article

05.31.11

Is Weiner's Excuse Credible?

Anthony Weiner blames a hacker for sending a Twitter message with a naughty photo, and according to Dan Lyons, that's a lot easier than you think.

Anthony Weiner’s PR pickle is getting longer and stranger. During an interview with MSNBC’s Luke Russert, the New York Democrat tried to clear things up about his alleged lewd photo hack, but appeared to only muddy the waters. “I didn’t send that picture out,” he said, insisting again that his account was broken into. Weiner also reiterated his statement that he doesn’t know the woman to whom a crotch shot was sent from his Twitter account, and that she doesn’t know him. But he offered a puzzling statement about the photo. When Russert asked Weiner to confirm that the picture didn’t show him, he replied, “I can't say with certitude.”

Before Weiner's interview, The Daily Beast's Dan Lyons reported that it's a lot easier than you think to hack into someone's account. Plus, David A. Graham on Weiner's playboy past.

Weiner denies tweeting the wiener, and there is no proof that the wiener even belongs to Weiner, but if the wiener is not Weiner's and if Weiner did not tweet the wiener, then to whom does the wiener belong and how did it get tweeted from Weiner's Twitter account?

These are the pressing questions in what has now come to be known as Weinergate, a would-be political scandal that began over the weekend when someone supposedly sent out a photo of a bulge-bearing pair of men's jockey shorts from the Twitter account of Rep. Anthony Weiner, a influential Democrat from New York.

The intended recipient of the photo was a young woman in Seattle who says she's a fan of Weiner's politics but has no interest in his bulges and is not his girlfriend.

Weiner claimed his Twitter account was hacked.

Right-wingers like Andrew Breitbart at BigGovernment.com gleefully pounced on the story, saying Weiner had been caught sending a naughty photo to a young lady who is not his wife.

Left-wingers on DailyKos, examining time stamps on photos and tweets, claim the whole thing was a hoax perpetrated by right-wingers—perhaps Breitbart himself—looking to smear a liberal.

So how plausible is Weiner's claim that hackers broke into his online accounts? After all, that's the same excuse that Rep. Christopher Lee lamely tried to use in February when he was caught sending a shirtless photo of himself to a woman he was hoping to meet via a Craiglist personal ad.

“It’s just someone with intent and access to a Web browser.”

Well, according to Herbert "Hugh" Thompson, a computer-security expert, breaking into someone's email or social-networking account can be relatively easy to do.

You don't have to find out the person's password. Instead, you just need to trick a site into letting you reset someone's password. It turns out that's not so difficult. The system will validate your identity by asking you to answer one or two security questions, like "What is your father's middle name?" or "What is the name of your favorite pet?"

And that stuff, these days, is pretty easy to find. "Fifteen years ago, the only people who would know your biographical information were people close to you, but now because so much information about you is being broadcast online, and not just by you but by your friends, your sister, your mother, your cousin—it's so easy for someone to quote-unquote 'know' you," says Thompson, an adjunct professor at Columbia University who teaches a course called Software Security and Exploitation.

A few years ago Thompson used this password-reset method to gain access to bank accounts belonging to friends who gave him permission to do it. Thompson wrote an article for Scientific American explaining exactly how to do it.

"It was a lot easier than I thought it would be," he says.

Websites like ancestry.com and intelius.com gather loads of information about people, Thompson says. (You have to pay a subscription fee to get that info.) On top of that, there are personal blogs, Facebook pages, Twitter streams. "We're all much more knowable to strangers than we ever were in the past," Thompson says.

The beauty of the password-reset method is that even if someone has created a really strong password, it's just as easy to break in as if they'd used a totally dumb easy password. "You can have a password with all sorts of special characters and upper-case letters, and it doesn't matter at all if your password-reset question is your grandfather's name and it takes me only 30 seconds to find that on Google," Thompson says.

One thing that irks Thompson: Gaining access via the password-reset break-in doesn't really even qualify as hacking. "Most of the time when people think about hacking they think about something that is pretty sophisticated, a guy waves a magic wand and the account is available. But these are very simplistic techniques. And that makes it pretty scary. In the past the person who could pull this stuff off had to be someone with intent and have some amount of technical skills, sort of an elite hacker. Now it's just someone with intent and access to a Web browser."

The kind of software security that Thompson teaches at Columbia is the stuff of elite hackers. His course is aimed at graduate students and perhaps a few undergraduate computer-science students who are advanced enough to follow along.

But while computer scientists concern themselves with studying sophisticated hacking methods, "more and more when we look at high-profile attacks it's the simple stuff that fails," Thompson says. "For a long time we've ignored the very simple low-tech hacking approach."

Another vulnerability stems from the fact that a lot of social-networking sites like Facebook and Twitter encourage users to stay logged on. "It's not like a bank where if you're idle for a few minutes you get logged off automatically," Thompson says. "The social-networking sites have a business model where there are incentives to keep you logged on as long as possible. But that creates interesting opportunities from a hack perspective."

Go away for a weekend, and all someone needs to do is get into your apartment, fire up your laptop, and they're already logged in to your accounts and can read all your mail.

A Twitter spokesman says users get logged off automatically once they finish using Twitter, unless they click the "remember me" box when they log in.

But if you do click "remember me," as many users do, how long will you remain logged in? The spokesman said he wasn't sure. He also sent a link to a page where Twitter explains how to keep your account secure.

Thompson says there are so many ways in which hackers could get into an account that "it's hard to know" what could have happened to Weiner's account. But he also points out that blaming things on hackers "can be a great scapegoat. You just say, 'Whoops, my bad, the thing got hacked.' "

Yesterday, three days after the story broke, Weiner started getting testy when reporters kept bugging him to talk about what happened. He said he wasn't going to talk about it anymore because he had more important work to do.

Apparently Weiner believes that if he just keeps dodging questions, the problem will go away. If so, he's as clueless about PR as he is about computer security.

Dan Lyons is technology editor at Newsweek and the creator of Fake Steve Jobs, the persona behind the notorious tech blog, The Secret Diary of Steve Jobs. Before joining Newsweek, Lyons spent 10 years at Forbes.