Paranoid-in-Chief: Yahoo's Alex Stamos Wants to Secure the Entire Internet
The internet isn’t safe for anyone, and he wants to change that.
Alex Stamos posing in front of a printout of the classic Yahoo logo at the company's San Francisco office. (Image: Lorenzo Franceschi-Bicchierai/Motherboard)
It's an early and sunny Saturday after the week-long RSA, perhaps the largest computer security conference in the world. A small group of weary and conference-hungover hackers, information security professionals and activists is gathering at the new San Francisco office of Yahoo, in the neighborhood of South of Market, or SoMa, a quickly gentrifying and hip neighborhood filled with tech startups.
Alex Stamos, the man who for more than a year now has been in charge of securing Yahoo, the sometimes forgotten internet giant that boasts more than 1 billion users, was opening the doors of the company's office for something called the "Trust Unconference." This event was in part inspired by another one-day event he helped organize last year, when several high-profile speakers who were supposed to talk at the RSA conference pulled out after the explosive revelation that the National Security Agency had reportedly paid the company RSA $10 million to put a backdoor into one of its popular security products.
For many, that was a watershed moment in the history of the security industry: a giant, well respected company had been successfully bribed to make life easier for the NSA—at the expense of all users and customers of the company.
In front of a group of around 200 people, Stamos tucked his hands in his pockets. He started to bounce on his toes, perhaps uneasy at what he was about to say.
"I'm not very happy with where we are as an industry," he said, with a grim look on his face. "We're really focusing on the 1%," he added, referring to the small number of companies that can afford to spend on cybersecurity teams and products, and the minority of internet users who are literate enough to jump through the hoops that are needed to be safer online.
That, according to Stamos, is not going to cut it as the internet adds a billion new users in its expansion in developing countries all over the world.
"The vast majority of people are not safe using the internet everyday"
The problem, essentially, is that the internet is not safe for everyday users, as the seemingly endless series of high profile hacks and breaches, from eBay to AdultFriendFinder, reminds us almost every week. Perhaps Mikko Hypponen, a renowned security expert, put it best when he said that "the internet is on fire."
Everyone deserves part of the blame. Users still choose dumb passwords and click on links from people they don't know, which makes the life of low-level hackers, also known as script kiddies, very easy. But, for Stamos, the information security, or cybersecurity, industry is the biggest culprit for having "failed" its users.
"The vast majority of people are not safe using the internet everyday," Stamos tells me the day before the Unconference, as we chat at Yahoo's new SoMa office. "They're only safe because they don't have anybody attacking them at that moment."
But if a hacker targets them, the user is doomed.
For Stamos, the worst is that the security industry knows about all of this. They "know it's on fire," he says, "they're just down at RSA selling tiny fire extinguishers that only put out a little fire in a very specific place."
On March 3, 2014, Keith Arnold's Yahoo Mail inbox, as he puts it, started "going nuts."
Arnold, a writer and producer from Manhattan Beach, California, started receiving "dozens and dozens" of emails from inactive email accounts. That's when he realized his Yahoo account was sending floods of spam to all his address book. His email had been hacked.
It was "a nightmare," he says, and it took him hours to clean up his account. Then even though he changed his password and enabled two-factor authentication, his account kept sending spam for months. In fact, it still does.
"It's a running joke among my friends, actually," Arnold tells me, after showing me a recent spam email sent by his now seldom used account. "If someone does something wrong, they just blame my Yahoo account."
That's why he switched to Gmail.
"Between that and the unhip status of still using Yahoo, it was a decision I begrudgingly made," he says.
His experience wasn't unique. In early 2014, many Yahoo accounts were compromised by unknown hackers who stole credentials from a "third-party" database. (A Yahoo spokesperson declined to explain exactly what happened, and instead referred me to a blog post the company published at the time.) The year before, in a similar series of incidents, several Yahoo users got their email accounts hijacked.
This was all under the watch of Yahoo's security team, which has long been known internally as the "Paranoids." In the last few years, it seems like they sometimes failed at being paranoid enough.
The internet giant, which also owns Tumblr and Flickr, has gone through a number of high-profile security issues, such as the ones that affected Arnold and many others; a plan to recycle unused email addresses that a well-known security expert called "moronic"; and an incident in which hackers served malware from Yahoo.com by compromising the company's ad servers.
Also, for years, Yahoo did not encrypt connections between Yahoo Mail users and the company's servers using HTTPS, which protects data exchanged between the user and the provider. The company didn't switch to HTTPS by default until early in 2014 (they offered it as an option a year earlier after being pressured by privacy advocates), four years after Google did.
"Their mail system was completely owned," according to Nico Sell, the founder of privacy messaging app Wickr and an organizer of Def Con, one of the most famous hacking conferences in the world.
And this was before documents leaked by Edward Snowden revealed that the NSA was able to tap directly into unprotected links between Yahoo data centers to spy on its users. (The agency took advantage of the same lack of encryption to spy on Google's data centers as well.)
