Hacker News

I'm confused by how difficult it was to get a meeting and convince these people to change their ways, but how easy it was to hand them a USB device and "Collect information about what devices people are using, their email provider, whether they have two-factor authentication, how they share documents in the campaign, how they keep track of passwords, and so on".

Were you just some random outsider to them, coming in to do free security training? Or did others have to vouch for you? It seems like it would be terribly easy to do all of this under the guise of being a helpful security person, but you're actually just sabotaging them with rogue USB devices and learning the details of all of their security practices. Especially by getting on their good side with things like "A friend wrote a script that did this conversion automatically when you dragged things to a desktop folder, and I would mention this during campaign visits. Suddenly I was no longer the dentist, but Santa Claus come early."

Could anyone else have been doing this without being vouched for?



It varied a lot across campaigns. I had an easier time getting meetings once the Washington Post article came out. In fairness to the DCCC, they also vouched for me when campaigns called to check my bona fides. The Progressive Change Campaign Committee also opened a lot of doors.

That said, there are people who will absolutely meet with you sight unseen and put random USB stuff in their laptop. One candidate left me and a friend to watch his open laptop in a San Francisco cafe, two minutes after we met.


This is mentioned.

> You should understand that there are a zillion people and groups out there who want to do tech experiments on campaigns, and without someone to vouch for you, you will make no headway.


For me Chrome password management works fine. I have all passwords on my work Mac, had to switch Macs about 9 times due to Apple's quality issues in the last year, and passwords were always available after logging in to Chrome.

And they are also always available on my Android.

But. I need to trust Google.

I also have 1Password (without cloud sync). Works great on my Mac. But switching devices is a pain. And syncing to mobile doesn't work at all currently.

So my state with managed passwords is somewhat of a mixed bag.

PS: Well, due to policy changes I need to create a central password for logging into my computer and company systems in the future. And I need to type it multiple times per day. And need to change passwords regularly. I am not really looking forward to that form of "security".



