The article kind of dropped that line randomly in. Her email server and this issue (Blackberry or Black Phone in the state's SCIF) are completely unconnected.
I don't know how or why they're trying to connect the two. I find this issue interesting in its own right, but see it as nothing to do with her email server (which is already interesting but different).
I took that to mean that she couldn't hook a civilian Blackberry to her official .gov account, so the personal email server was set up to service her personal Blackberry.
Previous SoSs didn't make extensive use of it, or like Rice, got exceptions.
If the security apparatus doesn't allow people to get their job done, people will find ways to solve their own problems.
For example, you could certainly ban all internet use. It would render moot a huge amount of security problems, but people wouldn't abide it. So you have to find the trade off that the user and the security people find acceptable.
I would like to point out that it doesn't excuse her action: You have to abide by the rules even when they are dumb.
But it's a tension between rules and human nature that comes up often. It's like telling teenagers the only safe sex is no sex, and then not teaching them anything else about sex, because they shouldn't be having sex. You're going to have a bad time trying to make that work.
> Other Secretaries of State hadn't done anything like that.
They actually have, the FBI is auditing the last 4 Secretaries of State and has found similar use of private email servers [1]. Outside of the state department the Bush administration was rife with the use of private, RNC managed email servers [2].
None of these guys used their private email exclusively for government business. That is the key. They all had State Department email. Clinton did not. ALL of her email was on her private server.
> The NSA should probably evaluate if the end result of their refusal was more security or less.
They could but they'd conclude it was MORE secure. Her leaving the SCIF to use an insecure device is infinitely more secure than allowing insecure devices into the SCIF or giving out highly sensitive devices like candy (in particular as she wanted to use it for non-top secret email).
Cellphones can be attacked and turned into bugs (e.g. baseband hacking). A bug in the SCIF is unacceptable, and having any wireless devices at all makes it much harder to detect bugging from other avenues.
Additionally giving out the president's "Black Phone" to more people makes it easier to attack since they'd have more opportunities and potential mistakes. Plus what if the black phone was compromised? Now you've exposed the SCIF in state.
> Additionally giving out the president's "Black Phone" to more people makes it easier to attack since they'd have more opportunities and potential mistakes.
It is worth knowing that the US President himself has two phones. A black phone and a regular smartphone for everything else.
Giving one to the Secretary of State (which was, at one point, apparently acceptable) isn't really in the same class of risk as giving it to an intern. It's a risk, but why is it no longer an acceptable risk?
This is literally the highest level example of Bruce Schneier's theory that people understand risks, but security people don't understand people. [1]
Let's look at this classic case: they won't give Hillary Clinton access to a modified BlackBerry that Obama was using because it made security "unmanageable". Even though Clinton's position is literally one of the most important in the country, if not the world the NSA decided it was a security threat and so just didn't allow it to happen.
So Clinton setup her own email server infrastructure and conducted all State business through that.
So now those same security people caused a considerably greater threat to national security.
Someone should find who denied Clinton access to a secure BB, then they should be removed from any security related work. I almost feel sorry for them if Clinton becomes President, because their days will hopefully be numbered. But I don't feel sorry, because their short-sightedness caused a greater risk to U.S. National Security.
It feel the same about these modern chip based credit cards. While giving a totally intangible security benefit these cards have brought great discomfort to everyone. A swipe takes around 1 second to register. Chip based cards take anywhere from 5 to 9 seconds with the message "do not remove card" flashing in between. Machines are designed such that you have to insert card in a slit you cant see, I have seen elderly people struggle to do that and cards falling out on floor creating more delays.
I really wonder if the wasted human time is worth saving handful of frauds.
To be honest: This is more based around the terminal designers, both hardware and software, than anything else. For far too long, the designers have been shit hardware and software while charging an insane premium. The cryptography required for processing chip transactions requires more horsepower yet the exact same hardware specs are being used.
Furthermore, the chip is not only protecting from cloned cards, but also protecting from the vast malware breeches that occurred at Target, Home Depot, and more.
The decision is right. The crap the processors are pulling with their terminal designs is not. The processing market is ripe for someone to break formation and accept smaller margins in return for a well designed and faster terminal.
Are you saying people who designed the secure chip card have no say in the terminal technology. I don't know the details but I suspect that the terminal also needs to have sufficient security mechanism isn't it ?
I'm sorry, but I'm having a hard time relating to this. In Sweden, we have had chip cards for a very long time (it feels like), and I've never heard anyone complain that it takes so much longer than swiping. I guess you're in a country where it is relatively new?
Could it be that your card readers are somehow worse compared to the ones we have here, which makes it more painful to use? Could it be that here we always use a PIN code as well, so that takes a bit of time anyway, and you do not?
GP is probably in the US, like me, where chip and PIN is pretty new. I can confirm that it tends to take a lot longer than swiping; I still do a lot of both swiping and chipping, so it's easy to compare.
I still find it bizarre the USA is only just dealing with this - the UK and most of Europe moved to chip and PIN years ago, and are now increasingly rapidly moving to using contactless payments.
I was in Iceland 2 years ago, and I could not get fuel for my rental car anywhere with my chipless and PINless card, and had to pay a large amount of money to have the agency fill it. Even though the USA has finally started to roll out chip based cards, half the places I go to have the chip slot, but say to swipe instead. It is confusing. We also still do not have PINs so if your card is lost, it can still be used for fraud.
What really baffles me is how inconsistent the rollout has been. Chip-capable terminals are everywhere, but maybe 3/4ths of them don't have the chip part enabled. So many times, I've inserted my card only to find that it simply doesn't work. Yesterday I made a purchase where they had taped over the slot so you wouldn't even try.
It seems like once you have the hardware, the rest should just work. I don't know what the hell is going on.
I was at a place the other day with a taped over chip slot, with a little note saying "please swipe". I asked what the deal was, and the guy said all chip purchases were being double billed (apparently due to some software issue). I commented, "at least they were being securely double billed". Chuckles all around.
In other countries, chip based credit cards have reduced in store fraud by about 75%. This is a lot more than a "handful of frauds".
That said, make one thing harder, they find another avenue in. I'm voting for cameras that read your physical card while it is in, then the fraud is conducted online. (Downside of that for thieves being that now they have to give out a working address.)
Does it allow the credit issuers just to shift the blame to the end-users and deny 75% of fraud claims where the user could not adequately prove they were not present at the time and place of the fraud?
No. The default in the USA is that consumers are not liable for anything that consumers claim they didn't buy, and the company can't prove they did.
The reason it reduces crime is that you can't make fake credit cards with data collected from a skimmer, and use them in stores. Your fake credit cards fail because they can't do the chip interaction. Therefore in store fraud is reduced to people physically stealing your credit card.
I disagree - I'm in the UK where these have been standard for a long time (I've had cards for around 6 years or so, and I have only ever used the old swipe when travelling).
My experience is that it takes way less time (I'd say 3-4s, maybe it's a connectivity issue?), and (comparing to what I have done travelling and memories from watching my parents in childhood) any time you did save with a swipe is instantly eaten up by signing taking far longer than tapping in a pin (not to mention the magstripes wearing out faster than the pins).
As to 'saving a handful of frauds' - I was shocked at the ease of fraud in the old system. When I was in the US, I felt uncomfortable with the staff taking my card (here in the UK, it's always in my hands) - often taking it out of my sight, and a colleague had 'Please ask for ID' rather than a signature on his card - he never once got asked for it, implying that the signature check is valueless, because apparently no one does it.
The US doesn't have chip-and-pin, we have "chip-and-sign", plus the older magstripe system (and the CC number is still necessary for online purchases).
As of this spring update I'd estimate vendor uptake is about 30-50%. So half the time you either swipe and wait 2 seconds for it to beep that you need to insert, or you insert and wait a couple seconds for nothing to happen and be told to swipe. The chip mode is poorly integrated into many POS systems - at most local groceries even if you tap "card" and insert the card it will make you go back to the screen and push "card" again, or take several seconds before it accepts it. Then it processes for ~5 seconds, then you need to sign.
Some of this is teething issues with rollout and POS integration, but the signature is unfortunately not going away.
Why is this comment being down voted? This system is an embarrassment. The improved security measures are important but there's no excuse for it to come at a cost of a worsened user experience.
> Someone should find who denied Clinton access to a secure BB, then they should be removed from any security related work. I almost feel sorry for them if Clinton becomes President, because their days will hopefully be numbered. But I don't feel sorry, because their short-sightedness caused a greater risk to U.S. National Security.
If you'd like to fire your security people who are too paranoid and obstinate, you'll find yourself without a National Security Agency. You should give them a manager who does understand people.
No, Clinton's reaction caused a threat to national security.
"Mr. President, those NSA guys won't give me a BlackBerry like yours."
"Hillary, that's ridiculous. I'll have someone call Admiral Bigwig right away so you can get some BlackBerry."
And if the President doesn't help you, you had better learn to sit in the SCIF or, better, do whatever previous Secretaries did to keep informed without BlackBerries. Clinton is responsible for her actions. Nobody made her set up her own email server.
I totally agree. I ran into this myself fighting with high-assurance vendors over the tech that was limited to defense only. I said, "We have infrastructure, banks, I.P., and so on to protect. NSA's pentesters & certifications say these are only devices that can stop even them. These are American businesses, not foreign spies. Background check them, whatever, just get them security that works." Replies were always courteous denials on grounds of national security. That's despite that each system usually had tens of millions in taxpayer-funded R&D or nearly guaranteed contracts to get it started.
In all my time studying NSA's IAD, I could never be sure if this was just organizational issues or straight subversion. Snowden leaks made that harder rather than easier. Bell, of Bell-LaPadula fame, has a nice write-up of how they helped create high-assurance security market then destroyed it over time.
The A1 products he referenced still exist but government doesn't push them for rest of us. A NOBUS thing I guess. SNS Server (MLS LAN) is defense only, not sure about XTS-400 (now XTS-500 w/ Linux apps), and Aesec's GEMSOS might be available to commercial sector. I forgot to ask for clarity on that. Nobody outside high assurance or good CompSci has ever heard of them. Bleak picture for anyone investing in next high-security product, ain't it?
Nice, albeit biased, presentation on methods behind GEMSOS & old school high-assurance.
Holistic, pub-subscribe architecture leveraging SNS Server as "impenetrable" component to simplify overall scheme. That's overstating it but it's allegedly unbroken in field since released in early 90's. Embedded firewall is another old trick you can do today w/ Octeon II's or similar PCI card computers.
When it comes NSA pen testing, its not that some things are "impenetrable" its a question of how far they are willing to go, and who they are willing to p__ off to do it.
There are limits, both legal and political, that the NSA won't cross but a private contractor doing pen testing might try.
