Hillary’s Private Server — What Difference Does It Make?

Early this month, security firm Venafi reported that former Secretary of State Hillary Clinton used her private email in conjunction with a private server at her house to conduct formal State Department business. It is State Department security policy that any official correspondence be done on the State Department secured system, or, under certain circumstances, military or CIA equipment.

Not only did Clinton keep her entire email correspondence outside the State Department system, for the first three months she was Secretary of State, access to her personal email server was not encrypted or authenticated by a digital certificate. During that time, she traveled to China, Egypt, Israel, South Korea and other places outside the U.S.

We have invited our own web site host, Jay Donovan of Techsurgeons, LLC, to explain the security implications.

~ Piper Bayard & Jay Holmes

*   *   *   *   *   *   *   *   *   *   *   *   *

 

Meme by Lars Larson and Jose Lopez.


Hillary’s Unencrypted Emails – What Difference Does It Make?

By Jay Donovan

As our Vice President Biden once said, “It’s a big ****ing deal.”

To understand why this lack of encryption is significant, we need to go a little bit into the tech. Don’t worry, I’ll keep it brief.

Digital certificates are used to prove that a site is run by the person or group it claims to be run by. Certificates vary in strength depending on the proof of identity submitted. Certificates are created and validated by Certificate Authorities.

With a certificate, “keys” can be created for securely encrypting network connections and files. If you suffer from insomnia, Wikipedia has a fine technical explanation of how key cryptography works.

Okay, that’s all the technical background we need. Now, let’s talk a little about how an email server without a certificate is insecure.

Without a certificate and the related keys, a mail server cannot encrypt anything. Not only would any email be transmitted “in the clear,” but passwords would be, as well. Anyone with the ability to view the information transmitted over the network path between the device and the server could eavesdrop on the conversation. This includes anyone on the same Wi-Fi network. When former Secretary of State Clinton was abroad, and she was behind a foreign national firewall or on a foreign government network, you can bet that country’s intelligence officers were monitoring and recording all of her communications.

It’s not just the link between the users and the private email server that’s insecure. It’s also the link between the private mail server and government mail servers. Without a certificate, all communications between mail servers are, again, “in the clear.”

Here’s the dirty little secret about email.

Messages are almost always stored on the servers in plain text. Anyone with administrator access to a server can read any email stored on said server. There are ways to encrypt email on the server so the admin can’t easily read it, but if the email is encoded or decoded on the server, an unethical administrator can see it. This is especially bad if the server administrators do not have security clearance.

Buying a reasonably secure certificate and configuring the mail server to require encrypted connections for devices can be done in half a day. If the server didn’t require encrypted conversations, any device that wasn’t reconfigured to use encryption would still be transmitting email and passwords “in the clear.” For safety’s sake, all passwords should have been changed during the switch from the communications being unencrypted to being encrypted.
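As an added example (not part of the original article), here is one way to tell from the outside whether a mail server requires encryption before login or merely offers it: read the capabilities it advertises before TLS starts. The EHLO replies, the host name mail.example.test and the verdict labels are constructed for this illustration.

```python
# Added example: does this mail server require encryption before login,
# or only offer it? All EHLO replies below are constructed samples.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # these send the password itself, base64-encoded

def parse_ehlo(reply):
    """Parse a multi-line SMTP EHLO reply into {KEYWORD: [parameters]}."""
    caps = {}
    lines = [ln.strip() for ln in reply.strip().splitlines() if ln.strip()]
    for ln in lines[1:]:  # the first line is the greeting, not a capability
        if not ln.startswith("250") or len(ln) < 5:
            continue
        keyword, _, rest = ln[4:].partition(" ")
        if keyword.upper().startswith("AUTH="):  # legacy "AUTH=PLAIN LOGIN" form
            rest = keyword[5:] + " " + rest
            keyword = "AUTH"
        caps.setdefault(keyword.upper(), []).extend(rest.upper().split())
    return caps

def audit_pre_tls(reply):
    """Return (verdict, password-exposing mechanisms offered before TLS)."""
    caps = parse_ehlo(reply)
    exposed = sorted(PLAINTEXT_MECHS & set(caps.get("AUTH", [])))
    if "STARTTLS" not in caps:
        return ("no-encryption", exposed)          # nothing can be protected
    if exposed:
        return ("encryption-optional", exposed)    # unreconfigured devices stay in the clear
    return ("encryption-required-for-login", exposed)

# Constructed sample: server with no certificate configured.
NO_CERT = """250-mail.example.test
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME"""

# Constructed sample: certificate installed, but plaintext login still accepted.
OPTIONAL = """250-mail.example.test
250-STARTTLS
250-AUTH=PLAIN LOGIN
250 HELP"""

# Constructed sample: login is only offered after the connection is encrypted.
REQUIRED = """250-mail.example.test
250-PIPELINING
250-STARTTLS
250 8BITMIME"""

if __name__ == "__main__":
    for name, sample in (("NO_CERT", NO_CERT), ("OPTIONAL", OPTIONAL), ("REQUIRED", REQUIRED)):
        print(name, audit_pre_tls(sample))
```

The second verdict is the case the paragraph above warns about: the server has a certificate, but any device that was never reconfigured keeps sending its password unencrypted.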

 

Clinton had none of these protections when transmitting State Dept. communications.


And the grand finale – why former Secretary of State Clinton’s email server made classified information ripe for the picking.

Having read the above, you’re probably a few steps ahead and realize that the idea that Secretary of State Clinton did not receive classified information on her phone is implausible. In her press conference, she made a specific reference to classified documents. Technically and legally, there is a difference.

Classified documents are generally physical documents and have specific handling procedures. Classified electronic documents are on a separate network and require clearance – this is why Edward Snowden’s ability to copy what he did is such a big deal. He breached the security on the ‘secure’ network.

There are many classified mailings that go out, including daily status reports regarding the assorted diplomatic hot spots and troubled areas. It’s just inconceivable (and yes, I know what the word means) to think that not a single classified email was sent to the Secretary of State.

And if her email password was not changed regularly, someone who grabbed her password when communications were insecure could simply have set up an email program to log in to the server with Sec State Clinton’s email credentials and copied every message sent or received from her account.

 

This guy and thousands of his friends are on the job 24/7.


My feelings regarding SecState Clinton’s private email server are best described by the German word “fremdschämen.” The word means “vicarious embarrassment,” as I’m embarrassed for the people involved with the creation and use of a dangerously misconfigured email server.

*   *   *   *   *   *   *   *   *   *   *   *   *

Jay Donovan of TechSurgeons, LLC, has done it all, from remotely debugging the Internet connection for a US aircraft carrier deployed to *REDACTED*, to building the servers & networks for one of the largest Internet sites in the world. He’s trained as a Certified Ethical Hacker and always uses his geeky powers for good. When he’s not neck deep in wires and computer parts, you’ll find him hanging out on Twitter as @jaytechdad or on Facebook. He is the co-founder of TechSurgeons, LLC and can be contacted at jay.donovan@techsurgeons.com.


13 comments on “Hillary’s Private Server — What Difference Does It Make?”

  1. Good explanation. It is a big deal.
    Either she doesn’t understand technology, she’s lying, or she’s got bad judgement. None are good for a person running for any office.

  2. Mike Lince says:

    As I understand it, Secretary Clinton may have been careless with security procedures and she could have been hacked, possibly over a three month period about seven years ago. That is a lot of maybes. What we know for sure is that she was guilty of poor judgment. I do not think that would distinguish her from other elected officials, appointees or bureaucrats in our government.

    I can see where this issue would be of concern to techies. For the rest of us, this situation is like getting a speeding ticket. Okay, I’ll slow down.

    • Jay Donovan says:

      Thanks for commenting Mike.

      There’s no “may have been” in terms of carelessness. She absolutely was careless with security for that three month period. After that is in question.

      If you think this is only a concern to techies, you might want to excuse yourself to zip up as your partisanship is showing. 🙂 My peers on the left are actually more unhappy about this than those on the right. Those on the left are embarrassed by the stupidity, while those on the right are saying “typical Clinton.”

      • Mike Lince says:

        Like many on the Left, I will take a page from the Right’s playbook when the best they can do is put forward a Romney/Ryan ticket. I will hold my nose and vote for the Democrat. What choice do I have? The Right’s frontrunners so far are Jeb Bush and Scott Walker. Ugh.

  3. Don Royster says:

    This is, of course, troubling. Why would someone with her experience have made such a stupid lapse in good judgement? Makes me wonder how well the State Department Security people briefed her. The second question I have is has she learned from her mistake.

    This does not mean that I won’t vote for her. I probably will. But I think she owes us a decent explanation. Even one where she says, I made a stupid mistake. I’ve learned my lesson. Now let’s move on.

    • Jay Donovan says:

      Agreed Don. Her press conference was a mess. I’d love to see an interview with her and the folk that set it up.

      I don’t have the slightest expectation that she knew the security requirements to set up the server. Those questions are better directed to those who set it up.

      However, there are many troubling questions far beyond the small slice of this incident that I didn’t go into because they go beyond the technical and into the legal and political.

      • Don Royster says:

        The thing that scares me is that all the potential Republicans, with the exception of Jeb Bush and Rand Paul, are itching to get us into a war with Iran. And that scares the dickens out of me. Everybody forgets the Iraq-Iran War that Saddam Hussein thought he would win easily. The Iranians threw thousands of ill-equipped young men into battle. All that reminds me of the Korean War when the Chinese entered. I see more of an advantage with making peace with the Iranians than I do following a strategy that provokes them. But with Netanyahu winning the Israeli election, it looks like we may find ourselves in a war soon since we will be doing his dirty work.

        • Piper Bayard says:

          Iran is determined to have a nuclear weapon and is close to achieving that goal. Iran also busied itself chanting “Death to America” at demonstrations led by their Supreme Leader just today. Iranian leaders have loudly and consistently proclaimed for a long time that its raison d’être is to be the sole Islamic Caliphate on the planet and to destroy Israel and the West. They are right now violating the Interim Agreement they made that was supposed to apply during these negotiations. Iran does not want to make peace. It wants to buy time.

          The time to neutralize Iran without a big fuss is past, and once it has nuclear weapons, it will only be worse. Pretending Iran is in any way an ally or even a good faith negotiating partner is to be oblivious to the bare, consistent facts of Iran’s behavior, words, and actions for the past several decades.

          Americans (not just Republicans) who see this are not eager for war. We are eager to stop Iran from obtaining nuclear weapons, which they would no doubt use to further their unwavering imperialistic goals.

          As for the fear factor, keep in mind that our military has done nothing but clear its throat so far in the fight against ISIS. The Iranian military is in no way a competition for the US if the politicians would allow the generals and admirals to fight the wars instead of the bean counters.

    • batousan2014 says:

      Precisely. She is going to let this story continue by ignoring questions, all the while playing the victim. And it won’t matter because her voters either don’t know or don’t care.

      Not an idiot. Not a saint. A liar and a hack? Maybe.

  4. She knew what she was doing, it’s out of the bag now, and come election time, whatever clown the GOP puts up against her will look petty and redundant when he brings it up.

    Good for her. At least we know she’s not an idiot.

    JMJ
