Episode 2—Goodbye from Yahoo!

Breach podcast - Episode 2
 

Featured guests include:

Nicholas Carlson
Nicholas is the global editor-in-chief and chief content officer at Business Insider. He's also the author of "Marissa Mayer and the Fight To Save Yahoo!" Carlson's coverage of Yahoo won Digiday's award for Best Editorial Achievement of 2014.
Twitter: @nichcarlson

Nicole Perlroth
Nicole is a cybersecurity reporter for The New York Times. She is the author of the forthcoming book “This is How They Tell Me the World Will End” with Penguin/Portfolio.
Twitter: @nicoleperlroth

Katie Moussouris
Katie is CEO and founder of Luta Security. A noted authority on vulnerability disclosure and bug bounties, she developed bug bounty programs for Microsoft and the US Department of Defense. She’s also our favorite hacker.
Twitter: @k8em0

Breach Episode 2 - Transcript

 

ALIA:

So, Bob what were you doing in 2012?  You see any movies?

 

BOB:

God that’s a long time ago.  I mean Barack Obama was reelected, so we were all learning about Mitt Romney.

 

ALIA:

I was graduating from college.

 

BOB:

See you just really brought the mood down in the room.  You just really, I mean 2012 that's sort of meaningless to me.   I map everything to sports.  I’m trying to think who won the World Series that year.  I think it was the Detroit Tigers.  I think the Yankees lost in the second round to Detroit after beating Baltimore in the first round.

 

ALIA:

I mean you remember that in great detail.  The new Avengers movie came out.

 

BOB:

I mean, I entirely blocked out Hurricane Sandy.  You know my block was one of the only blocks in Hoboken, New Jersey that didn't lose power.

 

ALIA:

One other thing that happened in 2012, the Mayan calendar told us that it was the end of the world.

 

BOB:

In the tech world, Facebook had a successful-ish IPO.

 

ALIA:

And then they acquired Instagram. 

 

BOB:

And meanwhile the Pope joined Twitter. 

 

ALIA:

Obama answered voters’ questions via Reddit.

 

BOB:

Somebody started using the word meme. 

 

ALIA:

Then other social media apps like Tumblr, Pinterest, and Snapchat are growing tremendously.

 

BOB:

All of these sort of new millennium companies are really really sexy and starting to attract market attention and market capitalization, and older companies like Microsoft and Nintendo are starting to feel like they're getting IBM’d.  That's when they start to look around and say how do we reinvent ourselves, how do we capture some of that youth magic ourselves?  And Yahoo's technique for doing that was to hire Google’s star, Marissa Mayer.  If everything goes right, she's going to be the Steve Jobs of Yahoo, turning Macintosh and Apple.  At that point, she has no idea she's walking into a really dangerous, maybe even toxic cybersecurity situation.  She's got the keys to rebuild the Yahoo kingdom, and has no idea the castle’s about to be breached. 

 

ALIA:

This is Breach, a podcast investigating history's most notorious data breaches, brought to you by Carbonite, how businesses protect their data.  

 

MONTAGE/THEME

 

ALIA:

I’m Alia Tavakolian, and I’m in this mystery van with cybersecurity journalist Bob Sullivan.  He is the cyber Scooby Doo to my Scrappy.  We’re here in part two.  Don’t skip the first episode, you crazy.  That’s like starting Harry Potter at the Chamber of Secrets.  You missed all the establishing exposition with the Dursleys.

 

In this episode of Breach, we’re going to tell you a story about a company that seemed too big to fail, until it did.  A story about the people at the center of it all who dared to believe they could make a tech giant matter again.  But what slips through the cracks when a company tries to reclaim its glory, and how does that turn into the biggest data breach in history? 

 

So when we set out to do this podcast about a big data breach, I really didn’t expect to be fascinated with Yahoo, but turns out it’s incredibly fascinating.  And I’m kind of obsessed with it, and I think that Yahoo actually deserves its own episode.  And so, I think by following the rise and fall of Yahoo the company, we get this really interesting insight into the disruptions and anxieties of an evolving Silicon Valley.

 

BOB:

I think it’s true.  Yahoo is- follows this life cycle that almost all startups on the west coast go through.  Some of them go through it in six months.  Some of them go through it in twenty years.  But the story of Yahoo is really the story of every place, all of these tech startups.  By looking through this lens at Yahoo, by tracking this whole story, we are tracking vast changes in the Silicon Valley ecosystem itself.  Tensions between tech giants and disruptors, how the life cycle of a tech company plays out, and ultimately a huge shift in the way that we think about these data breaches.

 

ALIA:

What kind of story is Yahoo?  Is it a tragedy, is it ‘A Comedy of Errors,’ is it some sort of Greek myth?

 

BOB:

Wow.  I'm I'm immediately picturing a five act Shakespearean play, and definitely a tragedy, and I kind of think maybe you and I are the chorus that’s singing at the end of this tragedy, you know. 

 

ALIA:

I hope we’re the Greek chorus.

