Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Repeatedly Didn't Invest In Security, Rejected Bare Minimum Measure To Reset All User Passwords: NYTimes

Posted by msmash on from the bad-blood dept.

If it wasn't already enough that the mega breach at Yahoo affects over 500 million users, a new investigative report on The New York Times states the extent to which Yahoo didn't care about its users' security (Editor's note: the link could be paywalled; alternate source). The report says Yahoo CEO Marissa Mayer refused to fund security initiatives at the company, and instead invested money in features and new products. Despite Edward Snowden warning Yahoo that it was too easy of a target for hackers, the company took one year to hire a new chief information officer. The company hired Alex Stamos, who is widely respected in the industry. But Stamos soon left partly due to clashes with Mayer, The Times adds. And it gets worse. From the report:But when it came time to commit meaningful dollars to improve Yahoo's security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo's security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo's production systems. [...] But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.

83 of 129 comments (clear)

  1. Bad CEO is bad by networkBoy · · Score: 3, Insightful

    topic says it all...

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    1. Re:Bad CEO is bad by elrous0 · · Score: 5, Funny

      Perhaps you missed the fact that this CEO is a *WOMAN*, which makes her a hero and an inspiration.

      This is somehow all the evil male patriarchy's fault.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    2. Re:Bad CEO is bad by houstonbofh · · Score: 1

      I hope she enjoys retirement. Her days as a CEO will be over soon.

    3. Re:Bad CEO is bad by XparXnoiaX · · Score: 1

      Perhaps you missed the fact that this CEO is a *WOMAN*, which makes her a hero and an inspiration.

      It's irrelevant.

      --
      Irresponsible disclosure is responsible
    4. Re: Bad CEO is bad by Luthair · · Score: 3, Informative

      She ended up with a couple hundred million so...

    5. Re:Bad CEO is bad by Oswald+McWeany · · Score: 2

      She is heroically bad and an inspiration to all people achieving mediocrity in management.

      --
      "That's the way to do it" - Punch
    6. Re:Bad CEO is bad by gweihir · · Score: 2

      Indeed. She should go to prison and personally have to compensate anybody who suffered damage from her criminal acts.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Bad CEO is bad by jenningsthecat · · Score: 1

      I think they should change Mount Rushmore and replace those evil white men with Marrissa Meyer, Ellen Pao, Elizabeth Holmes, and Hillary Clinton.

      You forgot Carly Fiorina!

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    8. Re:Bad CEO is bad by rtb61 · · Score: 1

      If you hire and M&M https://www.youtube.com/watch?..., to do the job, don't be surprised when it's brain melts under the pressure. There was likely some good reasons why the M&M was demoted at Google.

      --
      Chaos - everything, everywhere, everywhen
  2. Short sighted by sjbe · · Score: 5, Funny

    Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.

    At my company we call this "stepping over a dollar to pick up a nickel".

    1. Re:Short sighted by Tablizer · · Score: 1

      Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.

      At my company we call this "stepping over a dollar to pick up a nickel".

      My co is so clueless they step over both.

      Seems playing with lightning releases their endorphins.

      --
      Table-ized A.I.
    2. Re:Short sighted by houstonbofh · · Score: 2

      Actually this is called "risk assessment." It was just badly done and very public risk assessment. Along the lines of Ford Pinto bad...

    3. Re:Short sighted by Anonymous Coward · · Score: 2, Informative

      In England they call this "penny wise, pound foolish".

    4. Re:Short sighted by Oswald+McWeany · · Score: 4, Funny

      Mine will hire an outside contractor to pick up both for $20- and then let them keep the dollar and the nickel.

      --
      "That's the way to do it" - Punch
    5. Re:Short sighted by Ungrounded+Lightning · · Score: 1

      In England they call this "penny wise, pound foolish".

      That one's old enough that it made it into American English (where it is still in use despite more than two centuries on a non penny-pound currency.)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    6. Re:Short sighted by Bourdain · · Score: 1

      At my company we call this "focusing on the number to the right hand side of the decimal point"

    7. Re:Short sighted by losfromla · · Score: 2

      That would explain MY employer's (major defense contracting corporation) incredible increase in profitability lately.

      --
      Only I can judge you.
    8. Re:Short sighted by Bonobo_Unknown · · Score: 1

      The other weirdness is that you guys still use the term penny to describe an imperial currency, where the rest of the metric world uses cent or some derivative...

