Among the more disappointing things in all of this is that there is a rational, important conversation to be had about everyday awareness of security and government inflexibility. But there won't be, because she is Hillary Clinton and it is 2016.
Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone. She (I personally believe) was likely ignorant of many of the security requirements of such a server (even one set up for unclassified e-mail), as was whoever set it up. And no-one on her staff either knew enough or was willing enough to say anything. She is also supposedly not the first Secretary of State to have an arrangement of this nature.
This feels like the very definition of systematic failure and clearly needs to change. But the conversation is almost exclusively based around a) her having nefarious motivations, because she is Hillary Clinton, or b) this all being a Republican plot to derail the Democratic candidate for President.
Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone.
Baloney. She was the second most powerful person in the US government. If she couldn't get them to provide modern secure communications, she had the ear of the one who could.
If it was as you say, and truly that systemic a problem, then indeed heads should politically roll - starting from the top, which means her.
Handling national secrets on a cheap generic PC in one's bathroom because a subordinate huge-budget agency won't cooperate is a sign of gross incompetence on many levels. If jail time is what it's going to take to motivate people to get this systemic problem solved, them so be it. The standards are obvious, and ominously violated to a dangerous degree.
They rated the statement 'my predecessors did the exact same thing' mostly false. Editorial choice -- they could have rated the statement 'none of my predecessors followed proper procedure for email either' and found it true.
Powell maintained his own email but without the server in his house, Rice claims she avoided all email, so we have exactly 0 secretaries of state who've handled email 'the right way' in 220-some-odd years of this fine country.
Indeed. I believe she should be investigated and prosecuted for this, but I nevertheless think it remains a mostly credible claim with respect to Powell. If I understand correctly, Politifact makes the argument that Powell used a personal e-mail address at an established service whereas Clinton installed her own mail server.
As someone who believes strongly in revitalizing self-hosting, I find focusing on Hillary's use of a personal mail server (and not on the fact that it was not an official e-mail account, full stop) to be unfairly marginalizing personal mail servers or personal servers in general. There's nothing wrong about running your own mail server. The problem is running your own mail server to give yourself a personal e-mail account to use in your job as Secretary of State. But the key part is using a personal e-mail account for your job that involves dealing with highly sensitive and classified materials—an action that would get most government employees fired if not imprisoned.
I've almost entirely given up on conversations in HN threads, but the recent State Dept Inspector General's report concludes that after the server was found to be compromised, the staffers who found the issue were told to never speak of it again.
This wasn't just poor IT security, this was willful ignorance of the consequences of state secrets being in the open. It is incredibly likely she was targeted by foreign intelligence. And perhaps Russia found it useful that no one was talking about their impending invasion of Ukraine or Iran learned how desperate the administration was to cut a deal? There were a thousand ways this could have undercut US foreign policy, which has recently been disastrous (Like when Hillary hung up the phone on her Russian counterpart in 2012 when Russia was trying to negotiate a peaceful conclusion in Syria - according to the Wikileaks embassy cables).
> This wasn't just poor IT security, this was willful ignorance of the consequences of state secrets being in the open.
To be clear, this was unclassified email. Classified email is on a separate network.
Certainly having access to the Secretary of State's unclassified emails could yield valuable intelligence insights but these are not emails that are going to contain "secrets" per se.
I agree with this, but the failure is one of the government to "train" its appointed/elected members adequately. It should never be acceptable for STATE to conduct official business over private email, that just just be the rule. And while previous secretaries have also "worked around it" it is something the FBI should intervene on and enforce. The pressure of it being hard to do can lead to better funding/resources on making it easier to use, but the going in position should be "You shall not ... and if you do we're coming after you."
What's the rationale for not giving everyone secure smartphones? And I mean high-ranking officials, SoS certainly ranks considering how much she/he is in foreign countries with foreign leaders. Can someone in the know explain why the NSA would deny such requests?
Difficult to know for sure. Obama had one, Rice previously used one, but:
The NSA refused to give Clinton a device similar to the one used by Obama: a modified BlackBerry 8830 World Edition with additional cryptography installed. And while Clinton's predecessor Condaleeza Rice had obtained waivers for herself and her staff to use BlackBerry devices, Clinton's staff was told that "use [of the BlackBerry] expanded to an unmanageable number of users from a security perspective, so those waivers were phased out and BlackBerry use was not allowed in her Suite,"[1]
This being Clinton there are probably conspiracy theories (the NSA is out to get her!) but I suspect they simply didn't want to have to deal with it, and had the ability to say no. So they did.
In all fairness, Obama's use of a smartphone was unprecedented. I read (but cannot find a reasonable source now) that Obama's Blackberry was tethered to a private base station, not any kind of public network, cellular or otherwise. So "secure smartphone" is a term that really means "secure infrastructure".
Actually no, we're fortunate this isn't happening in 2017, or 2018. We can still keep her out of office, and we should, on moral grounds, not party grounds.
Unfortunately, the alternatives to her aren't that great either. I'm hedging my bets until November, hoping some sort of miracle happens. Hoping this election invokes the 12th amendment and goes to the house. I feel none of the current candidates would be eligible and we'd get a fresh start.
>Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone.
She didn't want the one they offered her, which was an older-style Windows Mobile phone. As the emails frequently note, she is not a "computer person", she knew how to work one kind of device for accessing email and refused to use anything different. They offered her a secure computer with a dedicated outside line even inside State, but her handlers thought she wouldn't even be able to deal with the concept of accessing her email on a PC rather than a Blackberry. I am not bashing Clinton here, I am just reading back the stuff from the emails that was on JudicialWatch.
What's "depressing" to me is that I have had to handle classified material in the past and there's zero doubt what would happen to me if I handled this shit like her and her staff did, but there's going to be zero material consequences for her. I kind of feel like there's two sets of law books, ones for peons like me, and ones for special people like her.
If our Secretary of State and would-be President can't be bothered to learn how to read email on a PC, even (especially) for the sake of information security, I think that deserves a little bashing.
The NSA is not beholden to the State Department so they could very easily have told her no. Even between different branches of the Armed Forces there is limited ability to force the issue if another branch doesn't want to do something.
It's not A or B. They are not mutually exclusive. She can be evil and the subject of a plot. In fact, given that she is a politician, A is a most certainly true. And given that she is a candidate for president, so is B.
> She is also supposedly not the first Secretary of State to have an arrangement of this nature.
Careful with the phrasing - it has been said others have used "private e-mail" but that is, to me, not the same as setting up a server and using it exclusively.
Do you know anybody with their own home email server?
I think it's one thing to have run your own email server back in the early 2000's and doing the same in the mid teens. There is much more sophistication in terms of adversarial means and methods as well as sheer number of adversaries --as well as "education" about security.
No, she didn't, on many levels. Her underlings should have known better, but if a 68-year-old politician knew anything about internet security practices, I'd vote for them!
> Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone.
That would have made it more difficult for the NSA to spy on her. I know this sounds cynical, but really, do you think the NSA doesn't spy on our government officials?
Re smartphone NSA refused to let her use a specific phone. There were several smartphones and certified solutions available. Hillary only wanted Blackberry. Quite opposite of your statement.
