Yahoo's Government Email Scanner Was Not A Modified Spam Filter, But a Secret Hacking Tool: Motherboard

The spy tool that the US government ordered Yahoo to install on its systems last year at the behest of the NSA or the FBI was a "poorly designed" and "buggy" piece of malware, according to two sources closely familiar with the matter, reports Motherboard. From the article: Last year, the US government served Yahoo with a secret order, asking the company to search within its users' emails for some targeted information, as first reported by Reuters this week. It's still unclear what was the information sought, but The New York Times, citing an anonymous official source, later reported that the government was looking for a specific digital "signature" of a "communications method used by a state-sponsored, foreign terrorist organization." Anonymous sources told The Times that the tool was nothing more than a modified version of Yahoo's existing scanning system, which searches all email for malware, spam and images of child pornography. But two sources familiar with the matter told Motherboard that this description is wrong, and that the tool was actually more like a "rootkit," a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.

Buggy rootkit = 500 million accounts hacked?

[JoeyRox]

I wonder what the timeline is between when the NSA-instructed "buggy rootkit" scanner was installed vs when the 500m - 1b accounts were hacked.

It's not the intrusion per se

[wickerprints]

As I have always maintained, what is most troubling is not the government's surveillance itself, but the complete lack of accountability and oversight with respect to such policy, and that this deliberate opacity is used to hide government malfeasance under the pretense of protecting national security.

In a recent NPR interview I listened to on the radio, this is how the conversation played out: the interviewer kept focusing on drawing comparisons to situations where companies that collect and relay personal data might filter or flag such data for legitimate purposes (e.g., child pornography), and the interviewee did a remarkably poor job of addressing the real issue as I have mentioned above. So long as we focus on the legality of the surveillance itself, such discussions are a losing battle for advocates of privacy and personal liberty, because there are always persuasive moral, legal, and ethical arguments to be made in favor of some kind of broad but algorithmic surveillance without explicit human intervention or judgment. The real point of attack, then, is to bring attention to the fact that the government does their spying on the general public in a way that so totally removes any liability on their part that in the vast majority of cases, we either (1) do not know or cannot confirm the existence of such surveillance in the first place; (2) private corporations are coerced to cooperate and are prevented from divulging the methods used by the government to spy on users; (3) individuals who are subjects of surveillance are unable to defend themselves in a court of law because they aren't granted access to evidence; (4) there is no oversight of such surveillance programs to ensure no abuses take place or that it even operates as is claimed; (5) no results are ever shown that demonstrate the utility or effectiveness of such programs.

In short, if the government wants to throw our constitutional protections out the window in the name of keeping us safe, they could at least do it in a way that makes it clear that it's happening. But since they don't, the only logical conclusion is that they are entirely aware that their programs are illegal, hence the need to lie and hide. And this, I argue, is the root of the problem.