Bernie Sanders
From the tech community on /. about the DNC "breakin"
by Chris Johnson (580)
NGP-VAN, the company that stores this data, which is run by an old Clinton hand who worked for them in 1992, the company paid $34,000 by Ready For Hillary, was repeatedly dropping their firewall between the two major Dem campaigns, Clinton and Sanders.
A guy who's now fired from the Sanders team observed this. They complained once and were given assurances by the company that it was a mistake and wouldn't happen again. Then it happened again. The guy decided to gauge how deeply the Clinton campaign was able to read into the Sanders campaign, by experimenting to see how much of the Clinton data he could get. That's a bad call but by information security standards it's not unthinkable: it'd be called a white hat intrusion, seeing how much of the firewall was down by probing the other side and assuming your own data was revealed exactly the same way. It does matter, but you still have to fire the guy.
One thing we can be sure of is, anything open to stealing on the Clinton side was just as open on the Sanders side, literally. It's the same system and the same firewall, and if the firewall keeps mysteriously going down for no good reason you have to wonder what's up and more relevantly what's being made available to those on the other side of the firewall, which might explain why the firewall's going down like that.
The Sanders people did NOT throw a fit the first time this happened. But this time, the Sanders guy got caught crossing the nonexistent firewall. We have no information at all on whether anybody from the Clinton side was doing the same thing. During that time there WAS NO firewall and the guy wasn't hacking, he was browsing, as anybody on either side could have done during those windows.
I think that's accurate so far. The behavior of the firewall is important, whether or not it's suspicious as a planned exploit of the Sanders data run by Clinton people who are at the DNC and at NGP-VAN.
In response to the Sanders guy browsing over and seeing data (how do they know? Because HE TOLD THEM. The Sanders team were the ones reporting this, that's part of the story), the DNC suspended access by the Sanders campaign to THEIR OWN DATA at a crucial time. In order to get access back, at least as of this morning, the requirement is for the Sanders campaign to prove it has destroyed all data that it didn't necessarily even download (remember, Sanders guy claims he was exploring the Clinton system because it would mirror the vulnerability of the Sanders system, and he's not IN the Clinton system to go and browse the Sanders side to see how much is revealed, but he was IN the Sanders side and could look at the Clinton side and reasonably conclude that his own side was equally compromised).
And social media is blowing the hell up, not unreasonably, because it's a goddamn hatchet job combined with a kneecapping to yank access by the Bernie campaign to its OWN DATA because a guy from the Bernie campaign passively browsed through a firewall he didn't himself disable, a firewall run by a company controlled by Clinton partisans which had been going down already for reasons unknown.
http://politics.slashdot.org/story/15/12/18/1536245/bernie-sanders-campaign-blocked-from-dnc-voter-info-after-improper-access#comments
appalachiablue
(41,146 posts)
Unfortunately, neither of the 2 MSNBC shows I watched tonight had any explanation close to this or people with tech experience to explain, but they're pundits. Chuck Todd was surprisingly sharp with the DNC Communications Director he interviewed at 5 PM.
Lithos
(26,403 posts)
For someone from the Sanders campaign to be able to access the shared database which included what Clinton's team had supplied implies the data was stored in the same instance. Firewalls do not come into effect at this level.
To access a different instance would mean knowledge of the particular connection details to this instance. Also in a proper environment, instances are secured by specific user ids which would ideally *never* be shared, especially in such a common thing.
This would be true for any SQL (Oracle, DB2, SQL Server, etc.) and non-SQL database (Cassandra, Hadoop, etc.)
There is something not being told here.
L-
LiberalArkie
(15,719 posts)
And in my thinking the system had to have been set up in the beginning to be able to be "gamed" since you are supposed to have access to certain data or you're not. When they sent through the "buggy" patch that removed the permissions to allow HRC to go into Sanders stuff and then they sent another "Patch" to put the permissions back in place.
But I am too old to know much about how it's done these days.
Lithos
(26,403 posts)
SQL or Non-SQL - no patch would open you up like that. Typically such access is granted by an external data authorization/authentication service such as Kerberos or LDAP or is stored internally in the database itself in a data table. No patch would change the connection to Kerberos or LDAP or would alter the data of the database itself.
L-
LiberalArkie
(15,719 posts)
it and then close it off again with another "patch" or authorization file.
Lithos
(26,403 posts)
In a database, access is typically granted either by an internal mechanism maintained in an internal database table, or via an external source such as Kerberos or LDAP. Patches update binary (executable) code, but not data.
So, for the two possible data access methods - either two instances, or a single shared instance, access/authorization would go like this:
1) Two separate database instances. For the non-technical (and please forgive me those who are technical). This would require two different connections (think of URLs) with two different users. Sort of like accessing "Discussionist.com" vs "DemocraticUnderground.com" - In a proper environment, Sanders would never have access to this. (i.e., HillaryDatabase.com) while Sanders would only have access to "SandersDatabase.com"
2) One database instance. I.e., this would be equivalent to two different topics where you would have a Hillary Forum and a Bernie Sanders forum where access is controlled by the Forum admins. I.e., a private, invite-only forum. Access is controlled by either database settings, or by an external access control system such as Active Directory/LDAP/Kerberos.
For case (1) - there is no way that a patch would compromise this as the Sanders team would be completely isolated from this w/ no possible access. Access and knowledge of the second instance would have to be deliberately given. Doubtful.
For case (2) - This implies that someone tampered with the access capabilities in the database.
LiberalArkie
(15,719 posts)
sent or deleted to enable or disable security protocols. The patch being something along the lines of a .conf file.
Lithos
(26,403 posts)
It would mean things which updated the database to update ACLs.
I.e., in SQL terms - GRANTS
L-
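Added example, not part of the thread or any poster's code: the single-shared-instance case described above, written for PostgreSQL, showing isolation set by GRANTs, an ACL change that breaks it, and an audit query that finds cross-tenant privileges. The role, schema and table names (`campaign_a`, `campaign_b`, `voter_scores`) are hypothetical.

```sql
-- Constructed example: one shared PostgreSQL instance holding two tenants.
-- All role, schema and table names below are hypothetical.
CREATE ROLE campaign_a_staff NOLOGIN;
CREATE ROLE campaign_b_staff NOLOGIN;

CREATE SCHEMA campaign_a;
CREATE SCHEMA campaign_b;
CREATE TABLE campaign_a.voter_scores (voter_id bigint PRIMARY KEY, score int);
CREATE TABLE campaign_b.voter_scores (voter_id bigint PRIMARY KEY, score int);

-- Intended state: each role can read only the tables in its own schema.
GRANT USAGE ON SCHEMA campaign_a TO campaign_a_staff;
GRANT USAGE ON SCHEMA campaign_b TO campaign_b_staff;
GRANT SELECT ON ALL TABLES IN SCHEMA campaign_a TO campaign_a_staff;
GRANT SELECT ON ALL TABLES IN SCHEMA campaign_b TO campaign_b_staff;

-- The kind of change that removes the separation: an update to the ACL
-- data stored in the database, not a change to executable code.
GRANT USAGE ON SCHEMA campaign_b TO campaign_a_staff;
GRANT SELECT ON campaign_b.voter_scores TO campaign_a_staff;

-- Audit (run as a superuser or as the grantor so every row is visible):
-- table privileges held by a campaign role outside its own schema.
-- The grantor column records which role issued each grant.
SELECT grantee, table_schema, table_name, privilege_type, grantor
FROM information_schema.table_privileges
WHERE grantee::text LIKE 'campaign\_%\_staff'
  AND table_schema::text LIKE 'campaign\_%'
  AND grantee::text <> table_schema::text || '_staff'
ORDER BY grantee, table_schema, table_name;

-- Remediation once a stray grant is found.
REVOKE SELECT ON campaign_b.voter_scores FROM campaign_a_staff;
REVOKE USAGE ON SCHEMA campaign_b FROM campaign_a_staff;
```

With the stray grant in place the audit returns one row: `campaign_a_staff` holding `SELECT` on `campaign_b.voter_scores`; after the two `REVOKE` statements it returns none.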
mackerel
(4,412 posts)
That is exactly what I said when my mother explained this all to me.
Fawke Em
(11,366 posts)
Here: http://www.democraticunderground.com/?com=view_post&forum=1251&pid=912986
Didn't say much, but I honestly believe this was a feature (to the Clinton campaign) and not a bug. It's just that Bernie's folks are all far more tech savvy than the Clinton team thought they were and figured it out.
Doctor_J
(36,392 posts)
Probably why the party is circling the drain.
SmittynMo
(3,544 posts)
Whom from NGP-VAN will be terminated for their failure to secure the firewall?
Flying Squirrel
(3,041 posts)
For the word "who" to be used in a grammatically correct manner.
SmittynMo
(3,544 posts)
I thought about it afterwards. As I get older, the brain cells aren't what they used to be.