Comments on: Blue Harvest? http://www.blogpi.net/blue-harvest Putting the blogosphere under a magnifying glass Thu, 18 Mar 2010 06:21:18 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Rightroots, Big Red Tent and Slatecard: An Assessment at Blog P.I. http://www.blogpi.net/blue-harvest/comment-page-1#comment-113646 Rightroots, Big Red Tent and Slatecard: An Assessment at Blog P.I. Mon, 03 Dec 2007 06:10:23 +0000 http://www.blogpi.net/blue-harvest#comment-113646 <p>[...] ActBlue, the conservative, Republican-aligned newcomer ABC PAC/Rightroots, attendant security issues and flawed coverage often (but not exclusively) in the Washington Post. The last time I wrote about [...]</p> [...] ActBlue, the conservative, Republican-aligned newcomer ABC PAC/Rightroots, attendant security issues and flawed coverage often (but not exclusively) in the Washington Post. The last time I wrote about [...]

]]> By: JSPS http://www.blogpi.net/blue-harvest/comment-page-1#comment-30273 JSPS Thu, 22 Feb 2007 06:34:42 +0000 http://www.blogpi.net/blue-harvest#comment-30273 <p>Thank goodness Sandy Berger was out of town.</p> Thank goodness Sandy Berger was out of town.

]]> By: Not Paul Begala http://www.blogpi.net/blue-harvest/comment-page-1#comment-30236 Not Paul Begala Thu, 22 Feb 2007 03:55:30 +0000 http://www.blogpi.net/blue-harvest#comment-30236 <blockquote>"Most campaigns salt their lists (i.e. put bogus records into their database) so they can a) tell when mail is received after it drops and b) tell if someone has stolen their data. If you start getting mail addressed to a fictitious name that only appears in your database, you can tell your data has been compromised.</blockquote> <p>I've mostly heard of the FEC doing that to catch campaigns using public records, but not to many campaigns. Unless it's a really big campaign that is very cognizant of the value of their data, you don't usually see that. Even with mail delivery, cutting edge campaigns are able to to track indvidual deliveries (down to the DDU at least), so that's not even necessary anymore.</p>

“Most campaigns salt their lists (i.e. put bogus records into their database) so they can a) tell when mail is received after it drops and b) tell if someone has stolen their data. If you start getting mail addressed to a fictitious name that only appears in your database, you can tell your data has been compromised.

I’ve mostly heard of the FEC doing that to catch campaigns using public records, but not to many campaigns. Unless it’s a really big campaign that is very cognizant of the value of their data, you don’t usually see that. Even with mail delivery, cutting edge campaigns are able to to track indvidual deliveries (down to the DDU at least), so that’s not even necessary anymore.

]]> By: Timothy http://www.blogpi.net/blue-harvest/comment-page-1#comment-30157 Timothy Wed, 21 Feb 2007 20:43:45 +0000 http://www.blogpi.net/blue-harvest#comment-30157 <p><em>I don’t understand. What do you have to do to “steal” data other than viewing it?</em></p> <p>Disable its DRM and share it on limewire?</p> I don’t understand. What do you have to do to “steal” data other than viewing it?

Disable its DRM and share it on limewire?

]]> By: Ian http://www.blogpi.net/blue-harvest/comment-page-1#comment-30144 Ian Wed, 21 Feb 2007 20:25:22 +0000 http://www.blogpi.net/blue-harvest#comment-30144 <blockquote>After resolving the prolem we combed through the logs of reports accessed during the window, and the most likely case is that reports were only accessed by those who should have seen them and perhaps a few curious users (such as your source) who might have explored a link they hadn’t seen before and done nothing with the data. However, there is no way for us to completely rule out the contrary cases.</blockquote> <p>Sure there is. This guy either doesn't understand the technical side of things or is BSing. You can examine the web server logs and see every individual request made, allowing you to trace back and see exactly what every client requested. <a href="http://toolbar.netcraft.com/site_report?url=http://www.actblue.com" rel="nofollow">According to Netcraft</a>, ActBlue uses lighttpd, which of course has access logging capabilities. If the administrative features only appeared for logged in users then they could easily see exactly which users saw what data.</p> <p>Whatever the case, they must have some awful developers if something like this happened. Either the user authentication/privilege system was disabled or a number of users were erroneously marked as administrators. Either way it's a pretty big screw-up.</p> <p>And I don't see why CSV files would be difficult to handle. If you know how to view an Excel file then you know how to view a .csv.</p> <blockquote>The article doesn’t say anywhere that any data was stolen, only that it in this case it was viewed and screenshots were taken- just to clarify.</blockquote> <p>I don't understand. What do you have to do to "steal" data other than viewing it?</p>

