77 comments

[ 4.1 ms ] story [ 121 ms ] thread
So exactly who is to blame for the US state department having the worst opsec imaginable? I dislike Hilary but even if I think the absolute worst of her behaviour here she's kind of down the list of guilt. She's not a technology security expert and she's driving how her tech is set up while she's secretary of state without literally the best tech advise available to the most powerful nation on earth? Really?

They can't provide her with a secure device. That's the Secretary of State of the United States of America who they can't provide with a secure device and so they leave her, literally to her own devices. Apparently nobody reviewed how she was communicating and advise her directly about her own behaviour. "Much less, ok what do you need? We'll design a system that does that with the best security we can manage. We'll tell you exactly what not to do. Mr/Madam Secretary." Whoever the secretary of state is.

Fire them all and start again. You can't do worse than this can you? No matter who you've got in power you're selling them and US State Department policy. Hillary, yeah, to hell with her, but that's entirely beside the point and totally a sideshow in this story. I can't think of a single politician who would know and understand the security implications of electronic communication without being directly advised in the most clear and emphatic fashion possible.

Does anyone care to speak up for the competence on display here?

After the OPM information leak disaster, it's pretty clear that there exists a serious disconnect between the extremely technical areas of govt (NSA) and others.

The BlackBerry part is interesting. At civilian sites (Natl labs) you can easily get an encrypted blackberry, and even take it into classified areas. You are just required to power it off before viewing or discussing any material. Apparently the Dept of State can't even manage what we already do throughout the country.

Any modifications required to the Blackberry before being taken into classified areas - such as removal/destruction of microphones and/or any cameras?

I can't imagine, "Just power it off" as a security mechanism, and can only imagine that compliance is somewhat less than 100%.

Also - I can imagine there are different levels of classification, and that the Secretary of State may be in places where the rules might be somewhat more strict.

The blackberries are provided by the national lab, so not personal ones. Though you would likely also be able to check personal emails also. For laptops they do remove cameras / microphones as a policy. I wouldn't be surprised if a camera was disabled (obviously not a microphone for a phone) but I'm not sure.
Are your civilian labs SCIFs?
There are SCIF areas.
(comment deleted)
(comment deleted)
i dont really know the story other than this article... but seems she was given a awkward but approved secure email methodology. she was repeatedly told that what she was doing was insecure. she more or less just chose to take this approach because it was more convenient... at least according to this article.

just seemed like she had really bad communication discipline and didnt believe it was that big a deal.

did get the impression that there really wasnt anyone who really wanted to step up and forbid her to do certain things not sure if there is a role who has authority to do that

It seems to me like their procedures and systems were established in an era of telephones, paper memos, and (barely) desktop computers, and that workflow was horribly painful for someone with several years experience doing all communications on a Blackberry.

I can understand where Clinton is coming from. If I took a new job and they told me I had to use the ed editor to write code, and could only send patches by fax, I would either demand to keep using my networked laptop, a version control system, and preferred editor, or quit on the spot.

It’s ridiculous that the NSA, the White House, and the State Department couldn’t work out some kind of secure mobile device solution for Clinton.

To reiterate harryh's point, the sitting US secretary of state couldn't get a working email solution out of the nsa or state dept internal IT. Simply amazing.

And where did everyone who fucking emailed her the entire duration of her employment think emails addressed to HDR22@clintonemail.com were going, exactly?

She was told she could use a secure laptop or desktop. She was not without secure e-mail, she was without secure e-mail on a device she preferred. The new spins on this story continue to amaze me.

There was a lot of discussion some time ago when essentially the same story hit Slashdot: https://news.slashdot.org/story/16/03/17/2242233/emails-show...

EDIT: Lest I forget, this also happened after she'd set up the home email server...

awkward but approved secure email methodology.

Awkward is insecure.

explain what this means?
If someone needs a tool to do their job, and they are supplied with a bad tool, there is a high chance they will use their own tool instead. If this goes poorly, both parties are to blame.

