Background: I was quoted in the Wired piece. I made sure to emphasize that us outsiders can't say, with any certainty, whether this server was more or less secure than the State Department infrastructure. Matt Blaze, faculty at Penn, made the same point. But, alas, non-expert sensational spin won the day.[1]
With that out of the way, I suspect some HN readers might have an interest in the attribution process.
1) Find the mail servers for clintonemail.com, using DNS MX records. These days, they're run through McAfee. Back in 2010, though, the records pointed to mail.clintonemail.com. (There are a handful of services that keep those historical records, e.g. dnshistory.org.)
2) Find the IP address for mail.clintonemail.com, using DNS A records. Today, it's 64.94.172.146.[2] Back in 2010, it was 24.187.234.187.
3) Run an ARIN WHOIS on the old IP address. It's a static IP range through Optimum Online, allocated to "Eric Hoteham" at the Clinton home in Chappaqua. The surrounding IP ranges map to small businesses in the area.[3]
So, there is some nontrivial technical evidence that the email server was at the Clinton residence. But it's hardly definitive. It's possible, for instance, that the registered address is merely for billing purposes.
[1] There's even a glaring factual error in the story. It was a web hosting service offered by Network Solutions that was hacked in 2010, not their DNS service. That would've been a much bigger deal.
[2] There's still a live server at mail.clintonemail.com. It's running Windows Server 2008 R2 with a valid SSL certificate. And it appears to be colo'd at Internap. Between that and the MXLogic protection, hardly a slapdash setup.
[3] Quite a few of these records have odd contractions or typos, suggesting the misspelled name wasn't intentional.
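The three-step chain above (historical MX, then A, then ARIN WHOIS) as a small pipeline, added here as an example and not the commenter's own code. The lookups are injected as callables, so the constructed sample answers (RFC 5737 documentation addresses, invented registrant names) can be swapped for a passive-DNS client and a WHOIS/RDAP client; the `range_consistent` check and the `strength` field carry the thread's caveat that a registrant address is circumstantial evidence.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed sample answers (RFC 5737 documentation addresses), shaped like
# passive-DNS history entries and ARIN WHOIS output. Not real records.
SAMPLE_MX = {"2010": ["mail.example-mail.test"], "2015": ["mx.filter-provider.test"]}
SAMPLE_A = {
    ("mail.example-mail.test", "2010"): "192.0.2.187",
    ("mx.filter-provider.test", "2015"): "198.51.100.146",
}
SAMPLE_WHOIS = {
    "192.0.2.187": "NetRange:  192.0.2.184 - 192.0.2.191\nNetName:   ISP-STATIC-BLOCK\n"
                   "Customer:  Sample Registrant\nCity:      Sample Town\n",
    "198.51.100.146": "NetRange:  198.51.100.0 - 198.51.100.255\nNetName:   COLO-NET\n"
                      "OrgName:   Sample Colo Provider\nCity:      Sample City\n",
}

def sample_mx(domain: str, year: str) -> List[str]:
    return SAMPLE_MX[year]

def sample_a(host: str, year: str) -> str:
    return SAMPLE_A[(host, year)]

def sample_whois(ip: str) -> str:
    return SAMPLE_WHOIS[ip]

def parse_whois(text: str) -> Dict[str, str]:
    """Collect ARIN-style 'Key: value' lines; the first occurrence of a key wins."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def ip_in_netrange(ip: str, netrange: str) -> bool:
    """Sanity check that the WHOIS answer covers the block that actually holds ip."""
    lo, hi = (ipaddress.ip_address(s.strip()) for s in netrange.split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi

def attribute(domain: str, year: str, mx_lookup: Callable, a_lookup: Callable,
              whois_lookup: Callable) -> List[Dict[str, object]]:
    findings = []
    for host in mx_lookup(domain, year):            # 1) MX hosts for that year
        ip = a_lookup(host, year)                   # 2) A record of the MX host
        rec = parse_whois(whois_lookup(ip))         # 3) ARIN WHOIS on the address
        findings.append({
            "mx": host, "ip": ip, "netname": rec.get("NetName", "?"),
            "registrant": rec.get("Customer") or rec.get("OrgName", "?"),
            "city": rec.get("City", "?"),
            "range_consistent": ip_in_netrange(ip, rec.get("NetRange", "0.0.0.0 - 0.0.0.0")),
            # the thread's caveat: a registrant address may only be a billing address
            "strength": "circumstantial",
        })
    return findings
```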
Thank you. That's certainly more compelling than the AP story talking about how her "private email server was reconfigured". Given the language used, Occam's Razor was definitely leaning towards reporter misinterpreted what was said.
Wow, lame reporting by Wired. The author obviously wanted to run a negative piece, so he cherrypicked his sources.
Both computer security experts he talked to--seriously, experts, Matt Blaze and Jonathan Mayer do great work--explained that this isn't necessarily insecure. But most of the story belongs to this whining Soghoian guy from ACLU, who doesn't appear to be a computer scientist, software engineer, or even IT admin.
When did the server make the switch between the two IPs? According to the internet census data gathered in 2012 the 24.187.234.187 address had the following ports open (note SMTP and RDP):