Why Clinton’s Private Email Server Was Such a Security Fail (wired.com)
91 points by altern8 on March 5, 2015 | hide | past | favorite | 64 comments



The reporting on this story has been pretty terrible. Wired just running with the AP story without spending the couple of minutes it takes to verify the details is shameful.

The clintonemail.com domain was registered by Justin Cooper [1] and the MX records point to mail servers run by mxlogics.net, now owned by McAfee, not some solo server in Clinton's home. The sole evidence from the AP report is:

> It was not immediately clear exactly where Clinton's computer server was run, a business record for the Internet connection it used was registered under the home address for her residence as early as August 2010. The customer was listed as Eric Hoteham.

A business record for an Internet connection doesn't prove anything, let alone the location of an email server. A history of the MX records [2] is evidence of the location and management of the email server, which has always been set to a mxlogics domain. That it took me only 5 minutes to gather this information but unsourced reporting is being parroted is poor journalism.

[1] http://who.is/dns/clintonemail.com [History & DNS Tabs]

[2] https://dnshistory.org/dns-records/clintonemail.com


Background: I was quoted in the Wired piece. I made sure to emphasize that us outsiders can't say, with any certainty, whether this server was more or less secure than the State Department infrastructure. Matt Blaze, faculty at Penn, made the same point. But, alas, non-expert sensational spin won the day.[1]

With that out of the way, I suspect some HN readers might have an interest in the attribution process.

1) Find the mail servers for clintonemail.com, using DNS MX records. These days, they're run through McAfee. Back in 2010, though, the records pointed to mail.clintonemail.com. (There are a handful of services that keep those historical records, e.g. dnshistory.org.)

2) Find the IP address for mail.clintonemail.com, using DNS A records. Today, it's 64.94.172.146.[2] Back in 2010, it was 24.187.234.187.

3) Run an ARIN WHOIS on the old IP address. It's a static IP range through Optimum Online, allocated to "Eric Hoteham" at the Clinton home in Chappaqua. The surrounding IP ranges map to small businesses in the area.[3]

So, there is some nontrivial technical evidence that the email server was at the Clinton residence. But it's hardly definitive. It's possible, for instance, that the registered address is merely for billing purposes.

[1] There's even a glaring factual error in the story. It was a web hosting service offered by Network Solutions that was hacked in 2010, not their DNS service. That would've been a much bigger deal.

[2] There's still a live server at mail.clintonemail.com. It's running Windows Server 2008 R2 with a valid SSL certificate. And it appears to be colo'd at Internap. Between that and the MXLogic protection, hardly a slapdash setup.

[3] Quite a few of these records have odd contractions or typos, suggesting the misspelled name wasn't intentional.


Thank you. That's certainly more compelling than the AP story talking about how her "private email server was reconfigured". Given the language used, Occam's Razor was definitely leaning towards reporter misinterpreted what was said.


https://mail.clintonemail.com/owa/ also appears to be an Exchange 2010 setup.


Wow, lame reporting by Wired. The author obviously wanted to run a negative piece, so he cherrypicked his sources.

Both computer security experts he talked to--seriously, experts, Matt Blaze and Jonathan Mayer do great work--explained that this isn't necessarily insecure. But most of the story belongs to this whining Soghoian guy from ACLU, who doesn't appear to be a computer scientist, software engineer, or even IT admin.


The SWIP record for 64.94.172.146 really doesn't look like a "colo" but it also looks unlikely:

NetRange: 64.94.172.144 - 64.94.172.159
CIDR: 64.94.172.144/28
NetName: INAP-NYM-GIGLINX-64-94-172-144
NetHandle: NET-64-94-172-144-1
Parent: PNAP-05-2000 (NET-64-94-0-0-1)
NetType: Reassigned
OriginAS:
Customer: Private Customer (C04601460)
RegDate: 2013-06-07
Updated: 2013-06-07
Comment: rirCallout v1.07, Fri Jun 07 00:29:27 -0400 2013
Ref: http://whois.arin.net/rest/net/NET-64-94-172-144-1

CustName: Private Customer
Address: Private Residence
City: Redondo Beach
StateProv: CA
PostalCode: 90278
Country: US
RegDate: 2013-06-07
Updated: 2013-06-07
Ref: http://whois.arin.net/rest/customer/C04601460


When did the server make the switch between the two IPs? According to the internet census data gathered in 2012 the 24.187.234.187 address had the following ports open (note SMTP and RDP):

ool-18bbeabb.static.optonline.net - 24.187.234.187:25

ool-18bbeabb.static.optonline.net - 24.187.234.187:80

ool-18bbeabb.static.optonline.net - 24.187.234.187:443

ool-18bbeabb.static.optonline.net - 24.187.234.187:3389

http://www.exfiltrated.com/query.php?startIP=24.187.234.187&...

There was nothing returned for the 64.94.172.146 address.


> The reporting on this story has been pretty terrible. Wired just running with the AP story without spending the couple of minutes it takes to verify the details is shameful.

Agreed.

But, in my opinion, the point of the story isn't to prove factually one way or the other whether or not Clinton did anything at all. The point is to put yet another seed of doubt in the collective subconscious of the voting public in the run-up to the 2016 Presidential election.

Performing this simple feat simply requires a small group of the right people to parrot the same lines ad nauseam. Then it becomes "fact" in the world of punditry.


This story was only about security, others have been about the legal issues. On Hacker News the security angle is interesting, but the bigger picture is that only using her personal email for State Department business almost inevitably broke the law.


I wonder if Clinton was such a "rock star" that she had a non-standard employment agreement? My gut tells me she didn't take the job using "standard docs" but who knows.


There is no non-standard employment agreement here. The 'docs' that we are referring to her ignoring are federal law; specifically, the Federal Records Act, which classifies her e-mails as federal records (the latest update clarifies this, but there's a reasonable argument that it was still the case before the explicit callout), and therefore subject to FOIA requests and other forms of review.


White House said this behaviour broke specific policy guidance, but the NY Times reports that setup was well known and a "status symbol" for the SOS. Those two things don't add up.

How can it be that breaking policy was a status symbol?

It would be more normal that having a policy waiver is a status symbol. Flagrantly breaking a rule/law otherwise just allows you to be blackmailed[1]. (you're basically a dead man walking subject to prosecutorial discretion...).

Since that is a common disqualifier for having top-secret security clearance...

none of this makes any sense whatsoever.


Secretaries and senior officials are required by federal law to keep records pertinent to the operation of their departments. It's not really something you can cross out in your offer letter...


These articles are always political, it even says in the article that it's not uncommon for reps to roll their own mail solutions. Are anyone else's names listed?


I'm waiting for the staging of "Benghazi: The Musical".


That doesn't really refute the article. Anyone with access to the DNS server could change the email records for a few minutes to intercept mail. A hacker wouldn't have to wait for propagation in that case. And who would notice? This has me thinking, it would be nice to get alerted if a) my DNS records change at registrar level and more importantly if b) my DNS records change at the DNS host level.

I think DNS hosts should offer a waiting period option or approval system (with warning alert) for changing email records. Obviously you want website records to change instantly for failover, but I don't want a hacker changing email records in the middle of the night without anyone knowing. I use Linode and DNSMadeEasy and I don't remember either service sending me a notification when an email record was changed.

Also, seems like you could sell a 3rd party service to monitor DNS hosts. (I didn't bother to Google if that service exists already.) I'm assuming "dnshistory.org" only pings once per day--pretty much useless info from a security standpoint.
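The change-alerting idea in the comment above, as an added example that is not code from the thread: it diffs two snapshots of a domain's records, rates MX/NS changes as critical, and flags the ones that a "waiting period" would hold for approval. The snapshots and domain names are constructed; a real monitor would fill them from a resolver on a schedule.

```python
"""Alert on DNS record changes between two snapshots of a domain.

Added example, not code from the thread. The snapshots below are
constructed; a real monitor would fill them from a resolver (e.g. dig)
on a schedule and keep the previous one for comparison.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

Snapshot = Dict[str, Set[str]]  # record type -> set of normalised values

# MX and NS changes redirect mail or delegate the whole zone, so they get
# the highest severity; A record changes are routine (failover) and are
# only reported for information.
SEVERITY = {"MX": "critical", "NS": "critical", "TXT": "high",
            "A": "info", "AAAA": "info"}
HOLD_TYPES = ("MX", "NS")  # record types that should wait for approval


def parse_snapshot(text: str) -> Snapshot:
    """Parse lines of the form '<TYPE> <value>' into a snapshot.

    Values are lower-cased, whitespace-collapsed and stripped of the
    trailing dot so cosmetic differences between resolvers do not alert.
    """
    snap: Snapshot = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rtype, _, value = line.partition(" ")
        value = " ".join(value.lower().split()).rstrip(".")
        snap.setdefault(rtype.upper(), set()).add(value)
    return snap


@dataclass(frozen=True)
class Change:
    rtype: str
    added: FrozenSet[str]
    removed: FrozenSet[str]
    severity: str


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[Change]:
    """Return one Change per record type whose value set differs."""
    changes = []
    for rtype in sorted(set(old) | set(new)):
        before, after = old.get(rtype, set()), new.get(rtype, set())
        if before != after:
            changes.append(Change(rtype, frozenset(after - before),
                                  frozenset(before - after),
                                  SEVERITY.get(rtype, "medium")))
    return changes


def changes_requiring_hold(changes: List[Change]) -> List[Change]:
    """The 'waiting period' idea: MX/NS edits are held for approval."""
    return [c for c in changes if c.rtype in HOLD_TYPES]


def format_alert(domain: str, changes: List[Change]) -> str:
    lines = [f"DNS change report for {domain}"]
    for c in changes:
        lines.append(f"[{c.severity.upper()}] {c.rtype}: "
                     f"+{sorted(c.added)} -{sorted(c.removed)}")
    return "\n".join(lines)


# Constructed snapshots: the mail host moves to an unfamiliar provider
# while the web A record changes as part of an ordinary failover.
YESTERDAY = """
NS ns1.example.test.
NS ns2.example.test.
MX 10 mail.example.test.
A 198.51.100.10
"""
TODAY = """
NS ns1.example.test.
NS ns2.example.test.
MX 10 mx.unknown-relay.test.   # mail now routed elsewhere
A 198.51.100.11                # routine failover
"""

if __name__ == "__main__":
    diff = diff_snapshots(parse_snapshot(YESTERDAY), parse_snapshot(TODAY))
    print(format_alert("example.test", diff))
    if changes_requiring_hold(diff):
        print("MX/NS changed: hold and require approval before applying")
```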


dnshistory.org: "A5: We aim to check every domain at least once per month and the minimum interval between checks is 24 hours."


The location of the email server is an irrelevance, though. The main issue is that she had such a server so she could hide her correspondence from official requests from congressional committees, FOI requests etc.


I look at the AP article, and although the writing is somewhat unclear and fuzzy, all they do is mention that the domain was registered to her home address. They don't directly say the server was in her house (although it seems heavily inferred that that's what they were thinking).

Just bad writing from AP, even worse from Wired since Greenberg should know better.


What do we expect from Wired? Is there a general consensus that Wired is a respectable news source? I'm subscribed to it (the subscription was a gift) and it occasionally has informative and interesting content (the Christopher Nolan issue was cool) but I've been depressed by it as much as I've gotten benefit out of it.


I generally don't read Wired articles when they're linked to here or elsewhere. I find the title format of: 'Why XXXXX.' or 'XXXXX. Here's why:' 'How XXXXXX' to be clickbaitey, and when I get to the story, it's typically this faux-longform narrative which doesn't bring the content you'd expect from reading such a large amount. It's a little distasteful.

Furthermore, it has a rep of being style over substance, with facts left unchecked in favour of the more attention grabbing story.

I don't blame the journalists who write it, I understand how fast you have to work in such jobs, and there might simply not be the time to track down every lead (certainly the journalists wouldn't be expected to have the expertise to fairly present every story they're asked to write (as opposed to (say) a political correspondent)). This is especially the case with our content-aggregating type media (although Wired are more able to investigate themselves than most, since they're a big player).

I'm glad it exists, as popsci articles can easily help make people interested in and supportive of things they wouldn't otherwise be interested in, which is good for the industry, but without trying to be snooty I don't think that I'm their target audience (and I suspect you're not also).


I'd say there's certainly that general consensus. There's a huge difference between "people on hacker news think it's good" and "the general public thinks it's respectable". It's not the National Enquirer -- completely out of thin air I'd guess that well over 90% of the American public think Wired is generally reliable on technical issues.



I'm still waiting for the explanation of why this was OK. "Every secretary of state has done this." or, "appropriate and very common among high elected officials."

When I think about the email requirements of any corporation, every real job I've had, the use of personal email for company business is against policy and would be a fireable offense.

Also interesting to consider the FOIA is more fearful to a politician, than having this private email service hacked by a foreign intelligence service. state department is essentially an adjunct to the CIA at the highest levels, so this is a real risk.


"When I think about the email requirements of any corporation, every real job I've had, the use of personal email for company business is against policy and would be a fireable offense."

Rarely enforced. Executives in regulated industries do it all the time. Or (more commonly) when hordes of contractors use their own email systems to discuss client matters -- which is perfectly normal because they are covered by NDA. If someone is fired for using personal email, it's likely because a higher up was looking for an excuse.

Of course a contract doesn't cover classified or FOIA material which is where the questions regarding Clinton's setup will go.


This answer is too flip. In corporate America, you might be able to use a personal e-mail as a stop-gap measure but not as a primary communication. Not in any Fortune 50 or whatever company with compliance and security infrastructure. This is something that has changed drastically in the past 10 years.

Most corporate hardware should be presumed "insecure" from the perspective of personal communication, and similarly so should any account that is used to co-mingle work and personal communication.

In other words, it is with great risk[1] that you don't use company hardware. Unless you have duplicate systems, of course. And if you have a duplicate system that you pay for in lieu of the company, only for the purpose of subverting company policy, you have an ethics problem.

If that makes sense.

In any event, the technical issues here about how this was set up are legitimately interesting. It might very well be that the NSA/Secret Service or whomever set up this system to be very secure indeed. I think the jury is out on that, frankly, and I'm not sure I would jump to the conclusion that SOS would be so reckless as to not have her system vetted. (Or that the Secret Service or NSA or whomever would be so reckless to not do it for them). Obviously it was a very carefully considered and pre-meditated decision to set up this system.

But then again people do stupid stuff all the time.

[1] To your personal life and privacy, not to the corporations per-se.


"In corporate America, you might be able to use a personal e-mail as a stop-gap measure but not as a primary communication. Not in any Fortune 50 or whatever company with compliance and security infrastructure. This is something that has changed drastically in the past 10 years."

Yes ... towards things like Google Mail for Corporations. If you make your corporate email better than your personal email, people will use it. If not, they just won't, if they have enough political power within the organization.

I speak from close exposure to white glove CxO level IT service where we do everything from ensure the biometric reader on the CEO's laptop works, to helping wire the CFO's home theatre system, getting the board chairman's vacation photos printed, and setting up all their personal devices.

If these sorts of folks don't like a system, they won't use it. They chucked the Blackberry for an iPhone. One of the reasons I've seen biometrics on a laptop is that a particular leader refused to remember a password longer than 4 digits. That alone made them prefer the corporate Lenovo vs. their personal Macbook Air.

"Most corporate hardware should be presumed "insecure" from the perspective of personal communication, and similarly so should any account that is used to co-mingle work and personal communication."

Bring Your Own Device is becoming popular. Every company I've worked for in the past 8 years (2/3 in the Fortune 100) allows BYOD in some form for executives, where they mix their personal and corporate communication. And sometimes for all employees.

The latest thinking in corporate security is not to lock down devices but rather to assume that ALL devices are vulnerable, with no special status for corporate assets. The solution there is to isolate in depth at the service level, with appropriate policy and device management installed for enforcing minimum standards and for emergency remote wipe. Modern apps - email, HR, reporting, order management, etc. are on the Internet, not behind the firewall... unless there's a need for NAT. Legacy can be accessed through VDI.

I admit the future here is not evenly distributed yet. But this is the trend that I see.

"In other words, it is with great risk[1] that you don't use company hardware. Unless you have duplicate systems, of course. And if you have a duplicate system that you pay for in lieu of the company, only for the purpose of subverting company policy, you have an ethics problem."

I would say corporate IT has a usability problem.


It's ok if it is for personal correspondence, however it is not ok and illegal if used for any government business. All the "where was the server" is irrelevant. This is generally why Presidents hand over their personal accounts and don't use them while in office. Also, the legislative members are under no such requirement.

The State Department might want to read the rules, $DEITY knows the Interior Department sure had problems with them.


Correct. In the rush to smear mud on a potential presidential candidate, the media is overlooking why Clinton was probably using her own email address: was the State Department unable to provide her with a properly archived and secure email address? On its face I find it hard to believe they don't have the ability to do that. But at the same time, considering the cost-cutting, outsourcing, and the political maneuverings of Congress that treats the federal budget like the hapless patient in a game of Operation... I wouldn't be too surprised if they weren't.


So you figure the best explanation is it's Congress's fault that Clinton chose to use a private secret email for her entire tenure at the State department that would just happen to be immune to FOIA if nobody already knew of its existence?


It's hard to fathom they thought it wouldn't become public knowledge. I don't think anyone is that stupid. Far more likely, they just didn't think it was a big deal.


I find it highly unlikely that the department of the federal government charged with corresponding with foreign nations and representing America abroad wouldn't have a satisfactory email system. That just seems dubious at best.


You may want to re-evaluate - this was widely reported last month:

>The State Department is still reportedly trying to block hacker access to its unclassified e-mail system more than three months after the intruders were first detected.

http://www.enterprise-security-today.com/story.xhtml?story_i...

Yes, "unclassified", but, really? Three months? Really??


Yeah, that's definitely inexcusable. But what makes me even more curious is the care the author took to explain that it was only the unclassified system. So what about the classified network? SIPR? CENTRIXS? Are we to assume that HRC didn't send/receive any classified email? That just seems odd. So I'm starting to think that a) she did, in fact, have a government email to handle the classified material and b) chose to have her unclassified email off the network for other reasons that remain to be disclosed.

Edit: I suppose there are other options. She could have used a staffer's email to send messages on the classified networks.


Does "satisfactory" include able to be uploaded to Wikileaks by an Army Private?


Those are different issues entirely. Chelsea Manning essentially walked out of the SCIF with a bunch of disks - there wasn't any email hacking involved. Otherwise it's unclear what your point is.


I worked at the Department of Justice in 2003. We had properly archived and (reasonably) secure email systems then. I'm not sure how/why the State Department would be any different.


Surely if the State Dept failed to provide her with an email account, she could have piggybacked on whatever service a different Secretary used? Maybe buddy up with the Secretary of Transportation and direct her email to their server. It didn't have to be her own server.


My Interior remark stems from their multiple in contempt of court problems with keeping records. If Mrs. Clinton conducted official business on that server, she committed an illegal act. There is no "I knew better" defense. She failed to account for the correspondence as official.


The actual text is something like this:

> Agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency recordkeeping system.

Also, I've rarely encountered a company that cared about whether C-level employees followed the company rules. A "fireable offense" for a fry cook is another day at work for the COO.

If I were her, I would want to personally vet my IT department. I don't know how many Snowdens work at the state department.


Prima facie, Clinton's private email server, presumably immune from NSA spying while she was Secretary of State, is rather aristocratic & highly suspicious.

As an attorney, a former Senator, and finally a Secretary of State, she and her staff had to have known proper security protocols & transparency laws were not applied.


much more likely it was even more susceptible, let alone enticing, simply from the host name. really if you don't want someone to spy on you use a name which doesn't declare who you are party to.

regardless, it was against the law and public officials should always be held to the highest standard, they are not royalty.


As far as I've seen it was only "OK" because it was before they changed the rules to expressly disallow this. So it was technically right, the best kind.


> Clintonemail.com currently uses an invalid TLS certificate, another method that a man-in-the-middle might use to intercept or spoof emails from the server; but Stanford researcher Jonathan Mayer points out to WIRED that the State Department’s own TLS certificate is currently invalid, too.

The invalid certificates are a red herring. These are certificates used by SMTP servers[1], and since SMTP encryption is currently opportunistic (i.e. completely optional and trivially defeated by an active attacker), it does not matter whether the certificate is valid or not. Virtually no SMTP client validates the certificate presented by an SMTP server on port 25, let alone care if encryption is used. The only reason why SMTP servers present certificates at all, as opposed to using an anonymous TLS ciphersuite, is because some SMTP clients choke on anonymous ciphersuites.

[1] https://twitter.com/jonathanmayer/status/572779239281332224


This mess is an example of a much larger problem: We are being governed by a bunch of attorneys who do not hesitate to lie, cheat and steal and play all of us for the fools that we are. Recent examples include a President telling lies (keep your insurance and doctor, save $2,500 a year, etc.) without consequences. This is not limited to a single party. It travels equally well on both rails and spans from mayors and governors to senators and, yes, Presidents.

Not sure what the solution to this might be. This is the stuff of so-called third world countries. I have long held that we are not far from "them", we just do it differently and don't take to the streets en masse when we are lied to and royally screwed.

Maybe one day we will and things will start to change. A lot of these people belong in jail for what they've done to this country. My guess is that if you are under, say, 30, you are going to have to suffer the consequences of what these people have been doing to the country for, say, 50 years. And your children. Well, there's a school of thought that is of the opinion that your children might just get to experience the US as a near third world country in about 50 years.

Our politicians must be accountable for their actions and must have consequences for misleading and manipulating the people. Not sure how that happens. Not sure what laws would deal with this. If there aren't any, there ought to be.


I seem to recall CIA director Deutch keeping highly classified information on his home computer. CIA Director Petraeus giving classified info to his mistress. National Security Director Berger taking national archive info? Snowden. It's alleged Leon Panetta revealed classified info in his biography. It's almost as if some of the intelligence community leadership could, possibly, lack humility and believe they are infallible. There have been one or two cases in history where a lot of power combined with secrecy has led to bad decision-making. Perhaps this is another example.


Petraeus is facing jail time as a result. (though his plea deal will probably prevent that)

> led to bad decision-making

I think you misspelled "law-breaking"


Also, the bit about self-signed certificates being insecure? Arguably they are the most secure if you pin to them since you are trusting no third parties. Obviously if you keep them untrusted and ignore the validation error every time it's a different story.


How could it be the "most secure"? How do you as a client verify the self-signed certificate is the right one? If someone MITM'ed the certificate and you've never used it before, how would you know that the certificate was intercepted? Who do you go to to verify you've got the right certificate? That doesn't sound secure at all. It's like asking a potential liar to swear to you they aren't lying and not asking someone else if that person is possibly being dishonest. Sure, central certificate authorities have their problems as a concept, but at least that's someone else verifying the cert is the real one.


In general, you'd be right; in parent's hypothetical scheme, the trust model is different because your systems exist on both sides of the exchange (in normal Web communication, this obviously isn't the case). You simply configure your clients to only trust this single certificate that you yourself created and installed on your server. No one could MITM you unless they recreated an identical certificate from scratch, which is mathematically challenging.


Note the "if you pin them" part. Pin in this context means you have the identity of the specific certificate stored on your client, and so you are not depending on whether or not it is being declared by some CA to be valid for the server in question. Instead you are expecting that exact certificate.

That it is a private cert does not make it any more secure, but pinning is more secure, and with a pinned cert, having the cert signed by a CA gives no additional security.


And how do you know you're not pinning the MITM cert?


Because it's your cert that you just installed on your server, so you know its thumbprint.

This is effectively what you are doing every time you connect to a server over SSH and say 'yes' to that message with the funny string asking, "Are you sure you want to connect?" It's analogous to pinning a self-signed certificate.


Remember this: if you are a run-of-the-mill State Department staffer or a military servicemember and you put classified material on a non-classified network, you might go to prison. Even high-ranking government officials have gotten in serious crap over classified material mismanagement--GEN Petraeus did this and lost his job as a result.


And proceeded to get the biggest sweetheart deal in the world from the feds. It's a miracle they didn't offer him a sex act to go with his plea. Unless you believe some random asshole who shares TS/code word info with a mistress and repeatedly lies to the FBI normally gets the feds to give him a misdemeanor and suggest probation.

One law for you and me, one law for them.

https://www.popehat.com/2015/03/03/a-few-comments-on-the-dav...


Yeah, but it's absolutely apples and oranges. Petraeus didn't just break this rule, he broke others too and became a bit of an embarrassment.

With your run-of-the-mill service member, it's more a culture of indoctrination - you train people to never make moves that could be perceived as exfiltrating data so that then if anyone makes them you have better evidence that they're exfiltrating data.

I think that when there are allegations being applied of a double standard, it's important to ask why the double standard is being applied.

In this case, I think it's pretty fair to assume that a Secretary of State might well have a good reason for a double standard to be applied. It could be that a staffer gave bad advice, or that she'd received advice from security people.

Certainly I could believe that she'd be better able to vet her people than the state department.

This seems to be a bit of a political crushing, though.


I am surprised this is such a big issue considering something very similar happened while Bush was in the White House with outside email under gwb43.com and georgewbush.com and Bush didn't really use email: http://en.wikipedia.org/wiki/Bush_White_House_email_controve...


That would be like saying it's surprising torture by the Obama Administration is such a big issue, because the Bush Administration did it too (and I'm not implying there is or has been torture under Obama, that's not the point).

These things should always be a big deal.


There was an investigation and a report. The same would be appropriate here.


I like that Wired takes the AP claim that the server was literally in her home (in a closet? the attic?) at face value.


Whether it was located in her home or not, that building is probably quite secure given who she is and is married to.


Interestingly, neither state.gov nor clintonemail.com sets SPF records. (Nor does nsa.gov, army.mil, or af.mil, though cia.gov, navy.mil, and whitehouse.gov do.) From personal experience as of a few months ago, state.gov did not use DKIM for outgoing mail.
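What a missing SPF record costs a receiver, as an added example that is not code from the thread: a small RFC 7208 evaluator over an in-memory DNS table with constructed domains, which returns "pass"/"fail" when a policy is published and "none" (so forged mail cannot be rejected on SPF grounds) when, as with the domains named above, there is no record.

```python
"""Minimal SPF (RFC 7208) evaluator over an in-memory DNS table.

Added example, not code from the thread. DNS data is constructed; a real
receiver would resolve TXT/A/MX records live. Supported: ip4/ip6, a, mx,
include, all, the four qualifiers and the 10-lookup limit. Not supported:
redirect=/exp= modifiers, macros, and prefix lengths on a/mx.
"""
import ipaddress
from typing import Dict, List, Optional

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 4.6.4: a/mx/include count, ip4/ip6/all do not

DnsTable = Dict[str, Dict[str, List[str]]]


def spf_record(domain: str, dns: DnsTable) -> Optional[str]:
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    found = [t for t in dns.get(domain, {}).get("TXT", [])
             if t.lower().startswith("v=spf1")]
    if len(found) > 1:
        raise ValueError("multiple SPF records is a permerror")
    return found[0] if found else None


def _addresses(host: str, dns: DnsTable):
    return {ipaddress.ip_address(a) for a in dns.get(host, {}).get("A", [])}


def check_spf(ip: str, domain: str, dns: DnsTable, budget=None) -> str:
    """Evaluate SPF for a connecting IP claiming MAIL FROM @domain."""
    if budget is None:
        budget = [MAX_LOOKUPS]   # shared across include: recursion
    addr = ipaddress.ip_address(ip)
    try:
        record = spf_record(domain, dns)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"        # no policy published: forgery cannot be rejected
    for term in record.split()[1:]:
        if "=" in term:      # modifier such as redirect= or exp=; ignored here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # membership is False across IP versions, so ip6 never matches v4
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
            continue
        budget[0] -= 1        # the remaining mechanisms cost a DNS lookup
        if budget[0] < 0:
            return "permerror"
        target = arg or domain
        if name == "a":
            matched = addr in _addresses(target, dns)
        elif name == "mx":
            matched = any(addr in _addresses(h, dns)
                          for h in dns.get(target, {}).get("MX", []))
        elif name == "include":
            sub = check_spf(ip, target, dns, budget)
            if sub == "permerror":
                return "permerror"   # propagate, e.g. lookup limit or loop
            matched = sub == "pass"
        else:
            return "permerror"       # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"          # record exhausted without a match


# Constructed DNS data: example.test sends from its own MX host and from a
# filtering provider's range; nospf.test publishes no policy at all.
SAMPLE_DNS: DnsTable = {
    "example.test": {"TXT": ["v=spf1 mx include:_spf.mailfilter.test -all"],
                     "MX": ["mail.example.test"]},
    "mail.example.test": {"A": ["198.51.100.25"]},
    "_spf.mailfilter.test": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "nospf.test": {"TXT": ["unrelated txt record"]},
    "loop.test": {"TXT": ["v=spf1 include:loop.test -all"]},
}

if __name__ == "__main__":
    for ip, dom in [("198.51.100.25", "example.test"),
                    ("203.0.113.77", "example.test"),
                    ("192.0.2.9", "example.test"),
                    ("192.0.2.9", "nospf.test")]:
        print(f"{ip} for {dom}: {check_spf(ip, dom, SAMPLE_DNS)}")
```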


Because it was Windows?)


heh. they are probably safe. or should i recall the kind of people the gov gives out money for it security?



