Friday, September 19, 2008

57r416h7 H4x0r

A double shot from WIRED's Threat Level on the Palin e-mail hack and some of the group's better hits (or misses). First, why there could be little or no jail time for the crack into her account (and I warn you, it's a little dry and technical, but still interesting):

It might seem obvious to most people that the hacker who gained unauthorized access to the private e-mail account of Republican vice-presidential candidate Sarah Palin violated the Stored Communications Act.

Under that law, a violation is committed by anyone who “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided;” or “(2) intentionally exceeds an authorization to access that facility; and thereby obtains...[an] electronic communication while it is in electronic storage in such system.”

But Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation, says not so fast. Although the law seems clear on such a matter, the Department of Justice has taken a position on the law that could thwart its own prosecution of the hack under the SCA. (Before anyone jumps to conclusions, the hacker could still be prosecuted under the Computer Fraud and Abuse Act. Keep reading to see discussion below about the CFAA.)

Electronic storage is defined in the Stored Communications Act as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof." E-mail that has arrived in a recipient's inbox on his ISP's server and that has not yet been opened would fall into this category. The law also refers to electronic storage as "any storage of such communication by an electronic communication service for purposes of backup protection of such communication." E-mail that has been read, but not deleted would fit this description. In a U.S. 9th Circuit precedent, the court regarded both read and unread e-mail, or received and unreceived e-mail, as being in "electronic storage" under the SCA (See Theofel v. Farey-Jones, 359 F.3d 1066, 1075 -- 9th Cir. 2003).

"[W]hen the recipient accesses an email but does not delete it, it moves from storage incident to transmission to backup storage under the second part of the SCA's 'electronic storage' definition," Opsahl writes in a post on the EFF's blog. But Opsahl says the DOJ has taken a different view of the SCA. He points to the DOJ's Prosecuting Computer Crimes Manual, which says that read e-mail is no longer stored communication. The manual says, "If the recipient chooses to retain a copy of the communication on the service provider's system, the retained copy is no longer in 'electronic storage' because it is no longer in 'temporary, intermediate storage ... incidental to ... electronic transmission,' and neither is it a backup of such a communication."

According to Opsahl, the DOJ's interpretation of the SCA means that any emails that Gov. Palin had already opened (but left on the Yahoo! Mail servers) would not be protected under this email privacy law. This would mean no SCA privacy protection for the majority, if not the entirety, of Gov. Palin's email messages at issue. As the DOJ acknowledges, "[i]f Theofel's broad interpretation of 'electronic storage' were correct, prosecutions under section 2701 would be substantially less difficult..." On the flip side, if the DOJ were right and Theofel were wrong, any hacker responsible for obtaining access to those emails - or any other individual's opened messages - could not be prosecuted under the SCA.

Mark Rasch, a former Justice Department computer crime prosecutor, agrees with Opsahl. "While the DOJ guidelines are not binding on the DOJ, they certainly have persuasive authority," he said. "In this case I think the DOJ would be bound by its own interpretation of the statute and probably could not prosecute [the hacker under that statute] simply because of its own interpretation of the statute."

As mentioned above, the hacker could still be prosecuted under the CFAA, though likely for a misdemeanor, not a felony, since there was no actual loss that resulted from the hack. More specifically, he'd be prosecuted under 18 U.S.C. 1030(a)(2)(C), accessing a protected computer without authorization to obtain information. Rasch says if the hacker were charged with a misdemeanor, he would likely face a sentence of zero to six months, depending on his history, attitude and contrition. If the hacker were to come forward and apologize to Palin and tell the FBI exactly what he did, prosecutors might take this into consideration.

"If the government treats this for what it really is, which was a kid who was curious to see if he could do this . . . then the kid should be in reasonably good shape" and face "little, if any, jail time," Rasch said.

There is also a possibility, though, that the government could charge the hacker with a felony under the CFAA, depending on the whim of the prosecutor and whether he argued that the invasion of Palin's privacy was a tortious act. Rasch likened the situation to the government's charges against Lori Drew in the MySpace suicide case.

"It would be a stretch to charge a felony [in the Palin case], but if they want to be hard on [the hacker], they could do that," Rasch said. "I wouldn't have predicted that they would use that argument in the MySpace case, but they did. So they could certainly do that to [Palin's hacker]."

