Sorry about jumping ahead by posting to your comment but it is necessary to point out that this post is ripe with Clinton Derangement Syndrome. In fact, I found it so disturbingly lacking in fact and truth that I felt compelled to register on this site in order to get the truth out.

Just read this Newseek article, "How 'The New York Times' Bungled the Hillary Clinton Emails Story" (I haven't learned how to format on this site, yet), which explains the whole Clinton emails, criminal charges, Inspectors General, etc., brouhaha. There's no there, there people. It's simply another hit piece against the Clintons by the NYT.

Thanks in advance.

It was about the state department releasing confidential information from her emails. That's the missing fact.

From the Times article:

I know that people *say* it isn't true. I also know that the NY Times is quoting government officials - fabricating those quotes is unlikely.

Not the mark of a truthful article. NYT not quoting goveernment officials. Justice Dept. totally denied they were referred any criminal case against HRC, or do you only pay attention to the bad stuff said about her and ignore the rest? That's the way it looks.
BTW, I'm a Bernie supporter.

They made a mistake, and fixed it. But that doesn't change what seems to be the case, that Clinton's private email server contained emails with classified information.

They did not refer Clinton for criminal charges as you allege. Facts may be inconvenient for political theater, but they are still facts.

This whole smear campaign against HRC by the NYT is about a Freedom Of Information Request for emails already in the possession of the State Dept. and the release of these emails that could now, repeat NOW, be deemed classified. And if the emails are now determined to be classified, they should be redacted before release via FOIA requests. The emails weren't classified at the time of their handing to the State Dept. As such, there is no criminal investigation; there is no malfeasance on the part of HRC; there is no there, there. This is simply misleading information given to the NYT by Reupblic operatives to, again, smear HRC. And, I'm sorry to inform you but you bought this stroy hook, line and sinker.

The Newsweek articles claims that nobody is directly claiming that Clinton sent classified info, but The Times article states:

It just didn't get into the weeds on this bogus story. Two separate gov't. agencies dispute whether documents should be classified. On the one hand you have the Intelligence Community Inspector General which believes the emails and many more should have been classified from conception. On the other hand you have the State Dept. that doesn't think so. So you have turf wars, basically, over who gets to decide what should be classified and when. A FOIA request is made for HRC emails, already in possession of State Dept. and considered unclassified by State Dept. Suddenly NYT reports not only that HRC possessed classified emails (because IG said they were classified, not State Dept.) on her personal server but that there is now a criminal investigation into her handling of emails.
Total smear job by the NYT.

at the time of release:

Give it up!

raised by Republicans, and she cannot just say 'give it up' in a debate, can she?

We need a candidate who can wipe the floor with Republicans on every issue that is important to the American people and who has demonstrated how easily he handles the Corporate Media's attempts to distract from those issues.

on trying to discredit good candidates? I do not know the answer to that.

who are quick to point out their refusal to do the party pledge thing.

So, that kind of makes the opposite point...

Though I don't know the topology of this so I can't say for sure.

I can tell you that the hackers these days are not concerned with small targets. They want the money, and the money can be found where there is a lot of data. Mrs. Secretary Clinton's server was a microscopic fish living in the ocean for them.

When our own NSA trolls even private citizens with no connection to the government you really don't think other countries would hack into an ex-President and his SOS wife's private network. Other countries aren't interested in your bank account numbers and passwords, they are interested in government data. Sometimes small targets are the richest.

How's the weather in dream world?

How does one figure that one out?

So tell me how does one find out what domain a specific person is on without even having an email address, as I am sure that China did not have.

How's the weather in paranoia land?

Really it's not that hard to find out. She sent thousands of emails to hundreds of people. Do you think they were all loyal allies?

They were loyal. Are you now telling me that the security checks that are done on our ambassadors are flawed, and the agency that runs them? Interesting.

the Chinese ambassador or Premier, or any other counties leader(s)?

