The DoE is complicit in this as well (from the original article):
> In the letter to teachers, Education Commissioner Margie Vandeven said “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”
> But in the press release, DESE called the person who discovered the vulnerability a “hacker” and said that individual “took the records of at least three educators”
This squares perfectly with my own experience. As a middle schooler I had several interactions with my school system's IT department where they baselessly accused me of hacking and malicious intent; I responsibly disclosed a method of bypassing their web content filter and they responded by going through my roaming profile and leveling charges at me of "remotely hacking computer systems" because of a screenshot of a terminal emulator they found. I was a good kid with a perfect disciplinary record. In retrospect it was a series of incompetent staffers covering for their inability by bullying a child.
The US needs to stop using public facilities (schools, the military, etc) as white-collar welfare and hire more people that actually care. Ignorance is forgivable but when combined with a steadfast opposition to personal growth it becomes malicious. It'd be better for society to fire clowns like these and administer them unemployment than to have them crowd out those that actually give a shit.
*EDIT: To clarify for anybody that would read the above as "government workers don't care": there are plenty that do. I break bread with them and want them to be able to do their jobs unimpeded by the ones that _don't_.
> The US needs to stop using public facilities (schools, the military, etc) as white-collar welfare and hire more people that actually care. Ignorance is forgivable but when combined with a steadfast opposition to personal growth it becomes malicious. It'd be better for society to fire clowns like these and administer them unemployment than to have them crowd out those that actually give a shit.
Our purest white-collar welfare system is the health insurance industry, I'd say. IIRC at one point Obama explicitly stated that a reason he didn't think single-payer and similar were viable to advance, is because they'd put too many people out of work.
The military is, obviously, our main work-required blue-collar welfare system, among other kinds of wealth-shuffling it does. Why, one can get nearly-European-standard-for-all public benefits, through that program, provided one is reasonably sound of body and mind. Healthcare, pension, housing, etc. [edit] education, too!
I do remember Obama talking about losing jobs in health care. With that kind of logic, we'd never have allowed cars because the horse and carriage industries would lose jobs.
I'm not unsympathetic to those who would lose jobs from changes in the industry. Here's my thought: if government action disrupts an industry, then that action should be done piecemeal over several years to allow a softer transition.
It's not just a matter of sympathy. Government still needs support from the populace even when the populace is short-sighted. It's a practical calculation to say good but unpopular policy will ultimately fail.
Did we invent crash-proof carriages when I wasn't looking?
> Reviewing British fatality rates from previous centuries, demographer P. E. H. Hair concluded in 1971 that the “supercession of the horse by the internal combustion engine was by no means the disaster in terms of travel safety it is often supposed to have been,” and suggested that between 1840 and 1900, accidents involving horses produced an average yearly mortality rate of about five per 100,000 population
> fatality rates from horse-powered transportation occurred at a rate more than 15 times greater per mile in 1775 than from motor vehicles in 2000 (even using very conservative estimates for per-mile horse-related fatalities)
> In New York in 1900, 200 persons were killed by horses and horse-drawn vehicles. This contrasts with 344 auto-related fatalities in New York in 2003; given the modern city’s greater population, this means the fatality rate per capita in the horse era was roughly 75 percent higher than today. Data from Chicago show that in 1916 there were 16.9 horse-related fatalities for each 10,000 horse-drawn vehicles; this is nearly seven times the city’s fatality rate per auto in 1997.
> Did we invent crash-proof carriages when I wasn't looking?
Only if you've been not looking through e.g. the entire history of the NHTSA. Comparing horseless carriages under modern safety regulations to horse-drawn carriages not subject to those is a huge confounder. (And 1997-2000 sounds like a cherry-picked period; motor vehicles have been redesigned to kill significantly more pedestrians since then).
> Only if you've been not looking through e.g. the entire history of the NHTSA. Comparing horseless carriages under modern safety regulations to horse-drawn carriages not subject to those is a huge confounder.
Modifiers like that don't really matter because the comment was acting like the alternative was zero deaths.
And modern safety regulations can only have so much influence on pedestrians especially.
> (And 1997-2000 sounds like a cherry-picked period; motor vehicles have been redesigned to kill significantly more pedestrians since then).
Well I'll assume if we were using carriages en masse they'd also be going through design changes to kill more people since that seems simplest and still supports my point that there would be many deaths.
> Modifiers like that don't really matter because the comment was acting like the alternative was zero deaths.
Not necessarily, they could just mean many fewer deaths.
> Well I'll assume if we were using carriages en masse they'd also be going through design changes to kill more people since that seems simplest
It's not simple, there's a lot of complexity and path dependence to how we've ended up with these car designs and there's no reason to believe it would happen in the same way and the same order for carriages. But regardless, you have to average over such variations rather than picking one unrepresentative point.
> and still supports my point that there would be many deaths.
No it doesn't; you're cherry-picking the years when motor traffic was least deadly and comparing to a random time (or perhaps even the most deadly time?) for horse traffic.
> Not necessarily, they could just mean many fewer deaths.
Maybe but "Imagine not having" sure sounds like you remove the deaths entirely.
> you're cherry-picking the years
That's a quote of an article that only compares those years. I'll thank you not to accuse me of cherry-picking here.
> It's not simple, there's a lot of complexity and path dependence to how we've ended up with these car designs and there's no reason to believe it would happen in the same way and the same order for carriages. But regardless, you have to average over such variations rather than picking one unrepresentative point.
You wanted to consider "modern safety regulations" as a confounding factor.
I see three options here.
1. Let's assume carriages would have undergone the same evolution of safety. That means modern carriages would have a lower death rate than old ones. It also makes the possible cherry-picking matter a lot less because the increasing menace of transportation over the last 20 years would be the same either way.
2. We say it's too complex and ignore those factors.
3. We invent an entire alternate history in excruciating detail.
Option 2 is bad, of course. I think option 1 is fine. If you want option 3, you're on your own.
> 1. Let's assume carriages would have undergone the same evolution of safety. That means modern carriages would have a lower death rate than old ones. It also makes the possible cherry-picking matter a lot less because the increasing menace of transportation over the last 20 years would be the same either way.
That's like saying it's fine to compare the cost of houses in New York and San Francisco by comparing the cost of a house in New York in 1998 to the cost of a house in San Francisco in 2009, because house prices change at more or less the same rate everywhere in the country. It's true that house prices tend to go up or down at a similar rate everywhere, but it's still a problem if you cherry-pick the two years you're making a comparison with!
You can criticize their choice of sources, you can dig deeper and provide more comprehensive data, but going post after post admonishing them for cherry-picking data that is just gauche. They didn't pick the years!
They picked the sources, and their sources use apparently arbitrary dates that are particularly unrepresentative. Maybe that's just an unfortunate coincidence, but even if so, the net effect is the same as cherry-picking.
Well, no it's not. Because if they were cherry-picking, then your needling them repeatedly over the data could actually produce a reaction that gets you more accurate data.
But since they are just presenting you with the most commonly available data, nothing you say will make them produce different results.
I'm not disagreeing, but the advances in medicine between the periods mentioned should be kept in mind. A more precise comparison might be how many fatalities occurred at the site of the accident; that would remove quite a few other variables. Perhaps those numbers are already showing that, but if so, it's not clear from the quote.
In the US military as an officer you have a specified amount of time to make the next grade. If you are passed over for promotion too many times, career over. Unsurprisingly this gets more challenging the higher you get, with only a 2% chance of moving from O6 to O7. There are also educational requirements, both military and civilian, for each grade as well.
So it’s not completely welfare. The benefits offered exist for retention. The military can offer nice benefits because it is the largest employer in the world. It’s like the healthcare and other benefits you get from a corporate employer but much better. The larger the employer the better the benefits tend to get.
> Unsurprisingly this gets more challenging the higher you get with only a 2% chance of moving from O6 to O7.
This sounds very stark, but it doesn’t tell the whole story.
1. O6 to O7 is colonel to general (or captain to admiral in the navy). Yes, 2% is a heavy cull. Then again, I think everyone involved sort of wants that cull for the top of the military. O7+ are essentially the equivalent of corporate executives. (Edit: just checked the numbers… I believe 2% is the number of generals expected out of a given class of 2lt. Promotion from colonel to general is a much higher percentage).
2. It’s fairly easy, if motivated and not socially, physically, or intellectually limited, to make it 20 years as an officer. Folks typically end up as majors (career-path bound or lower competence) or lieutenant colonels. Colonels tend to be solid all around, even if some of them have a tragic flaw. Folks capped at major usually retire at 20. Folks capped at lt col usually retire at 24-26 years.
3. Promotion from 2lt to 1lt is pretty much automatic around 2-3 years. Ditto 1lt to captain at around 4-6 years total. The first cull is from captain to major, but a big part of that cull is simply folks who don’t want to re-enlist. Most people who stay in plan on staying for 20 to get retirement. Some folks who want to stay in can’t, but this is relatively rare and is typically due to (lack of) need of the military for their skill, general lack of competence, medical issues, or legal issues (DUI, etc.). I wouldn’t feel sorry for most of these people except the medical ones.
To get back to the original point, officers don’t quite look like the “welfare” that was being referred to.
That said, some of the jobs that veterans are able to get are absolutely middle class welfare.
Most vets in federal jobs are awesome and are good at what they do. That said, there is a small percentage of vets in federal jobs who are hellbent on being deadweight.
In the reserves it actually is a 2% chance to make O7. A factor less present in the active duty is old age. Vacant slots are harder to find and fill for a variety of factors.
But the job does actually need to be done. They're just not paying enough to consistently attract and keep people who can do it well. What can't compete is the pay.
Exactly this. The ratio of equipment to staff is usually very high, the equipment is usually very old, demands are sometimes complex, and pay is governed by a formula developed for white collar workers without better options. The good ones normally leave after one year.
One thing to note is that hiring skilled IT workers is often outside budget capabilities. It’s not that they want to hire someone incompetent, they simply can’t afford to hire someone competent.
It doesn't help that they used a Soviet method of denying shortcomings in hopes that fantasy will overrule reality. What can you do when you have limited resources to make your situation worse? Punish people who are helping you for free.
Incompetent people will do anything they can to avoid admitting that they are incompetent.
One of the more interesting possible outcomes of a UBI I hope to see in my lifetime is the ejection of many of the seat-warmers currently occupying IT positions in western public sector organisations.
Sounds like a good opportunity to teach the kids about solar. The solar ovens were such a memorable experience, but I suppose the cloudy days would be tough. Teaching the kids about DC to AC conversions at the same time as office politics would be a valuable life lesson!
I disagree - it sounds like a good opportunity for the school to either stop pinching pennies so absurdly or for the district to actually start funding education at a reasonable level.
I checked, the top paid IT person in my local Bay Area school district makes $168,000 a year (he’s the CIO). There’s a “L4” software developer making $131,000 a year. The next highest is a DBA earning $129,000 a year. So it would appear at least my district isn’t budgeting a competitive amount for technical talent. These salaries are far below market rate, to the point that many of these people might qualify for subsidized housing.
> district makes $168,000 a year (he’s the CIO). There’s a “L4” software developer making $131,000 a year.
I think that really says more about the absolutely absurd cost of living and non-rational real estate costs in the SF bay area than it does about the school district. In many places with normal cost of living, if your US W2 take home is $129k a year, you can live a very comfortable upper middle class lifestyle. Whether or not you have a spouse or partner with their own career and your combined W2 gross income might be $210k a year.
Same as what I said above also applies to absurd real estate and cost of living in Seattle, Vancouver, New York, etc.
> You have to compare the salary to local living costs to be comparable.
This is not accurate in a globalized economy, where purchasing power parity (PPP) becomes a bit of a lie. No one is going to ask you if you're from Cambodia or another country, when you'll want to rent a server from AWS, or buy an iPhone, or maybe even a car. Global corporations aren't running charities and are instead concerned with making their products profitable - if anything, they would only use your location to increase the prices of products further if you're capable of buying them, but that's not a widespread practice nowadays for a variety of reasons.
I actually wrote a bit more about it in my blog article, "On finances and savings": https://blog.kronis.dev/articles/on-finances-and-savings
which showed how much money I've made over the years while working as a software developer in Latvia (currently around 18'000 euros a year), which means that my ability to make savings is ~5x lower than many of the software developers in the US or other well-paid countries - which directly impacts my ability to create a startup and pay for external services/infrastructure, should I so choose.
Of course, on the flip side, one can also talk about how much you're disadvantaging yourself by catering to a clientele of local companies: I generate my company ~20x less profit than an average engineer at Google would for their company.
By local living costs, I do mean whatever costs are required to live in the area one lives. Whether or not those products or services are the same everywhere or not.
But the fact of the matter is, the costs that make up the largest portion of most people's lives are locally spent.
True, but tech is not the dominant industry in all areas, and industries needing IT are not strictly limited to tech companies -
blaming education administrators specifically for not having enough funds to pay competitively is drastically different than saying there is a structural problem with the local economy such that only industry X can competitively source IT talent.
In these conversations, comparing tech job X vs other job Y is relevant, because we are talking about 'jobs and wages within the local economy as a whole'.
What about the many costs that stay static? Flights, smart phones, and so much more don’t become a lot cheaper just because of location. Or for flights, departing location.
Hiring DBA or a developer for a school is extremely inefficient use of the budget. School IT must be standardized and automated to the point where you only need 2 sysadmins and few more first line support people per 50-100 schools to run operations and 4-5 companies developing school management systems for the entire national market, with standardized interoperability.
I work with school districts and there are these companies. And they are absolutely atrocious. And they make it difficult to transfer. So schools are somewhat stuck in the old way. Literally every district level person hates the software, but they can't change it.
This is where government should be able to help with regulation. Nobody should be able to enter or stay on the market without ensuring interoperability, security and accessibility and without transferring certain rights to customers. I’m pretty sure the market will remain attractive for business even with the open source requirement.
America recently had an administration that prided itself on killing two pieces of regulation for each piece it added. There's a strong social issue with even bringing up the R word right now.
That standardization and automation you're talking about costs money too. Schools deal with technical debt on the IT infra level much like SaaS companies do.
Of course, you should be able to cut a $129k/yr DBA if you just spend the millions needed to streamline the IT systems.
A simple search shows that there are 130 000 schools in the USA. Spending 10M to develop reasonable IT standards and 120M more on compliant software is just $1000 per school. And this is not military software; it can actually be developed offshore by decent engineers earning half of that DBA salary (that is, you get 2000 _man-years_ of work for that money).
I don’t think it’s malicious intent. Hanlon’s razor: never ascribe to malice what can be explained by incompetence. It’s simply that nobody at any level takes actual responsibility for outcomes. People at the bottom of the system (teachers, parents) can see problems but are usually disempowered and voiceless, and can’t fix them on their own. And people at the top are either ignorant of the real problems or lack real leadership and incentives to fix them. (Or they feel overburdened and overwhelmed).
An old friend of mine teaches the first year CS curriculum at a local university. By all reports he’s phenomenally good at his job. He truly cares and his students adore him. But he’s making a fraction of the salary he could be making in industry. At some point he’s probably going to quit to do a job he’s not as good at, and doesn’t enjoy as much. Why is he paid many times less than he’s worth? Because the university wants to pay CS lecturers who teach 2000 students the same as they pay people who teach poetry to a class of 5. So my friend can’t get a competitive salary without entire departments revolting. Who’s fault is that? I don’t believe it’s malicious intent. It’s just a boring, systematic failure high up in the org chart leading to bland mediocrity. The only people who can do something about it don’t care about outcomes enough to fix the problem.
> Because the university wants to pay CS lecturers who teach 2000 students the same as they pay people who teach poetry to a class of 5.
Maybe I'm wrong, but does University gain more profit from a class of 2000 students? If so, could it be the case that your friend does not sell himself at a market price for the teaching position? Probably there's another place which pays more for similar teaching.
There's no blame at all, sometimes people like to sell their time mostly not for money, but for emotions, that's completely understandable.
The university gets paid per student-year. So, yes.
But I can also see an argument that more advanced classes in later years (eg Advanced AI) are at least as valuable for the university compared to earlier subjects. They might have smaller class sizes, but if the subject material is more difficult, it'd be harder to find sufficiently knowledgeable teachers. And the availability of classes like that (arguably) sets good schools apart from bad ones.
It's certainly a difficult problem. But it sounds like they aren't solving it well, and I think they're slowly driving out one of their best teachers.
> The only people who can do something about it don’t care about outcomes enough to fix the problem.
In other words, malicious intent the whole way down. Though I'm sure it feels good to blame the faceless "bureaucracy" and leave it at that...that way no one has to take responsibility.
No, it doesn't feel good to blame a faceless bureaucracy. It makes me feel kind of powerless and awful. But I still think that description is more accurate.
It's possible we're using different definitions though. Malicious intent sounds to me like "I am glad you are underpaid because I enjoy your misery". Or "You might be suffering but I don't care." I can count on one hand the number of people I've heard about in the workplace who are like that.
On the other hand, go talk to people near the top of any medium-to-large org chart. You'll find a mountain of people who feel like they're overwhelmed by the minutia of the company's day to day concerns, and they don't have time to do strategic leadership. That they aren't meeting the demands their role is placing on them. Or they're failing the people below them in the org chart due to their own vague mediocrity.
I don't think hating people in this position helps. Your scorn isn't going to magically make them better at their jobs. I see it as a symptom of our crappy organisation structures failing at larger sizes. We habitually centralize power into the hands of a few people. And then the people at the top of the org chart are overwhelmed by choice and indecision. And the people at the bottom are knowledgeable but powerless, and are structurally forbidden from solving their own problems. (Or, sadly, people develop a learned helplessness about solving problems in the organisation at all.)
Is it worth it though? If a few teachers have their identity stolen, will that in any way hurt the school? I mean, it should hurt them, but it's unlikely that it will. The only people who might feel bad are the moral IT folk who created the problem.
I mean, is there really any risk of that anymore? Equifax had already seen to it that basically every adult in America's personal information is out there.
Most non-core-business organizations can't afford to hire someone competent, and therefore hire someone else.
But obviously that person isn't going to say "Gee, I'm really not great at this computer stuff, but I'll do what I can." They say "Sure, I know all about all the computer stuff!"
And then you have their leadership (who doesn't know any details), taking whatever they report up at face value.
The governor probably believed he had a leg to stand on here, because I'm sure that's exactly what his people told him.
> The governor probably believed he had a leg to stand on here, because I'm sure that's exactly what his people told him.
My money's on this being purely a political decision. And for that, considering who it is and their position in the political landscape, I think it's too early to definitively call it a blunder.
I think it's a pretty terrible political decision regardless of the outcome. Whenever you take a stance on a highly technical issue like this you're rolling the dice and hoping that you don't actually have a number of technical minded folks in your state. It can backfire amazingly.
It's much easier to play political games on much more abstract issues where it's harder to evaluate the options.
I don't think many tech folks, even in Missouri, are among this guy's voters, and the ones who are, aren't turning "blue" over this (they're probably in it for religious reasons, i.e. abortion).
Meanwhile, he's received national attention.
We'll see, but it may yet be a smart play, politically speaking. I'm not saying it for-sure is, I just don't think that result's anywhere near being off the table.
I fled to Canada over a decade ago so take my opinion here with a grain of salt but... I think that folks still talk to other folks on a local and familial level so a cousin of mine that's anti-vax has reached out to talk about technical news occasionally and you'll tend to chat with neighbors.
So having someone technically minded in your general blob of associations is generally enough for these sorts of obviously stupid moves to get politicians in serious trouble.
The stakes are a lot lower obviously - but this is a much clearer case of technical malpractice than anything having to do with Snowden and reminds me of Morris[1]'s case - basically it's complete BS and a misuse of the law.
1. https://en.wikipedia.org/wiki/Robert_Tappan_Morris (I might be thinking of someone else - I thought there was a teenager that got the book thrown at them back in the early days of the web but maybe I'm just misremembering things)
Have you written about this anywhere? I'd love to hear more about the motivation (not that it's hard to guess possibilities) and what the process actually looked like. I hear people threatening to move to Canada all the time, but there don't seem to be too many who go through with it!
Oh - I met a partner in Canada and when we looked at the costs to immigrate one way or the other it made a lot more sense to move up to Canada. Additionally the service offering was quite attractive up here, I'm in BC so there isn't any free pharmacare but there still is a pretty large provincial subsidy program.
Additionally I was pleasantly surprised, when I moved up, to learn that Canada doesn't have the same culture of greed. I feel like, if you aren't making every cent possible in America that you could - if you aren't constantly extracting the absolute maximum revenue - you're looked down on. Up here I've found a much nicer focus on balancing work with interests.
Having a dept of 1 engineer is not great [1]. You'd want ideally 3 or 4. Which is kinda no-man's-land between 50k and 500k. Say 125k, which would get you good, but not stellar. (and would be an improvement over 10 somewhat incompetent.)
[1] having just 1 creates lots of bigger issues:
Availability (what happens when he's sick or on vacation).
Technical documentation (there is none, it's all in his head).
Role transfer (when he leaves there is a short intense handover, then nothing).
Opinionated design - he does it his way, no discussion necessary - some will be good, but some will be bad.
When he leaves, you can't replace him. 500k engineers won't work for a place where you just maintain the system the last guy designed and wrote - they want to design and write their own stuff from scratch.
I could go on, but programming depts of 1 are usually a bad idea...
> Hiring a top engineer for 500k would go a lot further than hiring 10 mediocre engineers for 50k apiece.
That sounds reasonable, unless you're an elected government official in a state where salaries of government employees are public information. Local media outlets and your political opponents will have a field day over a government employee making a half-a-million dollar salary.
The public won't ever be able to understand or accept why one talented person should be made so wealthy in relation to the value they provide. However, the public will be fine with the same amount of money being spread out across 10 employees, since it still keeps all recipients in the poor house together with everyone else.
A regional bank headquartered in my area of upstate NY, which is also a publicly traded company, paid, in 2019, three out of their five C-level executives whose salary is disclosed, a base salary of $500K or less.
Do you or have you worked in a place where "engineers" make $500K? Have you thought about what they outsource to people making 1/10th or less, and why?
My spouse is a teacher and has practically made a game of "which low-status jobs would match my current benefits-inclusive income, while never making me take work home or making me deal with kids' mental health issues, which is incredibly stressful?" With current wage hikes in the service industry, the proportion that make the cut is going up daily.
I think it varies wildly by area, too. The teachers in my area appear to make a reasonable salary once you include pension. Admittedly, the stress level of the job comes into play, too...
> The US needs to stop using public facilities (schools, the military, etc) as white-collar welfare and hire more people that actually care.
In my experience, most IT/CS people who seek to work for state/federal government do care.
Unfortunately the combination of extreme red tape, low pay, inability to fire lazy employees, and occasionally being punching bags for politicians trying to score cheap points with their constituents, take their toll over time.
So much this. Pay and working conditions are such a joke for so many government jobs compared to the private sector. Government workers make nothing compared to the private sector, we expect them to be miracle workers, we refuse to acknowledge them when they do work miracles, and then we get mad and want to slash the budget when they can't.
It really sucks because I'd happily work for slightly under market rate to do work for a government office, but I just can't work for 1/3-1/2 of the pay I make working in the private sector, not with housing prices the way they are.
Federal govt IT is basically competitive on salary but the hiring process is rigged. The job descriptions are tightly bound to specific experience that only other govt workers or contractors could know and understand.
Last I checked $140k is about the going rate for government contractor software engineering work in the DC/Northern Virginia area. Add $10-20k for a Secret clearance or Public Trust and $30-50k for a Top Secret clearance (though you'll probably have to deal with working in a SCIF at least some of the time with a clearance). I'm pretty sure you can push that latter number even higher if you get a TS/SCI and start doing spooky stuff.
The SSNs were base64 encoded I believe, which is strange to consider encryption, but they also seem to be conflating the "decryption" of that with viewing the source code. This is just so ridiculous of them.
They were. It was the _VIEWSTATE thing that ASP.NET sticks into pages. The developers put the full SSN into the _VIEWSTATE object, which is base64 encoded into the pages.
Encoding is not encryption. That’s like if I got the raw bytes of Unicode characters and converted them to legible text. Or another way, that’s like two people talking about me in a language I don’t understand, and then I respond to them in said language.
That’s a terrific analogy. And it’s one that a jury will relate to. Sadly, if it goes to court, the poor guy’s lawyer is gonna have to spend a lot of time explaining how the State’s servers were sending this information in clear text to everyone who requested the page, refuting the false equivalence that the prosecution will make between “hacking” and “view source->decode to ASCII”.
It wasn't encrypted. It was written using Base64 – the computer equivalent of the phonetic alphabet. Anyone can “decode” it by hand, like Morse code, and the practised can read it off directly.
This Base64 was placed inside an HTML document. That's a bit like a Word document, except the formatting (bold, underline, big, small, Comic Sans) is written next to the text, so the computer knows how to display it. HTML is designed to be human-readable; in fact, it's designed for humans to write directly, using a text editor.
Here's an example of an HTML document, and here's a Base64 decoding table. (There's also a printout from Wikipedia, if you want to know how people can do it in their heads.) The jury should be able to read this SSN off, with no prior experience, in about ten minutes.
This was sent, by the State's computers, to every user of the system, due to a programming error.
<!DOCTYPE html>
<html>
<head>
<title>My Webpage</title>
</head>
<body>
<h1>This is an HTML document</h1>
<p>
It might not look like much, but it's a website!
This is what they look like to computers, and
web developers. There is usually other code behind
the scenes, where sensitive data should be stored,
but this is the public part.
</p>
<!-- Internal state (public component).
Should not contain sensitive data! -->
<input type="hidden"
name="__VIEWSTATE"
id="__VIEWSTATE"
value="dDwxMjM7dDxwPGw8
U1NOOz47bDw5MTIt
MzgtNjU0Nzs+Pjs7
Pg==">
</body>
</html>
Given this, I think the journalist over-simplified the situation in their story and that the "F12" jokes are unjustified. Recognizing there's a disclosure of private information here requires a lot more technical knowledge beyond the ability to view the HTML source.
The governor is still wrong for pursuing this and what the newspaper did was right, given that they disclosed it to the responsible parties and didn't publish until the problem site was taken down.
I feel like the F12 jokes are fine, since they don't even match the Governor's exaggerated rhetoric about "hacking". Pasting the base64 into one of many online decoders isn't much of an extra step. The Governor kept calling it a complicated 8 step process or something similar to that.
Base64 can be done by hand with two tables: one splitting every character in three times two bits and one that takes four pairs of bits and looks it up in the ascii table. Done.
It can also be done using a few small books, mapping strings of 4 base 64 characters into 3 ASCII characters. With 100 printable characters (according to Python), and assuming you can get 96 per page (4 columns of 24; possible with clever layout), that would fill about 50 books.
Okay, maybe that's not very efficient.
Each pair of Base 64 characters contains a single ASCII character, plus some change. That would take three lookup tables of about 1000 entries each; given that the “change” letters could use character ranges, that would take 3 or 4 sheets of A4 (or A3, if you wanted large print).
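Added example (not code from any commenter, and not the St. Louis Post-Dispatch's or the State's software): a Python script that decodes Base64 with exactly the two tables described above (character to six bits, then eight bits at a time to one byte), checks the result against the standard library, and then runs a defender's check over the sample page posted earlier in the thread, flagging any hidden form field whose Base64 payload contains an SSN-shaped string. `SAMPLE_HTML` is a copy of that commenter's constructed page, the `__VIEWSTATE` value is the made-up one from that page, and the function and class names are my own.

```python
import base64
import re
from html.parser import HTMLParser

# Table 1 from the comment: one Base64 character -> six bits.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SIX_BITS = {ch: format(i, "06b") for i, ch in enumerate(B64_ALPHABET)}

# SSN-shaped pattern (ddd-dd-dddd) searched in the decoded bytes.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample: the example page from the earlier comment, including
# its made-up __VIEWSTATE value split across several lines.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head><title>My Webpage</title></head>
<body>
<h1>This is an HTML document</h1>
<input type="hidden"
name="__VIEWSTATE"
id="__VIEWSTATE"
value="dDwxMjM7dDxwPGw8
U1NOOz47bDw5MTIt
MzgtNjU0Nzs+Pjs7
Pg==">
</body>
</html>
"""


def base64_decode_by_hand(text: str) -> bytes:
    """Decode Base64 the way the comment describes doing it on paper.

    Whitespace and '=' padding are skipped, so a value wrapped across
    lines (as in the sample HTML) still decodes. Table 2 is the read-off
    of eight bits at a time; the leftover bits (fewer than eight) that
    correspond to the padding are dropped.
    """
    bits = "".join(SIX_BITS[ch] for ch in text if ch not in " \t\r\n=")
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


class HiddenInputCollector(HTMLParser):
    """Collect every <input type="hidden"> name/value pair in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name") or ""] = a.get("value") or ""


def find_ssns_in_hidden_fields(page_html: str) -> list:
    """Decode every hidden field that looks like Base64 and flag SSN-shaped
    strings in the result. Returns (field name, masked SSN) pairs, so the
    report itself never re-exposes the data it found."""
    parser = HiddenInputCollector()
    parser.feed(page_html)
    findings = []
    for name, value in parser.hidden.items():
        compact = re.sub(r"\s+", "", value)
        if not re.fullmatch(r"[A-Za-z0-9+/]+=*", compact):
            continue  # not Base64, nothing to decode
        decoded = base64_decode_by_hand(compact)
        for m in SSN_RE.finditer(decoded):
            ssn = m.group().decode("ascii")
            findings.append((name, "***-**-" + ssn[-4:]))
    return findings


if __name__ == "__main__":
    raw = re.sub(r"\s+", "", SAMPLE_HTML.split('value="')[1].split('"')[0])
    # The hand method and the library agree: Base64 is a fixed, public mapping.
    assert base64_decode_by_hand(raw) == base64.b64decode(raw)
    print(base64_decode_by_hand(raw))
    print(find_ssns_in_hidden_fields(SAMPLE_HTML))
```

The point the scan makes is the defender's one: anything placed in a hidden field or in ViewState is delivered to every client that requests the page, and Base64 adds no confidentiality, so a check like this belongs in a pre-release review of any server-rendered page. The real fix is not to put the SSN (or any secret) into client-side state at all; ASP.NET's ViewState MAC and encryption settings protect integrity and confidentiality of the blob, but they do not change the fact that the server should never have needed to send the data in the first place.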
Part of this is general attitude towards all hacking - that systems can “never be secured”, it is never the designer/implementer’s fault, and we should just blame the bad actors.
When banks/financial systems can get away with not upgrading a decade old Java framework with 6 month old struts vulnerability, and just blame the hacker, it is not surprising the average school sysadmin will do the same.
The military and education do hire people that care, insinuating that they don't seems very wrong. What I do see here, is that someone is speaking far outside their domain of expertise. Software Engineers love to do this on a lot of subjects. Having a deep background in Systems it's amusing at times, but I certainly wouldn't say they don't care.
It's a good thing that's not what I did then... I said that the bad workers "crowd out those that actually give a shit", which means that there _are_ indeed people that care (albeit fewer than there should be).
> What I do see here, is that someone is speaking far outside their domain of expertise.
I spent 15 years working in government contracting, specifically in defense. I've worked with a _lot_ of civilian DoD employees (many of whom I respect immensely on a professional basis and consider my friends). I also am related to and am friends with a number of former public school teachers that left their field for greener pastures. Institutional rot isn't exactly a secret.
Yeah, your corrected statement still seems wrong. I disagreed with your assessment, I didn't "assume bad faith".
My personal disagreement is blaming individual people. There should be funding and education resources set up to ensure that people who make calls like this are educated enough to do so. You're in the business of personal accountability and I'm in the business of saying the people are a byproduct of the failing system. I'll bet my next paycheck if you wash out everyone that you deem lackluster and replace them with people you find to be excellent, the same outcome will be had over a matter of time.
Back in the 80's, my computer teacher kicked me out of class because I had logged into my friends account at another school and downloaded instructions for an "assassination game" (pick a name from a hat, 'assassinate' your victim with a toy gun) which we never played because we just weren't that interested. The teacher was going through the trash and "discovered" my "hacking" because everything was printed on paper. Fortunately for me, I had access to other computers and went on to a long, successful career in computers. No thanks to you, shitty computer teacher.
Similar experience, their reasoning why it was so stern was because the password acquired was valid throughout the entire district, and used for multiple core systems (security, AD, grades, etc..)
No one thought to ask IT why they used the same PW 5+ times for critical infra; it's all just the kid's fault for finding one of them
> The US needs to stop using public facilities (schools, the military, etc) as white-collar welfare and hire more people that actually care. Ignorance is forgivable but when combined with a steadfast opposition to personal growth it becomes malicious. It'd be better for society to fire clowns like these and administer them unemployment than to have them crowd out those that actually give a shit.
That presumes that the purpose of school is perceived by the participants to be something other than printing credentials that justify trans-generational wealth and power accrual.
> I responsibly disclosed a method of bypassing their web content filter
If you don't mind me asking... why on Earth did you do this? My goal as a teenager was to find ways to get around content filters in middle school for fun, not so I could tell the teacher about them.
> It'd be better for society to fire clowns like these and administer them unemployment than to have them crowd out those that actually give a shit.
Administrators that "gave a shit" would be fighting to remove overzealous content filters, not reinforce them.
- The CS professor whose expert opinion was quoted by the newspaper article is demanding an apology and legal expenses from the state, alleging that the governor defamed and violated his free speech rights.
- The governor's political fundraising committee is running ads making this a "fake news" issue.
The email that the reporter sent, in advance of publishing the article revealing the state education website's data leakage:
> “I recently discovered a significant exposure of the sensitive data of more than 100,000 teachers on a DESE website,” Renaud wrote to the agency’s communications chief, Mallory McGowin. “At this point I am confident what I found is a genuine vulnerability — I have confirmed with three teachers from different districts that their data was exposed. I also have consulted an UMSL cybersecurity researcher who verified my findings. The P-D plans to publish a story about this sensitive data exposure, but we wanted to inform DESE first so that you would have a chance to mitigate the problem.”
> Renaud shared his timeline for publishing the story and asked for interviews with officials from DESE and the Missouri Office of Administration’s Information Technology Services Division. In a second email sent about 45 minutes later, he described the steps he’d taken in finding and confirming the vulnerability.
I’m trying to find the statistic, but it’s something like 75% of crime reporters in the US end up facing prosecution - i.e. if you report a fire, there’s a good chance you’ll face arson charges - if you phone the police to report an assault, there’s a good chance they’ll arrest you for calling them. Made that mistake as a kid when I saw a guy dragging his girlfriend down the street by her hair - turns out the guy was a local politician’s son, and I ended up facing a civil suit for her emotional distress caused by me interfering.
I’ve found vulnerabilities in US government technology, and I know that the sensible and sane thing to do is just move on, ignore it, let it be someone else’s problem - I have no desire to end up in prison for being a Good Samaritan.
If some greater fool can deal with it, let them deal with it. People don’t want help. They want someone to blame.
Thanks for the update. Not surprised to see the governor making the "fake news" argument rather than trying to criminalize the reading of HTML code - in browsers only - across the state of Missouri.
A few years ago an American lawyer wrote a book called Three Felonies a Day [0] whose premise is that "the average professional in this country wakes up in the morning, goes to work, comes home, eats dinner, and then goes to sleep, unaware that he or she has likely committed several federal crimes that day". If pressing F12 is a crime, the average software developer must be committing three felonies an hour.
As I recall, that book was considered pretty good but the consensus was that the title was off by a large amount. I.e. most people definitely do not commit three felonies a day. Maybe a few a month. Which is still bad, yes.
FWIW, I can't remember the last time I pressed F12 ;-)
That is intriguing. Within the source code of its HTML, the White House included an easter bunny encouraging people to apply for jobs if they are reading this message!
Would I be slandered and jailed for applying to this job offering by the US Gov't? What do you think Parson would have done in this situation? I did have to press F12, so this is quite the predicament! /s
It depends on how you count, but I can say someone in my house is in near-continuous possession of illegal drugs (cannabis). So there’s one felony. Then maybe I bypass paywalls (potentially a CFAA violation) scrolling through the morning news. And then maybe I jump through a closing train door, which I’ve been warned before is considered “interfering with a railroad’s operation.” So there, three felonies before I’m in the office.
> someone in my house is in near-continuous possession of illegal drugs (cannabis). So there’s one felony
Unless they've already been convicted in the past, that is a misdemeanor.
The railroad example is more interesting, though I can't find anything truly on point. All the legislation I have seen suggests you'd 1) have to intend to disrupt the service, and 2) put something on or near the tracks. I couldn't find anything even hinting that delaying a train through normal passenger controls constituted interference with a railroad.
Even if those were all felonies, I think most people don't even lead that exciting an existence :).
But is the intent to disrupt the train? No, it's to hold it long enough to get on board. The law is written such that you'd have to want to disrupt the service for nefarious reasons, not to board it.
Here in Europe disruption to board the train is enough to get police called on you and have them fine you, the fine grows with every minute of disruption. Not a crime, but definitely not legal. Stopping a moving train without necessary cause is criminal.
Very often the conductor will let you board a train late by signalling you with hand or speaking... But disobeying the conductor's signal whistle is where you step into potential illegality, because the train might (and sometimes really will) start moving that same moment.
All of this doesn't apply to city public transport - trams, metro etc. But it does apply to trains passing through the city.
Of course the GP's premise assumes that most devs are web frontend types that care about the HTML. Based on modern frontend libraries, is there really any default HTML that view source would see other than enough to load up the megabytes of JS code?
Yes, consider the case of server side rendering. Or even companies like Basecamp that disavow single page applications. Or massive legacy ASP, PHP and Java web apps.
Do you even need to press F12? Is looking at the HTML the problem? What if I just download the page? I now have leaked SSNs saved to my computer. Is that criminal in the governor's mind?
Each received TCP packet is a separate charge. After conviction, sentences will be served reliably and in order. Errors will be detected and punished severely.
The book is already a decade old. Surely technology has allowed us to inadvertently commit a greater number of felonies faster and with more efficiency!
I love the term fake news. As soon as someone uses it in some genuine fashion, I know that I don't have to take anything else they may say seriously. (Unless, of course, I become the direct target.)
I almost never wade into the cesspool that is YT comments but just this once I read through a number. Every single one made fun of the governor and the PAC that put together the video. That was mildly heartening.
The governor's stance is just posture. "We take these matters seriously".
It reminds me of that time, a few years after I was out of college and into a job. My professor contacted me to demo my class project to her students. To give them an idea of what they can do with web development. Her assistant told me that they couldn't figure out how to run it.
Of course, I took a day off from work, opened back up my school project, fixed the annoying bug. The web page required IIS to run so I could make Ajax requests. I decided to hardcode the data in json instead. So I went to school to present my project.
The professor was double clicking the file and it wasn't displaying properly. I inserted my USB stick, and ran it from there instead. The coral reef restaurant website appeared on the big screen. I explained that I had to make some changes so it would work locally. Before, I was using a web server.
"Web server?" she shouted. "You are not allowed to use a web server. So you guys cheated!"
At first, I thought she was just kidding. I explained that Chapter 12 specifically asks to boot up IIS in order to make use of Ajax. During my time, the rest of the class stopped at chapter 10. I completed the entire book because I was just in love with learning JavaScript. So unless you get to chapter 12, you don't learn about Ajax.
"I'll have to report you. The board might revoke your grade. Not just you but all your group."
You can only imagine how pale I became. But I understood what was happening. She had tried to run the project multiple times and failed. She couldn't debug it or figure out the issue. To save face in front of the class, she accused me of having cheated. This is the exact thing the Missouri officials are doing.
No, at the end of the day my grades were not revoked. Plus I had dropped out of college and was working in the field for a couple of years already. But it goes to show you the lengths people would go to just to save face.
All I've learned from this entire escapade is that the next time someone finds a major vulnerability in a Missouri state website, they will know that the best path forward is to sell it to criminals.
They make some money and they don't have the Governor attacking their reputation.
Then don't tell them the source. Just "Hey, I've got 100,000 full names of living people with valid social security numbers, what will you pay me for them?".
I have no idea what the market for those are, but I can imagine it being a better deal than having politicians trying to have you arrested.
> All I've learned from this entire escapade is that the next time someone finds a major vulnerability they will know that the best path forward is to sell it to criminals.
The state is not proceeding with any legal actions, right? And they're not, because they've already concluded the governor is full of crap, right?
So far all I've seen here is the governor repeatedly make a fool of himself while the rest of the state is backing away slowly from the crazy old man.
The STL Dispatch actually really wants the state to try to sue here, and I don't think Parsons quite appreciates just how much trouble his statements can get him in.
As of this week, the governor is still making noise about investigating and pressing charges.
> Despite mounting public backlash, Missouri Gov. Michael Parson isn’t backing down from threatening to prosecute a journalist for accessing personal information of Missouri teachers to expose a security lapse in the state’s website.
..
> Yet, the governor’s office continues to contend Renaud is open to prosecution for his actions. An email to The Record from Kelli Jones, communications director for the governor’s office, said an investigation into Renaud’s actions is ongoing, but described his action as a “hack” that was more than just “a right click,” and that Renaud broke Missouri law.
> “The facts are that an individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information,” Jones wrote in an email.
..
> “A hacker is someone who gains unauthorized access to information or content,” Parson said during a recent press conference. “This individual did not have permission to do what they did." He said Renaud was simply attempting to "embarrass the state" and "sell headlines." "We will not let this crime go unpunished," Parson said.
I know nothing about law, but would there be ground for some form of defamation here? At this point, the governor has had what the reporter did thoroughly explained to him, and he keeps claiming that this is "hacking" seemingly just because he's embarrassed. From my perspective, it seems like he's outright lying and making accusations of criminal activity, in order to besmirch the name of someone he doesn't like.
In the U.S., defamation is generally covered by state law, with very few exceptions. There's also usually substantial immunity for officials acting in an official capacity (Parsons is addressing an issue of governmental embarrassment not personal embarrassment).
I think the better route is impeachment for failing to take care that the laws are faithfully executed and abuse of office. But it's not clear that Missouri provides a way for the newspaper or any individual to force that issue.
you're turning the case around- yes, you're right, the reporter and academic could sue, but it's not worth it (the defamation wasn't particularly effective) IMHO. It would mainly just make money for lawyers and mildly embarrass the state.
Realistically, there's an IT executive in the Missouri government who screwed up, and the newspaper should be suing the state for criminal infosec practices (they did, after all, leak individual SSNs).
As a Missouri resident, what is the best method of contacting these buffoons (and their opponents) to voice my displeasure with this appalling response from state officials?
As much as this feels good to say this there are still Republicans that are ethical, responsible people.. and plenty of Democrats who are not.. so let's refrain from stereotyping.
Agreed, what people fail to grasp when they're frothing at the mouth about how their opponents are evil (which is reflected back at them by people on the other side) is that this state of extreme division is the fuel that perpetuates the problem. Your participation in "putting the other side down" is the very thing that fuels a mutually beneficial relationship that is best characterized as symbiotic not oppositional.
The only out is ending the symbiotic relationship at the place that fuels it and breaking the duopoly. And not giving in to cynicism.
This is all setting up for a lawsuit against the government for libel. Especially as the governor now is amplifying his attack rather than backing down. When they first went on the attack you could play it off with an excuse that they didn't know any better, but after they were informed, it's now into the territory of libel. However IANAL.
It looks like part of the attack on the free press, and on dissent generally, by the governor's political grouping. Freedom won't survive unless the public makes it a higher priority than political power. People who support that political grouping need to make it clear to their representatives that liberty comes first.
I know that "bleeds it leads" is the rule for journalism, but I sort of wish there were a way to tell people to stop giving this story oxygen.
The governor knows his claims are foolish and he knows he's building a controversy out of thin air. It's playing great with his constituents, and the fact that his position of power inclines people to take him seriously means he can get away with it.
I understand your point, but what's the alternative? The answer can't be to roll over and ignore negligently/dangerously ignorant people in positions of power.
If your premise is true (that the harder those who understand this push against it, the harder he will push back, and the voters of his state like him for that) then there is no winning strategy here.
Your role in this game is to get angry at the stupidity of the governor. Your prize is rage. The winning strategy is not to play, let the courts battle this crap. If you want to do something, donate to the EFF or another organization or this prof’s legal fund (if he has one?).
Why would refusing to cover the story stop that problem? He’s literally running ads with it so it’s going to get plenty of oxygen no matter what. Might as well try to get the actual truth out there as well.
This is absolutely one of those cases where public attention and pressure can spare someone from getting lost in the legal system. Burying the story only helps those abusing their power.
To a lot of us, that looks like nonsense, but you have to remember how far through the looking-glass a lot of the conservative populace has gone... The press is now the enemy in their mind, and they don't understand technology well enough to get why these claims are ridiculous. So he gets to build steam and any pushback is just seen as more "fake news" coverage that would (of course) support their fellows in the media.
It's deeply frustrating because it's a form of social jujitsu built atop existing mistrust, and there aren't good ways to combat it.
The title truncation is so unhelpful and IMO editorialising. Is it ", judge said", meaning case closed and the statement can be said as fact? Is it maybe a quote from an institution like the EFF, defending him?
I tried every variation to get the hed to fit under 80 chars — it was either “emails said” or “Missouri”
In any case, the “nothing out of line” comes from a security expert reviewing the emails:
> While Missouri officials redacted most of Renaud’s second email, Katie Moussouris, the CEO of Luta Security, told StateScoop it appears he took all the right steps in disclosing a vulnerability.
> “Nothing in what you’ve shared with me looks like it was out of line with sensible coordinated vulnerability disclosure activities of any researcher trying to protect victims of sensitive data exposure,” said Moussouris, a co-author of the international standards for vulnerability disclosures.
I understand why. It doesn't make it any less laughable. Don't editorialize the title, except we're going to make it impossible not to. eyerolllikeimateenager