Press F(12) to pay respects - Missouri governor rebuffed: Journalist won’t be prosecuted for viewing HTML

[Lightwreather]

Summary

A Cole County prosecutor has rebuffed Missouri Gov. Mike Parson's request to file criminal charges against a St. Louis Post-Dispatch reporter who identified a major security flaw in a government website by viewing publicly available HTML code.

 

Quotes

Quote

On Friday, Cole County Prosecutor Locke Thompson issued a statement saying he has closed the investigation without charges:

Quote

There is an argument to be made that there was a violation of law. However, upon a review of the case file, the issues at the heart of the investigation have been resolved through non-legal means. As such, it is not in the best interest of Cole County citizens to utilize the significant resources and taxpayer dollars that would be necessary to pursue misdemeanor criminal charges in this case. The investigation is now closed, and the Cole County Prosecutor's Office will have no further comment on the matter.

As the county's prosecuting attorney, Thompson is an elected official. Thompson and Parson are both Republicans.

Gov. Parson's office continues to insist that the journalist committed a crime. "The hacking of Missouri teachers' personally identifiable information is a clear violation of Section 569.095, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative," the governor's office said in a statement to Missourinet.

Renaud published a statement on his personal website after the prosecutor's new announcement, saying that the case being closed "is a relief" but "does not repair the harm done to me and my family." Renaud continued:   

Quote

 

My actions were entirely legal and consistent with established journalistic principles. Yet Gov. Mike Parson falsely accused me of being a "hacker" in a televised press conference, in press releases sent to every teacher across the state, and in attack ads aired by his political action committee. He ordered the Highway Patrol to begin a criminal investigation, forcing me to keep silent for four anxious months.

    This was a political persecution of a journalist, plain and simple. Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers' private data.

    At the same time, I am concerned that the governor's actions have left the state more vulnerable to future bad actors. His high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri and decreasing the chance those flaws get fixed.

 

Post-Dispatch Publisher Ian Caso said, "We are pleased the prosecutor recognized there was no legitimate basis for any charges against the St. Louis Post-Dispatch or our reporter. While an investigation of how the state allowed this information to be accessible was appropriate, the accusations against our reporter were unfounded and made to deflect embarrassment for the state's failures and for political purposes."

 

 

My thoughts

So, the reporter and many other people have been vidicated of a possible heinous crime. I am trying to spin that as a joke. Well, anyway, this is still good news and I hope people at least try and learn about something before going all ham on something. Like please, do some research, thank you.

I'm not sure how to end this, so uhh, The End? (hopefully).

Note to mods: I'm not very sure if this is deserving of it's own thread as it is an update to a previously posted story, yet it has been quite some time since there has been activity in that thread. SO uhh, do with this post as you see fit

 

Sources

ArsTechnica

Cole county statement

Missouri Govenor Statement - Missourinet

Josh Renaud Statement

St. Louis post-dispatch

[GhostRoadieBL]

I can't imagine how the expert testamony would go in a case like that

"how would one go about hacking said website?"

'well they hit f12 on their keyboard'

"no, I'm asking how they hacked it"

'yep, that's all it took'

"get the next expert, there must be more to it"

 

[Paul Thexton]

Quote

There is an argument to be made that there was a violation of law

If what any ethical hacker does in finding and disclosing vulnerabilities for the betterment of everyone (rather than for personal gain in selling or taking advantage of secrets found etc), then the law is not fit for purpose and should be reworded. IMO.

[Master Disaster]

1 hour ago, J-from-Nucleon said:

There is an argument to be made that there was a violation of law.

Really fucking big

 

CITATION NEEDED!!!

 

on this one. Here's an idea Mr Judge, try outlawing element inspectors and see how far you get. The web literally works because html is readable by the end user, you obfuscate the HTML and the web dies. The thing he did is, quite literally, the exact thing every web browser does when opening any and all web pages, by McJudgersons wacky view "There is an argument to be made that every web browser is a violation of law.".

