Donald Trump Running Insecure Email Servers (theregister.co.uk)
Donald Trump has slammed Hillary Clinton for using private email servers numerous times, but it turns out his inboxes aren't that secure either. From a report on The Register: Security researcher Kevin Beaumont discovered the Trump organization uses a hopelessly outdated and insecure internet setup. Servers on the Trump Organization's domain, TrumpOrg.com, are using outdated software, run Windows Server 2003 and the built-in Internet Information Server 6 web server. Microsoft cut off support for this technology in July 2015, leaving the systems unpatched for the last 15 months. In addition, Beaumont said he'd found that emails from the Trump Organization failed to support two-factor authentication. That's particularly bad because the Trump Organization's web-based email access page relies on an outdated March 2015 build of Microsoft Exchange 2007, he says. "Windows Server 2003, IIS 6 and Exchange 2003 went end of life years ago. There are no security fixes. They don't have basics down," the UK-based researcher concludes. Beaumont's findings are based simply on inspecting publicly available information rather than actively scanning for vulnerabilities or attempting to gain access to insecure systems, a point lost on Trump supporters who have reported him to the Feds.
Trump is not the Secretary of State. He doesn't have the country's classified documents on his server.
Call me when Trump is doing this in public office using taxpayer money.
Why would Trump want to pay to secure unclassified emails?
These allegations are different from the Clinton allegations. They point to possible incompetence in maintaining a private email system, in contrast to allegations of violating government policies and regulations regarding a government official. Had Trump done something like this while working in government rather than campaigning for office, the allegations would hold more weight.
Windows 2003 is the best Windows.
He's just trying to be more transparent with his campaign. This is totally irrelevant to the campaign.
Far be it for me to defend the moron... but did the dipshit who posted this bother to consider that Trump isn't the fucking Secretary of State and it therefore doesn't fucking matter.
They already know. Most commercial airlines and the transportation industry itself use even older mainframe hardware. That is why there is still demand for Cobol.
Trump isn't the Secretary of State and doesn't handle classified documents.
UNDERSTOOD?
He couldn't decide between getting an .org or a .com domain, so he took trumporg.com?
Anyway, trumpcom.org is still available if someone has an idea of something to do with it...
$ whois trumpcom.org
NOT FOUND
>>> Last update of WHOIS database: 2016-10-19T23:47:43Z
He better get those servers secured. We wouldn't want to leak any classified documents. Hey, wait a minute... :/
What web server does Outlook Web Access use again?
The man can't even hide his bald head. If there was anything juicy to leak, you'd think they'd have already leaked it by now because it's pretty clear that he has a server that anyone could've robbed ages ago.
If you want juicy Hillary quotes, you read her FBI files or the Podesta dump. If you want juicy Trump quotes, you can just read his damn Twitter feed.
Trump is not the Secretary of State
So he automatically gets a free pass and is measured by lower standards? You must do a great job hiring people for your business. . .
Irregardless, saying our voting system is rigged without any credible evidence has invoked a kind of Godwin's law in my mind. . . For anyone who cares about our democracy, the primary goal at this point should be to make sure Trump loses by a large enough margin that any claim of a rigged election would be laughable.
Otherwise, these last couple months will seem like a VACATION compared to what is headed our way. Let's end this once and for all. . .
Sdelat' Ameriku velikoy Snova!
Does anyone really expect technical competence from someone who makes repeated references to "The cyber"? Trump's only hope, just as Hillary's only hope was, is to pick competent advisers on the subject. Considering they're both absolute retards that want magical backdoors in encryption, we're fucked either way.
In Capitalist West gov dictates cyber security to you.
Do US brands really want yet more US gov inside their networks?
In the US political orgs still have the freedom to run any hardware and software they want.
It's the US gov workers who actually have to be security aware.
"Penguins for President?" "Web server/platform combinations 2004 presidential candidates "
http://www.linuxjournal.com/ar...
In the US you still have the party political freedom to run a political campaign.
Linux, Microsoft, Apache, FreeBSD and others have all been used over the years to run great campaigns and get the voters out.
Domestic spying is now "Benign Information Gathering"
"...he'd found that emails from the Trump Organization failed to support two-factor authentication..."
How does an email support two factor authentication?
Seems like they just put out a call to be hacked:
The Trump Organisation responded to Beaumont’s criticism by putting out a statement to the media saying that its web setup is shielded behind a firewall.
The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.
If the business isn't a government regulated industry such as Medical or Financial, private companies can do whatever they want (within lawful bounds) with their private networks. As far as I know, Trump's 500 or so businesses are owned solely by him - so he has no obligations to shareholders or the SEC.