Rightly or wrongly, about the only way most US private companies can get a proper grasp of what the NSA is capable of is to hire a senior former NSA officer.
This is possible. However, I read many of the papers and Final Evaluation Reports from this time period. They usually found the common and some uncommon flaws in systems with feedback to vendors. One of a UNIX aiming for higher assurance heavily criticized its lack of hardware-level enforcement and architectural issues. They also standardized on assurance and design techniques with similar re-applications to ensure what worked before would again. Evaluations were done by people from private labs and NSA's IAD hackers sometimes repeated by other groups.
So, altogether, they probably got plenty of review. They could still use more from independents with great skill. So far, though, solid in review and the field in high risk is saying something.
Re hiring a former NSA officer
Others and I have been telling all of you for years what they're capable of. You just look at each layer or compondnt to see what a subversion/breach would do. Then read years of papers showing how to avoid those. Then notice what each product is or isnt applying. Then you know they were breaking almost all of it. ;)
>So now those same security people caused a considerably greater threat to national security.
Yeah. That woman made me rape her by not having sex with me voluntarily.
Maybe Clinton should accept that the laws apply to her too and if the constrictions of a particular position don't suit her, she shouldn't accept it that position.
That's an invalid argument. I am indeed saying that they should be removed from security related work because they don't understand people. However, it doesn't necessarily follow that Clinton doesn't understand security. In fact, it sounds like she was advised that she needed a secure BlackBerry, but was denied it but never given a reason.
All that you have shown here is that the people tasked with securing sensitive information failed to do so.
If Clinton becomes President, then she'll be provided with a secure mode of communication, regardless of what the security person thinks of it. So as President, she'll be able to access secret and classified information.
I would hope you'd also agree that if the people who didn't give Secretary Clinton the specific mobile device she wanted should be removed from security-related work, then so also should Secretary Clinton.
>So now those same security people caused a considerably greater threat to national security.
The logic here is that one adult's actions can be blamed on a second adult if the second adult doesn't allow the first one to get their way. Now imagine applying that to other situations.
If the context is relevant, it needs to be explicitly denoted. To otherwise expect context to matter when it cannot be made part of the argument is special pleading. Even if it is popular to use special pleading in day to day life does not mean we should accept it as valid.
That's not a reasonable requirement. You simply can't write rules that apply to every aspect of day to day life that may be relevant for situations you may have not even anticipated might happen.
You can try, and that's typically what organizational policies aim to do. But once you've set a policy, pretending like it's some sort of infallible divine guidance is asking for failure. Good security policy needs to always be reacting, always considering whether the rules they've set are still a net gain in the security of the system, given that they're operating in a real world of real people with real behaviors that may not have been accurately predicted.
You're still missing the point. She may have gotten the job, but she didn't manage to get any love her new boss. When he got the new toy, he made sure the ID department told her to go pound sand.
I sincerely hope he hasn't changed his mind, and will not stand in the way of her indictment.
I'm so glad people are finally, hopefully going to shut up about this soon. I'm surprised Clinton didn't just say this herself and end the scandal months ago. It's an extremely lame scandal because we're talking about unencrypted email anyways, email that could have been read by anyone and everyone and almost undoubtedly was. The irony that it was the NSA (as usual) that made things less secure instead of more secure is certainly not lost on me.
why would this in anyway end the scandal? so because the NSA didn't give in to your request you can go break security protocol and put people's lives at risk?
Saying NO is exactly not doing their job when there are numerous alternatives to their provided computer. The secretary of state must be able to communicate with others, period. Since they couldn't figure out a proper solution (and from the article it sounds like they didn't even try/ignored her/insulted her) they left the secretary of state without a means to communicate. I'd say that's criminal, negligent, and certainly not doing their jobs.
People are not going to shut up about this. This will be an issue through the election. It's a really big issue that the Secretary of State was so cavalier about how she handled classified information.
Classified yet sent in plain text. Somehow those two just don't go together and it doesn't matter what email server you use with plain text it's still never going to be secure.
I'm going to point out that no one has found a single email sent to Secretary Clinton that was born secret - all of the emails were retroactively reclassified.
No, they are not "retroactively" classified. They were intentionally kept out of the classification process by Clinton via her undisclosed server. When the emails were finally inspected for classification many of them were designated as containing what should have been classified from their creation. This act was fully intentional by Clinton. And inexcusable.
That would cover emails sent by her - but not emails sent /to/ her - which arguably if they were classified never should have left the email servers hosted by Department of State/General Service Administration.
I don't believe I understand the reason for pointing out the distinction. IIRC the overarching issue here is the subterfuge involved in the email server even existing.
Am I the only one who thinks that having a private email server would not get around being banned from using wireless devices in one particular building.
I think most people are not really angry about the security risk, they're angry about the double standard. Anybody who wasn't Secretary of State would have been fired and probably prosecuted for this.
Obviously people who already don't like Clinton are all over it, but I think there's a legitimate complaint from people saying that she shouldn't be able to get away with something that nobody else could.
People who bitch about a double standard are childish. Yes, the people at the top make the rules (or change them to suit them). Does that surprise you?
It doesn't have to be surprising to be wrong. Obviously the people at the top make the rules, that's true by definition. But we don't live in a dictatorship, and we can complain when we don't like the rules they make. That's not childish, it's human, it's the basis of our society.
I just find it absolutely silly that people expect a lowly grunt to follow the same rules and have the same punishment as literally the head of the institution that made the rules. It just seems plainly absurd. If the state dept makes rules about private servers, the head of the state dept can break those rules. That's just common sense. It's like workers complaining that the owner of a company breaks the rules he sets out for employees.
"When the president does it, that means that it is not illegal."
That argument doesn't always work out. Is it silly when people complain that the NSA is breaking the rules that everyone else has to follow?
Yes, it is sort of like workers complaining that the CEO doesn't follow his own rules. That's a valid complaint. But it's not exactly like that, because Clinton wasn't just breaking some internal State Department rule. It's a rule for the whole government, which she is not the head of. And it's not just a lowly grunt that would be punished for this, it's anyone else. A general would not get away with it.
>Is it silly when people complain that the NSA is breaking the rules that everyone else has to follow?
Yes, I do think it is silly. Now that doesn't mean that the NSA should have no rules and have free reign, but to draw an equivalence between the NSA and an average person (that would justify them being bound by the same rules) is just absurd.
>because Clinton wasn't just breaking some internal State Department rule.
The issue regarding the rules isn't about classified information, its about private servers. That is a rule that she is absolutely justified in re-writing on-the-fly even if a lowly grunt would be thrown in a hole for doing the same thing. Just to be clear, her private server does not inherently endanger classified information. People have been conflating these two issues to the point where no one can speak clearly about it. That classified information was incorrectly sent to her private email is an entirely different issue.
The NSA didn't make things less secure. Clinton's people did to get around the NSA's restrictions. The restrictions suck, but if I were like "doot dee do, I hate working with this secure PC, I'll migrate the info I need to my cellphone connected to my own private server" I would be looking at a long stint in prison.
Hillary Clinton doesn't need to worry about that because she's Hillary fucking Clinton.
The NSA itself knows very well that if the gizmos they provide aren't usable -- and more fundamentally, if they don't respect their customers -- then it doesn't matter how "secure" the technology is, because people won't use it.
Hillary Clinton doesn't need to worry about that because she's Hillary fucking Clinton.
Look, I'm hardly a fan of the former Secretary. But in the original article, it's pretty clear that she and her secure information technology coordinator (Donald Reid) were feeling stonewalled (it not outright disrespected) by the NSA on their requests.
Which doesn't justify her opting to use a less-secure communication means (by any stretch). But it's pretty clear from the basic narrative of the story that there was more going on to this fiasco than simply Hillary Clinton going off on an ego trip.
I don't agree with whoever downvoted your post; it contributes to the discussion.
> The NSA itself knows very well that if the gizmos they provide aren't usable
What isn't usable about a desktop computer? According to the article, she just liked using BBs more. Confusingly, the article seems to conflate a few things.
1. She wanted to use her Unclassified//SBU Blackberry in the SCIF. Because of phone exploits that the NSA employs against other heads of state [1], State Department guidelines require her to leave it outside of her office that has classified computers. Obama's special Blackberry might let him talk to DNC leadership and big donors, but I'm guessing he uses a normal phone for that. Why couldn't she use a desktop phone and her unclassified computer to check her email to donors, campaign managers, and DNC leadership? How does a separate email server solve this problem?
2. She felt the need to have a separate email server. What this solves is never mentioned in the article. All State Department employees have access to the Unclassified network. Most have access to State Department provided Blackberries for that network, and also to 2FA token generators to permit them to VPN in. Traveling all over the world doesn't restrict the usage of either of these. Also, DSS sets up a classified network wherever the Sec State stays.
The only plausible reason to set up this outside email server is to evade FOIA and discuss classified topics without the risk of a government employee seeing classified information on an unclassified network. I'm really trying to understand any other reason to do this.
[1] I didn't see a Blackberry exploit in the Snowden leaks, but it's probably safe to assume that the risk is significant. Imagine how valuable it would be to get room audio of political or trade discussions before stepping into a meeting with the U.S. Secretary of State.
Most people, including myself, would be fired if we broke security protocol. Inconvenience is not a justified reason to break protocol.
At least she wasn't mandated to use the cone of silence :-P
She had a wired-computer she could check email on in the SCIF, but she refused and was only willing to read her email on a Blackberry, so her staff tried to get authorisation for one, failed, and then tried to get her a highly sensitive top level device just so she could check her unclassified email in the SCIF (she could use a standard Blackberry elsewhere).
I'm siding with the NSA here. She should just buck up and learn to check her email on a wired PC like everyone else.
This is easy when you work in an office every day at the same location for your job. As Secretary of State travelling all of the time around the world this isn't realistic.
The SCIF is a fixed location, your point doesn't make sense/doesn't apply here. Nobody was stopping her from using a standard Blackberry outside of that facility (and she was, according to the article).
The entire point of a SCIF is that it is a very secure fixed location where the intelligence community can make sure people don't say steal documents, listen in or look at secret documents behind another person's shoulder.
Imagine all the previous people in that position that were incapable of properly doing their jobs because they had no Blackberry in which to receive secured information.
It wasn't withdrawn for Clinton, it was withdrawn for the devices themselves. The NSA decided the potential consequences for a baseband compromise within a SCIF was too high risk.
Honestly I suspect their policy is "no wireless devices within the SCIF period." From wireless keyboards, to cellphones, to WiFi, and beyond. The black phone might be authorised but I suspect that is due to operational importance (e.g. calls vital to national security).
The world is a different place now than it was when those people were in that position, it's hardly a good comparison. Everything moves faster today and the Secretary of State should be able to along with it.
