[...] Adria Richards and Paul Schmelzer have stories. « Team Coleman Fakes Website Crash Post Tools:  PrintThis Related Posts: So, about those problems…, Technical Difficulties (and Merry Christmas!), Breaking: Violence in Rochester, Cheney’s Notes Implicate Bush in Plame Affair, EXCLUSIVE — Rick Stafford To Vote For Obama,  [...]

[...] with a little more digging, it looks like Coleman’s IT group was just sloppy and lets  talk about IT Teams that should be shitcanned post-haste. Posted by Gabriel | Filed in [...]

Trying to Drag Us Back to Stupid

Repulican Coleman and his staff’s general incompetence and whiney, smarmy behavior remind me of the Bush years all over again… and just when I was starting to get over it.

God I’m glad they’re gone.

What a feckless putz he is.

@Dean W.,

I’m doing great. I’m blessed with a good heart, information about technology and the desire to help people.

The Emperor has no clothes. I’m telling grown up men their site isn’t setup right.

Do you really think if I’d called the Norm Coleman office at 7pm that night, anyone would have answered?

After the information was posted, they had another chance to resolve it and address it.

It seems that since they did not contact donors, other people, who had downloaded the database felt they needed to notify these people.

In the video at AskAdria.com – Norm Coleman’s Database Revisited, I share that previous attempts at contacted businesses about their security problems have failed. I decided to document how I found the information, what it means and how other companies can protect themselves from this security problem.

I sleep well at night.

@24AheadDotCom,
Everyone is entitled to their own opinion. Each person controls their actions and that’s where most people fail.

Norm Coleman’s office had the opportunity to be transparent about this problem, acknowledge something was wrong with their site and bring it offline. Instead they pointed the finger to politics causing their technology problems (high visitor traffic because voters were upset).

At anytime, they could have contacted a well know, local, website hosting provider…like VISI.com and said, “Look, we’re having a major problem here. Could we borrow one of your senior level guys to take a look at this? Could you keep this confidential?”. But they didn’t.

Instead, they claim they brought in the Feds, Secret Service and who knows what other Federal agencies to “look” at log files. All they needed was a really good Linux Admin (I call them Uber Admins because Linux is hard!)

Many people in the world do a lot of talking (judging, blaming, criticizing) but most won’t do the walking (action, progress, forgiveness).

It’s a logical fallacy to base the quality of my work on this single post.

This problem may have occurred because the Norm Coleman website guy was too proud to ask for help or he was not experienced in:
1. Handing a server attack
2. Handling a website attack
3. Monitoring a website during transition
4. Maintaining a secure website
5. Setting up security notifications
6. Reading log files
7. Monitoring DNS
and so on.

[...] Consultant – Thanks for the book from my Amazon wish list! Glad you liked my sleuth work on the Norm Coleman database. Need help with your blog? Contact Aden Networks ©2008 Copyright by But You’re A [...]

I think you did an awesome thing. Why do some people have their panties all bunched up over this? You did nothing wrong. It’s COLEMAN’S CAMPAIGN that erred here, in not taking people’s private financial data seriously. I think that says a lot about him, and I’m glad his days as a feeding-at-the-public-trough politician are numbered!

Thanks for posting all of this information. I found it fascinating, and your motivations are honorable.

Keep up the great work! I hope this gets you some paying gigs!

Too bad the TV news didn’t do a better job of reporting on this. They basically let the Coleman camp write the press release and took it at face value.

Excellent job!!! Thanks for going public with what you know and what you found.

@Dean W: Your nutty post reassured me that Franken is the safe and sane choice in this contest. So I’m going to alfranken.com right now to give him $100 using my debit card. I trust Franken to respect my privacy and legislate honorably and nobody can honestly say the same of Coleman.

Coleman’s campaign negligently published their donors’ private information on their website and criminally failed to notify the donors when that fact was exposed. Now the campaign is wasting law enforcement resources on a shameful attempt to blame the whistle-blowers. This only came to light because of their botched attempt to get attention by faking a website crash. None of this behavior is acceptable.

