I hope the Governor gets sued because that’s just messed up that someone in good faith reports a bug and then gets threatened and slandered, also if there was a violation of law as the prosecutor said, I’d think it would be by the Missouri government for failing to secure sensitive data appropriately

$50 million to fix this?! 🤯 That's it. I'm moving to Missouri! They obviously pay their programmers gooood. 😄

"Decoded HTML source code" "Multi-step process" Im honestly surprised they didnt even consider getting an opinion from any cybersecurity expert before releasing that speech. they would've clarified everything in a few words. Due to a misconfigured server, it was telling everyone who wanted the Social Security number of any teacher.

Journalist: **Presses F12** Governor: *What they did is beyond unethical.*

This whole situation pissed me off so much when it was unfolding... This is the exact opposite of what you want to do against people who are responsibly disclosing security vulnerabilities. All this does is send the wrong signals and makes them look like idiots.

I think this was a malicious attempt to shift the focus on the journalist and distract from the fact, that such a vulnerability should have never made it to production. Also the state should provide the teachers with some sort of security monitoring for the next years, because it's impossible to know how many social security numbers where stolen.

Once in IT class I used F12 to troll my friends. Then the teacher thought I was hacking the website and my parents needed to get to the school. How tf was that teacher teaching IT

Those teachers should sue the government for literally sharing their social security number to anyone who asks, they just need to decode it.

this multi-step video had me on the edge of my seat

It's actually insane that they're claiming the journalist breached the teacher's privacy when it was actually the government themselves! That's like them leaving a file cabinet full of sensitive documents outside in public and then suing those who open it. Fucking ridiculous.

"decoded the html source code" Thats must be the funniest thing I heard today.

As a developer this hurts, I have lost about 300 brain cells just even seeing that governor’s face.

It's like they are shipping a box full of secret documents to you address. When you open it they sue you for breaking into their building and stealing documents.

Now everybody knows that if they ever find a critical vulnerability by mistake on any official website of Missouri, they should never disclose it to anyone. The risk of getting sued for responsibly disclosing a security threat should be zero.

This is a prime example of why states should have "technical courts" where the judge is a technically literate person who actually knows what he's talking about

The governor should take a real hard look at the consequences that would've occurred if this vulnerability hadn't been reported. To run the dudes name through the mud for protecting others is flat out inexcusable, and the governor should be punished.

There seriously needs to be an age limit for people in government. If the internet is still foreign to them, they should start living in a retirement home

And this is how a well intended ethical hacker and security specialist says "Screw this shit" and goes to the dark side.

Journalist: *Reports bug privately and responsibly, not revealing any information to the public and not causing "Major embarrassment"* Governor: THIS'LL COST MILLIONS

the level of digital illiteracy in the us government is frankly frightening and infuriating. Yes, it's highly unethical that the teachers' private information was able to be abused but it was in no way the fault of the reporter, just the complete and utter incompetence of the state of missouri.

It´s frightening to see someone with so much power putting someone through hell due to stupidity and opportunism. I sincerely hope the journalist gets reimbursed and the governor put in his place. Shamefull behavior.

This is both super stupid and malicious on the part of the government. F12 is something everyone can use and the journalist just found a vulnerability in the website. If anything, the journalist should be thanked for doing a service.

Government: sends teachers' private in nearly plain text information to everyone Journalist: "you got an issue, please fix" Government: WE'VE BEEN HACKED!

The journalist even helped and they still wanted to sue him

This Governor has clearly never accidentally hit the F12 key. "A multi step process to hack our systems" (Hacker presses F12) Guess I'm going to jail.

Honestely i hate this kind of crap When a politician decides to fuck over someones life just for his campaign

I actually wrote up a paper on this for one of my college classes. I decided to print out the HTML of an NPR article that I used as a reference, because at the top of their page is a "Now Hiring Programmers" box that you can only see by looking at the source code. Obviously this is a fairly common practice, but I thought it would resonate more with the person grading my paper if they actually saw it with their own eyes what this journalist is being attacked for doing.

This whole situation is basically analogous to this: "Hey here's a package, do whatever you want with it!" "Ok... *reads the contents of the package"* "POLICE! HE HAS CLASSIFIED INFORMATION!"