Would you be able to be good at your job if you were only able to check email once a day? I sure couldn't, but 15 years ago that's how often I checked it.
I could do my job quite well if I had a staff that could check it for me at the location dictated by security and then inform me over secure channels of anything that required my attention.
Imagine all the previous people in that position who were incapable of properly doing their jobs because they had no personal computer with which to receive secured information.
Imagine all the previous people in that position who were incapable of properly doing their jobs because they had no fax machine with which to receive secured information.
Imagine all the previous people in that position who were incapable of properly doing their jobs because they had no telephone with which to receive secured information.
Times change, and so does the technology required for the position.
I mean - if you go back enough, this problem doesn't exist. It's a growing problem - I'd imagine there were plenty of secretary of state's before who didn't use technology/where technology wasn't available.
The subtext of some of these stories seem to be that there was a great deal of tension between the intelligence community and the state department. In particular, this whole business about retroactive classification seems to be part of a larger battle on the issue of overclassification.
What is your basis for calling the NSA petty? Or claiming it was a personal grudge?
On technical grounds the NSA's position makes sense. Baseband compromises are viable and an active threat, cellphone OS software compromises are also viable and an active threat, so effectively every wireless device inside of a SCIF could be turned into a bug at any minute.
Additionally the NSA doesn't let wireless devices into ANY SCIF, by Clinton or anyone else. Only the US president himself is the exception to this rule and even then we're talking about a specific device designed for official functions only.
What is your basis for calling the NSA petty? Or claiming it was a personal grudge?
There may have been valid (short-term) reasons as to why it would have been difficult (or costly) to provide her with a POTUS-like solution.
But the overall sense I get from the article (and in my view, the bigger issue at play here) is that Clinton and her secure technology coordinator (Donald Reid) felt they weren't being given a credible explanation as to why their request would be unworkable. And (subjectively) felt they were being ignored generally with regard to their request.
(And BTW no, the partial explanation they were given -- "use has expanded to an unmanageable number of users" -- meaning presumably legions of underlings probably shouldn't have been granted exceptions in the first place, is not, on the face of it, a credible explanation as to why an exception can't be granted for the 2nd most important office holder in the Executive Branch).
Only the US president himself is the exception to this rule
Umm, what "rule", and why is the POTUS the only exception?
These are the questions that Clinton and Reid were apparently unable to get an answer to.
"These are the questions that Clinton and Reid were apparently unable to get an answer to."
So they just decided to do whatever they wanted because they feel that they are above the system.
I can't avoid asking myself what would happen if, some subordinate of them, just thought that some rule in their department was stupid and decided not to follow it.
Again, I see no defense whatsoever for the course of action Clinton ultimately took, both in regard to her BlackBerry and in setting up her personal email server.
> Umm, what "rule", and why is the POTUS the only exception?
Taking wireless devices into the SCIF. And because POTUS has a national security need for immediate communications (because they're the head of the military, have access to the football, and may need to make key strategic decisions).
The key question is: Are you going to risk more lives and save more lives by allowing potential bugs into the state's SCIF? Leaks from within a SCIF could almost certainly get people killed (foreign agents, US agents, US military personnel), the key question is if the Secretary of State can save enough lives by being instantly accessible in that one area?
> These are the questions that Clinton and Reid were apparently unable to get an answer to.
Or they received an answer but either didn't understand the answer or just didn't like it. There are a lot of people who claim that their issues are never addressed just because they don't understand the answer to the question they're asked.
I'm sure the NSA gave them a full report on why cellphones are risky and how they can be compromised. But I don't know if that information was received by state or understood.
By "rule" I was referring to the criteria by which exceptions were granted. I'll grant that wasn't clear in my language, but that's what I was driving at.
Because [the] POTUS has a national security need for immediate communications because they're the head of the military, have access to the football, and may need to make key strategic decisions).
The Secretary of State's job is also quite important, you know. They're also pretty high up in the chain-of-succession for direct access to the same duties as the POTUS.
Or they received an answer but either didn't understand the answer or just didn't like it. ... I'm sure the NSA gave them a full report on why cellphones are risky and how they can be compromised. But I don't know if that information was received by state or understood.
Drawing from the trove of recently released emails, the article itself says that most likely they were informed of (and understood -- or at least her staff understood -- the risks of) using private cellphones ("her staff was fully aware of the security risks associated with using her BlackBerry.") What they didn't understand is why a modified cellphone was considered a secure enough solution both for the POTUS, and for the predecessor SoS -- but not for the current one.
As to whether Clinton herself really understood the risks, or she did, why she continued to use a non-secured device, anyway?
That I don't know -- and I won't offer any defense for, either.
The arguement I have read is that the device the president had was only possible because he has a full security detail 24x7 that can keep track of the phone. Doesn't the secretary of state have that as well?
That isn't an argument that I have read. Obviously it would be "bad" if the black phone slipped into enemy hands, but I think the real concern is that with more of them out in the world there is more potential for adversaries to try and attack them wirelessly.
That's the real paranoia. What if the black phone turned into a wireless bug? Anything wireless inside of a SCIF is "bad." The black phone is just an exception for national security reasons, the default is to deny all.
This is a classic story that gets repeated again and again, and security professionals should take note; if you forbid your users from doing something, they will route around you to do it, and it will be end up being less secure than if you were involved.
Haroon Meer says that saying "no" is a finite resource that security professionals are too willing to tap. If an organization comes to see your department as an obstacle that shoots down ideas and never contributes, you end up ignored. Chip in with ways to make bad ideas less bad, because we already know that deploying any vendor's software is a loss to security.
Another way of thinking about it is that the security team is supposed to help other people do what they want to do securely. If X is insecure, make it secure. Now, if you're an IT department at some corp, you probably don't have the budget or the manpower to do that, so you have to say no as much as you can get away with it.
But when the Secretary of State wants to Do A Thing, and you're the NSA...
I'm not sure I understand. Are you saying that security professionals should lower their standards because too many people don't want to follow the protocols that security professionals have determined to be the best course of action?
Must be nice to have a high enough position in life to ignore security protocols at whim. If I did that I would be fired.
No, security professionals should find adequate solutions to a changing technological (and the corresponding sociological) landscape.
Just saying "No" without investigating alternative solutions to satisfy the spirit of the request is likely the problem.
It's also apparent that there was no routine security auditing which may have caught Clinton's behavior. I'm not sure you can claim the NSA was acting with security in mind when it's quite evident she was walking around with a blackberry every day in "Mahogany Row'.
A) People seeing this play out in their own lives enough to relate it to this experience
B) That the quote wasn't "No", it was "shut up and go color", lmao
If you re-read that portion of the article, the State Department rep used that phrase to paraphrase the NSA's response. That was not the actual response; nobody who wants to keep their job communicates inter-agency like that.
Because when "we" can't do something it's for reasons that are varied, nuanced and entirely justifiable.
When "they" can't do something it's because they are malicious lazy idiots. Obviously.
It's illuminating how someone treats other professions that intersect with their own. If one security team acts in a way you disagree with fine. But if you view all security teams as inherently obstructionist, then that tells me you are self-centered or cut corners. Similar if you always have problems with HR, Accounting, etc...
It's a very high standard to force a user to change his password every 24 hours. It also guarantees this user will write it down on a post it next to the screen. Security professional should think also in term of practicality.
I was trying to enter a 26 characters wifi passcode when setting up a new MacBook recently (so without access to clipboard). All characters hidden, not even certain the keyboard was set up with the right region. It might be secure but the guy who designed this step of MacOS should still be fired.
No, he's saying if you work in a department that has been given the power to oversee security at your organization, then your job is as much to service your customers (the other departments) as much as it is to ensure their safety. Trying to use that position as a means to be change-averse or to power-play is just going to ultimately lead to people finding another way.
There's also a real line between ultimately flaunting the rules and "just trying to get your job done" in these kinds situations. Obviously if you're imperiling classified secrets that distinction will not apply to you. But for most other people this is just an item in the toolbox for effecting the change you want to see, lol.
I would hope security's main concern is security, not making people feel happy about their preferences. If a person can show that it is a power-play then those security people are failing at their jobs, which is a different matter. So far I've only seen speculation that this situation was politics.
So back in the real world, no one's job is ever to go "do the best for the best's sake", outside of maybe academia. That's not how people work together, and as you get into more heavily politicized environments, the more true that is.
There are a lot of situations in life that end up having come down to "do you want to be right or do you want solve the problem?"
If you're a security professional who doesn't spend a fair amount of your energy making your users happy, you're failing at your main job of ensuring security, for exactly the reasons on display here. Security doesn't end when you've sent out the memo outlining your policy.
I think he means, if you tell somebody that you can't do something that's technically possible, they will find someone who can and will do it.
They did it for the previous administration but refused to do it for her and offered no good alternative. She couldn't fire them and replace them and with someone more capable, so her team found an alternative.
This is exactly how a person who is used to getting shit done would operation. You either break down obstacles or you go around.
That's the equivalent of someone who sees a bunch of broken windows in the neighborhood and therefore figures it's okay to toss a beer bottle out the window of their car.
Mind you, I could see that being her thought process, it's very human. But it is hardly a ringing endorsement of her behavior and principles, to say the least.
The point is the security professionals exist in order to facilitate the needs of the users they serve, not the other way around. It's always easier to just say no, but a good security professional knows how to assess risks, find creative ways to mitigate them, and serve the needs of the user to as great an extent possible without compromising security.
I think he is saying that often people have a legitimate need and security professionals should try understand these needs and not just say "No".
In my company IT puts all kinds of restrictions on the network but for automated testing we need these restrictions removed or we can't do our job. Since IT didn't accommodate us or provide an approved workaround we had to hack around them and make the system less secure as a consequence.
I've worked in an environment where it'd be impossible to do your job if you didn't ignore IT.
I've posted about this before on here - "It was worse at $last_company where at my best count, I had 20+ different passwords, all with differing rules, and expiration policies, the solution in the end was a spreadsheet (contrary to IT policy) - which was stored on my workstation with full disk encryption."
If you have a choice between loosing 8 hours a week just to information access management or just ignoring the rules, which one would you pick?
When you're a contractor, you often dont have that advantage - if for example all of your co-workers (and managers) violate policy in the same way, you're left being the odd man out, which does not bode well for your employment future. That said a large amount of "I cant because I'm locked out" was tolerated - if for no other reason that managing the account circus was too much for any one person.
The difficulty with the best protocols as designed by security professionals is that they are not necessarily designed based on how users actually work. And if they are not, it is likely that users will subvert them. This paper from 2010 is along those lines, "The True Cost of Unusable Password Policies: Password Use in the Wild" (http://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf).
