by slg 3838 days ago
If you believe the Sanders camp, this sounds a lot like the Instagram bug bounty issue [1] that appeared on HN recently. Someone from the Sanders campaign identified a bug and, to prove there was an issue, grabbed private data that they should never have had the ability to access. That is questionable ethically whether they looked at the data or not. The DNC also can't immediately tell if it is the truth or if the data was taken maliciously. Given that, I don't think it is unreasonable to temporarily shut out the Sanders campaign until it was fixed. Although if I were in charge, I would shut out all campaigns until the matter is fully investigated. It isn't fair to disable one campaign if there was nothing malicious happening. (Never mind, see edit)

EDIT: Actually, on second reading, the Sanders lockout was not for security reasons and was only done by the DNC while awaiting full details from the campaign. In that instance it wouldn't make sense to suspend any other campaign's access. They are punishing the Sanders campaign in hopes that it causes a quick confession of the exact details of what data the campaign accessed and retained. I still don't think that response is as unreasonable as some Sanders supporters are alleging.

[1] - https://news.ycombinator.com/item?id=10754194


I think it is pretty unreasonable. As you note, there is no technical reason to deny the Bernie campaign access to their data. The Bernie campaign has fully indicated they want and are willing to cooperate with a third-party investigation into the data breach, which would require investigating both campaigns, the DNC, and NGP VAN. Given they are already willing to share everything they know about the incident, there is absolutely no legitimate reason for the DNC to intentionally sabotage the campaign.
There is no technical reason, but that doesn't mean there is no reason. The Sanders campaign may have violated rules. The DNC has thrown them in jail without bail in hopes that it gets things resolved quickly. I have no problem with that. If the DNC drags this process out, that would be a very different story.
It's way too early for the DNC to take punitive actions against any campaign. They shouldn't do that until there is evidence that data was misused. Currently there is no evidence, and I doubt any will appear.
There is a reason we don't normally throw people into jail without bail...
Actually we (in the U.S.) do, if the charges are serious enough or if the suspect is a flight risk. It varies by jurisdiction, but in general misdemeanor charges have pre-set bonds, and usually felony warrants will have a bond set by the judge at the time the warrant is issued, though for serious charges the warrant may be issued with no bond set.
That's why I said "normally".
It appears that the DNC violated rules by cutting off access in violation of the contract (until the Sanders campaign sued on that point, at which point a resolution was almost immediately reached.)
Seems pretty unreasonable to me. It's pretty obvious that the DNC would not have taken access away from Clinton if the situation were reversed.
Because of the audit, they were quickly able to identify who was accessing data they shouldn't have been able to access. Presumably the temporary lockout is not to prevent further data breaches, as that bug was already fixed, but to minimize the potential damage of the data breach they did identify.
Every time something like this happens, non-technical people don't know how to respond to it. Just look at the DNC Chairwoman's response[0],

"That is just like if you walked into someone's home when the door was unlocked and took things that don't belong to you in order to use them for your own benefit."

Essentially, "gray-hat" hacking isn't always seen as a friendly warning to the vulnerable as much as it might be an attack. One has to wonder, if one could draw a physical parallel between a trespassing and a gray-hat style hack, if you did enter someone's house, take their gold watch from their bedroom, then walk down to you sitting at your breakfast table and tap you on the shoulder, and then say, "Hey bro, your door was open, and you didn't even secure your jewelry in a safe with a key in case someone did break in. I did this to demonstrate your house's vulnerabilities, you should be grateful! Maybe even give me a little something for my troubles..."

Of course, the parallel might not be fair, since one can't draw a parallel between a private house and a server with a public-facing access point to sensitive material, so the closest proxy I can think of is a bank. Still, a similar parable can be drawn here: You rob a bank without tripping alarms and hand the manager $30,000 of stolen money, and claim you did it to warn him/her of issues with the vault's security. In that case, it's plausible to assume s/he might not be that receptive.

I think it's great that penetration testers and people of the like are very willing to do the hard work of finding holes in security systems--and not use it for nefarious purposes, but actually disclose it to companies so that they can bolster their systems--but how exactly is the hacked party supposed to take it?

[0]http://www.cnn.com/2015/12/18/politics/bernie-sanders-campai...

Can't edit, but my "you's" got switched up in my story about breaking into someone's house.