Hacked - Dead Messengers

Episode Date: December 1, 2021

Jordan Bloemen & Scott Francis Winder discuss one of the most dangerous jobs of all: the messenger. If you like the show and want to make sure we can keep making it, please subscribe and if you can visit https://www.patreon.com/hackedpodcast and show us some love.

Transcript
Starting point is 00:00:00 First of all, good afternoon. And thanks everybody for coming in this morning. In October of this year, Missouri Governor Mike Parsons stepped up to the podium to deliver a terrible piece of news. We are working to identify the teachers whose information was compromised and any others that may have been compromised. There had been a hack, and the private information, social security numbers, of Missouri teachers had been exposed. It is unlawful to access encoded data and systems in order to examine other people's personal information. And we are coordinating state resources to respond and utilize all legal methods available.
Starting point is 00:00:43 The damage, incalculable. Between fixing the website and the cost of law enforcement to investigate, Parsons estimated that this was going to cost taxpayers upwards of about $50 million to remedy. So help him God. He will not rest until he brings those responsible to justice. But let me be clear. This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians. And now, Scott, I'd like to tell you in as much detail as I can possibly muster how the people responsible executed this hack and how you probably have, too.
Starting point is 00:01:23 If you were to open a browser and go to the Missouri State Teachers website and right click on the site and click view source code, like the thing where you can view the HTML on a website, or like any browser can do it, like the basic functionality. If you were to have done this on the Missouri teachers website about a month ago, you too would have found yourself staring at the confidential information of these teachers. You too would be a hacker, worthy of the full weight of the Missouri legal system slamming down on you like a cinder block. A hacker is someone who gains unauthorized access to information or content.
Starting point is 00:02:08 This individual did not have permission to do what they did. They had no authorization to convert or decode. So this was clearly a hack. But the hackers, they made one crucial mistake. Upon discovering this, you know, vulnerability, sorry, committing this hack, they informed the Department of Elementary and Secondary Education, hey, your site has this vulnerability and the private information of all these teachers is available to anyone that knows, like, how to view source code on a website.
Starting point is 00:02:39 And they did this because they were journalists reporting on the vulnerability. And they were telling the government so the government could fix it before they went to print. And now the government in Missouri is very, very angry about it. And I think I'm now done being sarcastic. We've all heard the expression, don't kill the messenger. And Mike Parsons has endeavored to just rambo the crap out of these journalists and security researchers who had the gall to deliver the message that there was a vulnerability exposing these teachers' private information. Not just the three that Parsons cites, but hundreds of thousands of teachers whose data was made vulnerable by this technical failure. And this isn't the first time this kind of thing has happened.
Starting point is 00:03:22 The history of hacking and the laws governing cybersecurity is the history of people getting harmed trying to warn the authorities that there's danger in front of them. So that's what I want to talk about today, about this story and a couple others that show that sometimes in the world of hacking and cybersecurity, just delivering the message that someone is in danger is a great way to end up dead. Here on Hacked.
Starting point is 00:03:48 This data was not freely available and had to be converted and decoded in order to be revealed. So let's just get something out of the way up front. Is viewing the HTML on a website hacking? Scott. Oh boy, absolutely not. Not only that, it's at times like this that I wish that I was a lawyer because I would love to be the one to rip this case apart, because the HTML of a website is actually sent to you from the web server when you make the request. So when you make the request for the website,
Starting point is 00:04:40 the web server actually sends you all of that data. And then your web browser (and each web browser does it differently) renders that data into the actual web page, which any web developer will know and hate because often they're inconsistent across multiple browsers, which makes web development a pain in the neck. So if there's a bunch of private data embedded in the HTML code and like hidden away so that it's not rendered on the screen, that is just god-awful web app design. And looking at what you've been sent in a raw form is by no means hacking. If anything, all of the negligence and liability needs to flow back to the people that are sending that private data out through a non-confidential channel. So yeah, that's not hacking
Starting point is 00:05:29 and I'm disgusted. Yeah, to my mind, like the source code of a website is the thing that you publish and a browser is just one way of viewing that published content. But it's not hacking. You haven't super like gone around anything. No, if you know anything about what constitutes confidentiality. Like that information is so publicly disclosed that the server would send it out in like
Starting point is 00:05:56 the server would send it out in its entirety to you. So it's like it's not confidential. It can't be confidential. You're literally broadcasting it. Therefore it is no longer confidential information. And if it was confidential information, the issue should be with
Starting point is 00:06:12 who broadcast it, not with who received it. So sometime in the week or so leading up to October 12th, and this was just last month, a journalist named Joshua Reneau at the St. Louis Dispatch finds himself having discovered this vulnerability, having discovered that they've published this information. And we can speculate as to why he was looking for it. There's some evidence to that effect later. The point is that Missouri's Department of Elementary and Secondary Education, DESC, maintains this public-facing website that lets you look up teachers, find their basic, publicly available information. They're public servants, they're watching children.
