Comments on: Coleman camp’s claim about January data breach is ‘bullshit,’ tech expert says http://minnesotaindependent.com/28793/bruce-schneier-on-coleman-database-breach News. Politics. Media. Wed, 30 Nov 2011 23:48:28 +0000 hourly 1 http://wordpress.org/?v=3.1 By: MJB784533 http://minnesotaindependent.com/28793/bruce-schneier-on-coleman-database-breach/comment-page-1#comment-27643 MJB784533 Wed, 25 Mar 2009 17:14:17 +0000 http://minnesotaindependent.com/?p=28793#comment-27643 The question of whether the site was hacked or if any card data was published on the web is no longer the main point. This information discloses that the Coleman campaign retained the verification code numbers that are usually on the back of the card. The mere fact that they retained these code numbers is itself a violation of Minnesota law AND the agreement contracts with the credit card organizations. Forget about the possible hacking, forget about who might have done or not done it. The fact remains that the retention of these code numbers alone puts the Coleman campaign in violation of the law. “No person or entity conducting business in Minnesota… shall retain the card security code data, the PIN verification code data, or the full contents of any track of magnetic stripe data,” says state statute 325E.64. “A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction.” The question of whether the site was hacked or if any card data was published on the web is no longer the main point. This information discloses that the Coleman campaign retained the verification code numbers that are usually on the back of the card. The mere fact that they retained these code numbers is itself a violation of Minnesota law AND the agreement contracts with the credit card organizations. Forget about the possible hacking, forget about who might have done or not done it. The fact remains that the retention of these code numbers alone puts the Coleman campaign in violation of the law.

“No person or entity conducting business in Minnesota… shall retain the card security code data, the PIN verification code data, or the full contents of any track of magnetic stripe data,” says state statute 325E.64. “A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction.”

]]> By: Tim Barsness http://minnesotaindependent.com/28793/bruce-schneier-on-coleman-database-breach/comment-page-1#comment-26886 Tim Barsness Sat, 14 Mar 2009 18:39:13 +0000 http://minnesotaindependent.com/?p=28793#comment-26886 Looks to me like Coleman canned his staff and just left the lights on in the website with no one home. Reminds me of the MN Dept. of Vehicle Services doing the same thing, to save money in a Pawlenty state worker cut all the admins at DVS were canned. When the leg. auditor came by no recommended security work was done to secure the credit card payment for car plate tabs. There were no people in charge. The site was shut down before any known breach. Made the front page of the old fashioned "newspapers" for a week. Pawlenty recovered nicely by a no bid cost plus monopoly contract for all state credit card payments through US Bank. His pals all made out great and the campaign money flowed like a Red River flood. Does not look like that will happen for Norm, just a kick in the pants and maybe jail. Looks to me like Coleman canned his staff and just left the lights on in the website with no one
home. Reminds me of the MN Dept. of Vehicle Services doing the same thing, to save money
in a Pawlenty state worker cut all the admins at DVS were canned. When the leg. auditor came by no recommended security work was done to secure the credit card payment for car plate tabs. There were no people in charge. The site was shut down before any known breach. Made the front page of the old fashioned “newspapers” for a week.

Pawlenty recovered nicely by a no bid cost plus monopoly contract for all state credit card payments through US Bank. His pals all made out great and the campaign money flowed like a Red River flood.

Does not look like that will happen for Norm, just a kick in the pants and maybe jail.

]]> By: PJN2112 http://minnesotaindependent.com/28793/bruce-schneier-on-coleman-database-breach/comment-page-1#comment-26855 PJN2112 Fri, 13 Mar 2009 23:41:05 +0000 http://minnesotaindependent.com/?p=28793#comment-26855 Karen: WHOIS shows that the registrant and admin for colemanforsenate.com has been Brandon Grey Internet Services (dba namejuice.com) since at least May 2008 (the last time the whois was updated). WHOIS for namejuice.com lists the registrar, admin, and techincal contact as Brandon Grey who is located in Markham, Ontario, Canada. Granted, just because the domain is registered to a Canadian doesn't mean that the same individual is responsible for the maintenance of the website - Prior reporting on crashgate mentioned that Coleman's name servers are located at Minneapolis-based VISI.com, so one could probably assume that Coleman's website is hosted in VISI's data center probably on one of their servers which also hosts sites for other VISI clients. VISI's NOC would be responsible for the upkeep of the server but not for the website - Judging from the problems Norm's had with his website I think it's safe to say that he more than likely didn't hire outside professionals to manage his site (assuming any professional worth paying wouldn't be quite as careless and stupid about doing their jobs as to leave an archived site backup in the webroot) so it's likely that someone working directly for the campaign handled the website admin chores. If it's a salaried employee of the campaign, you wouldn't find that out from a FEC report. Karen:

WHOIS shows that the registrant and admin for colemanforsenate.com has been Brandon Grey Internet Services (dba namejuice.com) since at least May 2008 (the last time the whois was updated).

