Jeff Weaver, the Vermont senator’s campaign manager, acknowledged that a low-level staffer had viewed the information but blamed a software vendor hired by the DNC for a glitch that allowed access. Weaver said one Sanders staffer was fired over the incident.

https://www.washingtonpost.com/politics/dnc-sanders-campaign-improperly-accessed-clinton-voter-data/2015/12/17/a2e2e14e-a522-11e5-b53d-972e2751f433_story.html?hpid=hp_hp-top-table-main_sandersdnc-1155pm%3Ahomepage%2Fstory

I can see why that's the story they are going with.

you are obviously a Super Spinner

a rogue low level staffer. lol

since the DNC is now withholding voter lists and such from the Sanders campaign. Interesting timing.

carefully vetted him.

Let's hatch a conspiracy theory that it was a set up to cause controversy.

The DNC has told the Sanders campaign that it will not be allowed access to the data again until it provides an explanation as well as assurances that all Clinton data has been destroyed.

The security analysts at the company I work for could go in there tomorrow and show that proof in probably an hour.

On edit: My company can do this and I'll be recommending our sales team call the Sanders campaign tomorrow.

that Sanders will be asked about this at every press conference from now on...

Sanders campaign did not hack anything. DNC's system allowed them access. A curious young person probably poked around the database for fun. Then they slap the Sanders campaign for it.

Sounds like a setup to me.

Tptb are, rightfully, scared shitless of Sanders.

"for fun" has sent many "curious young person" to prison.

I agree, that should stop, and thank goodness we have a viable politician arguing for the end of Schedule 1 classification of Marijuana!

That was my first thought when I saw the DWS DNC was involved.

DWS entrapped Bernie's campaign to hack into Clinton's campaign?

That is what you're going with?

That's a really pathetic conspiracy theory.

Expect anything and everything rotten from those who don't want Bernie elected.

The dark side sucks.

not some kid, poking round the database for fun.

The campaign's National Data Director had to know what he was doing was improper.

A 3rd party company hired to maintain the database accidentally took down the firewall while installing a patch. The lack of a firewall allowed some low level staffer to look at the Clinton campaign's data. Nothing was downloaded, nothing was printed, and the firewall is now back up. Also, this isn't the first time this company has messed this up. Gotta look at the complete story, folks.

You're such a spoilsport.

"unauthorized access".

Even if you are technically able to access something doesn't give you the permission to do so.

If you guessed somebody's password and hacked their email it's still a crime.

But is reading that person's mail if it's open right in front of you a crime? No, it isn't. It's wrong, obviously, but it's not a crime. Anyway the kid got fired, no information was taken, and the 3rd party company who botched the firewall is under review. End of story.

you're sadly mistaken.

it's going to get blown up real big.

If it's discovered that other campaigns, say Hillary's, also accessed unauthorized information. Wouldn't that be a page turner..

Last edited Fri Dec 18, 2015, 04:55 AM - Edit history (1)

That's a HUGE distinction.

Hacking involves deliberate intent and, in many cases, careful planning. If the staffer accessed the data without using Clinton campaign computers, then it would seem that information was available on the DNC servers with only software security blocking unauthorized access. If the security was down, access could have been as simple as double clicking a folder. I don't even know if this was a case of inappropriate root access, which would expose everything. Of course, "inappropriate access" isn't as sexy as some exaggerated image of Sanders creeping about, probing for logins and passwords, while twirling his handlebar mustache.

The Establishment is scared of a true progressive people's President... we should expect anything and everything from them over the next year... stay vigilant and factual Berners!!! We are many and they are few. Facts are on our side....

why the hell would the information be queryable by both sides? It is not that hard to design a database in such a way that it replicates and distributes the data out to separate databases. This is incredibly common. They could even replicate updates back to the master database (which neither party should be allowed to access).

As someone who does such work I indeed would say this is the vendor (and the DNC) for allowing this possibility to even be there. It could almost appear like they wanted this designed this way because the "firewall" is so thin.

If the data is indeed broken out into separate databases then it would suggest they accidently made the wrong odbc connection. Now if that happened it would pretty much be IMPOSSIBLE **not** to access the data.

Something sounds really incompetant of much more wrong than the description in the news.

if you accessed data beyond what you're authorized to do = hacking

I would be surprised though if they had direct ODBC connection. Don't you need a VPN or LAN to use ODBC?

If you don't understand the technology then why try to refute someone who is in the profession?

if it's web-based.

There are several other standards for connections but the they all operate similarly.

https://en.wikipedia.org/wiki/Database_connection

but I am accessing the webserver not the database directly.

I don't think you have ever written a web application before?

Browsers don't connect directly to databases.

and most Database Administrators also know how to administer web servers.

the database of "democraticunderground.com" to get posts, threads, user names.

Don't recall using a ODBC connection.