Therefore if it is your job to keep communications secure, it is not enough to supply users with a secure system, it is also your job to supply them with a usable system.

fundamentally as far as i can tell based on what i know of the details primarily based on the article here... sometimes in real life processes are by necessity awkward. 2 factor authentication is awkward, long complex alphanumeric password are awkward, not being able to use private thumbdrives on certain networks is awkwards... sometimes the secure alternative is awkward.

she had as far as i can tell a usable system, i am under the impression it is usable because pretty much everyone else besides her and the president who have top level security clearance use the system and do their job...

I remember seeing a great picture in a security presentation of some kind, and for the life of me I can't find it again. Basically it was a 10' tall sign outside of a maximum security prison that read: "Security is not a convenience".
It's weird that hundreds of thousands of other people with similar clearances don't run into this issue.
People treat inconvenience as damage and route around it.

Ever see a password written on a sticky note & stuck to a monitor?

The inconvenience of having to work to a certain level of security is highly awkward - so people reduce security in whatever way they can.

understood. completely. fundamentally the situation here is the secretary of state chose to use a system which put information that potentially impacted millions of lives because she didn't want to have to log into a desktop to check her official emails when she was in her official office suite. full stop. step back. evaluate that honestly.

thats all...

The flip side of that is that anything you do to make the US Secretary of State's job harder, also directly affects millions of lives.
"not sure if there is a role who has authority to do that"

that's probably the most likely scenario. they can punish her but they cant control her real time.

US intelligence by the means of agencies and external consultancies is using directly 1 millions IT workers with Top secret clearance. 1 out 100 of the working population.

They could not find one to set hillary's mail correctly? Or they did not wished to? Or did Hillary refused to have an email set up by the government to protect her MI6/DGSE leaks?

And when you read the story of snowden's, he was able to trigger all alarms and get away with it.

And now NSA discover that too much data is a problem because informational entropy is growing so much it is hard to find the relevant data, even though informational entropy is a basic concept? (not to speak of false positive (innocent tagged terrorists) and false negative (missing the boston terrorist)).

ELECTINT is living its last years at my opinion. And I am okay with it. It has created a growing gap of perception between governments and the people they govern.

Sometimes failure are okay for me.

To err is human, to persevere is evil, and no machine can notice when it errs. Relying to much on ELECTINT is the first part of incompetence here.

The government issues government accounts for different levels of classification. You get a normal .gov or .mil for unclassified, another one for secret, and another one for top secret. All the communication is done on separate networks: nipr, sipr, etc. Around 2008, the military got hacked so bad that you couldn’t even put a thumb drive in a non-secure computer. If you did, you had to talk to a General/Admiral and could expect punishment. Secret, Top Secret, and SAP were a totally different matter. Cell phones and electronic devices don’t go in secure areas at all. Red lights flash when non-cleared people enter areas. Hillary wanted a Top Secret blackberry which no one except the president had from reading the articles. She wanted to avoid FOIA so she avoided using any government email addresses. This is totally non-standard and I imagine was only permitted because she was the boss. It isn’t remotely similar to what Powell did and while I agree that the government classifies too much shit, that isn’t the case here either. She went against protocol because she wanted to and she could, and she should own the consequences. I don’t blame incompetence at State here. If she’d used her government accounts and followed normal procedures this would have been a non issue.
Wait. She wanted to avoid FOIA? Is that allowed? If that is true, how the hell is she still running?

(Non us citizen here btw)

this is editorializing on his part. the rest of the post seems to be fact and not opinion, so i wish that sentence had been left out.
Yes, this is the big elephant in the room. The only sane reason to have such an arrangement is to avoid oversight and accountability. The large number of deleted emails should also be a red flag as to what the real motive was.
From the outside, that is what it seems like. To avoid accountability.

If, as the above poster said, it's a rule/law shouldn't they be disallowed from running for president? By breaking a law that is.

Edit: (can't reply to dogma thread too long?).

Damn. I can sort of understand why, but how isn't this sort of law breaking being pushed by everyone else running for president. I would be pointing it out!

There are no restrictions that prevent convicted felons from running to president.

A small pro tip if you can't reply, click reply to any comment and just edit the post id to the one of the comment you want to reply too in the URL.

(comment deleted)
The Republicans have been attacking her over it, but they're largely focused on the primaries and Donald Trump right now.