 

BOB:

It'll take me a minute here to divide this into five acts, but you know, when you think about Yahoo the you know the garage band company, and then you know Yahoo, the the ascendant  Internet company, and then you know Yahoo becoming a sort of boring large market cap Wall Street company.  And then in the fourth act, Yahoo goes through all of this tumult and its star starts to fade.  And and you might think that's the end of the story, it's it's just like a typical like an IBM that was once the world's biggest company and now like it's pushing cash around but not really interesting anymore.  And then, instead in act five, is this massive flameout that involves it leaking the identity of every single person who had ever touched it, which is since it was there from the dawn of the Internet means the history of the Internet has been leaked.  So the ending is a rather dramatic ending, rather than the sort of slow burnout.  It didn't Yahoo didn't fade away, it exploded.

 

ALIA:

Before we can get to the explosion in act five, we have to go back to the beginning.  Here’s something those of us who graduated college in 2012, sorry Bob, don’t remember.  Yahoo used to be the shit.

 

BOB:

So, when the internet was invented, there was all this useful information on it, but no one could find any of it.  And some people- have you ever used bookmarks?

 

ALIA:

Oh yeah, I use them all the time.  

 

BOB:

What they did, was they essentially-

 

ALIA:

They being Yahoo co-founders Jerry Yang and David Filo.

 

BOB:

They essentially invented bookmarks.  They started bookmarking things that were interesting to themselves.  And the list got bigger and bigger and bigger, and suddenly they realized it was useful to other people.  And they went from having you know a list of a couple hundred really useful websites, to being the entire front end for the internet itself.  What we think of today as Googling things, the way we Xerox something, we probably should have been Yahoo-ing things, because that's how search was invented.

 

ALIA:

So they were like one of the most defining moments of the Internet.

 

BOB:

The internet was almost useless until Yahoo came around.

 

NICHOLAS:

So basically, Yahoo was the internet in the beginning.

 

ALIA:

That’s Nicholas Carlson.

 

NICHOLAS:

I’m Nicholas Carlson, I’m Global Editor-in-Chief of Business Insider, and also the author of “Marissa Mayer and the Fight to Save Yahoo.” 

 

ALIA:

Since he literally wrote the book on this, I asked him to break down the rise and fall of Yahoo for us. 

 

NICHOLAS:

I’ll shrink-  I’ll go down from 93,000 words to concisely, that’s great.  Yahoo solved this problem, you know this making the Internet user friendly, for about two years, and had a huge lead, and it was that momentum that created its value for years for you know now two decades.

 

ALIA:

So not only does Yahoo have a jumpstart on the Internet, but pretty soon, once you get on Yahoo, you don't ever need to leave.  You use Yahoo to navigate the Internet, find a florist, and check your email. 

 

NICHOLAS:

Then what happened is that a bunch of other companies came out and started doing little pieces of what Yahoo was doing, and they did them better.

 

ALIA:

These are the first few crumbling bricks in their shiny Empire.  For example, eBay.

 

NICHOLAS:

You know, eBay was a single-serving kind of product that did one thing and it didn't try to do everything, which is what Yahoo was doing, and it did very well.  And that was sort of a warning sign for Yahoo, but one that was not necessarily heard.  Yahoo then managed to get itself into the web search race in a way that was really remarkable.  It was at a point in time more- a slightly more popular search engine than Google, and then it blew it.  Basically, there's a thousand reasons, but there’s also one reason.  And the one reason is that Google sorted its ads differently than Yahoo sorted its ads, and that provided a tremendous advantage for Google. 

 

ALIA:

Okay this gets a little more technical, but I'm kinda into it. 

 

NICHOLAS:

Yahoo did a straight auction for all of its advertisers on search advertising.  You’d go to the site,  and whichever advertiser had paid the highest dollar amount for every click that it could get, would then be served at the top of the Yahoo search page.  So, if you searched for flowers and 1-800 flowers paid a dollar and another florist was paying $0.75 per click, then 1-800 flowers would go straight to the top of Yahoo's search ad results.

 

ALIA:

Whoever pays you the most goes to the top.  Makes sense.

 

NICHOLAS:

Google did it differently.

 

ALIA:

So, Google looked to see which was the most popular site, which link would get clicked more, and put them at the top.  So if you’re Yahoo, you get paid that full dollar when someone clicks your top link, 1-800 flowers.  But meanwhile Google is getting paid $0.75 over and over again each time someone clicks their top link, the more popular site.

 

NICHOLAS:

This is a very very small difference between the two strategies, but one that made a huge difference in in the long run. 

 

ALIA:

So, pretend you’re the Yahoo Empire.  People are no longer afraid of the Internet, so they aren't clinging to your brand.  You're no longer anyone's one stop shop, because other sites are more specialized.  And after inventing search, you aren't even the top search engine anymore.  

On top of Yahoo's identity crisis, add a revolving door of leadership.  Before 2012, they have an interim CEO, Ross Levinsohn, who took over for someone named Scott Thompson. 

 

NICHOLAS:

But prior to him, they had this guy named Scott Thompson, who came in.  And he-

 

ALIA:

Scott has a vision for the company, but doesn’t work well with the activist shareholders.  Those guys do some digging.

