Isn;t this just like the Schwarzenegger gaffe which was stolen off a California state computer hacked by his opponent's campaign.

Seems like a cottage industry of digital larceny has taken root in Democrat ranks

When you have no plans, in fact the democrats don't have a clue, then you have to steal the other guys work.

Interesting development. The question is how much ink will this generate? If Klobuchar was the Republican we could expect a lot. However, I suspect the Strib will spend a lot of time looking the other way and deciding other things are more worthy of being covered. The Kennedy campaign, party leaders and allies in the new media will more than likely have to do the heavy lifting to make sure this gets the play it deserves.

Ken

I'm working on a Minnesota Stories Investigative Report showing just how easy and legal it is to find campaign ads on the unsecure web site of Mark Kennedy's ad man. That's assuming knowing how to use a web browser is legal...

Power Line and MDE: Crazy liars?

Yeah Chuck -- we'll be looking for that report.

If it's so legal Chuck, why did the Klobuchar campaign feel it prudent to report it to the FBI?!?

Perhaps MN dem bloggers can use their web browsers to access a law dictionary and look up the definition of "larceny".

Hints. the crime does not require force or even the knowledge of the victim at the time it is committed. And negligence on the victim's part is no defense to the crime.

I also wonder that since Howell's firm is in Dallas whether the perp can be prosecuted under TEXAS criminal statutes?

Hey, Kevin, great post! It's stories like this that show why I visit this site numerous times a day. :)

I think it shows the Republicans also need to start getting their system administrators to brush up on security as well. Not excusing the Dems at all by this. A thief sneaking through an open window is still a thief. But a security guard who leaves a window open needs his job re-evaluated as well.

Since it's obvious there is a culture of hacking and electronic Watergating in the Democratic party the Reps need to be more vigilant.

>I think it shows the Republicans also need to start getting their system administrators to brush up on security as well.

That was my initial accessment as well...

But after thinking about it I changed my mind.

The damage done to the Dems by them breaking the law is worth far more than a few campaign vids. Heck, I think Republicans should make it as easy as possible for the Dems to break the law.

I don't want Republican Sys Admins tighening serurity, I just want them keeping very good server logs. lol

When?

1) Calling the FBI was a way for Klobuchar to play it safe, look tough, and distance herself from this incident. Pretty smart, but quite an overreaction IMO.

2) The giant problem with what you posted here is that the page in question was a publicly available page. All that so-called-password page does is redirect to a public client page. Kunin could have easily forwarded that direct link to anyone and they wouldn't have needed any password to watch the video. It was all unprotected and public.

Chuck, you cannot be that dense. The moment that clown entered a password that was *not* assigned to him by the firm's system administrator he committed a crime. Whether he guessed right the first time or ran a cracker program to come up with one that would allow him to proceed is irrelevant; whether the page he was directed to was "public" to all approved users of the system is irrelevant. He falsely assumed the identity of the person whose password he used to gain access to the ad agency's property, and then disseminated said property.

Ipso facto, he's down for committing fraud, theft, and dealing in stolen goods.

You're wrong on all accounts.

Most importantly, this is not a password screen - it's a redirect. Here's proof. I'm sure the word "password" made his poor clients feel better, but this screen is completely useless.

Besides that, because the page redirects to a public page that you could discover and access anyway, typing a word in this page is not illegal.

Furthermore, providing a link to a public web page is not "disseminating stolen property."

Information Warfare,
It's not just for breakfast anymore.

No matter how poorly it's implemented, the "password" request makes the INTENT of the ad agency clear, and that's what matters legally. I suspect that the Klobuchar folks turned themselves in because they knew it would be traced back to their informant, and from him, then to the campaign.

If we're talking about the Digital Millennium Copyright Act, it states that a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

Here, one can gain access to the work without any such requirements. But yeah, it's in the hands of lawyers now.

Chuck, if you accidentally go out one day and leave your door unlocked, is it OK for me to go in and take whatever I want? After all, your door didn't actually implement any security controls, it just redirected me to another part of your house. And presumably your house can be seen from the street, so you should have no expectation of privacy.

You gotta be the most obtuse dude I've run into this month, chuck (and with some of the clients I have, that is saying something!).
You cannot gain access from that page to *anything* without "the application of information." No matter how shoddy the underlying code might be constructed (and you can be sure the idiot who built that site is unemployed now for being... well, an idiot), it does not say "click here to proceed." The firm's intent is clear when it asks for a password. If there is a sign on a door that says "Do Not Enter" or "Employees Only," saying "it was wasn't locked!" is not a defense for crossing the threshold without permission.