I particularly like two of their observations from the introduction:
"Based on our results, we make three key observations:
1. When users cannot cope with the demands of strict
password policies, it a) reduces their productivity, and
b) leads them to adopt coping strategies - which usually
reduce security.
2. Although passwords are usually considered in terms of
authentication for a service or a device, today they are
encountered in many other ways in the workplace –
and existing password policies do not cover these. As a
result, users adopt ad-hoc solutions, which are usually
insecure."
The security we actually get is the result of the technology we use, and the human behavior that interacts with that technology. Sometimes, in order to get higher actual security, we may need to relax the technological security so that we get the human behavior we want.
"Must be nice to have a high enough position in life to ignore security protocols at whim. If I did that I would be fired."
Only if you get caught, usually by (losing the device and having to tell everyone|getting a virus or what-not that noticeably impacts some other system). Which is sufficiently rare that you can get away with "it won't happen to me" for an arbitrary period of time.
If you say "yes" rather than "no", you become involved in the process of implementing the system and can provide security fixes and mitigations. If you say "no" they they probably do it anyway, stick it in Digital Ocean, and never tell you about it. It stops getting patched when they leave the company. Years later, someone kicks the door down and finds it littered with your IP.
Of course they were wrong to go through unofficial channels, but as a security professional, you don't plan for things to happen as you expect. You plan for things to go wrong, and you plan so they go wrong less.
> Must be nice to have a high enough position in life to ignore security protocols at whim. If I did that I would be fired.
Ivory towers take a stain too easily, so I only summer there. The rest of the year I stay on the ground with you commoners.
The problem is that quite often security professionals say "No", provide reasons, and the person doing the asking insists that convenience is more important than security.
My favorite story of all time, which I'll share because it's now over 20 years old, had to do with a security vulnerability in the diagnostic trace component of a serial device driver.
The developer in question insisted it had to be there. A meeting with the two of us, as well as our bosses, and a "neutral" odd-numbered party was had.
I started by explaining the exploit. The developer then explained the need to have support staff (who weren't "root" users") able to enable the diagnostic trace feature. I then explained how a non-support person could trace a specific TTY (see, it is an old story!) and capture an entire login dialog.
Things weren't going well for me, so I then explained that it presented a security vulnerability which I'd have to disclose.
At that point in time, the developer got up out of his chair, and came across the table at me. His boss grabbed him, sat him back down, then agreed with my explanation and the feature was changed to require privilege.
If you think being a security professional is fun, it's not all sunshine, roses and egotistical power-tripping. It's a constant struggle to say "No" when people want to make products more "useable" and we want to make sure they are "secure".
This is a great tale - and clearly an obvious vulnerability. Most of the situations I've entered into are less clear cut however, its organizational policy choosing the easy way out (and being able to tick the 'best practices' box at the same time) over more practical solutions that actually work for a majority of the needed users.
> The problem is that quite often security professionals say "No", provide reasons, and the person doing the asking insists that convenience is more important than security.
The real problem is that this is true. Just like the fastest and most error-free code is an empty file.
When security breaches can kill people, you'd better be able to prove that lack of convenience kills even more people, and that there are no other options.
Without endorsing the NSA's actions, no. Clinton's reckless disregard for security led to a dangerous breach of protocol. The fact that anyone else might have done the same in that situation makes not the slightest difference to me. If no one will give you a parachute, do you say "screw it" and go skydiving anyway? No, that would be stupid. The reason for the refusal is immaterial.
The huge problem with your analogy is that what you're describing is saying 'no' to a feature that can't exist or else it is inherently a security backdoor.
The feature that Clinton wanted was not inherently a backdoor. The feature even existed and Obama was given the solution. Obama's blackberry proves that a legitimate need existed and there was a secure solution to it. But Clinton was told 'No' and this is the kind of situation where it leads users to simply bypassing the security.
You can't justify the 'No' response to Clinton on the basis of your 'No' response to a diagnostic backdoor. The fact that you can't see the difference in the two circumstances is why the security industry has a credibility problem, and why you've probably got a credibility problem.
Unlike your example, a secure solution existed to the problem. Obama used it every day. Clinton was told 'No' and she chose, like many users do, to view it as a broken policy rather than as a legitimate security concern--because it probably was.
Some users are dumb and want stupid broken things and have to be told why they can't have it. Other users are pretty smart and know when the reason they're being told 'No' has more to do with petty government feuds and bureaucratic infighting.
Your post sounds like a well-rehearsed speech, and I suspect that you've used this a lot to say 'No' to requests--are you certain that all of those cases have been as legitimate as the case in your speech? I tend to doubt it or you wouldn't have posted it here in a case that shares little of the same circumstances.
The problem is not fundamentally unsolvable because Obama had one of those phones. The solution existed and at least one of them was produced.
The US Government spent $4 trillion in FY 2016. I can't imagine that a secure blackberry for the Secretary of State would have costed more than a negligible fraction of a fraction of a percentage of that.
The "lack of resources" was someone /deciding/ that they didn't want to spend the resources on securing the US Secretary of State's phone -- not some kind of law of nature or economics.
The person who made the judgement that there were "no resources" to accomplish the task ALSO needs to be held accountable for that decision.
People try to divide security vulnerabilities into "super-obviously-bad" and "no one will ever find / exploit / do much of anything with it."
The problem is that rather often little holes can be leveraged into bigger holes. The argument against the change I'd requested was that no one would ever write a program which would process the trace hook events. Because they just wouldn't. Except no one needed to - there was a program that took trace identifiers and dumped the events for all to see.
That's an argument to "difficulty to exploit". The same thing has happened with various race-related exploits -- a race that's fractions of a millisecond long is considered "unexploitable" until process scheduling, and how to control it via various means is discussed.
It doesn't matter the problem space - fixing bugs in code, configuring servers securely, proper OPSEC, choice of programming languages or development methodologies. It always comes down to security versus convenience. Sometimes "convenience" is replaced by "cost" or "resources". In this case, the NSA didn't have the "resources", which is a proxy for "convenience" because if giving Clinton a secure BlackBerry had been dead simple and free ("convenient") she'd have gotten one.
As for being "well-rehearsed", yeah, I've spoken publicly on security and try to make my little anecdotes fun to read or hear.
No, you're still making category errors and still completely blind to them.
You slide from race conditions and attaching debuggers, to a policy decision by a bureaucrat not to come up with the resources.
You fundamentally cannot be held responsible for the existence of debuggers in the universe. That is just silly.
The bureaucrat who said 'no' to the request from the state department can be held responsible for justifying that decision. With a $4T budget I can't believe that the US government couldn't find a few bucks under a cushion someplace to dig up another blackberry for the Secretary of State. In fact, its pretty much negligence that they couldn't.
And when you make pure policy decision about security you cannot abdicate responsibility over users deciding to work around those policy decisions when you make bad decision.
I have a class with the guy who was in charge of infosec (or the closest thing they had to 'in charge') for US military in the Middle East from about 2004-2006. When he got there he implemented a policy forbidding use of flash drives, and in doing so made everyone furious. For his entire time there he was pissing off users, but maybe the capacity for accepting unexplained 'No's is greater in the military, so the policy held. Then as soon as he left, they got rid of his rule, and a year later Russia landed their worm on tons of DoD boxes, classified and otherwise, with some flash drives in a parking lot; as the largest ever of DoD networks, it led to the start of CyberCom. Talk about failing to get any buy-in...
Sometimes the "no" exists for a reason. Users don't understand this, and want the path of least resistance. Which is why policies exist for terminating such users from organizations.
But heh, infosec shouldn't exist and everyone should be able to BYOD, amirite? "Frictionless" or something like that?
> Sometimes the "no" exists for a reason. Users don't understand this, and want the path of least resistance. Which is why policies exist for terminating such users from organizations.
I will say that, in my experience dealing with government and DOD contractor security, is that they often fail to articulate the reasons. Users should understand, at some level, the threats you are trying to face. If someone comes to you for permission to do something and your "No" is backed up with nothing more than "That's the policy" or "Because I said so" you can expect them to be much more hostile to it and more likely to go around it.
The problem with this story isn't that USB drives were used and caused a vulnerability, it's that USB drives could be used to cause a vulnerability.
Let's say the Russians did the same thing dumping a bunch of USB devices whilst the USB drive ban was in place. Almost certainly someone is going to sneak in a USB drive at the risk of getting caught, just so they can do their job more effectively. There is still a good chance that this USB drive hack might have worked, just not as likely.
I really feel that your friend wasn't looking at things from the right perspective. The reason that USB drives were the vector that allowed the Russian hack to work was because they allow the execution of arbitrary code once the drive is mounted. If you prevent the execution of that code, then the issue would largely have gone away.
Instead of only banning USB drives, why not investigate ways of preventing code execution on drive insertion from occurring in the first place? Then you could have the policy of no USB drives, but if someone did sneak one in then it would have removed the vulnerability completely.
A small point of information, it is also problematic (in a highly sensitive enviornment) to let people arbitrarily decide to take gigabytes of information out the door with them.
I've definitely spoken to people who've told me that, when they plug a USB drive in at their place of work, Windows pops up a dialog for an administrator's password in order to mount it. I believe this is some sort of group policy, but I'm afraid I only use GNU/Linux.
Funny story: a particular Australian Federal government department I did consulting work for just couldn't figure out how to prevent auto mounting of USB storage and - I kid you not - they superglued all the USB ports on all workstations that had access to their secure servers!
Based on the fact that the policy held for the duration of my classmate's stay, I'm guessing that he did implement a policy forcibly preventing flash drive use. But the whole time he was a thorn in everyone's side, maybe because he didn't try to explain himself adequately (or maybe because the military is too burnt out on mandatory training to pay attention). So after he left they probably "fixed" the systems to allow flash drives again.
How is this a classic story? It's a story on Clinton just casually dismissing the security requirements, not some security technology meme where people game the password length and character requirements and monthly expiration and the arstechnica editor is going "we feel you!".
It's the state department. The same people that invoke "but secretz!" on every lawsuit.
I understand that is is very inconvenient to use the channels provided to transmit confidential information, but that goes with the job. It is also probably inconvenient to have a massive physical security detail follow you everywhere as well but that is also necessary as a high profile government official.
Securing mobile communications on a massive scale according to SCI government specifications does not happen overnight, and is not very easy. So unfortunately she has to use the channels provided, however clunky they are. I am sure Mrs. Clinton wouldn't hop into her car to visit a friend without gathering a full security detail. Yes this curtails her life, and yes it is inconvenient, but it is necessary just like securing her communications is!
It is like if I were working for a large bank, and I put in a back door VPN to the network since their VPN client only works on Windows, and I want to use Linux. Sure more convenient for me, but it is not my place to subvert security for my own personal convenience.