 

NICHOLAS:

- a minor amount of investigation and found out that Scott Thompson seems to have misled you know prior employers and Yahoo about his engineering degree.  And I’m being polite here.  He said that he had an engineering degree from a school that did not offer an engineering degree.

 

ALIA:

So, this is one of those moments I contend it’s a comedy, ripped right out of a workplace sitcom. The news breaks about Scott Thompson lying about having an engineering degree, while the whole leadership team is on an off-site meeting with Scott Thompson.

 

NICHOLAS:

-and the senior executive team started like, you could kind of like look from person to person as they sort of like lit up and realized what was going on. 

 

ALIA:

Everyone in the same meeting, reading the same article on their phones, about their CEO, while their CEO is talking. 

 

NICHOLAS:

And then finally someone rushed into the room and whispered in Scott Thompson's ear, and he fled.  And they were all like ‘oh my God, this company’s about to change in a big way.’

 

ALIA:

Before Scott Thompson was interim CEO Tim Morse, brought in after they fired CEO Carol Bartz.  She'd been there two years and had a colorful tenure as CEO.  She had a proclivity for embarrassing verbal gaffes; she swore like a sailor, and ended up really offending Yahoo’s Chinese investment, Alibaba, who they really needed.  So all of that means, by the time Marissa stepped in in 2012, that was- 

 

BOB:

-probably third, maybe fourth.

 

ALIA:

CEO?

 

BOB:

Yeah.

 

ALIA:

Woah, fifth CEO in four years.  Woof.

And then there's an almost comical series of fumbled acquisitions, like back in 1997, when Yahoo’s at the top of their game, cofounders Jerry Yang and David Filo met with a Stanford student, Larry Page, who wanted to sell his thesis project called ‘Backrub’ for $1 million, so he could finish his PhD and become a professor.  The meeting went well, but Yahoo passed.  So Larry kept at it, realized the name wasn't going to work, found something simpler, Google.  Fast forward almost 10 years later in 2006-

 

NICHOLAS:

The Facebook acquisition was right there for the taking.  They had Mark Zuckerberg in the conference room at Yahoo headquarters about to do the deal, and Terry Semel the CEO at the time decided after all the deal work was done by all of his team that he was going to go in and renegotiate the deal.  

 

ALIA:

If it wasn't a billion-dollar offer anymore, Zuckerberg was allowed not to take it.

 

NICHOLAS:

So when Terry Semel comes into that office room with all sorts of swagger and says ‘sorry, the deal price is coming down a little bit,’ Zuckerberg left the scene thrilled, went back to Facebook headquarters and gave his cofounders a high five. 

 

ALIA:

Okay, I know hindsight is 20/20, but also regular sight would make it pretty clear that you should just buy Facebook for $1 billion.  And then two years after fumbling the Facebook acquisition, in 2008, Microsoft makes a hostile bid to buy Yahoo for around $44 billion. 

 

NICHOLAS:

They did everything they could to turn the offer down, and then they promptly went, you know, cut their value in half, so it was a big mistake.

 

ALIA:

By 2012, Yahoo had missed out on buying Google for $1 million, could've closed the deal on Facebook for a billion, and missed out on a $44 billion payout from Microsoft.  But at least they had that Alibaba money.  All they were missing was an identity, a core product, a CEO, and a vision for the future.  And perhaps most importantly, talent.

 

NICOLE:

They had a hard time competing with security teams, particularly at Google and Facebook.

 

ALIA:

So basically, by the 2010s things aren’t looking great for Yahoo. 

 

NICOLE:

And I think a lot of people just treated Yahoo as this like ‘dirty faded 90s Internet company that never really found its identity.  And its user interface was terrible, and people who emailed you from Yahoo addresses were kinda gross.  You know, why were they still using Yahoo?  It’s only one step up from Hotmail.’ 

 

ALIA:

That's-

 

NICOLE:

Nicole Perlroth

 

ALIA:

She covers cybersecurity for the New York Times.  Nicole explained that back then, Yahoo had already been considered such a faded company, that the New York Times didn't have a tech reporter devoted to Yahoo. 

 

NICOLE:

So somehow I ended up being the lucky duck that covered all of cybersecurity, and then Yahoo in my spare time.  So I actually remember this time period pretty well.  And what I remember about it, is that Yahoo had this huge identity crisis about whether it was going to go forward as a media company, or whether it was gonna go forward as a tech company. 

 

ALIA:

Lights up on Marissa Mayer.

We’re gonna take a short break, so we can go see how many times we’ve been pwned.

 

BOB:

I’m going to go set and unset and then reset all of my two factor authentications on all my accounts.

 

ALIA:

I’m gonna go drink some tea.

 

STEPHEN:

Dear Hacker,

I hope this finds you well.  Congratulations, you made it into my inbox.  I sincerely hope this wasn't a result of some basic phishing scheme; I would feel pretty bad about that because I'm generally pretty wary of those things.  I don't have much money.  But you know, if you can find a way to get what I do have, by all means.  I only ask that you don't mess with any documents I have written or media files, both personal and work related.  Those are the things  that I have spent hours working on and would be difficult to monetize, short of producing one of my plays or starting a podcast business.  Side note, if you could reply to this whenever you're done, that would be super helpful so that I know to reset my passwords and whatnot.  I also understand if that's counterintuitive to your goals, but I figured it was worth asking.  We're all trying to do a little better.

