
About the Hillary Clinton email server thing…

I was going to say something about the issue with Hillary Clinton using an email server provided by her own staff for some of her email traffic, rather than one provided by her employer, but @LaneWinree already wrote pretty much what I’d have written, just better than I would have done.

So, I guarantee this is exactly how the email server thing went down.
Whatever internal system the government has set up for email communication is, I guarantee, a total and utter shitshow.
Shitshow as in horrid UI, horrid performance, and just in general unusable. Most business email environments are. Government worse.
Clinton probably complains about this, someone on staff looks into fixing it, someone somewhere thinks “Hey, we could just build a server”
Given that it’s absurdly easy to build an environment to host an email server, a request gets made and some IT guy somewhere says it’s fine
So a server gets built, Clinton uses it, and the whole thing gets overlooked because someone way down the chain doesn’t vet it out
And given the sheer scale of systems the federal government uses, no one audits what systems are running and where
And if you’re Clinton or her staff, you’re thinking if IT signed off on it, it complies with all needed regulations
So where it -should- have been nixed was that federal IT level, where a network specialist sees the request and says “Nope, can’t do it.”
But because it didn’t get nixed there, no one any further up the chain should have any reason to think it’s insecure and against the rules
Here’s the dirty IT secret: This crap happens all the time. Someone at the IT level should know better and deny the request, and that’s it.
And the reason this happened is likely because building a separate environment probably saved a few days work optimizing the existing one
So when Comey says there was no intent to break the law, I totally buy it. Compliance often breaks due to badly optimized systems/processes
Coming from the IT side, I don’t expect mid/upper management to get ANY of these nuances, nor would I find value in explaining it all
So it’s totally reasonable for a manager to assume that if I sign off and build it, I believe it complies with compliance regulations.
Because, well, compliance adherence over IT systems is something -I- should be responsible for. Not a manager. Or Secretary of State.
So the tl;dnr version is a complaint happened, someone put in a request to address the complaint, and IT dropped the ball on compliance.
Yes in IT you want to be helpful and provide solutions, but you MUST know how to comply with IT regulations. That’s on you, not up the chain
I’ve posited this to some friends who also work in IT, and each one of them agrees that this is likely what happened.
Badly optimized legacy systems require a ton of work to fix, IT monkey looks for a shortcut, breaks compliance rules in the process.
@LaneWinree

19 comments

  1. Al Iverson says

    Totally agree. Been guilty of this myself.

  2. Josh says

    Sorry, but no. As someone who is familiar with IT and formerly worked with classified information, this explanation doesn’t fly.
    When a person is given access to classified information, it is drilled into their heads repeatedly how important security is and what the penalties are for screwing it up, and those penalties are severe. That applies to every IT person and everyone who would have a say in approving a private server. The idea that all of them would risk that seems unlikely, unless said order came from the top.
    Combine that with the Clintons’ long history of questionable ethics (to put it mildly) and their current quest for power, if they could reasonably have blamed this on “rogue IT guy/group”, they certainly would have done it by now.
    This just seems like a flimsy rationalization to support your preferred candidate.

  3. Hōkan says

    The news says that the server(s?) was in her house. Her IT staff set up a server IN HER HOUSE and that was OK?

  4. Huey says

    I agree, but it’s missing a discussion of “What IS ‘classified information’?”, with a focus on who determines that and when, how that information is conveyed, how classified information is marked, and what happens when it is leaked.
    Do I think Clinton is guilty of a federal crime in the course of exposure of classified information? Well, yes. Under the current law, pretty much everybody who has ever used a web-browser to read an article about Snowden is guilty of that. The law is exceptionally stupid in this regard.
    In theory, classified email systems are air-gapped from unclassified email systems. In practice, no one can stop you from putting classified information in an unclassified system, because no one can tell you what “classified information” is, because that’s classified.

  5. Andrew says

    I disagree with one statement in particular…
    “Given that it’s absurdly easy to build an environment to host an email server”
    If it was easy then you and Steve wouldn’t have a business consulting in how to do it properly.

  6. Brandon says

    I’m sorry but this whole thing is bunk and it’s easily proven as bunk:
    State Department report slams Clinton email use
    http://www.cnn.com/2016/05/25/politics/state-department-report-faults-clinton-over-email-use/
    From the article:
    The report draws attention to two staff members in the Office of Information Resources Management, who back in 2010 “discussed their concerns about Secretary Clinton’s use of a personal email account in separate meetings with the then-Director” of their office.
    The report says, “According to the staff member, the Director stated that the Secretary’s personal system had been reviewed and approved by Department legal staff and that the matter was not to be discussed any further.” The same director reportedly “instructed the staff never to speak of the Secretary’s personal email system again.”

