This is a classic story that gets repeated again and again, and security professionals should take note; if you forbid your users from doing something, they will route around you to do it, and it will be end up being less secure than if you were involved.
Haroon Meer says that saying "no" is a finite resource that security professionals are too willing to tap. If an organization comes to see your department as an obstacle that shoots down ideas and never contributes, you end up ignored. Chip in with ways to make bad ideas less bad, because we already know that deploying any vendor's software is a loss to security.
The problem is that quite often security professionals say "No", provide reasons, and the person doing the asking insists that convenience is more important than security.
My favorite story of all time, which I'll share because it's now over 20 years old, had to do with a security vulnerability in the diagnostic trace component of a serial device driver.
The developer in question insisted it had to be there. A meeting with the two of us, as well as our bosses, and a "neutral" odd-numbered party was had.
I started by explaining the exploit. The developer then explained the need to have support staff (who weren't "root" users") able to enable the diagnostic trace feature. I then explained how a non-support person could trace a specific TTY (see, it is an old story!) and capture an entire login dialog.
Things weren't going well for me, so I then explained that it presented a security vulnerability which I'd have to disclose.
At that point in time, the developer got up out of his chair, and came across the table at me. His boss grabbed him, sat him back down, then agreed with my explanation and the feature was changed to require privilege.
If you think being a security professional is fun, it's not all sunshine, roses and egotistical power-tripping. It's a constant struggle to say "No" when people want to make products more "useable" and we want to make sure they are "secure".
I have a class with the guy who was in charge of infosec (or the closest thing they had to 'in charge') for US military in the Middle East from about 2004-2006. When he got there he implemented a policy forbidding use of flash drives, and in doing so made everyone furious. For his entire time there he was pissing off users, but maybe the capacity for accepting unexplained 'No's is greater in the military, so the policy held. Then as soon as he left, they got rid of his rule, and a year later Russia landed their worm on tons of DoD boxes, classified and otherwise, with some flash drives in a parking lot; as the largest ever of DoD networks, it led to the start of CyberCom. Talk about failing to get any buy-in...
I'm not sure I understand. Are you saying that security professionals should lower their standards because too many people don't want to follow the protocols that security professionals have determined to be the best course of action?
Must be nice to have a high enough position in life to ignore security protocols at whim. If I did that I would be fired.
Another way of thinking about it is that the security team is supposed to help other people do what they want to do securely. If X is insecure, make it secure. Now, if you're an IT department at some corp, you probably don't have the budget or the manpower to do that, so you have to say no as much as you can get away with it.
But when the Secretary of State wants to Do A Thing, and you're the NSA...
How is this a classic story? It's a story on Clinton just casually dismissing the security requirements, not some security technology meme where people game the password length and character requirements and monthly expiration and the arstechnica editor is going "we feel you!".
It's the state department. The same people that invoke "but secretz!" on every lawsuit.
I understand that is is very inconvenient to use the channels provided to transmit confidential information, but that goes with the job. It is also probably inconvenient to have a massive physical security detail follow you everywhere as well but that is also necessary as a high profile government official.
Securing mobile communications on a massive scale according to SCI government specifications does not happen overnight, and is not very easy. So unfortunately she has to use the channels provided, however clunky they are. I am sure Mrs. Clinton wouldn't hop into her car to visit a friend without gathering a full security detail. Yes this curtails her life, and yes it is inconvenient, but it is necessary just like securing her communications is!
It is like if I were working for a large bank, and I put in a back door VPN to the network since their VPN client only works on Windows, and I want to use Linux. Sure more convenient for me, but it is not my place to subvert security for my own personal convenience.
Not everything Secretary Clinton did was TS/SCI. The common practice is an Android device[0] that is approved to SECRET only. This would suffice for general email and messaging.
My understanding is that President Obama's blackberry [1] isn't really a mobile device as configured. This blackberry device connects to the a custom secure base station [2] or picocell, that follows him around just like the Football[3], when outside certain vehicles.
Another factor is that TS/SCI access is restricted by location. eg. AF1 or the Presidential vehicle.
I'm not sure the Secretary of State would have a full time [*24/7] detail, although as former First Lady, Sec. Clinton would have a Secret Service detail which is funded separately.
It would be more likely that the NSA offered a different solution and State Dept. bureaucrat balked at the cost involved, especially something like following senior staff around with a football.
I don't know why this comment was downvoted without explanation, because your point is correct: as a public servant, one is expected to live up to and follow the rules and laws dictated for that position.
Security is something you never need until you need it the most.
>I understand that is is very inconvenient to use the channels provided to transmit confidential information, but that goes with the job. It is also probably inconvenient to have a massive physical security detail follow you everywhere as well but that is also necessary as a high profile government official. ... I am sure Mrs. Clinton wouldn't hop into her car to visit a friend without gathering a full security detail. Yes this curtails her life, and yes it is inconvenient, but it is necessary just like securing her communications is!
Semi-OT, the president does exactly that in 24 season 3: there was an episode where he just decides, on a moments notice, to duck out (nearly) by himself to go visit a friend in a rich neighborhood and come back, and it's all over in 30 minutes. Really broke immersion.
She had a wired-computer she could check email on in the SCIF, but she refused and was only willing to read her email on a Blackberry, so her staff tried to get authorisation for one, failed, and then tried to get her a highly sensitive top level device just so she could check her unclassified email in the SCIF (she could use a standard Blackberry elsewhere).
I'm siding with the NSA here. She should just buck up and learn to check her email on a wired PC like everyone else.
This is easy when you work in an office every day at the same location for your job. As Secretary of State travelling all of the time around the world this isn't realistic.
The subtext of some of these stories seem to be that there was a great deal of tension between the intelligence community and the state department. In particular, this whole business about retroactive classification seems to be part of a larger battle on the issue of overclassification.
The arguement I have read is that the device the president had was only possible because he has a full security detail 24x7 that can keep track of the phone. Doesn't the secretary of state have that as well?
This is literally the highest level example of Bruce Schneier's theory that people understand risks, but security people don't understand people. [1]
Let's look at this classic case: they won't give Hillary Clinton access to a modified BlackBerry that Obama was using because it made security "unmanageable". Even though Clinton's position is literally one of the most important in the country, if not the world the NSA decided it was a security threat and so just didn't allow it to happen.
So Clinton setup her own email server infrastructure and conducted all State business through that.
So now those same security people caused a considerably greater threat to national security.
Someone should find who denied Clinton access to a secure BB, then they should be removed from any security related work. I almost feel sorry for them if Clinton becomes President, because their days will hopefully be numbered. But I don't feel sorry, because their short-sightedness caused a greater risk to U.S. National Security.
I totally agree. I ran into this myself fighting with high-assurance vendors over the tech that was limited to defense only. I said, "We have infrastructure, banks, I.P., and so on to protect. NSA's pentesters & certifications say these are only devices that can stop even them. These are American businesses, not foreign spies. Background check them, whatever, just get them security that works." Replies were always courteous denials on grounds of national security. That's despite that each system usually had tens of millions in taxpayer-funded R&D or nearly guaranteed contracts to get it started.
In all my time studying NSA's IAD, I could never be sure if this was just organizational issues or straight subversion. Snowden leaks made that harder rather than easier. Bell, of Bell-LaPadula fame, has a nice write-up of how they helped create high-assurance security market then destroyed it over time.
The A1 products he referenced still exist but government doesn't push them for rest of us. A NOBUS thing I guess. SNS Server (MLS LAN) is defense only, not sure about XTS-400 (now XTS-500 w/ Linux apps), and Aesec's GEMSOS might be available to commercial sector. I forgot to ask for clarity on that. Nobody outside high assurance or good CompSci has ever heard of them. Bleak picture for anyone investing in next high-security product, ain't it?
