Software

E-mail security advice for politicians

How much attention would you give e-mail security if you were running for office? One would hope that the people who run for public office in this country with promises of increased domestic security would take some pains to ensure their own security during the campaign.

One would hope that the people who run for public office in this country with promises of increased domestic security would take some pains to ensure their own security during the campaign. High priorities should of course involve things like having good bodyguards and site security teams when making public appearances, ensuring one's campaign Web site doesn't get defaced by people who disagree with one's policies, and protecting e-mail privacy.While I would dearly love to see someone with an at least marginal understanding of technology get into public office from time to time, I know that might be a bit too much to ask at this point on the national political stage. Lacking personal understanding of such matters, however, one should definitely hire people who know what they're doing and get them to advise on technical matters -- and actually listen to their advice.

I could comment at some length on the difference between people who know how to market technology or can run a technology company and those who actually know technology sufficiently to be credible advisers. In other words, I could comment on the inadvisability of hiring someone like Steve Ballmer as a technology adviser. That's not the point of this article, though. Instead, I'll just offer a short list of tips for anyone who might want to run for public office and avoid the embarrassment of failed e-mail security:

  1. First and foremost, make sure e-mail authentication is encrypted. This should apply to all e-mail, all the time, but is especially important for circumstances where having your account cracked is not only annoying, but also embarrassing, such as when running for public office on a domestic security platform. Make sure all your campaign staffers are doing so as well.
  2. Use encryption for important e-mails. Never underestimate the importance of being encrypted. Make all your campaign staffers use it too.
  3. Digitally sign e-mails, and require all campaign staffers to do the same. Use a well tested, proven, cryptographic signing technology, such as PGP or S/MIME, to sign e-mails, so that there should never be any question about the authenticity of an e-mail. While you're at it, make sure all your campaign staffers understand how to employ cryptographic digital signatures securely -- and that you understand how to use it, too.
  4. Have a specific computer set up for campaign-related business. Make sure it's set up to be as secure as possible, and make sure as many features are disabled as can be without crippling your ability to do campaign-related work. Don't use it for personal Web browsing, non-campaign related communications, or anything else that might put its security at increased risk. Make all unencrypted connections on that computer through a secure proxy. Use that computer -- and only that computer -- to access your campaign e-mail. For obvious reasons, this computer should probably be a laptop. At least the most important campaign staffers, with the most intimate relationship to the inner workings of the campaign, should employ similar measures.
  5. Use POP or IMAP for email, instead of a Webmail account. In other words, don't be Sarah Palin. This account should be associated with a domain name specific to your campaign (to make it look more official, as well as to provide greater control over e-mail security), and your campaign staffers' official communications should be carried out via addresses associated with that domain name as well -- or perhaps with a second domain created specifically for communications amongst campaign workers.

Some of these measures will of course require the help of technically proficient experts. Get one on-staff if at all possible, or at least hire one on a consulting basis. If you run a small, local campaign that doesn't have enough money to spend it on hiring an expert, make use of that six degrees of separation principle to find out who your advisers, campaign staffers, and their friends and relatives might know who would be willing to help you out. Once you get such help, listen to the advice you're given.

You don't want to be the next candidate for public office whose name is in all the papers having made amateurish mistakes with the security of campaign communications, after all.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

51 comments
paul.scott
paul.scott

I am working for one of the few campaigns that I have seen that actually has a dedicated Technology Director on staff to manage domain names, website, email, security, and tech support. Paul Scott Technology Director Andrew Martin for Nevada www.martinfornevada.com

tinyang73
tinyang73

Great, entertaining and informative article! Thanks Chad.

Colonial_Boy
Colonial_Boy

Guys! I just found this: "Obama supporter Mike Kernell (D-TN) confirms his son, David Kernell, hacked Sarah Palin???s email to help Obama" Found this @ http://hillbuzz.wordpress.com/2008/09/18/soetorobama-supporter-mike-kernell-d-tn-confirms-his-son-david-kernell-hacked-sarah-palins-email-to-help-soetorobama/ I'm going to do a little more verification work, but so far (despite some derogatories) the info on that website looks like it's accurate (and not a hoax from "Vast Right-Wing-Conspiracy").

