Yahoo collaborating with US intelligence agencies

Today it was revealed that Yahoo has been scanning people’s email for the federal government.

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events. (Reuters)

This activity was, apparently, authorized by Yahoo CEO Marissa Meyer but not the former CSO Alex Stamos. Mr. Stamos left Yahoo in June 2015. He also publicly disagreed with the director of the NSA back in February 2015 about the NSA having access to encrypted data.

WttWColorEye_forBlog

This is probably the part where I’m supposed to write something insightful, but honestly, I don’t have much. Like many people, I’m shocked and dismayed at Marissa Meyer’s decisions to allow this. I’m also somewhat heartened by the fact that, reportedly, Yahoo staff detected the malicious software within a few weeks of it being deployed. Apparently the deployed software was buggy and could have been compromised by third parties.

On the heels of a major compromise of email accounts by “unrelated 3rd parties” I have to wonder how much more bad news Yahoo can take. They’ve had their ups and downs, but most folks I know who worked there don’t any longer. It’s certainly not a place anyone I know considers when looking for new jobs.

In many ways it’s sad to watch one of the foundations of the internet flail and fail. It didn’t have to be this way, I’m sure.

What’s interesting is who has commented on this.

Verizon: nothing I can find. If you remember, Verizon announced a deal to buy Yahoo for 4.83 billion dollars this past summer. The deal was supposed to close in Q1 2017. Wonder if Verizon is questioning their purchase now?

Other companies have responded.

Google: We didn’t and wouldn’t do this.

Microsoft: We didn’t and wouldn’t do this.

Twitter: We didn’t and wouldn’t do this.

Facebook: We didn’t, wouldn’t and will fight any attempt at this.

We know Apple has fought this kind of request, publicly. Interesting to note in that article, Yahoo is not one of the technology companies listed as supporting Apple’s stance.

I’m sure this isn’t going away any time soon. The internet, privacy, free speech, access, harassment, abuse… these are all issues many folks have hand waved around for a long time. Now we’re really going to have to start addressing them, not just with technology but also with real, concrete actions.

Affiliates can be liable for fraud
September 2016: The month in email

Related Posts

Traffic Light Protocol

If you’re sharing sensitive computer security information it’s important to know how sensitive a document is, and who you can share it with.
US-CERT and many other security organizations use Traffic Light Protocol as shorthand for how sensitive the information in a document is. It’s simple and easy to remember with just four colour categories: Red, Amber, Green and White. If you’re likely to come into contact with sensitive infosec data, or you just want to understand the severity of current leaks, it’s good to know that it exists.
 

Read More

The Cyber and The Security

Cybersecurity has been on my mind lately. There is a lot of bad stuff going on, from giant dDOS attacks, to subscription bombing, to the ongoing low level harassment that some people have to deal with on a daily basis. I’ve written a lot about how I think marketers are going to have to step up and stop being a conduit for abuse. I do believe this. There are a lot of different issues to discuss but there are also many, many different stake holders in the issue of cybersecurity.
I’ve been on multiple calls with different groups over the last few weeks discussing the implications of the subscription attack and how it was carried out. The majority of my focus is email and how to protect senders from becoming a conduit for abuse. Other folks participating on the call are looking at what abuse is out there and how to stop it or minimize it.
One thing that came up on a recent call is that the bulk of dDOS traffic that took Brian Krebs’ website down was from various Internet of Things devices. Security cameras, DVD players, televisions, lightbulbs and other connected devices were part of the problem. It’s a huge issue, and one that cannot simply be mitigated by just ISPs and providers. But convincing individuals to secure their lightbulbs can be a challenge, we can’t even protect their computers completely. Convincing companies to stop providing default usernames and passwords or using the same keys for every device is another challenge.
These are big issues that we’re going to have to deal with.
Last night, with 100 million of my virtual friends and a small group of local ones, I watched the first Presidential debate. Part of the debate was about cyber security. To misquote Vice President Biden, “Cybersecurity is a big freaking deal.” We have nation states, and groups with the resources of nation states, conducting covert operations online. We have hacking, compromises, bonnets and other malicious activity occurring every, single day. And, the more complex the site and the more users it has the more likely it is to be compromised. Cybersecurity is a critical part of national security and our own individual security. We must take it seriously and we must address it.
Now, I’ll be honestI don’t think there is a solution to the problem. I think, though, that there are hundreds of things we can do as individuals, as companies, as nations, as volunteer organizations, as NGOs and as coalitions to solve different parts of the problem. We all need to think about what it is and who’s doing the bad stuff.
It’s common to think of hackers as lonely boys in basements who have too much time and too little to do. Back in the ancient days of the spam wars some folks referred to them as “chickenboners“: beer drinking rednecks who ate fried chicken and threw the bones on the floors of their trailers. The reality even then, though, was that many spammers ran businesses and made a lot of money. Admittedly, the descriptions of how the business was run are cringe inducing and full of illegal activity.
Now, much of the hacking is actually organized crime outside the US. This makes it hard to address successfully through legal channels.
It’s all very complicated. But I think we can agree security is a big deal. We are all part of the solution, by securing our sites and our personal devices. We’re also part of the solution by paying attention to the larger issues and events going on around us.
 
 
 
 

Read More

Abuse, triage and data sharing

The recent subscription bombs have started me thinking about how online organizations handle abuse, or don’t as the case may be. Deciding what to address is all about severity. More severe incidents are handled first. Triage is critical, there’s never really enough time or resources to investigate abuse.
biohazardmail
What makes an event severe? The answer is more complicated that one might think. Some of the things that ISP folks look at while triaging incoming complaints include:

Read More