someone is speaking far outside their domain of
| expertise. Software Engineers love to do this on a lot of
| subjects. Having a deep background in Systems it's amusing at
| times, but I certainly wouldn't say they don't care.
| torstenvl wrote:
| The military does hire people who care, and we are constantly
| frustrated re people who _don't_ care.
| alexjplant wrote:
| > insinuating that they don't seems very wrong
|
| It's a good thing that's not what I did then... I said that
| the bad workers "crowd out those that actually give a shit",
| which means that there _are_ indeed people that care (albeit
| fewer than there should be).
|
| > What I do see here, is that someone is speaking far outside
| their domain of expertise.
|
| I spent 15 years working in government contracting,
| specifically in defense. I've worked with a _lot_ of civilian
| DoD employees (many of whom I respect immensely on a
| professional basis and consider my friends). I also am
| related to and am friends with a number of former public
| school teachers that left their field for greener pastures.
| Institutional rot isn't exactly a secret.
|
| Per the HN guidelines please
|
| > Assume good faith.
| kodah wrote:
| Yeah, your corrected statement still seems wrong. I
| disagreed with your assessment, I didn't "assume bad
| faith".
|
| My personal disagreement is blaming individual people.
| There should be funding and education resources set up to
| ensure that people who make calls like this are educated
| enough to do so. You're in the business of personal
| accountability and I'm in the business of saying the people
| are a byproduct of the failing system. I'll bet my next
| paycheck if you wash out everyone that you deem lackluster
| and replace them with people you find to be excellent, the
| same outcome will be had over a matter of time.
| nend wrote:
| >It'd be better for society to fire clowns like these and
| administer them unemployment than to have them crowd out those
| that actually give a shit.
|
| The people that give a shit are making 10x as much by not
| working for a public middle school.
|
| Fire the current lot if you want, but they'll just be replaced
| by the next set of people who aren't skilled enough to make
| market rate.
| ethbr0 wrote:
| Exactly.
|
| Most non-core-business organizations can't afford to hire
| someone competent, and therefore hire someone else.
|
| But obviously that person isn't going to say "Gee, I'm really
| not great at this computer stuff, but I'll do what I can."
| They say "Sure, I know all about all the computer stuff!"
|
| And then you have their leadership (who doesn't know any
| details), taking whatever they report up at face value.
|
| The governor probably believed he had a leg to stand on here,
| because I'm sure that's _exactly what his people told him_.
| handrous wrote:
| > The governor probably believed he had a leg to stand on
| here, because I'm sure that's exactly what his people told
| him.
|
| My money's on this being purely a political decision. And
| for that, considering who it is and their position in the
| political landscape, I think it's too early to definitively
| call it a blunder.
| munk-a wrote:
| I think it's a pretty terrible political decision
| regardless of the outcome. Whenever you take a stance on
| a highly technical issue like this you're rolling the
| dice and hoping that you don't actually have a number of
| technical minded folks in your state. It can backfire
| amazingly.
|
| It's much easier to play political games on much more
| abstract issues where it's harder to evaluate the
| options.
| handrous wrote:
| I don't think many tech folks, even in Missouri, are
| among this guy's voters, and the ones who are, aren't
| turning "blue" over this (they're probably in it for
| religious reasons, i.e. abortion).
|
| Meanwhile, he's received national attention.
|
| We'll see, but it may yet be a smart play, politically
| speaking. I'm not saying it for-sure is, I just don't
| think that result's anywhere near being off the table.
| munk-a wrote:
| I fled to Canada over a decade ago so take my opinion
| here with a grain of salt but... I think that folks still
| talk to other folks on a local and familial level so a
| cousin of mine that's anti-vax has reached out to talk
| about technical news occasionally and you'll tend to chat
| with neighbors.
|
| So having someone technically minded in your general blob
| of associations is generally enough for these sorts of
| obviously stupid moves to get politicians in serious
| trouble.
|
| The stakes are a lot lower obviously - but this is a much
| clearer case of technical malpractice than anything
| having to do with Snowden and reminds me of Morris[1]'s
| case - basically it's complete BS and a misuse of the
| law.
|
| 1. https://en.wikipedia.org/wiki/Robert_Tappan_Morris (I
| might be thinking of someone else - I thought there was a
| teenager that got the book thrown at them back in the
| early days of the web but maybe I'm just misremembering
| things)
| handrous wrote:
| My spouse is a teacher and has practically made a game of
| "which low-status jobs would match my current benefits-
| inclusive income, while never making me take work home or
| making me deal with kids' mental health issues, which is
| incredibly stressful?" With current wage hikes in the service
| industry, the proportion that make the cut is going up daily.