Bernie decided not to attack her over the issue at the first Democratic Party debate last year. It was honestly a smart move on his part. He wants to win the primary, but he wants his side to win even if he does not. In the general election campaign, Hillary will now be more convincing when she says it's just a Republican witch hunt (see "vast right-wing conspiracy" from her time as FLOTUS).

In the unlikely scenario that she's actually indicted for a crime, she'd probably be politically forced to drop out of the race, but who knows.

I would totally try to avoid an official record if I wanted to facilitate a coup in Latin America. I guess the real wtf is why she didn't get better opsec advice from some private former-cia-or-other-agency people, if she wanted to play at clandestine geopolitics.
The biggest issue is not FOIA is that the server violates the Federal Records Act[0] including the amendments signed under the Obama administration.

Any record created by any government official has to be kept and recorded this isn't some game if something happens there needs to be a clear trail of all records for accountability.

If a person can run their own records and communications they can do what ever they want and never be hold accountable because no one else knows those records even exist.

On a more comedic note Hilary could send a drunken email to Putin and cause WW3 and no one would be the wiser to why this has happened.

[0]https://en.wikipedia.org/wiki/Federal_Records_Act

And this is the part which annoys me that the "left" ignores I love Bill Maher but he continuously brings this up and makes it look like there is a witch hunt against Hilary she violated a federal law her emails don't contain cookie recipes and links to cat videos and while they probably also do not contain nuclear launch codes they do contain information that could potentially be volatile (as it shows opinions which are held by public officials and individuals of note) as well as official statements/positions by the secretary of state and the administration at large (and any email from the secretary of state could even count as an "order" to some extent) as when you assume a public office there is little to no "unofficial" communications one can make especially when they are communicating with public sector executives, think tanks, and other elected officials.

You're just re-iterating what happened, but the question is why are things this way?

It's worth remembering that Obama was also told no at first when he asked for a secure Blackberry. He only got one a few months later after making it clear as CIC he would get one or else.

So they made him one. Well why can't they make two? Or 20?

One answer might be bureaucracy. The NSA reports to the President, not State, so maybe they won't do as much for State. Turf-fighting is pretty common among federal agencies, especially those with overlapping jurisdictions.

Another reason might be that information collection is prized much more highly right now in the federal government that information assurance. Even if the NSA helps out State IA, will they get much credit for it? No. And will they get punished if they fail to help State IA? Obviously not.

Simply put, federal IT is very sick right now. The Clinton email saga is a tiny symptom of that. Snowden and the OPM breach are much larger and more consequential results of this pervasive problem.

they made him one because he is the president of the united states and he demanded one directly as you say.

they didn't make her one because she was not the president of the united states, she asked repeatedly for the same thing the president had and was told no.

most likely she was told 'no' by the NSA because, they know very well what is in their range of capabilities and so know what is probably in the range of capability of nation states.

It's worth noting that Clinton was offered an alternative device AND told explicitly not to use her Blackberry. Not sure why parent comment believes otherwise.

When told not to do what she was doing she said she "got it," and continued to do it anyways.

Well, if you want to be technical it doesn't appear that she was told NOT to use her personal BlackBerry and email server in any official way. This article mentions a memo that said "Any unclassified Blackberry is highly vulnerable in any setting to remotely and covertly monitoring conversations, retrieving e-mails, and exploiting calendars." This isn't the same thing as an official policy.

I know this seems like nitpicking, but you said "She went against protocol because she wanted to and she could, and she should own the consequences". The fact is that she did not go against protocol. If the president or congress wanted to prohibit the use of certain communication devices, they would have. Just like if someone's supervisor didn't want them to use a blackberry, they wouldn't write a memo pointing out problems with the device. They would just say "Don't use a blackberry."

The issue is did she break any laws or policies regarding the handling of classified information. That's for the courts to decide. But if there was any evidence I'd imagine they would have brought an indictment by now.

> The issue is did she break any laws or policies regarding the handling of classified information. That's for the courts to decide.

That's mentioned in the article around this point,

> Under Title 18, Section 2071, it is a misdemeanor to take federal records without authorization, something that is sometimes referred to as the “alienation” of records. The law is rarely enforced, but a conviction can carry a fine or imprisonment.

Agreed it is for the courts to decide. It would be quite a farce if this didn't see the light of a court room.

