Yahoo!

Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com) 72

Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report: The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter read. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Ron Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing for Senate staffers on Yahoo's incident response and how it intends to protect affected users.
Yahoo!

Moving Beyond Flash: the Yahoo HTML5 Video Player (streamingmedia.com) 96

Slashdot reader theweatherelectric writes: Over on Streaming Media, Amit Jain from Yahoo has written a behind-the-scenes look at the development of Yahoo's HTML5 video player. He writes, "Adobe Flash, once the de-facto standard for media playback on the web, has lost favor in the industry due to increasing concerns over security and performance. At the same time, requiring a plugin for video playback in browsers is losing favor among users as well. As a result, the industry is moving toward HTML5 for video playback...

At Yahoo, our video player uses HTML5 across all modern browsers for video playback. In this post we will describe our journey to providing an industry-leading playback experience using HTML5, lay out some of the challenges we faced, and discuss opportunities we see going forward."

Yet another brick in the wall? YouTube and Twitch have already switched to HTML5, and last year Google started automatically converting Flash ads to HTML5.
Government

Senators Accuse Russia Of Disrupting US Election (washingtonpost.com) 199

An anonymous Slashdot reader quotes The Washington Post: Two senior Democratic lawmakers with access to classified intelligence on Thursday accused Russia of "making a serious and concerted effort to influence the U.S. election," a charge that appeared aimed at putting pressure on the Obama administration to confront Moscow... "At the least, this effort is intended to sow doubt about the security of our election and may well be intended to influence the outcomes," the statement said. "We believe that orders for the Russian intelligence agencies to conduct such actions could come only from very senior levels of the Russian government..."

White House officials have repeatedly insisted that they are awaiting the outcome of a formal FBI investigation, even though U.S. intelligence agencies are said to have concluded with "high confidence" that Russia was responsible for the DNC breach and other attacks. The White House's hesitation has become a source of frustration to critics, including senior members of Congress.

Meanwhile, U.S. intelligence officials are reportedly investigating whether Donald Trump's foreign policy adviser "opened up private communications with senior Russian officials -- including talks about the possible lifting of economic sanctions if the Republican nominee becomes president."
Yahoo!

Yahoo Sued For Gross Negligence Over Huge Hacking (reuters.com) 56

Yahoo apparently took two years to investigate and tell people that its service had been breached, and that over 500 million users were affected. Amid the announcement, a user is suing Yahoo, accusing the company of gross negligence. From a Reuters report: The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a "state-sponsored actor." Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages. A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation. The attack could complicate Chief Executive Marissa Mayer's effort to shore up the website's flagging fortunes, two months after she agreed to a $4.8 billion sale of Yahoo's Internet business to Verizon Communications. Yahoo on Thursday said user information including names, email addresses, phone numbers, birth dates and encrypted passwords had been compromised in late 2014.
Security

Yahoo Confirms Massive Data Breach, 500 Million Users Impacted [Updated] (recode.net) 169

Update: 09/22 18:47 GMT by M: Yahoo has confirmed the data breach, adding that about 500 million users are impacted. Yahoo said "a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor." As Business Insider reports, this could be the largest data breach of all time. In a blog post, the company said: Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so. The Intercept reporter Sam Biddle commented, "It took Yahoo two years to announce that info on half a billion user accounts was stolen." Amid its talks with Verizon for a possible acquisition -- which did happen -- Yahoo knew about the attack, but didn't inform Verizon about it, Business Insider reports. Original story, from earlier today, follows.

Last month, it was reported that a hacker was selling account details of at least 200 million Yahoo users. The company's service had apparently been hacked, putting several hundred million users' accounts at risk. Since then Yahoo has remained tight-lipped on the matter, but that could change very soon. Kara Swisher of Recode is reporting that Yahoo is poised to confirm the massive data breach of its service. From the report: While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious. Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and were selling them online. "It's as bad as that," said one source. "Worse, really." The announcement, which is expected to come this week, also has possible larger implications for the $4.8 billion sale of Yahoo's core business -- which is at the core of this hack -- to Verizon. The scale of the liability could be large and bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.
Businesses

