[HN Gopher] Governor vows criminal prosecution of reporter who f...
       ___________________________________________________________________
        
       Governor vows criminal prosecution of reporter who found flaw in
       state website
        
       Author : davidw
       Score  : 1086 points
       Date   : 2021-10-14 16:57 UTC (6 hours ago)
        
 (HTM) web link (missouriindependent.com)
 (TXT) w3m dump (missouriindependent.com)
        
       | adrr wrote:
| Do they even have jurisdiction to go after the reporter? My guess
| is the site is cloud hosted in a state other than Missouri. Crossing
| state boundaries is a federal matter.
        
         | codegeek wrote:
         | sshhh. The Governor would prosecute you for saying "Cloud
         | Hosted". How dare you find this info that is hidden in the
| clouds? Literally only the Gods can see the clouds.
        
       | otrahuevada wrote:
       | Judging by his tweets, the governor seems under the impression
       | that "decoding" the HTML is a multi step process and breaking it
       | constitutes unlawful access.
       | 
       | He does not, however, feel like expanding on what that means.
       | Several people tried to reach him on that, without success.
       | 
       | Does anyone have "lawful" access to the site? I want to see for
       | myself how those bits of PII showed up in the markup.
        
       | wanderingmind wrote:
       | Can someone with knowledge of law explain if the reporter can now
       | file a lawsuit against the government for violating his 1A rights
       | or does he need to wait for this case to get thrown out first.
        
       | MrWiffles wrote:
       | With "leaders" this goddamn stupid, it's no wonder Russia pulls
       | off so many hacks against us.
        
       | kizer wrote:
       | "Hacked our system" -- LOL. Nothing like our conservatives for a
       | great laugh. What a moron.
        
       | codingclaws wrote:
       | "...decoded the HTML source code..."
        
         | jhinra wrote:
         | I know, right? By that logic, I've just decoded your comment by
         | reading it.
        
       | woopwoop wrote:
       | The governor of Montana battered a reporter for asking him a
       | question he didn't like [0]. There exist a number of politicians
       | who feel that these are reasonable responses to adversarial
       | press, and apparently a large number of voters who agree with
       | them.
       | 
       | [0] https://en.wikipedia.org/wiki/Greg_Gianforte#Election-
       | eve_as...
        
       | blunte wrote:
       | When the "leaders" show themselves to be so proudly ignorant, it
       | makes you wonder what other decisions they have made which are
       | completely wrong and fully executed.
       | 
| In this case, I'm not terribly surprised since that governor is
       | from the party which frequently equates educated people as being
       | "elite" - a characteristic to be avoided.
        
       | vbo wrote:
       | There are developers out there that look like you and me, use the
       | same tools and speak the same (programming) languages, yet have
       | absolutely no concept of access control.
       | 
       | I feel there's an enormous education/awareness gap when it comes
       | to basic security practices and it's going to hurt all of us
       | sooner or later by having our private information leaked, sold,
       | abused, maybe ultimately deemed irrelevant in itself -- ie what
       | would the world look like if all (or a significant chunk) of
       | private information was leaked and you couldn't trust the old
       | tokens of identity?
        
       | tyingq wrote:
| _"No private information was publicly visible, but teacher
       | Social Security numbers were contained in HTML source code of the
       | pages."_
       | 
       | So "view source" is now hacking.
        
       | joshenberg wrote:
       | Quote from the St Louis Post Dispatch article is even more groan-
       | worthy:
       | 
       | "In the letter to teachers, Education Commissioner Margie
       | Vandeven said "an individual took the records of at least three
       | educators, unencrypted the source code from the webpage, and
       | viewed the social security number (SSN) of those specific
       | educators."
       | 
       | I guess webpages are kinda like encryption for idiots.
        
         | idworks1 wrote:
         | > echo json_encode($search_results);
         | 
         | This is how I found out how much I, and all other contractors
         | were being paid. And also how much the contracting company was
| actually charging the clients. All the data was being returned
| in a JSON but very little was being displayed.
         | 
         | Looking at the story, this is more of a posture thing. I'm sure
         | the Governor is surrounded with people who can tell him that no
         | hacking took place, but why miss an opportunity to show you
         | take the privacy of Missourians to heart.
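An added example (not from the thread) of the over-exposure idworks1 describes: a serializer that dumps whole rows, as `echo json_encode($search_results)` does, beside one that projects only the fields a given view is allowed to show, plus a regression check that scans a rendered response for SSN-shaped tokens. The records, field names and SSN values are constructed for illustration.

```python
import json
import re

# Constructed sample rows; names, SSNs and rates are made up.
SEARCH_RESULTS = [
    {"id": 1, "name": "A. Contractor", "title": "Developer",
     "ssn": "123-45-6789", "hourly_rate": 85, "client_bill_rate": 160},
    {"id": 2, "name": "B. Contractor", "title": "Analyst",
     "ssn": "987-65-4321", "hourly_rate": 70, "client_bill_rate": 140},
]

# Per-view allowlist: a field that is not listed never reaches the client,
# no matter what the database query happened to return.
VIEW_FIELDS = {
    "directory": ("id", "name", "title"),
    "payroll_admin": ("id", "name", "hourly_rate"),
}


def serialize_unfiltered(records):
    """What `echo json_encode($search_results)` does: every column goes out."""
    return json.dumps(list(records))


def serialize_for_view(records, view):
    """Project each row onto the view's allowlist; unknown views fail closed."""
    allowed = VIEW_FIELDS[view]  # KeyError for an unknown view is deliberate
    return json.dumps([{k: r[k] for k in allowed if k in r} for r in records])


# SSN-shaped token (NNN-NN-NNNN); a cheap check to run over rendered responses
# in tests so a "select *" regression cannot silently reintroduce the leak.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_ssn_like(body):
    """Return every SSN-shaped token found in a rendered response body."""
    return SSN_RE.findall(body)


if __name__ == "__main__":
    leaky = serialize_unfiltered(SEARCH_RESULTS)
    safe = serialize_for_view(SEARCH_RESULTS, "directory")
    print("unfiltered leaks:", find_ssn_like(leaky))   # two SSNs
    print("directory view leaks:", find_ssn_like(safe))  # []
```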
        
           | 0x262d wrote:
           | wow, what fraction of websites leak data I want to look at?
           | should I be poking at every non-tech-giant site I go to?
        
             | codegeek wrote:
| You will be surprised. Do an "Inspect Element" and have fun
| filtering on "XHR requests". Notice the JSON that a lot of
| those requests return. But sshhhh, you didn't hear this
| from me.
        
             | photochemsyn wrote:
             | The analogy is going up to a house and checking all the
             | doors and windows to see if they are locked. That's rather
             | like port scanning, a form of 'poking'. If you go to a
             | state government web site and do that, even if you don't
             | exfiltrate data or load it up with ransomware, it's
             | definitely very shady behavior, although it seems there are
             | no laws against it in the USA (some ISPs will ban users
             | caught doing this however).
             | 
             | Obviously if you broke into someone's house and then asked
             | them to pay you for your 'vuln discovery', err...
             | 
             | However, I think looking at HTML code on a public facing
             | web page is not that. If you hang naked pictures of
             | yourself on your front door, you don't get to complain when
             | people take pictures of them.
             | 
             | 1. https://www.calyptix.com/top-threats/port-scanning-
             | legal-ans...
        
               | ajmurmann wrote:
| The data was sent to my browser. The more fitting analogy
               | to me is that I get a letter and a huge pile of documents
               | in a giant binder. Some of the documents are referenced
               | in the letter. Now the sender gets upset because I
               | started looking at the documents in the binder that
               | weren't referenced in their cover letter.
        
             | cmckn wrote:
             | Last year, when a Nintendo Switch was difficult to come by,
             | I found that a large retailer's API returned exact stock
             | counts (and even restock dates in some cases) for any
             | physical store you wanted. Got a Switch for myself and a
             | couple friends in an afternoon.
        
             | cowsup wrote:
             | Careful, son, you're quickly entering elite hacker turf.
        
               | samstave wrote:
| Don't worry, I only do all this behind 7 proxies. Plus I
               | called google and they know all about it.
        
         | ncr100 wrote:
         | * https://oa.mo.gov/commissioners-office/news/state-
         | missouri-a...
         | 
         | The State labeling a reporter as "a hacker".
         | 
| * https://dese.mo.gov/media/pdf/educator-data-incident-
| commiss...
| 
| * https://twitter.com/mocommissioner
         | 
| State Education Commissioner refers to reporter only as an
| "individual". The Commissioner signs the letterhead "PhD".
         | Sarcastically, I presume the PhD corresponds to the increase in
         | level of correctness, from "hacker" to "individual".
        
         | dylan604 wrote:
         | If it is served via https, it is encrypted.
         | 
         | Edit: sorry, forgot the /s
        
           | anm89 wrote:
           | if it's in plain text in the html served, it isn't
        
             | throwawaycuriou wrote:
             | expand the lawsuit to Apple, Google, other heathen browser
             | makers
        
             | dylan604 wrote:
             | But if you're an idiot to believe viewing source is
             | hacking, then you're clearly the type that viewing the
             | source is viewing encrypted data.
             | 
             | The actual quote states that the data was first
             | "unencrypted" before viewing the source. This is in fact
             | correct if not poorly phrased, but who'd expect proper
             | terms used when we're talking about "these" people?
        
               | anm89 wrote:
               | I get what the article says and what the county claims.
               | That doesn't make what the parent said right.
        
           | jmull wrote:
           | Not once it's loaded by the browser it's not.
        
           | badRNG wrote:
           | jesus christ...
        
             | mikro2nd wrote:
             | yes...?
        
               | dylan604 wrote:
               | Get the Escalade
        
               | birdyrooster wrote:
               | With mustard and mayonnaise on the blades
        
           | MisterBastahrd wrote:
           | Oh shit, I'm reading your encrypted message right now!
        
             | badRNG wrote:
             | You should consider responsibly disclosing this
             | vulnerability rather than posting it here.
        
               | buitreVirtual wrote:
               | Don't dare disclosing it in Missouri!
        
               | willcipriano wrote:
               | It's ok, the disclosure is also encrypted.
        
               | navbaker wrote:
               | No it's not, you forgot to wrap it in an "<encrypted>"
               | tag.
        
               | lapetitejort wrote:
               | Don't forget the </encrypted> tag or else the rest of the
               | internet's traffic will be encrypted forever.
        
               | NoGravitas wrote:
               | What a nefarious ransomware attack!
        
           | iamcreasy wrote:
           | I didn't get the joke. Can anybody explain it?
        
             | jayd16 wrote:
| Https traffic is indeed encrypted, but it's encrypted for
| you the user.
| 
| It's like saying you stole documents from a sealed container
             | when that container had your name on it, it was addressed
             | to you, and you had the key.
        
           | codegeek wrote:
| I knew you forgot the /s. If the Governor understood https and
           | encryption, he wouldn't be penalizing the reporter for "View
           | Source". Clearly he got caught at being incompetent and he is
           | doubling down on "how dare you"
        
             | cat199 wrote:
             | nono - 'view source' is really the 'hack this website'
             | button, it's just called 'view source' to keep the bad guys
             | from knowing about it.
        
             | Bluecobra wrote:
             | Well you see the Internet is not something that you just
             | dump something on. It's not a big truck. It's a series of
             | tubes!
        
         | teawrecks wrote:
         | "Unencrypted" in this context means "did something we don't
         | understand".
        
         | MrPatan wrote:
         | You left out the best bit: "through a multi-step process"
        
           | DebtDeflation wrote:
           | Right click.
           | 
           | View Page Source.
           | 
           | That's 2 steps. Hence, multi-step.
        
             | eightails wrote:
             | Could do it in a single step with F12. I suppose then you
             | still have to scroll/search to find the relevant nodes...
             | "multi-step" indeed
        
             | dillondoyle wrote:
             | Option+Command+U
             | 
             | :)
        
               | shepherdjerred wrote:
               | Three steps! What hacker could envision such an elaborate
               | plan?
        
           | airstrike wrote:
           | Nice catch... Unbelievable. What isn't a multi-step process,
           | really? The first thing I do in the morning is to make coffee
           | and though I've distilled that process down to its bare
           | minimum so I can do it while still half asleep, it is still
           | very much a multi-step process...
        
         | ilaksh wrote:
         | I feel like not understanding basic things like that should get
         | you fired. The Education Commissioner and Governor of the State
         | of Missouri have demonstrated a lack of understanding of basic
         | technologies. At this point, that means they lack core
         | competencies to do their job, and should be fired.
        
         | mhandley wrote:
| Where "unencrypted" means "turned the web page over, and read
         | what was printed on the back of it".
         | 
         | It seems stupid to us, but non-techies just won't understand
         | unless we come up with reasonable analogies.
        
         | rbanffy wrote:
         | > I guess webpages are kinda like encryption for idiots.
         | 
         | I prefer to call them muggles.
        
         | jimt1234 wrote:
         | "unencrypted the source code" means they ran an unminify tool.
         | Very advanced; criminal masterminds. /s
        
           | meijer wrote:
           | Probably just "View Source".
        
             | [deleted]
        
             | tomxor wrote:
             | Probably without comments stripped.
        
           | anm89 wrote:
           | I sincerely doubt it was minified
        
         | klyrs wrote:
         | I can't wait to see the legislation that treats plaintext as
         | encrypted, and goes on to criminalize all written and
         | electronic communication.
        
           | dylan604 wrote:
           | We must end all encryption --FBI
        
         | dillondoyle wrote:
         | How relevant for education and today. The education commission
         | should have "send a flu shot!" lmfao
        
         | Buttons840 wrote:
         | Will this definition of encryption hold for HIPAA cases in
         | Missouri?
        
         | websap wrote:
         | We live in a world where everyone thinks they understand
         | computers and have an expectation of security and privacy, but
         | they don't realize how hard it is to build these systems
         | correctly. The best security appears to be invisible to the
         | consumer, but requires a lot of thought by the implementer.
         | 
         | This is the same reason why I think most of the general public
         | don't understand how much data social media apps can collect on
         | them. I know a lot of average technology users, who allow every
         | single permission whenever an App asks them, because they're
| like obviously it's not going to do any harm. Without realizing
         | how every action they take is recorded in a database somewhere,
         | which will get compromised sometime in the future.
         | 
         | I'm not a mobile developer, but it would be interesting if iOS
         | provided a service that allowed data to never leave the phone
         | and provided an API for Apps to get particular types of data
         | and showed warning levels in the App, each time more sensitive
         | data is accessed. The App store needs to be a place where if I
         | download an App from, I need to have the peace of mind that it
         | won't cause more harm than good.
        
           | ajmurmann wrote:
           | > I'm not a mobile developer, but it would be interesting if
           | iOS provided a service that allowed data to never leave the
           | phone
           | 
           | I'm not sure I follow. Do you mean the app wouldn't be
           | allowed to send any data over the network? As soon as the app
           | can send any data, it's trivial to hide in there whatever the
           | app wants to send home.
        
             | websap wrote:
             | My idea is that Apple encourages Apps and features / adds
             | badges for those apps that only store data locally. The
             | local storage should be able to identify different types of
             | data. They provide an API that allows data to be queried so
| that whenever an App queries some critical or
| confidential data it throws a big warning.
        
               | ohazi wrote:
               | The developer would just query the sensitive field either
               | immediately or at a seemingly reasonable moment (along
               | with dozens of other sensitive and non-sensitive fields),
               | put everything into a blob, and then send it to the
               | server as an opaque web request to some innocuous looking
               | endpoint like POST /login.
               | 
               | You either have to completely trust the developer today
               | and forever after, or you need to make some fundamental
               | advancements in homomorphic cryptography. "Secure data
               | store that can be queried with a permissions box" doesn't
               | work.
        
       | jmull wrote:
       | > Parson said...the reporter was "attempting to embarrass the
       | state and sell headlines for their news outlet."
       | 
       | Literally a reporter's job.
        
         | mhh__ wrote:
         | This could actually become illegal in the UK. The official
         | secrets act might be amended to make it illegal to embarrass
         | the state...
        
           | BoxOfRain wrote:
           | An Act of Parliament which would ironically embarrass the
           | state in itself. Unsurprising from the same cast of muppets
           | who wanted to use local newsagents to verify your age for
           | internet pornography and make encryption illegal.
           | 
           | It's not even a partisan thing, it seems like almost all our
           | major parties seem to lose 40 IQ points when the internet is
           | involved. Everyone from Blair onwards has been a tinpot
           | authoritarian when it comes to digital rights.
        
             | mhh__ wrote:
             | I don't think they had the IQ in the first place.
             | 
| More than half of sampled MPs couldn't calculate the
| probability of two heads in a row from a fair coin.
        
           | faeyanpiraat wrote:
           | -50 points from your profile
        
           | jimnotgym wrote:
           | ...because being an embarrassment to the state is reserved
           | for our government
        
           | xxpor wrote:
           | The fact that journalists in the UK can and have been
           | prosecuted for publishing leaks is completely absurd.
           | Europeans think the first amendment goes too far a lot of the
           | time, but this is the other side of it.
           | 
           | https://en.wikipedia.org/wiki/New_York_Times_Co._v._United_S.
           | ..
        
           | nemo44x wrote:
           | So nearly every pol will have to be locked up.
        
           | iggldiggl wrote:
           | To quote Yes Minister: "The Official Secrets Act is not there
           | to protect secrets, it is there to protect officials."
        
             | switch007 wrote:
             | It is amazing how much truth they stuffed in to that show
        
             | teawrecks wrote:
             | A good faith reading of that statement interprets it to
             | mean: the act isn't intended to keep pertinent information
             | away from the public, but to protect the identities of
             | officials who were tangentially involved.
             | 
             | Surely no official interprets it to mean: protecting the
             | _public image_ of officials by way of hiding pertinent
             | information from the public, right?
        
         | rchaud wrote:
         | It was successful, because I, a non-Missourian now know about
         | it, whereas in its initial state, this story would have been
| voluntarily withheld.
         | 
         | Those scheming reporters! /s
        
         | snarf21 wrote:
         | And literally protected by the 1st amendment.
        
         | 0xBA5ED wrote:
         | The funny thing is, the reporter successfully embarrassed the
         | state, then the state embarrassed itself further in response.
        
           | mmazing wrote:
           | Color me surprised.
           | 
           | I really don't understand the whole "double down" approach to
           | doing things.
        
             | wonderwonder wrote:
| You wouldn't; neither would most of us on this site. ~50%
             | of the population wouldn't. They are targeting the 50% + 1
             | of their state population that voted for this man. They are
             | probably doing a pretty good job of it too.
        
           | gizmodo59 wrote:
           | We won't know it for sure. Most of the state is not technical
           | so it's whatever the popular media spins it.
        
           | e40 wrote:
           | Streisand effect, too. None of us would have heard about this
           | otherwise.
        
         | toomuchtodo wrote:
         | "I'm going to weaponize the law because you embarrassed us."
        
           | moate wrote:
           | I can't imagine that a large, national organization like the
           | ACLU or CPJ would want to dump tons of money into making this
           | a massive national story should that happen...
           | 
           | Someone about to experience the Streisand effect in FULL
           | force.
        
             | mcguire wrote:
             | Somehow, I have the feeling the _St. Louis Post-Dispatch
             | 's_ lawyers are thinking, "Bring it! We haven't had this
             | much fun in ages."
        
               | merpnderp wrote:
               | I'm sure the judges likely to see this case are giggling
               | over what they'll say to the state prosecutors.
        
               | InitialLastName wrote:
               | Having read opinions by federal circuit court judges on
               | technical matters, it's not clear to me that the judges
               | who will see this case are likely to understand the
               | matter any better than the governor.
        
             | wonderwonder wrote:
             | In a state like Missouri getting sued by the ACLU is
             | probably something that can be used to win an election and
             | is seen as a badge of honor. They probably welcome it and
             | all it costs them is tax payer dollars. They really just
             | need to publicize any controversial party the ACLU
             | represented and claim to be standing up to the sorts of
             | people that would defend that behavior.
             | 
             | If they lose in court it turns into a two for one as they
             | get to rail against 'activist judges' and whip their base
             | to go out and vote.
        
         | fnordfnordfnord wrote:
         | >Literally a reporter's job.
         | 
         | And the governor's helping!
        
       | stewx wrote:
       | We should be treating Social Security Numbers as usernames, not
       | passwords, since SSNs can't be revoked when exposed in a leak.
        
       | csense wrote:
       | Prosecuting people for responsible disclosure?
       | 
       | This governor is a fricking idiot.
        
         | FpUser wrote:
         | When idiot directs prosecution it becomes a crime on its own.
        
         | dylan604 wrote:
         | This seems to be a requirement these days for being a governor.
         | 
         | I understand not everyone can know everything. The fact that it
         | is deemed unacceptable to admit not having all of the
         | information to make an informed decision/comment where someone
         | in a position of authority makes shit up to just sound
         | authoritative is a sad state of affairs. It's not like being a
         | governor is the same as posting things on an internet forum.
        
           | psychometry wrote:
           | FTFY: It's a requirement for being a governor in a red state.
        
             | good8675309 wrote:
             | Polarize much? Let's just go back to the general population
             | not trusting the government or any politician regardless of
             | party affiliation. They're all corrupt and ignorant, it's a
             | basic requirement.
        
               | psychometry wrote:
               | Oh, you're one of those morons who thinks both parties
               | are equally bad, huh?
        
             | dylan604 wrote:
             | We've got some presidential mis-speaks a plenty too. Some
             | haven't been a governor, and didn't come from a "red"
             | state.
        
               | psychometry wrote:
               | This is clearly not an example of a politician simply
               | "misspeaking".
        
               | dylan604 wrote:
               | Yet. Wait for them to evaluate the blowback, and then the
               | walkback from the comment.
        
               | kbenson wrote:
               | As much as it would be comforting if it actually was,
               | incompetence is not limited to either political party.
        
           | tomrod wrote:
| It seems there is a certain set of political beliefs that
           | enshrine intolerance of knowledge. Perhaps shared across
           | multiple parties.
        
         | Wistar wrote:
         | "Idiot" is relatively high praise.
        
         | SavantIdiot wrote:
         | I'm glad my Senator can speak intelligently at DefCon.
        
       | yummybear wrote:
       | If responsibly reporting a flaw is as bad as using it for evil,
       | you might as well just sell it on the dark web.
        
       | michael_michael wrote:
       | After the Affordable Care Act went into effect I signed our
       | company up for our state's marketplace. While browsing our plan
       | options, I noticed the url used a scheme like
       | marketplace.org/employers/341/plans.aspx. Of course, I tried
       | changing the number in the url to 342 to see what happened. To my
       | astonishment, it loaded up the next company's plans, including a
       | list of employee names, ages, plan cost, and SSNs.
       | 
       | After I shopped a few other companies to see how our plans
       | compared, I notified the marketplace operator via the only link
       | on the website for customer service. Within about an hour,
       | someone from their IT department rang me on the phone and started
       | grilling me about how many other plans I browsed, and insisted
       | that I clear my cache and browsing history, and notified me that
| they would be watching to make sure nobody at our IP address
| accessed any other plans while the issue was being fixed.
       | 
       | I was pretty surprised at his response, and assumed they would be
       | more grateful for exposing a pretty basic flaw, but I guess a
       | natural human tendency in these situations is to try to
       | externalize the blame. Perhaps it's more difficult to hold
       | yourself accountable than it is to assume that others who've
       | found your shoddy work are malicious actors.
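The flaw michael_michael describes is an insecure direct object reference: the employer id in the URL is trusted as-is once the caller has any valid session. The example below is added here and is not the marketplace's code; it contrasts a handler that only authenticates with one that also authorizes the id against the session's own account, and runs a simple enumeration check over constructed access-log lines. The session ids, employer ids, log format and plan data are all made up for illustration.

```python
import re
from dataclasses import dataclass

# Constructed store: employer id -> plan rows (names and figures are made up).
PLANS = {
    341: [{"employee": "Ann", "age": 41, "plan_cost": 510.0}],
    342: [{"employee": "Bob", "age": 35, "plan_cost": 430.0}],
    343: [{"employee": "Cy", "age": 29, "plan_cost": 390.0}],
}
# Which authenticated session administers which employer account.
SESSION_EMPLOYER = {"sess-alice": 341, "sess-bob": 342}


@dataclass
class Response:
    status: int
    body: object = None


def plans_vulnerable(session_id, employer_id):
    """Authenticates the caller but never authorizes the id from the URL."""
    if session_id not in SESSION_EMPLOYER:
        return Response(401)
    if employer_id not in PLANS:
        return Response(404)
    return Response(200, PLANS[employer_id])   # any logged-in user, any employer


def plans_hardened(session_id, employer_id):
    """Authorize the requested id against the session's own employer account."""
    owner = SESSION_EMPLOYER.get(session_id)
    if owner is None:
        return Response(401)
    if employer_id != owner:
        # 404 instead of 403 so the reply does not confirm that other ids exist.
        return Response(404)
    return Response(200, PLANS[employer_id])


# Constructed access-log format: "<timestamp> <session> GET <path> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sess>\S+) GET /employers/(?P<emp>\d+)/plans\.aspx (?P<status>\d{3})$"
)

# Constructed sample log: one session walking sequential employer ids.
ACCESS_LOG = """\
2021-10-14T16:57:01Z sess-alice GET /employers/341/plans.aspx 200
2021-10-14T16:57:09Z sess-alice GET /employers/342/plans.aspx 200
2021-10-14T16:57:15Z sess-alice GET /employers/343/plans.aspx 200
2021-10-14T16:58:02Z sess-bob GET /employers/342/plans.aspx 200
"""


def enumerating_sessions(log, threshold=3):
    """Sessions that fetched at least `threshold` distinct employer ids.

    A single account normally touches only its own id, so a session spanning
    several ids is the signature to alert on (and to use when scoping an
    incident, rather than relying on the caller's IP address)."""
    seen = {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        seen.setdefault(m["sess"], set()).add(int(m["emp"]))
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, other employer:", plans_vulnerable("sess-alice", 342).status)  # 200
    print("hardened, other employer:", plans_hardened("sess-alice", 342).status)      # 404
    print("enumerating sessions:", enumerating_sessions(ACCESS_LOG))                  # ['sess-alice']
```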
        
         | thrwwybnkvln wrote:
         | I found a similar kind of problem at a bank, though the
         | vulnerability was so simple I stumbled on it by accident. I
         | promptly switched banks but was never brave enough to report it
         | for fear I might wind up in a very bad situation.
        
         | [deleted]
        
         | comeonseriously wrote:
         | > ... someone from their IT department rang me on the phone and
         | started grilling me about how many other plans I browsed, and
         | insisted that I clear my cache and browsing history, and
| notified me that they would be watching to make sure nobody at
| our IP address accessed any other plans while the issue
| was being fixed.
         | 
         | An IT employee who doesn't know about VPNs. Sigh.
        
           | megablast wrote:
           | Or phone hotspots. Or cafes. Or home internet. Or open
           | wifi's. Or language translation websites. Or proxies. Or a
           | dozen other ways that do not require a VPN.
        
           | K5EiS wrote:
| Maybe he was hoping OP didn't know about VPNs, it's not an
           | uncommon scare tactic to imply being tracked is unavoidable.
        
             | Ph0X wrote:
             | Would be ironic since OP caught an exploit that their
             | entire team wasn't smart enough to catch... yet somehow he
             | wouldn't know about something as basic as VPNs?
        
               | idiotsecant wrote:
               | Zero chance this was an issue of an entire team not being
               | smart enough to check - everyone who touched this would
               | immediately understand it wasn't in the authenticated
               | flow. This smells like bad requirements being delivered
               | to the implementers.
        
             | judge2020 wrote:
             | I'm sure any further unauthorized access from random VPN
             | IPs would have also been blamed on OP, unfortunately. "He
             | found this out then an hour later random IPs exploited it.
             | He must have initiated those VPNs".
        
               | TedDoesntTalk wrote:
               | VPN doesn't matter here. OP made it clear he was logged
               | into the system first. Presumably all data is blocked
               | until you are logged in. And if you are logged in, IT
               | admin does not care about your IP address when they have
               | your username.
        
               | beerandt wrote:
               | Unless the IT guy was accidentally letting it slip that
               | there was no authorization implemented at all.
        
               | lazide wrote:
               | Which in context? Is very, very likely
        
         | bigfish24 wrote:
         | Similarly, a gov registration fee website simply disabled the
| "next" button at UI layer because I was past the deadline.
         | Easy bypass and paid fee, never heard anything else.
        
         | formerly_proven wrote:
         | I dunno, this seems pretty normal. Just today news broke that
         | in Germany some guy who found a flaw in a web-shop backend
         | leaking the data of hundreds of thousands of people got raided,
         | because the operator reported him to the police - and somehow
         | both police and state attorney found it wise to prosecute him
         | instead of referring the case to the GDPR officer to fine the
         | operator.
         | 
         | It's pretty obvious that when you find a flaw you simply don't
         | approach the people responsible for it, unless they have an
         | EXCELLENT reputation of dealing with this. Otherwise do an
         | anonymous full disclosure (edit: _if_ you have an entity that
         | routinely handles this sort of thing and has an EXCELLENT
         | reputation, that would work too). If nothing happens, provide a
         | PoC.
         | 
         | Of course people, even in IT, are kind of weird here. Somehow
         | responsible disclosure got into people's minds as The Good And
         | Proper Thing to do, and full disclosure being somehow
         | irresponsible. Analogy: Some guy finds out the mayor is
         | completely corrupt or does some illegal stuff. What do you do?
         | a) Disclose this through e.g. the press b) Approach the mayor
         | and try to get him to fix his stuff. Somehow, when it comes to
         | IT security, people wanna see hackers do b) because a) would
         | clearly be irresponsible. Wtf?
        
           | judge2020 wrote:
           | Perhaps many people are spoiled and blinded by the SV
           | megacorp culture of (usually) taking in bug reports and
           | fixing them and handing out recognition/money. It would be
           | nice if everyone accepted responsible disclosure, but that's
           | not going to be the case until some legislation comes along
           | to require it in the absence of malice.
        
             | LordDragonfang wrote:
             | It's not "spoiled" to expect, at worst, a thank you for
             | pointing out a serious and extremely easily exploited
             | vulnerability in public-facing code. You are inarguably
             | doing the company a favor by disclosing it to them and
             | helping them cover their ass and, in some cases, their lack
             | of competency.
             | 
             | Something shouldn't have to be literally illegal to be
             | considered shitty behavior. (Of course, people are often
             | incentivised to be shitty, which is why legislation should
             | _also_ be applied to the issue)
        
           | qwertox wrote:
           | All this reminds me of the case of Lilith Wittmann [1], who
           | got sued by the CDU (Germany's majority-holding party) in May
           | 2021 because she discovered a security flaw in their election
           | campaign app "CDU connect". Data from around 100,000 visitors
           | and 18,500 election campaign helpers was not sufficiently
           | secured.
           | 
           | She used responsible disclosure to let the CDU know of this
           | flaw, got sued in response.
           | 
           | After an outcry from the community the CDU apologized to her
           | and retracted the complaint, and the proceeding was suspended
           | at the end of August 2021.
           | 
           | It's pretty sad to see how people who act upon their best
           | intentions, intentions which are beneficial to society, are
           | hit so strongly by those who are afraid to admit that they
           | made a mistake. Hit in such a manner that it tears apart
           | their daily routine in a very negative way for months.
           | 
           | [1] https://lilithwittmann.medium.com/
        
             | nerdawson wrote:
             | Sad to hear just how common these sorts of stories are. I
             | remember reading fairly recently about a guy who reported a
             | flaw to a company working with the NHS in the UK (should
             | emphasise this is an external company and not the NHS
             | themselves) and ended up having to crowdfund his legal
             | battle.
        
             | Tepix wrote:
             | The CDU party no longer holds the majority :-)
        
               | folli wrote:
               | Still can't tell if this is good or bad.
        
           | peterburkimsher wrote:
           | Troy Hunt from Have I Been Pwned has an "EXCELLENT
           | reputation".
           | 
           | Perhaps responsible disclosure could pass through his entity?
           | 
           | It's a way of anonymising the source to keep them safe, and
           | centralising the risk to someone who is already highly
           | regarded by companies and governments.
        
           | avereveard wrote:
           | You've got things the other way around: it's not about the
           | disclosure, it's about mitigation.
           | 
           | If one contacts the corrupt mayor for a timed disclosure,
           | he gets time to hide crimes or can continue being corrupt,
           | but the press running the story only damages the mayor.
           | 
           | If I run to the press with a vulnerability, everyone is
           | empowered in exploiting it. Sure it puts lots of pressure on
           | the devs, but devs can only work so fast, which creates a
           | window of opportunity which damages both them and their
           | users. A timed disclosure doesn't prevent exploitation that's
           | already happening, but doesn't increase the problem by itself.
           | 
           | The desired outcomes in the two cases are different, and it's
           | no surprise different strategies are optimal.
        
             | bigiain wrote:
             | > but devs can only work so fast, which creates a window of
             | opportunity which damages both them and their users.
             | 
             | Sadly, time and time again, what in practice ends up
             | happening is the window of opportunity is wasted by the
             | devs being instructed to work on new features rather than
             | fix critical security bugs the company thinks are not
             | widely known.
             | 
             | Apple's response to four zero days being only the most
             | recent high profile example of that.
        
           | dzhiurgis wrote:
           | Local CERTs are sometimes happy to be a proxy; still best to
           | do it anonymously, though.
        
           | thepete2 wrote:
           | That comparison is a bit off though, because exposing the
           | mayor's corruption doesn't put other people and their data at
           | risk.
        
           | klyrs wrote:
           | Domestic abuse is pretty "normal" too. That doesn't make it
           | tolerable.
        
             | wonderwonder wrote:
             | These 2 things are not even remotely comparable.
        
               | klyrs wrote:
               | So? Something being "normal" doesn't make it just. Or
               | even legal.
        
               | wonderwonder wrote:
               | It's not normal in society to commit domestic violence,
               | most people in western society would find themselves
               | ostracized from their peers if they were a known wife /
               | child abuser. If I told my friends the website allowed me
               | to see other plans and I checked them out they would just
               | ask if I saw anything interesting and chuckle at the
               | flaw. Curiosity is normal; beating your spouse is not.
        
               | klyrs wrote:
               | Ah, I see the misunderstanding. The behavior I'm seeing
               | called "normal" is people being punished in response to
               | responsible disclosure, where the actual guilty party is
               | illegally leaking private information. I'm comparing
               | administrative abuse to domestic abuse.
               | 
               | If changing a few characters in a URL was a crime, I'd be
               | gone for life.
               | 
               | edit: and, I'm using "normal" in the same sense as the
               | comment I was originally responding to: to indicate an
               | everyday occurrence
        
           | b3morales wrote:
           | > a) Disclose this through e.g. the press b) Approach the
           | mayor and try to get him to fix his stuff. Somehow, when it
           | comes to IT security, people wanna see hackers do b) because
           | a) would clearly be irresponsible. Wtf?
           | 
           | Huh? This analogy doesn't really make sense. The difference
           | for software is extremely basic: if you publicize a
           | vulnerability immediately, you give more opportunity for it
           | to be exploited while it's being fixed. Malicious actors who
           | hadn't found the vulnerability yet now get it handed to them
           | on a silver platter.
           | 
           | Private notification simply gives the operator a head start
           | on closing the hole before it's more widely known by
           | potential attackers.
        
             | formerly_proven wrote:
             | That's not the point of the analogy (some other siblings
             | got it wrong, too, so the fault is likely mine). The point
             | is that it's inherently very risky for you to contact
             | someone about a problem they created accidentally,
             | negligently or possibly intentionally in order to get it
             | fixed (and that might result in them being fined or
             | otherwise punished when the issue becomes known). So you
             | should not do that. You should either seek a trustworthy
             | intermediary for you to handle the interaction (this might
             | be difficult / non-existent in your locale) or reveal the
             | issues anonymously.
             | 
             | Again, it's not about Optimally Mitigating Corporate
             | Security Fuckups, it's much more basic than that: it's
             | about keeping you safe. This should _obviously_ be priority
             | #1. Anyone telling anyone else to do responsible disclosure
               | by default because That's What Good Guys Do And You're Not
             | A Good Guy If You Don't is quite clearly not putting the
             | safety of the reporter at #1.
        
               | b3morales wrote:
               | I see, yes -- I certainly agree with disclosing
               | safely/anonymously.
        
             | kmlx wrote:
             | > The difference for software is extremely basic: if you
             | publicize a vulnerability immediately, you give more
             | opportunity for it to be exploited while it's being fixed.
             | 
             | If it's live, it's already being exploited. Simple
             | principle, but very effective.
        
           | bryanrasmussen wrote:
           | this is a poor analogy because the IT department isn't doing
           | something illegal, they are just doing something poorly. The
           | proper analogy would be if you found out the mayor routinely
           | left the special stamp that you can use to get anyone
           | released from jail lying on the park bench he eats lunch at.
           | Do you then go around telling people "hey, the mayor does
           | this", or do you say "hey mayor, please stop taking that
           | stamp with you to lunch because you always forget it at the
           | park bench and someday somebody is going to use it to do bad
           | stuff!"
           | 
           | OR let us reverse the analogy
           | 
           | You find out Facebook is running an international slave trade
           | by using their data to find vulnerable teenage girls, sending
           | them invites and then kidnapping them. Do you A) approach
           | Facebook and try to get them to stop their practice, or B)
           | alert everyone immediately?
           | 
           | The answer is you alert everyone immediately because Facebook
           | in this example is doing corrupt and illegal things. There is
           | a difference in how you should react concerning security
           | problems that others can take advantage of and willfully
           | committing illegal and corrupt acts.
        
             | TheCraiggers wrote:
             | > this is a poor analogy because the IT department isn't
             | doing something illegal
             | 
             | At what point does it cross the line into IT malpractice? I
             | would say that not even bothering to verify the current
             | user has the access to view what is being requested is well
             | over that line.
             | 
             | When you're dealing with PII, HIPAA, etc, there should be a
             | standard level of competence. If I go into a doctor's
             | office with a runny nose, and they remove my liver, simply
             | stating that they practiced medicine "poorly" shouldn't be
             | a defense.
        
           | cortesoft wrote:
           | Umm, this seems to imply that these security vulnerabilities
           | are intentional, which doesn't seem like what is happening.
           | In your mayor example, you wouldn't go to the mayor because
           | you know he is intentionally trying to break the law, so
           | going to him doesn't make sense.
           | 
           | Incompetence is very different than malfeasance.
        
             | Miraste wrote:
             | The problem is that the response, as it pertains to you, is
             | going to be the same for incompetence or malfeasance in a
             | large number of organizations. Consider what the average
             | self-interested politician would do if you uncovered a
             | corruption problem in their administration they did not
             | know about. Are they going to fix the problem, reward you,
             | and risk losing the next election beneath an avalanche of
             | attack ads? Or are they going to bury it and crush you?
             | 
             | Large governments and corporations are not your friends.
             | They will hurt you if it benefits them, often very short-
             | sightedly and regardless of the root problem. There are far
             | too many articles like this one to think "responsible
             | disclosure" is a safe practice. I remember one case where
             | the red team was hired by the agency involved explicitly to
             | perform pentesting, and when they found a vulnerability the
             | government pressed charges!
        
               | bigiain wrote:
               | > I remember one case where the red team was hired by the
               | agency involved explicitly to perform pentesting, and
               | when they found a vulnerability the government pressed
               | charges!
               | 
               | If the case you're remembering is the one where the red
               | team assumed (without asking) that physically breaking
               | into the courthouse at night was "in scope" of their
               | engagement, I'm of the opinion the short-sightedness
               | there was not the agency...
               | 
               | https://www.cnbc.com/2019/11/12/iowa-paid-coalfire-to-
               | pen-te...
               | 
               | It's _maybe_ grey area. But there's no way I'd escalate a
               | pen test to breaking in to a courthouse without explicit
               | in writing permission from someone clearly authorised to
               | give it, including in writing assurances that all
               | relevant law enforcement had been notified (at least at
               | high levels, if part of the authorised physical pen test
               | was actually testing on-ground law enforcement
               | capabilities).
        
               | Miraste wrote:
               | That is the case I was thinking of, but I went back to
               | check my memory and it was not a gray area. They had a
               | signed contract from the Iowa Judicial Branch and its
               | Information Security Officer that specified gaining
               | physical access to the building. Source:
               | 
               | https://krebsonsecurity.com/2020/01/iowa-prosecutors-
               | drop-ch...
               | 
               | They did fail to verify that law enforcement was aware
               | (the client specifically asked them not to) and they seem
               | to have misunderstood the building's ownership structure.
               | The end result was that they fulfilled their contract and
               | were arrested for it after encountering one idiot with
               | power, after which the local politicians piled on in
               | order not to look weak.
        
           | TeMPOraL wrote:
           | Yeah, in my mind, the only "responsible disclosure" these
           | days is one made anonymously to the local data protection
           | authority.
        
             | Verdex wrote:
             | Reading through these comments gave me the same thought.
             | Notice a problem? Buy a raspberry pi with cash, visit
             | starbucks, upload report about the issue to reporters via
             | newly created (and never used again) gmail account, throw
             | away raspberry pi, never talk or think about the issue
             | again.
        
               | kadoban wrote:
               | Gmail is probably not ideal. Last I tried I needed a
               | phone number to create an account that actually worked.
        
         | watchdogtimer wrote:
         | I found a similar vulnerability in one of our vendors' online
         | order system. After placing an order, I noticed an integer in
         | the order confirmation page URL. I reduced it by one and
         | refreshed the page. Sure enough, I got all the order details of
         | the previous customer's sale. Reducing _that_ URL by one got
         | the next previous sale details, etc. I notified the company
         | about it. They fixed it, and in gratitude sent me a small
         | package containing a pen and other office kitsch branded with
         | their logo. Not much of a bug bounty, but the pen has proven
         | useful.
        
           | andrei_says_ wrote:
           | I think the main difference is the one between
           | acknowledgment, action + (small) gratitude vs. fear,
           | paralysis and scare tactics / trying to control the
           | environment instead of fixing the issue.
        
           | kirlfiend_grill wrote:
           | I let a company know that the url for their receipts
           | (including name, address etc) was simply an md5 of the order
           | number. They graciously offered 15% off on my next order as a
           | thank you.
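
The two bugs described in the posts above (a sequential order id in the confirmation URL, and a receipt URL that is just md5 of the order number) are the same class of flaw the thread discussed earlier under "authenticated flow" versus "no authorization implemented at all": the server checks who you are but never checks whether the object you asked for is yours. Below is an added example by the editor, not code from the thread or from any vendor's system, showing each vulnerable handler beside its hardened form. The in-memory `ORDERS` table, the usernames, the handler names and the `RECEIPT_KEY` secret are all constructed for illustration.

```python
"""Object-level authorization for order/receipt lookups (added example).

The store, users, handler names and RECEIPT_KEY below are constructed for
illustration; they are not from the thread or from any real vendor's system.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str   # account that placed the order
    details: str


# Constructed sample data: three consecutive orders by different customers.
ORDERS = {
    1041: Order(1041, "alice", "2x widget, ship to Alice"),
    1042: Order(1042, "bob", "1x gadget, ship to Bob"),
    1043: Order(1043, "carol", "5x gizmo, ship to Carol"),
}

# Server-side secret for receipt links; assumed to come from config/KMS.
RECEIPT_KEY = b"constructed-example-key-do-not-reuse"


class Forbidden(Exception):
    """Authenticated caller, but not allowed to see this object."""


# --- the vulnerable patterns ------------------------------------------------

def confirmation_vulnerable(session_user: Optional[str], order_id: int) -> str:
    """Login is checked (authentication) but ownership is not (authorization),
    so any logged-in user can decrement the id and read other orders."""
    if session_user is None:
        raise Forbidden("login required")
    return ORDERS[order_id].details


def md5_receipt_token(order_id: int) -> str:
    """Receipt URL token = md5(order number). No secret is involved, so this is
    only an obfuscated sequential id, not a capability."""
    return hashlib.md5(str(order_id).encode()).hexdigest()


def receipt_vulnerable(token: str) -> str:
    """Unauthenticated receipt page keyed only by the md5 token."""
    for oid, order in ORDERS.items():
        if md5_receipt_token(oid) == token:
            return order.details
    raise KeyError("unknown receipt")


def enumerate_md5_receipts(start: int, count: int) -> list:
    """What an attacker does against receipt_vulnerable: recompute the md5 of
    each candidate order number and fetch whatever exists."""
    found = []
    for oid in range(start, start + count):
        try:
            found.append(receipt_vulnerable(md5_receipt_token(oid)))
        except KeyError:
            pass
    return found


# --- the hardened forms -----------------------------------------------------

def confirmation_safe(session_user: Optional[str], order_id: int) -> str:
    """Look the object up AND check it belongs to the caller. 'Missing' and
    'not yours' get the same answer so valid ids are not confirmed."""
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer != session_user:
        raise Forbidden("no such order for this account")
    return order.details


def hmac_receipt_token(order_id: int) -> str:
    """Receipt link token bound to a server secret: without RECEIPT_KEY an
    attacker cannot derive the token for a neighbouring order."""
    return hmac.new(RECEIPT_KEY, str(order_id).encode(), "sha256").hexdigest()


def receipt_safe(order_id: int, token: str) -> str:
    """Verify the token for the stated order in constant time."""
    if not hmac.compare_digest(hmac_receipt_token(order_id), token):
        raise Forbidden("invalid receipt link")
    return ORDERS[order_id].details


def allowed(handler, *args) -> bool:
    """Helper for checks: True if the handler returns, False if it refuses."""
    try:
        handler(*args)
        return True
    except Forbidden:
        return False
```

The md5 variant is worth dwelling on because it looks like a fix to a non-specialist: the URL no longer contains an obvious integer, yet `enumerate_md5_receipts` walks every order in a few lines. Either the receipt page must know who is asking (`confirmation_safe`), or the link must carry something the attacker cannot compute (`receipt_safe`, keyed with a secret and compared in constant time).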
        
         | renewiltord wrote:
         | Oh there are so many things like this. Ages ago, I used this to
         | find a whole listing of internal fax numbers for a government
         | org I wanted to get someone's attention at and totally slow-
         | spammed them using a fax API. Got a couple of reads based off
         | that.
         | 
         | There's no way I'm telling them I did that, haha!
         | 
         | Rule 1: Never tell people they're making a mistake unless you
         | trust them to trust you.
        
         | _dain_ wrote:
         | People have gone to jail for incrementing integers in URLs like
         | that (most famously, weev).
        
           | tailspin2019 wrote:
           | Looks like there is just a little bit more to that story...
           | 
           | https://en.wikipedia.org/wiki/Weev
        
           | victorhooi wrote:
           | Yes, but "weev" is also a well-renowned internet "troll".
           | Basically - he appears to take joy out of denigrating,
           | humiliating, insulting and doxxing other people.
           | 
           | https://en.wikipedia.org/wiki/Weev
           | 
           | He's also a neo-Nazi and white supremacist. I do believe in
           | free speech, but some of the things he does seem to take it
           | way too far.
           | 
           | And he famously doxed Kathy Sierra, a female technical writer
           | who created the Head First series. I actually quite like some
           | of the books in the series, and it's incredibly sad to hear
           | incidents like this which actively discourage females in
           | tech.
           | 
           | https://en.wikipedia.org/wiki/Kathy_Sierra
           | 
           | I suspect there's more to the AT&T incident than just, oh, I
           | found a flaw, let me responsibly report this to the relevant
           | parties in responsible disclosure.
        
             | _dain_ wrote:
             | Bad laws and a corrupt justice system are infinitely more
             | dangerous than a single man, however unpleasant he may be.
             | People pointed out at the time that the CFAA is totally
             | broken, but nobody listened because the victim was
             | unsympathetic. Well, now we see in TFA how nothing has
             | changed.
             | 
             | "Yes, I'd give the Devil benefit of law, for my own
             | safety's sake!"
             | 
             | And it should be noted that weev's turn towards overt
             | neonazism (rather than just antisocial trolling) took place
             | in prison, where he was mistreated.
        
           | mcbutterbunz wrote:
           | Didn't he also give the data he found to Gawker before
           | notifying AT&T of the issue? That seems like a pretty key
           | difference here, but I don't know what weev was charged and
           | convicted for.
        
             | _dain_ wrote:
             | "Conspiracy to access a computer without authorization",
             | which was and is completely preposterous. The Gawker part
             | is completely immaterial, it was still a total travesty of
             | justice. The judgement was later overturned on procedural
             | grounds rather than on the merits (which it should have
             | been). He did nothing that merited imprisonment, and even
             | less so his mistreatment there.
        
           | hobofan wrote:
           | IIRC there was a recent story here in Germany where a court
           | decided that the blame is entirely on the website owner, and
           | incrementing an integer didn't constitute hacking, as no
           | security measures were circumvented (as a lack of
           | authorization checks meant no security measures were in
           | place).
           | 
           | So I'm hopeful that the courts are slowly starting to wisen
           | up in that respect.
        
         | andrei_says_ wrote:
         | Fear. The IT person is likely scared of (fill in the blank -
         | blame, losing their job etc. )
         | 
         | They are scared because their leadership is likely also afraid
         | - and so unable to provide protection by taking responsibility.
         | 
         | This is the vibe of an organization where mistakes lead to
         | blame and punishment instead of quick resolution and learning.
        
         | coliveira wrote:
         | It is very easy for IT managers to put the blame on "hackers"
         | intruding into the network, instead of assuming they created an
         | insecure system. In many companies this can work.
        
           | Spivak wrote:
           | I very much want the blame to be on the person who broke into
           | my house regardless of whether my door was locked or my
           | window was open.
        
             | zentiggr wrote:
             | Which works great when there's some kind of access
             | restriction in place.
             | 
             | If you wind up putting your tax returns in the 'little free
             | library' you set up on your front yard, you can't blame
             | others for reading them, then handing them back to you and
             | not telling anyone else.
             | 
             | That's the proper analogy for what happened in the original
             | article.
        
           | skissane wrote:
           | Years ago, I worked at this place, they tried to install
           | these new core routers. The first core router worked fine,
           | but connect the second and the whole campus network would go
           | into meltdown.
           | 
           | The network team could not work it out. The vendor could not
           | work it out. But one of the IT managers had an explanation:
           | me. Firstly, it was due to an OpenVPN instance I installed on
           | a server (with permission, as a stopgap measure so we could
           | access the "next-gen data centre" because the networking team
           | was taking too long to get the real VPN installed and it was
           | blocking other teams on the project.) The explanation didn't
           | make any technical sense: the VPN is just an application,
           | nothing to do with the core routers; but he wasn't technical
           | enough to understand that. They told me to shut it down, so I
           | did (even though doing so inconvenienced the project), and lo
           | and behold, it made zero difference to the problem. Then, he
           | apparently even suggested at a management meeting (I wasn't
           | there but I heard about it) that _I_ was sneaking in to the
           | data centre at night or on the weekends to sabotage things,
           | and that was why the new routers didn't work. Apparently they
           | even asked campus security for my physical access logs, which
           | revealed I hadn't been doing any such thing.
           | 
           | Eventually, the vendor worked out the problem. When you
           | install the router, there was a step where you had to change
           | the VRRP IDs to give every router a unique ID on the network.
           | Clearly explained in the documentation, obviously essential,
           | apparently our networking team didn't read that part. You
           | plug one new router in, everything is fine; plug the second
           | one in, well it still has the OOTB default VRRP ID, so now
           | two core routers on the campus network have the same VRRP ID,
           | and all the other routers got confused, and the whole thing
           | fell apart. Both our networking team and the vendor's support
           | team were so focused on chasing some obscure bug they didn't
           | see the basic config issue.
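
The failure described above (two routers on one segment left with the same VRRP virtual router ID) is visible on the wire, because a VRRP master multicasts advertisements that carry the VRID and the virtual addresses it claims. Below is an added example by the editor, not code from the thread or from any vendor: a VRRPv2 advertisement builder and parser following the RFC 3768 layout (with Internet checksum verification), plus a check that flags any VRID advertised by more than one router with different virtual address sets. The router addresses, the assumed out-of-the-box VRID of 1, and the virtual IPs in the sample capture are constructed.

```python
"""Duplicate-VRID detection from VRRPv2 advertisements (added example).

Packet layout follows RFC 3768 section 5. All sample routers, addresses and
the assumed out-of-the-box VRID (1) below are constructed for illustration.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1
# ver/type, vrid, priority, count ip addrs, auth type, adver int, checksum
HEADER = ">BBBBBBH"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a correctly checksummed message
    (checksum field included) this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, virtual_ips: list,
                        adver_int: int = 1) -> bytes:
    """Encode a VRRPv2 ADVERTISEMENT with auth type 0 and a valid checksum."""
    body = struct.pack(HEADER, (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                       vrid, priority, len(virtual_ips), 0, adver_int, 0)
    body += b"".join(IPv4Address(ip).packed for ip in virtual_ips)
    body += b"\x00" * 8                      # authentication data, unused
    csum = internet_checksum(body)
    return body[:6] + struct.pack(">H", csum) + body[8:]


def parse_advertisement(payload: bytes) -> dict:
    """Decode and validate one advertisement; raise ValueError on junk."""
    if len(payload) < struct.calcsize(HEADER) + 8:
        raise ValueError("truncated VRRP message")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack(
        HEADER, payload[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) != 8 + 4 * count + 8:
        raise ValueError("length does not match Count IP Addrs")
    if internet_checksum(payload) != 0:
        raise ValueError("bad checksum")
    vips = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i]))
            for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "virtual_ips": vips}


def is_valid_advertisement(payload: bytes) -> bool:
    try:
        parse_advertisement(payload)
        return True
    except ValueError:
        return False


def find_vrid_conflicts(observed: list) -> dict:
    """observed: (advertising router's source IP, VRRP payload) pairs seen on
    one segment. Returns {vrid: [sources]} for every VRID that more than one
    router advertises with *different* virtual address sets. A master and a
    preempting backup advertise the same addresses, so they are not reported."""
    by_vrid = defaultdict(dict)
    for src, payload in observed:
        adv = parse_advertisement(payload)
        by_vrid[adv["vrid"]][src] = frozenset(adv["virtual_ips"])
    return {vrid: sorted(srcs) for vrid, srcs in by_vrid.items()
            if len(srcs) > 1 and len(set(srcs.values())) > 1}


# Constructed capture: two new core routers left at the default VRID 1 but
# serving different gateway addresses, plus a healthy master/backup pair on
# VRID 3 that share one virtual address.
SAMPLE_CAPTURE = [
    ("10.0.0.11", build_advertisement(1, 100, ["10.0.0.254"])),
    ("10.0.0.12", build_advertisement(1, 100, ["10.0.0.253"])),
    ("10.0.0.21", build_advertisement(3, 110, ["10.0.0.251"])),
    ("10.0.0.22", build_advertisement(3, 100, ["10.0.0.251"])),
]


def sample_conflicts() -> dict:
    return find_vrid_conflicts(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for vrid, routers in sample_conflicts().items():
        print("VRID %d advertised by %s with different virtual addresses"
              % (vrid, ", ".join(routers)))
```

To use this against a real segment you would feed `find_vrid_conflicts` the source address and VRRP payload of each packet captured on protocol 112 (for example from a pcap), which is a far quicker way to spot a duplicate VRID than the months of bug-chasing described above.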
        
             | isoskeles wrote:
             | Did that IT manager ever apologize for accusing you of
             | being the problem?
        
               | skissane wrote:
               | I don't remember him ever directly apologising, although
               | he was nice to me afterwards (and this was many years
               | ago, memories get hazy). I think he was rather
               | embarrassed by the whole incident, it turned out to be
               | such a basic configuration issue and it took them so long
               | to solve it. I only knew about the whole "sneaking in at
               | night" allegation because my boss told me what he'd said
               | at meetings to which I wasn't invited, and I don't think
               | my boss was supposed to tell me what was said in those
               | meetings, so I'm not even sure if he knew that I knew
               | he'd accused me.
        
             | temp_praneshp wrote:
             | Wow, I'll keep this in mind next time I complain about my
             | manager.
        
               | wslack wrote:
               | r/talesfromtechsupport is full of these sorts of stories.
               | I make a visit on days when my job is frustrating and
               | inevitably feel better.
        
           | dr-detroit wrote:
           | In my experience the managers don't have the information to
           | make a sound decision. The fault is putting trust in the cat
           | who impressed you 20 years ago when all you needed was one
           | sysadmin for your Exchange server. He hasn't learned anything
           | in 20 years and is above reproach because when I point out
           | his failings, he and the manager go off in a quiet room and
           | he DESTROYS me with trash talk.
        
           | miohtama wrote:
           | All hacks are "sophisticated" because otherwise the other
           | party would be "dumb".
        
           | prox wrote:
           | Lots of these folks (like the governor) don't even know the
           | basics of IT. Zero knowledge. You can tell them anything and
           | it will stick.
        
         | soylentnewsorg wrote:
         | So his issue was not that you discovered the bug. His issue was
         | that after discovering it, you went on to view a bunch of other
         | people's data.
         | 
         | What you did was walk down the block, pull on the doors of
         | random houses, and if you found one unlocked, went in and took
         | a look around. If you found my door unlocked and left me a
         | note, I would be grateful. If you went in and took a look
         | around, then did it to all of my neighbors, we would have you
         | arrested.
         | 
         | The bug here is an unlocked door. It being unlocked is a
         | security risk, and people are thankful if you let them know. If
         | after identifying the security risk you proceed to commit a
         | crime, you're surprised people aren't "grateful?"
         | 
         | >difficult to hold yourself accountable
         | 
         | isn't it though...
         | 
         | >are malicious actors
         | 
         | so you.
        
           | [deleted]
        
           | ljm wrote:
           | There's too much moralising and too much metaphor here.
           | 
           | It's really a lot more simple:
           | 
           | > After I shopped a few companies to see how our plans
           | compared
           | 
           | This isn't white-hat, it's grey-hat at best. Found the vuln,
           | and then used it.
           | 
           | I don't agree with the dramatic reading that I'm responding
           | to.
        
           | [deleted]
        
           | plainnoodles wrote:
           | I think that's a PRETTY uncharitable analogy and
           | interpretation of the OP's actions.
           | 
           | I would say it's more like:
           | 
           | You are walking down the street, and notice that there is a
           | public noticeboard. It has a list of names, yours among them,
           | associated with a number of steps each. It instructs you to
           | walk a certain number of steps down the street, and then look
           | up at the paper taped to the sidewalk that many steps down.
           | 
           | So, you do, and upon looking down, you see some personal
           | information about yourself! You are a little perplexed, since
           | this doesn't seem very secure. So you take one step back, and
           | look down. Wow, yep, not very secure, there's information
           | there too!
           | 
           | Being a human, you are naturally a little nosy and curious,
           | and as these _are_ publicly posted, after all, you glance
           | through a couple more before finally regaining control of
           | your better sense of civic duty, and report to the owner of
           | the notice board that there is a problem with their
           | "security".
           | 
           | I think this is a better analogy because:
           | 
           | * browsing to a web page is NOT the same thing as going into
           |   someone's house.
           | 
           | * the internet is public.
           | 
           | * there was CLEARLY no malicious intent. The OP clearly didn't
           |   harm or intend to harm anyone here, even if perhaps he
           |   should have immediately stopped when he began to suspect
           |   the website had a flaw and he shouldn't be able to see this
           |   information. I see no evidence of malice here.
           | 
           | I do agree that in general, just because a system responds
           | 200 OK, you're not necessarily clear to do anything you want
           | when what you're doing is obviously wrong. But at the same
           | time, we should NOT be prosecuting or blaming people when
           | they're able to access more than they're supposed to be able
           | to PLAINLY due to the software's design insufficiencies and
           | there's otherwise clearly no intent to cause harm.
           | 
           | We really need to take a more even-handed approach to this.
           | And, we REALLY need some kind of a professional bar in
           | software engineering. I would expect a student in their final
           | year of CS to be able to produce a more secure system than
           | what the OP described, so the fact that it exists in a quasi-
           | government website is a complete fucking joke, if you'll
           | pardon my language.
        
             | gwd wrote:
             | > You are walking down the street, and notice that there is
             | a public noticeboard. It has a list of names, yours among
             | them, associated with a number of steps each. It instructs
             | you to walk a certain number of steps down the street, and
             | then look up at the paper taped to the sidewalk that many
             | steps down.
             | 
             | Or perhaps, "Here's a binder with numbered pages; turn to
             | page 345 for your information." You wonder what's on page
             | 346, so you turn the page, and lo and behold, someone
             | else's information.
        
           | slim wrote:
           | You seem to be implying that accessing a competitor's pricing
           | is immoral. Do you think a company's pricing should be private
           | information in the same sense that your house is private?
        
           | heavyset_go wrote:
           | This analogy isn't apt. What the OP did was the equivalent of
           | asking, "Can you share these files with me?" and the other
           | party going, "Sure, here they are!"
        
           | sbarre wrote:
           | This was not an "unlocked door".
           | 
           | This was going to the doctor's office, and while sitting in
           | the room with your files, seeing a bunch of other patient
           | files just left on the desk in eyesight.
           | 
           | Not in an unlocked filing cabinet, not in an envelope, but in
           | the open.
           | 
           | Changing a URL is not "malicious use" nor is it considered
           | doing something you're not supposed to.
           | 
           | As a web client, I should be able to change or manipulate the
           | URL to my heart's content, it is 100% the server's job to
           | restrict my access and make sure that I cannot access
           | resources I shouldn't.
           | 
           | This is entirely the fault of the operators, not the user,
           | and they were mad at them because they _allowed_ the user to
           | access things they should not.
        
             | throwaway09223 wrote:
             | It's even worse than that. I think a better analogy would
             | be that you've requested the doctor mail you your records
             | and instead the doctor ships you his entire filing cabinet
             | with your folder taped to the top and a note saying "read
             | this one." (but no mention about why the filing cabinet is
             | there too)
             | 
             | They weren't just in the open. A copy of these records was
             | pushed, unsolicited, to the user's device and the user
             | simply looked at what was sent to them.
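
The "entire filing cabinet shipped with your folder taped on top" pattern above has a concrete shape in web code: the server embeds every record in the page and leaves it to client-side JavaScript to pick out the viewer's row, so view-source shows everything. The example below is added here and is not code from the page or from any state or vendor site; the employee records, names, plan strings and 900-series SSNs are constructed placeholders. It renders the same page the leaky way and the hardened way (select on the server, project an allow-list of fields), then runs a cheap release-pipeline check for SSN-shaped strings and other people's names in the rendered HTML.

```python
import json
import re

# Constructed sample records (example data, not from the page). The SSNs use
# the 900-series, which is never issued, so they are obviously placeholders.
EMPLOYEES = [
    {"id": 101, "name": "A. Example", "ssn": "900-12-3456", "plan": "PPO, $450/mo"},
    {"id": 102, "name": "B. Sample",  "ssn": "900-65-4321", "plan": "HMO, $380/mo"},
    {"id": 103, "name": "C. Fixture", "ssn": "900-11-2233", "plan": "HDHP, $290/mo"},
]

# Fields the page actually needs; everything else stays on the server.
PUBLIC_FIELDS = ("id", "name", "plan")


def _js_literal(obj) -> str:
    """JSON for a <script> body; escape '</' so a value cannot close the tag."""
    return json.dumps(obj).replace("</", "<\\/")


def render_vulnerable(records, viewer_id: int) -> str:
    # The 'whole filing cabinet' pattern: the server embeds every record and
    # leaves it to client-side code to display only the viewer's row.
    # Anyone who opens view-source receives all of it.
    return (
        f"<script>var DATA={_js_literal(records)};var ME={int(viewer_id)};</script>"
        '<div id="plan"></div>'
    )


def render_hardened(records, viewer_id: int) -> str:
    # Select on the server and project an allow-list of fields, so the
    # response carries exactly the viewer's own, non-sensitive data.
    mine = next((r for r in records if r["id"] == viewer_id), None)
    if mine is None:
        return "<p>No plan on file.</p>"
    safe = {k: mine[k] for k in PUBLIC_FIELDS}
    return f"<script>var DATA={_js_literal(safe)};</script><div id=\"plan\"></div>"


# Regression check for a release pipeline: does any rendered page carry
# something shaped like an SSN? (Loose pattern; treat hits as leads, not proof.)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def ssn_like_strings(page: str) -> list:
    return SSN_RE.findall(page)


def other_names_present(page: str, records, viewer_id: int) -> list:
    """Names of people other than the viewer that appear in the page."""
    return [r["name"] for r in records if r["id"] != viewer_id and r["name"] in page]


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(EMPLOYEES, 102)
        print(label, "ssn-like strings:", ssn_like_strings(page),
              "other people:", other_names_present(page, EMPLOYEES, 102))
```

The check functions are deliberately dumb: a regex over the final HTML catches the class of bug regardless of which template or framework produced it, and it runs against a rendered page rather than the data model, which is where the leak actually happens.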
        
             | Ajedi32 wrote:
             | > seeing a bunch of other patient files just left on the
             | desk in eyesight
             | 
             | ...and then proceeding to rifle through a bunch of those
             | files to satisfy your curiosity.
             | 
             | Finding a vulnerability and reporting it -> Good
             | 
             | Continuing to exploit the vulnerability after you've found
             | it just to satisfy your curiosity -> Bad
        
           | lsaferite wrote:
           | Asking the web server to give you information without lying
           | or falsifying any of your request data should in no way
           | equate to walking into random houses that are unlocked.
        
             | unyttigfjelltol wrote:
             | The proper analogy is-- you visit a public clerk and make a
             | formal request via a form, receive the requested document
             | from the clerk.
             | 
             | Then, while you're at the clerk's counter you notice a menu
             | up high above, like at a fast food restaurant, listing
             | random commands with no explanation. Curiously, you call
             | one out to the clerk and see what happens. The clerk
             | returns with a crushed can. You call out another. The clerk
             | dumps a roll of pennies on the counter.
             | 
             | That's not fraud, it's negligent supervision and stupid
             | design.
        
             | namdnay wrote:
             | I guess the argument would be that changing the number in
             | the URL is lying, as you are providing an ID that was not
             | assigned to you
             | 
             | (Playing devil's advocate here)
        
           | Talanes wrote:
           | It's a public website. If we have to use the doors analogy,
           | these are doors at City Hall, not people's houses.
        
             | vadfa wrote:
             | And it's a public street. It's what inside the houses
             | (URLs) that is not public.
        
               | drdeca wrote:
               | Doors (holes-become-walls / walls-become-holes) are for
               | controlling whether things can go through. URLs are for
               | letting things through.
               | 
               | A url is not a door, but an archway, or possibly a door
               | frame.
        
             | Spivak wrote:
             | Yeah you still can't just walk into the Mayor's office just
             | because it's unlocked. Access isn't authorization.
        
               | Talanes wrote:
               | And yet if I do just open the door to the Mayor's office
               | and it's unlocked and I wander in, that's still not the
               | same sort of trespass as entering someone's home.
               | 
               | And, if I'm in City Hall, the mechanism that keeps me
               | from entering the Mayor's office should be the security
               | guards and key-cards, not my disinclination to open a
               | door.
        
           | MrOrelliOReilly wrote:
           | Wow. The parent comment did not state they then sifted around
           | for personal data. They checked if there was a bug and found
           | it. For all we know the personal data is front and center, so
           | this rudimentary check also revealed personal information.
           | It's not like they said they downloaded the SSNs. Good job at
           | miming the ignorance and bad faith of the nameless bureaucrat
           | the parent comment mentioned though, maybe this is just
           | satire and I'm missing it..
        
             | [deleted]
        
             | rendall wrote:
             | > _After I shopped a few other companies to see how our
             | plans compared..._
             | 
             | You might have missed this part. I did, too, on first
             | reading. They did sift around.
        
           | __float wrote:
           | "malicious actors" is quite a strong statement, for someone
           | who was not really aiming to harm anyone or get much personal
           | gain from it.
        
         | throwaway743 wrote:
         | Having worked for a NYC government vendor who, unfortunately,
         | outsourced a huge chunk of dev work abroad due to low costs
         | (and I assume the manager's shady relationships with
         | outsourcers), the amount of bugs and blatant negligence I
         | observed in the delivered code was staggering. Even with said
         | mistakes the manager/project managers were more concerned with
         | getting the project out the door, so once delivered, they'd
         | ship usually without internal audit of the code.
         | 
         | It makes one wonder if this is the case with the healthcare
         | site you used, and whether or not this outsourcing of dev is
         | common practice among government vendors? If so, it seems that
         | we can only hope for something to fix these situations, given
         | that government seems to only care once shit hits the fan.
        
           | justin_oaks wrote:
           | I can understand outsourcing development, but I suspect part
           | of the problem with outsourcing the development is that QA of
           | the product is done by the same vendor.
           | 
           | "We investigated ourselves and found ourselves clear of any
           | wrongdoing."
        
             | YeBanKo wrote:
             | For IT it's often that whoever makes software, also tests
             | it. When dealing with outsourcers, there comes a level of
             | complexity. Government contractors don't have skin in the
             | game, and hence motivation to appropriately handle this
             | complexity.
        
         | bawolff wrote:
         | > After I shopped a few other companies to see how our plans
         | compared
         | 
         | Yeah once you start using a vulnerability maliciously to obtain
         | confidential data for your own personal gain, even if it's a
         | stupid vulnerability, you're not really a good-guy security
         | researcher anymore.
         | 
         | If all you did was the bare minimum to demonstrate the vuln
         | exists, that's cool. If after you do that you continue to use
         | it to obtain confidential info for your own gain or curiosity,
         | that's not so cool.
         | 
         | > Perhaps it's more difficult to hold yourself accountable than
         | it is to assume that others who've found your shoddy work are
         | malicious actors.
         | 
         | You literally just admitted to being a malicious actor in the
         | paragraph above.
        
           | bleachedsleet wrote:
           | Language cheapens itself when spoken cheaply. Abusing over
           | the top terminology on minute areas of controversy will
           | ultimately lessen the impact of your outrage when something
           | actually bad comes along. Someone browsing healthcare plans
           | available to other employees of different companies is not
           | something that should win you the label "malicious actor" and
           | come associated with other implications. This data leaking
           | harms literally nobody other than perhaps the company
           | offering the worst coverage to its employees. Your response
           | is the real problem here: If I had done this, reported it,
           | and then been called a "malicious actor" on a forum titled
           | "Hacker News" my knee jerk response would just be to shut up
           | about it next time.
        
             | bawolff wrote:
             | I used the word "malicious". It's not like I used the word
             | "murderer" or "evil overlord". I'm not saying OP should go
             | to jail or anything.
             | 
             | All I'm saying is if you find an exploit, and after you
             | verify it works, you continue to use it for your own
             | personal ends, you're no longer benign and you shouldn't
             | expect a warm welcome from the security team.
             | 
             | The line is when you start to use exploits on computers not
             | owned by yourself for your own ends instead of for the
             | purpose of verifying and reporting the vuln. Sure you could
             | cross that line a little bit or a lot, but you're not
             | innocent if you're over it.
        
               | gffrd wrote:
               | > you continue to use it for your own personal ends
               | 
               | I think this is what people may have been missing from
               | your original post: at some point things can go from
               | innocent to malicious.
               | 
               | "Crime of convenience" is the most common type, after
               | all.
               | 
               | "I'm not the type to steal, but the cash was left on the
               | counter, and ..."
        
               | dymax78 wrote:
               | > ... and you shouldn't expect a warm welcome from the
               | security team.
               | 
               | The appropriate response from the security team (after
               | verification) is to pull the site down or immediately
               | patch the vulnerability, if possible. Making an outbound
               | call to a third-party is pointless and irresponsible.
        
               | bawolff wrote:
               | I imagine having an assertion that the person didn't keep
               | any of the data might be important to legal. (Ianal)
        
           | BeFlatXIII wrote:
           | Oh no, not the heckin' confidential insurance negotiations!
           | What's the worst that can happen by those being exposed?
        
           | gffrd wrote:
           | > malicious actor
           | 
           | malice implies intent. If we take author at their word, there
           | wasn't any, though you could say they took it too far by
           | looking at other stuff they probably knew it was ethically
           | wrong to do so.
           | 
           | Though, sometimes it isn't clear you're in compromising
           | territory until you're in it.
           | 
           | If any of the confidential information obtained wrongly gets
           | used to advantage ... that's malice.
           | 
           | If the parent set out to exploit the insurer by finding
           | inconsistent/unfair pricing, etc etc ... that's malice.
        
             | bawolff wrote:
             | Hmm. You make a good point. Fair enough.
        
           | Dylan16807 wrote:
           | Browsing the different plans is not malicious. Jesus.
           | 
           | And the details of different plans is not the kind of
           | confidential info that innately deserves protection.
           | Investigating or recording personal information would be bad,
           | but they didn't do that.
        
             | JshWright wrote:
             | It wasn't just plan details though... They accessed names,
             | SSNs, etc.
        
             | jjkaczor wrote:
             | Exactly... for them to "benefit", they would have to:
             | 
             | Apply for jobs at the other companies with better plans,
             | proceed with interviews, offers and then finally accept one
             | and quit their job at their current employer... To reap the
             | rewards of their malicious hacking...
        
               | bawolff wrote:
               | More directly, they as employees could pressure their
               | bosses to renegotiate the insurance contract.
        
           | unethical_ban wrote:
           | You lost me at "maliciously".
           | 
           | What harm was done by someone comparing prices? What
           | organization lost money? Who got worse health service?
           | 
           | "Unethical" and malicious is the current, profit-driven
           | health insurance system.
           | 
           | I know you're coming at it from an absolutist perspective,
           | but I disagree entirely with passing judgement.
           | 
           | Furthermore, the fact that you seem more upset with the
           | person who glanced at a few plan prices rather than at the
           | healthcare system, or the incompetent website operators, is
           | telling.
        
             | NullPrefix wrote:
             | >What harm was done by someone comparing prices?
             | 
             | It removes the information asymmetry, which protects the
             | profits of the seller.
        
             | bee_rider wrote:
             | I definitely agree that this is not a big ethical breach in
             | terms of magnitude, but it is still better not to look.
             | Apparently this is not intended to be public information.
             | If this information is private, I guess the companies want
             | to derive some (slight) competitive advantage from not
             | sharing it. I think you could make a strong argument that
             | companies should make their healthcare offerings public
             | knowledge, but they aren't currently (I guess?). In any
             | case, access should be granted on the basis of an even
             | playing field.
        
             | spoonjim wrote:
             | If you accessed my medical records, nobody would be
             | "harmed" as they are fairly normal. It would still be
             | wrong.
        
               | Dylan16807 wrote:
               | Because it would be a privacy issue. But that assumes
               | they're looking at your information on purpose, and not
               | just some price tags.
        
         | dylan604 wrote:
         | Within an hour you say? That's incredibly fast. I'm impressed
         | by that fact alone regardless of the quality of the response.
         | I'd have been shocked by an email reply within an hour.
         | 
         | I would have thought using incrementing IDs in a URL was as
         | beaten a dead horse as sanitizing your strings in a SQL
         | query. Then again, ACA websites behaved as if the lowest bidder
         | was selected.
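
The two "dead horses" in the comment above are different bugs, and fixing one does not fix the other: a parameterised query stops SQL injection but says nothing about whether the caller is allowed to see the row it returns. The example below is added here (it is not code from the page or from any marketplace site); the plans table, employer names and details are constructed. It shows a record lookup that is injection-safe yet lets anyone walk the sequential IDs, beside the same lookup with the ownership check folded into the query, and an enumeration helper that does what the curious user in the story did.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: three employers' plans with sequential ids,
# which is what makes the id in the URL guessable.
SAMPLE_PLANS = [
    (1, "acme-corp", "PPO, $450/mo, $1500 deductible"),
    (2, "globex", "HMO, $380/mo, $2000 deductible"),
    (3, "initech", "HDHP, $290/mo, $4000 deductible"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE plans (id INTEGER PRIMARY KEY, employer TEXT NOT NULL, details TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO plans VALUES (?, ?, ?)", SAMPLE_PLANS)
    return conn


@dataclass
class Response:
    status: int
    body: Optional[str]


def get_plan_vulnerable(conn, session_employer: str, plan_id: int) -> Response:
    # Parameterised, so there is no injection. But the query never asks who
    # the caller is: whoever supplies an id gets that row. This is the
    # insecure-direct-object-reference bug; session_employer is unused.
    row = conn.execute("SELECT details FROM plans WHERE id = ?", (plan_id,)).fetchone()
    if row is None:
        return Response(404, None)
    return Response(200, row[0])


def get_plan_hardened(conn, session_employer: str, plan_id: int) -> Response:
    # Authorization is part of the lookup: the row must belong to the
    # caller's employer (taken from the server-side session, never from the
    # request). Answering 404 rather than 403 also avoids confirming that
    # other ids exist.
    row = conn.execute(
        "SELECT details FROM plans WHERE id = ? AND employer = ?",
        (plan_id, session_employer),
    ).fetchone()
    if row is None:
        return Response(404, None)
    return Response(200, row[0])


def enumerate_ids(handler, conn, session_employer: str, max_id: int = 10) -> list:
    """Walk ids 1..max_id as a curious user would; return (id, body) for every 200."""
    found = []
    for plan_id in range(1, max_id + 1):
        resp = handler(conn, session_employer, plan_id)
        if resp.status == 200:
            found.append((plan_id, resp.body))
    return found


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", enumerate_ids(get_plan_vulnerable, db, "globex"))
    print("hardened:  ", enumerate_ids(get_plan_hardened, db, "globex"))
```

Replacing the integer with a random UUID would only slow the walk down; the ownership predicate in the query is the fix, and the enumeration helper doubles as the regression test that keeps it there.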
        
         | kelnos wrote:
         | I don't think you're coming out of this looking too great,
         | either. After finding the vulnerability, you then exploited it
         | to gain an advantage, in addition to reporting it.
        
         | munk-a wrote:
         | > started grilling me about how many other plans I browsed
         | 
         | I think as soon as anything healthcare adjacent comes up most
         | people will feel the need to get very nosey about what you
         | accessed. It's possible they would have needed to file an
         | incident (though, honestly, they should've regardless of what
         | the reporter responded with) and gone through some procedure.
         | 
         | It's unfortunate the guy was a dick about it - but asking the
         | extent of the data you accessed probably isn't unreasonable and
         | may have been legally mandated.
        
         | mcguire wrote:
         | I don't know, that sounds like a pretty valid response given
         | that you "shopped a few other companies to see how our plans
         | compared".
        
           | klyrs wrote:
           | If I ask you to show me a document, and you willingly show me
           | the document, _who exactly_ is responsible for the
           | disclosure?
        
             | kamkazemoose wrote:
               | Say you are invited to your friend's apartment in an
             | apartment building, but none of the apartments have locks.
             | So you decide to open up some other random apartments and
             | look through their things, who is responsible?
        
               | frumper wrote:
               | the web isn't a collection of personal apartments
        
               | blisse wrote:
               | A closer analogy might be if none of the apartments had
               | doors, would you be allowed to step inside.
        
               | Miner49er wrote:
               | That's not even close to the same analogy though. This
               | would be like knocking on the door, asking if you can
               | come in, and the person living there letting you in. Then
               | getting mad about it later even though they let you in.
        
               | BizarroLand wrote:
               | More like your friend let you into their apartment but
               | then got upset that you went into the dining room when
               | they only intended for you to go into the living room.
        
               | ModernMech wrote:
               | I think that's a valid response if the person letting you
               | in wasn't expecting you and didn't want you there. Like,
               | what are you doing knocking on random doors and going
               | into random places just to look around? That's not honest
               | behavior. Honest behavior is that if you know you're not
               | supposed to have access to a thing, you shouldn't obtain
               | access to the thing even if you technically can. I think
               | it's pretty clear that you shouldn't have access to
               | another company's healthcare plans. The first one is a
               | mistake, maybe. The subsequent browsing and comparison
               | shopping of restricted materials is definitely not okay
               | though, and the harsh, suspicious response was warranted.
        
               | jaywalk wrote:
               | >if the person letting you in wasn't expecting you and
               | didn't want you there.
               | 
               | Then they shouldn't have let you in. How are you
               | completely absolving them of responsibility when all they
               | had to do was say "Who the hell are you? No, you can't
               | come in."
        
               | ModernMech wrote:
               | Well, to go with the analogy more: I leave my door
               | unlocked because I'm expecting someone. There's a knock
               | at my door and I yell "Come in" without looking at who is
               | at the door. Not an unreasonable thing, happens all the
               | time. When I finally look, I find you in my house, going
               | through all of my things, for no reason other than you
               | wanted to gain insight on my financial situation.
               | 
               | Do I bear responsibility for letting you in? Yes. Should
               | you be there? No. Should you have knocked on the door?
               | No. Should you have tried the same at my neighbor's house
               | and every house on my block? No. In this metaphor and in
               | the original context, everyone is acting with honest
               | intent except the actor knowingly trying to access
               | obviously confidential documents.
        
               | jaywalk wrote:
               | You let me in knowing exactly who I was. You showed me
               | some stuff I wanted to see, but sitting right next to it,
               | out in the open, was stuff you _didn't_ want me to see.
               | All I had to do was look somewhere other than where you
               | were pointing, and I did that. And then you got mad at me
               | for looking at the stuff and called the police.
        
               | ModernMech wrote:
               | > All I had to do was look somewhere other than where you
               | were pointing, and I did that.
               | 
               | The way you phrase this makes it seem like accessing the
               | documents was a mistake. Maybe the first one was, but I
               | think the thing you are missing about the OP's story is
               | that the behavior was repeated. I think the first
               | instance was arguably okay. But subsequent access with
               | the knowledge that what they were accessing was not
               | intended for them is in my eyes beyond a mere
               | misunderstanding.
               | 
               | You also have to remember that having physical or digital
               | access to a thing is not the same as having permission to
               | view the thing. For example, if a "Top Secret" document
               | is delivered to your house with your name and address
               | attached to it, if you read it without the appropriate
               | clearance you will still be in trouble. The legality of
               | such a thing is well established in that case, but the
               | principle is the same: even though you have access to a
               | thing and all you have to do is move your eyes in some
               | direction to see it, the act of seeing it is still at
               | minimum an ethical breach (why are you looking at things
               | that you know don't belong to you?).
               | 
               | I guess this is the fundamental philosophical and ethical
               | question: do you believe you are entitled to know any
               | information as long as you have the technical ability to
               | physically or digitally access that information? What if
               | I have medical records on a screen in a room you are in,
               | and all you have to do is move your eyes over to see my
               | most personal info? Are you entitled to read that
               | information because it's visible to you? Or do you think
               | you owe it to others not to breach their privacy even though
               | you have the ability to do so? Would you be mad if
               | someone violated your privacy, and then retorted with
               | "well you should have implemented some better
               | technology to prevent me from moving my eyes in that
               | direction"? I guess in that scenario you would have to
               | blame yourself and your technological abilities, and not
               | the person violating your privacy.
        
               | MangezBien wrote:
               | It doesn't mean I am there illegally though. Maybe I am
               | there for some other reason and I thought you wanted to
               | let me in.
        
               | ModernMech wrote:
               | No one said anything about legality. I'm still going to
               | yell at you to gtfo and never come back again, and I
               | don't see why it would be surprising that I would.
               | 
               | Let's drop the metaphor. The original story was that
               | someone accessed a number of documents they weren't
               | supposed to but technically could, and the question was
               | whether or not it was reasonable that the owners of
               | the documents were upset with that.
               | 
               | I argue there was good reason to be upset given the facts
               | on the ground. In this particular situation, the original
               | poster was there to access their own document. Having
               | accessed someone else's document, that would be the point
               | at which the behavior crosses from legitimate to
               | illegitimate if it continues. Leaving at that point would
               | be one appropriate response. But systematically going
               | through a number of different documents goes beyond a
               | mistake and into the realm of intentionally exploiting
               | this security issue for unauthorized purposes. That's
               | when it crosses from "honest mistake" to "dishonest
               | exploitation".
               | 
               | I have no idea about the illegality of the issue. But the
               | fact is plain that this person was not the intended
               | recipient of the documents, they knew they weren't the
               | intended recipient, and then after realizing the nature
               | of the exploit, they continued to use it.
               | 
               | This is not the same as knocking on a door for a
               | legitimate reason, being let in, and then the person
               | inside being mad you're there. It's knocking on a door
               | for _no_ reason or a _malicious_ reason, knowingly doing
               | something inside the resident doesn't want you to do,
               | and then wondering why they are mad at you.
        
               | MangezBien wrote:
               | The only person to be upset at is the one who didn't put
               | access control on the site. That was a publicly
               | available endpoint. The better analogy is putting
               | something private on a public bulletin board and being
               | mad if someone read something you didn't want them to.
        
               | ModernMech wrote:
               | A billboard is a broadcast message though, whereas an
               | HTTP request is more like a back and forth exchange
               | between two participants. So I think the original
               | knock->response->enter is a better metaphor.
        
               | kelnos wrote:
               | No, this is more like if you asked the landlord to let
               | you in, and then they did, without the permission of the
               | tenant. The tenant would completely be within their
               | rights to be angry about that. Both at you and the
               | landlord.
        
               | dzhiurgis wrote:
               | More like - you go to a supermarket bathroom, checking each
               | stall, and find one person is pooping with the door unlocked
        
               | the_arun wrote:
               | I think in this example both are equally responsible:
               | 
               | 1. People who kept their doors unlocked
               | 
               | 2. Person who randomly entered doors & found things.
               | 
               | We need to take care of security of our properties,
               | though stealing is wrong.
        
               | klyrs wrote:
               | Nope, opening an unlocked door is still considered
               | break&enter. AFAIK, the "unlocked door" can even be a
               | beaded curtain. Turns out that the legal definition of
               | "break" in this context is extremely old and doesn't
               | correspond to lay usage anymore.
               | 
               | But I think that a better analogy would be asking the
               | apartment manager to see your payment history and getting
               | handed the entire apartment building's ledger.
        
               | pwillia7 wrote:
               | I was thinking of a similar analogy but I don't think it
               | holds.
               | 
               | The right analogy would be if I was in the apartment
               | complex and I said to a door not mine "I'm home open up!"
               | If the door opened and I did it intentionally, am I
               | liable?
               | 
               | I still feel like yes but since you have to request the
               | document and receive it I think it's different than just
               | checking locks.
        
               | Keyframe wrote:
               | I think we're all grown-ups here and don't need
               | analogies.
        
               | fshbbdssbbgdd wrote:
               | People of all ages suffer from confirmation bias.
               | Analogies can be useful because they allow someone to
               | appreciate the logic of an argument while temporarily
               | dissociating from strongly-held opinions. After the
               | framing moves back to the question under debate, the
               | logic might stick. At least all parties might understand
               | everyone's perspective better after a few analogies are
               | exchanged.
        
               | sodality2 wrote:
               | Not if everyone constantly shifts the analogy so their
               | argument still works ;)
        
               | bee_rider wrote:
               | Indeed -- it is like if arguments were things to
               | transport, and analogies were cars... wait, no, they are
               | railroad cars.
               | 
               | So the argument is a heist occurring on a train, so we've
               | got the thing that we're trying to heist (which would be
               | our point) and then we're shifting it from one car to
               | another. And some of the analogies here are clearly like
               | passenger coaches, but others are more like those... coal
               | transporting car, whatever they are called... and at some
               | point we move to the inappropriate railroad car and drop
               | the point in the coal which obscures it.
               | 
               | Anyway, the point is that at some point you really just
               | hope that some conventional train robbers will show up
               | and derail the whole thing because it has gotten too
               | convoluted to follow.
        
               | Talanes wrote:
               | The analogies in this thread are mostly only furthering
               | confirmation bias.
               | 
               | Because any physical analogy is such a poor
               | representation of how a website actually works, everyone
               | just cherry-picks the analogy that demonstrates the logic
               | they believe should apply, and then tries to constrain
               | the argument to that logic via analogy.
        
               | jerf wrote:
               | Analogies are never helpful for things like this.
               | 
               | We don't need to reach for analogies to observe that
               | while the _theoretical ideal_ is to report it after just
               | one false access, no significant damage was done by
               | accessing just a few more via human manipulation of the
               | browser URL, with no recording or sharing of the results.
               | From a human perspective, no damage was done.
               | 
               | Whether that legally crosses a line involves a whole lot
               | of details that few, if any, people here will be able to
               | speak to, because of the complication of the law, and
               | HN's conclusion as to the legality is of marginal
               | interest even if someone competent were to give an
               | opinion.
               | 
               | We _can_ speak to the fact that _even if_ it does
               | technically cross a line, a prosecutor really ought to
               | use their discretion to not prosecute since nobody was
               | hurt. We can say that because that's just an opinion. I
               | expect we don't have very many people here who actually
               | want the book thrown here (though, as always, enough read
               | this that it's probably non-zero).
        
               | mcguire wrote:
               | There's no evidence from the original comment that
               | _anyone invoked any legal lines._ Instead, they seem to
               | be upset that the person they reported the incident to
               | _asked them questions about exactly what they did_ rather
               | than being effusively grateful.
        
               | kelnos wrote:
               | I don't think quantifiable significant damage should be
               | the bar we use, though that should act to moderate the
               | consequences.
               | 
               | OP admitted to _continue_ changing URLs in order to check
               | out what plans other companies were getting and what they
               | cost. That means OP downloaded lists of employee names,
               | ages, SSNs, and other data. If I were an employee at one
               | of these other companies, I'd be pissed at OP for that.
               | I'd be even more pissed at the people who built the
               | marketplace website for making the rookie security
               | mistake that allowed it, but it's absolutely not ok to
               | download other people's information when you shouldn't
               | have access to it, and use that to your own advantage.
               | 
               | Sure, I don't think this is something that should be
               | prosecuted as a CFAA violation with big fines and jail
               | time. That's not a proportionate response. But I also
               | don't think we should signal that it's ok to look at (and
               | use!) other people's data just because someone else
               | forgot to lock it up properly. I think, for example,
               | something on the level of a parking ticket would be
               | appropriate here.
               | 
               | If OP had changed the URL once, found the vulnerability,
               | and then immediately closed the page and reported the
               | problem, I would see nothing bad in what they did. But
               | they didn't merely do that, and IMO crossed the line in
               | their subsequent actions.
        
             | bawolff wrote:
             | In real life, if you do it under false pretenses, you are.
             | In this analogy the real-world version would be considered
             | fraud.
        
               | rtkwe wrote:
               | In our version though the system can require you to show
               | whatever ID or authentication the designer decides so how
               | can any process as simple as changing an ID in the URL be
               | fraudulent? In this example the person who browsed other
               | plans either wasn't asked for any ID or the person
               | fetching the documents didn't check authorization. Either
               | one is negligence on the department's/site's side.
        
               | rpdillon wrote:
               | Not sure I see how. More like the records office decided
               | that, rather than staffing the front desk to handle
               | records requests, they instead just dumped an unlocked
               | filing cabinet into an alcove off the hallway with an
               | arrow pointing to it labelled "Health Care Plans".
               | Essentially identical to blaming users for finding an
               | unsecured S3 bucket or MongoDB instance: it's on the
               | operator to secure the data.
        
               | bee_rider wrote:
               | It is more like the records office decided that, but
               | didn't tell the people who they were holding records for
               | that they didn't feel like staffing the desk. The records
               | office is of course 99% to blame for their incompetence
               | here, but it is still a bummer for the people who trusted
               | them, and better not to look.
        
               | kelnos wrote:
               | > _Essentially identical to blaming users for finding an
               | unsecured S3 bucket or MongoDB instance_
               | 
               | I agree that it's unreasonable to blame users for
               | _finding_ things like that. But if those same users are
               | downloading all the data and making use of it for their
               | own purposes, that's not ok. Finding a vulnerability and
               | reporting it is an admirable thing to do; exploiting that
               | vulnerability yourself is not.
        
               | dragonwriter wrote:
               | > In real life, if you do it under false pretenses, you
               | are.
               | 
               | Sure, but how is that relevant? What material false
               | representation was made which was relied on in deciding
               | to provide the data?
        
               | Spivak wrote:
               | Because servers don't decide anything. They're autonomous
               | systems imperfectly carrying out the will of humans who
               | make the actual authorization decisions. If a computer
               | system erroneously prints an extra 0 on a check mailed
               | out to you that doesn't mean you get to keep the money
               | because the computer isn't the entity that decides how
               | much money you're owed.
        
               | dragonwriter wrote:
               | > Because servers don't decide anything.
               | 
               | If there was no decision, much less one based on
               | materially false information, there can be no charge
               | related to false pretenses. Your argument against
               | decisionmaking is an argument _against_ your claim of
               | false pretenses.
               | 
               | > If a computer system erroneously prints an extra 0 on a
               | check mailed out to you that doesn't mean you get to keep
               | the money because the computer isn't the entity that
               | decides how much money you're owed.
               | 
               | That's neither entirely true _nor_ at all relevant to
               | your false pretenses claim.
        
               | Dylan16807 wrote:
               | Asking for the next file isn't false pretenses. I don't
               | know if this analogy works quite right. Even rifling
               | through a file cabinet wouldn't be false pretenses, it
               | would be something else.
               | 
               | And you have to cause injury for it to be fraud. Is "Help
               | I was too honest to a customer." a valid injury claim?
        
               | bawolff wrote:
               | I think the analogy would be going up to the desk and
               | saying: my id number is X (when it's really Y), can I have
               | my file.
               | 
               | If you convince them that you really are X and they give
               | you the file, I think that would be considered fraudulent.
               | Whether or not an injury takes place to raise it to the
               | level of fraud i guess depends on what was in the file,
               | but in countries with strong privacy laws, someone would
               | probably be in a heap of trouble.
        
               | strofcon wrote:
               | Except that's not at all what they did - they simply
               | accessed files that _had been made public by the service
               | provider_.
               | 
               | To be able to log in as BoBibbidyFooBar, and subsequently
               | access ANY company's info in the system _without changing
               | their identity_ from BoBibbidyFooBar does not, in any
               | way, constitute any sort of fraud. It literally cannot,
               | by any sensible definition.
        
               | kelnos wrote:
               | Intent matters. The service provider clearly did not
               | intend that the files should be public. They screwed up,
               | and they should take responsibility for that. But that
               | doesn't make it ok to know about the security issue and
               | download as many documents as you can in order to use
               | them for your own purposes. Perhaps that wouldn't be
               | "fraud" based on whatever definition you're using, but
               | it's clearly unethical and immoral, and IMO hopefully
               | illegal as well.
        
               | tragictrash wrote:
               | But they didn't do that. They just asked for a different
               | file, not misrepresenting their identity.
        
               | Retric wrote:
               | He had already given his correct details to be able to
               | view plans. It's like calling the cops to get your
               | accident report then asking for the next higher numbers
               | and they give it to you.
        
               | jaywalk wrote:
               | Nope, no way. Your analogy is wrong.
               | 
               | A better analogy would be you asking for your files, and
               | then the secretary taking you to a filing cabinet
               | containing everyone's files right there with yours. You
               | don't have to lie about who you are, you can just look at
               | other files because they're right there in the place that
               | you were just given access to.
        
               | celtain wrote:
               | How is that analogy wrong? Both in terms of the technical
               | implementation and the subjective user experience, you're
               | making separate requests for a document each time.
               | 
               | Analogies are always going to be imperfect, but I can't
               | see the argument that the "separate request" analogy is
               | any worse than yours, let alone "wrong".
        
               | Spivak wrote:
               | And even in that case you're still not allowed to look at
               | other people's documents. Like it doesn't matter that
               | they're right in front of you, you still haven't been
               | given authorization.
        
               | jjav wrote:
               | > I think the analogy would be going up to the desk and
               | saying: my id number is X (when it's really Y), can I have
               | my file.
               | 
               | Not at all because what you describe involves
               | impersonating someone else.
               | 
               | In the OP case, they were authenticated in the session as
               | themselves and always acted under the truthful identity
               | and asked for a document and access was granted.
               | 
               | So the analogy would be going up to the desk and saying:
               | I'm John Doe, my id number is X (truthful value), could I
               | see file ABC? And the attendant checks that id==X does
               | have access to document ABC, and thus hands it over.
        
               | formerly_proven wrote:
               | The closest real-life equivalent to asking a computer
               | server for a document and getting it is asking a human
               | server (e.g. office clerk, archivist) for a document and
               | getting it. If I go to the IRS to do some paperwork and
               | notice it says "File #7881991" in the top right corner
               | and I go to the clerk and ask them "Hey, can I have files
               | 7881992 and 7881993, too?" _and they give them to me_ ,
               | who is liable for that? It's quite obvious.
        
               | tomrod wrote:
               | This is 100% the correct analogy.
        
               | Spivak wrote:
               | But this is assuming that the server has more agency than
               | it does. Servers don't have minds and they don't make
               | authorization decisions. This is more like someone giving
               | you the key to a filing cabinet in order to retrieve some
               | documents and while you're there you snoop on the ones
               | next to yours.
               | 
               | Is this system more trusting of people than it should be?
               | Probably. Does that mean you're allowed to snoop on other
               | people's documents -- nope.
        
               | tremon wrote:
               | _But this is assuming that the server has more agency
               | than it does._
               | 
               | No, it merely assumes the server is acting on authority
               | of the organization identified by the domain name. It
               | doesn't assume agency, only representation.
        
               | toqy wrote:
               | If you give me the key to the files and don't explicitly
               | forbid me then it certainly does mean I'm "allowed" to
               | look at the documents. You literally and explicitly just
               | allowed me to do so by granting me access.
        
               | tomrod wrote:
               | Right. The server is not liable. The people who set up
               | the server to serve application data for every client to
               | any client are.
               | 
               | Just like the IRS admin assistant in the example, they
               | were the agent who caused the transfer. The filing
               | cabinet/server is not the agent, simply the repository
               | responding to the system and practices in place.
        
               | bawolff wrote:
               | Users don't normally construct URLs by hand. Wouldn't the
               | equivalent more be like:
               | 
               | You filled out some form to request a document from the
               | IRS. You give the form to the person, they give you the
               | document.
               | 
               | You notice they don't check IDs, so you change the name on
               | the form, and get someone else's document.
               | 
               | This definitely seems to fit the definition of fraud:
               | 
               | 380 (1) Every one who, by deceit, falsehood or other
               | fraudulent means, whether or not it is a false pretence
               | within the meaning of this Act, defrauds the public or
               | any person, whether ascertained or not, of any property,
               | money or valuable security or any service [that's the
               | Canada definition]
        
               | strofcon wrote:
               | But... they didn't change their name on the form. They
               | literally just said "I'm still me, but I want this other
               | file now, please."
               | 
               | All company data was, in OP's scenario, _made public to
               | any and all authenticated users._
               | 
               | There is no way to rationally spin this as a malicious
               | act, in my view.
        
               | bawolff wrote:
               | Well they changed an id number. I guess the real life
               | version would be changing the SSN number on the form.
        
               | MangezBien wrote:
               | An SSN is considered private info, the plan number
               | wouldn't be.
        
               | mcguire wrote:
               | No one is claiming "I'm still me, but I want this other
               | file now, please." is a malicious act.
               | 
               | Downloading a number of them and comparing information,
               | however, is not necessarily malicious but rather sketchy.
        
               | kelnos wrote:
               | I don't think simply changing the ID in the URL to see
               | what would happen is itself a malicious act. But, after
               | discovering the vulnerability, OP admitted to continuing
               | to exploit the vulnerability so they could make use of
               | the information they'd gotten, information that they
               | should not have access to. _That_ part of it is
               | _actively_ malicious.
        
               | Dylan16807 wrote:
               | I don't think changing the _name_ is a fair comparison.
               | 
               | This definition of fraud doesn't define the word
               | "defraud"? I don't know how I'm supposed to see if it
               | fits or not.
               | 
               | It can't mean _any_ action, or going into a store, lying
               | about my name, and asking what aisle has baked beans
               | would fit. Because that has "deceit" and "any service".
               | 
               | If I interpret things as the service being minimal and
               | provided for free, so that I'm not deceptively getting
               | _the service_ , then we have to look at what actually
               | gets _sent_ to me, and whether it's "property, money or
               | valuable security". And since it's just a copy of the
               | data sent at no cost, it's much harder to argue fraud
               | exists.
        
               | kelnos wrote:
               | The data in this case clearly had value; OP admitted to
               | continuing to change numbers in the URL to get more
               | information about what plans other companies were signing
               | up for, because that information was valuable to them.
        
               | Talanes wrote:
               | You're assuming the "because that information was
               | valuable to them" part. Or you're using such a broad
               | definition of valuable that would also make this comment
               | thread valuable because I have refreshed it multiple
               | times.
               | 
               | While you could construct hypotheticals where OP is using
               | the health plan information to gain actual value, they
               | are all so far-fetched I wouldn't buy them as a fictional
               | plotline. Dude was probably just curious.
        
               | White_Wolf wrote:
               | "deceit, falsehood or other fraudulent means" => editing
               | the URL is neither of those. Forging a cookie for access
               | is, just like randomly trying passwords and usernames.
               | 
               | The closest real life example I can think of would be
               | along the lines of: - your car is in a public parking
               | space and someone looks inside vs - the same car is in the
               | garage and someone breaks the door to look inside your
               | car
        
               | marcellus23 wrote:
               | A closer analogy would be that you keep the name as your
               | name, but change the # of the document you're requesting.
               | It's the IRS's job to ensure you're allowed to retrieve
               | that doc.
        
               | kelnos wrote:
               | Sure, but I guarantee you that if the IRS screwed up and
               | gave you the other doc, and you made use of that
               | information (rather than immediately turning around and
               | saying "um, IRS, I think you made a mistake; this doc
               | doesn't belong to me"), you'd be in trouble as well.
        
               | marcellus23 wrote:
               | Haha that's fair.
        
               | kelnos wrote:
               | No, it's not, because computers and humans are not the
               | same. A computer might give away too much information
               | because someone misconfigured it. The closest human analog
               | to that would be if the human was improperly trained in
               | what information they're supposed to give out. But the
               | human also has other options: they could be tricked into
               | giving out more information than they should, or they
               | could be giving out more information because they're
               | being paid off or given some other benefit.
               | 
               | You can certainly assign various levels of blame and
               | responsibility to the human "server" in those scenarios.
               | But the human on the other side of the interaction, the
               | one requesting information, doesn't magically become free
               | of reproach. If they are requesting information they know
               | they should not have access to, and then making use of
               | that information for their own gain, they're guilty too.
               | 
               | There's a _very_ narrow carve-out for the white-hat:
               | requesting information with the intent of uncovering
               | vulnerabilities, with the intent to help them get fixed.
               | We expect a white-hat actor here to destroy and not make
               | use of any information they obtain that they shouldn't
               | have.
               | 
               | > _If I go to the IRS to do some paperwork and notice it
               | says "File #7881991" in the top right corner and I go to
               | the clerk and ask them "Hey, can I have files 7881992 and
               | 7881993, too?" and they give them to me, who is liable
               | for that? It's quite obvious._
               | 
               | Yes, it is obvious: the clerk is liable for giving you
               | something they shouldn't have, and you are liable for
               | fraudulently representing yourself as someone who should
               | have access to those files.
               | 
               | I don't get where this idea of "the other person let me
               | do the crime, so the crime is ok" comes from. That's just
               | not how the law works in the real world. If you then
               | walked out of the IRS office with those files, I would
               | absolutely expect you to get arrested. (Even if you
               | immediately gave the files back, you'd probably be on
               | shaky legal ground.)
        
               | benlivengood wrote:
               | > Yes, it is obvious: the clerk is liable for giving you
               | something they shouldn't have, and you are liable for
               | fraudulently representing yourself as someone who should
               | have access to those files.
               | 
               | It's always okay to ask for things. There would be no way
               | for society to adapt, progress, or change if people were
               | limited to only asking for things that they knew in
               | advance they were allowed to have. If it's legal for a
               | telemarketer, pollster, reporter, cop, or recruiter to
               | contact me and ask me questions then it's just as legal
               | for me to contact and ask a web server a question. The
               | correct response to unauthorized requests is a 4xx, not a
               | lawsuit.
               | 
               | More to the point, what makes it okay to ask a new web
               | server for "/" without permission? Even if browse-through
               | terms of service were legally enforceable they aren't
               | known to the user or the browser before making the first
               | connection and request.
               | 
               | If a web server doesn't want to answer questions then
               | don't connect it to the Internet.
        
               | bawolff wrote:
               | It is the intent of the act, not the act itself, that is
               | important.
               | 
               | If you know doing x will cause y, then when you do x you
               | are doing y and you are responsible for the consequences
               | of doing y. It doesn't matter what x was.
               | 
               | This is especially true in the real world.
        
             | Muromec wrote:
             | It's not the point. Of course they built a stupidly insecure
             | system, and of course sending people to jail for finding
             | out such holes is wrong, but on the other hand an ethical
             | person should stop their access to personal data which they
             | are not supposed to see after confirming that the vulnerability
             | exists and not make copies of said data.
        
             | mcguire wrote:
             | Because you _can_ do a thing does not mean you _should_ do
             | a thing.
             | 
             | If the security system is broken and you do exactly what it
             | should be preventing, then you report it and get upset
             | because they ask questions about you doing exactly what you
             | did?
        
             | kelnos wrote:
             | Accessing data that you are not authorized to view is still
             | wrong. The fact that someone has misconfigured the access
             | controls doesn't change that.
             | 
             | I might forget to lock my front door one day, but that
             | doesn't make it ok for you to wander into my house and look
             | at all my stuff.
        
               | BizarroLand wrote:
               | If you make a library open to the public but then get
               | upset they are reading the books, who is in the wrong
               | here?
        
               | qorrect wrote:
               | > Accessing data that you are not authorized to view is
               | still wrong.
               | 
               | So if a piece of paper flies in my face and has company
               | secrets and I manage to look at it, I'm at fault here?
               | 
               | > I might forget to lock my front door one day, but that
               | doesn't make it ok
               | 
               | Sorry but if you're not going to secure your belongings,
               | then expect to be robbed.
               | 
               | Being 'ok' has nothing to do with it.
        
               | bigiain wrote:
               | > Sorry but if you're not going to secure your
               | belongings, then expect to be robbed.
               | 
               | It's not even "getting robbed" really. Nobody here
               | deprived the owner of anything. It's more like:
               | 
               | Sorry but if you're not going to secure your belongings,
               | then expect to have people look at your stuff.
        
               | jjk166 wrote:
               | Well in this case I'm knocking on your door and you're
               | opening the door saying "Come right on in!"
               | 
               | Requesting access (ie knocking on a door/typing a url) is
               | not illegal. If you grant that request (ie invite me
               | in/serving a webpage), I am under no obligation to
               | psychically infer that you didn't mean to and refuse your
               | invitation.
        
               | tremon wrote:
             | If I send an HTTP request, and the server -who I believe
               | is acting on behalf of the publishing party- sends a 200
               | OK response along with the data, how am I to conclude I
               | wasn't authorized? Since when is authorization the
               | client's responsibility?
        
               | bigiain wrote:
               | Yep.
               | 
               | Send me a 401 (or a 403) status and I'll know I'm not
               | authorised.
               | 
               | In the physical world, nobody would lawyer up and go to
               | court if someone walked through an open door with a sign
               | saying "public entry here" and saw something
               | confidential.
               | 
               | If you have confidential information around in the
               | physical world, you make sure you have facilities staff
               | who know the difference between "public entry here" signs
               | and "authorised personnel only" signs. You also have
               | facilities staff who know how to fit door locks and door
               | closers, and security staff who know how to choose
               | appropriate locks and to enforce compliance of locking
               | doors. And if all that breaks down, it's not Joe
               | Concerned-Citizen who tells you about it, or even Mallory
               | from your competitor who waltzes out with trade secrets
               | who gets held to account, it's the manager and/or
               | executive in charge of facilities and security who'd be
               | answering the difficult questions, probably with their
               | lawyer at their side.
               | 
             | It's sad that the legal system hasn't yet started to hold
               | people to account for having incompetent web developers
               | and server operators.
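The point made in the last few comments (the server answers 200, 401 or 403, and the client cannot be expected to guess at an authorization the server never expressed) as an added example written for this page. It is not code from the newspaper, the state or any commenter; the Teacher record, the audience names, the handler functions and the sample data are all invented for illustration.

```python
"""Added example, not code from the thread, the newspaper or the state:
a minimal model of the point above, that authorization is decided and
enforced by the server before a body is ever built, and that a 200 with
data is the server's statement that the requester may have it.

Two layers are shown: (1) authorize() maps the requester's session to
the status code the server sends (401 when nobody is identified, 403
when the caller is known but not permitted, 200 otherwise); (2) even on
a 200 the body is built from a per-audience field allowlist, so a
record that carries an SSN internally never serializes it for the
public search page. All names (Teacher, roles, render_search_result)
and the sample record are invented for illustration.
"""
from dataclasses import dataclass
from html import escape
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Teacher:
    surrogate_id: str   # opaque key that is safe to put in ids, URLs, hidden inputs
    name: str
    certificate: str
    ssn: str            # sensitive: present in the record, never in public output


# Deny by default: a field reaches a response only if its audience lists it.
FIELDS_BY_AUDIENCE: Dict[str, Tuple[str, ...]] = {
    "public": ("surrogate_id", "name", "certificate"),
    "auditor": ("surrogate_id", "name", "certificate", "ssn"),
}


def authorize(session_role: Optional[str], requested_view: str) -> int:
    """Return the HTTP status the server should send for this request."""
    if requested_view == "public":
        return 200          # anonymous certificate search is intended behaviour
    if session_role is None:
        return 401          # no identity presented: challenge for credentials
    if session_role != requested_view:
        return 403          # identified, but this audience is not permitted
    return 200


def project(record: Teacher, audience: str) -> Dict[str, str]:
    """Copy only the fields allowlisted for this audience."""
    return {f: getattr(record, f) for f in FIELDS_BY_AUDIENCE[audience]}


def render_search_result(record: Teacher, audience: str) -> str:
    """Render one result row from the projected view, never from the raw record.

    The row id and the hidden input carry the surrogate key, so a table whose
    primary key happened to be the SSN would still not leak it into the markup.
    """
    view = project(record, audience)
    sid = escape(view["surrogate_id"])
    cells = "".join(f"<td>{escape(str(v))}</td>" for v in view.values())
    return (f'<tr id="t-{sid}">{cells}'
            f'<td><input type="hidden" name="teacher" value="{sid}"></td></tr>')


def handle(session_role: Optional[str], requested_view: str,
           record: Teacher) -> Tuple[int, str]:
    """Status first; a body is only built when the status is 200."""
    status = authorize(session_role, requested_view)
    if status != 200:
        return status, ""
    return status, render_search_result(record, requested_view)


# Constructed sample; 123-45-6789 is a well-known placeholder, not a real SSN.
SAMPLE = Teacher(surrogate_id="a8f3c1", name="J. Doe",
                 certificate="Elementary 1-6", ssn="123-45-6789")

if __name__ == "__main__":
    for role, view in [(None, "public"), (None, "auditor"),
                       ("teacher", "auditor"), ("auditor", "auditor")]:
        status, body = handle(role, view, SAMPLE)
        print(role, view, status, "ssn in body:", "123-45-6789" in body)
```

The design choice worth noticing is that the public page never sees the raw record at all: rendering takes the projected view, so a later template change cannot reach for a field the audience is not allowed. A hidden input or a row id that needs a key gets a surrogate, which is the cheap fix for the "SSN used as the row identifier" failure mode speculated about further down the thread.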
        
           | solveit wrote:
           | Being wary of the guy, sure. But it's a terrible response in
           | general. The correct response is to _take the site down_!
           | Monitoring IP addresses? Really?
           | 
           | First, it's trivial to just use a different IP address.
           | Second, even if you could track people perfectly, which you
           | can't, who the hell thinks it's okay for data to get leaked
           | as long as you know who it gets leaked to?
        
             | throwaway894345 wrote:
             | It's not a _nice_ response, but IT needs to be able to
             | answer questions about the extent of a given breach (what
             | info was accessed by whom and when). This is a legal
             | requirement in the case of health information. Ideally
             | people could be courteous while fulfilling their legal
             | obligations, but IT folks aren't generally chosen for their
             | public relations or customer service skills.
        
               | frumper wrote:
               | If he can monitor ip addresses to make sure this guy
               | isn't browsing anymore, then he should be able to check
               | those same logs to answer his own question. If you want
               | people that have zero obligation to help you then you
               | should probably be nice to them. The nefarious criminal
               | isn't going to report things like this to you.
        
               | throwaway894345 wrote:
               | I already agreed that this doesn't warrant unkindness.
        
               | vageli wrote:
               | In those situations you get a third-party in for
               | forensics, you don't typically ask the people who
               | breached how large the breach is (why would you take them
               | at their word anyway? aren't they incentivized to
               | downplay, etc).
        
               | marcus0x62 wrote:
               | Yes, and they need to do that based on the forensic data
               | available to them, even if the answer is "we don't know,
               | it could be everything.". Asking the person who caused
               | the breach to explain the extent of your data loss is not
               | an acceptable, or reliable, practice.
        
               | throwaway894345 wrote:
               | I don't expect that it is sufficient, but it probably
               | gives the IT person something to tell their boss in the
               | short term: "We'll verify, but he says he only accessed
               | X".
        
               | ajmurmann wrote:
               | Assessing the scope of the breach, sure. "Fixing" the
               | breach by monitoring a single IP address's access
               | patterns not so much. The site needed to be taken down
               | till a mitigation has been deployed.
        
               | throwaway894345 wrote:
               | Agreed.
        
             | dymax78 wrote:
             | Vehemently agree. The response demonstrates, if nothing
             | else, the lack of an appropriate Incident Response Plan. A
             | competent legal team would not vet and approve such a
             | response, instead redirecting it through the appropriate
             | channels if they felt the need to respond directly.
        
         | invisible wrote:
         | What's bonkers is that _your own data_ was also accessible.
         | Who's to say other users didn't get that data and choose to not
         | report and kept the data?
         | 
         | Your own outrage to your data being exposed would have been
         | perfectly reasonable.
        
         | rapind wrote:
         | "No, I didn't look at any other plans, but I've notified our
         | lawyer who is now compiling the list of exposed company plans
         | before she contacts each of these companies for class action
         | suit proceedings".
        
         | vmception wrote:
         | it's best to assume Responsible Disclosure(tm) is a psyop to
         | find gullible people
        
         | cm2187 wrote:
         | How is it a bad response? They want to know what data has been
         | exposed and ensure you delete that data. That's data leak 101.
         | Why would you be defensive about it?
        
           | bbarnett wrote:
           | When someone is kind, helpful, and goes out of their way to
           | help you, for free!!, you have no business demanding,
           | insisting, or threatening a single thing.
           | 
           | Proper response would have been "Wow! Thanks!" and at worst
           | "Please don't share what you saw, and thanks again."
        
           | lazide wrote:
           | Because he was clearly trying to threaten him?
        
           | yonixw wrote:
           | The point being that the IT guy made sure this guy will never
           | try to report on anything again. As they will ".. would be
           | watching .. at our IP address .. while the issue was being
           | fixed."
           | 
           | Instead of a normal company having a bug bounty and sometimes
           | even with cash prizes.
           | 
           | Do you think google "will watch your IP" after you reported a
           | bug? Or will they give you money?
           | 
           | What helps in the short run? and what helps in the long run?
        
             | munk-a wrote:
             | > Do you think google "will watch your IP" after you
             | reported a bug? Or will they give you money?
             | 
             | I honestly think they'll do both - but they won't tell you
             | they're watching your IP because it's needlessly
             | antagonistic.
        
           | sbassi wrote:
           | > They want to know what data has been exposed
           | 
           | They should check their own logs instead of relying on a 3rd
           | party that may not tell the truth. This shows incompetence.
        
           | olyjohn wrote:
           | Because you have no way of knowing if they deleted the data
           | or not from their system. It's a pointless exercise, unless
           | you're just gonna take their word for it.
        
         | spoonjim wrote:
         | When you went to 342 you were white hat. When you went to 343
         | you became black hat.
        
         | websap wrote:
         | Obviously this person from the IT department has very little
         | understanding of how computers work, and I'm not saying they
         | should.
         | 
         | Each time a breach like this or in the original post happens,
         | it makes me feel that our tools are just not there yet. If
         | there were simple tools that caught vulnerabilities like this
         | we would improve the standard of security.
        
         | dataviz1000 wrote:
         | I did that once a long, long time ago with the organization
         | that monitors maritime piracy around the world. They have a
         | mailing list which I accidentally stumbled on that included,
         | I assume (since I only saw the one page of email addresses,
         | which ended in top level domains like un.org and navy.mil),
         | thousands of email addresses. I contacted the people running
         | the organization through email, saying that I had
         | accidentally stumbled on the page and they should probably
         | hide it, to which they responded thank you. If you have ever
         | been to Washington DC you would know the amount of money
         | military contractors spend to show the latest navy vessel to
         | everyone at the Foggy Bottom metro station and other places
         | where such ads seem unlikely. That was the mother of all B2B
         | email lists for militaries and shipping companies around the
         | world. I didn't want to play any games with it.
         | 
         | EDIT: Remembering it now, there were also email addresses with
         | the Iranian navy as they coordinate with other navies to fight
         | piracy too. Perhaps instead of sending a Rickroll I could have
         | sent a mass email with Lennon's "Give Peace a Chance."
        
           | walrus01 wrote:
           | Huge missed opportunity for mass email of URL shortener link
           | to the youtube Rick Astley video.
        
             | dataviz1000 wrote:
             | There were cia.gov email addresses in there too. When these
             | guys don't get a joke and fixate on you, they really fixate
             | on you. They are more clingy than that song.
        
               | agustif wrote:
               | Redacted.
        
               | Ph0X wrote:
               | I think you just missed the entire point of the comment
               | you replied to...
        
               | Talanes wrote:
               | I think you just missed the joke of the comment you
               | replied to...
        
               | jjk166 wrote:
               | Are you saying that the CIA is never going to give him
               | up?
        
               | samstave wrote:
               | Well, they're never gonna let him go, that's for sure.
               | 
               | And they may also hurt him.
        
               | walrus01 wrote:
               | well they're definitely never gonna say goodbye
        
         | jameshart wrote:
         | Unfortunately, this is the top comment and it has led to a
         | lengthy discussion about the ethics of altering a url to
         | retrieve a resource you should not have access to.
         | 
         | Which is a fascinating discussion, but has _nothing_ to do with
         | the case at hand which is where the underlying html on a
         | publicly accessible search result page contained SSNs of the
         | teachers returned in the search.
         | 
         | All the analogies about 'it's like asking the IRS for another
         | document' are all wonderfully applicable to this comment, but
         | not remotely applicable to the actual article.
        
           | askvictor wrote:
           | On the other hand, to a non-techie person, where do you draw
           | the line? Accessing the HTML of a public webpage is trivial
           | to you and me. But what about decompiling or extracting
           | strings from an .apk? Almost exactly the same thing as
           | pressing F12 in the browser, but a tad more 'active'. It is
           | relevant to this article, as it asks what hacking is OK, and
           | what isn't
        
           | woodruffw wrote:
           | This entire thread is a great microcosm of how _difficult_ it
           | actually is to talk precisely and intelligibly about
           | "hacking", permissions, intended access, etc!
        
           | datavirtue wrote:
           | URLs are not secrets. End of discussion.
        
           | michael_michael wrote:
           | I am now questioning the wisdom of having shared this story,
           | and I apologize for derailing the discussion.
        
             | jameshart wrote:
             | It's a relevant comment, and people evidently found it
             | interesting.
        
             | wslack wrote:
             | It's a good story and relevant. Not your fault the internet
             | got spun up in a totally other direction with it.
        
       | WarOnPrivacy wrote:
       | * The newspaper said it found that teachers' Social Security
       | numbers were contained in the HTML source code of the pages
       | involved. In other words, the information was available to anyone
       | with a web browser who happened to also examine the site's public
       | code using Developer Tools or simply right-clicking on the page
       | and viewing the source code.*
       | 
       | The state's website was sending SSNs to the browser of every
       | visitor. Visitors didn't ask for that info but got it anyway.
       | Everything the state sent was viewable thru View Source.
        
       | Wistar wrote:
       | The reporter hacked our water system, maliciously held his hand
       | under the faucet and then revealed to us that the water was WET!
        
       | josefresco wrote:
       | FYI the "Governor" is Mike Parson
       | 
       | "As governor, Parson signed a bill criminalizing abortion after
       | eight weeks of pregnancy and opposed Medicaid expansion. He
       | oversaw the state's response to the COVID-19 pandemic, where he
       | issued a temporary stay-at-home order in April 2020, allowed
       | schools districts to decide whether or not to close, and limited
       | postal voting during the 2020 U.S. elections. Parson also oversaw
       | Missouri's reaction to the George Floyd protests, during which he
       | pledged to pardon Mark and Patricia McCloskey, the couple
       | involved in the St. Louis gun-toting controversy, if they were
       | convicted of any crimes; he issued their pardons in August 2021."
       | 
       | Sounds like a _great_ guy.
        
         | handrous wrote:
         | I am reliably informed by people with some insight into
         | Missouri government that Parson is _exceptionally_ terrible.
         | Incompetent or malicious, depending on the day.
         | 
         | I gather the previous (also Republican) governor, Greitens, who
         | may or may not have been into some weird/illegal sex stuff and
         | was forced out over it, was actually pretty good. Seemed to
         | truly care about governing well and improving the functions of
         | state government, at least, which Parson _does not_.
        
           | Splendor wrote:
           | He is terrible, but in today's GOP there is nothing
           | exceptional about Governor Parson.
        
         | mmmpop wrote:
         | Soapbox much?
         | 
         | The dude's clearly a moron but this isn't a thread about any of
         | the topics mentioned in your quote. You're actively making HN a
         | shittier place with comments like this.
        
           | sophacles wrote:
           | > You're actively making HN a shittier place with comments
           | like this.
           | 
           | Please find your way to the nearest mirror and take a very
           | hard, long look.
        
           | josefresco wrote:
           | The title only said "Governor" so I was like "gee, who is
           | this guy/gal?" and so I RTFA and went back to the comments.
           | Many were still referring to him as "Governor" and not by
           | name so I thought it would be useful to mention his name. I
           | then started reading his Wikipedia page and discovered he's a
           | real piece of crap (IMHO) and decided to include that summary
           | in my post. Am I starting crap? Maybe, but I think some
           | background on his recent decisions in his role as Governor
           | would be relevant to an article questioning a recent decision
           | in his role as Governor.
        
           | [deleted]
        
         | logicalmonster wrote:
         | What is the source of the pasted quote? I have no idea what
         | kind of person the Governor is (outside of being technically
         | illiterate) and am not interested in a partisan bickering
         | match, but despite disagreeing with some points there, some of
         | the actions listed there are arguably great moves (with the
         | devil being in a lot of nuanced details that your list didn't
         | go into)
        
           | josefresco wrote:
           | It's from his Wikipedia page.
        
           | [deleted]
        
       | jll29 wrote:
       | The distribution of the SSNs to the client, where they can be
       | seen by everyone using a Web browser by clicking on a standard
       | menu function is clearly the government's fault.
       | 
       | They are obviously trying to deflect their incompetence - nobody
       | audited the design nor the resulting implementation.
       | 
       | If the journalist acted as described it is professional behavior
       | (notify and postpone publication to give the Website operator a
       | chance to fix things), it is ethical and complies with security
       | disclosure best practices.
        
       | betwixthewires wrote:
       | This governor is an idiot and should be removed from office for
       | this.
        
       | comeonseriously wrote:
       | > ... unencrypted the source code from the webpage
       | 
       | So now 'View Source' is a decryption tool used by those pesky
       | "hacker" types?
        
       | heavyset_go wrote:
       | This is just standard fare for the governor to rile up his base
       | by attacking the press.
        
       | bastardoperator wrote:
       | The only crime here is that this uninformed governor is going to
       | spend taxpayer dollars and time to chase ghosts. His staff are
       | either terrible, or this is all political theatre. I don't expect
       | everyone to understand the internet at a technical level but no
       | one under this guy could explain that this is a Missouri problem
       | not a hacker problem?
        
       | ROARosen wrote:
       | > No private information was publicly visible, but teacher Social
       | Security numbers were contained in HTML source code of the pages
       | 
       | How is an HTML page source not considered "publicly visible"?!
        
       | thewileyone wrote:
       | This is probably unpopular, but I want to see this go to court so
       | that this moron can be exposed for all to see.
        
         | fabianhjr wrote:
         | Best outcome would be for the courts to dismiss the case
         | outright. (Bonus points for snark against the governor)
        
       | CivBase wrote:
       | > "A hacker is someone who subverts computer security with
       | malicious or criminal intent," the statement continued. "Here,
       | there was no breach of any firewall or security and certainly no
       | malicious intent. [...]"
       | 
       | Then I guess HN better find a new name.
       | 
       | Seriously though, this defense bugs me because it outright
       | dismisses the idea of ethical hacking by re-defining "hacker" as
       | someone with "malicious or criminal intent". They should be
       | embracing the label and explaining the difference between white
       | hat hackers and black hats (the actual criminals).
       | 
       | Our world needs more white hat hackers. All it takes is one
       | security flaw to compromise a system and the deck is always
       | stacked against those securing it. Re-defining "hacker" as a term
       | to describe criminals stacks that deck even worse by dissuading
       | future would-be white hats.
        
       | fak3r wrote:
       | Once again, Gov Parsons makes me embarrassed to be a Missouri
       | resident.
        
         | C19is20 wrote:
         | Why?
        
       | mcguire wrote:
       | Aside from everything else,
       | 
       | " _According to the Post-Dispatch, one of its reporters
       | discovered the flaw in a web application allowing the public to
       | search teacher certifications and credentials. No private
       | information was publicly visible, but teacher Social Security
       | numbers were contained in HTML source code of the pages._ "
       | 
       | I expect there will be no consequences for the mindless idiot who
       | put SSNs in the HTML output.
        
       | Threeve303 wrote:
       | Do not make yourself even suspected of anything computer related
       | to state or federal authorities. It is never a good idea.
        
       | scc wrote:
       | This news should not surprise anybody who has used government
       | websites in Missouri. Here is an example:
       | https://mydssapp.mo.gov/CitizenPortal/application.do
       | 
       | The website takes a LONG time to load because of how many
       | javascripts it loads!!
        
         | suzzer99 wrote:
         | I gave up, and my browser was still semi-borked for a while
         | after clicking back to HN.
        
         | basedbertram wrote:
         | Holy cow, that's incredible
        
         | frumper wrote:
         | you aren't kidding, that's pretty impressive really
        
       | salynchnew wrote:
       | TFW the governor doesn't realize that HTML is a document that
       | they proactively published on the internet.
       | 
       | "The hacking is coming from inside the (state) house!" /s
        
       | mmazing wrote:
       | Do you want to stop responsible disclosure of bugs like this in
       | your state, Missouri? Just leave it for people who will actually
       | misuse it?
       | 
       | Because that's what you seem to want ... quit electing morons.
        
       | ChrisMarshallNY wrote:
       | Gosh ... this should end well.
       | 
       |     <call target="broker">
       |       <communication command="buy">
       |         <stock>Orville Redenbacher</stock>
       |       </communication>
       |     </call>
        
       | nimbius wrote:
       | Governor Parson, while in the Army, attended night classes at the
       | University of Maryland and the University of Hawaii, without
       | completion of a degree.
       | 
       | It's not hard to see how someone with only a rural sixties
       | highschool education might conflate this particular revelation
       | with treasonous intent.
        
       | kgeist wrote:
       | If I witness a crime and tell police about it, am I an accomplice
       | according to Mr Parson?
        
       | Johnny555 wrote:
       | _"The state is committed to bring to justice anyone who hacked
       | our system and anyone who aided and abetted them to do so,"
       | Parson said_
       | 
       | I assume they'll start with the head of the Office of
       | Administration Information Technology Services Division whose
       | team allowed such a glaring vulnerability in the first place.
       | 
       | If IT management held some responsibility for breaches, then
       | maybe it wouldn't be so hard to get funding for security
       | measures.
        
       | Buttons840 wrote:
       | I commented days ago about a state website that was returning all
       | kinds of nicely formatted NPI in JSON from an API response, but
       | the NPI was not displayed. I donned my black hat and other hacker
       | attire and pressed F12 to open the browser's developers tools (a
       | tool created by a shifty company named Google most people have
       | never heard of), and there it was, plain as day, SSNs, addresses,
       | etc. I closed the page and never touched it again. I knew what's
       | happening in this story could happen to me. I knew my side of the
       | story would rarely be told and that my fate would lie in the
       | hands of a judge who views the F12 key with distrust and fear and
       | a jury of my "peers" who are not actually my peers in any skill
       | or know-how related to the case.
        
         | onychomys wrote:
         | At least make a throwaway email account somewhere and email the
         | state's IT department to let them know. I doubt it'd ever get
         | fixed (given state budgets), but still.
        
           | dragonwriter wrote:
           | In states that have state-level IT departments (usually in
           | addition to, as opposed to instead of, agency-internal ones),
           | the state-level one mostly does IT project and contracting
           | policy and oversight (often limited to large projects for
           | active oversight), and maybe executes enterprise contracts for
           | infrastructure that is used across agencies.
           | 
           | For an in-production system, there is a good chance that they
           | have no responsibility for ongoing maintenance, and no
           | special information beyond what is on the website as to who
           | is responsible for maintenance.
           | 
           | You are better off contacting (anonymously or otherwise) the
           | responsible agency. But, sadly, probably the most effective
           | way to get it changed (after the flurry of butt covering) is
           | to anonymously notify the media.
        
       | TheSpiceIsLife wrote:
       | I remember being _more free_ during the Cold War.
       | 
       | Many politicians are much older than me.
       | 
       | Are their brains just hard-wired to see an enemy everywhere?
        
       | arbuge wrote:
       | This story just gets worse and worse:
       | 
       | https://news.stlpublicradio.org/government-politics-issues/2...
       | 
       | "Missouri Gov. Mike Parson on Thursday launched a criminal
       | investigation of a St. Louis Post-Dispatch reporter... The
       | investigation begins today, and Parson said the investigation
       | could cost taxpayers as much as $50 million but did not detail
       | those costs or take questions at a news conference Thursday."
       | 
       | $50m over this now? They say never to assume malice when outright
       | incompetence will do, but I'm beginning to wonder if some corrupt
       | dealings involving IT contractors might be going on under the
       | table.
       | 
       | Whichever one it is, at this point I think the governor should
       | just apologize and resign immediately. Not holding my breath.
       | 
       | Edit: Looks like the governor is tweeting about this now.
       | Straight from the horse's mouth:
       | 
       | https://twitter.com/GovParsonMO/status/1448697768311132160
       | 
       | Really couldn't make this stuff up if I tried: "This individual
       | did not have permission to do what they did. They had no
       | authorization to convert and decode the code."
        
       | skeeter2020 wrote:
       | "... teachers' Social Security numbers were contained in the HTML
       | source code of the pages involved..."
       | 
       | My bet is the SSN was used as the GUID for a table row or list
       | item.
        
         | suzzer99 wrote:
         | I'm going to guess a value in a hidden form field.
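The "simple tool that catches this" wished for earlier in the thread, run against exactly the places the two guesses above name (a row id, a hidden form field) plus the JSON-API case another commenter described, as an added example written for this page. It is not code from the newspaper, the state or any commenter. The sample responses are constructed; 123-45-6789 and 219-09-9999 are placeholder numbers, and 987-65-4321 lies in the range the SSA reserved for advertising, which the plausibility filter rejects.

```python
"""Added example for this page, not code from the newspaper, the state or any
commenter: scan a server response as the browser receives it (raw HTML or
JSON) and report SSN-shaped values by where they sit, including places that
are never rendered: element ids, hidden inputs, data- attributes, inline
script JSON. Sample responses are constructed; 123-45-6789 and 219-09-9999
are placeholder numbers, and 987-65-4321 is in the range SSA reserved for
advertising, which the plausibility filter below rejects.
"""
import json
import re
from html.parser import HTMLParser
from typing import Dict, Iterator, List, Tuple

# Nine digits in SSN layout, separators optional. The look-around keeps the
# match from starting or ending inside a longer digit run (phone numbers,
# record counters), which is the main false-positive source.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})(?![\d-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


class _Collector(HTMLParser):
    """Record every attribute value and text node with a location label."""

    def __init__(self) -> None:
        super().__init__()
        self.items: List[Tuple[str, str]] = []
        self._stack: List[str] = []

    def handle_starttag(self, tag, attrs):
        self._stack.append(tag)
        for name, value in attrs:
            if value:                      # attribute values: id, value, data-*
                self.items.append((f"<{tag} {name}>", value))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; this also discards void tags
        # such as <input> that never get a closing tag.
        if tag in self._stack:
            idx = len(self._stack) - 1 - self._stack[::-1].index(tag)
            del self._stack[idx:]

    def handle_data(self, data):
        # Text nodes, including the body of <script>, which HTMLParser hands
        # over as raw text, so JSON embedded in a page is scanned too.
        parent = self._stack[-1] if self._stack else "document"
        self.items.append((f"<{parent}> text", data))


def _walk_json(node, path: str = "$") -> Iterator[Tuple[str, object]]:
    """Yield (json-path, leaf) so a finding can name the key it sits under."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_json(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_json(v, f"{path}[{i}]")
    else:
        yield path, node


def find_ssn_exposures(body: str, content_type: str = "text/html") -> List[Dict[str, str]]:
    """Return one finding per SSN-shaped, plausible value in the response body."""
    if content_type.startswith("application/json"):
        located = [(p, str(v)) for p, v in _walk_json(json.loads(body))]
    else:
        c = _Collector()
        c.feed(body)
        located = c.items
    findings = []
    for where, value in located:
        for m in SSN_RE.finditer(value):
            if plausible_ssn(*m.groups()):
                findings.append({"where": where, "value": m.group(0)})
    return findings


# Constructed responses modelling the guesses above: SSN as row id, as a
# hidden input, as a data- attribute, and inside inline script JSON.
SAMPLE_HTML = """<!doctype html><html><body><table>
<tr id="123-45-6789"><td>J. Doe</td><td>Elementary 1-6</td>
<td><input type="hidden" name="teacher" value="123456789"></td></tr>
<tr data-id="219-09-9999"><td>R. Roe</td><td>Secondary Math</td>
<td>ref 987-65-4321</td><td>555-0100</td></tr>
</table>
<script>var results = {"teachers":[{"name":"J. Doe","ssn":"123-45-6789"}]};</script>
</body></html>"""

SAMPLE_JSON = '{"teachers":[{"name":"J. Doe","ssn":"123-45-6789","phone":"3145550100"}]}'

if __name__ == "__main__":
    for f in find_ssn_exposures(SAMPLE_HTML):
        print(f"{f['where']:>18}  {f['value']}")
    for f in find_ssn_exposures(SAMPLE_JSON, "application/json"):
        print(f"{f['where']:>18}  {f['value']}")
```

Run as a post-deployment check or in a test that fetches each page with an anonymous session and asserts an empty result, this catches all four placements at once, and the JSON path or attribute name in the finding tells the developer exactly which template or serializer to fix. The SSA plausibility filter cuts false positives from invoice and phone numbers; a team that would rather review extra hits than miss a leak can drop it and flag every format match.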
        
       | droptablemain wrote:
       | Can't determine if this allegation is malicious in nature or
       | simply based on technological incompetence. Maybe some
       | combination of the two.
        
       | samuelizdat wrote:
       | Remember when a guy "Hacked" AT&T when the new iPad came out in
       | 2010? I wonder what happened to that guy? lol
        
       | buitreVirtual wrote:
       | The news is not only the lack of understanding of what hacking is
       | and what a security fuck up is. The news is the cowardice of this
       | clown of a governor trying to deflect blame to those reporting
       | the vulnerability. If he is too embarrassed to admit his
       | government's fault, he will be rewarded with twice the
       | embarrassment for reacting like a corrupt despot.
        
       | allemagne wrote:
       | >Republican state Rep. Tony Lovasco, who according to his
       | legislative biography has worked in software deployment and
       | maintenance, tweeted Thursday that "it's clear the Governor's
       | Office has a fundamental misunderstanding of both web technology
       | and industry standard procedures for reporting security
       | vulnerabilities.
       | 
       | >"Journalists responsibly sounding an alarm on data privacy is
       | not criminal hacking," he said.
       | 
       | I worry that we're heading in a direction where somebody like
       | Lovasco won't be willing to break with somebody of the same
       | political party even for something like this.
       | 
       | It's already incredibly easy to code this story as a PR "win" for
       | Democrats by embarrassing a prominent Republican.
       | 
       | So then isn't giving a common-sense perspective in this
       | circumstance kind of just a betrayal of everything your side
       | stands for?
       | 
       | I mean it's pretty unlikely that anything of legal import
       | actually happens to the reporter, so for the "greater good" of
       | accomplishing your wider agenda, or perhaps even more importantly
       | preventing the other side's agenda, it might be better to just
       | stay quiet and let this blow over as partisan bickering.
        
         | jaywalk wrote:
         | The fact that it happened here should calm your worries at
         | least a little bit.
        
       | giantg2 wrote:
       | "... Social Security numbers were contained in HTML source code
       | of the pages."
       | 
       | "Gov. Mike Parson was labeling the Post-Dispatch reporter a
       | 'hacker' and vowing to seek criminal prosecution."
       | 
       | L O L. Everyone who has hit F12 in a browser is now considered a
       | hacker.
       | 
       | I hope the prosecutors and law enforcement come to the right
       | conclusion quickly and tell the governor no crime was committed.
       | My experiences have left me with little faith of that happening.
        
         | AnimalMuppet wrote:
         | "You can look like idiots now. Or you can try to keep from
         | looking like idiots, and look like even bigger idiots very
         | quickly. Your choice."
        
           | RHSeeger wrote:
           | And, in the process, double down and cost the reporter his
           | career and entire life savings as he pays for a lawyer to
           | keep himself out of jail.
        
             | giantg2 wrote:
             | Usually the better publications have, or pay for, counsel
             | for work related issues like this.
             | 
              | I don't think this will cost them their career. Every
              | semi-intelligent person can see what's going on. It will
              | certainly create some short-term headaches though.
        
       | black_puppydog wrote:
       | Good. Let this go all the way to the top, this is someone who at
       | least in theory should be backed by an institution (and various
       | amendments...) so this should establish a nice precedent that
       | no, you can't shoot the messenger. The only "tiny" detail
       | would be how to shield the individual reporter from the fall-out
       | in the meantime. And while we're at it, holding an office should
       | not protect you from personal liability for the harm done to said
       | messenger during the process.
       | 
       | Terribly idealistic, I know. One can dream... :|
        
       | weddpros wrote:
       | No better than patent trolls
        
       | _0ffh wrote:
       | I don't think I can blame a politician for being technically
       | illiterate, especially one that old. But what the heck is up with
       | the state bureaucrats who report to that guy?
       | 
       | I mean _someone_ in the freaking state bureaucratic hierarchy
       | should at least be lucid enough to consult someone who has an
       | actual clue about things as these.
        
         | mindcrime wrote:
         | _I don't think I can blame a politician for being technically
         | illiterate, especially one that old._
         | 
         | I don't think age should excuse this guy at all, nor do I buy
         | into the meme that age has much of anything to do with
         | technical literacy. Consider that Brian Kernighan is ~78, Tim
         | Berners-Lee is 66 (the same age as Governor Parsons here),
         | James Gosling is also 66, Rob Pike is 65, Steve Wozniak is 71,
         | Geoffrey Hinton is 73, and so on. And that's not even
         | considering folks who were around so early they've already
         | passed away, like Marvin Minsky, Dennis Ritchie, John McCarthy,
         | etc.
        
         | cle wrote:
         | > I don't think I can blame a politician for being technically
         | illiterate, especially one that old.
         | 
         | Given the impact of technology on society, we absolutely can
         | and should blame politicians who are technically illiterate.
        
           | birdman3131 wrote:
           | I don't blame a politician for being not tech savvy.
           | 
           | I can and will blame them for not getting (And listening to!)
           | a tech savvy advisor.
        
             | barbazoo wrote:
             | And maybe blame the highly partisan electorate too?
        
             | mindcrime wrote:
             | I would think it depends on how "tech savvy" we're talking
             | about. It's one thing to ask them to write a UNIX shell in
             | C++, or construct a neural network model... I don't see any
             | reason to demand that level of technical sophistication
             | from a governor. But surely there has to be _some_ baseline
             | level of technological literacy that should be expected,
              | no? Something beyond "push this button and the computer
             | turns on" and "Yes, I checked and it's plugged into the
             | wall"??
        
         | fencepost wrote:
         | _I don't think I can blame a politician for being technically
         | illiterate, especially one that old._
         | 
         | That right there (probably without the age bit) would be the
         | _ideal_ one liner response from the reporter or an attorney
         | from the paper.
        
         | javajosh wrote:
         | I can't stress how differently _power_ works in the Southern
         | States (EDIT: Missouri is a midwestern state officially, but
         | I've always considered it part of the South). It's a very
         | traditional place, where you do not dare contradict, let alone
         | correct, your boss. There is none of this "avoid surrounding
         | yourself with sycophants because they will only tell you what
         | you want to hear" business. There is no upside to speaking up
         | in meetings if what you're saying is not in direct support of
         | the boss. If you do this, you will be branded a trouble-maker,
         | lose favor with the hierarchy, and eventually you will be
         | expelled. Politeness and deference matters _far_ more than
         | _any_ other quality. Loyalty beats integrity every time in the
         | south.
         | 
         | This incident is just one example of this in action.
        
           | CountDrewku wrote:
           | If you think that's a "southern" trait I've got news for
           | you...
           | 
           | This attitude fits the majority of workplaces. I know it
           | probably makes you feel better to pass the blame off on a
           | specific group that you can try to avoid but I've worked all
           | over the US and it's the same crap everywhere you go.
        
           | jeremyjh wrote:
           | Missouri is not even remotely considered to be in "the
           | south". At least not by those who live there or in
           | neighboring states.
        
             | handrous wrote:
             | I know a lot of people who regard it as a hybrid
             | southern/midwestern state. Plenty of confederate flags to
             | be found in Missouri, certainly, and the MU/KU rivalry is,
              | on our side at least, _heavy_ on "bleeding Kansas"
             | rhetoric and imagery, which keeps Missouri's Southern-
             | sympathizing role in the war alive in our popular culture
             | (such as it is). Lots and lots of our local icons, oft-
             | mentioned historical figures, et c., relate back to the
             | war, and especially folks who supported the Confederacy.
             | County seats with those late-addition cheap confederate
              | soldier memorial statues outside the courthouse are,
             | AFAIK, quite common in the state.
        
               | jeremyjh wrote:
               | You can find racists and rebels anywhere. If you order a
               | sweet tea in any restaurant in Missouri they will look at
               | you like you have three heads.
        
               | handrous wrote:
               | Not true at all, but the sweet tea they serve you will
               | probably be mediocre at best, that's true. A few places
               | will serve you unsweet tea (all they have, as a cost-
               | savings measure) with sugar packets, as if that's the
               | same thing, which admittedly is an offense worthy of
               | challenging your server and/or the restaurant owner to a
               | duel.
        
               | CountDrewku wrote:
               | You can find Confederate flags in northern states and all
               | over the US. That doesn't suddenly make it more
               | "southern". I live in CO now and I see more confederate
               | flags than I ever saw in MO.
        
             | javajosh wrote:
             | You're right! It's part of the midwest officially.
             | Apparently it does share at least _some_ of the classic
             | characteristics of the southern states.
        
               | daltont wrote:
               | University of Missouri sports teams are in the
               | Southeastern Conference (SEC). Part of me wanted them in
               | the Big-10 since I identify more as being from the
               | northern mid-west. Got to follow the $$$.
        
               | jeremyjh wrote:
               | I think it has no more in common with them than other
               | non-southern red states.
        
             | dragonwriter wrote:
             | > Missouri is not even remotely considered to be in "the
             | south".
             | 
             | No, but it is both South-adjacent and is considered to be
             | largely within the Bible Belt, which is almost exactly
             | coextensive with the South, except that it excludes parts
             | of Southern Florida and includes all or part of several
              | South-adjacent states, so it's not an entirely hard to
              | understand mistake.
        
           | smartscience wrote:
           | As a species I feel we need a means to overcome this problem
           | within organizations, and demonstrate convincingly to others
           | that we have done so. Chernobyl and Fukushima were also both
           | created by a culture of deference to higher-ups. The anti-
           | nuclear crowd were wrong about the science, but may have had
           | a point once you consider human fallibility.
        
             | nolson wrote:
             | > Chernobyl and Fukushima were also both created by a
             | culture of deference to higher-ups
             | 
             | Chernobyl suffered from compounding of reactor and test
             | design flaws and human error. Fukushima suffered from
             | (retrospectively) insufficient risk assessments, which
              | resulted in a design meeting a rare event beyond its design
             | limit sooner than expected.*
             | 
             | I'm unaware of a human society, in fact any animal society,
             | where politeness does not involve some degree of deference.
             | So saying these accidents were caused by a culture of
             | deference is essentially meaningless without some more
             | "who, what, why, how" and importantly 'how much' and
             | 'compared to what'.
             | 
             | From the IAEA report: "This common mode failure reached a
             | scale considerably beyond that usually addressed in the
             | assessment of BDBAs. [ed: beyond design basis accident]".
             | https://www-
             | pub.iaea.org/MTCD/Publications/PDF/AdditionalVol...
             | 
             | https://www.coursera.org/lecture/intercultural-
             | communication...
        
           | throwaway0a5e wrote:
           | The south sounds exactly like my experience in two fairly
           | non-political (as non-political as government can be)
           | departments of state government that provide non-
           | controversial social services in a state in the northeast.
        
           | vram22 wrote:
           | Why?
        
         | mabub24 wrote:
         | I think you're under-estimating how much this is just the
         | governor cravenly trying to save face. He's just a spineless
         | politician who is afraid that this "hack" will be used against
         | him. Because the public was notified of the obvious fuck-up in
         | the html, he felt he needed to "respond to their concerns" and
         | is doing so in the only way he understands, or that that group
         | of the public "under attack" understands as well: criminal
         | charges.
         | 
         | He's using the public's fear to try to gain political points by
         | looking "hard on crime".
         | 
         | Obviously, he's stupid. But part of the problem is the public
         | _also think this was a "hack"_. Basic understanding of the web
         | is not apparent amongst an enormous swathe of the public.
        
           | [deleted]
        
         | ladyattis wrote:
         | This is why you have tech literate experts to correct you and
         | help you make a decision. Just like how you go to your doctor
         | for help with an illness and get advice for what to do next.
         | This isn't hard to do, it's just not politically powerful
         | messaging. Parson wants to look big and powerful and so he'll
         | just blow smoke up his AG's butt to do something which will
         | quietly be dismissed afterwards with almost zero political cost
         | to him.
        
         | lotsofpulp wrote:
         | > I mean someone in the freaking state bureaucratic hierarchy
         | should at least be lucid enough to consult someone who has an
         | actual clue about things as these.
         | 
         | Why are you letting the leader off the hook and charging the
         | underlings for being responsible for something a leader should
         | be responsible for? Age of the leader is irrelevant because the
         | leader chose to become a leader.
        
         | dragonwriter wrote:
         | Gov. Parsons' technical ignorance, such as it may be, is not
         | the source of this. This is a power-oriented political
         | narrative. To the extent it invokes inaccurate explicit or
         | implicit characterizations, that is not because Parsons doesn't
         | understand the truth (he may or may not, that's just
         | irrelevant), but because the descriptions and implications
         | serve the desired narrative.
        
         | laserlight wrote:
         | Why should age excuse incompetence? If they are incompetent in
         | tech, they should at least know that and shut up.
        
         | prepend wrote:
         | I'm guessing it went like this...
         | 
         | Politician: Socials are on the web site, who fucked up?
         | 
         | IT: the web page is encrypted, we didn't fuck up, the hacker
         | decrypted the source
         | 
         | Politician: sounds good to me, no fuckup on our part, let's
         | call the cops and prosecutors
        
           | lotsofpulp wrote:
           | Politician [intentionally looking to pass the buck to
           | entities outside their purview and choosing not to research
           | further]: sounds good to me, no fuckup on our part, let's
           | call the cops and prosecutors
        
         | Clubber wrote:
         | You have no idea what lengths some state employees will go
         | through to cover their ass and not get fired. It's especially
         | dangerous when cops and prosecutors do it.
        
           | throwaway0a5e wrote:
           | Exactly. When you've endured 15yr of this kind of bullshit
           | and enduring five more gets you an extra 10% on your pension
           | you shut the f up and do what's good for you, organization
           | and taxpayers be damned.
           | 
           | Now imagine what this situation teaches all the younger
           | bureaucrats who think they can work hard and make things
           | better.
        
         | duxup wrote:
         | Yeah this should be a "get the computers guy in here" moment.
         | Then someone explains and everyone moves on.
        
         | handrous wrote:
         | It is my understanding that Parson is not the kind of fellow to
         | give a shit what a state bureaucrat tells him, if it's not what
         | he wants to hear, assuming he'd listen to them in the first
         | place.
        
         | RHSeeger wrote:
         | > I don't think I can blame a politician for being technically
         | illiterate, especially one that old.
         | 
         | I certainly can. They have plenty of money to hire staff, and
         | that should include people to make sure they understand the
         | technology that is integral to the everyday lives of their
         | constituents, or at least to push back when they do/say
         | something completely counter to how the world works.
        
       | cantbudgeit wrote:
       | If you have an f12 key on your keyboard, you are now a hacker.
       | Bad ass.
        
       | ianhawes wrote:
       | If the scenario being proposed is that the reporter publicly
       | searched teachers on the site and then noticed that SSNs were
       | returned in hidden HTML or an endpoint returned it from an API
       | directly, that is a facepalm and they're fine.
       | 
       | If the reporter searched teachers and located (for example) their
       | teacher ID, then discovered an endpoint (from looking at the JS)
       | that took the ID as input and returned an SSN, they have
       | potentially violated the CFAA (as written).
       | 
       | Do I agree that they should be prosecuted? No.
       | 
       | Is the CFAA a terrible law that criminalizes most netsec
       | research? Yes.
        
       | vngzs wrote:
       | The EFF will likely take this case. Have the reporters contacted
       | them?
        
         | danso wrote:
         | One thing a newspaper has is lawyers (including plenty of
         | places that will do pro bono on 1st Amendment cases)
        
       | JohnTHaller wrote:
       | 'Parson said Thursday that he wasn't sure why the reporter
       | accessed the information. He claimed it was part of a "political
       | game by what is supposed to be one of Missouri's news outlets."'
       | 
       | Yes, everything that makes us look bad is part of a conspiracy by
       | the other team. Ignore the facts, please. Pressing CTRL-U is
       | hacking!
        
         | CivBase wrote:
         | The weird thing is even if this was a conspiracy to discredit
         | an administration... it's a _really bad one_. Perhaps you could
         | link the security flaw to a budget issue, but I can't imagine
         | something like this seriously affecting a governor's chance for
         | re-election. His response has obviously done more damage than
         | the flaw ever could.
        
       | dr_orpheus wrote:
       | "No private information was publicly visible, but teacher Social
       | Security numbers were contained in HTML source code of the
       | pages."
       | 
       | They definitely have a different definition of "publicly visible"
        
       | SMAAART wrote:
       | "Shoot the messenger" what a great strategy! /-s
        
       | codegeek wrote:
       | Of course he would. It is the typical political response these
       | days. Double down on your mistakes and never accept
       | responsibility on your end. So what if a bunch of SSNs were
       | exposed? It was only in "View Source", which is hacking. Come on
       | now. /s
        
       | ball_of_lint wrote:
       | Until the US has dramatically clearer and more sane laws around
       | hacking and responsible disclosure our security will not improve.
        
       | gdsdfe wrote:
       | Why is it always the dumbest people that are elected to govern?!
        
       | tgdnt wrote:
       | This is a matter of job security, the reporter is embarrassing
       | the state and that's Parson's job. Fingers crossed he goes on
       | strike after this.
        
       | dusted wrote:
       | hanging the heroes..
        
       | wonderwonder wrote:
       | This is what happens now when the media is portrayed as a
       | political actor and everything can be "the other sided".
       | 
       | "political game by what is supposed to be one of Missouri's news
       | outlets." Now they get to ignore any and all responsibility and
       | the governor is seen as standing up to the liberal media. It did
       | not even have to be a big deal, just fix it, say it's been
       | resolved and move on. Everything is gamified and politicized now;
       | to the point they are willing to send someone to jail over their
       | own flaw. It's not even about being good leaders and helping
       | citizens, it's just about winning elections and owning the libs or
       | conservatives or your favorite brand of "snowflake". Human
       | decency has left the building. I wish we could go back to
       | business as usual but we have really entered a post truth
       | society.
        
         | didibus wrote:
         | I'm not American, just got interested in how their politics
         | devolved to that, and apparently this was an intentional power
         | play which started from republicans:
         | 
         | > "a race to the bottom to see who can be meaner and madder and
         | crazier. It is not enough to be conservative anymore. You have
         | to be vicious." The viciousness doesn't necessarily reside in
         | the individual souls of Republican leaders. It flows from the
         | party's politics, which seeks to delegitimize opponents and
         | institutions, purify the ranks through purges and coups, and
         | agitate followers with visions of apocalypse
         | 
         | I feel this article summarizes it well:
         | https://www.theatlantic.com/ideas/archive/2018/12/how-did-re...
         | 
         | Newt Gingrich seems to be responsible for that more recent
         | attempt at this, and everything happening now seems to be the
         | end game of what he started, though the party seems to have a
         | history of it to some extent.
         | 
         | I know some people might say that the Atlantic is partisan and
         | maybe Democratic leaning (I think?), but personally except for
         | the part where the article seems to say they don't like what
         | the Republican party is making of democracy, everything else
         | seems pretty accurate and factual to me. I'd love to hear
         | counterpoints, like is there anyone who doesn't think this
         | characterizes the Republican party properly?
        
       | jorblumesea wrote:
       | Feels like the traditional foundation of US democracy, free
       | press, is being constantly undermined more and more every year.
       | Doing even basic investigative work puts you in the crosshairs of
       | someone.
        
       | stack_framer wrote:
       | > Parson said he had referred the matter to the Cole County
       | Prosecutor and has asked the Missouri State Highway Patrol to
       | investigate.
       | 
       | Was this a drive-by "view source"? Why is the highway patrol
       | investigating?
        
         | dragonwriter wrote:
         | > Was this a drive-by "view source"? Why is the highway patrol
         | investigating?
         | 
         | In a number of states, the "Highway Patrol" is--either through
         | role expansion, merger with a preexisting State Police, or
         | otherwise--the general-jurisdiction law enforcement agency of
         | the State.
        
       | yingbo wrote:
       | The reporter should prosecute the government: not suitable for
       | their jobs.
        
       | WarOnPrivacy wrote:
       | Competing with Florida looks weird.
        
       | TigeriusKirk wrote:
       | So is this illegal?
       | 
       | I'm not asking if it should or shouldn't be.
       | 
       | I'm asking if it is, with the laws as written and interpreted
       | today.
        
       | atmin wrote:
       | Any sufficiently advanced search engine is indistinguishable from
       | hacking.
        
       | e-clinton wrote:
       | Someone once took a photo in a hospital waiting room. There was a
       | screen in the photo with a browser window that listed the queue
       | of patients waiting to be seen (first name + last initial). I
       | zoomed into the photo, typed the URL in my home machine and sure
       | enough, the list of patients actively waiting to be seen loaded
       | up.
       | 
       | To make matters worse, incrementing a number in the URL cycled
       | through different hospital waiting rooms.
       | 
       | I emailed the vendor who built the tool about the issue and they
       | responded letting me know that the system worked as it was
       | designed, and that no HIPAA violations existed since there was no
       | full last name.
       | 
       | I meant to make a bigger deal about this, but then got busy.
        
       | JangoSteve wrote:
       | So they included the SSNs in the HTML source, and then said the
       | reporter hacked and unencrypted the HTML by reading the non-
       | displayed SSNs in the source. That's like taping the SSNs up to
       | the inside of a tinted window and then saying the reporter
       | committed breaking and entering by shining a flashlight on the
       | window.
        
       | mdek wrote:
       | From the article, it sounds like nothing even remotely
       | questionable was done by the reporter who found the flaw:
       | 
       | > "According to the Post-Dispatch, one of its reporters
       | discovered the flaw in a web application allowing the public to
       | search teacher certifications and credentials. No private
       | information was publicly visible, but teacher Social Security
       | numbers were contained in HTML source code of the pages."
        
         | unyttigfjelltol wrote:
         | Translation: search for a certification on the public website,
         | receive an SSN in response. Only 'hacking' by reporter was to
         | then press 'Ctrl+U' in the browser and read the characters.
        
           | BizarroLand wrote:
           | He used the basic reading skills that are taught in every
           | public and private education system in the country to hack
           | us!
        
           | ghayes wrote:
           | Imagine if the reporter had used curl...
        
         | ollien wrote:
         | Tell me if I'm reading this wrong. I want to be reading this
         | wrong.
         | 
         | Is this saying that when you viewed a certain page (which I
         | assume had only one person's SSN visible, or perhaps other
         | teacher information like names), the "invisible" SSNs were just
         | hidden with `display: none` or similar?
        
           | ihumanable wrote:
           | I think what actually happened is that there was a page where
           | you could get information about a particular educator. In the
           | HTML source the server returned for that page private
           | information about *that educator* was included in non-
           | displaying elements.
        
             | ollien wrote:
             | Makes sense. Jesus, though.
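A defensive check for the failure ollien and ihumanable describe above (values present in the served markup but never painted by the browser): this is an added example, not code from the thread or from the Missouri site, that scans an HTML response for SSN-shaped strings in non-displaying elements, attribute values and comments before a page ships. The educator-lookup page it scans is constructed for the example.

```python
"""Scan server-rendered HTML for SSN-shaped values that 'View Source' would
reveal even though the browser does not display them.  Added example; the
sample page below is constructed, not taken from any real site."""
import re
from html.parser import HTMLParser

# Common 9-digit SSN layouts: 123-45-6789, 123 45 6789, 123456789.
SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Elements whose text content the browser never paints.
NON_RENDERING = {"script", "style", "template"}
# Void elements have no closing tag, so they must not go on the open-tag stack.
VOID = {"input", "img", "br", "hr", "meta", "link", "area", "base", "col",
        "embed", "param", "source", "track", "wbr"}


def _is_hidden(tag, attrs):
    """True if the element's content will not be displayed in a browser."""
    a = dict(attrs)
    if tag in NON_RENDERING or "hidden" in a:
        return True
    return bool(HIDDEN_STYLE_RE.search(a.get("style") or ""))


class SsnLeakScanner(HTMLParser):
    """Collects (location, value) for every SSN-shaped string in the markup."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden) for each open element
        self.hidden_depth = 0    # >0 while inside a non-displayed element
        self.findings = []

    def _check(self, where, text):
        for m in SSN_RE.finditer(text or ""):
            self.findings.append((where, m.group(0)))

    def handle_starttag(self, tag, attrs):
        # Attribute values (hidden inputs, data-* attributes) never render.
        for name, value in attrs:
            self._check(f"attribute {tag}[{name}]", value)
        if tag in VOID:
            return
        hidden = _is_hidden(tag, attrs)
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax: only the attributes can carry text.
        for name, value in attrs:
            self._check(f"attribute {tag}[{name}]", value)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed inline tags.
        if any(t == tag for t, _ in self.stack):
            while self.stack:
                t, hidden = self.stack.pop()
                if hidden:
                    self.hidden_depth -= 1
                if t == tag:
                    break

    def handle_data(self, data):
        tag = self.stack[-1][0] if self.stack else "document"
        kind = "hidden" if self.hidden_depth else "visible"
        self._check(f"{kind} text in <{tag}>", data)

    def handle_comment(self, data):
        # HTML comments are in the source but never displayed.
        self._check("comment", data)


def scan_html(markup):
    """Return [(where, value), ...] for each SSN-shaped string found."""
    parser = SsnLeakScanner()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample page: one educator record, PII tucked into the source.
SAMPLE_PAGE = """<html><head><title>Educator lookup (constructed sample)</title>
<script>var rec = {id: 4821, ssn: "123-45-6789"};</script></head>
<body>
<h1>Jane Doe</h1>
<p>Certificate: Elementary 1-6, expires 2024</p>
<span style="display:none">SSN: 123-45-6789</span>
<input type="hidden" name="ssn" value="123456789">
<div hidden><em>987 65 4321</em></div>
<!-- TODO remove before release: 111-22-3333 -->
<p>Phone: 314-555-0100</p>
</body></html>"""

if __name__ == "__main__":
    # Print findings with the value masked, so the report itself leaks nothing.
    for where, value in scan_html(SAMPLE_PAGE):
        print(f"{where}: {value[:3]}-XX-XXXX")
```

The phone number on the sample page is not reported, which shows the boundary-anchored pattern; a real deployment would widen the check to other identifier formats the application handles.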
        
         | adrr wrote:
         | Like redacting a public document by making the redacted parts
         | have a black background with black text. If people can't see
         | it, it is secure.
        
         | tomrod wrote:
         | Oh that is so bad.
         | 
         | It's events and negligence like this that give credence to
         | credentialing requirements for software engineering.
        
           | daviddever23box wrote:
           | Imagine if we had credentialing requirements for elected
           | office...
        
             | mywittyname wrote:
             | I don't think the issue is that elected officials are dumb.
             | I think it's the opposite, most are quite intelligent. It's
             | more that they are evil/corrupt/self-serving, and acting
             | dumb is part of how they get away with it.
        
             | solveit wrote:
             | We do. It's called an election. What you want is
             | credentialing requirements for voting.
        
               | WkndTriathlete wrote:
               | I'm pretty sure I want credentialing requirements for
               | anyone running for any public office. I'd settle for
               | automatic exclusion of anyone displaying narcissistic,
               | psychopathic, or sociopathic tendencies and inclusion of
               | rational pragmatists.
        
               | solveit wrote:
               | I would also "settle" for picking the people I like.
               | 
               | Also, pretty sure that you have to be at least somewhat
               | narcissistic to think that you should be president, and
               | somewhat sociopathic to actually succeed.
        
               | [deleted]
        
               | A4ET8a8uTh0 wrote:
               | And US used to have them too. The basic approach was that
               | if you have land, you have a stake in the future of the
               | republic. It was debated as to whether landless would
               | have the same stake.
        
         | dylan604 wrote:
         | We've always known that using DevTools was a criminal activity.
         | In fact, the sheer number of people using them places this at
         | criminal conspiracy levels. Better start filing those RICO
         | cases against the browser devs. /s
        
           | alexjplant wrote:
           | The US Government has a STIG (Security Technical
           | Implementation Guide [1], a government-proprietary term for
           | "IT policy") that requires that you disable Dev Tools in IE
           | [2], Edge [3] and Chrome[4]. Their justification (from [1]):
           | 
           | > Information needed by an attacker to begin looking for
           | possible vulnerabilities in a web browser includes any
           | information about the web browser and plug-ins or modules
           | being used. When debugging or trace information is enabled in
           | a production web browser, information about the web browser,
           | such as web browser type, version, patches installed, plug-
           | ins and modules installed, type of code being used by the
           | hosted application, and any back-ends being used for data
           | storage may be displayed
           | 
           | I wish I were making this up.
           | 
           | [1] https://en.wikipedia.org/wiki/Security_Technical_Implemen
           | tat...
           | 
           | [2] https://stigviewer.com/stig/microsoft_internet_explorer_1
           | 1/2...
           | 
           | [3] https://www.stigviewer.com/stig/microsoft_edge/2021-02-16
           | /fi...
           | 
           | [4] https://www.stigviewer.com/stig/google_chrome_current_win
           | dow...
        
             | ollien wrote:
             | I can think of at least one legitimate reason to block the
             | dev console. There are these posts I've seen over the years
             | that say to "press the hotkey to open the Javascript
             | console, and paste this Javascript blob" (obviously in much
             | more persuading terms) to get a discount on RayBands or
             | something. Disabling it prevents a possible information
             | leak vector.
        
               | alexjplant wrote:
               | There's a legitimate reason for doing _almost anything_ -
               | it's a question of likelihood, impact, and knock-on
               | effects.
               | 
               | I can only imagine how much taxpayer money has been set
               | on fire by developers having to debug single-page
               | applications running on these systems without the aid of
               | Dev Tools... these types of material wastages are created
               | in an imperfect attempt to prevent the mere possibility
               | of something that could be more effectively mitigated
               | through training and web content filtering.
        
               | _fat_santa wrote:
               | I've never seen one in the wild, thought it would be
               | interesting to see what they want you to paste into the
               | console, probably something to transmit them your session
               | token. I know Facebook has a huge warning about it when
               | you open devtools on their site.
        
               | ollien wrote:
               | Yeah - they added that warning because of these precise
               | things. I haven't kept one around but I've definitely
               | seen them since I fell for it many, many years ago.
        
             | dylan604 wrote:
             | This seems really lazy. Duh, it's gov't, but I'm talking
             | about the attacker. If they can use JS to gather all of
             | that info to display in the console hoping to get a user to
             | read it back to them or whatever, why not just save it all
             | and submit back via ajax?
        
           | codegeek wrote:
           | How dare you did "View Source", you hacker.
        
             | jaycroft wrote:
             | Counterpoint that might get some attention:
             | 
             | "The Governor is in possession of software on his personal
             | computer that allows him to decrypt the personal details of
             | thousands of constituents who may have voted for or against
             | him."
             | 
             | The "software" being a web browser, of course.
        
             | dylan604 wrote:
             | Better hope they only used View Source. Could you imagine
             | the federal crime of using curl or wget to retrieve this
             | data?
        
             | jakelazaroff wrote:
             | What's "view source", some kind of hacking instructions?
             | Sounds like you're abetting.
        
               | dylan604 wrote:
               | As long as you're not aiding at the same time. Aiding &
               | abetting is a no-no. Aiding OR abetting is not claimed to
               | be an issue.
        
               | amirhirsch wrote:
               | you mean Aiding XOR abetting. consider the forum.
        
               | dylan604 wrote:
               | why does it have to be exclusive? If both are false, then
               | there's no confusion on making a charge. If only one is
               | true, then someone being lazy might think it matches.
               | 
               | along your lines of considering the forum, wouldn't it
               | need to be aiding && abetting? i don't know how to
               | bitwise compare aiding to abetting.
        
               | tombert wrote:
               | I think "view source" is a hacking tool invented by the
               | notorious hacker group "4chan". I say we start a
               | change.org petition to get Google to remove it from
               | Chrome.
        
               | Shared404 wrote:
               | I think "view source" was actually invented by the
               | Russians, then leaked by "4chan" - They're an individual,
               | not a group.
               | 
             | You probably got it mixed up with Lunix, _that_ was
             | invented by "4chan".
        
               | tombert wrote:
               | Completely tangential, but have you seen LUnix (Little
               | Unix)? It's actually pretty impressive for something on
               | the C64. Full on preemptive multitasking seems pretty
               | impressive for something as little as the Commodore.
               | 
               | https://en.wikipedia.org/wiki/LUnix
        
               | Shared404 wrote:
               | I hadn't, but I may be trying to rig that up in an
               | emulator later, that seems awesome!
        
               | tombert wrote:
               | I've only played with it a bit, certainly not enough to
               | make any real definitive statements about it, but I think
               | for what it is it's pretty impressive...stuff like that
               | always makes me wonder why Commodore wasn't more
               | successful [1].
               | 
               | [1] I know LUnix didn't come out until 1993, so it would
               | have been too late to save Commodore, and certainly past
               | the C64's prime. It just demonstrates what the C64 was
               | capable of.
        
               | theandrewbailey wrote:
               | In all seriousness, considering Google's track record of
               | discontinuing useful services and features, I expect
               | Chrome to drop View Source any release now. It will be a
               | sad day.
        
               | Sebb767 wrote:
               | That would also be the day people would have a far harder
               | time optimizing for Chrome. So they'd probably actually
               | help the browser market by doing so.
        
               | dylan604 wrote:
               | Who browses the web without the DevTools exposed by
               | default? I don't know how to make the web work without
               | "fixing" web pages before attempting to read them.
        
               | jaywalk wrote:
             | Who browses the web _with_ Dev Tools exposed by default?
             | Why do you feel the need to "fix" every web page you
             | look at?
        
               | dylan604 wrote:
               | websites attempting to poorly comply with cookie banners
               | and other GDPR regs that block a site from working
               | without accepting something. I just display:none the
               | offending elements and then remove the overflow:hidden.
               | Disabling JS usually works, but sometimes the images in
               | the page are lazy loaded via JS and will not load
               | without.
        
               | jaywalk wrote:
               | Here you go:
               | https://chrome.google.com/webstore/detail/super-agent-
               | automa...
        
               | dylan604 wrote:
               | Thanks for playing, but I do not use Chrome. Also, I'm a
               | bit perverse in my enjoyment of doing this on my own.
        
               | theandrewbailey wrote:
               | FYI, that's not the View Source feature.
        
               | dylan604 wrote:
             | No, but it's infinitely more useful. All of those SPAs
             | that have 4 lines of HTML when View Source is used, but
               | the Inspector shows exactly what elements are currently
               | in the DOM that have been loaded by JS. Of course, you're
               | aware of that just like I'm aware of the difference in
               | tools.
        
               | [deleted]
        
             | Buttons840 wrote:
             | > you hacker
             | 
             | What a "hacker" is is a matter of definition.
             | 
             | But, the fact is the state was using "encryption" with such
             | a level of security that pressing one button on any
             | computer with a browser is all that is required to defeat
             | it.
        
               | jaycroft wrote:
               | And I'll bet even the governor has access to this
               | decryption software - he's got it installed on his phone,
               | even! He must be hacking on the go.
        
             | hoppla wrote:
             | Some serious Jedi business going on here
        
           | jjkaczor wrote:
           | That's why at my current client, DevTools in the browser is
           | blocked through Group Policy...
           | 
           | /not sarcasm, I wish I was joking...
        
       | jahabrewer wrote:
       | Tell me you don't understand computers without telling me you
       | don't understand computers.
        
         | calderarrow wrote:
         | Senators too! We must end finstas!
         | https://www.youtube.com/watch?v=TGt1Ukg7q4Y
        
           | mediumdeviation wrote:
         | So that quote is actually taken out of context. The Senator
         | knows what finstas are, and is using it to drive a different
           | argument - that Instagram is incentivized to help teenagers
           | bypass parental control
           | https://www.theverge.com/2021/10/1/22704308/finsta-
           | instagram...
           | 
           | > "Finstas are fake Instagram accounts. Finstas are kids'
           | secret second accounts. Finstas often are intended to avoid
           | parents' oversight. Basically, Facebook depends on teens for
           | growth," Blumenthal said. "Facebook also knows that nearly
           | every teen in the United States has an Instagram account; it
           | can only add more users as fast as there are new 13-year-
           | olds."
        
             | rory wrote:
             | Even with the added context, it's pretty clear he has a
             | very limited grasp on how finstas work. It's reasonable to
             | be concerned about that when he is demanding they be
             | banned.
        
         | psychometry wrote:
         | Tell me you're the Republican governor of a deep red regressive
         | shithole state without telling me you're the Republican
         | governor of a deep red regressive shithole state.
        
           | throwaway0a5e wrote:
           | Authoritarian blue states do this crap too. This has nothing
           | to do with the set of policy positions on your party's
           | official platform and everything to do with being a
           | totalitarian jerk, a characteristic that abounds among
           | politicians and high level government officials in general
           | across many parties and nations.
        
             | atkailash wrote:
             | It's a consequence of having people 80 years old who can
             | barely write an email and still use Internet Explorer on
             | AOL run things. Party is irrelevant in this case for sure
        
             | TimTheTinker wrote:
             | Well done. Authoritarianism is alive and well across the
             | political spectrum.
        
             | aynyc wrote:
             | Examples?
        
               | NovemberWhiskey wrote:
               | Cuomo.
        
               | psychometry wrote:
               | That's a person not an example.
        
               | axx0 wrote:
               | New York...
        
               | NovemberWhiskey wrote:
               | It's both! But e.g.
               | https://www.thecity.nyc/2021/3/11/22326532/tough-guy-
               | cuomos-...
        
             | voidfunc wrote:
             | Yea but at least in a decently blue state I expect the
             | jurors in an actual courtroom eventually to side with
           | reason whereas I expect red state jurors to lap up this
           | tough on crime crap like it's mother's milk.
             | 
             | GOP/Red States are the way they are because the people are
             | too stupid for their own good.
        
         | vkou wrote:
         | He understands computers, but it's easier for him to blame the
         | press for his government's failings. His base laps this sort of
         | thing up.
        
       | giaour wrote:
       | Nobody tell the gov how savagely he's being raked over the coals
       | in these comments, or tomorrow's headline will be about a RICO
       | case launched against the hacker collective known as "Hacker
       | News."
        
         | codegeek wrote:
         | Someone should tweet this discussion to him or his office.
         | #stopclickingviewsource
        
       | MereInterest wrote:
       | Now that they've shot the messenger, I'm sure that everything
       | will be perfectly fine, right?
        
       | exporectomy wrote:
       | Worth realizing that a lot of pre-internet systems like
       | bureaucracies and phone networks were full of known and actively
       | exploited vulnerabilities but they relied on obscurity and the
       | law to discourage excessive exploitation so white-hat hacking
       | didn't make sense.
       | 
       | Somebody who's been out of touch for the past 20 years could
       | easily see responsible disclosure as the beginning of an
       | extortion attempt. "I can access your data and I'll publish
       | sensitive information about it in 30 days." sounds like it's
       | about to be followed up with "...unless you send me a pile of
       | money in unmarked bills".
        
       | heavymark wrote:
       | "In a press release Wednesday, the Office of Administration
       | Information Technology Services Division said that through a
       | multi-step process, a "hacker took the records of at least three
       | educators, decoded the HTML source code, and viewed the social
       | security number of those specific educators." Ha, or summarized a
       | user clicked "View Source" in their browser. Well I guess the
       | first of the multi-step process is opening said browser.
        
         | cortesoft wrote:
         | I mean, everything is a multistep process if you are pedantic
         | enough.
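       The press release quoted above describes "decoding the HTML
       source code" as if it were a cryptographic step; in practice it
       is reading the markup the server already sent to the browser.
       The following Python script, an added example that is not part
       of this thread and has nothing to do with the real Missouri
       site, shows the check a site owner (or a reporter) would
       actually run: feed a page's raw HTML through the standard-library
       parser and report any SSN-shaped value that appears in an HTML
       comment, an attribute such as a hidden input, or inline script,
       i.e. places a user never sees without View Source. The sample
       page, the names in it and the SSN-shaped numbers are all
       constructed for the example.

```python
"""Scan raw HTML for SSN-shaped values that do not render on the page.

Added example; the sample document below is constructed and every
value in it is fictional.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: a fictional educator record with an
# SSN-shaped value embedded three ways that View Source exposes but a
# rendered page hides. The phone number is a decoy with a 3-3-4 shape.
SAMPLE_HTML = """<html><body>
<h1>Educator Credentials</h1>
<p>Name: Jane Doe</p>
<!-- ssn: 123-45-6789 -->
<input type="hidden" name="ssn" value="321-54-9876">
<script>var educator = {ssn: "555-12-3456"};</script>
<p>Phone: 573-751-3222</p>
</body></html>"""

# AAA-GG-SSSS with the SSA's structurally invalid ranges excluded:
# area 000, 666 or 9xx; group 00; serial 0000.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"
)


class SSNScanner(HTMLParser):
    """Collect (context, value) pairs for every SSN-shaped token."""

    RAW_TEXT_TAGS = ("script", "style")

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_raw_text = False

    def handle_starttag(self, tag, attrs):
        if tag in self.RAW_TEXT_TAGS:
            self._in_raw_text = True
        # Attribute values: hidden inputs, data-* attributes, etc.
        for name, value in attrs:
            if value:
                for hit in SSN_RE.findall(value):
                    self.findings.append((f"attribute {tag}@{name}", hit))

    def handle_endtag(self, tag):
        if tag in self.RAW_TEXT_TAGS:
            self._in_raw_text = False

    def handle_data(self, data):
        # HTMLParser delivers <script>/<style> bodies via handle_data too,
        # so label them separately from text the browser would render.
        context = "script/style" if self._in_raw_text else "visible text"
        for hit in SSN_RE.findall(data):
            self.findings.append((context, hit))

    def handle_comment(self, data):
        for hit in SSN_RE.findall(data):
            self.findings.append(("html comment", hit))


def find_ssns(html: str):
    """Return every SSN-shaped value in the document with its context."""
    scanner = SSNScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def hidden_ssns(html: str):
    """Only the hits a user would never see without View Source."""
    return [f for f in find_ssns(html) if f[0] != "visible text"]


if __name__ == "__main__":
    for context, value in find_ssns(SAMPLE_HTML):
        print(f"{context}: {value}")
```

       Point the same function at the output of `curl` against your own
       site's pages to audit them; the regex only recognises the
       dashed AAA-GG-SSSS form, so extend it if the application emits
       undashed nine-digit values.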
        
       | jonnycomputer wrote:
       | The governor is making a fool of himself.
        
       | mindcrime wrote:
       | I try to be an optimistic person, I really do. I try to remind
       | myself that the sky isn't literally falling, and that the world
       | is a more generally pleasant and peaceful place today than what
       | it has been throughout much of history.
       | 
       | But.
       | 
       | Every time I see something like this, it just about drains my
       | spirit to nothingness. I want to embrace nihilism and just quit
       | giving a fuck about anything or anybody when I see stupidity on
       | this level, and displayed by somebody who managed to get elected
       | governor of a %@%#ng US state. It really is hard sometimes, to
       | not just withdraw into a shell of isolation and decide "fuck it,
       | this world is too damned stupid for me to bother with."
       | 
       | I don't _like_ feeling that way mind you, and I actively try to
       | fight the urge to give in to that kind of thinking, but it seems
       | to get harder and harder with every passing year. Am I weird in
       | this regard, or are other people experiencing this as well?
        
         | natechols wrote:
         | Read more history! (Especially read what the Wilson
         | administration did to the Socialists - the origin of the phrase
         | "yelling fire in a crowded theater." Many of us would riot if
         | this happened today.) Stories like this have been happening
         | since long before I was born, and will continue to happen long
         | after I die, because voters will continue to elect stupid
         | people some fraction of the time. The correct response isn't
         | nihilism, but constant vigilance, and constant shaming of
         | elected officials who abuse their powers.
        
           | mindcrime wrote:
         | _The correct response isn't nihilism, but constant
         | vigilance, and constant shaming of elected officials who
         | abuse their powers._
           | 
           | I want to believe that, but after watching the Trump
           | administration and how people seemed to embrace him more and
           | more despite his continuing shameful acts, it's just hard to
           | sustain belief that this all leads anywhere.
           | 
           | Sorry guys, not trying to be Debbie Downer here. I guess I'm
           | just in a shitty mood today for some reason.
        
             | saruken wrote:
             | > it's just hard to sustain belief that this all leads
             | anywhere
             | 
             | I'm with you 100%. I don't want to be there, but there I
             | am. And sometimes it all feels utterly pointless -
             | civilization, the human endeavour, everything. My
             | particular slippery slope goes like this:
             | Humanity is going to waste the one-time gift of fossil fuel
             | accreting the already-grotesque hoards of a few hundred
             | individuals. Then these people will die, nothing will have
             | been gained on the whole, and instead of infrastructure
             | which we could have used to pivot to some recognizable
             | future, our descendants will be left with nothing but
             | unrest and some variety of ecological hot potato. And then
             | we will all die out or revert to a pre-technological state,
             | and either way all the gains of science and human ingenuity
             | will be lost.
             | 
             | Is that how yours goes too?
             | 
             | I don't know what to do about all that, but usually I can
             | convince myself that working on some tiny project to help
           | things _not go that way_ is a worthwhile effort. And of
           | course it's pretty much all I can do.
             | 
             | Also here are a couple quotes that help me get out of such
             | perspective ruts:
             | 
             | * "Even though I'm always in pain, it's worth sticking
             | around to make my corner of the world a slightly better
             | place." -Ricky Gervais' character from After Life
             | 
             | * "I cringe at my arrogance. Actually, cringing at my
             | arrogance is just another, more rarified, level of
             | arrogance." -Alison Bechdel
             | 
             | * "Goodness: You got to make it out of badness. Because
             | there isn't anything else to make it out of." -Robert Penn
             | Warren
        
             | NoGravitas wrote:
             | Yeah, even leaving aside the T-word; there's a broad swath
             | of the US population who are willing to believe anything
             | that is expected of them by their chosen authorities
             | (mainstream Democrats are as guilty of this as Republicans,
             | they just chose different authority figures). Sometimes,
             | insanity is the only sane response to an insane world.
        
               | somebehemoth wrote:
               | > Democrats are as guilty as Republicans
               | 
               | No they aren't. Not even remotely close. I'm exhausted by
               | "both sides". "Both sides" arguments cause apathy in
               | people because what is even the point in voting if, "both
               | sides".
        
         | MangezBien wrote:
       | The politicization of COVID was the final straw for me. I have
         | no more faith in humans in a collective sense. I don't see how
         | we can expect democracy to work when people are willfully
         | ignorant of their world and unwilling to do the work to learn.
        
         | heavyset_go wrote:
         | I wouldn't say this is the result of stupidity. This is the
         | result of a governor riling up his base by attacking the press.
        
         | jonas21 wrote:
         | > _It really is hard sometimes, to not just withdraw into a
         | shell of isolation and decide "fuck it, this world is too
         | damned stupid for me to bother with."_
         | 
         | In moderation, I think this is actually the correct response.
         | Unless you live in Missouri, who cares what stupid things the
         | Governor of Missouri says?
         | 
         | In a previous era, you never would have heard about this story
         | at all. It's just a politician in a minor state trying to score
         | some political points. It's very unlikely they'll actually
         | charge the reporter with anything, much less convince a jury to
         | convict.
         | 
         | In today's connected world, it's easy to get news from anywhere
         | at anytime and be outraged. Sometimes you just have to ignore
         | it for your own sanity.
        
           | tshaddox wrote:
           | > Unless you live in Missouri, who cares what stupid things
           | the Governor of Missouri says?
           | 
           | Because that person literally rules over millions of people,
           | the overwhelming majority of which didn't vote for him (1.7m
           | votes out of the 6.1m population). Right now he is literally
           | threatening state violence against a reporter for looking at
           | a government website that accidentally leaked personal
           | information.
        
             | dghlsakjg wrote:
             | Grandstanding politicians are one thing.
             | 
             | Getting a prosecutor to risk their career on prosecuting a
             | journalist for politics is quite a bit more difficult.
             | Journalists are well aware of their rights, and have
             | lawyers between them and law enforcement.
             | 
           | I think it's dumb, but as a former photojournalist who had a
           | very large oil company (Halliburton) use a very small police
             | department to come after me for trespassing, I can assure
             | you that the newsroom is NOT scared right now.
        
         | decebalus1 wrote:
       | Welcome to the club. The tipping point for me was the
       | politicization of Covid.
        
         | merpnderp wrote:
         | It isn't stupidity. Government officials know this kind of
         | thing will ultimately be a loser for them. But they know the
         | mere threat of putting someone through the process of
         | prosecution is punishment enough.
         | 
         | This is what we need to work on correcting. If a judge laughs
         | your case out of court, there should be a severe penalty,
         | especially if you're the government.
        
           | hn_throwaway_99 wrote:
           | > It isn't stupidity.
           | 
           | Hard disagree. If you're arguing that it's malice, and not
           | stupidity, on the part of governor and others that put out
           | this nonsense, then at least they are surely depending on the
           | stupidity of their constituents at large for not laughing
           | them out of office.
           | 
         | And to be clear, I'm not _at all_ taking the position that
         | people who don't have a deep depth of technology are stupid.
           | But pretty much everyone in the US knows how to use a web
           | browser these days, and believing people will buy the
           | governor's completely lobotomized argument [1] is totally
           | embarrassing, either for the governor or his constituents
           | that elected him.
           | 
           | 1. https://twitter.com/GovParsonMO/status/1448750830857904129
        
         | n8cpdx wrote:
         | I'm with you. It is really hard. First big wake up call was
         | Brexit and the election of DJT. Are my countrymen really
         | willing to shit on dedicated public servants and throw away the
         | foundation of our remarkably safe and prosperous world? Sadly,
       | yes, and the Europeans are just as eager; madness everywhere.
         | 
         | I stepped out of public engagement for a while, then moved to
         | Portland when I was ready to get back in. That was a whole new
         | lesson: the lefty/progressive types are just as bad at
         | governing. And the leftist/progressive voters are just as
         | likely as the right to treat politics like a team sport.
         | Portland is more dangerous for black people than Chicago now
         | #BlackLivesMatter. Developers keep pulling out of affordable
         | housing developments because of planning bullshit, and the city
       | thinks it's a good idea to mandate that contractors be women
         | owned. Meanwhile, thousands are sleeping rough.
         | 
         | The politicians are awful, but in a democracy, the fault for
         | that lies 100% with the people. Elected office, like next-door,
         | doesn't make people bad; it simply reflects the rotten core of
         | 21st century civil society.
         | 
         | Absolutely maddening is the lack of interest in concrete policy
         | or actually using data to analyze changes and measure success.
         | 
         | I think I'm about ready to stop caring and have a nice life
         | while my species hurtles towards the great filter. Life and the
         | universe are meaningless anyway.
        
           | what_is_orcas wrote:
           | > The politicians are awful, but in a democracy, the fault
           | for that lies 100% with the people.
           | 
           | Yes and no. Yes in that the politicians are selected from
           | people they represent (in theory), but also no in that once a
           | person becomes a politician, their incentives change and they
           | are no longer representing the people that elected them.
           | 
           | Further, once in power, the systems can be "rigged" into
           | maintaining that power (gerrymandering is an example of
           | this). DJT couldn't become King of America without first
           | becoming president. Once he became president, though, he
           | definitely tried to rig the system to make him, effectively,
           | King of America.
        
           | mullingitover wrote:
           | > The politicians are awful, but in a democracy, the fault
           | for that lies 100% with the people.
           | 
           | Democracy is a convenient way for the ruling class to hand-
           | pick the people who are allowed to run for office and blame
           | the voters for any bad results. There's research showing that
           | there's very little correlation between the policy goals of
           | the voting public and policy outcomes, but there's a strong
           | correlation between policy goals of the ruling class and
           | policy outcomes.
        
       | nonesuchluck wrote:
       | Why is everyone here acting like the governor is merely stupid?
       | He is not arguing from ignorance, he is arguing in bad faith.
       | Mike Parson wants to feed the narrative that the American free
       | press is the "enemy of the people" because it suits his politics,
       | nothing more.
       | 
       | The only message here is "be careful embarrassing fascists."
        
         | SamPatt wrote:
         | Nearly all politicians act like this when they're in power. The
       | general public is easily misled.
         | 
         | HN notices it when it's a tech issue, but it happens in
         | economics, medicine, basically everywhere. They have zero
         | incentives to accept responsibility.
        
           | jeremyjh wrote:
           | Nearly all politicians prosecute reporters? No, I'm pretty
           | sure that is just the fascists.
        
             | SamPatt wrote:
             | Substitute whistleblower for reporter and yes, nearly all
             | politicians will use the criminal justice system to silence
             | their critics.
             | 
             | Was Obama a fascist? I have no desire to engage in
             | whataboutism, they all show their true colors when they're
             | in power and shown corrupt or incompetent.
        
               | jeremyjh wrote:
               | >I have no desire to engage in whataboutism
               | 
               | Then don't.
               | 
               | I think Snowden should be pardoned and considered a
               | national hero, but he unquestionably committed a very
               | serious crime. There was no crime committed in the State
               | of Missouri on this matter.
        
             | kmlx wrote:
             | > pretty sure that is just the fascists.
             | 
             | i'm not from the US, but is it common in the US to use
             | these kinds of accusations? seems ultra far fetched.
        
               | cowpig wrote:
               | I used to recoil at these kinds of statements until I saw
               | what the Trump administration was doing.
               | 
               | It's not an exaggeration. Stephen Miller, Steve Bannon,
               | Richard Spencer, all these people in Trump's inner circle
               | are self-described "alt-right," "white nationalist," or
               | some other euphemism for ethno-fascist.
               | 
               | Racism and fascism in the US are very real, serious
               | problems, and have become synonymous with the Republican
               | party.
               | 
               | edit, here is a link or two:
               | 
               | https://www.vanityfair.com/news/2017/05/stephen-miller-
               | duke-...
               | 
               | https://www.npr.org/2019/11/26/783047584/leaked-emails-
               | fuel-...
        
               | mbg721 wrote:
               | Just think how much trouble we would have saved if only
               | we'd been able to call Mussolini a Fascist in the 30s.
        
               | Dylan16807 wrote:
               | Is prosecuting reporters not, like, _definitionally_
               | fascist?
        
               | jeremyjh wrote:
               | Right, you don't need any other supporting information
               | and you don't have to bring political parties into it. If
               | a politician is prosecuting a reporter for embarrassing
               | the state - not for committing a crime - they are a
               | fascist.
        
               | kmlx wrote:
               | i don't think either of you is correct. there are many
               | tenets of fascism, and prosecuting (or straight up
             | imprisoning) journalists is a common occurrence in
               | socialist and capitalist countries. by your definition a
               | lot of capitalist and socialist countries around the
               | world are fascist, which is false.
        
               | [deleted]
        
               | ModernMech wrote:
               | I don't think they meant to imply that _all_ people who
             | imprison reporters are definitionally fascist, but that
             | fascists definitely imprison reporters as a matter of
             | course. The claim was that accusing someone of
             | imprisoning reporters of being fascist is "ultra far
               | fetched". But if imprisoning reporters is something that
               | fascists are wont to do, then it doesn't seem to me that
               | questioning if these people are fascist is "ultra far
               | fetched". You could also want to know if they were
               | socialists if that's the thing you believe socialists do.
        
               | SamPatt wrote:
               | Yes. Most online discourse about politics will eventually
             | have someone claim fascism or make a Hitler reference.
               | 
               | If you aren't among one of the two sides it can be
               | humorous to watch at times.
        
               | lloydgrossman wrote:
               | and there's the 3rd response: the enlightened centrist.
        
               | stronglikedan wrote:
               | From the extremists, yes, it is common. The "other"
               | side's elected officials are nearly always labelled
               | "fascists". However, the majority of the electorate is
               | smart enough to recognize that it's just a failed appeal
               | to emotion, and nothing more. (except maybe exhausting)
        
           | dylan604 wrote:
           | Because of HN no-politics type of policy, the only time HN
           | can get riled up is when the politics involve tech. It's not
           | that HN readers have no interest in these other topics.
           | There's limitations on what the man will allow you to discuss
           | about the other man. Hi dang!!!
        
         | philote wrote:
         | I wonder if he's trying to "control the narrative" in the hopes
         | that he (or the state) isn't sued for releasing private
         | teachers' data to the public.
        
       | dreamcompiler wrote:
       | One time I walked down a little-used alley and noticed my
       | neighbor had left his garage door open. The open door was not
       | visible from the street but anyone who happened to walk down the
       | alley would have seen it. I called the neighbor to tell him he
       | might want to close his garage door. He accused me of burglary
       | and called the cops.
       | 
       | No this didn't actually happen but it's the analogy that came to
       | mind.
        
       | [deleted]
        
       | unethical_ban wrote:
       | I wish that a conservative outlet would call the governor out. I
       | feel like a thousand articles from Wired, NPR, the New York
       | Times, and the founder of the WWW could all describe in
       | wonderful, simple terms how bombastic and willfully ignorant and
       | hostile this action is, and it would be construed as partisan.
        
       | croes wrote:
       | Something similar happened in Germany. A programmer found a bug
       | in his customer's shop system. He disclosed the bug to the shop
       | provider and they reported him; there was a house search at his
       | company and his computers were confiscated.
        
       | matt123456789 wrote:
       | Recently, I had to submit a bunch of information (name, address,
       | DOB) into a Google Forms page in order to request a COVID-19
       | vaccine CDC card from my state's health department. This Google
       | Form was run by a contractor for the state's health department
       | and was misconfigured to allow viewing all previous responses
       | after submitting. One click on "view previous responses" on the
       | post-submission Google Forms page and you can view everyone
       | else's names, addresses, DOBs, and information like which vaccine
       | they received and in what arm.
       | 
       | I almost didn't report it, since the kind of shit as described in
       | the link above gets reported so regularly. But I did, and it got
       | fixed quickly. Now I'm just sat here hoping I don't get served a
       | lawsuit next week by some idiot hoping to cover their ass and
       | make me out to be some kind of malicious actor. (Advice
       | welcome...)
        
       | rbanffy wrote:
       | I can't wait for the time politicians will be people with at
       | least a rudimentary grasp on modern technology.
        
       | DeWilde wrote:
       | I wonder what his reaction will be when people start hacking the
       | state's websites and outright leaking stuff to just spite him.
       | 
       | Dumb move on his part.
        
       | jpmattia wrote:
       | > _No private information was publicly visible, but teacher
       | Social Security numbers were contained in HTML source code of the
       | pages._
       | 
       | If it was in the HTML source code, then it was publicly visible,
       | so it is unclear what the article is trying to say.
        
         | Isthatablackgsd wrote:
         | Every browser has access to the HTML source, even if it is merely
         | right click here and there. If the SSN is in the HTML source,
         | then the blame should be on the webmaster who designed that
         | code. Of course, accountability is not part of their tenet, it
         | is too foreign for them.
         | 
         | And look at the age of the governor, clearly shows that he is
         | inept with the fundamental of the internet.
         | 
         | I forgot to add one more thing. Did they not realize that there
         | are scrappers who will scrap every bit of information of
         | everything including the HTML code. I wonder how much
         | scammers/ID theft scrapped the data before this came to light?
        
           | dragonwriter wrote:
           | > the blame should be on the webmaster who designed that
           | code.
           | 
           | "Webmasters", where they exist at all anymore, tend not to
           | "design code".
           | 
           | > Did they not realize that there are scrappers who will
           | scrap every bit of information of everything including the
           | HTML code. I
           | 
           | "...scrapers who scrape..." should be the concern here, not
           | "...scrappers who scrap..."
           | 
           | > And look at the age of the governor, clearly shows that he
           | is inept with the fundamental of the internet.
           | 
           | Gov. Parson is 12 years younger than Vint Cerf and the same
           | age as Sir Tim Berners-Lee.
        
           | cafard wrote:
           | Mike Parson is twenty-two days older than I am. I've been
           | using View Source for a lot longer than twenty-two days.
        
           | retrac wrote:
           | I don't understand the age excuse, honestly. My mother is
           | about the same age. She is not technical, but she has used
           | computers for the last 30+ years. Just like any other
           | white-collar worker. She would have wrangled with WordPerfect
           | control codes to format insurance quotes in the 80s. Document
           | markup (and stuff hidden in the markup) is not esoteric
           | knowledge, or I wouldn't think it is. Except apparently it
           | is.
        
         | AlexCoventry wrote:
         | Perhaps opening and reading HTML source code is widely viewed
         | as an esoteric skill.
        
           | coldacid wrote:
           | Given that other recent article about university students who
           | don't know what files are, I wouldn't be surprised in the
           | slightest if this is considered esoteric.
        
         | eloisius wrote:
         | To laypersons HTML comments or display:none is invisible. But I
         | agree, this is like a blast from the 90's when View Source was
         | leet hacking.
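
       The point this subthread keeps circling (HTML comments, display:none
       and hidden fields are in View Source but not on screen) as an added
       example, not code from anyone in the thread: a stdlib-only Python
       audit that separates what a browser renders from what only exists in
       the markup, run over a constructed page with made-up 000-xx-xxxx values.

```python
# Added example (not code from the thread): find SSN-shaped values that sit in
# the markup but never render. Page and 000-xx-xxxx values are constructed.
import re
from html.parser import HTMLParser
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
VOID = {"input", "img", "br", "hr", "meta", "link"}  # elements with no end tag

class PIIAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.visible = []       # text nodes a browser would render
        self.findings = []      # (where, value) for PII that is source-only
        self._stack = []        # per open element: did it start a hidden subtree?
        self._hidden = 0        # >0 while inside display:none or [hidden]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hides = "display:none" in style or "hidden" in attrs
        for name, value in attrs.items():   # PII stuffed into attributes
            for m in SSN_RE.findall(value or ""):
                self.findings.append((f"attr {tag}@{name}", m))
        if tag not in VOID:
            self._stack.append(hides)
            self._hidden += hides

    def handle_endtag(self, tag):
        if self._stack and self._stack.pop():
            self._hidden -= 1

    def handle_comment(self, data):     # e.g. leftover debug comments
        for m in SSN_RE.findall(data):
            self.findings.append(("comment", m))

    def handle_data(self, data):
        if self._hidden:
            for m in SSN_RE.findall(data):
                self.findings.append(("hidden element", m))
        elif data.strip():
            self.visible.append(data.strip())

def audit(html):
    """Return (rendered text nodes, findings present only in View Source)."""
    p = PIIAudit()
    p.feed(html)
    return p.visible, p.findings

SAMPLE = """<html><body><h1>Educator lookup</h1>
<!-- debug: ssn 000-12-3456 -->
<p>Name: J. Doe <span style="display: none">SSN 000-65-4321</span></p>
<input type="hidden" name="ssn" value="000-11-2222"></body></html>"""
```

       Running audit(SAMPLE) shows two rendered strings and three values that
       a reader would only ever see in the source, which is the whole gap
       between "not publicly visible" and "in the HTML".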
        
       | rossdavidh wrote:
       | The usefulness of having state legislators from a variety of
       | backgrounds:
       | 
       | Republican state Rep. Tony Lovasco, who according to his
       | legislative biography has worked in software deployment and
       | maintenance, tweeted Thursday that "it's clear the Governor's
       | Office has a fundamental misunderstanding of both web technology
       | and industry standard procedures for reporting security
       | vulnerabilities.
       | 
       | "Journalists responsibly sounding an alarm on data privacy is not
       | criminal hacking," he said.
        
       | 1270018080 wrote:
       | I'm from Missouri, this might be the first embarrassment many of
       | you've seen from him, but there have been a lot more prior. Truly
       | not a good look for the state that this guy got reelected.
        
         | tgdnt wrote:
         | Same here. And don't look up how he first came upon the job
         | either.
        
           | C19is20 wrote:
           | ...spare me the anxiety. Got a link or something?
        
       | diego_sandoval wrote:
       | This article reminded me that I had to report a data leak I found
       | on an ecommerce website from my country some months ago, so I
       | just did that. I reported it to a government agency responsible
       | for cybersecurity in my country, which apparently accepts reports
       | about private companies.
       | 
       | Any precautions that you recommend when reporting this kind of
       | vulnerability/data leak? (Apart from "do not access other
       | people's data if you can avoid it")
        
       | akomtu wrote:
       | Helping authorities with such matters is like feeding alligators:
       | they'll bite you if they can and they won't be grateful.
        
       | FpUser wrote:
       | So when do we start prosecuting for malicious prosecution and
       | gross incompetence?
        
       | avgDev wrote:
       | Seriously, the government should have experts on hand who can
       | translate tech into concepts they can understand. This is
       | unacceptable.
       | 
       | Imagine HTML is a TV in Social Security office. The way the
       | storage of SS numbers was designed, is that they are hidden in a
       | backroom, however, anyone can come into the office and scream a
       | persons name to view all the information on the screen. The flaw
       | is clearly in the system.
       | 
       | I found flaws in Costco system before, I guess I should be in
       | prison for letting them know and saving them thousands of
       | dollars.
        
         | tigerwager wrote:
         | The state's Chief Information Security Officer left the post on
         | Friday https://www.govtech.com/workforce/missouri-ciso-stephen-
         | meye... didn't see anyone mention that elsewhere in relation to
         | this story.
         | 
         | getting a 403 here without a VPN, but
         | https://cybersecurity.mo.gov/ doesn't look like it's been
         | updated since 2018. The last CISO left in 2018 (~3 months after
         | the current governor took office), and the current CISO was
         | appointed by interim then
         | https://www.govtech.com/blogs/lohrmann-on-cybersecurity/miss...
        
       | [deleted]
        
       | [deleted]
        
       | dbish wrote:
       | Yet another example of how political leaders are completely out
       | of the loop on all things tech. Software is such a large part of
       | the world nowadays that we need to change this or the US is going
       | to have even more issues going forward. I don't think the current
       | parties are amenable to making changes and bringing in tech-savvy
       | people anymore, and I firmly believe the only way forward is
       | going to be to find a way to create a new party that can get
       | traction at the grassroots level that is tech-forward and led by
       | people who aren't career politicians/lawyers. The two party
       | system makes this very hard though.
        
       | TrispusAttucks wrote:
       | [1] Parson commits $50M to investigate alleged hack of Missouri
       | educator database. Includes video press conference by Parson
       | himself.
       | 
       | [1] https://fox2now.com/news/missouri/missouri-education-
       | departm...
        
         | jjkaczor wrote:
         | $50m? Wouldn't that be better spent on the actual education
         | system and educators itself?
         | 
         | Talk about corruption - spending taxpayer money to cover-up
         | mistakes made by government employees - AND libellous
         | statements made by government officials...
        
           | TrispusAttucks wrote:
           | Maybe with $50M they could fix the website flaw.
        
         | Wistar wrote:
         | I notice a "Suggest Corrections" button at the bottom of that
         | article. Perhaps a suggestion that the Governor's entire story
         | is a load of crap?
        
       | alexfromapex wrote:
       | Is this how the Governor saves face?
        
       | DeWilde wrote:
       | Tweet from the governor: "Through a multi-step process, an
       | individual took the records of at least three educators, decoded
       | the HTML source code, and viewed the SSN of those specific
       | educators."
       | 
       | > Through a multi-step process
       | > decoded the HTML source code
       | 
       | Somebody has been watching B-list hacker movies.
        
         | mminer237 wrote:
         | Step one: Press Ctrl
         | 
         | Step two: Press U
        
           | suzzer99 wrote:
           | 1. Click View in menu bar
           | 
           | 2. Hover over developer menu item
           | 
           | 3. Click View Source
           | 
           | Three-step process - even more nefarious!
        
             | bastardoperator wrote:
             | Y'all are going to prison now, I hope it was worth it! =]
        
       | mullingitover wrote:
       | It's only a matter of time before the inevitable class action
       | lawsuit settles the question of culpability for this breach and
       | assigns it 100% to the state. The teachers are going to get at
       | minimum state-sponsored credit protection services for a few
       | years, and the governor is going to get some egg on his face
       | since it was his employees who created this breach.
       | 
       | I honestly pity him a bit, because he has no clue about any of
       | the technical details, but on the bright side he's about to get a
       | crash course.
       | 
       | I have to wonder what he's thinking, though, with the brazen
       | slander. He must have some very deep pockets.
        
       | wnevets wrote:
       | Right Click -> View Source is now a multistep hacking process
       | according to this man.
        
       | ripe wrote:
       | As a hobby, I have been writing little explainers for non-
       | technical people on my blog. I wrote one for this particular
       | incident:
       | 
       | https://www.robotsinplainenglish.com/e/2021-10-14-blame-sham...
       | 
       | I hope HN readers will (gently) correct any mistakes or provide
       | clarifications to make it better. Thanks!
        
       ___________________________________________________________________
       (page generated 2021-10-14 23:00 UTC)