 

1 hour ago, Paul Thexton said:

If what any ethical hacker does in finding and disclosing vulnerabilities for the betterment of everyone (rather than for personal gain in selling or taking advantage of secrets found etc), then the law is not fit for purpose and should be reworded. IMO.

There is no law that needs changing, it literally doesn't exist. The person who put the info there in the first place might be in breach of some kind of law (almost certainly if they were based in the EU or Australia, not so much the US though) but the person who discovered it did nothing wrong.

[GhostRoadieBL]

50 minutes ago, Master Disaster said:

the person who discovered it did nothing wrong

It's in the wording of the privacy act, "disclosure" was what they breached.

Morally they are in the right and all the steps they took prior to disclosing the info also puts them on the right side of the argument for a "made every attempt to correct the issue prior to making it public" argument they would have used.

Can they change the language to force the addressing of any potential breach found, of course but that means law makers and policy needs to be educated in the technology they are actively using. Which isn't going to happen when something like 30% of the senate doesn't even own cell phones (old number from an article back in 2018 talking about tweets in government but who knows if it's better now)

[wanderingfool2]

2 hours ago, J-from-Nucleon said:

Well, anyway, this is still good news and I hope people at least try and learn about something before going all ham on something. Like please, do some research, thank you.

2 hours ago, GhostRoadieBL said:

I can't imagine how the expert testamony would go in a case like that

"how would one go about hacking said website?"

'well they hit f12 on their keyboard'

"no, I'm asking how they hacked it"

'yep, that's all it took'

"get the next expert, there must be more to it"

Can we please take a moment to actually recognize what the news is reporting in the "click f12" is an absurdly simplistic view of what actually happened, and it wasn't something that could be accidentally found by a few key presses.  This case is not as simple as it has been made out to be, and it really bothers me that everyone just jumps on the trope that it's as simple as viewing the source.

 

1 hour ago, Master Disaster said:

There is no law that needs changing, it literally doesn't exist. The person who put the info there in the first place might be in breach of some kind of law (almost certainly if they were based in the EU or Australia, not so much the US though) but the person who discovered it did nothing wrong.

I've argued a bunch that the law does exist, and it's stupidly vague. The prosecutor literally is saying that (and by the wording of the statement I think he probably thinks it would be stupid to prosecute for it)....but that isn't to say the law doesn't exist and had the prosecutor decided to go for it could have pursued it.

 

Let's be clear about something as well, it's not plain text.  It was still encoded in base64 and there were steps that had to be taken in order to get at the information (more than just the simple "view source").  Oh and btw, despite you saying citation needed it was in the article!

Quote

 569.095.  Tampering with computer data — penalties. — 1.  A person commits the offense of tampering with computer data if he or she knowingly and without authorization or without reasonable grounds to believe that he has such authorization:

(1)  Modifies or destroys data or programs residing or existing internal to a computer, computer system, or computer network; or

(2)  Modifies or destroys data or programs or supporting documentation residing or existing external to a computer, computer system, or computer network; or

(3)  Discloses or takes data, programs, or supporting documentation, residing or existing internal or external to a computer, computer system, or computer network; or

(4)  Discloses or takes a password, identifying code, personal identification number, or other confidential information about a computer system or network that is intended to or does control access to the computer system or network;

(5)  Accesses a computer, a computer system, or a computer network, and intentionally examines information about another person;

(6)  Receives, retains, uses, or discloses any data he knows or believes was obtained in violation of this subsection.

2.  The offense of tampering with computer data is a class A misdemeanor, unless the offense is committed for the purpose of devising or executing any scheme or artifice to defraud or to obtain any property, the value of which is seven hundred fifty dollars or more, in which case it is a class E felony.

The fact is, as long as the person who designed it hadn't intended it to be visible, and the act of needing to decode the base64 makes it a crime.  If it was distributed in plain-text, yea it probably wouldn't have run afoul (well...it would in the sense he did it more than once and used someone else's info, which then triggers this again).  Specifically though section 5 is what I suspect would be used, maybe section 3...depending what the sites TOS was.

