by trome 3408 days ago
Jeez, how do they still have a positive net worth? Like seriously, obviously their users & user data are worthless; they don't care about it getting stolen, nor do they seem serious about fixing their dilapidated, insecure systems.

This is just a case of poor management; if Google, Facebook, Twitter and others can figure out how to secure their sites, Yahoo can.


> If Google, Facebook, Twitter and others can figure out how to secure their sites, Yahoo can.

The other article linked in this thread[1] attributes this attack to a "state-sponsored actor", which is interesting considering that Google was hacked by such an actor [2], but I'm not sure they ever acknowledged it.

I doubt anyone can say for sure that Facebook and/or Twitter haven't been hacked in such a way. If anything, all we can say is that we haven't heard about it.

[1] http://www.telegraph.co.uk/technology/2017/02/16/yahoo-hack-...

[2] http://www.slate.com/blogs/future_tense/2013/10/30/nsa_smile...

Schneier reports that it wasn't a state-sponsored actor, but a criminal group called Group E. He says "state-sponsored actor" is often code for "please don't blame us for our shoddy security because it was a really sophisticated attacker and we can't be expected to defend ourselves against that." [1]

Google is definitely more secure and more proactive at security than Yahoo. You can look through their security whitepaper: they take a systematic approach and they meet and exceed the state of the art.[2] In contrast, Yahoo was hashing passwords with MD5. Here's Ptacek saying "there is no redeeming quality to justify using MD5", in 2007.[3] Yahoo doesn't really have any excuse.

[1] https://www.schneier.com/blog/archives/2016/09/the_hacking_o...

[2] https://drive.google.com/file/d/0B5Y-fwYJF2hLOTVmMzQ1MjAtMDF...

[3] https://web.archive.org/web/http://www.matasano.com/log/958/...

(I'm not affiliated with any of these companies.)
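The MD5 point in the comment above, as an added example that is not part of the thread, of Yahoo's systems or of any company's code: unsalted MD5 beside a salted, iterated PBKDF2-HMAC-SHA256 record with a constant-time verify. The sample password, the record format and the 600,000-iteration default are constructed for illustration; nothing here is taken from the breach being discussed.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample credential shared by two hypothetical users; not from any real dataset.
SAMPLE_PASSWORD = "password"


def md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the comment attributes to Yahoo.

    Deterministic, saltless and designed to be fast: every user with the same
    password gets the same digest, and precomputed tables apply directly.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (record format is an assumption here).

    A fresh 16-byte random salt per password means equal passwords give unequal
    records, and the iteration count makes each guess expensive for anyone who
    obtains the table. Parameters are stored with the digest so they can be
    raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_collides(hasher: Callable[[str], str]) -> bool:
    """True when two users with the same password get identical stored values.

    That property is what lets one cracked entry unlock every account sharing
    the password. MD5 has it; salted PBKDF2 does not.
    """
    return hasher(SAMPLE_PASSWORD) == hasher(SAMPLE_PASSWORD)


if __name__ == "__main__":
    print("MD5, user A:   ", md5_hash(SAMPLE_PASSWORD))
    print("MD5, user B:   ", md5_hash(SAMPLE_PASSWORD))
    rec_a = pbkdf2_record(SAMPLE_PASSWORD)
    rec_b = pbkdf2_record(SAMPLE_PASSWORD)
    print("PBKDF2, user A:", rec_a)
    print("PBKDF2, user B:", rec_b)
    print("identical MD5 digests:   ", same_password_collides(md5_hash))
    print("identical PBKDF2 records:", same_password_collides(pbkdf2_record))
    print("verify correct password: ", pbkdf2_verify(SAMPLE_PASSWORD, rec_a))
    print("verify wrong password:   ", pbkdf2_verify("Password", rec_a))
```

The two properties a defender wants from a password store are visible in the output: a per-user salt removes the shared-digest problem, and the iteration count (tuned to what the login path can afford) slows offline guessing after a table leaks. The Ptacek post cited in the comment is about the first point as much as the second; MD5 gives neither.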

And you think those other sites are more secure? The differences are slight. Giant public websites are tricky. It is very hard to deploy real security across such a large team/platform. Even if you make the effort, some security measures simply won't fly, especially in regards to change control or network segmentation. This sort of bug is only one level of the issue.

Open up any random NIST, ISO or even PCI doc to see what is involved above and beyond bug squashing.

I took the OP's comments as referring to the fact that management either:

a) didn't know the company was hacked,

b) claimed they didn't know they were hacked, or

c) didn't bother to do proper discovery to quantify the extent of the hack until years later.

And that would have been covered under NIST or ISO or any other reasonable standard. My point is that once you look into these companies, get beyond the tech stuff, virtually none implement proper security on such large deployments.

> "virtually none implement proper security on such large deployments."

Can you provide a citation for this? Otherwise it seems you are suggesting because Yahoo was lacking that this means all SV tech giants are lacking.

Well, NDAs make it hard to find actual reports, but take Ashley Madison. Millions of users, talk of a billion-dollar IPO, and the post-hack report by the Canadian and Australian privacy ministers found they had no formal security plan.

So you can't actually substantiate your claim that "virtually none implement proper security".

I am not sure why you think that mentioning a second incident makes your statement true for the majority of tech companies.

So according to your logic, one massive hack means all sites are insecure?