Media’s Epic Email Fail

The media continues to output articles with fantastic titles such as “Hillary Clinton’s private server doesn’t look like honest mistake”, “The Origin of Key Clinton Emails From the Inspector General Report Is a Mystery”, and my personal favorite, “Hillary Clinton Wasn’t Adept at Using Desktop for Emails, Inquiry is Told”.

(Perhaps in the next debate, we can ask our candidates to demonstrate their ability to send an email via a laptop to determine whether they’re qualified to be President. Well, except if the debate is between Trump and Sanders. They don’t have to prove their ability. After all, everyone knows men are born knowing how to use computers.)

Since we’re now looking at weekly releases of deposition transcripts related to the emails, courtesy of Judge Emmet Sullivan (about which I’ll have more in a follow-up post), it’s important that people have a solid understanding of what the OIG Evaluation Report on State’s email retention and security really means. This means cutting through the many misunderstandings: both inside the report, and among the media’s interpretations of the report results.

First, it’s essential that people realize the OIG report is an evaluation, not a formal OIG investigation. This means that the OIG was looking for general patterns of failure related to the focus of the evaluation, rather than looking for specific instances of deliberate wrong doing. As such, the OIG effort wasn’t exhaustive.

Specifically, the OIG report notes that their fact-finding was limited because of faulty memory, or lack of responses from those people who have already left the department, and didn’t return any of the questionnaires:

In addition, OIG was unable to reconstruct many events because of staff turnover and current employees’ limited recollections of past events. These problems were compounded by the fact that multiple former Department employees and other individuals declined OIG requests for interviews, and OIG lacks the authority to compel anyone who is not a current Department employee to submit to interviews or to answer questions.

Clinton and many of her previous staff have been condemned for not “cooperating” with the OIG evaluation. However, an FBI investigation takes precedence over any other investigation—especially a non-time critical effort such as an OIG evaluation of State’s email retention and email cybersecurity procedures. As noted in a Wall Street Journal article:

Within the federal government, criminal investigations commonly take precedence over noncriminal probes. The State Department will assess how to proceed after the FBI has concluded its investigation, Ms. Trudeau said. A separate probe by the State Department’s independent Office of Inspector General is ongoing, said Doug Welty, a spokesman for that office.

Brian Fallon, a spokesman for Mrs. Clinton’s presidential campaign, said the State Department took “a prudent step.”

“The State Department’s Inspector General should follow suit,” he said.

The Clinton folks are correct: the OIG should have paused its efforts until the FBI investigation is complete, especially since they must have been aware that the key people they needed to interview were not going to participate until after the FBI finished.

While the FBI is investigating, you limit what you say. That’s “No Brainer” 101. Only the naive believe that “if you’re innocent, what’s the harm?” Even the most innocuous utterance could be enough to trigger another five months of FBI investigation, especially when you have an FBI Director who is as obsessive-compulsive as Comey.

(I shouldn’t have to remind anyone about the FBI’s attempt to force Apple into creating backdoor software, making every iPhone vulnerable, just so they could crack the work cellphone for one of the San Bernadino terrorists.)

Why didn’t the OIG wait on the FBI investigation? Most likely pressure from Congress. The same Congress that has permanently enshrined Benghazi into the Congressional infrastructure. And, from the OIG’s perspective, it was able to obtain enough information to note general problems in the State Department and issue relevant recommendations. Ultimately, that was supposed to be the evaluation’s primary purpose.

Incomplete reports mean incomplete conclusions

But the very incompleteness of the OIG’s fact finding mission undermines many of the statements made in the report. For instance, the OIG report mentions that it could not find evidence that Clinton’s personal system had been reviewed:

According to the staff member, the Director stated that the Secretary’s personal system had been reviewed and approved by Department legal staff and that the matter was not to be discussed any further. As previously noted, OIG found no evidence that staff in the Office of the Legal Adviser reviewed or approved Secretary Clinton’s personal system.

However, if key people who were employed by State at that time were not interviewed, we can’t know for sure that no review was done. In addition, the OIG also admits to lack of success discovering records…hence the OIG evaluation.

