704 comments

[ 2.9 ms ] story [ 292 ms ] thread
Prosecuting people for responsible disclosure?

This governor is a fricking idiot.

This seems to be a requirement these days for being a governor.

I understand not everyone can know everything. The fact that it is deemed unacceptable to admit not having all of the information to make an informed decision/comment where someone in a position of authority makes shit up to just sound authoritative is a sad state of affairs. It's not like being a governor is the same as posting things on an internet forum.

FTFY: It's a requirement for being a governor in a red state.
We've got some presidential mis-speaks a plenty too. Some haven't been a governor, and didn't come from a "red" state.
This is clearly not an example of a politician simply "misspeaking".
Yet. Wait for them to evaluate the blowback, and then the walkback from the comment.
As much as it would be comforting if it actually was, incompetence is not limited to either political party.
Polarize much? Let's just go back to the general population not trusting the government or any politician regardless of party affiliation. They're all corrupt and ignorant, it's a basic requirement.
Oh, you're one of those morons who thinks both parties are equally bad, huh?
Could you please stop posting flamewar comments? You've been doing it a lot lately, and we ban such accounts regardless of what they're flaming for or against. I don't want to ban you because you've also posted good things, but we've had to warn you about this multiple times in the past and that's not cool.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

It's seems there is a certain set of political beliefs that enshrine intolerance of knowledge. Perhaps shared across multiple parties.
"Idiot" is relatively high praise.
When idiot directs prosecution it becomes a crime on its own.
I'm glad my Senator can speak intelligently at DefCon.
From the article, it sounds like nothing even remotely questionable was done by the reporter who found the flaw:

> "According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages."

Oh that is so bad.

It's events and negligence like this that give credence to credentialing requirements for software engineering.

Imagine if we had credentialing requirements for elected office…
We do. It's called an election. What you want is credentialing requirements for voting.
I'm pretty sure I want credentialing requirements for anyone running for any public office. I'd settle for automatic exclusion of anyone displaying narcissistic, psychopathic, or sociopathic tendencies and inclusion of rational pragmatists.
I would also "settle" for picking the people I like.

Also, pretty sure that you have to be at least somewhat narcissistic to think that you should be president, and somewhat sociopathic to actually succeed.

(comment deleted)
And US used to have them too. The basic approach was that if you have land, you have a stake in the future of the republic. It was debated as to whether landless would have the same stake.
I don't think the issue is that elected officials are dumb. I think it's the opposite, most are quite intelligent. It's more that they are evil/corrupt/self-serving, and acting dumb is part of how they get away with it.
We've always known that using DevTools was a criminal activity. In fact, the sheer number of people using them places this at criminal conspiracy levels. Better start filing those RICO cases against the browser devs. /s
How dare you did "View Source", you hacker.
What's "view source", some kind of hacking instructions? Sounds like you're abetting.
As long as you're not aiding at the same time. Aiding & abetting is a no-no. Aiding OR abetting is not claimed to be an issue.
you mean Aiding XOR abetting. consider the forum.
why does it have to be exclusive? If both are false, then there's no confusion on making a charge. If only one is true, then someone being lazy might think it matches.

along your lines of considering the forum, wouldn't it need to be aiding && abetting? i don't know how to bitwise compare aiding to abetting.

I think "view source" is a hacking tool invented by the notorious hacker group "4chan". I say we start a change.org petition to get Google to remove it from Chrome.
In all seriousness, considering Google's track record of discontinuing useful services and features, I expect Chrome to drop View Source any release now. It will be a sad day.
Who browses the web without the DevTools exposed by default? I don't know how to make the web work without "fixing" web pages before attempting to read them.
Who browses the web with Dev Tools exposed by default? Why do you feel the need to "fix" every web page you look at?
websites attempting to poorly comply with cookie banners and other GDPR regs that block a site from working without accepting something. I just display:none the offending elements and then remove the overflow:hidden. Disabling JS usually works, but sometimes the images in the page are lazy loaded via JS and will not load without.
FYI, that's not the View Source feature.
No, but it's infinitely more useful. All of those SAP that has 4 lines of HTML when View Source is used, but the Inspector shows exactly what elements are currently in the DOM that have been loaded by JS. Of course, you're aware of that just like I'm aware of the difference in tools.
(comment deleted)
That would also be the day people would have a far harder time optimizing for Chrome. So they'd probably actually help the browser market by doing so.
I think "view source" was actually invented by the Russians, then leaked by "4chan" - They're an individual, not a group.

You probably got it mixed up with Lunix, that was invented by "4chan".

Completely tangential, but have you seen LUnix (Little Unix)? It's actually pretty impressive for something on the C64. Full on preemptive multitasking seems pretty impressive for something as little as the Commodore.

https://en.wikipedia.org/wiki/LUnix

I hadn't, but I may be trying to rig that up in an emulator later, that seems awesome!
I've only played with it a bit, certainly not enough to make any real definitive statements about it, but I think for what it is it's pretty impressive...stuff like that always makes me wonder why Commodore wasn't more successful [1].

[1] I know LUnix didn't come out until 1993, so it would have been too late to save Commodore, and certainly past the C64's prime. It just demonstrates what the C64 was capable of.

> you hacker

What a "hacker" is is a matter of definition.

But, the fact is the state was using "encryption" with such a level of security that pressing one button on any computer with a browser is all that is required to defeat it.

