David Kernell indicted, Yahoo Mail safe again

By John Brandon
October 08, 2008 3:02 PM EDT
David Kernell has been indicted by the Justice Department for breaking into VP hopeful Sarah Palin's Yahoo e-mail account, according to an announcement at Justice.gov.

The news comes as somewhat of a shock because, the last we heard, the FBI was searching his apartment and did not make any arrests.

The indictment goes into great detail, explaining how Kernell, the son of a Tennessee congressman, used the password reset feature at Yahoo, changed the password to 'popcorn' and then posted screenshots of the e-mail messages online. It's a rather obvious example to anyone who thinks it might be a cool idea to try and read someone's e-mail without their knowledge.

However, it also had another effect. Yahoo Mail now relies on an alternate e-mail address that you must use to reset your account. If you don't have an alternate e-mail, or if you click the option saying that you can't access that account, then Yahoo says you can't reset the password and that you have to contact Customer Care.

Before even getting to that point, you have to type in your birthdate, country of residence, and zip code. Okay, so all of that info is easy to find about politicians on Wikipedia, but it is a small deterrent. There's also a captcha that prevents bots from running password recovery software, although I'm not sure if there is a bot out there that can fool a captcha (post in comments if you know).

To be honest - and this is where my opinion gets me into trouble, I know - the penalty for the break-in seems stiff. It's up to a $250,000 fine and 5 years in prison. I imagine that teenagers break into the accounts of their friends all the time, but likely would not get an indictment from the Justice Department or an FBI warrant. That's not supposed to be an endorsement, but let's face it: it obviously matters a great deal which account you break into, and if that account could have revealed secrets pertaining to the upcoming election.

And then there is the matter of whether politicians should use Webmail at all -- I would say it's not a good idea. I know this: the e-mail for a personal domain I own seems much more secure - it uses SSL encryption, for example. I'm not sure how someone would reset my password, it doesn't seem possible - but maybe it is if you know the ISP I'm using and can access the account somehow. For now, I feel safe by the mere fact that I am not running for office and, also, that my e-mail is full of everyday e-mails from editors asking for stuff.