h1

You’re on your own. Act accordingly.

December 16, 2016

This post originally appeared October 5th, 2016. (My emphasis.)

surveillance, whistleblowing, and security engineering

[Update (12/14/16): Reuters has specified that the rootkit was implemented as a Linux kernel module. Wow.]

Yesterday morning, Reuters dropped a news story revealing that Yahoo installed a backdoor on their own infrastructure in 2015 in compliance with a secret order from either the FBI or the NSA. While we all know that the US government routinely asks tech companies for surveillance help, a couple aspects of the Yahoo story stand out:

1. The backdoor was installed in such a way that it was intercepting and querying all Yahoo Mail users’ emails, not just emails of investigation targets.

2. The program was implemented so carelessly that it could have allowed hackers to read all incoming Yahoo mail. Of course this also means FBI/NSA could have been reading all incoming Yahoo mail.

3. Yahoo execs deliberately bypassed review from the security team when installing the backdoor. In fact, when members of the security team found it within weeks of its installation, they immediately assumed it had been installed by malicious hackers, rather than Yahoo’s own mail team. (This says something about what the backdoor code may have looked like.)

4. Yahoo apparently made no effort to challenge this overly-broad surveillance order which needlessly put hundreds of millions of users at risk.

At the time this was happening, I was on the Yahoo Security team leading development on the End-to-End project. According to the Reuters report, the mail backdoor was installed at almost the exact same time that Alex Stamos and I announced the open-source launch of a Chrome extension for easy-to-use end-to-end encryption in Yahoo Mail at SXSW 2015. Ironically, if only we had been able to actually ship E2E, we would have given users a way to protect themselves from the exact backdoor scenario that they ended up in! […]

Most of all, keep pushing for end-to-end encryption.

H.T. Paul B

Since you can’t generally verify your e-mail provider’s security, you can’t trust their security. The only alternative is to provide your own security.

And the bigger lesson is that the U.S. government is relentless in its secret surveillance.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: