mykeystrokes.com

"Do or Do not. There is no try."

“What’s There And What Isn’t”: What Does The New Inspector General Report Actually Tell Us About Hillary Clinton’s Emails?

Today the State Department’s inspector general released a report on Hillary Clinton’s email use during her time as secretary of state. Both Democrats and Republicans are going to spin the report to argue either that Clinton is completely blameless or that it reveals her to be history’s greatest monster. Donald Trump will likely say that the Office of the Inspector General (OIG) found that Clinton kidnapped the Lindbergh baby and produced Vanilla Ice’s first album.

So let’s see if we can sort through what’s there and what isn’t.

You can read our story by Rosalind Helderman and Tom Hamburger for a summary, but here are the two key excerpts from the IG’s report that deal with Clinton. First:

Secretary Clinton should have preserved any Federal records she created and received on her personal account by printing and filing those records with the related files in the Office of the Secretary. At a minimum, Secretary Clinton should have surrendered all emails dealing with Department business before leaving government service and, because she did not do so, she did not comply with the Department’s policies that were implemented in accordance with the Federal Records Act.

So that’s one problem: she should have printed out her emails so they could be archived, but she didn’t do that until the department sent a request to multiple secretaries of state, two years after she left office. Here’s the other part, which is more serious:

Secretary Clinton used mobile devices to conduct official business using the personal email account on her private server extensively, as illustrated by the 55,000 pages of material making up the approximately 30,000 emails she provided to the Department in December 2014. Throughout Secretary Clinton’s tenure, the FAM [Foreign Affairs Manual] stated that normal day-to-day operations should be conducted on an authorized AIS [Automated Information System], yet OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server. According to the current CIO and Assistant Secretary for Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. However, according to these officials, DS and IRM [Bureau of Information Resource Management] did not — and would not — approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so.

Get past all the abbreviations and government-speak, and what it comes down to is that Clinton should never have used a personal email account, no matter how secure she thought it was, for department business, and that she repeatedly failed to consult with personnel who should have been aware of how her personal system worked.

If you’re saying, “Didn’t we already know that?”, well yes, we mostly did, though there are some new details here. So here’s what Clinton and her supporters will say: This report doesn’t reveal anything new. Clinton already said that using a private email server instead of the State Department’s system was a mistake, and she apologized for it. But there’s no evidence that national security was actually compromised, none of her emails contained information that was classified at the time she sent or received it, and even if she violated departmental policy, she certainly didn’t do anything criminal. And don’t forget that the report was highly critical of Colin Powell, who also used his personal email for official business.

And here’s what her opponents will say: This report shows the true gravity of Clinton’s misdeeds. She violated the department’s policies. She probably committed crimes. For all we know Kim Jong Un was reading her emails every night. At every step, she tried to hide from scrutiny and accountability.

How valid are those arguments? Clinton’s case is meant to lead you to the conclusion that in the end this is not that big a deal. The Republicans’ case is that she was reckless and irresponsible, and terrible things might have happened as a result. On one hand, we don’t have any evidence of anything terrible happening, but on the other hand, speculation is all Republicans need to get what they want out of this matter.

That’s because the political reality is that Republicans aren’t making a big deal out of this because of their deep and abiding concern for cybersecurity. They just want something to hammer Clinton with. Which is fine — that’s politics. But they also know that the details are all but irrelevant. Most Americans couldn’t tell you what this controversy is actually about; they just know that Clinton did something shady with emails. As long as Republicans can weave that into a larger argument about her being untrustworthy, they’ll run with this, even if they’d be even happier if Clinton got indicted (which is theoretically possible but looking extremely unlikely at this point).

And though Clinton would like us to believe that her intentions were pure and unimpeachable, while Republicans would like us to believe that her intentions were dark and sinister, the truth is probably somewhere in between. I don’t doubt that Clinton made the initial decision to use a private server in order to retain control of her communications. That’s not because she was planning to execute some kind of nefarious criminal conspiracy over email, but because she knew that she’ll always be the target of lawsuits and fishing expeditions from her political opponents, and she didn’t want to give them any more material to work with. As a piece of forward-looking political strategy, we now know how foolish that was; it’s done far more damage to her than it would have if her emails had regularly been FOIA’ed and then leaked to the press by her opponents.

But it also appears, from what we know so far, that there weren’t really any practical consequences for the country because of her decision — no covert operations compromised, no key national security information delivered to our enemies. And cybersecurity experts will tell you that her emails likely would have been no less vulnerable had they been on the State Department’s servers, which are the target of constant hacking attempts.

So maybe the best thing for Clinton to do now would be to say that this whole episode has brought home to her the need for the federal government to dramatically improve its cybersecurity, and she wants to assemble a blue-ribbon commission of experts to devise a plan to reform the systems across the government, one that she hopes Republicans will join with her to pass through Congress within her first year in office so it can be implemented as soon as possible. At least then some good might come of this controversy.