Tesla Is Suing An Oil-Company Executive For Impersonating Elon Musk (businessinsider.com) 170

An anonymous reader quotes a report from Business Insider: Tesla is suing an oil executive under suspicion of impersonating Elon Musk to dig up confidential financial information from the company, Forbes reported on Wednesday. The lawsuit, reportedly filed Wednesday in the Superior Court of Santa Clara County, claimed that Todd Katz, the chief financial officer for Quest Integrity Group, emailed Tesla's chief financial officer from an email address resembling Musk's, looking to gain information that wasn't disclosed in an earnings call with investors. Quest Integrity Group has partnerships with BP, Chevron, and ExxonMobil, the Forbes report said. According to the lawsuit, Katz used "elontesla@yahoo.com" to send an email to Tesla CFO Jason Wheeler asking about the company's sales and financial projections. The email named in the suit reads: "why you so cautious w Q3/4 gm guidance on call? also what are your thoughts on disclosing M3 res#? Pros/cons from ir pov? what is your best guess as to where we actually come in on q3/4 deliverables. honest guess? no bs. thx 4 hard work prepping 4 today. em." Tesla is seeking "undisclosed financial compensation," as well as compensation for the cost of the investigation and legal fees, according to Forbes.
Security

More Passwords, Please: 98 Million Leaked From 2012 Breach Of 'Russia's Yahoo' (arstechnica.com) 23

Sean Gallagher, writing for Ars Technica: Another major site breach from four years ago has resurfaced. Today, LeakedSource revealed that it had received a copy of a February 2012 dump of the user database of Rambler.ru, a Russian search, news, and e-mail portal site that closely mirrors the functionality of Yahoo. The dump included usernames, passwords, and ICQ instant messaging accounts for over 98 million users. And while previous breaches uncovered by LeakedSource this year had at least some encryption of passwords, the Rambler.ru database stored user passwords in plain text -- meaning that whoever breached the database instantly had access to the e-mail accounts of all of Rambler.ru's users. The breach is the latest in a series of "mega-breaches" that LeakedSource says it is processing for release. Rambler isn't the only Russian site that has been caught by hackers storing unencrypted passwords. In June, a hacker offered for sale the entire user database of the Russian-language social networking site VK.com (formerly VKontakte) from a breach that took place in late 2012 or early 2013; that database also included unencrypted user passwords, as ZDNet's Zack Whittaker reported.
Businesses

Walmart Is Cutting 7,000 Jobs Due To Automation (yahoo.com) 256

An anonymous reader quotes a report from Yahoo: The clairvoyant folks over at the World Economic Forum warned of a "Fourth Industrial Revolution" involving the rise of the machine in the workforce, and the latest company to lend credence to that claim is none other than Walmart, which is planning on cutting 7,000 jobs on account of automation. But the Walmart decision may be a bit more alarming for those in the workforce. As the Wall Street Journal reports (Warning: may be paywalled), the most concerning aspect of America's largest private employer might be that the eliminated positions are largely in the accounting and invoicing sectors of the company. These jobs are typically held by some of the longest tenured employees, who also happen to take home higher hourly wages. Now, those coveted positions are being automated. The Journal reports that beginning in 2017, much of this work will be addressed by "a central office or new money-counting 'cash recycler' machines in stores." Earlier this year, the company tested this change across some 500 locations. "We've seen many make smooth transitions during the pilot," said Deisha Barnett, a Walmart spokeswoman.
Government

FBI Says Foreign Hackers Breached State Election Systems (theguardian.com) 163

The FBI has uncovered evidence that foreign hackers breached two state election databases in recent weeks, and it has warned election officials across the country to take measures to step up the security of their computer systems. The Guardian reports: The FBI warning did not identify the two states targeted by cyber intruders, but Yahoo News said sources familiar with the document said it referred to Arizona and Illinois, whose voter registration systems were penetrated. Citing a state election board official, Yahoo News said the Illinois voter registration system was shut down for 10 days in late July after hackers downloaded personal data on up to 200,000 voters. The Arizona attack was more limited and involved introducing malicious software into the voter registration system, Yahoo News quoted a state official as saying. No data was removed in that attack, the official said. US intelligence officials have become increasingly worried that hackers sponsored by Russia or other countries may attempt to disrupt the November presidential election.
Medicine

