Bruce Schneier (Wikipedia)
Norm Coleman’s attorney, Fritz Knaak, stated Thursday that the campaign had “a high degree of confidence” that the late-January exposure of its unprotected donor database didn’t result in the loss of sensitive data. A day earlier, Knaak initially leveled the claim, noting that Secret Service investigators looking into the database breach “did not discover that any individual had been able to obtain confidential, personal financial information.”

But this week’s news that Wikileaks.org had obtained the 4.3 gigabyte database casts doubt on that statement — and so does Bruce Schneier, the Twin Cities-based technology expert dubbed a “security guru” by The Economist. Reached by phone at a Washington, D.C., technology conference late Thursday, Schneier characterized the campaign’s claim as “complete and utter bullshit.”

“It’s impossible to make that claim,” he said. “Either they misunderstood what the [Secret Service] said or they’re out-and-out lying. How can you determine the absence of something happening?”

The Secret Service has confirmed for the Minnesota Independent that an investigation is under way but said it couldn’t comment on ongoing cases.

Schneier said he didn’t know that IT professional Adria Richards had uncovered the security flaw with no advanced tools, but after learning it from the Minnesota Independent, he said of the Coleman campaign’s tech security: “It sounds like they didn’t have any, if what you’re saying is true. That seems pretty sloppy.”

He noted that it’s correct to call the exposure of the database a “breach,” as the campaign has done. “When someone who’s not authorized does it, we’d consider it a breach.”

But he wouldn’t call what Richards did — find and take a screen capture of an unprotected public Web directory — hacking.

“It’s not like it’s skilled hacking,” he said. “If I walk into an open door and steal a purse, am I a cat burglar? … It’s not in the fine tradition of hacking because it took not a lot of skill. I wouldn’t use the term, but others might.”

He acknowledged that the law surrounding online security is “squirrely.” For instance, he said he’s unclear on whether viewing the unprotected Web directory, which existed for a few hours on Jan. 28, could be considered a criminal act, or whether this reporter could be prosecuted for clicking a direct link to the database that was left in comments in January at Minnesota Independent. (For the record, I didn’t download the file.)

“This law is still evolving, and some of it is really stupid,” he said. “People have been convicted for this. … It’s possible you would’ve been prosecuted.”

The exposure of the donor information, which included credit card numbers and three-digit security codes for them, is big news, he said, mainly because it involves a former U.S. senator who’s now locked in a political battle to regain his seat.

But he says such breaches — and mistakes about security for sensitive information — happen all the time.

“Companies do this, governments do this again and again and again,” he said. “While they definitely should know better, we’ve learned repeatedly that organizations don’t know better. It’s not, ‘Oh, God, look what they’ve done!’ It’s more: ‘Oh. It happened again.’”

“This could’ve happened to anybody – and it does.”