by tptacek 2603 days ago
That's a great way for campaigns to get lots of WAFs, intrusion detection systems, endpoint agents, and vulnerability scans. But what campaigns need is actionable advice that breaks phishing and attachment attacks. For that: they should use iPhones and, when they use their desktop computers, Yubikeys. You don't need professionals from the cybersecurity sector to make that happen (although I am one of those); you just need someone to buy a bunch of Yubikeys and spend 15 minutes with the campaign showing how to use them and telling them to be afraid of their desktop computers.

I agree with your general sentiment, but if it were that easy, we wouldn't even be having the discussion. Nation states going after a campaign are likely to succeed; it's about limiting the exposure if they do. To your point, there are a number of no-brainer processes or technologies to make those compromises difficult or severely limit the damage, and many do not require much to put in place. You do need someone on staff, though, constantly monitoring and enforcing best practices.
Campaigns :clap-emoji: never :clap-emoji: have :clap-emoji: this :clap-emoji: person :clap-emoji: on :clap-emoji: staff.

You really have to get a sense for how ragtag a political campaign is. Startups --- themselves pretty ragtag --- are raising funds and building for an imagined future in which they're big. They might engage professional IT and security (though many don't). Campaigns aren't like that; every single one of them will be "out of business" within a year and a half. They have minimal infrastructure and a mostly volunteer staff, and there are many hundreds of them every cycle.

At best, you might suggest that the upstream service providers for campaigns, like NGP VAN, should get better at security. The DNC, for instance, has an experienced CSO. But that CSO can't do all that much for individual campaigns.

Just to end this out, I do agree. I was not suggesting this resource be paid, but that they should have someone dedicated, even a volunteer.
> you just need someone to buy a bunch of Yubikeys

This is so wrong it's hilarious. I've been doing computers for forever, and "security keys" are STILL a universally lousy user experience.

What happens when you lose one? How do I install multiple keys? How does their manager revoke their keys when they leave the company? And where is the server that controls all this, and how do you administer that? I could go on ...

If you have any pointers to tutorials how to do this, I'M ALL EARS. Seriously.

The purpose of a U2F key is to break phishing. You want users to use them as much as possible (on computers), but you do not depend on them being the only second factor.

So you can buy and enroll 2 keys, or just do what Google forces you to do: enroll an additional second factor, like a code generator.

I do not understand your revocation argument at all. When you let a staffer go, you lock their account. You do not care about their keys.
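The two properties argued for above (a security key breaks phishing because what it signs is bound to the origin and challenge, and revocation is handled by locking the account rather than tracking keys) as an added toy relying-party model in Go; this is illustrative code, not from the thread or from any U2F/WebAuthn library, and `signedPayload` is a stand-in for real client data rather than the actual wire format:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Account holds every enrolled key by credential ID (toy model); disabling it revokes them all.
type Account struct {
	Disabled bool
	Keys     map[string]*ecdsa.PublicKey
}

func NewAccount() *Account { return &Account{Keys: map[string]*ecdsa.PublicKey{}} }

// Enroll makes a P-256 key pair for one token and registers only the public half; two tokens, two calls.
func Enroll(acct *Account, credID string) *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	acct.Keys[credID] = &priv.PublicKey
	return priv
}

// signedPayload stands in for U2F/WebAuthn client data: origin and challenge are bound into the message.
func signedPayload(origin, challenge string) []byte {
	h := sha256.Sum256([]byte(origin + "|" + challenge))
	return h[:]
}

// Authenticate is the token side: it signs for the origin the browser is actually on.
func Authenticate(priv *ecdsa.PrivateKey, origin, challenge string) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedPayload(origin, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the relying-party side: account enabled, credential known, signature valid over the RP's own origin and challenge.
func Verify(acct *Account, credID, rpOrigin, challenge string, sig []byte) bool {
	pub, known := acct.Keys[credID]
	if acct.Disabled || !known {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedPayload(rpOrigin, challenge), sig)
}
```

An assertion produced for a look-alike origin, or for a stale challenge, fails `Verify` even though the key is genuine, and setting `Disabled` cuts off every enrolled key in one step.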