SoylentNews is people
SoylentNews
from the don't-even-think-about-editing-the-URL dept.
Confused governor says looking at webpage's HTML is criminal hacking:
Gov. Mike Parson is sick and tired of all these sophisticated, no-good hackers and he's not going to take it any more. It's too bad the Missouri Republican has no idea what he's talking about.
During a Thursday press conference, the confused elected official lashed out at a journalist who reported a vulnerability in an official Department of Elementary and Secondary Education website. The reporter, notably, waited until officials fixed the error before publishing the story. The flaw? The website apparently included teachers' Social Security numbers in the HTML.
"Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers' Social Security numbers were contained in the HTML source code of the pages involved," reported the St. Louis Post Dispatch.
Parson, who apparently has never heard of "view source," obliquely threatened the Post reporter with prosecution.
"The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires," wrote Parson.
[... - plenty snipped - ...] Parson, in other words, has no idea what he's talking about.
canopic jug augments that with the following other sources:
Governor Mike Parson wishes that ctrl-u or f12 will become illegal. This was actually a breach of personal information, including SSANs, for over 100,000 people.
https://text.npr.org/1046124278
https://www.salon.com/2021/10/14/missouri-governor-threatens-criminal-prosecution-of-reporter-found-security-flaw-in-state-site_partner/
https://itwire.com/security/missouri-goes-after-man-who-looked-at-source-code-on-state-site.html
https://www.rollingstone.com/politics/politics-news/missouri-governor-teacher-data-hacking-1242493/
https://coldstreams.com/2021/10/14/no-it-isnt-missouri-governor-says-viewing-html-source-code-containing-private-data-the-state-published-on-every-page-is-a-crime/
https://abc17news.com/news/missouri/2021/10/14/gov-parson-threatens-legal-action-against-reporter-who-exposed-flaw-on-state-education-departments-website/
https://heavy.com/news/gov-mike-parson-html-source-code-decoded-ssn/
(Score: 3, Informative) by linuxrocks123 on Monday October 18 2021, @09:10PM (5 children)
This is complete and utter bullshit. It is not the case that a valid SSN should ever map to more than one person. The reverse is not true: it is quite possible that one person could have two SSNs. That's not a great thing to have happen, but sometimes it does, and the SSA can deal with it by adding the earnings under one to the earnings under the other. However, it is the case that no SSN will ever map to more than one person, unless one of them is lying and using someone else's SSN (i.e. illegal immigrants). Think about it: how would the SSA figure out what your benefit should be if it can't tell how much money you paid in Social Security tax? And how can the SSA figure out what you paid in tax if all your earnings are commingled with someone else's earnings?
If the SSA messed up and gave the same SSN to two people, they would probably cancel it and assign new numbers to each of the two people affected. If they'd both worked under the messed-up SSN, they'd have to manually go through the work history and copy the appropriate parts of the work history to the newly assigned replacement numbers.
SSNs don't work for what they are designed to do unless each one uniquely identifies a person. So, yes, they do that. That fact is orthogonal to whether they should be used as a key in a database, but don't lie and spread BS to get your way on that argument.
(Score: 0) by Anonymous Coward on Tuesday October 19 2021, @12:28AM (2 children)
When a person is deceased. The pools of available SSNs are not actually sufficient to cover every person in America past, present, or future. That said, normally they are issued out in blocks, geographically and then regionally so nowadays there should not be many duplicates happening. However back in the day thanks to clerical errors it was possible that SSN ranges got reused before one party died, or go double used by two people in adjacent areas (or rarely different states).
So yeah while the SSN was MEANT to be a unique identifier for tax purposes, it has in effect never been a definitively unique identifier.
(Score: 4, Informative) by linuxrocks123 on Tuesday October 19 2021, @01:04AM (1 child)
BULL. SHIT.
https://www.ssa.gov/history/hfaq.html [ssa.gov]
(Score: 2) by Immerman on Tuesday October 19 2021, @03:25AM
I'm not so sure about "generations to come". 9 digits means exactly 1 billion possible SS Numbers (including the invalid ones) , meaning Americans alive *today* are using roughly 1/3 of all possible numbers, While everyone who got a SS number since 1936 and subsequently died has removed numbers from the pool. We've probably got fewer never-used SS numbers available than there are currently-active numbers, and will need to revise the system within a few decades. Aka 1 to 2 generations.
(Score: 2) by Immerman on Tuesday October 19 2021, @03:31AM
Last I heard, 000-00-0000 is still by far the most popular SSN in the country, "belonging" to a huge number of lawfully admitted non-citizens.
Any time you have a required field for a non-required value, you *will* have duplicates. If you're very, very lucky there will only be one, easily identified placeholder value.
It's practically become the CS101 example of why you should *never* assume any user-supplied value is actually unique. Precisely because so many legacy programmers DID make that assumption, much to the occasional aggravation of everyone using their software for ever after.
(Score: 1, Interesting) by Anonymous Coward on Tuesday October 19 2021, @03:20PM
You're a fucking idiot. There, we've exchanged insults.
Sure, you're describing the way the whole SS system is supposed to work. Unfortunately reality is a trifle bit different.
First, the SSA doesn't knowingly issue the same number to more than one person. And yeah, once that mistake is discovered, they'll fix it by giving new numbers. But it takes a looooong fucking time. Until that long fucking time, any system that uses the numbers still has to fucking deal with the fucking problem.
Second, the reason the SSA does not guarantee unique numbers is partly to dodge any legal liability associated with such mixups, and to avoid having to deal with multiple people paying into the system under the same number, which happens all the fucking time due to illegal aliens stealing other people's SSNs.
Look, I worked in a very large state at one of their very large pension systems. We had different people claiming the same SSN all the fucking time. Sometimes it was typos on the forms their employers sent us when signing up. Rarely it was the SSA assigning the same number to different people. Usually it was identity theft. When we detected duplication, all we could do was ask the two (or more) employer agencies to double-check the SSN with the employee. If they both came back claiming that the number was correct, we weren't allowed to do anything sane like report it to the SSA, or call the fucking police, or even notify the poor employees that someone was probably stealing their identity. We tried reporting it to the SSA once, and they told us not to bother them with it. They just want the money flowing in, and they're content to wait until someone actually goes to draw on their Social Security to figure out who gets which payments. After all, if one or both of them die or get deported, then they won't have to fix it, will they?
So, yeah, sure, SSNs should only be one per person. Out in the actual world, they aren't, and real computer systems that actually do real work have to be able to deal with that shit.