
Yahoo installed a backdoor for the NSA behind the back of the security team - xenophonf
https://diracdeltas.github.io/blog/surveillance/
======
peterkelly
I know this is from October, but it warrants re-reading now.

Today, Yahoo announced a hack of 1B accounts. They say they don't know who it
is, but we can conclude it's not the US government because Yahoo is willing
and legally able to publicly disclose it.

Previously, Yahoo willingly assisted an attacker in compromising 1B accounts.
In this case, they did not disclose the attack publicly, _or even to their own
chief information security officer_, because in that instance the attacker
was the US government itself.

US intelligence activities are actively harmful to American commercial
interests because they destroy trust, particularly from customers elsewhere in
the world.

[1] [http://arstechnica.com/tech-policy/2016/10/report-fbi-andor-...](http://arstechnica.com/tech-policy/2016/10/report-fbi-andor-nsa-ordered-yahoo-to-build-secret-e-mail-search-tool/)

~~~
uiri
Given its government's track record, I would think that data centers in the US
should be walled off in much the same way as data centers in China. It is
frankly surprising that American companies are blind to their own government's
track record for indiscriminately spying on its citizens and people around the
world.

~~~
avdempsey
You mean American companies like Apple? Whether you trust them or not they've
certainly brought it up. Though they might not label the spying
indiscriminate; maybe still 'criminate.

Or are Chinese companies doing some interesting walling-off?

~~~
brazzledazzle
Google encrypting traffic flowing between data centers seems to reflect
significant awareness of the issue too.

~~~
dlubarov
When I worked at Square we required mutual TLS for almost all service-to-
service communication within a datacenter, so sniffing traffic within the
datacenter wouldn't be fruitful either (assuming no weakness in the cipher or
TLS stack). Is that not common elsewhere?

~~~
granos
No.

I've had to explain to clients on numerous occasions why I enabled TLS between
things in the same data center. Security requires layers and just because the
data is on a network you own doesn't mean nobody can get in.

------
walrus01
I seriously think that to get a CS or EE (or similar) B.Sci degree, you
should be required to take at least one full-term-length ethics course. Same
idea as the ethics courses taught to junior law students.

The internet is already fucked up enough with governments and rogue
corporations messing with its AS-adjacency topology in non-free ways at OSI
layers 1-3, before you even get into stuff like writing backdoors at layer 4+
to pass all email to the NSA.

~~~
marcoperaza
When you get a legally-binding order from the government of the United States
of America, and exhaust your legal appeals, you either comply or go to prison.
An ethics course won't do you any good.

~~~
kabdib
Options:

- Refuse to take action. They want engineering done, they can bloody well do
it themselves. Don't type a single keystroke in the direction of helping them.

- Announce what is going on anonymously. Plenty of avenues for this.

- Announce what is going on, publicly. See if they do indeed want to take you
to court.

- Quit.

- Take down the service. Much easier if the service is only a part of your
company. Helps a lot if you don't retain the information they're looking for.

- Lie.

- Destroy records (this is by far the riskiest action here, above a simple
public announcement).

- Delay. And delay more.

- Keep information outside the jurisdiction, possibly controlled by a third
party who will not comply with orders.

- Misunderstand ("Is that a one, or an ell?")

Most of these will get you into trouble, a few won't. Most of these are really
difficult roads.

I've given this some thought before. If I found a backdoor in a product, I
would remove it with a tracking bug and a checkin, and send internal email
about a really bad bug that I'd just fixed; the more internal people that
know, the better. And if a VP showed up and berated me, I'd just tell them to
fuck off, and quit if it came to that.

~~~
marcoperaza
If you want to quit to refuse to help, fine, but I take serious issue with
what you're suggesting beyond that.

These are the legal actions of the United States government, executing the
authority given to them by the people's elected representatives, and overseen
by a judiciary duly selected according to the constitutional procedures. Their
legal and democratic authority is unassailable.

Further, you don't know what motivated these actions. Is it intelligence about
a specific threat? Has the government identified how a specific adversary
operates? You could be impeding the investigation into a deadly plot. You have
no way of knowing this.

