Monday, July 25, 2016

A Little Careless?

I've been seeing people post that Hillary Clinton was "a little cavalier about internet security."

As a lawyer who also has 20 years of professional IT experience (including setting up and managing many email systems), I feel qualified to refute that. I can assure you she was not "a little cavalier about internet security."

Let's count the careless here. This is from an information security perspective. Maybe you don't realize just how dangerous this was.

  1. Hiring someone without security clearance to install a server and email software in her home. That person had full administrative access to her email for an unknown length of time.
  2. Registering a domain with her name in it, clintonemail.com, and a public registration. (At this point, literally everyone on earth knows whose system it is, AND that it's used for email, AND what software and version is used, AND its rough geographic location, AND the ISP providing service, AND the type of internet connection used, AND that it doesn't have government security.) This also tells us that she hired an idiot for step 1.
  3. We have no idea whether she had a firewall in place. (Her version of Windows, without a firewall in place, is routinely compromised within minutes of being connected to the internet.)
  4. We don't know who her ISP was, what security they had in place, or whether they had access to the server at any point.
  5. Repeating 1, 3 and 4 when she moved the server to a hosting provider.
  6. We don't know the physical security of the server at her home, or at either of the ISPs. Was physical access restricted? Does anyone know?
  7. We don't know who moved the server twice. All the classified information was put into the hands of unknown persons, multiple times for hours or days at a time. Was any other software installed during the move? Were any drives copied?
  8. We don't know what remote management solution was used, how it was protected, who had access, and for how long.
  9. We don't know what backup solution was used. Was there physical media? Stored offsite? By whom? Where is it now? If they used online backup, all the previous unknowns are duplicated for that service.
  10. Did the staffer who installed the server do all the management? If not, others had administrative access to her email.
  11. Accidentally not turning the email over after she left State, and repeating 1, 3 and 4 again when she moved the server again.
  12. She went through multiple servers, multiple wipes of the data, all deliberate, plus an unknown automatic purge schedule, an unknown number of manual deletions over the course of four years, unknown automatic routing rules, the main purge of over half her email as "personal", a purge of her, her staff's and her attorneys' mobile devices, "losing" the server until subpoenaed, and no archive or backup produced.

The above is why the FBI just assumes that our enemies have all her email. It also means that the email she turned over in no way constitutes a complete, reliable or authoritative record of her time at State.

This would get anyone fired and prosecuted in the private sector - and has.

Thursday, July 7, 2016

A "Top Secret" tale of two citizens.


First, some background. Read these two FBI statements to get up to speed on both cases:

James Comey Statement on Hillary Clinton's email server

FBI Press release on sentencing of Bryan Nishimura

Both cases examined the "unauthorized removal and retention of classified material." Let's do a point by point comparison based on the FBI Nishimura press release:

"In his role.... had access to classified briefings and digital records"
Nishimura: Check
Clinton: Check

"....[which] could only be retained and viewed on authorized government computers"
Nishimura: Check
Clinton: Check

"....caused the materials to be downloaded and stored on his personal, unclassified electronic devices and storage media"
Nishimura: Check
Clinton: Check

"....carried such classified materials on his unauthorized media at.... the end of his deployment [at the end of his/her authorized access]."
Nishimura: Check
Clinton: Check

"....continued to maintain the information on unclassified systems in unauthorized locations, and copied the materials onto at least one additional unauthorized and unclassified system"
Nishimura: Check, and Check
Clinton: Check, and Check

".... admitted that... he destroyed a large quantity of classified materials he had maintained in his home"
Nishimura: Check
Clinton: Check

"Despite that, when the Federal Bureau of Investigation searched [home/servers].... agents recovered numerous classified materials"
Nishimura: Check
Clinton: Check

"The investigation did not reveal evidence [of intent] to distribute classified information to unauthorized personnel."
Nishimura: Check
Clinton: Check

"admitted to [investigators] that he had handled classified materials inappropriately."
Nishimura: Check
Clinton: NO. She still denies this. The FBI found that she did.

