Hillary Clinton Used BleachBit To Wipe Emails

An anonymous reader quotes a report from Neowin: The open-source disk cleaning application, BleachBit, got quite a decent ad pitch from the world of politics after it was revealed lawyers of the presidential hopeful, Hillary Clinton, used the software to wipe her email servers. Clinton is currently in hot water, being accused of using private servers for storing sensitive emails. "[South Carolina Representative, Trey Gowdy, spoke to Fox News about Hillary Clinton's lawyers using BleachBit to wipe the private servers. He said:] 'She and her lawyers had those emails deleted. And they didn't just push the delete button; they had them deleted where even God can't read them. They were using something called BleachBit. You don't use BleachBit for yoga emails or bridesmaids emails. When you're using BleachBit, it is something you really do not want the world to see.'" Two of the main features that are listed on the BleachBit website include "Shred files to hide their contents and prevent data recovery," and "Overwrite free disk space to hide previously deleted files." These two features would make it pretty difficult for anyone trying to recover the deleted emails. Slashdot reader ahziem adds: The IT team for presidential candidate Hillary Clinton used the open source cleaning software BleachBit to wipe systems "so even God couldn't read them," according to South Carolina Rep. Trey Gowdy on Fox News. His comments on the "drastic cyber-measure" were in response to the question of whether emails on her private Microsoft Exchange Server were simply about "yoga and wedding plans." Perhaps Clinton's team used an open-source application because, unlike proprietary applications, it can be audited, like for backdoors. In response to the Edward Snowden leaks in 2013, privacy expert Bruce Schneier advised in an article in which he stated he also uses BleachBit, "Closed-source software is easier for the NSA to backdoor than open-source software." Ironically, Schneier was writing to a non-governmental audience. Have any Slashdotters had any experience with BleachBit? Specifically, have you used it for erasing "yoga emails" or "bridesmaids emails?"

Too secure for insecure?

[dirk]

I really can't find something to bitch about here. Sure, Clinton sucks, but the big knock against her and her email server was that she wasn't secure enough with it. Then, when she does do something secure, the knock is "See, she is so secure she must be hiding something!" Sorry, you can't bitch when she isn't secure and then bitch when she is. Was she hiding stuff? Most probably, since all politicians are. Do I trust her? Not a chance. But you can't set up a now in scenario as your reason for not liking her. You can't bitch about insecurity and then bitch about too much security at the same time.

Re:Too secure for insecure?

All indications are she wasn't very careful while actively using the server. However, once she started getting requests to produce data from it, then she suddenly got very careful. Even if she did do nothing wrong, that is a very stark change in behavior that just happened to coincide with legal requests to hand over data.

Re:Too secure for insecure?

[NotInHere]

The wiping just means that she is very secure from her own state interfering with her. But it doesn't say anything about how easy it was for third party states to gain information from her email server before it was wiped. So her servers might be secure from the justice system, but not secure from third parties. Both these aspects are how it shouldn't be.

Re:Too secure for insecure?

What about the Freedom of Information Act? Don't secretary of state emails have to be archived?

The big knock against her email server is that any other state employee that ran such a thing would be locked up in jail.

Re:Too secure for insecure?

[laing]

In the eyes of the law (courts), spoliation of evidence is equivalent to guilt, but perhaps to a lessor degree.

Re:Too secure for insecure?

[cahuenga]

Sure, Clinton sucks, but the big knock against her and her email server was that she wasn't secure enough with it.

My quibble was the blatant arrogance of the act. That private server was clearly a move to preserve final editing rights of her tenure at the State Department and evade any future FOIA requests that may crop up during her next run for the presidency; and was there ever any doubt that she would run again? The fact that she thought she could get away with it after experiencing the fallout from the exact same move by members of the Bush administration while she was a sitting Senator in Washington reinforces the feeling that her arrogance knows no bounds. She took a page out of the neocon playbook and figured she would show them how it's done.

Re:Too secure for insecure?

[whoever57]

account != server.

This is even worse. They did not use a private server, they used a server run by some unknown third party. There is even less control of the security of those emails than the emails on Clinon's server.

Georgia Godfrey, Rice's chief of staff at Stanford University's Hoover Institution, said the former secretary of state did not use email while in the job nor have a personal email account.