And now, the lighter side of hacking:

Anonymous isn't so anonymous anymore. At least not after one "member" of Anonymous, the loose confederation of online troublemakers, broke into the personal e-mail account of Republican vice-presidential nominee Sarah Palin and then posted the new password to Anonymous' online message board. From there, others slipped screenshots and family photos to the leak-releasing website Wikileaks, launching a maelstrom of media coverage and widespread speculation as to the e-mail hacker's real name.

For those unfamiliar, Anonymous is a group you can't join, except by hanging out for a long time in the internet's most juvenile corners -- usually one of the image boards where everyone posts anonymously. 4chan's /b/ board -- or random -- seems to be the main hangout, though other chans and IRC channels seem to serve as adjunct clubhouses as well. The hangouts have almost no rules -- though using some variation of the terms fag, nigger and jew seems mandatory in every post.

The self-identified Palin-email burglar who uses the online handle Rubico said he got the idea while hanging out at 4chan -- specifically its random or /b/ board (which BTW is NSFW). After watching others on the board temporarily lock up the e-mail account by trying primitive ways to break in, Rubico decided to call on the power of Google. With a combination of answers found through searches and an educated guess, Rubico was able to reset the account's password.

Though Fox News famously and hilariously called Anonymous "hackers on steroids," in large part they have little skill besides knowing how to use a web proxy to mask their IP addresses. Instead, Anonymous keyboard miscreants combine online Fight Club-like bravado, inside jokes documented only on the world's stupidest wiki, and harassment tactics that sound funny in theory but in practice are streaked with cruelty. The point? Fun at other people's expense. The basic repertoire? Prank phone calls, ordering pizzas to someone's house, flooding a message board with obscene ASCII art. Advanced techniques include finding a way into someone's MySpace account in order to send messages to their friends saying they are gay. What are Anonymous' greatest or worst hits?

The Epilepsy Attack – In March, a group of internet griefers flooded an epilepsy message board with flashing images that caused migraine headaches and seizures in some users. While it's not certain whether it was properly the work of Anonymous, the assault was rumored to have started on a thread at 7chan.org -- another Anonymous hangout -- and much was blamed on eBaumsworld, an online site often derided by Anonymous. The FBI is reportedly investigating what may be the first computer attack that physically harmed people.

The Scientology War – In January, Anonymous decided to take on a real target -- the Church of Scientology -- which its members considered to be an overly litigious cult. Soon, anonymous pranksters were ordering pizzas to Scientology offices, using denial-of-service attacks to scuttle its web servers and posting previously unseen secret Scientology documents. They also briefly pointed denial-of-service attack tools at the wrong IP address -- which happened to be a Dutch school. The publicity drew hordes who wanted to participate, and soon many longtime Anonymous users found themselves annoyed with the new converts who thought Anonymous was a crusading organization.

The Habbo Hotel Raid – Anonymous has staged many minor incursions into other people's online playgrounds, but one of the most storied involved a virtual world known as Habbo -- a frequent target for bored Anonymous lurkers interested in ruining other people's fun. In 2006, hundreds of Anonymous users showed up using identically dressed avatars: a black man with an Afro in a grey suit. They blocked off the pool to other users, claiming it was infected with AIDS. They also formed swastika-like formations and flooded the site with stupid internet sayings. When users were banned, they claimed it was racist.

The Mitchell Henderson Harassment – The suicide of Mitchell Henderson, a seventh grader, stirred Anonymous, who gleefully decided that Henderson shot himself because he had lost his iPod, a fact he'd noted on his MySpace page. Anonymous grabbed onto a badly written message on an online memorial page for him, and turned the phrase "an hero" into an internet meme. For more than a year, Anonymous kept up the fun, calling Henderson's parents, pretending to be his ghost.

The Hal Turner Campaign – In late 2006 and early 2007, Anonymous had much fun with Hal Turner, a small-time white supremacist who ran an online radio show. Anonymous flooded one of his shows with prank calls, which then escalated in mutual internet stupidity. Anonymous eventually flooded his site with too much traffic for his web host to handle. Turner tried suing the image boards -- unsuccessfully -- and finally he closed down his show after a hacker managed to unearth correspondence suggesting Turner was an FBI informant.
