back to article Yahoo! dysfunction! meant! security! warnings! were! ignored!

Yahoo!'s board has decided CEO Marissa Mayer should not be paid her bonus, after investigating the 2014 hack that has so besmirched the company's reputation and finding the company knew about the gravity of the situation but failed to act properly to address the situation. Mayer has also decided to forego an award of equity due …

  1. The Man Who Fell To Earth Silver badge
    FAIL

    The entire Yahoo board should be sacked

    Just for hiring Mayer in the first place.

    If you need to hire someone to turn a failing organization around, the last thing anyone with any brains would do is hire someone who has zero experience with turning around failing organizations. And that describes Mayer because she spent her whole career at a place like Google. Mayer's failure was as predictable as the sunrise.

    If you need to hire someone to turn a failing organization around, you hire someone who has done it at least once before.

    1. mr. deadlift
      Trollface

      Re: The entire Yahoo board should be sacked

      do you mean the kind of CEO that argues with the CTO nerd while this is all happening, who then resigns and heads to team Zuck?

    2. ratfox
      Trollface

      Re: The entire Yahoo board should be sacked

      If you need to hire someone to turn a failing organization around, you hire someone who has done it at least once before.

      ...And in 2045 died the last human who knew how to turn around a failing organization. There was no one left in the world who had ever done it before, therefore no one who was able to do it.

      That said, you could have made quite a bit of cash if you'd bought Yahoo stock when Marissa Meyer was hired!

    3. Anonymous Coward
      Anonymous Coward

      Re: The entire Yahoo board should be sacked

      Based on share price, her tenure at the top is a success.

      1. The Man Who Fell To Earth Silver badge
        FAIL

        @AC on share price

        Due to Yahoo owning a huge chunk of Alibaba, an investment that pre-dates Meyer by quite a long time.

        Only a investment fool would confuse the increase in value of a company's assets (akin to it's real estate holdings) inflating it's book value with how the company's core business is doing.

    4. Doctor Syntax Silver badge

      Re: The entire Yahoo board should be sacked

      "If you need to hire someone to turn a failing organization around, you hire someone who has done it at least once before."

      Bernard Woolley wants a word with you. He can't work out how such a person could possibly exist.

  2. ST Silver badge
    Mushroom

    [ ... ] it appears certain senior executives did not properly comprehend [ ... ]

    In other words, Marissa Mayer is a thoroughly inept and completely incompetent boob?

    I just want to make sure I got it right.

    1. Mark 85 Silver badge

      Re: [ ... ] it appears certain senior executives did not properly comprehend [ ... ]

      Correct to the boob part. How much is she getting when the sale goes through? Something about millions? Dumb but not totally stupid. Still... Darwin should get a shot at her.

      1. LDS Silver badge
        Devil

        Darwin should get a shot at her.

        Why? Her DNA is more successful than yours, it looks....

        Evolution is about being able to adapt to the environment - and these CEOs are more capable to adapt than many nerds around.

    2. Anonymous Coward
      Anonymous Coward

      Re: [ ... ] it appears certain senior executives did not properly comprehend [ ... ]

      Wrong question. Right question should be: "Is she capable of the only requirement for a large company CEO in a golfocracy?". I.E - does she play golf?

      I bet she does. So she (and other senior executives) comply to the only real requirement for a public company exec nowdays. The Mar e Largo regulatory requirement.

  3. Christoph

    "the publication of the company's Form 10-K, the warts-and-all documents US public companies are required to file each year to disclose just about any risk they face."

    Republican Congress abolishes Form 10-K in 3 ... 2 ... 1 ...

  4. chivo243 Silver badge
    WTF?

    Normally I would cheer...

    ...when the law talking guy gets his tit in the wringer. But this is just wrong on so many levels I don't know what to say or where to start.

    http://www.recode.net/2017/3/1/14783686/yahoos-lawyer-ousted-hacking-marissa-mayer-pay-docked

    Read this one as well. Pretty fsckin' surreal. Just pay docked, no fine/lawsuit?

    The only/last question I have is who did she sleep with in order to avoid being shown the door?

  5. Anonymous Coward
    Anonymous Coward

    The ugly truth

    "The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters."

    Those of us in the infosec trenches know why this is. Middle management are strongly incentivised to only report good news upwards and to sit on or suppress bad news. Hit the bar at any security conference and find a corporate droid (drinking on his own dollar -- no expenses for us!), buy 'em a drink and probe them for some horror stores... we've seen things you people wouldn't believe. A very large email filtering firm that never applied security patches in production or upgraded OSes, so there were thousands of servers running on decade-old default Linux installs. Developers building handy databases of all the Local Administrator passwords across the organisation - browse to site, enter hostname, get plaintext admin password back -- with no audit trail, access control being membership of an AD group, and no even using HTTPS. Enormous financial services organisations with a completely flat internal network *globally* (cos firewalls are for the perimeter, right?) Mandatory annual "penetration tests" that consist of nothing more than an anonymous external Nessus scan...

    The fact is, in most organisations the security people are an annoyance inflicted on the organisation by box-ticking auditors and regulators. We're here to not criticise management's attitude that security means "spend a lot of money on a box with flashing lights", to provide the illusion of a security culture to auditors and customers, and to have someone to sack when the inevitable finally comes to pass.

    I seriously think that the soul-crushing grimness and stress resulting from spending years learning about things just so you can be told to keep quiet about it is one of the main reasons there's such a skills shortage. It's not the lack of smart, ambitious entrants at the bottom of the field: it's the burning out in a tangle of blazing metal against the Armco ten years later that's to blame.

    If by any chance someone in senior management is reading this: find a junior security person who's been around for a year or two. Buy 'em a drink, Promise them no retribution. Get them to spill their guts...

    (I've just realised I should post this as AC... )

  6. John Brown (no body) Silver badge

    The good news is that Yahoo! has "invalidated" those cookies

    Make you wonder a little about The Great Google De-Authentication Event, doesn't it?

  7. Anonymous Coward
    Anonymous Coward

    It's time this was fixed.

    The cookie forgery issue goes all the way back to 2009, details of it were and still are public. The reported attack sounds very similar to what was done back then. Yahoo appear to still be using the same authentication system as they did at that time. Why they did not choose to address the wider issues that were highlighted in the time since is puzzling. I hope they realise that changing the server secret to invalidate the cookies is only a temporary solution. In order to prevent this from happening again, they must redesign their single sign on system, which allow/s/ed any production server to become a single point of failure.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021