Then there’s the seeming conflicting information in the report, again related to the vetting of Clinton’s system. For instance, the following paragraph implies that Clinton or her people never asked for a solution from IRM (Bureau of Information Resource Management) regarding her email server:

During Secretary Clinton’s tenure, the FAM also instructed employees that they were expected to use approved, secure methods to transmit SBU information and that, if they needed to transmit SBU information outside the Department’s OpenNet network on a regular basis to non-Departmental addresses, they should request a solution from IRM. However, OIG found no evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact that emails exchanged on her personal account regularly contained information marked as SBU.

Yet the same report contains the following footnote, related to Brian Pagliano (Senior Advisor), who maintained Clinton’s server:

At that time, S/ES IRM staff met with the Senior Advisor, who accessed the Secretary’s email system and looked at its logs. The issue was ultimately resolved and, on December 21, 2010, S/ES-IRM staff sent senior S/ES staffers an email describing the issue and summarizing the activities undertaken to resolve it. On another occasion, the Senior Advisor met with staff within CTAD and received a briefing on cyber security risks facing the Department. A third interaction took place on October 30, 2012, during the period when Hurricane Sandy disrupted power in the New York City area. An email exchange between Deputy Chief of Staff for Operations and another member of the Secretary’s staff revealed that the server located in Secretary Clinton’s New York residence was down. Thereafter, the Senior Advisor met with S/ES-IRM staff to ascertain whether the Department could provide support for the server. S/ES-IRM staff reported to OIG that they told the Senior Advisor they could not provide support because it was a private server.

Even in the convoluted parlance of government-speak, how can you reconcile “never contacted IRM and asked for help” with “contacted IRM and asked for help”?

Despite these obvious contradictions and important provisos, the media has been slamming Clinton nonstop since the report released. And some of the outrage is just plain silly.

Media-manufactured outrage? Yes.

The Chicago Tribune writes, “Origin of key Clinton emails from report are a mystery”. What emails? The ones from her IT person to her staff expressing concerns that the server might be under attack and he was taking measures to prevent it, and the one related to whether Clinton should get a State email account or not, because her emails weren’t being answered.

Of course, the “attack” emails weren’t to Clinton, or from Clinton, but by golly, they should have been in the emails Clinton turned over! As for the email related to the State email account, if this was one of the emails from Clinton’s first few months transitioning into her position as Secretary (and by its nature, I’m assuming it is), she’s already stated she doesn’t have these emails. I think since Secretary Powell didn’t turn over any of his emails during his entire tenure, or Secretary Rice’s staff didn’t turn in all of theirs, we can cut Clinton some slack for not turning over about two months of emails, during a time when she was trying to figure out how everything worked. Can’t we?

Speaking of these particular emails, the Chicago Tribune writes, “Hillary Clinton’s private server doesn’t look like an honest mistake.” No, she deliberately hid her server because she wanted it to bite her in the butt when she ran for President.

One of the Tribune’s concerns seems to be the email describing how the server may have been under attack, but they didn’t report the attack. But again, how do we know it wasn’t reported? Several of the relevant people are no longer in State, and declined to be interviewed. And how do we know that Clinton or her staff even knew that this was the procedure to follow? After all, the whole point of the OIG report was discovering problems within the State’s handling of emails, including cybersecurity. There is an assumption that all of these people knew all of the arcane rules and regulations associated with systems in the State department, when there’s no clear indication that this was so.

You can check out just some of the procedures and regulations, yourself. Now ask yourself: how long would it take to become proficient enough with these types of rules, so that you could remember them enough to deduce the procedure to follow implicit in the rules?

Some media stated that Clinton should have used the State Department’s SMART system to back up her email. What the same media doesn’t know is that the SMART system wasn’t meant for State Department executives, such as Clinton. The SMART system was for rank-and-file State employees. The only preservation system Secretary Clinton had at the time was to print out each email, and then file it.

Even if Clinton tried to use the SMART system, she most likely would have failed. The OIG did a evaluation of the SMART system last year, and found that, for the most part, those who were supposed to use the system were not using it. Why? They didn’t have the proper training, and the system was too hard to use.

I can relate to that.

