Coleman Camp Accuses Political Enemies Of Hacking Data, Frightening Donors
Norm Coleman just delivered a statement outside the Minnesota courtroom, addressing the breach of security on his online donors' data -- and putting the blame squarely on political opponents, who are allegedly attempting to scare Coleman's supporters out of donating.
"It is obviously an attack on this campaign," said Coleman. "But beyond that, just in terms of the campaign we're involved in a very expensive legal proceeding. Online fundraising is a very critical element of that, and clearly the theft of this information, the publication of this information undermines that. But this is more about my campaign or the ability to fund a legal effort or campaign. We do so much online. Politics today relies on online fundraising, and unfortunately we find ourselves in a situation where the level of trust and confidentially in that information is severely undermined."
Coleman attorney Fritz Knaak took questions from reporters, and claimed that the campaign became aware of a possible data breach in late January, which was investigated by the Secret Service and the state Bureau of Criminal Apprehension, whose analysis found that no downloads had taken place -- which leads him to believe that further hacking has taken place over time.
"We thought that we had fended off an effort at that point," said Knaak. "Clearly more efforts have occurred. Still we have every reason to believe that what was attempted in January was not successful."
The accusation made by Wikileaks.org is that the data wasn't actually hacked, but that the campaign for a few hours in January stored the entire unencrypted database of their site in a publicly-accessible location. Noah Kunin, a reporter at The Uptake, also just announced that he personally knows people who had downloaded it and told him about it at that time, and who posted the news online.
A reporter asked Knaak if he thought this was a hack performed by partisan opponents. "Who else?" he asked rhetorically. "I honestly think that if this were the so-called Russian Mafia or someone else, you wouldn't be seeing it on a Web site."
One other thing that has to be noted, as well: Vendors are not supposed to store the three-digit security code of a credit card on their servers -- it's meant to be used solely for a vendor to clear a card with the credit company, and then deleted. But in fact, the downloaders were able to get those, too.
Professor David Schultz, who teaches election law at Hamline University, tells TPM via e-mail that the Coleman campaign could be in serious legal trouble, assuming this was the product of their own negligence:
His campaign potentially violated state law by not promptly notifying card holders of the disclosure of their card info. Assume the campaign did suffer a breach in security, his campaign faces fines under state law and it is possible a card holder could sue the campaign for any damages. It would be hard for the donors to sue Coleman personally and prevail.
Coleman's spokesman has not responded to an e-mailed request for comment on Schultz's analysis.
(Coleman presser c/o The Uptake.)
Josh
Elana
Matt
Eric
C'mon, admit it. Is there anything really, truly sadder in this country in the year 2009, than a whiny white guy who always blames everyone else when he can't get his own act together?
Multiply that by many thousand-fold, and you have today's Republican Party.
March 11, 2009 6:43 PM | Reply | Permalink
I smell another Coleman style frivolous lawsuit comin on! Or is this more like the time Karl Rove called all the reporters in town telling them he "found" a bug in his office when his candidate was about to lose a debate? Or is Norm Coleman just dumber than Rush Limbaugh's taint?
March 11, 2009 6:48 PM | Reply | Permalink
It does have the stench of a turd blossom special...
March 11, 2009 6:54 PM | Reply | Permalink
I was thinking of the exact same example! But it doesn't make sense that Coleman would have personal knowledge or involvement in this, since it sounds like the original storage, even before publication, may have been an actionable breach, with nothing for him to gain. However, when considering Rovian politics, this could just as easily be someone inside Coleman's campaign or insider Republican operative who sees Coleman as a fading star and wants to help out the next contender against Franken, than a current Coleman opponent.
Tactically, this does not point to anyone on the Dem side. If the Dems knew of this they would have addressed it to the proper authorities AND made it known that the authorities had been contacted.
March 11, 2009 6:58 PM | Reply | Permalink
The more I contemplate it, the more I realize that Rush Limbaugh's taint grew feet and legs, taught itself to walk, and changed its name to Norm Coleman.
