Most of the time that I spend as a security-wonk is focused on email security. This is due almost entirely to my involvement as one of the architects of the Direct Project, which is a specification for using secure encrypted email in healthcare settings.
Which is why I was surprised by a recent analysis from Politifact evaluating something that Hillary Clinton said about her email servers. I should mention that I am apolitical. I care, but both US parties fail to resonate. So I have no reason to pick one side of this debate over the other. I am interested in the implications and perceptions of Hillary’s email system, however, because it is very revealing of basic attitudes about email systems.
For those that do not know Politifact is an organization that evaluates the veracity of specific statements that politicians make. Given my attitude about politics, you can understand why I am a fan of such a service. The statement that Hillary Clinton made that Politifact was evaluating was that “my predecessors did the same thing” regarding her email practices.
Politifact said:
And there’s a big difference between a private account, which is generally free and simple to start, and a private server, which requires a more elaborate setup…. The unorthodox approach has opened up questions about her system’s level of security.
later concluding:
This is a misleading claim chiefly because only one prior secretary of state regularly used email, Colin Powell. Powell did use a personal email address for government business, however he did not use a private server kept at his home, as Clinton did.
We rate this claim Mostly False.
The central assumption that Politifact is making is that Clinton’s email server was fundamentally less secure than using a service. Specifically, Colin Powell used AOL. In fact, for the average person, you are probably better off using a service like AOL. But Hillary Clinton and Colin Powell are hardly the average person. There are considerably advantages to having your own email server and your own domain, if you are particularly concerned with security.
First, all of the email services are constantly the targets of hackers. If someone broke into AOL, they could find Colin Powell’s account as a side-effect of the overall hack. It would be a bonus for hacking a system that is already regarded as a high-value target. Second, it is still relatively easy to spoof email. That means that it is fairly simple for someone to send emails pretending to be a particular person on a public email service. So if I had wanted to pretend to be Colin Powell, it would have been a little easier to get away with it, given that he was using an email service. It would be much easier to setup specific defenses (there is not that much you can do without encryption of some kind) to combat spoofing on your own server.
Unless Colin Powell had some special relationship with AOL (which is actually a real possibility) then login attempts from eastern Europe to his account would not have been flagged in any way. On a private server, however, you could always say “Is Secretary Clinton in eastern Europe today? No. Then that login attempt is a problem”. Of course, if you are not watching the logs on your private server, then this advantage is negated.
As it turns out, Clinton was also publicly serving up Windows Remote Desktop on her server, which makes it unlikely that she was taking the steps needed to get the security benefits. Even with that information, however, I cannot see the merit to the assumption that using AOL vs hosting your own Exchange server is fundamentally less or more secure for a public official like this.
Ultimately when you trust an organization like AOL you are effectively trusting thousands of people all at once. Clinton probably trusted somewhere between 10 and 100 people with the contents of her email server. Colin Powell probably trusted somewhere between 1000 and 10000. If I was making suggestions for the security of the email of my grandmother.. I would go with AOL. If I were making suggestions for the secretary of state? It is much less clear, and would depend alot on how the two different email systems were configured and regularly used.
As per almost always, the Wikipedia article on the subject is a tremendous source of the kinds of detail that a security researcher like me might need to evaluate whether there were security advantages, or disadvantages to hosting your own server. But still it is obvious that Colin Powell trusted state secrets to a massive Internet provider and Hillary Clinton trusted state secrets to a small team of generalist (i.e. not security) consultants. Neither of those decisions was well-informed by proper security thinking for securing emails that might eventually become state secrets.
So from my perspective as a security researcher with a focus on email security, it is a pretty fair statement for Hillary to say “My recent bad decision about email is equivalent to previous bad decisions made by members of the other party”.
Which means I think Politifact got it wrong. What is more interesting is why. They got it wrong because they made some flawed. This is deeply ironic, because that is precisely the same mistake that both Clinton and Powell made about exactly the same issue.
But I also think this is a problem with the way that technical options are presented. Politifact quotes Clifford Neuman as saying “you would need to stay current on patches”. I can promise you that this is not all Clifford had to say on the matter, but this is the only thing that Politifact chose to surface. The reality of the technical issues is a huge debate about whether Software as a Service is more secure than locally deployed and supported software. In reality, locally deployed software clearly can me made more secure, because one can choose to enforce parameters that improve security at the expense of convenience (like two factor authentication, for instance). However, Software as a Service is usually more secure in practice because you have teams of people ensuring that bare-minimums are always met.
I really could not care less about Clinton’s or Powell’s choices when it comes to email servers. It is a little silly to be accusing people who get to decide what is classified and what is not with mis-handling classified information. Personally, I think the fact that Clinton was exposing an RDP connection to the public Internet is the only thing that I have heard that is truly scandalous here, and this is clearly not the focus of the media circus here. I do not care at all about the political side of this.
I am very concerned, however, about how novices think about about complex security and privacy issues. How did Politifact, which is charged with getting to the bottom of this issue, discussed precisely none of these complex technical issues? The conclusion they reached is pretty shallow. Which I do not think is their failing… I think this is a symptom of dogmatic thinking in InfoSec messaging.
Still not done thinking about this.
-FT