Missouri Gov. Mike Parson wants to sue a reporter who warned the state that a government website exposed the social security numbers of teachers and administrators.
Parson called St. Louis Post-Dispatch journalist Josh Renaud a “hacker” and pledged to prosecute at a press conference Thursday. Renaud's “crime”? Clicking “view source” on a publicly accessible web page.
“The state does not take this matter lightly,” Parson said, according to the Missouri Independent. “This administration stands up against all perpetrators who attempt to steal personal information and harm Missourians.”
Parson said he referred the case to the Cole County district attorney and also asked the Missouri State Highway Patrol to investigate.
On Wednesday, the St. Louis Post-Dispatch reported that a vulnerability at the state’s Department of Elementary and Secondary Education exposed the SSNs of departmental employees, including teachers, administrators and counselors. Renaud reported that the SSNs were visible simply by viewing the HTML source code of the vulnerable pages, which anyone can do with two clicks in any modern browser.
Governor Parson’s office declined to comment and referred us to a recording of Parson’s press conference.
The way that the St. Louis Post-Dispatch and Renaud handled the situation seems to be a classic example of ethical bug disclosure. The newspaper reported that it found the bug in a web application set up to let the public search for teacher certifications and credentials. More than 100,000 SSNs were exposed, according to the newspaper.
After the newspaper alerted the state government, the department fixed the bug on Tuesday and the newspaper published its article on Wednesday, once there was no longer any risk to teachers whose SSNs were exposed. Parson’s comments are also a classic example of government officials apparently having no idea how technology works and vilifying people who conduct ethical security research as criminals, rather than simply thanking them for having rendered a public service that makes us all safer.
“The newspaper delayed the release of this report to give the department time to take action to protect teachers’ private information and to allow the state to ensure that no other agency’s web applications contain similar vulnerabilities,” the St. Louis Post-Dispatch wrote in its article.
A spokesperson for the St. Louis Post-Dispatch shared the following statement:
“The journalist acted responsibly in reporting his findings to the Department of Elementary and Secondary Education (DESE) so that the state can act to prevent disclosure and misuse,” the statement said. “A hacker is someone who subverts computer security with malicious or criminal intent. Here there has been no firewall or security breach and certainly no malicious intent. That DESE hijacks its failures by qualifying it as ‘piracy’ is unfounded. Fortunately, these failures have been discovered.”
This story has been updated to include the statement from the spokesperson for the St. Louis Post-Dispatch.