      --
      We don't believe in radical loony monotheistic religions from the middle east -- we're Christians.
    9. Re:Short sighted by Buchenskjoll · · Score: 1

      Would anyone be scared of Poundfoolish the clown?

      --
      -- Make America hate again!
    10. Re:Short sighted by Hognoxious · · Score: 1

      the rest of the metric world uses cent or some derivative...

      I'm not sure the two things are connected. What does Pfennig sound like to you? It was in play long after the huns switched to metric.

      The way things are going, it might be back soon.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  3. So Where Was the Board? by Jawnn · · Score: 2

    Surely, the board of directors at Yahoo had someone that they listened to when it came to security issues that had the potential to affect the profitability and viability of the company. Right? I mean, after all, that's a board's job, to see to those two things. [/heavy sarcasm]

    1. Re:So Where Was the Board? by phantomfive · · Score: 4, Insightful

      Why do you think this will affect profitability? Did LinkedIn become less profitable when they leaked everyone's user accounts? Or did everyone just forget about that and move on?

      --
      "First they came for the slanderers and i said nothing."
    2. Re:So Where Was the Board? by PCM2 · · Score: 5, Insightful

      Well, for starters, LinkedIn only leaked data for around 6 million accounts. Yahoo leaked data for half a billion accounts. Also, considering that people use Yahoo for their personal email and to track their finances, the data on Yahoo was potentially much more sensitive than anything on LinkedIn.

      --
      Breakfast served all day!
    3. Re:So Where Was the Board? by Darinbob · · Score: 1

      Most boards are carefully shepherded and managed so that they never actually see what the company does. They usually get the financial numbers and not much more, and don't seem to mind that they're not getting more details.

    4. Re:So Where Was the Board? by Khyber · · Score: 1

      Also, the impending lawsuits for not reporting such a breach in a timely fashion. That's likely going to nail their stock price hard and probably make any company want to avoid them except for as a penny stock.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:So Where Was the Board? by whoever57 · · Score: 1

      The board were just acting like the original Yahoos (from Gulliver's travels).

      --
      The real "Libtards" are the Libertarians!
    6. Re:So Where Was the Board? by Anonymous Coward · · Score: 1

      What idiots provide Yahoo with their financial data?

      Yahoo has always been where script kiddies go for Remedial Hacking 098
      AOL is for those who have graduated to Remedial Hacking 099.

  4. Buh-bye... by Aaden42 · · Score: 2

    Finally deleted my Yahoo & Flickr accounts today. Nothing of value was lost...

    1. Re:Buh-bye... by hyperar · · Score: 1

      Finally deleted my Yahoo & Flickr accounts today. Nothing of value was lost...

      I can't even log in, my yahoo account has an old phone number, and i can't log in, since they don't provide any alternative methods

    2. Re:Buh-bye... by antdude · · Score: 1

      But they still have your data. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  5. yahoo made me change my password by Anonymous Coward · · Score: 3, Interesting

    They did it twice in recent memory. One time was in 2015 and came out of the blue, possibly as a result of this hack.

    Honestly, I don't think passwords are the bigger thing here. When my password was compromised as part of the Gawker leak, Yahoo locked down their system so that you couldn't log into accounts from new IPs. You had to change your password from an IP you've used before before you could log in again.

    Getting hacked (seemingly phished) was really bad. Having a system where people in the company can give away this data is also really bad. Not resetting everyone's password seems kind of small potatoes next to all that.

    1. Re:yahoo made me change my password by ShaunC · · Score: 1

      Yahoo locked down their system so that you couldn't log into accounts from new IPs. You had to change your password from an IP you've used before before you could log in again.

      That sounds like a great way to permanently lock the majority of your users out of their accounts. Many ISPs have short DHCP leases; millions of people get a new IP every week or every day. And heaven help you if you're stuck on a phone with CGNAT, you might appear to come from a different IP every few minutes. I've had enough annoyances out of Gmail thinking my logins were suspicious that I finally set up a datapipe to a server with a static IP, and I route my Gmail connections through there.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  6. Wasted millions..... by whoever57 · · Score: 1

    They could probably have put a monkey into the office instead of Mayer, and be in the same position. Maybe even better because Yahoo would not have made all those failed acquisitions.

