Saturday, March 11, 2017

You’ve Got Mail (and So Do Your Comrades?)

I’m sure you’ve read that Vice-Commandante Mike Pence got hacked while using an AOL account for state business, while governor of the fair (as in: meh) state of Indiana.

[source: http://www.npr.org/sections/thetwo-way/2017/03/03/518286557/mike-pence-used-aol-email-for-state-business-as-indiana-governor ]

Things I could be annoyed with in this story:

* Pence was hacked with a trivial phishing scam and yet he’s ostensibly bright enough to be a heartbeat away from the presidency (a heart that’s fed a steady diet of KFC, to boot)

* Pence & Co. repeatedly laid into Clinton during the campaign about the poor judgement used running her own server, given the risks of getting hacked. Not only did the private sector (AOL) fail this free-market warrior, so did the government: the State Department server was hacked at the time Clinton ran her own server — or more accurately, paid a specialist to run a server for her, and I think the distinction is important and generally ignored — and the breach easily could have exposed Clinton’s emails if she’d “done the right thing”. Ironically, the only people who questionably accessed Clinton’s emails were those investigating her, after they subpoenaed her emails … exposing those emails to hacking and Three-Letter-Agency snooping, given that securing email and servers is not what federal employees appear to do well, but over-sharing secret info among spooks is.

* Pence’s incredibly poor judgment using a public server for sensitive business, with access by sysadmins and other non-state employees, a server run by a company whose board is largely made up of questionable ex-spooks with shady histories … never mind the hacking risk of relying on a dying (and never overly competent) AOL for security.

* The difficulty of meeting Indiana sunshine law requirements that these private-corp emails be made part of the public record, given that the state has no access to deleted emails, mail logs, etc. for email run on non-governmental servers.

* Mixing personal and business email, then saying that not all mail could be revealed in the follow-up investigation because some of it was too personal (but claiming Clinton needs to give up her wedding planning emails because that’s part of the public interest, when she did the same, wrong thing), or too important (but not too important to properly secure):
Some of Pence's emails were deemed too sensitive to be released as part of the Star's public records request.
* The possibility that he was hacked by a state actor that might be using personal info to blackmail the VP of the US, given that the Russians are both the most capable party, and appear to be getting a hall pass on everything:
Security experts told the paper that hackers were likely able to access Pence's inbox and sent emails, which could have included those same sensitive documents.
What I am actually annoyed with in this story:

* Someone with an AOL account weighing in on the security of a hardened MTA, run by a guy who secures servers for a living, and being taken seriously. Just because your mail client arrived in a box of Captain Crunch does not make it MilSpec. As we used to say of our AOL customers, “our AOL users couldn’t spell A-O-L if you spotted them the vowels.”

No comments:

Post a Comment