Among the more disappointing things in all of this is that there is a rational, important conversation to be had about everyday awareness of security and government inflexibility. But there won't be, because she is Hillary Clinton and it is 2016.<p>Supposedly she got the server set up because the NSA refused to give a politician who travels frequently a secure smartphone. She (I personally believe) was likely ignorant of many of the security requirements of such a server (even one set up for unclassified e-mail), as was whoever set it up. And no-one on her staff either knew enough or was willing enough to say anything. She is also supposedly not the first Secretary of State to have an arrangement of this nature.<p>This feels like the very definition of systematic failure and clearly needs to change. But the conversation is almost exclusively based around a) her having nefarious motivations, because she is Hillary Clinton, or b) this all being a Republican plot to derail the Democratic candidate for President.<p>It's all very depressing.
Here's some more details about the state of security of her private server [0]:<p>><i>Outlook Web Access, or OWA, was running on port 80 without SSL (unencrypted)</i><p>><i>Remote Desktop Protocol, port 3389, was exposed through the DMZ (open to anyone on the internet.) This, at the time it was being used, was open to critical vulnerabilities that would allow for remote execution of code.</i><p>><i>VNC Remote Desktop, port 5900, was also exposed through the DMZ.</i><p>><i>SSL VPN used a self-signed certificate. This isn't inherently bad, but left them open for "spearphishing" attacks, which have already been confirmed to be received by Hillary Clinton and her staff</i><p>It's also interesting how they responded to attacks on the server [1]:<p>><i>Here is the section from page 41 of the report which references an “attack”:</i><p>> On January 9, 2011, the non-Departmental advisor to President Clinton who provided technical support to the Clinton email system notified the Secretary’s Deputy Chief of Staff for Operations that he had to shut down the server because he believed “someone was trying to hack us and while they did not get in i didnt [sic] want to let them have the chance to.” Later that day, the advisor again wrote to the Deputy Chief of Staff for Operations, “We were attacked again so I shut [the server] down for a few min.” On January 10, the Deputy Chief of Staff for Operations emailed the Chief of Staff and the Deputy Chief of Staff for Planning and instructed them not to email the Secretary “anything sensitive” and stated that she could “explain more in person.”<p>[0] <a href="https://np.reddit.com/r/politics/comments/4j2r94/judicial_watch_new_clinton_emails_reveal_clinton/d336scb" rel="nofollow">https://np.reddit.com/r/politics/comments/4j2r94/judicial_wa...</a><p>[1] <a href="http://lawnewz.com/high-profile/clinton-tech-says-private-email-server-was-attacked-forcing-shutdown/" rel="nofollow">http://lawnewz.com/high-profile/clinton-tech-says-private-em...</a>
One of the commenters on the Krebs post makes a remarkable point [1]:<p>"It gets better. Do a dig mx clintonemail.com. You’ll see that the machine’s incoming email was filtered by mxlogic.net, a spam filtering service that works by received all your emails, filtering out the spam, and forwarding you the rest.<p>This is because the hosting provider, Platte River Network, sold a package along with the hosting. The package included spam filtering and full-disk off-site backup (since then seized by the FBI).<p>So every email received by Clinton was going through many unsecured places, including a spam filtering queue, a backup appliance and an off-site backup server. Which has already been documented."<p><a href="http://krebsonsecurity.com/2016/05/did-the-clinton-email-server-have-an-internet-based-printer/#comment-406731" rel="nofollow">http://krebsonsecurity.com/2016/05/did-the-clinton-email-ser...</a>
I have spent some time talking to different people I meet/know who have security clearances.<p>EVERY one of tells me that if they had done what it appears Hillary did, they would fully expect to be in jail for years.<p>In researching this, I find that about 4.5 million Americans currently have, and maybe 1.5 million more did have in the past, security clearances.<p>I find it hard to believe that in Washington DC, surrounded by people with security clearances, this was unintentional and just an accident. It's like Hillary had to look far afield to find people <i>without</i> security clearances so that they would set this up for her.
The emails themselves sent from Clinton's server were unencrypted for several months, so unencrypted printing is just more of the same.<p>There's no reasonable question anymore that laws on handling classified data were broken, the only question is will charges actually be brought?
Given all the warnings I got when I had a secret clearance back in the 80's about protecting the information and what penalties I faced for not following the rules I've found it unimaginable that the Secretary of State didn't know or didn't care about protecting much higher level secrets.
This story just keeps getting better. There is either a grand nefarious plot, or worse, horrific incompetence. I just can't find a third possibility.
I really want to like Clinton for running her own server, respecting the decentralized basis of the Internet. Yet her domain name was clinton<i>email</i>.com? What a pleb! Political corruption and murder is her family business, yet even with those capabilities she can't be bothered to obtain a better online identity? She may as well have been at hotmail or gmail and highlighted in blue!
Does this really indicate any private correspondence was printed via the internet? Even if a printer was set up which _was_ writable via this web address, that doesn't mean that emails from the email server itself were printed to that address rather than directly to the device, does it? In fact, presumably the printer and email were hosted on the same server so it doesn't make much sense to me that they would send one to the other via the web address.
Any time in the last 10 years I setup an independent email server it had horrible deliverability rates. I wonder how they worked around that. Getting your server whitelisted with all the major providers is a major hassle.
Also curious about USB - are there any USB logs and is that something logged by whatever OS her server was running? seems like it would have been really easy for things to move from email to usb...
I seem to recall something about a CIA head getting fired because he took a Mac from work home. Does anyone recall details of this? (I tried to find it, and failed.)
Other very serious concerns:<p>1. Was it running RAID? If so, what level? Better not be RAID 5. Horrible write speed.<p>2. Let's REALLY dig into the DNS. What about reverse lookups and CNAMEs.<p>3. Any idea what the screensaver was? I'll reserve judgement until I have some confirmation.<p>4. NIC driver version: Hearing that she just ran a generic MS driver for the Intel dual network card. Unbelievable.
A rough analogy for this situation would be if a company had an "employees must use blackberries" policy, but the CFO of the company outright refused because he wanted to use his iPhone. Are they going to fire the CFO over that? Possible but not likely, especially if he is doing a good job otherwise.<p>In the same way, the Secretary of State can also refuse to comply with government <i>policy</i> (not law). You can't fire the Secretary of State for using the wrong email server. It just doesn't work that way. The fact that national security is involved does change things, but organizational politics is pretty much the same all over. If Clinton's email server contained the nuclear launch codes or the contents of Area 51 then the government would have handled it differently. It's unlikely that any lasting and serious security threats were exposed.