from the disgusting dept
Last autumn, you may recall, the St. Louis Post-Dispatch published an article revealing that the Missouri Department of Elementary and Secondary Education (DESE) was leaking the Social Security numbers of teachers and administrators, past and present, by putting that information directly in the HTML. The reporters at the paper ethically disclosed this to the state, and waited until this very, very bad security mistake had been patched before publishing the story. In response, rather than admitting that an agency under his watch had messed up, Missouri Governor Mike Parson made himself into a complete laughingstock, by insisting that the act of viewing the source code on the web page was nefarious hacking. Every chance he had to admit he fucked up, he doubled down instead.
The following month, the agency, DESE, flat out admitted it screwed up and apologized to teachers and administrators, and offered them credit monitoring… but still did not apologize to the journalists. FOIA requests eventually revealed that before Governor Parson had called the reporters hackers, the FBI had already told the state that no network intrusion had taken place and it was also revealed that the state had initially planned to thank the journalists. Instead, Parson blundered in and insisted that it was hacking and that people should be prosecuted.
Hell, three weeks after it was revealed that the FBI had told the state that no hacking had happened, Parson was still saying that he expected the journalists to be prosecuted.
Finally, late on Friday, the prosecutors said that they were not pressing charges and considered the matter closed. The main journalist at the center of this, Jon Renaud, broke his silence with a lengthy statement that is worth reading. Here’s a snippet:
This decision is a relief. But it does not repair
the harm done to me and my family.My actions were entirely legal and consistent
with established journalistic principles.Yet Gov. Mike Parson falsely accused me of
being a “hacker” in a televised press conference,
in press releases sent to every teacher across the
state, and in attack ads aired by his political action
committee. He ordered the Highway Patrol to
begin a criminal investigation, forcing me to keep
silent for four anxious months.This was a political persecution of a journalist,
plain and simple.Despite this, I am proud that my reporting
exposed a critical issue, and that it caused the state
to take steps to better safeguard teachers’ private
data.At the same time, I am concerned that the
governor’s actions have left the state more
vulnerable to future bad actors. His high-profile
threats of legal retribution against me and the
Post-Dispatch likely will have a chilling effect,
deterring people from reporting security or
privacy flaws in Missouri, and decreasing the
chance those flaws get fixed.This has been one of the most difficult seasons
of my nearly 20-year career in journalism
Later in the letter, he notes that a week earlier, Parson himself had decried the treatment of his rejected nominee to lead the state’s Department of Health and Senior Services, noting that Parson complained that “more care was given to political gain than the harm caused to a man and his family.” Renaud noted that the same could be said of Parson’s treatment of himself:
Every word Gov. Parson wrote applies equally to
the way he treated me.
He concludes by hoping that “Parson’s eyes will be opened, that he will see the harm he did to me and my family, that he will apologize, and that he will show Missourians a better way.”
And Parson showed himself to be a bigger man and did exactly that… ha ha, just kidding. Parson just kept digging, and put out a truly obnoxious statement, with no apology and continuing to insist that Renaud hacked the government’s computers even though — again, this is important, lest you just think the governor is simply technically ignorant — the FBI has already told him that there was no hacking:
“The hacking of Missouri teachers’ personally identifiable information is a clear violation of Section 56.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative.
The Prosecutor believes the matter has been properly address and resolved through non-legal means.
The state will continue to work to ensure safeguards are in place to protect state data and prevent unauthorized hacks.
This whole statement is utter hogwash and embarrassing nonsense. Again, there was no hacking whatsoever. The state messed up by putting information that should never, ever be in HTML code into HTML code, making it accessible for anyone who viewed the source on their own computer. The state messed up. The state failed to secure the data. The state sent that data to the browsers of everyone who visited certain pages on their public websites. Renaud did exactly the right thing. He discovered this terrible security flaw that the state put on the database, ethically reported it, waited until the state fixed its own error, and then reported on it.
Parson knew from the beginning that no hacking occurred. The FBI told the state that no hacking occurred. The state had prepared to thank Renaud and his colleagues at the St. Louis Post-Dispatch. It was only after Parson decided to deny, deny, deny and blame, blame, blame reporters for pointing out Parson’s own government’s failings, that this whole thing got out of hand.
The prosecutors have their own reasons for declining to prosecute, but the most likely reason is they knew they’d get laughed out of court and it would make them and Parson look even more ridiculous. Renaud chose give a heartfelt write up of what Parson’s nonsense put him through, and asked in the politest way possible for Parson to look deep inside at the harm he had caused and to apologize. Instead, Parson quadrupled down, continued to insist that his own government’s failings could be blamed on a “hack,” and insisting that he’s trying to “protect” the state when all he’s done is show why no serious tech company should do business in such a state.
Missouri: elect better politicians. Parson is an embarrassment.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: dese, ethical disclosure, hacking, jon renaud, journalism, mike parson, missouri, security flaw, view source
Companies: st. louis post-dispatch
