2016 Postmortem
As someone involved in IT work
The whole DNC "breach" thing is a cover for political gain.
Think about this a moment outside of the media brouhaha.
Imagine that Amazon, while upgrading their system, exposed customer credit cards and other personal data and customers were able to get other people's private information by doing a search. The press would not be going after customers who noticed the issue and ran some searches to see how much came up. Everyone would be up in arms that Amazon allowed this to happen. They might well be seen to be open to a serious lawsuit and possibly government fines or worse.
Imagine if they went and tried to blame it on their customers?
As one who works in IT and is trained on data security, there are so many things wrong with the picture that are *not* being covered.
It is incredibly simple, and there are many ways to remove public access to such applications while you patch, which is the least that should have happened and would have in most organizations. Then you do not return access until you have... TESTED!
And that is only one facet. There were so many security standards and practices that were obviously not in place that at the least it shows incredible incompetence. They easily may have broken privacy laws and certainly are exposed to liabilities.
The Sanders campaign acted appropriately and did what they should.
With the press coverage, the DNC response, and the vendor blaming the customer for their massive failure, it is hard to see this as much other than political gamesmanship.
My 2 cents.
arcane1 (38,613 posts)
Ferd Berfel (3,687 posts)
99th_Monkey (19,326 posts)
I wouldn't hold your breath. The vendor is in on this, up to his eyeballs.
arcane1 (38,613 posts)
Mnpaul (3,655 posts)
hedda_foil (16,399 posts)
Something that's been bothering me is that a senior IT staffer on Bernie's campaign previously worked for NGP VAN. It could mean any of a number of things but I'm uncomfortable about it.
notadmblnd (23,720 posts)
But they insist that it's all the Sanders campaign's doing.
tecelote (5,122 posts)
Wasserman Schultz was campaign co-chair for Hillary Clinton's 2008 presidential campaign.
Nathaniel Pearlman (the vendor) was chief technology officer for Hillary Clinton's 2008 presidential campaign.
These two should be fired.
notadmblnd (23,720 posts)
and the DNC and HRC can't risk that now, can they?
tecelote (5,122 posts)
So they called the media and said "Bernie did it".
So transparent.
Hey... it's getting Bernie attention. Something they were trying to avoid.
Maybe they evened the field a bit unintentionally.
notadmblnd (23,720 posts)
and media attention galore. It has even knocked Donald Trump off the screen 24/7. Today the MSM is only talking about him 12/7.
tecelote (5,122 posts)
Did you see this on MSNBC - pro-Bernie all the way!
http://www.democraticunderground.com/?com=view_post&forum=1017&pid=315875
This is who America needs for a President.
notadmblnd (23,720 posts)
This does not make the Sanders campaign look bad. This makes the DNC, Wasserman-Schultz and now (because her spokesperson essentially declared war by accusing Sanders of stealing millions) HRC look bad.
They look more desperate now than ever and Wasserman-Schultz looks like the villain.
SusanCalvin (6,592 posts)
certainly in a political sense. Aren't high-level politicos supposed to understand human nature in general and individuals in particular?
newthinking (3,982 posts)
I know for me it is not just about the way they are attempting to paint the Sanders campaign, but the same bullshit negative and manipulative crap that I consider corruption and am tired of.
notadmblnd (23,720 posts)
nt
Fantastic Anarchist (7,309 posts)
I did and it felt great.
Also, call the DNC and let them know what you did and why.
That felt even better.
ViseGrip (3,133 posts)
They were not stealing anything. And why would the firewall be removed a SECOND TIME???
tecelote (5,122 posts)
And, why would they call the media?
peacebird (14,195 posts)
mindwalker_i (4,407 posts)
It's a feature.
How many people have gotten in trouble for notifying software makers that they had bugs?
Fawke Em (11,366 posts)
It's called "responsible disclosure" and most vendors welcome it.
https://en.wikipedia.org/wiki/Responsible_disclosure
LiberalArkie (15,767 posts)
randys1 (16,286 posts)
notadmblnd (23,720 posts)
I rarely pay any attention to what forum I'm reading when it comes up on the latest page. You can still post in GDP; going to anyone's "safe place" is for the birds if you ask me. Safe place, what a freaking 5 year old term. Poor victims.
7962 (11,841 posts)
The story was listed in the "trending" or "top stories". So you post in it and are immediately banned from a group you didn't even know you were in.
Childish and ridiculous.
notadmblnd (23,720 posts)
I guess personally, I can't imagine being afraid of anonymous people on the world wide web disagreeing with me. That's just how I roll though.
7962 (11,841 posts)
erronis (15,818 posts)
Just kidding, DUMasters.
Ferd Berfel (3,687 posts)
1: As reported elsewhere in DU: Report: Sanders campaign told DNC of data issue months ago
http://thehill.com/blogs/ballot-box/presidential-races/263730-report-sanders-campaign-told-dnc-of-data-issue-months-ago
2: I worked in the DNC IT Department (DB specialist) during the 2004 election. My opinion on the breach:
http://www.democraticunderground.com/?com=view_post&forum=1251&pid=912740
progressoid (50,133 posts)
VanillaRhapsody (21,115 posts)
For Sanders...
Segami (14,923 posts)
justiceischeap (14,040 posts)
Specifically about how the software patch was handled. It's obvious that the testing environment (if they have one) isn't an exact duplicate of their production environment (which, as you know, can cause issues). This should have been caught before being placed into production. That said, mistakes like this happen all too often. If I were the VAN company, I would fire whomever was in charge of QA (or hire someone if they don't have someone already).
I disagree that the Sanders campaign acted appropriately because they didn't. They signed a contract with the DNC/VAN that they would not look at other campaigns' information yet they did. They should have immediately gotten on the phone with their attorneys, then on the phone with someone from VAN and talked to them about what they discovered. Instead of actually poking around in the data (which their signed contract says they aren't allowed to do), they should have taken a screenshot for proof and sent that to customer support. Involving the attorney would have let them know they couldn't do the searches they were doing.
Instead, this guy did something that may have been harmless on its face but it's become this huge scandal for Bernie (and it makes some Bernie supporters look like lunatics for starting HRC conspiracy theories) and did something that, in the contract, stated they would lose access to the system if they did this.
SusanCalvin (6,592 posts)
And I got a much-needed, if sardonic, laugh from your insinuation that the vendor might not have any QA.
ejbr (5,859 posts)
SandersDem (592 posts)
DU is doing this tonight and taking down the site for a few minutes for updates.
An original OP of much clarity!
PDittie (8,322 posts)
I appreciate the fact that merging or comparing databases from more than one vendor would be problematic, but so is the current system.
"It's a monopoly that's been created and forced down the throats of all Democrats," John Phillips, co-founder of the non-partisan political data firm Aristotle, told POLITICO. "Monopolies are notorious for overcharging their customers, screwing their customers. That's what's been going on on the Democratic side for quite some time."
Rival vendors like Aristotle have been the most outspoken critics of the current Democratic setup, which gives the nearly 20-year-old company NGP VAN sole distribution rights to the party's valuable voter file. That database includes voting history, address and contact information for registered voters, which both the Clinton and Sanders campaigns rent and then supplement with their own collection of information.
Central to the NGP VAN business model is a supposedly secure firewall that keeps any information that one campaign collects away from a rival political player. But that security system was exposed this week, NGP VAN admitted, because of a software error.
http://www.politico.com/story/2015/12/democrats-data-breach-vulnerability-216955
KoKo (84,711 posts)
seems to be very risky.
Back a few years ago it was found that Dems and Repubs (in the US House) were sharing the same computer system and the Repubs had hacked the system for the Dems' files. Someone resigned over it, but there was little follow up about why they were using the same server to store data for rival parties, which could reveal classified and internal information from Select Hearings and Investigations by Committee Chairs plus other private committee work and discussions.
erronis (15,818 posts)
And partitioned so that no individual or group can access data outside of their Access Control (or whatever). My reading of this information is that there are no Operating System (OS) constraints, just well-intentioned programming ones.
If this is enforced only by some 20+ year-old software written by people that owe their allegiance to the Clinton camp, it is unethical. I would say it is grounds for Clinton to repudiate her ties to the DLS/DWS. In fact, not just in words (which seem to be wildly different at times).
Echoing what another comment made, why is it necessary for the DNC to have access to all of this information in the first place?
When there is someone whose personal connections go to Bill and Hil, why should s/he have any position of administrative privilege? Even as assigning it to her friends/nephews/BF?
mountain grammy (26,787 posts)
or a success, if you're a Republican. She has absolutely no credibility, in my opinion.
CajunBlazer (5,648 posts)
.... while taking care of it for me while I was on vacation. Then someone else went into my house and stole some of my furniture. Who would I blame - first my neighbor who was careless.
However, my real problem would be with the person who took advantage of the situation and stole my furniture - because that person broke the law, a well-known rule.
Well the IT vendor screwed up, and maybe not for the first time, and should accept part of the blame. However, the Sanders campaign broke the rules and stole the data. They admitted as much when they fired one of their staffers over the incident.
The only reason they are suing is to get access to their data as soon as possible.
newthinking (3,982 posts)
I used an example before where we would switch this to be Amazon and during their patch customers had access to other customers' credit cards and private info. It is an apt analogy that takes away the political component.
Customers would be considered innocent in intent unless they actually used the data. Authorities would go after someone only if they try to use the information in a real, tangible way. We don't know their motives/intent until they do so.
The DNC doesn't stand a chance in a legal court unless they can prove the intent and destroy a legitimate argument of trying to see what was compromised.
It is the nature of the negligent behavior that changes the dynamics as well. Any court would throw this out because it is completely unreasonable to effectively make data that is understood to not be available available and then assign intent and blame. You just can't do that when the data was implied to be "fire-walled". It won't hold up in court. You can't make a contract component like that stick in a real world situation where the vendor does what it did. That is why those software contracts we all don't fully read are not quite as powerful as they sometimes claim.
Samantha (9,314 posts)
Recommended your thread.
Sam
MyNameGoesHere (7,638 posts)
of cc's, personal information and more. How is this one the exception?
Thinkingabout (30,058 posts)
To use your information, download it to another file to use as the hacker sees fit? It may be okay with you but it is not okay with me. Sanders fired one from his campaign staff; he knows it was wrong and made the move to get rid of the person. Should we now have a lawsuit filed against Sanders for firing the guy and denying him employment? I doubt if Sanders would agree.
newthinking (3,982 posts)
I don't know about you, but in my job I can be fired for making an innocent but destructive mistake in judgement or in real terms. Just like the person who did not shut down access to the application while patching could, and would, be fired by many firms for not securing the data while it was worked on.
Thinkingabout (30,058 posts)
Result in criminal charges, I would be fired and criminally charged.
Paka (2,760 posts)
The campaign staff did not use any of the information. They explored to find out how extensive the glitch was.
Thinkingabout (30,058 posts)
Was copied to Sanders which was in Hillary's portion. BTW, tell Bernie it wasn't anything, he fired the guy. Is Sanders wrong to have fired the guy? The guy violated the rules agreed when access was given to the Sanders campaign. He sure did not help Sanders.
Metric System (6,048 posts)
their system and go fishing for customer information and credit cards. Am I blameless?
newthinking (3,982 posts)
a link that was accidentally placed on the wrong page? You certainly can't be convicted in court for that.
So, to continue this analogy, Amazon would likely be much more concerned about the fact this was available as well. If I created that link or removed that firewall you can bet they would fire me before offering an apology and recompense to, yes, even the customer that happened upon (it is called discovered) the issue.
Actually it happens all the time: white hats find vulnerabilities and report them and they do not go to jail. They are seen as helping. People get good paying jobs this way.
BeanMusical (4,389 posts)
Lithos (26,408 posts)
The data we deal with is much larger and even more coveted. I too am incredulous about this series of events.
Either this is a series of events as coincidental and amateur as a Keystone Kops movie, or it was purposeful.
A few sample points which I have issue with:
- Whole lack of test coverage for the change.
- The lack of independent pen (penetration) testing and audit controls, i.e., they were never testing their firewalls.
- The lack of response when an incident is reported (especially when it was back in October).
- And I have a huge issue about the mixture of data. If, as reported, the data was segmented by a firewall, this would imply there were multiple database instances which would have different AAA (Access, Authorization and Authentication) mechanisms. However, the Sanders people were able to access this data, which implies this was shared data and a "firewall" was not in between. I.e., this was a failure of the AAA above, which is a much more deliberate change (i.e., not due to a simple firewall change).
L-
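The point made in the post above (a "firewall" that is really application code over shared data rather than separate instances with their own access control) and the original post's point that access must not be restored until the patch has been tested, as an added example. This is constructed illustration code written for this page, not NGP VAN's or the DNC's software; the table layout, the tenant names and the voter rows are invented. It contrasts a shared table whose only tenant isolation is a WHERE clause (a refactor can drop it silently and nothing below the application notices) with one store per tenant, and ends with the kind of cross-tenant check a release gate should run against staging before public access is restored:

```python
"""
Tenant isolation at the data layer, two ways, plus a release-gate check.

Constructed example for this page; not NGP VAN's or the DNC's code.
Table layout, tenant names and voter rows are invented.
"""
import sqlite3

# Constructed sample rows: (tenant, voter name, private note added by that campaign)
SAMPLE_ROWS = [
    ("campaign_a", "Pat Voter", "strong supporter, call Tuesday"),
    ("campaign_a", "Sam Voter", "undecided"),
    ("campaign_b", "Pat Voter", "hosted house party"),
    ("campaign_b", "Lee Voter", "donor prospect"),
]


class SharedTableStore:
    """One shared table; the 'firewall' is a WHERE clause in application code.

    `patched=True` simulates the kind of regression the thread describes: a
    code change that silently drops the tenant predicate. Nothing below the
    application layer stops the resulting cross-tenant read.
    """

    def __init__(self, rows, patched=False):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE voters (tenant TEXT, name TEXT, note TEXT)")
        self.db.executemany("INSERT INTO voters VALUES (?, ?, ?)", rows)
        self.patched = patched

    def search(self, tenant, name_prefix):
        if self.patched:
            # The regression: tenant predicate missing after a refactor.
            sql = "SELECT tenant, name, note FROM voters WHERE name LIKE ?"
            params = (name_prefix + "%",)
        else:
            sql = ("SELECT tenant, name, note FROM voters "
                   "WHERE tenant = ? AND name LIKE ?")
            params = (tenant, name_prefix + "%")
        return self.db.execute(sql, params).fetchall()


class PerTenantStore:
    """One database instance per tenant, holding only that tenant's rows.

    Query code receives a handle that physically cannot see other tenants,
    so the same dropped predicate cannot leak anything. An unknown tenant
    raises KeyError: fail closed rather than fall through to everything.
    """

    def __init__(self, rows):
        self.instances = {}
        for tenant, name, note in rows:
            if tenant not in self.instances:
                db = sqlite3.connect(":memory:")
                db.execute("CREATE TABLE voters (name TEXT, note TEXT)")
                self.instances[tenant] = db
            self.instances[tenant].execute(
                "INSERT INTO voters VALUES (?, ?)", (name, note))

    def search(self, tenant, name_prefix):
        db = self.instances[tenant]
        # No tenant predicate here at all, and none is needed.
        rows = db.execute("SELECT name, note FROM voters WHERE name LIKE ?",
                          (name_prefix + "%",)).fetchall()
        return [(tenant, n, note) for n, note in rows]


def cross_tenant_leaks(store, tenants):
    """Release-gate check: search as each tenant with a match-all prefix and
    report every row that belongs to someone else. Run it against the staging
    deploy before public access is restored; a non-empty result means the
    build must not ship. Returns a list of (searcher, owner, name) tuples."""
    leaks = []
    for me in tenants:
        for owner, name, _note in store.search(me, ""):
            if owner != me:
                leaks.append((me, owner, name))
    return leaks


if __name__ == "__main__":
    tenants = ["campaign_a", "campaign_b"]
    print("shared, unpatched:", cross_tenant_leaks(SharedTableStore(SAMPLE_ROWS), tenants))
    print("shared, patched:  ", cross_tenant_leaks(SharedTableStore(SAMPLE_ROWS, patched=True), tenants))
    print("per-tenant:       ", cross_tenant_leaks(PerTenantStore(SAMPLE_ROWS), tenants))
```

The check is deliberately dumb: it does not know how the store is built, it only knows what each tenant should and should not be able to see. That is what makes it useful as a gate between "patched in staging" and "public access restored": it catches the dropped predicate in the shared-table design, and it keeps passing for the per-tenant design no matter what the query code does.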
newthinking (3,982 posts)
It sounds more like the vendor "claiming" a barrier that is not actually a firewall, but more likely some other slight degree of separation. But like you I also see that if this breach happened then obviously the degree of separation is not NIST or any other standard compliant and just pretty much a "cover their ass" argument at best.
dogknob (2,431 posts)
jalan48 (13,989 posts)
Does she seriously think she will get the overwhelming support Obama received from all Democrats when he became President?
Thespian2 (2,741 posts)
bigtree (86,312 posts)
...it still needed to be accessed by the campaign as it was available as a mere link indicating it was info from another campaign.
The mistake was going ahead and accessing the info. Are you saying the Sanders campaign's data director didn't know that wasn't allowed?
blackspade (10,056 posts)
valerief (53,235 posts)
Bread and Circus (9,454 posts)
Matariki (18,775 posts)
And then went on to say "firewalls don't go down, they're taken down".