Ricochet is the best place on the internet to discuss the issues of the day, either through commenting on posts or writing your own for our active and dynamic community in a fully moderated environment. In addition, the Ricochet Audio Network offers over 50 original podcasts with new episodes released every day.
Asking the Right Questions in EmailGate
I’m curious how dangerous the tech-savvy Ricochetti believe that clintonemail.com was. Perhaps a better way to put it: What is the scale and scope of that danger?
My biggest concern is how compromised our *.gov email systems were by Hillary’s rogue operation. Once I thought of the recent State.gov exploit — in conjunction with the revelation of Hillary’s private server — other worries came to mind over the last few days:
- Hillary’s own emails pose a smaller security risk than those of her staff. In my experience, it’s often low-level staff who open the door to email-driven breaches. They’re easier to tempt into opening “WHSalary.xls” files or juicy-looking links.
- I wonder if the Clintonistas have any idea if clintonemail.com was breached. If they did, however, it would be a great reason to delete mail, destroy the server, etc. She can survive non-disclosure; she can’t survive having allowed Russians, Chinese, or both, to use clintonemail.com to attack the government.
- Were any *.gov defenses lowered to accommodate this separate operation? For example, did state.gov treat clintonemail.com as a trusted domain?
- Even if clintonemail.com wasn’t in *.gov domains via a trust, payloads in attachments or links are notoriously hard to vet. So long as attachments or links were allowed, spoofing *.gov account holders via what looked like Hillary and staff mails (e.g., Name appears as Hillary Clinton, but it’s really a clintonemail.com account controlled by another).
Any other ideas about what went down and what to ask?
I’m curious if we will ever find out. Huma was compromised somehow is my guess.
Yes. For example, someone could’ve spoofed her account, then sent a mail with a lurid subject and attachment. Say “I can’t believe you’re texting pic again!” with a picture. Or what appears to be a picture.
At least one person wouldn’t be able to resist.
My question is about the vetting of the administrators of the server and “home-brew” email system. They would have access to highly classified information in Clinton’s emails. They would need very high security clearance to legally have that type of access. I’m guessing they did not have the proper clearance to have the access that Clinton gave to them. This should be investigated.
We still don’t know who hired Craig Livingstone. We’re never going to get the straight story about this, or foreign contributions, etc etc.
Security is only a part of the problem. Transparency is the other issue. When a government committee is doing an internal investigation, the person whom they are investigating can’t be the one to decide which emails the committee can see and which ones can be destroyed.
Where was the physical server? Not in Hillary’s basement. Somewhere in some server farm that could be anywhere in the world. Under someone’s control, but whose?
If it were an issue of security, the patriotic former Secretary of State would insist on a full-on inspection by cyber security gurus to see if there were evidence of a breach so the U.S. would know what others may know. But HRC’s priorities don’t run in that direction.
Worse, now that she has lied and destroyed email, the questions she should be asking herself are (a) Did you make sure all recipients/senders of the concealed email also destroy their copies and archives?; (b) Do you realize that now that you have lied to State, the Congress and the public about the existence of those emails, any foreign hacker or any State Dept insider with copies owns you?
Soon, Gowdy will likely produce a graph showing emails/day and that the Benghazi period was deleted in its entirety. If it did not make a difference, then there was no need to delete them. Instead she would be proud to exonerate herself with the record of what she knew and when she knew it and what she did about it. Hillary is Nolo Contendere on Benghazi until she can fully document her version.
The only issue is whether the tired shtick of Carville and Davis in defence of Donna Rodham Corleone will once again whip the MSM into line like Eloi waiting to be dinner for the Morlocks.
John Wilson hit on a huge risk: the admin. It was a substantial effort to vet IT support staff for systems that held trade secrets…never mind state secrets.
One other note: that sure looked like a Blackberry in Hillary’s hands. She, Bill, and others may well have been using the native BB chat feature if they ran a BEZ server as well.
I’m sorry. Questions are so yesterday. Isn’t it time we just move on?
Just looking at the State Dept rules in place at the time (Google “12 FAM 540”). These are the rules governing Sensitive But Unclassified (SBU) information. I assume most of Clinton’s work emails would fall under this heading.
They say, in part:
“a. It is the Department’s general policy that normal day-to-day operations be conducted on an authorized AIS …” (Automated Information System)
Is Clinton’s server ‘authorized’? Who authorized her to use this server? Herself?
“b. The Department is expected to provide, and employees are expected to use, approved secure methods to transmit SBU information when available and practical.”
Funny … Nothing about ‘convenient’ in there.
There is more and links to tons of additional stuff…but it is quickly over my head. Perhaps someone with better tech chops than myself can make heads or tails out of this?