Starting point is 00:06:49 Here's almost like a telephone book of who they are, where they teach. Sure. That's pretty much it. Makes sense. Yep. And Renaud discovers that if you go to one of these profiles and you view source code, well, now you're looking at a bunch of not public information, social security numbers, of these teachers.
Starting point is 00:07:06 We've already talked a little bit about how that's certainly not hacking. And we'll get to that more later. But like, can you maybe guess why that would even happen, why that information would be in the source code at all? Sheer, like, and this is, if this sounds offensive, it's because it probably is, and it should be: sheer laziness. Because obviously that information is coming from the same, and this, like, sorry, I'm going to distract myself here, but it's like, that information is clearly coming from the same database table. And instead of just pulling the select pieces of information that they need to make the web page, they're pulling it all. And then they're just not rendering or showing the stuff that they shouldn't have.
Starting point is 00:07:50 They're just hiding it, which has two problems. One, they should only be pulling what they need. And two, the second and bigger problem is that they shouldn't be pulling from the same database table. Like there should be, you know, a wall between private and public data. Like if somebody hacks that web server, they shouldn't have access to all of the teachers' private records. You know, socials, payroll, et cetera like that. That stuff should all be on information that's inside of the enterprise,
Starting point is 00:08:24 not information that's sitting on the web servers or in database servers that are accessible from the web servers. Like that's, you know, security 101. So not only should they not have been publishing this, even if it was into non-visually rendered HTML, not only should they not have published it, but they shouldn't have even been storing it on the same infrastructure,
Starting point is 00:08:43 if storing it at all as the content that they were trying to publish. Yeah, 100%. Like, if you could anything, like if you put a server outside, like in the demilitarized zone, like out in the world, you put a server on the web, you can assume that that server will maybe potentially get hacked at some point. And those hackers will then have access to the network and the infrastructure that that server has access to. And if that server has full database access to like all of the confidence, records, then the hackers will have, you should assume that the hackers will get full database
Starting point is 00:09:19 access to all of the confidential records. So the best thing to do is to replicate over only the data that you need to render the website to a database server that, you know, the web server then has access to. So, you know, you put walls up between pieces of infrastructure to prevent people from crossing through them. And the more walls between something that's public and something that's confidential, the better. Does that make sense? Yeah, no, that makes sense. So the journalist Renault reaches out to a cybersecurity professor at the University of Missouri-Saint-Luiz named Shaji Khan. And Khan replies to him over emails that we now have access to, saying, quote, yeah, we've known about this type of flaw for at least 10 to 12 years, if not more. The fact that this type
Starting point is 00:10:03 of vulnerability is still present in the D-E-S-A web application is mind-boggling. And unfortunately, these types of flaws and poor design choices are more common than we'd like. Local and state governments across the country are often still using applications designed many years ago, potentially containing serious security flaws. Khan uses a really relevant word there. He says it's still present in these web applications. Because this wasn't like a general observation. This kind of thing had happened already.
Starting point is 00:10:34 And it sort of goes to explain why Renault as a journalist would have had some reason to be checking for these basic, basic vulnerabilities on a DESE website. The state auditor's office had previously flagged the department's data collection practices during an audit in 2015. And during that 2015 audit, they found that the DESE, same group, was storing students' social security numbers and other very easily identifiable personal information in its information system for no discernible reason whatsoever. They had the information.
Starting point is 00:11:07 They gathered it at some point, and for some strange reason they were continuing to store it, and it was also very vulnerable. And the audit urged them to stop doing that and start creating a comprehensive policy for responding to data breaches. And the department said, yeah, yeah, we hear you. We have complied, box checked, all is well. And that was five years ago before this happened. So, Renaud makes this discovery. DESE is still continuing to do the same thing that they got in trouble for before.
Starting point is 00:11:37 he writes his article. There's a common practice when it comes to journalists covering like a leak of confidential information kind of like this. You see it a lot in whistleblower cases. The basics, before you go to print, you have a journalistic and ethical responsibility to go to the relevant parties and say like, hey, we're going to publish this. And we're giving you warning to make sure you do whatever you need to do to make sure us publishing doesn't do any harm.
Starting point is 00:12:04 Like if you're going to publish a data leak about the military, it could put real humans who did nothing wrong in harm's way. And so even if you have a responsibility to publish, you also have a responsibility to talk to the people you're kind of exposing and make sure a raw detail doesn't do any harm. You have to disclose. So, Renaud, journalist who finds this, reaches out to the DESE, gets put in touch with their spokesperson, a woman named Mallory McGowan, who replies, in a very spokespersony way, we've worked with our data team in the Office of Administration to get that
Starting point is 00:12:37 search tool pulled down immediately so we can dig into the situation and learn more about what has happened. Kind of response you'd expect. They're looking into it. McGowan says on Tuesday of that week that the department's going to look at the findings and they're going to talk to the newspaper. We're going to get back to them with a quote by Wednesday evening. But by 3 p.m., the spokesperson, has stopped replying to emails.
Starting point is 00:13:02 And some new character shows up into the whole play. the department's chief counsel, their lawyer, Sarah Madden, who says, hi, I'm their lawyer. We're not going to be talking about this anymore. And that's when everything kind of starts to take a little bit of a turn. And on Wednesday, the Department of Education sends out a letter, they blast up a press release, and Mike Parsons steps up to the podium to deliver their formal, you know, response to all this. And he delivers that speech we heard at the top of the show. This is not a vulnerability.
Starting point is 00:13:33 This is a hack. These are not journalists. They're hackers. It's going to cost us up to 50 million bucks to investigate and fix this. And we're going to get into the laws later. But whether or not it's a criminal charge, we're actually legally allowed to pursue civil charges, and you should expect them.
Starting point is 00:13:51 State statute also allows us to bring civil suit to recover damages against all those involved. Full scorched earth, they're not happy. where like where does 50 million just to briefly dwell on it where the where does 50 million bucks come from like how could this cost 50 million dollars to remedy but but here's the other thing is like maybe they have to rebuild all of their data systems and they don't have the budget for it and maybe they think a civil lawsuit is going to pay for that huh like maybe this is like a man manufactured lawsuit for funding right right but it's like like the Kickstarter and what you just say is said, saying that these problems have existed for 12 years, like, how are the teachers not a class action lawsuit back to this organization to be like, you've been broadcasting my private information on the internet for 12 years? Like, you're liable for that. And if you know that it's been happening for 12 years, you're like especially liable for it. Like, you know, when you find out
Starting point is 00:14:53 there's a problem in the automotive that you're making and you don't fix it, you're even more responsible and liable. Yeah, you're culpable for it. It's like, you're, you're, you're culpable for it. It's like if you're broadcasting personal information on the internet, and I'm going to keep using the word broadcasting because that's what they're doing. And especially if they ever paid for any online advertisement to drive traffic back to their website, they were not only broadcasting it, but they were paying and promoting it. So it's like, you know, how is it your, I'm so baffled by the story. But I'm assuming they have to redo all of their data systems and all the rest of it.
Starting point is 00:15:29 And they're saying that it's going to cost $50 million. So they're essentially blaming the person who brought their attention that this problem still existed. They're saying, well, it's going to cost $50 million to fix it. And therefore, you owe me $50 million. Because if you didn't bring this to my attention, we would be just fine. Which is kind of insane. It's like someone pointing out that your house is on fire and you get angry. It's literally killing the messengers, the name of the whole thing.
Starting point is 00:15:55 Yeah, it's like, I call a contractor. I'm like, hey, there's some moisture seepage. below my window and he's like, oh, you have black mold. You have to replace your wall. And I'm like, I'm suing you for my wall. See you in court. Yeah, see you in court. So, Renaud and Con, you know, the journalist and researcher, are now staring down this legal and political offensive from like the Missouri governor's office, which is a pretty crappy place to find yourself. But as this story gets out, in the details of the vulnerability and what Parsons is claiming, uh, become clear. People start, you know,
Starting point is 00:16:31 you know, commenting on it. And in a sort of cross the aisle unison that gives me some small hope for the future political discourse in the U.S., like everybody, all political stripes, all backgrounds, collectively holding each other's hands, singing kumbayase, that is the dumbest fucking thing I've ever heard, Mike. Republican state representative Tony Lavasco, who, according to his biography, has, like, worked a little bit in software deployment. Perfect.