No judge or jury is gonna give a damn about the code being flawed.

Say, by chuck's "logic," maybe crime didn't really go up during Klobuchar's tenure as County Attorney in Hennepin County after all.

Maybe the citizens she was supposed to serve failed to protect their own lives and property from crime. How can we blame the poor criminals for breaking through such flimsy locks?

Chuck, when can we expect your report? I'm not interested in the part about how easy it was, I don't doubt that part of the story, but rather the expert legal analysis of accessing the video. Just because it was easy doesn't make it legal.

Cousin Dave: If you come to my web site, and download one of my videos, can I throw you in jail? That analogy doesn't work. We're talking about PUBLICLY AVAILABLE FILES, which you people don't seem to understand.

Leather Penguin: I take it you're not a lawyer either, so you're talking out of your ass. I'm sure intent is a factor, but so is the functionality and the fact that these pages are publicly available, regardless of whether the client redirect page even exists.

Tom: I'm not a lawyer, so there will be no "expert legal analysis." But you don't need to be a legal expert to know we can access public web pages without breaking the law.

As to whether Noah broke the law - I posted what I think is the relevant bit of the DMCA above. You'll draw your own conclusions regardless of whatever I say here. Like I said, it's really up to the lawyers. But there's strong support of no law being broken.

Ethics -- that's another matter. I think most people agreee it was not smart to send this to the Klobuchar campaign. The Klobuchar campaign took rather decisive and moral action. Most voters won't really give a rat's ass about the minutae of how a blogger accessed the ad anyway.

The page that was linked to by this redirect was a public page, simply not otherwise directly linked to from the site's top level pages. On my dinkytoy home page I still have old pages sitting there that are no longer directly linked from the top page, but which one could get to simply by typing the complete URL to that page in the browser. These pages can also be located if you search for the right keywords in Google.

Now at this point the "Allen" page has been removed or closed off due to this brouhaha, but what if, instead of finding it by typing in the "password" field, Noah had come across it via Google or some other search?

Saying that this is a crime is like saying that "I left a box on the curb in front of my house. I can get to it from my yard via an unlocked gate. Someone looked in the box after coming through my yard. Crime!! Oh, but if they looked in it after walking up the street, that would be OK."

Kunin is quite ensconced in the Culture of Corruption, as illustrated by his company's client list:
* The Democratic National Committee

* MoveOn.org Political Action

* Democratic Congressional Campaign Committee

* The Center for American Progress

* Working America

* People For The American Way

* Yes on C&D (Colorado Referenda)

* Forests Forever

* The Media Fund

* Common Cause

* ACORN

* Pennsylvania Coordinated Campaign

* Washington Coordinated Campaign

* Amnesty International

Dirty tricks are to be expected. I hope he's prosecuted big time.

Kunin a liberal blogger? Never would have guessed that from the photo.

Sorry, guys I think Chuck is dead right on this one and there's no way anyone will be convicted of a crime here.

Your analogy of locks and signs and doors makes sense only if you understand that this site is like a house with a door but no walls!

You're basically arguing that having a door with a sign on it saying "No Admittance" would allow you to convict someone of breaking and entering if they *look* at what's plainly visible behind the door.

The problem with the story is that the relevant evidence probably isn't archived on google cache or archive.org

What's relevant is whether the virtual directory listing was allowed prior to the breach. If you could browse the directory simply by chopping off a legitimate URL that's not a security system, it's fair game. Any Scott Howell & Company client would know the relevant directory and could pass that on to this blogger who could browse through the portfolio to his heart's content without ever getting to that password screen, without ever *seeing* the password screen.

In other words, the logs may tell us the story but it's not a slam dunk case and we should be cautious on this one.

My credentials on this are over 15 years as a network administrator starting in the early 90s and my continuing work in the field. Personally, I'm a libertarian with a strong antipathy toward the Democrat party but diving into the fever swamps doesn't do anybody any favors no matter how tempting.

Rheinhard-

How convaluted is your "analogy"? Try again-it's awful.

If your analogy is correct than why did Klobuchar ask McGuiness to resign? Why did she report it to the FBI?

Honestly I could take you step by step through what is so wrong with your analogy but it would take too long and I think you are beyond being just.

Ashley Tate

Same question to you.

