David Kernell, the Tennessee college student who came under suspicion as the hacker who broke into the e-mail account of U.S. vice presidential candidate Sarah Palin, has been indicted by a federal grand jury, the U.S. Department of Justice announced today.
Kernell, 20, was indicted Tuesday on one count of accessing a computer without authorization by a grand jury in Knoxville, Tenn., and has turned himself in to the FBI, a DOJ spokeswoman said this morning. He will be arraigned later today and is currently in processing.
If convicted, Kernell faces up to five years in prison and a fine of $250,000.
Kernell, a student at the University of Tennessee at Knoxville, was the focus early on in the investigation of the hacking of Palin's Yahoo Mail account. Although initially a loose group of activists was blamed for the break-in -- which resulted in the public posting of several messages from her account -- Internet sleuths quickly assembled clues left online by a hacker identified as "rubico," who admitted to the break-in.
On Sept. 17, rubico posted a message to a popular message board claiming to have gained access to Palin's e-mail by using Yahoo's password reset feature. Others then quickly linked the rubico handle to the e-mail address "firstname.lastname@example.org," which was in turn linked to Kernell through Internet searches that uncovered connections between him, the username and the e-mail address on such sites as YouTube.
Within days, Gabriel Ramuglia, the webmaster of Ctunnel, a proxy service used by rubico, had traced the hacker's IP address to an Illinois company that provides Internet service to the Knoxville apartment complex where Kernell lives. The FBI searched Kernell's apartment on Sept. 21.
Claims made in the three-page indictment were in line with other details of the case. According to the grand jury, Kernell hacked into the Alaska governor's "email@example.com" account on or about Sept. 16 by using the Webmail service's password reset mechanism.
"Specifically, he reset the password to 'popcorn' by researching and correctly answering a series of personal security questions," the indictment read.
Rubico had bragged that it took just 45 minutes to do the online research needed to reset Palin's password, while others had remarked on the use of the "popcorn" password and its obvious link to Kernell's last name.
The three largest Web mail services, Google Inc.'s Gmail, Microsoft Corp.'s Windows Live Hotmail and Yahoo Inc.'s Mail, all rely on automated password-reset mechanisms that can be abused by anyone who knows the username associated with an account and an answer to a single security question.
The indictment alleges that Kernell took screenshots of several of Palin's messages, which he then posted on the 4chan.org site, which hosts the message board where rubico talked about the hack. Those screenshots were later published on the Wikileaks.org Web site. The indictment did not say how the images got from 4chan to Wikileaks.
"Defendant Kernell posted the reset password, thus providing the means of access to the e-mail account for others," the indicted stated, and noted that at least one other person used the reset password to access Palin's account.
Kernell also tried to hide his track by deleting and concealing files on his notebook computer, the indictment said.
Kernell is the son of Mike Kernell, a longtime Democratic state representative from Memphis.