About the Hillary Clinton email server thing…

I was going to say something about the issue with Hillary Clinton using an email server provided by her own staff for some of her email traffic, rather than one provided by her employer, but @LaneWinree already wrote pretty much what I’d have written, just better than I would have done.

So, I guarantee this is exactly how the email server thing went down.
Whatever internal system the government has set up for email communication is, I guarantee, a total and utter shitshow.
Shitshow as in horrid UI, horrid performance, and just in general unusable. Most business email environments are. Government worse.
Clinton probably complains about this, someone on staff looks into fixing it, someone somewhere thinks “Hey, we could just build a server”
Given that it’s absurdly easy to build an environment to host an email server, a request gets made and some IT guy somewhere says it’s fine
So a server gets built, Clinton uses it, and the whole thing gets overlooked because someone way down the chain doesn’t vette it out
And given the sheer scale of systems the federal government uses, no one audits what systems are running and where
And if you’re Clinton or her staff, you’re thinking if IT signed off on it, it complies with all needed regulations
So where it -should- have been nixed was that federal IT level, where a network specialist sees the request and says “Nope, can’t do it.”
But because it didn’t get nixed there, no one any further up the chain should have any reason to think it’s insecure and against the rules
Here’s the dirty IT secret: This crap happens all the time. Someone at the IT level should know better and deny the request, and that’s it.
And the reason this happened is likely because building a separate environment probably saved a few days work optimizing the existing one
So when Comey says there was no intent to break the law, I totally buy it. Compliance often breaks due to badly optimized systems/processes
Coming from the IT side, I don’t expect mid/upper management to get ANY of these nuances, nor would I find value in explaining it all
So it’s totally reasonable for a manager to assume that if I sign off and build it, I believe it complies with compliance regulations.
Because, well, compliance adherence over IT systems is something -I- should be responsible for. Not a manager. Or Secretary of State.
So the tl;dnr version is a complaint happened, someone put in a request to address the complaint, and IT dropped the ball on compliance.
Yes in IT you want to be helpful and provide solutions, but you MUST know how to comply with IT regulations. That’s on you, not up the chain
I’ve posited this to some friends who also work in IT, and each one of them agrees that this is likely what happened.
Badly optimized legacy systems require a ton of work to fix, IT monkey looks for a shortcut, breaks compliance rules in the process.
@LaneWinree

Harvesting Addresses from LinkedIn
June 2016: The Month in Email

Related Posts

Do you have an abuse@ address?

I’ve mentioned multiple times before that I really don’t like using personal contacts until and unless the published or official channels fail. I don’t hold this opinion just about resolving delivery issues, but also use official channels when reporting spam to one of my addresses or spam traps.
My usual complaints contain a plain text copy of the mail, including full headers and a short summary of the email address it was sent to. “This is an address that was part of a leak from…” or “This is an address scraped off my website. It’s been removed from the website since 2004” or “This address isn’t used to sign up for any mail.”
Sadly, there are a number of “legitimate” ESPs that don’t have or don’t monitor their abuse address. In some cases it’s an oversight or a break down of internal mail handling. But in most cases, it’s a sign that the ESP doesn’t actually handle abuse.
It’s frustrating to watch an ESP post long blog posts about “best practices” and “effective delivery” and “not spamming” and yet not be able to actually stop their own customers from spamming. It’s not even that I necessarily want them to disconnect their spamming customers (although that would be nice) but suppressing the address that I’ve told them was a spamtrap seems trivial. And yet, a month after my first complaint and weeks after escalating to a personal contact, I’m still getting spam.
The 5 things every ESP should do to handle spam complaints.

Read More

Monetizing the complaint stream

What if ESPs (and ISPs, for that matter) started charging users for every complaint generated? Think of it like peak pricing for electricity. In California, businesses can opt for discounted power, with the agreement that they are the first companies shut off if electrical demand exceeds supply. What if ESPs and ISPs offered discounted hosting rates to bulk senders who agreed to pay per complaint?
I see pricing scheme something like this.

Read More

We gave you a chance…

Our formerly feral cat was diagnosed with hyperthyroid disease earlier this year. This week she went in for treatment with radioactive iodine. Now that she’s home, we have some minor safety precautions (mostly around keeping radiation out of landfills and minimizing our exposure) for the next 2 weeks.
MC_forBlog
In previous careers, both Steve and I have been licensed to work with radioactivity so we’ve been swapping stories. Today I remembered an incident recounted during training. One lab had ordered some radioisotope and then mistakenly thrown out the isotope with the packaging material. An honest, but very expensive, mistake. Part of the fix was to have all radiation orders go through a central office on campus. This office would handle the opening and recording of the material and then distributing it to the appropriate research lab. As Steve put it, “We trusted you but you messed up, so now we have to institute some controls.”
This actually is how a lot of email compliance is done, too. Companies are allowed to do what they’re going to do. If they do something bad, even by mistake, there is often a lot of expensive cleanup. After the cleanup, the network (either the ESP or ISP) puts in place processes to limit the chance of this kind of mistake in the future.
In the email space the processes usually involves a couple things. First, the sender needs to change their acquisition process. This change limits the bad addresses getting onto a list in the future. Second, the sender needs to address the bad part of their current list. This often involves purging and/or re-engaging non-responsive addresses.
The fixes are painful for everyone involved. But when cleanup is expensive, prevention is important.

Read More