Kinja reply list

Read More
The Creepy KingSam Biddle
3/05/15 1:40pm
Kudos to Gawker for their coverage of this story.

I'm a socially political moderate who thinks that our past 2 presidents have both been terrible (and not coincidentally, in many ways indistinguishable), but to anyone defending Hillary on the basis that what she did was not technically illegal: be intellectually honest and think about how you'd respond to that argument if this whole thing was committed by the Bush regime.
Reply
- Read More
  iamccThe Creepy King
  3/05/15 1:42pm
  well in fairness, the bush regime did it too (not that it makes it ok)
  
  http://www.washingtontimes.com/news/2015/mar/…
  Reply
- Read More
  OctoberSurpriseThe Creepy King
  3/05/15 1:52pm
  As I recall there was some hubbub over the Bush email scandal where it was believed that as many as 22 million emails were lost because they were on a private domain owned by the RNC and IIRC nearly 100 Sr Bush admin officials had these non sanctioned email accounts. When the RNC was told to preserve the email communications following a congressional investigation it was revealed that the RNC had deleted them.
  Reply
Read More
tito_swinefluSam Biddle
3/05/15 2:07pm
Why is a self-signed certificate a problem? The reason to have a certificate that is signed by a certificate authority is that third-parties can feel comfortable accessing the site. There are no third parties here, only the server and people who have email accounts on the server. Those users all know who their IT person is, so they don't need the certificate to be signed by anyone else. Buying a certificate approved by a certificate authority would be a waste of time.

I run an email server. I use a self-signed certificate. Communication between my email client and my server is secure. Since I'm the only one using it, I am comfortable that the person who created the certificate (me) is reputable, so I'll accept my own encryption scheme.
Reply
- Read More
  endusonetito_swineflu
  3/05/15 4:42pm
  No.
  
  Using a self signed cert is ridiculously unsafe. No user is going to check the fingerprint of the cert every time they connect, its absolutely begging for a man in the middle attack. This is approximately 478,987,103 times more true when you're talking about someone travelling to Russia, China, etc. Legitimate certs from second tier CA's are dirt cheap. There is no reason to use a self signed cert for any production application in 2015.
  Reply
- Read More
  tito_swinefluendusone
  3/05/15 6:01pm
  As someone who knows very little about computers, maybe you can help me understand more. If I set up a self-signed cert, then I go to my email program and accept that cert, and the email program stores that cert permanently, how does one do a man-in-the-middle attack? I'm assuming that the man in the middle has not stolen my private key. If he has, he has access to my server anyway, so it's all over. My understanding was that the man-in-the-middle attack happened during the initial cert and key exchange.
  Reply
Read More
FauxhemianRhapshodySam Biddle
3/05/15 1:40pm
Passwords to try:

Password

qwerty

Buddy1

Socks1
Reply
- Read More
  Violent FellowkneesFauxhemianRhapshody
  3/05/15 1:48pm
  What about "Monica?" Nobody would expect that!
  Reply
- Read More
  FauxhemianRhapshodyViolent Fellowknees
  3/05/15 1:49pm
  Monica1
  
  BlueDress1
  Reply
Read More
John CookSam Biddle
3/05/15 2:03pm
Edit: changed "when you attempt to log into sslvpn.clintonemail.com" to "when you attempt to access" to make clear that we didn't attempt to actually enter log-in credentials.
Reply
- Read More
  raincoasterJohn Cook
  3/05/15 6:21pm
  You should have, chicken! Try username admin and password123. I'm sure someone else already has.
  Reply
Read More
sui_generisSam Biddle
3/05/15 1:46pm
Cubrilovic echoed Hansen's concern: "When you are a staffer in a government department, internal email never leaves the network that the department has physical control over," he told me. But "with externally hosted email every one of those messages would go out onto the internet," where they're subject to snooping.

So....just like every previous Secretary of State before Nov 2014, then? And apparently just like previous occupants of every former administration ...? I like how this issue somehow is only being acknowledged now, as if it's particular to Clinton and hasn't been going on forever, entirely legally and widespread.

This is a political fishing expedition for any emails that might be able to embarrass or undermine Clinton for 2016, plain and simple.
Reply
- Read More
  Question_of_Factsui_generis
  3/05/15 2:18pm
  Not really though.
  
  First of all, the regulation did not go into effect until 2009. Secondly, she was the first SOS to use ONLY a private e-mail for ALL of her government business. Prior SOS's did have private e-mails. However, this was before the pertinent 2009 regulation. Additionally, prior SOS's had a government e-mail address in addition to a personal e-mail address.
  Reply
- Read More
  sui_generisQuestion_of_Fact
  3/05/15 2:36pm
  Not really though.
  
  The law in question saying they had to use govt email addresses definitely was signed in Nov 2014, not "2009". If you read the linked articles, you'll see that's not even in dispute.
  
  That's why the USA Today piece and other coverage criticizing the NYTimes article keeps asking " what law did she break?"
  
  And your other assertion, there was not one single previous Sec of State that conducted administration business solely through govt email addresses. Again , this is not even in dispute. Beginning to see the double standard...?
  Reply
Read More
endusoneSam Biddle
3/05/15 4:28pm
I found this outrageous before, and its almost certainly illegal for a number of reasons, but apparently its even worse than I thought! Self signed cert? Seriously? Who the fuck can't afford a real certificate now? If they were using the VPN for email access, how much do you want to bet that split tunneling is enabled?

