Slashdot Mirror


Yahoo's Government Email Scanner Was Not A Modified Spam Filter, But a Secret Hacking Tool: Motherboard (vice.com)

The spy tool that the US government ordered Yahoo to install on its systems last year at the behest of the NSA or the FBI was a "poorly designed" and "buggy" piece of malware, according to two sources closely familiar with the matter, reports Motherboard. From the article: Last year, the US government served Yahoo with a secret order, asking the company to search within its users' emails for some targeted information, as first reported by Reuters this week. It's still unclear what was the information sought, but The New York Times, citing an anonymous official source, later reported that the government was looking for a specific digital "signature" of a "communications method used by a state-sponsored, foreign terrorist organization." Anonymous sources told The Times that the tool was nothing more than a modified version of Yahoo's existing scanning system, which searches all email for malware, spam and images of child pornography. But two sources familiar with the matter told Motherboard that this description is wrong, and that the tool was actually more like a "rootkit," a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.

45 comments

  1. Hacking? by ArtemaOne · · Score: 3, Informative

    Are we going to continue to move away from the definition of this word? If they designed a program to sift through all of the email they host then that is not hacking. Using non-prescriptive methods is hacking. If a group of software engineers professionally designed this, that is not hacking.

    1. Re:Hacking? by Anonymous Coward · · Score: 0

      Are you saying that the holders of the email accounts reasonably knew or should have known, and implicitly consented to, the methods? If not, then maybe the definition you are using indeed requires revision.

    2. Re:Hacking? by Anonymous Coward · · Score: 0

      Hacking is not purely about consent or lack thereof, so no...

    3. Re:Hacking? by ArtemaOne · · Score: 3, Informative

      Email account holders were not users of the program. Email account holders were victims of an intentional intrusion that appears to violate constitutional law.

    4. Re: Hacking? by Anonymous Coward · · Score: 0

      Right, because your email provider reading your email is prevented by the Constitution.

      I don't understand how we can go from in the 90's nobody trusting the internet, we knew our service providers and everyone else in the middle could read our emails and communication (why SSL and PGP exists), but we didn't really care enough to ever use them and really weak laws against hacking and everybody knew the internet was basically an unregulated cesspool where anything goes, there are no borders, no laws, no nationalities, and you never get caught...

      Now I hear people constantly moan about the Constitution like the ONLY FUCKING PROBLEM with the internet is the US Government, and the Constitution is this magical bullet that limits the government from doing what you dislike.

    5. Re: Hacking? by ArtemaOne · · Score: 1

      You're continuing to misuse the term. See original post.

    6. Re: Hacking? by Anonymous Coward · · Score: 0

      Up until quite recently the US Government was a good 15 years behind everyone else. Their ability to track and monitor email amounted to local offices, organized in much the same way as a small business (very little tech support, servers running in closets, etc). Now that the Government has caught up with everyone else, and that they are deliberately breaking the 4th Amendment (you know, that right that you have to be secure in your possessions unless they have an actual motherfucking warrant?), it's considerably more important for people to know how to be safe.

      People are bitching, not because "the biggest problem on the internet is the US Government", but because "the biggest problem with the US Government is that they regularly break whatever laws they feel like to accomplish their task". Two different things.

      Of course, with you being an idiot this will all fly over your head, but I had to make the effort.

    7. Re: Hacking? by AHuxley · · Score: 2

      AC, because your gov/mil reading your email is prevented by the Constitution.
      Bulk domestic collection is not legal. The Foreign Intelligence Surveillance Act even has the word "Foreign" in it so courts, the wider public and staff can more easily understand what is legal.
      The Church Committee https://en.wikipedia.org/wiki/... went all over that the last time vast domestic spying was discovered.

      --
      Domestic spying is now "Benign Information Gathering"
  2. This is TRON, he fights for the Users. by Thud457 · · Score: 2

    This is GREP, he snoops for the NSA.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:This is TRON, he fights for the Users. by Black+Parrot · · Score: 1

      I wonder what the "rootkit" was looking for that the existing filters couldn't do. Looks at header information that content filters don't search? Correlating multiple messages?

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:This is TRON, he fights for the Users. by Gilgaron · · Score: 1

      Steganography, probably.

    3. Re:This is TRON, he fights for the Users. by Anonymous Coward · · Score: 0

      It wasn't looking for anything. It was just a backdoor into Yahoo's entire network, not just emails...

    4. Re:This is TRON, he fights for the Users. by Anonymous Coward · · Score: 0

      Likely to detect communication via saved drafts.

  3. Just die already! by Anonymous Coward · · Score: 0

    Seriously Yahoo, just die already.