[...] it was this blog post or [...]

This was more than something “a five year old” could do, and you know it. I don’t know any five year olds that go around “pinging” for IP address.

You were deliberately poking around where you knew, or certainly should have known you were not supposed to be. You could have contacted the website administrators and informed them of their error, but instead, you then made a conscious decision to put the finances of hundreds of people who have never done you any harm, in jeopardy.

Your actions, excuses, and complete lack of conscience, as well as the reaction of Franken’s supporters speak volumes about just how low the left has sunk.

I’m no lawyer, but I hope there is a really mad one among the people whose identities you’ve put at risk.

It’s too bad your technical training didn’t include any lessons on ethics. You’re no better than a common thief.

@Angela, I guess a bank robber’s criminal defense should be “obviously the bank didn’t take the necessary precautions to protect their customers’ money.” You people have never been much on ethics, though, have you.

@Bob, Wow Bob you really are an idiot. She didn’t take anything she didn’t break in. All she did was point out to Coleman that someone could easily break in.

Not really a crime, Now Norm doing nothing about is actually a crime

Who are “You people”? If you’re going to talk about a lack of ethics, better look at Coleman’s campaign people who didn’t properly protect their donors’ data.

Typical neocon, trying to blame liberals for your own party’s misdeeds.

Here’s a shoe horn to get your granny panties unbunched.

@Bob, Bob, who are “you people”? And your bank analogy is inaccurate: banks have a duty to take appropriate steps to safeguard their depositors’ money. This means they do not, for example, leave the money in a shoebox by the side of the road. Essentially, by leaving contributors’ data in a public area of the website, the Coleman campaign has done something very much like that. Can you show me that the author of this site has done anything actionable by exposing that fact? And if the Franken campaign had made the same error, and had failed to take reasonable steps to secure sensitive contributor data from public view, the error would be just as egregious — failure to meet a basic standard of care isn’t a political issue.

@Bob,
Everyone can make choices on what they think about other people.

@schtum,
I love that example!
“…under a tarp”

@adria.richards, I will concede one thing regarding the capacities of five year olds.

Most five year old children have a more mature understanding of right and wrong than I see displayed here, and elsewhere regarding this issue.

[...] his finger at unidentified “hackers” as being responsible. But it was Norm Coleman who first posted the data on the public internet, and he needs to take responsibility for that [...]

Did she actually publish the contents of the database? NO. Did she use this as an example of how to protect your website? YES. Did the Coleman people take the wrong steps in hopes of pointing to Democrats to make himself look better and help his failing case? Yes. Coleman is the culprit. He runs the shootin match and so he has to take the fall. Shutting down the site immediately, good idea. Leaving it open and calling the Feds, stupid and a bad idea. I hope the majority of the people that live in MN are not as dumb as some of the people that have posted comments on this. Sheesh…. Give me, and us all, a friggin break.

“Do you really think if I’d called the Norm Coleman office at 7pm that night, anyone would have answered?”

Well, maybe they would have and maybe they wouldn’t have. But since you didn’t do that, it’s a bit specious to claim they *wouldn’t* have.

If you had taken your information to a credible source, such as a major newspaper…I bet Coleman would have answered *their* calls. Putting this information front and center in the public eye prior to giving Coleman’s team a heads up wasn’t the best display of ethics.

If you found a zero-day flaw in IE or Firefox, would you call MS or publish your info to the web for it to be exploited?

Go read how Dan Kaminsky handled the DNS vulnerability. He didn’t show the world because he knew it would cripple the internet. He worked with people to solve the problem prior to publishing the full knowledge.

In this case you didn’t care that posting the info could cripple Coleman or his donors.

disclaimer: I’m an IT person as well, and fully support Franken. I’m happy to see Coleman’s lack of security broadcast. This just wasn’t the proper manner to do it.

@Pixelpusher220,
I agree that notifying companies of exploits to their software and code is important and doing it in a way that does not comprimise data or users before a patch is developed helps everyone have a happy computer.

I decided this was “breaking news” and that I was going to document my findings.

