{"id":22162,"date":"2015-12-19T09:56:47","date_gmt":"2015-12-19T14:56:47","guid":{"rendered":"http:\/\/ssgreenberg.name\/PoliticsBlog\/?p=22162"},"modified":"2015-12-19T10:31:54","modified_gmt":"2015-12-19T15:31:54","slug":"silly-comments-about-ngp-vandncsanders-campaign","status":"publish","type":"post","link":"https:\/\/ssgreenberg.name\/PoliticsBlog\/2015\/12\/19\/silly-comments-about-ngp-vandncsanders-campaign\/","title":{"rendered":"Silly Comments About NGP VAN\/DNC\/Sanders Campaign"},"content":{"rendered":"<p>I have seen some silly things said even by Bernie Sanders fans about the NGP VAN\/DNC case. Some of my knowledge about this case comes from having used NGP VAN in the Elizabeth Warren campaign.<\/p>\n<p>The DNC &#8220;wants the data back&#8221; makes no sense to me. Whatever data was taken was copied; the DNC did not lose anything that needs to be given back. NGP\/VAN&#8217;s rationale that their failure was not serious because the breach only allowed &#8220;search and view, but not export&#8221; is equally silly. Have the computer experts at NGP VAN ever heard of taking a screenshot? The person who viewed the data and made a copy did so for the purpose of substantiating the case of what NGP VAN did. What was he supposed to do, go before a judge and say, &#8220;NGP VAN exposed the data, but I can&#8217;t prove it to you because making a copy for evidence would be a crime&#8221;?<\/p>\n<p>In my 40 years&#8217; experience in the computer industry, I have heard of too many cases where the person who tries to bring attention to a computer security breach ends up being severely punished. I almost fell into that trap myself.<\/p>\n<p>I found evidence where I worked that many employees&#8217; computer accounts were using the default password that the company gave them when they got their accounts. I sent an email to tech support with a list of some of the culprits. 
I was called in and severely chastised for publishing this information in an email which could have been seen by too many people. The only way I escaped being fired was to agree wholeheartedly that my sending an email was a stupid thing to do, and it was. I didn&#8217;t point out that the way that the IT department set the passwords was instrumental in my being able to discover what was going on. That would have seemed like I was trying to defend what I had done. Given my knowledge of the treatment of others making such reports, I knew that IT would not listen and change their practices. They only would have gotten angrier.<\/p>\n<hr class=\"plain\" \/>\n<p>If you are curious about what I mean when I say that IT needed to change the way they set passwords, here is the explanation.<\/p>\n<p>I&#8217;ll talk about what happens in a Linux\/Unix system because that is what we were using. The practice is common in other computer operating systems.<\/p>\n<p>In Linux\/Unix, passwords are stored in encrypted form in a publicly viewable file. This encrypted form uses a one-way encryption technique. This means that the password can be encrypted, but the encrypted password cannot be decrypted. The way the computer determines if you have entered the right password is to encrypt what you have entered and then see if it matches the encrypted password in its file.<\/p>\n<p>To prevent people from inferring passwords in the publicly viewable file, the encryption uses a seed character to do the encryption. Using different seed characters completely changes the way the same password looks when encrypted. In order for the computer to know how to encrypt the password you just entered to compare it to your password as recorded in the file, the encrypted password in the file includes the seed character.<\/p>\n<p>The program that Linux\/Unix provides the user to set the password randomly chooses the seed character every time you change your password. 
That way, when different users happen to use the same password, these common passwords will look completely different in the publicly viewable file.<\/p>\n<p>What the IT department must have done was to enter the encrypted password into the file with a text editor rather than use the program. The IT department used the same seed for everybody&#8217;s default password, which the user was then supposed to change via the program that used random seeds.<\/p>\n<p>I had a legitimate reason to be looking at the password file. I happened to notice a common encrypted password in many cases. I started to wonder how this could be possible. It was then that I realized that the password must be the default password that everyone was given when their accounts were created. I used an encryption program to encrypt this password using the clearly evident seed. Lo and behold, it came up with the encryption that I was seeing in the file.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have seen some silly things said even by Bernie Sanders fans about the NGP VAN\/DNC case. Some of my knowledge about this case comes from having used NGP VAN in the Elizabeth Warren campaign. The DNC &#8220;wants the data back&#8221; makes no sense to me. 
Whatever data was taken was copied, the DNC [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[166],"tags":[],"class_list":{"0":"post-22162","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-stevegsposts","7":"czr-hentry"},"_links":{"self":[{"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/posts\/22162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/comments?post=22162"}],"version-history":[{"count":10,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/posts\/22162\/revisions"}],"predecessor-version":[{"id":22172,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/posts\/22162\/revisions\/22172"}],"wp:attachment":[{"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/media?parent=22162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/categories?post=22162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssgreenberg.name\/PoliticsBlog\/wp-json\/wp\/v2\/tags?post=22162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}