
A Missouri newspaper told the state about a website security risk. Now it faces prosecution.

CodenameJK
11 hours ago, leadeater said:

I thought hacking was when you used more than 1 finger to type?

I use 2, guess I'm avoiding Missouri for the time being...

The direction tells you... the direction

-Scott Manley, 2021

 

Software used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


Where is the freedom?

So they did contact and report it and still be put in the wrong?

 

Hopefully the journalist gets protection from this, and doing their JOB about INFORMING the people.

Instead of going after the journalist, they should have focused on the issue which I guess they did not and the people they put at risk.


16 hours ago, leadeater said:

I thought hacking was when you used more than 1 finger to type?

Looks like more than 1 finger to me...

My (incomplete) memory overclocking guide: 

 

Does memory speed impact gaming performance? Click here to find out!

On 1/2/2017 at 9:32 PM, MageTank said:

Sometimes, we all need a little inspiration.

 

 

 


In some states, you have to have a PI license to sort through data that's not yours or that the requestor doesn't own. For example, someone performing IT services to transfer data or clone drives. But they can't go through browser history to assist someone in determining if a spouse cheated; that role belongs to a PI (Private Investigator).

If not already, we're getting to the point where there will be laws regarding who is allowed to disclose cyber security vulnerabilities. I can totally see certification and licensing being a state/national requirement; probably someone with a legal background. Good Samaritan and intentions be damned, right?? No good deed goes unpunished!


17 hours ago, CodenameJK said:

the governor claimed it will cost $50 million to figure out how to stop sending social security numbers

 

that's not a meme that's in the Ars Technica article

that hurts my soul...

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.


18 hours ago, CodenameJK said:

Summary

Missouri Governor Mike Parson threatened to sue the St. Louis Post-Dispatch and prosecute a journalist who discovered a flaw in a state public records database and reported it to the state. The flaw involved the public exposure of 100,000 SSNs of educators that were inadvertently left in the HTML source of the webpage. After giving the state ample time to fix the issue, the paper published a story about the vulnerability. The governor responded in a press statement vowing to prosecute all involved under computer tampering laws.

 

Quotes

Quote from original article from Post-Dispatch

Quote from Ars Technica

My thoughts

Research and testing are the backbone of the cybersecurity field, and these things should always be encouraged through safe harbors and bug bounty programs. Compromised data from a bad actor will always be worse than embarrassment from being called out (no matter how pathetic it is to be sending unnecessary sensitive data "hidden" in HTML source). I think many people here will agree that prosecution is the last thing needed in this case, but this incident is a reminder of how technically-illiterate many of our elected officials can be, and could easily cause a chilling effect in vulnerability reporting, ultimately making everyone less safe.

 

Sources

Original Report from St Louis Post-Dispatch

Governor's Press Conference

 

Further Analysis:

NBC

Ars Technica

NPR

outside the obvious stupidity here, they would need to prove that the paper damaged them in some way. For a news organization publishing a news story, I'd say that's gonna be tough to do. I shudder to think the amount of wasted tax money they will



10 hours ago, TetraSky said:

even a 5 year old could've accessed that data because it was almost in plain sight

I'm against what is happening with Missouri, but to be clear the data was encoded (not encrypted though)...so not exactly as in plain sight as people are saying.  Still not excusable though, and a terrible idea by whoever decided to implement this...but not as bad as having it in plain text.  [Here I'm thinking that they might have just used something like base64]

 

1 hour ago, Jtalk4456 said:

outside the obvious stupidity here, they would need to prove that the paper damaged them in some way. For a news organization publishing a news story, I'd say that's gonna be tough to do. I shudder to think the amount of wasted tax money they will

So here is the stupidity of the US law: as long as there was a hint of breaching the TOS or any safeguard put in place (like encoding), then they could have grounds to pursue criminal charges.  Aaron's Law would actually have prevented this, but from what I know Aaron's Law was introduced and never went anywhere after that.

 

For those who don't know, Aaron Swartz was a computer programmer who had the DA come after him for accessing scholarly journals (that he had the right to access)...but he did so with a script, downloading quickly enough that it started burdening the system...so they concluded he broke the TOS and the DA went and prosecuted him for very similar/the same things that the journalist -might- face if the governor has his way.

 

i.e. If they so choose, they could be prosecuted under the "1986 Computer Fraud and Abuse Act" which really seems to be overly broad and encompassing...pretty much the "we don't like you, and you violated the TOS so we will pursue it as a felony" type of thing.

3735928559 - Beware of the dead beef


4 hours ago, StDragon said:

In some states, you have to have a PI license to sort through data that's not yours or that the requestor doesn't own. For example, someone performing IT services to transfer data or clone drives. But they can't go through browser history to assist someone in determining if a spouse cheated; that role belongs to a PI (Private Investigator).

If not already, we're getting to the point where there will be laws regarding who is allowed to disclose cyber security vulnerabilities. I can totally see certification and licensing being a state/national requirement; probably someone with a legal background. Good Samaritan and intentions be damned, right?? No good deed goes unpunished!

Not a big deal. Disclosures can be performed anonymously. 😅

My eyes see the past…

My camera lens sees the present…


  • 1 month later...

An Update:

Turns out that the FBI and a government spokesperson were prepared to thank said reporter:

https://arstechnica.com/tech-policy/2021/12/missouri-planned-to-thank-security-journalist-before-governor-called-him-a-hacker/

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


7 hours ago, J-from-Nucleon said:

An Update:

Turns out that the FBI and a government spokesperson were prepared to thank said reporter:

https://arstechnica.com/tech-policy/2021/12/missouri-planned-to-thank-security-journalist-before-governor-called-him-a-hacker/

How does this train of thought even work:

 

You: hey FBI, is this malicious?

FBI: "<snip> database was "misconfigured," which "allowed open source tools to be used to query data that should not be public."

You: So hackers stealing our private data that should be private but is public due to a mistake on our end, I see, thanks!

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB


Someone should show to this ahole what a real hacking case looks like by putting his private life on public display..... 😈


48 minutes ago, tikker said:

How does this train of thought even work:

 

You: hey FBI, is this malicious?

FBI: "<snip> database was "misconfigured," which "allowed open source tools to be used to query data that should not be public."

You: So hackers stealing our private data that should be private but is public due to a mistake on our end, I see, thanks!

Well. It’s a crime to access someone’s home without an invitation even if they left the door unlocked or open…

 

…but regarding the topic, this is still bizarre if it’s true that the journalists tried to warn the state about the vulnerability well before publishing the article.

 

 


47 minutes ago, Spindel said:

Well. It’s a crime to access someone’s home without an invitation even if they left the door unlocked or open…

 

…but regarding the topic, this is still bizarre if it’s true that the journalists tried to warn the state about the vulnerability well before publishing the article.

 

 

Wouldn't this be more similar to having your bell open the curtains on the outside and someone pushing that? Ring the bell, curtains open and you take a look at the furniture <-> press ctrl+U and have a look at the webpage's "furniture". Or like sending you a letter with "private" information on the back side of the paper and then getting upset because you looked at the back.



1 hour ago, tikker said:

Wouldn't this be more similar to having your bell open the curtains on the outside and someone pushing that? Ring the bell, curtains open and you take a look at the furniture <-> press ctrl+U and have a look at the webpage's "furniture". Or like sending you a letter with "private" information on the back side of the paper and then getting upset because you looked at the back.

Nope, that would be a bell with a deliberate function. This is more like going up to the door, pressing the door handle, and when you notice the door is unlocked you walk into someone’s house. If you are not invited/expected it is a crime, no matter how ”clumsy” the home owner is for leaving the door unlocked.


9 minutes ago, Spindel said:

Nope, that would be a bell with a deliberate function. This is more like going up to the door, pressing the door handle, and when you notice the door is unlocked you walk into someone’s house. If you are not invited/expected it is a crime, no matter how ”clumsy” the home owner is for leaving the door unlocked.

I'd say this is more akin to someone taking the contents of their front room, placing it in a public park, then getting pissed off when someone sits on their couch.

CPU: Intel i7 3930k w/OC & EK Supremacy EVO Block | Motherboard: Asus P9x79 Pro  | RAM: G.Skill 4x4 1866 CL9 | PSU: Seasonic Platinum 1000w Corsair RM 750w Gold (2021)|

VDU: Panasonic 42" Plasma | GPU: Gigabyte 1080ti Gaming OC & Barrow Block (RIP)...GTX 980ti | Sound: Asus Xonar D2X - Z5500 -FiiO X3K DAP/DAC - ATH-M50S | Case: Phantek Enthoo Primo White |

Storage: Samsung 850 Pro 1TB SSD + WD Blue 1TB SSD | Cooling: XSPC D5 Photon 270 Res & Pump | 2x XSPC AX240 White Rads | NexXxos Monsta 80x240 Rad P/P | NF-A12x25 fans |


This seems like virtually every large-scale data breach.  The CIO of company XYZ probably says "hey, we need to update our POS machines from windows XP to 7 in order to avoid risk of a massive breach.  The CEO/CFO promptly tells them to GFY.  Then the breach happens, and the CIO gets fired for not doing enough.


1 hour ago, Spindel said:

Nope, that would be a bell with a deliberate function. This is more like going up to the door, pressing the door handle, and when you notice the door is unlocked you walk into someone’s house. If you are not invited/expected it is a crime, no matter how ”clumsy” the home owner is for leaving the door unlocked.

A doorbell then, you ring the bell, as an unintended side-effect curtains open and you see their furniture. Nothing illegal about that. I don't think there are any laws against looking at the source code of a web page, so I don't see how you can blame someone for seeing something they weren't supposed to see in that regard.

1 hour ago, SolarNova said:

I'd say this is more akin to someone taking the contents of their front room, placing it in a public park, then getting pissed off when someone sits on their couch.

Better expression of my thoughts 😛

27 minutes ago, IPD said:

This seems like virtually every large-scale data breach.  The CIO of company XYZ probably says "hey, we need to update our POS machines from windows XP to 7 in order to avoid risk of a massive breach.  The CEO/CFO promptly tells them to GFY.  Then the breach happens, and the CIO gets fired for not doing enough.

I feel this is the fate of IT people. If everything's fine with little to do you're redundant and if stuff goes wrong then what were you doing in the first place. Switching systems is a lot of work and expensive though, I'll give them that, but a necessary one.



53 minutes ago, IPD said:

This seems like virtually every large-scale data breach.  The CIO of company XYZ probably says "hey, we need to update our POS machines from windows XP to 7 in order to avoid risk of a massive breach.  The CEO/CFO promptly tells them to GFY.  Then the breach happens, and the CIO gets fired for not doing enough.

A bit off-topic but this is why you should always do these warnings via e-mail... (as a matter of fact this is true for everything that has the potential of you ending up in hot water)


7 hours ago, Spindel said:

Well. It’s a crime to access someone’s home without an invitation even if they left the door unlocked or open…

This metaphor is nowhere near equivalent to what occurred. 

 

On a technical level, this would be like handing you a book with sensitive info in its pages, and expect you to only look at the cover. Inspect Element only opens that book that you already have in your hands, sensitive information and all. 
 

Reason being, when the site is loaded, all of the underlying html also gets loaded into your system’s memory. In this case, sensitive information was also provided in the html, and loaded into RAM. The only thing Inspect Element does is look at what already resides on your own system. It’s entirely kosher to look at the information already in your possession. 


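Two technical points in the thread above deserve a concrete demonstration: the earlier observation that the data was probably only encoded (something like base64), not encrypted, and the point just made that everything in the HTML a server sends is already sitting on the reader's machine before Inspect Element is ever opened. The following is an added example written for this page; it is not code from the thread, from the Post-Dispatch, or from the Missouri DESE site, and nothing in it describes how that site was actually built. It renders a hypothetical teacher record two ways, a leaky template that tucks the whole record into a base64 data attribute and a data-minimised one that only emits displayed fields, and then runs a pre-publication check, findExposedSsns(), over the rendered HTML to flag SSN-shaped values in plain text and inside base64 tokens. The field names, the sample record and the SSN (987-65-4321, from the range the SSA reserves for advertising) are all constructed for the example.

```javascript
// Added example for this thread, not code from the Post-Dispatch story or the DESE site.
// Shows (1) base64 is encoding, not encryption, and (2) whatever the server puts in
// the HTML is in the client's hands. Field names and the sample record are hypothetical.

const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;
// Runs of base64 alphabet long enough to hold an 11-character SSN
// (11 bytes encode to 16 base64 characters), with optional padding.
const B64_RE = /[A-Za-z0-9+/]{16,}={0,2}/g;

// Scan rendered HTML for SSN-shaped values, both in plain text and inside
// base64 tokens. Returns a list of findings; an empty list means nothing matched.
function findExposedSsns(html) {
  const findings = [];
  for (const m of html.matchAll(SSN_RE)) {
    findings.push({ kind: 'plain', value: m[0], offset: m.index });
  }
  for (const m of html.matchAll(B64_RE)) {
    // Buffer ignores characters that are not valid base64 instead of throwing,
    // so a token that merely looks like base64 decodes to bytes that will not
    // match SSN_RE and produces no finding.
    const decoded = Buffer.from(m[0], 'base64').toString('utf8');
    for (const s of decoded.matchAll(SSN_RE)) {
      findings.push({ kind: 'base64', value: s[0], offset: m.index, token: m[0] });
    }
  }
  return findings;
}

// Minimal HTML escaping for the values the templates display.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Leaky pattern: serialise the whole record into a data attribute "for later"
// and rely on base64 to hide it. Every field in the record reaches the browser.
function renderLeaky(record) {
  const blob = Buffer.from(JSON.stringify(record), 'utf8').toString('base64');
  return `<tr class="teacher" data-record="${blob}">` +
    `<td>${escapeHtml(record.name)}</td><td>${escapeHtml(record.certificate)}</td></tr>`;
}

// Data-minimised version: only the fields the page displays are sent.
// The SSN stays on the server because it never enters the template.
function renderMinimal(record) {
  return `<tr class="teacher">` +
    `<td>${escapeHtml(record.name)}</td><td>${escapeHtml(record.certificate)}</td></tr>`;
}

// Constructed sample record (hypothetical field names, advertising-range SSN).
const SAMPLE_RECORD = {
  name: 'Jane Doe',
  certificate: 'MO-1234567',
  ssn: '987-65-4321',
};

// Usage: the leaky template produces one base64 finding, the minimal one none.
console.log('leaky   :', findExposedSsns(renderLeaky(SAMPLE_RECORD)));
console.log('minimal :', findExposedSsns(renderMinimal(SAMPLE_RECORD)));
```

The check is deliberately run over the rendered output rather than the template, because that output is the exact byte string a browser receives; a finding there is, by construction, already visible to anyone who presses Ctrl+U. The real fix is the renderMinimal() shape: data that should not be public never reaches the template, so there is nothing to "hide" with encoding in the first place.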

A book with your credit cards and personal info in a hotel, and from every customer? Just don't lose it now.

aaand... it's gone.


On 10/15/2021 at 11:06 AM, Arika S said:

Post image

please don't give google more reasons to remove inspect element.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


On 10/15/2021 at 1:56 AM, pythonmegapixel said:

So let me get this straight...

 

Government agency somehow accidentally manages to leak confidential information into a publicly accessible web page.

Newspaper privately reports this to government agency.

Government agency doesn't fix it.

Newspaper publicly reports the vulnerability (as is very common practice when it remains unfixed months after private disclosure)

Government agency takes newspaper to court for accessing the confidential information which they literally put onto a publicly accessible web page.

 

What a stupid world we live in.

Sucks to be smart seeing how dumb some people are 😮


  • 4 weeks later...
On 12/5/2021 at 9:16 AM, Spindel said:

Well. It’s a crime to access someone’s home without an invitation even if they left the door unlocked or open…

"If somebody picks your lock on your house — for whatever reason, it's not a good lock, it's a cheap lock or whatever problem you might have — they do not have the right to go into your house and take anything that belongs to you," Parson said in a statement.

A commenter on the Post-Dispatch story offers a more apt analogy:

A better analogy would be you're walking in the street past a neighbor's house and notice their front door wide open with no one around. You can see a purse and car keys near the door. You phone that neighbor, and tell them their door is open and their purse and keys are easily visible from the street. Would Parson consider this breaking and entering?



14 hours ago, Jtalk4456 said:

"If somebody picks your lock on your house — for whatever reason, it's not a good lock, it's a cheap lock or whatever problem you might have — they do not have the right to go into your house and take anything that belongs to you," Parson said in a statement.

A commenter on the Post-Dispatch story offers a more apt analogy:

A better analogy would be you're walking in the street past a neighbor's house and notice their front door wide open with no one around. You can see a purse and car keys near the door. You phone that neighbor, and tell them their door is open and their purse and keys are easily visible from the street. Would Parson consider this breaking and entering?

A similar description:

Gov. Parson places a stack of papers in front of you.

You flip to page 2.

"Uhhh, did you mean to include XXXXX info?"

Parson:  YOU WEREN'T SUPPOSED TO SEE PAGE 2!!!!!  LAWSUIT TIME!

