Security Nightmare: Clinton’s Sloppy Server Put Everyone Who Emailed Her At Risk

AP Photo/Seth Wenig

The black comedy of Hillary Clinton’s transparency-evading homebrew server grows more incredible with each new revelation. Yesterday we found out she didn’t sign off on the paperwork to verify that she returned all official correspondence and classified information to the State Department, neatly avoiding a signature that would have put her in danger of perjury charges, since she clearly didn’t return that information. We’re told not to worry about the absence of this form because her predecessors Colin Powell and Condoleezza Rice didn’t fill it out, either.

You know what else Powell and Rice didn’t do? Run all of their official correspondence through secret homebrew email servers.

It’s predictable, but still astonishing, to watch Clinton apologists claim she didn’t need to sign off on her exit paperwork after four years of running a private data tomb the State Department knew about from the very beginning.

Clinton’s secrecy and disregard for laws and State Department policy are one part of this story. Her hypocrisy, after shrieking about how the Bush Administration supposedly offended the Constitution by occasionally using private email, is a second – although by now we should all understand that “hypocrisy” is a Beltway sin only Republicans can ever be guilty of. (Liberals have an unlimited license to change their minds, “evolve,” or simply flush inconvenient past statements down the Memory Hole.)

The third angle of the Clinton email scandal is the way she jeopardized national security in her drive for unaccountable secrecy.

We’ve learned a number of disturbing things about the security flaws in her homebrew server. The latest bombshell is dropped by Josh Rogin and Eli Lake at BloombergView: Hillary’s server admins didn’t bother to activate the system that prevents hackers from “impersonating or ‘spoofing’ her identity in messages to close associates.”

This vulnerability put anyone who was in communication with her account while she was secretary of state at risk of being hacked. Clinton said at the United Nations last week that there were no security breaches of her personal e-mail server, which she used to send and receive more than 60,000 professional and personal e-mails. But former cyber-security officials and experts told us that there were gaps in the system.

According to publicly available information, whoever administrated the system didn’t enable what’s called a Sender Policy Framework, or SPF, a simple setting that would prevent hackers sending e-mails that appear to be from SPF is a basic and highly recommended security precaution for people who set up their own servers…

Experts told us that oversight was just one flaw of a security system that would have been relatively easy for foreign intelligence services and others to exploit. “I have no doubt in my mind that this thing was penetrated by multiple foreign powers, to assume otherwise is to put blinders on,” said Bob Gourley, the chief technology officer at the Defense Intelligence Agency from 2005 to 2008 and the founder of Cognitio, a cybersecurity consultancy.

Everything we’ve learned about makes it look like a juicy target for foreign agents; I’ve thought since the beginning that the intelligence community needs to assume Clinton was compromised, especially during the early months when her email wasn’t even encrypted. Now it looks like she jeopardized the security of everyone who came into contact with her.

Rogin and Lake discuss how “spoofing” works in detail. To make it short and sweet, without the Sender Policy Framework that Clinton wasn’t using, it was possible for hackers to impersonate Hillary Clinton and her aides, potentially tricking those accustomed to receiving messages from into anything from divulging sensitive information in a reply to a fake message, to installing virus code laced into an email they believed was coming from a trusted source. That sort of viral attack, known as “spear phishing,” is very popular with the hacker gangs responsible for many of the high-profile security breaches of the past few years, including attacks on government systems.
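To show what a receiving mail server can and cannot decide with and without a published SPF record, here is an added example (not code from this article or the BloombergView piece). It evaluates only the ip4, ip6 and all mechanisms of RFC 7208, and the domains, TXT records and IP addresses are constructed for illustration.

```python
import ipaddress

# Constructed DNS TXT data (not real records). example.org publishes SPF;
# example.net publishes none, like the setup the article describes.
TXT_RECORDS = {
    "example.org": ["site-verification=abc",
                    "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8::/48 -all"],
    "example.net": ["site-verification=xyz"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def find_spf(domain, txt=TXT_RECORDS):
    """Return the domain's SPF record, None if absent, 'permerror' if several."""
    records = [r for r in txt.get(domain, [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return None
    return records[0] if len(records) == 1 else "permerror"

def check_spf(sender_domain, client_ip, txt=TXT_RECORDS):
    """SPF result for the IP that connected, claiming sender_domain."""
    record = find_spf(sender_domain, txt)
    if record is None:
        return "none"        # nothing published: receiver has no policy to enforce
    if record == "permerror":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"      # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # include, a, mx, redirect= etc. need live DNS; outside this subset
            raise NotImplementedError(term)
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"         # no mechanism matched and the record has no "all"

if __name__ == "__main__":
    for domain, ip in [("example.net", "203.0.113.7"),
                       ("example.org", "203.0.113.7"),
                       ("example.org", "192.0.2.5")]:
        print(domain, ip, check_spf(domain, ip))
```

SPF authenticates the envelope sender domain given in the SMTP session; the From header a recipient sees is covered only when DMARC alignment is also enforced.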

Clinton flacks responded to these revelations the same way they’ve handled all the others, robotically mumbling that Clinton ran a super-secure computer and everybody should implicitly trust every single word she says. She refuses to hand over the server for independent analysis or answer detailed questions about its security. She’s as accountable as she chooses to be, as secure as she wanted to be, and that has to be good enough for you peons.

It all reads like a satire of arrogance and corruption, filled with the sort of crazy details that satirists are normally reluctant to include, because they can only ask their audience to accept so much absurdity. If Clinton’s irresponsibility caused a major security breach, we’ll be watching this black comedy play out for years to come, whether she runs for office again or not.