Punishment:
Nishimura: Guilty plea, thousands in fines, loss of current and all future security clearances
Clinton: None.

Anything seem off about that to you?

Thursday, February 27, 2014

Religious Freedom and Arizona

I know this is not a popular point to make, but ....

Sad day for religious freedom. The governor of Arizona vetoed a bill that would have protected the rights of (among others):
1. Jews to refuse to bake a Swastika cake for a Neo-Nazi celebration,
2. Muslim women to be covered in spite of company dress codes,
3. Black business owners to refuse to cater a KKK rally,
4. Catholic-owned pharmacies to refuse to sell condoms, and
5. Mormon landowners to refuse to rent their land to parties that will be serving alcohol at their gatherings.

The law simply stated:

"B. Except as provided in subsection C of this section, State Action shall not substantially burden a person's exercise of religion even if the burden results from a rule of general applicability.
C. State Action may substantially burden a person's exercise of religion only if the opposing party demonstrates that application of the burden to the person's exercise of religion in the particular instance is both:
1. In furtherance of a compelling governmental interest.
2. The least restrictive means of furthering that compelling governmental interest."

That's the whole meat of the bill. The rest is definitions and remedies at law.

The characterization of this bill as "anti-gay" in the media is dishonest and obscene. If this Bill is anti-gay, then the 1st Amendment to the U.S. Constitution is as well. All the bill does is restate that amendment's protection for religion and the existing court test for when the state may lawfully infringe on religious practice. Gays are not mentioned, nor are Muslims, Mormons, Catholics or Jews. Everyone's freedom of conscience is protected.

Let me repeat: All this bill would have done is restate current Federal and state law. Read it yourself if you don't believe me (the bill minus definitions is less than one page long): http://www.azleg.gov/legtext/51leg/2r/bills/sb1062p.pdf

What the media have done is pick one possible scenario under the law, and convinced everyone that the bill was about refusing service to gays and lesbians.

Everyone cheering this veto needs to think about this long term. Yes, you've prevented a possible outcome you find undesirable. But, what happens in the future when the KKK sues because they were refused service at a business because the owner felt conscience-bound to not promote their lifestyle? If you think other laws will protect them, or "that could never happen here, everyone agrees the business shouldn't have to..." just wait. Times change, and tactics used to promote views you agree with can just as easily be used to promote others you abhor. The only safe path is to strongly guarantee each of us the right not just to believe, but to ACT on our sincere beliefs in both the personal and public spheres.

Failure to check the types of lawsuits that prompted this law is a two-edged sword.

Friday, December 27, 2013

The Utah Gay Marriage Ruling is Judicial Activism, But Not Because of the Decision....

Conservatives are quick to label Judge Shelby's decision a case of "judicial activism." But, what does that mean?

I'm not going to criticize the ruling in this post. I am going to argue that regardless of your opinion on gay marriage, this decision is not the way we want decisions to be made.

The Decision was Issued at the Wrong Point in the Case

Judge Shelby decided the case by ruling on a motion for summary judgment. He essentially ruled that there are no disagreements of fact. That is patently untrue and he made the ruling without hearing the facts in dispute.

Motions for summary judgment are made at the beginning of almost every case, by both sides, as they were here. In these motions, each side makes a BRIEF summary of their case focused on why there doesn't need to be a trial. The goal is to convince the judge that there is no real chance the other side can win.

There are no witnesses called, and only limited written and oral arguments are heard in support of a motion for summary judgment. Neither side presents all their evidence.

That's the key point - Neither side presents all their evidence.