    You are like a zombie that refuses to go down even after being shot in the chest 10 times.

    Nobody likes you. Nobody wants you.

    Don't make me get my shotgun...

    1. Re:Just die already! by Hylandr · · Score: 1

      What would happen if the zombies from Yahoo mated with Ebola victims of AOL? And would we still need to bus their asses around?

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    2. Re:Just die already! by Anonymous Coward · · Score: 0

      Zombies need to be shot in the head, dumbass. That's your problem.

  4. Buggy rootkit = 500 million accounts hacked? by JoeyRox · · Score: 4, Interesting

    I wonder what the timeline is between when the NSA-instructed "buggy rootkit" scanner was installed vs when the 500m - 1b accounts were hacked.

    1. Re:Buggy rootkit = 500 million accounts hacked? by Anonymous Coward · · Score: 0

      As delicious as it would be if this government-mandated snooping opened the door for the hacks... ...We have every reason to believe that Yahoo's demonstrated level of incompetence is, alone, enough to explain it all.

    2. Re:Buggy rootkit = 500 million accounts hacked? by Anonymous Coward · · Score: 2, Informative

      The accounts were hacked in 2014 and this was put in place in 2015 so not related. Not to say Yahoo wasn't doing something else we don't know about back then, or purposely not investing in security to give the feds a deniable way in, either seems likely for such a terrible company.

    3. Re:Buggy rootkit = 500 million accounts hacked? by Anonymous Coward · · Score: 0

      That was my first thought once both the incidents became known... and it would not surprise me at all if the snooping gateway was directly responsible for the account data hack.

    4. Re:Buggy rootkit = 500 million accounts hacked? by Anonymous Coward · · Score: 0

      I wonder what the timeline is between when the NSA-instructed "buggy rootkit" scanner was installed vs when the 500m - 1b accounts were hacked.

      why cannot they tell what they want instead if they weren't just some gays..

  5. It's not the intrusion per se by wickerprints · · Score: 5, Interesting

    As I have always maintained, what is most troubling is not the government's surveillance itself, but the complete lack of accountability and oversight with respect to such policy, and that this deliberate opacity is used to hide government malfeasance under the pretense of protecting national security.

    In a recent NPR interview I listened to on the radio, this is how the conversation played out: the interviewer kept focusing on drawing comparisons to situations where companies that collect and relay personal data might filter or flag such data for legitimate purposes (e.g., child pornography), and the interviewee did a remarkably poor job of addressing the real issue as I have mentioned above. So long as we focus on the legality of the surveillance itself, such discussions are a losing battle for advocates of privacy and personal liberty, because there are always persuasive moral, legal, and ethical arguments to be made in favor of some kind of broad but algorithmic surveillance without explicit human intervention or judgment. The real point of attack, then, is to bring attention to the fact that the government does their spying on the general public in a way that so totally removes any liability on their part that in the vast majority of cases, we either (1) do not know or cannot confirm the existence of such surveillance in the first place; (2) private corporations are coerced to cooperate and are prevented from divulging the methods used by the government to spy on users; (3) individuals who are subjects of surveillance are unable to defend themselves in a court of law because they aren't granted access to evidence; (4) there is no oversight of such surveillance programs to ensure no abuses take place or that it even operates as is claimed; (5) no results are ever shown that demonstrate the utility or effectiveness of such programs.

    In short, if the government wants to throw our constitutional protections out the window in the name of keeping us safe, they could at least do it in a way that makes it clear that it's happening. But since they don't, the only logical conclusion is that they are entirely aware that their programs are illegal, hence the need to lie and hide. And this, I argue, is the root of the problem.

    1. Re:It's not the intrusion per se by bedeutungslos · · Score: 1

      You aren't, to my mind, wrong. But the logical extension of your point is that the government just shouldn't have secrets. How do we catch terrorists or other enemies via their communications if we are obligated to announce exactly how we are monitoring communications, and which ones we are and are not tapped in to?

    2. Re:It's not the intrusion per se by wickerprints · · Score: 4, Insightful

      In some sense, yes: the government really shouldn't have secrets, at least in the context of withholding information that is needed to maintain their accountability to the American public, who are in principle the source of the government's power. This is the essential meaning of the famous conclusion of Lincoln's Gettysburg Address: "...that government of the people, by the people, for the people, shall not perish from the earth."

      The NSA is a good example of what happens when the government is entrusted to monitor the scope of its own secret-keeping. Their testimony to Congress after the Snowden revelations proves that they regard themselves as not accountable to the people, choosing to directly lie under oath to public officials, even if they believe that doing so ultimately serves the public interest.