Re nefarious motivations. The server and its location weren't just used for diplomatic stuff. There are nefarious things going on. She worked hard to block any FOIA requests or supeonas that would enlighten us more. The mark of an honest politician or nonprofit. ;)
Here's some more details about the state of security of her private server [0]:
>Outlook Web Access, or OWA, was running on port 80 without SSL (unencrypted)
>Remote Desktop Protocol, port 3389, was exposed through the DMZ (open to anyone on the internet.) This, at the time it was being used, was open to critical vulnerabilities that would allow for remote execution of code.
>VNC Remote Desktop, port 5900, was also exposed through the DMZ.
>SSL VPN used a self-signed certificate. This isn't inherently bad, but left them open for "spearphishing" attacks, which have already been confirmed to be received by Hillary Clinton and her staff
It's also interesting how they responded to attacks on the server [1]:
>Here is the section from page 41 of the report which references an “attack”:
> On January 9, 2011, the non-Departmental advisor to President Clinton who provided technical support to the Clinton email system notified the Secretary’s Deputy Chief of Staff for Operations that he had to shut down the server because he believed “someone was trying to hack us and while they did not get in i didnt [sic] want to let them have the chance to.” Later that day, the advisor again wrote to the Deputy Chief of Staff for Operations, “We were attacked again so I shut [the server] down for a few min.” On January 10, the Deputy Chief of Staff for Operations emailed the Chief of Staff and the Deputy Chief of Staff for Planning and instructed them not to email the Secretary “anything sensitive” and stated that she could “explain more in person.”
This is, in my opinion, the worst part of the story. Anyone who has set up a web-server on the public net knows what happens when you leave ports accessible like this to old, well-known software. There's a good chance people would target her domain/IP looking for exploits and I'd be scared to question just how many people got access to that machine.
I wouldn't say "anyone". Most people, technical or not, have no idea what they're doing when it comes to computer security and don't care enough or take the time to research best practices.
One of the commenters on the Krebs post makes a remarkable point [1]:
"It gets better. Do a dig mx clintonemail.com. You’ll see that the machine’s incoming email was filtered by mxlogic.net, a spam filtering service that works by received all your emails, filtering out the spam, and forwarding you the rest.
This is because the hosting provider, Platte River Network, sold a package along with the hosting. The package included spam filtering and full-disk off-site backup (since then seized by the FBI).
So every email received by Clinton was going through many unsecured places, including a spam filtering queue, a backup appliance and an off-site backup server. Which has already been documented."
"She" did nothing of the sort. She told someone she wanted her email available. They said, ok, we'll just host it ourselves. "Whatever, I want my daily suduko and make sure I stop getting those damn linked-in spams". "Ok boss".
Seriously, how could anyone really believe she specc'd this out herself? Her staff probably threw it together as a MVP with the full intention of revisiting the implementation "really soon".
I have spent some time talking to different people I meet/know who have security clearances.
EVERY one of tells me that if they had done what it appears Hillary did, they would fully expect to be in jail for years.
In researching this, I find that about 4.5 million Americans currently have, and maybe 1.5 million more did have in the past, security clearances.
I find it hard to believe that in Washington DC, surrounded by people with security clearances, this was unintentional and just an accident. It's like Hillary had to look far afield to find people without security clearances so that they would set this up for her.
That's because in the federal government the average employee simply doesn't have the same amount of power nor leeway that a cabinet level executive would. For one, several cabinet level appointees have original classifying authority. No regular employee has that power.
A rank and file employee obviously could not direct anyone to set up a private email server for their correspondence or request that the NSA provide them with a secure blackberry.
> I find it hard to believe that in Washington DC, surrounded by people with security clearances, this was unintentional and just an accident. It's like Hillary had to look far afield to find people without security clearances so that they would set this up for her.
Clinton certainly was wrong here and people certainly told her not to do this. But I don't think it requires malicious intent, just someone not taking the rules/guidelines seriously and/or thinking they have more power than they do.
NARA compliance is something that many people either don't know about or are confused about at State department so I could see how some might not take it as seriously as they should.
I'm sure she and her inner circle rationalized away the security risk because classified materials are not supposed to be sent to public email addresses, there's a separate network for that.
- Executive Order 13526 and 18 U.S.C Sec. 793(f) of the federal code make it unlawful to send of store classified information on personal email.
- Section 1236.22 of the 2009 National Archives and Records Administration (NARA) requirements states that:
“Agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency record keeping system.”
- MSNBC’s Lawrence O’Donnell believes that the use of a personal emails server appears to be a preemptive move, specifically designed to circumvent FOIA:
It's quite possible the law discussed in that article was broken. The author lists the three cases of relevance: (1) whether Clinton knew she was putting classified information into an unclassified system, (2) did she willfully communicate classified information to anyone not authorized to receive it, and (3) did she remove classified information with the intent to retain such documents or materials at an unauthorized location. None of those are settled yet. The headline that "Hillary Clinton didn't break the law" is an opinion, not settled. The author is only citing what Clinton's aides and one government lawyer have said -- those are far from unbiased or conclusive. And after the state department IG's report from yesterday, it is pretty clear the violation was intentional.
It depends your perspective and who you ask. The State Department was directed to draft regulations, as is common, as the result of law. The State Department says that Clinton broke those regulations. By extension, it could be argued that she broke the law.
Department of State employees are supposed to treat any material that even could be classified as extremely sensitive, and not to leave the building. On top of the flagrant disregard for security procedure detailed in this commentary, Clinton routinely shared material with private citizens like Sid Blumenthal, who had no security clearance whatsoever.
For answers to most of your questions about the Clinton email scandal, http://www.thompsontimeline.com/ breaks all the factors in play here down in excruciating detail.
Part of the whole security clearance process is instruction on detecting misclassification, so the :%s/SECRET/SUCRETS/g defense doesn't work. At least 22 emails where later classified as top secret, there is no way to mistake top secret material for uncontrolled information. There were at least 22 chances to take a step back and wonder about the wisdom of the thing.
What do you mean "that server was for only unclassified data"? There was no other server. Clinton had a .gov account but entirely refused to use it. Meaning 100% of the email Clinton sent was sent through her insecure personal server.
Do you believe 100% of her email was entirely unclassified at the time it was sent?
As for innocuous, it's reported that her emails (unsurprisingly) included intelligence from "special access programs" which are actually classified beyond top secret.
I would say that the "3 Felonies a Day" theory applies equally if not even more-so to someone like the Secretary of State. It's probably very hard if not impossible to actually do your job as a high ranking government official and not end up breaking a few laws.
The problem is once said law-breaking becomes widely reported and results in State Department and FBI inquiries, where do you go from there? How can they come back with a recommendation not to prosecute Clinton, but yet they vigorously prosecute people like Aaron Swartz?
However, I do disagree strongly with you that if charges are pressed it has anything to do with her gender. If it were John Kerry who had been SoS when Clinton was, operating kerryemail.com, and he was now running for President, I think we would be in exactly the same position.
Given all the warnings I got when I had a secret clearance back in the 80's about protecting the information and what penalties I faced for not following the rules I've found it unimaginable that the Secretary of State didn't know or didn't care about protecting much higher level secrets.
