Reporter who told Missouri officials of website flaw did 'nothing out of line'

344 points | danso | 4 years ago | statescoop.com

190 comments

[+] alexjplant|4 years ago|reply
The DoE is complicit in this as well (from the original article):

> In the letter to teachers, Education Commissioner Margie Vandeven said “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”

> But in the press release, DESE called the person who discovered the vulnerability a “hacker” and said that individual “took the records of at least three educators”

This squares perfectly with my own experience. As a middle schooler I had several interactions with my school system's IT department where they baselessly accused me of hacking and malicious intent; I responsibly disclosed a method of bypassing their web content filter and they responded by going through my roaming profile and leveling charges at me of "remotely hacking computer systems" because of a screenshot of a terminal emulator they found. I was a good kid with a perfect disciplinary record. In retrospect it was a series of incompetent staffers covering for their inability by bullying a child.

The US needs to stop using public facilities (schools, the military, etc) as white-collar welfare and hire more people that actually care. Ignorance is forgivable but when combined with a steadfast opposition to personal growth it becomes malicious. It'd be better for society to fire clowns like these and administer them unemployment than to have them crowd out those that actually give a shit.

*EDIT: To clarify for anybody that would read the above as "government workers don't care": there are plenty that do. I break bread with them and want them to be able to do their jobs unimpeded by the ones that _don't_.

[+] handrous|4 years ago|reply
> The US needs to stop using public facilities (schools, the military, etc) as white-collar welfare and hire more people that actually care. Ignorance is forgivable but when combined with a steadfast opposition to personal growth it becomes malicious. It'd be better for society to fire clowns like these and administer them unemployment than to have them crowd out those that actually give a shit.

Our purest white-collar welfare system is the health insurance industry, I'd say. IIRC at one point Obama explicitly stated that a reason he didn't think single-payer and similar were viable to advance, is because they'd put too many people out of work.

The military is, obviously, our main work-required blue-collar welfare system, among other kinds of wealth-shuffling it does. Why, one can get nearly-European-standard-for-all public benefits, through that program, provided one is reasonably sound of body and mind. Healthcare, pension, housing, etc. [edit] education, too!

[+] ivalm|4 years ago|reply
> hire people that actually care

One thing to note is that hiring skilled IT workers is often outside budget capabilities. It’s not that they want to hire someone incompetent, they simply can’t afford to hire someone competent.

[+] nend|4 years ago|reply
>It'd be better for society to fire clowns like these and administer them unemployment than to have them crowd out those that actually give a shit.

The people that give a shit are making 10x as much by not working for a public middle school.

Fire the current lot if you want, but they'll just be replaced by the next set of people who aren't skilled enough to make market rate.

[+] CoastalCoder|4 years ago|reply
> The US needs to stop using public facilities (schools, the military, etc) as white-collar welfare and hire more people that actually care.

In my experience, most IT/CS people who seek to work for state/federal government do care.

Unfortunately the combination of extreme red tape, low pay, inability to fire lazy employees, and occasionally being punching bags for politicians trying to score cheap points with their constituents, takes its toll over time.

[+] hn_throwaway_99|4 years ago|reply
> unencrypted the source code from the webpage

Because "reading HTML" is now "unencrypting".

People got caught with their pants down and are now just trying to lie their way out of it, nothing new but still sad.
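The "reading HTML" point above, as an added illustration that is not code from the article, DESE, or the reporter: a small scanner that walks served page source and reports SSN-shaped values, both in the clear and after decoding. The page never says what encoding the Missouri site actually used, so base64 is assumed here as a stand-in for "data that has to be decoded before it reads as an SSN", and the sample HTML is constructed for the example.

```python
"""Scan served HTML for Social Security numbers, in the clear or base64-encoded.

Added illustration for the thread above, not code from the original
article, DESE, or the reporter. The real encoding on the Missouri site is
not described on this page; base64 is an assumed stand-in for "data that
needs decoding before it reads as an SSN".
"""
import base64
import binascii
import re

# Formatted SSN (123-45-6789) or nine bare digits, not embedded in a
# longer digit run. Only finds candidates; see _valid_ssn for filtering.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

# Tokens that look like base64: long enough to hold nine digits,
# optional padding. Anything that fails to decode is skipped.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Constructed sample page: one SSN in the clear, one base64-encoded in an
# attribute (MTIzLTQ1LTY3ODk= is base64 for "123-45-6789").
SAMPLE = """
<table>
<tr><td>Jane Doe</td><td data-ssn="MTIzLTQ1LTY3ODk=">Springfield</td></tr>
<tr><td>John Roe</td><td>321-54-9876</td></tr>
</table>
"""


def _valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (000, 666, 900-999 areas; zero group/serial).

    Three-digit zero-padded strings compare correctly as strings, so a
    lexical >= is enough for the 900-999 check.
    """
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def ssns_in_text(text: str) -> list[str]:
    """Return normalised (dashed) SSN candidates found directly in a string."""
    found = []
    for m in SSN_RE.finditer(text):
        if _valid_ssn(*m.groups()):
            found.append("-".join(m.groups()))
    return found


def decoded_blobs(text: str) -> list[str]:
    """Base64-decode every base64-looking token that yields printable ASCII."""
    blobs = []
    for tok in B64_RE.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue  # not really base64 (bad length or padding)
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary, not text
        if decoded.isprintable():
            blobs.append(decoded)
    return blobs


def scan_html(html: str) -> dict[str, list[str]]:
    """Report SSNs visible in page source, split by how they were found."""
    return {
        "plain": ssns_in_text(html),
        "decoded": [s for blob in decoded_blobs(html) for s in ssns_in_text(blob)],
    }


if __name__ == "__main__":
    for how, hits in scan_html(SAMPLE).items():
        for ssn in hits:
            print(f"{how}: {ssn}")
```

Run it against a saved copy of any page you operate (`scan_html(open("page.html").read())`); a non-empty result from either bucket means the server is shipping the data to every client, and no amount of client-side obfuscation changes that.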

[+] harikb|4 years ago|reply
Part of this is general attitude towards all hacking - that systems can “never be secured”, it is never the designer/implementer’s fault, and we should just blame the bad actors.

When banks/financial systems can get away with not upgrading a decade-old Java framework with a 6-month-old Struts vulnerability, and just blame the hacker, it is not surprising the average school sysadmin will do the same.

[+] kodah|4 years ago|reply
The military and education do hire people that care; insinuating that they don't seems very wrong. What I do see here is that someone is speaking far outside their domain of expertise. Software engineers love to do this on a lot of subjects. Having a deep background in systems, it's amusing at times, but I certainly wouldn't say they don't care.
[+] mixmastamyk|4 years ago|reply
We need laws not just to protect whistleblowers (etc.) but to punish those who retaliate against them.
[+] butterfi|4 years ago|reply
Back in the 80's, my computer teacher kicked me out of class because I had logged into my friend's account at another school and downloaded instructions for an "assassination game" (pick a name from a hat, 'assassinate' your victim with a toy gun), which we never played because we just weren't that interested. The teacher was going through the trash and "discovered" my "hacking" because everything was printed on paper. Fortunately for me, I had access to other computers and went on to a long, successful career in computers. No thanks to you, shitty computer teacher.
[+] chucksta|4 years ago|reply
Similar experience. Their reasoning for why it was so stern was that the password acquired was valid throughout the entire district, and used for multiple core systems (security, AD, grades, etc.).

No one thought to ask IT why they used the same PW 5+ times for critical infra; it's all just the kids' fault for finding one of them.

[+] RNCTX|4 years ago|reply
> The US needs to stop using public facilities (schools, the military, etc) as white-collar welfare and hire more people that actually care. Ignorance is forgivable but when combined with a steadfast opposition to personal growth it becomes malicious. It'd be better for society to fire clowns like these and administer them unemployment than to have them crowd out those that actually give a shit.

That presumes that the purpose of school is perceived by the participants to be something other than printing credentials that justify trans-generational wealth and power accrual.

[+] seattle_spring|4 years ago|reply
> I responsibly disclosed a method of bypassing their web content filter

If you don't mind me asking... why on Earth did you do this? My goal as a teenager was to find ways to get around content filters in middle school for fun, not so I could tell the teacher about them.

> It'd be better for society to fire clowns like these and administer them unemployment than to have them crowd out those that actually give a shit.

Administrators that "gave a shit" would be fighting to remove overzealous content filters, not reinforce them.

[+] causi|4 years ago|reply
I was accused of hacking when I used the "net send" DOS command to send the letter "Q" one time to the other computers in the lab.
[+] danso|4 years ago|reply
Previous thread from 3 weeks ago: https://news.ycombinator.com/item?id=28867562

Recent developments:

- The CS professor whose expert opinion was quoted by the newspaper article is demanding an apology and legal expenses from the state, alleging that the governor defamed and violated his free speech rights.

- The governor's political fundraising committee is running ads making this a "fake news" issue.

The email that the reporter sent, in advance of publishing the article revealing the state education website's data leakage:

> “I recently discovered a significant exposure of the sensitive data of more than 100,000 teachers on a DESE website,” Renaud wrote to the agency’s communications chief, Mallory McGowin. “At this point I am confident what I found is a genuine vulnerability — I have confirmed with three teachers from different districts that their data was exposed. I also have consulted an UMSL cybersecurity researcher who verified my findings. The P-D plans to publish a story about this sensitive data exposure, but we wanted to inform DESE first so that you would have a chance to mitigate the problem.”

> Renaud shared his timeline for publishing the story and asked for interviews with officials from DESE and the Missouri Office of Administration’s Information Technology Services Division. In a second email sent about 45 minutes later, he described the steps he’d taken in finding and confirming the vulnerability.

[+] docmechanic|4 years ago|reply
Thanks for the update. Not surprised to see the governor making the "fake news" argument rather than trying to criminalize the reading of HTML code - in browsers only - across the state of Missouri.
[+] TigeriusKirk|4 years ago|reply
Have we heard yet what the exact form of the vulnerability was? I haven't seen precise details myself.
[+] idworks1|4 years ago|reply
The governor's stance is just posture. "We take these matters seriously".

It reminds me of that time, a few years after I was out of college and into a job, when my professor contacted me to demo my class project to her students, to give them an idea of what they can do with web development. Her assistant told me that they couldn't figure out how to run it.

Of course, I took a day off from work, opened back up my school project, fixed the annoying bug. The web page required IIS to run so I could make Ajax requests. I decided to hardcode the data in json instead. So I went to school to present my project.

The professor was double clicking the file and it wasn't displaying properly. I inserted my USB stick, and ran it from there instead. The coral reef restaurant website appeared on the big screen. I explained that I had to make some changes so it would work locally. Before, I was using a web server.

"Web server?" she shouted. "You are not allowed to use a web server. So you guys cheated!"

At first, I thought she was just kidding. I explained that Chapter 12 specifically asks to boot up IIS in order to make use of Ajax. During my time, the rest of the class stopped at chapter 10. I completed the entire book because I was just in love with learning JavaScript. So unless you get to chapter 12, you don't learn about Ajax.

"I'll have to report you. The board might revoke your grade. Not just you but all your group."

You can only imagine how pale I became. But I understood what was happening. She had tried to run the project multiple times and failed. She couldn't debug it or figure out the issue. To save face in front of the class, she accused me of having cheated. This is the exact thing the Missouri officials are doing.

No, at the end of the day my grades were not revoked. Plus I had dropped out of college and had been working in the field for a couple of years already. But it goes to show you the lengths people will go to just to save face.

[+] mabbo|4 years ago|reply
All I've learned from this entire escapade is that the next time someone finds a major vulnerability in a Missouri state website, they will know that the best path forward is to sell it to criminals.

They make some money and they don't have the Governor attacking their reputation.

[+] jimt1234|4 years ago|reply
Excellent point. But I don't think anyone is gonna pay much for "Right-click. View source code. Done." LOL
[+] karlkloss|4 years ago|reply
> All I've learned from this entire escapade is that the next time someone finds a major vulnerability they will know that the best path forward is to sell it to criminals.

I fixed that for you.

[+] dekhn|4 years ago|reply
The state is not proceeding with any legal actions, right? And they're not, because they've already concluded the governor is full of crap, right?

So far all I've seen here is the governor repeatedly make a fool of himself while the rest of the state is backing away slowly from the crazy old man.

The STL Dispatch actually really wants the state to try to sue here, and I don't think Parson quite appreciates just how much trouble his statements can get him in.

[+] mikeyouse|4 years ago|reply
As of this week, the governor is still making noise about investigating and pressing charges.

> Despite mounting public backlash, Missouri Gov. Michael Parson isn’t backing down from threatening to prosecute a journalist for accessing personal information of Missouri teachers to expose a security lapse in the state’s website.

..

> Yet, the governor’s office continues to contend Renaud is open to prosecution for his actions. An email to The Record from Kelli Jones, communications director for the governor’s office, said an investigation into Renaud’s actions is ongoing, but described his action as a “hack” that was more than just “a right click,” and that Renaud broke Missouri law. “The facts are that an individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information,” Jones wrote in an email.

..

> “A hacker is someone who gains unauthorized access to information or content,” Parson said during a recent press conference. “This individual did not have permission to do what they did." He said Renaud was simply attempting to "embarrass the state" and "sell headlines." "We will not let this crime go unpunished," Parson said.

https://stlrecord.com/stories/610107500-we-will-not-let-this...

[+] tombert|4 years ago|reply
I know nothing about law, but would there be ground for some form of defamation here? At this point, the governor has had what the reporter did thoroughly explained to him, and he keeps claiming that this is "hacking" seemingly just because he's embarrassed. From my perspective, it seems like he's outright lying and making accusations of criminal activity, in order to besmirch the name of someone he doesn't like.
[+] infogulch|4 years ago|reply
As a Missouri resident, what is the best method of contacting these buffoons (and their opponents) to voice my displeasure with this appalling response from state officials?
[+] Clubber|4 years ago|reply
Call them on the phone and/or write a letter. If enough people call them on the phone, they'll get it. It's old-fashioned political pressure.
[+] wolverine876|4 years ago|reply
Vote for someone else (yesterday, preferably).
[+] mlindner|4 years ago|reply
This is all setting up for a lawsuit against the government for libel. Especially as the governor now is amplifying his attack rather than backing down. When they first went on the attack you could play it off with an excuse that they didn't know any better, but after they were informed, it's now into the territory of libel. However IANAL.
[+] wolverine876|4 years ago|reply
It looks like part of the attack on the free press, and on dissent generally, by the governor's political grouping. Freedom won't survive unless the public makes it a higher priority than political power. People who support that political grouping need to make it clear to their representatives that liberty comes first.
[+] randombits0|4 years ago|reply
It’s so much faster when you search SSNs client-side!
[+] shadowgovt|4 years ago|reply
I know that "if it bleeds, it leads" is the rule for journalism, but I sort of wish there were a way to tell people to stop giving this story oxygen.

The governor knows his claims are foolish and he knows he's building a controversy out of thin air. It's playing great with his constituents, and the fact that his position of power inclines people to take him seriously means he can get away with it.

[+] BeefySwain|4 years ago|reply
I understand your point, but what's the alternative? The answer can't be to roll over and ignore negligently/dangerously ignorant people in positions of power.

If your premise is true (that the harder those who understand this push against it, the harder he will push back, and the voters of his state like him for that) then there is no winning strategy here.

[+] afavour|4 years ago|reply
Why would refusing to cover the story stop that problem? He’s literally running ads with it, so it’s going to get plenty of oxygen no matter what. Might as well try to get the actual truth out there as well.
[+] TillE|4 years ago|reply
> It's playing great with his constituents

Doubtful.

This is absolutely one of those cases where public attention and pressure can spare someone from getting lost in the legal system. Burying the story only helps those abusing their power.

[+] bellyfullofbac|4 years ago|reply
The title truncation is so unhelpful and IMO editorialising. Is it ", judge said", meaning case closed and the statement can be said as fact? Is it maybe a quote from an institution like the EFF, defending him?

Nope, it's ", emails said"...

[+] danso|4 years ago|reply
I tried every variation to get the hed to fit under 80 chars — it was either “emails said” or “Missouri”

In any case, the “nothing out of line” comes from a security expert reviewing the emails:

> While Missouri officials redacted most of Renaud’s second email, Katie Moussouris, the CEO of Luta Security, told StateScoop it appears he took all the right steps in disclosing a vulnerability.

> “Nothing in what you’ve shared with me looks like it was out of line with sensible coordinated vulnerability disclosure activities of any researcher trying to protect victims of sensitive data exposure,” said Moussouris, a co-author of the international standards for vulnerability disclosures.