Arkansas Can't Secure Financial Assistance Site So Governor Decides To Call The Person Discovering The Breach A Criminal
from the bless-your-soul,-Governor-Fuckwit dept
The best place for a messenger is six feet under, according to the governor of Arkansas, Asa Hutchinson. Despite being a founding chair of Governors for CS [Computer Science] (according to Slashdot), Hutchinson has decided to blame a security researcher for the state’s inability to properly secure one of its websites. Lindsey Millar, who reported the breach exposing the sensitive information of the site’s users, reports that Governor Hutchinson is trying to villainize the person who stumbled upon the unexpected data flow.
It all started innocently enough when a programmer, who had attempted to apply for financial aid via Arkansas’ Pandemic Unemployment Assistance website, discovered it was exposing Social Security numbers and bank account numbers. This person got in touch with Millar, who brought it to the attention of the state.
That’s where things went extremely wrong.
Beginning on Saturday at a news conference and continuing Monday, Hutchinson has framed the applicant who sounded the alarm as acting illegally. He announced Monday that the FBI was investigating the matter. He said he understood personal information had been “exploited.”
“Exploited” how? By informing the press after the state had ignored the programmer’s efforts to get the government to fix the problem? Millar says the programmer reached out to two state agencies and received nothing in response. Obviously concerned about this very dangerous data leak, the programmer talked to the press. That’s “exploitation”? I guess it is, if you’re the governor and co-founder of a foundation that claims to be all about that tech stuff and whatnot.
The governor offered up a nonsensical statement that was supposed to reassure assistance applicants that their private financial stuff hadn’t actually been compromised. I’m sorry, but I cannot explain the following:
“We don’t believe that the data was manipulated,” Hutchinson said. “In other words, where someone would go in and change a bank account number, which is what criminals would do…”
WHAT EVEN THE FUCK
No one needs to alter actual, useful, goddamn usable routing numbers to do damage… especially when they have the Social Security numbers to work with as well. The governor followed up this bizarre explanation with one that was even worse: a justification for calling someone who discovered a data breach a criminal.
Asked about his rationale for framing the programmer’s actions as illegal, the governor said, “When you go in and manipulate a system in order to gain an access that you’re not allowed to have permission to access, that is a violation of the security that we want to have in place in these systems, and it would be a violation of the law as well, I would think.”
This is baseline CFAA thinking — the kind the federal government engages in when it’s convenient. A person who gains access to data on a website an entity thought was secure is a criminal because it’s assumed that, just because someone browsing the front page of a website wouldn’t stumble across the data breach, any other discovery method must be unethical… if not actually illegal.
Adding “I would think” doesn’t mean the person saying those words is actually thinking. It just means that if they decided to engage in actual thinking, it wouldn’t lead to much insight. The fact of the matter is the applicant only had to alter the URL to gain access to information the website should have locked down tight. This isn’t “manipulation.” It’s Pen Test 101 — something the government should have engaged in before allowing a site collecting bank account and Social Security info to go live.
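The URL change the article describes is the pattern usually called an insecure direct object reference: the server trusts an identifier taken from the request and never checks that the caller is entitled to the record it names. The following is an added example written for this article, not code from the Arkansas site (whose code is not public); the `Application` model, the sample records, the function names and the denial log are all constructed for illustration. It puts the unchecked lookup next to a version with an object-level ownership check, and adds the kind of denial record a defender would alert on.

```python
"""Added illustration: an unchecked record lookup beside a hardened one.

Hypothetical code written for this article. It is not the Arkansas PUA
site's code; the data model, names and sample records are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Application:
    application_id: int
    owner_user_id: int
    ssn: str            # constructed, fake value
    bank_account: str   # constructed, fake value


# Constructed sample data standing in for an applications table.
APPLICATIONS: Dict[int, Application] = {
    1001: Application(1001, owner_user_id=7, ssn="000-00-0001", bank_account="00000001"),
    1002: Application(1002, owner_user_id=8, ssn="000-00-0002", bank_account="00000002"),
}


class Forbidden(Exception):
    """Raised when the requesting user may not see the requested record."""


def lookup_vulnerable(requesting_user_id: int, application_id: int) -> Optional[Application]:
    """The failure mode the article describes: the handler trusts the id from
    the URL and never asks whether the caller owns that record, so any logged-in
    applicant who changes the number is shown someone else's SSN and account."""
    return APPLICATIONS.get(application_id)


# Audit trail of denied lookups as (user id, application id), for detection.
DENIED: List[Tuple[int, int]] = []


def lookup_hardened(requesting_user_id: int, application_id: int) -> Application:
    """Same lookup with an object-level authorization check. A missing record
    and a record owned by someone else get the identical denial, so the response
    does not reveal which ids exist, and every denial is recorded."""
    record = APPLICATIONS.get(application_id)
    if record is None or record.owner_user_id != requesting_user_id:
        DENIED.append((requesting_user_id, application_id))
        raise Forbidden(f"user {requesting_user_id} may not view application {application_id}")
    return record


def is_denied(requesting_user_id: int, application_id: int) -> bool:
    """Helper: True if the hardened lookup refuses this request."""
    try:
        lookup_hardened(requesting_user_id, application_id)
    except Forbidden:
        return True
    return False


def users_probing_foreign_ids(min_denials: int = 2) -> List[int]:
    """Detection hook: users whose denied lookups span several distinct
    application ids. This is the signal a monitoring rule would alert on,
    and the signal that should prompt a fix rather than a referral."""
    per_user: Dict[int, Set[int]] = {}
    for user_id, app_id in DENIED:
        per_user.setdefault(user_id, set()).add(app_id)
    return sorted(u for u, ids in per_user.items() if len(ids) >= min_denials)


if __name__ == "__main__":
    print("vulnerable, foreign record returned:", lookup_vulnerable(7, 1002))
    print("hardened, own record:", lookup_hardened(7, 1001))
    print("hardened, foreign record denied:", is_denied(7, 1002))
    print("flagged users:", users_probing_foreign_ids())
```

The design choice worth noting is that the hardened lookup keys the check on the authenticated session's user id, not on anything the client supplies in the URL, and that it treats "does not exist" and "not yours" identically so the endpoint cannot be used to map which application numbers are live.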
Trying to kill the messenger doesn’t make you look any less culpable. It just makes you look like a tinpot dictator trying to execute the messengers before their message becomes news, with the added benefit that it makes others think twice before coming forward with information that might embarrass the state.