Missouri’s Governor Is Threatening Hacking Charges Against a Newspaper Because He Has No Clue How the Internet Works
Jacob Moscovitch/Getty Images
Gov. Mike Parson (R-MO) is threatening the St. Louis Post-Dispatch with criminal charges because he is apparently unable to grasp the concept of web page HTML source codes.
If you’re not familiar, the source code of a web page can be viewed by anyone who knows how to find it. For example, in Google Chrome for desktop, simply right clicking on a page will give you the option to “View Page Source.” Selecting this option will allow you to view the HTML source code underlying what you see on the page.
Viewing the source code is how the Post-Dispatch found a glaring security issue with a website maintained by Missouri Department of Elementary and Secondary Education (DESE). The paper discovered teachers’ social security numbers contained in the code, though the SSNs were not clearly visible on the web pages themselves.
Now the governor is furious at the Post-Dispatch, even though it alerted the DESE of the vulnerability on Tuesday, and delayed publication of its story by reporter Josh Renaud until the pages were removed.
As the paper reported on Thursday,
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.
Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.
The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.
In response, Parson nonsensically suggested the Post-Dispatch had hacked the website.
“We are coordinating state resources to respond and utilize all legal methods available,” he said on Thursday. “My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved.”
Again, the source code of any website is publicly available to anyone accessing the site with just a few clicks.
Parson also took to Twitter, where he doubled down on his ignorance and reiterated his threat to press freedom. He claimed, “Through a multistep process, an individual took the records of at least three educators, decoded the source code, and viewed the SSN of those specific educators.”
“Decoded the HTML source code” is gibberish. The source code is there for anyone to view. There is nothing to decode.
So to recap, after viewing code accessible to anyone on the site in question, the Post-Dispatch discovered more than 100,000 social security numbers were vulnerable. The paper flagged this to the government and held its story until the pages were removed. The Post-Dispatch then ran its story, and the governor responded by threatening Post-Dispatch employees with prosecution.
“We stand by our reporting and our reporter who did everything right,” said Publisher Ian Caso. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”
Nevertheless, Parson wants people to know that this is all very “serious.”
Despite the fact that Parson has made heavy though ultimately foolish threats against the Post-Dispatch, he has said little if anything about why teachers’ social security numbers were left vulnerable in the first place. After all, that might require an inquiry into how one of his government agencies screwed up.