Stamos was brought on board to put out these large fires as Yahoo's Chief Information Security Officer, or CISO. At the helm of the "Paranoids," Stamos has hired a team of developers to work on email encryption for the masses, hired a team of hackers who attack Yahoo products and networks to find flaws to fix, simulating real-life scenarios, and is also trying to make passwords obsolete.
He has also helped put the final touches on Yahoo's response to the Snowden revelations, when the company boosted its encryption efforts, making searches and email more secure by finally implementing HTTPS encryption by default on Yahoo's homepage, as well as its email service. The company also encrypted its data center links, and is working on encrypting the rest of its sites.
His goals are ambitious, but Stamos has already made a difference, according to Stefano Zanero, an assistant professor at Politecnico di Milano university, and a member of the review board of the Black Hat security conference. Since Stamos was hired, Yahoo has been taking security more seriously, which is good for the whole internet, not just Yahoo users.
"When one of the internet giants changes their security stance it's a huge positive impact for the community," Zanero told me. "Security is not just a problem for the specific company or the specific end user, it is a kind of hygiene problem."
"The more companies and users care about their own security," he added, "the more the internet becomes safer for everybody else."
When he was seven, Stamos's parents got him a Commodore 64 and a modem. Those were the very early days of the internet, before the World Wide Web. At the time, kids like him would learn of the early-day chat sites known as bulletin board systems, or BBSs, from classified ads on the local paper in Sacramento, where Stamos was born.
As a young geek, Stamos played text-based BBS video games, and soon started hacking.
"It was all pretty innocent," he says, smiling.
The security of those chat systems was almost nonexistent, Stamos says, and people could easily take over chat channels, post messages as each other, or kick people out of text-based role-playing games known as Multi-User Dungeons. Stamos was naturally drawn to these hacking games, because he wanted to know exactly how things worked, which, he says, is the basic instinct of a hacker.
When Stamos was 17, his dad took him to his first Def Con, where, years later, he would attend as a speaker, at just one of the many conferences where he has talked about his research.
At that point, his life could've taken a turn. Before going to college, Stamos received a letter from the NSA. The intelligence agency offered him a scholarship, which would have entailed free college tuition in exchange for spending every summer at NSA headquarters in Fort Meade, and then working for the agency for at least four years after graduating, according to Stamos.
But Stamos, who's now 36, turned down the offer because, he says, he didn't need it and it would have been too much of a commitment for a 17-year-old. So he took a scholarship at Berkeley instead, and studied under Dave Patterson, a well-known computer scientist.
After graduating, he got into the security industry doing offensive research—trying to break things and telling companies how to fix them. In 2004, when he was 25, he co-founded iSEC Partners, which under his lead became a widely-respected security consulting firm.
After a British IT services company bought iSEC, Stamos founded Artemis Internet, another security startup whose mission was to build a more "trustworthy" internet, something that echoes what he's trying to do today at Yahoo.
During his years at Artemis, Stamos tried to push for two new top-level domains, .SECURE and .TRUST. It was one of his first attempts at making the internet safer for everyone. The idea was that Artemis would manage those domains and only grant them to websites using the best security practices.
Despite his long career in the industry, Stamos was an unlikely choice for Yahoo. When Max Levchin, a well-known Silicon Valley entrepreneur who's also on Yahoo's board of directors, told him to apply for the job, Stamos himself thought it was a "crazy idea."
Because of "how technical he is," Stamos is "a bit of an anomaly" as a CISO, according to Ramses Martinez, the senior director at Yahoo's security team.
Eventually, Stamos took the job because he realized he had spent his whole career telling other companies how to do things differently. Now, he says, he had a chance to do things differently himself and make the day-to-day internet more secure for "lots of normal people."
For being a paranoid, and a well-respected security expert—all the Yahoo security employees I talked to highlighted his technical knowledge as his most impressive trait—Stamos is almost incredibly down to earth, and downright funny. When I asked him about Yahoo's end-to-end email encryption plugin, which the company is developing using, in part, code first written by Google, Stamos cuts me short.
"Make sure to give them credit," he says, before taking a quick pause. "Because, you know, a baby seal dies every time we take full credit."
The goal is to make an easy-to-use browser plugin that would allow users to send end-to-end encrypted emails. End-to-end encryption in email is nothing new—the underlying technology is more than 20 years old—but it's never become mainstream due to the steep learning curve required to use it. Yahoo's plugin, on the other hand, looks almost too easy to use.
To work on this project, Stamos hired Yan Zhu, a developer who was previously at the digital rights group the Electronic Frontier Foundation, where she worked on other privacy projects such as HTTPS Everywhere and Privacy Badger.
She was perhaps an unusual pick for Yahoo, since she had been working for a nonprofit and activist organization. But just like Stamos, she couldn't turn down the chance.
Given how many users Yahoo email has—a company spokesperson told me that number is 225 million monthly active users—"turning on email encryption for them has the potential to have a huge impact," Zhu tells me after showing me how the plugin works.