Nice, albeit biased, presentation on methods behind GEMSOS & old school high-assurance.
Holistic, pub-subscribe architecture leveraging SNS Server as "impenetrable" component to simplify overall scheme. That's overstating it but it's allegedly unbroken in field since released in early 90's. Embedded firewall is another old trick you can do today w/ Octeon II's or similar PCI card computers.
>So now those same security people caused a considerably greater threat to national security.
The logic here is that one adult's actions can be blamed on a second adult if the second adult doesn't allow the first one to get their way. Now imagine applying that to other situations.
It feel the same about these modern chip based credit cards. While giving a totally intangible security benefit these cards have brought great discomfort to everyone. A swipe takes around 1 second to register. Chip based cards take anywhere from 5 to 9 seconds with the message "do not remove card" flashing in between. Machines are designed such that you have to insert card in a slit you cant see, I have seen elderly people struggle to do that and cards falling out on floor creating more delays.
I really wonder if the wasted human time is worth saving handful of frauds.
> Someone should find who denied Clinton access to a secure BB, then they should be removed from any security related work. I almost feel sorry for them if Clinton becomes President, because their days will hopefully be numbered. But I don't feel sorry, because their short-sightedness caused a greater risk to U.S. National Security.
If you'd like to fire your security people who are too paranoid and obstinate, you'll find yourself without a National Security Agency. You should give them a manager who does understand people.
You're still missing the point. She may have gotten the job, but she didn't manage to get any love her new boss. When he got the new toy, he made sure the ID department told her to go pound sand.
I sincerely hope he hasn't changed his mind, and will not stand in the way of her indictment.
I would hope you'd also agree that if the people who didn't give Secretary Clinton the specific mobile device she wanted should be removed from security-related work, then so also should Secretary Clinton.
A number of comments here blame the security people or government IT in general for not being accommodating. That may be appropriate in some cases, but anyone who has worked in IT for any length of time understands how this happens. Systems that you don't like are created by bad policies, not bad IT people. Bad policies are driven by overly centralized security responsibility. The security department that says no to <X> because they are responsible for whatever you manage to do with <X>.
Think of a car accident. There is a diffusion of responsibility. The decisions both drivers made, road conditions, weather, speeds etc... You would only be concerned with the manufacturer of the car if one of the safety systems malfunctioned. Yet in the case of computer security we want to hang all the contributing factors/decions around one party: the security team. Imagine if General Motors was liable for every car accident; regardless of fault. Every time someone didn't put on their seatbelt, or drove through a flooded road etc... What kind of cars would be produced? Certainly not the kind you would enjoy driving.
The day that we can have the security departments we want is the day we understand that we can't absolve ourselves of all security responsibility.
Having dealt with classified work in a previous life, there's no doubt that if any normal joe without her political connections did anything remotely close to this type of thing, they'd wind up in prison.
Clinton will probably skate. And yet she'll be the first person demanding that we try Snowden and keep Chelsea Manning locked up.
It's not crystal clear that she violated any laws. Agency heads determine policy for their department's classified information, and she was the most senior of the agency heads. She had explicit authority to classify and declassify information, and to say how it can be disseminated.
There isn't that much statutory groundwork to support charges and what there is says an agency head "is assumed to be acting under executive authority", i.e. as the arm of the President.
The Congressional Research Service wrote a rather helpful summary[1] of the myriad aspects of classification and law.
"Normal Joe" maybe, but senior executive? Nope. Or am I misremembering Petraeus' long prison term? Or does he get a bye because he was using a pc instead of a phone?
>And while Clinton's predecessor Condaleeza Rice had obtained waivers for herself and her staff to use BlackBerry devices, Clinton's staff was told that "use [of the BlackBerry] expanded to an unmanageable number of users from a security perspective, so those waivers were phased out and BlackBerry use was not allowed in her Suite," an e-mail from the NSA's senior liaison to the State Department noted.