I can’t even begin to explain how many times non-technical execs and program managers have had no clue what is going on with the technology that they rely on for business. This is not a hack. This is a simple step that should have been followed by their development team to verify the security policy compliance of their code before pushing it to production. It’s deplorable that malicious ignorance results in attacks on good Samaritans. Then people don’t understand why the sense of community has disappeared from our hometowns and favorite places to visit. Thanks for pointing out this story. This ignorance deserves to be put in check.

Both. Stupid AND malicious. The reporter should definitely sue.

This governor should resign. What a clown.

The way I understand it, it’s obsessively being addressed as a hack and as a ‘multi step process’ because the sensitive data is not out there, as in you don’t just load the website in your browser and wabbam, you got the SSN on display, but you got multiple steps to it, like go to the website, search for a specific name, hit F12, take the base64 text, and translate it. So basically the incompetency of the developer is covered up by minute details.

Wonder if they fooled him into believing this "html hack" was so sophisticated it would cost $50m to fix.

"clearly a hack" Clearly wasn't Seen this covered by somebody before, but this has more detail, and is much better. Makes me want to press F12 more.

That is why you grab all the sensitive data for yourself, before you tell the organisation. Then you can sell it on the black matket to pay for your lawyer in case they try this BS.

The $50mil number comes from the security measures they will make to double check those social security accounts for fraud. It is ridiculously bloated and they use the highest estimate when the law gets involved as a bartering technique.

You do have to be really careful, I did something similar to this, but with my schools email software (I emailed one other student, which was not supposed to be possible), and got kicked out of my tech classes (in fear of the future) and suspended for a week (later reduced to 1 day). People are stupid, and no matter how many times you explain things to them, they will still be stupid

Similar stuff happened a while back in germany where the addresses of voluntary electorial assistants were exposed through an api by changing the parameters in the url. The researcher did not make a big fuss and went the responsible disclosure route, but than after it got fixed and it went public she got hit with a lawsuit. IIRC in the end the lawsuit got dropped becuse she just accessed publicly available data, but the CCC said they won’t ever report any security issues to that party in the case they find one again. Shooting the messenger is not cool, especially if you got no knowledge on the topic and the whole thing is just a shitshow.

Working in software development me and my colleagues had a blast watching this video.

Hope the Journalist set up a crowd funding for this event, if he doesn't have the budget to fight, I'm sure a lot of people who understand exactly what is happening here are willing to help, including myself.

This video had me in tears. I wish I could've become a pentester by simply viewing a public webpage and decoding a b64 string. I would've saved so much money

The Governor was very tech illiterate. His campaign manager spearheaded that whole thing. That being said the Governor was more than willing to participate in publicly shaming and attacking a law abiding citizen to score a few political points and appear to be tough on crimes. And, that’s why this country is in its twilight years as far as respect and greatness.

Question is: Why were those SSNs hidden in that website in the 1st place? If I was a teacher and were to find out about that, I'd set that circus ABLAZE

Such an absolute embarrassment to everyone involved

This is how tech savvy the average US politician is, and why ransomeware works so well in the States

So the journalist did the technological equivalent of holding a publicly available government pamphlet up to the light and seeing the teachers' social security numbers on them and reported that to the proper authorities but got charged with breaking and entering or espionage as thanks. Great. Way to win the trust and respect of the tech community.

This is like delivering all of your valuables to someone's front door, then saying they robbed you. They would have been destroyed in court.

I just hate how they always act so sure of themselves, and then get angry at others for calling them out for their bullshit

that's actually really sad. how can such powerful people not even have a normal basic understanding of the internet

I find it annnoy that they claimed their action were beyond unethical, when I’m fact, all they did was browse a public website. And once they found the bug, they first reported it, and when it was fixed, they published news about it. To me, that seems like the most ethical thing to do

Both the paper and the individual reporter surely have grounds to sue for damages over this absolute disaster

Someone should get sued, but it's not the journalist!

This level of technical ignorance by politicians should warrant an impeachment of that person. Whether it was pure incompetence or there was a malicious intent, it's equally disturbing and unacceptable.

Shows the level of advisors and tech competency of politicians. There should be popular documentaries produced to highlight the absurdity of this situation and how the 'government' can bully journalists or citizens to mask their incompetence. The old git should be held accountable for throwing his weight around without understanding the facts.

Wow, such incompetence & a public humiliation, guess its time to retire...

Politicians nowadays are literally every movie that says "I'll create a GUI interface to trace the IP address on the mainframe"

First casualty in Politics is the truth- this was just something to score political brownie point. If I was the 100,000 teachers I'd sue the State for shoddy workmanship under their state Data Protection.