    It's not even that she laid out some grand strategy or attempted some potentially groundbreaking acquisitions. There has been no vision, no risk-taking, nothing. Her only strategy appears to be to deploy employee-unfriendly policies, while benefiting from special arrangements for her personal life.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Wasted millions..... by gweihir · · Score: 1

      Quite a bit better, because the monkey would not have been able to reject all these sensible proposals.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Mayer 2020? by OverlordQ · · Score: 3, Insightful

    Maybe she'll go the route of Carly Fiorina and after she's done running companies into the ground she'll try at politics.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Mayer 2020? by aaarrrgggh · · Score: 3, Interesting

      In fairness, yahoo was almost a lost cause when she came on board, while Carly...

      Not quite sure if anything could have been done to save them. They lacked meaningful sources of profit, and improving efficiency would not be enough. I think Mayer realized that the spinoff was the only hope when they unveiled the new logo. Just took too long to execute.

  8. lawsuits by XparXnoiaX · · Score: 2

    I've said it before, but these companies need to be sued into the ground. It's the only way things will ever change.

    --
    Irresponsible disclosure is responsible
    1. Re:lawsuits by Oswald+McWeany · · Score: 2, Insightful

      On the surface it sounds good; but if companies get sued for being hacked then more people will try hacking companies that piss them off (or in some cases maybe who are rivals).

      Get fired? Hack your employer so that they get sued as payback. Rival kicking your arse? Hire some Russian miscreants to hack them.

      --
      "That's the way to do it" - Punch
    2. Re:lawsuits by XparXnoiaX · · Score: 1

      If it does become a problem like you suggest, then it can be modified slightly, to:
      Sue companies when they do stupid shit.

      There are too many cases of clear negligence.

      --
      Irresponsible disclosure is responsible
  9. Re:Poor Yahoo by Tablizer · · Score: 1

    Now no one will even want the name.

    Rats! There goes my scam:
    http://www.yooha.com/

    --
    Table-ized A.I.
  10. In addition... by Anonymous Coward · · Score: 1

    In addition to not forcing a password reset, in my case, the password CANNOT be reset.
    When I sign in to yahoo mail through a browser, I am told "Suspicious Activity was detected, Click here to reset your password."
    Sounds OK, but my only listed "recovery" e-mail address has been dead for over 15 years...

    1. Re:In addition... by swalve · · Score: 1

      How is that their problem?

  11. Not a surprise by ErichTheRed · · Score: 5, Interesting

    Not one organization I have ever worked for has seriously cared about IT security. The second anyone mentions security, the next question is how much it costs. So I don't think it's a Yahoo thing - I think it happens everywhere. Even banks and healthcare companies, who have some of the most regulated data in the world don't go beyond lip service and a few token defenses to protect it. Companies will continue to offshore vital functions to companies that don't care what happens to data. They'll also continue to ignore key parts of new product development relating to security. I think one of the problems is that IT security guys can't articulate this to executives. They're either from the physical security world, or they're so tech-focused that they can't give a coherent presentation to people who only understand what dollars are.

    Companies have insurance, and it's always cheaper to say "oops" and give out free credit monitoring for a year than it is to build a serious defense against security breaches. Until it becomes too expensive to ignore, whether in the form of lost business, fines or lost intellectual property, nothing will change.

    1. Re:Not a surprise by pr0fessor · · Score: 4, Interesting

      We take security seriously where I work and have good security practices... That being said there are still management types who always want to find a loophole because being secure is to burdensome. They want to share logins, have password that never expire, put data on unencrypted thumb drives, etc...

      I usually just remind them that many of our clients want third parties to certify our security practices and if we can't keep that up we will not have clients and they can debate security all they want on the unemployment line.

    2. Re:Not a surprise by U8MyData · · Score: 1

      Copy that! If we can't take security seriously, what about AI? As far as articulation to executives, I do that and still get shot down. Sad state of affairs really and getting more and more dangerous.

    3. Re: Not a surprise by Anonymous Coward · · Score: 2

      Passwords that do not expire
      are not a problem. It is when
      the hashed passwords and the
      salts are exfiltrated that you have
      screwed up.

      I have passwords that are over
      ten years old. Resetting your
      password every x days is nothing
      but security theater.

      You do not need need to force
      a password reset until you are
      fairly suspicious that the breach
      has occurred. Or definitely know.

      Yahoo knew. This is epic fail.

    4. Re:Not a surprise by lgw · · Score: 5, Insightful

      Forcing users to change passwords regularly is a security anti-pattern. It produces lower security overall. It's something IT does to express their loathing of the userbase, not a security practice.

      Make users change passwords when there's evidence of a breach, and only then.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    5. Re:Not a surprise by pr0fessor · · Score: 3, Interesting

      Forcing users to change passwords regularly is a security anti-pattern. It produces lower security overall.

