A technical look at the Clinton email fiasco

Clinton greeting troops
Secretary of State Clinton in 2010 - image by Corwin Colbert, MC2
A friend contacted me recently asking for my take on an article on Politico which included details of the email setup Hillary Clinton used while she was Secretary of State. I wrote a long series of responses on social media, which I'm going to post here. To save you time if you're not interested in the technical details, I'll summarize my thoughts first. But if this whole saga has taught us anything at all, it's that you really should be interested in the technical details!

So the short form:
As a technical person, I know one person can run a fairly secure setup. Clinton's email server appeared to be just that - fairly secure for a one-person operation. It clearly should have been much more secure. On the other hand, the depth of technical non-prowess at State seems to mirror what we routinely hear about with government systems, like the VA or the original ACA (Obamacare) setup. I should be clear that the IT people might be very competent indeed, however, the systems they are working with clearly are not. Although there may be a very high level of technical security on some of their systems, this comes at such a cost of usability that everyone just bypasses them, creating many new and different security holes. Overall the whole setup, inside and outside, sounds like something an organization that knows that it should care about security would do, if it wasn't willing to spend the time and energy to actually make it right. Much of this seems to be because management didn't know enough to ask the right questions, and the tech staff weren't aware they needed to be taking this more seriously than they were. A little too much 'git er done' was happening at all levels.

Now the longer form, which is copied in large part from a facebook exchange. The original question from my friend was 'interested to know your response to this Politico piece about Secretary Clinton's email server set up.'

Let me start by saying that I have worked in government, and the 'don't put anything in a device that can be subpoenaed later' mentality at state is pervasive in government, at every level. It makes a mockery of FOI. I was once told to write my comments to certain documents we were required to retain on post-it notes so that they could be removed before we stored the docs.

From the Politico article:
Colin Powell told her to choose wisely and not to create an unnecessary paper trail. He said if it became "public" that Clinton had a BlackBerry and she used it to "do business," her emails could become "official record[s] and subject to the law." As Powell said: "Be very careful. I got around it all by not saying much and not using systems that captured the data."

On the subject of computer security, there are a couple questions you ask when setting up a secure computer or server. One is 'is it on the internet'. Obviously a mail server is, so you need to lock that baby down so people can't hack it. The second is something people think about less often: who can actually walk up to the computer and take it? I think they made a fair call on putting the servers in the basement - I'm assuming Clinton's house is pretty darned well locked down again breaking and entering (I could be wrong, but it makes sense). It depends how many people have access to the basement, but in general you would notice pretty quickly if the hard drive was gone, so in general that seems like an OK (or as the tech guy put it, a 'B+') solution

"On March 18, 2009, Hillary Clinton stopped using her longstanding email, hr15@att.blackberry.net, and switched to a new account: hrod17@clintonemail.com. When she switched accounts, all of her old email disappeared - including all of the email from her first seven weeks as secretary of state. To date, neither Clinton nor the FBI have located any of her email from that period." AT&T would have reprovisioned that storage immediately, and overwritten it with new data shortly thereafter. So the only way to get those mails would be from her blackberry, which it sounds like was turned over fairly quickly (she changed devices a lot). Most likely wiped before being given to the next person. Theoretically they could have thrown it out or something, but the tech guy sounds practical, so I'm guessing he would have handed it on.

I read on, and discovered it was something different: "Cooper recalled disposing of old devices by breaking them in half or hitting them with a hammer. "

picture of a very small oblong device with a screen and single button
An example of a 'fob'
This image shows a "fob". It generates a secure code every few seconds. You use a password plus the code to access secure data (like my PayPal account, which is what this fob is used for). The article noted that "The fob system that was supposed to allow access to email outside the building - whereby employees would enter a special key or token to confirm their identity - was slow and prone to shutting down inconveniently. "

Throughtout the article, Clinton's lack of tech savvy was reiterated. I noted to my friend "The funny thing is, I bet NOW Clinton is an expert in all things email tech. I bet she now could talk the theory (I'm not saying she could set up a server) at a very high level."

I will say one thing - although it would be very hard for one person to adequately secure a mail server to the level required for the Secretary of State, it's not at all clear to me that the teams of IT people at State proper were doing a better job. This article reads like keystone cops. And sloppy systems lead to workarounds lead to security holes.

This bit is important: "He also never installed what was known as Transport Layer Security, which would have encrypted messages as they passed between the Clinton server and the State Department's servers, telling the FBI that he figured there wasn't a need for encryption on a "personal" server." From a site called intermedia that offers email services:

Transport Layer Security (TLS) Every day, you send emails to people with the assumption that it's for "their eyes only", as James Bond would say. But here's the problem: most emails are sent across SMTP ("Simple Mail Transfer Protocol"), and SMTP messages are actually relatively easy to intercept. This is why you need TLS. TLS is a protocol that ensures privacy between applications and users. It ensures that no third party can intercept, tamper with or eavesdrop on an email. When you enforce a TLS protocol in your company, you are protecting yourself, your users and especially your customers. This is especially important if you're in a regulated industry. But not everyone knows this: according to recent research from Google, only 50 percent of incoming messages and 35 percent of outgoing messages are TLS encrypted. By default, Intermedia's mail servers are configured for "opportunistic TLS", which means the system accepts messages over TLS and attempts to send messages over TLS if the recipient will accept it. (If the recipient does not allow TLS, opportunistic TLS falls back to an unencrypted protocol.) There is a stronger standard. It's called enforced TLS. As you might have guessed, with this standard, there is no fallback to an unencrypted protocol.

I hadn't realized Bill Clinton's staff also had accounts on the machine. That was a security hole as well - every account offers an access point. But some of the biggest security fails come after she leaves office, and they move the email to new servers, located elsewhere. Clearly those administrators at Platte River Networks had access to everything, and although their security setup was probably quite good, they also sent stuff to the cloud (i.e. remote servers elsewhere) and were probably paying less attention to the day-to-day security logs.

In closing, let me note that everything here is my personal opinion.

Please let me know if this has been helpful! If you've found this informative, please tell everyone about it!