Continued Disagreement And Confusion Over Yahoo Email Scanning

from the someone-needs-to-come-clean-for-real dept

The story behind Yahoo’s apparently scanning over every email for the NSA continues to be… confusing. Earlier this week we noted some conflicting reports in the media on what was actually happening. The NY Times report said that it was via a FISA Court Order, which would be interesting, and would almost certainly require a declassification of the FISA opinion. However, Reuters insisted that it was actually under Section 702 of the FISA Amendments Act (which doesn’t involve a FISA Court Order). So, confusion abounded.

And now it’s getting worse. That same NY Times report said that the system was just a modification of Yahoo’s malware scanners for a particular snippet of text or code:

To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo?s response, who also spoke on the condition of anonymity

Except, according to a new report from Motherboard, that’s not actually true, and instead the NSA was asking Yahoo to install its own malware which was super buggy:

Anonymous sources told The Times that the tool was nothing more than a modified version of Yahoo?s existing scanning system, which searches all email for malware, spam and images of child pornography.

But two sources familiar with the matter told Motherboard that this description is wrong, and that the tool was actually more like a ?rootkit,? a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.

The rootkit-like tool was found by Yahoo?s internal security testing team during one of their checkups, according to a source.

That’s more consistent with the original report in Reuters, which talked about the security team finding the code and believing it was malware. And, apparently the rootkit/malware code that the NSA gave Yahoo was super buggy and put everyone at risk:

?It definitely contained something that did not look like anything Yahoo mail would have installed,? the source added. ?This backdoor was installed in a way that endangered all of Yahoo users.?

Another source, who also requested anonymity and was familiar with what happened, confirmed that describing the tool as a ?buggy? ?rootkit? is accurate.

A different article over at the Intercept has similar claims as well. It’s possible that this is the same source going to multiple publications, or it could actually be different sources. Seeing as the language in the two articles is similar, it very likely is the same source though:

According to the Yahoo alum, a mere ?modification to [existing] mail filters wouldn?t have raised a red flag ? [the security team] wouldn?t have been able to detect it in the first place.? Rather, Yahoo?s security team had detected ?something novel, like something a hacker would have installed.? The team believed it ?was or looked like a root kit,? a piece of software installed on a computer system to give a third party complete, invisible control. In this case, according to the ex-Yahoo source, it was ?a program that runs on your servers that has access to incoming data.?

And the buggy nature is also discussed as well:

?The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone?s Yahoo mail,? something the source attributed to ?the fact that it was installed without any security review.?

I’m guessing this is the same source who went to both publications, but it continues to raise more questions about this. Forcing Yahoo to actually install code is a big, big deal and gets back to the questions raised by the DOJ trying to force Apple to do the same thing. And, once again, this is the kind of thing the government isn’t supposed to be able to do in secret. Yes, individual orders and details about who or what is being searched can and should be kept secret, but requiring a company to install code that sniffs through every email… that’s not how these things are supposed to work.

Filed Under: , , , , ,
Companies: yahoo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Continued Disagreement And Confusion Over Yahoo Email Scanning”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

'Could have' or 'did'?

“The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone’s Yahoo mail,

A thought came to mind upon reading this. Not too long ago Yahoo apparently had a serious breach, with a ton of accounts compromised and data accessed. I think they made it out to be a rather sophisticated attach and would have required a large, potentially state level group to managed, but what if the angle of attack was thanks to the malware the article is saying that Yahoo was forced to install?

With a giant security hole like that in place it wouldn’t have taken skill so much as luck to find and exploit it, as the biggest step was already accomplished thanks to the NSA and Yahoo.

