Philip Bump is a Hack. Clinton's email was at risk.

Philip Bump, Washington Post reporter, is ready to criticize or talk down every candidate for President not named Hillary Clinton. But her, he’s ready to stick up for. He claims that “our technical ignorance” is hurting her.

Sorry, I’m not technically ignorant. I’ve personally set up email servers from scratch. And Hillary Clinton was negligent in keeping her email on servers far below the appropriate standards of security. Even if Clinton’s server was secure enough to protect cookie recipes or photos of grandchildren, it was nowhere near up to proper standards for data relevant to US national security and foreign policy interests.


state-department-email-security-vpn

Bump is a real Forrest Gump. He’s been a climate expert, economic expert, and now he apparently is a systems administration expert in his own mind.

He makes a few points attempting to defend Clinton. Let’s take this apart one step at a time to show why she was recklessly negligent with classified data:

First, Bump says “that someone from China tried to hack into Clinton’s server doesn’t mean 1) that they were targeting Clinton specifically, 2) that they were agents of the Chinese government, or 3) that they were actually able to access information.” Well, in truth: 1) It is evidence it’s possible, 2) it’s evidence the server was vulnerable to password guessing, and 3) unless the server had logs of every login, we can’t know if they got access or not.

If classified email had been kept on secured servers accessed via VPNs, we wouldn’t have to cross our fingers and hope a determined Chinese script kiddie with a dictionary attack script didn’t guess a password. The data should never have been on a server with login ports open to the whole Internet to begin with.

Second, Bump shills “Hackers will often ‘port scan’ IP addresses to find vulnerable systems.” Yes, and there are ways around that. You put servers on VPNs, adding a layer of defense between the broad Internet and your precious data. You block ports to connections from unauthorized IP addresses, so that you’re limiting access only to known good locations (like, say, the State Department headquarters in Foggy Bottom). You can even use sophisticated techniques like port knocking to defeat simple, broad sweeps.

Third, Bump (trying out for the role of Napoleon’s sheep) bleats, “a full ‘wipe’ of the server would be a best practice when decommissioning a server.” That’s true, and the fact that it was claimed the server was wiped, when in fact the data was recoverable, shows that industry best practices for the wipe were most definitely not followed. Had the drives been erased and repeatedly overwritten according to government standards until the data could not be retrieved, then it would have been successfully wiped. The fact that they tried to wipe it, but failed, shows Clinton’s email server has not ever been managed in a secure manner.

Bump tries to cover for this by suggesting “it can be assumed that the account was deleted at some point,” but that’s exactly the point. The account was deleted. Someone tried to erase this sensitive data, including satellite intelligence, and did not use standard practices to erase it correctly. It was treated like some throwaway email account on gmail.com, and erased with no care about who could unerase it. Insecure administration by unqualified administrators.

Fourth, Bump desperately hopes you won’t notice the failures with respect to malicious emails sent to her. “But it could not, Fidler said, directly compromise her e-mail server, unless she was checking her e-mail on the server itself,” he writes. Well, getting access to Secretary Clinton’s personal user account would have been disastrous enough. Email is a common means of sending passwords, and on top of that, any ‘notes’ she had on a phone (including passwords, a common practice) would have been stored in a folder within her email account.

But why was she receiving these malicious emails in her inbox to begin with? Actual government servers have layers of filtering and quarantining, leveraging the fact that they’re monitoring lots of accounts to catch them before the user can ever accidentally click. That Clinton was getting these demonstrates that her server, once again, was simply not up to the standards of security we see even from less-sensitive government servers, let alone the State Department.

WaPo says “Philip Bump writes about politics for The Fix.” He should stick to politics, because systems administration is not his area. Clinton’s email situation was a wreck, and demonstrates why it’s a terribly bad idea for important government officials to roll their own email at home. Clinton was negligent, and must be held accountable. Any expert can see this.