You see, when Hillary fell on her head and couldn’t testify about Benghazi, which was of course completely honest and of purest intentions, she also forgot to set up her government email account and instead opted to buy her own server to store (and erase) official emails.
Done, of course, with the purest of intentions.
She will make a fine, fine president. Nixon would be proud.
Right, and not only that…
Didn’t the countless people she interacted with notice that she was using a non-gov internet account for gov-related interactions? I would imagine a thousand red flags were sent up in other people’s minds. “Can I trust communications with this individual?” “Is her personal account secure?” “Why is she not using her employer’s email account like everyone else?” etc., ad infinitum…
My personal thoughts…
How can she guarantee that the information sent and received would be encrypted and archived as well as her peers’?
I think it also gives her an “out” if she’s required to produce said emails for the subpoena.
It’s just a boneheaded move on her part if she has nothing to hide.
It has been standard business practice since I started in the business back in 1994 for business email to be done on business accounts. This isn’t new.
Additionally, it shows some seriously bad judgement on Clinton’s part. According to Slate (that bastion of right-wing conspiracy), Clinton ‘took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act.’
So, assuming Slate is correct, then on top of looking hinky, she broke the law as it was at the time.
Another quote:
One would think that Mr Baron, former director of litigation for the U.S. National Archives, would have an idea about this.
Additionally, Clinton did this at the time that the Bush administration was being investigated for using outside email addresses (a fact which I just relearned; I vaguely remember something about this) in the firing of a Justice Department official. So this was a known issue when she set this up. Unless, of course, you want to believe that Clinton didn’t hear about that little fiasco. Oh, and there was another email scandal going on at the time.
So, yeah, this bothers me. Our politicians are supposed to do things the right way. They are supposed to play by the rules. They are supposed to be honest. They are supposed to follow the law.
Either Clinton didn’t know the law, which is exceedingly troubling in itself, or she decided that it didn’t apply to her. Either way, this is bad.
Now, a few people have commented that the government got hacked and therefore her system couldn’t be any worse security wise. I highly doubt that. No system is totally secure. However, the government has procedures and policies in place to make the systems as secure as possible. What did Clinton have? Were the systems given any kind of security review? If so, what were the results and what was done to remediate the known issues?
Having just been through a full security review recently because the business I work for got a federal contract, I can tell you that they are thorough. Does that mean our systems are bulletproof? No, however we have the tools in place to stop attacks and, if one were to occur, trace back what happened. However, I am willing to bet that Clinton’s system did not go through a full security review as, if a review had been done, someone would have said ‘Hey, wait, this is stupid. Really, really fucking stupid.’
I’m a card carrying liberal and will probably vote for Clinton over whoever the Republicans put forth in 2016, but… I find it pretty weird that she didn’t use a State Department email when she was leading the State Department. Doesn’t basically everyone in every office in America conduct work business through their work email account? Why would she not do that?
Mr Baron’s quote about “nuclear winter” is ridiculous, unless Colin Powell also lived through said winter (wait-did he mention nuclear winter at the UN, in addition to yellowcake uranium? Asking for a friend).
Post snipped.
The Federal Records Act, the law that you refer to, was signed into law by Pres Obama the day before Thanksgiving in 2014.
Hillary stepped down Feb 1st, 2013, so following that law was probably difficult for her.
On what date did the Federal Records Act start to require this?
(Hint: commentators are willing to blur the distinction between current rules and rules as they existed at the time).
No, Slate just phrased the sentence to imply something that wasn’t true.
And yet, he describes NARA policy as rules, not laws.
So what?
The law at the time vested the head of each agency with responsibility to determine methods for executing policy. The Justice Department official wasn’t the Attorney General, was he?
From a PR perspective, maybe it was. But it was, at most, a technical violation of the NARA policy of the time, and not a violation of law.
I didn’t vaccinate my dog from rabies, but so long as all of the other dog owners have complied with the law and vaccinated their dogs from rabies, then no harm no foul, right?
You are missing some of the technical points. Regular e-mail is inherently insecure and trivial to spoof. Let’s say that Hillary has been corresponding with high-level officials in Russia, China and lots of other sensitive countries and a hacker learns her e-mail address. That hacker could pose as her very easily and have whole conversations undetected for some time, as long as they have decent mimicking skills. Can’t you see the potential problem with that? As a joke, a teenager could start an international incident that is hard to fix.
That type of e-mail is also very easy to intercept along any part of the chain of servers that it passes through on both the sending and receiving end. Regular e-mail is just plain text that gets passed around like a note in 7th grade math class until it gets to the intended recipient.
Even at my place of work, we are forbidden from using private e-mail for any remotely sensitive information (it is grounds for instant dismissal) for those reasons. There are ways to make e-mail secure that involve strong encryption keys among other things but she doesn’t have the technical savvy to know how to do that herself unless I missed that part of her biography. I assume that official government e-mail has those protections in place.
It is a serious issue, not just for her, but for government officials in general. If that is a remotely standard practice now, countries don’t even need clandestine spooks on the ground to learn what they want. They can just hire some rebellious kids that really like Mountain Dew to do the same job from the comfort of their own bedroom.
She doesn’t have the carpentry skills to build a house, and yet amazingly lives in one.
This is a mystery that defies comprehension.
And your assumption is incorrect, at least with respect to intra-agency e-mail. It’s true that a message from someone at state.gov to someone else at state.gov is relatively secure, because it never traverses the public internet; it’s traffic between Exchange servers. But a message between different government agencies is generally sent the same way you send a message to your poker buddies: unencrypted SMTP, over port 25, between servers.
(There are military solutions like SIPRNET which are certainly secure; I’m discussing civilian agencies here).
I stand by the characterization. The manufacture lies in the deliberate misinformation being fed to the public about the law governing the conduct – for example, quoting current law accurately but never mentioning it did not exist during Clinton’s tenure as SoS.
While I’m not all that fired up about not using the government email account per se, I am upset that Clinton is firm in her belief that the rules just don’t apply to her. And I see that with all people who have been in power, on the right and the left. The Clinton’s have held powerful positions in government for close to 40 years now, and they are confident that the rules don’t apply to them. And I worry that if elected, that mindset will get her (and or us) into trouble.
I don’t know exactly what happens in that case because my experience is limited to the DoD, but the State Department does require its employees to have PIV credentials which make use of Public Key Infrastructure. I’m almost certain that Sylvia Burwell’s email would be digitally signed. It’s certainly within the technological possibility that John Kerry has the HHS root certificates loaded onto his computer so that he can verify that the email did indeed come from Sylvia Burwell. He might not, and the digital signature may remain unverified; it depends on how frequent those sorts of intra-departmental emails are and what the IT folks were asked to do. Certainly anything sent between @state.gov accounts would be digitally signed and verifiable by all employees, with the additional option of encryption available. (It’s unlikely that John and Sylvia would be able to send encrypted emails back and forth, but that’s just my WAG).
Now, it’s possible that Clinton maintained her own PKI root certificates for clintonemail.com, and it’s possible that she securely distributed those certs to everyone she regularly communicated with. But I really doubt it.
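The signing and verification flow the two posts above are arguing about (the "trivial to spoof" point earlier in the thread, and the PIV/root-certificate point here), written out as an added example. This is not code from the thread or from any agency; it uses only Go's standard library. It mints a throwaway root CA standing in for an agency root, issues an e-mail signing certificate from it the way a PIV signing cert is issued, and then plays the recipient's side for the cases discussed: a genuine signed message, the same message with its From header rewritten, a message signed by a spoofer who built their own CA, and a message from a private domain whose root the recipient has not (and then has) installed. The CA names, the addresses (state.example, secretary@clintonemail.com) and the stripped-down message format are made up for the example; real deployments keep the private key on the card and wrap all this in S/MIME.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors (key generation, certificate encoding) to keep the demo short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type Identity struct { // a key plus its certificate; on a PIV card the key never leaves the chip
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCert generates a P-256 key and a certificate for name: a self-signed CA when parent is
// nil (standing in for an agency root), otherwise an e-mail signing certificate issued by parent.
func NewCert(name string, parent *Identity) *Identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parentCert, signer := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.EmailAddresses = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
		parentCert, signer = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &Identity{Key: key, Cert: must(x509.ParseCertificate(der))}
}

type SignedMail struct { // stripped-down S/MIME message: From header, body, sender cert, signature
	From, Body string
	Cert       *x509.Certificate
	Sig        []byte
}

func (id *Identity) Sign(from, body string) *SignedMail {
	h := sha256.Sum256([]byte(body))
	return &SignedMail{From: from, Body: body, Cert: id.Cert, Sig: must(ecdsa.SignASN1(rand.Reader, id.Key, h[:]))}
}

// Verify is the recipient's side: the certificate must chain to a root the recipient has
// installed, the signature must match the body, and the certificate must be issued to the
// address in the From header (a valid signature by itself proves nothing about From).
func Verify(m *SignedMail, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := m.Cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := m.Cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256([]byte(m.Body))
	if !ok || !ecdsa.VerifyASN1(pub, h[:], m.Sig) {
		return fmt.Errorf("signature does not match body")
	}
	for _, e := range m.Cert.EmailAddresses {
		if e == m.From {
			return nil
		}
	}
	return fmt.Errorf("certificate is not issued to %s", m.From)
}

// RunScenario plays out the thread's cases with made-up addresses and CA names;
// a nil entry means the recipient's client would show the message as verified.
func RunScenario() map[string]error {
	stateRoot := NewCert("Example State Dept Root CA", nil)
	trust := x509.NewCertPool() // the roots a state.gov mail client has installed
	trust.AddCert(stateRoot.Cert)
	const from, body = "secretary@state.example", "Please clear the cable before 1700."
	out := map[string]error{}
	genuine := NewCert(from, stateRoot).Sign(from, body)
	out["genuine"] = Verify(genuine, trust)
	relabelled := *genuine // the real certificate and signature, but the From header rewritten
	relabelled.From = "ambassador@state.example"
	out["relabelled"] = Verify(&relabelled, trust)
	// A spoofer who knows the address mints their own CA and signs as the secretary.
	out["spoofed"] = Verify(NewCert(from, NewCert("Bedroom CA", nil)).Sign(from, body), trust)
	// A private server's own root is trusted only by recipients who installed it.
	privRoot := NewCert("clintonemail.com Root CA", nil)
	privMail := NewCert("secretary@clintonemail.com", privRoot).Sign("secretary@clintonemail.com", body)
	out["private-root-not-installed"] = Verify(privMail, trust)
	trust.AddCert(privRoot.Cert) // the recipient is handed the private root out of band
	out["private-root-installed"] = Verify(privMail, trust)
	return out
}

func main() {
	for k, err := range RunScenario() {
		fmt.Printf("%-27s %v\n", k, err)
	}
}
```

The "spoofed" and "private-root-not-installed" cases fail for the same reason on the wire: both certificates are perfectly valid under a root the recipient never installed, which is why a private domain's signatures are worth nothing until that root has been distributed to every correspondent.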
In another angle, HRC included secret email accounts in a list of unconstitutional acts she was accusing the Republicans of, back in 2007.
I’ve seen this asserted a lot, but it’s unclear whether the others had a .gov account which was not a state.gov account, or if they had no official account at all. (If the former, then this is a misleading line.)
I don’t know for sure, but I would imagine that many agencies of the federal government use TLS email, just as many private companies do. Email between larger companies increasingly uses TLS email to provide email encryption that’s transparent to the end user. I would think it likely that many federal agencies do the same. At least, it provides encryption between the servers. The last hop from the server to the recipient is a different problem.
Anyway, that is one of the myriad security problems that are raised by random schmoes running their own email servers. I’ve brought some of them up in this and the other thread. But what do I know? I’ve only made my living as a security professional for over a decade, contributed to the field through independent research, spoken at professional conferences, and led the DFIR function at Fortune 500 companies. You know what, Cabinet officials want to leave state secrets in a box under their desk, have at it. What can go wrong? It wasn’t illegal, so it must be both moral and wise.
Get an e-mail sent to you from a civilian government e-mail address and grab the SMTP host headers it used, or simply do an MX lookup on a .gov host.
Try to telnet to that MX host on port 25. See if it restricts you to TLS.
If you’re trying to leverage your professional experience to convince me that inter-agency e-mail in the civil federal government space is TLS-only, you’re only going to convince me you have virtually no experience in the federal civil space.
If, on the other hand, you’re opining that it’s not best practice, I certainly don’t disagree.
I’m not holding Mrs. Clinton’s approach up as a best practice solution. I’m not saying it’s moral or wise.
As I said above, mail between state.gov addresses would be secure (although I absolutely disagree that it’s digitally signed as a matter of course – at the present time, senders at state have the option to select digital signatures, encryption, or both, but it’s very hit or miss, since encryption only works if the receiver has first published his public key (from his PIV card) to the Outlook GAL; the vast majority of people have NOT done this). It’s true that anyone can use digital signing but it’s not the default option.
I agree it’s unlikely Clinton acted as her own LRA. But State doesn’t even today, in 2015, enforce those requirements. And of course, if they’re not doing it today, why would you imagine they were doing it during her tenure as SoS?
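The telnet check described above (MX lookup, connect on port 25, see whether the host lets you stay in the clear), automated as an added example. This is not code from the thread; it uses only Go's standard library. The two EHLO replies are constructed samples, not captures from any real .gov host, and probe.example.invalid is a placeholder client name. ProbeMX does what the telnet session would: read the extensions, try MAIL FROM before STARTTLS (a host that "restricts you to TLS" refuses that with a 530), then attempt the STARTTLS handshake.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/smtp"
	"os"
	"strings"
	"time"
)

// Constructed EHLO replies used as sample input; they are not captures from any real host.
const SampleEHLOPlain = "250-mx.example.gov Hello probe.example.invalid\r\n" +
	"250-SIZE 52428800\r\n" +
	"250-8BITMIME\r\n" +
	"250 HELP\r\n"

const SampleEHLOTLS = "250-mx.example.gov Hello probe.example.invalid\r\n" +
	"250-SIZE 52428800\r\n" +
	"250-STARTTLS\r\n" +
	"250 8BITMIME\r\n"

// ParseEHLO turns a raw EHLO reply into a map of advertised extensions
// (keyword upper-cased -> parameters). The first 250 line is the greeting, not an extension.
func ParseEHLO(reply string) map[string]string {
	caps := map[string]string{}
	greeting := true
	for _, line := range strings.Split(reply, "\n") {
		line = strings.TrimRight(line, "\r")
		if len(line) < 4 || line[:3] != "250" || (line[3] != '-' && line[3] != ' ') {
			continue
		}
		if greeting {
			greeting = false
			continue
		}
		parts := strings.SplitN(strings.TrimSpace(line[4:]), " ", 2)
		params := ""
		if len(parts) == 2 {
			params = parts[1]
		}
		caps[strings.ToUpper(parts[0])] = params
	}
	return caps
}

// Verdict says what EHLO alone tells you. STARTTLS in the list means TLS is offered, not
// required: a sender that ignores it (or whose connection a middlebox downgrades by stripping
// the line) still delivers in the clear unless the server refuses MAIL FROM before STARTTLS.
func Verdict(caps map[string]string) string {
	if _, ok := caps["STARTTLS"]; !ok {
		return "no STARTTLS: mail to this host arrives as cleartext SMTP"
	}
	return "STARTTLS offered: opportunistic only, cleartext still accepted unless MAIL FROM is refused"
}

// Probe records what the live check found on one MX host.
type Probe struct {
	StartTLSOffered       bool
	PlaintextMailAccepted bool // MAIL FROM accepted before STARTTLS: the host does not restrict you to TLS
	TLSHandshakeOK        bool
}

// ProbeMX is the telnet session from the post, automated: connect on 25, read the
// extensions, try MAIL FROM in the clear, then attempt STARTTLS. Needs network access.
func ProbeMX(host string) (Probe, error) {
	var p Probe
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, "25"), 10*time.Second)
	if err != nil {
		return p, err
	}
	c, err := smtp.NewClient(conn, host)
	if err != nil {
		return p, err
	}
	defer c.Close()
	if err := c.Hello("probe.example.invalid"); err != nil { // placeholder client name
		return p, err
	}
	p.StartTLSOffered, _ = c.Extension("STARTTLS")
	if err := c.Mail("postmaster@probe.example.invalid"); err == nil {
		p.PlaintextMailAccepted = true
		_ = c.Reset() // abandon the transaction; nothing is ever sent
	}
	if p.StartTLSOffered {
		p.TLSHandshakeOK = c.StartTLS(&tls.Config{ServerName: host}) == nil
	}
	return p, nil
}

func main() {
	if len(os.Args) < 2 { // no domain given: show the offline samples
		fmt.Println(Verdict(ParseEHLO(SampleEHLOPlain)))
		fmt.Println(Verdict(ParseEHLO(SampleEHLOTLS)))
		return
	}
	mxs, err := net.LookupMX(os.Args[1]) // e.g. a .gov domain, as the post suggests
	if err != nil {
		fmt.Println("MX lookup failed:", err)
		return
	}
	for _, mx := range mxs {
		host := strings.TrimSuffix(mx.Host, ".")
		p, err := ProbeMX(host)
		fmt.Printf("%s: %+v err=%v\n", host, p, err)
	}
}
```

Run it with no argument to see the verdict on the two samples, or with a domain to look up its MX records and probe each one. The field that answers the post's question is PlaintextMailAccepted: if it comes back true, the host advertised STARTTLS at most as an option and a sending server that never issues it will be accepted in the clear.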
I’m not imagining it, nor did I ever claim it was required during her tenure. It’s dumb not to even give yourself the option, though, especially when it’s readily available to you. Just dumb.
If part of your defense of Clinton here is that “Everyone in the State department has horrendous email security habits,” then, uhh… well, that’s sort of my point. My first posts in this thread tried to make clear that while I don’t think this is necessarily a huge scandal for Clinton herself, I think this points to systemic problems in government IT with regard to record keeping and, apparently, email security. Somebody should have been on top of this from a records archival perspective. Everyone should be making use of their available authentication measures. Even if there was someone on the SoS IT support team who was aware of all of this, if the SoS herself can’t even be arsed to use a state.gov email address, how much respect is anyone else in the office going to give to that guy when he recommends security best practices? It’s a terrible example to set as the head of a department.
Your defense of Clinton seems to fall on some razor-thin margin of “it wasn’t illegal and it didn’t violate policy,” even though you readily acknowledge that it was unwise. Classic Bricker.
eta: I don’t believe you that digital signatures aren’t the default option as of 2015. I don’t have proof, but the digital signature option has been selected by default on DoD servers for at least 5 years in most places. I have a hard time believing that the State Dept is that far behind.