Hillary's sysadmin left VNC, RDP exposed to the internet - report

Not only did Democratic Party presidential hopeful Hillary Clinton run her own email server while at the State Department: someone, presumably her friendly local sysadmin, decided it needed Remote Desktop Protocol (RDP) and the desktop-sharing system Virtual Network Computing (VNC) exposed to the Internet. The folks at Associated …

  1. FozzyBear

    still leaving one mystery device to be identified. ®

    Yep that'll be the actual truth of the situation. Unfortunately that will never see the light of day.

  2. a_yank_lurker

    So the Russians, Chinese, and just about everyone else were reading her email while she was at Foggy Bottom. It seems to give a very good perspective on why US foreign policy has been such a disaster for the last several years.

    1. Anonymous Coward

      There is no need to read her email for it to be a disaster

      When Russians deal with a foreign country, the guy(s) or gal(s) at MGU with a modern history PhD (and optionally a history of religion PhD) on the country in question get a call and a FAT check to help with the analysis, selection of the strategy, PR, etc. The result is "successful policy alteration" in most cases - especially when privatisation, mergers, etc. are involved. I have a couple of childhood friends who have made some very good money on that and have had their apartments, dachas and the spanking new BMW parked in the private garage under the apartment block paid for by that. All stuff you will never get on a professor's salary.

      When Chinese deal with a foreign country they come with a FAT check. One of the reasons why kleptocracy in Africa will not die any time soon.

      When Americans deal with a foreign country they come with arrogance and bullshit and start the conversation with "do not give me this crap about what happened 200 years ago". That used to work when their only competition was the USSR, which came with a copy of Das Kapital and AK47s. It does not work any more in the modern world.

      1. I. Aproveofitspendingonspecificprojects

        Speaking of Kleptocracy

        Dare tell us how the KGB got everyone rich overnight in 1990?

        Did they really have to shunt Gorbachev out past the Urals for a few weeks and install a drunk Boss of Bosses to do it?

      2. Anonymous Coward

        Re: There is no need to read her email for it to be a disaster

        So you think bribery of government officials is the way to deal with foreign governments?

        Remind me why billions of dollars that were shipped to Iraq didn't make any frigging difference. Remind me why the Egyptian government gets billions in "Aid" from the US Government. Remind me why we gave you European ungrateful bastards billions of aid during WWII and then forgave the "loans". Remind me why we gave Russia tractors and airplanes that they promptly copied as their own. Remind me why we kept England fed at great personal costs during the war.

        Because I can't think of a single reason why we should have bothered, for the simple reason that those acts allowed you useless twats to be born.

        Frankly any arrogance is deserved because you people are a bunch of double-dealing, backstabbing cheats, thieves and ingrates who would be speaking German today if it wasn't for our help.

        And no, no person alive today should have to care what his/her great, great, great grandparents did 200 years ago. But as far as I am concerned you still owe us billions of dollars and some gratitude.

        1. Anonymous Coward

          Re: There is no need to read her email for it to be a disaster

          Someone forgot to take their meds today!?

        2. Anonymous Coward

          Re: There is no need to read her email for it to be a disaster

          Your arrogance is ridiculous, a front put on by History's only 'superpower' that couldn't establish an empire, whose biggest achievements are based mostly on the work of recent immigrants to that country.

          A country whose history stretches back the same length of time as my local haulage company and university, and they're latecomers compared to some of our institutions.

          A country whose greatest achievement - the moon landings - would have been unachievable without Nazi scientists. A country that has been undone militarily time and again by underestimating anyone not American.

          A country who managed to establish a massive ruling class at the expense of everyone else while fighting Communists, who managed to create a climate of fear while fighting terrorists and who cheer on freedom while clamping down on that of their own people.

          You've no military skill besides building big bombs- and the USSR had you beat at that one- as proven by your egregious record for "blue-on-blue" killings and outright defeats at the hands of Vietnam, Iraq, Afghanistan- even the Canadians (backed by the polite, tea-drinking British) beat you at war and burned your capital to the ground.

          You've got the Bomb- and large conventional forces- and apparently have no qualms about using them. That makes us fear you, yes. But it's not respect as we have for the Russians (who caught up with 150 years of european technological development in a few short years) or the Germans (who twice bettered France, supposedly their superior in every way). The arrogance we see is that of a child who's found his father's gun.

          So sit down and shut up, son, the grown-up countries are talking.

          1. The Vociferous Time Waster

            Re: There is no need to read her email for it to be a disaster

            Bravo

          2. Anonymous Coward

            Re: There is no need to read her email for it to be a disaster

            And we Americans twice bettered Germany, dug France out of a hole twice, etc. Who liberated whom in two world wars, ingrate? Shows what the unfettered military might of the US can accomplish if left alone by the politicians and simpering European aristocrats that tried bargaining with Hitler.

            BTW, it was ineffectual DEMOCRAT politicians that meddled with our Military that "lost" wars in Vietnam, Iraq and Afghanistan. France and Russia lost there too and I think some Brits and Aussies lost there too.

            Our whole country was based solely on immigrants who came here to better themselves because they got a raw deal in Europe. Seems WE were more tolerant than you ever were, so they came here. THOSE immigrants integrated into our societal "melting pot" (mine came here in 1672, is that old enough for you?) and contributed to our country, unlike the ones invading your countries right now. Your so-called "history" and the age of your countries is certainly nothing to brag about. All you did is fight each other for centuries, keep and trade slaves, keep people in servitude, live too close together in unsanitary conditions and subjugate countries. Or did you forget about the "Empire"?

            BTW, we never had a "ruling class"; YOU were the idiots with a Monarchy or several.

            Speaking of "grownups", you simpering, effete, arrogant twit, your aged European countries (no union there!) have acquired the problems of the Roman and Russian Empires. It appears that emulating your role models Caligula, Nero and Stalin is counterproductive these days, and now that you've given away every pound and euro to the wastrels and layabouts, there is no one left to tax but successful American companies that you can't even come close to comparing to. But hey, let's not let a few facts get in the way of our so-called "friendship".

            1. GrumpenKraut

              Re: There is no need to read her email for it to be a disaster

              > Speaking of "grownups' you simpering, effete, arrogant twit, your aged European countries...

              Yeah, right.

        3. LewisRage

          Re: There is no need to read her email for it to be a disaster

          "And no, no person alive today should have to care what his/her[..] grandparents did 200 years ago. But as far as I am concerned you still owe us billions of dollars and some gratitude"

          But I don't care what my grandparents did, so you can do one.

          1. Peter2 Silver badge

            Re: There is no need to read her email for it to be a disaster

            Remind me why we gave you European ungrateful bastards billions of aid during WWII and then forgave the "loans".

            Britain paid for all of the equipment bought under Lend-Lease during WW2, in gold to start with and on credit after spending the entire gold reserves of the British Commonwealth. Loans were paid back in full, something which was completed only a few years ago. Nothing was "given" to the UK, and if you have contrary information then, while I hate Wikipedia, "Citation Needed" is the appropriate term for the situation. Proof please.

            If you want to get into things being given during WW2 then you might want to consider things like the cavity magnetron, the jet engine, the design for the 57mm AT gun (British 6 pounder) etc. All of these were given without charge. For the complete avoidance of doubt, these were given from Britain to the US.

            1. John 104

              Re: There is no need to read her email for it to be a disaster

              Not to get into it too much, but there was great loss of life in the merchant navies who risked it all to deliver critical war time supplies.

            2. Anonymous Coward

              Re: There is no need to read her email for it to be a disaster

              Try reading THIS article. You only paid the LOANS we gave you. The Lend Lease aid was mostly free and we also gave you terms of ten cents on the dollar on the LOAN not to mention the cost of hundreds of thousands of American lives.

              All to pull you out of a "bad spot" and you wouldn't even bother to help today to do the same in return.

              BTW, for the record, radar was developed from Tesla's and Marconi's work, that jet engine sucked, and it wasn't until the ME-262 engines got copied everywhere that it finally became a commercial success.

              They don't compare to the sheer amount of materiel and personnel we provided, but the only reason I commented on it in the first place is because of the continuous ungrateful, rude and downright retarded treatment of a country and its people that once was your most dependable ally.

              How's this for a CITATION? https://en.wikipedia.org/wiki/Lend-Lease

              I cherry pick below:

              In general the aid was free, although some hardware (such as ships) were returned after the war. In return, the U.S. was given leases on army and naval bases in Allied territory during the war.

              A total of $50.1 billion (equivalent to $656 billion today) worth of supplies were shipped, or 17% of the total war expenditures of the U.S.[2] In all, $31.4 billion went to Britain, $11.3 billion to the Soviet Union, $3.2 billion to France, $1.6 billion to China, and the remaining $2.6 billion to the other Allies

        4. MyffyW Silver badge

          Re: There is no need to read her email for it to be a disaster

          Remind me why...

          @AC firstly, breathe, hun. All that anger is not good for you.

          Secondly: You gave Russia tractors and kept England fed 'cos we were fighting the Nazis. And their idea of empire building would ultimately have reached across the Atlantic Ocean. FDR compared it to the wisdom of a man lending his neighbour a hose to put out a fire. Churchill called it "The most unsordid act in history".

          Thirdly: If you still feel the same read P. J. O'Rourke's rather more humorous take:

          https://www.goodreads.com/work/quotes/790662-holidays-in-hell

      3. Mark 75

        Re: There is no need to read her email for it to be a disaster

        Anyone know what a FAT check is?

        1. Anonymous Coward

          Re: There is no need to read her email for it to be a disaster

          I have a device in the bathroom that provides me with a fat check as often as I wish.

          1. Anomalous Cowturd
            Joke

            Re: I have a device in the bathroom...

            So do I, but mine keeps complaining "one at a time please."

            I think there's something wrong with it.

        2. h4rm0ny

          Re: There is no need to read her email for it to be a disaster

          >>"Anyone know what a FAT check is?"

          Checks length of the diplomat's name is under 255 characters, I think.

        3. The Vociferous Time Waster

          Re: There is no need to read her email for it to be a disaster

          Are the horizontal and vertical stripes both wide?

        4. John 104

          Re: There is no need to read her email for it to be a disaster

          RE: Anyone know what a FAT check is?

          chkdsk

        5. jelabarre59

          Re: There is no need to read her email for it to be a disaster

          > Anyone know what a FAT check is?

          The predecessor of a NTFS check?

      4. a_yank_lurker

        Re: There is no need to read her email for it to be a disaster

        In intelligence there is the concept of securing your own communications so whoever is listening has to work hard to, one, get the raw intercept and, two, decode it. By apparently running a poorly secured server, Hildabeast made everyone's snooping very easy. At some point all the encryption must be removed for human-readable text, and it is likely the snoops were sniffing when this happened.

        1. tom dial Silver badge

          Re: There is no need to read her email for it to be a disaster

          "At some point all the encryption must be removed ..."

          For a while this was not a problem. Reports published some time ago had it that for the first few months of operation the server in question lacked a certificate and the ability to encrypt http links.

  3. herman

    RDP and VNC? The level of cluelessness is despairing. Fortunately, this server only had unclassified email...

    1. Mark 85
      Trollface

      Pssst.... you forgot the joke icon.

      Cluelessness.. yes... Unclassified email.. err.... not all of it, as has been reported.

      1. oldcoder

        It isn't classified until someone classifies it...

        And that wasn't done until AFTER the mail was handed over...

  4. Anonymous Coward

    what does shodan say for these machines?

    Or for that matter, I'm sure Michigan State University and various other research institutions have scanned her ISP's netblock.

    I just thought of something else. What do you think the Google Maps wifi scan found when they drove past her house?

    1. Anonymous Coward

      Re: what does shodan say for these machines?

      > I just thought of something else. What do you think google maps wifi scan found when the drove past her house?

      Good question. Perhaps I'll see what WiFi Analyzer shows me the next time I'm on that side of town (as much as I despise driving through Chappaqua for *anything* these days).

  5. tom dial Silver badge

    It makes me sad that this person, who one reasonably supposes declined the advice of the CIO in a sensitive government department, ran an almost certainly unauthorized and apparently quite insecure server on which were stored sensitive government communications, and failed (although quite selectively) to ensure that the department's employees followed the laws and regulations governing information assurance, might actually be elected President.

    I have as little respect for the State Department CIO who allowed this to happen.

    1. ZSn

      That CIO would like to keep their job. If they stand up to Hillary, no matter how stupid her actions, they would be out on their ear. Doing your job properly is no protection against a vindictive politician.

      1. 404

        And that, sir, is why we can't have nice things...

        Too much deadwood and placeholders in the US Government.

      2. tom dial Silver badge

        That CIO was a high ranking Foreign Service officer, almost certainly receiving a salary well into six digits (in 2009). If worth her salt, she would have been able to get a comparable job in the private sector or another government department; in the event, she was appointed CIO at the International Monetary Fund in mid-2012. Furthermore, in the worst case she would be protected against retaliation by the applicable whistleblower laws and at worst be assigned, with saved grade and pay, to a null job. Alternatively, since she

        The presently incumbent CIO was Deputy CIO and CTO for operations from 2011 until his appointment in 2013, had extensive prior IT experience within the Department of State, and has a master's degree in Management Information Systems.

        One or the other of these officials should have been aware that Ms. Clinton chose to use a private server for her official email - perhaps advised by a conscientious subordinate or other State Department employee.

    2. Tom 13

      @ tom dial

      Anyone familiar with the Clintons and their modus operandi would NOT reasonably assume the CIO provided such advice. Instead they would assume he wasn't consulted.

      Everybody keeps dancing around what we all know: $Hrillary was selling access to State through Bill and Chelsea via the Clinton Foundation. The server was intended to keep all that secret which was why she deleted MORE personal email than she turned over to the government. You don't ask the CIO about something like that because it causes too many plausible deniability problems down the road.

      Even the whole one device meme she keeps trying to start is transparently a lie. And I mean beyond the NYT showing her using an iPhone when she was supposedly issued a Blackberry. Because of the Hatch Act, it's illegal to use your government account to engage in fundraising activities of any sort. In fact, an aggressive prosecutor can go after you for posting anything even slightly partisan using a government device (not account). And because of the Presidential Records Act (which means the whole Executive branch, not just the President) you HAVE to use a government account and server. It's not just a guideline, or a regulation. It is in fact the ONLY way you've got a 50/50 shot at complying with the law. So she's now up to two email accounts. Then you get into the whole classified angle and you're up to THREE accounts.

      1. martinusher Silver badge

        Re: @ tom dial

        If Hillary's email is anything like mine then there will be a lot of deleted mail traffic. It won't be super-secret nefarious plans, just never-ending pitches for dubious products, phishes, appeals to help get secret funds out of African countries and so on. Junk filters take care of a lot of this before it even hits the inbox. This whole email thing is another Benghazi, just an attempt to make political capital out of a rather ho-hum issue (since there wasn't a specific prohibition on what Hillary was doing until after she left the State Department).

        Knowing what we know these days I'm confident that if we really wanted to read all her mail then we'd just have to ask the NSA for a copy.

        1. Tom 13

          Re: @ tom dial

          (since there wasn't a specific prohibition on what Hilary was doing until after she left the State Department)

          Another DNC kool-aid drinker I see. NO, it was not an internal prohibition which came into being in 2014. IT IS IN FACT A LONG ESTABLISHED LAW. It's called the Federal Records Preservation Act and its origins are all the way back in WW2.

          Here's a little snippet that pretty much puts your lies in the grave:

          http://www.ediscoverylaw.com/2004/12/preservation-of-email-required-under-federal-records-act/

          To put it simply, in 1993 the DC Circuit Court (so regardless of SCOTUS it has jurisdiction over DC unless reversed) found:

          1. Email constitute federal records.

          2. The electronic record itself still constitutes a federal record even if paper copies are printed

          3. Must be managed and preserved as per the Act's requirements.

          Shorter synopsis: There isn't a statement $Hrillary has made about her email which is true.

          1. dieselbug

            Re: @ tom dial

            Yet her predecessor at State under GWB and his VP, both used personal email servers and not. one. Congressional. Inquiry.

            Explain.

            1. tom dial Silver badge

              Re: @ tom dial

              Clinton's predecessors used personal email *accounts*, not (unauthorized, personally owned, badly configured, and highly vulnerable) *servers*. There is a difference.

              In addition, under earlier Secretaries, email was less important compared with old fashioned telex type messaging. This is explained in an interview with the CIO who served from 2009 - 2012, available on youtube at about 13:45:

              https://www.youtube.com/watch?v=WmxMRJzQgxU

      2. tom dial Silver badge
        Joke

        Re: @ tom dial

        Nonsense. Everyone knows that all this is a Republican conspiracy to prevent Hillary assuming her rightful place as the Democratic presidential nominee or, failing that, to gather ammunition for their candidate to use in the election campaign.

        A couple of additional observations in non-joke mode:

        Based on the information reported in the article, the private server did not comply with FISMA requirements, and probably was not certified and accredited by the department CIO.

        The secure network should not be connected electrically or logically to the non-secure network. Any email capability there should be limited to that network. That classified (and classifiable) messages seem to have been sent or received on the internet and probably the non-secure State Department network suggests fairly widespread ignorance or disregard of proper security behaviour among the employees and, perhaps, by the CIO's office and the CISO or equivalent, who normally would have a (possibly additional) reporting chain that bypasses the CIO.

    3. oldcoder

      Like the OPM hack?

      Or the Department of State Email hacked so bad they couldn't even use it?

      Using Windows for anything is not safe - yet people still do it.

  6. A Non e-mouse Silver badge

    Password not service?

    Surely, it doesn't matter what service is exposed (RDP, SSH, VPN). What matters is how strong the authentication is?

    Having a password of, say, "?[au]f'=){p71 F" on RDP is better than a username/password of root/root on VPN?

    Unless what is being claimed is that the RDP protocol is weaker than, say, an IPSEC VPN so more hackable?

    1. Anonymous Coward

      Re: Password not service?

      Password security is only part of the solution. Services like RDP and VNC can be hacked without a password due to widely available exploit code.

      If they are stupid enough to allow these ports to be open to the Internet, they are likely to be stupid enough not to patch them against these attacks.

      1. Anonymous Coward

        Re: Password not service?

        "Services like RDP and VNC can be hacked without a password due to widely available exploit code."

        Still a better choice than say SSH though - which has historically had more exploits.

        1. phil dude
          Trollface

          Re: Password not service?

          Anon - you forgot your troll icon...----->

          P.

        2. This post has been deleted by its author

        3. Anonymous Coward

          Re: Password not service?

          Sometimes arguing with idiots is what I do. Here goes....

          Remote access over the Internet is bad if you are solely relying on a username/password combination and the HOPE that those applications do not have vulnerabilities which allow them to be compromised without a user/pass.

          VNC and RDP and Telnet and SSH and Remotely Anywhere versions along with a raft of other remote access tools have all been shown to be vulnerable to exploit. Maybe they are running a version which isn't but it will be more by good luck than good management if they are, given the stupidity which led them to doing this in the first place.

          Simple user/pass protection is not enough. Best case scenario they iterate through a password list and lock out accounts. Worst case, they find the password and have a ready made remote access tool in place.

          If the server is compromised with malware, you don't even have to put a RAT in place as there is already remote access in place for you to use.

          Remote access tools should have multi-factor authentication. The requirement for additional keys, only accepting connections from a specific IP address, banning IPs which attempt hacks, VPN-only access...

          It seems the down voting commentards know a lot less than they think they do. Try googling the Dunning Kruger effect. You are probably overestimating your knowledge and competency.
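The two comments above (A Non e-mouse's "is the password what matters?" and the reply that a bare user/pass on an internet-facing RDP or VNC port is not enough) both turn on the same operational point: an exposed remote access service needs lockout and source banning on top of the password, and a successful login from a source that was just brute-forcing is the signal that the password was found. The following is an added example, not code from the article, from any commenter, or from any real product. It runs a sliding-window failure count per source IP and per account over a constructed authentication log; the log format, field names, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real server): one authentication
# attempt per line against an internet-facing remote access service.
# The format "timestamp src=IP user=NAME result=FAIL|OK" is an assumption.
SAMPLE_LOG = """\
2015-10-14T02:00:01 src=198.51.100.7 user=administrator result=FAIL
2015-10-14T02:00:03 src=198.51.100.7 user=administrator result=FAIL
2015-10-14T02:00:05 src=198.51.100.7 user=administrator result=FAIL
2015-10-14T02:00:07 src=198.51.100.7 user=administrator result=FAIL
2015-10-14T02:00:09 src=198.51.100.7 user=administrator result=FAIL
2015-10-14T02:00:11 src=198.51.100.7 user=administrator result=OK
2015-10-14T02:05:00 src=203.0.113.9 user=jdoe result=FAIL
2015-10-14T02:05:40 src=203.0.113.9 user=jdoe result=OK
2015-10-14T09:00:00 src=192.0.2.10 user=sysadmin result=FAIL
2015-10-14T09:30:00 src=192.0.2.10 user=sysadmin result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|OK)$")


def parse_line(line):
    """Return (timestamp, source_ip, user, result), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.fromisoformat(ts), ip, user, result


def analyse_log(text, threshold=5, window=timedelta(minutes=10)):
    """Count failures in a sliding window, per source IP and per account.

    Returns a dict with:
      banned_ips     : ip   -> ISO timestamp at which the source ban takes effect
      locked_users   : user -> ISO timestamp at which the account lockout takes effect
      suspect_logins : (ISO timestamp, ip, user) for every successful login from a
                       source already banned or into an account already locked,
                       i.e. the password-list run most likely found the password.
    """
    ip_failures = defaultdict(deque)
    user_failures = defaultdict(deque)
    banned, locked, suspect = {}, {}, []

    for ts, ip, user, result in filter(None, map(parse_line, text.splitlines())):
        if result == "FAIL":
            # Same sliding-window rule applied to the source address and to the account.
            for key, table, out in ((ip, ip_failures, banned), (user, user_failures, locked)):
                q = table[key]
                q.append(ts)
                while ts - q[0] > window:  # discard failures that fell out of the window
                    q.popleft()
                if len(q) >= threshold and key not in out:
                    out[key] = ts.isoformat()
        elif ip in banned or user in locked:
            # A success after the ban/lockout threshold was crossed is the worst case
            # the comment describes: the attacker now has a working remote desktop.
            suspect.append((ts.isoformat(), ip, user))

    return {"banned_ips": banned, "locked_users": locked, "suspect_logins": suspect}


if __name__ == "__main__":
    for name, value in analyse_log(SAMPLE_LOG).items():
        print(name, value)
```

On the sample, 198.51.100.7 crosses the threshold on its fifth failure against "administrator" and then logs in two seconds later, so it shows up in both ban lists and as a suspect login; jdoe's single typo and the two widely spaced sysadmin failures trip nothing. The per-account lockout is the double-edged part: it is exactly what a password-list run trips, which is why the comment calls that the "best case", and why a service that must stay reachable should pair it with a source allowlist or VPN rather than rely on lockout alone.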

        4. oldcoder

          Re: Password not service?

          Actually, fewer exploits.

          Windows as a whole is the worst for exploits.

  7. Anonymous Coward

    Why both? They both pretty much do the same thing.

    Seems to me this non-story is being repeated over and over again, is she running for election or something?

    1. Roland6 Silver badge

      Re: Why both?

      These articles provide some more details:

      http://bigstory.ap.org/article/5ad0f6bb57eb487f84e98fe9a74a08b1/clinton-subject-hack-attempts-china-korea-germany

      http://bigstory.ap.org/article/467ff78858bf4dde8db21677deeff101/only-ap-clinton-server-ran-software-risked-hacking

      Basically, it seems that like many SMEs and home office setups, Hillary was calling on different people, and so whoever was responsible for the website console preferred VNC, whereas whoever was responsible for the Windows Server (I suspect it was an SBS server) preferred RDP. And probably Hillary's security consultant didn't know about this because they were never sufficiently hands-on to get a full understanding of Hillary's actual home setup, rather than the one they had advised her to use.

      Been through this with a client who has upgraded/refreshed to WS2012-R2, and who has implemented RDS Server to allow people to work from home. The IT supplier has set this up using MS defaults, so if you attempt an RDP connection to their router you will be automatically forwarded to the RDS server, which as we know from various MS statements over the years is hackable... Similar considerations apply to OWA... So in my experience Hillary having the VNC and RDP ports open on her Internet firewall/router isn't something to be surprised about; likewise I suspect her email server used the standard ports and wasn't hidden behind a cloud-based mail preprocessor.

  8. Hans 1

    Who says it was not the Microsoft scammers who called her up and said "Hello, we are Microsoft, we need to fix your computer, please download this software (VNC) and install it for us to take a look" .... the rest is history.

    Seeing that VNC stores passwords in clear text, ROFL ...

    >Having a password of, say, "?[au]f'=){p71 F" on RDP is better than a username/password of root/root on VPN?

    Better, yes, still braindead, though.

  9. Your alien overlord - fear me

    Er, it's a mail server. I'll let you guess which port is open to the internet for, I dunno, receiving emails.

    1. Anonymous Coward

      25 yes. Ports for RDP and VNC should not be.

      1. Tom 13

        We haven't used port 25 on any of our mail servers in at least 5 years. It's too much of a target for hackers.

        Oh, and yes, we are a MINIMAL security system. Meaning most of what we do is SUPPOSED to be available to the public. Only salaries, internal discussions about contract awards, and NDAs signed with private companies about their trade secrets are excluded.

        1. Anonymous Coward

          We haven't used port 25 on any of our mail servers in at least 5 years. It's too much of a target for hackers.

          So what do you put in your MX records to indicate the alternate port number for SMTP?

      2. tom dial Silver badge

        RDP and VNC were open...

        To allow Platte River Systems, located in Colorado, to administer the server, which was in New York. Platte River was hired in 2013 to take over administration from Bryan Pagliano, who had been IT manager for Hillary Clinton's 2008 presidential primary campaign and was hired as a special assistant to the CIO at the Department of State shortly after Ms. Clinton was confirmed as Secretary of State. According to a spokesman for Ms. Clinton, the Clintons paid him from personal funds to administer the server, although that put him in a fairly obvious, and serious, conflict of interest position.

    2. Anonymous Coward

      Usually receiving and sending unencrypted emails too :) This comments page is fascinating to see what different people think is and is not secure. Our industry scares me sometimes :)

    3. Preston Munchensonton
      Pint

      Ports, plural. The email services would not be isolated to just receiving emails, but also sending. I would love to look at the full list found, because I'm betting that they had TCP 25, 110, and 143 all wide open. I would also think all the NetBIOS ports were open. This is so funny that I'm crying with joy.

      1. a_yank_lurker

        The problem is many are missing (deliberately?) the point that very poor security practices were used by Hildabeast and her minions. Good security practice is to isolate the servers as much as possible. Also, to have only those ports open that are needed, and to secure them with proper authentication. On an email server at most 4 ports are needed, and if only POP or IMAP is supported then 2 ports are needed.

  10. Warm Braw

    Picture

    I wonder if Ms Lewinsky's laundry ever supplied a label reading "heavy use, now perfectly clean"?

  11. Stevie

    Bah!

    I'm so tired of this storm in a teacup.

    So far I've seen no evidence that anything at all was sourced from this server as opposed to being sailed on a raft from various other government machines. And if there were so much as a hint of that, it would have been page one at the New York Post, not to mention the flag behind which the committee "investigating" the matter would rally in a storm of self-aggrandizing publicity and righteous indignation.

    It seems, contrary to popular wisdom on the matter, in this case security by (extreme) obscurity worked to prevent any leaks.

    Also: "white hat botnet"? Wait, what?

    1. 404

      Re: Bah!

      It was the New York Times that broke the story fyi - which created the email firestorm. Everything else snowballed from there, from Hillary lying about it, being flippant, wiping the server, etc. She did it to herself and is not fit to be President if she's that stupid/arrogant.

      Also curious about your 'I've seen no evidence' - why would anyone crow about it? That would lead to losing access to a prime target for information and possible retribution.

    2. Crazy Operations Guy

      Re: Bah!

      "Also: "white hat botnet"? Wait, what?"

      Yes, they exist. That term would apply to such projects as SETI, Folding@Home, and any other service where you allow a remote system to use resources on your machine. I've known plenty of security researchers that volunteer machines on their networks for such purposes where they all have access to all machines for the purpose of working on specific tasks from multiple angles or to just test firewall / IPS configurations (Being able to test from dozens of different networks / countries is invaluable)

      1. Lusty

        Re: Bah!

        Normally we just call that distributed computing. It's not a white hat bot-net because there are no "bots" involved, it's all voluntary people running software and there are no hackers, white or black with absolutely no hats. The only bit that really applies is the network, and that's just the Internet.

    3. Donn Bly
      FAIL

      Re: Bah!

      You say you haven't seen any evidence that anything was sourced from the server? I suppose you missed this, which was published here a little over a month ago

      http://www.theregister.co.uk/2015/09/04/clinton_email_auction_twist_secure_hacker/

      The problem is that a government official set up a server for the specific purpose of attempting to skirt the laws of the nation, got caught doing it, has KNOWINGLY made a number of untrue statements about it, left top secret, classified, and other confidential materials in the hands of those not authorized to access them, and went out of their way to obstruct other government officials from doing their job of securing the materials after the fact.

      The knowledge that the server was implemented in an insecure manner is hardly surprising, given the overall situation.

      1. Stevie

        Re: You must have missed

        But even a foreign policy expert would struggle to verify the claims here and the whole exercise might just as easily be the work of an enterprising chancer.

        I have now. I was taken by the paragraph above in light of the fact no further revelations seem to have transpired.

        You are aware the private e-mail server, while unwise, was not against the rules that were in play when it was set up and for most of its life? Sending classified stuff to it was, though the nefarious swath of compromised secrets doesn't appear to be there in the sort of abundance that was eagerly anticipated by some.

        Storm in a teacup judgment still in place. If there was any meat on those bones we'd have seen it trumpeted far and wide by now.

        1. tom dial Silver badge

          Re: You must have missed

          The Federal Information Security Management Act of 2002 (FISMA) covers computer equipment used to store or process government data and requires NIST to issue implementing technical requirements. NIST did that around 2005 and 2006: FIPS 199, FIPS 200, and SP 800-53 (and possibly others) apply to the server or servers that hosted clintonemail.com beginning in 2009. I do not have to look to be pretty sure they do not allow either RDP or VNC access from the public internet. The server was operated in violation of federal law, probably for its entire service life. And that does not even touch on the fact that, as it turns out, it stored classified (and classifiable) material that never should have been placed on any server connected to the internet.

          This is not a "storm in a teacup" but a matter that goes straight to the question of whether Hillary Clinton should be given another public trust position.

          1. Stevie

            Re: I do not have to look to be pretty sure

            "Everyone knows". Pfft.

            teacup.storm = true;

    4. 100113.1537

      Re: Bah!

      A US presidential election is fought almost entirely on the record and personal morals of the candidates. A former senior government appointee operating a non-governmental email account for government business, but also running this on a private server (however secure) is breaking a lot of rules. Yes, she is not the first (I understand Colin Powell did this - for a while and this was why the rules were re-iterated after he left), but this person is now running for president.

      Furthermore, this person was not some government newbie, but someone who had been the First Lady for 8 years and so cannot reasonably claim not to have known the issues at hand or the consequences.

      This is not a storm in a teacup, but goes straight to the issue of the fitness of this person to be president. This is why it is big news, and will continue to be big news while she is a candidate. Get used to it.

    5. tom dial Silver badge

      Re: Bah!

      Intelligence agencies do not, as a rule, tout their successes.

  12. bpfh
    Joke

    And so what is the problem?

    She has been lambasted for using a private server and not making her mails available to the world, but in fact she already had and was one step ahead of everybody.

    I'll get my coat...

    1. Yet Another Anonymous coward Silver badge

      Re: And so what is the problem?

      Open government. Everyone can be their own NSA

  13. simpfeld

    What is more shocking leaving VNC/RDP open to the Internet....

    or trusting a Windows email server to be Internet facing at all. Slightly better to even front end it with something.

    1. Crazy Operations Guy

      Re: What is more shocking leaving VNC/RDP open to the Internet....

      With her money and the sensitivity of the data she was working with, I'd have figured that she would have had at least a layer of Cisco ASAs on the front end, with a layer of Palo Altos behind that for proper defense-in-depth. Then behind those, running a pair of OpenBSD-based mail servers running Dovecot. For authentication, I'd expect nothing less than 1024-bit client certificates with 16-character passwords.

      She also should have never, ever used that same account for personal email. Use one of the plethora of free email services out there for that, or set up a second account/domain on the mail server for that.

      What I suspect happened was that some high level exec at her foundation had a kid "that is good with computers". That kid then proceeded to go to a big-box store, pick up a high-end machine, a copy of Windows Server Small Business Edition, and a Datto backup drive (which, by the way, was sending all her backups to a commercial cloud service)[1].

      What angers me the most about this whole thing is that Secretary of State is a very, very sensitive role. Even simple phrases must be carefully considered lest you put your country on the brink of Nuclear Armageddon (See: Khrushchev and "We will bury you"). For all we know the Crimean Crisis could have been started by the Ukrainian ambassador sending an email to Clinton where he says that the Russian ambassador smells like spoiled cabbage, then Clinton agrees. That conversation finding its way into the hands of the Russians could easily cause talks to break down, leading to countries responding by force rather than diplomacy (It's happened over some even pettier reasons before). Of course that is just a theoretical example, but my point is that something like that can have far-reaching and devastating consequences.

      [1] http://www.mcclatchydc.com/news/nation-world/national/article37968711.html

  14. Anonymous Coward
    Anonymous Coward

    Something we can ALL agree upon

    All this US vs. UK is silliness...

    Seriously - I hate the French.
