How a Political Engineering Firm Exposed Their Code Base
upguard.comThe description of "Mamba-Jamba" sounds similar to what Harper Reed's team built for Obama's campaign in 2012.
In terms of illegality, there would only be a problem if AggregateIQ was not properly compensated for their work by the U.S. political campaigns--i.e. if AggregateIQ improperly provided value to the campaign as "in kind" donations of work.
If the campaigns paid AggregateIQ for their work, there's nothing illegal or even improper. Campaigns are allowed to purchase products or services from foreign sources.
> Campaigns are allowed to purchase products or services from foreign sources.
It's not quite so simple. It's true that US campaigns can purchase products and services from foreign vendors, but only to the extent that those services do not include any management or strategic decision-making services. So you could hire a Canadian firm to make data visualizations for you, but the firm could not tell the US campaign, "we recommend you target group x" based on that visualization.
But I agree, based on what is described here, there may be nothing here. Very much unlike certain Cambridge Analytica activities across the pond.
What about if 'a foreign entity is found to be in a strategic role for a US campaign'?
Based on this tweet†, it seems that Chris downloaded the repos and put them online, encrypted using some of his personal information as a sort of "dead man's switch".
I'm not sure I understand the point of this.
He wants us to open the file but he wants it to be annoying?
Driver's license numbers are likely sequential, so the keyspace is likely guessable, or recoverable from credit data breaches. Street name is an easier find, from public records.For posterity: <14-character non-dictionary word>+<My current CA DL number>+<Streetname of my residence during 1st grade> Schema: aaaaaaaaaaaaaa+Annnnnnn+Aaaa Aaaaaaa (a=lower alpha, A=upper alpha, n=numeric) md5 those 36-characters. Hash is the passphraseSince we know that non-dictionary word is 14-characters, and assuming English, entropy should much less than 26^14.
anyone willing to give it a spin?
Chris lived in BC, so this would be what his driver's license looked like: http://www.metronews.ca/news/vancouver/2013/02/15/new-b-c-id...
It's an 8 digit number.
The keyspace for the streets would be a list of every street in Greater Victoria.
"non-dictionary" is 14-characters long
Time to fire up hashcat on aws.
This looks like a tool for tracking voter canvassing, hardly a smoking gun of anything?
The selective publication and inflammatory language makes me less likely to believe this is of any importance, other than tut-tutting at the server insecurity.
The disinformation and jumping to conclusions in the comments of that tweet thread is extraordinary.
the issue would be if it were provided by a foreign entity without compensation so that it is essentially a campaign donation, or if a foreign entity is found to be in a strategic role for a US campaign, which violates US election law.
See http://abcnews.go.com/Politics/exclusive-cambridge-analytica... for a story today breaking on this.
As I understand it, these aren't foreign apps gifted to a US campaign, this is software from a subcontractor of Cambridge Analytica?
Whether CA CEO Nix as a foreign national played a key strategic role is a different, perhaps thornier, issue.
There's a lot more about the kinds of legal trouble this software implies in the EU here: https://gizmodo.com/aggregateiq-created-cambridge-analyticas... this has a lot to do with Brexit.
Sure, but the thrust of this data release wasn't exactly "perhaps there was improper coordination of marketing funds between Brexit campaign groups".
Frankly, I'm just amazed at the amount of effort that continues to go into locating a smoking gun and a technical devious explanation for Trump/Brexit success beyond "a lot of people really are unhappy with the status quo".
HN is really fixated on the idea that the current political situation is somehow un-extraordinary. As has been pointed out, the hatred that Repbulicans had for all eight years of Obama cannot be overstated, yet nothing like what is happening now with apparent election interference by Russia was noted at all. Is there really that much of a massive left-wing conspiracy, that nobody questioned Obama's presidency beyond laughable "birther" claims yet is able to produce an enormous, Republican-led federal investigation into the current president based on nothing, yet despite this massive reach it somehow it allowed DT to be elected president in the first place? Here's a place where Occam's Razor might work. What is more likely - that DT is really a dishonest grifter who foolishly played into the hands of the Russian intelligence agents a bit too much, or that he is truly some kind of Ronald Reagan-esque figure and all 30-odd intelligence agencies pointing to Russia as an instigator are just making it up at the behest of DNC dark actors?
