>Cole County Prosecutor Locke Thompson released a statement Friday saying there is an argument to be made that there was a violation of law, and that the issues at the heart of the investigation have been resolved through non-legal means, the St. Louis Post-Dispatch.
That sounds more like that "we would have prosecuted the reporter" if they hadn't discovered that the "state education commissioner initially planned to thank the newspaper for finding the problem".
They should have profusely thanked him and also given him an award.
Find a vulnerability for a big tech company, get $10,000. Find a vulnerability for the government, get prosecuted. I wonder why government IT is so far behind the private sector!
I think we shouldn't even call it a vulnerability. They send the 'secret' information in the html file, hoping that the browser does not render it (which it doesn't, so 'viewing source' was the way to see the information). I am actually surprised that they don't charge the person who set up that system; it is like broadcasting the confidential information.
> Find a vulnerability for the government, get prosecuted.
In fairness the government is, of course, not a monolith. There are multiple federal bug bounty programs out there [0] [1]. This is probably better stated as "find a vulnerability in the systems of a deeply corrupt, gerrymandered, and unpopular state's government's sites and be prosecuted in that state."
The government is so fragmented and ineffective that even if I did find a pentagon vulnerability, I'd feel like some other department would prosecute me for it.
From the Statement by Josh Renaud about Missouri investigation:
> This decision is a relief. But it does not repair the harm done to me and my family. // My deepest desire is that somehow this situation might be redeemed. And I believe it can be. // My actions were entirely legal and consistent with established journalistic principles.
Depends. Might have been a bit stressful, but this is exactly the kind of "good trouble" a good journalist hopes to be in.
They thought they had just found a mistake in the government's IT system; instead, now they have a story about a mistake in the IT system and an idiot governor who doesn't understand infosec and is too bad a leader to delegate to people who do.
I am not at all convinced that one story where the subject's reaction is out of place makes for a great career boost - though I can see ways how it achieves the opposite.
"Known to cause lots of work for legal department" could, for some bosses, be considered a negative signal in hiring. Moreover, "pisses off people with power": same.
> what it says on the résumé for any journalist worth hiring
To a good editor, yes. But I'm not sure the majority of editors are good ones, so while your point isn't exactly false, the GP's is also true (with all the other ones).
And the place is sufficiently corrupt enough to have the prosecutor walking a tightrope so Parsons doesn't go after his ass too. I found the prosecutor's statement very unsettling. He basically said that the reporter conducted criminal action but they are going to let it go because he has been punished enough already. Missouri sounds like a toxic, corrupt hell hole.
Well, I think if the matter reaches the prosecutor's office and it sits there for several months before a determination is made whether to proceed, it's not a stretch for the party involved to prepare as if he will be prosecuted.
> What are the details behind «resolved through non-legal means».
The prosecutor did what the governor refused to do: Asked someone with a clue, and found out that absolutely no crime took place. Technical / factual means, not legal.
Clearly states need to start issuing equity options to govt employees on their future tax revenue. That and somehow raise property values in the middle of Missouri to $500/sq ft.
Just another reminder that DAs and prosecutors are just cops with law degrees. No interest in figuring out what really happened and furthering justice, everyone on the other side of the line is guilty and they only decide to charge or not based on whether it serves them, and most importantly they are never, ever wrong.
I read it as more of “he did nothing wrong but I can’t make the governor look bad so I’ll imply it was obvious he was guilty but we’re being magnanimous about it.”
That seems to be exactly what he's saying. People here seem to want to make the DA out to be as stupid as the governor or as a malicious person, but based on this statement he didn't actually think he had a case. Saying that something could be argued means that you're coming in with an argument that could be accepted if you overlook all sorts of details and context.
I also feel MBCook is probably right. In this particular case, however, there does not appear to be any argument for prosecution that does not immediately look preposterous as soon as you give it any thought. If this is so, then, by equivocating - for political expediency or any other reason - the DA is inviting doubts about his competence or integrity.
I'm hoping that "the issues at the heart of the investigation have been resolved through non-legal means" is a paraphrase for saying that the DA pointed out to the governor, directly or through his aides, that any attempt to prosecute would fail and bring down a heap of public ridicule.
> the DA pointed out to the governor, directly or through his aides, that any attempt to prosecute would fail and bring down a heap of public ridicule
If so, then apparently not strenuously enough: The governor went right out and issued a press release that invites just as much ridicule as his previous statements.
That was certainly my interpretation. I can't really think of a more politically savvy thing the prosecutor could have said.
"there was an argument to be made that there was a violation of law" is fantastic in the way it appears to be saying something but it's not actually saying anything.
That's some serious weasel wording. "There is an argument to be made" means that one could make that argument, not that you are making the argument, or that the argument has any merit, or whether it would be thrown out of court, or whether you consider this whole thing a waste of your time and would rather be doing your real job right now.
Sounds like he's just being diplomatic. It would sound a lot more like criticizing the governor if he were to say things like "There is no argument whatsoever that can be made. In fact I don't know how this dumbass case ever got this far" and so forth.
There was a violation of the law: the dissemination of private information by the government. Unfortunately they are not interested in prosecuting that but it would have been nice if someone had sued them as they were sending it completely in the open. At least they could make some introspection in what kind of contracting process is in place because it's a complete disaster.
I like how all the statements from government employees imply "we are being nice." Like no, you're incompetent and this person did you a favor and you got butthurt that you look stupid and decided to jeopardize someone's life to throw a hissyfit and now you're backing off because you look even more stupid and refusing to admit it and so look even more childish than that. That's what happened. You didn't "decline to prosecute as is your prerogative." Just admit you were wrong, you might salvage some respect.
This is exactly the role our judicial branch should play and so rarely does.
Step by step in America, the judicial branch has become more and more deferential to the executive branch when it comes to law enforcement. The reality is that I (and you) should have zero expectation that they will protect you from bad state actors at this point.
It is something everyone involved with the judiciary should be embarrassed about.
And now he should sue both the law enforcement department and Parson. Make them pay for this bullshit and also a precedent should be laid down like a marker in the sand. Not sure what that marker is exactly, but at the least it will be ‘don’t be batshit crazy like Mike Parson.’
How about making it illegal for a state official to explicitly make credible threats to use unjustified state violence against someone? Similar to how it’s illegal for anyone to make credible threats of unjustified violence against anyone else.
Even if it became illegal, qualified immunity would protect the official who made the threats, so officials will likely never be personally impacted by breaking the law and so it'll keep being broken.
While many wear the badge of hacker with pride, it seems that the government officials calling him a hacker is clearly defamatory and potentially injurious to his journalism career in this situation.
The governor's argument was. The DA magnanimously acknowledging that the governor can make that argument wasn't; it was as diplomatically suave as a White House official saying the President can do what he wants with government sharpies.
The thing is though, I think this is basically correct. They probably could prosecute the reporter if they really, really wanted to. Not that I think they could actually convict someone who was obviously acting in good faith to report a security vulnerability, but security research of this kind seems like such a gray area legally speaking. In general we wouldn't treat an obvious flaw in physical security as a mitigating factor for theft. That is, if I drop my wallet in a public place it is still probably theft for someone to pick it up and take the cash inside.
To be clear, this is in NO WAY a defense of the way the government acted in this case which was both insane and harmful, but just to say that a lot of what makes things illegal is subjective judgements about intent. This is why professional pen testers (the careful ones at least) generally specify in very clear terms what the scope of their engagement is (and still sometimes end up getting arrested). I can only imagine that doing independent security research is a minefield.
This is not like dropping a wallet in a public place. This is literally the equivalent of sending your wallet to my house amongst other things that I actually requested. When you visit a website you are essentially trusting the website and giving it permission to download arbitrary data (in the form of HTML, CSS, and Javascript) to your machine. Now imagine if that website gave you more data than you intended to the point where it made you liable as an owner of something you neither intended to have nor wanted.
In terms of delivering something malicious to someone under no presumption of its deliverance, it's analogous to the extreme case of someone shipping a whole bunch of cocaine in a package with a book that you ordered. If we want to get closer to the actual problem, it's like you finding a paper shipped with your book and seeing a whole bunch of social security numbers on it that may have included your own! Now if you have reasonable indication that this list was being sent out to everyone who ordered books from a specific place, of course you'd want to inform the people sending books to stop doing this so you could feel safe about your personal information.
Now imagine instead of protecting the information which has been going out to random people, the company decided to get angry and attempt to prosecute you for pointing out their negligence. It's absolute idiocracy.
As one of the Missouri residents who had their social security number exposed in this way I'd be furious at those who were delivering it.
Right, you should be furious at the people who created the site because they are absolutely at fault. But X is at fault for ludicrously bad security practices and Y exploited said bad security illegally are not mutually exclusive.
But to use your example, if you accidentally ship your credit card to me amongst a bunch of other papers, it would still be illegal for me to sell the information on the dark web. Likewise, if the reporter in question took the SSNs and sold them on the dark web that would presumably be prosecutable as well. Now if I just took the credit card and returned it to you, I don't think any reasonable person would consider that illegal (and I certainly hope that no prosecutor would try and bring a case for it). My only point is that we ultimately are making judgements about malicious intent.
To be clear I don't mean to imply this is just some misunderstanding either. Obviously the MO governor is just being a blowhard to try and deflect blame for a really bone-headed screw up. But I see a lot of discussions in security/hacker circles where people seemingly think that if security is bad enough, then whatever you do to exploit it cannot possibly be illegal. But I don't think that is true and people should keep it in mind.
> but security research of this kind seems like such a gray area legally speaking.
Security research in general is a grey area. “Security research” of this kind is like spotting that the entire database is on file in a public library, with confidential data “encrypted” using Pig Latin, then reporting it to the librarian.
You're right, I shouldn't have said "of this kind" because in this case I don't think any sane person would think this was nefarious. But my point was just that, to use your example, the only way you would know that said database had confidential information in it would be to "decrypt" it. Then it is a question of why you did that. Was it malicious? No, but a sufficiently bad faith actor may try to argue that it was so you should be careful.
Take another example. Say you fire up Wireshark on a public network like a coffee shop and see some unencrypted network traffic with confidential information in it. The packets were delivered to your computer and there for anyone to see. But why are you capturing traffic that wasn't intended for you (in the broader sense)? What if the traffic IS encrypted but with weak encryption that is easily cracked? As soon as you step off the path of "I am viewing information which was clearly meant for me" you're in a gray area. Of course as a society we should recognize that people who do these things and then responsibly disclose them are doing a valuable public service, but not everyone understands these things. Or in this particular case, some people are heavily incentivized to make bad faith arguments in order to deflect blame from their own screw ups. So it's worth being careful.
> But my point was just that, to use your example, the only way you would know that said database had confidential information in it would be to "decrypt" it.
While it looks obscure to the uninitiated, anyone with a day-to-day familiarity with Pig Latin (e.g. a schoolchild) would be able to just read the information straight off, with little-to-no conscious “decoding” stage.
> As soon as you step off the path of "I am viewing information which was clearly meant for me" you're in a gray area.
People say that, but the law is usually quite explicit about such matters. Your “grey area” is just ignorance of the law. (And I'll go on record as saying that the law around this is usually really silly.)
Quote: ""The state did its part by investigating and presenting its findings to the Cole County prosecutor, who has elected not to press charges, as is his prerogative," spokeswoman Kelli Jones said."
If they would've continued, then the prosecutor would've been laughed out of the court by the judge. The lawyer defending the journalist would've called this the easiest case of his/her career. This statement is made to look official to save face. Plain truth is that the state simply fucked up badly, starting from the head all the way down to the tail.
Unfortunately that's not necessarily true. There are plenty of examples of prosecutorial overreach and unfair sentencing because our laws were written by people who fundamentally don't understand technology. It will probably take a few generations to fix that.
Common sense won out in the case, but it certainly helped that the target was a reporter instead of a security researcher or ordinary citizen.
> people who fundamentally don't understand technology. It will probably take a few generations to fix that.
No, it won’t be fixed. You seem to imply that people are actually deciding things based on their understanding of the facts. I don’t think so.
I think that people in these positions don’t care if they understand technology or not. They care about how they will look. If they can get away with pleasing their confederates by pretending they don’t understand technology, they will do so. If they could please them by pretending to understand technology and do the truthful thing, they would do that. They might (or might not) actually understand technology, but this has nothing whatsoever to do with what they will actually do. They will do the most profitable thing they can plausibly get away with. In a few generations, as you say, people might have less room to blatantly pretend they don’t understand a certain level of technology, but I have a feeling that technology itself will have become proportionally more complex, too, so nothing will change in practice.
No, I think GP is correct in saying that the case would be laughed out of court.
Pursuing this case would have been a gift to the Post-Dispatch and Ian would have been a hero.
Not only is this whole thing over literally right-clicking html, but this is a Reporter working for a local newspaper.
Imagine for a moment that this story was about a regular person who is not employed as a reporter with credentials and a portfolio. Depending on that individual's circumstances, it could easily be a life-ruiner. I could think of a few people.
My impression from previously looking into this case is that there probably was a violation of the law here, but that it would be absurd to prosecute it.
The mistake here would be to assume that officials always correctly avoid absurd prosecutions.
He assessed a public web-page, found base64 encoded content, and decoded it. Please explain in exacting detail what you're claiming here both in terms of facts AND law.
> If they would've continued, then the prosecutor would've been laughed out of the court by the judge. The lawyer defending the journalist would've called this the easiest case of his/her career.
Yes, I'm sure that would be true.
Of course, I was ALSO sure that no governor would spend months (even after being well-informed about the matter by his advisors) railing against the journalist who reported this.
I HOPE I'm right that the judicial system isn't suffering from the same malaise. But I'm no longer as sure of that as I used to be.
BTW the accused reporter is an occasional HN user who maintains a blog[1] and wiki[2] about BBS software. He started that site after seeing that Wikipedia was deleting pages about BBS software[3].
The prosecutor’s statement is just normal posturing. It’s common language; a prosecutor will never state ‘the charges were baseless and are a waste of our time’. But that’s essentially what their statement means.
This fact tells how much the Judicial system needs improvement. The fact it depends on who's sitting on a chair to determine whether a journalist should be charged for helping the public. Unbelievable...
Agreed, but this issue goes far beyond the judicial system.
The way the governor handled this situation really showed how much of a liability he feared this story would be to him and his party politically. Instead of examining the underlying conditions of the state agency responsible for the data breach, he chose to go after the messenger.
Given that every single time a company gets caught like this, the first thing we all point to is how stingy they are when it comes to security. A conservative governor doesn't want to be in a position where the solution to the problem is to spend money, so he went after the journalist instead.
If you look into the history of this specific governor and Missouri politics it makes more sense that he's an ideologue that refuses to accept any kind of bad press or even that mistakes can happen. This is the same politician that claimed he solved Missouri "covid problem" but ranks middle of the pack. It's a mindset that is all too common in politics today. Everything inconvenient is fake news. Every embarrassing headline needs to be countered in the culture wars. Silence dissent, crush free press, etc etc.
And I'm sure none of his base will notice or care that months later the reporter isn't actually being prosecuted. The political points scored still count.
I would campaign on this alone. Say how the opposing party wants people to be insecure, exposed and that they will try prosecuting you for doing the right thing cause they have such fragile egos.
You have pointed out a weakness, but it seems in this case that it is working.
The judiciary, legislative, and executive branches of govt., as well as the other independent institutions of civil society, such as academia and the press, all must be strongly independent of each other for a democracy to survive.
In an autocracy, all of the institutions are coerced to bend to the will of the executive.
In this case, the executive (governor) made it very clear that he wanted this journalist prosecuted, a blatant attempt to bend the press to his will. In this case, it wasn't even the judiciary, but the prosecution, which is still in the executive branch, so nominally under the governor, who basically told the gov to go pound sand.
So, whenever you see executives undermining the independence of other branches or institutions, be VERY suspicious; it's a dead giveaway that they are interested in only their own power and not working to benefit the citizens they serve.
Would there not also be a grand jury involved at some point? If there is, the prosecutor's decision is more like a single point of failure in the prosecution than a single decider.
What crimes require a grand jury is state-specific.
About half of states require grand juries for some crimes. Of those, a bunch (Minnesota, Georgia are good examples) restrict grand juries to crimes that can be punished by life imprisonment/death.
Others require them for any felony (New York is a good example).
People who watched a lot of Law and Order think grand juries get everything, because in New York, grand juries are required for all felony cases.
The other half of states do not require grand juries for indictments.
My recollection (take with grain of salt) of Kansas is:
1. A prosecutor can, but is not required to, present to a grand jury for a felony case. They can also just indict directly.
2. Citizens can actually empanel a grand jury. It's something like 100 people min + 2% of the voters in the county.
3. If that grand jury indicts, prosecutor can still dismiss it, but it requires leave of the court (rather than them just being able to do it out of hand).
Really? It looks as though the system worked in this case.
A technical violation of the law was not prosecuted as a result of the exercise of prosecutorial discretion not to pursue a prosecution which was not in the public interest.
Grand juries are not a solution to this problem. One glance at the shockingly high percentage of cases in which grand juries indict should be sufficient to cast doubt that they are truly filtering out bad prosecutions. That the proceedings occur in the absence of the accused and therefore deprive them of procedural fairness is another problem.
The responsibility properly lies with the prosecutor.
> A technical violation of the law was not prosecuted
This part I was not clear on. I was under the impression that what the reporter did was not a violation of the law. Or does the term “technical violation” have a specific legal meaning that I’m not aware of?
I probably should have said arguable, not technical. That's what's in the article. I guess we never really know if the law was broken at all unless a jury gives a verdict, so it's all a bit hypothetical.
Suppose there's a law that says you can't film other people without their permission. You catch a thief breaking into someone's house, film them, and give it to authorities enabling their identification, then delete the footage. I'd describe this as a technical breach of the law. It probably shouldn't be prosecuted.
This is kind of analogous to the present situation, a bit of a rough analogy I admit. Whether or not a law was broken, the journalist did something that was a net positive to society, with no real victim except a red-faced politician.
I think the argument would go something like "just because there was a flaw in the security doesn't mitigate malicious exploitation of that flaw." To take an analogy, if a bug in a bank's website allowed you to make negative transfers (i.e. "pay" someone a negative sum and move money from their account to yours) then you would almost certainly be prosecuted for exploiting that bug. Even exploiting it as a proof of concept so you could report the vulnerability to the bank would probably be dicey territory.
Ultimately there has to be a judgement of intent which at some level requires subjective assessment. In this case it is blindingly obvious that the reporter was acting in good faith so it seems unlikely any reasonable prosecutor would pursue this case, or if they did any reasonable juror would convict.
That's not an issue with the system per se, it's an issue that there's no specific carve-out in law for this kind of behavior. This could be solved by Congress in a hot minute.
There's no carve-out in law for this behavior because there doesn't need to be. Same reason we don't need a law permitting breathing, eating, etc. - it wasn't illegal in the first place.
You can clarify things like “it’s legal to film police officers in public” every single year but at some point you have to stop assuming the confusion is in good faith
I'm not in a position to help improving it, but my impression is relying on a single person is not a good idea.
Having to face judicial charges - in this case criminal ones, perhaps - would be a tremendous stress and financial loss to this journalist. It's unacceptable that we subject citizens to face this kind of risk at the hands of a single person.
> Having to face judicial charges - in this case criminal ones, perhaps - would be a tremendous stress and financial loss to this journalist.
This is intentional, the governor explicitly wanted to inflict such pain to a citizen. I don't see a path to meaningful change in how the legal system is weaponized against the public as long as wealth is the primary driver of power in this country:
The legal system has always benefited the rich and powerful at the expense of everyone else.
This isn't very constructive, FWIW.
If you say it's unacceptable, but can't define acceptable except as "not this", it's kind of worthless. Why is a single person better/worse than a group? Do you have any evidence to back it up?
There are all sorts of tradeoffs involved in how this sort of thing is done, and why, and those tradeoffs have evolved over thousands of years of legal systems existing.
In this case, the common tradeoff is that this is an elected official who is accountable to voters for the decisions they make.
There are states where they are appointed.
There are states which require grand juries.
All of these have tradeoffs - there is no "best", nor do statistics say that any of them end up any more fundamentally fair than each other. Nor do any of them have a significantly different rate of indicting objectively or subjectively innocent people (last I looked).
It's unclear exactly what you think a system should look like - I would argue any system with sufficient safeguards is not going to look very different than a preliminary hearing anyway.
Particularly your complaint about the stress/loss/etc seems unavoidable. That occurs starting with when people are investigated in the first place.
I'm really not in a position to help build a better solution, I have zero experience or knowledge on this sort of thing.
But I think it's still healthy to voice our concerns in a respectful and civil way.
I respect your view that we should only voice a concern when we're in a position to directly help building a solution, I just don't find it (personal opinion) a healthy conduct as a citizen.
If you have zero experience or knowledge how are you so sure it is a bad idea?
It's not healthy conduct to express strong opinions on things that you have zero experience or knowledge about.
Healthy conduct would instead be to ask questions and try to learn about those things, prior to holding a strong opinion. Or leave them alone if you don't have the time.
This unhealthy conduct is precisely one of the huge problems in society today, and I'm somewhat surprised you can't see this.
See, e.g., people in the US holding super-strong opinions about universal healthcare despite having zero knowledge or experience with it.
I cannot offer you details, but many articles get redistributed as an exact copy in dozens of other sites. Either it is a network, or there is legal legitimacy to copy, or the article is proposed to many...
It's part of how the Associated Press operates; it's why you can read about a big Missouri news story in a newspaper in California (or wherever) without the Los Angeles Times (or whoever) needing to send their own journalist to Missouri to cover it. (And likewise, a newspaper in Missouri can cover the big local news out of California even if they don't have the budget to fly their own journalists across the country on a regular basis.)
>As part of their cooperative agreement with the AP, most member news organizations grant automatic permission for the AP to distribute their local news reports.
Yes. It was a public webpage. They sent a normal request and received a normal response. That response just so happened to contain Base64 encoded SSNs in the page state.
There's no actual legal merit to any argument that this was unauthorized computer access. Suggesting that decoding base64 is somehow "hacking" is nonsense.
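Added example, not part of the thread or of any system discussed in it: a check a site owner could run over their own rendered pages before release, flagging SSN-shaped values that reach the browser in plain text or behind one layer of Base64, which is the exposure described in the comment above. The field name `__PAGESTATE`, the sample record and the SSN are constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Runs of Base64 alphabet long enough to hold a dashed SSN (11 bytes -> 16 chars).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Dashed US SSN; bare 9-digit runs are ignored to limit false positives.
SSN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


class _Collector(HTMLParser):
    """Collects attribute values, text nodes (script bodies included) and comments."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []  # list of (location, text)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.chunks.append((f"<{tag} {name}=...>", value))

    def handle_data(self, data):
        if data.strip():
            self.chunks.append(("text", data))

    def handle_comment(self, data):
        self.chunks.append(("comment", data))


def _try_decode(token):
    """Return the decoded text if token is valid Base64 of UTF-8 text, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def _finding(location, encoding, ssn):
    # Report only the last four digits so the scan output is not itself a leak.
    return {"location": location, "encoding": encoding, "masked": "***-**-" + ssn[-4:]}


def find_exposed_ssns(html):
    """Scan rendered HTML; return findings for plain and Base64-wrapped SSNs."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for location, text in parser.chunks:
        for m in SSN.finditer(text):
            findings.append(_finding(location, "plain", m.group()))
        for tok in B64_TOKEN.finditer(text):
            decoded = _try_decode(tok.group())
            if decoded is None:
                continue
            for m in SSN.finditer(decoded):
                findings.append(_finding(location, "base64", m.group()))
    return findings


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample: a hypothetical page-state field carrying a full record,
# although the visible table shows only a name and a status.
SAMPLE_PAGE = f"""<html><body>
<form><input type="hidden" name="__PAGESTATE"
 value="{_b64('{"name":"Example Person","ssn":"000-12-3456"}')}"></form>
<table><tr><td>Example Person</td><td>Certified</td></tr></table>
<script>var note = "{_b64('All good, nothing sensitive in here')}";</script>
</body></html>"""

# Constructed sample: same page with the state reduced to what the view needs.
CLEAN_PAGE = f"""<html><body>
<form><input type="hidden" name="__PAGESTATE"
 value="{_b64('{"name":"Example Person","status":"Certified"}')}"></form>
<table><tr><td>Example Person</td><td>Certified</td></tr></table>
</body></html>"""

if __name__ == "__main__":
    for f in find_exposed_ssns(SAMPLE_PAGE):
        print(f)
```

A finding here means the value left the server; the fix is to stop serializing the field into the response, not to pick a different encoding.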