Where did I ever mention our ambassadors, which incidentally were using the proper government servers?

The simplest is to go through the domain name. Every email has to have a domain listed after the @ symbol that is linked to the mail servers. It's not that hard to find domains for specific people. Every domain name has contact information for people that setup and maintain the account. All you need to know is the name of the person you're looking for or the names of associates that would have set it up (staffers, IT people working for that person with clearance). Or you can search via phone number, contact address, etc. Once you identify the domain name you can do a whois lookup for the full contact information to verify. All of that is public records.


Alternately if they're using a .gov email address then you can narrow your search to those and look for .gov names related to her name or position.


Once you locate the domain name for the emails you just have to nslookup the ip address of the server the domain name points to. You can check for open smtp ports to verify it is an email server.


This is all rather trivial. Most IT people could do it with a little patience and some basic personal information. Finding a server is the easy part. This is just one of many ways to do so. The hard part is getting into them (assuming the people setting them up are semi-competent).


There's an IT saying: "Security through obscurity is no security at all". Hoping someone doesn't find out where your server is isn't how things are protected on the internet.

Some are economically-motivated. Like you describe.

Some are not.

After the server was revealed, it was also revealed that the VPN appliance was using the default encryption keys. So we can be pretty sure at least China and Russia got in. Their hackers are not hacking for profit, but for old-fashioned espionage.

I hope whoever was managing her network doesn't have a job. They don't deserve one. Especially the keys on a Cisco appliance. Cisco probably has their own back door into them any way. I am no Cisco expert, but I certainly would have changed the default keys.

violating the law to be safer? Are you aware of what actions would be taken against any government employee lower than a GS-15 would be for using private email services to communicate government business? But I guess H. Clinton gets special compensation because of her popularity with the ruling oligarchy.

The rules didn't change until 2014 IIRC.

were going to run for President do something so questionable?

Such poor judgement does not look good on a resume. Nor is this her first incident of poor judgement.

Bush and Cheney were found to have separate email and emails servers during their time as President and VP. They destroyed the PC,s totally before anyone could see what they were doing. What happened to them - exactly nothing. It's only a problem when a Dem does this, Repugs do all the time with no consequences. That's why people aren't concerned about this except the HRC haters.

we ain't them. And for those that have nothing better to argue with than calling those with whom you disagree, haters, your desperation is showing. As for me, I am a hater. I hate the oligarchy. You know Goldman-Fracking-Sachs and the Wall Street Gangsters. Now some her like the Wall Street Gangsters because they are wealthy and wealth equals success. Am I right?

There is a populist movement world wide to throw off the chains of Oligarchy. Dare to join us and fight for our Democracy and freedoms.

But I'm not buying the story that she didn't know what was classified and what wasn't.

She's either very naive or very Machiavellian, and either way, it isn't good.

the stuff got retroactively classified.

This material was classified at the time, and still is today.

Or she knew it wasn't secure but went ahead and kept using the private server anyway.

Either way, it looks bad, this isn't some Benghazi type fishing expedition.

It may be true that there is no criminal liability involved here but that doesn't mean there isn't a boatload of piss poor judgment on display.

the decision to use a private server. Of course regular government workers would be fired immediately if they did what she did.

Out of 1.6 million?

Once n gets to be around 300 or so the sample, if honestly random, will have a very small MOE. The size of the population, provided it is sufficiently large, is irrelevant to MOE. MOE is figured out by taking 1.96 (if you want a 95 percent certainty) and multiplying by the sample standard deviation divided by the square root of n (sample size). If n is 40 you are dividing by about 6. If n is 300 you are dividing by about 17. If n is 1064, you are dividing by about 33. In other words, you have cut the size of the MOE by almost 3 when you get to 40, and by a bit over 2 when you go from 40 to 1064. A standard poll for the entire US, that isn't trying to give subcategories, will have around 500.

Succinct and clear light on the power of stats. Thanks!

by most willing to argue, loudly, about sample sizes of 1,000.

