Palin Email Hacker Found

mortonda writes to tell us that the person responsible for breaching Sarah Palin's private email account has been found. We discussed the breach last Wednesday, shortly before the hacker, a University of Tennessee-Knoxville student, posted a message detailing his methods. Wired has a story examining the potential legal consequences for the hacker.

This Just In

Cracker is an idiot. Ever hear of Tor [wikipedia.org]? Or better yet, post the information on something like Freenet [wikipedia.org] and just advertise it on Freenet somehow and let other people get the information out to the main web.

Of course, the fact that he posted his nick on /b/ when it's usually forced-anon anyway means he basically confessed. Not to mention that he said which proxy service he used -- note to criminals: if you want to get away with something, don't brag about how you did it!

Re:This Just In

Unless someone just compromised that forum account and framed him.

Re:This Just In

Forum account? 4chan doesn't have 'accounts' to be compromised. And tripcodes don't give any user information, just verifiers the username. The only identifiable info on 4chan would be the IP.

Re:This Just In

He put a name he uses elsewhere in the name field. That name was then connected to an email account.

Re:This Just In

Let's say it like this: He or she is no hacker or cracker. It is just a usual internet user who did not obtain great skill.

Lessons:

* government users should not take yahoo (who ever came to that idea?)

* Anonymous communication matters

* Activities of governments should be transparent.

* It may help a person to become vice president who appears to be a nightmare and encourage anti-hacking regulations. Fortunately S. Palin has close affiliations with witch hunters. [youtube.com]

Re:This Just In

The whole reason Palin is using Yahoo instead of government sponsored email is that any email sent through those channels is archived for a Very Long Time as a matter of public record. Wondering what the clerk at the DMV is REALLY emailing about? Put in a freedom of information act request and it's all yours.
 
By Palin using yahoo, it's not closely watched and she can conduct official business off the record. It's very poor form to do so and is the real story here.

Re:This Just In

I have yet to see anyone ask Cheney or Palin if they feel they are above the law. Their actions seem to indicate they do.

I have trouble understanding why we put people with such obvious contempt for the law in positions that are in charge of it.

Re:This Just In

I have trouble understanding why we put people with such obvious contempt for the law in positions that are in charge of it.
 
Brilliant marketing, and the general public's desire to believe what they're told in hopes that it will come true. If the general public were half as smart as we give them credit for the world would have never seen Napoleian, Cesar (well actually the Romans solved that problem on their own), Castro, Hugo Chavez and more. But as the protestants like to point out, people are like sheep and will head in whatever direction the man who speaks softly but carries a big stick says.

Re:This Just In

Email is a lot easier to record? There's always been a divide between the written and spoken word, from business deals (oral contract is only binding up to $500 in Florida), to courtroom hearings (hearsay, your word vs. mine, etc). You can request copies of government memos; email is electronic mail; it stands to reason that any official written communication should be kept. Lots of meetings are held behind closed doors because there's no written record for public consumption.
 
There's lots of other cases where emails are available for public consumption; for instance emails back to 1996 for the Seattle metro service are all available for review. On the flip side you have a matter of public record, historical records for data mining, and more. Imagine how boring history would have been if we didn't have access to Benjamin Franklin, George Washington, Abraham Lincoln's personal letters today?
 
Governors aren't required to record their telephone conversations, although I know Nixon was a fan of doing so - which is partially what got him in trouble in the first place. I'm not sure what the outcome was in court about whether those are considered personal or not. I know in most states both parties have to be aware of the conversation being recorded. In Virginia(?) only one party is required to know that the conversation is being recorded.

Because Yahoo is not for gov business.

Do you know that she seems to have been using the account for gov business? No matter what the kid said or saw there is more to it than you seem to know.

http://voices.washingtonpost.com/the-trail/2008/09/17/palins_yahoo_account_hacked.html [washingtonpost.com]

Among the e-mails released as part of the records request in June were several from Frye asking a state official whether private e-mail accounts and messages sent to BlackBerry devices are immune to subpoena, then reporting the answer to the governor and her husband, Todd, who also uses a Yahoo! mail address.

Asking if Yahoo accounts are subject to subpoena and relaying the answer to the governor suggests to me that the accounts were not simple private email accounts.

Re:Why can't a government employee use Yahoo?

Most of the newsbits explicitly mention that "Governor Palin has come under media criticism in the past week for using private email accounts to avoid Alaskan freedom of information laws." Neither of you seem to have even read the original story?!

Re:This Just In

She wasn't using the account for gov business, at least not based on what was posted on wikileaks, or according to the purported "Hacker". It was personal e-mail, in some cases about how she and others were being treated personally in the political arena, but not anything related to official government business.

As Officer Bar Brady says "Nothin to see here, move along now".

Yeah, the emails with "CONFIDENTIAL" in the subject line from other officials in her administration really screamed "Not official government business" to me, too.

Re:This Just In

Let's say it like this: He or she is no hacker or cracker. It is just a usual internet user who did not obtain great skill.

Lessons:

* government users should not take yahoo (who ever came to that idea?)

* Anonymous communication matters

* Activities of governments should be transparent.