Clinton was Secretary of State, not a State secretary

There’s one more article from the media I want to address, and that’s the Washington Post’s editorial titled “Clinton’s inexcusable, willful disregard for the rules.” They wrote:

The department’s email technology was archaic. Other staffers also used personal email, as did Secretary Colin Powell (2001-2005), without preserving the records. But there is no excuse for the way Ms. Clinton breezed through all the warnings and notifications. While not illegal behavior, it was disturbingly unmindful of the rules. In the middle of the presidential campaign, we urge the FBI to finish its own investigation soon, so all information about this troubling episode will be before the voters.

All I have to say to the Washington Post Editorial board is: how dare you?

How dare you undermine Hillary Clinton’s tenure as Secretary of State? How dare you imply that all she had to do during her tenure as Secretary was discover the rules and regulations related to her email server and ensure her staff followed them. That she had nothing else of importance to do.

In her first year in this position, Secretary Clinton made 52 official State Department trips. She attended UN sessions, sessions with NATO, met with world leaders, and attended ceremonies as official United States representative. Whether you agree with her actions during the events or not, that same year she helped re-establish more cordial relations with Russia (the Russian Reset) and established first overtures to Iran that eventually led to the Iran nuclear deal implemented this year. The Honduran crises also happened in 2009, becoming a major focus of State Department effort that year..

And you’re fussing about Clinton not taking the time to discover the email system rules she should be following?

The Washington Post editorial board has one woman in the nine-member board, Jo-Ann Armao. Perhaps she can help her fellow board members understand the difference between being an office secretary, and being Secretary of State.

This isn’t an episode of Mad Men, and Hillary Clinton isn’t Joan Harris. She wasn’t a secretary in the secretary pool, she was Secretary of State of the United States of America…one of the most powerful and important positions in the world. And the OIG report, and the media stories like the Washington Post editorial, are faulting her for not taking the time to discover the minutia of intra-agency policy regarding her email system.


A Broken System

That Clinton did not throw her staff under the bus, and accepted responsibility for the email server is commendable. I don’t know of many other candidates for President who would be this fair. And I want to be clear: her direct staff wasn’t at fault. It was up to career State employees to ensure all the proper steps were taken regarding Clinton’s email and email server. I am astonished, and frankly, more than a little disgusted, how few media professionals have realized this.

That procedures at State regarding email were not clear, or well known, just drives out the necessity of the OIG report. Though it isn’t as comprehensive, or as balanced, as one would hope, the report did cover what State needs to do to ensure the events related to Clinton’s emails don’t happen again.

Then, in the future, we won’t be subjected to what we’re being subjected to now: story after story after story about Clinton’s emails—the majority of which are either deliberately incendiary or confused. Instead, we could be focused on more important facts. Facts, like how on earth could someone like Trump become an actual Presidential nominee.

Originally published at Crooks & Liars.


Inspector General’s Report On Clinton’s Email Greatly Exaggerated By Media Outlets

The Office of Inspector General (OIG) released its anticipated report on the State Department’s handling of email and cybersecurity. The report covers Hillary Clinton’s use of a private email server, but also includes an examination of other State employees use of email, including Colin Powell’s use of a private email service.

Almost immediately, the media was full of headlines such as “State Department report slams Clinton email use” from CNN, “State Dept. inspector general report sharply criticizes Clinton’s email practices” from the Washington Post, and “IG: Clinton didn’t want emails ‘accessible'”, from The Hill.

Lost in the hyperbole is the fact that the OIG report was meticulous and thorough, but also dispassionate, just like any other OIG report I’ve read. There was no direct criticism of Clinton, sharp or otherwise. The OIG was examining the State Department’s practices, not specifically investigating Clinton’s actions.

Reading the various media stories on the report, I found other misrepresentations. For instance, The Hill claims that Clinton didn’t want her email to be “accessible”. In actuality, what the report stated was that Clinton didn’t want her personal emails being accessible:

In November 2010, Secretary Clinton and her Deputy Chief of Staff for Operations discussed the fact that Secretary Clinton’s emails to Department employees were not being received. The Deputy Chief of Staff emailed the Secretary that “we should talk about putting you on state email or releasing your email address to the department so you are not going to spam.” In response, the Secretary wrote, “Let’s get separate address or device but I don’t want any risk of the personal being accessible.”

