Missouri FAIL: Gov. Mike Parson says Viewing Web Source is ‘Hacking’

The Missouri Department of Education website was leaking teachers’ social security numbers. A local journalist, Josh Renaud, spotted the PII flaw and reported it to the department, giving them plenty of time to fix the leak.

But the state governor accused Renaud of hacking. Specifically, Gov. Mike Parson (R) alleges the journalist “accessed source code and then went a step further to convert and decode that data.” Bizarrely, the 66-year-old believes that reading HTML violates the state’s Electronic Crime statutes—specifically section 569.095: Tampering with computer data.

But anyone viewing the source of a public web page obviously has “reasonable grounds to believe that he has such authorization.” In today’s SB Blogwatch, we fact-check sexagenarian politicians.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ST chief engineers ranked.

Parson Knows

What’s the craic? Michael Kan reports—“Missouri Gov. Goes After Reporter Who Found Shockingly Bad Flaw in State Website”:

Collectively roll their eyes
If you find and report a security flaw to a company, you’re normally thanked; sometimes you can even receive a reward. However, the governor of Missouri is taking the opposite approach and threatening to prosecute a journalist.

Teachers’ Social Security numbers … were viewable via the plaintext HTML computer code in … the website for the state’s Department of Elementary and Secondary Education. … Anyone could find the sensitive personal information simply by right-clicking within a browser, and hitting “View Page Source.”

But … Republican Governor Mike Parson described the journalist who uncovered the vulnerability as a hacker, [saying he] had to “convert and decode” the website’s computer code to access the Social Security numbers. However, the governor’s response is causing the IT industry to collectively roll their eyes.

Tell me a story and fill it with analogies, please. A nearly-amused Philip Bump obliges—“The governor accused it of ‘hacking’”:

Hilarity
You are reading these words right now because your computer or phone was sent a number of files telling the device what words to display and how they should be formatted. One of those files included HTML, HyperText Markup Language.

Since your computer was sent this file, you’re free to look at it. If you’re on your desktop or laptop, find the “View source” command. … There’s nothing magical about this.

You are doing the equivalent of looking under the hood of your car. … It’s as though I put a $5 bill on the sidewalk outside my house and then yelled at you for picking it up without permission. It’s also as though I then attacked you for having no authorization to walk on the sidewalk, given that the authority to use a sidewalk is as presumed as [that] to access a public HTML file.

Parson’s rhetoric was over the top to the point of near hilarity.

Use the source, Luke. Jack Suntrup and Kurt Erickson try to remain impartial—“Parson issues legal threat”:

Certainly no malicious intent
Parson said at a news conference that the Cole County prosecutor and the Missouri Highway Patrol would investigate the matter. He said [we] would be held accountable but didn’t mention action against the state officials who maintained a faulty system.

[We] reported the flaw to DESE on Tuesday and waited to publish any report until the information was removed from the state website. [But] the Department of Elementary and Secondary Education released statements … describing a Post-Dispatch journalist as a “hacker.”

Parson said the “individual” … was attempting to “embarrass the state and sell headlines for their news outlet. [He] did not have permission to do what he did. … We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta.”

The newspaper’s attorney, Joseph Martineau, [said] “The reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse. … A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded.”

Good grief. One of many eyerolling commentators is websap:

Most of the general public don't understand
We live in a world where everyone thinks they understand computers … but they don’t. … This is the same reason why I think most of the general public don’t understand how much data social media apps can collect on them.

As is @RachelTobac:

F12
By this definition, my cat walking across my keyboard and sitting on the F12 key is now a serious, punishable cyber crime. [You] shall now hereby be named: Advanced Persistent Pet.

Your toe beans are now under arrest. Any F12 keys you’ve hit while playing with a piece of string can and will be used against you.

Hilarious. And cute. But what of the chilling effects? I_think_u_goofed thinks Gov. Parson goofed:

That Governor is too old
This seems like the worst kind of knee-jerk reaction. … This actively discourages researchers/reporters from reporting vulnerabilities, that left un-checked can cause massive and long lasting impact.

By threatening reporters/researchers … they are actively disregarding the INTENT of the reporter’s actions and looking at the RESULT. Never mind the cost the state would have incurred having to correct the hundreds or possibly thousands of fraudulent tax returns that would have doubtlessly been submitted next year if those SSNs had leaked, not to mention disability, unemployment, financial assistance claims that would be fraudulently submitted by malicious actors.

This [is] “shooting the messenger” by promising to prosecute the reporter who discovered and reported the vulnerability. … It sounds to me like that Governor is too old to understand how these systems work.

Too old? Or just too dumb? Jim Gribble says it’s the latter, with a side-order of Dunning-Kruger:

Thank the reporter
Too dumb to know how dumb he is. I’m a web designer and I look at pages’ source code all the time. I also deal with common security issues. Without even looking at the source code of this website, I can make a pretty informed guess about why the vulnerability happened.

Every teacher in the state should thank the reporter.

Whatever next? Here’s jenningsthecat (no relation):

Good Samaritan
In other news, someone somewhere in Missouri picked up a lost wallet, looked inside for ID so the wallet could be returned, saw a driver’s license and a social security card, and returned the wallet to its rightful owner. The good Samaritan is now being held by police, and faces charges for identity theft.

Meanwhile, as you hoomans say, I’m allears:

Shocking and disgusting. Next thing you know, someone will release the formula for the deadly toxin dihydrogen monoxide.

And Finally:

Hint: It’s not Scotty

[Spoilers for Lower Decks season 2]



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Brittney Butler (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
