I don't really like the framing that the reporter is framed for using "view source". This reinforces the idea that the people responsible for this are just uneducated. I'm sure, at this point, someone already explained it to them.
That reporter is a victim of harassment, and if it wasn't for "view source", it could be for some unrelated stuff. It's the same as protesters being arrested for all kinds of bogus reasons, or random people being arrested with planted evidence. The goal is to deter someone you don't like from exercising their legal right (journalism, protesting, standing in the street in the wrong neighbourhood), by weaponizing unrelated laws.
The only reason "view source" is being talked about is because that looked like the best case when the book was thrown at that journalist.
I hope that case remains at threats and doesn't get to actual charges.
>I don't really like the framing that the reporter is framed for using "view source". This reinforces the idea that the people responsible for this are just uneducated. I'm sure, at this point, someone already explained it to them.
I don't like the framing either, but for different reasons. From my reading, the journalist is being targeted for reporting the vulnerability or perhaps for exploiting the vulnerability; I'm not sure.
To be clear, most websites have some disclaimer that says "don't use this website for unauthorized purposes". This is deliberately vague and includes "don't use SSNs that we leave laying around".
Should the website leave SSNs laying around? Definitely not.
Should the web site owner have the strong arm of the law come smashing down on them? Absolutely.
Should others use those SSNs? Definitely not.
If the journalist saw the SSNs and then did nothing, leave him alone. If he did something with them, charge him. If he reported them, and he is being harassed for reporting them, then write an article about that.
Seeing it and doing nothing is worse in my eyes. That is how you create societies that ignore terrible problems for fear of law enforcement retaliation.
The only way he should be charged is if he committed identity theft or sold the numbers.
This entire debacle is a direct attack on journalists.
>This entire debacle is a direct attack on journalists.
As if this attack on a free press wasn't brazen enough, local PACs have already put out attack ads against the journalist, to frame this as the governor "holding fake news accountable." [1]
If you are young and educated, you are not the target audience of these theatrics and you’re more than likely going to bounce from the state (Columbia aside, Missouri’s version of an affordable Austin).
Conservatives are swinging for the fences with their base in decline. I can come up with no other explanation for these disingenuous actions.
For a case that could potentially embarrass the state, I'd think the prosecution would try hard to make sure the case appears on the right judge's docket.
Just because you understand it to be a ridiculous charge and view the gov as embarrassing himself, does not mean all have made that judgment for themselves. Those holdouts would latch onto a verdict as truth and view the gov as vindicated.
I’m sure the governor would rather see this all the way to the end, lose and then cry foul than just admit he is wrong too. He probably already knows he is wrong but no politician would ever admit it. Politicians will dig in their heels until they’ve dug their own grave than admit fallibility. They are incapable of it.
IANAL, but the local Missouri computer crime statute is very broad [1]. Technically, the reporter seems to have factually "Accessed a computer, a computer system, or a computer network, and intentionally examined information about another person" without "authorization." Considering the conservative PAC for the state has already pushed attack ads against the reporter [2], and the fact that the prosecutor is elected (potentially supported by conservative PACs), I definitely see a possibility of this going to court and potentially arriving at a conviction. Again, IANAL, and I don't know the jurisprudence or case history behind this particular statute.
The reporter did not access anything they did not have permission to access! It was on a publicly accessible website, posted publicly, for the purpose of public dissemination. The statute is even more restrictive than that - the part you didn't quote:
"A person commits the offense of tampering with computer data if he or she knowingly and without authorization or without reasonable grounds to believe that he has such authorization"
No one could possibly prove beyond a reasonable doubt that the reporter did not have "reasonable grounds to believe that he has such authorization". The reporter did not know that the website had private information on it when he accessed the page.
The law does allow for a civil action to be taken by the owner of the computer system (in this case the state) which would lower the standard of evidence to more likely than not, but given the facts of the case, I don't think it comes even close to meeting that bar.
I totally agree with you in principle. Everything the reporter accessed was publicly accessible.
That said, it seems like a prosecutor could articulate an argument that the reporter accessed information he had no reasonable grounds to believe he was authorized to access because he deliberately decoded some Base64-encoded strings that the reporter expected to contain sensitive information. Further, that because the reporter knew the site was using encoding to "protect" this information, by decoding the information he had believed might contain unauthorized information, he had "examined information about another person" that he had no "reasonable grounds" to believe he was authorized to access.
For every objection that is coming to your mind reading this, think to yourself whether you are confident you could convince a tech-illiterate prosecutor (who is looking to "hold fake news accountable") to see things your way. Further, is a jury or a judge going to be able to find salient AND relevant differences between "decoding" and "decrypting" or "client-side" vs "server-side" software? And are those differences great enough to affect their interpretation of the reporter's actions in the context of the statute? Judges, prosecutors, and juries cannot be relied upon to unwrite bad tech laws.
> think to yourself whether you are confident you could convince a tech-illiterate prosecutor (who is looking to "hold fake news accountable") to see things your way.
“It is difficult to get a man to understand something when his salary depends upon his not understanding it.”
> information he had no reasonable grounds to believe he was authorized to access because he deliberately decoded some Base64-encoded strings that the reporter expected to contain sensitive information
From a mathematical or CS perspective, i.e. from the perspective of objectivity and rigor, the Base64-encoded strings contain precisely the same information as the decoded version.
Even from a lay perspective... it's as if the state issued a public declaration in Chinese, and translating to English was "accessing" different information than the Chinese original.
> For every objection that is coming to your mind reading this, think to yourself whether you are confident you could convince a tech-illiterate prosecutor (who is looking to "hold fake news accountable") to see things your way.
Ask the prosecutor if sharing stolen Base64-encoded SSNs would be _legal_ because Base64-encoding makes them _different information_ than the original SSNs.
You won't be able to convince the prosecutor of anything ever, but you won't get a straight answer to that question either.
If the data was encrypted in a way that was easy to defeat, and the reporter specifically decrypted the data using a method that would not be generally available or known to a layperson without having specific tech knowledge…that reporter is going to have a tough time defending against a “hacking” claim—especially in a state with an overly broad legal definition about accessing unauthorized data. They capitalized on the data and benefitted by writing a story about it.
As a juror your job is to convict or acquit based upon the law and jury instructions given to you. Your job is not to convict or acquit based upon your opinion on what the law should be.
I suppose it's true, though, that poorly-encrypted ciphertext still contains the original information as the plaintext.
Encryption has the clear intent of removing all the plaintext information from ciphertext, producing a random string that is useless without a secret key, but this may fail, and then the plaintext information remains.
However, encoding information (in Base64 or otherwise) has the intent of removing no information.
My original formulation of argument was flawed, since it made no reference to or distinctions of intent.
Ok so let’s use the word “encoded” instead of encrypted, but the distinction between the two to a layperson might not be as nuanced as a reader on Hacker News might understand. Even the word “decoded” as opposed to decrypted would raise eyebrows to a layperson juror.
If the law is overly broad about unauthorized access of the information and if by default the information being accessed is not plainly readable without conversion requiring special knowledge or software, I think a conviction might be likely and justified.
> Even the word “decoded” as opposed to decrypted would raise eyebrows to a layperson juror
What does "raise eyebrows" mean?
You hypothesize a jury that simply doesn't understand the word "encoding," and can't be taught its meaning because it sounds like "encryption"?
If a message were broadcast in Morse code, then you could be convicted for unlawful access if you were to decode that into letters, right? Because it's Morse "code," an encoding.
I guess juries might not convict in that case because they've heard of "Morse code", but not "Base64 encoding"?
Anyway, if communication with juries is this fragile (and maybe it is) then a jury conviction really means nothing and the trial system as a whole is pretty hopeless and certainly cannot justify imprisonment of anyone.
“Raise eyebrows” is basically an idiom that means “have skepticism for (what is being told to them)”. I think the standard lay person on a jury would not necessarily be open to a defense attorney attempting to explain that the word “decode” in goes against their base understanding of the word. The defense argument has to overcome the jury’s lay understanding of decode by arguing that although yes, we are revealing information…it's not really revealing anything since it was easy to reveal in the first place for someone with the skills to do it.
To use a metaphor—if a state building is closed, but a person with certain knowledge knows that the windows on the building are easily opened by lifting and pulling in a certain way. Then, that person opens the window, enters the building, takes pictures of sensitive information, and later tells the government about the window, then writes to the world later after the government replaces the windows about how easy it was for them to enter and find that sensitive information, would they be guilty of breaking in and stealing information? I think yes.
Even if their intent was not malicious, and ultimately resulted in more secure data, they did something that was not authorized and then capitalized on it after. If the law doesn’t have a caveat for that situation and if the jury is doing its job and doesn’t have an instruction to allow the out, a conviction is likely.
I'm not asking you about the meaning of a common idiom. I'm only asking about what you mean. What are you trying to say.
> I think the standard lay person on a jury would not necessarily be open to a defense attorney attempting to explain that the word “decode” in goes against their base understanding of the word.
If they're not "open" to understand what Base64-decoding means, then they're not open to understand what the defendant did. Maybe that's true. If so it's a very deep indictment of the process. If what you are saying is true, the judge should not allow the prosecution to use the word "decode."
> To use a metaphor—if a state building is closed, but a person with certain knowledge knows that the windows on the building are easily opened
We don't need a metaphor. I used another actual example (not metaphor) of an encoding -- Morse code. A person who takes a transmission in Morse code and writes it down on paper has decoded it.
Is decoding Morse code allowed "without authorization"? Do I have a right to broadcast information on my HAM radio and then demand prosecution of any people who decode it?
It seems you would argue yes. Or else "no, but only because juries have heard of Morse but not Base64."
If the state, in this case, had used strings of "." and "-" to encode the data in Morse code, instead of Base64, do you think they would have the same case?
Or what if they had used Greek instead of English? (I think if you insisted to use a metaphor for encodings, that would actually be a good one.)
You are relying on special knowledge and understanding so it’s simple to you. It’s not necessarily simple to the 70 year old grandmother sitting on a jury. Does she understand what Morse code is, probably. Can she create an equivalence between Morse code and Base64? Well that is what a defense attorney has to do now, ain’t it?
But all of that still doesn’t matter if that reporter was in possession of data he was not authorized to have and the law prohibits that. So what you have is decoded data in possession by someone who wasn’t allowed to have it but could be valid for him to have possession if it was encoded. If that is the way the law is written or the jury instruction is given…it’s a hill for the defense to climb.
I don't know if you or the post above have any knowledge of the criminal justice system in the USA. I've been in the front-row for thousands of criminal cases and the number that got dismissed before trial, not based on evidence suppression which doesn't apply in this case, is pretty much zero. I got one dismissed based on perjured grand jury testimony, and another based on an indictment flaw, but neither of those things would apply here.
Whether a jury would convict. Juries are much more complicated than most people imagine. For a start, the prosecutor is going to show the statute and the evidence and show how the person violated the statute. There might not be a proper legal defense.
You might be thinking of jury nullification where a jury acquits a defendant even where they are proven guilty, simply because the charges are bullshit. This almost never happens. Although it really should happen much more often.
Not only legal fees (which probably will be covered by someone else in this case) but mandatory court appearances that are scheduled antagonistically and punitively.
The punishments for missing these dates are among the most extreme and disproportionate in the whole system.
(With no due process, and COVID infections for all.)
Yep. As I understand, many innocent people take guilty pleas because the time cost of court appearances is unbearable or will cost them their job. I've become pretty jaded about the justice system as I've learned more about it.
Yes, and also, the plea bargains on offer usually provide a huge reduction from the maximum risk from being found guilty. Not uncommon: plead guilty and pay $100 fine, or be found guilty and go to jail for up to 1 year. The guilty and the innocent alike are given as many reasons as possible to plead guilty.
I prefer the Verge article on this one though [1]. Relevant quote from the article:
> They turned the case over to Cole County Prosecuting Attorney Locke Thompson on Monday, December 27. Governor Parson then held a press conference on Wednesday, December 29, where he cited a state statute related to computer tampering and repeatedly suggested Thompson should use it to prosecute Renaud and the paper.
It was just earlier this week that this was turned over to the prosecutor's office. This prosecutor is an elected official, and the Missouri conservative PAC has put their money behind this by placing attack ads against the reporter, and framing this as "holding the fake news accountable" [2]. Also, IANAL but if we're going by the letter of the law, the local Missouri computer crime section certainly does seem to include the actions of the reporter [3], even if the SSNs weren't Base64 encoded. Bad law, but the fact that the law is bad doesn't have bearing on whether they'll decide to prosecute.
> The reporter discovered that the source code of the website contained Social Security numbers of educators. The reporter alerted the state about the social security numbers. After the state removed the numbers from the web page, the Post-Dispatch reported the vulnerability.
I really hate the idea that trying to do the right thing (reporter telling MO DoE about SSNs being in their HTML) results in prosecution to save face instead of reflection and congratulations. This is how you get more crime.
I think a lot of analogies miss the point that data was copied and transmitted to the client and accessed client side. I think it'd be more accurate to compare to a barcode
Imagine requesting a voter registration form and you receive a letter in the mail with all previous residents' social security numbers encoded in QR codes that were added as a "convenience feature" for the voting office
In that case, it'd be ridiculous to claim you "hacked the voting office"
A similar example could be credit card strips. They actually had people's SSNs encoded in them for a while. Anyone with a reader and physical access to a card could grab them. Dateline did a report on it back in the day without having to deal with anything like this
It's not like picking a lock. It's more like turning over a sheet of paper to read what's on the other side. If this guy gets convicted, I'll eat my hat (I wear a fedora).
"They just throw their fedora wherever the floor is
And start doing horas and taps".
"A better analogy would be you're walking in the street past a neighbor's house and notice their front door wide open with no one around. You can see a purse and car keys near the door. You phone that neighbor, and tell them their door is open and their purse and keys are easily visible from the street. Would Parson consider this breaking and entering?"
I think a better analogy is that you requested a document about yourself from the state and a bureaucrat sent you your document and a whole bunch more you didn't ask for that was encoded using pig latin.
That's not a better analogy. The implication is that somehow the raw HTML is more valuable than the rendered webpage.
You don't get to publish a "rendered webpage"; what you publish is raw HTML. If you didn't want people to read it, you didn't ought to have published it.
[Edit] Also, taking a copy of the HTML isn't like taking keys and a purse. If you take keys and a purse, the owner has been deprived of them. That's not the case with taking a copy of a webpage.
Yep. When Google Street View cars hoovered up in-the-clear wifi data, the most they were ever punished was $25k for impeding the FCC's investigation, not for the actual data collection.
Shouting your information in public is not and should not be grounds to prosecute those who are listening.
If I throw a sack of potatoes into the street, I don't think it would be theft to take a picture of them and mail it to me saying "hey bro you dropped yer taters"
The keys and purse don’t represent the raw html, they represent the social security numbers that were visible in the raw html. The front door was wide open in that this information should have been kept in the backend, not the frontend.
It's not a good analogy because your browser is your house.
The "open front door" analogy works in some instances of "hacking," like enumerating an ID field in a URL. But in those cases you are making an active request to "enter the door" for each ID. That's not the case here – you downloaded a page you have access to, and the server included more data in the page than it should have, without you asking for it.
It's like somebody tossed a phone book into your open door, and then prosecuted you for reading it.
Does it really matter whether you're in your own house or standing on the public street? The good Samaritan in the analogy didn't go through the open door. They just phoned their neighbor to warn them: "Hey, your door is open, leaving your purse in plain view. You should probably fix that!"
A bad actor would have actually stolen the purse. Just like a bad actor would have used the social security numbers to commit identity fraud. Since neither of those things happened, prosecuting anyone is ridiculous, in both the analogy and real life.
What's visible depends on what you use to view the webpage.
GET / HTTP/1.1
If you don't happen to have a GUI ([Edit] or something like Lynx), that's how you read a website. It's not reverse engineering, or de-compiling; that's just displaying exactly what the server served.
Say your neighbor has an atrium and gets medication delivered. Said medication is clearly labeled as light/heat sensitive, and the package is left by the delivery person in direct sunlight. Their front door is unlocked.
You open the door and tuck the package safely inside.
Breaking and entering?
Anyone telling me that qualifies has some serious thinking on Mens Rea to do.
You had me in the first half. I think the better completion of this analogy would be:
You ordered some medication, and the delivery guy drops it in your atrium. You open the package and find that it includes your neighbor's medication, too. You tell the delivery guy that he sent your neighbor's medication. The delivery guy calls the police and requests you be arrested.
Technically yes, you are breaking and entering under what I can find as the legal definition of breaking and entering in the US (IANAL and don't live in the US even):
Breaking and entering is the entering of a building through force without authorization. The slightest force including pushing open a door is all that is necessary. Breaking also includes entering a building through fraud, threats, or collusion. To constitute entering, it is sufficient if any part of the accused’s body is introduced within a building. It is not considered breaking and entering if the premises are at the time open to the public or the person is licensed or privileged to enter.
So the fact that you wanted to do a good deed is not relevant for it being considered breaking and entering. If only the door was already open and you shoved the package inside without actually ever even having an atom of your fingertip enter the house itself, then it would not have been "breaking and entering".
I completely agree though that nobody in their right mind should want to prosecute you for this. This is the difference between the actual letter of the law as it would be applied by a computer algorithm automatically and a good judge / jury that interprets the law and the facts.
>Breaking and entering is the entering of a building through force without authorization.
Where's the force? Door unlocked. I'll give ya the lack of auth though as I'm not willing to die on the hill of unlocked doors being an implied grant of authorization.
You ignored the second sentence of what I am quoting. Here it is again:
The slightest force including pushing open a door is all that is necessary.
Not my words. That said, force does not imply amplitude of said force, except colloquially. This is legal stuff though, which, like say physics, has slightly different use of certain words than most people are used to from day to day life.
As in, I would agree with you that force in regular use is usually used in the sense of a large force. But that is not the actual definition and only possible use of the word.
I don't think the analogies about "someone else's house" work in the reporter's favor, whether the door was open or not. The data was included in source code that the server sent to the client in the normal course of operations.
It's more like if the New York Times dropped a newspaper at your house with the answers to next week's crossword puzzle included on the page.
The process is the punishment here. The only adequate protection against capricious prosecution is that in principle you can make a stink and vote out the elected officials abusing their power.
I was reading these attempts at better analogies, kept wondering why someone wasn’t making an analogy akin to writing or books, left to read the article, then came back and saw your comment.
Your analogy is much more apropos. Nothing was tampered with or “pulled” from another location, virtual or otherwise. Everything the reporter saw was already there and accessible (the public website), they just knew how to use their lens (browser) in a perfectly legal way to see it.
I'm aware that there are people here who object to fedoras! TBH I guess I was trolling them.
I don't know what it is; maybe they think it's vanity and fashion. If you asked anyone I know whether that matched me, they'd all burst out laughing - I'm a notorious slob.
I wear a hat because my natural scalp insulation is wearing out, and when I buy things I like to buy good things. A good felt hat with a brim is resistant to heavy rain, for example, and makes a brolly unnecessary.
I like to cook; but I don't know how to cook rabbit-fur felt so that it can be chewed. And my digestion isn't that great. Maybe I went too far, saying I'd do that.
I saw in a thread somewhere else a while ago a bit more detailed explanation:
The web page used an old .NET framework that serialized the application state, base64 encoded it, then dumped it in a hidden form field at the bottom. When you navigate pages, the data is POSTd back to the server to achieve a "stateless" web app on the server side
The reporter had to view source and base64 decode the data
Obviously still trivial but I think the laws are also very ambiguous on "decoding" and "accessing"
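Added example, not part of the thread and not code from the site or the newspaper: a pre-publication check a site owner could run over their own rendered HTML, flagging hidden form fields whose raw or Base64-decoded value contains SSN-shaped strings. The sample page, names, numbers and helper functions are constructed for illustration, and the sample state blob does not reproduce the real .NET serialization format.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Dashed SSN shape only (###-##-####), bounded by non-digits to limit false hits.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


class HiddenFieldCollector(HTMLParser):
    """Collects (name, value) for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            name = a.get("name") or a.get("id") or "?"
            self.fields.append((name, a.get("value", "")))


def try_base64(value):
    """Return decoded bytes if value is well-formed Base64, else None."""
    compact = "".join(value.split())
    if len(compact) < 8 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def mask(ssn):
    """Keep only the last four digits so the report itself leaks nothing."""
    return "***-**-" + ssn[-4:]


def audit_html(html):
    """Return one finding per SSN-shaped string in any hidden field."""
    collector = HiddenFieldCollector()
    collector.feed(html)
    findings = []
    for name, value in collector.fields:
        views = [("raw", value)]
        decoded = try_base64(value)
        if decoded is not None:
            # latin-1 maps every byte to a character, so binary framing
            # around embedded strings never raises a decode error.
            views.append(("base64", decoded.decode("latin-1")))
        for encoding, text in views:
            for m in SSN_RE.finditer(text):
                findings.append(
                    {"field": name, "encoding": encoding, "match": mask(m.group(0))}
                )
    return findings


def build_sample_page():
    """Constructed page: one leaky state field, one opaque field, one token."""
    # Constructed records; area number 000 is never issued as a real SSN.
    leaky_state = (
        b"\x00\x01state\x02Jane Sample\x03000-12-3456"
        b"\x02John Sample\x03000-98-7654"
    )
    # Stand-in for a protected (encrypted) blob: bytes with no readable text.
    opaque_state = bytes(range(128, 160))
    return (
        "<html><body><form method='post'>"
        "<input type='text' name='search' value='Sample'>"
        "<input type='hidden' name='csrf' value='not-base64!'>"
        f"<input type=\"hidden\" name=\"__VIEWSTATE\" "
        f"value=\"{base64.b64encode(leaky_state).decode()}\" />"
        f"<input type=\"hidden\" name=\"__OPAQUE\" "
        f"value=\"{base64.b64encode(opaque_state).decode()}\" />"
        "</form></body></html>"
    )


if __name__ == "__main__":
    for finding in audit_html(build_sample_page()):
        print(finding)
```

No key or secret appears anywhere in the check: Base64 decoding alone is enough to surface the embedded values, which is why the encoded field needs to be treated as published data.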
> The web page used an old .NET framework that serialized the application state, base64 encoded it, then dumped it in a hidden form field at the bottom.
Wow. I was a C# developer for many years and I never realised that ViewState encryption was _opt in_[1].
Someone interviewed for my company last month. One of his previous experiences was listed as "dynamic SQL". My third question was how do you prevent SQL injection attacks. He didn't know.
> If those identifiers contain sensitive data, such as customer IDs, you should encrypt the view state data in addition to or instead of sending the page over SSL.
It would be hilarious if those docs got updated to say customer IDs or SSNs. Lol.
The craziest part is that if you had made that same mistake and leaked a bunch of SSNs the same government would be fining you and accusing you of being negligent. It's insane.
I can't believe the defense wouldn't be able to present an expert witness / cross-examine the prosecution's on the distinctions between "encoding" and "encrypting."
I guess base64 is cryptographically a substitution cipher with a public pad. Which... you'd think using a ~2000+ year old method in a known-harmful way would stretch the term.
State makes the personal information of state employees freely available to anyone with an internet connection and a web browser.
Reporter notices, reports it to the state, waits for it to be fixed, then runs the story.
State governor goes after reporter.
The state governor is either an idiot, or trying to cover up their incompetence, or both. And doing so in a way that makes him look like more of an idiot.
If the prosecutor takes this up then either they're an idiot or being pressured to do so, by the idiot in charge.
I don't think it is that big a stretch. There's more details in the Verge article[1]:
> They turned the case over to Cole County Prosecuting Attorney Locke Thompson on Monday, December 27. Governor Parson then held a press conference on Wednesday, December 29, where he cited a state statute related to computer tampering and repeatedly suggested Thompson should use it to prosecute Renaud and the paper.
As of the time of writing this comment, that was four days ago, and during the holidays. It certainly seems like charges will be brought unless Thompson chooses to side against the Governor and decline to pursue charges (I'm not sure what the political implications of that would be in either direction.) State statute is here [2]. IANAL, but this statute seems very broad. Especially sections 3, 4, and 5:
>A person commits the offense of tampering with computer data if he or she knowingly and without authorization or without reasonable grounds to believe that he has such authorization: [...] (3) Discloses or takes data, programs, or supporting documentation, residing or existing internal or external to a computer, computer system, or computer network; or
>(4) Discloses or takes a password, identifying code, personal identification number, or other confidential information about a computer system or network that is intended to or does control access to the computer system or network;
>(5) Accesses a computer, a computer system, or a computer network, and intentionally examines information about another person;
Like, yeah, factually the reporter did examine information about another person without authorization. This law sucks, but it is not a stretch to think they will prosecute the reporter.
The STL Dispatch covered every single angle of responsibility before and during taking this action. Even if they violated the letter of some law, the only outcome of a court case will be to embarrass the state by exposing how incompetent they were, and how responsible the reporter and the paper were in disclosure.
My guess is the prosecutor will decline to pursue.
Thompson is a small-town Missourian elected prosecutor, facing pressure from fellow conservatives to "hold the fake news accountable" as stated in the latest attack ad against the reporter from a conservative PAC [1]. At best it's a coin toss imo.
Having watched a few of the sessions held by congress questioning social media CEOs and the like, I think this story is quite plausible.
In between the grandstanding some of the politicians asked such odd questions, I think an introduction to digital safety should be a requisite course for all public servants alongside antidiscrimination and inclusivity.
I wouldn't be surprised if there is someone already in jail who has been charged and convicted for a similar action.
They aren't dependent on the feds to bring charges.
The feds' involvement would be for prosecuting the reporter for CFAA violations. Missouri has its own computer intrusion legislation that would be the basis for charges from the state.
Am I to understand that a state governor has the power to instruct some lackey-lawyer to charge someone with a crime, and to prosecute them for that crime? In the land of the free, this is not an independent process?
You are surprised? We already know that a prosecutor will try for higher sentences near an election and... well, they are elected. It isn't hard to imagine that an elected official works with other elected officials, especially if they want to do other things in government.
I don't know why you're surprised. The courts have shown time and again that they are part of the establishment (that includes the civil service and government), and will act in accordance with government wishes most of the time.
"Yes, Minister" was documentary not fiction (also, since we seem to be remaking/rebooting everything good, can we have an updated version of this, please?)
They did remake Yes Minister. It was Not Very Good.
This, incidentally, is precisely the sort of thing that Humphrey would stop Hacker doing, if Hacker had the ability, which he didn’t. The only times Humphrey lets Hacker indulge in overreach are to put him in a situation that Humphrey can then save him from.
> They did remake Yes Minister. It was Not Very Good.
Thanks, I must have missed it. I'll check it out (even if it's crap).
I agree with your take on it, I was more indicating that the way Things Are Supposed To Work is almost not How They Actually Work, and usually that's How The Old Boy Network Want Them To Work.
Someone anonymous on Twitter threatens to kill you. You go to the front desk of your local police and they say "You have our sympathies, but we have limited resources, and we don't know whether it's really a serious matter or not, or even if the perpetrator is within our jurisdiction."
You threaten on Twitter to kill your MP. They go to the head of the local police force who decides it _is_ a serious matter, looks into it and finds you _are_ in their jurisdiction, and some police officers come knocking at your door.
Is this the rule of law operating as intended, reflecting the reality that MPs have been murdered before, and in a world unfortunately constrained by finite policing budgets?
Or is it a double-standard, where a wealth of usually-unenforced laws allow the powerful to oppress their opponents?
As a European, I find it insane that I could elect the prosecutor or even the police. And in some ways that politicians would have any word on this apart from deciding the funding and laws...
I don't disagree with your point but how must a prosecutor be selected then? If someone is not chosen by a public and popular vote, it must be chosen differently. Any mechanism of choice will have an inherent bias.
For example, you could decide that a prosecutor is the best at knowing the law, so let's have a law exam where the one with the best score is named prosecutor. However, being a good prosecutor can't always be reduced to a technical know-how. And those good at laws might be those who were able to pay to go to the best universities, buy the textbooks, be allowed to study for years without working, etc. So you also have a bias on wealthy families.
I don't think that the problem of allocation of power in our modern societies is a solved problem...
Just because any system could or do have biases, that’s no good defence of a system we know has terrible pernicious biases that are visibly compromising its integrity. I’m a Brit, and I’d have good expectations of being treated fairly if I faced prosecution as an innocent person here in the UK, in France, Germany, or plenty of other countries. I have no such confidence about the USA. Especially so if the crime I was accused of was politicised. I actually know someone in the US whose life was destroyed by that system, he spent a year in prison and it took years more to clear his name.
Politicisation is endemic to the US justice and policing system, it’s an absolute disgrace. I agree no system is perfect, we have miscarriages of justice here in the UK too, but perfection is not the enemy of the good and your system is below mediocre. You can do, and deserve, a lot better.
Germany just had Pimmelgate (Pimmel is a synonym for penis). Hamburg's Senator of the Interior did something and some random guy wrote "you're such a dick" ("du bist so 1 pimmel"). The Senator apparently was very annoyed and asked the state attorney to go after the guy. They summoned him to the precinct, he went, said that he wrote that tweet and declined to say anything else without a lawyer present. They then got a judge to sign a search warrant against his ex-girlfriend (and mother of his children who live with her), and executed it, which was unnecessary (they knew who did it and he had already confessed) and meant to punish extra-judicially since the case would likely be thrown out in court.
The state attorneys and police are part of the executive branch and subject to directives of the politician in charge. Theoretically, electing the state attorneys directly would motivate them to not just do whatever the administration wants, be that legally reasonable or not. In practice it probably does not matter.
Like I said, no system is perfect. It’s a matter of the overall results. You’ll always find individual lapses unfortunately, and we always need to hold authorities to account. Anyway it’s good that there was an uproar about that case.
Especially when the public side is underfunded and defending yourself is insanely expensive. Not that law is cheap anywhere, but from recent cases like Kyle Rittenhouse and officer Potter it seems just stupid and broken.
After both looking into the details myself and watching LegalEagle's analysis of the case, I'm not convinced that there was anything wrong with the Rittenhouse trial. Rittenhouse was stupid for driving into the city in the first place, but each of the times he fired his gun seemed perfectly reasonable. And I had initially thought that he was looking for an excuse to shoot black people, but then found out that all 3 people he shot were white.
Did you disagree with the result of the Potter case? I am unfamiliar with it but it seems like they charged a police officer who "mistakenly used a handgun instead of a Taser"? Am I missing something here?
It varies by country. For instance, in Ireland, the Office of the Director of Public Prosecutions is a civil service bureaucracy. It's led by the director, who's appointed by the government for a ten year term and must be an experienced barrister or solicitor. The director is a civil service executive, not a dictator, so the amount of damage a bad or corrupt one can do is somewhat limited.
Until the 70s, the role was filled by the office of the attorney general, who's a direct government appointee (strictly speaking appointed by the president on direction of the government). The separate agency was created to defend against bias.
The current setup where only official prosecutors can prosecute crimes is historically recent. I don't know what would be better, but these officials becoming too cozy with other officials is what you'd expect a priori.
Didn't Craig Murray go to prison for contempt of court?
As Wikipedia recalls it, a judge in a sexual harassment and attempted rape trial issued an order to keep the accusers anonymous. Mr Murray was found to have broken that order. Unless you want to elaborate on the specifics, I think your comment is without merit.
"Jigsaw identification" is a nebulous broad claim that could have been applied equally to any reporting on the trial, but was only applied to one independent journalist who has been critical of the state.
The state Attorney General is part of the executive branch and takes orders from the governor. This is the case in most states and the equivalent is true at the federal level. People seem to think it is an "apolitical" post but that just isn't true.
No, the state governor does not have the power to order a county prosecutor to prosecute. He can't even order the attorney general to prosecute. Might be able to put political pressure on them to do so, though.
On the other hand, the President of the United States does have some constitutional power over the Department of Justice, and appoints the US Attorney General (with confirmation by the Senate), and can fire the AG, so at the Federal level, there is a direct line of such power.
It is all politics. Prosecutors are sometimes elected with political ambitions. And on higher level in same corrupt parties are those on state level... Thus pressure to do things...
A person should be able to email security@domain without legal ramifications. They should encourage these good guys with bounties as well. Edit: I would guess it's much cheaper in the long run, although I don't have a source.
Seen from abroad USA seems like a parody of themselves, not a particularly funny one.
Greatest country for greatest opportunities, still many politicians seem incredibly dumb, or at least as dumb as Italian ones, which are really really dumb, on average.
Just remember the US isn't exactly one entity, but a collection of 50 states. Still it's sad that the least educated states seem to have so much power lately.
I hope they charge him, because it's going to be very hard to prosecute I believe, and a victory would enshrine legal rights to 'Right Click' and view source.
I think the trial would come under enormous scrutiny.
If the reporter lost the case in local banana republic courts, I do believe it would go up to Federal or Supreme and it would win.
The case being hard to prosecute doesn't mean that paying for a legal defense will be cheap. The same goes for suing the state for damages afterwards; lawyers will require retainers to investigate the likelihood of a settlement. Suing the government is not a simple matter, by design.
The goal of threatening reporters with prosecution is to intimidate others and prevent them from investigating areas that could embarrass the state government.
From a tort perspective, it seems like the client assumes all the risk of an HTTP request: I made a request for this URI - without (obviously) knowing its contents - and you send me some contents. Even if I as the client attempt to send a malicious payload, etc. the server can transmit back whatever it would like any time - that's the rules of the game.
So the server holds all the power, and as long as I got a "200 OK" response with whatever contents you sent me, you have absolved the client of wrongdoing without a much bigger burden of proof of fraud, identity theft, etc...
Otherwise, the Internet literally becomes unusable - if even submitting this comment might result in me receiving illegal content, how does one proceed?
Sidenote: this is tangentially similar to the CitiGroup Revlon case, where Citi accidentally paid out the full principal on a loan to Revlon to a bunch of small lenders, and the lenders refused to return the money.
The court ruling is interesting, in that as long as the lenders assumed the money was sent on purpose - that that was the intention of CitiGroup - then there was no reason to send the money back. But if they assumed the money was sent on accident, then it was illegal to keep it.
The court ruled that under good faith argumentation ("discharge of value") that if someone owes you money and they pay it back, even "on accident" or otherwise, you have no obligation to return it.
And again, it hinged not on the individual case per se but the effect of ruling otherwise - that you could never truly spend money that was sent to you because someone might come later and claw it back, which would just grind the financial industry to a halt.
I think the same conclusion would have to be made here: if you send something and stick a 200 on it, the recipients are entitled to what you sent them.
>I think the same conclusion would have to be made here: if you send something and stick a 200 on it, the recipients are entitled to what you sent them.
Disclaimer: I don't work with web tech, but wouldn't that also permit a lot of activities we would absolutely consider unethical, like SQL injection? It seems like you could certainly craft a request to circumvent security controls to receive a 200 response back that we'd absolutely consider to be unethical.
Disappearing View Source is stupid in a world in which you can curl or use dev tools to get at the same data. Wouldn't even be shocked if some applications/workflows depended on it.
I don't think it's about education. It's about bad faith and cynical politicians abusing the justice system to intimidate reporters. There is nothing to be done about it but vote those people out.
The HTML document revealed by "view source" isn't something "behind" the web page -- it IS the web page. The State effectively made a document containing the confidential info available to everyone and is now complaining because someone looked at it. I agree with the prior commentators that this is more about politics than law.
I find it overly amusing that the article is tagged with "CHRIST WHAT AN ASSHOLE". After clicking through to see other stories with the same tag, it's...apt.
It was more than "View Source". It was decoding viewstate.
Reading someone's postcard in the mailbox is like looking at the source.
He opened the letter that was in the encoded viewstate.
The envelope doesn't offer any real security but it is illegal to open someone else's mail, and decoding a site's viewstate might technically be illegal as well, but unless you tell someone you did it no one will know.
The reporter should have notified them directly, anonymously, or kept their mouth shut.
If you send information to the client, it is your responsibility to make sure it doesn't contain private information.
The reporter should probably not be prosecuted, pardoned if convicted, and we should repeal the laws that make using anything sent to client illegal.
If you are sent something you didn't order in the mail the FTC says you don't have to pay:
"By law, companies can’t send unordered merchandise to you, then demand payment. That means you never have to pay for things you get but didn’t order. You also don’t have to return unordered merchandise. You’re legally entitled to keep it as a free gift."
This reporter was gifted some viewstate because it came to his computer.
Edit:
To the person claiming it is "another language", I don't know anyone that does Base64 decoding in their head, and this is clearly not meant for human consumption.
There are many tools for consuming it through decoding and deserializing but that doesn't make it legal. There are tools for decoding DVDs which meet this same category.
What is this “encoded viewstate” of which you speak?
It’s my impression that the reporter didn’t have to go so far as thumbing over to the network tab or otherwise open any envelopes, the social security numbers were instead embedded in HTML, just not visible in the painted layout. Kudos for attempting a framing for the prosecution, but I don’t think there are laws against opening mail addressed to me.
Edit: just saw the comment about .net using base64 encoded state, so I understand your argument better now. In that case, if a ROT13 encrypted message was sent to me without the key, being trivial to crack doesn’t imply I have the right to share state secrets… agreed the case is a little more complicated than journalists have made it appear, go figure.
People publish stuff they find in improperly redacted documents fairly frequently. Sometimes what happens is that the black bars covering the text in a PDF are just cosmetic, and the text is still there. Even if there's a state secret under there, it's not something people get prosecuted for (in the US). You generally have the right to publish state secrets that fall into your lap, even if they were obscured and might have required some technical spelunking inside a document.
This is an incorrect assessment. The analogy is a postcard written in a language you don't understand.
The outside of the letter is a kind of lock, like encryption.
You don't violate the laws for translating the French on the back of the postcard to English if you happen to see it, right?
Opening the letter is illegal, and breaking that lock is where the act becomes a crime. He didn't do that. He only translated what was delivered to him.
The main difference is that the postcard is addressed to someone else and the law is very clear that you can’t open mail addressed to someone else. Also, I don’t really buy that “decoding” counts as an additional step, since all the contents of every web page are already decoded by the browser.
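The technical point this sub-thread turns on, that a hidden form field wrapped in base64 is readable by anyone who receives the page, is something a site owner can test for before publishing. The following is an added example, not code from the thread or from the site being discussed: a pre-release audit that flags SSN-shaped values in raw markup or inside base64-encoded hidden fields. The sample pages, field contents and SSN-shaped value are constructed, and the check assumes the field is unencrypted so that its decoded bytes carry strings in the clear.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# SSN-shaped value (NNN-NN-NNNN), matched on raw bytes.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


class HiddenFieldCollector(HTMLParser):
    """Collects name -> value for every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if (attr.get("type") or "").lower() == "hidden" and attr.get("name"):
            self.fields[attr["name"]] = attr.get("value") or ""


def try_b64(value):
    """Return decoded bytes, or None if the value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def audit_html(html):
    """Return (location, form) findings; matched values are never returned."""
    findings = []
    # Anything visible to "view source": comments, attributes, hidden text.
    if SSN_RE.search(html.encode("utf-8", "replace")):
        findings.append(("markup", "plaintext"))
    # Hidden fields whose value is only encoded, not encrypted.
    collector = HiddenFieldCollector()
    collector.feed(html)
    for name, value in collector.fields.items():
        decoded = try_b64(value)
        if decoded is not None and SSN_RE.search(decoded):
            findings.append((name, "base64"))
    return findings


# Constructed sample data. The SSN-shaped value uses the never-issued area 000,
# and the leading bytes are arbitrary filler, not a real serialized state blob.
FAKE_SSN = b"000-12-3456"
LEAKY_STATE = base64.b64encode(b"\xff\x01\x0f\x05\x0b" + FAKE_SSN).decode()
CLEAN_STATE = base64.b64encode(b"\xff\x01\x0f\x05\x05hello").decode()


def constructed_page(hidden_value, extra=""):
    """Build a minimal constructed page with one hidden state field."""
    return (
        "<html><body><form>"
        f'<input type="hidden" name="__VIEWSTATE" value="{hidden_value}">'
        f"</form>{extra}<p>Name: A. Teacher</p></body></html>"
    )


if __name__ == "__main__":
    print(audit_html(constructed_page(LEAKY_STATE)))
    print(audit_html(constructed_page(CLEAN_STATE)))
```

A finding in either form means the data has already left the server; the fix is to stop serializing it into the response, not to change how it is encoded.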
stunning..and scary...
The root problem here (or at least one of the root problems) is that government workers are not hired or promoted on merit. That leads to people of lesser intelligence being bosses. As evidenced here. That is a bad thing, in my opinion. You want smart people in charge. That's a good thing!
As I said in another comment, it is not about education or intelligence. Read the article. The politicians trying to intimidate the St Louis Post Dispatch have a history of intimidation against journalists. Demagoguery is unfortunately a chronic condition of democracy.
What's democracy? Is that when stuff gets done to you by corrupt politicians, and you have to shut up and suck it, except that every few years you get to swap one bunch of corrupt politicians for another bunch?
Not having a single person be the executive likely helps. In a parliamentary democracy, the prime minister would have to tell the justice minister to do this. The justice minister would likely refuse. The prime minister’s recourse would be to fire the justice minister and get a new one appointed, but that’s a big step. Assuming that’s overcome, the new compliant justice minister would have to tell the public prosecutor to do it. In many countries that’s an independent office, and the justice minister wouldn’t have much standing. So you’re back to trying to fire people, and the petty vindictive prosecution is turning into a government-ending event; the PM is likely to be seeking alternative employment…
Executive presidency/governor systems, like those used in the US, have a generally higher dependency on individuals behaving properly.
In theory. I believe the system was setup to ensure that the judicial system is independent from the executive branch. However, we have seen the nefarious influence of money in politics which is now starting to encroach on the judicial system too:
This is nothing to do with government worker competence. Undoubtedly, the governor has been advised that there is no case. It's legal harassment, and a sign of (a) a structurally flawed system (the executive should be in no position to make this sort of threat in the first place) and (b) a sick political system (even if the executive is legally able to make such a threat, it should be politically impossible for them to do so).
Maybe, but there's a possibility they know it's not a valid argument but believe they can still use it effectively. Just because someone supports a position doesn't mean they know it's valid, nor that they know it's moral. Plenty of people, and especially politicians of some persuasions, are happy to spout known lies and deceptions to get to their preferred outcome.
That no offence was committed here should be apparent to a 10-year-old of average intelligence. The governor is either very stupid, very ignorant or very cynical. Or some combination of the 3.
If I were to guess they probably know nothing will happen. It seems like the point here might just be to send a message -- sure, perhaps nothing will happen this time, but are you going to take that chance next time?
We are very much on the slippery slope of elected officials making prosecutors punish people they don't like. Short hop and a jump to Putin-like rule. We are not going in the right direction in the US.
This is a fascinating question. I can see strong arguments on both sides. Just because something is publicly accessible, it doesn't make it free to take or use. Of course there will never be a strict line, so one needs to take into account the intent, intensity, and the usual parameters.
Another perspective is that the private data was extracted and conveyed by the state website to the end user completely without their request or consent!
I find it reasonable that the government should be held legally liable for introducing users to the hazard of accidental exposure to confidential data.