Here's why you should not delete your yahoo account.
Once you delete your account, yahoo will make it available again to everyone.
This means that if you have not unlinked everything it can be used by others to reset accounts on services you forgot that you linked to your yahoo account.
Instead of deleting it, forward it all to another account and stop using it.
Do not forget to log in every 12 months to keep it active.
Right, something so basic to mail software that in 2016 it's still under development? I'm glad Engadget saw right through that too. It's pretty obvious they're doing whatever they can from losing users.
it seems that it wasn't forwarding that caused an issue, but rather its interaction with another new feature. For sure, Yahoo deserves more trust than what this article is giving it.
Isn't your E-mail address used as the username in most services' credentials? So you should know which services you registered using your Yahoo E-mail address because that's what you use to log in. Just go in and change them over to using your new address. For those few that don't use E-mail, take a Sunday afternoon and log in to each of them to check. Surely it couldn't be that difficult.
I have accounts at literally hundreds of sites, from credit cards and banks, public utilities, online stores, photo sites, discussion sites and forums, social networks, etc. I don't even have an exhaustive list of all the sites I've got accounts with. I certainly don't use them all frequently enough to know what my login account is set to and it would be a lot more than a Sunday morning for me to track them all down.
This is where having a password manager can really help, you just search your password manager database by username/email and go through that... Just the same, it's probably better to check as you log into them for a year or so before abandoning the account.
Many of them are old, and there are services for which I have multiple sign-ons. (e.g., four sign-ins for Hipchat, five for Slack, two for Amazon.)
There are also a lot of one-off things that require registration to try out whatever they're offering.
Some appear to just be security notes or stored keys from previous employers; others are imported from 1Password and haven't been used in the entire time I've used LastPass (5 years.)
Some are just fucking baffling, to be honest. What the hell is vodka-hoop.com, and why do I have an entry for it?
Anyway; what's the alternative to "set up a service for everything" that's not a single point of failure? (Although, I guess LastPass is that already.)
The alternative I've been leaning toward increasingly is to have user-controls-data as the model. Rather than pop up to a particular vendor, supply auth tokens, and have them pull up their information on you, you show up, they provide their tokens, and you provide your information (in their formats).
Combine this with a strong regime prohibiting inter-enterprise transfers of personal data. So that if Firm A want to talk to Firm B about User X, Firm A submits User X the request, Firm B confirms, and User X either complies or doesn't.
This would ... change certain dynamics of use of personal data.
Avoiding data loss: mumble, mumble something PKI key escrow trusted parties distributed encrypted data. Some form of personal data server as data origin, with re-shares distributed around social infrastructure. It may be a pipe dream, but at the very least it's a different model for considering pervasive data. If the user's Personal Data Stick or Home Server Box is destroyed in fire (or stolen or the cat eats it, or ...), then they and a trusted set of key escrow holders if necessary can reconstruct the data from shards spread amongs some n other systems, no one of which could individually reconstruct the whole.
"Services" in this model would be applications distributed out to operate on the user's own data directly.
Among other implications, the concept of coming up with a common base universal data format seems like a possible outcome. That could still be modified for individual service use, but the transforms would still have to map back to the core.
So basically OAuth, with more additional metadata, but with the flow going in the opposite direction? Sounds interesting, but they'd still need to cache it on their end for it to be remotely useful, right?
E.g., Google (Roberto Bayardo) state that the two critical elements for ad placement are a) current location and b) current search term. Everything else is quite minimally beneficial.
I'm not sure this is viable. I think it's worth tossing into the discussion.
This is an excellent argument for setting up e-mail using your own domain name, though, and for using that for all new accounts and transitioning existing accounts to your new e-mail address as soon as possible.
The Internet works just fine when it's decentralised, but particularly with e-mail, relying on the big service providers (or an ISP-provided address, for that matter) immediately locks you into someone else's systems for no particularly good reason.
Registering your own domain and setting up mail forwarding can be done with any number of services and costs less for a year than many people pay for a week of their cell phone service, and crucially, the domain is registered by some specialist service but is your domain and can be transferred to another service any time you want.