No nefarious plot. My understanding is that it went roughly like this. Back in 2009 Clinton requested a secure smartphone from the NSA. It's a custom made device (security by obscurity?). Anyway, the president gets one. As the secretary of state she has to travel a lot, and not being able to do email on the road is highly impractical. So she thought she should get one too.
The NSA denied her request for a secure smartphone and gave her some nonsense excuse. She tried a few more times to get one, and then Clinton gave up and ordered somebody to set her up with a private email server. She used this unsecure email server for years. She used it to communicate with top level officials (including the president). That she had this server was common knowledge in the administration. She knew it wasn't secure and she's been very careful not to discuss any classified information over email at all. In a handful of cases she slipped up and some classified information ended up on email anyway.
This is the best case version (for her), and what her camp wants people to believe. Its hard to see that it's true though. The IG report is pretty clear that she willfully violated recommendations and warnings about security.
Perhaps she wasn't furtively planning to take over the world, but the evidence points to more than her just wanting to use a Blackberry - it really seems (to me) like she took significant measures to avoid keeping records.
You're acting like the NSA told her she couldn't have any smartphone, which isn't the story. The story is that the NSA said she couldn't have that smartphone.
Second, it seems to be your argument that she didn't get the IT support she wanted and so it's reasonable she did her own thing. This seems perfectly reasonable if you're trying desperately to give her the benefit of the doubt. Heck, we've all dealt with annoying IT departments!
Except, it's not like that. She was our top diplomat and 4th in line of succession to the presidency. It's a fact that classified information was discussed on the system.
I just can't believe that the best defense is "well, she didn't like the UI of Windows CE and she wanted a Blackberry, and it's not her fault the NSA wouldn't give her one -- so, she did what any of us would do -- she co-opted her husband's private server and paid a State Department employee under the table to manage it outside of the government infrastructure. She also made sure to order her subordinates to keep the email address out of the official State Dept. email registry because she didn't want to risk being forced to disclose anything. And, it's perfectly OK that when her email correspondence was subpoenaed during a FOIA lawsuit brought by Judicial Watch, the State Dept. didn't know to look on this server, and as such they didn't turn over all of the relevant materials until years later, when the private email address was made public and she felt it was OK to release hard copies of 30k emails (promising that among the 32k she deleted were only personal emails about yoga, Chelsea's wedding, etc.).
But, isn't that what we all do when the IT department is unreasonable?"
And those slipups should open her to prosecution under the Espionage Act.
A number of security professionals (I mean security in the government, Information Assurance sense) have told me that if they or I were to do anything like what Secretary Clinton did, we would be liable to be prosecuted.
This narrative doesn't address the fact that Clinton was actively opposed to FOIA requests and had sought means to keep her public work private as much as possible.
Following common sense here, her decision to ignore State Department regulations (which she lied about) and participate in classified communications (which she also lied about) on a private server immediately after she had made efforts to minimize public access to her communications, leads to the obvious conclusion that she put secrecy above transparency. If her narrative in private testimony matches the public one, then she likely perjured herself as well on the point of whether the State Department authorized the server, since they now say they did not (which again, she lied about).
I just don't believe that Hillary Clinton could not get an email account on a government email server and that somehow having exchange at her house with no controls was the last option she had. I can't think of a scenario where a server at her house is better than almost any other option.
I never really understood why the NSA couldn't have provided her with some sort of handheld digital device that wasn't that Windows CE PDA. I also don't understand why Clinton didn't just opt to use it. Having used the WinCE devices before, they're not all that bad to do email on. They're not good, but how much worse would it have been compared to a BB? I used a UT Starcomm PP6700 (or something like that) and I even kinda liked the keypad.
Somewhere in between, just based on experience from spending 1.5 years to get Rahm's phone records. I've received one week so far and now I'm working on getting as much of a sample of his phone records as possible without them invoking their usual "unduly burdensome" rejection [0]. (Hoping to have something published within the next two months or so. Crazy story.)
The level of misinterpretation of FOIA among FOIA officers, lack of domain knowledge, intentional delays and reject-if-possible mentality makes these things very difficult. Total incompetence.
Though, if you find yourself close to something juicy, you can bet your ass a lawyer will swoop in and find something technically wrong to prevent information from being released. Chicago did that to me eight months in by saying "We don't use VoIP, so your request is void." after the state's attorney general's office told Chicago to give me the info. I'd consider this mildly nefarious.
[0] As far as I'm concerned, "unduly burdensome" is just another way of saying "we're not clever enough to get that information, so you're going to have to come up with a clever way on your own, with 1% of the information we have".
"Many journalists have fallen for the conspiracy theory of government. I do assure you that they would produce more accurate work if they adhered to the cock-up theory." -Bernard Ingham
Obvious throwaway account for obvious reasons. I worked at a well known international "activism" type organization. If our data practices ever came to light, the organization wouldn't exist anymore. I promise.
Never underestimate the incompetence even by the largest of organizations.
Depends if you class lobbying as a grand nefarious plot or not. I suspect there's likely to be financial reasons for the private email server in this case.
It is "65 years old wants to skirt the rules and no in her entourage had the skills to do it properly or the balls to tell her it is a bad idea".
In a sense I am sympathetic with her - this is the type of hacking the system we at HN tend to admire. Clinton is "Uber for Email" before it was cool - dislike the rules and current infrastructure - build your own.
It almost sounds like a farce: Clinton gets indicted or loses face due to incompetence relating to the e-mail server scandal, and in her place is elected The Donald, a man who has committed worse transgressions and has the potential to do even worse things when given power.
Frankly, she doesn't sound any more incompetent than even a typical old company c. 2010: think Target, Sony, etc. It would be sad, given that her opponent will likely be Trump, if this scandal sinks her candidacy.
While I care for neither she is the bigger danger because the anti-war left will be silent with her as will many other good activist groups like they are currently silent. A complicit and complacent press and Congress is the reason we have drones killing American's abroad, Manning in jail, Snowden in Russia, Libya in disarray, and a general mess in the Middle East to say the least about increased racial issues in the states. Identity based politics is poison and it shuts down too many groups.
Donald won't catch a break from ANYONE, it will be good to have nearly every group riding the Administrations ass every single day. Let alone he really isn't bound to one party or another and likely will go down the middle and get more things fixed than a party centric politician.
tl;dr the real threat Clinton poses over Trump is that press, Congress, and activist, will be silent against her.
I really want to like Clinton for running her own server, respecting the decentralized basis of the Internet. Yet her domain name was clintonemail.com? What a pleb! Political corruption and murder is her family business, yet even with those capabilities she can't be bothered to obtain a better online identity? She may as well have been at hotmail or gmail and highlighted in blue!
Does this really indicate any private correspondence was printed via the internet? Even if a printer was set up which _was_ writable via this web address, that doesn't mean that emails from the email server itself were printed to that address rather than directly to the device, does it? In fact, presumably the printer and email were hosted on the same server so it doesn't make much sense to me that they would send one to the other via the web address.
It seems like it would be strange to give a printer a DNS name if you didn't intend to talk to it over the internet. If you're directly connected it doesn't need an IP at all.
I think the sniffing threat mentioned is overblown. As one of the commenters mentions, ISPs don't generally allow adjacent IPs to sniff traffic.
A bigger threat is that a vulnerability in the printer may have been exploited. E.g., for a long time most HP printers could have their firmware upgraded by sending them a print job. And so far the cursory look I've taken at various printer firmware has been really alarming – think thousands of calls to strcpy/memcpy and other unsafe friends.
Printer firmware and drivers are the worst. I've integrated with a software package that supplies its own printer drivers because the manufactures can't make a driver that will actually work well.
They constantly screw up the most basic of things. A good test of a network printer is to set it offline, send 20 print jobs to it (a test page is fine), then set it back online. Way too many printers will not print out all 20 print jobs, despite reporting success for all of them (This is true even of $30k printers).
I think you've misread my point. I understand this indicates an intention to talk to the printer over the internet; I don't understand why this would indicate that the emails, specifically, were printed in that manner rather than directly through a local connection. Perhaps the printer was used for printing emails locally but also was made web-accessible as a (misguided) convenience feature for printing other content.
It was on a cable internet connection. Typically that means that everything is broadcast to every customer on the same node (because cable networks are inherently broadcast-only) and the only privacy protection is a crappy 56-bit DES encryption that can be broken with a couple of dollars of compute time.
Any time in the last 10 years I setup an independent email server it had horrible deliverability rates. I wonder how they worked around that. Getting your server whitelisted with all the major providers is a major hassle.
Funny enough, State Department did in fact have issues with clintonemail.com mail ending up in Spam folders! Check the just released State Department report.
Also curious about USB - are there any USB logs and is that something logged by whatever OS her server was running? seems like it would have been really easy for things to move from email to usb...
That's a intersting point. Who knows if she even had a way to do that unless she connected remotely overseas via a secure client . Granted though it'd have to be highly secure
I seem to recall something about a CIA head getting fired because he took a Mac from work home. Does anyone recall details of this? (I tried to find it, and failed.)
Yeah, as important and fascinating as the whole story is, every time I see "ClintonEmail.com," all I can think is that surely the Clintons of all people should have the influence and power to get a hold of just "Clinton.com."
I mean the current owner of clinton.com is some investment firm that could probably do just as well something like ClintonGroup.com or ClintonInvestments.com. If I was her, I would fight for the email address "hillary@clinton.com."
> If I was her, I would fight for the email address "hillary@clinton.com."
How does one "fight for an email address"?
Once you own a domain, you own it. It doesn't matter that it just so happens to be someone else's last name.
She would have had to pay most likely a large sum to the investment firm that already owns clinton.com... and perhaps they aren't interested in selling, or they value the domain too high.
A rough analogy for this situation would be if a company had an "employees must use blackberries" policy, but the CFO of the company outright refused because he wanted to use his iPhone. Are they going to fire the CFO over that? Possible but not likely, especially if he is doing a good job otherwise.
In the same way, the Secretary of State can also refuse to comply with government policy (not law). You can't fire the Secretary of State for using the wrong email server. It just doesn't work that way. The fact that national security is involved does change things, but organizational politics is pretty much the same all over. If Clinton's email server contained the nuclear launch codes or the contents of Area 51 then the government would have handled it differently. It's unlikely that any lasting and serious security threats were exposed.
Among the more disappointing things in all of this is that there is a rational, important conversation to be had about everyday awareness of security and government inflexibility. But there won't be, because she is Hillary Clinton and it is 2016.
Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone. She (I personally believe) was likely ignorant of many of the security requirements of such a server (even one set up for unclassified e-mail), as was whoever set it up. And no-one on her staff either knew enough or was willing enough to say anything. She is also supposedly not the first Secretary of State to have an arrangement of this nature.
This feels like the very definition of systematic failure and clearly needs to change. But the conversation is almost exclusively based around a) her having nefarious motivations, because she is Hillary Clinton, or b) this all being a Republican plot to derail the Democratic candidate for President.
It's all very depressing.
Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone.
Baloney. She was the second most powerful person in the US government. If she couldn't get them to provide modern secure communications, she had the ear of the one who could.
If it was as you say, and truly that systemic a problem, then indeed heads should politically roll - starting from the top, which means her.
Handling national secrets on a cheap generic PC in one's bathroom because a subordinate huge-budget agency won't cooperate is a sign of gross incompetence on many levels. If jail time is what it's going to take to motivate people to get this systemic problem solved, them so be it. The standards are obvious, and ominously violated to a dangerous degree.
Here are the results from the FOIA request that underlie that statement. The NSA certainly pushed back. https://www.judicialwatch.org/press-room/press-releases/judi...
3 replies →
Ever work in a really large oraganization and try to demand something from some far-flung other division? Not so easy.
She shouldn't have set up her own server. And the NSA should have been more sensitive to how important mobile email is to a modern diplomat.
1 reply →
The NSA isn't subordinate to the State Dept.
>> She is also supposedly not the first Secretary of State to have an arrangement of this nature.
http://www.politifact.com/truth-o-meter/statements/2016/mar/...
Politifact rates this idea mostly false.
They rated the statement 'my predecessors did the exact same thing' mostly false. Editorial choice -- they could have rated the statement 'none of my predecessors followed proper procedure for email either' and found it true.
Powell maintained his own email but without the server in his house, Rice claims she avoided all email, so we have exactly 0 secretaries of state who've handled email 'the right way' in 220-some-odd years of this fine country.
2 replies →
Indeed. I believe she should be investigated and prosecuted for this, but I nevertheless think it remains a mostly credible claim with respect to Powell. If I understand correctly, Politifact makes the argument that Powell used a personal e-mail address at an established service whereas Clinton installed her own mail server.
As someone who believes strongly in revitalizing self-hosting, I find focusing on Hillary's use of a personal mail server (and not on the fact that it was not an official e-mail account, full stop) to be unfairly marginalizing personal mail servers or personal servers in general. There's nothing wrong about running your own mail server. The problem is running your own mail server to give yourself a personal e-mail account to use in your job as Secretary of State. But the key part is using a personal e-mail account for your job that involves dealing with highly sensitive and classified materials—an action that would get most government employees fired if not imprisoned.
7 replies →
I've almost entirely given up on conversations in HN threads, but the recent State Dept Inspector General's report concludes that after the server was found to be compromised, the staffers who found the issue were told to never speak of it again.
This wasn't just poor IT security, this was willful ignorance of the consequences of state secrets being in the open. It is incredibly likely she was targeted by foreign intelligence. And perhaps Russia found it useful that no one was talking about their impending invasion of Ukraine or Iran learned how desperate the administration was to cut a deal? There were a thousand ways this could have undercut US foreign policy, which has recently been disastrous (Like when Hillary hung up the phone on her Russian counterpart in 2012 when Russia was trying to negotiate a peaceful conclusion in Syria - according to the Wikileaks embassy cables).
> This wasn't just poor IT security, this was willful ignorance of the consequences of state secrets being in the open.
To be clear, this was unclassified email. Classified email is on a separate network.
Certainly having access to the Secretary of State's unclassified emails could yield valuable intelligence insights but these are not emails that are going to contain "secrets" per se.
