
How a Political Engineering Firm Exposed Their Code Base - michaeljbishop
https://www.upguard.com/breaches/aggregate-iq-part-one
======
snowwrestler
The description of "Mamba-Jamba" sounds similar to what Harper Reed's team
built for Obama's campaign in 2012.

In terms of illegality, there would only be a problem if AggregateIQ was not
properly compensated for their work by the U.S. political campaigns--i.e. if
AggregateIQ improperly provided value to the campaign as "in kind" donations
of work.

If the campaigns paid AggregateIQ for their work, there's nothing illegal or
even improper. Campaigns are allowed to purchase products or services from
foreign sources.

~~~
jnbiche
> Campaigns are allowed to purchase products or services from foreign sources.

It's not quite so simple. It's true that US campaigns can purchase products
and services from foreign vendors, but only to the extent that those services
do not include any management or strategic decision-making services. So you
could hire a Canadian firm to make data visualizations for you, but the firm
could not tell the US campaign, "we recommend you target group x" based on
that visualization.

But I agree, based on what is described here, there may be nothing here. Very
much unlike certain Cambridge Analytica activities across the pond.

------
spdustin
Based on this tweet†, it seems that Chris downloaded the repos and put them
online, encrypted using some of his personal information as a sort of "dead
man's switch".

†
[https://twitter.com/VickerySec/status/978056901677146112](https://twitter.com/VickerySec/status/978056901677146112)

~~~
sterlind

      For posterity:
      <14-character non-dictionary word>+<My current CA DL number>+<Streetname of my residence during 1st grade>
      Schema: aaaaaaaaaaaaaa+Annnnnnn+Aaaa Aaaaaaa
      (a=lower alpha, A=upper alpha, n=numeric)
      md5 those 36-characters. Hash is the passphrase
    

Driver's license numbers are likely sequential, so the keyspace is likely
guessable, or recoverable from credit data breaches. Street name is an easier
find, from public records.

Since we know that non-dictionary word is 14-characters, and assuming English,
entropy should be much less than 26^14.

Anyone willing to give it a spin?

~~~
ExactoKnight
Chris lived in BC, so this would be what his driver's license looked like:
[http://www.metronews.ca/news/vancouver/2013/02/15/new-b-c-id...](http://www.metronews.ca/news/vancouver/2013/02/15/new-b-c-identity-card-combining-msp-number-and-drivers-licence-now-available.html)

It's an 8 digit number.

The keyspace for the streets would be a list of every street in Greater
Victoria.

------
adamiscool8
This looks like a tool for tracking voter canvassing, hardly a smoking gun of
anything?

The selective publication and inflammatory language makes me less likely to
believe this is of any importance, other than tut-tutting at the server
insecurity.

The disinformation and jumping to conclusions in the comments of that tweet
thread is extraordinary.

~~~
zzzeek
the issue would be if it were provided by a foreign entity without
compensation so that it is essentially a campaign donation, or if a foreign
entity is found to be in a strategic role for a US campaign, which violates US
election law.

See [http://abcnews.go.com/Politics/exclusive-cambridge-analytica...](http://abcnews.go.com/Politics/exclusive-cambridge-analytica-accused-violating-us-election-laws/story?id=54010145) for a story today
breaking on this.

~~~
danjoc
>the issue would be if it were provided by a foreign entity without
compensation so that it is essentially a campaign donation

Have you ever tried to write off open source work as a donation? I don't think
this works the way you want it to. Software isn't a donation. Software is
speech. Phil Zimmermann proved that rather nicely when he printed PGP as a
book.

~~~
snowwrestler
U.S. federal election law is pretty clear on this. If a company that is
normally paid for a service provides that service to a federal election
campaign for free, it counts as material support of that campaign, at the
value that that service would have cost at regular price.

> Have you ever tried to write off open source work as a donation? I don't
> think this works the way you want it to. Software isn't a donation.

If you typically charge for your software development time hourly, and you
provide 10 hours of software development to a 501(c)3, you indeed can write
that off as a donation. You will just need a receipt from the org to which you
donated your time.

You can't write off typical open source work as a donation because you're not
donating anything. Under most open source licenses you keep your IP, but
provide a free license to anyone who downloads the code. Even if a nonprofit
uses your code, you set the price to $0.00, so there's nothing to write off.

------
michaeljbishop
Interesting followup by Seth Abramson.

[https://twitter.com/SethAbramson/status/978329921192906752](https://twitter.com/SethAbramson/status/978329921192906752)

~~~
tptacek
Seth Abramson sure is someone to talk about poor journalism and analysis.
Really: HN doesn't need to be the first to break out stories like this. If
someone important has been found here, someone will cover it seriously outside
of tweets. HN should start penalizing tweet stories.

~~~
ExactoKnight
Why would HN penalize tweet links!? Hacker News is a perfect place for stories
that intersect technical and journalistic expertise to be explored more in
depth with a focus on truth. In journalism tweets are how evidence of a story
evolves. Taking away Twitter linking from journalistic minded HN users would
be like taking away the ability for a coder to link to GitHub...

------
chillingeffect
I'm not picking on or defending anyone, I'm just weary of the last years'
worth of articles that keep claiming "smoking guns."

Can anyone explain how this is illegal or damning? It appears the biggest
reveal is some database/statistical tools. Do they do anything illegal? Is it
illegal to outsource a project, especially to an ally like Canada?

It seems they were developed as the result of an outsourced project, but does
that count for anything?

We knew CA was hired to help them win the election. I don't understand how
that itself is wrong, legally either.

------
ggg9990
I don't see evidence here of anything more than the application of techniques
long-used by advertisers like General Motors and Unilever to the political
arena. It may be odious, and may make the world a worse place, but it is not
particularly unusual, unexpected, or illegal as far as I know.

------
TAForObvReasons
> using a custom version of popular code repository Gitlab, located at the web
> address gitlab.aggregateiq.com. Entering the URL, Gitlab prompts the user to
> register to see the contents - a free process which simply requires
> supplying an email address. Once registered, contents of the dozens of
> separate code repositories operated on the AggregateIQ Gitlab subdomain are
> entirely downloadable.

Is this (anyone can register with an email address) the default mode for a
self-hosted gitlab deployment?

~~~
JetSpiegel
You can always blacklist or whitelist certain email domains.

You will want to make all your repositories private, which makes you whitelist
all access.
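
The hardening the two comments above describe (closing self-registration, or at least limiting it to known email domains, and keeping repositories private) can be checked against what a GitLab instance actually reports. The script below is an added example, not code from the thread or from GitLab; it audits the JSON that GitLab's `GET /api/v4/application/settings` endpoint returns, using field names assumed from GitLab's application-settings API (`signup_enabled`, `domain_allowlist`, `default_project_visibility`, `restricted_visibility_levels`), and flags the exact combination the article describes: anyone can register, and everything is readable once signed in. The two settings documents are constructed samples.

```python
"""Audit the sign-up and visibility settings of a self-hosted GitLab instance.

Added example, not code from the thread or from GitLab. It inspects the JSON
document returned by GET /api/v4/application/settings (field names assumed
from GitLab's application-settings API) and flags the failure mode in the
thread: self-registration open to any email address combined with projects
that every signed-in user can read.
"""
import json
from typing import Any, Dict, List

# Constructed sample settings (not captured from any real instance): an
# instance that left the "register" link working and made projects internal.
OPEN_INSTANCE: Dict[str, Any] = json.loads("""{
    "signup_enabled": true,
    "domain_allowlist": [],
    "default_project_visibility": "internal",
    "restricted_visibility_levels": []
}""")

# Constructed sample of the corrected configuration: sign-up off, an email
# domain allowlist as a second line of defence, and public/internal
# visibility disabled so every project must be explicitly shared.
HARDENED_INSTANCE: Dict[str, Any] = json.loads("""{
    "signup_enabled": false,
    "domain_allowlist": ["corp.example"],
    "default_project_visibility": "private",
    "restricted_visibility_levels": ["public", "internal"]
}""")


def audit_settings(settings: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    signup_open = bool(settings.get("signup_enabled", True))
    allowlist = settings.get("domain_allowlist") or []
    restricted = set(settings.get("restricted_visibility_levels") or [])
    default_vis = settings.get("default_project_visibility", "private")

    # Registration: open to the world, or at least limited to known domains?
    if signup_open and not allowlist:
        findings.append("self-registration is open to any email address")
    elif signup_open:
        findings.append("self-registration is open (limited to: %s)"
                        % ", ".join(allowlist))

    # Visibility: can an owner expose a project to anonymous or to all users?
    if "public" not in restricted:
        findings.append("owners may mark projects public (readable without login)")
    if signup_open and "internal" not in restricted:
        findings.append("internal projects are readable by anyone who self-registers")
    if default_vis != "private":
        findings.append("new projects default to %s visibility" % default_vis)
    return findings


def is_hardened(settings: Dict[str, Any]) -> bool:
    """True when the audit raises no findings at all."""
    return audit_settings(settings) == []


if __name__ == "__main__":
    for name, doc in (("open", OPEN_INSTANCE), ("hardened", HARDENED_INSTANCE)):
        print(name, audit_settings(doc) or ["no findings"])
```

On a live instance the settings document comes from `curl --header "PRIVATE-TOKEN: <admin token>" https://<host>/api/v4/application/settings`, run with an administrator's token; feed its output to `audit_settings` instead of the constructed samples. The "internal" check is the one that matters for the story in the thread: internal projects are hidden from anonymous visitors, so the instance looks closed from the outside, yet every self-registered account can read them.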

------
ExactoKnight
Where can we download the codebase? Seriously interested in seeing it.

------
craftyguy
This is basically just some screenshots of a private gitlab instance? It would
be trivial to fabricate this story. Did he post the files publicly?

~~~
peterhadlaw
If this is true, what are the ramifications for unauthorized computer access?

Update: looks like the registration link was still listed / open, but my
question still stands

~~~
Moogs
According to the first article, the code was hosted with a custom version of
Gitlab, with the register link still functioning. Once an account was created
all the repos were public. If that's true, then it's a public site being
accessed through features of the site.

~~~
peterhadlaw
I'm sure it also depends on if the site was intended to be accessed "publicly"
or not. Let's say, visually, all registration links were removed, but (as
someone with internal knowledge of GitLab here did) could "breach" into the
registration page.

------
fortean
Very informative! Thank you!!!

------
soared
Actual write up: [https://www.upguard.com/breaches/aggregate-iq-part-one](https://www.upguard.com/breaches/aggregate-iq-part-one)

Important to note this leak only (as of now) ever mentions Ted Cruz - nothing
to do with Trump's campaign beside some handwavy connections between this
marketing agency and Cambridge Analytica. Bannon is also literally never
mentioned in the write up.

~~~
codeulike
The Guardian has an article here [https://www.theguardian.com/uk-news/2018/mar/24/aggregateiq-...](https://www.theguardian.com/uk-news/2018/mar/24/aggregateiq-data-firm-link-raises-leave-group-questions)
about the links between AIQ and Cambridge Analytica. AIQ were used by the
Brexit 'Vote Leave' group which is why the Guardian were looking at them.

------
danjoc
"There is no serious person out there who would suggest somehow that you could
even rig America's elections" --Barack Obama

[https://www.youtube.com/watch?v=y7F7eRM1oiU](https://www.youtube.com/watch?v=y7F7eRM1oiU)

~~~
eli
He's right. There was no voter fraud. People really did vote for Donald Trump.
Voters may have been distracted with leaked emails or lied to by "fake news"
but the votes were real. The election wasn't "rigged."

------
StanislavPetrov
If all the "breaking news" about the tactics used by the Trump team in last
year's election were limited strictly to "new" tactics used by the Trump
crowd, the volume of "news" released would shrink to a tiny fraction of what
it is now. Unfortunately, as always, the problem lies with the ignorance of
the American people. It's easy to portray underhanded and/or illegal tactics as
being somehow unique to the Trump crowd when most people are entirely ignorant
about how our political system works (and has worked) for decades. The fact is
that campaigns on every level - local, state, and federal - have used data
mining techniques, social media platforms, algorithms, and data of all sorts
(both foreign and domestic) to influence everyone that possibly could in every
way possible. Shining a bright light on any corner of our putrid political
system (as is being done in the case of the Trump crowd) will uncover a host
of shady, disreputable and/or illegal acts. It doesn't matter what corner you
shine the light on or what party you choose to focus on.

As someone who didn't vote for Trump, and doesn't support him, that's one of
the (many) things I find so disheartening about this entire process.
Pretending that Trump is somehow a unique problem that needs to be solved
rather than just another corrupt politician is to whitewash the rest of the crooks
running our government. It isn't an accident that Trump is being portrayed as
a unique menace. The levers of power in our government (and their minions in
media) are very careful to paint the picture of this being an aberration. They
are playing on the myth of "American exceptionalism". That's where the whole
Russian-conspiracy nonsense plays in, because naturally, the American people
would never vote to reject the establishment in favor of a despicable con-man
like Trump unless they were influenced or fooled by evil Russians! If we can
just get rid of Trump (and the free and open internet that allowed the evil
Russians to influence us), then we can return to the wonderful status quo of
the "Liberal Western Order" AKA monopolar US global hegemony, that is great
for everyone!

