A chess-playing hacker?
Submitted by
on Fri, 09/19/2008 at 10:43pm.
The latest news item is the chess-playing hacker, David Carl Kernell. David was born on October 27, 1986. His parents are Michael Kernell, Tennessee democratic state senator from the 93rd district in Memphis, and Lillian Landrigan, medical doctor. David learned how to play chess at the age of 7. He started playing in USCF-rated events in 2001 while living in Killeen, Texas. His first USCF rating was around 736. His family moved to Tennessee in 2002 where David continued to play in USCF-rated events and scholastic tournaments. In 2003, he played in the Junior High section of the Memphis Scholastic Championships. In 2004, he won the 58th Tennessee Open (High School) Scholastic Championship, held on September 3-5, 2004 . He also won the class B championship in the 58th Tennessee Open in 2004. He scored 4-0. In 2005, he won the 59th Open Scholastic Championship with a perfect 4-0, held in Crossville, Tennessee. The event was directed by Harry Sabine. His rating at the end of the tournament was 1820. There were 90 players in this event. He also played in the 59th annual Tennessee Open, taking 7th place and top Class A (defeating a 2087 player in the process). His rating at the end of the tournament was 1841. In 2006, he took 1st place in the Memphis Candidates tournament, scoring 5-0. In 2006, he took first place in the Memphis High School Championships, winning with a perfect 6-0 score. Also in 2006, he took 2nd place in the Memphis City Championship. He played board 1 for his high school, Germantown HS. In November, 2006, he took 2nd-3rd place in the 46th Mid-South Open, behind Semion Palatnik (2518) and tied with Ron Burnett (2447). In 2007, he played in 15 USCF-rated tournaments, with a USCF rating of 1961. In 2008, he played in the Pawn Power Open in Memphis and ended up with a current USCF rating of 1913. He has played in over 200 USCF rated tournaments since 2001.
In 2003, David, age 15, created a bio at the Apocoliptic visions blog site in which he stated that he would post some of his internet chess games in pgn format. He played chess at gameknot using the handle “rubicox.” He stated that his favorite and only hobby was chess, more like an obsession.
In 2006, David entered the Univeristy of Tennessee at Knowville majoring in Engineering Physics. He became active on some web sites, including the WikiProject Chess forum. His online handle was Rubicon or Rubinco10 or Rubico. His email account was rubico10@yahoo.com (now temporarily locked because of security concerns). His facebook account mentioned that he was a chess player. Rubicon is a development company that makes 3D Shogi (Japanese Chess). Rubico10 also had accounts on YouTube, Stream Community, and Newground. All these accounts are now closed.
On September 10, 2008, the Washington Post printed an article that Sarah Palin , governor of of Alaskaand vice-presidential candidate under Republican presidential candidate John McCain, stating that she had two Yahoo! e-mail accounts (gov.sarah@yahoo.com and gov.palin@yahoo.com). Discussions were then made on several blog sites and forums, including somethingawful.com as to how to crack the email account and making a contest out of it. There were a lot of password guesses, including trig1, etc (some sources say her password was SarahGuv). Someone also suggested using the yahoo forgotten password trick, and that the secret answer was jesus or something like that. Todd Palin, Sarah Palin’s husband, use the Yahoo account fek9wnr@yahoo.com (fe - Iron, k9 - dog wnr - winner). It is also his vehicle license tag in Alaska.
On September 16, 2008, a user named rubico (David Kernell?) attempted and succeeded in getting access to this account by resetting her account password using the Yahoo Mail’s password-recovery tool. He did this by answering three questions that Yahoo asks before resetting the password. The questions were her birthdate, her ZIP code, and where she met her spouse. A Wikipedia search shows that she was born February 11, 1964. Palin’s hometown is Wasilla, which has 5 zip codes (99629, 99652, 99654, 99687, 99694). She lives in the 99654 area. Palin met her spouse at Wasilla High. Once rubico guessed all this, he was prompted to enter a new password. He chose the new password “popcorn” (as on popcorn kernel) and was able to get access to Palin’s account.
Rubico then passed this information (screenshot of Palin’s Yahoo email account, username and password) that he hacked this email site on the 4chan bulletin board (www.4chan.org), using the pseudonym “Rubico.” 4chan is a popular bulletin board with members that are interested in Japanese and computer geek cultures. The most popular 4chan board is simply called /b/, which allows users to post on any random Rubico posted the information on /b/ around 4 am on Tuesday, September 16. Later, the moderator deleted the thread. Rubico returned to 4chan the next day, September 17, around 1 pm, and said that he was the lurker that "hacked" Palin's yahoo account and posted the captures.