2 replies →
I agree with this, but the failure is one of the government to "train" its appointed/elected members adequately. It should never be acceptable for STATE to conduct official business over private email, that just just be the rule. And while previous secretaries have also "worked around it" it is something the FBI should intervene on and enforce. The pressure of it being hard to do can lead to better funding/resources on making it easier to use, but the going in position should be "You shall not ... and if you do we're coming after you."
"And no-one on her staff ... was willing to say anything
Doesn't seem to square with:
http://www.computerworld.com/article/3075347/government-it/s...
What's the rationale for not giving everyone secure smartphones? And I mean high-ranking officials, SoS certainly ranks considering how much she/he is in foreign countries with foreign leaders. Can someone in the know explain why the NSA would deny such requests?
Difficult to know for sure. Obama had one, Rice previously used one, but:
The NSA refused to give Clinton a device similar to the one used by Obama: a modified BlackBerry 8830 World Edition with additional cryptography installed. And while Clinton's predecessor Condaleeza Rice had obtained waivers for herself and her staff to use BlackBerry devices, Clinton's staff was told that "use [of the BlackBerry] expanded to an unmanageable number of users from a security perspective, so those waivers were phased out and BlackBerry use was not allowed in her Suite,"[1]
This being Clinton there are probably conspiracy theories (the NSA is out to get her!) but I suspect they simply didn't want to have to deal with it, and had the ability to say no. So they did.
[1] http://arstechnica.com/information-technology/2016/03/nsa-re...
6 replies →
In all fairness, Obama's use of a smartphone was unprecedented. I read (but cannot find a reasonable source now) that Obama's Blackberry was tethered to a private base station, not any kind of public network, cellular or otherwise. So "secure smartphone" is a term that really means "secure infrastructure".
That infrastructure simply isn't scaleable.
[Edit: See this HN comment for sources. https://news.ycombinator.com/item?id=11306380]
1 reply →
I liked where I _thought_ you were going with that. Why not give ALL OF US secure smartphones. Indeed. Indeed.
1 reply →
Probably because they know how to pwn all of them, and are certain they are insecure or an absolute nightmare to secure.
1 reply →
Actually no, we're fortunate this isn't happening in 2017, or 2018. We can still keep her out of office, and we should, on moral grounds, not party grounds.
Unfortunately, the alternatives to her aren't that great either. I'm hedging my bets until November, hoping some sort of miracle happens. Hoping this election invokes the 12th amendment and goes to the house. I feel none of the current candidates would be eligible and we'd get a fresh start.
Sweet Meteor of Death 2016!
The house would be the opposite of a fresh start, and would likely hand it to Trump (or whatever right-leaning 'independent' might happen to show up).
1 reply →
>Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone.
She didn't want the one they offered her, which was an older-style Windows Mobile phone. As the emails frequently note, she is not a "computer person", she knew how to work one kind of device for accessing email and refused to use anything different. They offered her a secure computer with a dedicated outside line even inside State, but her handlers thought she wouldn't even be able to deal with the concept of accessing her email on a PC rather than a Blackberry. I am not bashing Clinton here, I am just reading back the stuff from the emails that was on JudicialWatch.
What's "depressing" to me is that I have had to handle classified material in the past and there's zero doubt what would happen to me if I handled this shit like her and her staff did, but there's going to be zero material consequences for her. I kind of feel like there's two sets of law books, ones for peons like me, and ones for special people like her.
If our Secretary of State and would-be President can't be bothered to learn how to read email on a PC, even (especially) for the sake of information security, I think that deserves a little bashing.
1 reply →
>Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone.
I have a very hard time believing that the 3rd (possibly 2nd) highest person in the US government couldn't get their IT requests fulfilled.
The NSA is not beholden to the State Department so they could very easily have told her no. Even between different branches of the Armed Forces there is limited ability to force the issue if another branch doesn't want to do something.
It's not A or B. They are not mutually exclusive. She can be evil and the subject of a plot. In fact, given that she is a politician, A is a most certainly true. And given that she is a candidate for president, so is B.
> She is also supposedly not the first Secretary of State to have an arrangement of this nature.
Careful with the phrasing - it has been said others have used "private e-mail" but that is, to me, not the same as setting up a server and using it exclusively.
Do you know anybody with their own home email server?
Maybe it was rhetorical but I know dozens of people with home email servers. I set up my first one, personally, in 1997.
1 reply →
I think it's one thing to have run your own email server back in the early 2000's and doing the same in the mid teens. There is much more sophistication in terms of adversarial means and methods as well as sheer number of adversaries --as well as "education" about security.
> This feels like the very definition of systematic failure and clearly needs to change.
> It's all very depressing.
Not at all.
Because of this fiasco, every clown with political aspirations will be using an approved and encrypted system instead of rolling their own garbage.
What about the threat of the agency who secures the system simulateously compromising it in order to gain blackmail material on its user?
6 replies →
She knew what she was doing
No, she didn't, on many levels. Her underlings should have known better, but if a 68-year-old politician knew anything about internet security practices, I'd vote for them!
18 replies →
>It's all very depressing.
It's not if you don't think about it. And given how it's not personal, that can be done.
> Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone.
That would have made it more difficult for the NSA to spy on her. I know this sounds cynical, but really, do you think the NSA doesn't spy on our government officials?
This isn't about a secure smartphone, because you can't use a secure smartphone on insecure networks, like with regular email.
Re smartphone NSA refused to let her use a specific phone. There were several smartphones and certified solutions available. Hillary only wanted Blackberry. Quite opposite of your statement.
Re nefarious motivations. The server and its location weren't just used for diplomatic stuff. There are nefarious things going on. She worked hard to block any FOIA requests or supeonas that would enlighten us more. The mark of an honest politician or nonprofit. ;)
Ignorance of the law is not a defense.
much has been said and what comes to mind first is: sheep are sheep.
Please stop posting unsubstantive comments.
1 reply →
So does this make Trump a more qualified candidate now?
No?
Here's some more details about the state of security of her private server [0]:
>Outlook Web Access, or OWA, was running on port 80 without SSL (unencrypted)
>Remote Desktop Protocol, port 3389, was exposed through the DMZ (open to anyone on the internet.) This, at the time it was being used, was open to critical vulnerabilities that would allow for remote execution of code.
>VNC Remote Desktop, port 5900, was also exposed through the DMZ.
>SSL VPN used a self-signed certificate. This isn't inherently bad, but left them open for "spearphishing" attacks, which have already been confirmed to be received by Hillary Clinton and her staff
It's also interesting how they responded to attacks on the server [1]:
>Here is the section from page 41 of the report which references an “attack”:
> On January 9, 2011, the non-Departmental advisor to President Clinton who provided technical support to the Clinton email system notified the Secretary’s Deputy Chief of Staff for Operations that he had to shut down the server because he believed “someone was trying to hack us and while they did not get in i didnt [sic] want to let them have the chance to.” Later that day, the advisor again wrote to the Deputy Chief of Staff for Operations, “We were attacked again so I shut [the server] down for a few min.” On January 10, the Deputy Chief of Staff for Operations emailed the Chief of Staff and the Deputy Chief of Staff for Planning and instructed them not to email the Secretary “anything sensitive” and stated that she could “explain more in person.”
