Most states allow you to lookup teacher licenses using last name and they have a “secure” version of the same site for employers and employees to update data. Most of the secure sites use a combination of last names, dob, and/or SSNs to authenticate teachers.
I don't get what you mean by front-facing website. Do you mean accessible by the public? Isn't that the point of websites that allows the public to look up professional licenses? I would imagine that there are similar websites for all other licensed professionals.
When you say secured version of a site, I had assumed that you were talking about something that's meant for administrative employees and only internally visible, not something that is open to any visitor. I can't imagine the workflow in allowing a random user to make these queries.
If only there were legislation in place to subject those breaching this misinformation to legal recourse, so the current administration can enforce which problems exist in the public's eyes. Some real legal tools the government can use to enforce truths from falsehoods, wired right into the platforms that disseminate this kind misinformation. After all, elected representatives are known for their intellectual honesty and predictably virtuous behavior.
If only there were legislation in place to subject those breaching this misinformation to legal recourse
The SSN wasn't supposed to be used for identification at all, at first. [1] But the government decided that didn't apply to them, and then they decided that it didn't apply to anyone else.
But if everyone asks for last four then it also means everyone has it. You are one shitty site leak away from having all the info needed to identify you available publicly.
Thats just ViewState (throw it in http://viewstatedecoder.azurewebsites.net/ if curious) of the schools array. Nothing special on the page. I suspect whats suspect is the lookup portion on the server side.
> Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.
And the layout of that site - I suspect when you clicked through to look at a teacher, it would display the Name + last 4 of their social security number with their teaching credentials. I suspect that if you viewed source on that page, the full SSN was in the retrieved data but the page was just displaying the last 4 digits.
Can't confirm without the Archive site actually pulling live data but it seems to line up.
what they prolly meant is reporter went to the debugger network tab and saw the JSON response which had the full social returned. "HTML source code" is lingo for "I have no idea whats going on"
From the looks of the page I doubt the output was anything as fancy as JSON. This looks like a classic pre-rendered page from the early 00s, made by the nephew of the CEO or equivalent. I'm actually surprised there's JS running on these pages at all.
There's a bunch of <input type="hidden"> elements in the search page, so I guess they did something similar to hide the information from their `select *` that wasn't meant for public consumption.
Edit: looking at the code (directly referencing XMLHttpRequest etc.) it might also be raw HTML being injected into a table somewhere...
Edit 2: based on the "base64" comments, I'm guessing the "view state" (ASP term?) was not encrypted and contained some secret info. There are other systems from other states running on similar tech, but they seem to encrypt their viewstates...
This is the search form. Pretty sure it's the results you would get after the search that has the full ssn in the html source. Still interesting in that it allows searching by the last 4 of the ssn.
And the source seems to indicate this is the "public ssn search", and that a "search by full ssn" probably also exists.
E.g.:
let SSNSearch = document.querySelector("#pnlSSNSearchHeader");
let SSNPublicSearch = document.querySelector("#pnlSSNPublicSearchContent");
I think it is possible that there was SSN data poorly encoded into the source of the page or one of the scripts
From the original Post-Dispatch article: "Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved."
While not immediately visible, all the names and SSNs are in embedded javascript so if you inspect the source they're all there.
I presume this is a poorly executed attempt to be fast and responsive by "pre-loading" all of the data required and then using the search box as a filter on the client.
Edit: My mistake - I misinterpreted wrong IDs, these are not immediately here.
Funny, with the Governor first doubling down on his "leet hackers" drivel, but now trying to bury it with new unrelated tweets to push his earlier rants down.
You know the guys who made the site were telling their bosses: We got hacked, but we're in control of the situation. They weren't saying, we screwed up and made private info public.
Fun fact. In Sweden it's available to anyone. Anyone can also find out find out where you're living, whom you're living with and what vehicle you're driving (among other things). It's a part of offentlighetprincipen[1].
Does that not lead to the potential sticky situations that my mind immediately jumps to?
Edit: I read through your link and did some light browsing of my own (later stonewalled by the fact that I don't speak any of the Scandinavian languages). I don't see anywhere that a citizen can re-assert their right to privacy but that would seem to be necessary in some cases (e.g. Twitch streamers wanting to remain incognito to avoid getting SWATted or otherwise frequently visited by police).
This is actually pretty commonplace in the LA area. I mean, you can take a tour bus that points out dozens of celebrity’s homes. It’s why many actors and influencers hire private security.
"Most critics focused on the absence of forensic evidence, charging that Petersson's case was made up of speculation and circumstantial evidence."
