2016 Postmortem
No surprise: Tech sites aren't buying DNC hysteria on breech
I invite you to read and grok the overall reasoning of the commentary:
http://politics.slashdot.org/story/15/12/18/1536245/bernie-sanders-campaign-blocked-from-dnc-voter-info-after-improper-access#comments
Here is how the incident hit the top stories at networkworld.com:
http://www.networkworld.com/article/3017052/security/bernie-sanders-campaign-suspended-dnc-staffer-fired-ngp-van.html
Technologists older than, say, 35 yrs know this pattern well:
1. Person reports vulnerability to company
2. Company ignores report, sweeping it under the rug
3. Person exploits vulnerability, using proof to embarrass company into action
4. Company calls police on person, accuses them of theft
Number 4 very rarely happens anymore, for good reason: IT firms have an unfortunate record of ignoring user-reported vulnerabilities, and the market will eventually turn against companies who try to prosecute or otherwise smear people who hack to inform.
And no, the company ignoring the problem is not strictly entitled to advance notice of the breech/exploit. What counts is that the hacker has a record of reporting vulnerabilities, and did not use the data they gathered.
Like it or not, Clinton fans, that is the current established protocol in IT.
What's clear is that the DNC wasted not a minute in crying "Wolf!" to the Washington Post. They saw the incident as an instant throw-them-under-the-bus opportunity, and are showing (or feigning) an ignorance of the way technology works in this day and age. Both the DNC and the IT vendor are run by veterans of Clinton's mudslinging 2008 campaign; they are not inclined to heed *anything* a Sanders staffer says or does unless they can use it against the Sanders campaign.
What's not so clear but bears pointing out --- Having your own campaign's data sitting exposed is absolutely intolerable. Simply exploiting the situation to gain data from the opposing campaign STILL leaves your data exposed! IOW, what the DNC is charging would be the definition of insanity as it makes zero sense.
morningfog
(18,115 posts)
MissDeeds
(7,499 posts)
Divernan
(15,480 posts)
Hiraeth
(4,805 posts)
Plucketeer
(12,882 posts)Thanks.
George II
(67,782 posts)
morningfog
(18,115 posts)Clinton and DWS are as bad as Rove. Birds of a feather.
BlueMTexpat
(15,387 posts)and complete B***S*** and not worthy of any person who supports Democratic Underground.
Shame on you!
morningfog
(18,115 posts)
George II
(67,782 posts)
CSStrowbridge
(267 posts)They took data. This is a provable fact.
You can argue that the security was flawed, but you can't pretend Clinton is the bad guy here.
Not unless you've completely left the realm of reality.
roguevalley
(40,656 posts)
TheBlackAdder
(28,355 posts).
If you are handling accounts for internal clients, and perform services for partner-firms--
SECURITY BREACHES are NOT TOLERATED--AT ALL!
The fact that there have been multiple exposures of other clients' information should warrant an immediate termination of the contract. It is quite apparent that the vendor and the DNC do not take the issue of data security seriously!
If you logged onto your bank account or credit card system and saw someone else's account information:
WOULD YOU KEEP THAT ACCOUNT OR CANCEL IT, KNOWING SOMEONE ELSE MIGHT BE SEEING YOUR INFORMATION?
.
SusanCalvin
(6,592 posts)
MyNameGoesHere
(7,638 posts)who would be taking over? I think that isn't a true representation of what would happen. It would take at least a day or two to get a replacement and longer to do a turnover, for which you would still need that terminated contractor.
Nothing like a firing after a breach to instill confidence in the shareholders. I am glad my company has a little more sense to calm down and think it through.
TheBlackAdder
(28,355 posts).
It's not like this had just popped up the other day, this was over 6-7 months in process.
There should have been contingencies in place, and plans for a migratory path staged.
===
What happens if they were housed at or near WTC-like event? What would you do for business continuity?
The fact that the DNC is sticking with this provider, when their IT architectural plans and system's designs seem woefully malconstructed, is a wonderment of possible cronyism.
===
Oh, and no, it would take a few months to transition properly. That is all an outsourcer needs to acquire a data center. Connect to the network, or get a copy of system tapes, bring up a shadow system at the outsourcer's site and study the layout.
The fact that a firewall is to blame, shows there was virtually no security, no session-state account tokens, no userid checking on the back-end side, nothing locking down the database, etc. This is a hacker's delight, not only from the outside, but from a mole.
.
MyNameGoesHere
(7,638 posts)I am going to wait on forensics reports to be released, if they are.
artislife
(9,497 posts)It just may. From personal servers, to DNC data banks to social media, lets face it, h is not doing too well.
Maybe Luddites will always love her?
roguevalley
(40,656 posts)keep the sarcasm thingo handy.
RKP5637
(67,112 posts)
morningfog
(18,115 posts)Whet she can really mess shit up.
Metric System
(6,048 posts)
LiberalArkie
(15,765 posts)proof, they say you stole it. Look at the log, the guy labeled everything as _bernie. He left the audit trail all the way through it.
cprise
(8,445 posts)...there was no attempt otherwise to conceal.
LiberalArkie
(15,765 posts)by Chris Johnson (580)
NGP-VAN, the company that stores this data, which is run by an old Clinton hand who worked for them in 1992, the company paid $34,000 by Ready For Hillary, was repeatedly dropping their firewall between the two major Dem campaigns, Clinton and Sanders.
A guy who's now fired from the Sanders team observed this. They complained once and were given assurances by the company that it was a mistake and wouldn't happen again. Then it happened again. The guy decided to gauge how deeply the Clinton campaign was able to read into the Sanders campaign, by experimenting to see how much of the Clinton data he could get. That's a bad call but by information security standards it's not unthinkable: it'd be called a white hat intrusion, seeing how much of the firewall was down by probing the other side and assuming your own data was revealed exactly the same way. It does matter, but you still have to fire the guy.
One thing we can be sure of is, anything open to stealing on the Clinton side was just as open on the Sanders side, literally. It's the same system and the same firewall, and if the firewall keeps mysteriously going down for no good reason you have to wonder what's up and more relevantly what's being made available to those on the other side of the firewall, which might explain why the firewall's going down like that.
The Sanders people did NOT throw a fit the first time this happened. But this time, the Sanders guy got caught crossing the nonexistent firewall. We have no information at all on whether anybody from the Clinton side was doing the same thing. During that time there WAS NO firewall and the guy wasn't hacking, he was browsing, as anybody on either side could have done during those windows.
I think that's accurate so far. The behavior of the firewall is important, whether or not it's suspicious as a planned exploit of the Sanders data run by Clinton people who are at the DNC and at NGP-VAN.
In response to the Sanders guy browsing over and seeing data (how do they know? Because HE TOLD THEM. The Sanders team were the ones reporting this, that's part of the story), the DNC suspended access by the Sanders campaign to THEIR OWN DATA at a crucial time. In order to get access back, at least as of this morning, the requirement is for the Sanders campaign to prove it has destroyed all data that it didn't necessarily even download (remember, Sanders guy claims he was exploring the Clinton system because it would mirror the vulnerability of the Sanders system, and he's not IN the Clinton system to go and browse the Sanders side to see how much is revealed, but he was IN the Sanders side and could look at the Clinton side and reasonably conclude that his own side was equally compromised)
And social media is blowing the hell up, not unreasonably, because it's a goddamn hatchet job combined with a kneecapping to yank access by the Bernie campaign to its OWN DATA because a guy from the Bernie campaign passively browsed through a firewall he didn't himself disable, a firewall run by a company controlled by Clinton partisans which had been going down already for reasons unknown.
cprise
(8,445 posts)If they tried to repeat the DNC bullcrap to their tech peers, they know they'd get their asses handed to them. Slashdot has a robust moderation system.
If the DNC presses on with this, they will face an ever-widening credibility gap as non-techies make more and more references to the tech press.
George II
(67,782 posts)......and several other very useful data sets saved it.
One doesn't "passively browse" selected data, and one doesn't save "passively browsed" data.
Dustlawyer
(10,502 posts)got access to and downloaded, or had the DNC and/or their Vendor, send them the Sanders campaign's information? I know that forensic IT can recover deleted info, but not if it was overwritten many times. I also know that it can be time consuming and expensive to do this. I don't know much about audit trails and the like. Can someone answer this for me?
I find it transparent that neither the DNC nor the Clinton campaign criticized the Vendor. The young guy that ordered the download had to be very frustrated since they had already complained of the dropped firewall and been assured by both the DNC and the Vendor it wouldn't happen again.
I am also worried when I see Rachel Maddow run a "Special Report" first on a serious situation that has been around at least since the mayor of Flint declared a state of emergency a week or two ago. She then spent a relatively small amount of time on this story before going to Trump and the Republicans. She did not even mention that this was at least the second time this has happened, and that Bernie's team had brought it to their attention and was given the assurances it wouldn't happen again. This is pretty key to the story!
morningfog
(18,115 posts)
notadmblnd
(23,720 posts)
SusanCalvin
(6,592 posts)as the firewall, at the time, was NOT THERE.
arcane1
(38,613 posts)
SusanCalvin
(6,592 posts)
cprise
(8,445 posts)data entered by the Clinton campaign. Otherwise, the queries might come back looking like nothing was amiss.
The two campaigns essentially share the same database. It's the specific tags that each campaign puts on the voter data that is critical; like the campaigns themselves, the data is focused on voters in the early states.
IOW: When hacking a bank to show a gaping (but ignored) hole, you don't restrict yourself to poor people.
SusanCalvin
(6,592 posts)Explanations like this are why I read DU.
Divernan
(15,480 posts)
Champion Jack
(5,378 posts)
JDPriestly
(57,936 posts)Could be a lot of reasons. Or could have been unintentional and for no reason.
Do we know whether Hillary saw any of Bernie's information?
joshcryer
(62,297 posts)That's all I am going to say.
cprise
(8,445 posts)or being so wide that they fetch the whole database.
What he did, and leaving the queries with 'bernie' tags, makes complete sense from the standpoint of documenting the problem.
arcane1
(38,613 posts)No hiding, no secrecy. They did exactly what they claimed to have done: proved that the data was vulnerable and exposed.
joshcryer
(62,297 posts)It could just as well have been the system appending it.
arcane1
(38,613 posts)System-generated usernames don't usually look like that.
joshcryer
(62,297 posts)
arcane1
(38,613 posts)
RandySF
(61,442 posts)
LiberalArkie
(15,765 posts)
DVRacer
(711 posts)
cprise
(8,445 posts)2. The DNC beat him to the press.
SusanCalvin
(6,592 posts)
99th_Monkey
(19,326 posts)
JaneyVee
(19,877 posts)
cprise
(8,445 posts)
99Forever
(14,524 posts)Dirty campaigns use dirty tricks. Lots of 'em.
It ain't just by chance or for no good reason that the majority of Americans don't trust Hillary Clinton and those that do her dirty work even less.
winter is coming
(11,785 posts)
mindwalker_i
(4,407 posts)Here's the main point: Clinton/DWS are complaining because a Sanders dude accessed data when Clinton/DWS compromised their own fucking system! Clinton/DWS have no standing for outrage.
arcane1
(38,613 posts)THAT is something I am most definitely curious about. Especially since it was basically Clinton's people dropping the firewall in the first place.
Divernan
(15,480 posts)
navarth
(5,927 posts)I'm glad I wasn't swallowing my coffee when I read that
Divernan
(15,480 posts)A term coined by Betsey Wright, Clinton's gubernatorial campaign manager in Arkansas.
https://en.wikipedia.org/wiki/Betsey_Wright
James Carville and Paul Begala worked on the squad during the Washington years. There's a lot of documentation on the web about this, just waiting to be dragged out again in the general election campaign if HRC is the nominee.
navarth
(5,927 posts)...I took it as referring to a certain group of posters on DU, since it was so very descriptive.
Thanks for the info...and the laugh.
Response to LiberalArkie (Reply #15)
Post removed
arcane1
(38,613 posts)Their actions don't make zero sense if they were making a conscious effort to discredit their biggest opponent.
WillyT
(72,631 posts)
TxDemChem
(1,918 posts)This is ridiculous. The DNC has royally pissed off a lot of people.
Enthusiast
(50,983 posts)
Dont call me Shirley
(10,998 posts)
BeanMusical
(4,389 posts)
jalan48
(13,984 posts)And you can bet once in office it will roll the same way. Goldman Sachs anyone?
Enthusiast
(50,983 posts)
Response to cprise (Original post)
billhicks76 This message was self-deleted by its author.
pnwmom
(109,061 posts)be satisfied or very enthusiastic to see her as the Democratic nominee.
mythology
(9,527 posts)Expecting a fact based response is unlikely to be fruitful.
billhicks76
(5,082 posts)This was known since Oct. Of course she knew. She could turn out to be secretly working for Bush or an Alien and you would still support her. This time her campaign messed up bad. Watch.
billhicks76
(5,082 posts)Liberal pundits are lining up saying they will boycott her and vote third party. She's tearing apart the party. At this point it's selfish to support her. And by the way Clinton could access all Bernie's voting data too. He was the one who alerted to this in October. I know the Wall St War Machine wants Hillary but there are waaaaay more of us than them. Hillary will implode....again. There's so little to attack Bernie on and no racist innuendo like she did with Obama.
pnwmom
(109,061 posts)
billhicks76
(5,082 posts)You do not. No more nightmares please.
billhicks76
(5,082 posts)They knew a lawsuit would bring the facts to the light of day. They are that both campaigns could read each other's data. Bernie reported this in October. We all know Hillary was accessing because her family friend and CEO of the data company wouldn't fix it. They didn't need to download to view and could've done a lot by hand. Smarter maybe. But way dirtier.
SusanCalvin
(6,592 posts)but does that mean the lawsuit is off? I hope not. I want discovery. And I'd happily donate extra specifically to get that.
Response to cprise (Original post)
Post removed
cprise
(8,445 posts)Fire-able and illegal are two very different things in this case.
And no... It's not illegal if you already reported the hole and you left the evidence intact and you highlighted it and you didn't use the data to your own advantage. Sorry, that is a bucket of fail that the IT industry will never line up for (though DWS is lining YOU up for it...) and the legal precedents agree.
This accusation could have worked 20 years ago. Too bad it's 2015 and MSM do not define what is acceptable practice in technology.
SusanCalvin
(6,592 posts)Oh, I hope not. I'm afraid they will try. And hearing that Maddow hardly covered it really worries me.
Dustlawyer
(10,502 posts)I hope Bernie roasts their ass tomorrow night!
SusanCalvin
(6,592 posts)
chervilant
(8,267 posts)I was up in the wee hours last night, when this crap first hit the fan. The timing, the allegations, the "immediacy" of the accusations of data theft--all stunk like a dead skunk.
So, DWS, you've stepped in it BIG time. We, the vast Hoi Polloi, are not buying this Rovian ruse.
aspirant
(3,533 posts)
Erich Bloodaxe BSN
(14,733 posts)or are being robbed.
passiveporcupine
(8,175 posts)If Clinton is such a lock, as her supporters keep saying...why go to all this trouble to discredit and knee cap Sanders' campaign efforts?
What are they afraid of if she's already got all the votes?
murielm99
(30,872 posts)by snooping.
Electric Monk
(13,869 posts)
murielm99
(30,872 posts)We know that Bernie's campaign did.
BTW, if you can prove Clinton's campaign used it, which they did not, and Bernie's did, how is it wrong for Clinton and not Bernie?
"They did it first!" is not an argument, except for children on the playground. And Clinton's campaign did not do it. Bernie's campaign is at fault.
concreteblue
(626 posts)BECAUSE THEY REPORTED IT!
The real tell is did the Clinton campaign use the disappearing firewall to THEIR advantage? How many times? What data did they steal?
IF the lawsuit continues we will find these things out. Which explains perfectly why DWS caved so quickly.
I personally will contribute to fund the lawsuit's continuation, and will urge the Sanders campaign via telephone and email to do so.
Hepburn
(21,054 posts)with the big endorsements Bernie has gotten in the last few days, their fear is showing.
Enthusiast
(50,983 posts)
ViseGrip
(3,133 posts)
BlueMTexpat
(15,387 posts)b. A gap or rift, especially in a solid structure such as a dike or fortification.
2. A violation or infraction, as of a contract, law, legal obligation, or promise.
3. A breaking up or disruption of friendly relations; an estrangement.
4. A leap of a whale from the water.
5. The breaking of waves or surf.
Breech (usually used in the term "breech birth"
Just to be clear on terms ... homonyms are a bitch.
Enthusiast
(50,983 posts)
ccinamon
(1,696 posts)lots of real-time issues....I learned pretty quick that whether or not it is your program that is at fault, you have to get as much evidence as possible proving 1) what happened, why, and what the permanent fix is; 2) it is not your program(s); and/or 3) what program/area is the problem.
So 24+ searches done is totally reasonable to DEBUG the problem and give as much info as possible to show the vendor how big of a hole there is.
BTW, great post, matches my experience, and links to info....bookmarked so I can refute posts by non-techies who like to distort and lie and have no clue as to how technology works.
mnhtnbb
(31,503 posts)
RoccoR5955
(12,471 posts)They would have found a way to purge the log files. These database web apps are not rocket surgery or brain science, many people can hack them.
The log files are intact, thus they WANTED the vulnerability to be found.
rladdi
(581 posts)support Clinton. She MUST RESIGN.
DhhD
(4,695 posts)in getting this corrected in October?
DanTex
(20,709 posts)Yes, obviously his campaign was stealing sensitive data from Clinton just to prove to the DNC that it was possible. Couldn't possibly have anything to do with, umm, the actual campaign they are running.
Babel_17
(5,400 posts)lol, that was semi-obligatory.
l.o.o.s.e.e-2
(53 posts)Thanks for the link.
mhatrw
(10,786 posts)
GoneOffShore
(17,356 posts)
Uncle Joe
(58,907 posts)Thanks for the thread, cprise.
Babel_17
(5,400 posts)And this is now news, when it didn't have to be.
grendelsd
(23 posts)(Source, I am a chief architect / vp of engineering for internet companies for the last 17 years).
I am very confused by the explanations coming from the DNC and vendor. There is no such thing as a 'firewall' that works this way. This is not how databases and security systems work.
A firewall prevents improper connections to a server / network. For example, most web sites are behind firewalls that block all incoming traffic except on ports 80 and 443, which are the ports that web browsers hit (HTTP and HTTPS respectively).
Firewalls can also be configured to block people from behind the firewall from getting to certain sites ("The Great Firewall of China" is just one example).
Firewalls in general do not filter or block content that is sent over one of the open points. Since they are probably using the secure protocol (HTTPS), that would be extraordinarily expensive.
More important, the content that was improperly served up was valid content that was sent to the wrong user. Firewalls have no concept of the person logging on. Identity would be handled by the web applications.
Since the web application knows the identity of the person accessing the site, it is responsible for serving up the content. This is usually done through some sort of access control list (ACL). This is very old and well known technology which even predates the internet.
Nothing in their explanation of what went wrong makes any sense at any level. The idea that you could 'turn off' a firewall and give someone access to content is, well basically, insane. In nerd speak, 'it does not parse'.
To get the effect they had, someone would have to either have screwed up the initial configuration of the ACLs or someone purposefully reconfigured them. The former is incompetence, the latter, well, why.
There are many other technical details and safeguards that would have 'come out of the box' meaning are basically free to implement.
I will be happy to answer any questions.
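The point made in the post above (a firewall has no notion of the logged-in user, so separation between campaigns sharing one database has to be enforced by the application's access control) as an added example that is not part of the original post and not the vendor's code. The schema, session tokens, campaign names and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data: one shared voter file, with each campaign's
# private scores stored as rows tagged by owning campaign (hypothetical schema).
SCHEMA = """
CREATE TABLE voters (voter_id INTEGER PRIMARY KEY, name TEXT, state TEXT);
CREATE TABLE scores (voter_id INTEGER, campaign TEXT, support INTEGER);
CREATE TABLE audit  (username TEXT, campaign TEXT, event TEXT, allowed INTEGER);
INSERT INTO voters VALUES (1,'A. Voter','IA'),(2,'B. Voter','IA'),(3,'C. Voter','NH');
INSERT INTO scores VALUES (1,'campaign_a',80),(2,'campaign_a',35),
                          (1,'campaign_b',20),(3,'campaign_b',90);
"""

# Server-side session store: identity comes from here, never from the request.
SESSIONS = {"tok-a1": ("alice", "campaign_a"), "tok-b1": ("bob", "campaign_b")}


class AccessDenied(Exception):
    pass


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def scores_unscoped(conn, state):
    """Failure mode: the query has no owner filter, so any authenticated
    user receives every campaign's rows. No firewall setting changes this."""
    return conn.execute(
        "SELECT s.campaign, v.name, s.support FROM scores s "
        "JOIN voters v USING (voter_id) WHERE v.state = ? ORDER BY 1, 2",
        (state,)).fetchall()


def scores_scoped(conn, token, state, requested_campaign=None):
    """Application-layer ACL: rows are filtered by the session's campaign."""
    if token not in SESSIONS:
        raise AccessDenied("no valid session")
    user, campaign = SESSIONS[token]
    target = requested_campaign or campaign
    allowed = target == campaign
    # Record every attempt, including denied ones, for later forensics.
    conn.execute("INSERT INTO audit VALUES (?,?,?,?)",
                 (user, target, f"scores:{state}", int(allowed)))
    if not allowed:
        raise AccessDenied(f"{user} may not read {target} data")
    return conn.execute(
        "SELECT s.campaign, v.name, s.support FROM scores s "
        "JOIN voters v USING (voter_id) "
        "WHERE v.state = ? AND s.campaign = ? ORDER BY 2",
        (state, campaign)).fetchall()


def denied_attempts(conn):
    """Audit-trail view: who tried to read another campaign's data."""
    return conn.execute(
        "SELECT username, campaign, event FROM audit WHERE allowed = 0"
    ).fetchall()
```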