"This was a political persecution of a journalist, plain and simple."
February 12, 2022 7:35 AM

Yesterday evening, the Cole County, Missouri prosecutor declined to file charges against Josh Renaud, a journalist from the St. Louis Post-Dispatch who discovered a flaw in a state website exposing private information and ethically disclosed the vulnerability to the state before the paper published its story. Renaud's statement begins: "This decision is a relief. But it does not repair the harm done to me and my family. My actions were entirely legal and consistent with established journalistic principles."

In October, Renaud discovered a public-facing state website was transmitting unencrypted Social Security numbers of Missouri teachers. He alerted the state's Department of Elementary and Secondary Education to give them time to fix the problem before the paper published its story. The department initially planned to say it was "grateful to the member of the media who brought this to the state's attention" before the press release's language was changed to instead call the journalist an "individual" and finally, a "hacker".

After the story was published, Missouri Governor Mike Parson held a press conference, where he vowed "We will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the news outlet’s political vendetta."

The Missouri Highway Patrol opened an investigation despite the state being told by the FBI "this incident is not an actual network intrusion" and that the database was "misconfigured".

While the Governor admitted in a TV interview that he was "no computer expert. I’ll be the first to admit that," he also attempted to describe the situation: “They pretty well spun the story from day one that it was a right click,” he said. “Well trust me, it’s much more than a right click. Because you got to talk about decoders and all these kinds of things that were used.”

The data being sent by the state's website was encoded, but not encrypted.

The Governor was roundly criticized for his handling of the situation, including by Republican Representative Tony Lovasco, who tweeted: "It's clear the Governor's office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities. Journalists responsibly sounding an alarm on data privacy is not criminal hacking."

So far, the Governor has refused to apologize.
posted by brentajones (20 comments total) 33 users marked this as a favorite
 
This reminds me of when corporations or public figures who have made egregious transgressions receive negative comments on their website so they shut down commenting because they have been “hacked.”

Remember: any sentence is true if you are allowed to redefine the words.
posted by ricochet biscuit at 7:42 AM on February 12, 2022 [14 favorites]


well, this turned out much better than the querystring guy.

changing

https://att.com/whatever?icc-id=1234

to

https://att.com/whatever?icc-id=2345

via scripting was not a hack. but it was a successful prosecution.
posted by j_curiouser at 8:00 AM on February 12, 2022 [4 favorites]


Yeah, this guy isn't a Nazi.
posted by Pope Guilty at 9:32 AM on February 12, 2022 [5 favorites]


I wish there were some kind of analogue to barratry that Parson could be prosecuted under.
posted by humbug at 10:10 AM on February 12, 2022 [4 favorites]


What a rough time Josh Renaud has had.

"I’m thankful for the Post-Dispatch, which never wavered in its commitment to me."

Good to hear.
posted by brainwane at 10:45 AM on February 12, 2022 [16 favorites]


Lee Enterprises owns the St. Louis Post-Dispatch. Alden Global Capital tried to buy Lee, but was rebuffed a few months ago. I doubt Alden would have been as supportive.
posted by CheeseDigestsAll at 11:52 AM on February 12, 2022 [9 favorites]


Also, what's up with states using the Highway Patrol as private militias? This happened in Montana recently when the AG used the patrol to try and bully a local hospital into providing ivermectin.
posted by CheeseDigestsAll at 11:58 AM on February 12, 2022 [12 favorites]


as someone who lives in a state where Lee has bought up any newspaper of any size whatsoever and gutted their newsrooms to syndicate the same articles to all the newspapers, I'm shocked that they did support him. (this has saved me money - subscribe to the biggest paper in the state and it's like subscribing to them all).

Alden Global Capital is so much worse, but Lee Enterprises is bad as media owners too, overall.
posted by jkosmicki at 1:38 PM on February 12, 2022 [6 favorites]


Bullies never apologize.
posted by interogative mood at 1:47 PM on February 12, 2022 [5 favorites]


The AT&T querystring guy is totally different. Whether it was hard or not, they went in with illegal activity in mind and deserved what they got. This case is a journalist who ethically warned the state and got smeared by an administration with a political agenda.
posted by freecellwizard at 3:18 PM on February 12, 2022 [8 favorites]


There sure are a lot of people in Missouri state government who should be put in jail over going after a private citizen, all the way up to and including the fucking governor.
posted by They sucked his brains out! at 5:41 PM on February 12, 2022 [6 favorites]


I've been following Missouri politics closely for over 20 years now, and this takes the cake as the dumbest political scandal in that period.

All the gov had to do was say "Hey thanks for the heads up about this problem (which was 100% caused by the previous administration which was run by the other party cough cough cough). We're right on it now and we're going to fix it right." This is exactly what the Dept of Education wanted to do - but they were overruled by the gov.

With an apology and promise to fix the problem, the whole thing would have been a 6 hour minor news story, come and gone in a day. The administration would have looked smart and proactive.

(Even though they actually weren't.)

Instead it's a months long dragged out news disaster for the gov, where he looks dumber and dumber at each step.

Step 1. Point gun at own foot.

Step 2. Pull trigger repeatedly.
posted by flug at 11:39 PM on February 12, 2022 [10 favorites]


Does anyone have any more information on the nature of the "encoding"? My nerd self is just curious about just how obvious the SSN's were.
posted by ftm at 7:31 AM on February 13, 2022


From this I gather that encoding meant html encoding, so decoding meant looking at the html source and seeing "012-34-5678" there.
posted by hypnogogue at 7:57 AM on February 13, 2022 [1 favorite]


Does anyone have any more information on the nature of the "encoding"? My nerd self is just curious about just how obvious the SSN's were. - ftm

IIRC there hasn't been a lot of confirmation as to the specifics by the people involved, but there's speculation that it was base64.
posted by brentajones at 9:18 AM on February 13, 2022 [2 favorites]


Ah, that makes good sense. So encoded, but not in any sense obfuscated or encrypted or hidden.
posted by ftm at 10:34 AM on February 13, 2022 [1 favorite]


Well, it was disguised just well enough to prevent incompetent tools and audits that scan for SSNs from detecting it; anything searching for “123-45-6789” would have missed it. I’m not sure if that state is governed by sunshine laws, but I feel like it’d be interesting to ask whether the base64 encoding was added at the same time, or later than, the SSN itself.
posted by Callisto Prime at 10:52 AM on February 14, 2022
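
The point in the comment above, as an added example (not part of the thread, and not code from any tool or party in the story): a scan that only greps for the NNN-NN-NNNN pattern misses a base64-wrapped SSN, while one that decodes base64 runs before matching finds it. Base64 is the thread's speculation, not a confirmed detail; the page markup, field name and SSN value below are constructed.

```python
import base64
import binascii
import re

# NNN-NN-NNNN that is not part of a longer digit run.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Runs of the base64 alphabet long enough to carry an 11-character SSN.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample: a hypothetical hidden form field holding a
# base64-encoded record. "000" is never issued as an SSN area number.
_RECORD = b'{"teacher":"Pat Example","ssn":"000-12-3456"}'
SAMPLE_PAGE = (
    '<form><input type="hidden" name="record" value="'
    + base64.b64encode(_RECORD).decode("ascii")
    + '"></form>'
)


def decode_candidate(token):
    """Return the decoded text of a plausible base64 token, else None."""
    token = token.rstrip("=")
    token += "=" * (-len(token) % 4)  # restore padding lost to truncation
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        # Not base64, or decodes to bytes that are not text.
        return None


def find_ssns(body):
    """Return sorted (encoding, ssn) findings for one response body."""
    findings = {("plain", m) for m in SSN_RE.findall(body)}
    for token in B64_RE.findall(body):
        text = decode_candidate(token)
        if text:
            findings.update(("base64", m) for m in SSN_RE.findall(text))
    return sorted(findings)


if __name__ == "__main__":
    print("pattern-only scan:", SSN_RE.findall(SAMPLE_PAGE))
    print("decode-then-scan: ", find_ssns(SAMPLE_PAGE))
```
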


I would guess that Parson's background in law enforcement -- he's the former sheriff of a small, rural county -- paired with his desire to stick it to the media at every opportunity makes him inclined to see crimes where they don't exist.
posted by HiddenInput at 10:55 AM on February 14, 2022 [2 favorites]


If you are interested in following this story further: Josh Renaud, the journalist at the center of the story, will be on St. Louis Public Radio's talk show today at noon (Central time).

Disclaimer: I work for the radio station (I avoided including our coverage in the OP) but I am not regularly involved in the talk show and wasn't privy to anything about Josh being on today. It was, in fact, a surprise to me.
posted by brentajones at 8:23 AM on February 16, 2022 [1 favorite]


Further update: The newspaper got information related to the police investigation of the "hacking", which found that the vulnerability "would have been there since 2011, when the application was implemented," according to an education department spokesperson. The spokesperson also told the police that the journalist hadn't accessed "anything that was not publicly available, nor was he in a place he should not have been."

The paper reported that the police spent about 175 hours investigating, with three officers assisting, but the state didn't provide a cost estimate.
posted by brentajones at 11:50 AM on February 21, 2022 [1 favorite]

