I hope the Governor gets sued because that’s just messed up that someone in good faith reports a bug and then gets threatened and slandered, also if there was a violation of law as the prosecutor said, I’d think it would be by the Missouri government for failing to secure sensitive data appropriately
(I'm not a lawyer, this is not legal advice, all that) Well... no matter how insecure, if the data is not publicly available, accessing it is considered unauthorized computer access, a crime in the US. Either way though, website HTML is, and always will be, open source (assuming no fancy obfuscation from the backend). Browsers allow you to view the HTML they're rendering for many reasons, chief among them web development and debugging. However, it is not "unauthorized." If you send the data, there is no guarantee of how it will be parsed. Therefore, any competent lawyer can easily convince a competent judge that the data was publicly available. Decoding the Base64 (a medium of transfer) does not make it any less "publicly available." After all, if that were the case, you could make the same argument for literally anything on the internet because of binary. Unfortunately, poor security is not (yet) a crime in the US. I do hope that changes though.
@BellCube If you are holding classified information, hand it to a stranger, then they tell the government you did so: then you have the right to sue the person who gave it to you if you had to fight legal proceedings. That's literally what's going on here. There's nothing illegal about hitting F12; it's actually not accessing anything not already on the page. A brief example: if a page is the color magenta, then hitting F12 would just show you the hex # for magenta. Just saying he actually has a case to sue :)
You're right, I missed that angle (hence the disclaimer). The information is itself classified. (The disclaimer from above still applies) Note that the plaintiffs would have to be the teachers in this case. That is, every teacher in Missouri could, at least in theory, sue. I see a Class-Action! As a side-note: LOVE that example!
@BellCube you clearly didn't watch the video, or even 1/4th of it, when you commented. He didn't "access private data"; he viewed the source code, which you can do by right-clicking a page, and reported what he read. There was no crime, hacking, or anything negative happening here. End of story, no need to say anything more.
"Decoded HTML source code" "Multi-step process" I'm honestly surprised they didn't even consider getting an opinion from any cybersecurity expert before releasing that speech. They would've clarified everything in a few words: due to a misconfigured server, it was telling everyone who wanted it the Social Security number of any teacher.
Once in IT class I used F12 to troll my friends. Then the teacher thought I was hacking the website and my parents needed to get to the school. How tf was that teacher teaching IT
@fss1704 you could if the website is THAT badly written. Almost no modern website is THAT bad; basic security practices are used by almost every skilled dev.
@St0RM33 The whole thing is a joke, my comment is a joke... You coming in here now being all serious looks less smart than you probably thought it would. 🙄
@Xi Jinping Sorry, I wish that was true. My info was leaked by the VA, when an admin left her computer in her car that was stolen. About 200,000 veterans' SSNs were leaked.
@sc3dev If you want to be technical, it is "decoding". What it isn't is "decrypting". "Encoding" simply means to put something in some data format, and "decoding" is taking it out. The text in this comment is encoded in something called UTF-8. Your computer decodes it and turns it into characters you can see on your screen. Things that are encoded are _meant_ to be decoded; this comment is encoded in UTF-8 so your browser can decode it and display it. Meanwhile "encrypting" is to scramble something to make it purposefully hard to "decrypt" (i.e. see what the original message was).
"Governor Parson believes everyone is entitled to their privacy, ESPECIALLY OUR TEACHERS" THEN DONT FUCKING SEND UNENCRYPTED SOCIAL SECURITY NUMBERS OVER THE INTERNET IN THE FIRST PLACE!
This whole situation pissed me off so much when it was unfolding... This is the exact opposite of what you want to do against people who are responsibly disclosing security vulnerabilities. All this does is send the wrong signals and makes them look like idiots.
Those who designed the website are the ones who should be excoriated. There is no excuse for this. What moron would pump sensitive information like social security numbers out like that? So sick of this itinerant nonsense. Next time they should try hiring someone other than a high school junior to do their site!!!!
It's actually insane that they're claiming the journalist breached the teacher's privacy when it was actually the government themselves! That's like them leaving a file cabinet full of sensitive documents outside in public and then suing those who open it. Fucking ridiculous.
I agree, but actually getting data by doing something (even just deleting "display: none" from the HTML) can be considered hacking in many countries (not sure about US). However, I don't think that people who report these bugs should be threatened, unless they misuse this knowledge.
Since the web servers had effectively already delivered the information to the web browser, I would say it is more like delivering the information requested by mail but also having another envelope enclosed with the SSN inside it.
@mkpanda you didn't get the data yourself, it got sent to you. You press a key and can see what has been sent over to you. If this was a bad thing, why was it sent? Is it my responsibility that someone sends me data? Especially if I then don't do anything with said data, and report it to the government to fix? I'd consider hacking as doing things to manipulate the server, be it forgery and whatnot.
@terrsus7676 It is tricky, but yes, here it is that getting any data that you are not meant to see by manipulating the webpage in any way (even just viewing the source) counts as "hacking" and you can be sued for that. However, if it is just sent to you and you never see the data, you can't be charged with anything (again, it depends on how you got the data, but in this case a normal user couldn't be charged with anything).
It's like they are shipping a box full of secret documents to your address. When you open it they sue you for breaking into their building and stealing documents.
@xliquidflames I have an even better one. They ship a letter to you, totally normal, properly addressed to you, and on the back of the paper they hid the SSNs, but in Chinese number characters.
It's not even that. It's more like they ship you the box, you open it, see that it's not your stuff and contact them to tell them they shipped it to you by accident, and they sue you for telling them.
The Governor was very tech illiterate. His campaign manager spearheaded that whole thing. That being said the Governor was more than willing to participate in publicly shaming and attacking a law abiding citizen to score a few political points and appear to be tough on crimes. And, that’s why this country is in its twilight years as far as respect and greatness.
If he sold those 100,000 social security numbers on the dark web he would have made a lot of money, and avoided his life being basically ruined, so yeah, people always make good guys regret their good actions.
Now everybody knows that if they ever find a critical vulnerability by mistake on any official website of Missouri, they should never disclose it to anyone. The risk of getting sued for responsibly disclosing a security threat should be zero.
In Germany a similar thing happened to a party. They sued the hacker; the prosecutor said there was no breaking of "security functions". But the process was opened and the party got a fine for disclosing personal data.
@Niklas Wasn't the API public, just as the data in that website was? I can't understand why calling a public API should be a hack. It does not make sense. And it especially makes no sense to sue someone with good intentions. Why? That's like killing your dog for defending your home because it is a "dangerous animal that has hurt people". And in the end, you wonder, why you got robbed...
Multi step process is the jargon they use in USA. Open browser, f12, copy paste 64, type code or use software, the hack is complete. *multi step hacking of the world*
The governor should take a real hard look at the consequences that would've occurred if this vulnerability hadn't been reported. To run the dude's name through the mud for protecting others is flat out inexcusable, and the governor should be punished.
I think this was a malicious attempt to shift the focus onto the journalist and distract from the fact that such a vulnerability should have never made it to production. Also the state should provide the teachers with some sort of security monitoring for the next few years, because it's impossible to know how many social security numbers were stolen.
Never attribute to malice what can be explained by incompetence. It's a clear case of an incapable state administration that relies so much on overpriced contractors that they have nobody in house who understood what the problem was. And once the administration started attacking, there was no way to back down without being even more ridiculous.
@Bvic3 If an administration is incompetent, then it behooves everyone in the organization to take responsibility and, frankly, oust any incompetent buffoons who put on a farce like this. Carrying out a government duty this negligently ought to be a crime.
@spaghettiking653 It's a vicious cycle. The US culture of small government prevents the state from competing for useful services and forces the use of contractors. As a result, there is no prestige in working in state engineering. But still lots of money to distribute to contractors. As a result, capable and virtuous people avoid working for the state and you only get the power-hungry, morally bankrupt ones joining. And they partner with equally corrupt contractors. Meanwhile, in countries with a history of powerful states, it is prestigious to work for state enterprises and the most brilliant graduates of each generation join the state. Given how the US is collapsing with its race warfare and overall rent-seeking behaviours, the state isn't going to improve anytime soon.
The $50mil number comes from the security measures they will make to double check those social security accounts for fraud. It is ridiculously bloated and they use the highest estimate when the law gets involved as a bartering technique.
And to my understanding, Gov. Hee Haw isn't even running for re-election. He embarrassed himself merely for the pleasure of trying to "stiggit" to the Post Dispatch. You see, Missouri Republicans hate the free press.
Well you can't let lawmakers get away with something that absurd. This is why math and tech literacy are so vital. Nobody who was informed would have called that "hacking" and it's dangerous to let anyone do so. That's how progress and science get stifled. I am not a lawyer, but I get the feeling the ACLU would have a field day with that one.
I don't know if they would need to sue them for money to make the point, but there should be some public awareness about what really constitutes malicious "hacking" versus what is a laudable exploration of technology and/or math. Seems like the kind of thing the ACLU would be interested in protecting.
This is a prime example of why states should have "technical courts" where the judge is a technically literate person who actually knows what he's talking about
@reprovedcandy That's true, but with the amount of technology that will be in the future, they could at least have someone on standby who is technically literate to help the judge better understand what's happening.
@volactic8495 well, that's what external experts are for. In this sense, reprovedcandy is right: if you combine competences too much, you won't have enough people who can do it. This ain't gonna work in practice. There are procedures for this. Apparently, they aren't good enough.
What's really needed IMO is just general technical education. In a court room, experts are frequently brought in to explain these sorts of things. What's disgusting is the fact that this sort of case was even considered. If we're going to build a society reliant entirely on technology, people need to have at least a basic concept of how it works.
I can’t even begin to explain how many times non-technical execs and program managers have had no clue what is going on with the technology that they rely on for business. This is not a hack. This is a simple step that should have been followed by their development team to verify the security policy compliance of their code before pushing it to production. It’s deplorable that malicious ignorance results in attacks on good Samaritans. Then people don’t understand why the sense of community has disappeared from our hometowns and favorite places to visit. Thanks for pointing out this story. This ignorance deserves to be put in check.
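The two points above (base64 is an encoding, not encryption, so anything base64-encoded in a page is effectively in the clear; and a pre-production check would have caught this) can be turned into a concrete gate. The script below is an added example, not code from the video, the newspaper, or the state's contractor: it scans a rendered page's source for base64 tokens, decodes them, and flags any that are SSN-shaped (the `###-##-####` / 9-digit form is an assumption), reporting only the last four digits. The sample HTML is constructed for the example.

```python
"""Pre-deployment check: does a page's source leak SSN-like values, even base64-encoded?

Added example; not code from the video, the newspaper, or the state of Missouri.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample: a page that hides base64-encoded SSNs in non-displayed elements,
# plus one harmless base64 token so we can see the scanner does not over-report.
SAMPLE_HTML = """<html><body>
<h1>Teacher lookup</h1>
<div id="result">Jane Doe, Certified</div>
<div style="display:none" data-ssn="{ssn1}"></div>
<span class="hidden">{ssn2}</span>
<script>var token = "{harmless}";</script>
</body></html>""".format(
    ssn1=base64.b64encode(b"123-45-6789").decode(),   # constructed, not a real SSN
    ssn2=base64.b64encode(b"987654321").decode(),     # constructed, not a real SSN
    harmless=base64.b64encode(b"session-ok").decode(),
)

# Runs of base64 alphabet long enough to hold at least a 9-digit SSN (12 chars).
_B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# Assumption: SSNs appear as ###-##-#### or as 9 bare digits.
_SSN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def decode_candidate(token: str) -> Optional[str]:
    """Return decoded text if token is strict base64 yielding printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits so the report does not itself become a leak."""
    digits = re.sub(r"\D", "", ssn)
    return "***-**-" + digits[-4:]


def find_encoded_ssns(html: str) -> List[Tuple[str, str]]:
    """Find SSN-shaped values in page source, in plain text or behind base64.

    Returns (source token, masked SSN) pairs; plaintext hits use "<plaintext>" as token.
    """
    findings: List[Tuple[str, str]] = []
    for m in _SSN.finditer(html):
        findings.append(("<plaintext>", mask_ssn(m.group(0))))
    for m in _B64_CANDIDATE.finditer(html):
        decoded = decode_candidate(m.group(0))
        if decoded is None:
            continue  # not base64, or binary junk: skip
        for s in _SSN.finditer(decoded):
            findings.append((m.group(0), mask_ssn(s.group(0))))
    return findings


if __name__ == "__main__":
    hits = find_encoded_ssns(SAMPLE_HTML)
    for token, masked in hits:
        print(f"LEAK: {masked} hidden in page source as {token}")
    # Non-zero exit so a CI job fails the deployment when anything is found.
    raise SystemExit(1 if hits else 0)
```

Pointed at a staging build's rendered pages, a check like this fails the deployment before the response ever reaches a browser, which is where the review should have happened.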
Literally all they had to do is to install postman, thunder client or other similar software/IDE extension and fiddle with the API a little to see how it handles malformed input and what it responds with... Hearing about all of this I bet they've got some SQL injection just waiting there to wreck their backend completely...
Like how the hell do you sue someone for using F12? That's a feature built in to almost every web browser, and like, if you get hacked using this, it's your bad website lmao
@henrym5034 yeah. 1. Observe screen 2. Respond by moving your index finger to the F12 key 3. Move it downwards, this will cause the key to be pressed down. Hacker
This is both super stupid and malicious on the part of the government. F12 is something everyone can use and the journalist just found a vulnerability in the website. If anything, the journalist should be thanked for doing a service.
It's frightening to see someone with so much power putting someone through hell due to stupidity and opportunism. I sincerely hope the journalist gets reimbursed and the governor put in his place. Shameful behavior.
Shameful. A reporter discovered a ridiculous bug and reported it, but the government is too embarrassed to accept the fact that they are not doing a great job of protecting important data for their people, and they proceed to blackmail the reporter. Shameful.
I actually wrote up a paper on this for one of my college classes. I decided to print out the HTML of an NPR article that I used as a reference, because at the top of their page is a "Now Hiring Programmers" box that you can only see by looking at the source code. Obviously this is a fairly common practice, but I thought it would resonate more with the person grading my paper if they actually saw it with their own eyes what this journalist is being attacked for doing.
@trueriver1950 probably. It's probably some rule that they have to use an outside vendor for this, and when a vendor said "Sure!" they charged them for their stupidity.
There seriously needs to be an age limit for people in government. If the internet is still foreign to them, they should start living in a retirement home
@mickl3073 nice ad hominem fallacy, but you shouldn't be in any sort of power over any part of the US if you can't even use something as important as the internet.
@PefectPiePlace2 If the ones in power are so behind the times that they don't even understand how the internet works, then they're in no position to make any claims or judgements about anything related to it.
Government: sends teachers' private information in nearly plain text to everyone. Journalist: "you got an issue, please fix." Government: WE'VE BEEN HACKED!
How did nobody find this sooner? Also, how did that journalist have to get a lawyer? If anything, the government violated the teacher's privacy by sending the data in the first place.
@roberto8650 I mean, sure, it's still a lawsuit. But it's such a baseless accusation that it shouldn't even go to court. "The defendant is charged with pressing a key on his keyboard and revealing information leaked by a government website."
Our 'fuck up' is going to cost you, the ordinary tax payer, 50 million because of this malicious attack. * behind closed doors "We've done it Gary! We are going to be rich! Pay that programmer $500 to fix the bug and let's get the fuck out of here"
You'd be surprised how much BAD web design is out there. Granted, it's waaay better than it used to be, but for rural and small government offices? It's a joke.
You do have to be really careful. I did something similar to this, but with my school's email software (I emailed one other student, which was not supposed to be possible), and got kicked out of my tech classes (in fear of the future) and suspended for a week (later reduced to 1 day). People are stupid, and no matter how many times you explain things to them, they will still be stupid.
My school had the same initial password for their LMS accounts, so I literally had to tell people to change their passwords. I got into like 2 or 3 random accounts at that time lmao
@danmakufan Same thing with me lol, I was on a random school computer once and somebody had their account saved (but logged out), so I tried putting in the initial passcode and it worked.
My school exclusively used chrome os, left the terminal so it could be used, and left devmode on, I found out that you could type anybody's username in (which being on chrome was their publicly available, school assigned email address) And the terminal would return their email/computer password. And on another occasion, I found out that one of the teachers used "admin1" as her username, and password to the unrestricted internet, I don't think my school put much thought towards security
Yet another one of the (Dark verified comment bot nets) Crazy=100% bot, for sure.. reselling accounts, just like Dark, X, A, B, and all the other verified Dark bots
Journalist: *Reports bug privately and responsibly, not revealing any information to the public and not causing "Major embarrassment"* Governor: THIS'LL COST MILLIONS
I remember this. Lol saying that it would cost you 50 million dollars in damages is a self report. If your government is that inefficient they have serious problems.
This level of technical ignorance by politicians should warrant an impeachment of that person. Whether it was pure incompetence or there was a malicious intent, it's equally disturbing and unacceptable.
The level of digital illiteracy in the US government is frankly frightening and infuriating. Yes, it's highly unethical that the teachers' private information was able to be abused, but it was in no way the fault of the reporter, just the complete and utter incompetence of the state of Missouri.
I got sued once for making a server admin aware that he's running an outdated server version of Teamspeak 3 that had a serious vulnerability. You really can't make this sh*t up anymore..
This video had me in tears. I wish I could've become a pentester by simply viewing a public webpage and decoding a b64 string. I would've saved so much money
Hope the Journalist set up a crowd funding for this event, if he doesn't have the budget to fight, I'm sure a lot of people who understand exactly what is happening here are willing to help, including myself.
Reminds me of that great multi-step bank heist I committed when I was a kid; I went to the local savings bank, deposited some cash I had made shovelling snow for my neighbours, took a piece of candy from the bowl at the counter, and when offered by the teller said I had already taken one but was told I could have another for being such a nice young man. These two pieces of candy cost my local savings bank at least 40 trillion dollars, and is the clear reason why it closed down. I have yet to be brought to justice and still take candy when offered to this day.
First casualty in Politics is the truth- this was just something to score political brownie point. If I was the 100,000 teachers I'd sue the State for shoddy workmanship under their state Data Protection.
The same thing happened to me when I tried to responsibly disclose PII being leaked by a pager vendor. I was thanked by the IT at the health care provider, then served a cease and desist by the vendor.
For shame on the vendor’s part, but that’s why you can go public after 90 days I guess. PR wankery on the vendor’s part should never be the MO when it actively hurts their security posture. Did you publicly disclose it in the end? And did they fix it in time?
Is our governor actually this incompetent? A simple Google search could've prevented this embarrassment. Also I'm pissed for that journalist. He did the right thing and got sued for it.
This is the equivalent of sending someone a letter in the mail with accidental personal information left in it, and then the recipient getting sued for reading it.
I believe mail is actually protected by Federal Law at least in the US and you can actually get in trouble for that. I could be mistaken, but you're willfully opening the letter you know is not for you and can read who is the sender. So you'll know it is information you should not be viewing, should not have gotten this, and should not open this. In the case of F12 you're looking at the information sent to you, or a letter sent to you for you with information they didn't mean to give you.
@Buglin_Burger7878 My example implies that the recipient of the letter was the intended recipient, but the sender accidentally left private information in the letter, and then sued the recipient for reading the letter that was addressed to them.
I think, especially since this was a politician making the claims of "hacking", he was playing the malicious card as a way of diverting the attention away from his government's flaws, and when that backfired he played dumb.
That's exactly what I said in my comment. If it got out that their website was _that insecure,_ it would be a huge embarrassment. The governor seems like a savvy, career politician. He knew exactly how to spin an embarrassment into a campaign strength. The reporter was a convenient scapegoat. Luckily for the journalist, everyone saw right through it.
@xliquidflames Unfortunately, I doubt everyone was that smart. Unless his opponent's PAC used it to attack him; I could definitely see that happening.
We had something similar in Germany, an app from our conservative party had a security issue where you could get personal data by using an open REST API (aka just typing the right URL to your browser). A hacker informed the party about that, and as a response, they tried to sue her. That some people actually vote for guys like that to run our country baffles me every time.
Any infant could have pressed F12 and 'accidentally' copy-pasted the information somewhere. I was perfectly capable of using HTML in elementary school.
You could make the argument that since the base64-encoded social security numbers were part of the HTML code, and he indeed decoded them, he did technically decode the HTML code (at least the part that needed decoding). Though you're right, the people writing this had no idea what they were talking about.
@ThePC007 yes, technically the phrase was correct, but coming out to the public to say all that was the funny part of it all, and I really admire the person who wrote that speech.
The campaign ad makes it obvious the governor knew exactly what he was doing. He may have never heard of HTML before but he's not dumb. What he knew is if it got out that the website was _that insecure,_ it would be a huge embarrassment. It might even lead to lawsuits from anyone that had info stored in their databases. The prosecutor calls it what it is, a data breach, not a hack. That prosecutor's press release goes on to talk about how they have zero tolerance for "improper taking and using of personal information." They conspicuously omit the word "storage" from that sentence. Improper storage of personal information was the problem here. No one took anything. It was in plain sight. I don't think the governor is intimidating journalists. I think he was seizing an opportunity and turning an embarrassment into a campaign strength. I mean, look at the guy. He's been in politics for a long time. He knew exactly how to handle this and spin it in his favor. The journalist was a convenient scapegoat.
He could also choose not to go public in the first place. The journalist said he would not post anything about it (if he did, that could be considered as a crime). Governor had two options either go public and twist the situation in his favor or ask anybody with at least two braincells if this is a good idea.
@slickrick2420 honestly, Democrats do too. I don't think any official is elected for their ability to lead; I think the campaigns always come down to who can talk the smoothest.
@_underscore_9271 Everyone of every group can be evil; it is so rare for people to realize both sides of the coin are corrupt. It makes me happy seeing someone recognize this.
Similar stuff happened a while back in Germany, where the addresses of voluntary electoral assistants were exposed through an API by changing the parameters in the URL. The researcher did not make a big fuss and went the responsible disclosure route, but then after it got fixed and it went public she got hit with a lawsuit. IIRC in the end the lawsuit got dropped because she just accessed publicly available data, but the CCC said they won't ever report any security issues to that party in case they find one again. Shooting the messenger is not cool, especially if you've got no knowledge on the topic and the whole thing is just a shitshow.
Not only is it not cool, it's just terrible policy. It means if someone finds it who doesn't want you harmed, they won't tell you, so you can't fix it before someone who *does* want you harmed finds it too
Good luck finding security experts after fucking with the CCC, 90% of the people there won't work with you no matter what, 9.9% will not work with you because they might get a lawsuit and that 0.1% who will work will make you pay 50x more or just plain black hats.
Now, I am not saying that this can’t happen with any party (heck, or any country), but I still can’t suppress my urge to add salt to the wound and not add the information that this happened to, well, let‘s say the German party that would exactly be the one this Missouri Governor would be from, were he to be active in german politics. 😅
This is ridiculous... Do American lawmakers not take advice from other people? Like, if you don't know something, just ask. It's not a sign of weakness.
That's just the system there: politicians have to take extreme stances on issues and be the exact opposite of... the opposition. Also typical boomer being out of touch.
Considering that he read the word “HTML” as if it was the first time he ever saw it, I assume he didn't even write the script himself. So, I suppose he already got the advice from other people, except those people had no idea what they were talking about either.
“There is an argument to be made that there was a violation of law.” Didn’t interpret this as a red flag as you said, but rather as a creative jab at the Governor. Almost like “There is an argument to be made that the earth is flat.”
The people who are in the Government are the best and brightest in our nation. So smart they pay 50 million for a problem that can be done for practically nothing. 😆 🤣
I think I'm just going with Hanlon's razor: never attribute to malice that which is adequately explained by stupidity. But I'm not even sure if this is better or worse. It's bad enough that the governor had no idea what he was talking about, but it is even worse that there still isn't a federal law that protects cybersecurity whistleblowers.
The problem wasn't that the speaking face wasn't technically literate, most executives aren't. The issue is that there was no internal IT department to handle the issue. The US rotten culture of small government leads to that mess. State organisations are forced to hire absurdly expensive contractors because they aren't allowed to have state software development agencies.
I'm going to say that regardless of intent, this almost certainly fits the legal definition of actual malice. Someone (and someone in a position of authority no less) has decided to repeatedly make false claims and pass them off as fact, with disregard for their truth and what effect they would have, arguably for their own gain. Even if the journalist can't recover damages for legal fees, he could almost certainly sue for slander. (not a lawyer, but I have seen way too many legaleagle videos where he has to explain the legal definition of actual malice.)
Add in to the number of "dog whistles" the governor throws out (He actually says "fake news media" combining the claim of fake news and the discrediting of news reporters), I could identify his party affiliation even if I didn't know which party was in control of Missouri. The way things are going, I don't think I'll be able to trust a statement made by an Elephant politician ever again. If one pointed at the Sun, I would need to find another source to confirm that he's not really pointing at the Moon.
@andrewdreasler428 Democrats and Republicans are both owned by the same corporations that own the media; distrusting the media isn't a dog whistle, it's common sense.
This shit is so stupid it doesn't even need any specialist in any field, a normal person who uses the internet would be able to tell you what's going on 😭
One very important thing to remember about the US government at ANY level... they're not stupid, they know what they're doing and they never do anything unless they themselves directly benefit from it.
It was both malicious and stupid. It is the dynamics of a abusive relationship. The abuser attempting to turn every thing around and make themselves the victim when they get exposed. The stupid part was thinking everyone else would be stupid enough not to see it for what it is.
Next in the news: "Old man doesn't understand how the internet works." If it was intentional I doubt he would have mentioned specifics and would have used vague wording which sounds more intimidating. At least the prosecutor realised what was going on and that it wouldn't stand in court.
Not to mention the way he pronounced HTML as if he never heard of it before. He clearly had no idea what he was talking about. Which does beg the question, though. If this is indeed the first time he read about HTML, who wrote the script?
@ThePC007 Probably an aide. He probably had seen the name before during the meeting, but wasn't quite familiar enough with it to pronounce it with confidence.
It baffles me they called it "private information". If something is sent to any and all browsers that access the site without a need for authorization, it is public information. Therefore, all those social security numbers became publicly available information.
Shows the level of advisors and tech competency of politicians. There should be popular documentaries produced to highlight the absurdity of this situation and how the 'government' can bully journalists or citizens to mask their incompetence. The old git should be held accountable for throwing his weight around without understanding the facts.
The school and governor defamed the journalist to avoid taking responsibility for incompetent and negligent handling of personal data. Like WTF! Why would a publicly accessible web server serve SSN to clients visiting a publicly accessible page? Why the duck does a public web server even store or have access to personal SSNs to begin with! WTF!
This is not the first time a politician blew something stupid out of all proportion. Of course, the website should NOT have been sending the teachers' SSNs to the webpage. Perhaps this was more a deflection to escape responsibility for such a slipshod website design??? Politicians. Bureaucrats. Monkeys. Which one throws the bone up in the air better? :)
USA becoming more like the USSR every day... deflection of responsibilities, propaganda, scare tactics, blaming the enemy instead yourself, "you will own nothing"...
Was this done intentionally? I do tech support for a living, and I guarantee you that as he read "HTML" he didn't even understand the concept of what it was. He's an old man that is rich enough to pay others to understand technology for him, and through some absence of grey matter had somehow connected the description of what happened to "hack".
They probably just had a rulebook of steps to follow in order to qualify for insurance money to cover the identity theft protection that they'll need to buy for the 100,000 teachers.
The governor believes everyone is entitled to their privacy. That's why he doesn't give a fig about ensuring state databases are secure and instead of spending money on cybersecurity he goes after citizens trying to help secure teacher's social security numbers.
Has anyone looked into whether there was an IT contractor who could be blamed? If yes, there's always the possibility that said contractor might have links to the governor.
True story, I found a decent security vulnerability in a payment processing service. I won't disclose the name, but they are similar to Square. Anyway, I was able to obtain the business names and products of each of their clients. That itself I suppose isn't the end of the world, but it was definitely a bug, and at least would have made me uncomfortable being them. So I composed a report and sent it over to them. They then told me I was wrong. I so badly wanted to just compile the list and send it to them. But we were using their services and had spent a great deal of time setting our system up to do so. So I didn't compromise our relationship with them, I just let it go. Two months later, they issued an email to their customers requiring their action; a layer of authentication had been added, they said. Without getting into too much detail, it was a fix to the bug I found. Wish they would have at least given me some credit. My guess: whatever technician my report originally reached got it escalated to some senior tech, who naively and stubbornly insisted it was impossible. Then went home and while sleeping that night went over it in his head and eventually came to the "oh fuck maybe he's right" realization. Then, too embarrassed, never emailed me back thanking me. Then it took them two months to fix it, requiring all their users to take manual action to correct their bug.
If they were willing to ditch you as a client over you being right, maybe you shouldn't be their client. But that's between you and them. At least they fixed the issue though.
@@justincombs7433 You're not wrong at all. But after spending as long as we did reverse engineering their API and integrating it with our product, it just wasn't worth it. The company we went with here also had some decent / favorable ways in which their contract treats the user payment information. So for example, I think with Square if you part ways with them, they are not obligated to transfer the credit card information and such of your customers. With this platform they are, which was important to us. And didn't seem common. But yeah, I totally agree with you.
@@davidt01 Yeah that was my initial correspondence with them when sending the report over. I asked if they had one and they said no but they would take a look at what I had and maybe could work something out if it was legitimate. But then told me I was wrong. Which I wasn't lol. So yeah, was either just ignorance or denial. I appreciate your response though. Yeah that was my initial interest. I know google for example has some pretty large bounties.
Maybe it's childish, but I would have been far less forgiving in that situation. I'm sure some of those exposed companies would've liked to know what was accessible on that site, even if the information reached them anonymously.
Journalist: **Presses F12**
Governor: *What they did is beyond unethical.*
55 likes and no comments, let me fix that.
I'll help. :) There.
I wonder what they would say if they really stole their data and sold it
Blazing applause erupts from the NFT crowd (all 12 of them). “Show em, Mike!”, a moonbro named “HodlThePhone69” yells from within the crowd.
What the governor did is beyond unethical!
I hope the Governor gets sued, because it's just messed up that someone in good faith reports a bug and then gets threatened and slandered. Also, if there was a violation of law as the prosecutor said, I'd think it would be by the Missouri government for failing to secure sensitive data appropriately.
(I'm not a lawyer, this is not legal advice, all that)
Well... no matter how insecure, if the data is not publicly available, accessing it is considered unauthorized computer access, a crime in the US.
Either way though, website HTML is, and always will be, open source (assuming no fancy obfuscation from the backend).
Browsers allow you to view the HTML they're rendering for many reasons, chief among them are web development and debugging. However, it is not "unauthorized." If you send the data, there is no guarantee of how it will be parsed. Therefore, any competent lawyer can easily convince a competent judge that the data was publicly available. Decoding the Base64 (a medium of transfer) does not make it any less "publicly available." After all, if that were the case, you could make the same argument for literally anything on the internet because of binary.
Unfortunately, poor security is not (yet) a crime in the US. I do hope that changes though.
@BellCube If you are holding classified information, hand it to a stranger, then they tell the government you did so: then you have the right to sue the person who gave it to you if you had to fight legal proceedings. That's literally what's going on here. There's nothing illegal about hitting f12, it's actually not accessing anything not already on the page. A brief example: if a page is the color magenta, then hitting f12 would just show you the hex# for magenta. Just saying he actually has a case to sue :)
End gerontocracy!
You're right, I missed that angle (hence the disclaimer). The information is itself classified.
(The disclaimer from above still applies) Note that the plaintiffs would have to be the teachers in this case. That is, every teacher in Missouri could, at least in theory, sue. I see a Class-Action!
As a side-note: LOVE that example!
@@BellCube you clearly didn't watch the video, or even 1/4th of it, when you commented. He didn't "access private data", he viewed the source code, which you can do by right clicking a page, and reported what he read. There was no crime, hacking, or anything negative happening here. End of story, no need to say anything more.
As a developer this hurts, I have lost about 300 brain cells just even seeing that governor’s face.
I lost 4 months of my life, because I don’t think that blood pressure spike is healthy.
I lost 10 years of my life as a mad-scientist kid at 11 who programs!
@@mohammedothman5667 bro what?
@@mohammedothman5667 mad scientist?
@@Halbolonenn It's so cool! Sonuvabitch.
"Decoded HTML source code"
"Multi-step process"
I'm honestly surprised they didn't even consider getting an opinion from any cybersecurity expert before releasing that speech. They would've clarified everything in a few words: due to a misconfigured server, it was telling everyone who wanted it the Social Security number of any teacher.
Lol literally EVERYONE who visited the website had those numbers, they simply didn't notice it
The fact they could've just blacklisted those values instead of storing them in the HTML just doesn't make sense. Not to mention base64 as "encryption".
@@user-6b7973 They could have run the SS#s through a hash tag and stored them on a sequel server using a Tolkien ring.
It wouldn’t even need to be an "expert", just literally anyone who has had a computer for some time and likes to try things
This matter is a serious matter!
Once in IT class I used F12 to troll my friends. Then the teacher thought I was hacking the website and my parents needed to get to the school. How tf was that teacher teaching IT
To be honest, you can do some crazy shit using f12 if you know how
@@fss1704 you could if the website is THAT badly written.
almost no modern website is THAT bad, basic security practices are used by almost every skilled dev
@@giviko1709 You'd be really surprised at what you can do with some creativity
@@fss1704 I really wouldn't
Do you know that South Park episode where Mr. Mackey teaches computer class and the kids all just play Call of Duty (S12E14)?
There’s your answer.
$50 million to fix this?! 🤯
That's it. I'm moving to Missouri! They obviously pay their programmers gooood. 😄
he meant damages..even when the issue was disclosed and fixed before the announcement.. seytonic didn't listen well but still what a CLOWN
@@St0RM33 The whole thing is a joke, my comment is a joke...
You coming in here now being all serious looks less smart than you probably thought it would. 🙄
Plus the benefit of if you make an error someone else gets to be the scapegoat!
@Xi Jinping Sorry, I wish that was true. My info was leaked by the VA, when an admin left her computer in her car that was stolen. About 200,000 veterans' S.S. numbers were leaked.
I fix that for 49 million ... and I ain't even a programmer.
Those teachers should sue the government for literally sharing their social security number to anyone who asks, they just need to decode it.
I would say they just need to read the language, even decode is a bad word for this situation
they didn't even know this happened because if they don't stay up to date with politics they wouldn't have known this happened
It's base64, it's barely even decoding; just put it in a website or a literal 3-line script and you're done
@@sc3dev if you want to be technical, it is "decoding". what it isn't is "decrypting".
"encoding" simply just means to put something in some data format, and "decoding" is taking it out. the text in this comment is encoded in something called UTF-8. your computer decodes it and turns it into characters you can see on your screen. things that are encoded are _meant_ to be decoded; this comment is encoded in UTF-8 so your browser can decode it and display it.
meanwhile "encrypting" is to scramble something to make it purposefully hard to "decrypt" (i.e. see what the original message was).
@@thezipcreator yeah
Suing a Bug Hunter is crazy.
Actually should sue the State for Publicizing the SSN.
100%
I would do 2 counter sues, 1 for wasting my time and another for publishing social security numbers unencrypted
How does an idiot understand it's an idiot? Especially if it has power over you.
"Governor Parson believes everyone is entitled to their privacy, ESPECIALLY OUR TEACHERS"
THEN DONT FUCKING SEND UNENCRYPTED SOCIAL SECURITY NUMBERS OVER THE INTERNET IN THE FIRST PLACE!
This governor should resign. What a clown.
This whole situation pissed me off so much when it was unfolding... This is the exact opposite of what you want to do against people who are responsibly disclosing security vulnerabilities. All this does is send the wrong signals and makes them look like idiots.
Helping is a crime now.. lol
Next time the journalist ain't gonna bother telling the gov. He'll be selling the SSNs, then creating a guide on wikiHow.
@@BjornGrylls Exactly... Responsible disclosure is something you should really encourage! Who'd want to do that if you run the risk of being sued?!
Those who designed the website are the ones who should be excoriated. There is no excuse for this. What moron would pump sensitive information like social security numbers out like that?
So sick of this itinerant nonsense. Next time they should try hiring someone other than a high school junior to do their site!!!!
@@friedrichdergroe9664 Probably a future dev idea that went into Production
It's actually insane that they're claiming the journalist breached the teacher's privacy when it was actually the government themselves! That's like them leaving a file cabinet full of sensitive documents outside in public and then suing those who open it. Fucking ridiculous.
The hypocrisy is real, but it's about money and power, even when unjust
I agree, but actually getting data by doing something (even just deleting "display: none" from the HTML) can be considered hacking in many countries (not sure about US). However, I don't think that people who report these bugs should be threatened, unless they misuse this knowledge.
Since the web servers effectively had already delivered the information to the web browser, I would say it is more like delivering the information requested by mail but also having another envelope enclosed with the SSN inside it.
@@mkpanda you didn't get the data yourself, it got sent to you. You press a key and can see what has been sent over to you.
If this was a bad thing, why was it sent? Is it my responsibility that someone sends me data?
Especially if I then don't do anything with said data, and report it to the government to fix?
I'd consider hacking as doing things to manipulate the server, be it forgery and whatnot
@@terrsus7676 It is tricky, but yes, here it is that getting any data that you are not meant to see by manipulating the webpage in any way (even just viewing the source) counts as "hacking" and you can be sued for that. However if it is just sent to you and you never see the data, you can't be charged with anything (again depends on how you got the data, but in this case a normal user couldn't be charged with anything).
It's like they are shipping a box full of secret documents to your address. When you open it they sue you for breaking into their building and stealing documents.
Oh, that's good. I'm a sucker for a good analogy and that's a good one.
And that boys and girls is called entrapment.
@@xliquidflames I have an even better one. They ship a letter to you, totally normal, properly addressed to you, and on the back of the paper they hid the SSNs, but in Chinese number characters.
It's not even that. It's more like they ship you the box, you open it, see that it's not your stuff and contact them to tell them they shipped it to you by accident, and they sue you for telling them.
@@Xaddre so accurate tbh
Even toasting my fucking bread is a "multi step process"
Ah! The complex multi step process of pressing F12, Ctrl+C, googling "base 64", clicking the first result and Ctrl+V! The horror!
The Governor was very tech illiterate. His campaign manager spearheaded that whole thing. That being said the Governor was more than willing to participate in publicly shaming and attacking a law abiding citizen to score a few political points and appear to be tough on crimes. And, that’s why this country is in its twilight years as far as respect and greatness.
And this is how a well intended ethical hacker and security specialist says "Screw this shit" and goes to the dark side.
If he had sold those 100,000 social security numbers on the dark web he would have made a lot of money, and avoided his life being basically ruined, so yeah, people always make good guys regret their good actions
@@essem4979 he also probably would have been arrested lol
@@oodlescanoodles people get away for much more serious stuff, he won't get caught if he knows how these things work
@@essem4979 idk man selling 100,000 peoples social security numbers on the deep web is pretty serious
@@oodlescanoodles There's a lot of ways to avoid that lmao.
Good guy for not doing that, so sad what happened
Now everybody knows that if they ever find a critical vulnerability by mistake on any official website of Missouri, they should never disclose it to anyone. The risk of getting sued for responsibly disclosing a security threat should be zero.
In Germany a similar thing happened to a party. They sued the hacker; the prosecutor said no breaking of "security functions". But the process was opened and the party got a fine for disclosing personal data.
@@danielbrenzel292 Yeah, the CDUconnect app was not the most secure app 😅
@Niklas Wasn't the API public, just as the data in that website was? I can't understand why calling a public API should be a hack. It does not make sense. And it especially makes no sense to sue someone with good intentions. Why? That's like killing your dog for defending your home because it is a "dangerous animal that has hurt people". And in the end, you wonder, why you got robbed...
@@BlenderDefender by german definition this is not hacking. Public APIs are not called public for no reason 😅
@@niklas8565 Well, the CDU had another definition of hacking. Fortunately, the lawsuit was not successful.
this multi-step video had me on the edge of my seat
Edgy words indeed
Multi step process is the jargon they use in USA.
Open browser, f12, copy paste 64, type code or use software, the hack is complete.
*multi step hacking of the world*
You are a bot, and you need to get a job kid because its obvious
Fantasy .. Yet another one of the (Dark verified comment bot nets)
@@semikolondev Dude, its a bot, you replied to a bot that uses a thesaurus... 100% for sure kid... lol
Politicians should be banned from even talking about things they don't understand, but then they'd have to never talk again
The governor should take a real hard look at the consequences that would've occurred if this vulnerability hadn't been reported. To run the dudes name through the mud for protecting others is flat out inexcusable, and the governor should be punished.
Exactly. They should be grateful this guy caught it, and not someone else. (Well, hopefully...)
I think this was a malicious attempt to shift the focus onto the journalist and distract from the fact that such a vulnerability should have never made it to production. Also, the state should provide the teachers with some sort of security monitoring for the next years, because it's impossible to know how many social security numbers were stolen.
Never attribute to malice what can be explained by incompetence.
It's a clear case of an incapable state administration that relies so much on overpriced contractors that they have nobody in house who understood what the problem was.
And once the administration started attacking, there was no way to back down without being even more ridiculous.
@@Bvic3 If an administration is incompetent, then it behooves everyone in the organization to take responsibility and frankly, oust any incompetent buffoons who put on a farce like this. Carrying out a government duty this negligently ought to be a crime.
@@spaghettiking653 It's a vicious cycle. The US culture of small government prevents the state from competing for useful services and forces the use of contractors.
As a result, there is no prestige for working in state engineering. But still lots of money to distribute to contractors.
As a result, capable and virtuous people avoid working for the state and you only get the power hungry morally bankrupt ones joining. And they partner with equally corrupt contractors.
Meanwhile, in countries with a history of powerful states, it is prestigious to work for state enterprises and the most brilliant graduates of each generation join the state.
Given how the US is collapsing with its race warfare and overall rent seeking behaviours, the state isn't going to improve anytime soon.
@@Bvic3 I see. Thanks for the insight
Has the site been patched?
"decoded the html source code" That must be the funniest thing I heard today.
Decoded it into...?
@cdorman11 .txt obviously
More html @@cdorman11
frr
its funny because it was found by specifically *not* decoding it
This Governor has clearly never accidentally hit the F12 key. "A multi step process to hack our systems" (Hacker presses F12) Guess I'm going to jail.
You know too much.
@@Anvilshock Imagine when he (the governor) finds out about JS and CSS!!!!
@@tablettablete186 Or un-hiding extensions for known filetypes.
"This Governor has clearly never accidentally hit the F12 key". I'm willing to bet that this guy doesn't even know how to use a computer.
@@ronmcleod4717 he doesn't have a pc in his office
The $50mil number comes from the security measures they will make to double check those social security accounts for fraud.
It is ridiculously bloated and they use the highest estimate when the law gets involved as a bartering technique.
...as a....
The Governor should pay the guy and publish a public apology video.
Honestly I hate this kind of crap
When a politician decides to fuck over someone's life just for his campaign
And to my understanding, Gov. Hee Haw isn't even running for re-election. He embarrassed himself merely for the pleasure of trying to "stiggit" to the Post Dispatch. You see, Missouri Republicans hate the free press.
Nice pfp
based pfp
Both. Stupid AND malicious. The reporter should definitely sue.
Uno reverse card
absolutely.
Well you can't let lawmakers get away with something that absurd. This is why math and tech literacy are so vital. Nobody who was informed would have called that "hacking" and it's dangerous to let anyone do so. That's how progress and science get stifled. I am not a lawyer, but I get the feeling the ACLU would have a field day with that one.
I don't know if they would need to sue them for money to make the point, but there should be some public awareness about what really constitutes malicious "hacking" versus what is a laudable exploration of technology and/or math. Seems like the kind of thing the ACLU would be interested in protecting.
This is a prime example of why states should have "technical courts" where the judge is a technically literate person who actually knows what he's talking about
judges need law degrees.. not too many technical people with law degrees
@@reprovedcandy That's true but with the amount of technology that will be in the future, they could at least have someone on standby who is technically literate to help the judge better understand what happening.
@@volactic8495 well, that’s what external experts are for. In this sense, reprovedcandy is right: if you combine competences too much, you won’t have enough people who can do it. This ain’t gonna work in practice.
There are procedures for this. Apparently, they aren’t good enough.
What's really needed IMO is just general technical education. In a court room, experts are frequently brought in to explain these sorts of things. What's disgusting is the fact that this sort of case was even considered. If we're going to build a society reliant entirely on technology, people need to have at least a basic concept of how it works.
2:50 H..T..M..L
Don't remember the last time someone said it that slowly
*presses CTRL + SHIFT + I or F12 while in browser*
Missouri: You're getting sued.
I can’t even begin to explain how many times non-technical execs and program managers have had no clue what is going on with the technology that they rely on for business.
This is not a hack. This is a simple step that should have been followed by their development team to verify the security policy compliance of their code before pushing it to production.
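The "simple step" the comment above says the development team should have run before pushing to production, and the encoding-versus-encryption point made in the thezipcreator thread further up (base64 is meant to be decoded, so it hides nothing), can both be shown in one short check. The code below is an added example written for this page; it is not the state's code, the journalist's method, or anything from the video. It constructs a fabricated teacher record with a made-up SSN, renders it two ways (a "before" serializer that embeds the base64-encoded SSN in a data attribute, and an "after" serializer that only emits an allow-list of public fields), and runs a release-gate scanner that flags SSN-shaped values in the response whether they appear in plain text or inside a base64 token. Field names, the HTML shape and the regexes are assumptions for illustration.

```python
"""
Added example (not from the page or the project it discusses): a pre-release
check for Social Security numbers leaking into an HTML response, plus the
vulnerable and hardened serializers it is meant to gate.
"""
import base64
import binascii
import re
from html import escape

# Constructed sample record. The SSN is a fabricated value used only to show
# the check firing; it does not belong to anyone.
TEACHER = {"name": "Jane Doe", "district": "Example R-1", "ssn": "123-45-6789"}

# SSN in the conventional NNN-NN-NNNN layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Base64 tokens long enough to carry an 11-character SSN (15 chars + padding).
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def render_vulnerable(rec: dict) -> str:
    """'Before': every field leaves the server; the SSN is merely base64-encoded.
    Encoding is reversible without a key, so this is not protection."""
    hidden = base64.b64encode(rec["ssn"].encode()).decode()
    return (
        f'<div class="teacher" data-ssn="{hidden}">'
        f'<span>{escape(rec["name"])}</span>'
        f'<span>{escape(rec["district"])}</span></div>'
    )


# Allow-list: only these fields are ever serialized into a page.
PUBLIC_FIELDS = ("name", "district")


def render_hardened(rec: dict) -> str:
    """'After': an explicit allow-list of public fields; anything not listed
    (the SSN included) never reaches the client, encoded or otherwise."""
    spans = "".join(f"<span>{escape(rec[k])}</span>" for k in PUBLIC_FIELDS)
    return f'<div class="teacher">{spans}</div>'


def find_ssn_leaks(html: str) -> list:
    """Return [(how, value), ...] for every SSN-shaped string in a response.

    'plain'  : the number appears verbatim in the HTML.
    'base64' : the number appears inside a base64 token (decoded here the
               same way any browser user could decode it).
    """
    leaks = [("plain", m.group()) for m in SSN_RE.finditer(html)]
    for token in B64_RE.findall(html):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text: nothing to inspect
        leaks.extend(("base64", m.group()) for m in SSN_RE.finditer(decoded))
    return leaks


def release_gate(html: str) -> bool:
    """True when the response is clean; False (block the release) on any leak."""
    return not find_ssn_leaks(html)


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(TEACHER)),
                        ("hardened", render_hardened(TEACHER))):
        print(f"{label}: leaks={find_ssn_leaks(page)} ship={release_gate(page)}")
```

The scanner is intentionally one-sided: it can only say "an SSN-shaped string is in this response", which is enough to stop a release, and it cannot prove a page clean (a different encoding or a split field would get past these two regexes). The durable fix is the allow-list in render_hardened, which keeps the sensitive column on the server instead of trying to disguise it in transit.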
It’s deplorable that malicious ignorance results in attacks on good Samaritans. Then people don’t understand why the sense of community has disappeared from our hometowns and favorite places to visit.
Thanks for pointing out this story. This ignorance deserves to be put in check.
Literally all they had to do is to install postman, thunder client or other similar software/IDE extension and fiddle with the API a little to see how it handles malformed input and what it responds with... Hearing about all of this I bet they've got some SQL injection just waiting there to wreck their backend completely...
Like how the hell do you sue someone for using F12, that's a feature built into almost every web browser, and like, if you get hacked using this, it is your bad website lmao
@@shapelessed and 1=1 should let you know without trying
@@raginranga3494 a multi-step process
@@henrym5034 yeah.
1. Observe screen
2. Respond by moving your index finger to the F12 key
3. Move it downwards, this will cause the key to be pressed down.
Hacker
This is both super stupid and malicious on the part of the government. F12 is something everyone can use and the journalist just found a vulnerability in the website. If anything, the journalist should be thanked for doing a service.
It’s utterly preposterous to the point of my personal infuriation.
Not to mention for "free"
People seem to give good people a slap in the face before thanking them for finding the problem
1 word, propaganda
The government being stupid and malicious? Noooooo, they would never.
It's frightening to see someone with so much power putting someone through hell due to stupidity and opportunism. I sincerely hope the journalist gets reimbursed and the governor put in his place. Shameful behavior.
Blown up to epic proportions. Had no ground, so made some with lies and confidence.
@@terrsus7676 that's called an agenda. Missouri's governor is not known for his insight, flexibility, or openness.
@@justincombs7433 He has made every effort to mirror Trump, making no secret of it.
He should be the one getting 50 Million dollars lmao
The “governor”belongs in a nursing home.
Shameful. A reporter discovered a ridiculous bug and reported it, but the government is too embarrassed to accept the fact that they are not doing a great job of protecting important data for their people, and they proceed to blackmail the reporter. Shameful.
I actually wrote up a paper on this for one of my college classes. I decided to print out the HTML of an NPR article that I used as a reference, because at the top of their page is a "Now Hiring Programmers" box that you can only see by looking at the source code.
Obviously this is a fairly common practice, but I thought it would resonate more with the person grading my paper if they actually saw it with their own eyes what this journalist is being attacked for doing.
Wonder if they fooled him into believing this "html hack" was so sophisticated it would cost $50m to fix.
They just need another reason to burn taxpayers' money. How else would you justify taking high taxes if they aren't spent on the spot
I swear I heard him say "HTLM"
I am wondering if that's what the State paid to have it fixed...
@@trueriver1950 probably. It's probably some rule that they have to use an outside vendor for this and when a vendor said "Sure! " they charged them for their stupidity.
@@weston5614 htm ellen
There seriously needs to be an age limit for people in government. If the internet is still foreign to them, they should start living in a retirement home
word
wow someone has daddy issues; calm down there tiger.
@@mickl3073 nice ad hominem fallacy
but you shouldnt be in any sort of power of any part of the US if you cant even use something as important as the internet
@@PefectPiePlace2 really not, if someone's going to have power such as this they should be able to keep up in the modern world.
@@PefectPiePlace2 If the ones in power are so behind in times that they don't even understand how the internet works, then they're in no position to make any claims or judgements about anything related to it.
Government: sends teachers' private information in nearly plain text to everyone
Journalist: "you got an issue, please fix"
Government: WE'VE BEEN HACKED!
How did nobody find this sooner? Also, how did that journalist have to get a lawyer? If anything, the government violated the teacher's privacy by sending the data in the first place.
Why wouldn't he have to get a lawyer?
@@roberto8650 i mean, sure, it's still a lawsuit. but it's such a baseless accusation that shouldn't even go to court. "the defendant is charged for pressing a key on his keyboard and revealing information leaked by a government website."
Our 'fuck up' is going to cost you, the ordinary taxpayer, 50 million because of this malicious attack.
* behind closed doors “ we’ve done it Gary! We are going to be rich! Pay that programmer $500 to fix the bug and let’s get the fuck out of here”
"clearly a hack"
Clearly wasn't
Seen this covered by somebody before, but this has more detail, and is much better.
Makes me want to press F12 more.
Don't, you'll run into legal trouble viewing public information!
You'd be surprised how much BAD web design is out there. Granted, it's waaay better than it used to be, but for rural and small government offices? It's a joke.
but they decoded the h.t.m.ellen through a multi-step process!!!!!
You do have to be really careful. I did something similar to this, but with my school's email software (I emailed one other student, which was not supposed to be possible), and got kicked out of my tech classes (in fear of the future) and suspended for a week (later reduced to 1 day). People are stupid, and no matter how many times you explain things to them, they will still be stupid
my school had the same initial password for their LMS accounts so I literally had to tell people to change their passwords
I got into like 2 or 3 random accounts at that time lmao
@@danmakufan Same thing with me lol, I was on a random school computer once and somebody had their account saved (but logged out) so i tried putting in the initial passcode and it worked.
Although, my school does say that people should change their passwords when they first log in, but people don't care
My school exclusively used chrome os, left the terminal so it could be used, and left devmode on, I found out that you could type anybody's username in (which being on chrome was their publicly available, school assigned email address)
And the terminal would return their email/computer password.
And on another occasion, I found out that one of the teachers used "admin1" as her username, and password to the unrestricted internet,
I don't think my school put much thought towards security
@@_underscore_9271 bruhhh at least my school disables the Linux terminal lmao. Crosh shell isn't though
Such an absolute embarrassment to everyone involved
Yet another one of the (Dark verified comment bot nets)
Crazy=100% bot, for sure.. reselling accounts, just like Dark, X, A, B, and all the other verified Dark bots
bot
@@dertythegrower you are on a seytonic video but dont know the definition of a botnet lol
@@emilyisoffline it's not a botnet. it's an account that copies other liked comments
@@sierra991 I know what it is. That is my point. They do not know what they are saying lmao
As a citizen of Kansas, I'm encouraged to laugh at Missouri for being this silly!
This is incredibly shameful. He has no idea what HTML is.
Journalist: *Reports bug privately and responsibly, not revealing any information to the public and not causing "Major embarrassment"*
Governor: THIS'LL COST MILLIONS
This is how tech savvy the average US politician is, and why ransomware works so well in the States
We Germans simply avoid all cyber attacks not through cyber security, but through good ol' fax machines
I remember this. Lol saying that it would cost you 50 million dollars in damages is a self report. If your government is that inefficient they have serious problems.
The only one that should get sued is the one in charge of maintaining the website by the teachers
This level of technical ignorance by politicians should warrant an impeachment of that person. Whether it was pure incompetence or there was a malicious intent, it's equally disturbing and unacceptable.
the level of digital illiteracy in the us government is frankly frightening and infuriating.
Yes, it's highly unethical that the teachers' private information was able to be abused but it was in no way the fault of the reporter, just the complete and utter incompetence of the state of missouri.
I just hate how they always act so sure of themselves, and then get angry at others for calling them out for their bullshit
I got sued once for making a server admin aware that he's running an outdated server version of TeamSpeak 3 that had a serious vulnerability.
You really can't make this sh*t up anymore..
It's like 'cheating' on a test where the answers were already given.
This video had me in tears. I wish I could've become a pentester by simply viewing a public webpage and decoding a b64 string. I would've saved so much money
It was actually an incredibly sophisticated multi-step process that involved decoding the encoded html source code
Politicians nowadays are literally every movie that says "I'll create a GUI interface to trace the IP address on the mainframe"
Going to need a lot of RAM to do that
@@ngkngk875 Nah, a Gigabyte of RAM should do the trick.
@@ThePC007 you sure you don't need a good motherboard with 10 ram boards with 4gb each?
It appears you have a feedback loop in the induction coils of your DB3 signal processor.
Extra underrated
Hope the Journalist set up a crowd funding for this event, if he doesn't have the budget to fight, I'm sure a lot of people who understand exactly what is happening here are willing to help, including myself.
I'm from India and I'd donate to this
@@guptabhishek go care about your own problems, rly
I'm in.
1:21 it's just a way of displaying text, like text can be displayed in morse code or binary, or French 😭
Reminds me of that great multi-step bank heist I committed when I was a kid; I went to the local savings bank, deposited some cash I had made shovelling snow for my neighbours, took a piece of candy from the bowl at the counter, and when offered by the teller said I had already taken one but was told I could have another for being such a nice young man.
These two pieces of candy cost my local savings bank at least 40 trillion dollars, and is the clear reason why it closed down. I have yet to be brought to justice and still take candy when offered to this day.
Someone should get sued, but it's not the journalist!
First casualty in politics is the truth; this was just something to score political brownie points. If I was the 100,000 teachers I'd sue the State for shoddy workmanship under their state Data Protection.
the same thing happened to me when I tried to responsibly disclose PII being leaked by a pager vendor. I was thanked by the IT at the health care provider, then served a cease and desist by the vendor.
For shame on the vendor’s part, but that’s why you can go public after 90 days I guess. PR wankery on the vendor’s part should never be the MO when it actively hurts their security posture. Did you publicly disclose it in the end? And did they fix it in time?
I love how they call it a multi-step hack, when it's literally one click of the F12 button.
Is our governor actually this incompetent? A simple Google search could've prevented this embarrassment. Also I'm pissed for that journalist. He did the right thing and got sued for it.
This is the equivalent of sending someone a letter in the mail with accidental personal information left in it, and then the recipient getting sued for reading it.
I believe mail is actually protected by Federal Law at least in the US and you can actually get in trouble for that. I could be mistaken, but you're willfully opening the letter you know is not for you and can read who is the sender.
So you'll know it is information you should not be viewing, should not have gotten this, and should not open this.
In the case of F12 you're looking at the information sent to you, or a letter sent to you for you with information they didn't mean to give you.
@@Buglin_Burger7878 My example implies that the recipient of the letter was the intended recipient, but the sender accidentally left private information in the letter, and then sued the recipient for reading the letter that was addressed to them.
I think especially since this was a politician making the claims of "hacking" he was playing the malicious card as a way of diverting the attention away from his government's flaws, and when that backfired he played dumb.
That's exactly what I said in my comment. If it got out that their website was _that insecure,_ it would be a huge embarrassment. The governor seems like a savvy, career politician. He knew exactly how to spin an embarrassment into a campaign strength. The reporter was a convenient scapegoat. Luckily for the journalist, everyone saw right through it.
@@xliquidflames Unfortunately, I doubt everyone was that smart. Unless his opponent's PAC used it to attack him; I could definitely see that happening.
that's actually really sad. how can such powerful people not even have a normal basic understanding of the internet
We had something similar in Germany, an app from our conservative party had a security issue where you could get personal data by using an open REST API (aka just typing the right URL to your browser). A hacker informed the party about that, and as a response, they tried to sue her.
That some people actually vote for guys like that to run our country baffles me every time.
Any infant could have pressed F12 and 'accidentally' copy-pasted the information somewhere. I was perfectly capable of using HTML in elementary school.
When he said "Decoded the HTML code"
...I was so shocked that I almost choked from my own laugh
Man's a browser
You could make the argument that since the base64-encoded social security numbers were part of the HTML code, and he indeed decoded them, he did technically decode the HTML code (at least the part that needed decoding). Though you're right, the people writing this had no idea what they were talking about.
@@ThePC007 yes technically the phrase was correct but coming out to the public to say all that was the funny part of all and i really admire the person who wrote that speech.
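The detail in the thread above, that the values sat in the page source and were only base64-encoded, is exactly what a pre-deployment audit of your own rendered HTML should catch. The following is an added example, not code from the video or from any commenter; the sample page and its teacher record are constructed, and the SSN check is a shape match only:

```python
# Audit rendered HTML for SSN-shaped values, plain or base64-encoded.
# Added example, not code from the video or any commenter: a check a web
# team can run over its own rendered pages before deployment, aimed at the
# failure mode discussed above (values shipped to every browser in the page
# source, hidden only by base64 encoding).
import base64
import binascii
import re
from html.parser import HTMLParser

# Candidate base64 token: 12+ base64-alphabet chars plus optional padding, not
# glued to other base64 chars. Long plain words match too; strict decode drops them.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
# SSN-shaped value: 3-2-4 digits with or without dashes. A shape check only.
SSN_SHAPE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


class _Collector(HTMLParser):
    """Collect text nodes and attribute values, the places a blob can hide."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        self.chunks.extend(value for _, value in attrs if value)

    def handle_data(self, data):
        self.chunks.append(data)


def _decode_text(token):
    """Return printable UTF-8 text if token is strictly valid base64, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def find_exposed_ssns(html):
    """Return (kind, token, value) triples; kind is "plain" or "base64"."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for chunk in collector.chunks:
        for match in SSN_SHAPE.finditer(chunk):
            findings.append(("plain", match.group(), match.group()))
        for token in B64_TOKEN.findall(chunk):
            decoded = _decode_text(token)
            if decoded is not None and SSN_SHAPE.search(decoded):
                findings.append(("base64", token, decoded))
    return findings


# Constructed sample page (hypothetical, not the Missouri site): the SSN sits
# base64-encoded in a hidden form field, next to harmless attribute noise.
ENCODED_SSN = base64.b64encode(b"123-45-6789").decode()
SAMPLE_HTML = f"""<html><body>
  <div class="teacher-card" data-id="deadbeefdeadbeefdeadbeefdeadbeef">
    <span>Jane Doe, Certified Teacher</span>
    <input type="hidden" name="ssn" value="{ENCODED_SSN}">
  </div>
  <script>var note = "{base64.b64encode(b'no sensitive data here').decode()}";</script>
</body></html>"""
```

Run `find_exposed_ssns(SAMPLE_HTML)` to see the hidden field flagged while the hex attribute and the harmless encoded string pass; wiring this into a staging crawl catches the problem before any browser ever receives the page.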
The campaign ad makes it obvious the governor knew exactly what he was doing. He may have never heard of HTML before but he's not dumb. What he knew is if it got out that the website was _that insecure,_ it would be a huge embarrassment. It might even lead to lawsuits from anyone that had info stored in their databases.
The prosecutor calls it what it is, a data breach, not a hack. That prosecutor's press release goes on to talk about how they have zero tolerance for "improper taking and using of personal information." They conspicuously omit the word "storage" from that sentence. Improper storage of personal information was the problem here. No one took anything. It was in plain sight.
I don't think the governor is intimidating journalists. I think he was seizing an opportunity and turning an embarrassment into a campaign strength. I mean, look at the guy. He's been in politics for a long time. He knew exactly how to handle this and spin it in his favor. The journalist was a convenient scapegoat.
He could also choose not to go public in the first place. The journalist said he would not post anything about it (if he did, that could be considered as a crime). The governor had two options: either go public and twist the situation in his favor, or ask anybody with at least two braincells if this is a good idea.
Republicans always play dirty politics like that
@@slickrick2420 honestly, democrats do too, I don't think any official is elected for their ability to lead, I think the campaigns always come down to who can talk the smoothest
@@slickrick2420 99% of politicians in general, all over the world they're a social disease
@@_underscore_9271 Everyone of every group can be evil, it is so rare for people to realize both sides of the coin are corrupt. It makes me happy seeing someone recognize this.
Eating soup with a spoon is a multi-step process... They just needed to add more meaningless words to make it sound serious
I think it’s a lawyer thing where they can try to prove the intent to hack because accessing the data required taking multiple steps
how can they possibly say "they decoded it from OUR HTML" and not think maybe the "hacker" wasn't doing anything
Similar stuff happened a while back in Germany where the addresses of voluntary electoral assistants were exposed through an API by changing the parameters in the URL. The researcher did not make a big fuss and went the responsible disclosure route, but then after it got fixed and it went public she got hit with a lawsuit. IIRC in the end the lawsuit got dropped because she just accessed publicly available data, but the CCC said they won't ever report any security issues to that party in the case they find one again. Shooting the messenger is not cool, especially if you got no knowledge on the topic and the whole thing is just a shitshow.
Not only is it not cool, it's just terrible policy. It means if someone finds it who doesn't want you harmed, they won't tell you, so you can't fix it before someone who *does* want you harmed finds it too
Good luck finding security experts after fucking with the CCC, 90% of the people there won't work with you no matter what, 9.9% will not work with you because they might get a lawsuit and that 0.1% who will work will make you pay 50x more or just plain black hats.
Now, I am not saying that this can't happen with any party (heck, or any country), but I still can't suppress my urge to add salt to the wound and not add the information that this happened to, well, let's say the German party that would exactly be the one this Missouri Governor would be from, were he to be active in German politics. 😅
This is ridiculous... Do American lawmakers not take advice from other people? Like if you don't know something just ask. It's not a sign of weakness.
That's just the system there - politicians have to take extreme stances on issues and be the exact opposite of... the opposition. Also typical boomer being out of touch
Considering that he read the word “HTML” as if it was the first time he ever saw it, I assume he didn't even write the script himself. So, I suppose he already got the advice from other people, except those people had no idea what they were talking about either.
“There is an argument to be made that there was a violation of law.” Didn’t interpret this as a red flag as you said, but rather as a creative jab at the Governor. Almost like “There is an argument to be made that the earth is flat.”
right "...but i wont be the one making it" is the addendum
"This matter is a serious matter"
"Decoded the HTML source code" is my new favorite sentence
The government talk about this like I write about a missing CSP header
The people who are in the Government are the best and brightest in our nation. So smart they pay 50 million for a problem that can be done for practically nothing. 😆 🤣
I think I'm just going with Hanlon's razor: Never attribute to malice that which is adequately explained by stupidity.
But I'm not even sure if this is better or worse. It's bad enough that the governor had no idea what he was talking about, but it is even worse that there still isn't a federal law that protects cybersecurity whistleblowers.
The problem wasn't that the speaking face wasn't technically literate, most executives aren't. The issue is that there was no internal IT department to handle the issue.
The US rotten culture of small government leads to that mess. State organisations are forced to hire absurdly expensive contractors because they aren't allowed to have state software development agencies.
@@Bvic3 Oh my god
I'm going to say that regardless of intent, this almost certainly fits the legal definition of actual malice. Someone (and someone in a position of authority no less) has decided to repeatedly make false claims and pass them off as fact, with disregard for their truth and what effect they would have, arguably for their own gain. Even if the journalist can't recover damages for legal fees, he could almost certainly sue for slander.
(not a lawyer, but I have seen way too many legaleagle videos where he has to explain the legal definition of actual malice.)
Add in to the number of "dog whistles" the governor throws out (He actually says "fake news media" combining the claim of fake news and the discrediting of news reporters), I could identify his party affiliation even if I didn't know which party was in control of Missouri.
The way things are going, I don't think I'll be able to trust a statement made by an Elephant politician ever again. If one pointed at the Sun, I would need to find another source to confirm that he's not really pointing at the Moon.
@@andrewdreasler428 Democrats and Republicans are both owned by the same corporations that own the Media, distrusting the media isn't a dog whistle, it's common sense.
Especially considering they want $50M for it... that REALLY sounds like they just want an excuse to blow through $50M..
Governor deserves to be trolled. What a clown. Didn't even bother getting a cybersecurity expert's opinion before jumping in.
This shit is so stupid it doesn't even need any specialist in any field, a normal person who uses the internet would be able to tell you what's going on 😭
One very important thing to remember about the US government at ANY level... they're not stupid, they know what they're doing and they never do anything unless they themselves directly benefit from it.
It was both malicious and stupid. It is the dynamics of an abusive relationship. The abuser attempting to turn everything around and make themselves the victim when they get exposed. The stupid part was thinking everyone else would be stupid enough not to see it for what it is.
Next in the news: "Old man doesn't understand how the internet works."
If it was intentional I doubt he would have mentioned specifics and would have used vague wording which sounds more intimidating. At least the prosecutor realised what was going on and that it wouldn't stand in court.
Not to mention the way he pronounced HTML as if he never heard of it before. He clearly had no idea what he was talking about.
Which does beg the question, though. If this is indeed the first time he read about HTML, who wrote the script?
@@ThePC007 Probably an aide. He probably had seen the name before during the meeting, but wasn't quite familiar enough with it to pronounce it with confidence.
This could be used as a South Park script
This is horrible. I'm relieved that Gov Parson is terming out in 2024. He should be punished.
It baffles me they called it "private information". If something is sent to any and all browsers that access the site without a need for authorization, it is a public information. Therefore, all those security numbers became publicly available information.
Shows the level of advisors and tech competency of politicians. There should be popular documentaries produced to highlight the absurdity of this situation and how the 'government' can bully journalists or citizens to mask their incompetence. The old git should be held accountable for throwing his weight around without understanding the facts.
Waiting for "Getting sued for existing"
Getting sued for not existing
Dear god, this was painful to learn about.
The school and governor defamed the journalist to avoid taking responsibility for incompetent and negligent handling of personal data. Like WTF! Why would a publicly accessible web server serve SSN to clients visiting a publicly accessible page? Why the duck does a public web server even store or have access to personal SSNs to begin with! WTF!
Ignorance has no limits, that governor just embarrassed himself and probably doesn't even realize it.
This is not the first time a politician blew something stupid out of all proportion. Of course, the website should NOT have been sending the teachers' SSNs to the webpage.
Perhaps this was more a deflection to escape responsibility for such a slipshod website design???
Politicians. Bureaucrats. Monkeys. Which one throws the bone up in the air better? :)
USA becoming more like the USSR every day...
deflection of responsibilities, propaganda, scare tactics, blaming the enemy instead yourself, "you will own nothing"...
Was this done intentionally? I do tech support for a living, and I guarantee you that as he read "HTML" he didn't even understand the concept of what it was. He's an old man that is rich enough to pay others to understand technology for him, and through some absence of grey matter had somehow connected the description of what happened to "hack".
shhh don't tell him they're paying us loads for easy fixes
They probably just had a rulebook of steps to follow in order to qualify for insurance money to cover the identity theft protection that they'll need to buy for the 100,000 teachers.
Both the paper and the individual reporter surely have grounds to sue for damages over this absolute disaster
The governor believes everyone is entitled to their privacy. That's why he doesn't give a fig about ensuring state databases are secure and instead of spending money on cybersecurity he goes after citizens trying to help secure teacher's social security numbers.
has anyone looked into whether there was an IT contractor who could be blamed? if yes there's always the possibility that said contractor might have links to the governor
True story, I found a decent security vulnerability in a payment processing service. I won't disclose the name, but they are similar to Square. Anyway, I was able to obtain the business names and products of each of their clients. That itself I suppose isn't the end of the world, but it was definitely a bug, and at least would have made me uncomfortable being them. So I composed a report and sent it over to them. They then told me I was wrong. I so badly wanted to just compile the list and send it to them. But we were using their services and had spent a great deal of time setting our system up to do so. So I didn't compromise our relationship with them, I just let it go. Two months later, they issued an email to their customers requiring their action, a layer of authentication had been added they said. Without getting into too much detail, it was a fix to the bug I found. Wish they would have at least given me some credit.
My guess, whatever technician my report originally reached, got escalated to some senior tech, who naively and stubbornly insisted it was impossible. Then went home and while sleeping that night went over it in his head and eventually came to the "oh fuck maybe he's right" realization. Then, too embarrassed, never emailed me back thanking me. Then it took them two months to fix it, requiring all their users to take manual action to correct their bug.
If they were willing to ditch you as a client over you being right, maybe you shouldn't be their client. But that's between you and them. At least they fixed the issue though.
@@justincombs7433 You're not wrong at all. But after spending as long as we did reverse engineering their api and integrating it with our product. It just wasn't worth it. The company we went with here, also had some decent / favorable ways in which their contract treats the user payment information. So for example, I think with square if you part ways with them, they are not obligated to transfer the credit card information and such of your customers. With this platform they are, which was important to us. And didn't seem common. But yeah I totally agree with you.
You should have checked if they had a bug bounty program, because you can get paid for reporting vulnerabilities if they do.
@@davidt01 Yeah that was my initial correspondence with them when sending the report over. I asked if they had one and they said no but they would take a look at what I had and maybe could work something out if it was legitimate. But then told me I was wrong. Which I wasn't lol. So yeah, was either just ignorance or denial. I appreciate your response though. Yeah that was my initial interest. I know google for example has some pretty large bounties.
Maybe it's childish, but I would have been far less forgiving in that situation. I'm sure some of those exposed companies would've liked to know what was accessible on that site, even if the information reached them anonymously.