Databases

Yahoo Insiders Believe Hackers Could Have Stolen Over 1 Billion Accounts (businessinsider.com) 71

An anonymous reader quotes a report from Business Insider: The actual tally of stolen user accounts from the hack Yahoo experienced could be much larger than 500 million, according to a former Yahoo executive familiar with its security practices. The former Yahoo insider says the architecture of Yahoo's back-end systems is organized in such a way that the type of breach that was reported would have exposed a much larger group of user account information. To be sure, Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion. According to this executive, all of Yahoo's products use one main user database, or UDB, to authenticate users. So people who log into products such as Yahoo Mail, Finance, or Sports all enter their usernames and passwords, which then go to this one central place to ensure they are legitimate, allowing them access. That database is huge, the executive said. At the time of the hack in 2014, inside were credentials for roughly 700 million to 1 billion active users accessing Yahoo products every month, along with many other inactive accounts that hadn't been deleted. In late 2013, Yahoo CEO Marissa Mayer said the company had 800 million monthly active users globally. It currently has more than 1 billion.
Yahoo!

Yahoo Open Sources a Deep Learning Model For Classifying Pornographic Images (venturebeat.com) 114

New submitter OWCareers writes: Yahoo today announced its latest open-source release: a model that can figure out if images are specifically pornographic in nature. The system uses a type of artificial intelligence called deep learning, which involves training artificial neural networks on lots of data (like dirty images) and getting them to make inferences about new data. The model that's now available on GitHub under a BSD 2-Clause license comes pre-trained, so users only have to fine-tune it if they so choose. The model works with the widely used Caffe open source deep learning framework. The team trained the model using its now open source CaffeOnSpark system.
The new model could be interesting to look at for developers maintaining applications like Instagram and Pinterest that are keen to minimize smut. Search engine operators like Google and Microsoft might also want to check out what's under the hood here.
The tool gives images a score between 0 to 1 on how NSFW the pictures look. The official blog post from Yahoo outlines several examples.
Security

The Yahoo Hackers Weren't State-Sponsored, Security Firm Says (csoonline.com) 33

itwbennett writes from a report via CSO Online: After Yahoo raised eyebrows in the security community with its claim that state-sponsored hackers were responsible for the history-making breach, security firm InfoArmor now says it has evidence to the contrary. InfoArmor claims to have acquired some of the stolen information as part of its investigation into "Group E," a team of five professional hackers-for-hire believed to be from Eastern Europe. The database that InfoArmor has contains only "millions" of accounts, but it includes the users' login IDs, hashed passwords, mobile phone numbers and zip codes, said Andrew Komarov, InfoArmor's chief intelligence officer. Earlier this week, Chase Cunningham, director of cyber operations at security provider A10 Networks, called Yahoo's claim of state-sponsored actors a convenient, if trumped up, excuse: "If I want to cover my rear end and make it seem like I have plausible deniability, I would say 'nation-state actor' in a heartbeat." "Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations," Scottsdale, Arizona-based InfoArmor said Wednesday in a report. "The Yahoo data leak as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur."
Yahoo!

Yahoo Repeatedly Didn't Invest In Security, Rejected Bare Minimum Measure To Reset All User Passwords: NYTimes 124

If it wasn't already enough that the mega breach at Yahoo affects over 500 million users, a new investigative report in The New York Times states the extent to which Yahoo didn't care about its users' security (Editor's note: the link could be paywalled; alternate source). The report says Yahoo CEO Marissa Mayer refused to fund security initiatives at the company, and instead invested money in features and new products. Despite Edward Snowden warning Yahoo that it was too easy of a target for hackers, the company took one year to hire a new chief information officer. The company hired Alex Stamos, who is widely respected in the industry. But Stamos soon left, partly due to clashes with Mayer, The Times adds. And it gets worse. From the report: But when it came time to commit meaningful dollars to improve Yahoo's security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo's security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo's production systems. [...] But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.
Yahoo!

Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com) 72

Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report: The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter read. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Ron Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing for Senate staffers on Yahoo's incident response and how it intends to protect affected users.
Yahoo!

Moving Beyond Flash: the Yahoo HTML5 Video Player (streamingmedia.com) 96

Slashdot reader theweatherelectric writes: Over on Streaming Media, Amit Jain from Yahoo has written a behind-the-scenes look at the development of Yahoo's HTML5 video player. He writes, "Adobe Flash, once the de facto standard for media playback on the web, has lost favor in the industry due to increasing concerns over security and performance. At the same time, requiring a plugin for video playback in browsers is losing favor among users as well. As a result, the industry is moving toward HTML5 for video playback...

At Yahoo, our video player uses HTML5 across all modern browsers for video playback. In this post we will describe our journey to providing an industry-leading playback experience using HTML5, lay out some of the challenges we faced, and discuss opportunities we see going forward."

Yet another brick in the wall? YouTube and Twitch have already switched to HTML5, and last year Google started automatically converting Flash ads to HTML5.
Government

Senators Accuse Russia Of Disrupting US Election (washingtonpost.com) 199

An anonymous Slashdot reader quotes The Washington Post: Two senior Democratic lawmakers with access to classified intelligence on Thursday accused Russia of "making a serious and concerted effort to influence the U.S. election," a charge that appeared aimed at putting pressure on the Obama administration to confront Moscow... "At the least, this effort is intended to sow doubt about the security of our election and may well be intended to influence the outcomes," the statement said. "We believe that orders for the Russian intelligence agencies to conduct such actions could come only from very senior levels of the Russian government..."

White House officials have repeatedly insisted that they are awaiting the outcome of a formal FBI investigation, even though U.S. intelligence agencies are said to have concluded with "high confidence" that Russia was responsible for the DNC breach and other attacks. The White House hesitation has become a source of frustration to critics, including senior members of Congress.

Meanwhile, U.S. intelligence officials are reportedly investigating whether Donald Trump's foreign policy adviser "opened up private communications with senior Russian officials -- including talks about the possible lifting of economic sanctions if the Republican nominee becomes president."
Yahoo!

Yahoo Sued For Gross Negligence Over Huge Hacking (reuters.com) 56

Yahoo apparently took two years to investigate and tell people that its service had been breached, and that over 500 million users were affected. Amid the announcement, a user is suing Yahoo, accusing the company of gross negligence. From a Reuters report: The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a "state-sponsored actor." Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages. A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation. The attack could complicate Chief Executive Marissa Mayer's effort to shore up the website's flagging fortunes, two months after she agreed to a $4.8 billion sale of Yahoo's Internet business to Verizon Communications. Yahoo on Thursday said user information including names, email addresses, phone numbers, birth dates and encrypted passwords had been compromised in late 2014.
Security

Yahoo Confirms Massive Data Breach, 500 Million Users Impacted [Updated] (recode.net) 169

Update: 09/22 18:47 GMT by M: Yahoo has confirmed the data breach, adding that about 500 million users are impacted. Yahoo said "a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor." As Business Insider reports, this could be the largest data breach of all time. In a blog post, the company said: Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so. The Intercept reporter Sam Biddle commented, "It took Yahoo two years to announce that info on half a billion user accounts was stolen." Amid its talks with Verizon for a possible acquisition -- which did happen -- Yahoo knew about the attack, but didn't inform Verizon about it, Business Insider reports. Original story, from earlier today, follows.

