Newly Revealed Details Show That Missouri Government Totally Knew That Journalists Were Not At Fault For Teacher Data Vulnerability
from the of-course-they-knew dept
Kudos for open records laws proving to us that not only is Missouri Governor Mike Parson a technologically illiterate hack, but he's a lying one as well. You'll recall, of course, that in October, the St. Louis Post-Dispatch reported on how the state's Department of Elementary and Secondary Education (DESE) website was designed in such a dangerous way that it was exposing the social security numbers of state teachers and administrators, and rather than thanking the journalists for their ethical disclosure of this total security fail by the state, DESE and Governor Parson called them hackers and asked law enforcement to prosecute them. Governor Parson continued to double down for weeks, insisting that reporting this vulnerability (and failed security by the government he runs) was malicious hacking until DESE finally admitted it fucked up and apologized to the over 600,000 teachers and administrators whose data was vulnerable -- but never apologizing to the journalists.
The Post-Dispatch, whose reporters potentially still face charges, put out an open records request to find out more about what the government was saying and discovered, somewhat incredibly, that before DESE referred to them as hackers, it already knew that it was at fault here and even initially planned to thank the journalists. As the documents reveal, the FBI flat out told DESE that this was a DESE fuckup and DESE had sent Gov. Parson a planned statement that thanked the journalists:
In an Oct. 12 email to officials in Gov. Mike Parson’s office, Mallory McGowin, spokeswoman for DESE, sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered.
“We are grateful to the member of the media who brought this to the state’s attention,” said a proposed quote from Education Commissioner Margie Vandeven.
The Parson administration and DESE did not end up using that quote.
The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a “hacker.”
This is truly incredible. As are the details of the conversation between a Missouri employee and a local FBI agent.
Meanwhile, at 3:24 p.m. on Oct. 13, Angie Robinson, cybersecurity specialist for the state, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis.
“Kyle informed me that after reading the emails from the reporter that this incident is not an actual network intrusion,” she said.
Instead, she wrote, the FBI agent said the state’s database was “misconfigured.”
“This misconfiguration allowed open source tools to be used to query data that should not be public,” she wrote.
So, by the time of the "hacker" statement by DESE, it was already pretty clear to people within DESE that it was DESE at fault and not journalists ethically disclosing DESE's terribly bad security practices. However, the report also notes that the FBI and the local Assistant US Attorney were still investigating whether or not they could bring criminal charges against the journalists:
“Kyle said the FBI would speak to Gwen Carroll, the AUSA (Assistant U.S. Attorney), with the updated information from the emails to see if this still fit the crime and if she was interested in prosecuting,” Robinson said.
Oh, and even worse: technically the criminal investigation is still ongoing:
As of Tuesday, the Highway Patrol’s investigation was still active, Capt. John Hotz told the Post-Dispatch.
That investigation needs to be closed, and everyone involved, from DESE to Governor Parson to the Highway Patrol, owes the St. Louis Post-Dispatch, its reporters, and the citizens of Missouri a massive apology.
Filed Under: data breach, dese, ethical disclosure, mike parson, missouri, right click, view source, vulnerability
Companies: st. louis post-dispatch
Reader Comments
The truth is always what is said the loudest by the one who has most to lose/most to gain! The governor in this case just likes the sound of his own voice and wants to appear to be 'the good guy'! Too many politicians are the same, with too little brain!
Now I'll just wait for tp to come here and apologize for how wrong he was.
Oh wait, Satan just called and said that Hell isn't due to freeze over anytime soon...
Re: tp
tp's only skill is sophistry. Admission of error is completely anathema to that.
Mike Parson makes a habit of ignoring data when it disagrees with his imagined reality. He is denying masks work despite evidence to the contrary from cities in his own state.
Re:
TLDR: A politician is being a politician
Does no one listen to their advisors or department managers anymore? I mean that IS why you hired them isn't it? To advise you on topics you aren't an expert on so you can make the best informed decision.
Re:
Apparently it is better to be a blowhard idiot? That is the only thing I can come up with.
Re: Re:
Or pandering to a voter base of idiots who believe conspiracy theories.
