Missouri's Governor Still Insists Reporter Is A Hacker, Even As Prosecutors Decline To Press Charges
from the disgusting dept
Last autumn, you may recall, the St. Louis Post-Dispatch published an article revealing that the Missouri Department of Elementary and Secondary Education (DESE) was leaking the Social Security numbers of teachers and administrators, past and present, by putting that information directly in the HTML. The reporters at the paper ethically disclosed this to the state, and waited until this very, very bad security mistake had been patched before publishing the story. In response, rather than admitting that an agency under his watch had messed up, Missouri Governor Mike Parson made himself into a complete laughingstock, by insisting that the act of viewing the source code on the web page was nefarious hacking. Every chance he had to admit he fucked up, he doubled down instead.
The following month, the agency, DESE, flat out admitted it screwed up and apologized to teachers and administrators, and offered them credit monitoring... but still did not apologize to the journalists. FOIA requests eventually revealed that before Governor Parson had called the reporters hackers, the FBI had already told the state that no network intrusion had taken place and it was also revealed that the state had initially planned to thank the journalists. Instead, Parson blundered in and insisted that it was hacking and that people should be prosecuted.
Hell, three weeks after it was revealed that the FBI had told the state that no hacking had happened, Parson was still saying that he expected the journalists to be prosecuted.
Finally, late on Friday, the prosecutors said that they were not pressing charges and considered the matter closed. The main journalist at the center of this, Jon Renaud, broke his silence with a lengthy statement that is worth reading. Here's a snippet:
This decision is a relief. But it does not repair the harm done to me and my family.
My actions were entirely legal and consistent with established journalistic principles.
Yet Gov. Mike Parson falsely accused me of being a “hacker” in a televised press conference, in press releases sent to every teacher across the state, and in attack ads aired by his political action committee. He ordered the Highway Patrol to begin a criminal investigation, forcing me to keep silent for four anxious months.
This was a political persecution of a journalist, plain and simple.
Despite this, I am proud that my reporting exposed a critical issue, and that it caused the state to take steps to better safeguard teachers’ private data.
At the same time, I am concerned that the governor’s actions have left the state more vulnerable to future bad actors. His high-profile threats of legal retribution against me and the Post-Dispatch likely will have a chilling effect, deterring people from reporting security or privacy flaws in Missouri, and decreasing the chance those flaws get fixed.
This has been one of the most difficult seasons of my nearly 20-year career in journalism
Later in the letter, he notes that a week earlier, Parson himself had decried the treatment of his rejected nominee to lead the state's Department of Health and Senior Services, noting that Parson complained that "more care was given to political gain than the harm caused to a man and his family." Renaud noted that the same could be said of Parson's treatment of himself:
Every word Gov. Parson wrote applies equally to the way he treated me.
He concludes by hoping that "Parson's eyes will be opened, that he will see the harm he did to me and my family, that he will apologize, and that he will show Missourians a better way."
And Parson showed himself to be a bigger man and did exactly that... ha ha, just kidding. Parson just kept digging, and put out a truly obnoxious statement, with no apology and continuing to insist that Renaud hacked the government's computers even though -- again, this is important, lest you just think the governor is simply technically ignorant -- the FBI has already told him that there was no hacking:
"The hacking of Missouri teachers' personally identifiable information is a clear violation of Section 56.095, RSMo, which the state takes seriously. The state did its part by investigating and presenting its findings to the Cole County Prosecutor, who has elected not to press charges, as is his prerogative.
The Prosecutor believes the matter has been properly address and resolved through non-legal means.
The state will continue to work to ensure safeguards are in place to protect state data and prevent unauthorized hacks.
This whole statement is utter hogwash and embarrassing nonsense. Again, there was no hacking whatsoever. The state messed up by putting information that should never, ever be in HTML code into HTML code, making it accessible for anyone who viewed the source on their own computer. The state messed up. The state failed to secure the data. The state sent that data to the browsers of everyone who visited certain pages on their public websites. Renaud did exactly the right thing. He discovered this terrible security flaw that the state put on the database, ethically reported it, waited until the state fixed its own error, and then reported on it.
Parson knew from the beginning that no hacking occurred. The FBI told the state that no hacking occurred. The state had prepared to thank Renaud and his colleagues at the St. Louis Post-Dispatch. It was only after Parson decided to deny, deny, deny and blame, blame, blame reporters for pointing out Parson's own government's failings, that this whole thing got out of hand.
The prosecutors have their own reasons for declining to prosecute, but the most likely reason is they knew they'd get laughed out of court and it would make them and Parson look even more ridiculous. Renaud chose give a heartfelt write up of what Parson's nonsense put him through, and asked in the politest way possible for Parson to look deep inside at the harm he had caused and to apologize. Instead, Parson quadrupled down, continued to insist that his own government's failings could be blamed on a "hack," and insisting that he's trying to "protect" the state when all he's done is show why no serious tech company should do business in such a state.
Missouri: elect better politicians. Parson is an embarrassment.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: dese, ethical disclosure, hacking, jon renaud, journalism, mike parson, missouri, security flaw, view source
Companies: st. louis post-dispatch
Reader Comments
Subscribe: RSS
View by: Time | Thread
I'm pretty sure this would meet the malicious intent hurdles of a slander/libel case against the governor. The governor was told by multiple sources that the information he was speaking was incorrect, yet kept on doing it.
