Heartbleed: “Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client.” (from Wiki) Which means all the “https” “secure log-in” URLs we’ve used may not have been secure. With or without any local firewall I bought from Best Buy.
That’s the “in-transit” part. I think. Meaning, it’s not my computer or my app and it’s security add-ons that are at fault.
Now, the government has all sorts of security standards to be stamped and delivered by clients–I know this because I learned of a niche-niche market for computers that are designed only to be test beds for such things. I presume, or hope, that the financial industry, among others, has a set of standards as well. And of course, the Clinton domain(s) were not under the control of the US government, with its standards or protocols.
*) Is there an “industry standard” for her system which at least could be used to discuss with some degree of layman accuracy the possibility of interception? Or, barring that, some metric which the U.S. Government, I presume and hope, is using now to figure out what could have been swiped?
I’ve read about third party signatures and 1024-or-longer key-length encryption.
*) Can I just say, “yup, got that, got that,” and the portion of the messages winging over the net after having left Google’s, Yahoo’s, or somebody’s server is satisfactory to a client’s demands? (Bearing in mind, of course, a Heartbleed, or naturally a code designed for espionage.)
Obviously I don’t expect posts explaining Internet security as a whole.
As I said, I’m not too sure on where or what the “in-transit” part is, in the context of someone demonstrating a level of security, relative to security routines installed locally at the server–which themselves may be corrupted, I presume.
Which leads me to the following:
For now, the one techie thing that people in the mass media are proud to toss around is that the email system was hosted on a “private server”–a hunk of metal in her house. Fortinet is the name I’ve read – and I’m sorry that I don’t have a cite now – as a company which in some way provided security software–and perhaps the entire set-up–for clintonemail.com and perhaps the other co-located (?) domains for Bill. Hillary has/had the “private” domain name, and had her own servers to host the system.
*) So, for private (non-governmental) servers–for which standards exist–compared to mine or Hillary’s or Chase Manhattan’s or Google’s: what’s the diff, to demonstrate security? Me, nobody’s asked. Hillary, every government on Earth is asking now or tried to find out when it was up and running.
*) What is “The” e-mail system? Built from scratch? Not like mine on Gmail?
This is GQ, and I’d like to get better speculation than here, from Gawker, which compared to the rest of the mass media is as technical as you’ll see.
“The local system” can be protected, as far as most people are concerned, by buying off-the-shelf firewalls. Now, I don’t think Fortinet–or any company in the field–just slaps on some McAfee-type app.
*) The government can control its own machines, routers, and physical cables, if it wants, and work with Comcast or Verizon or Sprint, whoever, to set up security there. Could a Fortinet or similar company also have worked with them for Hillary? Which is to say: “a” Hillary, like me or you at home, if we had the coin and connections.