Wardens of the Web

TalkBack

E-mail

del.icio.us

Digg this

At Yahoo, being paranoid comes with the job

By Joris Evers
Staff writer, CNET News.com
June 26, 2007, 4:00 AM PDT

Editors' note: This is part two of a four-day series examining the state and future of Web security.

To Arturo Bejar, the name of Yahoo's security team made perfect sense when he came up with it eight years ago: the "Paranoids."

Bejar, whose own title is "Chief Paranoid Yahoo," wanted his department's moniker to be disarming and give the security role a friendly face.

"We try to be somewhat lighthearted about security," he said. "As important as it is, I also think it helps adoption if it is not too serious."

The unconventional naming befits a company that was once an icon of dot-com counterculture, where its co-founders still carry the title of "Chief Yahoo". That informality--or at least the perception of it--is particularly important to Yahoo, whose goal is to be the most consumer-friendly of all the companies at the forefront of creating security standards in the Digital Age.

Yahoo has long viewed itself as a media company, unlike the hard-core technological roots of rivals Google (search engine) and Microsoft (operating systems). But make no mistake: despite its casual nomenclature, the company is dead serious about the issue of security. In this regard, the term "Paranoids" can be taken most literally.

There are Paranoids throughout Yahoo, of both the uppercase and lowercase variety. The company, the third biggest Web firm, won't share numbers but suggests that there are more than the 50 or so dedicated security staffers reported by rivals Google and Microsoft. Moreover, aside from the core team run by Bejar, various departments have ambassadors, known as "Local Paranoids," who may not be part of the full-time security team but serve related duties.

Yahoo employees get basic training during orientation and people in product management roles can follow a security quick-start course. More in-depth security training is provided by Yahoo's Paranoid University, which tours around the world.

For the past three years, Yahoo has also held a "Security Week." It is the biggest interdisciplinary conference at Yahoo that includes speakers from within and outside the company. External speakers have included security luminaries Matt Blaze and Dan Geer. Nowhere else are employees likely to get annual reviews on their "paranoid effectiveness."

The paranoia is justified. Yahoo has faced a broad array of Web security troubles, ranging from bugs in its instant messenger software to cross-site scripting flaws that could leave accounts vulnerable to forgery and hijacking or unwittingly help launch data-thieving phishing scams.

Bejar himself is the personification of the two sides of Yahoo's security perspective: although he is fully committed to the safety of his company's far-flung operations, he shuns the stereotypically foreboding image of a Web security professional.

"A lot of people have preconceptions about talking to the security guy," he said. "When you're talking to a Paranoid, it has a different feel."

Becoming a superhero
One difference between Yahoo's security stars and law enforcement is the uniform. Do well in security at Yahoo and the company will give you a T-shirt that's blue, green or red, depending on the effort. Blue is for good, proactive efforts, green for heroic efforts and red for people who have gone beyond the call of duty for a long time.

The shirts are awards that aren't given out to just anyone. They have become conversation starters on the Yahoo campus. "We have never given one as just a favor, or in barter, to friends or family, not one. Everyone with a 'Paranoids' T-shirt has earned it," Bejar said.

Employees who do something really exceptional for the security of Yahoo users are turned into a superhero, a "Super Paranoid." A cartoon artist renders the individual as a superhero, which gets publicized inside the company. This prize also includes a bonus and a meeting with senior Yahoo executives.

The most recent Super Paranoids worked on security in the new Yahoo Mail, developed an antiphishing feature and recruited more Paranoids in Europe.

All of this falls under Bejar's simple definition for online security. "Alice shouldn't be able to see Bob's e-mail without Bob's consent," Bejar said. That's the more complex definition; he tells his 5-year-old son that he tries to stop the bad guys from reading other people's e-mail.

"He asks if I am a cop and he believes that's what it is, but it is not the way I look at it." Perhaps, but there's no denying that Bejar's natural gumshoe mentality was influenced by digital sleuthing at a young age.

While growing up in Mexico City, he became interested in computers from playing with some Commodores at summer camp. "When I got home afterwards, someone gave my dad a computer with no games, so I learned how to write one," he said.

He began to develop his feel for security after realizing that applications could be made to do things the developers had not intended. More inspiration came from reading Clifford Stoll's The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, a seminal work in cybercrime nonfiction.

"It spoke about default passwords in certain systems, which my school had, and passwords which administrators did not change, which my school's administrators had not--and well, you could do a lot with that," Bejar said. "I'm not sure if they ever found out though."

Next page: The appeal of the job

Stories

Day 1: Inventing the wheel
Leading the charge in Web security at Google, vice president of engineering stands at the forefront of a critical period.

Day 2: It pays to be paranoid
All Yahoo employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.

Day 3: Lessons from the desktop
While similar rules apply to Web security, the differences are crucial and the stakes are high, says Microsoft senior security director.

Day 4: Web security challenge
Unprecedented amounts of data will need to be secured in new, untested ways. What's the best course in such uncharted territory?