September 20th, 2008

The lessons in Sarah Palin's email adventure

Posted by Paul Murphy @ 12:15 am

Categories: Applications, Enterprise Policy, General

Tags: Password, Yahoo! Inc., Sarah Palin, E-mail, Online Communications, Paul Murphy

Earlier this week a number of electronic media sites published extracts from Sarah Palin's private Yahoo email files. Because this happened in the United States, the sites doing the publishing committed no crime, but the person who stole the messages from her Yahoo account did.

According to a posting reproduced on pastebin, the theft required no break-in at all: the attacker simply claimed to have lost the password and then answered the identity questions Yahoo asks before issuing a password reset:

after the password recovery was re-enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was "where did you meet your spouse?" did some research, and apparently she had eloped with mister palin after college, if you'll look on some of the screenshots that I took and other fellow anon have so graciously put on photobucket you will see the google search for "palin eloped" or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on "Wasilla high" I promptly changed the password to popcorn and took a cold shower!

And, of course, he did it in the spirit of hyper-partisanship characteristic of the anti-Palin ranters:

I read through the emails, ALL OF THEM, before I posted, and what I concluded was anticlimactic, there was nothing there, nothing incriminating, nothing that would derail her campaign as I had hoped, all I saw was personal stuff, some clerical stuff from when she was governor. And pictures of her family

Earlier it was just some prank to me, I really wanted to get something incriminating which I was sure there would be, just like all of you anon out there who think there was some missed opportunity of glory, well there WAS NOTHING, I read everything, every little blackberry confirmation, all the pictures, and there was nothing, and it finally set in…

Although there are numerous unproven claims that "rubico" is the 20-year-old son of Tennessee state representative Mike Kernell, a Democrat and Obama supporter, the lesson here goes well beyond politics.

Sarah Palin seems to have followed all the standard security advice: Yahoo runs BSD, not Windows, on its servers; she never accessed her personal email from hotel or other untrustworthy devices; she used a reasonably good password; and she gave truthful answers to the memory-jogging questions companies like Yahoo use to deal with lost passwords. All great, except look what happened: an electronic Watergate reprise in which some guy hoping to score points with her political opponents turned Yahoo's own recovery system against her and published her private emails. The weak link was never the password; it was the recovery path, because for anyone in the public eye the "secret" answers (birthday, home town, where you met your spouse) are a matter of public record and the reset form let him keep guessing until a phrasing matched.
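To make that failure mode concrete, the following is an added example (not code from the original post, and not Yahoo's implementation) that models a security-question reset flow, replays the guessing pattern described in the pastebin quote above, and shows the two controls a practitioner would want: an attempt budget on the recovery flow, and a random single-use recovery code in place of questions whose answers can be looked up. All account data and guess lists are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed enrolment answers and attacker candidate lists (placeholders, not
# the real account's data). The shape mirrors the pastebin account: one lookup
# for the birthday, two possible zip codes, several phrasings for the spouse question.
TRUE_ANSWERS = {"birthday": "11 Feb 1970", "zip": "99999", "where_met_spouse": "Wasilla High"}
PUBLIC_GUESSES = {
    "birthday": ["11 Feb 1970"],
    "zip": ["99998", "99999"],
    "where_met_spouse": ["eloped", "college", "high", "high school", "wasilla high"],
}
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly


def normalize(answer: str) -> str:
    """Canonicalise a free-text answer (case, accents, punctuation, spaces).
    Leniency helps the legitimate user but equally helps a guesser, so the
    real control has to be the attempt budget, not the matcher."""
    text = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store answers like passwords: salted, iterated hash, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    answer_hashes: Dict[str, bytes]  # question -> hash_answer(answer)
    recovery_code_hash: Optional[bytes] = None
    failed_attempts: int = 0
    locked: bool = False

    @classmethod
    def enrol(cls, answers: Dict[str, str]) -> "Account":
        salt = secrets.token_bytes(16)
        return cls(salt, {q: hash_answer(a, salt) for q, a in answers.items()})

    def check_answer(self, question: str, candidate: str, max_attempts: Optional[int]) -> bool:
        """One recovery attempt. max_attempts=None models the unlimited flow the
        attacker enjoyed; a number locks the flow after that many misses."""
        if self.locked:
            return False
        if hmac.compare_digest(self.answer_hashes[question], hash_answer(candidate, self.salt)):
            return True
        self.failed_attempts += 1
        if max_attempts is not None and self.failed_attempts >= max_attempts:
            self.locked = True
        return False


def run_attack(account: Account, guesses: Dict[str, List[str]],
               max_attempts: Optional[int]) -> Dict[str, object]:
    """Try the public-source candidates for each question in turn; report whether
    every question fell and how many guesses it cost."""
    total = 0
    for question, candidates in guesses.items():
        solved = False
        for cand in candidates:
            total += 1
            if account.check_answer(question, cand, max_attempts):
                solved = True
                break
            if account.locked:
                return {"success": False, "guesses": total, "locked": True}
        if not solved:
            return {"success": False, "guesses": total, "locked": account.locked}
    return {"success": True, "guesses": total, "locked": False}


def issue_recovery_code(account: Account) -> str:
    """Hardened alternative: a random single-use code given to the user out of
    band at enrolment (128 bits of entropy, stored only as a hash) instead of
    questions whose answers sit on Wikipedia."""
    code = secrets.token_urlsafe(16)
    account.recovery_code_hash = hashlib.sha256(code.encode()).digest()
    return code


def redeem_recovery_code(account: Account, code: str) -> bool:
    if account.recovery_code_hash is None:
        return False
    digest = hashlib.sha256(code.encode()).digest()
    if not hmac.compare_digest(account.recovery_code_hash, digest):
        return False
    account.recovery_code_hash = None  # single use
    return True
```

With no attempt limit, `run_attack` takes the constructed account in eight guesses, exactly the birthday-then-zip-then-spouse pattern quoted above; with a three-miss lockout the same guess lists fail on the spouse question. Two caveats: a permanent per-account lockout, as modelled here, lets an attacker deny the real owner her recovery path, so production systems use time-windowed limits and notify the owner; and the budget only works because the third question needed several guesses, which is why the recovery code, not a tighter counter, is the actual fix.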

So what's the bottom line? I think there are two. On an industry basis, everybody is going to have to rethink their password recovery procedures, which both opens markets for better solutions and raises the cost and hassle factor for everyone from the Visa consortium to Twitter.

The second is both more general and more personal: there is always someone who hates you or your company, and there is always a way for that hatred to find expression. You can make it harder for the bad guy by recognising the obvious: the larger and less personal the organisation you trust with personal information, the more accessible that information becomes, and thus the more likely it is that someone will find a way to use it against you.

Paul Murphy (a pseudonym) is an IT consultant specializing in Unix and related technologies.

Subscribe to Managing L'unix via Email alerts or RSS.

Talkback (most recent of 44)

Customize the question
Some sites allow you to customize the question so you can use "What was the licence plate on my first car". Since you are supplying both question and answer you are less vulnerable to the attack as described. Why public e-mail sites like Yahoo, G-Mail, & Hotmail don't use this I don't know....
Posted by: Oreamnos_americanus, 09/25/08
  • This is just the price paid ...  bjbrock | 09/20/08
  • Exactly  murph_z (ZDNet Moderator) | 09/20/08
  • what's scary...  Erik Engbrecht | 09/20/08
  • Definitely will happen at the worst time always!  joemartn | 09/21/08
  • Excellent point with many ramifications.  Cayble | 09/22/08
  • RE: The lessons in Sarah Palin's email adventure  kf6emm | 09/20/08
  • RE: The lessons in Sarah Palin's email adventure  Pantalaimon | 09/20/08
  • Yes and No  murph_z (ZDNet Moderator) | 09/20/08
  • Thank you! It was Palin who hacked her own account...  MGP2 | 09/20/08
  • She did not hack her own site  GuidingLight | 09/22/08
  • There's a group called Anonymous  Erik Engbrecht | 09/20/08
  • Agreed (NT)  murph_z (ZDNet Moderator) | 09/20/08
  • Security questions was always the weakest link  CobraA1 | 09/20/08
  • Agreed  murph_z (ZDNet Moderator) | 09/20/08
  • Question...  MGP2 | 09/20/08
  • Standard advice to people in the public eye  murph_z (ZDNet Moderator) | 09/20/08
  • You just made my point....  MGP2 | 09/20/08
  • Tech savvy politicians...  Erik Engbrecht | 09/20/08
  • John McCain invented the Blackberry  monkeyman1140@... | 09/22/08
  • Its further proof...  Cayble | 09/22/08
  • Customize the question  Oreamnos_americanus | 09/25/08
  • Web services are set up for "average people"  Mark Miller | 09/20/08
  • Average People  Erik Engbrecht | 09/20/08
  • Good point  Mark Miller | 09/22/08
  • People use free web mails to hide identify!  joemartn | 09/21/08
  • RE: The lessons in Sarah Palin's email adventure  darclew7 | 09/21/08
  • RE: The lessons in Sarah Palin's email adventure  BandwidthBandit | 09/21/08
  • Well, no - at least, I think not  murph_z (ZDNet Moderator) | 09/21/08
  • Well...yes Murph but seriously...  Cayble | 09/22/08
  • You missed the main lesson  tonymcs@... | 09/21/08
  • Hah??  Mark Miller | 09/22/08
  • You have no idea what official business was carried out in her yahoo email  monkeyman1140@... | 09/22/08
  • guilty as charged!  Mark Miller | 09/22/08
  • For the Democrat that hacked her email  GuidingLight | 09/22/08
  • Convenience vs. Security  btidwell | 09/22/08
  • Palin should not have used Yahoo for official business  monkeyman1140@... | 09/22/08
  • Umm, you must be a democrat  murph_z (ZDNet Moderator) | 09/22/08
  • Democrats should speak for themselves  Mark Miller | 09/23/08
  • Security Questions are perfectly fine  monkeyman1140@... | 09/22/08
  • Biased?  Roque Mocan | 09/22/08
  • Of Course!  brble | 09/22/08
  • Experience is not bias  murph_z (ZDNet Moderator) | 09/22/08
  • Funny...  Qbt | 09/22/08
  • Naw---  BALTHOR | 09/22/08