If Palin's e-mail can be cracked, yours can too

Putting aside the rectitude of using a public e-mail service like Yahoo Mail for government business, as Alaska governor and U.S. vice presidential candidate Sarah Palin has done, if her e-mail was so easily hacked, how private do you think yours is?

The answer? Your only hope may be to keep so low key that no one cares about hacking your e-mail.

I'm willing to bet that most public figures keep Gmail, Yahoo Mail, Hotmail, etc. accounts, though most probably don't use them for public duty. Is it really as easy as wanting to crack them to be able to do so? The methods used are not yet known, but the hackers wouldn't have had much time. Despite it being somewhat common knowledge in Alaska that Gov. Palin uses private Yahoo e-mail accounts regularly, the news doesn't appear to have hit the national stage until the last week or so.

In other words, as soon as hackers had interest, they got access. This should be of concern to anyone using an e-mail service like Gmail or Yahoo Mail. Is our e-mail privacy only as durable as our anonymity? Security through obscurity, indeed.

Update: Ars Technica has details on a possible first-person account of how Governor Palin's email was hacked.

[teraphim]

This sort of invasion of privacy happens all the time, it's just that most of the time the victims are just plain folks who can do nothing about it. There is also a vicious cycle where the mainstream media picks up the story, prints names an personal information, and then those articles are reposted and quoted on the Internet. Nothing is easier these days than making someone a target of public discussion and Google ensures that discussion will have an eternal record for any prospective employer or other important decision-maker who wants to find the dirt.

It doesn't matter how "careful" and "secure" people are with their own private information. If someone else decides to print your name or post your picture, they can ruin your privacy with impunity.

I have yet to see one good suggestion about how regular folks can protect themselves. Wealthy people and celebrities have lawyers, and they may be able to push through policy that will defend their privacy. However, what about the people who can't afford lawyers? What about the people who are regarded as "nobodies", so even mainstream media privacy-invaders don't bother to fix what they've done?

There is only one solution I can see, though it's draconian. Private individuals should be able to request immediate removal of a web page (not a whole site) from a search engine if their is a question of privacy invasion. While the page can be restored if no privacy invasion has occurred (with the victim receiving benefit of the doubt) and/or if the matter is shown resolved (private information deleted). This policy should apply even to government web sites and mainstream media web sites.

If possible, deletion of pages that display personal information should take place at the touch of a button (to be propagated to all mirror servers). It should be a required feature of all Internet search engines.

Perhaps such radical privacy protection will be used to protect people who abuse power in high government and corporate positions from public scrutiny. If this is the case, then there needs to be more channels of recourse to demand an investigation for such wrongdoing. Allowing normal citizens to protect their privacy should come first.

[The_Decider]

Educate yourself. Lock down your computer, make sure all sensitive information is transmitted via https, use multiple strong passwords and change them often. Don't put personal information in the reach of search spiders. Google hacking is fun simply because 99% of the computing public is completely computer illiterate.

The best protection for the average Joe is a little education and some common sense.

[theantibush]

We are talking about a governor and potential head of state that still hasn?t gotten her head around the ?if you wouldn?t write it on a post card, don?t send it by email? mantra of the past decade and a half. Oh, your email could get hacked. What headlines. Of course it can get hacked, as any school child knows. Thats why you send encrypted messages across the internet and use your own email server at work, not yahoo or others, like any other semi-competent person does. What stops a commercial mail admin from reading your email to pass the time during lunch? Duhhh...! That this is lost on someone a hairs breath away from the presidency is outrageous. And you can bet her other security practices are just as lacking. Such lack of awareness and attention to detail is but the tip of the iceberg and hardly indicative of a great, unique mind suitable for world leadership.

[umbrae]

This is why the "cloud" sucks. Only idiots with no idea of what privacy means would every put their data in the hands of someone else.

[Kev_Orng]

C'mon, look at her. Give me three guesses at her password, and I'd guess as follows:

"12345"
"Secret"
"BigGuns69"

Either that, or its one of her kids names

[Matt Asay]

You lose. "HotMaMA" wins the prize. ;-)

[Dalkorian]

Funny, I would have guessed "abstinence". ;-)

[The_Decider]

Matt,

There is nothing hot about a vile, mean-spiriting, unintelligent woman.

[The_Decider]

You are giving her too much credit, it was probably "password"

[benjaminstraight]

Just like the lifelock dude getting his identity stolen. Nothing is truly safe.

[Matt Asay]

Ouch! I didn't know that one. Is that the guy who gives out his social security number? I think I just saw one of those ads in Businessweek. Ironic.

[Dalkorian]

Yeah Matt, that's the one. Those guys are convicted crooks and only the mentally incompetent would trust them with the time of day.

Some nighttime reading:

http://www.cnn.com/2008/CRIME/05/22/lifelock.flap.ap/index.html
http://www.phoenixnewtimes.com/2007-05-31/news/what-happened-in-vegas/1
http://www.ftc.gov/os/1997/04/maynard.htm

[mrjzn]

"If the pro's want it, they'll get it." Your only hope is to be able to slow them down long enough to keep them from getting to it, and obscurity is/can be part of that.

And yes .... the cloud is neat, but there are some real issues there regarding where the data is stored and how it is transacted. Even if you don't use Yahoo, gmail, hot mail, etc. ... odds are your email is traveling plain text. If the right person/group is truly interested, they can get their hands on it.

And the lifelock guy ... well, that's an obvious one ... my SSN is ######### ... 'nuff said there.

