Missouri state government computers were making the SSN#s of teachers public. The governor is responding prosecuting the expert and reporter who notified them of the problem. The cybersecurity community is outraged by this.
What gets lost in this discussion is what the law says.
What gets lost in this discussion is what the law says.
Obviously, everyone should be outraged when a well-meaning whistleblower pointing out government incompetence is then prosecuted by the embarrassed government. You don't need to be a computer scientist to understand the problem here.
Such "disclosure" of vulnerabilities is a standard practice in cybersecurity. Outsiders pointing out problems is pretty much the only way cybersecurity improves -- something that has been known since the late 1800s. So we are especially offended by this.
There is also the subtle issue of how they saw the SSN#s, by doing "view source" on the website, peeling off the top layer of how it looks to the underlying raw code of the page. This seems like nefarious witchcraft to muggles.
But it's a standard practice that techies do all the time. That's why the feature exists in browsers, because we use it all the time. We techies feel a bit attacked here by the ignorance of muggles.
Despite all this, the law says what the law says. Techies claim that "view source" isn't illegal, but maybe the Missouri state law says that it is indeed illegal if you are doing so in order to see SSN#s.
Twitter has this weird relationship with the law, saying that "X isn't illegal" when they mean to say "X shouldn't be illegal". The "rule of law" means that if the law says something is illegal, then it's illegal, regardless of whether you think that's what the law should say.
I am not a lawyer, so I can't read the above the above law. But if prosecutors bring a case, then it means that they believe the law says that the activity is illegal.
This tweet focuses on the other part. This is why I bring muggles vs. witchcraft into the discussion. Would the average, reasonable person (i.e. non-techie) understand that they were not authorized to see the SSN# in the source?
https://twitter.com/steve_tornio/status/1476725831267463171
You techies and I believe that if a website delivers a webpage we are authorized to read, then we are authorized to also view source. But it doesn't matter what we techies think -- it matters if an average, reasonable person believes we are authorized to view source.
The average, reasonable person believes that witchcraft is unauthorized, that any technical barrier they don't have the skills to cross is a line declaring "unauthorized past this point".
In the end, they "knowingly" read the viewstate information containing the SSN#. Their "intent" was the read that information.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
