The Missouri government is threatening legal action against a newspaper reporter who helpfully identified an apparent cybersecurity gap in one of its websites. Instead of thanking the journalist, Gov. Mike Parson has accused him of “hacking” and says he wants to see him criminally prosecuted.
The reporter, Josh Renaud of the St. Louis Post-Dispatch, recently discovered that the Missouri Department of Elementary and Secondary Education website had left some 100,000 Social Security numbers belonging to public school teachers, administrators, and other education officials exposed to the internet.
How did this happen? Renaud reports that the website apparently had the private data embedded in the HTML source code of the website, a fairly grievous coding bungle. The newspaper subsequently verified its findings with a cybersecurity professor at the University of Missouri-St. Louis, who called the flub “mind boggling.” The paper then responsibly disclosed the vulnerability to the government, giving officials time to take down the affected pages. Finally, on Thursday, the paper published its findings.
However, instead of thanking Renaud and the newspaper for helping to identify an enormous mistake the government had made, Gov. Parson subsequently announced that he would be pursuing legal action against them. On Thursday, Parson held a press conference in which he claimed that the state website had been “hacked,” and that the perpetrator would be held legally accountable. During his remarks, the governor claimed that this “hacker” had engaged in a “multi-step process” to view and obtain “the records of at least three educators.” He subsequently announced that the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit would be investigating the incident.
“This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires,” Parson later tweeted. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.”
However, it would seem that Parson didn’t count on the reaction of infosec Twitter, which erupted in vitriol not long after his press conference. Droves of computer science experts came out of the woodwork to point out that what the governor is talking about doesn’t sound like hacking at all. It sounds more like the state doesn’t know how to build websites.
“Don’t encode SSNs of people in the HTML of publicly available webpages. And if you do, don’t call the cops if someone notices and (quite responsibly) warns you,” tweeted Matt Blaze, a computer science researcher with Georgetown Law. “Also, don’t tweet stuff that makes you look like an idiot,” he added.
Software engineer and journalist Tony Webster said that the governor is “threatening to prosecute a journalist who 100% did the ethical thing,” while also noting that Renaud had engaged in “the gold standard for reporting security failures.”
“This is utterly ludicrous. Looking at HTML source is not hacking,” tweeted Cato Institute technology fellow Julian Sanchez. “Every Web browser has a ‘view source’ button. And… you’ve ALREADY ‘accessed’ the source code of every Web page you look at. That’s what the server sends to your browser!”
Renowned computer scientist Marcus Hutchins, meanwhile, simply tweeted out the following, in an apparent reference to Parson’s misunderstanding of computers:
Granted, state and local government employees are not usually known for their advanced technological prowess. But, unless there’s a whole lot we’re missing about this episode, Parson seems to have really stepped in it. Even if Parson isn’t super well-versed in computer science, state governments also have IT departments with staff who should be able to explain to the governor how websites work and why a person like Renaud would probably be considered a helpful good samaritan, not a “hacker.”
We reached out to both the Missouri Information Technology Services Division and the Governor’s Office to inquire about the incident and will update this story if they respond.
https://gizmodo.com/missouri-governor-wants-to-prosecute-journalist-for-war-1847866414