About the Hillary Clinton email server thing…

I was going to say something about the issue with Hillary Clinton using an email server provided by her own staff for some of her email traffic, rather than one provided by her employer, but @LaneWinree already wrote pretty much what I’d have written, just better than I would have done.

So, I guarantee this is exactly how the email server thing went down.
Whatever internal system the government has set up for email communication is, I guarantee, a total and utter shitshow.
Shitshow as in horrid UI, horrid performance, and just in general unusable. Most business email environments are. Government worse.
Clinton probably complains about this, someone on staff looks into fixing it, someone somewhere thinks “Hey, we could just build a server”
Given that it’s absurdly easy to build an environment to host an email server, a request gets made and some IT guy somewhere says it’s fine
So a server gets built, Clinton uses it, and the whole thing gets overlooked because someone way down the chain doesn’t vet it out
And given the sheer scale of systems the federal government uses, no one audits what systems are running and where
And if you’re Clinton or her staff, you’re thinking if IT signed off on it, it complies with all needed regulations
So where it -should- have been nixed was that federal IT level, where a network specialist sees the request and says “Nope, can’t do it.”
But because it didn’t get nixed there, no one any further up the chain should have any reason to think it’s insecure and against the rules
Here’s the dirty IT secret: This crap happens all the time. Someone at the IT level should know better and deny the request, and that’s it.
And the reason this happened is likely because building a separate environment probably saved a few days work optimizing the existing one
So when Comey says there was no intent to break the law, I totally buy it. Compliance often breaks due to badly optimized systems/processes
Coming from the IT side, I don’t expect mid/upper management to get ANY of these nuances, nor would I find value in explaining it all
So it’s totally reasonable for a manager to assume that if I sign off and build it, I believe it complies with compliance regulations.
Because, well, compliance adherence over IT systems is something -I- should be responsible for. Not a manager. Or Secretary of State.
So the tl;dnr version is a complaint happened, someone put in a request to address the complaint, and IT dropped the ball on compliance.
Yes in IT you want to be helpful and provide solutions, but you MUST know how to comply with IT regulations. That’s on you, not up the chain
I’ve posited this to some friends who also work in IT, and each one of them agrees that this is likely what happened.
Badly optimized legacy systems require a ton of work to fix, IT monkey looks for a shortcut, breaks compliance rules in the process.
@LaneWinree

Related Posts

We gave you a chance…

Our formerly feral cat was diagnosed with hyperthyroid disease earlier this year. This week she went in for treatment with radioactive iodine. Now that she’s home, we have some minor safety precautions (mostly around keeping radiation out of landfills and minimizing our exposure) for the next 2 weeks.
In previous careers, both Steve and I have been licensed to work with radioactivity so we’ve been swapping stories. Today I remembered an incident recounted during training. One lab had ordered some radioisotope and then mistakenly thrown out the isotope with the packaging material. An honest, but very expensive, mistake. Part of the fix was to have all radiation orders go through a central office on campus. This office would handle the opening and recording of the material and then distributing it to the appropriate research lab. As Steve put it, “We trusted you but you messed up, so now we have to institute some controls.”
This actually is how a lot of email compliance is done, too. Companies are allowed to do what they’re going to do. If they do something bad, even by mistake, there is often a lot of expensive cleanup. After the cleanup, the network (either the ESP or ISP) puts in place processes to limit the chance of this kind of mistake in the future.
In the email space the process usually involves a couple of things. First, the sender needs to change their acquisition process. This change limits the bad addresses getting onto a list in the future. Second, the sender needs to address the bad part of their current list. This often involves purging and/or re-engaging non-responsive addresses.
The fixes are painful for everyone involved. But when cleanup is expensive, prevention is important.


Let's talk CAN SPAM

Earlier this week I posted about the increased amount of B2B spam I’m receiving. One message is not a huge deal and I just delete and move on. But many folks are using marketing automation to send a series of emails. These emails often violate CAN SPAM in one way or another.
This has been the law for 13 years now, and I find it difficult to believe marketers are still unaware of what it says. But, for the sake of argument, let’s talk about CAN SPAM.


Where do subscribers come from?

Do you know all the ways subscribers can get on your lists?
Are you sure?
I recently used the contact form belonging to a marketing company to inform them that someone had stolen my email address from their database and I was receiving spam to the address only they had.
They had an opt-out link on the form, allowing me to opt-out of personal contact and a demo of their product. But that opt-out didn’t translate to not adding me to their marketing list.
When I contacted the person who was talking with me about the address leak, he told me it was the contact form that led to my address ending up on their marketing list. I asked, just to make sure, if I did remember to check the opt-out link. He confirmed I had, but there was an oversight when they updated their contact page and there was no opt-out for marketing mail.
I believe that the majority of delivery problems for real companies that “only send mail with permission” come from these types of oversights. The biggest problem with these oversights is how long they can go on before companies notice the effect. With the overall focus on aggregate delivery statistics (complaint rates, bounces, etc.), oversights like this aren’t noticed until they cause some massive problem, like an SBL listing or a block at a major ISP.
The company involved in this most recent incident was very responsive to my contact and immediately corrected the oversight. But there are other companies that don’t notice or respond to the notifications individuals send. This leads to resentment and frustration on the part of the recipient.
Every company should have at least one person who can account for every address on their marketing list. Who is that person at your company?
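The oversight described above (a form opt-out that never reached the marketing list) and the closing question (who can account for every address?) both come down to keeping a per-address record of where an address came from and what the person actually agreed to. The following is an added example, not code from this blog or from the company in the story: a small consent ledger in Python, a "naive" list builder that reproduces the oversight, a list builder that derives membership from recorded consent, and an audit that flags every address nobody can account for. The purpose names, the `ConsentLedger` class, the `form_id` value and the sample addresses are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Purposes a person can agree to on a form. These names are this example's own.
CONTACT = "contact"       # a human replies to the inquiry
DEMO = "demo"             # a sales demo follow-up
MARKETING = "marketing"   # ongoing bulk marketing mail


@dataclass(frozen=True)
class ConsentRecord:
    address: str
    source: str                 # which form or flow produced this record
    purposes: FrozenSet[str]    # only what the person explicitly agreed to


class ConsentLedger:
    """One record per address: where it came from and what it may be used for."""

    def __init__(self) -> None:
        self.records: Dict[str, ConsentRecord] = {}

    def record_contact_form(self, address: str, contact_opt_out: bool,
                            marketing_opt_in: bool,
                            form_id: str = "contact-form") -> ConsentRecord:
        # Each checkbox maps to an explicit purpose; nothing is implied.
        purposes = set()
        if not contact_opt_out:
            purposes.update({CONTACT, DEMO})
        if marketing_opt_in:
            purposes.add(MARKETING)
        rec = ConsentRecord(address.strip().lower(), form_id, frozenset(purposes))
        self.records[rec.address] = rec
        return rec


def naive_marketing_list(submissions: List[dict]) -> List[str]:
    """The oversight from the post: every form submission lands on the
    marketing list; the marketing checkbox is never even read."""
    return [s["address"].strip().lower() for s in submissions]


def consented_marketing_list(ledger: ConsentLedger) -> List[str]:
    """Membership derived from the ledger: only addresses with MARKETING consent."""
    return sorted(a for a, r in ledger.records.items() if MARKETING in r.purposes)


def audit_marketing_list(marketing_list: List[str],
                         ledger: ConsentLedger) -> Dict[str, str]:
    """Answer 'where did this address come from?' for every list entry.
    Returns address -> problem for entries that cannot be accounted for."""
    problems: Dict[str, str] = {}
    for addr in marketing_list:
        rec = ledger.records.get(addr)
        if rec is None:
            problems[addr] = "no consent record (unknown source)"
        elif MARKETING not in rec.purposes:
            problems[addr] = f"on list without marketing consent (source: {rec.source})"
    return problems


# Constructed sample submissions; the addresses are not real.
SAMPLE_SUBMISSIONS = [
    {"address": "alice@example.com", "contact_opt_out": False, "marketing_opt_in": True},
    {"address": "Bob@Example.com",   "contact_opt_out": True,  "marketing_opt_in": False},
    {"address": "carol@example.com", "contact_opt_out": False, "marketing_opt_in": False},
]


def run_demo() -> Tuple[List[str], List[str], Dict[str, str]]:
    ledger = ConsentLedger()
    for s in SAMPLE_SUBMISSIONS:
        ledger.record_contact_form(s["address"], s["contact_opt_out"], s["marketing_opt_in"])
    naive = naive_marketing_list(SAMPLE_SUBMISSIONS)
    good = consented_marketing_list(ledger)
    # One address that arrived with no record at all (a constructed stand-in
    # for an import nobody can trace), so the audit has something to catch.
    naive.append("unknown-import@example.com")
    return naive, good, audit_marketing_list(naive, ledger)


if __name__ == "__main__":
    naive, good, problems = run_demo()
    print("naive list:    ", naive)
    print("consented list:", good)
    for addr, why in problems.items():
        print(f"cannot account for {addr}: {why}")
```

Running this shows the naive list carrying three addresses it should not (two who never ticked marketing, one with no record at all), while the consented list contains only the address whose marketing box was ticked. The audit is the piece that answers the post's question: run it against whatever list the mail system actually sends to, not against the ledger, because the two drift apart exactly when a form is changed and a checkbox is lost.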