Monday, July 25, 2016

A Little Careless?

I've been seeing people post that Hillary Clinton was "a little cavalier about internet security."

As a lawyer who also has 20 years of professional IT experience (including setting up and managing many email systems), I feel qualified to refute that. I can assure you she was not "a little cavalier about internet security."

Let's count the careless here. This is from an information security perspective. Maybe you don't realize just how dangerous this was.

  1. Hiring someone without security clearance to install a server and email software in her home. That person had full administrative access to her email for an unknown length of time.
  2. Registering a domain with her name in it, clintonemail.com, with a public registration. (At this point, literally everyone on earth knows whose system it is, AND that it's used for email, AND what software and version is used, AND its rough geographic location, AND the ISP providing service, AND the type of internet connection used, AND that it doesn't have government security.) This also tells us that she hired an idiot for step 1.
  3. We have no idea whether she had a firewall in place. (Her version of Windows, without a firewall in place, is routinely compromised within minutes of being connected to the internet.)
  4. We don't know who her ISP was, what security they had in place, or whether they had access to the server at any point.
  5. Repeating 1, 3 and 4 when she moved the server to a hosting provider.
  6. We don't know the physical security of the server at her home, or at either of the ISPs. Was physical access restricted? Does anyone know?
  7. We don't know who moved the server twice. All the classified information was put into the hands of unknown persons, multiple times for hours or days at a time. Was any other software installed during the move? Were any drives copied?
  8. We don't know what remote management solution was used, how it was protected, who had access, and for how long.
  9. We don't know what backup solution was used. Was there physical media? Stored offsite? By whom? Where is it now? If they used online backup, all the previous unknowns are duplicated for that service.
  10. Did the staffer who installed the server do all the management? If not, others had administrative access to her email.
  11. Accidentally not turning the email over after she left State, and repeating 1, 3 and 4 again when she moved the server again.
  12. She went through multiple servers, multiple wipes of the data, all deliberate, plus an unknown automatic purge schedule, an unknown number of manual deletions over the course of four years, unknown automatic routing rules, the main purge of over half her email as "personal", a purge of her, her staff's and her attorneys' mobile devices, "losing" the server until subpoenaed, and no archive or backup produced.

The above is why the FBI just assumes that our enemies have all her email. It also means that the email she turned over in no way constitutes a complete, reliable or authoritative record of her time at State.

This would get anyone fired and prosecuted in the private sector - and has.

Thursday, July 7, 2016

A "Top Secret" tale of two citizens.


First, some background. Read these two FBI statements to get up to speed on both cases:

James Comey Statement on Hillary Clinton's email server

FBI Press release on sentencing of Bryan Nishimura

Both cases examined the "unauthorized removal and retention of classified material." Let's do a point-by-point comparison based on the FBI Nishimura press release:

"In his role.... had access to classified briefings and digital records"
Nishimura: Check
Clinton: Check

"....[which] could only be retained and viewed on authorized government computers"
Nishimura: Check
Clinton: Check

"....caused the materials to be downloaded and stored on his personal, unclassified electronic devices and storage media"
Nishimura: Check
Clinton: Check

"....carried such classified materials on his unauthorized media at.... the end of his deployment [at the end of his/her authorized access]."
Nishimura: Check
Clinton: Check

"....continued to maintain the information on unclassified systems in unauthorized locations, and copied the materials onto at least one additional unauthorized and unclassified system"
Nishimura: Check, and Check
Clinton: Check, and Check

".... admitted that... he destroyed a large quantity of classified materials he had maintained in his home"
Nishimura: Check
Clinton: Check

"Despite that, when the Federal Bureau of Investigation searched [home/servers].... agents recovered numerous classified materials"
Nishimura: Check
Clinton: Check

"The investigation did not reveal evidence [of intent] to distribute classified information to unauthorized personnel."
Nishimura: Check
Clinton: Check

"admitted to [investigators] that he had handled classified materials inappropriately."
Nishimura: Check
Clinton: NO. She still denies this. The FBI found that she did.

Punishment:
Nishimura: Guilty plea, thousands in fines, loss of current and all future security clearances
Clinton: None.

Anything seem off about that to you?