I agree with @dan tynan that there is no proof I was the first one to find the server’s files.

I saw the tweet on Twitter at approx 5pm
I found the files and database approx 7pm
I posted photos to Flickr approx 7:30pm
By 12 midnight, the site had been updated with a password screen

You can see all the Norm Coleman database photos on Flickr

@Karen,
Thank you for your nice words!

Cool! I did not see this play by play of how things developed. this blog post helped spell it out. I also made a video on YouTube “How I Found Norm Coleman’s Website Database in 2 Minutes”

You can hear me on MPR’s broadcast Coleman warns donors after data breach where I say:

“It’s like putting your filing cabinet outside of your house”

MPR “All Things Considered”
Aired Wednesday 3/11/2009 at 5:20pm.
Talked with Mark Zdechlik at approx 1:30pm. He recorded our conversation for the show.

Thanks for the support. I really mean it. People, technology clients and friends who know me are supporting me on this. Although it was a racy move, I was frustrated yet again to see information that people expected to be secure, publicly available online.

The goal was to create exposure of the issue and raise awareness; Security and Data privacy…not Democrats vs Republicans.

Okay, I couldn’t take it anymore after reading all the ignorant comments attacking Adria. I am a fellow IT consultant and I deal with security issues every day. I see hackers scanning my clients sites EVERY day looking for potential openings and exploits. These hackers are using untraceable zombie networks from all over the world. Chinese hackers, Romanian hackers and yes many pre-teen US hackers.

Just because Bob and the rest of the computer illiterate posters here have no clue about technology does not mean that anyone else should remain as clueless as they are. The fact of the manner is an IT consultant responsible for my client’s web technology and any sensitive information associated with their websites I ABSOLUTELY want an Adria to point this out as quickly as possible so that I can act on it rather than have multiple GIGANTIC security holes remain exposed for weeks with hundreds of untraceable IP connections downloading the information. All of these security breaches can be easily found AUTOMATICALLY with internet scanners very similar to what Google uses to index the entire internet. I hate to break this to you Bob but I can almost guarantee you that their are Chinese and Eastern European hackers that have had this information well before Adria found it. And if you think they are going to call up Norm and let him know I have some oceanfront property in Iowa to sell you.

The fact of the matter is that Norm Coleman and the people working for him are either completely incompetent or blatantly negligent. Adria was not the first person to alert the Norm Coleman campaign to the potential problems and yet they continued to ignore their duties to A) FIX THE PROBLEM B) Alert the donors of their mistake and C) TAKE THE DAMN SITE DOWN. It takes 2 minutes to do this until you can figure out what the problem is. Instead the Coleman campaign claimed their site was hacked for political purposes, claimed they contacted the Secret Service to investigate and who then unbelievably and incorrectly said that no sensitive information had leaked out.

So the question should be Bob, as a donor would you not want Norm or someone else alert you to the fact that your credit card information has most assuredly fallen into the hands of international hackers?

@E Nelson,
Wow, your comment has blown me away.

So much so that I turned it into a YouTube video!

Check it out!

YouTube Video
Hey Bob, I’ve Got Something For You…Re: Norm Coleman Database

@E Nelson,
Nice reporting!

I think your article brings up a very valid point that the information was sitting out there for anyone to access due to the choices the website adminstrator at Norm Coleman’s office made.

Norm Coleman and Identity Theft Gate: Is Your Online Donation to Norm Coleman Safe?

[...] techie and consultant Adria Richards visited the site and published her tour of it on her blog. March 13, 2009 | Filed Under Family, Political [...]

Adria,

Please marry me! You are my hero.

Love,
Al

@adria.richards,
I agree with Pixelpusher. You found an unlocked door, walked in, looked around and took pictures. Rather than notify the owner, you chose to put a big sign in the front yard announcing that the door is unlocked and posted pictures of the contents for everyone to see. For a technology professional, this is an ethical question, not a political one.

You said it yourself, you thought it was “news” and that is lens through which you filtered your decisions. Your desire to be part of a news story outweighed your duty to act responsibly, and you helped to expose sensitive personal data that might not have been otherwise. It doesn’t matter that you were not the first on the scene.