In short, happy hunting!

Best,

Stephen

Associate Producer at Spoke Media

 

ALIA:

And there, stepping in for the final catastrophic finale of the Yahoo story is Marissa Mayer, a character in her own right.

 

NICHOLAS:

Marissa Mayer is amazing.

 

ALIA:

Back to Nicholas, my fellow Marissa Mayer fangirl.

 

NICHOLAS:

She is someone who has gone out and in an industry where there are not a lot of women has done extremely well, and been a real role model for a lot of people. 

 

ALIA:

Like Marissa was this woman who started at Stanford as wanting to become a brain surgeon.  Then that essentially was too boring for her.  She’s Google employee number 20, and she realizes that she's not a coder, but she's really good at user interface and she's really really good at design.

 

NICHOLAS:

One of the best things she ever did at Google is, like these days you go to Google and it's not just a list of blue links.  She's someone who said we can do better than that, you know.  It should have the weather if you type in your ZIP Code and weather.  She also was a big player when it came to Google Maps, especially the app on the phone, and Gmail.

 

ALIA:

And Google's minimalist aesthetic was her, sans serif font and colors were her, interface was her.  Google looks and feels the way it does because of her. 

 

NICHOLAS:

She redesigned that page and made it more information rich, and and arguably made it a better consumer experience, and elevated the game of the company and so that it's the reason it's as big and popular as it is today has a lot to do with her.  

 

ALIA:

But Marissa’s more of a user interface person, not a software engineer.  And Nicholas explains that, eventually, there’s some kind of showdown over who gets to control the future of Google Search, interface vs. engineering, and the engineers won.  So, some say Marissa was sidelined at Google for her last few years, but her reputation was still solid gold.

 

NICHOLAS:

Marissa Mayer had an incredible reputation going into Yahoo.  Well, okay Marissa Mayer had two reputations going into Yahoo.  One of them was you know from people inside the industry and particularly at Google who had seen what she had done there, which was a lot but also not as much as she was given credit for on the outside world.  And then there was another reputation, which was from the media and from some people in tech, which did treat her as someone who's like basically kind of a Mark Zuckerberg, but a woman, which is even more exciting for Yahoo when they were hiring someone. 

 

ALIA:

So when Yahoo came calling, she had the opportunity to take a top CEO role instead of coasting on the sidelines at Google, to get her hands dirty, and build something again.  She’s going to save Yahoo.  

And did a lot of people in the tech world like really believe that, that she was the Savior? 

 

BOB:

I think a lot of folks thought if anyone could do do it she could do it, because she was bringing that incredible Google experience, and because she was a very different kind of CEOs than Silicon Valley had seen before, for obvious and a lot of less obvious reasons.  She certainly was was about to be the most famous female CEO ever.  She might be still today, but she had a chance to be just a heroic figure. 

 

ALIA:

Yeah I definitely think of her as a hero, a complicated hero. 

 

BOB:

So she is a heroic figure.  She'll need a second act to to to change her résumé, her LinkedIn page.

 

ALIA:

So, from the minute they announced Marissa as CEO, all of a sudden, there’s a ton of new buzz and attention around Yahoo.  With that buzz, comes a lot of scrutiny and media attention.  Not only around Marissa as the CEO of Yahoo, but Marissa the person, the avatar.

 

NICHOLAS:

And then yes there is this sort of outward avatar that Marissa Mayer has of femininity, where she is you know the person that will be featured on the front of a magazine-

 

ALIA:

Her like beautiful blonde hair is fanned out perfectly on this white chaise lounge.  She's got this amazing porcelain skin, these perfect red lips, and then she's got one arm behind her head, and the other one’s holding an iPad.  Or a tablet with her face on it.

 

NICHOLAS:

She's known for being a cupcake chef, and she's also known for her like huge affinity for Oscar de la Renta.  Now it is true that Marissa Mayer had a thing for cupcakes, but it was really more of an engineering sort of way of like ‘how can I combine different ingredients and colors to make cupcakes into a new thing?’

 

ALIA:

Like yeah, she made a spreadsheet about how to make the perfect cupcake, but like what's interesting is that she made a spreadsheet about how to make the most perfect cupcake, not that she has an obsession with cupcakes and is a woman.

 

NICHOLAS:

And then when she's in a meeting, she’s sort of expected to be, I think in an unfair way, this like sort of soft feminine person, and she just does not come off that way.

 

ALIA:

Marissa is full of contradictions: that she is in public a very engaging, charming, warm person.  In a group- in meetings she's notoriously late, and she is notoriously cold and hard to work with, and one on one she doesn't make eye contact, and she's difficult to talk to.  That I'm already just fascinated. 

 

BOB:

She is herself a user interface that's been designed. 

 

 

ALIA:

She is.

