GOP CD accumulates data, but data is not secured

Let’s suppose I got the Republican CD advocating the marriage amendment in the mail. And let’s assume — and remember this is a hypothetical here — I had enough intelligence to decompile the program and figure out what data is being captured and sent. Could I do it?

Yes. Someone did.

No.”, “Time”, “Source”, “Destination”, “Protocol”, “Info”

“1”, “17:11:52.780492305”, “***.1**.***.*2*”, “*0.2.*.81”, “TCP”, “1106 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460”

“2”, “17:11:52.794481754”, “**.*.*.**”, “***.***.1*5.***”, “TCP”, “http > 1106 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460”

(Update 9:08 p.m.: This is not the available data. This is the internal stream as we ran the program. We’re not going to show any of the data we actually found and in the image below, you’re not going to get any useful data. We’ll show the actual contents of the packets if the subcontractor denies the existence of the information. We’re not interested in exposing the subcontractor to a malicious attack while this information is still available. This is a privacy issue, not about how to compromise the site with the information. )

Now that’s pretty basic stuff: what your IP is, what your CPU is, what your operating system is. But is it possible for me to find out how you vote in elections? What your position on abortion is? Or even how long it takes you to answer those questions? ? Can I get your private phone number, your address, your name, your spouse’s name, your IP?

Yes. Someone did.

Using the stream indicated above, people way smarter than me were able to figure out the destination for the data being accumulated, and then poked around and found the site. And the data was not secured at the site.

I checked to see if two entries I made via the CD — one for Tim Pawlenty and one for Joe Blow — showed up in the database. Yep. This must be the place.

The screenshot above is a sample of several we took. Another has the answers along with the code of the submittor, the identity of whom can be ascertained easily with the data above.

What’s worse, the information is on an unsecured Web site. I’m not going to tell you what site we found it on (until it’s been secured), just to let you know that the data is there. And it can be found by anyone who can decompile the program on the CD.

We could — if we were malicious (and we’re not ) — change the questions that are “on the CD” because they’re really not on the CD. The program connects to a database and provides the questions.

Imagine if thousands of CDs arrived in homes with the question “do you like Siegried and Roy?”

We could steal the data. In fact, the mailing list of more than 259,000 25,000 names is also on the site, and is easily downloaded into a spreadsheet. Cool. Twenty-five-thousand names and addresses. Free.

This is a significant security flaw. And it’s coming to a mailbox near you in a few days.

It also leaves a cookie behind on your computer, although we haven’t figured out what that does yet. (Update: The cookie is likely nothing – just a way to autofill some information if you decide to go back later and resubmit your answers.)

This is why it matters when someone raises concerns about data. This is why it matters if someone asks you if you’re collecting it. This is why it matters if someone asks you what you’ll do it with it. This is why it matters if someone asks if you’re protecting it. Privacy concerns are bipartisan.

But didn’t anyone ask these questions already?

  • grateful listener

    Good work. Thanks!

  • Just another skeptic

    Sorry, but the IP addresses you have on the packet snipet are not valid. Public IP addresses cannot fall in the 192.168.xxx.xxx or 10.xxx.xxx.xxx ranges because they fall in the ranges reserved for internal networks only, which means you can’t use them anywhere other than in your own network.

    Show us the real contents of the packets, unless this is all just another nutty conspiracy theory.

  • I agree, can we see the entire contents of the packets? Those of us with a bit of tech-savvy might be able to parse a bit more information out of it. However, the fact that this data is being made public is a very worrisome sign…..

  • um, that really doesn’t say anything… as the skeptic said, those are internal IP ranges. Before you continue to run your posts about how bad the GOP is, perhaps you should show us a) what is actually being sent, and b) any privacy policy or what’s on the packaging…

  • Ron Dumsfeld

    In other words, “Trust me. The GOP is playing fast and loose. I saw it, but I won’t tell you where.”

    Thanks….for nothing.

  • Bob Collins

    Yep, we’ll show you the actual packets AFTER the information has been secured by the subcontractor. I’m not going to make information available that can be used tonight to launch an attack on a subcontractor’s server AND allow people to get information that — and I guess this is the point that keeps getting lost — they shouldn’t be seeing.