And I'll bet even the governor has access to this decryption software - he's got it installed on his phone, even! He must be hacking on the go.
Better hope they only used View Source. Could you imagine the federal crime of using curl or wget to retrieve this data?
Counterpoint that might get some attention:

"The Governor is in possession of software on his personal computer that allows him to decrypt the personal details of thousands of constituents who may have voted for or against him."

The "software" being a web browser, of course.

Some serious Jedi business going on here
That's why at my current client, DevTools in the browser is blocked through Group Policy...

/not sarcasm, I wish I was joking...

The US Government has a STIG (Security Technical Implementation Guide [1], a government-proprietary term for "IT policy") that requires that you disable Dev Tools in IE [2], Edge [3] and Chrome[4]. Their justification (from [1]):

> Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used. When debugging or trace information is enabled in a production web browser, information about the web browser, such as web browser type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any back-ends being used for data storage may be displayed

I wish I were making this up.

[1] https://en.wikipedia.org/wiki/Security_Technical_Implementat...

[2] https://stigviewer.com/stig/microsoft_internet_explorer_11/2...

[3] https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/fi...

[4] https://www.stigviewer.com/stig/google_chrome_current_window...

I can think of at least one legitimate reason to block the dev console. There are these posts I've seen over the years that say to "press the hotkey to open the Javascript console, and paste this Javascript blob" (obviously in much more persuading terms) to get a discount on RayBands or something. Disabling it prevents a possible information leak vector.
There's a legitimate reason for doing _almost anything_ - it's a question of likelihood, impact, and knock-on effects.

I can only imagine how much taxpayer money has been set on fire by developers having to debug single-page applications running on these systems without the aid of Dev Tools... these types of material wastages are created in an imperfect attempt to prevent the mere possibility of something that could be more effectively mitigated through training and web content filtering.

I've never seen one in the wild, thought it would be interesting to see what they want you to paste into the console, probably something to transmit them your session token. I know Facebook has a huge warning about it when you open devtools on their site.
Yeah - they added that warning because of these precise things. I haven't kept one around but I've definitely seen them since I fell for it many, many years ago.
This seems really lazy. Duh, it's gov't, but I'm talking about the attacker. If they can use JS to gather all of that info to display in the console hoping to get a user to read it back to them or whatever, why not just save it all and submit back via ajax?
Translation: search for a certification on the public website, receive an SSN in response. Only 'hacking' by reporter was to then press 'Ctrl+U' in the browser and read the characters.
He used the basic reading skills that are taught in ever public and private education system in the country to hack us!
Imagine if the reporter had used curl…
Like redacting a public document by making the redacted parts have a black background with black text. If people can't see it, it is secure.
Tell me if I'm reading this wrong. I want to be reading this wrong.

Is this saying that when you viewed a certain page (which I assume had only one person's SSN visible, or perhaps other teacher information like names), the "invisible" SSNs were just hidden with `display: none` or similar?

I think what actually happened is that there was a page where you could get information about a particular educator. In the HTML source the server returned for that page private information about *that educator* was included in non-displaying elements.
Makes sense. Jesus, though.
Tell me you don't understand computers without telling me you don't understand computers.
Senators too! We must end finstas! https://www.youtube.com/watch?v=TGt1Ukg7q4Y
So that quote is actually taken out of context. The Senator knows that finstas are, and is using it to drive a different argument - that Instagram is incentivized to help teenagers bypass parental control https://www.theverge.com/2021/10/1/22704308/finsta-instagram...

> “Finstas are fake Instagram accounts. Finstas are kids’ secret second accounts. Finstas often are intended to avoid parents’ oversight. Basically, Facebook depends on teens for growth,” Blumenthal said. “Facebook also knows that nearly every teen in the United States has an Instagram account; it can only add more users as fast as there are new 13-year-olds.”

Even with the added context, it's pretty clear he has a very limited grasp on how finstas work. It's reasonable to be concerned about that when he is demanding they be banned.
Tell me you're the Republican governor of a deep red regressive shithole state without telling me you're the Republican governor of a deep red regressive shithole state.
Authoritarian blue states do this crap too. This has nothing to do with the set of policy positions on your party's official platform and everything to do with being a totalitarian jerk, a characteristic that abounds among politicians and high level government officials in general across many parties and nations.
It’s a consequence of having people 80 years old who can barely write an email and still use Internet Explorer on AOL run things. Party is irrelevant in this case for sure
Well done. Authoritarianism is alive and well across the political spectrum.
Yea but at least in a decently blue state I expect the jurors in an actual courtroom eventually to side with reason whereas I expect red state jurors to lap up this tough on crime crap like its mother's milk.

GOP/Red States are the way they are because the people are too stupid for their own good.

He understands computers, but it's easier for him to blame the press for his government's failings. His base laps this sort of thing up.
> No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages.

If it was in the HTML source code, then it was publicly visible, so it is unclear what the article is trying to say.

To laypersons HTML comments or display:none is invisible. But I agree, this is like a blast from the 90’s when View Source was leet hacking.
Every browser have access to the HTML source, even it is merely right click here and there. If the SSN is in the HTML source, then the blame should be on the webmaster who designed that code. Of course, accountability is not part of their tenet, it is too foreign for them.

And look at the age of the governor, clearly shows that he is inept with the fundamental of the internet.

I forgot to add one more thing. Did they not realize that there are scrappers who will scrap every bit of information of everything including the HTML code. I wonder how mcuh scammers/ID theft scrapped the data before this come to light?

