I know that I promised not to talk about politics on this blog. You get some of that in the form of politically charged funnies at /dev/random and short bursts of venom on Twitter. I don’t really want to become too verbose about my frustrations with certain presidential candidates here. So this won’t be about politics; this will be about security, or the lack thereof. I will try to restrain myself from political comments and only comment on human stupidity, which is a quality that is equally distributed amongst Democrats and Republicans.
I initially wasn’t going to comment on this, but people keep asking me for my opinion and I figured I should put together something more eloquent than “Palin got pwnd by /b/. She should totally invest in a dog.” And preferably something that is not as politically charged.
Let’s start from the top. Once upon a time, Gov. Palin had a Yahoo email account. Note that I’m using the past tense here. She no longer has it, because a /b/tard heard about it and took it over in 5 minutes. How was this feat of extremely 1337 hacking on steroids performed? From the horse’s mouth:
rubico 09/17/08(Wed)12:57:22 No.85782652
Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.
In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.
after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you’ll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.
I found out later through more research that they met in high school, so I did variations of that, high, high school, eventually hit on “Wasilla high”. I promptly changed the password to popcorn and took a cold shower…
As you can see, there was no hacking done here. In fact, the act of taking over Palin’s email required no computer knowledge and no skill. Hell, it didn’t even require intelligence. All it required was the ability to type the word “palin” into the Google search box. Anyone in the world could have done this. It just happens that it was done by /b/ for the lulz, but it could just as easily have been perpetrated by someone with a much more malicious agenda who wanted to monitor, intercept or forge Gov. Palin’s work-related messages.
The obvious point of failure here is of course the password recovery system. Almost all online services have one, because remembering strong passwords is difficult and using weak passwords is dangerous. It is an age-old problem, and the usual solution is to force people to use strong passwords and give them a recovery process built on easy-to-remember questions in case they forget. Most services won’t actually let you reset the password on the spot; instead they send a temporary password or a confirmation message to the email address you used to sign up for the service. So if someone tries to recover your Facebook password, for example, and correctly guesses the name of your first dog and your zip code, they still won’t get access to the account. Instead you will get an email notifying you about the recovery attempt. Not the most secure solution, but it works.
In the case of Yahoo Mail this is apparently not how it works, which sort of makes sense: requiring someone to supply an email address in order to sign up for an email account is a bit silly. As a result Yahoo apparently relies solely on the very insecure personal questions to verify your identity. These questions may work well enough for a private person. After all, how many people in the world know the zip code of your mom’s house, the name of your high school crush and the name of the pet goldfish you flushed down the toilet when you were 11? Even if you blab about yourself constantly, only a limited number of people could know these things, and those are people who know you personally, whom you can track down and slap around if you find out they have tried to read your email. This changes when you become a public person with your own detailed Wikipedia entry that gets vandalized 5 times a day. The flaw inherent in the password recovery system becomes a gaping security hole.
The lessons here are twofold:
- Using a free email account when you are a public figure puts you at risk, even if it is purely for personal use. You really want to invest in something more robust. It’s fine to keep your public email and your private email separate, but you should look for a more professional solution. Perhaps something where you confirm your identity by giving out the credit card number associated with your account and its security code. After all, that’s something a random /b/tard won’t be able to find on Wikipedia.
- We need to carefully re-examine the way we use password recovery mechanisms. It’s obvious that Yahoo’s solution is very vulnerable to a common-sense, logic-based attack. This is unacceptable, and needs to be fixed for Yahoo and all the other services which use a similar recovery method.
The problem with password recovery is a serious one, because there is really no easy way to make it more secure. Let’s remember that the only reason people use this feature is that they can’t remember their 6-8 character password. If you make the recovery questions too obscure or complex, people will forget the answers as well. This is why most free online services insist that you sign up with a valid email address where they can send a password recovery confirmation. The only way to be sure you are not handing the password to a bad guy is to hand the job of confirming identity over to someone else: your email provider. Of course, if you are trying to be the primary email provider for people who already have ISP-provided email but don’t want (or don’t know how) to use it, you don’t really have that option.
How do we resolve this? First off, don’t do what Yahoo did. When you are a free online service, always defer the job of confirming identity during password recovery to someone else. That way, when an account gets compromised, it is not your fault. The easiest way of course is to require your users to sign up with a valid email account. But that is not the only way: you can also become an OpenID consumer. Everyone and their mom is an OpenID provider these days, but no one ever wants to be a consumer. Yet accepting OpenID logins is a perfect way to defer trust to another entity without asking the user for another email address.
This way security issues cluster around the popular OpenID providers, some of which are paid services (e.g. LiveJournal) that can ask the user to verify their credit card number upon password recovery. Better yet, if you are a public figure you can run your own OpenID provider, solely responsible for authenticating you, and only you, on a bunch of online services. If you forget your password you simply visit or call up “Joe”, the guy who maintains your OpenID server, and ask him to reset it for you. If someone hacks your account, you can personally kick Joe’s ass, and then fire him.
Of course there are many issues with implementing OpenID in a way that actually works. If you trust the wrong OpenID provider, for example, you may find yourself overrun by spammers. Not an ideal solution, but a solution nevertheless. It does seem to work for Stack Overflow, for example.
If you don’t want to defer authentication to someone else, and you want to remain free, do something like Google did for Gmail registration: ask your users for a phone number and send them a text message with a security code when they try to recover a password. It is almost a poor man’s two-factor authentication. There are usability issues with this scheme as well (problems with SMS transport across networks, and other random stuff). I’m not saying everyone should do it; I’m just saying it is a more secure option than asking for the name of a person’s dog. At least in theory.
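To make the contrast concrete, here is an added illustration of both schemes in Python. It is my own example, not Yahoo’s, Google’s or any provider’s actual code. The first class models recovery gated only by security questions, and the attacker function shows why that fails: it simply iterates over the handful of answers that public sources yield (one birthday, two zip codes, a few guesses at where the spouse was met), exactly the search the /b/ post describes. The second class models the email-confirmation and SMS-code approaches above: a random, single-use, time-limited token is delivered over a channel the attacker does not control, and only its hash is stored. The account, its answers and the candidate lists are constructed and fictional; the class and function names are mine.

```python
"""Security-question recovery vs. out-of-band token recovery (added example)."""
import hashlib
import hmac
import itertools
import secrets
import time


class QuestionRecovery:
    """The weak pattern: recovery is gated only by answers to personal questions,
    with no lockout and no out-of-band step."""

    def __init__(self, answers):
        # Normalise like most sites do: ignore case and surrounding whitespace.
        self._answers = {q: a.strip().lower() for q, a in answers.items()}

    def recover(self, guesses):
        if set(guesses) != set(self._answers):
            return False
        return all(hmac.compare_digest(self._answers[q], g.strip().lower())
                   for q, g in guesses.items())


def enumerate_answers(account, candidates):
    """Attacker: try every combination of publicly sourced candidate answers.

    Returns (succeeded, attempts_used). Nothing stops the attacker from trying
    all combinations because the scheme never involves a channel they lack."""
    questions = list(candidates)
    attempts = 0
    for combo in itertools.product(*(candidates[q] for q in questions)):
        attempts += 1
        if account.recover(dict(zip(questions, combo))):
            return True, attempts
    return False, attempts


def _digest(s):
    return hashlib.sha256(s.encode()).hexdigest()


class TokenRecovery:
    """The deferred pattern: a random single-use token is sent somewhere the
    attacker cannot read (registered e-mail address or SMS number)."""

    TTL_SECONDS = 15 * 60     # token validity window (assumed value)
    MAX_FAILURES = 5          # lockout after this many bad tokens (assumed value)

    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver   # callable(token): sends it over the side channel
        self._clock = clock
        self._pending = None      # (sha256 hex of token, expiry); never the token itself
        self._failures = 0

    def start(self):
        token = secrets.token_urlsafe(32)   # 256 random bits: not on Wikipedia
        self._pending = (_digest(token), self._clock() + self.TTL_SECONDS)
        self._deliver(token)

    def finish(self, presented):
        if self._failures >= self.MAX_FAILURES or self._pending is None:
            return False
        stored, expiry = self._pending
        if self._clock() > expiry or not hmac.compare_digest(stored, _digest(presented)):
            self._failures += 1
            return False
        self._pending = None      # single use: a captured token cannot be replayed
        return True


def demo():
    """Run both schemes against a constructed, entirely fictional account."""
    weak = QuestionRecovery({"birthday": "1964-02-11", "zip": "99999",
                             "met spouse": "Springfield High"})
    # What 45 minutes of searching public sources might plausibly yield:
    public = {"birthday": ["1964-02-11"],
              "zip": ["99999", "99998"],
              "met spouse": ["college", "high school", "Springfield High"]}
    weak_broken, weak_tries = enumerate_answers(weak, public)

    inbox = []                       # stands in for the owner's mailbox / phone
    now = [1_000_000.0]              # fake clock so expiry can be tested offline
    strong = TokenRecovery(inbox.append, clock=lambda: now[0])
    strong.start()
    guessed = strong.finish("popcorn")   # attacker never saw the token
    legit = strong.finish(inbox[-1])     # owner reads it from the side channel
    replay = strong.finish(inbox[-1])    # same token again is refused
    strong.start()
    now[0] += 3600                       # an hour later the new token has expired
    expired = strong.finish(inbox[-1])
    return {"weak_broken": weak_broken, "weak_tries": weak_tries,
            "guessed": guessed, "legit": legit, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The weak account falls on the third attempt out of six possible combinations; the token scheme rejects the guess, accepts the delivered token once, and rejects both the replay and the expired token. The lockout counter is what an SMS or email flow should add on top of the randomness, since an attacker who can trigger many resets should not be able to keep probing.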
At the very least, we should revisit the questions and answers the recovery process uses. Obviously things like date of birth, zip code and spouse’s name are very easy for a potential attacker to find out. Perhaps a different kind of question would be in order. Perhaps something along the lines of:
You’re in the desert, you see a tortoise lying on its back, struggling, and you’re not helping. Why is that?
Only don’t use a known quote, because 80% of the people who watched or read Blade Runner will invariably answer this one with “what is a tortoise?” and that’s not exactly what you want. Instead ask a personal question, and assume that a given person’s answer to it doesn’t change. Perhaps something along the lines of:
“You are walking in the park, alone. It is cloudy day but it is not raining. You smell wet leaves. What are you thinking about?”
Again not perfect, but it may trigger some rather personal memories, or a trivial response along the lines of “better get home before the rain”. We would probably have to test this type of question on a group of users and then have them try to recover their passwords 6 months later to see whether they are able to give the same responses. It would also be interesting to see whether emotionally charged questions like this prompt similar answers from many people. I have a hunch that the question above would end up with many responses along the lines of “I think of her/him”, but again, it would take some testing. The assumption is that these questions would be harder to defeat by looking things up, but since we are all emotionally wired in a similar way they may be easy to guess by intuition alone.
Those are my 3 ideas. Feel free to suggest your solutions to the password recovery issue in the comments. Maybe there is a better way to do this.
Is it Gov. Palin’s fault that she got pwnd? Yes and no. Yes, because she should have known better than to use Yahoo. No, because this would not have happened if it weren’t for the inelegant kludge that is the “password recovery question” mechanism employed by Yahoo. She is not the only person who has had their account compromised this way; it’s just that the contents of most people’s Yahoo inboxes are not a matter of national security, and thus we don’t hear about it on the news.
The interesting thing is what will happen to the kid who did this. What’s his name? David, was it? Yes, it was David. Will he get a slap on the wrist, or will he be made an example of? Will he spend some quality time in a federal prison, or will he get off with a fine, some community service and a nasty smear on his daddy’s reputation? Or will he dodge all punishment by a small margin due to insufficient evidence?
What do you think?