Continued Disagreement And Confusion Over Yahoo Email Scanning

from the someone-needs-to-come-clean-for-real dept

The story behind Yahoo apparently scanning every incoming email for the NSA continues to be... confusing. Earlier this week we noted some conflicting reports in the media on what was actually happening. The NY Times report said that it was done under a FISA Court order, which would be interesting, and would almost certainly require declassification of the FISA Court opinion. Reuters, however, insisted that it was actually done under Section 702 of the FISA Amendments Act, which works through directives to providers rather than an individualized FISA Court order. So, confusion abounded.

And now it's getting worse. That same NY Times report said that the system was just a modification of Yahoo's existing malware scanner, tuned to look for a particular snippet of text or code:
To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity
Except, according to a new report from Motherboard, that's not actually what happened. Instead, the NSA had Yahoo install a tool of its own, which the sources describe as a buggy rootkit:
Anonymous sources told The Times that the tool was nothing more than a modified version of Yahoo’s existing scanning system, which searches all email for malware, spam and images of child pornography.

But two sources familiar with the matter told Motherboard that this description is wrong, and that the tool was actually more like a “rootkit,” a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.

The rootkit-like tool was found by Yahoo’s internal security testing team during one of their checkups, according to a source.
That's more consistent with the original report in Reuters, which talked about the security team finding the code and believing it was malware. And apparently the rootkit-like code that the NSA gave Yahoo was buggy enough to put every Yahoo user at risk:
“It definitely contained something that did not look like anything Yahoo mail would have installed,” the source added. “This backdoor was installed in a way that endangered all of Yahoo users.”

Another source, who also requested anonymity and was familiar with what happened, confirmed that describing the tool as a “buggy” “rootkit” is accurate.
A different article over at the Intercept makes similar claims. It's possible that this is the same source going to multiple publications, or it could be different sources; given how similar the language in the two articles is, it very likely is the same source. Note the distinction the source draws: a change to the existing mail filters would not have stood out, whereas a new program running on the servers did:
According to the Yahoo alum, a mere “modification to [existing] mail filters wouldn’t have raised a red flag … [the security team] wouldn’t have been able to detect it in the first place.” Rather, Yahoo’s security team had detected “something novel, like something a hacker would have installed.” The team believed it “was or looked like a root kit,” a piece of software installed on a computer system to give a third party complete, invisible control. In this case, according to the ex-Yahoo source, it was “a program that runs on your servers that has access to incoming data.”
The careless implementation comes up as well:
“The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone’s Yahoo mail,” something the source attributed to “the fact that it was installed without any security review.”
I'm guessing this is the same source who went to both publications, but either way it raises more questions. Forcing Yahoo to actually install code is a big, big deal and gets back to the questions raised by the DOJ trying to force Apple to do the same thing. It is also, from a security standpoint, exactly the risk critics of such demands keep pointing to: a program with read access to every incoming message, installed on production servers without a security review, is a single point of compromise for the whole mail system, and whoever compromises it inherits that access. And, once again, this is the kind of thing the government isn't supposed to be able to do in secret. Yes, individual orders and details about who or what is being searched can and should be kept secret, but requiring a company to install code that sniffs through every email... that's not how these things are supposed to work.
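The detection the sources describe above (a security team's routine checkup turning up a program that should not have been on the mail servers) is, in practice, a file-integrity baseline comparison. The following is an added example, not anything from Yahoo, the NSA or the articles quoted: it baselines a constructed directory tree standing in for a mail server, then re-scans after a hypothetical "intercept_tap" executable is dropped in and an existing filter rule is edited, and reports what changed. The file names, paths and rule contents are invented for the demo.

```python
"""
File-integrity baseline check, in the spirit of the "checkup" that the
article says found a novel program on Yahoo's mail servers.  Added example;
not Yahoo's tooling, whose details the article does not give.  The directory
layout and file contents below are constructed for the demo.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream-hash a file so large mail binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash
    and permission bits.  Symlinks are skipped rather than followed."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.lstat()
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": _sha256(path),
                "mode": stat.S_IMODE(st.st_mode),
            }
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every difference between two manifests.  'added' entries are
    the 'novel' files an intrusion leaves behind; 'modified' covers tampered
    filters and configuration."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    # New executables or loadable modules deserve the loudest alarm: they
    # are what a rootkit-style install looks like on disk.
    suspicious = [
        p for p in added
        if (current[p]["mode"] & stat.S_IXUSR) or p.endswith((".so", ".ko"))
    ]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Baseline a constructed mail-server tree, simulate an unreviewed
    interception program being installed plus a quiet filter edit, and
    return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "filters").mkdir()
        (root / "filters" / "spam.rules").write_text("score subject:viagra 5\n")
        (root / "bin").mkdir()
        (root / "bin" / "mailscan").write_bytes(b"#!/bin/sh\nexit 0\n")
        os.chmod(root / "bin" / "mailscan", 0o755)
        baseline = build_manifest(root)

        # A "novel" executable sitting on the incoming mail path (hypothetical
        # name and contents)...
        tap = root / "bin" / "intercept_tap"
        tap.write_bytes(b"#!/bin/sh\ncat /var/spool/mail/* > /tmp/out\n")
        os.chmod(tap, 0o755)
        # ...and a quieter change to an existing filter rule.
        (root / "filters" / "spam.rules").write_text(
            "score subject:viagra 5\nmatch body:<selector> forward\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the diff. The "added" bucket is what the Intercept source calls "something novel"; the "modified" bucket shows why a mere filter edit is quieter: it only surfaces if the baseline covers configuration files and not just binaries. A real deployment keeps the baseline manifest off the host and signed, since a tool running as root can otherwise rewrite it.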

Filed Under: email, malware, mass surveillance, nsa, rootkit, scanning
Companies: yahoo


Reader Comments


  1. That One Guy (profile), 7 Oct 2016 @ 5:18pm

    'Could have' or 'did'?

    “The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone’s Yahoo mail,

    A thought came to mind upon reading this. Not too long ago Yahoo apparently had a serious breach, with a ton of accounts compromised and data accessed. I think they made it out to be a rather sophisticated attack that would have required a large, potentially state-level group to manage, but what if the angle of attack was thanks to the malware the article is saying that Yahoo was forced to install?

    With a giant security hole like that in place it wouldn't have taken skill so much as luck to find and exploit it, as the biggest step was already accomplished thanks to the NSA and Yahoo.

  2. Anonymous Coward, 7 Oct 2016 @ 5:21pm

    buggy . . . you mean like with a fringe on top? i made a wrong turn somewhere and got stuck in the wrong century.

    separate note: you oldsters who recall, doesn't this yahoo story feel like early watergate? in watergate, every attempt to dead-end the thing turned into a brand new avenue.

  3. pixelpusher220 (profile), 7 Oct 2016 @ 8:58pm

    Why would they care about quality?

    The NSA benefits from a sloppy install. Once they get the info, having hackers come in and mess things up covers their tracks.

  4. Unanimous Cow Herd, 7 Oct 2016 @ 9:50pm

    rootkit

    admin tool

  5. John Mayor, 7 Oct 2016 @ 10:15pm

    GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE

    What is needed is GLOBALLY MANDATED "CYBER TRIPWIRE SOFTWARE AND HARDWARE" for EVERY "ICT traffic level (e.g., from a chip's gate, to the largest network configuration known to man!)"! And!... preferably!... overseen by the GLOBAL FOSS and FOSH communities! Although the ensuing is not exactly what I have in mind, it gives a "thumbnail sketch" of where I want us to go... see, https://en.wikipedia.org/wiki/Open_Source_Tripwire... and... https://en.wikipedia.org/wiki/Intrusion_detection_system
    .
    To sum up... the general catchphrase I'm using here is "Cyber Tripwire Technomae (software and hardware!)!... but, whatever it finally gets to couched under, it's software and/ or hardware that can "trip" an "intruder" at ANY LEVEL of traffic intrusion! And maybe in the future, one will find such technomae operating in REAL TIME, and overseen by Network Hubs, which-- in turn!-- are tied to PRIMARY SECTOR SECURITY STAKEHOLDER AGENCIES!
    .
    Please!... no emails!

  6. That Anonymous Coward (profile), 7 Oct 2016 @ 11:48pm

    Re: 'Could have' or 'did'?

    IIRC (90% chance) the insertion of the spyware was after the alleged nation state hacking.

    However, why forge a whole new tool when someone's already given you one?

  7. Anonymous Coward, 8 Oct 2016 @ 5:23am

    Re:

    So Trump/Putin are the modern version of Tricky Dick & Co ?

    .. I am not a crook. lol

  8. Anonymous Coward, 8 Oct 2016 @ 5:24am

    Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE

    Mandatory anything is stupid and doomed to failure.

  9. John Mayor, 8 Oct 2016 @ 7:52am

    Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE

    Yeah!... like the 1st Amendment! Dumb me!
    .
    Please!... no emails!

  10. SpaceLifeForm, 8 Oct 2016 @ 9:37am

    Mutex not required

    A 'buggy rootkit' and a
    'repurposed scanner' are both
    possible at the time.

  11. Anonymous Coward, 8 Oct 2016 @ 10:56am

    Re: Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE

    How is mandating the installation of specific software on all privately owned computer systems a First Amendment issue?

    The First Amendment states what the government can not do (see below) not what it can do - and says nothing about software.

    The First Amendment states:
    Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances

  12. John Mayor, 8 Oct 2016 @ 2:01pm

    Re: Re: Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE

    If the 1st Amendment wasn't MANDATED... O-H "T-H-I-C-K-H-E-A-D-E-D O-N-E!... then you wouldn't have a protection for the N-O-N-S-E-N-S-E you've offered up on techdirt!... T-W-I-C-E!! GEEZ!!
    .
    Please!... no emails!

  13. Anonymous Coward, 8 Oct 2016 @ 3:03pm

    Re: Re: Re: Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE

    Again ... the 1st states what the government can not do.

    Get it?

  14. David (profile), 8 Oct 2016 @ 5:07pm

    MB is smoking the wacky weed.

    Okay, the Motherboard piece is sort of in the deep outer reaches of logic, and has most likely exceeded it.

    Whatever happened the action was on Yahoo servers, this wasn't done on customer computers. A rootkit would be where? There is no way any server is going to let the NSA install 'buggy' rootkits on their own servers. The technical details are just slopping over with the bullshit.

    NSA/FBI sent their usual 'avoid/ignore the Constitution' letter and Yahoo did their legal duty. Now, what exactly that duty consisted of and whether there were any courts (rubber stamping or normal) involved at all are still unknown.

    But, seriously, Motherboard's sources need a quick lesson in techno terms so their next revelation doesn't stink quite so bad.

  15. John Mayor, 8 Oct 2016 @ 8:21pm

    Re: Re: Re: Re: Re: Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE

    NOPE!... IT STATES WHAT THE AMERICAN GOVERNMENT M-U-S-T D-O!... I-S M-A-N-D-A-T-E-D T-O D-O!... I.E., T-O N-O-T A-B-R-I-D-G-E-- A-T L-E-A-S-T!-- F-R-E-E E-X-P-R-E-S-S-I-O-N I-N T-H-E L-A-W-S T-H-A-T I-T M-A-Y C-R-E-A-T-E! AND!... THE ISSUE OF WHAT THE AMERICAN GOVERNMENT MUST NOT DO, DOES NOT NEGATE THE "MANDATION" IT HAS IMPOSED, RESPECTIVE OF THE LAWS ALLUDED TO!
    .
    And yes!... I get it!... you're an IJIT!
    .
    Please!... no emails!

  16. Anonymous Coward, 9 Oct 2016 @ 7:52am

    Re: GLOBALLY MANDATED CYBER TRIPWIRE TECHNOMAE

    First, a mandate isn't required.

    Second, In terms of running a national tripwire network, something like that already exists, in the form of edge network DPI and overlay networks.

    If the fed implemented distributed passive honeypot nodes instead of active forcibly compelled surveillance, they would have no problem getting capacity. Admins world wide would be tripping over themselves to help. But they don't. It is anyone's guess as to why not.

    I predict the FCC's new privacy rules are going to be criminally lax. The way you know that is that Tom Wheeler is talking about the data that service providers can release, NOT what data service providers can collect.

    There is a distinction.

    ISPs have no compelling technical reason to look at traffic above OSI layer 3. Doing so is an unauthorized, unprovoked, and unjustified intrusion into their customers' privacy.

    I predict what the FCC will announce, is normalizing criminal corporate surveillance for internal use, but restricting it for sales. Which is ridiculous, since the crime occurs at the moment of collection, not at the moment of redistribution.

    This is similar to Citizens United in that it endows ISPs with rights beyond those of normal citizens and formalizes a class-based hierarchy of legal rights based on title. I regard this as a contradiction of the intent of Article 1 Section 9.

    But really it doesn't matter what the FCC says anyway. The only time they ever enforce the law is when the public complains. And the current level of intrusion into the civil rights and national discourse is sophisticated enough, that the public can't reasonably be expected to even know WHAT to complain about.

    All the public knows is that it is being fucked with, and that it is pissing them off.

    The engine light comes on. The car still runs. That doesn't mean you should drive it. But apparently the FCC is adopting the Clintonian motto: "Drive it like you stole it."

  17. Average Loser., 10 Oct 2016 @ 1:16am

    Encryption is too complicated.

    And we will whine and squirm and do anything to avoid spending 10 minutes to set it up.
    Then we will agree the government has the right to know what we are saying, watching, doing, eating, buying, ...
    After all who would be interested in our lowly lives?

  18. Anonymous Coward, 10 Oct 2016 @ 5:49am

    Re: 'Could have' or 'did'?

    Wait. Didn't the US government blame that on the Russians?

  19. Anonymous Coward, 10 Oct 2016 @ 5:51am

    Re:

    buggy . . . you mean like with a fringe on top? i made a wrong turn somewhere and got stuck in the wrong century.

    Amish hackers.

  20. Anonymous Coward, 10 Oct 2016 @ 5:59am

    Re: MB is smoking the wacky weed.

    There is no way any server is going to let the NSA install 'buggy' rootkits on their own servers.

    Umm, You seem to have a fundamental misunderstanding of corporate governance. If the CEO says "do it", it gets done.

  21. Ninja (profile), 11 Oct 2016 @ 5:21am

    Techdirt and others warned multiple times about the slippery slope that mass surveillance is. Orwell was prophetic. It won't be a surprise if we come to know that the intel services are tapping directly into the major cables and infrastructure, inserting themselves in the middle of everything. If it isn't happening it will happen. Unless they are stopped. But the megalomaniac sociopaths in power these days don't want this to stop.

  22. Mat (profile), 11 Oct 2016 @ 11:32am

    Re: MB is smoking the wacky weed.

    ... Except in this case, it looks like it is possible that they did install a buggy rootkit on their own servers. And given a server is nothing more than a computer, it can be rootkited or malwared just like any other computer. (The fact a security audit -caught- it and then stink flew actually makes this scenario sadly more plausible.)