In other words, at this point, what difference does it make?
1. Investigating the process for vetting the sysadmin is a good question; another might be finding out the person’s identity.
2. The system was set up for Bill? When? How many security patches installed in the years that followed?
3. That leaked letter from Sid Blumenthal that revealed the private-domain issue in the first place: is it in the stack of emails she handed over?
4. Did she ever use public wifi when using email on her phone? That may sound like a stupid question, but the remark about not being able to have two email accounts on one device, as well as assuring us the server was secure because there were Secret Service agents in the vicinity, does not speak to a high level of tech savvy. Unless of course she’s lying.
You always have to admit that possibility, unlikely as it may seem.
All sysadmin tasks were handled by sysop Timmy. He performed these duties in between Little League practice and his paper route.
Best damn sysop in Chappaqua Middle School.
Mollie, I’m shooting for at least one PROBLEMATIC from Sonny Bunch.
There is no good reason to wait for Clinton to provide access voluntarily. If Congress has the authority to subpoena witnesses, I assume they have the authority to subpoena documents. Congressional Republicans should order the server and all relevant data seized immediately. Appoint private investigators to do this if Obama’s AG tries to forbid FBI or police involvement. Take the battle with the Administration to SCOTUS if need be. But do not wait!
If justice is going to be done, it must be done quickly. The Benghazi investigation is emblematic of the usual process: years later, still Congress politely requests access to witnesses and documents. It’s not a serious investigation.
Those tech questions are good ones. But none of it matters if there are no legal consequences when Cabinet members grossly violate obvious and important laws. This strikes at the legitimacy of elected government.
“she can’t survive having allowed Russians, Chinese, or both, to use clintonemail.com to attack the government.”
She can’t?
The focus now is on content but I’m really interested in construction and conception.
It’s really hard to prove the negative that deleted emails contained confidential information and damaging documents. It’s we say, she says.
The establishment of a server was an active endeavor. What was the novel problem or inconvenience posed to Clinton, and how did that differ from previous and current Secretaries?
Who is in charge of establishing IT protocols and equipment needs at State? What role did they play in this configuration? Who evaluated security concerns? What security measures were agreed on and established? What do those records show? If not established, why was the Secretary of State’s primary digital communication not subjected to scrutiny?
If not a government entity, who was paid to do the work? Public or private funds?
Attack the inception to divulge intent of deception or incompetence. I fear that pushing “what ifs” in the media makes it easier for Clinton to blame partisanship, but with the mainstream what difference does it make?
They’re so compromised anyway, this is a drop in the bucket.
HRC said it was in an area already guarded by the Secret Service, so I presume she meant in her basement.
If the reports are to be believed then sometime during the confirmation hearings (I’ve heard it said the day they started) the domain was registered and a short time after the email server was set up inside their residence. It does take some technical expertise but ultimately you can set up a basic email server with an old spare computer, some open source software, and a little port forwarding. It doesn’t have to be as complex as you would think, and that’s really what’s at issue here.
No doubt the Clintons didn’t hire out the neighborhood teenage geek to set it up on some old Dell computer they had sitting around, however, unless the person that did it took the time and money to set it up securely (and keep it that way) then it may have been vulnerable.
There is the issue of digital intrusion, which there are physical network devices you can put in place to help mitigate or at least alert you when there is some funny business going on on the network. If left unattended, over time it’s almost certain that security vulnerabilities were discovered in the software being used over the course of her time as SoS which would make it more vulnerable (the type of OS used to host the email server would determine how bad that could be). There are still a lot of other variables. Was it monitored by someone for suspicious network activity? Was it connected in any way to the rest of the network and other regularly used computers and devices at the house? If not was it the only device on that network it was on? How locked down were the ports in the firewall? Was there a hardware firewall? Was it on a network accessible by a wireless access point?
Then there is physical intrusion. There is a reason that companies and Government agencies lock down access to areas where the servers, network switches, and other equipment are. Only certain people should have physical access to them because it eliminates a lot of potential intrusion points. Even then you want to keep the list small because it’s a smaller pool of people who can be coerced into giving access or social engineered into it. So that brings up more questions. Was it in a secured room? If yes, who had access to it? If any of the staff had access to it, how many of them and what were their functions at the house?
Ultimately it all depends on just how paranoid you want to be about it. That being said, we’re not talking about the ambassador to Canada here, we’re talking about the Secretary of State. If all it would take is a bribe to a maid or a maintenance guy to get access to something what foreign intelligence agent wouldn’t at least consider it? Note to Hillary Clinton, security is not about convenience. In particular, network security is actually all about starting from the most inconvenient and working your way down to as most inconvenient as users can stand.
