It is quite amazing and disturbing the way Clinton’s spin doctors and the neoliberal press have spun the story of Clinton’s illegal basement email server into a tale of “Russia is attacking the United States” with no accountability for Clinton for the shocking lack of computer security at State.
Why were emails not encrypted with PGP so if they were hacked or leaked there would still be an additional layer of protection?
Why were they using passwords instead of dual key encryption with passphrases and two or more factor authentication for access?
Why did she set up an insecure server at home and redirect her official emails to it? A server that reportedly did not support DKIM, so that to communicate with it, DKIM had to be turned off at State as well?
Why in the world, when folks at State received phishing emails and checked with their IT folks, were they told yes, go ahead and click on them and put in your password?
Where was their intrusion detection system? Did nobody notice hey all of our emails are being downloaded to a compromised machine in Germany?
Why was TLS reportedly not set up correctly on HC’s basement server when it was set up?
Why was a server configuration program, probably cpanel, left open to the outside world on HC’s server? Given that it was set up by a moonlighting guy from State’s IT, Brian Pagliano, was this also true of servers at State?
Was tripwire running on any of these servers so folks could say hey there’s weird changes happening on our servers that shouldn’t ever happen such as log files getting smaller?
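The kind of check the tripwire question is asking for, as an added example that is not from the original post: a minimal file-integrity monitor that records size and SHA-256 for a set of files, then compares a later snapshot and flags anything that changed. For files declared append-only (log files), growth is normal, but a file that got smaller or was rewritten in place is reported separately, since that is the classic sign of someone trimming a log. The file names and log lines in the demo are constructed.

```python
"""Minimal Tripwire-style integrity check (added example, not the post's own code)."""
import hashlib
import os
import tempfile


def snapshot(paths):
    """Return {path: (size_in_bytes, sha256_hex)} for every path that exists."""
    snap = {}
    for p in paths:
        if not os.path.isfile(p):
            continue
        digest = hashlib.sha256()
        size = 0
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
                size += len(chunk)
        snap[p] = (size, digest.hexdigest())
    return snap


def compare(baseline, current, append_only=()):
    """Return a sorted list of (path, finding) tuples.

    append_only: paths (log files) that are allowed to grow but must never
    shrink or be rewritten in place. Every other path is reported on any change.
    """
    findings = []
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            findings.append((p, "MISSING"))
            continue
        if p not in baseline:
            findings.append((p, "NEW"))
            continue
        (b_size, b_hash), (c_size, c_hash) = baseline[p], current[p]
        if p in append_only:
            if c_size < b_size:
                findings.append((p, f"SHRANK {b_size}->{c_size} bytes"))
            elif c_size == b_size and c_hash != b_hash:
                findings.append((p, "REWRITTEN"))
            # growth is the expected behaviour of a log, so it is not a finding
        elif c_hash != b_hash:
            findings.append((p, "MODIFIED"))
    return findings


def demo():
    """Constructed scenario: a config file is edited and a log is truncated."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "httpd.conf")
        log = os.path.join(d, "auth.log")
        with open(conf, "w") as f:
            f.write("ServerName example.invalid\n")
        with open(log, "w") as f:
            f.write("login ok alice\nlogin ok bob\nlogin FAILED mallory\n")
        before = snapshot([conf, log])
        # later: the failed-login line has vanished and the config has an extra line
        with open(log, "w") as f:
            f.write("login ok alice\nlogin ok bob\n")
        with open(conf, "a") as f:
            f.write("Include extra.conf\n")
        after = snapshot([conf, log])
        return [(os.path.basename(p), finding)
                for p, finding in compare(before, after, append_only={log})]


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:24s} {path}")
```

Run once to create a baseline, store it somewhere the server cannot write to, and rerun on a schedule; a real deployment would also record ownership and permissions, but size plus hash is enough to answer the "log files getting smaller" question.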
When Pagliano detected that Clinton’s home server had been breached and shut it down, why the fuck did they start it up again? Why was it not shut down for good at this point?
And where is the accountability for Clinton? All we are hearing is Putin, Putin, Putin.
I can’t categorically say that State, the DNC, Clinton’s email would not have been hacked if I was in charge, because there is no such thing as perfect security. But none of the specific things I mentioned above would have happened, that’s for sure.
Copyright © 2016 Henry Edward Hardy
Is there a smoking gun proving that the GRU, Russian Army General Staff Intelligence, hacked the DNC email? And what about Hillary’s illegal server at home?
A smoking gun would be we traced this connection back to GRU Headquarters *and* could prove that *only* they got into the DNC and/or HC’s illegal basement server. Or if there was human intelligence to confirm. That still doesn’t rule out an inside whistleblower such as Seth Rich or a Snowden type at State. Let’s ask Brian Pagliano about that possibility, for instance. He took the fifth before Congress.
What we have heard suggested so far is, we saw a connection from a compromised machine in Germany which we think was used last year by a group we think is associated with GRU, and some linguistic patterns in messages which indicate a Russian speaker may have written them.
The first is suggestive but not proof. If a machine was open for years, it might have more than one group using it. If you will run SNORT and ACID, you will see people/things scanning you for weakness every day, all the time. Linguistic patterns prove pretty much nothing. Also “A Russian speaker did it” is a lot different than “GRU did it and was the source of the leaks.”
The other side of it is that if Fancy Bear and Cozy Bear are in fact GRU assets, and they did hack the DNC email, and we have only Crowdstrike (a private company employed by the DNC)’s word on this, it doesn’t prove that GRU was the source of the leaks.
What about Hillary Clinton’s illegal homebrew basement server?
Michael Lazar Lehel, a Romanian who has been in US custody since April 2016, claimed he had hacked Hillary’s illegal mail server:
Lehel was convicted of hacking email of a number of prominent figures including two former Presidents and a number of other officials and former officials, including Clinton crony Sid Blumenthal. Lehel was the first source of the information that Clinton had an illegal offsite server, but that doesn’t prove he actually got in. He might have just read the header on some of Clinton’s exchanges with Blumenthal, for instance.
Lehel said Clinton’s server was, “like an open orchid on the Internet” and that “it was easy … easy for me, for everybody.”
Mike Hayden former CIA Director and former NSA director said, “I would lose all respect for a whole bunch of foreign intelligence agencies if they weren’t sitting back, paging through the emails,” with regards to Clinton’s server.
Clinton reportedly had warnings from staff at State that there was evidence that her home server had been breached and it was temporarily shut down due to this.
Some analysis I have read suggests that TLS was incorrectly configured when the server was set up. That plus the really secret and hard to guess what it is name of “clintonemail.com” plus the geographic location in Chappaqua, New York in Clinton’s basement, plus that they left a server configuration program (CPANEL?) open to the outside world, was basically sending out an invitation to every bad actor in the world, of “House party at Hillary’s! Secret clandestine stuff free for the taking.”
My suspicion is that GRU probably hacked Clinton’s server and the DNC and probably so did at least a half dozen other state actors plus God knows how many private individuals.
Copyright © 2016 Henry Edward Hardy
Bioshock Infinite is a visual feast but the gameplay is eh. More specifically, the gameplay is basically Doom with splendid 1910 garb and steampunk weapons and technology. I find myself enjoying exploring and solving such puzzles as there are and not enjoying the tedious gunbattles. The premise for the game is promising: a self-proclaimed prophet builds a modern-day Noah’s Ark, a floating city in the sky like Swift’s Laputa, and secedes from the United States. Now Columbia is a rogue nation state going whither it will after being disowned by the United States following a massacre of Chinese civilians by the flying city in putting down the Boxer Rebellion in 1903.
The city is a creepy homage to everything evil in the idea of American Exceptionalism, from the murderous Motorized Patriot, an animatronic-like machine-gun wielding George Washington robot, to the public stoning of an interracial couple with baseballs. Where the game excels is in the art direction and the overall verisimilitude of the construction of the world. Where it fails, in my opinion, is in the introduction of what are essentially spells, the vigors. It breaks the monotony of the pistol-shotgun-machinegun tedium but so stretches the suspension of disbelief. Even more so the gate-opening ability of companion Elizabeth, which strains credulity. If she can open a gate to Paris at will, why and how is she locked in a floating tower?
But no matter, as interactive fiction, with lots of shooting and gore, the game succeeds brilliantly. And it is worth playing just for the visual awesomeness.
Bioshock is a visual treat, a turn of the century romance and a somewhat garbled science fiction epic layered onto a rich tapestry of religion, corruption, slavery and sin. Worth a look, if not sixty dollars.
Copyright © 2013 Henry Edward Hardy
Guardian inaccurate article: Alleged credit card scam raises new web security fears
To the Guardian Tech Editor:
Your article “Alleged credit card scam raises new web security fears”, published Tuesday 18 August 2009 20.43 BST, incorrectly describes the computer vulnerability, or “exploit”, allegedly used by one Albert Gonzalez and unnamed others to allegedly steal and sell credit card information from several companies. The article also mis-characterizes the legal procedure used to bring the charges.
The article says,
“The charge sheet says that Gonzalez, along with two others who “resided in or near Russia”, in December 2007 injected “structured query language”, a computer programming language designed to retrieve and manage data, into the computers of companies such as Heartland, one of the world’s biggest credit and debit card payment processing companies.”
Structured Query Language is not a computer language such as C or FORTRAN. It cannot be “injected” anywhere. It is a format or language for querying or posting information to a computer database.
It sounds like your reporters read “SQL injection”, didn’t understand what that meant, and made up a likely sounding (but wrong) explanation.
A more correct description would be that the alleged fraudsters illegally accessed corporate databases, and inserted fraudulent information into them in order to gain access to those or other systems.
SQL injection is a well-known and preventable vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1804
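What “SQL injection” actually refers to, as an added example that is not part of the original letter: application code that builds a query by pasting user input into the query text, so that a crafted input is parsed as part of the SQL statement rather than as a value, shown beside the corrected form that passes the value through a driver placeholder. The database, table and rows are constructed in memory with Python’s sqlite3 module; the same two patterns exist in every database library.

```python
"""SQL injection: vulnerable query construction beside the parameterized fix
(added example, not from the original letter)."""
import sqlite3


def make_db():
    """Constructed sample table of cardholders with the last four digits of a card."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1111"), ("bob", "2222")])
    return conn


def lookup_vulnerable(conn, name):
    """Broken: the caller's string is concatenated into the SQL text.

    A quote character in `name` ends the string literal early and whatever
    follows is parsed as SQL, so the WHERE clause can be rewritten by the input.
    """
    sql = "SELECT name, card_last4 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Fixed: the query text is a constant; the value travels as a bound parameter.

    The driver never merges the value into the statement text, so it can only
    ever be compared as data. Quotes or keywords in it are just characters.
    """
    sql = "SELECT name, card_last4 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # the classic textbook input that turns a single-row lookup into "all rows"
    crafted = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))   # both rows leak
    print("safe:      ", lookup_safe(db, crafted))         # no such user
    print("safe, odd but legitimate name:", lookup_safe(db, "o'brien"))
```

The fix is not “escape the quotes better”; it is to never let user input become part of the statement text, which is what placeholders guarantee. The liability point in the letter follows from this: the hardened form is a one-line change that every database driver has supported for years.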
Your writers apparently could not even be troubled to look up the defendant on Wikipedia, see http://en.wikipedia.org/wiki/Albert_Gonzalez
The article refers to a “charge sheet”, the correct term in this case is “indictment”, see http://www.usdoj.gov/usao/ma/Press%20Office%20-%20Press%20Release%20Files/IDTheft/Gonzalez,%20Albert%20-%20Indictment%20080508.pdf
A “charge sheet” in US usage refers to the daily written record of events in a police station; it has little or nothing to do with Grand Jury proceedings. In the Commonwealth, it may refer to a final police report. It is not the same as an indictment brought by a Grand Jury. Confusing charges brought by police and charges brought by a Grand Jury is a fundamental error.
The most newsworthy item overlooked in this rather poor excuse for an article is the question of liability. Both the “wardriving” and “SQL Injection” attacks are well-documented and generally preventable. Thus there is the question of the liability of the companies allegedly victimized as they may have failed to take even the most basic computer security precautions with this sensitive data. Further, how was the defendant able to carry out the alleged attacks while at the same time allegedly acting as a consultant or informant to the US Secret Service? To what degree is the Secret Service liable for failing to prevent, or even possibly enabling, these attacks?
The article’s confusion of the acting US attorney for New Jersey, Ralph Marra, with the “acting US Attorney General” further detracts from the accuracy and reliability of your reportage. The Attorney General of the United States is Eric Holder. There is no “acting US Attorney General.” Your reporters should certainly have known this if they were even moderately well-informed. Basic fact-checking by your editors should have caught and prevented this error from being published.
In the future, please don’t have articles written by people who A) have no idea what they are writing about in either the legal or technical sphere and B) don’t do even a basic job of research and fact-checking. Editors must fact-check and verify all references to technical descriptions, legal proceedings, and offices held by public officials.
Henry Edward Hardy
The subtitle refers to “‘Biggest ever’ case involves 130m cards”
Who says it is the “biggest ever” case? This unattributed quote appears nowhere in the article, which does not state anything of the kind. Was it simply made up by a copy editor?
I would also note that the title of the Guardian article claims that the incident “raises new web security fears.” This is bollocks. Wardriving and SQL injection are neither new issues nor are they web-dependent; how to defend against them is well-understood and documented; and fear-mongering about them isn’t warranted or appropriate.
Copyright © 2009 Henry Edward Hardy