> HN is really fixated on the idea that the current political situation is somehow un-extraordinary.
I don't think that's true; I think there is a highly vocal set of people on HN fixated on selling that idea, but I don't think HN as a whole is.
I'm replying to one just above. Trump won because "a lot of people really are unhappy with the status quo". Really, that's it ? Despite the largest popular vote loss for an electoral college winner in history? All the things Mueller notes in his indictments at https://www.justice.gov/file/1035477/download, wouldn't matter; social media being gamed by a foreign adversary, targeted to exactly those regions for which the electoral college would need to be manipulated as documented in the indictment is provably completely irrelevant to the election results.
edit: just on this thread:
"As someone who didn't vote for Trump, and doesn't support him, that's one of the (many) things I find so disheartening about this entire process. Pretending that Trump is somehow a unique problem that needs to be solved rather just another corrupt politician is to whitewash the rest of the crooks running our government. It isn't an accident that Trump is being portrayed as a unique menace. The levers of power in our government (and their minions in media) are very careful to paint the picture of this being an aberration."
https://news.ycombinator.com/item?id=16681901 - e.g. this person is picking the conspiracy theory answer of occam's razor. That it really is a wild and massive left/right wing conspiracy to make all this happen, controlling both houses of congress, the justice department, and all media (including Fox who has to play the tricky hand of being against the investigations, yet is unable to produce a compelling reason why they should actually be ended), yet DT was elected in the first place.
"I'm not picking on or defending anyone, I'm just weary of the last years' worth of articles that keep claiming "smoking guns." https://news.ycombinator.com/item?id=16681776
these come out immediately on every story about this.
Dude Obama's team was the first to spearhead true micro targeting. Their Voter Activation Network (VAN) was even bought by the Liberal Party of Canada, and forms the core of their Liberalist voter tracking software.
did they have foreign nationals advising their campaign? because using facebook APIs is not the issue. breaking federal election law is.
They all do. I have Canadian friends I know from all the parties working on campaigns. They're basically Americans, just looking for career opportunities. They are not foreign agents with a foreign agenda, and this is not the scandal you are making it out to be.
>the issue would be if it were provided by a foreign entity without compensation so that it is essentially a campaign donation
Have you ever tried to write off open source work as a donation? I don't think this works the way you want it to. Software isn't a donation. Software is speech. Phil Zimmerman proved that rather nicely when he printed PGP as a book.
U.S. federal election law is pretty clear on this. If a company that is normally paid for a service provides that service to a federal election campaign for free, it counts as material support of that campaign, at the value that that service would have cost at regular price.
> Have you ever tried to write off open source work as a donation? I don't think this works the way you want it to. Software isn't a donation.
If you typically charge for your software development time hourly, and you provide 10 hours of software development to a 501(c)3, you indeed can write that off as a donation. You will just need a receipt from the org to which you donated your time.
You can't write off typical open source work as a donation because you're not donating anything. Under most open source licenses you keep your IP, but provide a free license to anyone who downloads the code. Even if a nonprofit uses your code, you set the price to $0.00, so there's nothing to write off.
Having run a US political campaign, this isn't showing confidence that you understand the issue. You're blurring two, different definitions of donation: the IRS and FEC meanings. In the past, I've had to count website or technical work as an in-kind donation, especially if I would normally charge.
Interesting followup by Seth Abramson.
Seth Abramson sure is someone to talk about poor journalism and analysis. Really: HN doesn't need to be the first to break out stories like this. If someone important has been found here, someone will cover it seriously outside of tweets. HN should start penalizing tweet stories.
