According to The Verge, Missouri Gov. Mike Parson doesn't understand how the site works. He held a news conference in St. Louis earlier this week to reiterate again his desire to prosecute a St. Louis Post reporter who looked at the source code of the state's Department of Primary and Secondary Education (DESE) website.
In October 2021, journalist Josh Renaud reported that the SOURCE code of the DESE website exposed the social security numbers of more than 100,000 school teachers, administrators and counselors. He only released the story after the problem was reported to the state government and the vulnerability was resolved.
Parson and DESE were clearly not grateful to the reporter and immediately accused Renaud of "hacking" the DESE website. Missouri Commissioner of Education Margie Vandeven wrote to educators, "One person took the records of at least three educators, decrypted the source code from a web page, and looked at the social security numbers of those specific educators. ”
According to records obtained by the St. Louis Post, the FBI told the state that the site was "misconfigured" and that Renaud's actions were "not an actual cyber intrusion."
It is reported that the source code is not encrypted. The source code of a website is usually available to anyone who uses a web browser. While getting it will take some technical knowledge, just looking at it will be as simple as opening the Developer Tools option in almost all web browsers, including Chrome, Safari, Firefox, and Edge. According to Parsons and DESE's logic, anyone who uses "developer tools" on a website they don't own is a hacker.
While a serious misunderstanding of how a website works can be interesting by a state agency and the governor, Parson's behavior is inconceivable. Based on public records obtained by the St. Louis Post, Vandeven initially planned to thank the newspaper for finding the vulnerability. Her attitude changed only after meeting with staff at the governor's office.
Parson also ordered the Missouri Highway Patrol to conduct an "investigation" of reporters. They transferred the case to Cole County Prosecutor Locke Thompson on Dec. 27. Parson then held a press conference on Dec. 29 in which he cited state regulations related to computer tampering and repeatedly advised Thompson to use it to prosecute Renaud and the St. Louis Post.
At a press conference, Parson likened Renaud's behavior to a person using a lockscreen to enter a person's home without permission. The Verge argues that this is by no means an appropriate metaphor. The website is public-facing. They resemble public buildings, not residences. A more appropriate analogy would be if a person is in a state-owned building, passing by a locked room, and sees someone posting a pile of sensitive information on a window for anyone to see, whether they have a key or not.
Personally, I wish someone had knocked on the door to point out the issue without fear of being sued by an embarrassing person who doesn't grasp how the site works.