 

By: Paul Waldman, Senior Writer, The American Prospect; Contributor, The Plum Line Blog, The Washington Post, May 25, 2016

May 29, 2016 | Clinton Emails, Hillary Clinton, Republicans

“Unto The Breach”: For Credit Card Data Breaches, There Really Hasn’t Been Any Business Consequences

On Wednesday, a letter landed in my email inbox from Gregg Steinhafel, the chief executive of Target. He wanted me to know that there was a decent likelihood that some of my personal information had been stolen by criminals who had “forced their way into our systems,” as Steinhafel put it, and pulled off one of the biggest data breaches in history.

I’m not a regular Target shopper, so I had to think about this for a minute. Then I remembered: In mid-December, while marooned in Houston after missing a connecting flight to Rio de Janeiro, I went to a Target store to buy some clean clothes. I paid with my debit card, which I swiped through the little “point of sale” machine, and then entered my passcode — something I probably do a dozen times a day. The very ordinariness of the transaction is partly why it hadn’t stood out in my memory.

Since receiving Steinhafel’s letter, however, I’ve been brushing up on data breaches, and I’m here to say it is going to be a while before I’m sanguine when I make that little swiping motion with my debit card. In the battle between hackers and retailers, it sure looks as though the hackers are winning.

If you have read anything about the Target data breach, you know that from Nov. 27 to mid-December, hackers siphoned off the credit card information of 40 million Target shoppers, including card numbers, passcodes and the three-digit security code on the back. They also took names and email addresses of tens of millions of other Target customers.

Target acknowledged the breach on Dec. 19, but only after a reporter named Brian Krebs had broken the news on his authoritative blog, Krebs on Security.

When I talked to Krebs, he told me that while Target was “hardly a poster boy for how to secure data,” the company probably wasn’t all that much worse than most other retailers. Its digital system undoubtedly had all the current antivirus software, none of which had detected the malicious software — “malware,” as it’s called — that had infected it. Krebs was pretty convinced that the hackers were Russians. It was obvious that they were extremely sophisticated in how they went about stealing credit card data.

After burrowing into a Target server, he explained on his blog, the malware would then grab data from Target’s point-of-sale terminals all across the country shortly after customers swiped their cards. At that moment, a moment of maximum vulnerability since all the data was unencrypted at that point, the magnetic stripe would yield all the information the hacker needed.

Another security expert, Gerhard Eschelbeck, the chief technology officer at Sophos, wrote in a recent report that “one trend that stands out is the growing ability of malware authors to camouflage their attacks.” Eschelbeck described attacks by modern hackers as “innovative and diverse.”

Virtually every security expert I spoke to said it is likely that a lot more retail companies have been breached than has been acknowledged. Indeed, last week, Neiman Marcus admitted that its systems had been breached. And just the other day, the Department of Homeland Security sent a report to retailers and banks warning about point-of-sale malware, which it suspects has infected more systems than just Target’s.

So why don’t retailers do more to stop such attacks? Part of the reason is that nobody is forcing them to. It costs a lot of money to completely revamp their systems in ways that would make them harder to breach. However disruptive to customers, there really hadn’t been any business consequences, not until the Target breach, anyway. (Target saw its Christmas sales decline after the breach was announced.)

The simplest thing we could do to diminish data breaches would be to move away from magnetic stripes, which are relatively easy to copy, and go to a system in which credit and debit cards are embedded with chips. In widespread use in Europe and elsewhere, such cards are practically nonexistent in the United States (though a rollout is supposed to begin in the fall of 2015). In 2009, a payment company called Heartland suffered a breach that was even larger than Target’s. You would think that would have been a wake-up call, but apparently it wasn’t.

The most galling part of Steinhafel’s letter is its advice to consumers. “Never share information with anyone,” he writes. “Be wary of emails that ask for money.” None of this advice, of course, would have helped anyone who had the misfortune to shop at Target during the three weeks the malware was doing its devious work. The fault was not ours, Mr. Steinhafel; it was yours.

As for me, it turns out that the Russian hackers won’t be able to use my debit card information after all. I had to get a new card — after I was hacked in Brazil.

 

By: Joe Nocera, Op-Ed Columnist, The New York Times, January 17, 2014

January 20, 2014 | Consumers, Corporations

“Still Playing Games”: House Votes To Undermine ACA, Again

The House of Representatives held its first meaningful floor vote of 2014 this morning, sending a clear signal about the Republican majority’s priorities. Did they vote on unemployment benefits? The farm bill? One of the many other unfinished bills from 2013?

No, the GOP majority is still playing games with health care.