Unfortunately it can be a scary-looking process for non-technical users, but for those with enough confidence to arrange it, I highly recommend it.
Yes! Reducing the risk of losing control of the domain is a great reason to prefer gmail.com, outlook.com, or another similarly theft-hard mail domain. Otherwise, if an attacker can trick the registrar or nameserver, it's game-over for all accounts that use mail or mail-dependent factors for authentication.
Otherwise, if an attacker can trick the registrar or nameserver
That's a mighty big "if", though. For any of the TLDs I'm familiar with, there are significant protections against unintended domain transfers, and that has been the case for a long time for the major ones.
Losing control over your domain would be problematic. It happens.
It is extremely difficult to unintentionally lose control of a domain that you legitimately register with a respectable registrar.
Any centralised service you use for free can terminate your account on a whim any time they like, give access to an account you used to use to anyone else they like, and so on.
There is some non-zero level of risk in any dealing with a remote service, but I don't think the scale of risk in these two scenarios is even remotely comparable.
Just be careful about "deleting" your Yahoo account.
> Register a previously used ID
> A deleted Yahoo account ID may become available for future use, and you’re welcome to try to register it. However, Yahoo can't specify how long until a deleted ID may become available, and we can't guarantee that it will become available.
And make sure it doesn't get removed for inactivity:
> If you rarely use your account, it will go into an inactive state and then be deleted. You can prevent this by signing in to your account using any device at least once every 12 months.
I wondered why my old Yahoo accounts wouldn't let me in. I didn't sign in once a year.
To be honest, I don't think that's a good policy. A few months ago, I was going to give Yahoo a second chance. I was told "my name, or password was wrong." I spend five minutes finding my info, and in that fife minutes; figured it just wasen't worth it.
Anyways--goodby Yahoo. One day, Google and FB will be right there on the long slide to the bottom.
The Yahoo fiasco is horrible, but it shouldn't come as a surprise to anyone who has heard of Snowden and his leaks. He talks about programs like this, though I don't remember the program's name. So, in other words, shouldn't we all have dumped Yahoo (and everyone else) in 2013? Also, it's rather irrelevant if you communicate mostly with other Yahoo, Gmail, etc. users because, unless you encrypt (good luck with getting your friends and family to encrypt) all messages, you still can't keep it private. So let's not pretend like this is a surprise or it's only Yahoo doing it. That last claim would be the most ridiculous.
You are probably thinking of the PRISM program, which demands information from technology companies based on warrants from the secret FISA court [1], and the MUSCULAR program which sniffs internal Google/Yahoo cloud traffic from servers based in foreign countries. MUSCULAR is completely warrantless because the information is collected outside of the United States [2].
While these programs are horrible, I'd like to mention how great the naming of the programs have been. One of my favorites was FIRSTDATE then BADDECISION leading to SECONDDATE.
Again, not condoning behavior, I just wish I could be so creative when naming systems.
To be fair, according to this article, Google, Microsoft, Apple, and others have explicitly denied allowing government officials direct access to their servers.
However, due to the secrecy requirements of the law, we cannot know if they did allow the government some other form of access that was functionally equivalent to a rootkit on the server in terms of what the government could access.
Pure speculation on my part: Yahoo probably got the court order and made the decision that the government was going to get what they wanted anyway in the end, and resistance was going to be futile, and they probably figured that since no-one was going to be able to hear about them fighting against this order, it wouldn't even do their reputation any good to fight it. Of course, if I'm right, they miscalculated a little bit on that last part, since they obviously didn't count on a leak of the fact that they did roll over, which now has damaged their reputation.
> To be fair, according to this article, Google, Microsoft, Apple, and others have explicitly denied allowing government officials direct access to their servers.
Right, but the statements were very carefully crafted PR statements that only implied that there were no similar feeds while leaving open the possibility that there may be.
Having watching the industry for some time (Skype's PR denials come to mind as well as all the companies implicated in the Snowden disclosures) I have no confidence that those PR releases mean anything of significance besides a recognition from the companies that their users might not like certain activities by their customers.