Meesha
Meesha

Thanks Chad. The two things that I took away from this blog was that 1) DON'T use public delivery systems for sensitive information sharing; and 2) the old adage that "don't write/print anything you don't want your mother to see" is apropos to this issue - in this case "mother" was the public and governance was Ms. Palin's obligation. As one poster wrote earlier, her politics/governance is not the main issue, except as fodder for the political machine, but rather it's her obvious blind acceptance that a public tool such as Yahoo would be private. As I writing this I am very much reminded that this response is OUT THERE!!!!

Michael Kassner
Michael Kassner

To get BALTHOR to make three comments, and in a row is a huge kudos to you. Seriously, great post Chad and I hope it creates an immense amount of discussion as it's important.

JackOfAllTech
JackOfAllTech

her email was hacked and not the poor ethics and morals of the ones who did it? To me, it looks like an act of desperation. They can't find anything to criticize about her politics so they are attacking her personally in any way they can. How lame.

BALTHOR
BALTHOR

Any very high frequency computer can copy the entire Internet in a short time.This would be infinite frequency.I see that everything Internet is diverted.We are seeing a false Internet.

BALTHOR
BALTHOR

I now suspect that the entire Government e-mail location is being diverted.The e-mail is copied to a hacker memory system.Palin's e-mail would still exist in the Government location if it hasn't been deleted.It could be that at the upload there is a phone line split,one line to the Government,the other to the hacker.All of the e-mails ever delivered to her may still be in the Government location.It's like the hacker system is in parallel to the Government's.

BALTHOR
BALTHOR

When an e-mail is sent it gets uploaded to the Federal memory location.The e-mail sits in the Government's protection until it is deleted.Our Government is being attacked.

RipVan
RipVan

...and forget the media and political outcry if the "other" party was the one that got hacked. That part is too easy. Instead, focus on the people (all of them) who make our laws. Especially the onerous electronic information laws. All that nonsense about business backing up emails and ensuring that they are available for subpoena, and yet EVERY time politicians of EITHER party (pay attention to the "EITHER PARTY" part of that equation) are asked for their email traffic, they are unable to produce them. Lame excuses like, "our backup system didn't work", or "our equipment was too old and we thought we were saving emails but we weren't" or "the system on which we saved them isn't compatible with anything, and we can't recover them" are routine. Try to do that if you are a business. Lame excuses aren't accepted! Lame excuses are the specialty of our elected officials, and it costs them nothing. They know the sheeple are NOT paying attention!

Neon Samurai
Neon Samurai

Not to divert from the TR forums but this article seems relevant as a further information source. http://www.securityfocus.com/brief/822 I hope it wasn't really people offiliated with the group "anonymous" as I think there activism against the cult of Scientology is a good thing but anyhow.. The issue is not that someone broke into Palin's email. It was that she used Yahoo Mail for politically related email in the first place. I think any unauthorized security breaching is a sad act that exciles one from the Hacker community. That in no way excuses Palin's being oblivious to taking the minimum effort to understand her own information security though.

apotheon
apotheon

"[i]So you're saying it's her fault... her email was hacked and not the poor ethics and morals of the ones who did it?[/i]" No, that's not what I'm saying. If you would like to find out what I actually said, please read [url=http://blogs.techrepublic.com.com/security/?p=590]the article[/url].

Four-Eyes
Four-Eyes

3 replies... oh man! that's a real biggie! I think the world is coming to an end!!! AAAARRGGHHH!!!! :P

ken_dyer
ken_dyer

Believe it or not, that actualy made no sense whatsoever! LOL! Thanks anyways!