March 11, 2009 7:10 PM | Reply | Permalink
Infinity Snake,
Being an IT guy, I hope they're dumb enough to try to turn this into a hacking lawsuit, especially if (since?) somebody downloaded the data.
Downloaded data carries/contains more than just the financials. It carries the linking path information that led to it being downloadable. So if somebody gets sued for "hacking" they just need to turn over the machine that downloaded it (sorry if they have porn or something like that on it, because that would be visible too...) for some forensic examination.
If, as reported, it was a Coleman camp screw up, that would become immediately provable (was it unencrypted, require no passwords/pins/UIDs, etc.), and that would plop him in a nasty legal stock pot for breach of confidentiality and a few other things for which he could have his pants sued straight off his lily-white butt cheeks.
Might just end all this foot-dragging crap. At least, one can always hope.
March 11, 2009 11:59 PM | Reply | Permalink
This is a lot of fun. The best part is that they keep swearing that their "analysis" shows that no one ever downloaded the data...when the Wikileaks email contained the data in a spreadsheet, along with a full report of how it was obtained through a vulnerability that Coleman has admitted existed.
Coleman's position: the vulnerability was there, but no one (including Wikileaks) ever used it...so obviously Wikileaks must have gotten the spreadsheet through some other nefarious hacking activity, rather than the trivially simple method they claim and Coleman admits would have worked.
March 11, 2009 6:56 PM | Reply | Permalink
This was not a "breach" in the security sense of the word. They left the file world readable on the web site, and it's been there for weeks, and they knew about it back in January:
http://minnesotaindependent.com/24817/crashgate-reveals-unprotected-database-on-colemans-site
This is Coleman trying to provide another distraction.
March 11, 2009 7:55 PM | Reply | Permalink
Considering the amount of money this had to represent, and putting that many people at risk of identity theft, means he has to claim foul play from malicious outside sources as a defensive posture. If it's negligence inside his organization (woe betide the IT guy who screwed that particular pooch), the only lawsuits likely to result are from all his donors.
What a sad thing (so why am I LOL???)
March 12, 2009 12:17 AM | Reply | Permalink
Coleman has probably been illegally using the credit cards to keep funding his lawyers - he's been paying them in lap tops, ipods and internet porno sites.
March 11, 2009 6:59 PM | Reply | Permalink
And if the credit cards haven't been used, it means they were not hacked. If hackers have all of that information, you can be damn sure it's going to be sold and used.
Somebody in Coleman's camp leaked this to wikileaks yesterday in order to make political hay with it today. I mean his first response is "Franken did it!".
March 11, 2009 7:02 PM | Reply | Permalink
Even if it HAS been hacked, the campaign was criminally negligent to be storing those three-digit numbers permanently. That's strictly a no-no — in fact, that's the whole reason they exist in the first place.
March 11, 2009 7:40 PM | Reply | Permalink
A couple of weeks ago in the Coleman contest of the MN recount, the lead atty. Friedberg objected strenuously to the introduction of a spreadsheet that was data derived from 2 MN voter databases. It became clear that the problem was that Friedberg didn't understand how databases work, or maybe the simpler concept of what a database is.
If his lack of awareness is any measure of the sophistication the Coleman folks have about technology, this whole incident doesn't surprise me at all. Databases like the one on his website get hacked all the time if there are insufficient protections. They get hacked by those who hack for the joy of it, i.e. to annoy the heck out of the owners. They get hacked by data miners and identity theft experts. Those who maintain online databases must expect to be hacked and take serious measures to protect their data. They can't reasonably adopt an attitude of surprise and hurt afterwards and start pointing fingers.
Is hacking a new issue? Hardly. Remember the movie War Games when Matthew Broderick was a sweet-faced teenager? Yes, a crime has occured, and perhaps financial data has been compromised. Whose fault is this? Hold up your hand, Norm!
March 11, 2009 6:59 PM | Reply | Permalink
I was thinking the same thing. These people are technologically clueless. In fact, this wasn't even a "hack". They left this stuff in publicly available areas. It's like leaving your personal correspondence on the front sidewalk and complaining that people looked at it.
