Sarah Palin goes the way of Paris Hilton
Wednesday, it was reported that VP candidate Sarah Palin's Yahoo account was hacked by a perpetrator wishing to find incriminating information in her emails. It was not done using some strange computer security vulnerability. It was not done by guessing her password. It was done just in the same way as Paris Hilton's T-Mobile account was hacked some time ago: by guessing the answers to security questions. For Paris Hilton, it was the name of her dog. For Sarah Palin, it was her zip code, date of birth, and where she met her husband.
How hard is it to learn somebody's zip code? Not that hard. Try the whitepages. Date of birth? Easy for a public figure - try Google. This will take you less than a minute each. Now, we know that Sarah Palin and her husband were high school sweethearts. The answer to this question turned out to be "Wasilla High School". All in all, it took the Sarah Palin hacker less than 45 minutes to break into the account.
Whose fault was this?
Was it the fault of this unknown political hacktivist? In large part, yes. After all, it is a crime to try to break into somebody else's account.
Was it Sarah Palin's fault? Maybe she shares some of the blame. It wasn't too bright to pick these questions. One might hope for a little more caution from somebody who might one day be president. But average people shouldn't be expected to be security specialists to avoid being hacked.
Was it Yahoo's fault? Certainly they also share the blame. Their security questions were not very well chosen. But that doesn't make them unique: A recent Scientific American article describes how a Gmail account was hacked in a similar way.
How can email hacks be prevented?
Should we lie when asked security questions? Not a good idea. You need to remember the answer to the question. After all, you have supposedly already forgotten your password!
Should we write our own security questions? No, most people don't know what would be secure -- as demonstrated by Palin and Hilton, but scores of others,
too.
What is called for is better design of the questions by security professionals -- a subject I've covered in a recent Google Tech talk on Password Reset and this blog post: What is worse than reusing passwords?
pasmith
Kindle news: pricing, business models and ... source code?
mulderjoe
Cell phone gaming: In search of good mobile games
jfruh
The guts of the iPhone 3GS
Enter your caption for this week's cartoon! The winner will receive a $25 Amazon gift card. Go now!
Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!
The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!
No maybe about the hacker
No maybe about the hacker being at fault. Locks are to keep honest people honest. Any lock can be picked, that's why we have laws. He/She/They should pay the price. Are you confused about who's at fault in rape cases, or is it a matter of degree?I'll blame the hacking on
I'll blame the hacking on the hacker, but Palin really shouldn't be using a personal account for government business either...is she going to do the same thing as VP? Not what I would call improving national security.So I guess if I get shot
So I guess if I get shot while walking down the street, it's my fault for being in the way of the bullet. You're a fraud. You are a lefty to the core, why don't you just admit it.