A Chess-Playing Hacker?

By Bill Wall

 

Did amateur chess player David Carl Kernell hack into one of Alaskan governor Sarah Palin’s Yahoo accounts?  So far, all the evidence points that way, and he has been indicted for it.

David C. Kernell was born on October 27, 1986.  His parents are Michael Kernell, age 56, Tennessee Democratic state senator from the 93rd district in Memphis, and Lillian Landrigan, medical doctor.  David learned how to play chess at the age of 7.  He started playing in USCF-rated events in 2001 while living in Killeen, Texas.  His first USCF rating was around 736.  He attended Killeen Independent School District schools from 1991 through 2001.  His family moved to Tennessee in 2002, where David continued to play in USCF-rated events and scholastic tournaments.  In 2003, he played in the Junior High section of the Memphis Scholastic Championships.  In 2004, he won the 58th Tennessee Open (High School) Scholastic Championship, held in Chattanooga on September 3-5, 2004.  He also won the Class B championship in the 58th Tennessee Open in 2004.  He scored 4-0.  In 2005, he won the 59th Tennessee Open Scholastic Championship with a perfect 4-0, held in Crossville, Tennessee.  The event was directed by Harry Sabine.  His rating at the end of the tournament was 1820.  There were 90 players in this event.  He also played in the 59th annual Tennessee Open, taking 7th place and top Class A (defeating a 2087 player in the process).  His rating at the end of the tournament was 1841.  In 2006, he took 1st place in the Memphis Candidates tournament, scoring 5-0.  In 2006, he took first place in the Memphis High School Championships, winning with a perfect 6-0 score.  Also in 2006, he took 2nd place in the Memphis City Championship.  He played board 1 for his high school, Germantown HS.  In November, 2006, he took 2nd-3rd place in the 46th Mid-South Open, behind Semion Palatnik (2518) and tied with Ron Burnett (2447).  In 2007, he played in 15 USCF-rated tournaments, with a USCF rating of 1961.  In 2008, he played in the Pawn Power Open in Memphis and ended up with a current USCF rating of 1913.  He has played in over 200 USCF-rated tournaments since 2001.

In 2000, when David was in the seventh grade and attended Eastern Hills Middle School in Harker Heights, Texas, he and another boy found a way to get onto the school’s server by figuring out the password, according to Tracey McDaniels, a history teacher there.  The server was used to store teaching materials at the school.  Kernell and a friend found a classroom computer connected to the server and were able to guess the password.

In 2003, David, age 15, created a bio at the Apocoliptic visions blog site in which he stated that he would post some of his internet chess games in pgn format (he posted one game).  He played chess at gameknot using the handle “rubicox.”  He stated that his favorite and only hobby was chess, more like an obsession.

In 2006, David entered the University of Tennessee at Knoxville majoring in Economics.  He became active on some web sites, including the WikiProject Chess forum.  His online handle has been rubicon, rubico10, and rubico.  His Yahoo email account was rubico10@yahoo.com (now temporarily locked because of security concerns).  His Facebook account mentioned that he was a chess player.   Rubicon is a development company that makes 3D Shogi (Japanese Chess).  Rubico10 also had accounts on YouTube, Stream Community, and Newground.  All these accounts are now closed.

In early September, a suit was filed by an Alaskan activist, charging that Governor Sarah Palin had used her Yahoo accounts to conduct official government business and therefore email in the accounts was part of the public record and should be disclosed under Alaska’s public records statute.

On September 10, 2008, the Washington Post printed an article about Sarah Palin, governor of Alaska and vice-presidential candidate under Republican presidential candidate John McCain, stating that she had two Yahoo! e-mail accounts (gov.sarah@yahoo.com and gov.palin@yahoo.com).  Discussions then took place on several blog sites and forums, including somethingawful.com, about how to crack the email account, making a contest out of it.  There were a lot of password guesses, including trig1, governor, Alaska1st, Jesus, etc. (some sources say the real password was SarahGuv).  Someone also suggested using the Yahoo forgotten-password trick.  Todd Palin, Sarah Palin’s husband, used the Yahoo account fek9wnr@yahoo.com (Fe - Iron, k9 – dog, wnr - winner).  It is also his vehicle license tag in Alaska.

On or about  September 16, 2008, a user named rubico (David Kernell?) attempted and succeeded in getting access to this account by resetting her account password using the Yahoo Mail’s password-recovery tool.  He did this by answering three questions that Yahoo asks before resetting the password.  The questions were her birth date, her ZIP code, and where she met her spouse.  A Wikipedia search shows that she was born February 11, 1964.  Palin’s hometown is Wasilla, which has 5 zip codes (99629, 99652, 99654, 99687, 99694).  She lives in the 99654 area.  Palin met her spouse at Wasilla High.  Once rubico guessed all this, he was prompted to enter a new password.  He chose the new password “popcorn” (as in popcorn kernel (kernell)) and was able to get access to Palin’s account.

Rubico then posted this information (a screenshot of Palin’s Yahoo email account, the username and the password), showing that he had hacked the email account, on the 4chan bulletin board (www.4chan.org), using the pseudonym “Rubico,” an account linked to the email address rubico10@yahoo.com.  4chan is a popular bulletin board with around 30,000 members who are interested in Japanese and computer geek cultures.  The most popular 4chan board is simply called /b/, which allows users to post on any random subject.  Rubico posted the information on /b/ around 4 a.m. on Tuesday, September 16.  Later, the moderator deleted the thread.

Rubico returned to 4chan the next day, September 17, around 1 pm, and said that he was the lurker that "hacked" Palin's yahoo account and posted the captures, and that it took 45 minutes to find the needed information and reset the password.  He said he was hoping to find something incriminating in her account.

Later, someone (rubico calls him the white knight) on /b/ logged into Palin's email account (probably with the new popcorn password), changed the password again, and sent an email to a friend of Sarah Palin, warning her and letting her know the new password.  By now, other people were logging in and changing the password again, tripping the automated Yahoo freeze.   Since then, the account has been deleted.

Rubico used the Ctunnel.com proxy server, run by Gabriel Ramuglia of Athens, Georgia.  Ctunnel is an Internet anonymity service.  A proxy server hides the source IP address from the website’s logging scripts.  But rubico posted screenshots of the Yahoo account that showed the full URL, which included the proxy server URL (ctunnel.com) with a unique identifier appended (http://ctunnel.com/index.php/1010110A/58a5cd1e8ab47088982c83282fd768456ebe14f44221026).

Though the proxy server gives users anonymity, it also gets around filters that block out everything from porn, access to places like MySpace and YouTube, and certain e-mail accounts.

Rubico wanted to download all the emails, put them in one zipped file, and put the file on rapidshare.com.  He pawned this task off on Anonymous.  Emails and pictures from the email account were posted on the gossip site Gawker and on Wikileaks (http://www.wikileaks.org/wiki/VP_contender_Sarah_Palin_hacked).  The emails did not contain any controversial information or official Alaska government business.

This is what rubico wrote at 4chan:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

>> rubico 09/17/08(Wed)12:58:04 No.85782727

this is all verifiable if some anal /b/tard wants to think Im a troll, and there isn’t any hard proof to the contrary, but anyone who had followed the thread from the beginning to the 404 will know I probably am not, the picture I posted this topic with is the same one as the original thread.

I read though the emails… ALL OF THEM… before I posted, and what I concluded was anticlimactic, there was nothing there, nothing incriminating, nothing that would derail her campaign as I had hoped, all I saw was personal stuff, some clerical stuff from when she was governor…. And pictures of her family

I then started a topic on /b/, peeps asked for pics or gtfo and I obliged, then it started to get big

Earlier it was just some prank to me, I really wanted to get something incriminating which I was sure there would be, just like all of you anon out there that you think there was some missed opportunity of glory, well there WAS NOTHING, I read everything, every little blackberry confirmation… all the pictures, and there was nothing, and it finally set in, THIS internet was serious business, yes I was behind a proxy, only one, if this shit ever got to the FBI I was fucked, I panicked, i still wanted the stuff out there but I didn’t know how to rapidshit all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state

Then the white knight fucker came along, and did it in for everyone, I trusted /b/ with that email password, I had gotten done what I could do well, then passed the torch , all to be let down by the douchebaggery, good job /b/, this is why we cant have nice things

Under federal law (the Stored Communications Act and the Computer Fraud and Abuse Act, or CFAA), e-mail hackers/crackers could face a fine and/or prison time ranging from six months to five years, depending on whether the hacker was snooping or intended to steal vital information or do.  Most likely, the hacker will be prosecuted under the CFAA as a misdemeanor and not a felony.  No actual loss resulted from the hack.  He will be prosecuted under the Computer Fraud and Abuse Act (CFAA) 18:2 United States Code (U.S.C.) 1030(a)(2)(C) and 1030(c)(2)(B)(ii), accessing a protected computer without authorization to obtain information.  If the government thinks the hacker was only curious to see if he could hack into the account, little, if any, jail time would result.

18 U.S.C. Code 1030 – Fraud and related activity in connection with computers

(a) Whoever—

 (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

 (C) information from any protected computer if the conduct involved an interstate or foreign communication;

 

(c) The punishment for an offense under subsection (a) or (b) of this section is—

 (2)

 (B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—

 (ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State

 

Gabriel Ramuglia, the webmaster of Ctunnel, the proxy server that rubico used, said that the IP address he found in his server logs originated from Pavlov Media, an Internet Service Provider (ISP) based in Champaign, Illinois.  This ISP provides Internet, television, and phone services to The Commons at Knoxville, a University of Tennessee student housing complex.  This is where David Kernell resides.

By the way, after Fox News commentator Bill O'Reilly made comments about the Palin hack, his own site was hacked.  A list of subscribers to his site found its way on the Internet (WikiLeaks), which included names, email addresses, city and state, and the password they use for their registration to the site.

On September 21, FBI agents served a federal search warrant at the Commons apartment complex where David resides with three other roommates.

On September 23, 2008, a federal grand jury listened to testimony about the hacking.  Three unidentified students, as well as several federal agents, were seen entering the courthouse.  No charges were filed at the time.

The Kernell family has hired attorney Wade Davies to handle the case.

On October 7, 2008, David Kernell was indicted by a federal grand jury on one count of accessing a computer without authorization.  The indictment also states that Kernell tried to hide his tracks by deleting and concealing files on his notebook computer.

The Justice Department said the case was being prosecuted by section chief Michael DuBose and trial attorney Mark Krotoski of the criminal division’s computer crime and intellectual property section and Assistant U.S. Attorney Greg Weddle of the U.S. Attorney’s Office for the Eastern District of Tennessee.

On October 7, 2008, David Kernell pleaded not guilty in federal court in Knoxville to the felony charge of hacking the e-mail account of Sarah Palin and violating the Computer Fraud and Abuse Act.  He was released without posting bond, but is not allowed to own a computer.  He can only use the Internet for checking e-mail and doing class work.  He appeared before U.S. Magistrate Judge C. Clifford Shirley.

Following the initial indictment, lawyer Wade Davies objected to the computer hacking charge on the grounds that the government had erroneously used two misdemeanors pertaining to the same crime to elevate the charge to a felony.  In order for hacking to be a felony, it has to be done for the purpose of committing an additional crime, or a “tortious” act (an action that could give rise to a civil suit).  Without the privacy violation, the government may not have a felony case.  It would be very difficult for the government to allege a breach of privacy if the email is a public record.

In March, 2009, prosecutors filed three more charges against Kernell, including one count of identity theft, one count of wire fraud, and one count of obstruction of justice.

The initial trial was set for Dec 16, 2008.  Trial is now set for October 27, 2009.  The maximum penalty if found guilty is 5 years in prison as a felon, a $250,000 fine, and a three-year term of supervised release.  A more likely maximum penalty of all four charges is 24 months in prison and a fine of $40,000.  If he is charged with misdemeanors, the penalty would be probation or house arrest.

Defense lawyer Wade Davies argued that his client couldn’t have violated Palin’s privacy because an Alaskan judge had already ruled her emails were a matter of public record.  He also said that Tennessee only recognizes an invasion of privacy when the invasion exposes something that is inherently private, and the victim was placed in a false light by the invasion.  Davies asserted that no expectation of privacy can be given to the Palin Yahoo account, as its status as a matter of public record precludes privacy.  His point was that Palin’s email was not private or personal because of who she is and because it wasn’t intimate communication.  A judge had ruled that Palin was required to preserve the correspondence in her private accounts until the other lawsuit, alleging that she used a Yahoo account to conduct official business, was resolved.

This isn’t the first time that hackers and chess came together.  In 1996, hackers tried to close down the Internet Chess Club (ICC) with a series of denial of service attacks (SYN-flood attack).

In 2004, the Microsoft Gaming Zone chess site was hacked due to some security holes in its ActiveX controls.

In 2005, the Yahoo Chess JavaScript was hacked to change the time control or rating of a player.

In 2006, Dutch hackers cracked into Dutch voting machines and uploaded a chess-playing program.

In 2008, hackers attacked the web site of former world chess champion Garry Kasparov, who has now become a political activist.

Some chess blogs have been hacked and infected with viruses such as the JS/downloader agent using the iframe vulnerability.

Avoid being hacked.  Use a good password (non-dictionary, alphanumeric and special character, 8 characters or better, and change it every few months) or pass phrase, and don't use free email services to conduct official business if you work for the government.  Don't answer a password recovery system's questions with something that could be guessed.
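The advice on recovery questions can be turned into a self-check. The following is an added example, not part of the original article: it flags recovery answers that match publicly known facts and estimates how few combinations such questions leave to try. The profile data, function names, and the count of 10 spellings are constructed assumptions.

```python
import re
import secrets

def normalize(text):
    """Compare the way a lenient recovery form might: ignore case, spaces, punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def guess_space(candidates_per_question):
    """Worst-case number of answer combinations when every question has only
    this many plausible answers that can be looked up."""
    total = 1
    for count in candidates_per_question.values():
        total *= count
    return total

def audit_answers(answers, public_facts):
    """Return the questions whose answer equals, contains, or is contained in a
    publicly known fact. Matching is textual, so dates must share one format."""
    facts = [normalize(f) for f in public_facts]
    weak = []
    for question, answer in answers.items():
        a = normalize(answer)
        for f in facts:
            if a == f or (len(a) >= 4 and a in f) or (len(f) >= 4 and f in a):
                weak.append(question)
                break
    return weak

def random_answer(nbytes=16):
    """Recovery answer unrelated to the user's life; keep it in a password manager."""
    return secrets.token_urlsafe(nbytes)

# Constructed sample data for a fictitious user (not taken from the article).
PUBLIC_FACTS = ["1970-01-31", "00001", "00002", "Example City High School"]
ANSWERS = {
    "birth date": "1970-01-31",
    "zip code": "00001",
    "where did you meet your spouse": "example city high",
}
# Assumed plausible answers per question: a published birth date, a town with
# five ZIP codes, and ten spellings of one school name.
CANDIDATES = {"birth date": 1, "zip code": 5, "where did you meet your spouse": 10}

if __name__ == "__main__":
    print("guessable:", audit_answers(ANSWERS, PUBLIC_FACTS))
    print("combinations to try:", guess_space(CANDIDATES))
    hardened = {q: random_answer() for q in ANSWERS}
    print("after replacement:", audit_answers(hardened, PUBLIC_FACTS))
```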