March 11, 2009 9:26 PM | Reply | Permalink
Hmmm... this sounds so familiar... I think I remember something happening back in 06... neocon senator from Connecticut... craptackular web operation... hack aide *cough, Dangerstein, cough* accusing enemies of criminal behavior when it was obvious that the campaign's own incompetence was to blame...
Maybe it's just my imagination.
March 11, 2009 7:00 PM | Reply | Permalink
Just wait until the Mighty Right-wing Wurlitzer gets hold of this. Hannity, Limbaugh, O'Reilly will outdo each other trying to pin this on the Dems.
March 11, 2009 7:05 PM | Reply | Permalink
I never thought I'd be writing this, but I think I have run out of things to say about the ongoing Quimby "Charlie Foxtrot". This latest leaves me wondering just who is running things, and how dumb are they?
Norman, you're obviously too careless with your information to belong in the Senate. Maybe a nice retail job somewhere?
March 11, 2009 7:12 PM | Reply | Permalink
I don't know who's running things, but how dumb are they? VERY DUMB.
This is what happens with a typical Republican approach to business and government - instead of putting out bids and hiring competent people, we hire our good ol' drinkin' buddy Joe who's done a website or two, has a shell company in Antigua, and who's sure to kick a few bucks back our way when the time comes.
March 11, 2009 7:23 PM | Reply | Permalink
It's classic Coleman. He gets caught doing something bad and immediately turns himself into the victim.
When it was found out that his sugar daddy funneled money to him via his wife and the company she worked for, it was "How dare you attack my wife! My family is off limits! You can attack me but don't attack my wife!" Well, Norm, if you don't want her in the line of fire, don't use her as a shield.
March 11, 2009 7:24 PM | Reply | Permalink
There is some (at least plausible) word on the street here that Norman's done a bit of that himself. And not in the press.
All I know is I've heard it from multiple sources that don't know each other, and the claims pretty well line up.
This in addition to his well-known skirt-chasing (Where are the "investigative reporters" on that?) and other such creepy-to-repulsive behavior.
Norman's a bad, bad person, in so many ways.
March 11, 2009 7:48 PM | Reply | Permalink
I've heard this rumor too... too consistent to be dismissed out of hand.
March 11, 2009 11:17 PM | Reply | Permalink
Actually, he didn't so much use her as a shield, but allowed her to accept money eventually intended for him. But she took the money, as well as the legal risk. Gosh, there's some analogy in this of disreputable guys who somehow use women to obtain money...
March 11, 2009 10:45 PM | Reply | Permalink
Shades of Joe Lieberman! Didn't he claim that his site was "hacked" because it wasn't set up to handle the traffic? That should tell you as much about Lieberman as it does about Coleman.
March 11, 2009 7:33 PM | Reply | Permalink
Coleman has the moral rectitude of a flea (apologies to fleas). He could have alerted his donors (by private email) back in JAN when the hack was first suspected; or he could have issued a public press release alerting EVERYONE of the campaign's concerns. BUT: (per usual) he was more concerned with CYA (his own) than with the thousands of HIS loyal donors. Coleman has a new moniker (COWARD). Once again, instead of alerting his donors PRIVATELY (by email) since he now NEEDS a DISTRACTION, Coleman comes public BLAMING his opposition. (Like Franken needs Coleman donors to make a buck). It's worth noting that Coleman donors (*those STILL supporting the coward after THIS latest fiasco) DESERVE whatever happens to their financial data. Imagine if people all over MINNESOTA began ORDERING PIZZAS, CABS, SNOW PLOWING, etc ...
You'd HAVE to be a conservative Republican NOT to find all this amusing. Maybe Rush will make-up for any/all losses - out of the generosity of his OVERLY-giant (HEART).
March 11, 2009 7:57 PM | Reply | Permalink
Karen, I agree with the spirit of everything you said, EXCEPT, and please everyone, let's get this right...
THERE WAS NO "HACK"!!!
If you leave your billfold in the middle of the road and someone takes it, you don't get to call it "Breaking and Entering", even if they steal your money, max out your credit cards, and sell the empty wallet on eBay.