 

Do I think that the guy should have been prosecuted? No, absolutely not.  The law wasn't created with that concept in mind...but we need to recognize that the law needs to be changed.

[GhostRoadieBL]

1 minute ago, wanderingfool2 said:

This case is not as simple as it has been made out to be, and it really bothers me that everyone just jumps on the trope that it's as simple as viewing the source.

Should blame the guy wanting to ban the f12 key, that's what everyone is making fun of. It's obviously not a simple case but certain groups saw rubics cubes after Snowden as a joke on "the government" too

[wanderingfool2]

6 minutes ago, GhostRoadieBL said:

Should blame the guy wanting to ban the f12 key, that's what everyone is making fun of. It's obviously not a simple case but certain groups saw rubics cubes after Snowden as a joke on "the government" too

Did you not read what I said.  You cannot access this just by simply clicking f12.  It has never been about the fact that it's just a single button click away.

 

This is why I hate modern media news outlets as well.  All about the click-bait while ignoring things that they have gotten drastically wrong.

Imagine if someone managed to factor Google public key (into the two primes).  Should we go around saying that the number was publicly distributed so it doesn't matter.

[GhostRoadieBL]

5 minutes ago, wanderingfool2 said:

You cannot access this just by simply clicking f12. 

That's what makes it funny!

A troglodyte governor getting bent due to a lack of knowledge on how to access information and lashing out without even asking someone if it was possible.

It's not about accessing THAT information anymore, it's about the governor.

[starsmine]

I have seen no indication that it was more complicated then hitting f12. Even if the data was encrypted inside the visible source code, that COUNTS AS A DATABASE BREACH.

people dont freak out when a database breach happens because its in the database as plain text, its still encrypted there. people freak out because there is nothing to stop brute forcing the database at that point, and its only a mater of time that things get cracked. 

 

It is as simple as hitting f12 in this case. 

The HTML/Javascript page a user sees SHOULD NOT do business logic with the database, it should request the back end, that the user can not see and has no access to, to do it.

 

[Estiar]

22 minutes ago, wanderingfool2 said:

Did you not read what I said.  You cannot access this just by simply clicking f12.  It has never been about the fact that it's just a single button click away.

 

This is why I hate modern media news outlets as well.  All about the click-bait while ignoring things that they have gotten drastically wrong.

Imagine if someone managed to factor Google public key (into the two primes).  Should we go around saying that the number was publicly distributed so it doesn't matter.

This doesn't change the fact that anyone could access sensitive information within their browser. The reporter did not change anything within the computer systems either. That's no hacking, otherwise I've hacked half of the websites I've been on. Furthermore, the journalist doesn't need authorization to read a websites underlying HTML. That's a public document.

 

Also, the difference between the State of Missouri and Google is that Google awards bounties. Missouri tries to award criminal charges.

[wanderingfool2]

20 minutes ago, GhostRoadieBL said:

That's what makes it funny!

A troglodyte governor getting bent due to a lack of knowledge on how to access information and lashing out without even asking someone if it was possible.

It's not about accessing THAT information anymore, it's about the governor.

No, saying the governor want's to ban f12 is a very dangerous thing to say.  Do I agree with how the governor went after the reporter, no...but what the governor was pursuing and saying was all technically correct (from what I've seen).

 

It's simply wrong to say that the governor had a lack of knowledge and silly to keep going on as if that is the case.  Just because the news is misleading people, doesn't make what he said less true or factual.  He hasn't been stating F12, the NEWS and people like yourself who keep this myth perpetuating going that it was just an F12.  Even Linus on WAN show was talking about as if it was the case.  IT is not the case.

 

16 minutes ago, starsmine said:

I have seen no indication that it was more complicated then hitting f12. Even if the data was "encrypted" inside the visible source code, that COUNTS AS A DATABASE BREACH.

people dont freak out when a database breach happens because its in the database as plain text, its still encrypted there. people freak out because there is nothing to stop brute forcing the database at that point, and its only a mater of time that things get cracked. 

 

It is as simple as hitting f12 in this case. 