But if the case is officially resolved, well that's all good then. Nobody followed the Prime Minister to the theater and waited for him to leave in the dark of night. No stalking to see here, because Sweden. Move along.
The official conclusion was that the murderer did probably spot the Palmes as they entered the cinema, giving him time to go and borrow a revolver and get back in time to kill him once the movie was over. I don’t know any definition of stalking that would include that sequence of events. But the topic was data privacy - I strongly doubt that the facts that Palme’s person number and address were public contributed to his death.
> I don't see anywhere that a citizen can re-assert their right to privacy
Rights depend on jurisdiction. I’m not aware of any right to privacy regarding place of residence or tax returns in Sweden.
A resident is entitled to file for a “protected identity” which would obscure their address, phone number and person number on these types of services. Even celebrities tend to avoid doing that unless they have a persistent stalker, because it leads to all sorts of practical problems when dealing with everyday administration.
Very topical. Agneta used to have a pretty persistent stalker. I believe she eventually married him for a while. Pretty sad story but no stabbing involved.
Sure there is. In Sweden, no one locks their doors at night. They don't lock their cars, even in the densest cities. It's well known that in Sweden, the only significant category of crime is petty theft, most often pickpocketing, where the thief will remove a small "finder's fee" and return the rest of the wallet, contents intact. (https://www.brookings.edu/research/the-rise-of-sweden-democr...)
I live in Rural TN and we too neglect to lock our doors (and our cars, I might add). In fact, my in-laws leave the keys to their cars IN THE CAR, and unlocked.
I'd argue this has a lot more to do with high trust local communities, rather than high trust "societies". Maybe I'm nitpicking, but the implication seems to be that somehow "American society" (whatever that means) is inherently low-trust. But the fact is America is so diverse, trying to create a useful comparative analysis there is difficult.
In the United States SSNs are treated as secret. I shouldn't have t care if other people know my DOB or SSN, but I have to care because tons of companies and government offices use these as proof of ID.
For an even clearer example. There's this list of the 25 most searched for people last year: https://www.ratsit.se/info/omtalade/mest-eftersokta-forra-ar... . I can recognize several celebrities there, most of them artists, and even our prime minister.
You can see addresses, if they own dogs, which cars they own, what salary they have (the site I linked needs payment for that, but there's other ways to get it for free), the companies they own or own a part of.
> the sites have publishing certificates, which gives them the same constitutional protection as the media. They are not covered by the GDPR and the Data Inspectorate can therefore not examine them. It is also written that the authority has been critical of the fact that the sites can receive constitutional protection through the publication certificate. [1]
I’m sure they get direct mailings from purveyors of exclusive consumer products. Just like I’m already getting mail about buying a house because I bought an apartment last year. What’s the harm?
Yes. America’s problem is that they use the SSN as a secret. Knowing it means you can impersonate someone.
Whereas in Sweden the “person number” is public information and identity is authenticated and authorized in other ways (by showing a driving license or using a “bank id” app etc).
In the nordics how much tax you pay (meaning for most people you can just divide by twelve to determine salary) is also public info. As is how much houses sell for etc.
The public library probably have the local "Tax-calendar" (taxeringskalendern). Like an old fashioned phone book except instead of phone numbers it has the taxed income for everyone in your town for the last year (there is of course web sites with this info too but no free service that I know of). Spent an hour at the library looking up my coworkers salaries when prepping for my first pay negotiation many years ago.
I wonder if the publicity works well against work via tax evasion. Anyone can combine whatever you do with your ID. If you earn a lot of money black on the side (e.g. via drugs dealing), while your income is public and you got this expensive car, then its not just suspicious. Anyone can look you up, figure out you're a sham, and report you.
True, people with low income and flashy spending habits regularly attracts the attention of the tax authorities. So a little bit more savvy criminals funnels their black money through a legit company, in effect paying taxes on a little bit of it. Restaurants was/is popular for this (mostly cash). Used car businesses too.
SSN isn’t even a well-kept secret, considering you have to give it out for banking, medical, or anywhere else that needs to identify you.
We should have a kind of username / password system instead, where everyone has a unique ID and a separate private ID. We could even use something like RSA so you never have to give out your private ID to anyone.
According to this article, if you get accidentally declared dead in the US, companies and institutions make their own copies of the death records and they aren't kept in sync with the governments. So even after you become alive again, at any moment, someone might switch the bit on their database, and you become dead to few companies again.