| RHSeeger wrote:
| I think it varies wildly by area, too. The teachers in my
| area appear to make a reasonable salary once you include
| pension. Admittedly, the stress level of the job comes into
| play, too...
| mlindner wrote:
| This is all setting up for a lawsuit against the government for
| libel. Especially as the governor now is amplifying his attack
| rather than backing down. When they first went on the attack you
| could play it off with an excuse that they didn't know any
| better, but after they were informed, it's now into the territory
| of libel. However IANAL.
| mabbo wrote:
| All I've learned from this entire escapade is that the next time
| someone finds a major vulnerability in a Missouri state website,
| they will know that the best path forward is to sell it to
| criminals.
|
| They make some money and they don't have the Governor attacking
| their reputation.
| jimt1234 wrote:
| Excellent point. But I don't think anyone is gonna pay much for
| "Right-click. View source code. Done." LOL
| tppiotrowski wrote:
| Related political ad: https://youtu.be/9IBPeRa7U8E
| depaya wrote:
| My god, the nerve they have to end that video with "UNITING
| MISSOURI"
| the_only_law wrote:
| I'm going to start referring to anything I read as "decoding".
| amatecha wrote:
| "Just poured a fresh cup of coffee and reading- errr decoding
| Hacker News!"
| danso wrote:
| Previous thread from 3 weeks ago:
| https://news.ycombinator.com/item?id=28867562
|
| Recent developments:
|
| - The CS professor whose expert opinion was quoted by the
| newspaper article is demanding an apology and legal expenses from
| the state, alleging that the governor defamed and violated his
| free speech rights.
|
| - The governor's political fundraising committee is running ads
| making this a "fake news" issue.
|
| The email that the reporter sent, in advance of publishing the
| article revealing the state education website's data leakage:
|
| > _"I recently discovered a significant exposure of the sensitive
| data of more than 100,000 teachers on a DESE website," Renaud
| wrote to the agency's communications chief, Mallory McGowin. "At
| this point I am confident what I found is a genuine vulnerability
| -- I have confirmed with three teachers from different districts
| that their data was exposed. I also have consulted an UMSL
| cybersecurity researcher who verified my findings. The P-D plans
| to publish a story about this sensitive data exposure, but we
| wanted to inform DESE first so that you would have a chance to
| mitigate the problem."_
|
| > _Renaud shared his timeline for publishing the story and asked
| for interviews with officials from DESE and the Missouri Office
| of Administration's Information Technology Services Division. In
| a second email sent about 45 minutes later, he described the
| steps he'd taken in finding and confirming the vulnerability._
| docmechanic wrote:
| Thanks for the update. Not surprised to see the governor making
| the "fake news" argument rather than trying to criminalize the
| reading of HTML code - in browsers only - across the state of
| Missouri.
| notreallyserio wrote:
| I love the term fake news. As soon as someone uses it in some
| genuine fashion, I know that I don't have to take anything
| else they may say seriously. (Unless, of course, I become the
| direct target.)
| heavyset_go wrote:
| At one point "fake news" meant something concrete,
| referring to throwaway blogs masquerading as actual news
| organizations that don't exist.
| smnrchrds wrote:
| A few years ago an American lawyer wrote a book called Three
| Felonies a Day [0] whose premise is that "the average
| professional in this country wakes up in the morning, goes to
| work, comes home, eats dinner, and then goes to sleep,
| unaware that he or she has likely committed several federal
| crimes that day". If pressing F12 is a crime, the average
| software developer must be committing three felonies an hour.
|
| [0] https://www.amazon.ca/Three-Felonies-Day-Target-
| Innocent/dp/...
| devrand wrote:
| Do you even need to press F12? Is looking at the HTML the
| problem? What if I just download the page? I now have
| leaked SSNs saved to my computer. Is that criminal in the
| governor's mind?
| testplzignore wrote:
| Each received TCP packet is a separate charge. After
| conviction, sentences will be served reliably and in
| order. Errors will be detected and punished severely.
| havkd wrote:
| That depends on whether you press F12 on your page or on
| someone else's
| rootusrootus wrote:
| As I recall, that book was considered pretty good but the
| consensus was that the title was off by a large amount. I.e.
| most people definitely do not commit three felonies a day.
| Maybe a few a month. Which is still bad, yes.
|
| FWIW, I can't remember the last time I pressed F12 ;-)
| dylan604 wrote:
| Of course the GP's premise assumes that most devs are web
| frontend types that care about the HTML. Based on modern
| frontend libraries, is there really any default HTML that
| view source would see other than enough to load up the
| megabytes of JS code?
