
Why Clinton’s Private Email Server Was Such a Security Fail - altern8
http://www.wired.com/2015/03/clintons-email-server-vulnerable/
======
groovylick
The reporting on this story has been pretty terrible. Wired just running with
the AP story without spending the couple of minutes it takes to verify the
details is shameful.

The clintonemail.com domain was registered by Justin Cooper [1] and the MX
records point to mail servers run by mxlogics.net, now owned by McAfee, not
some solo server in Clinton's home. The sole evidence from the AP report is:

> It was not immediately clear exactly where Clinton's computer server was
> run, a business record for the Internet connection it used was registered
> under the home address for her residence as early as August 2010. The
> customer was listed as Eric Hoteham.

A business record for an Internet connection doesn't prove anything, let alone
the location of an email server. A history of the MX records [2] is evidence
of the location and management of the email server, which has always been set
to a mxlogics domain. That it took me only 5 minutes to gather this information
but unsourced reporting is being parroted is poor journalism.

[1] [http://who.is/dns/clintonemail.com](http://who.is/dns/clintonemail.com) [History & DNS Tabs]

[2] [https://dnshistory.org/dns-records/clintonemail.com](https://dnshistory.org/dns-records/clintonemail.com)

~~~
jonathanmayer
Background: I was quoted in the Wired piece. I made sure to emphasize that us
outsiders can't say, with any certainty, whether this server was more or less
secure than the State Department infrastructure. Matt Blaze, faculty at Penn,
made the same point. But, alas, non-expert sensational spin won the day.[1]

With that out of the way, I suspect some HN readers might have an interest in
the attribution process.

1) Find the mail servers for clintonemail.com, using DNS MX records. These
days, they're run through McAfee. Back in 2010, though, the records pointed to
mail.clintonemail.com. (There are a handful of services that keep those
historical records, e.g. dnshistory.org.)

2) Find the IP address for mail.clintonemail.com, using DNS A records. Today,
it's 64.94.172.146.[2] Back in 2010, it was 24.187.234.187.

3) Run an ARIN WHOIS on the old IP address. It's a static IP range through
Optimum Online, allocated to "Eric Hoteham" at the Clinton home in Chappaqua.
The surrounding IP ranges map to small businesses in the area.[3]

So, there is some nontrivial technical evidence that the email server was at
the Clinton residence. But it's hardly definitive. It's possible, for
instance, that the registered address is merely for billing purposes.

[1] There's even a glaring factual error in the story. It was a web hosting
service offered by Network Solutions that was hacked in 2010, not their DNS
service. That would've been a much bigger deal.

[2] There's still a live server at mail.clintonemail.com. It's running Windows
Server 2008 R2 with a valid SSL certificate. And it appears to be colo'd at
Internap. Between that and the MXLogic protection, hardly a slapdash setup.

[3] Quite a few of these records have odd contractions or typos, suggesting
the misspelled name wasn't intentional.

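The three-step walk above (MX records, then A records, then an ARIN WHOIS on the address) as an added example; this is not code from the comment or the article. All data below is constructed: the DNS snapshot uses example.com and the 192.0.2.0/24 documentation range, and the WHOIS text is a made-up record in ARIN's `Key: value` output format. Live data would come from `dig +short MX <zone>`, `dig +short A <host>`, `whois -h whois.arin.net <ip>` and a historical-DNS service such as dnshistory.org.

```python
"""MX -> A -> WHOIS attribution walk over a constructed DNS/WHOIS snapshot."""
import re
from ipaddress import ip_address, ip_network

# Constructed DNS history: {date: {(owner, rrtype): [rdata, ...]}}.
SNAPSHOT = {
    "2010-08": {
        ("example.com", "MX"): ["10 mail.example.com."],
        ("mail.example.com", "A"): ["192.0.2.10"],
    },
    "2015-03": {
        ("example.com", "MX"): ["10 inbound1.filter.example.net.",
                                "20 inbound2.filter.example.net."],
        ("inbound1.filter.example.net", "A"): ["192.0.2.200"],
    },
}

# Constructed stand-in for ARIN WHOIS: the most specific network wins.
WHOIS_DB = {
    ip_network("192.0.2.0/28"): """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       192.0.2.0 - 192.0.2.15
CIDR:           192.0.2.0/28
NetName:        EXAMPLE-ISP-STATIC-1
NetType:        Reassigned
Parent:         EXAMPLE-ISP (NET-192-0-2-0-0)
OrgName:        Example Customer
Address:        1 Example Lane
City:           Anytown
StateProv:      NY
Country:        US
RegDate:        2010-08-02
""",
    ip_network("192.0.2.192/26"): """\
NetRange:       192.0.2.192 - 192.0.2.255
CIDR:           192.0.2.192/26
NetName:        EXAMPLE-COLO
NetType:        Direct Allocation
OrgName:        Example Colo Inc
City:           Somewhere
Country:        US
""",
}


def mx_hosts(snapshot, zone):
    """Step 1: MX targets for the zone, lowest preference first."""
    rrs = snapshot.get((zone, "MX"), [])
    prefs = sorted((int(p), h.rstrip(".")) for p, h in (r.split() for r in rrs))
    return [h for _, h in prefs]


def a_records(snapshot, host):
    """Step 2: A records for a mail host."""
    return snapshot.get((host, "A"), [])


def parse_arin_whois(text):
    """Parse ARIN-style 'Key:  value' output; '#' lines are comments and
    repeated keys (multi-line Address, Comment) are joined with newlines."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9 -]*):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        rec[key] = rec[key] + "\n" + val if key in rec else val
    return rec


def whois_lookup(ip):
    """Step 3 stand-in for `whois -h whois.arin.net IP` over WHOIS_DB."""
    addr = ip_address(ip)
    hits = [n for n in WHOIS_DB if addr in n]
    if not hits:
        return None
    return parse_arin_whois(WHOIS_DB[max(hits, key=lambda n: n.prefixlen)])


def attribute(snapshot, zone):
    """Chain the three steps for every MX host present in the snapshot.
    A 'Reassigned' static block registered to a street address is
    registration/billing evidence, not proof of where the box sits."""
    out = []
    for host in mx_hosts(snapshot, zone):
        for ip in a_records(snapshot, host):
            w = whois_lookup(ip) or {}
            out.append({"mx": host, "ip": ip, "org": w.get("OrgName"),
                        "net_type": w.get("NetType"), "city": w.get("City")})
    return out


if __name__ == "__main__":
    for date, snap in SNAPSHOT.items():
        print(date, attribute(snap, "example.com"))
```

Swap `SNAPSHOT`/`WHOIS_DB` for real `dig` and `whois` output and the same parser applies; the NetType field (Reassigned vs. Direct Allocation) is what separates an ISP customer block from a colo or hosting allocation.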
~~~
tedunangst
Thank you. That's certainly more compelling than the AP story talking about
how her "private email server was reconfigured". Given the language used,
Occam's Razor was definitely leaning towards reporter misinterpreted what was
said.

------
lmg643
I'm still waiting for the explanation of why this was OK. "Every secretary of
state has done this." or, "appropriate and very common among high elected
officials."

When I think about the email requirements of any corporation, every real job
I've had, the use of personal email for company business is against policy and
would be a fireable offense.

Also interesting to consider the FOIA is more fearful to a politician, than
having this private email service hacked by a foreign intelligence service.
state department is essentially an adjunct to the CIA at the highest levels,
so this is a real risk.

~~~
parasubvert
"When I think about the email requirements of any corporation, every real job
I've had, the use of personal email for company business is against policy and
would be a fireable offense."

Rarely enforced. Executives in regulated industries do it all the time. Or
(more commonly) when hordes of contractors use their own email systems to
discuss client matters -- which is perfectly normal because they are covered
by NDA. If someone is fired for using personal email, it's likely because a
higher up was looking for an excuse.

Of course a contract doesn't cover classified or FOIA material which is where
the questions regarding Clinton's setup will go.

~~~
001sky
This answer is too flip. In corporate america, you might be able to use a
personal e-mail as a stop-gap measure but not as a primary communication. Not
in any fortune 50 or whatever company with compliance and security
infrastructure. This is something that has changed drastically in the past 10
years.

Most corporate hardware should be presumed "insecure" from the perspective of
personal communication, and similarly so should any account that is used to
co-mingle work and personal communication.

In other words, it is with great risk[1] that you don't use company hardware.
Unless you have duplicate systems, of course. And if you have a duplicate
system that you pay for in lieu of the company, only for the purpose of
subverting company policy, you have an ethics problem.

If that makes sense.

In any event, the technical issues here about how this was setup are
legitimately interesting. It might very well be that the NSA/secret service or
whomever set up this system to be very secure indeed. I think the jury is out on
that, frankly, and I'm not sure I would jump to the conclusion that SOS would
be so reckless as to not have her system vetted. (Or that the secret service
or NSA or whomever would be so reckless to not do it for them). Obviously it
was a very carefully considered and pre-meditated decision to set up this
system.

But then again people do stupid stuff all the time.

[1] To your personal life and privacy, not to the corporations per-se.

~~~
parasubvert
"In corporate america, you might be able to use a personal e-mail as a
stop-gap measure but not as a primary communication. Not in any fortune 50 or
whatever company with compliance and security infrastructure. This is something
that has changed drastically in the past 10 years."

Yes ... towards things like Google Mail for Corporations. If you make your
corporate email better than your personal email, people will use it. If not,
they just won't, if they have enough political power within the organization.

I speak from close exposure to white glove CxO level IT service where we do
everything from ensure the biometric reader on the CEO's laptop works, to
helping wire the CFO's home theatre system, getting the board chairman's
vacation photos printed, and setting up all their personal devices.

If these sorts of folks don't like a system, they won't use it. They chucked
the Blackberry for an iPhone. One of the reasons I've seen biometrics on a
laptop is that a particular leader refused to remember a password longer than
4 digits. That alone made them prefer the corporate Lenovo vs. their personal
Macbook Air.

"Most corporate hardware should be presumed "insecure" from the perspective of
personal communication, and similarly so should any account that is used to
co-mingle work and personal communication."

Bring Your Own Device is becoming popular. Every company I've worked for in
the past 8 years (2/3 in the Fortune 100) allows BYOD in some form for
executives, where they mix their personal and corporate communication. And
sometimes for all employees.

The latest thinking in corporate security is not to lock down devices but
rather to assume that ALL devices are vulnerable, with no special status for
corporate assets. The solution there is to isolate in depth at the service
level, with appropriate policy and device management installed for enforcing
minimum standards and for emergency remote wipe. Modern apps - email, HR,
reporting, order management, etc. are on the Internet, not behind the
firewall... unless there's a need for NAT. Legacy can be accessed through VDI.

I admit the future here is not evenly distributed yet. But this is the trend
that I see.

"In other words, it is with great risk[1] that you don't use company hardware.
Unless you have duplicate systems, of course. And if you have a duplicate
system that you pay for in lieu of the company, only for the purpose of
subverting company policy, you have an ethics problem."

I would say corporate IT has a usability problem.

------
agwa
> Clintonemail.com currently uses an invalid TLS certificate, another method
> that a man-in-the-middle might use to intercept or spoof emails from the
> server; but Stanford researcher Jonathan Mayer points out to WIRED that the
> State Department’s own TLS certificate is currently invalid, too.

The invalid certificates are a red herring. These are certificates used by
SMTP servers[1], and since SMTP encryption is currently opportunistic (i.e.
completely optional and trivially defeated by an active attacker), it _does
not matter_ whether the certificate is valid or not. Virtually no SMTP client
validates the certificate presented by an SMTP server on port 25, let alone
care if encryption is used. The only reason why SMTP servers present
certificates at all, as opposed to using an anonymous TLS ciphersuite, is
because some SMTP clients choke on anonymous ciphersuites.

[1]
[https://twitter.com/jonathanmayer/status/572779239281332224](https://twitter.com/jonathanmayer/status/572779239281332224)

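The downgrade the comment above describes, as an added example (not code from the comment or the article). It models the EHLO exchange on port 25 as lists of response lines: the sending MTA reads the capability list, and an on-path attacker simply deletes the `STARTTLS` line. Under the opportunistic policy the sender falls back to plaintext and never looks at a certificate; only a strict policy makes a missing STARTTLS or a bad certificate a hard failure. Policy names are borrowed from Postfix's `smtp_tls_security_level` values; the EHLO lines and certificate objects are constructed.

```python
"""Opportunistic vs. enforced STARTTLS: why the server cert is a red herring."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the certificate the server presents."""
    names: tuple          # subjectAltName DNS entries
    ca_signed: bool
    expired: bool = False


# Constructed EHLO response from a receiving MTA (RFC 5321 multi-line 250).
EHLO_WITH_STARTTLS = [
    "250-mail.example.com Hello sender.example.net",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
]

SELF_SIGNED = Cert(names=("mail.example.com",), ca_signed=False)
VALID = Cert(names=("mail.example.com",), ca_signed=True)


def ehlo_capabilities(lines):
    """Capability keywords from an EHLO response; line 0 is the greeting."""
    caps = set()
    for line in lines[1:]:
        code, rest = line[:3], line[4:]
        if code == "250" and rest.split():
            caps.add(rest.split()[0].upper())
    return caps


def strip_starttls(lines):
    """Active attacker between the MTAs: drop the STARTTLS advertisement.
    (A variant leaves the line but answers the STARTTLS command with 454.)"""
    return [l for l in lines if not l[4:].upper().startswith("STARTTLS")]


def negotiate(ehlo_lines, server_cert, policy, expected_host):
    """Transport the sender ends up using, or ConnectionError if the policy
    forbids the session.  policy is one of:
      'none'    never use TLS
      'may'     opportunistic: TLS if offered, any cert accepted (the default)
      'encrypt' TLS required, any cert accepted
      'verify'  TLS required, cert must chain to a CA and name the host
    """
    caps = ehlo_capabilities(ehlo_lines)
    if policy == "none" or "STARTTLS" not in caps:
        if policy in ("encrypt", "verify"):
            raise ConnectionError("STARTTLS not offered; policy requires TLS")
        return "plaintext"          # silent downgrade: nothing is validated
    # STARTTLS accepted; server_cert is presented during the handshake.
    if policy == "verify":
        ok = (server_cert.ca_signed and not server_cert.expired
              and expected_host in server_cert.names)
        if not ok:
            raise ConnectionError("certificate does not verify for %s" % expected_host)
    return "tls"                    # 'may'/'encrypt' never look at the cert


def downgraded(policy, cert=SELF_SIGNED, host="mail.example.com"):
    """True if an attacker stripping STARTTLS gets this sender onto plaintext."""
    try:
        return negotiate(strip_starttls(EHLO_WITH_STARTTLS), cert, policy, host) == "plaintext"
    except ConnectionError:
        return False


if __name__ == "__main__":
    for p in ("may", "encrypt", "verify"):
        print(p, "downgradable:", downgraded(p))
```

With `may`, a valid and an invalid certificate behave identically and the session can be forced to plaintext; only `encrypt`/`verify` (or DANE and MTA-STS, which tell the sender in advance that TLS must be there) change the outcome, which is the comment's point.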
------
rebootthesystem
This mess is an example of a much larger problem: We are being governed by a
bunch of attorneys who do not hesitate to lie, cheat and steal and play all of
us for the fools that we are. Recent examples include a President telling lies
(keep your insurance and doctor, save $2,500 a year, etc.) without
consequences. This is not limited to a single party. It travels equally well
on both rails and spans from mayors and governors to senators and, yes,
Presidents.

Not sure what the solution to this might be. This is the stuff of so-called
third world countries. I have long held that we are not far from "them", we
just do it differently and don't take to the streets en-masse when we are lied
to and royally screwed.

Maybe one day we will and things will start to change. A lot of these people
belong in jail for what they've done to this country. My guess is that if you
are under, say, 30, you are going to have to suffer the consequences of what
these people have been doing to the country for, say, 50 years. And your
children. Well, there's a school of thought that is of the opinion that your
children might just get to experience the US as a near third world country in
about 50 years.

Our politicians must be accountable for their actions and must have
consequences for misleading and manipulating the people. Not sure how that
happens. Not sure what laws would deal with this. If there aren't any, there
ought to be.

------
rrggrr
I seem to recall CIA director Deutch keeping highly classified information on
his home computer. CIA Director Petraeus giving classified info to his
mistress. National Security Director Berger taking national archive info?
Snowden. It's alleged Leon Panetta revealed classified info in his biography.
It's almost as if some of the intelligence community leadership could,
possibly, lack humility and believe they are infallible. There have been one
or two cases in history where a lot of power combined with secrecy has led to
bad decision-making. Perhaps this is another example.

~~~
bdcravens
Petraeus is facing jail time as a result. (though his plea deal will probably
prevent that)

_led to bad decision-making_ I think you misspelled "law-breaking"

------
zaroth
Also, the bit about self-signed certificates being insecure? Arguably they are
the _most_ secure if you pin to them since you are trusting no third parties.
Obviously if you keep them untrusted and ignore the validation error every
time it's a different story.

~~~
VieElm
How could it be the "most secure"? How do you as a client verify the self
signed certificate is the right one? If someone MITM'ed the certificate and
you've never used it before how would you know that the certificate was
intercepted? Who do you go to verify you've got the right certificate? That
doesn't sound secure at all. It's like asking a potential liar to swear to you
they aren't lying and not asking someone else if that person is possibly being
dishonest. Sure central certificate authorities have their problems as a
concept, but at least that someone else verifying the cert is the real one.

~~~
vidarh
Note the "if you pin them" part. Pin in this context means you have the
identity of the specific certificate stored on your client, and so you are not
depending on whether or not it is being declared by some CA to be be valid for
the server in question. Instead you are expecting _that exact certificate_.

That it is a private cert does not make it any more secure, but pinning is
more secure, and with a pinned cert, having the cert signed by a CA gives no
_additional_ security.

~~~
VieElm
And how do you know you're not pinning the MITM cert?

~~~
zaroth
Because it's _your_ cert that you just installed on _your_ server, so you know
its thumbprint.

This is effectively what you are doing every time you connect to a server over
SSH and say 'yes' to that message with the funny string asking, "Are you sure
you want to connect?" It's analogous to pinning a self-signed certificate.

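The pinning model vidarh and zaroth describe, as an added example (not code from the thread). A pin is the SHA-256 fingerprint of the exact certificate bytes (DER); the store is the analogue of ssh's `known_hosts`. Pre-loading the fingerprint you computed when you installed the certificate on your own server closes the first-use window; trust-on-first-use is the `Are you sure you want to continue connecting?` moment VieElm is worried about, and the code treats it as an explicit opt-in. CA validation is not consulted at all, so a CA signature adds nothing once pinned. The "certificates" and hosts below are constructed byte strings and names, not real DER.

```python
"""Certificate pinning with a known_hosts-style store (added example)."""
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Peer presented a certificate other than the pinned one."""


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the same value `openssl x509 -fingerprint
    -sha256` prints for the certificate file."""
    return "sha256:" + hashlib.sha256(der).hexdigest()


class PinStore:
    """host -> pinned fingerprint.  Pre-load from out-of-band knowledge
    (you generated the cert), or opt in to trust-on-first-use like ssh."""

    def __init__(self, preloaded=None):
        self.pins = dict(preloaded or {})

    def verify(self, host, der, trust_on_first_use=False):
        fp = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            if not trust_on_first_use:
                raise PinMismatch(f"no pin for {host}; refusing {fp}")
            # The one point where an on-path attacker can win: whatever is
            # presented now becomes the pin, exactly like accepting an ssh key.
            self.pins[host] = fp
            return "pinned-on-first-use"
        if pinned != fp:
            # ssh's "REMOTE HOST IDENTIFICATION HAS CHANGED!" case
            raise PinMismatch(f"{host}: pinned {pinned}, got {fp}")
        return "ok"


def rejects(store, host, der, **kw):
    """Convenience: does the store refuse this certificate for this host?"""
    try:
        store.verify(host, der, **kw)
        return False
    except PinMismatch:
        return True


def connect_pinned(host, port, store, timeout=5.0):
    """Live use (not exercised offline): disable chain and hostname checks
    and let the pin store decide on the peer's DER instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # pinning replaces CA validation
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            store.verify(host, tls.getpeercert(binary_form=True))
            return tls.version()


if __name__ == "__main__":
    # Constructed: you installed "cert-A" on your server and recorded its print.
    store = PinStore({"mail.example.com": fingerprint(b"cert-A")})
    print(store.verify("mail.example.com", b"cert-A"))
    print("MITM cert rejected:", rejects(store, "mail.example.com", b"cert-B"))
```

The store should be persisted and, ideally, hold a backup pin for the planned replacement certificate, since rotating the server's key with a stale pin turns every client into the "REMOTE HOST IDENTIFICATION HAS CHANGED" case.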
------
chrissnell
Remember this: if you are a run-of-the-mill State Department staffer or a
military servicemember and you put classified material on a non-classified
network, you might go to prison. Even high-ranking government officials have
gotten in serious crap over classified material mismanagement--GEN Petraeus
did this and lost his job as a result.

~~~
x0x0
And proceeded to get the biggest sweetheart deal in the world from the feds.
It's a miracle they didn't offer him a sex act to go with his plea. Unless you
believe some random asshole who shares TS/code word info with a mistress and
repeatedly lies to the fbi normally gets the feds to give him a misdemeanor
and suggest probation.

One law for you and me, one law for them.

[https://www.popehat.com/2015/03/03/a-few-comments-on-the-david-petraeus-plea-deal-what-money-and-connections-buy-you/](https://www.popehat.com/2015/03/03/a-few-comments-on-the-david-petraeus-plea-deal-what-money-and-connections-buy-you/)

------
drawkbox
I am surprised this is such a big issue considering something very similar
happened while Bush was in the White House with outside email under gwb43.com
and georgewbush.com and Bush didn't really use email:
[http://en.wikipedia.org/wiki/Bush_White_House_email_controversy](http://en.wikipedia.org/wiki/Bush_White_House_email_controversy)

~~~
adventured
That would be like saying it's surprising torture by the Obama Administration
is such a big issue, because the Bush Administration did it too (and I'm not
implying there is or has been torture under Obama, that's not the point).

These things should always be a big deal.

------
tedunangst
I like that Wired takes the AP claim that the server was literally in her home
(in a closet? the attic?) at face value.

~~~
skuhn
Whether it was located in her home or not, that building is probably quite
secure given who she is and is married to.

------
jedbrown
Interestingly, neither state.gov nor clintonemail.com sets SPF records. (Nor
does nsa.gov, army.mil, or af.mil, though cia.gov, navy.mil, and
whitehouse.gov do.) From personal experience as of a few months ago, state.gov
did not use DKIM for outgoing mail.

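How the SPF observation above is checked, as an added example that is not code from the comment. A domain "sets SPF" when one of its TXT records begins with `v=spf1`; this evaluates the record for a sending IP for the `ip4`, `ip6` and `all` mechanisms only (no `include`, `a`, `mx` or `redirect`, which need further DNS lookups and are out of scope offline). The TXT records are constructed; a live check is `dig +short TXT state.gov`.

```python
"""Find a domain's SPF record and evaluate the lookup-free mechanisms."""
import ipaddress

# Constructed TXT record sets for three made-up domains.
TXT = {
    "a.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
                  "some-verification=abc123"],
    "b.example": ["v=spf1 ip4:198.51.100.7 ~all"],
    "c.example": ["site-verification=xyz"],          # publishes no SPF
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(txt_records):
    """The single v=spf1 record, or None if absent (or ambiguous: RFC 7208
    section 3.2 makes more than one such record a permerror)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def evaluate(record, sender_ip):
    """Return 'none' | 'pass' | 'fail' | 'softfail' | 'neutral' | 'permerror'."""
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        else:
            # include/a/mx/exists/redirect need DNS; not implemented here.
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"        # RFC 7208: no mechanism matched


def check(domain, sender_ip, txt=TXT):
    """Result for mail from sender_ip claiming to be from domain."""
    return evaluate(spf_record(txt.get(domain, [])), sender_ip)


if __name__ == "__main__":
    for d in TXT:
        print(d, "SPF:", spf_record(TXT[d]), "->", check(d, "203.0.113.5"))
```

`-all` versus `~all` is the difference between a receiver being told to reject a forged sender and being told merely to mark it; a domain with no record at all, like the ones listed in the comment, gives receivers nothing to act on.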
------
dschiptsov
Because it was Windows?)

------
gcb0
Heh. They are probably safe. Or should I recall the kind of people the gov
gives out money to for IT security?

