View source

Nov 12, 2021 Technology Conventional-Wisdom Inappropriate-use
Share on:

View Source

I’ve been using browsers for almost 30 years and I can’t remember a time that there hasn’t been some sort of “View Source” option being present as I right click on a page. Of course there were some ham fisted attempts to hide it with JavaScript. I’ve even seen pages pull content after page load to prevent the content from being accessible with a simple mouse click. None of those tricks really work and now sites share what they are sharing, mostly (more on that further down).

The web browsers are a great tool where information can be shared in many forms. Text, audio, images, video and even immersive 3D environments. All of this is shared through an open standard of HTML, JavaScript and CSS which the reader can open and read if they are curious, need details or want to use the data in another form. This openness has changed our world for the better as it makes data available for consumption and production.

Evil option

As the world gets great new technology there is always some set of knuckleheads that don’t understand it and make public fools of themselves. Some technologies are dangerous when used improperly. I’ve accidentally cut myself with knives, but I still use them because they are one of the greatest tools we have invented. We can all list tools and problems.

There are some tools though really have no downside. View Source is one of those. Is there a problem with a font that isn’t visible, or an ad covering the content? Right click and view the source to see what you missed. Maybe even send a note to the owners of the site to let them know about the problem. I can’t see a downside to view source.

It turns out that some people don’t design their websites correctly and they end up putting things like questions and answers in the source for tests. These website creators are being lazy. This is like a teacher giving you an exam with the answers under post it notes and saying, “Once your done grade yourself by comparing your answer to the real one.” Maybe looking under the post it note while taking the exam is cheating, but I would lay the blame at the teacher’s feet.

What I described is not a hypothetical. Apparently a number of education users have been hounding Google’s Chrome development team to remove the “View Source” option for this very reason. Normally I would mark this down as a bunch of teachers who need a little education on the issue. The problem is that dev team actually listened to them and issued a patch a few days ago.

This blog entry was passed to me by a friend. Everyone who is sharing it is sharing it in alarm and disgust. Now reading into the patch notes, the Chrome team is allowing a managed browser to turn off view source on select URLs. They may view this is a simple way to quiet the request from teachers, but they have stepped down the slippery slope some more.

Rather than educate the teachers on the proper way to give an online test, they have taken a learning tool from the students. How many schools are just going to turn this on for the wildcard site setting and block view source for every pupil? I’ll bet about half, if not a lot more.

One of the comments mentioned a kid who has portable Firefox being a persecuted for having hacking tools. The poor kid that has Wireshark is going to be treated like they brought a gun to school. While this is funny to read, it is all too real. Kids curious about technology will be alienated, suppressed and just generally turned off in one more way.

Too court!

So you may think I’m being over the top on this. I realize this is a small thing, but everything big is made of smaller things. In this case we have another recent incident that is very serious around a criminal investigation of someone that actually viewed the source of a public web page.

A few weeks ago a reporter for the Saint Louis Post Dispatch wrote an article pointing out that private information, to include Social Security Numbers (SSNs) of over 100,000 school employees were available on the Missouri state department of education website. The page provided a search feature to find school personnel. The problem is that the whole list was in the page and it included the SSN for each entry. The page was not designed to show the SSN, it was just left in the data.

The reporter went to a security specialist and asked if this was a general flaw. The specialist confirmed that it was and the reporter notified the department. The department did take the site down, but when they informed the school employees of the data being leaked, the Education Commissioner Margie Vandeven wrote,

“an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”

Let’s be clear, there was no encryption to be undone. All the reporter and security specialist had to do was right click and view the source. The education commissioner was inflating someone else’s actions to hide her own departments incompetence. The SSNs should never have been available to the website developers let alone included in the site. Her organization had already leaked the SSN of over 100,000 people before anyone else saw it. She should be happy that someone let the department know to take the page down before publishing.

We could have an uncomfortable laugh at the poor choice of words from Margie Vandeven and move on, but apparently in the “Show me state” they double down on stupid. The governor, Mike Parson has taken up this incident, called it hacking and is bringing in the Missouri State Highway Patrol’s Digital Forensic Unit to conduct an investigation. He has referred the matter for prosecution to the local counties district attorney.

Let’s lay out the timeline here in case you aren’t following things.

  • Missouri Dept of Education takes list of 100,000 names and SSNs and embeds it into a website for a search feature to return teacher names.

  • Reporter finds the list by right clicking “View Source” in their browser (probably to see why the page loaded so slowly given all the private information was sent to every browser that went to that page).

  • Reporter asks security specialist, “Can this be real?”

  • Security specialist face palms and says “Yes”.

  • Reporter notifies the department of the problem before releasing the article about how stupid an error it is.

  • Education Commissioner Margie Vandeven makes crap up about encryption and unencryption when telling people her department just released their names and SSNs in bulk on every page load.

  • Governor Mike Parson wants in on this action and calls the reporter a hacker and sicks the state highway patrol and prosecutor on him.

This is the type of string of stupid events that makes for a good Coen Brother movie.

The real solution

The real solution here is to hold the creators of flawed websites responsible for design errors. I don’t mean when a plugin is found to have a stack overflow error type thing. I mean when you include the answers to a test in the web page with the question, or even contemplate including SSNs inside a web page.

Instead we have an industry (the education industry) asking technology makers to disable a feature used for learning so they don’t have to clean up bad practices. In the worst case we have the same industry making an error so bad it showed bad intent in multiple ways and then blaming the person that informed them of hacking.

Governor Parson shouldn’t be trying to put the journalist behind bars. The journalist should be given a reward for trying to help and the team that decided to put 100,000 SSNs in a public web page should personally have to pay for any damages to the school employees.

Until we stop shifting blame and start holding bad decisions accountable we aren’t going to fix the problems. No matter how many features you take out of my browser.