But there is definitely one. On a site like this there is an application server that it resides on and it connects to a database server. It is easier than you might think to mix up connection strings if you don't audit your work.

There are quite a few ways this could happen where it would basically throw the wrong data in front of a client before they were even aware.

If they use a similar schema (save money, repurpose similar databases) and they are not careful with protections it could be incredibly easy to restore from the wrong database copy while doing an upgrade.

The article does not precisely say what happened but if there were ANY chance this could happen then I would place that entirely on the vendor. They should never have reopened it to the client until they had tested and looked at what results it was serving up.

This article raises incredible alarms about sloppy standards. But of course that is way complicated and certainly for that reason it can be used to attempt to smear another campaign.

Never let a good smear go unvoiced...even if there is really nothing to it.

according to Bloomberg, was fired for improperly accessing the data.

He would be the one who's supposed to be telling everyone else what the rules are, not breaking them himself.

Even the title of the article you posted says "improperly accessed', which has completely different connotations.

= hack.

I work in data security and improper access is NOT a hack. It's improper access.

And, it happens a lot. But, when it happens and is reported quickly, as it was in this case, it's not usually treated as a crime. It's treated as a teaching opportunity and policy and procedure review should be enacted so that it doesn't happen again.

Sounds to me like the entity at fault was the third-party vendor. Who takes down a firewall without a security backup to install patches?

if I use SQL injection to dump a website's database, is that hacking AKA improper access?

The fact that a firewall was involved shows that it was a low level technique used to access data. Not at the application layer.

It was the vendor.

They're the problem.

“After discussion with the DNC it became clear that one of our staffers accessed some modeling data from another campaign,” Briggs said. “That behavior is unacceptable and that staffer was immediately fired.”

your will to do so since you want something to show up as bad on Bernie.

No, it's NOT the same thing as leaving your door open. The average person would reasonably know that your house was not their own house. The same can't be said of a bunch of files on a server.

I have seen this: an employee is poking around and looking for a file, they have inadvertently been given access to a set of file data they were not supposed to have access to, they open this file data looking for whatever they were originally in search of. After reading a few files, they realize it's something else and report it to their supervisor. The supervisor then calls the person who should be in charge of ensuring that this access wasn't given out freely and reports the issue. Bernie's campaign did this.

That all this happened in 30 minutes fits this scenario.

BTW, the vendor company and the DNC probably would not have known anything about this had Bernie's campaign not alerted them.

A person entering your house probably wouldn't call the police on themselves.

“After discussion with the DNC it became clear that one of our staffers accessed some modeling data from another campaign,” Briggs said. “That behavior is unacceptable and that staffer was immediately fired.”

That would be even worse than other scenarios I can think of.

This is obviously not what our excellent headline fantasy media would like to claim.

I am not sure how a campaign can protect themselves from this kind of thing if the media misreports it and the other side takes advantage of it.

This clearly smells of sloppy work and not testing. And how did everyone likely find out about it? I would bet money that it was not caught until the customer called the vendor to report it before it was noticed by the vendor.

This is a catch 22 situation. If it happens and you don't call and let it sit waiting for the vendor to notice they will say you took advantage on purpose. If you call to report it they will say "how did you know? You must of been reading through the data.....

says was fired for improperly accessing the data.

Shouldn't he have known better?

I'm pretty sure you just want to intentionally conflate the terms because "hacking" sounds worse, since this had already been explained to you, but just in case I'll try using your analogy which actually helps...

Breaking and entering = hacking
Criminal trespass = unauthorized access

What people have been trying to tell you (and is absolutely true when it comes to industry terminology), is that the term hacking is incorrect in the context of unauthorized access to information if it was made available to you without having to bypass ("hack&quot access controls.

Hack (v) - To use one's skill in computer programming to gain illegal or unauthorized access to a file or network

Keywords: "use one's skill in computer programming"

The firewall was disabled by the 3rd party company by accident, allowing all campaigns to access each others' data. It doesn't take any skill in computer programming to double click a file that is freely accessible. It's the same as opening 'My Documents' on your computer.

access data beyond what they were authorized to do so.

Sounds like hacking to me.

That disagree with you. Sorry, hill.

Staffer - "oh look, there is a new network folder today, wonder what is in it?"

Dws - "Sanders is a computer hacker !!!11!!

According to BuzzFeed:

if you access information without authorization that's a crime

If that were the case, millions of Americans would be in jail every time they were inadvertently given access to servers they shouldn't have access to, which happens so often, no one even really knows how often.

BTW, when that does happen, it's the fault of the IT administrator who didn't properly secure the access, not the low-level employee who probably didn't realize they weren't supposed to have access to it.

During that period, the Sanders campaign discovered the breach, accessed the Clinton campaign’s data, then called the vendor to point out the flaw, according to the official.

is the phrase of the day
the ostracism from the party begins
whose party?