That's a moving target day by day (a document that is SBU today may be Class tomorrow, and then back to SBU the next day).

It's a really arcane and byzantine system that we need to rip up and start over on. Case in point: there's really no such thing as "classified information". "Documents" are classified, not the information contained in them. Back in the Marines, we had some daily incident reports that we all wrote down in notebooks. Those were unclassified (though "Sensitive&quot when they were in our notebooks, but the exact same words became classified once I typed them into a spreadsheet on the platoon's laptop. It's stupid.

And not a private one...so that is you don't know no harm is done.
Poor judgement at the least.

If there were classified emails going to that account, it's a problem whether it was a private server or a Government server. There is a classified network and an unclassified network and never the twain shall meet. If a computer can read classified emails that's all its supposed to do; you have to go to a different system to even use the Internet.

Store it on a State Department server, and State's IT people are to blame.

Store it on her own server, and it's her fault. Even if someone else emails her a classified document leaked by Manning.

to an insecure address. Particularly since it has to be tagged as unclass to even go to or from the mail server to begin with. People can and do misplace classified, but that has nothing to do with where her server was.

Someone emails her an excerpt from something Manning leaked, and that's a breach. She put classified on an unclassified system by storing her email on her own unclassified system.

Any security or legal professional will know that mingling business and personal communications - especially in position with a profile as high as Secretary of State of the United States - is extremely risky and unwise, as we have just seen: 10% of Hillary's communications contained classified information and she wasn't even aware of it.

That's acting above the very Agency/Department you purport to work *for*.

Just shows how much juice Sec. Clinton had when *NOBODY* at State or in the Oval Office can advise her to stick with the Federal email system.

an unforced error. No matter what Hillary turns over, the Republicans will claim something is missing and then shift into Whitewater or Benghazi.

Look around!

By the Republicans in the General Election. This is not to say that Hillary F*ck Up with the emails but I am not happy with how she is handling the issue. If there is any "Real" problem with her Home E-Mail servicer then now is the time to clear it up.

First, we had a breathless scoop that there was a request for a criminal investigation in regards to Hillary Clinton's use of email. Then, we had an edit, without any note about the edit, that no there was a request for a criminal investigation in regards to the state departments handling of the emails.
Now we have a correction, with a note, that no there really isn't a criminal investigation being requested at all.

Now as to the classification issue and the sample of the email. No where is the word random sample used, nor does anyone say who did the sample or why. That makes a pretty big difference. There is also the issue of retroactive classification. In other words, the issue isn't that Hillary didn't know the stuff was classified it is that the stuff wasn't classified. This would be like a cop clocking you going 70 in a 70 zone today, the city council changing the speed limit to 20 tomorrow but making the change retroactive to today, and then writing you a ticket for going 50 over the speed limit based on his clocking you at 70. But other than all that, you have it completely correct.

So the sample is based on what the State Department itself picked.

And no, it's not a matter of retroactive classification here:

"the inspectors general of the State Department and the nation’s intelligence agencies said the information they found was classified when it was sent and remains so now."

and make you say anything I like. Yes, they do have to sample what the department turned over and not emails they don't have. But they chose 40 out of 40,000 and did Gowdy's committee choose these, if so, then I frankly don't think it was anything like a random sample of the 40,000. Also, even if it is a random sample, the n is so small that the MOE on an estimate of what percent of the email had classified info would be huge. As to your second point, frankly that is according to the times who have been repeatedly incorrect. Unless, and until I see confirmation from the inspectors themselves and not the anonymous sources the Times are relying on I won't believe them. The fact is, apparently the retroactive classification is quite common.

to his inspectors general. But he won't.

as are presumedly the investigators. I guess Kerry could do what Jeb Bush did, and just put it all out on the net for the word to see but God help us if Obama's SS number is in one of the emails. BTW Bush refused to turn over any emails from the recount, any emails from the Shivo case, and a whole bunch of other stuff and you have written not one God damned word about it. Go figure.

and I won't vote for him.