Trump and only Trump bears the entire risk for his poor IT choices. The entire American people bear the risk of Hillary's poor IT choices.
There is a big difference between the two.
So what if he is just a private citizen and doesn't even have access to (supposedly) secure government servers.
Nobody is expecting him to be using servers audited and monitored by the NSA.
They expect him to be using servers that aren't running EOL versions of Windows 2003. Because, in Trump's own words...
"I'm going to surround myself only with the best and most serious people. We want top of the line professionals."
I'm no Trump fan, but there are many reasons why him running insecure servers for his current business isn't even close to Clinton running insecure servers when she was Secretary of State.
Someone who's running for president should be adhering to higher standards than regular people, not lower ones. Trump can have crap security right now; he's a private citizen, and there's no law against it (whether or not there should be is another question). Clinton can even have crap security on her personal servers. She just needs to know when to use which one. Really it was the greatest stroke of brilliance of the entire Clinton campaign to get the media to label the whole server / classified document situation as the "e-mail scandal" because it trivializes it and hides away what actually makes it significant.
For the record I'm not voting for either one.
What are the chances that all that org's e-mail is public by tomorrow morning?
Pretty good I'd think. Lots of hacker types around who read. Wouldn't take much to crack that box.
As a SE, if the contract fell my way, I'd have them completely offline for an upgrade on an emergency basis. Let the mail back up on the secondary - assuming his admin is smart enough to have done it right.
I'd bet dinner with a friend they are cracked by morning. If Trump had a decent IT staff they would not be in this condition.
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
Trump also doesn't use email. Like, at all.
So this certainly puts a different spin on the DNC and Clinton email hacks. It certainly looks more and more like they were politically motivated. A curious child could hack this setup and yet there has been no release of documents from the Trump campaign's email servers. If it truly was about just sharing information, why would they not attack both sides? The longer it goes, the more it looks like someone (or someones) is purposely trying to influence the election with the hacks and leaks. If Wikileaks was really about just releasing information, why would they be slowly releasing the hacked emails over time before the election instead of just releasing them all at once? It's not like they scrub personal information from them, so what is the purpose of slowly dishing them out if not to keep it in the news and influence people?
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
I'd get a laugh if Trump's IT people did it on purpose, trolling for a sucker that thinks he's an easy target. What better way to get some fool to download and open a doc, and unleash a trojan horse.
Are you actually trying to make people here on Slashdot believe that it takes a state actor to hack an old IIS server?
Are you actually telling me that none of the people worried that Trump will start a nuclear war would be willing or able to dump the contents of an old IIS server if they could find anything juicy in there?
I bet someone already DID steal it and is having trouble finding anything more interesting than the stuff he puts on Twitter. I wonder if CNN will try to tell us that looking through a Trump dump is illegal if they ever get one?
Oh sure. But here are some counterpoints:
1). Trump likes to portray himself and his organization(s) as competent, "great", "fantastic", "unbelievable", and "HUUUUGGGGEEEE". An incompetently administered and badly neglected e-mail server doesn't quite align to this message;
2). During all the DNC hacking, Trump supporters have loudly proclaimed that "how the information was obtained doesn't matter". Now that they are on the receiving end of an investigation by a security researcher, they suddenly reverse course and report the security researcher to the Feds. I thought that information on political parties could be obtained by any means necessary? Or is it only by any means necessary, when it is convenient for your side? Yeah, I thought so.
3). The DNC hacking incident is particularly instructive because there are (apparently strong) indications that the hackers were Russian. Objections by Trump supporters must be viewed in light of The Donald's frequent loving and admiring comments about Vladimir Putin, so not exactly an objective objection. This time it is a known, real security researcher, doing you know, security research. And the security researcher is from a friendly country, not a frenemy/enemy. And not attempting an unauthorized penetration test. Even so, the Republicans are going wild, claiming all sorts of unlikely activities and improbable motives.
Partisans will be partisan. The Republicans lost their moral compass on the hacking incident and now that the shoe is (very slightly) on the other foot, they suddenly discovered that they don't like the attention. Not very convincing, I must say.
Anyone that has seen corporate networks knows just how crappy security is. It's been that way for over 2 decades. If you haven't noticed how bad IT security is, you either didn't care, didn't pay attention or don't really understand security.
Mathematics is either flawed or not; math doesn't tarnish or rust or break. It was either secure to begin with, or insecure all along. The only difference is that if it's insecure and new there's a chance no one knows the flaw yet and perhaps you fix it before anyone finds it. But it could be secured (eg by sufficiently advanced firewall rules), and if it's secure it's secure. On that note, I wouldn't mind reading the Trump emails if anyone has them. I'd bet either Wikileaks or the New York Times would be willing to publish Trump emails, if someone were to get them off that supposedly insecure server.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
I bet it was the Russians that did it.
