Continued Disagreement And Confusion Over Yahoo Email Scanning


from the someone-needs-to-come-clean-for-real dept

The story behind Yahoo’s apparently scanning over every email for the NSA continues to be… confusing. Earlier this week we noted some conflicting reports in the media on what was actually happening. The NY Times report said that it was via a FISA Court Order, which would be interesting, and would almost certainly require a declassification of the FISA opinion. However, Reuters insisted that it was actually under Section 702 of the FISA Amendments Act (which doesn’t involve a FISA Court Order). So, confusion abounded.

And now it’s getting worse. That same NY Times report said that the system was just a modification of Yahoo’s malware scanners for a particular snippet of text or code:

To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity

Except, according to a new report from Motherboard, that’s not actually true, and instead the NSA was asking Yahoo to install its own malware which was super buggy:

Anonymous sources told The Times that the tool was nothing more than a modified version of Yahoo’s existing scanning system, which searches all email for malware, spam and images of child pornography.

But two sources familiar with the matter told Motherboard that this description is wrong, and that the tool was actually more like a “rootkit,” a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.

The rootkit-like tool was found by Yahoo’s internal security testing team during one of their checkups, according to a source.

That’s more consistent with the original report in Reuters, which talked about the security team finding the code and believing it was malware. And, apparently the rootkit/malware code that the NSA gave Yahoo was super buggy and put everyone at risk:

“It definitely contained something that did not look like anything Yahoo mail would have installed,” the source added. “This backdoor was installed in a way that endangered all of Yahoo users.”

Another source, who also requested anonymity and was familiar with what happened, confirmed that describing the tool as a “buggy” “rootkit” is accurate.

A different article over at the Intercept has similar claims as well. It’s possible that this is the same source going to multiple publications, or it could actually be different sources. Seeing as the language in the two articles is similar, it very likely is the same source though:

According to the Yahoo alum, a mere “modification to [existing] mail filters wouldn’t have raised a red flag … [the security team] wouldn’t have been able to detect it in the first place.” Rather, Yahoo’s security team had detected “something novel, like something a hacker would have installed.” The team believed it “was or looked like a root kit,” a piece of software installed on a computer system to give a third party complete, invisible control. In this case, according to the ex-Yahoo source, it was “a program that runs on your servers that has access to incoming data.”

And the buggy nature is also discussed as well:

“The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone’s Yahoo mail,” something the source attributed to “the fact that it was installed without any security review.”

I’m guessing this is the same source who went to both publications, but it continues to raise more questions about this. Forcing Yahoo to actually install code is a big, big deal and gets back to the questions raised by the DOJ trying to force Apple to do the same thing. And, once again, this is the kind of thing the government isn’t supposed to be able to do in secret. Yes, individual orders and details about who or what is being searched can and should be kept secret, but requiring a company to install code that sniffs through every email… that’s not how these things are supposed to work.

Oct 8th 2016