LOL. Does anyone believe that? Not even a private email account in 2009? Really?

Re:Too secure for insecure?

[Etcetera]

It does not count if Congress declares any one of these emails classified after the fact for political effect.

You're begging the question here. Information is classified based on the content, markings are irrelevant. There's explicitly statutory language that indicates that someone who Should Know that data involved Should Be classified should be treating it as classified, *regardless* of any markings or lack thereof.

Joe Blow on the street may not know that certain info is classified and might pass it along. The Secretary of State is expected to know that something is classified information and has a duty to take care of it responsible. That's something you're "read into" before you ever receive any clearance at all.

If the emails are considered classified retroactively, then someone in her position should have realized they contained sensitive data. Nothing is being classified "for political effect"... and if something is, then that's a scandal in and of itself.

Re:Too secure for insecure?

[tsotha]

Destruction of evidence is itself a crime. The difficulty is always in proving that's what happened - by definition you're missing a key piece of evidence.

Re:Too secure for insecure?

[kenai_alpenglow]

The FBI found the "key piece(s)". Comey then said "No prosecutor would pursue this case" and dropped it. He was probably right--but only because of her last name. If I did that, I might get out after 5 years or so. Heck, one of my counterparts got in trouble for a single line in a controlled document which had the same info in the public domain. I'm sick of these "Nothing to see here" claims--just look at any security briefing and it's spelled out. We just had another one, and according to it I would be required to report her if she was in my office.

Re:Too secure for insecure?

[Nostalgia4Infinity]

Please state the part of the law on improperly transmitted classified information that talks about ratio of classified material to non classified material.

Re:Too secure for insecure?

[khallow]

I like how the argument has devolved here to "If Bush did it, then it's ok". PopeRatzo, is Dubya really your moral compass? Your guiding light?

Re:Too secure for insecure?

[jeff4747]

either the emails were classified or not when they were stored or sent from the private server.

According to the DNI, the FBI, the DoJ and the State Department IG, they were classified. Not even the Clinton campaign is pushing classified-after-the-fact anymore.

It does not count if Congress declares any one of these emails classified after the fact for political effect.

Congress has no say in what is classified.

In 1947, they couldn't figure out how to create a unified classification system. So they passed a law which basically said "Hey Executive branch! You come up with it". Thus, the Executive branch gets to decide what is and is not classified. And it's codified in a series of Executive Orders and classification guides.

This is why the whole email "scandal" is much ado about nothing.

Says the person who thinks Congress classifies documents at all, much less after-the-fact.

Those of us who had security clearances know we'd be in prison if we did this. In fact, several people are in prison for negligently handling classified information. But they had the misfortune of not running for president at the time.

Re:Too secure for insecure?

[RoccamOccam]

Comey spent hours in front of Congress explaining, very patiently, over and over, that the reason he could not recommend prosecution against Clinton is because all of the suspected crimes required proof of intent, which the FBI did not have.

Transcript of Gowdy questioning Comey. Lots of context, but note the bolded section:

Gowdy: Secretary Clinton said "I did not e-mail any classified information to anyone on my e-mail there was no classified material." That is true?

Comey: There was classified information emailed.

Gowdy: Secretary Clinton used one device, was that true?

Comey: She used multiple devices during the four years of her term as Secretary of State.

Gowdy: Secretary Clinton said all work related emails were returned to the State Department. Was that true?

Comey: No. We found work related email, thousands, that were not returned.

Gowdy: Secretary Clinton said neither she or anyone else deleted work related emails from her personal account.

Comey: That's a harder one to answer. We found traces of work related emails in — on devices or in space. Whether they were deleted or when a server was changed out something happened to them, there's no doubt that the work related emails that were removed electronically from the email system.

Gowdy: Secretary Clinton said her lawyers read every one of the emails and were overly inclusive. Did her lawyers read the email content individually?

Comey: No.

Gowdy: Well, in the interest of time and because I have a plane to catch tomorrow afternoon, I'm not going to go through any more of the false statements but I am going to ask you to put on your old hat. False exculpatory statements are used for what?

Comey: Well, either for a substantive prosecution or evidence of intent in a criminal prosecution.

