disclose / research-threats

Collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong. A continuation of work started by @attritionorg
https://threats.disclose.io/
Creative Commons Zero v1.0 Universal

Add The State of Missouri & St Louis Post-Dispath Incident (Started an HTML Decoding Meme) #36

Closed sickcodes closed 2 years ago

sickcodes commented 2 years ago

Mobile friendly:

On October 12th, the Missouri Department of Elementary & Secondary Education was made aware of a vulnerability in a portal that was leaking personal information of Missouri educators. Missouri Gov. Mike Parson, in a press conference, stated that at least 3 educators' data was specifically accessed. It is not known whether these 3 educators' data were used to validate the vulnerability, or whether they were specifically targeted by the researcher. It was stated that it would not be possible to download all of the personal data at once. Under 2017 Statute 569.095 of Missouri Law: "A person commits the offense of tampering with computer data if he or she knowingly and without authorization or without reasonable grounds to believe that he has such authorization: Accesses a computer, a computer system, or a computer network, and intentionally examines information about another person; a class A misdemeanor." The Gov. stated that this may cost at least $50 million to patch, diverting Missouri State resources for legal costs, the Cole County Prosecutor, and the Missouri State Highway Patrol Digital Forensics Unit to investigate the alleged wrongdoing. Therein lies the issue: had this vulnerability not been reported to the vendor, it would remain vulnerable. To complicate matters for both the researcher and the vendor (ITSD, who programs & maintains the portal), it was alluded to during the press conference that the researcher was going to use the information for political gain, under the guise of research. In Missouri, it is unlawful to access "encoded" data, which may include viewing HTML source code, and systems to compromise to embarrass the state and allegedly "sell headlines" for their news outlet.
Two issues that should be highlighted in this event are that it can be argued that it is a Class A misdemeanor in Missouri to push the F12 key while browsing a website, but the researcher has also been alleged to either be employed by or have provided the data to a local news outlet, as a "political vendetta," which could fall under bad-faith research, or hacktivism, if the data was published. Regardless, the embarrassment of a leaky portal lies with the developer of the website, and the St. Louis Post-Dispatch stated: "The newspaper delayed publishing this report to give the department time to take steps to protect teachers' private information, and to allow the state to ensure no other agencies' web applications contained similar vulnerabilities."

| When | Entity | Researcher(s) | Topic | Status |
| --- | --- | --- | --- | --- |
| 2021-10-15 | The State of Missouri | St. Louis Post-Dispatch | State law vs. good-faith research, alleged hacktivism. | On October 12th, the Missouri Department of Elementary & Secondary Education was made aware of a vulnerability in a portal that was leaking personal information of Missouri educators. Missouri Gov. Mike Parson, in a press conference, stated that at least 3 educators' data was specifically accessed. It is not known whether these 3 educators' data were used to validate the vulnerability, or whether they were specifically targeted by the researcher. It was stated that it would not be possible to download all of the personal data at once. Under 2017 Statute 569.095 of Missouri Law: "A person commits the offense of tampering with computer data if he or she knowingly and without authorization or without reasonable grounds to believe that he has such authorization: Accesses a computer, a computer system, or a computer network, and intentionally examines information about another person; a class A misdemeanor." The Gov. stated that this may cost at least $50 million to patch, diverting Missouri State resources for legal costs, the Cole County Prosecutor, and the Missouri State Highway Patrol Digital Forensics Unit to investigate the alleged wrongdoing. Therein lies the issue: had this vulnerability not been reported to the vendor, it would remain vulnerable. To complicate matters for both the researcher and the vendor (ITSD, who programs & maintains the portal), it was alluded to during the press conference that the researcher was going to use the information for political gain, under the guise of research. In Missouri, it is unlawful to access "encoded" data, which may include viewing HTML source code, and systems to compromise to embarrass the state and allegedly "sell headlines" for their news outlet. Two issues that should be highlighted in this event are that it can be argued that it is a Class A misdemeanor in Missouri to push the F12 key while browsing a website, but the researcher has also been alleged to either be employed by or have provided the data to a local news outlet, as a "political vendetta," which could fall under bad-faith research, or hacktivism, if the data was published. Regardless, the embarrassment of a leaky portal lies with the developer of the website, and the St. Louis Post-Dispatch stated: "The newspaper delayed publishing this report to give the department time to take steps to protect teachers' private information, and to allow the state to ensure no other agencies' web applications contained similar vulnerabilities." |
Albonycal commented 2 years ago

:joy: