U.S. Senate See Full Big Line

(D) J. Hickenlooper*

(R) Somebody

80%

20%

(D) Joe Neguse

(D) Phil Weiser

(D) Jena Griswold

60%

60%

40%↓

Att. General See Full Big Line

(D) M. Dougherty

(D) Alexis King

(D) Brian Mason

40%

40%

30%

Sec. of State See Full Big Line

(D) George Stern

(D) A. Gonzalez

(R) Sheri Davis

40%

40%

30%

State Treasurer See Full Big Line

(D) Brianna Titone

(R) Kevin Grantham

(D) Jerry DiTullio

60%

30%

20%

CO-01 (Denver) See Full Big Line

(D) Diana DeGette*

(R) Somebody

90%

2%

CO-02 (Boulder-ish) See Full Big Line

(D) Joe Neguse*

(R) Somebody

90%

2%

CO-03 (West & Southern CO) See Full Big Line

(R) Jeff Hurd*

(D) Somebody

80%

40%

CO-04 (Northeast-ish Colorado) See Full Big Line

(R) Lauren Boebert*

(D) Somebody

90%

10%

CO-05 (Colorado Springs) See Full Big Line

(R) Jeff Crank*

(D) Somebody

80%

20%

CO-06 (Aurora) See Full Big Line

(D) Jason Crow*

(R) Somebody

90%

10%

CO-07 (Jefferson County) See Full Big Line

(D) B. Pettersen*

(R) Somebody

90%

10%

CO-08 (Northern Colo.) See Full Big Line

(R) Gabe Evans*

(D) Yadira Caraveo

(D) Joe Salazar

50%

40%

40%

State Senate Majority See Full Big Line

DEMOCRATS

REPUBLICANS

80%

20%

State House Majority See Full Big Line

DEMOCRATS

REPUBLICANS

95%

5%

Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
September 16, 2008 10:44 PM UTC

A problem with Marilyn Musgrave's campaign website

  • 64 Comments
  • by: databoypols

(How does a web admin get it this wrong? – promoted by DavidThi808)

UPDATED BELOW

Don’t look now, but there’s a problem with the website for Rep. Musgrave’s re-election. But no one has noticed, so I guess no one ever goes there?

I should call this diary of a madman…

Why would I go to Rep. Musgrave’s site?

http://www.musgraveforcongress…

I’ve been a proud Democrat all my life (except briefly when I was 12-13 — but that’s another story), but I had received an e-mail from her opponent, Betsy Markey (her own website is: http://www.markeyforcongress.com/ and doesn’t have any problems that I can see) — well, sorry about the parentheticals! I’ll get to the main gist:

Musgrave’s site had a security hole the size of the gap between her record and her campaign. I thought I could create an account like at Barack Obama’s site, and I did. I didn’t think I should be able to re-configure the whole site! So I did — sorta. I turned off the site, like unloading a gun that you find but you really, really wish you hadn’t found it because now you’re all responsible in case any one gets hurt and why can’t this ever happen to someone else…

Anyway.

So I wrote an e-mail to the administrator of the site. I wrote an e-mail to another account at the site. NO ONE HOME. So I took the site off-line. And I wrote another e-mail.

I wonder if anyone will notice?

UPDATE: Apparently more people read this blog than administrators of Musgrave’s campaign site read (and reply to) their e-mail!

4:15pm SITE STILL DOWN! And when I locked the door behind me, I didn’t leave a “backdoor” or keep a key. As I was trying to do the right thing — imagine if you went to a store during your lunch that you WOULD NEVER SHOP, but that somebody left the keys in the locks — or even left the ability to change the locks and make new keys! You could walk away — and from the comments below, some people might say I should have — or you could contact the store manager and lock the doors behind you.

Well, that’s what I chose to do. I tried to do the right thing, but did I? Time will tell!

Comments

64 thoughts on “A problem with Marilyn Musgrave’s campaign website

  1. Not that that would change things, but someone is going to be very pissed and perhaps legally in the right.

    Log in every day so we can look for you in Egypt or Russia if you don’t……

  2. …taking her website offline is not OK. Just because you CAN do something doesn’t mean you SHOULD.

    And posting about it is a surefire way to get yourself into trouble. Ms. Musgrave does not take kindly to this sort of thing.

    1. That while I agree turning it off was wrong, I am not sure I would have been able to resist temptation (like putting up a link to a gay rights group).

      And how incompetent does her web staff have to be to do something this brain-dead. This isn’t forgetting something, this is adding functionality to the site.

      Someone choose to add this – why?

          1. We’re “press!” With a code of ethics and everything. I’m a “commentator” for ’em because I’m neck-deep in Colorado politics.  They won’t let me anywhere near the news side of things – not even the blog! Too bad, really, because I’d love to write a “news” story about how electronically backward the Musgrave folks are.

            Fair warning, though, they don’t take kindly to computer high jinks.

      1. they discuss the problem MIT had with hackers deliberately crashing their site. Their solution was ingenious: they added a command line: “Crash the system.”

        When you clicked it out of curiosity, you crashed the system, and felt like an idiot.  With even the most casual users able to crash the system, of course, the thrill was gone and the expert hackers (a term that then was an accolade) left it alone.

        I think it reset automatically in ten minutes or so, and basically solved the problem. But if pols gets a subpoena for databoypols’s ID information and he ends up in jail, I’d advise him not to pick up the soap. He did commit a crime.

        1. I was a student of yours a long– uh, some time ago!

          And one thing I remember was your story of how an earthquake (yes, here in Denver; yes, it was very minor) may have been caused by pumping at significant pressure some nasty stuff from the Rocky Mountain Arsenal very deep into a fault. You mentioned that on the one hand, it was really bad. But on the other, the DoD actually helped by loosening the tectonic grip before a bad seismic event.

          That was your example of spin. A tale proudly told, if I remember… 😉

          All spin aside: every administration function of the site was available to me once I created an ordinary account using the built-in tools. I figure that “closing the site” using the same built-in administrative tools was indeed my responsibility upon discovering how poorly the site was setup.

          Is that my example of spin?

          It may come to it: a judge may judge me right or wrong in this! I hope not, but if so….

            1. My undergraduate ethics professor did his doctoral work at Georgetown where he taught ethics to a young man named… Bill Clinton. It was always worth a few laughs in class when he retold that.  

              1. at the graduate school of public affairs at UCD. One of my first students was John Stone who later became Jeffco Sheriff during Columbine and FUBARed the public relations of the Columbine massacre. I ever after explained that if John Stone’s ability in public relations reflected my ability as an instructor, it was time to find another line of work!

        2. That in itself is an obvious track for them to follow.

          If, however, the law says “malicious” in it, then they will have a hard time proving malice given what he has posted.

          The DMCA is a strange document, however, I wouldn’t want to be Databoy.

    2. By disabling the functionality of her site, the diarist has probably run afoul of serious computer law violations.

      Hope you hid your tracks well, my friend, ’cause a bit of Black Hat activism could cost you a lot of cash or “time out”.

      1. At the time, I felt I was doing the right thing as I explained in the post. Now, I think I did what I had to in self-preservation!

        Imagine if someone else got in there after me and did real mischief!

        I figure I won’t get a big thank you from Rep. Musgrave’s office or her campaign staff, but I actually helped them (and I think I helped myself by ‘closing the door’ when I left).

        And that’s why I’m being public about this — I actually want a trail of what was done and why!

        1. I can’t stand Musgrave but what you did here is so unethical, I’m not sure where to begin.

          Get your ass off this blog and get on the phone to her campaign office and continue to play as stupid with them as you have with us here and hope she finds it within her Christian spirit not to press charges.

          1. I think it’s pretty clear the guy didn’t intend to crash the site, just to make sure no one else came in after that would screw it up in an irrecoverable way.

            I don’t think many juries would send this guy to prison for trying to do the right thing. It was an error on the Musgrave website, and he didn’t do anything that the website itself didn’t allow him to do. How does Musgrave’s stupidity mean he broke a law? He didn’t hack the site, he just used functionality (stupidly) built into the site by the campaign.

            So chill.

            1. Perhaps IT isn’t your day job?

              Giving the diarist the benefit of the doubt, he got in legitimately – no tricks, no hidden access area.

              Once there, he did something that he wasn’t supposed to do, and that no right-thinking jurist would consider to be anything less than malicious: he shut the web site down (Denial Of Service).  Being granted access to a system does not automatically grant you the right to access that system to do anything it wasn’t intended that you do.

              And, on his way toward crashing the site, he theoretically changed all the passwords or disabled access permanently for everyone – including the site administrator, who presumably needed the admin panel to get the system back up and running.  If the jury wasn’t convinced by the first action of the malicious intent of the diarist, then this secondary act should remove all doubt.

              Hacking, or more properly cracking, always involves exploiting an unintended functionality.  Assuming the diarist isn’t euphemizing the initial access, the website was poorly configured, but Denial of Service is Denial of Service, no matter how it’s initiated.

            2. Stick to being “press.” Don’t give up your day job, genius because reading comprehension is apparently as foreign to you as good manners.

              Good news, though. You’re not “kind of” a dick. You’re just a dick. Period. And I’m guessing a small one.

          1. YOU are Marilyn’s web master, and this is all a scam like when Lieberman tried to blame his website crashing on his opponent.

            I would not at all be surprised to find out that Marilyn’s site just crashed due to incompetence, and this is all just a cover for that.

            If so, then bravo, because you really do sound like an authentic over-smart but under-wise hacker.

        2. I don’t think you’ll find a friend in law enforcement, and I say this from personal experience.

          No being coy: you did real mischief – you disabled the system and threw away the key.  Last time I helped a client on that kind of action, the guy wound up with all kinds of Feds on his doorstep and the Nashville US Attorney running a grand jury.  Last I checked he was the most contrite ex-hacker on the Intertubes.

        3. I disagree

          At the time, I felt I was doing the right thing as I explained in the post. Now, I think I did what I had to in self-preservation!

          Imagine if someone else got in there after me and did real mischief!

          I figure I won’t get a big thank you from Rep. Musgrave’s office or her campaign staff, but I actually helped them (and I think I helped myself by ‘closing the door’ when I left).

          And that’s why I’m being public about this — I actually want a trail of what was done and why!

  3. 101.1) “Authorization” means the express consent of a person which may include an employee’s job description to use said person’s computer, computer network, computer program, computer software, computer system, property, or services as those terms are defined in this section.

    102.2) Any person who knowingly and without authorization uses, alters, damages, or destroys any computer, computer system, or computer network described in section 18-5.5-101 or any computer software, program, documentation, or data contained in such computer, computer system, or computer network commits computer crime.

    102.3) If the loss, damage, or thing of value taken in violation of this section is less than fifty dollars, computer crime is a class 3 misdemeanor; if fifty dollars or more but less than three hundred dollars, computer crime is a class 2 misdemeanor; if three hundred dollars or more but less than ten thousand dollars, computer crime is a class 5 felony; if ten thousand dollars or more, computer crime is a class 3 felony.

    1. …then we’re already up to Class 5 felony, or the webmaster’s seriously under-paid.

      I think it’s safe to say that the diarist didn’t have express permission, nor will the site have had an explicit document granting him that permission.  And without permission, he knowingly shut down the site, “damaging” it.  And it’s been down for several hours, potentially damaging her fund-raising efforts (this is where it could be upgraded to Class 3 Felony status…) and costing her IT staff time.

      Either that, or the poster is a complete shill and this is a stunt a la Lieberman as has been pointed out by TBTH.

      1. I imagine the people who setup this site and login arrangement get into it the same way you did.  Bad form – yes.  Make it a news story and/or tell the masses about it as a matter of fact, but don’t jeopardize yourself, Markey, or progressive techies by not allowing their people to get in.

        I must disagree with your actions here.

    2. .

      But from the sound of it, what he did actually prevented further damage.  

      Now, as a wingnut conservative, I’m more sympathetic to and rooting for Musgrave.

      I should be outraged, if he did malicious damage.  

      But I say he did her campaign a big favor.  

      I am betting that Musgrave publicly thanks the guy and wins his vote.  

