
How Clinton’s email scandal took root - whbk
https://www.washingtonpost.com/investigations/how-clintons-email-scandal-took-root/2016/03/27/ee301168-e162-11e5-846c-10191d1fc4ec_story.html?tid=ss_tw
======
harry8
So exactly who is to blame for the US state department having the worst opsec
imaginable? I dislike Hillary but even if I think the absolute worst of her
behaviour here she's kind of down the list of guilt. She's not a technology
security expert and she's driving how her tech is set up while she's secretary
of state without literally the best tech advice available to the most powerful
nation on earth? Really?

They can't provide her with a secure device. That's the Secretary of State of
the United States of America who they can't provide with a secure device and
so they leave her, literally to her own devices. Apparently nobody reviewed
how she was communicating and advised her directly about her own behaviour.
"Much less, ok what do you need? We'll design a system that does that with the
best security we can manage. We'll tell you exactly what not to do. Mr/Madam
Secretary." Whoever the secretary of state is.

Fire them all and start again. You can't do worse than this can you? No matter
who you've got in power you're selling them and US State Department policy.
Hillary, yeah, to hell with her, but that's _entirely_ beside the point and
totally a sideshow in this story. I can't think of a single politician who
would know and understand the security implications of electronic
communication without being directly advised in the most clear and emphatic
fashion possible.

Does anyone care to speak up for the competence on display here?

~~~
poof131
The government issues government accounts for different levels of
classification. You get a normal .gov or .mil for unclassified, another one
for secret, and another one for top secret. All the communication is done on
separate networks: nipr, sipr, etc. Around 2008, the military got hacked so
bad that you couldn’t even put a thumb drive in a non-secure computer. If you
did, you had to talk to a General/Admiral and could expect punishment. Secret,
Top Secret, and SAP were a totally different matter. Cell phones and
electronic devices don’t go in secure areas at all. Red lights flash when
non-cleared people enter areas. Hillary wanted a Top Secret blackberry which no
one except the president had from reading the articles. She wanted to avoid
FOIA so she avoided using any government email addresses. This is totally
non-standard and I imagine was only permitted because she was the boss. It isn’t
remotely similar to what Powell did and while I agree that the government
classifies too much shit, that isn’t the case here either. She went against
protocol because she wanted to and she could, and she should own the
consequences. I don’t blame incompetence at State here. If she’d used her
government accounts and followed normal procedures this would have been a non
issue.

~~~
marak830
Wait. She wanted to avoid FOIA? Is that allowed? If that is true, how the hell
is she still running?

(Non-US citizen here, btw)

~~~
marcoperaza
Yes, this is the big elephant in the room. The only sane reason to have such
an arrangement is to avoid oversight and accountability. The large number of
deleted emails should also be a red flag as to what the real motive was.

~~~
marak830
From the outside, that is what it seems like. To avoid accountability.

If, as the above poster said, it's a rule/law shouldn't they be disallowed
from running for president? By breaking a law that is.

Edit: (can't reply to dogma thread too long?).

Damn. I can sort of understand why, but how isn't this sort of law breaking
being pushed by everyone else running for president. I would be pointing it
out!

~~~
dogma1138
There are no restrictions that prevent convicted felons from running for
president.

A small pro tip if you can't reply: click reply to any comment and just edit
the post id to the one of the comment you want to reply to in the URL.

------
mentat
Though I'm not sure it's even worth trying to bring up in the opinion filled
noise of these threads, there is no way to secure current generation mobile
devices sufficiently to withstand nation-state attackers. Full stop.

The processors, basebands, MMUs, all of them lack the tools necessary to
create a chain of trust with also sufficient isolation at the application
level to run normal applications. When everyone is saying "of course the FBI
could get into the terrorist cellphone, just take it to TAO," this same thing
applies to Blackberries and Android phones when applied by opposite numbers in
China or Russia.

 _It is not possible to secure a mobile device from a nation-state attacker
due (at least) to gaps in the hardware capabilities_

~~~
visarga
Also, it's not ok to use a phone that doesn't get regular security updates,
but that means you have to trust the phone manufacturer or set up a team of
experts to monitor each and every update.

Can't trust the hardware, can't trust the software. How can this device be ok
to be used by a state official?

------
marcoperaza
The elephant in the room, which the media only occasionally brings up, is her
motive for this arrangement. Based on the large number of emails that she
tried to delete when the existence of this server became public, and her
failure to previously include these emails in requests for data by Congress,
we can deduce that the goal was likely to escape oversight and avoid
accountability. A totally logical move for someone who is no stranger to
scandal. And pretty damning to anyone who cares about making government
accountable.

------
sdrothrock
> Their fears focused on the seventh floor, which a decade earlier had been
> the target of Russian spies who managed to plant a listening device inside a
> decorative chair-rail molding not far from Mahogany Row.

This is a throwaway tidbit in the article that I wish had a link to some more
details. That one sentence hints at a very interesting longform article on its
own.

Edit: I found these, which offer a few details. Surprising that it's from
1999!

[http://edition.cnn.com/ALLPOLITICS/time/1999/12/13/spy.html](http://edition.cnn.com/ALLPOLITICS/time/1999/12/13/spy.html)

[http://www.wsj.com/articles/SB944783077407465290](http://www.wsj.com/articles/SB944783077407465290)

------
davesque
From the article:

""" Clinton lawyer David Kendall later told the State Department that her “use
of personal email was consistent with the practices of other Secretaries of
State,” citing Powell in particular, according to a letter he wrote in August.