The Big Short: Security Flaws Fuel Bet Against St. Jude (securityledger.com) 81

chicksdaddy writes: "Call it The Big Short -- or maybe just the medical device industry's 'Shot Heard Round The World': a report from Muddy Waters Research recommends that its readers bet against (or 'short') St. Jude Medical after learning of serious security vulnerabilities in a range of the company's implantable cardiac devices," The Security Ledger reports. "The Muddy Waters report on St. Jude's set off a steep sell off in St. Jude Medical's stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the 'strong possibility that close to half of STJ's revenue is about to disappear for approximately two years' as a result of 'product safety' issues stemming from remotely exploitable vulnerabilities in STJ's pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude's Merlin at home remote patient management platform, said Muddy Waters. The firm cited research by MedSec Holdings Ltd., a cybersecurity research firm that identified the vulnerabilities in St. Jude's ecosystem. Muddy Waters said that the affected products should be recalled until the vulnerabilities are fixed. In an e-mail statement to Security Ledger, St. Jude's Chief Technology Officer, Phil Ebeling, called the allegations 'absolutely untrue.' 'There are several layers of security measures in place. We conduct security assessments on an ongoing basis and work with external experts specifically on Merlin at home and on all our devices,' Ebeling said."

More controversial: MedSec CEO Justine Bone acknowledged in an interview with Bloomberg that her company did not first reach out to St. Jude to provide them with information on the security holes before working with Muddy Waters. Information security experts who have worked with the medical device industry to improve security expressed confusion and dismay. "If safety was the goal then I think (MedSec's) execution was poor," said Joshua Corman of The Atlantic Institute and I Am The Cavalry. "And if profit was the goal it may come at the cost of safety. It seems like a high stakes game that people may live to regret."

Music

Samsung Reminds Us That You Can't Make People Use an App They Don't Want (recode.net) 70

Samsung has announced that it will be discontinuing Milk Music on September 22. The announcement comes a year after the South Korean technology conglomerate shuttered Milk Video, another service that didn't receive the traction Samsung was hoping for. Peter Kafka, writing for Recode: It's true that you can't get media/apps/services to customers without access to a platform. But control of the platform doesn't mean customers are going to use your media/apps/services: They've got plenty of choices and they'll choose the ones they want. Ask Verizon and Comcast, which both launched video apps on their networks last year and have nothing to show for it. (You've heard of Verizon's Go90 only because Verizon keeps talking about it when people ask why it spent $10 billion on AOL and Yahoo; you have completely forgotten about Comcast's Watchable.) Soon you'll be able to ask AT&T, which is launching its own video app this fall, which will also feature lots of content people either don't want or can get elsewhere.
Encryption

How SSL/TLS Encryption Hides Malware (cso.com.au) 87

Around 65% of the internet's one zettabyte of global traffic uses SSL/TLS encryption -- but Slashdot reader River Tam shares an article recalling last August, when 910 million web browsers were potentially exposed to malware hidden in a Yahoo ad that SSL/TLS encryption concealed from firewalls: When victims don't have the right protection measures in place, attackers can encrypt command and control communications and malicious code to evade intrusion prevention systems and anti-malware inspection systems. In effect, the SSL/TLS encryption serves as a tunnel to hide malware, as it can pass through firewalls and into organizations' networks undetected if the right safeguards aren't in place. As SSL/TLS usage grows, the appeal of this threat vector for hackers also increases.

Companies can stop SSL/TLS-borne attacks; however, most don't have their existing security features properly enabled to do so. Legacy network security solutions typically don't have the features needed to inspect SSL/TLS-encrypted traffic. The ones that do often suffer from such extreme performance issues when inspecting traffic that most companies with legacy solutions abandon SSL/TLS inspection.