Kind of interesting how this HN post shows that transparency is important, because fixing an error like erroneous death in other countries isn't as bad as it is in the US.
Anyway I ended up writing about it as a use case for crypto, because the blockchain part of a transparent ledger is important for being a companion to the public memory: your birth, your marriage, your relationships with relatives, and your death.
I believe Offentlighetsprincipen is one of the main foundations of the success of Sweden as a democracy. It acts like a filter on corruption. Dumb politicians are regularly exposed early in their careers. Only really smart, subtly corrupt politicians make it to the top level of government.
It strikes me as irresponsible to redouble the harm of the original oversight on the part of the developers by disseminating a link to an archived copy of the leaked PII. And no, I haven't taken a look.
Why would there, you haven't searched for anything. Even ASP.NET isn't terrible enough to send over the entire freaking database when just loading the form.
It’s easy to imagine that ssns are in search results. Eg it’s plausible that when you search for a teacher, the returned html contains tags with id where that is the primary key in the DB, which happens to be the Ssn etc.
As far as I've seen, no one has given a clear description of the actual vulnerability. Just what they imagine it was based on 3rd or 4th hand relayed descriptions.
I think we as a profession have made a fundamental error of not internalizing the idea that we have different “colors” of data that need to be treated as such at all times. At rest, and in motion.
We have bespoke solutions to keep passwords and numbers out of logs by obscuring certain key, value pairs, but that’s exactly what it is. Bespoke.
Those fields should be protected at all levels. I don’t know if I would go so far as calling it a cross cutting concern, but there is definitely a problem with stringly typed data that is a mix of PII, privileged data and common knowledge.
We've started to treat anything that even sounds like PII as if it were high level radioactive waste. We have a single unified model for our problem domain with special attributes on those properties which are PII-sensitive.
Any time our model is to be exposed to an unsecure context, it is reflected for these PII attributes and mapped into a special redacted variant of the same model.
For purposes of troubleshooting, the redacted model properties receive the sensitive data as a hash after it has been passed through salted SHA256. This allows for us to correlate sensitive things like SSNs between multiple log entries for the same work item, but unable to correlate across different work items.
About half the places I've worked, and all the place with more than a couple dozen employees, have had formal security levels on emails, data, and documents. It is common enough practice that plugins exist to set the levels in MS Office tools. These covers PII as well as confidentiality and simply "internal only" levels of content.
If you haven't worked in a large company in recent years, maybe you haven't seen it, but it feels fairly standard these days.
My guess from looking at this is once you select a district, it would have populated a dropdown with teachers. The teachers were keyed off SSN as the ids in the select element. Not clearly visible in source, but would appear right away if you did "inspect element" after selecting a district.
101 comments
[ 5.5 ms ] story [ 171 ms ] threadhttps://news.ycombinator.com/item?id=28866805
https://news.ycombinator.com/item?id=28867562
BTW, California has a similar website that allows employers to put in SSN and DOB to lookup a teacher's license: https://www.ctc.ca.gov/commission/lookup
It seems that Missouri had a similar setup that required a teacher's last name and the last 4 SSN digits.
The SSN wasn't supposed to be used for identification at all, at first. [1] But the government decided that didn't apply to them, and then they decided that it didn't apply to anyone else.
1: https://www.nytimes.com/1998/07/26/weekinreview/the-nation-n...
Edit: that massive string on line 203 is awfully suspicious...
Double edit: there's another massive string a few lines above that, and the script on line 1188 is pretty interesting too
> Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.
And the layout of that site - I suspect when you clicked through to look at a teacher, it would display the Name + last 4 of their social security number with their teaching credentials. I suspect that if you viewed source on that page, the full SSN was in the retrieved data but the page was just displaying the last 4 digits.
Can't confirm without the Archive site actually pulling live data but it seems to line up.
There's a bunch of <input type="hidden"> elements in the search page, so I guess they did something similar to hide the information from their `select *` that wasn't meant for public consumption.
Edit: looking at the code (directly referencing XMLHttpRequest etc.) it might also be raw HTML being injected into a table somewhere...
Edit 2: based on the "base64" comments, I'm guessing the "view state" (ASP term?) was not encrypted and contained some secret info. There are other systems from other states running on similar tech, but they seem to encrypt their viewstates...
And the source seems to indicate this is the "public ssn search", and that a "search by full ssn" probably also exists.
E.g.:
From the original Post-Dispatch article: "Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved."
I presume this is a poorly executed attempt to be fast and responsive by "pre-loading" all of the data required and then using the search box as a filter on the client.