      If her webmaster ever figures out there’s a problem.  

      .

      1. .

        I know that there are some smart folks computerwise who post here.  

        Please don’t make fun of me, I’m very sensitive.  

        I was able to go to the site

        http://musgraveforcongress.org and click through the pages.

        If I put the “www” in the address, that site is down.

        Are those two different sites ?  

        .

        1. Pinging musgraveforcongress.org [72.19.164.67] with 32 bytes of data

          Pinging http://www.musgraveforcongress.org [72.19.164.70] with 32 bytes of data

          They have the 2 names pointing at 2 different IP addresses. Now both could be on the same machine but that would be a very weird configuration. At the same time, you generally point both names at the same IP address.

          I wonder if the way their system goes to “updating” mode is to point at an alternate IP address and it did it only for the name he/she went in on. If so, he/she can go in on the other still.

          1. OK, I”m not an internet genius.  But in my defense, I ran a 20 seat community computer lab, I’ve done a lot of computer repair, own somewhere around 9 domain names, and am not exactly an idiot in these matters.  YET…

            I’ve noticed that some sites/servers require a www prefix, and with other URLs they don’t.  My own primary domain is either, paulv.net or wwwl.paulv.net . Both work.

            Awaiting enlightenment.

            paulv.net

            bigcottonwood.net

            verizzo.net

            thems the main ones.  

            1. Under the covers all machines are identified by an IP address like 11.22.33.44. And a given machine can have multiple IP addresses but an IP address goes to 1 machine. (Behind a firewall you can have IP addresses that are also used behind other firewalls but as they stay behind the firewall, the IP address is sill unique to a machine).

              Now all a name like http://www.paulv.net or http://www.paulv.net or paul.is.a.stud.paulv.net does is get mapped to an IP address. That’s what DNS does – the name to IP mapping. Most places map both name.com and http://www.name.com to the same IP address – but you don’t have to.

              1. All in the DNS.  I was thinking along the lines of how the server is set up.  A host I used once running Linux had a specific “WWW” folder besides the same info outside of it.  That led me to incorrect conjecture for a number of years, apparently.

                Thanks.  

                1. http://www.mydomain.com and mydomain.com are different. They could be different machines locate on different continents. But in reality the convention has been to map them both to the same web server, and for best results put a rule in your .htaccess file to rewrite the URL to one or the other. It’s a best bractice because cookies get stored under the domain. Coloradopols suffers from a bug along these lines… If you log in under coloradopols.com and then surf to a page via a link that has the www. prepended, you suddenly aren’t logged on anymore. It’s also a best practice because search engines see them as distinct web sites (as they technically could be) so your page’s significance can be divided in half.

                  I remember in the olden days the distinction was still real and if you forgot the www you’d get 404 errors. Made tech support for newbies fun. “Did you remember the WWW?”

  4. You aren’t helping the cause.

    And you have opened yourself to enormous civil and potentially criminal liability.

    And hardcore Republican John Suthers will be the guy you will have to face, as the AG’s office prosecutes computer crime. If it’s prosecuted as a federal crime, which it certainly could be since you are messing with a federal candidate’s fundraising, you’re looking at a world of hurt.

    Very, very bad form. And I don’t think you have a clue what you’ve just opened the door to, both for yourself legally and for Betsy Markey and the entire Democratic ticket.

  5. I talked to a number of other IT people and we quickly came to a concensus on what we thought was right. This was with no knowledge of the law which – as posted here would change what we would probably do.

    1) Contact the site and let them know.

    If there is no response then…

    a) If someone else getting has serious consequences, then turn it off.

    b) If someone getting in is not serious, leave it alone.

    And finally…

    Wait 24 hours before publisizing it to give them time to correct it.

    But the above discussion did not take into account the unique case of where the person who discovered it is a political opponent of the person who’s website it is. And that does change things.

    I think as there were no serious consequences to leaving it alone (they could easily wipe the disk and rebuild in a couple of hours), it should not have been touched.

    Especially since this person is a supporter of Betsy as this drags her into this – and that is not good.

