
Anonymous hacks one of Gov. Sarah Palin's Yahoo email accounts - vaksel
http://s405.photobucket.com/albums/pp134/anoncrack/
======
comatose_kid
I'm no fan of Palin, but I think it's pretty low of Gawker to gain page views
by posting the contents of her personal emails, as well as the personal
photos. Apparently privacy rights don't matter anymore.

~~~
hugh
Agreed.

There's not even an attempt at a "Well usually we wouldn't publish someone's
personal email but in this particular case we think it's justified because
[insert justification here]"

I guess I may be expecting too much of a site called "gawker" though. Still,
here's hoping that someone (not me!) hacks Barack Obama's personal email soon
so we can check whether they treat it the same way.

~~~
ckinnan
McCain-Palin 2008 Campaign Manager Rick Davis: 'This is a shocking invasion of
the Governor's privacy and a violation of law. The matter has been turned over
to the appropriate authorities and we hope that anyone in possession of these
emails will destroy them. We will have no further comment.'

------
ckinnan
Gov. Palin is under the protection of the Secret Service, and it is a crime
committed in the context of disrupting a U.S. election, so the full
investigative power of the federal government will be brought to bear. Plus I
suspect Yahoo will be very cooperative.

~~~
jhancock
Yes, the long arm of the law will have its day on this one. However, it is
important to remember that most/all revolutionary behavior involves breaking
the law. I'm not saying this was an appropriate thing to do. But obviously,
whoever did this thought it worth the almost certain chance they would go to
jail for what they did.

So, who's the better American? The ones who violate the law and try to effect
change or the peanut gallery that kick back and do nothing? Sure, you can say,
"I vote". That is something. It's just that others obviously feel more action
(even illegal actions) is required to effect change.

Note: I am a member of the peanut gallery. I just bitch and vote. But it is
key hacker news that we are at a point in our history where others are
deciding to take alternative action.

~~~
hugh
Oh yeah, hoo-fricking-ray for that brave 4chan script kiddie, heroically
giving up his own freedom so that the rest of us could see more of Sarah
Palin's family photos.

More likely this particular asshole is just an idiot who didn't think through
the consequences of his actions. He just thought it'd be funny.

~~~
jhancock
Just as likely. I wasn't implying this was a heroic action. Perhaps my
original post was misleading in that regard. I don't know anything about the
person that did it or why. History gets to decide the import of people's
actions.

I think that increases in behaviors where people work outside social norms
(this includes people that strap bombs to their bodies) are indicators of
stress in the social fabric. Labeling actions as stupid, or terrorist, and
such are useful but miss the bigger picture sometimes.

------
DanielBMarkham
I got a lot of mixed feelings about this one.

First -- it's a crime, plain and simple. Somebody should go to jail. Sites
trafficking in stolen goods should be charged.

Second -- glad it happened in September. Can you imagine something like this
happening, only in the last week of the election? Heck, you could put any kind
of flamebait stuff you wanted in the screen shots. It doesn't even have to be
real. It could easily throw the election and you're left with a mess and
nobody to blame for it.

Third -- How was the system breached?

This is definitely hacker news. As an example, I had an idea last year for a
site/app to keep track of breaking election-year news. As the emotional juices
roil in the 40% of die-hards on each side, there's this incredible thirst for
up-to-the-date, cutting-edge news and insights. It doesn't get much more
up-to-date and insightful than reading the candidate's email. (Note earlier
comment about legality, though)

Where there's a great thirst, somebody is going to be selling trips to the
water fountain. Not only is there lots of money in this right now, elections
are predictable, repeatable events and piggybacking on people's emotional
investment in them is only going to get more and more profitable.

~~~
froo
_Third -- How was the system breached?_

Dunno, I just went and quickly braved 4chan (I know... I feel so dirty) to see
if anyone was linking anything. They had some rapidshare links up (a 1.4 mb
and 1.1mb one).

Am grabbing now just to see what they are... I'm curious if there is any more
info on this.

~~~
mynameishere
It was a straightforward dictionary hack--her password was "popcorn".

~~~
tsetse-fly
No, it wasn't. "popcorn" is the password after the reset that was posted on
/b/. If you look at the screenshots, you'll see that her password was reset
using the "Forgot Your ID or Password?" feature.

To reset a Yahoo! Mail password, you need the person's birthdate, zip code,
and answer to their "secret question". That information is easily accessible
for public figures like Palin. Try it sometime with your friend's
email/screenname and Facebook; it's quite easy.

~~~
jnovek
If that's true, I think it's very interesting. I wonder if the security
community will step up and take advantage of this opportunity to discuss the
inherent security issues with the "secret question" method of account
recovery.

~~~
khafra
Bruce Schneier's one of the more prominent security writers around, and he
covered that one over three years ago:
<http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html>

Where I work, all webmail is blocked, so the IA department is grateful to
Palin for the object lesson supporting the policy.
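
The recovery weakness discussed in this sub-thread, as an added example that is not part of any commenter's post: a reset gated on profile facts succeeds for anyone holding a public biography, while a reset gated on a random, expiring, single-use token sent to a pre-registered channel does not. The account data, `kba_reset_allowed` and `TokenRecovery` are constructed for illustration and are not Yahoo's code.

```python
import hashlib
import hmac
import secrets

# Constructed sample account: every recovery answer is a fact a public bio would list.
ACCOUNT = {"birthdate": "1970-01-01", "zip": "00000", "secret_answer": "example high"}
PUBLIC_BIO = dict(ACCOUNT)  # what anyone can look up about a public figure

def kba_reset_allowed(claimed: dict) -> bool:
    """Weak flow from the thread: knowing three profile facts authorises a reset."""
    return all(hmac.compare_digest(claimed.get(k, ""), v) for k, v in ACCOUNT.items())

class TokenRecovery:
    """Hardened flow (assumed design): reset needs a random, expiring, single-use
    token delivered only to a channel registered in advance (delivery not modelled)."""
    TTL_SECONDS = 600
    MAX_ATTEMPTS = 5

    def __init__(self):
        self._pending = {}  # account id -> [token hash, expiry, failed attempts]

    def issue(self, account_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()  # store only the hash
        self._pending[account_id] = [digest, now + self.TTL_SECONDS, 0]
        return token  # sent out of band, never shown on the reset page

    def redeem(self, account_id: str, token: str, now: float) -> bool:
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        digest, expiry, failures = entry
        if now > expiry or failures >= self.MAX_ATTEMPTS:
            del self._pending[account_id]  # expired or locked out: force re-issue
            return False
        if hmac.compare_digest(hashlib.sha256(token.encode()).digest(), digest):
            del self._pending[account_id]  # single use
            return True
        entry[2] += 1  # count the failed guess toward the lockout
        return False
```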

------
kennyroo
At least she has e-mail. John McCain's messages are delivered by horse.

------
rgrieselhuber
The thing that struck me in this is that being a Republican politician
generally means you're going to have more people who know how to do this stuff
against you than for you.

I'm not saying this is ok or making a political statement - just an
observation.

------
josefresco
Completely off topic but...

Hah, notice in one of the screenies the 'hacker' is playing
Counter-Strike:Source, which ties in nicely with today's other big story
(Google/Valve)

------
vaksel
That's why you need better security settings if you are in public office,
considering all the secret questions one might ask about you to retrieve your
password can be found on your wiki page

~~~
steelhive
Yeah. You think she'd have more security experience being so near Russia. :-)

~~~
vaksel
Well, by that logic she is a security expert because she filled out a "Lost
Password" questionnaire that Yahoo does.

------
mynameishere
(non-)Anonymous is setting himself up for the federal pen.

------
vaksel
Here is someone's blog post with a few more pictures, and her contacts list.

<http://gawker.com/5051193/sarah-palins-personal-email-account-hacked>

------
rokhayakebe
Here are the links

<http://blogs.artvoice.com/techvoice/wp-content/uploads/2008/09/capture_17092008_010952.jpg>

<http://blogs.artvoice.com/techvoice/wp-content/uploads/2008/09/011.jpg>

<http://blogs.artvoice.com/techvoice/wp-content/uploads/2008/09/04.jpg>

<http://blogs.artvoice.com/techvoice/wp-content/uploads/2008/09/03.jpg>

<http://blogs.artvoice.com/techvoice/wp-content/uploads/2008/09/02.jpg>

------
tptacek
Michael Scherer at Time just wrote that his sources confirmed that this isn't
a hoax. _Epic fuckup._

------
iamelgringo
As an aside, I'm coming to this story 18 hours late, but every single link
posted on this page is down. Wikileaks is even down. All of it.

I feel bad for the script kiddies that did this. They are going to get
Mitnicked on this one: <http://en.wikipedia.org/wiki/Kevin_Mitnick>

General law enforcement in the US is crap when it comes to computer crime, but
if you get the boys at the NSA, the FBI or at Secret Service interested,
you're going to be spending a lot of quality time exercising in a little room
with metal bars for a wall. And, if you have any sort of "ideological" basis
for your acts, I wouldn't be surprised to hear the word "terrorism" creep into
the DA's vocabulary at some point during your legal proceedings.

~~~
DanielBMarkham
Funny, I really don't feel bad for people who break into other people's
accounts and steal their information.

Whom I feel bad for is all the regular folks that had the same thing happen
and are not running for office.

~~~
iamelgringo
I'm sorry for the confusion. I'm not endorsing that people break into other
people's accounts. What I am saying, is that I don't really think that the
script kiddies that (I'm assuming) did this truly realize the extent of the
deep guano that they've just gotten themselves into.

I won't feel bad that these people get punished for their crimes. I will feel
bad if these people have charges of "terrorism" brought against them, which I
suspect might happen.

------
kul
Why isn't this bigger news?

~~~
Goronmon
I'm curious...why should it be bigger news?

~~~
tptacek
Because it's alleged that she funneled government email through private email
accounts deliberately to avoid transparency laws --- in other words, to
prevent citizens from learning about her on-the-job correspondence --- only to
have the raw contents of those mail spools dumped to the entire Internet.

It touches on a political controversy (running the State of Alaska through
Yahoo may be illegal) and involves a separate crime committed for publicity and
political purposes. It implicates the security of hosted email providers in
general, and begs the question of how confidential government emails could
have been so insecure in the first place.

I'm betraying opinions that I'd like to keep close, because this hasn't been
authenticated. If it is, I'd say it's huge news. _What a fuckup._

~~~
webwright
Looking at the screenshots, there is no evidence of government business there.
She's bitching a bit about Dan Fagan (a repub. commentator in AK) in the one
email, but everything looks pretty personal.

I have a work and personal account... 99% of the time I manage to keep my
personal account personal-- occasionally I don't. I'd be stunned if there
weren't occasional transgressions on this front in any governor's office. I'd
expect that security tightens up a bit in the Executive branch.

(disclaimers: I lived in Alaska until 2 years ago and know how utterly wrong
the national media is about what goes on up there. I am not a republican, but
don't really consider myself a democrat, either.)

~~~
tptacek
I'm not going to repost stuff from Wikileaks here, but it looks like you're
not correct: there's a transcript of the screenshots that includes things
like, "CONFIDENTIAL ETHICS INVESTIGATION" and "REQUEST FOR DOCUMENTS".

In addition to being a fuckup of spectacular proportions, it also corroborates
an earlier news report of leaked emails that included specific instructions
_not_ to send sensitive government mails to Palin's work account.

Of course, none of this has been authenticated. It looks credible, but there's
plenty of incentive to make something look credible in this political and news
climate.

The interesting story here is the trend story. It applies to companies as well
as government officials. People will attempt to use personal email accounts to
avoid subpoenas. But nobody knows enough to keep those accounts secure, and
the growing insecurity of the web guarantees most hosted mail accounts will
eventually get popped. Meanwhile, it's hard for executives and officials to
find "secure" mail providers without tacitly confirming that they're
conducting business in secret. It's an interesting problem.

 _[Late edit: Time: it's probably real.]_

~~~
webwright
Ah, I'd just looked at the screenshots, not the text "log". Interesting that
they'd screenshot all of the subjects that are totally personal/innocuous but
the text log has all of the potentially damning subjects... Hrm. Why wouldn't
you just scroll down and take a few screenies to prove the evil?

I've worked on the technology side of a few candidates and politicians-- they
are almost without fail moronic about technology. I can imagine accidental
sends to Palin's personal account. For all we know, the content of those
emails is "You dumbass. How many times do I have to tell you that stuff like
this should go to my work account?!", right?

I agree that the trend is interesting, tho.

~~~
tptacek
(a) Because the people who pulled off the attack are stupid.

(b) Because the people who pulled off the attack somehow lost access after
getting the account but before archiving all the mail, and so made up the good
stuff.

(c) Because the people who pulled off the attack are very smart, and are going
to slow-drip this out to the media over the next month.

I know where my bet's at now.

~~~
hugh
If the people who pulled off this attack are very smart, then they'll be
shutting up about it.

The US Secret Service has a lot of resources and a pretty limited mission
statement. It's not a good idea to attract their attention.

~~~
tptacek
Give me a break. There are very few organizations less well equipped to
respond to computer attacks than US law enforcement. It takes _years_ to
convict on computer crime cases, and almost every one of them is front page
news in the trade press. You know how many we've had in the past decade?

Trivia question: which law enforcement agency was primarily responsible for
responding to computer incidents throughout the 80s and 90s?

~~~
tptacek
(Of course, it's always possible that the person who did this was stunningly
dumb about it.)

------
ryanspahn
So is there anything truly damning here or is it just a publicity stunt?

------
ComputerGuru
Photobucket's pulled the images. Anyone have a cache somewhere?

~~~
sd
<http://www.wikileaks.org/wiki/Sarah_Palin_Yahoo_inbox_2008>

~~~
thomasmallen
Doesn't work...

~~~
ComputerGuru
It does here....

<http://downforeveryoneorjustme.com/wikileaks.org>

------
petercooper
Anonymous anonymous, or Anti-Scientology Anonymous?

------
mlLK
How is this not plastered all over NPR?

------
cortfr
The url in the pictures is cfunnel.com.

~~~
mileszs
ctunnel.com is a proxy. Not that it couldn't be a hoax, but that is not
evidence of it being a hoax. Simple attempt to protect his/her identity.

~~~
vaksel
Smart person, considering Palin is known for being very vindictive.

"Hello anonymous? Good news! The IRS is going to audit you for the past 20
years"

------
time_management
This is indeed an _epic fail_... for, as it were, the Democrats.

Unfortunately, this only has the potential to help the Republicans. Let's
assume the 98th-percentile scenario, from a Democratic perspective: a few
mildly inappropriate emails are discovered via the hack. To us, meaning those
who post on Hacker News, transparency and propriety matter a great deal,
because we care about such "academic" issues. However, the average American
(who spends 3 hours per workday surfing the internet, despite having signed an
agreement that work computers were "for official use only") isn't going to be
shocked or disgusted that a governor has sent a few emails in violation of
propriety; it can easily be spun as a "one of us" crime, and the hackage will
do nothing less than engender sympathy for Mrs. Palin.

~~~
hugh
_Let's assume the 98th-percentile scenario, from a Democratic perspective: a
few mildly inappropriate emails are discovered via the hack._

I'm expecting a bunch of things to be "discovered" in the next few days. Most
will be fakes -- some obvious, some ambiguous. There might be some real ones
mixed in there somewhere, but how are we going to know one way or the other?

In the end, everyone will believe what they want to believe.