The Washington Post article stated:

The inspector general, in a long awaited review obtained Wednesday by The Washington Post in advance of its publication, found that Clinton’s use of private email for public business was “not an appropriate method” of preserving documents and that her practices failed to comply with department policies meant to ensure that federal record laws are followed.

First of all, a lot of people and organizations got a copy of the report, WaPo. You’re not special.

Secondly, Clinton did take action to preserve her emails, as the report notes. On Page 66 of the report, Janice Jacobs, the State Departments Transparency Coordinator, specifically addressed Clinton’s handling of the emails:

In addition the Department had already received Secretary Clinton’s emails and undertook to release 30,000 of them to the public. The National Archives and Records Administration concluded that our efforts with respect to Secretary Clinton and her senior staff mitigated past problems, as has a federal district court in a suit brought under the Federal Records Act. As you note in your report, you concur with this conclusion. (emph. added)

The State Department, the OIG, and NARA all concurred that Clinton’s actions in turning over the emails she had, in addition to others the State Department was able to discover, did mitigate not following proper procedures (i.e. printing out each email and filing it). It’s true that in the beginning of Clinton’s tenure as Secretary of State, during the first two months transition period, some emails were lost. However, there was no indication that an attempt was made to deliberately hide these emails from a salivating public: it’s technology; stuff happens.

Lastly, I can almost hear the calls of “criminal Hillary” from a certain party who shall go nameless. Note, though, as the report mentions, there were no administrative penalties in place—either about the use of a private email server, or not following the established procedures for preserving emails—at the time Clinton served as Secretary of State. Moreover, there is no indication that she was even aware of the requirements.

Although the Department is aware of the failure to print and file, the FAM contains no explicit penalties for lack of compliance, and the Department has never proposed discipline against an employee for failure to comply. OIG identified one email exchange occurring shortly before Secretary Clinton joined the Department that demonstrated a reluctance to communicate the requirement to incoming staff. In the exchange, records officials within the Bureau of Administration wondered whether there was an electronic method that could be used to capture the Secretary’s emails because they were “not comfortable” advising the new administration to print and file email records.

State Department personnel were discouraged from using their private email, but not explicitly forbidden from doing so. As quoted in the CNN story—the one where Clinton was purportedly “slammed’ by the OIG—the State Department spokesman concurred:

State Department spokesman Mark Toner briefed reporters Wednesday: “While not necessarily encouraged, there was no prohibition on using personal email. The only requirement is that — and the regulations do state this, that these records need to be preserved.”

To repeat what I wrote earlier, the OIG report was focused on the State Department’s procedures in place for emails; it’s not specifically focused on Clinton. It may be more titillating to say that the OIG is “slamming” Clinton, or that the OIG report was “sharply critical of Clinton”…but it’s also inaccurate, and misleading.


The Getting-Smarter SmartThings Home Hub

When last we left our intrepid, if challenged, SmartThings home hub, it was not having the best of times.

CNet picked up my previous story, and expanded on it in an article titled Samsung’s smart home push hits disconnect. In addition, researchers exposed what they considered to be serious security flaws with the hub.

Multiple issues exist in SmartThings’ framework, the researchers say, but most pressing are the privileges given to apps, many of which they don’t need to function. A smart lock might only need the ability to lock itself remotely, for instance, but the SmartThings API bundles that command with the unlock command, which an attacker can leverage to carry out a physical attack. Another over-granting of permissions involves the way in which SmartApps connect to physical devices. When a user downloads a SmartApp, it asks for specific permissions to perform its intended purpose. After being installed, SmartThings then lists all the devices that could be used with that app because of its ability to sync with those permissions. But it also gives the app more access than it needs.

In response, SmartThings CEO Alex Hawkinson apologized in the SmartThings community forum, promising improvements. He also posts a weekly update (the latest) about what improvements have been pushed out that week. In addition, the company recently hired Amazon’s former director of engineering, Robert Parker, to oversee the improvements.

As a result, SmartThing users have been seeing an improvement in the hub. We’re no longer seeing the “red bar of death” that used to be so common in the Android app. In addition, performance has improved, including better detection of presence, as well as quicker response to actions. Scheduled events actually run on schedule, after months of erratic behavior.