But Powell’s circumstances also differed from Clinton’s in notable ways.
Powell had a phone line installed in his office solely to link to his private
account, which he generally used for personal or non-classified communication.
At the time, he was pushing the department to embrace the Internet era and
wanted to set an example.

“I performed a little test whenever I visited an embassy: I’d dive into the
first open office I could find (sometimes it was the ambassador’s office). If
the computer was on, I’d try to get into my private email account,” Powell
wrote in “It Worked for Me: In Life and Leadership.” “If I could, they
passed.”

Powell conducted virtually all of his classified communications on paper or
over a State Department computer installed on his desk that was reserved for
classified information, according to interviews. Clinton never had such a
desktop or a classified email account, according to the State Department. """

...sooooo. Colin Powell did the same thing as Clinton and all we have is his
(and his staff's) claims that they didn't communicate classified information
over inappropriate channels? So then what makes this situation any different
or any more deserving of attention?

~~~
gcommer
Wait, what? The 4 paragraphs you quoted seem to directly answer your question
about how Powell and HRC acted differently ("Clinton never had such a desktop
or a classified email account, according to the State Department.")

Also, even if we now find out that Powell acted as poorly as HRC, that doesn't
excuse either of them at all. It just means that they're both guilty, not that
Hillary should get off the hook because previous Secretaries of State did it
too.

~~~
davesque
So that's all we have that makes what Powell did okay? Either he or the WP is
simply assuring us that he never sent any important emails through his private
email account (which he liked to log into from random computers)? Furthermore,
isn't the point here that, apparently (if the stories of Powell and Clinton
are any indication), the government doesn't really try that hard to secure the
communications of its cabinet members? The way I had imagined it is that, as
soon as these people take office, they're given the best crypto tech in the
world. They're not told to take a hike because only the POTUS gets the good
stuff. What kind of sense does that make?

------
Glyptodon
The way she seems so cavalier and reckless over an inconvenience makes me
doubt I'd really want her to be president.

------
saboot
How does the voting system on HN work? This is the second article on this
topic I've seen today removed from the front page now. It was there only an
hour or so ago, and now isn't in the first ten pages on HN.

~~~
nkurz
The charts at hnrankings.com can give you an idea of what happened to it:
[http://hnrankings.info/11372264/](http://hnrankings.info/11372264/)

Among the things that can cause big drops:

    User flagging.
    Administrative action.
    Staleness (some number of hours on front page)
    Flamewar detector (flurry of responses to responses)

It's difficult to distinguish between these from the outside, but a polite
email to Dan (hn@ycombinator.com) will probably get you a specific answer if
you are interested. Based on asking about similar stories, this one would be a
tossup between "Flamewar" and "User flags".

------
studentrob
Wow I really wouldn't want to be the guy who set up her email server. He was
just granted immunity in exchange for cooperation, but that has got to be
stressful to testify at the national level, plus against a Presidential
candidate. Yikes.

------
freewizard
Just curious: what's the os and email server used in this "basement server"?

~~~
mtgx
> He also identifies the server routed to and from mail.clintonemail.com as a
> "Windows Server 2008 R2 with a valid SSL certificate," but that server,
> according to Mayer, is located at managed services company Internap.
>
> Clinton's private email server was reconfigured again to use a Denver-based
> commercial email provider, MX Logic, which is now owned by McAfee Inc., a
> top internet security company. Except MX Logic isn't a "commercial email
> provider," it's a service that offers spam and virus filtering for email,
> very similar to Google's own Postini service. One of my friends who runs an
> ISP offers both Postini and MX Logic to customers but recommends MX Logic
> because he says the spam management is better.

[http://www.zdnet.com/article/clintons-little-email-fuss-beyo...](http://www.zdnet.com/article/clintons-little-email-fuss-beyond-servers-in-the-basement/)

~~~
ryanlol
Wow, that's actually even worse than I'd first thought.

They didn't even have physical control over the server? So anyone could've
exploited Internap's vulnerable Ubersmith install and asked them to boot
Clinton's box into recovery.

~~~
basch
Sending classified state secrets through a third party spam filter? That
almost makes the "server in a basement" a bit of a fib. Her emails were
flowing through some private company's network first.

------
selllikesybok
[https://en.m.wikipedia.org/wiki/Bush_White_House_email_contr...](https://en.m.wikipedia.org/wiki/Bush_White_House_email_controversy)

------
venomsnake
One thing I don't get and drives me mad - why didn't she insist on using
PGP, but sent them plaintext? A chimp could learn to use it in 2 hours. So I
guess for a career politician it would take a week. But it is doable.

What worries me is not the ethical part - I am yet too cynical, but the total
disregard of basic security.

~~~
DanBC
> A chimp could learn to use it in 2 hours.

The chimp needs everyone else to be using PGP too. Since everyone else is
using the already secure email networks they see no need to use PGP.

And, really, PGP is not that easy to use. It's very easy for people to make
mistakes with PGP.

~~~
venomsnake
If I am secretary of state, the only persons that I could not force to
generate a key and use Enigmail are probably the president and the VP.

A simple policy - "I have tuned the server to discard any non-encrypted and
non-signed email" - will force a big chunk of the beltway elite to learn a new thing.

~~~
basch
Enigmail works for BlackBerry?

If you read the article, it's pretty clear her entire team were BlackBerry
users and refused to use anything else to communicate with each other.

------
jakeogh
To get a copy: [https://github.com/wsjdata/clinton-email-cruncher](https://github.com/wsjdata/clinton-email-cruncher)

------
throwaway284534
How long do we have to hear about this debacle?

Seriously, it's enough already. There's no new information to discuss.