I don't know why this comment was downvoted without explanation, because your point is correct: as a public servant, one is expected to live up to and follow the rules and laws dictated for that position.
Security is something you never need until you need it the most.
Security is something you never need until you need it the most.
Yeah, we get that part. But it isn't about secure, or not secure.
It's that she (or more specifically Donald Reid, her secure information technology coordinator) was never provided a legitimate explanation as to why this technology was available for the POTUS -- and for her predecessor -- but not for her. So it's understandable that they felt dissed.
As a public servant, "I felt dissed" is certainly no reason for me to break the law. I expect better, both from the Secretary of State and from the President of the United States.
Oh, I agree. There's no defense for her going for a backchannel device in response.
Just that arguably, the NSA has a legal obligation to at least attempt to properly coordinate with the Executive Branch when it comes to perfectly reasonable-seeming requests (as this request appears to have been, from the outset).
Which they apparently did not do in this case, for some reason. So the legal aspects of that matter should be looked into, also.
Feeling dissed, is one thing, but subverting the process is another. The explanation given was that scaling the Blackberry that the POTUS was given was unmanageable. Whether that is a fair explanation or not we do not know. Even if it were not a fair explanation, does that give Mrs. Clinton the right to basically backdoor the whole process?
Feeling dissed, is one thing, but subverting the process is another.
Agreed - I definitely do not condone her going rogue in response.
My message is simply: if the NSA can't (or won't) reasonably coordinate with the 2nd most important office holder in the Executive Branch, on what should be a perfectly tractable issue... then we have to wonder whose interests they're serving, exactly.
The explanation given was that scaling the Blackberry that the POTUS was given was unmanageable.
How about you look at Hillary's own statement and actions in terms of other people breaking laws or regulations when they didn't feel like following them. Then, you'll see why some of us want her held accountable too. ;)
Besides, it wasn't all or nothing: she had several options available that she just didn't like. Security people's decisions sucked and should probably get them fired as chris_wot said. Yet, she did have options before creating the third that was a national security risk and illegal. I'm just saying no double standards here: apply her standards to her.
Yes they were given a legitimate, real explanation. Quoting another comment here:
> [Approval] wasn't withdrawn for Clinton, it was withdrawn for the devices themselves. The NSA decided the potential consequences for a baseband compromise within a SCIF was too high risk.
That's what the poster of that comment surmises to have happened.
However, that information is not contained in the AT article. We can't just assume that's what the Clintons were told. And going by the article, that's not the explanation they were given.
Not everything Secretary Clinton did was TS/SCI. The common practice is an Android device[0] that is approved to SECRET only. This would suffice for general email and messaging.
My understanding is that President Obama's blackberry [1] isn't really a mobile device as configured. This blackberry device connects to the a custom secure base station [2] or picocell, that follows him around just like the Football[3], when outside certain vehicles.
Another factor is that TS/SCI access is restricted by location. eg. AF1 or the Presidential vehicle.
I'm not sure the Secretary of State would have a full time [*24/7] detail, although as former First Lady, Sec. Clinton would have a Secret Service detail which is funded separately.
It would be more likely that the NSA offered a different solution and State Dept. bureaucrat balked at the cost involved, especially something like following senior staff around with a football.
The Secretary of State has a full-featured security detail [1]. While on foreign missions, this includes a motorcade with armored vehicles (flown in by DSS beforehand), surveillance teams, and security augmentees from U.S. Embassies nearby [2].
Not disagreeing about DSS. The part I'm not sure of is if DSS follows the secretary 24/7 at home. It would be questionable if they would detail someone to follow the secretary 24/7 just to support a TS/SCI blackberry.
>I understand that is is very inconvenient to use the channels provided to transmit confidential information, but that goes with the job. It is also probably inconvenient to have a massive physical security detail follow you everywhere as well but that is also necessary as a high profile government official. ... I am sure Mrs. Clinton wouldn't hop into her car to visit a friend without gathering a full security detail. Yes this curtails her life, and yes it is inconvenient, but it is necessary just like securing her communications is!
Semi-OT, the president does exactly that in 24 season 3: there was an episode where he just decides, on a moments notice, to duck out (nearly) by himself to go visit a friend in a rich neighborhood and come back, and it's all over in 30 minutes. Really broke immersion.
I was rather impressed by Clinton's IT skills, managing her own mail server, using electronic communications extensively, and according to this even asking the NSA to provide a bberry.
Then I read:
> As I had been speculating, the issue here is one of personal comfort… [Secretary Clinton] does not use a computer.
Perhaps I'm overly cynical but I'm guessing she got caught with her phone in the SCIF more than a few times before she got the message to leave it outside.
A number of comments here blame the security people or government IT in general for not being accommodating. That may be appropriate in some cases, but anyone who has worked in IT for any length of time understands how this happens. Systems that you don't like are created by bad policies, not bad IT people. Bad policies are driven by overly centralized security responsibility. The security department that says no to <X> because they are responsible for whatever you manage to do with <X>.
Think of a car accident. There is a diffusion of responsibility. The decisions both drivers made, road conditions, weather, speeds etc... You would only be concerned with the manufacturer of the car if one of the safety systems malfunctioned. Yet in the case of computer security we want to hang all the contributing factors/decions around one party: the security team. Imagine if General Motors was liable for every car accident; regardless of fault. Every time someone didn't put on their seatbelt, or drove through a flooded road etc... What kind of cars would be produced? Certainly not the kind you would enjoy driving.
The day that we can have the security departments we want is the day we understand that we can't absolve ourselves of all security responsibility.
I'm reading between the lines here, but is it suggesting that Clinton didn't trust the PC she had been assigned, and that she suspected she was being spied on?
Was this the reason why she chose to run her own email server (not that it was secure but still)?
Maybe she did not want anyone in to be able to FOIA her correspondences. She has said she deleted about 30k emails off the server because she claimed they were "personal in nature". The problem is, that wasn't her call to make.
>And while Clinton's predecessor Condaleeza Rice had obtained waivers for herself and her staff to use BlackBerry devices, Clinton's staff was told that "use [of the BlackBerry] expanded to an unmanageable number of users from a security perspective, so those waivers were phased out and BlackBerry use was not allowed in her Suite," an e-mail from the NSA's senior liaison to the State Department noted.
NSA says that they could not ensure the security of BlackBerry devices. That's not a refusal, just the facts. Is someone expecting the NSA to magically conjure unlimited, secure BlackBerries?
Securing the blackberry is a red herring. What they wanted was a functionally equivalent mobile device. If providing such capabilities isn't exactly what the NSA should be doing, then they shouldn't exist.
Having dealt with classified work in a previous life, there's no doubt that if any normal joe without her political connections did anything remotely close to this type of thing, they'd wind up in prison.
Clinton will probably skate. And yet she'll be the first person demanding that we try Snowden and keep Chelsea Manning locked up.
It's not crystal clear that she violated any laws. Agency heads determine policy for their department's classified information, and she was the most senior of the agency heads. She had explicit authority to classify and declassify information, and to say how it can be disseminated.
There isn't that much statutory groundwork to support charges and what there is says an agency head "is assumed to be acting under executive authority", i.e. as the arm of the President.
The Congressional Research Service wrote a rather helpful summary[1] of the myriad aspects of classification and law.
I hear you, although I would argue that someone with her position should have been the first person to know whether what they were sending needed a security designation or not.
The fact that 10-15% or so of those emails needed a retroactive security classification demonstrates that she held either had a cavalier attitude toward guarding that information, or was simply incompetent in knowing what should and should not have been classified.
Whether that rises to the level of a criminal act, I suspect, depends on whether any of the 30k+ emails she deleted, claiming they were personal, also contained classified material, because then the crime is lying to the FBI more so than the reckless handing of classified information.
Information does not get de-classified just because it is publicly known.
For example if one of Clinton's friends forwarded her a NYTimes story about CIA activity in Syria, and she forwarded that to a deputy, well, now she has both received and sent classified information from her email.
And even though it might have been on the front page of a newspaper, a retrospective review would designate it as classified information.
Would a staff-level person get fired in that situation? I don't know. So much stuff is classified these days, and yet the press is pretty good about ferreting out stories. Any regular reader of the major news operations is probably going to see classified info on a regular basis.
How easy is it to keep track of which public, well-known news stories should be excluded from nonsecure email? I would guess, not that easy.
I've seen the same thing at companies, where employees get in trouble for talking about confidential information that is known outside of the company.
I think the rationale is because sometimes the file gets updated internally such that the leaked info is no longer accurate and the person with access might screw up.
"Normal Joe" maybe, but senior executive? Nope. Or am I misremembering Petraeus' long prison term? Or does he get a bye because he was using a pc instead of a phone?
> the solution supported by the NSA—its SME PED (Secure Mobile Environment Portable Electronic Device)—was hardly BlackBerry-like. SME PED devices are based on a secure version of Windows CE, and they're only rated up to "Secret" classification. And as Clinton was taking over at State, the SME PED was only just becoming available.
It sounds like at the time that Clinton was moving into State, there was, literally, no good solution supported by the NSA for mobile email use.
Which considering it was 2009, and mobile email was already prevalent with Blackberry, iPhones/Androids, etc, is well, maybe par for the course for government entities.
198 comments
[ 3.8 ms ] story [ 237 ms ] threadNot that that excuses her going off and using her own. The NSA should probably evaluate if the end result of their refusal was more security or less.
I don't know how or why they're trying to connect the two. I find this issue interesting in its own right, but see it as nothing to do with her email server (which is already interesting but different).
If the security apparatus doesn't allow people to get their job done, people will find ways to solve their own problems.
For example, you could certainly ban all internet use. It would render moot a huge amount of security problems, but people wouldn't abide it. So you have to find the trade off that the user and the security people find acceptable.
But it's a tension between rules and human nature that comes up often. It's like telling teenagers the only safe sex is no sex, and then not teaching them anything else about sex, because they shouldn't be having sex. You're going to have a bad time trying to make that work.
They actually have, the FBI is auditing the last 4 Secretaries of State and has found similar use of private email servers [1]. Outside of the state department the Bush administration was rife with the use of private, RNC managed email servers [2].
1. http://www.nytimes.com/2016/02/05/us/politics/state-dept-cla...
2. https://en.wikipedia.org/wiki/Bush_White_House_email_controv...
They could but they'd conclude it was MORE secure. Her leaving the SCIF to use an insecure device is infinitely more secure than allowing insecure devices into the SCIF or giving out highly sensitive devices like candy (in particular as she wanted to use it for non-top secret email).
Cellphones can be attacked and turned into bugs (e.g. baseband hacking). A bug in the SCIF is unacceptable, and having any wireless devices at all makes it much harder to detect bugging from other avenues.
