A Moral Dilemma

Posted by Jacques Chester on Thursday, September 18, 2008

So, amongst other things, Sarah Palin’s Yahoo email account was broken into. It turned out that she used her post code as her password, and then, when a jam of people eager to stickybeak caused the account to be locked, she’d used “Where did you meet your spouse?” as her password recovery question.

The person or persons who broke in got cold feet — worried about “party vans”, i.e., the Secret Service — and didn’t do any more than take some screenshots. Even these have become a hot topic of discussion, as they show that Palin seems to have conducted some of her official work via the private email, in what seems to be a violation of Alaskan laws about public records.

My question is: which was worse? That Palin allegedly used a private account to break anti-corruption laws, or that someone logged into it and took some screenshots?

Update: Ars Technica gives a much better summary, including the information that Palin’s password was actually “popcorn”. I hope she knows not to reuse passwords for her official Alaska logins …



This entry was posted on Thursday, September 18th, 2008 at 6:21 PM and filed under IT and Internet, Law, Politics - international.

11 Responses to “A Moral Dilemma”

  1. Richard Green said:

    Something that is extra alarming is that the hackers were inane 4chan kiddies, beloved of stupid internet memes and hentai before politics.

    Imagine what harm could be done if it was done by someone with genuine malicious intent (in retrospect of the ease at which it was done, it’s probably surprising it wasn’t).

    In a moral dilemma though, perhaps we can liken the issue to bodyguards. Public figures have every much right as anyone else for bodily integrity (like not being shot), but they seem resigned to understanding that isn’t naturally sacrosanct because of their position. So they employ bodyguards. I guess the same applies to private email….except when the private email is used to hide email that should be semi-public despite the fact that there was apparently nothing to hide.

    Damn.

  2. gilmae said:

    About equally bad, I would say.

  3. Nabakov said:

    I agree with gilmae but not necessarily for the same reasons.

    It’s bad she used private email for official business. Government must be open and accountable to those that pay for it and hire the politicians. Anyway you can always slap a Cabinet In Confidence header on top.

    It’s also bad that her private email was so easily hacked by hacker pack kiddies. Any serious politician or administrator these days who doesn’t practice proper online hygiene is unfit for power.

    In retrospect, the McCain campaign is probably now realising it’s a damn good thing he doesn’t know how to send emails. Late night temper tantrums captured with timestamps? They’re dodging bullets every day with that one.

  4. gilmae said:

    For high office? Anything less than the use of one time pads for all blog comments should be immediate grounds for disqualification from all employment.

  5. James Farrell said:

    This isn’t too vexing as moral dilemmas go. The relevant dilemma, if any, is not that of determining which action is more dilemma, but rather whether immoral actions are justified if they bring to light immoral actions committed by others. This can only be decided on a case-by-case basis, as with any situation where ends are weighed against means. Am I justified in robbing a chemist to procure a life-saving drug if it’s my only recourse? Probably. Am I justified in killing the security guard in the process? Probably not. What’s clear is that the person making the decision should be prepared to accept the legal consequences of their choice, including punishment for a crime if the authorities choose to press charges.

    A separate issue is whether charges could be pressed on the basis of evidence obtained criminally, but that’s one for the resident jurists.

  6. skepticlawyer said:

    I’m more concerned that her stuff was so easily hacked, not that the hackers have got hold of a couple of pictures of her kids (although no doubt some people will read all sorts of weird stuff into that).

    The thing is, I can’t remember passwords (due to dyslexia) and always hated the monthly requests to change them that used to come through at work - both JAG and at law firms. If anything, the constant requests for new passwords made my accounts easier to hack, rather than harder. Instead of remembering one fantastically difficult password (which I can do if given a couple of months to remember it - although I do have to have it written down), I just entered easier and easier passwords (and would routinely recycle passwords from elsewhere) so that I could remember them. Many of my passwords over the years have been as easy as ‘popcorn’, with ‘security questions’ based on all the standard stuff - partner’s name, where we met etc.

    It took ages to get permission for me to be allowed to keep my passwords for a longer period - and I’m sure the only thing that led to that was IT people having constantly to let me into my account when I’d forgotten my password and the security system had locked me out. I do know that ‘not famous’ people who suddenly become famous often have trouble with the enhanced security fame requires - the worst one I’ve ever seen involved Linkin Park frontman Chester Bennington - story is here - not for the faint-hearted, and much worse than Palin’s circumstances.

  7. skepticlawyer » Passwords. I hates them said:

    [...] at Club Troppo, Jacques (our redoubtable admin) informs us that a bunch of not very nice internet types have [...]

  8. Jacques Chester said:

    If you use a word that can be found in a dictionary, or a simple variation of it, you are vulnerable to the ‘dictionary attack’. An attacker throws words at the password field until one works.

    Modern cracking tools include dictionaries in multiple languages, including slang, dictionaries of characters, places, events and items from fiction, numerical codes — especially those resembling dates or phone numbers .. it goes on and on.

    It can be slow going if all you have access to is the password field, as most systems limit the number of login attempts and space them out. But if the attacker has the password hashes — the actual file stored by the server — then running a dictionary attack is trivial. Hundreds of thousands of passwords per second can be checked.

    I’m working on a little dotcom project at the moment which won’t allow users to pick their passwords but instead auto-generates them — there’s money involved — and my biggest fear is that they won’t be random enough.
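
An added example, not part of the original thread and not the commenter's project code: it generates passwords from the operating system's CSPRNG, measures how large the resulting search space is against the offline guessing rate mentioned in the comment above, and flags candidates that are dictionary words or simple variations. The alphabet, length, guess rate and sample wordlist are all assumptions made for illustration.

```python
import math
import secrets
import string

# Assumption: a 62-symbol alphabet and 16 characters; the thread states neither.
ALPHABET = string.ascii_letters + string.digits
DEFAULT_LENGTH = 16

# Assumption: one value inside "hundreds of thousands of passwords per second".
GUESSES_PER_SECOND = 500_000

# Constructed sample wordlist standing in for a real cracking dictionary.
SAMPLE_DICTIONARY = {"popcorn", "password", "dragon", "alaska"}


def generate_password(length=DEFAULT_LENGTH):
    """Draw every character from the OS CSPRNG via `secrets`.

    The `random` module (Mersenne Twister) is deterministic and its state
    can be recovered from observed outputs, so it is unsuitable here.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length=DEFAULT_LENGTH, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(candidates, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guessing rate."""
    return candidates / rate


def is_dictionary_based(password, dictionary=SAMPLE_DICTIONARY):
    """Flag dictionary words and simple variations of them:
    case changes and trailing digits or punctuation."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in dictionary


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits():.1f} bits")
    print("million-word dictionary:", seconds_to_exhaust(1_000_000), "s")
    print("random 16 chars:", seconds_to_exhaust(62 ** 16) / 3.156e7, "years")
    print("Popcorn2008! flagged:", is_dictionary_based("Popcorn2008!"))
```
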

  9. gilmae said:

    Write them down and keep them in your wallet/purse/moneybelt, SL. It’s been pointed out before by noted security experts that as a race we have become pretty adept recently at protecting little scraps of paper in our wallets.

  10. dr faustus said:

    Something that is extra alarming is that the hackers were inane 4chan kiddies, beloved of stupid internet memes and hentai before politics.

    Imagine what harm could be done if it was done by someone with genuine malicious intent (in retrospect of the ease at which it was done, it’s probably surprising it wasn’t).

    I wouldn’t recommend underestimating “inane 4chan kiddies”. I would guess that it’s a pretty diverse population, talent wise. Certainly there are lots of 12-year-olds who are only there for the ‘lulz’ and the pr0n, but the speed at which 4chan memes spread to technically competent communities, such as Slashdot and Ars Technica suggests that at least a subset of those on 4chan know what they’re doing.

    That said, it does look like the person who cracked the account wasn’t the brightest political operator. I think if anything, Palin got lucky. If someone hadn’t changed the password and got it locked, a lot more sensitive material could have ended up on Pirate Bay pretty quickly, I would think.

    As to the moral dilemma, I don’t think it’s an either/or situation. It was stupid to use an unsecured Yahoo email account for government business, and just as stupid to break into it and brag about it.

  11. gilmae said:

    Oh. You do :- )
