Several months ago, our governor began an attack on Josh Renaud, a reporter for our local newspaper, the St. Louis Post-Dispatch, about an article that he wrote about a vulnerability he found in a state website. Since then there has been plenty of coverage by the paper, including the latest events this week showing the governor’s efforts were wrong, misplaced, and counter-productive. (And Brian Krebs also covered it this week as well.) I exchanged some email with Renaud, and he suggested I use my platform to explain my POV and shed some light on what happened. So here goes a letter that I will also send to Parson.
Dear Governor Parson:
The hardest thing about being a great leader is to admit you made a mistake. I am writing to try to convince you that your course of action in trying to prosecute Josh Renaud and the St. Louis Post-Dispatch is not just wrong-headed but is also taking our state down a dangerous path.
As a computer security technologist and reporter, here is my perspective. First, the state education website that Renaud identified had major security weaknesses as it was originally constructed, because it could easily reveal Social Security numbers. Think of it as a house built without a proper foundation. The recent police report documents that these weaknesses had been in place for a decade, since the site was constructed. Renaud was actually doing the state a favor by identifying this weakness, and the agency was given time to fix the vulnerability before the Post published his story.
Second, the county prosecutor was doing the right thing by declining prosecution. There was no crime committed by anyone here, which was further corroborated by the police investigation.
Third, by continuing to refer to the vulnerability as a hack, you show that you don’t really understand the nature of the vulnerability or what hackers and journalists actually do. The best way for the state to “continue to work to ensure [data] safeguards and prevent unauthorized hacks,” as your office stated, is for journalists and other third parties to uncover these vulnerabilities so that bad actors can’t take advantage of them. As the state agency recently stated, Renaud accessed “open public data” that would be available to anyone.
Your statements about “hacking” are where you do the most harm to the state, both in how the state is perceived by the wider computer security community and in how journalists will approach reporting on such vulnerabilities in the future. By using the power of your office to promote these sham investigations, you make it harder for journalists and security researchers to do their jobs the next time they find a computer security vulnerability. As others have already pointed out, numerous tech companies run “bug bounty” programs that encourage researchers to find exactly the kind of vulnerability Renaud found, and gladly pay them for it!
Renaud could have published his story before the state fixed the vulnerability. Instead, he worked with the state agency to fix the problem he found. He acted responsibly and honorably. It is time to admit your mistakes, in both your language and your intent, and thank him for protecting the data of our citizens.