Additionally giving out the president's "Black Phone" to more people makes it easier to attack since they'd have more opportunities and potential mistakes. Plus what if the black phone was compromised? Now you've exposed the SCIF in state.
> Additionally giving out the president's "Black Phone" to more people makes it easier to attack since they'd have more opportunities and potential mistakes.
It is worth knowing that the US President himself has two phones. A black phone and a regular smartphone for everything else.
Let's look at this classic case: they won't give Hillary Clinton access to a modified BlackBerry that Obama was using because it made security "unmanageable". Even though Clinton's position is literally one of the most important in the country, if not the world the NSA decided it was a security threat and so just didn't allow it to happen.
So Clinton setup her own email server infrastructure and conducted all State business through that.
So now those same security people caused a considerably greater threat to national security.
Someone should find who denied Clinton access to a secure BB, then they should be removed from any security related work. I almost feel sorry for them if Clinton becomes President, because their days will hopefully be numbered. But I don't feel sorry, because their short-sightedness caused a greater risk to U.S. National Security.
1. https://www.schneier.com/essays/archives/2009/08/people_unde...
I really wonder if the wasted human time is worth saving handful of frauds.
Furthermore, the chip is not only protecting from cloned cards, but also protecting from the vast malware breeches that occurred at Target, Home Depot, and more.
The decision is right. The crap the processors are pulling with their terminal designs is not. The processing market is ripe for someone to break formation and accept smaller margins in return for a well designed and faster terminal.
Could it be that your card readers are somehow worse compared to the ones we have here, which makes it more painful to use? Could it be that here we always use a PIN code as well, so that takes a bit of time anyway, and you do not?
What really baffles me is how inconsistent the rollout has been. Chip-capable terminals are everywhere, but maybe 3/4ths of them don't have the chip part enabled. So many times, I've inserted my card only to find that it simply doesn't work. Yesterday I made a purchase where they had taped over the slot so you wouldn't even try.
It seems like once you have the hardware, the rest should just work. I don't know what the hell is going on.
That said, make one thing harder, they find another avenue in. I'm voting for cameras that read your physical card while it is in, then the fraud is conducted online. (Downside of that for thieves being that now they have to give out a working address.)
The reason it reduces crime is that you can't make fake credit cards with data collected from a skimmer, and use them in stores. Your fake credit cards fail because they can't do the chip interaction. Therefore in store fraud is reduced to people physically stealing your credit card.
My experience is that it takes way less time (I'd say 3-4s, maybe it's a connectivity issue?), and (comparing to what I have done travelling and memories from watching my parents in childhood) any time you did save with a swipe is instantly eaten up by signing taking far longer than tapping in a pin (not to mention the magstripes wearing out faster than the pins).
As to 'saving a handful of frauds' - I was shocked at the ease of fraud in the old system. When I was in the US, I felt uncomfortable with the staff taking my card (here in the UK, it's always in my hands) - often taking it out of my sight, and a colleague had 'Please ask for ID' rather than a signature on his card - he never once got asked for it, implying that the signature check is valueless, because apparently no one does it.
As of this spring update I'd estimate vendor uptake is about 30-50%. So half the time you either swipe and wait 2 seconds for it to beep that you need to insert, or you insert and wait a couple seconds for nothing to happen and be told to swipe. The chip mode is poorly integrated into many POS systems - at most local groceries even if you tap "card" and insert the card it will make you go back to the screen and push "card" again, or take several seconds before it accepts it. Then it processes for ~5 seconds, then you need to sign.
Some of this is teething issues with rollout and POS integration, but the signature is unfortunately not going away.
If you'd like to fire your security people who are too paranoid and obstinate, you'll find yourself without a National Security Agency. You should give them a manager who does understand people.
"Mr. President, those NSA guys won't give me a BlackBerry like yours."
"Hillary, that's ridiculous. I'll have someone call Admiral Bigwig right away so you can get some BlackBerry."
And if the President doesn't help you, you had better learn to sit in the SCIF or, better, do whatever previous Secretaries did to keep informed without BlackBerries. Clinton is responsible for her actions. Nobody made her set up her own email server.
Which was probably about as insecure.
In all my time studying NSA's IAD, I could never be sure if this was just organizational issues or straight subversion. Snowden leaks made that harder rather than easier. Bell, of Bell-LaPadula fame, has a nice write-up of how they helped create high-assurance security market then destroyed it over time.
http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-B...
The A1 products he referenced still exist but government doesn't push them for rest of us. A NOBUS thing I guess. SNS Server (MLS LAN) is defense only, not sure about XTS-400 (now XTS-500 w/ Linux apps), and Aesec's GEMSOS might be available to commercial sector. I forgot to ask for clarity on that. Nobody outside high assurance or good CompSci has ever heard of them. Bleak picture for anyone investing in next high-security product, ain't it?
Nice, albeit biased, presentation on methods behind GEMSOS & old school high-assurance.
http://www.iwia.org/2005/Schell2005.PDF
Holistic, pub-subscribe architecture leveraging SNS Server as "impenetrable" component to simplify overall scheme. That's overstating it but it's allegedly unbroken in field since released in early 90's. Embedded firewall is another old trick you can do today w/ Octeon II's or similar PCI card computers.
htttp://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA425566
There are limits, both legal and political, that the NSA won't cross but a private contractor doing pen testing might try.
Rightly or wrongly, about the only way most US private companies can get a proper grasp of what the NSA is capable of is to hire a senior former NSA officer.
http://ironnetcyber.com/executive-team.html
So, altogether, they probably got plenty of review. They could still use more from independents with great skill. So far, though, solid in review and the field in high risk is saying something.
Re hiring a former NSA officer
Others and I have been telling all of you for years what they're capable of. You just look at each layer or compondnt to see what a subversion/breach would do. Then read years of papers showing how to avoid those. Then notice what each product is or isnt applying. Then you know they were breaking almost all of it. ;)
Yeah. That woman made me rape her by not having sex with me voluntarily.
Maybe Clinton should accept that the laws apply to her too and if the constrictions of a particular position don't suit her, she shouldn't accept it that position.
What you are saying is that they should be removed from security related work because they don't understand people.
OK, but that also means Clinton should be removed from security related work because she doesn't understand security.
Can she act as president without any access to anything secret or classified? It would be hard, but that's the standard you are setting.
All that you have shown here is that the people tasked with securing sensitive information failed to do so.
If Clinton becomes President, then she'll be provided with a secure mode of communication, regardless of what the security person thinks of it. So as President, she'll be able to access secret and classified information.
Not having what you want, even when you have a right to it, is not an excuse to do it anyway.
She probably says things like "it's fine, it's secure enough".
I have a hard believing anyone would understand it and still not care.
The logic here is that one adult's actions can be blamed on a second adult if the second adult doesn't allow the first one to get their way. Now imagine applying that to other situations.
The world is full of grays, and not everyone's jobs, actions, abilities, and powers are equal.
You can try, and that's typically what organizational policies aim to do. But once you've set a policy, pretending like it's some sort of infallible divine guidance is asking for failure. Good security policy needs to always be reacting, always considering whether the rules they've set are still a net gain in the security of the system, given that they're operating in a real world of real people with real behaviors that may not have been accurately predicted.
I sincerely hope he hasn't changed his mind, and will not stand in the way of her indictment.
Obviously people who already don't like Clinton are all over it, but I think there's a legitimate complaint from people saying that she shouldn't be able to get away with something that nobody else could.
That argument doesn't always work out. Is it silly when people complain that the NSA is breaking the rules that everyone else has to follow?
Yes, it is sort of like workers complaining that the CEO doesn't follow his own rules. That's a valid complaint. But it's not exactly like that, because Clinton wasn't just breaking some internal State Department rule. It's a rule for the whole government, which she is not the head of. And it's not just a lowly grunt that would be punished for this, it's anyone else. A general would not get away with it.
Yes, I do think it is silly. Now that doesn't mean that the NSA should have no rules and have free reign, but to draw an equivalence between the NSA and an average person (that would justify them being bound by the same rules) is just absurd.
>because Clinton wasn't just breaking some internal State Department rule.
The issue regarding the rules isn't about classified information, its about private servers. That is a rule that she is absolutely justified in re-writing on-the-fly even if a lowly grunt would be thrown in a hole for doing the same thing. Just to be clear, her private server does not inherently endanger classified information. People have been conflating these two issues to the point where no one can speak clearly about it. That classified information was incorrectly sent to her private email is an entirely different issue.
Hillary Clinton doesn't need to worry about that because she's Hillary fucking Clinton.
Some people are more equal than others.
The NSA itself knows very well that if the gizmos they provide aren't usable -- and more fundamentally, if they don't respect their customers -- then it doesn't matter how "secure" the technology is, because people won't use it.
Hillary Clinton doesn't need to worry about that because she's Hillary fucking Clinton.
Look, I'm hardly a fan of the former Secretary. But in the original article, it's pretty clear that she and her secure information technology coordinator (Donald Reid) were feeling stonewalled (it not outright disrespected) by the NSA on their requests.
Which doesn't justify her opting to use a less-secure communication means (by any stretch). But it's pretty clear from the basic narrative of the story that there was more going on to this fiasco than simply Hillary Clinton going off on an ego trip.
> The NSA itself knows very well that if the gizmos they provide aren't usable
What isn't usable about a desktop computer? According to the article, she just liked using BBs more. Confusingly, the article seems to conflate a few things.
1. She wanted to use her Unclassified//SBU Blackberry in the SCIF. Because of phone exploits that the NSA employs against other heads of state [1], State Department guidelines require her to leave it outside of her office that has classified computers. Obama's special Blackberry might let him talk to DNC leadership and big donors, but I'm guessing he uses a normal phone for that. Why couldn't she use a desktop phone and her unclassified computer to check her email to donors, campaign managers, and DNC leadership? How does a separate email server solve this problem?
2. She felt the need to have a separate email server. What this solves is never mentioned in the article. All State Department employees have access to the Unclassified network. Most have access to State Department provided Blackberries for that network, and also to 2FA token generators to permit them to VPN in. Traveling all over the world doesn't restrict the usage of either of these. Also, DSS sets up a classified network wherever the Sec State stays.
The only plausible reason to set up this outside email server is to evade FOIA and discuss classified topics without the risk of a government employee seeing classified information on an unclassified network. I'm really trying to understand any other reason to do this.
[1] I didn't see a Blackberry exploit in the Snowden leaks, but it's probably safe to assume that the risk is significant. Imagine how valuable it would be to get room audio of political or trade discussions before stepping into a meeting with the U.S. Secretary of State.
You'd also be fired if you made life difficult for the CTO. They'd find someone more capable.
