Missouri governor threatens to prosecute journalist for sharing web security flaw


Missouri Governor Mike Parson might want to read up on the differences between disclosing and exploiting security flaws. According to The Missouri Independent, Parson accused a St. Louis Post-Dispatch reporter of being a “hacker” for having the audacity to… report security holes. The journalist disclosed a Department of Elementary and Secondary Education web app flaw that let anyone see over 100,000 teachers’ Social Security numbers in site source code, and Parson interpreted this as a “political game” meant to “embarrass the state” — that is, a malicious hack.







JEFFERSON CITY, MO - MAY 29: Gov. Mike Parson listens to a media question during a press conference to discuss the status of license renewal for the St. Louis Planned Parenthood facility on May 29, 2019 in Jefferson City, Missouri. Parson stated that the facility still had until Friday to comply with the state in order to renew the license. (Photo by Jacob Moscovitch/Getty Images)


© Jacob Moscovitch via Getty Images
JEFFERSON CITY, MO – MAY 29: Gov. Mike Parson listens to a media question during a press conference to discuss the status of license renewal for the St. Louis Planned Parenthood facility on May 29, 2019 in Jefferson City, Missouri. Parson stated that the facility still had until Friday to comply with the state in order to renew the license. (Photo by Jacob Moscovitch/Getty Images)

The governor has already referred the case to the Cole County Prosecutor, and even has the Missouri Highway State Patrol investigating. An attorney for The Post-Dispatch maintained that the reporter “did the responsible thing” by sharing the flaw with the government to get it fixed. The lawyer also helpfully refreshed Parson on his internet lingo. A hacker is someone who “subverts” security with sinister intent, not a reporter trying to bolster security by sharing publicly available information.

Loading...

Load Error

This flaw wasn’t recent, either. University of Missouri-St. Louis professor Shaji Khan told The Post-Dispatch that this kind of vulnerability had been known for “at least” 10 years, and that it was “mind boggling” the Department would let these problems linger. Audits in 2015 and 2016 had highlighted data collection issues at both the Department and school districts.

No, prosecutors probably won’t file charges. It’s a bit difficult to convict someone whose ‘hack’ effectively amounted to clicking “view page source” in their browser. However, this highlights an all-too-familiar problem with politicians that don’t understand tech. It doesn’t just lead to embarrassments, such as

Source…