This isn't a game. We have real enemies who would gladly kill all of us. We
have processes as a society for deciding how we defend ourselves. If you don't
like our current policies, then exercise your vote, exercise your right to
speak and publish and assemble. But don't usurp the sovereignty of the people
of this country.

~~~
nnq
Not an American, but the idea is that _passive aggressiveness / mild sabotage
from citizens_ is just another way of expression, just like voting. And _it
works for the purpose and/or towards democracy!_

This is imho the _untold truth about why most communist / socialist regimes
failed:_ people at all levels of society started doing their work gradually
worse and worse, pissed off and stressed out by the lack of freedom and
constant interference from state organs, until everything collapsed, and
people now live in better economies and freer _because_ they've destroyed
their previous systems. Yeah, most of the people who performed such "low level
sabotage" will not even recognize to themselves that they did it. And yeah,
bad governments were also helped to fail by external interference and external
sabotage, but imho a "socialist regime where the people would truly believe in
socialism/communism" could have worked out and had good economic performance,
The problem is that when "good economic performance" can only be had at too high
a cost in "individual personal freedom", people will start, even
subconsciously motivated, without admitting even to themselves what they are
doing, and with insect-like non-communicative coordination, to slowly and
methodically weaken the system they live in from within, until it crumbles,
even at the cost of their own lives sometimes.

This was America's secret weapon that helped "win the cold war" - people's
inner "instinct for freedom or death" - thank god we all have it and a race
of subhumans lacking it has not yet been engineered! It might also be the
reason why so many Americans "voted for Trump", though this was probably
engineered by some really smart "puppet masters" - the guy is clearly a "man
of the establishment" despite its clown persona...

Of course, there is no "monument to the lazy and drunk soviet worker that
helped take down communism". And there will be no monument for the Google
employee that writes a subtle bug in the "government reporting module XYZ" :)
Of course, if the gov doesn't abuse its power and ask for too much, that poor
programmer might not be so "overwhelmed" by its duties so as to make stupid
"mistakes" with dire consequences...

~~~
CapacitorSet
That's an extremely rose-tinted narrative.

~~~
pjc50
Well, Stanislav Petrov won a Nobel Prize for refusing to follow orders ...

~~~
barry-cotter
No he didn't. He won the Dresden prize, whatever that is.

------
ryanmarinoff
With the way the execs of Yahoo handled the 2015 back door, there is a
likelihood that the 1 billion + 500 million compromised accounts were due to
an exec decision that no one knew about. That individual or group of
individuals may not be at Yahoo, and kept everything quiet. Or, the
individuals may not even know that they did it!

------
brian-armstrong
Let's say you were on security and found it on the network. Would you
somehow be bound by a gag order about it, since you would never have seen said
gag order?

~~~
viraptor
I think it's irrelevant in practice. (In theory, that's an interesting
question.) You're not making the decision to make this public. If you're on the
security team, you're going to notify the boss, and at that scale of the
system compromise this goes all the way to the top. At that point someone who
knows about the gag order is in the chain.

The only scenario where I think the question matters is if you do something
really stupid that would get you fired if this was an actual exploited
external access.

~~~
derefr
Let's say an unaffiliated third party (white-hat hacker) found the exploit and
reported it to you under a Bug Bounty program. Let's also say that that third
party was someone who followed "responsible disclosure" rules, and said that
they'd publicize the vulnerability if you didn't do so yourself within a short
time-frame. You investigate (by asking your team, your boss, looking at the
bug tracker, etc.) and figure out it's an NSA backdoor. Now what do you do?
Are you allowed to talk to the white-hat? Are you allowed to _not_ talk to the
white-hat, knowing that this would result in the white-hat reporting the
vulnerability and thus compromising the investigation?

~~~
neuland
Whether or not the company is doing everything they can to resist the order, I
think that NSLs are always accompanied by a clear communication channel
between a company's counsel and the agency.

So, after someone under the gag realizes the situation, they get the company's
lawyers in contact with the agency to see what to do. The agency would then
gag the white hat.

IMO, that's a huge part of why NSLs are scary. You are in an absolute
stranglehold and are at the mercy of the agency for your every move.

If I remember correctly, people even had to argue for the ability to talk to a
lawyer about receiving an NSL. So, the feds are really not messing around here
and will do absolutely everything to ruin you if you don't cooperate fully.
Any perceived resistance is crushed.

