So I surf on over to The UpTake this afternoon to see if the winter storm we got last night will make it hard for Franken's witnesses to make it to the courtroom today -- the Franken team won't rest now until tomorrow because of the danged storm -- and this greets me at the front page:
The short story: The Coleman campaign claimed about six weeks ago that its website had been crashed by thousands of people looking to see if their absentee ballots were on Norm's list of rejected absentee ballots. Local blogger MNPublius showed evidence indicating that Norm's people may have 'crashed' their own site by taking it offline for a while so they could blame the outage on a flood of visitors. IT security consultant Adria Richards decided to investigate the situation -- and found a security nightmare:
I had to see what all the fuss was about. Was there really an attempt to bring down the website due to political unrest with these ballots in my state? Were the allegations of a poorly coded website true?
What I got instead was a plain text listing of directories…
The Database of Norm Coleman
That's right: She stumbled upon Norm Coleman's donor database. Complete with credit-card information, home addresses, and phone numbers.
Now, most campaigns, faced with abundant bad publicity and made aware of a significant security leak, would fix the problem. But it seems Norm's a little too distracted by his hopeless recount battle to bother with such trivia.
This, as we shall see, could lead Norm to spend yet more time in courtrooms:
[UPDATE: Norm could be in serious legal hot water over this. Neglecting to fix a known vulnerability on a site that takes and stores credit-card data is a big, big no-no under the card industry's own rules (PCI DSS), never mind the donors whose card numbers are now floating around.]
He and his lawyers are desperately trying to spin this as evil mean hackers attacking poor pathetic them for partisan purposes. Au contraire: it seems the database was released by people annoyed by the Coleman crew's inaction on addressing the original security breach. Besides, no hacking was necessary:
Congratulations, Norm! It looks like you're in the running for Most Incompetent Con 2009. Al Franken's whuppin' your ass, but you might just win something this year.
The accusation made by Wikileaks.org is that the data wasn't hacked at all: for a few hours in January the campaign left its entire site database, unencrypted, in a publicly accessible location on its web server, where anyone who found the directory listing could simply download it.
One other thing has to be noted, as well: Merchants are not supposed to store a card's security code (the three-digit CVV2/CVC2 on the back of the card, four digits on the front of an Amex) anywhere after the sale -- the PCI DSS rules say it may be used only to authorize the charge and must then be discarded, not kept even in encrypted form. But in fact, the downloaders were able to get those, too.
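To make the two failures concrete, here is a small audit script I added for this post; it is my own code, not anything from Adria Richards, Wikileaks, or the Coleman campaign. It checks (1) whether a web page is an auto-generated directory index and which of the listed files are the sort of thing that should never be reachable from a browser (SQL dumps, backups, spreadsheets), and (2) whether a data export has columns that PCI DSS forbids keeping after authorization (CVV2/CVC2, full track data, PIN blocks). The HTML listing and the CSV export are constructed samples, and the hostname `example.invalid` is a placeholder, so the script runs offline.

```python
"""Audit helpers for 'is my database sitting in a web-readable directory?' and
'am I storing card data I'm not allowed to store?'. Added example, not from the
original post; all sample input below is constructed."""
import csv
import io
import os
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# File types that usually mean a database export or backup is sitting in the web root.
SENSITIVE_EXTENSIONS = {".sql", ".mdb", ".bak", ".csv", ".xls", ".xlsx",
                        ".zip", ".gz", ".db", ".sqlite"}

# Column names that indicate sensitive authentication data is being retained
# (PCI DSS says none of these may be stored after the charge is authorized).
FORBIDDEN_COLUMN_PATTERNS = [
    re.compile(r"^(cvv2?|cvc2?|cid|csc|card[_ ]?code|security[_ ]?code)$", re.I),
    re.compile(r"track[_ ]?[12]", re.I),
    re.compile(r"pin[_ ]?block", re.I),
]


class _LinkCollector(HTMLParser):
    """Pull the <title> and every <a href> out of an HTML page, in document order."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(body: str) -> bool:
    """Heuristic for auto-index pages: Apache and nginx use 'Index of /path',
    Python's http.server uses 'Directory listing for /path'."""
    parser = _LinkCollector()
    parser.feed(body)
    return re.match(r"\s*(Index of|Directory listing for)\s", parser.title, re.I) is not None


def exposed_files(base_url: str, body: str) -> list:
    """Absolute URLs of listed files whose extension suggests a data dump or backup.
    Sort links (?C=N;O=D), the parent link and subdirectories are ignored."""
    parser = _LinkCollector()
    parser.feed(body)
    found = []
    for href in parser.hrefs:
        path = href.split("?", 1)[0]          # drop Apache's column-sort query strings
        if not path or path.endswith("/"):    # parent dir, subdirectories
            continue
        ext = os.path.splitext(path.lower())[1]
        if ext in SENSITIVE_EXTENSIONS:
            found.append(urljoin(base_url, href))
    return found


def find_forbidden_columns(csv_text: str) -> list:
    """Header names in a CSV export that match a forbidden card-data field."""
    header = next(csv.reader(io.StringIO(csv_text)))
    return [col for col in header
            if any(p.search(col.strip()) for p in FORBIDDEN_COLUMN_PATTERNS)]


# --- constructed sample input (hypothetical; mimics an Apache auto-index page) ---
SAMPLE_LISTING = """<html><head><title>Index of /data</title></head><body>
<h1>Index of /data</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="backup/">backup/</a>
<a href="donors_export.sql">donors_export.sql</a>
<a href="absentee_list.csv">absentee_list.csv</a>
<a href="index.php">index.php</a>
<a href="logo.png">logo.png</a>
</pre></body></html>"""

# Constructed export; the card number is the standard Visa test PAN, not a real card.
SAMPLE_EXPORT = (
    "donor_id,name,address,phone,card_number,expiry,cvv\n"
    "1,Jane Doe,123 Main St,555-0100,4111111111111111,01/10,123\n"
)

if __name__ == "__main__":
    print("directory listing:", is_directory_listing(SAMPLE_LISTING))
    print("exposed files:", exposed_files("http://example.invalid/data/", SAMPLE_LISTING))
    print("forbidden columns:", find_forbidden_columns(SAMPLE_EXPORT))
```

The fix for the first problem is a one-liner in Apache (`Options -Indexes` in httpd.conf or .htaccess) plus keeping dumps and backups out of the document root altogether; the fix for the second is not to write the security code to disk in the first place, since PCI DSS allows no form of retention for it.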