56 comments

[ 4.1 ms ] story [ 128 ms ] thread
From a thread about the data breach:

> Investors are conflicted: on the one hand, Yahoo had a data breach that will cost them trust, but on the other hand, investors are surprised to hear there are still 500 million Yahoo users.

https://news.ycombinator.com/item?id=12559594

> but on the other hand, investors are surprised to hear there are still 500 million Yahoo users.

Not the onion.

One wonders how many of those users would flee if mail forwarding were restored.
Yahoo's operating income since Mayer took seat.

2012: 802.5M 2013: 579.4M 2014: 218.7M 2015: -127.5M

Wait til 2016 numbers come in.

Revenue flat at $5 billion.

Ouch that's painful to look at.
Now, those numbers do not explain everything.

Consider Uber revenue, and operating income ... the numbers are horrible, but the overall outlook is obviously different.

Uber's revenue

2013: 160m 2014: 440m 2015: 1.5 billion

Yahoo's revenue

2012 - 2015: 5 billion flat, with dip in the middle.

Uber experienced explosive growth in user base... can't say the same about Yahoo.

Apple - orange comparison.

So... Uber's revenue is still less than Yahoo's, right?

Explosive growth? If you are losing money, like Uber is, that means exploding loss. Is that good?

How about operating income? They both seem to be bleeding money.

Found the yahoo shareholder.
(comment deleted)
But Silliman made clear on Thursday that the “state-sponsored” nature of the breach would have no bearing on the analysis of materiality.

“From a legal perspective,” he said, “the question . . . ‘is it a state-sponsored attack?’ isn't really relevant in terms of what we're looking at. The question is whether this [had] a material or an adverse effect on the asset we are buying.”

One can see why he didn't want to call "bullshit" publicly, and the news media is required to be dumb, but does anyone with a clue really believe these oh-so-convenient "state actor" attributions? We're supposed to imagine that Russia: 1) wanted what Yahoo had, and 2) wanted to get caught at it. What's the motivation? Did Marissa cut in front of some favored oligarch at the ski lift in Davos or something?

Come on...

WikiLeaks drops shit on Clinton, blame Russia.

Mayer does a terrible job, blame Russia.

Who wants to bet that next we'll hear Elizabeth Holmes blaming Russia for her silly Edison machines not working properly.

I'm outing you as a Russian shill, but yes, there's a strange amount of Russian-blaming going on. Meanwhile, Russians are distancing themselves from American software companies. I would too in this environment.
I'm outing you as a moron.
I hope you didn't take that literally! I'm just following the trend. I hope things cool down because the tech in Eastern Europe is fantastic.
(comment deleted)
Just to be absolutely clear, I'm not seriously suggesting that you're a Russian shill. That's meant as sarcasm and immediately contradicted by my next statement. I'm seriously concerned about the amount of Russian-blaming going on. Although I'm making fun of the people who blame everything on Russia, the chance for war is serious business.
We've warned you more than once not to do this, so we've banned the account.
The guy said he was outing me as a Russian shill. Are you fucking stupid? Get off your power trip you retard.
What media conglomerate did China pay off? They used to get blamed for all the magical unavoidable super hacking... well, them and North Korea both.
After a certain point you can't blame people for robbing you if you keep leaving the door unlocked.
It really doesn't matter what Verizon believes about who did the breach. Say you want to buy my car, but then it gets destroyed, and I say Superman did it. Whether you believe me or not, it doesn't matter, you still won't buy a destroyed car.

This is somewhat different from Yahoo users' perspective: in their case, as well, the point is not if the breach was state-sponsored, the point is: did it take mass destruction weapons and hundreds of spies coordinated for months, or did it take five minutes and a hairpin?

While I suspect some of this is posturing for a better price, I'm certain from some past experience that Verizon is very serious about security.

A lot of large enterprise take an approach my colleagues have referred to as 'rubber stamp security', that checks boxes in a compliance report while still remaining largely ineffective. For example, these companies buy tools and install them, but then never configure them properly.

From what I've seen of Verizon, they are more serious about security and beyond requiring an effective toolset, they take the approach of hiring new people who already know the tools well or give effective training to their existing and competent people as part of the onboarding process. This sounds like a no-brainer, but a lot of companies either don't do this or do it very poorly.

Beyond any kind of material impact of the breach on Yahoo's business, it would require a _lot_ of work from their security teams to absorb Yahoo in a way that raises them to Verizon's standards. An acquisition of this size is rarely very easy, but having to completely overhaul the acquired company's entire security posture just adds to this effort. Verizon's security team has to consider Yahoo's infrastructure with very little trust at this point. I wouldn't much care for the prospect of having a flaming bag of poo deposited on my porch, either.

this... is certainly not my experience. However, they're a large organisation so they're most likely schizophrenic.
That's fair, I definitely don't have a global insight. Security teams are usually segmented in some way, rather than monolithic, with varying levels of competency among different teams.

