> Investors are conflicted: on the one hand, Yahoo had a data breach that will cost them trust, but on the other hand, investors are surprised to hear there are still 500 million Yahoo users.
But Silliman made clear on Thursday that the “state-sponsored” nature of the breach would have no bearing on the analysis of materiality.
“From a legal perspective,” he said, “the question . . . ‘is it a state-sponsored attack?’ isn't really relevant in terms of what we're looking at. The question is whether this [had] a material or an adverse effect on the asset we are buying.”
One can see why he didn't want to call "bullshit" publicly, and the news media is required to be dumb, but does anyone with a clue really believe these oh-so-convenient "state actor" attributions? We're supposed to imagine that Russia: 1) wanted what Yahoo had, and 2) wanted to get caught at it. What's the motivation? Did Marissa cut in front of some favored oligarch at the ski lift in Davos or something?
I'm outing you as a Russian shill, but yes, there's a strange amount of Russian-blaming going on. Meanwhile, Russians are distancing themselves from American software companies. I would too in this environment.
Just to be absolutely clear, I'm not seriously suggesting that you're a Russian shill. That's meant as sarcasm and immediately contradicted by my next statement. I'm seriously concerned about the amount of Russian-blaming going on. Although I'm making fun of the people who blame everything on Russia, the chance for war is serious business.
It really doesn't matter what Verizon believes about who did the breach. Say you want to buy my car, but then it gets destroyed, and I say Superman did it. Whether you believe me or not, it doesn't matter, you still won't buy a destroyed car.
This is somewhat different from Yahoo users' perspective: in their case, as well, the point is not if the breach was state-sponsored, the point is: did it take mass destruction weapons and hundreds of spies coordinated for months, or did it take five minutes and a hairpin?
While I suspect some of this is posturing for a better price, I'm certain from some past experience that Verizon is very serious about security.
A lot of large enterprise take an approach my colleagues have referred to as 'rubber stamp security', that checks boxes in a compliance report while still remaining largely ineffective. For example, these companies buy tools and install them, but then never configure them properly.
From what I've seen of Verizon, they are more serious about security and beyond requiring an effective toolset, they take the approach of hiring new people who already know the tools well or give effective training to their existing and competent people as part of the onboarding process. This sounds like a no-brainer, but a lot of companies either don't do this or do it very poorly.
Beyond any kind of material impact of the breach on Yahoo's business, it would require a _lot_ of work from their security teams to absorb Yahoo in a way that raises them to Verizon's standards. An acquisition of this size is rarely very easy, but having to completely overhaul the acquired company's entire security posture just adds to this effort. Verizon's security team has to consider Yahoo's infrastructure with very little trust at this point. I wouldn't much care for the prospect of having a flaming bag of poo deposited on my porch, either.
That's fair, I definitely don't have a global insight. Security teams are usually segmented in some way, rather than monolithic, with varying levels of competency among different teams.
They do periodically put out some interesting reading. If you want to look at it, their annual Data Breach Investigations Report are worth checking out:
I once had verizon admit they'd oversold their capabilities for Incident Response and security consulting and were in dire need of support. Of course they wanted bottom barrel rates at $140 an hour.. seriously. Naturally we turned away from the opportunity as it wouldn't be profitable. I'm not convinced Verizon is anymore secure than Sony after that call ....
It's certainly not a lot of people's experience. Youtuber boogie2988 (3.5m subscribers) had his accounts hacked and his channel deleted (his primary source of income) via a Verizon social engineering hack. The hack via Verizon gained the hackers access to his Twitter, YouTube/Google accounts, even his PayPal account.
If you know someone's Gmail account used for YouTube and have access to their cell phone to receive text message verifications for account resets, you have full access.
Being able to verify a code sent to the mobile phone registered with the account is used as proof of identity for account recovery by basically everything online except banking.
A social engineer goes to the Verizon store and tells customer service that they have lost their cellphone. Customer service deactivates the owner's phone and gives the social engineer a brand new phone that's connected to the owner's account.
Given that not too long ago they were publicly shamed for implementing an invasive tracking system that completely undermines their customers' privacy, [1] you'll have to do a little better than "some past experience" and "from what I've seen" if you want your assertion that "Verizon is very serious about security" to be taken seriously.
Well, it is just anecdotal. Feel free to withhold judgement, it is just an anonymous internet comment instead of a detailed report from a thorough study. I'm certainly not giving you my CV. However, I was referring to what I saw of their stance towards their own security, rather than toward the privacy of their customers.
Still, I think the point that there's more for Verizon to worry about from Yahoo than the direct impact of the exposed customer data is a valid one. Failure to discover (if we believe them), or at least a failure to disclose, a breach for close to two years, does not speak well for them. Maybe this breach was only possible during some temporary time period two years ago, but it's also possible that whatever allowed the breach was open for a long time, allowing further opportunity to exploit other services on their network. The claim that it was possibly a 'state actor' either means they don't know and are covering their incompetence, or it was a fairly advanced threat that could potentially still be in place or even have expanded its footprint since 2014.