* It may help a person to become vice president who appears to be a nightmare and encourage anti-hacking regulations. Fortunately S. Palin has close affiliations with witch hunters. [youtube.com]

Oh please. Here's the real lessons learned:

1. Don't make your security question anything that can be found online or don't discuss anything about it online (hers was where she and her husband met).

2. Don't enter your real birthdate anywhere online. Again, what places really need this for an online account except "social networking" sites? Even then, anyone you know is probably going to know when your birthday is anyway.

3. Don't use your real zip code.

All of the above would have completely prevented this "hack". It's not difficult to make up a birth date and use that instead. Same goes for a zip code (12345 anyone?).

step to step guide how not to get caught

1) Buy cheap pc using cash (OLPC or similar)
2) Find open wifi network, choose a place far from where you live
3) Connect to TOR and do your dirty deeds
4) Clean finger prints from PC and trash it, far from where you live

OR

1) Goto internet cafe, ensure cafe has no security cameras
2) Pay with cash
3) Connect to TOR and do your dirty deeds
4) Clean finger prints from computer

Profit?

Re:"Hacker"

It is usually the easiest way for a lot of systems; that, or just ask the user and they will tell you.

Re:"Hacker"

If you have followed the story, he didn't guess the password. He used publicly available information to fool Yahoo's password recovery tool to give it up.

As simple as it may sound, it is a bit more involved than 'guessing' a password.

Re:"Hacker"

If you have followed the story, he didn't guess the password. He used publicly available information to fool Yahoo's password recovery tool to give it up.

And somehow that turned into headlines that say:
Palin Email Hacker Impersonated Her, Stole Password

http://www.google.com/search?q=palin+impersonated [google.com]
Even the Associated Press went down that road.

Re:"Hacker"

Not even password guessing. He apparently took public information about her and reset the password.

If anyone wondered if demanding date of birth, home town, etc. was a BAD way of determining identity, this should resolve that for them.

Re:"Hacker"

First, it wasn't password guessing. He exploited Yahoo's password recovery system to get it to reset her password. He basically used public information to pose as Palin and convince Yahoo's password recovery system that he needed the password reset. Exploiting such a weakness in the system is, by any standards, "hacking".

Second, after he got in, he than went through all of her e-mail. Breaking into a system, even if it had been a password guess, and then going through its contents is again, by any standard standard, hacking.

I loath Palin, but this guy is going to get what he has coming. Even shitty and crazy humans who think the world is a few thousand years old and much to my horror might be president one day, get legal protection. It isn't like the police can go, "Yeah, he hacked in, but Palin kinda sucks, so I think we will let this one slide".

Re:Important

If he's a student, I hope Palin opts not to press charges, or pushes for a slap-on-the-wrist. Some kind of punishment that will sting, but won't be career ending.

Regardless of the politics involved, if there's no charges then any online email service is essentially useless for private communication.

No, they are *already* useless for private communication. Email is sent in plaintext across networks, and regardless of prosecution, the attack vector used here is a pretty easy one. If your email is unencrypted, or you're using easily looked-up information as passwords or recovery questions, then it's not private. period.

It would almost be better not to prosecute at all, if it has the effect of making people aware of, and take precautions against, the complete lack of privacy already extant.

Re:Public Records

Why is Sarah Palin using a private account when she is Governor?

Because there are laws in place that say what you can and cannot do with government services and equipment. What you do not seem to get is she was abiding by these laws. Thats why she has 2 (or more) email accounts. The hacker ought to be prosecuted, he even said he did it with malicious intent

I really wanted to get something incriminating which I was sure there would be

but guess what? he found squat and diddly.

I read though the emails... ALL OF THEM... before I posted, and what I concluded was anticlimactic, there was nothing there, nothing incriminating, nothing that would derail her campaign as I had hoped, all I saw was personal stuff, some clerical stuff from when she was governor.... And pictures of her family

You can't conduct state buisness.

A number of those emails seem to be very state-businessy looking at who they are all from. And apparently they were using those accounts in order to have the ability to quickly delete any email they wanted rather than be subject to maintaining them for FOIA requests.

Re:Public Records

Why is Sarah Palin using a private account when she is Governor?

Because there are laws in place that say what you can and cannot do with government services and equipment. What you do not seem to get is she was abiding by these laws. Thats why she has 2 (or more) email accounts. The hacker ought to be prosecuted, he even said he did it with malicious intent

That's not why she uses personal e-mail accounts for state business. [nytimes.com]

Interviews show that Ms. Palin runs an administration that puts a premium on loyalty and secrecy. The governor and her top officials sometimes use personal e-mail accounts for state business; dozens of e-mail messages obtained by The New York Times show that her staff members studied whether that could allow them to circumvent subpoenas seeking public records.

Re:Public Records -- The Catch-22

As for the hacker, hopefully the Feds will give him a nice long stay in a real PMITA prison with a guy named Bubba.

Your post was great until you said this. People should be punished according to sentences under the law, not subjected to the arbitrary abuse of other prisoners.

Re:Equal punishment?

Like the GOP staff that used an exploit to read their oppositions email? Hmm, there were no legal consequences in that case. Maybe there should have been? Report Finds Republican Aides Spied On Democrats http://query.nytimes.com/gst/fullpage.html?res=9F00E0D7103FF936A35750C0A9629C8B63 [nytimes.com]