      That may be true if not for all the other things users do.

      I've disabled a manager's credential because I was sure they had shared them with someone they shouldn't even though I warned them not to previously and I found the log in had been used on that user's company device after they had been terminated under very bad circumstances. Needless to say everyone was pissed at me and raised a big stink but as soon as I mentioned a disgruntled ex-employee may have access to that account and why they had no problem listening.

      On a fun note someone (possibly the same disgruntled ex-employee) called up every plastic surgeon in about 500 miles and made an appoint for one our managers to have a consultation about breast enlargements.

    6. Re:Not a surprise by Anonymous Coward · · Score: 1

      Run a small business anytime in the past twenty years, and go through auditing for pretty much anything around PCI level, and I'd give you a dollar if you found even a *single* QSA who did not make regular changing of passwords a requirement.

      It may be stupid, but somebody who had a lot of power in the industry years ago decided it was important and made it a little requirement in some black book somewhere that QSAs use to tell you that your policies are bad and need change. So, it happens pretty much everywhere that audits happen.

    7. Re:Not a surprise by Sassinak · · Score: 2

      Security has always been paid lip service because everyone assumes "it won't happen to me" until it does.. so its very difficult to get a CEO to sign off on a few thousand dollars on something that MAY happen (ironically they will purchase insurance and support contracts under the notion that IF something happens they are covered) Since I work in security and its always an issue.. the world is dangerous and since the laws allow them to, as you said.. "opps", wright off the breach as a loss on the taxes, pass on any costs incurred to the consumer, and keep on moving, there is really no incentive for them to actually DO anything.

      --
      God made the Idiot for practice, and then He made the School Board -- Mark Twain Look for http://Thebar.steelbeachca
    8. Re:Not a surprise by Anonymous Coward · · Score: 1

      I haven't worked for an organization that has cared about IT in general. My previous employer wanted to reduce my pay from $55k to an hourly $12 with 'straight time OT when needed'. I read a story about how they suffered a large amount of downtime due to a technical problem.

      You can sit down a manager and explain to them how trying to cheap out on IT infrastructure and personnel will cause massive financial damages and they'll just ask you how many years in the future the damages will occur. If they already see themselves in a new job by that time, well by damn let's cut IT's salary and budget.

    9. Re:Not a surprise by Anonymous Coward · · Score: 1

      A policy forcing password changes limits how long a compromised credential can be used. Doing so can also be one of the ways you generate evidence of a breach.

      I don't understand why this silly accusation that IT is doing it to piss of the userbase comes up on here constantly. Yes it sucks and many users are incapable of managing this simple task.. but there is a reason.

    10. Re:Not a surprise by Anonymous Coward · · Score: 2, Informative

      One password is a simple to change. A hundred passwords becomes a big deal. Throw in a random grab bag of retention and password complexity rules and you end up with pissed off users. Pissed off users write passwords down, email them, and other problematic behavior to cope.

    11. Re:Not a surprise by axafg00b · · Score: 1

      Well, there is a business balance to look at - risk mitigation vs cost. However, if you are in a business where you take reputational risk seriously, you have to take security seriously. This means going through the whole gamut of access management, strict password management, audits and pen tests, user education, as well as the traditional hardware and software based security tools. Are these perfect? Hell no! But, often times having a serious security posture makes the difficulty of attack higher and at least in the days before "state-sponsored hacking", it was enough to keep script kiddies and lone wolves away. Today, with hackers having greater resources behind them, we are seeing the online repetition of the first Iraq War where the powerful and mobile coalition forces overwhelmed the fixed, inferior Iraqi forces.

      What Yahoo! apparently did was to de-emphasize security more that they should have. As a Yahoo! customer, I have taken measures to move all relevant connections away from them and will end participation in other services as many peers have done. If indeed the corporate decision (Marissa) was to not take the logical steps to shore up security in order to prevent more subscriber losses, then she was definitely not the right person for this position. A successful CEO cannot have a short-term mentality. Also, they should have a good sounding board (and an effective governing board) to review and counsel. There are many people to share the blame at Yahoo!, and if Verizon doesn't restructure their deal then their board needs to be looked at skeptically as well.

      --
      I think, therefore I am - Rene Descartes; I yam what I yam, an' that's what I yam - Popeye
    12. Re: Not a surprise by radarskiy · · Score: 1

      The credentials in question came from the manager that was still employed. It was a different user that had been terminated and with whom the manager's credentials had been shared..

