At Yahoo, it pays to be paranoid

All employees are encouraged to be at least a little paranoid. Meet the man who was the first to put it in a job title.

To Arturo Bejar, the name of Yahoo's security team made perfect sense when he came up with it eight years ago: the "Paranoids."

Bejar, whose own title is "Chief Paranoid Yahoo," wanted his department's moniker to be disarming and give the security role a friendly face.

"We try to be somewhat lighthearted about security," he said. "As important as it is, I also think it helps adoption if it is not too serious."

The unconventional naming befits a company that was once an icon of dot-com counterculture, where its co-founders still carry the title of "Chief Yahoo". That informality--or at least the perception of it--is particularly important to Yahoo, whose goal is to be the most consumer-friendly of all the companies at the forefront of creating security standards in the Digital Age.

Photos: A peek at Yahoo 'Paranoids'

Yahoo has long viewed itself as a media company, unlike the hard-core technological roots of rivals Google (search engine) and Microsoft (operating systems). But make no mistake: despite its casual nomenclature, the company is dead serious about the issue of security. In this regard, the term "Paranoids" can be taken most literally.

There are Paranoids throughout Yahoo, of both the uppercase and lowercase variety. The company, the third biggest Web firm, won't share numbers but suggests that there are more than the 50 or so dedicated security staffers reported by rivals Google and Microsoft. Moreover, aside from the core team run by Bejar, various departments have ambassadors, known as "Local Paranoids," who may not be part of the full-time security team but serve related duties.

Yahoo employees get basic training during orientation and people in product management roles can follow a security quick-start course. More in-depth security training is provided by Yahoo's Paranoid University, which tours around the world.

For the past three years, Yahoo has also held a "Security Week." It is the biggest interdisciplinary conference at Yahoo that includes speakers from within and outside the company. External speakers have included security luminaries Matt Blaze and Dan Geer. Nowhere else are employees likely to get annual reviews on their "paranoid effectiveness."

The paranoia is justified. Yahoo has faced a broad array of Web security troubles, ranging from bugs in its instant messenger software to cross-site scripting flaws that could leave accounts vulnerable to forgery and hijacking or unwittingly help launch data-thieving phishing scams.

Bejar himself is the personification of the two sides of Yahoo's security perspective: although he is fully committed to the safety of his company's far-flung operations, he shuns the stereotypically foreboding image of a Web security professional.

"A lot of people have preconceptions about talking to the security guy," he said. "When you're talking to a Paranoid, it has a different feel."

Becoming a superhero
One difference between Yahoo's security stars and law enforcement is the uniform. Do well in security at Yahoo and the company will give you a T-shirt that's blue, green or red, depending on the effort. Blue is for good, proactive efforts, green for heroic efforts and red for people who have gone beyond the call of duty for a long time.

Arturo Bejar

The shirts are awards that aren't given out to just anyone. They have become conversation starters on the Yahoo campus. "We have never given one as just a favor, or in barter, to friends or family, not one. Everyone with a 'Paranoids' T-shirt has earned it," Bejar said.

Employees who do something really exceptional for the security of Yahoo users are turned into a superhero, a "Super Paranoid." A cartoon artist renders the individual as a superhero, which gets publicized inside the company. This prize also includes a bonus and a meeting with senior Yahoo executives.

The most recent Super Paranoids worked on security in the new Yahoo Mail, developed an antiphishing feature and recruited more Paranoids in Europe.

All of this falls under Bejar's simple definition for online security. "Alice shouldn't be able to see Bob's e-mail without Bob's consent," Bejar said. That's the more complex definition; he tells his 5-year-old son that he tries to stop the bad guys from reading other people's e-mail.

"He asks if I am a cop and he believes that's what it is, but it is not the way I look at it." Perhaps, but there's no denying that Bejar's natural gumshoe mentality was influenced by digital sleuthing at a young age.

While growing up in Mexico City, he became interested in computers from playing with some Commodores at summer camp. "When I got home afterwards, someone gave my dad a computer with no games, so I learned how to write one," he said.

He began to develop his feel for security after realizing that applications could be made to do things the developers had not intended. More inspiration came from reading Clifford Stoll's

"It spoke about default passwords in certain systems, which my school had, and passwords which administrators did not change, which my school's administrators had not--and well, you could do a lot with that," Bejar said. "I'm not sure if they ever found out though."

A natural with computers, Bejar started working for IBM when he was in his late teens. A link with Apple co-founder Steve Wozniak, still a good friend of Bejar, subsequently led him to King's College London where he got a degree in mathematics while also working at IBM there.

He then moved to the United States to work at a start-up that was building distributed social systems, a transition that brought him a step closer to joining Yahoo nearly a decade ago, initially in billing applications.

"It was ultimately the appeal of helping build and protect things that would be used by many people that got me, and has kept me, at Yahoo," he said.

It's a noble goal that is, of course, easier said than done. "Web applications are available to anyone in the world, so you have to build them to withstand instant scrutiny," Bejar said.

Special report
Wardens of the Web
In CNET News.com's multipart series, we peek behind the curtain at online giants Yahoo, Google and Microsoft, and the elite corps committed to securing Web applications.

He notes that, in theory, developing secure Web applications isn't any different from building good desktop software. But early PC programs and operating systems didn't take that access into account and therefore weren't designed with constant network connectivity in mind.

Curriculum on security has traditionally focused on topics such as encryption. "Security was not defined as what happens if somebody tries to manipulate your API (application programming interface) with malicious or mischievous intent. Application security has a lot to do with building things that don't behave unexpectedly when by accident or by malice somebody on the outside tries to manipulate them," Bejar said.

"We were aware of a lot of these problems before they even had names," he added. "When they first came around, there wasn't any good prior art available so we had to come up with a response ourselves."

That response includes several homemade tools to identify and track potential security issues in the Web site and online applications. One such tool, called Scanmus, hunts for cross-site scripting issues. The tool is named after Rasmus Lerdorf, the original creator of the PHP scripting language and a member of the Yahoo Paranoids.

Others include the Code Ferret, which inspects code and reports bugs to Pepe, a bug-tracking system named after a character similar to Jiminy Cricket in a version of Pinocchio.

The tools were tailored to work with Yahoo's systems. The company had tried some commercial applications but found that it would take too much time to retrofit those to fit its needs.

It is a laborious task, but Bejar knows that some things are worth waiting for. When he went to work at Yahoo in 1998, he was restoring a 1973 Porsche Carrera that he named "El Pato"--Spanish for "The Duck."

"El Pato was built as Yahoo took off. I built or rebuilt almost every part of it, under the supervision of Bob, my mechanic," Bejar said. "To some extent, I see El Pato as analogous to my time here at Yahoo. The security program has taken time to put together and it requires a lot of thought and understanding of how the different parts interact."

Now he says it may be time for Yahoo to share that hard work outside the company.

"We're all in this together," Bejar said. "If anything were to happen to any one of us, all are impacted."