    On the flip side, it would definitely have been legit for him/her to email the press to tell them how to register and they could then see for themselves the functionality to verify it. And the press could then run with it after waiting a couple of hours for MM to get her site fixed.

    And everyone in security has a different opinion of how long to wait before publisizing a security hole. And I can’t recall any case before where the one reporting wanted to “harm” the one they were reporting on – although many do take some glee in pointing out security holes in Microsoft’s products.

    Anyways, I think the turning it off was dumb, but it was arguably a responsible (although maybe not legal) move.

    1. agreed that it smells fishy and fake, but when i checked at 9p it was still down.  

      my guess is that the number of likely voters still undecided in that race likely to hit MM’s website for any info is somewhere in the 0-5 range.

  6. Today has been an interesting day! And while opinions here in the comments are generally negative (Ouch! I thought that could happen– the commenters here are generations more evolved than most other places on the web), the story over at the Colorado Independent is bit on the fanciful side. “Exploits…”? Hardly!

    And yes, the other sites for Musgrave’s campaign are still up. And no, I’m not about to try and create any more accounts like I did during lunchtime at http://www.musgraveforcongress.org.

    Really, it’s a mundane situation, and yes I did have express permission to do what I did, as I quote an e-mail sent (automatically) by the account creation system:

    aRegisteredDemocrat,

    Thank you for registering at Marilyn Musgrave for Congress. You may now log in to http://www.musgraveforcongress… using the following username and password:

    username: aRegisteredDemocrat

    I’m obviously not a lawyer, but shouldn’t a website have a “Terms of Use”? — But this site welcomed me with, well, open everything. I think that even out of the box, the default install conditions of the CMS that the site is using isn’t as insecure as what I found!

    And when I clicked on the link in the e-mail that confirmed my newly created account, there was a menu at the website right under my new account name allowing me to “administer” the site. Play time was over! What I thought was a pre-release interactive feature when I signed up was turning into a horrible chasm of incompetence! I took screen shots and deleted my blog entries (I apologize to the Pols, I’ll never stray again).

    Now (cue defensive mode), by the time that I had already sent two e-mails to different addresses that were listed on the site about the problems. I had no idea who received them — did I just tell the entire hemisphere about a problematic website? — I had a choice to make. As the newest expressly installed administrator of http://www.musgraveforcongress.org, I made a choice: with a simple checkbox and a click of a submit button, I could close down the site from myself and anyone else.

    At that point, I turned off the lights and closed the door.

    I think I would have been that kind to a democratic candidate’s website as well. And in that situation, I might have come straight here to the Pols site, too!  

    1. I don’t think registering gives you explicit permission to alter or damage the site in the way that you did.

      Colorado’s computer crime law is much more explicit than most; the wording of the authorization definition is pretty specific.  “Express consent” means that you must receive explicit permission from the site owner, not just to log in and access the system, but to do specific things on the system.

      If the door to a house is open, do you go in and turn off the power, then change the lock and close the door “just in case”?

      (PS – I’m giving you a real benefit of the doubt here when responding – personally, I think you’re a tongue-in-cheek wise-ass hacker looking to glorify his conquest.)

      1. What he describes can get him in a world of trouble – years of jail time and tens if not hundreds of thousands of dollars in criminal fines per incident.  And that’s assuming he only ever violates state statutes and never traverses state lines – which, assuming he lives here in CO, he apparently did, since the server appears to reside in Kansas.

        He has, even under the best interpretation, caused the Musgrave campaign hundreds of dollars in IT fees; my guess is that for 8 hours of downtime and a complete system migration (the server is now at a different IP address), the costs to the campaign were $1,000+ for third-party admin work.  The costs to the ISP may be enormous.  A server that’s been hacked at an admin level cannot be guaranteed safe – and depending on the paranoia level, that could include all of the other virtual servers that may have resided on the same physical system as the compromised system.  Restoring confidence in a compromised system is costly and time-consuming.

    2. And you did it under the name “aRegisteredDemocrat?”  Do you realize that this gives them further ammo to claim that this was an organized attack by Democratic party operatives – which it is not.  Stupid, stupid, stupid.

      Hopefully you will learn from your mistake.  And part of me hopes you are caught so that others can learn from your mistake.

