Using an AOL email without any form of two-factor authentication should preclude you from serving as director of the CIA.
How can these top government officials be so clueless about email security when they know first-hand how effective our own intelligence agencies are at reading everyone's email?
I understand commercial email accounts aren't secure. So I don't treat email as being secure.
Look at what you have here. A pair of half drafted generic position papers. A legal memo about a document review protocol (I carry stuff like that in my unlocked briefcase). And a couple of what appear to be public documents about torture. The most potentially embarrassing thing on there is his SF86. But a quick scan of it doesn't show anything embarrassing on there.
If he was sending actual sensitive information on an insecure email, that is a problem.
Isn't the problem with publishing the SF-86 more complicated...? This is basically the security clearance application for the CIA director... Aren't these things classified? Why on earth is this in any insecure e-mail correspondence, if that is so? If that is not so, HR or homeland security has some gaps in their document handling process. Not that they haven't been hacked independently already, but still.
This is just one SF-86. China already has the entire database of all SF-86s[1].
> Officials said hackers accessed not only personnel records of current and former employees but also extensive information about friends, relatives and others listed as references in applications for security clearances for some of the most sensitive jobs in government.
>
> "It is a very big deal from a national security perspective and from a counterintelligence perspective," FBI Director James B. Comey said at a meeting with reporters Thursday at the FBI headquarters. "It's a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government."
The CIA keeps its own personnel records, so as I understand it, this SF86 form is a new addition to the previously hacked OPM records.
Not sure if CIA held SF86's are considered classified, but even if they are I suspect we won't see anyone, let alone a director, prosecuted for having a copy of their own "classified" employment questionnaires.
The government is supposed to keep the copy you gave them secret until you die. Coincidentally, the OPM accidentally leaked a bunch of them a few weeks/months ago.
But it's your own information, you can do what you want with your copy.
Most formal document policies cover drafts and works-in-process (i.e., so they don't become less classified because they are incomplete or penultimate in version control).
But the SF86 isn't actually classified. It's just Privacy Act information and FOUO. The Privacy Act says how to protect other people's information and FOUO means "For Official Use Only," but he's not breaking any laws by having his own SF86 on a public email service. He's fine as long as he isn't using it for unofficial business (which I'm not sure how) and he doesn't have other people's SF86.
Thanks for this clarifying comment. Open issue IMHO is if CIA's "actual process" is subject to levels of scrutiny/protection beyond the statutory minimum(s). This being an exec appointment w/ senate confirmation etc.
I cannot help but hear Tina Turner singing. "What's AOL got to do -- got to do with it? What's AOL, but a second-hand email..."
That aside, it is an indicator toward technology adoption. Despite "why fix it" attitudes, a CIA or NSA director should employ more modern email methods -- PGP or other encryption types notwithstanding. Although I'm not picturing a government top dog dialing up for email, what else am I supposed to first imagine when I hear "AOL" and a related governmental acronym? "We internet chat over AIM"?
Conversely, if our own intelligence agencies are adept at reading everyone's email, shouldn't they have noticed the head of the CIA using AOL and given him a heads up?
Hillary wasn't using some AOL account, she was using a private server configured by a private security firm. On one hand, I am betting her e-mails were much more secure than the CIA director's. On the other hand, the amount of effort and thought put into acquiring a secure alternative to a government e-mail account makes it far less likely that her motives for doing so were simple ignorance.
Scans claim that server had ports open for RPC and VNC, so that's an open question. I know there was a VNC authentication bypass[1] some years back so we may just have to wonder given that we don't know for sure what it ran or if anyone noticed.
[1] It was a really dumb bypass, too:
Client: The authN methods I support are: [empty list].
Server: Ok, let's just skip authN.
You could be right, it's been a long time since I looked at that one. I just remember that the client claimed not to support any authN methods and the server decided that was just fine.
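The bypass the two comments above describe is a negotiation flaw: the server treats the client's declared list of authentication methods as authoritative and "helpfully" falls back to no authentication when that list is empty. The following is a constructed illustration of that bug class and of the server-side rule that prevents it (only ever select a method from the server's own configured list, and refuse the session when there is no overlap). It is not VNC code, makes no claim about any real server's source, and the method names and `ClientHello` structure are assumed for the example.

```python
# Constructed example (not code from the thread or from any VNC implementation):
# a toy auth-method negotiation showing the "client claims nothing, server
# skips auth" failure mode beside a server that validates its own choice.
from dataclasses import dataclass, field
from typing import List, Optional

AUTH_NONE = "none"          # no authentication at all
AUTH_PASSWORD = "password"  # some challenge/response password check


@dataclass
class ClientHello:
    # Auth methods the client *claims* to support. This is attacker-controlled
    # input and must never decide, on its own, how much authentication happens.
    supported: List[str] = field(default_factory=list)


def negotiate_vulnerable(server_offers: List[str], hello: ClientHello) -> str:
    """Flawed negotiation, modelled on the behaviour described in the thread.

    The server computes the overlap with the client's list, and when the client
    claims no methods at all (or no overlap), it falls back to AUTH_NONE rather
    than refusing the session. An empty client list therefore disables auth.
    """
    common = [m for m in hello.supported if m in server_offers]
    if not hello.supported or not common:
        return AUTH_NONE  # the bug: a fallback that bypasses authentication
    return common[0]


def negotiate_fixed(server_offers: List[str], hello: ClientHello) -> Optional[str]:
    """Safe negotiation: the outcome is always a member of the server's own
    configured list, and an empty overlap means 'refuse', never 'skip auth'.

    Returns the selected method, or None when the session must be rejected.
    AUTH_NONE can only be selected if the operator explicitly configured it.
    """
    for method in server_offers:          # server preference order wins
        if method in hello.supported:
            return method
    return None                           # no common method: reject the client


def session_allowed(server_offers: List[str], hello: ClientHello) -> bool:
    """Helper a server loop would call: True only if a real method was agreed."""
    chosen = negotiate_fixed(server_offers, hello)
    return chosen is not None and chosen in server_offers


if __name__ == "__main__":
    empty = ClientHello([])                    # "I support nothing"
    print(negotiate_vulnerable([AUTH_PASSWORD], empty))   # none  <- bypass
    print(negotiate_fixed([AUTH_PASSWORD], empty))        # None  <- rejected
```

The design point is that the client's hello may narrow the server's options but must never widen them: a method the server did not offer (here, `none`) cannot come out of the negotiation no matter what the client sends. A server that logs rejected negotiations (`negotiate_fixed` returning `None`) also gets a useful signal, since legitimate clients rarely advertise an empty capability list.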
I remember reading that article about the open ports and distinctly recall they left out whether or not this was a public facing. Not that it justifies anything, but it wouldn't be egregious.
It was found by someone scanning the internet at large and publishing results. Someone else went through that data long, long after the fact and looked to see if they'd ever scanned her servers. Because of that background, the public was able to see the ports--they would not have appeared in the scans if they were non-public.
But that doesn't mean she actually had VNC or RPC software actually listening on those ports, or that the software that was listening (whatever it might be) was actually vulnerable. It might be more likely than not that it was vulnerable--I mean, that's why security people look for things like that to begin with--but false alarms aren't exactly uncommon, either and my customers have proven to me that there's no shortage of bizarre server configurations in the wild.
By the same standard we should count people using SSH and TLS (really: about any given protocol) as clueless, as implementations of both have had wide-impact remote vulnerabilities.
I agree this all is testament to widespread cluelessness, but more on the software industry level...
I don't believe I claimed anyone was clueless, that they were actually vulnerable to any known issues, or even that VNC or RPC were actually running on those ports. As far as I know, nobody knows any of that.
Setting up a private email server was actually allowed by the official rules at the time. I have no idea why that was the case, but presumably they had some reasons for creating that exception. Honestly, that's the real question IMO.
PS: I also wonder how this worked in practice. I mean I would assume top officials' spam rules were set up to ignore [email protected] due to spoofing if nothing else.
First I've heard of this rule/exception, got a link to any docs validating this claim? If true, it flies in the face of everything on the books with regards to mandates/rules/regs for ensuring secure communications for high-level government officials.
Quite interested, as I've been watching this one closely, especially with regards to retroactive changes allowing for an escape from previously committed illegalities.
I fully expect a presidential pardon to be the end-game on this one.
Other government officials, and Secretaries of State before her, had also used private email for official business, and experts agree that this is allowed by federal law in case of emergencies.[25][8][26] The State Department declined to answer questions about whether the private system was widely known within the agency or officially approved.[21] https://en.wikipedia.org/wiki/Hillary_Clinton_email_controve...
Because DoS's email system was crazy ancient at the time (maybe still?), and the rules allowed the boss some leeway. In terms of security and government IT, 2008 was a long time ago.
It is incredibly commonplace among politicians and even public servants to use private email accounts for work to act as a shield for FOIA-type laws.
Even my public University's president used a personal account in order to avoid student activist groups getting his email.
Sarah Palin used personal email (I think also AOL, actually) in her tenure as governor of Alaska.
Everyone, on both sides of the aisle, and all the way up and down the hierarchy does it. Absolutely everyone. Probably everyone has at some point in time. Probably even Bernie Sanders.
If you want to find out who, start sending FOIA requests and see what comes back empty.
So that excuses it, right? When a bunch of people that don't matter do it, you're right, I don't give a shit. When it's our Secretary of State, one with access to all kinds of Top Secret material, I do however very much give a shit. If national security regulations don't apply to our top leadership, then what the fuck do we have them for?
The reason those laws are there is exactly for people like top leadership, because you and I aren't going to run across top secret documents in our day to day... UNLESS some asshat does something stupid like this.
Scope of damage is an important concept when it comes to government versus private sector. Scope of damage for private sector is a "Sony" - possibly implosion of the company, but it generally stops there. Government however is the safety of every citizen in the affected country.
>When a bunch of people that don't matter do it, you're right, I don't give a shit.
Why not? Do you think that local government and other public servants should be able to hide corruption, suppression of dissent, or other unsavouriness behind personal email accounts?
>HUGE differences on the damage scale.
The only thing on the scale is that our entire political system is corrupt.
That said, the focus on Hillary is a function of right-wing media hacking, and I think it's important to note that EVERYONE DOES THIS, THE WHOLE SYSTEM IS FUCKED, etc..
I trust AOL more than some random shop when it comes to system security though. She may not have been vulnerable to some password reset hack, but that doesn't mean the server wasn't set up with other poorly secured services.
In the spirit of the other commenters, never underestimate the intelligence of a career machiavellian who has risen to considerable power within the most powerful nation on earth
Any executive position is a generalist role that ultimately depends on one's ability to play politics with the stakeholders. Clinton's emails are perhaps an example of why she should not run an intelligence agency, but POTUS is different. A president doesn't have to be an expert in everything, that's what the cabinet is for. If someone goes through considerable effort and expense to host a private email server, then perhaps the reason could be attributed to something other than cluelessness.
Not really. From public accounts, State was running back-level Exchange 2007 with tiny mailboxes with administration from some useless contractor. The Russians probably read the mail before the employees did.
It's very common for senior execs to play all sorts of games with email. If you see folks carrying legacy Blackberry devices today, they are doing something similar.
The issue isn't using her own private email server. The issue is whether she violated federal record keeping laws. We can only trust (since she says she turned over everything) that all emails were preserved.
Some of the laws in question here carry prison time:
No, they're about connections with the appropriate in-group first, administrative / executive ability well below that, and technical ability or common sense will actually disqualify you.
Matthew Cole had an interesting talk a while back about how Italy was able to implicate the CIA in a kidnapping and identify several agents, using cell phone tracking technology provided by the US.
I've been going through the details in http://newsroom.grasswire.com and I'm almost completely convinced this is all hot air.
The Iran doc is public, the bill is obviously public. The policy paper is not but it’s also a draft, unclear who even authored or commented on it.
They are all also from a time when Brennan didn't even work for the government.
There is no indication these documents came from a compromised email address, and even less indication that any of it matters other than to say "lol the CIA Director is an idiot." I get that it's a sexy story to say "leaked emails of CIA director," but this is really not a big deal.
That last question might answer itself. Doesn't excuse that extra measures aren't taken of course. Granted I bet the real reason is general ineptitude towards his job as can often be found in upper management especially in governments.
Kidnapping and torturing people -- and fancying that you can use bizarre linguistic constructions to either prevent the world from finding out grittiest, literally pornographic details of what you've been up to; or to reduce your own culpability in said crimes -- should preclude you from serving as director of the CIA.
And secondarily, using a public-sector email service (independent of its authentication scheme, or the quality of its implementation) to conduct government business should further disqualify you, as well.
The one to change allowed torture techniques from a whitelist to a blacklist is scary. It's even phrased to sound like a good thing: "I urge you to consider my proposal to ban the use of certain harsh interrogation techniques expressly prohibited by the Army Field Manual". And the specific prohibitions look like a checklist of the leaked Iraq abuse pictures (pose in sexual manner, hood, using dogs, etc.), so the army is free to "invent" new inhuman techniques.
Why did they publish his SF-86? This seems like a very irresponsible invasion of Brennan's personal privacy; nothing in there could possibly be of legitimate public interest.
This has nothing to do with the contents of any particular document. It has everything to do with Assange's larger strategy to weaken or destroy "unjust systems of governance".
Assange himself explained the "non-linear effects of leaks on unjust systems of governance[1]".
His rationale is that illegitimate power requires conspiracy and conspiracy requires secrecy.
Therefore, by leaking information Assange makes secrecy so difficult that it cripples the organization's ability to communicate with itself and operate the conspiracy.
> The more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie. This must result in minimization of efficient internal communications mechanisms (an increase in cognitive "secrecy tax") and consequent system-wide cognitive decline resulting in decreased ability to hold onto power as the environment demands adaption. Hence in a world where leaking is easy, secretive or unjust systems are nonlinearly hit relative to open, just systems. Since unjust systems by their nature induce opponents, and in many places barely have the upper hand, mass leaking leaves them exquisitely vulnerable to those who seek to replace them with more open forms of governance.
It really serves no public interest, I was honestly shocked when I saw that Wikileaks decided to publish this stuff. Publishing leaked personal emails with no newsworthiness is the kind of thing a dirty supermarket tabloid like Gawker would do.
At least I imagined that Wikileaks would want to preserve their reputation as doing something for the public good but a childish move like this focused on a single individual (an enemy in their eyes) makes me question the organization's values going forward.
They've been grasping for relevancy the last few years ever since Assange has gone into exile but the Chelsea Manning disclosures were newsworthy and responsibly handled.
The Cablegate leaks were newsworthy and responsibly handled.
Syrian/Saudi diplomatic emails, Iraq/Afghanistan war documents, Trans-pacific Partnership reporting. These actions bring attention to large groups of people in power and hold governments accountable for their actions.
Publishing the emails from an AOL account of a CIA director doesn't quite fit that mould.
"He did nothing wrong, therefore he has nothing to hide".
Are you really questioning the fact that this was made public while NSA, CIA and other agencies have been wiping their asses with the Fourth Amendment of the US Constitution and Article 8 of the Universal Declaration of Human Rights?
No one is questioning that it was made public, rather, that Wikileaks decided to latch on to a data leak that kind of shares the same trollish territory as leaking nude celebrity photos.
Running with the Chelsea Manning leak helped start a conversation about the ethics of drone warfare and the culpability of the US military in the deaths of civilians.
What kind of a wider conversation does leaking John Brennan's SF-86 create? Maybe there's some ancillary discussion about those in the security community not using secure channels but it mostly just feels like a cheap shot.
> What kind of a wider conversation does leaking John Brennan's SF-86 create?
Does it necessarily have to create a conversation?
It, at the very least, destroys yet again the "nothing to hide" argument and underlines both the fact that nobody is safe unless active measures are taken and that all this spying business is tainted with serious amateurism.
And if this is worthless to you, see it as a backlash. Our personal information is intercepted on a daily basis and played with in a way that we have no control over. The average Joe, alone, can't fight back; Wikileaks is the collective answer.
It is in-line with Trevor Paglen's work [1] on demystifying spying activities: they're no super heroes, they're bound to physical, practical and logistical limitations (like we all are), we can fight them.
It's in the public interest if encryption and digital security are in the public interest. People like this have a voice that's actually heard when those topics come up. It's just a gentle reminder that actively sabotaging security "for national security" can come back to bite.
>nothing in there could possibly be of legitimate public interest.
There could be. There is a reason the government asks these questions: because they get relevant information. Hypothetically there could be newsworthy stuff in there.
But there isn't anything actually in there. So it's shitty to leak it.
There are no anti-russian documents because Assange nor any of his activists care about Russia. They care about the Western world, that's why they prod it.
They don't claim to be objective, they claim to pass on data that is real. You don't know what they don't pass on, you don't know what they change and you can't know whether or not something is real without outside verification. Think of them as an imperfect channel that seems to present - to date at least - an insane amount of real data and the occasional manipulated video.
I really don't understand your point: do you consider leaking the TPP draft "anti-west"? Because in my honest opinion WL did a huge service to the western world by publishing this atrocious agreement.
How should the TPP cover Russia or China? It's not about Russia or China. It's still important and it's good that they released it. For every citizen that may suffer from that.
Your comments look like they're straight out of the Cold War PR battle.
> There's a theory that WIKILEAKS has been an FSB front since 2010
...linking to a post on /r/conspiracy.
There are also theories, in the very same sub, that drinking one's own urine is better than chemotherapy [0], that China has floating cities in a parallel universe [1] and that Ahmed Mohammed is a "clock bomb hoaxer" [2].
Please keep on improving our discussion with wonderful sources like /r/conspiracy.
I was in college in 1998 when the Starr report came out, detailing President Clinton's sex life. Back then it wasn't easy to download such a big document to your computer, so a lot of people came to the computer center, which I managed, to look at it. But it was long and they didn't want to read it in the computer center, so they started printing out the 90+ page report! (printing was free)
It got so bad we had to ask all the people that printed it if they could bring their copies back when they were done, so we could have a lending library of the Starr report.
My point is, you're right, it's a great time to be alive -- you don't have to tell anyone about your interest in these things. :) (although on the flip side there was a pretty good watercooler discussion of the report at the computer center)
Blacklist by default and whitelist what is wanted is better in almost all contexts. Otherwise people will always find a way to circumvent the rules to get the expected results.
> placing hoods or sacks over the head of the individual or using duct tape over the individual’s eyes;
So using other kinds of tape is totally ok (for example).
The one question not asked yet. The guy probably knew about the Clinton emails case. And did nothing about his personal mailbox having the same problems. He's unlikely to be an idiot (who knows though). So did he think he's more protected from a prosecution than Hillary?
Not only that, but the whole reason Brennan got the job as Director of the CIA was that the prior Director, David Petraeus, resigned[1] in the wake of his own email and information leak scandal.
> Petraeus and Broadwell used fake names to create free webmail accounts exchanging messages without encryption tools.
>
> The FBI, using electronic metadata that pinpointed the times, places and IP addresses, identified Paula Broadwell as the source.
Ooh, I didn't think about Petraeus. I was glad to learn recently that he was actually convicted of unauthorized removal and retention of classified information in April -- two years' probation and $100k fine (fine more than 2x what DoJ asked for!)[0] I'm sure that's all they'll give Snowden. /s (Yeah, I know Snowden is a bigger magnitude, but Petraeus was more reckless and self-serving, and as the leader he should set the example -- he deserves at least a few months in Club Fed.)
The released docs so far are all dated when he wasn't actually in government. This is his honest to goodness personal email account.
So far there is no indication that he's using his personal email as a government work email. In fact, all these emails are from times when he had no government email.
Clinton side stepped her official email to use an off the books private server in an official capacity.
Of course he knows about the Hillary situation. Since this is the CIA, would it be entirely tinfoil mad-hat of me to suggest that this was an intentional honeypot left out, knowing it would get hacked and the ensuing leak coverage would reinvigorate the debate over Hillary's misuse of private email for official business?
Brennan doesn't exactly strike me as the kind of guy who plays for the Democratic team.
Is it really worth making yourself a laughing-stock to hope the press runs with it and maybe you score a few political points a whole year before the election? If this unnerves/angers the wrong people, he could lose his job and collective CIA morale too.
I'm not totally buying that he's really this incompetent, but dragging down Clinton seems a bit far-fetched as a reason this was intentional.
Sounds like one of those "the US has been keeping aliens in Area 51" kind of things. And what I mean by that is that if it were true, we'd probably know about it by now.
And really, don't you think the US gov would push that narrative across all the US media if it learned it was true? I mean, they've been pushing the "Snowden is a Russian spy" story already - and that's not even true.
It's hard to prove because it would be interpreted as just attacking a leaker.
The USGovt has to be sensitive to the fact that the leaks are real information. But it's far more nuanced to prove that WIKILEAKS is just pushing an anti-USA/NATO view.
Look at the Saudi Arabia leaks in light of the fact they're in a price war with Russia right now.
You won't see an Iranian leak on WIKILEAKS... and you haven't.
This is completely illogical and tinfoily. If an intelligence outfit knows something, it's unwise to show their cards. It reveals sources and methods to do so. Nobody operates this way.
I'm not sure how "tinfoily" a suggestion is when it's referencing wikileaks. Wikileaks is in the business of conspiracies. It isn't much of a stretch to suggest a conspiracy might be behind wikileaks itself.
Not reporting on something because of a threat hardly qualifies someone as a "front". That's like saying newspapers that don't publish Muhammad cartoons for fear of retaliation are fronts for the Islamic State.
There have been many major leaks. Hell, Prime Minister Medvedev's email has been hacked and he's certainly higher ranked than CIA director. Nothing on Wikileaks of course. Strange, isn't it?
From what I've seen this is all pretty tame. Brennan was definitely stupid to keep around an AOL email after becoming one of the highest ranking law enforcement officials, but it doesn't seem like there was that much damning information sitting around.
And? It's not like they'd magically go away if one site didn't link to them, and they're easily found with a 1-second search. There's no point in not linking to the most accurate/direct source of information.
Yeah I was curious why they changed the link I posted to the actual documents in question. I hoped to allude to the story not link directly to the materials (which any HN reader could find on their own after having read the story). Either way it got the conversation started, I suppose.
Old people + technology = failure. Really common pattern. We like to believe people in positions of power know what they are doing, but sometimes the facade cracks and we see they are just regular old crazy people.
But, it's more like inconvenience + people + technology = policy violations. In one company I worked at a new CEO was installed (the old one was faulty; turned out the new one was still faulty) and he told people to forward all their company email accounts to their personal gmail accounts because he just liked the gmail interface better.
edit: _gasp_ it's like online people read comments while wearing hair trigger hostility goggles and don't use their contextually aware kindness beanies. go figure!
Is it better to move things around instead of just deleting things? Replies don't exist in a vacuum, so detaching from parent comments breaks meaning and intent, not just ___location on a page.
Seems better to censor by deleting unwanted content with prejudice instead of waffling and breaking context.
You have to consider scope of knowledge. Nobody is an expert everywhere. You can't use someone's knowledge of IT security as a stand in for all technical knowledge, let alone all knowledge in general.
I worked with an expert on NAND Flash. The guy is brilliant. Knew how the whole process flow works--from substrate to cap layer--off the top of his head. It doesn't need to be said that fabricating semiconductor devices makes setting up an email server look like child's play. Yet, he used a @aol.com account.
Brennan was the daily briefer to Clinton. He was Saudi Arabia station chief. He's definitely a talented guy who knows a TON of stuff you haven't the faintest clue about.
That's true of children, maybe. You'd be hard-pressed to recreate lord of the flies if you just took everyone over 50 out of the decision making process.
It's not that there aren't exceptions, but it's pretty obvious old politicians aren't hip to technology from the past 30 years, isn't it?
I didn't say "every old person is dumb and invalid and will rot in their living rooms out of stupidity." But, an average 4 year old can use an iPhone better than an average 63 year old.
This 'an average 4 year old can use an iPhone better...' makes me cringe every time I hear it, especially when it comes from proud parents who think their offspring is a genius. The geniuses here are the engineers who made the device usable by the 4 year old, not the other way around.