A jury handed down a mixed verdict in the case of David Kernall, who hacked into Sarah Palin’s Yahoo email account. Kernall used a password reset attack to break into Palin’s Yahoo account, something that wouldn’t have happened if either Yahoo had been using reasonable security practices at the time, or if Palin would have known not to answer password reset questions with the correct answer (more on that in an upcoming blog). Still, it is neither Yahoo nor Palin’s fault that Kernall chose to break the law and the blame lies squarely with him. Still, in apparent effort for prestige and glory, the prosecutors really decided to go overboard on this case. It is unlikely there would have been so many charges were it not for the publicity of the event.

So, the charges and the verdicts...

The most serious charge was obstructing justice, which is a felony. Kernel faces up to 20 years in jail for that charge, however he will probably get a significantly shorter sentence. The thing about a felony conviction is that as an American you lose your right to vote and that is for life.

Kernall was convicted of unauthorized access to a computer, which was completely appropriate for the prosecution to charge him with. The unauthorized access is a misdemeanor charge.

Kernall escaped conviction on the charge of wire fraud.

The prosecution also charged identity theft. This one seems a stretch to me, but I haven’t reviewed the testimony. The jury deadlocked on the identity theft charge and the prosecutors have yet to say if they will seek a retrial.

Of particular interest was the commentary of a man who testified against Kernall. You can read his statements at http://www.theregister.co.uk/2010/04/28/palin_email_witness/. The witness for the prosecution described the prosecution as “a dog and pony show” and as a result is changing the logging policies of his anonymous proxy to the legal minimum rather than retaining logs for a longer period of time, which may have helped the prosecution in this case.

I’ll follow up with a recap of the password reset attack and how to protect your accounts against such attacks

Randy Abrams
Director of Technical Education