I don't understand the age excuse, honestly. My mother is about the same age. She is not technical, but she has used computers for the last 30+ years. Just like anyone any other white collar worker. She would have wrangled with WordPerfect control codes to format insurance quotes in the 80s. Document markup (and stuff hidden in the markup) is not esoteric knowledge, or I wouldn't think it is. Except apparently it is.
> the blame should be on the webmaster who designed that code.

“Webmasters”, where they exist at all anymore, tend not to “design code”.

> Did they not realize that there are scrappers who will scrap every bit of information of everything including the HTML code. I

“...scrapers who scrape...” should be the concern here, not “...scrappers who scrap...”

> And look at the age of the governor, clearly shows that he is inept with the fundamental of the internet.

Gov. Parsons is 12 years younger than Vint Cerf and the same age as Sir Tim Berners-Lee.

Mike Parson is twenty-two days older than I am. I've been using View Source for a lot longer than twenty-two days.
Perhaps opening and reading HTML source code is widely viewed as an esoteric skill.
Given that other recent article about university students who don't know what files are, I wouldn't be surprised in the slightest if this is considered esoteric.
So when do we start prosecuting for malicious prosecution and gross incompetence?
“Hacked our system” — LOL. Nothing like our conservatives for a great laugh. What a moron.
Quote from the St Louis Post Dispatch article is even more groan-worthy:

"In the letter to teachers, Education Commissioner Margie Vandeven said “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”

I guess webpages are kinda like encryption for idiots.

If it is served via https, it is encrypted.

Edit: sorry, forgot the /s

if it's in plain text in the html served, it isn't
But if you're an idiot to believe viewing source is hacking, then you're clearly the type that viewing the source is viewing encrypted data.

The actual quote states that the data was first "unencrypted" before viewing the source. This is in fact correct if not poorly phrased, but who'd expect proper terms used when we're talking about "these" people?

I get what the article says and what the county claims. That doesn't make what the parent said right.
expand the lawsuit to Apple, Google, other heathen browser makers
Just wait. I wouldn’t be surprised.
Not once it's loaded by the browser it's not.
Oh shit, I'm reading your encrypted message right now!
You should consider responsibly disclosing this vulnerability rather than posting it here.
It's ok, the disclosure is also encrypted.
No it's not, you forgot to wrap it in an "<encrypted>" tag.
Don't forget the </encrypted> tag or else the rest of the internet's traffic will be encrypted forever.
I knew u forgot the /s. If the Governor understood https and encryption, he wouldn't be penalizing the reporter for "View Source". Clearly he got caught at being incompetent and he is doubling down on "how dare you"
Well you see the Internet is not something that you just dump something on. It's not a big truck. It's a series of tubes!
nono - 'view source' is really the 'hack this website' button, it's just called 'view source' to keep the bad guys from knowing about it.
I didn't get the joke. Can anybody explain it?
Https traffic is indeed encrypted, but its encrypted for you the user.

Its like saying you stole documents from a sealed container when that container had your name on it, it was addressed to you, and you had the key.

"unencrypted the source code" means they ran an unminify tool. Very advanced; criminal masterminds. /s
Probably just "View Source".
Probably without comments stripped.
(comment deleted)
I sincerely doubt it was minified
What meijer said ^^. It’s html, just view source.

Now they’ll sue browser makers for distibuting hacking tools.

I can't wait to see the legislation that treats plaintext as encrypted, and goes on to criminalize all written and electronic communication.
We must end all encryption --FBI
> echo json_encode($search_results);

This is how I found out how much I, and all other contractors were being paid. And also how much the contracting company was actually charging the clients. All the data was being returned in a json but the very little was being displayed.

Looking at the story, this is more of a posture thing. I'm sure the Governor is surrounded with people who can tell him that no hacking took place, but why miss an opportunity to show you take the privacy of Missourians to heart.

wow, what fraction of websites leak data I want to look at? should I be poking at every non-tech-giant site I go to?
Careful, son, you're quickly entering elite hacker turf.
Dont worry, I only do all this behind 7 proxies. Plus I called google and they know all about it.
The analogy is going up to a house and checking all the doors and windows to see if they are locked. That's rather like port scanning, a form of 'poking'. If you go to a state government web site and do that, even if you don't exfiltrate data or load it up with ransomware, it's definitely very shady behavior, although it seems there are no laws against it in the USA (some ISPs will ban users caught doing this however).

Obviously if you broke into someone's house and then asked them to pay you for your 'vuln discovery', err...

However, I think looking at HTML code on a public facing web page is not that. If you hang naked pictures of yourself on your front door, you don't get to complain when people take pictures of them.

1. https://www.calyptix.com/top-threats/port-scanning-legal-ans...

The data was send to my browser. The more fitting analogy to me is that I get a letter and a huge pile of documents in a giant binder. Some of the documents are referenced in the letter. Now the sender gets upset because I started looking at the documents in the binder that weren't referenced in their cover letter.
Sorry to add some more to my own analogy: some of the unreferenced pages in the giant binder also sometimes will contain wiretapping devices.
You will be surprised. Do a "Inspect Element" and have fun filtering on "XHR requests". Notice that JSON that a lot of those requests return. but sshhhh, you didn't hear this from me.
Last year, when a Nintendo Switch was difficult to come by, I found that a large retailer’s API returned exact stock counts (and even restock dates in some cases) for any physical store you wanted. Got a Switch for myself and a couple friends in an afternoon.
With the move to client-side rendering, too many. The backend becomes dumber and dumber and all logic such as filtering data moves to the frontend. You'd be surprised what you can find poking around at APIs that client-side apps use.
Will this definition of encryption hold for HIPAA cases in Missouri?
You left out the best bit: "through a multi-step process"
Nice catch... Unbelievable. What isn't a multi-step process, really? The first thing I do in the morning is to make coffee and though I've distilled that process down to its bare minimum so I can do it while still half asleep, it is still very much a multi-step process...
Taking a shit is a multi step process! The absurdity of the phrase is boggling my mind.
Right click.

