by joshenberg 1703 days ago
Quote from the St Louis Post Dispatch article is even more groan-worthy:

"In the letter to teachers, Education Commissioner Margie Vandeven said “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”"

I guess webpages are kinda like encryption for idiots.

14 comments

We live in a world where everyone thinks they understand computers and have an expectation of security and privacy, but they don't realize how hard it is to build these systems correctly. The best security appears to be invisible to the consumer, but requires a lot of thought by the implementer.

This is the same reason why I think most of the general public don't understand how much data social media apps can collect on them. I know a lot of average technology users, who allow every single permission whenever an App asks them, because they're like obviously it's not going to do any harm. Without realizing how every action they take is recorded in a database somewhere, which will get compromised sometime in the future.

I'm not a mobile developer, but it would be interesting if iOS provided a service that allowed data to never leave the phone and provided an API for Apps to get particular types of data and showed warning levels in the App, each time more sensitive data is accessed. The App store needs to be a place where if I download an App from, I need to have the peace of mind that it won't cause more harm than good.

> I'm not a mobile developer, but it would be interesting if iOS provided a service that allowed data to never leave the phone

I'm not sure I follow. Do you mean the app wouldn't be allowed to send any data over the network? As soon as the app can send any data, it's trivial to hide in there whatever the app wants to send home.

My idea is that Apple encourages Apps and features / adds badges for those apps that only store data locally. The local storage should be able to identify different types of data. They provide an API that allows data to be queried so that whenever an App queries some critical or confidential data it throws a big warning.
The developer would just query the sensitive field either immediately or at a seemingly reasonable moment (along with dozens of other sensitive and non-sensitive fields), put everything into a blob, and then send it to the server as an opaque web request to some innocuous looking endpoint like POST /login.

You either have to completely trust the developer today and forever after, or you need to make some fundamental advancements in homomorphic cryptography. "Secure data store that can be queried with a permissions box" doesn't work.

> it would be interesting if iOS provided a service that allowed data to never leave the phone

But it would probably be even more interesting if you could send out, say, the address of a Web page you wanted to see in your browser.

> but they don't realize how hard it is to build these systems correctly.

In this case, it sounds like the SSNs were included in their entirety in the HTML. My first response is that it's a stupid and obvious mistake, but I think it might be too suspiciously easy to only blame the developers here.

I think we have a larger problem - which is that there's a hidden cost to adding extra layers of magic to software. And on the web, we seem to just not be able to help ourselves. The cost is that developers often skip actually understanding how the new layers work. And the abstractions are leaky with respect to performance and security, and sometimes functionality.

It's easy to imagine how this bug slipped through. They had a database query which fetched the data for rendering. Then they used some "magic" framework which does server side rendering & hydration. So the server sent the JSON it used to render to the client to dehydrate the page, and that JSON happened to include the raw database rows (with SSNs). The system is magic enough so you don't have to understand how that process works; but not magic enough to protect you from the consequences.

Junior devs use the magic anyway and get stuck, or make mistakes like this. Senior devs feel like we have to learn everything and get overwhelmed.

Other examples of this:

- Recently I wanted to use some rust code (compiled to wasm via wasm-pack) in a svelte project with snowpack or rollup. I know how to include wasm in a webpage, but the bundlers needed special plugins to handle this. And the plugins for wasm are halfbaked, poorly maintained and janky.

- I worked with a team a few years ago who was using some graphql wrapper around contentful. (Before contentful had an official graphql endpoint). The wrapper was very good, but we needed to run some queries that weren't supported by the wrapper. This was close to impossible. Nobody on the team was strong enough to read the graphql code to figure out how to solve our problem. I did it eventually - via some custom endpoints. But I shouldn't have. After I left the team had no idea how to maintain or modify the code I wrote, and they were entirely stuck.

- The "web obesity crisis" comes from projects pulling giant amounts of javascript into their webpages. Our tooling makes this easy (npm install) and safe (incompatible versions of the same package are included separately). So it's easy to end up with libraries like web3, which include about a dozen different versions of bn.js resulting in 2.3mb of uncompressed JS which takes nearly a second to parse on a modern computer. - [1] https://github.com/ChainSafe/web3.js/issues/1178

I don't know what the answer here is, but I know when I was writing qbasic as a kid it wasn't like this. Maybe we need to stop going "up the stack", and instead go sideways - throwing things out as we add more. I worry this whole problem will get much worse before it gets any better.

> echo json_encode($search_results);

This is how I found out how much I, and all other contractors were being paid. And also how much the contracting company was actually charging the clients. All the data was being returned in a json but very little was being displayed.
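The leak pattern described in the two comments above (raw database rows reused as hydration JSON, or a bare `json_encode` of the full result set), as an added example that is not part of the thread and not code from any system it discusses. The row shape, field names, `__STATE__` element id and all function names are hypothetical; the sample rows and SSNs are constructed.

```javascript
// Constructed sample rows, as a database query might return them (SSNs are fake).
const rows = [
  { id: 1, name: "A. Teacher", certificate: "Math 9-12", ssn: "000-12-3456" },
  { id: 2, name: "B. Educator", certificate: "Art K-8", ssn: "000-98-7654" },
];

// Escape text for HTML, and "<" inside JSON so it cannot close the <script> tag.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));
const safeJson = (v) => JSON.stringify(v).replace(/</g, "\\u003c");

// Shared renderer: visible markup shows only name and certificate,
// but the hydration state is whatever object the caller passes in.
function renderPage(visibleRows, hydrationState) {
  const items = visibleRows
    .map((r) => `<li>${escapeHtml(r.name)}: ${escapeHtml(r.certificate)}</li>`)
    .join("");
  return `<ul id="results">${items}</ul>` +
    `<script id="__STATE__" type="application/json">${safeJson(hydrationState)}</script>`;
}

// Leaky: the raw rows are reused as hydration state, so every column ships to the browser.
const renderLeaky = (dbRows) => renderPage(dbRows, { results: dbRows });

// Hardened: project each row onto an explicit allow-list before it reaches the serializer.
const PUBLIC_FIELDS = ["id", "name", "certificate"];
const toPublic = (row) => Object.fromEntries(PUBLIC_FIELDS.map((k) => [k, row[k]]));
function renderHardened(dbRows) {
  const view = dbRows.map(toPublic);
  return renderPage(view, { results: view });
}

// Release check: flag SSN-shaped strings or sensitive key names anywhere in the response body.
function findSensitive(html) {
  const hits = [];
  for (const m of html.matchAll(/\b\d{3}-\d{2}-\d{4}\b/g)) hits.push(`ssn-pattern:${m[0]}`);
  for (const m of html.matchAll(/"(ssn|social_security_number)"\s*:/gi)) hits.push(`key:${m[1]}`);
  return hits;
}

console.log("leaky:", findSensitive(renderLeaky(rows)));
console.log("hardened:", findSensitive(renderHardened(rows)));
```

The visible list is identical in both versions; only the embedded state differs, which is why a check like `findSensitive` has to run over the full response body rather than the rendered page.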

Looking at the story, this is more of a posture thing. I'm sure the Governor is surrounded with people who can tell him that no hacking took place, but why miss an opportunity to show you take the privacy of Missourians to heart.

wow, what fraction of websites leak data I want to look at? should I be poking at every non-tech-giant site I go to?
You will be surprised. Do an "Inspect Element" and have fun filtering on "XHR requests". Notice that JSON that a lot of those requests return. but sshhhh, you didn't hear this from me.
With the move to client-side rendering, too many. The backend becomes dumber and dumber and all logic such as filtering data moves to the frontend. You'd be surprised what you can find poking around at APIs that client-side apps use.
Careful, son, you're quickly entering elite hacker turf.
Don't worry, I only do all this behind 7 proxies. Plus I called google and they know all about it.
The analogy is going up to a house and checking all the doors and windows to see if they are locked. That's rather like port scanning, a form of 'poking'. If you go to a state government web site and do that, even if you don't exfiltrate data or load it up with ransomware, it's definitely very shady behavior, although it seems there are no laws against it in the USA (some ISPs will ban users caught doing this however).

Obviously if you broke into someone's house and then asked them to pay you for your 'vuln discovery', err...

However, I think looking at HTML code on a public facing web page is not that. If you hang naked pictures of yourself on your front door, you don't get to complain when people take pictures of them.

1. https://www.calyptix.com/top-threats/port-scanning-legal-ans...

The data was sent to my browser. The more fitting analogy to me is that I get a letter and a huge pile of documents in a giant binder. Some of the documents are referenced in the letter. Now the sender gets upset because I started looking at the documents in the binder that weren't referenced in their cover letter.
Sorry to add some more to my own analogy: some of the unreferenced pages in the giant binder also sometimes will contain wiretapping devices.
Last year, when a Nintendo Switch was difficult to come by, I found that a large retailer’s API returned exact stock counts (and even restock dates in some cases) for any physical store you wanted. Got a Switch for myself and a couple friends in an afternoon.
Nothing, and I mean nothing could give me a grimmer impression of cops' abilities to deal with tech. I guess all of the technically capable cops are busy installing government surveillance systems.

About 12 years ago, someone smashed the window of my car and grabbed my messenger bag, including my cheap prepaid smart phone and shitty laptop— I was a line cook at the time, and those were my most valuable possessions except my knives. Filed a report and moved on. Hours later, I saw a picture of a person I didn't know standing next to a car with a visible license plate automatically auto-uploaded to my Facebook account from my stolen phone. I called up the detective assigned to the case, but as soon as I said "uploaded" he said I needed to talk to the "computer guy," who called me the next day. After— no shit— 15 minutes of back-and-forth, this expert absolutely could not understand that I wasn't trying to report the new crime of someone accessing my Facebook account without authorization. He had no clue how it possibly could have been related to a telephone. In 2009.

Before I cooked, I'd worked in support from entry-level call centers to code level third-tier support. I am completely confident in my ability to explain WAY more complicated technical ideas to folks who've never used computers before... but I just had to give up. I didn't know what else to do. He was possibly the least technically capable person I've ever encountered and I used to help 90 year olds remove spyware from windows 98 machines. I said never mind and hung up the phone. Depressing.

If it is served via https, it is encrypted.

Edit: sorry, forgot the /s

I knew u forgot the /s. If the Governor understood https and encryption, he wouldn't be penalizing the reporter for "View Source". Clearly he got caught at being incompetent and he is doubling down on "how dare you"
Well you see the Internet is not something that you just dump something on. It's not a big truck. It's a series of tubes!
nono - 'view source' is really the 'hack this website' button, it's just called 'view source' to keep the bad guys from knowing about it.
Not once it's loaded by the browser it's not.
Oh shit, I'm reading your encrypted message right now!
You should consider responsibly disclosing this vulnerability rather than posting it here.
It's ok, the disclosure is also encrypted.
No it's not, you forgot to wrap it in an "<encrypted>" tag.
Don't forget the </encrypted> tag or else the rest of the internet's traffic will be encrypted forever.
Don't dare disclosing it in Missouri!
I didn't get the joke. Can anybody explain it?
Https traffic is indeed encrypted, but it's encrypted for you the user.

It's like saying you stole documents from a sealed container when that container had your name on it, it was addressed to you, and you had the key.

if it's in plain text in the html served, it isn't
But if you're an idiot to believe viewing source is hacking, then you're clearly the type that viewing the source is viewing encrypted data.

The actual quote states that the data was first "unencrypted" before viewing the source. This is in fact correct if not poorly phrased, but who'd expect proper terms used when we're talking about "these" people?

I get what the article says and what the county claims. That doesn't make what the parent said right.
expand the lawsuit to Apple, Google, other heathen browser makers
Just wait. I wouldn’t be surprised.
jesus christ...
yes...?
Get the Escalade
With mustard and mayonnaise on the blades
* https://oa.mo.gov/commissioners-office/news/state-missouri-a...

The State labeling a reporter as "a hacker".

* https://dese.mo.gov/media/pdf/educator-data-incident-commiss...
* https://twitter.com/mocommissioner

State Education Commissioner refers to reporter only as an "individual". The Commissioner signs the letterhead "PhD". Sarcastically, I presume the PhD corresponds to the increase in level of correctness, from "hacker" to "individual".

You left out the best bit: "through a multi-step process"
Nice catch... Unbelievable. What isn't a multi-step process, really? The first thing I do in the morning is to make coffee and though I've distilled that process down to its bare minimum so I can do it while still half asleep, it is still very much a multi-step process...
Taking a shit is a multi step process! The absurdity of the phrase is boggling my mind.
Right click.

View Page Source.

That's 2 steps. Hence, multi-step.

Could do it in a single step with F12. I suppose then you still have to scroll/search to find the relevant nodes... "multi-step" indeed
Option+Command+U

:)

Three steps! What hacker could envision such an elaborate plan?
Don't worry. A listener for contextmenu with a good ol' preventDefault() will stop those pesky hackers!
"unencrypted the source code" means they ran an unminify tool. Very advanced; criminal masterminds. /s
Probably just "View Source".
Probably without comments stripped.
I sincerely doubt it was minified
What meijer said ^^. It’s html, just view source.

Now they’ll sue browser makers for distributing hacking tools.

I can't wait to see the legislation that treats plaintext as encrypted, and goes on to criminalize all written and electronic communication.
We must end all encryption --FBI
Where "unencrypted" means "turned the web page over, and read what was printed on the back of it".

It seems stupid to us, but non-techies just won't understand unless we come up with reasonable analogies.

"Unencrypted" in this context means "did something we don't understand".
Will this definition of encryption hold for HIPAA cases in Missouri?
I feel like not understanding basic things like that should get you fired. The Education Commissioner and Governor of the State of Missouri have demonstrated a lack of understanding of basic technologies. At this point, that means they lack core competencies to do their job, and should be fired.
I would totally not expect an old white guy politician to be up on web protocols. No worries about that.

He either has staffers who told him the real issues and he discounted them to score points, or hired incompetent staffers who gave him B.S., or he hasn’t found anyone to give him the real info. Those are the disqualifiers.

Memories of Mitt Romney appearing to actually dig into tunneling and adhesives during an investigation of Big Dig flaws in Massachusetts. He might have been posturing but at least it was the right posture.

> I guess webpages are kinda like encryption for idiots.

I prefer to call them muggles.

How relevant for education and today. The education commission should have "send a flu shot!" lmfao