Emails show what happened before Missouri gov. falsely called journalist a “hacker”

Officials drafted statement thanking reporter, then threatened to prosecute him.

Missouri state government officials planned to publicly thank a journalist who discovered a security flaw until a drastic change in strategy resulted in the governor labeling the journalist a "hacker," while threatening both a lawsuit and prosecution.
As we wrote on October 14, St. Louis Post-Dispatch reporter Josh Renaud identified a security flaw that exposed the Social Security numbers of teachers and other school employees in unencrypted form in the HTML source code of a publicly accessible website. Renaud and the Post-Dispatch handled the problem the way responsible security researchers do—by notifying the state of the security flaw and keeping it secret until after it was fixed.
Despite that, Missouri Gov. Mike Parson called Renaud a "hacker" and said the newspaper's reporting was nothing more than a "political vendetta" and "an attempt to embarrass the state and sell headlines for their news outlet." The Republican governor said further that his "administration has notified the Cole County prosecutor of this matter," that the Missouri State Highway Patrol's Digital Forensic Unit would investigate "all of those involved," and that state law "allows us to bring a civil suit to recover damages against all those involved."

“We are grateful to the member of the media”

But only two days earlier, a government spokesperson was preparing a quote to publicly thank the journalist, as the Post-Dispatch reported today:
In an Oct. 12 email to officials in Gov. Mike Parson's office, Mallory McGowin, spokeswoman for DESE [Department of Elementary and Secondary Education], sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered. "We are grateful to the member of the media who brought this to the state's attention," said a proposed quote from Education Commissioner Margie Vandeven. The Parson administration and DESE did not end up using that quote. The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a "hacker." And on Oct. 14, Parson held a news conference to rail against the Post-Dispatch and announce a criminal investigation by the Missouri State Highway Patrol. "We will not let this crime against Missouri teachers go unpunished," Parson said at the news conference. "And we refuse to let them be a pawn in the news outlet's political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them."
The Post-Dispatch obtained the October 12 email in a public-records request. The plan to thank the journalist was apparently scrapped by 1:18 pm on October 13, when "McGowin emailed Kelli Jones and Johnathan Shiflett, who both work in the governor's office, to say Vandeven wanted her to meet with governor's office officials," the Post-Dispatch wrote. A draft news release emailed by McGowin at 3:46 pm, apparently after that meeting, referred to the journalist as an "individual." A further revision emailed by Shiflett at 4:20 pm called him a "hacker."

FBI apparently told state it wasn’t a hack

That all happened even as a Federal Bureau of Investigation official apparently told the state that the journalist was not a hacker, the Post-Dispatch reported:
Meanwhile, at 3:24 p.m. on Oct. 13, Angie Robinson, cybersecurity specialist for the state, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis. "Kyle informed me that after reading the emails from the reporter that this incident is not an actual network intrusion," she said. Instead, she wrote, the FBI agent said the state's database was "misconfigured," which "allowed open source tools to be used to query data that should not be public."
The email from Robinson further reported that "Kyle said the FBI would speak to Gwen Carroll, the AUSA (Assistant US Attorney), with the updated information from the emails to see if this still fit the crime and if she was interested in prosecuting."

Viewing source code isn’t illegal or “hacking”

Also caught up in the October mess was Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis who helped the Post-Dispatch journalist verify the security vulnerability. After the governor's threats, Khan hired an attorney and sent a letter to Parson and other state officials saying that they violated his First Amendment "right to speak freely without the threat of government retaliation." The letter adds that the state's investigation into Khan "would violate the prohibition on malicious prosecution."
Khan's letter also explained that viewing a website's unencrypted source code is not illegal or "hacking." "No statute in Missouri or on the federal level prohibits members of the general public from viewing publicly available websites or viewing the website's unencrypted source code," the letter said. "No reasonable person would think they were unauthorized to view a publicly available website, its unencrypted source code, or any of the unencrypted translations of that source code."
The Missouri government website was designed to let the public search teacher certifications and credentials. But "a major security flaw" in the website caused it to "send the full Social Security number of Missouri teachers to every visitor to the website, whether the visitor was aware or not. That information was also programmed to be automatically stored in the visitors' web browsers," Khan's letter said.
The source code could easily be translated into plain text. "None of the data was encrypted, no passwords were required, and no steps were taken by the State of Missouri to protect the Social Security numbers of its teachers that the State automatically sent to every website visitor," Khan's letter said.