Last month, it was reported that a hacker was selling account details of at least 200 million Yahoo users. The company's service had apparently been hacked, putting several hundred million user accounts at risk. Since then Yahoo has remained tight-lipped on the matter, but that could change very soon. Kara Swisher of Recode is reporting that Yahoo is poised to confirm the massive data breach of its service. From the report: While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious. Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and were selling them online. "It's as bad as that," said one source. "Worse, really." The announcement, which is expected to come this week, also has possible larger implications for the $4.8 billion sale of Yahoo's core business -- which is at the core of this hack -- to Verizon. The scale of the liability could be large and bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.
Businesses

Tesla Is Suing An Oil-Company Executive For Impersonating Elon Musk (businessinsider.com) 170

An anonymous reader quotes a report from Business Insider: Tesla is suing an oil executive under suspicion of impersonating Elon Musk to dig up confidential financial information from the company, Forbes reported on Wednesday. The lawsuit, reportedly filed Wednesday in the Superior Court of Santa Clara County, claimed that Todd Katz, the chief financial officer for Quest Integrity Group, emailed Tesla's chief financial officer using a similar email address as Musk's looking to gain information that wasn't disclosed in an earnings call with investors. Quest Integrity Group has partnerships with BP, Chevron, and ExxonMobil, the Forbes report said. According to the lawsuit, Katz used "elontesla@yahoo.com" to send an email to Tesla CFO Jason Wheeler asking about the company's sales and financial projections. The email named in the suit reads: "why you so cautious w Q3/4 gm guidance on call? also what are your thoughts on disclosing M3 res#? Pros/cons from ir pov? what is your best guess as to where we actually come in on q3/4 deliverables. honest guess? no bs. thx 4 hard work prepping 4 today. em." Tesla is seeking "undisclosed financial compensation," as well as compensation for the cost of the investigation and legal fees, according to Forbes.
Security

More Passwords, Please: 98 Million Leaked From 2012 Breach Of 'Russia's Yahoo' (arstechnica.com) 23

Sean Gallagher, writing for Ars Technica: Another major site breach from four years ago has resurfaced. Today, LeakedSource revealed that it had received a copy of a February 2012 dump of the user database of Rambler.ru, a Russian search, news, and e-mail portal site that closely mirrors the functionality of Yahoo. The dump included usernames, passwords, and ICQ instant messaging accounts for over 98 million users. And while previous breaches uncovered by LeakedSource this year had at least some encryption of passwords, the Rambler.ru database stored user passwords in plain text -- meaning that whoever breached the database instantly had access to the e-mail accounts of all of Rambler.ru's users. The breach is the latest in a series of "mega-breaches" that LeakedSource says it is processing for release. Rambler isn't the only Russian site that has been caught storing unencrypted passwords by hackers. In June, a hacker offered for sale the entire user database of the Russian-language social networking site VK.com (formerly VKontakte) from a breach that took place in late 2012 or early 2013; that database also included unencrypted user passwords, as ZDNet's Zach Whittaker reported.
Businesses

Walmart Is Cutting 7,000 Jobs Due To Automation (yahoo.com) 256

An anonymous reader quotes a report from Yahoo: The clairvoyant folks over at the World Economic Forum warned of a "Fourth Industrial Revolution" involving the rise of the machine in the workforce, and the latest company to lend credence to that claim is none other than Walmart, which is planning on cutting 7,000 jobs on account of automation. But the Walmart decision may be a bit more alarming for those in the workforce. As the Wall Street Journal reports (Warning: may be paywalled), the most concerning aspect of America's largest private employer might be that the eliminated positions are largely in the accounting and invoicing sectors of the company. These jobs are typically held by some of the longest tenured employees, who also happen to take home higher hourly wages. Now, those coveted positions are being automated. The Journal reports that beginning in 2017, much of this work will be addressed by "a central office or new money-counting 'cash recycler' machines in stores." Earlier this year, the company tested this change across some 500 locations. "We've seen many make smooth transitions during the pilot," said Deisha Barnett, a Walmart spokeswoman.
Government