[ link to this | view in chronology ]
Re:
Parson would probably claim it was opinion, not a statement of fact. And since there has been no trial or acquittal of the reporter, he might pull that off. (IANAL)
[ link to this | view in chronology ]
Could an elected official be successfully sued for slander since he is on record having called this journalist a hacker multiple times? Or do you think they would claim qualified immunity?
[ link to this | view in chronology ]
For defamation specifically, I don't know. But knowingly using your office's power like this is a pretty clear violation of the First Amendment.
For reference, here's what happened when Texas governor Greg Abbott tried using his position to stomp out the FFRF.
https://ffrf.org/news/news-releases/item/38830-breaking-news-ffrf-wins-major-court-victory-aga inst-gov-abbott-censorship
And do note that this case found itself in front of the notoriously government-abuse-friendly Fifth Circuit multiple times. They sided AGAINST Abbott every single one of them.
[ link to this | view in chronology ]
Mike Parson wants to distract from what a terrible job he is doing. Blame the messenger type of guy. What a turd.
[ link to this | view in chronology ]
Parson is an Idiot
But he is a Republican ... and that's enough. thoughts of a Republican voter
[ link to this | view in chronology ]
Re: Parson is an Idiot
Oh, thats what the R stands for, I thought it meant something else
[ link to this | view in chronology ]
oh doh!
hope the canned good industry does not hear of this Gub'ner's antics, we might be arrested for READING THE INGREDIENTS printed on the label!
[ link to this | view in chronology ]
Game Theory
Lets do some basic maths. So, you have 2 axis, a boolean "report" and "dont report", not a lot of wiggle room between the 2. On the other axis, you have intent. Lets start with "journalist" and "criminal". The outcome of the axis is "security of data".
"Journalist Reports": data can be secured
"Journalist Doesn't Report: data still isn't secure
"Criminal Reports": odd, but data has leaked but can be secured after the data has likely been swiped
"Criminal Doesn't Report": data definitely stolen
So that gives a broad 25% chance the data can be kept safe, and a hard 50% chance that the data has been stolen.
Now add into that a middleground for nefariousness, like common citizen, and the likelyhood that the data is safe drops to 16%.
Granted, those a broad figures and would need more detailed numbers on how many criminals there are out there, but doubling down on blaming the one vector that could have brought light to the leakage is the dumbest possible choice.
What was he even trying to achieve? The only logical outcome would be for him to paint everyone who understands computers as a threat.
But even more so, he went down that route, what IT professional would go anywhere near his campaign and potentially protect his sites/campaigns/profiles if thats how he views it?
[ link to this | view in chronology ]
On Brand
Entirely predictable that for a modern GOP politician "reading" equals "hacking"...
[ link to this | view in chronology ]
Mene, mene, tekel, Parson
"weighed in the balance and found wanting"
The writing is on the wall, or, in this case, in plaintext in the HTML.
[ link to this | view in chronology ]
From the code on governor.mo.gov
/** @file
*/
[ link to this | view in chronology ]
So knowing how to right click makes you a hacker. Missouri's idiot governor's like a dog who thinks his owner is God because he knows how to work a doorknob.
[ link to this | view in chronology ]
I blame the mouse and keyboard manufacturers. How dare they offer right clicks and function keys so that you can view source code! Bastards!
[ link to this | view in chronology ]
Given the ever increasing list of right wing websites that have turned out to be security disasters, I can't wait for the big push to ban the view source functionality from browsers as though that would somehow stop it happening. Should be fun to see the usual suspects here doing logic backflips to defend it.
[ link to this | view in chronology ]
Man, when even your prosecution arm is telling you that you're fighting a completely lost case and your response is to double down...
[ link to this | view in chronology ]
Same motivation.
Both parties are simply following the most likely path to keep their job. The job evaluation of Parson is done by the voters of Missouri. There is no point in letting a scapegoat off the hook when a voting majority would not be able to tell the difference anyhow.
[ link to this | view in chronology ]
Re: Same motivation.
His job evaluation is done by the party bosses and the lobbyists. They decide if he gets the money and machinery to run.
The voters are an afterthought.
[ link to this | view in chronology ]
Here is where the Post-Dispatch went wrong. They should have asked permission for their hacking first. Possibly with an enclosed campaign contribution, or a promise to write the story as somehow the Democrat's fault. Then it would have been an authorized hack.
[ link to this | view in chronology ]
'He wouldn't be so confident if he was wrong, so...'
Disgusting, but not surprising. He's already declared who the guilty party is and as their Dear Leader showed by example you never admit when you're wrong, instead just keep insisting you're right and enough gullible(at best) people will take your confidence as confirmation of begin correct.
[ link to this | view in chronology ]
Political hack, claims hack.
Supporters have already decided that the Russians were behind the smear campagin & will triple their support of a man who shouldn't be trusted with a box of crayons let alone running a state.
[ link to this | view in chronology ]
[ link to this | view in chronology ]