‘What I Learned Trying to Secure Congressional Campaigns’

Maciej Cegłowski:

Practical campaign security is a wood chipper for your hopes and dreams. It sits at the intersection of 19 kinds of status quo, each more odious than the last. You have to accept the fact that computers are broken, software is terrible, campaign finance is evil, the political parties are inept, the DCCC exists, politics is full of parasites, tech companies are run by arrogant man-children, and so on.

Putting aside the urge to fix these broken systems long enough to help people get work done is the great unsolved problem of campaign security. You will start out a descriptivist and end up a zealot, like I did. Trying to secure a modern campaign is like doing surgery with a scalpel made out of anthrax spores. At some point you will throw down the anthrax scalpel and say “this is impossible!”, as it disappears in a puff of lethal dust. But the patient still needs you!

Noble effort. Outstanding writing.

Getting regular people—let alone regular people who are also working for a political campaign—to spend any extra time on securing their digital accounts is a daunting task, but it makes for a deeply interesting story.

I think my main takeaway, security-related at least, was how malicious attachments are still a primary vector of attack. An email containing a spreadsheet titled “donor-list.xls” will almost certainly be opened. And for folks not using a device that makes dubious .xls files benign (like a Chromebook or something running iOS), then it doesn’t matter how strong your email password is—game’s over.