[ISN] At Yahoo, being paranoid comes with the job

From: InfoSec News (alerts@private)
Date: Tue Jun 26 2007 - 23:11:55 PDT


http://news.com.com/At+Yahoo%2C+being+paranoid+comes+with+the+job/2009-1002_3-6189429.html

By Joris Evers
Staff writer, CNET News.com
June 26, 2007

To Arturo Bejar, the name of Yahoo's security team made perfect sense 
when he came up with it eight years ago: the "Paranoids."

Bejar, whose own title is "Chief Paranoid Yahoo," wanted his 
department's moniker to be disarming and give the security role a 
friendly face.

"We try to be somewhat lighthearted about security," he said. "As 
important as it is, I also think it helps adoption if it is not too 
serious."

The unconventional naming befits a company that was once an icon of 
dot-com counterculture, where its co-founders still carry the title of 
"Chief Yahoo". That informality--or at least the perception of it--is 
particularly important to Yahoo, whose goal is to be the most 
consumer-friendly of all the companies at the forefront of creating 
security standards in the Digital Age.

Yahoo has long viewed itself as a media company, unlike the hard-core 
technological roots of rivals Google (search engine) and Microsoft 
(operating systems). But make no mistake: despite its casual 
nomenclature, the company is dead serious about the issue of security. 
In this regard, the term "Paranoids" can be taken most literally.

There are Paranoids throughout Yahoo, of both the uppercase and 
lowercase variety. The company, the third biggest Web firm, won't share 
numbers but suggests that there are more than the 50 or so dedicated 
security staffers reported by rivals Google and Microsoft. Moreover, 
aside from the core team run by Bejar, various departments have 
ambassadors, known as "Local Paranoids," who may not be part of the 
full-time security team but serve related duties.

Yahoo employees get basic training during orientation and people in 
product management roles can follow a security quick-start course. More 
in-depth security training is provided by Yahoo's Paranoid University, 
which tours around the world.

For the past three years, Yahoo has also held a "Security Week." It is 
the biggest interdisciplinary conference at Yahoo that includes speakers 
from within and outside the company. External speakers have included 
security luminaries Matt Blaze and Dan Geer. Nowhere else are employees 
likely to get annual reviews on their "paranoid effectiveness."

The paranoia is justified. Yahoo has faced a broad array of Web security 
troubles, ranging from bugs in its instant messenger software to 
cross-site scripting flaws that could leave accounts vulnerable to 
forgery and hijacking or unwittingly help launch data-thieving phishing 
scams.

Bejar himself is the personification of the two sides of Yahoo's 
security perspective: although he is fully committed to the safety of 
his company's far-flung operations, he shuns the stereotypically 
foreboding image of a Web security professional.

"A lot of people have preconceptions about talking to the security guy," 
he said. "When you're talking to a Paranoid, it has a different feel."


Becoming a superhero

One difference between Yahoo's security stars and law enforcement is the 
uniform. Do well in security at Yahoo and the company will give you a 
T-shirt that's blue, green or red, depending on the effort. Blue is for 
good, proactive efforts, green for heroic efforts and red for people who 
have gone beyond the call of duty for a long time.

The shirts are awards that aren't given out to just anyone. They have 
become conversation starters on the Yahoo campus. "We have never given 
one as just a favor, or in barter, to friends or family, not one. 
Everyone with a 'Paranoids' T-shirt has earned it," Bejar said.

Employees who do something really exceptional for the security of Yahoo 
users are turned into a superhero, a "Super Paranoid." A cartoon artist 
renders the individual as a superhero, which gets publicized inside the 
company. This prize also includes a bonus and a meeting with senior 
Yahoo executives.

The most recent Super Paranoids worked on security in the new Yahoo 
Mail, developed an antiphishing feature and recruited more Paranoids in 
Europe.

All of this falls under Bejar's simple definition for online security. 
"Alice shouldn't be able to see Bob's e-mail without Bob's consent," 
Bejar said. That's the more complex definition; he tells his 5-year-old 
son that he tries to stop the bad guys from reading other people's 
e-mail.

"He asks if I am a cop and he believes that's what it is, but it is not 
the way I look at it." Perhaps, but there's no denying that Bejar's 
natural gumshoe mentality was influenced by digital sleuthing at a young 
age.

While growing up in Mexico City, he became interested in computers from 
playing with some Commodores at summer camp. "When I got home 
afterwards, someone gave my dad a computer with no games, so I learned 
how to write one," he said.

He began to develop his feel for security after realizing that 
applications could be made to do things the developers had not intended. 
More inspiration came from reading Clifford Stoll's The Cuckoo's Egg: 
Tracking a Spy Through the Maze of Computer Espionage, a seminal work in 
cybercrime nonfiction.

"It spoke about default passwords in certain systems, which my school 
had, and passwords which administrators did not change, which my 
school's administrators had not--and well, you could do a lot with 
that," Bejar said. "I'm not sure if they ever found out though."

A natural with computers, Bejar started working for IBM when he was in 
his late teens. A link with Apple co-founder Steve Wozniak, still a good 
friend of Bejar, subsequently led him to King's College London where he 
got a degree in mathematics while also working at IBM there.

He then moved to the United States to work at a start-up that was 
building distributed social systems, a transition that brought him a 
step closer to joining Yahoo nearly a decade ago, initially in billing 
applications.

"It was ultimately the appeal of helping build and protect things that 
would be used by many people that got me, and has kept me, at Yahoo," he 
said.

It's a noble goal that is, of course, easier said than done. "Web 
applications are available to anyone in the world, so you have to build 
them to withstand instant scrutiny," Bejar said.

He notes that, in theory, developing secure Web applications isn't any 
different from building good desktop software. But early PC programs and 
operating systems were not written to be reachable by anyone in the world 
and therefore weren't designed with constant network connectivity in mind.

Curriculum on security has traditionally focused on topics such as 
encryption. "Security was not defined as what happens if somebody tries 
to manipulate your API (application programming interface) with 
malicious or mischievous intent. Application security has a lot to do 
with building things that don't behave unexpectedly when by accident or 
by malice somebody on the outside tries to manipulate them," Bejar said.

"We were aware of a lot of these problems before they even had names," 
he added. "When they first came around, there wasn't any good prior art 
available so we had to come up with a response ourselves."

That response includes several homemade tools to identify and track 
potential security issues in the Web site and online applications. One 
such tool, called Scanmus, hunts for cross-site scripting issues. The 
tool is named after Rasmus Lerdorf, the original creator of the PHP 
scripting language and a member of the Yahoo Paranoids.

Others include the Code Ferret, which inspects code and reports bugs to 
Pepe, a bug-tracking system named after a character similar to Jiminy 
Cricket in a version of Pinocchio.

The tools were tailored to work with Yahoo's systems. The company had 
tried some commercial applications but found that it would take too much 
time to retrofit those to fit its needs.

It is a laborious task, but Bejar knows that some things are worth 
waiting for. When he went to work at Yahoo in 1998, he was restoring a 
1973 Porsche Carrera that he named "El Pato"--Spanish for "The Duck."

"El Pato was built as Yahoo took off. I built or rebuilt almost every 
part of it, under the supervision of Bob, my mechanic," Bejar said. "To 
some extent, I see El Pato as analogous to my time here at Yahoo. The 
security program has taken time to put together and it requires a lot of 
thought and understanding of how the different parts interact."

Now he says it may be time for Yahoo to share that hard work outside the 
company.

"We're all in this together," Bejar said. "If anything were to happen to 
any one of us, all are impacted."





This archive was generated by hypermail 2.1.3 : Tue Jun 26 2007 - 23:25:54 PDT