No it's not

https://cdn.arstechnica.net/wp-content/uploads/2021/10/Litigation-Hold-and-Demand.pdf

This is from the lawyers who was suing for defamation.  They tip-toe around it for a while, but do indeed state it was encoded in base64 the data.

 

10 minutes ago, Estiar said:

This doesn't change the fact that anyone could access sensitive information within their browser. The reporter did not change anything within the computer systems either. That's no hacking, otherwise I've hacked half of the websites I've been on. Furthermore, the journalist doesn't need authorization to read a websites underlying HTML. That's a public document.

 

Also, the difference between the State of Missouri and Google is that Google awards bounties. Missouri tries to award criminal charges.

It's wrong to state that they were trying to prosecute for just hitting f12 though.  If you effectively go into the source, and access data that is more than just easily human readable, then yes you broke the law.  It's also only a public document to an extent.  As long as there was a measure, no matter how small, from accessing the data it no longer really becomes a public document in the eyes of the law.  Examples of this is accessing an open FTP site, and getting classified documents (laws like these were made back in those days, when there wasn't necessarily protection on things such as FTP's or terminals).

 

It's ridiculous that there was political pressure to do so in the first place, but the fact is it's still a law and the law needs to be changed. 

 

edit:

It goes back to what I originally said in the threads regarding this when it broke.  The more I think about this, the more I have a feeling that they might have thought there was a whistle blower and were trying to get who blew the whistle on it.  There is no way the reporter discovered this on his own, he literally had to go to an expert asking to see if it was true...which to me says there was a third party involved which hasn't been named (and I can bet that the governor was likely trying to figure out who blabbed)

[starsmine]

46 minutes ago, wanderingfool2 said:

 

No it's not

https://cdn.arstechnica.net/wp-content/uploads/2021/10/Litigation-Hold-and-Demand.pdf

This is from the lawyers who was suing for defamation.  They tip-toe around it for a while, but do indeed state it was encoded in base64 the data.
 

Quote

Visiting the public website, which was accessible by anyone and did not require a login; • Looking at the publicly available source code, which can be easily done by anyone on any webpage under the “View” menu option; • Identifying a suspicious piece of the source code referred to as “View State” that can contain security flaws like the one found here; and • Translating the source code into plain text, which can also be done by anyone. This entire process could be completed by anyone in a matter of just a few minutes. None of the data was encrypted, no passwords were required, and no steps were taken by the State of Missouri to protect the Social Security numbers of its teachers that the State automatically sent to every website visitor.

Quote

In this situation, sensitive data sent by the State’s web application to every visitor’s browser was merely translated into a different format – Base64 encoding – and translated back to readable text to identify the security flaw. Because the sensitive data was not encrypted or otherwise protected, and because the State of Missouri chose to transmit teachers’ Social Security numbers through its publicly available website, any member of the public could easily see teachers’ Social Security numbers by simply translating the data the State was sending to everyone. Sensitive data should never be stored in the View State in the first place. View State is simply Base64 encoded and can easily be viewed by anyone because it is readily available in the browser. In the extreme case where sensitive data must be transmitted to the user’s browser, the View State should be encrypted. The State’s Credential Checker Application had no unavoidable need to store and send Social Security numbers in the View State. 

Im sorry, I gave you the benefit of the doubt and said it was encrypted.
base64 is not encryption. that's like saying Octal is encryption, or Hexadecimal is encryption. is 10 a decimal encryption of Ten?

Thats straight up plain text, viewable by hitting f12. There is no two primes here. There was nothign to crack.
Thats like saying 010101000110100001100001011101000010000001110100011010000110100101110011001000000111001101110100011100100110100101101110011001110010000001101001011100110010000001100101011011100110001101101111011001000110010101100100 (This string is encoded), is an ecrypted string. all base64 is, is 6 binary digit into one digit. Like hexadecimal is 4 binary digits into 1 digit. (the above in base 64 VGhhdCB0aGlzIHN0cmluZyBpcyBlbmNvZGVk)

 

Its a database leak (f12 viewable) of plain text. 