Why would HN penalize tweet links!? Hacker news is a perfect place for stories that intersect technical and journalistic expertise to be explored more in depth with a focus on truth. In journalism tweets are how evidence of a story evolves. Taking away twitter linking from journalistic minded HN users would be like taking away the ability for a coder to link to github...
please don't retweet Seth Abramson, he is a manipulative conspiracy theorist which is not something that helps the liberal cause:
https://www.washingtonpost.com/news/the-intersect/wp/2017/12...
https://www.pastemagazine.com/articles/2017/04/stop-listenin...
https://thinkprogress.org/blue-detectives-collapse-trump-rus...
Yet he has been cited [1] by and contacted by congress for his research on pro-Trump FBI agents leaking to True Pundit.
It seems that the media can't make up their mind about him either: At times, discrediting him; other times, recommending his work. [2]
[1] https://democrats-judiciary.house.gov/sites/democrats.judici...
[2] https://twitter.com/SethAbramson/status/971909060294561792
It looks like they cite him because he happened to have a screenshot of some comments on another conspiracy website that may refer to actual information about something. So they are in fact poking at what they themselves call a "fringe conspiracy website" in that letter. This doesn't really indicate he's suddenly a serious journalist, just that they saw something in the conspiracy community that interested them.
That's a surprisingly dismissive reading. The first external source cited is Abramson. Every other source cited in the letter was also cited by Abramson in his original thread [1].
The letter summarizes Abramson's allegations: "The facts point to a coordinated effort by some in the FBI to change the course of the Clinton investigation by leaking sensitive information to the public, and by threatening to leak additional information after the investigation was closed."
There are no two ways about it: Either Abramson is onto a huge story that hasn't been reported elsewhere -or- sitting members of congress take investigative actions based on the ramblings of an irresponsible conspiracy theorist. Both are concerning.
[1] https://threadreaderapp.com/thread/939432544008921088.html
Rebuttal by one of the reporters: https://twitter.com/dellcam/status/978345305635770368
He discounts the importance of figuring out how modern election data shops work (and what tools they use/build) with regards to elections, which may be important for us to fight these firms down the road and build laws against unscrupulous data collection. The mechanical details definitely matter here, and that can be found by looking at source code.
I don't necessarily agree that gizmodo should have led with tying this open repository of code to AIQ/SCL/CA to Bannon/Trump/Russia. Finding the tools and explaining what they do was more important given this was found today.
It's not like they can't write follow-up articles which explain the larger issues.
Thanks for that; that was a much more comprehensible summary.
I'm not picking on or defending anyone, I'm just weary of the last years' worth of articles that keep claiming "smoking guns."
Can anyone explain how this is illegal or damning? It appears the biggest reveal is some database/statistical tools. Do they do anything illegal? Is it illegal to outsource a project, especially to an ally like Canada?
It seems they were developed as the result of an outsourced project, but does that count for anything?
We knew CA was hired to help them win the election. I don't understand how that itself is wrong, legally either.
I don't see evidence here of anything more than the application of techniques long-used by advertisers like General Motors and Unilever to the political arena. It may be odious, and may make the world a worse place, but it is not particularly unusual, unexpected, or illegal as far as I know.
> using a custom version of popular code repository Gitlab, located at the web address gitlab.aggregateiq.com. Entering the URL, Gitlab prompts the user to register to see the contents - a free process which simply requires supplying an email address. Once registered, contents of the dozens of separate code repositories operated on the AggregateIQ Gitlab subdomain are entirely downloadable.
Is this (anyone can register with an email address) the default mode for a self-hosted gitlab deployment?
You can always blacklist or whitelist certain email domains.
You will want to make all your repositories private, which makes you whitelist all access.
Where can we download the codebase. Seriously interested in seeing it.
