Politicians are our brightest and best, right?

Sent from my iPhone
> On Nov 15, 2021, at 6:12 PM, Bill Prince <part15...@gmail.com> wrote:
>
> Missouri Governor Doesn't Understand Responsible Disclosure
>
> [2021.10.18] The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state.
>
> The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.
>
> [...]
>
> According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages.
>
> The state removed the search tool after being notified of the issue by the Post-Dispatch. It was unclear how long the Social Security numbers had been vulnerable.
>
> [...]
>
> Chris Vickery, a California-based data security expert, told The Independent that it appears the department of education was “publishing data that it shouldn’t have been publishing.
>
> “That’s not a crime for the journalists discovering it,” he said. “Putting Social Security numbers within HTML, even if it’s ‘non-display rendering’ HTML, is a stupid thing for the Missouri website to do and is a type of boneheaded mistake that has been around since day one of the Internet. No exploit, hacking or vulnerability is involved here.”
>
> In explaining how he hopes the reporter and news organization will be prosecuted, [Gov.] Parson pointed to a state statute defining the crime of tampering with computer data. Vickery said that statute wouldn’t work in this instance because of a recent decision by the U.S. Supreme Court in the case of Van Buren v. United States.
>
> One hopes that someone will calm the governor down.
>
> Brian Krebs has more.
>
> --
> bp
> <part15sbs{at}gmail{dot}com>
> --
> AF mailing list
> AF@af.afmug.com
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com