After resolving the prolem we combed through the logs of reports accessed during the window, and the most likely case is that reports were only accessed by those who should have seen them and perhaps a few curious users (such as your source) who might have explored a link they hadn’t seen before and done nothing with the data. However, there is no way for us to completely rule out the contrary cases.

Sure there is. This guy either doesn’t understand the technical side of things or is BSing. You can examine the web server logs and see every individual request made, allowing you to trace back and see exactly what every client requested. According to Netcraft, ActBlue uses lighttpd, which of course has access logging capabilities. If the administrative features only appeared for logged in users then they could easily see exactly which users saw what data.

Whatever the case, they must have some awful developers if something like this happened. Either the user authentication/privilege system was disabled or a number of users were erroneously marked as administrators. Either way it’s a pretty big screw-up.

And I don’t see why CSV files would be difficult to handle. If you know how to view an Excel file then you know how to view a .csv.

The article doesn’t say anywhere that any data was stolen, only that it in this case it was viewed and screenshots were taken- just to clarify.

I don’t understand. What do you have to do to “steal” data other than viewing it?

]]> By: Molly http://www.blogpi.net/blue-harvest/comment-page-1#comment-30098 Molly Wed, 21 Feb 2007 16:55:49 +0000 http://www.blogpi.net/blue-harvest#comment-30098 <p><i>The real danger inherent in the ActBlue data being stolen is the fact that it’s direct from the source, so there would be no way to know if someone had pilfered your donor data.</i></p> <p>The article doesn't say anywhere that any data was stolen, only that it in this case it was viewed and screenshots were taken- just to clarify.</p> The real danger inherent in the ActBlue data being stolen is the fact that it’s direct from the source, so there would be no way to know if someone had pilfered your donor data.

The article doesn’t say anywhere that any data was stolen, only that it in this case it was viewed and screenshots were taken- just to clarify.

]]> By: Turk http://www.blogpi.net/blue-harvest/comment-page-1#comment-30093 Turk Wed, 21 Feb 2007 16:25:12 +0000 http://www.blogpi.net/blue-harvest#comment-30093 <p>Most campaigns salt their lists (i.e. put bogus records into their database) so they can a) tell when mail is received after it drops and b) tell if someone has stolen their data. If you start getting mail addressed to a fictitious name that only appears in your database, you can tell your data has been compromised.</p> <p>The real danger inherent in the ActBlue data being stolen is the fact that it's direct from the source, so there would be no way to know if someone had pilfered your donor data.</p> Most campaigns salt their lists (i.e. put bogus records into their database) so they can a) tell when mail is received after it drops and b) tell if someone has stolen their data. If you start getting mail addressed to a fictitious name that only appears in your database, you can tell your data has been compromised.

The real danger inherent in the ActBlue data being stolen is the fact that it’s direct from the source, so there would be no way to know if someone had pilfered your donor data.

]]> By: Andrew Pass http://www.blogpi.net/blue-harvest/comment-page-1#comment-30066 Andrew Pass Wed, 21 Feb 2007 14:45:13 +0000 http://www.blogpi.net/blue-harvest#comment-30066 <p>I think you are absolutely correct. Security issues will be a fact of life forever. But actually, this probem just creates an opportunity for people to be creative and develop new ways to eliminate the threat. I don't have the slightest idea as to where to begin. or actually continue since the process began a long time ago. But, thankfully many others would. </p> <p>Andrew Pass http://www.pass-ed.com/Living-Textbook.html</p> I think you are absolutely correct. Security issues will be a fact of life forever. But actually, this probem just creates an opportunity for people to be creative and develop new ways to eliminate the threat. I don’t have the slightest idea as to where to begin. or actually continue since the process began a long time ago. But, thankfully many others would.

Andrew Pass
http://www.pass-ed.com/Living-Textbook.html

]]>