Anonymous Rides a Palin Horse
Those Hackers on Steroids, Anonymous, have released screen captures of messages from Republican VP Candidate Sarah Palin's off-the-books e-mail account. Oops.
Other groups have already covered what it means for the candidate, so I'm going to focus on the details of what this event means in the larger Internet arena.
The Background
Earlier Wednesday, members of Anonymous posted on 4chan about their successful attack on Sarah Palin's gov.palin@yahoo.com account, along with images from the account to prove authenticity. Within hours, a white hat within the ranks reset the password on the account and notified a Palin associate of the attack. Soon after, the account was deleted. A McCain Palin spokesperson condemned the attack as a "shocking invasion of the Governor's privacy."
Evidence Still Up At Gawker
While all evidence of the attack was scrubbed from 4chan's boards, Gawker has taken the baton and published the screen caps at its site: http://gawker.com/5051193/sarah-palins-personal-emails. Gawker promises to keep the images up, despite calls from the McCain Palin camp to destroy all copies of the images.
What It Means To Anonymous: It's All About Morality
If it isn't painfully obvious by now, Anonymous are the proto-Jokers of the Internet. They don't obey laws. They disregard conventional ethics. They have no jurisdiction. They have no limits. They are driven by one central idea: non-contradictory morality.
If Anonymous sees you as a moral hypocrite, they'll come after you. If you want to hide it, Anonymous wants to show it. If you want to destroy it, Anonymous wants to preserve it. If you want to worship it, Anonymous wants to mock it. If you want to control it, Anonymous wants to set it free. Anonymous only respects those whose morality is in harmony.
They also do it for the lulz. There's nothing wrong with having a good laugh at someone caught with their pants down.
It's unclear whether these particular members of Anonymous performed this attack because they question Palin's integrity or because they recognized one helluva good drama-creating prank. Either way, they've furthered the reputation of Anonymous, the cause of Anonymous, and the legal scrutiny on Anonymous. Which brings me to my next point:
What It Means To The Law: It's Not On Anonymous' Side. Or Palin's
Clearly, unauthorized access of a person's e-mail account is a violation of the Computer Fraud and Abuse Act.
There's just one little problem: Anonymous members are very good at not giving up their identities. Whether they use basic anonymizing tools like a web proxy or Tor, or free wi-fi at a cafe, if federal investigators cannot pin down access to a verifiable IP address, there's no way to track down the perpetrators.
Here's what investigators are up against:
1. Get a warrant to obtain access records from Yahoo, the maintainers of Palin's e-mail account, if Yahoo has kept those records now that the account is deleted.
2. Start working backwards: from the Yahoo records, see which IP addresses accessed the account and opened specific messages.
3. Assuming Anonymous covered its tracks with a web proxy, investigators will then have to get a warrant to access records of the proxy, just like they did for Yahoo. Repeat step 2.
4. Tools like Tor help people stay anonymous by routing their traffic through international intermediary destinations like Germany and Venezuela. If Anonymous used Tor, investigators will have to work with international law enforcement agencies to get permission to access ISP records. This can be done in a few days to a few weeks in Germany. Venezuela will probably tell us to go f&*! ourselves.
5. Assuming investigators get international cooperation, they will most likely be trying to get ISP records for some kid's home computer. Those records may or may not be available, depending on how often they're purged. Time is of the essence in this situation.
6. If investigators can get those international records, they'll continue working the IP address trail backwards to discover either a live American IP address, or more likely yet another international address. (Tor can route you through multiple international points if you like.)
7. Repeat the hunt for international IP addresses ad nauseam until they finally get back to an American IP address. That address might point to someone's home, or it will probably point to a free wi-fi location, in which case the investigation is dead. For example, Seattle Metro offers free wi-fi on many of its buses. Talk about the ultimate mobile command center for launching attacks!
What It Means To Politics: You're All On Notice
It means not even politics is safe from the drive for transparency from the Internet's hacking underground.
While this incident is clearly illegal and unethical, it does produce one pretty flower: with people like Anonymous around, it's going to be harder for politicians to hide their dirty secrets from the public.
If Anonymous can make Scientology think twice and send the Palin camp scrambling, it can certainly serve as a vigilante force for truth in many other areas. That raises one final question: if Anonymous takes the vigilante role further, how long can they be trusted with the power that comes with such a role?
What It Means To You: The Only Good Defense Is To Not Be Stupid, Stupid.
I've harped on this point about a billion times now, and I'm going to do it again: these things happen because people are stupid, either through technological ignorance or personal irresponsibility. In the case of Palin, I think it's a little of both.
If you value your privacy, keep it private. If you're worried about impropriety, run it past your advisors.
If you're going to deceive the public, don't put your fly-by-night prowess in the hands of fucking Yahoo.
While I don't have firsthand knowledge, I have been advised over and over that the majority of services out there are easily hacked. Yahoo Mail/Yahoo accounts, Hotmail, MySpace, LiveJournal, T-Mobile, and anything powered by Microsoft are all extremely vulnerable to an experienced hacker, and in some cases to novice hackers who have access to hacking tools or are good at social hacking/manipulation. It's easy to trick people into handing out security information, or to look it up yourself, especially if it's a date of birth or a social security number. There are good solutions to protect yourself here, but that's a topic in itself that I'll get to in some other article.
Until then, follow the first rule of the Internet: if you wouldn't want the public to find out about it, don't put it on the Internet.