This is the State Department's own inspectors generals that are being denied access. Not public disclosure.

Negligent. She should have known. Maybe an honest mistake but honest mistakes still have consequences. Also seems like bad judgement.

The generic email servers at State are not supposed to get classified email either.

because I hadn't looked at it yet, from this point of view.

Makes sense to me. The more of this that sticks will hurt
her bad in the GE. True dat.

Thanks Manny

Is this why our VP is warming up in the batting cage?

where Diane Lockhart is offered an Illinois Supreme Court justiceship by governor-elect, Peter Florick. So she gets her firms crack private investigator, Kalinda Sharma, to look through Diane's life & history for any problems which might surface at hearings to confirm her appointment (doing her own opposition research, as it were). Turns out Diane's housekeeper has been using Diane's home computer to post some steamy romance novel writings to some blog. Vampire Diaries fan fic, as it was referred to. Quelle surprise! Florick's political consultant delivers the ultimatum: Too bad, so sad Diane, you'll have to fire this hard working single mom w/2 kids.

So who knows who had access to HRC's private, unsecured email account? (Which is precisely why she should never have used an unsecured private account, as if that needs saying.) Kalinda was able to investigate in just a few days. Maybe the State Department should hire her.

is risky behavior on any system. Classified info needs to be sent only by Cripto and only to those who have a need to know. Not on phones, not on computers. This may be old school but none of that stuff is secure. It is just more secure than shouting it from the rooftops.

government officials sent Hillary Clinton emails to that private, personal server that contained classified information, that was NOT marked classified.

This is another non--story IMO.

Some unnamed officials broke the rules. There is no way any reasonable person or court could hold Hillary accountable when the information was not marked *Classified*.

A big "Ho-Hum" as far as I am concerned.

if she'd used her business email for business.

She's a princess.

I am sufficiently chastised.

She is a queen!

anyways. If there were classified emails going to her normal email address, that's a problem no matter where the emails were stored.

Everyone who has never received a "work email" at home or send a "work email" on a personal account, please send me a nickel. I'll be rich!!!

and I have 3 different email accounts I can access from my phone. You don't need separate phones to have access to separate emails accounts.

Clintons and Bushes are not adversaries. Quite the opposite. The rest is just theater for the gullible masses.

Has investigated on the facts, put out the straight facts, give the NYT an opportunity to recoup some of their reputation.

http://www.democraticunderground.com/?com=view_post&forum=1014&pid=1157044


http://www.democraticunderground.com/?com=view_post&forum=1002&pid=7006607

Is there any evidence the email server did not meet CCB standards?

Not familiar with those.

They control how servers and software must be set up for US Government use, to control both lifecycle costs and security. Since you called it "unsecure" you seem to be implying that it did not meet those standards.

As a generic entity. But is there a specific set of regs or a guidance in place? I don't see anything on the Google.

When we refer to a secure phone line, for example, we are referring to a phone line where extra steps have been taken to ensure that evesdropping is not taking place. While "normal" phone lines are encrypted and so forth, there's still a possibility of a man-in-the-middle attack, etc.

I meant 'secure' in the same way for email. But I'd be really interested in what the government standards are.

And contained numerous safeguards. Clinton also stated that she never emailed classified information, instead using other secure methods of communication approved by State dept. The State dept. also said no indication of any breaches, and Pres.Obama changed the law in 2014, after she had stepped down.

"The server was set up and approved by State dept. under Bill Clinton"

Link?

Exchange 2005, back at that time.

The government runs its own internal CA, and physically distributes the certificates, so MitM is not an issue.

That would be an epic complication for no benefit to anyone.

Various protocols are used to verify the chain of trust in the certs. So you get a domain name that ends in .com. The SSL certificate traces back to, say, GoDaddy. Their certificate traces back to Verisign. The chain checks out, so your web browser trusts the response.