By the same reasoning, a person who downloads a file that was left in a public place may do something unscrupulous or even illegal with the contents of the file, but that does not mean the downloader "hacked the site".
If that were the case I would be hacking TPM every time I visit here, because I would be reading files (articles, images, PDF documents, comments) that TPM placed in a public location.
March 11, 2009 11:07 PM | Reply | Permalink
Karen, I agree with the spirit of everything you said, EXCEPT, and please everyone, let's get this right...
THERE WAS NO "HACK"!!!
If you leave your billfold in the middle of the road and someone takes it, you don't get to call it "Breaking and Entering", even if they steal your money, max out your credit cards, and sell the empty wallet on eBay.
By the same reasoning, a person who downloads a file that was left in a public place may do something unscrupulous or even illegal with the contents of the file, but that does not mean the downloader "hacked the site".
If that were the case I would be hacking TPM every time I visit here, because I would be reading files (articles, images, PDF documents, comments) that TPM placed in a public location.
March 11, 2009 11:09 PM | Reply | Permalink
Given that Norman is Norman's worst enemy, one might be forgiven the expectation that Norman should have seen this coming and taken appropriate steps to protect Norman's interests.
Seriously: Norman expects us to believe that Norman didn't know Norman's enemy was gunning for Norman?
Hell, everyone watching this farce Norman is perpetrating on the electoral process can see the petard that Norman is
constructing for Norman.
March 11, 2009 8:21 PM | Reply | Permalink
Coleman could say 'someone told him' Franken has been carousing around Minneapolis having tea parties with terrorists who hate America using bogus credit cards...but McCain tried something similar....
March 11, 2009 8:50 PM | Reply | Permalink
It's like Lieberman vs. Lamont in the '06 primary. Leak hazy technical bogeyman story to press without technical expertise and watch them do an 'even-handed' report on a baseless smear.
March 11, 2009 9:24 PM | Reply | Permalink
I have been responsible for websites like this and to me it sounds like Coleman is guilty on three fronts:
A) Not protecting private data adequately.
B) Storing security codes in the database.
C) Not notifying credit card holders of the breach.
A) About protecting data adequately.
I was once responsible for a website where we proposed putting a database with customer info (just adresses, no credit card info, let alone security codes) behind a firewall because we where in a hurry. Company security was livid. They claimed that if the firewall was breached it would lead to very expensive lawsuits and damage to the image of the company.
Right now a professional website developer uses three tiers:
1) The website itself is on the Internet.
2) The form where the customer enters his/her data is behind a firewall (in the so called demilitarized zone) and can only be accessed through the specific link on the website and not directly from another computer on the Internet.
3) The database is behind a second firewall that can only be accessed from the form and only by very specific requests. There is no access to the database file itself, just to the data.
In short: my computer can reach the website, the website can reach a webform and the webform can reach the database. And all use "secret handshakes".
But Coleman's website builder stored the database directly behind one (insufficient or absent) firewall and the database file itself was directly accessible from the hackers computer.
This is beyond sloppy.
B) Storing security codes in the database is probably (I'm not sure) an offence in itself. The whole point of the security code is that you do not retain it.
C) Not notifying credit card holders is probably the biggest offence. That is why Mr. Knaak is saying (contrary to the warning they got from wikileaks and the evidence that was provided) that the site must have been hacked long AFTER they had been told the site had been hacked. They gambled that this would not come out and now that they lost that gamble they are screwed.
I'm very curious what the Secret Service and Bureau of Criminal Apprehension have told them exactly. I've yet to meet the security expert who would claim that "no downloads have taken place, period". They probably told them something like "we cannot find evidence of a download".
Do not underestimate what happened here. Coleman tries to spin it like someone who does not like his campaign pulled a sick prank. But there have apparently been multiple downloads. Had I uncovered this leak I would have been aware of the fact that others had access to this information too and that chances where that it would end up in the hands of criminals (who would not tell anybody but simply use the accounts).
IMHO the downloaders had the civic duty of forcing Coleman to warn his contributors that their money is at risk. This has nothing to do with being a Coleman supporter or not. It has to do with protecting the money of fellow citizens and with fighting crime. These people trusted Coleman with their money. He first failed them by being sloppy with the database and by illegally storing the security code. And then he failed to inform them that their money was in danger.
