Security Politics

Donald Trump Running Insecure Email Servers (theregister.co.uk) 445

Donald Trump has slammed Hillary Clinton for using private email servers numerous times, but it turns out his inboxes aren't that secure either. From a report on The Register: Security researcher Kevin Beaumont discovered the Trump organization uses a hopelessly outdated and insecure internet setup. Servers on the Trump Organization's domain, TrumpOrg.com, are using outdated software, run Windows Server 2003 and the built-in Internet Information Server 6 web server. Microsoft cut off support for this technology in July 2015, leaving the systems unpatched for the last 15 months. In addition, Beaumont said he'd found that emails from the Trump Organization failed to support two-factor authentication. That's particularly bad because the Trump Organization's web-based email access page relies on an outdated March 2015 build of Microsoft Exchange 2007, he says. "Windows Server 2003, IIS 6 and Exchange 2003 went end of life years ago. There are no security fixes. They don't have basics down," the UK-based researcher concludes. Beaumont's findings are based simply on inspecting publicly available information rather than actively scanning for vulnerabilities or attempting to gain access to insecure systems, a point lost on Trump supporters who have reported him to the Feds.
This discussion has been archived. No new comments can be posted.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday October 19, 2016 @06:32PM (#53111253)
    Comment removed based on user account deletion
    • Re:But . . . (Score:5, Insightful)

      by Anonymous Coward on Wednesday October 19, 2016 @06:35PM (#53111271)

      Exactly. Thread closed.

      • Depends on where his classified security briefings as a presidential candidate go...
        • Re: But . . . (Score:5, Informative)

          by Ken Hansen ( 3612047 ) on Thursday October 20, 2016 @01:21AM (#53113139)
          His National Security briefings are received in-person, not presented as emailed PPT presentations... You know, once upon a time it was considered a good security technique to change the identity signatures of your server to mislead would-be hackers. I'm not saying that Trump's IT team did this, but the basis of this 'report' is that someone, without ever attempting to hack into the servers, used 'public records' to determine he was running Windows Server 2003 & IIS 6. I find it hard to believe it never occurred to anyone to try and hack into his servers, or if it did occur to them that they were found to be impenetrable... Bottom line, a lazy reporter extrapolated a story out of a few server identification response strings. Wow.
      • As Sonny and Cher once sang, "the thread goes on..."

      • Re:But . . . (Score:4, Insightful)

        by AmiMoJo ( 196126 ) on Thursday October 20, 2016 @06:40AM (#53113883) Homepage Journal

        It shows that he is at least as incompetent as she is. In fact it's part of a pattern of behaviour, where he claims to have the best people but it turns out to be untrue, e.g. Trump University.

        It's also rather interesting that the Russians or whoever hacked the DNC looking to weaken their campaign, but didn't hack him even though they easily could have. Or more likely they did, but didn't release the stolen data.

      • Not uninteresting (Score:4, Insightful)

        by XXongo ( 3986865 ) on Thursday October 20, 2016 @08:32AM (#53114377) Homepage

        Exactly. Thread closed.

        Just because he is not secretary of state does not mean that it's uninteresting that his e-mail servers are not secure.

        It does bring up an interesting question: so, why are only DNC emails being leaked? If the Trump servers are also insecure, why aren't we seeing leaks of them?

    • by baomike ( 143457 )

      There may not be any documents on his server if someone so decides.

    • Re:But . . . (Score:5, Insightful)

      by Software ( 179033 ) on Wednesday October 19, 2016 @06:43PM (#53111355) Journal
      One of Trump's frequent arguments is that he's so much better than Clinton because he "hires the best people." This story puts the lie to that.
      • He may still have hired the best people but did he license the best software? Apparently not.

      • This story puts the lie to that.

        Does it? Or maybe he hired people who were smart enough to obfuscate the identity of a server by claiming it's something else. Or do you believe that neither were people trying to hack trump, nor could they figure out how to break IIS 6 on an obsolete unsupported OS? /Posted from Mosaic 2 running Windows 95. Honest.

