the idea that social security numbers could function like secret passwords in an effective security system should have died a long time ago
I think you’re giving them too much credit.
This was about intimidating the media and nothing else.
No, that ‘decryption’ of hers has a formal name: Reading.
She shouldn’t get her technology education from watching bad movies…
Pretty sure that horse has done left the stable. The Streisand Effect has started.
Strange how the ‘Show Me’ State doesn’t want people to look.
That’s HTTPSP, which uses TLSL for encryption. I hear it’s the preferred method of transmitting Igpay Atinlay.
To an idiot, it’s hacking. Because idiot.
Do this same thing in Australia and find the former Prime Minister’s info, and you get a thank-you from the guy himself.
A rather dark outcome here is that some opportunistic anti-open-web asshole dusts off their anti-view-page-source legislation, and seizes these idiots’ burning desire to redirect their municipal shame to push it all the way to congress. And we are in a very dark timeline…
From the article:
For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites
A good chuckle there
Whenever I hear “Bowling Green Massacre” I think two things. The first is “What a bunch of morons” (the HTMLM kind). The second is the sinkhole at the Corvette Museum in Bowling Green.
My take on this is less ignorance, and more saving face at all costs.
There’s definitely technical folks who have made such claims (there are stories like this all the time), who knew damn well that what they were saying was wrong.
I was explaining this to my sister, that the kids from this story were lucky the school district didn’t trump up some bogus charges to pin to the kids. Stories like these make a well-funded bureaucracy look bad, and they frequently try to do damage control by making the issue look like herculean (and malicious) efforts on the side of the person who discovered the security issue. If that means those people’s lives are ruined, fuck 'em. The bureaucracy is saved, and never has to answer for its malfeasance!
This Missouri story broke just a couple days later as the perfect example of this in action. Not that this is new at all – I have been reading stories like this for at least 20 years.
What are you talking about? You think there is a well-funded bureaucracy in the Missouri state government that has funds allocated for information security? You think the school districts in Illinois are well-funded?
I mean if we were talking about AFRL or something, I might understand. But the Missouri department of education doesn’t list a single employee that does application development. That means some poor database administrator got roped into doing something outside of her or his job description and competency because that is how the state budget was written. This wasn’t a failure of bureaucracy. It was a failure of politics. Politics, by the way, that the governor supported.
The bureaucracy itself is well funded. Not the IT departments.
You think the school districts in Illinois are well-funded?
I live here. So yes. Many are (Elk Grove is a reasonably wealthy town). But again, the district itself, but not the IT departments necessarily.
Whose nephew got the IT security position?
Again, it’s some poor DB admin who got told they had to do web development on top of their regular duties. There’s no staff in the department dedicated to programming much less info security.
Sure, there’s an element of that, too. But this particular case is so straightforward and what he’s saying is so obviously, embarrassingly absurd, it ultimately makes him look bad more than it acts as a face-saving measure. Plus, the whole Streisand effect - they could have quietly dealt with it, but they’re drawing large amounts of attention to the story that otherwise wouldn’t have been there at all.
That is surely how it has panned out, but I feel pretty certain he imagined it would indeed save face. Why bother otherwise?
Well, he clearly has no idea what he’s talking about, and neither does anyone else from that government commenting on it. I think a crippling level of widespread ignorance is playing a big role here.
This whole incident reminds me of the battles I have with backend developers to only provide the information I need. Even if it’s innocent, do not get in the habit of oversupplying my front end. We can add it to the API later, but really, the golden rule is:
Don’t overshare.
I once had an argument with one such developer, about how they should not be storing unsalted SHA1 hashes for passwords. Their argument was, “There’s nothing of real interest to an attacker in the database, therefore the security of the password hashes shouldn’t matter”.
Why yes, the usernames were corporate email addresses from fortune 500 companies. Why do you ask?
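The “don’t overshare” point above, as an added example that is not from any commenter in this thread: the backend projects a record down to an allowlist before it reaches the template, and a small scan of the rendered page source checks that no SSN-shaped token slipped through. The record, field names and page markup are all constructed for illustration.

```python
import html
import re

# Constructed sample record: what the backend query returns for one educator.
# Every value here is made up.
FULL_RECORD = {
    "name": "Jane Q. Educator",
    "certificate": "Initial Professional",
    "status": "Active",
    "ssn": "123-45-6789",
    "date_of_birth": "1980-01-02",
}

# Allowlist of the fields the public lookup page actually needs. Anything not
# listed never leaves the server, so it cannot end up in the page source.
PUBLIC_FIELDS = ("name", "certificate", "status")


def project(record, allowed=PUBLIC_FIELDS):
    """Return a view model containing only the allowlisted fields."""
    return {k: record[k] for k in allowed if k in record}


def render(view):
    """Render a minimal HTML table; every key in `view` becomes a row."""
    rows = "".join(
        f"<tr><th>{html.escape(k)}</th><td>{html.escape(str(v))}</td></tr>"
        for k, v in view.items()
    )
    return f"<table>{rows}</table>"


# Shape of a US SSN (NNN-NN-NNNN); used only to detect leaks in output.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_ssn_leaks(page_source):
    """Detection check for CI or a pre-release scan: SSN-shaped tokens in output."""
    return SSN_RE.findall(page_source)


def leaks_ssn(record, project_first):
    """Render the record with or without projection and report whether an SSN leaked."""
    view = project(record) if project_first else record
    return bool(find_ssn_leaks(render(view)))


if __name__ == "__main__":
    print("unprojected leaks:", leaks_ssn(FULL_RECORD, False))  # True
    print("projected leaks:  ", leaks_ssn(FULL_RECORD, True))   # False
```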