Josh Renaud’s ordeal illustrates the pitfalls of overly-broad hacking laws
Correction: This post has been updated to clarify Renaud’s process identifying the web flaw.
St. Louis Post-Dispatch reporter and developer Josh Renaud believed he was helping teachers when he broke the story of a major flaw in a Missouri government website.
He had followed all the rules to responsibly disclose the flaw, which made the Social Security numbers of more than 500,000 state educators findable on the public Internet. That included alerting the state in advance and making sure the bug could not be exploited by the time his story published.
But Renaud became a poster child for the way vague and outdated hacking laws can be twisted — to attack good Samaritans who point out dangerous software bugs, evade responsibility for cybersecurity failures and even punish political opponents.
Missouri Gov. Mike Parson (R) accused Renaud of hacking the state website rather than helping to fix it, and he spent four months fearing a prosecution that would wreak havoc on his family.
“The uncertainty causes your stomach to churn,” Renaud told me in an interview.
He feared attacks and harassment by supporters of the governor, who denounced Renaud in a news conference and described him in a fundraising video as a member of the “fake news media,” invoking a term made famous by former president Donald Trump.
When the attacks began, Renaud swiftly set about removing all of his personal information from social media and other sites, fearful that it would be used to attack him or to broadcast his personal information in a process called doxing, he told me.
“It’s entirely political,” he said. “With the history of the previous president’s attacks on the press, dehumanizing the press, calling them the enemy of the people, it seemed like he was following that playbook.”
Parson’s office didn’t respond to my request for comment.
Overly broad hacking laws
Renaud’s anxiety only ebbed last month when Cole County prosecutor Locke Thompson (R) declined to bring charges and said there was nothing malicious in Renaud’s actions. He also suggested the state legislature consider revising the law Parson claimed Renaud violated, the Missouri Independent reported, calling it “so vague that it basically describes someone using a computer to look up someone’s information” as hacking.
That assessment was echoed by Shaji Khan, a University of Missouri-St. Louis cybersecurity professor who helped Renaud verify the vulnerability and was interviewed as part of the criminal investigation. He compared the governor’s charges to shouting out Social Security numbers in Chinese, then charging anyone who understands the language with a crime, according to the investigation report, which was released in response to a Post-Dispatch public information request.
Those laws have almost certainly made the Internet less safe — by making people fearful of reporting bugs in the first place.
The Missouri law is particularly egregious. It states a person commits a crime if he “accesses a computer … and intentionally examines information about another person” — wording so vague it could apply to viewing someone’s Facebook profile.
- In Renaud’s case, the teachers’ Social Security numbers were publicly available in the source code of a state-run database that he was examining for a news project.
- The governor’s office has repeatedly insisted that Renaud did more than merely right-click on the site, the standard way of viewing source code.
- That appears to refer to the fact that instructions he sent the state’s education department for how to reproduce his findings included using a decoding tool that is available on Google, according to the investigation report.
- Those tools are designed to translate language that can be read by computers into language that can be read by humans and are commonly used by software coders. They’re never used to uncover secret information.
- Upon realizing the source code might make Social Security numbers visible, Renaud verified with three teachers he knew personally that each of their Social Security numbers was indeed exposed.
Renaud told me he “never had any doubts” that he and the newspaper acted correctly and would be ultimately vindicated. He was less sanguine, however, that he wouldn’t be dragged through a long and damaging trial first.
He also fears that the governor’s actions will make it far likelier that similar dangerous computer bugs will go unreported, leaving Missouri residents more vulnerable to hacking. The state’s track record isn’t good on that score. A separate website connected to the state teachers’ pension system suffered a significant data breach that was discovered last year.
“I feel like the governor still has a chance to address this. If he were to admit they made a mistake … apologize for not safeguarding people’s data, say we want responsible disclosure that could repair some of the damage,” Renaud said. “I want to live in a state where people feel free to report those vulnerabilities.”
A reversal doesn’t seem likely anytime soon. The governor told reporters during a business event that he still has questions about the case. Among other things, he suggested Renaud may have secretly removed and retained teacher data from the vulnerable site — a finding that is not suggested anywhere in the investigation report.