[0] https://np.reddit.com/r/politics/comments/4j2r94/judicial_wa...
[1] http://lawnewz.com/high-profile/clinton-tech-says-private-em...
Ah yes, the classic 'shut it down for a few minutes' defense. Stops 'em every time.
"i didnt [sic] want to let them have the chance to"
Can you imagine if this was how Google and Amazon handled security?
1 reply →
This is, in my opinion, the worst part of the story. Anyone who has set up a web-server on the public net knows what happens when you leave ports accessible like this to old, well-known software. There's a good chance people would target her domain/IP looking for exploits and I'd be scared to question just how many people got access to that machine.
I wouldn't say "anyone". Most people, technical or not, have no idea what they're doing when it comes to computer security and don't care enough or take the time to research best practices.
2 replies →
haha amazing
the government should have a bug bounty program instead of the current hacker pogrom
One of the commenters on the Krebs post makes a remarkable point [1]:
"It gets better. Do a dig mx clintonemail.com. You’ll see that the machine’s incoming email was filtered by mxlogic.net, a spam filtering service that works by received all your emails, filtering out the spam, and forwarding you the rest.
This is because the hosting provider, Platte River Network, sold a package along with the hosting. The package included spam filtering and full-disk off-site backup (since then seized by the FBI).
So every email received by Clinton was going through many unsecured places, including a spam filtering queue, a backup appliance and an off-site backup server. Which has already been documented."
http://krebsonsecurity.com/2016/05/did-the-clinton-email-ser...
Haha yeah I've actually seen her supporters claim the MX filtering meant it was "secure"! facepalm
oh my god, this is depressing sad.
She could have hired a team of machine learning grad students to build her a personalized spam filter.
but she went with the cheapest option.
this is going to keep me upset for a while.
"She" did nothing of the sort. She told someone she wanted her email available. They said, ok, we'll just host it ourselves. "Whatever, I want my daily suduko and make sure I stop getting those damn linked-in spams". "Ok boss".
Seriously, how could anyone really believe she specc'd this out herself? Her staff probably threw it together as a MVP with the full intention of revisiting the implementation "really soon".
And then they lost interest.
3 replies →
> She could have hired a team of machine learning grad students to build her a personalized spam filter.
Or instead of reinventing the wheel, installed an existing spam detection product like SpamAssassin on the email server.
2 replies →
I have spent some time talking to different people I meet/know who have security clearances.
EVERY one of tells me that if they had done what it appears Hillary did, they would fully expect to be in jail for years.
In researching this, I find that about 4.5 million Americans currently have, and maybe 1.5 million more did have in the past, security clearances.
I find it hard to believe that in Washington DC, surrounded by people with security clearances, this was unintentional and just an accident. It's like Hillary had to look far afield to find people without security clearances so that they would set this up for her.
That's because in the federal government the average employee simply doesn't have the same amount of power nor leeway that a cabinet level executive would. For one, several cabinet level appointees have original classifying authority. No regular employee has that power.
A rank and file employee obviously could not direct anyone to set up a private email server for their correspondence or request that the NSA provide them with a secure blackberry.
> I find it hard to believe that in Washington DC, surrounded by people with security clearances, this was unintentional and just an accident. It's like Hillary had to look far afield to find people without security clearances so that they would set this up for her.
Clinton certainly was wrong here and people certainly told her not to do this. But I don't think it requires malicious intent, just someone not taking the rules/guidelines seriously and/or thinking they have more power than they do.
NARA compliance is something that many people either don't know about or are confused about at State department so I could see how some might not take it as seriously as they should.
I'm sure she and her inner circle rationalized away the security risk because classified materials are not supposed to be sent to public email addresses, there's a separate network for that.
The emails themselves sent from Clinton's server were unencrypted for several months, so unencrypted printing is just more of the same.
There's no reasonable question anymore that laws on handling classified data were broken, the only question is will charges actually be brought?
What laws regarding handling classified information were broken?
http://www.latimes.com/opinion/op-ed/la-oe-0330-mcmanus-clin...
Here are the two obvious one, and another one that's well. . . more in the vein of the Clinton's being the Clinton's IMHO.
http://www.ijreview.com/2015/03/264655-3-federal-laws-hillar...
- Executive Order 13526 and 18 U.S.C Sec. 793(f) of the federal code make it unlawful to send of store classified information on personal email.
- Section 1236.22 of the 2009 National Archives and Records Administration (NARA) requirements states that:
“Agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency record keeping system.”
- MSNBC’s Lawrence O’Donnell believes that the use of a personal emails server appears to be a preemptive move, specifically designed to circumvent FOIA:
8 replies →
It's quite possible the law discussed in that article was broken. The author lists the three cases of relevance: (1) whether Clinton knew she was putting classified information into an unclassified system, (2) did she willfully communicate classified information to anyone not authorized to receive it, and (3) did she remove classified information with the intent to retain such documents or materials at an unauthorized location. None of those are settled yet. The headline that "Hillary Clinton didn't break the law" is an opinion, not settled. The author is only citing what Clinton's aides and one government lawyer have said -- those are far from unbiased or conclusive. And after the state department IG's report from yesterday, it is pretty clear the violation was intentional.
10 replies →
It depends your perspective and who you ask. The State Department was directed to draft regulations, as is common, as the result of law. The State Department says that Clinton broke those regulations. By extension, it could be argued that she broke the law.
Assuming the data was classified (HRC has stated that it was not), what laws were broken?
Department of State employees are supposed to treat any material that even could be classified as extremely sensitive, and not to leave the building. On top of the flagrant disregard for security procedure detailed in this commentary, Clinton routinely shared material with private citizens like Sid Blumenthal, who had no security clearance whatsoever.
For answers to most of your questions about the Clinton email scandal, http://www.thompsontimeline.com/ breaks all the factors in play here down in excruciating detail.
1 reply →
That server was for only unclassified data though. Some stuff was later called "Classified", but many innocuous things are classified.
Part of the whole security clearance process is instruction on detecting misclassification, so the :%s/SECRET/SUCRETS/g defense doesn't work. At least 22 emails where later classified as top secret, there is no way to mistake top secret material for uncontrolled information. There were at least 22 chances to take a step back and wonder about the wisdom of the thing.
5 replies →
What do you mean "that server was for only unclassified data"? There was no other server. Clinton had a .gov account but entirely refused to use it. Meaning 100% of the email Clinton sent was sent through her insecure personal server.
Do you believe 100% of her email was entirely unclassified at the time it was sent?
As for innocuous, it's reported that her emails (unsurprisingly) included intelligence from "special access programs" which are actually classified beyond top secret.
3 replies →
I was unaware the clintonemail.com email server could differentiate between unclassified and classified content.
7 replies →
There are numerous more egregious cases of senior US political officials breaking the law and/or violating their constitution with no consequences.
If charges are pressed in this case it'll be because of her gender.
I would say that the "3 Felonies a Day" theory applies equally if not even more-so to someone like the Secretary of State. It's probably very hard if not impossible to actually do your job as a high ranking government official and not end up breaking a few laws.
