by pw on 5/28/19, 12:41 AM with 146 comments
by Deimorz on 5/28/19, 1:48 AM
I think one of the key points is how awful password managers are for non-technical people to use. It's not necessarily the developers' fault because it's difficult to interact with all the things they need to, but it makes it practically impossible to get someone to use one unless they're technical enough to be able to figure out all the random issues that come up all the time.
I'd love to be able to get some non-technical family/friends to use one, but there are just way too many times that showing someone how to use a password manager goes something like: "Okay, so now you've generated a password and you click 'Register' and... oh hold on, the page redirected for some reason and the pop-up to save the account info is gone, so, uh... well, I think there's a generated-password history page somewhere, let me just look through the Settings area even though it's not a setting... okay, there it is, so it should be this one. I'll just copy that and now I have to create a new vault entry for the site manually by typing in everything and pasting this password in there, and then..."
It's terrible, because a password manager that would just work and stay out of the way could make such a huge difference to general account security, but they all seem to still be difficult to use and require you to have a pretty good understanding of what's going on to be able to deal with random problems.
by aquabeagle on 5/28/19, 1:15 AM
Were you just some random outsider to them, coming in to do free security training? Or did others have to vouch for you? It seems like it would be terribly easy to do all of this under the guise of being a helpful security person, but you're actually just sabotaging them with rogue USB devices and learning the details of all of their security practices. Especially by getting on their good side with things like "A friend wrote a script that did this conversion automatically when you dragged things to a desktop folder, and I would mention this during campaign visits. Suddenly I was no longer the dentist, but Santa Claus come early."
Could anyone else have been doing this without being vouched for?
by kasey_junk on 5/28/19, 1:15 AM
by dillondoyle on 5/28/19, 4:41 AM
ActBlue is better at security (and just in general product) than NGP, but neither supports physical 2fa keys.
I don't want to speak too publicly about NGP VAN, but I think this area is very ripe for disruption, though it would be hard to get the finance side 100% correct, automated FEC & compliance and all. This built-up moat, I personally believe, lets them stagnate on technology. I think their API is proof they know the weakness or are afraid of easily better tools built on top (no important data in and out).
One attack vector I don't see mentioned is locking down domains and websites. Campaigns are incredibly cheap; it only took a few consultants selling shitty pre-built WordPress themes and now it's tough to get a Congressional to pay much or anything. We now build static websites for clients who pay, but I'm still worried about some actor uploading a google-verification.txt, or updating DNS to send better phishing emails.
Emailing passwords in plain text and shared Twitter passwords for candidate accounts which are 'victory!2020' are VERY common, and we've been trying to correct this behavior.
Though this isn't perfect we have been sending one time links with no authentication info in email plaintext. If anyone has a better solution? (remember non-technical (no PGP) campaign staff and not in same geo a lot of time).
In writing up some campaign plans this cycle I made some security notes, especially for a top 5 race target client we have (if they win the primary): I suggested a separate senior staff office in a more secure location which no volunteers know about. This won't work at the Congressional level, where anyone can get access to the call time room or the CM's office if they try.
Yes because I'm overly paranoid but also sadly because security in politics now means protecting from some random nut bag with a gun. Which is really scary to me.
But mostly I'm surprised at Maciej's willingness to spend money (and valuable time) doing this. Sadly I think the willingness to help anyone, including a 'Green Party candidate in a district the Republicans carried by 60 points', combined with the general (and I can understand and am not judging) attitude that 'the system' is broken, is probably a factor in why he was not taken as seriously as I think he would have liked.
Sorry this got really long. I could go on and on (if @Maciej, or is it @idlewords?, sees this I would be happy to chat on DM).
Love seeing politics on HN, a topic I have specialized knowledge in for once ;0
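The one-time link approach mentioned above (a link in the email, no credential in the email body) needs three properties to be worth anything: the token is unguessable, it works once, and it expires. Added example, not code from the thread or from any campaign tool; the store, the URL prefix and the sample secret are constructed here, and the clock is injectable so the expiry path can be exercised offline:

```python
import hashlib
import secrets
import time


class OneTimeLinkStore:
    """Single-use, expiring hand-off links for a shared secret.

    Only a SHA-256 digest of the token is kept server-side, so a copied
    database cannot be used to redeem outstanding links; the plaintext
    token exists only inside the URL that is emailed.
    """

    def __init__(self, ttl_seconds=3600, now=time.time,
                 base_url="https://example.invalid/handoff/"):  # constructed
        self.ttl = ttl_seconds
        self._now = now
        self.base_url = base_url
        self._entries = {}  # token digest -> (secret, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, secret):
        """Store `secret` and return the URL to send. 256-bit random token."""
        token = secrets.token_urlsafe(32)
        self._entries[self._digest(token)] = (secret, self._now() + self.ttl)
        return self.base_url + token

    def redeem(self, url):
        """Return the secret once, or None if unknown, reused, or expired."""
        token = url.rsplit("/", 1)[-1]
        # pop() makes the link single-use: even an expired redemption
        # removes the entry, so nothing lingers in the store.
        entry = self._entries.pop(self._digest(token), None)
        if entry is None:
            return None
        secret, expires_at = entry
        if self._now() > expires_at:
            return None
        return secret


if __name__ == "__main__":
    store = OneTimeLinkStore(ttl_seconds=60)
    link = store.create("example-shared-secret")  # constructed sample
    print(link)
    print(store.redeem(link))  # first use returns the secret
    print(store.redeem(link))  # second use returns None
```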
by po on 5/28/19, 3:16 AM
by lifeisstillgood on 5/28/19, 1:26 AM
I am sure that exists in all countries, just presumably it is less prevalent? Any insiders have knowledge?
Weirdly, I would think that the process of dialing and recording would be very automatable too.
by canada_dry on 5/28/19, 2:40 AM
> telling people not to use Android
I personally use Android as I dislike the Apple/iTunes lock-in. But you'll be able to sleep better at night if you lose your iPhone with confidential info.
...
> Google's Advanced Protection Program is almost comically unusable for campaigns. The expensive dongles break easily, and when the dongle breaks you are locked out of your fundraising spreadsheets until you can reach Google support (if such a thing exists).
Ouch.
by bsder on 5/28/19, 4:21 AM
How do you set this up!?
Every time I try to set the folks in my company up with security keys, the biggest problems are always:
1) How do I deal with the fact that someone just left? Something invariably is tied to their login, and I need to transfer control.
2) How do I deal with a broken/lost/stolen key? So many services simply will not let you install multiple keys on an account and it drives me up a tree.
by drilldrive on 5/28/19, 4:02 AM
(1) Is there an easier secure way to open email attachments? This is a critical point of error in campaigns, and yet your suggested solutions are lacking in my eyes. I for one do not use a smartphone, and even when I use a Gmail account I use the HTML version that does not have a Google Docs option for files. So I am left with your option 3, and this could take several minutes in contrast to double-clicking the file.
(2) Why do you recommend to avoid SMS but to treat Twitter/Slack as a public messaging option? Why not just treat all three as public?
(3) Why do you recommend only Chrome browser? In particular, why not Firefox or Tor?
by po on 5/28/19, 3:13 AM
True, it can be hard to get to the stored passwords for manual entry and it doesn't work with a few sites, but generally speaking it picks random passwords, saves them fairly reliably and prompts to use them with biometric protection.
by bo1024 on 5/28/19, 2:12 AM
Can you say exactly why Signal is more secure than email in this context?
by losvedir on 5/28/19, 1:10 PM
As someone who likes the "password pattern" approach (remember one thing and use it to generate passwords for all sites), what's the threat model here? How is it dangerous?
by tacosx on 5/28/19, 2:29 AM
by Bucephalus355 on 5/28/19, 1:17 AM
One thing I would like to add (perhaps the author mentioned it but I did not see it): secure your cellular accounts such as Sprint, T-Mobile, Verizon with 2FA, a good password, etc. This also includes the maximum-length VM password, although usually that is only between 7 and 10 digits, sadly.
by tomohawk on 5/28/19, 8:47 AM
by miles_matthias on 5/28/19, 3:58 AM
I'd like to echo your sentiment about password managers, they are way too complicated to use for non-technical people.
by RickJWagner on 5/28/19, 1:08 AM
Biggest surprise (for me): Nobody uses Twitter.
by jammygit on 5/28/19, 1:56 AM
by ghani on 5/28/19, 5:45 AM
by jabart on 5/28/19, 1:26 AM
We are also competitors to NGP. Our users actually like us too!