View Page Source.

That's 2 steps. Hence, multi-step.

Option+Command+U

:)

Three steps! What hacker could envision such an elaborate plan?
Don't worry. A listener for contextmenu with a good ol' preventDefault() will stop those pesky hackers!
Could do it in a single step with F12. I suppose then you still have to scroll/search to find the relevant nodes... "multi-step" indeed
"Unencrypted" in this context means "did something we don't understand".
We live in a world where everyone thinks they understand computers and have an expectation of security and privacy, but they don't realize how hard it is to build these systems correctly. The best security appears to be invisible to the consumer, but requires a lot of thought by the implementer.

This is the same reason why I think most of the general public don't understand how much data social media apps can collect on them. I know a lot of average technology users, who allow every single permission whenever an App asks them, because they're like obviously its not going to do any harm. Without realizing how every action they take is recorded in a database somewhere, which will get compromised sometime in the future.

I'm not a mobile developer, but it would be interesting if iOS provided a service that allowed data to never leave the phone and provided an API for Apps to get particular types of data and showed warning levels in the App, each time more sensitive data is accessed. The App store needs to be a place where if I download an App from, I need to have the peace of mind that it won't cause more harm than good.

> I'm not a mobile developer, but it would be interesting if iOS provided a service that allowed data to never leave the phone

I'm not sure I follow. Do you mean the app wouldn't be allowed to send any data over the network? As soon as the app can send any data, it's trivial to hide in there whatever the app wants to send home.

My idea is that Apple encourages Apps and features / adds badges for those apps that only store data locally. The local storage should be able to identify different types of data. They provide an API that allows data to be queried so that whenever an App queries some critically of confidential data it throws a big warning.
The developer would just query the sensitive field either immediately or at a seemingly reasonable moment (along with dozens of other sensitive and non-sensitive fields), put everything into a blob, and then send it to the server as an opaque web request to some innocuous looking endpoint like POST /login.

You either have to completely trust the developer today and forever after, or you need to make some fundamental advancements in homomorphic cryptography. "Secure data store that can be queried with a permissions box" doesn't work.

> but they don't realize how hard it is to build these systems correctly.

In this case, it sounds like the SSNs were included in their entirety in the HTML. My first response is that its a stupid and obvious mistake, but I think it might be too suspiciously easy to only blame the developers here.

I think we have a larger problem - which is that there's a hidden cost to adding extra layers of magic to software. And on the web, we seem to just not be able to help ourselves. The cost is that developers often skip actually understanding how the new layers work. And the abstractions are leaky with respect to performance and security, and sometimes functionality.

Its easy to imagine how this bug slipped through. They had a database query which fetched the data for rendering. Then they used some "magic" framework which does server side rendering & hydration. So the server sent the JSON it used to render to the client to dehydrate the page, and that JSON happened to include the raw database rows (with SSNs). The system is magic enough so you don't have to understand how that process works; but not magic enough to protect you from the consequences.

Junior devs use the magic anyway and get stuck, or make mistakes like this. Senior devs feel like we have to learn everything and get overwhelmed.

Other examples of this:

- Recently I wanted to use some rust code (compiled to wasm via wasm-pack) in a svelte project with snowpack or rollup. I know how to include wasm in a webpage, but the bundlers needed special plugins to handle this. And the plugins for wasm are halfbaked, poorly maintained and janky.

- I worked with a team a few years ago who was using some graphql wrapper around contentful. (Before contentful had an official graphql endpoint). The wrapper was very good, but we needed to run some queries that weren't supported by the wrapper. This was close to impossible. Nobody on the team was strong enough to read the graphql code to figure out how to solve our problem. I did it eventually - via some custom endpoints. But I shouldn't have. After I left the team had no idea how to maintain or modify the code I wrote, and they were entirely stuck.

- The "web obesity crisis" comes from projects pulling giant amounts of javascript into their webpages. Our tooling makes this easy (npm install) and safe (incompatible versions of the same package are included separately). So its easy to end up with libraries like web3, which include about a dozen different versions of bn.js resulting in 2.3mb of uncompressed JS which takes nearly a second to parse on a modern computer. - [1] https://github.com/ChainSafe/web3.js/issues/1178

I don't know what the answer here is, but I know when I was writing qbasic as a kid it wasn't like this. Maybe we need to stop going "up the stack", and instead go sideways - throwing things out as we add more. I worry this whole problem will get much worse before it gets any better.

> it would be interesting if iOS provided a service that allowed data to never leave the phone

But it would probably be even more interesting if you could send out, say, the adress of a Web page you wanted to see in your browser.

How relevant for education and today. The education commission should have "send a flu shot!" lmfao
> I guess webpages are kinda like encryption for idiots.

I prefer to call them muggles.