Re: Re:
better to blowhard on DESE nuts
Re:
A thought.
He won't back down until someone higher tells him to.
The citizens are ashamed because they thought they had someone smart in office.
And if he backs down, he will look like a loser.
And as with the masks, he will declare he won. Even if 2 times the people die, and it can be proven.
Has he passed the idea that the sick stay home and not go to the hospital yet?
Just waiting for it.
Re: Re:
It's sad really. He thinks that apologising and amending his world view makes him weak. If he did that, it would actually make him look like he had taken the time to actually understand something. THAT would make him look, not only SMART, but STRONG. He has shown that he doesn't have the capacity to be either.
Re:
I mean that IS why you hired them isn't it?
Supposedly. Then again, being that the governor is from the party of 'personal responsibility' the only thing he's probably learned is that he needs to install more simple-minded ignorant Luddites in those positions.
Only then, can they sit back, assume they can do no wrong, and blame any fuckup of theirs that they clearly don't understand as 'derp, must've been a hacker. ZOMG!'
Dorsey has been more supportive of free speech than many on the American political right ̶m̶i̶g̶h̶t̶ ̶t̶h̶i̶n̶k̶ .
Fixed.
Re:
Derp. Wrong article. Not sure how I managed that.
'That would be smart and honest, but not personally gainful...'
I imagine the deciding factor was simply 'What would benefit me/us more, admitting that the state screwed up or blaming someone else?', with such minor tidbits like actual guilt and whether or not they were ensuring that the next massive security screwup by the state will only be found out after it's been fully exploited or is publicly announced set aside as inconsequential in comparison to personal gains.
Re: 'That would be smart and honest, but not personally gainful.
A Republican admitting they made a mistake is rarer than a unicorn.
Re: "actual guilt"
This does bear some resemblance to cops and DAs railroading people into prison, and then when evidence fully proves the innocence of the convicted, the same parties, now including courts and legislatures, will dance in circles, demanding that the wrongfully imprisoned are guilty, and even if they are not, it doesn't matter.
Bit of a pattern.
Re: 'That would be smart and honest, but not personally gainful.
But can they actually gain something by claiming what everyone and their mother know to be false?
Is the rightwing base too stupid to realize it's BS or does it just not care as long as the liberal media are blamed?
Re: Re: 'That would be smart and honest, but not personally gain
Their right wing base, and some of the politicians, are so far into conspiracy theories that their grasp on reality has gone awol.
Re: Re: 'That would be smart and honest, but not personally gain
Is the rightwing base too stupid to realize it's BS or does it just not care as long as the liberal media are blamed?
Oh do I hope that was a rhetorical/sarcastic question. On the off chance that it wasn't though...
An ongoing pandemic with a body count of well over half a million in the US alone has been politicized and is being used to keep the Trump cultists riled up about how the dastardly libs are out to steal their freedom (from personal consequences) with a deadly effect.
Yes, they are that stupid.
Politicians never letting truth get in the way of the constant campaigning for reelection.
Charges?
In the UK at least, a person can be charged with "wasting police time". Does this exist in the State of Misery, err, Missouri? Was even a millisecond of "police time" wasted on this? If so, is the Guv going to be charged?
Re: Charges?
If only. I think the best that can happen here is libel. But if these FOIs are anything to go by, that is dead certain, which will make MP look really stupid
Please, Mike, use the proper technical terms: Mike Parson is full of shit.
'That investigation needs to be closed, and everyone involved from DESE to Governor Parson to the Highway Patrol owe the St. Louis Post-Dispatch, its reporters, and the citizens of Missouri a massive apology'
I doubt if that'll happen because it's gonna make everyone from DESE and, of course, more importantly, Governor Parson, look like the massive c***s that they are.
The problem is that this sort of thing is not the first, nor will it be the last incident of this type. The even bigger problem is that it's so much easier for those who have made the massive fuck-up to blame others or to threaten others with legal action than to hold their hands up, say 'thank you' to those pointing out what's wrong, and correct the issue(s). No one likes it when it's pointed out that screw ups have been made but to pass the buck because it's embarrassing is a very poor way for people in positions of trust, amongst others, is pathetic!