FBI Says Foreign Hackers Breached State Election Systems (theguardian.com) 163

The FBI has uncovered evidence that foreign hackers breached two state election databases in recent weeks, and it has warned election officials across the country to take measures to step up the security of their computer systems. The Guardian reports: The FBI warning did not identify the two states targeted by cyber intruders, but Yahoo News said sources familiar with the document said it referred to Arizona and Illinois, whose voter registration systems were penetrated. Citing a state election board official, Yahoo News said the Illinois voter registration system was shut down for 10 days in late July after hackers downloaded personal data on up to 200,000 voters. The Arizona attack was more limited and involved introducing malicious software into the voter registration system, Yahoo News quoted a state official as saying. No data was removed in that attack, the official said. US intelligence officials have become increasingly worried that hackers sponsored by Russia or other countries may attempt to disrupt the November presidential election.
Medicine

The Big Short: Security Flaws Fuel Bet Against St. Jude (securityledger.com) 81

chicksdaddy writes: "Call it The Big Short -- or maybe just the medical device industry's 'Shot Heard Round The World': a report from Muddy Waters Research recommends that its readers bet against (or 'short') St. Jude Medical after learning of serious security vulnerabilities in a range of the company's implantable cardiac devices," The Security Ledger reports. "The Muddy Waters report on St. Jude set off a steep sell-off in St. Jude Medical's stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the 'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues stemming from remotely exploitable vulnerabilities in STJ's pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude's Merlin at home remote patient management platform, said Muddy Waters. The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude's ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed. In an e-mail statement to Security Ledger, St. Jude's Chief Technology Officer, Phil Ebeling, called the allegations 'absolutely untrue.' 'There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin at home and on all our devices,' Ebeling said."

More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters. Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay. "If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."

Music

Samsung Reminds Us That You Can't Make People Use an App They Don't Want (recode.net) 70

Samsung has announced that it will be discontinuing Milk Music on September 22. The announcement comes a year after the South Korean technology conglomerate shuttered Milk Video, another service that didn't receive the traction Samsung was hoping for. Peter Kafka, writing for Recode: It's true that you can't get media/apps/services to customers without access to a platform. But control of the platform doesn't mean customers are going to use your media/apps/services: They've got plenty of choices and they'll choose the ones they want. Ask Verizon and Comcast, which both launched video apps on their networks last year and have nothing to show for it. (You've heard of Verizon's Go90 only because Verizon keeps talking about it when people ask why it spent $10 billion on AOL and Yahoo; you have completely forgotten about Comcast's Watchable.) Soon you'll be able to ask AT&T, which is launching its own video app this fall, which will also feature lots of content people either don't want or can get elsewhere.
Encryption

How SSL/TLS Encryption Hides Malware (cso.com.au) 87

Around 65% of the internet's one zettabyte of global traffic uses SSL/TLS encryption -- but Slashdot reader River Tam shares an article recalling last August, when 910 million web browsers were potentially exposed to malware hidden in a Yahoo ad that was concealed from firewalls by SSL/TLS encryption: When victims don't have the right protection measures in place, attackers can encrypt command and control communications and malicious code to evade intrusion prevention systems and anti-malware inspection systems. In effect, the SSL/TLS encryption serves as a tunnel to hide malware, as it can pass through firewalls and into organizations' networks undetected if the right safeguards aren't in place. As SSL/TLS usage grows, the appeal of this threat vector for hackers increases too.

Companies can stop SSL/TLS attacks, but most don't have their existing security features properly enabled to do so. Legacy network security solutions typically don't have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do often suffer from such extreme performance issues when inspecting traffic that most companies with legacy solutions abandon SSL/TLS inspection.

Businesses

One Year in Jail For Abusive Silicon Valley CEO (theguardian.com) 287

He grew up in San Jose, and at the age of 25 sold his second online advertising company to Yahoo for $300 million just nine years ago. Friday Gurbaksh Chahal was sentenced to one year in jail for violating his probation on 47 felony charges from 2013, according to an article in The Guardian submitted by an anonymous Slashdot reader: Police officials said that a 30-minute security camera video they obtained showed the entrepreneur hitting and kicking his then girlfriend 117 times and attempting to suffocate her inside his $7 million San Francisco penthouse. Chahal's lawyers, however, claimed that police had illegally seized the video, and a judge ruled that the footage was inadmissible despite prosecutors' argument that officers didn't have time to secure a warrant out of fear that the tech executive would erase the footage.