Bruce Schneier agrees with you, which lends your argument some credence to me, but I thought "We’ve never received a request like this, and were we to receive it we’d challenge it in a court" was about as broad and clear a statement as could reasonably be made about this. What would you need them to say?
Something like "We do not have any programs or agreements whatsoever with law enforcement to share any user data or metadata or summaries or analysis of said information. We screen our employees for infiltration from intelligence community members, putting them only in positions where they can not influence our systems without significant risk of discovery and where they can not influence our systems without involving a large number of other people who we empower to contact the public and the media if they see anything suspicious. Furthermore, we have no shareholders or executives with business, security or personal relationships with federal police / national security personnel. Finally, we've designed our product such that the very most minimal set of information and meta information is ever available to us, even if we try, and so the amount of abuse that we could perpetrate is at the very most X, where X can be understood by someone who carefully looks at our design. In addition to this, I and significant parts of our company leadership will step down from our roles if any information contradicting any of this ever comes out."
Though I wouldn't hold my breath.
The wiggle room in "request like this", for example, is huge. That's not something that I'm being particularly pedantic about - it's something we've seen repeated evidence for.
Basically, I've lost trust in the public relations portions of these businesses - which are not empowered to know the truth about what goes on at their organizations to begin with. The only technologies I feel confident placing trust in are ones that don't require placing a trust (forever) in one of these corporations (as well as all future employees and shareholders).
(Twitter is a good example of a company that has held out for a very long time, but has eventually given way to pressure.)
Your proposed requests would include responding to legal warrants, which all of those companies already admit to doing.
Could I suggest "We do not ever voluntarily comply with any requests for user data or metadata or summaries or analysis, we resist involuntarily, legally mandated compliance as much as legally allowable, and we publish as much information about information we give away in as much detail as we legally can."?
Unfortunately, even though I would very much like to abandon mine (even though it's used only for some spammy registrations), email forwarding is not possible unless you pay them, which is obviously out of question.
So basically, the best I can do is start changing my associated email address at the services I care about that are still using my yahoo email address. After a while, my yahoo inbox will be 100% spam (as opposed to 90% spam now), so I'd be able to move on.
Some email services will allow you to "fetch" mail from another service. For example, I think it's possible with gmail to configure it to log in periodically to your yahoo account and fetch the email.
I run a hosting business and our email stack supports this feature. We use a combination of open source technologies to transfer email like imapsync for the initial transfer and then use a glorified version of fetchmail in a cron job.
Well dang it, I only keep my Yahoo account around so I can log in to Flickr, which is something I've been using long before Yahoo's acquisition of that service.
Yahoo Groups has some useful groups of which I've been a member for many years. I'd prefer that they'd just move to Majordomo-ish mailing lists but short of that they're preferable to Facebook Gruops.
There is a mail icon in the top-right of my Yahoo Groups screen which I've never clicked. Hovering over it says 'we're unable to preview your mail'. I'm half-scared of why that is.
This is actually one line of discussion I'd hoped to spark in posting the item.
There are a few dyanmics here:
1. Goodwill for a company with repeated security breeches.
2. Goodwill for a company which rolls over in the face of government surveillance.
3. Privacy expectations in the face of third-party hosted services. Frankly, Yahoo's actions should send stone-cold shivers through anyone using such systems.
4. The whole question of online petitions and such.
Presumably in that traditionally an actual normal court that is accountable to the public would have to based on evidence approve a warrant naming particularly the individuals and why and for a finite duration of time.
This is fundamentally different from building a tool that would allow them to access any or all of your customers communications forever with no further oversight forever based on a secret courts request or in fact sometimes nothing more than administrative request or even breaking in.
It is significant in the sense of scope (they searched everyone's email), in the sense of legality (this wasn't court ordered, indeed it didn't come through corporate attorneys), in the sense of reasonable suspicion (there was none), and in the sense of scale (data at scale can be used to do things that individual bits of data can not).
Those people who are security minded have already switched to a secure email provider, or run their own email servers. Those who are not so security minded people don't care, won't care and have no desire to stop using Yahoo. If you didn't know or think the NSA does this, then you've been living in a cave for the past decade.