The problem is once said law-breaking becomes widely reported and results in State Department and FBI inquiries, where do you go from there? How can they come back with a recommendation not to prosecute Clinton, but yet they vigorously prosecute people like Aaron Swartz?
However, I do disagree strongly with you that if charges are pressed it has anything to do with her gender. If it were John Kerry who had been SoS when Clinton was, operating kerryemail.com, and he was now running for President, I think we would be in exactly the same position.
Because of her gender? No way.
Because she's unpopular with a large segment of the population, and therefore has less political cover than some of those other people? Maybe.
Because we're getting less tolerant of "senior officials" who can ignore the rules? Hopefully that.
Does Poe's law apply here?
Given all the warnings I got when I had a secret clearance back in the 80's about protecting the information and what penalties I faced for not following the rules I've found it unimaginable that the Secretary of State didn't know or didn't care about protecting much higher level secrets.
This story just keeps getting better. There is either a grand nefarious plot, or worse, horrific incompetence. I just can't find a third possibility.
No nefarious plot. My understanding is that it went roughly like this. Back in 2009 Clinton requested a secure smartphone from the NSA. It's a custom made device (security by obscurity?). Anyway, the president gets one. As the secretary of state she has to travel a lot, and not being able to do email on the road is highly impractical. So she thought she should get one too.
The NSA denied her request for a secure smartphone and gave her some nonsense excuse. She tried a few more times to get one, and then Clinton gave up and ordered somebody to set her up with a private email server. She used this unsecure email server for years. She used it to communicate with top level officials (including the president). That she had this server was common knowledge in the administration. She knew it wasn't secure and she's been very careful not to discuss any classified information over email at all. In a handful of cases she slipped up and some classified information ended up on email anyway.
This is the best case version (for her), and what her camp wants people to believe. Its hard to see that it's true though. The IG report is pretty clear that she willfully violated recommendations and warnings about security.
I'm inclined to believe accounts like this: https://news.ycombinator.com/item?id=9149363
Perhaps she wasn't furtively planning to take over the world, but the evidence points to more than her just wanting to use a Blackberry - it really seems (to me) like she took significant measures to avoid keeping records.
2 replies →
You're acting like the NSA told her she couldn't have any smartphone, which isn't the story. The story is that the NSA said she couldn't have that smartphone.
Second, it seems to be your argument that she didn't get the IT support she wanted and so it's reasonable she did her own thing. This seems perfectly reasonable if you're trying desperately to give her the benefit of the doubt. Heck, we've all dealt with annoying IT departments!
Except, it's not like that. She was our top diplomat and 4th in line of succession to the presidency. It's a fact that classified information was discussed on the system.
I just can't believe that the best defense is "well, she didn't like the UI of Windows CE and she wanted a Blackberry, and it's not her fault the NSA wouldn't give her one -- so, she did what any of us would do -- she co-opted her husband's private server and paid a State Department employee under the table to manage it outside of the government infrastructure. She also made sure to order her subordinates to keep the email address out of the official State Dept. email registry because she didn't want to risk being forced to disclose anything. And, it's perfectly OK that when her email correspondence was subpoenaed during a FOIA lawsuit brought by Judicial Watch, the State Dept. didn't know to look on this server, and as such they didn't turn over all of the relevant materials until years later, when the private email address was made public and she felt it was OK to release hard copies of 30k emails (promising that among the 32k she deleted were only personal emails about yoga, Chelsea's wedding, etc.).
But, isn't that what we all do when the IT department is unreasonable?"
And those slipups should open her to prosecution under the Espionage Act.
A number of security professionals (I mean security in the government, Information Assurance sense) have told me that if they or I were to do anything like what Secretary Clinton did, we would be liable to be prosecuted.
12 replies →
This narrative doesn't address the fact that Clinton was actively opposed to FOIA requests and had sought means to keep her public work private as much as possible.
Following common sense here, her decision to ignore State Department regulations (which she lied about) and participate in classified communications (which she also lied about) on a private server immediately after she had made efforts to minimize public access to her communications, leads to the obvious conclusion that she put secrecy above transparency. If her narrative in private testimony matches the public one, then she likely perjured herself as well on the point of whether the State Department authorized the server, since they now say they did not (which again, she lied about).
3 replies →
Do you have any sources for that?
The story I keep hearing is that she had this set up to make FOIA requests more difficult/impossible to fulfil.
The really out there stuff is that this was to hide any cash-for-favors exchanges that happened with relation to The Clinton Foundation.
9 replies →
I just don't believe that Hillary Clinton could not get an email account on a government email server and that somehow having exchange at her house with no controls was the last option she had. I can't think of a scenario where a server at her house is better than almost any other option.
8 replies →
I never really understood why the NSA couldn't have provided her with some sort of handheld digital device that wasn't that Windows CE PDA. I also don't understand why Clinton didn't just opt to use it. Having used the WinCE devices before, they're not all that bad to do email on. They're not good, but how much worse would it have been compared to a BB? I used a UT Starcomm PP6700 (or something like that) and I even kinda liked the keypad.
http://arstechnica.com/information-technology/2016/03/this-i...
1 reply →
That's the most believable version I've heard so far by a long shot.
Somewhere in between, just based on experience from spending 1.5 years to get Rahm's phone records. I've received one week so far and now I'm working on getting as much of a sample of his phone records as possible without them invoking their usual "unduly burdensome" rejection [0]. (Hoping to have something published within the next two months or so. Crazy story.)
The level of misinterpretation of FOIA among FOIA officers, lack of domain knowledge, intentional delays and reject-if-possible mentality makes these things very difficult. Total incompetence.
Though, if you find yourself close to something juicy, you can bet your ass a lawyer will swoop in and find something technically wrong to prevent information from being released. Chicago did that to me eight months in by saying "We don't use VoIP, so your request is void." after the state's attorney general's office told Chicago to give me the info. I'd consider this mildly nefarious.
[0] As far as I'm concerned, "unduly burdensome" is just another way of saying "we're not clever enough to get that information, so you're going to have to come up with a clever way on your own, with 1% of the information we have".
"Many journalists have fallen for the conspiracy theory of government. I do assure you that they would produce more accurate work if they adhered to the cock-up theory." -Bernard Ingham
Seems similar to Hanlon's Razor:
https://en.m.wikipedia.org/wiki/Hanlon%27s_razor
1 reply →
It's both. The security aspect is incompetence. The idea of having it external is deliberate to avoid FOIA.
Obvious throwaway account for obvious reasons. I worked at a well known international "activism" type organization. If our data practices ever came to light, the organization wouldn't exist anymore. I promise.
Never underestimate the incompetence even by the largest of organizations.
Depends if you class lobbying as a grand nefarious plot or not. I suspect there's likely to be financial reasons for the private email server in this case.
It is neither. It is just standard 'incompetence'; this is really '65 year old doesn't understand computers' ; details @ 11
It is "65 years old wants to skirt the rules and no in her entourage had the skills to do it properly or the balls to tell her it is a bad idea".
In a sense I am sympathetic with her - this is the type of hacking the system we at HN tend to admire. Clinton is "Uber for Email" before it was cool - dislike the rules and current infrastructure - build your own.
It almost sounds like a farce: Clinton gets indicted or loses face due to incompetence relating to the e-mail server scandal, and in her place is elected The Donald, a man who has committed worse transgressions and has the potential to do even worse things when given power.
