Today we are going to discover the difference between a hack and the use of political influence to achieve a court ruling against someone who is just somehow smart and got a bit bored.
Officially, the guy who ‘hacked’ the email account of Sarah Palin in the last elections got sentenced to one year of imprisonment (maybe halfway house). He got access to the private email account of Sarah Palin and then published some information and pictures inter alia on 4Chan.
Why do we not call it a hack? Simply because it was not a hack. The guy just tried to reset the password used for Sarah’s email account by answering the security question with information publicly available on the Internet. This is actually very funny, because you should never answer the security questions with the truth. Security questions are so easy that anyone can find out the answer. Try to transform the answer a bit, like using a specific style of writing the answer – of course for all your security answers, otherwise they would be rendered useless. E.g. “What’s your favourite pet?” could be answered by “Wuff” or “My Dog”. It could also be “M1y1 D1o1g1”. One you developed a pattern for you, it decreases the possibility that someone can use the reminder tool against you. If you ask me, never use security questions – better remember or in the worst case note down on a notepad (real…you know with paper and pencil). Ya, and don’t glue it to your computer then.
When would we have called it a hack? We would have called it a hack, if someone would put some sort of malware on her computer, exploited unpatched bugs or in any other way got control over her computer and trace the password (wifi sniffing etc.). We would have also called it a hack if someone used a bruteforce attack on the online account (which would rather not work). If your password is a plain word withnout numbers and symbols, than it is not even a password, it is just pathetic, so for example the password Sarah used. If someone for example uses his birthday or the birthday of his daughter or husband as password, it is not a hack, it is just a nice guess to figure that out.
Why would have been hacking the correct term and not cracking? Simply because this guy did not really have malicious intent. He posted some of these information online. It did not download everything and then tried to blackmail the family, or sold the information online. He simply but some of the information in some fora, which of course would sooner or later reach Sarah to make her change her password. Even though, what he did was not right, it was barely a crime.
Do not get me wrong. If someone leaves his car open and the key in the car it is still theft. If the key is hidden under the car mat, it is still theft. I don’t know why the cyberspace has so many car analogies.
From my perspective, he should not go to jail but get an award. Why? Because he showed the world that a future American wanna-be politician who does not not what Africa is, is using her very UNSAFE and PRIVATE email account for political business. How can her IT security staff (if she had one) protect her if she is just using her private account? So, the guy actually prevented her from more trouble than she could have gotten into when he would have sold her password or did other things to her account.
The one year sentence is a very sad and deterring joke. The court clearly has no idea of the cyberspace (as so often). The court got influenced by (maybe not only?) the popularity of Sarah. If you ask me, it is a crime, but more like stealing a kids candy than breaking into a house (see, works even without car analogies!). One year for that? Sad. The court’s decision was not more and not less than making an example. It also shows how low the understanding of cyberspace is or maybe it is just my perspective as a cyber libertarian.
In all the countries, I observed it, the laws made do not really work for the Internet. Some of them which are applied on Internet cases are even older than the Internet. Thus, the adaptation of these laws to the Internet-related cases is very poor.
All my blessings for the guy, that he does not have to spend his 23rd year of life in prison but can finish his studies. Who wants to bet whether the security of Sarah’s email account has been improved or not?