Continued Disagreement And Confusion Over Yahoo Email Scanning
from the someone-needs-to-come-clean-for-real dept
The story behind Yahoo's apparently scanning over every email for the NSA continues to be... confusing. Earlier this week we noted some conflicting reports in the media on what was actually happening. The NY Times report said that it was via a FISA Court Order, which would be interesting, and would almost certainly require a declassification of the FISA opinion. However, Reuters insisted that it was actually under Section 702 of the FISA Amendments Act (which doesn't involve a FISA Court Order). So, confusion abounded.And now it's getting worse. That same NY Times report said that the system was just a modification of Yahoo's malware scanners for a particular snippet of text or code:
To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymityExcept, according to a new report from Motherboard, that's not actually true, and instead the NSA was asking Yahoo to install its own malware which was super buggy:
Anonymous sources told The Times that the tool was nothing more than a modified version of Yahoo’s existing scanning system, which searches all email for malware, spam and images of child pornography.That's more consistent with the original report in Reuters, which talked about the security team finding the code and believing it was malware. And, apparently the rootkit/malware code that the NSA gave Yahoo was super buggy and put everyone at risk:
But two sources familiar with the matter told Motherboard that this description is wrong, and that the tool was actually more like a “rootkit,” a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.
The rootkit-like tool was found by Yahoo’s internal security testing team during one of their checkups, according to a source.
“It definitely contained something that did not look like anything Yahoo mail would have installed,” the source added. “This backdoor was installed in a way that endangered all of Yahoo users.”A different article over at the Intercept has similar claims as well. It's possible that this is the same source going to multiple publications, or it could actually be different sources. Seeing as the language in the two articles is similar, it very likely is the same source though:
Another source, who also requested anonymity and was familiar with what happened, confirmed that describing the tool as a “buggy” “rootkit” is accurate.
According to the Yahoo alum, a mere “modification to [existing] mail filters wouldn’t have raised a red flag … [the security team] wouldn’t have been able to detect it in the first place.” Rather, Yahoo’s security team had detected “something novel, like something a hacker would have installed.” The team believed it “was or looked like a root kit,” a piece of software installed on a computer system to give a third party complete, invisible control. In this case, according to the ex-Yahoo source, it was “a program that runs on your servers that has access to incoming data.”And the buggy nature is also discussed as well:
“The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone’s Yahoo mail,” something the source attributed to “the fact that it was installed without any security review.”I'm guessing this is the same source who went to both publications, but it continues to raise more questions about this. Forcing Yahoo to actually install code is a big, big deal and gets back to the questions raised by the DOJ trying to force Apple to do the same thing. And, once again, this is the kind of thing the government isn't supposed to be able to do in secret. Yes, individual orders and details about who or what is being searched can and should be kept secret, but requiring a company to install code that sniffs through every email... that's not how these things are supposed to work.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: email, malware, mass surveillance, nsa, rootkit, scanning
Companies: yahoo
Reader Comments
Subscribe: RSS
View by: Time | Thread
'Could have' or 'did'?
A thought came to mind upon reading this. Not too long ago Yahoo apparently had a serious breach, with a ton of accounts compromised and data accessed. I think they made it out to be a rather sophisticated attach and would have required a large, potentially state level group to managed, but what if the angle of attack was thanks to the malware the article is saying that Yahoo was forced to install?
With a giant security hole like that in place it wouldn't have taken skill so much as luck to find and exploit it, as the biggest step was already accomplished thanks to the NSA and Yahoo.
[ link to this | view in thread ]
separate note: you oldsters who recall, doesn't this yahoo story feel like early watergate? in watergate, every attempt to dead-end the thing turned into a brand new avenue.
[ link to this | view in thread ]
Why would they care about quality?
[ link to this | view in thread ]
rootkit
[ link to this | view in thread ]
GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE
.
