Friday, September 19, 2008

Me and my buddy Sarah

As has been widely reported, Gov Sarah Palin's Yahoo! email accounts were "hacked", and some of her email has been published on the web. There are a number of interesting aspects to this:

1. Much of the coverage has focused on Yahoo! accounts as being "insecure", with the implication that the State of Alaska accounts are "secure". While there's possibly a difference in how the email is stored (i.e., on state computers - although with outsourcing that's not necessarily the case), I strongly suspect that Yahoo!'s systems are more secure - they have the staff and motivation to ensure that there are no security vulnerabilities in their system. While the State of Alaska might benefit from the obscurity of their mail servers, it's unlikely that they have the level of expertise to protect their systems as well as Yahoo! does.

2. There's the question of propriety of Gov Palin using a Yahoo! account for state business. Doesn't look appropriate to me, but that's just an opinion.

3. Is it legal for Gov Palin to use Yahoo! for official state business? I don't know Alaska law (and I'm not a lawyer anyway), but it's an interesting question - it's really the same issue as President Bush has faced with use by his staff of RNC accounts rather than official whitehouse.gov accounts, thus allowing potentially millions of emails to be lost (which were by law public records).

4. Finally, my sister points out that the method purportedly used by the "hackers" (and I put that in quotes because it doesn't feel like my definition of hacking) to get control of Gov Palin's account was to ask for a password reset, and then guess the answers using well-known information. As I noted in my previous posting on this blog, many of the so-called secret questions used for security purposes by financial institutions really aren't very secret - so Gov Palin may well have fallen victim to exactly the problem I wrote about! (As I wrote this it occurred to me that one of the questions I was asked for financial verification is who holds my mortgage - a fact which is a public record in most places.)

Lessons learned? If you're a prominent person, whether elected official or not, use your official work email for official communications. Whether it's convenient or not, the embarrassment of getting caught on a non-official email address isn't worth it.
