Colem4n g0t Haxz0red?

On Tuesday, March 10th, the website published two files anonymously obtained in connection to the Coleman campaign's server crash on January 28th. (As an aside, was also responsible for publishing the content of Sarah Palin's email account; a University of Tennessee student was eventually charged.)

To understand how this data became available, let's recall what I wrote on January 28th with regard to this topic:

Now to cover the issue of the "fake" controversy associated with Norm's website. Norm's website was not intentionally taken down by anybody within the campaign. The site is run from a remote location. I have logically concluded that his site crashed for one of two reasons, (i) either an extreme amount of traffic, or (ii) poor coding resulting in a memory leak. If the site was getting hit with a decent amount of traffic, which does appear to be the case, the number of database connections may have exceeded the allowable limit due to poor coding. When this happens there is essentially nothing that can be done from a remote location. The server is inaccessible because the processor is always trying to catch up with the current number of requests. In order to fix the problem, the admin would need access to the server, but they could not gain access because the server was constantly busy. Their solution was to redirect traffic to the IP address They would have been wise to setup of an error page on another server and redirect to that, but I don't know the details.

Whenever the IP address is changed, the new address must propagate back through the internet; this can take up to 72 hours. To compensate for this delay, they changed the TTL to 600 for the IP address, which is a very small amount of time in this application. They wanted the dummy address to propagate to as many people as possible as fast as possible so that they could attempt to fix the original error. In changing the TTL they are able to gain access to the original server faster, without the new address propagating through the internet over the actual server address. In changing the address they made a calculated decision; one I would guess they currently regret.

When their old server came back online, each and every file they had hosted was available for download. There were documents available that would not have justified any publicity stunt. My guess is that somebody outside of the campaign initially discovered the outage and began to push the "excessive traffic from voter database leads to crash" story. At this point the story was picked up by and the Coleman was really left with really no choice but to propel the story. If they had actually acknowledged the problem, the news would have spread faster than they could have fixed; which happened anyway, but it took some time for people to figure out that files were available. I do not believe the initial crash was intentional, I believe it was a very poor implementation of technology that forced the Coleman campaign to run with the spin.

Source: Litigation, Day 3 via

After Wednesday's litigation proceedings, Norm Coleman directly addressed the issues relating to the leaked information:

The contents of Coleman's donor list and voluteer roster were released Tuesday night at about 9 PM by after the affected individuals were notified, via email, of their inclusion within the leaked database. According to, the uncompressed MySql database comprises 4,300 MBs across 36 individual tables; the compressed table was named "database.tar.gz" and was listed as 205 MBs in size. Two of the leaked tables contain illegal, personal information and a description of their contents is presented below, as quoted from


Contains campaign contribution information. Unique ID number, first name, last name, city, state, zip, phone, e-mail, employer, title, type of credit card used, name on card, last four of credit card, CVV2 value of the card, donation amount, authorization code from credit card processor, AVS (address verification) match, and a timestamp.


Stores significant information about web views, including user agents and IP addresses. ALSO CONTAINS ALL POST DATA -- THIS INCLUDES UNENCRYPTED CREDIT CARD INFORMATION.


The contribution table contains the "card security code" as defined below within Minnesota Stat. § 325E.64; possession of this data beyond the initial 48 hours of the electronic transaction is illegal:


Subdivision 1. Definitions. (a) For purposes of this section, the terms defined in this subdivision have the meanings given them.


(d) "Card security code" means the three-digit or four-digit value printed on an access device or contained in the microprocessor chip or magnetic stripe of an access device which is used to validate access device information during the authorization process.


Subd. 2. Security or identification information; retention prohibited. No person or entity conducting business in Minnesota that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.

Source: 325E.64, 2008 Minnesota Statutes via Minnesota Office of the Revisor of Statutes

The loadtime table also may contain illegal information in correlation with Minnesota Stat. § 325E.61:


Subdivision 1. Disclosure of personal information; notice required. (a) Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.


(e) For purposes of this section and section 13.055, subdivision 6, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired:

(1) Social Security number;

(2) driver's license number or Minnesota identification card number; or

(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Source: 25E.61, 2008 Minnesota Statutes via Minnesota Office of the Revisor of Statutes

The singular presence of credit card numbers would not constitute "personal information," but in culmination with the contribution table, it would likely become possible for a diligent wrong-doer to associate a singular credit card number with the names listed in the contribution table. I cannot say this for certain as I have not seen the contents of the loadtime table, but it seems very likely, that with some basic data parsing skills, it would be possible to access the financial account of some if not all individuals listed within the contribution table.

Norm Coleman's campaign appears to have unintentionally violated the law, based upon the information provided by and the referenced legal statues.

These icons link to social bookmarking sites where readers can share and discover new web pages.
  • bodytext
  • Furl
  • NewsVine
  • Reddit
  • SphereIt
  • Technorati
  • YahooMyWeb
  • Ma.gnolia
  • StumbleUpon
Your Ad Here

0 Response(s) to Colem4n g0t Haxz0red?

Leave a Reply:

Name: (Defaults to Anonymous)
Type the characters you see in the image below:
(Word Verification)
Electoral College Projection Map
Senate Projection Map