[dupe] Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting (krebsonsecurity.com)
458 points by picture on Oct 14, 2021 | 131 comments




Missouri Gov. Mike Parson (R) .. vowed his administration would seek to prosecute and investigate .. anyone who aided the publication in its "attempt to embarrass the state and sell headlines for their news outlet."

Embarrassing governments is the natural outcome of the press doing its job. This is what the extra constitutional protections are for.


This is why my outlook on the future is growing dim. Politicians are threatening revenge, using the power and purse of the state, against people who embarrass them.


Politicians are always threatening revenge for stuff like this, for as long as there has been politics.

It is only concerning if the threat is successful.


The only thing that would lead it to being successful is if people are convinced that the attempt itself isn't alarming, and don't act aggressively to do something about it.


Peacefully donating to the ACLU should be sufficient, I don't agree that violence is presently warranted. If the courts fail, then we can talk.


Funding openly Bolshevist legal trolls "for world peace" seems a good idea.


This is as old as the country itself, the constitution is stronger than these thugs.


The US state has successfully suppressed free expression in a number of instances (Henry Miller and Wilhelm Reich come to mind).

The US isn't special as a democracy and it's been pretty shoddy at quite a number of times, though now isn't necessarily the worst moment. The constitution is only strong on free speech and freedom of the press if people defend it.

Edit: It's especially notable that the degree to which governments in the US are run as personal fiefs where officials lash out at anyone who inconveniences them (as is happening here) is strongly related to how far the government is from urban centers.


I live in LA and it's full of personal fiefdoms. I think you just see more talent at obfuscating it.


Your edit reminds me of an absolutely insane article I read a few days ago about an elected Juvenile Court Judge in Tennessee: https://www.propublica.org/article/black-children-were-jaile...


> though now isn't necessarily the worst moment.

Chattel slavery, the Civil War, the Trail of Tears, the internment of Japanese Americans... need I go on? Anybody who thinks America might be in a worse state now than ever before needs a serious reality check.


Alien and Sedition acts argue otherwise.

I do believe the 2nd President successfully jailed journalists for this for years, leading to the Supreme Court deciding to you know, do something about it.

Things are only as strong as the political will believes they are strong. There was a period in the 1800s where the Supreme Court was ignored for example. The Supreme Court of the late 1700s did want to protect the 1st Amendment and they did win the political battle vs Adams. But under different circumstances, a different result could have very much happened.


> the constitution is stronger than these thugs.

The Constitution is exactly as strong as the people who don’t dismissively pretend it is self-enforcing.


Media used to have more dry powder for fights before Facebook and Google intermediated everything.


> attempt to embarrass the state

I hadn't realised the US had kept lèse-majesté when it broke with the UK (even in the UK, the last prosecution was in 1715, so this is particularly retro of his governorship...)


Exactly. Thank you nosy media. This anti-press stuff started with Trump. Terrifying how authoritarian the right has become.

Reporters, please continue “embarrassing” all states. The sane leaders and citizens will be thanking you.


Anti-press goes back decades, centuries even.

Calling it a left/right issue just diverts from the real problem of government overreach and negative reaction to the exposure of malfeasance.

If you seriously think anti-press is a Trump phenomenon, I encourage you to look into the creation and use of the Alien and Sedition acts.

Or maybe how Lincoln treated press that was not acting as a propaganda arm of the Federal government.

If you want a more contemporary example, take a look at Obama's use of wiretapping against journalists and other attacks on press freedom.

When you treat this as a thing that only happens because of one "side", nothing is done to address the root cause.


> Calling it a left/right issue just diverts from the real problem

Alternatively, arguments like that divert from the "real" problem that half of the political discourse of this country is predicated on an "anti-press" sentiment that allows political actors to lie at will.

Yes, there have been abuses against journalists throughout history. And because of that, it's possible to take a long view that "journalism" as a whole will win, given at least a little protection. Society will survive the occasional corrupt leader. It always has.

But the current climate where republicans can simply ignore reporting by mainstream outlets and cite their own alternative media instead is somewhat unique, historically. Something like two thirds of republican voters simply... don't believe in the results of a recent election, because their thought leaders won't tell them straight what the results were. This seems like rather a more pressing threat to democracy.


> This anti-press stuff started with Trump.

* gestures vaguely in the direction of Richard Nixon, waits for historians to chime in with earlier examples.


I highly recommend The Boys on the Bus by Timothy Crouse[1] for some fantastic contemporaneous analysis of Richard Nixon and his relationship with the press. One part that stood out to me: Crouse believes (and presents compelling evidence) that Nixon was one of the first presidents to really understand the press, particularly the press of the nascent information age. Goldwater and Agnew were of the more reactionary anti-press strain, as other commenters have noted; Nixon (per Crouse) genuinely loved the press (if not reporters themselves) and relished in his control over it.

[1]: https://en.wikipedia.org/wiki/The_Boys_on_the_Bus



Trump literally called the press the enemy of the people.

Traditionally, that's the sort of rhetoric a leader uses when they're about to send out the hit squads.


Everyone is kind of right here. I'd phrase it this way. R administrations expand the attacks on journalists (and everyone who exposes Gov wrongdoing) that were done by previous D administrations.

Trump's method to reduce accountability was to nurture animosity specifically against journalism. Behind the scenes, his admin's revenge on whistleblowers carried on pretty much the same as his predecessors.

My long position is that US press coverage has been continually (but not exclusively) deferential to authoritarianism. We see that US coverage of unconstitutional executive domestic actions is often nonexistent, until whistleblowers drag news orgs into doing their jobs (Mark Klein's evidence of NSA+AT&T collusion wasn't enough to overcome the giant press yawn. Snowden's mountain of evidence was impossible to ignore.)

The US press is somewhat better at covering the misdeeds of R administrations than of D administrations (eg: US coverage of Holder's efforts to target journalists was muted, at best.) The difference is primarily a matter of competence. We've proven repeatedly that focusing on bias instead of ineptitude just leads to the 'view from nowhere'.


> Richard Nixon

There's a case that Spiro (“nattering nabobs of negativism”) Agnew is a better Nixon-era example than Nixon himself, not that it started then, either.


If ‘kizer had said “was extremely increased” by Trump it would be an accurate statement.

It’s frankly one of the planks of the shadow platform of the Trump Republican Party that journalists are enemies.


The Julian Assange fiasco predates Trump's rise to power, and was (at least in my opinion) a very clear anti-press action on the part of the US.


Though it got much more dire under Trump..

https://www.theguardian.com/media/2021/sep/27/senior-cia-off...


This governor needs to face a recall election or civil lawsuits for these idiotic threats and lies.


We don’t do recall elections in Missouri.

Also, sorry about Governor Hee Haw. We know he’s an embarrassment.


There’s no extra constitutional protections. It’s all under free speech. Everyone is equal.


But he’s not speaking in his capacity as the individual and citizen Michael Parson. He’s speaking in his capacity as Governor Michael Parson. We know this because he’s threatening to use his governing powers to employ government resources.

Whether state actors have a right to free speech is not, as I understand it, a settled matter of law.


It was added as an amendment, therefore it is an extra constitutional protection. Some people (a broad coalition that included both Federalists and anti-Federalists) were concerned that the Constitution, as originally written, did not ensure a protection of human rights. That's why they pushed through the Bill Of Rights.


x1000 this.

The freedom of the press is a right granted to all citizenry of the United States, not a specialized permission granted to an elite caste.


The freedom of the press isn’t about caste, but it is about context.

For example, based on Chaplinsky v. New Hampshire it’s constitutional to prohibit “fighting words,” which would mean some things are fine in print but you can’t say them to someone’s face because they would provoke violence.


Really appreciate this example.


And suppressing opposition is the natural outcome of the government doing its job. The problem isn’t whether one group or another is “doing its natural job.” The problem is that what the reporter is doing is good, and what the government is doing is bad.


"And suppressing opposition is the natural outcome of the government doing its job. " - no it isn't. It's the natural outcome of shitty people being elected. The JD isn't "jackboots on necks" or whatever.


> no it isn't. It's the natural outcome of shitty people being elected.

Okay, well it's the outcome of literally every government of non-trivial size and duration.


Your original intention, I believe, was to comment on the natural tendency of the system we've put in place. The phrasing "doing their job" has a slightly different implication, I think, of a system doing what it's "supposed" to do and not what it actually does.


Then the question is who is doing the "supposing"? I'd say if every government I've ever seen or heard of routinely engages in suppression of opposition, I'm going to suppose that the next government I encounter will as well. It's not like these are random government employees doing the suppression unprompted: they are in roles expressly intended to suppress opposition.


Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million

Talk about waste of resources.


A minor but important correction. Krebs wrote that the Gov claimed that “fixing the flaw could cost the state $50 million.” That’s not quite right. In the press conference linked in Kreb's post, the Governor actually claims that the “incident alone may cost Missouri taxpayers up to $50 million.” I’d guess this number includes an estimate for the legal cost of dealing with the data breach plus any statutory penalties the state might incur (plus a grossly inflated price for fixing the bug).


It's a disgrace the agency who produced this website is not liable for this substandard quality.

How crazy is it that code like this is deployed to production and then the customer has to pay 50 million to get it up to standards? The senator should be ashamed they are being scammed like this.


> fixing the flaw could cost the state $50 million

It's hard to imagine the kind of contorted bureaucracy that could turn such a fix into a $50 million change request, and yet, I wouldn't be surprised at all if it did cost that much.


Governor’s cousin needs to eat, too.


I mean it wouldn’t be a weekend fix because it’ll have to involve an audit of all existing systems to identify where else similar tomfoolery occurred.

But 50 million is a high estimate.


30 minutes removing a piece of output: $100

Knowing where sed output is generated: $49.9999M


> Knowing where sed output is generated

Is the use of "sed" intentional or a typo? Either way, I love it.


Seems quite intentional. It is a Levenshtein distance of 2, and i is physically far away from e and a on most commonly used keyboard layouts.


Remove SSN field from DTO - 49 million

Invoice Fee - 1 million

Not bad for -1 lines of code.


I could totally fix it for $49 million. /s


This is a race to the bottom and why tech workers need to unionize. Soon someone could be fixing it for a measly $1 million. /s


Contractors in Missouri must be drooling in anticipation.


I would absolutely love to know who provided that estimate and how they arrived at that number. I understand that issues are often far more complex than they appear but this just seems ridiculous.


Turns out a bunch of other systems rely on this bug to fetch information, and no-one's entirely sure where they are, who's responsible for them, or what they do. Also the page is auto-generated though some arcane CMS such that it's really hard to figure out how to get the data off that page while keeping it other places where it needs to be, without restructuring the whole thing. Also deployment is manual and you'll need to go back and forth with some unrelated department for months to make it happen. Also there's no testing environment, no information about how to get it running—let alone any useful scripts or config/deployment management—is in the repo or otherwise available at all, and there are no tests. And it's all written in an unholy combination of ASP.NET and Java server pages. And the "database" is a standards-nonconforming CSV.

(pure speculation)


Cheap solution: put a proxy in front like Cloudworker/Lambda and modify the HTML before it gets sent to client.


Yeah, maybe the current system is an amalgamation of 20 such cheap solutions accrued over decades. If they are not in a crisis, they should do it properly.


I know right. An immediate fix shouldn’t cost anything, right? Just don’t send social security numbers to the browser.


What are the odds it will be going to someone he knows?


> “And then to react in this way where you don’t say ‘thank you’ but actually turn on the reporter and researchers and go after them…it’s just weird.”

it's not "weird", it's an elected official trying to deflect from being exposed as completely endangering the PII of state employees. while trying to bring charges here is ridiculous, it might not be the case in a few years as we watch the continued crumbling of institutions, where bad faith arguments made up on the fly by anyone in power become excuses to do anything. like trying to extort the government of Ukraine to work on behalf of the official's personal reelection campaign, for example.


I wouldn't be surprised if the governor acted more because he sensed an opportunity than out of fear of the story. By playing the story this way, he gets to act out the feelings of a constituency that feels judged by educated urbanites and unable to keep up with a changing world. He is standing up for the honor of Missouri against the sneering condescension of the fancy city reporter. From that point of view, he isn't dealing with a threat so much as feasting on a political opportunity.


It's kind of weird. After all, it's not like the governor is directly responsible for the flaw. Even if his opposition could have indirectly linked his administration to the flaw, his response has certainly done far more damage to his reputation than that ever could.


Most likely voters don't understand how computers work. I'm not sure it'll matter much.


I’m fairly sure he doesn’t understand. The language used makes it sound like he has no clue how HTML works.

Back in the 90s, I was constantly being accused of hacking things just for knowing how to build a website. This was also the era when the news would run phone polls on whether the Internet should be allowed or not.

I learned to keep my mouth shut about what I could do unless I was sure it was a tech-savvy crowd.

This dude brings back a lot of those memories.


> This was also the era of when the news would run phone polls on whether the Internet should be allowed or not.

Given the way things are going, perhaps we should revisit this decision. It seems that there's a population that isn't quite ready for this level of access to [mis]information.


> This was also the era of when the news would run phone polls on whether the Internet should be allowed or not.

Clearly, people answered those polls incorrectly.

It should definitely not be allowed.


I agree. Only elites should be allowed to use stuff like LSD, computers and the internet. This can be arranged simply by criminalising it; along with a social convention that elites don't get prosecuted. /s


No, no, no. More LSD. Less Internet.


For more complex cases this could be an issue, but this one is dead simple: you could do "view source" and see teachers' social security numbers. If they go to trial this case will be laughed out of court.


I still think the governor can be seen as indirectly responsible, since this is a result of insufficient security auditing.


The underlying issue here is that there is no national legal standard for responsible disclosure. ...and with all the news of foreign ransomware gangs causing havoc, prosecutors and politicians are HUNGRY to prosecute "hackers".

My advice to a client would be not to disclose any vulnerability on a government system, due to the unfortunate legal liability. ...and if they did feel the need to disclose (which I admire), to do so anonymously to a 3rd party security researcher with the history and reputation for that sort of work (ie a reputation that even an old IT-clueless judge cannot deny).

Don't put yourself in the cross-hairs of some overzealous prosecutor who wants to show his boss/party/public that he's the one prosecutor that busted a bunch of evil hackers.


Right, or allegedly trying to extort the government of Ukraine to end an investigation against the official's relatives. Corruption on all sides unfortunately.


which would also be bad! however, my example actually happened.


Yes, as did mine (allegedly.) See <https://www.washingtonpost.com/politics/2020/10/14/hunter-bi...>

It seems that in both cases the accused was acquitted or the investigation against them was closed. That's hardly a reasonable indicator of innocence though, as just like you said above, powerful people can often make up excuses to get away with crimes and corruption scot-free. You might be entirely right that one example really happened and the other didn't.


> “hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators.”

There's so much wrong here - am I to understand that if the state sends you SSNs in plaintext and you read them, _you're_ at fault?


> if the state sends you SSNs in plaintext

No no no. It was decoded from HTML, a process so complex Chrome is able to consume an entire modern desktop computer doing so.


Only if you decode the plaintext with your eyes.


This is so idiotic. Does Missouri really want to discourage people from reporting security vulnerabilities? It sounds like this reporter did the responsible thing and alerted all affected parties. I can almost guarantee that if a decent person found this, a dozen less-decent people did too. If a decent person is afraid to report a security issue, even more less-decent folks are going to have access to this information.


Don’t try to bring logic, reason, and/or prudence into it — this is politics, which is a whole other thing.


I think the governor ought to resign. He’s taking something that is, ultimately, HIS fault and trying to pin it, of course, on “the media”. The SSN numbers were in the page; they were in the source code. “View source” is not decrypting a webpage. God, I know he just has no technical understanding, but even then he should be smart enough to get the details and realize they weren’t “hacked”. This person clearly doesn’t understand what a free press is: they could have legally run the story without even alerting the state agency, but they did the right thing and this idiot governor is still trying to deflect blame.


As a citizen of the pitiful state, we tried to vote him out last election cycle. He wasn’t even elected before this, something along the lines of Nixon’s transfer of power to Ford is what happened in my state.

Yet he was re-elected.


Apparently, the SSNs were all embedded directly in the HTML file. Like … what?


When I was a student at DeVry University (a national for-profit college with 40 campuses) your SSN was your student ID. This wasn’t corrected until 2002 or 2003. :(


Your SSN was your driver's license number in 29 states until 2004, when Bush outlawed the practice.

Many, many institutions in the USA are built on it being a high-trust society. Now that it's falling into a low-trust state, we can expect those institutions to fail, and perhaps the state to as well.


They weren't supposed to be used as any kind of important, general ID number. It took various governments and institutions a long time to wake up to the reality that, because we really, really need such an ID and the government has displayed no intention of ever creating one, social security numbers had been forced into the role by necessity.


> Many, many institutions in the USA are built on it being a high-trust society. Now that it's falling into a low-trust state, we can expect those institutions to fail, and perhaps the state to as well.

Not enough people understand this, but I'm encouraged whenever I hear from those who do.


This raises the question of how we start planning now to build more appropriate institutions to avoid societal failure.


Locally, generally. Remember Gall's Law: "A complex system that works is inevitably found to have evolved from a simple system that works." Also much easier to rebuild trust in a smaller community.

I'd kinda love to blog about blue-sky social theories, but I suspect that without grounding in actual working social systems, they would remain theories.


Kind of a nitpick, but presidents don't outlaw things. Laws passed by Congress do that, and you're right, it was in 2004. Bush signed the law, but it passed by a huge majority.

https://www.ssa.gov/legislation/legis_bulletin_010705.html


I'd initially phrased it "Bush signed a bill that outlawed...", which is much more correct, but is also an awkward sentence construction to read. Figured people would understand what I meant.

...this is also an apropos discussion for this topic, where the Missouri governor is framing this discussion in a way that's technically false but is going to score points with his constituents.


Using your SSN for your driver's license would have been fine in a society where the SSN wasn't also being treated by banks etc. as a way to authenticate you for credit/loans/accounts.


This was common at many schools.


My high school rolled out an ID system in 1998 using SSNs printed on every ID (staff and students). About a week later, they realized this was a bad idea and reissued 1000+ IDs without the SSN.

I still don’t know what the point of the ID cards was. They were just laminated paper, no RFID, magstripe, or barcode to open doors or to buy things from the cafeteria or school store. You didn’t need it to check out books from the library and no one ever asked to see it. And we got a new one every year.

I guess some vendor convinced the school that they needed ID cards and so they got them.


Irving Campus ? I was there for those years.


    </tr><!--- {{ str(row) }} ---> 
I don't find it TOO much of a stretch....

(I don't know what it actually looked like in the html, just saying I could see it happening pretty easily)


If they were using a server-side rendering framework then what probably happened is that they used HTML comments instead of template engine comments to "remove" the SSN <td />s without understanding the ramifications.
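The mistake that comment describes, as an added example that is not code from the page or from the Missouri system: a minimal, constructed emulation of a Jinja-style template engine (assumed syntax: `{{ name }}` substitutes a field, `{# ... #}` is an engine comment dropped before rendering) shows that wrapping a field in an HTML comment still ships its value to every client, while an engine comment never does; a stdlib check then scans the rendered page, HTML comments included, for SSN-shaped values. The rows and SSNs are made-up test data.

```python
import re
from html.parser import HTMLParser

# Constructed sample records; the SSNs are invented test values.
ROWS = [
    {"name": "A. Teacher", "cert": "12345", "ssn": "123-45-6789"},
    {"name": "B. Teacher", "cert": "67890", "ssn": "987-65-4321"},
]

# Vulnerable pattern: an HTML comment does not stop substitution. The
# engine fills in {{ ssn }} and the browser receives the comment verbatim;
# "view source" shows it.
TEMPLATE_HTML_COMMENT = (
    "<tr><td>{{ name }}</td><td>{{ cert }}</td></tr>"
    "<!-- {{ ssn }} -->\n"
)

# Fixed pattern: an engine comment is removed server-side before any
# substitution, so nothing about the field reaches the client.
TEMPLATE_ENGINE_COMMENT = (
    "<tr><td>{{ name }}</td><td>{{ cert }}</td></tr>"
    "{# ssn intentionally omitted #}\n"
)


def render(template, row):
    """Emulate engine semantics: strip {# #} comments first, then
    substitute {{ field }} from the row. Only plain field names are
    supported in this emulation (no expressions such as str(row))."""
    stripped = re.sub(r"\{#.*?#\}", "", template, flags=re.S)
    return re.sub(r"\{\{\s*(\w+)\s*\}\}",
                  lambda m: str(row[m.group(1)]), stripped)


def render_table(template, rows):
    """Render one table row per record, as a server-side page would."""
    return "<table>\n" + "".join(render(template, r) for r in rows) + "</table>\n"


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class CommentCollector(HTMLParser):
    """Collect the text of every HTML comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def find_ssn_leaks(html):
    """Return (ssns anywhere in the response body, ssns inside HTML
    comments). The first list is what a reader of the raw source sees;
    the second pinpoints the comment-based leak a rendered view hides."""
    collector = CommentCollector()
    collector.feed(html)
    anywhere = SSN_RE.findall(html)
    in_comments = [s for c in collector.comments for s in SSN_RE.findall(c)]
    return anywhere, in_comments


if __name__ == "__main__":
    for label, tpl in (("html-comment", TEMPLATE_HTML_COMMENT),
                       ("engine-comment", TEMPLATE_ENGINE_COMMENT)):
        page = render_table(tpl, ROWS)
        print(label, find_ssn_leaks(page))
```

Running the same scan against a real page's raw response body (not the browser's rendered DOM) is the regression check that catches this class of leak before deployment.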


Oh hey, my home state is on Hacker News!

Oh... sigh.


Like most Missourians I know (mostly who have left their state though), it's fair to say that you've transcended where you're from.

Thanks for all you've done -- I use your work daily.


hugs

My home state is Florida. It will be alright.


As a fellow Florida-raised human, I feel your pain.


Being from Texas, I feel like Texas and Florida are in a race to wherever it is they think they are going. I feel like there needs to be a state level rivalry like colleges. Brings a new meaning to Texas State vs Florida State. Maybe they can have halftime shows too. I also think state laws should be copyrightable so that when other states copy their asinine laws, the originating state gets royalties.


Just to make sure that I got both experiences, I also lived in Texas for three years after leaving Florida.


You are a glutton for punishment! I moved out of Texas and moved to the west coast for a bit. I then eventually moved back to Texas for family reasons. Moving back was a much worse culture shock. Yes, I knew what to expect, but being away from it and then dropped back in just reminds you of how bad it is. Kind of like a boiling frog growing up, but then being the lobster as an adult.


I just moved to Florida after New York completely lost the fucking plot. Literally my neighborhood (Hell's Kitchen) reverted to its 1980s self, street-walking prostitutes included. Homeless encampments as far as the eye can see.

Loving it here so far.


Thanks for your input.


(waves from Texas)


Right there with ya (my home state is NC).


At least y'all have beaches and something resembling real mountains. :-/


They gave notice and waited until the offending pages were taken down. The article does not specify what the original HTML looked like; it could be a simple artifact from testing, when someone dumped the entire object into a template for debugging, or maybe they actually were using this as a sort of data field and then used it, for example, in a JS call to the server.

But the response from the AG shows they have no idea how internet works: “They had no authorization to convert or decode, so this was clearly a hack.”

Bigger questions: Who developed the system? Was it a contractor or in-house? If it was a contractor, are they gonna lose government contracts? Because, it sounds like they should. If it was in-house, are they gonna get training or some procedure in place to audit things going forward?


This is exactly what happened to weev. He found that information that was intended to be private was made publicly available by AT&T.

Weev went to prison for typing in URLs that he should not have. They were criminal URLs, just like these.


Kind of... The AT&T data wasn't public, Weev & Co. had to build a script to generate plausible ICCIDs which they then 'challenged' the AT&T servers with the URL containing the ICCID. If it was a valid iPad ICCID and registered with AT&T, the server would reply with the email address registered to it.

That seems materially different to just F12ing a website and seeing plaintext Social Security numbers.


How on earth, in any reasonable estimate of what it costs to solve this problem, does he come up with a crazy wack-a-doodle estimate of 50 million? Also, if they had just fixed the problem when notified (prior to releasing the story) and kept a low profile, we would be less likely to be reading about it. What a moron!!!!

Also, if the owners of the web site had spent a couple of dollars on a Pen-Test they would have found this low hanging fruit long before it got into production.


This is embarrassing, so let's pretend it's a crime for the reporter to report the truth. This tactic might work for the NSA, but I hope it doesn't work here.


This type of response by a high level public official is not excusable in 2021, maybe in 2005 or 2010, but it's 2021 now.


> there was no option to decode Social Security numbers for all educators in the system all at once

Sure, but this was an application where you could search for any licensed educator and get their social security number in the response. This is about as bad a PII leak as can happen to a state government.


This reminds me of the US senator demanding that FB commit to ending 'finsta'. He clearly had no idea what that term means. https://www.youtube.com/watch?v=TGt1Ukg7q4Y


I understand the mistake of being born in MO. I understand the mistake of settling there long ago.

I have minimal sympathy for those who have chosen to stay recently.

I have contempt for those who would move there now, or seek out business there.


I wonder if the page in question is cached in the internet archive.



> for reporting

Fake news. The progressive crook wanted for exploiting and disclosing the data, not for reporting.

Actually, Krebs on Security should know where a line is drawn.


Is this the beginning of the War on Developer Tools?


Not likely. More likely the start of law suits against information technology owners who provide insecure access and threaten people.


> fixing the flaw could cost the state $50 million

Ummmmm how does something need that much money for a bug fix???


I'd be happy to fix it for half.


Dupe

Seriously though, it deserves to be said again. The website operators are negligent, IMO.



It is like pipes.


or tubes


$50m to fix? Seems a little ridiculous…


flagged as duplicate @dang