~~~
hollander
> So, after someone under the gag realizes the situation, they get the
> company's lawyers in contact with the agency to see what to do. The agency
> would then gag the white hat.

He doesn't live in the US. Once he realizes this is going on, he'll disclose.

------
greenyoda
This is an old story that was discussed extensively when it was new (in
October):

[https://news.ycombinator.com/item?id=12637126](https://news.ycombinator.com/item?id=12637126)

~~~
lalaland6789
First time I'm hearing about it. October is very recent so not old at all.

------
pksadiq
> [Update (12/14/16): Reuters has specified that the rootkit was implemented
> as a Linux kernel module. Wow.]

Hm... One more proof to avoid using non-free binary blobs in the Linux kernel. Be
safe. Use Debian GNU/Linux without the non-free repo, or any better[0] one.

[0] [https://www.gnu.org/distros/free-distros.html](https://www.gnu.org/distros/free-distros.html)

~~~
Veratyr
I don't think this has anything to do with non-free blobs. They knew exactly
what it did and they installed it anyway. It wouldn't have mattered if they
had the source or the rootkit was open.

------
danbmil99
What really upsets me about this is the idea that the security team was
bypassed, effectively compromising security for Yahoo and every one of their
customers. The idea that a company executive would knowingly bypass their own
CSO, and take it upon themselves to understand the risks they are introducing,
is mind-bogglingly stupid and egregious.

Marissa Mayer, if she approved this, should be deeply ashamed of herself.

~~~
dickbasedregex
> Marissa Mayer should be deeply ashamed of herself.

Fixed that for you.

------
hoodoof
But Yahoo definitely does not know how it got hacked, losing 1 billion
accounts.

------
peterkelly
Seriously, why the title change? Sometimes the title tells you nothing -
wouldn't it be reasonable HN policy to allow the title if it's an accurate
summary of the first paragraph?

"Yesterday morning, Reuters dropped a news story revealing that Yahoo
installed a backdoor on their own infrastructure in 2015 in compliance with a
secret order from either the FBI or the NSA"

Edit: Looks like it's changed back now - great. For a brief period the title
was set to "Surveillance, whistleblowing, and security engineering".

------
fulafel
From a threat modeling POV, this is an interesting type of insider threat. A
high-privileged faction of the company is hijacked (via extortion) by a
malicious third party with legal leverage.

------
electic
If they are doing this at Yahoo, what proof do we have they are not doing this
at Google...right at this moment?

~~~
polack
One would have to be really naive to believe that Google, Apple and the other
big ones aren't backdoored by the three letter agencies by now.

~~~
benevol
You'd be surprised that there are still (technically competent) HN users who
_seem_ to be that naive. Or to promote gv't propaganda.

Our only solution is to go 100% open-source and 100% end-to-end encryption.

~~~
coldcode
And the government has the power to ban open source and encrypted
communications. It's not really all that difficult, if you eliminate any
concern for the constitution. If all else fails, rubber hoses and bullets work
well.

~~~
jstanley
That won't work. People will just do it anyway. Just look at how well alcohol
prohibition worked.

That's part of the beauty of open source - once the cat is out of the bag,
there is no getting it back in.

------
mouzogu
What is a "backdoor" exactly? Another euphemism used to disguise something
much darker I imagine.

Usually a "backdoor" is something you would be aware of in your home. You know
you have a door round the back. This is more like your landlord giving the
keys to a stranger who comes and stares at you every night when you're
sleeping and rifles through your drawers and cabinets.

------
milansuk
I'm wondering what will happen. Will more users start using decentralized and
open source programs? Will they run their own mail server? Or will they hate the
NSA, but still push personal data to a few big corporations?

