Showing posts with label Yahoo. Show all posts

Wednesday, September 24, 2008

Tracking the Palin Email Hacker

Yesterday I wrote about how the alleged hacker got into Vice Presidential Candidate Sarah Palin's Yahoo email account on Tuesday, September 16. Today, let's take a look at how the hacker's IP address was traced starting with part of a message the hacker (username Rubico) had put up on the 4chan forum:

yes I was behind a proxy, only one, if this s*** ever got to the FBI I was f*****, I panicked, i still wanted the stuff out there but I didn’t know how to rapids*** all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state.

Rubico had used a proxy service to try and hide his identity but quickly realized how vulnerable his identity was. Proxy services are commonly used to access sites that are sometimes blocked by IT departments. Typical blocked sites include YouTube, Facebook, MySpace, etc. Proxy services are also used to play web based on-line games on sites that are blocked. Here's a good definition of what a proxy server does from Wikipedia:

A proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client.

Here's a simplified diagram (modified from Wikipedia with some made up IP addresses) we can use to show how a proxy server/service works.


Let's describe what happened referring to the diagram:

Rubico made his attack by accessing yahoo.com from the client computer (IP address 132.168.2.10) and going to yahoo.com through the proxy server (IP address 10.7.5.3). As a result, yahoo.com saw the proxy IP address of 10.7.5.3 only - yahoo.com did not see the 132.168.2.10 client address Rubico was using. So.... using the proxy service masked his IP address from yahoo.com - yahoo.com servers logged the IP address accessing the account as 10.7.5.3. Sounds good so far - right? Yahoo logs the proxy address and Rubico is "hidden" from yahoo.com - at least for a little while.

This kind of setup works great for accessing sites that are commonly blocked by businesses but it does not really hide client IP addresses from law enforcement people. Rubico used a proxy service offered by Ctunnel.com. Ctunnel is a CGI Proxy service and it is simple to use - it does not require any special browser configurations and can be used to access most sites on the web. According to the Ctunnel website, the proxy service is administered by Gabriel Ramuglia, owner of the Overnight PC computer repair shop located in Fairbanks, AK. Ramuglia set up the proxy so users could access a browser based game he runs called Oil Fight. Because Oil Fight is a game, it could potentially be blocked by schools or corporations.

Here's more from the Ctunnel website:

Why should I trust Ctunnel?
By going through any proxy, you trust any data you send or receive to the proxy owner. To earn your trust I will be as open and honest with you as possible....... Open proxies may be honeypots to steal your information, or may be left open accidentally and be down tomorrow, or be otherwise unreliable. Ctunnel however, operates solely off money derived from advertising shown during the proxy session, and therefore will not be down tomorrow. Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because government subpoena could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy. In short, we value your browsing experience as well as your anonymity, and would not do anything to break your trust in us.

Less than 24 hours after the hack the U.S. Secret Service was knocking on Ramuglia's door with a subpoena. The proxy server log files had exposed Rubico - each Ctunnel user's IP address, the time and destination were logged and they had not been flushed yet. By Sunday morning the FBI was knocking on the door of accused University of Tennessee student David Kernell with a search warrant.
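The correlation described above, written out as an added example that is not part of the original post: it joins what the destination logged (the proxy's address) against what the proxy logged (client IP, time, destination) and shows that the trail disappears once the proxy log has been flushed. The log formats, times of day, the `oilfight.example` and `198.51.100.7` entries and all function names are constructed for illustration; the two main IP addresses are the made-up ones from the diagram.

```python
from datetime import datetime, timedelta

# Constructed sample data using the made-up addresses from the diagram above.
# Destination-side log (what yahoo.com sees): time, source IP, action.
DEST_LOG = """\
2008-09-16T14:02:11 10.7.5.3 password-reset
2008-09-16T14:05:40 10.7.5.3 login
2008-09-16T14:06:02 198.51.100.7 login
"""
# Proxy-side log: time, client IP, destination host (fields named in the post).
PROXY_LOG = """\
2008-09-16T13:58:30 132.168.9.44 oilfight.example
2008-09-16T14:02:10 132.168.2.10 yahoo.com
2008-09-16T14:02:12 132.168.7.21 youtube.com
2008-09-16T14:05:39 132.168.2.10 yahoo.com
"""

def parse(log):
    """Turn 'time ip field' lines into (datetime, ip, field) tuples."""
    rows = []
    for line in log.splitlines():
        ts, ip, field = line.split()
        rows.append((datetime.fromisoformat(ts), ip, field))
    return rows

def purge(rows, now, retention):
    """Apply a retention policy: keep only entries newer than now - retention."""
    return [r for r in rows if now - r[0] <= retention]

def correlate(dest_rows, proxy_rows, proxy_ip, dest_host, skew=timedelta(seconds=5)):
    """For each destination event from proxy_ip, list the proxy clients that
    requested dest_host within +/- skew (allowing for clock drift)."""
    result = {}
    for d_ts, d_ip, action in dest_rows:
        if d_ip != proxy_ip:
            continue  # event did not come through this proxy
        clients = sorted({c_ip for p_ts, c_ip, host in proxy_rows
                          if host == dest_host and abs(p_ts - d_ts) <= skew})
        result[(d_ts.isoformat(), action)] = clients
    return result

def candidates(matches):
    """Clients present in every matched event: the strongest leads."""
    sets = [set(c) for c in matches.values()]
    return set.intersection(*sets) if sets else set()

if __name__ == "__main__":
    dest, proxy = parse(DEST_LOG), parse(PROXY_LOG)
    print(candidates(correlate(dest, proxy, "10.7.5.3", "yahoo.com")))
    flushed = purge(proxy, datetime(2008, 9, 17, 14, 0), timedelta(hours=1))
    print(correlate(dest, flushed, "10.7.5.3", "yahoo.com"))
```

With the proxy log intact, both destination events resolve to a single client; after the purge the same events still exist on the destination side but map to no client at all.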

Tuesday, September 23, 2008

How Sarah Palin Got Hacked

You've probably heard by now that Vice Presidential candidate Sarah Palin's Yahoo account got hacked. According to Wired Magazine the story was briefly posted Wednesday to the 4chan forum where the hack first surfaced. Bloggers have connected the handle of the poster, "Rubico," to an e-mail address, and tentatively identified the owner as a college student in Tennessee. You've probably also heard that FBI agents served a federal search warrant to 20-year-old University of Tennessee student David Kernell on Sunday. David is the son of Democratic Tennessee State Representative Mike Kernell.

According to an MTV post, a Department of Justice spokesperson confirmed some "investigatory activity" in the Knoxville area related to the Palin case, but said no charges have been filed.

What I find most interesting is the ease with which the hacker got access to her account. I think most of us have forgotten a password or two and have had to click on "Forgot my password" to answer a few questions to reset it. This is exactly what the hacker did. The questions were pretty easy to research and answer on the web and, according to the hacker, it only took about 45 minutes. Here's how the hacker (referred to as Rubico) did it:

Rubico had made an attempt to hide behind a proxy service to anonymize his IP address but.... that was not enough. According to Wired he realized how vulnerable he was to being caught since he only used a single proxy service. Here's part of the message he posted Wednesday to the 4chan forum:

yes I was behind a proxy, only one, if this s*** ever got to the FBI I was f*****, I panicked, i still wanted the stuff out there but I didn’t know how to rapids*** all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state

After Rubico posted the information on the 4chan forum, a white hat hacker tried to protect Palin by resetting the password and sending an email to Palin aide Ivy Frye. The white hat then posted a screen shot of the Frye email on the 4chan forum - that screen shot included the new password. Other 4chan readers (referred to as b/tards) jumped in and tried to access Palin's account with the frenzy causing the account to be locked for 24 hours.

Sunday, May 18, 2008

Microsoft Yahoo Round Two?

According to the New York Times, Microsoft has proposed a complex new collaborative deal with Yahoo that would not involve a full takeover of Yahoo by Microsoft. Microsoft had made an offer of $47.5 billion to outright take over Yahoo that was withdrawn a couple of weeks ago.

From the New York Times piece and in a statement released by Microsoft today - the company said it was “considering and has raised with Yahoo an alternative that would involve a transaction with Yahoo but not an acquisition of all of Yahoo.” Microsoft provided no additional details.

Here's more from the New York Times:

“Microsoft is not proposing to make a new bid to acquire all of Yahoo at this time, but reserves the right to reconsider that alternative depending on future developments and discussions that may take place with Yahoo or discussions with shareholders of Yahoo or Microsoft or with other third parties,” the company said.

It looks like Microsoft is scrambling, trying to head off a partnership deal currently in the works between Yahoo and Google, expected to be announced as early as this week.

Read the full New York Times piece here.

Tuesday, February 5, 2008

Google, Microsoft and Yahoo! - Some Questions and Some Options

On Sunday, February 3, 2008 (yes, Super Bowl Sunday), Drummond posted Yahoo! and the future of the Internet on the Official Google Blog page.

Drummond, never one to hold back, raises some questions regarding Microsoft's Yahoo! offer.
He starts by saying the openness of the Internet is what made Google -- and Yahoo! -- possible. And goes on to say that, because of the openness, good ideas spread quickly and users benefit from the constant innovation an open system provides. According to Drummond, this is what has made the Internet a popular and exciting place. He also asks a few questions:

Could Microsoft now attempt to exert the same sort of inappropriate and illegal influence over the Internet that it did with the PC?

Could the acquisition of Yahoo! allow Microsoft -- despite its legacy of serious legal and regulatory offenses -- to extend unfair practices from browsers and operating systems to the Internet?

Could a combination of the two take advantage of a PC software monopoly to unfairly limit the ability of consumers to freely access competitors' email, IM, and web-based services?

Three very interesting questions depending on your position, perspective and opinion. Personally, I am amazed with Google's innovation - I use and encourage others to use their applications and would hate to see things slow down. Read Drummond's complete post (it's short) if you can.

Let's look at where Yahoo! is on this. The company has not had a good history with either Microsoft or Google and the offer has put them in a difficult spot. Most experts are saying if Yahoo! does not take the deal with Microsoft the company will have to form some kind of partnership with Google - most likely agreeing to have Google run their search engine and take revenue generated from ad clicks. Another option for Yahoo! would be to go private with a leveraged buyout. In an Associated Press article titled Microsoft bid backs Yahoo into a corner, Stifel Nicolaus analyst George Askew is quoted, saying this option (leveraged buyout) would involve Yahoo! going into about $20 Billion of debt and having to lay off approximately 4,500 (31%) of their current employees. Neither of these appears to be a good option for Yahoo!

Where's Microsoft on this? They want Yahoo! to the point where the company may end up raising the bid on the current $41 Billion offer. Microsoft also may be financing a portion of the deal if it goes through, which would be the first time the company has taken a loan to buy another company.

Yahoo! may not have any other options at this time - other companies that may have the money (Comcast, Verizon, AT&T, etc.) do not appear to be interested at this time...... In the same AP Article, investment banker Peter Falvey from Revolution Partners is quoted:

At the end of the day, I don't think they (Yahoo!) are going to be able to turn down Microsoft.

Yahoo!'s board has a difficult decision to make.

Friday, February 1, 2008

Some Quick Thoughts About Microsoft's Offer to Buy Yahoo!

By now most have heard about Microsoft's proposal to Yahoo!'s board of directors to buy Yahoo! at $31 per share (Yahoo! closed yesterday at $19.18). Here's a piece from the letter Steve Ballmer sent to the Yahoo! board:

Together, Microsoft and Yahoo! can offer a credible alternative for consumers, advertisers, and publishers. Synergies of this combination fall into four areas:

-- Scale economics: This combination enables synergies related to scale economics of the advertising platform where today there is only one competitor at scale. This includes synergies across both search and non-search related advertising that will strengthen the value proposition to both advertisers and publishers. Additionally, the combination allows us to consolidate capital spending.

-- Expanded R&D capacity: The combined talent of our engineering resources can be focused on R&D priorities such as a single search index and single advertising platform. Together we can unleash new levels of innovation, delivering enhanced user experiences, breakthroughs in search, and new advertising platform capabilities. Many of these breakthroughs are a function of an engineering scale that today neither of our companies has on its own.

-- Operational efficiencies: Eliminating redundant infrastructure and duplicative operating costs will improve the financial performance of the combined entity.

-- Emerging user experiences: Our combined ability to focus engineering resources that drive innovation in emerging scenarios such as video, mobile services, online commerce, social media, and social platforms is greatly enhanced.

There have been rumors of this merger for the past couple of years so it comes as no big surprise to many. It's also no secret this is a direct move to try and head off Google. Each Yahoo shareholder will be able to choose whether to receive consideration in cash or in Microsoft common stock.

Microsoft is ready to move fast on this - we'll see what Yahoo does.

Sunday, December 9, 2007

New York Times on Free Speech in China

On December 2, the New York Times published an editorial titled Yahoo Betrays Free Speech. The piece discussed how Yahoo helped the Chinese government find the identities of two Chinese journalists who both received ten years in jail for "disseminating pro-democracy writings".

Here's a quote from the editorial:

Yahoo’s collaboration is appalling, and Yahoo is not the only American company helping the Chinese government repress its people. Microsoft shut down a blogger at Beijing’s request. Google, Yahoo and Microsoft censor searches in China. Cisco Systems provided hardware used by Beijing to censor and monitor the Internet.

You may have seen the following YouTube piece on the Yahoo settlement (or something similar) last month:



I encourage you to read the New York Times editorial and watch the video clip - good classroom material for discussion from political, legal, business/financial and even technological (how do they do that?) perspectives.

Wednesday, October 17, 2007

Google and Yahoo Offering More Online Space

Check out the Gmail blog and the company's efforts in their "Infinity+1" storage plan - a plan to provide Gmail users with "more space as we were able." According to the blog, the Standard and Education Edition storage, which is now at 2GB, will get a bump and begin matching Gmail's counter. Premier Edition users get bumped up from 10GB to 25GB. The Standard Edition is free and the Premier Edition is $50 / user account / year. The Education Edition also offers 2GB but makes the text-based ads alongside email, found in the Standard Edition, optional to students and academic faculty and staff.

Yahoo’s unlimited storage product provides unlimited email storage space. According to Yahoo:

"....users that follow normal email practices and comply with our anti-abuse limits can consume an unlimited amount of free email storage. This will apply to both new and existing users."

Yahoo also offers the Yahoo! Briefcase that provides up to 30GB of free file storage to Yahoo account holders. Briefcase is great for students who are accessing computers in different locations - imagine a community college commuter student using a computer at home and another computer at school. Briefcase allows file storage that can be accessed from both locations.

There have been Google Gdrive storage rumors for over a year now.

Thursday, August 9, 2007

Search Engine Privacy

As Mike Q and I travel around presenting on Web 2.0 technologies, some of the most common questions we get are with regard to privacy. The questions are along the lines of:

- How private are my communications (text messaging, email, etc.) on the web?
- How private are documents stored in places like Google Docs and Spreadsheets?
- Can I securely delete things like search records from places like Google and Yahoo?
- Can anybody else access my stuff?


Yesterday the Center for Democracy and Technology (CDT) released a report that starts to give some answers and, more importantly, will continue to put pressure on Internet search companies and lawmakers to further strengthen privacy protections. In a report titled Search Privacy Practices: A Work In Progress (linked here as PDF) the CDT takes a look at how these companies delete old user data, strip personally identifiable information and give users the ability to delete old search records. There's been a lot of activity by companies recently so this report is very timely.

Specifically - the report takes a good look at Google, Yahoo, Microsoft, Ask.com and AOL and makes the following recommendations:
  1. Search companies should continue to work towards providing controls that allow users to not only extend but also limit the information stored about them. As it becomes possible to tie more and more information back to an individual user account, users should control the correlation of their account information with records of their online activities.
  2. Researchers, academics, and Internet companies should continue to pursue new and innovative methods for (a) improving the quality of search results, preventing fraud and otherwise meeting business needs without tying searches to particular users, and (b) safeguarding data that is stored for long periods.
  3. Search companies should expand efforts to balance the demands of the advertising marketplace with their users’ privacy needs. This should include the development of new standards and policies that take privacy into account from the beginning.
  4. Internet companies should leverage their contracts with partners to promote privacy protections across the board. Consumers can also exert pressure to improve privacy practices by staying informed and making use of available privacy tools.
  5. No amount of self-regulation in the search privacy space can replace the need for a comprehensive federal privacy law to protect consumers from bad actors. With consumers sharing more data than ever before online, the time has come to harmonize our nation’s privacy laws into a simple, flexible framework.
The report is short (6 pages including a Glossary) and easy to read with an excellent table on the second page that answers the following questions for the 5 companies studied:
  1. How long after search data has been collected will it be removed?
  2. How will search data be removed?
  3. Is most or all search data shared with a third party on an ongoing basis?
This is an excellent look at current web search privacy - you will likely be surprised at some of the things you see. I look forward to more "persuasion" in the web privacy areas from the CDT and other similar organizations.