It is quite amazing and disturbing the way Clinton’s spin doctors and the neoliberal press have spun the story of Clinton’s illegal basement email server into a tale of “Russia is attacking the United States” with no accountability for Clinton for the shocking lack of computer security at State.
Why were emails not encrypted with PGP so if they were hacked or leaked there would still be an additional layer of protection?
Why were they using passwords instead of dual key encryption with passphrases and two or more factor authentication for access?
Why did she set up an insecure server at home and redirect her official emails to it? A server that reportedly did not support DKIM, so that to communicate with it, DKIM had to be turned off at State as well?
Why in the world when folks at State received phishing emails, and checked with their IT folks, they were told yes go ahead and click on them and put in your password?
Where was their intrusion detection system? Did nobody notice hey all of our emails are being downloaded to a compromised machine in Germany?
Why was TLS reportedly not set up correctly on HC’s basement server when it was set up?
Why was a server configuration program, probably cpanel, left open to the outside world on HC’s server? Given that it was set up by a moonlighting guy from State’s IT, Brian Pagliano, was this also true of severs at State?
Was tripwire running on any of these servers so folks could say hey there’s weird changes happening on our servers that shouldn’t ever happen such as log files getting smaller?
When Pagliano detected that Clinton’s home server had been breached and shut it down, why the fuck did they start it up again. Why was it not shut down for good at this point?
And where is the accountability for Clinton? All we are hearing is Putin, Putin, Putin.
I can’t categorically say that State, the DNC, Clinton’s email would not have been hacked if I was in charge, because there is no such thing as perfect security. But none of the specific things I mentioned above would have happened, that’s for sure.
Copyright © 2016 Henry Edward Hardy
Hillary Clinton is facing possible indictment on Federal felony charges of unauthorized removal and retention of classified documents or material under 18 U.S. Code § 1924.
Clinton’s secret basement server’s sysadmin, Bryan Pagliano, has been granted immunity from prosecution by the Justice Department in order to testify against her. DOJ doesn’t grant immunity unless they feel certain a crime has been committed and there is a reasonably good chance of a conviction.
Pagliano is or was reportedly a GS-15 who was moonlighting for HC and did not report this engagement to his superiors nor did he report the income she paid him under the table.
Now they are both in deep, deep shit. But Brian has the get out of jail free card, but only if he brings down Hillary. She’s fucked, to put it bluntly. Whether she is charged, or convicted, or not.
The statute says nothing about whether the information was classified when it was first retained. If it was classified at any point, and it was on her server in her basement, and she was aware of this at any point, Clinton is in jeopardy of being found guilty of probably multiple felony counts.
Most likely scenario is HC pleads guilty to a single felony charge, and gets a non-custodial, or home-confinement sentence. As was done with General Petraeus and National Security Advisor Sandy Berger.
Her best outcome is to get a pardon from Obama before he leaves office, joining such notable patriots as Admiral Poindexter and John Ashcroft. That will still destroy her career and injure the Democratic Party.
If Clinton was someone lower in the bureaucracy she would be facing heavy time, like John Kiriakou, William Binney, Jeff Sterling, Chelsea Manning, Susan Lindauer, Barrett Brown, Thomas Drake, Stephen Jin-Woo Kim, and Shami K. Leibowitz. And others.
Pagliano is the dude on the right.
Copyright © 2016 Henry Edward Hardy
Guardian inaccurate article: Alleged credit card scam raises new web security fears
To the Guardian Tech Editor:
published Tuesday 18 August 2009 20.43 BST
incorrectly describes the computer vulnerability, or “exploit” allegedly used by one Albert Gonzalez and unnamed others to allegedly steal and sell credit card information from several companies. The article also mis-characterizes the legal procedure used to bring the charges.
The article says,
“The charge sheet says that Gonzalez, along with two others who “resided in or near Russia”, in December 2007 injected “structured query language”, a computer programming language designed to retrieve and manage data, into the computers of companies such as Heartland, one of the world’s biggest credit and debit card payment processing companies.”
Structured Query Language is not a computer language such as C or FORTRAN. It cannot be “injected” anywhere. It is a format or language for querying or posting information to a computer database.
It sounds like your reporters read “SQL injection”, didn’t understand what that meant, and made up a likely sounding (but wrong) explanation.
A more correct description would be that the alleged fraudsters illegally accessed corporate databases, and inserted fraudulent information into them in order to gain access to those or other systems.
SQL injection is a well-known and preventable vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1804
Your writers apparently could not even be troubled to look up the defendant on wikipedia, see http://en.wikipedia.org/wiki/Albert_Gonzalez
The article refers to a “charge sheet”, the correct term in this case is “indictment”, see http://www.usdoj.gov/usao/ma/Press%20Office%20-%20Press%20Release%20Files/IDTheft/Gonzalez,%20Albert%20-%20Indictment%20080508.pdf
A “charge sheet” in US usage refers to the daily written record of events in a police station, it has little or nothing to do with Grand Jury proceedings. In the Commonwealth, it may refer to a final police report. It is not the same as an indictment brought by a Grand Jury. Confusing charges brought by police and charges brought by a Grand Jury is a fundamental error.
The most newsworthy item overlooked in this rather poor excuse for an article is the question of liability. Both the “wardriving” and “SQL Injection” attacks are well-documented and generally preventable. Thus there is the question of the liability of the companies allegedly victimized as they may have failed to take even the most basic computer security precautions with this sensitive data. Further, how was the defendant able to carry out the alleged attacks while at the same time allegedly acting as a consultant or informant to the US Secret Service? To what degree is the Secret Service liable for failing to prevent, or even possibly enabling, these attacks?
The article’s confusion of the acting US attorney for New Jersey, Ralph Marra, with the “acting US Attorney General” further detracts from the accuracy and reliability of your reportage. The Attorney General of the United States is Eric Holder. There is no “acting US Attorney General.” Your reporters should certainly have known this if they were even moderately well-informed. Basic fact-checking by your editors should have caught and prevented this error from being published.
In the future, please don’t have articles written by people who A) have no idea what they are writing about in either the legal or technical sphere and B) don’t do even a basic job of research and fact-checking. Editors must fact-check and verify all references to technical descriptions, legal proceedings, and offices held by public officials.
Henry Edward Hardy
The subtitle refers to “‘Biggest ever’ case involves 130m cards”
Who says it is the “biggest ever” case? This unattributed quote appears nowhere in the article, which does not state anything of the kind. Was it simply made up by a copy editor?
I would also note that the title of the Guardian article claims that the incident “raises new web security fears.” This is bullocks. Wardriving and SQL injection are neither new issues nor are they web-dependent; how to defend against them is well-understood and documented; and fear-mongering about them isn’t warranted or appropriate.
Copyright © 2009 Henry Edward Hardy