Without the video, most of the charges were dropped, and Chahal, 34, pleaded guilty to two misdemeanor battery charges of domestic violence... In Silicon Valley, critics have argued that Chahal's case and the lack of serious consequences he faced highlight the way in which privileged and wealthy businessmen can get away with serious misconduct. On September 17, 2014, prosecutors say he attacked another woman in his home, leading to another arrest.

Friday Chahal was released on bail while his lawyer appeals the one-year jail sentence for violating his probation.
Businesses

Tech Giants Sign Pledge With World Wildlife Fund To Prevent Wildlife Trading (mashable.com) 27

Kerry Flynn, writing for Mashable: Looking to buy an elephant tusk on eBay? Might not be so easy. The e-commerce giant, along with Etsy, Gumtree, Microsoft, Pinterest, Tencent and Yahoo, has signed on to a new commitment to prevent the sale of illegal wildlife products on their services. The initiative is in collaboration with the World Wildlife Fund, the International Fund for Animal Welfare and TRAFFIC, and was announced Friday to coincide with World Elephant Day. Under the new policy, companies are seeking to prohibit the sale of wild live animals and animal body parts that are sourced illegally, species that are threatened by extinction and other protected animals. That includes rhino horns, pangolin parts and turtle meat. It's the first time that conservation organizations have partnered with multiple tech companies. Previously, the WWF, for example, has worked with other organizations individually. Recently, the Indian government accused several tech companies including Amazon of "selling" rare animals and their parts.
Television

Hulu Ends Free Streaming Service, Moves Free Stuff To Yahoo View (hollywoodreporter.com) 111

Hulu has inked a deal with Yahoo to provide free, ad-supported episodes of a range of TV shows. But Hulu also said Monday it will end the free streaming service on its own platform as it moves to an all-subscription model. As part of its expanded distribution deal with Hulu, Yahoo is launching Yahoo View, a new ad-supported TV streaming site with the five most recent episodes of shows from ABC, NBC, and Fox, among other networks. From an article on The Hollywood Reporter: Most of Hulu's free content has been fairly limited, restricted to what's known as the "rolling five," or the five most recent episodes of a current show -- content that typically becomes available eight days after it airs and is usually also available for free on broadcast networks' websites. For example, recent episodes of shows like America's Got Talent, South Park and Brooklyn Nine-Nine are currently available for free, while Hulu's slate of originals and high-profile exclusives remain behind the paywall. [...] Yahoo is launching the TV site a half-year after shuttering Yahoo Screen, the video service that offered up ad-supported episodes of original TV shows like Community, live streaming concerts and other clips. With View, however, Yahoo is focusing specifically on providing a destination for television to its audience, many of whom are still driven to Yahoo products via its highly trafficked homepage.
Privacy

GhostMail Closes in September, Leaves Users Searching For Secure Email Alternatives (zdnet.com) 158

On September 1, "GhostMail will no longer provide secure email services unless you are an enterprise client," reports ZDNet. "According to the company, it is 'simply not worth the risk.'" GhostMail provided a free and anonymous "military encrypted" e-mail service based in Switzerland, and collected "as little metadata" as possible. But this week on its home page, GhostMail told its users "Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people... In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment."

GhostMail is referring its users to other free services like Protonmail as an alternative, but an anonymous Slashdot reader asks: What options does an average person have for non-NSA-spied-on email? I am sure there are still some Ghostmail competitors out there, but I'm wondering if it's better to coax friends and family to use encryption within their given client (Gmail, Yahoo, Outlook, whatever...). And are there any options for hosting a "private" email service: inviting friends and family to use it and having it kind of hosted locally. Ghostmail-in-a-box or some such?
