Parsing the Clinton Email Scandal
Jul 11, 2016 9:57 AM PT
I've been watching the Clinton email scandal closely, because I not only have been in and out of law enforcement and security for much of my early life, but also was an internal auditor for IBM and one of the leading email experts in the 1990s. I think this is the only time I've seen an investigator channel a prosecutor in making a recommendation, and give someone a pass without addressing why crimes were committed.
For instance, if a child were injured and the parent could be charged, the investigator might recommend leniency because the parent intended no harm and the accident could have happened to anyone. However, seeing an investigator recommend leniency because it appeared unlikely the prosecutor would enter a charge -- particularly given how serious the investigator clearly viewed the breach -- brought back memories of when I was in a similar situation, and it doesn't bode well for how things are done in Washington.
I'll share some stories and then close with my product of the week, the Fitbit Blaze, which I think is more Steve Jobs iPod-like than the Apple Watch. (I really think Apple screwed up.)
The Importance of Email
Email is one of those things that gives CIOs nightmares because there is no upside to it. Folks expect it to work all the time. Should it not, it can escalate quickly to the CEO and members of the board, all of whom tend to jump to the conclusion that the fix should be a new CIO.
Some of my best stories revolve around email. For instance, one of my own biggest moments was when I was being briefed by Jim Barksdale, then CEO of Netscape (the firm that effectively created the modern Internet and then committed suicide). I'd told him about a presentation by his folks to Boeing on the company's email solution, in which the presenter stopped, checked his watch, and said something like "the market is closing, wonder where my stock options are at."
The Boeing employees were so turned off by that they didn't want to see Netscape ever again. Barksdale called me a liar right then and there and bet me US$100 the story wasn't true. I ended up with the $100 and one hell of a story.
Another time Microsoft was making a big deal about how great its Exchange email system was. Don't get me wrong -- I was and remain a fan. However, when I called the first multinational reference, I got a guy who said, "Love to talk, but I can't because eight of our nine Exchange servers are down and the CEO wants my head." Not exactly a glowing reference. To be fair, it was very young then and not really ready for a multinational.
Email also plays a big role in catching employees doing inappropriate things. One of the most fun parts of doing an audit was looking at email. (Much of the work in an audit is pretty grueling. We regularly worked six and a half days, and our workdays were 12 to 18 hours long.)
Affairs -- people often use email to send really inappropriate pictures that you can't un-see -- theft, bribes, and other illegal and termination-level offenses show up in email. Further, it's often where you discover security breaches. When employees choose to use personal email, it is often to cover up a crime, which is why that practice generally isn't tolerated when conducting company business.
However, this is just to showcase how important email is. Companies and governments run on communications, and email provides both a method to communicate and a record of the communication. That is why email is heavily mined in litigation and firms tend to have email-deletion policies. It also contains everything you need to execute a phishing -- or particularly, a spear phishing attack -- which can be incredibly devastating to a firm or government.
Oh, and regardless of how secure your site is, you are only as secure as your weakest link. For instance, back in the 1980s, IBM created a showcase company that it felt was impenetrable. It hired an ex-CIA specialist to break in, planning to market his failure. It took him a couple of days to breach the system. He didn't even try to breach the site -- he simply looked for an insecure trusted data link and breached it, gaining access to the firm and showcasing the weakest link problem.
The unanswered question remains, "Why?" I have never in my life seen someone who was willing to accept the cost of running a personal IT service for convenience. You have to pay for the hardware, hire the administrators, secure the damn thing, ensure uninterrupted power, and keep up with all the patching. Sure, there are those who want to use Gmail or Outlook.com, but those costs are trivial compared to hosting your own email server. Seriously, outside of a few old geeks who do it themselves, no one does that.
Now, if you did this and you were an experienced executive, you'd sure as hell secure the crap out of it because if it was breached you'd be shot. Making sure there was no tracking so a breach couldn't be detected must be a political thing, because in my world you simply would assume a breach took place and fire the executive.
