Doubling down on view source
View source, next chapter
A few weeks ago I wrote about a travesty of technology where officials in Missouri shifted the blame for making a mistake to a reporter for finding it. To sum it up,
- People in their organization made a series of mistakes that resulted in hundreds of thousands of people in education having their SSNs put on the open internet.
- A reporter found this, asked an expert about it and reported it before publishing about it.
- Various state officials tried to change the narrative from a mistake of their staff to a reporter hacking.
We have a reporter who was trying to help and ended up being referred by the governor for investigation of a crime. This level of stupid made me write a blog entry, as viewing the source of a web page can never be a crime and officials need to fix problems, not shift blame. The former is anticryptography. The latter is key to good governance.
But wait there is more
The St. Louis Dispatch reported a few days ago that there had been conflicting internal discussions before the governor made his statements.
On Oct 12th Mallory McGowin, spokeswoman for DESE, sent an email to the governor’s office that had the education commissioner Margie Vandeven thanking the journalist for bringing the problem to their attention.
On the next day the governor’s office put out a press release calling the journalist a hacker. They do make a claim that the SSNs were only available one individual at a time, which, if true, would mean that someone would have to lawn mower the affected system to gain large amounts of data via view source. I don’t put a lot of stock in this, as other statements in the press release are twisted away from honest discourse, and the SSNs were still on a public website where they should never be available.
Then one more day later on the 14th the governor makes a statement saying it was clearly a hack. You can watch local news coverage here.
The governor then goes on to make statements weeks later about it as hacking.
He even says someone should have tried to help by telling officials there is a problem, which is exactly what the reporter did. The governor continues on, saying that a “right click” is not the truth and that “decoders” were required. What is he talking about? You can read HTML, and an SSN (like 123-45-6789) stands out fairly well in any data set. Take a look at the view source output below and see if the SSN requires “decoding”.
The current score
Right now we have Mallory McGowin and Margie Vandeven trying to make a statement that is correct. That statement seems to be ignored by the governor’s office so it can make noise about hacking reporters. So not only are the governor’s office and the governor himself making uninformed statements, they had been given correct statements beforehand. This moves Mike Parson’s statements from being made in ignorance to going against emerging evidence.
Ars Technica is even reporting that the FBI responded that it isn’t network intrusion and that the database was misconfigured. I would argue that the term misconfigured is a very gentle description, as it shouldn’t include SSNs if those records were being directly queried by a public web server. To be safe they would need field-level permissions, and even then why would SSNs ever need to be there?
Solutions
The governor makes a case that SSNs must be stored on the website for verification purposes and that no one can remove them. This is false and wrong. First off, the SSN can be used for verification without storing it on a website by comparing hashes of the SSN or even just hashes of the last 4 digits. Second, I don’t know what the law states in Missouri, but SSNs should never be stored on or even near a public-facing website like this. I’m not even sure how this arrangement passed standard security audits (which should be a requirement by the Missouri government).
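One way to do the hash comparison described above, as an added example that is not part of the original post. It assumes a keyed HMAC with a key held by a backend service (the key, record ids and function names are hypothetical), because the nine-digit SSN space, and even more so the four-digit one, is small enough to enumerate against an unkeyed hash; `recover_last4` shows that on a constructed value.

```python
import hashlib
import hmac
import re
from typing import Optional

SSN_RE = re.compile(r"(\d{3})-?(\d{2})-?(\d{4})", re.ASCII)

def normalize_ssn(raw: str) -> str:
    """Accept 123-45-6789 or 123456789; reject anything else."""
    m = SSN_RE.fullmatch(raw.strip())
    if m is None:
        raise ValueError("not a nine-digit SSN")
    return "".join(m.groups())

def ssn_verifier(raw: str, record_id: str, key: bytes) -> bytes:
    """Keyed digest stored in place of the SSN, bound to one record."""
    msg = record_id.encode() + b"\x00" + normalize_ssn(raw).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_ssn(candidate: str, record_id: str, stored: bytes, key: bytes) -> bool:
    """Answer only yes/no; the SSN is never stored or sent to the browser."""
    try:
        computed = ssn_verifier(candidate, record_id, key)
    except ValueError:
        return False
    return hmac.compare_digest(computed, stored)  # constant-time comparison

def plain_last4_hash(last4: str) -> str:
    """The weak variant: unkeyed SHA-256 over only four digits."""
    return hashlib.sha256(last4.encode()).hexdigest()

def recover_last4(digest_hex: str) -> Optional[str]:
    """Only 10,000 inputs exist, so an unkeyed digest falls to trying them all."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if plain_last4_hash(guess) == digest_hex:
            return guess
    return None

if __name__ == "__main__":
    key = bytes(32)  # constructed demo key; assumption: real key stays off the web tier
    stored = ssn_verifier("123-45-6789", "rec-001", key)  # constructed record id
    print(verify_ssn("123456789", "rec-001", stored, key))
    print(verify_ssn("123-45-6780", "rec-001", stored, key))
    print(recover_last4(plain_last4_hash("6789")))
```

With the key kept away from the public web server, a leaked table of verifiers cannot be enumerated the way the unkeyed digests can.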
At this point Mike Parson and his office should make a statement that they have made a mistake. An investigation should continue, but not as a criminal matter against the reporter. Instead they should be reviewing internal processes before websites go live and data is made available. Doing so will set the correct tone that system designers need to be careful with security from design through implementation.
“errare humanum est, sed perseverare diabolicum: ‘to err is human, but to persist (in the mistake) is diabolical.’” — Seneca