
I agree. It's like Hillary Clinton's use of a private email server shows she's too clueless to be president.


Hillary wasn't using some AOL account, she was using a private server configured by a private security firm. On one hand, I am betting her e-mails were much more secure than the CIA director's. On the other hand, the amount of effort and thought put into acquiring a secure alternative to a government e-mail account makes it far less likely that her motives for doing so were simple ignorance.


Scans claim that server had ports open for RPC and VNC, so that's an open question. I know there was a VNC authentication bypass[1] some years back so we may just have to wonder given that we don't know for sure what it ran or if anyone noticed.

[1] It was a really dumb bypass, too: Client: The authN methods I support are: [empty list]. Server: Ok, let's just skip authN.


ISTR it was more like:

Server: I support the following auth methods ["password"]

Client: Cool, let's use "none"

Server: Okay.
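A small simulation of the negotiation the two posts above describe, added here as an illustration and not taken from the thread or from any VNC implementation. It assumes the RFB 3.7-style handshake where the server lists its security types by number (1 = None, 2 = VNC Authentication) and the client answers with one byte; the point is the check the server must make on that byte.

```python
# Added example: RFB (VNC) security-type negotiation, flawed vs. hardened.
# Security-type numbers are the real RFB values: 1 = None, 2 = VNC Authentication.
SEC_NONE = 1
SEC_VNC_AUTH = 2


def server_offer(supported):
    """Server -> client: a count byte followed by one byte per supported type."""
    return bytes([len(supported)]) + bytes(supported)


def parse_offer(offer):
    """Client side: decode the server's list of security types."""
    count = offer[0]
    return list(offer[1 : 1 + count])


def client_choose(wanted):
    """Client -> server: a single byte naming the chosen security type.
    A well-behaved client picks from the offer; a hostile one sends anything."""
    return bytes([wanted])


def negotiate_vulnerable(supported, choice):
    """The flaw from the thread: the server acts on whatever type the client
    names, so a client answering 'None' skips authentication even though
    only VNC Authentication was offered. `supported` is never consulted."""
    chosen = choice[0]
    return "no-auth" if chosen == SEC_NONE else "password-required"


def negotiate_hardened(supported, choice):
    """Correct behaviour: the client's choice must be one of the types the
    server itself advertised; anything else ends the handshake."""
    chosen = choice[0]
    if chosen not in supported:
        return "rejected"
    return "no-auth" if chosen == SEC_NONE else "password-required"


def run_exchange(negotiate, supported, client_wants):
    """Drive one handshake: server offers, client answers, server decides."""
    offer = server_offer(supported)
    assert client_wants in parse_offer(offer) or True  # hostile clients ignore the offer
    return negotiate(supported, client_choose(client_wants))


if __name__ == "__main__":
    # Server offers only password auth; client asks for "none".
    print("vulnerable:", run_exchange(negotiate_vulnerable, [SEC_VNC_AUTH], SEC_NONE))
    print("hardened:  ", run_exchange(negotiate_hardened, [SEC_VNC_AUTH], SEC_NONE))
```

The detection side is the same comparison: a server log showing a session proceeding with security type 1 when the configuration never enabled it is the signature of this class of bug.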


You could be right, it's been a long time since I looked at that one. I just remember that the client claimed not to support any authN methods and the server decided that was just fine.


I remember reading that article about the open ports and distinctly recall they left out whether or not this was public facing. Not that it justifies anything, but it wouldn't be egregious.


It was found by someone scanning the internet at large and publishing results. Someone else went through that data long, long after the fact and looked to see if they'd ever scanned her servers. Because of that background, the public was able to see the ports--they would not have appeared in the scans if they were non-public.

But that doesn't mean she actually had VNC or RPC software actually listening on those ports, or that the software that was listening (whatever it might be) was actually vulnerable. It might be more likely than not that it was vulnerable--I mean, that's why security people look for things like that to begin with--but false alarms aren't exactly uncommon, either, and my customers have proven to me that there's no shortage of bizarre server configurations in the wild.


By the same standard we should count people using SSH and TLS (really: about any given protocol) as clueless, as implementations of both have had wide-impact remote vulnerabilities.

I agree this all is testament to widespread cluelessness, but more on the software industry level...


I don't believe I claimed anyone was clueless, that they were actually vulnerable to any known issues, or even that VNC or RPC were actually running on those ports. As far as I know, nobody knows any of that.


Mea culpa. Too much firewall angst I guess!


Doesn't vnc use a plaintext password limited to 7 chars or something ridiculous?


Setting up a private email server was actually allowed by the official rules at the time. I have no idea why that was the case, but presumably they had some reasons for creating that exception. Honestly, that's the real question IMO.

PS: I also wonder how this worked in practice. I mean I would assume top officials' spam rules were set up to ignore hillary@somerandomdomain.org due to spoofing if nothing else.


First I've heard of this rule/exception, got a link to any docs validating this claim? If true, it flies in the face of everything on the books with regards to mandates/rules/regs for ensuring secure communications for high-level government officials.

Quite interested, as I've been watching this one closely, especially with regards to retro-active changes allowing for an escape from previously committed illegalities.

I fully expect a presidential pardon to be the end-game on this one.


Not the actual regulations but:

Hillary Clinton's use of private email not unusual, but still raises questions. http://www.latimes.com/nation/politics/politicsnow/la-pn-hil...

Other government officials, and Secretaries of State before her, had also used private email for official business, and experts agree that this is allowed by federal law in case of emergencies.[25][8][26] The State Department declined to answer questions about whether the private system was widely known within the agency or officially approved.[21] https://en.wikipedia.org/wiki/Hillary_Clinton_email_controve...


Because DoS's email system was crazy ancient at the time (maybe still?), and the rules allowed the boss some leeway. In terms of security and government IT, 2008 was a long time ago.


It is incredibly commonplace among politicians and even public servants to use private email accounts for work to act as a shield for FOIA-type laws.

Even my public University's president used a personal account in order to avoid student activist groups getting his email.

Sarah Palin used personal email (I think also AOL, actually) in her tenure as governor of Alaska.

Everyone, on both sides of the aisle, and all the way up and down the hierarchy does it. Absolutely everyone. Probably everyone has at some point in time. Probably even Bernie Sanders.

If you want to find out who, start sending FOIA requests and see what comes back empty.


"Everyone ... does it."

So that excuses it, right? When a bunch of people that don't matter do it, you're right, I don't give a shit. When it's our Secretary of State, one with access to all kinds of Top Secret material, I do however very much give a shit. If national security regulations don't apply to our top leadership, then what the fuck do we have them for?

The reason those laws are there is exactly for people like top leadership, because you and I aren't going to run across top secret documents in our day to day... UNLESS some asshat does something stupid like this.

Scope of damage is an important concept when it comes to government versus private sector. Scope of damage for private sector is a "Sony" - possibly implosion of the company, but it generally stops there. Government however is the safety of every citizen in the affected country.

HUGE differences on the damage scale.


>So that excuses it, right?

Did I say that, `zer0defex`?

>When a bunch of people that don't matter do it, you're right, I don't give a shit.

Why not? Do you think that local government and other public servants should be able to hide corruption, suppression of dissent, or other unsavouriness behind personal email accounts?

>HUGE differences on the damage scale.

The only thing on the scale is that our entire political system is corrupt.

That said, the focus on Hillary is a function of right-wing media hacking, and I think it's important to note that EVERYONE DOES THIS, THE WHOLE SYSTEM IS FUCKED, etc..


Yes, and also incredibly illegal.


Another big difference is that this is his personal email. Not his government email. Hillary set up a personal email to function as government.


Which doesn't make it any better. At all.


If he has classified documents, not better. But so far none have been.


I trust AOL more than some random shop when it comes to system security though. She may not have been vulnerable to some password reset hack, but that doesn't mean the server wasn't set up with other poorly secured services.


In the spirit of the other commenters, never underestimate the intelligence of a career Machiavellian who has risen to considerable power within the most powerful nation on earth.


Can't upvote this hard enough, it didn't take four whole posts for people to start calling Hillary by name in this thread.


Any executive position is a generalist role that ultimately depends on one's ability to play politics with the stakeholders. Clinton's emails are perhaps an example of why she should not run an intelligence agency, but POTUS is different. A president doesn't have to be an expert in everything, that's what the cabinet is for. If someone goes through considerable effort and expense to host a private email server, then perhaps the reason could be attributed to something other than cluelessness.


Not really. From public accounts, State was running back level Exchange 2007 with tiny mailboxes with administration from some useless contractor. The Russians probably read the mail before the employees did.

It's very common for senior execs to play all sorts of games with email. If you see folks carrying legacy Blackberry devices today, they are doing something similar.


This has been my position for a long time.

No one has been able to convince me that the Exchange servers run by State are inherently more secure than her private Exchange server was.

The open ports are what one would normally expect to see open, based on what I'd read even.


The issue isn't using her own private email server. The issue is whether she violated federal record keeping laws. We can only trust (since she says she turned over everything) that all emails were preserved.

Some of the laws in question here carry prison time:

http://www.npr.org/sections/itsallpolitics/2015/04/02/396823...


It will be interesting to hear Hillary Clinton's take on this.


She'll tell you it's "a distraction".