Hawkinson also responded to the security concerns:

A research report entitled “Security Analysis of Emerging Smart Home Applications” was released this morning by a team from the University of Michigan and Microsoft Research. The report discloses hypothetical vulnerabilities in the SmartThings platform and demonstrates how, under certain circumstances, they could be exploited. Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report. It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place.

The system has stabilized enough that some of us are tentatively moving back into the world of the Smart Home Monitor—the golden child of the SmartThings network, responsible for security. It is this application that had the most faulty behavior, with frequent false alarms, and not being able to manually arm or disarm the system.

I turned on SHM last week for the first time in over two months. Unfortunately, I also had a false alarm at exactly 5:04 AM last Thursday, when one of my monitors detected movement where there was none. However, I do believe this is more the monitor (I’ve had some issues with SmartThings own motion sensors in the past)—perhaps reacting to a spider, or air flow eddies—and not the application or the hub. I’ve switched to a different motion sensor (the Fibaro Motion Sensor), and so far no additional false alarms.

We can now easily arm and disarm the SHM security system. When the security alert did go off, all the appropriate lights and alarms were triggered, and notifications sent. In addition, when I dismissed the alert, the alarms were immediately silenced, though I had to turn off all the lights manually.

There are still issues with the SmartThings Hub. The biggest concern is that most of the activity related to the Hub occurs within the cloud rather than locally. This means that if we lose internet connectivity—something that happens daily for me during the hottest part of the day in the summer—automatic actions that should still function, don’t.

We also still don’t have Rule Machine, the extremely popular community-developed application, and no idea if it will ever return.

Still, I’ll take the improvements we’ve received, and the promise of more.

I’m moving the SmartThings Hub from “hold on buying” to, “OK, you can give it a try, but don’t go crazy buying devices just yet”.


Inspector General’s Report On Clinton’s Email Greatly Exaggerated By Media Outlets

The Office of Inspector General (OIG) released its anticipated report on the State Department’s handling of email and cybersecurity. The report covers Hillary Clinton’s use of a private email server, but also includes an examination of other State employees use of email, including Colin Powell’s use of a private email service.

Almost immediately, the media was full of headlines such as “State Department report slams Clinton email use” from CNN, “State Dept. inspector general report sharply criticizes Clinton’s email practices” from the Washington Post, and “IG: Clinton didn’t want emails ‘accessible'”, from The Hill.

Lost in the hyperbole is the fact that the OIG report was meticulous and thorough, but also dispassionate, just like any other OIG report I’ve read. There was no direct criticism of Clinton, sharp or otherwise. The OIG was examining the State Department’s practices, not specifically investigating Clinton’s actions.

Technology Writing

Learning Node, 2nd Edition is now live

Learning Node 2nd cover

Learning Node, 2nd Edition is now in production and should be hitting the streets within a few weeks. We had a bit of excitement when Node 6.0 was rolled out, just as we entered production. However, this edition of the book was specifically designed to accommodate Node’s rather energetic release schedule, and the book survived with only minimal changes.

In this edition, I focused heavily on the Node core API, rather than third-party modules. I figured the book audience either consists of front-end developers working with JavaScript in the browser, or server-side developers who have worked with other tools. In either case, the audience wants to know how to work with Node…not this module or that. Node, itself.

My one trip into the fanciful was the chapter on Node in other environments. In this chapter, I had a chance to introduce the reader to Microsoft’s new ChakraCore for Node, as well as using Node with Arduino and Raspberry Pi, and with the Internet of Things (IoT). I figured by Chapter 12, we all deserved a special treat.

The book’s Table of Contents:

1. The Node Environment
2. Node Building Blocks: the Global Objects, Events, and Node’s Asynchronous Nature
3. Basics of Node Modules and Npm
4. Interactive Node with REPL and More on the Console
5. Node and the Web
6. Node and the Local System
7. Networking, Sockets, and Security
8. Child Processes
9. Node and ES6
10. Full-stack Node Development
11. Node in Development and Production
12. Node in New Environments

A more detailed TOC is available at O’Reilly.

I had a good crew at O’Reilly on the book, and an exceptionally good tech reviewer in Ethan Brown.