Mike Parsons is a low-down no-good son of a bitch.


nakedfrog

No Lifer
Apr 3, 2001
Well I would say the right thing to do in a moral not legal sense would be for the newspaper to have made significant efforts to alert the government about the vulnerability privately so that they can fix it prior to publishing a story about it. But for all I know, they did.
That's typically how these things are done, and when they ignore you, you go public with intent of shaming them into fixing their shit.
 

woolfe9998

Lifer
Apr 8, 2013
Well I would say the right thing to do in a moral not legal sense would be for the newspaper to have made significant efforts to alert the government about the vulnerability privately so that they can fix it prior to publishing a story about it. But for all I know, they did.

The original story says they did in fact do that.

Newspaper staff reportedly alerted DESE of the findings and delayed publishing the story to give the agency time to protect teachers' personal information and enable the state to check other websites for similar risks.

Would have been extremely irresponsible for them not to as that would have alerted the world at large that anyone with a web browser could access the SS numbers of these state employees. Given that they did, in fact, do this, Parsons is completely out of order with all of these things he's saying about the newspaper.
 

brycejones

Lifer
Oct 18, 2005
Well I would say the right thing to do in a moral not legal sense would be for the newspaper to have made significant efforts to alert the government about the vulnerability privately so that they can fix it prior to publishing a story about it. But for all I know, they did.
They didn't publish until AFTER the data was removed. The Post-Dispatch acted very ethically in this situation.
 

Lanyap

Elite Member
Dec 23, 2000
I'm baffled at why the SSN would be in the HTML at all if it's not being displayed. Something tells me that whatever device the data is stored on (at this point I'm not even going to be so bold as to assume it's stored in a database...) probably isn't all that secure either.



You need to haxor into their system and test your theory.
 

woolfe9998

Lifer
Apr 8, 2013
I'm baffled at why the SSN would be in the HTML at all if it's not being displayed. Something tells me that whatever device the data is stored on (at this point I'm not even going to be so bold as to assume it's stored in a database...) probably isn't all that secure either.

That's a good question and I'm wondering it myself. I assume this information was imported from an employee database to start with. What is strange is SS numbers remaining in the source code. Not an html expert, but to hide them from view on the front end, you might do something like use a comment tag in the code? But why go to the trouble of doing that instead of just deleting the SS numbers from the source code? I mean, whoever set up this website knows well how easy it is to access the source code, so...
 

interchange

Diamond Member
Oct 10, 1999
That's a good question and I'm wondering it myself. I assume this information was imported from an employee database to start with. What is strange is SS numbers remaining in the source code. Not an html expert, but to hide them from view on the front end, you might do something like use a comment tag in the code? But why go to the trouble of doing that instead of just deleting the SS numbers from the source code? I mean, whoever set up this website knows well how easy it is to access the source code, so...

It's entirely possible that it's not a static website but something like a php script that pulls from a database and puts everything in the generated html instead of building the site dynamically with javascript requests. There are a number of ways to have something be contained within the html code but not visible on the screen, apart from comments. One possibility, for example, would be that the coder just did a SELECT * database query (get every field available instead of specific ones you are looking for) and coded it to assign the values as html attributes, ending up looking something like this:
HTML:
<div firstName="Jim" lastName="Smith" position="Principal" ssn="111-11-1111">
    stuff
</div>

Now, those aren't actually valid attributes. The code won't validate. But any browser would still create an element and assign attributes with those names to it that you could access via javascript for display.

In particular, if you hire someone at the lowest cost who doesn't know what they're doing they are liable to slap a bunch of example code together from various sources until the output looks the way they want.
 

woolfe9998

Lifer
Apr 8, 2013
It's entirely possible that it's not a static website but something like a php script that pulls from a database and puts everything in the generated html instead of building the site dynamically with javascript requests. There are a number of ways to have something be contained within the html code but not visible on the screen, apart from comments. One possibility, for example, would be that the coder just did a SELECT * database query (get every field available instead of specific ones you are looking for) and coded it to assign the values as html attributes, ending up looking something like this:
HTML:
<div firstName="Jim" lastName="Smith" position="Principal" ssn="111-11-1111">
    stuff
</div>

Now, those aren't actually valid attributes. The code won't validate. But any browser would still create an element and assign attributes with those names to it that you could access via javascript for display.

In particular, if you hire someone at the lowest cost who doesn't know what they're doing they are liable to slap a bunch of example code together from various sources until the output looks the way they want.

This actually makes sense, and it's probably correct. If it's dynamic, then any change in employee information in the database would automatically update the profile on the website. But if you're pulling information dynamically from a database, can't you decide to access certain fields and not others? Why was the SS number being pulled from the database at all?
 

IronWing

No Lifer
Jul 20, 2001
I suspect that the SS numbers were being used as unique record identifiers.

User: Is Sally Smith a state certified teacher?
Database: Sally Smith is record 111223333, return attributes for 111223333, including record identifier. Only display other attributes.
 

woolfe9998

Lifer
Apr 8, 2013
I suspect that the SS numbers were being used as unique record identifiers.

User: Is Sally Smith a state certified teacher?
Database: Sally Smith is record 111223333, return attributes for 111223333, including record identifier. Only display other attributes.

I think you figured it out. If the SS number is in the html, then that is used as the unique identifier whenever the website queries the database for updates.

So the problem could be in the database. Why not just use a standard number series starting with, say, employee 1, 2, 3, etc.? Answer: probably because when the database was set up, they did not anticipate a website which was set up later needing to query it, and no one wanted to do the work of modifying the database. Meaning the explanation is sloth.
 

nakedfrog

No Lifer
Apr 3, 2001
I think you figured it out. If the SS number is in the html, then that is used as the unique identifier whenever the website queries the database for updates.

So the problem could be in the database. Why not just use a standard number series starting with, say, employee 1, 2, 3, etc.? Answer: probably because when the database was set up, they did not anticipate a website which was set up later needing to query it, and no one wanted to do the work of modifying the database. Meaning the explanation is sloth.
I mean, the amount of effort to add a unique ID column to a database is pretty trivial... for anyone who knows what they're doing, or is at least lightly proficient with a search engine.
 
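An added example (not code from the thread) of the mechanism interchange describes above and of the fix the last few posts discuss: a SELECT * dumped into attributes leaks every column, while naming the columns and keying lookups on a surrogate integer id keeps the SSN on the server. It uses an in-memory SQLite table with constructed rows.

```python
import html
import sqlite3

# Constructed sample rows (not real people; the SSN values are placeholders).
SEED_ROWS = [
    ("Jim", "Smith", "Principal", "111-11-1111"),
    ("Sally", "Jones", "Teacher", "222-22-2222"),
]

# Columns the public profile page actually needs; "ssn" is deliberately absent.
PUBLIC_COLUMNS = ("id", "first_name", "last_name", "position")


def build_db():
    """In-memory staff table keyed on a surrogate integer id, not the SSN."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE staff (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "first_name TEXT, last_name TEXT, position TEXT, ssn TEXT)"
    )
    db.executemany(
        "INSERT INTO staff (first_name, last_name, position, ssn) VALUES (?, ?, ?, ?)",
        SEED_ROWS,
    )
    return db


def render_leaky(db, staff_id):
    """The pattern the thread describes: SELECT * and dump every column into attributes."""
    row = db.execute("SELECT * FROM staff WHERE id = ?", (staff_id,)).fetchone()
    attrs = " ".join(f'{col}="{html.escape(str(row[col]))}"' for col in row.keys())
    return f"<div {attrs}>{html.escape(row['first_name'])} {html.escape(row['last_name'])}</div>"


def render_safe(db, staff_id):
    """Hardened form: name the columns, look up by surrogate id, emit valid data-* attributes."""
    query = f"SELECT {', '.join(PUBLIC_COLUMNS)} FROM staff WHERE id = ?"  # constant column list
    row = db.execute(query, (staff_id,)).fetchone()
    attrs = " ".join(
        f'data-{col.replace("_", "-")}="{html.escape(str(row[col]))}"' for col in PUBLIC_COLUMNS
    )
    return f"<div {attrs}>{html.escape(row['first_name'])} {html.escape(row['last_name'])}</div>"


def leaks_ssn(db, markup):
    """Regression check: does the rendered markup contain any SSN held in the table?"""
    ssns = [r[0] for r in db.execute("SELECT ssn FROM staff")]
    return any(ssn in markup for ssn in ssns)
```

The leaks_ssn check is the kind of assertion a release test can run against rendered pages so a later "just add the column" change cannot quietly reintroduce the exposure.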

brycejones

Lifer
Oct 18, 2005
I mean, the amount of effort to add a unique ID column to a database is pretty trivial... for anyone who knows what they're doing, or is at least lightly proficient with a search engine.
Developers are lazy people and usually do what is easiest at that moment in time. Especially if it’s a contract for the state where the only thing that mattered was being the low bid.
 

woolfe9998

Lifer
Apr 8, 2013
Developers are lazy people and usually do what is easiest at that moment in time. Especially if it’s a contract for the state where the only thing that mattered was being the low bid.

Too bad about that laziness then, since the state will undoubtedly sue the developer to recoup the costs it is now incurring, likely putting them into bankruptcy.
 

nakedfrog

No Lifer
Apr 3, 2001
Developers are lazy people and usually do what is easiest at that moment in time. Especially if it’s a contract for the state where the only thing that mattered was being the low bid.
Hey, I resemble that comment! :p
But I guess that's what separates me from all the schmucks I've interviewed that make me lose faith in humanity... just being lazy doesn't mean doing a bad job.
 

interchange

Diamond Member
Oct 10, 1999
Not necessarily bad to have an SSN in the database if you need it for something. It would be bad to have it as your key. Even still, the web designer could easily keep this information from getting out of the server.

One thing this made me think of is that the field containing the SSN is actually named something like "id" in the database itself and isn't stored as a string with dashes included. The web developer might not even realize they were SSNs.

There are companies that audit things looking for security vulnerabilities, though...
 

nakedfrog

No Lifer
Apr 3, 2001
Not necessarily bad to have an SSN in the database if you need it for something. It would be bad to have it as your key. Even still, the web designer could easily keep this information from getting out of the server.

One thing this made me think of is that the field containing the SSN is actually named something like "id" in the database itself and isn't stored as a string with dashes included. The web developer might not even realize they were SSNs.

There are companies that audit things looking for security vulnerabilities, though...
Or if they were from a different country, they might not even recognize it as significant data.
 

woolfe9998

Lifer
Apr 8, 2013
College professor who consulted with the Dispatch is demanding a public apology from Parsons.


He shouldn't hold his breath. Looks like the guy could be a Muslim too, which made it a "double" for Parsons to go after the press and a dirty Muslim at the same time.

But I kid, of course, because Parsons is clearly a man of conviction. It's obvious this exposure of their rank incompetence must not stand!
 

brycejones

Lifer
Oct 18, 2005
All you need to know about Parsons is he won't pardon a guy even the prosecutor's office now says is innocent and has been in prison for almost 40 years. But he will pardon those shit heads from St. Louis who brandished guns at the Black Lives Matter protesters.
 
Nov 17, 2019
A: SSNs should never be used as employee identifiers. Employers can easily assign a different number. SSNs should be closely held and used for tax and SSA contacts only. Even Medicare is assigning new numbers instead of using the SSN.

B: Without some text field calling it out, how would one recognize an SSN among the source code of a webpage? Sure, they have a specific format and if they're in the same place in relation to a series of names, one could infer, but why would anyone be looking so closely? Did the reporter get a tip from someone else?
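One answer to question B, as an added example rather than anything from the thread: a format-based scan of page source for SSN-shaped values, applying the structural rules the SSA publishes (area not 000, 666 or 900-999; group not 00; serial not 0000) so that look-alikes are discarded. The page source below is constructed, not the DESE site.

```python
import re

# Constructed page source: one hyphenated SSN, one unhyphenated nine-digit "id",
# an invalid-area look-alike (666) and a phone-like string that must not match.
SAMPLE_SOURCE = """
<div firstName="Jim" lastName="Smith" position="Principal" ssn="111-11-1111">stuff</div>
<div data-id="222222222">Sally Jones</div>
<span>666-12-3456</span>
<span>call 555-1234</span>
"""

# 3-2-4 digits, hyphens either all present or all absent, not embedded in a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})(-?)(\d{2})\2(\d{4})(?![\d-])")


def plausible_ssn(area, group, serial):
    """SSA structure rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text):
    """Return (line_number, matched_text) for each SSN-shaped value that passes the rules."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(m.group(1), m.group(3), m.group(4)):
                hits.append((lineno, m.group(0)))
    return hits
```

Unhyphenated nine-digit matches will include ordinary record numbers, so on a real scan they are leads to verify against the page context (a nearby name, a field called "id"), not confirmed findings.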