It is 100% correct to say they were trying to prosecute for just hitting f12. 

Encoded =/= encrypted.

 

[wanderingfool2]

26 minutes ago, starsmine said:

Encoded =/= encrypted.

Did I say it was encryption.  No, I specifically have been using the word encoded; which is not my fault your failure to read.

 

You can't claim that encoded != encryption and then try claiming base64 is plaintext...because that is just stupid.  Plaintext is sending the data and it being presentable in a human readable form.  This was base64, which mean someone would first have to recognize the data was base64 and then copying the data into a base64 decoder.

 

You were the one who said "It is as simple as hitting f12 in this case", which I bolded for you.  It is not that case, and it's wrong to keep that myth going that any layperson would have stumbled across it and been able to use that data.  I can bet even on this forum, over 50% of people if they hit f12 and saw a base64 string in there they wouldn't have the knowledge to recognize it was base64 and decode it.  So no, it's not straight up plaintext and it's not as "simple" as hitting F12 and magically getting the SIN number.

 

If it was that case, the author of the article wouldn't have had to ask someone for help.  So no it's not being prosecuted for "hitting F12".  It's being prosecuted for accessing information that obviously wasn't meant to be seen by human eyes.  It doesn't matter if it's stupid to prosecute someone for something like that, but the laws allow it.  There is a massive distinction between sending data in plain-text and sending base64..and it's important because if it was plain-text the law would be much harder to apply (again aside from the fact he did 3 test cases, which doing that could be argued violated that law).

 

Again, my two primes example is merely stating that just because something was released publicly doesn't mean it's free game and saying it's easy.  There was a case a while back where one of the vendors use overlapping primes for their product...as a result it made it more trivial to factor the numbers.  It's also akin to using an encryption that has a known solution to it.

[Estiar]

1 hour ago, wanderingfool2 said:

 

 

It's wrong to state that they were trying to prosecute for just hitting f12 though.  If you effectively go into the source, and access data that is more than just easily human readable, then yes you broke the law.  It's also only a public document to an extent.  As long as there was a measure, no matter how small, from accessing the data it no longer really becomes a public document in the eyes of the law.  Examples of this is accessing an open FTP site, and getting classified documents (laws like these were made back in those days, when there wasn't necessarily protection on things such as FTP's or terminals).

 

It's ridiculous that there was political pressure to do so in the first place, but the fact is it's still a law and the law needs to be changed. 

Here's what the Litigation Hold and Demand says

Quote

Under the cited statute, Professor Khan committed no crime. Every visitor to
the Missouri Department of Elementary and Secondary Education’s website
with the security flaw received teachers’ Social Security numbers and sensitive
personal information unwittingly.

Courts interpreting a similar federal law also agree with this conclusion.
The Computer Fraud and Abuse Act prohibits “access[ing] a computer without
authorization or exceed[ing] authorized access.” 18 U.S.C. § 1030. Where a
“website is publicly available on the Internet, without requiring any login,
password, or other individualized grant of access,” a visitor collecting
information from the website is not doing so without authorization or in excess
of authorization. See Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927, 932-
34 (E.D. Va. 2010). This is true even if the visitor “scrapes” the website by using
an automated system to copy information from the site. Id. The United States
Supreme Court recently looked at the definition of “authorized access” and
determined that “an individual ‘exceeds authorized access’ when he accesses a
computer with authorization but then obtains information located in particular
areas of the computer—such as files, folders, or databases—that are off limits
to him.” Van Buren v. United States, 141 S. Ct. 1648, 1662 (2021). The Court
cautioned the government from trying to define authorized access expansively
and turning “millions of otherwise law-abiding citizens [into] criminals.” Id. at
1654-62. That is what the State of Missouri is appearing to do here:
Criminalize anyone who visited a public website affected by a security flaw
created by the government, and especially punish those who happen to have
the knowledge required to notice and report the flaw. The expansive reading
by the State would criminalize other common behavior, such as using Google
to search for a celebrity without their permission. See RSMo. § 569.095.1(5)
(“Accesses a computer, a computer system, or a computer network, and
intentionally examines information about another person”).

