GOP CD accumulates data, but data is not secured

Posted at 6:38 PM on February 28, 2006 by Bob Collins (18 Comments)

Let's suppose I got the Republican CD advocating the marriage amendment in the mail. And let's assume -- and remember this is a hypothetical here -- I had enough intelligence to decompile the program and figure out what data is being captured and sent. Could I do it?

Yes. Someone did.

No.  Time                Source            Destination       Protocol  Info
1    17:11:52.780492305  ***.1**.***.*2*   *0.2.*.81         TCP       1106 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
2    17:11:52.794481754  **.*.*.**         ***.***.1*5.***   TCP       http > 1106 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460

(Update 9:08 p.m.: This is not the available data. This is the internal stream as we ran the program. We're not going to show any of the data we actually found and in the image below, you're not going to get any useful data. We'll show the actual contents of the packets if the subcontractor denies the existence of the information. We're not interested in exposing the subcontractor to a malicious attack while this information is still available. This is a privacy issue, not about how to compromise the site with the information. )

Now that's pretty basic stuff: what your IP is, what your CPU is, what your operating system is. But is it possible for me to find out how you vote in elections? What your position on abortion is? Or even how long it takes you to answer those questions? Can I get your private phone number, your address, your name, your spouse's name, your IP?

Yes. Someone did.

Using the stream indicated above, people way smarter than me were able to figure out the destination for the data being accumulated, and then poked around and found the site. And the data was not secured at the site.
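The step described in that paragraph, reading the capture to work out which host the program talks to, as an added example that is not part of the original post and not code from the CD or its subcontractor. It parses a Wireshark CSV export in the column layout shown above ("No.","Time","Source","Destination","Protocol","Info"), keeps only the packets that open a new connection (a bare [SYN]), and labels each destination as public or RFC 1918 private, which is the question the comments below argue about. The capture text, the port names and the URL path in it are constructed for this example using documentation and private ranges; they are not the masked addresses from the post.

```python
"""Find where a program phones home from a Wireshark CSV export.

Added example. SAMPLE_CSV is constructed for this example and uses
documentation (RFC 5737) and private (RFC 1918) addresses; it is not the
capture from the post.
"""
import csv
import io
import ipaddress
import re
from collections import Counter

SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Info"
"1","17:11:52.780492305","192.168.1.20","203.0.113.81","TCP","1106 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460"
"2","17:11:52.794481754","203.0.113.81","192.168.1.20","TCP","http > 1106 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460"
"3","17:11:52.794601211","192.168.1.20","203.0.113.81","TCP","1106 > http [ACK] Seq=1 Ack=1 Win=64240 Len=0"
"4","17:11:52.801220304","192.168.1.20","203.0.113.81","HTTP","POST /answers HTTP/1.1"
"5","17:11:53.100004100","192.168.1.20","203.0.113.81","TCP","1107 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460"
"6","17:11:54.000117220","192.168.1.20","198.51.100.7","TCP","1108 > https [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460"
'''

# A bare [SYN] (no ACK) is the first packet of a connection the client opened.
# Older Wireshark writes "src > dst"; newer versions write "src → dst".
SYN_RE = re.compile(r"^(\S+) (?:>|→) (\S+) \[SYN\]")

# The private ranges from RFC 1918, spelled out rather than relying on
# ipaddress.is_private, which also flags the documentation ranges used here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rows(text):
    """Read the CSV export into dicts keyed by Wireshark's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def outbound_connections(text):
    """Return (destination, destination port) for every connection the client initiated."""
    conns = []
    for row in parse_rows(text):
        if row["Protocol"] != "TCP":
            continue
        m = SYN_RE.match(row["Info"])
        if m:
            conns.append((row["Destination"], m.group(2)))
    return conns


def is_rfc1918(address):
    """True if the address is in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def summarize(text):
    """Count connections per (destination, port), labelled private or public.

    A private *source* is normal for a capture taken on a home machine behind
    NAT; a private *destination* would mean the server is on the local network
    rather than out on the Internet.
    """
    counts = Counter(outbound_connections(text))
    rows = []
    for (dst, port), n in counts.items():
        kind = "private (RFC 1918)" if is_rfc1918(dst) else "public"
        rows.append((dst, port, n, kind))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for dst, port, n, kind in summarize(SAMPLE_CSV):
        print(f"{dst:>16} {port:<6} {n:>3} connection(s)  {kind}")
```

Run with python3 and it prints one line per destination host and port. Pointing it at a real export is a matter of reading the file into the text argument instead of SAMPLE_CSV; the only assumption is that the export keeps Wireshark's default column names.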

I checked to see if two entries I made via the CD -- one for Tim Pawlenty and one for Joe Blow -- showed up in the database. Yep. This must be the place.

The screenshot above is a sample of several we took. Another has the answers along with the code of the submittor, the identity of whom can be ascertained easily with the data above.

What's worse, the information is on an unsecured Web site. I'm not going to tell you what site we found it on (until it's been secured), just to let you know that the data is there. And it can be found by anyone who can decompile the program on the CD.


We could -- if we were malicious (and we're not ) -- change the questions that are "on the CD" because they're really not on the CD. The program connects to a database and provides the questions.

Imagine if thousands of CDs arrived in homes with the question "do you like Siegfried and Roy?"

We could steal the data. In fact, the mailing list of more than 25,000 names is also on the site, and is easily downloaded into a spreadsheet. Cool. Twenty-five-thousand names and addresses. Free.

This is a significant security flaw. And it's coming to a mailbox near you in a few days.

It also leaves a cookie behind on your computer, although we haven't figured out what that does yet. (Update: The cookie is likely nothing - just a way to autofill some information if you decide to go back later and resubmit your answers.)

This is why it matters when someone raises concerns about data. This is why it matters if someone asks you if you're collecting it. This is why it matters if someone asks you what you'll do with it. This is why it matters if someone asks if you're protecting it. Privacy concerns are bipartisan.

But didn't anyone ask these questions already?


Comments (18)

Good work. Thanks!

Posted by grateful listener | February 28, 2006 7:59 PM


Sorry, but the IP addresses you have on the packet snippet are not valid. Public IP addresses cannot fall in the 192.168.xxx.xxx or 10.xxx.xxx.xxx ranges because they fall in the ranges reserved for internal networks only, which means you can't use them anywhere other than in your own network.
Show us the real contents of the packets, unless this is all just another nutty conspiracy theory.

Posted by Just another skeptic | February 28, 2006 8:18 PM


I agree, can we see the entire contents of the packets? Those of us with a bit of tech-savvy might be able to parse a bit more information out of it. However, the fact that this data is being made public is a very worrisome sign.....

Posted by MN Campaign Report | February 28, 2006 8:55 PM


um, that really doesn't say anything... as the skeptic said, those are internal IP ranges. Before you continue to run your posts about how bad the GOP is, perhaps you should show us a) what is actually being sent, and b) any privacy policy or what's on the packaging...

Posted by a geek | February 28, 2006 9:10 PM


In other words, "Trust me. The GOP is playing fast and loose. I saw it, but I won't tell you where."

Thanks....for nothing.

Posted by Ron Dumsfeld | February 28, 2006 9:19 PM


Yep, we'll show you the actual packets AFTER the information has been secured by the subcontractor. I'm not going to make information available that can be used tonight to launch an attack on a subcontractor's server AND allow people to get information that -- and I guess this is the point that keeps getting lost -- they shouldn't be seeing.

If you want to do that, go to the GOP, ask for a copy of the CD, and decompile to your heart's content. But I don't know who any of you are, especially since most of you are providing phony e-mail addresses when filling out the form and -- in case you haven't noticed -- I don't trust people to safeguard data.

If you disagree, fine. Like I said, go get your own copy. But I'm protecting this one, and the data it exposes.

Someone's got to.

Posted by Bob Collins | February 28, 2006 9:26 PM


The author mentioned that he's not going to tell us the destination IP address. So, of course he's using 10.- and 192.168.-. He also mentioned this is coming soon to a mailbox. So, this is verifiable. Let's check it out.

The question is (a) whether anyone can verify it from the CD (without posting the destination IP, and (b) is the GOP any worse than many others?

Posted by anonymous | February 28, 2006 9:31 PM


Wow. What you probably got to look at is part of the Republican "voter file." (They call it voter/wol or voter vault) This is THE tool for winning elections in the field: once you've identified the political leanings of voters, you know which voters you want to come out and vote, and which you can stop wasting your targeted money (mail/phone calls, etc.) on. Think about that: if you already know how people are going to vote IF they come out and vote, then you know exactly who you want to come to the polls and who you don't.

Both parties have voter files, and updating it is the main part of what the field operations of both parties work on every campaign season. It's extremely important.

And if it weren't illegal to use that proprietary data, Democrats would KILL to be able to see the Republican voter file (and vice-versa). It would be worth literally MILLIONS of dollars to them.

So I guess what I'm ultimately saying is that the fact that it was insecure had to be unintentional. As I said, having anyone being able to see that data is ultra-super-mega-bad for the Republican party. They have, in many ways, a far far greater monetary and strategic incentive to keep it completely protected and secure than even the privacy concerns of the people who are being tracked.

Posted by lontlont | February 28, 2006 10:52 PM


Wow! This has been very interesting to follow... Great work Bob, keep it up!

Someone else commented a day or two ago about a polling call they got asking similar questions. I also got a call like this. I don't remember asking who they were except their questions were very leading, and obviously from a right leaning group. I did ask how they got my contact info, and they asked if I voted recently. When I confirmed I did, they said they got it from the voter's registration. I didn't know that was public information.

I wonder if I'll be lucky enough to get a CD? Can I be Tim Pawlenty too?

Posted by gml4 | February 28, 2006 11:33 PM


Whether the data is publicly available or not is not an issue - you're right, it probably is coming straight out of the GOP voter file system. It's how this poll data is collected that's an issue. If the CD really is "phoning home" with personally identifiable data, whether it's just an IP address, or name-identified information, and doing so without a privacy statement which specifically states that it's doing so, it could be defined as spyware. Do a quick search on the Sony Rootkit scandal, and you'll have a good idea of the kind of furor this can ignite.

Also, Bob, I didn't know quite what to say in response. I'm definitely not using a phony email address - try it if you're interested. If you want to protect the sub-contractor for any reason, then can you confirm that the IP address packets are being sent to is NOT in the 10.xxx.xxx.xxx or 192.168.xxx.xxx ranges?

Posted by MN Campaign Report | March 1, 2006 6:32 AM


Awesome. I just hope you can survive the fall out from this.

Posted by Taylor | March 1, 2006 7:43 AM


C'mon folks - of course the private range addresses will be rewritten at the firewall into the public range addresses. Sheesh.

This story isn't merely criminal, it isn't merely negligence, it's tar-and-feathers quality mindboggling criminal negligence... the mind reels.

Posted by Albatross | March 1, 2006 10:55 AM


Yeesh, they've already got damage control running on this baby.

Posted by AnonymousCoward | March 1, 2006 11:21 AM


Damn that's scary. Damned political mind-miners!

Posted by Beth | March 3, 2006 8:48 AM


I think it's funny, from just the one little screenshot that there are so many fake names on the list - "Slap Happy" "Slappy Slapperson" "Luck Strike" (M.I. is "E" I bet), "Rick James"... That information would be useful indeed. Or, is the screenshot also masked to prevent us from doing our own research???

Posted by ob1 | March 8, 2006 6:47 PM
