
Did the Clinton Email Server Have an Internet-Based Printer? - whbk
http://krebsonsecurity.com/2016/05/did-the-clinton-email-server-have-an-internet-based-printer/
======
untog
Among the more disappointing things in all of this is that there is a
rational, important conversation to be had about everyday awareness of
security and government inflexibility. But there won't be, because she is
Hillary Clinton and it is 2016.

Supposedly she got the server set up because the NSA refused to give a
politician who travels frequently a secure smartphone. She (I personally
believe) was likely ignorant of many of the security requirements of such a
server (even one set up for unclassified e-mail), as was whoever set it up.
And no-one on her staff either knew enough or was willing enough to say
anything. She is also supposedly not the first Secretary of State to have an
arrangement of this nature.

This feels like the very definition of systematic failure and clearly needs to
change. But the conversation is almost exclusively based around a) her having
nefarious motivations, because she is Hillary Clinton, or b) this all being a
Republican plot to derail the Democratic candidate for President.

It's all very depressing.

~~~
themartorana
What's the rationale for not giving _everyone_ secure smartphones? And I mean
high-ranking officials, SoS certainly ranks considering how much she/he is in
foreign countries with foreign leaders. Can someone in the know explain why
the NSA would deny such requests?

~~~
untog
Difficult to know for sure. Obama had one, Rice previously used one, but:

_The NSA refused to give Clinton a device similar to the one used by Obama: a
modified BlackBerry 8830 World Edition with additional cryptography installed.
And while Clinton's predecessor Condoleezza Rice had obtained waivers for
herself and her staff to use BlackBerry devices, Clinton's staff was told that
"use [of the BlackBerry] expanded to an unmanageable number of users from a
security perspective, so those waivers were phased out and BlackBerry use was
not allowed in her Suite,"_[1]

This being Clinton there are probably conspiracy theories (the NSA is out to
get her!) but I suspect they simply didn't want to have to deal with it, and
had the ability to say no. So they did.

[1] [http://arstechnica.com/information-technology/2016/03/nsa-re...](http://arstechnica.com/information-technology/2016/03/nsa-refused-clinton-a-secure-blackberry-like-obama-so-she-used-her-own/)

~~~
snappy173
>Clinton's staff was told that "use [of the BlackBerry] expanded to an
unmanageable number of users from a security perspective

if you don't provide a secure way to get shit done, motivated individuals will
figure out how to get shit done, security be damned. happens every time.
that's what happened here.

~~~
ryanlol
They offered her a non-blackberry alternative. That's not what happened here.

~~~
_dominic
You could rephrase it, "if you don't provide [an easy and] secure way to get
shit done, motivated individuals will figure out how to get shit done,
security be damned. happens every time. that's what happened here."

~~~
ryanlol
To be fair, the device she was offered doesn't look that bad. It even comes
with a blackberry style keyboard.

------
Jerry2
Here's some more details about the state of security of her private server
[0]:

> _Outlook Web Access, or OWA, was running on port 80 without SSL
> (unencrypted)_

> _Remote Desktop Protocol, port 3389, was exposed through the DMZ (open to
> anyone on the internet.) This, at the time it was being used, was open to
> critical vulnerabilities that would allow for remote execution of code._

> _VNC Remote Desktop, port 5900, was also exposed through the DMZ._

> _SSL VPN used a self-signed certificate. This isn't inherently bad, but
> left them open for "spearphishing" attacks, which have already been
> confirmed to be received by Hillary Clinton and her staff_

It's also interesting how they responded to attacks on the server [1]:

> _Here is the section from page 41 of the report which references an
> “attack”:_

> On January 9, 2011, the non-Departmental advisor to President Clinton who
> provided technical support to the Clinton email system notified the
> Secretary’s Deputy Chief of Staff for Operations that he had to shut down
> the server because he believed “someone was trying to hack us and while they
> did not get in i didnt [sic] want to let them have the chance to.” Later
> that day, the advisor again wrote to the Deputy Chief of Staff for
> Operations, “We were attacked again so I shut [the server] down for a few
> min.” On January 10, the Deputy Chief of Staff for Operations emailed the
> Chief of Staff and the Deputy Chief of Staff for Planning and instructed
> them not to email the Secretary “anything sensitive” and stated that she
> could “explain more in person.”

[0]
[https://np.reddit.com/r/politics/comments/4j2r94/judicial_wa...](https://np.reddit.com/r/politics/comments/4j2r94/judicial_watch_new_clinton_emails_reveal_clinton/d336scb)

[1] [http://lawnewz.com/high-profile/clinton-tech-says-private-em...](http://lawnewz.com/high-profile/clinton-tech-says-private-email-server-was-attacked-forcing-shutdown/)

~~~
darawk
Ah yes, the classic 'shut it down for a few minutes' defense. Stops 'em every
time.

~~~
artursapek
"i didnt [sic] want to let them have the chance to"

Can you imagine if this was how Google and Amazon handled security?

~~~
laura2013
I'm pretty sure google and amazon can afford scrubbing centers (not to mention
their apps are load balanced) to avoid attacks.

------
slantedview
One of the commenters on the Krebs post makes a remarkable point [1]:

"It gets better. Do a dig mx clintonemail.com. You’ll see that the machine’s
incoming email was filtered by mxlogic.net, a spam filtering service that
works by receiving all your emails, filtering out the spam, and forwarding you
the rest.

This is because the hosting provider, Platte River Network, sold a package
along with the hosting. The package included spam filtering and full-disk
off-site backup (since then seized by the FBI).

So every email received by Clinton was going through many unsecured places,
including a spam filtering queue, a backup appliance and an off-site backup
server. Which has already been documented."

[http://krebsonsecurity.com/2016/05/did-the-clinton-email-ser...](http://krebsonsecurity.com/2016/05/did-the-clinton-email-server-have-an-internet-based-printer/#comment-406731)
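
The mail path described in the comment above can be read directly from a domain's MX records: when every exchange host belongs to another organisation, that organisation receives the inbound mail first. The following is an added example, not part of the thread or the Krebs post, that parses `dig mx` answer lines and lists exchanges outside the queried domain. The record lines are constructed (only the names clintonemail.com and mxlogic.net come from the comment), and comparing the last two labels of each name is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample in `dig` answer-section layout; not captured DNS data.
# Host labels, TTLs and preferences are invented for illustration.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
clintonemail.com.  3600  IN  MX  10  inbound-a.mxlogic.net.
clintonemail.com.  3600  IN  MX  20  inbound-b.mxlogic.net.
example.org.       3600  IN  MX  10  mail.example.org.
example.net.       3600  IN  MX  0   .
"""


def parse_mx(dig_text):
    """Return (owner, preference, exchange) tuples from dig answer lines."""
    records = []
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig's comment/header lines
        fields = line.split()
        # Expected layout: owner TTL class MX preference exchange
        if len(fields) != 6:
            continue
        if fields[2].upper() != "IN" or fields[3].upper() != "MX":
            continue
        if not fields[4].isdigit():
            continue
        owner = fields[0].rstrip(".").lower()
        exchange = fields[5].rstrip(".").lower()  # "." (null MX) becomes ""
        records.append((owner, int(fields[4]), exchange))
    return records


def base_domain(name):
    """Last two labels of a name. Assumption: good enough for .com/.net/.org;
    a production check should consult the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def third_party_relays(records):
    """Map each owner domain to the MX hosts operated under another domain,
    ordered by MX preference (lowest value is tried first)."""
    relays = defaultdict(list)
    for owner, _pref, exchange in sorted(records, key=lambda r: (r[0], r[1])):
        if exchange and base_domain(exchange) != base_domain(owner):
            relays[owner].append(exchange)
    return dict(relays)


if __name__ == "__main__":
    for domain, hosts in third_party_relays(parse_mx(SAMPLE_DIG_OUTPUT)).items():
        print(f"{domain}: inbound mail is first received by {', '.join(hosts)}")
```
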

~~~
wrong_variable
oh my god, this is depressingly sad.

She could have hired a team of machine learning grad students to build her a
personalized spam filter.

but she went with the cheapest option.

this is going to keep me upset for a while.

~~~
salgernon
"She" did nothing of the sort. She told someone she wanted her email
available. They said, ok, we'll just host it ourselves. "Whatever, I want my
daily sudoku and make sure I stop getting those damn linked-in spams". "Ok
boss".

Seriously, how could anyone really believe she specc'd this out herself? Her
staff probably threw it together as a MVP with the full intention of
revisiting the implementation "really soon".

And then they lost interest.

~~~
stillusingvb6
She asked and they gave her options she didn't like and then worked around it.
Big difference

~~~
unlinker
That's implying she understood the implications.

~~~
stillusingvb6
She cheered imprisonment of whistleblowers, citing sanctity of classified
info. Source: "Hillary Clinton on the Sanctity of Protecting Classified
Information"

Best quote: “I think that in an age where so much information is flying
through cyberspace, we all have to be aware of the fact that some information
which is sensitive, which does affect the security of individuals and
relationships, deserves to be protected and we will continue to take necessary
steps to do so,” Clinton said

She knew what she was doing. This is outrageous.

------
patrickg_zill
I have spent some time talking to different people I meet/know who have
security clearances.

EVERY one of them tells me that if they had done what it appears Hillary did, they
would fully expect to be in jail for years.

In researching this, I find that about 4.5 million Americans currently have,
and maybe 1.5 million more did have in the past, security clearances.

I find it hard to believe that in Washington DC, surrounded by people with
security clearances, this was unintentional and just an accident. It's like
Hillary had to look far afield to find people _without_ security clearances so
that they would set this up for her.

~~~
GVIrish
That's because in the federal government the average employee simply doesn't
have the same amount of power nor leeway that a cabinet level executive would.
For one, several cabinet level appointees have original classifying authority.
No regular employee has that power.

A rank and file employee obviously could not direct anyone to set up a private
email server for their correspondence or request that the NSA provide them
with a secure blackberry.

> I find it hard to believe that in Washington DC, surrounded by people with
> security clearances, this was unintentional and just an accident. It's like
> Hillary had to look far afield to find people without security clearances so
> that they would set this up for her.

Clinton certainly was wrong here and people certainly told her not to do this.
But I don't think it requires malicious intent, just someone not taking the
rules/guidelines seriously and/or thinking they have more power than they do.

NARA compliance is something that many people either don't know about or are
confused about at State department so I could see how some might not take it
as seriously as they should.

I'm sure she and her inner circle rationalized away the security risk because
classified materials are not supposed to be sent to public email addresses,
there's a separate network for that.

------
zaroth
The emails themselves sent from Clinton's server were unencrypted for several
months, so unencrypted printing is just more of the same.

There's no reasonable question anymore that laws on handling classified data
were broken, the only question is will charges actually be brought?

~~~
x0x0
What laws regarding handling classified information were broken?

[http://www.latimes.com/opinion/op-ed/la-oe-0330-mcmanus-clin...](http://www.latimes.com/opinion/op-ed/la-oe-0330-mcmanus-clinton-email-prosecution-20160330-column.html)

~~~
at-fates-hands
Here are the two obvious ones, and another one that's well... more in the
vein of the Clintons being the Clintons IMHO.

[http://www.ijreview.com/2015/03/264655-3-federal-laws-hillar...](http://www.ijreview.com/2015/03/264655-3-federal-laws-hillary-may-violated-secret-email-accounts/)

- _Executive Order 13526 and 18 U.S.C Sec. 793(f) of the federal code make it
unlawful to send or store classified information on personal email._

- _Section 1236.22 of the 2009 National Archives and Records Administration
(NARA) requirements states that:_

_“Agencies that allow employees to send and receive official electronic mail
messages using a system not operated by the agency must ensure that Federal
records sent or received on such systems are preserved in the appropriate
agency record keeping system.”_

- _MSNBC’s Lawrence O’Donnell believes that the use of a personal email
server appears to be a preemptive move, specifically designed to circumvent
FOIA:_

~~~
x0x0
Nothing that links to the daily caller is a serious news source.

Plus the article is a pile of stupid innuendo that conflates what Hillary did
with Petraeus providing contemporaneously classified documents to his
journalist fuckbuddy.

Further, clearly nobody in government had a contemporaneous problem with it
since they saw the email address every time they communicated with Hillary
Clinton. Whenever they sent her an email, they saw

    
    
       Hillary Clinton <hdr22@clintonemail.com>
    

show up in the email composition window, which certainly cannot be mistaken
for a state department email...

~~~
Brendinooo
Ad hominem?

Sure, news sources can be biased and we should be discerning when we look at
them, but that doesn't automatically mean that the source is automatically
wrong 100% of the time.

~~~
x0x0
Secret Muslim Barack Obama's new house is near a mosque, and the daily caller
is on it!

[http://dailycaller.com/2016/05/26/obamas-fancy-new-mansion-i...](http://dailycaller.com/2016/05/26/obamas-fancy-new-mansion-is-located-1000-feet-from-the-islamic-center-of-washington-dc/)

------
coldcode
Given all the warnings I got when I had a secret clearance back in the 80's
about protecting the information and what penalties I faced for not following
the rules I've found it unimaginable that the Secretary of State didn't know
or didn't care about protecting much higher level secrets.

------
drakefire
This story just keeps getting better. There is either a grand nefarious plot,
or worse, horrific incompetence. I just can't find a third possibility.

~~~
gizmo
No nefarious plot. My understanding is that it went roughly like this. Back in
2009 Clinton requested a secure smartphone from the NSA. It's a custom made
device (security by obscurity?). Anyway, the president gets one. As the
secretary of state she has to travel a lot, and not being able to do email on
the road is highly impractical. So she thought she should get one too.

The NSA denied her request for a secure smartphone and gave her some nonsense
excuse. She tried a few more times to get one, and then Clinton gave up and
ordered somebody to set her up with a private email server. She used this
unsecure email server for years. She used it to communicate with top level
officials (including the president). That she had this server was common
knowledge in the administration. She knew it wasn't secure and she's been very
careful not to discuss any classified information over email at all. In a
handful of cases she slipped up and some classified information ended up on
email anyway.

~~~
blhack
Do you have any sources for that?

The story I keep hearing is that she had this set up to make FOIA requests
more difficult/impossible to fulfil.

The _really out there_ stuff is that this was to hide any cash-for-favors
exchanges that happened with relation to The Clinton Foundation.

~~~
gizmo
I can't prove some of the more out-there theories aren't true, but they just
don't make sense to me.

Given the sheer volume of email she sent from her blackberry (lunch meetings,
when to get up, where to go, can you print this, happy birthday, etc) it's
pretty clear it's her primary way of communication. So that explains her
refusing to take no for an answer from the NSA.

If her motivation was to block FOIA requests, then why did she do literally
all important and confidential communication on paper, which falls under FOIA?
Then why did the entire administration accept her use of a private email
server if she didn't have an obvious reason why she needed one? If her real
motivation was to dodge FOIA, then why was the NSA stonewalling? The FOIA
hypothesis raises far more questions than it answers.

~~~
jevinskie
> then why did she do literally all important and confidential communication
> on paper

This may not have always been the case.

> Part of the exchange is redacted, so the context of the emails is unknown,
> but at one point, Sullivan tells Clinton that aides "say they've had issues
> sending secure fax. They're working on it."

> Clinton responds, "If they can't, turn into nonpaper w no identifying
> heading and send nonsecure."

[http://www.cbsnews.com/news/state-department-releases-more-c...](http://www.cbsnews.com/news/state-department-releases-more-clinton-emails-several-marked-classified/)

------
mindslight
I really want to like Clinton for running her own server, respecting the
decentralized basis of the Internet. Yet her domain name was clinton
_email_.com? What a pleb! Political corruption and murder is her family
business, yet even with those capabilities she can't be bothered to obtain a
better online identity? She may as well have been at hotmail or gmail and
highlighted in blue!

~~~
at-fates-hands
If I remember correctly, Sarah Palin used a Yahoo account to do some of her
business as Alaska's governor.

EDIT: Found it, yeap, Yahoo:
[http://thecaucus.blogs.nytimes.com/2008/09/17/palins-e-mail-...](http://thecaucus.blogs.nytimes.com/2008/09/17/palins-e-mail-account-hacked/?_r=0)

~~~
gormo2
That's not as bad as Colin Powell, who used AOL while serving as Secretary of
State.

And of course it also was hacked by, you guessed it, Guccifer.

------
ghostly_s
Does this really indicate any private correspondence was printed via the
internet? Even if a printer was set up which _was_ writable via this web
address, that doesn't mean that emails from the email server itself were
printed to that address rather than directly to the device, does it? In fact,
presumably the printer and email were hosted on the same server so it doesn't
make much sense to me that they would send one to the other via the web
address.

~~~
moyix
It seems like it would be strange to give a printer a DNS name if you didn't
intend to talk to it over the internet. If you're directly connected it
doesn't need an IP at all.

I think the sniffing threat mentioned is overblown. As one of the commenters
mentions, ISPs don't generally allow adjacent IPs to sniff traffic.

A bigger threat is that a vulnerability in the printer may have been
exploited. E.g., for a long time most HP printers could have their firmware
upgraded by sending them a print job. And so far the cursory look I've taken
at various printer firmware has been really alarming – think thousands of
calls to strcpy/memcpy and other unsafe friends.

Edit: Here's a reference for firmware upgrade via print job:
[http://www.internetsociety.org/sites/default/files/03_4_0.pd...](http://www.internetsociety.org/sites/default/files/03_4_0.pdf)

Edit2: Also, when I say "firmware upgrade" I mean arbitrary code – it wasn't
verifying a digital signature or anything.

~~~
extrapickles
Printer firmware and drivers are the worst. I've integrated with a software
package that supplies its own printer drivers because the manufacturers can't
make a driver that will actually work well.

They constantly screw up the most basic of things. A good test of a network
printer is to set it offline, send 20 print jobs to it (a test page is fine),
then set it back online. Way too many printers will not print out all 20 print
jobs, despite reporting success for all of them (This is true even of $30k
printers).

------
jrcii
Any time in the last 10 years I set up an independent email server it had
horrible deliverability rates. I wonder how they worked around that. Getting
your server whitelisted with all the major providers is a major hassle.

~~~
banhfun
[http://www.mail-tester.com/](http://www.mail-tester.com/) is a good resource
to use to help with this.

------
internaut
The US government should give Guccifer the Medal of Honour. This is a farce.

------
dmritard96
Also curious about USB - are there any USB logs and is that something logged
by whatever OS her server was running? seems like it would have been really
easy for things to move from email to usb...

~~~
xufi
That's an interesting point. Who knows if she even had a way to do that unless
she connected remotely overseas via a secure client. Granted though it'd have
to be highly secure

------
AnimalMuppet
I seem to recall something about a CIA head getting fired because he took a
Mac from work home. Does anyone recall details of this? (I tried to find it,
and failed.)

~~~
paulmd
John Deutch?

[https://fas.org/irp/cia/product/ig_deutch.html](https://fas.org/irp/cia/product/ig_deutch.html)

~~~
AnimalMuppet
Yeah, that was it. Thanks.

------
jaboutboul
Bernie 2016?

------
Esau
Am I the only one who dislikes the domain name itself? Every time I see it, I
read it as "Clint One Mail", not "Clinton Email".

~~~
rosalinekarr
Yeah, as important and fascinating as the whole story is, every time I see
"ClintonEmail.com," all I can think is that surely the Clintons of all people
should have the influence and power to get a hold of just "Clinton.com."

I mean the current owner of clinton.com is some investment firm that could
probably do just as well with something like ClintonGroup.com or
ClintonInvestments.com. If I was her, I would fight for the email address
"hillary@clinton.com."

Then again, I'm a programmer, not a politician.

~~~
Alupis
> If I was her, I would fight for the email address "hillary@clinton.com."

How does one "fight for an email address"?

Once you own a domain, you own it. It doesn't matter that it just so happens
to be someone else's last name.

She would have had to pay most likely a large sum to the investment firm that
already owns clinton.com... and perhaps they aren't interested in selling, or
they value the domain too high.

------
mergy
Other very serious concerns:

1. Was it running RAID? If so, what level? Better not be RAID 5. Horrible
write speed.

2. Let's REALLY dig into the DNS. What about reverse lookups and CNAMEs.

3. Any idea what the screensaver was? I'll reserve judgement until I have
some confirmation.

4. NIC driver version: Hearing that she just ran a generic MS driver for the
Intel dual network card. Unbelievable.

~~~
arcticfox
Is your point that the published details are irrelevant? Because if so, I very
much disagree. You can ignore the details if you want.

~~~
mergy
Yes, let's look at all the dns records created, edited, removed and theorize
all possible devices that could have been connected or not.

Wouldn't a better rendering of all of this be a video from Taiwanese
animation?

------
karmacondon
A rough analogy for this situation would be if a company had an "employees
must use blackberries" policy, but the CFO of the company outright refused
because he wanted to use his iPhone. Are they going to fire the CFO over that?
Possible but not likely, especially if he is doing a good job otherwise.

In the same way, the Secretary of State can also refuse to comply with
government _policy_ (not law). You can't fire the Secretary of State for using
the wrong email server. It just doesn't work that way. The fact that national
security is involved does change things, but organizational politics is pretty
much the same all over. If Clinton's email server contained the nuclear launch
codes or the contents of Area 51 then the government would have handled it
differently. It's unlikely that any lasting and serious security threats were
exposed.