Though this is from one side of the ordeal, I think the reasoning is sound. It's not as if the journalist used fraudulent credentials. The main point is that the website's source needs to be defined through law as authorized access or not. The Supreme Court says this

Quote

“an individual ‘exceeds authorized access’ when he accesses a
computer with authorization but then obtains information located in particular
areas of the computer—such as files, folders, or databases—that are off limits
to him.” Van Buren v. United States, 141 S. Ct. 1648, 1662 (2021)

Does the journalist exceed authorized access by looking at the website source? The defense lawyer obviously says no, saying

Quote

No statute in Missouri or on the federal level prohibits members of the general
public from viewing publicly available websites or viewing the website’s
unencrypted source code. No reasonable person would think they were
unauthorized to view a publicly available website, its unencrypted source code,
or any of the unencrypted translations of that source code. There is no probable
cause to investigate Professor Khan, and instigation or continuation of any
proceeding against him would therefore be prohibited.

 

[starsmine]

30 minutes ago, wanderingfool2 said:

 

If it was that case, the author of the article wouldn't have had to ask someone for help.  So no it's not being prosecuted for "hitting F12".  It's being prosecuted for accessing information that obviously wasn't meant to be seen by human eyes.  It doesn't matter if it's stupid to prosecute someone for something like that, but the laws allow it.  There is a massive distinction between sending data in plain-text and sending base64..and it's important because if it was plain-text the law would be much harder to apply (again aside from the fact he did 3 test cases, which doing that could be argued violated that law).

 

There is no distinction between sending data as base64, hexadecimal, ascii, unicode, code page 1252, or whatever other character encoding method. 
ascii is not plain text by your definition. its a base128/256 encode. Its all LUTS that are known and used commonly. 
Hell thats WHAT we use base64 and hexadecimal and all the rest for, to make it readable to HUMAN eyes.

And again, I have to point out, it does not mater, none of this, even if it was encrypted, this should not be viewable on the user's side. zero business logic having to do with the database should even be seen. 

[wanderingfool2]

3 minutes ago, starsmine said:

There is no distinction between sending data as base64, hexadecimal, ascii, unicode, code page 1252, or whatever other character encoding method. 
ascii is not plain text by your definition. its a base128/256 encode. Its all LUTS that are known and used commonly. 
Hell thats WHAT we use base64 and hexadecimal and all the rest for, to make it readable to HUMAN eyes.

It's wrong to characterize saying it's plaintext so it's as simple as hitting F12.  Want an example.

 

It's the difference from getting something like this

var infoVar = "This is a plaintext message, notice how you can actually read what it says and interpret it.  The other example is a base64"
var infoVar2 = "YmV0IG1vc3Qgd29uJ3QgZGVjb2RlIHRoaXMgYW5kIHdpbGwganVzdCBiZWxpZXZlIHRoZXkgYXJlIHRoZSBzYW1lLiBTbyBubyBub3QgYXMgc2ltcGxlIGFzIGhpdHRpbmcgRjEy"

I converted infoVar into Base64 so they contain the same information

The above is why you can't characterize it as just hitting F12, because I bet if you hit F12 and even were looking for SIN's the majority wouldn't find it...because it's not inherently readable by humans.

 

It's not correct to characterize Base64 as plaintext, because unless you decode it you don't know what it is.  It could be a datafile for all you know...also it doesn't go into added detail whether the information they decoded was actually the in plaintext or if it was something like a int64 binary representation or plaintext (at that stage after decoding).

 

The base64 is sent in plaintext, but the fact is you can't say that base64 data is plaintext (and to my point, it validates that it's not as simple as clicking F12).  The whole point behind this is that this distinction makes it so if they wanted to it would have been a lot easier to prosecute him under that law.

