Thursday, October 6, 2016

The organizational implications of Yahoo's email scanning

There are certainly a number of ways that one can go with the recent revelation that Yahoo scanned emails for a certain character string at the request of the U.S. National Security Agency (NSA), but I want to focus on one aspect of Yahoo's actions.

According to Reuters, Yahoo's actions were known by some affected departments, but not others.

[Yahoo Chief Executive Marissa] Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

In essence, one part of Yahoo made a change to Yahoo's internal systems without letting the security group know about it. To its credit, the security group discovered the change on its own (although one could argue that in the ideal world, the change should have been noticed within minutes, not weeks).

There were probably political reasons for this. Yahoo's then-Chief Information Security Officer, Alex Stamos, was publicly on the record as opposing NSA efforts to obtain information from U.S. Internet companies. In fact, Stamos is now at Facebook - Reuters claims that he resigned after he learned of Yahoo's cooperation with the NSA.

Before assuming that everything Mayer did was bad, the question should be asked - was there a valid reason for keeping the CISO in the dark about this effort?

One could claim that this was a legal matter and not a security matter. In addition, since the request was from the NSA, the existence of the program should only be revealed on a "need to know" basis - and one could claim that the CISO's job was to keep outsiders out of the system, and not to monitor what was going on in the inside.

As you might discern, I'm having a hard time making this argument. One of the greatest threats to a company is its own employees, and if a Yahoo employee is siphoning off email information - even if it is at the request of the NSA - the CISO should have been informed about it.

Would other Internet companies have behaved in the same way? Or, more importantly, DID they behave in the same way? As of now, the other companies are claiming that they didn't cooperate with the NSA, but you never know.

The important lesson is that when you change a system, ALL of the people affected by the decision should be informed of it.

And now we just have to wait for Julian Assange or a disgruntled ex-Yahoo employee to leak the email exchanges regarding the discovery of the email scans.

Or, maybe we don't have to wait. An unreliable source has just provided me with said email exchange, which you will not find anywhere else. (Hint, hint.)

To: Alex Stamos
From: Jane Jones
Subject: Skimming

Alex,

Attached are the logs that show that an internal program is skimming all Yahoo emails. The skimmer appears to be looking for a character string. To implement the program, the hacker gained privileges reserved to the most senior members of the email programming team. As a precaution, I recommend that we disable the senior privileges effective immediately.

= = =

To: Jane Jones
From: Alex Stamos
Subject: Re: Skimming

Jane, let me check around first. I have a bad feeling that these weren't outside hackers.

= = =

To: Jane Jones
From: Alex Stamos
Subject: Re: Skimming

Jane, hold off on those privileges. This program was authorized by Marissa, and the results are going to the NSA.

= = =

To: Alex Stamos
From: Jane Jones
Subject: Re: Skimming

Wisconsin Tourism Federation?

= = =

To: Jane Jones
From: Alex Stamos
Subject: Re: Skimming

Yeah. Um, don't tell anyone, but I'm driving down to Menlo Park. Gotta talk to someone about something.