Asking the Right Questions in EmailGate

 

I’m curious how dangerous the tech-savvy Ricochetti believe that clintonemail.com was. Perhaps a better way to put it: What is the scale and scope of that danger?

My biggest concern is how compromised our *.gov email systems were by Hillary’s rogue operation. Once I thought of the recent State.gov exploit — in conjunction with the revelation of Hillary’s private server — other worries came to mind over the last few days:

  • Hillary’s own emails pose a smaller security risk than those of her staff. In my experience, it’s often low-level staff who open the door to email-driven breaches. They’re easier to tempt into opening “WHSalary.xls” files or juicy-looking links.
  • I wonder if the Clintonistas have any idea if clintonemail.com was breached. If they did, however, it would be a great reason to delete mail, destroy the server, etc. She can survive non-disclosure; she can’t survive having allowed Russians, Chinese, or both, to use clintonemail.com to attack the government.
  • Were any *.gov defenses lowered to accommodate this separate operation? For example, did state.gov treat clintonemail.com as a trusted domain?
  • Even if clintonemail.com wasn’t in *.gov domains via a trust, payloads in attachments or links are notoriously hard to vet. So long as attachments or links were allowed, spoofing *.gov account holders via what looked like Hillary and staff mails was possible (e.g., Name appears as Hillary Clinton, but it’s really a clintonemail.com account controlled by another).

Any other ideas about what went down and what to ask?
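
Added example (not part of the original post, and not any agency's actual filter): a receiving-gateway check for the scenario in the last bullet, where the display name is a protected person but the address is a different account on a domain the gateway trusts. The names, domains, policy tables and sample messages are constructed assumptions.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

def normalize_name(name):
    """Fold case, accents, punctuation and word order, so 'PRINCIPAL, Jane'
    and 'Jane Principal' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    kept = "".join(c if c.isalnum() else " "
                   for c in decomposed if not unicodedata.combining(c))
    return " ".join(sorted(kept.casefold().split()))

# Constructed policy: domains the gateway trusts, and the exact addresses
# each protected display name is allowed to send from.
TRUSTED_DOMAINS = {"agency.example", "private-mail.example"}
PINNED = {
    normalize_name("Jane Principal"): {
        "jp@private-mail.example",
        "jane.principal@agency.example",
    },
}

def classify(raw_message):
    """Classify one message by its header From.

    Only the display-name/address pairing is checked. Whether the address
    itself is authentic is a separate question (SPF/DKIM/DMARC results).
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    domain_trusted = domain in TRUSTED_DOMAINS
    allowed = PINNED.get(normalize_name(display))
    if allowed is None:
        verdict = "trusted-domain" if domain_trusted else "external"
    elif addr in allowed:
        verdict = "pinned-sender"
    else:
        # Protected name on an unpinned address: flag it even when the
        # domain is trusted, which is the case a domain allowlist misses.
        verdict = "impersonation-suspect"
    return {"address": addr, "domain_trusted": domain_trusted,
            "verdict": verdict}

# Constructed sample messages (not real mail).
SAMPLES = [
    'From: "Jane Principal" <jp@private-mail.example>\nSubject: a\n\nhi',
    'From: "Jane Principal" <jane.p2@private-mail.example>\nSubject: b\n\nhi',
    'From: "PRINCIPAL, Jane" <jp@freemail.example>\nSubject: c\n\nhi',
    'From: "Staff Member" <staff@agency.example>\nSubject: d\n\nhi',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

The second sample is the bullet's case: the domain allowlist alone would pass it, and only the per-address pin flags it.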

There are 29 comments.

  1. DocJay Inactive
    DocJay
    @DocJay

    I’m curious if we will ever find out. Huma was compromised somehow is my guess.

    • #1
  2. Fricosis Guy Listener
    Fricosis Guy
    @FricosisGuy

    DocJay: I’m curious if we will ever find out. Huma was compromised somehow is my guess.

    Yes. For example, someone could’ve spoofed her account, then sent a mail with a lurid subject and attachment. Say “I can’t believe you’re texting pic again!” with a picture. Or what appears to be a picture.

    At least one person wouldn’t be able to resist.

    • #2
  3. user_1126573 Member
    user_1126573
    @

    My question is about the vetting of the administrators of the server and “home-brew” email system. They would have access to highly classified information in Clinton’s emails. They would need very high security clearance to legally have that type of access. I’m guessing they did not have the proper clearance to have the access that Clinton gave to them. This should be investigated.

    • #3
  4. Nick Stuart Inactive
    Nick Stuart
    @NickStuart

    We still don’t know who hired Craig Livingstone. We’re never going to get the straight story about this, or foreign contributions, etc etc.

    • #4
  5. Vance Richards Member
    Vance Richards
    @VanceRichards

    Security is only a part of the problem. Transparency is the other issue. When a government committee is doing an internal investigation, the person whom they are investigating can’t be the one to decide which emails the committee can see and which ones can be destroyed.

    • #5
  6. neutral observer Thatcher
    neutral observer
    @neutralobserver

    Where was the physical server?  Not in Hillary’s basement.  Somewhere in some server farm that could be anywhere in the world.  Under someone’s control, but whose?

    • #6
  7. Ricochet Moderator
    Ricochet
    @OldBathos

    If it were an issue of security, the patriotic former Secretary of State would insist on a full-on inspection by cyber security gurus to see if there were evidence of a breach so the U.S. would know what others may know. But HRC’s priorities don’t run in that direction.

    Worse, now that she has lied and destroyed email, the questions she should be asking herself are (a) Did you make sure all recipients/senders of the concealed email also destroy their copies and archives?; (b) Do you realize that now that you have lied to State, the Congress and the public about the existence of those emails, any foreign hacker or any State Dept insider with copies owns you?

    Soon, Gowdy will likely produce a graph showing emails/day and that the Benghazi period was deleted in its entirety. If it did not make a difference, then there was no need to delete them. Instead she would be proud to exonerate herself with the record of what she knew and when she knew it and what she did about it. Hillary is Nolo Contendere on Benghazi until she can fully document her version.

    The only issue is whether the tired shtick of Carville and Davis in defence of Donna Rodham Corleone will once again whip the MSM into line like Eloi waiting to be dinner for the Morlocks.

    • #7
  8. Fricosis Guy Listener
    Fricosis Guy
    @FricosisGuy

    John Wilson hit on a huge risk: the admin. It was a substantial effort to vet IT support staff for systems that held trade secrets…never mind state secrets.

    • #8
  9. Fricosis Guy Listener
    Fricosis Guy
    @FricosisGuy

    One other note: that sure looked like a Blackberry in Hillary’s hands. She, Bill, and others may well have been using the native BB chat feature if they ran a BEZ server as well.

    • #9
  10. Mollie Hemingway Contributor
    Mollie Hemingway
    @MollieHemingway

    I’m sorry. Questions are so yesterday. Isn’t it time we just move on?

    • #10
  11. user_1008534 Member
    user_1008534
    @Ekosj

    Just looking at the State Dept rules in place at the time (Google “12 FAM 540”). These are the rules governing Sensitive But Unclassified (SBU) information. I assume most of Clinton’s work emails would fall under this heading.

    They say, in part:

    “a. It is the Department’s general policy that normal day-to-day operations be conducted on an authorized AIS …” (Automated Information System)

    Is Clinton’s server ‘authorized’? Who authorized her to use this server? Herself?

    “b. The Department is expected to provide, and employees are expected to use, approved secure methods to transmit SBU information when available and practical.”

    Funny … Nothing about ‘convenient’ in there.

    There is more and links to tons of additional stuff…but it is quickly over my head. Perhaps someone with better tech chops than myself can make heads or tails out of this?

    • #11
  12. Vance Richards Member
    Vance Richards
    @VanceRichards

    Mollie Hemingway: I’m sorry. Questions are so yesterday. Isn’t it time we just move on?

    In other words, at this point, what difference does it make?

    • #12
  13. James Lileks Contributor
    James Lileks
    @jameslileks

    1. Investigating the process for vetting the sysadmin is a good question; another might be finding out the person’s identity.

    2. The system was set up for Bill? When? How many security patches installed in the years that followed?

    3. That leaked letter from Sid Blumenthal that revealed the private-domain issue in the first place: is it in the stack of emails she handed over?

    4. Did she ever use public wifi when using email on her phone? That may sound like a stupid question, but the remark about not being able to have two email accounts on one device, as well as assuring us the server was secure because there were Secret Service agents in the vicinity, does not speak to a high level of tech savvy. Unless of course she’s lying.

    You always have to admit that possibility, unlikely as it may seem.

    • #13
  14. Percival Thatcher
    Percival
    @Percival

    All sysadmin tasks were handled by sysop Timmy. He performed these duties in between Little League practice and his paper route.

    Best damn sysop in Chappaqua Middle School.

    • #14
  15. Fricosis Guy Listener
    Fricosis Guy
    @FricosisGuy

    Mollie, I’m shooting for at least one PROBLEMATIC from Sonny Bunch.

    • #15
  16. user_1938 Member
    user_1938
    @AaronMiller

    Vance Richards: [….] When a government committee is doing an internal investigation, the person whom they are investigating can’t be the one to decide which emails the committee can see and which ones can be destroyed.

    There is no good reason to wait for Clinton to provide access voluntarily. If Congress has the authority to subpoena witnesses, I assume they have the authority to subpoena documents. Congressional Republicans should order the server and all relevant data seized immediately. Appoint private investigators to do this if Obama’s AG tries to forbid FBI or police involvement. Take the battle with the Administration to SCOTUS if need be. But do not wait!

    If justice is going to be done, it must be done quickly. The Benghazi investigation is emblematic of the usual process: years later, still Congress politely requests access to witnesses and documents. It’s not a serious investigation.

    Those tech questions are good ones. But none of it matters if there are no legal consequences when Cabinet members grossly violate obvious and important laws. This strikes at the legitimacy of elected government.

    • #16
  17. The Reticulator Member
    The Reticulator
    @TheReticulator

    “she can’t survive having allowed Russians, Chinese, or both, to use clintonemail.com to attack the government.”

    She can’t?

    • #17
  18. Casey Way Member
    Casey Way
    @CaseyWay

    The focus now is on content but I’m really interested in construction and conception.

    It’s really hard to prove the negative that deleted emails contained confidential information and damaging documents. It’s we say, she says.

    The establishment of a server was an active endeavor. What was the novel problem or inconvenience posed to Clinton, and how did that differ from previous and current Secretaries?

    Who is in charge of establishing IT protocols and equipment needs at State? What role did they play in this configuration? Who evaluated security concerns? What security measures were agreed on and established? What do those records show? If not established, why was the Secretary of State’s primary digital communication not subjected to scrutiny?

    If not a government entity, who was paid to do the work? Public or private funds?

    Attack the inception to divulge intent of deception or incompetence. I fear that pushing “what ifs” in the media makes it easier for Clinton to blame partisanship, but with the mainstream what difference does it make?

    • #18
  19. Tuck Inactive
    Tuck
    @Tuck

    Fricosis Guy: My biggest concern is how compromised our *.gov email systems were by Hillary’s rogue operation.

    They’re so compromised anyway, this is a drop in the bucket.

    • #19
  20. FridayNightEcon Member
    FridayNightEcon
    @FridayNightEcon

    neutral observer: Where was the physical server? Not in Hillary’s basement. Somewhere in some server farm that could be anywhere in the world. Under someone’s control, but whose?

    HRC said it was in an area already guarded by the Secret Service, so I presume she meant in her basement.

    • #20
  21. lesserson Member
    lesserson
    @LesserSonofBarsham

    If the reports are to be believed then sometime during the confirmation hearings (I’ve heard it said the day they started) the domain was registered and a short time after the email server was set up inside their residence. It does take some technical expertise but ultimately you can set up a basic email server with an old spare computer, some open source software, and a little port forwarding. It doesn’t have to be as complex as you would think, and that’s really what’s at issue here.

    No doubt the Clintons didn’t hire out the neighborhood teenage geek to set it up on some old Dell computer they had sitting around, however, unless the person that did it took the time and money to set it up securely (and keep it that way) then it may have been vulnerable.

    There is the issue of digital intrusion, which there are physical network devices you can put in place to help mitigate or at least alert you when there is some funny business going on on the network.  If left unattended, over time it’s almost certain that security vulnerabilities were discovered in the software being used over the course of her time as SoS which would make it more vulnerable (the type of OS used to host the email server would determine how bad that could be). There are still a lot of other variables. Was it monitored by someone for suspicious network activity? Was it connected in any way to the rest of the network and other regularly used computers and devices at the house? If not was it the only device on that network it was on? How locked down were the ports in the firewall? Was there a hardware firewall? Was it on a network accessible by a wireless access point?

    Then there is physical intrusion. There is a reason that companies and Government agencies lock down access to areas where the servers, network switches, and other equipment are.  Only certain people should have physical access to them because it eliminates a lot of potential intrusion points. Even then you want to keep the list small because it’s a smaller pool of people who can be coerced into giving access or social engineered into it. So that brings up more questions. Was it in a secured room? If yes, who had access to it? If any of the staff had access to it, how many of them and what were their functions at the house? 

    Ultimately it all depends on just how paranoid you want to be about it. That being said, we’re not talking about the ambassador to Canada here, we’re talking about the Secretary of State. If all it would take is a bribe to a maid or a maintenance guy to get access to something what foreign intelligence agent wouldn’t at least consider it? Note to Hillary Clinton, security is not about convenience. In particular, network security is actually all about starting from the most inconvenient and working your way down to the most inconvenient that users can stand.

    • #21
  22. user_5186 Inactive
    user_5186
    @LarryKoler

    FridayNightEcon:

    neutral observer: Where was the physical server? Not in Hillary’s basement. Somewhere in some server farm that could be anywhere in the world. Under someone’s control, but whose?

    HRC said it was in an area already guarded by the Secret Service, so I presume she meant in her basement.

    That should work. Those secret service guys wouldn’t just let anyone come into her basement — so no problem. Say, I wonder… does anyone know any other way that people could get access to the data on this computer. I keep hearing about this Internet thing — do you think this computer could be connected to that? If so, they should look into that right away. Pronto. They can call me and I can tell them about how dangerous that could be. Glad to help her out for free. Then we could look at some ways to make it safer for all concerned — and that’s what this is all about, isn’t it?

    • #22
  23. Fricosis Guy Listener
    Fricosis Guy
    @FricosisGuy

    I’m not sure it’s appropriate to make “Sysop Timmy” jokes. He’s probably working to get his sister off Bill’s buddy’s Sex Slave Island.

    • #23
  24. Ricochet Moderator
    Ricochet
    @OldBathos

    FYI: Commenters here with further concerns not resolved at the press conference can contact the email server admin directly at BiteMe@ClintonEmail.com.

    • #24
  25. RedRules Inactive
    RedRules
    @RedRules

    Any competent Sysadmin would have had a backup procedure in place to recover from a disaster. If she literally built a server rack in her house, there would be a large number of invoices and a wide paper trail people can backtrack. Are backtracking already, I’m sure. If she ‘rented’ a server from a provider, this provider would likely have included some sort of backup plan for her to use. Exchange servers do fail, from time to time, and the prospect of losing emails can be very serious. Hence, having an IT team to run things. The coming days and weeks will be very interesting.

    *edit*

    Also, while it might not be “complicated” to run an open-source email server on old hardware, I doubt even Clinton would have wanted such a thing. The functionality of such a thing is limited, and requires a certain skillset ‘normal’ people just don’t have.

    No, she would have paid people to set up a small server, with Exchange. Maybe even an SBS2008. Honestly, that would be what I would have suggested to her. All told, it’s still a $5-$10k thing to get going. Minimum. I think the Clintons really don’t understand that her words are literally gibberish to those of us who work in IT….. And we will be the type who is investigating this.

    • #25
  26. No Caesar Thatcher
    No Caesar
    @NoCaesar

    FridayNightEcon:

    neutral observer: Where was the physical server? Not in Hillary’s basement. Somewhere in some server farm that could be anywhere in the world. Under someone’s control, but whose?

    HRC said it was in an area already guarded by the Secret Service, so I presume she meant in her basement.

    Yeah. It appears it was physically located at her house. That really points to something to hide. It’s not uncommon to have personal web & e-mail domains. However, it is obtuse and very cumbersome to physically host it oneself. That is too much trouble and expense. The only reason is for complete control. A hosting company will look to its own interests when receiving a subpoena. It will also have backups that may include archives of e-mails you deleted.

    It’s not hard to have a personal domain for web sites and/or e-mail.  It’s difficult to host it yourself.  When looking at security, redundancy, maintenance, cost, there is no good reason to self-host a personal email domain like this, unless you have something to hide and place control far above anything else (including security and secrecy).

    • #26
  27. Rodin Member
    Rodin
    @Rodin

    Security talk is all a trap. The emails were as secure as they would have been on a .gov server (FWTW). The real story is likely the level of cooperation and deference the Clintons got (probably at taxpayer expense) to set up a system over which they maintained sole control. That is not to say they did not violate federal law (nothing new here). But the system may have technically complied with requirements to limit access to classified information, but without identifying as an authorized repository. In other words, there are some number of individuals on the federal payroll who were asked to ignore the rules because ….Clinton.

    In other words, if there were a special prosecutor there would be jail time for someone … just no one with “Clinton” as a married or birth name.

    • #27
  28. user_990996 Member
    user_990996
    @RktSci

    A few other questions:

    – Who set up the server? What was the hardware? What software?

    – Who provided the internet connection? Did they have safeguards in place to prevent physical access to the connection on their end? (If nothing else, watching the traffic being routed in and out of the server might have given valuable intel. You would be able to watch the routing information on the emails to see where it was going to/coming from.)

    – It appears that the server ran MS Exchange and also had a VPN connection. Who had access to the VPN and for what purposes?

    – It appears that the system used a self-signed security certificate. Why didn’t it use a certificate from a trusted source?

    – Mrs. Clinton has said she never sent classified information over that server. However, the images I saw of the Blumenthal emails on Libya were marked “Confidential”. “Confidential” is classified within the US government system. It’s the lowest level of classified info. Even if it was not intended to be marked such, it became classified when it was marked that way and entered a government owned system – like her phone. If you don’t want something spread around, you use “Private” as a marking. (Or, as others up the chain have said, “Sensitive But Unclassified”.) So, was classified or SBU information sent via that system?

    – Did anyone from State Information Technology or one of the intelligence agencies vet the system?

    – Was the server used for any other purposes? Did anyone use it for web surfing, in particular?

    – It appears from public records, and apparently some non-public ones, that the server had some relationship with two hosting companies, “The Planet” and “Confluence Networks”. What was that relationship? Did they ever host the email server? The relationship with Confluence Networks might have happened if the domain registration expired. Did it ever expire? (See http://andstillipersist.com/2015/03/curiouser-and-curiouser/ and http://andstillipersist.com/2015/03/where-is-or-was-the-clinton-e-mail-server/ for more on this.)

    – Was the system used to send work emails to people and organizations outside the US government? (I expect that there might have been emails sent to other governments, NGOs, etc.)

    • #28
  29. CuriousKevmo Member
    CuriousKevmo
    @CuriousKevmo

    Hillary is obviously the victim here…yawl need to stop piling on.

    • #29
