Monday, July 25, 2016

A Little Careless?

I've been seeing people post that Hillary Clinton was "a little cavalier about internet security."

As a lawyer who also has 20 years of professional IT experience (including setting up and managing many email systems), I feel qualified to refute that. I can assure you she was not "a little cavalier about internet security."

Let's count the carelessness here. This is from an information security perspective. Maybe you don't realize just how dangerous this was.

  1. Hiring someone without security clearance to install a server and email software in her home. That person had full administrative access to her email for an unknown length of time.
  2. Registering a domain with her name in it, clintonemail.com, and a public registration. (At this point, literally everyone on earth knows whose system it is, AND that it's used for email, AND what software and version is used, AND its rough geographic location, AND the ISP providing service, AND the type of internet connection used, AND that it doesn't have government security.) This also tells us that she hired an idiot for step 1.
  3. We have no idea whether she had a firewall in place. Her version of Windows, without a firewall in place, is routinely compromised within minutes of being connected to the internet.
  4. We don't know who her ISP was, what security they had in place, or whether they had access to the server at any point.
  5. Repeating 1, 3 and 4 when she moved the server to a hosting provider.
  6. We don't know the physical security of the server at her home, or at either of the ISPs. Was physical access restricted? Does anyone know?
  7. We don't know who moved the server twice. All the classified information was put into the hands of unknown persons, multiple times for hours or days at a time. Was any other software installed during the move? Were any drives copied?
  8. We don't know what remote management solution was used, how it was protected, who had access, and for how long.
  9. We don't know what backup solution was used. Was there physical media? Stored offsite? By whom? Where is it now? If they used online backup, all the previous unknowns are duplicated for that service.
  10. Did the staffer who installed the server do all the management? If not, others had administrative access to her email.
  11. Accidentally not turning the email over after she left State, and repeating 1, 3 and 4 again when she moved the server again.
  12. She went through multiple servers and multiple wipes of the data, all deliberate, plus an unknown automatic purge schedule, an unknown number of manual deletions over the course of four years, unknown automatic routing rules, the main purge of over half her email as "personal", a purge of her own, her staff's and her attorneys' mobile devices, "losing" the server until subpoenaed, and no archive or backup produced.
The above is why the FBI just assumes that our enemies have all her email. It also means that the email she turned over in no way constitutes a complete, reliable or authoritative record of her time at State.

This would get anyone fired and prosecuted in the private sector - and has.