Big deal. He's not the Secretary of State. He's a private citizen. He's not charged with the responsibility of protecting classified information.
Another “Barrier Breakers” employee heard from.
I'm an American. I love this country and the freedoms that we used to have.
Netcraft reports that trumporg.com is running IIS 7.5, not 6 as the article claims. Who am I to believe: a computer, or an investigative journalist attempting a hit piece?
sig: sauer
Somewhere, someone is saying this .... Jack Nicholson as the Joker
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Make no mistake. Only billion dollar corporations get to speak at a presidential debate.
NO SIG
There is no such thing as "secure" on the internet.
So what, he's been running an insecure mouth for years
If medical and financial systems are built in an insecure manner, then that is the fault of the regulators.
I've worked in both medical and financial IT fields - both jobs had annual independent and government auditors looking at the systems. If the regulators are doing their jobs - those systems would be changed or replaced.
But he has an impeccable source - James O'Keefe! Because when I'm looking for accurate reporting, and not, you know, selective editing and deliberate misrepresentation to make up a scandal out of whole cloth, I turn to James O'Keefe. Gold standard in reliable information there.
I also turn to Alex Jones for information about the Bilderberg Group, Art Bell for information about cosmology, and David Icke for information about herpetology.
"99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
and The Foval Group started all the violence at all the Trump rallies.
All the violence at all the Trump rallies? I don't think even James O'Keefe is making that claim.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
Exactly. Thread closed.
Just because he is not secretary of state does not mean that it's uninteresting that his e-mail servers are not secure.
It does bring up an interesting question: so, why are only DNC email being leaked? If the Trump servers are also insecure, why aren't we seeing leaks of them?
mailhost01.trumporg.com and mailhost02.trumporg.com are running Sendmail. Maybe his internal server is Exchange.
Irony tends to become invisible on the internet, because it's camouflaged by so much stuff from which it is indistinguishable
But if I had mod points I'd mod it troll just on general principles.
Hey, Trump has the same setup we have!
-==- Buy a Mac and leave me alone!
Oh, please. You're not being fair to Trump's supporters. Do you really expect them to understand things like information security, much less those "subtle" nuances like the role of white hat researchers?
"You've got to remember that these are just simple farmers. These are people of the land. The common clay of the new West. You know... morons."
Donald Trump has slammed Hillary Clinton for using private email servers numerous times, but it turns out, he's done something completely different and legal. So how very dare he?
Also, create connection between marketing budget of political ghouls and security researcher.
Requiem for the American Dream
There were 2 rallies in question - the one in Chicago that had to be cancelled, and another in San Jose that had that frightening scene of a small boy fleeing from a group of rioters while separated from his father. As well as that woman w/ egg on her face trying to get into the San Jose convention center. Had anything more serious happened to them, the blood would have been on the hands of the Clinton campaign
Except Hillary was a high-level government employee who had been given access to a secured government system and told that all of her official business was supposed to be handled on the secured government citizen and that anything else was a crime.
Trump is a private citizen conducting private business.
If you can't see the difference, then you are not very bright.
The Democrats in question brag that they have a team at EVERY Trump and/or Pence rally doing this stuff.
They claim credit for the Chicago rally, the one in the LA area, the one where an old lady with an O2 tank got punched (SHE was an old leftie on their payroll and trained to provoke people). They trained the agitators who were in the KKK hood and provoked a black Trump supporter to punch them. Now the most-famous three incidents of "Trump violence", which were played endlessly by ABC, CBS, NBC, MSNBC, etc. are all accounted for as Hillary and Obama violence.
These people led by a felon who was in the Obama White House nearly every week of the presidency, and met with Obama himself more often than most members of congress, are the worst trolls in our entire political system.
It leads to another set of questions:
Will the DNC and the Hillary campaign who are now known to be funding and orchestrating political violence, be willing to lie?
Are they tied to the fire-bombing of the RNC office in North Carolina several days ago?
Are they related to the robbery of another RNC office within the past 3 days?
No more whining that Trump offered to pay the legal bills for an old guy who punched back at one of these paid agitators.
Why doesn't it surprise me?
No. They haven't. Most previous SOS's did not use email at all, and what few Powell sent were preserved.
Hillary Clinton was, which makes her a hypocrite for doing the same thing within two years of that rant, and her supporters mindless sycophants for excusing it.