Governor of Missouri, Mike Parson, thinks people who load a web page and click “View Source” are hackers. A reporter for the St. Louis Dispatch found that by viewing the source of a web page maintained by the state’s Department of Elementary and Secondary Education (DESE), the Social Security Numbers of teachers were exposed. Parson thinks the reporter is a hacker who must be prosecuted.
The reporter engaged in what’s called “responsible disclosure”. They reported the flaw in the Web site to DESE, and waited until a fix was published before disclosing the flaw.
And that should have been the end of it. If you’re smart, you want people disclosing vulnerabilities responsibly so that you can fix them before bad people take advantage of them. Some organizations even pay bounties to encourage people to responsibly disclose vulnerabilities.
But that isn’t the end of it, because Governor Parson doesn’t know how computers work.
How do computers work?
When a computer requests a web page from another computer (called a web server), it makes a copy in memory. It then displays that page in a browser (or application, which frequently uses a web view these days). Depending on how things are configured, it can save a cached copy on the computer.
Because web pages have always encouraged you to learn (HTML was supposed to be a markup language that was human-readable, so you could look at the source and easily understand it), every browser has shipped with a “View Source” option.
By making a page publicly available, you’re authorizing anyone with a browser to read that page, and its source.
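To make that concrete, here is an added check that is not from the original post: since anything the server puts in the response is readable with View Source, a site owner can scan the HTML they are about to publish (including hidden inputs, data attributes and base64-encoded values) for SSN-shaped data before it goes live. The sample HTML and the SSN values in it are constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample of a server response: the kind of page that embeds
# per-record data the browser never renders but "View Source" reveals.
# All SSN values below are made up and merely follow the 9-digit format.
SAMPLE_HTML = """<html><body>
<table>
<tr data-ssn="123-45-6789"><td>Educator A</td></tr>
<tr><td>Educator B</td><input type="hidden" name="ssn" value="987654321"></tr>
<tr><td>Educator C</td><span hidden>MTExLTIyLTMzMzM=</span></tr>
<tr><td>Educator D</td><td>Phone 555-0100</td></tr>
</table></body></html>"""

SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def _candidates(text):
    """Yield the text as-is and, if it looks like base64, its decoded form."""
    yield text
    if B64_RE.match(text.strip()):
        try:
            yield base64.b64decode(text.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            pass  # not valid base64 / not text: nothing more to inspect

class _Collector(HTMLParser):
    """Collect every attribute value and text node from the served HTML."""
    def __init__(self):
        super().__init__()
        self.values = []
    def handle_starttag(self, tag, attrs):
        self.values.extend(v for _, v in attrs if v)
    def handle_data(self, data):
        if data.strip():
            self.values.append(data)

def find_ssn_exposures(html):
    """Return SSN-shaped values present anywhere in the HTML source, digits only."""
    p = _Collector()
    p.feed(html)
    found = []
    for v in p.values:
        for text in _candidates(v):
            for m in SSN_RE.finditer(text):
                found.append("".join(m.groups()))
    return found
```

Run against the sample it reports all three embedded SSNs, including the base64-encoded one, and ignores the phone number, which is the kind of pre-publication check that would have caught this page.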
Governor Parson thinks differently, and is doubling down on his wrong belief.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators. — Governor Mike Parson (@GovParsonMO) October 14, 2021
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE
A “multi-step process”. If I had to guess, that’s “Load the web page. View source. Observe 8-digit numbers that are Social Security Numbers.” Because that’s what appears to have happened. There is no hack; it’s reading the information DESE made publicly available.
Upon receiving this notice, DESE immediately contacted the Missouri Office of Administration ITSD, who programs and maintains the web application, to remove public access to the portal and update the code. — Governor Mike Parson (@GovParsonMO) October 14, 2021
“DESE asked ITSD to make it non-public and fix it” – fine, that’s what they should have done.
This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires. — Governor Mike Parson (@GovParsonMO) October 14, 2021
“This matter is serious.” – fine, publishing Social Security Numbers is serious. “The state is committed to bringing to justice anyone who hacked our system.” – OK, but no one was hacked here. There was no hacking that took place. Maybe we need to check the Governor’s definition of hacking?
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code. — Governor Mike Parson (@GovParsonMO) October 14, 2021
At no time did the St. Louis Dispatch need written permission. They had authorization to view the publicly accessible page and click “View Source”. They could even search within that source view. The act of making it publicly available is authorization.
Under Missouri law, a person commits the offense of tampering with computer data if he or she knowingly and without authorization accesses, takes, and examines personal information without permission. This data was not freely available and had to be converted and decoded. — Governor Mike Parson (@GovParsonMO) October 14, 2021
If the data was sent to the web browser and viewable with “View Source”, there was no taking. There was no tampering. It was freely available, which the St. Louis Dispatch responsibly disclosed to DESE so that they could get it fixed. Sorting the information in “View Source” so that you can read the data there does not make it converted or decoded; it’s just viewing what the browser already received.
It’s important that the Governor mentions Missouri law. Frequently, the federal government uses the woefully broad CFAA (Computer Fraud and Abuse Act) to prosecute people for using publicly accessible web pages or URLs and finding vulnerabilities within them. I’m not sure what law Missouri has that the Governor wants to apply, but it seems overbroad to apply it here.
The state does not take this matter lightly and we are working to strengthen our security to prevent this incident from happening again. The state is owning its part, and we are addressing areas in which we need to do better than we have done before. — Governor Mike Parson (@GovParsonMO) October 14, 2021
The state owning its part should be thanking the St. Louis Dispatch for responsibly disclosing the vulnerability.
We will not rest until we clearly understand the intentions of this individual and why they were targeting Missouri teachers. — Governor Mike Parson (@GovParsonMO) October 14, 2021
Their intentions? Dear computer-illiterate Governor, their intentions were clear when they reported it to DESE as a problem. By reporting it as a problem needing to be fixed, they showed their intentions to be helpful and responsible: not hacking, not an attacker, and not targeting Missouri teachers.
The Governor should be embarrassed. He won’t be, because he lacks the sense of a screwdriver.
The worst part is the Governor doubling down on bringing legal action against the reporter at the Dispatch.
The second worst part is that, by not accepting and being grateful for responsible disclosure, the Governor discourages anyone else from reporting vulnerabilities, making Missourians less safe online. Great job!