NSA says that they could not ensure the security of BlackBerry devices. That's not a refusal, just the facts. Is someone expecting the NSA to magically conjure unlimited, secure BlackBerries?
Securing the blackberry is a red herring. What they wanted was a functionally equivalent mobile device. If providing such capabilities isn't exactly what the NSA should be doing, then they shouldn't exist.
> The NSA should probably evaluate if the end result of their refusal was more security or less.
They could but they'd conclude it was MORE secure. Her leaving the SCIF to use an insecure device is infinitely more secure than allowing insecure devices into the SCIF or giving out highly sensitive devices like candy (in particular as she wanted to use it for non-top secret email).
Cellphones can be attacked and turned into bugs (e.g. baseband hacking). A bug in the SCIF is unacceptable, and having any wireless devices at all makes it much harder to detect bugging from other avenues.
Additionally giving out the president's "Black Phone" to more people makes it easier to attack since they'd have more opportunities and potential mistakes. Plus what if the black phone was compromised? Now you've exposed the SCIF in state.
Perhaps I'm overly cynical but I'm guessing she got caught with her phone in the SCIF more than a few times before she got the message to leave it outside.
I was rather impressed by Clinton's IT skills, managing her own mail server, using electronic communications extensively, and according to this even asking the NSA to provide a bberry.
Then I read:
> As I had been speculating, the issue here is one of personal comfort… [Secretary Clinton] does not use a computer.
> the solution supported by the NSA—its SME PED (Secure Mobile Environment Portable Electronic Device)—was hardly BlackBerry-like. SME PED devices are based on a secure version of Windows CE, and they're only rated up to "Secret" classification. And as Clinton was taking over at State, the SME PED was only just becoming available.
It sounds like at the time that Clinton was moving into State, there was, literally, no good solution supported by the NSA for mobile email use.
Which considering it was 2009, and mobile email was already prevalent with Blackberry, iPhones/Androids, etc, is well, maybe par for the course for government entities.
I'm reading between the lines here, but is it suggesting that Clinton didn't trust the PC she had been assigned, and that she suspected she was being spied on?
Was this the reason why she chose to run her own email server (not that it was secure but still)?
Maybe she did not want anyone in to be able to FOIA her correspondences. She has said she deleted about 30k emails off the server because she claimed they were "personal in nature". The problem is, that wasn't her call to make.
I'm so glad people are finally, hopefully going to shut up about this soon. I'm surprised Clinton didn't just say this herself and end the scandal months ago. It's an extremely lame scandal because we're talking about unencrypted email anyways, email that could have been read by anyone and everyone and almost undoubtedly was. The irony that it was the NSA (as usual) that made things less secure instead of more secure is certainly not lost on me.
People are not going to shut up about this. This will be an issue through the election. It's a really big issue that the Secretary of State was so cavalier about how she handled classified information.
The NSA didn't make things less secure. Clinton's people did to get around the NSA's restrictions. The restrictions suck, but if I were like "doot dee do, I hate working with this secure PC, I'll migrate the info I need to my cellphone connected to my own private server" I would be looking at a long stint in prison.
Hillary Clinton doesn't need to worry about that because she's Hillary fucking Clinton.
I think most people are not really angry about the security risk, they're angry about the double standard. Anybody who wasn't Secretary of State would have been fired and probably prosecuted for this.
Obviously people who already don't like Clinton are all over it, but I think there's a legitimate complaint from people saying that she shouldn't be able to get away with something that nobody else could.
why would this in anyway end the scandal? so because the NSA didn't give in to your request you can go break security protocol and put people's lives at risk?
Most people, including myself, would be fired if we broke security protocol. Inconvenience is not a justified reason to break protocol.
At least she wasn't mandated to use the cone of silence :-P
[+] [-] fabulist|10 years ago|reply
Haroon Meer says that saying "no" is a finite resource that security professionals are too willing to tap. If an organization comes to see your department as an obstacle that shoots down ideas and never contributes, you end up ignored. Chip in with ways to make bad ideas less bad, because we already know that deploying any vendor's software is a loss to security.
