Governor vows criminal prosecution of reporter who found flaw in state website (missouriindependent.com)
1300 points by davidw on Oct 14, 2021 | hide | past | favorite | 678 comments



After the Affordable Care Act went into effect I signed our company up for our state's marketplace. While browsing our plan options, I noticed the url used a scheme like marketplace.org/employers/341/plans.aspx. Of course, I tried changing the number in the url to 342 to see what happened. To my astonishment, it loaded up the next company's plans, including a list of employee names, ages, plan cost, and SSNs.

After I shopped a few other companies to see how our plans compared, I notified the marketplace operator via the only link on the website for customer service. Within about an hour, someone from their IT department rang me on the phone and started grilling me about how many other plans I browsed, and insisted that I clear my cache and browsing history, and notified me that they would be watching to make sure nobody at our IP address accessed any other plans while the issue was being fixed.

I was pretty surprised at his response, and assumed they would be more grateful for exposing a pretty basic flaw, but I guess a natural human tendency in these situations is to try to externalize the blame. Perhaps it's more difficult to hold yourself accountable than it is to assume that others who've found your shoddy work are malicious actors.
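The flaw in the story above is an insecure direct object reference: the employer number in the path is used as the lookup key and nothing ties it to the logged-in user. The following is an added example, not code from the marketplace or from the commenter, showing the vulnerable lookup next to one that checks the id against the session, plus the adjacent-id walk the commenter performed. The data, the `Session` shape and the function names are constructed for illustration.

```python
"""Added example (not from the HN post): the IDOR pattern described above.

The employer id in a URL like marketplace.org/employers/341/plans.aspx is used
directly as the database key, and the server never checks that the logged-in
user belongs to that employer.  Records, session shape and names are constructed.
"""
from dataclasses import dataclass

# Constructed sample data: two employers, each with one enrolled employee.
PLANS_BY_EMPLOYER = {
    341: [{"employee": "A. Example", "age": 41, "cost": 512.00, "ssn": "***-**-1111"}],
    342: [{"employee": "B. Example", "age": 29, "cost": 388.50, "ssn": "***-**-2222"}],
}


@dataclass
class Session:
    user: str
    employer_id: int  # the employer this login was issued for


class Forbidden(Exception):
    pass


def plans_vulnerable(session: Session, employer_id: int):
    """Returns whatever id is in the URL.  Any authenticated user can read
    any employer's plans by editing the path segment."""
    return PLANS_BY_EMPLOYER.get(employer_id, [])


def plans_secure(session: Session, employer_id: int):
    """Object-level authorization: the id in the URL must match the employer
    bound to the server-side session, never a value the client supplied."""
    if employer_id != session.employer_id:
        raise Forbidden(f"{session.user} may not read employer {employer_id}")
    return PLANS_BY_EMPLOYER.get(employer_id, [])


def probe_adjacent_ids(handler, session: Session, start: int, count: int):
    """What the commenter did: request neighbouring ids and record which ones
    return data that does not belong to the caller."""
    leaked = []
    for eid in range(start, start + count):
        try:
            rows = handler(session, eid)
        except Forbidden:
            continue
        if rows and eid != session.employer_id:
            leaked.append(eid)
    return leaked
```

The cleaner design is to drop the id from the URL altogether (`/employers/me/plans`) and resolve the employer from the session, which removes the class of bug rather than adding a check that every handler has to remember.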


Unfortunately, this is the top comment and it has led to a lengthy discussion about the ethics of altering a url to retrieve a resource you should not have access to.

Which is a fascinating discussion, but has nothing to do with the case at hand which is where the underlying html on a publicly accessible search result page contained SSNs of the teachers returned in the search.

All the analogies about ‘it’s like asking the IRS for another document’ are all wonderfully applicable to this comment, but not remotely applicable to the actual article.


This entire thread is a great microcosm of how difficult it actually is to talk precisely and intelligibly about "hacking", permissions, intended access, etc!


On the other hand, to a non-techie person, where do you draw the line? Accessing the HTML of a public webpage is trivial to you and me. But what about decompiling or extracting strings from an .apk? Almost exactly the same thing as pressing F12 in the browser, but a tad more 'active'. It is relevant to this article, as it asks what hacking is OK, and what isn't.


I wouldn't call any of your examples hacking, at least not in the "hacking other people's systems" sense. It's accessing information the other party actively sent to users. The fault lies with the one distributing and potentially exposing sensitive information through negligence.


If someone distributed a .apk that contained plaintext SSNs of their employees, I don't think I would call someone who noticed a 'hacker'.


I would say that finding and reporting exploits is ok in every circumstance. I would draw the line at using those exploits for malicious purposes.


Yes, it looks like it was built to search educator SSNs[1], so the devs just... put them all in the js. How's that for caching? Ouch.

1: https://web.archive.org/web/20210428154433/https://apps.dese...
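The article's flaw is the one this comment points at: the whole educator record, SSN included, was serialised into the page and only "hidden" because the template never displayed that field. The following is an added example, not code from the DESE application or from the thread, showing a search page that embeds full records next to one that projects only the fields the page renders, with a response check that can run in CI. Records, field names and the `<script>` shape are constructed.

```python
"""Added example (not from the thread or from the DESE site): a search result
page that embeds whole records (SSN included) in its JavaScript, next to one
that only emits the fields the page displays.  Records are constructed."""
import json
import re

# Constructed records as the server might hold them.
EDUCATORS = [
    {"id": 1, "name": "J. Doe", "district": "Springfield", "cert": "ELEM-1", "ssn": "123-45-6789"},
    {"id": 2, "name": "R. Roe", "district": "Shelbyville", "cert": "SEC-2", "ssn": "987-65-4321"},
]

# Allowlist: the only fields the search page actually renders.
PUBLIC_FIELDS = ("id", "name", "district", "cert")


def _search(query: str):
    return [e for e in EDUCATORS if query.lower() in e["name"].lower()]


def render_search_vulnerable(query: str) -> str:
    """Whole record serialised into the page.  Anyone who views source or
    opens devtools sees the SSN; it is hidden only from the rendered view."""
    return f"<script>var results = {json.dumps(_search(query))};</script>"


def render_search_secure(query: str) -> str:
    """Project each record onto the allowlist before it leaves the server.
    Fields never sent cannot leak, whatever the template does with them."""
    projected = [{k: e[k] for k in PUBLIC_FIELDS} for e in _search(query)]
    return f"<script>var results = {json.dumps(projected)};</script>"


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def leaks_ssn(body: str) -> bool:
    """Cheap regression check for rendered responses: anything shaped like
    an SSN in the body is a failure, regardless of where the template puts it."""
    return bool(SSN_RE.search(body))
```

An allowlist of fields to send beats a denylist of fields to strip: when a new sensitive column is added to the record it stays server-side by default instead of riding along until someone notices.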


I am now questioning the wisdom of having shared this story, and I apologize for derailing the discussion.


It’s a relevant comment, and people evidently found it interesting.


Yours is an interesting story. And very relevant. It just isn’t applicable to one interesting aspect of the article being discussed which is that the sensitive data was sent to every user but was “hidden” by html.

But the shoot the messenger aspect of reporting vulnerabilities is also very relevant. It’s just the nature of forums like this that some things bubble up to the top and dominate the discussion. Hard to say it’s your fault for retelling a story.


It's a good story and relevant. Not your fault the internet got spun up in a totally other direction with it.


fwiw, I found it relevant. It's obviously not _exactly_ the same thing, but "sending an HTTP GET request to a URL" is similar to "viewing HTML source" in that both are totally normal things to expect from a user, so it's hard to see how either could count as "hacking".


URLs are not secrets. End of discussion.


End of a different discussion than the one this news article warrants.


I found a similar vulnerability in one of our vendors' online order system. I noticed after placing an order an integer in the order confirmation page URL. I reduced it by one and refreshed the page. Sure enough, I got all the order details of the previous customer's sale. Reducing _that_ URL by one got the next previous sale details etc. I notified the company about it. They fixed it, and in gratitude sent me a small package containing a pen and other office kitsch branded with their logo. Not much of a bug bounty, but the pen has proven useful.


I let a company know that the url for their receipts (including name, address etc) was simply an md5 of the order number. They graciously offered 15% off on my next order as a thank you.


I feel like that would be a decent option for a surrogate key for public identification of an item and potentially cheaper than generating a uuid or something else. Maybe combine that with a salt and you have alright protection. How did you figure out that it was an md5 of the order number?


Presumably order numbers are easily guessable, so the md5 really offers no protection at all in this case and is no better than just using the order number


And the thing is, even if they can't be guessed, it's only 999,999 calls to try every 6-digit possibility. And you'd only take 11 days if you were nice and paced yourself to 1 req/sec.


Searching for that MD5 would probably be sufficient to find that out.
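The question above (how do you tell it was an MD5 of the order number) and the brute-force arithmetic in the replies both come down to the same thing: when the input space is small and the recipe is known, an unkeyed hash is just an encoding. The following is an added example, not code from the vendor or from the thread, that recovers the order number from such a token locally, which is the offline equivalent of searching for the hash, and shows the two fixes that actually work: a keyed HMAC, or a random token stored with the order. The order numbers, the assumption that the hash was over the plain decimal string, and the key are constructed.

```python
"""Added example (not from the thread): why an MD5 of a sequential order number
is no protection for a receipt URL, and what to use instead.  The order
numbers, the hash-over-decimal-string assumption and the key are constructed."""
import hashlib
import hmac
import secrets


def receipt_token_md5(order_no: int) -> str:
    """What the commenter's vendor did (assumed: MD5 of the decimal order number)."""
    return hashlib.md5(str(order_no).encode()).hexdigest()


def recover_order_number(token: str, low: int, high: int):
    """Brute force: hash every candidate and compare.  A six-digit space is
    under a million MD5 calls, a fraction of a second locally; the same loop
    against the live site is the 11 days at 1 req/s cited above."""
    for candidate in range(low, high + 1):
        if hmac.compare_digest(receipt_token_md5(candidate), token):
            return candidate
    return None


def receipt_token_hmac(order_no: int, server_key: bytes) -> str:
    """Keyed alternative.  Without server_key nobody can compute the token for a
    guessed order number, so enumeration yields nothing.  A public 'salt' does
    not achieve this; only a secret that never leaves the server does."""
    return hmac.new(server_key, str(order_no).encode(), hashlib.sha256).hexdigest()


def token_is_valid(token: str, order_no: int, server_key: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak."""
    return hmac.compare_digest(receipt_token_hmac(order_no, server_key), token)


def receipt_token_random() -> str:
    """Simplest fix: a random, unguessable id stored alongside the order and
    looked up directly.  Nothing to reverse, nothing to enumerate."""
    return secrets.token_urlsafe(24)
```

Either fix only stops guessing. A receipt that contains name and address should still sit behind the customer's login where one exists; an unguessable link is a mitigation for the emailed-receipt case, not a substitute for authorization.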


I think the main difference is the one between acknowledgment, action + (small) gratitude vs. fear, paralysis and scare tactics / trying to control the environment instead of fixing the issue.


I notified the State of Ohio about the unemployment site displaying full blown debug information in error messages (it genuinely errored out on me while doing legit stuff). The amount of information was very interesting and detailed, basically begging a malicious actor to probe further. I sent screenshots and a detailed writeup about what my next moves would be if I were a "hacker" straight to the CISO/CTO and their boss (my info is in that system!). No response...thankfully.


I did that once a long, long time ago with the organization that monitors maritime piracy around the world. They have a mailing list which I accidentally stumbled on that included (I assume, since I only saw the one page) thousands of email addresses that ended in top level domains like un.org and navy.mil. I contacted the people running the organization through email to say that I had accidentally stumbled on the page and they should probably hide it, to which they responded thank you. If you have ever been to Washington DC you would know the amount of money military contractors spend to show the latest navy vessel to everyone at the Foggy Bottom metro station and other places where such ads seem unlikely. That was the mother of all B2B email lists for militaries and shipping companies around the world. I didn't want to play any games with it.

EDIT: Remembering it now, there were also email addresses with the Iranian navy as they coordinate with other navies to fight piracy too. Perhaps instead of sending a Rickroll I could have sent a mass email with Lennon's "Give Peace a Chance."


Huge missed opportunity for mass email of URL shortener link to the youtube Rick Astley video.


There were cia.gov email addresses in there too. When these guys don't get a joke and fixate on you, they really fixate on you. They are more clingy than that song.


Are you saying that the CIA is never going to give him up?


Well, they're never gonna let him go, that's for sure.

And they may also hurt him.


well they're definitely never gonna say goodbye


Redacted.


I think you just missed the entire point of the comment you replied to...


I think you just missed the joke of the comment you replied to...


> ... someone from their IT department rang me on the phone and started grilling me about how many other plans I browsed, and insisted that I clear my cache and browsing history, and notified me that they would be watching to make sure nobody at our IP address accessed any other plans while the issue was being fixed.

An IT employee who doesn't know about VPNs. Sigh.


Maybe he was hoping OP didn't know about VPNs, it's not an uncommon scare tactic to imply being tracked is unavoidable.


I'm sure any further unauthorized access from random VPN IPs would have also been blamed on OP, unfortunately. "He found this out then an hour later random IPs exploited it. He must have initiated those VPNs".


VPN doesn’t matter here. OP made it clear he was logged into the system first. Presumably all data is blocked until you are logged in. And if you are logged in, IT admin does not care about your IP address when they have your username.


Unless the IT guy was accidentally letting it slip that there was no authorization implemented at all.


Which, in context, is very, very likely.


Would be ironic since OP caught an exploit that their entire team wasn't smart enough to catch... yet somehow he wouldn't know about something as basic as VPNs?


Zero chance this was an issue of an entire team not being smart enough to check - everyone who touched this would immediately understand it wasn't in the authenticated flow. This smells like bad requirements being delivered to the implementers.


Or phone hotspots. Or cafes. Or home internet. Or open wifis. Or language translation websites. Or proxies. Or a dozen other ways that do not require a VPN.


It is very easy for IT managers to put the blame on "hackers" intruding into the network, instead of assuming they created an insecure system. In many companies this can work.


Years ago, I worked at this place, they tried to install these new core routers. The first core router worked fine, but connect the second and the whole campus network would go into meltdown.

The network team could not work it out. The vendor could not work it out. But one of the IT managers had an explanation: me. Firstly, it was due to an OpenVPN I installed on a server (with permission, as a stopgap measure so we could remotely access the “next-gen data centre” because the networking team was taking too long to get the real VPN installed and it was blocking other teams on the project.) The explanation didn’t make any technical sense: the VPN is just an application, nothing to do with the core routers; but he wasn’t technical enough to understand that. They told me to shut it down, so I did (even though doing so inconvenienced the project), and lo and behold, it made zero difference to the problem. Then, he apparently even suggested at a management meeting (I wasn’t there but I heard about it) that I was sneaking in to the data centre at night or on the weekends to sabotage things, and that was why the new routers didn’t work. Apparently they even asked campus security for my physical access logs, which revealed I hadn’t been doing any such thing.

Eventually, the vendor worked out the problem. When you install the router, there was a step where you had to change the VRRP IDs to give every router a unique ID on the network. Clearly explained in the documentation, obviously essential, apparently our networking team didn’t read that part. You plug one new router in, everything is fine; plug the second one in, well it still has the OOTB default VRRP ID, so now two core routers on the campus network have the same VRRP ID, and all the other routers got confused, and the whole thing fell apart. Both our networking team and the vendor’s support team were so focused on chasing some obscure bug they didn’t see the basic config issue.


Wow, I'll keep this in mind next time I complain about my manager.


r/talesfromtechsupport is full of these sorts of stories. I make a visit on days when my job is frustrating and inevitably feel better.


Did that IT manager ever apologize for accusing you of being the problem?


I don’t remember him ever directly apologising, although he was nice to me afterwards (and this was many years ago, memories get hazy). I think he was rather embarrassed by the whole incident, it turned out to be such a basic configuration issue and it took them so long to solve it. I only knew about the whole “sneaking in at night” allegation because my boss told me what he’d said at meetings to which I wasn’t invited, and I don’t think my boss was supposed to tell me what was said in those meetings, so I’m not even sure if he knew that I knew he’d accused me.


Lots of these folks (like the governor) don’t even know the basics of IT. Zero knowledge. You can tell them anything and it will stick.


All hacks are "sophisticated" because otherwise the other party would be "dumb".


Hey, the only people we have to convince that it's not hacking are the insurance companies. When they start charging their clients for their absurd levels of risk and liability, we'll start to see actual change.


I very much want the blame to be on the person who broke into my house regardless of whether my door was locked or my window was open.


Which works great when there's some kind of access restriction in place.

If you wind up putting your tax returns in the 'little free library' you set up on your front yard, you can't blame others for reading them, then handing them back to you and not telling anyone else.

That's the proper analogy for what happened in the original article.


This doesn’t track at all. This is me telling you that your forms are on my desk and throwing you the keys to my office. And then after getting your papers you go rummaging around other stuff.

Like sure I’m accepting a risk that you could do that but you’re still a dick if you actually do.


Content you're serving on a public URL is content you have published. It's not your house and you didn't extend anyone any trust or limited access. You put it in The New York Times. Maybe you hoped no one would find it because it's on page B30 and most people only read A1. But people are allowed to read page B30 if they want to.


The point is that there's no keys involved, nothing in your private office. No rummaging either.

Publishing to a public web server is analogous to that little free library, out in the yard. No keys, anyone can look in it at any time. If you accidentally put something sensitive in there, where anyone can see it without any access control, you can't blame them for doing so.


Having worked for a NYC government vendor who, unfortunately, outsourced a huge chunk of dev work abroad due to low costs (and I assume the manager's shady relationships with outsourcers), the amount of bugs and blatant negligence I observed in the delivered code was staggering. Even with said mistakes the manager/project managers were more concerned with getting the project out the door, so once delivered, they'd ship usually without internal audit of the code.

It makes one wonder if this is the case with the healthcare site you used, and whether or not this outsourcing of dev is common practice among government vendors? If so, it seems that we can only hope for something to fix these situations, given that government seems to only care once shit hits the fan.


I can understand outsourcing development, but I suspect part of the problem with outsourcing the development is that QA of the product is done by the same vendor.

"We investigated ourselves and found ourselves clear of any wrongdoing."


For IT it’s often that whoever makes software, also tests it. When dealing with outsourcers, there comes a level of complexity. Government contractors don’t have skin in the game, and hence motivation to appropriately handle this complexity.


People have gone to jail for incrementing integers in URLs like that (most famously, weev).


IIRC there was a recent story here in Germany where a court decided that the blame is entirely on the website owner, and incrementing an integer didn't constitute hacking, as no security measures were circumvented (as a lack of authorization checks meant no security measures were in place).

So I'm hopeful that the courts are slowly starting to wisen up in that respect.


Looks like there is just a little bit more to that story...

https://en.wikipedia.org/wiki/Weev


Didn't he also give the data he found to Gawker before notifying AT&T of the issue? That seems like a pretty key difference here, but I don't know what weev was charged and convicted for.


"Conspiracy to access a computer without authorization", which was and is completely preposterous. The Gawker part is completely immaterial, it was still a total travesty of justice. The judgement was later overturned on procedural grounds rather than on the merits (which it should have been). He did nothing that merited imprisonment, and even less so his mistreatment there.


It's more accurate to say it was a travesty of law, but probably not of justice.


Yes, but "weev" is also a well-renowned internet "troll". Basically - he appears to take joy out of denigrating, humiliating, insulting and doxxing other people.

https://en.wikipedia.org/wiki/Weev

He's also a neo-Nazi and white supremacist. I do believe in free speech, but some of the things he does seem to take it way too far.

And he famously doxed Kathy Sierra, a female technical writer who created the Head First series. I actually quite like some of the books in the series, and it's incredibly sad to hear incidents like this which actively discourage females in tech.

https://en.wikipedia.org/wiki/Kathy_Sierra

I suspect there's more to the AT&T incident than just, oh, I found a flaw, let me responsibly report this to the relevant parties in responsible disclosure.


Bad laws and a corrupt justice system are infinitely more dangerous than a single man, however unpleasant he may be. People pointed out at the time that the CFAA is totally broken, but nobody listened because the victim was unsympathetic. Well, now we see in TFA how nothing has changed.

"Yes, I'd give the Devil benefit of law, for my own safety's sake!"

And it should be noted that weev's turn towards overt neonazism (rather than just antisocial trolling) took place in prison, where he was mistreated.


Weev was very much a neo-nazi even before he was imprisoned, but I suspect he limited it to private channels.

I once infiltrated some of the IRC channels he used in 2010 or so and have logs of him saying extremely antisemitic things in earnest.

(The groups I infiltrated also doxxed people and used that information in smear campaigns, which is why I'm using a throwaway for this comment. I checked HN's rules and guidelines and couldn't see anything against this; if I'm wrong about this, I apologise.)


The GNAA was probably the first tech group to play the "am I Nazi or am I just joking?" dogwhistle with the earnestness we often see today.


In some public transport company ticket ordering website, someone discovered that the ticket's price parameter is coming from the client side. He decided to buy a very cheap one, then reported the incident. Next day the National Terror Defence knocked on his door.
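The bug in that anecdote is a different class from the URL-incrementing ones above: the server trusted a value (the price) that only the client asserted. The following is an added example, not code from the transport company or from the commenter, showing a checkout that charges whatever the form says next to one that prices from a server-side catalogue and treats a mismatched client price as tampering. The fare table, request shape and amounts are constructed.

```python
"""Added example (not from the comment): trusting a client-supplied price
versus pricing server-side.  Catalogue, request shape and amounts are constructed."""

# Constructed server-side catalogue: the only source of truth for prices.
FARES = {"single": 2.50, "day": 7.00, "monthly": 62.00}


class InvalidOrder(ValueError):
    pass


def checkout_vulnerable(request: dict) -> float:
    """The form carries a hidden 'price' field and the server charges it.
    Editing that field in the browser sets the fare."""
    return round(request["price"] * request["qty"], 2)


def checkout_secure(request: dict) -> float:
    """Price is looked up by product id.  A client-supplied price is never
    used for the charge; if present and different it is rejected (and is the
    kind of event worth alerting on, since honest clients never produce it)."""
    fare = FARES.get(request.get("product"))
    qty = request.get("qty")
    if fare is None or type(qty) is not int or qty <= 0:
        raise InvalidOrder("unknown product or bad quantity")
    if "price" in request and request["price"] != fare:
        raise InvalidOrder("client price does not match catalogue")
    return round(fare * qty, 2)


def is_rejected(request: dict) -> bool:
    """Helper for tests and for a tamper-detection log line."""
    try:
        checkout_secure(request)
    except InvalidOrder:
        return True
    return False
```

The same rule covers discount codes, shipping tiers and currency: anything that affects the amount charged is recomputed from server-side state, and the client's copy is at most a display hint to compare against.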


“No, I didn’t look at any other plans, but I’ve notified our lawyer who is now compiling the list of exposed company plans before she contacts each of these companies for class action suit proceedings”.


I dunno, this seems pretty normal. Just today news broke that in Germany some guy who found a flaw in a web-shop backend leaking the data of hundreds of thousands of people got raided, because the operator reported him to the police - and somehow both police and state attorney found it wise to prosecute him instead of referring the case to the GDPR officer to fine the operator.

It's pretty obvious that when you find a flaw you simply don't approach the people responsible for it, unless they have an EXCELLENT reputation of dealing with this. Otherwise do an anonymous full disclosure (edit: if you have an entity that routinely handles this sort of thing and has an EXCELLENT reputation, that would work too). If nothing happens, provide a PoC.

Of course people, even in IT, are kind of weird here. Somehow responsible disclosure got into people's minds as The Good And Proper Thing to do, and full disclosure being somehow irresponsible. Analogy: Some guy finds out the mayor is completely corrupt or does some illegal stuff. What do you do? a) Disclose this through e.g. the press b) Approach the mayor and try to get him to fix his stuff. Somehow, when it comes to IT security, people wanna see hackers do b) because a) would clearly be irresponsible. Wtf?


All this reminds me of the case of Lilith Wittmann [1], who got sued by the CDU (Germany's majority-holding party) in May 2021 because she discovered a security flaw in their election campaign app "CDU connect". Data from around 100,000 visitors and 18,500 election campaign helpers was not sufficiently secured.

She used responsible disclosure to let the CDU know of this flaw, got sued in response.

After an outcry from the community the CDU apologized to her and retracted the complaint and the proceeding was suspended in the end of August 2021.

It's pretty sad to see how people who act upon their best intentions, intentions which are beneficial to the society, are hit so strongly by those who are afraid to admit that they made a mistake. Hit in such a manner, that it tears apart the daily routine in a very negative way for months.

[1] https://lilithwittmann.medium.com/


Sad to hear just how common these sorts of stories are. I remember reading fairly recently about a guy who reported a flaw to a company working with the NHS in the UK (should emphasise this is an external company and not the NHS themselves) and ended up having to crowdfund his legal battle.


The CDU party no longer holds the majority :-)


No party ever held a majority in the Federal Republic of Germany. But the CDU was the largest party in the previous parliament, and part of the governing majority.


There is by definition almost always a party holding a relative majority (more seats than any other party), which the CDU did for the longest time.

You are correct that they did not hold an absolute majority (more seats than everybody else combined), ensuring that they always had to form a coalition to achieve that.


I've never heard of the word "majority" meaning "relative majority" without that qualifier, but I also wouldn't use the phrase "relative majority" to refer to what to me is clearly a minority, so what do I know :)

Nevertheless, it might be better to use unambiguous terms like "plurality", or define one's terms, when writing for an international audience.


Still can't tell if this is good or bad.


> a) Disclose this through e.g. the press b) Approach the mayor and try to get him to fix his stuff. Somehow, when it comes to IT security, people wanna see hackers do b) because a) would clearly be irresponsible. Wtf?

Huh? This analogy doesn't really make sense. The difference for software is extremely basic: if you publicize a vulnerability immediately, you give more opportunity for it to be exploited while it's being fixed. Malicious actors who hadn't found the vulnerability yet now get it handed to them on a silver platter.

Private notification simply gives the operator a head start on closing the hole before it's more widely known by potential attackers.


That's not the point of the analogy (some other siblings got it wrong, too, so the fault is likely mine). The point is that it's inherently very risky for you to contact someone about a problem they created accidentally, negligently or possibly intentionally in order to get it fixed (and that might result in them being fined or otherwise punished when the issue becomes known). So you should not do that. You should either seek a trustworthy intermediary for you to handle the interaction (this might be difficult / non-existent in your locale) or reveal the issues anonymously.

Again, it's not about Optimally Mitigating Corporate Security Fuckups, it's much more basic than that: it's about keeping you safe. This should obviously be priority #1. Anyone telling anyone else to do responsible disclosure by default because That's What Good Guys Do And You're Not A Good Guy If You Don't is quite clearly not putting the safety of the reporter at #1.


I see, yes -- I certainly agree with disclosing safely/anonymously.


> The difference for software is extremely basic: if you publicize a vulnerability immediately, you give more opportunity for it to be exploited while it's being fixed.

If it’s live it’s already being exploited. Simple principle, but very effective.


Certainly. I said "more" opportunity.


Yeah, in my mind, the only "responsible disclosure" these days is one made anonymously to the local data protection authority.


Reading through these comments gave me the same thought. Notice a problem? Buy a raspberry pi with cash, visit starbucks, upload report about the issue to reporters via newly created (and never used again) gmail account, throw away raspberry pi, never talk or think about the issue again.


Gmail is probably not ideal. Last I tried I needed a phone number to create an account that actually worked.


This is a poor analogy because the IT department isn't doing something illegal, they are just doing something poorly. The proper analogy would be if you found out the mayor routinely left the special stamp that you can use to get anyone released from jail lying on the park bench he eats lunch at. Do you then go around telling people "hey, the mayor does this", or do you say "hey mayor, please stop taking that stamp with you to lunch, because you always forget it at the park bench and someday somebody is going to use it to do bad stuff!"

OR let us reverse the analogy.

You find out Facebook is running an international slave trade by using their data to find vulnerable teenage girls, sending them invites and then kidnapping them. Do you A) approach Facebook and try to get them to stop their practice, or B) alert everyone immediately?

The answer is you alert everyone immediately because Facebook in this example is doing corrupt and illegal things. There is a difference in how you should react concerning security problems that others can take advantage of and willfully committing illegal and corrupt acts.


> this is a poor analogy because the IT department isn't doing something illegal

At what point does it cross the line into IT malpractice? I would say that not even bothering to verify the current user has the access to view what is being requested is well over that line.

When you're dealing with PII, HIPAA, etc, there should be a standard level of competence. If I go into a doctor's office with a runny nose, and they remove my liver, simply stating that they practiced medicine "poorly" shouldn't be a defense.


That comparison is a bit off though, because exposing the mayor's corruption doesn't put other people and their data at risk.


Troy Hunt from Have I Been Pwned has an "EXCELLENT reputation".

Perhaps responsible disclosure could pass through his entity?

It's a way of anonymising the source to keep them safe, and centralising the risk to someone who is already highly regarded by companies and governments.


Perhaps many people are spoiled and blinded by the SV megacorp culture of (usually) taking in bug reports and fixing them and handing out recognition/money. It would be nice if everyone accepted responsible disclosure, but that's not going to be the case until some legislation comes along to require it in the absence of malice.


It's not "spoiled" to expect, at worst, a thank you for pointing out a serious and extremely easily exploited vulnerability in public-facing code. You are inarguably doing the company a favor by disclosing it to them and helping them cover their ass and in some cases lack of competency.

Something shouldn't have to be literally illegal to be considered shitty behavior. (Of course, people are often incentivised to be shitty, which is why legislation should also be applied to the issue)


Umm, this seems to imply that these security vulnerabilities are intentional, which doesn't seem like what is happening. In your mayor example, you wouldn't go to the mayor because you know he is intentionally trying to break the law, so going to him doesn't make sense.

Incompetence is very different than malfeasance.


The problem is that the response, as it pertains to you, is going to be the same for incompetence or malfeasance in a large number of organizations. Consider what the average self-interested politician would do if you uncovered a corruption problem in their administration they did not know about. Are they going to fix the problem, reward you, and risk losing the next election beneath an avalanche of attack ads? Or are they going to bury it and crush you?

Large governments and corporations are not your friends. They will hurt you if it benefits them, often very short-sightedly and regardless of the root problem. There are far too many articles like this one to think "responsible disclosure" is a safe practice. I remember one case where the red team was hired by the agency involved explicitly to perform pentesting, and when they found a vulnerability the government pressed charges!


> I remember one case where the red team was hired by the agency involved explicitly to perform pentesting, and when they found a vulnerability the government pressed charges!

If the case you’re remembering is the one where the red team assumed (without asking) that physically breaking into the courthouse at night was “in scope” of their engagement, I’m of the opinion the short-sightedness there was not the agency…

https://www.cnbc.com/2019/11/12/iowa-paid-coalfire-to-pen-te...

It’s _maybe_ grey area. But there’s no way I’d escalate a pen test to breaking in to a courthouse without explicit in writing permission from someone clearly authorised to give it, including in writing assurances that all relevant law enforcement had been notified (at least at high levels, if part of the authorised physical pen test was actually testing on-ground law enforcement capabilities).


That is the case I was thinking of, but I went back to check my memory and it was not a gray area. They had a signed contract from the Iowa Judicial Branch and its Information Security Officer that specified gaining physical access to the building. Source:

https://krebsonsecurity.com/2020/01/iowa-prosecutors-drop-ch...

They did fail to verify that law enforcement was aware (the client specifically asked them not to) and they seem to have misunderstood the building's ownership structure. The end result was that they fulfilled their contract and were arrested for it after encountering one idiot with power, after which the local politicians piled on in order not to look weak.


Local CERT is sometimes happy to be a proxy, still best done anonymously though.


You got things the other way around: it's not about the disclosure, it's about mitigation.

If one contacts the corrupt mayor for a timed disclosure, he gets time to hide crimes or can continue being corrupt, but the press running the story only damages the mayor.

If I run to the press with a vulnerability, everyone is empowered in exploiting it. Sure it puts lots of pressure on the devs, but devs can only work so fast, which creates a window of opportunity which damages both them and their users. A timed disclosure doesn't prevent exploitation that's already happening, but doesn't increase the problem by itself.

The desired outcomes in the two cases are different, and it's no surprise different strategies are optimal.


> but devs can only work so fast, which creates a window of opportunity which damages both them and their users.

Sadly, time and time again, what in practice ends up happening is the window of opportunity is wasted by the devs being instructed to work on new features rather than fix critical security bugs the company thinks are not widely known.

Apple’s response to four zero-days is only the most recent high-profile example of that.


I think B would be blackmail?


Domestic abuse is pretty "normal" too. That doesn't make it tolerable.


These 2 things are not even remotely comparable.


So? Something being "normal" doesn't make it just. Or even legal.


It's not normal in society to commit domestic violence; most people in western society would find themselves ostracized from their peers if they were a known wife / child abuser. If I told my friends the website allowed me to see other plans and I checked them out, they would just ask if I saw anything interesting and chuckle at the flaw. Curiosity is normal; beating your spouse is not.


Ah, I see the misunderstanding. The behavior I'm seeing called "normal" is people being punished in response to responsible disclosure, where the actual guilty party is illegally leaking private information. I'm comparing administrative abuse to domestic abuse.

If changing a few characters in a URL was a crime, I'd be gone for life.

edit: and, I'm using "normal" in the same sense as the comment I was originally responding to: to indicate an everyday occurrence


How is it a bad response? They want to know what data has been exposed and ensure you delete that data. That's data leak 101. Why would you be defensive about it?


The point being that the IT guy made sure this guy will never try to report on anything again. As they will ".. would be watching .. at our IP address .. while the issue was being fixed."

Instead of a normal company having a bug bounty and sometimes even with cash prizes.

Do you think google "will watch your IP" after you reported a bug? Or will they give you money?

What helps in the short run? and what helps in the long run?


> Do you think google "will watch your IP" after you reported a bug? Or will they give you money?

I honestly think they'll do both - but they won't tell you they're watching your IP because it's needlessly antagonistic.


Because you have no way of knowing if they deleted the data or not from their system. It's a pointless exercise, unless you're just gonna take their word for it.


When someone is kind, helpful, and goes out of their way to help you, for free!!, you have no business demanding, insisting, or threatening a single thing.

Proper response would have been "Wow! Thanks!" and at worst "Please don't share what you saw, and thanks again."


> They want to know what data has been exposed

They should check their own logs instead of relying on a 3rd party that may not tell the truth. This shows incompetence.


Because he was clearly trying to threaten him?


Obviously this person from the IT department has very little understanding of how computers work, and I'm not saying they should.

Each time a breach like this or in the original post happens, it makes me feel that our tools are just not there yet. If there were simple tools that caught vulnerabilities like this we would improve the standard of security.


> started grilling me about how many other plans I browsed

I think as soon as anything healthcare adjacent comes up most people will feel the need to get very nosey about what you accessed. It's possible they would have needed to file an incident (though, honestly, they should've regardless of what the reporter responded with) and gone through some procedure.

It's unfortunate the guy was a dick about it - but asking the extent of the data you accessed probably isn't unreasonable and may have been legally mandated.


Oh there are so many things like this. Ages ago, I used this to find a whole listing of internal fax numbers for a government org I wanted to get someone's attention at and totally slow-spammed them using a fax API. Got a couple of reads based off that.

There's no way I'm telling them I did that, haha!

Rule 1: Never tell people they're making a mistake unless you trust them to trust you.


Serious question: how do you figure out when this is the case?


Fear. The IT person is likely scared of (fill in the blank: blame, losing their job, etc.)

They are scared because their leadership is likely also afraid - and so unable to provide protection by taking responsibility.

This is the vibe of an organization where mistakes lead to blame and punishment instead of quick resolution and learning.


I found a similar kind of problem at a bank, though the vulnerability was so simple I stumbled on it by accident. I promptly switched banks but was never brave enough to report it for fear I might wind up in a very bad situation.


What's bonkers is that _your own data_ was also accessible. Who's to say other users didn't get that data and choose to not report and kept the data?

Your own outrage to your data being exposed would have been perfectly reasonable.


its best to assume Responsible Disclosure™ is a psyop to find gullible people


Within an hour you say? That's incredibly fast. I'm impressed by that fact alone regardless of the quality of the response. I'd have been shocked by an email reply within an hour.

I would have thought using incrementing IDs in a URL was as beaten a dead horse as sanitizing your strings in a SQL query. Then again, ACA websites behaved as if the lowest bidder was selected.


Similarly, a gov registration fee website simply disabled the “next” button at the UI layer because I was past the deadline. Easy bypass, and I paid the fee; never heard anything else.


Good one.

A friend of mine bought a book online; it was just a link to a pdf at an S3 URL.

I chopped off the /book.pdf part, and it was just in an S3 bucket with all the other books they sell.


I worked for a government contractor and I understand that behavior completely. The person you spoke with was tasked specifically with damage control. I am positive _somebody_ was grateful for your input, but those people aren't tasked with chatting on the phone. I know because I was dispatched for fixing and quantifying the scope of a similar issue, where a URL was allowing users to download treatment plans of other users. Being healthcare, this is taken rather seriously. While I was happy to fix the problem and grateful someone reported it, I was tasked with regularly reporting the progress of my work and scope of the breach throughout the incident. My only irk with the person who reported it was that they literally called the governor of the state after casually browsing hundreds of treatment plans, when they could've just called IT support. But yeah, I didn't talk to them, a low-level IT lackey was given that task while I fixed the problem.

Oy vey, that was a mess though. Breaches happen, everyone knows it, even companies dealing with PHI that are beholden to crazy HIPAA fines. My report ended up conflicting with a bunch of dates a former supervisor, who at that point wasn't even involved in the department, had knowingly misrepresented to the state. After the fix was merged and I documented the whole scope of the breach, I went and looked at the emails and reports on the matter. She had gone and told the state all about the scope of the breach, misquoted release dates of the fixes, and just minimized a bunch of things with which my report directly conflicted. This person who wasn't in our department anymore shouldn't have even been involved in the first place, yet here I am looking at publishing a report that'll land her in trouble. It put me in a difficult spot. I didn't want to get her in trouble and I thought about misrepresenting my own report. In the end I figured she made her bed, my report was the definitive statement on the matter and her emails were largely reactive, so maybe they'd just forget what she said. It was, and they did.

The most important thing you need to do during a breach is be honest. On the other end be vocal and trust in the fact what you're doing is ultimately helpful. The government doesn't want to fine businesses. The only thing that'll end up screwing a company is if they're found to be negligent or dishonest. Negligence is easy to avoid because all you need to do is reasonably try to fix the problem once you've been made aware of it. Dishonesty on the other hand is a foot... that like a diaper-bound chubby baby, some people can't help shoving into their mouths. Don't throw IT under the bus though man, even if that guy on the phone was rude there were some good people on the matter. Some people just don't know how to act when they're caught up in a problem.


There is a 0% chance this story is true.


So his issue was not that you discovered the bug. His issue was that after discovering it, you went on to view a bunch of other people's data.

What you did was walk down the block, pull on the doors of random houses, and if you found one unlocked, went in and took a look around. If you found my door unlocked and left me a note, I would be grateful. If you went in and took a look around, then did it to all of my neighbors, we would have you arrested.

The bug here is an unlocked door. It being unlocked is a security risk, and people are thankful if you let them know. If after identifying the security risk you proceed to commit a crime, you're surprised people aren't "grateful?"

>difficult to hold yourself accountable

isn't it though...

>are malicious actors

so you.


This was not an "unlocked door".

This was going to the doctor's office, and while sitting in the room with your files, seeing a bunch of other patient files just left on the desk in eyesight.

Not in an unlocked filing cabinet, not in an envelope, but in the open.

Changing a URL is not "malicious use" nor is it considered doing something you're not supposed to.

As a web client, I should be able to change or manipulate the URL to my heart's content, it is 100% the server's job to restrict my access and make sure that I cannot access resources I shouldn't.

This is entirely the fault of the operators, not the user, and they were mad at them because they _allowed_ the user to access things they should not.


It's even worse than that. I think a better analogy would be that you've requested the doctor mail you your records and instead the doctor ships you his entire filing cabinet with your folder taped to the top and a note saying "read this one." (but no mention about why the filing cabinet is there too)

They weren't just in the open. A copy of these records were pushed, unsolicited, to the user's device and the user simply looked at what was sent to them.


> instead the doctor ships you his entire filing cabinet with your folder taped to the top

And as soon as you get this data and you read all that information sent to you by mistake instead of seeing it's not yours and stopping, you have committed a crime. What exactly is it that you don't understand here? What the OP did is literally against the law.

>pushed

You should look up how HTTP works. The request to get the data comes from the client browser. It's called a GET. The OP requested to GET someone else's records from the server, after knowing the GET request he sent to the server would get him this information.

So again I ask - what is it that you don't GET here? The OP very literally committed a crime. A crime being very easy to commit does not make it legal.


> and as soon as you get this data and you read all that information sent to you by mistake instead of seeing it's not yours and stopping, you have committed a crime.

There's no such crime. If you disagree, by all means cite a statute.

> you should look up how http works.

I'm intimately familiar with http. Upon issuing a request for your records (the request, GET or otherwise), you receive a response, pushed to you, with records you did not request.

I think you may want to re-read my comment, this time more carefully and thoughtfully.


"Push" means the data is pushed, as in without a request from you. It's mind boggling how you are not getting this. Exchange is an example of this - you get email pushed to a listener on your mail client, without requesting that data. If you use POP3, however, you request the data and receive a response. You are arguing a request - a GET - the literal opposite of a push, is a push. This is something anyone who has used email would know, so you are being purposely dense, and this conversation is done - I will not read your reply.

As far as the crime, it's called unauthorized access to a computer system, and many people are in jail for it. Whether that system is password protected or not makes absolutely zero legal difference.


We don't have to continue the discussion but I'll wrap this up regardless for the peanut gallery.

As I've mentioned, my metaphor is request, response. This additional data is included, unsolicited, piggybacking on the response. I think this is clear.

Regarding the crime, no, this is completely incorrect. It sounds like you're referencing 18 USC § 1030. This law cannot apply whatsoever to this situation because there is no unauthorized access. The data was pushed, unsolicited, as part of an authorized access. It's being sent to all users when they use the system in a normal authorized fashion.

Viewing the data takes place on the user's own device, because the state itself put the information there. We are all authorized to access our own devices as much as we please.

The suggestion that the CFAA might apply here is nothing short of absurd.


But where are you getting your whole "piggybacking" idea from? The original story was that the user "verified" that he could get anyone's data by changing an integer in the URL. Typing a new URL into his browser makes it, in Web terms, a new request, not anything "piggybacking" on an old one.

So the data was pushed, very much solicited, as part of a new access. That the user's browser held an authorization (cookie?) for a previous access to the user's own data doesn't quite, AFAICS, mean that this new access to other data was also actually authorized.


> Changing a URL is not "malicious use"

The law disagrees.

As far as your doctor's office strawman - it's a strawman. To see those files, you don't have to actively do anything, if they are left at the desk. Now, if you pick up one of those closed folders, open it, then start looking through it - you have an equivalent comparison. You also have an arrest record.

But don't argue with me. What he did is literally illegal.


> seeing a bunch of other patient files just left on the desk in eyesight

...and then proceeding to rifle through a bunch of those files to satisfy your curiosity.

Finding a vulnerability and reporting it -> Good

Continuing to exploit the vulnerability after you've found it just to satisfy your curiosity -> Bad


I think that's a PRETTY uncharitable analogy and interpretation of the OP's actions.

I would say it's more like:

You are walking down the street, and notice that there is a public noticeboard. It has a list of names, yours among them, associated with a number of steps each. It instructs you to walk a certain number of steps down the street, and then look up at the paper taped to the sidewalk that many steps down.

So, you do, and upon looking down, you see some personal information about yourself! You are a little perplexed, since this doesn't seem very secure. So you take one step back, and look down. Wow, yep, not very secure, there's information there too!

Being a human, you are naturally a little nosy and curious, and as these are publicly posted, after all, you glance through a couple more before finally regaining control of your better sense of civic duty, and report to the owner of the notice board that there is a problem with their "security".

I think this is a better analogy because:

* browsing to a web page is NOT the same thing as going into someone's house.

* the internet is public.

* there was CLEARLY no malicious intent. The OP clearly didn't harm or intend to harm anyone here, even if perhaps he should have immediately stopped when he began to suspect the website had a flaw and he shouldn't be able to see this information. I see no evidence of malice here.

I do agree that in general, just because a system responds 200 OK, you're not necessarily clear to do anything you want when what you're doing is obviously wrong. But at the same time, we should NOT be prosecuting or blaming people when they're able to access more than they're supposed to be able to PLAINLY due to the software's design insufficiencies and there's otherwise clearly no intent to cause harm.

We really need to take a more even-handed approach to this. And, we REALLY need some kind of a professional bar in software engineering. I would expect a student in their final year of CS to be able to produce a more secure system than what the OP described, so the fact that it exists in a quasi-government website is a complete fucking joke, if you'll pardon my language.


> You are walking down the street, and notice that there is a public noticeboard. It has a list of names, yours among them, associated with a number of steps each. It instructs you to walk a certain number of steps down the street, and then look up at the paper taped to the sidewalk that many steps down.

Or perhaps, "Here's a binder with numbered pages; turn to page 345 for your information." You wonder what's on page 346, so you turn the page, and lo and behold, someone else's information.


Which as I said would be perfectly fine. You then tell the owner of the binder that confidential information for other people is in the binder, and you get gratitude.

If once you find the information on page 346, you then keep flipping and looking at people's private information on the next hundred pages like the OP did, you have now committed a crime. The fact that you can easily access something, does not give you the right to access it. If you think otherwise, you think malware that steals your contact and banking info is legal. No, not the one that hacks into your computer. The solitaire game you download and install that has a trojan in it.

After all, you gave the solitaire game access to your hard drive to save and read its own games. Perfectly fine for it to scan the rest of your files. You gave it access to your network card so you can upload your scores. Perfectly fine for it to capture all other network traffic. All trojans are now legal as long as they're packaged with software you voluntarily install.


> If once you find the information on page 346, you then keep flipping and looking at people's private information on the next hundred pages like the OP did, you have now committed a crime.

I agree that morally, the guy should certainly not have continued to look through what he knew was private information he wasn't meant to have access to. I'm not sure the law sees a difference between looking at pages 347-350 and looking at page 346, however.


I am sure the law sees the difference. Intent is what makes the difference between a murder charge and the death penalty, and supervision with a suspended sentence for manslaughter, when you hit a person driving drunk.

Page 346 was an accident - your intent was to read your data. In viewing further pages, as the OP stated, for the explicit purpose of viewing other people's confidential medical data, the intent is a crime. It's the same thing as walking up to someone's desk in an office you're allowed to be in, and looking through their files.


You didn't know for sure that page 346 would have private data, and that you'd be able to turn the page; but there was a reasonable probability that you would in fact see private data. If someone died instead of having their privacy violated, it would certainly be classified as manslaughter (i.e., you were doing something you knew might be "dangerous") rather than just a plain accident where there was no fault.

I don't know what the actual law is, but given the benefits to society of "good people" reporting this kind of issue, I think that toying around with something like that should be considered not a crime at all, rather than being considered a lower-severity crime.


I never claimed page 346 was breaking the law. I claimed after you discover that the action reveals private data, and you repeat that action a bunch of times for the explicit purpose of getting more private data, you are now a criminal. This is what the OP very clearly stated he did.

He did not report the issue after finding it. He abused the security hole for his own benefit. He is a criminal.

Low severity? In civil court, they can take every penny he has, every penny he'll ever earn, and his house. In criminal court, he can be charged with unauthorized access to a computer system, one charge each time he did it. And he did it a lot, and they have logs. Which is all literally in his post.

Viewing other people's medical information is not a low severity crime btw.


It's a public website. If we have to use the doors analogy, these are doors at City Hall, not people's houses.


And it's a public street. It's what's inside the houses (URLs) that is not public.


Doors (holes-become-walls / walls-become-holes) are for controlling whether things can go through. URLs are for letting things through.

A url is not a door, but an archway, or possibly a door frame.


..and you're not allowed to walk into someone's house if they only have a door frame instead of a locked door. They are for preventing criminals from forcefully breaking in. But you don't have to break in to commit the crime. That's why it's called "breaking and entering" - there are two criminal acts committed.


An arch is not something that merely isn’t locked, but something that isn’t meant to even be closed.


Yeah you still can't just walk into the Mayor's office just because it's unlocked. Access isn't authorization.


And yet if I do just open the door to the Mayor's office and it's unlocked and I wander in, that's still not the same sort of trespass as entering someone's home.

And, if I'm in City Hall, the mechanism that keeps me from entering the Mayor's office should be the security guards and key-cards, not my disinclination to open a door.


And if you walk in there, realize it's a restricted area, and start opening up file cabinets and reading confidential documents, you're now in jail. The security guard being there or not makes zero legal difference - things not being locked or blocked does not give you rights to them. Thank you for proving yourself wrong.

You mistakenly wandering in is not illegal. However, your strawman is not what the OP did. It's a paragraph of text, for crying out loud. Please at least read the story before commenting.


Asking the web server to give you information without lying or falsifying any of your request data should in no way equate to walking into random houses that are unlocked.


The proper analogy is-- you visit a public clerk and make a formal request via a form, receive the requested document from the clerk.

Then, while you're at the clerk's counter you notice a menu up high above, like at a fast food restaurant, listing random commands with no explanation. Curiously, you call one out to the clerk and see what happens. The clerk returns with a crushed can. You call out another. The clerk dumps a roll of pennies on the counter.

That's not fraud, it's negligent supervision and stupid design.


I guess the argument would be that changing the number in the URL is lying, as you are providing an ID that was not assigned to you

(Playing devil’s advocate here)


You are falsifying what customer you are. The guy literally said he put in different customer IDs into the URL after he discovered what part of the string was a customer ID. It would equate to a guy walking to your door, saying he's from the electric company, then reading the medical documents on your desk after you let him in.


This analogy isn't apt. What the OP did was the equivalent of asking, "Can you share these files with me?" and the other party going, "Sure, here they are!"


It's interesting you completely omit the part where he figures out the string in the URL that's a company's ID, and uses that to request a file. In your example it would be "I'm this other person, can you share my own files with me?" Except he's lying, and he's not the other person.

Tell me, what happens if you, heavyset_go, send an invoice to Apple, and the invoice says you're "Cisco" and they pay it. Do you get to keep the money, or does the prison get to keep you?


> It's interesting you completely omit the part where he figures out the string in the URL that's a company's ID, and uses that to request a file. In your example it would be "I'm this other person, can you share my own files with me?"

The OP was already authorized and authenticated on their own company account. They never falsified their authorization or their identity, they just requested documents at a specific URL and the other party had no problem replying with said documents.


"malicious actors" is quite a strong statement, for someone who was not really aiming to harm anyone or get much personal gain from it.


There's too much moralising and too much metaphor here.

It's really a lot more simple:

> After I shopped a few companies to see how our plans compared

This isn't white-hat, it's grey-hat at best. Found the vuln, and then used it.

I don't agree with the dramatic reading that I'm responding to.


Wow. The parent comment did not state they then sifted around for personal data. They checked if there was a bug and found it. For all we know the personal data is front and center, so this rudimentary check also revealed personal information. It’s not like they said they downloaded the SSNs. Good job miming the ignorance and bad faith of the nameless bureaucrat the parent comment mentioned though, maybe this is just satire and I’m missing it..


> After I shopped a few other companies to see how our plans compared...

You might have missed this part. I did, too, on first reading. They did sift around.


Wow. You are missing it. You are missing where they explicitly stated they sifted around for personal data, numerous times, and you are missing that sifting being what the company was complaining about. Personal as in insurance plans other people have. He explicitly states he did that after he found the bug. You're missing reading most of the post actually.

If that company decided to file charges against him, this HN post is an admission of guilt for a crime.


You seem to be implying that accessing a competitor's pricing is immoral. Do you think a company's pricing should be private information in the same sense that your house is private?


When you went to 342 you were white hat. When you went to 343 you became black hat.


I don't think you're coming out of this looking too great, either. After finding the vulnerability, you then exploited it to gain an advantage, in addition to reporting it.


I don't know, that sounds like a pretty valid response given that you "shopped a few other companies to see how our plans compared".


If I ask you to show me a document, and you willingly show me the document, who exactly is responsible for the disclosure?


In real life, if you do it under false pretenses, you are. In this analogy the real-world version would be considered fraud.


Asking for the next file isn't false pretenses. I don't know if this analogy works quite right. Even rifling through a file cabinet wouldn't be false pretenses, it would be something else.

And you have to cause injury for it to be fraud. Is "Help I was too honest to a customer." a valid injury claim?


The closest real-life equivalent to asking a computer server for a document and getting it is asking a human server (e.g. office clerk, archivist) for a document and getting it. If I go to the IRS to do some paperwork and notice it says "File #7881991" in the top right corner and I go to the clerk and ask them "Hey, can I have files 7881992 and 7881993, too?" and they give them to me, who is liable for that? It's quite obvious.


This is 100% the correct analogy.


But this is assuming that the server has more agency than it does. Servers don't have minds and they don't make authorization decisions. This is more like someone giving you the key to a filing cabinet in order to retrieve some documents and while you're there you snoop on the ones next to yours.

Is this system more trusting of people than it should be? Probably. Does that mean you're allowed to snoop on other people's documents -- nope.


The humans who administer the server have agency. They went and purchased an apparatus for publishing information to the world. They connected it to the world. They pointed it at that information. They turned it on.

A printing press also isn’t sentient and can’t guess whether its operators really mean to share every sentence on the plate. But browsers and readers of printed materials (that are left in public places) have no obligations to the publisher’s state of mind. Why should browsers of digital materials?


> This is more like someone giving you the key to a filing cabinet in order to retrieve some documents

No. It's like someone asking you what you need, you telling them "I want all my documents and the ones from my neighbours because I feel like it", and them proceeding to hand you everything you asked for neatly collected in a folder.


You’re still ascribing agency and authority to a fancy vending machine. The server has absolutely zero authority to grant you authorization to the documents. It can only grant you access. The servers are not representatives of the government or the site-owners, they are just machines. And just because the vending machine is broken and works without you paying doesn’t make it not stealing.


The fact that the server cannot make decisions that were not predetermined is exactly why the responsibility for its behaviour lies with the people running it. They make the rules, they are the ones whose job it is to read the manual. And when someone makes a technically valid request (instead of, say, SQL injection attacks) it's not the user's fault for an incorrect response. They might not even be aware that they're not allowed to do a specific request: it's reasonable to assume IDs in the URL are not sensitive information, as URLs are public and unprotected by default.

Of course it's on the user if they know they're not supposed to have access to some info and they use it to their advantage regardless. If they're a nice person they'll even report the issue (though less likely after news like this).

> just because the vending machine is broken and works without you paying doesn’t make it not stealing

So if it's broken and doesn't work despite me paying, does that make my payment a donation? No. Though it probably is theft if I knowingly abuse the error for profit.
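The two technical claims running through this subthread, that it is entirely the server's job to restrict access to a URL (the comment beginning "This was not an 'unlocked door'") and that a technically valid request getting the wrong response is the operator's fault, not the user's (the comment just above), come down to one missing check. Below is an added example, not code from the thread or from any state marketplace: a minimal model of the /employers/<id>/plans.aspx endpoint the top comment describes, once with the insecure direct object reference flaw and once with the server-side ownership check that closes it, plus the access-log review an operator can do instead of taking a reporter's word for what was viewed. The Session class, employer ids, names and log lines are all constructed for the example.

```python
"""
Added example: insecure direct object reference on /employers/<id>/plans.aspx,
the ownership check that fixes it, and a log review of who read what.
All data, ids, names and log lines are constructed; nothing here is the
marketplace's real code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: employer id -> plan record with employee details.
PLANS = {
    341: {"employer": "Example Co A", "employees": [{"name": "A. Person", "ssn": "***-**-0001"}]},
    342: {"employer": "Example Co B", "employees": [{"name": "B. Person", "ssn": "***-**-0002"}]},
    343: {"employer": "Example Co C", "employees": [{"name": "C. Person", "ssn": "***-**-0003"}]},
}


@dataclass
class Session:
    """Authenticated session (constructed); employer_id is the one employer this login may administer."""
    user: str
    employer_id: int


class NotFound(Exception):
    pass


_PATH = re.compile(r"^/employers/(\d+)/plans\.aspx$")


def parse_employer_id(path: str) -> int:
    """Extract the numeric id from /employers/<id>/plans.aspx, or raise NotFound."""
    m = _PATH.match(path)
    if not m:
        raise NotFound(path)
    return int(m.group(1))


def plans_vulnerable(session: Session, path: str) -> dict:
    """Authenticates (a session exists) but never checks that the session owns the id."""
    eid = parse_employer_id(path)
    if eid not in PLANS:
        raise NotFound(path)
    return PLANS[eid]


def plans_hardened(session: Session, path: str) -> dict:
    """Object-level authorization: the requested id must match the session's employer.

    A mismatch raises the same NotFound as a missing id, so the response does not
    confirm to an unentitled caller which ids exist.
    """
    eid = parse_employer_id(path)
    if eid != session.employer_id or eid not in PLANS:
        raise NotFound(path)
    return PLANS[eid]


def count_foreign_records(handler, session: Session, id_range) -> int:
    """How many other employers' records the handler hands this session across id_range."""
    leaked = 0
    for eid in id_range:
        try:
            handler(session, f"/employers/{eid}/plans.aspx")
        except NotFound:
            continue
        if eid != session.employer_id:
            leaked += 1
    return leaked


# Constructed access-log lines: client ip, authenticated user, path, HTTP status.
ACCESS_LOG = """\
198.51.100.7 acme_admin /employers/341/plans.aspx 200
198.51.100.7 acme_admin /employers/342/plans.aspx 200
198.51.100.7 acme_admin /employers/343/plans.aspx 200
203.0.113.9 beta_admin /employers/342/plans.aspx 200
"""


def audit_access_log(log: str, owner_of: dict) -> dict:
    """Per user, the sorted employer ids they successfully read but do not own.

    owner_of maps a user name to the employer id that user is authorised for.
    This is the question the operator's own logs answer without asking the reporter.
    """
    foreign = defaultdict(set)
    for line in log.splitlines():
        _ip, user, path, status = line.split()
        if status != "200":
            continue
        try:
            eid = parse_employer_id(path)
        except NotFound:
            continue
        if eid != owner_of.get(user):
            foreign[user].add(eid)
    return {u: sorted(ids) for u, ids in foreign.items()}


if __name__ == "__main__":
    s = Session("acme_admin", 341)
    print("vulnerable handler leaks:", count_foreign_records(plans_vulnerable, s, range(340, 345)))
    print("hardened handler leaks:", count_foreign_records(plans_hardened, s, range(340, 345)))
    print("foreign reads per user:", audit_access_log(ACCESS_LOG, {"acme_admin": 341, "beta_admin": 342}))
```

The fix is a single comparison, which is why the thread's CS-student remark is fair: authentication (who is logged in) was present, authorization (which object that login may read) was not. Returning the same not-found result for "exists but not yours" and "does not exist" keeps the hardened endpoint from confirming valid ids, and the log audit is what "they have logs" means in practice: the operator can list every foreign id a user fetched without relying on the reporter's account.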


I feel like I'm taking crazy pills here. We're specifically talking about someone who knew that they weren't supposed to access other businesses' data and did so purposefully for their own gain. How is that not abusing the error for profit?

Like you can say "URLs aren't sensitive by default" up until the guy admits that he knows it's an error and he's accessing the private data he's not supposed to see. That changes the situation completely.


Right. The server is not liable. The people who set up the server to serve application data for every client to any client are.

Just like the IRS admin assistant in the example was, the agent to cause the transfer. The filing cabinet/server is not the agent, simply the repository responding to the system and practices in place.


But this is assuming that the server has more agency than it does.

No, it merely assumes the server is acting on authority of the organization identified by the domain name. It doesn't assume agency, only representation.


Which also seems nuts. Like they’re servers. How anyone assumes that some Ruby code can be acting as an authoritative representative of the government is silly.


Yes, how could anyone assume that the ATM down the street can be acting as an authoritative representative of your bank when you insert your card? That's just silly.

/s


But that’s exactly right! It’s not. If the machine has a bug and reports the wrong balance or gives you too much or not enough money on withdrawals it’s explicitly not authoritative and you can get it corrected by an actual representative of the bank.


If a human in a government office has a bug and reports a wrong result when queried, it can be corrected by their higher-up.


If you give me the key to the files and don’t explicitly forbid me then it certainly does mean I’m “allowed” to look at the documents. You literally and explicitly just allowed me to do so by granting me access.


No, it's not, because computers and humans are not the same. A computer might give away too much information because someone misconfigured it. The closest human analog to that would be if the human was improperly trained in what information they're supposed to give out. But the human also has other options: they could be tricked into giving out more information than they should, or they could be giving out more information because they're being paid off or given some other benefit.

You can certainly assign various levels of blame and responsibility to the human "server" in those scenarios. But the human on the other side of the interaction, the one requesting information, doesn't magically become free of reproach. If they are requesting information they know they should not have access to, and then making use of that information for their own gain, they're guilty too.

There's a very narrow carve-out for the white-hat: requesting information with the intent of uncovering vulnerabilities, with the intent to help them get fixed. We expect a white-hat actor here to destroy and not make use of any information they obtain that they shouldn't have.

> If I go to the IRS to do some paperwork and notice it says "File #7881991" in the top right corner and I go to the clerk and ask them "Hey, can I have files 7881992 and 7881993, too?" and they give them to me, who is liable for that? It's quite obvious.

Yes, it is obvious: the clerk is liable for giving you something they shouldn't have, and you are liable for fraudulently representing yourself as someone who should have access to those files.

I don't get where this idea of "the other person let me do the crime, so the crime is ok" comes from. That's just not how the law works in the real world. If you then walked out of the IRS office with those files, I would absolutely expect you to get arrested. (Even if you immediately gave the files back, you'd probably be on shaky legal ground.)


> Yes, it is obvious: the clerk is liable for giving you something they shouldn't have, and you are liable for fraudulently representing yourself as someone who should have access to those files.

It's always okay to ask for things. There would be no way for society to adapt, progress, or change if people were limited to only asking for things that they knew in advance they were allowed to have. If it's legal for a telemarketer, pollster, reporter, cop, or recruiter to contact me and ask me questions then it's just as legal for me to contact and ask a web server a question. The correct response to unauthorized requests is a 4xx, not a lawsuit.

More to the point, what makes it okay to ask a new web server for "/" without permission? Even if browse-through terms of service were legally enforceable they aren't known to the user or the browser before making the first connection and request.

If a web server doesn't want to answer questions then don't connect it to the Internet.


It is the intent of the act, not the act itself, that is important.

If you know doing x will cause y, then when you do x you are doing y and you are responsible for the consequences of doing y. It doesn't matter what x was.

This is especially true in the real world.


I think misdirected mail might be a better analogy. My understanding is that, even if it is delivered to your mailbox, it is still a felony (in the US) to open mail that is not addressed to you.


Users don't normally construct URLs by hand. Wouldn't the equivalent be more like:

You filled out some form to request a document from the IRS. You give the form to the person, they give you the document.

You notice they don't check IDs, so you change the name on the form, and get someone else's document.

This definitely seems to fit the definition of fraud:

380 (1) Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service [that's the Canada definition]


But... they didn't change their name on the form. They literally just said "I'm still me, but I want this other file now, please."

All company data was, in OP's scenario, made public to any and all authenticated users.

There is no way to rationally spin this as a malicious act, in my view.


I don't think simply changing the ID in the URL to see what would happen is itself a malicious act. But, after discovering the vulnerability, OP admitted to continuing to exploit the vulnerability so they could make use of the information they'd gotten, information that they should not have access to. That part of it is actively malicious.


No one is claiming "I'm still me, but I want this other file now, please." is a malicious act.

Downloading a number of them and comparing information, however, is not necessarily malicious but rather sketchy.


Well they changed an id number. I guess the real life version would be changing the SSN number on the form.


An SSN is considered private info; the plan number wouldn't be.


"deceit, falsehood or other fraudulent means" => editing the URL is neither of those. Forging a cookie for access is, just like randomly trying passwords and usernames.

The closest real life example I can think of would be along the lines of:

- your car is in a public parking space and someone looks inside

vs

- the same car is in the garage and someone breaks the door to look inside your car


> Users don't normally construct urls by hand

You never typed google.com into the browser? I doubt it. Maybe you just mean "construct" as in edit the URL to access another site - well, that's still a perfectly normal use-case. I regularly change reddit URLs to old.reddit because it gives me a better user interface. Or access a subreddit by adding an "r/subname". Sure, those aren't alphanumeric IDs, but that distinction is meaningless. Some unique IDs on the web do actually consist exclusively of English words. And some numeric IDs are harmless page numbers or pagination info.


I don't think changing the name is a fair comparison.

This definition of fraud doesn't define the word "defraud"? I don't know how I'm supposed to see if it fits or not.

It can't mean any action, or going into a store, lying about my name, and asking what aisle has baked beans would fit. Because that has "deceit" and "any service".

If I interpret things as the service being minimal and provided for free, so that I'm not deceptively getting the service, then we have to look at what actually gets sent to me, and whether it's "property, money or valuable security". And since it's just a copy of the data sent at no cost, it's much harder to argue fraud exists.


The data in this case clearly had value; OP admitted to continuing to change numbers in the URL to get more information about what plans other companies were signing up for, because that information was valuable to them.


You're assuming the "because that information was valuable to them" part. Or you're using such a broad definition of valuable that would also make this comment thread valuable because I have refreshed it multiple times.

While you could construct hypotheticals where OP is using the health plan information to gain actual value, they are all so far-fetched I wouldn't buy them as a fictional plotline. Dude was probably just curious.


A closer analogy would be that you keep the name as your name, but change the # of the document you're requesting. It's the IRS's job to ensure you're allowed to retrieve that doc.


Sure, but I guarantee you that if the IRS screwed up and gave you the other doc, and you made use of that information (rather than immediately turning around and saying "um, IRS, I think you made a mistake; this doc doesn't belong to me"), you'd be in trouble as well.


Haha that's fair.


I think the analogy would be going up to the desk and saying: my ID number is X (when it's really Y), can I have my file?

If you convince them that you really are X and they give you the file, I think that would be considered fraudulent. Whether or not an injury takes place to raise it to the level of fraud I guess depends on what was in the file, but in countries with strong privacy laws, someone would probably be in a heap of trouble.


Except that's not at all what they did - they simply accessed files that had been made public by the service provider.

To be able to login as BoBibbidyFooBar, and subsequently access ANY company's info in the system without changing their identity from BoBibbidyFooBar does not, in any way, constitute any sort of fraud. It literally cannot, by any sensible definition.


Intent matters. The service provider clearly did not intend that the files should be public. They screwed up, and they should take responsibility for that. But that doesn't make it ok to know about the security issue and download as many documents as you can in order to use them for your own purposes. Perhaps that wouldn't be "fraud" based on whatever definition you're using, but it's clearly unethical and immoral, and IMO hopefully illegal as well.


> I think the analogy would be going up to the desk and saying: my id number is X (when its really Y), can i have my file.

Not at all because what you describe involves impersonating someone else.

In the OP case, they were authenticated in the session as themselves and always acted under the truthful identity and asked for a document and access was granted.

So the analogy would be going up to the desk and saying: I'm John Doe, my id number is X (truthful value), could I see file ABC? And the attendant checks that id==X does have access to document ABC, and thus hands it over.


Nope, no way. Your analogy is wrong.

A better analogy would you asking for your files, and then the secretary taking you to a filing cabinet containing everyone's files right there with yours. You don't have to lie about who you are, you can just look at other files because they're right there in the place that you were just given access to.


How is that analogy wrong? Both in terms of the technical implementation and the subjective user experience, you're making separate requests for a document each time.

Analogies are always going to be imperfect, but I can't see the argument that the "separate request" analogy is any worse than yours, let alone "wrong".


And even in that case you're still not allowed to look at other people's documents. Like it doesn't matter that they're right in front of you, you still haven't been given authorization.


But they didn't do that. They just asked for a different file, not misrepresenting their identity.


He had already given his correct details to be able to view plans. It’s like calling the cops to get your accident report then asking for the next higher numbers and they give it to you.


Not sure I see how. More like the records office decided that, rather than staffing the front desk to handle records requests, they instead just dumped an unlocked filing cabinet into an alcove off the hallway with an arrow pointing to it labelled "Health Care Plans". Essentially identical to blaming users for finding an unsecured S3 bucket or MongoDB instance: it's on the operator to secure the data.


> Essentially identical to blaming users for finding an unsecured S3 bucket or MongoDB instance

I agree that it's unreasonable to blame users for finding things like that. But if those same users are downloading all the data and making use of it for their own purposes, that's not ok. Finding a vulnerability and reporting it is an admirable thing to do; exploiting that vulnerability yourself is not.


It is more like the records office decided that, but didn't tell the people whose records they were holding that they didn't feel like staffing the desk. The records office is of course 99% to blame for their incompetence here, but it is still a bummer for the people who trusted them, and better not to look.


In our version, though, the system can require you to show whatever ID or authentication the designer decides, so how can any process as simple as changing an ID in the URL be fraudulent? In this example the person who browsed other plans either wasn't asked for any ID or the person fetching the documents didn't check authorization. Either one is negligence on the department's/site's side.


> In real life, if you do it under false pretenses, you are.

Sure, but how is that relevant? What material false representation was made which was relied on in deciding to provide the data?


Because servers don't decide anything. They're autonomous systems imperfectly carrying out the will of humans who make the actual authorization decisions. If a computer system erroneously prints an extra 0 on a check mailed out to you that doesn't mean you get to keep the money because the computer isn't the entity that decides how much money you're owed.


> Because servers don't decide anything.

If there was no decision, much less one based on materially false information, there can be no charge related to false pretenses. Your argument against decisionmaking is an argument against your claim of false pretenses.

> If a computer system erroneously prints an extra 0 on a check mailed out to you that doesn't mean you get to keep the money because the computer isn't the entity that decides how much money you're owed.

That's neither entirely true nor at all relevant to your false pretenses claim.


Accessing data that you are not authorized to view is still wrong. The fact that someone has misconfigured the access controls doesn't change that.

I might forget to lock my front door one day, but that doesn't make it ok for you to wander into my house and look at all my stuff.


Well in this case I'm knocking on your door and you're opening the door saying "Come right on in!"

Requesting access (i.e. knocking on a door/typing a URL) is not illegal. If you grant that request (i.e. invite me in/serve a webpage), I am under no obligation to psychically infer that you didn't mean to and refuse your invitation.


Unfortunately, it's never that simple. So much of it is about intent.

If I could simply use the excuse "well, the computer gave me the information", then there would be no such thing as hacking. It's always a case of the computer sending the information to you.


It's not about intent, it's about authority. If I have the authority to access something, it's legal for me to access it, regardless of my intent. I may be breaking other laws depending on what my intent is, but it's not hacking.

Compare to a restaurant: simply walking into a restaurant is not illegal, but an owner can restrict access and ban someone from their restaurant. It takes no technical skill to break into the restaurant, the door is wide open, but without authority it is trespassing. However, it is on the owner of the restaurant to actually ban someone. For a public space, be it a restaurant or a webpage, by default you are permitted access. Attempting to enter a restaurant you've never been to before is not breaking and entering, nor is accessing a URL hacking.

If a website has some user agreement saying you will not access certain portions, or even if there is just a notice on a website saying this site is not public, then they have done all they need to do to revoke someone's authority, even though they would be incredibly easy to "hack." But as laid out under Van Buren v US, you don't lose authority to access things simply because you possess some intent undesirable to the owner. If you invite me into your home and I sleep with your wife, I haven't trespassed; if you tell me to get out and I don't leave then I have.

Further, there's a distinction between accessing something by normal, legal means and accessing something by other methods. For example if you invite me into your home only after I give you a false identity, I'm trespassing because I was never legitimately given authority to enter. Likewise if you hack a system with say a stolen password, you don't have authority to access the system no matter how easy it was. But if you grant authority to someone without them having to do anything nefarious, then they have authority regardless of whether you should have done it or not. If you have something sensitive, don't put it in a place (in the real world or online) where authority to access is granted automatically and without oversight.


If I send an HTTP request, and the server (who I believe is acting on behalf of the publishing party) sends a 200 OK response along with the data, how am I to conclude I wasn't authorized? Since when is authorization the client's responsibility?


Yep.

Send me a 401 (or a 403) status and I’ll know I’m not authorised.

In the physical world, nobody would lawyer up and go to court if someone walked through an open door with a sign saying “public entry here” and saw something confidential.

If you have confidential information around in the physical world, you make sure you have facilities staff who know the difference between “public entry here” signs and “authorised personnel only” signs. You also have facilities staff who know how to fit door locks and door closers, and security staff who know how to choose appropriate locks and to enforce compliance of locking doors. And if all that breaks down, it’s not Joe Concerned-Citizen who tells you about it, or even Mallory from your competitor who waltzes out with trade secrets who gets held to account, it’s the manager and/or executive in charge of facilities and security who’d be answering the difficult questions, probably with their lawyer at their side.

It's sad that the legal system hasn't yet started to hold people to account for having incompetent web developers and server operators.
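The "send me a 401 or 403" point above, and the earlier remark that the person fetching the documents didn't check authorization, as an added example that is not code from this thread or from any marketplace site: a minimal Python model of an "ID in the URL" endpoint, with the handler that only authenticates (the flaw being debated) beside one that also authorizes the caller for the requested employer. The path shape, account names, employer IDs and plan records are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data for the example. Employer IDs and account names are
# made up; the "ssn" fields hold placeholders, never real values.
ACCOUNT_EMPLOYER: Dict[str, int] = {
    "alice@acme.example": 1001,
    "bob@globex.example": 1002,
}
PLANS: Dict[int, dict] = {
    1001: {"employer": "Acme", "employees": [{"name": "A. Example", "ssn": "<placeholder>"}]},
    1002: {"employer": "Globex", "employees": [{"name": "B. Example", "ssn": "<placeholder>"}]},
}

# Assumed URL shape, modelled on the "numeric ID in the URL" pattern the thread debates.
PLANS_PATH = re.compile(r"^/employers/(\d+)/plans$")


@dataclass
class Request:
    path: str
    session_user: Optional[str]  # None means no login session


Response = Tuple[int, object]  # (HTTP status code, body)


def parse_employer_id(path: str) -> Optional[int]:
    """Extract the employer ID from the path, or None if the path has another shape."""
    m = PLANS_PATH.match(path)
    return int(m.group(1)) if m else None


def vulnerable_plans(req: Request) -> Response:
    """Insecure direct object reference: the handler authenticates the caller
    but never checks whether the employer ID in the URL belongs to them, so any
    logged-in user can walk the ID space and read every employer's records."""
    if req.session_user is None:
        return 401, "login required"
    employer_id = parse_employer_id(req.path)
    if employer_id is None or employer_id not in PLANS:
        return 404, "not found"
    return 200, PLANS[employer_id]  # served no matter who asked


def hardened_plans(req: Request) -> Response:
    """Corrected handler: authenticate, then authorize the caller for the
    requested employer before touching the record. The ownership check runs
    before the existence check so the status code never reveals which IDs exist."""
    if req.session_user is None:
        return 401, "login required"
    employer_id = parse_employer_id(req.path)
    if employer_id is None:
        return 404, "not found"
    if ACCOUNT_EMPLOYER.get(req.session_user) != employer_id:
        # Authenticated but not authorized for this object: 403, not the data.
        return 403, "forbidden"
    record = PLANS.get(employer_id)
    if record is None:
        return 404, "not found"
    return 200, record


if __name__ == "__main__":
    own = Request("/employers/1001/plans", "alice@acme.example")
    other = Request("/employers/1002/plans", "alice@acme.example")
    print("vulnerable, other employer:", vulnerable_plans(other)[0])  # 200
    print("hardened, other employer:  ", hardened_plans(other)[0])    # 403
    print("hardened, own employer:    ", hardened_plans(own)[0])      # 200
```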


If you make a library open to the public but then get upset they are reading the books, who is in the wrong here?


I generally agree with this, but there is more nuance involved, like what if the library has a sign that says "Keep out"? Does the trespasser then bear some responsibility? i.e. being served a 403, then appending some URL param that grants access. I wouldn't call this hacking, but it's something else, like "digital trespassing"; after all, the 403 is a sign, not a cop. All of this to say The Simpsons did it.


> Accessing data that you are not authorized to view is still wrong.

So if a piece of paper flies in my face and has company secrets and I manage to look at it, I'm at fault here?

> I might forget to lock my front door one day, but that doesn't make it ok

Sorry but if you're not going to secure your belongings, then expect to be robbed.

Being 'ok' has nothing to do with it.


> Sorry but if you're not going to secure your belongings, then expect to be robbed.

It’s not even “getting robbed” really. Nobody here deprived the owner of anything. It’s more like:

Sorry but if you're not going to secure your belongings, then expect to have people look at your stuff.


A public web service is not the threshold of your home. If you want to make a domestic analogy, it's the box you drop off at Goodwill. You put something in there that you didn't mean to, and you understandably feel violated now that people are browsing it on Goodwill's shelves, but you can hardly blame the shoppers for that.


It's not the point. Of course they built a stupidly insecure system, and of course sending people to jail for finding out such holes is wrong, but on the other hand an ethical person should stop their access to personal data which they are not supposed to see after confirming that the vulnerability exists, and not make copies of said data.


Because you can do a thing does not mean you should do a thing.

If the security system is broken and you do exactly what it should be preventing, then you report it and get upset because they ask questions about you doing exactly what you did?


Say you are invited to your friend's apartment in an apartment building, but none of the apartments have locks. So you decide to open up some other random apartments and look through their things. Who is responsible?


Analogies are never helpful for things like this.

We don't need to reach for analogies to observe that while the theoretical ideal is to report it after just one false access, that no significant damage was done by accessing just a few more via human manipulation of the browser URL, with no recording or sharing of the results. From a human perspective, no damage was done.

Whether that legally crosses a line involves a whole lot of details that few, if any people here, will be able to speak to, because of the complication of the law, and HN's conclusion as to the legality is of marginal interest even if someone competent were to give an opinion.

We can speak to the fact that even if it does technically cross a line, a prosecutor really ought to use their discretion to not prosecute since nobody was hurt. We can say that because that's just an opinion. I expect we don't have very many people here who actually want the book thrown here (though, as always, enough read this that it's probably non-zero).


I don't think quantifiable significant damage should be the bar we use, though that should act to moderate the consequences.

OP admitted to continuing to change URLs in order to check out what plans other companies were getting and what they cost. That means OP downloaded lists of employee names, ages, SSNs, and other data. If I were an employee at one of these other companies, I'd be pissed at OP for that. I'd be even more pissed at the people who built the marketplace website for making the rookie security mistake that allowed it, but it's absolutely not ok to download other people's information when you shouldn't have access to it, and use that to your own advantage.

Sure, I don't think this is something that should be prosecuted as a CFAA violation with big fines and jail time. That's not a proportionate response. But I also don't think we should signal that it's ok to look at (and use!) other people's data just because someone else forgot to lock it up properly. I think, for example, something on the level of a parking ticket would be appropriate here.

If OP had changed the URL once, found the vulnerability, and then immediately closed the page and reported the problem, I would see nothing bad in what they did. But they didn't merely do that, and IMO crossed the line in their subsequent actions.


There's no evidence from the original comment that anyone invoked any legal lines. Instead, they seem to be upset that the person they reported the incident to asked them questions about exactly what they did rather than being effusively grateful.


I added it, anticipating future comments.


That's not even close to the same analogy though. This would be like knocking on the door, asking if you can come in, and the person living there letting you in. Then getting mad about it later even though they let you in.


More like your friend let you into their apartment but then got upset that you went into the dining room when they only intended for you to go into the living room.


No, this is more like if you asked the landlord to let you in, and then they did, without the permission of the tenant. The tenant would completely be within their rights to be angry about that. Both at you and the landlord.


I think that's a valid response if the person letting you in wasn't expecting you and didn't want you there. Like, what are you doing knocking on random doors and going into random places just to look around? That's not honest behavior. Honest behavior is that if you know you're not supposed to have access to a thing, you shouldn't obtain access to the thing even if you technically can. I think it's pretty clear that you shouldn't have access to another company's healthcare plans. The first one is a mistake, maybe. The subsequent browsing and comparison shopping of restricted materials is definitely not okay though, and the harsh, suspicious response was warranted.


>if the person letting you in wasn't expecting you and didn't want you there.

Then they shouldn't have let you in. How are you completely absolving them of responsibility when all they had to do was say "Who the hell are you? No, you can't come in."


Well, to go with the analogy more: I leave my door unlocked because I'm expecting someone. There's a knock at my door and I yell "Come in" without looking at who is at the door. Not an unreasonable thing, happens all the time. When I finally look, I find you in my house, going through all of my things, for no reason other than you wanted to gain insight on my financial situation.

Do I bear responsibility for letting you in? Yes. Should you be there? No. Should you have knocked on the door? No. Should you have tried the same at my neighbor's house and every house on my block? No. In this metaphor and in the original context, everyone is acting with honest intent except the actor knowingly trying to access obviously confidential documents.


It doesn't mean I am there illegally though. Maybe I am there for some other reason and I thought you wanted to let me in.


No one said anything about legality. I'm still going to yell at you to gtfo and never come back again, and I don't see why it would be surprising that I would.

Let's drop the metaphor. The original story was that someone accessed a number of documents they weren't supposed to but technically could, and the question was whether or not that it was reasonable that the owners of the documents were upset with that.

I argue there was good reason to be upset given the facts on the ground. In this particular situation, the original poster was there to access their own document. Having accessed someone else's document, that would be the point at which the behavior crosses from legitimate to illegitimate if it continues. Leaving at that point would be one appropriate response. But systematically going through a number of different documents goes beyond a mistake and into the realm of intentionally exploiting this security issue for unauthorized purposes. That's when it crosses from "honest mistake" to "dishonest exploitation".

I have no idea about the illegality of the issue. But the fact is plain that this person was not the intended recipient of the documents, they knew they weren't the intended recipient, and then after realizing the nature of the exploit, they continued to use it.

This is not the same as knocking on a door for a legitimate reason, being let in, and then the person inside being mad you're there. It's knocking on a door for no reason or a malicious reason, knowingly doing something inside the resident doesn't want you to do, and then wondering why they are mad at you.


The only person to be upset at is the one who didn't put access control on the site. That was a publicly available endpoint. The better analogy is putting something private on a public bulletin board and being mad if someone read something you didn't want them to.


A billboard is a broadcast message though, whereas an HTTP request is more like a back and forth exchange between two participants. So I think the original knock->response->enter is a better metaphor.


You let me in knowing exactly who I was. You showed me some stuff I wanted to see, but sitting right next to it, out in the open, was stuff you didn't want me to see. All I had to do was look somewhere other than where you were pointing, and I did that. And then you got mad at me for looking at the stuff and called the police.


> All I had to do was look somewhere other than where you were pointing, and I did that.

The way you phrase this makes it seem like accessing the documents was a mistake. Maybe the first one was, but I think the thing you are missing about the OP's story is that the behavior was repeated. I think the first instance was arguably okay. But subsequent access with the knowledge that what they were accessing was not intended for them is in my eyes beyond a mere misunderstanding.

You also have to remember that having physical or digital access to a thing is not the same as having permission to view the thing. For example, if a "Top Secret" document is delivered to your house with your name and address attached to it, if you read it without the appropriate clearance you will still be in trouble. The legality of such a thing is well established in that case, but the principle is the same: even though you have access to a thing and all you have to do is move your eyes in some direction to see it, the act of seeing it is still at minimum an ethical breach (why are you looking at things that you know don't belong to you?).

I guess this is the fundamental philosophical and ethical question: do you believe you are entitled to know any information as long as you have the technical ability to physically or digitally access that information? What if I have medical records on a screen in a room you are in, and all you have to do is move your eyes over to see my most personal info? Are you entitled to read that information because it's visible to you? Or do you think you owe it to others not to breach their privacy even though you have the ability to do so? Would you be mad if someone violated your privacy, and then retorted with "well you should have implemented some better technology to prevent me from moving my eyes in that direction"? I guess in that scenario you would have to blame yourself and your technological abilities, and not the person violating your privacy.


I was thinking of a similar analogy but I don't think it holds.

The right analogy would be if I was in the apartment complex and I said to a door not mine "I'm home open up!" If the door opened and I did it intentionally, am I liable?

I still feel like yes but since you have to request the document and receive it I think it's different than just checking locks.


I think we're all grown-ups here and don't need analogies.


People of all ages suffer from confirmation bias. Analogies can be useful because they allow someone to appreciate the logic of an argument while temporarily dissociating from strongly-held opinions. After the framing moves back to the question under debate, the logic might stick. At least all parties might understand everyone’s perspective better after a few analogies are exchanged.


The analogies in this thread are mostly only furthering confirmation bias.

Because any physical analogy is such a poor representation of how a website actually works, everyone just cherry-picks the analogy that demonstrates the logic they believe should apply, and then tries to constrain the argument to that logic via analogy.


Not if everyone constantly shifts the analogy so their argument still works ;)


Indeed -- it is like if arguments were things to transport, and analogies were cars... wait, no, they are railroad cars.

So the argument is a heist occurring on a train, so we've got the thing that we're trying to heist (which would be our point) and then we're shifting it from one car to another. And some of the analogies here are clearly like passenger coaches, but others are more like those... coal transporting car, whatever they are called... and at some point we move to the inappropriate railroad car and drop the point in the coal which obscures it.

Anyway, the point is that at some point you really just hope that some conventional train robbers will show up and derail the whole thing because it has gotten too convoluted to follow.


A closer analogy might be if none of the apartments had doors, would you be allowed to step inside.


the web isn't a collection of personal apartments


I think in this example both are equally responsible:

1. People who kept their doors unlocked

2. Person who randomly entered doors & found things.

We need to take care of security of our properties, though stealing is wrong.


Nope, opening an unlocked door is still considered break&enter. AFAIK, the "unlocked door" can even be a beaded curtain. Turns out that the legal definition of "break" in this context is extremely old and doesn't correspond to lay usage anymore.

But I think that a better analogy would be asking the apartment manager to see your payment history and getting handed the entire apartment building's ledger.


More like - you go to a supermarket bathroom, checking each stall, and find one person pooping without the door locked.


Being wary of the guy, sure. But it's a terrible response in general. The correct response is to take the site down! Monitoring IP addresses? Really?

First, it's trivial to just use a different IP address. Second, even if you could track people perfectly, which you can't, who the hell thinks it's okay for data to get leaked as long as you know who it gets leaked to?


It’s not a nice response, but IT needs to be able to answer questions about the extent of a given breach (what info was accessed by whom and when). This is a legal requirement in the case of health information. Ideally people could be courteous while fulfilling their legal obligations, but IT folks aren’t generally chosen for their public relations or customer service skills.


Yes, and they need to do that based on the forensic data available to them, even if the answer is “we don’t know, it could be everything.” Asking the person who caused the breach to explain the extent of your data loss is not an acceptable, or reliable, practice.


I don’t expect that it is sufficient, but it probably gives the IT person something to tell their boss in the short term: “We’ll verify, but he says he only accessed X”.


If he can monitor IP addresses to make sure this guy isn't browsing anymore, then he should be able to check those same logs to answer his own question. If you want help from people who have zero obligation to help you, then you should probably be nice to them. The nefarious criminal isn't going to report things like this to you.


I already agreed that this doesn’t warrant unkindness.


Assessing the scope of the breach, sure. "Fixing" the breach by monitoring a single IP address's access patterns, not so much. The site needed to be taken down till a mitigation had been deployed.


Agreed.


In those situations you get a third-party in for forensics, you don't typically ask the people who breached how large the breach is (why would you take them at their word anyway? aren't they incentivized to downplay, etc).


Vehemently agree. The response demonstrates, if nothing else, the lack of an appropriate Incident Response Plan. A competent legal team would not vet and approve such a response, instead redirecting it through the appropriate channels if they felt the need to respond directly.


> After I shopped a few other companies to see how our plans compared

Yeah, once you start using a vulnerability maliciously to obtain confidential data for your own personal gain, even if it's a stupid vulnerability, you're not really a good-guy security researcher anymore.

If all you did was the bare minimum to demonstrate the vuln exists, that's cool. If after you do that you continue to use it to obtain confidential info for your own gain or curiosity, that's not so cool.

> Perhaps it's more difficult to hold yourself accountable than it is to assume that others who've found your shoddy work are malicious actors.

You literally just admitted to being a malicious actor in the paragraph above.


Language cheapens itself when spoken cheaply. Abusing over-the-top terminology on minute areas of controversy will ultimately lessen the impact of your outrage when something actually bad comes along. Someone browsing healthcare plans available to other employees of different companies is not something that should win you the label “malicious actor” and come associated with other implications. This data leaking harms literally nobody other than perhaps the company offering the worst coverage to its employees. Your response is the real problem here: if I had done this, reported it, and then been called a “malicious actor” on a forum titled “Hacker News”, my knee-jerk response would just be to shut up about it next time.


I used the word "malicious". It's not like I used the word "murderer" or "evil overlord". I'm not saying OP should go to jail or anything.

All I'm saying is if you find an exploit, and after you verify it works, you continue to use it for your own personal ends, you're no longer benign and you shouldn't expect a warm welcome from the security team.

The line is when you start to use exploits on computers not owned by yourself for your own ends instead of for the purpose of verifying and reporting the vuln. Sure you could cross that line a little bit or a lot, but you're not innocent if you're over it.


> you continue to use it for your own personal ends

I think this is what people may have been missing from your original post: at some point things can go from innocent to malicious.

"Crime of convenience" is the most common type, after all.

"I'm not the type to steal, but the cash was left on the counter, and …"


> ... and you shouldn't expect a warm welcome from the security team.

The appropriate response from the security team (after verification) is to pull the site down or immediately patch the vulnerability, if possible. Making an outbound call to a third-party is pointless and irresponsible.


I imagine having an assertion that the person didn't keep any of the data might be important to legal. (IANAL)


Browsing the different plans is not malicious. Jesus.

And the details of different plans is not the kind of confidential info that innately deserves protection. Investigating or recording personal information would be bad, but they didn't do that.


Exactly... for them to "benefit", they would have to:

Apply for jobs at the other companies with better plans, proceed with interviews, offers and then finally accept one and quit their job at their current employer... To reap the rewards of their malicious hacking...


More directly, they as employees could pressure their bosses to renegotiate the insurance contract.


It wasn't just plan details though... They accessed names, SSNs, etc.


Not on purpose, and they didn't keep or memorize it.


The GP comment says "After I shopped a few other companies to see how our plans compared". That sounds pretty "on purpose" to me.

What does "keep or memorize" have to do with anything? They intentionally abused a misconfiguration to view private information.

I think it's reasonable to disagree about the ethics of that, but I don't think it's really debatable that it was intentional.


They were intentionally viewing plan information. The personal information wasn't the goal and wasn't retained.

"private" information is too vague of a term.


> malicious actor

Malice implies intent. If we take the author at their word, there wasn't any, though you could say they took it too far by looking at other stuff when they probably knew it was ethically wrong to do so.

Though, sometimes it isn't clear you're in compromising territory until you're in it.

If any of the confidential information obtained wrongly gets used to advantage … that's malice.

If the parent set out to exploit the insurer by finding inconsistent/unfair pricing, etc etc … that's malice.


Hmm. You make a good point. Fair enough.


You lost me at "maliciously".

What harm was done by someone comparing prices? What organization lost money? Who got worse health service?

"Unethical" and malicious is the current, profit-driven health insurance system.

I know you're coming at it from an absolutist perspective, but I disagree entirely with passing judgement.

Furthermore, the fact that you seem more upset with the person who glanced at a few plan prices rather than at the healthcare system, or the incompetent website operators, is telling.


I definitely agree that this is not a big ethical breach in terms of magnitude, but it is still better not to look. Apparently this is not intended to be public information. If this information is private, I guess the companies want to derive some (slight) competitive advantage from not sharing it. I think you could make a strong argument that companies should make their healthcare offerings public knowledge, but they aren't currently (I guess?). In any case, access should be granted on the basis of an even playing field.


>What harm was done by someone comparing prices?

It removes the information asymmetry, which protects the profits of the seller.


Exactly. So, no harm to any real people.


If you accessed my medical records, nobody would be “harmed” as they are fairly normal. It would still be wrong.


Because it would be a privacy issue. But that assumes they're looking at your information on purpose, and not just some price tags.


Oh no, not the heckin' confidential insurance negotiations! What's the worst that can happen by those being exposed?


Quote from the St Louis Post Dispatch article is even more groan-worthy:

In the letter to teachers, Education Commissioner Margie Vandeven said “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”

I guess webpages are kinda like encryption for idiots.


We live in a world where everyone thinks they understand computers and have an expectation of security and privacy, but they don't realize how hard it is to build these systems correctly. The best security appears to be invisible to the consumer, but requires a lot of thought by the implementer.

This is the same reason why I think most of the general public don't understand how much data social media apps can collect on them. I know a lot of average technology users who allow every single permission whenever an App asks them, because they're like "obviously it's not going to do any harm", without realizing how every action they take is recorded in a database somewhere, which will get compromised sometime in the future.

I'm not a mobile developer, but it would be interesting if iOS provided a service that allowed data to never leave the phone and provided an API for Apps to get particular types of data and showed warning levels in the App, each time more sensitive data is accessed. The App store needs to be a place where if I download an App from, I need to have the peace of mind that it won't cause more harm than good.


> I'm not a mobile developer, but it would be interesting if iOS provided a service that allowed data to never leave the phone

I'm not sure I follow. Do you mean the app wouldn't be allowed to send any data over the network? As soon as the app can send any data, it's trivial to hide in there whatever the app wants to send home.


My idea is that Apple encourages Apps and features / adds badges for those apps that only store data locally. The local storage should be able to identify different types of data. They provide an API that allows data to be queried so that whenever an App queries some critically confidential data it throws a big warning.


The developer would just query the sensitive field either immediately or at a seemingly reasonable moment (along with dozens of other sensitive and non-sensitive fields), put everything into a blob, and then send it to the server as an opaque web request to some innocuous looking endpoint like POST /login.

You either have to completely trust the developer today and forever after, or you need to make some fundamental advancements in homomorphic cryptography. "Secure data store that can be queried with a permissions box" doesn't work.


> it would be interesting if iOS provided a service that allowed data to never leave the phone

But it would probably be even more interesting if you could send out, say, the address of a Web page you wanted to see in your browser.


> but they don't realize how hard it is to build these systems correctly.

In this case, it sounds like the SSNs were included in their entirety in the HTML. My first response is that it's a stupid and obvious mistake, but I think it might be too suspiciously easy to only blame the developers here.

I think we have a larger problem - which is that there's a hidden cost to adding extra layers of magic to software. And on the web, we seem to just not be able to help ourselves. The cost is that developers often skip actually understanding how the new layers work. And the abstractions are leaky with respect to performance and security, and sometimes functionality.

It's easy to imagine how this bug slipped through. They had a database query which fetched the data for rendering. Then they used some "magic" framework which does server side rendering & hydration. So the server sent the JSON it used to render to the client to dehydrate the page, and that JSON happened to include the raw database rows (with SSNs). The system is magic enough so you don't have to understand how that process works; but not magic enough to protect you from the consequences.

Junior devs use the magic anyway and get stuck, or make mistakes like this. Senior devs feel like we have to learn everything and get overwhelmed.

Other examples of this:

- Recently I wanted to use some Rust code (compiled to wasm via wasm-pack) in a Svelte project with Snowpack or Rollup. I know how to include wasm in a webpage, but the bundlers needed special plugins to handle this. And the plugins for wasm are half-baked, poorly maintained and janky.

- I worked with a team a few years ago who was using some graphql wrapper around contentful. (Before contentful had an official graphql endpoint). The wrapper was very good, but we needed to run some queries that weren't supported by the wrapper. This was close to impossible. Nobody on the team was strong enough to read the graphql code to figure out how to solve our problem. I did it eventually - via some custom endpoints. But I shouldn't have. After I left the team had no idea how to maintain or modify the code I wrote, and they were entirely stuck.

- The "web obesity crisis" comes from projects pulling giant amounts of JavaScript into their webpages. Our tooling makes this easy (npm install) and safe (incompatible versions of the same package are included separately). So it's easy to end up with libraries like web3, which include about a dozen different versions of bn.js, resulting in 2.3 MB of uncompressed JS which takes nearly a second to parse on a modern computer. [1] https://github.com/ChainSafe/web3.js/issues/1178

I don't know what the answer here is, but I know when I was writing qbasic as a kid it wasn't like this. Maybe we need to stop going "up the stack", and instead go sideways - throwing things out as we add more. I worry this whole problem will get much worse before it gets any better.


> echo json_encode($search_results);

This is how I found out how much I, and all other contractors, were being paid. And also how much the contracting company was actually charging the clients. All the data was being returned in a JSON, but very little was being displayed.

Looking at the story, this is more of a posture thing. I'm sure the Governor is surrounded with people who can tell him that no hacking took place, but why miss an opportunity to show you take the privacy of Missourians to heart.


wow, what fraction of websites leak data I want to look at? should I be poking at every non-tech-giant site I go to?


You will be surprised. Do an "Inspect Element" and have fun filtering on "XHR requests". Notice the JSON that a lot of those requests return. But sshhhh, you didn't hear this from me.


With the move to client-side rendering, too many. The backend becomes dumber and dumber and all logic such as filtering data moves to the frontend. You'd be surprised what you can find poking around at APIs that client-side apps use.
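The three comments above (the guess that a hydration framework shipped the raw database rows, the `echo json_encode($search_results);` anecdote, and the point that filtering has moved to the frontend) describe one defect: the server serialises whatever the query returned and trusts the client to show only part of it. The following is an added example, not code from any commenter or from the Missouri site, written in Node-style JavaScript. The column names, the `__INITIAL_STATE__` hydration variable and all rows are constructed for illustration; the SSNs are fake. It places the leaky renderer beside a version that projects rows onto an allowlist before serialisation, and adds the check a test suite can run over rendered output.

```javascript
// Added example (not from the thread): over-serialising query rows into a
// server-rendered page, the allowlisted fix, and a check for the leak.
// Every row below is constructed; "ssn" and "home_address" are assumptions
// standing in for whatever private columns a real table carries.
const DB_ROWS = [
  { id: 101, name: "A. Teacher", certification: "Elementary 1-6",
    ssn: "123-45-6789", home_address: "1 Example Rd" },
  { id: 102, name: "B. Teacher", certification: "Math 7-12",
    ssn: "987-65-4321", home_address: "2 Example Rd" },
];

// The fields the search results page actually displays. Anything not
// listed here must never reach the response, whatever the query returned.
const PUBLIC_FIELDS = ["id", "name", "certification"];

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Serialise a hydration payload into a <script> tag. Escaping "<" keeps a
// value containing "</script>" from terminating the tag early.
function hydrationScript(state) {
  const json = JSON.stringify(state).replace(/</g, "\\u003c");
  return `<script>window.__INITIAL_STATE__=${json}</script>`;
}

// Defective pattern: the visible list only shows name and certification,
// but the whole row set is handed to the client as hydration state, so the
// hidden columns end up in "View Source".
function renderLeaky(rows) {
  const items = rows
    .map((r) => `<li>${escapeHtml(r.name)} - ${escapeHtml(r.certification)}</li>`)
    .join("");
  return `<ul>${items}</ul>` + hydrationScript({ results: rows });
}

// Hardened pattern: project each row onto the allowlist before it leaves
// the server. An allowlist is chosen over "delete row.ssn" because the next
// schema migration adds a column nobody remembers to delete.
function toPublicView(row) {
  const out = {};
  for (const f of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(row, f)) out[f] = row[f];
  }
  return out;
}

function renderSafe(rows) {
  return renderLeaky(rows.map(toPublicView));
}

// Defender-side check: fail a test (or a response filter) when anything
// shaped like a US SSN appears in rendered output. Cheap to run in CI over
// every page that renders query results, and it would have caught this bug.
const SSN_PATTERN = /\b\d{3}-\d{2}-\d{4}\b/;
function leaksSsn(html) {
  return SSN_PATTERN.test(html);
}

// Usage: run both renderers over the same rows and compare the check.
function demo() {
  return {
    leakyLeaks: leaksSsn(renderLeaky(DB_ROWS)), // true
    safeLeaks: leaksSsn(renderSafe(DB_ROWS)),   // false
  };
}
```

The visible HTML is identical in both cases; only the hydration payload differs, which is why a reviewer looking at the rendered page never notices and why the check has to run on the raw response body rather than on what the browser displays.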


Careful, son, you're quickly entering elite hacker turf.


Don't worry, I only do all this behind 7 proxies. Plus I called Google and they know all about it.


The analogy is going up to a house and checking all the doors and windows to see if they are locked. That's rather like port scanning, a form of 'poking'. If you go to a state government web site and do that, even if you don't exfiltrate data or load it up with ransomware, it's definitely very shady behavior, although it seems there are no laws against it in the USA (some ISPs will ban users caught doing this however).

Obviously if you broke into someone's house and then asked them to pay you for your 'vuln discovery', err...

However, I think looking at HTML code on a public facing web page is not that. If you hang naked pictures of yourself on your front door, you don't get to complain when people take pictures of them.

1. https://www.calyptix.com/top-threats/port-scanning-legal-ans...


The data was sent to my browser. The more fitting analogy to me is that I get a letter and a huge pile of documents in a giant binder. Some of the documents are referenced in the letter. Now the sender gets upset because I started looking at the documents in the binder that weren't referenced in their cover letter.


Sorry to add some more to my own analogy: some of the unreferenced pages in the giant binder also sometimes will contain wiretapping devices.


Last year, when a Nintendo Switch was difficult to come by, I found that a large retailer’s API returned exact stock counts (and even restock dates in some cases) for any physical store you wanted. Got a Switch for myself and a couple friends in an afternoon.


Nothing, and I mean nothing could give me a grimmer impression of cops' abilities to deal with tech. I guess all of the technically capable cops are busy installing government surveillance systems.

About 12 years ago, someone smashed the window of my car and grabbed my messenger bag, including my cheap prepaid smart phone and shitty laptop— I was a line cook at the time, and those were my most valuable possessions except my knives. Filed a report and moved on. Hours later, I saw a picture of a person I didn't know standing next to a car with a visible license plate, automatically uploaded to my Facebook account from my stolen phone. I called up the detective assigned to the case, but as soon as I said "uploaded" he said I needed to talk to the "computer guy," who called me the next day. After— no shit— 15 minutes of back-and-forth, this expert absolutely could not understand that I wasn't trying to report the new crime of someone accessing my Facebook account without authorization. He had no clue how it possibly could have been related to a telephone. In 2009.

Before I cooked, I'd worked in support from entry-level call centers to code-level third-tier support. I am completely confident in my ability to explain WAY more complicated technical ideas to folks who've never used computers before... but I just had to give up. I didn't know what else to do. He was possibly the least technically capable person I've ever encountered, and I used to help 90-year-olds remove spyware from Windows 98 machines. I said never mind and hung up the phone. Depressing.


If it is served via https, it is encrypted.

Edit: sorry, forgot the /s


I knew you forgot the /s. If the Governor understood HTTPS and encryption, he wouldn't be penalizing the reporter for "View Source". Clearly he got caught being incompetent and he is doubling down on "how dare you".


Well you see the Internet is not something that you just dump something on. It's not a big truck. It's a series of tubes!


nono - 'view source' is really the 'hack this website' button, it's just called 'view source' to keep the bad guys from knowing about it.


Not once it's loaded by the browser it's not.


Oh shit, I'm reading your encrypted message right now!


You should consider responsibly disclosing this vulnerability rather than posting it here.


It's ok, the disclosure is also encrypted.


No it's not, you forgot to wrap it in an "<encrypted>" tag.


Don't forget the </encrypted> tag or else the rest of the internet's traffic will be encrypted forever.


What a nefarious ransomware attack!


Don't dare disclosing it in Missouri!


I didn't get the joke. Can anybody explain it?


HTTPS traffic is indeed encrypted, but it's encrypted for you, the user.

It's like saying you stole documents from a sealed container when that container had your name on it, it was addressed to you, and you had the key.


if it's in plain text in the html served, it isn't


But if you're enough of an idiot to believe viewing source is hacking, then you're clearly the type who thinks viewing the source is viewing encrypted data.

The actual quote states that the data was first "unencrypted" before viewing the source. This is in fact correct, if poorly phrased, but who'd expect proper terms to be used when we're talking about "these" people?


I get what the article says and what the county claims. That doesn't make what the parent said right.


expand the lawsuit to Apple, Google, other heathen browser makers


Just wait. I wouldn’t be surprised.


jesus christ...


yes...?


Get the Escalade


With mustard and mayonnaise on the blades


* https://oa.mo.gov/commissioners-office/news/state-missouri-a...

The State labeling a reporter as "a hacker".

* https://dese.mo.gov/media/pdf/educator-data-incident-commiss...

* https://twitter.com/mocommissioner

The State Education Commissioner refers to the reporter only as an "individual". The Commissioner signs the letterhead "PhD". Sarcastically, I presume the PhD corresponds to the increase in level of correctness, from "hacker" to "individual".


You left out the best bit: "through a multi-step process"


Nice catch... Unbelievable. What isn't a multi-step process, really? The first thing I do in the morning is to make coffee and though I've distilled that process down to its bare minimum so I can do it while still half asleep, it is still very much a multi-step process...


Taking a shit is a multi-step process! The absurdity of the phrase is boggling my mind.


Right click.

View Page Source.

That's 2 steps. Hence, multi-step.


Could do it in a single step with F12. I suppose then you still have to scroll/search to find the relevant nodes... "multi-step" indeed


Option+Command+U

:)


Three steps! What hacker could envision such an elaborate plan?


Don't worry. A listener for contextmenu with a good ol' preventDefault() will stop those pesky hackers!


"unencrypted the source code" means they ran an unminify tool. Very advanced; criminal masterminds. /s


Probably just "View Source".


Probably without comments stripped.


I sincerely doubt it was minified


What meijer said ^^. It’s html, just view source.

Now they’ll sue browser makers for distributing hacking tools.


I can't wait to see the legislation that treats plaintext as encrypted, and goes on to criminalize all written and electronic communication.


We must end all encryption --FBI


Where "unencrypted" means "turned the web page over, and read what was printed on the back of it".

It seems stupid to us, but non-techies just won't understand unless we come up with reasonable analogies.


"Unencrypted" in this context means "did something we don't understand".


Will this definition of encryption hold for HIPAA cases in Missouri?


I feel like not understanding basic things like that should get you fired. The Education Commissioner and Governor of the State of Missouri have demonstrated a lack of understanding of basic technologies. At this point, that means they lack core competencies to do their job, and should be fired.


I would totally not expect an old white guy politician to be up on web protocols. No worries about that.

He either has staffers who told him the real issues and he discounted them to score points, or hired incompetent staffers who gave him B.S., or he hasn’t found anyone to give him the real info. Those are the disqualifiers.

Memories of Mitt Romney appearing to actually dig into tunneling and adhesives during an investigation of Big Dig flaws in Massachusetts. He might have been posturing but at least it was the right posture.


> I guess webpages are kinda like encryption for idiots.

I prefer to call them muggles.


How relevant for education and today. The education commission should have "send a flu shot!" lmfao


From the article, it sounds like nothing even remotely questionable was done by the reporter who found the flaw:

> "According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages."


We've always known that using DevTools was a criminal activity. In fact, the sheer number of people using them places this at criminal conspiracy levels. Better start filing those RICO cases against the browser devs. /s


The US Government has a STIG (Security Technical Implementation Guide [1], a government-proprietary term for "IT policy") that requires that you disable Dev Tools in IE [2], Edge [3] and Chrome [4]. Their justification (from [1]):

> Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used. When debugging or trace information is enabled in a production web browser, information about the web browser, such as web browser type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any back-ends being used for data storage may be displayed

I wish I were making this up.

[1] https://en.wikipedia.org/wiki/Security_Technical_Implementat...

[2] https://stigviewer.com/stig/microsoft_internet_explorer_11/2...

[3] https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/fi...

[4] https://www.stigviewer.com/stig/google_chrome_current_window...


I can think of at least one legitimate reason to block the dev console. There are these posts I've seen over the years that say to "press the hotkey to open the JavaScript console, and paste this JavaScript blob" (obviously in much more persuasive terms) to get a discount on Ray-Bans or something. Disabling it prevents a possible information leak vector.


There's a legitimate reason for doing _almost anything_ - it's a question of likelihood, impact, and knock-on effects.

I can only imagine how much taxpayer money has been set on fire by developers having to debug single-page applications running on these systems without the aid of Dev Tools... these types of material wastages are created in an imperfect attempt to prevent the mere possibility of something that could be more effectively mitigated through training and web content filtering.


I've never seen one in the wild, thought it would be interesting to see what they want you to paste into the console, probably something to transmit them your session token. I know Facebook has a huge warning about it when you open devtools on their site.


Yeah - they added that warning because of these precise things. I haven't kept one around but I've definitely seen them since I fell for it many, many years ago.


This seems really lazy. Duh, it's gov't, but I'm talking about the attacker. If they can use JS to gather all of that info to display in the console hoping to get a user to read it back to them or whatever, why not just save it all and submit back via ajax?


How dare you do "View Source", you hacker.


What's "view source", some kind of hacking instructions? Sounds like you're abetting.


As long as you're not aiding at the same time. Aiding & abetting is a no-no. Aiding OR abetting is not claimed to be an issue.


you mean Aiding XOR abetting. consider the forum.


why does it have to be exclusive? If both are false, then there's no confusion on making a charge. If only one is true, then someone being lazy might think it matches.

along your lines of considering the forum, wouldn't it need to be aiding && abetting? i don't know how to bitwise compare aiding to abetting.




In all seriousness, considering Google's track record of discontinuing useful services and features, I expect Chrome to drop View Source any release now. It will be a sad day.


That would also be the day people would have a far harder time optimizing for Chrome. So they'd probably actually help the browser market by doing so.


Who browses the web without the DevTools exposed by default? I don't know how to make the web work without "fixing" web pages before attempting to read them.


Who browses the web with Dev Tools exposed by default? Why do you feel the need to "fix" every web page you look at?


websites attempting to poorly comply with cookie banners and other GDPR regs that block a site from working without accepting something. I just display:none the offending elements and then remove the overflow:hidden. Disabling JS usually works, but sometimes the images in the page are lazy loaded via JS and will not load without.


Thanks for playing, but I do not use Chrome. Also, I'm a bit perverse in my enjoyment of doing this on my own.


Can websites fingerprint visitors by the particular set of browser extensions/plugins/whatever they have installed? If so, wouldn't extensions such as this one be self-defeating, once you have a handful of them?


FYI, that's not the View Source feature.


No, but it's infinitely more useful. All of those SPAs that have 4 lines of HTML when View Source is used, but the Inspector shows exactly what elements are currently in the DOM that have been loaded by JS. Of course, you're aware of that just like I'm aware of the difference in tools.


I think "view source" was actually invented by the Russians, then leaked by "4chan" - They're an individual, not a group.

You probably got it mixed up with Lunix, that was invented by "4chan".


Completely tangential, but have you seen LUnix (Little Unix)? It's actually pretty impressive for something on the C64. Full on preemptive multitasking seems pretty impressive for something as little as the Commodore.

https://en.wikipedia.org/wiki/LUnix


I hadn't, but I may be trying to rig that up in an emulator later, that seems awesome!


I've only played with it a bit, certainly not enough to make any real definitive statements about it, but I think for what it is it's pretty impressive...stuff like that always makes me wonder why Commodore wasn't more successful [1].

[1] I know LUnix didn't come out until 1993, so it would have been too late to save Commodore, and certainly past the C64's prime. It just demonstrates what the C64 was capable of.


Counterpoint that might get some attention:

"The Governor is in possession of software on his personal computer that allows him to decrypt the personal details of thousands of constituents who may have voted for or against him."

The "software" being a web browser, of course.


> you hacker

What a "hacker" is is a matter of definition.

But, the fact is the state was using "encryption" with such a level of security that pressing one button on any computer with a browser is all that is required to defeat it.


And I'll bet even the governor has access to this decryption software - he's got it installed on his phone, even! He must be hacking on the go.


Better hope they only used View Source. Could you imagine the federal crime of using curl or wget to retrieve this data?


Some serious Jedi business going on here


That's why at my current client, DevTools in the browser is blocked through Group Policy...

/not sarcasm, I wish I was joking...


Translation: search for a certification on the public website, receive an SSN in response. Only 'hacking' by reporter was to then press 'Ctrl+U' in the browser and read the characters.


He used the basic reading skills that are taught in every public and private education system in the country to hack us!


Imagine if the reporter had used curl…


Oh that is so bad.

It's events and negligence like this that give credence to credentialing requirements for software engineering.


Imagine if we had credentialing requirements for elected office…


I don't think the issue is that elected officials are dumb. I think it's the opposite, most are quite intelligent. It's more that they are evil/corrupt/self-serving, and acting dumb is part of how they get away with it.


We do. It's called an election. What you want is credentialing requirements for voting.


And the US used to have them too. The basic approach was that if you have land, you have a stake in the future of the republic. It was debated as to whether the landless would have the same stake.


I'm pretty sure I want credentialing requirements for anyone running for any public office. I'd settle for automatic exclusion of anyone displaying narcissistic, psychopathic, or sociopathic tendencies and inclusion of rational pragmatists.


I would also "settle" for picking the people I like.

Also, pretty sure that you have to be at least somewhat narcissistic to think that you should be president, and somewhat sociopathic to actually succeed.


Like redacting a public document by making the redacted parts have a black background with black text. If people can't see it, it is secure.


Tell me if I'm reading this wrong. I want to be reading this wrong.

Is this saying that when you viewed a certain page (which I assume had only one person's SSN visible, or perhaps other teacher information like names), the "invisible" SSNs were just hidden with `display: none` or similar?


I think what actually happened is that there was a page where you could get information about a particular educator. In the HTML source the server returned for that page private information about *that educator* was included in non-displaying elements.
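The flaw described in this thread is markup that carries private data the browser never shows. As an added example, not code from any commenter or from the state's site, here is a check a web team could run over its own responses before release: it parses a page and reports every SSN-shaped string in the source, noting whether it sat in a comment, an attribute, or an element a browser would hide. The sample page is constructed for the example.

```python
import re
from html.parser import HTMLParser

# SSN-shaped token: three digits, two digits, four digits, dash-separated.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Elements that never get a closing tag, so they must not stay on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def _is_hidden(tag, attrs):
    """True if a browser would not render this element's content."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:  # HTML5 boolean attribute
        return True
    if tag == "input" and (attrs.get("type") or "").lower() == "hidden":
        return True
    return False


class SsnSourceScanner(HTMLParser):
    """Records every SSN-shaped string in the raw markup, with where it was
    found and whether a browser would have displayed it."""

    def __init__(self):
        super().__init__()
        self._stack = []  # hidden flag for each open, non-void element
        self.findings = []

    def _record(self, text, where, hidden):
        for m in SSN_RE.finditer(text):
            self.findings.append(
                {"value": m.group(0), "where": where, "hidden": hidden})

    def _in_hidden_subtree(self):
        return any(self._stack)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = self._in_hidden_subtree() or _is_hidden(tag, attrs)
        # Attribute values are part of the source; only a visible input's
        # value="..." is ever rendered, everything else is invisible.
        for name, value in attrs.items():
            if value:
                attr_hidden = hidden or name != "value"
                self._record(value, f"attribute {name} on <{tag}>", attr_hidden)
        if tag not in VOID_TAGS:
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        self._record(data, "text", self._in_hidden_subtree())

    def handle_comment(self, data):
        # HTML comments are never rendered, so anything here is hidden.
        self._record(data, "comment", True)


def scan_html(html):
    """Return a list of findings for every SSN-shaped string in the markup."""
    scanner = SsnSourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def response_is_clean(html):
    """Gate for an integration test: fail if any SSN-shaped value is in the
    markup at all, visible or not. Hidden-but-present is still a leak."""
    return not scan_html(html)


# Constructed sample page (hypothetical educator lookup; all values made up).
SAMPLE_HTML = """
<html><body>
  <h1>Educator certificate lookup</h1>
  <p>Name: Jane Doe (constructed sample record)</p>
  <p>Certificate: 0001234 (constructed)</p>
  <div style="display: none">ssn=123-45-6789</div>
  <input type="hidden" name="ssn" value="987-65-4321">
  <!-- legacy export field: 111-22-3333 -->
  <p>Shown on page: 222-33-4444</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
    print("clean:", response_is_clean(SAMPLE_HTML))
```

The three hidden findings are exactly the kind of data "View Source" reveals without any tooling; the visible one shows the gate does not depend on visibility at all.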


Makes sense. Jesus, though.


> Parson said...the reporter was “attempting to embarrass the state and sell headlines for their news outlet.”

Literally a reporter's job.


The funny thing is, the reporter successfully embarrassed the state, then the state embarrassed itself further in response.


Streisand effect, too. None of us would have heard about this otherwise.


I had already heard about it on a local security mailing list, but most of us on the list would have preferred to be spared the international embarrassment.


Color me surprised.

I really don't understand the whole "double down" approach to doing things.


You wouldn't; neither would most of us on this site. ~50% of the population wouldn't. They are targeting the 50% + 1 of their state population that voted for this man. They are probably doing a pretty good job of it too.


We won’t know it for sure. Most of the state is not technical so it’s whatever the popular media spins it.


Parsons knew what he was doing, he won’t be embarrassed. It’s a Trumpian move to stir up resentment against the “liberal media” – not something meant to be evaluated critically.


This could actually become illegal in the UK. The official secrets act might be amended to make it illegal to embarrass the state...


To quote Yes Minister: "The Official Secrets Act is not there to protect secrets, it is there to protect officials."


A good faith reading of that statement interprets it to mean: the act isn't intended to keep pertinent information away from the public, but to protect the identities of officials who were tangentially involved.

Surely no official interprets it to mean: protecting the public image of officials by way of hiding pertinent information from the public, right?


It is amazing how much truth they stuffed into that show.


The fact that journalists in the UK can and have been prosecuted for publishing leaks is completely absurd. Europeans think the first amendment goes too far a lot of the time, but this is the other side of it.

https://en.wikipedia.org/wiki/New_York_Times_Co._v._United_S...


An Act of Parliament which would ironically embarrass the state in itself. Unsurprising from the same cast of muppets who wanted to use local newsagents to verify your age for internet pornography and make encryption illegal.

It’s not even a partisan thing, it seems like almost all our major parties seem to lose 40 IQ points when the internet is involved. Everyone from Blair onwards has been a tinpot authoritarian when it comes to digital rights.


I don't think they had the IQ in the first place.

More than half of sampled MPs couldn't calculate the probability of two heads in a row from a fair coin.


...because being an embarrassment to the state is reserved for our government


-50 points from your profile


So nearly every pol will have to be locked up.


“I’m going to weaponize the law because you embarrassed us.”


I can't imagine that a large, national organization like the ACLU or CPJ would want to dump tons of money into making this a massive national story should that happen...

Someone about to experience the Streisand effect in FULL force.


In a state like Missouri getting sued by the ACLU is probably something that can be used to win an election and is seen as a badge of honor. They probably welcome it and all it costs them is taxpayer dollars. They really just need to publicize any controversial party the ACLU represented and claim to be standing up to the sorts of people that would defend that behavior.

If they lose in court it turns into a two for one as they get to rail against 'activist judges' and whip their base to go out and vote.


Somehow, I have the feeling the St. Louis Post-Dispatch's lawyers are thinking, "Bring it! We haven't had this much fun in ages."


I'm sure the judges likely to see this case are giggling over what they'll say to the state prosecutors.


Having read opinions by federal circuit court judges on technical matters, it's not clear to me that the judges who will see this case are likely to understand the matter any better than the governor.


And literally protected by the 1st amendment.


It was successful, because I, a non-Missourian, now know about it, whereas in its initial state, this story would have been voluntarily withheld.

Those scheming reporters! /s


>Literally a reporter's job.

And the governor's helping!


I try to be an optimistic person, I really do. I try to remind myself that the sky isn't literally falling, and that the world is a more generally pleasant and peaceful place today than what it has been throughout much of history.

But.

Every time I see something like this, it just about drains my spirit to nothingness. I want to embrace nihilism and just quit giving a fuck about anything or anybody when I see stupidity on this level, and displayed by somebody who managed to get elected governor of a %@%#ng US state. It really is hard sometimes, to not just withdraw into a shell of isolation and decide "fuck it, this world is too damned stupid for me to bother with."

I don't like feeling that way mind you, and I actively try to fight the urge to give in to that kind of thinking, but it seems to get harder and harder with every passing year. Am I weird in this regard, or are other people experiencing this as well?


I'm with you. It is really hard. First big wake up call was Brexit and the election of DJT. Are my countrymen really willing to shit on dedicated public servants and throw away the foundation of our remarkably safe and prosperous world? Sadly, yes, and the Europeans are just as eager; madness everywhere.

I stepped out of public engagement for a while, then moved to Portland when I was ready to get back in. That was a whole new lesson: the lefty/progressive types are just as bad at governing. And the leftist/progressive voters are just as likely as the right to treat politics like a team sport. Portland is more dangerous for black people than Chicago now #BlackLivesMatter. Developers keep pulling out of affordable housing developments because of planning bullshit, and the city thinks it's a good idea to mandate that contractors be women owned. Meanwhile, thousands are sleeping rough.

The politicians are awful, but in a democracy, the fault for that lies 100% with the people. Elected office, like next-door, doesn't make people bad; it simply reflects the rotten core of 21st century civil society.

Absolutely maddening is the lack of interest in concrete policy or actually using data to analyze changes and measure success.

I think I'm about ready to stop caring and have a nice life while my species hurtles towards the great filter. Life and the universe are meaningless anyway.


> The politicians are awful, but in a democracy, the fault for that lies 100% with the people.

Democracy is a convenient way for the ruling class to hand-pick the people who are allowed to run for office and blame the voters for any bad results. There's research showing that there's very little correlation between the policy goals of the voting public and policy outcomes, but there's a strong correlation between policy goals of the ruling class and policy outcomes.


Seems tautological.

If you accept that there is such a thing as a 'ruling class', then presumably the only way to define them is 'the people who get their policy goals accomplished'. Because that's what 'ruling' means.


It seems awfully naive to pretend there isn't a class that generally is catered to by government. They're typically some or all of these:

- in the top .1% of net worth

- in executive leadership positions

- attend elite universities

- frequently possessing generational wealth

I hope this helps.


> The politicians are awful, but in a democracy, the fault for that lies 100% with the people.

Yes and no. Yes in that the politicians are selected from people they represent (in theory), but also no in that once a person becomes a politician, their incentives change and they are no longer representing the people that elected them.

Further, once in power, the systems can be "rigged" into maintaining that power (gerrymandering is an example of this). DJT couldn't become King of America without first becoming president. Once he became president, though, he definitely tried to rig the system to make him, effectively, King of America.


> It really is hard sometimes, to not just withdraw into a shell of isolation and decide "fuck it, this world is too damned stupid for me to bother with."

In moderation, I think this is actually the correct response. Unless you live in Missouri, who cares what stupid things the Governor of Missouri says?

In a previous era, you never would have heard about this story at all. It's just a politician in a minor state trying to score some political points. It's very unlikely they'll actually charge the reporter with anything, much less convince a jury to convict.

In today's connected world, it's easy to get news from anywhere at anytime and be outraged. Sometimes you just have to ignore it for your own sanity.


> Unless you live in Missouri, who cares what stupid things the Governor of Missouri says?

Because that person literally rules over millions of people, the overwhelming majority of which didn’t vote for him (1.7m votes out of the 6.1m population). Right now he is literally threatening state violence against a reporter for looking at a government website that accidentally leaked personal information.


Grandstanding politicians are one thing.

Getting a prosecutor to risk their career on prosecuting a journalist for politics is quite a bit more difficult. Journalists are well aware of their rights, and have lawyers between them and law enforcement.

I think it's dumb, but as a former photojournalist who had a very large oil company (Halliburton) use a very small police department to come after me for trespassing, I can assure you that the newsroom is NOT scared right now.


> Grandstanding politicians are one thing.

But that's what's got me so depressed over the past 5 years or so. It used to be, in the not too distant past, that politicians were embarrassed to be caught in an easily demonstrable lie or stupid gaffe.

These days they just yell "fake news", repeat the lie/gaffe louder and more frequently (which is EXACTLY what the governor is doing on Twitter [1]), perhaps maybe pair it with a catchy slogan, and that seems to be a winning strategy.

1. https://twitter.com/GovParsonMO/status/1448750830857904129


The politicization of COVID was the final straw for me. I have no more faith in humans in a collective sense. I don't see how we can expect democracy to work when people are willfully ignorant of their world and unwilling to do the work to learn.


Welcome to the club. The tipping point for me was the politicization of Covid.


It isn't stupidity. Government officials know this kind of thing will ultimately be a loser for them. But they know the mere threat of putting someone through the process of prosecution is punishment enough.

This is what we need to work on correcting. If a judge laughs your case out of court, there should be a severe penalty, especially if you're the government.


> It isn't stupidity.

Hard disagree. If you're arguing that it's malice, and not stupidity, on the part of governor and others that put out this nonsense, then at least they are surely depending on the stupidity of their constituents at large for not laughing them out of office.

And to be clear, I'm not at all taking the position that people who don't have a deep depth of technology are stupid. But pretty much everyone in the US knows how to use a web browser these days, and believing people will buy the governor's completely lobotomized argument [1] is totally embarrassing, either for the governor or his constituents that elected him.

1. https://twitter.com/GovParsonMO/status/1448750830857904129


I wouldn't say this is the result of stupidity. This is the result of a governor riling up his base by attacking the press.


I think The Good Place really nailed this one on the head: as our world has become more connected, it no longer fits in our heads. It becomes impossible to know for sure what impact we are having, or even what we might want to change.

Basically, we are living inside a spaghetti mess of a civilisation.

But I’ve also spent twenty years working in various big balls o’ mud codebases, at companies that had big systematic problems that got them that way, and in that time I’ve found some strategies that can make positive changes, even under conditions of extreme chaos & status-obsessed executives. And they all start the same way:

Find a coworker, ask them how their work is going, and then really listen.

Don’t go in with any agenda except building a relationship with your coworker. If they have stuff they are proud of, tell them what you like about it. If they have stuff they are struggling with, you can commiserate. You might be able to help, but probably not: you are both living in a giant mess of a disaster world full of incentive systems that push people to behave the ways they are behaving.

But by setting that aside, by prioritizing your relationship with even just one other person over that perverse system that exists today, you are resisting. Authentic, caring conversations that prioritize people over process are radical acts.

Maybe the first person or the first dozen aren’t interested. That’s okay. Eventually you’ll have a second genuine conversation, and now you have two relationships. You can introduce those two people to each other, and suddenly you have a community.

A community can get things done none of us could do alone.

I learned these techniques from the grouchiest, grumpiest old grey beards I worked with, because they were how they built support for the infrastructure they wanted to use. I’ve used the technique for different purposes (livable code, low alert volumes, sufficient time & space to mentor junior engineers into being the mentors of junior engineers, not selling contracts to Palantir, more than two weeks vacation time, fixing user problems before adding shiny new whistles to get the PM promoted, not planning two years of work at once, etc), but fundamentally it is the same. Positive changes start with building a tiny little corner where we set aside our doubt, gather up our courage and build a community rooted in sufficiency and willing to trust.


Read more history! (Especially read what the Wilson administration did to the Socialists - the origin of the phrase "yelling fire in a crowded theater." Many of us would riot if this happened today.) Stories like this have been happening since long before I was born, and will continue to happen long after I die, because voters will continue to elect stupid people some fraction of the time. The correct response isn't nihilism, but constant vigilance, and constant shaming of elected officials who abuse their powers.


The correct response isn't nihilism, but constant vigilance, and constant shaming of elected officials who abuse their powers.

I want to believe that, but after watching the Trump administration and how people seemed to embrace him more and more despite his continuing shameful acts, it's just hard to sustain belief that this all leads anywhere.

Sorry guys, not trying to be Debbie Downer here. I guess I'm just in a shitty mood today for some reason.


> it's just hard to sustain belief that this all leads anywhere

I'm with you 100%. I don't want to be there, but there I am. And sometimes it all feels utterly pointless – civilization, the human endeavour, everything. My particular slippery slope goes like this:

Humanity is going to waste the one-time gift of fossil fuel accreting the already-grotesque hoards of a few hundred individuals. Then these people will die, nothing will have been gained on the whole, and instead of infrastructure which we could have used to pivot to some recognizable future, our descendants will be left with nothing but unrest and some variety of ecological hot potato. And then we will all die out or revert to a pre-technological state, and either way all the gains of science and human ingenuity will be lost.

Is that how yours goes too?

I don't know what to do about all that, but usually I can convince myself that working on some tiny project to help things not go that way is a worthwhile effort. And of course it's pretty much all I can do.

Also here are a couple quotes that help me get out of such perspective ruts:

* "Even though I'm always in pain, it's worth sticking around to make my corner of the world a slightly better place." -Ricky Gervais' character from After Life

* "I cringe at my arrogance. Actually, cringing at my arrogance is just another, more rarified, level of arrogance." -Alison Bechdel

* "Goodness: You got to make it out of badness. Because there isn't anything else to make it out of." -Robert Penn Warren


Yeah, even leaving aside the T-word; there's a broad swath of the US population who are willing to believe anything that is expected of them by their chosen authorities (mainstream Democrats are as guilty of this as Republicans, they just chose different authority figures). Sometimes, insanity is the only sane response to an insane world.


> Democrats are as guilty as Republicans

No they aren't. Not even remotely close. I'm exhausted by "both sides". "Both sides" arguments cause apathy in people because what is even the point in voting if, "both sides".


Yep. It is explicit propaganda to try to keep people from resisting their attempts to guarantee permanent minority rule.


Why is everyone here acting like the governor is merely stupid? He is not arguing from ignorance, he is arguing in bad faith. Mike Parson wants to feed the narrative that the American free press is the "enemy of the people" because it suits his politics, nothing more.

The only message here is "be careful embarrassing fascists."


Nearly all politicians act like this when they're in power. The general public is easily misled.

HN notices it when it's a tech issue, but it happens in economics, medicine, basically everywhere. They have zero incentives to accept responsibility.


Nearly all politicians prosecute reporters? No, I'm pretty sure that is just the fascists.


> pretty sure that is just the fascists.

I’m not from the US, but is it common in the US to use these kinds of accusations? Seems ultra far fetched.


From the extremists, yes, it is common. The "other" side's elected officials are nearly always labelled "fascists". However, the majority of the electorate is smart enough to recognize that it's just a failed appeal to emotion, and nothing more. (except maybe exhausting)


Yes. Most online discourse about politics will eventually have someone claim fascism or make a Hitler reference.

If you aren't among one of the two sides it can be humorous to watch at times.


And there's the 3rd response: the enlightened centrist.


"The creator of Godwin’s Law explains why some Nazi comparisons don’t break his famous Internet rule"

https://www.washingtonpost.com/news/the-intersect/wp/2017/08...

"It’s Time to Call Nazis ‘Nazis’"

https://www.thedailybeast.com/its-time-to-call-nazis-nazis

Chap behind Godwin's law suspends his own rule for Charlottesville fascists: 'By all means, compare them to Nazis'

https://www.theregister.com/2017/08/14/godwins_law_creator_r...

And there's the law itself. Mike Godwin takes pains to clarify that it's not about valid or invalid comparison, or who's "winning" or "losing" the discussion, as it is an observation that productive discussion within the thread is over.

Specifically:

  So - *WHAT DOES IT MEAN*? 

   Fine, fine - it means that somebody's eventually going to say
  something about the Nazis in any thread that lasts very long.  When it
  happens, the thread is going to start either degenerating into a long
  flamewar over Nazi Germany or about Godwin's Law.  Either way, the thread
  is effectively over, and you can safely killfile the thread and move on.
...

  2.  What happens if we're actually talking about Nazis?
 
   Then you've already invoked Godwin's Law, and the chances are that
  your thread isn't going to last all that much longer as a sane discussion.
  Them's the breaks.
  
  3.  What about arguing with Neo-Nazis?

   Arguing with Neo-Nazis is probably the quickest path to getting
  Nazi invocations, because, well, they're actually accurate.  Still, trying
  to invoke Godwin's Law near a Neo-Nazi isn't really a good idea because
  it's not terribly original and they'll probably get off on it anyway.
  Just ignore them and occasionally publish a FAQ detailing what actually
  happened during the Holocaust and such; arguing probably isn't going to
  help you.
http://wiki.killfile.org/projects/usenet/faqs/godwin/

This thread has reached the discussion-of-Godwin's-law stage, so there's that.

And remember that "it can't happen here" is also a fallacy.


Is prosecuting reporters not, like, definitionally fascist?


Right, you don't need any other supporting information and you don't have to bring political parties into it. If a politician is prosecuting a reporter for embarrassing the state - not for committing a crime - they are a fascist.


I don’t think either of you is correct. There are many tenets of fascism, and prosecuting (or straight up imprisoning) journalists is a common occurrence in socialist and capitalist countries. By your definition a lot of capitalist and socialist countries around the world are fascist, which is false.


I don't think they meant to imply that all people who imprison reporters are definitionally fascist, but that fascists definitely imprison reporters as a matter of course. The claim was that accusing someone who imprisons reporters of being fascist is "ultra far fetched". But if imprisoning reporters is something that fascists are wont to do, then it doesn't seem to me that questioning if these people are fascist is "ultra far fetched". You could also want to know if they were socialists if that's the thing you believe socialists do.


I used to recoil at these kinds of statements until I saw what the Trump administration was doing.

It's not an exaggeration. Stephen Miller, Steve Bannon, Richard Spencer, all these people in Trump's inner circle are self-described "alt-right," "white nationalist," or some other euphemism for ethno-fascist.

Racism and fascism in the US are very real, serious problems, and have become synonymous with the Republican party.

edit, here is a link or two:

https://www.vanityfair.com/news/2017/05/stephen-miller-duke-...

https://www.npr.org/2019/11/26/783047584/leaked-emails-fuel-...


Just think how much trouble we would have saved if only we'd been able to call Mussolini a Fascist in the 30s.


Mussolini called himself a fascist, and certainly didn't mind when everyone else did as well.


Substitute whistleblower for reporter and yes, nearly all politicians will use the criminal justice system to silence their critics.

Was Obama a fascist? I have no desire to engage in whataboutism, they all show their true colors when they're in power and are shown to be corrupt or incompetent.


>I have no desire to engage in whataboutism

Then don't.

I think Snowden should be pardoned and considered a national hero, but he unquestionably committed a very serious crime. There was no crime committed in the State of Missouri on this matter.


Because of HN no-politics type of policy, the only time HN can get riled up is when the politics involve tech. It's not that HN readers have no interest in these other topics. There's limitations on what the man will allow you to discuss about the other man. Hi dang!!!


I wonder if he's trying to "control the narrative" in the hopes that he (or the state) isn't sued for releasing private teachers' data to the public.


I think we're using Hanlon's Razor. All else equal, it's more likely he's merely ignorant than that he's trying to tear down the first amendment. Is there any evidence to the contrary?


> No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages.

If it was in the HTML source code, then it was publicly visible, so it is unclear what the article is trying to say.


Every browser has access to the HTML source, even if it is merely right click here and there. If the SSN is in the HTML source, then the blame should be on the webmaster who designed that code. Of course, accountability is not part of their tenet, it is too foreign for them.

And look at the age of the governor, clearly shows that he is inept with the fundamental of the internet.

I forgot to add one more thing. Did they not realize that there are scrappers who will scrap every bit of information of everything including the HTML code. I wonder how much scammers/ID theft scrapped the data before this came to light?


I don't understand the age excuse, honestly. My mother is about the same age. She is not technical, but she has used computers for the last 30+ years. Just like any other white collar worker. She would have wrangled with WordPerfect control codes to format insurance quotes in the 80s. Document markup (and stuff hidden in the markup) is not esoteric knowledge, or I wouldn't think it is. Except apparently it is.


> the blame should be on the webmaster who designed that code.

“Webmasters”, where they exist at all anymore, tend not to “design code”.

> Did they not realize that there are scrappers who will scrap every bit of information of everything including the HTML code. I

“...scrapers who scrape...” should be the concern here, not “...scrappers who scrap...”

> And look at the age of the governor, clearly shows that he is inept with the fundamental of the internet.

Gov. Parsons is 12 years younger than Vint Cerf and the same age as Sir Tim Berners-Lee.


Mike Parson is twenty-two days older than I am. I've been using View Source for a lot longer than twenty-two days.


To laypersons HTML comments or display:none is invisible. But I agree, this is like a blast from the 90’s when View Source was leet hacking.


Perhaps opening and reading HTML source code is widely viewed as an esoteric skill.


Given that other recent article about university students who don't know what files are, I wouldn't be surprised in the slightest if this is considered esoteric.


This story just gets worse and worse:

https://news.stlpublicradio.org/government-politics-issues/2...

"Missouri Gov. Mike Parson on Thursday launched a criminal investigation of a St. Louis Post-Dispatch reporter... The investigation begins today, and Parson said the investigation could cost taxpayers as much as $50 million but did not detail those costs or take questions at a news conference Thursday."

$50m over this now? They say never to assume malice when outright incompetence will do, but I'm beginning to wonder if some corrupt dealings involving IT contractors might be going on under the table.

Whichever one it is, at this point I think the governor should just apologize and resign immediately. Not holding my breath.

Edit: Looks like the governor is tweeting about this now. Straight from the horse's mouth:

https://twitter.com/GovParsonMO/status/1448697768311132160

Really couldn't make this stuff up if I tried: "This individual did not have permission to do what they did. They had no authorization to convert and decode the code."


>Republican state Rep. Tony Lovasco, who according to his legislative biography has worked in software deployment and maintenance, tweeted Thursday that “it’s clear the Governor’s Office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.

>“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” he said.

I worry that we're heading in a direction where somebody like Lovasco won't be willing to break with somebody of the same political party even for something like this.

It's already incredibly easy to code this story as a PR "win" for Democrats by embarrassing a prominent Republican.

So then isn't giving a common-sense perspective in this circumstance kind of just a betrayal of everything your side stands for?

I mean it's pretty unlikely that anything of legal import actually happens to the reporter, so for the "greater good" of accomplishing your wider agenda, or perhaps even more importantly preventing the other side's agenda, it might be better to just stay quiet and let this blow over as partisan bickering.


The fact that it happened here should calm your worries at least a little bit.


The fact that it happening is a notable exception to recent political practice should jangle those worries right back up.


Nobody tell the gov how savagely he’s being raked over the coals in these comments, or tomorrow’s headline will be about a RICO case launched against the hacker collective known as “Hacker News.”


Someone should tweet this discussion to him or his office. #stopclickingviewsource


Someone once took a photo in a hospital waiting room. There was a screen in the photo with a browser window that listed the queue of patients waiting to be seen (first name + last initial). I zoomed into the photo, typed the URL in my home machine and sure enough, the list of patients actively waiting to be seen loaded up.

To make matters worse, incrementing a number in the URL cycled through different hospital waiting rooms.

I emailed the vendor who built the tool about the issue and they responded letting me know that the system worked as it was designed, and that no HIPAA violations existed since there was no full last name.

I meant to make a bigger deal about this, but then got busy.


Similarly, but much smaller potatoes: Went to pick up an order at Ikea and their online queue system lists your place in line. Nice. Except it also lists everyone else in line. Including their first name, last initial, and make and model of car. And I could still access the list after we left.
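The hospital-queue and IKEA-queue comments above describe the same defect: a sequential id in the URL is the only thing standing between a visitor and every other list. The block below is an added example, not code from anyone in this thread or from either vendor; the waiting-room data, the `Session` model and the handle table are constructed for illustration. It shows the lookup as described (any id returns any room), the same lookup with an object-level authorization check bound to the caller's session, and an unguessable handle as defence in depth for the case where an endpoint forgets its check.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data: queues keyed by a sequential integer, the shape that
# makes "change the number in the URL" work. Names are invented.
WAITING_ROOMS = {
    1: ["Alice B.", "Carlos D."],
    2: ["Eve F.", "Grace H."],
}

# Server-side table mapping unguessable handles to room ids (filled by issue_handle).
HANDLES: dict = {}


@dataclass(frozen=True)
class Session:
    """Who is asking. A kiosk screen or a checked-in visitor is bound to the
    rooms it may see; an anonymous browser is bound to none."""
    allowed_rooms: frozenset = frozenset()


class NotFound(Exception):
    """Raised for both 'no such room' and 'not yours', so the response does not
    confirm which other ids exist."""


def get_queue_vulnerable(room_id: int) -> list:
    """The flaw from the comments above: the id is the only key, so anyone who
    can count can walk every room."""
    return WAITING_ROOMS[room_id]


def get_queue(room_id: int, session: Session) -> list:
    """Hardened: authorize this caller for this object before returning it."""
    if room_id not in WAITING_ROOMS or room_id not in session.allowed_rooms:
        raise NotFound(room_id)
    return WAITING_ROOMS[room_id]


def can_view(room_id: int, session: Session) -> bool:
    """Convenience wrapper used by the checks below."""
    try:
        get_queue(room_id, session)
    except NotFound:
        return False
    return True


def issue_handle(room_id: int) -> str:
    """Defence in depth: expose an unguessable handle instead of the sequential
    id, so enumeration fails even on an endpoint that forgot its check."""
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = room_id
    return handle


def get_queue_by_handle(handle: str, session: Session) -> list:
    """Resolve the handle server-side, then apply the same authorization check."""
    room_id = HANDLES.get(handle)
    if room_id is None:
        raise NotFound(handle)
    return get_queue(room_id, session)


if __name__ == "__main__":
    kiosk = Session(allowed_rooms=frozenset({1}))
    print("vulnerable, room 2:", get_queue_vulnerable(2))   # anyone sees it
    print("hardened, kiosk sees room 1:", can_view(1, kiosk))
    print("hardened, kiosk sees room 2:", can_view(2, kiosk))
    print("anonymous sees room 1:", can_view(1, Session()))
```

The handle on its own is not the fix; the authorization check is. The IKEA detail (the list was still reachable after leaving) is the same point from the other side: whatever binds a session to its room has to expire, or the check in `get_queue` is only as good as the oldest surviving session.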


Post a URL here, then I'm sure vendor would reconsider


I don't think I can blame a politician for being technically illiterate, especially one that old. But what the heck is up with the state bureaucrats who report to that guy?

I mean someone in the freaking state bureaucratic hierarchy should at least be lucid enough to consult someone who has an actual clue about things such as these.


I think you're underestimating how much this is just the governor cravenly trying to save face. He's just a spineless politician who is afraid that this "hack" will be used against him. Because the public was notified of the obvious fuck-up in the html, he felt he needed to "respond to their concerns" and is doing so in the only way he understands, or that that group of the public "under attack" understands as well: criminal charges.

He's using the public's fear to try to gain political points by looking "hard on crime".

Obviously, he's stupid. But part of the problem is the public also think this was a "hack". Basic understanding of the web is not apparent amongst an enormous swathe of the public.


I’m guessing it went like this…

Politician: Socials are on the web site, who fucked up?

IT: the web page is encrypted, we didn’t fuck up, the hacker decrypted the source

Politician: sounds good to me, no fuckup on our part, let’s call the cops and prosecutors


Politician [intentionally looking to pass the buck to entities outside their purview and choosing not to research further]: sounds good to me, no fuckup on our part, let’s call the cops and prosecutors


I can't stress how differently power works in the Southern States (EDIT: Missouri is a midwestern state officially, but I've always considered it part of the South). It's a very traditional place, where you do not dare contradict, let alone correct, your boss. There is none of this "avoid surrounding yourself with sycophants because they will only tell you what you want to hear" business. There is no upside to speaking up in meetings if what you're saying is not in direct support of the boss. If you do this, you will be branded a trouble-maker, lose favor with the hierarchy, and eventually you will be expelled. Politeness and deference matters far more than any other quality. Loyalty beats integrity every time in the south.

This incident is just one example of this in action.


As a species I feel we need a means to overcome this problem within organizations, and demonstrate convincingly to others that we have done so. Chernobyl and Fukushima were also both created by a culture of deference to higher-ups. The anti-nuclear crowd were wrong about the science, but may have had a point once you consider human fallibility.


> Chernobyl and Fukushima were also both created by a culture of deference to higher-ups

Chernobyl suffered from compounding of reactor and test design flaws and human error. Fukushima suffered from (retrospectively) insufficient risk assessments, which resulted in a design meeting a rare event beyond its design limit sooner than expected.*

I'm unaware of a human society, in fact any animal society, where politeness does not involve some degree of deference. So saying these accidents were caused by a culture of deference is essentially meaningless without some more "who, what, why, how" and importantly 'how much' and 'compared to what'.

From the IAEA report: "This common mode failure reached a scale considerably beyond that usually addressed in the assessment of BDBAs. [ed: beyond design basis accident]". https://www-pub.iaea.org/MTCD/Publications/PDF/AdditionalVol...

https://www.coursera.org/lecture/intercultural-communication...


If you think that's a "southern" trait I've got news for you...

This attitude fits the majority of workplaces. I know it probably makes you feel better to pass the blame off on a specific group that you can try to avoid, but I've worked all over the US and it's the same crap everywhere you go.


The south sounds exactly like my experience in two fairly non-political (as non-political as government can be) departments of state government that provide non-controversial social services in a state in the northeast.


Missouri is not even remotely considered to be in "the south". At least not by those who live there or in neighboring states.


I know a lot of people who regard it as a hybrid southern/midwestern state. Plenty of confederate flags to be found in Missouri, certainly, and the MU/KU rivalry is, on our side at least, heavy on "bleeding Kansas" rhetoric and imagery, which keeps Missouri's Southern-sympathizing role in the war alive in our popular culture (such as it is). Lots and lots of our local icons, oft-mentioned historical figures, etc., relate back to the war, and especially folks who supported the Confederacy. County seats with those late-addition cheap confederate soldier memorial statues outside the courthouse are, AFAIK, quite common in the state.


> County seats with those late-addition cheap confederate soldier memorial statues outside the courthouse are, AFAIK, quite common in the state.

This seems libelous. Can you provide a single example of such a statue? I drive through several county seats in Missouri multiple times a week. There are WWII and Vietnam memorials, and actually several Civil War Union memorials, but not a single confederate memorial.


You can find Confederate flags in northern states and all over the US. That doesn't suddenly make it more "southern". I live in CO now and I see more confederate flags than I ever saw in MO.


You can find racists and rebels anywhere. If you order a sweet tea in any restaurant in Missouri they will look at you like you have three heads.


Not true at all, but the sweet tea they serve you will probably be mediocre at best, that's true. A few places will serve you unsweet tea (all they have, as a cost-savings measure) with sugar packets, as if that's the same thing, which admittedly is an offense worthy of challenging your server and/or the restaurant owner to a duel.


> Missouri is not even remotely considered to be in "the south".

No, but it is both South-adjacent and considered to be largely within the Bible Belt, which is almost exactly coextensive with the South, except that it excludes parts of Southern Florida and includes all or part of several South-adjacent states, so it's not an entirely hard to understand mistake.


You're right! It's part of the midwest officially. Apparently it does share at least some of the classic characteristics of the southern states.


University of Missouri sports teams are in the Southeastern Conference (SEC). Part of me wanted them in the Big-10 since I identify more as being from the northern mid-west. Got to follow the $$$.


I think it has no more in common with them than other non-southern red states.


> I don't think I can blame a politician for being technically illiterate, especially one that old.

Given the impact of technology on society, we absolutely can and should blame politicians who are technically illiterate.


I don't blame a politician for being not tech savvy.

I can and will blame them for not getting (And listening to!) a tech savvy advisor.


I would think it depends on how "tech savvy" we're talking about. It's one thing to ask them to write a UNIX shell in C++, or construct a neural network model... I don't see any reason to demand that level of technical sophistication from a governor. But surely there has to be some baseline level of technological literacy that should be expected, no? Something beyond "push this button and the computer turns on" and "Yes, I checked and it's plugged into the wall"??


And maybe blame the highly partisan electorate too?


> I don't think I can blame a politician for being technically illiterate, especially one that old.

I don't think age should excuse this guy at all, nor do I buy into the meme that age has much of anything to do with technical literacy. Consider that Brian Kernighan is ~78, Tim Berners-Lee is 66 (the same age as Governor Parsons here), James Gosling is also 66, Rob Pike is 65, Steve Wozniak is 71, Geoffrey Hinton is 73, and so on. And that's not even considering folks who were around so early they've already passed away, like Marvin Minsky, Dennis Ritchie, John McCarthy, etc.


Nobody tries to deny that old people can be top notch computer scientists. It's just a fact that computer technology has only arrived in the daily life of the greater population a few decades ago and therefore older people are statistically less likely to be familiar and comfortable with it the way younger people are. I'm surprised I have to write this.


> It's just a fact that computer technology has only arrived in the daily life of the greater population a few decades ago

I would question that assertion, depending on how exactly we choose to define "few". Computers have been a fairly ubiquitous part of our society (in developed nations anyway) for a good 40 years or more now. And they've been absolutely ubiquitous for probably a good 30 years... ubiquitous enough that it's hard to see how any person who considers themselves an educated, competent adult wouldn't have had the opportunity to develop some baseline of technical literacy.

Personally I believe that anybody who is a functioning adult in our society today, who doesn't have that technical literacy, lacks it due to their choices not due to their age.


Sure. In 1984, 37 years ago, a whopping 8.2% of US households sported a computer. So yeah, ubiquitous indeed.

Younger people tend to be more open to new things and less set in their ways, which certainly makes a difference in this case. Note that I'm again not talking in absolutes, but about matters of tendency. Naturally, in the individual case all things come down to opportunity and choice, but it seems curious to deny the statistics of the matter.


The presence of a computer in the home is not the only measure of the prevalence of computers in society at large. I'm not ignoring anything. I was there, I lived it. And I know that being 66 is no excuse for lacking technical knowledge. It's willful ignorance, not a byproduct of happenstance.

> Younger people tend to be more open to new things and less set in their ways

Even if that were true - and that's a pretty dubious claim, IMO - it does not necessarily follow that

> ... certainly makes a difference in this case.


> I was there, I lived it.

Yes, so did I. I find it curious that we seem to remember that period so differently.

I can easily find sources saying things like "between the ages of 25 and 60 people's ability to use websites declines by 0.8% per year", that's 28 percentage points difference in the ability to use a website.

But I'll stop arguing, it doesn't seem very promising at this point.


> I mean someone in the freaking state bureaucratic hierarchy should at least be lucid enough to consult someone who has an actual clue about things such as these.

Why are you letting the leader off the hook and charging the underlings for being responsible for something a leader should be responsible for? Age of the leader is irrelevant because the leader chose to become a leader.


> I don't think I can blame a politician for being technically illiterate, especially one that old.

That right there (probably without the age bit) would be the ideal one liner response from the reporter or an attorney from the paper.


This is why you have tech literate experts to correct you and help you make a decision. Just like how you go to your doctor for help with an illness and get advice for what to do next. This isn't hard to do, it's just not politically powerful messaging. Parson wants to look big and powerful and so he'll just blow smoke up his AG's butt to do something which will quietly be dismissed afterwards with almost zero political cost to him.


Gov. Parsons’ technical ignorance, such as it may be, is not the source of this. This is a power-oriented political narrative. To the extent it invokes inaccurate explicit or implicit characterizations, that is not because Parsons doesn't understand the truth (he may or may not, that's just irrelevant), but because the descriptions and implications serve the desired narrative.


> I don't think I can blame a politician for being technically illiterate, especially one that old.

I certainly can. They have plenty of money to hire staff, and that should include people to make sure they understand the technology that is integral to the every day lives of their constituents, or at least to push back when they do/say something completely counter to how the world works.


Why should age excuse incompetence? If they are incompetent in tech, they should at least know that and shut up.


It is my understanding that Parson is not the kind of fellow to give a shit what a state bureaucrat tells him, if it's not what he wants to hear, assuming he'd listen to them in the first place.


Yeah, this should be a "get the computers guy in here" moment. Then someone explains and everyone moves on.


You have no idea what lengths some state employees will go through to cover their ass and not get fired. It's especially dangerous when cops and prosecutors do it.


Exactly. When you've endured 15yr of this kind of bullshit and enduring five more gets you an extra 10% on your pension you shut the f up and do what's good for you, organization and taxpayers be damned.

Now imagine what this situation teaches all the younger bureaucrats who think they can work hard and make things better.


The usefulness of having state legislators from a variety of backgrounds:

Republican state Rep. Tony Lovasco, who according to his legislative biography has worked in software deployment and maintenance, tweeted Thursday that “it’s clear the Governor’s Office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.

“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” he said.


Tweet from the governor: "Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators."

> Through a multi-step process

> decoded the HTML source code

Somebody has been watching B-list hacker movies.


Step one: Press Ctrl

Step two: Press U


1. Click View in menu bar

2. Hover over developer menu item

3. Click View Source

Three-step process - even more nefarious!


Y'all are going to prison now, I hope it was worth it! =]


1. Rest finger softly on the F12 key

2. Press finger downward


Tell me you don't understand computers without telling me you don't understand computers.


Senators too! We must end finstas! https://www.youtube.com/watch?v=TGt1Ukg7q4Y


So that quote is actually taken out of context. The Senator knows what finstas are, and is using it to drive a different argument: that Instagram is incentivized to help teenagers bypass parental control. https://www.theverge.com/2021/10/1/22704308/finsta-instagram...

> “Finstas are fake Instagram accounts. Finstas are kids’ secret second accounts. Finstas often are intended to avoid parents’ oversight. Basically, Facebook depends on teens for growth,” Blumenthal said. “Facebook also knows that nearly every teen in the United States has an Instagram account; it can only add more users as fast as there are new 13-year-olds.”


Even with the added context, it's pretty clear he has a very limited grasp on how finstas work. It's reasonable to be concerned about that when he is demanding they be banned.


He understands computers, but it's easier for him to blame the press for his government's failings. His base laps this sort of thing up.


[flagged]


Authoritarian blue states do this crap too. This has nothing to do with the set of policy positions on your party's official platform and everything to do with being a totalitarian jerk, a characteristic that abounds among politicians and high level government officials in general across many parties and nations.


Examples?


Cuomo.


That's a person not an example.



New York...


It’s a consequence of having people 80 years old who can barely write an email and still use Internet Explorer on AOL run things. Party is irrelevant in this case for sure


Well done. Authoritarianism is alive and well across the political spectrum.


"... Social Security numbers were contained in HTML source code of the pages."

"Gov. Mike Parson was labeling the Post-Dispatch reporter a 'hacker' and vowing to seek criminal prosecution."

L O L. Everyone who has hit F12 in a browser is now considered a hacker.

I hope the prosecutors and law enforcement come to the right conclusion quickly and tell the governor no crime was committed. My experiences have left me with little faith of that happening.


"You can look like idiots now. Or you can try to keep from looking like idiots, and look like even bigger idiots very quickly. Your choice."


And, in the process, double down and cost the reporter his career and entire life savings as he pays for a lawyer to keep himself out of jail.


Usually the better publications have, or pay for, counsel for work related issues like this.

I don't think this will cost them their career. Every semi-intelligent person can see what's going on. It will certainly create some short-term headaches though.


Seriously, the government should have experts on hand who can translate tech into concepts they can understand. This is unacceptable.

Imagine HTML is a TV in a Social Security office. The way the storage of SS numbers was designed is that they are hidden in a back room; however, anyone can come into the office and scream a person's name to view all the information on the screen. The flaw is clearly in the system.

I found flaws in Costco's system before; I guess I should be in prison for letting them know and saving them thousands of dollars.


The state's Chief Information Security Officer left the post on Friday https://www.govtech.com/workforce/missouri-ciso-stephen-meye... I didn't see anyone mention that elsewhere in relation to this story.

Getting a 403 here without a VPN, but https://cybersecurity.mo.gov/ doesn't look like it's been updated since 2018. The last CISO left in 2018 (~3 months after the current governor took office), and the current CISO was appointed as interim then: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/miss...


It's only a matter of time before the inevitable class action lawsuit settles the question of culpability for this breach and assigns it 100% to the state. The teachers are going to get at minimum state-sponsored credit protection services for a few years, and the governor is going to get some egg on his face since it was his employees who created this breach.

I honestly pity him a bit, because he has no clue about any of the technical details, but on the bright side he's about to get a crash course.

I have to wonder what he's thinking, though, with the brazen slander. He must have some very deep pockets.


Prosecuting people for responsible disclosure?

This governor is a fricking idiot.


This seems to be a requirement these days for being a governor.

I understand not everyone can know everything. The fact that it is deemed unacceptable to admit not having all of the information to make an informed decision/comment where someone in a position of authority makes shit up to just sound authoritative is a sad state of affairs. It's not like being a governor is the same as posting things on an internet forum.


[flagged]


We've got some presidential mis-speaks a plenty too. Some haven't been a governor, and didn't come from a "red" state.


This is clearly not an example of a politician simply "misspeaking".


As much as it would be comforting if it actually was, incompetence is not limited to either political party.


Yet. Wait for them to evaluate the blowback, and then the walkback from the comment.


Polarize much? Let's just go back to the general population not trusting the government or any politician regardless of party affiliation. They're all corrupt and ignorant, it's a basic requirement.


[flagged]


Could you please stop posting flamewar comments? You've been doing it a lot lately, and we ban such accounts regardless of what they're flaming for or against. I don't want to ban you because you've also posted good things, but we've had to warn you about this multiple times in the past and that's not cool.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.


It's seems there is a certain set of political beliefs that enshrine intolerance of knowledge. Perhaps shared across multiple parties.


"Idiot" is relatively high praise.


I'm glad my Senator can speak intelligently at DefCon.


When idiot directs prosecution it becomes a crime on its own.


If the scenario being proposed is that the reporter publicly searched teachers on the site and then noticed that SSNs were returned in hidden HTML or an endpoint returned it from an API directly, that is a facepalm and they’re fine.

If the reporter searched teachers and located (for example) their teacher ID, then discovered an endpoint (from looking at the JS) that took the ID as input and returned an SSN, they have potentially violated the CFAA (as written).

Do I agree that they should be prosecuted? No.

Is the CFAA a terrible law that criminalizes most netsec research? Yes.


The reporter hacked our water system, maliciously held his hand under the faucet and then revealed to us that the water was WET!


'Parson said Thursday that he wasn’t sure why the reporter accessed the information. He claimed it was part of a “political game by what is supposed to be one of Missouri’s news outlets.”'

Yes, everything that makes us look bad is part of a conspiracy by the other team. Ignore the facts, please. Pressing CTRL-U is hacking!


The weird thing is even if this was a conspiracy to discredit an administration... it's a really bad one. Perhaps you could link the security flaw to a budget issue, but I can't imagine something like this seriously affecting a governor's chance for re-election. His response has obviously done more damage than the flaw ever could.


I commented days ago about a state website that was returning all kinds of nicely formatted NPI in JSON from an API response, but the NPI was not displayed. I donned my black hat and other hacker attire and pressed F12 to open the browser's developers tools (a tool created by a shifty company named Google most people have never heard of), and there it was, plain as day, SSNs, addresses, etc. I closed the page and never touched it again. I knew what's happening in this story could happen to me. I knew my side of the story would rarely be told and that my fate would lie in the hands of a judge who views the F12 key with distrust and fear and a jury of my "peers" who are not actually my peers in any skill or know-how related to the case.


At least make a throwaway email account somewhere and email the state's IT department to let them know. I doubt it'd ever get fixed (given state budgets), but still.


In states that have state-level IT departments (usually in addition to, rather than instead of, agency-internal ones), the state-level one mostly does IT project and contracting policy and oversight (often limited to large projects for active oversight), and maybe executes enterprise contracts for infrastructure that is used across agencies.

For an in-production system, there is a good chance that they have no responsibility for ongoing maintenance, and no special information beyond what is on the website as to who is responsible for maintenance.

You are better off contacting (anonymously or otherwise) the responsible agency. But, sadly, probably the most effective way to get it changed (after the flurry of butt covering) is to anonymously notify the media.


Other comments are talking about how Missouri will spend millions investigating this "hack". I don't know how to reliably mask my identity against a million dollars' worth of criminal investigators.

This was many years ago, a few years after it first happened I looked again and it had been fixed.


This news should not surprise anybody who has used government websites in Missouri. Here is an example: https://mydssapp.mo.gov/CitizenPortal/application.do

The website takes a LONG time to load because of how many JavaScript files it loads!!


I gave up, and my browser was still semi-borked for a while after clicking back to HN.


Holy cow, that's incredible


you aren't kidding, that's pretty impressive really


This is probably unpopular, but I want to see this go to court so that this moron can be exposed for all to see.


Best outcome would be for the courts to dismiss the case outright. (Bonus points for snark against the governor)


The distribution of the SSNs to the client, where they can be seen by everyone using a Web browser by clicking on a standard menu function is clearly the government's fault.

They are obviously trying to deflect their incompetence - nobody audited the design nor the resulting implementation.

If the journalist acted as described it is professional behavior (notify and postpone publication to give the Website operator a chance to fix things), it is ethical and complies with security disclosure best practices.


"... teachers’ Social Security numbers were contained in the HTML source code of the pages involved..."

My bet is the SSN was used as the GUID for a table row or list item.


I'm going to guess a value in a hidden form field.
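The two guesses just above (SSN as a row identifier, SSN in a hidden form field) and the earlier comment about NPI sitting in a JSON API response that the UI never displayed are the same bug: the server serializes data the client was never meant to have, and "not visible on screen" is mistaken for "not sent". The block below is an added example, not code from the thread or from the Missouri site; the educator record is constructed and its SSN is the placeholder value 123-45-6789, and the field names and the `check_response` helper are invented for illustration. It renders the page both ways, serializes the API response both ways, and runs a response-body scan of the kind a team can put in a test suite or a staging middleware so that an SSN pattern in any outgoing body fails the build before a reporter finds it.

```python
import html
import json
import re

# Constructed sample record; the SSN is the well-known placeholder value,
# not a real number.
EDUCATOR = {"id": 17, "name": "Jane Doe", "district": "Example R-1", "ssn": "123-45-6789"}

# Allowlist: only these fields may leave the server. Anything not listed is
# never serialized, however the record grows later.
PUBLIC_FIELDS = ("id", "name", "district")

# Dashed SSN form, excluding area/group/serial values that are never issued.
SSN_DASHED = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Nine bare digits: lower confidence, but still worth a look in a server response.
NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")


def render_vulnerable(rec: dict) -> str:
    """Both guesses from the thread at once: the SSN as the row's DOM id and as
    a hidden form field. Nothing shows on screen, yet it is in the page source."""
    ssn = html.escape(rec["ssn"])
    return (
        f'<tr id="{ssn}"><td>{html.escape(rec["name"])}</td></tr>\n'
        f'<input type="hidden" name="educator" value="{ssn}">'
    )


def render_hardened(rec: dict, ref: str) -> str:
    """Same page with an opaque server-side reference in place of the SSN."""
    ref = html.escape(ref)
    return (
        f'<tr id="edu-{ref}"><td>{html.escape(rec["name"])}</td></tr>\n'
        f'<input type="hidden" name="educator" value="{ref}">'
    )


def api_vulnerable(rec: dict) -> str:
    """Serializing the whole record: the SSN rides along although the UI never shows it."""
    return json.dumps(rec)


def api_hardened(rec: dict) -> str:
    """Serialize only the allowlisted fields."""
    return json.dumps({k: rec[k] for k in PUBLIC_FIELDS if k in rec})


def find_ssn_like(body: str) -> list:
    """Scan an outgoing response body (HTML, JSON, anything textual) for SSN
    patterns. A hit is a bug regardless of whether the value is 'visible'."""
    hits = set(SSN_DASHED.findall(body))
    hits.update(NINE_DIGITS.findall(body))
    return sorted(hits)


def check_response(body: str) -> bool:
    """True when the body is clean; suitable as an assertion in a test suite."""
    return not find_ssn_like(body)


if __name__ == "__main__":
    for label, body in [
        ("html (vulnerable)", render_vulnerable(EDUCATOR)),
        ("html (hardened)", render_hardened(EDUCATOR, "7f3a9c")),
        ("json (vulnerable)", api_vulnerable(EDUCATOR)),
        ("json (hardened)", api_hardened(EDUCATOR)),
    ]:
        print(f"{label:18} clean={check_response(body)} hits={find_ssn_like(body)}")
```

The scan is deliberately run on the serialized body rather than on the template or the model, because that is the only place where "hidden" and "visible" stop mattering: whatever is in the bytes is what a browser's view-source or network tab will show. The allowlist in `api_hardened` is the structural fix; the scan is the regression check that catches the next field someone adds to the record.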


FYI the "Governor" is Mike Parson

"As governor, Parson signed a bill criminalizing abortion after eight weeks of pregnancy and opposed Medicaid expansion. He oversaw the state's response to the COVID-19 pandemic, where he issued a temporary stay-at-home order in April 2020, allowed school districts to decide whether or not to close, and limited postal voting during the 2020 U.S. elections. Parson also oversaw Missouri's reaction to the George Floyd protests, during which he pledged to pardon Mark and Patricia McCloskey, the couple involved in the St. Louis gun-toting controversy, if they were convicted of any crimes; he issued their pardons in August 2021."

Sounds like a great guy.


I am reliably informed by people with some insight into Missouri government that Parson is exceptionally terrible. Incompetent or malicious, depending on the day.

I gather the previous (also Republican) governor, Greitens, who may or may not have been into some weird/illegal sex stuff and was forced out over it, was actually pretty good. Seemed to truly care about governing well and improving the functions of state government, at least, which Parson does not.


He is terrible, but in today's GOP there is nothing exceptional about Governor Parson.


[flagged]


The title only said "Governor" so I was like "gee, who is this guy/gal?" and so I RTFA and went back to the comments. Many were still referring to him as "Governor" and not by name so I thought it would be useful to mention his name. I then started reading his Wikipedia page and discovered he's a real piece of crap (IMHO) and decided to include that summary in my post. Am I starting crap? Maybe, but I think some background on his recent decisions in his role as Governor would be relevant to an article questioning a recent decision in his role as Governor.


> You're actively making HN a shittier place with comments like this.

Please find your way to the nearest mirror and take a very hard, long look.


What is the source of the pasted quote? I have no idea what kind of person the Governor is (outside of being technically illiterate) and am not interested in a partisan bickering match, but despite disagreeing with some points there, some of the actions listed there are arguably great moves (with the devil being in a lot of nuanced details that your list didn't go into)


It's from his Wikipedia page.


“The state is committed to bring to justice anyone who hacked our system and anyone who aided and abetted them to do so,” Parson said

I assume they'll start with the head of the Office of Administration Information Technology Services Division whose team allowed such a glaring vulnerability in the first place.

If IT management held some responsibility for breaches, then maybe it wouldn't be so hard to get funding for security measures.


The news is not only the lack of understanding of what hacking is and what a security fuck up is. The news is the cowardice of this clown of a governor trying to deflect blame to those reporting the vulnerability. If he is too embarrassed to admit his government's fault, he will be rewarded with twice the embarrassment for reacting like a corrupt despot.


TFW the governor doesn't realize that HTML is a document that they proactively published on the internet.

"The hacking is coming from inside the (state) house!" /s


Yet another example of how political leaders are completely out of the loop on all things tech. Software is such a large part of the world nowadays that we need to change this or the US is going to have even more issues going forward. I don’t think the current parties are amenable to making changes and bringing in tech-savvy people anymore, and I firmly believe the only way forward is going to be to find a way to create a new party that can get traction at the grassroots level that is tech-forward and led by people who aren’t career politicians/lawyers. The two party system makes this very hard though


> No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages

How is an HTML page source not considered "publicly visible"?!


Do they even have jurisdiction to go after the reporter? My guess is the site is cloud hosted in a state other than Missouri. Crossing state boundaries is a federal matter.


sshhh. The Governor would prosecute you for saying "Cloud Hosted". How dare you find this info that is hidden in the clouds ? Literally only the Gods can see the clouds.


The governor of Montana battered a reporter for asking him a question he didn't like [0]. There exist a number of politicians who feel that these are reasonable responses to adversarial press, and apparently a large number of voters who agree with them.

[0] https://en.wikipedia.org/wiki/Greg_Gianforte#Election-eve_as...


The government of my country passed a law requiring all companies to provide some documentation yearly under the threat of giant fines for noncompliance. Unfortunately the first year it was due was last year, and that complicated things, so as governments do they opened up their pockets and paid big for this upload form.

My friend attempted to submit his, and when he tried to download the paperwork that needs filing he discovered that not only was it very slow, but they had basically thrown a webserver at a Windows PC’s C drive, turned indexes on, and proxied it into a subfolder. So he could browse the entire computer and similarly could access the private data of every employer and their employees in the country. He wrote a few emails to relevant places, and by the next day the entire thing was offline. I believe they never put it back up, and I know for sure they delayed applying the law by an entire year, maybe through some emergency decrees or idk. They didn’t really publicise it outside of saying that it’s been delayed. You now have to submit it in person.


[1] Parson commits $50M to investigate alleged hack of Missouri educator database. Includes video press conference by Parson himself.

[1] https://fox2now.com/news/missouri/missouri-education-departm...


$50m? Wouldn't that be better spent on the actual education system and educators itself?

Talk about corruption: spending taxpayer money to cover up mistakes made by government employees, AND libellous statements made by government officials...


Maybe with $50M they could fix the website flaw.


I notice a "Suggest Corrections" button at the bottom of that article. Perhaps a suggestion that the Governor's entire story is a load of crap?


When the "leaders" show themselves to be so proudly ignorant, it makes you wonder what other decisions they have made which are completely wrong and fully executed.

In this case, I'm not terribly surprised, since that governor is from the party which frequently equates educated people with being "elite", a characteristic to be avoided.


People in power seem to confuse actual security designed to prevent unauthorized access with security by obscurity, and are shockingly willing to believe that calling a system secure makes it so.

Remember when the state of Florida labelled an epidemiologist, who they had previously fired for not cooking the books on covid cases to make the state look less bad, a "hacker" because she sent email to a state-run mailing list? https://www.tampabay.com/news/health/2020/12/07/florida-poli...

The mailing list was claimed to be "secure", but there was nothing secure about it. Other than the fact that merely by convention only certain people were supposed to know about it and use it, it was completely unsecured.


If you have an F12 key on your keyboard, you are now a hacker. Badass.


So they included the SSNs in the HTML source, and then said the reporter hacked and unencrypted the HTML by reading the non-displayed SSNs in the source. That's like taping the SSNs up to the inside of a tinted window and then saying the reporter committed breaking and entering by shining a flashlight on the window.


I wish that a conservative outlet would call the governor out. I feel like a thousand articles from Wired, NPR, the New York Times, and the founder of the WWW could all describe in wonderful, simple terms how bombastic and willfully ignorant and hostile this action is, and it would be construed as partisan.


> "A hacker is someone who subverts computer security with malicious or criminal intent," the statement continued. “Here, there was no breach of any firewall or security and certainly no malicious intent. [...]"

Then I guess HN better find a new name.

Seriously though, this defense bugs me because it outright dismisses the idea of ethical hacking by re-defining "hacker" as someone with "malicious or criminal intent". They should be embracing the label and explaining the difference between white hat hackers and black hats (the actual criminals).

Our world needs more white hat hackers. All it takes is one security flaw to compromise a system and the deck is always stacked against those securing it. Re-defining "hacker" as a term to describe criminals stacks that deck even worse by dissuading future would-be white hats.


This is what happens now when the media is portrayed as a political actor and everything can be "the other sided".

“political game by what is supposed to be one of Missouri’s news outlets.” Now they get to ignore any and all responsibility, and the governor is seen as standing up to the liberal media. It did not even have to be a big deal: just fix it, say it's been resolved, and move on. Everything is gamified and politicized now, to the point that they are willing to send someone to jail over their own flaw. It's not even about being good leaders and helping citizens; it's just about winning elections and owning the libs or conservatives or your favorite brand of "snowflake". Human decency has left the building. I wish we could go back to business as usual, but we have really entered a post-truth society.


I'm not American, just got interested in how their politics devolved to that, and apparently this was an intentional power play which started from republicans:

> "a race to the bottom to see who can be meaner and madder and crazier. It is not enough to be conservative anymore. You have to be vicious." The viciousness doesn’t necessarily reside in the individual souls of Republican leaders. It flows from the party’s politics, which seeks to delegitimize opponents and institutions, purify the ranks through purges and coups, and agitate followers with visions of apocalypse

I feel this article summarizes it well: https://www.theatlantic.com/ideas/archive/2018/12/how-did-re...

Newt Gingrich seems to be responsible for that more recent attempt at this, and everything happening now seems to be the end game of what he started, though the party seems to have a history of it to some extent.

I know some people might say that the Atlantic is partisan and maybe Democratic leaning (I think?), but personally except for the part where the article seems to say they don't like what the Republican party is making of democracy, everything else seems pretty accurate and factual to me. I'd love to hear counterpoints, like is there anyone who doesn't think this characterizes the Republican party properly?


Of course he would. It is the typical political response these days. Double down on your mistakes and never accept responsibility on your end. So what if a bunch of SSNs were exposed? It was only in "View Source", which is hacking. Come on now. /s


Something similar happened in Germany. A programmer found a bug in his customer's shop system; he disclosed the bug to the shop provider and they reported him. There was a house search at his company and his computers were confiscated.


There are developers out there that look like you and me, use the same tools and speak the same (programming) languages, yet have absolutely no concept of access control.

I feel there's an enormous education/awareness gap when it comes to basic security practices and it's going to hurt all of us sooner or later by having our private information leaked, sold, abused, maybe ultimately deemed irrelevant in itself -- ie what would the world look like if all (or a significant chunk) of private information was leaked and you couldn't trust the old tokens of identity?


> Parson said he had referred the matter to the Cole County Prosecutor and has asked the Missouri State Highway Patrol to investigate.

Was this a drive-by "view source"? Why is the highway patrol investigating?


> Was this a drive-by "view source"? Why is the highway patrol investigating?

In a number of states, the “Highway Patrol” is—either through role expansion, merger with a preexisting State Police, or otherwise—the general-jurisdiction law enforcement agency of the State.


"No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages."

They definitely have a different definition of "publicly visible"


I'm from Missouri. This might be the first embarrassment many of you have seen from him, but there have been a lot more prior. Truly not a good look for the state that this guy got reelected.


Same here. And don't look up how he first came upon the job either.


...spare me the anxiety. Got a link or something?


Good. Let this go all the way to the top. This is someone who at least in theory should be backed by an institution (and various amendments...), so this should establish a nice precedent that no, you can't shoot the messenger. The only "tiny" detail would be how to shield the individual reporter from the fall-out in the meantime. And while we're at it, holding an office should not protect you from personal liability for the harm done to said messenger during the process.

Terribly idealistic, I know. One can dream... :|


*The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site’s public code using Developer Tools or simply right-clicking on the page and viewing the source code.*

The state's website was sending SSNs to the browser of every visitor. Visitors didn't ask for that info but got it anyway. Everything the state sent was viewable through View Source.
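The point above, that a browser receives everything the server sends whether or not the page displays it, as an added example that is not from the article or from any commenter: a standard-library Python scanner that parses a saved HTML response and reports every SSN-shaped value, classifying each as visible text, hidden-element text, an attribute value, or an HTML comment. The sample page, the numbers in it, and the `SsnLeakScanner` name are all constructed for this illustration; nothing here is the state's actual markup.

```python
"""Find SSN-shaped values that a server sends to the browser but never renders.

Added example, not code from the article or the thread. Parses HTML with the
standard library only, so it can run offline against a response saved with
curl or "Save page as" before a site goes live.
"""
import re
from html.parser import HTMLParser

# Shape check only: three-two-four digits. It does not validate that a
# number is a real SSN, so expect some false positives on phone-like data.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Tags that never get a closing tag, so they must not push onto the stack.
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr", "area", "base",
             "col", "embed", "source", "track", "wbr"}

# Constructed sample: a fake certification-search result. Numbers are made up.
SAMPLE_HTML = """
<table id="results">
  <tr>
    <td>Jane Doe</td>
    <td>Cert #12345</td>
    <td>123-45-6789</td>
  </tr>
  <tr data-ssn="987-65-4321" style="display:none">
    <td>hidden row</td>
  </tr>
</table>
<form>
  <input type="hidden" name="ssn" value="111-22-3333">
  <!-- legacy field: 444-55-6666 -->
</form>
"""


class SsnLeakScanner(HTMLParser):
    """Collect (value, location) pairs for every SSN-shaped string in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (ssn, where-it-was-found)
        self._hidden_depth = 0  # > 0 while inside a display:none / hidden subtree
        self._stack = []        # one bool per open element: did it start a hidden subtree?

    @staticmethod
    def _is_hidden(attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        return "display:none" in style or "hidden" in a

    def handle_starttag(self, tag, attrs):
        # Attribute values are sent to the browser even though nothing draws them.
        for name, value in attrs:
            for ssn in SSN_RE.findall(value or ""):
                self.findings.append((ssn, f"attribute {tag}[{name}]"))
        if tag in VOID_TAGS:
            return
        hidden = self._is_hidden(attrs)
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        where = "hidden element text" if self._hidden_depth else "visible text"
        for ssn in SSN_RE.findall(data):
            self.findings.append((ssn, where))

    def handle_comment(self, data):
        # Comments are stripped from the rendered page but still in the response.
        for ssn in SSN_RE.findall(data):
            self.findings.append((ssn, "HTML comment"))


def scan(html):
    """Return every SSN-shaped value in the source with where it was found."""
    parser = SsnLeakScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def leaked_but_not_displayed(html):
    """SSN-shaped values present in the response that never reach visible text."""
    findings = scan(html)
    visible = {v for v, where in findings if where == "visible text"}
    return sorted({v for v, where in findings if v not in visible})


if __name__ == "__main__":
    for value, where in scan(SAMPLE_HTML):
        print(f"{value}  <- {where}")
    print("sent to the browser but never displayed:",
          leaked_but_not_displayed(SAMPLE_HTML))
```

Run it against a saved response of your own application, never by pulling pages from someone else's site: the thread's point is that authorization, not visibility, is what the law turns on. The visible/hidden split is deliberately naive (it ignores CSS classes and JavaScript that hides elements later), which is fine for a pre-release check, since anything the regex finds in the response at all is already a problem.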


The EFF will likely take this case. Have the reporters contacted them?


One thing a newspaper has is lawyers (including plenty of places that will do pro bono work on 1st Amendment cases).


This governor is an idiot and should be removed from office for this.


Recently, I had to submit a bunch of information (name, address, DOB) into a Google Forms page in order to request a COVID-19 vaccine CDC card from my state’s health department. This Google Form was run by a contractor for the state’s health department and was misconfigured to allow viewing all previous responses after submitting. One click on “view previous responses” on the post-submission Google Forms page and you can view everyone else’s names, addresses, DOBs, and information like which vaccine they received and in what arm.

I almost didn’t report it, since the kind of shit as described in the link above gets reported so regularly. But I did, and it got fixed quickly. Now I’m just sat here hoping I don’t get served a lawsuit next week by some idiot hoping to cover their ass and make me out to be some kind of malicious actor. (Advice welcome...)


"In a press release Wednesday, the Office of Administration Information Technology Services Division said that through a multi-step process, a “hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators.” Ha, or, summarized: a user clicked "View Source" in their browser. Well, I guess the first step of the multi-step process is to open said browser.


I mean, everything is a multistep process if you are pedantic enough.


This article reminded me that I had to report a data leak I found on an ecommerce website from my country some months ago, so I just did that. I reported it to a government agency responsible for cybersecurity in my country, which apparently accepts reports about private companies.

Any precautions that you recommend when reporting this kind of vulnerability/data leak? (Apart from "do not access other people's data if you can avoid it")


Use a secure service to report these things.

For example here is one from the Guardian: https://www.theguardian.com/securedrop. Here is one from the Washington Post: https://www.washingtonpost.com/anonymous-news-tips/


Aside from everything else,

"According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages."

I expect there will be no consequences for the mindless idiot who put SSNs in the HTML output.


As a hobby, I have been writing little explainers for non-technical people on my blog. I wrote one for this particular incident:

https://www.robotsinplainenglish.com/e/2021-10-14-blame-sham...

I hope HN readers will (gently) correct any mistakes or provide clarifications to make it better. Thanks!


One time I walked down a little-used alley and noticed my neighbor had left his garage door open. The open door was not visible from the street but anyone who happened to walk down the alley would have seen it. I called the neighbor to tell him he might want to close his garage door. He accused me of burglary and called the cops.

No this didn't actually happen but it's the analogy that came to mind.


It’s more like your neighbor put his social security number on a big sign in his window and then another sign that said “please don’t look at the other sign.”


Judging by his tweets, the governor seems under the impression that "decoding" the HTML is a multi step process and breaking it constitutes unlawful access.

He does not, however, feel like expanding on what that means. Several people tried to reach him on that, without success.

Does anyone have "lawful" access to the site? I want to see for myself how those bits of PII showed up in the markup.


I wonder what his reaction will be when people start hacking the state's websites and outright leaking stuff to just spite him.

Dumb move on his part.


The only crime here is that this uninformed governor is going to spend taxpayer dollars and time to chase ghosts. His staff are either terrible, or this is all political theatre. I don't expect everyone to understand the internet at a technical level but no one under this guy could explain that this is a Missouri problem not a hacker problem?


To be frank, I believe this is one of the factors driving people with such skills into black-hat hacking. If they're going to get slammed for using their skills, they may as well get paid in the process.

It's a damn shame such political dinosaurs have such a major impact on hacking.