A hit-and-run at digital speed

THE STILL-HAZY story of the hacker who broke into Sarah Palin’s e-mail account is an excellent case study in the powers and perils of digital communities and why it can be hard to tell which is which. I for one got caught up in the whirl of hype and slippery half-truths that surrounded this story, so I’m counting it as a teachable moment.

Much of what we know -- or think we know -- about this story comes to us from its only primary source: a semi-anonymous written confession the hacker may have posted on an underground Web bulletin board. I say “may” because the note is long gone., the hormonal birthplace of Web pranks designed to get a rise out normal Web folks, conveniently drops all discussion threads older than a few minutes.

But in the case of the Palin-hacking confession, someone appears to have rescued it before it was pushed off the plank. An anonymous source forwarded the message to conservative blogger Michelle Malkin, who posted it for all the blogosphere to see. Among the most intriguing parts of the message was the writer’s explanation of how he unlocked the Alaska governor’s account by using the “password recover” feature -- which allows users who have lost their password to create a new one if they can answer a few “security questions”:


“It took seriously 45 mins on wikipedia and google to find the info,” read the statement. “Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes.

“The second was somewhat harder, the question was ‘where did you meet your spouse?’ ” wrote the culprit. “I found out later though [sic] more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower . . . . “

And just like that, the world discovers that a vice presidential nominee’s standards for data security are no more canny than hiding a key under a doormat. (Moreover, anyone who’s created much of a biographical footprint online ought to realize that they’re not much safer.)

But it appears that Palin’s lack of security awareness was equaled by that of the supposed hacker, who left an e-mail address on his mea culpa that crafty bloggers quickly connected to various social networking profiles of a University of Tennessee student named David Kernell -- who also happened to be the son of a Tennessee Democratic legislator. Web sleuths built a profile of Kernell based on online clues -- a 20-year-old avid chess player and self-described “Obamacrat.”

Well, with a name, a political affiliation and a connection to a Democratic politican, conservative bloggers had enough fuel to light their torches and begin a trial by firelight. It wasn’t long before the conviction was handed down in headlines: “FATHER OF HACKER Is Tennessee Dem State Rep!!!!!” screamed a blog post at Gateway Pundit. “Student claims responsibility for Palin e-mail hack,” declared a British technology magazine called PC Pro, which seemed to think the Kernell had himself admitted guilt. Even the New York Post got in on the action when it concluded, “Dem Pol’s son was ‘hacker.’ ”

“Your name is Mudd,” wrote the Ace of Spades HQ blog. “And every derogatory tip I get about your background, I will publish.” He finished with a request for anyone who’d been in a relationship with Kernell to contact him.

Here is where I weighed in. More than a little irked that a few connected dots arising from an unverifiable confession e-mail had been enough not only to convict Kernell in the court of blogger opinion but also to instantly begin handing down his sentence. All before the FBI or Department of Justice had named a suspect (they still haven’t).

“Can someone please arrest the blogosphere and put them all away?” I wrote on the Web Scout blog. “Don’t worry about gathering evidence or building a case, just lock them up and throw away the key -- they’d do the same to you.”

“There’s not one verifiable truth in this story,” I added hot-bloodedly.

Since then (cough), information has emerged that connects activity on 4chan and (Palin’s e-mail site) to an Internet service provider that supplies a Knoxville residential complex where Kernell lives. Federal investigators reportedly served a warrant on the complex Sunday, though the DOJ would not confirm its involvement in the search when I called, saying only that “investigatory activity took place in Knoxville” related to the hacking complaint.

With a few days of retrospect, I’ve decided to back away some from my original stance. Not because I was wrong for defending the kid, per se, but because I see now that I was lumping together two independent phenomena of the social Web: On one side, you had bloggers in a reasonable collaborative search to follow up on clues and attempt to identify the hacker. That’s journalism, and even if major questions remain (e.g. was it Kernell who actually wrote the confession?), there can be nothing wrong with trying to find the truth. One of the great features of the Web is its ability to tap into group intelligence --the wisdom of the crowd -- in order to solve problems that individuals can’t. And now that people can help solve crimes with nothing more than a keyboard and common sense, this kind of open source forensics may actually be a boon to law enforcement.

But look at a few of the angry threats and accusatory headlines and you get the sense that, as wise as the crowd may sometimes be, it’s still only a couple of pitchforks away from a mob. The unfettered collectivism that allows Web denizens to quickly gather the clues and information can be intoxicatingly effective. But being intoxicated is not so great when it comes to the painstaking business of piecing reality together. Jumping to conclusions can satisfy a lot faster.

In the case of the Palin hacker, we saw the intelligent lynch mob in action. It’s worth taking note that this many-headed entity appears to be officially charged with solving mysteries on the Web now. Truth may emerge, but so can character assasination. Telling the difference between the two, well, that’s the challenge.