That should work. Those secret service guys wouldn’t just let anyone come into her basement — so no problem. Say, I wonder… does anyone know any other way that people could get access to the data on this computer. I keep hearing about this Internet thing — do you think this computer could be connected to that? If so, they should look into that right away. Pronto. They can call me and I can tell them about how dangerous that could be. Glad to help her out for free. Then we could look at some ways to make it safer for all concerned — and that’s what this is all about, isn’t it?
I’m not sure it’s appropriate to make “Sysop Timmy” jokes. He’s probably working to get his sister off Bill’s buddy’s Sex Slave Island.
FYI: Commenters here with further concerns not resolved at the press conference can contact the email server admin directly at BiteMe@ClintonEmail.com.
Any competent Sysadmin would have had a backup procedure in place to recover from a disaster. If she literally built a server rack in her house, there would be a large number of invoices and a wide paper trail people can backtrack. Are backtracking already, I’m sure. If she ‘rented’ a server from a provider, this provider would likely have included some sort of backup plan for her to use. Exchange servers do fail, from time to time, and the prospect of losing emails can be very serious. Hence, having an IT team to run things. The coming days and weeks will be very interesting.
*edit*
Also, while it might not be “complicated” to run an open-source email server on old hardware, I doubt even Clinton would have wanted such a thing. The functionality of such a thing is limited, and requires a certain skillset ‘normal’ people just don’t have.
No, she would have paid people to set up a small server, with Exchange. Maybe even an SBS2008. Honestly, that would be what I would have suggested to her. All told, it’s still a $5-$10k thing to get going. Minimum. I think the Clintons really don’t understand that her words are literally gibberish to those of us who work in IT… And we will be the type who is investigating this.
Yeah. It appears it was physically located at her house. That really points to something to hide. It’s not uncommon to have personal web & e-mail domains. However, it is obtuse and very cumbersome to physically host it oneself. That is too much trouble and expense. The only reason is for complete control. A hosting company will look to its own interests when receiving a subpoena. It will also have back ups that may include archives of e-mails you deleted.
It’s not hard to have a personal domain for web sites and/or e-mail. It’s difficult to host it yourself. When looking at security, redundancy, maintenance, cost, there is no good reason to self-host a personal email domain like this, unless you have something to hide and place control far above anything else (including security and secrecy).
Security talk is all a trap. The emails were as secure as they would have been on a .gov server (FWTW). The real story is likely the level of cooperation and deference the Clintons got (probably at taxpayer expense) to set up a system over which they maintained sole control. That is not to say they did not violate federal law (nothing new here). But the system may have technically complied with requirements to limit access to classified information, but without identifying as an authorized repository. In other words, there are some number of individuals on the federal payroll who were asked to ignore the rules because … Clinton.
In other words, if there were a special prosecutor there would be jail time for someone … just no one with “Clinton” as a married or birth name.
A few other questions:
– Who set up the server? What was the hardware? What software?
– Who provided the internet connection? Did they have safeguards in place to prevent physical access to the connection on their end? (If nothing else, watching the traffic being routed in and out of the server might have given valuable intel. You would be able to watch the routing information on the emails to see where it was going to/coming from.)
– It appears that the server ran MS Exchange and also had a VPN connection. Who had access to the VPN and for what purposes?
– It appears that the system used a self-signed security certificate. Why didn’t it use a certificate from a trusted source?
– Mrs. Clinton has said she never sent classified information over that server. However, the images I saw of the Blumenthal emails on Libya were marked “Confidential”. “Confidential” is classified within the US government system. It’s the lowest level of classified info. Even if it was not intended to be marked such, it became classified when it was marked that way and entered a government owned system – like her phone. If you don’t want something spread around, you use “Private” as a marking. (Or, as others up the chain have said, “Sensitive But Unclassified”.) So, was classified or SBU information sent via that system?
– Did anyone from State Information Technology or one of the intelligence agencies vet the system?
– Was the server used for any other purposes? Did anyone use it for web surfing, in particular?
– It appears from public records, and apparently some non-public ones, that the server had some relationship with two hosting companies, “The Planet” and “Confluence Networks”. What was that relationship? Did they ever host the email server? The relationship with Confluence Networks might have happened if the domain registration expired. Did it ever expire? (See http://andstillipersist.com/2015/03/curiouser-and-curiouser/ and http://andstillipersist.com/2015/03/where-is-or-was-the-clinton-e-mail-server/ for more on this.)
– Was the system used to send work emails to people and organizations outside the US government? (I expect that there might have been emails sent to other governments, NGOs, etc.)
Hillary is obviously the victim here…yawl need to stop piling on.