 

NICHOLAS:

She always says to take the job that’s most scary.  So if there are people offering you different opportunities, take the one that’s scariest and go do that.

 

ALIA:

Obsessed with taking risks.  The job that she took at Google was a huge risk.  In fact, she calculated that risk and it was a 98% chance that it was going to fail, and she took it.  She takes one of the riskiest moves yet by jumping into Yahoo, and she comes in with a plan. 

 

NICHOLAS:

So one thing that Marissa Mayer deserves a ton of credit for, is she went in and she revamped the culture of Yahoo and turned it into an energetic and exciting place again.

 

ALIA:

They could pivot to being a media company.  She acquired Tumblr. 

 

NICOLE:

You might remember she made some huge hires back in those days, with Katie Couric-

 

ALIA:

But they wouldn't just be a media company.  Yahoo had lost search, but there were still two more tech battlegrounds to be won: social media and mobile.  She had her eye on mobile. 

 

NICHOLAS:

She was in the cafeteria, talking to people about Yahoo’s mobile plans, and realized that there was maybe a few dozen people in the whole company working on mobile.  And she's like ‘oh God we need to get that fixed.’  And so she put a big team on it and she really concentrated on it.  And over time Yahoo did start to develop applications that got at least critical attention and some user attention, and eventually a good bit of user attention.

 

ALIA:

And she just trimmed the fat, cut low performers, instead of firing 5000 employees like some thought she would. 

 

NICHOLAS:

She also raised morale by doing things like giving every employee an iPhone.  She also brought free food to the campus, which is something that tech companies all over the Bay Area were already doing, but she caught them up with.  And really by the way that's a nice way to keep people in the office a lot longer.

 

BOB:

I don't know of a Silicon Valley company that doesn't have free food. I mean-

 

ALIA:

Yeah, but at the time, in 2012, I don’t know.

 

BOB:

No I mean like in the 90s. 

 

ALIA:

In the 90s, really?

And she’d create a functional, open culture.

 

NICHOLAS:

You know, before she came in people were leaving the office on Thursday afternoon and not coming back till Monday. 

 

BOB:

No telecommuting, very-

 

ALIA:

No working from home.

 

BOB:

-very dramatic step by her.  Very controversial.  In Silicon Valley, everybody works from home.

 

NICHOLAS:

Six months in she's holding a Friday afternoon meeting with the whole company that’s just packed.  And she's taking hard questions from the audience and answering them on stage, in a way that really deserves a lot of credit.

 

ALIA:

Marissa’s not the only new exciting hire.  In 2014 they bring in Alex Stamos as Chief Information Security Officer.

 

NICOLE:

The general feeling just around the news of his hire was ‘oh good finally Yahoo is putting some real muscle behind their security operation.’  And what we discovered years later, they got the name, but they didn't give him any of the resources he would need to actually pull off security at a level of what we expected when they hired him.

 

ALIA:

He’s the CISO of Yahoo for about a year, 2014 to 2015, which would be while the alleged Russia breaches are happening.  And he has this security team. 

 

NICOLE:

They call themselves The Paranoids.

 

ALIA:

It's unclear how this name was coined.  Some would say the paranoids came up with it themselves.  Others say it was an unflattering name assigned to them that they kind of owned and decided to rock.  Either way, it's pretty ironic in hindsight.  If they were paranoid, they were totally right to be.

 

NICOLE:

It’s kind of sad.  And I- I remember talking to a lot of people on the Paranoids team, and one thing they said, and and I really credit Alex with this, was that even though they were sort of shortchanged in terms of resources, it was a really mission oriented tight team of security folks, but they found it really hard to recruit.

 

ALIA:

Other big companies are giving a lot of resources to proactive security and intelligence measures.

 

NICOLE:

Whereas if you talked to people from Yahoo during those those days, I think they would really describe the company's approach to security as pretty reactive.

 

ALIA:

But when you're trying to turn a company around, security is the last thing on your mind. 

 

NICOLE:

Back in 2013, the overwhelming story that I heard from people who worked on the paranoids team at Yahoo is that given any choice between spending money on making that Yahoo user interface homepage delightful for users, or taking that same dollar and spending it on improving Yahoo’s security, hands down Marissa Mayer was always diverting resources to the former and sort of shortchanging the latter.

 

ALIA:

While there is no specific instance we know of where Alex might've brought up the Russia hacks or larger security threats, this does paint a picture of a tension between engineering productivity and security, making things versus keeping them safe.  And yet, there was one significant instance where CISO Alex Stamos seems to be at odds with the rest of the Yahoo team.  In 2015, we learned that Yahoo searched users' accounts on behalf of the NSA or the FBI.

 

NICOLE:

So Alex on the record will not talk about this.

 

ALIA:

But according to other employees, we know there was some kind of agreement, voluntary or not, between Yahoo and the US government, giving them access to some of Yahoo’s systems.   And remember, these are in the days post Snowden, when Silicon Valley companies were swearing up and down to Nicole that they didn't just roll over and give the NSA access to their systems.