| jdavis703 wrote:
| Yes, consider the case of server side rendering. Or even
| companies like Basecamp that disavow single page
| applications. Or massive legacy ASP, PHP and Java web
| apps.
| gzer0 wrote:
| That is intriguing. Within the source code of its HTML,
| the White House included an easter bunny encouraging
| people to apply for jobs if they are reading this
| message!
|
| Would I be slandered and jailed for applying to this job
| offering by the US Gov't? What do you think Parson would
| have done in this situation? I did have to press F12, so
| this is quite the predicament! /s
|
| [1]. https://www.cnbc.com/2021/01/21/biden-white-house-
| website-ha...
| jdavis703 wrote:
| It depends on how you count, but I can say someone in my
| house is in near-continuous possession of illegal drugs
| (cannabis). So there's one felony. Then maybe I bypass
| paywalls (potentially a CFAA violation) scrolling through
| the morning news. And then maybe I jump through a closing
| train door, which I've been warned before is considered
| "interfering with a railroad's operation." So there,
| three felonies before I'm in the office.
| rootusrootus wrote:
| > someone in my house is in near-continuous possession of
| illegal drugs (cannabis). So there's one felony
|
| Unless they've already been convicted in the past, that
| is a misdemeanor.
|
| The railroad example is more interesting, though I can't
| find anything truly on point. All the legislation I have
| seen suggests you'd 1) have to _intend_ to disrupt the
| service, and 2) put something on or near the tracks. I
| couldn't find anything even hinting that delaying a
| train through normal passenger controls constituted
| interference with a railroad.
|
| Even if those were all felonies, I think most people
| don't even lead _that_ exciting an existence :).
| elliekelly wrote:
| The book is already a decade old. Surely technology has
| allowed us to inadvertently commit a greater number of
| felonies faster and with more efficiency!
| silpheed5 wrote:
| Lucky for me, I don't even have an F12 key on my current
| keyboard.
| dylan604 wrote:
| Thank the heavens that Apple actually saved us from
| ourselves. All hail Apple! /s
| threatofrain wrote:
| > The governor's political fundraising committee is running ads
| making this a "fake news" issue.
|
| https://www.youtube.com/watch?v=9IBPeRa7U8E
|
| If anyone is curious what the political ad looks like.
| dangle1 wrote:
| Also the misfortune of a large fire on Monday that has taken
| out the workspace and equipment of 80 IT professionals:
|
| https://www.stltoday.com/news/local/govt-and-politics/more-c...
|
| Best online comment on the article:
|
| "When the building's on fire, don't call the fire department or
| Parson will accuse you of arson."
| obiwan14 wrote:
| That's shocking! I thought the reporter was guilty of the most
| heinous crime in the history of the state of Missouri. /s
| dekhn wrote:
| The state is not proceeding with any legal actions, right? And
| they're not, because they've already concluded the governor is
| full of crap, right?
|
| So far all I've seen here is the governor repeatedly make a fool
| of himself while the rest of the state is backing away slowly
| from the crazy old man.
|
| The STL Dispatch actually _really_ wants the state to try to sue
| here, and I don't think Parsons quite appreciates just how much
| trouble his statements can get him in.
| tombert wrote:
| I know nothing about law, but would there be grounds for some
| form of defamation here? At this point, the governor has had
| what the reporter did thoroughly explained to him, and he keeps
| claiming that this is "hacking" seemingly just because he's
| embarrassed. From my perspective, it seems like he's outright
| lying and making accusations of criminal activity, in order to
| besmirch the name of someone he doesn't like.
| EtherTyper wrote:
| This comment on an earlier post about the event seems
| relevant.
|
| https://news.ycombinator.com/item?id=28947555
| torstenvl wrote:
| In the U.S., defamation is generally covered by state law,
| with very few exceptions. There's also usually substantial
| immunity for officials acting in an official capacity
| (Parsons is addressing an issue of governmental embarrassment
| not personal embarrassment).
|
| I think the better route is impeachment for failing to take
| care that the laws are faithfully executed and abuse of
| office. But it's not clear that Missouri provides a way for
| the newspaper or any individual to force that issue.
| dekhn wrote:
| You're turning the case around: yes, you're right, the
| reporter and academic could sue, but it's not worth it (the
| defamation wasn't particularly effective) IMHO. It would
| mainly just make money for lawyers and mildly embarrass the
| state.
|
| Realistically, there's an IT executive in the Missouri
| government who screwed up, and the newspaper should be suing
| the state for criminal infosec practices (they did, after
| all, leak individual SSNs).
___________________________________________________________________
(page generated 2021-11-03 23:00 UTC)