Yahoo Repeatedly Didn't Invest In Security, Rejected Bare Minimum Measure To Reset All User Passwords: NYTimes
If it wasn't already enough that the mega breach at Yahoo affects over 500 million users, a new investigative report in The New York Times details the extent to which Yahoo didn't care about its users' security (Editor's note: the link could be paywalled; alternate source). The report says Yahoo CEO Marissa Mayer refused to fund security initiatives at the company, and instead invested money in features and new products. Despite Edward Snowden warning Yahoo that it was too easy a target for hackers, the company took one year to hire a new chief information security officer. The company hired Alex Stamos, who is widely respected in the industry. But Stamos soon left, partly due to clashes with Mayer, The Times adds. And it gets worse. From the report: But when it came time to commit meaningful dollars to improve Yahoo's security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo's security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo's production systems. [...] But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.
topic says it all...
They were already a dead, worthless company. Now no one will even want the name.
Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.
At my company we call this "stepping over a dollar to pick up a nickel".
Surely, the board of directors at Yahoo had someone that they listened to when it came to security issues that had the potential to affect the profitability and viability of the company. Right? I mean, after all, that's a board's job, to see to those two things. [/heavy sarcasm]
>for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services
And this won't? What a silly shortsighted [expletive] that woman is.
Finally deleted my Yahoo & Flickr accounts today. Nothing of value was lost...
They did it twice in recent memory. One time was in 2015 and came out of the blue, possibly as a result of this hack.
Honestly, I don't think passwords are the bigger thing here. When my password was compromised as part of the Gawker leak, Yahoo locked down their system so that you couldn't log into accounts from new IPs. You had to change your password from an IP you've used before before you could log in again.
Getting hacked (seemingly phished) was really bad. Having a system where people in the company can give away this data is also really bad. Not resetting everyone's password seems kind of small potatoes next to all that.
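The lockdown the commenter above describes (known password still accepted, but only to reach a reset flow, and only from an IP the account has used before) is easy to state and easy to get subtly wrong. Below is an added example of that gate, written for this page and not code from Yahoo or from the commenter; the account store, the PBKDF2 parameters and the sample usernames and RFC 5737 test addresses are assumptions made for illustration. Note the trade-off the design forces: an attacker holding a leaked password is stopped at a new IP, but so is a legitimate user whose address has changed.

```python
"""Post-breach login gate: forced reset, completed only from a previously seen IP.

Added example for this page (not Yahoo's code). Sample data is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware budget


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    known_ips: Set[str] = field(default_factory=set)
    must_reset: bool = False  # set for every account in the breach set


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_matches(acct: Account, password: str) -> bool:
    # constant-time compare so the gate leaks nothing about how close a guess was
    return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)


class LoginGate:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str, ip: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), {ip})

    def mark_breached(self, usernames: Iterable[str]) -> None:
        """After a credential leak, flag every affected account for a mandatory reset."""
        for name in usernames:
            acct = self.accounts.get(name)
            if acct is not None:
                acct.must_reset = True

    def login(self, username: str, password: str, ip: str) -> str:
        acct = self.accounts.get(username)
        if acct is None or not password_matches(acct, password):
            return "denied"  # same answer for unknown user and wrong password
        if acct.must_reset:
            # The leaked password still authenticates, but only into the reset
            # flow, and only from an address the account used before the leak.
            return "reset_required" if ip in acct.known_ips else "locked_new_ip"
        acct.known_ips.add(ip)  # a normal login teaches the gate a new address
        return "ok"

    def reset_password(self, username: str, old_password: str, new_password: str, ip: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or ip not in acct.known_ips:
            return False  # reset is the protected step: never allow it from a new IP
        if not password_matches(acct, old_password) or new_password == old_password:
            return False
        acct.salt = secrets.token_bytes(16)  # fresh salt: old leaked hash becomes useless
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.must_reset = False
        return True


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("alice", "correct horse", "203.0.113.5")
    gate.mark_breached(["alice"])
    print(gate.login("alice", "correct horse", "198.51.100.7"))   # locked_new_ip
    print(gate.login("alice", "correct horse", "203.0.113.5"))    # reset_required
    print(gate.reset_password("alice", "correct horse", "battery staple", "203.0.113.5"))  # True
    print(gate.login("alice", "battery staple", "198.51.100.7"))  # ok
```

The weak point is the "known IP" signal itself: shared NATs make one attacker look like a thousand legitimate users, and dynamic addresses or an anonymity network make a legitimate user look like an attacker. In production this gate would sit beside a second recovery channel rather than replace one.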
They could probably have put a monkey into the office instead of Mayer, and be in the same position. Maybe even better because Yahoo would not have made all those failed acquisitions.
It's not even that she laid out some grand strategy or attempted some potentially groundbreaking acquisitions. There has been no vision, no risk-taking, nothing. Her only strategy appears to be to deploy employee-unfriendly policies, while benefiting from special arrangements for her personal life.
Maybe she'll go the route of Carly Fiorina and after she's done running companies into the ground she'll try at politics.
I've said it before, but these companies need to be sued into the ground. It's the only way things will ever change.
In addition to not forcing a password reset, in my case, the password CANNOT be reset.
When I sign in to yahoo mail through a browser, I am told "Suspicious Activity was detected, Click here to reset your password."
Sounds OK, but my only listed "recovery" e-mail address has been dead for over 15 years...
"Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services."
I think we have a new winner in the Twit of the Century contest!
Not one organization I have ever worked for has seriously cared about IT security. The second anyone mentions security, the next question is how much it costs. So I don't think it's a Yahoo thing - I think it happens everywhere. Even banks and healthcare companies, who have some of the most regulated data in the world don't go beyond lip service and a few token defenses to protect it. Companies will continue to offshore vital functions to companies that don't care what happens to data. They'll also continue to ignore key parts of new product development relating to security. I think one of the problems is that IT security guys can't articulate this to executives. They're either from the physical security world, or they're so tech-focused that they can't give a coherent presentation to people who only understand what dollars are.
Companies have insurance, and it's always cheaper to say "oops" and give out free credit monitoring for a year than it is to build a serious defense against security breaches. Until it becomes too expensive to ignore, whether in the form of lost business, fines or lost intellectual property, nothing will change.
Great PR move guys!
I mean, maybe she could do better, but usually you wouldn't call a person who took command of the Titanic as it scraped the iceberg a bad captain.
But, apparently, she deliberately kept going full speed through a cluster of icebergs and ignored all hits. That's pretty damn bad.
Sent from hacked yahoo.com accounts . . . and boy, I've been keeping Yahoo's abuse department busy these last six months!
It's in fact possible to be even less competent than Meg Whitman and Carly Fiorina.
But just like the Mylan CEO and Martin Shkreli; nothing, nothing, NOTHING of any import will happen to Marissa Mayer.
Just as morality doesn't apply to the 1%, neither do the laws of the 99%.
It will be bad for Verizon if they knew about these "security choices" and still went ahead with the acquisition. (which may play out in the courts) Airing this type of soiled linens just about erases any residual or liquidation value that Yahoo may have had.
Not really a surprise. Yahoo has been irrelevant since the mid 90s and a joke since Google introduced gmail.
Good grief, people, show it some mercy and put a stake through its heart.
How long are they going to wait before they start doing forced resets, not just "hey, we would like it if you changed your password" resets?
Minimum threshold fixed. Thanks!
We just block the whole domain at the spam filter.
How are those cost saving decisions working out for you now?
Not one organization I have ever worked for has seriously cared about IT security.
When it comes to rolling out new products, ignoring security is the norm.
This is because the "window of opportunity" is only "open" for a short time - until the first, second, and maybe third movers go through it and grab most of the potential customers. Companies that spent the time to get the security right arrive at the window after it closes.
This happens anywhere the customers don't test for and reject non-secure versions of the "new shiny" - which means enterprises sometimes hold suppliers' feet to the fire (if the new thing doesn't give them an advantage commensurate with, or perceived as outweighing, the risk) but consumer stuff goes out wide open.
Then, if you're lucky and the supplier is clueful, they retrofit SOME security before the bad guys exploit enough holes to kill them.
I expect this will continue until several big-name tech companies get an effective corporate death penalty in response to the damages their customer base took from their security failings. Then the financial types will start including having a good, and improving with time, security story (no doubt called "best practices") among their check boxes for funding.
I just got an email the other day from Yahoo. Yes, I use their email.
That email said they know I use an outside email client, and that FOR SECURITY I should discontinue using it in favor of using their webmail interface.
This despite the fact that I still have to pay them $20.00 per year to be able to POP my mail (which Google allows for free.)
Yahoo wants to give me fucking lectures about my email security????? And the funniest fucking part? I haven't used Thunderbird since I had to re-image my system when a Windows update / GWX Control Panel clash borked my system beyond repair. Apparently they didn't get the memo? (Or has someone cracked my strong password?) In any event.....
Asshats.
She knows that the Yahoo! products are so inferior to their competitors that they were barely hanging onto what users they had. So she took the gamble that probably had the highest odds. In blackjack, you always split eights. Not because you're in a good situation, but because 16 is the worst hand you can have and splitting is slightly less bad than drawing a card. Revenue can solve a lot of problems but Yahoo!'s is declining. Some ships are sinking so fast, it doesn't matter which bucket you bail with.
Thanks for quoting Marissa Mayer's comments on security spending, but next time please attribute it correctly.
Seriously, Yahoo died when they shut down the news message boards in 2006.
Impression is almost all companies and govt agencies suffered security breaches and lost information even after spending tons of money and resources to only get their system hacked anyway.
If blame is to be dispensed, we can blame this CEO for doing a poor job of keeping the high-profile CIO under control and for being insufficiently aggressive and proactive on the publicity angle.
With hindsight she might have been better advised to leverage the good reputation of the CIO by stroking him into sponsoring an "innovative and systemic approach" towards security.
For example convince him to commission an AI system to look after security against modest cost. That would have staved off disaster on the PR front for the time being, it might have kept the reputable CIO in place, and it would have prevented any really disruptive measures.
That would have been the American Way ... because who knows ... maybe some nerd would have come up with an effective AI system. That would have been a great cost-saving, a potential new profit centre and a PR bonanza.
Tumblr...
Security...
Tumblr...
Security...
Tumblr...
Security...
Tumblr it is! I wonder why others have not gone after the minimum wage making social justice warrior with $200,000 in students loans for a useless degree and living in their parents home demographic? Surely they are an untapped goldmine!
Marissa Mayer should be required to forgo all her pay and bonuses for the period when she refused to fund realistic security measures. She ran Yahoo! into the ground and will be richly rewarded for doing so. Great work if you can get it..
Organization? You must be joking..
I'm already deleting my Yahoo account once I get a new merchant email bucket.
Here's to you Ms Mayer, and yahoo too.
Well done!
Oops almost forgot, Fuck You Both!
The report says Yahoo CEO Marissa Mayer refused to fund security initiatives at the company, and instead invested money in features and new products.
For a moment I misread that as "... and instead invested the money in her compensation package."
Marissa's logo redesign didn't fix that?
In the past couple years, they did make sure to request that I give them a mobile phone number, or click on a smaller, not underlined link, at every single log in.
I also tried to use it from Tor, but it didn't work and now I'm semi-fucked. Now I can't use it anywhere except from home. I'm thus at low risk, for the time being, of losing access to that long-running mail account.
I registered too many internet/web accounts with this email (credentials and personal info in clear text in many received emails), but I'm glad I didn't give them a "backup email address", and as for the phone number, piss off. I didn't give you my surname.
We too, after they refused to unblock our hosting server from the mail blocklists (something about a website not being up to date; it was fixed in 24 hours).
I had such high hopes for her and Yahoo!
After trying repeatedly to change my password, I called a number I found listed for Yahoo. After telling me that I had been hacked by Russia, the guy tried to sell me $250 worth of software that would protect my account and allow me to change my passwords. I'm 76, living on my pension and SS. I don't have $250 to spend on software to fix Yahoo's lack of concern for the safety of its users. I already have to buy programs to protect my own personal CPU.
Have you guys checked out this guy Raggat Mustapha at richraggamussie@gmail.com? This dude's a cyber guru. Involved with cloning phones, hacked into a political leader's and a legislator's Gmail, hacked into my ex's Gmail and Facebook, which led to me knowing he was infidel, and also just gave my nephew some really outstanding school scores, which he upgraded himself. Cool way to have financial freedom as well: get your blank bank ATM cards, which could debit money from any ATM machine. Make $20,000 and more in a couple of days. Bank transfers and wire transfers as well as PayPal jobs. He's that good; had to make him my personal hacker. You could mail him if you've got issues; he's a discreet and professional tool. He's kinda picky though, so make mention of the reference. Alison referred you. You're welcome.