  7. John Lasersohn says

    Building an email server is easy. Making it immune to dictionary attacks and other SMTP threats which either compromise the server or its performance, or flood its users with spam, is not easy at all. Nobody puts a simple Exchange Server behind a firewall without any specific SMTP security device or software (Barracuda, Dell, Symantec, etc.). I’ve worked in the technical side of this product and it’s daunting, even for seasoned security professionals.

  8. Mike says

    Disagree, big time.
    Anyone can ask somebody to set up a server; and if a poor underpaid IT nerd doesn’t dare to ask questions. Sure.
    Handling “sensitive” information includes more than just that IT nerd, and this was done knowingly and -thus- with bad intent. Bad UI or performance aren’t an excuse for that. We have policies and rules (laws) to live by, even your preferred candidate.
    @Huey: the type of classified information isn’t classified. The contents are.

  9. Nate says

    At most companies I’ve worked for (and with), there have been special servers/VPNs/other infrastructure at the boss’s house (or board members’ house, etc.). Often it violates IT policies, but they’re the boss, so you do it. And it’s understandable. The official servers are likely extremely restrictive to the point it inhibits your work. I’d certainly want my own system if I was the boss.
    I don’t know how this works for government, but in the business world this is absolutely standard operating procedure.

  10. Randi Lee Harper says

    “I’ve worked in the technical side of this product and it’s daunting, even for seasoned security professionals.”
    It’s really not. I’ve also worked in the ‘technical side’ under a subsidiary of Cisco that dealt specifically with antispam. This is why vendors exist, and why you can find those support contracts under the FOIAed emails. Heck, there are even open source solutions for antispam/antivirus that, while I wouldn’t put them into use for the government, are perfectly adequate for the average user. This isn’t a solved problem, but it isn’t rocket surgery.

  11. drs says

    AIUI, this system was meant for unclassified info, replacing the state.gov email accounts used for unclassified communication. Hillary’s classified access was via “aides print it out for me from their secure systems” or something.

  12. EJ says

    Disagree. I work for a bank – highly regulated, just like health care and the government itself.
    We go through quarterly compliance training – yes every three months. I can assure you anyone working on department of state information systems also has security clearance and goes through compliance training.
    They knew what they were doing and did it anyway, my theory is that some higher up (Clinton or direct report) asked for it and someone was afraid to say no.

  13. Erik says

    Disagree. I work for a bank – highly regulated, just like health care and the government itself.
    We go through quarterly compliance training – yes every three months. I can assure you anyone working on department of state information systems also has security clearance and goes through compliance training.
    They knew what they were doing and did it anyway, my theory is that some higher up (Clinton or direct report) asked for it and someone was afraid to say no.

    1. laura says

      I’m probably going to pull this comment out and write a whole post about it. Banks are my go-to example when it comes to “let’s just register a new domain because IT can’t do what we need them to do.” Bank email departments do it all the damn time, and they do it with mail they send to their customers. Healthcare is another one where a lot of times different departments will just register a new domain outside of the control of IT and do what they want to do with it. It’s against policy, it’s bad practice, it causes issues and it’s completely common and accepted.

  14. Erik says

    Laura, what you are referring to is called shadow IT, it’s risky and wrong.
    Yes, banks have groups who will ignore IT because either they can’t do it, or in most cases, won’t. The bank group “accepts the risk,” sets up the domain, and e-mails things.
    What happens later is that the regulators and auditors come through, find all these e-mail domains, and require them to be shut down, or e-mail archived and made available for discovery. I’ve seen it happen many times.
    Bank IT hates it when this happens because they are the ones who own the archival and discovery systems and now have to integrate a rogue domain, usually by assuming management of the domain and pulling it off the third-party vendor, costing time and money.
    My point is that setting up shadow IT is usually risky and dangerous and just because banks do it doesn’t mean that the Secretary of State can do it. Funny, that’s one of the excuses she used (“everyone is doing it, what’s the big deal?”)

    1. laura says

      It happens. So when people say “hey, y’know, I can understand how this happened” that’s exactly what they mean. They can understand how this happens because they’ve watched it happen even in, as you point out, highly regulated industries.

  15. daniel says

    Erik,
    How does “Shadow IT” get around using authentication mechanisms that are already in place (SPF/DKIM/DMARC)?

  16. David B says

    This actually makes a ton of sense to me because I see it every day with government and corporate entities that through initiative of bright people ticked off by inefficient systems end up with violations to ITAR controls for military data. Business or government department has bad system. Smart person sets up a slick website to do what is needed, but misses something on the security side. Boom. I see this each and every day in disclosures to the State Department.

  17. Al Iverson says

    The bank comments are especially interesting. I’ve worked with some banking clients who are absolutely on top of things, and I’ve worked with others who have systems that send legitimate business communication from IP addresses that don’t have reverse DNS, and they were totally confused by the concepts of SPF and DKIM and didn’t want to talk about it. Oh, the regulator’s going to catch that every single time? Sure…