This is basically just some screenshots of a private gitlab instance? It would be trivial to fabricate this story.. Did he post the files publicly?
If this is true, what are the ramifications for unauthorized computer access?
Update: looks like the registration link was still listed / open, but my question still stands
This is the most interesting question. The company is based in Canada so supposedly Canadian laws would apply but I suppose it depends on where the Gitlab instance is hosted. Also the author cannot argue that they were bug hunting in good faith as an ethical security researcher would cease activity after breaching the repository and report their findings. If American laws apply the CFAA is extremely selectively enforced but if I was the author of this I would be extremely fucking concerned about going up against the Trump entourage.
According to the first article, the code was hosted with a custom version of Gitlab, with the register link still functioning. Once an account was created all the repos were public. If that's true, then it's a public site being accessed through features of the site.
I'm sure it also depends on if the site was intended to be accessed "publicly" or not. Let's say, visually, all registration links were removed, but (as someone with internal knowledge of GitLab here did) could "breach" into the registration page.
Isn't it typically “breaking or entering”, not “breaking and entering”?
Very informative! Thank you!!!
Actual write up: https://www.upguard.com/breaches/aggregate-iq-part-one
Important to note this leak only (as of now) ever mentions ted cruz - nothing to do with Trump's campaign beside some handwavy connections between this marketing agency and cambridge analytica. Bannon is also literally never mentioned in the write up.
The Guardian has an article here https://www.theguardian.com/uk-news/2018/mar/24/aggregateiq-... about the links between AIQ and Cambridge Analytica. AIQ were used by the Brexit 'Vote Leave' group which is why the Guardian were looking at them.
Thanks, we’ve updated the link from https://twitter.com/VickerySec/status/978314282097033216.
"There is no serious person out there who would suggest somehow that you could even rig America's elections" --Barrack Obama
He's right. There was no voter fraud. People really did vote for Donald Trump. Voters may have been distracted with leaked emails or lied to by "fake news" but the votes were real. The election wasn't "rigged."
Absolutely not relevant to the topic posted. If you would like to discuss this video I recommend you make a post and stop derailing threads like these into your own discussion.
"If you would like to discuss this video I recommend you make a post"
Whereupon it will promptly be buried. So went Digg, so goes HN.
You don't have a right to be heard.
If all the "breaking news" about the tactics used by the Trump team in last year's election were limited strictly to "new" tactics used by the Trump crowd, the volume of "news" released would shrink to a tiny fraction of what it is now. Unfortunately, as always, the problem lies with the ignorance of the American people. Its easy to portray underhanded and/or illegal tactics as being somehow unique to the Trump crowd when most people are entirely ignorant about how our political system works (and has worked) for decades. The fact is that campaigns on every level - local, state, and federal - have used data mining techniques, social media platforms, algorithms, and data of all sorts (both foreign and domestic) to influence everyone that possibly could in every way possible. Shining a bright light on any corner of our putrid political system (as is being done in the case of the Trump crowd) will uncover a host of shady, disreputable and/or illegal acts. It doesn't matter what corner you shine the light on or what party you choose to focus on.
As someone who didn't vote for Trump, and doesn't support him, that's one of the (many) things I find so disheartening about this entire process. Pretending that Trump is somehow a unique problem that needs to be solved rather just another corrupt politician is to whitewash the rest of the crooks running our government. It isn't an accident that Trump is being portrayed as a unique menace. The levers of power in our government (and their minions in media) are very careful to paint the picture of this being an aberration. They are playing on the myth of "American exceptionalism". That's where the whole Russian-conspiracy nonsense plays in, because naturally, the American people would never vote to reject the establishment in favor of a despicable con-man like Trump unless they were influenced or fooled by evil Russians! If we can just get rid of Trump (and the free and open internet that allowed the evil Russians to influence us), then we can return to the wonderful status quo of the "Liberal Western Order" AKA monopolar US global hegemony, that is great for everyone!