> But if there was any evidence I'd imagine they would have brought an indictment by now.

It takes time to build a proper case. Note that the guy who set up the email server was just given immunity in exchange for his cooperation earlier this month. I imagine the DOJ only gives immunity when they are working towards something.

It's also a symptom that people in power are usually older generations and that we only start to see coming a generation of people who even use computers and emails. I guess previous Secretary of States must have used pen and paper.

It's not exactly a vote of confidence that smartphones are so unsecure that the intelligence services will not even allow them within the walls of a secure building. Shouldn't that be the first problem on the list here?

>It's not exactly a vote of confidence that smartphones are so unsecure that the intelligence services will not even allow them within the walls of a secure building. Shouldn't that be the first problem on the list here?

It's not just that smartphones are insecure enough to allow external attackers. Smartphones would also make it easier for another Snowden to exfiltrate material.

And some of this is abundance of precaution - GCHQ and NSA banned Furbies because they weren't sure what would or wouldn't be recorded.

http://news.bbc.co.uk/1/hi/world/americas/254094.stm

That must be heartbreaking for NSA employees not to be able to bring their Furbies at work
> She's not a technology security expert

Which makes setting up her own server all the worse.

> They can't provide her with a secure device.

They did, but it wasn't a BlackBerry one. BlackBerry or Windows Mobile, I don't think either were that secure anyway.

I agree with the general sentiment that digital security in the government is between catastrophic and terrible. It's now going towards just "terrible", so there' some progress, I suppose.

> > She's not a technology security expert

> Which makes setting up her own server all the worse.

Obviously she didn't set up the server. She probably got one of her technical aids to do it. Probably not good either way, though. It's almost certainly unpatched.

> > They can't provide her with a secure device.

> They did, but it wasn't a BlackBerry one. BlackBerry or Windows Mobile, I don't think either were that secure anyway.

> I agree with the general sentiment that digital security in the government is between catastrophic and terrible. It's now going towards just "terrible", so there' some progress, I suppose.

there are potentially two other possibilities, neither of which i necessarily believe

1) this exposes that Secretary of State is a figurehead to placate world leaders, a tool for diplomacy, but not highly respected or valued by the intelligence community. The position exists on the outskirts of what they care about locking down.

2) they left her to her own devices on purpose. it was a trap she fell right into. they knew she would make a bad decision and let her hoping it would lead her to her own demise.

I think you're stepping over the fact that during Bill Clinton's tenure as President, he was demonized and frankly slandered in a very hard-to-understand way. Last I checked, entire media empires were built on stories then that were simply made up out of whole cloth.

Since Hillary Clinton was long expected to be a candidate in this years election, it's not too much trouble to use that as an explanation.

Explanation, perhaps - justification, no.

Interesting how people forget that our government is to serve its people, not its own career interests. Hillary Clinton chose to sacrifice the country's interests (major security lapse) in order to cover her ass and hide potentially unethical (perhaps even illegal) activity.

All business conducted on behalf of the country should be made public as soon as it is safe to do so (no more than 5 years for classified material).

The "career interest" I see in this thread are of the Computer Security Industrial Complex, which seem to have quite the bullet as a means of generating income these days. I have objection to this. They're dedicated professionals but sometimes they have big feet.

IMO there is but one mode for computer security - lock and key, perhaps barbed wire, perhaps armed guards. And certainly no connection to the larger internet. That's me reading Bruce Scheiner. Probably badly - computer security bores me no end ( because I know of the one way to do it, you see... )

Bluntly, those who do not serve their own career interests simply won't be in government. The Anthropic Principle - it's not just for physicists.

And that's rather beside the point. I'm by no means up on the details here, but it begins to look like there was no available solution that met requirements.

This is straight up Dilbert "Mordac, Preventer of Information Services" nonsense. Was having email available optional for her? Probably not.

And frankly, the entire narrative is that of imagined threats. I realize that's the mode de jour now but I still have the habits of looking for evidence not made up in the pursuit of political power.

After seeing the Clinton-bashing effort outed completely ( but the rotting zombie corpse of it still in use as a political device - inexplicably ) I'm just not inclined to hold any other opinion. MY conspiracy has been proven and completely outed.