Pringles86
Pringles86

I wish I could divert the entire internet... Not even the entire internet, just some of its traffic so I could make some money with affiliate programs or something. This must have been a special occasion. The Great BALTHOR replied 3 times to one topic!

whollyfool
whollyfool

That's the best way I've heard it put yet.

thomas
thomas

I have over 10 email accounts. Many are decoys to give to web sites which want an email address. I just let them fill with spam because those sites "leak" the addresses for a profit I am sure. If some one were to guess my password, all they would get would be 600 spam messages. But seriously, if I were a hacker, I would have to be pretty stupid to hack an account guarenteed to get the Secret Service on my tail.

apotheon
apotheon

. . . but I didn't figure such pontifications on politics would be really appropriate in the context of this article in particular, so I resisted the temptation to talk about her any more than I did.

seanferd
seanferd

I find your comment... refreshing.

Colonial_Boy
Colonial_Boy

Once Gov Palin's email address was published in the MSM, it was easy enough for the perps to go to the Yahoo! portal and use their flimsy "I forgot my password" protection scheme to change it to whatever they liked. I just tested it, and all I had to do was key in my zip code (Wasilla's still pretty small, there's only one for physical address & 3 more for PO Boxes), the weird control code (warped numbers and letters), and answer a simple question (in my case it was what is the name of my pet? AIR, other possible difficult questions were: What is my father's middle name?, Where was my mother born?). All of this information is easily available on the web. I suspect that Yahoo! thought that identity theft (which is how this incident would be prosecuted) now being a federal felony would be enough to deter invasions of privacy like this. I can see that I now need to review all of my web-based email accounts (Yahoo!, GMail, MS Office Live & etc) to see how vulnerable I am to my service suppliers allowing others to change my passwords.

JamesRL
JamesRL

....then its time to reassess your mental state. James

apotheon
apotheon

"[i]The Great BALTHOR replied 3 times to one topic![/i]" Yeah -- I feel honored.

jdclyde
jdclyde

who do not have a job in IT. Yahoo is a big name, and people think it is reasonable to be able to trust it. Blame the user or make assumptions about that specific users, and it casts that same shadow over much of the world. I have known very brilliant people that didn't know how to use a computer. It was not something they had required, and so never added that as a skill.

apotheon
apotheon

I haven't checked the comments at the new article in a while, so I don't know if you've already done so -- but if not, that'd be the place to drop the URL into discussion.

Neon Samurai
Neon Samurai

I suspect you have but if you haven't, the actual members of Anonymous gave a talk at HOPE 2008. I've dropped the url enough but I can offer it up again if you like.

Neon Samurai
Neon Samurai

Nothing elegant, nothing whitty or ingenious.. nothing new even.. it was just copying what other's have long been able to do.. willfull intent to break the law.. a monkey could have broken into the mail account with no more than a four line howto. Nothing about this break in justifies the term or title "Hacker".. just the media reaching for the latest hip name for boogieman again.. it's not about accuracy of terminology.. it's about scaring more eyeballs into looking.

apotheon
apotheon

I don't think that a culprit should get a lighter sentence just because someone's lack of attention to security made it easier to commit the crime in the first place.

NetMan1958
NetMan1958

I get it that Palin made a bad decision in using Yahoo for email (although their security mechanisms are pretty much the same as my bank uses for online account access). What do you think about the guy that hacked it? Should he get off lightly for this? I mean even if I leave the keys in my car, if someone steals it, they broke the law same as if they had to hot-wire the car.

apotheon
apotheon

I made it up on the spot. Thanks.

jdclyde
jdclyde

Sorry, but I hardly consider a password reset a real "hack".... If this would have been the some of a Republican Senator, it would be everywhere with calls for the senator to step down.

santeewelding
santeewelding

Evocative word picture. Is it yours? Kudos if it is. Even if not.