 

NICOLE:

If you’re the the Chief Information Security Officer of one of these major Silicon Valley companies, and publicly you are refuting these charges that that the Snowden documents brought up, that you were somehow complicit in the NSA surveillance collection, and suddenly find out that actually there was this black box sitting on your network siphoning off data for US intelligence companies, you’d be pretty miffed.

 

ALIA:

So Alex Stamos leaves, and joins Facebook.

 

BOB:

So, just by way of timeline, Justin Somaini was at Yahoo from 2011 to 2013.  Marissa Mayer came in in 2012.  So, soon after she arrived, Somaini left, January 2013.  There was thirteen months where there was no CISO running the security department at Yahoo, during which time a lot of this Russian hacking activity began, as far as we know.  Alex Stamos was hired in February 2014 and only stayed for about a year.  2015, he leaves, allegedly to protest the fact that Yahoo was complying or had built systems to help comply with government orders to suck data out of its systems, to surveil citizens.  And then Bob Lord comes in in 2015.  And Bob Lord is the one who actually has to deal with all the cleanup.  But most of the Russian hacking had happened before his time.

 

ALIA:

As for the cybersecurity perspective on the Yahoo story-

 

BOB:

When you go back and look at the papers, when you look at the SEC filings, and you see you know on the one hand the company says the information security team didn’t communicate well enough to the executive team.  On the other hand, it says the executive team didn’t pay attention enough to the warnings it received.  I don’t exactly know how to interpret that, but it’s clear something was very very wrong, and it’s clear the company didn’t do enough to fix it.

 

NICHOLAS:

Marissa Mayer’s biggest mistake at Yahoo was believing that that she would be able to re-create what Yahoo was in the past on a new device.

 

ALIA:

Yahoo could become that user-friendly, safe, one-stop shop for the Internet.  This time, on the mobile phone. 

 

NICHOLAS:

Unfortunately, the revenue from those mobile applications was never able to truly replace the revenue that had been coming in from Yahoo’s web applications, like email and the homepage. 

 

ALIA:

One of the big award-winning apps the new mobile team developed, was the weather app on the iPhone.  Then, Apple decides to use the Weather Channel’s app instead of Yahoo's.

It sounds to me Bob that there was a mobile play to be made, there was a media play to be made, and those seem really logical.  Those seem really smart to me.  Marissa seemed to be making really educated decisions.  Is that true?

 

BOB:

Sure.  I think a lot of people applauded her plan when she arrived.  And and I think how history is borne out, that somebody has made money in the mobile world, and somebody has made money in the advertising/media world, it just wasn't Yahoo.  Not all plans work out.  Sometimes you strike out.

 

ALIA:

It seems like such a gamble. 

 

BOB:

Yeah I think the- what your question is kind of getting at is: was it a flawed strategy, or or did it just not work out? 

 

ALIA:

Right, like was there nothing she could do, like and if things had just been a little bit different, or if it had just been one year later, maybe this would all have been fine?

 

BOB:

Just like with relationships, timing is everything. 

 

ALIA:

Next enter Verizon, ready to acquire Yahoo and give everyone a payout. 

 

BOB:

So it's July 2016, the end of July, when Verizon publicly announces that they're going to acquire Yahoo.  The Yahoo announcement, I have I have is dated July 26 of 2016, and I've never noticed this before, but I have August 1 as the first headline of the Yahoo hack.  That's five days afterwards.

 

ALIA:

Oh my God. 

 

BOB:

I never noticed that.  I never put these two timelines on the same page before.  What's amazing is how compressed this timeline really is between the acquisition being announced, and word coming out that there had been this massive hack of Yahoo’s systems.  Fast forward six months or so and suddenly the price tag for Yahoo drops by about $350 million, which is essentially a check that Yahoo writes to Verizon to say ‘I'm sorry that what you bought is worth a lot less than what you thought it was worth.’

 

ALIA:

Can we just say that this data breach is like getting engaged to somebody and finding out that they’re in a lot of debt?

 

BOB:

I think that's that's a great metaphor actually.  You know you don't have the conversation you don't ask to look at the credit report- although I think that you should- before you get married.

 

ALIA:

You would. 

 

BOB:

So you’re dating someone, you get engaged, you find out right before the wedding that they have a huge credit card debt that might take years to pay off, there’s not much you can do about that, unless you call off the wedding.  You’re at a moment of truth.  So you know often what happens is you get married, and then you start just paying off the other person's debt.  That's the way it works.  And so right now what Verizon is doing, is it's trying to pay down the debt it owes customers whose whose trust is gone.  They’re having to pay the debt that Yahoo created. 

 

ALIA:

We’d love for you to be able to hear from Verizon or Oath, but both of these companies declined to comment for this story.

Would it have been a heroic story if Verizon swooped in to buy Yahoo, to rescue Yahoo, maybe make it relevant again, maybe just give them a really nice payout, and there hadn't been this enormous data breach?

 

BOB:

No, I think-

 

ALIA:

What?!

 

BOB:

Yeah, sorry.  It would be great for this podcast if we could say this was the happiest ending ever and Prince Charming had just arrived and the story was going to be heroic but for this hack which suddenly ruined everything.  Getting acquired and getting merged together with AOL in a new brand was never anybody's idea of a home run when hiring Marissa.  The fate was already sealed.  This just made the last chapter more sad. 

