
What I Learned Trying to Secure Congressional Campaigns - pw
https://idlewords.com/2019/05/what_i_learned_trying_to_secure_congressional_campaigns.htm
======
Deimorz
Great article, as always.

I think one of the key points is how awful password managers are for non-
technical people to use. It's not necessarily the developers' fault because
it's difficult to interact with all the things they need to, but it makes it
practically impossible to get someone to use one unless they're technical
enough to be able to figure out all the random issues that come up all the
time.

I'd love to be able to get some non-technical family/friends to use one, but
there are just way too many times that showing someone how to use a password
manager goes something like: "Okay, so now you've generated a password and you
click 'Register' and... oh hold on, the page redirected for some reason and
the pop-up to save the account info is gone, so, uh... well, I think there's a
generated-password history page somewhere, let me just look through the
Settings area even though it's not a setting... okay, there it is, so it
should be this one. I'll just copy that and now I have to create a new vault
entry for the site manually by typing in everything and pasting this password
in there, and then..."

It's terrible, because a password manager that would just work and stay out of
the way could make such a huge difference to general account security, but
they all seem to still be difficult to use and require you to have a pretty
good understanding of what's going on to be able to deal with random problems.

~~~
tptacek
I think password managers could be easier to use, but that the fundamental
problem here is, well, fundamental. The major security win of a password
manager is that you end up randomizing your passwords across all your
accounts; it does no good to "manage" a series of related passwords that will
get credential-stuffed as soon as one of your providers has a breach. To get
specialized passwords for all your accounts, you have to be able to reliably
use the password manager on all your devices, which means not only configuring
it and regenerating passwords the first time, but getting it to work again and
_synchronize it_ on every new device you use.

If you're motivated, you can get this to work. But people are not generally
motivated.

Password managers are a thing I could confidently roll out as a security
officer for a startup, where people are in effect being paid to take what I
tell them about opsec seriously. They're not something I could confidently
roll out in a campaign.

If you're going to get a campaign to do 2, _maybe_ 3 things, you're going to
tackle 2FA, phishing (security keys) and attachments (Chromebooks, iPads, and
GDrive viewers). If you could do a 4th thing, I don't know that password
managers would make that list.

(For the record, I did one training with Maciej, at an NGO, not a campaign,
with rooms full of people who were, if not well-motivated, at least super
respectful of our time and who had at least the appearance of being attentive
to what we were telling them. And getting 1Password working for any of them
proved hopeless. I think even I stopped being able to make 1Password work for
a couple days after trying it with them. Unlike me, Maciej has a gift for
talking to people about this stuff, and also unlike me, he did these trainings
dozens of times. If the best password manager he could roll out was Notes.app,
people who make password managers might want to figure out why that is.)

~~~
JamesBarney
One of the things that made switching to a password manager difficult was the
lack of a smooth and secure automation workflow.

Do you think a standard/protocol for communication between platforms and
password managers would help solve this problem? Basically your password
manager could hook into events from Android/Chrome/iOS like "login requested",
"new account created" and "password updated" allowing increased automation
from password managers.

Obviously using lots of signing/certificates/encryption/platform
verification (to become a registered password manager for Chrome/iOS/Android
would require a much more extensive check than a standard plugin/app) to
ensure security?

~~~
simcop2387
keepass2android added this some time ago and it has certainly helped wonders
for me there with the automation of passwords in apps on my phone and tablet.
That said it's only there on android. I'd love similar kinds of
integrations/apis available on other platforms too.

~~~
Phlarp
Password managers seem like somewhat wasted effort when you pass all the
plaintext around on Android. Feels like a security minefield; only a matter of
time until a vulnerability or outright malicious app starts reading them.

Obviously if you can't use the password manager on mobile it's functionally
worthless.

~~~
simcop2387
That's one of the reasons that android added the autofill system, so you no
longer have to pass them around in plain text on the clipboard.

[https://developer.android.com/guide/topics/text/autofill-services](https://developer.android.com/guide/topics/text/autofill-services)

------
aquabeagle
I'm confused by how difficult it was to get a meeting and convince these
people to change their ways, but how easy it was to hand them a USB device and
"Collect information about what devices people are using, their email
provider, whether they have two-factor authentication, how they share
documents in the campaign, how they keep track of passwords, and so on".

Were you just some random outsider to them, coming in to do free security
training? Or did others have to vouch for you? It seems like it would be
terribly easy to do all of this under the guise of being a helpful security
person, but you're actually just sabotaging them with rogue USB devices and
learning the details of all of their security practices. Especially by getting
on their good side with things like "A friend wrote a script that did this
conversion automatically when you dragged things to a desktop folder, and I
would mention this during campaign visits. Suddenly I was no longer the
dentist, but Santa Claus come early."

Could anyone else have been doing this without being vouched for?

~~~
ceejayoz
This is mentioned.

> You should understand that there are a zillion people and groups out there
> who want to do tech experiments on campaigns, and without someone to vouch
> for you, you will make no headway.

~~~
sdoering
For me Chrome password management works fine. I have all passwords on my work
Mac, had to switch Macs about 9 times due to Apple's quality issues in the
last year and passwords were always available after logging in to chrome.

And they are also always available on my Android.

But. I need to trust Google.

I also have 1password (without cloud sync). Works great on my Mac. But
switching devices is a pain. And syncing to mobile doesn't work at all
currently.

So my state with managed passwords is somewhat of a mixed bag.

PS: Well, due to policy changes I need to create a central password for
logging into my computer and company systems in the future. And I need to type
it multiple times per day. And need to change passwords regularly. I am not
really looking forward to that form of "security".

------
kasey_junk
Only because I'm one of Maciej's number one fans am I going to point out the
delicious irony that more skill in digital advertising would have been helpful
to his mission this time.

------
dillondoyle
Disclaimer: I work in politics professionally, as a digital consultant.

ActBlue is better at security (and just in general product) than NGP, but
neither supports physical 2fa keys.

I don't want to speak too publicly about NGP VAN but I think this area is very
ripe for disruption, but it would be hard to get the finance side 100%
correct, automated FEC & compliance and all. This built up moat I personally
believe lets them stagnate on technology. I think their API is proof they know
the weakness or are afraid of easily better tools built on top (no important
data in and out).

One attack vector I don't see mentioned is locking down domains and websites.
Campaigns are incredibly cheap, it only took a few consultants selling shitty
pre-built wordpress themes and now it's tough to get a Congressional to pay
much or anything. We now build static websites for clients who pay, but I'm
still worried about some actor uploading a google-verification.txt, or
updating DNS to send better phishing emails.

Emailing passwords in plain text and shared twitter passwords for candidate
accounts which are 'victory!2020' are VERY common and we've been trying to
correct this behavior.

Though this isn't perfect, we have been sending one-time links with no
authentication info in email plaintext. Does anyone have a better solution?
(Remember: non-technical (no PGP) campaign staff, and not in the same geo a
lot of the time.)

In writing up some campaign plans this cycle I made some security notes,
especially for a top 5 race target client we have (if win primary) I suggested
separate senior staff office in a more secure location which no volunteers
know about. This won't work at Congressional level, where anyone can get access
to the call time room or the CM's office if they try.

Yes because I'm overly paranoid but also sadly because security in politics
now means protecting from some random nut bag with a gun. Which is really
scary to me.

But mostly I'm surprised at Maciej's willingness to spend money (and valuable
time) doing this. Sadly I think the willingness to help anyone, including
'Green Party candidate in a district the Republicans carried by 60 points',
combined with the general (and I can understand and am not judging)
attitude that 'the system' is broken, is probably a factor in why he was not
taken as seriously as I think he would have liked.

Sorry this got really long. I could go on and on (if @Maciej, or is it
@idlewords?, sees this I would be happy to chat on DM).

Love seeing politics on HN, a topic I have specialized knowledge in, for once ;0
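A worked version of the one-time link idea in the comment above, added here as an example and not code from the thread or from any product named in it. The in-memory store standing in for a database table, the link format and the TTL are assumptions; the e-mail carries only the link, the secret sits server-side until the first visit, and that visit deletes it.

```python
"""Burn-on-read secret links: the e-mail carries a link, never the secret.
Added example; the dict is an assumed stand-in for a database table."""
import hashlib
import secrets
import time


class OneTimeSecretStore:
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._items = {}            # sha256(token) -> (secret, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock         # injectable so expiry can be tested

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored, so a copy of the database
        # (or a log line containing the hash) does not let anyone redeem a link.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, secret):
        """Store the secret; return the one and only token that unlocks it."""
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._items[self._key(token)] = (secret, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the secret on first use, None on any later or expired use."""
        entry = self._items.pop(self._key(token), None)   # pop: single use
        if entry is None:
            return None
        secret, expires_at = entry
        if self._clock() > expires_at:
            return None               # expired links are removed, never returned
        return secret

    def purge_expired(self):
        """Housekeeping so unvisited links do not linger; returns count removed."""
        now = self._clock()
        dead = [k for k, (_, exp) in self._items.items() if now > exp]
        for k in dead:
            del self._items[k]
        return len(dead)


def build_link(base_url, token):
    """Put the token in the URL fragment: browsers do not send the fragment in
    the request line or the Referer header, so it stays out of access logs
    until the page's own script posts it back to redeem the secret."""
    return base_url + "#" + token
```

The secret itself is still stored in clear here; the next step a practitioner would take is to encrypt it under a key derived from the token with an AEAD from a crypto library, so that the server cannot read what it holds.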

~~~
jonathanwallace
How can I best connect with you? I did a quick stint in politics and would
love to chat.

~~~
dillondoyle
dillon @ 4degre.es or send me a message on fb dillondoyle or ig dillonjdoyle.
Sometimes email doesn't get filtered, so I see it from cold contacts.

------
po
I have great hope that the upcoming WebAuthn standard
([https://webauthn.io](https://webauthn.io)) will greatly improve server-side
security and make phishing a thing of the past but I worry about how the
threat model will then turn towards securing access to the user's personal
devices. Endpoint security is going to get even harder. People double-click
and blindly run whatever on their devices all the time.

------
lifeisstillgood
From a UK perspective the "call time" seemed amazing - the amount of time
dedicated to that, and the ecosystem around it (EMILY's List?)

I am sure that exists in all countries just it presumably is less prevalent?
Any insiders have knowledge?

Weirdly I would think that process of dialing and recording would be very
automatable too

~~~
cavisne
This stood out to me also. Things that are unique about the US compared to
other countries:

1) Relatively low personal and corporate donation limits - a lot more phone
calls are needed to raise the same amount of money

2) Low rate of voting - you need an entire get out the vote campaign along
with your existing campaign

3) Hatch Act - your congressional staff can't work on your campaign, so you
need two sets of staff; this combined with the 2 year election cycle is probably
what makes "campaign ronin" a viable career path and also more expensive

4) Presidential system - a bit counterintuitive but I think in a parliamentary
system house races are less important as people are more voting for the party

~~~
ineedasername
Being in the US, the whole idea that the UK doesn't elect their leader directly
always struck me as odd, until I realized that their PMs generally feel much
more beholden to their party's platform than politicians in the US. In which
case, it really is less relevant who the particular person is and more that
the party you support is in power.

~~~
jacquesm
The US _also_ does not elect their leader directly.

~~~
thrower123
Most people seem to have slept through their civics classes where the
mechanism of how this works was detailed. A startling number of people are
under the mistaken assumption that it is or was intended to be, a direct
democracy.

~~~
ineedasername
I think at this point, with two recent disparities between the popular vote
and electoral points, most people realize there's an abstraction layer in
between their vote for president. My point stands though: In the US, you vote
for the specific individual you want to be president. In the UK, you do not
vote for the specific person you want to be PM.

------
canada_dry
Couple tidbits.

> telling people not to use Android

I personally use Android as I dislike the Apple-itunes-lock-in. But, you'll be
able to sleep better at night if you lose your iPhone with confidential info.

...

> Google's Advanced Protection Program is almost comically unusable for
> campaigns. The expensive dongles break easily, and when the dongle breaks
> you are locked out of your fundraising spreadsheets until you can reach
> Google support (if such a thing exists).

Ouch.

~~~
po
I think one other major factor is that if you (as the technical nerd who can
figure this stuff out) give a non-technical user a fully updated secured
Android phone today and then come back to that user in 6 months, it's way less
likely to still be secure. Apple does a much better job of maintaining
security over the lifetime of the device by pushing updates out.

~~~
ineedasername
How does Google compare when you get their updates ASAP with a Pixel? Is it on
par with iOS then?

~~~
kasey_junk
The issue _isn't_ with Android flagships, especially the Pixel line. The issue
is that by banning Android you ban hundreds of low quality phones. Every
iPhone is high quality & only a low % of Android phones are.

~~~
ineedasername
Oh, absolutely. Though as for security updates, I think even most non-pixel
flagships are out of luck on timely updates.

------
bsder
> backup U2F key

How do you set this up!?

Every time I try to set the folks in my company up with security keys, the
biggest problems are always:

1) How do I deal with the fact that someone just left? Something _invariably_
is tied to their login, and I need to transfer control.

2) How do I deal with a broken/lost/stolen key? So many services simply will
not let you install multiple keys on an account and it drives me up a tree.
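What a service has to check server-side for WebAuthn to deliver the phishing resistance po hopes for upthread, and how more than one registered key per account (bsder's backup-key and offboarding questions) looks in that model. This is an added example, not code from the article or from any WebAuthn library; the Credential class, the in-memory credential list and the helpers that build the client-side artefacts are assumptions. Python's standard library has no P-256 ECDSA, so the signature check is a callable the caller supplies (in production, the verify routine of a crypto library); the origin and challenge binding, the rpIdHash, the user-presence flag, the signature counter and the per-user key handling are all done here.

```python
"""Server-side checks on a WebAuthn assertion, with several registered keys
per user. Added example, not from the article or any library; the storage
model and the test helpers are assumptions."""
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01   # authenticatorData flag bit: user present


class WebAuthnError(Exception):
    pass


class Credential:
    """One registered authenticator belonging to one user (assumed schema)."""
    def __init__(self, cred_id, public_key, user, label):
        self.id = cred_id          # bytes chosen by the authenticator at registration
        self.public_key = public_key
        self.user = user
        self.label = label         # e.g. "primary", "backup in the office safe"
        self.sign_count = 0


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_authenticator_data(data):
    """Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ..."""
    if len(data) < 37:
        raise WebAuthnError("authenticatorData too short")
    rp_hash, flags = data[:32], data[32]
    (count,) = struct.unpack(">I", data[33:37])
    return rp_hash, flags, count


def verify_assertion(rp_id, origin, challenge, credentials, credential_id,
                     client_data_json, authenticator_data, signature, verify_sig):
    """Return the matching Credential on success, raise WebAuthnError otherwise.

    verify_sig(public_key, signed_bytes, signature) -> bool is supplied by the
    caller: in practice P-256 ECDSA from a crypto library."""
    cred = next((c for c in credentials if c.id == credential_id), None)
    if cred is None:
        raise WebAuthnError("unknown credential id")
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise WebAuthnError("wrong ceremony type")
    if b64url_decode(cd.get("challenge", "")) != challenge:
        raise WebAuthnError("challenge mismatch (replayed or forged response)")
    # The browser, not the page, writes the origin into clientDataJSON, so a
    # lookalike domain cannot produce a response that passes this line.
    if cd.get("origin") != origin:
        raise WebAuthnError("origin mismatch: %r" % cd.get("origin"))
    rp_hash, flags, count = parse_authenticator_data(authenticator_data)
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        raise WebAuthnError("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise WebAuthnError("user presence not asserted")
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    if not verify_sig(cred.public_key, signed, signature):
        raise WebAuthnError("bad signature")
    # The counter must strictly increase once either side is non-zero; a
    # repeat or rollback is the signal for a cloned authenticator.
    if (cred.sign_count or count) and count <= cred.sign_count:
        raise WebAuthnError("signature counter did not increase")
    cred.sign_count = count
    return cred


def revoke_user(credentials, user):
    """Offboarding: drop every key a departed person registered."""
    kept = [c for c in credentials if c.user != user]
    removed = len(credentials) - len(kept)
    credentials[:] = kept
    return removed


# Helpers that build the two client-side artefacts, for tests and demos.
def make_client_data(challenge, origin):
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def make_authenticator_data(rp_id, count, flags=FLAG_UP):
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", count))
```

Registering a second Credential for the same user is what a "backup key" means on the server: either key's assertion is accepted, each keeps its own counter, and revoking a user removes both at once.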

------
drilldrive
Great writeup Maciej. I do have some questions:

(1) Is there an easier secure way to open attachments to Emails? This is a
critical point of error in campaigns, and yet your suggested solutions are
lacking in my eyes. I for one do not use a smart phone, and even when I use a
Gmail account I use the html version that does not have a Google Docs option
for files. So I am left with your option 3, and this could take several
minutes in contrast to double clicking the file.

(2) Why do you recommend to avoid SMS but to treat Twitter/Slack as a public
messaging option? Why not just treat all three as public?

(3) Why do you recommend only Chrome browser? In particular, why not Firefox
or Tor?

~~~
idlewords
Thank you! Answers in order:

1) I can't think of a safe alternative for you, but maybe someone else here
can.

2) Signal is a drop-in replacement for SMS, while there is no real replacement
for Twitter or Slack. That's why I tell people to treat it as public, rather
than move off those sites.

3) The consensus among my security friends is that Chrome is the safest
mainstream browser, though Firefox is making big strides. The Tor browser is
not safe for the reasons tptacek outlines here:
[https://news.ycombinator.com/item?id=19981733](https://news.ycombinator.com/item?id=19981733)
I explain elsewhere in the post that I like to tell people to use a specific
product. If they really love Firefox, I don't fight them.

------
po
Maciej, do you consider the built in keychain functionality of iOS/MacOS to be
a "password manager"? I only ask because I typically have found that when
setting up non-technical people with iPhones or new laptops, that it has
recently passed the bar of 'easy enough for non technical people'.

True, it can be hard to get to the stored passwords for manual entry and it
doesn't work with a few sites, but generally speaking it picks random
passwords, saves them fairly reliably and prompts to use them with biometric
protection.

~~~
idlewords
Yeah, for sure. If people were already using it, I gave them a thumbs up. In
my mind it occupies some middle ground between a password manager and "I keep
my passwords in this note app", but only because it doesn't tie in to Chrome.

~~~
skybrian
What do you think about Chrome's built-in password management?

~~~
coredog64
One flaw for people who aren’t political campaigns is that frequently you’ll
need to log in to something that’s not using a browser window.

After years of headaches and literal tears, I broke down and bought LastPass
for my kids. My wife isn’t technical, and I would come home to kids that had
lost/forgotten their Minecraft password. They took it out on their mom, so
instead of post-work no-tech downtime, I was coming home to Sev1 incidents
that were already out of SLA.

------
bo1024
Great article!

Can you say exactly why Signal is more secure than email in this context?

~~~
idlewords
Signal is end-to-end encrypted, so your message is stored only on your device
and the recipient's. If you want, you can have it auto-delete after a
configurable period of time.

Email wanders across the Internet and is stored on multiple servers by design.
It can be tampered with or spoofed in ways that Signal messages can't, and
your email account can potentially be broken into by an adversary.

~~~
rediguanayum
Just wanted to point out that Gmail has a Confidential Mode that can prevent
forwarding, auto-deletes and allows the sender to control access to a sent
email including removing access.
[https://support.google.com/mail/answer/7674059?co=GENIE.Platform%3DDesktop&hl=en](https://support.google.com/mail/answer/7674059?co=GENIE.Platform%3DDesktop&hl=en)
Understood that Signal has other useful security properties but this is useful
for folks that use email.

Disclaimer: I work at Google.

~~~
bo1024
(Sorry I saw this a few days late.)

I think it's very misleading to call this "confidential mode for email". It's
just putting the message on a webpage and sending the person a link to
authorize access to the page, right? (And maybe messing with the gmail
interface to hide that this is happening.) It's a really different concept
altogether than email. If I understand right, it's basically like creating a
google doc and sharing it with only certain recipients (and ability to revoke
later).

------
losvedir
> _For example, we told campaigns it was best to have a password manager, okay
> to have a written list of random passwords, dangerous to have a password
> pattern you would modify across sites, and unacceptable to re-use a single
> password across sites._

As someone who likes the "password pattern" approach (remember one thing and
use it to generate passwords for all sites), what's the threat model here? How
is it dangerous?

~~~
lostphilosopher
The general answer: Your pattern is a single point of failure. If someone
figures it out they can figure out your passwords to multiple sites.

The most likely threat is your password to one site leaks or gets phished and
then the hacker recognizes it as pattern generated and reverse engineers the
pattern. Then they just start trying that pattern on other sites.

Not doing this is good general advice. Your specific risk level varies based
on the pattern you use.
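How that threat plays out, as an added example (not from the article or the commenters): given one or two passwords from breach dumps, an attacker recovers the template and generates guesses for other sites, which is the credential-stuffing variant tptacek describes upthread, applied to patterned rather than identical passwords. The list of site-name derivations, the sample passwords and the domains are constructed for illustration; real tooling tries far more derivations.

```python
"""From one leaked pattern-based password to guesses for other sites.
Added example; derivations, passwords and domains are constructed."""
import secrets
import string

# Ways people fold the site name into a "pattern" password, longest first so
# that 'twitter' is recognised before its prefix 'twi'.
SITE_DERIVATIONS = {
    "site": lambda label: label,              # twitter
    "Site": lambda label: label.capitalize(), # Twitter
    "etis": lambda label: label[::-1],        # rettiwt
    "sit": lambda label: label[:3],           # twi
}


def site_label(domain):
    """'www.twitter.com' -> 'twitter', 'mail.google.com' -> 'google'."""
    parts = [p for p in domain.lower().split(".") if p and p != "www"]
    return parts[-2] if len(parts) >= 2 else parts[0]


def infer_template(domain, password):
    """Replace the site-derived part of a leaked password with a placeholder,
    e.g. ('twitter.com', 'Sm@rt-twi-19!') -> 'Sm@rt-{sit}-19!'.
    Returns None when no derivation of the site name occurs in the password,
    which is what a randomly generated password looks like to the attacker."""
    label = site_label(domain)
    for name, derive in SITE_DERIVATIONS.items():
        token = derive(label)
        if len(token) >= 3 and token in password:
            return password.replace(token, "{" + name + "}", 1)
    return None


def instantiate(template, domain):
    """Fill a template for a new target domain."""
    label = site_label(domain)
    for name, derive in SITE_DERIVATIONS.items():
        template = template.replace("{" + name + "}", derive(label))
    return template


def candidate_passwords(leaks, targets):
    """leaks: [(domain, password)] seen in breaches; targets: domains to try.
    A template is kept only if it reproduces every leaked password, which is
    how a second leak confirms the pattern instead of widening the guess list."""
    templates = {infer_template(d, p) for d, p in leaks} - {None}
    templates = sorted(t for t in templates
                       if all(instantiate(t, d) == p for d, p in leaks))
    return {t: [instantiate(tpl, t) for tpl in templates] for t in targets}


def random_password(length=20):
    """What a password manager generates instead: no relation between sites,
    so one leak gives the attacker nothing to generalise from."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

The point of the confirmation step in candidate_passwords is that the attacker does not need to "figure out" the pattern by hand: two leaks from different sites are usually enough for a script to do it.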

------
tacosx
It is amazing when you consider both the number of and the sheer depth of the
problems that would be fixed instantly by moving to publicly financed
campaigns.

~~~
kasey_junk
What single thing in this article is solved by that?

(Note I’m extremely sympathetic to publicly financed campaigns)

~~~
9nGQluzmnq3M
Congressional campaigns are largely about fundraising, so if fundraising is no
longer required, most of the problems listed here also cease to be a problem.

That's a mighty big "if", though.

------
Bucephalus355
Good write up that I think extends to many environments beyond congressional
campaigns.

One thing I would like to add (and perhaps the author mentioned but I did not
see). Secure your cellular accounts such as Sprint, T-Mobile, Verizon with
2FA, good password, etc. This also includes the maximum length VM password,
although usually that is only between 7 digits to 10 digits sadly.

------
tomohawk
Interesting that the end result of campaign finance reform is that candidates
spend way more time on fundraising than they ever did, and are beholden to
more people than ever.

------
miles_matthias
Great job!

I'd like to echo your sentiment about password managers, they are way too
complicated to use for non-technical people.

------
RickJWagner
A good read, thanks to the author.

Biggest surprise (for me): Nobody uses Twitter.

~~~
microcolonel
Twitter users tend to be under the impression that everyone is on Twitter.

~~~
dswalter
Depending on who you follow, it's one of the best link aggregation sites
around. Care deeply about refugee rights in Myanmar? Follow a few folks and
you'll gain insight into the kinds of things like-minded folks are thinking
about. There is the on-Twitter conversation, too, but the best thing about the
site is what people are linking to out of it.

~~~
microcolonel
Sure, I'm a Twitter user too, just pointing out the tendency of people to
forget that there's a world outside their own, especially if they spend enough
time in their own little curated space on a site structured like Twitter.

------
jammygit
Why does only chrome support the security keys? It seems to imply that apple
doesn’t support them very well also. I thought they were more widely
supported?

~~~
idlewords
Firefox supports them now. There's supposed to be a Yubikey with a Lightning
connector coming out that you can use in an iPhone. Fingers crossed!

~~~
bigiain
I hear "it's coming" for Safari too - sure some of the developer previews have
it (last time I checked you had to spoof your user agent because none of the
FIDO sites believed it was gonna work in Safari and didn't offer it...)

~~~
bigiain
Just in case anyone's still reading here. I can confirm that Safari Technology
Preview release 83 works with my blue YubiKey to do FIDO 2FA with gmail right
now...

------
ghani
This was a good read, thanks.

------
jabart
This is why my company (Campaign Deputy) bundles Web, DNS, and Email hosting
along with our Fundraising platform for political campaigns. Not mentioned was
DMARC and SPF, which is really tough to set up when you don't have direct
access to the Domain Registrar.

We are also competitors to NGP. Our users actually like us too!
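The records jabart mentions can be checked before and after any DNS change, which also covers dillondoyle's worry upthread about someone editing DNS to send better phishing email. This is an added example, not code from Campaign Deputy or the article: it evaluates TXT records you have already fetched (the two zones below are constructed) rather than querying DNS itself, so it runs offline, and it flags the misconfigurations that leave a campaign's From: address spoofable.

```python
"""Audit the SPF and DMARC TXT records of a domain. Added example, not from
the article or Campaign Deputy; the zone data below is constructed."""
import re

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (terms, all_qualifier) for a 'v=spf1 ...' record: terms is a
    list of (qualifier, name, argument); all_qualifier is the '+', '-', '~'
    or '?' in front of 'all', or None when there is no 'all' term."""
    terms, all_qualifier = [], None
    for raw in record.split()[1:]:                # skip the 'v=spf1' version tag
        qualifier = "+"                           # SPF default when none is written
        if raw and raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        m = re.match(r"([a-z0-9]+)(?:[:=/](.*))?$", raw.lower())
        if not m:
            continue                              # malformed term, ignored here
        name, argument = m.group(1), m.group(2)
        if name == "all":
            all_qualifier = qualifier
        terms.append((qualifier, name, argument))
    return terms, all_qualifier


def lookup_count(terms):
    """Terms that cost a DNS lookup; more than 10 is a permerror (RFC 7208)."""
    return sum(1 for _, name, _ in terms if name in SPF_LOOKUP_TERMS)


def parse_dmarc(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_mail_auth(domain, zone):
    """zone maps a DNS name to its list of TXT strings. Returns the findings
    to fix; an empty list means nothing was found."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record, receivers cannot reject forged envelope senders")
    elif len(spf) > 1:
        findings.append("SPF: more than one record, which evaluates to permerror")
    else:
        terms, all_q = parse_spf(spf[0])
        if all_q is None:
            findings.append("SPF: no 'all' term, unlisted hosts get a neutral result; end with -all")
        elif all_q in "+?":
            findings.append(f"SPF: '{all_q}all' lets any host send as {domain}; end with -all")
        if lookup_count(terms) > 10:
            findings.append("SPF: over 10 DNS-lookup terms, receivers treat this as permerror")
    dmarc = [r for r in zone.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record, so SPF/DKIM results are never enforced on the From: header")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; spoofed From: addresses are still delivered")
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct}, the policy is applied to only {pct}% of mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, nobody will see who is sending as you")
    return findings


# Constructed zones: a weak configuration and the corrected one. The
# google-site-verification string is a non-SPF TXT record that must be ignored.
WEAK_ZONE = {
    "example-campaign.org": [
        "google-site-verification=abc123",
        "v=spf1 include:_spf.google.com include:sendgrid.net +all",
    ],
    "_dmarc.example-campaign.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example-campaign.org"],
}
HARDENED_ZONE = {
    "example-campaign.org": [
        "google-site-verification=abc123",
        "v=spf1 include:_spf.google.com include:sendgrid.net -all",
    ],
    "_dmarc.example-campaign.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-campaign.org"],
}
```

Run it against the records you actually publish (fetch them with `dig TXT` or your registrar's API, then pass them in as the zone dict); a hosted setup like the one described in the comment above should come back with an empty list for every client domain.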