A significant number of Democrats broke party lines to vote on the House’s first anti-Obamacare vote of 2014 on Friday, a blow to party unity and leadership’s advice that rank-and-file members stand strong against GOP “gotcha” bills.

The legislation, which would require victims of security breaches through HealthCare.gov insurance exchanges to be notified within two days, passed 291-122. Sixty-seven Democrats sided with all voting Republicans to hoist the bill over the finish line.

The fact that so many Democratic lawmakers broke ranks wasn’t a huge surprise – it’s now an election year and they seem reluctant to create attack-ad fodder by opposing pointless “messaging” bills.

As we discussed last week, the proposal comes by way of Majority Leader Eric Cantor (R-Va.), who has a lengthy record of preferring partisan games to actual governing. It also dovetails with a coordinated messaging campaign championed by House Oversight Committee Chairman Darrell Issa (R-Calif.).

Indeed, today’s vote was unusually vapid. As has been reported many times, there have been no security breaches; literally zero Americans’ personal information has been compromised; administrative security testing for healthcare.gov is constant; and when rare vulnerabilities have popped up, the problems have been identified and resolved quickly and safely.

What’s more, while the bill approved by the House today would require HHS to notify consumers if their personal information is accessed improperly, it’s worth noting (a) HHS is already required to make these notifications, making the legislation unnecessary; and (b) since consumers’ personal information is not actually stored on healthcare.gov, the underlying concern really doesn’t make a lot of sense.

So what’s the point of pushing a pointless bill and making it the first proposal voted on in 2014? I found remarks from Rep. Elijah E. Cummings (D-Md.), ranking member of the House Oversight Committee, quite compelling.

“Despite all these positive results, Republicans are still obsessed with killing this law. Since they cannot do so legislatively, they have shifted to a different tactic: scaring people away from the website.

“So my second point is this: there have been no successful security breaches of Healthcare.gov. Nobody’s personal information has been maliciously hacked. […]

“These are important facts for the American people to know. But the Republicans disregard them and omit them because they undermine their claims. Many of us would support efforts to strengthen requirements for the entire federal government and private sector to notify consumers of breaches. But today’s bill does not do that. Today’s bill is the latest attempt to attack the Affordable Care Act and deprive millions of Americans of the healthcare they deserve.”

As for actual security threats, Jennifer Bendery makes a point that can’t be emphasized enough: “[T]he most credible threat to the website’s security may be the loudest critic of the website’s security: Rep. Darrell Issa (R-Calif.), chairman of the House Oversight and Government Reform Committee.”

 

By: Steve Benen, The Maddow Blog, January 10, 2014

January 12, 2014 | Affordable Care Act, GOP

“No Company Is Secure”: Stop Asking Me For My Email Address

It’s hard out there for a paranoid cybersecurity reporter.

I’ve covered enough breaches, identity thefts, cybercrime and worse, to know it’s a terrible idea to hand over my personal data — even something as seemingly innocuous as my birthday or email address — to a store clerk, or a strange login page on the Internet.

But it’s getting hard to resist. I was in the middle of buying a swimsuit recently when the sweet lady behind the boutique counter asked me for my email address. I explained, as I have a hundred times before, that I’m a paranoid security reporter who makes it a general rule of thumb not to hand out information unnecessarily.

“We won’t spam you or anything,” she said, perplexed. “We just need it for our database.”

I knew then that the conversation was headed into a whole lot of awkward, as it had dozens of times before. The fact is, a boutique doesn’t need my email address so I can buy a swimsuit. The hotel I stayed in recently didn’t need my birth date, or my home address, or my driver’s license number, before I could check in. And Target doesn’t need to store your debit card PIN.

After news of Target’s breach first broke last month, a reader emailed complaining that after a recent purchase at a Target store in San Francisco, she was asked for her driver’s license after her credit card was authorized. “I gave it to her thinking she was only going to look at it, however she immediately scanned it through her register. I was a bit shocked and asked why she did that. She said it is always done but ‘Don’t worry, it is secure.’”

That, we now know, is absurd.

There is a temptation to think that major retailers like Target – and now Neiman Marcus – are more secure because they have more cash to spend on security. It’s the same assumption users made thinking Snapchat was secure because it magically makes selfies disappear, or that LinkedIn knew how to protect data because it likes to talk up big data, or that Adobe could protect our passwords.

Actually, I take that back: Compromised Adobe PDF files have been used in far too many cyberattacks to mention here.

The point is that no company is secure. None of them. Not when they are up against an increasingly sophisticated, elusive enemy. But the problem is not just retailers, or technology companies or hackers, it’s us.