  12. This oughta help sell Yahoo... by MitchDev · · Score: 2

    Great PR move guys!

  13. I didn't think she was bad by Anonymous Coward · · Score: 3, Interesting

    I mean, I maybe she could do better, but usually you wouldn't call a person who took command of the Titanic as it scraped the iceberg a bad captain.

    But, apparently, she deliberately kept going full speed through a cluster of icebergs and ignored all hits. That's pretty damn bad.

  14. That explains around 75% of the spam I see lately. by mmell · · Score: 1

    Sent from hacked yahoo.com accounts . . . and boy, I've been keeping Yahoo's abuse department busy these last six months!

  15. Amazing by LichtSpektren · · Score: 4, Funny

    It's in fact possible to be even less competent than Meg Whitman and Carly Fiorina.

    1. Re:Amazing by Anonymous Coward · · Score: 1

      Lets add Hillary who is about to be the CEO of the US and don't forget the hottest CEO in the universe Elizabeth Holmes.

  16. But just like Mylan by ThatsNotPudding · · Score: 3, Insightful

    But just like the Mylan CEO and Martin Shkreli; nothing, nothing, NOTHING of any import will happen to Marissa Myer.

    Just as morality doesn't apply to the 1%, neither does laws of the 99%.

    1. Re:But just like Mylan by Anonymous Coward · · Score: 3, Insightful

      The ex-CEO of Tyco, Dennis Kozlowski, served eight years in prison. My guess the whole time he was in there he was constantly shouting "WTF!" as various CEO's came and went unscathed for frauds much larger than his...

  17. M&A Due dilligence? by Kevin+by+the+Beach · · Score: 1

    It will be bad for Verizon if they knew about these "security choices" and still went ahead with the acquisition. (which may play out in the courts) Airing this type of soiled linens just about erases any residual or liquidation value that Yahoo may have had.

    Beautiful day by the Beach

  18. So no password reset still yet then? by sims+2 · · Score: 1

    How long are they going to wait before they start doing forced resets not just hey we would like it if you changed your password resets?

    --
    Minimum threshold fixed. Thanks!
  19. Re:Poor Yahoo by poofmeisterp · · Score: 1

    Now no one will even want the name.

    Rats! There goes my scam:
    http://www.yooha.com/

    Nutscrape 3.0. That's awesome!

  20. The invisible hand strikes. by Ungrounded+Lightning · · Score: 4, Interesting

    Not one organization I have ever worked for has seriously cared about IT security.

    When it comes to rolling out new products, ignoring security is the norm.

    This is because the "window of opportunity" is only "open" for a short time - until the first, second, and maybe third movers go through it and grab most of the potential customers. Companies that spent the time to get the security right arrive at the window after it closes.

    This happens anywhere the customers don't test for and reject non-secure versions of the "new shiny" - which means enterprises sometimes hold suppliers' feet to the fire (if the new thing doesn't give them an advantage commensurate with, or perceived as outweighing, the risk) but consumer stuff goes out wide open.

    Then, if you're lucky and the supplier is clueful, they retrofit SOME security before the bad guys exploit enough holes to kill them.

    I expect this will continue until several big-name tech companies get an effective corporate death penalty in response to the damages their customer base took from their security failings. Then the financial types will start including having a good, and improving with time, security story (no doubt called "best practices") among their check boxes for funding.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  21. Yeah I can top that. by Anonymous Coward · · Score: 1

    I just got an email the other day from Yahoo. Yes, I use their email.

    That email said they know I use an outside email client, and that FOR SECURITY I should discontinue using it in favor of using their webmail interface.

    This despite the fact that I still have to pay them $20.00 per year to be able to POP my mail (which Google allows for free.)

    Yahoo wants to give me fucking lectures about my email security????? And the funniest fucking part? I haven't used Thunderbird since I had to re-image my system when a Windows update / GWX Control Panel clash borked my system beyond repair. Apparently they didn't get the memo? (Or has someone cracked my strong password?) In any event.....

    Asshats.

  22. She was probably right by edtice1559 · · Score: 1

    She knows that the Yahoo! products are so inferior to their competitors that they were barely hanging onto what users they had. So she took the gamble that probably had the highest odds. In blackjack, you always split eights. Not because you're in a good situation, but because 16 is the worst hand you can have and splitting is slightly less bad than drawing a card. Revenue can solve a lot of problems but Yahoo!'s is declining. Some ships are sinking so fast, it doesn't matter which bucket you bail with.