This case will have a huge impact nationwide, not just in Utah. If Judge Shelby's ruling is eventually upheld, ALL state laws and constitutional amendments will be invalidated, not just Utah's. His ruling really is unprecedented. Only one other gay marriage law has ever been found to violate the Federal Constitution. **

In this type of case I want all the evidence to be heard. I want to know that the judge has heard all the arguments for and against amendment 3, not just a summary focused on criticizing the other side's case.

Judge Shelby pointed out that the state didn't ask for a stay with their motion for summary judgment. The state didn't move for a stay at the time because no one expected the case to be decided at this point. The Plaintiffs did not move for a stay either, for the same reasons.

If judge Shelby had ruled for the state, proponents of gay marriage would want all the evidence heard. They would feel that the ruling "short circuited" the legal process - and they would be right. Summary judgment is not appropriate in a case of this magnitude.

Not Staying the Decision Pending Appeal Means the State Can Never Win

In addition to not hearing all the evidence, by not issuing a stay of his decision (allowing the status quo to remain) while the State appeals, Judge Shelby is ensuring that even if Utah wins in the Appeals court, or the Supreme Court, the couples suing the state still win.

He is harming Utah's position on appeal.

Let's imagine another case. In this case two parties dispute ownership of land. One side has been recognized as the undisputed owner, and has kept the land as undeveloped wilderness for over 100 years. The other party recently discovered that they may, in fact, be the true landowner, and they want to build a skyscraper on the lot.

The party wishing to build on the land sues the other party, and both sides submit motions for summary judgment. Both sides, and the court, know that the losing side will appeal the ruling.

Let's assume that the judge finds that the skyscraper team owns the land, and rules for them, and allows them to start building the skyscraper immediately. The losing side has substantial evidence to present, and asks the judge to stop construction until they can appeal the ruling.

The fair outcome in this case would be for the judge to halt construction until the case has a final decision. If she does not, and allows construction to begin, the skyscraper team wins anyway, no matter what happens on appeal. If the original owner wins in the supreme court 3 years later, it doesn't matter, the building has been built. It would be expensive and unjust to tear down the building and return the land to its original state - who would pay the costs to clear it, and who would compensate the developer for the time and resources spent to build the skyscraper?

That's the position Judge Shelby has put Utah in. By not staying his decision, the Plaintiffs get everything they want while the appeal is ongoing. If Utah wins on appeal, the "damage" is done. The definition of marriage in Utah has changed because hundreds of gay marriages have been performed, joint tax returns filed, death benefits collected and so on. It would be unjust and expensive to allow Utah to keep traditional marriage. The longer gay marriages are performed, the more parties would be harmed by a ruling in favor of the state. Appeals courts consider this kind of harm when ruling, as they should.

Leaving the law in place during appeal does not impact either the state or same-sex couples in Utah, and would not harm Utah's chances on appeal. That would have been the fair way to handle things.

In summary, judge Shelby did not have all the facts when he ruled. He alone invalidated the marriage laws of 33 states without hearing all the evidence from both sides in even one of those states. He seems convinced that no evidence could possibly convince him, the 10th circuit, or the U.S. Supreme Court to rule otherwise, and thus will not stay his decision. The fact that he chose not to leave the status quo in place while the state appeals means that Utah loses, and the plaintiffs get what they want, even if the state wins in the appeals court.

That's what we mean by judicial activism.

** (A reader pointed out to me that one other Federal District judge has ruled on 14th amendment grounds - Judge Vaughn in the California Prop 8 case. His is the ruling that still stands after the Supreme Court vacated the Ninth Circuit decision. However, this decision will not be appealed again, and can't be used to strike down marriage laws in other states -- It's complicated).

Tuesday, October 22, 2013

The Russia Left Behind.... The Role of Civil Institutions

The New York Times has a fascinating article on the deterioration of Russia outside of large urban areas.

Things are much the same in the rest of the former USSR. People in the former USSR have completely lost the very concept of an organization not associated with the government. It's had terrible consequences for their society. Any Libertarian leanings I have, I gained in Ukraine.