We regularly hand over data simply because we’re politely asked. We don’t read privacy policies, or ask companies whether our email addresses and passwords will be “salted” or “hashed,” encrypted with long or short keys, or whether those keys will be stored on separate systems from the ones they can unscramble. We don’t challenge major credit card companies to hurry up and adopt smart-chip credit cards. And we don’t stop doing business with companies that don’t take data protection seriously.

So we’ll all feign shock that the Target breach did not just affect 40 million people as it previously reported, but well over one-third of America’s adult population. And then, in a few days, we will likely go back to politely handing over our email addresses and birth dates.

But for now, the sweet lady at the boutique just has this: privacyreporter@stopaskingme.com.

 

By: Nicole Perlroth, Digital Diary, The New York Times, January 10, 2014

January 12, 2014 | Privacy

“Congress Goes Postal”: A Full Agenda Of Futile Symbolic Votes, On The Rare Occasions It’s In Session

Congress is gone. Yeah, I miss them, too.

All the members are off on a five-week recess, after which they’ll return for a few days, then go away again, then hobble back as lame ducks. This is going to do terrible things to the Congressional approval rating, which had climbed all the way up to 17 percent at one point this year. Now it’s sunk to BP oil spill level, and it’s only a matter of time before we’re back to the point where poll respondents say they have a more favorable attitude toward “the U.S. becoming communist.”

You are probably wondering what your elected officials have been up to. Well, the best news is that House and Senate leaders worked out a plan to avoid a government shutdown for six more months by agreeing to just keep doing whatever it is we’re doing now.

This is known as “kicking the can down the road.” Failure to kick the can down the road can lead to “falling off the fiscal cliff.” There are so many of these crises looming that falling off a cliff should be reclassified as an Olympic event.

Just this week, Congress failed to protect the Postal Service from tumbling, and the service defaulted on a $5.5 billion payment for future retiree health benefits. It was the first time that the U.S. mail system failed to meet a financial obligation since Benjamin Franklin invented it.

The Postal Service has multiple financial problems, and, earlier this year, the Senate passed a bipartisan bill to deal with them. It would not have fixed everything, or even resolved the question of whether the strapped agency would be allowed to discontinue Saturday mail delivery as a cost-savings measure. “It’s not perfect,” admitted Senator Tom Carper of Delaware, one of the sponsors.

At this point, the American public has been so beaten down by Congressional gridlock that “it’s not perfect” sounds fine. In fact, we’d generally be willing to settle for “it’s pretty terrible, but at least it’s something.”

The Senate plan would have definitely been preferable to the Postal Service default, which could be followed by an all-purpose running-out-of-cash later this fall. Carper was pretty confident that if the House passed a postal bill of any stripe, the two sides could work out a compromise during the long August vacation. That would presumably be a watered-down version of imperfection, which, as I said, is exactly what we’re currently dreaming about.

But the House leadership wouldn’t bring anything up for a vote. Speaker John Boehner never said why. Perhaps he was afraid voters would blame his members for the closing of underused post offices. There is nothing Congress cares more about than post offices, 38 of which the House has passed bills to rename over the past 18 months.

So, no Postal Service bill. You can’t deal with every single thing, and the House had a lot on its to-do list, such as voting to repeal the Obama health care law on 33 separate occasions.

Meanwhile, the national farm program was teetering on the cliff.

The farm bill has long been a classic Congressional compromise, combining aid to agriculture with the food stamp program, so there’s pretty much something for everybody. The Senate recently voted 64 to 35 to approve a new five-year authorization, which reformed some of the most egregious bad practices, like paying farmers not to grow crops. It was, I hardly need mention, not perfect.

Then, the House Agriculture Committee passed a bipartisan farm bill itself. Yes! In the House, people! Everybody was on board!

Then, the House leadership refused to allow it to go up for a vote. Boehner told reporters, “no decision has been made” about what to do next, without giving any hint as to when said decision might be coming along.

The problem appears to be Tea Party hatred for the food stamp program. But who knows? Boehner isn’t saying. Maybe his members want the power to rename the farms.

The House Agriculture Committee chairman, Frank Lucas, just kept making sad little noises. Lucas is from Oklahoma. His state is having a terrible drought. It’s been more than 100 degrees there forever. As a gesture of appeasement, the leadership did allow passage of a narrow bill providing disaster relief to cattle and sheep ranchers. The Senate dismissed it as too little, too late.

Meanwhile, several attempts to get a bill passed on cybersecurity for the nation’s power grid, water supply and financial systems failed entirely.

Maybe Congress will pick up the ball when it comes back to town for a couple of weeks this fall before the election. But it already has a full agenda of futile, symbolic votes plus the crucial kicking the can down the road.

Maybe it’s possible to have a negative approval rating.

 

By: Gail Collins, Op Ed Columnist, The Washington Post, August 3, 2012

August 5, 2012 | Congress

   