Just don't rely on Verizon for your own 2FA security, partly because the phone system is too easy to redirect and spoof in various ways, and partly because Verizon is too easy to social-engineer.
EDIT: Haha why is this being downvoted so heavily? Is it because it's off-topic, or you don't like the suggestion that someone could be discriminatory against men, or what?
Probably because it's off topic and not the main reason why Verizon is raising red flag. If you thought it was relevant, then a short blurb explaining your reasoning would've helped. (would be my guess)
I just thought it was interesting. What's the protocol to share something I find interesting and not directly related to the main thread? Create a whole new thread?
56 comments
[ 4.1 ms ] story [ 128 ms ] thread> Investors are conflicted: on the one hand, Yahoo had a data breach that will cost them trust, but on the other hand, investors are surprised to hear there are still 500 million Yahoo users.
https://news.ycombinator.com/item?id=12559594
Not the onion.
2012: 802.5M 2013: 579.4M 2014: 218.7M 2015: -127.5M
Wait til 2016 numbers come in.
Revenue flat at $5 billion.
Consider Uber revenue, and operating income ... the numbers are horrible, but the overall outlook is obviously different.
2013: 160m 2014: 440m 2015: 1.5 billion
Yahoo's revenue
2012 - 2015: 5 billion flat, with dip in the middle.
Uber experienced explosive growth in user base... can't say the same about Yahoo.
Apple - orange comparison.
Explosive growth? If you are losing money, like Uber is, that means exploding loss. Is that good?
How about operating income? They both seem to be bleeding money.
“From a legal perspective,” he said, “the question . . . ‘is it a state-sponsored attack?’ isn't really relevant in terms of what we're looking at. The question is whether this [had] a material or an adverse effect on the asset we are buying.”
One can see why he didn't want to call "bullshit" publicly, and the news media is required to be dumb, but does anyone with a clue really believe these oh-so-convenient "state actor" attributions? We're supposed to imagine that Russia: 1) wanted what Yahoo had, and 2) wanted to get caught at it. What's the motivation? Did Marissa cut in front of some favored oligarch at the ski lift in Davos or something?
WikiLeaks drops shit on Clinton, blame Russia.
Mayer does a terrible job, blame Russia.
Who wants to bet that next we'll hear Elizabeth Holmes blaming Russia for her silly Edison machines not working properly.
This is somewhat different from Yahoo users' perspective: in their case, as well, the point is not if the breach was state-sponsored, the point is: did it take mass destruction weapons and hundreds of spies coordinated for months, or did it take five minutes and a hairpin?
A lot of large enterprise take an approach my colleagues have referred to as 'rubber stamp security', that checks boxes in a compliance report while still remaining largely ineffective. For example, these companies buy tools and install them, but then never configure them properly.
From what I've seen of Verizon, they are more serious about security and beyond requiring an effective toolset, they take the approach of hiring new people who already know the tools well or give effective training to their existing and competent people as part of the onboarding process. This sounds like a no-brainer, but a lot of companies either don't do this or do it very poorly.
Beyond any kind of material impact of the breach on Yahoo's business, it would require a _lot_ of work from their security teams to absorb Yahoo in a way that raises them to Verizon's standards. An acquisition of this size is rarely very easy, but having to completely overhaul the acquired company's entire security posture just adds to this effort. Verizon's security team has to consider Yahoo's infrastructure with very little trust at this point. I wouldn't much care for the prospect of having a flaming bag of poo deposited on my porch, either.
They do periodically put out some interesting reading. If you want to look at it, their annual Data Breach Investigations Report are worth checking out:
http://www.verizonenterprise.com/verizon-insights-lab/dbir/
(prior year reports don't require registration and are still fairly applicable)
[1] https://www.reddit.com/r/boogie2988/comments/4psg4x/i_was_ha...
Being able to verify a code sent to the mobile phone registered with the account is used as proof of identity for account recovery by basically everything online except banking.
[1] https://www.wired.com/2014/10/verizons-perma-cookie/amp/
You can be VERY good at systems security, while simultaneously wanting to violate your customers privacy....
Still, I think the point that there's more for Verizon to worry about from Yahoo than the direct impact of the exposed customer data is a valid one. Failure to discover (if we believe them), or at least a failure to disclose, a breach for close to two years, does not speak well for them. Maybe this breach was only possible during some temporary time period two years ago, but it's also possible that whatever allowed the breach was open for a long time, allowing further opportunity to exploit other services on their network. The claim that it was possibly a 'state actor' either means they don't know and are covering their incompetence, or it was a fairly advanced threat that could potentially still be in place or even have expanded its footprint since 2014.
https://medium.com/the-coinbase-blog/on-phone-numbers-and-id...
https://www.youtube.com/watch?v=XnrkkMtHBL0
EDIT: Haha why is this being downvoted so heavily? Is it because it's off-topic, or you don't like the suggestion that someone could be discriminatory against men, or what?
You've been a long timer... I think you know the protocol probably better than many others. :)
…Well, that, or because it's most definitely off topic.
I agree with the off topic part. But that statement is beyond crazy if you're serious.