Sure, you didn’t unlock the door or store information that isn’t supposed to be stored unencrypted, but you did tell as many people as you could about the vulnerability, and did so before the door was locked. You could have publicized the negligent actions of the site administrator after the vulnerability was dealt with. You would have made your point without unnecessarily exposing people to identity theft or credit card fraud.

It’s an easy mistake to make given the current emphasis on instant communication, Internet fame and the view that data nearly valueless. If nothing else, this incident serves as another case study for Information Assurance and Business Ethics students.

@Adria Richards, Okay, I can accept that…Then, perhaps a flower for your efforts?

8″”=”"8′ “88a88′
.. .;88m a8 ,8″” “8
“8″‘ “88″ A” 8;
“8, “8 8 “8,
“8 8, 8, “8
8, “8, “8, ___8,
“8, “8, “8mm”"”"”"8m.
“8,am888i”‘ ,mm”
,8″ _8″ .m888″
,88P”"”"”I888888
“‘ “I888
“I8
“I8_
,mmeem.m”"i, I8″” ,mmeem,’.
m”" . “8.8 I8 ,8″ . “88
i8 . ‘ ,mi”"8I8 ,8 . ‘ ,8″
88.’ ,mm”" “8I88″m,,mm’”
“8_m”" “I8 “

@adria.richards,

Adria – I agree with Becki, this was definitely not ethical. It’s irrelevant that it was a political site (and I don’t care who wins). It’s irrelevant that they may or may not have had professionals managing the site. It is relevant that they exposed data. Someone with more intelligence about such an issue – and how to fix it – such as yourself, had two choices. One was to find a way to address the problem, to contact someone – ANYONE. From 7pm to 730, you discovered more and collected your evidence. Sadly, you took the 2nd choice. You didn’t address the problem, you publicized it – even insisting on your website that it was okay to publish the pictures, “as long as you credit me”. Wouldn’t an IT professional such as yourself better serve the public and help the weak by fixing the problem? Your own website says “I like to help people”. Who did you help? I might have missed it, but I didn’t get the impression that the Coleman people ignored your pleadings, your evidence, your *desire* to help them. Instead, you went for the 15 minutes of fame in this 2.0 world, even giving props to Twitter. For what, getting you on TV? You used your experience and greater IT knowledge for personal gain. But this too will fade. The legacy you could have left for this event could have been an ethical one. It’s too bad it won’t be.

[...] She details the process of how she found the open database (in less than two minutes) on her But You’re a Girl blog. (She says, however, that she did not download [...]

@TJSwift,TJSwift, you really don’t have any idea what your talking about. Entering an IP address into a browser is not illegal or uncommon. And finding a Direcroy structure when you get there, and looking through it is legal and common too. it is assumed that if you find a directory structure, you can look through it. This is how it was back in the early days of the internet, and the practice is still used.

What I find questionable is that there was a tarball (a zip file to you) of the database in a publicly accessible directory. This is either a huge mistake made by a complete beginner, or a plant. There are plenty of way to have kept this information, this file, from being found, by the method in which Adria found it. (It shouldn’t have been there in the first place). So much so that I believe it was done on purpose. Nobody, nobody, that is in the business of building web sites for a living would put credit card information out on a open directory. This smells bad.

@Dean W., For God sakes! Put down the Anne Colture books, turn off Fox, go buy a nice cd of polka music to play in your car. Get a grip before it is too late! Let rational thinking and vigorous curiosity return to that place it has long since vacated.

[...] she is my new heroine [...]

@Minnesota Central,
Agreed. The real issue at hand is the development of insecure websites.

If you bought a car that you could not lock, it would get stolen often.

If you adopted a puppy that was not vaccinated properly, it would need to see the vet.

If a website collects information from people, especially financial information, it is a must to plan out the data workflow.

Instead of storing the credit card information, they could have just collected the name, email, address and sent the financial portion onto a payment gateway processor like Authorize.net.