Zhu was the first hire for a team that now has around a dozen developers. The goal, as Stamos put it, "is to build mail encryption that can be used by anybody that can use Yahoo Mail." In other words, make encryption for the masses. It's not just a reaction to the Snowden revelations, it's simply to make everyday conversations more secure than they are now.
Despite the adoption of HTTPS by the major email providers, Zhu explains, once emails leave one provider's servers to go to another one, they are often unencrypted, leaving them vulnerable to snoops and hackers.
Internally at Yahoo, the plugin is already in use, and the company plans to release it to everyone by the end of the year. Initially it will work only between Yahoo users, but when Google rolls out its own plugin, they'll be compatible. This will give Yahoo Mail and Gmail users an easy, hassle-free, way to send each other scrambled emails.
"Most of the security issues on the internet nowadays, from a technical point of view, are very simple problems"
The second moonshot at Yahoo is to kill passwords with an "on-demand" service that allows users to log in with a one-time code that Yahoo sends to the user's phone. For now, the code is sent via text, but eventually, Stamos says, they want to make an ad hoc app, so that they can encrypt the connection and make sure the password-replacing code doesn't get intercepted while travelling over the internet. Stamos hopes that within a couple of years "nobody has passwords on Yahoo."
Whether these projects are successful, of course, remains to be seen.
"Most of the security issues on the internet nowadays, from a technical point of view, are very simple problems," Zanero says. "But their solution in a widespread usable, transparent manner is still hard to achieve."
Take passwords. The password has been declared dead for years, and yet, we all still use it. "The password is very much like Dracula, it just won't stay dead," Zanero jokes. "It raises from the dead and will come back and bite you."
On a cold morning in February, Stamos wasn't happy with the answer that Mike Rogers, the head of the NSA, had just given during an event in Washington, DC. While Rogers joked at the beginning of the talk that he was there "to be grilled," for more than half an hour, he was anything but.
At some point though, someone asked Rogers about the encryption debate that's been boiling in Washington for six months now, ever since Apple and Google announced that they were going to make changes to their phones' security so that only users would have access to the stored data, which wouldn't be accessible even for the companies making the gizmos.
Rogers said he shared the concerns of FBI Director James Comey, who's been the loudest critic of Apple and Google's new encryption plans, which, he said, would lead the country "to a very dark place" where authorities can't access crucial digital evidence when lives are on the line.
The problem, Rogers said, was that for privacy advocates, "it's either total encryption or no encryption at all." But there should be a middle ground, a compromise.
Critics of the FBI's nebulous plan, including prominent crypto experts, say that there is no way of creating a way for the US government to get around encryption without creating a backdoor that can be exploited by others, be it criminal hackers or cyberspies from China or Russia.
After hearing that, Stamos, who is an outspoken voice on many controversial issues—a quick glance at his Twitter account will show that he usually doesn't bite his tongue—raised his hand and waited for his turn.
"Which of those countries should we give backdoors to?" Stamos, who normally has a gentle demeanor and a contagious laughter, asked in a somber tone.
Rogers dodged his questions. "We can work through this," Rogers repeated twice.
"Okay, nice to meet you," Stamos said, before sitting back down. "Thanks."
When I ask him what he'd tell Comey, if he ever came and complained about Yahoo's encryption email plugin, Stamos leans back and, without much hesitation, says that he'd tell him encryption is an important tool to keep people safe on the internet, and that there are always other ways around it. In other words, no compromises.
"If we open the door an inch, other countries are probably going to kick the door all the way in," Stamos told me. "Once you do that for one country, then it's a negotiation of how far you'll go for other countries."
A spokesperson for the FBI declined to comment, saying "we cannot comment on specific companies, products, or services."
The polite yet heated exchange between Stamos and Rogers, punctuated by nervous laughter from the public, was the first time a big name from Silicon Valley directly confronted the US government on encryption nearly two years since Snowden documents began illuminating countless attempts by the NSA to subvert and get around it. And it was an employee of Yahoo, no less, a company that's somehow slowly been losing relevance, who publicly gave voice to Silicon Valley's concerns, weeks before all the major internet companies sent a letter to President Barack Obama on the issue.
In the last couple of years, however, it hasn't been just the NSA subverting internet security. Chinese spies have used millions of innocent netizens to attack a US company, and countless governments take advantage of their control over the networks to monitor and censor.
"We are in a world historical moment right now," Stamos said at Black Hat last year, making a call for hackers and cybersecurity professionals alike to fight the good fight, "when people in our profession have the ability to change whether or not the internet is going to be the center of freedom and free expression and of democratization that we always thought it should be or if it's going to be a tool of oppression and censorship and monitoring by both democratic and nondemocratic governments."
Stamos is trying to do his part at Yahoo, where the changes he makes to the company's products affect millions of people all over the world "in one fell swoop," as Sell, the Def Con organizer, told me.
Passwords and encrypted email, if successful, might just be the beginning. At stake, there's the future of the internet.