I'm not going to repost stuff from Wikilinks here, but it looks like you're not correct: there's a transcript of the screenshots that includes things like, "CONFIDENTIAL ETHICS INVESTIGATION" and "REQUEST FOR DOCUMENTS".

In addition to being a fuckup of spectacular proportions, it also corroborates an earlier news report of leaked emails that included specific instructions not to send sensitive government mails to Palin's work account.

Of course, none of this has been authenticated. It looks credible, but there's plenty of incentive to make something look credible in this political and news climate.

The interesting story here is the trend story. It applies to companies as well as government officials. People will attempt to use personal email accounts to avoid subpoenas. But nobody knows enough to keep those accounts secure, and the growing insecurity of the web guarantees most hosted mail accounts will eventually get popped. Meanwhile, it's hard for executives and officials to find "secure" mail providers without tacitly confirming that they're conducting business in secret. It's an interesting problem.

[Late edit: Time: it's probably real.]

Ah, I'd just looked at the screenshots, not the text "log". Interesting that they'd screenshot all of the subjects that are totally personal/innocuous but the text log has all of the potentially damning subjects... Hrm. Why wouldn't you just scroll down and take a few screenies to prove the evil?

I've worked on the technology side of a few candidates and politicians-- they are almost without fail moronic about technology. I can imagine accidental sends to Palin's personal account. For all we know, the content of those emails are "You dumbass. How many times do I have to tell you that stuff like this should go to my work account?!", right?

I agree that the trend is interesting, tho.

(a) Because the people who pulled off the attack are stupid.

(b) Because the people who pulled off the attack somehow lost access after getting the account but before archiving all the mail, and so made up the good stuff.

(c) Because the people who pulled off the attack are very smart, and are going to slow-drip this out to the media over the next month.

I know where my bet's at now.

The narrative of the compromise is pretty convoluted, but from what I understand, it was done more for lulz than for politics or ideology. The way I understand it, notification of the compromise went out to one of her contacts at the same time that the password was posted to /b/, so with all of Anonymous trying to log in at once, the account got shut down quickly, and was deleted shortly thereafter.

If the people who pulled off this attack are very smart, then they'll be shutting up about it.

The US Secret Service has a lot of resources and a pretty limited mission statement. It's not a good idea to attract their attention.

Give me a break. There are very few organizations less well equipped to respond to computer attacks than US law enforcement. It takes years to convict on computer crime cases, and almost every one of them is front page news in the trade press. You know how many we've had in the past decade?

Trivia question: which law enforcement agency was primarily responsible for responding to computer incidents throughout the 80s and 90s?

(Of course, it's always possible that the person who did this was stunningly dumb about it.)

I'd go with a combination of (a) and (b)

Seems like it was 4chan/Anonymous, unless it started in a super elite IRC channel and was slowly leaked to 4chan.

You underestimate the cleverness and persistence of a large group of bored internet trolls at your own peril. I am not kidding. Either that, or you've drastically overestimated the security of the Internet at large.

Startup idea: ultra-secure webmail (accessed via one of those little physical key-generating token thingies).

None of this "I've forgotten my password but here's my mother's maiden name" crap.

A startup that does no-frills, genuinely secure mail on hardened servers might in fact do pretty well. I've wanted one a lot lately. It's not an easy problem though; you're going to deliberately sacrifice features for security, a tradeoff most customers won't get.

It won't solve this problem though; funnelling mail through Yahoo comes with plausible deniability. Funneling it through the email security vault, not so much.

For just a couple bucks a month you buy a virtual server you can install your IMAP server and do VPN or SSL (or both, just in case).

Because I have time to audit and re-audit dovecot's source code at every release? We host our own mail right now, on qmail, but there's no workable IMAP or POP solution I would trust out of the box. Hence, I'd pay money for someone else to do this.

doesn't change the vector of this attack one bit: weak password

Weak password wasn't the vector. Weak password reset feature was.

Yes it does change that vector. I'm talking about the physical tokens which generate a new key every 30 seconds, like:

http://www.rsa.com/node.aspx?id=1156

This way you need to know the password _and_ have the physical token in your hand to know the current key. On the downside, it's also a hassle to carry it around and use it (I have a couple of 'em for access to various supercomputers), so I wouldn't bother doing it for my own email, but if you're a public figure or otherwise sufficiently paranoid it might be worthwhile.