What I Learned Trying to Secure Congressional Campaigns (idlewords.com)
345 points by pw on May 28, 2019 | hide | past | favorite | 146 comments


Great article, as always.

I think one of the key points is how awful password managers are for non-technical people to use. It's not necessarily the developers' fault because it's difficult to interact with all the things they need to, but it makes it practically impossible to get someone to use one unless they're technical enough to be able to figure out all the random issues that come up all the time.

I'd love to be able to get some non-technical family/friends to use one, but there are just way too many times that showing someone how to use a password manager goes something like: "Okay, so now you've generated a password and you click 'Register' and... oh hold on, the page redirected for some reason and the pop-up to save the account info is gone, so, uh... well, I think there's a generated-password history page somewhere, let me just look through the Settings area even though it's not a setting... okay, there it is, so it should be this one. I'll just copy that and now I have to create a new vault entry for the site manually by typing in everything and pasting this password in there, and then..."

It's terrible, because a password manager that would just work and stay out of the way could make such a huge difference to general account security, but they all seem to still be difficult to use and require you to have a pretty good understanding of what's going on to be able to deal with random problems.


I think password managers could be easier to use, but that the fundamental problem here is, well, fundamental. The major security win of a password manager is that you end up randomizing your passwords across all your accounts; it does no good to "manage" a series of related passwords that will get credential-stuffed as soon as one of your providers has a breach. To get specialized passwords for all your accounts, you have to be able to reliably use the password manager on all your devices, which means not only configuring it and regenerating passwords the first time, but getting it to work again and synchronize it on every new device you use.

If you're motivated, you can get this to work. But people are not generally motivated.

Password managers are a thing I could confidently roll out as a security officer for a startup, where people are in effect being paid to take what I tell them about opsec seriously. They're not something I could confidently roll out in a campaign.

If you're going to get a campaign to do 2, maybe 3 things, you're going to tackle 2FA, phishing (security keys) and attachments (Chromebooks, iPads, and GDrive viewers). If you could do a 4th thing, I don't know that password managers would make that list.

(For the record, I did one training with Maciej, at an NGO, not a campaign, with rooms full of people who were, if not well-motivated, at least super respectful of our time and who had at least the appearance of being attentive to what we were telling them. And getting 1Password working for any of them proved hopeless. I think even I stopped being able to make 1Password work for a couple days after trying it with them. Unlike me, Maciej has a gift for talking to people about this stuff, and also unlike me, he did these trainings dozens of times. If the best password manager he could roll out was Notes.app, people who make password managers might want to figure out why that is.)


What’s your opinion on the password management that chrome offers these days?


Browser password management is simply not enough. For one, they just save the terrible password that the user entered (the same password they use everywhere else, incl. their bank), they don't generate one. And sure it's really easy to use with websites, but what about apps? What about computer logins? What if the website changed their login domain? What if they changed to a 2-step form and it doesn't autofill anymore? What if you tried to change your password and the browser updated but the website didn't? (Hint: you need history.)

Browser password managers are terrible as soon as you inch a tiny bit off of the "happy path" and need anything above "autofill the same password I used last time".


Both Chrome and Safari generate passwords for you. In Safari's case, it also uses the OS/platform-provided secret storage and sync facilities, works in mobile apps, etc. I don't think you're accurately describing the current state of in-browser password management at all.


> I think password managers could be easier to use, but that the fundamental problem here is, well, fundamental. [...] To get specialized passwords for all your accounts, you have to be able to reliably use the password manager on all your devices, which means not only configuring it and regenerating passwords the first time, but getting it to work again and synchronize it on every new device you use.

All of the major password managers pretty much have the "work again" (use of a saved password) and synchronize part pretty much nailed by now -- good enough for government work anyway. (That's an old US idiom for non-US or millennial folks.) It's really just the first time (enrollment) problem that is the UX bugaboo. It could be solved. So I wouldn't call it a fundamental problem, in the sense that it can't be overcome.

I think a solution hasn't been pushed because being able to more thoroughly decipher enrollment forms is a competitive edge. And as long as it's a problem everyone (all password managers) have, that edge can be honed. Password managers are companies also. They need revenue and market share, not universal solutions that also make the job easier for their competitors.


One of the things that made switching to a password manager difficult was the lack of a smooth and secure automation workflow.

Do you think a standard/protocol for communication between platforms and password managers would help solve this problem? Basically your password manager could hook into events from Android/Chrome/iOS like "login requested", "new account created" and "password updated", allowing increased automation from password managers.

Obviously using lots of signing/certificates/encryption/platform verification (to become a registered password manager for Chrome/iOS/Android would require a much more extensive check than a standard plugin/app) to ensure security?


> Do you think a standard/protocol for communication between platforms and password managers would help solve this problem?

Does the Freedesktop Secrets API Specification resemble at all the type of thing that you're envisioning?

https://standards.freedesktop.org/secret-service/ch01.html


keepass2android added this some time ago and it has certainly helped wonders for me there with the automation of passwords in apps on my phone and tablet. That said it's only there on android. I'd love similar kinds of integrations/apis available on other platforms too.


Password managers seem like somewhat wasted effort when you pass all the plaintext around on Android. Feels like a security minefield; only a matter of time until a vulnerability or outright malicious app starts reading them.

Obviously if you can't use the password manager on mobile it's functionally worthless.


That's one of the reasons that android added the autofill system, so you no longer have to pass them around in plain text on the clipboard.

https://developer.android.com/guide/topics/text/autofill-ser...


That is getting better with better clipboard APIs.


Don't iOS and Android have some sort of support for at least the first event? I seem to recall them allowing third-party password managers to present their passwords when requested.


At least in iOS you can set one or multiple Password Managers which will provide login info whenever required. It works well.


I want to be able to pass authentications from my phone to my laptop or tablet.

The interaction model seems better there, but there's so much missing integration.


What exactly does 'pass authentications' mean?

Apple has app handoff which does this. Or do you just mean keychain/password sync? Which most if not all the major password managers have.


Are these issues that a "dumber" password manager would have? I'm thinking of one that would run in a standalone app and only have the ability to generate passwords and save them for a given website identifier (presumably the domain name), look up passwords given the identifier, and delete entries when no longer needed. The passwords here could be all encrypted with a single password that the user has to remember, and then the user can just copy/paste the password from the manager to the browser as needed. I think OS X has something like this built-in (I think it's called Keychain, although I'm not a Mac user, so I'm not sure if it actually has the exact semantics described here). My guess is that a lot of the issues you're talking about mostly stem from trying to interact directly with the webpage, which I'm not convinced is a robust model if the goal is to optimize for non-technical users.


I use one of those. It's open source software and I have the password safe file on my Dropbox account so it is everywhere and backed up. That way I need to remember at most two passwords (Dropbox and my password manager).

Works great for me and I have used it for small teams as well.

https://www.pwsafe.org/


That is certainly easier to use, but comes with higher risks of phishing. The Holy Grail would somehow do both.


Sounds like pass [0]. Which is dead simple, GPG. (And optionally git for sync).

Whilst pass itself is a CLI, meaning non-technical users, it also has a ton of web browser extensions that target it and are dead simple to use.

[0] https://www.passwordstore.org/


Current versions of iOS have a built-in password manager as part of Mobile Safari - it feels like this could be a much more user-friendly option, I'd love to see some formal usability studies of how it compares to 1Password et al.


The iOS password manager also works in properly designed apps as well.

Websites and apps must test themselves with the popular password managers and ensure it is a smooth experience — otherwise they are being security hostile.

The other dumb thing is forcing there to be a password for an account. If I reset my password via an email reset, just let me click on a link to log in to the app (ensure things like deep linking into apps work). A one time token is way better than any password. Let me go through that flow on multiple devices without resetting the first device. Send me an email every time a new device receives a sign in.

If email is the weakest link (password reset), don't make me even less secure by requiring me to dream up another password. Now there are two vectors to crack me.


It works really well provided you enable iCloud and use safari as both desktop and mobile browser, which I think is probably a lot of people in the author’s orbit.


On desktop Mac, you can copy a password from Keychain to Chrome. Kinda crappy, but gets the job done in a slightly more secure manner than Notes.


You can do this on iOS as well, but it's somewhat more complicated.


Not that much more. Good point!


Outside of what you describe (the little edge case issues that pop up 5% of the time), I found the biggest problem for onboarding for password managers is just time.

I was able to successfully get my Dad to switch to LastPass, but it took a lot of time to recontextualize what he knew about passwords before, and how to work LastPass into his daily life. After the initial setup (which involved setting up the account, showing how it works, and migrating about 25% of his passwords), he would ask me questions about it every few days. Just basic stuff like what to do when some sites don't work nice with it, LastPass not saving a password correctly, and other stuff.

Once he did learn it though, it has been pretty much smooth sailing. I am only really familiar with KeePass and LastPass, but both programs have pretty terrible onboarding. LastPass has an ok 'how it works' [1] page, but what these apps really need is a guided tour/tutorial explaining what a password manager is, how to use it, and how to migrate your current password setup over to theirs. Using a password manager almost has its own language, and teaching the users that language is the hardest part in my limited experience.

[1]: https://www.lastpass.com/how-lastpass-works


I tried getting an older friend of mine to use a password manager. After a few hours, we were back to using one password. I'm now convinced that the way forward with the technically unsophisticated is indeed abstinence. Do not bank online, treat the internet as a place where everything you do is public, and deal with threats as they arise. As far as password managers have come, they're still only usable by power users, normal users can be educated to use them, but the truly unsophisticated really should just stay offline. Fear is a far easier sell than mastery.


Banking is one of the safer things you can do online, thanks to the high level of regulation and consumer protection around the financial industry.


Though they tend to be the ones that have password length and character restrictions.


For better or worse, banks tend to use back-end risk-prediction and risk-prevention methods. Those stop-loss much, though by no means all, fraud losses.

One unified model of understanding all the FIRE sector (finance, insurance, real estate) is to consider them as fundamentally attendant to the question of managing risk. To a vastly greater extent than any other economic sector.


I just introduced 1Password in our company, to our mostly non-technical staff and being a long time 1Password user myself it was indeed surprisingly complicated and involved more friction than most of us here would expect.

One of the major barriers was explaining that the actual process of moving to secure, unique passwords requires changing them manually at every service in a repeated sequence of back and forth between the service's configuration and 1Password. Users expected the changes made in 1Password to apply and automatically sync to whatever service they were changing at the moment, which is of course not possible.

Another issue was domains, which are basically the only way to connect a 1Password entry to a website. Naturally I had to explain to keep the website/domain attribute as short as possible to avoid problems like 1Password not recognizing that the current website at foo.ebay.com does in fact belong to the entry with the attribute bar.ebay.com. This isn't helped by the fact that 1Password automatically suggests creating entries it recognizes as new, which often include specific login domains and URLs. Setting ebay.com as the website attribute is the right way to do it, but of course this is rather confusing for most people.

I'd argue that most people might be better off without the browser extension and should instead start with the simplified copy and paste process of manually opening 1Password whenever a sign in is required.


> Users expected the changes made in 1Password to apply and automatically sync to whatever service they were changing at the moment, which is of course not possible.

Of course it is possible, it's just not implemented. There have been proposals for standard URLs that would accomplish this, but none of these have taken off.

Just wasn't sure if you meant not possible "today" or not possible "at all".


Yes, I know - we had this discussion about a potential standard set of user configuration URLs just recently here on HN, but in my comment it was meant as not possible right now.


I put my mom on LastPass. She has 2FA enabled and working, we can share passwords to each other, she’s happy to access via PC browser extension or iPhone, and she can’t possibly screw it up.

I think the easy system already exists.


Many of them stay out of the way. I use a more technical one (Browserpass) and even that is a generate password once and it automatically syncs with Google Drive or whatever file sync service you want.


A password manager provides the exact same benefits as the website hashing the user's password client side with a salt - before sending the password as per usual (over SSL and then hashing the hashed password server side also).

Why is this not done?


If I key in the same password "PAssword123" for site A and site B, it makes absolutely zero difference if it's hashed before sending on site A if site B is storing it in plain text, because once retrieved from site B it can be used to log in to site A regardless of A's password handling process.

The only way round this is to make sure that B doesn't have any information which can be used to compromise A, by sending the password from an external program.

(You could just about achieve this from client-side salt+hash as an external program instead of a password manager, but then it's a big pain to change passwords when B is compromised.)


I'm stipulating that we use a salt, so the (password+websitesUniqueSalt) equals a different hash each time.


Most people wouldn't do that because it's effectively redundant if you trust TLS and that the server is not compromised. However I think your proposed technique would be useful in cases where TLS is broken or the server is in some way compromised, running on low trust hardware, etc. So it's a good precautionary measure.

Grandparent is also right that your users' passwords can still be compromised on other services, giving an attacker a way into your own. Password managers don't have that problem.


Then your password is just the hash and salt. And presumably you're generating those with JavaScript, which adds a surface to target to exfiltrate passwords. No need to get into the server, just inject some JS or redirect a CDN or...

It doesn't actually add any security is the short story.


> Then your password is just the hash and salt.

Yes, and by that it appears random. Which is exactly what we want and what password managers provide.

> just inject some JS or redirect a CDN or...

This is the case anyway with regular passwords.

> It doesn't actually add any security is the short story.

Are you sure?


> Yes, and by that it appears random. Which is exactly what we want and what password managers provide.

Good sources of randomness, that aren't susceptible to side-channel attacks have only really appeared in browsers (Crypto.getRandomValues) in March of _this_ year.

Random is only good if it is a decent CRNG, and we haven't had time to roadtest if we can rely on that yet.

Bad random is predictable, in which case you're removing security.

> Are you sure?

Yes. You're _adding_ a platform that can be attacked, but not introducing anything that is more secure than what is already possible.


I don't see what security we would be removing. I am for keeping SSL and server side hashing. I am just suggesting the addition of client side hashing also.


I do this with the sites I admin. I don't know why it's not more widespread.


Huh? If I log out, how does the website let me log in again?


Insert your password, it is appended with a salt and hashed, and then sent to the server which logs you in.


What is the salt based on?
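The scheme argued over in this subthread (hash the master password with a per-site salt on the client, send the result as the password, and let the server hash it again), as an added example that is not code from any commenter. It assumes the salt is the site's domain plus a rotation counter, which is one possible answer to the question above and an assumption of this example, not something the thread settles:

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the thread. Models: client derives a per-site
# credential from (master password + site salt); server hashes the received
# value again with its own random salt, exactly as it would a normal password.
# Assumption: the site salt is the lowercased domain plus a rotation counter,
# so one site's credential can be changed without changing the master password
# (the "big pain to change passwords when B is compromised" objection above).

PBKDF2_ROUNDS = 100_000


def derive_site_password(master: str, domain: str, counter: int = 0) -> str:
    """Client side: deterministic per-site credential; the site never sees master."""
    salt = f"{domain.lower()}:{counter}".encode()
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=24)
    # urlsafe base64 so the result is a plain printable password string
    return base64.urlsafe_b64encode(dk).decode()


def server_store(site_password: str) -> dict:
    """Server side: hash whatever arrived with a fresh random per-user salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", site_password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def server_verify(record: dict, site_password: str) -> bool:
    """Server side: constant-time comparison against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", site_password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def demo() -> dict:
    """Walk through the properties the subthread disputes, on constructed data."""
    master = "correct horse battery staple"  # constructed sample master password
    site_a = derive_site_password(master, "site-a.example")
    site_b = derive_site_password(master, "site-b.example")
    site_b_rotated = derive_site_password(master, "site-b.example", counter=1)
    record_a = server_store(site_a)
    return {
        # reuse of one master password still yields unrelated per-site values
        "distinct_per_site": site_a != site_b,
        # bumping B's counter changes B only; A's credential is unaffected
        "rotation_changes_only_b": site_b_rotated != site_b
        and derive_site_password(master, "site-a.example") == site_a,
        # the server treats the derived value like any password
        "server_accepts_derived": server_verify(record_a, site_a),
        # a plaintext leak of B's value does not log in to A
        "leaked_b_logs_into_a": server_verify(record_a, site_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```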


I'm confused by how difficult it was to get a meeting and convince these people to change their ways, but how easy it was to hand them a USB device and "Collect information about what devices people are using, their email provider, whether they have two-factor authentication, how they share documents in the campaign, how they keep track of passwords, and so on".

Were you just some random outsider to them, coming in to do free security training? Or did others have to vouch for you? It seems like it would be terribly easy to do all of this under the guise of being a helpful security person, but you're actually just sabotaging them with rogue USB devices and learning the details of all of their security practices. Especially by getting on their good side with things like "A friend wrote a script that did this conversion automatically when you dragged things to a desktop folder, and I would mention this during campaign visits. Suddenly I was no longer the dentist, but Santa Claus come early."

Could anyone else have been doing this without being vouched for?


It varied a lot across campaigns. I had an easier time getting meetings once the Washington Post article came out. In fairness to the DCCC, they also vouched for me when campaigns called to check my bona fides. The Progressive Change Campaign Committee also opened a lot of doors.

That said, there are people who will absolutely meet with you sight unseen and put random USB stuff in their laptop. One candidate left me and a friend to watch his open laptop in a San Francisco cafe, two minutes after we met.


This is mentioned.

> You should understand that there are a zillion people and groups out there who want to do tech experiments on campaigns, and without someone to vouch for you, you will make no headway.


For me Chrome password management works fine. I have all passwords on my work Mac, had to switch Macs about 9 times due to Apple's quality issues in the last year and passwords were always available after logging in to chrome.

And they are also always available on my Android.

But. I need to trust Google.

I also have 1password (without cloud sync). Works great on my Mac. But switching devices is a pain. And syncing to mobile doesn't work at all currently.

So my state with managed passwords is somewhat of a mixed bag.

PS: Well, due to policy changes I need to create a central password for logging into my computer and company systems in the future. And I need to type it multiple times per day. And need to change passwords regularly. I am not really looking forward to that form of "security".


Only because I'm one of Maciej's number one fans am I going to point out the delicious irony that more skill in digital advertising would have been helpful to his mission this time.


Disclaimer: I work in politics professionally, as a digital consultant.

ActBlue is better at security (and just in general product) than NGP, but neither supports physical 2fa keys.

I don't want to speak too publicly about NGP VAN but I think this area is very ripe for disruption, but it would be hard to get the finance side 100% correct, automated FEC & compliance and all. This built up moat I personally believe lets them stagnate on technology. I think their API is proof they know the weakness or are afraid of easily better tools built on top (no important data in and out).

One attack vector I don't see mentioned is locking down domains and websites. Campaigns are incredibly cheap, it only took a few consultants selling shitty pre-built WordPress themes and now it's tough to get a Congressional to pay much or anything. We now build static websites for clients who pay, but I'm still worried about some actor uploading a google-verification.txt, or updating DNS to send better phishing emails.

Emailing passwords in plain text and shared twitter passwords for candidate accounts which are 'victory!2020' are VERY common and we've been trying to correct this behavior.

Though this isn't perfect we have been sending one time links with no authentication info in email plaintext. If anyone has a better solution? (remember non-technical (no PGP) campaign staff and not in same geo a lot of time).

In writing up some campaign plans this cycle I made some security notes, especially for a top 5 race target client we have (if win primary). I suggested a separate senior staff office in a more secure location which no volunteers know about. This won't work at Congressional level, where anyone can get access to the call time room or CM's office if they try..

Yes because I'm overly paranoid but also sadly because security in politics now means protecting from some random nut bag with a gun. Which is really scary to me.

But mostly I'm surprised at Maciej's willingness to spend money (and valuable time) doing this. Sadly I think the willingness to help anyone including 'Green Party candidate in a district the Republicans carried by 60 points' combined that with the general (and I can understand and am not judging) attitude that 'the system' is broke, is probably a factor to why he was not taken as serious as I think he would have liked.

Sorry this got really long.. I could go on and on (if @Maciej or is it @idlewords ? sees this would be happy to chat on DM).

love seeing politics on HN a topic I have specialized knowledge in for once ;0


Thanks for these comments, and I'm happy to talk; you can find me on Signal at 415 610 0231.


How can I best connect with you? I did a quick stint in politics and would love to chat.


dillon @ 4degre.es or send me a message on fb dillondoyle or ig dillonjdoyle sometimes email doesn't get filtered so i see it from cold contacts.


Making a throwaway because I too work in politics and have worked with your firm before. Also I might disagree with lots of your points but if you actually want to build something better than what currently exists there are tons of resources, Higher Ground Labs is probably a good place to start [0]

> ActBlue is better at security... than NGP

By what metric? They're vastly different products serving completely different end users. That's like saying that Uber is better at security than Oracle.

> I don't want to speak too publicly about NGP VAN but I think this area is very ripe for disruption

Your comments show that you have some understanding of the ecosystem but I'm not sure what you're getting at here. First, NGP VAN serves two different purposes - NGP does FEC compliance while VAN handles voter files and direct volunteer contact.

Automated compliance is really hard, a lot of companies do this but none are as good as NGP. More than 40 companies are registered with the FEC to provide this service [1], with some of the larger ones being Aristotle, Blue Utopia, and Trail Blazer (this does not include R only companies like CMDI).

Managing voter data is also really hard [2], lots of other companies do that too though. Off the top of my head I can think of NationBuilder, PDI, L2, Crowdskout, and VoterHub. There's also a whole group of start ups working on new voter files, including one backed by Reid Hoffman [3] and one with Howard Dean [4]. Note for non political folks: VAN does not provide data, it's the software platform used to slice and dice data that the DNC + others collect. I'm getting off track but while VAN is far from perfect (and could be better!) it's a pretty great solution when all is said and done [5].

> I think their API is proof they know the weakness or are afraid of easily better tools built on top (no important data in and out).

Well that's just false. VAN has both import [6] and export [7] functionality via API. The older NGPs don't have all these features but the newest version does too.

> Campaigns are incredibly cheap

Yes lol so much yes.

> I'm still worried about some actor uploading a google-verification.txt, or updating DNS to send better phishing emails.

I also agree that this is a risk. If I were you I'd start by updating the DMARC, DNS, and SMTP records on your firm's website to minimize the chance of your clients being phished.

> Though this isn't perfect we have been sending one time links with no authentication info in email plaintext. If anyone has a better solution?

Use Signal. Everyone involved with a campaign should have Signal on their phone.

[0] https://www.highergroundlabs.com/
[1] https://www.fec.gov/help-candidates-and-committees/filing-re...
[2] https://medium.com/@heywillconway/why-the-ngp-van-model-is-h...
[3] https://www.wsj.com/articles/fight-over-voter-data-roils-dem...
[4] https://www.apnews.com/9a47a0def9234e338bc72053e86f221f
[5] https://medium.com/@danancona/why-the-ngp-van-model-has-been...
[6] https://developers.ngpvan.com/van-api#file-loading-jobs
[7] https://developers.ngpvan.com/van-api#export-jobs


I didn't want to go point for point but I started writing and this will be my last reply: AB engineering and security is way better from the outside looking in.

NGP does have a contribution form product so I think it's a fair comparison. Also comparing UI, speed, API, and willingness of staff to communicate and work together is fair IMHO. I've found and seen AB fix security critical bugs. The AB UI is pretty good and most important the donate pages & donate API are fast and I've never experienced catastrophic failure over many years when it matters. AB is also great to work with, quick, willing to listen and work together. NGPVAN on the other hand...

I agree on the compliance, that's what I wrote. I think they have that moat and while I think it would be fairly easy to make a better product I don't think it would be easy for a new product to get compliance correct right out of the gate (which is what would need to happen).

The actual (now kind of combined UI design) NGP VAN UI I think is poor and even basic queries / lookups are slow. I also think in terms of toolset there is a lot of room for innovation (e.g. from voter contacts ML for me similar voters, better leverage data across platforms, and much more I don't want to write publicly since we offer some of these patchwork services ourselves). If you've ever had to use their email platform, that alone speaks for itself to this point...

plus ngpvan routinely suffers from 'going down for maintenance' or 'adding capacity' during peak problems that from the outside looking in seem to come from legacy tech/problems.

The VAN side of the API does allow more data in, NGP not at all. I can't add any custom data to users, I can only tag an external ID and add what's basically a tag to a person. Most important I can't get donation data out. Last I talked to them I kind of offhand mentioned I could script against their internal API and they shut me down with TOS. While the VAN API does at least allow for some data in, the export jobs you give are pretty limiting imho and maybe even an example of legacy choices or internal fears, I can't tell, I don't work there. A counterexample for AB is we subscribe to webhooks which POST JSON of all incoming data; even the idea of an NGPVAN API is somewhat new if I remember.. trying to scratch head, I think I remember NGP only accepted like XML SOAP requests not that long ago (like a cycle or two). Whenever I do data work with VAN the first step I do is export it all and dump into BigQuery lol.

The thing with managing voter data is that I don't think the party provides as much value as they could (should). Anyone can get voter file data either through the state SOS or buy it from one of many companies; you mention a few. I don't think the party does a good job of collecting and using data across clients across cycles and I think there are a few R for-profits that do a better job at generating value here; but there are a lot of obstacles e.g. each campaign wants to control their own data, what about primaries, etc. For instance you don't see the party enabling/selling 3rd party targeting via Oracle on issue scores collected from voter contacts across clients across cycles like a few R companies have done.

Campaigns have not replaced email with Signal no matter how hard tech people want them to; it's just not the same functionality and use case as email. In the case of sending a temporary password, idk, seems apples to oranges as a 'one time secret' link; in the end I just don't want someone who gains access to email to also gain access to plaintext passwords which are routinely emailed (but idk, maybe there is a better solution, which is why I asked). Even if they did have Signal in the first place, they prob don't have it on the computer they are trying to log in on (copy and paste password).


I have great hope that the upcoming WebAuthn standard (https://webauthn.io) will greatly improve server-side security and make phishing a thing of the past, but I worry about how the threat model will then turn towards securing access to the user's personal devices. Endpoint security is going to get even harder. People double-click and blindly run whatever on their devices all the time.
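The reason WebAuthn resists phishing is worth seeing in code. The browser, not the page, writes the origin into clientDataJSON, and the authenticator signs over a hash of that JSON, so a look-alike site relaying a real challenge produces a response the relying party rejects. The block below is an added example written for this thread, not code from the post or from any WebAuthn library; the origin, challenge values and helper names are constructed for the demonstration, and only the clientDataJSON checks are shown (a real verifier goes on to check the signature over authenticatorData || SHA-256(clientDataJSON)).

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party origin for the demonstration (assumption, not from the thread).
RP_ORIGIN = "https://accounts.example.org"


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_challenge() -> bytes:
    """Server side: a fresh random challenge for every sign-in attempt."""
    return secrets.token_bytes(32)


def browser_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """What the browser assembles as clientDataJSON. The browser fills in the
    origin of the page that called navigator.credentials.get(); the page's own
    JavaScript cannot override it, which is what defeats a relay on a look-alike domain."""
    payload = {"type": typ, "challenge": b64url(challenge), "origin": origin}
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def verify_client_data(client_data: bytes, expected_challenge: bytes,
                       expected_origin: str, expected_type: str = "webauthn.get"):
    """Relying-party checks on clientDataJSON from the WebAuthn assertion
    verification procedure. Returns (ok, reason)."""
    try:
        data = json.loads(client_data)
    except ValueError:
        return False, "malformed clientDataJSON"
    if data.get("type") != expected_type:
        return False, "type mismatch"
    if data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch"
    return True, "ok"


def client_data_hash(client_data: bytes) -> bytes:
    """The hash the authenticator's signature is bound to; changing any byte of
    clientDataJSON (for example the origin) invalidates the signature."""
    return hashlib.sha256(client_data).digest()


if __name__ == "__main__":
    challenge = new_challenge()
    # Legitimate sign-in: the user is on the real origin.
    print(verify_client_data(browser_client_data(RP_ORIGIN, challenge), challenge, RP_ORIGIN))
    # Same challenge relayed through a look-alike origin: the browser records that origin.
    relayed = browser_client_data("https://accounts-example.org.invalid", challenge)
    print(verify_client_data(relayed, challenge, RP_ORIGIN))
```

The contrast with a password or one-time code is that neither carries the origin at all, so a relay can forward them unchanged; here the origin is part of the signed material and the server compares it against its own.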


From a UK perspective the "call time" seemed amazing - the amount of time dedicated to that, and the ecosystem around it (EMILY's List?)

I am sure that exists in all countries just it presumably is less prevalent? Any insiders have knowledge?

Weirdly, I would think that process of dialing and recording would be very automatable too.


This stood out to me also. Things that are unique about the US compared to other countries:

1) Relatively low personal and corporate donation limits - a lot more phone calls are needed to raise the same amount of money.

2) Low rate of voting - you need an entire get out the vote campaign along with your existing campaign.

3) Hatch Act - your congressional staff can't work on your campaign, so you need two sets of staff; this combined with the 2 year election cycle is probably what makes "campaign ronin" a viable career path and also more expensive.

4) Presidential system - a bit counterintuitive, but I think in a parliamentary system house races are less important as people are more voting for the party.


In the UK, there's a total campaign spending limit.

And it's low - the maximum a candidate can spend in the 25 days before polling day is ~$21000. (The national party has a separate budget - and rules about which expenses go against which budget.)

The consequence of this is parties are relatively less dependent on raising money - and it's relatively more important to get volunteers, as the spending limit isn't enough to mail two letters per voter.


Being in the US, the whole idea that the UK doesn't elect their leader directly always struck me as odd, until I realized that their PMs generally feel much more beholden to their party's platform than politicians in the US. In which case, it really is less relevant who the particular person is and more that the party you support is in power.


The system operates in different ways depending on how big the majority is; large majorities (Tony Blair) mean the leader can tell the party what to do and run their own personal platform. Small majorities (Theresa May) are prone to collapse and tend to get overtaken by the fringe elements.

It was always a virtue of the Westminster system that failing to pass legislation could collapse the government and force elections - no "shutdowns" or "gridlock" here - until the Lib Dems vandalised that bit of the constitution with the Fixed Term Parliaments Act. The first three months of this year showed us what a disaster that was.


The US also does not elect their leader directly.


Most people seem to have slept through their civics classes where the mechanism of how this works was detailed. A startling number of people are under the mistaken assumption that it is, or was intended to be, a direct democracy.


I think at this point, with two recent disparities between the popular vote and electoral points, most people realize there's an abstraction layer in between their vote for president. My point stands though: In the US, you vote for the specific individual you want to be president. In the UK, you do not vote for the specific person you want to be PM.


That is only partially true. In the US, we are able to vote for the specific person we support, a huge difference over the UK's system for PM, and never has the electoral college gone against the outcome of that vote.


> never has the electoral college gone against the outcome of that vote

That's factually incorrect. The electoral college precluded the winner of the popular vote from becoming president in the last elections, so no. You can vote for the specific person you support but that does not guarantee the outcome.


The parent is making the correct claim that the voting outcome by state (or CD, in the states that split their vote) fully determines the winner, and the electoral college is a procedural formality. The way the votes are weighted is different from "count the popular vote nationwide", but that doesn't mean we don't directly elect the President.


Electors are independent agents and in theory could cast votes differently than one would expect; 'procedural formalities' could be abolished, but this actually has a real effect.

https://en.wikipedia.org/wiki/Faithless_elector


No not incorrect, you misunderstood what I said, which was my fault because I was imprecise. I didn't say the popular vote was reflected by the electoral college vote. I said the electoral college has always themselves voted along with the result of the votes, i.e., voting in accordance with what each state voted.


In fact they have not. Yes, the end result was the same in all but one case. But some electors chose to do whatever they thought was right instead of what they were supposed to do on multiple occasions. See other comment in this thread.


I'm speaking of the electoral college as a whole. Despite a rogue elector here or there, that has never impacted the final outcome.



You clearly know a bit about this side of history, so at this point I'm not sure if you are purposely misinterpreting what I say. Adams won by 3 electoral votes, and there was only one single "faithless elector" in that election. The other electors that voted Adams against their state's popular vote still did so in accordance with the rules for apportioning electoral votes.


Same here. I think one of the critical flaws of the US constitution is that it completely ignores the existence of political parties.


I've been the sole "tech guy" on a few campaigns over the years; it was mind blowing to see call time, my first time around. I spent several days asking other campaign officers why I couldn't just automate it; dialing, doing the money ask, collecting donation information, all totally automatable. I was told a number of reasons, with the overarching theme being that the more human effort went into it, the better the outcome would be. The people doing the calls had been at it for years, had a system, and didn't want the disruption caused by automation. They would work better if it was their job start to finish.

It is a bit Luddite in nature, but when I beta tested an autodialing system, the person making the calls seemed more surprised, less ready for the call, and had less immediate knowledge about who they were calling. The act of scrolling through the list, identifying the next viable name (and reading all of the information we had about that person), dialing the number, etc, gave the caller time to mentally prepare and digest what they knew about the person they soon would be speaking to. They were more engaging during the ask, and overall were more successful.


Kind of missing the point. Call time is about "access" to the candidate. Most large campaigns already have call center operations for low-dollar donors. Donors that max out do so because they have the candidate's attention for a period of time. Not possible to automate (and automating it would defeat the purpose).


Ah thanks for the correction! I misunderstood the article's description of "call time" as a synonym for "call bank", as it consists of volunteers calling and asking for donations. I can see how automation is not feasible with this definition.


The important part of call time is that the phone number or caller ID shows the candidate's name. We have automated it some, but paper is still quick and easy to write on, to later be entered at the end of the day.


Agree, and with the unfortunate history of robo-calls, more and more people are letting calls go straight to voicemail. At what point will cold-calling not be essentially worth the effort?


Couple tidbits.

> telling people not to use Android

I personally use Android as I dislike the Apple/iTunes lock-in. But you'll be able to sleep better at night if you lose your iPhone with confidential info.

...

> Google's Advanced Protection Program is almost comically unusable for campaigns. The expensive dongles break easily, and when the dongle breaks you are locked out of your fundraising spreadsheets until you can reach Google support (if such a thing exists).

Ouch.


With technically savvy users, I think it's safe to say that you can get a flagship Android phone asymptotically as secure as an iPhone. But most users aren't savvy, and need clear guidance, and if you say "Android phone" to them, you're effectively clearing them to use the worst smartphones on the market. Like, "I found this thing on the street and stuck my SIM card into it" bad.


I think one other major factor is that if you (as the technical nerd who can figure this stuff out) give a non-technical user a fully updated secured Android phone today and then come back to that user in 6 months, it's way less likely to still be secure. Apple does a much better job of maintaining security over the lifetime of the device by pushing updates out.


How does Google compare when you get their updates ASAP with a Pixel? Is it on par with iOS then?


The issue isn't with Android flagships, especially the Pixel line. The issue is that by banning Android you ban hundreds of low quality phones. Every iPhone is high quality & only a low % of Android phones are.


Oh, absolutely. Though as for security updates, I think even most non-Pixel flagships are out of luck on timely updates.


Even Android flagship phones like the Pixel only get about 3 years of updates officially. Five year old (or more) iPhones are still officially updated. Now if only I didn't hate how iOS looked and felt.


Google's Advanced Protection isn't quite as precarious as Maciej makes it sound. APP requires you to have two keys, one to store for backup, so it's hard to lock yourself out.

The recent trouble with their rebranded Feitian keys was kind of troubling, though.


The thing is, in a campaign context the backup key is often inaccessible. If you put it in a safe place (like your safe deposit box or home office) and are halfway across the district, it won't help you.

I'm also not exaggerating how fragile the things were when I tested them. The head of the APP program had a broken one on his keychain.


Disclosure: I'm an engineer with the Advanced Protection Program.

Thanks for your work securing campaigns! I forwarded your post to my team because a major goal of ours is to be useful for this purpose.

Advanced Protection has improved a lot since early days. For example it works with Apple's native Mail, Contacts and Calendar apps on iOS.

Advanced Protection doesn't require any specific model of security key. The blue YubiKeys work just fine and even Touch ID is supported (as a U2F key).

Multiple backup keys are supported. And the same key can be used on multiple accounts.

Breaking or losing a key doesn't cause an immediate lockout. A key is required at first sign in on a new device or browser session but not thereafter. I don't even carry a key most of the time.

I'm sure there's more we could do to build great account security for campaigns. Please keep the feedback coming!


I'm glad to hear about all these improvements. I hope you will consider field-testing this with a real campaign, understanding that the biggest adversary APP faces by far in this domain is Google Legal.


>Advanced Protection doesn't require any specific model of security key. The blue YubiKeys work just fine and even Touch ID is supported (as a U2F key).

But it still requires one wireless key -- why is this? I can't activate it only with my YubiKey NEO and blue YubiKey registered.


Odd, the NEO is an NFC key, and I've seen this exact setup working multiple times.


Thanks -- My mistake, it looks like even though my keys were registered already as 2FA keys, I had to re-register them and it does indeed work.


Agreed you could get locked out for the day, but that's a bit different than "throw yourself at the mercy of mythical Google Support and pray".

Splitting hairs here though. Great work and great write up.


> backup U2F key

How do you set this up!?

Every time I try to set the folks in my company up with security keys, the biggest problems are always:

1) How do I deal with the fact that someone just left? Something invariably is tied to their login, and I need to transfer control.

2) How do I deal with a broken/lost/stolen key? So many services simply will not let you install multiple keys on an account and it drives me up a tree.


Great writeup Maciej. I do have some questions:

(1) Is there an easier secure way to open email attachments? This is a critical point of error in campaigns, and yet your suggested solutions are lacking in my eyes. I for one do not use a smart phone, and even when I use a Gmail account I use the HTML version that does not have a Google Docs option for files. So I am left with your option 3, and this could take several minutes in contrast to double-clicking the file.

(2) Why do you recommend to avoid SMS but to treat Twitter/Slack as a public messaging option? Why not just treat all three as public?

(3) Why do you recommend only the Chrome browser? In particular, why not Firefox or Tor?


Thank you! Answers in order:

1) I can't think of a safe alternative for you, but maybe someone else here can.

2) Signal is a drop-in replacement for SMS, while there is no real replacement for Twitter or Slack. That's why I tell people to treat it as public, rather than move off those sites.

3) The consensus among my security friends is that Chrome is the safest mainstream browser, though Firefox is making big strides. The Tor browser is not safe for the reasons tptacek outlines here: https://news.ycombinator.com/item?id=19981733 (I explain elsewhere in the post that I like to tell people to use a specific product.) If they really love Firefox, I don't fight them.


Maciej, do you consider the built-in Keychain functionality of iOS/macOS to be a "password manager"? I only ask because I have typically found that, when setting up non-technical people with iPhones or new laptops, it has recently passed the bar of 'easy enough for non-technical people'.

True, it can be hard to get to the stored passwords for manual entry and it doesn't work with a few sites, but generally speaking it picks random passwords, saves them fairly reliably and prompts to use them with biometric protection.


Yeah, for sure. If people were already using it, I gave them a thumbs up. In my mind it occupies some middle ground between a password manager and "I keep my passwords in this note app", but only because it doesn't tie in to Chrome.


Ah yeah, I forgot that your strategy revolved around Chrome due to the YubiKeys. Each browser offers a critical feature: cross-device password management vs. easy hardware 2FA. I have a feeling Apple sees their iOS devices as YubiKeys and Google doesn't want Chrome reading/writing to a 3rd party keychain. Not a great situation.


What do you think about Chrome's built-in password management?


One flaw for people who aren’t political campaigns is that frequently you’ll need to log in to something that’s not using a browser window.

After years of headaches and literal tears, I broke down and bought LastPass for my kids. My wife isn’t technical, and I would come home to kids that had lost/forgotten their Minecraft password. They took it out on their mom, so instead of post-work no-tech downtime, I was coming home to Sev1 incidents that were already out of SLA.


Keychain is a decent enough password manager, but there are some considerations you have to make if you're deciding whether you want it to be your default.

+ It uses Triple-DES encryption. This is probably not enough when it comes to a political campaign. It can be broken with commodity hardware. 3DES has a lot of collision attacks against it, and is deprecated in most software, and NIST considers it to only be effectively around 80-112 bits.

+ It doesn't encrypt all your data fields. Only the password or Secure Note is encrypted. Other fields like URL are in plain text, which may leak enough information to be sensitive, depending on what you consider sensitive.

+ However, on iOS, Keychain items are only accessible to the app that generated them, which is a huge plus.

+ It can sync across devices easily, because of iCloud integration, which is great for usability, but with weak encryption means if someone gains access to your iCloud, those passwords may be gone.


Are there technical reasons preventing Apple from addressing these weaknesses? Or is the native password manager deliberately weaker to enable 3rd-party apps?


I'm not qualified to answer. I'm hoping someone else can chime in.

I was somewhat surprised that it's still using 3DES.

However, a perusal through what I believe is the latest source [0] shows me the latest updates (that I could find) were in 2010 - when 3DES was still widely used, and considered by most to be fairly secure. (Flaws were mostly revealed in 2014, and the complete exploits came in 2017).

[0] https://opensource.apple.com/source/libsecurity_keychain/lib...


Great article!

Can you say exactly why Signal is more secure than email in this context?


Signal is end-to-end encrypted, so your message is stored only on your device and the recipient's. If you want, you can have it auto-delete after a configurable period of time.

Email wanders across the Internet and is stored on multiple servers by design. It can be tampered with or spoofed in ways that Signal messages can't, and your email account can potentially be broken into by an adversary.


Just wanted to point out that Gmail has a Confidential Mode that can prevent forwarding, auto-deletes and allows the sender to control access to a sent email including removing access. https://support.google.com/mail/answer/7674059?co=GENIE.Plat... Understood that Signal has other useful security properties but this is useful for folks that use email.

Disclaimer: I work at Google.


(Sorry I saw this a few days late.)

I think it's very misleading to call this "confidential mode for email". It's just putting the message on a webpage and sending the person a link to authorize access to the page, right? (And maybe messing with the gmail interface to hide that this is happening.) It's a really different concept altogether than email. If I understand right, it's basically like creating a google doc and sharing it with only certain recipients (and ability to revoke later).


> For example, we told campaigns it was best to have a password manager, okay to have a written list of random passwords, dangerous to have a password pattern you would modify across sites, and unacceptable to re-use a single password across sites.

As someone who likes the "password pattern" approach (remember one thing and use it to generate passwords for all sites), what's the threat model here? How is it dangerous?


The general answer: Your pattern is a single point of failure. If someone figures it out they can figure out your passwords to multiple sites.

The most likely threat is your password to one site leaks or gets phished and then the hacker recognizes it as pattern generated and reverse engineers the pattern. Then they just start trying that pattern on other sites.

Not doing this is good general advice. Your specific risk level varies based on the pattern you use.


Two things off the top of my head: computers today can chew through a frightening number of passwords per second, so your pattern is almost certainly guessable. And second, you're more susceptible to phishing than if you used a password manager.


People suck at doing this consistently. We observe that people who claim to do this actually end up reusing passwords.

It also becomes difficult to rotate passwords.


One or more compromised passwords could reveal the pattern and at that point you might as well have just used the same password.
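The answers above describe the pattern as a single point of failure: one leaked password gives away the rest. The block below is an added example, not code from the post or from any password manager, that models exactly that from the vault owner's side: it audits a vault for entries that share a long fragment (the kind of "similar passwords" check a manager's health report does) and reports which other sites one leak would expose, and contrasts it with independently generated passwords. The vault contents, site names and the shared core "Tr0ub4dor!" are constructed for the demonstration.

```python
import math
import secrets
import string

# Constructed example vault (not from the thread): one memorised core plus a
# per-site suffix, which is the "password pattern" the thread warns against.
PATTERN_VAULT = {
    "bank.example": "Tr0ub4dor!bank",
    "mail.example": "Tr0ub4dor!mail",
    "shop.example": "Tr0ub4dor!shop",
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20) -> str:
    """What a password manager does: an independent, CSPRNG-generated secret per site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int = 20, alphabet: str = ALPHABET) -> float:
    """Entropy of an independently generated password; nothing leaks between sites."""
    return length * math.log2(len(alphabet))


def longest_common_substring(a: str, b: str) -> str:
    """Dynamic-programming longest common substring; the shared fragment is the pattern."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def exposed_by_leak(vault: dict, leaked_site: str, min_shared: int = 6) -> dict:
    """Model the thread's scenario: one site's password leaks. Returns the other
    sites whose passwords share at least min_shared consecutive characters with
    the leaked one (so the pattern now gives them away), mapped to that fragment."""
    leaked = vault[leaked_site]
    exposed = {}
    for site, password in vault.items():
        if site == leaked_site:
            continue
        shared = longest_common_substring(leaked, password)
        if len(shared) >= min_shared:
            exposed[site] = shared
    return exposed


def audit_vault(vault: dict, min_shared: int = 6) -> list:
    """Vault-wide check: every pair of entries that share a fragment, as
    (site_a, site_b, fragment). A manager-generated vault yields an empty list."""
    sites = sorted(vault)
    findings = []
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            shared = longest_common_substring(vault[a], vault[b])
            if len(shared) >= min_shared:
                findings.append((a, b, shared))
    return findings


def random_vault(sites) -> dict:
    """The same sites with manager-style passwords, for comparison."""
    return {site: random_password() for site in sites}


if __name__ == "__main__":
    print("leak of shop.example exposes:", exposed_by_leak(PATTERN_VAULT, "shop.example"))
    print("pattern vault findings:", audit_vault(PATTERN_VAULT))
    print("random vault findings:", audit_vault(random_vault(PATTERN_VAULT)))
    print("entropy of a 20-char random password: %.0f bits" % entropy_bits(20))
```

The threshold of six shared characters is a heuristic, chosen so that short coincidental overlaps in random passwords do not trigger it; real managers use similar fuzzy checks. The point the thread makes falls out of the numbers: the random vault has no findings at all, so a leak there exposes one account, while the pattern vault exposes every account from any one leak.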


It is amazing when you consider both the number of and the sheer depth of the problems that would be fixed instantly by moving to publicly financed campaigns.


What single thing in this article is solved by that?

(Note I’m extremely sympathetic to publicly financed campaigns)


Congressional campaigns are largely about fundraising, so if fundraising is no longer required, most of the problems listed here also cease to be a problem.

That's a mighty big "if", though.


Good write up that I think extends to many environments beyond congressional campaigns.

One thing I would like to add (and perhaps the author mentioned but I did not see). Secure your cellular accounts such as Sprint, T-Mobile, Verizon with 2FA, good password, etc. This also includes the maximum length VM password, although usually that is only between 7 digits to 10 digits sadly.


Interesting that the end result of campaign finance reform is that candidates spend way more time on fundraising than they ever did, and are beholden to more people than ever.


Great job!

I'd like to echo your sentiment about password managers, they are way too complicated to use for non-technical people.


A good read, thanks to the author.

Biggest surprise (for me): Nobody uses Twitter.


Twitter users tend to be under the impression that everyone is on Twitter.


Depending on who you follow, it's one of the best link aggregation sites around. Care deeply about refugee rights in Myanmar? Follow a few folks and you'll gain insight into the kinds of things like-minded folks are thinking about. There is the on-Twitter conversation, too, but the best thing about the site is what people are linking to out of it.


Sure, I'm a Twitter user too, just pointing out the tendency of people to forget that there's a world outside their own, especially if they spend enough time in their own little curated space on a site structured like Twitter.


Twitter has always seemed to be of very minimal utility to me compared to other social media. It basically takes the vacuous shouting into the void of Facebook's wall, and makes it the only feature. I'm kind of not surprised that people don't use it.


Why does only Chrome support the security keys? It seems to imply that Apple doesn't support them very well also. I thought they were more widely supported?


Firefox supports them now. There's supposed to be a Yubikey with a Lightning connector coming out that you can use in an iPhone. Fingers crossed!


I hear "it's coming" for Safari too - sure, some of the developer previews have it (last time I checked you had to spoof your user agent because none of the FIDO sites believed it was gonna work in Safari and didn't offer it...)


Just in case anyone's still reading here. I can confirm that Safari Technology Preview release 83 works with my blue YubiKey to do FIDO 2FA with gmail right now...


If anything is a bad idea, it's this. It just takes one fall to kill the connector and lock the user out.

"Thanks" to Apple here for locking down NFC (and a smartcard reader for Macbooks), this would make life so much easier...


FIDO2 etc. are widely supported; it is just that their usage is a pain in the ass. Like PGP, the tools to use them suck. Especially for non-technical people, they just won't use them. The real solution is to make using them transparent, which hasn't been solved, and there isn't enough uptake for anyone to fix it, because the easy option is to just reuse passwords. Once security keys are that easy, then they'll be used. Even if you use a password manager to generate a 100 char password, who the hell is going to type that into a phone? No one; if they can't find a solution simply, they simply won't use it.


Firefox supports them too, but it has to be enabled. https://support.yubico.com/support/solutions/articles/150000...

I've run into one important (investment brokerage) site that does user-agent sniffing and dropped immediately to calling your registered phone number instead of letting Firefox continue to use the YubiKey that it does actually support.


That would probably be Vanguard, the only retail brokerage implementing non-SMS 2FA as far as I know.


You guessed very well. I guess I should have just come out and said the name!


Fidelity offers 2FA using the Symantec VIP app.


This was a good read, thanks.




Maciej has a well known track record as a security expert. He has testified very recently before the US Congress [0] on these matters as well as single-handedly (to the best of my knowledge) built and maintains the fantastic Pinboard bookmarking service [1]. Just because he has a mixed content warning on an image of a fish (his site logo it appears) and has a Google search form inline (not ajax mind you, an actual standard HTML form with a real submit button) should not cause you to consider him unskilled or untrustworthy. Furthermore, lack of HSTS or a CSP shouldn't be a red flag since it is his own personal blog, therefore it's probably not worth his own time to configure either. I'm not sure what your personal threat model looks like, but I think we can assume most people that read HN wouldn't worry about such things.

Full disclosure: I am a Pinboard lifetime member but to the best of my knowledge have never contacted or been contacted by Maciej, and obviously he didn't ask me to vouch for him, these are my thoughts alone.

0: https://www.americanrhetoric.com/speeches/maciejceglowskicon...

1: http://pinboard.in/

EDIT: Added links & "to the best of my knowledge"




Yeah I was trying to decide if they were trolling or not, gave the benefit of the doubt on this one.


This whole exchange makes me regret adding https to the blog last month.


To be a brief Devil's advocate: I can sort of see the OP's point from a layman's point of view. If a security expert cannot (I use "cannot" here from the layman's point) secure the website (according to a tool that shows scary red X's) then what chance does a mere mortal have, or is it that important?

Now, we know that spending the time securing a personal blog the whole nine yards is probably not worth it; but to an uninformed person who cannot make that judgement? Black and White is so much easier than greyscale.

This is why I usually go all or nothing in this kind of situation. Of course doing nothing would probably have resulted in a "His site isn't even https!".

Damned if you do and damned if you don't. At least take solace in the fact that the comment has been judged appropriately and you have admirers correcting the superficial opinion.


This is why my company (Campaign Deputy) bundles Web, DNS, and Email hosting along with our Fundraising platform for political campaigns. Not mentioned was DMARC and SPF, which is really tough to set up when you don't have direct access to the Domain Registrar.

We are also competitors to NGP. Our users actually like us too!
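Since SPF and DMARC come up only as "tough to set up" here, an added example of what a campaign's tech person would actually check once the records are published. This is not code from the post or from Campaign Deputy; it is a small offline checker for the two TXT record formats that flags the common weak settings (a permissive or missing `all` in SPF, more than ten DNS-lookup mechanisms, `p=none`, a partial `pct`, no reporting address, unprotected subdomains). The record strings, domain names and addresses below are constructed for the demonstration.

```python
# Offline SPF / DMARC record checker (added example, not the thread's or any vendor's code).
# Feed it the TXT records you fetch, e.g. with `dig TXT campaign.example` and
# `dig TXT _dmarc.campaign.example`; the records below are constructed samples.

# Mechanisms and modifiers that each cost one DNS lookup; RFC 7208 caps these at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

CONSTRUCTED_SPF_WEAK = "v=spf1 a mx include:_spf.mailer.test ?all"
CONSTRUCTED_SPF_GOOD = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all"
CONSTRUCTED_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@campaign.example"
CONSTRUCTED_DMARC_GOOD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@campaign.example; pct=100"


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, name, value) terms and count lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = {"all": None, "lookups": 0, "terms": []}
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")  # mechanism, e.g. include:host
        if "=" in name:                      # modifier, e.g. redirect=host
            name, _, value = term.partition("=")
        name = name.split("/")[0].lower()    # drop a CIDR suffix such as a/24
        if name in SPF_LOOKUP_TERMS:
            parsed["lookups"] += 1
        if name == "all":
            parsed["all"] = qualifier
        parsed["terms"].append((qualifier, name, value))
    return parsed


def check_spf(record: str) -> list:
    """Findings a defender cares about; an empty list means no weak setting found."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral by default")
    elif spf["all"] == "+":
        findings.append("'+all' lets any host send as this domain")
    elif spf["all"] == "?":
        findings.append("'?all' is neutral: receivers treat unlisted senders as unknown")
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} DNS lookups exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def check_dmarc(record: str) -> list:
    """Flag the settings that leave spoofed mail deliverable or unreported."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: you will not receive aggregate reports")
    if policy and policy != "none" and tags.get("sp", policy) == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


if __name__ == "__main__":
    for label, rec, fn in [("SPF weak", CONSTRUCTED_SPF_WEAK, check_spf),
                           ("SPF good", CONSTRUCTED_SPF_GOOD, check_spf),
                           ("DMARC weak", CONSTRUCTED_DMARC_WEAK, check_dmarc),
                           ("DMARC good", CONSTRUCTED_DMARC_GOOD, check_dmarc)]:
        print(label, "->", fn(rec) or "ok")
```

The usual rollout is the reverse of the checker's ordering: publish SPF with `~all` and DMARC with `p=none` plus an `rua` address, read the aggregate reports until every legitimate sender (the fundraising platform, the mailing list tool, the office mail server) is accounted for, then move to `-all` and `p=reject`. Without registrar or DNS access none of that is possible, which is the gap the comment above points at.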