[+] [-] julie78787|10 years ago|reply
My favorite story of all time, which I'll share because it's now over 20 years old, had to do with a security vulnerability in the diagnostic trace component of a serial device driver.
The developer in question insisted it had to be there. A meeting with the two of us, as well as our bosses, and a "neutral" odd-numbered party was had.
I started by explaining the exploit. The developer then explained the need to have support staff (who weren't "root" users") able to enable the diagnostic trace feature. I then explained how a non-support person could trace a specific TTY (see, it is an old story!) and capture an entire login dialog.
Things weren't going well for me, so I then explained that it presented a security vulnerability which I'd have to disclose.
At that point in time, the developer got up out of his chair, and came across the table at me. His boss grabbed him, sat him back down, then agreed with my explanation and the feature was changed to require privilege.
If you think being a security professional is fun, it's not all sunshine, roses and egotistical power-tripping. It's a constant struggle to say "No" when people want to make products more "useable" and we want to make sure they are "secure".
[+] [-] yompers888|10 years ago|reply
[+] [-] talmand|10 years ago|reply
Must be nice to have a high enough position in life to ignore security protocols at whim. If I did that I would be fired.
[+] [-] danharaj|10 years ago|reply
But when the Secretary of State wants to Do A Thing, and you're the NSA...
[+] [-] revelation|10 years ago|reply
It's the state department. The same people that invoke "but secretz!" on every lawsuit.
[+] [-] specialp|10 years ago|reply
Securing mobile communications on a massive scale according to SCI government specifications does not happen overnight, and is not very easy. So unfortunately she has to use the channels provided, however clunky they are. I am sure Mrs. Clinton wouldn't hop into her car to visit a friend without gathering a full security detail. Yes this curtails her life, and yes it is inconvenient, but it is necessary just like securing her communications is!
It is like if I were working for a large bank, and I put in a back door VPN to the network since their VPN client only works on Windows, and I want to use Linux. Sure more convenient for me, but it is not my place to subvert security for my own personal convenience.
[+] [-] neurotech1|10 years ago|reply
My understanding is that President Obama's blackberry [1] isn't really a mobile device as configured. This blackberry device connects to the a custom secure base station [2] or picocell, that follows him around just like the Football[3], when outside certain vehicles.
Another factor is that TS/SCI access is restricted by location. eg. AF1 or the Presidential vehicle.
I'm not sure the Secretary of State would have a full time [*24/7] detail, although as former First Lady, Sec. Clinton would have a Secret Service detail which is funded separately.
It would be more likely that the NSA offered a different solution and State Dept. bureaucrat balked at the cost involved, especially something like following senior staff around with a football.
[0] http://www.boeing.com/defense/boeing-black/index.page
[1] http://www.technologytell.com/gadgets/156930/yes-president-o...
[2] http://electrospaces.blogspot.com/2013/04/how-obamas-blackbe...
[3] https://en.wikipedia.org/wiki/Nuclear_football
Edit: 24/7 detail at home. On official trips, the Secretary of State would have a security detail as commented by carboncopy below.
[+] [-] rm_-rf_slash|10 years ago|reply
Security is something you never need until you need it the most.
[+] [-] SilasX|10 years ago|reply
Semi-OT, the president does exactly that in 24 season 3: there was an episode where he just decides, on a moments notice, to duck out (nearly) by himself to go visit a friend in a rich neighborhood and come back, and it's all over in 30 minutes. Really broke immersion.
[+] [-] Someone1234|10 years ago|reply
She had a wired-computer she could check email on in the SCIF, but she refused and was only willing to read her email on a Blackberry, so her staff tried to get authorisation for one, failed, and then tried to get her a highly sensitive top level device just so she could check her unclassified email in the SCIF (she could use a standard Blackberry elsewhere).
I'm siding with the NSA here. She should just buck up and learn to check her email on a wired PC like everyone else.