What are missing in Russia/Europe/Socialism in general are civil institutions between the individual and the state. The more robust these institutions are, the less the state has to provide. And, the less disruptive it is when the state runs out of money - which will happen here too.

Such institutions include: families, churches, local governments, professional associations, service clubs, non-profits, charities, credit unions, labor unions, neighborhood committees, the ACLU, and yes, corporations both small and large.

These play a major role in American society. We have been "joiners" since the founding. De Tocqueville commented on this. Our first instinct when we see a problem is to organize a group to solve it. Local groups for local issues, state groups for state issues, etc.

We seem to be losing that tendency. To many people, everything is a Federal government issue, requiring a Federal government solution. The more government solutions we have, the more power is concentrated in a system which can be manipulated by those in power.

As the old adage has it: power corrupts, and absolute power corrupts absolutely. Decentralized government and less federal control over everything is one answer to the corruption of both government and corporate power. You can fight Walmart or your school board in your neighborhood and win, but try winning the same battle in Congress fighting corporate tax breaks or the common core.

To those who say "the systems seem to work to sustain that status quo."

Yes, exactly. Shrink the system, and you shrink the influence that can be wielded by manipulating that system.

Wednesday, September 4, 2013

Religious Freedom, Gay Marriage, and Name Calling.

Freedom of belief and thought are beginning to come under attack by the forces of "tolerance." We conservatives have been ridiculed for warning that legalization of same-sex marriage, and the inclusion of sexual orientation in anti-discrimination statutes would erode religious freedom. There's no question anymore - those warnings were prescient.

The erosion started in 2006 when Catholic Charities of Massachusetts faced a stark choice: Violate their religious convictions or cease to facilitate adoptions in the state.

Catholic Charities ceased adoptions.

The assault continues today, especially against small businesses. A Bakery in Oregon has been forced to close in the face of threats, boycotts and an investigation by the state.

In addition to this bakery being investigated, the article lists more lawsuits and investigations:


  • "Just last month, New Mexico’s Supreme Court ruled that two Christian photographers who declined to photograph a same-sex union violated the state’s Human Rights Act. One justice said the photographers were “compelled by law to compromise the very religious beliefs that inspire their lives.”
  • Denver baker Jack Phillips is facing possible jail time for refusing to bake a cake for a gay wedding. The Colorado Attorney General’s office filed a formal complaint against Phillips, the owner of Masterpiece Cake Shop. A hearing before the state’s civil rights commission is set for later this month.
  • In Indianapolis, a family-owned cookie shop faced a discrimination investigation after they refused to make rainbow cookies for National Coming Out Day.
  • A T-shirt company in Lexington, Ky. found itself at the center of a Human Rights Commission investigation after they refused to make T-shirts for a local gay rights organization."


The message being sent is: you can believe anything you want, but you can't act on it. Keep your thoughts to yourself. (And the message from New Mexico is that we have a human right to a wedding photographer ??)

One definition of a religion is: "a system of beliefs which lead to actions which improve the believer."


Freedom of religion is meaningless if it's all in our heads. Beliefs that don't influence the way we live don't mean much. If you aren't allowed to act in accordance with a belief, then the belief is rendered meaningless. 



If homosexuality wasn't involved, these lawsuits would be dismissed quickly: Would people sue a halal butcher shop if it refused to slaughter and sell pork? How about an LDS owned business that closed on Sunday? We even routinely send police to protect KKK marchers exercising their rights.

What makes homosexuality so different? Why is the belief that homosexual conduct is wrong vilified as homophobic, and worthy of state coercion and re-education?

One last point: the term "homophobic" is a slur designed to marginalize and belittle people. It's designed to cut off debate. We don't call atheists "Deiphobic" or pagans "Christophobic." Principled disagreement is not a phobia, and those who disagree should be persuaded and debated civilly, not dismissed and belittled by name calling.

