
Previous thread from 3 weeks ago: https://news.ycombinator.com/item?id=28867562

Recent developments:

- The CS professor whose expert opinion was quoted by the newspaper article is demanding an apology and legal expenses from the state, alleging that the governor defamed and violated his free speech rights.

- The governor's political fundraising committee is running ads making this a "fake news" issue.

The email that the reporter sent, in advance of publishing the article revealing the state education website's data leakage:

> “I recently discovered a significant exposure of the sensitive data of more than 100,000 teachers on a DESE website,” Renaud wrote to the agency’s communications chief, Mallory McGowin. “At this point I am confident what I found is a genuine vulnerability — I have confirmed with three teachers from different districts that their data was exposed. I also have consulted an UMSL cybersecurity researcher who verified my findings. The P-D plans to publish a story about this sensitive data exposure, but we wanted to inform DESE first so that you would have a chance to mitigate the problem.”

> Renaud shared his timeline for publishing the story and asked for interviews with officials from DESE and the Missouri Office of Administration’s Information Technology Services Division. In a second email sent about 45 minutes later, he described the steps he’d taken in finding and confirming the vulnerability.




Also the misfortune of a large fire on Monday that has taken out the workspace and equipment of 80 IT professionals:

https://www.stltoday.com/news/local/govt-and-politics/more-c...

Best online comment on the article:

"When the building's on fire, don't call the fire department or Parson will accuse you of arson."


I’m trying to find the statistic, but it’s something like 75% of crime reporters in the US end up facing prosecution - i.e. if you report a fire, there’s a good chance you’ll face arson charges - if you phone the police to report an assault, there’s a good chance they’ll arrest you for calling them. Made that mistake as a kid when I saw a guy dragging his girlfriend down the street by her hair - turns out the guy was a local politician’s son, and I ended up facing a civil suit for her emotional distress caused by me interfering.

I’ve found vulnerabilities in US government technology, and I know that the sensible and sane thing to do is just move on, ignore it, let it be someone else’s problem - I have no desire to end up in prison for being a Good Samaritan.

If some greater fool can deal with it, let them deal with it. People don’t want help. They want someone to blame.


Thanks for the update. Not surprised to see the governor making the "fake news" argument rather than trying to criminalize the reading of HTML code - in browsers only - across the state of Missouri.


A few years ago an American lawyer wrote a book called Three Felonies a Day [0] whose premise is that "the average professional in this country wakes up in the morning, goes to work, comes home, eats dinner, and then goes to sleep, unaware that he or she has likely committed several federal crimes that day". If pressing F12 is a crime, the average software developer must be committing three felonies an hour.

[0] https://www.amazon.ca/Three-Felonies-Day-Target-Innocent/dp/...


As I recall, that book was considered pretty good, but the consensus was that the title was off by a large amount. I.e. most people definitely do not commit three felonies a day. Maybe a few a month. Which is still bad, yes.

FWIW, I can't remember the last time I pressed F12 ;-)


That is intriguing. Within the source code of its HTML, the White House included an easter bunny encouraging people to apply for jobs if they are reading this message!

Would I be slandered and jailed for applying to this job offering by the US Gov't? What do you think Parson would have done in this situation? I did have to press F12, so this is quite the predicament! /s

[1]. https://www.cnbc.com/2021/01/21/biden-white-house-website-ha...


I think you mean easter egg.


My god, you stole the bunny and left an egg? What kind of monster are you? Put the bunny back or face prosecution.


This tickled me! Thank you.


It depends on how you count, but I can say someone in my house is in near-continuous possession of illegal drugs (cannabis). So there’s one felony. Then maybe I bypass paywalls (potentially a CFAA violation) scrolling through the morning news. And then maybe I jump through a closing train door, which I’ve been warned before is considered “interfering with a railroad’s operation.” So there, three felonies before I’m in the office.


> someone in my house is in near-continuous possession of illegal drugs (cannabis). So there’s one felony

Unless they've already been convicted in the past, that is a misdemeanor.

The railroad example is more interesting, though I can't find anything truly on point. All the legislation I have seen suggests you'd 1) have to intend to disrupt the service, and 2) put something on or near the tracks. I couldn't find anything even hinting that delaying a train through normal passenger controls constituted interference with a railroad.

Even if those were all felonies, I think most people don't even lead that exciting an existence :).


Jumping through closing doors while the warning signals are active is intentional interference in its operation.


But is the intent to disrupt the train? No, it's to hold it long enough to get on board. The law is written such that you'd have to want to disrupt the service for nefarious reasons, not to board it.


Here in Europe disruption to board the train is enough to get police called on you and have them fine you, the fine grows with every minute of disruption. Not a crime, but definitely not legal. Stopping a moving train without necessary cause is criminal.

Very often the conductor will let you board a train late by signalling you with hand or speaking... But disobeying the conductor's signal whistle is where you step into potential illegality, because the train might (and sometimes really will) start moving that same moment.

All of this doesn't apply to city public transport - trams, metro etc. But it does apply to trains passing through the city.


Of course the GP's premise assumes that most devs are web frontend types that care about the HTML. Based on modern frontend libraries, is there really any default HTML that view source would see other than enough to load up the megabytes of JS code?


Yes, consider the case of server side rendering. Or even companies like Basecamp that disavow single page applications. Or massive legacy ASP, PHP and Java web apps.


I said modern, and you replied back with legacy. Not sure if I'm being trolled, you're being super sarcastic above my understanding, or what.


Tons of modern systems built from and on top of legacy. Modern != !legacy. I can also access a lot of legacy systems through modern browsers.


We run a 2 year old frontend system with React server side rendering at work.


Do you even need to press F12? Is looking at the HTML the problem? What if I just download the page? I now have leaked SSNs saved to my computer. Is that criminal in the governor's mind?
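The point the comment above makes, that whatever the server puts in the HTML reaches the client whether or not the browser renders it and whether or not anyone opens dev tools, is easy to demonstrate. The following is an added example, not code from the thread or from the DESE site; the thread does not say how the DESE page actually carried the SSNs, so SAMPLE_HTML is a constructed page with a masked value in the visible text and unmasked values in a hidden form field, an HTML comment and an inline script. The scanner walks the raw response with the standard library's HTMLParser and reports where each SSN-shaped string sits, the kind of check a team could run against its own pre-release responses (no network access; everything is inline).

```python
"""Added example: find SSN-shaped strings anywhere in a raw HTML response.

Nothing here is fetched from the network. SAMPLE_HTML is a constructed page
standing in for a server response; the real DESE page structure is not known
from the thread. The only assumption is that an SSN appears as NNN-NN-NNNN.
"""
import re
from html.parser import HTMLParser

# Formatted SSN. The lookaheads drop values the SSA never issues
# (area 000, 666, 900-999; group 00; serial 0000) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample response. Only the masked value is ever painted on screen.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Educator lookup (constructed sample)</title></head>
<body>
<!-- TODO remove debug dump before release: 123-45-6789 -->
<form action="/verify" method="post">
  <label>Educator: Jane Doe</label>
  <span class="masked">SSN: ***-**-6789</span>
  <input type="hidden" name="ssn" value="123-45-6789">
  <input type="hidden" name="ssn_confirm" value="234-56-7890">
</form>
<script>
  window.__STATE__ = {"records":[{"name":"John Roe","ssn":"555-12-3456"}]};
</script>
</body></html>
"""


class SourceScanner(HTMLParser):
    """Collect (location, ssn) pairs from attributes, comments, text and scripts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # list of (location, ssn)
        self._stack = []     # open tags, to tell <script> bodies from visible text

    def handle_starttag(self, tag, attrs):
        self._stack.append(tag)
        for name, value in attrs:
            for ssn in SSN_RE.findall(value or ""):
                self.findings.append((f"<{tag} {name}=...>", ssn))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void elements
        # such as <input> that never get an end tag.
        if tag in self._stack:
            while self._stack and self._stack.pop() != tag:
                pass

    def handle_comment(self, data):
        for ssn in SSN_RE.findall(data):
            self.findings.append(("<!-- comment -->", ssn))

    def handle_data(self, data):
        # HTMLParser delivers <script> contents through handle_data as well.
        in_script = bool(self._stack) and self._stack[-1] == "script"
        where = "<script> body" if in_script else "visible text"
        for ssn in SSN_RE.findall(data):
            self.findings.append((where, ssn))


def scan_html(html: str):
    """Return every (location, ssn) pair found in the raw markup, in order."""
    scanner = SourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def exposed_ssns(html: str):
    """Distinct SSNs anyone holding the response bytes can read."""
    return sorted({ssn for _, ssn in scan_html(html)})


def rendered_ssns(html: str):
    """Distinct SSNs that would actually be visible on the rendered page."""
    return sorted({ssn for where, ssn in scan_html(html) if where == "visible text"})


if __name__ == "__main__":
    for where, ssn in scan_html(SAMPLE_HTML):
        print(f"{where:22} {ssn}")
    print("rendered:", rendered_ssns(SAMPLE_HTML))
    print("exposed: ", exposed_ssns(SAMPLE_HTML))
```

Run against the sample, the rendered page shows no full SSN at all, while the response carries three distinct ones in four places. Swapping SAMPLE_HTML for the body of a saved response (curl, wget, "Save page as") gives the same answer the F12 pane would, which is the comment's point: the exposure happens when the server sends the bytes, not when someone looks at them.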


Each received TCP packet is a separate charge. After conviction, sentences will be served reliably and in order. Errors will be detected and punished severely.


The book is already a decade old. Surely technology has allowed us to inadvertently commit a greater number of felonies faster and with more efficiency!


Lucky for me, I don't even have an F12 key on my current keyboard.


Thank the heavens that Apple actually saved us from ourselves. All hail Apple! /s


That depends on whether you press F12 on your page or on someone else’s


My cat stepped on my F12! Help!!


I love the term fake news. As soon as someone uses it in some genuine fashion, I know that I don't have to take anything else they may say seriously. (Unless, of course, I become the direct target.)


At one point "fake news" meant something concrete, referring to throwaway blogs masquerading as actual news organizations that don't exist.


> The governor's political fundraising committee is running ads making this a "fake news" issue.

https://www.youtube.com/watch?v=9IBPeRa7U8E

If anyone is curious what the political ad looks like.


I almost never wade into the cesspool that is YT comments but just this once I read through a number. Every single one made fun of the governor and the PAC that put together the video. That was mildly heartening.


Have we heard yet what the exact form of the vulnerability was? I haven't seen precise details myself.