In .gov domains, they manually copy the public keys around, and you verify against those keys instead of Verisign.

1. Her server had a .gov address, and the cert was issued by the government Certificate Authority (not all servers hosting a .gov domain are government-owned)
2. The government Certificate Authority is totally free to also issue certificates for .com, .net, .edu, even .uk or .ru if they wanted to. (It's not even limited to domains; they can issue a certificate to "The person who posts as Recursion on Democratic Underground" if they felt like it, or "The owner of the deli on 102nd and 7th".) And actually since they probably MitM most internal traffic to begin with, it's a safe assumption they do that already.

The SSL certificate traces back to, say, GoDaddy. Their certificate traces back to Verisign. The chain checks out, so your web browser trusts the response.

That would be ideal, wouldn't it? But, no, that's not how certificate verification works; you're describing a hypothetical secured model like DANE. As it is, my OS has 172 entities who are allowed to sign any certificate with full trust. It's an appalling situation.

The domain name was registered though a small ISP in NY. It was not registered by the government.

(Or, you're probably not, but your comments could lead others to.)

The domain name was registered though a small ISP in NY. It was not registered by the government.

OK, still doesn't matter. The certificate was issued by the government CA. Government computers have that CA in their root store (and not much else). If it had been issued by Verisign or Thawte or whatever the government email servers wouldn't have talked to it.

And there's several million different entities with certificates. The fact that it's only 172 is actually pretty good.

But any one of them can sign a certificate for a domain ending in .gov. We should probably do something about that. I know the USG computers have a very restricted set of accepted certificate authorities, for instance, but that won't work for general public use. Right now, their alleged probity is allegedly policed primarily just by Microsoft, Google, the Mozilla Foundation, and the Debian Foundation.

Google has an interesting idea to use a certificate-pinning peer-review system, kind of like what OpenSSH uses. That could be useful, though not foolproof, particularly for new domains.

The client retrieves whatever certificate is on whatever server, and checks it against the public key it stores locally. And generally fails to check the revocation list.

You were claiming the .gov CA can't sign except for .gov, which isn't true. The administrator of a site can put whatever the hell certificate he wants to on it.

Just like a .gov machine can, if desired, have a Chinese-signed certificate on it, a .com machine can, if desired, have a US Government signed certificate on it.

There is never a point where the CA is checked for the "permission" to sign a certificate for that domain.

Just like a .com server can have a USG signed cert, which was the whole point here.

Let me put it a different way: if a USG sysasmin used a Chinese CA to sign his .gov cert, are you saying my browser would warn me?

It would not. The browser would not care, just like it would not care if the USG CA signed a .com certificate. There's absolutely no connection there; a trusted CA is trusted for any certificate whatsoever.

It did not have a US government certificate. It did not need one. It's certificate, which you can pull yourself by going to clintonemail.com, was not issued by the US Government.

The USG CA doesn't publish a list of what certs it has signed. We know a commercial cert was made for a VPN device, but that doesn't remotely mean it was used for the mail server. We don't even know what the MX records for the domain were.

The server literally hands it out to anyone who asks. It was issued by her ISP. The root CA for it was from Verisign.

If the MX records were pointed elsewhere, then she couldn't have received any email on this server, and this entire issue would not exist.

So, you can't say what the MX records should have been. You're making a lot of assumptions here.

A host may have multiple A records pointing to it. A server may use multiple certificates in different situations. You're just assuming this was a standard SO/HO turnkey setup, which I see no reason to do.

Bad A record and she can't connect to the VPN and she can't get her email. Bad MX record and no other mail system sends the mail to her server.

Multiple A records? Well then she's shipping the same cert off to multiple responses. Multiple certs? Well, then she's listening on multiple ports, and guess what? You can port-scan a host and get all the certificates.

Super-secret protocol? Then her blackberry wouldn't be able to retrieve the email. Which was the entire point of this server.