WHOIS for namejuice.com lists the registrar, admin, and techincal contact as Brandon Grey who is located in Markham, Ontario, Canada.

Granted, just because the domain is registered to a Canadian doesn’t mean that the same individual is responsible for the maintenance of the website – Prior reporting on crashgate mentioned that Coleman’s name servers are located at Minneapolis-based VISI.com, so one could probably assume that Coleman’s website is hosted in VISI’s data center probably on one of their servers which also hosts sites for other VISI clients. VISI’s NOC would be responsible for the upkeep of the server but not for the website – Judging from the problems Norm’s had with his website I think it’s safe to say that he more than likely didn’t hire outside professionals to manage his site (assuming any professional worth paying wouldn’t be quite as careless and stupid about doing their jobs as to leave an archived site backup in the webroot) so it’s likely that someone working directly for the campaign handled the website admin chores. If it’s a salaried employee of the campaign, you wouldn’t find that out from a FEC report.

]]> By: PJN2112 http://minnesotaindependent.com/28793/bruce-schneier-on-coleman-database-breach/comment-page-1#comment-26853 PJN2112 Fri, 13 Mar 2009 23:17:12 +0000 http://minnesotaindependent.com/?p=28793#comment-26853 Aaron - Fair enough explanation. Since the link you provided in that update is 404 I assumed that nothing came of it. That won't stop the partisans on the other side from giving Adria grief. She did mention that the database contained credit card info - So she either found this out via an unmentioned source who passed this revelation on to her or she did indeed open the file. Whatever the case, she kind of plopped herself into the spotlight by reporting what she found - Granted, she did it with a benevolent purpose (to bring the breach to light), she'll still be an target. Republicans love to torment whistleblowers, especially ones who do their whistling on Progressive sites. Aaron – Fair enough explanation. Since the link you provided in that update is 404 I assumed that nothing came of it. That won’t stop the partisans on the other side from giving Adria grief. She did mention that the database contained credit card info – So she either found this out via an unmentioned source who passed this revelation on to her or she did indeed open the file. Whatever the case, she kind of plopped herself into the spotlight by reporting what she found – Granted, she did it with a benevolent purpose (to bring the breach to light), she’ll still be an target. Republicans love to torment whistleblowers, especially ones who do their whistling on Progressive sites.

]]> By: Karen Lee http://minnesotaindependent.com/28793/bruce-schneier-on-coleman-database-breach/comment-page-1#comment-26850 Karen Lee Fri, 13 Mar 2009 22:49:50 +0000 http://minnesotaindependent.com/?p=28793#comment-26850 Have you checked Coleman's campaign FINANCE REPORTS for its web creator culprit? By law, every expenditure made by a political campaign MUST BE ITEMIZED in their campaign finance reports. HAS ANYBODY RESEARCHED what firm(s) were used to create the Coleman website as well as monthly monitoring of the Coleman server, etc. >???? Have you checked Coleman’s campaign FINANCE REPORTS for its web creator culprit?

By law, every expenditure made by a political campaign MUST BE ITEMIZED in their campaign finance reports.
HAS ANYBODY RESEARCHED what firm(s) were used to create the Coleman website as well as monthly monitoring of the Coleman server, etc. >????

]]> By: Aaron http://minnesotaindependent.com/28793/bruce-schneier-on-coleman-database-breach/comment-page-1#comment-26849 Aaron Fri, 13 Mar 2009 22:48:04 +0000 http://minnesotaindependent.com/?p=28793#comment-26849 PJN2112- I did post that, but I was incorrect. Adria Richards did not broadcast the contents -- she just broadcasted what she did and the screenshots as described. PJN2112-

I did post that, but I was incorrect. Adria Richards did not broadcast the contents — she just broadcasted what she did and the screenshots as described.

]]> By: PJN2112 http://minnesotaindependent.com/28793/bruce-schneier-on-coleman-database-breach/comment-page-1#comment-26844 PJN2112 Fri, 13 Mar 2009 21:10:00 +0000 http://minnesotaindependent.com/?p=28793#comment-26844 If, as Schneier says, “People have been convicted for this. … It’s possible you would’ve been prosecuted.” with regards to simply clicking the file's link and viewing it's contents then Adria Richards might be at risk. Aaron Landry at <a href="http://mnpublius.com/2009/01/coleman-allows-donor-and-supporter-database-to-leak/" rel="nofollow">MNPublius</a> wrote a post on January 29th that included as an update this: <a href="http://tinyurl.com/askadriaustream" rel="nofollow">Adria Richards will broadcast the contents of Coleman’s database at 3:30 PM CT today.</a> If, as Schneier says, “People have been convicted for this. … It’s possible you would’ve been prosecuted.” with regards to simply clicking the file’s link and viewing it’s contents then Adria Richards might be at risk. Aaron Landry at MNPublius wrote a post on January 29th that included as an update this:

Adria Richards will broadcast the contents of Coleman’s database at 3:30 PM CT today.

]]>