[+] [-] res0nat0r|10 years ago|reply
[+] [-] bradleyjg|10 years ago|reply
[+] [-] kafkaesq|10 years ago|reply
No, the NSA was being petty.
Worse than that, actually. Most likely whoever made this decision had some kind of a personal grudge.
[+] [-] golemotron|10 years ago|reply
[+] [-] CIPHERSTONE|10 years ago|reply
[+] [-] sharemywin|10 years ago|reply
[+] [-] chris_wot|10 years ago|reply
Let's look at this classic case: they won't give Hillary Clinton access to a modified BlackBerry that Obama was using because it made security "unmanageable". Even though Clinton's position is literally one of the most important in the country, if not the world the NSA decided it was a security threat and so just didn't allow it to happen.
So Clinton setup her own email server infrastructure and conducted all State business through that.
So now those same security people caused a considerably greater threat to national security.
Someone should find who denied Clinton access to a secure BB, then they should be removed from any security related work. I almost feel sorry for them if Clinton becomes President, because their days will hopefully be numbered. But I don't feel sorry, because their short-sightedness caused a greater risk to U.S. National Security.
1. https://www.schneier.com/essays/archives/2009/08/people_unde...
[+] [-] nickpsecurity|10 years ago|reply
In all my time studying NSA's IAD, I could never be sure if this was just organizational issues or straight subversion. Snowden leaks made that harder rather than easier. Bell, of Bell-LaPadula fame, has a nice write-up of how they helped create high-assurance security market then destroyed it over time.
http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-B...
The A1 products he referenced still exist but government doesn't push them for rest of us. A NOBUS thing I guess. SNS Server (MLS LAN) is defense only, not sure about XTS-400 (now XTS-500 w/ Linux apps), and Aesec's GEMSOS might be available to commercial sector. I forgot to ask for clarity on that. Nobody outside high assurance or good CompSci has ever heard of them. Bleak picture for anyone investing in next high-security product, ain't it?
Nice, albeit biased, presentation on methods behind GEMSOS & old school high-assurance.
http://www.iwia.org/2005/Schell2005.PDF
Holistic, pub-subscribe architecture leveraging SNS Server as "impenetrable" component to simplify overall scheme. That's overstating it but it's allegedly unbroken in field since released in early 90's. Embedded firewall is another old trick you can do today w/ Octeon II's or similar PCI card computers.
htttp://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA425566
[+] [-] ars|10 years ago|reply
What you are saying is that they should be removed from security related work because they don't understand people.
OK, but that also means Clinton should be removed from security related work because she doesn't understand security.
Can she act as president without any access to anything secret or classified? It would be hard, but that's the standard you are setting.
[+] [-] Lawtonfogle|10 years ago|reply
The logic here is that one adult's actions can be blamed on a second adult if the second adult doesn't allow the first one to get their way. Now imagine applying that to other situations.
[+] [-] tn13|10 years ago|reply
I really wonder if the wasted human time is worth saving handful of frauds.
[+] [-] fabulist|10 years ago|reply
If you'd like to fire your security people who are too paranoid and obstinate, you'll find yourself without a National Security Agency. You should give them a manager who does understand people.
[+] [-] rdancer|10 years ago|reply
I sincerely hope he hasn't changed his mind, and will not stand in the way of her indictment.
[+] [-] 13thLetter|10 years ago|reply
[+] [-] wang_li|10 years ago|reply
[deleted]
[+] [-] johngalt|10 years ago|reply
Think of a car accident. There is a diffusion of responsibility. The decisions both drivers made, road conditions, weather, speeds etc... You would only be concerned with the manufacturer of the car if one of the safety systems malfunctioned. Yet in the case of computer security we want to hang all the contributing factors/decions around one party: the security team. Imagine if General Motors was liable for every car accident; regardless of fault. Every time someone didn't put on their seatbelt, or drove through a flooded road etc... What kind of cars would be produced? Certainly not the kind you would enjoy driving.
