IT communications security handbook for political activists and Democrats.


EDITOR'S NOTE:  Doug De Clue was one of the IT admins and database gurus for the Orlando, Florida John Kerry presidential campaign of 2004; he is also a career engineer and programmer.

This election cycle looks like it's going to be even more intense and competitive than usual.  It is critical that the progressive community educate itself as to how to secure their internal communications in the face of a conservative political movement with lowered ethical standards.

The vast majority of Republicans would never stoop so low as to wiretap an opponent's political campaign. However, today's top political strategist for the Bush Administration, Karl Rove, started his career in 1970 by sneaking into the campaign office of Illinois Democrat Alan Dixon and stealing some letterhead.  He then printed fliers on the letterhead promising "free beer, free food, girls and a good time for nothing" and distributed the fliers at rock concerts and homeless shelters.

Imagine the kind of damage a young Karl Rove-wannabe could do if he was able to obtain your candidate's database and online-forum passwords.

To head off any sneakiness, and to encourage Republicans to behave like the upstanding citizens we know they can be, Doug has compiled his IT Security experience into a concise handbook for the benefit of the activist community.  This handbook is under a Creative Commons License, so feel free to copy and distribute this work as long as you attribute this URL, the author and do not use it commercially without permission.  (www.brainshrub.com/activist-communications-security)

IT communications security handbook for political activists and Democrats.

As we know from recent events, George Bush is apparently listening in on all of us with the tools of the National Security Agency.
 
Campaign security is worth taking seriously. Don't get me wrong - I'm not trying to make anyone paranoid here, George Bush does enough of that already without MY help with the color code alert of the day and FearNews... uh, I mean FoxNews.
 
But seriously, I do want to discuss the issue of security, particularly I/T and communications security, with all of you, especially if you are planning to work on a Democratic political campaign this year.
 
While it is very unlikely that ol' George is listening in on a particular Democrat running in a local or state race, the NSA scandal is an important reminder that we need to take communications and computer security seriously; as there have been regular attempts to infiltrate political movements... especially movements that work for social justice.

As someone who has worked in the telecom and cellular phone industries, and someone who also works as an I/T professional, please let me offer you the following bits of security advice - with the caveat that it is in no way complete and that you should check my advice against that offered by others to make sure that I haven't overlooked anything important or made some hideous but unforeseen error in my advice.
 
You don't have to read minds to take security seriously. While we can't protect against the National Security Agency and their vast supercomputer systems - we can take care to be sure that local would-be spies for the Republican Party, or others, are not taking advantage of our carelessness or lack of awareness in security or technology matters.
 
For some of you, the following advice may be painfully obvious and maybe you have some advice of your own to offer - but I feel that if you know more about and practice the following tips, it will help keep out the less sophisticated would-be GOP snoopers who might want to infiltrate the campaigns we all will be working on this year.
 
Remember before we begin that the first rule of security is that no security is ever perfect.
 
1) WIRELESS ROUTERS AND CABLE/DSL MODEMS: If you use wireless networking - secure it as much as possible first thing out of the box.  That means: 

a) Password protect your wireless router and cable modem box settings.
 
b) Enable WPA 128 bit or better encryption on your wireless router.  (Do not use WEP anymore for anything sensitive, go invest in a newer card please.)  The NSA would have little trouble cracking 128 bits but your average hacker/snooper would find it more difficult.
 
c) Enable MAC ID filtering on your wireless router.  This means that your router will only accept connection requests from a limited number of devices which you have identified ahead of time using their serial number which is a 48 bit digital number (6 hex characters) that is unique to that device in the whole world.
 
Every network card or wireless network card has a unique MAC ID.  When MAC ID filtering is enabled, only those allowed devices will be able to connect to your network.  (Hackers can still spoof MAC IDs if they can "sniff" them, however.)
 
d) Disable SSID broadcast so that your wireless router is not advertising itself to the whole world.  Your computer can still connect with this SSID name broadcast disabled but people who turn on their laptops nearby won't see the name on their list of available wireless networks and won't know to connect to it as easily.
 
e) Enable NAT or Network Address Translation.  This means that a different set of IP addresses that identify your PC will exist on the home side of your router than will appear on the modem side of your router.  This makes it harder for hackers to hack into your system from the modem (internet) side of the system.
 
f) Enable DHCP or Dynamic Host Configuration Protocol for all your network devices so that the router automatically assigns addresses based on which machine has been turned on or off or connected to the network most recently.  This is better than static addresses, where your address stays the same all the time; changing addresses make it that much harder on a hacker.
 
g) Limit the available addresses by configuring your addresses to the tightest address scheme that makes sense.  For instance:
 
Set your gateway to 192.168.7.3 or something similar (please don't pick 192.168.0.1 or 192.168.1.1 since that is what it usually factory defaults to and that is what hackers love.)  You will usually have to configure both your modem and your wireless router in tandem to make sure they have compatible addressing schemes.
 
Set your mask to 255.255.255.0 (you can even make this mask tighter if you want.)
 
Limit your valid DHCP address range for computers, printers, etc. connecting to your router to 192.168.7.1 to 192.168.7.15.
 
h) Remember to disable pinging and all time of day, chargen and similar features on your routers as well as your PC's and other network devices.
 
i) Remember to check your router's and your cable modem or DSL modem's own software for updates from the manufacturer on a regular basis.  Just like those Windows patches you may have loaded, network devices also get patches issued when their manufacturers discover security issues.
 
j) Enable logging on all your network routers and modems so that you can track events such as would-be hackers.  Review logs regularly for intrusions.
 
k) Put your cable modem and wireless router on a power strip so that you can easily turn them off and on with a single switch press.  Whenever you are not using your wireless network turn it off so that would-be hackers can't get into it by parking outside your house and hacking into your network with a laptop and a wireless card.
 
l) Set your wireless power levels to the minimum setting that works practically.  Don't try to set up a system that works for a half a mile.  Remember the smaller your broadcast power, the smaller the footprint for a hacker to find.  Also remember that just because YOU can't pick up your wireless network from the curb doesn't mean that a hacker with a special antenna and wireless card can't do so.
 
m) Remember that a broadband connection is a very high speed link to your PC, which means that a hacker can steal data or do malicious things to your computer that much faster while you are using it.  That is why it is that much more important to take your network security seriously when using broadband than it was in the old dial-up days, and why it is so important to turn off the wireless and the cable modem when you aren't actually online.
 
n) Do not use your campaign laptop computer or PDA on public unsecured WiFi networks like at coffee shops, hotels, restaurants, airports etc. as these are very insecure locations and make you very vulnerable to would-be data pickpockets.
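Items b), c), d) and g) above are configured by hand in the router's web pages. As an added check for this edit (example code, not part of the handbook), the following Python script audits a set of router settings against those items: it normalizes allowlisted MAC IDs to 12 hex digits (48 bits, i.e. 6 octets) so a typo in the list is caught before the filter silently drops a real device, verifies that the DHCP pool lies inside the subnet mask, and flags a gateway that is a factory default or that sits inside the DHCP pool. The settings dictionary, the MAC addresses and the function names are constructed sample values for the example. Note that the handbook's own sample numbers, a gateway at 192.168.7.3 with a pool of 192.168.7.1 to 192.168.7.15, trip the overlap check; keep the gateway outside the range the router hands out.

```python
import ipaddress
import re

# Constructed sample settings modelled on the addressing scheme the handbook
# suggests; these are hypothetical values, not read from any real router.
ROUTER_CONFIG = {
    "gateway": "192.168.7.3",
    "netmask": "255.255.255.0",
    "dhcp_start": "192.168.7.1",
    "dhcp_end": "192.168.7.15",
    "encryption": "WPA",
    "ssid_broadcast": False,
    # Allowlisted MAC IDs as a user might type them: any separator, any case.
    "mac_allowlist": ["00:1A:2B:3C:4D:5E", "001a2b3c4d5f", "00-1A-2B-3C-4D-60"],
}

# Gateway addresses most consumer routers ship with; the handbook says to avoid them.
FACTORY_DEFAULT_GATEWAYS = {"192.168.0.1", "192.168.1.1"}


def normalize_mac(mac):
    """Return a MAC ID as 12 lowercase hex digits (48 bits = 6 octets).

    Raises ValueError for anything that is not exactly 48 bits, so a typo in
    the allowlist is caught instead of silently locking out a real device.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def dhcp_pool_size(cfg):
    """Number of addresses the DHCP server may hand out."""
    start = ipaddress.IPv4Address(cfg["dhcp_start"])
    end = ipaddress.IPv4Address(cfg["dhcp_end"])
    return int(end) - int(start) + 1


def audit_router(cfg):
    """Return a list of findings; an empty list means the scheme is consistent."""
    findings = []
    net = ipaddress.IPv4Network(f"{cfg['gateway']}/{cfg['netmask']}", strict=False)
    gw = ipaddress.IPv4Address(cfg["gateway"])
    start = ipaddress.IPv4Address(cfg["dhcp_start"])
    end = ipaddress.IPv4Address(cfg["dhcp_end"])

    if cfg["gateway"] in FACTORY_DEFAULT_GATEWAYS:
        findings.append("gateway is a factory-default address")
    if start > end:
        findings.append("DHCP range start is after its end")
    elif start not in net or end not in net:
        findings.append("DHCP range lies outside the subnet")
    elif start <= gw <= end:
        findings.append("gateway address sits inside the DHCP pool (address conflict risk)")
    if cfg["encryption"].upper() == "WEP":
        findings.append("WEP is in use; switch to WPA")
    if cfg["ssid_broadcast"]:
        findings.append("SSID broadcast is enabled")

    # Two spellings of the same MAC are one device; report the duplicate.
    seen = set()
    for mac in cfg["mac_allowlist"]:
        try:
            canonical = normalize_mac(mac)
        except ValueError as err:
            findings.append(str(err))
            continue
        if canonical in seen:
            findings.append(f"duplicate allowlist entry {mac!r}")
        seen.add(canonical)
    return findings


if __name__ == "__main__":
    print(f"DHCP pool size: {dhcp_pool_size(ROUTER_CONFIG)}")
    for finding in audit_router(ROUTER_CONFIG) or ["no findings"]:
        print(finding)
```

Run it as-is and the only finding is the gateway/pool overlap; change the gateway to an address outside the pool (for instance 192.168.7.20) and the audit comes back clean. The MAC normalizer is deliberately strict about length rather than format, because routers accept several separators but all of them encode the same 6 octets.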

2) COMPUTER OPERATING SYSTEM SECURITY:

a) I am assuming that you are running Windows on an Intel platform.  If you are running Macintosh, Linux, or another operating system, then you need to learn the security features and weaknesses of that operating system and find yourself an expert in security for that O/S who can help you.
 
b) Please run either Windows XP Pro or Windows 2000 running the latest service packs and security patches.  Any other Windows operating system just has too many holes in it to even consider using for campaign purposes.  Windows XP Home lacks the security features of XP Pro and Windows ME, 98, 95 and Win 3.1 are all leaps and bounds worse.  While NT 4.0 is fairly secure, it still has security issues and it would be better to just upgrade it to XP Pro.
 
c) Disable all unnecessary and unused services on your PC which should in most cases include:
 
Server, Norton Unerase Protection, SSDP Discovery Service,  ClipBook, Fast User Switching, Help and Support, Indexing Service, Messenger, Alerter, NetMeeting, Network DDE, Network DDE DSDM, Remote Desktop Help Session Manager, Remote Procedure Call Locator, Remote Registry, Remote Shell Service, Routing and Remote Access, Secondary Logon, Terminal Services, Telnet, TCP/IP NetBIOS Helper, Universal Plug and Play Device Host, and User Name Mapping.
 
d) Personally I also usually disable Workstation, Computer Browser, Volume Shadow Copy, and System Restore Service on my system but you may not want to unless you understand the ramifications of doing so.
 
e) Disable your trashcan and Norton trashcan.  When you delete something don't make it trivial for some mole to undelete it.
 
f) Change your administrator account name to something besides administrator, like admin12_04J12a that a hacker would not be likely to guess.
 
g) Don't run in the administrator account unless you are doing something specifically administrative in nature.  Create a regular user account and make a habit of using your computer using the user account.  If your computer gets hacked while you are running in an admin account then the hacker will probably get administrator level privileges.  If he hacks you while you are in a regular account, then he will usually only get regular user privileges.
 
h) Sign off your computer when you are not using it.  Better yet turn it off.
 
i) Enable screensaver with password to kick in after 4 minutes.  That is long enough not to be annoying but short enough that if you forget to sign off that the risk will be minimal.
 
j) Make all your hard drives NTFS format, not FAT32.  NTFS is more secure than FAT (not secure, just more secure.)
 
k) Keep all critical campaign information in encrypted folders which you can enable from explorer or my computer.  Don't pick obvious passwords please...
 
l) Don't name folders with totally obvious names like  C:\John Smith for Congress Financial Records.
 
m) Make sure to set ownership and privilege properties on these folders so that access is as limited as possible.
 
n) Make sure that you disable ALL folder sharing including the $ administrative shares, the server service, on all your hard drives.
 
o) Disable the guest account and any account not in use.  If a campaign worker is fired, quits, or otherwise is asked to leave, immediately disable his or her account, make sure you get all their work BEFORE they leave and change all passwords to which they had access.  Please remove any personal MAC IDs of theirs from your network and take back your security IDs and any keys from them and rekey or reprogram door locks if practical.
 
p) Create user account names that can not easily be guessed.  If you have a campaign worker named John Smith, please don't create an account called SmithJ or JSmith or JohnSmith, etc.  All a hacker has to do is get your list of volunteers and then start to hack at your system if you do this.  Make account names like xyq12grhj_ .
 
q) Enforce a password change policy that forces users to change their passwords on a regular basis.  In normal business operations that would be about every 45 days.  In the compressed world of campaigns, that perhaps should be tighter, perhaps every 20 days.  Do not allow users to reuse old passwords or pick guessable passwords like wives', husbands', girlfriends', boyfriends' or children's names, birthdates, etc.
 
r) Enforce a strong password policy: a minimum 8 character password that contains numbers, letters (both capital and lowercase) and special characters like underscore.  Do not allow the use of common names or words that can be guessed by what is commonly called a "dictionary" tool.
 
s) Adopt user security policies that are as strict as practical in terms of number of failed logons before lockout, etc. (3 failed logons and then a 12 hour timeout or requiring an admin to unlock).
 
t) Enable logging of all events pass and fail and keep as large a log file as practical.
 
u) Buy and install a good software based firewall in addition to the built in firewall of your router.   Norton/Symantec Internet Security, McAfee, and Black Ice are some of the better known brands.
 
v) Disable all unused network protocols and block all unused ports using your firewall software.  Disable all TCP services like ping, time of day, chargen etc. so that hackers can not easily confirm that your system even exists.
 
w) Disable all ActiveX, Java, scripting, and other client side active content and only allow these items to work on a website by website exception basis which most good internet security tools will allow you to do.
 
x) Buy and install a good antivirus program (this may be included in your product such as with Norton Internet Security or it may not be.)
 
y) Run regular updating of patches to both your O/S and to your security software tools.  Microsoft updates generally on a monthly basis but will do special updates for urgent security problems.
 
z) Set your machines to run regular nightly security tool sweeps like anti virus, anti spyware, etc. every night during your down time.
 
aa) Make sure that all your important data is backed up to tape and stored in a secure off site location, preferably in a commercial grade fire resistant safe in a building with a commercial alarm system.
 
ab) Beware of people with USB data sticks.  These devices can hold huge amounts of data (1GB or larger) and should not be allowed around campaign computers by anyone but the most trusted staff.
 
ac) The commercial anti virus software is OK but there are several other anti-spyware/anti-spam/anti-virus tools that are free or cheap and which you should also install and use on a regular basis:
 
   i) Trend Micro Anti Spyware.
   ii) LavaSoft Ad-Aware.
   iii) WebRoot SpySweeper.
   iv) SpyBot Search and Destroy.
 
ad) Harris Corporation (which is part of Harris over in Melbourne Florida) makes a software product called STAT or Strategic Threat Analysis Tool which has been purchased by various agencies of the US government including the U.S. Army, NASA, and the Federal Aviation Administration.
 
While STAT is not free, it is affordable and worthwhile if you want to improve the security of your networked PCs.
 
This software will do a very thorough job (although no tool is perfect) of analyzing computers for security weaknesses including open ports, unknown services, bad security policies, bad for security registry settings, etc., much more thorough than the list I have given above which is just a start to networking and computer O/S security issues.
 
ae) Also make sure all computers have BIOS security enabled and are not bootable from any device but the hard drive - no portable drives, CD-ROMS, DVD's, floppy drives, USB memory sticks or any device but the hard drive.
 
af) Remember email communications are NEVER secure.  Never send anything truly confidential or sensitive by email.
 
ag) When sending emails it's best to get a disposable campaign related account that is not your personal account.
 
ah) When sending emails, don't use the to:  or cc: lines to send out a blast email to your distribution list.  Use the bcc: line and make the to address be a bogus address like:
noreply@somecampaignforCongress.com
 
If you fail to do this then people will collect other people's email addresses which is particularly bad if there is a mole out there trying to map out the people in your organization.
 
ai) Hold all burned CD and DVD ROMs, floppies and data tapes containing sensitive data in a secure location like a safe until the election is over or thoroughly destroy them before disposal.  Just because you burned a "coaster" or bad disk doesn't mean that it can't be read by some smart techie.
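Items q), r), s) and t) above state the password, lockout and logging policy in prose. The following Python, written as an added example for this edit and not code from the handbook, turns those numbers (20-day rotation, 8-character mixed-class passwords, 3 failed logons then a 12-hour lockout) into checks you can actually run: a password checker that undoes common symbol-for-letter swaps before the dictionary test, a rotation check, and a lockout tracker replayed over a few logon audit lines. The wordlist, the account names and the log lines (in a made-up format, not Windows event log output) are constructed samples; a real deployment would load a full dictionary plus the names the handbook says to ban, and read the actual logon events.

```python
import re
from datetime import datetime, timedelta

# Policy values taken from items q), r) and s) of the handbook.
MAX_PASSWORD_AGE = timedelta(days=20)
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 3
LOCKOUT_DURATION = timedelta(hours=12)

# Constructed stand-in for a real wordlist; a deployed check would load a dictionary
# file plus the staff, spouse and children's names the handbook says to ban.
BANNED_WORDS = {"password", "kerry", "smith", "campaign", "orlando"}

# Common symbol-for-letter swaps, undone before the dictionary check so that
# "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})


def password_problems(pw, banned=BANNED_WORDS, history=()):
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in (("lowercase letter", r"[a-z]"), ("uppercase letter", r"[A-Z]"),
                           ("digit", r"[0-9]"), ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"no {label}")
    # Reduce the password to bare letters so words hidden behind digits/symbols are found.
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    for word in sorted(banned):
        if word in letters:
            problems.append(f"contains dictionary word {word!r}")
    if pw in history:
        problems.append("reuses a previous password")
    return problems


def password_expired(last_changed, now):
    """True once a password is older than the campaign rotation period."""
    return now - last_changed > MAX_PASSWORD_AGE


class LockoutTracker:
    """Per-account failed-logon counter implementing the 3-strikes / 12-hour rule."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_DURATION):
        self.threshold = threshold
        self.duration = duration
        self.failures = {}      # account -> consecutive failures since last success
        self.locked_until = {}  # account -> time the lockout expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record(self, account, success, now):
        """Apply one logon attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(account, now):
            return "locked"          # even a correct password is refused while locked
        if success:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = now + self.duration
            self.failures[account] = 0
            return "locked"
        return "failed"


# Constructed logon audit lines in a made-up format (not Windows event log output).
SAMPLE_LOG = """\
2006-02-14 09:01:12 LOGON FAIL account=xyq12grhj_ src=192.168.7.9
2006-02-14 09:01:20 LOGON FAIL account=xyq12grhj_ src=192.168.7.9
2006-02-14 09:01:31 LOGON FAIL account=xyq12grhj_ src=192.168.7.9
2006-02-14 09:01:40 LOGON OK account=xyq12grhj_ src=192.168.7.9
2006-02-14 09:05:00 LOGON OK account=admin12_04J12a src=192.168.7.4
2006-02-14 21:30:00 LOGON OK account=xyq12grhj_ src=192.168.7.9
"""
LOG_LINE = re.compile(r"^(\S+ \S+) LOGON (OK|FAIL) account=(\S+) src=(\S+)$")


def replay_log(text, tracker=None):
    """Feed each logon event through the tracker; return (account, outcome) per line."""
    tracker = tracker or LockoutTracker()
    outcomes = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue                 # skip lines in another format instead of crashing
        when = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        account, success = match.group(3), match.group(2) == "OK"
        outcomes.append((account, tracker.record(account, success, when)))
    return outcomes


if __name__ == "__main__":
    print(password_problems("P@ssw0rd"))
    for account, outcome in replay_log(SAMPLE_LOG):
        print(account, outcome)
```

Replaying the sample log shows the part of item s) that is easy to get wrong: the fourth line is a correct logon for the locked account nine seconds after the third failure, and it is still refused, while the same account's logon twelve and a half hours later succeeds. Only successful logons reset the failure counter, so a slow trickle of wrong guesses spread over days still ends in a lockout.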
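Item ah) above tells you to put the distribution list on the bcc: line and a placeholder on the to: line. The following Python shows, as an added example for this edit and not code from the handbook, what that rule looks like when a blast is built programmatically: the distribution list is handed to the mail server only as envelope recipients, the To: header carries the handbook's placeholder address, no Bcc header is ever written, and a helper verifies that none of the list addresses can be harvested from the headers. The same helper is run against the mistake the item warns about (everyone on the To: line) for contrast. The distribution list and the sender address are constructed; only the noreply placeholder comes from the handbook.

```python
from email.message import EmailMessage

# Constructed distribution list: hypothetical addresses, not real people.
DISTRIBUTION_LIST = [
    "volunteer.one@example.org",
    "volunteer.two@example.org",
    "precinct.captain@example.org",
]
# The placeholder To: address the handbook suggests.
NOREPLY = "noreply@somecampaignforCongress.com"


def build_blast(subject, body, recipients, sender="updates@example.org"):
    """Build the message the handbook describes: To: is a placeholder, no Bcc header.

    Returns (message, envelope_recipients). The real recipients are handed to the
    mail server as envelope addresses and never appear in the message headers.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = NOREPLY
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_blast_leaky(subject, body, recipients, sender="updates@example.org"):
    """The mistake the handbook warns about: every address written into the To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def leaked_addresses(msg, recipients):
    """Return the recipients that anyone reading this message's headers could harvest."""
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return [addr for addr in recipients if addr in header_text]


if __name__ == "__main__":
    msg, rcpts = build_blast("GOTV shift reminder", "See you Saturday.", DISTRIBUTION_LIST)
    print(msg)
    print("envelope recipients:", rcpts)
    print("leaked from headers:", leaked_addresses(msg, rcpts))
```

To actually send, pass the list as the envelope: `smtplib.SMTP(host).send_message(msg, to_addrs=rcpts)`. Python's `send_message()` strips any Bcc header it finds before transmission, but keeping the addresses out of the headers altogether, as above, means the safety of the list does not depend on that behaviour or on any other mail client doing the same.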

3) COMPUTER APPLICATIONS SECURITY:

a) Keep all software applications on a need for access basis only.  Don't allow newcomers access to PC's until they have earned your trust.  Don't allow them access to sensitive data until they have shown themselves to be true believers AND you have an actual need to grant them this access.  The old gov't adage about "need to know" access is tried and true and you should practice it too.
 
b) Use applications that offer password control and encryption for databases, spreadsheets, and other critical documents.  Store all critical or sensitive work product files in a secure network server in a controlled access server room, not on local workstations.
 
c) Don't allow access to critical data from workstations located where basic entry level volunteers are doing entry level tasks.  It's all too easy for spies to connect a USB key to one of these machines and download or sabotage critical info.
 
d) Remember that http: pages are not secure.  HTTPS: pages are considered 128 bit secure on modern browsers.  Make sure all campaign websites require logons and use 128 bit secure pages for sensitive areas like donations, entering volunteer forms, etc.
 
e) Make sure that all webservers are secured by the ISP and are regularly tested to make sure they stay secure.   Learn what their webserver security policies are and have a competent I/T web professional review these policies in detail for weaknesses and possible improvements.
 
f) Make sure that all browser and PC histories, web caches, swap files, etc. get automatically cleared at sign on and sign off and when a web page is closed.

4) PHYSICAL SECURITY:

a) Keep hard drives, laptops, USB keys, floppies, tapes, DVD's, CD's and other portable media or devices locked in a commercial safe when not in use.
 
b) Try to make sure that the campaign facility is occupied by trusted staff 24x7 if possible.
 
c) Keep the offices, desks, file cabinets, safes, server rooms clear, clean and locked when not occupied by trusted staff.
 
d) Get a commercial alarm system installed that will call the police if activated.
 
e) Get security cameras installed inside and outside your offices.  Preferably get an office with full time on site security staff on a third or higher floor and controlled parking to prevent easy anonymous physical access.
 
f) Require a state or federally issued photo ID of all volunteers.  Get name, address, telephone number and verify them by calling.  Conduct an interview of all volunteers to see where they first heard of your candidate, why they want to help you, and what they can do to help.  Often times this will trip up the casual would-be spy who probably hadn't thought to rehearse that much of a cover story.
 
g) Verify volunteers and staff ID info before putting them to work on a campaign.  Don't put them to work the same day they first show up.  Get them photo ID badges if possible indicating their first name (but not their last) and what their job function is if possible.  Key card badges that control access to the building and particular offices are the best but that may be impractically expensive.  Credential all media as well.  Don't just let unknown people wander around your offices unsupervised and unescorted.
 
h) Put new volunteers and staff into low security tasks and evaluate them first before giving them more critical responsibilities.
 
i) All documents MUST at least be cross cut shredded before disposal.  Go buy at least 2 of these for your campaign and depending on the scope of the campaign (Presidential for example) you may need several more.  Rule of thumb - one for every printer station.
 
j) Hold sensitive shredded paper trash in a locked room for several days before throwing it out to prevent its timely use.
 
k) Haul sensitive trash directly to the landfill yourself so that dumpster divers won't find it so easy to go through your trash.
 
l) Make sure all PCs are in reasonably secure lockable cases that can't be opened without a key and which are secured by at least a locking cable to a large desk or other immovable object, and that all PCs are in lockable offices that have deadbolt locks.
 
m) Remember however good your software, wireless and PC security is - it is of little value if you do not also practice good physical security.
 
n) Make sure that you have persons on your campaign staff who are trained and certified in CPR/AED and First Aid by the Red Cross, and that all staff and volunteers know what to do in the event of a fire, medical emergency, police emergency or natural disaster situation.
 
o) Make sure that parking facilities are safe and secure and that all persons are escorted to their cars or monitored from a secure location as they go to and from their cars.
 
p) Keep private office doors, curtains or blinds shut whenever possible.  Don't make it easy for people to track you or eavesdrop from room to room.
 
q) Do not keep contact lists, email lists, or phone lists or volunteer rosters in plain sight where any mole can see and copy them.  This information should be restricted under lock and key to key trusted staff and the volunteer coordinator (who is also key staff).  If it is in public sight it can be copied and then a mole might call up all your volunteers on GOTV day and tell them they aren't needed or some other malicious dirty trick.  Keep this info on a need to know basis.

5) HOME AND PERSONAL SECURITY:

a) All of the above should also apply at home or on personal time as much as possible.  Additionally:
 
b) Vary your schedule and driving routes so that you don't fall into a predictable pattern.
 
c) Don't travel alone, always take someone with you and let trusted staff know where you will be but don't give your schedule to untrusted strangers.
 
d) Keep a close watch on your personal belongings, PDA's, laptops, memory sticks, wallets, purses, cellphones, keys, credit cards, etc.
 
e) Remember items bought with credit cards, checks and other electronic means are pretty easy to track these days.
 
f) Be careful what you discuss on the phone, cell or landline as these can be tapped or in some cases picked up with radio scanners.
 
g) If it looks fishy, it probably is - don't be afraid to call 911.   BE OBSERVANT, and ALERT - PAY ATTENTION.  (This also means get enough rest because it is hard to be observant, alert or pay attention when you are too tired.)
 
The Watergate burglars got caught because the security guard (Frank Wills) noticed a piece of tape on a door keeping it from locking properly.  He removed the first piece of tape thinking it was done by the building engineers during the day.  On his second round he noticed the tape was back again and called the cops, who fortunately showed up in an unmarked unit, which kept the lookout across the street from recognizing the cops, and thus the burglars were caught by surprise.
 
h) If it looks fishy don't let on to the possible perpetrator that you know that they are up to something.  Get description, license plates, names, and whatever information you can get safely at a distance and without giving up that you know that they are up to something and find a way to get out of their presence and to a secure location and call the police right away.
 
i) Buy a good high quality home safe with a combination lock that is fire rated, have it professionally bolted to your foundation in a closet or other less than visible location and keep all sensitive documents, laptops, PDA's, memory sticks, CD's, DVD's etc. in this safe when not in actual use.
 
j)  Get an alarm company for your house and good locks and doors.
 
k) If you can, get a decent sized dog.  Dogs make for good home security in most cases because they are very alert and have excellent hearing and eyesight and can tell when something is wrong and will bark.  Most would-be burglars don't want to go near a house with a dog for fear of being bitten and because of the noise.
 
This doesn't mean you need a Rottweiler or pit bull or some other dog which could end up being dangerous to you or your family.  Consider that there ARE substantial personal safety risks with larger dogs especially if you have small children or you are small yourself.
 
l) Keep doors and windows locked and alarms activated whenever possible.
 
m) Keep doors and curtains and blinds shut whenever possible.  Don't make it easy to track your movements from room to room.

6) TELEPHONE AND RADIO SECURITY:

a) Never discuss sensitive matters over the telephone, cell phone or over walkie talkie type radios (GMRS/FRS, etc.).  Remember - NO electronic communications are ever 100% secure.

 
b) If you have reason to believe your offices are otherwise bugged or that you are being watched or monitored, please consult a security professional and the police and conduct sensitive conversations in another location until you are certain that you can safely conduct conversations again in your offices.
 
c) Analog telephones are more or less a thing of the past but if you own one of these dinosaurs don't use it on a campaign as they are trivial for people with scanners to listen in on.
 
d) The best type of cell phones for security purposes are the CDMA (code division multiple access) phones, because they use a so-called "spread spectrum" system that makes it harder to monitor or jam these calls (although not impossible.)  These calls are coded (although not really encrypted) with what are called orthogonal P-N codes that require sophisticated equipment to allow a snooper to listen in.
 
http://www.webopedia.com/TERM/C/CDMA.html
 
CDMA is better than either GSM or TDMA based systems from both a security and just a simple reliability of connections basis.
 
e) Make your caller ID outbound number for your phone banks be "unavailable" if possible.  Keep unlisted phone numbers in reserve as well.   In a recent campaign, Republican operatives jammed the GOTV phone bank with constant incoming calls to defeat the Democratic GOTV effort.  The Democrat lost and now the Republican operatives are all going to jail but it doesn't unlose the election for the Democrat.   Remember - time is the one commodity in an election that can not be replaced - don't allow Republican dirty tricks to compromise your time that you need to accomplish critical tasks.

 
7) Final remarks:
 
Real security and safety is a philosophy or strategy and not just a simple collection of tactics:
 
Safety and security are best practiced in depth, i.e. have multiple overlapping layers of security so that if and when one method fails, another will likely catch the problem.   BE PREPARED - HAVE A PLAN FOR ALL REASONABLE EMERGENCIES - KNOW THE PLAN - MAKE SURE OTHERS WHO NEED TO KNOW, KNOW THE PLAN.  MAKE SURE THAT THOSE WHO DON'T HAVE A LEGITIMATE NEED TO KNOW - DON'T KNOW THE PLAN.
 
Don't ever take either safety, security or technology for granted.  Often new technology opens new and unanticipated security threats or invites us to take it for granted and become too reliant on it.  Make sure you learn all you can about computers and information technology and make sure you have trusted competent I/T professionals on your campaign staff who can both manage your I/T problems and protect your I/T and communications security.
 
Remember that the above security tips I have offered are just a BEGINNING to better security, not an END.  No security is ever fool proof or perfect.

Here are some additional security links on the web for you to learn more about security issues particularly as it relates to technology and communications:
 
http://www.stayinvisible.com/index.pl/basic_security_tips
http://www.cisilion.com/pdfs/Cyber%20Security%20Tips.pdf
http://www.securitypipeline.com/news/54200804
http://www.eweek.com/article2/0,1895,1642446,00.asp
http://www-personal.umich.edu/~cgaunt/security.html
http://www.us-cert.gov/cas/tips/ST05-019.html
http://www.kevincoffee.com/money/atm_safety_and_security_tips.htm
http://www.us-cert.gov/cas/tips/ST04-002.html
http://www.us-cert.gov/cas/tips/
http://www.homesecurityinformation.com/home-security-review.htm
http://www.homesecurityinformation.com/
http://www.nh.gov/safety/divisions/emergservices/documents/terrorism_handbook_2003.pdf
 
Of course there are an endless variety of these links; just Google up "security tips" and read on.  If you have tips of your own or feel I am wrong about something that I have written here, please let me know and I will try to correct the record.



Credits: The cartoon at the start of this handbook was by _Yet Another Comic_.