The OC Blog Back Issues Our Mission Contact Us Masthead
Sudsy Wants You to Join the Oregon Commentator

Some Thoughts on the Palin E-Mail Debacle [update 09/19]

No doubt that by now everyone has heard that Republican VP nominee Sarah Palin’s Yahoo e-mail account(s) were cracked and the contents thereof distributed on the Internet. The whole imbroglio has got both Team Red and Team Blue riled up, and I’ve got a few thoughts on the affair.

1) A lot of people seem to be saying “Wow, she’s so stupid that even a teenager could outsmart her.” I don’t think this is a fair criticism. As I understand it, Yahoo has a number of security questions that you have to answer in order to reset the password on the account, which is what the intruder did. Oftentimes, these questions are on the order of “what zip code were you born in” or “what was your maternal grandmother’s maiden name?”

If you’re trying to crack some nobody’s account, this information might be kind of hard to dig up. For a public figure, especially one like Palin, whose life has been gone through with a fine-toothed comb and published in recent weeks, this kind of info is much easier to locate. This was, in fact, the method used by the persion who cracked Palin’s e-mail account, by his own admission.

The problem, in this case, was not Palin’s “stupidity”, but rather a fundamental flaw in the security system that Yahoo uses to protect against illegitimate password change requests.

2) A lot has been said about whether or not it was appropriate for Palin to even be using a Yahoo account. Many are arguing (mostly in the comments sections of blogs) that the fact that she might’ve been using the Yahoo account for official business justifies the intrusion. This is obviously a specious argument.

While I’m not an authority on the applicable laws, it doesn’t seem that there was really much of anything of substance to be found on the e-mail accounts. Much has been made of the fact that, since the attack, the e-mail addresses have been deleted. It’s been suggested that this is because Palin is trying to “destroy evidence” or some such thing.

Nonsense. Locking or deleting an account after a known intrusion (rather than simply changing a the password) is standard procedure just about anywhere, including here at the University of Oregon.

By the cracker’s own admission, he found nothing incriminating. Of course, he’s not a legal authority either, so maybe there’s a case to be made. I don’t know. What I do know, however, is that what he did is illegal and the fact that some people think there might have been inappropriate use of the Yahoo accounts absolutely does not excuse his actions.

There was a lot of uproar on the part of both conservatives and liberals about Bush’s wiretapping schemes and how they infringed upon civil liberties and the right to privacy. Anyone who was upset about the wiretapping but finds no problems with this invasion (and visa-versa) is engaging in very, very selective outrage, as far as I can see.

3) This appears to have been a politically motivated attack, though let me state up front that I think that any suggestion that the Obama campaign — or any prominent Democrat — condoned this, or even knew about it until the story broke, is absolutely absurd.

Nevertheless, the intruder stated outright that he broke in with the intention of finding incriminating e-mails — and, in fact, totally expected to find them — that he could post online and derail the McCain campaign. There’s also this preliminary report that the culprit may have been the son of a Democratic Tennessee Representative.

A few days ago I posted a quote from Nick Cohen, who wrote:

In an age when politics is choreographed, voters watch out for the moments when the public-relations facade breaks down and venom pours through the cracks. Their judgment is rarely favourable when it does. Barack Obama knows it. All last week, he was warning American liberals to stay away from the Palin family. He understands better than his supporters that it is not a politician’s enemies who lose elections, but his friends.

I think that’s especially apropos in this case. Whether or not the attack was committed by the legislator’s son, it is, as I said, a pretty clearly partisan attack, and could very well have some negative consequences for Obama, even though he had nothing to do with it.

[update 09/19/08]

The BBC has a round-up of what’s known so far:

First, it looks like Yahoo has basically admitted that its password-reset system was the weak link here:

It is thought the attackers exploited the password resetting system of Yahoo’s e-mail service.

Details about Mrs Palin’s life pulled from public sources reportedly helped defeat security questions.

Information from Wikipedia and other online databases helped to establish Mrs Palin’s date of birth, zip code and other personal information.

Armed with this, the attackers convinced the Yahoo password re-setting system they warranted access and allowed them to re-set the password and then get at the account.


In an official statement Yahoo said: “Yahoo treats issues of security and privacy very seriously.”

It added: “To protect the privacy of our users, we are not able to comment on the details of a specific user account.”

“Generally, if Yahoo! receives reports that an account has been compromised, we investigate for suspicious activity and take appropriate action,” the company said.

It also looks like the FBI has identified how the intruder masked their IP address:

The hackers used the CTunnel proxy service which routes web browsing through an intermediary to obscure where the attackers were based.

However, the screenshots for the attack reveal the original web address used by the proxy which may help investigators track down the miscreants.

No information, however, on whether or not David Kernell is considered a suspect. I reckon if the FBI gets a hold of CTunnel’s logs that they’ll know soon enough.


Geez, it looks like Barack Obama’s email has been hacked too. Screenshot here. Looks like Dick Cheney is pissed.

(Hat tip: Instapundit)