I feel like not understanding basic things like that should get you fired. The Education Commissioner and Governor of the State of Missouri have demonstrated a lack of understanding of basic technologies. At this point, that means they lack core competencies to do their job, and should be fired.
I would totally not expect an old white guy politician to be up on web protocols. No worries about that.

He either has staffers who told him the real issues and he discounted them to score points, or hired incompetent staffers who gave him B.S., or he hasn’t found anyone to give him the real info. Those are the disqualifiers.

Memories of Mitt Romney appearing to actually dig into tunneling and adhesives during an investigation of Big Dig flaws in Massachusetts. He might have been posturing but at least it was the right posture.

Where "unencypted" means "turned the web page over, and read what was printed on the back of it".

It seems stupid to us, but non-techies just won't understand unless we come up with reasonable analogies.

Nothing, and I mean nothing could give me a grimmer impression of cops' abilities to deal with tech. I guess all of the technically capable cops are busy installing government surveillance systems.

About 12 years ago, someone smashed the window of my car and grabbed my messenger bag, including my cheap prepaid smart phone and shitty laptop— I was a line cook at the time, and those were my most valuable possessions except my knives. Filed a report and moved on. Hours later, I later saw a picture of a person I didn't know standing next to a car with a visible license plate automatically auto-uploaded to my Facebook account from my stolen phone. I called up the detective assigned to the case, but as soon as I said "uploaded" he said I needed to talk to the "computer guy," who called me the next day. After— no shit— 15 minutes of back-and-forth, this expert absolutely could not understand that I wasn't trying to report the new crime of someone accessing my Facebook account without authorization. He had no clue how it possibly could have been related to a telephone. In 2009.

Before I cooked, I'd worked in support from entry-level call centers to code level third-tier support. I am completely confident in my ability to explain WAY more complicated technical ideas to folks who've never used computers before... but I just had to give up. I didn't know what else to do. He was possibly the least technically capable person I've ever encountered and I used to help 90 year olds remove spyware from windows 98 machines. I said never mind and hung up the phone. Depressing.

> Parson said...the reporter was “attempting to embarrass the state and sell headlines for their news outlet.”

Literally a reporter's job.

“I’m going to weaponize the law because you embarrassed us.”
I can't imagine that a large, national organization like the ACLU or CPJ would want to dump tons of money into making this a massive national story should that happen...

Someone about to experience the Streisand effect in FULL force.

Somehow, I have the feeling the St. Louis Post-Dispatch's lawyers are thinking, "Bring it! We haven't had this much fun in ages."
I'm sure the judges likely to see this case are giggling over what they'll say to the state prosecutors.
Having read opinions by federal circuit court judges on technical matters, it's not clear to me that the judges who will see this case are likely to understand the matter any better than the governor.
In a state like Missouri getting sued by the ACLU is probably something that can be used to win an election and is seen as a badge of honor. They probably welcome it and all it costs them is tax payer dollars. They really just need to publicize any controversial party the ACLU represented and claim to be standing up to the sorts of people that would defend that behavior.

If they lose in court it turns into a two for one as they get to rail against 'activist judges' and whip their base to go out and vote.

This could actually become illegal in the UK. The official secrets act might be amended to make it illegal to embarrass the state...
To quote Yes Minister: "The Official Secrets Act is not there to protect secrets, it is there to protect officials."
It is amazing how much truth they stuffed in to that show
A good faith reading of that statement interprets it to mean: the act isn't intended to keep pertinent information away from the public, but to protect the identities of officials who were tangentially involved.

Surely no official interprets it to mean: protecting the public image of officials by way of hiding pertinent information from the public, right?

...because being an embarrassment to the state is reserved for our government
So nearly every pol will have to be locked up.
An Act of Parliament which would ironically embarrass the state in itself. Unsurprising from the same cast of muppets who wanted to use local newsagents to verify your age for internet pornography and make encryption illegal.

It’s not even a partisan thing, it seems like almost all our major parties seem to lose 40 IQ points when the internet is involved. Everyone from Blair onwards has been a tinpot authoritarian when it comes to digital rights.

I don't think they had the IQ in the first place.

More than half of sampled Maps couldn't calculate the probability of two heads in a row from a fair coin

The funny thing is, the reporter successfully embarrassed the state, then the state embarrassed itself further in response.
Color me surprised.

I really don't understand the whole "double down" approach to doing things.

you wouldn't; neither would most of us on this site. ~50% of the population wouldn't. They are targeting the 50% + 1 of their state population that voted for this man. They are probably doing a pretty good job of it too.
We won’t know it for sure. Most of the state is not technical so it’s whatever the popular media spins it.
Streisand effect, too. None of us would have heard about this otherwise.
I had already heard about it on a local security mailing list, but most of us on the list would have preferred to be spared the international embarrassment.
Parsons knew what he was doing, he won’t be embarrassed. It’s a Trumpian move to stir up resentment against the “liberal media” – not something meant to be evaluated critically.
And literally protected by the 1st amendment.
It was successful, because I, a non-Missourian now know about it, whereas in its initial state, this story would have been voluntarily witheld.

Those scheming reporters! /s

The reporter hacked our water system, maliciously held his hand under the faucet and then revealed to us that the water was WET!
FYI the "Governor" is Mike Parson

"As governor, Parson signed a bill criminalizing abortion after eight weeks of pregnancy and opposed Medicaid expansion. He oversaw the state's response to the COVID-19 pandemic, where he issued a temporary stay-at-home order in April 2020, allowed schools districts to decide whether or not to close, and limited postal voting during the 2020 U.S. elections. Parson also oversaw Missouri's reaction to the George Floyd protests, during which he pledged to pardon Mark and Patricia McCloskey, the couple involved in the St. Louis gun-toting controversy, if they were convicted of any crimes; he issued their pardons in August 2021."

