Tuesday, May 28, 2019

New comment by dillondoyle in "What I Learned Trying to Secure Congressional Campaigns"

Disclaimer: I work in politics professionally, as a digital consultant.

ActBlue is better at security (and just in general product) than NGP, but neither supports physical 2fa keys.

I don't want to speak too publicly about NGP VAN, but I think this area is very ripe for disruption, though it would be hard to get the finance side 100% correct, automated FEC & compliance and all. This built-up moat, I personally believe, lets them stagnate on technology. I think their API is proof they know the weakness or are afraid of easily better tools built on top (no important data in and out).

One attack vector I don't see mentioned is locking down domains and websites. Campaigns are incredibly cheap; it only took a few consultants selling shitty pre-built WordPress themes and now it's tough to get a Congressional to pay much or anything. We now build static websites for clients who pay, but I'm still worried about some actor uploading a google-verification.txt, or updating DNS to send better phishing emails.

Emailing passwords in plain text and shared Twitter passwords for candidate accounts which are 'victory!2020' are VERY common, and we've been trying to correct this behavior.

Though this isn't perfect, we have been sending one-time links with no authentication info in email plaintext. If anyone has a better solution? (Remember: non-technical (no PGP) campaign staff, and not in the same geo a lot of the time.)

In writing up some campaign plans this cycle I made some security notes, especially for a top-5 race target client we have (if they win the primary): I suggested a separate senior staff office in a more secure location which no volunteers know about. This won't work at the Congressional level, where anyone can get access to the call time room or the CM's office if they try.

Yes because I'm overly paranoid but also sadly because security in politics now means protecting from some random nut bag with a gun. Which is really scary to me.

But mostly I'm surprised at Maciej's willingness to spend money (and valuable time) doing this. Sadly, I think the willingness to help anyone, including 'Green Party candidate in a district the Republicans carried by 60 points', combined with the general (and I can understand and am not judging) attitude that 'the system' is broke, is probably a factor in why he was not taken as seriously as I think he would have liked.

Sorry this got really long. I could go on and on (if @Maciej, or is it @idlewords?, sees this I would be happy to chat on DM).

love seeing politics on HN a topic I have specialized knowledge in for once ;0
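The "one-time links with no authentication info in the email" approach the comment describes is essentially a single-use, expiring secret-sharing token. The sketch below is an added example (not code from the commenter or from any product mentioned in the thread) of how such a service can be structured so that the email body carries only an opaque URL, the secret is stored server-side keyed by a hash of the token, and the record is deleted on first redemption and refused after expiry. The base URL and the in-memory store are assumptions for the example; a real deployment would back the store with a database and serve the redeem step over HTTPS.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed placeholder base URL; the real service would use the campaign's own domain.
BASE_URL = "https://secrets.example.invalid/s/"


@dataclass
class OneTimeSecretStore:
    """Server-side store for single-use, time-limited secret links.

    Only a SHA-256 hash of the token is kept, so a leaked copy of the store
    cannot be turned back into usable links.
    """
    ttl_seconds: int = 3600
    # token_hash -> (secret, expires_at as unix time)
    _records: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create_link(self, secret: str, now: Optional[float] = None) -> str:
        """Store the secret and return the URL to email (no secret in the URL)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; unguessable
        self._records[self._hash(token)] = (secret, now + self.ttl_seconds)
        return BASE_URL + token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the secret exactly once; None if unknown, already used, or expired."""
        now = time.time() if now is None else now
        # pop() makes the link single-use: the record is gone whether or not it
        # was still valid, so an expired token cannot be retried either.
        record = self._records.pop(self._hash(token), None)
        if record is None:
            return None
        secret, expires_at = record
        if now > expires_at:
            return None
        return secret


def token_from_link(link: str) -> str:
    """Extract the opaque token from a link produced by create_link()."""
    if not link.startswith(BASE_URL):
        raise ValueError("not a secret link for this service")
    return link[len(BASE_URL):]


if __name__ == "__main__":
    store = OneTimeSecretStore(ttl_seconds=600)
    link = store.create_link("constructed-sample-password")  # constructed sample secret
    print("email this:", link)
    tok = token_from_link(link)
    print("first view:", store.redeem(tok))
    print("second view:", store.redeem(tok))
```

The important properties for the scenario in the comment are that the email itself never contains the credential, the link stops working after one view (so a forwarded or archived email is useless), and a short TTL limits how long an unopened message is dangerous; the recipient needs nothing more than a browser, which is what makes it workable for non-technical staff.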



from Hacker News - New Comments: "WordPress" http://bit.ly/2HH4n05
via IFTTT
