- home
- reviews
- news
- downloads
- cnet tv
On BNET: Online porn struggles for profits
- log in
- join CNET
- welcome,
- my profile
- log out

News.com special report:

Wardens of the Web

TalkBack

E-mail

del.icio.us

Digg this

At Yahoo, being paranoid comes with the job

By Joris Evers
Staff writer, CNET News.com
June 26, 2007, 4:00 AM PDT

Editors' note: This is part two of a four-day series examining the state and future of Web security.

To Arturo Bejar, the name of Yahoo's security team made perfect sense when he came up with it eight years ago: the "Paranoids."

Bejar, whose own title is "Chief Paranoid Yahoo," wanted his department's moniker to be disarming and give the security role a friendly face.

"We try to be somewhat lighthearted about security," he said. "As important as it is, I also think it helps adoption if it is not too serious."

The unconventional naming befits a company that was once an icon of dot-com counterculture, where its co-founders still carry the title of "Chief Yahoo". That informality--or at least the perception of it--is particularly important to Yahoo, whose goal is to be the most consumer-friendly of all the companies at the forefront of creating security standards in the Digital Age.

Yahoo has long viewed itself as a media company, unlike the hard-core technological roots of rivals Google (search engine) and Microsoft (operating systems). But make no mistake: despite its casual nomenclature, the company is dead serious about the issue of security. In this regard, the term "Paranoids" can be taken most literally.

There are Paranoids throughout Yahoo, of both the uppercase and lowercase variety. The company, the third biggest Web firm, won't share numbers but suggests that there are more than the 50 or so dedicated security staffers reported by rivals Google and Microsoft. Moreover, aside from the core team run by Bejar, various departments have ambassadors, known as "Local Paranoids," who may not be part of the full-time security team but serve related duties.

Yahoo employees get basic training during orientation and people in product management roles can follow a security quick-start course. More in-depth security training is provided by Yahoo's Paranoid University, which tours around the world.

For the past three years, Yahoo has also held a "Security Week." It is the biggest interdisciplinary conference at Yahoo that includes speakers from within and outside the company. External speakers have included security luminaries Matt Blaze and Dan Geer. Nowhere else are employees likely to get annual reviews on their "paranoid effectiveness."

The paranoia is justified. Yahoo has faced a broad array of Web security troubles, ranging from bugs in its instant messenger software to cross-site scripting flaws that could leave accounts vulnerable to forgery and hijacking or unwittingly help launch data-thieving phishing scams.

Bejar himself is the personification of the two sides of Yahoo's security perspective: although he is fully committed to the safety of his company's far-flung operations, he shuns the stereotypically foreboding image of a Web security professional.

"A lot of people have preconceptions about talking to the security guy," he said. "When you're talking to a Paranoid, it has a different feel."

Becoming a superhero
One difference between Yahoo's security stars and law enforcement is the uniform. Do well in security at Yahoo and the company will give you a T-shirt that's blue, green or red, depending on the effort. Blue is for good, proactive efforts, green for heroic efforts and red for people who have gone beyond the call of duty for a long time.

The shirts are awards that aren't given out to just anyone. They have become conversation starters on the Yahoo campus. "We have never given one as just a favor, or in barter, to friends or family, not one. Everyone with a 'Paranoids' T-shirt has earned it," Bejar said.

Employees who do something really exceptional for the security of Yahoo users are turned into a superhero, a "Super Paranoid." A cartoon artist renders the individual as a superhero, which gets publicized inside the company. This prize also includes a bonus and a meeting with senior Yahoo executives.

The most recent Super Paranoids worked on security in the new Yahoo Mail, developed an antiphishing feature and recruited more Paranoids in Europe.

All of this falls under Bejar's simple definition for online security. "Alice shouldn't be able to see Bob's e-mail without Bob's consent," Bejar said. That's the more complex definition; he tells his 5-year-old son that he tries to stop the bad guys from reading other people's e-mail.