She had a wired-computer she could check email on in the SCIF, but she refused and was only willing to read her email on a Blackberry, so her staff tried to get authorisation for one, failed, and then tried to get her a highly sensitive top level device just so she could check her unclassified email in the SCIF (she could use a standard Blackberry elsewhere).
I'm siding with the NSA here. She should just buck up and learn to check her email on a wired PC like everyone else.
Honestly I suspect their policy is "no wireless devices within the SCIF period." From wireless keyboards, to cellphones, to WiFi, and beyond. The black phone might be authorised but I suspect that is due to operational importance (e.g. calls vital to national security).
https://www.bostonglobe.com/news/nation/2015/09/30/john-kerr...
Would you be able to be good at your job if you were only able to check email once a day? I sure couldn't, but 15 years ago that's how often I checked it.
Imagine all the previous people in that position who were incapable of properly doing their jobs because they had no fax machine with which to receive secured information.
Imagine all the previous people in that position who were incapable of properly doing their jobs because they had no telephone with which to receive secured information.
Times change, and so does the technology required for the position.
For another elucidating example (and another Hillary situation), look at the CIA vs State Department in Benghazi.
No, the NSA was being petty.
Worse than that, actually. Most likely whoever made this decision had some kind of a personal grudge.
On technical grounds the NSA's position makes sense. Baseband compromises are viable and an active threat, cellphone OS software compromises are also viable and an active threat, so effectively every wireless device inside of a SCIF could be turned into a bug at any minute.
Additionally the NSA doesn't let wireless devices into ANY SCIF, by Clinton or anyone else. Only the US president himself is the exception to this rule and even then we're talking about a specific device designed for official functions only.
So again, you'll have to justify your position.
There may have been valid (short-term) reasons as to why it would have been difficult (or costly) to provide her with a POTUS-like solution.
But the overall sense I get from the article (and in my view, the bigger issue at play here) is that Clinton and her secure technology coordinator (Donald Reid) felt they weren't being given a credible explanation as to why their request would be unworkable. And (subjectively) felt they were being ignored generally with regard to their request.
(And BTW no, the partial explanation they were given -- "use has expanded to an unmanageable number of users" -- meaning presumably legions of underlings probably shouldn't have been granted exceptions in the first place, is not, on the face of it, a credible explanation as to why an exception can't be granted for the 2nd most important office holder in the Executive Branch).
Only the US president himself is the exception to this rule
Umm, what "rule", and why is the POTUS the only exception?
These are the questions that Clinton and Reid were apparently unable to get an answer to.
So they just decided to do whatever they wanted because they feel that they are above the system.
I can't avoid asking myself what would happen if, some subordinate of them, just thought that some rule in their department was stupid and decided not to follow it.
Taking wireless devices into the SCIF. And because POTUS has a national security need for immediate communications (because they're the head of the military, have access to the football, and may need to make key strategic decisions).
The key question is: Are you going to risk more lives and save more lives by allowing potential bugs into the state's SCIF? Leaks from within a SCIF could almost certainly get people killed (foreign agents, US agents, US military personnel), the key question is if the Secretary of State can save enough lives by being instantly accessible in that one area?
> These are the questions that Clinton and Reid were apparently unable to get an answer to.
Or they received an answer but either didn't understand the answer or just didn't like it. There are a lot of people who claim that their issues are never addressed just because they don't understand the answer to the question they're asked.
I'm sure the NSA gave them a full report on why cellphones are risky and how they can be compromised. But I don't know if that information was received by state or understood.
Because [the] POTUS has a national security need for immediate communications because they're the head of the military, have access to the football, and may need to make key strategic decisions).
The Secretary of State's job is also quite important, you know. They're also pretty high up in the chain-of-succession for direct access to the same duties as the POTUS.
Or they received an answer but either didn't understand the answer or just didn't like it. ... I'm sure the NSA gave them a full report on why cellphones are risky and how they can be compromised. But I don't know if that information was received by state or understood.
Drawing from the trove of recently released emails, the article itself says that most likely they were informed of (and understood -- or at least her staff understood -- the risks of) using private cellphones ("her staff was fully aware of the security risks associated with using her BlackBerry.") What they didn't understand is why a modified cellphone was considered a secure enough solution both for the POTUS, and for the predecessor SoS -- but not for the current one.
As to whether Clinton herself really understood the risks, or she did, why she continued to use a non-secured device, anyway?
That I don't know -- and I won't offer any defense for, either.
That's the real paranoia. What if the black phone turned into a wireless bug? Anything wireless inside of a SCIF is "bad." The black phone is just an exception for national security reasons, the default is to deny all.
Haroon Meer says that saying "no" is a finite resource that security professionals are too willing to tap. If an organization comes to see your department as an obstacle that shoots down ideas and never contributes, you end up ignored. Chip in with ways to make bad ideas less bad, because we already know that deploying any vendor's software is a loss to security.
But when the Secretary of State wants to Do A Thing, and you're the NSA...
Must be nice to have a high enough position in life to ignore security protocols at whim. If I did that I would be fired.
Just saying "No" without investigating alternative solutions to satisfy the spirit of the request is likely the problem.
It's also apparent that there was no routine security auditing which may have caught Clinton's behavior. I'm not sure you can claim the NSA was acting with security in mind when it's quite evident she was walking around with a blackberry every day in "Mahogany Row'.
How do we know there wasn't an audit done?
How is it the lacking of the NSA in considering security when a person who was told don't do that decided to ignore it?
A) People seeing this play out in their own lives enough to relate it to this experience B) That the quote wasn't "No", it was "shut up and go color", lmao
When "they" can't do something it's because they are malicious lazy idiots. Obviously.
It's illuminating how someone treats other professions that intersect with their own. If one security team acts in a way you disagree with fine. But if you view all security teams as inherently obstructionist, then that tells me you are self-centered or cut corners. Similar if you always have problems with HR, Accounting, etc...
I was trying to enter a 26 characters wifi passcode when setting up a new MacBook recently (so without access to clipboard). All characters hidden, not even certain the keyboard was set up with the right region. It might be secure but the guy who designed this step of MacOS should still be fired.
There's also a real line between ultimately flaunting the rules and "just trying to get your job done" in these kinds situations. Obviously if you're imperiling classified secrets that distinction will not apply to you. But for most other people this is just an item in the toolbox for effecting the change you want to see, lol.
If you're a security professional who doesn't spend a fair amount of your energy making your users happy, you're failing at your main job of ensuring security, for exactly the reasons on display here. Security doesn't end when you've sent out the memo outlining your policy.
They did it for the previous administration but refused to do it for her and offered no good alternative. She couldn't fire them and replace them and with someone more capable, so her team found an alternative.
This is exactly how a person who is used to getting shit done would operation. You either break down obstacles or you go around.
I can see how she would consider her actions to be the lesser to two evils, at least she could trust her people.
Mind you, I could see that being her thought process, it's very human. But it is hardly a ringing endorsement of her behavior and principles, to say the least.
In my company IT puts all kinds of restrictions on the network but for automated testing we need these restrictions removed or we can't do our job. Since IT didn't accommodate us or provide an approved workaround we had to hack around them and make the system less secure as a consequence.
I've posted about this before on here - "It was worse at $last_company where at my best count, I had 20+ different passwords, all with differing rules, and expiration policies, the solution in the end was a spreadsheet (contrary to IT policy) - which was stored on my workstation with full disk encryption."
If you have a choice between loosing 8 hours a week just to information access management or just ignoring the rules, which one would you pick?
The difficulty with the best protocols as designed by security professionals is that they are not necessarily designed based on how users actually work. And if they are not, it is likely that users will subvert them. This paper from 2010 is along those lines, "The True Cost of Unusable Password Policies: Password Use in the Wild" (http://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf).
I particularly like two of their observations from the introduction:
"Based on our results, we make three key observations:
1. When users cannot cope with the demands of strict password policies, it a) reduces their productivity, and b) leads them to adopt coping strategies - which usually reduce security.
2. Although passwords are usually considered in terms of authentication for a service or a device, today they are encountered in many other ways in the workplace – and existing password policies do not cover these. As a result, users adopt ad-hoc solutions, which are usually insecure."
The security we actually get is the result of the technology we use, and the human behavior that interacts with that technology. Sometimes, in order to get higher actual security, we may need to relax the technological security so that we get the human behavior we want.
Only if you get caught, usually by (losing the device and having to tell everyone|getting a virus or what-not that noticeably impacts some other system). Which is sufficiently rare that you can get away with "it won't happen to me" for an arbitrary period of time.
Of course they were wrong to go through unofficial channels, but as a security professional, you don't plan for things to happen as you expect. You plan for things to go wrong, and you plan so they go wrong less.
> Must be nice to have a high enough position in life to ignore security protocols at whim. If I did that I would be fired.
Ivory towers take a stain too easily, so I only summer there. The rest of the year I stay on the ground with you commoners.
My favorite story of all time, which I'll share because it's now over 20 years old, had to do with a security vulnerability in the diagnostic trace component of a serial device driver.
The developer in question insisted it had to be there. A meeting with the two of us, as well as our bosses, and a "neutral" odd-numbered party was had.
I started by explaining the exploit. The developer then explained the need to have support staff (who weren't "root" users") able to enable the diagnostic trace feature. I then explained how a non-support person could trace a specific TTY (see, it is an old story!) and capture an entire login dialog.
Things weren't going well for me, so I then explained that it presented a security vulnerability which I'd have to disclose.
At that point in time, the developer got up out of his chair, and came across the table at me. His boss grabbed him, sat him back down, then agreed with my explanation and the feature was changed to require privilege.
If you think being a security professional is fun, it's not all sunshine, roses and egotistical power-tripping. It's a constant struggle to say "No" when people want to make products more "useable" and we want to make sure they are "secure".
The real problem is that this is true. Just like the fastest and most error-free code is an empty file.
So you are left with tradeoffs.
Without endorsing Clinton's actions, lets learn from this.
The feature that Clinton wanted was not inherently a backdoor. The feature even existed and Obama was given the solution. Obama's blackberry proves that a legitimate need existed and there was a secure solution to it. But Clinton was told 'No' and this is the kind of situation where it leads users to simply bypassing the security.
You can't justify the 'No' response to Clinton on the basis of your 'No' response to a diagnostic backdoor. The fact that you can't see the difference in the two circumstances is why the security industry has a credibility problem, and why you've probably got a credibility problem.
Unlike your example, a secure solution existed to the problem. Obama used it every day. Clinton was told 'No' and she chose, like many users do, to view it as a broken policy rather than as a legitimate security concern--because it probably was.
Some users are dumb and want stupid broken things and have to be told why they can't have it. Other users are pretty smart and know when the reason they're being told 'No' has more to do with petty government feuds and bureaucratic infighting.
