
Email security on Democratic campaigns is as bad as 2016 - idlewords
https://www.washingtonpost.com/outlook/2018/09/04/im-teaching-email-security-democratic-campaigns-its-bad/
======
dillondoyle
I work in digital D politics professionally. I can't tell you how many
Congressmen use multiple @yahoo or whatever personal email accounts, social,
and wordpress accounts with very guessable and repeated passwords. Even the
young 'savvy' ones.

And I know this because the creds are shared in plain text with multiple
people over email (like me) or put into a shared google doc.

We enforce 2fa for our consultancy staff. I would love to enforce it for
campaigns but I can guarantee endless problems and troubleshooting especially
needy candidates calling because they can't figure out how to get their email.

Another big problem is shitty wordpress sites filled with plugins. Literally I
see $10k sites (FEC reports!) designed using a $100 paid drag and drop theme
with even more plugins thrown on top. It's a big pet peeve of mine and when I
can I move clients to a static plain html site hosted on s3 or similar.

My big concern here is if you have write access to wordpress I could see a
scenario where you could upload say verification-hash.html and then reclaim
ownership of a domain or regain access to email. Or perhaps some trust attack
domain.com/my-innocent-file-has-virus.file

The main D voter file GUI (votebuilder) which all campaigns use to contact
voters and work with voterfile data does have 2fa but it's still only SMS.
This is my real name so I don't want to throw too much public shade, but let's
just say when I have to work with campaign data stored in van first thing I do
is export out.

ActBlue which is increasingly the monopoly online fundraising app in my
experience has good engineering and for me personally they are the only 'tech'
provider for Dems that I jive with (don't get me started on NGPVAN or maybe
do, but over PM). AB has 2fa token support, though they should make it
mandatory given that if you have AB login access you can do a lot of damage
(I've actually had this conversation with them about campaign provided js that
shows up on donate pages, putting on separate cookie domain, iframe etc).

~~~
idlewords
Thank you for this very informative comment!

Who do you think should have overall responsibility for campaign security in
2020? The parties? DHS? Some kind of private sector consortium?

~~~
dillondoyle
I mean the government doesn't take on basic IT security responsibilities for
corporations. It's up to each campaign.

The parties can provide support but there are so many races up and down
ballot, plus primaries it's impossible. Plus why should the DCCC or whoever
waste resources on some non-winnable tiny race.

If say DHS did get involved proactively there would be huge trust and legal
issues; any top down direction from govt to politics would be perceived as
interfering with political speech/democracy.

~~~
rossdavidh
I'm a little conflicted on this. Clearly if we leave security to political
parties, for many reasons we can expect poor security in IT, which leaves our
very democracy vulnerable.

On the other hand, imagine the government mandating "if you run for office,
you and everyone in your campaign must use this email for all communications,
and if you communicate electronically outside of these approved methods we'll
come down on you". The number of ways that could be misused is mind-boggling.
Even if it isn't used to sniff on the communications of the opposition, it
could simply be raised to higher and higher levels of complexity (and perhaps
$$ cost) until new political parties (or insurgencies within a party) cannot
afford to compete, because the legal requirements for IT are too stringent.

~~~
dillondoyle
I think that's the bigger issue than disparate organization complexity/scale
(which is a huge hurdle).

Political speech is sacrosanct and despite being pretty liberal I agree with
your skepticism of Government. Not so much that it would ever be used for bad,
but I think far more likely it just becomes a huge, slow, shitty mess.

------
Someone1234
This may sound a bit glib but the Democrats should just get a contract with
Google, give all of their people GSuite accounts, and enroll them in the
Advanced Protection Program[0].

It isn't perfect but it would be a massive step up from everyone having their
own home-ground solutions that may or may not be secure.

[0]
[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/)

~~~
camgunz
No Democratic organization (DNC, DSCC, DCCC, OFA) really holds sway over
campaigns. The DCCC would basically never say "hey, use these 2FA dongles or
we're not sending money" to a competitive campaign, and they definitely can't
do that over personal accounts ("hey ditch Yahoo! or we're not running any
ads"). Maybe they should, it's debatable, but there's a lot of things we
_should_ do that are on the spectrum of "unimportant in the grand scheme of
things" to "infeasible".

~~~
idlewords
Campaigns I have worked with are generally eager for this kind of training and
would gladly accept it if it were offered. They are aware of the hacking
threat and feel out of their depth.

I think a good starting point is to simply offer in-person training at key
points in the campaign (on filing, after a primary win, and before the general
election).

~~~
camgunz
Super agree, this would be fantastic. I'm sure there are people at the DNC and
elsewhere who would be happy to advocate for the (very small amount of) funding
it would take -- as you wrote it should be a top priority.

------
matt4077
Note the plural: _campaigns_, hinting at the explanation: There are many
campaigns, and they operate entirely independently of each other, at least
when it comes to technology infrastructure.

The reason for that is something that HN would usually respect, namely the
attempt to keep ownership of information. So of course the old discussion
about cloud services is being replayed here: "Why would you trust Google?" /
"Why do you think my small company has better security than Google" / ...

I'm pretty sure their next presidential candidate will activate 2-factor
authentication etc.

~~~
mushufasa
One of the interesting experiments of the 2016 election was that all local and
national campaigns were rolled into one Coordinated Campaign. With shared
offices/tech/infrastructure.

That brings downsides, but also upsides: it becomes feasible to give everyone
a standard security solution for tech.

Still hard to train everyone to use it, but not impossible.

------
jakewins
Are there any good PPT decks, workshop material or some such you all recommend
to build on top of? I'd be keen to teach a few classes or run a few workshops
for local campaigns, and it seems this area must be ripe with smart people
having put together material to build on already

~~~
tptacek
The stuff on [https://techsolidarity.org/](https://techsolidarity.org/) has
been peer-reviewed and battle-tested repeatedly, and is where I would start.
When it comes to this stuff I think it's as much about what you _don't_ train
as what you do. There's a lot of security nerd orthodoxy that is of negative
value when you've only got an hour, one time, to raise the level of a
campaign.

------
mediocrejoker
Interesting comparing this with the Risky Business interview with Bob Lord
(the incoming CSO for the DNC) a few weeks back. There seems to be a bit of a
disconnect between the security posture of the DNC and the individual
campaigns discussed in this story.

[https://risky.biz/510_feature/](https://risky.biz/510_feature/)

~~~
idlewords
I think the problem is at DCCC, which is supposed to be the liaison for
Congressional campaigns.

------
forapurpose
I understand the challenges of end users and security, but why not give them
Signal or at least Whatsapp? Email is never going to be secure, regardless,
and many users can handle the new messaging applications.

~~~
idlewords
We do! But then the DCCC emails them an Excel spreadsheet the next day (not
joking).

It's very hard to move people entirely off of email. A big part of campaign
security training is to move people onto Signal or Whatsapp, though, and I'm
glad you brought it up.

------
dboreham
Hmm...reading the headline I thought "Wait...Bob Lord works for them, surely
everyone there has to have an NFC smart card surgically embedded into their
skull at this point, so knowing their passwords is useless??". But then I
realized he's at the DNC and the article is about _campaigns_ which presumably
are separate organizations?

~~~
idlewords
Yeah. Each campaign is its own (tiny) organization. The group that is supposed
to help House campaigns is the DCCC (Democratic Congressional Campaign
Committee) and for Senate campaigns, it's the DSCC (Democratic Senatorial
Campaign Committee).

------
jerkstate
any word on Republican campaign security?

~~~
perlgeek
It is likely that those Republican campaigns aren't any more secure, but that
the threat is somewhat asymmetric.

------
rossdavidh
Reading the phrase "political truffle pig" is a win regardless of anything
else you may think about this article.

~~~
jessaustin
The standard political nomenclature is "bundler", but I don't think I've ever
witnessed a bundler describing himself as such. They prefer euphemism.

~~~
idlewords
You can call me a bundler if you want, but I believe that term means something
different than what I do. This site, of all places, should respect technical
terminology!

~~~
jessaustin
_...I began visiting rural congressional campaigns to help progressive
candidates with fundraising. As a self-employed programmer, I was able to
travel and serve as a kind of political truffle pig for tech workers who
wanted to donate to candidates but didn’t know where to begin._

What would have to change about that description to make it the description of
the actions of a bundler?

~~~
idlewords
My understanding of a bundler is someone who delivers high-dollar donations
aggregated from a bloc of wealthy donors.

I tweet about campaigns and people I don't know give or not based on that. The
modal donation is something like $50.

If that's "bundling", I'm fine with the term. But in my eyes bundling is
showing up at a campaign office knowing how much you can deliver, and from
whom.

~~~
jessaustin
Haha yeah if it's all done through tweets that's a better look...

------
laurentMiguel
I think that's because email, fundamentally, just isn't very secure.

Lots of email servers support fallback to non-encrypted, plaintext
transmission, which can expose entire chains of replies to MITM attacks with a
single message being routed questionably. [0,1,2] End-to-end encryption, via
user-defined keys is _actively discouraged_ by those who might assuredly know
better, and be in a position to change minds. Usually, the cop out comes in
the form of "too complicated for non-technical/less-technical users, and thus
potentially harmful to profits."

As if to say, we've been espousing the use of an insecure method of
communication for decades, so, to suddenly reverse our position, and encourage
bring-your-own-encryption might provoke discussions of liability, or
something. Never mind the premise of ad tech and scanning user messages to
sell data.

But you know, running your own server, and hiring people who can't be bothered
to go deeper than using word art in MS PowerPoint slides, well, hey. Bring a
horse to water... know what I'm saying?

PGP is easy to use. At this point, I'd like to think people are fatigued
enough by the bottomless pit of nightmares we've fallen into, that they'd step
up and tell people: yes, people are using SSH keys and SSL keys billions of
times a day. It's okay to use PGP on your email. Go ahead, start doing it.

Or, you know, whatever. Lose another election. Right?

[0] [https://en.wikipedia.org/wiki/Email_encryption](https://en.wikipedia.org/wiki/Email_encryption)

[1] [https://blog.filippo.io/the-sad-state-of-smtp-encryption/](https://blog.filippo.io/the-sad-state-of-smtp-encryption/)

[2] [https://security.stackexchange.com/questions/51552/how-insecure-is-pop-imap-smtp](https://security.stackexchange.com/questions/51552/how-insecure-is-pop-imap-smtp)
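
The plaintext fallback referenced in [1] above, as an added example that is not part of the thread: a sending MTA doing opportunistic STARTTLS (RFC 3207) trusts whatever the EHLO response says, so an on-path attacker who deletes the `250-STARTTLS` line gets the message in cleartext with no error anywhere. An MTA-STS policy (RFC 8461) turns that into a hard failure. The EHLO responses, the policy text and the host names below are constructed; nothing is sent over the network.

```python
"""Added example: why opportunistic SMTP TLS (STARTTLS) can be silently
downgraded, and how an MTA-STS policy changes the sender's decision.
All EHLO responses and the policy below are constructed; nothing touches
the network. Host names are hypothetical."""
from __future__ import annotations

# Constructed EHLO response from a receiving MTA that offers STARTTLS (RFC 3207).
EHLO_WITH_STARTTLS = (
    "250-mail.example.com Hello sender.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed MTA-STS policy in the RFC 8461 text format, as it would be served
# from https://mta-sts.example.com/.well-known/mta-sts.txt (hypothetical domain).
MTA_STS_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_ehlo(response: str) -> set[str]:
    """Return the extension keywords advertised in an EHLO response."""
    lines = [l for l in response.splitlines() if l.startswith("250")]
    exts = set()
    for line in lines[1:]:  # lines[0] is the greeting, not an extension
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts


def strip_starttls(response: str) -> str:
    """Simulate an on-path attacker (or a misconfigured middlebox) removing the
    STARTTLS offer. Some middleboxes overwrite it with 'XXXXXXXX' instead; the
    effect on an opportunistic sender is the same."""
    kept = [l for l in response.splitlines() if l[4:].split()[:1] != ["STARTTLS"]]
    kept[-1] = "250 " + kept[-1][4:]  # the last line must use the space separator
    return "\r\n".join(kept) + "\r\n"


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the 'key: value' policy file; the mx key may repeat."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def mx_matches(host: str, pattern: str) -> bool:
    """MTA-STS mx matching: exact name, or '*.' covering exactly one label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return label != "" and "." not in label
    return host == pattern


def delivery_decision(mx_host: str, ehlo_response: str, policy: dict | None) -> str:
    """What a sending MTA does next: 'tls', 'plaintext' or 'refuse'.

    Without an enforcing policy this is opportunistic TLS, so a stripped
    STARTTLS line quietly yields plaintext delivery. With an MTA-STS policy in
    enforce mode, a missing STARTTLS or an MX not listed in the policy is a
    hard failure. (A real sender must also validate the MX certificate, which
    is out of scope here.)"""
    offers_tls = "STARTTLS" in parse_ehlo(ehlo_response)
    enforcing = (
        policy is not None
        and policy.get("version") == "STSv1"
        and policy.get("mode") == "enforce"
    )
    if not enforcing:
        return "tls" if offers_tls else "plaintext"
    mx_ok = any(mx_matches(mx_host, p) for p in policy["mx"])
    return "tls" if (offers_tls and mx_ok) else "refuse"


if __name__ == "__main__":
    sts = parse_mta_sts_policy(MTA_STS_POLICY)
    downgraded = strip_starttls(EHLO_WITH_STARTTLS)
    print("opportunistic, honest server      :", delivery_decision("mail.example.com", EHLO_WITH_STARTTLS, None))
    print("opportunistic, STARTTLS stripped  :", delivery_decision("mail.example.com", downgraded, None))
    print("MTA-STS enforce, STARTTLS stripped:", delivery_decision("mail.example.com", downgraded, sts))
    print("MTA-STS enforce, unlisted MX      :", delivery_decision("mx.attacker.example", EHLO_WITH_STARTTLS, sts))
```

Running it prints the four decisions: the honest exchange gives `tls`, stripping one line turns that into `plaintext` with no error, and only the enforcing policy turns the same stripped response into `refuse`. That is why the fix has to be published by the receiving domain (MTA-STS, or DANE where DNSSEC is available) rather than left to the sender noticing.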

~~~
tptacek
PGP addresses literally none of the operational security problems
congressional campaigns have. No matter how you protect individual emails, for
most users (and probably every single congressional campaign staffer) your
email account is still the most important account you have, the key to every
other account you control. And PGP doesn't do a thing about incoming emails
with malicious attachments.

People think PGP is important for campaigns because they want it to be
important, not because there's any empirical evidence that it is important.

~~~
arcliteIndira
Wow, so, you really believe that asking people to lock up their important
messages to you, using a public key that you've provided through a verified,
alternate non-email channel really won't work?

PGP actually does do something about incoming email attachments. It offers the
opportunity to programmatically reject anything that is non-encrypted ASCII
text, and renders malicious files as non-executable ASCII text, when such
policies are properly enforced. At this point, the promiscuous user is
protected from delving deeper into emails. The server can effectively isolate
attachments entirely, by proxying mail delivery, and refusing to decrypt
attachments automatically. This would further defend against account
compromise, through practices that require special handling of attachments.
Email then becomes a medium of communication, rather than file transfer, and
file transfer is pushed to other protocols and applications.

Sort of like a point-and-call policy. Forcing a user to cognitively jump
through hoops to discover the contents of an attachment, when they should
really be using email for the exchange of messages with humans, or automated
control messages, such as multi-factor auth. Doing something like this limits
email to character data only, rather than interpretable instructions. You
know, much in the way we don't execute JavaScript from an email context.

Example:

      -----BEGIN PGP PUBLIC KEY BLOCK-----
       
      mQENBFuPKDYBCAC6xIbamQ3hTFCp8qcu8fLiz8XrSMXod/Xo5/iV/7FbqN8pE6uB
      9EFyrWX1gy6ZNP+EGXrQ017sNcGHL7LquV74m+Z4/CRZlKpHMR2U9WEIhjgfL46c
      vtQP/l9MB39P/VK3xsPXHTWSBiVdDdhWQTTZ5Tl88Zwo5n81ToOMFDLSXqZThlBl
      CjUNOmHt1nLpkUzyn5h8c9/x2gNe/ArD2nY6DewHZCALLSDAEKLqrru+v2N6ABRh
      Ad7GTVaHrD7aM84nlDMYiJmWSbx+IX2i4sxOeescjFPCmgjIuLLfIv94Oc7a6cV/
      O7JzaX5Vyr+wBiHqhG2Xrwo+/V6+hRLv3Aj7ABEBAAG0H2xhdXJlbnQgbWlndWVs
      IDxsbUBleGFtcGxlLmNvbT6JAVQEEwEIAD4WIQRrmP8aKYfcI7jMLtoYF2U5ECzk
      nQUCW48oNgIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAYF2U5
      ECzkneaeCACVHmasl2V+gz2dDKJr3ELuCM82ZGltq44kSj2Wod5KyvAulb8XB4Ox
      d5LXw8rdLuHiGl8vFrPljRO1do+8ahQyPy6Sk5UNb73zi8ujubhLHm/jpSdO5lUO
      ryb/TN4lnBnGSDeYkUtKn2FUr0+i4EgnqAi2L2svQoDwzzyyeWrkXBgqqm1NT0bw
      hbBhQfozdafqvFF3gBfaBqrFpD/KAgHzmTe3YejrD9tJTVJamTsEvmMXNMhaXF3s
      FVqlWGoGr0/17Ft75SyuKj+ssJ7oxeblxhocUum8XvtmVlu8Ee/wxqugApeDLN0x
      6cqEH837QIU6vQgx3mGK7Vv035uRru1yuQENBFuPKDYBCADC1Hea+6AMj7gwNnfX
      tOIJ8X/rKeqw6u3Up1vt7DC3IOrml0AQHk08bklLbXokO/GlW0uUwX/tqKeIz35y
      l+uzqBooR62H99CQc36trN96GD6zxeVYlbMpWdTzPqgxSVmEx9EvfCPhsgCueTz1
      oTJw5SW4dUOHuL3k8R/cEFraJJpigp8PceXJWsxinUTOVSKH1VhWsZaActRRicf4
      Y9GOcEJhgFhNlvVgFW+x/+hYL3vLXeUNTb6UCH6O9X0I+zv03VbLO/GdZFGA3Vps
      MYzzk8y/n93DkAIAD6vCPZAvcOLGMXaEv5GER2Scpv/sgINefh67+ExH/Vc8ZrUl
      C421ABEBAAGJATwEGAEIACYWIQRrmP8aKYfcI7jMLtoYF2U5ECzknQUCW48oNgIb
      DAUJA8JnAAAKCRAYF2U5ECzknTEMB/0ZcvUYZq5IlqsBNYdZjCaXY5KQqWqKnQlW
      jISSM7RmjCQwDqjTgyOVfl19PeVpj63h/tAPTXcsJ31LlpyHUklBVAeQmXuvMRry
      WMfLeHa5nAQmS3VgZNyahFyps+mGFiDChy7Zz14v/bpfUAeqBIY4txVHwT4fLWEM
      M1ZRbu8DcgwUErXt5xe5kOJZRWd8Q/xnspn9Tg+QvdWF67xi4CZ7RTl2+aL8MshT
      051atXtkskDomQD/kNhP757cUuvDBkC4FydP8rztMdNLUiiC0L1R6V4bxhr4Yhsh
      dbf+w0XrcuUaSnaka5TAeh+NCK//CoUsnVF/fun2bJ8bRikMPwxy
      =/JKx
      -----END PGP PUBLIC KEY BLOCK-----
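
The policy sketched in the comment above (accept only encrypted mail, never hand attachments to the client), as an added example that is not the commenter's code: a delivery-time filter that decides on MIME structure alone and holds no key material. The three messages are constructed, with hypothetical addresses and fake ciphertext.

```python
"""Added example: a delivery-time policy filter for the scheme described in the
comment above. It accepts a message only when the whole body is PGP-encrypted
(RFC 3156 PGP/MIME, or a single inline armored message), and otherwise rejects
it and reports which cleartext attachments would have reached the user.
Nothing is decrypted; the filter looks at MIME structure only. The three
messages are constructed, with hypothetical addresses and fake ciphertext."""
from __future__ import annotations

from email import message_from_string, policy
from email.message import EmailMessage

PGP_BEGIN = "-----BEGIN PGP MESSAGE-----"
PGP_END = "-----END PGP MESSAGE-----"

# Constructed RFC 3156 PGP/MIME message (the ciphertext is not real).
PGP_MIME = """\
From: alice@example.com
To: bob@example.com
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkIGNpcGhlcnRleHQsIG5vdCByZWFs
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

# Constructed inline-armored message.
INLINE_PGP = """\
From: alice@example.com
To: bob@example.com
Subject: call me
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkIGNpcGhlcnRleHQsIG5vdCByZWFs
=AbCd
-----END PGP MESSAGE-----
"""

# Constructed cleartext message carrying a macro-enabled spreadsheet.
CLEARTEXT_WITH_ATTACHMENT = """\
From: staff@example.org
To: bob@example.com
Subject: Voter file export
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Spreadsheet attached, see tab 2.

--b2
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="export.xlsm"
Content-Disposition: attachment; filename="export.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==

--b2--
"""


def is_pgp_mime(msg: EmailMessage) -> bool:
    """RFC 3156: multipart/encrypted with protocol application/pgp-encrypted
    and exactly two parts, the version part and the armored ciphertext."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if str(msg.get_param("protocol", "")).lower() != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    return (
        isinstance(parts, list)
        and len(parts) == 2
        and parts[0].get_content_type() == "application/pgp-encrypted"
        and parts[1].get_content_type() == "application/octet-stream"
    )


def is_inline_pgp(msg: EmailMessage) -> bool:
    """A single text/plain part whose entire body is one armored message;
    any cleartext around the armor fails the check."""
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return False
    body = msg.get_content().strip()
    return body.startswith(PGP_BEGIN) and body.endswith(PGP_END)


def cleartext_attachments(msg: EmailMessage) -> list[str]:
    """Filenames of parts a mail client would offer to open or save."""
    return [part.get_filename() or "(unnamed)" for part in msg.walk() if part.is_attachment()]


def classify(raw: str) -> tuple[str, list[str]]:
    """Return (verdict, quarantined_attachment_names).

    'encrypted' and 'inline-encrypted' are delivered as opaque text for the
    user to decrypt; 'reject' means cleartext reached the filter. Attachments
    are never passed through, which is what pushes file transfer off email."""
    msg = message_from_string(raw, policy=policy.default)
    if is_pgp_mime(msg):
        return "encrypted", []
    if is_inline_pgp(msg):
        return "inline-encrypted", []
    return "reject", cleartext_attachments(msg)


if __name__ == "__main__":
    for name, raw in [("PGP/MIME", PGP_MIME), ("inline", INLINE_PGP),
                      ("cleartext+xlsm", CLEARTEXT_WITH_ATTACHMENT)]:
        print(f"{name:15s} -> {classify(raw)}")
```

What this buys and what it does not: the cleartext `.xlsm` never reaches the user, and the filter needs no keys, so it can sit in front of the mailbox as the comment describes. It says nothing about what the armored blob decrypts to, and it relies on the recipient's public key having been distributed out of band, as the comment assumes.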

~~~
laurentMiguel
You can downvote all you want, but you're simply matadoring behavioral issues
as if they are technical hurtles, and that's dishonest.

~~~
pvg
"Matadoring the technical hurtles" should be some startup's slogan.

~~~
kasey_junk
Matadoring behavioral issues is my band's name.