“If you just wanted to disclose there’s a problem, okay, you could have done that without taking anybody’s personal information,” Parson said. “That’s where the real problem is, and I think the answer still has to be said: Where’s that information at?”
TikTok is developing a state media policy after Ukraine pressure
The Chinese-owned social media app has long tried to avoid topics like propaganda, misinformation and state-controlled media, but the Russia-Ukraine conflict is forcing it to confront them, Gerrit De Vynck, Cat Zakrzewski and Elizabeth Dwoskin report. TikTok now says it’s developing a policy for dealing with state-controlled media, and it has begun using the words “war” and “Ukraine” in public statements.
That could bring the company, which is owned by the Chinese firm ByteDance, more in line with Instagram, YouTube and Twitter — all of which have been “flooded by a confusing mishmash of propaganda, images repurposed from previous conflicts, and real footage of actual events in Ukraine over the past week,” my colleagues write. “Under pressure from Ukrainian, American and E.U. officials, all of the companies have blocked Russian state media in Europe and taken down some misleading and false posts about the war.”
TikTok continues to “respond to the war in Ukraine with increased safety and security resources to detect emerging threats and remove harmful misinformation and other violations of our Community Guidelines,” spokeswoman Jamie Favazza said.
Russian state media outlet RT America’s production company is closing
RT America’s production company said it is laying off its staff because of “unforeseen business interruption events,” Jeremy Barr reports. It comes after U.S. satellite television giant DirecTV said it was dropping RT America from its lineup and social media companies restricted access to RT in Europe in the wake of Russia’s invasion of Ukraine. The move was first reported by CNN and the Daily Beast.
“RT — originally standing for ‘Russia Today’ — was launched by Vladimir Putin in 2005 as his answer to global media networks like CNN, with outlets in several Western nations, including the U.S., sharing the Kremlin’s perspective on world events,” Jeremy writes. “In the U.S., RT America has lately covered Russia’s bloody invasion of Ukraine as a minor incursion intended for defensive purposes, drawing increasingly loud criticism.”
RT’s U.S. production company T&R Productions registered as a foreign agent in 2017 after the Justice Department concluded that it had to do so. U.S. officials determined that RT and its Russia-funded owner, TV-Novosti, were “proxies of the Russian Government.”
ICANN declined to cut Russia off from the Internet
Ukraine had asked Internet governance nonprofit ICANN to revoke the “.ru” domain and help revoke the security certificates associated with it — moves that would have effectively prevented people outside Russia from accessing Russian websites and made it more difficult for people within Russia to access sites outside of the country. ICANN rejected the request, telling Ukraine that it “has been built to ensure that the Internet works, not for its coordination role to be used to stop it from working,” CyberScoop’s Tonya Riley reports.
If Ukraine had succeeded, it could have fractured the Internet and made Russian users more vulnerable to hacks, experts have warned. The move also could have closed the country off from news challenging Kremlin narratives.
Former cyber officials push quick confirmation for Fed nominee
It’s critical to quickly confirm Federal Reserve vice chair nominee Sarah Bloom Raskin because “the potential for significant cyber impacts is ever more apparent and urgent,” former cyber officials write in a letter to Senate leaders shared with the Cybersecurity 202.
Senate Republicans have boycotted Raskin’s nomination as they scrutinize her role on a financial technology firm’s board. Raskin led an initiative as deputy secretary of the Treasury Department during the Obama administration to standardize approaches to cybersecurity in the financial sector among G-7 nations.
The letter was signed by former White House cybersecurity coordinator Michael Daniel, former DHS deputy secretary Jane Holl Lute, former DHS undersecretary Suzanne Spaulding and former State Department cyber coordinator Chris Painter. It was addressed to the Senate Majority Leader Charles E. Schumer (D-N.Y.) and Minority Leader Mitch McConnell (R-Ky.), as well as top lawmakers on the Senate Banking Committee, where her nomination has stalled.
- Top intelligence and law enforcement officials testify before the House Intelligence Committee on worldwide threats on Tuesday at 10 a.m.
- CISA Executive Director Brandon Wales speaks at an Aspen Institute event on Tuesday at 2 p.m.
- CISA Executive Assistant Director Eric Goldstein speaks at a Billington Cybersecurity event on Thursday at noon.
Thanks for reading. See you Monday.