Monthly Archives: March 2016

Hillary Clinton’s Home Server: It’s Really Not About the Emails

A recent article posted in the Huffington Post (http://www.huffingtonpost.com/h-a-goodman/why-did-hillary-clinton-need-a-private-server-the-answer-makes-bernie-sanders-president_b_9397304.html) got me thinking: it’s really not about the emails – its about the network she used away from the State Department offices.

So as to keep the ‘geek speak’ to a minimum (and please, this isn’t about partisan politics: it’s about the network and security that’s being used) here’s the deal,…

The point this article brings up is that Clinton never once utilize her government issued email address – in fact, no official state department email addresses – was utilized by her during her tenure as Secretary of State. The Secretary instead utilized her private e-mail to conduct official state department business.

This naturally lends to several key questions – these being the following:

1) Private or Public service? Utilizing a private service / server in the conducting of official business leaves open questions of propriety: did any ‘spill-over’ take place? Did any (for example) Clinton Foundation work spillover into official State Department? Rule of thumb is (as many of you would agree) separate e-mails insure (for purpose of e-discovery) a separation of business and private work in the event of any legal actions. If there were private / foundational emails on the very same server (and using the same e-mail address; more on that shortly) then in the event of legal discovery it would leave open the possibility of classified e-mails being accessed in the course of answering a legal action.

Also, it all leads open the elephant in the room: how much work was done on the server that was foundational versus that of official state department business? Did ever the two get mixed in? One approach would be to have two totally separate servers utilizing a single switch: the two servers would be on two totally separate ‘virtual’ networks (an industry standard) and thus there would be no question of anything ‘spilling over’ while insuring far superior security. This is network management 101; was this done? And this is important to ask for,…

2) Was practicing safe emailing conducted? Separate e-mails create a ‘firewall’ in terms of keeping things said in the course of official business from that of anything that could be contrued as ‘classified’. With one using the same e-mail for governmental, private work or even personal work, such a practice can lead to potentially confusing scenarios (‘hey, where’s that e-mail about the latest bombing raid? Oh, its next to the e-mail about getting that new sofa we ordered for the living room’ and that meeting we got regarding the foundation). And speaking of e-mails,…

3) Got good security? You got some pretty big wolves out there in the Internet and frankly, it’s probably a good rule of thumb to insure a greater (note that I did not say complete) level of security. Every computer – regardless if it’s a Power Edge Server or a more modest system – has some 65,000+ ‘ports’ that are readily targeted by hackers.

Given the fact that Clinton uses a private server at her home I’d be willing to wager that her home server / network was, at some point, successfully hacked; it’s just the odds. On average there are over 50,000 types of ‘malware’ and ‘attack software’ developed every day (Don’t take my word – Google it; incredible). Think about that for a minute and let it sink in,…

And BTW: did anyone ever conduct a ‘pen test’ – a penetration test – to insure that the home system was secured? I’d be curious to know if the IT staff at State did their due diligence and kept a log of their security checks as they are required to do so (standard professional practice).

And understand this: with all the malware out there, if the Secretary was conducting any business at all – state department, ordering home furnishings or foundational work or whatever – then all it takes is one (1) bad e-mail with a virus / malware / bot – to truly wreck havoc. More often than not, not all anti-virus systems catch every ‘bad’ software that’s out there. Nobody and nothing is totally perfect or secure: its the nature of the software security beast.

4) What are the hardware and network schematics? Love to see the network schematic. I’m curious: was there a Cisco (or even Juniper) switch installed on her home system? If there was (and I would expect it to be) odds are (as recently reported) Cisco switches (the industry standard and most prevalent) were exposed to have a ‘zero day’ exploit – the very same exploit that virtually shut down the Australian national network not too long ago (seems as though somebody at the Cisco factory literally installed a “back door” – and then failed to mention it, leaving it wide open for access!). We can naturally assume that there was some kind of DMZ – i.e., a server (usually a proxy server or some such thing) placed on the ‘edge’ of the home network that would require to be accessed before the server containing the actual emails was accessed.

5) Adhering to federal records requirements. According to the article, if there are some 33,000 e-mails deleted, this is not good; this would be in clear violation of Federal records management standards as unless there is a duly submitted and processed ‘records destruction request’, then deletions are considered illegal. Bad enough that the creeps during the recent Bush administration did this; no reason to excuse another’s actions just because the creeps (who rightfully belong in jail) did so. Two wrongs don’t make a right.

6) Why not letting somebody else assume the responsibility and the blame? Assuming that the Secretary of State purchased the home server and network on her own dime, why not instead let the government professionals and the taxpayer pay for all of this? Save money, time and hassle. Avoid all of this nonsense and be assured that if things do go south, it’s not the candidates fault and thus avoid the hassle of this entire subject matter.

7) Any backups? In the event of a power surge, a lightning strike or some other act of God taking place at the Clinton home, were there any backups conducted with regard to the home server so that any official emails wouldn’t be lost? If so, where are those backups and how are they secured? Are they backed up on tape? In the cloud? In another server? And how are those back ups (if any) secured? And if there are no backups, what the hell: don’t we want to insure that we don’t lose official state department e-mails that could be important for future reference?

In the end, that’s what this all is: a distraction. There’s a lot to be done and a lot to be focused on, but frankly, somebody wasn’t thinking when they undertook this approach of using a dedicated home system: it only raise more questions than answers.

Put it this way: I don’t think a private financial firm or a health service would utilize a home server in the course of conducting business.

In the meantime, I truly hope that nothing comes of this – and that somewhere out there, we won’t later hear about how Clinton’s home system was hacked and the resulting exposure akin to a ‘Snowden’ effect, with classified state department e-mails spilling all over the internet. After all, far bigger players – both private and government – have been hacked.

As to this issue insuring Sander’s getting the Presidency? Well, I personally think it’ll take more than just what’s being said in here – but it certainly does not diminish the importance of the issue and does indeed raise a series of concerns, especially as it relates to matters of national security.

Please set aside your partisan arguments or denouncements; I’m merely asking some basic 101 hardware and software questions that are standard for anyone working within the realm of computer security, particularly as it relates to higher level governmental service.

These points need to be answered. As a taxpayer (and a professional) I’d like to make sure that nothing comes out of this that would hurt Clinton’s fair chance at getting a higher office, nor expose me or my community to any dangers lurking by way of individuals seeking to harm my country.

But if this is turns out to be standard practice by Mrs. Clinton, I have to ask: what else is taking place and are we all being placed at risk?

Advertisements