Mike Parson, Governor of Missouri, does not understand how websites work. He held a press conference earlier this week in St. Louis to once more reiterate his desire to prosecute a St. Louis Post-Dispatch journalist for looking at the source code of a state-run website.
In October 2021 reporter Josh Renaud reported that the Department of Elementary and Secondary Education website source code had exposed the social security numbers of over 100,000 school teachers, administrators, and counselors. He published the story only after he’d reported the problem to the state and the vulnerability had been resolved.
Parson and the DESE were apparently not grateful for the alert and immediately accused Renaud of “hacking” the DESE website. Missouri Education Commissioner Margie Vandeven sent a letter to educators saying “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”
According to records obtained by the St. Louis Post-Dispatch, the FBI told the state the website had been “misconfigured” and that Renaud’s actions were “not an actual network intrusion”.
The source code was not encrypted. A website’s source code is typically available to anyone using a web browser. While scraping it requires some technical knowledge, just looking at it is as simple as opening the “Developer Tools” option available in nearly every web browser, including Chrome, Safari, Firefox, and Edge. If you want, you can go look at The Verge’s source code right now. By the logic of Parson and the DESE anyone who uses the Developer Tools on a website they don’t own is a hacker.
In fact…gimme a second….boom, I just hacked Facebook.
While a gross misunderstanding of how websites work by both a state agency and the governor of said state might be funny, Governor Parson’s behavior since the paper first published its story is anything but. According to public records obtained by the St. Louis Post-Dispatch Vandeven had initially planned to thank the paper for finding the vulnerability. Her tone only became accusatory after meeting with the governor’s office.
The Missouri State Highway Patrol, whose superintendent is appointed by the governor, initiated a probe into the newspaper’s story. They turned the case over to Cole County Prosecuting Attorney Locke Thompson on Monday, December 27. Governor Parson then held a press conference on Wednesday, December 29, where he cited a state statute related to computer tampering and repeatedly suggested Thompson should use it to prosecute Renaud and the paper.
In the press conference, he compared Renaud’s actions to a person using a lock pick to enter a person’s home without permission. Which is in no way an appropriate analogy. Websites are public-facing. They’re akin to public buildings, not homes. A more apt analogy would be if a person is in a state-owned building and walks by a locked room, and sees someone posted a bunch of sensitive information in the window for anyone to see, regardless of whether or not they have keys.
Personally, I would want someone to knock on the door and point out the problem without fear of prosecution by an embarrassed man with no grasp of how websites work.
Credit: Source link