    • Re:But . . . (Score:5, Insightful)

      by Anonymous Coward on Wednesday October 19, 2016 @06:49PM (#53111413)

      Exactly right. This article REEKS of whiny liberal finger pointing. When he's Secretary of State and hides an email server in his bathroom at his house, then you have a scandal. Kevin Beaumont comes off like a juvenile, as do the author and anyone citing this "article" as some kind of "gotcha" moment.

      But liberals, who claim keeping a server in your bathroom closet when you're the Secretary of State is a "non issue", will undoubtedly continue to show their hypocrisy with this.

    • Also (Score:3, Funny)

      by Xenographic ( 557057 )

      The man can't even hide his bald head. If there was anything juicy to leak, you'd think they'd have already leaked it by now because it's pretty clear that he has a server that anyone could've robbed ages ago.

      If you want juicy Hillary quotes, you read her FBI files or the Podesta dump. If you want juicy Trump quotes, you can just read his damn Twitter feed.

      • Ah but the Putin State paid hackers (Fancy Bear) weren't unleashed on the Trump organization.

        • by Xenographic ( 557057 ) on Wednesday October 19, 2016 @08:14PM (#53111989) Journal

          Are you actually trying to make people here on Slashdot believe that it takes a state actor to hack an old IIS server?

          Are you actually telling me that none of the people worried that Trump will start a nuclear war would be willing or able to dump the contents of an old IIS server if they could find anything juicy in there?

          I bet someone already DID steal it and are having trouble finding anything more interesting than the stuff he puts on Twitter. I wonder if CNN will try to tell us that looking through a Trump dump is illegal if they ever get one?

    • by wardk ( 3037 )

      He has been receiving security briefings. I have been hearing lots of people say that he's emailing himself details of all the fabulous tremendously important secret knowledge, you would not believe.

    • Trump is not the Secretary of State

      So he automatically gets a free pass and is measured by lower standards? You must do a great job hiring people for your business. . .

      Irregardless, saying our voting system is rigged without any credible evidence has invoked a kind of Godwin's law in my mind. . . For anyone who cares about our democracy, the primary goal at this point should be to make sure Trump loses by a large enough margin that any claim of a rigged election would be laughable.

      Otherwise, these last couple months will seem like a VA

    • Re:But . . . (Score:5, Insightful)

      by unixisc ( 2429386 ) on Wednesday October 19, 2016 @07:22PM (#53111677)

      Trump is not the Secretary of State. He doesn't have the country's classified documents on his server.

      Precisely! It's not like Trump has overridden the State Department and insisted on substituting their secure servers for his insecure ones. It just happens that his organization uses servers that it bought way back 12 years ago, and didn't consider it worthwhile getting onto the Microsoft upgrade treadmill. Can't say that I would fault them.

      But they might do well to look into migrating to either Linux or one of the BSDs, so that this is not an issue going forward

      • you can't fault him/them??

        seriously?

        public facing email servers that run OLD MS software and it's 'not a big deal'?

        what planet do you live on? because here on earth, it IS a big deal.

        it shows he does not care (his people, that is) or they are short-changed funding (that's worth noting) and attention to detail is not something his org values (also worth noting).

        all this matters. it's a statement about his management and what his people (that he hires) care about; or even worse, are ABLE to understand enough

        • you can't fault him/them??

          seriously?

          public facing email servers that run OLD MS software and it's 'not a big deal'?

          what planet do you live on? because here on earth, it IS a big deal.

          it shows he does not care (his people, that is) or they are short-changed funding (that's worth noting) and attention to detail is not something his org values (also worth noting).

          all this matters. it's a statement about his management and what his people (that he hires) care about; or even worse, are ABLE to understand enough to care about.

          the guy has more money than anyone would ever need, and yet he cheaps out on software updates on PUBLIC FACING SERVERS.

          stupid. beyond stupid. it's actually reckless.