I love the thought that they probably ditched the whole thanking him thing and instead resorted to blowing this whole thing out of proportion to make him look like a dangerous hacker, all just so they could not embarrass themselves, but ended up making a bigger fool out of themselves than if they had just accepted they screwed up with their website and moved on.

I love how they call it a multi-step hack, when its literally one click of the f12 button.

the same thing happened to me when I tried to responsibly disclose ppi being leaked by a pager vendor. I was thanked by the IT at the health care provider, then served a cease and desist by the vendor.

I think especially since this was politician making the claims of "hacking" he was playing the malicious card as a way of diverting the attention away from his governments flaws, and when that back fired he played dumb.

How did nobody find this sooner? Also, how did that journalist have to get a lawyer? If anything, the government violated the teacher's privacy by sending the data in the first place.

I can't believe the devs just put the social security number in the front-end code, and they tried to "secure" it with base64. I'm truly dissapointed in the government and the devs.

This is the equivalent of sending someone a letter in the mail with accidental personal information left in it, and then the recipient getting sued for reading it.

The campaign ad makes it obvious the governor knew exactly what he was doing. He may have never heard of HTML before but he's not dumb. What he knew is if it got out that the website was _that insecure,_ it would be a huge embarrassment. It might even lead to lawsuits from anyone that had info stored in their databases. The prosecutor calls it what it is, a data breach, not a hack. That prosecutor's press release goes on to talk about how they have zero tolerance for "improper taking and using of personal information." They conspicuously omit the word "storage" from that sentence. Improper storage of personal information was the problem here. No one took anything. It was in plain sight. I don't think the governor is intimidating journalists. I think he was seizing an opportunity and turning an embarrassment into a campaign strength. I mean, look at the guy. He's been in politics for a long time. He knew exactly how to handle this and spin it in his favor. The journalist was a convenient scapegoat.

As for the 50 million bucks, aside from the contractors that need to fix the website - which shouldn’t be expensive, I’m sure ALL the teachers in that database are entitled to credit monitoring, on behalf of the state.

I laughed so much when he said "decoded the html code" LMAO🤣

This could be used as a South Park script

It was both malicious and stupid. It is the dynamics of a abusive relationship. The abuser attempting to turn every thing around and make themselves the victim when they get exposed. The stupid part was thinking everyone else would be stupid enough not to see it for what it is.

So by their logic, if they publicly posted the SSN in clear text on the homepage of a website, and I saw it, I would be breaking the law.

This is like the mechanic blaming the driver for finding out the brakes don't work upon pressing down on the pedal.

I'm going to say that regardless of intent, this almost certainly fits the legal definition of actual malice. Someone (and someone in a position of authority no less) has decided to repeatedly make false claims and pass them off as fact, with disregard for their truth and what effect they would have, arguably for their own gain. Even if the journalist can't recover damages for legal fees, he could almost certainly sue for slander. (not a lawyer, but I have seen way too many legaleagle videos where he has to explain the legal definition of actual malice.)

As a web developer, I know that the HTML I send to the client is not proprietary, copyrightable, or protected and open to anyone who has access to the browser. In short, I JUST don't send private data from someone other than the requestee, what a bunch of fools. 😂😂

The governor should be stripped from his post, because this is no small mistake!

Ignorance has no limits, that governor just embarrassed himself and probably doesn't even realize it.

“There is an argument to be made that there was a violation of law.” Didn’t interpret this as a red flag as you said, but rather as a creative jab at the Governor. Almost like “There is an argument to be made that the earth is flat.”

Next in the news: "Old man doesn't understand how the internet works." If it was intentional I doubt he would have mentioned specifics and would have used vague wording which sounds more intimidating. At least the prosecutor realised what was going on and that it wouldn't stand in court.

wow, I love how that dude talked into the mic. My brain, "Is this real!?'

so, in other words, he leaves a poster on the door with all the SSNs, somebody knocks and says : "hey, you're having the SSNs visible by anyone" and their response is : "hey, you broke in our house and stole the data (that we publicly posted on our door)" :p

Dear god, this was painful to learn about.

It may have been done intentionally because if I'm not mistaken, it was his office who was responsible for the security of that website.