Gowdy: Exactly. Intent and consciousness of guilt, right?

Comey: That is right?

Gowdy: Consciousness of guilt and intent? In your old job you would prove intent as you referenced by showing the jury evidence of a complex scheme that was designed for the very purpose of concealing the public record and you would be arguing in addition to concealment the destruction that you and i just talked about or certainly the failure to preserve. You would argue all of that under the heading of content. You would also — intent. You would also be arguing the pervasiveness of the scheme when it started, when it ended and the number of emails whether They were originally classified or of classified under the heading of intent. You would also, probably, under common scheme or plan, argue the burn bags of daily calendar entries or the missing daily calendar entries as a common scheme or plan to conceal.
Two days ago, Director, you said a reasonable person in her position should have known a private email was no place to send and receive classified information. You're right. An average person does know not to do that.
This is no average person. This is a former First Lady, a former United States senator, and a former Secretary of State that the president now contends is the most competent, qualified person to be president since Jefferson. He didn't say that in '08 but says it now.
She affirmatively rejected efforts to give her a state.gov account, kept the private emails for almost two years and only turned them over to Congress because we found out she had a private email account.
So you have a rogue email system set up before she took the oath of office, thousands of what we now know to be classified emails, some of which were classified at the time. One of her more frequent email comrades was hacked and you don't know whether or not she was.
And this scheme took place over a long period of time and resulted in the destruction of public reco

Former DoD sysad

[OffTheLip]

I used DBAN routinely in 7 wipe mode. I'd be surprised had she not chosen something like that in spite of the cloth remark.

Re:Former DoD sysad

[TykeClone]

BleachBit's new tagline: "We're the dustcloth for the DNC!"

Never that specific program

[ArtemaOne]

But any time you stop using a hard drive you should clean it. I have probably 6 hard drives on a shelf in my house because I've replaced them with larger or faster drives. Each one has had the free space randomized twice and then set to all zeros afterward. Bank info, taxes, official (unclassified) work files, all of those have been on them in some variety at some points, and if they are ever disposed, I don't want any of that to be easily recoverable. I have never used it to destroy evidence when it was requested by investigators, as I am not a wealthy and powerful person, I would end up incriminating myself by doing so.

I don't have any yoga emails ....

[King_TJ]

But I can say that something like this isn't too surprising, assuming you hired a lawyer with a brain in his/her head. They really like the idea of deleting evidence that could be used against you in a court of law, if they're hired to work FOR you.

This is why businesses are being pushed to start purging all of their employee's email on a regular basis. They want to preserve that plausible deniability and ensure some former employee didn't say something in a company email you weren't aware of that winds up costing you $'s in a lawsuit.

If this is an attempt to discuss if Clinton is guilty of anything or not with running her own private mail server? I think the answer to that is really pretty obvious.... Yes, of course she is. If any of us worked for an employer who provided us with a company email system for use with company-related things and we just decided to conduct business via our personal Gmail accounts, or some home-brew Linux server? How long do you think we'd stay employed there once that was realized? In a case like hers, it's only magnified as a problem because we KNOW she was allowed to handle classified content in her mail. So the hunt is on to prove she actually possessed some of that on this unofficial server. And if her lawyers did their jobs properly, there won't be much concrete proof that she did so, or at least that she ever accessed it once it was sent out. That doesn't make her less guilty though .... just smart enough to dodge some legal repercussions for her behavior.

Re:Responsible?

[Triklyn]

no, the responsible thing to do is to turn it over to the justice department and let them fucking shred it.

Re:Responsible?

[GerryGilmore]

Let me try. First, her entire purpose in having said private email server was explicitly to protect her privacy - something she is very sensitive about. The issue, and what separates her situation from that of Colin Powell, is that she used that server for both personal and official email exchanges. This defies both basic common sense and several applicable federal laws - laws which were *NOT* part of the recently concluded FBI investigation. That investigation was about the content of the emails and their classification, NOT - again - the real violation of law and common sense. Bottom line is that her credibility is in question because of a series of actions, all attributable to her paranoia and penchant for secrecy.

Not responsible - it's a crime.

[zerofoo]

Hillary Clinton co-mingled personal and official government communications on her private email server. All of those communications are subject to the Federal Records Act and the Freedom of Information Act.