Starting point is 00:16:55 Tweets on Thursday of that week, it is clear that the governor's office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities. Journalists, responsibly sounding an alarm on data privacy, is not criminal hacking. God bless this man. God bless this man. I know nothing about him, but hopefully God bless this man. I'm sure that's something they would say in Missouri, so.
Starting point is 00:17:25 God bless you, sir. Joseph Martinow, the attorney for the newspaper, came out saying, I like this one, A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of firewall or security and certainly no maliciousness of intent. And like, intent gets kind of muddy. We're going to talk about the laws a little bit later because it can mean a lot of different things. But Chris Vickery kind of spoke to what you were talking about, Scott. A California-based data security expert told a journalist who reported on this that the Department of Education was, quote,
Starting point is 00:17:59 publishing data it shouldn't have been publishing, and that's not a crime for journalists to discover it. Putting social security numbers within HTML, even non-display rendering, which you brought up, is a stupid thing for the Missouri website to do and is the type of boneheaded mistake that has been around since day one of the internet. No exploit, no hacking or vulnerabilities involved here. You mentioned non-display rendering HTML. There are parts of the source code of a website that are meant to not be seen by the viewer, right? Oh, there's loads of it. Like, I would say, like, most of it is just instructions to the browser, right?
Starting point is 00:18:36 Like, HTML is literally just a markup language to tell the browser what to do with things. Style sheets are now the predominant way of, like, styling it and making it look quite ways. But you can put an infinite amount of information in a website and hide it. Like, there's basic instructions for how to hide stuff in there. Like, truthfully, if you look at some websites, there's funny, little messages sometimes embedded in the headers and things like that. Like some people put like asky art like drawings of small ducks. Like, you know, like there's often little Easter eggs.
Starting point is 00:19:08 Like for funny like hacker websites and stuff like that. Like you'll often find stuff in the source code because everybody looks at it. Also, that guy sounds great. Whoever said the exact same things as me sounds like a really great guy. Yeah, real champ. We're going to quote him again in a second. Vickery seems to know what's up. So in explaining how Governor Parsons hopes, you know,
Starting point is 00:19:27 this reporter and the news organization are going to be prosecuted, he points to a state statute defining the crime of tampering with computer data where a court ruled that someone violates the law when they access files or other information that is off limits to them. In Missouri, Chris Vickery, same guy, says that the state was, quote, publishing the HTML source to the public internet with no hurdles of a password or other requisite forms of authentication challenge,
Starting point is 00:19:54 meaning the public can reasonably assume to be authorized. to view that content for the purposes of laws related to computer trespass forms of offense. So if this story starts as, you know, what is a hack are these hackers, it does end on a bit of a definition beyond just did they mean to, which is that you got to circumvent something, a password, a policy, a program, like a person at a desk that's supposed to say no who you get to say yes, even according to the most abstract broad definition of hacking. Just viewing content that someone publishes in a way other than how they intended it to be viewed is not hacking. Twitter user Rachel Tobach wrote, by this definition,
Starting point is 00:20:40 my cat walking across my keyboard and sitting on the F-12 key is now a serious punishable cybercrime. You shall now hereby named Advanced Persistent Pet, which I just like that pun. You know, HTML is the thing that is to. delivered from the web server, your browser is simply a renderer for it. But literally, you can, like the raw HTML is the thing being broadcast by you. So if you're putting confidential information in there, that's your fault. So it's like, I don't know. I hope that this one gets tossed on its head.
Starting point is 00:21:16 And I hope there's a civil lawsuit on the other direction. And I hope somebody retires peacefully after having to deal with all this BS. Yeah, if there's one thing I've noticed about, governors, it's they love admitting a mistake and stepping down in shame. Hey, I'm sure that, I'm sure the, I'm sure the farther that he starts keeps putting good money after bad and the, you know, the same sentiment with like, you know, social, uh, social influence. No longer he keeps persisting that this is a hack, the worse it's going to be when the civil lawsuit comes back on them. Yeah. He has a, he has one last move and we're going to get to it right at the end,
Starting point is 00:21:54 because it's pretty amazing. I think there's like a temptation when a person of a certain, you know, technological background, certain age, whatever, get something this wrong to assume that it's coming purely from a place of ignorance. And like guaranteed Mike Parsons does not seem to know a lot about how computers work. But that's not the only reason he's doing this. And we know why he's a little bit more about why he's doing this because of, a really, really incredible piece of political advertising that he ran explaining why he's doing it.
Starting point is 00:22:32 And we're going to get to that. But before we do, this all got me wondering, you know, what are some of the other motivations people have for going after the person delivering the message of a vulnerability? The other reason folks, you know, shoot the messenger in stories like this. So we're going to take a look at another one of those stories and some of the laws behind it before getting to Mike Parsons' incredible political advertising. right after this break. Think about the last time you heard a breach story on this show.
Starting point is 00:23:03 It always starts the same way. Someone somewhere saw something too late. An alert buried, a signal missed, a SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora superintelligence platform with fully agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy.
Starting point is 00:23:38 And all of this is just off running on their secure operations graph. A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week and over a decade of real-world incident response. The system reasons on real signals and real context not synthetic training data. and the result is the new Aurora Agent SOC. It's the first SOC that is agent led by design. You get agents that coordinate, agents that investigate, agents that respond at machine speed, and hundreds more that automate the repetitive work
Starting point is 00:24:06 that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
Starting point is 00:24:35 If you want to see what trustworthy, production-ready AI and security operations actually looks like, go to arcticwolf.com slash hacked. Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025 was nothing short of a record-breaking, year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head. Organizations around the world saw headlines they never expected and cybersecurity teams were tested like never before, but here's the thing. These incidents aren't just news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a
Starting point is 00:25:12 live webinar on February 5th diving to the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded. And most importantly, what businesses can do to fortify their defenses for it's too late. You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach. It's not fearmongering. It's practical, actionable, intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked.
Starting point is 00:25:47 Here's a fun story. It takes place way back in March of 2016. And this one isn't quite as cut and dry. It's the story of a dead messenger, but it's not quite the same as the story of Renaud, Khan, and Mike Parsons. It's a little bit kind of foggier. And it's the story of a security researcher named David Michael Levin, at the time 31 years old, of Estero, Florida. David is a security researcher.
Starting point is 00:26:13 He runs a cybersecurity company called Vanguard. And one day, right before the 2016 U.S. election, he decides to crack open a piece of free SQL testing software called Havage, we're testing, you know, SQL injection vulnerabilities. Broadly speaking, Scott, what is an SQL vulnerability? Well, Jordan, an SQL injection vulnerability, because there's multiple SQL vulnerabilities, but injection vulnerability is essentially, I can break this down in something easy
Starting point is 00:26:42 so that people understand it. Say I'm on a website and there's a form that lets me like search for certain pieces of data. Maybe there's like six filter fields and there's, form. Like imagine I'm looking at like a some form of data records from a store or a store is perfect. I'm looking at inventory items or previous orders that I've had and I can filter that by you know date ranges or order number or whatever. Typically the whatever you type in that like search box becomes a part of an SQL query that goes off to the server and says hey like you
Starting point is 00:27:18 know this person's searching for orders and they've asked that any order that has this in the title and then it returns that to the web server which then sends back the HTML code which then gets rendered into the web page. So an SQL injection vulnerability is inside of that box on the page if I can figure out how to pass in alternative pieces of SQL code. So maybe the filter field is like description searching but in the description stuff that I type into that box I've pulled myself out of the piece of text that it's going to look for, and then I add additional information. Like, you know, I want to see anything that has description that equals, you know, order, and I want to see user ID equals this, and I want to see this, and I add additional
Starting point is 00:28:09 search functions or additional pieces of query into the box, which then the server takes in and actually executes. So, you know, you can bypass a lot of security if you can get the SQL server to believe or to essentially execute SQL language that you're passing in. Does that make sense? I feel like that's a lot of sense.
