TPMDC

Pioneer Press: Donors, Data-Security Experts Blast Coleman Campaign

The St. Paul Pioneer Press has a news article this morning that is a blistering attack on the Coleman camp's latest foul-up: "As recently as late January, databases of thousands of Coleman's donors and assorted contacts sat on a public portion of the campaign's Web site. They were not password-protected, so a Minneapolis consultant was able to find them by essentially surfing the Web."

The Coleman campaign's position is that they did not believe any data was downloaded in January, and that the site might have been hacked at a later date, probably by partisan enemies. But the Pioneer Press -- which endorsed Coleman for re-election last year, by the way -- doesn't appear to be buying it.

Coleman supporter Kelly McShane, who donated $100 online and whose job is to secure data for the banking industry, had this to say: "I'm in IT security for a bank, and I can tell you that this is so ... irresponsible that I can't believe it."

Eric Schultze, chief technology officer for a Minnesota-based computer-security company (not to be confused with DSCC spokesman and former Franken spokesman Eric Schultz), explained to the Pioneer Press that no Web site should be set up to store credit-card data on the same server as the rest of the site -- let alone in an unencrypted form. "Anybody worth their salt would not set up a Web site that way," said Schultze.


69 Comments


It may be that Coleman's swan song will be "Send in the Clowns." Perhaps Minnesotans are now asking themselves, 'Why did we ever elect this hapless incompetent moron to a term in the United States Senate?'


Clowns - that's exactly what I was thinking. You know, though, everyone on this site is more or less computer savvy. The idiocy of this situation is obvious to us. Fortunately for Coleman there are many for whom "the google" and "the internets" comments made sense and who will buy his sad-face, betrayed look. They will believe the bad guys did this with great cunning and aforethought to diss a beleaguered patriot who's being robbed of his rightful due. Go Faux News!


I'll go with the clown analogy, and doesn't it describe Coleman and today's GOP?:

Be a clown, be a clown
All the world loves a clown
Be the poor silly ass
And you’ll always travel first class
Give ‘em quips, give ‘em fun
And they’ll ape and say you’re A1!


Between Coleman and Bachmann, America wants to know: what's wrong with Minnesota?

Between Coleman and Bachmann, America wants to know: what's wrong with Minnesota?

We've also got Keith Ellison, the first Muslim congressman in U.S. history, and we had Paul Wellstone until his untimely death in 2002, which resulted in us getting stuck with Coleman. Bachmann wasn't elected by the whole state, just the gerrymandered right-leaning district that she's in.

As a resident of the state that gave us weepy "Man Tan" Boehner and that screechy hag, Jean Schmidt, maybe you'd like to tell us what's wrong with Ohio.


hear hear


I wouldn't call it gerrymandered. There was a nonpartisan commission, though I suppose anyone who really wanted to know could look into the whole process and see just how nonpartisan it was. Redistricting was done under independent governor Ventura, with the legislature split. I personally thought it was fair, considering suburban growth.

Nonetheless, Bachmann's district is considered the most conservative in the state. Maybe she could win the second (another exurban district), but she would have no hope in the other six.


Oh SNAP!


If the Coleman site was hacked, isn't that a crime? Shouldn't they call for a criminal investigation? Why aren't they calling for a criminal investigation? Something strange going on around here!


He has. He kept saying it was being investigated by the Secret Service. I just couldn't figure out why the Secret Service. Computer crime isn't really their forte.


Actually computer crime is under the Secret Service's jurisdiction. I have no clue why but they are the lead federal agency on computer fraud.


I suspect that this is due to the fact that the secret service is under the authority of the treasury. Its creation was to investigate and prosecute counterfeiting and since a lot of computer crime has a financial or monetary component I can see why the treasury would be involved or at least interested.

That being said, our federal law enforcement has an awful lot of redundancy which leads to infighting and political posturing. While some duplication of functionality is necessary (every federal law enforcement agency deals with seized computer data and should have computer forensic people to handle that) it seems that a single agency should have a division tasked with investigating computer crime.

But that would just be too simple, wouldn't it?


It wasn't hacked because the credit cards were not used. If a hacker got the info, they would have sold it online and all of those cards would have been raided.

The idea that Coleman knew about the mistake and didn't warn any of the donors is ridiculous. He said he had the Secret Service and FBI in to check and they concluded that nobody downloaded the files. Either they were wrong, or he is lying. Or he released this now to wikileaks to try to pin it on Franken and it's backfiring.


"Or he released this now to wikileaks to try to pin it on Franken and it's backfiring."

Like I said responding to DutchGuy's comment last night, all the experts seem so incredulous that this could have even happened, it suggests Occam's Razor is starting to slice this towards the OTHER simplest explanation, the one that says the Coleman camp is using this as a last-ditch distraction because they knew long ago they lost.

Sure, it may have been a simple case of extreme negligence, but consider this statement above: "I'm in IT security for a bank, and I can tell you that this is so ... irresponsible that I can't believe it."

Ponder the last 4 words this woman says here, and you get my drift. Does she mean she's appalled at the negligence, or does she mean she doesn't believe they could have been that stupid, and it must be something else at play?

If it is impossible for the experts to believe it happened by mistake, then what is the alternative? That it was all a ruse, intentionally promulgated to desperately forestall the inevitable concession speech that Coleman will be making very soon.

If a hacker got the info, they would have sold it online...

I've read that offers for their sale were being circulated discreetly.  That's how Wikileaks got wind of the story.

... and all of those cards would have been raided.

Well, probably at least a few of them.

The idea that Coleman knew about the mistake and didn't warn any of the donors is ridiculous.

He knew.  The gummint gumshoes told him.  He just claims they also told him nobody nefarious had accessed them.

... the secret service and FBI... concluded that nobody downloaded the files.

Apparently not so much.  This guy seems to have found them:

They were not password-protected, so a Minneapolis consultant was able to find them by essentially surfing the Web.

Could Spiny Norman and gang be hiding behind a quibble about browsing versus downloading?

Either they were wrong, or he is lying.

Lies (and the Lying Liars Who Tell Them).  A Fair and Balanced Look at the Right.


I still think the proof is in the plunder...

IF this really happened as we are being told, SOMEONE on that list of donors would have been robbed.

Until we hear that it actually happened, I will suspect it is all another Rovian ruse, intended to defer, defame and deflate.


Could Spiny Norman and gang be hiding behind a quibble about browsing versus downloading?

Which, to be a little more explicit, is of course a distinction without any difference whatsoever as I'm sure you know. But yes, I think they are quite capable of imagining there is a difference, or at least relying on the fact that most people think if they're looking at it in their browser it's still "out there" somewhere and not on their own machine.

"I'm in IT security for a bank, and I can tell you that this is so ... irresponsible that I can't believe it."

Amazing how ellipses can take all the fun and spice out of a quotation sometimes, ain't it.


Whether or not the credit card data was actually stolen and distributed is entirely beside the point. The point is that they were so negligent in handling it that they stored it in a publicly accessible portion of their website WITH the CVV codes. There's incompetence and then there's breathtaking incompetence. This is the latter.

Between this and the blundering of their crack legal team during the election contest, you have to be stunned by the sheer amateurishness of the whole Coleman organization.


Strange is right. Who would leave sensitive financial data open to the public? It is not a crime to point and click on open websites. It is a crime that incompetents are running this Coleman website.


Quimby just keeps doubling his bets going deeper and deeper in the hole.

Since he is playing with other people's money (donors and the MN Taxpayers) he just doesn't give a sh#t.


Actually, this happened exactly because Coleman for Senate is dispensing wages in the form of salt.


The thing that is absolutely unbelievable is that they were storing the credit card information together with the CVV security codes (the three digits on the back of your card). This is irresponsible and prohibited by law.


Maybe this is all because the Coleman camp is not used to handling legitimate income...


Maybe they can get their rich Texas pals to pony up some more cash to start a private investigation.

When Texans meddle in Minnesota politics, expect some chemistry.


There you go, "prohibited by law". That is kind of what I was getting at up thread. Why hasn't the Coleman camp released a press report from the SS, FBI, or local police that says the Coleman website was hacked? I want a quote from the authorities to go along with Coleman's statements. The authorities will do that. They have no problem saying we investigated and we found ... Thank you.


If Coleman had his website built by the standard Republican webmasters, that suggests there are many other sites out there with the same vulnerabilities.


I don't know what it is with Republican and Republican-lite Congressional critters. Back here in CT we had an experience with Lieberman's people when Lieberman's website crashed during election day and they tried to pin the blame on Lamont. I've seen since that both the CT AG's office and the FBI cleared Lamont's campaign, confirming Lieberman's problems were due to his own campaign's decision to go cheap on their site ISP. That was over two years ago and too many politicians don't seem to have learned the lesson. Just wait until Coleman's supporters sue the crap out of him.


As long as they don't get robbed, they might not have much of a civil case.

But if someone has their account pilfered, that is a whole different story. Coleman's campaign would be liable for that, and possibly much more.

Right now, the most severe penalties would apply to their negligence in storing those files, which would probably not be a civil case unless it went class-action.

IANAL, but it seems there's no actual victims yet, unless it is the public in general falling for this whole song and dance.


Anyone with a little bit of computer/Internet savvy can discern from reading the news reports that this breach was not the work of nefarious political opponents or even professional identity thieves. This was pure negligence and/or incompetence by Coleman's team. So it really irks me to read that they have authorities looking for a phantom bogeyman hacker, when authorities should be investigating the likely criminal negligence of the Coleman campaign. If you're hungry, stop by Norm's new restaurant and order the special - red herring, conspiracy rings, and a side of lies.


With some O.J. to wash it down.


The internet is crawling with stolen credit cards. Tens of millions of them. So don't be surprised if it's taken a few months for someone to get around to peddling them. (And a few months more, if the charges are small, for any victims to even notice.)

In cases of extreme negligence and breach of notification laws, I think that even the relatively small cost of canceling the old cards, reinstating and continuing payments and auditing the last several months of statements could lead to liability, especially if all online donors were certified as a class.


So there are many legal issues here and Coleman is trying to cover his butt, right? If they were hacked (really) and that is how the info was found then they are ollie ollie home free. If they accidentally put the info out there, even if it has not been used, the Coleman people are going to have to cover costs. Hmmm maybe Coleman should shut his trap and GO HOME.


"then they are ollie ollie home free."

Maybe not. If they made it so easy by ignoring encryption and firewall requirements, then both the hacker and the site are likely culpable.

But, again, I'm still skeptical about the mystery hacker story. And all the experts here seem, at least, incredulous towards the supposed "amateurishness" of the campaign; at this level it just seems unlikely such an egregious error would go unnoticed long enough to allow hacking.

Time will tell. If some anonymous hacker is ferreted out, I will concede my conspiracy theories are wrong, but even then, the carelessness or the collusion of the campaign is still a question mark.


Oh good grief. There is no hacker. The file was there to download. Lots of folks saw it - just sitting there to download.


That is exactly what I am suggesting, that there is no hacker. I am suggesting that it was a ruse to defer attention away from the inevitable concession, and make Norm look like he got screwed somehow.

I DO NOT THINK ANYONE STOLE ANYTHING!

GET IT?

I'm saying exactly that, that there WAS NO HACKER, especially from "partisan enemy" camps.

What we got here is a failure to communicate.

If you don't agree with me that this is some sort of ruse, tell me why. I've made my point that most of the experts seem incapable of accepting the "big mistake" excuse, too. So that leaves either a hybrid disaster of monumental confusion, or a deliberate attempt to change the discussion from the Franken-winning vote count, to the myth of the mysterious nefarious hacker.

Now do you understand? I am not suggesting I'm right, I'm just suggesting a possible scenario that seems to be hiding between the lines.


Maybe there is a Republican gene, & it is recessive on computer skills. Coleman & McCain & Holy Joe Lieberman (& Lieberman's leader, Karl Rove) never did get the hang of the internets.


A tangential point, but the post makes too much of the Pioneer Press having backed Coleman. This article comes from a news writer, while the people in the tank for Coleman are on the editorial board. They're the ones who reprint WSJ editorials and cite them as fact, like a wingnut posting on a blog. However, it looks like the news has been kept separate.


Well, then, considering the similarities between all the Republican websites, it might be a good idea to cancel.

Like I said before, if you contributed to any Republican websites, you "better shred them cards, matey, er them pirates'll be takin' yer gold!"

AARRGGHH!

Hey, Sarge, did you make any online contributions to Republicans? Better check your balance...


We need to distinguish between Coleman, his political team, and someone with insider information and/or knowledge of Coleman's actions. It seems unavoidable that the information was posted in an improper manner. Applying Occam's Razor, if someone wanted to play dirty tricks to benefit Coleman, they wouldn't make up a story about his team handling his donors' accounts in an inappropriate, stupid and possibly illegal manner that only makes Coleman look bad.
When Rove planted a bug in his own office, then accused the opponents of bugging his office (he installed a battery that would have only lasted for several hours, and when the bug was "found" it was still functional) it immediately cast doubt on his opponents. Not even the Republicans would try to spin a story that someone working for Franken broke into Coleman's computer system, and compiled a database of information that is not supposed to be saved at all, and then posted it on Coleman's site without proper protections, and then notified Coleman's donors to tell them to cancel their credit cards, after Coleman spent so much effort saving that data in the first place. That would be akin to Vitter intentionally making up the story of the diapers and prostitutes, and then leaking it (the story, not the diapers) to try to blame his opponents for the leak. Even if that worked, more people would remember the diapers than remembered the story was "fake."
The more likely scenario is that Coleman's team completely mishandled donors' confidential information, and when the story broke and pointed the finger at Coleman for both mishandling the info originally, then failing to both correct the problem and notify donors in January, they threw out the nearest shiny object by screaming, "Hackers!"
It is plausible that the breach was leaked by someone with Coleman insider information who is looking to catch the next Republican freighter, as Coleman's sinks, not to undermine Franken, but to damage Coleman in any future primary or attempts at advancement.


"Not even the Republicans would try to spin a story that *someone working for Franken broke into Coleman's computer system*,"
Isn't that where they are going with it?

AREN'T THEY DOING EXACTLY WHAT YOU SEEM TO THINK THEY WOULD NEVER DO?

Unless I missed something in this sentence from the article above; "The Coleman campaign's position is that they did not believe any data was downloaded in January, and that the site might have been hacked at a later date, probably by partisan enemies."

So, just who are those "partisan enemies" if not one of Franken's supporters?

Seriously, did you not read the article?


Either you misread my response, or I wasn't clear enough.
Yes. Coleman is screaming, "Hackers!" meaning Franken operatives. But his screech is nonsense and only a minor distraction. Even the MSM is going to be able to figure out that the real story is not whether or not there was hacking, but that the information was stored incorrectly in the first place. He mishandled donor information, stored numbers that were not supposed to be saved by anyone, ever, failed to protect the information, failed to correct the problem, and failed to inform donors as required by law. Of course hacking exists. That's why there are protocols that are supposed to be followed to protect information. And it's not hacking if the information was posted publicly.
My point was that no one would make up all these facts as a dirty trick to try to discredit Franken, which means this story got out either because of good, honest investigative journalism, or someone, most likely with insider information about Coleman's office, leaked it for their own personal or future gain.


"My point was that no one would make up all these facts as a dirty trick to try to discredit Franken,"

I disagree. It was either exactly that scenario you just said was improbable, or when they discovered an incredibly stupid error, they tried to turn lemons into lemonade and blame "partisan enemies."

I don't see many other options, and I am skeptical of the "big mistake" theory.

I guess I consider "them" more diabolical than stupid.

Anyone know, was this originally or even tangentially, one of Connell's sites? It would be worth finding out if possible, because if it was one of Connell's, there may be hundreds of thousands more Republican donors to many other campaigns whose bank records were similarly retained.


This brings up an interesting point; some people seem to believe that the 'hackers' should be prosecuted (word: it's not hacking if the data is in a publicly accessible area of a website). Meanwhile, what about the criminal negligence of the idiots who were responsible for securing the data?

Data theft has become a major crime issue, and usually the culprit is the corporation who failed to secure sensitive consumer data. Data crimes need to be investigated, and if it's found that industry-standard security procedures weren't followed, then there needs to be a fine, or even some form of criminal punishment.

Of course, I'm not holding my breath, since the technical level of Congress is around the level of 'teh Interweb is a series of tubes,' not to mention the howler monkey lobbyists that would be unleashed to oppose such a common-sense measure. However, this is something that is much more deep-seated and important than the foibles of Mayor Quimby's campaign.


One time, somebody "hacked" my wallet after I left it on the sidewalk. Then, these hackers called me up and told me that they had hacked my wallet and that I should be more careful. How dare they!


Nice analogy! (And nice picture btw.)

But to make the analogy more accurate: Coleman did not leave HIS wallet laying on the sidewalk but the wallets of all his donors.

And now he is mad that somebody told his donors. Because he knows he should have done that himself a long time ago. The handling of this has been incompetent, illegal and immoral.

Oh, and it is highly improbable that the person who told him and told the donors was the person who downloaded the database. After the comments from Epic and others anyone could have downloaded this and many probably did.


People who still buy any of this "hacker" story apparently haven't seen this:

http://minnesotaindependent.com/24761/disenfranchised-voters-crash-colemans-site-unlikely-says-blogger#comment-24131

Look at the comment by "Epic".

The uptake even has screen shots.
http://the-uptake.groups.theuptake.org/en/videogalleryView/id/1765/


The comment from Epic is a good find Eric! To any security expert this completely settles any debate. It is almost impossible to leave the data more in the open.

The "somebody stole it line" will be hard to push. I've worked with many security experts and they will consider any defence of this gross negligence just too toxic for their professional standing, even if they are hardcore Republicans. It's like finding a law-professor that will claim that the president can completely ignore Congress.

As I said in an earlier (longer) post: the security code should NEVER have been in the database, the other CC info MUST be encrypted, the database should have been behind TWO firewalls (instead of NONE) and they SHOULD have alerted everybody as soon as they read a post like the one from Epic.

I am not being some paranoid security nut. ALL of the above precautions are the MINIMUM for a professional website. Coleman had NONE.

And they have made matters worse imho by claiming that the hacking must have occurred later. Everybody can see that's not the case but they effectively claim that they've left the security code in the database after their negligence was uncovered (since the hackers found this data in the database). That makes them serial offenders and makes matters far more grave. I've seen a lot of sites and some people do stupid stuff but I've NEVER seen anything that was this bad.


"It's like finding a law-professor that will claim that the president can completely ignore Congress."

Like John Yoo, huh?


You're right, it's a painfully absurd claim. I'm looking at the screen shot of the open index and that is simply what you get when you don't have a page in your directory named "index.htm" or some other designated form. In the absence of such a page, if you put in the URL of the directory ending in a trailing slash rather than a filename, Apache, which is what it looks like they're using, will simply display an automatically generated page that lists out links to all the items in the directory (i.e., what is actually denoted by the term "index" page). UNLESS YOU CONFIGURE THE BLOODY THING correctly. It should automatically default to an error message that says "You do not have permission to view this page." This isn't "web security," it's basic server configuration 101.

If getting to such an auto-generated index on an improperly configured server is "hacking," then I'm Stephen Hawking.


Eric, if I read the Minnesota Independent you linked to there is another nugget there.

This is the same day the Coleman campaign took their website offline (proven by the fact that they rerouted the website to 1.1.1.1) blaming a DOS attack by the Franken camp.

People like Epic come snooping and notice that the server is still online (why has the DOS attack not brought it down?) and by the way the database is online and someone should warn the Coleman campaign.

The most positive spin you can give this is that they rerouted the website after the DOS attack and while doing that were stupid enough to leave the server unprotected. But why would you disable all security while doing that?

I think two other explanations are more probable:
1) They pulled the same lame stunt as Lieberman (taking the website offline and blaming the opponent) and ended up shooting themselves in the foot because of their own incompetence.
2) Somebody found out he could download their database and warned them. They then took the website offline in a panic and blamed it on Franken, adding another lie to the cover-up. They were woken from their nothing-has-gone-wrong dream by an email to all their donors.

What do you guys think? I think there has to be a connection. They took the website offline (blaming Franken) on the same day that someone warns them that the database was downloaded. Fishy no?


You are right, there probably is a connection.

My guess is that they were trying to shut the site down because they found out about the security leak, but failed to even do that properly. That would explain why the redirect was 1.1.1.1. That was their best attempt - instead of *actually* shutting it down, they redirected the DNS. Because they didn't actually shut down, the IP address was still accessible.

Blaming it on a DOS attack, that was just their way to try to cover. It was quickly called out as BS, and now we probably know the real reason they pulled this.


Seems like we agree: the "DOS attack" was a cover-up.

My wife (a web site developer herself) also agrees that this is the most likely course of action but she is mystified by the lengths to which they have gone to be negligent. It is almost as if someone knew what he was doing: don your tinfoil hat Jed07!

I am just wondering if this will be the MSM POV anytime soon. Could someone include this in an TPM article to give it some traction? It might even be a scoop for TPM...


"she is mystified by the lengths to which they have gone to be negligent."

That gave me a chuckle; it is a good way to put it.

Negligence is not something you can go to great lengths doing. It is the act of not acting.

Hey Dutchguy, where'd you get that avatar of Jeb Stuart?

Just kidding, you look remarkably like a famous (or infamous, depending on which side of the Mason-Dixon line you claim) Civil War general.


I'm afraid I would be one of those who thought him infamous although he seems to have been a pretty courageous, flamboyant and competent fellow.
If you add the rest of my face (www.living-structures.com) the differences become more apparent (and my beard is shorter).

I thought you would like the fishy angle. I guess I'm just not paranoid enough ;) As I said: don't blame on conspiracy what you can blame on incompetence (and Coleman has that in spades).

But maybe I'm wrong on that too. I read someone reacting on the Pioneer Press article claiming that the site must have been hacked because senator Coleman was too competent and experienced to leave his site vulnerable like that. Sigh.


Isn't Joe Lieberman claiming it was Ned Lamont and his old campaign team that is behind all this?


Coleman, a man who truly loves America almost as much as he loves his donors' credit card data, is obviously the victim of liberals gaming the internet system.


This is awesome. I hope reporters ask Coleman a couple of questions until they get a good answer: "Were you wrong about political opponents being responsible for your data travails? And if so, what information led you to accuse your opponents of being responsible?" (And the obvious followup: "Is it irresponsible to accuse people of crimes based on no evidence whatsoever?")

What a knee-jerk f*ckstick. Would you want this guy fighting a parking ticket for you, let alone representing you in the United States Senate?


I'm drowning in schadenfreude ... those poor, poor Republican donors. ;-)


Couldn't happen to a nicer bunch...


Check out Adria Richards' website for more details:
http://butyoureagirl.com/2009/01/28/did-norm-coleman-fake-his-own-website-death/

She was involved in researching the "crash" in January, and took screen shots of the database and directory while it was available for public viewing. She offers her explanation in a video post. I'm not a techie, but my understanding of her explanation is that Coleman's office saved a backup of the website (to the directory?) (on the same website?) while transferring to a different server, rather than turning off the server or using a safer protocol for the exchange.


The most flattering explanation is that they were very careless and temporarily put the backup copy of the database in the publicly accessible directory of the website while doing something temporarily (like moving to another server).
It still means they shot themselves in the foot by incompetently handling the so called "crash" that was no crash.

However, it could also be that the (backup) database was accessible all the time and they shut down the website when somebody found out.

However, the fact that it was a backup (I should have noticed right away that it was an archive. Sorry.) means that they did not completely structure the website in a bad way.

It just means they put the backup of the site in a public place (and of course they should have encrypted the CC data and should never have retained the security code).


Can we all agree that Coleman's toast?


last PS; how about a RE-VOTE NOW?

Coleman can charge it to his donors.


Sorry, late to the comment game here, first time commenter.

But I thought it important to point out just how simple it would have been for Coleman's IT person to protect this file from search engine crawlers. It's called a "robots.txt" file.

http://en.wikipedia.org/wiki/Robots.txt

In the same folder as the home page, you simply add a file named "robots.txt" that includes the following text:

User-agent: *
Disallow: /donations/
for the entire folder, or
User-agent: *
Disallow: /donations/donors.xls
for the spreadsheet file itself (these are examples of file/folder names... Coleman's were surely different.)

That's it. No "web surfers" would have located it via Google or Yahoo, etc. Beyond that, there may have been other means of finding it, but those do begin to delve into the more difficult realm of the hack.

Anyone here would have known this had they spent even a month in web service.
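An added example, not the commenter's code and not anything taken from the Coleman site, that makes the caveat in the comment concrete: robots.txt only governs well-behaved crawlers, a direct request for a known path still succeeds, and the check that actually helps a site owner is finding backup files that should not be under the web root at all. The /donations/donors.xls names are the comment's own hypothetical ones, constructed here in a temporary directory.

```python
import os
import tempfile
from pathlib import Path
from typing import List
from urllib.robotparser import RobotFileParser

# File types that should never sit inside a publicly served web root.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz", ".bak", ".xls", ".csv", ".mdb")

def crawler_may_fetch(robots_txt: str, url_path: str, agent: str = "Googlebot") -> bool:
    """What robots.txt actually controls: a well-behaved crawler's choice to
    index. The web server never consults it, and the file is world-readable."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url_path)

def direct_read(web_root: str, url_path: str) -> bool:
    """Model a plain GET by anyone who knows the path: if the file is on disk
    under the web root, the server serves it regardless of robots.txt."""
    return (Path(web_root) / url_path.lstrip("/")).is_file()

def find_exposed_backups(web_root: str) -> List[str]:
    """The control that matters: list backup/export files under the web root
    so they can be moved out of it before anyone else finds them."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(BACKUP_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits)

def build_demo_root() -> str:
    """Constructed web root mirroring the comment's example: robots.txt
    disallows /donations/, yet donors.xls (placeholder bytes) is still there."""
    root = tempfile.mkdtemp()
    (Path(root) / "robots.txt").write_text("User-agent: *\nDisallow: /donations/\n")
    (Path(root) / "donations").mkdir()
    (Path(root) / "donations" / "donors.xls").write_bytes(b"constructed placeholder")
    (Path(root) / "index.html").write_text("<html></html>")
    return root

if __name__ == "__main__":
    root = build_demo_root()
    robots = (Path(root) / "robots.txt").read_text()
    print("polite crawler may fetch donors.xls:", crawler_may_fetch(robots, "/donations/donors.xls"))  # False
    print("direct request still succeeds:", direct_read(root, "/donations/donors.xls"))  # True
    print("backup-like files to remove:", find_exposed_backups(root))  # ['/donations/donors.xls']
```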

user-pic

Perhaps there really was a hacker, one who compromised a poorly secured website and decided to make its compromised nature as obvious as possible by storing a dump of the database in an obvious place. That doesn't change the fact that the site was poorly secured in the first place and stored information that it shouldn't have.

For example, even a double-firewalled site can have its database compromised via an SQL injection attack. The server itself might have been compromised via an unrepaired bug in apache or php and its configuration changed to make its entire directory tree visible (perhaps even modifiable). Hackers do these things all the time, impressing each other with just how bad they pwned a site. And all too many sites are vulnerable because it's actually fairly hard to find a site admin who keeps up to date on the nature of the threat.

None of this excuses the obvious mistakes and omissions by the Coleman camp. But I've seen first-hand what a hacker can do, and see no reason to discount the claim that the Coleman site was hacked.

user-pic

Good option! That would be typical hacker humour and would explain what I called (in an earlier post) "the length to which they have gone to be negligent". They didn't. The hacker did.

Very difficult to discard this option. (Did God bury dinosaur bones to test our faith?)

So let's forget the speculation and concentrate on what we know fairly certainly:

1) Jan 29th the Coleman site was unreachable for the public. Coleman claimed (but did not prove) a DOS attack. During at least part of the time traffic was redirected while the original server was up (I have not calculated how long but you could from the different posts on the Internet).
This indeed could have been someone hacking their site and them trying to disguise it as a relatively innocent DOS attack.

2) While this server was up people noticed there was a large database in the public domain (left by hackers?) that Wikileaks and others claim contained user information, including CC and security code. Coleman admits that there was downloadable data that should not have been because they checked with the authorities who (they say) assured them that nothing was downloaded after looking at the log files.

3) Wikileaks shows up with a complete database for everybody to inspect that contains CC info that should have been encrypted and security numbers that should not have been in there. The Coleman campaign does not deny this database is the real thing.

4) The Coleman camp claims that the data must have been obtained at another time (presumably so they are not held responsible for not alerting their donors immediately) but this also has a negative side for them. It means that the data was available (including unencrypted CC data and security codes) at a later date. So they did not clean up their act sufficiently, even though they had a very clear wake-up call.


Simplest solution I can think of is this:
They needed to transfer the site to a new server after traffic increased (blaming Al Franken for the downtime). Then they had a problem moving the site due to their own security (it happens all the time, believe me). Because they wanted the new site up quickly they made a backup that they moved over the Internet. Somebody left that backup on the Internet a little bit too long.

More data please! It is intriguing...

user-pic

Just a minor correction DutchGuy - In part (1) you said that Coleman claimed the problem was a DOS attack, but that's not what was originally reported by the right-wing blog Minnesota Democrats Exposed on January 28th. MDE is the propaganda blog of the MN-GOP and their writer Ryan Flynn reported on the evening of January 28th that Coleman's site was crashed after "millions of concerned Minnesota voters" went there to view a database of names of voters whose uncounted absentee ballots were being "disenfranchised by the Franken Campaign". Although Coleman's site did in fact host such a database for public view, a check at SiteAnalytics.com (a third party site which monitors traffic stats for domains) showed that Coleman's site received no additional traffic than they normally received at any other given time. Speculation is that Coleman's web people redirected their DNS to 1.1.1.1 to give the impression that the site was indeed being over-trafficked which would give credence to media reports that Coleman's site was being swamped by concerned voters who wanted their absentee ballots counted.

Only after this ruse was proven to be an abject failure did Team Coleman's meme turn from "too much traffic" to "denial of service attack perpetrated by Franken partisans".

FOX-9 News in Minneapolis basically cut-and-pasted the story being pushed by MDE on their website, which has since been scrubbed. Other mainstream online, print and broadcast media in the Twin Cities reported the updated "denial of service attack" claim as the cause of the outage due to the "too many visitors" claim being so quickly debunked by bloggers. There have been no follow-ups by anyone other than bloggers into Coleman's claims and all traditional media outlets simply report Coleman's many different (and conflicting) claims like good little stenographers without any real investigating.

Either way, both theories are bunk. There was obvious skullduggery in Team Coleman's attempt to show to the local media that Coleman's site was getting hammered to make the courts (and Minnesotans) believe that his arguments (re: absentee ballots) had not only merit but the backing of millions of absentee voters. Unfortunately for Coleman, Adria Richards used the site DNSwatch.info to not only find that Coleman's site was intentionally pointed to the non-existent 1.1.1.1 address but also found the original IP address for the site. She simply bypassed DNS and went straight to Coleman's server via the IP address and found the site backup file sitting in the root directory for all to see.

Case closed, Coleman's lies are exposed and he can't put the manure back into the goose.


References:

Minnesota Democrats Exposed original reporting on the "crash"

http://www.minnesotademocratsexposed.com/2009/01/28/thousands-of-hits-crash-coleman-website/

Reporting by the liberal blog MNPublius on the evening of 1/28 (including a sort-of "live blog" of Adria Richards' finding and reporting of the site/database backup file)

http://mnpublius.com/2009/01/team-coleman-fakes-website-crash/

user-pic

Norm is not much on practicing what he preaches:

Oh the Hypocrisy

user-pic

Funnily enough, the PCI Compliance Guide website has, at the top of the page, an article which talks about how Minnesota's Plastic Card Security Act 2007:

states that any company that is breached and is found to have been storing “prohibited” PCI data (e.g., magnetic stripe, CVV codes, track data etc) are required [sic] to reimburse banks and other entities for costs associated with blocking and reissuing cards. This law also opens up these companies to private lawsuits. Currently, the law does not affect Level 4 merchants (less than 20,000 transactions a year).

Quimby's operation may escape sanction based on that last sentence, but it still had a duty to inform donors. Basic fraking PCI compliance.
