Several months ago, our governor began an attack on Josh Renaud, a reporter for our local newspaper, the St. Louis Post-Dispatch, over an article he wrote about a vulnerability he found in a state website. Since then there has been plenty of coverage by the paper, including the latest events this week showing that the governor’s efforts were wrong, misplaced, and counter-productive. (Brian Krebs also covered it this week.) I exchanged some email with Renaud, and he suggested I use my platform to explain my POV and shed some light on what happened. So here is a letter that I will also send to Parson.
Dear Governor Parson:
The hardest thing about being a great leader is admitting you made a mistake. I am writing to try to convince you that your course of action in trying to prosecute Josh Renaud and the St. Louis Post-Dispatch is not just wrong-headed but is taking our state down a dangerous path.
Here is my perspective as a computer security technologist and reporter. First, the state education website that Renaud identified had major security weaknesses as it was originally constructed, because it could easily reveal Social Security numbers. Think of it as building a house without a proper foundation. The recent police report documents that these weaknesses had been in place for a decade, since the site was constructed. Renaud was actually doing the state a favor by identifying this weakness, and the agency was given time to fix the vulnerability before the Post was going to publish his story.
Second, the county prosecutor was doing the right thing by declining prosecution. There was no crime committed by anyone here, which was further corroborated by the police investigation.
Third, by continuing to refer to the vulnerability as a hack, you show that you don’t really understand the nature of either the vulnerability or what hackers or journalists do. The best way for the state to “continue to work to ensure [data] safeguards and prevent unauthorized hacks,” as your office stated, is for journalists and other third parties to uncover these vulnerabilities so that bad actors can’t take advantage of them. As the state agency recently stated, Renaud accessed “open public data” that would be available to anyone.
Your statements about “hacking” are where you do the most harm to the state – both perceptually, in the greater computer security community, and in terms of journalists who will try to report on these vulnerabilities in the future. By using the power of your office to promote these sham investigations, you also make it more difficult for journalists and security researchers to do their jobs when they find other computer security vulnerabilities. As others have already mentioned, numerous tech companies have “bug bounty” programs in place to encourage researchers to find exactly the kind of vulnerability that Renaud found, and they gladly pay them for it, too!
Renaud could have published his story before the state fixed the vulnerability. Instead, he tried to work with the state agency to fix the problem he found. He acted responsibly and honorably. It is time to admit your mistakes, in both your language and your intent, and thank him for protecting the data of our citizens.
Kudos! Needed to be said.
Well said, David. Looks like this man needs some educating.
A very reasonable letter.
Spot on David. Nicely stated!
Important and well said.
Glad you wrote Gov. Parson and I sincerely hope he will listen. It’s a scary example of “shooting the messenger” – the state had ample opportunities to rectify the situation, and did not. I’m also glad you mentioned tech companies’ “bug bounty” programs. I don’t know if governments can do bug bounties, but it’s something to think about.
Send it to Gov Parson via snail mail. You’ll get more attention than if you send him an email. Maybe mark it “To be opened only by Gov Parson”, to keep the functionaries away, because they might otherwise bury it. If you do not get a prompt response either from Parson or one of his minions, resort to any and all social media to publicize your case for Renaud, you, me and others.
Gov. Parson obviously is being advised by non-technical, ignorant individuals. Well-delivered message – Back Off, Gov. Parson, Back OFF!
David-
A very much needed letter well said.
Pete
David,
I admire your courage for writing this letter. I wish more people would speak the truth.
Neal