 

DesMoinesDem

(1,569 posts)
Wed Mar 4, 2015, 01:34 PM

Revealed: Clinton’s office was warned over private email use


Revealed: Clinton’s office was warned over private email use
State Department cybersecurity source says Clinton aides ignored concerns

State Department technology experts expressed security concerns that then–Secretary of State Hillary Clinton was using a private email service rather than the government’s fortified and monitored system, but those fears fell on deaf ears, a current employee on the department’s cybersecurity team told Al Jazeera America on Tuesday.

The employee, who spoke on the condition of anonymity for fear of losing his job, said it was well known that Clinton’s emails were at greater risk of being hacked, intercepted or monitored, but the warnings were ignored.

“We tried,” the employee said. “We told people in her office that it wasn’t a good idea. They were so uninterested that I doubt the secretary was ever informed.”

...

“That’s reason for serious concern because the State Department’s email system is presumably secured and monitored for threats to national security to a level that whatever Hillary Clinton was using that she set up herself likely is not,” said J. Alex Halderman, a University of Michigan cybersecurity expert whose most recent paper demonstrated how easily hacked and deceived certain airport body scanners are. “It’s possible she had some kind of special protection in place, but in the absence of any other information, I would be very worried.”

...


http://america.aljazeera.com/articles/2015/3/3/govt-cybersecurity-source-clintons-office-warned-private-email-use.html
Revealed: Clinton’s office was warned over private email use (Original Post) DesMoinesDem Mar 2015 OP
Thanks for the information. mylye2222 Mar 2015 #1
That's because she was running her own bootleg ISP nichomachus Mar 2015 #2
"Bootleg ISP?" That's funny. nt msanthrope Mar 2015 #6
Hi DemocratSinceBirth Mar 2015 #17
"I doubt the secretary was ever informed." nichomachus Mar 2015 #3
As much as we can rationalize implications which validate our biases... LanternWaste Mar 2015 #7
Whatever that word salad means nichomachus Mar 2015 #10
This message was self-deleted by its author 1000words Mar 2015 #4
I'm sure the NSA has all of her communications in their 'data collection and storage' of every sabrina 1 Mar 2015 #5
Not to mention nichomachus Mar 2015 #8
Get it all out of your system now, because if she's our nominee ... 11 Bravo Mar 2015 #19
Anonymous employee, and a cyber security expert absent of info. JaneyVee Mar 2015 #9
Hillary suppressed release of her undergraduate thesis when she became 1st lady HereSince1628 Mar 2015 #11
After the Wikileaks dump, Snowden, CIA spying on congress, etc., I don't really see how they can DanTex Mar 2015 #12
There is no way you're not doing a comedy bit. You think her private email DesMoinesDem Mar 2015 #13
If it's set up correctly, then yes. Do you know much about computer security? I doubt it. DanTex Mar 2015 #14
I know a great deal about data security--enough to know you're out of your league. DisgustipatedinCA Mar 2015 #15
Somehow I doubt that.... DanTex Mar 2015 #16
Somehow I don't. Bring what you have to me. DisgustipatedinCA Mar 2015 #21
LOL. Ten thousand dollars! Right now! Let's bet!!!!! Sorry, Mitt, but I'm not Rick Perry. DanTex Mar 2015 #22
So you think I'm a liar and I think you're an idiot. We're off to a good start. DisgustipatedinCA Mar 2015 #24
You must have missed the Mitt Romney debate reference. I stopped challenging random people to bets DanTex Mar 2015 #25
There is a lot we agree on, but we come to very different conclusions. DisgustipatedinCA Mar 2015 #26
I was mostly civil, fair enough. Thanks for the civil response. DanTex Mar 2015 #29
Thanks, DanTex. Have a good evening. nt DisgustipatedinCA Mar 2015 #30
By the way, remember that vulnerability scan I mentioned? DisgustipatedinCA Mar 2015 #32
It says "B" when I click on that link. DanTex Mar 2015 #33
It's changed in the last 2 hours. They're discussing the change on slashdot DisgustipatedinCA Mar 2015 #34
Hmm. Looks like they upgraded something since Saturday. DanTex Mar 2015 #37
They should have all State Department employees set up their own home email servers. DesMoinesDem Mar 2015 #18
No, that would be a bad idea. Most of the employees wouldn't know how to do it. DanTex Mar 2015 #20
Yep, I'm clueless. Says the guy that thinks your home server is more secure DesMoinesDem Mar 2015 #27
Well, depends how the private server is set up and managed. DanTex Mar 2015 #28
+1, that is just comedy. Marr Mar 2015 #31
Secure against what is the question. In terms of external threats, State is more secure, no question stevenleser Mar 2015 #35
Warning: Don't use the cone of silence. hunter Mar 2015 #23
Really??? maxrandb Mar 2015 #36

nichomachus

(12,754 posts)
3. "I doubt the secretary was ever informed."
Wed Mar 4, 2015, 05:14 PM

So she's not in control of her staff. Not good leadership qualities. But then, she's never been in a position of leadership. No experience.

