Governor vows criminal prosecution of reporter who found flaw in state website
Author : davidw
Score : 1086 points
Date : 2021-10-14 16:57 UTC
Link : missouriindependent.com

| adrr wrote:
| Do they even have jurisdiction to go after the reporter? My guess is the site is cloud hosted in a state other than Missouri. Crossing state boundaries is a federal matter.
| codegeek wrote:
| sshhh. The Governor would prosecute you for saying "Cloud Hosted". How dare you find this info that is hidden in the clouds? Literally only the Gods can see the clouds.
| otrahuevada wrote:
| Judging by his tweets, the governor seems under the impression that "decoding" the HTML is a multi step process and breaking it constitutes unlawful access.
| 
| He does not, however, feel like expanding on what that means. Several people tried to reach him on that, without success.
| 
| Does anyone have "lawful" access to the site? I want to see for myself how those bits of PII showed up in the markup.
| wanderingmind wrote:
| Can someone with knowledge of law explain if the reporter can now file a lawsuit against the government for violating his 1A rights, or does he need to wait for this case to get thrown out first?
| MrWiffles wrote:
| With "leaders" this goddamn stupid, it's no wonder Russia pulls off so many hacks against us.
| kizer wrote:
| "Hacked our system" -- LOL. Nothing like our conservatives for a great laugh. What a moron.
| codingclaws wrote:
| "...decoded the HTML source code..."
| jhinra wrote:
| I know, right? By that logic, I've just decoded your comment by reading it.
| woopwoop wrote:
| The governor of Montana battered a reporter for asking him a question he didn't like [0].
| There exist a number of politicians who feel that these are reasonable responses to adversarial press, and apparently a large number of voters who agree with them.
| 
| [0] https://en.wikipedia.org/wiki/Greg_Gianforte#Election-eve_as...
| blunte wrote:
| When the "leaders" show themselves to be so proudly ignorant, it makes you wonder what other decisions they have made which are completely wrong and fully executed.
| 
| In this case, I'm not terribly surprised since that governor is from the party which frequently equates educated people with being "elite" - a characteristic to be avoided.
| vbo wrote:
| There are developers out there that look like you and me, use the same tools and speak the same (programming) languages, yet have absolutely no concept of access control.
| 
| I feel there's an enormous education/awareness gap when it comes to basic security practices and it's going to hurt all of us sooner or later by having our private information leaked, sold, abused, maybe ultimately deemed irrelevant in itself -- ie what would the world look like if all (or a significant chunk) of private information was leaked and you couldn't trust the old tokens of identity?
| tyingq wrote:
| _"No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages."_
| 
| So "view source" is now hacking.
| joshenberg wrote:
| Quote from the St Louis Post Dispatch article is even more groan-worthy:
| 
| "In the letter to teachers, Education Commissioner Margie Vandeven said "an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators."
| 
| I guess webpages are kinda like encryption for idiots.
| idworks1 wrote:
| > echo json_encode($search_results);
| 
| This is how I found out how much I, and all other contractors, were being paid.
| And also how much the contracting company was actually charging the clients. All the data was being returned in JSON but very little was being displayed.
| 
| Looking at the story, this is more of a posture thing. I'm sure the Governor is surrounded with people who can tell him that no hacking took place, but why miss an opportunity to show you take the privacy of Missourians to heart.
| 0x262d wrote:
| wow, what fraction of websites leak data I want to look at? should I be poking at every non-tech-giant site I go to?
| codegeek wrote:
| You will be surprised. Do an "Inspect Element" and have fun filtering on "XHR requests". Notice that JSON that a lot of those requests return. but sshhhh, you didn't hear this from me.
| photochemsyn wrote:
| The analogy is going up to a house and checking all the doors and windows to see if they are locked. That's rather like port scanning, a form of 'poking'. If you go to a state government web site and do that, even if you don't exfiltrate data or load it up with ransomware, it's definitely very shady behavior, although it seems there are no laws against it in the USA (some ISPs will ban users caught doing this however).
| 
| Obviously if you broke into someone's house and then asked them to pay you for your 'vuln discovery', err...
| 
| However, I think looking at HTML code on a public facing web page is not that. If you hang naked pictures of yourself on your front door, you don't get to complain when people take pictures of them.
| 
| 1. https://www.calyptix.com/top-threats/port-scanning-legal-ans...
| ajmurmann wrote:
| The data was sent to my browser. The more fitting analogy to me is that I get a letter and a huge pile of documents in a giant binder. Some of the documents are referenced in the letter. Now the sender gets upset because I started looking at the documents in the binder that weren't referenced in their cover letter.
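Added example, not posted by any commenter: the `echo json_encode($search_results)` pattern idworks1 describes (serialize the whole database row, let the front end pick what to show) next to an allow-listed projection, plus a check that walks a JSON response at any depth and reports sensitive keys. The `ContractorRow` fields, the sample rows and the field names are constructed for this example and are not the contracting company's schema.

```python
import json
from dataclasses import dataclass, asdict

# Constructed stand-in for the rows a contractor search query returns from the
# database; the table, field names and values are assumptions for this example.
@dataclass
class ContractorRow:
    id: int
    name: str
    skills: str
    hourly_rate_paid: float    # what the contractor receives
    hourly_rate_billed: float  # what the client is charged
    ssn: str


SAMPLE_ROWS = [
    ContractorRow(1, "A. Example", "php,mysql", 45.0, 120.0, "000-00-0001"),
    ContractorRow(2, "B. Example", "js,react", 50.0, 135.0, "000-00-0002"),
]

# The only fields the search page actually renders. The hardened serializer is
# allow-list based: anything not named here never reaches the browser.
SEARCH_RESULT_FIELDS = ("id", "name", "skills")

# Keys that must never appear in a public response; used by the regression check.
SENSITIVE_KEYS = frozenset({"ssn", "hourly_rate_paid", "hourly_rate_billed"})


def search_results_leaky(rows):
    """The `echo json_encode($search_results)` pattern: serialize whole rows."""
    return json.dumps([asdict(r) for r in rows])


def search_results_projected(rows, fields=SEARCH_RESULT_FIELDS):
    """Serialize an explicit projection of each row instead of the row itself."""
    return json.dumps([{f: getattr(r, f) for f in fields} for r in rows])


def leaked_keys(payload, sensitive=SENSITIVE_KEYS):
    """Walk a JSON document (any nesting) and return the sensitive keys present.

    Suitable as a test-suite or CI check over recorded API responses: an empty
    set means the response carries none of the listed fields at any depth.
    """
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in sensitive:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(payload))
    return found


if __name__ == "__main__":
    print("leaky response exposes:", sorted(leaked_keys(search_results_leaky(SAMPLE_ROWS))))
    print("projected response exposes:", sorted(leaked_keys(search_results_projected(SAMPLE_ROWS))))
```

The projection is the fix; the walker is the regression test. Filtering in the front end, as the site in the comment did, leaves the full row in the response body for anyone who opens the browser's network tab, which is exactly what codegeek's "filter on XHR requests" advice finds.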
| cmckn wrote:
| Last year, when a Nintendo Switch was difficult to come by, I found that a large retailer's API returned exact stock counts (and even restock dates in some cases) for any physical store you wanted. Got a Switch for myself and a couple friends in an afternoon.
| cowsup wrote:
| Careful, son, you're quickly entering elite hacker turf.
| samstave wrote:
| Don't worry, I only do all this behind 7 proxies. Plus I called Google and they know all about it.
| ncr100 wrote:
| * https://oa.mo.gov/commissioners-office/news/state-missouri-a...
| 
| The State labeling a reporter as "a hacker".
| 
| * https://dese.mo.gov/media/pdf/educator-data-incident-commiss...
| * https://twitter.com/mocommissioner
| 
| State Education Commissioner refers to reporter only as an "individual". The Commissioner signs the letterhead "PhD". Sarcastically, I presume the PhD corresponds to the increase in level of correctness, from "hacker" to "individual".
| dylan604 wrote:
| If it is served via https, it is encrypted.
| 
| Edit: sorry, forgot the /s
| anm89 wrote:
| if it's in plain text in the html served, it isn't
| throwawaycuriou wrote:
| expand the lawsuit to Apple, Google, other heathen browser makers
| dylan604 wrote:
| But if you're an idiot to believe viewing source is hacking, then you're clearly the type that viewing the source is viewing encrypted data.
| 
| The actual quote states that the data was first "unencrypted" before viewing the source. This is in fact correct if not poorly phrased, but who'd expect proper terms used when we're talking about "these" people?
| anm89 wrote:
| I get what the article says and what the county claims. That doesn't make what the parent said right.
| jmull wrote:
| Not once it's loaded by the browser it's not.
| badRNG wrote:
| jesus christ...
| mikro2nd wrote:
| yes...?
| dylan604 wrote:
| Get the Escalade
| birdyrooster wrote:
| With mustard and mayonnaise on the blades
| MisterBastahrd wrote:
| Oh shit, I'm reading your encrypted message right now!
| badRNG wrote:
| You should consider responsibly disclosing this vulnerability rather than posting it here.
| buitreVirtual wrote:
| Don't dare disclosing it in Missouri!
| willcipriano wrote:
| It's ok, the disclosure is also encrypted.
| navbaker wrote:
| No it's not, you forgot to wrap it in an "<encrypted>" tag.
| lapetitejort wrote:
| Don't forget the </encrypted> tag or else the rest of the internet's traffic will be encrypted forever.
| NoGravitas wrote:
| What a nefarious ransomware attack!
| iamcreasy wrote:
| I didn't get the joke. Can anybody explain it?
| jayd16 wrote:
| Https traffic is indeed encrypted, but it's encrypted for you, the user.
| 
| It's like saying you stole documents from a sealed container when that container had your name on it, it was addressed to you, and you had the key.
| codegeek wrote:
| I knew u forgot the /s. If the Governor understood https and encryption, he wouldn't be penalizing the reporter for "View Source". Clearly he got caught at being incompetent and he is doubling down on "how dare you"
| cat199 wrote:
| nono - 'view source' is really the 'hack this website' button, it's just called 'view source' to keep the bad guys from knowing about it.
| Bluecobra wrote:
| Well you see the Internet is not something that you just dump something on. It's not a big truck. It's a series of tubes!
| teawrecks wrote:
| "Unencrypted" in this context means "did something we don't understand".
| MrPatan wrote:
| You left out the best bit: "through a multi-step process"
| DebtDeflation wrote:
| Right click.
| 
| View Page Source.
| 
| That's 2 steps. Hence, multi-step.
| eightails wrote:
| Could do it in a single step with F12. I suppose then you still have to scroll/search to find the relevant nodes...
| "multi-step" indeed
| dillondoyle wrote:
| Option+Command+U
| 
| :)
| shepherdjerred wrote:
| Three steps! What hacker could envision such an elaborate plan?
| airstrike wrote:
| Nice catch... Unbelievable. What isn't a multi-step process, really? The first thing I do in the morning is to make coffee and though I've distilled that process down to its bare minimum so I can do it while still half asleep, it is still very much a multi-step process...
| ilaksh wrote:
| I feel like not understanding basic things like that should get you fired. The Education Commissioner and Governor of the State of Missouri have demonstrated a lack of understanding of basic technologies. At this point, that means they lack core competencies to do their job, and should be fired.
| mhandley wrote:
| Where "unencrypted" means "turned the web page over, and read what was printed on the back of it".
| 
| It seems stupid to us, but non-techies just won't understand unless we come up with reasonable analogies.
| rbanffy wrote:
| > I guess webpages are kinda like encryption for idiots.
| 
| I prefer to call them muggles.
| jimt1234 wrote:
| "unencrypted the source code" means they ran an unminify tool. Very advanced; criminal masterminds. /s
| meijer wrote:
| Probably just "View Source".
| [deleted]
| tomxor wrote:
| Probably without comments stripped.
| anm89 wrote:
| I sincerely doubt it was minified
| klyrs wrote:
| I can't wait to see the legislation that treats plaintext as encrypted, and goes on to criminalize all written and electronic communication.
| dylan604 wrote:
| We must end all encryption --FBI
| dillondoyle wrote:
| How relevant for education and today. The education commission should have "send a flu shot!" lmfao
| Buttons840 wrote:
| Will this definition of encryption hold for HIPAA cases in Missouri?
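Added example, not from the thread: the defender-side check for the condition the article describes, SSNs sitting in the HTML the server sends. HTTPS encrypts the transport for the user who requested the page (jayd16's point above); it says nothing about what the server chose to put in the body, so the place to catch this is the rendered markup itself. The scanner below parses served HTML and reports SSN-shaped values wherever they occur (text nodes, hidden-input and `data-*` attribute values, comments, inline scripts), masks them in its findings, and filters out numbers the SSA never issues. Standard library only; the sample page and every number in it are constructed.

```python
import re
from html.parser import HTMLParser

# Hyphenated SSN shape. Matched in text, attribute values, comments and inline scripts.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues; trims false positives on look-alike numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value):
    """Never echo the full number in findings or logs; keep only the last four."""
    return "***-**-" + value[-4:]


class SsnScanner(HTMLParser):
    """Collects SSN-like values wherever they occur in served markup."""

    def __init__(self):
        super().__init__()
        self.hits = []        # list of (location, masked value), in document order
        self._raw_tag = None  # set while inside <script> or <style>

    def _scan(self, where, text):
        for m in SSN_RE.finditer(text or ""):
            if plausible_ssn(*m.groups()):
                self.hits.append((where, mask(m.group(0))))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_tag = tag
        for name, value in attrs:  # hidden inputs, data-* attributes, etc.
            self._scan(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None

    def handle_data(self, data):
        self._scan(self._raw_tag or "text", data)

    def handle_comment(self, data):
        self._scan("comment", data)


def scan_html(html):
    """Return [(location, masked_value), ...] for every plausible SSN in the page."""
    parser = SsnScanner()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page; every number in it is made up for this example.
SAMPLE_PAGE = """<html><body>
<h1>Educator lookup</h1>
<!-- TODO remove debug output: record 123-45-6789 -->
<table><tr><td>Jane Example</td><td>Certified</td></tr></table>
<input type="hidden" name="ssn" value="387-65-4321">
<div data-phone="555-123-4567">Contact</div>
<script>var educator = {"name": "Jane Example", "ssn": "219-09-9999"};</script>
<p>Order 000-00-0000 shipped</p>
</body></html>"""

if __name__ == "__main__":
    for where, value in scan_html(SAMPLE_PAGE):
        print(f"{where}: {value}")
```

Run it over a staging crawl or as a response assertion in integration tests. Three of the four candidates in the sample are reported (comment, hidden input value, inline script); the order-number shape with area 000 is dropped by the plausibility filter and the phone number never matches the 3-2-4 pattern.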
| websap wrote:
| We live in a world where everyone thinks they understand computers and have an expectation of security and privacy, but they don't realize how hard it is to build these systems correctly. The best security appears to be invisible to the consumer, but requires a lot of thought by the implementer.
| 
| This is the same reason why I think most of the general public don't understand how much data social media apps can collect on them. I know a lot of average technology users, who allow every single permission whenever an App asks them, because they're like obviously it's not going to do any harm. Without realizing how every action they take is recorded in a database somewhere, which will get compromised sometime in the future.
| 
| I'm not a mobile developer, but it would be interesting if iOS provided a service that allowed data to never leave the phone and provided an API for Apps to get particular types of data and showed warning levels in the App, each time more sensitive data is accessed. The App store needs to be a place where if I download an App from, I need to have the peace of mind that it won't cause more harm than good.
| ajmurmann wrote:
| > I'm not a mobile developer, but it would be interesting if iOS provided a service that allowed data to never leave the phone
| 
| I'm not sure I follow. Do you mean the app wouldn't be allowed to send any data over the network? As soon as the app can send any data, it's trivial to hide in there whatever the app wants to send home.
| websap wrote:
| My idea is that Apple encourages Apps and features / adds badges for those apps that only store data locally. The local storage should be able to identify different types of data. They provide an API that allows data to be queried so that whenever an App queries some critically confidential data it throws a big warning.
| ohazi wrote:
| The developer would just query the sensitive field either immediately or at a seemingly reasonable moment (along with dozens of other sensitive and non-sensitive fields), put everything into a blob, and then send it to the server as an opaque web request to some innocuous looking endpoint like POST /login.
| 
| You either have to completely trust the developer today and forever after, or you need to make some fundamental advancements in homomorphic cryptography. "Secure data store that can be queried with a permissions box" doesn't work.
| jmull wrote:
| > Parson said...the reporter was "attempting to embarrass the state and sell headlines for their news outlet."
| 
| Literally a reporter's job.
| mhh__ wrote:
| This could actually become illegal in the UK. The official secrets act might be amended to make it illegal to embarrass the state...
| BoxOfRain wrote:
| An Act of Parliament which would ironically embarrass the state in itself. Unsurprising from the same cast of muppets who wanted to use local newsagents to verify your age for internet pornography and make encryption illegal.
| 
| It's not even a partisan thing, it seems like almost all our major parties seem to lose 40 IQ points when the internet is involved. Everyone from Blair onwards has been a tinpot authoritarian when it comes to digital rights.
| mhh__ wrote:
| I don't think they had the IQ in the first place.
| 
| More than half of sampled MPs couldn't calculate the probability of two heads in a row from a fair coin
| faeyanpiraat wrote:
| -50 points from your profile
| jimnotgym wrote:
| ...because being an embarrassment to the state is reserved for our government
| xxpor wrote:
| The fact that journalists in the UK can and have been prosecuted for publishing leaks is completely absurd. Europeans think the first amendment goes too far a lot of the time, but this is the other side of it.
| 
| https://en.wikipedia.org/wiki/New_York_Times_Co._v._United_S...
| nemo44x wrote:
| So nearly every pol will have to be locked up.
| iggldiggl wrote:
| To quote Yes Minister: "The Official Secrets Act is not there to protect secrets, it is there to protect officials."
| switch007 wrote:
| It is amazing how much truth they stuffed in to that show
| teawrecks wrote:
| A good faith reading of that statement interprets it to mean: the act isn't intended to keep pertinent information away from the public, but to protect the identities of officials who were tangentially involved.
| 
| Surely no official interprets it to mean: protecting the _public image_ of officials by way of hiding pertinent information from the public, right?
| rchaud wrote:
| It was successful, because I, a non-Missourian, now know about it, whereas in its initial state, this story would have been voluntarily withheld.
| 
| Those scheming reporters! /s
| snarf21 wrote:
| And literally protected by the 1st amendment.
| 0xBA5ED wrote:
| The funny thing is, the reporter successfully embarrassed the state, then the state embarrassed itself further in response.
| mmazing wrote:
| Color me surprised.
| 
| I really don't understand the whole "double down" approach to doing things.
| wonderwonder wrote:
| you wouldn't; neither would most of us on this site. ~50% of the population wouldn't. They are targeting the 50% + 1 of their state population that voted for this man. They are probably doing a pretty good job of it too.
| gizmodo59 wrote:
| We won't know it for sure. Most of the state is not technical so it's whatever the popular media spins it.
| e40 wrote:
| Streisand effect, too. None of us would have heard about this otherwise.
| toomuchtodo wrote:
| "I'm going to weaponize the law because you embarrassed us."
| moate wrote:
| I can't imagine that a large, national organization like the ACLU or CPJ would want to dump tons of money into making this a massive national story should that happen...
| 
| Someone about to experience the Streisand effect in FULL force.
| mcguire wrote:
| Somehow, I have the feeling the _St. Louis Post-Dispatch's_ lawyers are thinking, "Bring it! We haven't had this much fun in ages."
| merpnderp wrote:
| I'm sure the judges likely to see this case are giggling over what they'll say to the state prosecutors.
| InitialLastName wrote:
| Having read opinions by federal circuit court judges on technical matters, it's not clear to me that the judges who will see this case are likely to understand the matter any better than the governor.
| wonderwonder wrote:
| In a state like Missouri getting sued by the ACLU is probably something that can be used to win an election and is seen as a badge of honor. They probably welcome it and all it costs them is tax payer dollars. They really just need to publicize any controversial party the ACLU represented and claim to be standing up to the sorts of people that would defend that behavior.
| 
| If they lose in court it turns into a two for one as they get to rail against 'activist judges' and whip their base to go out and vote.
| fnordfnordfnord wrote:
| > Literally a reporter's job.
| 
| And the governor's helping!
| stewx wrote:
| We should be treating Social Security Numbers as usernames, not passwords, since SSNs can't be revoked when exposed in a leak.
| csense wrote:
| Prosecuting people for responsible disclosure?
| 
| This governor is a fricking idiot.
| FpUser wrote:
| When an idiot directs prosecution it becomes a crime on its own.
| dylan604 wrote:
| This seems to be a requirement these days for being a governor.
| 
| I understand not everyone can know everything.
| The fact that it is deemed unacceptable to admit not having all of the information to make an informed decision/comment, where someone in a position of authority makes shit up to just sound authoritative, is a sad state of affairs. It's not like being a governor is the same as posting things on an internet forum.
| psychometry wrote:
| FTFY: It's a requirement for being a governor in a red state.
| good8675309 wrote:
| Polarize much? Let's just go back to the general population not trusting the government or any politician regardless of party affiliation. They're all corrupt and ignorant, it's a basic requirement.
| psychometry wrote:
| Oh, you're one of those morons who thinks both parties are equally bad, huh?
| dylan604 wrote:
| We've got some presidential mis-speaks aplenty too. Some haven't been a governor, and didn't come from a "red" state.
| psychometry wrote:
| This is clearly not an example of a politician simply "misspeaking".
| dylan604 wrote:
| Yet. Wait for them to evaluate the blowback, and then the walkback from the comment.
| kbenson wrote:
| As much as it would be comforting if it actually was, incompetence is not limited to either political party.
| tomrod wrote:
| It seems there is a certain set of political beliefs that enshrine intolerance of knowledge. Perhaps shared across multiple parties.
| Wistar wrote:
| "Idiot" is relatively high praise.
| SavantIdiot wrote:
| I'm glad my Senator can speak intelligently at DefCon.
| yummybear wrote:
| If responsibly reporting a flaw is as bad as using it for evil, you might as well just sell it on the dark web.
| michael_michael wrote:
| After the Affordable Care Act went into effect I signed our company up for our state's marketplace. While browsing our plan options, I noticed the url used a scheme like marketplace.org/employers/341/plans.aspx. Of course, I tried changing the number in the url to 342 to see what happened.
| To my astonishment, it loaded up the next company's plans, including a list of employee names, ages, plan cost, and SSNs.
| 
| After I shopped a few other companies to see how our plans compared, I notified the marketplace operator via the only link on the website for customer service. Within about an hour, someone from their IT department rang me on the phone and started grilling me about how many other plans I browsed, and insisted that I clear my cache and browsing history, and notified me that they would be watching to make sure nobody at our IP address accessed any other plans while the issue was being fixed.
| 
| I was pretty surprised at his response, and assumed they would be more grateful for exposing a pretty basic flaw, but I guess a natural human tendency in these situations is to try to externalize the blame. Perhaps it's more difficult to hold yourself accountable than it is to assume that others who've found your shoddy work are malicious actors.
| thrwwybnkvln wrote:
| I found a similar kind of problem at a bank, though the vulnerability was so simple I stumbled on it by accident. I promptly switched banks but was never brave enough to report it for fear I might wind up in a very bad situation.
| [deleted]
| comeonseriously wrote:
| > ... someone from their IT department rang me on the phone and started grilling me about how many other plans I browsed, and insisted that I clear my cache and browsing history, and notified me that they would be watching to make sure nobody at our IP address accessed any other plans while the issue was being fixed.
| 
| An IT employee who doesn't know about VPNs. Sigh.
| megablast wrote:
| Or phone hotspots. Or cafes. Or home internet. Or open wifis. Or language translation websites. Or proxies. Or a dozen other ways that do not require a VPN.
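Added example, not michael_michael's marketplace code: the object-level authorization check that an endpoint shaped like `/employers/341/plans.aspx` needs. The handler verifies that the employer id in the URL belongs to the logged-in session, not merely that someone is logged in; a flag reproduces the original behaviour so the two can be compared. It also keeps a per-session count of refused foreign ids, which is the signal an operator should alert on (a session walking 342, 343, 344 after being told no) rather than watching an IP address after the fact. The session store, record shape, HTTP status codes and all data are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed data for the example. A real deployment would read the session
# and the employer records from its session store and database.
SESSIONS = {
    "sess-acme": {"user": "hr@acme.example", "employer_id": 341},
}
PLANS = {
    341: {"employer": "Acme", "employees": [{"name": "A. Example", "age": 41, "ssn": "000-00-0341"}]},
    342: {"employer": "Globex", "employees": [{"name": "B. Example", "age": 37, "ssn": "000-00-0342"}]},
}

# session id -> set of employer ids it was refused; feeds the detection check below.
DENIED = defaultdict(set)


def handle_plans_request(session_id, employer_id, enforce_ownership=True):
    """Handler for GET /employers/<employer_id>/plans; returns (status, body).

    With enforce_ownership=False it behaves like the marketplace in the comment:
    it checks that *some* user is logged in and then trusts the id in the URL.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, None                      # not logged in at all
    # Ownership is checked before existence, so a foreign id never reveals
    # whether a record exists (403 either way).
    if enforce_ownership and session["employer_id"] != employer_id:
        DENIED[session_id].add(employer_id)   # record the attempt, then refuse
        return 403, None
    record = PLANS.get(employer_id)
    if record is None:
        return 404, None
    return 200, record


def enumeration_suspects(threshold=3):
    """Sessions refused at least `threshold` distinct foreign ids.

    Legitimate users hit 403 on their own employer's pages essentially never,
    so a handful of distinct refusals from one session is worth an alert.
    """
    return {sid for sid, ids in DENIED.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(handle_plans_request("sess-acme", 342, enforce_ownership=False))  # leaks Globex's plans
    print(handle_plans_request("sess-acme", 342))                           # (403, None)
```

The check is one comparison, which is why idiotsecant's reading in a later comment (a requirements gap rather than a hard engineering problem) is plausible: the handler already had the session, it just never compared it with the URL.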
| K5EiS wrote:
| Maybe he was hoping OP didn't know about VPNs, it's not an uncommon scare tactic to imply being tracked is unavoidable.
| Ph0X wrote:
| Would be ironic since OP caught an exploit that their entire team wasn't smart enough to catch... yet somehow he wouldn't know about something as basic as VPNs?
| idiotsecant wrote:
| Zero chance this was an issue of an entire team not being smart enough to check - everyone who touched this would immediately understand it wasn't in the authenticated flow. This smells like bad requirements being delivered to the implementers.
| judge2020 wrote:
| I'm sure any further unauthorized access from random VPN IPs would have also been blamed on OP, unfortunately. "He found this out then an hour later random IPs exploited it. He must have initiated those VPNs".
| TedDoesntTalk wrote:
| VPN doesn't matter here. OP made it clear he was logged into the system first. Presumably all data is blocked until you are logged in. And if you are logged in, IT admin does not care about your IP address when they have your username.
| beerandt wrote:
| Unless the IT guy was accidentally letting it slip that there was no authorization implemented at all.
| lazide wrote:
| Which in context? Is very, very likely
| bigfish24 wrote:
| Similarly, a gov registration fee website simply disabled the "next" button at UI layer because I was late for the deadline. Easy bypass and paid fee, never heard anything else.
| formerly_proven wrote:
| I dunno, this seems pretty normal. Just today news broke that in Germany some guy who found a flaw in a web-shop backend leaking the data of hundreds of thousands of people got raided, because the operator reported him to the police - and somehow both police and state attorney found it wise to prosecute him instead of referring the case to the GDPR officer to fine the operator.
| 
| It's pretty obvious that when you find a flaw you simply don't approach the people responsible for it, unless they have an EXCELLENT reputation of dealing with this. Otherwise do an anonymous full disclosure (edit: _if_ you have an entity that routinely handles this sort of thing and has an EXCELLENT reputation, that would work too). If nothing happens, provide a PoC.
| 
| Of course people, even in IT, are kind of weird here. Somehow responsible disclosure got into people's minds as The Good And Proper Thing to do, and full disclosure being somehow irresponsible. Analogy: Some guy finds out the mayor is completely corrupt or does some illegal stuff. What do you do? a) Disclose this through e.g. the press b) Approach the mayor and try to get him to fix his stuff. Somehow, when it comes to IT security, people wanna see hackers do b) because a) would clearly be irresponsible. Wtf?
| judge2020 wrote:
| Perhaps many people are spoiled and blinded by the SV megacorp culture of (usually) taking in bug reports and fixing them and handing out recognition/money. It would be nice if everyone accepted responsible disclosure, but that's not going to be the case until some legislation comes along to require it in the absence of malice.
| LordDragonfang wrote:
| It's not "spoiled" to expect, at worst, a thank you for pointing out a serious and extremely easily exploited vulnerability in public-facing code. You are inarguably doing the company a favor by disclosing it to them and helping them cover their ass and in some cases lack of competency.
| 
| Something shouldn't have to be literally illegal to be considered shitty behavior.
| (Of course, people are often incentivised to be shitty, which is why legislation should _also_ be applied to the issue)
| qwertox wrote:
| All this reminds me of the case of Lilith Wittmann [1], who got sued by the CDU (Germany's majority-holding party) in May 2021 because she discovered a security flaw in their election campaign app "CDU connect". Data from around 100.000 visitors and 18.500 election campaign helpers was not sufficiently secured.
| 
| She used responsible disclosure to let the CDU know of this flaw, got sued in response.
| 
| After an outcry from the community the CDU apologized to her and retracted the complaint and the proceeding was suspended at the end of August 2021.
| 
| It's pretty sad to see how people who act upon their best intentions, intentions which are beneficial to the society, are hit so strongly by those who are afraid to admit that they made a mistake. Hit in such a manner, that it tears apart the daily routine in a very negative way for months.
| 
| [1] https://lilithwittmann.medium.com/
| nerdawson wrote:
| Sad to hear just how common these sorts of stories are. I remember reading fairly recently about a guy who reported a flaw to a company working with the NHS in the UK (should emphasise this is an external company and not the NHS themselves) and ended up having to crowdfund his legal battle.
| Tepix wrote:
| The CDU party no longer holds the majority :-)
| folli wrote:
| Still can't tell if this is good or bad.
| peterburkimsher wrote:
| Troy Hunt from Have I Been Pwned has an "EXCELLENT reputation".
| 
| Perhaps responsible disclosure could pass through his entity?
| 
| It's a way of anonymising the source to keep them safe, and centralising the risk to someone who is already highly regarded by companies and governments.
| avereveard wrote:
| You got things the other way around: it's not about the disclosure, it's about mitigation.
| 
| If one contacts the corrupted mayor for a timed disclosure, he gets time to hide crimes or can continue being corrupted, but the press running the story only damages the mayor.
| 
| If I run to the press with a vulnerability, everyone is empowered in exploiting it. Sure it puts lots of pressure on the devs, but devs can only work so fast, which creates a window of opportunity which damages both them and their users. A timed disclosure doesn't prevent exploitation that's already happening, but doesn't increase the problem by itself
| 
| The desired outcomes in the two cases are different, and it's no surprise different strategies are optimal.
| bigiain wrote:
| > but devs can only work so fast, which creates a window of opportunity which damages both them and their users.
| 
| Sadly, time and time again, what in practice ends up happening is the window of opportunity is wasted by the devs being instructed to work on new features rather than fix critical security bugs the company thinks are not widely known.
| 
| Apple's response to four zero days being only the most recent high profile example of that.
| dzhiurgis wrote:
| Local CERT is sometimes happy to be a proxy, still best do anonymously tho
| thepete2 wrote:
| That comparison is a bit off though, because exposing the mayor's corruption doesn't put other people and their data at risk.
| klyrs wrote:
| Domestic abuse is pretty "normal" too. That doesn't make it tolerable.
| wonderwonder wrote:
| These 2 things are not even remotely comparable.
| klyrs wrote:
| So? Something being "normal" doesn't make it just. Or even legal.
| wonderwonder wrote:
| It's not normal in society to commit domestic violence, most people in western society would find themselves ostracized from their peers if they were a known wife / child abuser.
| If I told my friends the website allowed me to see other plans and I checked them out they would just ask if I saw anything interesting and chuckle at the flaw. Curiosity is normal; beating your spouse is not.
| klyrs wrote:
| Ah, I see the misunderstanding. The behavior I'm seeing called "normal" is people being punished in response to responsible disclosure, where the actual guilty party is illegally leaking private information. I'm comparing administrative abuse to domestic abuse.
| 
| If changing a few characters in a URL was a crime, I'd be gone for life.
| 
| edit: and, I'm using "normal" in the same sense as the comment I was originally responding to: to indicate an everyday occurrence
| b3morales wrote:
| > a) Disclose this through e.g. the press b) Approach the mayor and try to get him to fix his stuff. Somehow, when it comes to IT security, people wanna see hackers do b) because a) would clearly be irresponsible. Wtf?
| 
| Huh? This analogy doesn't really make sense. The difference for software is extremely basic: if you publicize a vulnerability immediately, you give more opportunity for it to be exploited while it's being fixed. Malicious actors who hadn't found the vulnerability yet now get it handed to them on a silver platter.
| 
| Private notification simply gives the operator a head start on closing the hole before it's more widely known by potential attackers.
| formerly_proven wrote:
| That's not the point of the analogy (some other siblings got it wrong, too, so the fault is likely mine). The point is that it's inherently very risky for you to contact someone about a problem they created accidentally, negligently or possibly intentionally in order to get it fixed (and that might result in them being fined or otherwise punished when the issue becomes known). So you should not do that.
You should either seek a trustworthy | intermediary for you to handle the interaction (this might | be difficult / non-existent in your locale) or reveal the | issues anonymously. | | Again, it's not about Optimally Mitigating Corporate | Security Fuckups, it's much more basic than that: it's | about keeping you safe. This should _obviously_ be priority | #1. Anyone telling anyone else to do responsible disclosure | by default because That's What Good Guys Do And You're Not | A Good Guy If You Don't is quite clearly not putting the | safety of the reporter at #1.
| b3morales wrote: | I see, yes -- I certainly agree with disclosing | safely/anonymously.
| kmlx wrote: | > The difference for software is extremely basic: if you | publicize a vulnerability immediately, you give more | opportunity for it to be exploited while it's being fixed. | | if it's live it's already being exploited. simple | principle, but very effective.
| bryanrasmussen wrote: | this is a poor analogy because the IT department isn't doing | something illegal, they are just doing something poorly, the | proper analogy would be if you found out the mayor routinely | left the special stamp that you can use to get anyone | released from jail lying on the park bench he eats lunch at | - do you then go around telling people hey the mayor does | this or do you say hey mayor please stop taking that stamp | with you to lunch because you always forget it at the park | bench and someday somebody is going to use it to do bad | stuff! | | OR let us reverse the analogy | | You find out Facebook is running an international slave trade | by using their data to find vulnerable teenage girls sending | them invites and then kidnapping them. Do you A) approach | Facebook and try to get them to stop their practice B) alert | everyone immediately. | | The answer is you alert everyone immediately because Facebook | in this example is doing corrupt and illegal things.
There is | a difference in how you should react concerning security | problems that others can take advantage of and willfully | committing illegal and corrupt acts.
| TheCraiggers wrote: | > this is a poor analogy because the IT department isn't | doing something illegal | | At what point does it cross the line into IT malpractice? I | would say that not even bothering to verify the current | user has the access to view what is being requested is well | over that line. | | When you're dealing with PII, HIPAA, etc, there should be a | standard level of competence. If I go into a doctor's | office with a runny nose, and they remove my liver, simply | stating that they practiced medicine "poorly" shouldn't be | a defense.
| cortesoft wrote: | Umm, this seems to imply that these security vulnerabilities | are intentional, which doesn't seem like what is happening. | In your mayor example, you wouldn't go to the mayor because | you know he is intentionally trying to break the law, so | going to him doesn't make sense. | | Incompetence is very different than malfeasance.
| Miraste wrote: | The problem is that the response, as it pertains to you, is | going to be the same for incompetence or malfeasance in a | large number of organizations. Consider what the average | self-interested politician would do if you uncovered a | corruption problem in their administration they did not | know about. Are they going to fix the problem, reward you, | and risk losing the next election beneath an avalanche of | attack ads? Or are they going to bury it and crush you? | | Large governments and corporations are not your friends. | They will hurt you if it benefits them, often very short-sightedly and regardless of the root problem. There are far | too many articles like this one to think "responsible | disclosure" is a safe practice.
I remember one case where | the red team was hired by the agency involved explicitly to | perform pentesting, and when they found a vulnerability the | government pressed charges!
| bigiain wrote: | > I remember one case where the red team was hired by the | agency involved explicitly to perform pentesting, and | when they found a vulnerability the government pressed | charges! | | If the case you're remembering is the one where the red | team assumed (without asking) that physically breaking | into the courthouse at night was "in scope" of their | engagement, I'm of the opinion the short-sightedness | there was not the agency... | | https://www.cnbc.com/2019/11/12/iowa-paid-coalfire-to-pen-te... | | It's _maybe_ grey area. But there's no way I'd escalate a | pen test to breaking in to a courthouse without explicit | in writing permission from someone clearly authorised to | give it, including in writing assurances that all | relevant law enforcement had been notified (at least at | high levels, if part of the authorised physical pen test | was actually testing on-ground law enforcement | capabilities).
| Miraste wrote: | That is the case I was thinking of, but I went back to | check my memory and it was not a gray area. They had a | signed contract from the Iowa Judicial Branch and its | Information Security Officer that specified gaining | physical access to the building. Source: | | https://krebsonsecurity.com/2020/01/iowa-prosecutors-drop-ch... | | They did fail to verify that law enforcement was aware | (the client specifically asked them not to) and they seem | to have misunderstood the building's ownership structure. | The end result was that they fulfilled their contract and | were arrested for it after encountering one idiot with | power, after which the local politicians piled on in | order not to look weak.
| TeMPOraL wrote: | Yeah, in my mind, the only "responsible disclosure" these | days is one made anonymously to the local data protection | authority.
| Verdex wrote: | Reading through these comments gave me the same thought. | Notice a problem? Buy a raspberry pi with cash, visit | starbucks, upload report about the issue to reporters via | newly created (and never used again) gmail account, throw | away raspberry pi, never talk or think about the issue | again.
| kadoban wrote: | Gmail is probably not ideal. Last I tried I needed a | phone number to create an account that actually worked.
| watchdogtimer wrote: | I found a similar vulnerability in one of our vendors' online | order system. I noticed after placing an order an integer in | the order confirmation page URL. I reduced it by one and | refreshed the page. Sure enough, I got all the order details of | the previous customer's sale. Reducing _that_ URL by one got | the next previous sale details etc. I notified the company | about it. They fixed it, and in gratitude sent me a small | package containing a pen and other office kitsch branded with | their logo. Not much of a bug bounty, but the pen has proven | useful.
| andrei_says_ wrote: | I think the main difference is the one between | acknowledgment, action + (small) gratitude vs. fear, | paralysis and scare tactics / trying to control the | environment instead of fixing the issue.
| kirlfiend_grill wrote: | I let a company know that the url for their receipts | (including name, address etc) was simply an md5 of the order | number. They graciously offered 15% off on my next order as a | thank you.
| renewiltord wrote: | Oh there are so many things like this. Ages ago, I used this to | find a whole listing of internal fax numbers for a government | org I wanted to get someone's attention at and totally slow-spammed them using a fax API. Got a couple of reads based off | that. | | There's no way I'm telling them I did that, haha!
| | Rule 1: Never tell people they're making a mistake unless you | trust them to trust you.
| _dain_ wrote: | People have gone to jail for incrementing integers in URLs like | that (most famously, weev).
| tailspin2019 wrote: | Looks like there is just a little bit more to that story... | | https://en.wikipedia.org/wiki/Weev
| victorhooi wrote: | Yes, but "weev" is also a well-renowned internet "troll". | Basically - he appears to take joy out of denigrating, | humiliating, insulting and doxxing other people. | | https://en.wikipedia.org/wiki/Weev | | He's also a neo-Nazi and white supremacist. I do believe in | free speech, but some of the things he does seem to take it | way too far. | | And he famously doxed Kathy Sierra, a female technical writer | who created the Head First series. I actually quite like some | of the books in the series, and it's incredibly sad to hear | incidents like this which actively discourage females in | tech. | | https://en.wikipedia.org/wiki/Kathy_Sierra | | I suspect there's more to the AT&T incident than just, oh, I | found a flaw, let me responsibly report this to the relevant | parties in responsible disclosure.
| _dain_ wrote: | Bad laws and a corrupt justice system are infinitely more | dangerous than a single man, however unpleasant he may be. | People pointed out at the time that the CFAA is totally | broken, but nobody listened because the victim was | unsympathetic. Well, now we see in TFA how nothing has | changed. | | "Yes, I'd give the Devil benefit of law, for my own | safety's sake!" | | And it should be noted that weev's turn towards overt | neonazism (rather than just antisocial trolling) took place | in prison, where he was mistreated.
| mcbutterbunz wrote: | Didn't he also give the data he found to Gawker before | notifying AT&T of the issue? That seems like a pretty key | difference here, but I don't know what weev was charged and | convicted for.
| _dain_ wrote: | "Conspiracy to access a computer without authorization", | which was and is completely preposterous. The Gawker part | is completely immaterial, it was still a total travesty of | justice. The judgement was later overturned on procedural | grounds rather than on the merits (which it should have | been). He did nothing that merited imprisonment, and even | less so his mistreatment there.
| hobofan wrote: | IIRC there was a recent story here in Germany where a court | decided that the blame is entirely on the website owner, and | incrementing an integer didn't constitute hacking, as no | security measures were circumvented (as a lack of | authorization checks meant no security measures were in | place). | | So I'm hopeful that the courts are slowly starting to wise | up in that respect.
| andrei_says_ wrote: | Fear. The IT person is likely scared of (fill in the blank - | blame, losing their job etc.) | | They are scared because their leadership is likely also afraid | - and so unable to provide protection by taking responsibility. | | This is the vibe of an organization where mistakes lead to | blame and punishment instead of quick resolution and learning.
| coliveira wrote: | It is very easy for IT managers to put the blame on "hackers" | intruding into the network, instead of assuming they created an | insecure system. In many companies this can work.
| Spivak wrote: | I very much want the blame to be on the person who broke into | my house regardless of whether my door was locked or my | window was open.
| zentiggr wrote: | Which works great when there's some kind of access | restriction in place. | | If you wind up putting your tax returns in the 'little free | library' you set up on your front yard, you can't blame | others for reading them, then handing them back to you and | not telling anyone else. | | That's the proper analogy for what happened in the original | article.
| skissane wrote: | Years ago, I worked at this place, they tried to install | these new core routers. The first core router worked fine, | but connect the second and the whole campus network would go | into meltdown. | | The network team could not work it out. The vendor could not | work it out. But one of the IT managers had an explanation: | me. Firstly, it was due to an OpenVPN I installed on a server | (with permission - as a stopgap measure so we could remotely | access the "next-gen data centre" because the networking team | was taking too long to get the real VPN installed and it was | blocking other teams on the project.) The explanation didn't | make any technical sense: the VPN is just an application, | nothing to do with the core routers; but he wasn't technical | enough to understand that. They told me to shut it down, so I | did (even though doing so inconvenienced the project), and lo | and behold, it made zero difference to the problem. Then, he | apparently even suggested at a management meeting (I wasn't | there but I heard about it) that _I_ was sneaking into the | data centre at night or on the weekends to sabotage things, | and that was why the new routers didn't work. Apparently they | even asked campus security for my physical access logs, which | revealed I hadn't been doing any such thing. | | Eventually, the vendor worked out the problem. When you | install the router, there was a step where you had to change the | VRRP IDs to give every router a unique ID on the network. | Clearly explained in the documentation, obviously essential, | apparently our networking team didn't read that part. You | plug one new router in, everything is fine; plug the second | one in, well it still has the OOTB default VRRP ID, so now | two core routers on the campus network have the same VRRP ID, | and all the other routers got confused, and the whole thing | fell apart.
Both our networking team and the vendor's support | team were so focused on chasing some obscure bug they didn't | see the basic config issue.
| isoskeles wrote: | Did that IT manager ever apologize for accusing you of | being the problem?
| skissane wrote: | I don't remember him ever directly apologising, although | he was nice to me afterwards (and this was many years | ago, memories get hazy). I think he was rather | embarrassed by the whole incident, it turned out to be | such a basic configuration issue and it took them so long | to solve it. I only knew about the whole "sneaking in at | night" allegation because my boss told me what he'd said | at meetings to which I wasn't invited, and I don't think | my boss was supposed to tell me what was said in those | meetings, so I'm not even sure if he knew that I knew | he'd accused me.
| temp_praneshp wrote: | Wow, I'll keep this in mind next time I complain about my | manager.
| wslack wrote: | r/talesfromtechsupport is full of these sorts of stories. | I make a visit on days when my job is frustrating and | inevitably feel better.
| dr-detroit wrote: | In my experience the managers don't have the information to | make a sound decision. The fault is putting trust in the cat | who impressed you 20 years ago when all you needed was 1 | sysadmin for your exchange server. He hasn't learned anything | in 20 years and is above reproach because when I point out | his failings he and the manager go off in a quiet room and | he DESTROYS me with trash talk.
| miohtama wrote: | All hacks are "sophisticated" because otherwise the other | party would be "dumb"
| prox wrote: | Lots of these folks (like the governor) don't even know the | basics of IT. Zero knowledge. You can tell them anything and | it will stick.
| soylentnewsorg wrote: | So his issue was not that you discovered the bug. His issue was | that after discovering it, you went on to view a bunch of other | people's data.
| | What you did was walk down the block, pull on the doors of | random houses, and if you found one unlocked, went in and took | a look around. If you found my door unlocked and left me a | note, I would be grateful. If you went in and took a look | around, then did it to all of my neighbors, we would have you | arrested. | | The bug here is an unlocked door. It being unlocked is a | security risk, and people are thankful if you let them know. If | after identifying the security risk you proceed to commit a | crime, you're surprised people aren't "grateful?" | | >difficult to hold yourself accountable | | isn't it though... | | >are malicious actors | | so you.
| [deleted]
| ljm wrote: | There's too much moralising and too much metaphor here. | | It's really a lot more simple: | | > After I shopped a few companies to see how our plans | compared | | This isn't white-hat, it's grey-hat at best. Found the vuln, | and then used it. | | I don't agree with the dramatic reading that I'm responding | to.
| [deleted]
| plainnoodles wrote: | I think that's a PRETTY uncharitable analogy and | interpretation of the OP's actions. | | I would say it's more like: | | You are walking down the street, and notice that there is a | public noticeboard. It has a list of names, yours among them, | associated with a number of steps each. It instructs you to | walk a certain number of steps down the street, and then look | up at the paper taped to the sidewalk that many steps down. | | So, you do, and upon looking down, you see some personal | information about yourself! You are a little perplexed, since | this doesn't seem very secure. So you take one step back, and | look down. Wow, yep, not very secure, there's information | there too!
| | Being a human, you are naturally a little nosy and curious, | and as these _are_ publicly posted, after all, you glance | through a couple more before finally regaining control of | your better sense of civic duty, and report to the owner of | the notice board that there is a problem with their | "security". | | I think this is a better analogy because: | | * browsing to a web page is NOT the same thing as going into | someone's house. | * the internet is public. | * there was | CLEARLY no malicious intent. The OP clearly didn't harm or | intend to harm anyone here, even if perhaps he should have | immediately stopped when he began to suspect the website had | a flaw and he shouldn't be able to see this information. I | see no evidence of malice here. | | I do agree that in general, just because a system responds | 200 OK, you're not necessarily clear to do anything you want | when what you're doing is obviously wrong. But at the same | time, we should NOT be prosecuting or blaming people when | they're able to access more than they're supposed to be able | to PLAINLY due to the software's design insufficiencies and | there's otherwise clearly no intent to cause harm. | | We really need to take a more even-handed approach to this. | And, we REALLY need some kind of a professional bar in | software engineering. I would expect a student in their final | year of CS to be able to produce a more secure system than | what the OP described, so the fact that it exists in a quasi-government website is a complete fucking joke, if you'll | pardon my language.
| gwd wrote: | > You are walking down the street, and notice that there is | a public noticeboard. It has a list of names, yours among | them, associated with a number of steps each. It instructs | you to walk a certain number of steps down the street, and | then look up at the paper taped to the sidewalk that many | steps down.
| | Or perhaps, "Here's a binder with numbered pages; turn to | page 345 for your information." You wonder what's on page | 346, so you turn the page, and lo and behold, someone | else's information.
| slim wrote: | You seem to be implying that accessing a competitor's pricing | is immoral. Do you think a company's pricing should be private | information in the same sense that your house is private?
| heavyset_go wrote: | This analogy isn't apt. What the OP did was the equivalent of | asking, "Can you share these files with me?" and the other | party going, "Sure, here they are!"
| sbarre wrote: | This was not an "unlocked door". | | This was going to the doctor's office, and while sitting in | the room with your files, seeing a bunch of other patient | files just left on the desk in eyesight. | | Not in an unlocked filing cabinet, not in an envelope, but in | the open. | | Changing a URL is not "malicious use" nor is it considered | doing something you're not supposed to. | | As a web client, I should be able to change or manipulate the | URL to my heart's content, it is 100% the server's job to | restrict my access and make sure that I cannot access | resources I shouldn't. | | This is entirely the fault of the operators, not the user, | and they were mad at them because they _allowed_ the user to | access things they should not.
| throwaway09223 wrote: | It's even worse than that. I think a better analogy would | be that you've requested the doctor mail you your records | and instead the doctor ships you his entire filing cabinet | with your folder taped to the top and a note saying "read | this one." (but no mention about why the filing cabinet is | there too) | | They weren't just in the open. A copy of these records was | pushed, unsolicited, to the user's device and the user | simply looked at what was sent to them.
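The "change the integer in the URL" bug that watchdogtimer and sbarre describe above, as an added example (not code from any commenter or from the sites discussed): the lookup that trusts the client-supplied ID next to one where the server enforces ownership, plus a detector for the one-step-at-a-time walk in an access log. The order store, user names and log lines are constructed for the example.

```python
"""Insecure direct object reference (IDOR) on sequential order IDs,
from a defender's view. Added example; the order store, users and
log lines below are constructed, not taken from any real site."""
import re
from typing import Optional

# Constructed order store with sequential IDs, as on the vendor site
# described in the thread (one order per customer).
ORDERS = {
    1041: {"owner": "bob",   "total": 79.00, "address": "1 Elm St"},
    1042: {"owner": "carol", "total": 12.50, "address": "2 Oak Ave"},
    1043: {"owner": "alice", "total": 40.00, "address": "3 Pine Rd"},
}


def get_order_vulnerable(session_user: str, order_id: int) -> Optional[dict]:
    """The bug as reported: the handler looks the order up by the number in
    the URL and never compares the logged-in user (session_user is received
    but unused) with the order's owner, so any ID returns any record."""
    return ORDERS.get(order_id)


def get_order_hardened(session_user: str, order_id: int) -> Optional[dict]:
    """Authorization is the server's job: return the order only if the
    caller owns it. "Not found" and "not yours" both yield None so the
    endpoint does not reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        return None
    return order


# Constructed access-log format: client address, session user, request line.
LOG_RE = re.compile(
    r"client=(?P<client>\S+) user=(?P<user>\S+) GET /orders/(?P<oid>\d+)"
)


def detect_id_walk(log_lines, min_run: int = 3) -> dict:
    """Flag clients whose successive order requests differ by exactly one
    ID (the "reduce it by one and refresh" pattern). Returns a mapping of
    client -> longest consecutive run seen, for runs of at least min_run."""
    last = {}     # client -> last requested order ID
    run = {}      # client -> length of the current +/-1 run
    flagged = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        client, oid = m.group("client"), int(m.group("oid"))
        if client in last and abs(oid - last[client]) == 1:
            run[client] = run.get(client, 1) + 1
        else:
            run[client] = 1
        last[client] = oid
        if run[client] >= min_run:
            flagged[client] = max(flagged.get(client, 0), run[client])
    return flagged


# Constructed log: 10.0.0.5 walks downward from its own order; 10.0.0.9
# reloads its own order twice, which is normal behaviour.
SAMPLE_LOG = [
    "client=10.0.0.5 user=alice GET /orders/1043",
    "client=10.0.0.5 user=alice GET /orders/1042",
    "client=10.0.0.5 user=alice GET /orders/1041",
    "client=10.0.0.9 user=carol GET /orders/1042",
    "client=10.0.0.9 user=carol GET /orders/1042",
]

if __name__ == "__main__":
    print(get_order_vulnerable("alice", 1042))  # carol's order leaks to alice
    print(get_order_hardened("alice", 1042))    # None
    print(detect_id_walk(SAMPLE_LOG))           # {'10.0.0.5': 3}
```

The detector is a triage aid for the defender, not proof of intent: the thread's own examples show the same pattern coming from a curious customer who then reported the bug.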
| Ajedi32 wrote: | > seeing a bunch of other patient files just left on the | desk in eyesight | | ...and then proceeding to rifle through a bunch of those | files to satisfy your curiosity. | | Finding a vulnerability and reporting it -> Good | | Continuing to exploit the vulnerability after you've found | it just to satisfy your curiosity -> Bad
| lsaferite wrote: | Asking the web server to give you information without lying | or falsifying any of your request data should in no way | equate to walking into random houses that are unlocked.
| unyttigfjelltol wrote: | The proper analogy is-- you visit a public clerk and make a | formal request via a form, receive the requested document | from the clerk. | | Then, while you're at the clerk's counter you notice a menu | up high above, like at a fast food restaurant, listing | random commands with no explanation. Curiously, you call | one out to the clerk and see what happens. The clerk | returns with a crushed can. You call out another. The clerk | dumps a roll of pennies on the counter. | | That's not fraud, it's negligent supervision and stupid | design.
| namdnay wrote: | I guess the argument would be that changing the number in | the URL is lying, as you are providing an ID that was not | assigned to you | | (Playing devil's advocate here)
| Talanes wrote: | It's a public website. If we have to use the doors analogy, | these are doors at City Hall, not people's houses.
| vadfa wrote: | And it's a public street. It's what's inside the houses | (URLs) that is not public.
| drdeca wrote: | Doors (holes-become-walls / walls-become-holes) are for | controlling whether things can go through. URLs are for | letting things through. | | A url is not a door, but an archway, or possibly a door | frame.
| Spivak wrote: | Yeah you still can't just walk into the Mayor's office just | because it's unlocked. Access isn't authorization.
| Talanes wrote: | And yet if I do just open the door to the Mayor's office | and it's unlocked and I wander in, that's still not the | same sort of trespass as entering someone's home. | | And, if I'm in City Hall, the mechanism that keeps me | from entering the Mayor's office should be the security | guards and key-cards, not my disinclination to open a | door.
| MrOrelliOReilly wrote: | Wow. The parent comment did not state they then sifted around | for personal data. They checked if there was a bug and found | it. For all we know the personal data is front and center, so | this rudimentary check also revealed personal information. | It's not like they said they downloaded the SSNs. Good job at | miming the ignorance and bad faith of the nameless bureaucrat | the parent comment mentioned though, maybe this is just | satire and I'm missing it..
| [deleted]
| rendall wrote: | > _After I shopped a few other companies to see how our | plans compared..._ | | You might have missed this part. I did, too, on first | reading. They did sift around.
| __float wrote: | "malicious actors" is quite a strong statement, for someone | who was not really aiming to harm anyone or get much personal | gain from it.
| throwaway743 wrote: | Having worked for a NYC government vendor who, unfortunately, | outsourced a huge chunk of dev work abroad due to low costs | (and I assume the manager's shady relationships with | outsourcers), the amount of bugs and blatant negligence I | observed in the delivered code was staggering. Even with said | mistakes the manager/project managers were more concerned with | getting the project out the door, so once delivered, they'd | ship usually without internal audit of the code. | | It makes one wonder if this is the case with the healthcare | site you used, and whether or not this outsourcing of dev is | common practice among government vendors?
If so, it seems that | we can only hope for something to fix these situations, given | that government seems to only care once shit hits the fan.
| justin_oaks wrote: | I can understand outsourcing development, but I suspect part | of the problem with outsourcing the development is that QA of | the product is done by the same vendor. | | "We investigated ourselves and found ourselves clear of any | wrongdoing."
| YeBanKo wrote: | For IT it's often that whoever makes software, also tests | it. When dealing with outsourcers, there comes a level of | complexity. Government contractors don't have skin in the | game, and hence motivation to appropriately handle this | complexity.
| bawolff wrote: | > After I shopped a few other companies to see how our plans | compared | | Yeah once you start using a vulnerability maliciously to obtain | confidential data for your own personal gain, even if it's a | stupid vulnerability, you're not really a good-guy security | researcher anymore. | | If all you did was the bare minimum to demonstrate the vuln | exists, that's cool. If after you do that you continue to use | it to obtain confidential info for your own gain or curiosity, | that's not so cool. | | > Perhaps it's more difficult to hold yourself accountable than | it is to assume that others who've found your shoddy work are | malicious actors. | | You literally just admitted to being a malicious actor in the | paragraph above.
| bleachedsleet wrote: | Language cheapens itself when spoken cheaply. Abusing over | the top terminology on minute areas of controversy will | ultimately lessen the impact of your outrage when something | actually bad comes along. Someone browsing healthcare plans | available to other employees of different companies is not | something that should win you the label "malicious actor" and | come associated with other implications. This data leaking | harms literally nobody other than perhaps the company | offering the worst coverage to its employees.
Your response | is the real problem here: If I had done this, reported it, | and then been called a "malicious actor" on a forum titled | "Hacker News" my knee jerk response would just be to shut up | about it next time.
| bawolff wrote: | I used the word "malicious". It's not like I used the word | "murderer" or "evil overlord". I'm not saying OP should go | to jail or anything. | | All I'm saying is if you find an exploit, and after you | verify it works, you continue to use it for your own | personal ends, you're no longer benign and you shouldn't | expect a warm welcome from the security team. | | The line is when you start to use exploits on computers not | owned by yourself for your own ends instead of for the | purpose of verifying and reporting the vuln. Sure you could | cross that line a little bit or a lot, but you're not | innocent if you're over it.
| gffrd wrote: | > you continue to use it for your own personal ends | | I think this is what people may have been missing from | your original post: at some point things can go from | innocent to malicious. | | "Crime of convenience" is the most common type, after | all. | | "I'm not the type to steal, but the cash was left on the | counter, and ..."
| dymax78 wrote: | > ... and you shouldn't expect a warm welcome from the | security team. | | The appropriate response from the security team (after | verification) is to pull the site down or immediately | patch the vulnerability, if possible. Making an outbound | call to a third-party is pointless and irresponsible.
| bawolff wrote: | I imagine having an assertion that the person didn't keep | any of the data might be important to legal. (IANAL)
| BeFlatXIII wrote: | Oh no, not the heckin' confidential insurance negotiations! | What's the worst that can happen by those being exposed?
| gffrd wrote: | > malicious actor | | malice implies intent.
If we take the author at their word, there | wasn't any, though you could say they took it too far by | looking at other stuff they probably knew it was ethically | wrong to do so. | | Though, sometimes it isn't clear you're in compromising | territory until you're in it. | | If any of the confidential information obtained wrongly gets | used to advantage ... that's malice. | | If the parent set out to exploit the insurer by finding | inconsistent/unfair pricing, etc etc ... that's malice.
| bawolff wrote: | Hmm. You make a good point. Fair enough.
| Dylan16807 wrote: | Browsing the different plans is not malicious. Jesus. | | And the details of different plans are not the kind of | confidential info that innately deserves protection. | Investigating or recording personal information would be bad, | but they didn't do that.
| JshWright wrote: | It wasn't just plan details though... They accessed names, | SSNs, etc.
| jjkaczor wrote: | Exactly... for them to "benefit", they would have to: | | Apply for jobs at the other companies with better plans, | proceed with interviews, offers and then finally accept one | and quit their job at their current employer... To reap the | rewards of their malicious hacking...
| bawolff wrote: | More directly, they as employees could pressure their | bosses to renegotiate the insurance contract.
| unethical_ban wrote: | You lost me at "maliciously". | | What harm was done by someone comparing prices? What | organization lost money? Who got worse health service? | | "Unethical" and malicious is the current, profit-driven | health insurance system. | | I know you're coming at it from an absolutist perspective, | but I disagree entirely with passing judgement. | | Furthermore, the fact that you seem more upset with the | person who glanced at a few plan prices rather than at the | healthcare system, or the incompetent website operators, is | telling.
| NullPrefix wrote: | >What harm was done by someone comparing prices?
| | It removes the information asymmetry, which protects the | profits of the seller.
| bee_rider wrote: | I definitely agree that this is not a big ethical breach in | terms of magnitude, but it is still better not to look. | Apparently this is not intended to be public information. | If this information is private, I guess the companies want | to derive some (slight) competitive advantage from not | sharing it. I think you could make a strong argument that | companies should make their healthcare offerings public | knowledge, but they aren't currently (I guess?). In any | case, access should be granted on the basis of an even | playing field.
| spoonjim wrote: | If you accessed my medical records, nobody would be | "harmed" as they are fairly normal. It would still be | wrong.
| Dylan16807 wrote: | Because it would be a privacy issue. But that assumes | they're looking at your information on purpose, and not | just some price tags.
| dylan604 wrote: | Within an hour you say? That's incredibly fast. I'm impressed | by that fact alone regardless of the quality of the response. | I'd have been shocked for within an hour email reply. | | I would have thought using incrementing IDs in a URL was as | beaten of a dead horse as sanitizing your strings in a SQL | query. Then again, ACA websites behaved as lowest bidder was | selected.
| kelnos wrote: | I don't think you're coming out of this looking too great, | either. After finding the vulnerability, you then exploited it | to gain an advantage, in addition to reporting it.
| munk-a wrote: | > started grilling me about how many other plans I browsed | | I think as soon as anything healthcare adjacent comes up most | people will feel the need to get very nosy about what you | accessed. It's possible they would have needed to file an | incident (though, honestly, they should've regardless of what | the reporter responded with) and gone through some procedure.
| | It's unfortunate the guy was a dick about it - but asking the | extent of the data you accessed probably isn't unreasonable and | may have been legally mandated. | mcguire wrote: | I don't know, that sounds like a pretty valid response given | that you "shopped a few other companies to see how our plans | compared". | klyrs wrote: | If I ask you to show me a document, and you willingly show me | the document, _who exactly_ is responsible for the | disclosure? | kamkazemoose wrote: | Say you are invited to your friend's apartment in an | apartment building, but none of the apartments have locks. | So you decide to open up some other random apartments and | look through their things, who is responsible? | frumper wrote: | the web isn't a collection of personal apartments | blisse wrote: | A closer analogy might be if none of the apartments had | doors, would you be allowed to step inside. | Miner49er wrote: | That's not even close to the same analogy though. This | would be like knocking on the door, asking if you can | come in, and the person living there letting you in. Then | getting mad about it later even though they let you in. | BizarroLand wrote: | More like your friend let you into their apartment but | then got upset that you went into the dining room when | they only intended for you to go into the living room. | ModernMech wrote: | I think that's a valid response if the person letting you | in wasn't expecting you and didn't want you there. Like, | what are you doing knocking on random doors and going | into random places just to look around? That's not honest | behavior. Honest behavior is that if you know you're not | supposed to have access to a thing, you shouldn't obtain | access to the thing even if you technically can. I think | it's pretty clear that you shouldn't have access to | another company's healthcare plans. The first one is a | mistake, maybe.
The subsequent browsing and comparison | shopping of restricted materials is definitely not okay | though, and the harsh, suspicious response was warranted. | jaywalk wrote: | >if the person letting you in wasn't expecting you and | didn't want you there. | | Then they shouldn't have let you in. How are you | completely absolving them of responsibility when all they | had to do was say "Who the hell are you? No, you can't | come in." | ModernMech wrote: | Well, to go with the analogy more: I leave my door | unlocked because I'm expecting someone. There's a knock | at my door and I yell "Come in" without looking at who is | at the door. Not an unreasonable thing, happens all the | time. When I finally look, I find you in my house, going | through all of my things, for no reason other than you | wanted to gain insight on my financial situation. | | Do I bear responsibility for letting you in? Yes. Should | you be there? No. Should you have knocked on the door? | No. Should you have tried the same at my neighbor's house | and every house on my block? No. In this metaphor and in | the original context, everyone is acting with honest | intent except the actor knowingly trying to access | obviously confidential documents. | jaywalk wrote: | You let me in knowing exactly who I was. You showed me | some stuff I wanted to see, but sitting right next to it, | out in the open, was stuff you _didn't_ want me to see. | All I had to do was look somewhere other than where you | were pointing, and I did that. And then you got mad at me | for looking at the stuff and called the police. | ModernMech wrote: | > All I had to do was look somewhere other than where you | were pointing, and I did that. | | The way you phrase this makes it seem like accessing the | documents was a mistake. Maybe the first one was, but I | think the thing you are missing about the OP's story is | that the behavior was repeated. I think the first | instance was arguably okay.
But subsequent access with | the knowledge that what they were accessing was not | intended for them is in my eyes beyond a mere | misunderstanding. | | You also have to remember that having physical or digital | access to a thing is not the same as having permission to | view the thing. For example, if a "Top Secret" document | is delivered to your house with your name and address | attached to it, if you read it without the appropriate | clearance you will still be in trouble. The legality of | such a thing is well established in that case, but the | principle is the same: even though you have access to a | thing and all you have to do is move your eyes in some | direction to see it, the act of seeing it is still at | minimum an ethical breach (why are you looking at things | that you know don't belong to you?). | | I guess this is the fundamental philosophical and ethical | question: do you believe you are entitled to know any | information as long as you have the technical ability to | physically or digitally access that information? What if | I have medical records on a screen in a room you are in, | and all you have to do is move your eyes over to see my | most personal info? Are you entitled to read that | information because it's visible to you? Or do you think | you owe it to others not to breach their privacy even though | you have the ability to do so? Would you be mad if | someone violated your privacy, and then retorted with | "well you should have implemented some better | technology to prevent me from moving my eyes in that | direction"? I guess in that scenario you would have to | blame yourself and your technological abilities, and not | the person violating your privacy. | MangezBien wrote: | It doesn't mean I am there illegally though. Maybe I am | there for some other reason and I thought you wanted to | let me in. | ModernMech wrote: | No one said anything about legality.
I'm still going to | yell at you to gtfo and never come back again, and I | don't see why it would be surprising that I would. | | Let's drop the metaphor. The original story was that | someone accessed a number of documents they weren't | supposed to but technically could, and the question was | whether or not it was reasonable that the owners of | the documents were upset with that. | | I argue there was good reason to be upset given the facts | on the ground. In this particular situation, the original | poster was there to access their own document. Having | accessed someone else's document, that would be the point | at which the behavior crosses from legitimate to | illegitimate if it continues. Leaving at that point would | be one appropriate response. But systematically going | through a number of different documents goes beyond a | mistake and into the realm of intentionally exploiting | this security issue for unauthorized purposes. That's | when it crosses from "honest mistake" to "dishonest | exploitation". | | I have no idea about the illegality of the issue. But the | fact is plain that this person was not the intended | recipient of the documents, they knew they weren't the | intended recipient, and then after realizing the nature | of the exploit, they continued to use it. | | This is not the same as knocking on a door for a | legitimate reason, being let in, and then the person | inside being mad you're there. It's knocking on a door | for _no_ reason or a _malicious_ reason, knowingly doing | something inside the resident doesn't want you to do, | and then wondering why they are mad at you. | MangezBien wrote: | The only person to be upset at is the one who didn't put | access control on the site. That was a publicly | available endpoint. The better analogy is putting | something private on a public bulletin board and being | mad if someone read something you didn't want them to.
| ModernMech wrote: | A billboard is a broadcast message though, whereas an | HTTP request is more like a back and forth exchange | between two participants. So I think the original | knock->response->enter is a better metaphor. | kelnos wrote: | No, this is more like if you asked the landlord to let | you in, and then they did, without the permission of the | tenant. The tenant would completely be within their | rights to be angry about that. Both at you and the | landlord. | dzhiurgis wrote: | More like - you go to a supermarket bathroom, checking each | stall, and find one person is pooping without the door locked | the_arun wrote: | I think in this example both are equally responsible: | | 1. People who kept their doors unlocked | | 2. Person who randomly entered doors & found things. | | We need to take care of the security of our properties, | though stealing is wrong. | klyrs wrote: | Nope, opening an unlocked door is still considered | break & enter. AFAIK, the "unlocked door" can even be a | beaded curtain. Turns out that the legal definition of | "break" in this context is extremely old and doesn't | correspond to lay usage anymore. | | But I think that a better analogy would be asking the | apartment manager to see your payment history and getting | handed the entire apartment building's ledger. | pwillia7 wrote: | I was thinking of a similar analogy but I don't think it | holds. | | The right analogy would be if I was in the apartment | complex and I said to a door not mine "I'm home, open up!" | If the door opened and I did it intentionally, am I | liable? | | I still feel like yes, but since you have to request the | document and receive it I think it's different than just | checking locks. | Keyframe wrote: | I think we're all grown-ups here and don't need analogies. | fshbbdssbbgdd wrote: | People of all ages suffer from confirmation bias.
| Analogies can be useful because they allow someone to | appreciate the logic of an argument while temporarily | dissociating from strongly-held opinions. After the | framing moves back to the question under debate, the | logic might stick. At least all parties might understand | everyone's perspective better after a few analogies are | exchanged. | sodality2 wrote: | Not if everyone constantly shifts the analogy so their | argument still works ;) | bee_rider wrote: | Indeed -- it is like if arguments were things to | transport, and analogies were cars... wait, no, they are | railroad cars. | | So the argument is a heist occurring on a train, so we've | got the thing that we're trying to heist (which would be | our point) and then we're shifting it from one car to | another. And some of the analogies here are clearly like | passenger coaches, but others are more like those... coal | transporting car, whatever they are called... and at some | point we move to the inappropriate railroad car and drop | the point in the coal which obscures it. | | Anyway, the point is that at some point you really just | hope that some conventional train robbers will show up | and derail the whole thing because it has gotten too | convoluted to follow. | Talanes wrote: | The analogies in this thread are mostly only furthering | confirmation bias. | | Because any physical analogy is such a poor | representation of how a website actually works, everyone | just cherry-picks the analogy that demonstrates the logic | they believe should apply, and then tries to constrain | the argument to that logic via analogy. | jerf wrote: | Analogies are never helpful for things like this. | | We don't need to reach for analogies to observe that | while the _theoretical ideal_ is to report it after just | one false access, that no significant damage was done by | accessing just a few more via human manipulation of the | browser URL, with no recording or sharing of the results. 
| From a human perspective, no damage was done. | | Whether that legally crosses a line involves a whole lot | of details that few, if any, people here will be able to | speak to, because of the complication of the law, and | HN's conclusion as to the legality is of marginal | interest even if someone competent were to give an | opinion. | | We _can_ speak to the fact that _even if_ it does | technically cross a line, a prosecutor really ought to | use their discretion to not prosecute since nobody was | hurt. We can say that because that's just an opinion. I | expect we don't have very many people here who actually | want the book thrown here (though, as always, enough read | this that it's probably non-zero). | mcguire wrote: | There's no evidence from the original comment that | _anyone invoked any legal lines._ Instead, they seem to | be upset that the person they reported the incident to | _asked them questions about exactly what they did_ rather | than being effusively grateful. | kelnos wrote: | I don't think quantifiable significant damage should be | the bar we use, though that should act to moderate the | consequences. | | OP admitted to _continuing_ to change URLs in order to check | out what plans other companies were getting and what they | cost. That means OP downloaded lists of employee names, | ages, SSNs, and other data. If I were an employee at one | of these other companies, I'd be pissed at OP for that. | I'd be even more pissed at the people who built the | marketplace website for making the rookie security | mistake that allowed it, but it's absolutely not ok to | download other people's information when you shouldn't | have access to it, and use that to your own advantage. | | Sure, I don't think this is something that should be | prosecuted as a CFAA violation with big fines and jail | time. That's not a proportionate response. But I also | don't think we should signal that it's ok to look at (and | use!)
other people's data just because someone else | forgot to lock it up properly. I think, for example, | something on the level of a parking ticket would be | appropriate here. | | If OP had changed the URL once, found the vulnerability, | and then immediately closed the page and reported the | problem, I would see nothing bad in what they did. But | they didn't merely do that, and IMO crossed the line in | their subsequent actions. | bawolff wrote: | In real life, if you do it under false pretenses, you are. | In this analogy the real-world version would be considered | fraud. | rtkwe wrote: | In our version though the system can require you to show | whatever ID or authentication the designer decides, so how | can any process as simple as changing an ID in the URL be | fraudulent? In this example the person who browsed other | plans either wasn't asked for any ID or the person | fetching the documents didn't check authorization. Either | one is negligence on the department's/site's side. | rpdillon wrote: | Not sure I see how. More like the records office decided | that, rather than staffing the front desk to handle | records requests, they instead just dumped an unlocked | filing cabinet into an alcove off the hallway with an | arrow pointing to it labelled "Health Care Plans". | Essentially identical to blaming users for finding an | unsecured S3 bucket or MongoDB instance: it's on the | operator to secure the data. | bee_rider wrote: | It is more like the records office decided that, but | didn't tell the people whose records they were holding | that they didn't feel like staffing the desk. The records | office is of course 99% to blame for their incompetence | here, but it is still a bummer for the people who trusted | them, and better not to look. | kelnos wrote: | > _Essentially identical to blaming users for finding an | unsecured S3 bucket or MongoDB instance_ | | I agree that it's unreasonable to blame users for | _finding_ things like that.
But if those same users are | downloading all the data and making use of it for their | own purposes, that's not ok. Finding a vulnerability and | reporting it is an admirable thing to do; exploiting that | vulnerability yourself is not. | dragonwriter wrote: | > In real life, if you do it under false pretenses, you | are. | | Sure, but how is that relevant? What material false | representation was made which was relied on in deciding | to provide the data? | Spivak wrote: | Because servers don't decide anything. They're autonomous | systems imperfectly carrying out the will of humans who | make the actual authorization decisions. If a computer | system erroneously prints an extra 0 on a check mailed | out to you that doesn't mean you get to keep the money | because the computer isn't the entity that decides how | much money you're owed. | dragonwriter wrote: | > Because servers don't decide anything. | | If there was no decision, much less one based on | materially false information, there can be no charge | related to false pretenses. Your argument against | decisionmaking is an argument _against_ your claim of | false pretenses. | | > If a computer system erroneously prints an extra 0 on a | check mailed out to you that doesn't mean you get to keep | the money because the computer isn't the entity that | decides how much money you're owed. | | That's neither entirely true _nor_ at all relevant to | your false pretenses claim. | Dylan16807 wrote: | Asking for the next file isn't false pretenses. I don't | know if this analogy works quite right. Even rifling | through a file cabinet wouldn't be false pretenses, it | would be something else. | | And you have to cause injury for it to be fraud. Is "Help, | I was too honest to a customer." a valid injury claim? | bawolff wrote: | I think the analogy would be going up to the desk and | saying: my id number is X (when it's really Y), can I have | my file.
| | If you convince them that you really are X and they give | you the file, I think that would be considered fraudulent. | Whether or not an injury takes place to raise it to the | level of fraud I guess depends on what was in the file, | but in countries with strong privacy laws, someone would | probably be in a heap of trouble. | strofcon wrote: | Except that's not at all what they did - they simply | accessed files that _had been made public by the service | provider_. | | To be able to log in as BoBibbidyFooBar, and subsequently | access ANY company's info in the system _without changing | their identity_ from BoBibbidyFooBar does not, in any | way, constitute any sort of fraud. It literally cannot, | by any sensible definition. | kelnos wrote: | Intent matters. The service provider clearly did not | intend that the files should be public. They screwed up, | and they should take responsibility for that. But that | doesn't make it ok to know about the security issue and | download as many documents as you can in order to use | them for your own purposes. Perhaps that wouldn't be | "fraud" based on whatever definition you're using, but | it's clearly unethical and immoral, and IMO hopefully | illegal as well. | tragictrash wrote: | But they didn't do that. They just asked for a different | file, not misrepresenting their identity. | Retric wrote: | He had already given his correct details to be able to | view plans. It's like calling the cops to get your | accident report, then asking for the next higher numbers | and they give it to you. | jaywalk wrote: | Nope, no way. Your analogy is wrong. | | A better analogy would be you asking for your files, and | then the secretary taking you to a filing cabinet | containing everyone's files right there with yours. You | don't have to lie about who you are, you can just look at | other files because they're right there in the place that | you were just given access to. | celtain wrote: | How is that analogy wrong?
Both in terms of the technical | implementation and the subjective user experience, you're | making separate requests for a document each time. | | Analogies are always going to be imperfect, but I can't | see the argument that the "separate request" analogy is | any worse than yours, let alone "wrong". | Spivak wrote: | And even in that case you're still not allowed to look at | other people's documents. Like it doesn't matter that | they're right in front of you, you still haven't been | given authorization. | jjav wrote: | > I think the analogy would be going up to the desk and | saying: my id number is X (when it's really Y), can I have | my file. | | Not at all, because what you describe involves | impersonating someone else. | | In the OP case, they were authenticated in the session as | themselves and always acted under the truthful identity | and asked for a document and access was granted. | | So the analogy would be going up to the desk and saying: | I'm John Doe, my id number is X (truthful value), could I | see file ABC? And the attendant checks that id==X does | have access to document ABC, and thus hands it over. | formerly_proven wrote: | The closest real-life equivalent to asking a computer | server for a document and getting it is asking a human | server (e.g. office clerk, archivist) for a document and | getting it. If I go to the IRS to do some paperwork and | notice it says "File #7881991" in the top right corner | and I go to the clerk and ask them "Hey, can I have files | 7881992 and 7881993, too?" _and they give them to me_, | who is liable for that? It's quite obvious. | tomrod wrote: | This is 100% the correct analogy. | Spivak wrote: | But this is assuming that the server has more agency than | it does. Servers don't have minds and they don't make | authorization decisions. This is more like someone giving | you a key to a filing cabinet in order to retrieve some | documents and while you're there you snoop on the ones | next to yours.
| | Is this system more trusting of people than it should be? | Probably. Does that mean you're allowed to snoop on other | people's documents -- nope. | tremon wrote: | _But this is assuming that the server has more agency | than it does._ | | No, it merely assumes the server is acting on authority | of the organization identified by the domain name. It | doesn't assume agency, only representation. | toqy wrote: | If you give me the key to the files and don't explicitly | forbid me then it certainly does mean I'm "allowed" to | look at the documents. You literally and explicitly just | allowed me to do so by granting me access. | tomrod wrote: | Right. The server is not liable. The people who set up | the server to serve application data for every client to | any client are. | | Just like the IRS admin assistant in the example was the | agent to cause the transfer. The filing cabinet/server is | not the agent, simply the repository responding to the | system and practices in place. | bawolff wrote: | Users don't normally construct urls by hand. Wouldn't the | equivalent more be like: | | You filled out some form to request a document from the | IRS. You give the form to the person, they give you the | document. | | You notice they don't check IDs, so you change the name on | the form, and get someone else's document. | | This definitely seems to fit the definition of fraud: | | 380 (1) Every one who, by deceit, falsehood or other | fraudulent means, whether or not it is a false pretence | within the meaning of this Act, defrauds the public or | any person, whether ascertained or not, of any property, | money or valuable security or any service [that's the | Canada definition] | strofcon wrote: | But... they didn't change their name on the form. They | literally just said "I'm still me, but I want this other | file now, please."
| | All company data was, in OP's scenario, _made public to | any and all authenticated users._ | | There is no way to rationally spin this as a malicious | act, in my view. | bawolff wrote: | Well they changed an id number. I guess the real life | version would be changing the SSN number on the form. | MangezBien wrote: | An SSN is considered private info, the plan number | wouldn't be. | mcguire wrote: | No one is claiming "I'm still me, but I want this other | file now, please." is a malicious act. | | Downloading a number of them and comparing information, | however, is not necessarily malicious but rather sketchy. | kelnos wrote: | I don't think simply changing the ID in the URL to see | what would happen is itself a malicious act. But, after | discovering the vulnerability, OP admitted to continuing | to exploit the vulnerability so they could make use of | the information they'd gotten, information that they | should not have access to. _That_ part of it is | _actively_ malicious. | Dylan16807 wrote: | I don't think changing the _name_ is a fair comparison. | | This definition of fraud doesn't define the word | "defraud"? I don't know how I'm supposed to see if it | fits or not. | | It can't mean _any_ action, or going into a store, lying | about my name, and asking what aisle has baked beans | would fit. Because that has "deceit" and "any service". | | If I interpret things as the service being minimal and | provided for free, so that I'm not deceptively getting | _the service_, then we have to look at what actually | gets _sent_ to me, and whether it's "property, money or | valuable security". And since it's just a copy of the | data sent at no cost, it's much harder to argue fraud | exists. | kelnos wrote: | The data in this case clearly had value; OP admitted to | continuing to change numbers in the URL to get more | information about what plans other companies were signing | up for, because that information was valuable to them.
| Talanes wrote: | You're assuming the "because that information was | valuable to them" part. Or you're using such a broad | definition of valuable that it would also make this comment | thread valuable because I have refreshed it multiple | times. | | While you could construct hypotheticals where OP is using | the health plan information to gain actual value, they | are all so far-fetched I wouldn't buy them as a fictional | plotline. Dude was probably just curious. | White_Wolf wrote: | "deceit, falsehood or other fraudulent means" => editing | the URL is none of those. Forging a cookie for access | is, just like randomly trying passwords and usernames. | | The closest real life example I can think of would be | along the lines of: - your car is in a public parking | space and someone looks inside vs - the same car is in the | garage and someone breaks the door to look inside your | car | marcellus23 wrote: | A closer analogy would be that you keep the name as your | name, but change the # of the document you're requesting. | It's the IRS's job to ensure you're allowed to retrieve | that doc. | kelnos wrote: | Sure, but I guarantee you that if the IRS screwed up and | gave you the other doc, and you made use of that | information (rather than immediately turning around and | saying "um, IRS, I think you made a mistake; this doc | doesn't belong to me"), you'd be in trouble as well. | marcellus23 wrote: | Haha that's fair. | kelnos wrote: | No, it's not, because computers and humans are not the | same. A computer might give away too much information | because someone misconfigured it. The closest human analog | to that would be if the human was improperly trained in | what information they're supposed to give out. But the | human also has other options: they could be tricked into | giving out more information than they should, or they | could be giving out more information because they're | being paid off or given some other benefit.
| | You can certainly assign various levels of blame and | responsibility to the human "server" in those scenarios. | But the human on the other side of the interaction, the | one requesting information, doesn't magically become free | of reproach. If they are requesting information they know | they should not have access to, and then making use of | that information for their own gain, they're guilty too. | | There's a _very_ narrow carve-out for the white-hat: | requesting information with the intent of uncovering | vulnerabilities, with the intent to help them get fixed. | We expect a white-hat actor here to destroy and not make | use of any information they obtain that they shouldn't | have. | | > _If I go to the IRS to do some paperwork and notice it | says "File #7881991" in the top right corner and I go to | the clerk and ask them "Hey, can I have files 7881992 and | 7881993, too?" and they give them to me, who is liable | for that? It's quite obvious._ | | Yes, it is obvious: the clerk is liable for giving you | something they shouldn't have, and you are liable for | fraudulently representing yourself as someone who should | have access to those files. | | I don't get where this idea of "the other person let me | do the crime, so the crime is ok" comes from. That's just | not how the law works in the real world. If you then | walked out of the IRS office with those files, I would | absolutely expect you to get arrested. (Even if you | immediately gave the files back, you'd probably be on | shaky legal ground.) | benlivengood wrote: | > Yes, it is obvious: the clerk is liable for giving you | something they shouldn't have, and you are liable for | fraudulently representing yourself as someone who should | have access to those files. | | It's always okay to ask for things. There would be no way | for society to adapt, progress, or change if people were | limited to only asking for things that they knew in | advance they were allowed to have.
If it's legal for a | telemarketer, pollster, reporter, cop, or recruiter to | contact me and ask me questions then it's just as legal | for me to contact and ask a web server a question. The | correct response to unauthorized requests is a 4xx, not a | lawsuit. | | More to the point, what makes it okay to ask a new web | server for "/" without permission? Even if browse-through | terms of service were legally enforceable they aren't | known to the user or the browser before making the first | connection and request. | | If a web server doesn't want to answer questions then | don't connect it to the Internet. | bawolff wrote: | It is the intent of the act, not the act itself, that is | important. | | If you know doing x will cause y, then when you do x you | are doing y and you are responsible for the consequences | of doing y. It doesn't matter what x was. | | This is especially true in the real world. | Muromec wrote: | It's not the point. Of course they built a stupidly insecure | system, and of course sending people to jail for finding | out such holes is wrong, but on the other hand an ethical | person should stop their access to personal data which they | are not supposed to see after confirming that the vulnerability | exists and not make copies of said data. | mcguire wrote: | Because you _can_ do a thing does not mean you _should_ do | a thing. | | If the security system is broken and you do exactly what it | should be preventing, then you report it and get upset | because they ask questions about you doing exactly what you | did? | kelnos wrote: | Accessing data that you are not authorized to view is still | wrong. The fact that someone has misconfigured the access | controls doesn't change that. | | I might forget to lock my front door one day, but that | doesn't make it ok for you to wander into my house and look | at all my stuff.
| BizarroLand wrote: | If you make a library open to the public but then get | upset they are reading the books, who is in the wrong | here? | qorrect wrote: | > Accessing data that you are not authorized to view is | still wrong. | | So if a piece of paper flies in my face and has company | secrets and I manage to look at it, I'm at fault here? | | > I might forget to lock my front door one day, but that | doesn't make it ok | | Sorry, but if you're not going to secure your belongings, | then expect to be robbed. | | Being 'ok' has nothing to do with it. | bigiain wrote: | > Sorry but if you're not going to secure your | belongings, then expect to be robbed. | | It's not even "getting robbed" really. Nobody here | deprived the owner of anything. It's more like: | | Sorry, but if you're not going to secure your belongings, | then expect to have people look at your stuff. | jjk166 wrote: | Well in this case I'm knocking on your door and you're | opening the door saying "Come right on in!" | | Requesting access (ie knocking on a door/typing a url) is | not illegal. If you grant that request (ie invite me | in/serving a webpage), I am under no obligation to | psychically infer that you didn't mean to and refuse your | invitation. | tremon wrote: | If I send an HTTP request, and the server -who I believe | is acting on behalf of the publishing party- sends a 200 | OK response along with the data, how am I to conclude I | wasn't authorized? Since when is authorization the | client's responsibility? | bigiain wrote: | Yep. | | Send me a 401 (or a 403) status and I'll know I'm not | authorised. | | In the physical world, nobody would lawyer up and go to | court if someone walked through an open door with a sign | saying "public entry here" and saw something | confidential.
| | If you have confidential information around in the | physical world, you make sure you have facilities staff | who know the difference between "public entry here" signs | and "authorised personnel only" signs. You also have | facilities staff who know how to fit door locks and door | closers, and security staff who know how to choose | appropriate locks and to enforce compliance of locking | doors. And if all that breaks down, it's not Joe | Concerned-Citizen who tells you about it, or even Mallory | from your competitor who waltzes out with trade secrets | who gets held to account, it's the manager and/or | executive in charge of facilities and security who'd be | answering the difficult questions, probably with their | lawyer at their side. | | It's sad that the legal system hasn't yet started to hold | people to account for having incompetent web developers | and server operators. | solveit wrote: | Being wary of the guy, sure. But it's a terrible response in | general. The correct response is to _take the site down_! | Monitoring IP addresses? Really? | | First, it's trivial to just use a different IP address. | Second, even if you could track people perfectly, which you | can't, who the hell thinks it's okay for data to get leaked | as long as you know who it gets leaked to? | throwaway894345 wrote: | It's not a _nice_ response, but IT needs to be able to | answer questions about the extent of a given breach (what | info was accessed by whom and when). This is a legal | requirement in the case of health information. Ideally | people could be courteous while fulfilling their legal | obligations, but IT folks aren't generally chosen for their | public relations or customer service skills. | frumper wrote: | If he can monitor ip addresses to make sure this guy | isn't browsing anymore, then he should be able to check | those same logs to answer his own question.
If you want | people that have zero obligation to help you then you | should probably be nice to them. The nefarious criminal | isn't going to report things like this to you. | throwaway894345 wrote: | I already agreed that this doesn't warrant unkindness. | vageli wrote: | In those situations you get a third-party in for | forensics, you don't typically ask the people who | breached how large the breach is (why would you take them | at their word anyway? aren't they incentivized to | downplay, etc). | marcus0x62 wrote: | Yes, and they need to do that based on the forensic data | available to them, even if the answer is "we don't know, | it could be everything.". Asking the person who caused | the breach to explain the extent of your data loss is not | an acceptable, or reliable, practice. | throwaway894345 wrote: | I don't expect that it is sufficient, but it probably | gives the IT person something to tell their boss in the | short term: "We'll verify, but he says he only accessed | X". | ajmurmann wrote: | Assessing the scope of the breach, sure. "Fixing" the | breach by monitoring a single IP address's access | patterns not so much. The site needed to be taken down | till a mitigation has been deployed. | throwaway894345 wrote: | Agreed. | dymax78 wrote: | Vehemently agree. The response demonstrates, if nothing | else, the lack of an appropriate Incident Response Plan. A | competent legal team would not vet and approve such a | response, instead redirecting it through the appropriate | channels if they felt the need to respond directly. | invisible wrote: | What's bonkers is that _your own data_ was also accessible. | Who's to say other users didn't get that data and choose to not | report and kept the data? | | Your own outrage to your data being exposed would have been | perfectly reasonable.
| rapind wrote: | "No, I didn't look at any other plans, but I've notified our | lawyer who is now compiling the list of exposed company plans | before she contacts each of these companies for class action | suit proceedings". | vmception wrote: | it's best to assume Responsible Disclosure(tm) is a psyop to | find gullible people | cm2187 wrote: | How is it a bad response? They want to know what data has been | exposed and ensure you delete that data. That's data leak 101. | Why would you be defensive about it? | bbarnett wrote: | When someone is kind, helpful, and goes out of their way to | help you, for free!!, you have no business demanding, | insisting, or threatening a single thing. | | Proper response would have been "Wow! Thanks!" and at worst | "Please don't share what you saw, and thanks again." | lazide wrote: | Because he was clearly trying to threaten him? | yonixw wrote: | The point being that the IT guy made sure this guy will never | try to report on anything again. As they will ".. would be | watching .. at our IP address .. while the issue was being | fixed." | | Instead of a normal company having a bug bounty and sometimes | even with cash prizes. | | Do you think google "will watch your IP" after you reported a | bug? or will they give you money? | | What helps in the short run? and what helps in the long run? | munk-a wrote: | > Do you think google "will watch your IP" after you | reported a bug? or will they give you money? | | I honestly think they'll do both - but they won't tell you | they're watching your IP because it's needlessly | antagonistic. | sbassi wrote: | > They want to know what data has been exposed | | They should check their own logs instead of relying on a 3rd | party that may not tell the truth. This shows incompetence. | olyjohn wrote: | Because you have no way of knowing if they deleted the data | or not from their system. It's a pointless exercise, unless | you're just gonna take their word for it.
| spoonjim wrote: | When you went to 342 you were white hat. When you went to 343 | you became black hat. | websap wrote: | Obviously this person from the IT department has very little | understanding of how computers work, and I'm not saying they | should. | | Each time a breach like this or in the original post happens, | it makes me feel that our tools are just not there yet. If | there were simple tools that caught vulnerabilities like this | we would improve the standard of security. | dataviz1000 wrote: | I did that once a long, long time ago with the organization | that monitors maritime piracy around the world. They have a | mailing list which I accidentally stumbled on that included I | assume since I only saw the one page of email addresses that | ended in top level domains like un.org and navy.mil thousands | of email addresses. I contacted through email the people | running the organization that I accidentally stumbled on the | page and they should probably hide it which they responded | thank you. If you have ever been to Washington DC you would | know the amount of money military contractors spend to show the | latest navy vessel to everyone at the Foggy Bottom metro | station and other places where such ads seem unlikely. That was | the mother of all B2B email lists for militaries and shipping | companies around the world. I didn't want to play any games | with it. | | EDIT: Remembering it now, there were also email addresses with | the Iranian navy as they coordinate with other navies to fight | piracy too. Perhaps instead of sending a Rickroll I could have | sent a mass email with Lennon's "Give Peace a Chance." | walrus01 wrote: | Huge missed opportunity for mass email of URL shortener link | to the youtube Rick Astley video. | dataviz1000 wrote: | There were cia.gov email addresses in there too. When these | guys don't get a joke and fixate on you, they really fixate | on you. They are more clingy than that song. | agustif wrote: | Redacted. 
| Ph0X wrote: | I think you just missed the entire point of the comment | you replied to... | Talanes wrote: | I think you just missed the joke of the comment you | replied to... | jjk166 wrote: | Are you saying that the CIA is never going to give him | up? | samstave wrote: | Well, they're never gonna let him go, that's for sure. | | And they may also hurt him. | walrus01 wrote: | well they're definitely never gonna say goodbye | jameshart wrote: | Unfortunately, this is the top comment and it has led to a | lengthy discussion about the ethics of altering a url to | retrieve a resource you should not have access to. | | Which is a fascinating discussion, but has _nothing_ to do with | the case at hand which is where the underlying html on a | publicly accessible search result page contained SSNs of the | teachers returned in the search. | | All the analogies about 'it's like asking the IRS for another | document' are all wonderfully applicable to this comment, but | not remotely applicable to the actual article. | askvictor wrote: | On the other hand, to a non-techie person, where do you draw | the line? Accessing the HTML of a public webpage is trivial | to you and me. But what about decompiling or extracting | strings from an .apk? Almost exactly the same thing as | pressing F12 in the browser, but a tad more 'active'. It is | relevant to this article, as it asks what hacking is OK, and | what isn't | woodruffw wrote: | This entire thread is a great microcosm of how _difficult_ it | actually is to talk precisely and intelligibly about | "hacking", permissions, intended access, etc! | datavirtue wrote: | URLs are not secrets. End of discussion. | michael_michael wrote: | I am now questioning the wisdom of having shared this story, | and I apologize for derailing the discussion. | jameshart wrote: | It's a relevant comment, and people evidently found it | interesting. | wslack wrote: | It's a good story and relevant. 
Not your fault the internet | got spun up in a totally other direction with it. | WarOnPrivacy wrote: | * The newspaper said it found that teachers' Social Security | numbers were contained in the HTML source code of the pages | involved. In other words, the information was available to anyone | with a web browser who happened to also examine the site's public | code using Developer Tools or simply right-clicking on the page | and viewing the source code.* | | The state's website was sending SSNs to the browser of every | visitor. Visitors didn't ask for that info but got it anyway. | Everything the state sent was viewable thru View Source. | Wistar wrote: | The reporter hacked our water system, maliciously held his hand | under the faucet and then revealed to us that the water was WET! | josefresco wrote: | FYI the "Governor" is Mike Parson | | "As governor, Parson signed a bill criminalizing abortion after | eight weeks of pregnancy and opposed Medicaid expansion. He | oversaw the state's response to the COVID-19 pandemic, where he | issued a temporary stay-at-home order in April 2020, allowed | school districts to decide whether or not to close, and limited | postal voting during the 2020 U.S. elections. Parson also oversaw | Missouri's reaction to the George Floyd protests, during which he | pledged to pardon Mark and Patricia McCloskey, the couple | involved in the St. Louis gun-toting controversy, if they were | convicted of any crimes; he issued their pardons in August 2021." | | Sounds like a _great_ guy. | handrous wrote: | I am reliably informed by people with some insight into | Missouri government that Parson is _exceptionally_ terrible. | Incompetent or malicious, depending on the day. | | I gather the previous (also Republican) governor, Greitens, who | may or may not have been into some weird/illegal sex stuff and | was forced out over it, was actually pretty good.
Seemed to | truly care about governing well and improving the functions of | state government, at least, which Parson _does not_. | Splendor wrote: | He is terrible, but in today's GOP there is nothing | exceptional about Governor Parson. | mmmpop wrote: | Soapbox much? | | The dude's clearly a moron but this isn't a thread about any of | the topics mentioned in your quote. You're actively making HN a | shittier place with comments like this. | sophacles wrote: | > You're actively making HN a shittier place with comments | like this. | | Please find your way to the nearest mirror and take a very | hard, long look. | josefresco wrote: | The title only said "Governor" so I was like "gee, who is | this guy/gal?" and so I RTFA and went back to the comments. | Many were still referring to him as "Governor" and not by | name so I thought it would be useful to mention his name. I | then started reading his Wikipedia page and discovered he's a | real piece of crap (IMHO) and decided to include that summary | in my post. Am I starting crap? Maybe, but I think some | background on his recent decisions in his role as Governor | would be relevant to an article questioning a recent decision | in his role as Governor. | [deleted] | logicalmonster wrote: | What is the source of the pasted quote? I have no idea what | kind of person the Governor is (outside of being technically | illiterate) and am not interested in a partisan bickering | match, but despite disagreeing with some points there, some of | the actions listed there are arguably great moves (with the | devil being in a lot of nuanced details that your list didn't | go into) | josefresco wrote: | It's from his Wikipedia page. | [deleted] | jll29 wrote: | The distribution of the SSNs to the client, where they can be | seen by everyone using a Web browser by clicking on a standard | menu function is clearly the government's fault. 
| | They are obviously trying to deflect their incompetence - nobody | audited the design nor the resulting implementation. | | If the journalist acted as described it is professional behavior | (notify and postpone publication to give the Website operator a | chance to fix things), it is ethical and complies with security | disclosure best practices. | betwixthewires wrote: | This governor is an idiot and should be removed from office for | this. | comeonseriously wrote: | > ... unencrypted the source code from the webpage | | So now 'View Source' is a decryption tool used by those pesky | "hacker" types? | heavyset_go wrote: | This is just standard fare for the governor to rile up his base | by attacking the press. | bastardoperator wrote: | The only crime here is that this uninformed governor is going to | spend taxpayer dollars and time to chase ghosts. His staff are | either terrible, or this is all political theatre. I don't expect | everyone to understand the internet at a technical level but no | one under this guy could explain that this is a Missouri problem | not a hacker problem? | ROARosen wrote: | > No private information was publicly visible, but teacher Social | Security numbers were contained in HTML source code of the pages | | How is an HTML page source not considered "publicly visible"?! | thewileyone wrote: | This is probably unpopular, but I want to see this go to court so | that this moron can be exposed for all to see. | fabianhjr wrote: | Best outcome would be for the courts to dismiss the case | outright. (Bonus points for snark against the governor) | CivBase wrote: | > "A hacker is someone who subverts computer security with | malicious or criminal intent," the statement continued. "Here, | there was no breach of any firewall or security and certainly no | malicious intent. [...]" | | Then I guess HN better find a new name.
| | Seriously though, this defense bugs me because it outright | dismisses the idea of ethical hacking by re-defining "hacker" as | someone with "malicious or criminal intent". They should | embrace the label and explain the difference between white | hat hackers and black hats (the actual criminals). | | Our world needs more white hat hackers. All it takes is one | security flaw to compromise a system and the deck is always | stacked against those securing it. Re-defining "hacker" as a term | to describe criminals stacks that deck even worse by dissuading | future would-be white hats. | fak3r wrote: | Once again, Gov Parsons makes me embarrassed to be a Missouri | resident. | C19is20 wrote: | Why? | mcguire wrote: | Aside from everything else, | | " _According to the Post-Dispatch, one of its reporters | discovered the flaw in a web application allowing the public to | search teacher certifications and credentials. No private | information was publicly visible, but teacher Social Security | numbers were contained in HTML source code of the pages._ " | | I expect there will be no consequences for the mindless idiot who | put SSNs in the HTML output. | Threeve303 wrote: | Do not make yourself even suspected of anything computer related | to state or federal authorities. It is never a good idea. | scc wrote: | This news should not surprise anybody who has used government | websites in Missouri. Here is an example: | https://mydssapp.mo.gov/CitizenPortal/application.do | | The website takes a LONG time to load because of how many | javascripts it loads!! | suzzer99 wrote: | I gave up, and my browser was still semi-borked for a while | after clicking back to HN. | basedbertram wrote: | Holy cow, that's incredible | frumper wrote: | you aren't kidding, that's pretty impressive really | salynchnew wrote: | TFW the governor doesn't realize that HTML is a document that | they proactively published on the internet.
| | "The hacking is coming from inside the (state) house!" /s | mmazing wrote: | Do you want to stop responsible disclosure of bugs like this in | your state, Missouri? Just leave it for people who will actually | misuse it? | | Because that's what you seem to want ... quit electing morons. | ChrisMarshallNY wrote: | Gosh ... this should end well. <call | target="broker"> <communication command="buy"> | <stock>Orville Redenbacher</stock> </communication> | </call> | nimbius wrote: | Governor Parson, While in the Army, attended night classes at the | University of Maryland and the University of Hawaii, without | completion of a degree. | | It's not hard to see how someone with only a rural sixties | high school education might conflate this particular revelation | with treasonous intent. | kgeist wrote: | If I witness a crime and tell police about it, am I an accomplice | according to Mr Parson? | Johnny555 wrote: | _"The state is committed to bring to justice anyone who hacked | our system and anyone who aided and abetted them to do so," | Parson said_ | | I assume they'll start with the head of the Office of | Administration Information Technology Services Division whose | team allowed such a glaring vulnerability in the first place. | | If IT management held some responsibility for breaches, then | maybe it wouldn't be so hard to get funding for security | measures. | Buttons840 wrote: | I commented days ago about a state website that was returning all | kinds of nicely formatted NPI in JSON from an API response, but | the NPI was not displayed. I donned my black hat and other hacker | attire and pressed F12 to open the browser's developer tools (a | tool created by a shifty company named Google most people have | never heard of), and there it was, plain as day, SSNs, addresses, | etc. I closed the page and never touched it again. I knew what's | happening in this story could happen to me.
I knew my side of the | story would rarely be told and that my fate would lie in the | hands of a judge who views the F12 key with distrust and fear and | a jury of my "peers" who are not actually my peers in any skill | or know-how related to the case. | onychomys wrote: | At least make a throwaway email account somewhere and email the | state's IT department to let them know. I doubt it'd ever get | fixed (given state budgets), but still. | dragonwriter wrote: | In states that have state-level IT departments (usually, in | addition to, as opposed to instead of, agency-internal ones), the state-level | one mostly does IT project and contracting policy and | oversight (often limited to large projects for active | oversight), and maybe executes enterprise contracts for | infrastructure that is used across agencies. | | For an in-production system, there is a good chance that they | have no responsibility for ongoing maintenance, and no | special information beyond what is on the website as to who | is responsible for maintenance. | | You are better off contacting (anonymously or otherwise) the | responsible agency. But, sadly, probably the most effective | way to get it changed (after the flurry of butt covering) is | to anonymously notify the media. | TheSpiceIsLife wrote: | I remember being _more free_ during the Cold War. | | Many politicians are much older than me. | | Are their brains just hard-wired to see an enemy everywhere? | arbuge wrote: | This story just gets worse and worse: | | https://news.stlpublicradio.org/government-politics-issues/2... | | "Missouri Gov. Mike Parson on Thursday launched a criminal | investigation of a St. Louis Post-Dispatch reporter... The | investigation begins today, and Parson said the investigation | could cost taxpayers as much as $50 million but did not detail | those costs or take questions at a news conference Thursday." | | $50m over this now?
They say never to assume malice when outright | incompetence will do, but I'm beginning to wonder if some corrupt | dealings involving IT contractors might be going on under the | table. | | Whichever one it is, at this point I think the governor should | just apologize and resign immediately. Not holding my breath. | | Edit: Looks like the governor is tweeting about this now. | Straight from the horse's mouth: | | https://twitter.com/GovParsonMO/status/1448697768311132160 | | Really couldn't make this stuff up if I tried: "This individual | did not have permission to do what they did. They had no | authorization to convert and decode the code." | skeeter2020 wrote: | "... teachers' Social Security numbers were contained in the HTML | source code of the pages involved..." | | My bet is the SSN was used as the GUID for a table row or list | item. | suzzer99 wrote: | I'm going to guess a value in a hidden form field. | droptablemain wrote: | Can't determine if this allegation is malicious in nature or | simply based on technological incompetence. Maybe some | combination of the two. | samuelizdat wrote: | Remember when a guy "Hacked" AT&T when the new iPad came out in | 2010? I wonder what happened to that guy? lol | buitreVirtual wrote: | The news is not only the lack of understanding of what hacking is | and what a security fuck up is. The news is the cowardice of this | clown of a governor trying to deflect blame to those reporting | the vulnerability. If he is too embarrassed to admit his | government's fault, he will be rewarded with twice the | embarrassment for reacting like a corrupt despot. | allemagne wrote: | >Republican state Rep. Tony Lovasco, who according to his | legislative biography has worked in software deployment and | maintenance, tweeted Thursday that "it's clear the Governor's | Office has a fundamental misunderstanding of both web technology | and industry standard procedures for reporting security | vulnerabilities. 
| | >"Journalists responsibly sounding an alarm on data privacy is | not criminal hacking," he said. | | I worry that we're heading in a direction where somebody like | Lovasco won't be willing to break with somebody of the same | political party even for something like this. | | It's already incredibly easy to code this story as a PR "win" for | Democrats by embarrassing a prominent Republican. | | So then isn't giving a common-sense perspective in this | circumstance kind of just a betrayal of everything your side | stands for? | | I mean it's pretty unlikely that anything of legal import | actually happens to the reporter, so for the "greater good" of | accomplishing your wider agenda, or perhaps even more importantly | preventing the other side's agenda, it might be better to just | stay quiet and let this blow over as partisan bickering. | jaywalk wrote: | The fact that it happened here should calm your worries at | least a little bit. | giantg2 wrote: | "... Social Security numbers were contained in HTML source code | of the pages." | | "Gov. Mike Parson was labeling the Post-Dispatch reporter a | 'hacker' and vowing to seek criminal prosecution." | | L O L. Everyone who has hit F12 in a browser is now considered a | hacker. | | I hope the prosecutors and law enforcement come to the right | conclusion quickly and tell the governor no crime was committed. | My experiences have left me with little faith of that happening. | AnimalMuppet wrote: | "You can look like idiots now. Or you can try to keep from | looking like idiots, and look like even bigger idiots very | quickly. Your choice." | RHSeeger wrote: | And, in the process, double down and cost the reporter his | career and entire life savings as he pays for a lawyer to | keep himself out of jail. | giantg2 wrote: | Usually the better publications have, or pay for, counsel | for work related issues like this. | | I don't think this will cost them their career. 
Every semi- | intelligent person can see what's going on. It will | certainly create some short-term headaches though. | black_puppydog wrote: | Good. Let this go all the way to the top, this is someone who at | least in theory should be backed by an institution (and various | amendments...) so this should establish a nice precedence that | no, you can't shoot to the messenger. The only "tiny" detail | would be how to shield the individual reporter from the fall-out | in the meantime. And while we're at it, holding an office should | not protect you from personal liability for the harm done to said | messenger during the process. | | Terribly idealistic, I know. One can dream... :| | weddpros wrote: | No better than patent trolls | _0ffh wrote: | I don't think I can blame a politician for being technically | illiterate, especially one that old. But what the heck is up with | the state bureaucrats who report to that guy? | | I mean _someone_ in the freaking state bureaucratic hierarchy | should at least be lucid enough to consult someone who has an | actual clue about things as these. | mindcrime wrote: | _I don't think I can blame a politician for being technically | illiterate, especially one that old._ | | I don't think age should excuse this guy at all, nor do I buy | into the meme that age has much of anything to do with | technical literacy. Consider that Brian Kernighan is ~78, Tim | Berners-Lee is 66 (the same age as Governor Parsons here), | James Gosling is also 66, Rob Pike is 65, Steve Wozniak is 71, | Geoffrey Hinton is 73, and so on. And that's not even | considering folks who were around so early they've already | passed away, like Marvin Minsky, Dennis Ritchie, John McCarthy, | etc. | cle wrote: | > I don't think I can blame a politician for being technically | illiterate, especially one that old. | | Given the impact of technology on society, we absolutely can | and should blame politicians who are technically illiterate.
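The technical point that runs through the thread (tremon and bigiain above: authorization is the server's decision, signalled with 401/403 rather than a 200 carrying the data; Buttons840: an API response that contains fields the page never displays; WarOnPrivacy: the site sent SSNs to every visitor's browser), as an added example that is not code from the thread, the Post-Dispatch, or the state's site. The records, names, SSNs and the `certification_admin` role are constructed placeholders. It shows the over-serialisation pattern beside an allow-listed fix, a server-side authorization check, and a pre-release check that scans rendered HTML for SSN-shaped strings so the defect is caught before a visitor's View Source does.

```python
"""Constructed example (added here; not code from the thread, the newspaper
or the state website). It shows the over-serialisation bug the thread
describes, the server-side allow-list that fixes it, a 401/403 decision made
on the server, and a check that scans rendered HTML for SSN-shaped strings.
All names, record ids, SSNs and the role name below are made-up placeholders."""
import html
import json
import re

# Constructed sample rows; the SSNs are fake.
TEACHER_RECORDS = [
    {"id": 101, "name": "A. Example", "cert": "Elementary 1-6",
     "status": "Active", "ssn": "123-45-6789"},
    {"id": 102, "name": "B. Sample", "cert": "Secondary Math",
     "status": "Expired", "ssn": "987-65-4321"},
]

# The only fields an anonymous search visitor is ever allowed to receive.
PUBLIC_FIELDS = ("id", "name", "cert", "status")


def _render_rows(records):
    """Render a search-result table. Each row also carries the serialised
    record in a data attribute, the way many front-ends hand data to
    client-side scripts; whatever is in `records` reaches the browser."""
    rows = []
    for r in records:
        payload = html.escape(json.dumps(r), quote=True)
        rows.append(
            f'<tr data-record="{payload}"><td>{html.escape(r["name"])}</td>'
            f'<td>{html.escape(r["cert"])}</td><td>{html.escape(r["status"])}</td></tr>'
        )
    return "<table>" + "".join(rows) + "</table>"


def render_search_vulnerable(records):
    """The pattern the thread describes: the whole database row is handed
    to the template, so a field it never displays (ssn) is still sent to
    every visitor and is visible with View Source."""
    return _render_rows(records)


def public_view(record):
    """Allow-list projection: drop everything not explicitly public."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def render_search_hardened(records):
    """Same page, but only the allow-listed projection is serialised."""
    return _render_rows([public_view(r) for r in records])


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_ssn_like(document):
    """Pre-release check: return SSN-shaped strings found anywhere in a
    rendered page, including inside attributes and HTML-escaped JSON."""
    return SSN_RE.findall(html.unescape(document))


def get_full_record(session_user, record_id):
    """Authorization is the server's decision and is signalled by status:
    401 with no session, 403 without the required role, 404 if missing,
    200 with the full record otherwise. Role name is a placeholder."""
    if session_user is None:
        return 401, None
    if session_user.get("role") != "certification_admin":
        return 403, None
    record = next((r for r in TEACHER_RECORDS if r["id"] == record_id), None)
    if record is None:
        return 404, None
    return 200, dict(record)


if __name__ == "__main__":
    print("vulnerable page leaks:", find_ssn_like(render_search_vulnerable(TEACHER_RECORDS)))
    print("hardened page leaks:", find_ssn_like(render_search_hardened(TEACHER_RECORDS)))
    print("anonymous full-record request ->", get_full_record(None, 101)[0])
```

The fix is the projection in `public_view`: the template is never given a field it is not meant to show, so there is nothing for the client to "decode". `find_ssn_like` is the cheap regression check that belongs in a test suite or a pre-deployment crawl of the rendered pages; it runs on the HTML after escaping is undone, since the leaked value in this pattern sits inside an attribute, not in visible text.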
| birdman3131 wrote: | I don't blame a politician for being not tech savvy. | | I can and will blame them for not getting (And listening to!) | a tech savvy advisor. | barbazoo wrote: | And maybe blame the highly partisan electorate too? | mindcrime wrote: | I would think it depends on how "tech savvy" we're talking | about. It's one thing to ask them to write a UNIX shell in | C++, or construct a neural network model... I don't see any | reason to demand that level of technical sophistication | from a governor. But surely there has to be _some_ baseline | level of technological literacy that should be expected, | no? Something beyond "push this button and the computer | turns on" and "Yes, I checked and it's plugged into the | wall"?? | fencepost wrote: | _I don't think I can blame a politician for being technically | illiterate, especially one that old._ | | That right there (probably without the age bit) would be the | _ideal_ one liner response from the reporter or an attorney | from the paper. | javajosh wrote: | I can't stress how differently _power_ works in the Southern | States (EDIT: Missouri is a midwestern state officially, but I've | always considered it part of the South). It's a very | traditional place, where you do not dare contradict, let alone | correct, your boss. There is none of this "avoid surrounding | yourself with sycophants because they will only tell you what | you want to hear" business. There is no upside to speaking up | in meetings if what you're saying is not in direct support of | the boss. If you do this, you will be branded a trouble-maker, | lose favor with the hierarchy, and eventually you will be | expelled. Politeness and deference matters _far_ more than | _any_ other quality. Loyalty beats integrity every time in the | south. | | This incident is just one example of this in action. | CountDrewku wrote: | If you think that's a "southern" trait I've got news for | you... | | This attitude fits the majority of workplaces.
I know it | probably makes you feel better to pass the blame off on a | specific group that you can try to avoid but I've worked all | over the US and it's the same crap everywhere you go. | jeremyjh wrote: | Missouri is not even remotely considered to be in "the | south". At least not by those who live there or in | neighboring states. | handrous wrote: | I know a lot of people who regard it as a hybrid | southern/midwestern state. Plenty of confederate flags to | be found in Missouri, certainly, and the MU/KU rivalry is, | on our side at least, _heavy_ on "bleeding Kansas" | rhetoric and imagery, which keeps Missouri's Southern- | sympathizing role in the war alive in our popular culture | (such as it is). Lots and lots of our local icons, oft- | mentioned historical figures, et c., relate back to the | war, and especially folks who supported the Confederacy. | County seats with those late-addition cheap confederate | soldier memorial statues outside the courthouse are, | AFAIK, quite common in the state. | jeremyjh wrote: | You can find racists and rebels anywhere. If you order a | sweet tea in any restaurant in Missouri they will look at | you like you have three heads. | handrous wrote: | Not true at all, but the sweet tea they serve you will | probably be mediocre at best, that's true. A few places | will serve you unsweet tea (all they have, as a cost- | savings measure) with sugar packets, as if that's the | same thing, which admittedly is an offense worthy of | challenging your server and/or the restaurant owner to a | duel. | CountDrewku wrote: | You can find Confederate flags in northern states and all | over the US. That doesn't suddenly make it more | "southern". I live in CO now and I see more confederate | flags than I ever saw in MO. | javajosh wrote: | You're right! It's part of the midwest officially. | Apparently it does share at least _some_ of the classic | characteristics of the southern states.
| daltont wrote: | University of Missouri sports teams are in the | Southeastern Conference (SEC). Part of me wanted them in | the Big-10 since I identify more as being from the | northern mid-west. Got to follow the $$$. | jeremyjh wrote: | I think it has no more in common with them than other | non-southern red states. | dragonwriter wrote: | > Missouri is not even remotely considered to be in "the | south". | | No, but it is both South-adjacent and is considered to be | largely within the Bible Belt, which is almost exactly | coextensive with the South, except that it excludes parts | of Southern Florida and includes all or part of several | South-adjacent states, so it's not an entirely hard to | understand mistake. | smartscience wrote: | As a species I feel we need a means to overcome this problem | within organizations, and demonstrate convincingly to others | that we have done so. Chernobyl and Fukushima were also both | created by a culture of deference to higher-ups. The anti- | nuclear crowd were wrong about the science, but may have had | a point once you consider human fallibility. | nolson wrote: | > Chernobyl and Fukushima were also both created by a | culture of deference to higher-ups | | Chernobyl suffered from compounding of reactor and test | design flaws and human error. Fukushima suffered from | (retrospectively) insufficient risk assessments, which | resulted in a design meeting a rare event beyond its design | limit sooner than expected.* | | I'm unaware of a human society, in fact any animal society, | where politeness does not involve some degree of deference. | So saying these accidents were caused by a culture of | deference is essentially meaningless without some more | "who, what, why, how" and importantly 'how much' and | 'compared to what'. | | From the IAEA report: "This common mode failure reached a | scale considerably beyond that usually addressed in the | assessment of BDBAs. [ed: beyond design basis accident]".
| https://www-pub.iaea.org/MTCD/Publications/PDF/AdditionalVol...
|
| https://www.coursera.org/lecture/intercultural-communication...
| throwaway0a5e wrote:
| The south sounds exactly like my experience in two fairly non-political (as non-political as government can be) departments of state government that provide non-controversial social services in a state in the northeast.
| vram22 wrote:
| Why?
| mabub24 wrote:
| I think you're under-estimating how much this is just the governor cravenly trying to save face. He's just a spineless politician who is afraid that this "hack" will be used against him. Because the public was notified of the obvious fuck-up in the html, he felt he needed to "respond to their concerns" and is doing so in the only way he understands, or that that group of the public "under attack" understands as well: criminal charges.
|
| He's using the public's fear to try to gain political points by looking "hard on crime".
|
| Obviously, he's stupid. But part of the problem is the public _also think this was a "hack"_. Basic understanding of the web is not apparent amongst an enormous swathe of the public.
| [deleted]
| ladyattis wrote:
| This is why you have tech literate experts to correct you and help you make a decision. Just like how you go to your doctor for help with an illness and get advice for what to do next. This isn't hard to do, it's just not politically powerful messaging. Parson wants to look big and powerful and so he'll just blow smoke up his AG's butt to do something which will quietly be dismissed afterwards with almost zero political cost to him.
| lotsofpulp wrote:
| > I mean someone in the freaking state bureaucratic hierarchy should at least be lucid enough to consult someone who has an actual clue about things as these.
|
| Why are you letting the leader off the hook and charging the underlings for being responsible for something a leader should be responsible for?
| Age of the leader is irrelevant because the leader chose to become a leader.
| dragonwriter wrote:
| Gov. Parson's technical ignorance, such as it may be, is not the source of this. This is a power-oriented political narrative. To the extent it invokes inaccurate explicit or implicit characterizations, that is not because Parson doesn't understand the truth (he may or may not, that's just irrelevant), but because the descriptions and implications serve the desired narrative.
| laserlight wrote:
| Why should age excuse incompetence? If they are incompetent in tech, they should at least know that and shut up.
| prepend wrote:
| I'm guessing it went like this...
|
| Politician: Socials are on the web site, who fucked up?
|
| IT: the web page is encrypted, we didn't fuck up, the hacker decrypted the source
|
| Politician: sounds good to me, no fuckup on our part, let's call the cops and prosecutors
| lotsofpulp wrote:
| Politician [intentionally looking to pass the buck to entities outside their purview and choosing not to research further]: sounds good to me, no fuckup on our part, let's call the cops and prosecutors
| Clubber wrote:
| You have no idea what lengths some state employees will go through to cover their ass and not get fired. It's especially dangerous when cops and prosecutors do it.
| throwaway0a5e wrote:
| Exactly. When you've endured 15yr of this kind of bullshit and enduring five more gets you an extra 10% on your pension you shut the f up and do what's good for you, organization and taxpayers be damned.
|
| Now imagine what this situation teaches all the younger bureaucrats who think they can work hard and make things better.
| duxup wrote:
| Yeah this should be a "get the computers guy in here" moment. Then someone explains and everyone moves on.
| handrous wrote:
| It is my understanding that Parson is not the kind of fellow to give a shit what a state bureaucrat tells him, if it's not what he wants to hear, assuming he'd listen to them in the first place.
| RHSeeger wrote:
| > I don't think I can blame a politician for being technically illiterate, especially one that old.
|
| I certainly can. They have plenty of money to hire staff, and that should include people to make sure they understand the technology that is integral to the everyday lives of their constituents, or at least to push back when they do/say something completely counter to how the world works.
| cantbudgeit wrote:
| If you have an F12 key on your keyboard, you are now a hacker. Bad ass.
| ianhawes wrote:
| If the scenario being proposed is that the reporter publicly searched teachers on the site and then noticed that SSNs were returned in hidden HTML or an endpoint returned it from an API directly, that is a facepalm and they're fine.
|
| If the reporter searched teachers and located (for example) their teacher ID, then discovered an endpoint (from looking at the JS) that took the ID as input and returned an SSN, they have potentially violated the CFAA (as written).
|
| Do I agree that they should be prosecuted? No.
|
| Is the CFAA a terrible law that criminalizes most netsec research? Yes.
| vngzs wrote:
| The EFF will likely take this case. Have the reporters contacted them?
| danso wrote:
| One thing a newspaper has is lawyers (including plenty of places that will do pro bono on 1st Amendment cases)
| JohnTHaller wrote:
| 'Parson said Thursday that he wasn't sure why the reporter accessed the information. He claimed it was part of a "political game by what is supposed to be one of Missouri's news outlets."'
|
| Yes, everything that makes us look bad is part of a conspiracy by the other team. Ignore the facts, please. Pressing CTRL-U is hacking!
| CivBase wrote:
| The weird thing is even if this was a conspiracy to discredit an administration... it's a _really bad one_. Perhaps you could link the security flaw to a budget issue, but I can't imagine something like this seriously affecting a governor's chance for re-election. His response has obviously done more damage than the flaw ever could.
| dr_orpheus wrote:
| "No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages."
|
| They definitely have a different definition of "publicly visible"
| SMAAART wrote:
| "Shoot the messenger" what a great strategy! /-s
| codegeek wrote:
| Of course he would. It is the typical political response these days. Double down on your mistakes and never accept responsibility on your end. So what if a bunch of SSN's were exposed? It was only in "View Source" which is hacking. Come on now. /s
| ball_of_lint wrote:
| Until the US has dramatically clearer and more sane laws around hacking and responsible disclosure our security will not improve.
| gdsdfe wrote:
| Why is it always the dumbest people that are elected to govern?!
| tgdnt wrote:
| This is a matter of job security, the reporter is embarrassing the state and that's Parson's job. Fingers crossed he goes on strike after this.
| dusted wrote:
| hanging the heroes..
| wonderwonder wrote:
| This is what happens now when the media is portrayed as a political actor and everything can be "the other sided".
|
| "political game by what is supposed to be one of Missouri's news outlets." Now they get to ignore any and all responsibility and the governor is seen as standing up to the liberal media. It did not even have to be a big deal, just fix it, say it's been resolved and move on. Everything is gamified and politicized now; to the point they are willing to send someone to jail over their own flaw.
| It's not even about being good leaders and helping citizens, it's just about winning elections and owning the libs or conservatives or your favorite brand of "snowflake". Human decency has left the building. I wish we could go back to business as usual but we have really entered a post truth society.
| didibus wrote:
| I'm not American, just got interested in how their politics devolved to that, and apparently this was an intentional power play which started from republicans:
|
| > "a race to the bottom to see who can be meaner and madder and crazier. It is not enough to be conservative anymore. You have to be vicious." The viciousness doesn't necessarily reside in the individual souls of Republican leaders. It flows from the party's politics, which seeks to delegitimize opponents and institutions, purify the ranks through purges and coups, and agitate followers with visions of apocalypse
|
| I feel this article summarizes it well: https://www.theatlantic.com/ideas/archive/2018/12/how-did-re...
|
| Newt Gingrich seems to be responsible for that more recent attempt at this, and everything happening now seems to be the end game of what he started, though the party seems to have a history of it to some extent.
|
| I know some people might say that the Atlantic is partisan and maybe Democratic leaning (I think?), but personally except for the part where the article seems to say they don't like what the Republican party is making of democracy, everything else seems pretty accurate and factual to me. I'd love to hear counterpoints, like is there anyone who doesn't think this characterizes the Republican party properly?
| jorblumesea wrote:
| Feels like the traditional foundation of US democracy, free press, is being constantly undermined more and more every year. Doing even basic investigative work puts you in the crosshairs of someone.
| stack_framer wrote:
| > Parson said he had referred the matter to the Cole County Prosecutor and has asked the Missouri State Highway Patrol to investigate.
|
| Was this a drive-by "view source"? Why is the highway patrol investigating?
| dragonwriter wrote:
| > Was this a drive-by "view source"? Why is the highway patrol investigating?
|
| In a number of states, the "Highway Patrol" is--either through role expansion, merger with a preexisting State Police, or otherwise--the general-jurisdiction law enforcement agency of the State.
| yingbo wrote:
| The reporter should prosecute the government: not suitable for their jobs.
| WarOnPrivacy wrote:
| Competing with Florida looks weird.
| TigeriusKirk wrote:
| So is this illegal?
|
| I'm not asking if it should or shouldn't be.
|
| I'm asking if it is, with the laws as written and interpreted today.
| atmin wrote:
| Any sufficiently advanced search engine is indistinguishable from hacking.
| e-clinton wrote:
| Someone once took a photo in a hospital waiting room. There was a screen in the photo with a browser window that listed the queue of patients waiting to be seen (first name + last initial). I zoomed into the photo, typed the URL in my home machine and sure enough, the list of patients actively waiting to be seen loaded up.
|
| To make matters worse, incrementing a number in the URL cycled through different hospital waiting rooms.
|
| I emailed the vendor who built the tool about the issue and they responded letting me know that the system worked as it was designed, and that no HIPAA violations existed since there was no full last name.
|
| I meant to make a bigger deal about this, but then got busy.
| JangoSteve wrote:
| So they included the SSNs in the HTML source, and then said the reporter hacked and unencrypted the HTML by reading the non-displayed SSNs in the source.
| That's like taping the SSNs up to the inside of a tinted window and then saying the reporter committed breaking and entering by shining a flashlight on the window.
| mdek wrote:
| From the article, it sounds like nothing even remotely questionable was done by the reporter who found the flaw:
|
| > "According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages."
| unyttigfjelltol wrote:
| Translation: search for a certification on the public website, receive an SSN in response. Only 'hacking' by reporter was to then press 'Ctrl+U' in the browser and read the characters.
| BizarroLand wrote:
| He used the basic reading skills that are taught in every public and private education system in the country to hack us!
| ghayes wrote:
| Imagine if the reporter had used curl...
| ollien wrote:
| Tell me if I'm reading this wrong. I want to be reading this wrong.
|
| Is this saying that when you viewed a certain page (which I assume had only one person's SSN visible, or perhaps other teacher information like names), the "invisible" SSNs were just hidden with `display: none` or similar?
| ihumanable wrote:
| I think what actually happened is that there was a page where you could get information about a particular educator. In the HTML source the server returned for that page private information about *that educator* was included in non-displaying elements.
| ollien wrote:
| Makes sense. Jesus, though.
| adrr wrote:
| Like redacting a public document by making the redacted parts have a black background with black text. If people can't see it, it is secure.
| tomrod wrote:
| Oh that is so bad.
|
| It's events and negligence like this that give credence to credentialing requirements for software engineering.
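The pattern ollien and ihumanable reconstruct above (the full record templated into the page, with the private fields merely hidden by CSS) next to the server-side fix, as an added example that is not code from this thread or from the state's application. The educator record, field names and SSN value are constructed for illustration; the tripwire regex is a deliberately loose 3-2-4 digit pattern meant for a test suite, not a validator. It also makes ghayes's curl point concrete: the check runs on the raw response body, which is what any client receives regardless of what the browser paints or whether dev tools are disabled.

```python
"""
Hidden-in-the-markup data leak, beside its fix and a release-time tripwire.
Everything here is constructed for illustration (names, record, SSN value).
"""
import html
import re

# Constructed sample record. The SSN is a fake, obviously-invalid value.
EDUCATOR = {
    "id": 1001,
    "name": "Pat Example",
    "certification": "Elementary Education (K-6)",
    "ssn": "123-45-6789",
}

# The only fields a public certification-lookup page should ever expose.
PUBLIC_FIELDS = ("id", "name", "certification")


def render_vulnerable(record):
    """The broken pattern: every column of the record is written into the
    page, and 'private' ones are hidden with display:none. Hiding happens in
    the client's renderer; the bytes still leave the server."""
    rows = []
    for key, value in record.items():
        style = "" if key in PUBLIC_FIELDS else ' style="display:none"'
        rows.append(
            f"<tr{style}><td>{html.escape(key)}</td>"
            f"<td>{html.escape(str(value))}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_hardened(record):
    """The fix: project the record onto the public field list on the server
    before templating, so the sensitive value is never part of the response."""
    public = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    rows = [
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in public.items()
    ]
    return "<table>" + "".join(rows) + "</table>"


# Loose SSN-shaped pattern (3-2-4 digits with dashes). Used as a tripwire in
# tests over rendered output; it is not a validator of real SSNs.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_ssn_like(page_html):
    """Scan a raw response body (what View Source, curl or wget would show)
    for SSN-shaped strings. Returns every match so a test can fail loudly."""
    return SSN_RE.findall(page_html)


if __name__ == "__main__":
    # Constructed demonstration: the vulnerable page trips the check, the
    # hardened page does not, even though both "look" the same in a browser.
    print("vulnerable:", find_ssn_like(render_vulnerable(EDUCATOR)))
    print("hardened:  ", find_ssn_like(render_hardened(EDUCATOR)))
```

The design choice worth copying is the projection in `render_hardened`: an allow-list of public fields applied before any template sees the record, so that adding a new sensitive column to the database cannot silently widen what the page emits. The `find_ssn_like` check belongs in CI against rendered fixtures, where it catches the regression that CSS and client-side policy cannot.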
| daviddever23box wrote:
| Imagine if we had credentialing requirements for elected office...
| mywittyname wrote:
| I don't think the issue is that elected officials are dumb. I think it's the opposite, most are quite intelligent. It's more that they are evil/corrupt/self-serving, and acting dumb is part of how they get away with it.
| solveit wrote:
| We do. It's called an election. What you want is credentialing requirements for voting.
| WkndTriathlete wrote:
| I'm pretty sure I want credentialing requirements for anyone running for any public office. I'd settle for automatic exclusion of anyone displaying narcissistic, psychopathic, or sociopathic tendencies and inclusion of rational pragmatists.
| solveit wrote:
| I would also "settle" for picking the people I like.
|
| Also, pretty sure that you have to be at least somewhat narcissistic to think that you should be president, and somewhat sociopathic to actually succeed.
| [deleted]
| A4ET8a8uTh0 wrote:
| And the US used to have them too. The basic approach was that if you have land, you have a stake in the future of the republic. It was debated as to whether the landless would have the same stake.
| dylan604 wrote:
| We've always known that using DevTools was a criminal activity. In fact, the sheer number of people using them places this at criminal conspiracy levels. Better start filing those RICO cases against the browser devs. /s
| alexjplant wrote:
| The US Government has a STIG (Security Technical Implementation Guide [1], a government-proprietary term for "IT policy") that requires that you disable Dev Tools in IE [2], Edge [3] and Chrome [4]. Their justification (from [1]):
|
| > Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used.
| When debugging or trace information is enabled in a production web browser, information about the web browser, such as web browser type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any back-ends being used for data storage may be displayed
|
| I wish I were making this up.
|
| [1] https://en.wikipedia.org/wiki/Security_Technical_Implementat...
|
| [2] https://stigviewer.com/stig/microsoft_internet_explorer_11/2...
|
| [3] https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/fi...
|
| [4] https://www.stigviewer.com/stig/google_chrome_current_window...
| ollien wrote:
| I can think of at least one legitimate reason to block the dev console. There are these posts I've seen over the years that say to "press the hotkey to open the Javascript console, and paste this Javascript blob" (obviously in much more persuading terms) to get a discount on Ray-Bans or something. Disabling it prevents a possible information leak vector.
| alexjplant wrote:
| There's a legitimate reason for doing _almost anything_ - it's a question of likelihood, impact, and knock-on effects.
|
| I can only imagine how much taxpayer money has been set on fire by developers having to debug single-page applications running on these systems without the aid of Dev Tools... these types of material wastages are created in an imperfect attempt to prevent the mere possibility of something that could be more effectively mitigated through training and web content filtering.
| _fat_santa wrote:
| I've never seen one in the wild, thought it would be interesting to see what they want you to paste into the console, probably something to transmit them your session token. I know Facebook has a huge warning about it when you open devtools on their site.
| ollien wrote:
| Yeah - they added that warning because of these precise things.
| I haven't kept one around but I've definitely seen them since I fell for it many, many years ago.
| dylan604 wrote:
| This seems really lazy. Duh, it's gov't, but I'm talking about the attacker. If they can use JS to gather all of that info to display in the console hoping to get a user to read it back to them or whatever, why not just save it all and submit back via ajax?
| codegeek wrote:
| How dare you do "View Source", you hacker.
| jaycroft wrote:
| Counterpoint that might get some attention:
|
| "The Governor is in possession of software on his personal computer that allows him to decrypt the personal details of thousands of constituents who may have voted for or against him."
|
| The "software" being a web browser, of course.
| dylan604 wrote:
| Better hope they only used View Source. Could you imagine the federal crime of using curl or wget to retrieve this data?
| jakelazaroff wrote:
| What's "view source", some kind of hacking instructions? Sounds like you're abetting.
| dylan604 wrote:
| As long as you're not aiding at the same time. Aiding & abetting is a no-no. Aiding OR abetting is not claimed to be an issue.
| amirhirsch wrote:
| you mean Aiding XOR abetting. consider the forum.
| dylan604 wrote:
| why does it have to be exclusive? If both are false, then there's no confusion on making a charge. If only one is true, then someone being lazy might think it matches.
|
| along your lines of considering the forum, wouldn't it need to be aiding && abetting? i don't know how to bitwise compare aiding to abetting.
| tombert wrote:
| I think "view source" is a hacking tool invented by the notorious hacker group "4chan". I say we start a change.org petition to get Google to remove it from Chrome.
| Shared404 wrote:
| I think "view source" was actually invented by the Russians, then leaked by "4chan" - They're an individual, not a group.
|
| You probably got it mixed up with Lunix, _that_ was invented by "4chan".
| tombert wrote:
| Completely tangential, but have you seen LUnix (Little Unix)? It's actually pretty impressive for something on the C64. Full on preemptive multitasking seems pretty impressive for something as little as the Commodore.
|
| https://en.wikipedia.org/wiki/LUnix
| Shared404 wrote:
| I hadn't, but I may be trying to rig that up in an emulator later, that seems awesome!
| tombert wrote:
| I've only played with it a bit, certainly not enough to make any real definitive statements about it, but I think for what it is it's pretty impressive...stuff like that always makes me wonder why Commodore wasn't more successful [1].
|
| [1] I know LUnix didn't come out until 1993, so it would have been too late to save Commodore, and certainly past the C64's prime. It just demonstrates what the C64 was capable of.
| theandrewbailey wrote:
| In all seriousness, considering Google's track record of discontinuing useful services and features, I expect Chrome to drop View Source any release now. It will be a sad day.
| Sebb767 wrote:
| That would also be the day people would have a far harder time optimizing for Chrome. So they'd probably actually help the browser market by doing so.
| dylan604 wrote:
| Who browses the web without the DevTools exposed by default? I don't know how to make the web work without "fixing" web pages before attempting to read them.
| jaywalk wrote:
| Who browses the web _with_ Dev Tools exposed by default? Why do you feel the need to "fix" every web page you look at?
| dylan604 wrote:
| websites attempting to poorly comply with cookie banners and other GDPR regs that block a site from working without accepting something. I just display:none the offending elements and then remove the overflow:hidden. Disabling JS usually works, but sometimes the images in the page are lazy loaded via JS and will not load without.
| jaywalk wrote:
| Here you go: https://chrome.google.com/webstore/detail/super-agent-automa...
| dylan604 wrote:
| Thanks for playing, but I do not use Chrome. Also, I'm a bit perverse in my enjoyment of doing this on my own.
| theandrewbailey wrote:
| FYI, that's not the View Source feature.
| dylan604 wrote:
| No, but it's infinitely more useful. All of those SPAs that have 4 lines of HTML when View Source is used, but the Inspector shows exactly what elements are currently in the DOM that have been loaded by JS. Of course, you're aware of that just like I'm aware of the difference in tools.
| [deleted]
| Buttons840 wrote:
| > you hacker
|
| What a "hacker" is is a matter of definition.
|
| But, the fact is the state was using "encryption" with such a level of security that pressing one button on any computer with a browser is all that is required to defeat it.
| jaycroft wrote:
| And I'll bet even the governor has access to this decryption software - he's got it installed on his phone, even! He must be hacking on the go.
| hoppla wrote:
| Some serious Jedi business going on here
| jjkaczor wrote:
| That's why at my current client, DevTools in the browser is blocked through Group Policy...
|
| /not sarcasm, I wish I was joking...
| jahabrewer wrote:
| Tell me you don't understand computers without telling me you don't understand computers.
| calderarrow wrote:
| Senators too! We must end finstas! https://www.youtube.com/watch?v=TGt1Ukg7q4Y
| mediumdeviation wrote:
| So that quote is actually taken out of context. The Senator knows what finstas are, and is using it to drive a different argument - that Instagram is incentivized to help teenagers bypass parental control https://www.theverge.com/2021/10/1/22704308/finsta-instagram...
|
| > "Finstas are fake Instagram accounts. Finstas are kids' secret second accounts. Finstas often are intended to avoid parents' oversight.
| Basically, Facebook depends on teens for growth," Blumenthal said. "Facebook also knows that nearly every teen in the United States has an Instagram account; it can only add more users as fast as there are new 13-year-olds."
| rory wrote:
| Even with the added context, it's pretty clear he has a very limited grasp on how finstas work. It's reasonable to be concerned about that when he is demanding they be banned.
| psychometry wrote:
| Tell me you're the Republican governor of a deep red regressive shithole state without telling me you're the Republican governor of a deep red regressive shithole state.
| throwaway0a5e wrote:
| Authoritarian blue states do this crap too. This has nothing to do with the set of policy positions on your party's official platform and everything to do with being a totalitarian jerk, a characteristic that abounds among politicians and high level government officials in general across many parties and nations.
| atkailash wrote:
| It's a consequence of having people 80 years old who can barely write an email and still use Internet Explorer on AOL run things. Party is irrelevant in this case for sure
| TimTheTinker wrote:
| Well done. Authoritarianism is alive and well across the political spectrum.
| aynyc wrote:
| Examples?
| NovemberWhiskey wrote:
| Cuomo.
| psychometry wrote:
| That's a person not an example.
| axx0 wrote:
| New York...
| NovemberWhiskey wrote:
| It's both! But e.g. https://www.thecity.nyc/2021/3/11/22326532/tough-guy-cuomos-...
| voidfunc wrote:
| Yea but at least in a decently blue state I expect the jurors in an actual courtroom eventually to side with reason whereas I expect red state jurors to lap up this tough on crime crap like it's mother's milk.
|
| GOP/Red States are the way they are because the people are too stupid for their own good.
| vkou wrote:
| He understands computers, but it's easier for him to blame the press for his government's failings.
| His base laps this sort of thing up.
| giaour wrote:
| Nobody tell the gov how savagely he's being raked over the coals in these comments, or tomorrow's headline will be about a RICO case launched against the hacker collective known as "Hacker News."
| codegeek wrote:
| Someone should tweet this discussion to him or his office. #stopclickingviewsource
| MereInterest wrote:
| Now that they've shot the messenger, I'm sure that everything will be perfectly fine, right?
| exporectomy wrote:
| Worth realizing that a lot of pre-internet systems like bureaucracies and phone networks were full of known and actively exploited vulnerabilities but they relied on obscurity and the law to discourage excessive exploitation so white-hat hacking didn't make sense.
|
| Somebody who's been out of touch for the past 20 years could easily see responsible disclosure as the beginning of an extortion attempt. "I can access your data and I'll publish sensitive information about it in 30 days." sounds like it's about to be followed up with "...unless you send me a pile of money in unmarked bills".
| heavymark wrote:
| "In a press release Wednesday, the Office of Administration Information Technology Services Division said that through a multi-step process, a "hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators." Ha, or summarized: a user clicked "View Source" in their browser. Well I guess the first of the multi-step process is opening said browser.
| cortesoft wrote:
| I mean, everything is a multistep process if you are pedantic enough.
| jonnycomputer wrote:
| The governor is making a fool of himself.
| mindcrime wrote:
| I try to be an optimistic person, I really do.
| I try to remind myself that the sky isn't literally falling, and that the world is a more generally pleasant and peaceful place today than what it has been throughout much of history.
|
| But.
|
| Every time I see something like this, it just about drains my spirit to nothingness. I want to embrace nihilism and just quit giving a fuck about anything or anybody when I see stupidity on this level, and displayed by somebody who managed to get elected governor of a %@%#ng US state. It really is hard sometimes, to not just withdraw into a shell of isolation and decide "fuck it, this world is too damned stupid for me to bother with."
|
| I don't _like_ feeling that way mind you, and I actively try to fight the urge to give in to that kind of thinking, but it seems to get harder and harder with every passing year. Am I weird in this regard, or are other people experiencing this as well?
| natechols wrote:
| Read more history! (Especially read what the Wilson administration did to the Socialists - the origin of the phrase "yelling fire in a crowded theater." Many of us would riot if this happened today.) Stories like this have been happening since long before I was born, and will continue to happen long after I die, because voters will continue to elect stupid people some fraction of the time. The correct response isn't nihilism, but constant vigilance, and constant shaming of elected officials who abuse their powers.
| mindcrime wrote:
| _The correct response isn't nihilism, but constant vigilance, and constant shaming of elected officials who abuse their powers._
|
| I want to believe that, but after watching the Trump administration and how people seemed to embrace him more and more despite his continuing shameful acts, it's just hard to sustain belief that this all leads anywhere.
|
| Sorry guys, not trying to be Debbie Downer here. I guess I'm just in a shitty mood today for some reason.
| saruken wrote:
| > it's just hard to sustain belief that this all leads anywhere
|
| I'm with you 100%. I don't want to be there, but there I am. And sometimes it all feels utterly pointless - civilization, the human endeavour, everything. My particular slippery slope goes like this:
| Humanity is going to waste the one-time gift of fossil fuel accreting the already-grotesque hoards of a few hundred individuals. Then these people will die, nothing will have been gained on the whole, and instead of infrastructure which we could have used to pivot to some recognizable future, our descendants will be left with nothing but unrest and some variety of ecological hot potato. And then we will all die out or revert to a pre-technological state, and either way all the gains of science and human ingenuity will be lost.
|
| Is that how yours goes too?
|
| I don't know what to do about all that, but usually I can convince myself that working on some tiny project to help things _not go that way_ is a worthwhile effort. And of course it's pretty much all I can do.
|
| Also here are a couple quotes that help me get out of such perspective ruts:
|
| * "Even though I'm always in pain, it's worth sticking around to make my corner of the world a slightly better place." -Ricky Gervais' character from After Life
|
| * "I cringe at my arrogance. Actually, cringing at my arrogance is just another, more rarified, level of arrogance." -Alison Bechdel
|
| * "Goodness: You got to make it out of badness. Because there isn't anything else to make it out of." -Robert Penn Warren
| NoGravitas wrote:
| Yeah, even leaving aside the T-word; there's a broad swath of the US population who are willing to believe anything that is expected of them by their chosen authorities (mainstream Democrats are as guilty of this as Republicans, they just chose different authority figures). Sometimes, insanity is the only sane response to an insane world.
| somebehemoth wrote:
| > Democrats are as guilty as Republicans
|
| No they aren't. Not even remotely close. I'm exhausted by "both sides". "Both sides" arguments cause apathy in people because what is even the point in voting if, "both sides".
| MangezBien wrote:
| The politicization of COVID was the final straw for me. I have no more faith in humans in a collective sense. I don't see how we can expect democracy to work when people are willfully ignorant of their world and unwilling to do the work to learn.
| heavyset_go wrote:
| I wouldn't say this is the result of stupidity. This is the result of a governor riling up his base by attacking the press.
| jonas21 wrote:
| > _It really is hard sometimes, to not just withdraw into a shell of isolation and decide "fuck it, this world is too damned stupid for me to bother with."_
|
| In moderation, I think this is actually the correct response. Unless you live in Missouri, who cares what stupid things the Governor of Missouri says?
|
| In a previous era, you never would have heard about this story at all. It's just a politician in a minor state trying to score some political points. It's very unlikely they'll actually charge the reporter with anything, much less convince a jury to convict.
|
| In today's connected world, it's easy to get news from anywhere at anytime and be outraged. Sometimes you just have to ignore it for your own sanity.
| tshaddox wrote:
| > Unless you live in Missouri, who cares what stupid things the Governor of Missouri says?
|
| Because that person literally rules over millions of people, the overwhelming majority of which didn't vote for him (1.7m votes out of the 6.1m population). Right now he is literally threatening state violence against a reporter for looking at a government website that accidentally leaked personal information.
| dghlsakjg wrote:
| Grandstanding politicians are one thing.
| | Getting a prosecutor to risk their career on prosecuting a | journalist for politics is quite a bit more difficult. | Journalists are well aware of their rights, and have | lawyers between them and law enforcement. | | I think it's dumb, but as a former photojournalist who had a | very large oil company (Halliburton) use a very small police | department to come after me for trespassing, I can assure | you that the newsroom is NOT scared right now. | decebalus1 wrote: | Welcome to the club. The tipping point for me was the | politicization of Covid. | merpnderp wrote: | It isn't stupidity. Government officials know this kind of | thing will ultimately be a loser for them. But they know the | mere threat of putting someone through the process of | prosecution is punishment enough. | | This is what we need to work on correcting. If a judge laughs | your case out of court, there should be a severe penalty, | especially if you're the government. | hn_throwaway_99 wrote: | > It isn't stupidity. | | Hard disagree. If you're arguing that it's malice, and not | stupidity, on the part of governor and others that put out | this nonsense, then at least they are surely depending on the | stupidity of their constituents at large for not laughing | them out of office. | | And to be clear, I'm not _at all_ taking the position that | people who don't have a deep depth of technology are stupid. | But pretty much everyone in the US knows how to use a web | browser these days, and believing people will buy the | governor's completely lobotomized argument [1] is totally | embarrassing, either for the governor or his constituents | that elected him. | | 1. https://twitter.com/GovParsonMO/status/1448750830857904129 | n8cpdx wrote: | I'm with you. It is really hard. First big wake up call was | Brexit and the election of DJT. Are my countrymen really | willing to shit on dedicated public servants and throw away the | foundation of our remarkably safe and prosperous world? 
Sadly, | yes, and the Europeans are just as eager; madness everywhere. | | I stepped out of public engagement for a while, then moved to | Portland when I was ready to get back in. That was a whole new | lesson: the lefty/progressive types are just as bad at | governing. And the leftist/progressive voters are just as | likely as the right to treat politics like a team sport. | Portland is more dangerous for black people than Chicago now | #BlackLivesMatter. Developers keep pulling out of affordable | housing developments because of planning bullshit, and the city | thinks it's a good idea to mandate that contractors be women | owned. Meanwhile, thousands are sleeping rough. | | The politicians are awful, but in a democracy, the fault for | that lies 100% with the people. Elected office, like next-door, | doesn't make people bad; it simply reflects the rotten core of | 21st century civil society. | | Absolutely maddening is the lack of interest in concrete policy | or actually using data to analyze changes and measure success. | | I think I'm about ready to stop caring and have a nice life | while my species hurtles towards the great filter. Life and the | universe are meaningless anyway. | what_is_orcas wrote: | > The politicians are awful, but in a democracy, the fault | for that lies 100% with the people. | | Yes and no. Yes in that the politicians are selected from | people they represent (in theory), but also no in that once a | person becomes a politician, their incentives change and they | are no longer representing the people that elected them. | | Further, once in power, the systems can be "rigged" into | maintaining that power (gerrymandering is an example of | this). DJT couldn't become King of America without first | becoming president. Once he became president, though, he | definitely tried to rig the system to make him, effectively, | King of America. 
| mullingitover wrote: | > The politicians are awful, but in a democracy, the fault | for that lies 100% with the people. | | Democracy is a convenient way for the ruling class to hand- | pick the people who are allowed to run for office and blame | the voters for any bad results. There's research showing that | there's very little correlation between the policy goals of | the voting public and policy outcomes, but there's a strong | correlation between policy goals of the ruling class and | policy outcomes. | nonesuchluck wrote: | Why is everyone here acting like the governor is merely stupid? | He is not arguing from ignorance, he is arguing in bad faith. | Mike Parson wants to feed the narrative that the American free | press is the "enemy of the people" because it suits his politics, | nothing more. | | The only message here is "be careful embarrassing fascists." | SamPatt wrote: | Nearly all politicians act like this when they're in power. The | general public is easily misled. | | HN notices it when it's a tech issue, but it happens in | economics, medicine, basically everywhere. They have zero | incentives to accept responsibility. | jeremyjh wrote: | Nearly all politicians prosecute reporters? No, I'm pretty | sure that is just the fascists. | SamPatt wrote: | Substitute whistleblower for reporter and yes, nearly all | politicians will use the criminal justice system to silence | their critics. | | Was Obama a fascist? I have no desire to engage in | whataboutism, they all show their true colors when they're | in power and shown corrupt or incompetent. | jeremyjh wrote: | >I have no desire to engage in whataboutism | | Then don't. | | I think Snowden should be pardoned and considered a | national hero, but he unquestionably committed a very | serious crime. There was no crime committed in the State | of Missouri on this matter. | kmlx wrote: | > pretty sure that is just the fascists. 
| | i'm not from the US, but is it common in the US to use | these kinds of accusations? seems ultra far fetched. | cowpig wrote: | I used to recoil at these kinds of statements until I saw | what the Trump administration was doing. | | It's not an exaggeration. Stephen Miller, Steve Bannon, | Richard Spencer, all these people in Trump's inner circle | are self-described "alt-right," "white nationalist," or | some other euphemism for ethno-fascist. | | Racism and fascism in the US are very real, serious | problems, and have become synonymous with the Republican | party. | | edit, here is a link or two: | | https://www.vanityfair.com/news/2017/05/stephen-miller- | duke-... | | https://www.npr.org/2019/11/26/783047584/leaked-emails- | fuel-... | mbg721 wrote: | Just think how much trouble we would have saved if only | we'd been able to call Mussolini a Fascist in the 30s. | Dylan16807 wrote: | Is prosecuting reporters not, like, _definitionally_ | fascist? | jeremyjh wrote: | Right, you don't need any other supporting information | and you don't have to bring political parties into it. If | a politician is prosecuting a reporter for embarrassing | the state - not for committing a crime - they are a | fascist. | kmlx wrote: | i don't think either of you is correct. there are many | tenets of fascism, and prosecuting (or straight up | imprisoning) journalists is a common occurrence in | socialist and capitalist countries. by your definition a | lot of capitalist and socialist countries around the | world are fascist, which is false. | [deleted] | ModernMech wrote: | I don't think they meant to imply that _all_ people who | imprison reporters are definitionally fascist, but that | fascists definitely imprison reporters as a matter of | course. The claim was that accusing someone of | imprisoning reporters of being fascist is "ultra far | fetched". 
But if imprisoning reporters is something that | fascists are wont to do, then it doesn't seem to me that | questioning if these people are fascist is "ultra far | fetched". You could also want to know if they were | socialists if that's the thing you believe socialists do. | SamPatt wrote: | Yes. Most online discourse about politics will eventually | have someone claim fascism or make a Hitler reference. | | If you aren't among one of the two sides it can be | humorous to watch at times. | lloydgrossman wrote: | and there's the 3rd response: the enlightened centrist. | stronglikedan wrote: | From the extremists, yes, it is common. The "other" | side's elected officials are nearly always labelled | "fascists". However, the majority of the electorate is | smart enough to recognize that it's just a failed appeal | to emotion, and nothing more. (except maybe exhausting) | dylan604 wrote: | Because of HN no-politics type of policy, the only time HN | can get riled up is when the politics involve tech. It's not | that HN readers have no interest in these other topics. | There's limitations on what the man will allow you to discuss | about the other man. Hi dang!!! | philote wrote: | I wonder if he's trying to "control the narrative" in the hopes | that he (or the state) isn't sued for releasing private | teachers' data to the public. | dreamcompiler wrote: | One time I walked down a little-used alley and noticed my | neighbor had left his garage door open. The open door was not | visible from the street but anyone who happened to walk down the | alley would have seen it. I called the neighbor to tell him he | might want to close his garage door. He accused me of burglary | and called the cops. | | No this didn't actually happen but it's the analogy that came to | mind. | [deleted] | unethical_ban wrote: | I wish that a conservative outlet would call the governor out. 
I | feel like a thousand articles from Wired, NPR, the New York | Times, and the founder of the WWW could all describe in | wonderful, simple terms how bombastic and willfully ignorant and | hostile this action is, and it would be construed as partisan. | croes wrote: | Something similar happened in Germany. A programmer found a bug | in his customer's shop system, he disclosed the bug to the shop | provider and they reported him, there was a house search at his | company and his computers were confiscated. | matt123456789 wrote: | Recently, I had to submit a bunch of information (name, address, | DOB) into a Google Forms page in order to request a COVID-19 | vaccine CDC card from my state's health department. This Google | Form was run by a contractor for the state's health department | and was misconfigured to allow viewing all previous responses | after submitting. One click on "view previous responses" on the | post-submission Google Forms page and you can view everyone | else's names, addresses, DOBs, and information like which vaccine | they received and in what arm. | | I almost didn't report it, since the kind of shit as described in | the link above gets reported so regularly. But I did, and it got | fixed quickly. Now I'm just sat here hoping I don't get served a | lawsuit next week by some idiot hoping to cover their ass and | make me out to be some kind of malicious actor. (Advice | welcome...) | rbanffy wrote: | I can't wait for the time politicians will be people with at | least a rudimentary grasp on modern technology. | DeWilde wrote: | I wonder what his reaction will be when people start hacking the | state's websites and outright leaking stuff to just spite him. | | Dumb move on his part. 
| jpmattia wrote: | > _No private information was publicly visible, but teacher | Social Security numbers were contained in HTML source code of the | pages._ | | If it was in the HTML source code, then it was publicly visible, | so it is unclear what the article is trying to say. | Isthatablackgsd wrote: | Every browser has access to the HTML source, even if it is merely | a right click here and there. If the SSN is in the HTML source, | then the blame should be on the webmaster who designed that | code. Of course, accountability is not part of their tenet, it | is too foreign for them. | | And look at the age of the governor, clearly shows that he is | inept with the fundamental of the internet. | | I forgot to add one more thing. Did they not realize that there | are scrappers who will scrap every bit of information of | everything including the HTML code. I wonder how much | scammers/ID theft scrapped the data before this come to light? | dragonwriter wrote: | > the blame should be on the webmaster who designed that | code. | | "Webmasters", where they exist at all anymore, tend not to | "design code". | | > Did they not realize that there are scrappers who will | scrap every bit of information of everything including the | HTML code. I | | "...scrapers who scrape..." should be the concern here, not | "...scrappers who scrap..." | | > And look at the age of the governor, clearly shows that he | is inept with the fundamental of the internet. | | Gov. Parsons is 12 years younger than Vint Cerf and the same | age as Sir Tim Berners-Lee. | cafard wrote: | Mike Parson is twenty-two days older than I am. I've been | using View Source for a lot longer than twenty-two days. | retrac wrote: | I don't understand the age excuse, honestly. My mother is | about the same age. She is not technical, but she has used | computers for the last 30+ years. Just like any other | white collar worker. 
She would have wrangled with WordPerfect | control codes to format insurance quotes in the 80s. Document | markup (and stuff hidden in the markup) is not esoteric | knowledge, or I wouldn't think it is. Except apparently it | is. | AlexCoventry wrote: | Perhaps opening and reading HTML source code is widely viewed | as an esoteric skill. | coldacid wrote: | Given that other recent article about university students who | don't know what files are, I wouldn't be surprised in the | slightest if this is considered esoteric. | eloisius wrote: | To laypersons HTML comments or display:none is invisible. But I | agree, this is like a blast from the 90's when View Source was | leet hacking. | rossdavidh wrote: | The usefulness of having state legislators from a variety of | backgrounds: | | Republican state Rep. Tony Lovasco, who according to his | legislative biography has worked in software deployment and | maintenance, tweeted Thursday that "it's clear the Governor's | Office has a fundamental misunderstanding of both web technology | and industry standard procedures for reporting security | vulnerabilities. | | "Journalists responsibly sounding an alarm on data privacy is not | criminal hacking," he said. | 1270018080 wrote: | I'm from Missouri, this might be the first embarrassment many of | you have seen from him, but there have been a lot more prior. Truly | not a good look for the state that this guy got reelected. | tgdnt wrote: | Same here. And don't look up how he first came upon the job | either. | C19is20 wrote: | ...spare me the anxiety. Got a link or something? | diego_sandoval wrote: | This article reminded me that I had to report a data leak I found | on an ecommerce website from my country some months ago, so I | just did that. I reported it to a government agency responsible | for cybersecurity in my country, which apparently accepts reports | about private companies. 
| | Any precautions that you recommend when reporting this kind of | vulnerability/data leak? (Apart from "do not access other | people's data if you can avoid it") | akomtu wrote: | Helping authorities with such matters is like feeding alligators: | they'll bite you if they can and they won't be grateful. | FpUser wrote: | So when do we start prosecuting for malicious prosecution and | gross incompetence? | avgDev wrote: | Seriously, the government should have experts on hand who can | translate tech into concepts they can understand. This is | unacceptable. | | Imagine HTML is a TV in a Social Security office. The way the | storage of SS numbers was designed, is that they are hidden in a | backroom, however, anyone can come into the office and scream a | person's name to view all the information on the screen. The flaw | is clearly in the system. | | I found flaws in Costco's system before, I guess I should be in | prison for letting them know and saving them thousands of | dollars. | tigerwager wrote: | The state's Chief Information Security Officer left the post on | Friday https://www.govtech.com/workforce/missouri-ciso-stephen- | meye... didn't see anyone mention that elsewhere in relation to | this story. | | getting a 403 here without a vpn, but | https://cybersecurity.mo.gov/ doesn't look like it's been | updated since 2018 The last CISO left in 2018 (~3months after | the current governor took office), and the current ciso was | appointed by interim then | https://www.govtech.com/blogs/lohrmann-on-cybersecurity/miss... | [deleted] | [deleted] | dbish wrote: | Yet another example of how political leaders are completely out | of the loop on all things tech. Software is such a large part of | the world nowadays that we need to change this or the US is going | to have even more issues going forward. 
I don't think the current | parties are amenable to making changes and bringing in tech-savvy | people anymore, and I firmly believe the only way forward is | going to be to find a way to create a new party that can get | traction at the grassroots level that is tech-forward and led by | people who aren't career politicians/lawyers. The two party | system makes this very hard though. | TrispusAttucks wrote: | [1] Parson commits $50M to investigate alleged hack of Missouri | educator database. Includes video press conference by Parson | himself. | | [1] https://fox2now.com/news/missouri/missouri-education- | departm... | jjkaczor wrote: | $50m? Wouldn't that be better spent on the actual education | system and educators itself? | | Talk about corruption - spending taxpayer money to cover up | mistakes made by government employees - AND libellous | statements made by government officials... | TrispusAttucks wrote: | Maybe with $50M they could fix the website flaw. | Wistar wrote: | I notice a "Suggest Corrections" button at the bottom of that | article. Perhaps a suggestion that the Governor's entire story | is a load of crap? | alexfromapex wrote: | Is this how the Governor saves face? | DeWilde wrote: | Tweet from the governor: "Through a multi-step process, an | individual took the records of at least three educators, decoded | the HTML source code, and viewed the SSN of those specific | educators." | | > Through a multi-step process > decoded the HTML source code | | Somebody has been watching B-list hacker movies. | mminer237 wrote: | Step one: Press Ctrl | | Step two: Press U | suzzer99 wrote: | 1. Click View in menu bar | | 2. Hover over developer menu item | | 3. Click View Source | | Three-step process - even more nefarious! | bastardoperator wrote: | Y'all are going to prison now, I hope it was worth it! 
=] | mullingitover wrote: | It's only a matter of time before the inevitable class action | lawsuit settles the question of culpability for this breach and | assigns it 100% to the state. The teachers are going to get at | minimum state-sponsored credit protection services for a few | years, and the governor is going to get some egg on his face | since it was his employees who created this breach. | | I honestly pity him a bit, because he has no clue about any of | the technical details, but on the bright side he's about to get a | crash course. | | I have to wonder what he's thinking, though, with the brazen | slander. He must have some very deep pockets. | wnevets wrote: | Right Click -> View Source is now a multistep hacking process | according to this man. | ripe wrote: | As a hobby, I have been writing little explainers for non- | technical people on my blog. I wrote one for this particular | incident: | | https://www.robotsinplainenglish.com/e/2021-10-14-blame-sham... | | I hope HN readers will (gently) correct any mistakes or provide | clarifications to make it better. Thanks! ___________________________________________________________________ (page generated 2021-10-14 23:00 UTC)