Though given how frantic certain people were over Clinton's emails, I assume we'll be getting calls from these fine, principled individuals for investigations into this confidential information being compromised.

unauthorized access of a computer system.

How's that not a hack?

If the staffer deliberately accessed the information knowing they weren't authorized to have access to it, then it would be criminal computer trespass.

If the staffer just didn't know what they were doing and accessed information that had become available due to someone else's carelessness, then there's no malicious intent, and not criminal.

Hmmmm

It's like schools who have a "no tolerance" policy on fighting. Even if you were defending yourself against a bully, if you also threw a punch, you're suspended, too.

BTW, neither is guessing someone's password. Technically, that's called social engineering.

The vendor responsible may end up with some penalties, but as long as the Sanders campaign can prove they kept no data they will be given re-access to the master list.

Truth be told, I think more damage is done to the DNC than any other political party in this story. My guess would be Hillary is furious a lapse happened.

We finally agree on something.

The vendor looks incompetent in this story.

As I said above, what novice takes down a firewall without using a secure backup to install patches. At least I'll applaud them for installing patches. Poor patching is the No. 1 vulnerability that real hackers use to exploit an organization's servers.

And I hope you've seen that I rarely subscribe to the outage du jour...on either side.

If I were Hillary, I'd be a lot more pissed at the vendor who was responsible for security! I wonder if this was the same group that worked for Hillary on her home server? Most of those kind of jobs are gotten through political connections and not proven talent alone. Maybe we'll see in the days to come.

Nobody on the Sanders team is being accused of hacking from what I can tell, one person from the Bernie campaign is being accused of viewing data that should have been secured but was left wide open for anyone to access. That is not a hack.

if I leave my front door open and you come in without permission that's criminal trespass

You are alleging that a crime was commited, but it does not appear that any criminal investigation is happening. You better send your evidence to the FBI so they can get on the case.

So, that makes your post a lie.

Running scared, I see.

Total FAIL.

PEACE
LOVE
BERNIE

Right after Bernie wins the DFA poll by 88% to Hill's 10%, and right after he picks up some big endorsements. They're truly getting desperate, and I'm sure it's not the last dirty trick that they'll try!

But I am told Sanders Supporters would NEVER stoop so low as cheating online polls even

Hacking if fine, as long as Bernie does it! Feel the bern, FEEL THE BERN!!!

ahhhh.. Glass houses and all that.

The low-level staffer was given access to the information by an apparently incompetent third-party vendor who made the boneheaded move to take down the firewall to install patches.

What IS of concern, however, is that state-sponsored hackers probably did have access to Hill's private email server. BTW, that's not necessarily her fault, either, which is why the FBI is looking at her provider, currently. What is her fault is deciding to have a private server and not telling anyone in the IT department at State.

"accidently" fired her to for something that was "allegedly" not her fault? Right, glad you brought up the "Hillary's e-mail" GOP talking point too.

A low level staffer (RIGHT) accidentally stumbles across Hillary's campaign info, and Bernie's campaign conveniently fires her.

It's a "zero tolerance" policy.

Sucks when it's not your fault, but it's a common policy when it comes to data security.

I am a security professional that deals with unauthorized electronic intrusion (i.e. "hacking&quot regularly. Nothing about what happened in this story comes close to "hacking." From what is sounds like, no laws were broken.

Kudos to Sanders' staff for erring on the side of integrity and taking strong action to remedy a situation that is a mild impropriety at best.

Punitive.

No one hacked anything.

I work in data security and can tell you that a third-party vendor inadvertently giving unauthorized personnel access to data isn't hacking. It's a third-party vendor inadvertently giving unauthorized personnel access.

The access was reported in 30 minutes, too, which is record time for a security breach. Most organizations are "hacked" for months before they figure out that they have been breached.

Mr Data Security

https://www.fbi.gov/newyork/press-releases/2014/u.k.-computer-hacker-charged-in-manhattan-federal-court-with-hacking-into-federal-reserve-computer-system

This guy has been charged for using SQL injection on a federal system.

Still want to say it's the fault of the IT administrators?

They didn't use a SQL injection.

Apples and oranges.

what happened.

Even if it was a folder marked "CLinton Campaign Secret Data" he should not have opened the folder.

All we know is the following comments from the Sanders campaign

“After discussion with the DNC it became clear that one of our staffers accessed some modeling data from another campaign,” Briggs said. “That behavior is unacceptable and that staffer was immediately fired.”

their companies - especially when you're a low-level employee.

You figure if you can see it and have access to it, you have been given rights to open it.

WASHINGTON — An internal investigation by the C.I.A. has found that its officers penetrated a computer network used by the Senate Intelligence Committee in preparing its damning report on the C.I.A.’s detention and interrogation program.