Great call on the spearphishing angle. I was reading the article with my security guy hat on waiting to jump on that, but this really is a very good write up. This situation not only risks the security of her email, but of the entire state department.

None of the attacks mentioned are far fetched or even remotely unlikely. They're all actually *extremely* likely. State sponsored hacking is a thing now, and compromising the security of an ill-maintained private email service is trivial. I would put money on the servers not having current patches and a loose firewall policy.
Reply
- Read More
  RvLeshracendusone
  3/05/15 10:07pm
  Bull. Fucking. Shit.
  
  You know fuck-all about security, so stop positioning yourself as some sort of expert.
  
  Why the fuck would you pay for a third-party certificate when you're the *only fucking person who will ever legitimately access your server*? So that the root signing authority, whom you have *no fucking control over*, can compromise your personal certificate?
  
  The worst possible thing you can do from a security perspective is give up control over *any* part of your system. The sole reason we do it in the public web is because most users don't have direct, physical access to the server, and therefore can't verify that the copy of the certificate in their store is an exact duplicate of the one on the server.
  Reply
- Read More
  endusoneRvLeshrac
  3/06/15 3:34pm
  If you're the only person accessing the server, you could probably get away with it. However, it does introduce more risk. If you manually accept the cert every time you connect, you're going to get into the habit of not really checking it when you accept it. When you're talking about giving access to any nontechnical user, this becomes a complete deal breaker. They will *never* validate the cert, let alone validate it every time. If you add the cert you could avoid having to manually accept it, but it does become another attack vector. If they gain access to the server to be able to issue a fake cert you're obviously hosed anyway, but it would allow someone to intercept sessions and gather data without accessing the server a second time which could introduce more problems.
  
  You don't need physical access to the server to validate the cert. You can use the fingerprint as long as you transmit it out of band.
  
  Agree about the CA, and this is a well documented problem with SSL. See Moxie Marlinspike's research for a good breakdown of why. That said, security at most commercial CA's is going to go way above and beyond what you can reasonably to at home. Offline root, key ceremonies requiring physical and logical keys, etc. They're a bigger target than your home server, too, obviously.
  
  You're talking about, "physical access to the server" as though public key cryptography was invented yesterday. You definitely don't need physical access to the server. You can do it with a fingerprint transmitted out of band. The reason that's impractical is that users don't know how to do it, its a huge pain in the ass to do for every site you access, you need a way to be able to expire/replace certs without causing your users a huge amount of work, etc. There are other ways than the CA model (again see Moxie Marlinspike's stuff) to create trust, but for practical purposes the CA model works OK for the time being.
  
  To be clear, none of this has to do with Clinton. For her to use a setup like this is unacceptable to the point of being completely outrageous.
  Reply
Read More
CosmonautVolkov-bigtimespacemanSam Biddle
3/05/15 1:40pm
Extremely unsafe.

But that's not the question. The question is why did she purposefully circumvent established rules and procdedures in order to maintain such a high level of secrecy from the media? Any Chinese or Russian hacker could have gained access easily. It was the media she was trying to keep out. She did not want public scrutiny. Why?

She is not trustworthy and will never be president. The progressives are already scrambling for a better choice. She is also way, way too old and drinks way, way too much. I hope she runs, to be honest.
Reply
- Read More
  UnTruckedCosmonautVolkov-bigtimespaceman
  3/05/15 1:47pm
  Agreed. Everything points to her intentionally hiding her records, which is a habit we've seen before from the Clintons. Deny, deny, deny, destroy the evidence and then once it's too late and blows up in your face, lawyer up.
  Reply
Read More
Creative DestructionSam Biddle
3/05/15 1:36pm
But, hey, Bush did it worse, so what's a little email insecurity and opaqueness in government business when she does it, amirite?!
Reply
- Read More
  caekislove-thethirdCreative Destruction
  3/05/15 1:47pm
  You betcha! George Dubya is now the gold standard for statesmanship, and as long as you're just a tiny bit better than he was, nobody has the right to bitch about your performance in office!
  
  Torture, wars, domestic espionage, state secrecy? "Dubya did it worse!" Boom. Anyone else still arguing is just being unreasonable!
  Reply
Read More
Graby SauceSam Biddle
3/05/15 2:27pm
This article fails to mention that classified information is handled on an entirely separate State Department system. I think that would be good to point out in an article about security.
Reply
Read More
Avatar SeniorSam Biddle
3/05/15 2:39pm
Does anyone really believe that ANY EMAIL is secure and safe in these days? If you don't want it to be public, don't write it! Hackers and the govt can read anything. And the government already has all of them anyway. Even tho I rarely agree with Senator McCain, he does not use email. If you don't want it to be available to the world, don't write it.

This article is obviously filled with gaps and holes, and needs to be "reported" and not "biased by the writer's attitudes." Isn't there actually important news that you can write about? Go after the Bush Administration, or the many congressmen who are admittedly doing the same thing. Get a life! Those of us who have one think you don't!
Reply