While I appreciate the outrage, it seems most people have become fatigued by this constant barrage of evil corporations getting buddy:buddy with the NSA and have either done something about it, or have just accepted it.
Yahoo was very sloppy. But I believe all other companies that provide "free" email are continuing to allow The US Government Agencies to archive and search emails without explicit consent from the user.
If a company states it denied the access to email, then let the CEO of the company under oath, testify that they've rejected/denied all attempts to have emails archived and searched by any Government agency
"...I care about my own privacy and security..." and yet your website has no encryption. Thus, when I enter my details on your form, it is being passed over the same internet in plaintext, thereby violating the exact "privacy and security" this "protest" aims to create.
Well, I think the concept here is to publicly pledge to dump yahoo, in order to convince & pressure others to do the same. Saying you care about your privacy and security doesn't mean you remove yourself from all forms of public expression. It's the most basic form of free speech.
If you want to privately pledge, just write it down on a sticky note, and put it on your monitor.
This is a site collecting information for a public petition. By definition your GOAL is to share your information publicly. How is it absurd to do so in the open?
I host 20 sites from simple vps box with nginx. AFAIK i need an ip per domain to have ssl, unless I use something called sni, but I don't know how to set it up with nginx + let'sencrypt It's not that easy.
Of course I could just throw cloudflare in front of everything, but no thank you.
Honestly, I don't even know. I'm not familiar with SNI.
All I know is I didn't have to do anything special to get the 2nd domain running ssl on the same box. It just worked right away as expected. I wasn't even aware that there might be complications.
You don't need to set up anything specifically for SNI, nginx does that out of the box. Unless you have to serve really old clients (some WinXP and android <2.3 I think?) SNI is no problem at all.
Doing so is just so increasingly limiting on our lives. What might be a more ideal scenario is to change the government's priorities, and enact strict(er) privacy laws that prevent these and other companies from sharing our data, or to be able to speak out when a hidden government department asks them to keep it under wraps.
If we wanted to show that we weren't letting them do this without consequence, we'd be suing Yahoo and the Gov't like real Americans. We'd be suing for such an egregious amount that our national debt would look like a bit of pocket change. We would threaten the very life and livelihood of this country if we TRULY cared about our rights and privacy.
You don't need money. If you've ever bothered to read the paperwork to file a suit, you'd notice a spot that says "I cannot afford the fees for attorney nor filing. Waive them."
Then you prove that, make it a class-action suit, and you watch as lawyers scramble to make their name representing you and the class.
This is how America works. If you haven't figured this out, I hope you do very soon, as it will be the only way you can defend yourself in eventuality.
"I want to make it clear to the government, to Yahoo and to other internet companies that they cannot compromise my security, privacy and safety without consequence."
Well... then you should dump your phone too because the government has direct access to all telecom networks. By law! no spying necessary.
101 comments
[ 4.3 ms ] story [ 173 ms ] threadHere's why you should not delete your yahoo account.
Once you delete your account, yahoo will make it available again to everyone.
This means that if you have not unlinked everything it can be used by others to reset accounts on services you forgot that you linked to your yahoo account.
Instead of deleting it, forward it all to another account and stop using it.
Do not forget to log in every 12 months to keep it active.
When Yahoo released a ton of unused accounts, I grabbed my last name (which I use on every service). I occasionally get mail for that email address.
My Yahoo email is several years older than Gmail. It would take a LONG time to migrate to another service.
Why, exactly? mbsync (isync) between the two services, done.
See: https://techcrunch.com/2016/10/10/yahoo-makes-it-difficult-t...
Based on what? Since nuking Geocities Yahoo does not deserve any trust and it has been going steadily down from there.
I think this whole "set up a service for everything" concept ain't workin'.
I'm trying to think how much storage just the TOS and Privacy Policies for those would run.
There are also a lot of one-off things that require registration to try out whatever they're offering.
Some appear to just be security notes or stored keys from previous employers; others are imported from 1Password and haven't been used in the entire time I've used LastPass (5 years.)