Tim Lutas

That doesn't work. The blogger has already admitted to typing in the *password*-Allen. Also his mal-intent is evidenced by his passing the *info* gained to the OPPOSITION.

I think the analogy to someone not locking the door the their home is pretty poor. It's more like not locking the door to your business. Public websites are in general places that their owners want others to visit.

The blogger who guessed a password that gave him access to the ad might have some legal liability; but if that 'password' page really is as ludicrously bad as chuck says it is, and returns a direct link to the add, then no one else who viewed it using that link should have any liability at all. Firing the staffer seems to me like a huge overreaction in an attempt to limit political damage.

You are all wrong.
the Democracts are on the side of RIGHT. It is obvious by their policies, and we who disagree with them can only do so because we are morally wrong.
Therefore, it is ok to violate the law, the law only applies to civilized people on the side of RIGHT. i.e. those who agree with me.

Hitler, Lenin, Stalin, Mao, Che, Castro, all knew this simple truth. All of them were also on the political left. It is time we woke up and smelled the proletariat.

they did nothing wrong, in fact, we should commend them!

Rory:

"just" (n) = in all cases, the conclusion which makes Republicans happy.

Yeah I guess I'm just incapable of being "just".

As to the FBI deal, I think it's generally the case that most politicians and campaigns have not a clue how the Internet really works. Witness Lieberman's campaign lying about how their website was "hacked", when in fact it collapsed due to their own technical incompetence and inability to handle high traffic loads expected on the day of one of the most closely watched primaries in the nation. In Klobuchar's case, I'm pretty sure it's a case of wanting to avoid even an appearance of impropriety, even if there is, in fact, nothing illegal about the underlying act.

Well nevermind trying to answer the questions-Klobuchar's OWN spokesman has-

In a prepared statement, Klobuchar campaign manager Ben Goldfarb said that communications director Tara McGuinness was contacted by a local blogger last Saturday who sent her a link to the Kennedy ad.

"The blogger indicated to Ms. McGuinness that he had gained access to the advertisement by use of passwords," Goldfarb said in the statement. "Exercising poor judgment, Ms. McGuinness opened the link, watched the advertisement and asked others on our campaign to watch it."

Source Channel 11

Chuck:

Furthermore, providing a link to a public web page is not "disseminating stolen property."

Why defend the indefensible? Kunin was a naive fool. (This is made even more apparent by the fact that he's found himself in a hole and has decided to get out of it by digging harder. He writes that the access page "Was in no way secured." That's going to play well for your average technically-challenged juror when they see the word "password" on the access page. Get a lawyer quick, Noah.) McGuinness was simply an idiot.

For what it's worth, at least Klobuchar's campaign recognized the problem and dealt with it, no matter how clumsily; and who knows, maybe they can document an FBI request to keep quiet about it pending initial inquiries. In my opinion people should give Klobuchar the benefit of a doubt on this one.

Sorry, Rory, but a password without a username isn't a password, whatever you call it.

Would you use a Web-based email provider who provided you with *only* a password but no username? Of couse not, because anyone could stumble into your email account even by simply mistyping their "password".

I'd love to hear you take apart my analogy, and I'd love to hear you explain why I'm "beyond just". I assume you think I'm biased? Well, check out my blog(s). I happen to be a software engineer/architect who understands the technology thoroughly and I'm also *extremely* conservative.

Reinhard:

Now at this point the "Allen" page has been removed or closed off due to this brouhaha, but what if, instead of finding it by typing in the "password" field, Noah had come across it via Google or some other search?

That might have been a defense if (a) it could be shown that the pages were crawled-and-cached by Google and (b) if Kunin himself hadn't detailed using the word "Allen" to get past the access screen.

And Ashley, just because the security on the site inhaled hard doesn't mean the intent wasn't there to secure it. Somehow Kunin found the magic word when he clearly wasn't meant to find it. Again, he had better hope he doesn't find himself in front of a jury.

From my extensive legal experience gained by watching too much "Law & Order", there seems to be this thing called "inevitable discovery", by which evidence acquired through illegal means can be found to be admissible in court if it can be shown that other aspects of the investigation would have come upon the same evidence through legal channels. Now I don't think this is a good analogy to the current situation because I don't believe there was any a-priori illegality here, but consider with regard to your observation:

That might have been a defense if (a) it could be shown that the pages were crawled-and-cached by Google and (b) if Kunin himself hadn't detailed using the word "Allen" to get past the access screen.