      To address your more specific case of "how do we catch terrorists or other enemies via their communications if we are obligated to announce how we are monitoring communications," one could just as easily turn the argument around and ask how police can catch criminals if they are obligated to have probable cause and obtain warrants. That is to say, the constraints imposed upon the enforcement of the law are not defined by what is technologically or physically possible or expedient, but from the rights and responsibilities guaranteed by the law itself, and that it is the duty of law enforcement to work within the legal framework they are sworn to uphold, rather than to define that framework and not only choose what tactics are permissible, but prevent anyone but themselves from knowing what is permissible or not. Otherwise, we have no rights, and the government can act with impunity (e.g., extrajudicial killings, summary executions, warrantless search and seizure, all in the name of rooting out crime and terrorism). And we can easily point to contemporaneous examples of the consequences of such policies and see how this is essentially tyranny of the state and the collapse of democratic governance.

      How do we catch terrorists? To put it simply, good old fashioned detective work. Build and earn trust between the public and law enforcement. Rather than relying on the government to institute secret panopticon tactics, recognize that the public itself is a far better observer of illegal activities. There will be, of course, vehement criticism of such ideas as "naive" and "wildly idealistic." But it is actually eminently realistic because it begins with the recognition that not every threat can be stopped. What is unrealistic is the notion that a government can detect and respond to all threats through a sophisticated, secret, and pervasive surveillance network. That is the stuff of spy-thriller and dystopian sci-fi fantasy movies.

    3. Re: It's not the intrusion per se by Atomic+Fro · · Score: 1

      That's easy. We declare war and let the military do it. Say we are at war with ISIS or whoever and monitor their communications like the military complex would do in any other war.

      Of course domestic lone wolves would be off limits like they should be anyway. You can't be guilty of a crime without actually committing one. Obviously we've gone too far requiring ID and recording such information any time someone buys a pressure cooker, right? Right?

      --

      ==================
      Hippie Logger Jock
      ==================
    4. Re:It's not the intrusion per se by Anonymous Coward · · Score: 0

      As I have always maintained, what is most troubling is not the government's surveillance itself, but the complete lack of accountability and oversight with respect to such policy,

      As I have always maintained- it is so much worse than a lack of accountability and oversight. Perhaps in a thousand years anthropologists will dig deep in the details of the truth. I suspect the troubling lack of accountability and oversight was not as innocently passive as you suggest. Active coverup.

  6. That which is dead can never die by WillAffleckUW · · Score: 2

    The problem is you have people who call themselves hackers, unfamiliar with the underlying code and why it was built that way, trying to use a hammer as a pry bar.

    If you need a pry bar, make a pry bar. Make it from a cold pressed cylindrical bar, not from a piece of metal modified from a spade.

    We made the hammer, and the underlying code, for a different reason.

    They need to realize if you intend to sup from the well of souls, that you must first be able to drink deeply and without ceasing. And that the act of doing so has impacts.

    And, yes, they do care about you. FBI and NSA searches of specific people who are NOT supposed to be on the lists is a major problem, probably 90 percent of the actual individual searches. Happens in other spy systems as well. People are curious beasts, and they have their own motives which are contrary to the goals of the nation. They even justify violating our own Constitution by failing to understand WHY it says "Don't do this. Ever."

    --
    -- Tigger warning: This post may contain tiggers! --
  7. Re:Who gives a damn? by Wulf2k · · Score: 1

    And then, once it's in place and the bad men are caught, then sure. The agent can snoop on his ex-girlfriend's emails, for fun.

    Because why the hell not?

  8. well, it figures... by Anonymous Coward · · Score: 0

    Given that the feds can ask anything, using pressure that would be called extortion if I did it, then I guess they did snoop, pilfer and such.
    No accountability. No control. No search warrant.
    So why does it feel like the corporations should be on the phone to their congresscritters?
    Why does it feel like the state AGs should be investigating this heinous travesty of privacy and the citizens' rights to be secure in their papers, conversations, etc. ?
    This is why the US gov. has no trust by us. Don't let them play without supervision anymore.
    NO soup for YOU!

  9. Re:Who gives a damn? by Anonymous Coward · · Score: 0

    Every time I read a post like this, I mentally disregard it quickly. Who are you to say who someone else cares about or not, and just because you make up some scenarios as to one might not like it, that means anything else doesn't exist/the ones YOU presumed on 0 basis are true? Mayhap you, and people like you, would push support for stronger security and the like if you didn't argue like you had the reasoning skills of a potato.

  10. consider anything posted on the net Public Domain by Anonymous Coward · · Score: 0

    There is no such thing as bulletproof security on the internet. The Feds love the net because it's easier to police. Just think about what information can be gleaned from Facebook alone.

