"Democratic office broken into, laptops stolen"
That happened more than once in 2004. Democratic campaign secrets put in jeopardy because our local offices have no security plan whatsoever. It's been speculated in one case that the stolen data was used for a voter roll purge. This, in spite of us knowing full well that these sorts of things do happen.
If Dean wants to build the state parties, I hope he's reading dKos tonight, because here's a point-by-point plan on how he could be the one to fix it.
It was suggested to me since I'm a resident dKos alpha-geek that I should post a few dairies on computer security. Well, maybe I'll get around to posting something for general consumption eventually, but I'm kind of hamstrung in that "I don't do Windows" so people usually tune me out at my first piece of advice: ditch MicroSoft. I could probably secure a Windows box in a pinch, but I'm not the guy to go to for advice on that.
Instead I'm going to tackle the above: the avoidable disaster constituted by the act of allowing Democratic campaign secrets and otherwise useful data to fall into the hands of anyone bold enough to throw a brick through a streetside window after paying off the cops. (I still maintain that they should ditch Microsoft, but the below plan could be applied whether or not they wanted to do that.)
- The DNC should have a standard campaign computing "package."
- The DNC should hire someone to develop a standard software package for use in campaign operations. Any PC to be used in a campaign operation where sensitive data is to be kept would be wiped clean and installed fresh with this package. It would include:
- Base operating system with all recent security patches
- Office Suite with security tweaks
- E-mail client with integrated, user-friendly encryption
- Ecrypted file transfer utility
- "Phone home" boobytraps to catch anyone who steals it
- All uneccessary services turned off
- "Fun" software disabled or removed to discourage frivolous use
- Encrypted data file directory, accessible only by password activation
- Inactivity lockup, periodic password recheck
- Fake decoy data files
- Roadblocks to make it difficult for staffers to install unauthorized software
- Logging system to keep evidence of attempted remote attacks
- Encryption trusted key ring
I'm not going to get into the specifics of each of these, but have some recommendations on several that I would share with the DNC if they wanted to investigate this proposal, especially in the area of the "phone home" boobytraps.
This should not be done by some glossy "professional security" business firm but two or three vetted, trusted uber-hacker friends of vetted, trusted, loyal dems.
- The DNC should then train campaign office workers
- As security provisions are barely effective if proper protocols are not observed by those using them, the DNC would then ship a few people around the country to install the software and train campaign office workers, both in the use of the software, and in the proper precautions to take:
- Who is allowed to access the laptop and why
- Proper post-use document destruction
- Proper risk mitigation when information is given to low-level volunteers
- Proper office security (a safe would be nice.)
- Make them choose and memorize proper passwords
- The DNC should have a designated national incident helpdesk
- The DNC should have on staff during campaigns a person or persons who are prepared to handle incidents of data theft. That would include:
- Fielding phone-home traps and alerting local offices
- Advising local offices what to do in the event of a theft
- Working with local offices to assess damage to campaign
- Getting law enforcement involved and providing them with clues
- Handling/exploiting PR surrounding incidents
- Dealing with any generic user problems with the package
Now this may seem like a big expensive endeavor, but the whole deal doesn't have to cost more than a couple hundred thousand (excluding locally-provided hardware) -- the Democrats have a base of unemployed, angry computer professionals to draw on that would probably jump at a chance to work cheap for a good cause (or at all!). That is, if and only if the DNC folks can manage to resist the temptation to call in their slick "professional security" firms from industry run by their old frat brothers and shovel money at them.
So what do we say -- Dean, you listening up?