Let us assume, for the moment, that (a) is true. I don't know whether it's the case or not but expect that if this gets investigated that will certainly be checked. But if for the sake of argument (a) is true, then Kunin could well have said "Huh, I've found this public site with a simple keyword guess, let's see if I can turn it up with Google?" nd being able to get to it via an alternative method would render (b) irrelevant.

Rheinhard-
So now your arguing against Klobuchar?

Again I'll post what KLOBUCHAR's spokesperson said-

n a prepared statement, Klobuchar campaign manager Ben Goldfarb said that communications director Tara McGuinness was contacted by a local blogger last Saturday who sent her a link to the Kennedy ad.

"The blogger indicated to Ms. McGuinness that he had gained access to the advertisement by use of passwords," Goldfarb said in the statement. "Exercising poor judgment, Ms. McGuinness opened the link, watched the advertisement and asked others on our campaign to watch it."

Address that. The Channel 11 article also says that they FIRED her-not asked her to resign but FIRED her.

At least Klobachur has a sense of right and wrong even if you all don't.

The INFO was used AGAINST Kennedy to keep him from ATTAINING A JOB. At least that would be the intent. It's not the same as walking past a box of "stuff" in someone's yard.

Honestly it

I therefore typed in the name 'Allen.' Nothing more, nothing less.

What a coincidence! The name 'Allen' is the very first word that pops into my head when confronted by a password screen too!

Really, isn't that kind of fishy? If he had used MKennedy or MarkK or even Kronos, I could see where that would come from. But "Allen?" Where did that come from? That's like asking us to believe he would have Rumpelstiltskin's name on the first try!

isn't this an electronic Watergate??

Chuck simply confuses the "letter of the law" with the "spirit of the law", something most children do to take advantage of a situation when trying to worm their way out of responsibility for screwing up.
This is not exclusive to the Democratic side of the fence but a snapshot tally indicates it is more prevalent.
The only question remaining seems to be;
Will more children or responsible adults be voting in the upcoming elections?

Rory:

Bwahahahahaha! And you say *my* analogy is convoluted?? Oooh, it's so evil to campaign against someone because it would stop them from ATTAINING A JOB!!!1!one! Are Kennedy's campaign ads attempting to deny Klobuchar the same job not equally evil then?

And *you* are the one who originally wrote about "asking her to resign", not me! Now I'm at fault for your inaccuracy too?

And Hogarth, if you'd read Kunin's comment, I think it makes the reason for trying "Allen" pretty straightforward:

CLARIFICATION: The word “Allen” was used because Scott Howell has also been retained by Senator George Allen. No user was asked for.

There is one, and only one, question here, and that is whether access to the video on the public website was illegal. The point of my "convoluted" analogy is to explain why, since the so called "password" page links to an open page which is likely publicly searchable, the actions described can hardly be characterized as some kind of breakin.

Michael Steele, Schwartzenegger, and now this. Looks like the list of Democrat theft is starting to get pretty long.

And don't forget that a low-level Bush staff member pleaded guilty to stealing debate materials and giving them to the Kerry campaign during the 2004 Presidential race.

These are the guys who went nuts because the NSA was monitoring communications "without a warrant." Ironic, isn't it.

Mike: Ironic indeed that a party that has no problem with the president wiretapping the whole nation finds posting a link to a public web page to be a high crime deserving of life imprisonment, or at least some good waterboarding.

Good times. Vaguely reminds of Manny Miranda, who was chief counsel for Orinn Hatch, until Hatch fired him because he'd broken into the Democrats' strategy memos (except, of course, the memos in question weren't publicly available on the web). Miranda's defense, as I recall, was that the Democrats' security was really easy to bypass, and so it didn't count as theft. Or something.

Ah, the memories of the days when Republican lawbreaking was simple theft.

Sounds like a typical response from a child: "It just happened! I don't know how!" (does the two hands waved in the air indicating 'clueless' a la Seinfeld)

I blame Karl Rove!

Rheinhard, "a party that has no problem with the president wiretapping the whole nation"

So you mean Clinton, then? I seem to recall Clintonistas creating and installing "black boxes" in various ISPs without warrants to collect who knows what info from American citizens. As well all know, there were no terrorist threats until George W. Bush came to power in 2001.

And lest we forget Hillary Clinton mysteriously losing and then finding a pile of files that the FBI dug up on their opponents for her and her co-President.

So that is what you are referring to, right? I don't believe the perfectly legal (as reviewed by the courts) security powers the President has to conduct surveillance of foreign agents even if half of the conversation ends up in the USA. Right?

