I work in digital D politics professionally. I can't tell you how many Congressmen use multiple @yahoo or whatever personal email accounts, social, and wordpress accounts with very guessable and repeated passwords. Even the young 'savvy' ones.
And I know this because the creds are shared in plain text with multiple people over email (like me) or put into a shared google doc.
We enforce 2fa for our consultancy staff. I would love to enforce it for campaigns but I can guarantee endless problems and troubleshooting especially needy candidates calling because they can't figure out how to get their email.
Another big problem is shitty wordpress sites filled with plugins. Literally I see $10k sites (FEC reports!) designed using a $100 paid drag and drop theme with even more plugins thrown on top. It's a big pet peeve of mine and when I can I move clients to a static plain html site hosted on s3 or similar.
My big concern here is if you have write access to wordpress I could see a scenario where you could upload say verification-hash.html and then reclaim ownership of a domain or regain access to email. Or perhaps some trust attack domain.com/my-innocent-file-has-virus.file
The main D voter file GUI (votebuilder) which all campaigns use to contact voters and work with voterfile data does have 2fa but it's still only SMS. This is my real name so I don't want to throw too much public shade, but let's just say when I have to work with campaign data stored in van first thing I do is export out.
ActBlue which is increasingly the monopoly online fundraising app in my experience has good engineering and for me personally they are the only 'tech' provider for Dems that I jive with (don't get me started on NGPVAN or maybe do, but over PM). AB has 2fa token support, though they should make it mandatory given that if you have AB login access you can do a lot of damage (I've actually had this conversation with them about campaign provided js that shows up on donate pages, putting on separate cookie domain, iframe etc).
I mean the government doesn't take on basic IT security responsibilities for corporations. It's up to each campaign.
The parties can provide support but there are so many races up and down ballot, plus primaries it's impossible. Plus why should the DCCC or whoever waste resources on some non-winnable tiny race.
If say DHS did get involved proactively there would be huge trust and legal issues; any top down direction from govt to politics would be perceived as interfering with political speech/democracy.
I'm a little conflicted on this. Clearly if we leave security to political parties, for many reasons we can expect poor security in IT, which leaves our very democracy vulnerable.
On the other hand, imagine the government mandating "if you run for office, you and everyone in your campaign must use this email for all communications, and if you communicate electronically outside of these approved methods we'll come down on you". The number of ways that could be misused is mind-boggling. Even if it isn't used to sniff on the communications of the opposition, it could simply be raised to higher and higher levels of complexity (and perhaps $$ cost) until new political parties (or insurgencies within a party) cannot afford to compete, because the legal requirements for IT are too stringent.
I think that's the bigger issue than disparate organization complexity/scale (which is a huge hurdle).
Political speech is sacrosanct and despite being pretty liberal I agree with your skepticism of Government. Not so much that it would ever be used for bad, but I think far more likely it just becomes a huge, slow, shitty mess.
The US government does mandate numerous IT security measures for companies involved in military/defence-related projects, justified by national security concerns. The same argument could be made for regulating private organisations involved in national elections.
> I mean the government doesn't take on basic IT security responsibilities for corporations. It's up to each campaign.
Couldn't the DHS provide recommendations (e.g. practices, particular providers and configurations), and the parties provide turnkey solutions to their candidates and elected officials?
It seems foolish to leave such decisions up to such small, short-term groups that shouldn't be expected to have the IT expertise to pick a good vendor.
This may sound a bit glib but the Democrats should just get a contract with Google, give all of their people GSuite accounts, and enroll them in the Advanced Protection Program[0].
It isn't perfect but it would be a massive step up from everyone having their own home-grown solutions that may or may not be secure.
There are a couple of problems with this (and it's a good question!). One is that many campaigns are just small and don't have any in-house IT expertise, even the kind needed to run GSuite.
Another is that GSuite doesn't protect people's personal accounts, which is the big risk here.
APP is nice in theory, but I don't believe it's workable in practice for Congressional campaigns. The keys break too easily, and there is no fallback if they are lost or broken. We have one candidate trying out APP and I'll be eager to hear her feedback. But for the time being, just getting them onto 2FA with yubikeys maxes out people's mental budget for "security stuff".
I'm arguing that it's a nonstarter to hand campaign staff who had not heard of security keys at the start of the meeting an easily breakable dongle and say this is the only way to get in to your email now; don't lose it. They need fallbacks (like security codes or Google Authenticator).
One of the candidates I've trained tours his district full-time in a campaign Winnebago, and doesn't have a campaign office. He interacts with his staff mostly remotely. Almost every candidate is constantly on the road.
It's not that people are lazy or feckless. This is a genuinely hard problem for working campaigns to solve. It's a fascinating environment.
That doesn't mean that his campaign staff are going to constantly lose their security keys. Losing a security key is an infrequent-enough occurrence that the inconvenience of needing to go to campaign headquarters to get a new key shouldn't be too onerous, not to mention that the inconvenience of showing up in person to get a new key serves as the real motivator not to lose the key in the first place.
Look, even security keys may not provide "enough" security. An adversary capable of performing a targeted, in-physical-range attack will be able to sneak a keylogger onto a staffer's laptop (to steal the password) and then take advantage of an opportunity where the security key isn't guarded to swipe the security key for either momentary access or to register the attacker's key for long term access - which won't be caught without persistent auditing efforts, which most campaigns won't do. As always, the question is "how do we raise the cost of an attack while keeping the cost of defense relatively low" and that's what security keys do really well.
Edit: look, specific campaigns may have different ways of adopting the pattern. Maybe the candidate without a dedicated campaign office could keep the keys in a safe in the candidate's home. Maybe national candidates / candidates whose staffers would need to drive for an unreasonable amount of time to get a replacement key, maybe there can be local caches of keys in different cities, where some independent business figures out a way to register numbered security keys for online accounts in a relatively anonymous way for both remote businesses and whoever else. Still doesn't mean that security keys are a bad idea.
APP is great if you're traveling abroad or if there is a specific threat you need to mitigate for a few weeks, but it's not really a viable longterm solution since it disables all of the third-party apps that candidates need to use for their campaigns. For the average candidate, they're going to improve their chances of winning much more by using a CRM than by forgoing its use on the off chance a state-sponsored attacker tries to steal their data from Intercom or HubSpot or whatever. When you're starting out with zero supporters and zero dollars and need to somehow connect with over 50% of voters within the span of a few months, it just isn't a super realistic trade off to make. Especially when you can enable almost all of the same security features piecemeal without it.
Interesting. I wonder if they're just using browser extensions though to get the same functionality? Since if you have any browser plug-ins installed (e.g. AdBlock), you've got the same potential issue.
Here I will defer to everyone else who knows more about APP than I do; that one tidbit I brought up was related to me by an HN-phobe who didn't want to say it themselves. :)
Yeah I don't know much about APP. As far as I know, no one does; there doesn't seem to be any information at all about what OAuth scopes (if any) are allowed.
In general though I think we'd be better off with Google just adding more restrictive OAuth scopes and improving their logging functionality so that users can see how apps are using their data. I'm clearly biased since my app is built on Gmail OAuth, but I generally just think that for whatever issues OAuth has, pushing people toward browser extensions or IMAP is a step in the wrong direction.
No Democratic organization (DNC, DSCC, DCCC, OFA) really holds sway over campaigns. The DCCC would basically never say "hey, use these 2FA dongles or we're not sending money" to a competitive campaign, and they definitely can't do that over personal accounts ("hey ditch Yahoo! or we're not running any ads"). Maybe they should, it's debatable, but there's a lot of things we should do that are on the spectrum of "unimportant in the grand scheme of things" to "infeasible".
Campaigns I have worked with are generally eager for this kind of training and would gladly accept it if it were offered. They are aware of the hacking threat and feel out of their depth.
I think a good starting point is to simply offer in-person training at key points in the campaign (on filing, after a primary win, and before the general election).
Super agree, this would be fantastic. I'm sure there are people at the DNC and elsewhere who would be happy to advocate for the (very small amount of) funding it would take -- as you wrote it should be a top priority.
The main DSCC and DCCC can and will force campaigns to use approved vendors and they could very easily enforce google apps. This only works where they provide $ or staff though as leverage. But generally I think carrot works better than stick.
Kind of and in some cases sure (most obvious is union printing), but if a campaign says "no", really all the DCCC can do is threaten to pull resources (which they wouldn't for a competitive campaign). Really this happens more as advice and political pressure.
But also consider downticket races like secretary of state or state ag. Then you're talking state parties who have almost no power at all.
So yeah I think carrot is definitely better than stick, but there basically is no stick. I do think the DCCC should set up gapps for every general campaign and provide it for free, and should probably also offer it to professional Democrats, also for free, but this is a larger tech infrastructure question that starts to include organizing tech, website tech, VAN, email tech, etc. I personally think we should provide all those things, but there are a lot of (vendor, of course) politics involved, it's not cheap, and things like 2FA are so far down the list you can't see them. Again I think we agree, I just think a lot of people think the party controls campaigns and that's largely not the case, and even when it is there are arguably more urgent issues (campaign finance law training, ex) that could benefit from any kind of standardization.
Would you be willing to chat about approved vendors? I can't find your email, but here's mine: derrick@amass.ai
My team did some work for the KS04 special election last year, and now we've developed a service for political campaigns. But traction.. maybe we're getting screwed by this approved vendors thing.
Curious why Google requires their users to use Chrome or Firefox but can't use Safari to access Google Services when enrolled in that program? "And you will only be able to use Chrome and Firefox to access your signed-in Google services like Gmail or Photos." I could see them just requiring Chrome but curious why they would block Safari over Firefox.
Google didn't support U2F for Gmail in Firefox for a long time because Chrome was incorrectly implementing the spec [1] and relied on interoperability with their previous proprietary implementation [2] of U2F, and Gmail relied on that. Apple has been a better actor in this regard than Google has, since they are planning to implement the spec as written [3].
My memory was that Firefox had implemented a newer draft (or final version?) of the spec. Sniffing the UA to avoid providing broken stuff to people isn't exactly evil.
What we're trying to protect here is people's personal accounts. So even campaigns that use GSuite have people's personal stuff just on random Gmail (or Yahoo, or AOL...)
I've been working on sensitive projects with trained professionals for 2 decades and have watched how hard it is for people to keep personal computing resources and professional ones separate. The idea that campaign staffers would be required to maintain a level of OPSEC that IT security people can't reliably maintain seems unrealistic and unproductive.
I think people have a broken idea of what a congressional campaign actually is. It's not an enterprise with a security team. It's a bunch of random people working together for a year or so, and only for a few months full time, at that. That's what makes them targets. Whatever our industry does to protect campaigns needs to engage with the reality of what a campaign is, rather than pretending they're all credit scoring firms that should have known better than to not spend all of their $13,000,000 security budget this year.
work related emails already are on gsuite. yeah they could require 2FA and other stuff, but the more friction, the more people will fall back on personal emails.
Campaign workers have like 2 days of training total. it is what it is. Even at high levels of staff, many are on sabbatical from their main careers.
Though, if there was a moment for behavior change, this would be it.
Really, it might be easiest to get campaign staff on some secure messaging app instead of email, cause trying to explain different levels of email security will simply go over laypersons heads. My region of staffers all used GroupMe -- I wouldn't be surprised if the DNC doubles down on Slack or something similar.
That would be one way to do it, but it's a lot more effort than "everyone just uses their own email, we never set anything up", which is the default and also free -- and default/zero effort/free is extremely popular. Even if there is an IT setup on a campaign it's not guaranteed everyone will be onboarded onto it. People come and go, balls get dropped, etc.
There are other bonuses to this too. The first that comes to mind are that campaigns are transient; using your own email can help you with document retention requests in the event of lawsuits. But I think mostly that political professionals use their email for a lot of different things, and keeping everything in a single account is a lot more convenient than dealing with multiple campaign accounts.
No, it's the stuff in the personal accounts that's a more interesting target. You're trying to dredge up stuff on J. Random Candidate (or their manager, or staffer) that will distract and derail the campaign. Pictures of someone doing a bong rip in college, details of interpersonal drama, that kind of thing.
The Podesta emails show how much more mileage attackers got out of drama than substance.
Probably not using the Advanced Protection Program, though. It would have made the accounts much harder to break into since you need a physical key to log in to the account.
Since support for APP seems to be limited to specific browsers/hardware, why not at least do TFA with a one-time passcode app? That seems to be much more widely supported, and it's considerably better than whatever they may/may not be doing today.
That does not guard against the phishing scenario that is one of the biggest threats to campaigns. Any kind of two-factor auth short of a security key is inadequate against that threat.
Why do we need a physical key though? Why don't browsers communicate the URL to the password/TOTP app, and the app only responds or allows fill-ins for matching domains?
Because phones aren't trustworthy. Operating systems can be hacked, privileges can be granted to flawed apps, etc. U2F hardware is single-purpose with a trusted stack end to end.
> the phishing scenario that is one of the biggest threats to campaigns
What phishing scenario, and how is TFA completely defeated by it? The article just says "the best defense against phishing is a 'security key'", but doesn't explain why other options like TFA are inadequate.
I didn't say TFA would be the ultimate solution, but that it's likely to be supported by more things that people use (like apple devices..). If you choose a solution that might be technically superior but require people to make major workflow changes, you'll find they won't use it. TFA seems like a good compromise to me, so I'd really like to understand why you think it is not.
If I show you an impostor website purporting to be Gmail, and get you to type in your password plus authenticator code / SMS code / app notification code, I can get into your email account.
If I do the same and your second factor is a security key, I get a useless binary blob that I can't turn around and hand to Google.
The U2F key gets the actual URL of the page you are on from the browser, so it can't be fooled by impostor websites, however clever. That's the difference, and the reason that Google moved their employees onto security keys. Too many people were getting phished otherwise.
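As an added illustration of the origin binding described above (example code written for this thread, not from the commenter or from any U2F library), here is a toy security-key flow in Python. The authenticator only ever signs the origin the browser reports, so a relayed challenge from a lookalike domain yields a response the real site rejects; the assumption is that an HMAC over a per-site derived key stands in for the ECDSA signature real U2F uses, and all origins and names are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class Assertion:
    key_handle: bytes
    client_data: bytes  # JSON {"challenge": ..., "origin": ...} as the browser built it
    counter: int
    signature: bytes


class Authenticator:
    """Toy security key. The device secret never leaves the key; per-site keys
    are derived from (device secret, app_id), so a key registered for one
    origin cannot produce a valid response for any other origin."""

    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)
        self._counter = 0  # monotonic, lets the RP spot replays and cloned keys

    def _site_key(self, app_id: str, key_handle: bytes) -> bytes:
        return hmac.new(self._device_secret, app_id.encode() + key_handle, hashlib.sha256).digest()

    def register(self, app_id: str) -> tuple[bytes, bytes]:
        # Real U2F returns an ECDSA public key; here the RP stores the derived
        # MAC key instead (assumption: MAC stands in for signature).
        key_handle = secrets.token_bytes(16)
        return key_handle, self._site_key(app_id, key_handle)

    def sign(self, app_id: str, key_handle: bytes, client_data: bytes) -> Assertion:
        # app_id comes from the browser's view of the page origin, never from the page.
        self._counter += 1
        signed = (hashlib.sha256(app_id.encode()).digest()
                  + self._counter.to_bytes(4, "big")
                  + hashlib.sha256(client_data).digest())
        sig = hmac.new(self._site_key(app_id, key_handle), signed, hashlib.sha256).digest()
        return Assertion(key_handle, client_data, self._counter, sig)


class Browser:
    """The browser writes the real origin into client_data; a page cannot lie
    about where it was loaded from."""

    def __init__(self, authenticator: Authenticator) -> None:
        self.authenticator = authenticator

    def get_assertion(self, page_origin: str, key_handle: bytes, challenge: str) -> Assertion:
        client_data = json.dumps({"challenge": challenge, "origin": page_origin},
                                 sort_keys=True).encode()
        return self.authenticator.sign(page_origin, key_handle, client_data)


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.site_key = b""
        self.key_handle = b""
        self.last_counter = 0
        self.pending: set[str] = set()

    def enroll(self, authenticator: Authenticator) -> None:
        self.key_handle, self.site_key = authenticator.register(self.origin)

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, a: Assertion) -> bool:
        data = json.loads(a.client_data)
        if data.get("origin") != self.origin or data.get("challenge") not in self.pending:
            return False  # wrong site, or a challenge we never issued
        if a.counter <= self.last_counter:
            return False  # replayed response or cloned key
        signed = (hashlib.sha256(self.origin.encode()).digest()
                  + a.counter.to_bytes(4, "big")
                  + hashlib.sha256(a.client_data).digest())
        expected = hmac.new(self.site_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, a.signature):
            return False
        self.pending.discard(data["challenge"])
        self.last_counter = a.counter
        return True


def demo() -> tuple[bool, bool, bool]:
    """Returns (real login ok, relayed lookalike response ok, patched response ok)."""
    key, rp = Authenticator(), RelyingParty("https://accounts.example")  # constructed origin
    browser = Browser(key)
    rp.enroll(key)
    legit = rp.verify(browser.get_assertion(rp.origin, rp.key_handle, rp.new_challenge()))
    # A lookalike page relays the genuine challenge; the browser reports the lookalike origin.
    relayed = rp.new_challenge()
    phished = browser.get_assertion("https://accounts-example.test", rp.key_handle, relayed)
    as_is = rp.verify(phished)
    # Even rewriting client_data to claim the real origin fails: the key signed the other origin.
    patched_cd = json.dumps({"challenge": relayed, "origin": rp.origin}, sort_keys=True).encode()
    patched = Assertion(phished.key_handle, patched_cd, phished.counter, phished.signature)
    return legit, as_is, rp.verify(patched)
```

Running demo() returns (True, False, False): only the response produced on the genuine origin verifies, which is the property a TOTP code or SMS code cannot give you.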
> so it can't be fooled by impostor websites, however clever
Can't this be defeated by DNS poisoning? TLS/HSTS would help, but that assumes folks are verifying that the hostname matches the cert... (big assumption)
In any case, I see your point, thank you for explaining it.
I believe there's an additional moving part in the U2F standard (channel ID) that is supposed to mitigate even if someone with a valid cert hijacks the session. But I don't believe it's implemented, and I defer to greater nerds to describe it.
Not all browsers do that, and many major ones display a warning that users have been trained to click through because of at least a decade of similar browser warnings.
I seem to remember Podesta, whose email was leaked, was already using GMail, either because the campaign used it, or he was using a personal account. Activating 2-factor auth would probably have stopped the attack.
It also bears repeating that the leaked emails contained nothing illegal or even immoral beyond a few peeks of how the sausage is made that were only outrageous for people looking for a reason to be outraged. This discussion sometimes gets dangerously close to victim blaming.
I wonder if the reaction to the hacking would have been different if dirt was found. A greater good argument might have prevailed even though it was a crime, like how the public generally has sympathy for Snowden. Breaking in and finding nothing just looks bad from top to bottom though for the hackers and those associated.
The greater good argument already prevailed with a big chunk of the country. Whether the dirt was real or outlandish made-up satanism allegations didn't wind up mattering.
Turns out you can hack an inbox and claim it contained anything. People won't read. They just want their tribal allegiances confirmed.
Note the plural: campaigns, hinting at the explanation: There are many campaigns, and they operate entirely independently from each other, at least when it comes to technology infrastructure.
The reason for that is something that HN would usually respect, namely the attempt to keep ownership of information. So of course the old discussion about cloud services is being replayed here: "Why would you trust Google?" / "Why do you think my small company has better security than Google" / ...
I'm pretty sure their next presidential candidate will activate 2-factor authentication etc.
One of the interesting experiments of the 2016 election was that all local and national campaigns were rolled into one Coordinated Campaign. With shared offices/tech/infrastructure.
That brings downsides, but also upsides: it becomes feasible to give everyone a standard security solution for tech.
Still hard to train everyone to use it, but not impossible.
I'd say the reason is closer to parochialism and/or intraparty rivalry in primaries. The beginning of every campaign is buying information and the end is selling it.
Ever donate to a candidate? Notice an increase in emails from same-party candidates afterwards?
Are there any good PPT decks, workshop material or some such you all recommend to build on top of? I'd be keen to teach a few classes or run a few workshops for local campaigns, and it seems this area must be ripe with smart people having put together material to build on already.
The stuff on https://techsolidarity.org/ has been peer-reviewed and battle-tested repeatedly, and is where I would start. When it comes to this stuff I think it's as much about what you don't train as what you do. There's a lot of security nerd orthodoxy that is of negative value when you've only got an hour, one time, to raise the level of a campaign.
Interesting comparing this with the Risky Business interview with Bob Lord (the incoming CSO for the DNC) a few weeks back. There seems to be a bit of a disconnect between the security posture of the DNC and the individual campaigns discussed in this story.
I understand the challenges of end users and security, but why not give them Signal or at least Whatsapp? Email is never going to be secure, regardless, and many users can handle the new messaging applications.
We do! But then the DCCC emails them an Excel spreadsheet the next day (not joking).
It's very hard to move people entirely off of email. A big part of campaign security training is to move people onto Signal or Whatsapp, though, and I'm glad you brought it up.
Hmm...reading the headline I thought "Wait...Bob Lord works for them, surely everyone there has to have an NFC smart card surgically embedded into their skull at this point, so knowing their passwords is useless??". But then I realized he's at the DNC and the article is about _campaigns_ which presumably are separate organizations?
Yeah. Each campaign is its own (tiny) organization. The group that is supposed to help House campaigns is the DCCC (Democratic Congressional Campaign Committee) and for Senate campaigns, it's the DSCC (Democratic Senatorial Campaign Committee).
You can call me a bundler if you want, but I believe that term means something different than what I do. This site, of all places, should respect technical terminology!
...I began visiting rural congressional campaigns to help progressive candidates with fundraising. As a self-employed programmer, I was able to travel and serve as a kind of political truffle pig for tech workers who wanted to donate to candidates but didn’t know where to begin.
What would have to change about that description to make it the description of the actions of a bundler?
My understanding of a bundler is someone who delivers high-dollar donations aggregated from a bloc of wealthy donors.
I tweet about campaigns and people I don't know give or not based on that. The modal donation is something like $50.
If that's "bundling", I'm fine with the term. But in my eyes bundling is showing up at a campaign office knowing how much you can deliver, and from whom.
Are you familiar with the term 'beating a dead horse'? There's absolutely no chance of having a productive discussion around that topic. Everyone knows that what she did was bad, it's now illegal, the ship has sailed, move on.
On a different topic, is it your impression that other political parties are better at email security than the Democrats? If so, why is that? If not, why is the media focus on Democrats?
I think that's because email fundamentally just isn't very secure.
Lots of email servers support fallback to non-encrypted, plaintext transmission, which can expose entire chains of replies to MITM attacks with a single message being routed questionably. [0,1,2] End-to-end encryption, via user-defined keys is actively discouraged by those who might assuredly know better, and be in a position to change minds. Usually, the cop out comes in the form of "too complicated for non-technical/less-technical users, and thus potentially harmful to profits."
As if to say, we've been espousing the use of an insecure method of communication for decades, so, to suddenly reverse our position, and encourage bring-your-own-encryption might provoke discussions of liability, or something. Never mind the premise of ad tech and scanning user messages, to sell data.
But you know, running your own server, and hiring people who can't be bothered to go deeper than using word art in MS PowerPoint slides, well, hey. Bring a horse to water... know what I'm saying?
PGP is easy to use. At this point, I'd like to think people are fatigued enough by the bottomless pit of nightmares we've fallen into, that they'd step up and tell people: yes, people are using SSH keys and SSL keys billions of times a day. It's okay to use PGP on your email. Go ahead, start doing it.
Or, you know, whatever. Lose another election. Right?
PGP addresses literally none of the operational security problems congressional campaigns have. No matter how you protect individual emails, for most users (and probably every single congressional campaign staffer) your email account is still the most important account you have, the key to every other account you control. And PGP doesn't do a thing about incoming emails with malicious attachments.
People think PGP is important for campaigns because they want it to be important, not because there's any empirical evidence that it is important.
Wow, so, you really believe that asking people to lock up their important messages to you, using a public key that you've provided through a verified, alternate non-email channel really won't work?
PGP actually does do something about incoming email attachments. It offers the opportunity to programmatically reject anything that is non-encrypted ASCII text, and renders malicious files as non-executable ASCII text, when such policies are properly enforced. At this point, the promiscuous user is protected from delving deeper into emails. The server can effectively isolate attachments entirely, by proxying mail delivery, and refusing to decrypt attachments automatically. This would further defend against account compromise, through practices that require special handling of attachments. Email then becomes a medium of communication, rather than file transfer, and file transfer is pushed to other protocols and applications.
Sort of like a point-and-call policy. Forcing a user to cognitively jump through hoops to discover the contents of an attachment, when they should really be using email for the exchange of messages with humans, or automated control messages, such as multi-factor auth. Doing something like this limits email to character data only, rather than interpretable instructions. You know, much in the way we don't execute JavaScript from an email context.
We've banned this account and numerous others. It's a violation of the site guidelines to use HN that way, especially when the accounts are used also to break the site guidelines. Could you please not do this?
PGP is so easy to use that the first day I attempted to configure it, I accidentally emailed my friends my private, rather than public, key.
I await the day that a great PGP client for everyone might emerge, but I'm not sure that it is possible, nor am I certain that people will want it. There is substantial utility involved in letting Google read all of my email for spam/malware filtering and more.
Yeah, there's no accounting for glaring cluelessness. Leaving S3 buckets open to the world, and totally unencrypted, for example. Downloading and running *.exe email attachments, destroying systems with ransomware, and so on.
Encryption can be its own foot gun. It can aid attackers, by totally destroying evidence that might exonerate you from being framed for other crimes. It can cost people dearly, in terms of lost data. Consider how many people have lost old bitcoin wallets, containing small fortunes, and similar tales of woe.
But look at how that plays out. A dropped bitcoin wallet, gone forever. The failure mode of something like that is often a better look than things going the other way. Imagine that same bitcoin wallet getting stolen, and seeing the thief profit from it. Sort of like watching elections get stolen, no?
So, think about that, the next time you warn someone against forcing you to exchange PGP keys, in order to communicate more securely.
U2F keys were invented in part because the glaringly clueless employees at Google were routinely shown to be phishable. People who dismiss phishing as a threat vector betray a lack of understanding of how difficult it is to mitigate reliably.