 

LanternWaste

(37,748 posts)
7. As much as we can rationalize implications which validate our biases...
Wed Mar 4, 2015, 05:27 PM

As much as we can rationalize implications which validate our biases, regardless of how much of it is merely creative allegation and speculation, we certainly will... and pretend it's fact to further secure our imaginations.

Response to DesMoinesDem (Original post)

sabrina 1

(62,325 posts)
5. I'm sure the NSA has all of her communications in their 'data collection and storage' of every
Wed Mar 4, 2015, 05:21 PM

American's phone calls, emails and whatever other means of communications they once thought was private.

They were after all, collecting the same data on Merkel and other World Leaders.

A lot of people here tried to defend that gross violation of the 4th Amendment rights of US citizens.

For what should be obvious reasons.

The fear eg, that it could use such information for nefarious purposes, such as in a case like this.

Maybe our law makers have to suffer the consequences of their support for those Anti-Constitutional practices by government agencies before they finally wake up and do something to restore our Constitutional rights.

nichomachus

(12,754 posts)
8. Not to mention
Wed Mar 4, 2015, 05:28 PM

The Russians, Germans, Israelis, Anonymous, Pakistan, etc.

I'm sure they all were able to get access to her homebrew system.

11 Bravo

(23,928 posts)
19. Get it all out of your system now, because if she's our nominee ...
Wed Mar 4, 2015, 07:13 PM

you're going to either have to develop a new schtick, or seek a website more in tune with your political leanings.

HereSince1628

(36,063 posts)
11. Hillary suppressed release of her undergraduate thesis when she became 1st lady
Wed Mar 4, 2015, 06:03 PM

there is a lot of smoke and mirror stuff to try to make it look like situation normal, but no one had actually asked the college library to NOT lend library copies of student thesis until that happened.

I am not saying HRC has done something wrong, based on what I know when I hit "post my reply" I don't know anything that suggests she did something wrong...I am just saying that people who wish to can construe a string of dots that could make her look worried about being in control of her tracks.

DanTex

(20,709 posts)
12. After the Wikileaks dump, Snowden, CIA spying on congress, etc., I don't really see how they can
Wed Mar 4, 2015, 06:09 PM

claim that government databases are secure. If a private server is set up correctly by someone skilled, it would be more secure than a big government agency's email system.

 

DesMoinesDem

(1,569 posts)
13. There is no way you're not doing a comedy bit. You think her private email
Wed Mar 4, 2015, 06:39 PM

is more secure than the State Department? She needed to set up an email server herself to protect herself from the CIA and NSA? You can't be serious.

DanTex

(20,709 posts)
14. If it's set up correctly, then yes. Do you know much about computer security? I doubt it.
Wed Mar 4, 2015, 06:42 PM

The weaknesses are mostly the humans involved, not the algorithms. But even if you don't know that, it should be obvious from the Wikileaks and Snowden incidents that government data is not safe.

 

DisgustipatedinCA

(12,530 posts)
21. Somehow I don't. Bring what you have to me.
Wed Mar 4, 2015, 07:19 PM

I don't claim expertise in many areas, because I'm not an expert in many areas. Therefore, when I do make that claim, I mean exactly what the motherfuck I say, and I'm ready to back that up with a very large and public wager, proceeds going to the DU. Let me know when you're ready.

DanTex

(20,709 posts)
22. LOL. Ten thousand dollars! Right now! Let's bet!!!!! Sorry, Mitt, but I'm not Rick Perry.
Wed Mar 4, 2015, 07:21 PM

I'll believe you know the first thing about computer security when you say something intelligent on the topic. Which hasn't happened yet.

The thing is, if you were the expert you claim to be, then you would be able to set up a secure email server. Obviously, you can't. So you're not.

