A Missouri Reporter Is Getting Blamed For the Security Flaw He Exposed
A Missouri Reporter Is Getting Blamed For the Security Flaw He Exposed
The governor wants to prosecute a journalist for uncovering a security problem. Critics worry the ordeal could stifle good-faith vulnerability research.
JEFFERSON CITY, MO - MAY 17: Missouri Governor Mike Parson addresses the media on the last day of legislative session at the Missouri State Capitol Building on May 17, 2019 in Jefferson City, Missouri. Photographer: Michael B. Thomas/Getty Images North America
ByJack Gillum
11 January 2022, 11:45 GMT
Share this article
What to know in tech
Get insights from reporters around the world in the Fully Charged newsletter.
Email
Enter your email
Sign Up
Bloomberg may send me offers and promotions.
By submitting my information, I agree to the Privacy Policy and Terms of Service.
Hi everyone, it’s Jack in Washington. A Missouri reporter found a security problem on a state website. The governor claims that’s a criminal offense. But first...
Today’s top tech news:
Take-Two Interactive is paying $11 billion for FarmVille-maker Zynga
Moxie Marlinspike is stepping down as the CEO of Signal
Rivian’s stock fell on the news its COO departed
From right-click to ‘hacker’
St. Louis Post-Dispatch reporter Josh Renaud discovered a major security flaw on a Missouri state website last October. With a simple right-click and some elementary decoding, he found that anyone with a web browser could view thousands of educators’ Social Security numbers. Soon after, the governor of Missouri vowed to prosecute him for “hacking.”
The episode resurfaced two weeks ago when Governor Mike Parson said he expects a local prosecutor to file charges against Renaud. It’s not clear that a case will be brought, but the blowup has surprised me and fellow security journalists. Even in a post-Trump era where “fake news” barbs have become commonplace, it’s altogether different to sic law enforcement on the Fourth Estate for essentially hitting the F12 key and examining a website’s source code. (A spokeswoman recently emailed me to say that “Hacking is NOT journalism.”)
As security experts have pointed out, such rhetoric can create a chilling effect for those who expose government security flaws in good faith. That’s a particularly worrisome problem as severe hacks continue to show the vulnerability of U.S. infrastructure.
Why did the governor decide to go after the reporter? I recently obtained several hundred pages of emails sent among the governor’s staff that showed the hour-by-hour decision-making by Parson’s top aides, such as first describing Renaud as an “individual” before dubbing him a “hacker.”
Some of those notes were first reported by the Post-Dispatch, while others I received under open-records laws revealed general disinclination to speak to the press. For example, in response to a request to appear on Brian Stelter’s “Reliable Sources” on CNN, Parson’s office cheerily responded: “Unfortunately, Governor Parson is not available. Take care!”
In reply after reply, Parson’s spokespeople tried to paint Renaud’s journalism as “more than just a right click” on a web browser. In the emails, one draft talking point mirrored language earlier used by Parson’s top lawyer, Andrew Bailey, alleging the reporter took “eight separate steps” to get the Social Security numbers (one of which, I’m told, was opening a new tab in Google Chrome).
The governor’s office may have also seen a political benefit in warring with the media: Days after the initial press conference, a pro-Parson political action committee aired an ad decrying the “squalid excuse for journalism.”
Security experts, however, say the exposure of the Social Security numbers was the real problem. Even if someone publishes a secret in, say, Morse code, they’re still responsible for publishing the secret.
“The problem here is the state’s accidental disclosure of information,” says Alex Abdo, the litigation director at the Knight First Amendment Institute at Columbia University who’s been involved with sensitive national security issues. “We should be celebrating the fact that someone discovered this flaw and reported it.”
Jones, the governor’s spokeswoman, said the state was “owning its part” in the incident. But she warned that officials were committed “to bring to justice anyone who hacked our system and anyone who aided or encouraged him to do so—in accordance with what Missouri law allows AND requires.”
For me, the ordeal echoes Georgia Governor Brian Kemp’s 2018 claims that the state Democratic Party hacked Georgia’s voter-registration website, after security researchers pointed out vulnerabilities in the system. (Kemp oversaw the state’s elections at the time and was in a close gubernatorial race with Democrat Stacey Abrams.) My colleagues and I at ProPublica found the state quietly fixed the very problems it said didn’t exist. And documents later released under open-records laws ultimately discredited Kemp’s hacking allegations.
As Parson awaits a criminal complaint, the website that Renaud warned about is back online. This time, it omits Social Security numbers.
“The computer-security community has been paying close attention to the situation,” said Kurt Opsahl, the general counsel and deputy executive editor of the Electronic Frontier Foundation. And he warned that there will be drawbacks to going after anyone who points out the inevitable vulnerabilities in U.S. cybersecurity. Said Opsahl: “If the state goes through with charging the reporter, it will discourage reporting flaws.” —Jack Gillum
The governor wants to prosecute a journalist for uncovering a security problem. Critics worry the ordeal could stifle good-faith vulnerability research.
