Advertisements

Governor of Missouri, Mike Parson, thinks people who load a web page and click “View Source” are hackers. A reporter for the St. Louis Dispatch found that by viewing the source of a web page maintained by the state’s Department of Elementary and Secondary Education (DESE), the Social Security Numbers of teachers were exposed. Parsons thinks the reporter is a hacker who must be prosecuted.

The reporter engaged in what’s called “responsible disclosure”. They reported the flaw in the Web site to DESE, and waited until a fix was published before disclosing the flaw.

And that should have been the end of it. If you’re smart, you want people disclosing vulnerabilities responsibly so that you can fix them before bad people take advantage of them. Some organizations even pay bounties to encourage people to responsibly disclose vulnerabilities.

But that isn’t the end of it, because Governor Parson doesn’t know how computers work.

How do computers work?

When a computer requests a web page from another computer (called a web server), it makes a copy in memory. It then displays that page in a browser (or application, which frequently uses a web view these days). Depending on how things are configured, it can save a cached copy on the computer.

Because web pages have always encouraged you to learn (HTML was supposed to be a markup language that was human-readable, so you could look at the source and easily understand it), every browser has shipped with a “View Source” option.

By making a page publicly available, you’re authorizing anyone with a browser to read that page, and its source.

Governor Parson thinks differently, and is doubling down on his wrong belief.

A “multi-step process”. If I had to guess, that’s “Load the web page. View source. Observe 8 digit numbers that are Social Security Numbers.” Because that’s what appears to have happened. There is no hack, it’s reading the information DESE made publicly available.

“DESE asked ITSD to make it non-public and fix it” – fine, that’s what they should have done.

“This matter is serious.” – fine, publishing Social Security Numbers is serious. “The state is committed to bringing to justice anyone who hacked our system.” – OK, but no one was hacked here. There was no hacking that took place. Maybe we need to check the Governor’s definition of hacking?

At no time did the St. Louis Dispatch need written permission. They had authorization to view the publicly accessible page and click “View Source”. They even could search within that view source. The act of making it publicly available is authorization.

If the data was sent to the web browser and viewable with “View Source”, there was no taking. There was no tampering. It was freely available, which the St. Louis Dispatch responsibly disclosed to DESE so that they could get it fixed. Sorting the information in “View Source” so that you can read the data there does not make it converted or decoded, it’s just viewing what the browser sees.

It’s important that the Governor mentions Missouri law. Frequently, the federal government uses the woefully broad CFAA (Computer Fraud and Abuse Act) to prosecute people for using publicly accessible web pages or URLs and finding vulnerabilities within them. I’m not sure what law Missouri has that the Governor wants to apply, but it seems over broad to apply it here.

The state owning its part should be thanking the St. Louis Dispatch for responsibly disclosing the vulnerability.

Their intentions? Dear computer-illiterate Governor, their intentions were clear when they reported it to DESE as a problem. By reporting it as a problem needing to be fixed, they showed their intentions to be helpful and responsible, not hacking, not an attacker, and not targeting Missouri teachers.

The Governor should be embarrassed. He won’t be, because he lacks the sense of a screwdriver.

The worst part is the Governor doubling down on bringing legal action against the reporter at the Dispatch.

The second worst part is, by not accepting and being grateful for responsible disclosure, the Governor discourages anyone else reporting vulnerabilities, making Missourians less safe online. Great job!


All products recommended by Knapsack are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.