~~~
mikegioia
Nothing will happen. "Users" don't even know what the majority of these things
are, and this concern certainly doesn't even fly on their radar.

I've spent 5 years now on this very topic and my conclusion is that the people
just don't give a shit.

~~~
milansuk
I feel the same. I've been creating a new decentralized internet platform for 3 years.
But when I release it next month I will present different features than
decentralization, because people who hate spying, but fear change, are
really not the market.

------
tootie
Whelp. Yahoo is officially over today. It was quite a fall.

~~~
hoodoof
Do you think?

Seems to me people are getting used to accounts being hacked, it's not such a
big deal any more, in fact it may be even an expectation.

And as for government NSA hacking, well that's just old news and a given isn't
it?

~~~
trendia
I'm not sure that people are getting 'used' to it. I was talking to a
non-techie over the weekend, and although they were aware of Snowden's NSA
revelations, they were quite perturbed to think someone could be reading their
email.

I don't think people have stopped caring, they just feel helpless. This means
that normal people may be willing to adopt new protocols (end-to-end
encryption), something they wouldn't do if they were accepting of NSA spying.

~~~
lern_too_spel
Nothing in Snowden's leaks suggests that the government has access to your
friend's email, let alone is reading it. Stop exaggerating to your non-techie
friends.

~~~
ionised
You must have been following a different leak than me.

~~~
lern_too_spel
I read the documents released by Snowden. Which leaks are you referring to?
Can you point me to any document that suggests the NSA has his friend's
emails?

~~~
dmix
I'll cite a single program, not even leaked by Snowden, which would allow any
unencrypted email sent to be intercepted:
[https://en.m.wikipedia.org/wiki/Room_641A?wprov=sfla1](https://en.m.wikipedia.org/wiki/Room_641A?wprov=sfla1)

Snowden leaks showed that they get billions of hits each month from the
various submarine cables as well as direct access from telco backbone fiber
stations in the US, Europe, Middle East, and elsewhere.

> As this map shows that almost 3 billion data elements from inside the United
> States were captured by the NSA over a 30-day period ending in March 2013,
> Snowden stated that this tool was collecting more information on Americans
> located within the United States than on Russians in Russia

[https://en.m.wikipedia.org/wiki/Boundless_Informant?wprov=sf...](https://en.m.wikipedia.org/wiki/Boundless_Informant?wprov=sfla1)

In addition, the MUSCULAR program involved tapping the data links between data
centers of Google and Yahoo.

[https://en.m.wikipedia.org/wiki/MUSCULAR_%28surveillance_pro...](https://en.m.wikipedia.org/wiki/MUSCULAR_%28surveillance_program%29?wprov=sfla1)

So I'd say there is an 80-90% chance the NSA has a good chunk of his friend's
email. Closer to 95% if he was located outside of the US.

The only thing stopping them from getting the full content of each American's
(plus 3 hops) passive data collection (besides the 100% of metadata they get
legally) is a FISA warrant. They have no restriction for foreigners.

Maybe you need to reread some of those slides because you clearly missed the
big picture.

~~~
lern_too_spel
Your single source does not actually collect his friend's data. According to
Snowden's leaks, it was used to find a court-ordered monitored target's
traffic leaving or entering the country. It does not actually siphon all data,
including emails, to the NSA.

MUSCULAR provides similar filtering capability within Google's and Yahoo's
networks, though not anymore because they encrypt all traffic. Again, only
metadata. And again, the email envelope collection had already been shut down
prior to the leaks according to the leaked documents. According to Snowden's
leaks, the NSA is not allowed to keep communications from a US citizen or
anybody even living inside the US without a court order, so no, his friend's
emails don't reside with the US government.

------
benevol
Does anybody _still_ doubt that all major _closed-source_ software companies
in the US (but probably elsewhere too) will put backdoors in their software
products and therefore on your hardware?

------
stefek99
Ever since I started using email I thought law enforcement has continuous,
uninterrupted access to my communication.

News like this is no news to me :)

~~~
Raphmedia
I browse assuming that I always have someone over my shoulder.

------
titzer
Face it, the US government is not operating like it has the best interests of
the people as its core motivation.