Sounds like a great guy.

Soapbox much?

The dude's clearly a moron but this isn't a thread about any of the topics mentioned in your quote. You're actively making HN a shittier place with comments like this.

> You're actively making HN a shittier place with comments like this.

Please find your way to the nearest mirror and take a very hard, long look.

The title only said "Governor" so I was like "gee, who is this guy/gal?" and so I RTFA and went back to the comments. Many were still referring to him as "Governor" and not by name so I thought it would be useful to mention his name. I then started reading his Wikipedia page and discovered he's a real piece of crap (IMHO) and decided to include that summary in my post. Am I starting crap? Maybe, but I think some background on his recent decisions in his role as Governor would be relevant to an article questioning a recent decision in his role as Governor.
(comment deleted)
What is the source of the pasted quote? I have no idea what kind of person the Governor is (outside of being technically illiterate) and am not interested in a partisan bickering match, but despite disagreeing with some points there, some of the actions listed there are arguably great moves (with the devil being in a lot of nuanced details that your list didn't go into)
(comment deleted)
I am reliably informed by people with some insight into Missouri government that Parson is exceptionally terrible. Incompetent or malicious, depending on the day.

I gather the previous (also Republican) governor, Greitens, who may or may not have been into some weird/illegal sex stuff and was forced out over it, was actually pretty good. Seemed to truly care about governing well and improving the functions of state government, at least, which Parson does not.

He is terrible, but in today's GOP there is nothing exceptional about Governor Parson.
This is probably unpopular, but I want to see this go to court so that this moron can be exposed for all to see.
Best outcome would be for the courts to dismiss the case outright. (Bonus points for snark against the governor)
The news is not only the lack of understanding of what hacking is and what a security fuck up is. The news is the cowardice of this clown of a governor trying to deflect blame to those reporting the vulnerability. If he is too embarrassed to admit his government's fault, he will be rewarded with twice the embarrassment for reacting like a corrupt despot.
I don't think I can blame a politician for being technically illiterate, especially one that old. But what the heck is up with the state bureaucrats who report to that guy?

I mean someone it the freaking state bureaucratic hierarchy should at least be lucid enough to consult someone who has an actual clue about things as these.

I’m guessing it went like this…

Politician: Socials are on the web site, who fucked up?

IT: the web page is encrypted, we didn’t fuck up, the hacker decrypted the source

Politician: sounds good to me, no fuckup on our part, let’s call the cops and prosecutors

Politician [intentionally looking to pass the buck to entities outside their purview and choosing not to research further]: sounds good to me, no fuckup on our part, let’s call the cops and prosecutors
> I don't think I can blame a politician for being technically illiterate, especially one that old.

Given the impact of technology on society, we absolutely can and should blame politicians who are technically illiterate.

I don't blame a politician for being not tech savvy.

I can and will blame them for not getting (And listening to!) a tech savvy advisor.

And maybe blame the highly partisan electorate too?
I would think it depends on how "tech savvy" we're talking about. It's one thing to ask them to write a UNIX shell in C++, or construct a neural network model... I don't see any reason to demand that level of technical sophistication from a governor. But surely there has to be some baseline level of technological literacy that should be expected, no? Something beyond "push this button and the computer turns on" and "Yes, I checked and it's plugged into the wall"??
I don't think I can blame a politician for being technically illiterate, especially one that old.

That right there (probably without the age bit) would be the ideal one liner response from the reporter or an attorney from the paper.

I think you're under-estimating how much this is just the governor cravenly trying to save face. He's a just a spineless politician who is afraid that this "hack" will be used against him. Because the public was notified of the obvious fuck-up in the html, he felt he needed to "respond to their concerns" and is doing so in the only way he understands, or that that group of the public "under attack" understands as well: criminal charges.

He's using the public's fear to try to gain political points by looking "hard on crime".

Obviously, he's stupid. But part of the problem is the public also think this was a "hack". Basic understanding of the web is not apparent amongst an enormous swathe of the public.

(comment deleted)
> I mean someone it the freaking state bureaucratic hierarchy should at least be lucid enough to consult someone who has an actual clue about things as these.

Why are you letting the leader off the hook and charging the underlings for being responsible for something a leader should be responsible for? Age of the leader is irrelevant because the leader chose to become a leader.

You have no idea what lengths some state employees will go through to cover their ass and not get fired. It's especially dangerous when cops and prosecutors do it.
Exactly. When you've endured 15yr of this kind of bullshit and enduring five more gets you an extra 10% on your pension you shut the f up and do what's good for you, organization and taxpayers be damned.

Now imagine what this situation teaches all the younger bureaucrats who think they can work hard and make things better.

Yeah this should be a "get a the computers guy in here" moment. Then someone explains and everyone moves on.
I can't stress how differently power works in the Southern States (EDIT: Missouri is a midwestern state officially, but I've always considered it part of the South). It's a very traditional place, where you do not dare contradict, let alone correct, your boss. There is none of this "avoid surrounding yourself with sycophants because they will only tell you what you want to hear" business. There is no upside to speaking up in meetings if what you're saying is not in direct support of the boss. If you do this, you will be branded a trouble-maker, lose favor with the hierarchy, and eventually you will be expelled. Politeness and deference matters far more than any other quality. Loyalty beats integrity every time in the south.