"He asks if I am a cop and he believes that's what it is, but it is not the way I look at it." Perhaps, but there's no denying that Bejar's natural gumshoe mentality was influenced by digital sleuthing at a young age.

While growing up in Mexico City, he became interested in computers from playing with some Commodores at summer camp. "When I got home afterwards, someone gave my dad a computer with no games, so I learned how to write one," he said.

He began to develop his feel for security after realizing that applications could be made to do things the developers had not intended. More inspiration came from reading Clifford Stoll's The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, a seminal work in cybercrime nonfiction.

"It spoke about default passwords in certain systems, which my school had, and passwords which administrators did not change, which my school's administrators had not--and well, you could do a lot with that," Bejar said. "I'm not sure if they ever found out though."

Next page: The appeal of the job

Stories

Day 1: Inventing the wheel
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.

Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.

Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.

Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?

Photo galleries

Day 1: Google team at work
Everything from dogs to Darth Vader keeps things lively at the office. June 25, 2007

Day 2: A peek at Yahoo 'Paranoids'
"Paranoids" come in the uppercase and lowercase variety. And then there are the superheroes. June 26, 2007

Day 3: Leading Microsoft's crew
Senior security director heads up a 55-member team that's working on marketing itself inside Microsoft. June 27, 2007

Podcast

Podcast: The state of Web security
Is Web security where it should be? Where is it headed? CNET News.com talks to some experts.June 25, 2007

News from around the Web

Divide between Net, desktop disappearing

Don't call it a bubble

Web 2.0 threats and risks for financial services

Security remains a challenge for browser developers

Is Really Simple Syndication really secure?

Study: Security cues on banking sites ignored

Botnet battlers call for Net driver's license

Credits

Editors: Anne Dujmovic, Mike Ricciuti, Mike Yamamoto
Design: Andrew Ballagh
Production: Jessica Kashiwabara

Add a Comment (Log in or register) (12 Comments)

Fire mail security/admin team dear Paranoia boss
by Ilgaz June 26, 2007 5:04 AM PDT: The mail team does these and these are the facts I formally sent to Yahoo. 1) Random disabling of SORBS RBL which only includes time tested, open proxies which you would expect nothing but trouble.(see 2 too) 2) Allowing very basic scam schemes which have very complex results such as murder in real life. Yes the Nigerian Mafia scams. Basic as: Newbie MS Outlook Express user can filter them by HAND by very basic filter. 3) Ignoring end user reports sparing their precious personal time and showing Spamcop Report URL's which are pretty standard for hosting providers and bounce them a stupid template saying they need full message headers. I am against the other monopoly wannabe who is a complete disrespect to user privacy but our limits are already in border. You know what to do as a paranoid leader? Get a free account, be paranoid so don't share it with people at Yahoo, give it to couple of known spammer friendly or insecure sites, check back your inbox. You will see march of open proxies, basic scam schemes. Also instead of telling those outsourced team to reply as template to mails they DON'T UNDERSTAND, THEY ARE TECHNICALLY INCAPABLE OF UNDERSTANDING, let them IGNORE mails since the Auto reply templates really started to hit peoples nerves. (KMM52131562V38554L0KM ) ---> Actual feedback trail which goes on for a WEEK.; Like this Reply to this comment

Got a Little worried late last night
by Claire Gaeta June 26, 2007 8:11 AM PDT: Last night, while attempting to check my yahoo mail, I got a notification from Norton 360 that the yahoo site security certificate had been revoked. What is really going on here?; Like this Reply to this comment