apotheon
apotheon

"[i] It was Yahoo's security error, not the Governor's.[/i]" Are you trying to tell me that selecting a tool that provides no credible security is not a security error? So, for instance . . . if I decide to lock the front door of my home with a padlock made out of dried frosting, and someone comes along and gets past the front door by squirting water on the padlock (and watching it immediately dissolve), that means I didn't make any security mistakes. Oh, no, I didn't make any bad decisions at all. It's entirely the guys who manufacture padlocks from dried frosting. My choice to use one of their padlocks was actually a [b]good[/b] security choice. "[i]the weird control code (warped numbers and letters)[/i]" That's called CAPTCHA, and it's meant to differentiate between humans and software. "[i]answer a simple question (in my case it was what is the name of my pet? AIR, other possible difficult questions were: What is my father's middle name?, Where was my mother born?)[/i]" Of course, you could select "What is your father's middle name?" for your security question, and provide "Mongo the Magnificent, and his dancing spider monkey" as your answer. The fact it's asking for your father's middle name doesn't mean you have to actually [b]use[/b] your father's middle name. . . . but then, if you just go with the obvious choice, and someone else can easily guess it because it's [b]obvious[/b], that's not your fault! You didn't make a poor security choice. No, not at all. "[i]I can see that I now need to review all of my web-based email accounts (Yahoo!, GMail, MS Office Live & etc) to see how vulnerable I am to my service suppliers allowing others to change my passwords.[/i]" No kidding. Now, [b]that[/b] is a good security decision. Another would be to make sure that you aren't using Webmail for anything you care about. See the article for more on that subject.

TonytheTiger
TonytheTiger

"[b]And[/b] perhaps" instead of [b]or[/b] perhaps".

apotheon
apotheon

What does that have to do with my question? Don't bother answering. This is a rhetorical question (as was the previous question).

apotheon
apotheon

It's not just the fault of the people who are ignorant of the existence of other OSes. It's not just the fault of the other OSes' marketing (or lack thereof). It isn't even just the fault of the market dominators. All three have a hand in it. All three are to blame. Willful ignorance, laziness and extremism, and anticompetitive practices are all part of the problem. It's irrational to excuse part of the problem just because there are other parts.

jdclyde
jdclyde

This is hardly a case of being a dumb user. Three things. First, a lot of everyday people will relate to this. Second, the fact that there was NOTHING in there to embarrass her with says even more about her. Third, that the son of a Democrat senator would illegally gain access to her account to try to hurt her politically says a lot for the political system. Anyone wanna bet the punk doesn't do any time? Suckers bet, really.

jdclyde
jdclyde

It is about marketing. Remember when Windows95 came out and they had the big release at midnight? EVERYONE knew the name of Windows95, even if they had never used a computer before. MS put out a lot of money to get that brand recognition. Who has got the name out to the average user on the streets that there is an alternative other than spending a lot more on a Mac? How many times have you heard anyone refer to a facial tissue as a "Kleenex" or ran to "xerox" off a copy, when the do not have that specific name brand to use? Who do you blame, the user, or the people that did NOT get their message out as well?

jdclyde
jdclyde

but that is an overly simplified question... ;\ My grandpa-in-law, a retired chemical engineer, very smart man, can not use a computer more than a simple email, and doesn't care to learn more.

apotheon
apotheon

There are many people who, in effect if not in fact, believe: 1. There are only two political parties. One of them is right, and the other is wrong. 2. "PC" means it runs "Windows". 3. Linux is "a hacker's OS", and if people can see the source code that makes it dangerous. 4. Having more melanin or more X chromosomes in the White House means "change". 5. Using more corn ethanol will help save the environment. 6. The FDA is there to help us, and people would be dropping like flies without it. 7. Antivirus software is necessary for computer security. 8. It doesn't matter if the government spies on me, because I don't have anything to hide. 9. The war in Iraq is all about oil. 10. The war in Iraq is all about defending freedom and democracy. Don't you think that people who subscribe to this sort of de facto beliefs have an oversimplified worldview?

wyattharris
wyattharris

This case reminds me of 95 percent of the calls I receive. ID 10t error, loose nut behind the keyboard or simply dumb user mistakes. You know what I'm talking about. Unfortunately for the Governor no matter how much a user she is, she can't afford to look like one.

apotheon
apotheon

Since when can 99-ish percent of people [b]not[/b] be described as having an oversimplified view of the world in which they live?

Editor's Picks