March 11, 2009 9:34 PM | Reply | Permalink
Storing the security code is indeed illegal.
Credit card info should be encrypted.
If you store CC info you are indeed liable in case of theft.
Believe me: this is not a trick to pin something on Franken. This is a BIG problem for Coleman.
Some more info on what you need to do: http://www.mollerus.net/tom/blog/2007/05/my_best_practices_for_online_credit_card_security.html
The official guidelines: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
March 11, 2009 9:51 PM | Reply | Permalink
"This is beyond sloppy."
Surely you aren't suggesting they did this as some sort of intentional ruse, so they might later attach guilt to "someone", and by sheer implication "someone" associated with the opposition?
Hey, Dutchguy, you need to repost this here at TPM as a blog, see who might add to it, your perspective is revealing.
March 11, 2009 9:58 PM | Reply | Permalink
"Believe me: this is not a trick to pin something on Franken."
Might it have started that way, then gone horribly awry?
March 11, 2009 9:59 PM | Reply | Permalink
I really do not think you would intentionally trigger an action that leads to all your supporters getting this email form wikileaks:
"Following our earlier email over the Coleman leak, we have discovered that all
on-line Coleman contributors had their full credit card details released onto
the Internet on 28 of Jan, 2009 by Coleman's staff.
Senator Coleman was made aware of this yet elected not to inform supporters in
violation of Minnesota Statute 325E.61.
We provide proof of here (Windows Excel spreadsheet), which if you are a
contributor will provide the last 4 digits of your Credit card and the security
numbers on the back.
Since the database has been floating around the internet, we suggest you call your bank and cancel the card."
March 11, 2009 10:08 PM | Reply | Permalink
"I really do not think you would intentionally trigger an action that leads to all your supporters getting this email form wikileaks:"
Actually, we disagree here. I think tey would do anything in their sleazy power to defy the public will if it goes against them. Here's the $64,000 question: Have any accounts been pilfered?
If not, there's a logic conundrum to address; if it really happened as described, and these big-money accounts were accessible, wouldn't there have been an outbreak of identity theft and lots of dubious charges to those accounts?
Can't say why I know, but I get the feeling no self respecting hacker would let that gold mine go unmined, so where's the beef?
Have any of Coleman's donors been robbed yet?
If not, I suggest the story may have been concocted, and the thought that their donors might have to cut up one of their credit cards would be a negligible moral barrier in front of their very immoral ambitions.
But I'm known for wearing an official Tin-Foil Deerstalker, so you can take it for as many grains of salt as you might. I EXPECT them to do things you don't think they are capable of.
March 11, 2009 10:18 PM | Reply | Permalink
PS; Why would a campaign KEEP those numbers?
I managed a campaign before, and our donations came via Act Blue and a Paypal button, and I also manage a retail store website, which sells Swedish imports, and we do all our business with Paypal and we never need to take that information to get paid.
So I guess it just strikes me as odd that they had so many actual bank records, when they really did not need to gather it in the first place. Like I said, the campaigns I worked on never actually got bank records, we just got contributions.
But those were Democrats and these are Republicans...they may be using one of Mike Connell's systems, (rest his soul) instead of one paypal or another services, and thereby retained that information as standard procedure.
But in this day and age, there's no reason for any campaign to have that information to get a contribution, unless someone is making regular monthly or intermittent payments, and not one-time or ccasional contributions.
SO WHY did Coleman have those stats in the first place? Just wanted to add that to the discussion.
March 11, 2009 10:36 PM | Reply | Permalink
They collected ALL information about the website in one database. Even your blogposts, who you send articles too and the administrator paswords. Everything.
You are right that it is perfectly logical not to store credit card info in your database. Many companies don't want to store the information because of incidents like this.
My guess that they didn't think it through and simply wanted to retain ALL information "just in case".
I am fond of saying that you must not attribute to conspiracy what you can attribute to incompetency.
