[HN Gopher] Missouri Governor Vows to Prosecute St. Louis Post-D...
___________________________________________________________________
Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting
Author : picture
Score : 444 points
Date : 2021-10-14 17:50 UTC (5 hours ago)
Link : krebsonsecurity.com
| justinzollars wrote:
| flagged as duplicate @dang
| giaour wrote:
| > there was no option to decode Social Security numbers for all
| educators in the system all at once
|
| Sure, but this was an application where you could search for any
| licensed educator and get their social security number in the
| response. This is about as bad a PII leak as can happen to a
| state government.
| YeBanKo wrote:
| They gave notice and waited until the offending pages were taken
| down. The article does not specify what the original html looked
| like; it could be a simple artifact from testing, when someone
| dumped the entire object into a template for debugging, or maybe
| they actually were using this as a sort of a data field and then
| used it, for example, in a js call to the server.
|
| But the response from the AG shows they have no idea how the
| internet works: "They had no authorization to convert or decode,
| so this was clearly a hack."
|
| Bigger questions: Who developed the system? Was it a contractor
| or in-house? If it was a contractor, are they gonna lose
| government contracts? Because it sounds like they should. If it
| was in-house, are they gonna get training or some procedure in
| place to audit things going forward?
| rndmind wrote:
| This type of response by a high-level public official is not
| excusable in 2021. Maybe in 2005 or 2010, but it's 2021 now.
| snicker7 wrote:
| Apparently, the SSNs were all embedded directly in the HTML file.
| Like ... what?
| Bluecobra wrote:
| When I was a student at DeVry University (a national for-profit
| college with 40 campuses) your SSN was your student ID.
This | wasn't corrected until 2002 or 2003. :( | xxpor wrote: | This was common at many schools. | tmm wrote: | My high school rolled out an ID system in 1998 using SSNs | printed on every ID (staff and students). About a week | later, they realized this was a bad idea and reissued 1000+ | IDs without the SSN. | | I still don't know what the point of the ID cards was. They | were just laminated paper, no RFID, magstripe, or barcode | to open doors or to buy things from the cafeteria or school | store. You didn't need it to check out books from the | library and no one ever asked to see it. And we got a new | one every year. | | I guess some vendor convinced the school that they needed | ID cards and so they got them. | qorrect wrote: | Irving Campus ? I was there for those years. | nostrademons wrote: | Your SSN was your driver's license number in 29 states until | 2004, when Bush outlawed the practice. | | Many, many institutions in the USA are built on it being a | high-trust society. Now that it's falling into a low-trust | state, we can expect those institutions to fail, and perhaps | the state to as well. | not2b wrote: | Kind of a nitpick, but presidents don't outlaw things. Laws | passed by Congress do that, and you're right, it was in | 2004. Bush signed the law, but it passed by a huge | majority. | | https://www.ssa.gov/legislation/legis_bulletin_010705.html | nostrademons wrote: | I'd initially phrased it "Bush signed a bill that | outlawed...", which is much more correct, but is also an | awkward sentence construction to read. Figured people | would understand what I meant. | | ...this is also an apropos discussion for this topic, | where the Missouri governor is framing this discussion in | a way that's technically false but is going to score | points with his constituents. | Infernal wrote: | > Many, many institutions in the USA are built on it being | a high-trust society. 
Now that it's falling into a low-trust state, we can expect those
| institutions to fail, and perhaps the state to as well.
|
| Not enough people understand this, but I'm encouraged
| whenever I hear from those who do.
| jkepler wrote:
| This raises the question of how we start planning now to
| build more appropriate institutions to avoid societal
| failure.
| handrous wrote:
| They weren't supposed to be used as any kind of important,
| general ID number. It took various governments and
| institutions a long time to wake up to the reality that,
| because we _really, really_ need such an ID and the
| government has displayed no intention of ever creating one,
| social security numbers had been forced into the role by
| necessity.
| alexjplant wrote:
| If they were using a server-side rendering framework then what
| probably happened is that they used HTML comments instead of
| template engine comments to "remove" the SSN <td />s without
| understanding the ramifications.
| plainnoodles wrote:
| </tr><!--- {{ str(row) }} --->
|
| I don't find it TOO much of a stretch....
|
| (I don't know what it actually looked like in the html, just
| saying I could see it happening pretty easily)
| tomrod wrote:
| Dupe
|
| Seriously though, it deserves to be said again. The website
| operators are negligent, IMO.
| diegorbaquero wrote:
| _Missouri Gov. Mike Parson (R) said fixing the flaw could cost
| the state $50 million_
|
| Talk about a waste of resources.
| newsbinator wrote:
| I mean it wouldn't be a weekend fix because it'll have to
| involve an audit of all existing systems to identify where else
| similar tomfoolery occurred.
|
| But 50 million is a high estimate.
| nerdawson wrote:
| 30 minutes removing a piece of output: $100
|
| Knowing where sed output is generated: $49.9999M
| nofinator wrote:
| > Knowing where sed output is generated
|
| Is the use of "sed" intentional or a typo? Either way, I
| love it.
| a785236 wrote:
| A minor but important correction.
Krebs wrote that the Gov | claimed that "fixing the flaw could cost the state $50 | million." That's not quite right. In the press conference | linked in Kreb's post, the Governor actually claims that the | "incident alone may cost Missouri taxpayers up to $50 million." | I'd guess this number includes an estimate for the legal cost | of dealing with the data breach plus any statutory penalties | the state might incur (plus a grossly inflated price for fixing | the bug). | tinco wrote: | It's a disgrace the agency who produced this website is not | liable for this substandard quality. | | How crazy is it that code like this is deployed to production | and then the customer has to pay 50 million to get it up to | standards? The senator should be ashamed they are being scammed | like this. | willcipriano wrote: | Remove SSN field from DTO - 49 million | | Invoice Fee - 1 million | | Not bad for -1 lines of code. | christophilus wrote: | > fixing the flaw could cost the state $50 million | | It's hard to imagine the kind of contorted bureaucracy that | could turn such a fix into a $50 million change request, and | yet, I wouldn't be surprised at all if it did cost that much. | miohtama wrote: | Governor's cousin need to eat, too. | elliekelly wrote: | I would absolutely _love_ to know who provided that estimate | and how they arrived at that number. I understand that issues | are often far more complex than they appear but this just seems | ridiculous. | handrous wrote: | Turns out a bunch of other systems _rely on_ this bug to | fetch information, and no-one 's entirely sure where they | are, who's responsible for them, or what they do. Also the | page is auto-generated though some arcane CMS such that it's | really hard to figure out how to get the data off that page | while keeping it other places where it needs to be, without | restructuring the whole thing. 
Also deployment is manual and | you'll need to go back and forth with some unrelated | department for months to make it happen. Also there's no | testing environment, no information about how to get it | running--let alone any useful scripts or config/deployment | management--is in the repo or otherwise available at all, and | there are no tests. And it's all written in an unholy | combination of ASP.NET and Java server pages. And the | "database" is a standards-nonconforming CSV. | | (pure speculation) | tppiotrowski wrote: | Cheap solution: put a proxy in front like | Cloudworker/Lambda and modify the HTML before it gets sent | to client. | kizer wrote: | I know right. An immediate fix shouldn't cost anything, | right? Just don't send social security numbers to the | browser. | comeonseriously wrote: | What are the odds it will be going to someone he knows? | cure wrote: | I could totally fix it for $49 million. /s | vjust wrote: | Contractors in Missouri must be drooling in anticipation. | _3u10 wrote: | This is a race to the bottom and why tech workers need to | unionize. Soon someone could be fixing it for a measly $1 | million. /s | ficklepickle wrote: | I wonder if the page in question is cached in the internet | archive. | LordAtlas wrote: | Dupe: https://news.ycombinator.com/item?id=28866805 | aaroninsf wrote: | I understand the mistake of being born in MO. I understand the | mistake of settling there long ago. | | I have minimal sympathy for those who have chosen to stay | recently. | | I have contempt for those who would move there now, or seek out | business there. | zzzeek wrote: | > "And then to react in this way where you don't say 'thank you' | but actually turn on the reporter and researchers and go after | them...it's just weird." | | it's not "weird", it's an elected official trying to deflect from | being exposed as completely endangering the PII of state | employees. 
while trying to bring charges here is ridiculous, it | might not be the case in a few years as we watch the continued | crumbling of institutions, where bad faith arguments made up on | the fly by anyone in power become excuses to do anything. like | trying to extort the government of Ukraine to work on behalf of | the official's personal reelection campaign, for example. | CivBase wrote: | It's kind of weird. After all, it's not like the governor is | directly responsible for the flaw. Even if his opposition could | have indirectly linked his administration to the flaw, his | response has certainly done far more damage to his reputation | than that ever could. | weatherlight wrote: | Most likely voters don't understand how computers work. I'm | not sure it'll matter much. | not2b wrote: | For more complex cases this could be an issue, but this one | is dead simple: you could do "view source" and see | teachers' social security numbers. If they go to trial this | case will be laughed out of court. | treeman79 wrote: | I'm fairly sure he doesn't understand. Language used makes | it sounds he has no clue how html works. | | Back in 90s, I was constantly being accused of hacking | things just for knowing how to build a website. This was | also the era of when the news would run phone polls on | whether the Internet should be allowed or not. | | I learn to keep my mouth shut about what I could do unless | I was sure it was a tech savvy crowd. | | This dude brings back a lot of those memories | bee_rider wrote: | > This was also the era of when the news would run phone | polls on whether the Internet should be allowed or not. | | Given the way things are going, perhaps we should revisit | this decision. It seems that there's a population that | isn't quite ready for this level of access to | [mis]information. | handrous wrote: | > This was also the era of when the news would run phone | polls on whether the Internet should be allowed or not. 
| | Clearly, people answered those polls incorrectly. | | It should definitely not be allowed. | denton-scratch wrote: | I agree. Only elites should be allowed to use stuff like | LSD, computers and the internet. This can be arranged | simply by criminalising it; along with a social | convention that elites don't get prosecuted. /s | handrous wrote: | No, no, no. More LSD. Less Internet. | EtherTyper wrote: | I still think the governor can be seen as indirectly | responsible, since this is a result of insufficient security | auditing. | EtherTyper wrote: | Right, or allegedly trying to extort the government of Ukraine | to end an investigation against the official's relatives. | Corruption on all sides unfortunately. | [deleted] | [deleted] | [deleted] | dkarl wrote: | I wouldn't be surprised if the governor acted more because he | sensed an opportunity than out of fear of the story. By playing | the story this way, he gets to act out the feelings of a | constituency that feels judged by educated urbanites and unable | to keep up with a changing world. He is standing up for the | honor of Missouri against the sneering condescension of the | fancy city reporter. From that point of view, he isn't dealing | with a threat so much as feasting on a political opportunity. | tibbydudeza wrote: | It is like pipes. | dylan604 wrote: | or tubes | masswerk wrote: | Is this the beginning of the War on Developer Tools? | austincheney wrote: | Not likely. More likely the start of law suits against | information technology owners who provide insecure access and | threaten people. | busymom0 wrote: | > fixing the flaw could cost the state $50 million | | Ummmmm how does something need that much money for a bug fix??? | Bilal_io wrote: | I'd be happy to fix it for half. | PennRobotics wrote: | https://news.ycombinator.com/item?id=28866805 | Gunax wrote: | This is exactly what happened to weev. 
He found that information
| that was intended to be private was made publicly available by
| AT&T.
|
| Weev went to prison for typing in URLs that he should not have.
| They were criminal URLs, just like these.
| mikeyouse wrote:
| Kind of... The AT&T data wasn't public. Weev & Co. had to build
| a script to generate plausible ICCIDs, which they then
| 'challenged' the AT&T servers with in a URL containing the
| ICCID. If it was a valid iPad ICCID and registered with AT&T,
| the server would reply with the email address registered to it.
|
| That seems materially different to just F12ing a website and
| seeing plaintext Social Security numbers.
| Infernal wrote:
| > "hacker took the records of at least three educators, decoded
| the HTML source code, and viewed the social security number of
| those specific educators."
|
| There's so much wrong here - am I to understand that if the state
| sends you SSNs in plaintext and you read them, _you're_ at fault?
| mike_d wrote:
| > if the state sends you SSNs in plaintext
|
| No no no. It was decoded from HTML, a process so complex Chrome
| is able to consume an entire modern desktop computer doing so.
| prepend wrote:
| Only if you decode the plaintext with your eyes.
| kizer wrote:
| I think the governor ought to resign. He's taking something that
| is, ultimately, HIS fault and trying to pin it, of course, on "the
| media". The SSN numbers were in the page; they were in the source
| code. "View source" is not decrypting a webpage. God, I know he
| just has no technical understanding but even then he should be
| smart enough to get the details and realize they weren't
| "hacked". This person clearly doesn't understand what a free
| press is --- they could have legally run the story without even
| alerting the state agency, but they did the right thing and this
| idiot governor is still trying to deflect blame.
| c-swa wrote:
| As a citizen of the pitiful state, we tried to vote him out
| last election cycle.
He wasn't even elected before this, | something along the lines of Nixon's transfer of power to Ford | is what happened in my state. | | Yet he was re-elected. | mgamache wrote: | This is embarrassing, so lets pretend it's a crime for the | reporter to report the truth. This tactic might work for the NSA, | but I hope it doesn't work here. | [deleted] | throwawaymanbot wrote: | a little odd to have this stance No? Its almost as if hes | punishing the reporter for the discovery .. which makes me wonder | was it being siphoned politically beforehand and hes trying to | direct the story away from whoever may have been siphoning it..to | the false story of ... the reporter discovering the siphoning. | kyleblarson wrote: | This reminds me of the US senator demanding that FB commit to | ending 'finsta'. He clearly had no idea what that term means. | https://www.youtube.com/watch?v=TGt1Ukg7q4Y | afrcnc wrote: | duplicate: https://news.ycombinator.com/item?id=28866805 | theunraveler wrote: | $50m to fix? Seems a little ridiculous... | WarOnPrivacy wrote: | _Missouri Gov. Mike Parson (R) .. vowed his administration would | seek to prosecute and investigate .. anyone who aided the | publication in its "attempt to embarrass the state and sell | headlines for their news outlet."_ | | Embarrassing governments is the natural outcome of the press | doing it's job. This is what the extra constitutional protections | are for. | tshaddox wrote: | And suppressing opposition is the natural outcome of the | government doing its job. The problem isn't whether one group | or another is "doing its natural job." The problem is that what | the reporter is doing is good, and what the government is doing | is bad. | lostcolony wrote: | "And suppressing opposition is the natural outcome of the | government doing its job. " - no it isn't. It's the natural | outcome of shitty people being elected. The JD isn't | "jackboots on necks" or whatever. | tshaddox wrote: | > no it isn't. 
It's the natural outcome of shitty people | being elected. | | Okay, well it's the outcome of literally every government | of non-trivial size and duration. | idiotsecant wrote: | Your original intention, I believe, was to comment on the | natural tendency of the system we've put in place. The | phrasing "doing their job" has a slightly different | implication, I think, of a system doing what it's | "supposed" to do and not what it actually does. | [deleted] | jrs235 wrote: | This is why my outlook on the future is growing dim. | Politicians are threatening revenge, using the power and purse | of the state, against people who embarrass them. | cortesoft wrote: | Politicians are always threatening revenge for stuff like | this, for as long as there has been politics. | | It is only concerning if the threat is successful. | RIMR wrote: | The only thing that would lead it to being successful is if | people are convinced that the attempt itself isn't | alarming, and don't act aggressively to do something about | it. | speedybird wrote: | _Peacefully_ donating to the ACLU should be sufficient, I | don 't agree that violence is presently warranted. If the | courts fail, then we can talk. | vipa123 wrote: | This is as old as the country itself, the constitution is | stronger than these thugs. | joe_the_user wrote: | The US state has successfully suppressed free expression in | a number of instances (Henry Miller and Wilhelm Reich come | to mind). | | The US isn't special as a democracy and it's been pretty | shoddy at quite a number of times, though now isn't | necessarily the worst moment. The constitution is only | strong on free speech and freedom of the press if people | defend it. | | Edit: It's especially notable that the degree that | governments in the US are run as personal fief where | officials lash out at anyone who inconveniences them (as is | happening here), is strongly related to how far the | government is from urban centers. 
| speedybird wrote: | > _though now isn 't necessarily the worst moment._ | | Chattel slavery, the Civil War, the Trail of Tears, the | internment of Japanese Americans... need I go on? Anybody | who thinks America _might_ be in a worse state now than | ever before needs a serious reality check. | elliekelly wrote: | Your edit reminds me of an absolutely _insane_ article I | read a few days ago about an elected Juvenile Court Judge | in Tennessee: https://www.propublica.org/article/black- | children-were-jaile... | et1337 wrote: | I live in LA and its full of personal fiefdoms. I think | you just see more talent at obfuscating it. | dragonwriter wrote: | > the constitution is stronger than these thugs. | | The Constitution is exactly as strong as the people who | _don't_ dismissively pretend it is self-enforcing. | dragontamer wrote: | Alien and Sedition acts argue otherwise. | | I do believe the 2nd President successfully jailed | journalists for this for years, leading to the Supreme | Court deciding to you know, do something about it. | | Things are only as strong as the political will believes | they are strong. There was a period in the 1800s where the | Supreme Court was ignored for example. The Supreme Court of | the late 1700s did want to protect the 1st Amendment and | they did win the political battle vs Adams. But under | different circumstances, a different result could have very | much happened. | dd36 wrote: | Media used to have more dry powder for fights before | Facebook and Google intermediated everything. | [deleted] | _3u10 wrote: | There's no extra constitutional protections. It's all under | free speech. Everyone is equal. | elliekelly wrote: | But he's not speaking in his capacity as the individual and | citizen Michael Parson. He's speaking in his capacity as | Governor Michael Parson. We know this because he's | threatening to use his _governing_ powers to employ | _government_ resources. 
| | Whether state actors have a right to free speech is not, as I | understand it, a settled matter of law. | mmcdermott wrote: | x1000 this. | | The freedom of the press is a right granted to all citizenry | of the United States, not a specialized permission granted to | an elite caste. | Retric wrote: | The freedom of the press isn't about cast, but it is about | context. | | For example based on Chaplinsky v. New Hampshire it's | constitutional to prohibit "fighting words." Which would | mean some things are fine in print but you can't say to | someone's face because they would provoke violence. | lkrubner wrote: | It was added as an amendment, therefore it is an extra | constitutional protection. Some people (a broad coalition | that included both Federalists and anti-Federalists) were | concerned that the Constitution, as originally written, did | not ensure a protection of human rights. That's why they | pushed through the Bill Of Rights. | rsynnott wrote: | > attempt to embarrass the state | | I hadn't realised the US had kept lese-majeste when it broke | with the UK (even in the UK, the last prosecution was in 1715, | so this is particularly retro of his governorship...) | kizer wrote: | Exactly. Thank you nosy media. This anti-press stuff started | with Trump. Terrifying how authoritarian the right has become. | | Reporters, please continue "embarrassing" all states. The sane | leaders and citizens will be thanking you. | NoGravitas wrote: | > This anti-press stuff started with Trump. | | * gestures vaguely in the direction of Richard Nixon, waits | for historians to chime in with earlier examples. | dragonwriter wrote: | > Richard Nixon | | There's a case that Spiro ("nattering nabobs of | negativism") Agnew is a better Nixon-era example than Nixon | himself, not that it started then, either. 
| woodruffw wrote: | I highly recommend The Boys on the Bus by Timothy Crouse[1] | for some fantastic contemporaneous analysis of Richard | Nixon and his relationship with the press. One part that | stood out to me: Crouse believes (and presents compelling | evidence) that Nixon was one of the first presidents to | _really understand_ the press, particularly the press of | the nascent information age. Goldwater and Agnew were of | the more reactionary anti-press strain, as other commenters | have noted; Nixon (per Crouse) genuinely loved the press | (if not reporters themselves) and relished in his control | over it. | | [1]: https://en.wikipedia.org/wiki/The_Boys_on_the_Bus | nostrademons wrote: | I'll leave this here: | | https://en.wikipedia.org/wiki/Censorship_in_the_United_Stat | e... | krapp wrote: | Trump literally called the press the enemy of the people. | | Traditionally, that's the sort of rhetoric a leader uses | when they're about to send out the hit squads. | kasey_junk wrote: | If 'kizer had said "was extremely increased" by Trump it | would be an accurate statement. | | It's frankly one of the planks of the shadow platform of | the Trump Republican Party that journalists are enemies. | InvaderFizz wrote: | Anti-press goes back decades, centuries even. | | Calling it a left/right issue just diverts from the real | problem of government overreach and negative reaction to the | exposure of malfeasance. | | If you seriously think anti-press is a Trump phenomenon, I | encourage you to look into the creation and use of the Alien | and Sedition acts. | | Or maybe how Lincoln treated press that was not acting as a | propaganda arm of the Federal government. | | If you want a more contemporary example, take a look at | Obamas use of wiretapping against journalists and other | attacks on press freedom. | | When you treat this as a thing that only happens because of | one "side", nothing is done to address the root cause. 
| newacct583 wrote: | > Calling it a left/right issue just diverts from the real | problem | | Alternatively, arguments like that divert from the "real" | problem that half of the political discourse of this | country is _predicated_ on an "anti-press" sentiment that | allows political actors to lie at will. | | Yes, there have been abuses against journalists throughout | history. And because of that, it's possible to take a long | view that "journalism" as a whole will win, given at least | a little protection. Society will survive the occasional | corrupt leader. It always has. | | But the current climate where republicans can simply ignore | reporting by mainstream outlets and cite their own | alternative media instead is somewhat unique, historically. | Something like two thirds of republican voters simply... | don't believe in the results of a recent election, because | their thought leaders won't tell them straight what the | results were. This seems like rather a more pressing threat | to democracy. | christophilus wrote: | The Julian Assange fiasco predates Trump's rise to power, and | was (at least in my opinion) a very clear anti-press action | on the part of the US. | mikeyouse wrote: | Though it got much more dire under Trump.. | | https://www.theguardian.com/media/2021/sep/27/senior-cia- | off... | [deleted] | 234023048230948 wrote: | https://itwire.com/security/infosec-researchers-slam-ex-wapo... | tombert wrote: | This is so idiotic. Does Missouri really want to discourage | people from reporting security vulnerabilities? It sounds like | this reporter did the responsible thing and alert all affected | parties. I can almost guarantee that if a decent person found | this, a dozen less-decent people did too. If a decent person is | afraid to report a security issue, even more less-decent folks | are going to have access to this information. 
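An added example (the editor's, not code from any commenter, from Krebs, or from the Missouri site) of the mechanism alexjplant and plainnoodles speculate about above: an HTML comment hides an SSN cell from the browser but not from the response body, whereas a template-engine comment, or better an allowlisted view model with no SSN field at all, keeps it out of the response entirely; it also shows the source-scanning check a defender would gate releases on. The Jinja-style {{ }} / {# #} syntax is implemented by a small hand-written renderer here, and all rows are constructed sample data.

```python
import re

# Constructed sample rows (names, licence numbers and SSNs are made up).
EDUCATORS = [
    {"name": "A. Example", "license": "LIC-0001", "ssn": "123-45-6789"},
    {"name": "B. Sample", "license": "LIC-0002", "ssn": "987-65-4321"},
]

# Fields the public search page is allowed to see (allowlist, not denylist).
PUBLIC_FIELDS = ("name", "license")

# "Before": the SSN cell was hidden with an HTML comment. The browser does not
# display it, but the server still renders and ships it in every response.
TEMPLATE_HTML_COMMENT = (
    "<tr><td>{{ row.name }}</td><td>{{ row.license }}</td>"
    "<!-- <td>{{ row.ssn }}</td> --></tr>"
)

# "After", step 1: a template-engine comment is dropped at render time, so the
# SSN never reaches the client. Step 2 (to_view_model) removes the field itself.
TEMPLATE_ENGINE_COMMENT = (
    "<tr><td>{{ row.name }}</td><td>{{ row.license }}</td>"
    "{# <td>{{ row.ssn }}</td> #}</tr>"
)


def render(template: str, row: dict) -> str:
    """Tiny Jinja-like renderer (hypothetical, written for this example only):
    strip {# ... #} comments, then substitute {{ row.<field> }} expressions.
    Unknown fields raise, which is what Jinja's StrictUndefined would do."""
    stripped = re.sub(r"\{#.*?#\}", "", template, flags=re.S)

    def substitute(match):
        field = match.group(1)
        if field not in row:
            raise KeyError(f"template references field {field!r} not in view model")
        return str(row[field])

    return re.sub(r"\{\{\s*row\.(\w+)\s*\}\}", substitute, stripped)


def to_view_model(row: dict) -> dict:
    """Build the object handed to the template from an allowlist, so a template
    cannot leak a field it was never given (the 'remove SSN from the DTO' fix)."""
    return {field: row[field] for field in PUBLIC_FIELDS}


def visible_text(html: str) -> str:
    """Approximate what a browser displays: drop comments, then tags."""
    no_comments = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", no_comments)).strip()


SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_ssn_like(html: str) -> list:
    """Release-gate check: scan the raw response body (not the rendered view)
    for SSN-shaped values. 'View source' is exactly this scan done by hand."""
    return SSN_PATTERN.findall(html)


def audit(template: str, rows: list) -> dict:
    """Render every row and report SSN-shaped values in source vs. on screen."""
    body = "".join(render(template, row) for row in rows)
    return {
        "in_source": find_ssn_like(body),
        "on_screen": find_ssn_like(visible_text(body)),
    }


if __name__ == "__main__":
    print("HTML comment:  ", audit(TEMPLATE_HTML_COMMENT, EDUCATORS))
    print("engine comment:", audit(TEMPLATE_ENGINE_COMMENT, EDUCATORS))
    try:
        render(TEMPLATE_HTML_COMMENT, to_view_model(EDUCATORS[0]))
    except KeyError as exc:
        print("allowlisted view model refuses the old template:", exc)
```

The first audit shows the page looking clean on screen while both SSNs sit in the source; the allowlisted view model makes the old template fail at render time instead of leaking silently.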
| wrs wrote: | Don't try to bring logic, reason, and/or prudence into it -- | this is politics, which is a whole other thing. | geerlingguy wrote: | Oh hey, my home state is on Hacker News! | | Oh... sigh. | hangonhn wrote: | _hugs_ | | My home state is Florida. It will be alright. | busterarm wrote: | I just moved to Florida after New York completely lost the | fucking plot. Literally my neighborhood (Hell's Kitchen) | reverted to its 1980s self, street-walking prostitutes | included. Homeless encampments as far as the eye can see. | | Loving it here so far. | selectodude wrote: | Thanks for your input. | krapp wrote: | (waves from Texas) | tombert wrote: | As a fellow Florida-raised human, I feel your pain. | dylan604 wrote: | Being from Texas, I feel like Texas and Florida are in a | race to wherever it is they think they are going. I feel | like there needs to be a state level rivalry like colleges. | Brings a new meaning to Texas State vs Florida State. Maybe | they can have halftime shows too. I also think state laws | should be copyrightable so that when other states copy | their asinine laws, the originating state gets royalties. | tombert wrote: | Just to make sure that I got both experiences, I also | lived in Texas for three years after leaving Florida. | dylan604 wrote: | You are a glutten for punishment! I moved out of Texas | and moved to the west coast for a bit. I then eventually | moved back to Texas for family reasons. Moving back was | much worse of culture shock. Yes, I knew what to expect, | but after being away from it and then dropped back in | just reminds you of how bad different it is. Kind of like | a boiling frog growing up, but then being the lobster as | an adult. | mindcrime wrote: | Right there with ya (my home state is NC). | handrous wrote: | At least y'all have beaches and something resembling real | mountains. 
:-/
| busterarm wrote:
| Like most Missourians I know (mostly who have left their state
| though), it's fair to say that you've transcended where you're
| from.
|
| Thanks for all you've done -- I use your work daily.
___________________________________________________________________
(page generated 2021-10-14 23:00 UTC)