Yahoo didn't install an NSA email scanner, it was a "buggy" NSA "rootkit"

Ex-Yahoo employees have spoken anonymously to Motherboard about the news that Yahoo had built an "email scanner" for a US security agency, likely the FBI or the NSA. These sources — at least one of whom worked on the security team — say that in actuality, the NSA or FBI had secretly installed a "rootkit" on Yahoo's mail servers and that this was discovered by the Yahoo security team (who had not been apprised of it), who, believing the company had been hacked, sounded the alarm, only to have the company executives tell them that the US government had installed the tool.

The sources in the article say that the "rootkit" was "buggy" and "poorly designed."

In the security world, a rootkit is a program that changes the operating system to create administrative ("root") access that is invisible to the system's actual administrator. For example, in 2005, Sony-BMG put a covert rootkit installer on more than six million audio CDs; when inserted into Windows computers, these CDs silently updated the Windows kernel so that it would not report the existence of files or processes whose names started with "$sys$". Then the CDs installed an anti-ripping program that started with $sys$ and tried to shut down any attempt to rip an audio CD — because the program started with $sys$, users and their anti-virus software couldn't see the programs' files on their drives, nor would the programs appear in the computers' process list.

It's not clear what a "rootkit" is in the context of a complex system of servers like those that run Yahoo Mail. Perhaps it means that the US government wanted to be able to run programs on these servers that Yahoo's administrators couldn't monitor or discover. That would allow the government agencies to spy on Yahoo's users without revealing their search parameters to Yahoo employees.


Also unclear is how interconnected Yahoo's other services are with its Mail product. Like other platforms, Yahoo offers a variety of integrated services — financial products, personal organizers, photo sharing, etc — and depending on how those products were integrated, it's possible that having administrative access to the mail servers would have given government agencies access to more of Yahoo's platform.

Sony's rootkit exposed users to opportunistic infections from other malicious software; the authors of this software were quick to realize that machines that had been compromised by Sony could not detect their own viruses if they, too, were packaged in files that began with "$sys".

The sources in the Motherboard story called the rootkit "buggy" and "poorly designed," suggesting that, as with Sony, other people could have exploited the rootkit to gain access to Yahoo users' data and Yahoo's network, and that these attacks would be virtually undetectable by either the US government or Yahoo's team (because, by design, administrators can't see what programs are being run under a rootkit's cloak).

The picture that's emerging is pretty bizarre. Some top Yahoo executive(s) gave the US government the go-ahead to install a rootkit on the mail-processing servers. The Yahoo security team were not consulted on this (Alex Stamos, former Yahoo CSO, quit the company to become Facebook's CSO around then, and the initial Reuters report by Joseph Menn says that he left over this issue). The security team discovered the software independently, raised the alarm, and were told not to meddle with it. The NSA (or FBI), and anyone who figured out how to exploit the rootkit, had potentially unlimited, undetectable access to all Yahoo users' data.

Last year, the US government served Yahoo with a secret order, asking the company to search within its users’ emails for some targeted information, as first reported by Reuters this week. It’s still unclear what was the information sought, but The New York Times, citing an anonymous official source, later reported that the government was looking for a specific digital “signature” of a “communications method used by a state-sponsored, foreign terrorist organization.”

Anonymous sources told The Times that the tool was nothing more than a modified version of Yahoo’s existing scanning system, which searches all email for malware, spam and images of child pornography.

But two sources familiar with the matter told Motherboard that this description is wrong, and that the tool was actually more like a “rootkit,” a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.

Yahoo’s Government Email Scanner Was Actually a Secret Hacking Tool [Lorenzo Franceschi-Bicchierai/Motherboard]