
Security Guidelines for Congressional Campaigns - stablemap
https://techsolidarity.org/resources/congressional_howto.html
======
tptacek
On the off chance this heads off any super-unproductive debates:

When you're advising/training at-risk end users, it's not enough that it be
possible to achieve some kind of security with a given load-out. It needs to
be secure without trying hard.

So for the purposes of this document, we don't really need to litigate this
phone or that browser. We just have to note that for non-specialist end-users
in high-stakes environments:

* It has to work.

* It has to stand a good chance of remaining secure without trying.

* It has to be incredibly simple to get everyone set up the same way.

~~~
codinghorror
A casual read says the safest easiest setup is everyone doing all their work
on a recent iPhone model. Good news is, assuming the budget requirement can be
met, this is pretty close to what is already happening for most people.

~~~
jsmthrowaway
Indeed; most Washington types who used to live on Blackberry (excluding those
who haven’t yet had to give their precious up) moved to iPhones over Android,
in my anecdotal experience. Outlook is the name of the game, and that runs
quite well on iOS. Though it sounds like this training would push people
toward the Gmail app, which is just fine.

One point I would make is that it’s rather easy to make Siri only respond
after unlocking, but that’s probably out of scope of this training — and not
something staffers are going to remember. For added security, disable Hey
Siri, too, because that’s a hot mic. (But again, scope.)

~~~
tptacek
Can we just all be clear that these aren't "Washington types" we're talking
about? These are random businesspeople in random Congressional districts
scattered throughout the US.

~~~
jsmthrowaway
I don’t follow what you’re correcting or why you’re using my comment to launch
off on that correction to everyone, because I was agreeing with Jeff on the
broader motion to iOS based on my anecdotal experience with Washington
staffers in general, not limited to a Congressional campaign. That being said,
the senior ranks of any successful national campaign are _always_ Washington
types (one notable, recent outlier notwithstanding), and they benefit
dramatically from this training, so it’s not even an unfair observation in the
context you’re asserting.

(Unless you’re saying a gaggle of Chamber of Commerce suits from Topeka can
navigate party politics, secure funding, get attention, get nominated, then
somehow win without DC experience and connections in leadership.)

Edit: 'idlewords — I tried to reply to you before you deleted; _Congress_ or a
_Congressional campaign_ means a national race, and toned my replies here. You
and Thomas are talking about state legislature races, apparently, which was
not obvious until your deleted comment. We don’t identify state-level
legislative bodies as Congress, which is a term that means the entire national
legislative body, not just the House. It’d be half appropriate to say
_congressional_ without a capital C, but still weird. Gotta enunciate state.

I genuinely thought you were training early campaigns for next national, the
way you worded it. You should, honestly. They don’t get awesome advice.

------
idlewords
I want to give a little bit of context to this guide. So far I've done this
training with six congressional campaigns, and a very similar one with about
two dozen journalists.

Everyone has a limited mental budget for security hassle, and it's a challenge
to fit the most important bits of advice into that budget. The hardest bits
are those things that are relatively easy to use, but a beast to set
up—password managers and security keys.

There's a lot more that could be in this guide, but I've found that it's the
most material that I can fit into an hour, and even then the people running
for office find it intimidating. However, they are also very glad to get
actionable advice, and in a format that is not too technical.

By far the most surprising thing to people on this list is the admonition to
turn off anti-virus software.

~~~
philipodonnell
Can you briefly explain about turning off anti-virus? I see that but nothing
about why, or why Windows Defender is still ok and how that differs from the
general category of anti virus?

Maybe it's in your course so you don't want to spill the beans, but all of your
other advice seems consistently good; this one could use some more explanation
for the uninitiated who have heard the exact opposite for, like, ever. :-)

~~~
Anderkent
The problem is that many AVs are not tested well, and prone to actually making
you more vulnerable by bugs in their analysis code.

Basically, think of receiving an email with a malware attachment. If you have
good hygiene, you won't open it yourself. But your AV will open it to 'scan'
it, and that gives it an opportunity to compromise it.

Add the fact that most AV runs with high privileges and is not sandboxed, and
this is a pretty bad state.

------
walterbell
The grugq (Nov 20) on campaign information security:
[https://medium.com/@thegrugq/campaign-information-security-f...](https://medium.com/@thegrugq/campaign-information-security-ff6ac49966e1)

~~~
tptacek
The Grugq's post is strong. The Harvard campaign security report he links to
is _not_; it's actually pretty bad.

~~~
grugq
I didn't like their report which is why I wrote my guide.

------
jacobkg
It would be worth adding to the article registering your Google account for
the Advanced Protection Program:
[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/)

------
Teodolfo
The guide suggests gmail and two factor, but why not also
[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/)
?

------
abrichr
> Under no circumstances use the Tor browser (it's okay to use Tor, but do it
> with Chrome, and seek additional training on how to set it up).

Is this just because Tor Browser prompts the user to update while Chrome
updates silently on restart, or something else?

~~~
tptacek
No, it's because Tor Browser is the worst possible combination of attributes:
a lagged fork of what is currently (despite heroic efforts from Mozillians)
the least secure mainstream browser, packaged in a way that disproportionate
numbers of high-value targets use it.

~~~
grugq
Fully laid out and explained here: [https://medium.com/@thegrugq/tor-and-its-discontents-ef51648...](https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908)

------
neandrake
Does anyone have insight as to why they recommend only using Chrome, including
using Tor with Chrome and not the Tor browser (fork of Firefox)? Is this just
to keep things consistent or are there privacy/security concerns over using
Firefox?

~~~
jimrandomh
Chrome has a process-sandbox architecture that is significantly protective
against new exploits; Firefox's equivalent, Electrolysis, isn't ready yet. In
the 2017 Pwn2Own competition, Firefox was cracked and Chrome wasn't.

The Tor browser is almost certainly better at avoiding accidental disclosure
of your IP address, but worse at general exploit-resistance. Making use of Tor
in a way that fully protects their identity is probably beyond the
capabilities of a Congressional candidate anyways, so it would at best create
a sense of anonymity that was false.

~~~
tptacek
If we're really nerding out about browser security, it's important to
understand that while Firefox's sandboxing is not as sophisticated as
Chrome's, it's not a lack of sandboxing that puts Firefox behind Chrome (and
probably Edge), but also _all the other stuff_ that goes into browser
security, most notably runtime hardening and ancillary vulnerability research.

People tend to look for a simple explanation for these kinds of differences,
like, "iPhones are more secure because they have a Secure Enclave", or "Chrome
is more secure because it has better sandboxing". But the real answers are
rarely that simple. There's a lot more that goes into both iPhone and Chrome
security than those simple things.

~~~
pcwalton
Can you elaborate as to what you mean by Chrome having better "runtime
hardening"?

For what it's worth, I tend to think the biggest issues are the weaker sandbox
(the GPU driver is exposed in Firefox, which WebRender is taking a big step
toward fixing) and, in the future, Site Isolation (which I think is oversold,
but it would help sites like Gmail).

------
invisiblep
@tptacek and @idlewords can you share how you are teaching these non-tech
people how to use a password manager?

In my experience it's far from intuitive even if you're using 1Password. Just
the first step of explaining how to create a master password that is strong
enough to protect all the other secrets is a challenge. I try and describe the
diceware process because it will yield a better result than what the user will
come up with.

Anything you can share would be appreciated.

------
seanwilson
> You must use an iPhone, model SE or later. Android phones are not safe to
> use.

> If possible, consider getting a Chromebook. This is a simplified computer,
> far more secure than an ordinary laptop, that can only run the Chrome
> browser.

Reducing attack vectors in this way seems very sensible to be honest. It's
crazy to expect users to understand the ins and outs of computers to remain
secure. I remember it being common that people would comment that you can't
drive a car without a license so you should have something similar for being
allowed to use a computer.

------
gok
> Siri can reveal information about your contacts even when the phone is
> locked.

So can swiping to the right on iOS 11... or just getting a message
notification from Signal with its default settings. For that matter, shouldn’t
this guide contain some guidelines about where your contacts should be stored
if that’s considered sensitive?

------
blfr
This is the same advice I give to my mom. Especially opening everything she
receives, in particular from her students, through Google Drive/Docs.

However, do you really trust Google to be the safekeeper of important data for
elections? This is at most a temporarily valid advice for democrats.

------
seanieb
Without teaching folks what a password manager is and how to use it, it's
useless advice. I've seen folks use 1Password with their old password for
everything... A 2min demo and an explanation why they should use unique
passwords is needed for most.

~~~
idlewords
That's one of the reasons a text guide isn't enough, you need a briefing.
Also, the installation procedure for 1password is an absolute nightmare.
Ideally people shouldn't even see it.

------
wonderous
To me, “if you can remember your password, it is likely not strong enough”
conflicts with suggesting it is okay for a user to use “a six-digit key code”
on their iPhone.

Any thoughts or clarifications?

~~~
tptacek
Yes: your six-digit PIN is physically secured in ways your online passwords
aren’t.

~~~
tonyztan
To expand on that, the iPhone hardware (Secure Enclave) limits the number and
rate of PIN attempts. Depending on configuration, after a number of incorrect
attempts, it either takes an increasingly long time to make a guess or just
wipes the device (by destroying the encryption key).
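
As an added illustration of the point above, and of the diceware discussion in invisiblep's comment (example code written for this page, not from the thread, Apple, or 1Password): a small model comparing an attacker who must guess a six-digit PIN through rate-limiting hardware against one who can guess a memorable password offline. The lockout schedule, wipe threshold and offline guessing rate are assumed placeholder values, not Apple's published numbers.

```python
import math

# ASSUMED lockout schedule (not Apple's published numbers): after `fails`
# consecutive wrong PINs the hardware enforces `delay_s` seconds before the
# next attempt. It stands in for "an increasingly long time to make a guess".
ASSUMED_SCHEDULE = ((5, 60), (6, 300), (7, 900), (8, 3600))
ASSUMED_WIPE_AFTER = 10          # assumed "erase after N failures" setting
DICEWARE_LIST_SIZE = 7776        # 6^5 words, one per roll of five dice


def delay_after(fails, schedule=ASSUMED_SCHEDULE):
    """Seconds the device makes you wait after `fails` consecutive failures."""
    delay = 0
    for threshold, delay_s in schedule:
        if fails >= threshold:
            delay = delay_s
    return delay


def on_device_guessing(pin_space=10**6, wipe_after=None, schedule=ASSUMED_SCHEDULE):
    """Attacker holds the phone and tries PINs one at a time through the hardware.

    Stops at the expected-success point (half the space) or when the device
    destroys its key after `wipe_after` failures. Returns
    (guesses_made, seconds_spent, fraction_of_space_covered)."""
    expected_guesses = pin_space // 2
    guesses, seconds = 0, 0.0
    while guesses < expected_guesses:
        if wipe_after is not None and guesses >= wipe_after:
            break                              # key gone; rest of space unreachable
        seconds += delay_after(guesses, schedule)
        guesses += 1
    return guesses, seconds, guesses / pin_space


def diceware_bits(words, list_size=DICEWARE_LIST_SIZE):
    """Entropy (bits) of a passphrase of `words` words drawn uniformly from the list."""
    return words * math.log2(list_size)


def offline_expected_seconds(bits, guesses_per_second):
    """Expected time for an attacker guessing offline, with no hardware rate limit,
    to find a secret of `bits` bits: half the space at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    year = 365.25 * 24 * 3600
    rate = 10**9                                  # assumed offline guesses per second
    pin_bits = math.log2(10**6)
    print("6-digit PIN, offline (no Secure Enclave): %.4f s"
          % offline_expected_seconds(pin_bits, rate))
    g, s, frac = on_device_guessing()
    print("6-digit PIN, on device, no wipe: %d guesses, %.1f years" % (g, s / year))
    g, s, frac = on_device_guessing(wipe_after=ASSUMED_WIPE_AFTER)
    print("6-digit PIN, on device, wipe after %d: %d guesses, %.4f%% of space"
          % (ASSUMED_WIPE_AFTER, g, frac * 100))
    for n in (4, 6):
        bits = diceware_bits(n)
        print("%d-word diceware passphrase, offline: %.1f bits, %.1f years"
              % (n, bits, offline_expected_seconds(bits, rate) / year))
```

The same six-digit PIN that falls in under a millisecond offline takes decades through the rate-limiting hardware, which is why the PIN and the "unmemorable" master password are held to different standards.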

------
lordofmoria
Very good advice.

Couple thoughts:

First, Google’s Password Alert extension should be added to the list of
extensions. Best protection against spear phishing.

Secondly, “Assume that anything you say on Slack or in Twitter direct messages
will one day be public. It's fine to use Slack for coordinating and
organizing, but be mindful of the conversations you have there. Move private
discussions to Signal.”

This “eventually public” argument they say is the best framing of the benefit
of end-to-end encryption I’ve seen so far. It’s not about “hackers could hack
Slack and own your data now!” as much as “eventually any interesting cloud
data that’s unencrypted will be made public.”

------
codinghorror
Android: unsafe at any speed, apparently.

~~~
tptacek
Specialists with carefully chosen phones can achieve security that is
asymptotically as good as a recent iPhone.

We can spare ourselves the world's dumbest HN thread if we stipulate that by
far the largest problem with Android is that it means a zillion different
things. Campaign workers (or NGO employees) with "Android phones" are people
that have every conceivable random phone that happens to be running some
variant of Android.

~~~
marcoperaza
> _Specialists with carefully chosen phones can achieve security that is
> asymptotically as good as a recent iPhone._

Who cares? Security conditional on expertise, extraordinary caution, and time
investment is WORTHLESS.

Security is more about guiding (or forcing) human beings to the right behavior
than it is about making technical mechanisms available for the willing and
able. Your security model should assume that the user is stupid, grossly
negligent, and in the case they are the employee or other agent of an
organization, somewhat hostile to the interests of the organization.

~~~
idlewords
I believe tqbf is just trying to head off unproductive Android vs. iOS
arguments, and agrees with you.

------
MechEStudent
Is this written by the Russians? The Chinese? Are you kidding? iPhone or
Android? They are both highly porous and highly perforated. Gmail? Chrome?

Here is some on secure browsers:
[https://www.techworld.com/security/best-8-secure-browsers-32...](https://www.techworld.com/security/best-8-secure-browsers-3246550/)

Boeing Black? [https://economictimes.indiatimes.com/slideshows/tech-life/5-...](https://economictimes.indiatimes.com/slideshows/tech-life/5-most-secure-smartphones-in-the-world/boeing-black/slideshow/53883006.cms)

... just a little work would give something actually secure. This is like
playing charades with guns.

~~~
my_first_acct
In the secure-browser article cited in the parent comment, number eight is the
Yandex Browser. Quoting from the article: "Yandex, which is based on Chromium,
uses the 'Blink' engine which runs checks through downloads and even uses
Kaspersky's antivirus to scan for malicious content." I find this
recommendation a bit surprising.

------
secfirstmd
Sorry. I don't even know where to start here, but so much of it is really bad
advice that doesn't accurately assess user workflows or do effective
threat modelling.

~~~
idlewords
I'm open to criticism, so maybe pick the worst piece of advice and tell me
what it should be instead?

~~~
kasey_junk
The fact that you don’t have a line item that says “Don’t feed the trolls”
seems problematic.

~~~
idlewords
Trolls gotta eat

------
fencepost
I found this to have a lot of holes at best. If this is for end-users working
with a campaign some of this might be appropriate, but really the campaign
should have people in charge of security and a lot of things should be
funneled through them. If this is for end-users then the advice about
antivirus, etc. should be removed because that should NOT be an end-user
decision.

First thing: How is the campaign going to be operating and handling documents?
Security for the scenarios is going to be different.

* If it's going to be in one or more offices with tightly restricted access from outside those offices that's probably the best for security but may be less convenient. Primary approach: restrict access to a limited pool of "trusted" devices and keep those secure.

* Entirely cloud-based (e.g. GMail, Google Docs, etc. or perhaps the business/enterprise Office365 and OneDrive). Primary approach: Tightly control document access at the storage side, probably primarily based on user accounts, while allowing many devices.

* Using online storage but traditional desktop programs, etc. is a second option, but may be harder to control. Primary approach: None, this is a hybrid and I think it has all the weaknesses of both other approaches.

Second, be aware of the kinds of threats you need to be ready for. Big areas
of concern that jump out at me:

* Data theft/exfiltration of sensitive campaign documents.

* Data loss/destruction - via malicious trashing by an intruder or via failure of key systems.

* Loss of access at key times - are there times where temporary loss of access to systems has a major impact? (I'm used to thinking in terms of electronic medical records for doctors' offices, where at the least a down EMR puts a huge crimp in ability to see patients.)

* Possibly addressing of faked documents, but I'm not sure that's an internal security matter that can be addressed beyond being able to say with confidence "Our network has not been breached and we have access/audit logs to prove it."

Focusing on what I'd recommend as the best option from a security standpoint
(documents, etc. are stored within the network, documents can be accessed only
from within the network, network access is tightly controlled, document
storage is appropriately partitioned with security groups to limit access)
some thoughts. This is also the kind of network I'm most familiar with - I'd
never consider having any medical client using any kind of cloud storage for
practice documents that could contain PHI/PII (Protected Health
Information/Personally Identifiable Information).

_Re: Updates_, absolutely, everything should be kept up-to-date. Ideally
patch status, etc. should be monitored for all systems. This includes network
equipment as well, most notably routers and any wireless equipment.

_Re: Anti-virus_, I disagree - Choose a good managed AV product, use it,
have someone whose job includes getting alerts from it and reviewing logs it
generates. I'm partial to Bitdefender, but Emsisoft may also be a good choice
and also uses Bitdefender's virus definitions as one component. I'd avoid
Kaspersky these days. I say this because I see the logs for managed
Bitdefender blocking of known and suspected phishing and malware sites and I
get alerts when malware is blocked. A good AV product should also help protect
against both hacked websites visited by campaign staff and spearphishing.

_Re: Email_, why is this document talking about personal email? Do not use
personal email for campaign work. Do not use personal email on campaign
systems (assuming the "closed network" approach). If staff need to deal with
personal email because their sister-in-law just sent them the newest Elf
Bowling, they can do it on their phones and/or their own time.

_Re: Email_, if using an email system that supports 2-factor auth, use it.

_Re: Email Attachments_, assume malice. The advice to open documents on a
phone instead is not unreasonable since the phone viewer is unlikely to have
the same vulnerabilities as a desktop program. Viewing documents in a
different program may also be a viable option, particularly if your internal
use of that program isn't well known (e.g. Word-based attacks are unlikely to
impact LibreOffice).

_Re: Email_, inbound email should be going through all sorts of filtering
which may not stop all attacks but should at least be able to cut down on
possible noise. As an example with Office365 Exchange, there are a bunch of
options (under "International Spam") to block messages based on the language
encoding, the country/region it was sent from, etc.

_Re: Passwords_, 1Password is a good option. 1Password Teams is probably a
better one.

_Re: Phones_, the advice to use iPhones is probably good, particularly
because current-enough iPhones all get software updates where Android phones
from different vendors are all over the map. Possible exception: If you're
using the all-cloud approach on Google services, the Pixel phones should be a
viable choice. If feasible, something that can be remotely wiped (at least
email) by a mail administrator is probably not a bad idea.

_Re: Laptops_, yep, full disk encryption, etc. and never plug in USB
devices, but on a management side assume that laptops are a weak point and
take steps to ensure that the damage from a compromised laptop can be limited.

_Re: Wireless access for Phones, Laptops, Tablets, etc._: Consider not using
Wifi AT ALL. If Wifi is used, lock it down to recognized devices, which should
not include ANY personally owned devices, particularly including phones,
tablets, etc. Any device that end-users are allowed to install software on is
a device that should not be connecting directly to your network. If you're
unfortunate enough to have a campaign office in the basement of a steel
building, set up a separate "Devices" network (still with authentication) that
those devices can connect to.

_Re: Messaging_, yep, Signal. Regard just about anything else, particularly
including SMS as being plain-text that a skilled attacker could read. Also be
wary of apps like Join, MightyText, etc. that allow handling of messages and
device notifications from desktops.

_Re: Browser_, I'm not sure I agree with a Chrome-only approach (why no
Firefox?), but I don't have a big problem with it. One advantage particularly
for individual installations is that it will auto-update in the background,
and with process-per-tab I believe new tabs will get created on updated
versions (can anyone who's read this wall of text confirm?). I agree with the
use of uBlock Origin and HTTPS Everywhere - compromised ad networks
particularly with targeted ads could be a real risk.

_Re: Mobile Browser_, even more than incognito mode, Firefox Focus may be a
good choice as a default for browsing that doesn't require logins to sites.

Did I leave any gaping holes? This is kind of off the top of my head.

~~~
idlewords
I'm not sure you understand what a Congressional campaign is like. Outside a
few really rich districts, you'll have the candidate, a campaign manager, a
media person, someone in charge of fundraising, and people to manage
volunteers. Using social media is routine, and everything that doesn't involve
money is connected to people's regular accounts.

If you're lucky, the campaign staff will have an analytics person, and they
(or the most technically adept member of the campaign) become de facto tech
support for everyone else.

Many of the people the campaign staff need to work with will be volunteers who
are already task saturated on campaigning, and have no capacity to learn
whatever security processes you have in place.

The overriding priorities of the campaign will be fundraising and outreach.
Everything else will be subordinate, and anything that makes those two things
harder will be ignored.

I don't know what situation your comments are appropriate for, but they will
not work for the people we are trying to protect.

~~~
fencepost
Thanks, I didn't realize how small most campaigns were, and I can see why it
wouldn't be something where a third-party could set up to provide the services
- way too cyclical.

~~~
idlewords
The Democratic party apparatus steps in to some extent, but only after the
primaries, and they're not too clueful, either.

The guide here is an attempt to see how much we can bring up the level of
security on a campaign without IT infrastructure. It's meant to be the "wash
hands, boil water" of security advice, not an ultimate security guide. So
thanks for understanding the context!

