Something that is extra alarming is that the hackers were inane 4chan kiddies, beloved of stupid internet memes and hentai before politics.

Imagine what harm could be done if it was done by someone with genuine malicious intent (in retrospect of the ease at which it was done, its probably surprising it wasnt).

I wouldn’t recommend underestimating “inane 4chan kiddies”. I would guess that it’s a pretty diverse population, talent wise. Certainly there are lots of 12-year-olds who are only there for the ‘lulz’ and the pr0n, but the speed at which 4chan memes spread to technically competent communities, such as Slashdot and Ars Technica suggests that at least a subset of those on 4chan know what they’re doing.

That said, it does look like the person who cracked the account wasn’t the brightest political operator. I think if anything, Palin got lucky. If someone hadn’t changed the password and got it locked, a lot more sensitive material could have ended up on Pirate Bay pretty quickly, I would think.

As to the moral dilemma, I don’t think it’s an either/or situation. It was stupid to use an unsecured Yahoo email account for government business, and just as stupid to break into it and brag about it.

Modern cracking tools include dictionaries in multiple languages, including slang, dictionaries of characters, places, events and items from fiction, numerical codes — especially those resembling dates or phone numbers .. it goes on and on.

It can be slow going if all you have access to is the password field, as most systems limit the number of login attempts and space them out. But if the attacker has the password hashes — the actual file stored by the server — then running a dictionary attack is trivial. Hundreds of thousands of passwords per second can be checked.

I’m working on a little dotcom project at the moment which won’t allow users to pick their passwords but instead auto-generates them — there’s money involved — and my biggest fear is that they won’t be random enough.

The thing is, I can’t remember passwords (due to dyslexia) and always hated the monthly requests to change them that used to come through at work – both JAG and at law firms. If anything, the constant requests for new passwords made my accounts easier to hack, rather than harder. Instead of remembering one fantastically difficult password (which I can do if given a couple of months to remember it – although I do have to have it written down), I just entered easier and easier passwords (and would routinely recycle passwords from elsewhere) so that I could remember them. Many of my passwords over the years have been as easy as ‘popcorn’, with ‘security questions’ based on all the standard stuff – partner’s name, where we met etc.

It took ages to get permission for me to be allowed to keep my passwords for a longer period – and I’m sure the only thing that led to that was IT people having constantly to let me into my account when I’d forgotten my password and the security system had locked me out. I do know that ‘not famous’ people who suddenly become famous often have trouble with the enhanced security fame requires – the worst one I’ve ever seen involved Linkin Park frontman Chester Bennington – story is here – not for the faint-hearted, and much worse than Palin’s circumstances.

A separate issue is whether charges could be pressed on the basis of evidence obtained criminally, but that’s one for the resident jurists.

It’s bad she used private email for official business. Government must be open and accountable to those that pay for it and hire the politicians. Anyway you can always slap a Cabinet In Confidence header on top.

It’s also bad that her private email was so easily hacked by hacker pack kiddies. Any serious politician or administrator these days who doesn’t practice proper online hygiene is unfit for power.

In retrospect, the McCain campaign is probably now realising it’s a damn good thing he doesn’t know how to send emails. Late night temper tantrums captured with timestamps? They’re dodging bullets every day with that one.

Imagine what harm could be done if it was done by someone with genuine malicious intent (in retrospect of the ease at which it was done, it’s probably surprising it wasn’t).

In a moral dilemma though, perhaps we can liken the issue to bodyguards. Public figures have every much right as anyone else for bodily integrity (like not being shot), but they seem resigned to understanding that isn’t naturally sacrosanct because of their position. So they employ bodyguards. I guess the same applies to private email….except when the private email is used to hide email that should be semi-public despite the fact that there was apparently nothing to hide.

Damn.