  7. As a software developer myself, and an observer of the Internet, we know all sorts of stories of desecration of candidate Web sites.

    Anyone could have posted deceptive material.  A downed Web site is no big deal compared to, say, changing what the “Issues” section says an enraging otherwise-would-be-supporters.

    No one will remember the few hours the site was down.  But, desecration might have ended up being a long-running joke about the security of the site.

    I’d a desecrated the damned thing, just as she desecrates Coloradans every day.

    MARKEY ’08.

    1. As someone who’s been a CISSP and deals with sysadmin stuff every day, once a server’s been compromised, you can’t trust anything on it.

      You may think you’re saving the campaign a potential PR headache, but what you really did is to undermine their entire system integrity, at least in the eyes of an ISP security response team or other competent admin.

      And as an immediate proof, according to David’s post earlier compared to a DNS lookup now, the system has been moved to a new server (different IP, now .191, including the non-www site).  In all likelihood, they restored from a backup point; if DBP isn’t lucky, they preserved the old system for forensics use.

      1. The fact that anyone could have done this means others may have already done so, but made subtle changes that no one noticed yet. If this guy did nothing other than notify them, they still should have assumed that it was compromised.

          1. another dirty trick by millionaire Markey.

            I’m offering 8-5 that’s exactly what they do. With enemies as dumb as  Databoypols, Marily doesn’t need friends.

        1. Though if they were notified in an innocent ‘I tried to do this and got more than I expected’ user kind of way, they would probably assume it was a short term misconfiguration and let it slide.

          By actively using the administrative functions to disable access and the website itself, the assumed security risk was raised.

          Rule of every job I’ve had as a sysadmin and support tech: everyone wants to assume that they’ll be okay, even after the same system gets re-hacked within 15 minutes of fixing the known security hole.  Maybe people just assume it’s like a BSOD – reboot and the problem will be solved.

  8. …I’d like to share a little story.

    When my two oldest boys were about 13 and 14, they were visiting my folks in Aurora. They came home from the mall one afternoon to find the house locked and no one home.

    There was an optional way in–through the back yard (safe, since the dog knew them) and in through the unlocked kitchen window. Unfortunately, a neighbor spotted them who did NOT know them as well as the dog did.  

    A few minutes after the boys got in, cops knocked on the door! The boys explained, but naturally the cops wanted some proof.

    So Kenny led them into the den and offered to fire up my dad’s computer (an 8088 running DOS, if memory serves) and prove that he was a legal resident of the home, since he had the password for some BBSs loaded on it.

    He made this offer in a room COVERED in family photographs, many of which the two boys were actually featured in.

    My point is that, while there are of course techie types who are the exceptions that prove the rule, many of these folks look at problems as they relate to the actual tech part of the matter first, and the human interaction part second.

    It’s my opinion that Databoypols was genuinely intending to do the right thing. After this, he has probably picked up some new ideas about what the BEST right thing to do would be if a similar situation comes up. But in any case, I think it would be nice for people to give him the benefit of the doubt.

    1. she files a criminal complaint against Betsy, charging it was done by her campaign. The Da is , who, Buck? He plays with it for a few days while the press writes it up. You don’t need a conviction, just a few headlines and more stories on how dirty the Democrats are.

      In case you haven’t realized this yet, gentlemen, Team Marilyn knows how to play hardball.

      I like your tale, neonnurse, but whether or not databoypols intended to do the right thing (which is only true if vandalism has suddenly become the right thing) the point is that such stupid things bring discredit on the cam;aign you support.  I forget the detail, but didn’t Karl Rove once vandalize his own candidate’s office so he could blame it on the other candidate? The tale was told in “Bush’s brain.”

Leave a Comment

Recent Comments


Posts about

Donald Trump
SEE MORE

Posts about

Rep. Lauren Boebert
SEE MORE

Posts about

Rep. Yadira Caraveo
SEE MORE

Posts about

Colorado House
SEE MORE

Posts about

Colorado Senate
SEE MORE

34 readers online now

Newsletter

Subscribe to our monthly newsletter to stay in the loop with regular updates!