And about robbing bank accounts. I know a lot of hackers that like nothing better than to break into a system but I've never met one that would actually steal. Very few hackers hack for profit.
March 11, 2009 10:58 PM | Reply | Permalink
I wasn't snarkin' about Connell, he was the Big Dog Republican webmaster in the not too distant past, answering directly to Rove.
I would imagine that his talents went to the top R tickets, which Coleman certainly has always been.
Connell died recently in a small plane crash.
So, (just food for thought,) if these sites all use similar systems, it may be possible they all keep that unnecessary bank information as part of their programming.
Again, I may be wrong about the origins of Coleman's website, but it seems likely the R's put their best stuff out there for Coleman, and that, conceivably, means all their other sites have similar systems, and potentially similar vulnerabilities.
March 11, 2009 11:49 PM | Reply | Permalink
So if you contributed to any Republican websites, should you be worried?
Better shred that card, matey, er them pirates'll be takin' yer gold....
March 11, 2009 11:56 PM | Reply | Permalink
I second that.
March 11, 2009 10:50 PM | Reply | Permalink
Re: posting as a blog bit, DutchGuy, you're providing very interesting useful background.
March 11, 2009 10:52 PM | Reply | Permalink
Thanks JEP07 and snig but I'll be going to bed now. It's kind of late here.
March 11, 2009 11:17 PM | Reply | Permalink
AAARRRGGGHHH!
March 12, 2009 12:05 AM | Reply | Permalink
I third it. All in favor, say "Aye!"
March 11, 2009 11:30 PM | Reply | Permalink
So are you saying Norm Coleman can't blame this on Al Franken, liberals or people who hate America?
A Republican must take (@#/&%@$..ahem) responsibility for a major blunder?
March 11, 2009 10:06 PM | Reply | Permalink
Life happens...
March 11, 2009 10:14 PM | Reply | Permalink
I thought it was a sign of their marginally improving maturity that this is not somehow Bill Clinton's fault.
March 11, 2009 10:54 PM | Reply | Permalink
As I thought: the authorities did not tell them the data was not compromised. They simply "did not find evidence that our database was downloaded" says Coleman Campain Manager Sheen on wikileaks.
In other words:
"Although we had been warned that your credit card data was out in the open on the Internet (for which we are by law responsible) and although we had not encrypted this data (which we had the obligation to do) and although we had illegally stored your security code in our database, the authorities we asked could not prove that something was downloaded and so we chose to ignore what happened and not to tell you anything. I hope you understand that it is all the fault of this nasty person who was not supposed to tell you all this."
March 11, 2009 10:40 PM | Reply | Permalink
Didn't Al gore invent the internet, without which this would never have happened?
March 11, 2009 11:05 PM | Reply | Permalink
Oh, I forget. The fact that they say it was caused by later hacking (which we know not to be true) makes it even worse.
Because it implies that they have not improved their security, have not encrypted the database and are still storing the security number, even though they had this pretty urgent wake-up call.
So first they argue (totally unconvincingly) that the first leak was not the real leak and then they admit that they took no action to fix things after the first leak. This looks bleaker and bleaker.
March 11, 2009 11:39 PM | Reply | Permalink
It's not just that vendors are 'not supposed to' store the three digit security number in an unsecure location. Vendors are not permitted to store that number ANYWHERE ever. If they do, they are in violation of their merchant agreement with the credit card companies and their merchant accounts can be and must be closed.
March 11, 2009 11:14 PM | Reply | Permalink
Exactly.
But the fact that the information already got out makes it even worse.
Does anyone have any idea what the (potential) penalty for this is? I was told by corporate security that in Holland it's potentially 2000 euro for every set of customer data that get's out there (even when there is no credit card info and no theft). Seems to me this is worse...
March 11, 2009 11:32 PM | Reply | Permalink
Ah, but those Evil Hackers retroactively recovered that data too, and reinserted it into the database, which is a big mushy sort of spongy thing inside the computer where you can put stuff if you're a Hacker!
Virtuous people don't know these things. It's the philosophy of conservatives not to know things that involve science 'n' stuff because that way leads to perdition! Darwin! Bad thoughts! Sex!
