SoylentNews is people
SoylentNews
from the don't-even-think-about-editing-the-URL dept.
Confused governor says looking at webpage's HTML is criminal hacking:
Gov. Mike Parson is sick and tired of all these sophisticated, no-good hackers and he's not going to take it any more. It's too bad the Missouri Republican has no idea what he's talking about.
During a Thursday press conference, the confused elected official lashed out at a journalist who reported a vulnerability in an official Department of Elementary and Secondary Education website. The reporter, notably, waited until officials fixed the error before publishing the story. The flaw? The website apparently included teachers' Social Security numbers in the HTML.
"Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers' Social Security numbers were contained in the HTML source code of the pages involved," reported the St. Louis Post Dispatch.
Parson, who apparently has never heard of "view source," obliquely threatened the Post reporter with prosecution.
"The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires," wrote Parson.
[... - plenty snipped - ...] Parson, in other words, has no idea what he's talking about.
canopic jug augments that with the following other sources:
Governor Mike Parson wishes that ctrl-u or f12 will become illegal. This was actually a breach of personal information, including SSANs, for over 100,000 people.
https://text.npr.org/1046124278
https://www.salon.com/2021/10/14/missouri-governor-threatens-criminal-prosecution-of-reporter-found-security-flaw-in-state-site_partner/
https://itwire.com/security/missouri-goes-after-man-who-looked-at-source-code-on-state-site.html
https://www.rollingstone.com/politics/politics-news/missouri-governor-teacher-data-hacking-1242493/
https://coldstreams.com/2021/10/14/no-it-isnt-missouri-governor-says-viewing-html-source-code-containing-private-data-the-state-published-on-every-page-is-a-crime/
https://abc17news.com/news/missouri/2021/10/14/gov-parson-threatens-legal-action-against-reporter-who-exposed-flaw-on-state-education-departments-website/
https://heavy.com/news/gov-mike-parson-html-source-code-decoded-ssn/
(Score: 4, Interesting) by isostatic on Monday October 18 2021, @11:28AM (5 children)
Correct, it's no more secure than your name. It's benefit is to disambiguate people, so "Joe Bloggs" and "Joe Bloggs" aren't mixed up (even then I believe there are edge cases where SSN have been dual-assigned, some people have more than one SSN, etc).
Passport numbers and credit card numbers are also public information -- stay in any hotel in the world and they are taken. Which is fine if it's your username.
To identify yourself in the US you present your SSN (fine, as you aluce to, mine is "isostatic"), and then you convince the person you are who you say you are.
The standard for confirming that the username is yours on this website is a password. Not great, but for the low importance of this site it's adequate.
To log into my bank I need my userid, password, and a 2fa approval, which is better, although the trust is just one-way.
A secure fashion would be to have the SSN and a public key being listed on the blockchain, and you would use your private key to authenticate yourself. The person you're authenticating with could be confirmed by you by checking the public key.
If your key were revoked on the blockchain you'd know about it, if you did that because you lose control of your private key, that's fine. If someone else revokes it you'd know.
Doesn't solve the "my private key was lost without my knowledge" issue, nor the "I lost my private key" issue, but unlike SSN your private key should not even be able to leave the device you're using to authenticate so the first is far less of a problem than the SSN.
(Score: 2) by PiMuNu on Monday October 18 2021, @01:04PM (1 child)
One can generate a private key as a QR code or similar; thus possible to have a paper back up (which is roughly as secure/insecure as a passport).
Nb: I note in Europe all of the covid vaccination certificates hold a QR code that maps to a unique ID in a database somewhere. It functions more like a username than a password, but thought it might be of interest.
(Score: 2) by isostatic on Tuesday October 19 2021, @09:40AM
I had to have a covid passport to get into an event for work in the UK, it was a time limited QR code, which is reasonable for that specific use (you can't use that QR code to pretend to be me so security isn't critical, and it's time limited so damage is limited if it leaks)
It does rely on a central database though, which I guess realistically would be the case with any government ID -- people will lose their private key (either file, printed or on a yubi key), and require a new one, which will require certain levels of protection from the government -- I guess like getting a replacement passport. And as it's people, there will be all sorts of scams where your private key is acquired and copied, through social engineering or just plain theft, possibly without you even knowing. If every transaction was stored on a blockchain you could at least get instant notification when your ID was used (and anyone like a bank using your ID without should be treated as if they haven't seen the ID)
But I'm getting dangerously close to discussing "identity theft" -- https://www.theguardian.com/commentisfree/2018/nov/25/identity-theft-is-daylight-robbery-banks [theguardian.com]
(Score: 3, Insightful) by owl on Monday October 18 2021, @04:53PM (1 child)
The problem in the US is that the SSN has been used as both user-identifier and as password (where knowledge of the SSN authenticated that "you are who you say you are"). And the worst of the lot are the businesses that use it as both user-identifier and password simultaneously. Which has led to the current state of affairs where "release" of the SSN is a "breach".
It was always only ever meant to be a user-identifier, and should never have become a password. Sadly it did become a password, leading to the current mess.
(Score: 2) by isostatic on Tuesday October 19 2021, @09:26AM
Technically it shouldn't even be used as a username (or ID - mine is 365 on this site), as it's not guaranteed to be unique
(Score: 0, Offtopic) by mcgrew on Monday October 18 2021, @06:27PM
Correct, it's no more secure than your name.
I see you've never worked with large databases, or if you did you were ineptly incompetent. Your name alone is the absolutely WORST identifier. Remember when Senator Paul Simon was on SNL with the singer Paul Simon? Unless you live in a tiny state there are a dozen people with the same name as you living in your state. I know from handling databases working for Illinois (retired now).
Carbon, The only element in the known universe to ever gain sentience