This incident is just one example of this in action.

The south sounds exactly like my experience in two fairly non-political (as non-political as government can be) departments of state government that provide non-controversial social services in a state in the northeast.
Missouri is not even remotely considered to be in "the south". At least not by those who live there or in neighboring states.
You're right! It's part of the midwest officially. Apparently it does share at least some of the classic characteristics of the southern states.
I think it has no more in common with them than other non-southern red states.
University of Missouri sports teams are in the Southeastern Conference (SEC). Part of me wanted them in the Big-10 since I identify more as being from the northern mid-west. Got to follow the $$$.
> Missouri is not even remotely considered to be in "the south".

No, but it is both South-adjacent and is considered to be largely within the Bible Belt, which is almost exactly coextensive with the South, except that it excludes parts of Southern Florida and includes all or part of several South-adjacent states, so it's not an entirely hard fo understand mistake.

I know a lot of people who regard it as a hybrid southern/midwestern state. Plenty of confederate flags to be found in Missouri, certainly, and the MU/KU rivalry is, on our side at least, heavy on "bleeding Kansas" rhetoric and imagery, which keeps Missouri's Southern-sympathizing role in the war alive in our popular culture (such as it is). Lots and lots of our local icons, oft-mentioned historical figures, et c., relate back to the war, and especially folks who supported the Confederacy. County seats with those late-addition cheap confederate soldier memorial-statutes outside the courthouse are, AFAIK, quite common in the state.
You can find Confederate flags in northern states and all over the US. That doesn't suddenly make it more "southern". I live in CO now and I see more confederate flags than I ever saw in MO.
You can find racists and rebels anywhere. If you order a sweet tea in any restaurant in Missouri they will look at you like you have three heads.
Not true at all, but the sweet tea they serve you will probably be mediocre at best, that's true. A few places will serve you unsweet tea (all they have, as a cost-savings measure) with sugar packets, as if that's the same thing, which admittedly is an offense worthy of challenging your server and/or the restaurant owner to a duel.
County seats with those late-addition cheap confederate soldier memorial-statutes outside the courthouse are, AFAIK, quite common in the state.

This seems libelous. Can you provide a single example of such a statue? I drive through several county seats in Missouri multiple times a week. There are WWII and Vietnam memorials, and actually several Civil War Union memorials, but not a single confederate memorial.

As a species I feel we need a means to overcome this problem within organizations, and demonstrate convincingly to others that we have done so. Chernobyl and Fukushima were also both created by a culture of deference to higher-ups. The anti-nuclear crowd were wrong about the science, but may have had a point once you consider human fallibility.
> Chernobyl and Fukushima were also both created by a culture of deference to higher-ups

Chernobyl suffered from compounding of reactor and test design flaws and human error. Fukushima suffered from (retrospectively) insufficient risk assessments, which resulted in a design meeting a rare event beyond it design limit sooner than expected.*

I'm unaware of a human society, in fact any animal society, where politeness does not involve some degree of deference. So saying these accidents were caused by a culture of deference is essentially meaningless without some more "who, what, why, how" and importantly 'how much' and 'compared to what'.

From the IAEA report: "This common mode failure reached a scale considerably beyond that usually addressed in the assessment of BDBAs. [ed: beyond design basis accident]". https://www-pub.iaea.org/MTCD/Publications/PDF/AdditionalVol...

https://www.coursera.org/lecture/intercultural-communication...

If you think that's a "southern" trait I've got news for you...

This attitudes fits the majority of workplaces. I know it probably makes you feel better to pass the blame off on a specific group that you can try to avoid but I've worked all over the US and it's the same crap everywhere you go.

This is why you have tech literate experts to correct you and help you make a decision. Just like how you go to your doctor for help with an illness and get advice for what to do next. This isn't hard to do, it's just not politically powerful messaging. Parson wants to look big and powerful and so he'll just blow smoke up his AG's butt to do something which will quietly be dismissed afterwards with almost zero political cost to him.
Why should age excuse incompetence? If they are incompetent in tech, they should at least know that and shut up.
I don't think I can blame a politician for being technically illiterate, especially one that old.

I don't think age should excuse this guy at all, nor do I buy into the meme that age has much of anything to do with technical literacy. Consider that Brian Kernighan is ~78, Tim Berners-Lee is 66 (the same age as Governor Parsons here), James Gosling is also 66, Rob Pike is 65, Steve Wozniak is 71, Geoffrey Hinton is 73, and so on. And that's not even considering folks who were around so early they've already passed away, like Marvin Minsky, Dennis Ritchie, John McCarthy, etc.

Nobody tries to deny that old people can be top notch computer scientists. It's just a fact that computer technology has only arrived in the daily life of the greater population a few decades ago and therefore older people are statistically less likely to be familiar and comfortable with it the way younger people are. I'm surprised I have to write this.
It's just a fact that computer technology has only arrived in the daily life of the greater population a few decades ago

I would question that assertion, depending on how exactly we choose to define "few". Computers have been a fairly ubiquitous part of our society (in developed nations anyway) for a good 40 years or more now. And they've been absolutely ubiquitous for probably a good 30 years... ubiquitous enough that it's hard to see how any person who considers themselves an educated, competent adult wouldn't have had the opportunity to develop some baseline of technical literacy.