 

ALIA:

So nothing could really save them, there was no hero that could save Yahoo.

 

BOB:

Well that I wouldn't necessarily agree with.  You know there’s a thousand decisions that were made after she was hired.  And could she have done something else that would have made the company a success?  I think most analysts would say probably not, probably the fate of the company was sealed by the time she arrived, and the best she or anyone else could've hoped for was getting acquired.  But I'm sure at least part of her and definitely the investors hoped that there would be some out-of-the-box, there would be a grand slam in front of them.  The problem that Yahoo had was it had to live up to this incredible reputation that it had from the beginning of the Internet.  And I think the only way you would call this a success would be if Yahoo rose to the prominence that it once had, the once and future Yahoo.  And that was a very very high bar to clear. 

 

ALIA:

So how did Yahoo find out that they had been breached? 

 

BOB:

Well we’re not exactly sure, but but here's what we do know.  Right around August 2016, only a few days after the announcement of the acquisition, journalists first spot for sale Yahoo data that's listed for sale by this fellow who goes by the moniker ‘Peace of Mind.’  He says he has 200 million Yahoo accounts, and they’re up for sale for what is actually an insanely low price, so it’s very very suspicious.  Somebody from the outside also obtains this data and then shared it either directly with Yahoo or through law enforcement, that often happens.  So they went to the FBI and then the FBI went to Yahoo and said ‘this looks pretty real, what do you guys think?’  Only Yahoo would know.

 

ALIA:

Until now, I hadn’t thought of a data breach from the company's perspective.  I'm picturing the Yahoo team, Marissa, and the new CISO Bob Lord, nervously waiting for the Verizon deal to close, and then getting a call that Yahoo data was for sale on the dark web.  That's already bad enough.  But then, you find out it's with- 

 

MONTAGE, ‘With suspected ties to Russia’

 

BOB:

And that information kind of trickled out over time, which I think probably helps Yahoo in terms of public perception.  But at the same time, it's also pretty sympathetic to Yahoo.  I mean they were pretty quick to say a nation-state was involved, even back when folks thought it wasn’t a nation-state, partly because that's a much more sympathetic form of hacking.  I mean is Yahoo really supposed to fight the Russians by itself?  That's a pretty tall challenge.

 

SENATOR JOHN THUNE:

Ms. Mayer. 

 

MARISSA MAYER:

Chairman Thune, ranking member Nelson, and distinguished members of the committee, thank you for the opportunity to appear before you today.  I have the honor and privilege of serving as Yahoo's Chief Executive Officer, from July 2012, through the sale of its core operating business in June of this year.  As you know, Yahoo was the victim of criminal state-sponsored attacks on its systems, resulting in the theft of certain user information.

 

ALIA:

So when everything goes to hell in a handbasket, one thing I'm wondering and the Senate was wondering, as well as shareholders and consumers and a number of people suing Yahoo, is what should they have done differently?

 

BOB:

I want to speak carefully about this, because I feel very strongly, but in the fall of 2014 Yahoo detected a hack of 30 to 40 people and it blamed Russia.

 

ALIA:

30 to 40 people?

 

BOB:

Yes, but at the time it knew that Russians were involved in attacking its systems.  But when you know there's an active attack going on and years go by, these guys were inside Yahoo’s systems for two and a half years after that point, something horrible must've happened there.  And I suspect in a court of law you wouldn’t declare this an accident, you would at least declare it negligent.  I think it's important that we tag that on this team here.

 

ALIA:

The negligence.

 

BOB:

Yeah.

 

ALIA:

Yeah, I mean- 

 

BOB:

A reasonable person acting reasonably would have done more than they did.

 

ALIA:

Instead of dedicating so much time to features, and engineering, and hiring people like Katie Couric to make your brand bigger and better.

 

BOB:

Imagine how many information security professionals they could have hired for Katie Couric’s salary. 

 

ALIA:

Oh my God.  But I mean here's the thing you know, I see it from Marissa's perspective.  I totally see what she's doing.  She is trying to make Yahoo relevant again.  She's gotta hire a name, she’s gotta bring something to the table to make Yahoo shiny again, and new again.  I see why security might not be at the top of her priorities list.

 

BOB:

Security is almost never sexy, but after your building burns down you sure wish you had spent the extra money on the fire escape. 

 

ALIA:

So we talked to Nicole Perlroth from the New York Times, right.  She told this story about- do you know what story I’m talking about?

 

BOB:

I sure do, that was the moment. 

 

ALIA:

That was the moment.

 

BOB:

Yeah yeah, I thought that we could start the entire podcast with that moment.

 

NICOLE:

You know it was really surreal.  I was with my husband.  And I get this call and it's from my coworker who I had written one of the initial Yahoo stories with, and he said Marissa wants to talk to us you have to get on the phone. 