I had to instruct a state senator on how to use the 'Bcc' field after she sent me (and a number of other people) an email with everyone's addresses in the 'To' field. Teaches me to write in and speak up on issues with government representatives (that's how they got my address).

[The_Decider]

Obscurity will never save you. I run an extremely obscure web and mail server for my family. In fact, it is so obscure, if a server were less so, it wouldn't exist. You can not find a trace of it on Google or any other search engine, the only way you could come across my server is if you were methodically attempting to recon every IP address and/or happened across my web host, which is a fairly small host(big hosts generally don't offer VM's with complete control of the OS running on it). OK, we are talking obscure.

Less than 5 people use it per day. Spammers try(and fail) to bounce several thousand pieces of spam per day, and my message board get 5-10 account creation attempts every day

With something like Yahoo mail, if you have a truly strong password then the only way to hack it would be to crack the encryption from the https session or brute force the mail servers.

Writing a program to randomly create or use dictionary(that appends these names with numbers) based user names and passwords and trying them against Yahoo or whomever is a fairly trivial exercise. You would probably get a few confirmed "hacked" accounts everyday.

There is no security in obscurity.

A dictionary based password can be broken inside 5 minutes, usually in just a few seconds. A longer, strong password could take 500+ years on modern equipment.

[sendmeabunch]

http://skirtsnotpantsuits.blogspot.com/2008/09/and-hacker-is.html

http://rsmccain.blogspot.com/2008/09/palin-hacker-idd.html

http://libertarianrepublican.blogspot.com/2008/09/mike-kernell-member-of-tennessee-for.html

And get this, his dad is Mike Kernell, a democrat for Obama in Tennessee. Busted!

[dadsgravy]

Oh no! They're gonna find out that my breath always smells like crap because my wife's dad is cheating on me.

[BenjaminWright]

On account of Open Records Acts, state governments are wise to insist that employees (including governors) route all business e-mail through a central e-mail archive and to encourage employees to take all personal e-mail to personal accounts. --Ben <a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/local-government-e-mail-and-the-freedom-of-information-act.html">http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/local-government-e-mail-and-the-freedom-of-information-act.html</a>

[The_Decider]

Too bad it doesn't get enforced, at least not against Repiglicans.

[The_Decider]

2-1 that this "hack" was possible due to a weak password.

1000-1 that it was brute forced.

[The_Decider]

Obscurity will never save you. I run an extremely obscure web and mail server for my family. In fact, it is so obscure, if a server were less so, it wouldn't exist. You can not find a trace of it on Google or any other search engine, the only way you could come across my server is if you were methodically attempting to recon every IP address and/or happened across my web host, which is a fairly small host(big hosts generally don't offer VM's with complete control of the OS running on it). OK, we are talking obscure.

Less than 5 people use it per day. Spammers try(and fail) to bounce several thousand pieces of spam per day off my mail server, and my message board and custom web app get 5-10 account creation attempts every day. I lost track of how many times it gets probed by programs like Nessus.

With something like Yahoo mail, if you have a truly strong password then the only way to hack it would be to crack the encryption from the https session or brute force the mail servers.

Writing a program to randomly create or use dictionary(that appends these names with numbers) based user names and passwords and trying them against Yahoo or whomever is a fairly trivial exercise. You would probably get a few confirmed "hacked" accounts everyday.

There is no security in obscurity.

A dictionary based password can be broken inside 5 minutes, usually in just a few seconds. A longer, strong password could take 500+ years on modern equipment.

[chooseanothername]

Barracuda refused to turn over 1100 emails in a F.O.I.A. Stating they are of a personal nature, when they are not. That?s a federal crime. It?s a pre-meditated crime,which to commit the crime of illegally shielding government documents is why she was using the account in the first place. Moreover the Attorney Generals Office of the great state of Alaska just issued an opinion that if government documents are in a private e-mail account,the State has the right to review them, that they must be saved for three years, and that to destroy (delete) them is a crime.In my opinion, Palin or someone in her employment (McCorkell? Having a P.I. Background & couldn?t resist giving herself 2 min. of fame)done this as an excuse to delete and/or discredit the account.I believe the trail will lead back to them if it?s followed in a prudent manner. Everyone so smart call this hacker so dumb.Do we have a sloppy hacker or a smart and devious hacker framing the kid?don't say no or act like you're so smart if you haven't considered it.If the I.P. Addy matches the kid in question yet it still doesn?t add up a then programs like netbus or back orifice with a built in wiping routine should be considered. These are common names for a trojan jacker that a hacker can take over your computer use it without you knowing it,then attack others with your computer address.It turns your computer into a proxy..after the deed is done it can erase itself and fill in where it was with random bytes. Anyone can download these programs off the net in a matter of three minutes..Remember M.O.M. (means,opportunity,& motive)Who really has all three? Palin...Let us not forget the bug Karl Rove found in his Texas office and the WHOLE story behind that!! What, you don?t know what I?m talking about? Well then just nevermind

[chooseanothername]

It's clear this kid has been set up. He hacked her email found nothing, absolved her of any wrong doing but was still compelled to send it to a web site after expressing fear of the FBI? Why? No one would have known he even done it,if it wasn't posted to ..Why after you found nothing would you go ahead and post it when it could put you in prison and would only absolve her of any wrong doing?Why would he do that then say there was nothing incriminating? If he really was scared at that point all he had to do was go to bed and forget it. Then he supposedly writes an email that he did it and used a name he had used for years all over the net? Right,sure sure. He said he was only behind one proxy and knew that wasn't enough,then why wasn't he behind three proxies? No my friends it's not true. Palin needed an excuse to get rid of her e-mails and this kid is being framed..