Personally I believe that anybody who is a functioning adult in our society today, who doesn't have that technical literacy, lacks it due to their choices not due to their age.

Sure. In 1984, 37 years ago, a whopping 8.2% of US households sported a computer. So yeah, ubiquitous indeed.

Younger people tend to be more open to new things and less set in their ways, which certainly makes a difference in this case. Note that I'm again not talking in absolutes, but about matters of tendency. Naturally, in the individual case all things come down to opportunity and choice, but it seems curious to deny the statistics of the matter.

The presence of a computer in the home is not the only measure of the prevalence of computers in society at large. I'm not ignoring anything. I was there, I lived it. And I know that being 66 is no excuse for lacking technical knowledge. It's willful ignorance, not a byproduct of happenstance.

Younger people tend to be more open to new things and less set in their ways

Even if that were true - and that's a pretty dubious claim, IMO - it does not necessarily follow that

... certainly makes a difference in this case.

(comment deleted)
> I was there, I lived it.

Yes, so did I. I find it curious that we seem to remember that period so differently.

I can easily find sources saying things like "between the ages of 25 and 60 people's ability to use websites declines by 0.8% per year", that's 28 percentage points difference in the ability to use a website.

But I'll stop arguing, it doesn't seem very promising at this point.

It is my understanding that Parson is not the kind of fellow to give a shit what a state bureaucrat tells him, if it's not what he wants to hear, assuming he'd listen to them in the first place.
> I don't think I can blame a politician for being technically illiterate, especially one that old.

I certainly can. They have plenty of money to hire staff, and that should include people to make sure they understand the technology that is integral to the every day lives of their constituents, or at least to push back when they do/say something completely counter to how the world works.

Gov. Parsons’ technical ignorance, such as it may be, is not the source of this. This is a power-oriented political narrative. To the extent it invokes inaccurate explicit or implicit characterizations, that is not because Parsons doesn't understand the truth (he may or may not, that's just irrelevant), but because the descriptions and implications serve the desired narrative.
The EFF will likely take this case. Have the reporters contacted them?
One thing a newspaper has is lawyers (including plenty of places that will do pro bono on 1st Amendment cases)
'Parson said Thursday that he wasn’t sure why the reporter accessed the information. He claimed it was part of a “political game by what is supposed to be one of Missouri’s news outlets.”'

Yes, everything that makes us look bad is part of a conspiracy by the other team. Ignore the facts, please. Pressing CTRL-U is hacking!

The weird thing is even if this was a conspiracy to discredit an administration... it's a really bad one. Perhaps you could link the security flaw to a budget issue, but I can't imagine something like this seriously affecting a governor's chance for re-election. His response has obviously done more damage than the flaw ever could.
Of course he would. It is the typical political response these days. Double down on your mistakes and never accept responsibility on your end. So what if a bunch of SSN's were exposed ? It was only in "View Source" which is hacking . Come on now. /s
The reporter should prosecute the government: not suitable for their jobs.
Nobody tell the gov how savagely he’s being raked over the coals in these comments, or tomorrow’s headline will be about a RICO case launched against the hacker collective known as “Hacker News.”
Someone should tweet this discussion to him or his office. #stopclickingviewsource
I wish that a conservative outlet would call the governor out. I feel like a thousand articles from Wired, NPR, the New York Times, and the founder of the WWW could all describe in wonderful, simple terms how bombastic and willfully ignorant and hostile this action is, and it would be construed as partisan.
I wonder what his reaction will be when people start hacking the state's websites and outright leaking stuff to just spite him.

Dumb move on his part.

I'm from Missouri, this might be the first embarrassment many of you've seen from him, but there have been alot more prior. Truly not a good look for the state that this guy got reelected.
Same here. And don't look up how he first came upon the job either.
...spare me the anxiety. Got a link or something?
Seriously, the government should have experts on hand who can translate tech into concepts they can understand. This is unacceptable.

Imagine HTML is a TV in Social Security office. The way the storage of SS numbers was designed, is that they are hidden in a backroom, however, anyone can come into the office and scream a persons name to view all the information on the screen. The flaw is clearly in the system.

I found flaws in Costco system before, I guess I should be in prison for letting them know and saving them thousands of dollars.

The states Chief Information Security Officer left the post on Friday https://www.govtech.com/workforce/missouri-ciso-stephen-meye... didnt see anyone mention that elsewhere in relation to this story.

getting a 403 here without a vpn, but https://cybersecurity.mo.gov/ doesn't look like its been updated since 2018 The last CISO left in 2018 (~3months after the current governor took office), and the current ciso was appointed by interim then https://www.govtech.com/blogs/lohrmann-on-cybersecurity/miss...

Tweet from the governor: "Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators."

>Through a multi-step process >decoded the HTML source code

Somebody has been watching B-list hacker movies.

Step one: Press Ctrl

Step two: Press U

1. Click View in menu bar

2. Hover over developer menu item

3. Click View Source

Three-step process - even more nefarious!

Y'all are going to prison now, I hope it was worth it! =]
1. Rest finger softly on the F12 key

2. Press finger downward

Do they even have jurisdiction to go after the reporter. My guess is the site is cloud hosted in a state other than Missouri. Cross state boundaries is a federal matter.
sshhh. The Governor would prosecute you for saying "Cloud Hosted". How dare you find this info that is hidden in the clouds ? Literally only the Gods can see the clouds.