 

DisgustipatedinCA

(12,530 posts)
24. So you think I'm a liar and I think you're an idiot. We're off to a good start.
Wed Mar 4, 2015, 07:43 PM

I can't cover $10,000, but I can certainly cover $500. But before we get to that, let's back up. I made no claims about an email server one way or another. If you'll attempt to read my post again, you may be able to see that my claim was expertise in data security. As it happens, I can set up a pretty secure email server, and I can do a lot to secure the perimeter too. But I can also run vulnerability scans that show me 150-200 new sev4/sev5 vulnerabilities popping up on a weekly basis. And I can remediate and mitigate those vulnerabilities on 150 servers, 25 routers, 60 switches, and 20 firewalls. I know I can, because that's EXACTLY WHAT THE FUCK I DO FOR A LIVING.

Here's a little knowledge for you to internalize: setting up a "secure email server" is not a static event. It's an ongoing event that must be kept up to snuff on a weekly (if not daily) basis. While an individual can choose to be very proactive and keep a server environment secured on a continual and ongoing basis, that almost never happens when a consultant is called in to implement the server in the first place.

You have made the claim that setting up one's own email server and maintaining it is, on balance, more secure than a large IT staff taking care of the same tasks. Ergo, you're out of your league. You've apparently never seen how an enterprise runs. I congratulate you on reading your O'Reilly book, but that's just not the same thing as managing a data security program that mandates internal and external audits, penetration tests, vulnerability remediation, and disaster recovery testing.

I am by trade a network engineer, and I manage an infrastructure group (which to you means servers, network equipment, and voice over-) at a financial institution, and I am subject to everything I've listed above, and then some. I have a CSO and security department watching what my department does. I have an internal audit group that does the same thing from a different perspective. I have outside auditors come in twice a year to poke holes in my network and see what they can see, and that's all in preparation for federal OCC examiners who come in once a year for the real deal. That's my claim to data security expertise, and I'll stand behind that.

Again, if you believe that an individual running an email server is more secure than a robust IT department doing the same, you haven't the faintest goddamned idea of what you're talking about. With regard to Hillary Clinton, I haven't really weighed in much on the issue. I don't think she's breaking any laws. I just think she was really stupid to run an email server out of her house. Tell me something, wise one. If she had such a shit-hot tech setting up her email server and getting the static/symmetrical connection, why on god's green earth didn't that shit-hot tech anonymize the WHOIS record so that it didn't...you know...trace directly back to the fucking Secretary of State's home address? Go ahead and answer that one for me, sport.

And do let me know about that wager. DU could use the money. But do remember, I NEVER make a bet without being ready to win.

DanTex

(20,709 posts)
25. You must have missed the Mitt Romney debate reference. I stopped challenging random people to bets
Wed Mar 4, 2015, 07:55 PM

when I was about 14. You'll grow out of it some day too.

Anyway, it looks like we agree that if a private server is set up (and managed, I left that out, you are right) correctly, then it will indeed be more secure than the state department's network.

Since you work with big systems, surely you understand that securing a large network is much, much, much more difficult than securing a single server. You also understand that the biggest risks that organizations face are not from the protocols themselves, but from the humans involved. It just takes one person to, say, start using Dropbox for work-related activities. And even that's assuming that there aren't any adversaries or leakers on the inside, something that is all but guaranteed to happen at the state department.

The NSA, probably the most security-savvy organization in the world, just suffered a massive breach. That is how difficult it is to secure systems that have a lot of users. Every single one of them is a vulnerability. This is the very reason why organizations like the one you work at need to have groups of IT experts. Well, one of the reasons. The other reason is that their computer systems do a lot more than just email.

Which brings us back to the original point. A single computer running nothing but an email server can be made more secure than the state department's or even the NSA's computer network.

 

DisgustipatedinCA

(12,530 posts)
26. There is a lot we agree on, but we come to very different conclusions.
Wed Mar 4, 2015, 08:07 PM

I really don't particularly want a fight with you, but I'm not a big braggart about expertise--again, there are lots of areas where I'm not an expert, and a couple of areas where I am. That doesn't make me special; it just means I have a day job I'm pretty good at.

Regarding the conclusion, I'll always believe that a robust and continual data security program is the best way to keep any server secure, because it's one of those things that someone is assigned to do on a regular and recurring basis, i.e., "it's my job and I've got to do it if I want to get a raise, keep my job, etc". I understand what you're saying about the complexity of larger implementations, but I don't happen to agree. However, I would like to climb down off my high horse and bid you peace. Thanks for the civil reply.

EDITED to Add: you were mostly civil. And no, I won't learn to stop challenging "random" people with wagers. I come from an era where random actually meant random. I do have kids, so I understand the newer context too, but in no way did I randomly choose you. On three different occasions, from 2001 to now, on DU, I've challenged people to a bet. This always involved people making technical claims I KNEW with certainty were not correct. Those wagers have never happened, because we more or less came to an understanding the way you and I have more or less come to an understanding. There was nothing random about my choice, and I'll likely do it again one of these days if I feel compelled. Thanks.