I have little use for either of the Clintons, but there can be no explanation for the furor surrounding the American Spectator in that time except this one. Even when Neocon hit pieces were done on films like "The Power of Nightmares" they conveniently left out reference to the Clinton hit pieces, preferring to shore up the Neocon's evidence and other more tractable things.

I simply find use of The Big Lie patently and irrevocably offensive.

From the article:

""" Clinton lawyer David Kendall later told the State Department that her “use of personal email was consistent with the practices of other Secretaries of State,” citing Powell in particular, according to a letter he wrote in August.

But Powell’s circumstances also differed from Clinton’s in notable ways. Powell had a phone line installed in his office solely to link to his private account, which he generally used for personal or non-classified communication. At the time, he was pushing the department to embrace the Internet era and wanted to set an example.

“I performed a little test whenever I visited an embassy: I’d dive into the first open office I could find (sometimes it was the ambassador’s office). If the computer was on, I’d try to get into my private email account,” Powell wrote in “It Worked for Me: In Life and Leadership.” “If I could, they passed.”

Powell conducted virtually all of his classified communications on paper or over a State Department computer installed on his desk that was reserved for classified information, according to interviews. Clinton never had such a desktop or a classified email account, according to the State Department. """

...sooooo. Colin Powell did the same thing as Clinton and all we have is his (and his staff's) claims that they didn't communicate classified information over inappropriate channels? So then what makes this situation any different or any more deserving of attention?

Wait, what? The 4 paragraphs you quoted seem to directly answer your question about how Powell and HRC acted differently ("Clinton never had such a desktop or a classified email account, according to the State Department.")

Also, even if we now find out that Powell acted as poorly as HRC, that doesn't excuse either of them at all. It just means that they're both guilty, not that Hillary should get off the hook because previous Secretaries of State did it too.

So that's all we have that makes what Powell did okay? Either he or the WP is simply assuring us that he never sent any important emails through his private email account (which he liked to log into from random computers)? Furthermore, isn't the point here that, apparently (if the stories of Powell and Clinton are any indication), the government doesn't really try that hard to secure the communications of its cabinet members? The way I had imagined it is that, as soon as these people take office, they're given the best crypto tech in the world. They're not told to take a hike because only the POTUS gets the good stuff. What kind of sense does that make?
> So then what makes this situation any different or any more deserving of attention?

Well that's pretty obvious: she's the leading candidate for the Presidency. Would you claim it's unfair that the leading candidate for the highest office shouldn't be heavily scrutinized or treated differently than other people? That premise wouldn't be realistic, the world has never and will never work that way. It's unfair? Ok, let's say it's unfair (assuming similar abuses occurred under the last Bush White House and aren't going to be pursued at all), I agree... so what. Since when do leading presidential candidates get treated fairly?

It's also unfair if Hillary is being protected from prosecution by the Obama Administration, which appears to be the case right now. General Petraeus had his career destroyed for doing less than what Hillary has done. We already know for a fact that she communicated classified information improperly.

If there's no evidence that Colin Powell did anything wrong, then you don't get to proclaim that he broke the law. The difference - if that's all the evidence that exists regarding Powell - is that we have a full chain of proof of what Hillary did.

Hillary should get into appropriate trouble for it (which would instantly end her candidacy for President), and there needs to be an investigation into any other recent past abuses. It's that simple.

The point is that, apparently, these kinds of insecure practices are common among the cabinet members. So it makes the story about _her_ being the incompetent/malicious actor much less compelling.
The way she seems so cavalier and reckless over an inconvenience makes me doubt I'd really want her to be president.
Just curious: what's the os and email server used in this "basement server"?
> He also identifies the server routed to and from mail.clintonemail.com as a " Windows Server 2008 R2 with a valid SSL certificate," but that server, according to Mayer, is located at managed services company Internap.

> Clinton's private email server was reconfigured again to use a Denver-based commercial email provider, MX Logic, which is now owned by McAfee Inc., a top internet security company. Except MX Logic isn't a "commercial email provider," it's a service that offers spam and virus filtering for email, very similar to Google's own Postini service. One of my friends who runs an ISP offers both Postini and MX Logic to customers but recommends MX Logic because he says the spam management is better.

http://www.zdnet.com/article/clintons-little-email-fuss-beyo...

