Hillary’s Latest Email Problems

John Schindler deconstructs the Gray Lady’s attempt to whitewash:

At the National Security Agency—where I used to work as a senior intelligence analyst, including as the technical director of NSA’s largest operational division—what outsiders call hacking is handled by a shadowy group called Tailored Access Operations that gets at the hard targets requiring actual cyber-break-ins. TAO are probably the best hackers on earth, but Russia and China are no slouches either, as demonstrated by their repeated infiltrations into protected U.S. Government computer networks in recent years.

However, unencrypted IT systems don’t need “hacking”—normal SIGINT interception will suffice. Ms. Clinton’s “private” email, which was wholly unencrypted for a time, was incredibly vulnerable to interception, since it was travelling unprotected on normal commercial networks, which is where SIGINT operators lurk, searching for nuggets of gold.

They hunt for data with search terms called “selectors”—a specific phone number, a chatroom handle, an email address: here Ms. Clinton’s use of the “clintonmail.com” server was the SIGINT equivalent of waving a huge “I’m right here” flag at hostile intelligence services. Since the number of spy agencies worldwide capable of advanced SIGINT operations numbers in the many dozens, with Russia and China in the top five, that Ms. Clinton’s emails wound up in the wrong hands is a very safe bet, as any experienced spy will attest.

The amount of ignorance on this issue spouted by her defenders is both staggering and terrifying.

16 thoughts on “Hillary’s Latest Email Problems”

  1. Clinton’s server was unencrypted before March 29, 2009. She received her first email there on March 18. She sent her first email on the server in April, 2009, after the digital certificate was issued.

    It looks like she screwed up by giving out her new email address before it had been completely set up, and before she herself had switched over to using it.

    On the scale of government computer security breakdowns, a handful of cleartext inbound emails over a week and a half ranks pretty low.

    1. Digital certificates are used for authentication — so that other email servers trust that the server that contacts them to relay email is indeed clintonmail.com, to avoid relaying SPAM. Encryption keys are something completely different and can be used with or without digital certificates. I haven’t seen anything mentioned that emails sent to and from Hillary’s server were at all encrypted either in storage or transmission. If you have such information to the contrary, please provide a link.

      1. Digital certificates are a requirement for TLS/SSL encrypted connections between mail clients and servers, and between mail servers (MTAs). If clintonemail.com did not have such a certificate from a certificate authority for the 11 days between March 18 (the date of the oldest email Clinton received there) and March 29 (when the certificate was issued), then either the server was operating with a self-signed certificate (which would support encryption, but be vulnerable to a man-in-the-middle attack) or was using cleartext connections (which could be intercepted by anyone with access to the network links being traversed).

    2. “It looks like she screwed up by giving out her new email address before it had been completely set up, and before she herself had switched over to using it.

      “On the scale of government computer security breakdowns, a handful of cleartext inbound emails over a week and a half ranks pretty low.”

      My SF-86 was swiped, probably by the Chinese, off of an extremely secure system. That document was used to get my TS/SCI clearance, and contains enough information to allow someone to fuck up not only my life, but that of everyone else IN my life, forever.

      You’re a complete ignoramus when it comes to these things. She had nothing like the OPM server level of security, not even close, at any time she used that server. My information resided on an OPM server that was thought to be immune from foreign breakin, and it was purloined.

      The rule in security is that when classified information is left in a place where it may have been stolen, it is assumed to have been stolen. I don’t think there is any question that Hillary’s email was stolen by every other country on earth, but what I think doesn’t matter. In order to protect our security, it must be assumed to have been stolen.

      The worst part of all of this is her wiping the server. I mentioned the first rule of security, which is that any classified information left in a place where it might have been stolen must be assumed to have been stolen. When Hillary wiped her server, she deprived us of the knowledge of exactly what might have been stolen. We know that she had put Top Secret/SCI/SAP material in an unprotected environment. But because of her destruction of the evidence, we don’t know how much else might have been put out there.

      This isn’t a case where you can say “well, it probably wasn’t all that much.” Just having one piece of TS/SCI/SAP information on an unclassified system is a felony. Do you endorse a felon for President?

        1. Baghdad Jim is wasting his time here. He should be working for the Times in their Spin Division.

      1. “My SF-86 was swiped, probably by the Chinese, off of an extremely secure system.”

        I think you’re making my point: running an unclassified email server without a cert for 11 days, during a transition between accounts, does not rank very high on the list of recent U.S. computer security failures.

        “Do you endorse a felon for President?”

        Inadvertently receiving unclassified email on a server without an SSL certificate is not a felony, and Hillary Clinton is not a felon.

        1. “I think you’re making my point”

          He wasn’t, you are just missing his point. Hillary’s server contained actionable classified intelligence, and it didn’t have the security of OPM.

          “Inadvertently receiving unclassified email on a server without an SSL certificate is not a felony”

          Sure, but Hillary appears to have demanded classified information be stripped of such marking and sent to her unsecure server, and such an act is a felony.

          1. Clinton’s server had “actionable classified intelligence” during the 11 days it didn’t have a digital certificate? Where did you read that?

            “Hillary appears to have demanded classified information be stripped of such marking and sent to her unsecure server, and such an act is a felony.”

            Here’s what we know, based on one of the publicly released emails. Clinton aide Jacob Sullivan emailed Clinton stating:

            “They say they’ve had issue sending secure fax. They’re working on it.”

            Clinton replies:

            “If they can’t, turn into nonpaper with w no identifying heading and send nonsecure.”

            That, by itself, is not close to being proof of a felony. We don’t know what the content of the message was, or its classification status. We don’t even know whether anything was ever sent by a nonsecure channel; maybe they got the secure fax working, or maybe they never sent anything.

            I should also note that while the scandal over Clinton’s private email server resulted in the public release of this particular email, it isn’t clear that the incident in question had anything to do with her email server (it could be that she was telling Sullivan to send the document, if necessary, by regular fax).

          2. “That, by itself, is not close to being proof of a felony. We don’t know what the content of the message was, or its classification status. We don’t even know whether anything was ever sent by a nonsecure channel; maybe they got the secure fax working, or maybe they never sent anything.”

            You don’t seem to know how classified data is handled nor understand the law regarding the handling of classified data.

          3. It’s not the first time he’s demonstrated his profound ignorance on those subjects, and given his persistence it’s unlikely to be the last.

        2. Well, when the news about the server broke, some white hat hackers were able to get to the login screen for the email server’s web console. It was supposedly from an older version of the server software with known security issues. Also, remote login to the OS was supposedly enabled.

  2. “NSA’s largest operational division—what outsiders call hacking”

    It used to be called cracking actually. Hacking was just the act of using a computer to learn how it worked. Cracking was the act of trying to gain access into system(s) you did not have access to. As usual the press messed the terms up and now it’s all bollocks.

    I think there is too much emphasis on encryption as a band-aid for providing data security nowadays. Without classifying data and messages as secret or not… the idea of encrypting everything just for the heck of it just results in a lot of wasted cycles and other compute resources. In practice a lot of ISPs end up forging certificates and going around the encryption so they can locally cache data which otherwise can’t be cached and optimize the network.

    Do you really need to encrypt the front page content of a free access news site?

    I don’t know if the emails were supposed to be publicly accessible or not, but aren’t government actions supposed to be open? If it wasn’t for the fact that Clinton was the SecState I doubt much of these communications required being secret anyway.

    1. Actually, encrypting everything greatly helps secure the important data. As things are now, Russia needs to spend 1000 compute-years to discover if the data just sent to NSA headquarters is the front page of the Wall Street Journal, or the NOC list. If the only thing that was encrypted was the NOC list, then it would be easy to just decrypt the important things.

      In addition, one of the hardest things to “encrypt” is the fact that something important is going on. A sudden rise in encrypted traffic is a huge red flag that enemy agents need to focus now. (Just like a rise in pizza orders in Washington…) If that traffic is hidden in a larger flow of other traffic, even the fact that there is a sudden need to be vigilant is disguised.

      For maximum security: everything is encrypted, and links are constantly kept saturated. If you don’t have any real traffic to send, send fake traffic.
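The constant-rate padding this comment describes, as an added example (not from the post or any commenter): a simulated link where a passive observer sees only per-second byte counts. The link capacity, the traffic figures and the 3x-median detector are constructed; the block also reports what the padding costs the defender (chaff volume and queueing delay), which is the trade-off raised in the parent comment.

```python
import statistics

LINK_CAPACITY = 1000  # bytes per second the padded link always carries (assumed)

# Constructed per-second byte counts of real traffic: quiet background, then a
# burst in seconds 4-7 that exceeds link capacity for a while.
REAL_TRAFFIC = [100, 120, 90, 110, 1800, 1500, 1200, 1100, 100, 95, 105, 110]


def pad_to_constant_rate(real, capacity=LINK_CAPACITY):
    """Emit exactly `capacity` bytes every second: queued real bytes first,
    chaff for the remainder. Keeps emitting until the queue drains. Returns
    per-second records; a passive observer sees only the `total` column."""
    records, backlog, i = [], 0, 0
    while i < len(real) or backlog > 0:
        backlog += real[i] if i < len(real) else 0
        real_sent = min(backlog, capacity)
        backlog -= real_sent
        records.append({"real": real_sent, "chaff": capacity - real_sent,
                        "total": capacity, "queued": backlog})
        i += 1
    return records


def burst_seconds(sizes, factor=3.0):
    """Observer's detector: seconds whose volume exceeds factor x median."""
    median = statistics.median(sizes)
    return [i for i, b in enumerate(sizes) if b > factor * median]


def compare(real=REAL_TRAFFIC, capacity=LINK_CAPACITY):
    """Burst visibility before/after padding, plus the defender's costs."""
    padded = pad_to_constant_rate(real, capacity)
    return {
        "raw_bursts": burst_seconds(real),
        "padded_bursts": burst_seconds([r["total"] for r in padded]),
        "chaff_bytes": sum(r["chaff"] for r in padded),      # wasted capacity
        "max_queue_bytes": max(r["queued"] for r in padded),  # added latency
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

On the raw series the detector flags seconds 4-7; on the padded series it flags nothing, at the price of 5570 chaff bytes and up to 1600 bytes of real traffic waiting in the queue.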

    2. “In practice a lot of ISPs end up forging certificates and go around the encryption …”

      Any Certificate Authority caught facilitating that needs to be drop-kicked with extreme prejudice. And the way SSL certificates operate you can easily see (if you bother to look) who signed the cert, all the way up to the root (who should be “well known”).
