
jg10003

(976 posts)
Sun Dec 20, 2015, 03:04 AM Dec 2015

Why I believe Josh Uretsky's explanation

I have been a computer programmer / systems analyst for 25 years, going back to mainframes with 5 megabyte hard drives. I have worked for some of the largest financial institutions, public utilities, and healthcare companies. The explanation given by Josh Uretsky is not only plausible but would be a routine and unremarkable occurrence in any organization other than a political campaign.

After noticing that the Sanders team had unauthorized access to Clinton files, Uretsky investigated the problem using a method known as a “white hat intrusion.” In order to determine the extent of a security breach the tester assumes the role of an unauthorized user. In other words, in order to determine how much of the Sanders data was compromised, Uretsky acts as if he was a Clinton operative trying to access Sanders’ data. The purpose of this is not to act maliciously (that would be a “black hat intrusion”). The purpose is to discover vulnerabilities in your own system.

Why I believe Josh Uretsky's explanation (Original Post) jg10003 Dec 2015 OP
Riiiiiiiiiiiiiiight. JaneyVee Dec 2015 #1
You know, there actually was a short lived reality series a few years ago notadmblnd Dec 2015 #6
The OP is right--this is exactly the way bugs are documented. n/t winter is coming Dec 2015 #7
Nice metaphor you're slinging. How is a house like common IT practice? highprincipleswork Dec 2015 #13
If they broke in to your house, would you call the cops or the media? tecelote Dec 2015 #15
And if a manager of, say, a retail store forgot to lock the door one night . . . markpkessinger Dec 2015 #22
You can do that with random ranges, not specific ones. joshcryer Dec 2015 #2
Yeah. He had me until I saw what searches were run 6chars Dec 2015 #18
Yeah, they were way too specific. joshcryer Dec 2015 #19
Great explanation. I hope many read it. Starry Messenger Dec 2015 #20
Sanders didn't buy his explanation. LuvLoogie Dec 2015 #3
Uretsky's failure was... Lefty Thinker Dec 2015 #14
I do too notadmblnd Dec 2015 #4
Bernie fired him. Tonight we learned two others were fired. emulatorloo Dec 2015 #5
I agree Uretsky showed poor judgement jg10003 Dec 2015 #10
Sanders threw an innocent man under the bus? mwrguy Dec 2015 #8
Sanders threw an innocent man under the bus? AlbertCat Dec 2015 #16
Thanks for posting that. madfloridian Dec 2015 #9
Other than he was operating as a Sanders operative trying to access Clinton data, you're spot on Electric Monk Dec 2015 #11
Maybe...maybe not Chitown Kev Dec 2015 #12
There is a new report saying that at least one staffer took steps to cover his tracks. pnwmom Dec 2015 #17
That was my take on it, too, until I read this . . . markpkessinger Dec 2015 #21
Sanders data director could've easily told the data company to do the intrusion testing themselves... uponit7771 Dec 2015 #23
 

JaneyVee

(19,877 posts)
1. Riiiiiiiiiiiiiiight.
Sun Dec 20, 2015, 03:09 AM
Dec 2015

I broke in to your house and stole your jewelry to remind you to lock the door.

That is absurd. They copied files to a folder.

notadmblnd

(23,720 posts)
6. You know, there actually was a short lived reality series a few years ago
Sun Dec 20, 2015, 03:24 AM
Dec 2015

where a former thief broke into people's homes to show home owners how easy it was.

tecelote

(5,122 posts)
15. If they broke in to your house, would you call the cops or the media?
Sun Dec 20, 2015, 04:54 AM
Dec 2015

A much more relevant example would be, your bank opened your personal data and accounts to outside people.

Why has no action been taken for the continued incompetence of the vendor and DNC staff?

markpkessinger

(8,396 posts)
22. And if a manager of, say, a retail store forgot to lock the door one night . . .
Sun Dec 20, 2015, 04:37 PM
Dec 2015

. . . and merchandise was stolen from the store that night as a result, to be sure the store owner would want to press charges against the thieves. But he or she would also immediately fire the person who left the door open. Yet the DNC retains its vendor relationship with NGP VAN. In the world of corporate IT, if a database security flaw like that came to light, it would result in the immediate termination of the vendor relationship, as well as the engagement of a new vendor to address the security flaw. So why does the DNC continue to retain NGP VAN? And, having failed to ensure that remedial action to fix the flaw was timely taken, where is Debbie Wasserman Schultz's resignation letter?

joshcryer

(62,270 posts)
2. You can do that with random ranges, not specific ones.
Sun Dec 20, 2015, 03:11 AM
Dec 2015

And in this day and age you would document with video and a clear and unambiguous trail. There's a reason two others were suspended.

6chars

(3,967 posts)
18. Yeah. He had me until I saw what searches were run
Sun Dec 20, 2015, 06:48 AM
Dec 2015

I am still unclear about whether the actual lists of all likely Hillary voters in Iowa were downloaded (I don't think so) or only a page of summary info. In the latter case, I would think the strategic benefit was minimal. In any event, not worth the fallout. Uretsky did not cover himself with glory.

joshcryer

(62,270 posts)
19. Yeah, they were way too specific.
Sun Dec 20, 2015, 07:20 AM
Dec 2015

But I think you're wrong about what kind of data was released. It was voter file data, which NGP VAN covers their ass by saying doesn't reveal anything (and they admit it was voter file data). But voter file data does have use when it's applied to a known voter registry that any campaign can get from the state parties for a price. So you export Clinton's >70 list (people who are 70% or more likely to vote for her) and then correlate it with the known voter list.

Yes, the voter file data contains no names of voters, you have to use the NGP VAN software to figure it out. However, if you know how the software works (which Ali Nikseresht most certainly does, because he was one of the architects), then you create a 0% list of all registered voters in the state, and then run the voter file on that list, the software would then generate a list of names in the range of the list you ran on it. As if your campaign workers were calling up each person and building a list of people. You could do it over the span of a week or two and no one would notice because you could just claim you had more people phone banking and gathering the data and manually inputting the data.

Now I don't think that they had that setup, but I do think that they were saving the data for the potential of doing something with it. And I think that Nikseresht getting escalation privileges right before they lost access indicated that they were beginning to work on making it useful. If NGP VAN didn't shut it down I think that the scandal would be far greater than it was.

The strategic benefit is twofold, labor saving on both exclusion lists, and target lists. It's obvious I'm sure to you but I'll explain for anyone reading.

If you have data on people who are 60+ for Clinton you don't have to waste time trying to convince them to vote for candidate, exclusion lists. If you have data on people who are 40- for Clinton you can focus all your energy on getting them to go for your candidate. This is a labor savings of twofold, if not tenfold since you don't have to build your own exclusion lists to begin with, you don't even have to bother going after unknowns until you've gone through the list the other campaign already made. It's enormously valuable data and the searches were clearly intending to get it.

Doing random range searches under 5 over the span of the list, then making a list named "This is Buggy" then saving them to that list would be what a white hat would've done. (And we know they can name lists because they made a "Not Hilary" list, which I thought was amusing because they couldn't be bothered to spell her name right.)

LuvLoogie

(7,003 posts)
3. Sanders didn't buy his explanation.
Sun Dec 20, 2015, 03:13 AM
Dec 2015

"Uretsky acts as if he was a Clinton operative trying to access Sanders’ data." As if...!!

Except that he was a Sanders operative trying to access Clinton's data.

No, no I keed! I get it! Black is white and white is black.

Welcome to DU, but your OP is a firing, an apology, and two suspensions behind the curve.

Lefty Thinker

(96 posts)
14. Uretsky's failure was...
Sun Dec 20, 2015, 04:38 AM
Dec 2015

...not getting a respected third party digital investigator to do the investigation and keep all of the data completely separate from the Sanders campaign. The documented activities of the accounts linked with the Sanders campaign are, I concur, consistent with an investigation of the severity of the access control system failure. In computer systems it is often reasonable to gauge how A can access X by looking at how B can access Y (when A and X share the same relationship as B and Y - campaign staffer and file from other campaign in this case).

notadmblnd

(23,720 posts)
4. I do too
Sun Dec 20, 2015, 03:21 AM
Dec 2015

and I'm going to take a moment here to admit I was wrong. When it first broke, my first assumption was that he was a saboteur. After reading and learning more the past couple of days I have come to the conclusion that I was mistaken.

emulatorloo

(44,124 posts)
5. Bernie fired him. Tonight we learned two others were fired.
Sun Dec 20, 2015, 03:24 AM
Dec 2015

Uretsky did not tell Bernie he did this. Probably because he was ashamed and knew Bernie would fire him.

Bernie correctly apologized to HRC tonight for the actions of his rogue staff members.

As always, I trust Bernie's judgement. Uretsky's judgement not so much.

I don't think Josh is a bad person, I just think he was over-enthusiastic when he saw he could access HRC's early state data. And then he made a poor judgement call.

jg10003

(976 posts)
10. I agree Uretsky showed poor judgement
Sun Dec 20, 2015, 04:04 AM
Dec 2015

As I said, in most organizations this would not be a big deal. However a national campaign is different, there is no room for moral gray areas. Also according to his LinkedIn profile he is an experienced political operative. So while his intentions may have been limited to assessing the problem, he should have known that even glancing at Clinton's data was asking for trouble.

 

AlbertCat

(17,505 posts)
16. Sanders threw an innocent man under the bus?
Sun Dec 20, 2015, 04:55 AM
Dec 2015

It's a little more complicated than that.

This will not fit on a bumper sticker and make any sense.

madfloridian

(88,117 posts)
9. Thanks for posting that.
Sun Dec 20, 2015, 03:55 AM
Dec 2015

I have been reading several of the techie sites, and I've been surprised I could understand a lot of it...I'm not technologically inclined.

Mostly it will fall on deaf ears here, though. Too many minds are made up. Uretsky left a trail with Bernie's name attached....who would do that for nefarious reasons?

Thanks.

 

Electric Monk

(13,869 posts)
11. Other than he was operating as a Sanders operative trying to access Clinton data, you're spot on
Sun Dec 20, 2015, 04:05 AM
Dec 2015
http://www.democraticunderground.com/1251916203

He had a point to prove. He made his point. He then got fired for it. He's obviously unfit for inside the beltway.

Chitown Kev

(2,197 posts)
12. Maybe...maybe not
Sun Dec 20, 2015, 04:08 AM
Dec 2015

but it is not his job as a campaign staffer to investigate the breach, it is his job to report the breach to his superiors and to the vendor.

And he did it, what, 24, 25 times.

pnwmom

(108,978 posts)
17. There is a new report saying that at least one staffer took steps to cover his tracks.
Sun Dec 20, 2015, 05:53 AM
Dec 2015

If that were true would that change your mind?

http://www.ibtimes.com/bernie-sanders-campaign-suspends-2-aides-over-clinton-data-breach-2233608

According to a timeline of the entire episode, posted by Democratic Party’s chief Amy Dacey, Uretsky and three other aides were seen making more than 25 targeted searches of Clinton’s voter data. Dacey’s account also details attempts by one of the aides to delete records to hide his tracks, contradicting Uretsky’s earlier claim that he was trying to establish proof of a data breach, not to peek into the Clinton campaign.

markpkessinger

(8,396 posts)
21. That was my take on it, too, until I read this . . .
Sun Dec 20, 2015, 04:17 PM
Dec 2015

. . . from CNN's reporting:

The Sanders team, which consisted of four people, ran multiple searches in Iowa, New Hampshire, Nevada, South Carolina and about 10 March states, including Florida and Colorado. In Iowa and New Hampshire, the Clinton campaign has ranked voters on a scale of 1-100 for turnout, enthusiasm and support, the senior Democrats said. The Sanders campaign ran two searches: "Show me all the Clinton people rated higher than 60" and "Show me all the people rated less than 30." This would be a key way of knowing who Sanders should target in the final weeks before voting: Ignore those above 60, while focus on those below 30, because they are looking for a Clinton alternative and might be open to Sanders.


So, this index of turnout/enthusiasm/support, is a database field created by, and the property of, the Clinton campaign. If Uretsky's intent had been merely investigative, he could have included that field in a select query, with no particular selection criteria specified, in order to test whether proprietary fields were exposed. There would have been no need to place any particular selection criteria on that field in the query, much less to filter it in a way that would yield information that could be specifically useful to the Sanders campaign. As for not attempting to cover his tracks, I'm sure Uretsky was aware that it is EXTREMELY difficult to get around a database's audit logs (that is, it is extremely difficult if the designers of the database had even minimal competency), and thus knew better than to even try (as the attempt itself would have raised red flags). Instead, he figured that if the queries came to light, he could pass them off as having been investigative in nature. Uretsky knew the security vulnerability was there. I think he figured that since they had previously reported that vulnerability, and nothing had been done about it, he could get away with exploiting that vulnerability to the benefit of the Sanders campaign, and that if any question should arise, he could claim his intent was investigative, citing the fact that he didn't try to cover his tracks to support that claim.

In the end, it was a monumentally stupid move by a campaign staffer, and he deserved to be fired because of it. When it came to light, the Sanders campaign took immediate, appropriate and effective remedial action. And THAT fact -- i.e., that the Sanders campaign had already taken timely, appropriate and effective remedial action, is what made the DNC's attempt to 'punish' the Sanders campaign so outrageous. The DNC's and Wasserman Schultz's disingenuousness is revealed for exactly what it is by the fact that the DNC was notified of a major security flaw in October, and two months later, no corrective action had been taken. I work in legal IT for a major international law firm. In my world, if a flaw like that had come to light, the vendor relationship would be immediately terminated, because it demonstrates the vendor's rank incompetence in database design. So why had the DNC not compelled NGP VAN to fix the flaw? That's anybody's guess. Why did the DNC not terminate the vendor relationship with NGP Van? Gee, do you think it could possibly have something to do with the fact that Stu Trevelyan, the CEO of NGP VAN, was a '92 staffer in the Clinton-Gore campaign, and a White House staffer during the Clinton presidency?

Wasserman Schultz is correct that an "open door" does not provide cover for someone who exploits it in order to access something they would not otherwise have access to. But there's another part of that analogy that points a finger back at the management of the DNC under Wasserman Schultz. Think of a retail store whose manager one night forgot to lock the doors upon closing, and the store, as it happened, was robbed that night. The owner of the store will certainly want to press charges against the thieves; but that owner will also most certainly fire the person who left the door open in the first place!
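
The distinction reply 21 draws between an unfiltered check that a proprietary field is exposed and a query filtered on that field, as an added example (not part of any post in this thread, and not NGP VAN's code): a reviewer's classification of audit records. The table, column and tenant names and every row are constructed for illustration, and the rule in `classify` is an assumption about how such a review could be scored.

```python
import sqlite3

# Constructed sample: one shared table holding two tenants' rows and no
# per-tenant access control. All names and values are hypothetical.
PROPRIETARY = {"support_score"}          # field created and owned by a tenant
ALLOWED_OPS = {">", "<", ">=", "<=", "="}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scores (tenant TEXT, voter_id INTEGER, support_score INTEGER)")
    rows = [("A", i, s) for i, s in enumerate([10, 25, 45, 62, 71, 88, 93])]
    rows += [("B", 100 + i, s) for i, s in enumerate([15, 55, 80])]
    db.executemany("INSERT INTO scores VALUES (?, ?, ?)", rows)
    return db

def run_query(db, audit, caller, target, filters=(), limit=None, saved_as=None):
    """Run a SELECT over `target`'s rows and append an audit record of the request."""
    sql, params = "SELECT voter_id, support_score FROM scores WHERE tenant = ?", [target]
    for col, op, val in filters:
        # Only whitelisted column names and operators are interpolated; values are bound.
        if col not in PROPRIETARY or op not in ALLOWED_OPS:
            raise ValueError("unsupported filter")
        sql += f" AND {col} {op} ?"
        params.append(val)
    if limit is not None:
        sql += " LIMIT ?"
        params.append(limit)
    rows = db.execute(sql, params).fetchall()
    audit.append({"caller": caller, "target": target, "filters": list(filters),
                  "rows": len(rows), "saved_as": saved_as})
    return rows

def classify(entry):
    """Label one audit record the way a reviewer would."""
    if entry["caller"] == entry["target"]:
        return "own-data"
    filtered = any(col in PROPRIETARY for col, _, _ in entry["filters"])
    if filtered or entry["saved_as"]:
        return "targeted-cross-tenant"   # criteria on, or a saved copy of, another tenant's field
    return "exposure-check"              # shows the field is readable, selects nothing by value

def review(audit):
    return [(e["caller"], e["target"], e["rows"], classify(e)) for e in audit]

if __name__ == "__main__":
    db, audit = make_db(), []
    run_query(db, audit, "B", "B")
    run_query(db, audit, "B", "A", limit=1)
    run_query(db, audit, "B", "A", filters=[("support_score", ">", 60)], saved_as="list-1")
    run_query(db, audit, "B", "A", filters=[("support_score", "<", 30)])
    for row in review(audit):
        print(row)
```

Both cross-tenant labels are findings against the access-control layer; the label only separates a record that demonstrates exposure from one that selects on the other tenant's values.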

uponit7771

(90,339 posts)
23. Sanders data director could've easily told the data company to do the intrusion testing themselves...
Sun Dec 20, 2015, 06:30 PM
Dec 2015

... after informing them that the data can be accessed.

Also, why didn't he just filter out the Clinton data?! The DB logs show he and others searched on the Clinton data that they KNEW should've been hidden from them.