Starting point is 00:28:32 A harder concept to kind of get across with you quickly. Yeah, no, it does make sense. It's almost like the questions and comments box, that little slot that you put the comment through. That's the forum on a website, and this is a vulnerability to let someone get into something they're not supposed to through that little slot in that box. Yeah. So like the, one of the things, well, a long time ago in a world, a long, long time ago,
Starting point is 00:28:55 you used to be able, there was back when there was internet cafes, they were often very locked down, and you could just have access to the web browser and you couldn't get access to anything else. Or maybe the web browser would only let you look at a specific web page. You could use the search form on a lot of those web pages to actually get access to the file explorer and actually get access to the real computer just by simply searching for C-colon slash Windows slash Explorer.E. And then it would pop you up a link to it,
Starting point is 00:29:26 which Internet Explorer would execute on and actually open you a copy of File Explorer. So all of a sudden you've taken full access and gotten full control to one of these internet PCs at a random Internet cafe in Thailand, per se. And then you could do whatever you wanted. You could open up your own version of, of the web browser.
Starting point is 00:29:45 You could go to whatever website you felt like, or you could spend more time on it than you were supposed to be allocated, et cetera, et cetera. So all of these like search and HTML and SQL injections have always been like a classic web hacking tool. So Levin takes this classic tool, and he hops over to the Lee County Elections website. And he checks it out, and what do you know,
Starting point is 00:30:07 he discovers a critical SQL injection vulnerability, which allows him to get access, as you said, to the site's database, including usernames and passwords. So Levin, security researcher, responsibly reports the vulnerability to the respective authorities, and over the weeks that follows, helps them pass all the loopholes on the elections website. So far so good. This is what you want to see.
Starting point is 00:30:28 Everyone's cooperating. A researcher finds the vulnerability, reports it, and they all work together to fix it. Great. Then, Levin goes on an interview show with a guy named Dan Sinclair, who at the time was running as supervisor of elections against the incumbent, a woman named Sharon Harrington. Dan Sinclair is running to supervise elections. Levin goes on and says here was this big vulnerability in the elections website. Explains what happens, talks about the vulnerability, and it kind of immediately becomes a little bit of a football, politically speaking, because this is really good for Sinclair. He wants to supervise elections.
Starting point is 00:31:04 Look how vulnerable they are. Here's a security researcher to unpack all of it. Almost two weeks after that video goes up online, Florida police raid Levin the researcher's house and seize his computers, and he is arrested and charged for allegedly breaking into this elections website, the one where he found the vulnerability and helped them fix it. He then spent six hours in jail before being released on $15,000 bond. Florida police claimed that Levin never asked for permission prior to doing this pen testing on any of these state-owned servers. Sinclair, the guy running for office, said, no, Levin was the one who helped the authorities fix it. He shouldn't be in trouble. So at first, this one reads a lot like Mike Parsons in Missouri.
Starting point is 00:31:48 Someone finds a vulnerability and then gets just railroaded for helping. Yish. Ish. Big ish on this one. But there's two differences. The first one, I think you've already figured out because he actually did technically do a hack. But there's another little thing going on here. See, it turns out that Levin, researcher, was actually good friends with Sinclair before all of this,
Starting point is 00:32:10 the guy running for this position, the one whose YouTube show he went on. And it got the authorities kind of looking into, you know, where did this, why were you looking into this vulnerability? And they started discovering that there was this friendship between Levin and Sinclair. It turns out, according to Sinclair, that this all started when Levin calls him back in December after taking an online federal course with some DOD people on pen testing. And Levin comes to him and says, you know the supervisor position that you're running for overseeing these elections in this website? I could really, really easily get into that website. The arrest report makes clear that Sinclair didn't ask Levin to hack into it, but that Levin, the second he did it, calls Sinclair up to tell him what he'd done.
Starting point is 00:32:58 So this whole thing starts kind of looking a little bit like maybe a political stunt, which Harrington, the incumbent, agrees with. She says the timing of this is all very interesting. Mm-hmm. David Michael Levin pleads guilty to a misdemeanor count in connection with hacking the website. He serves 20 days in jail. The whole thing kind of goes away. And this one, you already kind of caught up on part of what makes it interesting. It's interesting because what he did was, I think, good.
Starting point is 00:33:24 Like he found a vulnerability and he reported it. Should that be considered hacking? I'm not really sure. He did hack, but he did it theoretically for the right reason, for the wrong reason. You're entering a very philosophical conversation about the law. But I will say that the difference is very profound, I would say. Somebody looking at the source code that's being broadcast to them. For sure.
Starting point is 00:33:55 It's like, it's insane to consider that hacking, actually insane. Somebody pen testing a server without permission. It's getting dodgy, yeah. You're getting very close. You know? Like, the difference between this being a, oh, he's definitely hacking. And what do we think about this philosophically is the fact that he reported it. Yeah, for sure.