The biggest problem here was the management of the server and website. The Coleman office could have hired an experienced Linux and website administrator to lead the website rollout, audit the site and read through the error logs. Instead, they brought in the “Secret Service” who found “nothing”.

@Jachra,
Please see YouTube video

Why upload Coleman photos to Flickr?

@Adria Richards,
Did you know the site was hosted by Visi? I don’t think it is now, but it looks like it was when you took the screen shots. They have 24×7 phone support BTW.

: dig -x 208.42.168.251

; <> DiG 9.4.2-P2 <> -x 208.42.168.251
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48770
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;251.168.42.208.in-addr.arpa. IN PTR

;; ANSWER SECTION:
251.168.42.208.in-addr.arpa. 900 IN PTR v-208-42-168-251.mn.visi.com.

;; AUTHORITY SECTION:
168.42.208.in-addr.arpa. 900 IN NS ns.visi.com.
168.42.208.in-addr.arpa. 900 IN NS ns2.visi.com.

;; ADDITIONAL SECTION:
ns.visi.com. 807 IN A 209.98.98.1
ns2.visi.com. 807 IN A 66.254.98.138

;; Query time: 76 msec
;; SERVER: 68.11.16.25#53(68.11.16.25)
;; WHEN: Mon Mar 16 21:33:32 2009
;; MSG SIZE rcvd: 154

@Jachra,
I really appreciate you taking the time to watch the video and post back to the blog with your updated comments. Everyone has a right to their opinion about my actions.

i have learned to always think twice before i post crazy stuff i find on the internet. the ethical questions are not so simple as they seem at first glance.

if what you find is truly important to society, you can always keep copies, and then upload what you found, later.

journalists have big databases of notes and documents that they dont show to just anyone… they have all sorts of guidelines and judgement calls they have to make about what they can reveal, vs what they cant, and the effects it might have on the lives of various people, including their sources.

the hacker culture is a bit different from the journalism culture, thats imho maybe part of the problem with the internet and events like this. it wasnt the first event, (ayone remember when AOL published a bunch of ‘anonymized’ search queries?), and im sure it wont be the last event like this to happen.

hopefully the computer professors will start taking a little advice from the journalism professors and start teaching this stuff in their courses.

[...] busy as a nonpartisan media pundit on web security matters. Adria’s social media habits and reporting on her blog went on to influence stories in more [...]

[...] of what she’d found online after she made the discovery.  An IT consultant  for 10 years, she published her findings on her blog to educate others about the risks of improperly managed websites, she [...]

結婚　相談
お見合いパーティー
海水魚
吉田不動産
貸し事務所
エアコン　故障
エルメス　バッグ
家電　レンタル
弁護士　銀座
株　初心者
J-Payment
お見合い
アヴァンス
ハワイ旅行
オフィス　レイアウト
介護
car insurance
債務整理　無料相談
DVDコピー
株式　情報
時計修理
USBドングル
折込広告
老人ホーム　横浜
恵比寿　賃貸
カイロプラクティック
厨房機器
バイク便
川西賃貸
ECサイト　構築
ピアノレンタル
教員採用試験
債務整理
越谷　不動産
小さな靴
カフェポッド
商品先物取引
福生市　不動産
募金
三軒茶屋　マンション
ピアノ教室
RMT
マンション　貸す
過払い
婚活
コーヒーワゴンサービス
彫刻刀
オーガニックコットン
スキューバダイビング
港区　不動産
子宮筋腫　漢方
グッチ　バッグ
店舗デザイン
今井クリニック
育毛　東京
日商簿記
志木　一戸建て
冬虫夏草
乳がん
オフィス賃貸
ビジネス英会話
ビジネススクール　英語
ナース服
レストラン　求人
立川市　不動産
調布市　不動産
八王子市　不動産
福生市　不動産
あきる野市　不動産
黄体機能不全　漢方

Thanks Amanda! Yes, the 1 year anniverary of that blog post was yesterday and I’m planning to do a blog post on it next week.

Ah for “CrashGate”?

With Coleman’s website down, where will people go to remind him regularly that he has lost?