JEFFERSON CITY, MO - MAY 17: Missouri Governor Mike Parson addresses the media on the last day of legislative session at the Missouri State Capitol Building on May 17, 2019 in Jefferson City, Missouri. Photographer: Michael B. Thomas/Getty Images North America
ByJack Gillum
11 January 2022, 11:45 GMT
Share this article
What to know in tech
Get insights from reporters around the world in the Fully Charged newsletter.
Enter your email
Sign Up
Bloomberg may send me offers and promotions.
By submitting my information, I agree to the Privacy Policy and Terms of Service.
Hi everyone, it’s Jack in Washington. A Missouri reporter found a security problem on a state website. The governor claims that’s a criminal offense. But first...
Today’s top tech news:
Take-Two Interactive is paying $11 billion for FarmVille-maker Zynga
Moxie Marlinspike is stepping down as the CEO of Signal
Rivian’s stock fell on the news its COO departed
From right-click to ‘hacker’
St. Louis Post-Dispatch reporter Josh Renaud discovered a major security flaw on a Missouri state website last October. With a simple right-click and some elementary decoding, he found that anyone with a web browser could view thousands of educators’ Social Security numbers. Soon after, the governor of Missouri vowed to prosecute him for “hacking.”
The episode resurfaced two weeks ago when Governor Mike Parson said he expects a local prosecutor to file charges against Renaud. It’s not clear that a case will be brought, but the blowup has surprised me and fellow security journalists. Even in a post-Trump era where “fake news” barbs have become commonplace, it’s altogether different to sic law enforcement on the Fourth Estate for essentially hitting the F12 key and examining a website’s source code. (A spokeswoman recently emailed me to say that “Hacking is NOT journalism.”)
As security experts have pointed out, such rhetoric can create a chilling effect for those who expose government security flaws in good faith. That’s a particularly worrisome problem as severe hacks continue to show the vulnerability of U.S. infrastructure.
Why did the governor decide to go after the reporter? I recently obtained several hundred pages of emails sent among the governor’s staff that showed the hour-by-hour decision-making by Parson’s top aides, such as first describing Renaud as an “individual” before dubbing him a “hacker.”
Some of those notes were first reported by the Post-Dispatch, while others I received under open-records laws revealed general disinclination to speak to the press. For example, in response to a request to appear on Brian Stelter’s “Reliable Sources” on CNN, Parson’s office cheerily responded: “Unfortunately, Governor Parson is not available. Take care!”
In reply after reply, Parson’s spokespeople tried to paint Renaud’s journalism as “more than just a right click” on a web browser. In the emails, one draft talking point mirrored language earlier used by Parson’s top lawyer, Andrew Bailey, alleging the reporter took “eight separate steps” to get the Social Security numbers (one of which, I’m told, was opening a new tab in Google Chrome).
The governor’s office may have also seen a political benefit in warring with the media: Days after the initial press conference, a pro-Parson political action committee aired an ad decrying the “squalid excuse for journalism.”
Security experts, however, say the exposure of the Social Security numbers was the real problem. Even if someone publishes a secret in, say, Morse code, they’re still responsible for publishing the secret.
“The problem here is the state’s accidental disclosure of information,” says Alex Abdo, the litigation director at the Knight First Amendment Institute at Columbia University who’s been involved with sensitive national security issues. “We should be celebrating the fact that someone discovered this flaw and reported it.”
Jones, the governor’s spokeswoman, said the state was “owning its part” in the incident. But she warned that officials were committed “to bring to justice anyone who hacked our system and anyone who aided or encouraged him to do so—in accordance with what Missouri law allows AND requires.”
For me, the ordeal echoes Georgia Governor Brian Kemp’s 2018 claims that the state Democratic Party hacked Georgia’s voter-registration website, after security researchers pointed out vulnerabilities in the system. (Kemp oversaw the state’s elections at the time and was in a close gubernatorial race with Democrat Stacey Abrams.) My colleagues and I at ProPublica found the state quietly fixed the very problems it said didn’t exist. And documents later released under open-records laws ultimately discredited Kemp’s hacking allegations.
As Parson awaits a criminal complaint, the website that Renaud warned about is back online. This time, it omits Social Security numbers.
“The computer-security community has been paying close attention to the situation,” said Kurt Opsahl, the general counsel and deputy executive editor of the Electronic Frontier Foundation. And he warned that there will be drawbacks to going after anyone who points out the inevitable vulnerabilities in U.S. cybersecurity. Said Opsahl: “If the state goes through with charging the reporter, it will discourage reporting flaws.” —Jack Gillum