Starting point is 00:34:19 You know? The second guy was hacking. It's like, he did the right thing with the information that he acquired for a bad reason, potentially. Correct. This is, uh, this is, let's just say a lesson that young Scott learned in his life. As somebody who helped friends secure things. Yeah, very different story to be asked to do it and reduces your exposure if somebody's requesting that you perform a service rather than you just doing it out of the goodwill of your heart.
Starting point is 00:34:52 It's very hard to justify goodwill with a paper trail, if that makes sense. So there's two pieces of federal law in the U.S., and there's parallel versions of them in other countries that have modeled their laws after them that are relevant in both these stories. The Computer Fraud and Abuse Act of 1986, CFAA, and the DMCA, Digital Millennium Copyright Act. These are the two big laws that have been used to go after researchers. Whether or not they were hacking, those are the two laws in the middle of all this. These two stories and countless others. And as we get into this, I think it's worth saying that these laws were written for fundamentally different digital worlds than the ones that we live in right now. And they include penalties for behavior that I think is pretty vital for security testing.
Starting point is 00:35:41 And neither one of them carves out any kind of general or permanent exemption that makes any legal distinction between a researcher trying to help and intentionally malicious behavior that the laws were written to prohibit. So the term bug bounty was coined in 1995 by Netscape. And it was for their program that they'd set up to reward people who reported bugs with, you know, prizes. depending on how big that bug was. And even in this earliest version of what a bug bounty was, it acknowledged that users who were reporting security bugs
Starting point is 00:36:15 were one of the most valuable contributions in keeping their system secure. They'd figured that out way back in 1995. And right now, a lot of companies have sort of followed along in that general sentiment. They have, you know, disclosure programs are incredibly common and they carve out a little bit of a niche in their terms of service for making sure that if a researcher,
Starting point is 00:36:33 regardless of why they were digging around, does find a report of vulnerability, they have some kind of a protection. But those are corporate policies, not laws. And the laws are not forgiving in this case. And researchers have very rarely found a receptive audience with companies whose products they are testing. The laws just aren't on their side.
Starting point is 00:36:56 When they wrote the CFA, the big law in question here, it was three years before Tim Berners-Lee even invented the World Wide Web. Congress passed the CFA in 1986. It was written for a different internet by a Congress who was thinking about just a different kind of cybercrime. The House Judiciary Committee called the 1983 film War Games, which we've talked about here, which for anyone that doesn't remember that episode, is about a Seattle teen who's hunting for video games and he breaks into like a nuclear warhead silo. They refer to that film in Congress on the record as a quote,
Starting point is 00:37:31 realistic representation of the access capabilities of the personal computer. And that law, CFA, makes it illegal to access any computer, quote, without authorization, which is a really important term in all this. And it's the kind of vague language that has empowered maybe the worst versions of this type of story. Again, importantly, based on what Parsons threatened to do to Renault and the journalist, the CFA also carves out a big exemption allowing companies to sue in civil court alleging CFA violations, even if law enforcement doesn't pursue charges. And all of this is built on a foundation that doesn't define what accessing a computer without
Starting point is 00:38:07 authorization means or what it means to exceed authorization. And for most of the last couple decades, there have been different conflicting interpretations of what those terms mean at different levels of court. And this sort of just sustained absence of clarity has allowed this law, CFAA, to be used as like a cudgel to stop countless different security researchers from looking at products. It's been used to limit competition between companies, and it's been used to go after people for engaging in normal internet behavior like viewing the source code on a website. Researchers report regularly getting cease and desist letters, citing a possible CFA violation. And it's just sort of become this really common tool for intimidation by companies that don't want the bad press of a vulnerability.
Starting point is 00:38:51 In cases that did go to court, we see this pattern where that crucial word authorized in the CFAA had no consistently enforced technical definition, and was just sort of, in most cases, defined by that company's terms of service. In other words, the companies kind of get to write the law themselves on a case-by-case basis. It's the law that Parsons and the Missouri Governor's Office are citing in going after Renault. It's the law in the middle of all this. You know, the cases like this bring to light, you know, things like bug bounty programs and internal security researchers,
Starting point is 00:39:30 and, you know, the companies that clearly take security seriously look for this stuff, they pay people to look for this stuff, they pay professionals who are good at this to do this. And that's if you really care about security. If you don't care about security and you just care about, you know, obscurity, then you, you know, file charges to anybody that shows that there's a weakness in your vulnerability, that you have a vulnerability. You know, that is the last thing you want to do.
