Did that journalist really hack the Missouri state education website?

a close up side-view of a laptop that is partially open. the screen and keyboard glows. Photo credit phinehas adams xH3cUqeAUm0 via unsplash

Last fall, there was a minor kerfuffle out of Missouri (among so many others…can anyone keep up anymore?) that caught our attention because of just how absurd it was: Governor Parson accused a Post-Dispatch reporter (who notified the state prior to publishing his story on the topic) of “hacking” the Department of Elementary and Secondary Education (DESE)’s website:

The governor’s office deemed the reporter’s actions as criminal and, despite experts chiming in to explain and defend that reporter, doubled down on their original accusations–referring the case to the State Patrol for investigation and painting a whistleblower as a criminal.

What is “hacking” anyway?

There is regular chatter around the BIPi offices about “hacks”. One of our favorite ones recently was the “GENIUS AVOCADO HACK” that the Whole30 brand shared on Instagram:

… we are very enthusiastic around here about keeping half avocados from going bad. But this is a perfect example of the word “hack” being thrown around in a casual context, and keeping an avocado fresh is certainly not a criminal matter.

Wikipedia boils it down really well:

A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means. Though the term hacker has become associated in popular culture with a security hacker – someone who utilizes their technical know-how of bugs or exploits to break into computer systems and access data which would otherwise be unavailable to them – hacking can also be utilized by legitimate figures in legal situations.

Obviously, that avocado isn’t a computerized system… and immersing it in water isn’t the same thing as that reporter discovering a weakness in the DESE site. But it is useful to remember that as language changes and evolves, things can become more ambiguous…and we’re pretty sure that that’s what got Governor Parsons all riled up.

Here at BIPi, when we talk about hacking (avocado freshness aside), we’re talking about malicious access to websites or other digital tools (like your gmail or your Instagram account) that results in that tool being defaced or harmed in some way. We’ve run into plenty of website hacks over the years – everything from very obvious website defacement, where the hacker replaced the main content of the site with scary-looking words and visuals, to small changes to code that website visitors never see but that force anyone clicking on a link to a site in search engine results to end up on scammy pharmaceutical websites — and they can be a real pain in the butt to deal with. Cleanup can take hours to weeks, and sometimes the site has to be rebuilt from scratch. With WordPress running around 30% of the websites out there, it can be an easy target for someone who’d like to do the digital equivalent of TP-ing your front lawn.

Parsons was clearly referring to a “security hacker”, but in our opinion he took that word (which does have a bit of sinister nature inside that ambiguity) a step too far (Bloomberg has an excellent exploration of why that pretty much sums up our perspective and concerns).

The “hacking” we’re doing on our clients’ behalf

The actions that the Post-Dispatch reporter took in discovering this security flaw are relatively similar to the kind of work that we do on a weekly basis for our support clients. We’ve got plenty of security measures in place (everything from how we handle passwords internally, to ongoing monitoring of various aspects of website code, all the way down to the hosting company we choose). The number of times a day that we use that “F12 / view source” tool in our browsers to check in our own clients’ sites is incalculable.

That reporter was essentially investigating – and he was investigating a space that was easily accessible. Even if you put up “no trespassing” signs (which is essentially Governor Parson’s stance – that the MO state law Section 569.095, RSMo. was a “no trespassing” sign that the reporter blithely ignored), when the door is left unlocked and big file cabinets of sensitive information are sitting directly inside in a well-lit area… well, we’d be pretty happy to know that the folks in charge of that sensitive information aren’t caring for it properly. We want the services of that whistleblower, and we’d want the folks in charge to be notified before someone else – someone who might want to use that sensitive information in malicious ways – gets their hands on it first.

It’s not possible for all of us to be keeping an eye on every square inch of our homes every moment. When you translate that into your digital home, it’s even more impossible. And, in this case, it wasn’t even in a home – the folks whose SSNs could be easily accessed off that site had given their information to their employer (“giving” here being a somewhat poor choice of words, since those employees had to hand over their SSNs as a condition of employment), expecting it to be kept safe by people who ostensibly knew better and who were obligated to do so.

Feeling a little lost?

If you’re concerned about the health or security of your website, but you don’t have someone you’re comfortable reaching out to with questions, you need website support! Find out more and download our “5 Signs You Need Website Support” eBook.

A (somewhat) happy ending

On 2/11/2022, the investigation was officially closed by Cole County Prosecutor Locke Thompson; on 2/21/22, the Post-Dispatch posted the police report in its entirety and noted in an accompanying article that the Missouri State Highway Patrol had spent about 175 hours on the investigation. Per a very helpful summary of the whole thing by Ars Technica:

…the resulting police report confirms in detail that Renaud did exactly what he said from the beginning: He identified a security flaw by viewing publicly available HTML code on a misconfigured state website and delayed publishing an article on his findings until after the state closed the security hole.

So… thankfully, that reporter has been vindicated and the security flaw in that website has been fixed.

The tech-related news stories just keep coming, and they’re not getting any easier to understand

As we increase the frequency of our blog posting, we’ll be sharing news and perspectives like this with you. While we’re happy for you to just read our thoughts, our primary concern is that our clients (be they former, current, or prospective) feel comfortable reaching out to us for clarity on facts or advice on concerns about the health of their digital properties. If you:

  • get a suspicious email about your website or your domain
  • see a news story that concerns or confuses you
  • want advice on how current events might impact your website

drop us a note. We’re always here to fix something that breaks, of course, but we’re also here to offer advice and help you make smart decisions.

by | Last Updated: Feb 3, 2022 | shop talk