Her personal emails ceased to be personal when she co-mingled them with official government communications. HRC and her lawyers were not authorized to decide what is relevant to FRA and FOIA and what is not.

HRC and her lawyers deleted 30,000 or so emails that are not recoverable - therefore she is in violation of both the FRA and FOIA.

HRC should be, at the very least, in front of a jury to answer for her actions.

Re:Responsible?

[Triklyn]

we're also not the ones who mixed her personal and professional lives. she is.

she's the public face of the state department, which has policies in place to make sure that their correspondence are both secure and archived... so people can go back and look into them to make sure everything is aboveboard.

she sacrificed her right to privacy on her private correspondence when she conducted professional business on the same server.

i don't want to see her fucking wedding photos, but i want someone to make sure that she wasn't selling access to the office of the secretary of state of the united states. and if someone with clearance in the justice department needs to comb through 4 years of "private" emails to make sure, then she has only herself to blame.

Re:Deflection

[OhPlz]

I can't believe her campaign signs are "4 her" and not "4 us". Pretty much says everything you need to know. There are laws 4 us, and there are special exceptions to those laws 4 her.

Powell is not the prototype !

Powell used an aol account.
He did NOT put a private server in his house!

Same for Rice. Powell used it for non-state NON-classified business.

Hillary has lied so many times about this server, is is clear to any hones observer that she was hiding activities of corruption with the Clinton foundation and did not want FOIA to discover her activities.

Hillary was supposed to have government archivists sort through the mails, not her personal attorneys. That was a violation of the federal records act.

She had classified information on the server, despite assertions that she did not- caught in another lie.
She said all work related mails were turned over. Another lie- the FBI found thousands of work related mails not turned over, including classified.

Re:Decommissioning servers

[sexconker]

Did you run shred on a server after the FBI said it wanted the data on it?

Lies

Yes it does, read the laws. There is a Navy person who facing 20 years to life for disposing of a phone which had his picture while inside the sub. That is one of the more extreme cases, but it's literally a Web Search to prove you are wrong (shill?) Intent comes in to play _only_ for the penalty.

Re:More political redirection

This isn't mud slinging. This is technology news about obfuscating forensic evidence in practice on a technology website.

Your statement is mudslinging.

Whether the secure wipe was used as a simple matter of Best Practice, or was done for Nefarious reasons, is not known. So when the article makes judgements such as "When you're using BleachBit, it is something you really do not want the world to see." it becomes a political mudslinging story.
I don't personally use this software, but I personally always securely wipe any drive which I'm done using. Even if there's nothing on there, even if it only contains "yoga emails" or etc.

The disturbing thing to me is that this article is all but using the "If you have nothing to hide, you wouldn't use secure wipe methods" line of bullshit. Using strong encryption, secure wipe software, etc. should not be allowed to be seen as a "shady" or "suspicious" activity- it should rather be seen as the Intelligent and Normal way of doing things.

Re:Really

[Wraithlyn]

No.

You're in this shit because the FPTP electoral college system makes a two party lock-in inevitable.

• - Nearly 1 in 5 Americans voted for Ross Perot in 1992, and didn't receive any representation in government whatsoever.

• - The last time a "third party" gained traction was 1860, with Lincoln's Republicans. There is a reason it hasn't happened since.

The system is broken. And the two-party duopoly has no interest in fixing it.

I'm sorry but acting like things would get better "if only more people voted for better candidates" is a hopelessly naive pipe dream. That requires viable 3rd party candidates, and the US system makes that effectively impossible.

So I'm afraid I must repeat (and I take no pleasure in saying this, believe me) your only three options this election are Trump, Clinton, or throwing your vote away.

Of course Clinton is horrible. But would you prefer Trump?

Re:More political redirection

[meerling]

I know a rather large number of people that use secure delete or wipe tools.
It may be considered strange by computer neophytes and people that don't work with government computer systems, but it's pretty common for techies and government computer people with security clearance required jobs to employ that kind of software.
I guess the people that are making accusations over that are either ignorant, or disingenuous.

