Yahoo! dysfunction! meant! security! warnings! were! ignored!

Yahoo!'s board has decided CEO Marissa Mayer should not be paid her bonus, after investigating the 2014 hack that has so besmirched the company's reputation and finding the company knew about the gravity of the situation but failed to act properly to address the situation. Mayer has also decided to forego an award of equity due …

  1. The Man Who Fell To Earth Silver badge
    FAIL

    The entire Yahoo board should be sacked

    Just for hiring Mayer in the first place.

    If you need to hire someone to turn a failing organization around, the last thing anyone with any brains would do is hire someone who has zero experience with turning around failing organizations. And that describes Mayer because she spent her whole career at a place like Google. Mayer's failure was as predictable as the sunrise.

    If you need to hire someone to turn a failing organization around, you hire someone who has done it at least once before.

    1. mr. deadlift
      Trollface

      Re: The entire Yahoo board should be sacked

      do you mean the kind of CEO that argues with the CTO nerd while this is all happening, who then resigns and heads to team Zuck?

    2. ratfox
      Trollface

      Re: The entire Yahoo board should be sacked

      If you need to hire someone to turn a failing organization around, you hire someone who has done it at least once before.

      ...And in 2045 died the last human who knew how to turn around a failing organization. There was no one left in the world who had ever done it before, therefore no one who was able to do it.

      That said, you could have made quite a bit of cash if you'd bought Yahoo stock when Marissa Mayer was hired!

    3. Anonymous Coward
      Anonymous Coward

      Re: The entire Yahoo board should be sacked

      Based on share price, her tenure at the top is a success.

      1. The Man Who Fell To Earth Silver badge
        FAIL

        @AC on share price

        Due to Yahoo owning a huge chunk of Alibaba, an investment that pre-dates Mayer by quite a long time.

        Only an investment fool would confuse the increase in value of a company's assets (akin to its real estate holdings) inflating its book value with how the company's core business is doing.

    4. Doctor Syntax Silver badge

      Re: The entire Yahoo board should be sacked

      "If you need to hire someone to turn a failing organization around, you hire someone who has done it at least once before."

      Bernard Woolley wants a word with you. He can't work out how such a person could possibly exist.

  2. Anonymous Coward
    Mushroom

    [ ... ] it appears certain senior executives did not properly comprehend [ ... ]

    In other words, Marissa Mayer is a thoroughly inept and completely incompetent boob?

    I just want to make sure I got it right.

    1. Mark 85

      Re: [ ... ] it appears certain senior executives did not properly comprehend [ ... ]

      Correct to the boob part. How much is she getting when the sale goes through? Something about millions? Dumb but not totally stupid. Still... Darwin should get a shot at her.

      1. Anonymous Coward
        Devil

        Darwin should get a shot at her.

        Why? Her DNA is more successful than yours, it looks....

        Evolution is about being able to adapt to the environment - and these CEOs are more capable to adapt than many nerds around.

    2. Anonymous Coward
      Anonymous Coward

      Re: [ ... ] it appears certain senior executives did not properly comprehend [ ... ]

      Wrong question. The right question should be: "Is she capable of the only requirement for a large company CEO in a golfocracy?" I.e., does she play golf?

      I bet she does. So she (and other senior executives) comply with the only real requirement for a public company exec nowadays: the Mar-a-Lago regulatory requirement.

  3. Christoph

    "the publication of the company's Form 10-K, the warts-and-all documents US public companies are required to file each year to disclose just about any risk they face."

    Republican Congress abolishes Form 10-K in 3 ... 2 ... 1 ...

  4. chivo243 Silver badge
    WTF?

    Normally I would cheer...

    ...when the law talking guy gets his tit in the wringer. But this is just wrong on so many levels I don't know what to say or where to start.

    http://www.recode.net/2017/3/1/14783686/yahoos-lawyer-ousted-hacking-marissa-mayer-pay-docked

    Read this one as well. Pretty fsckin' surreal. Just pay docked, no fine/lawsuit?

    The only/last question I have is who did she sleep with in order to avoid being shown the door?

  5. Anonymous Coward
    Anonymous Coward

    The ugly truth

    "The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters."

    Those of us in the infosec trenches know why this is. Middle management are strongly incentivised to only report good news upwards and to sit on or suppress bad news. Hit the bar at any security conference and find a corporate droid (drinking on his own dollar -- no expenses for us!), buy 'em a drink and probe them for some horror stories... we've seen things you people wouldn't believe. A very large email filtering firm that never applied security patches in production or upgraded OSes, so there were thousands of servers running on decade-old default Linux installs. Developers building handy databases of all the Local Administrator passwords across the organisation - browse to site, enter hostname, get plaintext admin password back -- with no audit trail, access control being membership of an AD group, and not even using HTTPS. Enormous financial services organisations with a completely flat internal network *globally* (cos firewalls are for the perimeter, right?). Mandatory annual "penetration tests" that consist of nothing more than an anonymous external Nessus scan...

    The fact is, in most organisations the security people are an annoyance inflicted on the organisation by box-ticking auditors and regulators. We're here not to criticise management's attitude that security means "spend a lot of money on a box with flashing lights", to provide the illusion of a security culture to auditors and customers, and to have someone to sack when the inevitable finally comes to pass.

    I seriously think that the soul-crushing grimness and stress resulting from spending years learning about things just so you can be told to keep quiet about it is one of the main reasons there's such a skills shortage. It's not the lack of smart, ambitious entrants at the bottom of the field: it's the burning out in a tangle of blazing metal against the Armco ten years later that's to blame.

    If by any chance someone in senior management is reading this: find a junior security person who's been around for a year or two. Buy 'em a drink, promise them no retribution. Get them to spill their guts...

    (I've just realised I should post this as AC... )

  6. John Brown (no body) Silver badge

    The good news is that Yahoo! has "invalidated" those cookies

    Makes you wonder a little about The Great Google De-Authentication Event, doesn't it?

  7. Anonymous Coward
    Anonymous Coward

    It's time this was fixed.

    The cookie forgery issue goes all the way back to 2009, details of it were and still are public. The reported attack sounds very similar to what was done back then. Yahoo appear to still be using the same authentication system as they did at that time. Why they did not choose to address the wider issues that were highlighted in the time since is puzzling. I hope they realise that changing the server secret to invalidate the cookies is only a temporary solution. In order to prevent this from happening again, they must redesign their single sign on system, which allow/s/ed any production server to become a single point of failure.
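The mechanism this comment refers to, as an added illustration that is not code from the article, the thread, or Yahoo!: a session cookie signed with a server-held HMAC secret under a key id, so that rotating the secret retires every cookie minted under the old key. Key ids, secrets and user names are constructed; the design is deliberately the symmetric one the comment objects to, since every host holding the secret can mint cookies as well as verify them.

```python
import base64, hashlib, hmac, json, time

# Constructed key ring: key id -> server secret. Every host holding this
# symmetric secret can mint cookies as well as verify them, which is the
# single-point-of-failure design the comment objects to.
KEYS = {"k1": b"constructed-secret-2014"}
ACTIVE_KEY = "k1"

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_cookie(user, now=None, ttl=3600):
    """Issue 'kid.payload.mac' for the user under the active key."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = json.dumps({"u": user, "exp": exp}).encode()
    mac = hmac.new(KEYS[ACTIVE_KEY], ACTIVE_KEY.encode() + b"." + payload,
                   hashlib.sha256).digest()
    return f"{ACTIVE_KEY}.{b64e(payload)}.{b64e(mac)}"

def verify_cookie(cookie, now=None):
    """Return the user name if the cookie is genuine and unexpired, else None."""
    try:
        kid, p, m = cookie.split(".")
        payload, mac = b64d(p), b64d(m)
    except ValueError:
        return None
    secret = KEYS.get(kid)
    if secret is None:          # key retired by rotation: cookie is dead
        return None
    expect = hmac.new(secret, kid.encode() + b"." + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, mac):
        return None             # forged or tampered
    data = json.loads(payload)
    if data["exp"] < (time.time() if now is None else now):
        return None             # expired
    return data["u"]

def rotate_secret(new_kid, new_secret):
    """Swap the server secret: every cookie minted under the old key stops verifying."""
    global ACTIVE_KEY
    KEYS.clear()
    KEYS[new_kid] = new_secret
    ACTIVE_KEY = new_kid
```

Rotation logs every user out at once, which is what the comment calls a temporary fix; keeping the minting secret off the verifying hosts (for example by signing with a private key that only the login service holds) is the structural change it asks for.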