Wow, that's actually even worse than I'd first thought.

They didn't even have physical control over the server? So anyone could've exploited internaps vulnerable ubersmith install and asked them to boot clintons box into recovery.

sending classified state secrets through a third party spam filter? that almost makes the "server in a basement" a bit of a fib. her emails were flowing through some private companies network first.
Though I'm not sure it's even worth trying to bring up in the opinion filled noise of these threads, there is no way to secure current generation mobile devices sufficiently to withstand nation-state attackers. Full stop.

The processors, basebands, MMUs, all of them lack the tools necessary to create a chain of trust with also sufficient isolation at the application level to run normal applications. When everyone is saying "of course the FBI could get into the terrorist cellphone, just take it to TAO," this same thing applies to Blackberries and Android phones when applied by opposite numbers in China or Russia.

It is not possible to secure a mobile device from a nation-state attacker due (at least) to gaps in the hardware capabilities

Also, it's not ok to use a phone that doesn't get regular security updates, but that means you have to trust the phone manufacturer or set up a team of experts to monitor each and every update.

Can't trust the hardware, can't trust the software. How can this device be ok to be used by a state official?

Wow I really wouldn't want to be the guy who set up her email server. He was just granted immunity in exchange for cooperation, but that has got to be stressful to testify at the national level, plus against a Presidential candidate. Yikes.
> Their fears focused on the seventh floor, which a decade earlier had been the target of Russian spies who managed to plant a listening device inside a decorative chair-rail molding not far from Mahogany Row.

This is a throwaway tidbit in the article that I wish had a link to some more details. That one sentence hints at a very interesting longform article on its own.

Edit: I found these, which offer a few details. Surprising that it's from 1999!

http://edition.cnn.com/ALLPOLITICS/time/1999/12/13/spy.html

http://www.wsj.com/articles/SB944783077407465290

(comment deleted)
The elephant in the room, which the media only occasionally brings up, is her motive for this arrangement. Based on the large number of emails that she tried to delete when the existence of this server became public, and her failure to previously include these emails in requests for data by Congress, we can deduce that the goal was likely to escape oversight and avoid accountability. A totally logical move for someone who is no stranger to scandal. And pretty damning to anyone who cares about making government accountable.
One thing I don't get and drives me mad - why didn't she insisted of using pgp, but sent them plaintext. A chimp could learn to use it in 2 hours. So I guess for a career politician it would take a week. But it is doable.

What worries me is not the ethical part - I am yet too cynical, but the total disregard of basic security.

> A chimp could learn to use it in 2 hours.

The chimp needs everyone else to be using PGP too. Since everyone else is using the already secure email networks they see no need to use PGP.

And, really, PGP is not that easy to use. It's very easy for people to make mistakes with PGP.

If I am secretary of state, the only persons that I could not force to generate key and use enigmail are probably the president and the VP.

A simple policy - I have tuned the server to discard any non encrypted and non signed email will force big chunk of the beltway elite to learn a new thing.

enigmail works for blackberry?

if you read the article, its pretty clear her entire team were blackberry users and refused to use anything else to communicate with each other.

How does the voting system on HN work? This is the second article on this topic I've seen today removed from the front page now. It was there only an hour or so ago, and now isn't in the first ten pages on HN.
Maybe some stuff gets flagged to death? Not sure exactly.

I've seen other controversial topics drop off the front page that have recent submission times, and a decent number of points and comments, while others with similar stats remain on the front. ¯\_(ツ)_/¯

The charts at hnrankings.com can give you an idea of what happened to it: http://hnrankings.info/11372264/

Among the things that can cause big drops:

  User flagging.  
  Administrative action. 
  Staleness (some number of hours on front page)
  Flamewar detector (flurry of responses to responses)
It's difficult to distinguish between these from the outside, but a polite email to Dan (hn@ycombinator.com) will probably get you a specific answer if you are interested. Based on asking about similar stories, this one would be a tossup between "Flamewar" and "User flags".
(comment deleted)
How long do we have to hear about this debacle?

Seriously, it's enough already. There's no new information to discuss.