    Dsniff Mailsnarf has been around for a long time. Add some additional code to that and it's real easy to grep for keywords.

    as I said .. everything posted should be considered Public Domain. Encrypted or not.

    If you can't live with that don't post it on the internet.

    Also.. TOR networks were designed by the NSA so if you really think they don't have a back door in you are mistaken.

  11. Yahoo runs with non-denial again. by whoever57 · · Score: 1
    From TFA:

    " ...The mail scanning described in the article does not exist on our systems."

    "does not"? How about denying that it ever existed on their systems? Or perhaps there is some element of the description that isn't quite right (hence the "described in the article")?

    --
    The real "Libtards" are the Libertarians!
  12. If you Install it it is not Hacking. by Anonymous Coward · · Score: 0

    If you Install it it is not Hacking.
    If you gave it root it is not a root Kit.
    If it is Buggy then what does that mean? it crashed?
    You are allowed to install malware

  13. Dead-drop email accounts by planckscale · · Score: 1

    I recall reading an article where they described Daesh methods of communicating with potential recruits. The recruiters would create a new email account on Yahoo then create a draft email with instructions on where to go, who to meet, etc. They would never actually send the message, nor use the account for emailing. They would then only give the username/password to the recruits for the account, the recruit would log in, and then just read the message in the drafts folder. So the 'rootkit' probably only looked for: 1. New accounts created and were only logged into 1 or 2 times. 2. Look at the origin IP of the new account. 3. Look for login access of an account whose origin is wildly different than where it came from when created. Just a theory...

    --
    Namaste
  14. Re:Who gives a damn? by Anonymous Coward · · Score: 0

    Mod ^ up - this, seriously. You don't care about your rights, that's fine. I care about mine. Don't fuck it up for me.

    I had a friend once...anti-abortion....her logic: "I would never want to get an abortion, so it should be illegal."

    Nothing like forgetting you're sharing this planet with 7 billion other people that *might* have a different perspective.

  15. Re:Who gives a damn? by Anonymous Coward · · Score: 0

    The problem is that a gigantic percentage of the population hears "privacy", "NSA" or just reads the title and they immediately are outraged that somebody can read their E-mails. In reality, where some of us live, this doesn't mean a god damn thing. It means they will see the super secret recipe that your grandmother passed down, or see that you are getting scammed by 14 different companies. Tell me why you would not want the government looking at your E-mail. And be specific.

  16. Re:Who gives a damn? by AHuxley · · Score: 1

    Re "no harm in this."
    The United States Constitution is clear on what needs to be done to get a search warrant for domestic access.
    Once that color of law sets in to set aside constitutional protections from mil and gov tasking over generations, all other protections are lost.
    AC with sharing this goes to a city and state level. State task forces push requests up, other agencies push data down to the city and state level.
    A lot of local eyes are now getting to see, requesting or getting the product of such domestic tasking.

    --
    Domestic spying is now "Benign Information Gathering"
  17. Re:consider anything posted on the net Public Doma by Anonymous Coward · · Score: 0

    as I said .. everything posted should be considered Public Domain.

    Everything *posted* should be, yes. When I post a comment here on Slashdot the whole intent is for it to be viewed by the public. The same goes for what I post on Hackernews or Stack Overflow. It's a public forum.

    Two parties conducting a private conversation via email are not intending it to be viewed by the public. They should have an expectation of (and a right to) privacy. We shouldn't have to assume every keystroke is available to the government. That's a shitty world to live in, and anyone who helps make it happen is anti-American.

  18. America China Russia by Anonymous Coward · · Score: 0

    I can't find a difference.

  19. Government installs backdoor. 500mil account stolen by Anonymous Coward · · Score: 0

    That would make a great news headline, eh Yahoo?

  20. Yahoo Commenters Are Spied On by Anonymous Coward · · Score: 0

    Yahoo also sends your Yahoo comments to the government for analysis. Sure, comments are publicly posted, but they also send identifying information that is hidden, so you are instantly de-anonymized whenever you post a comment.

  21. Re:Who gives a damn? by TheRaven64 · · Score: 1

    You are absolutely right. No concentration of power in the hands of a few individuals has ever been abused. Certainly there's no history of NSA operatives abusing their agency's capabilities to spy on individuals for personal reasons. There's also no history of the FBI creating files to blackmail members of the government and influence policy. Nothing to see, move along.

    --
    I am TheRaven on Soylent News
  22. Maybe it wasn't the government? by Anonymous Coward · · Score: 0

    How does Yahoo know the government asked them for the access? Maybe it was the hackers that they seemed oblivious to for years? Do they really know? I don't trust Yahoo (less even than the government), as they sound incompetent.