Missouri and the worst response to a bug disclosure we’ve ever seen
Governor Mike Parsons is the 57th Governor of the State of Missouri, and he knows very little about the fundamentals of how the Internet works or basic cybersecurity principles.
That’s okay, of course. We all have our strengths and weaknesses, and if you’re presiding over an entire state, we imagine you’ve got your hands full with plenty of other different and important matters. You probably don’t have that much time to take any Internet 101 evening classes.
But before you undertake a press conference and post a series of tweets, both vowing to catch and prosecute a “hacker” who managed to “decode HTML” of the Missouri Department of Elementary and Secondary Education’s website to extract the social security numbers of several educators, we think that perhaps – perhaps – it would be prudent to speak to at least one cybersecurity expert.
Just to make sure you have all your ducks in order first.
And we can only assume that Governor Mike Parsons did not do that.
But let’s start at the beginning.
At some point in the not-so-distant past, a reporter for the St. Louis Dispatch found a pretty glaring privacy vulnerability on the website of the Missouri Department of Elementary and Secondary Education (DESE).
And as far as vulnerabilities go, this was a whopper. It turned out that the DESE website had been storing sensitive information (social security numbers) of 100,000 educators within the HTML source code of the DESE website. That’s bad.
It’s bad because the HTML of a webpage is publicly visible to anyone who visits the website. Yes, really. You can see the HTML source code for this webpage – if you’re using Google Chrome, just right click on the page and select View page source. Easier still, you could just press F12 on your keyboard to bring up the browser’s developer tools.
Don’t fret. You’re not “hacking us” by doing that.
The HTML code is simply the code given to your browser by the website server, so your browser knows how to display the website’s pages correctly. As such, the HTML code has to be public. Otherwise how would your browser know how to display the page?
From the St. Louis Dispatch –
…the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.
Not everything in the HTML code will display on an actual webpage, but the HTML code can still be seen by anyone capable of pressing F12. It’s the public offering given by a website. Consequently, it’s a terrible, terrible place to store sensitive information. And yet that is what the DESE website was doing.
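The point above – that everything the server sends reaches every visitor, whether or not the browser draws it – is easy to check against your own site. The scanner below is an added example (not code from the article, and not anything DESE ran); it parses served HTML with Python’s standard-library parser and flags SSN-shaped values in the places a page typically ships data without displaying it: HTML comments, hidden form fields, data-* attributes and inline scripts. The sample pages and the SSN pattern are constructed for illustration; `mask_ssn` shows the shape of what a page should send if it must show anything at all.

```python
"""
Flag sensitive-looking values that reach the browser without being rendered.
Added example with constructed input; not the article's or DESE's own code.
"""
import re
from html.parser import HTMLParser

# Assumed pattern: a US SSN written as 3-2-4 digits with dashes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class HiddenDataScanner(HTMLParser):
    """Record where an SSN-shaped string appears in the served HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (location, matched value)
        self._in_script = False

    def _check(self, location, text):
        for m in SSN_RE.finditer(text or ""):
            self.findings.append((location, m.group(0)))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        # Hidden inputs are never drawn, but their value is in the source.
        if tag == "input" and (attrs.get("type") or "").lower() == "hidden":
            self._check(f"hidden input '{attrs.get('name')}'", attrs.get("value"))
        # data-* attributes are likewise invisible but fully readable.
        for name, value in attrs.items():
            if name.startswith("data-"):
                self._check(f"attribute {name} on <{tag}>", value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_comment(self, data):
        # Comments are stripped from the rendered page, not from the download.
        self._check("HTML comment", data)

    def handle_data(self, data):
        where = "inline script" if self._in_script else "rendered text"
        self._check(where, data)


def scan_html(html):
    """Return every (location, value) pair found in one served page."""
    p = HiddenDataScanner()
    p.feed(html)
    p.close()
    return p.findings


def mask_ssn(ssn):
    """Display form that keeps the full number off the wire: last four only."""
    return "***-**-" + ssn[-4:]


# Constructed page that leaks the same value in four non-rendered places.
LEAKY_PAGE = """<html><body>
<!-- TODO remove debug: record 1001 ssn 123-45-6789 -->
<form method="post">
  <input type="hidden" name="educator_ssn" value="987-65-4321">
  <span data-ssn="555-12-3456">Jane Doe</span>
  <input type="submit" value="Verify">
</form>
<script>var rec = {"id": 1001, "ssn": "111-22-3333"};</script>
</body></html>"""

# Constructed page that sends only an opaque record id and a masked display value.
SAFE_PAGE = """<html><body>
<form method="post">
  <input type="hidden" name="record_id" value="1001">
  <span>Jane Doe (SSN ending ***-**-3456)</span>
</form>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("safe", SAFE_PAGE)):
        findings = scan_html(page)
        print(f"{label}: {len(findings)} finding(s)")
        for location, value in findings:
            print(f"  {location}: {mask_ssn(value)}")
```

Run it over the HTML your own server actually returns (saved with curl or “View page source”), not over the template files: the leak is in what is delivered, and the scanner reports which non-rendered location carried it so the fix can be made at the source.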
The St. Louis Dispatch reporter – presumably with some knowledge of responsible disclosure of such vulnerabilities – disclosed the vulnerability to the DESE, and delayed publishing an article on the discovery until the department removed the vulnerability and worked to find if any other related sites and applications contained similar vulnerabilities.
A DESE spokesperson later confirmed that the vulnerabilities were removed.
And that’s really where the story should have ended. A comparative non-story about privacy vulnerabilities; discovered and duly fixed.
But this is where things get a little… weird.
Usually, when you responsibly disclose a vulnerability of this magnitude, you can expect a big “thank you”. In fact, many companies and organisations will pay you the “big bucks” and actually operate paid bounty programs for just this sort of thing. After all, it’s best to have the “good guys” discover a problem and tell you, rather than have the bad guys discover it and profit from it.
The DESE went along another route, instead accusing the St. Louis Dispatch journalist of being a “hacker”. This was quickly followed by the Missouri Office of Administration Information Technology Services Division releasing a statement saying a “hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators”.
And after that, Governor Parsons himself took to the stage in a press conference (and series of tweets) saying [of the journalist] –
We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.
And
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators. We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.
And
This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires.
…
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.
And
[the reporter is] attempting to embarrass the state and sell headlines for their news outlet.
Let’s be clear – that’s nonsense.
A hacker is someone who gains unauthorised access to a computer system or network. That is not what the journalist did. If the DESE website was indeed storing sensitive information amid the HTML code of its webpage, then technically the DESE website was actually sending that information to the journalist as well as anyone else who loaded up the relevant part of the vulnerable website/application.
No “decoding” necessary.
No hacking necessary.
No intrusion required.
And it’s not illegal to “decode” HTML – whatever that means – and if it was, both Google Chrome and Microsoft Edge would be going to prison for a very long time.
To put this in perspective, if you right clicked on this webpage – assuming you’re using Google Chrome – and selected View page source, that doesn’t mean you’re attempting to hack our website, nor does it give us good reason to accuse you of such. Even if you did spend some time rummaging through all the HTML code.
If you did do that, and we inexplicably had put sensitive information within that HTML source code, well… that’s on us. Not you.
Governor Parsons – after being universally schooled on cyber basics by Twitter’s cybersecurity alumni – subsequently opted to double down on Twitter by claiming the information taken was “not freely available” and that the journalist needed to complete 8 steps to take it.
And while we’re not sure what constitutes a “step”, if the information was embedded in the HTML code, it indeed was freely available. That is, after all, the point of HTML code for public-facing websites and apps.
If Governor Parsons wants to be angry at anyone, he should direct it instead at the web administrators putting the social security numbers of educators at risk for an indefinite amount of time – not at the person who disclosed the problem.
The kerfuffle has demonstrated that the Missouri Governor’s office has no working knowledge of –
– Cybersecurity
– Online privacy
– Software vulnerability disclosure
– The law in the context of hacking
And the longer they put on this misguided and inexplicable façade of claiming this was all the work of an unscrupulous hacker, well…
The journalist did the DESE and the state of Missouri a big favor by responsibly disclosing a glaring software vulnerability, and the governor chose to baselessly accuse him of being a hacker operating outside the law. The governor should apologize immediately and work to ensure that the state’s computer systems are better secured.
And finally, some of the reaction from the cyber community on Twitter.
Sorry, Mike Parsons, HTML that is hosted on a publicly accessible domain is, as you might guess, a public document.
It's like me painting my social security number on my driveway and someone taking an aerial photo of it claiming it was unauthorized.
No expectation of privacy. https://t.co/3VozLzTtEx
— Cher Scarlett (@cherthedev) October 14, 2021
The tech community is exploding over this. It demonstrates how those ignorant of technology suspect techies of witchcraft. The governor is using violence, the vast power of the state, to crack down on somebody who committed no crime. https://t.co/rXZkdoGASO
— Robᵉʳᵗ Graham (@ErrataRob) October 14, 2021
Looking at source code isn't hacking, and it's easily doable by anyone with access to a web browser.
— Adrienne P🎃rter Felt (@__apf__) October 14, 2021
Good news: Government officials finally interested in the concept of unauthorized access in computer crime laws.
Bad news: It's of the "I didn't know you could do this, so it must be hacking" type. https://t.co/QsLHu3CgZX
— Orin Kerr (@OrinKerr) October 14, 2021
This was hacking like helping your neighbor put out a house fire is arson.
— Jeffrey Vagle (@jvagle) October 14, 2021
By this definition, my cat walking across my keyboard and sitting on the F12 key is now a serious, punishable cyber crime. https://t.co/Ivo4zRGbGE
— Rachel Tobac (@RachelTobac) October 14, 2021