2016 Postmortem
I worked on the DNC IT Department (db specialist) during the 2004 election. My opinion on the breach:
First Point: Bernie's campaign alerted the DNC to the breach in October. This is huge. If there is a known data leak, and it is allowed to persist for an extended period of time, in this case what looks to be at least 2 months, that vendor should be immediately fired and a complete security audit of the system should have taken place (proper procedures would be to lock down the sensitive data immediately, run a thorough security audit and issue a fix as time permits. It may cause some inconvenience for each campaign, but I'm sure there are other ways to get the data they need from the system, even if the DNC needs to set up a tech support ticket system for data requests). That none of this happened is utter negligence both on the part of the vendor and on the DNC. After having knowledge like this, it is their responsibility to monitor the vendor to ensure this is resolved ASAP.
Second Point: Bernie's team had access to their own data, once it was discovered that they could access the other candidates' data as well, it would stand to reason that they would want to know how much of their own was compromised. Since their data is already readily available to them, the only way to know would be to see what they could access from the compromised data. In a perfect world, they could have reported the breach and asked for the results of the audit to determine this, but as my first point shows, both the vendor and the DNC were already committing gross negligence, add to it the fact that they're in the bag for Clinton, and would be attempting to cover their asses, and I wouldn't trust any info they provided. After months of this going uncorrected, the Sanders Campaign had a right to find out how much of their own data was at risk.
Third Point: There seems to be a lot of concern over the 4 different email addresses that accessed the data, and whether or not it was downloaded, etc. I'm having a hard time seeing why this is very important. Depending on who initially found the problem, there is a chance they didn't even know they were getting the data until after the fact, especially if they were running queries on a database. If the issue was that running a query for the state of Iowa, data from both campaigns got returned, finding that out would require actually viewing the data. Most of these lists are huge, 100s of MBs into the Gigs, so viewing them on the web is usually not an option, they would be downloaded. So whether or not the data was downloaded seems pointless.
Final Point: All that said, while I do think the BS the DNC pulled is not just negligent and incompetent (possibly nefarious), if any members of the Bernie Campaign, after finding out what it really was, used the data to aid the campaign, then their firing was correct. I don't know if that was the case here, and I would guess it wasn't, but if so, then they were in the wrong in that respect.
Yeah...TLDR...sorry for the rant. I will say that the DNC's database during my time there was an absolute mess, so I could easily see how any campaign could stumble on another's data. After I left, I thought Howard Dean's IT team cleaned up a lot of that, but to what extent, I have no idea, and I think DWS went in a different direction, so she might have even rolled back what he put in place. So there's my 10 cents. If anyone wants me to elaborate or get into specific technical details I'll be happy to.
thereismore
(13,326 posts)Response to thereismore (Reply #1)
Name removed Message auto-removed
Ferd Berfel
(3,687 posts)Here's a good tip from a FB poster
"Regarding phone calls to the DNC, call their cash donation line instead. That number is 877-336-7200. Calling this number forces live staff to deal with you, and keeps them from getting a donation call at the same time. You can use the call to tell them why you are refusing to donate. Let them know that you won't donate another dime until they get rid of Debbie Wasserman-Schultz as DNC chair. They will take notes. The guy who took my message even seemed embarrassed and seemed to agree.
Call now, operators standing by."
dixiegrrrrl
(60,010 posts)Good on you.
Maybe put this info in a post of its own???????
dixiegrrrrl
(60,010 posts)Guess their cash donation site is only good M-F.
I just called, and got the recording.
erronis
(15,241 posts)pnwmom
(108,977 posts)Two months ago there was a different leak. That one was fixed. Then this one happened.
cprise
(8,445 posts)during what the vendor claimed was system maintenance.
thereismore
(13,326 posts)pnwmom
(108,977 posts)And that the "window" was only open for a short period of time.
Unknown Beatle
(2,672 posts)Please provide a link.
napi21
(45,806 posts)and to do that the tech had to disable the firewall, and he(she) forgot to re-enable it. he firewall was down for about 46 minutes. I'll see if I can find a link to that info.
Go Vols
(5,902 posts)azmom
(5,208 posts)In October?
jeff47
(26,549 posts)We don't know if they literally did nothing, but they didn't fix the hole.
Options run from them thinking they fixed the hole to "oops, I ran the old procedure" to doing nothing.
azmom
(5,208 posts)In any case, the company should be held responsible.
jeff47
(26,549 posts)Can be fixed a variety of ways, but we don't know what they did to fix it. If anything.
bobbobbins01
(1,681 posts)if it is just something silly like a firewall being down, then the fix is incredibly simple and should have been fixed within a few hours. Why those datasets even reside in the same place is extremely suspect. If the data is that crucial, there are numerous ways to secure it so that it would be impossible for another campaign to access it. The vendor should be fired immediately.
jeff47
(26,549 posts)they apparently were updating the system while still allowing users to access it. And their permission system was effectively disabled during the update, allowing everyone to access everything.
So, pretty trivial to prevent (ex. shut off user access during updates), or a better design that segregates data better.
As you say, massive incompetence that should result in immediate termination of the contract.
SusanCalvin
(6,592 posts)frylock
(34,825 posts)moreover, the upgrade should have been conducted during off-hours to minimize downtime to their clients. Fucking amateur hour.
valerief
(53,235 posts)frylock
(34,825 posts)erronis
(15,241 posts)This is a cheap-ass company that built a voter registration system 20 years ago - probably in Visual Basic 6.
Like most neophytes they didn't use real authentication but probably set up their own internal login system.
Having worked for several government and international companies that work with trust, there is no fuckin' way that a little home-grown company can handle true authentication/authorization without relying on the OS.
Just like Hil's "private" email server (operated by the same f-ups), there was no real security.
I run robots all the time to scan for available data. If it is open to public access, I will probably touch it and download what looks interesting.
If the DLC/DNC wanted to be secure and private they should have spent a few more mega-$s doing it with people that know what they're doing, rather than DWS's nephew!
tblue37
(65,340 posts)PDittie
(8,322 posts)"It's a monopoly that's been created and forced down the throats of all Democrats," John Phillips, co-founder of the non-partisan political data firm Aristotle, told POLITICO. "Monopolies are notorious for overcharging their customers, screwing their customers. That's what's been going on on the Democratic side for quite some time."
Rival vendors like Aristotle have been the most outspoken critics of the current Democratic setup, which gives the nearly 20-year-old company NGP VAN sole distribution rights to the party's valuable voter file. That database includes voting history, address and contact information for registered voters, which both the Clinton and Sanders campaign rent and then supplement with their own collection of information.
Central to the NGP VAN business model is a supposedly secure firewall that keeps any information that one campaign collects away from a rival political player. But that security system was exposed this week, NGP VAN admitted, because of a software error.
bjobotts
(9,141 posts)The DNC should go after the vendor and not the Sanders campaign. They have no right to "prevent" a competition and this will not fare well for Clinton. Seems DWS is her Titanic.
newthinking
(3,982 posts)Nothing rocket science here.
Even if it were a "new" breach, even less than careful Administrative staff would do this if only to safeguard their own ass. The multiple layers of security incompetence this involved is hard to even grasp how a company like this would even be allowed to touch confidential data.
The fact that blame is being misdirected is kind of sleazy.
Considering that part of the reason that Clinton lost ground and ultimately lost to Obama was the idea that unfair tactics were being played should give pause. The DNC may well hurt the Clinton campaign.
Hepburn
(21,054 posts)Glad to hear from someone who knows the ins and outs.
KNR
Jarqui
(10,123 posts)"There seems to be a lot of concern over the 4 different email addresses that accessed the data, and whether or not it was downloaded, etc. I'm having a hard time seeing why this is very important."
Apparently, the guy they fired created the 4th email address during the breach. Sounds sinister right? Probably wrong (in my opinion). What I strongly suspect he was trying to prove was if anyone - even with a newly created email address - could access the data. He might do that trying to answer "How extensive was the security breach"?
bobbobbins01
(1,681 posts)You may be correct, he may have been creating a new user with different access rights to see if people with lower security settings could access it as well. It's also possible (but much less likely unless he was a complete idiot) that he was trying to hide his accessing the data by using an account not linked to him (very implausible though, since the data was also accessed by his account).
Jarqui
(10,123 posts)And he claimed that he knew their activities could be traced - probably from the last breach.
This could turn very ugly for Clinton if they have email addresses/IP addresses of who breached the Sanders data last October. Today, the Sanders campaign called for the audit being expanded to last October's breach. It's pretty tough for the DNC to ignore that under the scrutiny of the media. It could really blow up in the Clinton campaign's face if a member of their staff gets caught doing that last October because they didn't come clean.
bobbobbins01
(1,681 posts)DWS isn't going to let anyone touch her, and the vendor used to work for Hillary as well, so it is very unlikely data that implicates her campaign will ever see the light of day...unless someone managed to grab the log files during one of the breaches.
Jarqui
(10,123 posts)bobbobbins01
(1,681 posts)I'm sure they do have the info, I just wouldn't put it past them to scrub that info of any Clinton staffer's emails before releasing it. I don't think the Sanders campaign has direct access to that data, so there would be no way to verify its validity.
Jarqui
(10,123 posts)I saw some email addresses in article including the fake new one Josh created
Plucketeer
(12,882 posts)that this was ALLOWED to continue until innocent transgressions could be intentionally used to hinder Sanders. The DETERMINATION of DWS and the DNC to STEER this whole cycle leaves NO doubt they'd stoop to any shady doings.
bobbobbins01
(1,681 posts)This flaw would most likely have been occurring every time the vendor did a similar change to the system, which means by the time the Sanders campaign pointed it out it probably had occurred many times without notice. Yet 24 hours after the latest incident this happens. That means they knew about the flaw, knew they hadn't fixed it, and were watching very closely.
Divernan
(15,480 posts)Here insert HRC's horsey, snorting laugh.
peacebird
(14,195 posts)navarth
(5,927 posts)jwirr
(39,215 posts)everything clean.
frylock
(34,825 posts)Jarqui
(10,123 posts)But they should have a backup .... (but that'll probably be missing too)
valerief
(53,235 posts)He already established he had access to more data than he should have. He needed to establish who else had access to this data.
This whole deal is dirty, and DWS's attack on Sanders rather than the s/w vendor is enough proof for me she's been hellbent on sabotaging Sanders all along.
Jarqui
(10,123 posts)Obviously, from their reactions, they put a fair amount of effort into this data. Much more than one field or one file. And they've referenced multiple files in the articles. Voters, campaign contacts, etc.
So he likely had his people checking the various fields and files that were exposed - getting samples of each - screen shots, sample reports, sample downloads, etc to map out the full exposure/breach. And the only logical place to store that would be on the campaign computers being used - not the vendor's machine.
I feel for the guy who got fired because I would have done the same thing (except gone after O'Malley's data instead - avoiding Clinton to help keep my nose clean - which would suffice to prove the problem if his campaign has data on there ...)
valerief
(53,235 posts)access. The faulty vendor did.
Jarqui
(10,123 posts)where they had access to some parts and no access to other parts.
But it sounds like it was a pretty major breach - like they could go nearly anywhere or many places and see nearly anything or a lot of things.
valerief
(53,235 posts)blackspade
(10,056 posts)Maybe they did and it's not being reported.
If that is the case then this will conclusively show that this is a ratfuck.
The fact that Sanders has filed a suit means that there will be discovery involved....
rjsquirrel
(4,762 posts)All 29 of O'Malley's voters were compromised.
As someone who has developed and managed complex database platforms for a quarter of a century, there is some bullsh/t masquerading as expertise in this thread.
blackspade
(10,056 posts)And way to take a piss on O'Malley.
Several posters seem quite knowledgeable and the tech community largely agrees.
Explain what is bullshit.
Enthusiast
(50,983 posts)elehhhhna
(32,076 posts)Jarqui
(10,123 posts)Obviously, the DNC are not too sharp on the security issues
DhhD
(4,695 posts)LiberalArkie
(15,715 posts)thing when you report a problem "It can't happen" and nothing is EVER done unless the customer takes the time and gives the vendor evidence that it happened. Then they MIGHT look at it and believe the customer.
Sanders reported the problem in October and nothing happened. I think the vendor kept denying it, maybe because they wanted to, maybe because the leak was supposed to be there, who knows only them.
Bernin4U
(812 posts)And gained full control remotely. They basically had to hang a knife over Chrysler to get them to do something about it, before some real bad guys got any ideas.
LiberalArkie
(15,715 posts)Jarqui
(10,123 posts)It is typically the responsibility of the user to demonstrate the software problem with screen shots, reports, data examples, etc - as much real evidence as possible/reasonable. We don't support needle-in-the-haystack fishing expeditions. Evidence helps pin the software problem down faster. You don't do that to be mean or lazy. You have to do it to stay in business - to work efficiently in a competitive market.
According to the Sanders folks today, they know they took a hit last October. So it looks like they were making sure they could pin down how they took that hit this time. I do not blame this person they fired at all from what I've heard so far. If he was gathering evidence so that the campaign could go back at the vendor to prove the problem, he was doing his job. And the only way for him to do that since he always had access to his own data would be with someone else's data. And then he could infer that the other campaigns could have similar access to his campaign's data.
bobbobbins01
(1,681 posts)I tried to touch on this in my OP, but you said it better.
Bernin4U
(812 posts)Or I should say, used to be in QA. Back when they had such a thing.
Now it's farmed out to India, with no quality. Let the customers be the alpha testers.
Industry's gone to shit being "competitive".
valerief
(53,235 posts)PosterChild
(1,307 posts).... it was a security issue in a very sensitive area. Regardless of their intent, it was stupid and unprofessional to do what they did. They should not have done any investigation unless explicitly requested by the vendor to do so.
In order to escalate the issue they had only to report it to the Clinton campaign and then both go to the vendor and the dnc together. It would have gotten the attention it needed.
Jarqui
(10,123 posts)My boss says "What did we lose? To who? How did this happen?"
Me: "Oh, I don't have a clue. I phoned the software vendor right away and he just shut things down. We have little proof of anything."
My Boss "So if we suffer damages and want to sue our vendor, what evidence do we have?"
Me: "My testimony and a couple of the other folks that we had a general problem but we don't have any specifics .. so pretty tough to sue with that"
Not a proud moment. Your duty is to protect the data of outfit you're working for. You get some facts quickly before someone pulls the plug or covers their tracks. Who is logged in if possible, logs of access, if possible, screen shots, stuff that can define the extent of the problem.
Do nothing and just call the software vendor? Not me. I get what I can quickly first so the software vendor can't cover his tracks.
If they didn't get that stuff, the software vendor could have said "oh, it was just a 30 second glitch while we patched something - nothing to worry about (sucker)"
PosterChild
(1,307 posts).... "use the breach to fish around in our competitor's database. Do some searches just to see what you can find, how bad this is, and what they might be able to see in our database." That would have been stupid and unethical.
And it was stupid and unethical for bernie's operative to do so.
It would have been much better to report the security hole to both the dnc and clinton's team. Let them know that their data is exposed and that you know that they know that your data is exposed. That would have been the smart way to play it. It would have gotten the attention it needed right away and there would have been no "appearance of misconduct".
pugetres
(507 posts)when he hacked into flight controls during a flight after Boeing and gov't agencies kept ignoring his warnings about the huge security risk they were taking by not separating the entertainment systems from the flight control systems.
upaloopa
(11,417 posts)Why not just say "they are in the bag for Clinton" and leave it at that?
That line makes the whole post a piece of worthless propaganda rather than a bit of technical information.
I was hoping you could teach me something but my loss I shouldn't give some people the benefit of the doubt.
jeff47
(26,549 posts)You'll find none of those words say "they are in the bag for Clinton" or anything similar.
Android3.14
(5,402 posts)dorkzilla
(5,141 posts)and that is the response? How fucking embarrassing. If it's too long to fit on a bumper sticker it doesn't count.
Bluenorthwest
(45,319 posts)in the way of the narrative train?
bobbobbins01
(1,681 posts)The Sanders Campaign thinks they are in the bag for Clinton, which makes the data they receive from them untrustworthy in their eyes, which would be a reason they would want to see what information was available on their own. Plus if the breach was unfixed for months, someone's going to try to cover their ass, which again makes reports from them unreliable. My feelings on the DNC are irrelevant to my previous comment, I'm showing how it would be perceived through the lens of the Sanders campaign.
hedda_foil
(16,373 posts)The system apparently has all the individual campaigns' data AND all the DNC datasets separated very superficially from each other. Simple permissions settings shouldn't be all that's required to make the candidates' data directly accessible to their competition, should they? The thing is, I'm no IT wonk, but even I would think that the entire setup was very poorly designed in the first place. I would have expected each campaign to secure their own proprietary database separately, at locations (physical or virtual) of their own choosing, with at least 2 separate sets so if the building explodes one night, the data would still be accessible. It makes absolutely no sense to me that the DNC's contractor apparently holds the only set of keys to every campaign's own data. Is this as sloppy as it looks to me or am I misunderstanding what seems to be going on?
bobbobbins01
(1,681 posts)It looks like your assumptions are probably correct. Obviously I don't have access to the back end of the system, but my guess just by seeing the front is that all the data is most likely housed in one place, and the only thing really separating who gets what are the database queries. It's very insecure even without the huge hole they left in it. I'm thinking most people with a technical background could get access to all the data very easily even with the current exploit patched.
I would imagine that each campaign would keep a copy of their own data, so I think the data Sanders is fighting for are the DNC voters who have yet to be contacted by any campaign, either that or they willingly gave their data without keeping it for themselves (which would make very little sense).
Depending on the amount of data, they should be running backups every night at the very least. With this much, I'd say hourly, and the backups would go to different regions in case a server farm goes down, its accessible from multiple locations. And having all the data in one place as the vendor did, is ridiculous.
The vendor storing competing campaigns' data in the same place like this is just shoddy.
hedda_foil
(16,373 posts)I'm a little stunned that my non-tech guesswork seems to have been fairly close to the mark. If I were one of the candidates, I'd be contemplating a lawsuit against the vendor at the very least. Clinton's IT folk seem curiously inept at their jobs.
Maybe she and DWS really do believe that data involves a cloth.
99th_Monkey
(19,326 posts)so stating this widespread observation is not "propaganda", any more than pointing out that STU TREVELYAN (CEO, NGP VAN) worked both in the 1992 Clinton-Gore "War Room," and then in the Clinton White House.
stupidicus
(2,570 posts)hopefully not because that's your only strong suit
artislife
(9,497 posts)Tommy2Tone
(1,307 posts)Last edited Fri Dec 18, 2015, 06:40 PM - Edit history (1)
Someone was fired so it is hardly a my bad as you paint it. I also see a lot of hypocrisy from Bernie supporters who show up every day to tell us how bad Clinton behaves. You might want to concentrate on cleaning your own house before commenting on another's.
bobbobbins01
(1,681 posts)Yes, someone was fired, but people get fired for "my bads" as you put it every day. And as I said, 4 accounts and 25 searches means nothing. Querying the database 25 times would be very easy to do without even knowing you were getting that kind of data. Only once you look at the actual results, would it become clear. I'm sure more than one person would be pulling lists from that database for their campaign, so I'm surprised it was only 4 accounts and not more.
The firing was probably because after it was reported, the data was accessed again. But I couldn't say I wouldn't have done the same. If the problem was still ongoing months after I'd reported it, I'd go look again too, if for any reason, just to see if things didn't get worse. But as I said, if they do find out he used the data in other ways, then his firing was completely justified. If it was the former, then he was just taking one for the team.
JaneyVee
(19,877 posts)bobbobbins01
(1,681 posts)This had occurred before, and was never fixed. The DNC even stated they reported it previously.
jeff47
(26,549 posts)and both of them run through an assessment. That way they could each ensure the other side didn't permanently get data.
For example, Clinton person adds a fake new entry, Sanders person searches for it and sees if he can read it.
But I have no idea how practical that would actually be.
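
An added example, not part of any post and not the vendor's code: a sketch of the cross-campaign check described above (plant a marker entry as one campaign, search for it as another), run against a hypothetical shared table where, as posters in this thread guess, only query filters separate the campaigns. `SharedVoterStore`, the `maintenance` flag and the campaign names are assumptions made up for illustration.

```python
import secrets
import sqlite3


class AccessDenied(Exception):
    """Raised when a request is refused instead of being answered unfiltered."""


class SharedVoterStore:
    """Hypothetical shared store: every campaign's rows sit in one table,
    separated only by an owner column that each query has to filter on."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT NOT NULL,"
            " state TEXT NOT NULL, note TEXT NOT NULL)"
        )
        self.maintenance = False  # assumed flag, set while an update is applied

    def add(self, owner, state, note):
        self.db.execute(
            "INSERT INTO notes (owner, state, note) VALUES (?, ?, ?)",
            (owner, state, note),
        )

    def search_fail_open(self, campaign, state):
        """Weak design: the owner filter is skipped while checks are off."""
        sql, params = "SELECT owner, note FROM notes WHERE state = ?", [state]
        if not self.maintenance:
            sql += " AND owner = ?"
            params.append(campaign)
        return self.db.execute(sql, params).fetchall()

    def search_fail_closed(self, campaign, state):
        """Hardened design: refuse during updates, always filter by owner."""
        if self.maintenance:
            raise AccessDenied("user access is shut off during updates")
        if not campaign:
            raise AccessDenied("no campaign identity on the request")
        return self.db.execute(
            "SELECT owner, note FROM notes WHERE state = ? AND owner = ?",
            (state, campaign),
        ).fetchall()


def canary_visible(store, search, planter, searcher, state="IA"):
    """Plant a unique marker row as one campaign and search as another.
    Returns True if the searcher can read the planter's marker."""
    marker = "CANARY-" + secrets.token_hex(8)
    store.add(planter, state, marker)
    try:
        rows = search(searcher, state)
    except AccessDenied:
        return False  # a refusal is not a leak
    return any(note == marker for _owner, note in rows)


def run_checks():
    """Run the canary check on both designs, in and out of maintenance."""
    results = {}
    for name in ("search_fail_open", "search_fail_closed"):
        for maintenance in (False, True):
            store = SharedVoterStore()
            # Constructed sample rows, one per made-up campaign.
            store.add("campaign_a", "IA", "constructed sample row A")
            store.add("campaign_b", "IA", "constructed sample row B")
            store.maintenance = maintenance
            results[(name, maintenance)] = canary_visible(
                store, getattr(store, name), "campaign_a", "campaign_b"
            )
    return results


if __name__ == "__main__":
    for (name, maintenance), leaked in run_checks().items():
        mode = "maintenance" if maintenance else "normal"
        print(f"{name:20s} {mode:12s} canary visible: {leaked}")
```

Because the marker is a row created for the test, the check shows whether isolation holds without anyone reading another campaign's real records.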
bobbobbins01
(1,681 posts)But he probably doesn't know the counterpart or how trustworthy that person is, or if the Clinton campaign was aware of the issue. Giving them that info could be helpful, but more likely they might just download the entire data set and use it for themselves. Plus going to another campaign and not the DNC themselves seems like a major breach of protocol.
jeff47
(26,549 posts)bobbobbins01
(1,681 posts)No, it isn't practical and I wanted to explain why, but if I came off sounding rude or anything in my reply, that was not my intention and I apologize.
jeff47
(26,549 posts)Btw, great OP.
Le Taz Hot
(22,271 posts)bigwillq
(72,790 posts)K and R.
Maedhros
(10,007 posts)Your assessment is spot on.
I think it was entirely prudent of the Sanders campaign to fire the individuals who accessed the data. Further, I think it shows great integrity on the part of the campaign - rather than try and rationalize the situation, they took immediate and decisive action.
The HNC, on the other hand, is thoroughly inept and corrupt.
PADemD
(4,482 posts)So now, if I call up a name to make a phone call, and there is information there that I did not enter, what do I do? Do I assume that someone from the campaign I'm working for has entered the data or is it data from another campaign because the vendor took down the firewall? Is there any liability on my part just by looking at the data?
Maedhros
(10,007 posts)It will say something like this:
"Warning! This network and associated computer and information systems are the Property of the Democratic National Committee. This system is for the use of authorized users only. Any other use is a violation of Title 18 United States Code Section 1030, and is subject to criminal penalties and civil damages. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by systems personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials."
Do you see such a message?
In any case, what you describe would NOT be considered "in excess of your authority" because you are using the system for approved purposes. The problem lies with the person who allowed the wrong information to be displayed to you.
murielm99
(30,736 posts)if you are working for Bernie's campaign? I thought all Bernie campaign staff and volunteers were locked out until this issue could be resolved.
If you use Votebuilder, you know that the data is being updated constantly. It is updated as people walk and call. If Bernie's campaign still has access, why the lawsuit?
PADemD
(4,482 posts)There are multiple campaigns in many states with access to Votebuilder.
My question was generic, how to recognize that any notations on individual voters were made by someone from the campaign for which you are calling and not because some firewall was down. For example, there could be a notation that a voter was called previously and the results of that call.
murielm99
(30,736 posts)The last time I used it was for the Quinn campaign in Illinois.
I don't know how you would tell who entered the data. Every time you turn in a call or walk sheet, the data on that sheet is used to update the software. Someone from the campaign does the updating, most likely, in your case, a field organizer who is in charge of that part of the campaign. Not everyone has the ability to access and update the software. As a campaign worker, someone entered your info into the database, giving you access to that part of the list that pertains to your campaign and the specific work you are doing.
I don't think you have to worry about some firewall being down. I think if you saw any unauthorized data, you would be able to figure it out. Turn in your data. Ask your campaign or office manager who is entering the data. I think they can answer your questions. If there is a problem with the software, they will tell someone from VAN about the problem.
I think there will be many questions like yours in the coming days. I am sure there will be field reps for VAN who will help your campaign and answer questions.
Since you are using this software, you know how useful it is to campaigns. I hate to see all this speculation and sneering on DU.
Fawke Em
(11,366 posts)I'm not an analyst, but I work for a data security company and I agree, as well.
840high
(17,196 posts)magical thyme
(14,881 posts)Ferd Berfel
(3,687 posts)your analysis sounds on point.
Well done
PS: Does the DNC keep credit card info in this data base?
bobbobbins01
(1,681 posts)Now if only someone at Sanders HQ was reading this. I hear there is a job opening that recently became available...
Ferd Berfel
(3,687 posts)You get MY vote.
Bernie, you need this guy, but you'll have to pay him more than $15/hr
Jim Lane
(11,175 posts)Sanders supporters on DU should send the campaign earmarked contributions -- to be used only to hire you.
Thanks for the informative OP!
bobbobbins01
(1,681 posts)I offered to volunteer IT services to the campaign a few times, but they never got in touch with me. I'm sure they have a good pool of talent for those kinds of things. As of this morning, they haven't posted a job opening on their site for that position, but I'd give my right arm to actually be inside the Sanders campaign.
I've been a member here a long time, but I don't post nearly enough for anyone to recognize my username or anything, so I'm thinking using DU contributions to get me the job would be about as successful as DWS's attempt to derail Sanders.
Samantha
(9,314 posts)I think you are correct, but I also think there might be more of a political perspective in play than one might think. This announcement broke quietly yesterday but ballooned into a fireball this afternoon. Friday afternoon. The Sanders campaign has a lot of work to do before the Iowa and New Hampshire caucuses, and the inability to access their data grinds that work to a halt. You probably know how close these races are, and you probably also know a win or a loss in either or both states will be very influential to Bernie Sanders' destiny.
So while many are so focused on the technicalities of this event, I am more interested in the repercussions of the denial of data to Sanders this close to those elections. How will they even work this weekend without that info?
I find the timing very suspect, and if it were truly that important the DNC would have remedied the situation when the Sanders campaign first reported it three months ago. Waiting until today for a leak to the press to explode election conversation is not in my opinion a coincidence.
And for anyone to make horrendous accusations against Sanders integrity is mindblowing to me. Disagreeing with him on issues and electing to vote for someone else - fine. Challenging his integrity - not fine without absolute proof of the premise.
This is a signal things are going to get extremely vicious from this point on.
Sam
bobbobbins01
(1,681 posts)I tried to stay away from the political component in my OP and just look at things from the view point of an IT professional. I agree with what you say though, the timing is incredibly suspect, and the way it was handled by the DNC was misguided at best, and at worst malicious.
I wonder how long they'll deny them access to that data. DFA is coming out swinging for Bernie right now, and every day they don't have that data is a day that hundreds of thousands of grassroots organizers are ineffective.
6chars
(3,967 posts)Here you go: It is effectively a death penalty for the campaign. Kind of a big decision for DNC to make.
You're welcome.
kenfrequed
(7,865 posts)That was a fairly thoughtful analysis. Well reasoned.
Agony
(2,605 posts)and kept accidentally typing GRANT ALL ON *.* TO 'allusers'@'world';
jeez, this ain't rocket science, you have to wipe the pizza crumbs off sometime?
Those keys are just right next to each other...happens to me all the time!
DVRacer
(707 posts)My impression is that the door was left open on purpose to allow HRC access to Bernie's info. When the Bernie campaign found the open door in October they were blown off with yeah we will fix that. Well it never got closed so Bernie's guy went in to data log the extent of the open door and have proof. When the DNC realized this could look bad for them leaving the door open they attempted to say it was Bernie's fault that he went through the open door. This reinforces my notions of HRC being corrupt due to all involved with the DNC are people that once worked for her or her husband. I support Bernie so I know I'm biased but this is what I see.
bobbobbins01
(1,681 posts)And given the vendor's missteps I wouldn't rule it out, but you leave the door open for one campaign and not the others, so it doesn't make much sense that they wouldn't do that unless they were either lazy or incompetent. But maybe they left it open just to create some dirt on Bernie's campaign.
Curmudgeoness
(18,219 posts)that both campaigns had access to all the data, and the Clinton campaign also accessed Sanders' data. But they have only noticed that the Sanders campaign was looking at forbidden data. I have no doubt that, if this was available to all of them, the Clinton campaign also got data from Sanders.
bobbobbins01
(1,681 posts)And probably part of the reason the DNC caved so quickly. An audit of the system by a third party would show if the DNC turned a blind eye to it in Clinton's case.
NorthCarolina
(11,197 posts)allow HRC team access to Sanders data. Common sense would tend to imply that is exactly why the DNC caved so quickly in response to the lawsuit.
Dont call me Shirley
(10,998 posts)
boston bean
(36,221 posts)Jessum chrissum the fired guy said so right on MSNBC with Kornacki.
bobbobbins01
(1,681 posts)I don't think I saw that interview, but if you have some info about the database I'd love to hear it. It might change my analysis if the database was structured differently than what my current understanding is.
boston bean
(36,221 posts)Of months ago was a different database. Not the one being discussed in the media today ie the VAN database.
bobbobbins01
(1,681 posts)I don't think that changes much of my initial assumption. It sounds like two databases with the same flaw, which is very common in situations like this. My guess is the vendor patched one but not the other...still negligent, and the Sanders team still probably wanted to test to make sure the data was safe, regardless of which database was in use.
boston bean
(36,221 posts)In regards to this event. Makes it seem like there was an issue with this one database for months. When in fact there wasn't.
Like we told them about many months ago when in fact they did not tell them about any issues with this particular database that they downloaded records and then saved as files.
bobbobbins01
(1,681 posts)The vendor knows their systems. If a bug or flaw is pointed out that is in several different places, the vendor should know this and apply the fix universally. It isn't the Sanders campaign's job to point it out on every database. They showed the flaw, the vendor failed to fix it, end of story.
And from an architecture standpoint, if the vendor did their job right to begin with, they'd only need to correct the flaw in one place to fix it across the board.
IllinoisBirdWatcher
(2,315 posts)Originally NGP handled donors, call lists, and quarterly fundraising reports.
Over the years they purchased stand-alone products like a broadcast email system and a web hosting system, and then linked them with poorly-designed but functional user interfaces.
The VAN was a much later separate product which was integrated into NGP's "turn-key" campaign system.
Yes, ideally from an architecture standpoint, they should be able to apply one fix which applies everywhere. But my guess is that the back ends of NGP's "turn-key integrated" system are still separate databases designed over the years by separate software development teams.
Concerning the security breach in October, I tend to believe what NGP CEO Stu Trevelyan said in his posted apology to the DNC, Clinton campaign, and Sanders campaign - it wasn't actually within the VAN VoteBuilder system, it was another system. However, he carefully does not identify which piece of the NGP turnkey system was breached.
Your first statement is the key: "The vendor knows their systems." One cannot expect campaign staffers, even seasoned IT managers, to know the back-end design of someone else's software.
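The architecture point made in the two posts above (one fix applied in one place versus the same flaw patched product by product), as an added example that is not part of the thread and not the vendor's code. The table names, campaign ids and function names are hypothetical, and the rows are constructed sample data:

```python
import sqlite3

def build_db():
    """Constructed sample data: two separately built back ends, shared tenants."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE voter_contacts (owner TEXT, state TEXT, name TEXT);
        CREATE TABLE email_lists (owner TEXT, state TEXT, address TEXT);
        INSERT INTO voter_contacts VALUES
            ('campaign_a', 'IA', 'A-contact-1'),
            ('campaign_b', 'IA', 'B-contact-1'),
            ('campaign_a', 'NH', 'A-contact-2');
        INSERT INTO email_lists VALUES
            ('campaign_a', 'IA', 'a1@example.org'),
            ('campaign_b', 'IA', 'b1@example.org');
    """)
    return db

# Per-product access code (hypothetical): each team wrote its own tenant
# filter, so patching one product leaves the same flaw open in the other.
def contacts_by_state_patched(db, caller, state):
    return db.execute(
        "SELECT owner, name FROM voter_contacts WHERE state = ? AND owner = ?",
        (state, caller)).fetchall()

def emails_by_state_unpatched(db, caller, state):
    # Same flaw, never fixed here: the caller's identity is ignored.
    return db.execute(
        "SELECT owner, address FROM email_lists WHERE state = ?",
        (state,)).fetchall()

# Single enforcement point: every product's lookup goes through one function,
# so the owner filter exists, and is fixed, in exactly one place.
SCOPED_TABLES = {"voter_contacts": "name", "email_lists": "address"}

def scoped_by_state(db, caller, table, state):
    if table not in SCOPED_TABLES:  # allow-list: identifiers cannot be bound
        raise ValueError(f"unknown table: {table}")
    column = SCOPED_TABLES[table]
    return db.execute(
        f"SELECT owner, {column} FROM {table} WHERE state = ? AND owner = ?",
        (state, caller)).fetchall()

def cross_tenant_rows(rows, caller):
    """Audit check: rows handed to `caller` that belong to another tenant."""
    return [row for row in rows if row[0] != caller]

def audit(db, caller, state):
    """Run the same audit over every access path; return leaked-row counts."""
    paths = {
        "contacts (patched per product)": contacts_by_state_patched(db, caller, state),
        "emails (unpatched per product)": emails_by_state_unpatched(db, caller, state),
    }
    for table in SCOPED_TABLES:
        paths[f"{table} (shared gate)"] = scoped_by_state(db, caller, table, state)
    return {name: len(cross_tenant_rows(rows, caller)) for name, rows in paths.items()}

if __name__ == "__main__":
    for path, leaked in audit(build_db(), "campaign_a", "IA").items():
        print(f"{path}: {leaked} cross-tenant row(s)")
```

The audit helper is the part worth keeping after a fix: run against every access path, it shows whether a patch reached all products or only the one where the flaw was first reported.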
questionseverything
(9,654 posts)it has always been the van data base that is the problem
great op btw
paleotn
(17,912 posts)....Regardless who, what and when, do you think it's acceptable that the Sanders campaign be barred from accessing data that belongs to them? That data is property, you know. I would expect such from Rethugs, but from unabashed Hillary supporters?.....Well, yes I would expect dirty tricks from Hillbots actually. Saw enough of that crap in 2008.
OilemFirchen
(7,143 posts)Yes, Uretsky stated such.
An amazingly long OP and a remarkable number of comments from supposed professionals about something that didn't happen.
Glad they don't work for me.
bobbobbins01
(1,681 posts)If there is more information I was unaware of, I'll be happy to take it into account and provide you with my thoughts. I can only work with what I currently know, and there are still a lot of questions in the air and misinformation making the rounds.
OilemFirchen
(7,143 posts)I pretty much stopped at this:
... and glazed over the rest.
Uretsky stated in his interview with Kornacki that this alleged breach was not on the system in question.
Please note that I'm not accusing you of intentionally misstating this fact, but it did deter me from investing the time in reading the rest.
Perhaps you could summarize your observations with this in mind?
bobbobbins01
(1,681 posts)It was the same breach that should have been fixed by the same vendor. Whether or not it happened on a different system this time doesn't mean it was a different flaw. If that were the case, the vendor didn't fix the flaw universally, and all my points still stand.
Number23
(24,544 posts)
OilemFirchen
(7,143 posts)In the interim, we now have dozens of "expert" "analyses" from "professionals", all predicated on this lie. There's a new one, repeated as an OP, that states unequivocally that the "firewall kept going down" - and that's why the "white hat" Sanders IT staff extracted proprietary data. You. Can. Not. Make. This. Shit. Up.
OT, but I'm so tickled that a number of our longtime members are just now revealing themselves as "former lawyers". What a treat!
Number23
(24,544 posts)Sanders' abysmal support in minority communities became an issue.
It was everybody's fault on the planet but the Sanders campaign for what happened. And my favorite excuse is the idea that because the campaign allegedly reported the security issues in October, that somehow makes their rifling through files they KNOW they have no business accessing okay in DECEMBER.
OilemFirchen
(7,143 posts)"Since we got no response in October, let's rifle through someone else's files in December and NOT TELL ANYONE!"
"Dude! Totally upworthy!"
ejbr
(5,856 posts)that this is based on his experience and DWS may have changed things...so chill out.
saidsimplesimon
(7,888 posts)could have been avoided by all parties involved. The MSM has something to talk about besides the Don and that's almost welcome.
elfin
(6,262 posts)She is so outrageously partisan for HRC in the primary process, that she hurts the whole party and even her preferred candidate IMO.
She is not doing her official job as has been pointed out in many other areas and ways over the past year on DU.
pnwmom
(108,977 posts)There was a DIFFERENT leak a couple months ago, that was addressed at the time. The new leak today just happened today and was only occurring for a short time before someone reported it to the vendor (not the Sanders's campaign) and the vendor investigated and plugged it.
bobbobbins01
(1,681 posts)I could be wrong though, so if it has been said otherwise, please show me where I can read about it. Seems like every time this vendor did some work on the servers, they left a gaping security flaw. The Sanders campaign says they alerted the DNC previously, are there facts that show otherwise?
pnwmom
(108,977 posts)the whole two months.
And suppose you walked by a bank and noticed the back door was unlocked, and you reported that to the authorities. Two months later you walk by again, check it, and it's unlocked again. Is it okay for you to walk in and help yourself?
bobbobbins01
(1,681 posts)My whole OP pretty much goes against all of that, and the previous glitch was the same one that did not get corrected, so that point is irrelevant.
pnwmom
(108,977 posts)to walk through it and so did the campaign -- which is why they fired him.
bobbobbins01
(1,681 posts)and that person finds a flaw allowing competitors to access that data. The next time that flaw occurs, that person is going to check to make sure their data is still safe. As I said, this was all mentioned in the OP, not sure why I need to repeat myself.
pnwmom
(108,977 posts)You call the vendor or the DNC.
valerief
(53,235 posts)
pnwmom
(108,977 posts)if it weren't immediately fixed.
He had no legal or moral right to steal the HRC campaign data just because he could.
valerief
(53,235 posts)
pnwmom
(108,977 posts)That would have been far preferable to going in and stealing data.
valerief
(53,235 posts)
SusanCalvin
(6,592 posts)
WillyT
(72,631 posts)
highprincipleswork
(3,111 posts)
GoneFishin
(5,217 posts)at the chance to feign victim status to justify screwing over Bernie yet again.
PatrickforO
(14,572 posts)I very much appreciate this post and am saving it for further reference.
As a Bernie supporter, I got so pissed about this that I donated more money to Bernie, signed MoveOn and DFA petitions calling for Wasserman Schultz to resign and directly called the DNC to make my feelings known.
I urge other Bernie supporters who might read this post to do the same. Here are some links:
https://secure.actblue.com/contribute/page/duforbernie
(Note: Omaha Steve is terminally ill: So let's get in there and send Bernie another few million in small contributions!)
http://petitions.moveon.org/sign/remove-debbie-wasserman?source=s.tw&r_by=10417644
http://act.democracyforamerica.com/sign/dnc_sanders_van?akid=s120223..hgBpUE
Here's a good tip from a FB poster
"Regarding phone calls to the DNC, call their cash donation line instead. That number is 877-336-7200. Calling this number forces live staff to deal with you, and keeps them from getting a donation call at the same time."
George II
(67,782 posts)And as for your second point, you're telling us that in order to find out how much their own data was compromised they compromised the data of another candidate? Highly implausible explanation. They could very easily have accessed their own data as an "outsider" to see how much it was compromised.
bobbobbins01
(1,681 posts)I worked there many years ago, but I, like most people who do what I do, stay educated in my field, so I still know what I'm talking about.
And for my second point, you respectfully don't know what you're talking about. Very quickly, if I have a data admin account for Bernie's campaign and I notice I can access Clinton's info...what outside account could I create with the same access rights to test my own data? I couldn't, unless I could create accounts for other campaigns, in which case I'd still be breaching (in a much more egregious way) another campaign.
tularetom
(23,664 posts)This is just a sample of what we can expect from a Clinton presidency. Every friggin action will be a cause for controversy, there will be insinuations and accusations of favoritism and unethical behavior. Nothing positive will be accomplished. She'll spend her entire term telling us she is not a crook.
Divernan
(15,480 posts)
baldguy
(36,649 posts)I think we need to comb through all of Bernie's email for the last 10 yrs.
After all, you never know what sort of wrongdoing might be uncovered.
Paka
(2,760 posts)Thank you for this very well written analysis. As someone who is completely ignorant when it comes to IT, you made it clear enough for me to understand.
Indepatriot
(1,253 posts)I guess if you can rationalize Operation Murderous Rampage this one's cake...
PosterChild
(1,307 posts)..... they should never have accessed anyone else's data. Whether it was understandable or not, whether it was of actual material benefit to them or not, it just should not have been done.
It's like the official who gets entrapped in a sting operation and then claims he was trying to conduct his own investigation. True or not, no one is going to believe you.
bobbobbins01
(1,681 posts)But honestly, coming from an IT perspective, if I noticed a breach like that, it probably wouldn't even occur to me that I was doing something wrong. I'd have ended up doing the same thing, in an attempt to figure out what the error is, and possibly pass that info on to the vendor.
They didn't get it fixed on their own, so any extra data that a user can provide to help pinpoint the problem is helpful. I pull my hair out because most users of a system describe errors they encounter in such vague terms that it's almost impossible to fix.
So yes, the right thing to do would have been to stop, but I don't think a firing was in order unless that data was used improperly.
glinda
(14,807 posts)
ChiciB1
(15,435 posts)There's been something fishy about her from DAY ONE! Bill Press has been known as a Hillary supporter and even HE'S talking crap ABOUT DWS!
There may be a shit storm coming, and I can only hope DWS gets her ass handed to her!
cascadiance
(19,537 posts)If one early on sensed that there was a breach of security in Bernie's data, and there were concerns how much others could get to it, they might also want to know if it was selectively a breach that just exposed Bernie's data, and not Hillary's.
If it was just a big mistake, then arguably, then data for both sets of candidates would be equally exposed in a bad way. But if it was only exposing Bernie's data, and not Hillary's, then that might mean that there was some intentional exposure of the security of Bernie's data and that there could have been complicity with some pro-Hillary elements of the DNC trying to make "available" Bernie's data to spy on. That of course would be very bad, but would be something that Bernie's campaign would like to try and assess independently, if they felt there might have been an inside effort to complicitly just expose Bernie's data. I don't know if it were concerns like that that might have led to the attempts to get to Hillary's data to see if the same apparent holes existed for both parties' data, but that might explain what happened there.
I guess I'm just trying to note that if there were concern of some various different complicit actions by the DNC trying to favor the Clinton campaign (where it seems like this atmosphere has already been created the way the debates have been handled, etc.), then I can't fault them for at least trying to access the data to see if each candidate had different levels of EFFECTIVE security over their data, and could understand why in that context why they might not want to work directly with the DNC in this instance to do this, if they suspected some possibility of DNC complicity there.
As you note though, if they went ahead and later used a lot of that accessed data to work against the Clinton campaign, then that is something that should not be acceptable within the campaign, which would justify firing of some people.
I think for the DNC leadership to have not had sufficient oversight to allow this sort of data breach to happen should have them being a lot more bending over backwards to fix this problem, and then working extra hard to work with each of the campaigns to help them with accessing the data properly, instead of tightening up the data for official use so much that it hurts any of the campaigns when they do so. That's incompetent management in the DNC, and incompetent management that should be fired.
Thespian2
(2,741 posts)
blackspade
(10,056 posts)Good read and well reasoned. K&R
moondust
(19,979 posts)is how long DWS/DNC have known about this without making it public. Have they been sitting on it for a while? Have they been waiting for just the right moment to release it to achieve maximum destructive effect? Along come the DFA/CWA endorsements, pretty good poll numbers, and a record number of contributions on the eve of a debate and...NOW! BOOM!
Have the media said much about this happening in the context of recent petitions to replace DWS for her handling of the debate schedule?
Spitfire of ATJ
(32,723 posts)
emsimon33
(3,128 posts)She is obviously a Republican at heart...and soul...as this type of evil, dirty behavior I am used to from Republicans.
emsimon33
(3,128 posts)
LS_Editor
(893 posts)Right... Nothing was hacked. This information was readily available to everyone, and the first guy that got fired left a trail no one would leave if they had nefarious motives. The story that he was trying to see how the Sanders campaign's information was compromised is credible.
Well done to the Clinton campaign and Hillary shill Debbie Wasserman Schultz, says the satirical source.
Imagine how much money the Sanders campaign will be donated thanks to them.
This shouldn't be surprising considering Wasserman Schultz's record of losing elections across the country.
DNC Changes Name to "Elect Hillary Clinton President 2016"
More at link...
rladdi
(581 posts)or resign. They knew of the issue and made no effort to fix it. I was thinking the DNC was smarter than the GOP, but guess not. How can we support an incompetent DNC. They need to resign NOW. I do NOT fault Bernie campaign, anyone would have done the same, as all data was exposed to anyone.
cherokeeprogressive
(24,853 posts)
bobbobbins01
(1,681 posts)I've seen their show, it's old and tired. They're all toothless.
SoapBox
(18,791 posts)Good post.
It's really been making me more and more mad, about the amateurish and incompetent actions of DWS over this...not to mention how blatant she has been in supporting the Hill campaign.
Be afraid Dems...be very afraid of the incompetence.
Uncle Joe
(58,355 posts)Thanks for the thread, bobbobbins.