The Palin Email Break-In


It was widely reported yesterday (BBC News, New York Times) that hackers, a group called Anonymous, broke into Governor Sarah Palin’s Yahoo email accounts and copied some material, which they then made public.

It doesn’t seem as though the material taken will in any way compromise or even embarrass the Governor — except in so far as it reveals her injudicious use of a large public email system in connection with government and important personal matters. It’s unlikely that any of us will suddenly find ourselves nominated for vice-president of a country, even a small one, and therefore the object of a hacker’s attention; but we do deal with confidential matters of course and this should be yet another warning to us all to stay away from Hotmail or Gmail etc. when dealing with sensitive material. Or, learn about encryption.

“Anonymous” sent the stolen material to Wikileaks, where you can see it even now.

Comments

  1. Really, it’s not just web-based email like gmail/hotmail that is at risk.

    All email servers, even private, internal firm servers are vulnerable. We are fortunate that we haven’t seen this exploited, but be assured it is only a matter of time before the highly sensitive and valuable data sitting on the email servers of some of our most respected law firms is compromised.

    Unfortunately, it’s probably going to take some serious incident before people recognize how vulnerable their privileged data is and law firms implement encryption policies.

  2. …it is only a matter of time before the highly sensitive and valuable data sitting on the email servers of some of our most respected law firms is compromised.

    Especially if there’s no realistic possibility of prosecution.

  3. There is a helpful discussion here of what we can all learn from this incident, as well as links to the mechanics of what actually happened on the hack.

    Chief lesson is that Wikipedia and online bios may enable a hacker to answer the security validation questions. You can’t Google my mother’s birthname, but I know it’s accessible in any university library. So much for that sort of security.

    Roll on biometrics

  4. The incident does not show that law firms’ (or other serious) email systems are particularly vulnerable. It does show that one should not choose security questions (usable to reset passwords) that are searchable by others (or already known to others that you shouldn’t trust).

    As to the realistic chance of prosecution, I suspect that what the hacker did would have violated the Criminal Code of Canada if done here. The article cited by Omar deals with a technical interpretation of a relevant US statute – and the US Dept of Justice does not like the 9th circuit interpretation because it puts much more email off limits to law enforcement seizure or tapping.

    Yes, it would be ironic, or maybe morally satisfactory, if the interpretation intended to give law enforcers a freer hand in investigating people’s emails prevented them from prosecuting the breach of someone they wanted to protect.

    But lawyers figure out the way through such contradictions all the time…

  5. There’s a new chapter in the Palin break-in.

    Bill O’Reilly, yours and my favorite Fox news host, debated with co-anchor and lawyer, Megyn Kelly, over whether the 1st Amendment would protect media organizations that forwarded the contents of Palin’s email.

    Kelly said,

    They think it’s newsworthy, even though the information was absolutely, illegally obtained.

    Of course O’Reilly responded with his trademark,

    That’s crazy.

    In retaliation, a hacker has claimed to hack O’Reilly’s email. Proof of the hack was provided through Wikileaks.