~~~
brbrodude
> "That's not the way the world really works anymore." He continued "We're an
> empire now, and when we act, we create our own reality. And while you're
> studying that reality—judiciously, as you will—we'll act again, creating other
> new realities, which you can study too, and that's how things will sort out.
> We're history's actors … and you, all of you, will be left to just study what
> we do."

[https://en.wikiquote.org/wiki/Karl_Rove](https://en.wikiquote.org/wiki/Karl_Rove)

------
JustSomeNobody
I think we need to find ways to hurt big companies who do this in the pocket
book. Stage (IT) employee walkouts, boycott the products they sell, etc.

Somehow, _we_ need to get the upper hand over the surveillance monster the US
is becoming.

~~~
dickbasedregex
It's a nice notion but are we going to see an exodus from Google? Facebook?
Apple?

I left Google and Facebook but me and the other 3000 people don't actually
matter. You'll never get a non-negligible number of people to forsake their
comfort zone for anything so trivial as rights, privacy, etc.

------
avdempsey
Taking the headline literally, "Yahoo installed a backdoor for the NSA behind
the back of the security team" is as much an indictment of then-Yahoo's
security team as a reminder that it's a possibility for other companies to
consider.

~~~
grub5000
The OP does specify that Yahoo's Security Team caught the backdoor within a
few weeks, so they can't be wholly incompetent.

------
huac
Yahoo stock hasn't moved very much recently over these issues. I guess the
market still thinks that the Verizon acquisition will still go through. For
context, the price was ~$43 after the acquisition and closed at ~$41 today.

~~~
k8t
Most of the value from yhoo is from its holdings in alibaba. So this actually
is fairly irrelevant for the stock.

~~~
huac
There was a big jump in the stock when the acquisition was announced, so it
would follow that the acquisition premium is priced in.

------
norea-armozel
Ouch. And I have at least one active account on there for Flickr. Nice to know
they basically screwed over the security of the entire site. I guess I'll have
to delete that account now.

------
dsfyu404ed
What I wonder is how this slipped past the security team? I had an internship
with a defense contractor my junior year of college and they would have been
all over that.

------
voycey
2 of my friends had their Yahoo accounts compromised and then their credit
card off the back of it - I want to say it's a coincidence but....

------
OverThere
Yahoo has completely lost my trust forever... looking forward to the day they
don't exist anymore.

------
chinathrow
Great Yahoo - way to sink the ship.

Yahoo won't be the one and only lucky receiver, hello Google, Apple...

------
kakarot
So who built the backdoor? Do we know if it was existing software or privately
contracted?

------
jlebrech
If you're forced to install a backdoor, do you have to maintain it?

------
known
Does Yahoo violate its Terms and Conditions?

~~~
a3n
No, they allow themselves to do [whatever] to provide you with The Service,
whatever that happens to be from NSL to NSL.

------
oonny
And they wonder why I use Yahoo for my marketing spam newsletters.

------
lasermike026
Wow, that was stupid.

------
disposablezero
Fuck Yahoo, AOL and Verizon.

~~~
sctb
Please comment civilly and substantively on Hacker News or not at all.

[https://news.ycombinator.com/newswelcome.html](https://news.ycombinator.com/newswelcome.html)

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
hash-set
So sad what tech people in this country have become. I prefer the
anarcho-capitalists. Statism is ugly, ugly, ugly.

------
hourislate
I would be surprised if anyone was using Yahoo for anything but a spam account
when this occurred.

I guess a really good indicator that things were not right was when the CSO
left the company with no real reason. He was like I want no part of this shit.

~~~
bluesmoon
Yahoo Groups is still very big. It was big before Yahoo acquired it (eGroups),
remained almost unchanged throughout the years, and is now in maintenance
mode, but there are still millions of users who continue to sign up.

~~~
notyourwork
I regularly dream about being involved in the creation of a project that lasts
this long. News groups, IRC, etc. I would love to look back on my career and
think that I contributed to something that users would simply not let die.
The feeling of being a creator of something of that magnitude has to change a
person.