True story, I found a decent security vulnerability in a payment processing service. I wont disclose the name, but they are similar to square. Anyway, I was able to obtain the business names and products of each of their clients. That itself I suppose isn't the end of the world, but it was definitely a bug, and at least would have made me uncomfortable being them. So I composed a report and sent it over to them. They then told me I was wrong. I so badly wanted to just compile the list and send it to them. But we were using their services and had spent a great deal of time setting our system up to do so. So I didn't compromise our relationship with them, I just let it go. Two months later, they issued an email to our their customers requiring their action, a layer of authentication had been added they said. Without getting into too much detail, it was a fix to the bug I found. Wish they would have at least given me some credit. My guess, whatever technician my report originally reach, got escalated to some senior tech, who naively and stubbornly insisted it was impossible. Then went home and while sleeping that night went over it in his head and eventually came to the "oh fuck maybe he's right" realization. Then too embarrassed never emailed me back thanking me. Then took them two months of fix it, requiring all their users to take manual action to correct their bug.

has anyone looked into whether there was a IT contractor who could be blamed? if yes there's always the possibility that said contractor might have links to the governor

when he said "Decoded the HTML code" ...i was so shocked that i almost choked from my own laugh

Something like this happened while I was studying, it was 2017 I think. But some kid found a way into school servers using the schools own website and realised that's how examination papers were getting leaked, he reported the vulnerability to the school and instead of getting a pat on the back he gets expelled from school, I felt bad because everyone knew it wasn't him, but the school wanted a scapegoat (?) Or someone to blame it on and since he told management about the vulnerability it's obviously him who leaks it. God I hate boomers.

Illiteracy. This is just wild.

Waiting for "Getting sued for existing"

Eating soup with a spoon is a multi-step process... They just needed to add more meaningless words to make it sound serious

I'm surprised the teachers union hasn't launched a class action suit against the state for violating their duty of care of personal data. There are laws designed to protect personal data, and their job to protect against "multi step" processes that can disclose it. I would want to know every single instance my data was ever transmitted. But maybe this is exactly the state's reason to "spin" the story in this way - afraid of being sued and wanting to make people believe it wasn't their fault.

That was a governor on a power trip who read about how one of his institutions fucked up in the news and decided to go on the offense to turn his embarrassment into a power move. Unfortunately for this governor, his illiteracy in IT made what was a serious issue with security into a serious issue of management as a whole. Meaning i am sure there's PLENTY more of these flaws across this governing body's sites as the governor actually believes that any leaks that get into anyone else's hands is not a fault of theirs but the fault of those who got the information. I WISH that was true... For all but those i cared about... Because then i could just send some incriminating data to another person as a text message using an anonymous source and then he or she is a criminal. Imagine how simple it would be to get rid of competition this way... Just send something to someone and BOOM, they are in jail.

Was this done intentionally? I do tech support for a living, and I garuntee you that as he read “HTML” he didn’t even understand the concept of what it was. He’s an old man that is rich enough to pay others to understand technology for him, and through some absence if grey matter had somehow connected the description of what happened to “hack”.

The people who are in the Government are the best and brightest in our nation. So smart they pay 50 million for a problem that can be done for practically nothing. 😆 🤣

This is very upsetting. The journalist found that the state was leaking people's PII, did the right thing, and was then slandered. This reeks of a lawsuit for defamation from the governor, and the whoever paid for those ads.

There’s probably something in the hacking statute that says a “hack” has to be a multi step thing to be considered illegal .

This is ridiculous... Do American law markers not take advice from other people? Like if you don't know something just ask. It's not a sign of weakness.

I think I'm just going with Hanlon's razor: Never attribute to malice that which is adequately explained by stupidity. But I'm not even sure if this is better or worse. It's bad enough that they governor had no idea what he was talking about, but it is even worse that there still isn't a federal law that protects cybersecurity whistleblowers.

ANOTHER RECENT STORY: Last week’s Friday I have this buddy who was having trouble trying to obtain my instructor’s lecture reader PDF (he’s a tutor and the instructor had issues making the company to give access to her lecture note to the tutor), and because this guy is majoring in cyber security, all he did was hit F12, look at the HTML source code, extract the PDF, and submit a report to the company saying they need to fix the vulnerability. The company started to get angry

Web and app security is an absolute joke. Bad database queries and unsanitized user input are everywhere. Governments and multi-million dollar corporations aren't immune, its really sad.

Yet another case of: Shoot the messenger!

This is scary just how broken the system is.