Businesses

One Year in Jail For Abusive Silicon Valley CEO (theguardian.com) 287

He grew up in San Jose, and at the age of 25 sold his second online advertising company to Yahoo for $300 million just nine years ago. Friday Gurbaksh Chahal was sentenced to one year in jail for violating his probation on 47 felony charges from 2013, according to an article in The Guardian submitted by an anonymous Slashdot reader: Police officials said that a 30-minute security camera video they obtained showed the entrepreneur hitting and kicking his then girlfriend 117 times and attempting to suffocate her inside his $7 million San Francisco penthouse. Chahal's lawyers, however, claimed that police had illegally seized the video, and a judge ruled that the footage was inadmissible despite prosecutors' argument that officers didn't have time to secure a warrant out of fear that the tech executive would erase the footage.

Without the video, most of the charges were dropped, and Chahal, 34, pleaded guilty to two misdemeanor battery charges of domestic violence... In Silicon Valley, critics have argued that Chahal's case and the lack of serious consequences he faced highlight the way in which privileged and wealthy businessmen can get away with serious misconduct. On September 17, 2014, prosecutors say he attacked another woman in his home, leading to another arrest.

Friday Chahal was released on bail while his lawyer appeals the one-year jail sentence for violating his probation.
Businesses

Tech Giants Sign Pledge With World Wildlife Fund To Prevent Wildlife Trading (mashable.com) 27

Kerry Flynn, writing for Mashable: Looking to buy an elephant tusk on eBay? Might not be so easy. The e-commerce giant, along with Etsy, Gumtree, Microsoft, Pinterest, Tencent and Yahoo, has signed on to a new commitment to prevent the sale of illegal wildlife products on their services. The initiative is in collaboration with the World Wildlife Fund, the International Fund for Animal Welfare and TRAFFIC, and was announced Friday to coincide with World Elephant Day. Under the new policy, companies are seeking to prohibit the sale of wild live animals and animal body parts that are sourced illegally, species that are threatened by extinction and other protected animals. That includes rhino horns, pangolin parts and turtle meat. It's the first time that conservation organizations have partnered with multiple tech companies. Previously, the WWF, for example, had worked with other organizations individually. Recently, the Indian government accused several tech companies including Amazon of "selling" rare animals and their parts.
Television

Hulu Ends Free Streaming Service, Moves Free Stuff To Yahoo View (hollywoodreporter.com) 111

Hulu has inked a deal with Yahoo to provide free, ad-supported episodes of a range of TV shows. But Hulu also said Monday it will end the free streaming service on its own platform as it moves to an all-subscription model. The free content moves to Yahoo as part of an expanded distribution deal: Yahoo is launching Yahoo View, a new ad-supported TV streaming site with the five most recent episodes of shows from ABC, NBC, and Fox, among other networks. From an article on The Hollywood Reporter: Most of Hulu's free content has been fairly limited, restricted to what's known as the "rolling five," or the five most recent episodes of a current show -- content that typically becomes available eight days after it airs and is usually also available for free on broadcast networks' websites. For example, recent episodes of shows like America's Got Talent, South Park and Brooklyn Nine-Nine are currently available for free, while Hulu's slate of originals and high-profile exclusives remain behind the paywall. [...] Yahoo is launching the TV site a half-year after shuttering Yahoo Screen, the video service that offered up ad-supported episodes of original TV shows like Community, live streaming concerts and other clips. With View, however, Yahoo is focusing specifically on providing a destination for television to its audience, many of whom are still driven to Yahoo products via its highly trafficked homepage.
Privacy

GhostMail Closes in September, Leaves Users Searching For Secure Email Alternatives (zdnet.com) 158

On September 1, "GhostMail will no longer provide secure email services unless you are an enterprise client," reports ZDNet. "According to the company, it is 'simply not worth the risk.'" GhostMail provided a free and anonymous "military encrypted" e-mail service based in Switzerland, and collected "as little metadata" as possible. But this week on its home page, GhostMail told its users "Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people... In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment."