Friday, June 7, 2013

Government "spying" on citizens is not as sinister... or as new... as you think

I'm not going to talk about the legal issues surrounding the government monitoring of major online services. That's a topic for another longer, more technical post. I want to tell a story:

(Keep in mind - I'm not a cop. That's why this post reads like a poorly written episode of Dragnet).

Imagine it's 1965. You're a cop in New York City. You're assigned to monitor the local mob hit man. You know your hit man’s a small piece of a much bigger organization. They are seriously bad people, killing others and terrorizing the city. You know a partial name, where he eats dinner most nights, and you generally know what kind of activities this guy is involved in. What do you do first?

You probably start by watching the restaurant where he eats. You get to know the regulars, and you start building a picture of everyone who comes and goes from this place. You pay special attention to anyone who talks to your target - any of his "friends."

You'll want to know where else this guy goes, so you get a description of his car. You may even follow him and find out the other places he hangs out, night clubs, etc. Then you repeat the restaurant scenario. You watch everyone and find out who knows who.

All this is hard work. It just so happens that this guy is really popular. He talks to everyone. It takes a lot of manpower to keep track of all those people. You can't tail them all. You and your squad have to sleep sometime.

There's got to be an easier way... finally you have an idea. You talk to the managers of the restaurants and nightclubs and tell them what you're looking for. Being upstanding citizens, they give you whatever information they can, and they don't tell your hit man anything about it.

All this is done in public, so you don't have to get warrants. You can watch him and tail his car all you want on the city streets. In fact he knows he's under surveillance.

You need to watch the larger organization. But how can you watch 100 guys? 1000? You have serious manpower limitations. If only you could put up cameras and tape recorders everywhere. If you only could get a bug on one of his friends, then you'd really have what you need..... but, it's 1965. You don't have the technology.

Let's fast forward 40 years or so..... Same story, but make the following substitutions in your mind:
  • Mob hit man = Al Qaeda terrorist
  • Restaurants and nightclubs = social media and email
  • Restaurant managers = Google, Apple, Facebook, etc.
  • Hit man’s car = terrorist's cellphone
  • Stakeouts and tails = NSA monitoring
  • Larger mob organization = Global terrorist network (Al Qaeda, for example)

Now we do have the technology to watch thousands, even millions, of people at a time. We don’t need to follow them physically – no one conspiring to harm others has physical meetings anymore. All the planning is done online. We don’t have to watch 1000 different restaurants with 100 people per location. Facebook is a global meeting place. It accommodates over 1 billion people. We don’t need to listen to conversations from the shadows - Gmail and Hotmail host conversations for 1 billion plus users. The managers of these meeting places have perfect memories, and “eyes-on” coverage of every part of their establishments. People voluntarily post their actions and locations regularly – complete with pictures. They carry tracking devices in their pockets (cell phones) or cars (OnStar) voluntarily – and even pay for the privilege. We don’t have to track down their friends – They list and categorize them on Facebook.

From the perspective of the authorities, monitoring this makes perfect sense. They've been doing the same thing for decades. Same methods, new location.

Ponder these questions as you read about the scandal in the coming weeks and months:

We wouldn’t question the actions of the cop in 1965, why do we question the actions of the “cops” in 2013? The cop in 1965 wasn’t out to “spy” on innocent Americans, why do we assume cops in 2013 are?

And the question that gets to the heart of the matter:

Everyone involved in my story in 1965 - criminal, cop and bystander - knew their actions were public and observable, and the cop didn’t need a warrant, why have we forgotten that in 2013?

Facebook, email, Google, et al are private entities, but they are “open to the public” just like a restaurant or bar. You should not expect ANYTHING you do on the internet to be private. Interactions on the internet are the equivalent, privacy-wise, of meeting in the middle of Times Square at rush hour.

Jason Perlow at ZDNet.com provides the unapologetically pro-government position, and explains why this isn’t a new issue at all. He also has good links to additional reading.