Later, someone (rubico calls him the white knight) on /b/ logged into Palin's email account (probably with the new popcorn password), changed the password again, and sent an email to a friend of Sarah Palin, warning her and letting her know the new password. By now, other people were logging in and changing the password again, tripping the automated Yahoo freeze. Since then, the account has been deleted.
Rubico used the Ctunnel.com proxy server, run by Gabriel Ramuglia of Athens, Georgia. Ctunnel is an Internet anonymity service. A proxy server hides the source IP address from the website logging scripts. But he posted screenshots of the Yahoo account that showed the full URL which included the proxy server url (ctunnel.com) appended with a unique identifier ( http://ctunnel.com/index.php/1010110A/58a5cd1e8ab47088982c83282fd768456ebe14f44221026).
Rubico wanted to download all the emails, put them in one file, and put the file on rapidshare.com. He pawned this task off on Anonymous. Emails and pictures from the email site were put in the gossip site Gawkers and Wikileaks (http://www.wikileaks.org/wiki/VP_contender_Sarah_Palin_hacked). The emails did not contain any controversial information, or official Alaska government.
Blog sites are making fun of him as a nerdy chess player. One blog site asked if they played chess in Leavenworth (they do). Another said that rubico will be playing the role of a queen, then pawned off to other prisoners who will repeatedly penetrate the hole in his rear defenses. Other sites say that his room mates in prison won’t be playing chess. The will be playing poker.
One blog site says he is stupid, devious, hateful and cruel who has no other life other than chess (which explains a lot)...so he took his deep seated obsession with Palin and his hatred of women out on her and her family. There have already been alleged death threats against David’s father, Democratic State Representative. Mike Kernell, who had nothing to do with it, only said that David was an excellent chess player.
Some blog sites say that because David was an excellent chess player, solving the account login questions was almost an intellectual game or treasure hunt for him.
Under federal law (the Stored Communications Act and the Computer Fraud and Abuse Act- CFAA), e-mail hacker/crackers could face a fine and/or prison time ranging from six months to five years, depending on whether the hacker was snooping or intended to steal vital information or do. Most likely, the hacker will be prosecuted under the CFAA as a misdemeanor and not a felony. No actual loss was resulted from the hack. He will be prosecuted under 18 U.S.C. 1030(a)(2)(C), accessing a protected computer without authorization to obtain information. Sentencing would be up to six months. If the government thinks the hacker was only curious to see he he could hack into the account, little, if any, jail time would result.
By the way, after Fox News commentator Bill O'Reilly made comments about the Palin hack, his own site was hacked. A list of subscribers to his site found its way on the Internet (WikiLeaks), which included names, email addresses, city and state, and the password they use for their registration to the site.
As of September 22, 2008, David Kernell has not been charged and no complaints or warrants have been issued against Kernell. Gabriel Ramuglia, the webmaster of Ctunnell, said he was not sure the FBI was investigating the right man. He said that the IP address doesn't look consistent with David Kernell's IP address.
This isn’t the first time that hackers and chess came together. In 1996, hackers tried to close down the Internet Chess Club (ICC) with a series of denial of service attacks (SYN-flood attack).
In 2005, the Yahoo Chess JavaScript was hacked to change the time control or rating of a player.
In 2006, Dutch hackers cracked into Dutch voting machines and uploaded a chess-playing program.
Some chess blogs have been hacked and infected with viruses such as the JS/downloader agent using the iframe vulnerability.
In April, 2008, Barack Obama's campaign site on the web was exploited to redirect users to the URL of Hillay Clinton. A person called "Mox" took credit for this cross site scripting vulnerability.
Computer systems for both Barack Obama and John McCain were broken into during their campaigns and files were stolen. The computer systems were victims of a foreign cyberattack.
Hopefully, www.chess.com has never been successfully hacked, although some players have claimed they lost because someone hacked into the system and altered the chess clock or something. But then again, avoid being hacked. Use a good password (non-dictionary, alphanumeric and special character, 8 characters or better, and change it every few months) or passphrase, and don't use free email services to conduct official business if you work for the government. Don't answer a password recovery system's questions with something that could be guessed.
Here is one of David Kernell's recent games
| 2071 reads | 16 comments