Frankly, she doesn't sound any more incompetent than even a typical old company c. 2010: think Target, Sony, etc. It would be sad, given that her opponent will likely be Trump, if this scandal sinks her candidacy.
While I care for neither she is the bigger danger because the anti-war left will be silent with her as will many other good activist groups like they are currently silent. A complicit and complacent press and Congress is the reason we have drones killing American's abroad, Manning in jail, Snowden in Russia, Libya in disarray, and a general mess in the Middle East to say the least about increased racial issues in the states. Identity based politics is poison and it shuts down too many groups.
Donald won't catch a break from ANYONE, it will be good to have nearly every group riding the Administrations ass every single day. Let alone he really isn't bound to one party or another and likely will go down the middle and get more things fixed than a party centric politician.
tl;dr the real threat Clinton poses over Trump is that press, Congress, and activist, will be silent against her.
1 reply →
> The Donald, a man who has committed worse transgressions and has the potential to do even worse things when given power.
You are overestimating Trump and underestimating Hillary.
She has no one to blame but herself.
You really believe this garbage?
Worry not. Any democrat candidate on the ballet will beat trump. You can't win an election on the rich, white, male vote.
2 replies →
It's a vast right wing conspiracy. All the scandals...over her 30 year public career. Nothing to see here. /sarc
I really want to like Clinton for running her own server, respecting the decentralized basis of the Internet. Yet her domain name was clintonemail.com? What a pleb! Political corruption and murder is her family business, yet even with those capabilities she can't be bothered to obtain a better online identity? She may as well have been at hotmail or gmail and highlighted in blue!
If I remember correctly, Sarah Palin used a Yahoo account to do some of her business as Alaska's governor.
EDIT: Found it, yeap, Yahoo: http://thecaucus.blogs.nytimes.com/2008/09/17/palins-e-mail-...
That's not as bad as Colin Powell, who used AOL while serving as Secretary of State.
And of course it also was hacked by, you guessed it, Guccifer.
Does this really indicate any private correspondence was printed via the internet? Even if a printer was set up which _was_ writable via this web address, that doesn't mean that emails from the email server itself were printed to that address rather than directly to the device, does it? In fact, presumably the printer and email were hosted on the same server so it doesn't make much sense to me that they would send one to the other via the web address.
It seems like it would be strange to give a printer a DNS name if you didn't intend to talk to it over the internet. If you're directly connected it doesn't need an IP at all.
I think the sniffing threat mentioned is overblown. As one of the commenters mentions, ISPs don't generally allow adjacent IPs to sniff traffic.
A bigger threat is that a vulnerability in the printer may have been exploited. E.g., for a long time most HP printers could have their firmware upgraded by sending them a print job. And so far the cursory look I've taken at various printer firmware has been really alarming – think thousands of calls to strcpy/memcpy and other unsafe friends.
Edit: Here's a reference for firmware upgrade via print job: http://www.internetsociety.org/sites/default/files/03_4_0.pd...
Edit2: Also, when I say "firmware upgrade" I mean arbitrary code – it wasn't verifying a digital signature or anything.
Printer firmware and drivers are the worst. I've integrated with a software package that supplies its own printer drivers because the manufactures can't make a driver that will actually work well.
They constantly screw up the most basic of things. A good test of a network printer is to set it offline, send 20 print jobs to it (a test page is fine), then set it back online. Way too many printers will not print out all 20 print jobs, despite reporting success for all of them (This is true even of $30k printers).
I think you've misread my point. I understand this indicates an intention to talk to the printer over the internet; I don't understand why this would indicate that the emails, specifically, were printed in that manner rather than directly through a local connection. Perhaps the printer was used for printing emails locally but also was made web-accessible as a (misguided) convenience feature for printing other content.
It was on a cable internet connection. Typically that means that everything is broadcast to every customer on the same node (because cable networks are inherently broadcast-only) and the only privacy protection is a crappy 56-bit DES encryption that can be broken with a couple of dollars of compute time.
Just the idea that this configuration may have existed is a red flag for me on what other configuration choices may have been made.
Any time in the last 10 years I setup an independent email server it had horrible deliverability rates. I wonder how they worked around that. Getting your server whitelisted with all the major providers is a major hassle.
http://www.mail-tester.com/ is a good resource to use to help with this.
Funny enough, State Department did in fact have issues with clintonemail.com mail ending up in Spam folders! Check the just released State Department report.
The US government should give Guccifer the Medal of Honour. This is a farce.
Also curious about USB - are there any USB logs and is that something logged by whatever OS her server was running? seems like it would have been really easy for things to move from email to usb...
That's a intersting point. Who knows if she even had a way to do that unless she connected remotely overseas via a secure client . Granted though it'd have to be highly secure
I seem to recall something about a CIA head getting fired because he took a Mac from work home. Does anyone recall details of this? (I tried to find it, and failed.)
John Deutch?
https://fas.org/irp/cia/product/ig_deutch.html
Yeah, that was it. Thanks.
Bernie 2016?
Am I the only one who dislikes the domain name itself? Every time I see it, I read it as "Clint One Mail", not "Clinton Email".
Yeah, as important and fascinating as the whole story is, every time I see "ClintonEmail.com," all I can think is that surely the Clintons of all people should have the influence and power to get a hold of just "Clinton.com."
I mean the current owner of clinton.com is some investment firm that could probably do just as well something like ClintonGroup.com or ClintonInvestments.com. If I was her, I would fight for the email address "hillary@clinton.com."
Then again, I'm a programmer, not a politician.
> If I was her, I would fight for the email address "hillary@clinton.com."
How does one "fight for an email address"?
Once you own a domain, you own it. It doesn't matter that it just so happens to be someone else's last name.
She would have had to pay most likely a large sum to the investment firm that already owns clinton.com... and perhaps they aren't interested in selling, or they value the domain too high.
Other very serious concerns:
1. Was it running RAID? If so, what level? Better not be RAID 5. Horrible write speed.
2. Let's REALLY dig into the DNS. What about reverse lookups and CNAMEs.
3. Any idea what the screensaver was? I'll reserve judgement until I have some confirmation.
4. NIC driver version: Hearing that she just ran a generic MS driver for the Intel dual network card. Unbelievable.
Is your point that the published details are irrelevant? Because if so, I very much disagree. You can ignore the details if you want.
Yes, let's look at all the dns records created, edited, removed and theorize all possible devices that could have been connected or not.
Wouldn't a better rendering of all of this be a video from Taiwanese animation?
A rough analogy for this situation would be if a company had an "employees must use blackberries" policy, but the CFO of the company outright refused because he wanted to use his iPhone. Are they going to fire the CFO over that? Possible but not likely, especially if he is doing a good job otherwise.
In the same way, the Secretary of State can also refuse to comply with government policy (not law). You can't fire the Secretary of State for using the wrong email server. It just doesn't work that way. The fact that national security is involved does change things, but organizational politics is pretty much the same all over. If Clinton's email server contained the nuclear launch codes or the contents of Area 51 then the government would have handled it differently. It's unlikely that any lasting and serious security threats were exposed.