Some are just fucking baffling, to be honest. What the hell is vodka-hoop.com, and why do I have an entry for it?
Anyway; what's the alternative to "set up a service for everything" that's not a single point of failure? (Although, I guess LastPass is that already.)
Combine this with a strong regime prohibiting inter-enterprise transfers of personal data. So that if Firm A want to talk to Firm B about User X, Firm A submits User X the request, Firm B confirms, and User X either complies or doesn't.
This would ... change certain dynamics of use of personal data.
Avoiding data loss: mumble, mumble something PKI key escrow trusted parties distributed encrypted data. Some form of personal data server as data origin, with re-shares distributed around social infrastructure. It may be a pipe dream, but at the very least it's a different model for considering pervasive data. If the user's Personal Data Stick or Home Server Box is destroyed in fire (or stolen or the cat eats it, or ...), then they and a trusted set of key escrow holders if necessary can reconstruct the data from shards spread amongs some n other systems, no one of which could individually reconstruct the whole.
"Services" in this model would be applications distributed out to operate on the user's own data directly.
Among other implications, the concept of coming up with a common base universal data format seems like a possible outcome. That could still be modified for individual service use, but the transforms would still have to map back to the core.
1. Move processing to data.
2. Use minimum viable data.
E.g., Google (Roberto Bayardo) state that the two critical elements for ad placement are a) current location and b) current search term. Everything else is quite minimally beneficial.
I'm not sure this is viable. I think it's worth tossing into the discussion.
The Internet works just fine when it's decentralised, but particularly with e-mail, relying on the big service providers (or an ISP-provided address, for that matter) immediately locks you into someone else's systems for no particularly good reason.
Registering your own domain and setting up mail forwarding can be done with any number of services and costs less for a year than many people pay for a week of their cell phone service, and crucially, the domain is registered by some specialist service but is your domain and can be transferred to another service any time you want.
Unfortunately it can be a scary-looking process for non-technical users, but for those with enough confidence to arrange it, I highly recommend it.
The argument for individual domains suggests itself, or an equivalent follows-the-person mechanism.
That's a mighty big "if", though. For any of the TLDs I'm familiar with, there are significant protections against unintended domain transfers, and that has been the case for a long time for the major ones.
It is extremely difficult to unintentionally lose control of a domain that you legitimately register with a respectable registrar.
Any centralised service you use for free can terminate your account on a whim any time they like, give access to an account you used to use to anyone else they like, and so on.
There is some non-zero level of risk in any dealing with a remote service, but I don't think the scale of risk in these two scenarios is even remotely comparable.
Or something like sovereign. https://github.com/sovereign/sovereign
> Register a previously used ID
> A deleted Yahoo account ID may become available for future use, and you’re welcome to try to register it. However, Yahoo can't specify how long until a deleted ID may become available, and we can't guarantee that it will become available.
https://help.yahoo.com/kb/SLN3060.html
And make sure it doesn't get removed for inactivity:
> If you rarely use your account, it will go into an inactive state and then be deleted. You can prevent this by signing in to your account using any device at least once every 12 months.
To be honest, I don't think that's a good policy. A few months ago, I was going to give Yahoo a second chance. I was told "my name, or password was wrong." I spend five minutes finding my info, and in that fife minutes; figured it just wasen't worth it.
Anyways--goodby Yahoo. One day, Google and FB will be right there on the long slide to the bottom.
[1] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
[2] https://en.wikipedia.org/wiki/MUSCULAR_(surveillance_program...
Again, not condoning behavior, I just wish I could be so creative when naming systems.
Yahoo has more disgruntled former employees to reveal secrets than Google, Microsoft, etc...
However, due to the secrecy requirements of the law, we cannot know if they did allow the government some other form of access that was functionally equivalent to a rootkit on the server in terms of what the government could access.
Pure speculation on my part: Yahoo probably got the court order and made the decision that the government was going to get what they wanted anyway in the end, and resistance was going to be futile, and they probably figured that since no-one was going to be able to hear about them fighting against this order, it wouldn't even do their reputation any good to fight it. Of course, if I'm right, they miscalculated a little bit on that last part, since they obviously didn't count on a leak of the fact that they did roll over, which now has damaged their reputation.
