The Nerds Weigh In On the DNC 'Data Breach'

The situation between the DNC and the Sanders campaign seems to have reached some kind of resolution. While that's good to hear, it doesn't mean all questions have been answered about what actually happened.

Some of the comments in a discussion of the story at slashdot are rather interesting, in that they bring up more technical awareness of what happened, or didn't happen, than the media has generally been able to present.

Here's a selection:

From what the news stories are saying, this firewall-dropping was happening repeatedly. So:

NGP-VAN, the company that stores this data, which is run by an old Clinton hand who worked for them in 1992, the company paid $34,000 by Ready For Hillary, was repeatedly dropping their firewall between the two major Dem campaigns, Clinton and Sanders.

A guy who's now fired from the Sanders team observed this. They complained once and were given assurances by the company that it was a mistake and wouldn't happen again. Then it happened again. The guy decided to gauge how deeply the Clinton campaign was able to read into the Sanders campaign, by experimenting to see how much of the Clinton data he could get. That's a bad call but by information security standards it's not unthinkable: it'd be called a white hat intrusion, seeing how much of the firewall was down by probing the other side and assuming your own data was revealed exactly the same way. It does matter, but you still have to fire the guy.

One thing we can be sure of is, anything open to 'stealing' on the Clinton side was just as open on the Sanders side, literally. It's the same system and the same firewall, and if the firewall keeps mysteriously going down for no good reason you have to wonder what's up and more relevantly what's being made available to those on the other side of the firewall, which might explain why the firewall's going down like that.

The Sanders people did NOT throw a fit the first time this happened. But this time, the Sanders guy got caught crossing the nonexistent firewall. We have no information at all on whether anybody from the Clinton side was doing the same thing. During that time there WAS NO firewall and the guy wasn't hacking, he was browsing, as anybody on either side could have done during those windows.

I think that's accurate so far. The behavior of the firewall is important, whether or not it's suspicious as a planned exploit of the Sanders data run by Clinton people who are at the DNC and at NGP-VAN.

In response to the Sanders guy browsing over and seeing data (how do they know? Because HE TOLD THEM. The Sanders team were the ones reporting this, that's part of the story), the DNC suspended access by the Sanders campaign to THEIR OWN DATA at a crucial time. In order to get access back, at least as of this morning, the requirement is for the Sanders campaign to prove it has destroyed all data that it didn't necessarily even download (remember, Sanders guy claims he was exploring the Clinton system because it would mirror the vulnerability of the Sanders system, and he's not IN the Clinton system to go and browse the Sanders side to see how much is revealed, but he was IN the Sanders side and could look at the Clinton side and reasonably conclude that his own side was equally compromised)

And social media is blowing the hell up, not unreasonably, because it's a goddamn hatchet job combined with a kneecapping to yank access by the Bernie campaign to its OWN DATA because a guy from the Bernie campaign passively browsed through a firewall he didn't himself disable, a firewall run by a company controlled by Clinton partisans which had been going down already for reasons unknown.

His volunteer in charge of data caught the vendor with the firewall down, allowing the Clinton campaign access to all of the Sanders data.

This whole thing stinks, it stinks because the co-owner of NGP VAN was Clinton's chief technology officer for her 2008 campaign. If there was proof that her campaign has had access to all of the DNC data during the entire campaign it wouldn't surprise me... It doesn't really mean anything for Clinton's former CTO to say that he pinky-swears that their campaign never accessed the other side. It also makes no sense that anyone running a sensitive system would keep that system online while the firewall is offline for maintenance. If the data is important enough to have a firewall there, then before you take the firewall down you need to make sure that the data isn't going to be accessed or compromised in the meantime.

Let's try a somewhat-analogous scenario as a thought exercise:

I find out that on my bank's website, I can easily see my neighbor's bank account by doing some obvious URL manipulation. I immediately tell the bank that I'm worried about the security of my own account because I know that I could go into anyone else's. The bank locks me, and only me, from accessing any bank accounts, including my own.