
Spam Filtering Service Had Access to Clinton Emails - icemodman
http://www.dvorak.org/blog/2015/03/16/breaking-news-spam-filtering-service-had-access-to-clinton-classified-emails/comment-page-1/
======
wl
Classified emails don't even touch the public internet. Is it concerning that
a third party sucked up these presumably sensitive but unclassified emails?
Yes. But the title is wrong.

~~~
ceejayoz
[http://www.nytimes.com/2015/03/12/us/politics/no-classified-...](http://www.nytimes.com/2015/03/12/us/politics/no-classified-emails-by-clinton-some-experts-are-skeptical.html)

> A former senior State Department official who served before the Obama
> administration said that although it was hard to be certain, it seemed
> unlikely that classified information could be kept out of the more than
> 30,000 emails that Mrs. Clinton’s staff identified as involving government
> business.

~~~
niels_olson
Your comment and parent are starting the dialog that needs to happen.
Classified networks like SIPRnet are a neat idea, but it's ultimately _people_
who are responsible for securing the information. And at some point, you have
to say no harm, no foul.

There's a hallucination that classification is still used in the way it was
intended. System administrators, like Snowden, have to demonstrate the airgaps
in their SIPR systems, meanwhile, plenty of traffic is intentionally _not_
classified, so as to avoid dealing with SIPR. The current intelligence systems
classify the front page of the New York Times, yet the _humans_ can type
whatever they're gonna type into whichever keyboard.

And this happens all the time outside computers too. Some congress-critter
goes on a submarine ride and accidentally spills the depth of the dive, which
up to that point had been a state secret for 30 years. Who's to blame? Is
there blame?

Classification is a government sanctioned land-grab and you've got everyone
from the President to 18 year old kids grabbing the land. If we obeyed this
law in its strictest sense, and applied it as broadly as possible, government
would be in vapor lock.

We have mechanisms for machines to trust each other, and perhaps for people to
trust machines, and machines to trust people, but you can't code a human to
trust another human. At some point it's a judgement call.

Thus far, we have a small number of people at the top of the intelligence
community using computing trust to prevent their people from using resources
the intel higher-ups don't trust. But that

1) prevents people from using resources, so they're weakening their own
people, and

2) effectively encourages the people who are trying to do their best, to not
tell the boss what they're doing. They just do it and hope no one bothers to
do anything about it.

I hope I'm not the only one who sees how these two effects ultimately weaken
the whole enterprise.

------
marincounty
I'm not a huge fan of Hillary, but in her defense I actually think she thought
she needed a separate device for each email account she used? She kept talking
about multiple devices (phones) if she had more than one email account? She
didn't know you can add multiple email accounts to a smart phone? (Maybe you
can't with a secure government issued phone?)

And the Old Dog only used email two times in his life? (even in retirement. It
doesn't matter, but I just wrongly assumed he would use the Computer/Internet
--maybe it's good he's off it?)

Maybe, we overstate the actual need for so much tech?

~~~
ceejayoz
I'd expect government-issued devices certified to handle classified material
don't allow the addition of random email accounts (whoops, sent that top
secret message with my Gmail!) nor downloading of apps from the various
stores.

Bill Clinton (and Bush, and Obama) didn't _need_ to send email as they've got
a horde of staffers to do such things. I don't think we can extrapolate
anything on the general public's need for email based on their situations.

------
acqq
The background, for all of us not continuously following the news from the US:

[http://dailysignal.com/2015/03/17/the-hunt-for-the-clinton-e...](http://dailysignal.com/2015/03/17/the-hunt-for-the-clinton-emails/)

[http://benghazi.house.gov/](http://benghazi.house.gov/)

------
eroo
I would love to know how the conversation about setting up her email went.
Does she tell someone and they say "I'm on it," and then no one follows up or
audits the infrastructure? Or was the setup one of her people's decisions and
she didn't really know/care?

~~~
eli
Perhaps it's the same sort of private email server Colin Powell was using.

------
unics
Considering that she used it as a personal account, emailed passwords would be
a consideration also.

------
deweller
It is shocking how often we choose convenience over security. Even for really
important stuff.

I catch myself doing it all the time. And I bet if you think about it really
hard, you do too.

This was a good reminder to me to stop and think about my personal security
practices.

------
tem5050
Are we sure she didn't use PGP/S-MIME?

------
dredmorbius
Though this piece has at least modestly more technical foundation than much of
the earlier coverage of this story (it doesn't claim that MX Logic's servers
were located in Clinton's private residence, as an early AP story tried to
ascertain from WHOIS registration records), it's still a tad breathless.

    
    
        $ host -t mx state.gov
        state.gov mail is handled by 20 haig-ee.state.gov.
        state.gov mail is handled by 20 stimson.state.gov.
        $ host haig-ee.state.gov.; host stimson.state.gov.
        haig-ee.state.gov has address 169.253.194.10
        stimson.state.gov has address 169.252.4.131
    

Both of these are direct allocations to Department of State. A swaks check
shows that both of these will accept non-TLS email:

    
    
        $ swaks --from nobody@example.com --to test@state.gov --server stimson.state.gov
        === Trying stimson.state.gov:25...
        === Connected to stimson.state.gov.
        <-  220 stimson.state.gov ESMTP
         -> EHLO mjolnir
        <-  250-stimson.state.gov
        <-  250-8BITMIME
        <-  250-SIZE 31457280
        <-  250 STARTTLS
         -> MAIL FROM:<nobody@example.com>
        <-  250 sender <nobody@example.com> ok
         -> RCPT TO:<test@state.gov>
        <-  250 recipient <test@state.gov> ok
         -> DATA
        <-  354 go ahead
         -> Date: Tue, 17 Mar 2015 14:12:13 -0700
         -> To: test@state.gov
         -> From: nobody@example.com
         -> Subject: test Tue, 17 Mar 2015 14:12:13 -0700
         -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
         ->
         -> This is a test mailing
         ->
         -> .
        <-  250 ok:  Message 19002797 accepted
         -> QUIT
        <-  221 stimson.state.gov
        === Connection closed with remote host.
    

SMTPS and SSMTP protocols are _not_ accepted.

So to the extent to which using State Department email would have provided
_transport_ level encryption, the report appears to be incorrect. If my checks
are correct, and DOS _doesn't_ support SSL/TLS encrypted email transport,
then _all_ official state.gov email is unencrypted to _all_ users at _all_
points _all_ the time, _at the transport level._

Win Clinton if mxlogic supports SSL/TLS email protocols. Though further tests
suggest it doesn't.

Note the phrase "_at the transport level_". Email encryption (as with pretty
much all encryption) can occur at multiple levels. "Transport layer" security
means that "data in flight" between two points is encrypted, but the "data at
rest" once received is not _at least as a consequence of the transport layer_.
For "data at rest" encryption, you'd need to use _encrypted content_ (e.g.,
PGP, GPG, or other email encryption schemes, including, possibly, code-book
based encryption). Which is _independent_ of transport-layer security. It's
possible for _content_ to be encrypted where _transport_ is not (and vice
versa).

 _That_ still leaves _metadata_ exposed -- email headers, "To:", "From:",
"Subject:", "Date:", etc. But the actual contents of the email would be
secured.

We don't know that Clinton did or didn't use content encryption, though based
on observations elsewhere from even those with a solid awareness of security,
my guess would be "no, she didn't".
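
An added example, not part of the comment above and not swaks' own code: a small Python classifier for swaks-style transcripts like the one quoted, reporting whether the server advertised STARTTLS in its EHLO reply and whether it accepted MAIL FROM before any TLS was negotiated. The transcripts and hostnames are constructed, and the function and result names are hypothetical.

```python
import re

# Constructed transcripts in swaks' layout: "->"/"<-" are plaintext lines,
# "~>"/"<~" are lines sent once TLS is up. Hostnames are placeholders.
OFFERED_NOT_USED = """\
<-  220 mx.example.org ESMTP
 -> EHLO client.example.net
<-  250-mx.example.org
<-  250 STARTTLS
 -> MAIL FROM:<nobody@example.com>
<-  250 sender <nobody@example.com> ok
"""
TLS_USED = """\
<-  220 mx.example.org ESMTP
 -> EHLO client.example.net
<-  250-mx.example.org
<-  250 STARTTLS
 -> STARTTLS
<-  220 ready to start TLS
 ~> EHLO client.example.net
<~  250 mx.example.org
 ~> MAIL FROM:<nobody@example.com>
<~  250 sender <nobody@example.com> ok
"""
LINE = re.compile(r"^\s*(<[-~]|[-~]>)\s+(.*)$")

def classify(transcript):
    # Returns how the envelope was accepted: inside TLS or in plaintext.
    advertised = encrypted = plaintext_mail = False
    verb = ""
    for raw in transcript.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # "===" status lines, blank body lines
        arrow, text = m.groups()
        if arrow.endswith(">"):           # client line: remember the last one,
            verb = (text.split() or [""])[0].upper()  # replies answer it
            continue
        code = text[:3]                   # server reply code
        if re.match(r"250[- ]STARTTLS\b", text, re.I):
            advertised = True             # capability listed in the EHLO reply
        if verb == "STARTTLS" and code == "220":
            encrypted = True              # everything after this is inside TLS
        elif verb == "MAIL" and code == "250" and not encrypted:
            plaintext_mail = True         # server took the envelope in the clear
    if plaintext_mail:
        return "starttls-offered-not-required" if advertised else "starttls-not-offered"
    return "tls-negotiated" if encrypted else "inconclusive"
```

A server that enforces TLS answers a plaintext MAIL FROM with a 530 reply instead of 250, which this function reports as "inconclusive".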

------
gesman
At least good that she didn't sign up for antispam.ir or antispam.cn service
:)