To sum up... the general catchphrase I'm using here is "Cyber Tripwire Technomae (software and hardware!)!... but, whatever it finally gets to couched under, it's software and/ or hardware that can "trip" an "intruder" at ANY LEVEL of traffic intrusion! And maybe in the future, one will find such technomae operating in REAL TIME, and overseen by Network Hubs, which-- in turn!-- are tied to PRIMARY SECTOR SECURITY STAKEHOLDER AGENCIES!
.
Please!... no emails!
[ link to this | view in thread ]
Re: 'Could have' or 'did'?
How ever, why forge a whole new tool when someones already given you one?
[ link to this | view in thread ]
Re:
.. I am not a crook. lol
[ link to this | view in thread ]
Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE
[ link to this | view in thread ]
Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE
.
Please!... no emails!
[ link to this | view in thread ]
Mutex not required
'repurposed scanner' are both
possible at the time.
[ link to this | view in thread ]
Re: Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE
The First Amendment states what the government can not do (see below) not what it can do - and says nothing about software.
The First Amendment states:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances
[ link to this | view in thread ]
Re: Re: Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE
.
Please!... no emails!
[ link to this | view in thread ]
Re: Re: Re: Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE
Get it?
[ link to this | view in thread ]
MB is smoking the wacky weed.
Whatever happened the action was on Yahoo servers, this wasn't done on customer computers. A rootkit would be where? There is no way any server is going to let the NSA install 'buggy' rootkits on their own servers. The technical details are just slopping over with the bullshit.
NSA/FBI sent their usual 'avoid/ignore the Constitution' letter and Yahoo did their legal duty. Now, what exactly that duty consisted of and whether there were any courts (rubber stamping or normal) involved at all are still unknown.
But, seriously, Motherboards sources need a quick lesson in techno terms so their next revelation doesn't stink quite so bad.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE
.
And yes!... I get it!... you're an IJIT!
.
Please!... no emails!
[ link to this | view in thread ]
Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE
Second, In terms of running a national tripwire network, something like that already exists, in the form of edge network DPI and overlay networks.
If the fed implemented distributed passive honeypot nodes instead of active forcibly compelled surveillance, they would have no problem getting capacity. Admins world wide would be tripping over themselves to help. But they don't. It is anyones guess as to why not.
I predict the FCC's new privacy rules are going to be criminally lax. The way you know that is that Tom Wheeler is talking about the data that service providers can release, NOT what data service providers can collect.
There is a distinction.
ISP's have no compelling technical reason to look at traffic above OSI layer 3. Doing so is an unauthorized, unprovoked, and unjustified intrusion into their customers privacy.
I predict what the FCC will announce, is normalizing criminal corporate surveillance for internal use, but restricting it for sales. Which is ridiculous, since the crime occurs at the moment of collection, not at the moment of redistribution.
This is similar to Citizens United in that it endows ISP's with rights beyond those of normal citizens and formalizes a class based hierarchy of legal rights based on title. I regard this as a contradiction of the intent of Article 1 Section 9.
But really it doesn't matter what the FCC says anyway. The only time they ever enforce the law is when the public complains. And the current level of intrusion into the civil rights and national discourse is sophisticated enough, that the public can't reasonably be expected to even know WHAT to complain about.
All the public knows is that it is being fucked with, and that it is pissing them off.
The engine light comes on. The car still runs. That doesn't mean you should drive it. But apparently the FCC is adopting the Clintonian motto: "Drive it like you stole it."
[ link to this | view in thread ]
Encryption is too complicated.
Then we will agree the government has the right to know what we are saying, watching, doing, eating, buying, ...
After all who would be interested in our lowly lives?
[ link to this | view in thread ]
Re: 'Could have' or 'did'?
[ link to this | view in thread ]
Re:
Amish hackers.
[ link to this | view in thread ]
Re: MB is smoking the wacky weed.
Umm, You seem to have a fundamental misunderstanding of corporate governance. If the CEO says "do it", it gets done.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: MB is smoking the wacky weed.
[ link to this | view in thread ]