A St. Louis Post-Dispatch story this week exposed a major security flaw in a website run by Missouri's education department—but the newspaper didn't get a thank-you note from Gov. Mike Parson. Instead, the Republican governor vowed to investigate and prosecute the paper and the "hacker" who uncovered the vulnerability, NPR reports. The Post-Dispatch said the HTML source code for the state website contained the Social Security numbers of more than 100,000 teachers and other school employees. The newspaper said it waited for the Department of Elementary and Secondary Education to remove the pages involved before it released its report.
Parson said Thursday the reporter and the newspaper had "unlawfully" accessed the information and complained it could cost around $50 million to fix the issue, per Krebs on Security. He said the "hacker"—and "all those who aided this individual and the media corporation that employs them"—would be held accountable. The governor said prosecutors have been notified and the Missouri State Highway Patrol's digital forensic unit will be investigating all those involved. "We will not let this crime against Missouri teachers go unpunished," Parson said.
But exposing the flaw didn't require "brilliant technological wizardry," writes Philip Bump at the Washington Post, who describes the governor's rhetoric as "over the top to the point of near hilarity." Bump notes that Parson accused reporter Josh Renaud of "decoding" the information, when all he did was view the page's source code, which is only a few clicks away for any user. Since fixing the issue would require "little more than changing an ASP template to remove the embedded numbers," it's not clear why the governor thinks it would cost $50 million, Bump writes.
Post-Dispatch attorney Joseph Martineau said the reporter had done the responsible thing by reporting the issue to the state. "A hacker is someone who subverts computer security with malicious or criminal intent," Martineau said in a statement. "Here, there was no breach of any firewall or security and certainly no malicious intent." Cyber law expert Peter Swire at the Georgia Institute of Technology's School of Cybersecurity and Privacy tells the AP that reporting security flaws in publicly accessible websites is a "public service," not a crime. "Right clicking does not count as criminal hacking,” Swire says.
(Read more Missouri