So therefore it had to be Hackers, buhcuz how would a virtuous guy like Norm even get that data in his database in the first place?
March 13, 2009 6:31 AM | Reply | Permalink
Norman Quimby Coleman:
Too F*in incompetent to be a Senator.
March 11, 2009 11:23 PM | Reply | Permalink
Since January 2005, more than 255 million data records of U.S. residents have been exposed due to security breaches, according to the Privacy Rights Clearinghouse (www.privacyrights.org). Most breaches are due to negligence or lax security practices. Norm's campaign screwed up and could be facing legal liability under state and federal law, and financial sanction under the Payment Card Industry Data Security Standard. Of course they want to portray this as an attack from outside sources, if not for political reasons, then for reasons of legal exposure.
March 12, 2009 12:00 AM | Reply | Permalink
Does anybody know what percentage faced what sanctions for their negligence and lax security practices?
March 12, 2009 6:08 AM | Reply | Permalink
Don't have that information and can't find it compiled anywhere in list form (and don't have time to continue searching). But I did find a nifty data breach cost calculator at tech-404.com. Based on 50,000 records exposed, Norm's campaign could be looking at a total cost of around $8 million for investigation, notification, crisis management, and potential fines/lawsuit claims.
March 12, 2009 1:21 PM | Reply | Permalink
Nice find!
Although that sounds like a lot of money it is far less than the $3000 (2000 euro) per person figure I was once told by security (when they thought I was sloppy). That way you could get to 150 million. I'll settle for 8 though...
March 12, 2009 4:39 PM | Reply | Permalink
This is what happens when Luddites try to go hi-tech. I can't wait to see the RNC's "beyond bleeding edge" web ops that Steele was promising. Can you say "crack bait"?
March 12, 2009 12:42 AM | Reply | Permalink
In organisations I've worked for I've noticed that if the guy's at the top do not get new technology, the organisation will not be using the new technology in an optimal way.
That's why it's so important that Obama knows how to use a computer (as opposed to McCain) and why it is so great to have guys like Steven Chu on our energy problems.
One of the problems in Holland is that there's too many legal and economic types in politics and they often do not understand the technology either (although the average age is lower and that helps).
March 12, 2009 6:14 AM | Reply | Permalink
Reminds me of something that happened during my brief stint in the software business. The product our company was rolling out had a number of serious problems -- the most obvious being that it did not support keyboard shortcuts for every function, so you HAD to use a mouse to do some things.
When we pointed this out to the project manager at a meeting his response was, "Well the CEO has been using it at home and he didn't find the lack of shortcuts a problem." So, no problem. :|
March 12, 2009 12:26 PM | Reply | Permalink
p.s. I'm not even sure if that company exists anymore, but I left just as they were issuing their IPO, and less than a year later it was a penny stock.
March 12, 2009 12:27 PM | Reply | Permalink
Enjoyed your posts above, Dutchguy. Just want to add two bits as a web professional myself. For all the reasons you cite and more, step one for virtually all the clients I deal with is: use an outside vendor for these transactions. You don't want to deal with this stuff as a side project--give it to someone for whom it's a 24/7 occupation. Real web security is hard. Dunno what the standards are in political campaigns but this is like handling uranium. Don't mess with it if you don't even believe in Darwin.
Second, following up the original link from wikileaks etc: the original outside discovery of the "hack" was the publication of a screen shot showing what appeared to be an auto-generated index page, the default list of files that Apache puts up if there's no "index.html" page or the equivalent and--this is obviously the key thing--Apache has not been configured to put up a "You don't have permission to view this page" block. This is so basic that I hate to even refer to it as "web security." It's on the same level as not leaving your car on the street with the doors unlocked and keys in the ignition.
If this is correct, the entire "hack" consists of someone seeing the index when they entered the URL with just a trailing slash and no filename, saying "Huh, wonder if this really is what it says it is," and clicking the link.
March 13, 2009 7:13 AM | Reply | Permalink
I've heard that when it rolls out it's gonna be "off da hook."
March 12, 2009 12:23 PM | Reply | Permalink