Having been in the role of advocating investing in security, the typical questions are:
* "Will the product run faster?"
* "Will the customers get better service?"
* "Will someone choose us over a competitor because of this?"
But if you can say, "When you try to sell this company to another company, the strong security policies and technology this funding provides will be insurance against having a security breach like Yahoo! and tanking the sales price."
Now that resonates because they probably have a lot to win or lose over the sales price of the company in a merger/acquisition strategy.
"It's a few million now, but without it, it could cost you billions of personal wealth down the road. Now who's in?"
So you go to the annual planning meeting and you pitch to the execs... We want to take 5 engineers to first fix the password encryption we are using, second to update all the databases, third to build and test a system that makes swapping out the encryption method of passwords easier and less disruptive in the future, and finally updating the build system to do some sort of regression test on passwords to ensure we aren't creating new services with weak algorithms.
The person after you pitches ... we'd like to take 5 engineers to build an algorithm to identify viral videos on the web and then put them into an iframe on our properties, thus increasing the length of time someone spends on our web pages which early A/B testing with some hand picked videos suggests increases revenue per page by .5%.
They give the 5 engineers to the kitten project; it makes for more revenue.
A year goes by, the security guy pitches and the second pitch is "Our videos are doing great but we have discovered that people really hate that it takes three clicks to change their preferences on page layout. We want the 5 engineers to tweak the portal pages to make customization easier and we'll add a frictionless ad portal where they can just click on a product that appears and it will order it for them."
The updated portal gets the 5 engineers.
Now they are at a due diligence meeting with a potential suitor who discovers that millions of passwords were breached and later compromised because for years they knew they were using an insecure way of storing them but had not done anything about it. This materially affects what they consider the 'value' of the company to be.
The challenge is that if the security guy is really good the customers don't "see" anything, just their password is better protected than it was, and future projects start with strong password management systems. So from the people visiting the web property "nothing" changes. From the executive planning group's perspective they have spent 5 precious head count on a feature that they will have no way of "reporting" its success either in their own resumes or to their bosses. Kittens and better click through? Easy to measure and report and you can point at dollars in the bank as the benefit.
That said, the alternatives are much worse than the price of security.
How will this pragmatically trickle down to middle managers and their subordinates? With politics and personal incentive that are potentially unaligned with the company's long term interests (not having a data breach), will more resources actually be spent on security?
The return on investment of information security is not obvious / tangible, especially on a quarterly basis. Data breaches are "black swan" events, rarely occurring but with disproportionate consequences when they do occur. It's harder to quantitatively track progress, or lack thereof, of investment into security.
People can (over) claim the amount of time reallocated to security. These claims would be hard to falsify. Teams who are behind on other deadlines can blame time being reallocated to information security. Managers can use the purported reallocated time to spend on feature work, or whatever it is that makes them look objectively better for promotion.
I admit I'm being a bit cynical. I think company culture would help mitigate these issues. Executives valuing information security, even if it's just words rather than policy, nurtures such a culture.
For middle management and below, if upper management doesn't care about security, despite the "look at Yahoo" argument, then you'll find no leverage there for security funding. If they care at all, then managers and individual contributors can argue for security to stand out and accelerate their career. Yahoo's security troubles brighten the spotlight on the need for security funding at companies for training, audits, and setting aside time to do retroactive security work. It's not a silver bullet, but it helps.
OWASP has a lot of great web security resources. Here is their top 10 list from 2013, https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
Some people say it materially affected their brand value but outside of the costly downtime during the holiday sales period I am not certain it affected their brand much if at all.
If people ask, just doing my day job.
edit: care to explain the downvotes?
http://www.investopedia.com/stock-analysis/070215/why-yahoos... from April, but the prices haven't moved too much since.
Now light the chairs on fire.
It can get worse.
Drops in BABA's share price tend to be mirrored in YHOO's, so that's responsible for a decent portion (albeit less than half) of today's dip.
Of course Mr. Robot could itself be a symptom of the zeitgeist.
The problem is that it's hard to evaluate security. Unless you know the area very well, it's hard to hire someone that knows the area well, which is a catch-22.
Do we know that Yahoo skimped on security, or did they just not get what they paid for because they didn't know better?
I'm seriously flabbergasted that they continue to let this happen. The last time you would've thought head would roll, they would batten down the hatches, notify users and be completely proactive in defending against another attack.
To me, it looks like they just said, "Well, fuck it, it won't happen again, why invest the time and money to protect our users?" I'd also point out the breach they're referencing was from 2013 so any data that was pilfered has already been running wild on the underground and been passed around a few thousand times. Another reason it just shows they don't care at all.
After this, no investor should touch this company with a ten foot pole.
The delay in them discovering the breach isn't that alarming either. If you didn't have systems in place to detect an intrusion, how do you retroactively find one? Companies usually don't find out until law enforcement contacts them or they accidentally stumble across the backdoor.
So, does Yahoo still have poor infosec? I'd guess so. But this newest breach isn't evidence of that, it only shows how bad their security was in 2013.
Even if Verizon ends up paying the full price, the fact that investors really worried that they wouldn't is enough to scare future companies.
If you care about your data you are basically only able to secure it if you host it yourself.
It's pretty revolting, but my assumption is that if the US government _really_ wants your data, it's virtually impossible to block all the vectors they have to get at it.
It's important that people also don't fall into the illusion that their Infosec skills can match that of google/apple engineers. These guys are some of the best there is.
Verizon can get rid of the costly parts of Yahoo (mostly its media business) and have its own small Google to make cash. That was $1.8bn per year in 2015, while Yahoo's overall revenue stands at $3.9bn (Asia excluded). So Verizon buys the company at 1x revenue.
Who would quit such a deal?
Yahoo! (like Twitter, in my opinion) may only find a buyer in that sort of financial purchaser who doesn't mind looking bad resurrecting corpses. Unfortunately, those bidders are notorious low ballers.
However, they are hemorrhaging money. You don't generally buy for revenue unless you're buying a small startup, where the growth rate is exponential and you'll become profitable once you hit economies of scale.
Yahoo has already ostensibly hit economies of scale, is stagnant in terms of growth, and is losing both money and eyeballs. What part of that is attractive to the balance sheet? You might not even be able to milk it to its demise, as it's currently unprofitable.
And mail would be just fine if they'd remove all the crap so it would run faster.
Lots of non-techies still use Yahoo mail, and that won't change as long as the service exists.
If anything, these two hacks being announced years later, along with their voluntary NSA backdoor, demonstrates that Yahoo! has skeletons in their closet.
Inquiries to my username...@gmail. Go on Yahoo board, ask me why I switched and you might learn something useful.
And how many of those people pay money for Yahoo mail other than indirectly through the "crap" you want to get rid of?
I used the phrase "management assisted suicide" recently, which basically means figuring out how to maximize return to shareholders given a future that guarantees death.
Is it unreasonable to suspect that a company that has had multiple breaches of security of this extent might also have had its IP taken out from underneath them as well?
But if the details of a patent have been stolen the patents still have value, except for when the exact implementation of a patent can be circumvented due to access to plans.
They are pretty big assumptions to make.
Second assumption: letting 80% of staff go won't hurt. For that, I simply have to describe what I've heard from friends / coworkers / scuttlebutt about working at yahoo. But there are a lot of eng doing maybe a couple hours of work per day.
Under opex it looks like there's plenty of fat to cut.
And the fat on that OPEX you linked is the writeoff from the Tumblr purchase.
"That's a 17-fold difference in the price per 1% share"
"That's a 17-fold difference in the price per 8% share"
"That's a 17-fold difference in the price per search"
Isn't Microsoft the one providing search results? If it is, then Microsoft ultimately controls the traffic, not Yahoo.
Whatever yahoo has in comparison is negligible.
Searches are also what drive relevance on other pages' embedded ads. Because you search on Google, they know how to target ads when you are browsing elsewhere.
Google websites include search as well as YouTube, Gmail, et cetera. AdSense, AdMob or DoubleClick revenues make up the bulk of the other 20%.
https://www.sec.gov/Archives/edgar/data/1652044/000165204416... pages 31, 33
(Also most people honestly don't know the difference between sponsored results and real search results)
Do you see how that argument is flawed? Leaders in a market tend to be worth much more and have much higher profits than even the 2nd player in the market, let alone the third or fifth. When you have a small percentage of the market, it's also much more difficult to make something out of it, than it would say for a market leader to go from 30% market share to 50% market share (and billions of dollars more in revenue).
We could repeat the argument for a small social network that has a much lower market value than Facebook per user, and so on.
Not just Android OEMs but other tech giants - remember this was not long after the Nortel/Rockstar episode. The patent cold war was heating up with proxy battles and occasional direct skirmishes; Google found itself with a 'patent-gap'. Fortunately things are much saner now after a change of management at several belligerents.
Tumblr has insanely high operating costs and practically no revenue stream. Yahoo has spent a lot of time and money (while fighting with Tumblr people) to get these costs down, but much of that work would be undone to separate Tumblr from Yahoo.
So much of Tumblr's traffic is comprised of "non-monetizable" porn sites that Yahoo foots the CDN bill for, which does nothing to build the brand or the social aspect of the service. They can't truly crack down on it though, because that would reveal the truth: there isn't that much real use to justify the spending.
I'm curious why you find pornography to be non-monetizable. It's a $97 billion dollar industry, and is probably easier to directly monetize than a random mishmash of personal blogs because adult sites tend to focus solely on a single fetish, and there's a clear standardized categorization of such.
Maybe a future operator of Tumblr would feel differently -- but I think it would be difficult to monetize both sets of content simultaneously.
> I think it would be difficult to monetize both sets of content simultaneously.
I'm not really certain why you'd feel that way. Most ad agencies simultaneously have an adult wing and a mainstream wing because the truth is... most people in the world are adults, and sexuality is a large part of what we consider the human condition.
It's only natural that you'd pay for services and products to aid in that.
What's not done is mixing the content verticals. You have pornographic content, then you advertise Adam & Eve products, paysites, or one of the many clothing distributors that will never be seen in a local mall.
Ironically, since Tumblr lets you use your own templates, some people are successfully doing upsells via Tumblr using "in house" advertisements for companies.
Maybe Google would buy given that it's pretty much bombed out on photo sharing itself.
I really haven't found anything else quite like it, and I would hate to see it go away. I've been paying for my pro account for the last eight years.
But, yeah, it was popular for a time to dump on Flickr because they hadn't really moved forward. But truth be told, it pretty much does the job for me the way it is and I don't want a whole bunch of social stuff dumped on it.
Tumblr is an important community even if it does have a few weirdnesses and inconsistent policy enforcement.
Tumblr has a huge community and there are a large number of niche topics that have their biggest communities on Tumblr.
LiveJournal is a good comparison here - it never went away, is still popular in some communities (Runet), and is not worth very much money because most Internet users in the United States that advertisers care about decided to move on to other social networks.
I must be wrong, since Yahoo believes Tumblr increases its worth.
At this point there's the ArchiveTeam and that's about it, so we actually have something to point at when we're talking about what a great website that sure was back then.
From what I've seen (and I'll admit to not being overly familiar with either), WordPress and Tumblr are very different beasts with very different aims.
To answer your questions: yes and yes: https://en.blog.wordpress.com/2012/01/20/read-blogs/ (Not that I use it, but this functionality was implemented back in 2012).
If the Verizon deal falls through, I'd say "someone with the skill and resources to keep Tumblr running buying Tumblr, either together with other parts of Yahoo! or separately."
Why is there value? Honest question, just curious. Do myspace friends, for instance, still have value in today's day and age?
I hope that if the deal goes through (and I'm sure it will), Verizon will still keep the better Yahoo services running.
Between AOL and Yahoo (and their own Verizon email addresses where they're an ISP), they'd have a huge portion of the world's email accounts, and I could see a push to pull an Outlook.com: Move everyone to a new service, but keep all the old legacy email addresses from older services.
A billion compromised accounts seems like it could fill that role. Many people may not understand their online information's privacy/security, but that's an ear-grabbing number.
My mother (and her news) heard this loud and clear. That's a problem, and VZ has every right to renegotiate; this has passed the point of "we're Yahoo so we're big and an unlucky target". This is, in my mother's words, "what the hell is wrong with those people, I'm done, how do I get everything to go to gmail".
Setting aside that $4 billion was clearly way too much, Verizon, as the parent company, would be liable for any lawsuits against Yahoo resulting from the last few leaks.
Yahoo has nothing close to that. I'm not saying that drives a 4B$ valuation exactly, but comparing Yahoo to LinkedIn is apples to oranges.
FB put down billion dollar purchases for them, but they weren't the inflated-valuation investor rodeos we see with unicorns.
Verizon right now is only bidding for Yahoo's core business, not its Alibaba and Yahoo Japan shares. From what I remember, without those two assets, its core business is valued at less than zero.
Why would you pay 4 billion for a company that's bleeding cash, open to huge liabilities for password breaches/backdoors, ever-shrinking user numbers, and no technology worth speaking of?
Seriously!? You really need to educate yourself if you believe that.
MD5 hashed passwords. In 2013. Apparently Yahoo never made it out of the 90s.
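The earlier pitch described three pieces of work (fix the password hashing in use, make the hashing method swappable, and add a regression test so no new service ships with a weak algorithm), and the comment above names the weak algorithm in question, unsalted MD5. The following Python is an added example of how a defender might implement that, not code from the thread or from Yahoo: it classifies stored verifiers by scheme, produces the findings a build-time check would fail on, and upgrades a legacy MD5 record to PBKDF2-HMAC-SHA256 on the next successful login. The `$pbkdf2-sha256$...` layout, the sample user records, and the helper names are this example's own assumptions; the argon2, bcrypt and `$6$` prefixes are the real modular-crypt identifiers.

```python
import base64
import hashlib
import hmac
import os
import re

# Schemes a build-time check should refuse to accept for any new service.
WEAK_SCHEMES = {"md5-unsalted", "sha1-unsalted", "unknown"}
# Assumption: iteration count taken from OWASP's PBKDF2-HMAC-SHA256 guidance.
PBKDF2_ITERATIONS = 600_000


def classify_hash(stored: str) -> str:
    """Infer the hashing scheme from the shape of a stored verifier string."""
    if stored.startswith("$argon2id$") or stored.startswith("$argon2i$"):
        return "argon2"
    if re.match(r"^\$2[aby]\$\d{2}\$", stored):      # bcrypt modular-crypt prefix
        return "bcrypt"
    if stored.startswith("$6$"):                       # crypt(3) SHA-512
        return "sha512crypt"
    if stored.startswith("$pbkdf2-sha256$"):           # this example's own layout
        return "pbkdf2-sha256"
    if re.fullmatch(r"[0-9a-f]{32}", stored):          # bare 128-bit hex: MD5, no salt
        return "md5-unsalted"
    if re.fullmatch(r"[0-9a-f]{40}", stored):          # bare 160-bit hex: SHA-1, no salt
        return "sha1-unsalted"
    return "unknown"


def weak_hash_findings(records):
    """Regression check: list (user, scheme) for every record on a weak scheme.
    A CI gate would fail the build when this list is non-empty."""
    findings = []
    for user, stored in records:
        scheme = classify_hash(stored)
        if scheme in WEAK_SCHEMES:
            findings.append((user, scheme))
    return findings


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")   # never contains '$', safe to split on


def hash_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Strong replacement scheme: salted PBKDF2-HMAC-SHA256, self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_pbkdf2(password: str, stored: str) -> bool:
    _, _, iters, salt_b64, dk_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def verify_legacy_md5(password: str, stored: str) -> bool:
    """Only used to validate an old record before it is rehashed."""
    return hmac.compare_digest(hashlib.md5(password.encode("utf-8")).hexdigest(), stored)


def login(store: dict, username: str, password: str):
    """Verify against whatever scheme the record uses and rehash weak records
    on success. Returns (authenticated, record_upgraded)."""
    stored = store.get(username)
    if stored is None:
        return False, False
    scheme = classify_hash(stored)
    if scheme == "pbkdf2-sha256":
        return verify_pbkdf2(password, stored), False
    if scheme == "md5-unsalted":
        if verify_legacy_md5(password, stored):
            store[username] = hash_pbkdf2(password)   # transparent upgrade-on-login
            return True, True
        return False, False
    return False, False   # any other scheme: fail closed and force a reset out of band


# Constructed sample records (not real data): alice is md5("password"),
# bob is a bcrypt-shaped placeholder, dave is a plaintext leftover.
SAMPLE_USERS = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob": "$2b$12$" + "x" * 53,
    "dave": "hunter2",
}

if __name__ == "__main__":
    store = dict(SAMPLE_USERS)
    print("weak records:", weak_hash_findings(store.items()))
    print("alice login:", login(store, "alice", "password"))
    print("alice now on:", classify_hash(store["alice"]))
```

The check is deliberately format-based: it needs no access to plaintext passwords, so it can run against a dump of the verifier column in CI or a nightly audit, and the same classifier drives the per-login upgrade path so the migration completes without a forced reset for active users.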
Imagine if I had two friends, Google and Yahoo. Both are asking me if they can borrow a dollar.
Over the last few years when Google borrows a dollar it gives back an extra 3.5 cents the next year as a thank you. On the opposite side, when Yahoo has borrowed a dollar they've lost 13 cents within the next year.
Left to their own devices, Yahoo will implode and be out of money in under 7 years, likely much sooner. The $4 billion price tag was a way of salvaging what may still be valuable properties within Yahoo, but the company on paper is rapidly losing money at any valuation.
It's like asking someone to buy a car that's broken when it's unclear if they can fix it.
Also, at this point, under-investing in security never pays.
and this: https://news.ycombinator.com/item?id=13182120
"Verizon Communications Inc. is exploring a price cut or possible exit from its $4.83 billion pending acquisition of Yahoo! Inc., after the company reported a second major e-mail hack affecting as many as 1 billion users"
Verizon wants Yahoo on the cheap and somebody at Yahoo is helping.
They just don't have a mammoth money making one product which subsidizes the rest of the business like Google. Not to mention the tech talent and the culture that Yahoo! brings to Verizon.
If you have any solid argument about why $4 billion is a waste, I would definitely like to hear.
0 : https://www.comscore.com/Insights/Rankings/comScore-Releases...
The price is pretty low now, if you are confident in your assessment why not buy?
Many (most?) people would call that an attack.
Also, how is your comment not an attack? You're saying his opinion is tainted... because he knows people who work at Yahoo? Does that mean no one can have a fair opinion on Apple, Amazon, Google, Microsoft?