Right, but the statements were very carefully crafted PR statements that only implied that there were no similar feeds while leaving open the possibility that there may be.
Having watching the industry for some time (Skype's PR denials come to mind as well as all the companies implicated in the Snowden disclosures) I have no confidence that those PR releases mean anything of significance besides a recognition from the companies that their users might not like certain activities by their customers.
Though I wouldn't hold my breath.
The wiggle room in "request like this", for example, is huge. That's not something that I'm being particularly pedantic about - it's something we've seen repeated evidence for.
Basically, I've lost trust in the public relations portions of these businesses - which are not empowered to know the truth about what goes on at their organizations to begin with. The only technologies I feel confident placing trust in are ones that don't require placing a trust (forever) in one of these corporations (as well as all future employees and shareholders).
(Twitter is a good example of a company that has held out for a very long time, but has eventually given way to pressure.)
Could I suggest "We do not ever voluntarily comply with any requests for user data or metadata or summaries or analysis, we resist involuntarily, legally mandated compliance as much as legally allowable, and we publish as much information about information we give away in as much detail as we legally can."?
Yes, of course I will trust them. I am sure that they were paragons of user rights
And the government can compel them to lie about that, too. So their statements are literally useless and cannot be trusted. Period.
Or maybe they decided it was better to make money selling us out?
So basically, the best I can do is start changing my associated email address at the services I care about that are still using my yahoo email address. After a while, my yahoo inbox will be 100% spam (as opposed to 90% spam now), so I'd be able to move on.
I run a hosting business and our email stack supports this feature. We use a combination of open source technologies to transfer email like imapsync for the initial transfer and then use a glorified version of fetchmail in a cron job.
There is a mail icon in the top-right of my Yahoo Groups screen which I've never clicked. Hovering over it says 'we're unable to preview your mail'. I'm half-scared of why that is.
There are a few dyanmics here:
1. Goodwill for a company with repeated security breeches.
2. Goodwill for a company which rolls over in the face of government surveillance.
3. Privacy expectations in the face of third-party hosted services. Frankly, Yahoo's actions should send stone-cold shivers through anyone using such systems.
4. The whole question of online petitions and such.
Yep. Pretty much just a skin for their newsletter sign-up.
[1] https://www.mailinator.com/
You need another provider for sending.
I respect the lavabit guy for his decision to implode, but you can't expect a large public company to behave that way.
This is fundamentally different from building a tool that would allow them to access any or all of your customers communications forever with no further oversight forever based on a secret courts request or in fact sometimes nothing more than administrative request or even breaking in.
Those people who are security minded have already switched to a secure email provider, or run their own email servers. Those who are not so security minded people don't care, won't care and have no desire to stop using Yahoo. If you didn't know or think the NSA does this, then you've been living in a cave for the past decade.
While I appreciate the outrage, it seems most people have become fatigued by this constant barrage of evil corporations getting buddy:buddy with the NSA and have either done something about it, or have just accepted it.
If a company states it denied the access to email, then let the CEO of the company under oath, testify that they've rejected/denied all attempts to have emails archived and searched by any Government agency
If you want to privately pledge, just write it down on a sticky note, and put it on your monitor.
Of course I could just throw cloudflare in front of everything, but no thank you.
Shows working sni with nginx and let's encrypt. You've probably done the same config error
All I know is I didn't have to do anything special to get the 2nd domain running ssl on the same box. It just worked right away as expected. I wasn't even aware that there might be complications.
But no, instead you want us to sign a petition.
Give me a break.
Or is angrily commenting on Hacker News easier?
Give me a break.
Then you prove that, make it a class-action suit, and you watch as lawyers scramble to make their name representing you and the class.
This is how America works. If you haven't figured this out, I hope you do very soon, as it will be the only way you can defend yourself in eventuality.
Yahoo has not been purchased yet.
Well... then you should dump your phone too because the government has direct access to all telecom networks. By law! no spying necessary.