The State Department is just one of many examples of IT gone rogue

Much has been made of Hillary Clinton’s use of her own mail server, running out of her home. It didn’t change my opinion of her, and I don’t think it changed anyone else’s either–it just reinforces what everyone has thought of her since the early 1990s. Then, Ars Technica came forward with the bizarre case of Scott Gration, an ambassador who ran his own shadow IT shop out of a bathroom stall in Nairobi.

The money quote from Ars: “In other words, Gration was the end user from hell for an understaffed IT team.” And it concluded with, “[A]s with Clinton, Gration was the boss—and the boss got what the boss wanted.”

Indeed. And it doesn’t just happen in the government.

I still remember 15 years ago when my then-employer’s director of accounting (and self-appointed IT expert) cornered me in an elevator and told me to put a permit-all rule in the firewall so his vendor wouldn’t have any problems next week. Of course I told him I didn’t have the rights to authorize such a thing, and even if I did, the answer would be no. What happened after that, I can only speculate. Maybe he escalated and everyone said no. Maybe he escalated until he got a yes, and the person who said yes to him never ordered the change–or he did order the change and the firewall guys refused to do it. Or maybe he gave up after talking to me.

When I was a contractor in the military, from time to time I saw people ram things through by finding someone who outranked the Lt. Colonel in charge of my office, who could simply call rank on him or her. The tactic worked better with some LTCs than others, but one time, near the end of my time there, I was providing hourly status updates to a Colonel in the Marines. This was strange because I worked for the Air Force. But I did what the marine said, because every time the marine called, a few minutes later my Lt. Colonel would call and demand an update of her own. The marine was talking to her too.

And of course, everyone’s heard stories of people taking old workstations, installing Windows Server on them, plugging them in, and turning them into production servers sitting under their desks. One time I even saw someone turn a consumer-grade Emachine into a server. It just wasn’t sitting under someone’s desk–someone took the extra step of sticking it on a shelf in a server cabinet. Was it authorized to be there? I have no idea.

I guess what I’m trying to say is that these abuses–and don’t get me wrong, they are abuses–don’t just take place in the State Department. They happen anywhere and everywhere.

And I guess that’s why I just can’t get worked up about either story, though I did really snicker at the Gration story. I see this kind of stuff a lot, and don’t expect to stop seeing it any time soon.

3 thoughts on “The State Department is just one of many examples of IT gone rogue

  • March 10, 2015 at 9:36 am
    Permalink

    Dave,
    Was Clinton’s closet based server safe from ISIS hackers?
    Could our enemies have read everything that transpired between the Secretary of State and her minions?

    • March 10, 2015 at 6:25 pm
      Permalink

      That’s not a quick yes or no question so I’ll do my best, briefly.

      ISIS is really good at instilling fear and grabbing headlines and getting attention. They are not prolific hackers. And in Clinton’s day they were a much smaller organization than they are today. Russia and China were the biggest threats then, and remain the biggest threats today.

      I would feel worse about what Clinton did if the State Department’s mail servers didn’t happen to be thoroughly owned and controlled by the Russians right now (and they have been since December). That’s why the sensitive communications happens on networks designed for classified information. On unclassified networks they pretty much assume the Chinese and Russians, at the very least, are always listening. So are a host of much friendlier nations. How safe Clinton’s server was depends on how good her admins were–I don’t think we don’t know if it was a college intern who ran it or a team of professionals–but the mail server she was avoiding has known issues.

      This is a very quick answer, and it deserves more time and attention than I can give it right now, but I see worse stuff than this every week, if not several times a week. I find it elitist and amusing but it’s not anything that any security professionals I know of are talking very much about. I think we all agree it wasn’t a good idea but we see worse stuff all the time. It’s a bigger political issue than it is a security issue.

  • March 11, 2015 at 10:11 am
    Permalink

    Thanks.
    Sometimes it’s hard to separate politics from reality.

Comments are closed.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux