2016 Postmortem
Some of the many dumb things about the Guccifer story.
The most obvious is that Guccifer's MO is to break into people's emails and then publish them, because he got a thrill out of it. So believing that he hacked Hillary's server and then published nothing and got no glory out of it is a bit like believing that Joseph Smith found golden plates with the word of god on them but then forgot where he put them. What is believable is that Guccifer, who is now going to be spending a long time in prison, would try to draw attention to himself by claiming to have hacked Hillary or claiming that he can prove the Rockefellers were part of some Illuminati conspiracy, or any of the other crazy things he has said.
The way Guccifer hacked people is by social engineering or guessing security questions, not by actually exploiting technical vulnerabilities. He was good at that, but there is no indication that he had the skills necessary to perform a technical hack, and there also isn't any indication that he socially engineered his way into Hillary's email account. The truth is, it's harder to socially engineer your way into a private server than a gmail or AOL account because there are no security questions to guess or tech support people that you can convince to reset your password.
He claims he described how he got into her server, by scanning for open ports, but scanning for open ports doesn't get you into a server. If he had actually gotten in, he would have described which port he used, and how he was able to use whatever service was running on it to obtain access. Finding open ports is easy, anyone can do it, but getting access to the computer through an open port is hard. An open port is not itself a vulnerability unless the service running on that port is vulnerable. Saying you hacked a server by scanning for open ports is a bit like saying that you were able to break into a bank vault by using Google to figure out the bank's address and business hours.
One last thing. I see people thinking that because the server was "unsecured" for a few months that somehow means it would be easy for Guccifer to break into. But the thing that was unsecured was the email server running on the computer, not the computer itself. What that means is that communications to and from the server were not encrypted, and could be vulnerable to for example a man-in-the-middle attack. But that does not make it any easier to get in by scanning ports. For a man-in-the-middle attack, you actually have to be "in the middle", and Guccifer wasn't. If you connect to an unencrypted email server using hotel wi-fi, the hotel is in the middle, and they can read your correspondence, possibly spoof you or get your password. But there was no way for Guccifer to place himself "in the middle", nor is there any indication that he has ever done this kind of attack or would even know how.
Is it possible that someone broke into Hillary's server? Sure, after all, with Snowden and Manning and the rest, we know that no digital information is really secure. But Guccifer saying so doesn't make it any more likely.
cherokeeprogressive
(24,853 posts)
But Hillary Clinton supporters might as well get used to it.
mmonk
(52,589 posts)
Then a hacker could sell that address to the highest bidder.
DemocratSinceBirth
(101,853 posts)
YouDig
(2,280 posts)
Anyone she ever sent an email to had it, and anyone they forwarded the emails to. Also, selling it would be useless once Sid's emails were posted on the internet.
mmonk
(52,589 posts)
IamMab
(1,359 posts)
I think some folks are failing to realize how desperate they're appearing when they try to rely on a criminal's cry for attention as some form of evidence.
LiberalFighter
(53,544 posts)
Thanks!
IdaBriggs
(10,559 posts)
You can see the screenshots and other info he posted back in 2013. (He made the background pink and used Comic Sans font so people thought it was a joke.)
Then visit the Network-that-shall-not-be-named and again search for him; they have more details that answer your questions, including a more recent interview.
Last, search for "pailthompson" and his posts about this from yesterday; his timeline explains the significance of the hack period (the IT guy wasn't taking care of the server anymore, and they hadn't hired the new company yet).
Enjoy!
ucrdem
(15,720 posts)
Doesn't make a bit of it true.
IdaBriggs
(10,559 posts)
ucrdem
(15,720 posts)
YouDig
(2,280 posts)
He got into those by socially engineering his way into Sid's AOL account, which had nothing to do with Hillary's email server.
I saw the "paulthompson" posts and quickly learned that "paulthompson" doesn't understand the first thing about computer security.
IdaBriggs
(10,559 posts)
They extradited him for a reason, so apparently whatever he says is important to them.
YouDig
(2,280 posts)
NWCorona
(8,541 posts)
It seems like you are trying too hard to poke holes in his story. Understandable, but his claim isn't far-fetched.
YouDig
(2,280 posts)
Out of curiosity, do you know anything about computer security?
NWCorona
(8,541 posts)
YouDig
(2,280 posts)
to do doesn't actually get you into a server.
NWCorona
(8,541 posts)
But the fact the server had an outdated and vulnerable remote client program running and you could use brute force tactics on her login is troubling.
YouDig
(2,280 posts)
The outdated email software has absolutely nothing to do with the Guccifer story, because Guccifer didn't claim he hacked the email server, he claimed that he hacked in through an open port, but somehow declined to specify which port and how he got access through it.
Running outdated software is obviously not ideal, but it doesn't make it "easy" to hack by any means. Like I said in the OP, even if client-server communications are unencrypted, to sniff packets or spoof you actually have to control a node in between the client and the server. I don't know if it had any protection against brute-force attacks or not, but brute-force attacks definitely leave traces in logs, and there were no traces found in the logs.
And the bottom line is, email is insecure. It's arguable whether a private server, even running outdated software, is less secure than gmail or .gov, for a lot of reasons. Most hacks aren't spoofing or anything technical, they are social engineering, bad passwords, etc. With a large administered system, there are a lot more ways in. There are a lot more IT people to convince to reset your password. And then there are Edward Snowdens, who it is really hard to protect against in a big organization.
The biggest leaks of classified information we've seen, Snowden and Manning, didn't arise from weak encryption software or outdated certificates, they were simply due to humans who had access. So I think, all things considered, her emails were likely more secure on that home server than on .gov.

YouDig
(2,280 posts)
American officials, which is why he is being extradited to the US.
pinebox
(5,761 posts)
I think he probably went ahead and did as you say and did as the others say.
One thing is for sure, we'll know more in the coming weeks and it is going to get damn interesting.
IdaBriggs
(10,559 posts)
But if you believe it's just a coincidence, you can be surprised later.
YouDig
(2,280 posts)
While we're at it, maybe Ted Cruz's dad really did kill JFK.
IdaBriggs
(10,559 posts)
"criminal conspiracy" and the explanation of charges will come from the FBI and DOJ. The emails she had deleted and edited and her "private server" will become "evidence".
I'm not a lawyer but I've watched enough "Law & Order" to know those folks investigate crimes. Spin all you want; you aren't as credible as they are.
YouDig
(2,280 posts)
I think that pretty much sums it up.
unc70
(6,501 posts)
And to establish a basis for evidence regarding Blumenthal emails and thus probable cause for investigating Clinton's server for containing national security information and, through that, the Clinton Foundation emails. Everything is being done carefully by the book for probable cause, chain of custody, etc., and to avoid any risk from the exclusionary rule.
Whether Guccifer himself actually hacked Clinton's server or email may be interesting or even otherwise important, but it is not required for establishing the cases in the likely criminal investigations of Blumenthal or Clinton and her staff. It is mostly a distraction from the core issues.
YouDig
(2,280 posts)
But conspiracy theories are fun too.
unc70
(6,501 posts)
That was why I discussed how his possibly hacking her server was not necessary for investigating the likely issues concerning Clinton, et al.
The fact that Guccifer actually hacked others like Powell undermines your arguments in the OP. Hacking his personal email and posting pictures of Powell at Bohemian Grove isn't quite the same as exposing national security information.
YouDig
(2,280 posts)
He's got nothing to do with Clinton, except that he hacked Blumenthal's account which had emails from Clinton on it. If I had sent Blumenthal emails, then he would have accessed those too. It has nothing to do with the security on Clinton's side.
And, like I said in the OP, the way he hacked those others is by social engineering, not exploiting security vulnerabilities. He claims to have hacked Hillary in a totally different way, and yet can't even explain how he did it, nor provide any evidence of it. It's no wonder that the Right Wing Media is running with this.
unc70
(6,501 posts)
Guccifer's hack of Blumenthal is how we learned first of Clinton's server. What we have learned since is serious, very serious. Whether she or her staff will be indicted is another matter. I see it likely that she and some of her staff knowingly circumvented several laws and regulations and then took specific actions to obfuscate and cover up such actions. Things like editing copies of certain emails before they were printed and delivered to State go a long way in establishing intent and proving conspiracy.
If even a single associate is indicted, the political damage will be huge for all Democrats.
Blumenthal and his sources are in big trouble of their own, and it would have similar political fallout for Clinton and all of us.
FYI I have over 40 years of professional experience in and around security and technology, though I no longer deal with day-to-day operations. I am appalled by the incompetence exhibited in this episode. There are several DUers with specific and detailed knowledge of the specific security systems and practices current at State and other Federal agencies. Their posts attest to the seriousness of these problems.
lamp_shade
(15,482 posts)
stonecutter357
(13,045 posts)
obamanut2012
(29,369 posts)
SunSeeker
(58,283 posts)
Lucinda
(31,170 posts)
bobbobbins01
(1,681 posts)
For instance... if he gets the IP address, he can attempt to log in via SSH (port 22), which then gives him access to a login screen which accepts a username and password.
He'd then need a username and a password, and depending on how secure the server was (and indications show it wasn't secure at all), assuming it was an Ubuntu server, which is pretty common, there is a default user 'ubuntu', so from there he could just brute force his way in by trying different passwords.
Also, many email servers are configured so that each email account is also a user on the server, so he'd already have a username (Hillary Clinton's) to try. That would probably be even easier than trying to guess the ubuntu user's password, because there is a chance that her server password is the same as her email password, and likely easy to guess.
YouDig
(2,280 posts)
Brute forcing over SSH is not going to work unless the password is something like 4 characters. The number of attempts per second is limited both by bandwidth and by the capacity of the server to accept them. And even if you get 10,000 per second, which you can't, that would mean 15 years to crack even an 8 character password with no digits and no capitals. Besides, most servers are configured to deny access after N repeated failed login attempts.
Brute forcing is only really feasible if you have an encrypted file and you can keep trying passwords on your own hardware, so you try passwords much more quickly and with parallelism. This is why passwords for encrypting files need to be longer than passwords for logging in to servers.
Also, no, Ubuntu does not have a default user "ubuntu". On some versions "ubuntu" is the default username if you boot from a live CD, but not on an installed system. It is possible that she also had a username on the server that matched her email, but this is pure speculation, you certainly don't have to have an account on the machine in order to have an email account.
As far as guessing passwords, sure, that is always possible, that's actually how Guccifer got into other people's email. That's possible with any email account, including state.gov and gmail and whatever.
Oh, and either a brute force attack or attempts at guessing passwords would show up in server logs, which they didn't. And he wouldn't have been able to clean the logs unless he hacked into someone with root privileges, which neither Hillary's account nor any guest account would have had.
Finally, if Guccifer had either brute forced his way in or guessed her password, he would have said "I guessed her password" or "I brute forced the password" instead of "I ran a port scan".
Like I said in the OP, knowing an IP address and running a port scan gets you nowhere towards actually hacking a system. It is like saying that you robbed a bank by googling its address and business hours.
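Two posts in this thread (the reply above and the earlier one saying brute-force attacks "definitely leave traces in logs") rest on the point that password guessing over SSH is visible in the server's authentication log. As an added example, not written by any poster, the following parses constructed OpenSSH auth.log lines and flags a source address that produces a burst of failed logins; the host name, user names, addresses and timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines in syslog format (not from any real server).
SAMPLE_LOG = """\
May  5 10:00:01 mail sshd[1201]: Failed password for invalid user ubuntu from 203.0.113.7 port 51022 ssh2
May  5 10:00:02 mail sshd[1201]: Failed password for invalid user ubuntu from 203.0.113.7 port 51022 ssh2
May  5 10:00:02 mail sshd[1203]: Failed password for mailuser from 203.0.113.7 port 51024 ssh2
May  5 10:00:03 mail sshd[1203]: Failed password for mailuser from 203.0.113.7 port 51024 ssh2
May  5 10:00:03 mail sshd[1205]: Failed password for mailuser from 203.0.113.7 port 51030 ssh2
May  5 10:00:04 mail sshd[1205]: Failed password for mailuser from 203.0.113.7 port 51030 ssh2
May  5 10:07:44 mail sshd[1310]: Failed password for admin from 198.51.100.20 port 40000 ssh2
May  5 10:09:00 mail sshd[1400]: Accepted publickey for admin from 192.0.2.10 port 50500 ssh2
"""

# sshd logs "Failed password for [invalid user ]<name> from <ip> port <n>"; only those lines match.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failed_logins(log_text):
    """Return a list of (timestamp, username, source_ip) for each failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; a fixed year is fine for computing time deltas
            ts = datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_bursts(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures inside any `window_seconds` span.
    Returns {ip: {"failures": total_failures, "users": sorted usernames tried}}."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        start = 0  # sliding window: items[start:end+1] all lie within window_seconds
        for end, (ts, _) in enumerate(items):
            while (ts - items[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(items), "users": sorted({u for _, u in items})}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in find_bursts(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failed logins, usernames tried: {', '.join(info['users'])}")
```

The single failure from 198.51.100.20 and the successful key-based login are left alone; only the rapid sequence from 203.0.113.7, including the guessed "ubuntu" account name discussed in this thread, is reported.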
bobbobbins01
(1,681 posts)
They didn't check the logs until after he got access, so it showing up on the logs during the attack would be irrelevant. He could clean up after the fact.
"you certainly don't have to have an account on the machine in order to have an email account" - Many email server configurations do require you to have an account on the machine in order to have an email account. It is an extremely common setup.
Considering most people use extremely simple passwords, and this server has been criticized for its lack of security, it probably wasn't configured to deny access after failed attempts, and a brute force attempt could very well be successful since good ones go through a dictionary of the most common passwords first, and don't just randomly start plugging through the alphabet.
Paragraphs 4 and 7 of yours directly contradict each other. If he could guess the passwords as he had in the past and had access to ssh with which to do so, then running a port scan does get him somewhere. Maybe running a port scan gave him access to ssh because it wasn't running on the standard port.
Whatever the case is, your argument seems to be that since he said he searched for open ports, and not the verbiage you think he should use, that he didn't do it, but that of course is just an arbitrary standard you set.
YouDig
(2,280 posts)
Cleaning up logs requires root access. Do you even know what that is? You think any user can just go in and tamper with logs? I guess you're used to computer systems where everyone is a superuser. That in itself is a great reason to not listen to anything you say regarding this topic. That and the "ubuntu" user thing, unless you think the server was running off a live CD boot.
Bottom line, the only way in is if he actually guessed her password, and unless he guessed it on the first try, the attempts would have shown up in logs. Which they didn't.
There's no indication that he got in by guessing a password, he didn't claim to have guessed her password like he did for other people, he has no evidence that he ever got in, and he is a criminal with a penchant for exaggeration and conspiracy theories. His description of how he got in, by running a port scan, is a joke. It impresses clueless people who don't know what an "open port" is, but means nothing.
That's a common setup for large organizations like universities, where the people using the system actually use their account for other things too. Which this was not, it was a dedicated email server. If you just want to set up an email server, you certainly don't need to create user accounts for everyone with an email account.
And the lack of security was with respect to the encryption of client connections to the email server. That has nothing to do with password guessing. If you guess someone's password, you get in even if the connections are encrypted.
But, if you put together a bunch of assumptions that have zero evidence behind them, I guess you can get there. You have to assume (a) all email users had accounts they could SSH to (b) her password was easy to guess (c) there was no failed login limit (d) all users had root access (e) instead of telling the world he guessed her password he decided to talk about a port scan and (f) unlike his other hacks, he decided to produce zero evidence of getting in.
And if you can convince yourself of all that, you probably also think Bernie has more delegates than Hillary.