
Nearly all 2020 presidential candidates aren’t using a basic email security - sahin-boydas
https://techcrunch.com/2019/04/30/dmarc-presidential-candidates/
======
andjd
> just one presidential hopeful — Democratic candidate Elizabeth Warren — uses
> domain-based message authentication, reporting, and conformance policy — or
> DMARC.

Another reason that Warren is my favorite of the Democratic candidates right
now. It's telling that the candidate with the most tech savvy is also the one
proposing to break up the FAANGs for antitrust abuses.

~~~
simonh
I'm not at all clear what a break up means. How do you break up a monolithic
single platform like Facebook? Maybe spin off the messaging stuff but who
cares about that? Google is tricky too, you could separate ad-driven search
from everything else, but then the everything else bits would just die. How
would that benefit users?

Basically picking off bits of the edges of these services is just pointless,
but splitting up the core service also seems crazy. It's like splitting up a
car company by separating out the bit that makes the engines from the bit that
makes the chassis.

I can see it with Amazon splitting AWS from the store, but in that case both
would just do fine thank you very much. Again, I'm not seeing any material
benefits to anybody. I suppose it's possible profits from the store would be
prevented from subsidising AWS, which might benefit competition. This is the
only one that makes a lick of sense but it's not really a big problem to fix
IMHO.

So what are the actual proposals, or are they just vague pontificating at this
stage?

~~~
kristianc
> I'm not at all clear what a break up means. How do you break up a monolithic
> single platform like Facebook? Maybe spin off the messaging stuff but who
> cares about that?

Facebook's platform is already pretty well broken up: you have IG, WhatsApp,
the core News Feed, Messenger.

Warren's argument isn't so much that breaking the big tech companies up would
benefit consumers in itself, but that breaking them up would enable competing
services to emerge (in the same way, she argues, that breaking up Microsoft
enabled Facebook and Google to emerge).

It's easy to forget now but in 1998 Windows was pushing Active Desktop pretty
hard and MSFT were making a big play to make the Internet something which you
consumed via the Windows desktop and via Microsoft owned products.

It's not clear that competition necessarily _would_ emerge from more
constraints on large tech companies, but it's probably true that Facebook
making a "WeChat" type play would not be a good thing for the Open Web or
competition in any way.

~~~
AnimalMuppet
> (in the same way, she argues, that breaking up Microsoft enabled Facebook
> and Google to emerge).

Is this a reference to the consent decree? Microsoft wasn't actually broken
up, not that I recall. Nor did the consent decree permit Google to emerge - it
was emerging anyway, and before the consent decree.

What are they actually talking about here?

------
AdmiralAsshat
I'd put this in a different category than 2FA, password manager, or basic
"watch out for phishing emails" training. All of those things can be enacted by
the individual end-user if the organization doesn't enforce it. But it doesn't
look like DMARC is something the individual can turn on or off--it's
completely on their IT to set it up.

I'm not sure how easy it is to set up, either. Assuming they're paying for
Office 365 or G-Suite for outlook/gmail on campaign domains, is that something
that Microsoft and/or Google will turn on automatically for you?

~~~
twunde
Email security enforcement is not turned on automatically, but is relatively
easy to set up for GSuite or Office365. Typically the easiest implementation
is to create a DNS validation record. With that caveat, SPF and DKIM are
easier to set up, because it's just creating a validation record. DMARC
typically means that you're now getting 10-20 emails a day from major email
providers all containing XML files that need to be analyzed. There aren't a
ton of good solutions to analyze the contents of the XML files.

~~~
medmunds
Postmark has a free service that will handle the DMARC XML analysis for you,
sending you a human-readable summary report once a week. (You don't have to be
sending through Postmark to use it; I've been surprised at how many spammers
attempt to spoof my personal domains.)

[http://dmarc.postmarkapp.com/](http://dmarc.postmarkapp.com/)

------
lostphilosopher
I see this as a reflection of the candidates' ability to find and listen to
experts. I don't expect a candidate to understand how to do tech "right" -
I'm in the industry and still get half of it wrong! However, when you're
running a multi million dollar campaign you can afford to bring in experts to
set this stuff up and audit your practices. In fact, I assume these candidates
are already doing this and that if they are still not following some basic
best practices it's because they are actively ignoring the experts they
brought on to help them. That's what worries me. If they can't find or listen
to these people now, what makes me think they'll be able to in office?
(Related: "The internet is not a big truck...")

------
jeffreyrogers
This stuff is easy to set up (in G Suite you can do it in an hour or two if you
know what needs to be done), but like most computer security best practices,
the knowledge is out there but not well distributed, and not in the hands of
the people who need to know it.

------
js2
I enabled dmarc for my domain about a year ago enabling just reporting. So I
get a dmarc report or two emailed to me daily. I have yet to actually check
the reports.

Can anyone recommend a free or cheap service or something I can run myself to
summarize dmarc reports?

edit: this Quora mentions some free services:

[https://www.quora.com/What-is-the-best-way-to-make-an-analys...](https://www.quora.com/What-is-the-best-way-to-make-an-analysis-of-DMARC)

And I found this on Github:

[https://github.com/techsneeze/dmarcts-report-viewer](https://github.com/techsneeze/dmarcts-report-viewer)

Any other recs?
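
The DMARC aggregate reports discussed in this thread (the daily XML files twunde and js2 mention) can be summarized with a short script. This is an added example, not part of any comment or of the linked tools; it assumes the RFC 7489 aggregate-report layout, and the sample report, the function names and the IP addresses are constructed for illustration.

```python
import gzip
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers></record>
</feedback>"""

def load_report(data: bytes) -> ET.Element:
    """Accept a plain or gzip-compressed report body (hypothetical helper)."""
    # Reports are untrusted mail attachments; a hardened parser such as
    # defusedxml is a reasonable swap for ElementTree here.
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    return ET.fromstring(data)

def summarize(root: ET.Element) -> dict:
    """Count messages per source IP by DMARC outcome."""
    sources = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip", "unknown")
        count = int(rec.findtext("row/count", "0"))
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        results = (rec.findtext("row/policy_evaluated/dkim"),
                   rec.findtext("row/policy_evaluated/spf"))
        sources[ip]["pass" if "pass" in results else "fail"] += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "passed": sum(s["pass"] for s in sources.values()),
        "failed": sum(s["fail"] for s in sources.values()),
        # Failing sources are either spoofers or legitimate senders
        # not yet covered by the domain's SPF/DKIM setup.
        "failing_sources": sorted(ip for ip, s in sources.items() if s["fail"]),
    }

if __name__ == "__main__":
    print(summarize(load_report(SAMPLE_REPORT.encode())))
```

Reviewing the failing sources while the policy is still `p=none` shows which legitimate senders need SPF or DKIM coverage before moving to `quarantine` or `reject`.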

------
dontbenebby
> _I see this as a reflection of the candidates' ability to find and listen to
> experts._

The problem isn't finding experts. There's a lot of smart, well intentioned
people in DC. (For example, everyone I met from 18F impressed me greatly, and
nonprofit organizations like Mozilla have a presence in DC)

The problem is that both congressional offices and political campaigns are
_extremely_ hierarchical.

The culture in a political campaign or senate office is that junior staffers
are supposed to be given orders and figure out how to implement them - not
suggest different sets of orders.

~~~
daveFNbuck
It's easy to find experts, but not everyone does. Some politicians prefer
loyalty to expertise. At least one candidate was able to overcome the
hierarchy of her campaign and get basic email security.

~~~
bluGill
Was that luck though, or active intent?

------
lawlessone
To be fair I don't think the incumbent needs to be worried about that.

------
idlewords
Say what you will about Hillary Clinton—at least that woman could run an email
server.

~~~
lohszvu
Do you really think she was the one running it?

------
astazangasta
I am sure I will get hundreds of downvotes for this but I still don't accept
that the Russians targeted the DNC. Wikileaks says otherwise, the only people
who examined the servers are a nakedly anti-Russian security outfit hired by
the DNC and to date zero hard evidence has been presented this is true. There
are so many holes in this narrative, and given the total lack of credibility
the press has after the Russiagate collusion story we shouldn't also allow this
piece to slip through as accepted fact.

~~~
belltaco
There's some substantial evidence.

[https://nos.nl/nieuwsuur/artikel/2213767-dutch-intelligence-...](https://nos.nl/nieuwsuur/artikel/2213767-dutch-intelligence-first-to-alert-u-s-about-russian-hack-of-democratic-party.html)

[https://arstechnica.com/tech-policy/2018/03/dnc-lone-hacker-...](https://arstechnica.com/tech-policy/2018/03/dnc-lone-hacker-guccifer-2-0-pegged-as-russian-spy-after-opsec-fail/)

~~~
astazangasta
I've read both those accounts. The Dutch intelligence bit is unrelated to the
DNC; they claim the same outfit they were surveilling is involved. They did
not observe the Russians hacking the DNC. Read the story carefully to see the
timing.

As for Guccifer, the evidence indicates he operates out of CST (based on
tweets and uploaded file timestamps), hardly where a Russian hacker would be
situated.

These are both pretty weak as evidence, not what I'd call substantial.

~~~
belltaco
And yet Wikileaks' denial of them getting the emails from Russia without any
proof whatsoever is somehow not weak? How would Wikileaks even verify that
they were not dealing with a stooge of Russian intelligence?

~~~
astazangasta
Easy: they would have direct correspondence with the leaker and could easily
validate it's a DNC insider. To be clear, I don't consider this to be strong
evidence, I just consider it to be counterevidence that should cause us to be
suspicious of the main narrative.

Meanwhile, of the above two articles, one (the Dutch intelligence bit) has
nothing to do with the DNC. This leaves only a rather shady character,
Guccifer 2.0, whose actions are pretty unprecedented in history: a hacker who
announces what they did, seeks interviews, and crows on social media.

Why, exactly, would Russian intelligence set up such a persona? If their
intent is to aid Wikileaks, why would they undermine the Wikileaks narrative
that it was a leak, not a hack? Guccifer makes no kind of sense unless we
believe that his entire purpose is to point the finger back at the Russians,
as he quickly succeeded in doing.

