
(continued from previous page)

News.com special report:

Wardens of the Web



A natural with computers, Bejar started working for IBM when he was in his late teens. A link with Apple co-founder Steve Wozniak, still a good friend of Bejar, subsequently led him to King's College London, where he got a degree in mathematics while also working at IBM there.

He then moved to the United States to work at a start-up that was building distributed social systems, a transition that brought him a step closer to joining Yahoo nearly a decade ago, initially in billing applications.

"It was ultimately the appeal of helping build and protect things that would be used by many people that got me, and has kept me, at Yahoo," he said.

It's a noble goal that is, of course, easier said than done. "Web applications are available to anyone in the world, so you have to build them to withstand instant scrutiny," Bejar said.

Special report
Wardens of the Web
In CNET News.com's multipart series, we peek behind the curtain at online giants Yahoo, Google and Microsoft, and the elite corps committed to securing Web applications.

He notes that, in theory, developing secure Web applications isn't any different from building good desktop software. But early PC programs and operating systems didn't take that kind of open, worldwide access into account and therefore weren't designed with constant network connectivity in mind.

Curriculum on security has traditionally focused on topics such as encryption. "Security was not defined as what happens if somebody tries to manipulate your API (application programming interface) with malicious or mischievous intent. Application security has a lot to do with building things that don't behave unexpectedly when by accident or by malice somebody on the outside tries to manipulate them," Bejar said.

"We were aware of a lot of these problems before they even had names," he added. "When they first came around, there wasn't any good prior art available so we had to come up with a response ourselves."

That response includes several homemade tools to identify and track potential security issues in the Web site and online applications. One such tool, called Scanmus, hunts for cross-site scripting issues. The tool is named after Rasmus Lerdorf, the original creator of the PHP scripting language and a member of the Yahoo Paranoids.

Others include the Code Ferret, which inspects code and reports bugs to Pepe, a bug-tracking system named after a character similar to Jiminy Cricket in a version of Pinocchio.

The tools were tailored to work with Yahoo's systems. The company had tried some commercial applications but found that it would take too much time to retrofit those to fit its needs.
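The article does not describe how Scanmus or the Code Ferret work internally, so the following is an added example rather than Yahoo's code: a toy source lint of the kind such a tool could run. It flags PHP statements that echo request input without passing it through htmlspecialchars() or htmlentities(), the classic reflected cross-site scripting pattern, and follows one hop of taint through simple variable assignments. The PHP sample it scans is constructed for the example.

```python
"""Toy source lint in the spirit of the tools described above.

Added example, not Yahoo's Scanmus or Code Ferret. It flags PHP output
statements that reflect request input without an HTML encoder and tracks
one hop of taint through "$var = $_GET[...]" assignments. The sample
source below is constructed.
"""
import re

# Request superglobals that carry input from outside the application.
UNTRUSTED = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
# "$var = $_GET[...]" taints $var; "$var = htmlspecialchars(...)" clears it.
ASSIGN_FROM_UNTRUSTED = re.compile(r"(\$\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
ANY_ASSIGN = re.compile(r"(\$\w+)\s*=[^=]")
# Output statements, and the HTML encoders that make them safe.
OUTPUT = re.compile(r"\b(?:echo|print)\b")
ENCODED = re.compile(r"\b(?:htmlspecialchars|htmlentities)\s*\(")
VARIABLE = re.compile(r"\$\w+")


def scan_php(source):
    """Return [(line_number, line)] for output statements that reflect untrusted input unencoded.

    Limitation: one encoder call on a line is taken as covering the whole
    statement; a real tool needs a parser, not line-based regexes.
    """
    findings = []
    tainted = set()
    for number, raw in enumerate(source.splitlines(), start=1):
        code = raw.split("//", 1)[0]  # ignore trailing line comments
        tainting = ASSIGN_FROM_UNTRUSTED.search(code)
        assigned = ANY_ASSIGN.match(code.strip())
        if tainting:
            tainted.add(tainting.group(1))
        elif assigned and ENCODED.search(code):
            tainted.discard(assigned.group(1))
        if not OUTPUT.search(code):
            continue
        reflects = UNTRUSTED.search(code) or any(v in tainted for v in VARIABLE.findall(code))
        if reflects and not ENCODED.search(code):
            findings.append((number, raw.strip()))
    return findings


# Constructed PHP sample: two unsafe statements among several safe ones.
SAMPLE = """<?php
$name = $_GET['name'];
$safe = htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8');
echo "Hello " . $name;                                          // flagged: tainted, no encoding
echo "Hello " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');   // encoded at output
print $_REQUEST['q'];                                           // flagged: superglobal echoed raw
echo $safe;                                                     // encoded on assignment
echo "static text";                                             // no input involved
$name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo $name;                                                     // taint cleared above
"""

if __name__ == "__main__":
    for number, line in scan_php(SAMPLE):
        print(f"line {number}: {line}")
```

Run against the sample it reports lines 4 and 6 only. The point the quote above makes is visible in the output: the two flagged statements are ordinary-looking code that behaves unexpectedly only when someone outside chooses the input.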

It is a laborious task, but Bejar knows that some things are worth waiting for. When he went to work at Yahoo in 1998, he was restoring a 1973 Porsche Carrera that he named "El Pato"--Spanish for "The Duck."

"El Pato was built as Yahoo took off. I built or rebuilt almost every part of it, under the supervision of Bob, my mechanic," Bejar said. "To some extent, I see El Pato as analogous to my time here at Yahoo. The security program has taken time to put together and it requires a lot of thought and understanding of how the different parts interact."

Now he says it may be time for Yahoo to share that hard work outside the company.

"We're all in this together," Bejar said. "If anything were to happen to any one of us, all are impacted."  


12 Comments
Fire mail security/admin team dear Paranoia boss
by Ilgaz June 26, 2007 5:04 AM PDT
The mail team does these and these are the facts I formally sent to Yahoo.

1) Random disabling of SORBS RBL, which only includes time-tested open proxies from which you would expect nothing but trouble. (See 2 too.)

2) Allowing very basic scam schemes which have very complex results such as murder in real life. Yes, the Nigerian Mafia scams. Basic as in: a newbie MS Outlook Express user can filter them by HAND with a very basic filter.

3) Ignoring end user reports (people sparing their precious personal time and showing Spamcop Report URLs, which are pretty standard for hosting providers) and bouncing them a stupid template saying they need full message headers.

I am against the other monopoly wannabe who is a complete disrespect to user privacy but our limits are already in border.

You know what to do as a paranoid leader? Get a free account, be paranoid, so don't share it with people at Yahoo, give it to a couple of known spammer-friendly or insecure sites, then check your inbox. You will see a march of open proxies and basic scam schemes.

Also, instead of telling that outsourced team to reply with a template to mails they DON'T UNDERSTAND, THEY ARE TECHNICALLY INCAPABLE OF UNDERSTANDING, let them IGNORE mails, since the auto reply templates really started to hit people's nerves.

(KMM52131562V38554L0KM ) ---> Actual feedback trail which goes on for a WEEK.
Reply to this comment
Got a Little worried late last night
by Claire Gaeta June 26, 2007 8:11 AM PDT
Last night, while attempting to check my Yahoo mail, I got a notification from Norton 360 that the Yahoo site security certificate had been revoked.

What is really going on here?
Reply to this comment
Yahoo: Stupidity Begins At Home
by Stating June 26, 2007 10:00 AM PDT
Maybe the Yahoo Security Team can explain why they do not support encryption of email traffic for PAYING customers working at WiFi hotspots? Yeah, Yahoo supports https: for the login, but after that it is plaintext http:

Ilgaz's comments about stupid Yahoo's lack of even basic spam filtering are spot on. I will also add, yet again, that it is ridiculous that customers can't even block email from top level domain countries of known mass spammers such as China, Poland, etc. I am sorry Terry Smell, but I have no communications with China or Poland at all, so why do you force me to get countless ads from them for Rolex watches and pen1s enlargement pills?

I submit the following fresh Yahoo spam email so that Yahoo's Kindergarten software engineers can learn from example:

From Mavis Rivera Tue Jun 26 05:11:38 2007
X-YahooFilteredBulk: 195.16.88.9
X-Originating-IP: [195.16.88.9]
Return-Path: <mavis_rivera2048@unisys.com>

She/He will love this iblj
You've Seen Them On TV...
Doctor Approved And Recommended.
http://www.geocities.com/e964bd
tundra ackley tusk image.

--> fwhois 195.16.88.9
address: Stream Communications Sp. z o.o.
address: ul. 29 Listopada 130
address: 31-406 Krakow
address: Poland
Reply to this comment
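The weakness the comment above describes, a login over https: followed by plaintext http: for everything after it, is dangerous on a shared hotspot mainly because the session cookie issued at login travels with every later request. The check below is an added example, not Yahoo code: it parses Set-Cookie headers, reports session cookies that lack the Secure and HttpOnly attributes, and shows which of the two sample cookies a browser would attach to an http: request. The header strings and the cookie name `sid` are constructed for the example; the scheme rule in `sent_over` is simplified and ignores the domain and path matching a real browser also applies.

```python
"""Audit of Set-Cookie headers for the attributes that keep a session cookie
off plaintext HTTP. Added example, not Yahoo code; the header strings below
are constructed and the cookie name is hypothetical.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(cookie):
    """Return the weaknesses of one parsed cookie as a list of strings."""
    problems = []
    if "secure" not in cookie["attrs"]:
        problems.append("missing Secure: sent on http: requests too")
    if "httponly" not in cookie["attrs"]:
        problems.append("missing HttpOnly: exposed to script in the page")
    return problems


def sent_over(cookie, url):
    """Would a browser attach this cookie to a request for url? (scheme rule only)"""
    if cookie["attrs"].get("secure") and urlsplit(url).scheme != "https":
        return False
    return True


def audit_response(set_cookie_headers):
    """Map cookie name -> problems for every Set-Cookie header of one response."""
    report = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        report[cookie["name"]] = audit_cookie(cookie)
    return report


# Constructed: a session cookie as a login over https: might set it, weak and hardened.
WEAK = "sid=abc123; Domain=.example.com; Path=/"
HARDENED = "sid=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        cookie = parse_set_cookie(header)
        print(label, audit_cookie(cookie) or "ok",
              "sent over http:", sent_over(cookie, "http://mail.example.com/inbox"))
```

The Secure attribute is the minimum that stops the hotspot exposure the commenter describes: the weak cookie goes out in the clear on the first http: page load after login, the hardened one does not. It is a mitigation for the cookie only; the mail content itself still needs https: for the whole session.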
Yahoo crack day
by n3td3v June 26, 2007 10:11 AM PDT
That is something we were all paranoid about that Yahoo smoke too much crack.
Reply to this comment
Superhero cartoon characters
by n3td3v June 26, 2007 10:18 AM PDT
I hope Yahoo paranoids also carry out mandatory drug checks on its employees, with special emphasis on the Yahoo security team.
Reply to this comment
What is with the BS marketing term?
by qwerty75 June 26, 2007 10:32 AM PDT
Web 2.0 is a meaningless term meant to make applications that use the internet seem more hip and advanced than they really are.

Why do people insist on buying into the nonsense?
Reply to this comment
Yahoo paranoids T-shirt
by n3td3v June 26, 2007 10:32 AM PDT
I was offered one of those t-shirts by senior security consultant Mark Seiden, but I turned it down through paranoia that he was socially engineering me to obtain geographical intelligence postal information about me, but I guess that gives me extra Yahoo paranoid status among the all-time great superheroes.

I would like the list of Superheroes posted on the Yahoo security website; I also think this information about Yahoo paranoids should have been more public to the security community long before today.

Yahoo over the years has done itself no good deeds in respect of public relations between underground folks, so hopefully this is part of a U-turn on their "say nothing" policy.

However, after you strip away the Superhero stuff, they still haven't said much more than that they employ more than 50 employees.
Reply to this comment
Terry Semel is a cartoon character!
by anarchyreigns June 26, 2007 10:53 AM PDT
Glad that clueless piece of trash is going. Good riddance.
Reply to this comment
Kudos to Joris Evers
by n3td3v June 26, 2007 11:29 AM PDT
Thank you for this story and for ripping apart and exposing the Yahoo security team's drug activities within the company, with the cartoon stuff as evidence of this; that and the paranoia are all classic signals of drug use.

For years the underground community joked about drug use within the company affecting their security operation, but today's findings couldn't be more WEIRD.

Ok, maybe they don't take drugs, but it's definitely weird.
Reply to this comment
Yahoo Messenger Down, Again No Status
by Stating June 27, 2007 9:37 AM PDT
Yahoo Messenger has been down since Tuesday night. Again, no status message from Yahoo regarding the outage. Like, how hard is it, Yahoo, to put a 2 line message on www.yahoo.com mentioning the outage -- or send an email to Yahoo users?
Reply to this comment
Not paranoid enough.
by mcgmatt June 28, 2007 12:53 PM PDT
There is a Facebook feature that asks for your Yahoo login, then Facebook logs in to your Yahoo account and retrieves your address book data. This should not be possible.

People shouldn't be stupid enough to enter their e-mail login on other sites in the first place, but that's too much to hope for. Yahoo needs to block Facebook and any other site that does this.
Reply to this comment