Missouri Gov. Mike Parson faces a monumental backlash after threatening to sue a reporter for responsibly reporting a serious security breach on the state’s website.
Earlier this week, St. Louis Post-Dispatch reporter Josh Renaud reported that the website of the state’s Department of Elementary and Secondary Education (DESE) exposed the Social Security numbers of more than 100,000 teachers. The SSNs were sitting in the HTML source of the site’s web pages, so anyone with an Internet connection could find the sensitive data by right-clicking on the page and choosing “View page source.” In most browsers, viewing a page’s source is as easy as pressing F12 on the keyboard.
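As an added illustration (not code from the article, the Post-Dispatch or DESE), the following Python check shows the defensive side of the mechanism just described: everything a server renders into a page reaches the browser, whether it is in a visible table cell, a hidden form field, an HTML comment or a JavaScript variable, and “view source” or F12 shows all of it. The script scans a page’s HTML source for SSN-shaped values in all of those places, the kind of pre-deployment test that would have flagged this leak before release. The sample page, the helper names and the SSA structural rules used to cut false positives are my own assumptions for the example; it uses only the standard library.

```python
"""Flag SSN-shaped values anywhere in a page's HTML source.

Added example, not code from the article or from DESE. Hiding data on screen
(CSS, type="hidden", a script variable) is not access control: the bytes are
still sent to every client. The only fix is to stop sending them.
"""
import re
from html.parser import HTMLParser

# 3-2-4 digit groups with hyphens, the usual way SSNs are written.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def looks_like_ssn(area, group, serial):
    """Structural rules the SSA applies: area 000, 666 and 9xx, group 00 and
    serial 0000 are never issued. Rejecting them cuts false positives from
    other 3-2-4 codes that happen to share the shape."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(ssn):
    """Report only the last four digits so the scan output is not itself a leak."""
    return "***-**-" + ssn[-4:]


class LeakScanner(HTMLParser):
    """Walks every part of the document the browser receives, not just the
    rendered text: attribute values, comments and script bodies included."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (location, masked value) in document order
        self._last_tag = None   # most recently opened tag, used to label text

    def _scan(self, where, text):
        for m in SSN_RE.finditer(text):
            if looks_like_ssn(*m.groups()):
                self.findings.append((where, mask(m.group(0))))

    def handle_starttag(self, tag, attrs):
        self._last_tag = tag
        # Hidden inputs, data-* attributes and similar live here.
        for name, value in attrs:
            if value:
                self._scan(f"<{tag} {name}=...>", value)

    def handle_data(self, data):
        # For <script> and <style>, html.parser hands the whole body to this
        # method, so JSON or JS variables embedded in the page are covered too.
        self._scan(f"<{self._last_tag or 'top'}> text", data)

    def handle_comment(self, data):
        self._scan("<!-- comment -->", data)


def scan_html(html):
    """Return [(location, masked_ssn), ...] for every plausible SSN in the source."""
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not DESE's markup). Only "Jane Doe / Certified" is
# visible on screen; the other values are just as readable in the source.
# The 000-12-3456 value is deliberately invalid and must not be reported.
SAMPLE_HTML = """<html><body>
<!-- TODO remove before launch: test lookup for 123-45-6789 -->
<table><tr><td>Jane Doe</td><td>Certified</td></tr></table>
<form>
  <input type="hidden" name="teacher_ssn" value="234-56-7890">
  <input type="text" name="search" value="000-12-3456">
</form>
<script>var record = {"ssn": "123-45-6789", "id": "T-1001"};</script>
</body></html>
"""

if __name__ == "__main__":
    for where, value in scan_html(SAMPLE_HTML):
        print(f"{where:22} {value}")
```

Run against the constructed page, the scan reports three hits, in the comment, the hidden input and the script body, and nothing for the visible table. A check like this belongs in the build or staging pipeline, run over the rendered responses of every page that is fed by a database of personal records; the masked output keeps the report itself safe to file in a ticket.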
The Post-Dispatch reported the vulnerability to state authorities so the website could be fixed, and delayed publication of its article to give the state sufficient time to resolve the issue. DESE has since confirmed that “the teacher certification search tool has been deactivated immediately” and that the vulnerability is now fixed.
This should have been the end of it. Where another official might have thanked the newspaper for discovering the flaw and for warning the state before going public, Republican Missouri Governor Mike Parson instead called the reporter who found the vulnerability a “hacker” and said the newspaper had uncovered the flaw in “an attempt to embarrass the state.”
“A hacker is someone who obtains unauthorized access to information or content. This individual was not allowed to do what he did,” he said at a press conference on Thursday. “This individual is not a victim. They were acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell titles to their media.”
“The state is committed to bringing to justice anyone who hacked into our system and anyone who aided and encouraged them to do so,” Parson said. The governor also referred the case to county prosecutors.
Unsurprisingly, the governor’s response to the Post-Dispatch report, and his evidently confused understanding of the term “hacker,” drew criticism even from within his own party. Republican lawmaker Tony Lovasco wrote on Twitter that it was “clear that the governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities,” adding that “reporters who responsibly sound the alarm on data privacy is not criminal hacking.”
US Senator Ron Wyden also called out Parson’s remarks, tweeting: “Journalism is not a crime. Neither is cybersecurity research. Real leaders don’t set their attack dogs on the press when they expose government failures, they roll up their sleeves and solve the problem.”
Naturally, people in the cybersecurity industry were also quick to react to Parson’s comments. Rachel Tobac, hacker and CEO of SocialProof Security, tweeted: “If your code is leaking personal data through public developer tools that anyone can see by just pressing F12 on a keyboard, then you have a huge data leak problem, not a hack situation, on your hands.”
The Post-Dispatch also pushed back on Parson’s response and stood by Renaud. The newspaper said its reporter “acted responsibly in reporting his findings to DESE so that the state can act to prevent disclosure and misuse.”
“A hacker is someone who subverts computer security with malicious or criminal intent. Here there has been no breach of any firewall or security, and certainly no malicious intent,” it added in a statement. “For DESE to deflect from its failures by calling this ‘hacking’ is unfounded.”
Of course, while Parson promises to hold the Post-Dispatch “accountable” for the supposed crime of helping the state find and fix a security breach, the chances of Renaud facing a conviction are likely slim, given the recent US Supreme Court decision in Van Buren v. United States, which held that a person only breaks the law when they access files or other information that they would not otherwise have been able to access.
But if the state does take action, a lawsuit could have a chilling effect on security journalism and research, further amplifying the problem of researchers facing legal threats and attacks after discovering security flaws and reporting them to their owners.