Basically, chuck is saying that it was possible for the accused to reach the page without entering the password.

Assuming he had the URL from some 3rd party source, this is true. However, from his account, this doesn't seem to be the case. He saw the password screen first, then realized you could bypass that entirely.

He, at least, appears to be on the hook. Unless he notified those he forwarded it to what he was doing, they are probably not, having simply clicked on what they assumed was a public URL.

Um, the "break in and take things from house" analogy is inappropriate--only one person can possess an item of physical property and houses are definitely not public spaces.

URLs that are unprotected by passwords, encryption, etc. are available to anyone who knows the URL. PRetty much a public space, even if somewhat off the beaten path. Imagine a house with glass walls and no fence where anyone can look in from the street, so long as they know the address. And looking into such houses is no crime. Cover up the walls if you don't like people looking in.

And it sounds like that "password" was pretty much directing the client (or interloper) to the unprotected URL. The password is really just a navigational aid to the publicly available information.

So someone who used the password function and someone who found the URL without using the password function are able to see the same thing. Neither party is authorized. But the former is in trouble, while the latter is not, solely because of the password page use?

I'm not sure that makes sense, except in the odd world of "if you use the word password on navigational aids, but do not otherwise protect a URL, it changes things."

I wouldn't necessarily have known or assumed that guessing a password (or knowing a password) to a website was a crime. For one thing, lots of stuff that seems rather unethical isn't a crime on the internet, because the laws haven't caught up with the technology. In addition, one might simply presume that if you're clever enough to figure out the pass then the welcome mat is out. Finally, is it illegal to "crash" a "private" party, when you're not on the guest list? Wouldn't this be similar? If not, why not?

I'm not really questioning the conclusions. The ethics are clearly questionable, but that doesn't necessarily mean the legalities are clear.

hmm, what happened to my and other comments in this thread? deleted?

i'm done here i guess.

Why is it when a conservative site is "hacked" or information was removed it is a minor offense, but when the Demorats in Congress actually did allow unfettered access to their judicial screening information, the republican staffer was to be "frog marched out" and his head placed on a pike? Unlike these obvious intrusions to "secure" (or seemingly secure) areas, the congressional access was GIVEN by it's placement in the open registry of the network.

I think Chuck is actually speaking perfect sense. It sounds like there was essentially zero protection on these files. I mean, the source code GAVE the end URL to the user -- all one had to do was fill in the missing blank, which turned out to be terribly obvious (but indeed simple for the customer!). Is that a crime? Perhaps in the court of public opinion, where most people have irrational fears about computer security, and we're already aligned with our partisan causes. But in any real court, this case would never come close to being heard. When someone publishes information on a public webserver, it's fair game for public viewing. There is nothing illegal about accessing unsecured content on a publicly-accessible web server. This consultant's "password" prompt is nice, but in the end, it simply redirects to an unsecure page with the "password" contained in the URL. That's not even shoddy security, that's just not security at all.

The better house/door analogy would be, say that I have a photograph mounted in my store that I don't want seen by passersby, only by select customers. So I pull the shade on the front window. But, it sounds like Kennedy's consulting firm neglected to note there was also a huge side window with no shade or curtains at all.

I imagine that this whole thing got filtered through a computer-illiterate type at Klobuchar's campaign, and they overreacted with the fear of hacking scandals etc. But it's nothing of the sort. And now Mark Kennedy is playing drama queen, taking down his public web site, which wasn't even affected. And as if he's mirroring his consultant's so-called "security", he doesn't even take down the site or hide the pages -- he just adds a simple "redirect" to the code, so each pages flashes on the screen momentarily (and can be stopped & downloaded easily) before redirecting to his "urgent security message".

I'm with chuck on this. There is no warning on this page or any description whatsoever.

If it is truly a redirect then its not like a front door left open. Its like a front door out in the middle of the yard, with the contents sitting right behind it. All you have to do is walk around it.

I think they'll beat it.

That being said, wtf were they thinking?

The legal issues aren't the primary political problem.

Certainly, the appearance is that someone did something wrong. Clearly Klobuchar takes this view by reporting the event to the FBI and firing the worker who viewed it.

So, if there is at least cause to investigate, the question becomes WHY delay the report several days after they knew about it? Was it to get past the debate, so no embarassing questions could be asked about the incident?

The pressing question now is: "What did Amy Klobuchar know, and when did she know it?"