You're being willfully ignorant

1. She put classified info on a private unsecured server where it was vulnerable, contrary to the law which she was fully advised of upon taking office.
2. She did all her work through that server, hiding it from all 3 government branches (congressional oversight, executive oversight, and the courts) and public FOIA requests.
3. When the material was sought by the courts and congress, she and the state department people lied under oath claiming the material did not exist (perhaps Nixon cronies should have all lied about tapes existing).
4. After her people knew the material was being sought, the server's files were transferred (by private IT people w/o clearances) to her lawyers (no clearances).
5. She and her lawyers deleted over 30000 e-mails, claiming they were only about yoga and her daughter's wedding dress (Nixon cut a few minutes of tape).
6. They then wiped the files with bit bleach (a step not needed for yoga or wedding dress e-mails). (Nixon did not degauss all his tapes)
7. They handed the wiped server to the FBI, and hillary publicly played ignorant with her "with a CLOTH?" comment (absolute iin-you-face arrogance against the rule of law) (Nixon did not hand tape recorders with erased tapes to the FBI)
Prove you are sincere, and not a total unprincipled partisan hack:
Are you a Nixon supporter?
Would you accept this behavior from Donald Trump or Dick Cheney?

Backup appliance and server have all emails

Hillary Clinton's IT guy purchased an MS Exchange hosting contract from Platte River. The standard package came with a periodic backup to a Datto appliance, which takes snapshots of the Windows disk image several times a day. The appliance copies the snapshot to Datto's data center in real time. You can erase or even destroy the Windows machine drives and still use the snapshots to restore the disks to the snapshot of the time and date of your chosing.

The FBI confiscated the appliance from Platte River and seized the server from Datto. They have all the emails she sent and received since the start of her State Department tenure.

Re:More political redirection

A: "But anyone could hack in and see her emails, it's totally unsecure!"
B: "She used BleachBit."
A: "That proves she had something to hide!"

Being that Clinton didn't give a damn about securing the physical server and didn't give a damn about securing the messages sent through the server, it seems strange that she suddenly cares about security practices when deleting e-mail messages about yoga classes.

Oh, did I mention that deleting the e-mail messages would be considered an obstruction of justice if it were done by a typical citizen?

Re:More political redirection

[AthanasiusKircher]

I guess the people that are making accusations over that are either ignorant, or disingenuous.

Here's the problem -- Clinton deleted these emails AFTER they were requested from the House as part of an official investigation. She chose to print out everything she claimed was relevant (probably to avoid giving away metadata in headers, etc.) and then effectively "burned" the server, including (by her lawyer's own admission) tens of thousands of messages.

FBI investigations have now come up with thousands of emails which were NOT turned over in that paper dump. How many could have been part of those that were deleted and then lost when the server was wiped? We'll never know. Many of them were likely deleted in error, with her lawyers not realizing which ones should have been retained as they were going through tens of thousands of documents. But were ALL of these official state department emails recovered by the FBI (now 15,000+) deleted "in error"?

That's what's troubling about all of this. We have no way of knowing whether there may have been significant spoliation of evidence here (that's the legal term for intentionally, recklessly, or negligently destroying evidence). If this were a corporation who had been issued a subpoena and they acted in this manner, and it was later proven that they "lost" over ten thousand relevant documents in the process of their destruction of "irrelevant" documents, they would likely face significant legal sanctions, perhaps even criminal charges.

Legally, the safe course in this instance would have been to put the server in a secure location with legal supervision by Clinton's counsel until the matter could be resolved. Clinton's use of BleachBit is not surprising here -- not because it's proper protocol to delete secure information, but because it's the only reasonable way to delete potentially incriminating evidence of spoliation (even if most of it was accidental or whatever). If they hadn't used a very secure deletion protocol, then Clinton's attorneys would have been doing a VERY poor job at protecting her legally.

Personally, I'm not sure it's likely there was any "evil memo" buried among the State Department correspondence that could prove anything. (And if there were, I'm not convinced Clinton realized it.) On the other hand, I'm sure she had a bunch of private email dealings that she wouldn't want to get out -- if for nothing else then for bad public relations. Hence the destruction of everything on the server -- it's in line with the privacy paranoia that likely caused her to set up the server in the first place. But could there have been worse stuff there too? Maybe. Doesn't seem like we'll ever know, though, does it?