After reading all the ignorant comments recently attacking Adria Richards, an IT consultant that was one of the first to blog about the egregious security failures of the Norm Coleman website, I couldn't take it anymore. Shooting the messenger seems to be the modus operandi of many Republicans.
The story has its first origins back in late January when the Coleman campaign claimed very publicly to the media that their website crashed because so many people were coming to their site in support of their election contest and wanting to see if their votes were not being counted. This claim by the Coleman campaign was later proven false by a number of IT professionals and the real reason the site went down was that it was either done on purpose by Coleman's own IT people or accidentally because of an internal misconfiguration.
As an IT professional herself Adria Richards was curious about this story and followed up on it to see if indeed the Coleman campaign had purposely crashed their own website. She stumbled upon something else. She found that Coleman's campaign website was fraught with security problems and blogged about it in late January. Because Adria never actually downloaded any of exposed files she never realized just how sensitive the information found within these files were. A number of other people tried to raise the issue back in January as well. There was no real response from the Coleman campaign about these issues that were brought before them in a very public manner. They of course knew at the time just how sensitive the information was in the exposed files.
Now fast forward six weeks later to Wednesday March 11th. The website Wikileaks.org, which was developed as a whistle-blowing site for untraceable mass document leaking and analysis, posts a page again exposing the egregious security flaws and displays example personal information that was found within an exposed Norm Coleman donor database. As the Wikileaks blog states, "Coleman supporters only know about the issue because of our work. Had it been up to Senator Coleman, they would never have known." There are numerous laws both federal and state that dictate the proper handling of personal credit card information and any security breaches that reveal personally sensitive information. According to Minnesota Law H.F. 1758 what the Coleman campaign did is illegal because they were required to destroy the digital existence of their donor's credit card numbers within 48 hrs of first capture and not permanently store them in a digital form.
In response to what Wikileaks posted, Norm Coleman's campaign spokesman Cullen Sheenan released an email statement to its donors suggesting that the posting by Wikileaks.org was politically motivated and further suggested that people within or associated with Wikileaks.org illegally hacked the Norm Coleman website to obtain the information within the database.
Cullen Sheehan even hinted that the leak might be a work of political sabotage saying, "We don't know if last evening's e-mail is a political dirty trick or what the objective is of the person who sent the e-mail."
But Adria Richards had already revealed weeks prior that the database was just sitting there in an unprotected and rather public way. You just had to stumble into the right part of the internet to find it.
"It's not hacking," she said to the Minnesota Independent yesterday. "I didn't use any hacking tools. A browser was my tool."
"That's not hacking," Richards said. "If you can download Firefox from Firefox.com — if you download a picture from your grandma, you’re downloading a file. Is that hacking? Five-year-olds can download files."
A poster on Adria's website astutely made the following analogy. If a Bank decides to put all your money under a tarp in a public park instead of the bank vault and a passer-by finds the money under the tarp and alerts the media, do you blame the passer-by or do you blame the Bank for their complete incompetence and negligence? As a potential depositor in a bank I would thank the passer-by for letting me know, by way of the media, that this bank can't be trusted to keep my money safe.
Just because the passer-by stumbled upon this cash hidden under the tarp (and by the way doesn't take any) does not justify detractors in trying to claim that the passer-by was trying to steal the Bank's money.
With enough people stumbling around a park someone would eventually find the money.
Cullen continued the "shoot the messenger" mantra and suggested that federal authorities had been brought in to see if there was a security breach. Further they had previously claimed that the Secret Service had determined that no sensitive information had been leaked from the Norm Coleman website. As we know now either that statement is false or the Secret Service is incompetent when it comes to investigating potential cyber-crime.
The real security breach was in allowing Norm Coleman to represent the citizens of Minnesota for the past six years.
As a fellow IT consultant, I deal with security issues almost daily. I see hackers scanning websites, by way of server logs, EVERY day looking for potential openings and exploits. These hackers are using untraceable zombie computer networks from all over the world. Chinese hackers, Romanian hackers and yes many pre-teen hackers from the United Sates. Leaving gigantic security holes in your website exposed for weeks and not taking the appropriate action is inexcusable and an even more egregious offense is to not bother to inform all the donors that their information and credit card numbers were compromised.
All of the security breaches found in Norm Coleman’s website could be easily found automatically with internet scanners very similar to what Google uses to index the entire internet. I can almost guarantee you that there are Chinese and Eastern European hackers that have had this information well before Adria Richards stumbled upon it. And if you think these professional hackers are going to call up Norm’s office and let him know I have some oceanfront property in Iowa to sell you.
1 | 2