So nothing happens to the person who created the site and should be liable for gross negligence, but the person who discovers it needs to be prosecuted. Yeah, makes sense... I guess if you're a politician or work for one it's perfectly reasonable to be incompetent and take no responsibility for your mistakes.

On 11/15/2021 7:12 PM, Bill Prince wrote:


    Missouri Governor Doesn't Understand Responsible Disclosure

*[2021.10.18]* <https://www.schneier.com/blog/archives/2021/10/the-missouri-governor-doesnt-understand-responsible-disclosure.html> The Missouri governor wants to prosecute <https://missouriindependent.com/2021/10/14/missouri-governor-vows-criminal-prosecution-of-reporter-who-found-flaw-in-state-website/> the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state.

    The newspaper agreed to hold off publishing any story while the
    department fixed the problem and protected the private information
    of teachers around the state.

    [...]

    According to the Post-Dispatch, one of its reporters discovered
    the flaw in a web application allowing the public to search
    teacher certifications and credentials. No private information was
    publicly visible, but teacher Social Security numbers were
    contained in HTML source code of the pages.

    The state removed the search tool after being notified of the
    issue by the Post-Dispatch. It was unclear how long the Social
    Security numbers had been vulnerable.

    [...]

    Chris Vickery, a California-based data security expert, told The
    Independent that it appears the department of education was
    “publishing data that it shouldn’t have been publishing.

    “That’s not a crime for the journalists discovering it,” he said.
    “Putting Social Security numbers within HTML, even if it’s
    ‘non-display rendering’ HTML, is a stupid thing for the Missouri
    website to do and is a type of boneheaded mistake that has been
    around since day one of the Internet. No exploit, hacking or
    vulnerability is involved here.”

    In explaining how he hopes the reporter and news organization will
    be prosecuted, [Gov.] Parson pointed to a state statute defining
    the crime of tampering with computer data
    <https://revisor.mo.gov/main/OneSection.aspx?section=569.095>.
    Vickery said that statute wouldn’t work in this instance because
    of a recent decision by the U.S. Supreme Court in the case of Van
    Buren v. United States.

One hopes that someone will calm the governor down.

Brian Krebs has more <https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/>.

--
bp
<part15sbs{at}gmail{dot}com>
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
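The flaw the quoted article describes, Social Security numbers present in the HTML source but never rendered on screen, is straightforward to check for on one's own pages before they go live. The following is an added example and not code from the post or its sources; it uses Python's standard-library HTML parser, the sample page and its field names are constructed, and the SSN pattern is a deliberately loose regular expression.

```python
import re
from html.parser import HTMLParser
# SSN-shaped pattern (constructed; a production check would also drop known-invalid numbers).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
NO_RENDER = ("script", "style", "template")

class NonDisplayScanner(HTMLParser):
    """Separate text a browser shows from text it receives but never renders."""
    def __init__(self):
        super().__init__()
        self.rendered = []     # visible text nodes
        self.non_display = []  # (location, text) pairs delivered to the client unseen
        self._skip = 0         # nesting depth inside script/style/template

    def handle_starttag(self, tag, attrs):
        if tag in NO_RENDER:
            self._skip += 1
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.non_display.append((f"hidden input {a.get('name')!r}", a.get("value") or ""))
        for key, val in attrs:
            if key.startswith("data-") and val:
                self.non_display.append((f"attribute {key}", val))

    def handle_endtag(self, tag):
        if tag in NO_RENDER and self._skip:
            self._skip -= 1

    def handle_comment(self, data):
        self.non_display.append(("comment", data))

    def handle_data(self, data):
        if self._skip:
            self.non_display.append(("script/style", data))
        else:
            self.rendered.append(data)

def find_ssns(html):
    """Return SSN-shaped strings split by whether a user would ever see them on screen."""
    p = NonDisplayScanner()
    p.feed(html)
    p.close()
    return {"rendered": SSN_RE.findall(" ".join(p.rendered)),
            "non_display": [(loc, m) for loc, t in p.non_display for m in SSN_RE.findall(t)]}
# Constructed sample page: the visible record shows only a name and certificate number,
# yet the SSN still reaches the browser in a comment, a data attribute and a hidden field.
SAMPLE_PAGE = """<html><body><!-- record 4471, ssn 123-45-6789 -->
<div class="teacher" data-ssn="123-45-6789"><span>Jane Doe</span> <span>Certificate 0098-AB</span>
<form><input type="hidden" name="ssn" value="123-45-6789"></form></div></body></html>"""
```

Run `find_ssns(SAMPLE_PAGE)` against a saved response: an empty `rendered` list with a non-empty `non_display` list is exactly the "no private information was publicly visible" condition the article describes, and it is still a disclosure.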