Starting point is 00:39:56 You know, when, you know, Microsoft has, I think, pivoted in that light. You know, since way old, old days, Microsoft, every time somebody found another IIS problem, it was this, you know, "hackers" and this, to now being, like, you know, big on this stuff and being like, oh my God, thanks for reporting it, we'll fix it right away. And everybody takes it very seriously. You know, amazing disclosure programs. Yeah, yeah, yeah. And that's just it. It's like you can, you can see the, the innovation, the transition that the corporate world's going through. Like, I can't remember who it was. I think it was Tesla.
Starting point is 00:40:28 Tesla used to have a bug bounty program that paid a fortune. Because they know. They get it. They get it. That they know that if they have a massive security breach that allows somebody to take over somebody else's moving vehicle, that it's going to cost them way more than it will if they can fix that problem. Like, giving you $500,000 as
Starting point is 00:40:54 compensation for finding that problem is way cheaper than the 50 million that they're going to pay out in legal fees and lawsuits or 500 million, you know? Well, and if the five world-class engineers that we're paying couldn't find it, clearly it's worth something. Totally, totally. In his press release and at this event, Governor Parsons, I think, showed his hand a little on the subject of why he was pursuing these charges. And I have to imagine that at some point between them learning about this and then making the announcement that someone explained to him, you know, this is not a hack, these are not hackers. But there's a couple key lines, not from the official release, which very carefully avoided this sentiment, but from his speech that I think reveal what's happening here, why his office chose to go after the messenger. Quote, this person is not a victim. They were acting to compromise personal information to embarrass the state and sell headlines for their news outlet.
Starting point is 00:41:55 Which brings us to this. An advertisement created and published within, I think, seven days. There's a quick turnaround on the subject of this hack. Latest from the Missouri's fake news factory is from the St. Louis Post Dispatch, where a reporter has been digging around HTML code on a state website. The state technology division said, hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security numbers of teachers from a state website.
Starting point is 00:42:28 Governor Parsons believes everyone is entitled to their privacy, especially our teachers. Governor Parsons is standing up to the fake news media and is committed to bring to justice anyone who obtained private information. The St. Louis Post Dispatch is purely playing politics. Exploiting private information is a squalid excuse for journalism and hiding behind the noble principle of free speech to do it. Shameful. Oh my God. Seven days.
Starting point is 00:43:05 They turned it around quick. Hey, Jordan, to be fair, we could have done it in one day. Yeah, I think we could have knocked this out a little bit quicker. This is a very strange way to go on the offensive against somebody who probably doesn't like you very much publicly. Oh, my God. If you embarrass a powerful person or company or institution on the grounds of their technology, there is a non-zero chance they're going to call you a hacker.
Starting point is 00:43:35 And it doesn't matter whether you didn't hack them like Renault, or you maybe kind of hacked them, but maybe to help them, like, you know, Levin. If you embarrass them with internet stuff, they might come at you. And as long as these laws governing that are vaguely written and inconsistently enforced, they might actually pull it off. And that kind of really sucks. Because the more times this happens, the more it tells the next person who discovers that something is broken and needs to be fixed, that maybe they should just keep that to themselves. Because maybe they're going to get in a ton of trouble for doing generally the right thing. Maybe they should let someone else get
Starting point is 00:44:19 hurt so that they don't. Forty-one minutes of cybercrime law. That's right. Patrons on Patreon, you just empowered 41 straight minutes of cybercrime law stories and, phew, does it just mean the world to me. To our new patrons this month, Trev, Trev Goldring, Hacker X, I'm just going to enunciate these too much. Trev Goldring, thank you. Hacker X, Y, Z, thank you. Matthew St. Vincent, Mathis Gareth, Josh, and Nick Owens, you're our new patrons. You're, you are responsible for this. You did this. And if you wanted to support the show,
Starting point is 00:45:00 visit patreon.com slash hack the podcast. That's patreon.com slash hacked podcast if you want to support our little show. Put a tuning in the tip jar, as we call them up here in Canada. Thank you so much for listening. Thank you so much for making it at the end of this one. It means the world. Catch you on the next one.