However, the "why" part is really important, because unless there is some great need to run an IT shop, no sane person would host an email server for convenience. It wouldn't be convenient at all -- it'd be a pain in the butt. Any number of free email services are generally far more secure than anything you or I reasonably could deploy, and they are free.
The reason the "why" is important is that with any third-party email system, you don't control the record and the content can be subpoenaed. You can blow up your own server -- and with no tracking, you can delete parts and leave no record to easily be found.
One final thought before moving on. The big problem isn't just the possibility of a crime; it is that a system is only as secure as its weakest link. This email server likely compromised the security of the nation, and the "why" would need to justify that level of risk. That's why knowing it is so important. Yet an experienced investigator seemed to leave that out of the report.
Now, to be clear, if an executive used a private email server but it wasn't discovered until after the person's voluntary departure, we likely wouldn't track the individual down and try to impose some creative punishment (unless we found hard evidence of something like embezzlement).
We'd make sure a product like Varonis was in place to immediately issue an alert if anyone tried to do the same thing again, and we'd flag that person's HR file. I'll tell you one thing that wouldn't happen, though. We wouldn't let that exec get on any list ever that would allow rehiring -- and certainly not as CEO. Because, you know, that'd be really stupid.
Wrapping Up: Snowden and Manning
I've always had an issue with the way both Snowden and Manning were treated. Yes, they leaked confidential information, but in both cases the crimes that were uncovered through those leaks by government employees seemed to exceed the crime of the leaks. Yet that wasn't reflected in the focus.
If the State Department's email was insecure, much of what was leaked likely was not secured either, suggesting those hostile foreign governments may already have had much of that stuff, thanks to Clinton. The irony is Snowden's and Manning's stated "why" was to stop the cover-up of multiple crimes -- so their "why" should have resulted in a recommendation of leniency yet it didn't. Snowden in particular is having a WTF moment.
One final thought: If you gain access to a firm's email, then you have everything you need to execute a phishing attack and pretty much gain access to everything. That is likely why the head of the FBI looked so pissed on his call, and why he was very careful to say the recommendation wasn't his, but what he thought the Attorney General would do regardless of the evidence. (Watch the video again -- impressive wordsmithing.)
It does kind of make you wonder why the government spent the money on the "investigation," but I did feel for FBI Director Comey. After the third time I was directed to change my own recommendations, I was out of audit for good.
Sometimes you have to vote with your feet.
I got my first iPod from Steve Jobs personally, along with a huge stack of CDs (because there was no iTunes back then). What made the iPod stand out against its competition was that it was very easy to use, and it excelled at one thing: playing music. It really didn't take off until two years later.
Now it wasn't bad looking. Sony's products were far more attractive but an incredible pain to use. They were so focused on keeping people from stealing music, they screwed up the user experience. Apple didn't care about music theft -- it wasn't its problem -- and the result was a far better product.
One of the most popular uses of the iPod nano was to put it on a strap and put it on your wrist. The FitBit Blaze ($180 on Amazon) is closer to this ideal than the Apple Watch, which doesn't even follow the iProduct naming methodology.
The Blaze is a decent watch and activity tracker, but the cool part is you can take the watch part and swap out the surround and band to match your wardrobe. The same watch can be black, silver, gold, or an increasing list of other colors (they even have rubber hardened cases for it now).
I've personally found black with a mesh steal band and magnetic clasp my favorite. It does a decent job of tracking activity, alerting me on calls, and giving me SMS messages. I didn't have to spend a lot of time learning it, it has several days' battery life, and when I'm doing the treadmill desk I can put it in my sock to track steps without the band. (The problem with a treadmill desk, which I use mostly for gaming, is you don't move your arms, so the steps don't count if your tracker is on your wrist). Oh and the Blaze works with a variety of platforms -- not just iOS.
I think it is closer to Steve Jobs' ideal than the Apple Watch is, and it does look a lot like that old iPod nano with a wrist strap. It isn't often that another company builds a more Apple-like product than Apple, but given that it is my new favorite fitness tracker/watch, the FitBit Blaze is my product of the week.