Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim

from the wtf-missouri dept

Hey Missouri: stop electing technically illiterate dipshits. First you had Claire McCaskill, one of the key sponsors of FOSTA (who is still defending it years later). You got rid of her, but replaced her with Josh Hawley, who seems to think his main job in the Senate (besides whipping up support for insurrectionists and planning his run for the Presidency) is to destroy the internet and reshape it according to his own personal vision.

And then there’s your governor. We wrote about him a few years ago when he claimed (ridiculously) that the 1st Amendment meant he could withhold public records (which is not how any of this works). But, of course, last week, his tech ignorance broke into prime time after the St. Louis Post-Dispatch ethically disclosed that the state’s Department of Elementary and Secondary Education (DESE) website was including teacher & administrator social security numbers in the HTML. DESE pulled down the pages, but not before calling the journalists “hackers.” Parson then doubled down and called for the journalists to be prosecuted. And then kept insisting that viewing HTML source code was hacking.

For the past week people on Twitter have been repeatedly mocking Parson for this, but he just won’t give up, and neither will the United Missouri PAC that is a huge Parson supporter and was even fined last year by the Missouri Ethics Commission over improper contributions and failure to report the contributions to Parson.

Earlier this week, United Missouri seemed to think that Parson’s blatant technical illiteracy was worth doubling down on and turning into a culture war against “the fake news.” It produced a video that is so embarrassing and cringeworthy it feels like a parody.

I mean, the transcript is so stupid that it makes me wonder about the quality of education in Missouri that someone could be this clueless.

The latest from the Missouri “fake news factory” is from the St. Louis Post-Dispatch, where a reporter has been digging around HTML code on a state website. The state technology division said the hacker took the records of at least 3 educators, decoded the HTML source code and viewed the social security numbers from the state website.

I mean, holy shit. HTML code is public. That’s what “view source” is there for. There’s no “digging around.” And, incredibly, here United Missouri/Parson are admitting that the social security numbers were in HTML! THAT IS THE PROBLEM! No one should ever be putting SSNs in HTML. The fact that DESE put SSNs in HTML is the very problem that the reporters were highlighting. And if it wasn’t actually a problem, why did DESE pull down the website in the first place? It’s not hacking. It’s showing that Parson’s administration is incompetent.

And then, the video takes Parson’s own failure to protect teachers and administrators in the state… and blames it on the reporters who (ethically) disclosed this negligent coding?

Governor Parson believes everyone is entitled to their privacy. Especially our teachers.

THEN WHY DID YOUR ADMINISTRATION REVEAL THEIR SOCIAL SECURITY NUMBERS IN HTML, YOU TECHNICALLY IGNORANT FOOLS? No one should ever be putting SSNs in HTML. The fact that they were there is the problem. Not the fact that these reporters alerted the state to their own coding (and data handling) error. The privacy breach is the state’s fault, not the reporters. The reporters disclosed all of this in the most ethical manner possible: alerting the state and not publishing anything until after the leaked data was removed from the web.

Governor Parson is standing up to the fake news media and is committed to bringing to justice anyone who obtained private information. The St. Louis Post-Dispatch is purely playing politics. Exploiting private information is a squalid excuse for journalism. And hiding behind the noble principle of free speech to do it is shameful.

Note that they keep calling the St. Louis Post-Dispatch “fake news” but don’t dispute a single thing they reported. So it’s fake news, but also a crime? Furthermore, the only one who should be “brought to justice” is the state for putting social security numbers in HTML in the first place. And the only one “purely playing politics” appears to be Governor Mike Parson and his corrupt PAC.

And, of course, everyone with even the most basic understanding of HTML knows that it’s Parson who’s full of shit here, as is clear from all the comments on the video:

I get that, these days, the Trumpian populist politicians think they can just make shit up and lie constantly and their ignorant base will lap it up, but this takes all that to new levels of stupid. You don’t have to be a genius computer science grad to understand that you never ever put SSNs in HTML and that whoever did that is at fault here.

Companies: united missouri


Comments on “Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim”

120 Comments
Anonymous says:

Re: Criminal, right?

Can it be proven beyond doubt that social security numbers were written into the tags of the Web site,

It probably was some script generating HTML on the fly that dumped the database ID numbers for the viewable entries.

Unfortunately many db admins look at things like SSNs as the perfect primary key for a user / person in a db, and fail to realize what will happen when some poor web developer uses the "personID" field in the database as a reference in their HTML widget code….

In short, it probably wasn’t an intentional act by the site maintainers, let alone the state administration. But you’ve got to love the anal retentiveness of the state governor and the carelessness of the db admins mixing to create a dangerous "never report anything" mentality among the general public. The law of unintended consequences gets them every time.

At least that’s what I hope is going on here. Otherwise this governor is practically inviting a massive hack against his state in a few years by effectively telling people to never report a cybersecurity issue to anyone under threat of lawsuits and jail time as official state policy.

Greg Glockner says:

Stop the insanity

Suppose someone posted confidential info like SSNs on a wall of a public building, which anyone could view from the alley. Guess what, geniuses – that’s what they did on the Internet. No hacking involved. I normally believe in Hanlon’s razor – "never attribute to malice that which is adequately explained by stupidity". However, I wouldn’t put it past Republicans to use this to score points in the culture war.

Scary Devil Monastery says:

Re: Stop the insanity

"I normally believe in Hanlon’s razor – "never attribute to malice that which is adequately explained by stupidity". However, I wouldn’t put it past Republicans to use this to score points in the culture war."

I’m normally a firm believer in that razor as well. Yet every time I try to use it on US republicans, it breaks.

These days every time these benighted morons make an obviously deranged claim I just assume they know damn well they’re talking bullshit and are just bringing it up as a talking point to energize a base of voters so brain-damaged by an upbringing where the crazy uncle and fox news was the primary source of education they’ll believe anything as long as it ends with "It’s all the libs fault!".

freelunch says:

I am sad to report that this doesn't push the boundary ...

… of the nonsense politicians pull when they yell "fake news." Thugs assaulting the US capitol? Patriots! Tourists! Other thugs roughing up school boards? Concerned parents! Idiots who deny the existence of communicable disease? Guardians of religious freedom! Those were comparatively heavy lifts of nonsense.

At least understanding that, having stumbled upon a security leak, immediately telling the leaky site and then only later publishing news about it is a good thing and is pro-security is very difficult. Wait, sorry, it is not very difficult.

PaulT says:

"You don’t have to be a genius computer science grad to understand that you never ever put SSNs in HTML and that whoever did that is at fault here."

However, you do have to have a passing knowledge of both technology and verifiable reality to know this – and that is not the target audience. This is a play to keep angry morons angry enough to vote in 2022, then 2024 and to pretend that the reason they’re failing is not due to their own actions but because of the "deep state" and "liberals".

There’s no way anyone with any knowledge will fall for this – but the targets are not people with knowledge.

Anonymous says:

The latest from the Missouri "fake news factory" is from the St. Louis Post-Dispatch, where a reporter has been digging around HTML code on a state website. The state technology division said the hacker took the records of at least 3 educators, decoded the HTML source code and viewed the social security numbers from the state website.

Isn’t this an example of public indecency? Or is mooning people like that allowed in public in Missouri? (Maybe it’s protected by 1A?)

Anonymous says:

if you put ssn nos in html text on a website you should be fired, if hacking is looking at html code then anyone who has a pc with a browser could be a hacker, they should be grateful the problem was pointed out to them. but republican politicians seem to be in a competition to pass bills that break the internet, take away users' right to privacy and free speech by eroding section 230, hacking is doing something that takes some knowledge and skill in technology that the average user would not be able to do.

Bobvious says:

Diary of a Missouri Governor

With respects to some A-OL.

July 18 – I just tried to connect to Missouri Online. I’ve heard it is the best online service I can get. They even included a free disk! I’d better hold onto it in case they don’t ever send me anther one! I can’t connect. I don’t know what is wrong.
July 19 – Some guy at the tech support center says my computer needs a modem. I don’t see why. He’s just trying to cheat me. How dumb does he think I am?
July 22 – I bought the modem. I couldn’t figure out where it goes. It wouldn’t fit in the monitor or the printer. I’m confused.
July 23 – I finally got the modem in and hooked up. That nine year old next door did it for me. But it still don’t work. I cant get online.
July 25 – That nine year old kid next door hooked me up to Missouri Online for me. He’s so smart. I told the kid he was a prodigy. But he says that’s just another service. What a modest kid. He’s so smart and he does these services for people. Anyway he’s smarter than the jerks who sold me the modem. They didn’t even tell me about communications software. Bet they didn’t know. And why do they put two telephone jack holes in the back of a modem when you only need one? And why do they have one labeled phone when you are not suppose to hook it to the phone jack on the wall? I thought the dial tone sounded funny! Boy, are modem makers dumb! But the kid figured it out by the sound.
July 26 – What’s the internet? I thought I was on Missouri Online. Not this internet thing. I’m confused.
July 27 – The nine year old kid next door showed me how to use this Missouri Online stuff. I told him he must be a genius. He says that he is compared to me. Maybe he’s not so modest after all.
July 28 – I tried to use chat today. I tried to talk into my computer but nothing happened. Maybe I need to buy a microphone.
July 29 – I found this thing called usenet. I got out of it because I’m connected to Missouri Online not usenet.
July 30 – These people in this usenet thing keep using capital letters. How do they do that? I never figured out how to type capital letters. Maybe they have a different type of keyboard.
JULY 31 – I CALLED THE COMPUTER MAKER I BOUGHT IT FROM TO COMPLAIN ABOUT NOT HAVING A CAPITAL LETTER KEY. THE TECH SUPPORT GUY SAID IT WAS THIS CAPS LOCK KEY. WHY DIDN’T THEY SPELL IT OUT? I TOLD HIM I GOT A CHEAP KEYBOARD AND WANTED A BETTER ONE. AND ONE OF MY SHIFT KEYS ISN’T THE SAME SIZE AS THE OTHER. HE SAID THAT’S A STANDARD. I TOLD HIM I DIDN’T WANT A STANDARD KEYBOARD BUT ANOTHER BRAND. I MUST HAVE HAD AN IMPORTANT COMPLAINT BECAUSE I HEARD HIM TELL THE OTHER SUPPORT GUYS TO LISTEN IN ON OUR CONVERSATION.
AUGUST 1 – I FOUND THIS THING CALLED THE USENET ORACLE. IT SAYS THAT IT CAN ANSWER ANY QUESTIONS I ASK IT. I SENT IT 44 SEPARATE QUESTIONS ABOUT THE INTERNET. I HOPE IT RESPONDS SOON.
AUGUST 2 – I FOUND A GROUP CALLED REC.HUMOR. I DECIDED TO POST THIS JOKE ABOUT THE CHICKEN THAT CROSSED THE ROAD. TO GET TO THE OTHER SIDE! HA! HA! I WASNT SURE I POSTED IT RIGHT SO I POSTED IT 56 MORE TIMES.
AUGUST 3 – I KEEP HEARING ABOUT THE WORLD WIDE WEB. I DON’T NOW SPIDERS GREW THAT LARGE.
AUGUST 4 – THE ORACLE RESPONDED TO MY QUESTIONS TODAY. GEEZ IT WAS RUDE. I WAS SO ANGRY THAT I POSTED AN ANGRY MESSAGE ABOUT IT TO REC.HUMOR.ORACLE. I WASNT SURE IF I POSTED RIGHT SO I POSTED IT 22 MORE TIMES.
AUGUST 5 – SOMEONE TOLD ME TO READ THE FAQ. GEEZ THEY DIDN’T HAVE TO USE PROFANITY.
AUGUST 6 – SOMEONE ELSE TOLD ME TO STOP SHOUTING IN ALL MY MESSAGES. WHAT A STUPID JERK. I’M NOT SHOUTING! I’M NOT EVEN TALKING! JUST TYPING! HOW CAN THEY LET THESE RUDE JERKS GO ON THE INTERNET?
August 7 – Why have a Caps Lock key if you’re not suppose to use it? It’s probably an extra feature that costs more money.
August 8 – I just read this post called make money fast. I’m so excited. I’m going to make lots of money. I followed his instructions and posted it to every newsgroup I could find.
August 9 – I just made my signature file. Its only 6 pages long. I will have to work on it some more.
August 10 – I just looked at a group called alt.umpac.sucks. I read a few posts and I really believe that umpac should be wiped off the face of the earth. I wonder what an umpac is.
August 11 – I was asking where to find some information about something. Some guy told me to check out http://ftp.netcom.com. I’ve looked and looked but I can’t find that group.
August 12 – I sent a post to every usenet group on the Internet asking where the http://ftp.netcom.com is. Hopefully someone will help. I cant ask the kid next door. His parents said that when he comes back from my house he’s laughing so hard he can’t eat or sleep or do his homework. So they wont let him come over anymore. I do have a great sense of humor. I don’t know why the rec.humor group didn’t like my chicken joke. Maybe they only like dirty stuff. Some people sent me posts about my 56 posts of the joke and they used bad words.
August 13 – I sent another post to every usenet group on the Internet asking where the http://ftp.netcom.com is. I had forgot yesterday to include my new signature file which is only 8 pages long. I know everyone will want to read my favorite poem so I included it. I’m also going to add that short story I like.
August 14 – Some guy suspended my account because of what I was doing. I told him I don’t have an account at his bank. He’s so dumb.

tp says:

This article was seriously misunderstood by trolls on internet

There’s two important facts missing from the internet discussion: 1) govt had actually hidden the SSN’s by encoding them with something similar to what rot13 is, i.e. not encryption, but encoding anyway. 2) It’s illegal to access protected information regardless of how you got access to it, even if it was publicly available in the html source code, accessing it is illegal.

These two pieces of information will change the whole story upside down. The step (1) means that the "security researchers" had to use hacking techniques to get access to the SSN’s, since the information simply wasn’t available to ordinary public. The step (2) means that once they found SSN’s with their hacking techniques, any further actions with the data is all illegal, including reporting the blunder to its originating organisation. Given that they weren’t real security researchers, but some kind of newspaper reporters, they weren’t aware of the strict laws that govern security research, and thus they’re doing more damage than what their "reporting" is worth.

Rocky says:

Re: This article was seriously misunderstood by trolls on intern

It’s fascinating to see someone fail so spectacularly at understanding how things work and what the law says.

  1. Encoding isn’t encryption. UTF-8 is an encoding, base64 is an encoding, EBCDIC is an encoding and even ASCII is an encoding. If the government by mistake publishes sensitive information, albeit in an encoding that’s not easily human readable by default, converting that encoding to a human readable format is not decryption in any way. Taken to its logical conclusion, if the SSN’s were published in pure ASCII you would still have to convert it to something a human could easily read, like taking the ASCII, looking up fonts and display them in a GUI.

  2. It’s not illegal to read sensitive information if the government publishes it. It’s not illegal to point out to the government that they have published sensitive information. It’s not illegal to report on the government’s failures to safeguard sensitive information. If it were, there would be no incentive to actually point out leaks of sensitive information. That you can’t even logically see how broken your reasoning is, is quite telling.

And "hacking techniques"? Reading HTML and base64-encoded text isn’t "hacking techniques" – it’s basic knowledge for anyone who is somewhat conversant in making web-pages. That you think it’s "hacking techniques" explains a lot, because only uneducated fools would say that or those with an agenda that’s contrary to the public good. Well, and the dishonest assholes arguing in bad faith of course.
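The encoding-versus-encryption point argued in this thread, as an added example (not part of the article or of any commenter's post): a pre-publication check that scans every string a page sends to the browser for SSN-shaped values, both in plain form and inside base64 blobs, since base64 decodes without any key. The markup, attribute names and SSN values are constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# 3-2-4 digits with a consistent optional separator; skips never-issued ranges
# (area 000/666/9xx, group 00, serial 0000) to cut false positives.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)(\d{3})([- ]?)(?!00)(\d{2})\2(?!0000)(\d{4})(?!\d)"
)
# Runs long enough to plausibly be a base64 payload rather than a word.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


class _Collector(HTMLParser):
    """Gathers what the client receives: text, attribute values, comments."""

    def __init__(self):
        super().__init__()
        self.chunks = []  # list of (location, string)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.chunks.append((f"<{tag} {name}>", value))

    def handle_data(self, data):
        if data.strip():
            self.chunks.append(("text", data))

    def handle_comment(self, data):
        self.chunks.append(("comment", data))


def _b64_text(token):
    """Return the decoded text of a base64 token, or None if it is not base64."""
    core = token.rstrip("=")
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("latin-1")  # latin-1 maps every byte, so this never fails


def _mask(match):
    # Report only the last four digits so the scanner's own log is not a leak.
    return "***-**-" + match.group(4)


def scan_html(html):
    """Return (location, encoding, masked_value) for each SSN-shaped value."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for location, value in parser.chunks:
        for m in SSN_RE.finditer(value):
            findings.append((location, "plain", _mask(m)))
        for token in B64_RE.findall(value):
            decoded = _b64_text(token)
            if decoded:
                for m in SSN_RE.finditer(decoded):
                    findings.append((location, "base64", _mask(m)))
    return findings


# Constructed sample: one SSN used directly as a row identifier, one inside a
# base64-encoded hidden field, plus a phone number that must not be flagged.
_BLOB = base64.b64encode(
    b'{"name":"Example Teacher","ssn":"123-45-0001"}'
).decode()
SAMPLE_PAGE = f"""<html><body>
<!-- contact: 573-555-0100 -->
<table>
  <tr data-person-id="123-45-6789"><td>Example Teacher</td><td>Certified</td></tr>
</table>
<input type="hidden" name="state" value="{_BLOB}">
</body></html>"""

if __name__ == "__main__":
    for location, encoding, masked in scan_html(SAMPLE_PAGE):
        print(f"{location}: {encoding} SSN {masked}")
```

Run as a gate in the publishing pipeline, a non-empty result blocks the page before it is ever served.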

Anonymous says:

Re: Re: Re: Re: This article was seriously misunderstood by trol

Governments can be vindictive, and besides they are not accusing Julian Assange for looking at data on WikiLeaks, but rather that he was active getting the data onto WikiLeaks. That is looking at the data once it has been made public is not illegal, but making it public may be. There is a not very subtle distinction between those two cases which you are ignoring.

tp says:

Re: Re: Re: Re: Re: This article was seriously misunderstood by

sure, but they’re accusing him of all the following:
1) accessing protected computer without permission (==hacking)
2) accessing protected documents without permission (==confidentiality breakage)
3) publishing protected documents without permission
4) fleeing the country twice (sweden->england, england->ecuador)
5) breaking his bail conditions
6) sex offenses
7) annoying powerful people
8) getting refugee status in Ecuador
9) forgetting to pay taxes while locked inside embassy
10) 1 million bucks that police used for surveillance of the Ecuador embassy
11) messing with Ecuador embassy operations
12) getting kicked away from embassy
13) etc..

Lots of small issues… But the key takeaway is that the main problem is the access to protected documents.

Rocky says:

Re: Re: Re: Re: Re: This article was seriously misunderstood by

Did you actually read what the law said before posting a random link? 18 USC 93 is about public officers and government employees and §1905 is specifically about them disclosing confidential information.

I don’t understand what that has to do with your claim that it’s illegal to read sensitive information the government published by mistake.

Perhaps read and understand the information you link to, it does lessen the "I’m an idiot" factor a bit.

tp says:

Re: Re: Re: Re: Re: Re: This article was seriously misunderstood

I don’t understand what that has to do with your claim that it’s illegal to read sensitive information the government published by mistake.

It has the following keywords: "to be seen or examined by any person except as provided by law"… This basically forbids external entities from seeing or examining the confidential material once govt makes a mistake.

otoh, I don’t know where that thread continues in the law. The piece I pasted was really bradley manning is doing evil stuff -kind of piece, but it doesn’t talk about julian assange. But it indicates the activity is illegal, but I don’t know where assange’s full ruleset is described in the law. But maybe you can follow the law dependencies and find the "seeing or examining" keywords and watch where they lead to?

Rocky says:

Re: Re: Re: Re: Re: Re: Re: This article was seriously misunders

It has the following keywords: "to be seen or examined by any person except as provided by law"… This basically forbids external entities from seeing or examining the confidential material once govt makes a mistake.

No, it doesn’t. The first sentence of the law specifically states which persons are bound by it and what you quoted is one of the conditions that determines if the law has been broken by those people. You have yet again demonstrated that you don’t know what you are talking about.

tp says:

Re: Re: This article was seriously misunderstood by trolls on in

Florida Star v. B.J.F., 491 U.S. 524 (1989).

The current case isn’t about newspaper reporters photographing police department’s bulletin board. Instead sophisticated hackers are using view-source mechanism to uncover decoded data that contains SSN’s after hackers decoded the information. The knowledge that the data contains SSN’s is dangerous, given that only illegal hacking techniques can uncover that information. And as such, that information needs to be considered confidential, and thus not to be distributed outside of explicitly permissible area of the world. Any actions taken with the knowledge that data contains SSN’s is illegal, including distributing the encoded or decoded data in dark web, passing any of the decoded SSN’s to other parts of government services, or publishing the fact that the web site contains SSN’s, linking the web site and the information that it contains SSN’s, uploading/downloading the encoded or decoded data or simply any other ways of helping black hat hackers to obtain the SSN’s. Basically even the techdirt discussion about the subject is illegal.

Confidential subject matter is special kind of stuff in the world, because information flow needs to be restricted when handling that material. While the damage already happened when newspapers published the info, any subsequent publications need to be carefully evaluated whether such information flow is necessary. Good plan is to place the information inside large wall of text, so that new readers of the material cannot find the relevant information and black hat hackers have trouble identifying which part of the text wall contains the confidential material.

THOMAS AUSTIN says:

Re: Re: Re: This article was seriously misunderstood by trolls o

Oh give me a break. Social security numbers are issued by the federal government and according to the issuing agency are not to be used as a means of identification, the act of using a social security number as a piece of Personal Identifying Information or PPI is itself a crime. The unfortunate thing here is that the many States have decided to use this for that very purpose. It’s a damn account number to your Federal Pension. If it’s not paired with many other pieces of information on specific individuals it’s really useless. The US supreme court has ruled on this 100s of times. Do your damn research.

tp says:

Re: Re: Re: Re: This article was seriously misunderstood by trol

If you think viewing HTML for a web-page is "sophisticated hacking"

With view-source, you can only uncover encoded information. At that point, you don’t even have information that the web site is handling SSN’s.

The sophisticated hacking techniques are needed for 1) installing compiler 2) writing base64 or rot13 decoding routines or finding them from a library 3) compiling the software, 4) recognizing the encoded information format and then copy-pasting the encoded information to the software as input 5) examining the result and finding SSN’s hidden within the feed.

Basically it’s not so simple as clicking view-source.

Rocky says:

Re: Re: Re: Re: Re: This article was seriously misunderstood by

What you call "sophisticated" is what I call basic understanding of web-based content. Also, there is no need to write any code at all, since most of the tools for viewing HTML-content and base64 encoded data are available in most OS’s by default, and if that’s not the case there are online tools or editors that allow you to do it.

Anyone who seriously thinks you need to write and compile code to view the source for web-based content is so far out of touch with reality it’s ridiculous.

Regardless, it doesn’t matter one bit. If the government publicly publishes sensitive information in whatever format, it’s they that are breaking the law, not the ones reporting the government’s mistake.

The correct action when citizens point out a problem is to act on the problem, not try to punish the citizens, and it shouldn’t matter one bit what profession those citizens have. Or perhaps you think it’s okay for the government to publish sensitive information as long as nobody points it out in fear of retribution?

Your every argument falls flat because they are so blindingly stupid it’s mindboggling.

tp says:

Re: Re: Re: Re: Re: Re: This article was seriously misunderstood

Regardless, it doesn’t matter one bit. If the government publicly publishes sensitive information in whatever format, it’s they that are breaking the law, not the ones reporting the government’s mistake.

This is where you’re wrong. Since government had done their web page correctly by encoding the information, it’s the hackers who get access to the information that are outside of the law. It’s perfectly fine approach for government to use legal means (as opposed to technical barriers) to protect their content. And probably web page performance reasons are preventing using encryption, so the base64 stuff is enough for the content they’re handling. The legal barrier still exists and anyone who can access the information inside those encoded boxes can be legally prosecuted. This is exactly what they’re doing, once people decode the information inside these confidential areas, they can be prosecuted for hacking related laws.

But good luck decoding web pages without hacking techniques. You can try to do that in my https://meshpage.org/view.php the drag&drop data is base64 encoded, so good luck decoding it without hacking techniques.

Rocky says:

Re: Re: Re: Re: Re: Re: Re: This article was seriously misunders

This is where you’re wrong.

Name the law that makes my statement wrong. I want to see you fail spectacularly again, it’s a common theme when it comes to you.

It’s perfectly fine approach for government to use legal means (as opposed to technical barriers) to protect their content.

Not in this context, and funnily enough you actually posted a link to one of the laws governing this but you totally failed to understand it.

But good luck decoding web pages without hacking techniques. You can try to do that in my meshpage the drag&drop data is base64 encoded, so good luck decoding it without hacking techniques.

echo WW91IGFyZSBzdWNoIGEgbG9zZXIK | base64 -d -

"Sophisticated hacking techniques"… pfft..

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was serious

a clear indication that your level of computer literacy is sub-par.

But your computer literacy isn’t any better when you cannot keep browser’s view-source dialog and the commandline tricks doing base64 decoding as separate operations. If you truly think that base64 decoding is part of view-source operation, your computer literacy is worse than sub-par.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was ser

"If you truly think that base64 decoding is part of view-source operation, your computer literacy is worse than sub-par."

Says the guy who doesn’t know what encoding he uses, or given some comments here what the difference is between that and encryption.

Just in case there’s anyone reading who is less ignorant than you (like, say, my cat), it’s worth pointing out that "plain text" can include information that’s encoded. Decoding base64 plain text is no different to opening up a dictionary to translate an unfamiliar word. I wouldn’t be surprised if your litany of insane demands now extends to making the understanding of what you’re reading illegal, but as usual the rest of us can be glad that your insane fantasy world still only has one resident.

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was

Says the guy who doesn’t know what encoding he uses, or given some comments here what the difference is between that and encryption.

The legal statutes that make the hacking activity illegal, already activates when the info is being decoded from its encoded form. I.e. the protections that control the usage of the confidential material does not need to be bulletproof. Even if persistent hackers manage to crack the protections, the legal framework gives encoded information possibility to sue the violators of hacking laws. This is why distributing DeCss for cracking dvd disks is illegal activity, even though entertainment industry failed to protect their intellectual property from persistent hackers. You’ve yourself mentioned that all and any copy-protection mechanism is fundamentally crackable, so you cannot now reverse and demand usage of encryption. A mere encoding is enough to protect government’s valuable intellectual property, and legal framework can handle the violations.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article

"The legal statutes that make the hacking activity illegal, already activates when the info is being decoded from its encoded form"

No, it really doesn’t. That might apply to encryption, but not encoding, and you should be embarrassed not to know the difference.

"DeCss"

CSS is encryption, you raving dumbass.

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This art

CSS is encryption, you raving dumbass.

The fact that some people cracked their encryption is no reason to avoid liability under the law. Circumvention of technological protection measures is activating when they keep cracking copy-protections and avoiding the practices that entertainment industry put in place to protect against unauthorised copying of the material. The current case is no different, it still deals with unauthorised access of the protected content. You cannot claim that the access wasn’t unauthorised.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This

"The fact that some people cracked their encryption is no reason to avoid liability under the law"

Yes, and there’s no such law that applies to encoded data.

"The current case is no different, it still deals with unauthorised access of the protected content"

Again, the data was sent as a response to a request on a public website with no protection. It was authorised. It should not have been authorised, but the person viewing the authorised data is not liable for their screw up.

tpsays:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

Again, the data was sent as a response to a request on a public website with no protection. It was authorised.

This doesn’t mean that it’s authorised. Some web protocol cannot mess with the legal paperwork. You actually need to sign contract or something before you are properly authorised. If some 3rd party web module decides to send the data to anyone in the world does not mean that your authorisation paperwork is in order.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

"This doesn’t mean that it’s authorised."

Yes it does. If something is on a public website that does not require any direct authorisation to view, it’s authorised for the public to view. That someone behind the website screwed up and authorised something that should not have been authorised does not change the implicit authorisation that comes with every publicly available website.

"You actually need to sign contract or something before you are properly authorised"

Which authorisation did you sign to read the comments here? Which authorisation is required before people click on your links and laugh at your shoddy website?

"If some 3rd party web module decides to send the data to anyone in the world does not mean that your authorisation paperwork is in order."

Then, your problem is with the 3rd party, not the people who viewed the data that you mistakenly authorised through them. The person viewing the site had implicit authorisation to download it as part of the HTML code provided when they requested the public page.

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

Which authorisation is required before people click on your links and laugh at your shoddy website?

my website with 3d models is slightly different than government’s web site handling SSN’s… I do not require any special kind of authorisation to access the data I created. But you cannot assume authorisation simply because some protocol uses 200 OK rest message.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

"my website with 3d models is slightly different than government’s web site handling SSN’s"

No, it’s not. You type the URL into your browser or click a link and the site is loaded.

"But you cannot assume authorisation simply because some protocol uses 200 OK rest message."

No, but you can assume that when that page is not behind any kind of login screen and is served to you on a publicly available URL that you’re authorised to see it.

Again, you’re deliberately confusing the issue here. Public authorisation was given when the data was served to the public. The fact that someone on the back end fucked up and the site served something they shouldn’t have served is a totally different issue, and nothing to do with the people visiting the site.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

"This kind of assumption leads to very illegal place."

According to you. The fun fact is that if your insane distortion of the facts was true, you could be held legally liable for viewing my comment here. Before you even reply to me, according to your idiotic interpretation of facts, you could be prosecuted before you typed a letter in response.

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

The fun fact is that if your insane distortion of the facts was true, you could be held legally liable for viewing my comment here.

Yes. If you keep posting confidential information, or copyright infringements, then obviously anyone viewing your comments will be liable too. The law has concepts for direct infringer and secondary infringer and those need to be somehow linked to make a proper copyright case. And the whole bunch will be prosecuted.

I always knew that exploring techdirt was dangerous activity given that the people there had stupid copyright position. Guess we’ve got the message to you too now. Now we’re just waiting what you do to fix the situation.

Rocky says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was ser

But your computer literacy isn’t any better when you cannot keep browser’s view-source dialog and the commandline tricks doing base64 decoding as separate operations. If you truly think that base64 decoding is part of view-source operation, your computer literacy is worse than sub-par.

I never said it was, but that you think using base64-decoding is "sophisticated hacking techniques" is a clear indication of your sub-par computer literacy.

I should note that I have applied some of those "sophisticated hacking techniques" and my web-browser actually opens up my editor of choice when I do view-source, which happens to have built in base64 handling among other things.

And if I hadn’t changed the settings in my web-browser, I could have used another "sophisticated hacking technique", copy & paste. Imagine that, showing off my leet skillz in such a brazen way!

And if I was particularly bored I could have used curl, grep & sed to feed base64 encoded text into a base64-decoder. Leet skillz indeed…

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was ser

We’re talking about the ability to parse text and your inability to understand the technology you supposedly work with. If this is awesome to you, then you’re even more incompetent and ignorant than we thought – which, honestly is a hell of a trick given the low bar you usually set for yourself…

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was

If this is awesome to you, then you’re even more incompetent and ignorant than we thought

There’s very low bar in the law for considering your hacking skills criminally awesome. It’s enough that you explore to areas of technology which are unavailable to other people due to legal problems. Basically, there’s 3 main ways how it could happen: 1) bypassing login systems 2) circumvention of technological protection measures, 3) copyright infringement

All of them have the aspect where the hacker needs to explore illegal areas simply to do their hacking operations.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article

"Basically, there’s 3 main ways how it could happen: 1) bypassing login systems 2) circumvention of technological protection measures, 3) copyright infringement"

None of which happened in the story you’re failing to understand. There was no login to bypass, the files were authorised to be received in plain text, there was no copyright applicable.

Once again, you’re confusing yourself by trying to apply random things that only exist in your mind instead of the facts of the real world that everyone else is addressing.

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This art

There was no login to bypass,

This isn’t true. The SSN numbers were probably behind logins when the data was generated/stored in the servers.

the files were authorised to be received in plain text,

This definitely isn’t true. Government simply doesn’t authorize general public from accessing SSN numbers in bulk.

there was no copyright applicable.

This might be true.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This

"The SSN numbers were probably behind logins when the data was generated/stored in the servers."

No, they weren’t. The whole point of the issue is that they were sent as part of the HTML accessed via the public website. The entire story is that they were publicly available.

As ever, you’re unable to deal with the facts at hand, so you invent a fictional scenario in which you’re correct.

"Government simply doesn’t authorize general public from accessing SSN numbers in bulk."

They do when they include them in the HTML sent as part of a request on a public site. They shouldn’t be doing that of course, but they did.

"This might be true."

Of course it’s true. So why did you pretend that it did?

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

They do when they include them in the HTML sent as part of a request on a public site. They shouldn’t be doing that of course, but they did.

Well, you as a web page reader need to filter out confidential information. Any documents where there’s clear signs of "confidential" or "company confidential" or something like that, and you need to stop reading the material immediately, even if it was publicly posted to the dark web website.

Basically the whole idea that web servers are offering authorisation to all users is completely bogus stuff and whoever tries that are completely outside legal boundaries. I would call it fake authorisation attempt and belongs to the same category as spam emails or nigerian scams.

Rocky says:

Re: Re:

You are one stupid and dishonest fucker, a first grade liar with a poor grasp on reality. Let’s go back to exactly what you said:

Basically the whole idea that web servers are offering authorisation to all users is completely bogus stuff and whoever tries that are completely outside legal boundaries.

Which has fuck all to do with a website of dubious legality, but that’s what you do, isn’t it? Always moving the goal post, because you know you are wrong. And if you lack the self awareness to realize that you are wrong, you should seek professional help with your mental problems.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

"Well, you as a web page reader need to filter out confidential information"

Which is of course not possible, since you don’t know what will be displayed before you type in a URL or follow a link.

"Basically the whole idea that web servers are offering authorisation to all users is completely bogus stuff"

It’s weird, I knew you didn’t know how collaboration and creativity worked, but since you managed to get a working website online I didn’t realise you didn’t know how web servers worked…

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

Which is of course not possible, since you don’t know what will be displayed before you type in a URL or follow a link.

You can always immediately stop reading the page whenever you encounter confidential information. It doesn’t matter if you typed in the url or followed a link, but google analytics will be your proof that you stopped reading the page immediately after detecting wrongdoing.

since you managed to get a working website online I didn’t realise you didn’t know how web servers worked…

Legal position of other technology vendors is always difficult to guess. Some of their positions are downright stupid, i.e. even pirate sites have a legal position, even though it isn’t very good one. But even if you aren’t a pirate site, you can still filter out complete nonsense from your evaluation, like that web server authors would be able to change authorisation settings of the government entity.

Rocky says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

You can always immediately stop reading the page whenever you encounter confidential information.

Define how to detect confidential information that works in all contexts. I don’t expect you to be able to, since you aren’t smart enough to understand context. What we’ll see though is you moving the goal post or offer up some idiocy.

Also, your legal theories aren’t.

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

Define how to detect confidential information that works in all contexts.

You just check for keywords like "confidential" or "company confidential"…

Then you can look for signs of social security numbers for example. Or if it contains unpublished company secrets?

Humans have no problems detecting such things.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

"You can always immediately stop reading the page whenever you encounter confidential information."

By the time I have the option to read it, the information is already downloaded, so you fail. Again.

"like that web server authors would be able to change authorisation settings of the government entity."

So, since nobody did that, you agree that the blame is with your fellow incompetents who offered the information publicly and not the person reading what they were given in response to a legal request?

tp says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

The information is already downloaded

This assumes that the only concern is if some network-side tracking entity notices you’re reading the material. But this isn’t the main concern in the legal sphere. In fact, this indicates that you just want to get away with your illegal acts by hiding your network traffic from trackers.

But the real concern is your access to information which you’re unable to handle. For example wikileaks have revealed tons of war memos which contain information that ordinary humans are not supposed to know about, and it could even be dangerous if read by children who do not appreciate the seriousness of the actions contained within the material. Some poor children learn that such activities are allowed within our system, and they use that information instinctively 50 years later when they have gained good position as a wingman of some army general. This all could be dangerous and the confidential information limitations are actually protecting consumers from the harms contained in the material.

It isn’t just embarrassments of governments or hiding wrongdoing that confidential flags in documents are closing. It’s also information that is too sensitive or flamboyant that it needs to be closed from the world.

PaulT says:

Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

"In fact, this indicates that you just want to get away with your illegal acts by hiding your network traffic from trackers."

No, it indicates that you started with a story about people viewing what they’d been authorised to download, and now you’re making up insane bullshit to avoid the fact that the problem is with the person who sent the data, not the person who requested the publicly available webpage.

You’d get along a lot better in life if instead of spending days spinning fictional alternate versions of what’s in front of you, you just dealt with reality.

This is simple – person goes to a public webpage, sees that they have access to data they shouldn’t have been given, notifies the page that they shouldn’t have given it to him, the page is fixed. It’s only you and incompetent politicians pretending this has anything to do with the person who visited the page, but at least we know the politician has a profit motive for his incompetence.

Anonymous says:

Gov noise box.

Bottom line, under no circumstances EVER do you publish sensitive data thru a publicly accessible system, there should be isolation. Encrypted, encoded – does not matter, you don’t do it. That is the real crime, the Gov is making noise to cover this huge, big bad, no no. Hey look over here…those are the bad guys, don’t look at your trusted state Government for the bad guys and stupid people. These people that told you about it, they are the bad guys, after all "he who smelt it, dealt it", right? After all that’s the state’s proud motto!

THOMAS AUSTIN says:

Governor,
I am a US Army Vet and conservative. You sir are a complete and utter moron. Ask any 12 year old and they can tell you that the source code is public. The developer dropped the ball and you want to punish a guy who pointed that out? Let me give you a comparative analysis. A guy walks into a pharmacy to pick his prescription up. He consults the pharmacist for the detailed prescribing information and it is provided to him. He reads it. Now Governor Dumb Ass wants him convicted for manufacturing a drug without a license because he read the chemical makeup of the drug available to the public. That’s the equivalent scenario playing out. Or here is another… A guy walks into a library and picks up one of the many volumes of the Missouri Revised Statutes. He opens the book. Governor Dumb Ass wants him prosecuted for practicing law without a license.

Anonymous says:

Re: Criminal, right?

Can it be proven beyond doubt that social security numbers were written into the tags of the Web site,

It probably was some script generating HTML on the fly that dumped the database ID numbers for the viewable entries.

Unfortunately many db admins look at things like SSNs as the perfect primary key for a user / person in a db, and fail to realize what will happen when some poor web developer uses the "personID" field in the database as a reference in their HTML widget code….

In short, it probably wasn’t an intentional act by the site maintainers, let alone the state administration. But you’ve got to love the anal retentiveness of the state governor and the carelessness of the db admins mixing to create a dangerous "never report anything" mentality among the general public. The law of unintended consequences gets them every time.

At least that’s what I hope is going on here. Otherwise this governor is practically inviting a massive hack against his state in a few years by effectively telling people to never report a cybersecurity issue to anyone under threat of lawsuits and jail time as official state policy.

Rocky says:

Re: This article was seriously misunderstood by trolls on intern

It’s fascinating to see someone fail so spectacularly at understanding how things work and what the law says.

  1. Encoding isn’t encryption. UTF-8 is an encoding, base64 is an encoding, EBCDIC is an encoding and even ASCII is an encoding. If the government by mistake publishes sensitive information, albeit in an encoding that’s not easily human readable by default, converting that encoding to a human readable format is not decryption in any way. Taken to its logical conclusion, if the SSN’s were published in pure ASCII you would still have to convert it to something a human could easily read, like taking the ASCII, looking up fonts and display them in a GUI.

  2. It’s not illegal to read sensitive information if the government publishes it. It’s not illegal to point out to the government that they have published sensitive information. It’s not illegal to report on the government’s failures to safeguard sensitive information. If it were, there would be no incentive to actually point out leaks of sensitive information. That you can’t even logically see how broken your reasoning is, is quite telling.

And "hacking techniques"? Reading HTML and base64-encoded text isn’t "hacking techniques" – it’s basic knowledge for anyone who is somewhat conversant in making web-pages. That you think it’s "hacking techniques" explains a lot, because only uneducated fools would say that or those with an agenda that’s contrary to the public good. Well, and the dishonest assholes arguing in bad faith of course.
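An added example, not part of any comment in this thread: a pre-publication check for the two failure modes discussed above, a database key that is really an SSN emitted into markup and a value that is only base64-encoded. The page markup, names, numbers and the `page_state` field are constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# SSN shape: 3-2-4 digits, dashes optional, not part of a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")
# Runs long enough to carry an encoded nine-digit value.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def ssn_like(text):
    """Return SSN-shaped strings in text, skipping ranges that are never issued."""
    hits = []
    for match in SSN_RE.finditer(text):
        area, group, serial = match.groups()
        if area in ("000", "666") or area[0] == "9":
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


def b64_decoded(text):
    """Yield text recovered from base64-looking runs; decoding needs no key."""
    for token in B64_RE.findall(text):
        try:
            padded = token + "=" * (-len(token) % 4)
            yield base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue


def mask(ssn):
    """Keep only the last four digits so the report itself is not a leak."""
    return "***-**-" + ssn[-4:]


class _Collector(HTMLParser):
    """Collect attribute values and text nodes, hidden fields and scripts included."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fragments = []  # (location, text) pairs in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.fragments.append((f"<{tag} {name}>", value))

    def handle_data(self, data):
        if data.strip():
            self.fragments.append(("text", data))


def scan_html(html):
    """Return (location, form, masked value) for each SSN-shaped value in html."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    findings = []
    for location, text in collector.fragments:
        findings += [(location, "plain", mask(s)) for s in ssn_like(text)]
        for decoded in b64_decoded(text):
            findings += [(location, "base64", mask(s)) for s in ssn_like(decoded)]
    return findings


# Constructed sample data: names, numbers, field names and markup are made up.
_STATE = base64.b64encode(b'{"educator":"Jane Doe","ssn":"123-45-6789"}').decode()
LEAKY_PAGE = f"""
<table><tr id="person-078051120"><td>John Roe</td><td>Certified</td></tr></table>
<input type="hidden" name="page_state" value="{_STATE}">
"""
# The same row keyed by an opaque surrogate ID, with no record state echoed back.
FIXED_PAGE = """
<table><tr id="person-7f3a9c1e"><td>John Roe</td><td>Certified</td></tr></table>
"""

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("fixed", FIXED_PAGE)):
        print(label, scan_html(page))
```

Run against rendered responses in a test suite or staging crawl, a non-empty result means the value is already public to anyone who requests the page, whatever encoding it is wrapped in.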

Anonymous says:

Re: Re: Re: Re: This article was seriously misunderstood by trol

Governments can be vindictive, and besides they are not accusing Julian Assange for looking at data on WikiLeaks, but rather that he was active getting the data onto WikiLeaks. That is, looking at the data once it has been made public is not illegal, but making it public may be. There is a not very subtle distinction between those two cases which you are ignoring.

tp says:

Re: Re: Re: Re: Re: This article was seriously misunderstood by

sure, but they’re accusing him of all the following:
1) accessing protected computer without permission (==hacking)
2) accessing protected documents without permission (==confidentiality breakage)
3) publishing protected documents without permission
4) fleeing the country twice (sweden->england, england->ecuador)
5) breaking his bail conditions
6) sex offenses
7) annoying powerful people
8) getting refugee status in ecuador
9) forgetting to pay taxes while locked inside embassy
10) 1 million bucks that police used for surveillance of the ecuador embassy
11) messing with ecuador embassy operations
12) getting kicked away from embassy
13) etc..

Lots of small issues… But the key takeaway is that the main problem is the access to protected documents.

Scary Devil Monastery says:

Re: Stop the insanity

"I normally believe in Hanlon’s razor – "never attribute to malice that which is adequately explained by stupidity". However, I wouldn’t put it past Republicans to use this to score points in the culture war."

I’m normally a firm believer in that razor as well. Yet every time I try to use it on US republicans, it breaks.

These days every time these benighted morons make an obviously deranged claim I just assume they know damn well they’re talking bullshit and are just bringing it up as a talking point to energize a base of voters so brain-damaged by an upbringing where the crazy uncle and fox news was the primary source of education they’ll believe anything as long as it ends with "It’s all the libs fault!".