GhostMail is referring its users to other free services like Protonmail as an alternative, but an anonymous Slashdot reader asks: What options does an average person have for non-NSA-spied-on email? I am sure there are still some Ghostmail competitors out there but I'm wondering if it's better to coax friends and family to use encryption within their given client (Gmail, Yahoo, Outlook, whatever...) And are there any options for hosting a "private" email service: inviting friends and family to use it and have it kind of hosted locally. Ghostmail-in-a-box or some such?
The Internet

The World's First Web Site Celebrates 25 Years Online (info.cern.ch) 136

An anonymous reader quotes a report from CNN: Twenty-five years ago, the first public website went live. It was a helpful guide to this new thing called the World Wide Web. The minimalist design featured black text with blue links on a white background. It's still online today if you'd like to click around and check out the frequently asked questions or geek out over the technical protocols.
Its original URL was info.cern.ch, where CERN is now also offering a line-mode browser simulator and more information about the birth of the web. CNN is also hosting screenshots of nine web "pioneers", including the Darwin Awards site, the original Yahoo, and the San Francisco FogCam, which claims to be the oldest webcam still in operation.

What are some of the first web sites that you remember reading? (Any greybeards remember when the Internet Movie Database was just a Usenet newsgroup where readers collaborated on a giant home-made list of movie credits?)
AI

Yahoo's New Anti-Abuse AI Outperforms Previous AI (wired.co.uk) 119

16.4% of the comments on Yahoo News are "abusive," according to human screeners. Now Yahoo has devised an abuse-detecting algorithm "that can accurately identify whether online comments contain hate speech or not," reports Wired UK: In 90 per cent of test cases Yahoo's algorithm was able to correctly identify that a comment was abusive... The company used a combination of machine learning and crowdsourced abuse detection to create an algorithm that trawled the comment sections of Yahoo News and Finance to sniff out abuse. As part of its project, Yahoo will be releasing the first publicly available curated database of online hate speech.
The machine-learning algorithm was "trained on a million Yahoo article comments," according to the article, and Slashdot reader AmiMoJo writes "The system could help AIs avoid being tricked into making abusive comments themselves, as Microsoft's Tay twitter bot did earlier this year."
Data Storage

8TB Drives Are Highly Reliable, Says Backblaze (yahoo.com) 209

An anonymous reader writes from a report via Yahoo News: Cloud backup and storage provider Backblaze has published its hard drive stats for Q2 2016. Yahoo News reports: "The report is based on data drives, not boot drives, that are deployed across the company's data centers in quantities of 45 or more. According to the report, the company saw an annualized failure rate of 19.81 percent with the Seagate ST4000DX000 4TB drive in a quantity of 197 units working 18,428 days. The next in line was the WD WD40EFRX 4TB drive in a quantity of 46 units working 4,186 days. This model had an annualized failure rate of 8.72 percent for that quarter. The company's report also notes that it finally introduced 8TB hard drives into its fold: first with a mere 45 8TB HGST units and then over 2,700 units from Seagate crammed into the company's Backblaze Vaults, which include 20 Storage Pods containing 45 drives each. The company moved to 8TB drives to optimize storage density. According to a chart provided in the report, the 8TB drives are highly reliable. The HGST HDS5C8080ALE600 worked for 22,858 days and only saw two failures, generating an annualized failure rate of 3.20 percent. The Seagate ST8000DM002 worked for 44,000 days and only saw four failures, generating an annualized failure rate of 3.30 percent." For comparison, Backblaze's reliability report for Q1 2016 can be found here.

UPDATE 8/2/16: Corrected Seagate Model "DT8000DM002" to "ST8000DM002."
Security

Hacker Selling Data For 200 Million Yahoo Users On The Dark Web (softpedia.com) 65

An anonymous reader writes from a report via Softpedia: A listing was published today on the TheRealDeal Dark Web marketplace claiming to offer data on over 200 million Yahoo users, sold by the same hacker who was behind the LinkedIn, Tumblr, MySpace, and VK data dumps. In statements to Softpedia, Yahoo said it was investigating the breach, but based on the seller's reputation, it is very likely the data is authentic. The data is up for sale for 3 Bitcoin (approximately $1,800), and based on the sample the hacker provided, the data dump includes details such as usernames, MD5-hashed passwords, and dates of birth for all users. For some records, there is also a backup email address, country of origin, and ZIP code for U.S. users. The hacker, called Peace, has also told Softpedia that he previously made $50,000 from the LinkedIn breach alone, and over $65,000 in total from all breaches.