By Joris Evers
Staff writer, CNET News.com
June 26, 2007
To Arturo Bejar, the name of Yahoo's security team made perfect sense
when he came up with it eight years ago: the "Paranoids."
Bejar, whose own title is "Chief Paranoid Yahoo," wanted his
department's moniker to be disarming and give the security role a
"We try to be somewhat lighthearted about security," he said. "As
important as it is, I also think it helps adoption if it is not too
The unconventional naming befits a company that was once an icon of
dot-com counterculture, where its co-founders still carry the title of
"Chief Yahoo". That informality--or at least the perception of it--is
particularly important to Yahoo, whose goal is to be the most
consumer-friendly of all the companies at the forefront of creating
security standards in the Digital Age.
Yahoo has long viewed itself as a media company, unlike the hard-core
technological roots of rivals Google (search engine) and Microsoft
(operating systems). But make no mistake: despite its casual
nomenclature, the company is dead serious about the issue of security.
In this regard, the term "Paranoids" can be taken most literally.
There are Paranoids throughout Yahoo, of both the uppercase and
lowercase variety. The company, the third biggest Web firm, won't share
numbers but suggests that there are more than the 50 or so dedicated
security staffers reported by rivals Google and Microsoft. Moreover,
aside from the core team run by Bejar, various departments have
ambassadors, known as "Local Paranoids," who may not be part of the
full-time security team but serve related duties.
Yahoo employees get basic training during orientation and people in
product management roles can follow a security quick-start course. More
in-depth security training is provided by Yahoo's Paranoid University,
which tours around the world.
For the past three years, Yahoo has also held a "Security Week." It is
the biggest interdisciplinary conference at Yahoo that includes speakers
from within and outside the company. External speakers have included
security luminaries Matt Blaze and Dan Geer. Nowhere else are employees
likely to get annual reviews on their "paranoid effectiveness."
The paranoia is justified. Yahoo has faced a broad array of Web security
troubles, ranging from bugs in its instant messenger software to
cross-site scripting flaws that could leave accounts vulnerable to
forgery and hijacking or unwittingly help launch data-thieving phishing
Bejar himself is the personification of the two sides of Yahoo's
security perspective: although he is fully committed to the safety of
his company's far-flung operations, he shuns the stereotypically
foreboding image of a Web security professional.
"A lot of people have preconceptions about talking to the security guy,"
he said. "When you're talking to a Paranoid, it has a different feel."
Becoming a superhero
One difference between Yahoo's security stars and law enforcement is the
uniform. Do well in security at Yahoo and the company will give you a
T-shirt that's blue, green or red, depending on the effort. Blue is for
good, proactive efforts, green for heroic efforts and red for people who
have gone beyond the call of duty for a long time.
The shirts are awards that aren't given out to just anyone. They have
become conversation starters on the Yahoo campus. "We have never given
one as just a favor, or in barter, to friends or family, not one.
Everyone with a 'Paranoids' T-shirt has earned it," Bejar said.
Employees who do something really exceptional for the security of Yahoo
users are turned into a superhero, a "Super Paranoid." A cartoon artist
renders the individual as a superhero, which gets publicized inside the
company. This prize also includes a bonus and a meeting with senior
The most recent Super Paranoids worked on security in the new Yahoo
Mail, developed an antiphishing feature and recruited more Paranoids in
All of this falls under Bejar's simple definition for online security.
"Alice shouldn't be able to see Bob's e-mail without Bob's consent,"
Bejar said. That's the more complex definition; he tells his 5-year-old
son that he tries to stop the bad guys from reading other people's
"He asks if I am a cop and he believes that's what it is, but it is not
the way I look at it." Perhaps, but there's no denying that Bejar's
natural gumshoe mentality was influenced by digital sleuthing at a young
While growing up in Mexico City, he became interested in computers from
playing with some Commodores at summer camp. "When I got home
afterwards, someone gave my dad a computer with no games, so I learned
how to write one," he said.
He began to develop his feel for security after realizing that
applications could be made to do things the developers had not intended.
More inspiration came from reading Clifford Stoll's The Cuckoo's Egg:
Tracking a Spy Through the Maze of Computer Espionage, a seminal work in
"It spoke about default passwords in certain systems, which my school
had, and passwords which administrators did not change, which my
school's administrators had not--and well, you could do a lot with
that," Bejar said. "I'm not sure if they ever found out though."
A natural with computers, Bejar started working for IBM when he was in
his late teens. A link with Apple co-founder Steve Wozniak, still a good
friend of Bejar, subsequently led him to King's College London where he
got a degree in mathematics while also working at IBM there.
He then moved to the United States to work at a start-up that was
building distributed social systems, a transition that brought him a
step closer to joining Yahoo nearly a decade ago, initially in billing
"It was ultimately the appeal of helping build and protect things that
would be used by many people that got me, and has kept me, at Yahoo," he
It's a noble goal that is, of course, easier said than done. "Web
applications are available to anyone in the world, so you have to build
them to withstand instant scrutiny," Bejar said.
He notes that, in theory, developing secure Web applications isn't any
different from building good desktop software. But early PC programs and
operating systems didn't take that access into account and therefore
weren't designed with constant network connectivity in mind.
Curriculum on security has traditionally focused on topics such as
encryption. "Security was not defined as what happens if somebody tries
to manipulate your API (application programming interface) with
malicious or mischievous intent. Application security has a lot to do
with building things that don't behave unexpectedly when by accident or
by malice somebody on the outside tries to manipulate them," Bejar said.
"We were aware of a lot of these problems before they even had names,"
he added. "When they first came around, there wasn't any good prior art
available so we had to come up with a response ourselves."
That response includes several homemade tools to identify and track
potential security issues in the Web site and online applications. One
such tool, called Scanmus, hunts for cross-site scripting issues. The
tool is named after Rasmus Lerdorf, the original creator of the PHP
scripting language and a member of the Yahoo Paranoids.
Others include the Code Ferret, which inspects code and reports bugs to
Pepe, a bug-tracking system named after a character similar to Jiminy
Cricket in a version of Pinocchio.
The tools were tailored to work with Yahoo's systems. The company had
tried some commercial applications but found that it would take too much
time to retrofit those to fit its needs.
It is a laborious task, but Bejar knows that some things are worth
waiting for. When he went to work at Yahoo in 1998, he was restoring a
1973 Porsche Carrera that he named "El Pato"--Spanish for "The Duck."
"El Pato was built as Yahoo took off. I built or rebuilt almost every
part of it, under the supervision of Bob, my mechanic," Bejar said. "To
some extent, I see El Pato as analogous to my time here at Yahoo. The
security program has taken time to put together and it requires a lot of
thought and understanding of how the different parts interact."
Now he says it may be time for Yahoo to share that hard work outside the
"We're all in this together," Bejar said. "If anything were to happen to
any one of us, all are impacted."
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com