According to David B. Buckley, the C.I.A. inspector general, three of the agency’s information technology officers and two of its lawyers “improperly accessed or caused access” to a computer network designated for members of the committee’s staff working on the report to sift through millions of documents at a C.I.A. site in Northern Virginia. The names of those involved are unavailable because the full report has not yet been made public.

seems quite a similar issue but it almost set off a constitutional battle

Opening a file is NOT hacking. The staffer, at least from what I've read, opened a file. The staffer didn't use any hacking techniques to access this file. The third-party vendor dropped the firewall, which allowed the staffer to have access to the file, so they opened it.

I don't have to install Poodle or Heartbleed to open a freaking file on my company's server and neither does anyone else.

In fact, the entity at fault here is the third-party vendor for being boneheaded enough to not protect the data while the firewall was down.

knew that the firewall (whatever that means) was down, they should not have poked around.

Which they did.

Which makes it unauthorized access AKA hacking.

At least as the Sanders campaign described it, a staffer accessed material he or she was not supposed to, while access was improperly given by the DNC. There is no hard evidence of ill intent right now.

Since I tend to believe people unless there is evidence to the contrary, I choose to believe that unless other evidence comes to light. I also note that the Clinton campaign has declined to comment on this, which is honorable of them.

Having said that, I have absolutely no doubt that if it was the Clinton campaign that had done this, there would be hyperbolic statements about how Clinton can't be trusted and that this is exactly the kind of thing she would do. (In fact, somewhat ridiculously, I've already seen online comments suggesting that this whole thing is a trap engineered by the Clinton campaign.)

down to install a patch? What do the odds gotta be ?

Bernie, and Bernie alone is the ONLY stand up guy in this campaign. There HAS to be a plausible (BS) explanation for all of this. There just hasta be!

You're choosing not to listen.

and its as entertaining as hell!

This wasn't a hack.

Who reports their own hack?

"Hillary has allot answer for where her e-mails are concerned. She and her campaign are SOOOOOOOOOO untrustworthy its almost criminal! Criminal I tells ya! We would NEVER be caught doing something like that!"

HRC's hands will be clean. Clintons aren't amateurs ya know? It will be interesting to see if HRC does win what the payoff will be for little Debbie. What cabinet position do you think she'd settle for? Or maybe she'd go big- like the VP slot?

think maybe Bernie can get his staff to hack ERRRRRRRRRRRRRR... accidently have a staffer stumble onto that information for you?

and time is what Bernie has very little of left. I guess that "accidental access of info" makes sense.

amIright?

Who reports their own hack (unless they're white hat hacker hired by the company to do so)?

This was opened, discovered and reported in THIRTY MINUTES.

Here's a stat for you:

and downtime- if scheduled, was done when activity was at its lowest, generally after midnight. If there was a system or app crash and it required a fix on the fly, no one would be able to determine ahead of time when that was going to occur (unless you're psychic) because no one can predict when a crash will occur.

It's just odd to me that someone would be at their terminal at precisely the time the fire wall is down and the patch was being installed- attempting to access the database. In fact where I worked, users would be required to log offand the sysadmin would take control of the server and the files be made unavailable during maintenance lest lost work or file corruption occur.

Or am I wrong?

I can't imagine how this could have happened, even in an emergency.

There was no "firewall" taken down. They were patching the software. Someone apparently uses the term "firewall" to designate some software or schema boundary. Though with this kind of confidential data there should be no sharing of schemas in the first place.

The way it is worded reminds me of someone technical making a big booboo and then using terminology like "firewall" to direct away attention from the something that should not have been able to occur.

(probably ridicule them even) for their lack of understanding of basic processes and terminology.

for improperly accessing the information if he did nothing wrong?

If it was a file why was it not cleaned before it was placed somewhere another client could access it?

If it was web based access then there was a severe goof at the least and a breaking of numerous security standards.

It comes off to me like it was a HUGE oops by a contractor. That "firewall" should not be needed in the first place if they respected the integrity of their customer's databases. And even so there are so many ways to block off access until you have TESTED!!!!! and made sure that "firewall" is not open that this reads incompetency all over.

installing a patch and allowing user access while said patch is being installed would risk corruption of the entire database, don't you think?

a customer's access to me.

But then again, our wonderful media has so many scruples they would never misreport, misrepresent, or mislead the facts in order to get more web hits right?

I ask that the Sanders campaign be given access back immediately while this plays out. I wouldn't want them to be deprived of access to voter databases at this critical time-- it's simply not fair.

the Saturday before Christmas

There is no allegation that it was intentional. Your definition of hacking is so wide as to be meaningless. By your definition the feds should be knocking my door in as I routinely violate the DMCA to make back ups of DVDs. And I regularly ignore EULA as well like the fiend that I am.

You'd probably be horrified to know that I run Mac OSX on a Dell Latitude and Ubuntu on a Chromebook.