          NOT THE KIND OF GUY I WANT RUNNING MY COUNTRY.

          yes, this detail does matter. especially when he's so fond of throwing dirt on other peoples' mistakes.

          Of course I don't fault them. You are looking at it as a techie - someone who knows plenty about server OSs. His staff may not be that type at all. They may have thought - okay, we paid $$$ for this server in 2003, and it's still working fine for our emails, web server and so on, so why change? You're assuming a lot about what they know, and then projecting your biases against him and staff.

          And GP is right. He's not running the State Department. Private citizens or businesses are at full liberty to

      • Precisely! It's not like Trump has overridden the State Department and insisted on substituting their secure servers for his insecure ones.

        No-one is pretending that Trump's email is as important as the Secretary of State, but it makes his claims a little weak when he is guilty of similar things.

    • by guruevi ( 827432 )

      Additionally it's not illegal for Trump to run a private e-mail server, let alone a bad one. The media is glossing over a lot of the facts lately. It's sad that FoxNews has actually become 'fair and balanced' and for GOP-slanted news you have to go over to something like Infowars.

    • Trumporg.com redirects to trump.com - what does trump.com run on? BTW, trumporg.com is NOT his campaign website - it's a brochure web site with very little else on it and appears to be hosted on cloudflare-nginx web servers.
      • nginx - isn't this the web server for the BSDs? In which case, it seems to me that it's very secure. Are they running the Windows Server 2003 in the cloud, under this environment?
  • by MacTO ( 1161105 ) on Wednesday October 19, 2016 @06:37PM (#53111293)

    These allegations are different from the Clinton allegations. They point to possible incompetence in maintaining a private email system, in contrast to allegations of violating government policies and regulations regarding a government official. Had Trump done something like this while working in government rather than campaigning for office, the allegations would hold more weight.

    • by dbIII ( 701233 )
      The point is him being caught out with "do as I say not as I do".
      The character flaw is being discussed not the overdone issue of a fuckup with email procedure that Hillary, Powell, Rice and many others saw as beneath their notice (also a character flaw - one Trump shares - rules for the workers don't apply to the boss).
  • by Type44Q ( 1233630 ) on Wednesday October 19, 2016 @06:38PM (#53111301)
    Far be it for me to defend the moron... but did the dipshit who posted this bother to consider that Trump isn't the fucking Secretary of State and it therefore doesn't fucking matter.
  • by rduke15 ( 721841 ) <(rduke15) (at) (gmail.com)> on Wednesday October 19, 2016 @06:51PM (#53111437)

    He couldn't decide between getting an .org or a .com domain, so he took trumporg.com?
    Anyway, trumpcom.org is still available if someone has an idea of something to do with it...

    $ whois trumpcom.org
    NOT FOUND
    >>> Last update of WHOIS database: 2016-10-19T23:47:43Z

    • Re:trumporg.com? (Score:4, Insightful)

      by ScentCone ( 795499 ) on Wednesday October 19, 2016 @07:19PM (#53111663)

      He couldn't decide between getting an .org or a .com domain, so he took trumporg.com?

      He is involved in several hundred business ventures and holdings. Collectively, those companies are and have for a long time been referred to as "The Trump Organization." And it's a business, so a .com domain of a shortened version of his company's familiar name makes sense. All of which you know, so the question is why you're pretending to be dumb so you can toss out some lame, faux-misinformed ridicule in hopes of scoring a couple of pointless points with low information readers.

  • by galabar ( 518411 ) on Wednesday October 19, 2016 @06:52PM (#53111443)
    He better get those servers secured. We wouldn't want to leak any classified documents. Hey, wait a minute... :/
  • Does anyone really expect technical competence from someone who makes repeated references to "The cyber"? Trump's only hope, just as Hillary's only hope was, is to pick competent advisers on the subject. Considering they're both absolute retards that want magical backdoors in encryption, we're fucked either way.
    • by JustNiz ( 692889 )

      >> Does anyone really expect technical competence from

      Dude of course not, but it doesn't matter, that's common-or-garden technical expertise that he could and should hire, rather than learn himself. It's not like Trump is ever going to be wasting time configuring/administering his own server, just like he's not going to be repairing his own cars.