  23. Re:Whhooogiffafuckina shittafuckle by Farmer+Tim · · Score: 2

    Thanks for quoting Marissa Mayer's comments on security spending, but next time please attribute it correctly.

    --
    Blank until /. makes another boneheaded UI decision.
  24. At least no waste of their money? by k6mfw · · Score: 1

    Impression is almost all companies and govt agencies suffered security breaches and lost information even after spending tons of money and resources to only get their system hacked anyway.

    --
    mfwright@batnet.com
  25. Goal-focused CEO by golodh · · Score: 1
    There's absolutely nothing "bad" about a CEO putting the interests of a company first. I think we can all agree about that.

    If blame is to be dispensed, we can blame this CEO for doing a poor job of keeping the high-profile CIO under control and for being insufficiently aggressive and proactive on the publicity angle.

    With hindsight she might have been better advised to leverage the good reputation of the CIO by stroking him into sponsoring an "innovative and systemic approach" towards security.

    For example convince him to commission an AI system to look after security against modest cost. That would have staved off disaster on the PR front for the time being, it might have kept the reputable CIO in place, and it would have prevented any really disruptive measures.

    That would have been the American Way ... because who knows ... maybe some nerd would have come up with an effective AI system. That would have been a great cost-saving, a potential new profit centre and a PR bonanza.

    1. Re:Goal-focused CEO by losfromla · · Score: 2

      Except that he's not a moron and would not be assuaged by something that any fool could clearly see as a delaying tactic. They hired him for his expertise, people like him know what they know and he clearly had not just fallen off the turnip truck when he landed at "Yahoo!"

      --
      Only I can judge you.
    2. Re:Goal-focused CEO by networkBoy · · Score: 1

      While I can respect your points, I *have* to disagree with you.
      What she did was not putting the company's interest first. What she did ensured that there would be a security *and* PR nightmare. Things like this never stay buried, they always come out eventually. That she denied a PWD reset because of being afraid people would leave is inexcusable.
      -nb

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:Goal-focused CEO by gweihir · · Score: 1

      Well, if she _had_ put the interests of the company first, she would have made sure the company had adequate IT security for long-term survival.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Goal-focused CEO by ArmoredDragon · · Score: 2

      I've had a company I've worked for (contract work) as desktop support where I've complained loudly about atrocious security and nobody gave a shit. In fact, they had no plan in place at all for handling a breach, and there wasn't even somebody I could contact in the event of one, which I found out when we I noticed that we had a breach (and when I mentioned it to the system engineers, none of them seemed to care.) The only thing I could do was just let it go because the network engineers didn't want to add any kind of short term filtering as that would mean they would have to do some work, which was a thing they particularly hated doing.

      I suspect that if I was a manager or otherwise in a position where I had power, I probably never would have been given the budget to address any of the security concerns.

      As soon as the 90 days was up I just left and never looked back.

  26. Clawback by h8sg8s · · Score: 2

    Marissa Mayer should be required to forgo all her pay and bonuses for the period when she refused to fund realistic security measures. She ran Yahoo! into the ground and will be richly rewarded for doing so. Great work if you can get it..

    --
    Organization? You must be joking..
    1. Re:Clawback by gweihir · · Score: 1

      Actually she should go to prison and have all her possession impounded to compensate the users that suffered damage because of her grossly malicious acts.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  27. bad eyesight by Anonymous Coward · · Score: 1

    The report says Yahoo CEO Marissa Mayer refused to fund security initiatives at the company, and instead invested money in features and new products.

    For a moment I misread that as "... and instead invested the money in her compensation package."

    1. Re:bad eyesight by Hognoxious · · Score: 1

      On my browser it came up as "bought loads of shoes".

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  28. Re:Poor Yahoo by Tablizer · · Score: 1

    Nah, yours are too micro & soft

    --
    Table-ized A.I.
  29. Re: Poor Yahoo by poofmeisterp · · Score: 1

    Bullcrap, I say! They are nothing but a symphony orchestra with vocals. Laa-aaaa!

  30. Re:That explains around 75% of the spam I see late by tijgertje · · Score: 1

    We to, after they refused to unblock our hosting-server from the mail-blocklists (something about a website not up to date. Was fixed in 24 hours).

  31. Poor Marissa by NoSalt · · Score: 1

    I had such high hopes for her and Yahoo!