Why Clinton’s Private Email Server Was Such a Security Fail

91 points by altern8 over 10 years ago

12 comments

groovylick over 10 years ago
The reporting on this story has been pretty terrible. Wired just running with the AP story without spending the couple of minutes it takes to verify the details is shameful.

The clintonemail.com domain was registered by Justin Cooper [1] and the MX records point to mail servers run by mxlogics.net, now owned by McAfee, not some solo server in Clinton's home. The sole evidence from the AP report is:

> It was not immediately clear exactly where Clinton's computer server was run, a business record for the Internet connection it used was registered under the home address for her residence as early as August 2010. The customer was listed as Eric Hoteham.

A business record for an Internet connection doesn't prove anything, let alone the location of an email server. A history of the MX records [2] is evidence of the location and management of the email server, which has always been set to a mxlogics domain. That it took me only 5 minutes to gather this information but unsourced reporting is being parroted is poor journalism.

[1] http://who.is/dns/clintonemail.com [History & DNS Tabs]
[2] https://dnshistory.org/dns-records/clintonemail.com
lmg643 over 10 years ago
I'm still waiting for the explanation of why this was OK. "Every secretary of state has done this." or, "appropriate and very common among high elected officials."

When I think about the email requirements of any corporation, every real job I've had, the use of personal email for company business is against policy and would be a fireable offense.

Also interesting to consider the FOIA is more fearful to a politician than having this private email service hacked by a foreign intelligence service. The State Department is essentially an adjunct to the CIA at the highest levels, so this is a real risk.
agwa over 10 years ago
> Clintonemail.com currently uses an invalid TLS certificate, another method that a man-in-the-middle might use to intercept or spoof emails from the server; but Stanford researcher Jonathan Mayer points out to WIRED that the State Department’s own TLS certificate is currently invalid, too.

The invalid certificates are a red herring. These are certificates used by SMTP servers[1], and since SMTP encryption is currently opportunistic (i.e. completely optional and trivially defeated by an active attacker), it *does not matter* whether the certificate is valid or not. Virtually no SMTP client validates the certificate presented by an SMTP server on port 25, let alone care if encryption is used. The only reason why SMTP servers present certificates at all, as opposed to using an anonymous TLS ciphersuite, is because some SMTP clients choke on anonymous ciphersuites.

[1] https://twitter.com/jonathanmayer/status/572779239281332224
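Added example, not part of the comment above or of the original thread: a small Python model of the port-25 sender behaviour agwa describes, where an opportunistic sender never consults certificate validity and falls back to plaintext when STARTTLS is not advertised. The hostname, EHLO replies and the policy names "opportunistic" and "enforced" are constructed assumptions for illustration.

```python
# Added illustration: how an SMTP sender on port 25 decides to deliver.
# Hostname, EHLO replies and policy names are constructed for this example.

EHLO_FULL = (
    "250-mx.example.test Hello\n"
    "250-SIZE 52428800\n"
    "250-STARTTLS\n"
    "250 8BITMIME"
)
# Same reply as the sender would see it if the STARTTLS keyword never arrived.
EHLO_NO_STARTTLS = (
    "250-mx.example.test Hello\n"
    "250-SIZE 52428800\n"
    "250 8BITMIME"
)

def parse_ehlo(reply):
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    extensions = set()
    for line in reply.strip().splitlines()[1:]:  # line 1 is the greeting
        well_formed = line.startswith("250") and line[3:4] in ("-", " ")
        if not well_formed or not line[4:].strip():
            raise ValueError(f"unexpected EHLO line: {line!r}")
        extensions.add(line[4:].split()[0].upper())
    return extensions

def delivery_decision(ehlo_reply, cert_valid, policy):
    """Return 'tls', 'plaintext' or 'defer' for one delivery attempt."""
    offers_tls = "STARTTLS" in parse_ehlo(ehlo_reply)
    if policy == "opportunistic":
        # Certificate validity is never consulted; no STARTTLS means plaintext.
        return "tls" if offers_tls else "plaintext"
    if policy == "enforced":
        # Sender requires encryption and a certificate that validates.
        return "tls" if offers_tls and cert_valid else "defer"
    raise ValueError(f"unknown policy: {policy!r}")

def decision_table():
    """Every combination of policy, reply and certificate state."""
    replies = {"starttls": EHLO_FULL, "no-starttls": EHLO_NO_STARTTLS}
    return {
        (policy, name, cert_valid): delivery_decision(reply, cert_valid, policy)
        for policy in ("opportunistic", "enforced")
        for name, reply in replies.items()
        for cert_valid in (True, False)
    }

if __name__ == "__main__":
    for key, outcome in decision_table().items():
        print(key, "->", outcome)
```

In the opportunistic rows the outcome is identical for valid and invalid certificates, and only the enforced policy turns a missing STARTTLS or a bad certificate into a deferred delivery.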
rebootthesystem over 10 years ago
This mess is an example of a much larger problem: We are being governed by a bunch of attorneys who do not hesitate to lie, cheat and steal and play all of us for the fools that we are. Recent examples include a President telling lies (keep your insurance and doctor, save $2,500 a year, etc.) without consequences. This is not limited to a single party. It travels equally well on both rails and spans from mayors and governors to senators and, yes, Presidents.

Not sure what the solution to this might be. This is the stuff of so-called third world countries. I have long held that we are not far from "them", we just do it differently and don't take to the streets en masse when we are lied to and royally screwed.

Maybe one day we will and things will start to change. A lot of these people belong in jail for what they've done to this country. My guess is that if you are under, say, 30, you are going to have to suffer the consequences of what these people have been doing to the country for, say, 50 years. And your children. Well, there's a school of thought that is of the opinion that your children might just get to experience the US as a near third world country in about 50 years.

Our politicians must be accountable for their actions and must have consequences for misleading and manipulating the people. Not sure how that happens. Not sure what laws would deal with this. If there aren't any, there ought to be.
rrggrr over 10 years ago
I seem to recall CIA director Deutch keeping highly classified information on his home computer. CIA Director Petraeus giving classified info to his mistress. National Security Director Berger taking national archive info? Snowden. It's alleged Leon Panetta revealed classified info in his biography. It's almost as if some of the intelligence community leadership could, possibly, lack humility and believe they are infallible. There have been one or two cases in history where a lot of power combined with secrecy has led to bad decision-making. Perhaps this is another example.
zaroth over 10 years ago
Also, the bit about self-signed certificates being insecure? Arguably they are the *most* secure if you pin to them since you are trusting no third parties. Obviously if you keep them untrusted and ignore the validation error every time it's a different story.
chrissnell over 10 years ago
Remember this: if you are a run-of-the-mill State Department staffer or a military servicemember and you put classified material on a non-classified network, you might go to prison. Even high-ranking government officials have gotten in serious crap over classified material mismanagement--GEN Petraeus did this and lost his job as a result.
drawkbox over 10 years ago
I am surprised this is such a big issue considering something very similar happened while Bush was in the White House with outside email under gwb43.com and georgewbush.com and Bush didn't really use email: http://en.wikipedia.org/wiki/Bush_White_House_email_controversy
tedunangst over 10 years ago
I like that Wired takes the AP claim that the server was literally in her home (in a closet? the attic?) at face value.
jedbrown over 10 years ago
Interestingly, neither state.gov nor clintonemail.com sets SPF records. (Nor does nsa.gov, army.mil, or af.mil, though cia.gov, navy.mil, and whitehouse.gov do.) From personal experience as of a few months ago, state.gov did not use DKIM for outgoing mail.
dschiptsov over 10 years ago
Because it was Windows?)
gcb0 over 10 years ago
Heh. They are probably safe. Or should I recall the kind of people the gov gives out money to for IT security?