Edit: My mistake - I misinterpreted wrong IDs, these are not immediately here.
[1] [PDF] https://www.regeringen.se/4a76f3/contentassets/2c767a1ae4e84...
Edit: I read through your link and did some light browsing of my own (later stonewalled by the fact that I don't speak any of the Scandinavian languages). I don't see anywhere that a citizen can re-assert their right to privacy but that would seem to be necessary in some cases (e.g. Twitch streamers wanting to remain incognito to avoid getting SWATted or otherwise frequently visited by police).
It’s Jane Smith
Later that day…
[0]https://en.wikipedia.org/wiki/Rebecca_Schaeffer
[0]https://en.wikipedia.org/wiki/Olof_Palme
Btw his place of residence was hardly secret, but it wouldn’t have been if he were prime minister of any other particular country either.
But if the case is officially resolved, well that's all good then. Nobody followed the Prime Minister to the theater and waited for him to leave in the dark of night. No stalking to see here, because Sweden. Move along.
That's because you usually can't.
In extreme cases you may be eligible for protected identity[1], but that status is not easily achieved.
[1] https://skatteverket.se/servicelankar/otherlanguages/inengli...
Rights depend on jurisdiction. I’m not aware of any right to privacy regarding place of residence or tax returns in Sweden.
A resident is entitled to file for a “protected identity” which would obscure their address, phone number and person number on these types of services. Even celebrities tend to avoid doing that unless they have a persistent stalker, because it leads to all sorts of practical problems when dealing with everyday administration.
Anyway, I'm pretty sure there's no such thing as a "high trust" society.
(https://en.wikipedia.org/wiki/Crime_in_Sweden)
I'd argue this has a lot more to do with high trust local communities, rather than high trust "societies". Maybe I'm nitpicking, but the implication seems to be that somehow "American society" (whatever that means) is inherently low-trust. But the fact is America is so diverse, trying to create a useful comparative analysis there is difficult.
You can see addresses, if they own dogs, which cars they own, what salary they have (the site I linked needs payment for that, but there's other ways to get it for free), the companies they own or own a part of.
[1] https://www-svt-se.translate.goog/nyheter/inrikes/jurist-tar...
Whereas in Sweden the “person number” is public information and identity is authenticated and authorized in other ways (by showing a driving license or using a “bank id” app etc).
In the nordics how much tax you pay (meaning for most people you can just divide by twelve to determine salary) is also public info. As is how much houses sell for etc.
https://www.officialdata.org/ca-property-tax/
The wage secrecy in the US must be one of the factors contributing to the perpetual inequality.
We should have a kind of username / password system instead, where everyone has a unique ID and a separate private ID. We could even use something like RSA so you never have to give out your private ID to anyone.
https://www.todayifoundout.com/index.php/2019/01/how-exactly...
Kind of interesting how this HN post shows that transparency is important, because fixing an error like erroneous death in other countries isn't as bad as it is in the US.
Anyway I ended up writing about it as a use case for crypto, because the blockchain part of a transparent ledger is important for being a companion to the public memory: your birth, your marriage, your relationships with relatives, and your death.
https://www.dyingtowrite.com/posts/2021/33_crypto-isnt-what-...
I wouldn’t call those subtle.
Now, if you’re referring to only those politicians in your own country, then I have no reference for levels of subtlety involved.
The original stltoday article said the information was "contained in the HTML source code" but that seems to be not the case.
In my opinion, the "html source" means the document as it was sent over the wire before JavaScript modifies the document.
It’s easy to imagine that ssns are in search results. Eg it’s plausible that when you search for a teacher, the returned html contains tags with id where that is the primary key in the DB, which happens to be the Ssn etc.
Still interesting, but this page doesn't answer many questions.
We have bespoke solutions to keep passwords and numbers out of logs by obscuring certain key, value pairs, but that’s exactly what it is. Bespoke.
Those fields should be protected at all levels. I don’t know if I would go so far as calling it a cross cutting concern, but there is definitely a problem with stringly typed data that is a mix of PII, privileged data and common knowledge.
Any time our model is to be exposed to an unsecure context, it is reflected for these PII attributes and mapped into a special redacted variant of the same model.
For purposes of troubleshooting, the redacted model properties receive the sensitive data as a hash after it has been passed through salted SHA256. This allows for us to correlate sensitive things like SSNs between multiple log entries for the same work item, but unable to correlate across different work items.
If you haven't worked in a large company in recent years, maybe you haven't seen it, but it feels fairly standard these days.
https://news.ycombinator.com/item?id=28866805