Yahoo: Stupidity Begins At Home
by Stating June 26, 2007 10:00 AM PDT: Maybe the Yahoo Security Team can explain why they do not suppport encryption of email traffic for PAYING customers working at WiFi hotspots? Yeah, Yahoo supports https: for the login, but after that it is plaintext http: Ilgaz's comments about stupid Yahoo's lack of even basic spam filtering is spot on. I will also add, yet again, that it is ridiculous that customers can't even block email from top level domain countries of known mass spammers such as China, Poland, etc. I am sorry Terry Smell, but I have no communications with China or Poland at all, so why do you force me to get countless ads from them for Rolex watches and pen1s enlargement pills? I submit the following fresh Yahoo spam email so that Yahoo's Kindergarten software engineers can learn from example: From Mavis Rivera Tue Jun 26 05:11:38 2007 X-YahooFilteredBulk: 195.16.88.9 X-Originating-IP: [http://195.16.88.9|http://195.16.88.9] Return-Path: <mavis_rivera2048@unisys.com> She/He will love this iblj You've Seen Them On TV... Doctor Approved And Recommended. <a class="jive-link-external" href="http://www.geocities.com/e964bd" target="_newWindow">http://www.geocities.com/e964bd</a> tundra ackley tusk image. --> fwhois 195.16.88.9 address: Stream Communications Sp. z o.o. address: ul. 29 Listopada 130 address: 31-406 Krakow address: Poland; Like this Reply to this comment

Yahoo crack day
by n3td3v June 26, 2007 10:11 AM PDT: That is something we were all paranoid about that Yahoo smoke too much crack.; Like this Reply to this comment

Superhero cartoon characters
by n3td3v June 26, 2007 10:18 AM PDT: I hope Yahoo paranoids also carry out mandatory drug checks on its employees, with special emphasis on the Yahoo security team.; Like this Reply to this comment

What is with the BS marketing term?
by qwerty75 June 26, 2007 10:32 AM PDT: Web 2.0 is a meaningless term meant to make applications that use the internet seem more hip and advanced then it really is. Why do people insist on buying into the nonsense?; Like this Reply to this comment

Yahoo paranoids T-shirt
by n3td3v June 26, 2007 10:32 AM PDT: I was offered one of those t-shirts by senior security consultant Mark Seiden, but I turned it down through paranoia that he was socially engineering me to obtain geographical intelligence postal information about me, but I guess that gives me extra yahoo paranoid status amoung the all time great superheros. I would like the list of Superheros post on the Yahoo security website, I also think this information about Yahoo paranoids should of been more public to the security community long before today. Yahoo over the years has done itself no good deeds in respect of public relations between underground folks, so hopefully this is part of a U-turn on their "say nothing" policy. However, after you strip away the Superhero stuff, they still haven't said anything much than to say they employ more than 50 employees.; Like this Reply to this comment

Terry Semel is a cartoon character!
by anarchyreigns June 26, 2007 10:53 AM PDT: Glad that clueless piece of trash is going. Good riddance.; Like this Reply to this comment

Kudos to Joris Evers
by n3td3v June 26, 2007 11:29 AM PDT: Thank you for this story and ripping apart and exposing Yahoo security team's drug activities within the company, with the cartoon stuff evidence of this and the paranoia are all classic signals of drug use. For years the underground community joked about drug use within the company affecting their security operation, but todays findings couldn't be more WEIRD. Ok, maybe they don't take drugs, but its definitely weird.; Like this Reply to this comment

Yahoo Messenger Down, Again No Status
by Stating June 27, 2007 9:37 AM PDT: Yahoo Messenger has been down since Tuesday night. Again no status message from Yahoo regarding the outage. Like, how hard is it Yahoo to put a 2 line message on www.yahoo.com mentioning the outage -- or send an email to Yahoo users?; Like this Reply to this comment

Not paranoid enough.
by mcgmatt June 28, 2007 12:53 PM PDT: There is a Facebook feature that asks for your Yahoo login, then Facebook logs in to your Yahoo account and retrieves your address book data. This should not be possible. People shouldn't be stupid enough to enter their e-mail login on other sites in the first place, but that's too much to hope for. Yahoo needs to block Facebook and any other site that does this.; Like this Reply to this comment