Only a Few 2020 US Presidential Candidates Are Using a Basic Email Security Feature (techcrunch.com) 88

Just one-third of the 2020 U.S. presidential candidates are using an email security feature that could prevent a similar attack that hobbled the Democrats during the 2016 election. From a report: Out of the 21 presidential candidates in the race, according to Reuters, only seven Democrats are using and enforcing DMARC, an email security protocol that verifies the authenticity of a sender's email and rejects spoofed emails, which hackers often use to try to trick victims into opening malicious links from seemingly known individuals. It's a marked increase from April, where only Elizabeth Warren's campaign had employed the technology. Now, the Democratic campaigns of Joe Biden, Kamala Harris, Michael Bloomberg, Amy Klobuchar, Cory Booker, Tulsi Gabbard and Steve Bullock have all improved their email security. The remaining candidates, including presidential incumbent Donald Trump, are not rejecting spoofed emails. Another seven candidates are not using DMARC at all.
  • Email-server in the basement?

    • by Anonymous Coward

      A guy supposedly gets mugged on his way home from a night on the town, but still has his wallet on him afterwards...

    • While chuckling at your joke, I'm also going to say that yes, it's that basic. I've worked at some companies that hired me and others because they REALLY needed to improve their security. Lots of low-hanging fruit, bad security practices everywhere. None of them were missing SPF or DKIM (the components of DMARC) when I joined, however. They all got at least that part right. Even if the DMARC was running on a "server" under some guy's desk.

  • by SmaryJerry ( 2759091 ) on Thursday November 28, 2019 @11:26AM (#59466742)
    This seems like a feature Gmail and everyone should have implemented. That and encryption. With billions in fraud every year you would think the country and companies would start cracking down, not fighting against secure email for citizens.
    • "With billions in fraud every year you would think the country and companies would start cracking down, not fighting against secure email for citizens."

      Lots of civil servants already have problems reading unencrypted emails.

      • by Anonymous Brave Guy ( 457657 ) on Thursday November 28, 2019 @12:15PM (#59466958)

        Lots of civil servants already have problems reading unencrypted emails.

        It doesn't help that the likes of Google have become so aggressive in fighting spam using fifteen different quasi-standardised protocols that their false positive rates are insane.

        Remember, any time you have to go find a genuine message in some sort of junk folder, that was a fail on the part of the email software.

        Any time you don't get a genuine message delivered at all, that was an epic fail on the part of the email software.

        And any time you don't get a genuine message delivered at all and it's a silent failure so the sender doesn't even know, that's an off-the-charts fail on the part of the email software that has regressed the state of the art by several decades.

        • by Corbets ( 169101 )
          Your UID is low enough that you ought to remember the pre-gmail days of spam. I’ll take a few false positives over that, thanks.
          • I do indeed, but I never had much difficulty filtering it out, just as I don't today (as someone not using one of the big mail services). It simply isn't that big a deal.

            Meanwhile, the number of times I have significant problems with business dealings these days, from both customer and business sides, because someone's email got lost in a junk folder or apparently never arrived at all is certainly noticeable, and it's almost always down to a service like Google Mail being too aggressive with filtering when

          • Who paid for all that spam? Enquiring minds want to know...

        • I'm not seeing "insane" false positive rates. If anything, they're still not aggressive enough in blocking spam.

          • One of my businesses is a pretty standard online service, with email and password for the basic user authentication. When you have customers who aren't getting your emails at all because their ISP screwed something up and has no apparent mechanism for fixing it, or customers who aren't getting password reset emails that they've just explicitly requested because the messages are being rejected as UCE, that's a problem. This sort of stuff happens all the time. (For avoidance of doubt, yes our mail systems are

      • by gtall ( 79522 )

        And your evidence for this is what, precisely? Or are you just ragging on civil servants because of ideology?

    • With billions in fraud every year you would think the country and companies would start cracking down, not fighting against secure email for citizens.

      Maybe some folks in country and companies are earning a good percent on those billions . . . ?

    • by AmiMoJo ( 196126 ) on Thursday November 28, 2019 @12:27PM (#59467010) Homepage Journal

      Gmail does have DMARC. It's been enabled since 2016.

    • by rtb61 ( 674572 )

      Government agencies should not do it. Technically speaking they should strive to uphold the law and hence they should have a two stage email process, an email honeypot as you will, that accepts all email and second server that filters out and passes bad email to the authorities for action. Filtering and ignoring would be very bad form for government agencies, those bad emails should be passed to the authorities for investigatory and prosecutorial actions, evidence of crimes should never be deleted, really qu

    • The major email providers have already enabled DMARC. However, anyone with a custom domain name (such as the candidates) needs to set up their encryption keys and publish them on the DNS in order to enable DMARC. DMARC is based on SPF and DKIM. SPF publishes the range of IP addresses that emails from that domain would be coming from while DKIM publishes a public encryption key that can be used to verify the header of emails sent from that domain.

      For most businesses, DMARC is not a big deal to set up. It is a

  • Hobbled? (Score:2, Flamebait)

    by grasshoppa ( 657393 )

    Poor email security wasn't what hobbled the democrats in 2016. It was a shitty candidate. It was an obviously rigged primary CHOOSING that shitty candidate.

    No email security in the world could have gotten her into the whitehouse; she was and is verifiably horrible, as she went on to demonstrate by the multi-year whining campaign about her losing.

    Ah, thanksgiving and politics. It's like peanut butter and chocolate.

    • by gl4ss ( 559668 )

      plenty of people voted for her. I doubt the primaries were rigged in any other way than people not caring for them due to her having been in the race. it's not like that she was unpopular. far from it. if anything people thought her to be more popular and didn't even bother going to vote, which is a common occurrence.

      saying that she wasn't popular is just dishonest. now of course that says nothing about her being a horrible person or not having any actual policies or whatever, but that's an entirely separat

    • Poor email security wasn't what hobbled the democrats in 2016. It was a shitty candidate....

      BS. It was unending, unfounded personal attacks with few facts/evidence and poor arguments to back them up. Exactly like this post. This one of course has 0 facts/evidence/arguments. But a good example of how she lost because mindless negativity trumped logic. Pretty common in politics.

      Back on topic, the article is completely right. I remember pretty much the only reality-based argument against her that I ever heard from people was about emails & security practices. So people voted for these [mediamatters.org] gu [americanoversight.org]

      • BS. It was unending, unfounded personal attacks with few facts/evidence and poor arguments to back them up.

        I mean, welcome to politics? Are you really trying to tell me that you never noticed that before this election, nor that you didn't see her engaging in precisely the same behavior?

        Deplorable.

        Anyway, in all seriousness; the email server hack wasn't the problem. It was the horrible crap that was under the surface that was the problem. Blaming the hack is literally shooting the messenger.

        • I mean, welcome to politics?

          Ya I know. Doesn't mean we shouldn't call it out. But that part isn't the crux of my point.

          you didn't see her engaging in precisely the same behavior?

          No, not even close. Personally exalting violence against your opposition, both the candidate and even just supporters. Publicly encouraging racist myths. The first end result was a guy shooting up a Pizza joint. So, no, she did nothing like that.

          Deplorable.

          Ya I have to agree that was a poor choice of words, and I think she even admitted it publicly. But it's not like she doubled down w/ it and made tshirts. Almost every n

      • Poor email security wasn't what hobbled the democrats in 2016. It was a shitty candidate....

        BS. It was unending, unfounded personal attacks with few facts/evidence and poor arguments to back them up. Exactly like this post. This one of course has 0 facts/evidence/arguments. But a good example of how she lost because mindless negativity trumped logic. Pretty common in politics.

        We just saw that for two weeks, with Adam Schiff holding "court" with a dozen witnesses who either said they knew no facts, just their opinion - or, in the case of the ONLY real, first-hand witness Ambassador Sondland - that it was EXPLICITLY stated there would be nothing back, no quid pro quo.

        But we all know (wink wink Nancy, Adam, and Jerry) that he didn't mean any of that, he's a meanie, and really wanted everyone to do exactly the opposite of what he asked. Because Orange Man Bad.

    • by GlennC ( 96879 )

      And here I am with no mod points.

      Neither of the Party's candidates should have been allowed to lead a Cub Scout pack, let alone a nation.

    • by gtall ( 79522 )

      Errrm....this is also reflected on the Republican side where the Whiner in Chief is on a multi-year whining campaign still thinking he's running against her and/or Obama. Once he gets a thought in his head, there's no getting it out.

      • In a sense President Trump is still running against the disastrously failed bipartisan neoliberal economic policy consensus for which Obama was the most recent figurehead.

    • she was and is verifiably horrible

      No question. Cheeto does not make America look smarter though.

  • I was told last time around by the DNC it wasn't a big deal.
    • I was told by Trump that he wants to "drain the swamp" and lock up criminals, but he hasn't resigned and checked himself into prison. What's your point?
  • by MyFirstNameIsPaul ( 1552283 ) on Thursday November 28, 2019 @12:07PM (#59466924) Journal

    In practice, DMARC is only for proof-of-work to the oligopolist email providers that shit on anyone who doesn't have 1 million per hour hitting their servers. Admins ignore DMARC on the receiving end. Even Google sends p=reject to the spam folder.

    If they want to look at something that matters, pay attention to blacklists. These opaque organizations have near total autonomy to block any mail server they desire. Even when you email experienced admins that they are using spamassassin to block legit mail because they refuse to learn how to use spamassassin, they tell you that you are stupid and go away.

    • Everyone is wrong about something pretty much every day. I've been hired as a "subject matter expert" multiple times; yesterday at work I was wrong twice in a single email. In a single sentence, actually.

      "experienced admins ... tell you that you are stupid and go away."

      When everyone who would know tells you that you're being stupid ...
      maybe you're - wrong.

      It's cool, being wrong sometimes is normal. Refusing to learn when everyone tells you that you were wrong would be silly.

      • Do you have experience configuring and maintaining mail servers?

        • by raymorris ( 2726007 ) on Thursday November 28, 2019 @03:36PM (#59467514) Journal

          Yes, I've been managing mail servers on and off for 20 years. At one point I founded and ran a business similar to Constant Contact. I had input into turning DomainKeys into DKIM. Over this period, I learned both the standards (RFCs etc) and real life - which are sometimes different.

          For most of my career, I've been in security. Currently I'm responsible for the spam and malware filters that sit in front of our Exchange servers and O365. Other people are responsible for getting the mail delivered after I filter it.

          Sometimes one can correctly point to an RFC which suggests one thing, while real-life experience in the years since the idea was first adopted leads to something a little different being done in production networks. Remember RFCs are written as suggestions for discussion BEFORE they are widely implemented. Sometimes the industry rightly adopts something a little different from the initial suggestion based on experience.

          Other times, things are broadly implemented "wrong" when they SHOULD have followed the RFCs, by people who apparently never read the RFCs. A striking example is early "CDNs", which are simply large networks of http proxies. The writers of the HTTP RFCs thought carefully about how proxies needed to work in order to avoid problems. The first large CDN companies utterly ignored the standards and broke a lot of things.

          For example, one very popular CDN stripped off the query string for caching purposes, so that a PHP session ID or other per-client query string wouldn't break caching. I emailed their support to clarify, asking:

          Are you telling me that your CDN doesn't know the difference between this page:
          http://google.com?search=its+a... [google.com]
          And this one:?
          http://google.com?search=a+hol... [google.com]

          Tech support replied that indeed their product doesn't know the difference between its and a hole in the ground.

          The CDN implementation was undoubtedly "wrong". It was also very popular. Therefore many other systems needed to be "wrong" in order to not break when that CDN came into play. The right thing to do was to make your software wrong. If it were coded "correctly" it would break. That sucks, but it's reality and we have to deal with reality.

          • That's interesting.

            Why would it be useful to block your users from email they need to receive? That is what happens when cargo cult admins who pretend to know everything but know very little about mail server administration do when they configure a remote list manager that operates with no accountability the power to block legitimate access to your own server.

            • When somebody sends spam to a honeypot, an email domain set up for no other purpose than to catch spammers, then the sender is a spammer. Are you upset about that fact because you routinely get caught sending crap to honeypots? If so, I can understand it would be frustrating for you - and you're still a spammer.

  • by Anonymous Coward

    helo
    mail from: putin@kremlin.ru
    rcpt to: trump@whitehouse.gov
    data
    From: Boss <putin@kremlin.ru>
    Subject: advice

    Start talking shit about the Deutsche Bank guy to throw everyone off your trail. Tell everyone he was a Democrat. It will sound totally convincing and then everyone will realize you're innocent.

    BTW, how much longer until sanctions lifted?

    .

  • After all, they interfered with the 2016 election [politico.com]. But we can't have the deep ties of Ukraine and Democrat power-players [washingtontimes.com] exposed, so let's deflect attention.
    • The article you linked to says:

      "There’s little evidence of such a top-down effort by Ukraine. Longtime observers suggest that the rampant corruption, factionalism and economic struggles plaguing the country — not to mention its ongoing strife with Russia — would render it unable to pull off an ambitious covert interference campaign in another country’s election. And President Petro Poroshenko’s administration, along with the Ukrainian Embassy in Washington, insists that Ukrai
  • by Stonefish ( 210962 ) on Thursday November 28, 2019 @03:58PM (#59467556)

    Email security combines a number of features. DMARC is only a reporting/policy layer. All politicians and organisations using email as a medium for communication should be signing their emails with SMIME. That's the proper way to provide integrity. It's the same as HTTPS on websites.
    SPF (RFC 7208) tells servers where your emails should come from, if they're coming from somewhere else, refuse them/drop them.
    DKIM (6376) places a signed header in the emails so a receiver can check that you're the sender, if an email purporting to come from a domain fails this test, drop it.
    All DMARC does is tell the receiver what to do if a check fails and report back to the sender. Why this is required is apparently that email senders don't know what they're doing and that dropping emails that fail the checks is too much tough love.
    What should be happening is that emails that fail the checks just should be dropped period, no ifs, buts or otherwise.
    There are too many organisations which have a soft option configured in their SPF records, i.e. a ~all rather than -all
    The tilde in front of the all says I think that this is all my email servers but I'm not sure. In other words I'm clueless and disorganised and don't know where my emails should be coming from.
    A minus in front of the all says the list in front is all of my servers, i.e. I have a clue.
    A couple of examples
    gmail ~all (weak)
    google.com ~all (weak)
    Microsoft.com -all (good)
    dhs.gov -all (good)
    amazon.com -all (good)
    apple.com ~all (weak)
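
The `~all` versus `-all` distinction and the DMARC policy tag discussed in the comment above can be checked mechanically. This is an added example, not code from the thread or from any project named in it; the `.example` domains and their TXT records are constructed samples, and counting `p=quarantine` or `p=reject` at `pct=100` as "enforced" is an assumption of this example.

```python
import re

# Qualifier on the SPF "all" mechanism -> result requested for unlisted senders (RFC 7208).
SPF_ALL = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}

def spf_all_result(txt):
    """Return the result the record asks for on the 'all' term, or None if absent."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return SPF_ALL[m.group(1) or "+"]  # a bare "all" means "+all"
    return None  # no 'all' term (for instance a redirect= record); not followed here

def dmarc_tags(txt):
    """Parse 'v=DMARC1; p=reject; pct=50' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def posture(spf_txt, dmarc_txt):
    """Summarise how firmly a domain asks receivers to refuse spoofed mail."""
    spf = spf_all_result(spf_txt) if spf_txt else None
    if not dmarc_txt:
        return {"spf_all": spf, "dmarc": "absent", "enforced": False}
    tags = dmarc_tags(dmarc_txt)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    # Assumption of this example: enforcement = quarantine/reject applied to all mail.
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"spf_all": spf, "dmarc": policy, "pct": pct, "enforced": enforced}

# Constructed sample records for placeholder domains (not real DNS lookups).
SAMPLES = {
    "strict.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
    "monitor.example": ("v=spf1 include:_spf.mail.example ~all", "v=DMARC1; p=none"),
    "partial.example": ("v=spf1 mx ~all", "v=DMARC1; p=quarantine; pct=25"),
    "nodmarc.example": ("v=spf1 a -all", None),
}

def audit(samples=SAMPLES):
    """Map each sample domain to its SPF/DMARC posture summary."""
    return {domain: posture(spf, dmarc) for domain, (spf, dmarc) in samples.items()}

if __name__ == "__main__":
    for domain, result in audit().items():
        print(domain, result)
```

In real use the two strings per domain would come from the TXT records at the domain itself (SPF) and at `_dmarc.<domain>` (DMARC).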

    • by MikeS2k ( 589190 )

      The problem I have found with DMARC, is that a lot of spammers get round this by trying to make the FROM: name something a victim will fall for - as a lot of e-mail clients, Apple's in particular, do not automatically show the e-mail address.

      A spam campaign targeted my company. The e-mails sent out were forged Mr CEO ceo@mycompany.com. As they were forged, from a non DMARC IP address, these were all rejected, job done, DMARC worked great.
      So the spammers simply just changed to Mr CEO comp@account.ug