      Whatever incompetent muppet is being paid to set up/run that shit for him should be pretty fucking embarrassed though. If I was Trump I'd have already fired th

  • In Capitalist West gov dictates cyber security to you.
    Do US brands really want yet more US gov inside their networks?
    In the US political orgs still have the freedom to run any hardware and software they want.
    It's the US gov workers who actually have to be security aware.
    "Penguins for President?" "Web server/platform combinations 2004 presidential candidates "
    http://www.linuxjournal.com/ar... [linuxjournal.com]
    In the US you still have the party political freedom to run a political campaign.
    Linux, Microsoft, Apache, Free
  • "...he'd found that emails from the Trump Organization failed to support two-factor authentication..."

    How does an email support two factor authentication?

    • If you have to ask you don't understand it.

      • Webmail, as in a site to get your email, can support two-factor authentication. But the summary says that emails failed to support two-factor authentication. Email, by itself, doesn't have any authentication, single or two factor.

  • by hawguy ( 1600213 ) on Wednesday October 19, 2016 @07:17PM (#53111649)

    Seems like they just put out a call to be hacked:

    The Trump Organisation responded to Beaumont’s criticism by putting out a statement to the media saying that its web setup is shielded behind a firewall.

    The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.

    • I'm pretty sure Clinton activists have been trying to hack him since the day he indicated he was interested in running for President. You'd think they'd leak anything embarrassing they might have found -- unless they completely failed.
  • Comment removed based on user account deletion
  • I'm no Trump fan, but there are many reasons why him running insecure servers for his current business isn't even close to Clinton running insecure servers when she was Secretary of State.

    • When Secretary of State, Clinton was theoretically subject to Freedom of Information Act requests on all her communications. By using a private server, she deliberately sidestepped this pesky requirement to enable the commoners to learn what the elite ruling class were discussing.
    • She repeatedly sent classified e-mails
  • What are the chances that all that org's e-mail is public by tomorrow morning?

    Pretty good I'd think. Lots of hacker types around who read. Wouldn't take much to crack that box.

    As a SE, if the contract fell my way, I'd have them completely offline for an upgrade on an emergency basis. Let the mail backup on the secondary- assuming his admin is smart enough to have done it right.

    I'd bet dinner with a friend they are cracked by morning. If Trump had a decent IT staff they would not be in this condition.

  • by dirk ( 87083 ) <dirk@one.net> on Wednesday October 19, 2016 @07:49PM (#53111865) Homepage

    So this certainly puts a different spin on the DNC and Clinton email hacks. It certainly looks more and more like they were politically motivated. A curious child could hack this setup and yet there has been no release of documents from the Trump campaign's email servers. If it truly was about just sharing information, why would they not attack both sides? The longer it goes, the more it looks like someone (or someones) is purposely trying to influence the election with the hacks and leaks. If Wikileaks was really about just releasing information, why would they be slowly releasing the hacked emails over time before the election instead of just releasing them all at once? It's not like they scrub personal information from them, so what is the purpose of slowly dishing them out if not to keep it in the news and influence people?

  • Mathematics is either flawed or not; math doesn't tarnish or rust or break. It was either secure to begin with, or insecure all along. The only difference is that if it's insecure and new there's a chance no one knows the flaw yet and perhaps you fix it before anyone finds it. But it could be secured (eg by sufficiently advanced firewall rules), and if it's secure it's secure. On that note, I wouldn't mind reading the Trump emails if anyone has them. I'd bet either Wikileaks or the New York Times would be w

  • I bet it was the Russians that did it.
  • Netcraft reports that trumporg.com is running IIS 7.5, not 6 as the article claims. Who am I to believe: a computer, or an investigative journalist attempting a hit piece?
  • Somewhere, someone is saying this .... Jack Nicholson as the Joker [youtu.be]
