Missouri Governor Doesn’t Understand Responsible Disclosure

The Missouri governor wants to prosecute the reporter who discovered a security vulnerability on a state website and then reported it to the state.

The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.

[…]

According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages.

The state removed the search tool after being notified of the issue by the Post-Dispatch. It was unclear how long the Social Security numbers had been vulnerable.

[…]

Chris Vickery, a California-based data security expert, told The Independent that it appears the department of education was “publishing data that it shouldn’t have been publishing.

“That’s not a crime for the journalists discovering it,” he said. “Putting Social Security numbers within HTML, even if it’s ‘non-display rendering’ HTML, is a stupid thing for the Missouri website to do and is a type of boneheaded mistake that has been around since day one of the Internet. No exploit, hacking or vulnerability is involved here.”

In explaining how he hopes the reporter and news organization will be prosecuted, [Gov.] Parson pointed to a state statute defining the crime of tampering with computer data. Vickery said that statute wouldn’t work in this instance because of a recent decision by the U.S. Supreme Court in the case of Van Buren v. United States.
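Vickery's point above, that the SSNs sat inside HTML the browser never displays, is something a site owner can test for before a page goes live. The scanner below is an added example, not code from the post or from the Missouri site: it parses an application's HTML output and flags SSN-shaped values wherever they appear, with the non-rendered locations (comments, hidden inputs, data attributes, script blocks) reported separately from visible text. The sample page is constructed.

```python
# Added example (not from the post or the Missouri site): a response-scanning
# check run over HTML a web app emits, flagging SSN-shaped values that reach
# the browser without being displayed, as well as any in visible text.
import re
from html.parser import HTMLParser

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class SsnLeakScanner(HTMLParser):
    """Collects (location, value) pairs for SSN-shaped strings in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value and SSN_RE.search(value):
                hidden = tag == "input" and ("type", "hidden") in attrs
                loc = "hidden-input" if hidden else f"attr:{name}"
                self.findings += [(loc, m) for m in SSN_RE.findall(value)]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_comment(self, data):
        self.findings += [("comment", m) for m in SSN_RE.findall(data)]

    def handle_data(self, data):
        loc = "script" if self._in_script else "text"
        self.findings += [(loc, m) for m in SSN_RE.findall(data)]


def scan_html(html: str):
    """Return every SSN-shaped value in the page with where it was found."""
    p = SsnLeakScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a credential lookup result that renders only the name
# but carries the SSN in four places the browser never displays.
SAMPLE = """<html><body>
<!-- record id 42, ssn 123-45-6789 -->
<div class="teacher" data-ssn="987-65-4321">Jane Doe, certified</div>
<input type="hidden" name="ssn" value="111-22-3333">
<script>var rec = {"ssn": "555-66-7777"};</script>
</body></html>"""

if __name__ == "__main__":
    for loc, val in scan_html(SAMPLE):
        print(f"{loc}: {val}")
```

A page that renders no SSN but still fails this check is exactly the case described above; wiring the scan into a staging test of every search result page catches it before the public does.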

One hopes that someone will calm the governor down.

Brian Krebs has more.

EDITED TO ADD (11/12): The governor doubled down a few days later.

Posted on October 18, 2021 at 6:20 AM • 30 Comments

Comments

Winter October 18, 2021 7:24 AM

A US State governor (R) who does not understand internet security? Is that a question?

I thought the original incident had already shown beyond any doubt that they do not understand even the basics of internet security in the governor’s office.

Winter October 18, 2021 7:46 AM

In addition to not understanding internet security, Mike Parson also does not (want to) understand public health and infectious diseases. There seems to be a general trend of not understanding severe risks in government and attacking messengers.

ht ps://en.wikipedia.org/wiki/Mike_Parson#COVID-19_pandemic
ht tps://www.wsws.org/en/articles/2021/06/28/misso-j28.html

john October 18, 2021 8:01 AM

Hmmm….

“We are here from the government and we are here to help.”

Sad joke. Another ‘Horn Blower’ without a clue.

Does ‘computer’ security even exist?

John

sanlewis October 18, 2021 9:43 AM

… the governor is a politician and thus a dope by definition; however, politicians play politics and he is primarily doing that here.

State politics demands he deflect blame for his administration’s screwup.

The teachers’ unions are not happy about the breach of teachers’ personal data — and those unions are a very powerful political force.

Governor needed a scapegoat fast — those evil newspaper reporter-Hackers conveniently fit that immediate political purpose.

The headlines will quickly fade and there will be no legal prosecutions of anybody.

Clive Robinson October 18, 2021 10:10 AM

Well the Governor Mike Parson said,

“We will not let this crime against Missouri teachers go unpunished, and refuse to let them be a pawn in the news outlet’s political vendetta,”

I was agreeing with him until “news”.

I think those responsible for the system should be sanctioned for failing both “a public duty” and “a private duty”.

As for costing $50million…

Only if Gov Mike Parson can push it that high to benefit him directly or indirectly (he is that type after all).

As for “embarrassing the state” correct me if I am wrong but Missouri was not a “banana republic” last time I looked. Nor was it supposed to be run by an individual with less mental acuity than those munching peanuts in the gallery.

To be honest I feel sorry for the teachers etc, not only have they been betrayed by the State, they now have the embarrassment of explaining why such an obviously ill educated and thuggish person as Mike Parson has been allowed to get where he has…

Impossibly Stupid October 18, 2021 10:15 AM

One hopes that someone will calm the governor down.

You’re being far too optimistic, Bruce. If there were any “someone” who could do that, they would have stopped Mike Parson before he made a fool out of himself. Either he’s being sabotaged, or it points to greater corruption (e.g., incompetent IT staffing as a result of political favors). We’ll know when heads roll (or don’t).

I don’t expect a state governor to necessarily be a computer expert. I do expect his Office of Administration Information Technology Services Division not to misinform him regarding the facts of the matter. If Parson doesn’t clean house as a result of this incident, then every competent IT professional needs to flee Missouri. If they haven’t already, of course.

Vesselin Bontchev October 18, 2021 10:39 AM

Does anyone have the journalist’s story on this? So far I’ve seen only the governor’s and third-party’s hot takes.

NombreNoImportane' October 18, 2021 12:17 PM

Seems pretty obvious that the Gov in this case is a full blown Authoritarian. And is getting bent out of shape on this because he sees this as a political attack on Trust, instead of what it really is, as the Krebs article lays out.

SpaceLifeForm October 18, 2021 3:51 PM

Who knew one can decode the HTML source code?

I am curious as to why this Missouri website actually exists. I did not know it existed and have never visited it.

Apparently, it was or is searchable via multiple formbox methods.

One of those was or is via School District.

And, via that query, all of the results would be there, in the HTML. At once, all of the employees of that District.

So, the entire site was easily scrapeable.

Why? Because the list of Missouri School Districts is readily available.

Where would one find that list, one may wonder.

The list is printed on the Missouri State Tax form instructions. Available online.

SpaceLifeForm October 18, 2021 4:29 PM

Who knew one can decode the HTML source code?

So, any employee of any K-12 School District in Missouri should assume that their SSN has been exposed.

I believe most readers here understand that just the combination of Name and SSN is potentially problematic.

A bit more effort, and Address found.

And, bang! Credit Fraud.

So, who jumps first?

Is the State of Missouri going to wake up?

Or, will there be a lawsuit?

I bet on the latter.

Clive Robinson October 18, 2021 4:36 PM

@ SpaceLifeForm,

The list is printed on the Missouri State Tax form instructions. Available online.

I wonder what else is online in Missouri…

One thing I’m sure is not, is the “OFF Switch” for the orifice “Below the Parson’s Nose”…

John October 18, 2021 8:06 PM

I don’t understand drinking to excess 5 nights a week, political “parties” or paying for hookers (not that there’s anything wrong with any of those things). I don’t judge.

Guess we are even … well … perhaps not.

SpaceLifeForm October 18, 2021 11:21 PM

hxtps://www.kmov.com/news/missouri-governor-urged-to-appoint-cybersecurity-panel/article_0a176a1d-8ff1-5190-a5ea-2d37def8b412.html?block_id=1057681

Three months after creation of a commission to identify cybersecurity risks in state government, Missouri Gov. Mike Parson has yet to appoint any members. A state lawmaker said Friday that vulnerabilities exposed on a state website prove the need for just such a panel of experts.

[The State of Missouri was warned about this and 32 other problems, two years ago, and yet did nothing]

[They will be soon. Thanks Guv for getting Anonymous on the problem!]

[Found via hxtps://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-governor-threatens-to-prosecute-local-journalist-for-finding-exposed-state-data/ ]

hxtps://pastebin.com/s3sFrcwa

Basic Info

CMS: Drupal
Caching: Varnish
Programming L: PHP
Database: Percona
Security: Imperva
Widgets: Twitter
JavaScript library: jQuery
PaaS: Amazon Web Services
UI framework: Bootstrap
Webservers: Apache,Nginx,Amazon EC2

[snip more details about vulns. Expect issues soon]

echo October 19, 2021 6:41 AM

Following the link through and skimming the article… It’s interesting how the publicity photo is composed. Different spaces photograph in different ways and you have to use tricks to create an impression of space and symmetry. This fails as the photograph is taken close in and off centre. Then there is colour. It’s a very brown scene and the governor has a yellow tie making the whole scene look like an ashtray or seedy bar.

The governor also has a severe case of bad tailoring as shown by his “collar gap”. I partially watched a video last week and the FBI agent giving his position on one topic had the same problem.

Me October 19, 2021 8:56 AM

“In explaining how he hopes the reporter and news organization will be prosecuted, [Gov.] Parson pointed to a state statute defining the crime of…” embarrassing the governor.

Kent October 19, 2021 11:45 AM

Funny that the State of Missouri CISO position shows as “Vacant” on the state web page.

I’ll bet no one is lining up for that crap show.

Rufus October 19, 2021 12:19 PM

@Clive Robinson

“I wonder what else is online in Missouri…

One thing I’m sure is not, is the “OFF Switch” for the orifice “Below the Parson’s Nose”…”

As a former Missouri resident, the great state of Missouri used to use SSNs as driver license numbers. Now that is some mind blowing stuff.

SpaceLifeForm October 19, 2021 4:05 PM

Exactly the same, but different

hxtps://www.stltoday.com/news/local/govt-and-politics/missouri-teacher-pension-system-probing-possible-cyber-attack/article_49c5817e-ac8d-5c88-a581-dc5b5c34d8f0.html

It is unclear whether DESE has made credit monitoring available to the more than 100,000 teachers affected by the security flaw.

Clive Robinson October 19, 2021 5:21 PM

@ SpaceLifeForm, ALL,

With regards,

“It is unclear whether DESE has made credit monitoring available…”

Does it really matter if they did or did not?

Let me put it another way “what do you get for your money?” with credit monitoring…

Obviously due to numbers if it was going to be given, most likely it would be to “the lowest bidder”. Who would be not bidding on a schedule of service issued by the state, but a service the bidder would supply and call “credit monitoring” or some such. So basically those affected would get nothing of any real use anyway, and most likely have to pay through the nose for “extras”. Where extras might well include “notification”.

Oh and the chances are the “credit monitoring” service provider will have some clauses saying they can not be sued if they release people’s details and in fact will probably “sell the details on” as we used to see with “Health Care Plans”.

echo October 20, 2021 7:56 PM

@Clive

Oh and the chances are the “credit monitoring” service provider will have some clauses saying they can not be sued if they release people’s details and in fact will probably “sell the details on” as we used to see with “Health Care Plans”.

It’s not just what you say but how you say it (and sometimes who is saying it) which matters. The problem here is focus. Do you want to promote better standards or manufacture learned helplessness? This is all wound up in power and control of the narrative.

A simple legal change in the US that you are not able to sign away your rights in law would head off a lot of problems. It is kind of odd that contract law currently supersedes law in this respect.

Expertise is not the ability to turn a nut but knowing which nut to turn, as you know.

Clive Robinson October 21, 2021 8:17 AM

@ echo,

A simple legal change in the US that you are not able to sign away your rights in law would head off a lot of problems. It is kind of odd that contract law currently supersedes law in this respect.

Well there are two reasons for not changing the law in the US,

1, Everything has to be for sale.
2, That includes the legislators.

Which means the people who believe in the first reason and promote it have the finance to ensure that legislation does not get in the way.

If you read some of the employment legislation the think tanks paid for by one of the three “GOP Families” wanted, you would realise that it’s way way way beyond “the life of the first born” stuff…

That nonsense with new “Company Towns” where the company sets the legislation and appoints the judiciary, is a societal disaster waiting to happen.

Winter October 21, 2021 8:41 AM

@Clive, echo
“That nonsense with new “Company Towns” where the company sets the legislation and appoints the judiciary, is a societal disaster waiting to happen.”

It is quite an old tradition, it is called “Feudalism”. But this is the consequence of Libertarianism as it pervades the US [1].

I have been in discussion with Libertarians who answered similar questions in the same way in the case where a community uses state powers to run a Vital service, vital as in “not drowning”. The Libertarian position was that it should not be the State who keep the land habitable, but Companies. That solution would make all inhabitants serfs of the Company, which was not a problem for them, it seems.

Anyhow, I do not take seriously Libertarians anyway as they advocate a society where people could “sell” themselves into serfdom and slavery. Because that is just another way to describe debt slavery.

[1] Want to see how a True Libertarian USA would look like, search for: “A Libertarian Walks Into a Bear”.

echo October 21, 2021 1:15 PM

@Clive, @Winter

The everything and legislators for sale, and feudalism/libertarianism do naturally follow…

Two data points came on my radar this week, or three if you count yet another in the open scandal. The first is the Taxpayers Alliance (aka dark money funded Tufton Street operation) and the other two involve establishment and right wing billionaire owned media propping up a useful idiot nurtured by the far right. Perhaps it’s the times we live in but they used to at least pretend to be rational and sane. Now they are tipping into such extreme frothing they look unhinged.

Then there is the issue of toxic media and politicians taking advantage of a significant security incident this week trying to turn events into an opportunity to blame the other side and play the innocent victim. This kind of reckless, irrational, and nasty behaviour has been noticed by the EU judging by public statements and published documentation.

No surprise the wingnuts hate the European Convention on Human Rights, and UN human rights obligations are not similarly written into US law because of bent politicians/judges/lawyers/scholars.

I note after commenting on the Russian constitution and pointing out the law the office of the President of the US had a go at Putin on this point a couple of weeks later. Coincidence, I’m sure…

TJ Williams October 22, 2021 12:09 AM

Missouri way of doing business and mindset is best described in the Netflix Ozark series, or not…

SpaceLifeForm October 22, 2021 3:46 PM

@ TJ Williams

Fairly accurate. 99% of the sharp tech folk live and work in the KC and STL areas. Anyone that ever did IT work in Jefferson City planned their escape ASAP.

echo October 23, 2021 3:25 PM

I am cursed by synchronicity. Watching the video in the Techdirt article I couldn’t help noticing the governor has an appalling collar gap. Starting at 5:46 there is a discussion in this Sartorial Talks video which popped up a few days ago while the topic was bugging me after seeing a video of an FBI agent with the same problem.

https://www.youtube.com/watch?v=WYnCnGNaG-U

I won’t go on about the American “sack suit” but by the gods they offend my eyes.