DanTex

(20,709 posts)
29. I was mostly civil, fair enough. Thanks for the civil response.
Wed Mar 4, 2015, 08:23 PM

I continue to believe that a private email server can be set up and managed, without extraordinary difficulty, to be more secure than the state department's network, for the reasons I outlined in the last post. But I'm glad we got to a reasonable agree-to-disagree point. I understand what you are saying about people making technical claims who don't have a clue.

Whether Hillary actually set up the server securely is another question. Your point about the WHOIS is an indication that she didn't. Although, given that her house is guarded by secret service, one could make the argument that the physical threat level is very low. On the other hand, if it were me, I would rent some rack space somewhere instead of having the physical server in her home, not for security reasons, but for uptime.

Anyway, good talking to you.

 

DisgustipatedinCA

(12,530 posts)
32. By the way, remember that vulnerability scan I mentioned?
Tue Mar 10, 2015, 12:09 PM

I use Qualys at work. Just found this on Slashdot:

https://www.ssllabs.com/ssltest/analyze.html?d=mail.clintonemail.com

The server was not secure, so it earned an "F".

DanTex

(20,709 posts)
37. Hmm. Looks like they upgraded something since Saturday.
Tue Mar 10, 2015, 07:02 PM

Still, not convinced that it was a big security risk, especially compared to the State Department's system, which after Snowden and Manning we know is insecure.

It looks like that site grades the security of web servers, not email servers specifically (though that raises the question of why the web server was even running). And also, seems to me that some of those weaknesses are only weaknesses depending on how clients connect. For example, correct me if I'm wrong, but support for SSL 2.0 isn't a huge problem as long as nobody actually uses SSL 2.0 on the client side.


Still, it doesn't look good that they had a poorly configured web server running.

 

DesMoinesDem

(1,569 posts)
18. They should have all State Department employees set up their own home email servers.
Wed Mar 4, 2015, 07:13 PM

Much more secure. LOL. The State Department has foreign intelligence trying to hack it constantly. They have a lot of people making sure they don't succeed. And you think some home server is more secure. I have no words. That is beyond stupid.

DanTex

(20,709 posts)
20. No, that would be a bad idea. Most of the employees wouldn't know how to do it.
Wed Mar 4, 2015, 07:17 PM

It would also be a huge waste of resources. Very bad idea.

The only thing hilarious -- well, there are two. The first is how utterly clueless you are about computer security. And the second is that you are singing the praises of the government's security in the wake of two truly enormous leaks. Of course! That could never happen again. So secure! LOL.

 

DesMoinesDem

(1,569 posts)
27. Yep, I'm clueless. Says the guy that thinks your home server is more secure
Wed Mar 4, 2015, 08:15 PM

than the State Department and who thinks the greatest security threat at the State Department is the NSA and CIA. Thanks for the laughs.

DanTex

(20,709 posts)
28. Well, depends how the private server is set up and managed.
Wed Mar 4, 2015, 08:21 PM

But if done correctly, then yes, absolutely. Just one machine that does nothing but email is much easier to secure.

And, no, the greatest threats to the State Department aren't the NSA and the CIA. Not sure where you got that from.

And, yes, you are clueless.

 

stevenleser

(32,886 posts)
35. Secure against what is the question. In terms of external threats, State is more secure, no question
Tue Mar 10, 2015, 03:24 PM

about it. But that is not the entire threat picture. Internal threats are responsible for a huge percentage of data breaches.

The one thing she doesn't have to worry much about regarding a server in her home is internal threats.

http://www.csoonline.com/article/2134056/network-security/report-indicates-insider-threats-leading-cause-of-data-breaches-in-last-12-months.html

maxrandb

(15,364 posts)
36. Really???
Tue Mar 10, 2015, 03:50 PM

An anonymous-unnamed source says he worked in IT and says it was "well known" that the emails could be hacked, etc., etc., etc.,---and that's somehow translated as "Revealed: Clinton's Office was warned"????

Ya know..."some" have said that's complete and total bullsh$#, while "others" have "confirmed" that stories like this are complete and total bullsh$#, meanwhile, "someone" who is an expert on complete and total bullsh$#, confirmed that this was quite possibly the largest pile and foulest smelling bullsh$# they had ever encountered

and let me tell you, this "expert" certainly knows his bullsh$#.

This is what passes for news?