John Mayor says:


What is needed is GLOBALLY MANDATED “CYBER TRIPWIRE SOFTWARE AND HARDWARE” for EVERY “ICT traffic level (e.g., from a chip’s gate, to the largest network configuration known to man!)”! And!… preferably!… overseen by the GLOBAL FOSS and FOSH communities! Although the ensuing is not exactly what I have in mind, it gives a “thumbnail sketch” of where I want us to go… see,… and…
To sum up… the general catchphrase I’m using here is “Cyber Tripwire Technomae (software and hardware!)!… but, whatever it finally gets to couched under, it’s software and/ or hardware that can “trip” an “intruder” at ANY LEVEL of traffic intrusion! And maybe in the future, one will find such technomae operating in REAL TIME, and overseen by Network Hubs, which– in turn!– are tied to PRIMARY SECTOR SECURITY STAKEHOLDER AGENCIES!
Please!… no emails!

Anonymous Coward says:


How is mandating the installation of specific software on all privately owned computer systems a First Amendment issue?

The First Amendment states what the government can not do (see below) not what it can do – and says nothing about software.

The First Amendment states:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances

John Mayor says:


And yes!… I get it!… you’re an IJIT!
Please!… no emails!

Anonymous Coward says:


First, a mandate isn’t required.

Second, In terms of running a national tripwire network, something like that already exists, in the form of edge network DPI and overlay networks.

If the fed implemented distributed passive honeypot nodes instead of active forcibly compelled surveillance, they would have no problem getting capacity. Admins world wide would be tripping over themselves to help. But they don’t. It is anyones guess as to why not.

I predict the FCC’s new privacy rules are going to be criminally lax. The way you know that is that Tom Wheeler is talking about the data that service providers can release, NOT what data service providers can collect.

There is a distinction.

ISP’s have no compelling technical reason to look at traffic above OSI layer 3. Doing so is an unauthorized, unprovoked, and unjustified intrusion into their customers privacy.

I predict what the FCC will announce, is normalizing criminal corporate surveillance for internal use, but restricting it for sales. Which is ridiculous, since the crime occurs at the moment of collection, not at the moment of redistribution.

This is similar to Citizens United in that it endows ISP’s with rights beyond those of normal citizens and formalizes a class based hierarchy of legal rights based on title. I regard this as a contradiction of the intent of Article 1 Section 9.

But really it doesn’t matter what the FCC says anyway. The only time they ever enforce the law is when the public complains. And the current level of intrusion into the civil rights and national discourse is sophisticated enough, that the public can’t reasonably be expected to even know WHAT to complain about.

All the public knows is that it is being fucked with, and that it is pissing them off.

The engine light comes on. The car still runs. That doesn’t mean you should drive it. But apparently the FCC is adopting the Clintonian motto: “Drive it like you stole it.”

David (profile) says:

MB is smoking the wacky weed.

Okay, the Motherboard piece is sort of in the deep outer reaches of logic, and has most likely exceeded it.

Whatever happened the action was on Yahoo servers, this wasn’t done on customer computers. A rootkit would be where? There is no way any server is going to let the NSA install ‘buggy’ rootkits on their own servers. The technical details are just slopping over with the bullshit.

NSA/FBI sent their usual ‘avoid/ignore the Constitution’ letter and Yahoo did their legal duty. Now, what exactly that duty consisted of and whether there were any courts (rubber stamping or normal) involved at all are still unknown.

But, seriously, Motherboards sources need a quick lesson in techno terms so their next revelation doesn’t stink quite so bad.

Mat (profile) says:

Re: MB is smoking the wacky weed.

… Except in this case, it looks like it is possible that they did install a buggy rootkit on their own servers. And given a server is nothing more than a computer, it can be rootkited or malwared just like any other computer. (The fact a security audit -caught- it and then stink flew actually makes this scenario sadly more plausible.

Ninja (profile) says:

Techdirt and others warned multiple times about the slippery slope that mass surveillance is. Orwell was prophetic. It won’t be a surprised if we come to know that the intel services are tapping directly into the major cables and infra-structure, inserting itself in the middle of everything. If it isn’t happening it will happen. Unless they are stopped. But the megalomaniac sociopaths in power these days don’t want this to stop.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...