Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim
from the wtf-missouri dept
Hey Missouri: stop electing technically illiterate dipshits. First you had Claire McCaskill, one of the key sponsors of FOSTA (who is still defending it years later). You got rid of her, but replaced her with Josh Hawley, who seems to think his main job in the Senate (besides whipping up support for insurrectionists and planning his run for the Presidency) is to destroy the internet and reshape it according to his own personal vision.
And then there's your governor. We wrote about him a few years ago when he claimed (ridiculously) that the 1st Amendment meant he could withhold public records (which is not how any of this works). But, of course, last week, his tech ignorance broke into prime time after the St. Louis Post-Dispatch ethically disclosed that the state's Department of Elementary and Secondary Education (DESE) website was including teacher & administrator social security numbers in the HTML. DESE pulled down the pages, but not before calling the journalists "hackers." Parson then doubled down and called for the journalists to be prosecuted. And then kept insisting that viewing HTML source code was hacking.
For the past week people on Twitter have been repeatedly mocking Parson for this, but he just won't give up, and neither will the United Missouri PAC that is a huge Parson supporter and was even fined last year by the Missouri Ethics Commission over improper contributions and failure to report the contributions to Parson.
Earlier this week, United Missouri seemed to think that Parson's blatant technical illiteracy was worth doubling down on and turning into a culture war against "the fake news." It produced a video that is so embarrassing and cringeworthy it feels like a parody.
I mean, the transcript is so stupid that it makes me wonder about the quality of education in Missouri that someone could be this clueless.
The latest from the Missouri "fake news factory" is from the St. Louis Post-Dispatch, where a reporter has been digging around HTML code on a state website. The state technology division said the hacker took the records of at least 3 educators, decoded the HTML source code and viewed the social security numbers from the state website.
I mean, holy shit. HTML code is public. That's what "view source" is there for. There's no "digging around." And, incredibly, here United Missouri/Parson are admitting that the social security numbers were in HTML! THAT IS THE PROBLEM! No one should ever be putting SSNs in HTML. The fact that DESE put SSNs in HTML is the very problem that the reporters were highlighting. And if it wasn't actually a problem, why did DESE pull down the website in the first place? It's not hacking. It's showing that Parson's administration is incompetent.
And then, the video takes Parson's own failure to protect teachers and administrators in the state... and blames it on the reporters who (ethically) disclosed this negligent coding?
Governor Parson believes everyone is entitled to their privacy. Especially our teachers.
THEN WHY DID YOUR ADMINISTRATION REVEAL THEIR SOCIAL SECURITY NUMBERS IN HTML, YOU TECHNICALLY IGNORANT FOOLS? No one should ever be putting SSNs in HTML. The fact that they were there is the problem. Not the fact that these reporters alerted the state to its own coding (and data handling) error. The privacy breach is the state's fault, not the reporters'. The reporters disclosed all of this in the most ethical manner possible: alerting the state and not publishing anything until after the leaked data was removed from the web.
Governor Parson is standing up to the fake news media and is committed to bringing to justice anyone who obtained private information. The St. Louis Post-Dispatch is purely playing politics. Exploiting private information is a squalid excuse for journalism. And hiding behind the noble principle of free speech to do it is shameful.
Note that they keep calling the St. Louis Post-Dispatch "fake news" but don't dispute a single thing they reported. So it's fake news, but also a crime? Furthermore, the only one who should be "brought to justice" is the state for putting social security numbers in HTML in the first place. And the only one "purely playing politics" appears to be Governor Mike Parson and his corrupt PAC.
And, of course, everyone with even the most basic understanding of HTML knows that it's Parson who's full of shit here, as is clear from all the comments on the video:
I get that, these days, the Trumpian populist politicians think they can just make shit up and lie constantly and their ignorant base will lap it up, but this takes all that to new levels of stupid. You don't have to be a genius computer science grad to understand that you never ever put SSNs in HTML and that whoever did that is at fault here.
Filed Under: data breach, ethical disclosure, hacking, html, journalism, mike parson, missouri, view source
Companies: united missouri
Reader Comments
Criminal, right?
[ link to this | view in chronology ]
Re: Criminal, right?
It probably was some script generating HTML on the fly that dumped the database ID numbers for the viewable entries.
Unfortunately many db admins look at things like SSNs as the perfect primary key for a user / person in a db, and fail to realize what will happen when some poor web developer uses the "personID" field in the database as a reference in their HTML widget code....
In short, it probably wasn't an intentional act by the site maintainers, let alone the state administration. But you've got to love the anal retentiveness of the state governor and the carelessness of the db admins mixing to create a dangerous "never report anything" mentality among the general public. The law of unintended consequences gets them every time.
At least that's what I hope is going on here. Otherwise this governor is practically inviting a massive hack against his state in a few years by effectively telling people to never report a cybersecurity issue to anyone under threat of lawsuits and jail time as official state policy.
[ link to this | view in chronology ]
"decode"
Is the ability to read so rare in Missouri that it gets called "decoding"?
[ link to this | view in chronology ]
Stop the insanity
Suppose someone posted confidential info like SSNs on a wall of a public building, which anyone could view from the alley. Guess what, geniuses - that's what they did on the Internet. No hacking involved. I normally believe in Hanlon's razor - "never attribute to malice that which is adequately explained by stupidity". However, I wouldn't put it past Republicans to use this to score points in the culture war.
[ link to this | view in chronology ]
Re: Stop the insanity
"I normally believe in Hanlon's razor - "never attribute to malice that which is adequately explained by stupidity". However, I wouldn't put it past Republicans to use this to score points in the culture war."
I'm normally a firm believer in that razor as well. Yet every time I try to use it on US republicans, it breaks.
These days every time these benighted morons make an obviously deranged claim I just assume they know damn well they're talking bullshit and are just bringing it up as a talking point to energize a base of voters so brain-damaged by an upbringing where the crazy uncle and fox news was the primary source of education they'll believe anything as long as it ends with "It's all the libs fault!".
[ link to this | view in chronology ]
Question...
Was it St. Louis Post-Dispatch that broke the news about the PAC breaking the law?
[ link to this | view in chronology ]
Re:
https://missouriindependent.com/2021/10/21/cybersecurity-expert-demands-apology-from-missouri-governor-over-hacking-claims/
@ ALL
The Decode was likely Base64 encoded data in JSON.
Data that should never have been in the HTML.
[ link to this | view in chronology ]
Viewing file sent to him
He was viewing a file on his own computer that was sent to him by the web site. I don't think that's "hacking."
[ link to this | view in chronology ]
Re: Viewing file sent to him
Hacking is when you do anything with technology that tech unsavvy people don't understand.
[ link to this | view in chronology ]
No "decoding" required
HTML is mostly plain text.
[ link to this | view in chronology ]
Re: No "decoding" required
The "decoding" bit is translating it from text to something these people can understand - video.
[ link to this | view in chronology ]
The government of the state of Missouri disagrees, apparently.
[ link to this | view in chronology ]
HTML for Dummies?
Maybe the state officials wouldn't have made such a careless mistake if they had just learned to "nerd harder"!
[ link to this | view in chronology ]
Note to Missouri
A state motto is not a privacy policy.
[ link to this | view in chronology ]
GQP: The Professional Victim.
Decoder Ring output: those who A-typically screw-up, and refuse to take accountability for their OWN actions. Rather like how they were raised,.. ya think?
[ link to this | view in chronology ]
Re:
Yep - perpetual victimhood. Nothing will ever be right.
[ link to this | view in chronology ]
I am sad to report that this doesn't push the boundary ...
... of the nonsense politicians pull when they yell "fake news." Thugs assaulting the US capitol? Patriots! Tourists! Other thugs roughing up school boards? Concerned parents! Idiots who deny the existence of communicable disease? Guardians of religious freedom! Those were comparatively heavy lifts of nonsense.
At least understanding that, having stumbled upon a security leak, immediately telling the leaky site and then only later publishing news about it is a good thing and is pro-security is very difficult. Wait, sorry, it is not very difficult.
[ link to this | view in chronology ]
"You don't have to be a genius computer science grad to understand that you never ever put SSNs in HTML and that whoever did that is at fault here."
However, you do have to have a passing knowledge of both technology and verifiable reality to know this - and that is not the target audience. This is a play to keep angry morons angry enough to vote in 2022, then 2024 and to pretend that the reason they're failing is not due to their own actions but because of the "deep state" and "liberals".
There's no way anyone with any knowledge will fall for this - but the targets are not people with knowledge.
[ link to this | view in chronology ]
Re: This person should be fired for saying this is hacking
Yeah, so much for “protection”
[ link to this | view in chronology ]
Isn't this an example of public indecency? Or is mooning people like that allowed in public in Missouri? (Maybe it's protected by 1A?)
[ link to this | view in chronology ]
No one should ever be putting SSNs in HTML
That statement (subject) is nonsense.
[ link to this | view in chronology ]
if you put ssn nos in html text on a website you should be fired, if hacking is looking at html code then anyone who has a pc with a browser could be a hacker, they should be grateful the problem was pointed out to them. but republican politicians seem to be in a competition to pass bills that break the internet, take away users' right to privacy and free speech by eroding section 230, hacking is doing something that takes some knowledge and skill in technology that the average user would not be able to do.
[ link to this | view in chronology ]
Denial and deflection it is
Admitting that it's the government's fault for exposing the SSN's would require admitting fault and since that's clearly off the table it seems they've decided to triple-down on their blunder and exploit it by pandering to the gullible fools who still support them.
[ link to this | view in chronology ]
On TV.
Ever watch a series Called SOAP? How About BENSON?
Why do we keep hiring Idiots?
[ link to this | view in chronology ]
Re: On TV.
Ah, yes, Benson DuBois (Robert Guillaume). He was a very quick-witted actor with a great sense of timing in delivering the sting. Thanks for the memories.
[ link to this | view in chronology ]
Missouri gov. shows us its #1 security technique: "hide in plain text." It was derived from the well-known "hide in plain sight" technique, which works 100% of the time in Missouri (The Show Me State) but none of the time everywhere else... till now.
[ link to this | view in chronology ]
Imagine if site owner that disables right click tries to 1201...
full title (due to character limit): Imagine if site owner that disables right click tries to 1201 claim the web inspector.
So much for “effective technical protection measures”
[ link to this | view in chronology ]
Repeat after Mike:
You apparently do have to not be Missouri Governor Mike Parson.
[ link to this | view in chronology ]
Diary of a Missouri Governor
With respects to some A-OL.
July 18 --; I just tried to connect to Missouri Online. I've heard it is the best online service I can get. They even included a free disk! I'd better hold onto it in case they don't ever send me another one! I can't connect. I don't know what is wrong.
July 19 --; Some guy at the tech support center says my computer needs a modem. I don't see why. He's just trying to cheat me. How dumb does he think I am?
July 22 --; I bought the modem. I couldn't figure out where it goes. It wouldn't fit in the monitor or the printer. I'm confused.
July 23 --; I finally got the modem in and hooked up. That nine year old next door did it for me. But it still don't work. I cant get online.
July 25 --; That nine year old kid next door hooked me up to Missouri Online for me. He's so smart. I told the kid he was a prodigy. But he says that's just another service. What a modest kid. He's so smart and he does these services for people. Anyway he's smarter than the jerks who sold me the modem. They didn't even tell me about communications software. Bet they didn't know. And why do they put two telephone jack holes in the back of a modem when you only need one? And why do they have one labeled phone when you are not suppose to hook it to the phone jack on the wall? I thought the dial tone sounded funny! Boy, are modem makers dumb! But the kid figured it out by the sound.
July 26 --; What's the internet? I thought I was on Missouri Online. Not this internet thing. I'm confused.
July 27 --; The nine year old kid next door showed me how to use this Missouri Online stuff. I told him he must be a genius. He says that he is compared to me. Maybe he's not so modest after all.
July 28 --; I tried to use chat today. I tried to talk into my computer but nothing happened. Maybe I need to buy a microphone.
July 29 --; I found this thing called usenet. I got out of it because I'm connected to Missouri Online not usenet.
July 30 --; These people in this usenet thing keep using capital letters. How do they do that? I never figured out how to type capital letters. Maybe they have a different type of keyboard.
JULY 31 --; I CALLED THE COMPUTER MAKER I BOUGHT IT FROM TO COMPLAIN ABOUT NOT HAVING A CAPITAL LETTER KEY. THE TECH SUPPORT GUY SAID IT WAS THIS CAPS LOCK KEY. WHY DIDN'T THEY SPELL IT OUT? I TOLD HIM I GOT A CHEAP KEYBOARD AND WANTED A BETTER ONE. AND ONE OF MY SHIFT KEYS ISN'T THE SAME SIZE AS THE OTHER. HE SAID THAT'S A STANDARD. I TOLD HIM I DIDN'T WANT A STANDARD KEYBOARD BUT ANOTHER BRAND. I MUST HAVE HAD AN IMPORTANT COMPLAINT BECAUSE I HEARD HIM TELL THE OTHER SUPPORT GUYS TO LISTEN IN ON OUR CONVERSATION.
AUGUST 1 --; I FOUND THIS THING CALLED THE USENET ORACLE. IT SAYS THAT IT CAN ANSWER ANY QUESTIONS I ASK IT. I SENT IT 44 SEPARATE QUESTIONS ABOUT THE INTERNET. I HOPE IT RESPONDS SOON.
AUGUST 2 --; I FOUND A GROUP CALLED REC.HUMOR. I DECIDED TO POST THIS JOKE ABOUT THE CHICKEN THAT CROSSED THE ROAD. TO GET TO THE OTHER SIDE! HA! HA! I WASNT SURE I POSTED IT RIGHT SO I POSTED IT 56 MORE TIMES.
AUGUST 3 --; I KEEP HEARING ABOUT THE WORLD WIDE WEB. I DON'T KNOW SPIDERS GREW THAT LARGE.
AUGUST 4 --; THE ORACLE RESPONDED TO MY QUESTIONS TODAY. GEEZ IT WAS RUDE. I WAS SO ANGRY THAT I POSTED AN ANGRY MESSAGE ABOUT IT TO REC.HUMOR.ORACLE. I WASNT SURE IF I POSTED RIGHT SO I POSTED IT 22 MORE TIMES.
AUGUST 5 --; SOMEONE TOLD ME TO READ THE FAQ. GEEZ THEY DIDN'T HAVE TO USE PROFANITY.
AUGUST 6 --; SOMEONE ELSE TOLD ME TO STOP SHOUTING IN ALL MY MESSAGES. WHAT A STUPID JERK. I'M NOT SHOUTING! I'M NOT EVEN TALKING! JUST TYPING! HOW CAN THEY LET THESE RUDE JERKS GO ON THE INTERNET?
August 7 --; Why have a Caps Lock key if you're not suppose to use it? It's probably an extra feature that costs more money.
August 8 --; I just read this post called make money fast. I'm so excited. I'm going to make lots of money. I followed his instructions and posted it to every newsgroup I could find.
August 9 --; I just made my signature file. Its only 6 pages long. I will have to work on it some more.
August 10 --; I just looked at a group called alt.umpac.sucks. I read a few posts and I really believe that umpac should be wiped off the face of the earth. I wonder what an umpac is.
August 11 --; I was asking where to find some information about something. Some guy told me to check out ftp.netcom.com. I've looked and looked but I can't find that group.
August 12 --; I sent a post to every usenet group on the Internet asking where the ftp.netcom.com is. Hopefully someone will help. I cant ask the kid next door. His parents said that when he comes back from my house he's laughing so hard he can't eat or sleep or do his homework. So they wont let him come over anymore. I do have a great sense of humor. I don't know why the rec.humor group didn't like my chicken joke. Maybe they only like dirty stuff. Some people sent me posts about my 56 posts of the joke and they used bad words.
August 13 --; I sent another post to every usenet group on the Internet asking where the ftp.netcom.com is. I had forgot yesterday to include my new signature file which is only 8 pages long. I know everyone will want to read my favorite poem so I included it. I'm also going to add that short story I like.
August 14 --; Some guy suspended my account because of what I was doing. I told him I don't have an account at his bank. He's so dumb.
[ link to this | view in chronology ]
Re: Diary of a Missouri Governor
Oh, man, it's been a long time since I saw that classic. 😁
Damn...now I feel old...😟
[ link to this | view in chronology ]
What a Moron
He’s dumb enough his own computer has enough holes in it anyone could get in it no doubt.
[ link to this | view in chronology ]
This week's Sesame Street has been brought to you by the keys 'Ctrl' and 'U'...
[ link to this | view in chronology ]
Hey, if the site is delivered over HTTPS, decryption is definitely involved...
[ link to this | view in chronology ]
Re:
Not on the copy stored on the client PC. If you're using the "view source" option in your browser, you're looking at the same decrypted copy that has already been authorised to store to view in the browser in the first place.
[ link to this | view in chronology ]
This article was seriously misunderstood by trolls on internet
There's two important facts missing from the internet discussion: 1) govt had actually hidden the SSN's by encoding them with something similar to what rot13 is, i.e. not encryption, but encoding anyway. 2) It's illegal to access protected information regardless of how you got access to it, even if it was publicly available in the html source code, accessing it is illegal.
These two pieces of information will change the whole story upside down. The step (1) means that the "security researchers" had to use hacking techniques to get access to the SSN's, since the information simply wasn't available to ordinary public. The step (2) means that once they found SSN's with their hacking techniques, any further actions with the data is all illegal, including reporting the blunder to its originating organisation. Given that they weren't real security researchers, but some kind of newspaper reporters, they weren't aware of the strict laws that govern security research, and thus they're doing more damage than what their "reporting" is worth.
[ link to this | view in chronology ]
Re: This article was seriously misunderstood by trolls on intern
It's fascinating to see someone fail so spectacularly at understanding how things work and what the law say.
Encoding isn't encryption. UTF-8 is an encoding, base64 is an encoding, EBCDIC is an encoding and even ASCII is an encoding. If the government by mistake publishes sensitive information, albeit in an encoding that's not easily human readable by default, converting that encoding to a human readable format is not decryption in any way. Taken to its logical conclusion, if the SSN's were published in pure ASCII you would still have to convert it to something a human could easily read, like taking the ASCII, looking up fonts and display them in a GUI.
And "hacking techniques"? Reading HTML and base64-encoded text isn't "hacking techniques" - it's basic knowledge for anyone who is somewhat conversant in making web-pages. That you think it's "hacking techniques" explains a lot, because only uneducated fools would say that or those with an agenda that's contrary to the public good. Well, and the dishonest assholes arguing in bad faith of course.
[ link to this | view in chronology ]
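A pre-publication check for the failure discussed in this thread, added here as an example (it is not code from Techdirt, the Post-Dispatch or DESE): it scans the HTML a server is about to send for SSN-shaped values, both in plain text and inside base64 blobs, which shows why encoding protects nothing. The page markup, field names and the 000-area numbers are constructed, and the idea that the data sat base64-encoded in JSON is a commenter's guess, not a confirmed detail.

```python
import base64
import binascii
import json
import re

# SSN-shaped token: 3-2-4 digits with dashes, or 9 bare digits, not embedded
# in a longer word/number (so digits inside a base64 run are not matched).
SSN_RE = re.compile(r"(?<![\w-])(?:\d{3}-\d{2}-\d{4}|\d{9})(?![\w-])")
# Candidate base64 run: 12+ alphabet characters, optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
MAX_DEPTH = 2  # follow base64-inside-base64 at most this deep


def mask(ssn):
    """Keep only the last four digits so the report itself leaks nothing."""
    return "***-**-" + re.sub(r"\D", "", ssn)[-4:]


def decode_b64_text(run):
    """Return the run decoded as UTF-8 text, or None if it is not base64 text."""
    body = run.rstrip("=")
    padded = body + "=" * (-len(body) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # bad alphabet/length or not UTF-8
        return None


def find_ssn_leaks(html, where="plain text", depth=0):
    """List (masked_value, where_found) for every SSN-shaped value in html."""
    findings = [(mask(m.group()), where) for m in SSN_RE.finditer(html)]
    if depth < MAX_DEPTH:
        # Anything a browser receives can be decoded by the recipient, so the
        # check decodes it too instead of treating encoding as a barrier.
        for m in B64_RE.finditer(html):
            decoded = decode_b64_text(m.group())
            if decoded is not None:
                findings += find_ssn_leaks(decoded, "base64 blob", depth + 1)
    return findings


# Constructed sample data. Area number 000 is never issued as a real SSN.
RECORDS = [
    {"name": "Teacher A", "personID": "000-12-3456"},
    {"name": "Teacher B", "personID": "000-45-6789"},
]
STATE_B64 = base64.b64encode(json.dumps(RECORDS).encode()).decode()

# Hypothetical page: the SSN used as a row key, plus serialized state in JSON.
LEAKY_PAGE = f"""<table>
<tr data-person-id="000-98-7654"><td>Teacher C</td><td>Certified</td></tr>
</table>
<script id="state" type="application/json">{{"payload": "{STATE_B64}"}}</script>"""

# Same row keyed by an opaque surrogate id, with no serialized records.
CLEAN_PAGE = """<table>
<tr data-record-id="r-7f3a9c"><td>Teacher C</td><td>Certified</td></tr>
</table>"""

if __name__ == "__main__":
    for value, where in find_ssn_leaks(LEAKY_PAGE):
        print(f"BLOCK PUBLISH: {value} found in {where}")
    print("clean page findings:", find_ssn_leaks(CLEAN_PAGE))
```

The durable fix is on the server: key records by a surrogate identifier and never serialize the SSN column into a response at all; a scan like this only catches regressions.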
Re: Re: This article was seriously misunderstood by trolls on in
The law clearly says otherwise.
[ link to this | view in chronology ]
Re: Re: Re: This article was seriously misunderstood by trolls o
The witch hunt that they did to Julian Assange kinda proves you wrong. If accessing sensitive information wasn't illegal, why would USA government harass Julian Assange at all?
[ link to this | view in chronology ]
Re: Re: Re: Re: This article was seriously misunderstood by trol
Governments can be vindictive, and besides they are not accusing Julian Assange for looking at data on WikiLeaks, but rather that he was active getting the data onto WikiLeaks. That is looking at the data once it has been made public is not illegal, but making it public may be. There is a not very subtle distinction between those two cases which you are ignoring.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: This article was seriously misunderstood by
sure, but they're accusing him of all the following:
1) accessing protected computer without permission (==hacking)
2) accessing protected documents without permission (==confidentiality breakage)
3) publishing protected documents without permission
4) fleeing the country twice (sweden->england, england->ecuador)
5) breaking his bail conditions
6) sex offenses
7) annoying powerful people
8) getting refugee status in Ecuador
9) forgetting to pay taxes while locked inside embassy
10) 1 million bucks that police used to surveillance of the Ecuador embassy
11) messing with Ecuador embassy operations
12) getting kicked away from embassy
13) etc..
Lots of small issues... But the key takeaway is that the main problem is the access to protected documents.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: This article was seriously misunderstood
No, the main problem was exposing governments for the clucks they are.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: This article was seriously misunderstood
In other words, all the sort of monkey shit that the US justice department flings in the direction of people that they have decided to target.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: This article was seriously misunderstood
The sex offenses were eventually dropped, but you only wish that you were powerful enough that governments would move mountains to arrest people who annoy you.
[ link to this | view in chronology ]
Re: Re: Re: This article was seriously misunderstood by trolls o
What law would that be? Please be specific.
[ link to this | view in chronology ]
Re: Re: Re: Re: This article was seriously misunderstood by trol
https://www.law.cornell.edu/uscode/text/18/1905
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: This article was seriously misunderstood by
Did you actually read what the law said before posting a random link? 18 USC 93 is about public officers and government employees and §1905 is specifically about them disclosing confidential information.
I don't understand what that has to do with your claim that it's illegal to read sensitive information the government published by mistake.
Perhaps read and understand the information you link to, it does lessen the "I'm an idiot" factor a bit.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: This article was seriously misunderstood
It has the following keywords: "to be seen or examined by any person except as provided by law"... This basically forbids external entities from seeing or examining the confidential material once govt makes a mistake.
otoh, I don't know where that thread continues in the law. The piece I pasted was really bradley manning is doing evil stuff -kind of piece, but it doesn't talk about julian assange. But it indicates the activity is illegal, but I don't know where assange's full ruleset is described in the law. But maybe you can follow the law dependencies and find the "seeing or examining" keywords and watch where they lead to?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: This article was seriously misunders
No, it doesn't. The first sentence of the law specifically states which persons are bound by it and what you quoted is one of the conditions that determines if the law has been broken by those people. You have yet again demonstrated that you don't know what you are talking about.
[ link to this | view in chronology ]
Re: Re: This article was seriously misunderstood by trolls on in
If you're looking for facts and law, you'll never find them in one of tp's posts.
[ link to this | view in chronology ]
Re: This article was seriously misunderstood by trolls on intern
The U.S. Supreme Court says otherwise. Florida Star v. B.J.F., 491 U.S. 524 (1989).
[ link to this | view in chronology ]
Re: Re: This article was seriously misunderstood by trolls on in
The current case isn't about newspaper reporters photographing police department's bulletin board. Instead sophisticated hackers are using view-source mechanism to uncover decoded data that contains SSN's after hackers decoded the information. The knowledge that the data contains SSN's is dangerous, given that only illegal hacking techniques can uncover that information. And as such, that information needs to be considered confidential, and thus not to be distributed outside of explicitly permissible area of the world. Any actions taken with the knowledge that data contains SSN's is illegal, including distributing the encoded or decoded data in dark web, passing any of the decoded SSN's to other parts of government services, or publishing the fact that the web site contains SSN's, linking the web site and the information that it contains SSN's, uploading/downloading the encoded or decoded data or simply any other ways of helping black hat hackers to obtain the SSN's. Basically even the techdirt discussion about the subject is illegal.
Confidential subject matter is special kind of stuff in the world, because information flow needs to be restricted when handling that material. While the damage already happened when newspapers published the info, any subsequent publications need to be carefully evaluated whether such information flow is necessary. Good plan is to place the information inside large wall of text, so that new readers of the material cannot find the relevant information and black hat hackers have trouble identifying which part of the text wall contains the confidential material.
[ link to this | view in chronology ]
Re: Re: Re: This article was seriously misunderstood by trolls o
Oh give me a break. Social security numbers are issued by the federal government and according to the issuing agency are not to be used as a means of identification, the act of using a social security number as a piece of Personal Identifying Information or PPI is itself a crime. The unfortunate thing here is that the many States have decided to use this for that very purpose. It's a damn account number to your Federal Pension. If it's not paired with many other pieces of information on specific individuals it's really useless. The US supreme court has ruled on this 100s of times. Do your damn research.
[ link to this | view in chronology ]
Re: Re: Re: This article was seriously misunderstood by trolls o
If you think viewing HTML for a web-page is "sophisticated hacking", that explains a lot about why you are such a failure.
[ link to this | view in chronology ]
Re: Re: Re: Re: This article was seriously misunderstood by trol
With view-source, you can only uncover encoded information. At that point, you don't even have information that the web site is handling SSN's.
The sophisticated hacking techniques are needed for 1) installing compiler 2) writing base64 or rot13 decoding routines or finding them from a library 3) compiling the software, 4) recognizing the encoded information format and then copy-pasting the encoded information to the software as input 5) examining the result and finding SSN's hidden within the feed.
Basically it's not so simple as clicking view-source.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: This article was seriously misunderstood by
What you call "sophisticated" is what I call basic understanding of web-based content. Also, there is no need to write any code at all, since most of the tools for viewing HTML-content and base64 encoded data are available in most OS's by default, and if that's not the case there are online tools or editors that allow you to do it.
Anyone who seriously thinks you need to write and compile code to view the source for web-based content is so far out of touch with reality it's ridiculous.
Regardless, it doesn't matter one bit. If the government publicly publishes sensitive information in whatever format, it's they that are breaking the law, not the ones reporting the government's mistake.
The correct action when citizens point out a problem is to act on the problem, not try to punish the citizens, and it shouldn't matter one bit what profession those citizens have. Or perhaps you think it's okay for the government to publish sensitive information as long as nobody points it out in fear of retribution?
Your every argument falls flat because they are so blindingly stupid it's mindboggling.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: This article was seriously misunderstood
This is where you're wrong. Since government had done their web page correctly by encoding the information, it's the hackers who get access to the information that are outside of the law. It's perfectly fine approach for government to use legal means (as opposed to technical barriers) to protect their content. And probably web page performance reasons are preventing using encryption, so the base64 stuff is enough for the content they're handling. The legal barrier still exist and anyone who can access the information inside those encoded boxes can be legally prosecuted. This is exactly what they're doing, once people decode the information inside these confidential areas, they can be prosecuted for hacking related laws.
But good luck decoding web pages without hacking techniques. You can try to do that in my https://meshpage.org/view.php the drag&drop data is base64 encoded, so good luck decoding it without hacking techniques.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: This article was seriously misunders
Name the law that makes my statement wrong. I want to see you fail spectacularly again, it's a common theme when it comes to you.
Not in this context, and funnily enough you actually posted a link to one of the laws governing this but you totally failed to understand it.
echo WW91IGFyZSBzdWNoIGEgbG9zZXIK | base64 -d -
"Sophisticated hacking techniques"... pfft..
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: This article was seriously misun
If you had actually tried to decode the data from my web site, you'd have noticed that it's not actually base64 encoded. So you're a failure.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was seriously m
Why would I waste time digging through your website, it's enough that you think using base64 is "sophisticated hacking techniques" which is a clear indication that your level of computer literacy is sub-par.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was serious
But your computer literacy isn't any better when you cannot keep browser's view-source dialog and the commandline tricks doing base64 decoding as separate operations. If you truly think that base64 decoding is part of view-source operation, your computer literacy is worse than sub-par.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was ser
"If you truly think that base64 decoding is part of view-source operation, your computer literacy is worse than sub-par."
Says the guy who doesn't know what encoding he uses, or given some comments here what the difference is between that and encryption.
Just in case there's anyone reading who is less ignorant than you (like, say, my cat), it's worth pointing out that "plain text" can include information that's encoded. Decoding base64 plain text is no different to opening up a dictionary to translate an unfamiliar word. I wouldn't be surprised if your litany of insane demands now extends to making the understanding of what you're reading illegal, but as usual the rest of us can be glad that your insane fantasy world still only has one resident.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was
The legal statutes that make the hacking activity illegal, already activates when the info is being decoded from its encoded form. I.e. the protections that control the usage of the confidential material does not need to be bulletproof. Even if persistent hackers manage to crack the protections, the legal framework gives encoded information possibility to sue the violators of hacking laws. This is why distributing DeCss for cracking dvd disks is illegal activity, even though entertainment industry failed to protect their intellectual property from persistent hackers. You've yourself mentioned that all and any copy-protection mechanism is fundamentally crackable, so you cannot now reverse and demand usage of encryption. A mere encoding is enough to protect government's valuable intellectual property, and legal framework can handle the violations.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article
"The legal statues that make the hacking activity illegal, already activates when the info is being decoded from its encoded form"
No, it really doesn't. That might apply to encryption, but not encoding, and you should be embarrassed not to know the difference.
"DeCss"
CSS is encryption, you raving dumbass.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This art
The fact that some people cracked their encryption is no reason to avoid liability under the law. Circumvention of technological protection measures is activating when they keep cracking copy-protections and avoiding the practices that entertainment industry put in place to protect against unauthorised copying of the material. The current case is no different, it still deals with unauthorised access of the protected content. You cannot claim that the access wasn't unauthorised.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This
"The fact that some people cracked their encryption is no reason to avoid liability under the law"
Yes, and there's no such law that applies to encoded data.
"The current case is no different, it still deals with unauthorised access of the protected content"
Again, the data was sent as a response to a request on a public website with no protection. It was authorised. It should not have been authorised, but the person viewing the authorised data is not liable for their screw up.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
This doesn't mean that it's authorised. Some web protocol cannot mess with the legal paperwork. You actually need to sign contract or something before you are properly authorised. If some 3rd party web module decides to send the data to anyone in the world does not mean that your authorisation paperwork is in order.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"This doesn't mean that its authorised."
Yes it does. If something is on a public website that does not require any direct authorisation to view, it's authorised for the public to view. That someone behind the website screwed up and authorised something that should not have been authorised does not change the implicit authorisation that comes with every publicly available website.
"You actually need to sign contract or something before you are properly authorised"
Which authorisation did you sign to read the comments here? Which authorisation is required before people click on your links and laugh at your shoddy website?
"If some 3rd party web module decides to send the data to anyone in the world does not mean that your authorisation paperwork is in order."
Then, your problem is with the 3rd party, not the people who viewed the data that you mistakenly authorised through them. The person viewing the site had implicit authorisation to download it as part of the HTML code provided when they requested the public page.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
My website with 3d models is slightly different than government's web site handling SSN's... I do not require any special kind of authorisation to access the data I created. But you cannot assume authorisation simply because some protocol uses 200 OK rest message.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"my website with 3d models is slightly different than government's web site handling SSN's"
No, it's not. You type the URL into your browser or click a link and the site is loaded.
"But you cannot assume authorisation simply because some protocol uses 200 OK rest message."
No, but you can assume that when that page is not behind any kind of login screen and is served to you on a publicly available URL that you're authorised to see it.
Again, you're deliberately confusing the issue here. Public authorisation was given when the data was served to the public. The fact that someone on the back end fucked up and the site served something they shouldn't have served is a totally different issue, and nothing to do with the people visiting the site.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
This kind of assumption leads to very illegal place.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"This kind of assumption leads to very illegal place."
According to you. The fun fact is that if your insane distortion of the facts was true, you could be held legally liable for viewing my comment here. Before you even reply to me, according to your idiotic interpretation of facts, you could be prosecuted before you typed a letter in response.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Yes. If you keep posting confidential information, or copyright infringements, then obviously anyone viewing your comments will be liable too. The law has concepts for direct infringer and secondary infringer and those need to be somehow linked to make a proper copyright case. And the whole bunch will be prosecuted.
I always knew that exploring techdirt was dangerous activity given that the people there had stupid copyright position. Guess we've got the message to you too now. Now we're just waiting what you do to fix the situation.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was ser
I never said it was, but that you think using base64-decoding is "sophisticated hacking techniques" is a clear indication of your sub-par computer literacy.
I should note that I have applied some of those "sophisticated hacking techniques" and my web-browser actually opens up my editor of choice when I do view-source, which happens to have built in base64 handling among other things.
And if I hadn't changed the settings in my web-browser, I could have used another "sophisticated hacking technique", copy & paste. Imagine that, showing off my leet skillz in such a brazen way!
And if I was particularly bored I could have used curl, grep & sed to feed base64 encoded text into a base64-decoder. Leet skillz indeed...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was seriously m
"the drag&drop data is base64 encoded"
"it's not actually base64 encoded"
Well, I mean nobody can really disprove your stupid claim if you can't decide what the claim is in the first place...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was serious
They also cannot do it if you fail to use those awesome hacking skills you as a blackhat hacker own....
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was ser
We're talking about the ability to parse text and your inability to understand the technology you supposedly work with. If this is awesome to you, then you're even more incompetent and ignorant than we thought - which, honestly is a hell of a trick given the low bar you usually set for yourself...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article was
There's very low bar in the law for considering your hacking skills criminally awesome. It's enough that you explore to areas of technology which is unavailable to other people due to legal problems. Basically, there's 3 main ways how it could happen: 1) bypassing login systems 2) circumvention of technological protection measures, 3) copyright infringement
All of them have the aspect where the hacker needs to explore illegal areas simply to do their hacking operations.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This article
"Basically, there's 3 main ways how it could happen: 1) bypassing login systems 2) circumvention of technological protection measures, 3) copyright infringement"
None of which happened in the story you're failing to understand. There was no login to bypass, the files were authorised to be received in plain text, there was no copyright applicable.
Once again, you're confusing yourself by trying to apply random things that only exist in your mind instead of the facts of the real world that everyone else is addressing.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This art
This isn't true. The SSN numbers were probably behind logins when the data was generated/stored in the servers.
This definitely isn't true. Government simply doesn't authorize general public from accessing SSN numbers in bulk.
This might be true.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: This
"The SSN numbers were probably behind logins when the data was generated/stored in the servers."
No, they weren't. The whole point of the issue is that they were sent as part of the HTML accessed via the public website. The entire story is that they were publicly available.
As ever, you're unable to deal with the facts at hand, so you invent a fictional scenario in which you're correct.
"Government simply doesn't authorize general public from accessing SSN numbers in bulk."
They do when they include them in the HTML sent as part of a request on a public site. They shouldn't be doing that of course, but they did.
"This might be true."
Of course it's true. So why did you pretend that it did?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Well, you as a web page reader need to filter out confidential information. Any documents where there's clear signs of "confidential" or "company confidential" or something like that, and you need to stop reading the material immediately, even if it was publicly posted to the dark web website.
Basically the whole idea that web servers are offering authorisation to all users is completely bogus stuff and whoever tries that are completely outside legal boundaries. I would call it fake authorisation attempt and belongs to the same category as spam emails or Nigerian scams.
[ link to this | view in chronology ]
Now I await your disingenuous attempt to move the goal post once again.
[ link to this | view in chronology ]
Re:
Check piratebay, I'm sure there exist legal paperwork that declares piratebay illegal even though it's just offering html pages...
[ link to this | view in chronology ]
Re: Re:
And here we have it, you moving the goal-post once again as I predicted. It's like you can't stop yourself from proving that you are a disingenuous loser.
[ link to this | view in chronology ]
Re: Re: Re:
Yes, when you write something stupid, I need to move goal posts to adjust to the changed reality. I simply cannot know beforehand how you want to go forward. So the goalposts are moving to the direction that YOU take it.
[ link to this | view in chronology ]
I do wonder who the idiot was who conflated a government web-site with the pirate bay... It's nothing a reasonable person would do...
[ link to this | view in chronology ]
Re:
You're the one who claimed that html pages cannot be outside of the law's boundaries... just found example which proves your statement was invalid.
[ link to this | view in chronology ]
Re: Re:
You are one stupid and dishonest fucker, a first grade liar with a poor grasp on reality. Let's go back to exactly what you said:
Which has fuck all to do with a website of dubious legality, but that's what you do, isn't it? Always moving the goal post, because you know you are wrong. And if you lack the self awareness to realize that you are wrong, you should seek professional help with your mental problems.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[Projects facts not in evidence]
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"Well, you as a web page reader need to filter out confidential information"
Which is of course not possible, since you don't know what will be displayed before you type in a URL or follow a link.
"Basically the whole idea that web servers are offering authorisation to all users is completely bogus stuff"
It's weird, I knew you didn't know how collaboration and creativity worked, but since you managed to get a working website online I didn't realise you didn't know how web servers worked...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
You can always immediately stop reading the page whenever you encounter confidential information. It doesn't matter if you typed in the url or followed a link, but google analytics will be your proof that you stopped reading the page immediately after detecting wrongdoing.
Legal position of other technology vendors is always difficult to guess. Some of their positions are downright stupid, i.e. even pirate sites have a legal position, even though it isn't very good one. But even if you aren't a pirate site, you can still filter out complete nonsense from your evaluation, like that web server authors would be able to change authorisation settings of the government entity.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Define how to detect confidential information that works in all contexts. I don't expect you to be able to, since you aren't smart enough to understand context. What we'll see though is you moving the goal post or offer up some idiocy.
Also, your legal theories aren't.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
You just check for keywords like "confidential" or "company confidential"...
Then you can look for signs of social security numbers for example. Or if it contains unpublished company secrets?
Humans have no problems detecting such things.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"You can always immediately stop reading the page whenever you encounter confidential information."
By the time I have the option to read it, the information is already downloaded, so you fail. Again.
"like that web server authors would be able to change authorisation settings of the government entity."
So, since nobody did that, you agree that the blame is with your fellow incompetents who offered the information publicly and not the person reading what they were given in response to a legal request?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
This assumes that the only concern is if some network-side tracking entity notices you're reading the material. But this isn't the main concern in the legal sphere. In fact, this indicates that you just want to get away with your illegal acts by hiding your network traffic from trackers.
But the real concern is your access to information which you're unable to handle. For example wikileaks have revealed tons of war memos which contain information that ordinary humans are not supposed to know about, and it could even be dangerous if read by children who do not appreciate the seriousness of the actions contained within the material. Some poor children learn that such activities are allowed within our system, and they use that information instinctively 50 years later when they have gained good position as a wingman of some army general. This all could be dangerous and the confidential information limitations are actually protecting consumers from the harms contained in the material.
It isn't just embarrassments of governments or hiding wrongdoing that confidential flags in documents are closing. It's also information that is too sensitive or flamboyant that it needs to be closed from the world.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"In fact, this indicates that you just want to get away with your illegal acts by hiding your network traffic from trackers."
No, it indicates that you started with a story about people viewing what they'd been authorised to download, and now you're making up insane bullshit to avoid the fact that the problem is with the person who sent the data, not the person who requested the publicly available webpage.
You'd get along a lot better in life if instead of spending days spinning fictional alternate versions of what's in front of you, you just dealt with reality.
This is simple - person goes to a public webpage, sees that they have access to data they shouldn't have been given, notifies the page that they shouldn't have given it to him, the page is fixed. It's only you and incompetent politicians pretending this has anything to do with the person who visited the page, but at least we know the politician has a profit motive for his incompetence.
[ link to this | view in chronology ]
Gov noise box.
Bottom line, under no circumstances EVER do you publish sensitive data thru a publicly accessible system, there should be isolation. Encrypted, encoded - does not matter, you don't do it. That is the real crime, the Gov is making noise to cover this huge, big bad, no no. Hey look over here...those are the bad guys, don't look at your trusted state Government for the bad guys and stupid people. These people that told you about it, they are the bad guys, after all "he who smelt it, dealt it", right? After all that's the state's proud motto!
[ link to this | view in chronology ]
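Two points made in the comments above, that base64 is an encoding anyone can reverse without a key and that sensitive data should never reach a public response in any form, can be turned into a check a site owner runs on a page body before it is served. This is an added example, not part of any comment and not code from the DESE site; it assumes base64 as discussed in the thread, and the function names, the sample HTML and the SSN value (000-12-3456, an area number that is never issued) are constructed.

```python
import base64
import binascii
import re

# Shape-only match for NNN-NN-NNNN; it does not validate issued ranges.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Runs of the base64 alphabet long enough to hold an encoded SSN
# (11 bytes encode to 16 characters), with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_ssns(body, depth=2, layer="plain"):
    """Return sorted (layer, value) pairs for SSN-shaped strings in body.

    depth is how many nested base64 layers are decoded and re-scanned;
    depth=0 behaves like a scanner that only looks at the visible text.
    """
    findings = {(layer, value) for value in SSN_RE.findall(body)}
    if depth > 0:
        for run in B64_RE.findall(body):
            stripped = run.rstrip("=")
            if len(stripped) % 4 == 1:
                continue  # no valid base64 string has this length
            padded = stripped + "=" * (-len(stripped) % 4)
            try:
                raw = base64.b64decode(padded, validate=True)
            except (binascii.Error, ValueError):
                continue
            # latin-1 maps every byte, so ASCII inside binary blobs survives.
            decoded = raw.decode("latin-1")
            findings |= set(find_ssns(decoded, depth - 1, "base64"))
    return sorted(findings)


def safe_to_publish(body):
    """True only if no SSN-shaped value is present in any scanned layer."""
    return not find_ssns(body)


# Constructed sample: a record hidden in a base64-encoded form field.
RECORD = "name=Constructed Teacher;ssn=000-12-3456"
ENCODED = base64.b64encode(RECORD.encode()).decode()
SAMPLE_HTML = (
    '<html><body><input type="hidden" name="state" '
    f'value="{ENCODED}"><p>Educator search</p></body></html>'
)
CLEAN_HTML = "<html><body><p>Educator search</p></body></html>"

if __name__ == "__main__":
    print("text-only scan:", find_ssns(SAMPLE_HTML, depth=0))
    print("decoding scan: ", find_ssns(SAMPLE_HTML))
    print("safe to publish:", safe_to_publish(SAMPLE_HTML))
```

A scan that stops at the visible text reports nothing for the sample page, while the decoding scan finds the value, which is why the fix belongs on the server side: the field should not be in the response at all.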
Re: Gov noise box.
It's the old story of shooting the messenger because you didn't like what he said, and if you can't shoot the messenger, just make baseless accusation.
[ link to this | view in chronology ]