
The only thing interesting about this story is that whoever did it got caught. Sort of.

Is there anyone here who really believes that every major campaign organization since, say, 2004 hasn't been completely owned up? What, you think the people that build the software and IT environments for campaigns --- sites that by design have millions of users with persistent accounts, and thousands of staff members at varying levels of privilege --- are the crème de la crème of software security talent?

Because, sure, I mean, everyone I know in software security and pentesting tells me "my first career choice is to go work in IT for the DNC and the GOP", but somehow along the way Google manages after a mighty struggle to outbid the 70k/year cost-center IT organizations offer for security talent.

If there was any interesting "oppo research" on McCain in the DNC servers during the '08 election, I will bet all the money in my pocket versus all the money in yours that the Chinese read all of it long before everyone on the official CC list did.




Is blasé indifference how we respond to national level security breaches now?

If this was somebody's health records, the organization responsible for the disclosure would be under serious investigation (HIPAA), and throwing down retainers to every law firm in town.

Thomas, is it your opinion that those responsible for securing this data shouldn't be held responsible?


I think it's awfully silly to pretend that campaign IT organizations should be falling on their swords when the largest, most-talented, best-funded software security organizations in the industry do only a marginally better job when evaluated by outcome.

But, more importantly: I meant what I said. The only interesting thing about this story is that whoever hacked the DNC got attributed. You think the GOP isn't owned up?


Now? The only thing opensource advocates, hobbyist developers, large tech companies, the "security" industry and the government have been able to consistently agree on for the last 15 years is that there should be little enforcement of quality standards, in contrast with essentially every other industry.


> What, you think the people that build the software and IT environments for campaigns ... are the crème de la crème of software security talent?

No, but I've always considered the competence of the IT people to likely fluctuate wildly from person to person, as I assumed many were politically motivated and donating at least some of their expected compensation level. I think the bigger problem would be that in an organization with lots of volunteers, at least at the lower levels, and that gets at least partially rebuilt every few years, operational security is probably very hard to enforce for multiple reasons.


Who would you say has the crème de la crème of software security talent, and can you with a straight face say that they have not been compromised at some level?

Security is hard, but I wonder if it's P vs NP?


Google, Facebook, Apple, Microsoft. And, no.


No mention of Intel, IOActive, Matasano, Rapid7, FireEye, CheckPoint, Trend Micro, Kaspersky Labs, UCF, JHU, APL, MITRE, and of course, NSA?

Sure, the ones you mentioned have the biggest paychecks. But they won't give you indemnity and extended resources to find weaknesses in critical infrastructure. Some people like breaking bigger toys.


Just the tech giants have the best security people? How about large banks, hedge funds and other financial services, security contractors/private military and governments?


We have large banks blocking pasting in password fields [1], and suggesting users not use password managers.

I'd actually say security research firms have pretty high quality security people, however, and not just the tech giants.

1. http://www.iphoneincanada.ca/news/1password-open-letter-bank...


This doesn't mean all financial institutions are bad at security. Some are cutting edge and hire some of the best.


Goldman Sachs - they're way far ahead of any other large bank or financial services company.


Citadel is one I know for sure is pretty cutting edge, and I'd wager their security can rival any large tech company.


Everyone you know in infosec is also probably not highly motivated to work around politics. Those that do will be trying to work either directly for a campaign, or the DNC, or companies like NGP VAN, the largest tech contractor for Democratic campaigns. Those people are motivated to do their jobs well so their candidate/party will win.

That said, the CIA & NSA probably owned them all up well before, and whoever has them in their pocket will have an upper hand as well. It's not like blackhats and foreign states are the only interested parties.


The interesting implication is that campaign IT has to have protection, similar to the way that the candidates themselves get SS protection.

Further, that private email servers for public function should never be again. The damage wasn't that a classified email was read; it was that any information was read before it was deemed safe for the rest of the world to read.

It's astounding to me that NSA and DHS haven't been all over this for years. Although I suppose if all those systems were secure it would be harder for NSA to spy on their owners.


Watergate comes to mind. That was in 1972.

I'm really not liking the cream comparison for a couple of reasons. One is that I like cream.