They do periodically put out some interesting reading. If you want to look at it, their annual Data Breach Investigations Report are worth checking out:

http://www.verizonenterprise.com/verizon-insights-lab/dbir/

(prior year reports don't require registration and are still fairly applicable)

I once had verizon admit they'd oversold their capabilities for Incident Response and security consulting and were in dire need of support. Of course they wanted bottom barrel rates at $140 an hour.. seriously. Naturally we turned away from the opportunity as it wouldn't be profitable. I'm not convinced Verizon is anymore secure than Sony after that call ....
It's certainly not a lot of people's experience. Youtuber boogie2988 (3.5m subscribers) had his accounts hacked and his channel deleted (his primary source of income) via a Verizon social engineering hack. The hack via Verizon gained the hackers access to his Twitter, YouTube/Google accounts, even his PayPal account.
Here are more details about that[1]. I'm still surprised how they could have gained access to his Youtube and Twitter just by using his phone number.

[1] https://www.reddit.com/r/boogie2988/comments/4psg4x/i_was_ha...

If you know someone's Gmail account used for YouTube and have access to their cell phone to receive text message verifications for account resets, you have full access.

Being able to verify a code sent to the mobile phone registered with the account is used as proof of identity for account recovery by basically everything online except banking.

k. But in boogie2988 case, did the hacker got access to his actual cell phone or just cell number? That's not clear.
A social engineer goes to the Verizon store and tells customer service that they have lost their cellphone. Customer service deactivates the owner's phone and gives the social engineer a brand new phone that's connected to the owner's account.
Weird! Don't the Verizon guys do an ID verification that the person requesting the new phone is really who he claims he is?
They apparently didn't in boogie's case.
Verizon may be quite serious about protecting Verizon and its infrastructure, while still indifferent to retail subscriber account takeovers.
Given that not too long ago they were publicly shamed for implementing an invasive tracking system that completely undermines their customers' privacy, [1] you'll have to do a little better than "some past experience" and "from what I've seen" if you want your assertion that "Verizon is very serious about security" to be taken seriously.

[1] https://www.wired.com/2014/10/verizons-perma-cookie/amp/

One has nothing to do with the other

You can be VERY good at systems security, while simultaneously wanting to violate your customers privacy....

Well ironically, in this case, Verizon's problem with Yahoo is allegedly about customers' privacy.
Well, it is just anecdotal. Feel free to withhold judgement, it is just an anonymous internet comment instead of a detailed report from a thorough study. I'm certainly not giving you my CV. However, I was referring to what I saw of their stance towards their own security, rather than toward the privacy of their customers.

Still, I think the point that there's more for Verizon to worry about from Yahoo than the direct impact of the exposed customer data is a valid one. Failure to discover (if we believe them), or at least a failure to disclose, a breach for close to two years, does not speak well for them. Maybe this breach was only possible during some temporary time period two years ago, but it's also possible that whatever allowed the breach was open for a long time, allowing further opportunity to exploit other services on their network. The claim that it was possibly a 'state actor' either means they don't know and are covering their incompetence, or it was a fairly advanced threat that could potentially still be in place or even have expanded its footprint since 2014.

Lawsuit: Yahoo CEO Illegally Purged Male Workers to Replace with Women

https://www.youtube.com/watch?v=XnrkkMtHBL0

EDIT: Haha why is this being downvoted so heavily? Is it because it's off-topic, or you don't like the suggestion that someone could be discriminatory against men, or what?

I didn't downvote, but your comment is 1) off topic and 2) doesn't further a discussion or make a point. You just dropped a link with no explanation.
Probably because it's off topic and not the main reason why Verizon is raising red flag. If you thought it was relevant, then a short blurb explaining your reasoning would've helped. (would be my guess)
I just thought it was interesting. What's the protocol to share something I find interesting and not directly related to the main thread? Create a whole new thread?
There was already a thread about the lawsuit, so many are probably fatigued out by it... hence the possible downvotes.

You've been a long timer... I think you know the protocol probably better than many others. :)

Actually, I've only started commenting a few months ago. I also missed that thread about the lawsuit. Anyway, doesn't matter. Thanks.
(comment deleted)
Probably because only women can be discriminated against.

…Well, that, or because it's most definitely off topic.

> Probably because only women can be discriminated against.

I agree with the off topic part. But that statement is beyond crazy if you're serious.

(comment deleted)
I think it was sarcastic.
(comment deleted)
The delay informing Verizon is also a big deal: they are surely wondering what else they haven't been told.
Any way to bypass the free article limit on Washington Post?
Try 'Reader View' on Firefox.
It's a big warning flag for everybody: pay attention to security (broadly) or there could be no exit at the end of the road of your startup.