 

32 minutes ago, Estiar said:

Though this is from one side of the ordeal, I think the reasoning is sound. It's not as if the journalist used fraudulent credentials. The main point is that the website's source needs to be defined through law as authorized access or not. The Supreme Court says this

It of course was the defense response, so they would be citing similar cases that match similarly to theirs.  It is however still a different law, and could still be prosecuted.  Again, like I've said if it was plaintext no problem...but the fact it was encoded could be an issue

[Paul Thexton]

23 hours ago, Master Disaster said:

There is no law that needs changing, it literally doesn't exist. The person who put the info there in the first place might be in breach of some kind of law (almost certainly if they were based in the EU or Australia, not so much the US though) but the person who discovered it did nothing wrong.

That's absolutely my opinion on it too, but apparently the prosecutor thinks otherwise even though they've decided not to proceed.

[wanderingfool2]

19 minutes ago, Paul Thexton said:

That's absolutely my opinion on it too, but apparently the prosecutor thinks otherwise even though they've decided not to proceed.

Well if you look at the law I quoted, it's a badly written law.  I don't think the reporter necessarily did anything wrong, but the more I read this the more I do come to the conclusion that there is another party involved that hasn't been named (and I'm wondering if that was the true target).  *See my comments at the bottom

 

I doubt that the person who put that information there was breaching any laws.  It's likely an oversight...as they do allow searching using the SIN number so the data might have slipped in that way (especially if it was encoded and they were just parsing the data).  After all, the way the data was stored if they had configured their web.config to have it always encrypt view states this actually wouldn't have happened.  [Who knows, at one stage it might have actually been enabled, and someone switched it to Auto which would have effectively disabled it].

 

Actually, the function names used to protect viewstates are extremely stupidly named in my opinion,here's an interesting thing about view states [decided to read up a bit more about it].

https://docs.microsoft.com/en-us/archive/msdn-magazine/2010/july/security-briefs-view-state-security

Quote

However, there is a caveat. The reason the method is named RegisterRequiresViewStateEncryption, and not something like EnableViewStateEncryption, is because the page can choose to ignore the request. If the page’s ViewStateEncryptionMode is set to Auto (or Always), the control’s request will be granted and the view state will be encrypted. If ViewStateEncryptionMode is set to Never, the control’s request will be ignored and the view state will be unprotected.

Specifically, it says if you use the function that literally uses the words Requires ViewState Encryption in it...and you set web.config to Never the webpage doesn't break...instead it sends the data without encryption (which is the most asinine thing I've seen...it's up there with Google's do not track location and they track the location).

 

 

 

*****Overall though, there is more to this story than what is being publicly disclosed here.  The one thing I know for a fact the reporter was told about this exploit and didn't come across it on his own *Guessing what happened*

Whether it was a whistle blower, or there were rumblings around the dark web that the reporter happened to catch wind of.  It's the only way I can think of, given that the reporter needed the help of a professor to find that data.  If it is the case that the reporter was tipped off by someone, then it might stand to reason they could have been pursuing it to get the information about who told him (so they could pursue them).  The key being the wording regarding issue has been resolved through non-legal means...that to me says that the reporter might have told them what they were looking for (like the identity of the person who told him)

[Taf the Ghost]

Whoever was the technical advisor to the Governor royally screwed up and should have been fired. It's most likely the local paper and the governor hate each other, but you have technical advisors for a reason.

[mr moose]

On 2/16/2022 at 6:08 AM, wanderingfool2 said:

and it really bothers me that everyone just jumps on the trope that it's as simple as viewing the source.

 

 

Welcome to the internet, I still see people trying to argue we can see 1000FPS because several PC E-magazines misinterpreted a naval study then quoted each other with it.    

 

For the record I understand what you are saying and it makes perfect sense, there is a shit law that needs to be updated badly because had this been a more serious case politically then they could easily have gone for the jugular.   

 

I think the reason it has been dropped is because everyone else in government pointed out that should the courts realize how easy this law can be used as a weapon they might A, set a precedent closing the loophole or B. order the law be reviewed.   Both bad outcomes for Governments needing shitty laws like this as back up for pesky freedom fighters.