    If you want to do that, go to the GOP, ask for a copy of the CD, and decompile to your heart’s content. But I don’t know who any of you are, especially since most of you are providing phony e-mail addresses when filling out the form and — in case you haven’t noticed — I don’t trust people to safeguard data.

    If you disagree, fine. Like I said, go get your own copy. But I’m protecting this one, and the data it exposes.

    Someone’s got to.

  • anonymous

    The author mentioned that he’s not going to tell us the destination IP address. So, of course he’s using 10.- and 192.168.-. He also mentioned this is coming soon to a mailbox. So, this is verifiable. Let’s check it out.

    The question is (a) whether anyone can verify it from the CD (without posting the destination IP, and (b) is the GOP any worse than many others?

  • lontlont

    Wow. What you probably got to look at is part of the Republican “voter file.” (They call it voter/wol or voter vault) This is THE tool for winning elections in the field: once you’ve identified the political leanings of voters, you know which voters you want to come out and vote, and which you can stop wasting your targeted money (mail/phone calls, etc.) on. Think about that: if you already know how people are going to vote IF they come out and vote, then you know exactly who you want to come to the polls and who you don’t.

    Both parties have voter files, and updating it is the main part of what the field operations of both parties work on every campaign season. It’s extremely important.

    And if it weren’t illegal to use that propriotary data, Democrats would KILL to be able to see the Republican voter file (and vice-versa). It would be worth litterally MILLIONS of dollars to them.

    So I guess what I’m ultimately saying is that the fact that it was insecure had to be unintenional. As I said, having anyone being able to see that data is ultra-super-mega-bad for the Republican party. They have, in many ways, a far far greater monetary and strategic incentive to keep it completely protected and secure than even the privacy concerns of the people who are being tracked.

  • Wow! This is been very interesting to follow… Great work Bob, keep it up!

    Someone else commented a day or two ago about a polling call they got asking similar questions. I also got a call like this. I don’t remember asking who they were except their questions were very leading, and obviously from a right leaning group. I did ask how they got my contact info, and they asked if I voted recently. When I confirmed I did, they said they got it from the voter’s registration. I didn’t know that was public information.

    I wonder if I’ll be lucky enough to get a CD? Can I be Tim Pawlenty too?

  • Whether the data is publicly available or not is not an issue – you’re right, it probably is coming straight out of the GOP voter file system. It’s how this poll data is collected that’s an issue. If the CD really is “phoning home” with personally identifiable data, whether it’s just an IP address, or name-identified information, and doing so without a privacy statement which specifically states that it’s doing so, it could be defined as spyware. Do a quick search on the Sony Rootkit scandal, and you’ll have a good idea of the kind of furor this can ignite.

    Also, Bob, I didn’t know quite what to say in response. I’m definitely not using a phony email address – try it if you’re interested. If you want to protect the sub-contractor for any reason, then can you confirm that the IP address packets are being sent to is NOT in the 10.xxx.xxx.xxx or 192.168.xxx.xxx ranges?

  • Awesome. I just hope you can survive the fall out from this.

  • C’mon folks – of course the private range addresses will be rewritten at the firewall into the public range addresses. Sheesh.

    This story isn’t merely criminal, it isn’t merely negligence, it’s tar-and-feathers quality mindboggling criminal negligence… the mind reels.

  • Yeesh, they’ve already got damage control running on this baby.

  • Beth

    Damn that’s scary. Damned political mind-miners!

  • ob1

    I think it’s funny, from just the one little screenshot that there are so many fake names on the list – “Slap Happy” “Slappy Slapperson” “Luck Strike” (M.I. is “E” I bet), “Rick James”… That information would be useful indeed. Or, is the screenshot also masked to prevent us from doing our own research???

  • Welcome! http://www.dirare.com/India/ business yellowpages. international directory: SMART Yellow Pages, About DIRare, Search in Business Category. Also [url]http://www.dirare.com/China/[/url] and [link=http://www.dirare.com]companies of the world[/link] from yellow pages .

  • hello! http://www.dirare.com/Sweden/ online directory. SMART Yellow Pages, About DIRare, Search in Business Category. From online directory .