Your post sounds like a well-rehearsed speech, and I suspect that you've used this a lot to say 'No' to requests--are you certain that all of those cases have been as legitimate as the case in your speech? I tend to doubt it or you wouldn't have posted it here in a case that shares little of the same circumstances.
In the article the NSA is quoted as saying that additional BlackBerries could not be secured due to lack of resources.
You assume a lot (without apparent basis) about your OP.
The problem is not fundamentally unsolvable because Obama had one of those phones. The solution existed and at least one of them was produced.
The US Government spent $4 trillion in FY 2016. I can't imagine that a secure blackberry for the Secretary of State would have costed more than a negligible fraction of a fraction of a percentage of that.
The "lack of resources" was someone /deciding/ that they didn't want to spend the resources on securing the US Secretary of State's phone -- not some kind of law of nature or economics.
The person who made the judgement that there were "no resources" to accomplish the task ALSO needs to be held accountable for that decision.
People try to divide security vulnerabilities into "super-obviously-bad" and "no one will ever find / exploit / do much of anything with it."
The problem is that rather often little holes can be leveraged into bigger holes. The argument against the change I'd requested was that no one would ever write a program which would process the trace hook events. Because they just wouldn't. Except no one needed to - there was a program that took trace identifiers and dumped the events for all to see.
That's an argument to "difficulty to exploit". The same thing has happened with various race-related exploits -- a race that's fractions of a millisecond long is considered "unexploitable" until process scheduling, and how to control it via various means is discussed.
It doesn't matter the problem space - fixing bugs in code, configuring servers securely, proper OPSEC, choice of programming languages or development methodologies. It always comes down to security versus convenience. Sometimes "convenience" is replaced by "cost" or "resources". In this case, the NSA didn't have the "resources", which is a proxy for "convenience" because if giving Clinton a secure BlackBerry had been dead simple and free ("convenient") she'd have gotten one.
As for being "well-rehearsed", yeah, I've spoken publicly on security and try to make my little anecdotes fun to read or hear.
You slide from race conditions and attaching debuggers, to a policy decision by a bureaucrat not to come up with the resources.
You fundamentally cannot be held responsible for the existence of debuggers in the universe. That is just silly.
The bureaucrat who said 'no' to the request from the state department can be held responsible for justifying that decision. With a $4T budget I can't believe that the US government couldn't find a few bucks under a cushion someplace to dig up another blackberry for the Secretary of State. In fact, its pretty much negligence that they couldn't.
And when you make pure policy decision about security you cannot abdicate responsibility over users deciding to work around those policy decisions when you make bad decision.
But heh, infosec shouldn't exist and everyone should be able to BYOD, amirite? "Frictionless" or something like that?
I will say that, in my experience dealing with government and DOD contractor security, is that they often fail to articulate the reasons. Users should understand, at some level, the threats you are trying to face. If someone comes to you for permission to do something and your "No" is backed up with nothing more than "That's the policy" or "Because I said so" you can expect them to be much more hostile to it and more likely to go around it.
Let's say the Russians did the same thing dumping a bunch of USB devices whilst the USB drive ban was in place. Almost certainly someone is going to sneak in a USB drive at the risk of getting caught, just so they can do their job more effectively. There is still a good chance that this USB drive hack might have worked, just not as likely.
I really feel that your friend wasn't looking at things from the right perspective. The reason that USB drives were the vector that allowed the Russian hack to work was because they allow the execution of arbitrary code once the drive is mounted. If you prevent the execution of that code, then the issue would largely have gone away.
Instead of only banning USB drives, why not investigate ways of preventing code execution on drive insertion from occurring in the first place? Then you could have the policy of no USB drives, but if someone did sneak one in then it would have removed the vulnerability completely.
Actually, I'm not even sure if Windows allows a way of preventing this.
It's the state department. The same people that invoke "but secretz!" on every lawsuit.
Securing mobile communications on a massive scale according to SCI government specifications does not happen overnight, and is not very easy. So unfortunately she has to use the channels provided, however clunky they are. I am sure Mrs. Clinton wouldn't hop into her car to visit a friend without gathering a full security detail. Yes this curtails her life, and yes it is inconvenient, but it is necessary just like securing her communications is!
It is like if I were working for a large bank, and I put in a back door VPN to the network since their VPN client only works on Windows, and I want to use Linux. Sure more convenient for me, but it is not my place to subvert security for my own personal convenience.
Security is something you never need until you need it the most.
Yeah, we get that part. But it isn't about secure, or not secure.
It's that she (or more specifically Donald Reid, her secure information technology coordinator) was never provided a legitimate explanation as to why this technology was available for the POTUS -- and for her predecessor -- but not for her. So it's understandable that they felt dissed.
Just that arguably, the NSA has a legal obligation to at least attempt to properly coordinate with the Executive Branch when it comes to perfectly reasonable-seeming requests (as this request appears to have been, from the outset).
Which they apparently did not do in this case, for some reason. So the legal aspects of that matter should be looked into, also.
Agreed - I definitely do not condone her going rogue in response.
My message is simply: if the NSA can't (or won't) reasonably coordinate with the 2nd most important office holder in the Executive Branch, on what should be a perfectly tractable issue... then we have to wonder whose interests they're serving, exactly.
The explanation given was that scaling the Blackberry that the POTUS was given was unmanageable.
Actually what they said was quite different.
Besides, it wasn't all or nothing: she had several options available that she just didn't like. Security people's decisions sucked and should probably get them fired as chris_wot said. Yet, she did have options before creating the third that was a national security risk and illegal. I'm just saying no double standards here: apply her standards to her.
I'm just saying that it appears there may have been multiple points of failure, in this fiasco.
> [Approval] wasn't withdrawn for Clinton, it was withdrawn for the devices themselves. The NSA decided the potential consequences for a baseband compromise within a SCIF was too high risk.
However, that information is not contained in the AT article. We can't just assume that's what the Clintons were told. And going by the article, that's not the explanation they were given.
One is also expected to do a certain job, and if the security regulations are impeding your job, then which do you really think will take precedent?
My understanding is that President Obama's blackberry [1] isn't really a mobile device as configured. This blackberry device connects to the a custom secure base station [2] or picocell, that follows him around just like the Football[3], when outside certain vehicles.
Another factor is that TS/SCI access is restricted by location. eg. AF1 or the Presidential vehicle.
I'm not sure the Secretary of State would have a full time [*24/7] detail, although as former First Lady, Sec. Clinton would have a Secret Service detail which is funded separately.
It would be more likely that the NSA offered a different solution and State Dept. bureaucrat balked at the cost involved, especially something like following senior staff around with a football.
[0] http://www.boeing.com/defense/boeing-black/index.page
[1] http://www.technologytell.com/gadgets/156930/yes-president-o...
[2] http://electrospaces.blogspot.com/2013/04/how-obamas-blackbe...
[3] https://en.wikipedia.org/wiki/Nuclear_football
Edit: 24/7 detail at home. On official trips, the Secretary of State would have a security detail as commented by carboncopy below.
[1] https://en.wikipedia.org/wiki/Diplomatic_Security_Service
[2] Personal experience (sorry)
Semi-OT, the president does exactly that in 24 season 3: there was an episode where he just decides, on a moments notice, to duck out (nearly) by himself to go visit a friend in a rich neighborhood and come back, and it's all over in 30 minutes. Really broke immersion.
Then I read:
> As I had been speculating, the issue here is one of personal comfort… [Secretary Clinton] does not use a computer.
What?
Think of a car accident. There is a diffusion of responsibility. The decisions both drivers made, road conditions, weather, speeds etc... You would only be concerned with the manufacturer of the car if one of the safety systems malfunctioned. Yet in the case of computer security we want to hang all the contributing factors/decions around one party: the security team. Imagine if General Motors was liable for every car accident; regardless of fault. Every time someone didn't put on their seatbelt, or drove through a flooded road etc... What kind of cars would be produced? Certainly not the kind you would enjoy driving.
The day that we can have the security departments we want is the day we understand that we can't absolve ourselves of all security responsibility.
Was this the reason why she chose to run her own email server (not that it was secure but still)?
>And while Clinton's predecessor Condaleeza Rice had obtained waivers for herself and her staff to use BlackBerry devices, Clinton's staff was told that "use [of the BlackBerry] expanded to an unmanageable number of users from a security perspective, so those waivers were phased out and BlackBerry use was not allowed in her Suite," an e-mail from the NSA's senior liaison to the State Department noted.
NSA says that they could not ensure the security of BlackBerry devices. That's not a refusal, just the facts. Is someone expecting the NSA to magically conjure unlimited, secure BlackBerries?
Clinton will probably skate. And yet she'll be the first person demanding that we try Snowden and keep Chelsea Manning locked up.
There isn't that much statutory groundwork to support charges and what there is says an agency head "is assumed to be acting under executive authority", i.e. as the arm of the President.
The Congressional Research Service wrote a rather helpful summary[1] of the myriad aspects of classification and law.
[1] https://www.fas.org/sgp/crs/secrecy/RS21900.pdf
But yeah, if you or I were to do what she did, big difference - just not all because of politics.
The fact that 10-15% or so of those emails needed a retroactive security classification demonstrates that she held either had a cavalier attitude toward guarding that information, or was simply incompetent in knowing what should and should not have been classified.
Whether that rises to the level of a criminal act, I suspect, depends on whether any of the 30k+ emails she deleted, claiming they were personal, also contained classified material, because then the crime is lying to the FBI more so than the reckless handing of classified information.
For example if one of Clinton's friends forwarded her a NYTimes story about CIA activity in Syria, and she forwarded that to a deputy, well, now she has both received and sent classified information from her email.
And even though it might have been on the front page of a newspaper, a retrospective review would designate it as classified information.
Would a staff-level person get fired in that situation? I don't know. So much stuff is classified these days, and yet the press is pretty good about ferreting out stories. Any regular reader of the major news operations is probably going to see classified info on a regular basis.
How easy is it to keep track of which public, well-known news stories should be excluded from nonsecure email? I would guess, not that easy.
I think the rationale is because sometimes the file gets updated internally such that the leaked info is no longer accurate and the person with access might screw up.
> the solution supported by the NSA—its SME PED (Secure Mobile Environment Portable Electronic Device)—was hardly BlackBerry-like. SME PED devices are based on a secure version of Windows CE, and they're only rated up to "Secret" classification. And as Clinton was taking over at State, the SME PED was only just becoming available.
It sounds like at the time that Clinton was moving into State, there was, literally, no good solution supported by the NSA for mobile email use.
Which considering it was 2009, and mobile email was already prevalent with Blackberry, iPhones/Androids, etc, is well, maybe par for the course for government entities.