Hillary Clinton’s State Department security at the mercy of anybody who could hack a spam filtering service.

Well, this is particularly droll: “Hillary Clinton used a spam filtering service MxLogic to filter her spam and viruses. What this means is – employees at MxLogic, now owned by McAfee – had full access to all her classified state department email in unencrypted form.”  Assuming that the guy is correct, it sounds like there was a giant, gaping hole in the administration’s security system that nobody caught until years after the fact.  And please note that this story is from somebody who actually wants Hillary Clinton, or at least a Democrat, elected President: in other words, this isn’t a partisan story*.

Two thoughts on this one. First off, it’s stuff like this that is making CNN having to try to spin away its own poll-of-adults** showing that a majority of voters aren’t really buying Hillary Clinton’s story.  Second, it’s a shame that nobody in the administration ever reads Charles Stross:

“Didn’t they know that the only unhackable computer is one that’s running a secure operating system, welded inside a steel safe, buried under a ton of concrete at the bottom of a coal mine guarded by the SAS and a couple of armoured divisions, and switched off?

Which is to say: if that’s the standard for ‘safe,’ then civilian-level computer security is simply not going to do the deal.  It boggles my mind that anyone in the State Department – or on the White House staff – thought that said security regimen might be up to the job.  I’d be fascinated to hear the justification for this, assuming that anybody involved ever dares to explain the matter…

Moe Lane (crosspost)

*Note that partisan stories can, in fact, be true.

**Reminder: the results of polls of adults usually work out better for Democrats than the ones of likely voters do.

8 thoughts on “Hillary Clinton’s State Department security at the mercy of anybody who could hack a spam filtering service.”

  1. Not to defend Clinton, but has anyone taken this serious of a look at the State Department service she was supposed to be using? I know the assumption is that this is the most secure system in the world, but the reality of government also makes me suspicious that it’s all on Windows 3.1 and the E-mail addresses all end in @compuserve.gov

    1. To the best of my understanding, it’s much easier to make early OSes secure than most modern ones.
      There’s a lot to be said for something than does a few things, does them well, and in as efficient a manner as possible.

      1. I’m pretty sure it doesn’t work that way. If it can connect to the internet at all, it needs to be kept patched. Old microsoft products are no longer patched.
        Other types of OS offer a wide range of choice in bells and whistles, and can be kept patched.

    2. I can’t speak for the State Department email, but I know the guy that originally installed whitehouse.gov back in the mid-1990s; he’s one of the top security guys in the United States. He wrote a front-end that looks like ordinary sendmail but in fact does no processing whatsoever; it hands everything it gets off to another script that analyzes it six ways from Sunday before processing. Whether whatever was set up for the State Department is as thorough is beyond what I know.

    3. Take a look at Diplomad.
      The difficult login, the seperation of classified and unclassified, the liability warning, and the whole doesn’t send to private emails thing are not themself proof of good security. They are evidence that more than standard attention was paid.
      Yeah, it doesn’t sound like it would stop someone from logging onto their unclassified email from a system compromised by malware. It sounds better than the normal or below normal attention that was paid to

    Surely there’s an IT person in charge of this server, and surely this person would be willing to turn state’s evidence to avoid being the designated fall guy …

  3. “It was then decrypted, checked for spam and viruses, and then reencrypted and sent over the open internet to Hillary’s server.”

    Um, not necessarily. Only completely clueless sysadmins would permit an outside service to decrypt even modestly important email addresses. It would never fly for, say HIPPA or GAAP compliance. OTOH, no one has accused Clinton of being serious about securing stuff from the NoKos, Chinese, or Russians. Just Congress and the American Press.

Comments are closed.