The day that we can have the security departments we want is the day we understand that we can't absolve ourselves of all security responsibility.
[+] [-] grej|10 years ago|reply
Clinton will probably skate. And yet she'll be the first person demanding that we try Snowden and keep Chelsea Manning locked up.
[+] [-] jhayward|10 years ago|reply
There isn't that much statutory groundwork to support charges and what there is says an agency head "is assumed to be acting under executive authority", i.e. as the arm of the President.
The Congressional Research Service wrote a rather helpful summary[1] of the myriad aspects of classification and law.
[1] https://www.fas.org/sgp/crs/secrecy/RS21900.pdf
But yeah, if you or I were to do what she did, big difference - just not all because of politics.
[+] [-] fencepost|10 years ago|reply
[+] [-] jsprogrammer|10 years ago|reply
>And while Clinton's predecessor Condaleeza Rice had obtained waivers for herself and her staff to use BlackBerry devices, Clinton's staff was told that "use [of the BlackBerry] expanded to an unmanageable number of users from a security perspective, so those waivers were phased out and BlackBerry use was not allowed in her Suite," an e-mail from the NSA's senior liaison to the State Department noted.
NSA says that they could not ensure the security of BlackBerry devices. That's not a refusal, just the facts. Is someone expecting the NSA to magically conjure unlimited, secure BlackBerries?
[+] [-] hackinthebochs|10 years ago|reply
[+] [-] rrmm|10 years ago|reply
Not that that excuses her going off and using her own. The NSA should probably evaluate if the end result of their refusal was more security or less.
[+] [-] barney54|10 years ago|reply
[+] [-] Someone1234|10 years ago|reply
They could but they'd conclude it was MORE secure. Her leaving the SCIF to use an insecure device is infinitely more secure than allowing insecure devices into the SCIF or giving out highly sensitive devices like candy (in particular as she wanted to use it for non-top secret email).
Cellphones can be attacked and turned into bugs (e.g. baseband hacking). A bug in the SCIF is unacceptable, and having any wireless devices at all makes it much harder to detect bugging from other avenues.
Additionally giving out the president's "Black Phone" to more people makes it easier to attack since they'd have more opportunities and potential mistakes. Plus what if the black phone was compromised? Now you've exposed the SCIF in state.
[+] [-] AcerbicZero|10 years ago|reply
[+] [-] cm2187|10 years ago|reply
Then I read:
> As I had been speculating, the issue here is one of personal comfort… [Secretary Clinton] does not use a computer.
What?
[+] [-] azinman2|10 years ago|reply
[+] [-] Glyptodon|10 years ago|reply
[+] [-] thedz|10 years ago|reply
> the solution supported by the NSA—its SME PED (Secure Mobile Environment Portable Electronic Device)—was hardly BlackBerry-like. SME PED devices are based on a secure version of Windows CE, and they're only rated up to "Secret" classification. And as Clinton was taking over at State, the SME PED was only just becoming available.
It sounds like at the time that Clinton was moving into State, there was, literally, no good solution supported by the NSA for mobile email use.
Which considering it was 2009, and mobile email was already prevalent with Blackberry, iPhones/Androids, etc, is well, maybe par for the course for government entities.
[+] [-] junto|10 years ago|reply
Was this the reason why she chose to run her own email server (not that it was secure but still)?
[+] [-] grej|10 years ago|reply
[+] [-] joesmo|10 years ago|reply
[+] [-] barney54|10 years ago|reply
[+] [-] bitwize|10 years ago|reply
Hillary Clinton doesn't need to worry about that because she's Hillary fucking Clinton.
Some people are more equal than others.
[+] [-] burkaman|10 years ago|reply
Obviously people who already don't like Clinton are all over it, but I think there's a legitimate complaint from people saying that she shouldn't be able to get away with something that nobody else could.
[+] [-] moistgorilla|10 years ago|reply
[+] [-] 13years|10 years ago|reply
[+] [-] mSparks|10 years ago|reply
[deleted]