Politicians are our brightest and best, right?

Sent from my iPhone

> On Nov 15, 2021, at 6:12 PM, Bill Prince <part15...@gmail.com> wrote:
> 
> 
> Missouri Governor Doesn't Understand Responsible Disclosure
> 
> [2021.10.18] The Missouri governor wants to prosecute the reporter who 
> discovered a security vulnerability in a state’s website, and then reported 
> it to the state.
> 
> The newspaper agreed to hold off publishing any story while the department 
> fixed the problem and protected the private information of teachers around 
> the state.
> 
> [...]
> 
> According to the Post-Dispatch, one of its reporters discovered the flaw in a 
> web application allowing the public to search teacher certifications and 
> credentials. No private information was publicly visible, but teacher Social 
> Security numbers were contained in HTML source code of the pages.
> 
> The state removed the search tool after being notified of the issue by the 
> Post-Dispatch. It was unclear how long the Social Security numbers had been 
> vulnerable.
> 
> [...]
> 
> Chris Vickery, a California-based data security expert, told The Independent 
> that it appears the department of education was “publishing data that it 
> shouldn’t have been publishing.
> 
> “That’s not a crime for the journalists discovering it,” he said. “Putting 
> Social Security numbers within HTML, even if it’s ‘non-display rendering’ 
> HTML, is a stupid thing for the Missouri website to do and is a type of 
> boneheaded mistake that has been around since day one of the Internet. No 
> exploit, hacking or vulnerability is involved here.”
> 
> In explaining how he hopes the reporter and news organization will be 
> prosecuted, [Gov.] Parson pointed to a state statute defining the crime of 
> tampering with computer data. Vickery said that statute wouldn’t work in this 
> instance because of a recent decision by the U.S. Supreme Court in the case 
> of Van Buren v. United States.
> 
> One hopes that someone will calm the governor down.
> 
> Brian Krebs has more.
> 
> -- 
> bp
> <part15sbs{at}gmail{dot}com>
> -- 
> AF mailing list
> AF@af.afmug.com
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com