 

BOB:

When this big event occurred and it started to get covered by journalists, Yahoo made this rather unusual decision for its time, which was even though they knew many millions of people had their email addresses and encrypted passwords stolen, Yahoo did not tell their users to reset their passwords, which is what in almost every other major incident like this, that's the first step that the security team insists on.  And Nicole wrote that up in her story.

 

NICOLE:

So my husband and I go back to his car, it’s one of those situations where my phone is automatically Bluetoothed up to the car, and I don't have time to really switch it off, so my husband’s sitting there hearing this whole thing, and Marissa’s tone is just yelling.

 

ALIA:

Can you just for a second like play Marissa Mayer, and like try to convince me, like I just don't see the reason- how could you possibly convince somebody that it's not an important security step? 

 

BOB:

These passwords were encrypted, they’re useless to whoever took them, so why would we tell our users that they had to change them?  That would just cause unnecessary confusion and frustration for our users. 

 

ALIA:

But these hackers have all this information.  Somebody's looking at it on the dark web.

 

BOB:

But it’s useless, it’s scrambled, it doesn't do them any good. 

 

NICOLE:

And you know if you cover this, you know how laughable that is, because you know how many ways there are to crack these passwords.

 

BOB:

2010’s way of encrypting doesn't do any good in 2015, because criminals have figured out how to break that level of encryption.  So it's kind of an arms race game.

 

NICOLE:

It was really weird to be explaining basic security to the chief executive of one of the biggest companies in Silicon Valley.  And her arguments just weren’t adding up.

 

BOB:

And she wasn't arguing that the story was incorrect, but what Marissa was trying to do and for the life of me I will never understand why an executive would ever do this, was she was trying to personally convince Nicole that it was an unnecessary security step.  Let's say Nicole agreed with her at that point.  What good would that do?  The story wasn't inaccurate.  But what's really happening is this: Marissa made a decision which I would say is her her tragic flaw.  This would be the moment.  Marissa made a decision that -and she knew this- if they sent out a note to everyone saying change your password, already they had millions and millions of accounts that were dormant.  And that would be the one step that would have pushed a whole bunch of their user base off the cliff.  People would've said ‘you know what screw it I'm not going to bother resetting my password.  I don't use my Yahoo account anyway.’  So because she was preening for sale, it would be devastating to see tens of millions of users disappear.  So she decided to make this calculated risk.  So she picked the the needs of her company over the needs of her consumers, quite clearly.  And it was more than a bad choice, it's a choice that deserves all the criticism it got.

 

ALIA:

And the choice was driven ultimately by money.

 

BOB:

The choice was driven by money over taking care of people.  In Silicon Valley, and I think rightly so, Marissa had this reputation for being the defender of consumers.  But what she really was was the defender of usability, of ease-of-use, of making things incredibly friendly and intuitive.  People who are involved in cybersecurity do not want things to be easy.  Easy is bad.  They want to put speed bumps in front of you.  The easier it is for you to get your data, the easier it is for someone who’s a bad guy to get your data.  So you can see how there is this natural tension between usability and security.  They’re basically sworn enemies, and Marissa was right at the center of that.  

 

ALIA:

I’d personally love to chat with her, but Marissa didn’t respond to our emails for comment.

 

BOB:

It's funny because while she was the defender of consumers when it came to using things, ultimately she abandoned consumers when it came to protecting them.  While I think we can fault her for that decision, the truth is that decision has been made and made and made every day every hour for the entire history of the Internet.  It was fundamentally designed for sharing, security was layered on as an afterthought.  What I just said to you has happened at virtually every software product, every hardware product ever developed.  People have an idea, they add a feature, and then eventually someone breaks it, and someone says ‘oh my God we’d better hire a security person.’  And then they try to retrofit it on there.  And so that tension exists, and it's probably always going to exist.

 

CARSON:

And now it's time for hack facts.  If you’re anything like me, you’ve been worried for years that artificially intelligent robots are going to take over all of our devices and destroy us all.  One recent example of this is the research done by Billy Rios, the founder of WhiteScope Security, and Jonathan Butts of QED Secure Solutions.  They found vulnerabilities in carwash systems which allowed hackers to control the entire system and physically attack the cars inside.  The test subject, the researcher’s own truck, did not survive unscathed.  This has been hack fact.  Now please excuse me while I go disconnect all of my Wifi-enabled devices.

 

ALIA:

Security team and leadership aside, there's also another compelling case to be made against Yahoo.  Maybe one of its biggest problems was just being super super old.

 

KATIE:

You know, I had a friend who had become the CSO of Yahoo, an old friend.  And that was my friend Alex Stamos.  So we were all very proud of him.

 

ALIA:

That's Katie Moussouris again. 

 

KATIE:

I think the thing that was his problem to tackle and is the problem of any organization that has been on the Internet for a long time, is that you build out dependencies on older systems that you still have to maintain and support.  Let's say Microsoft kept offering updates for Windows XP forever.  Like let's pretend that nightmare exists right.  And even if you update Windows XP, there are architecture level issues that will always be exploitable.  Whereas in Windows 10, or whatever the you know latest architecture is, those things have been removed from the platform in terms of you know them as attack vectors.  So in a lot of ways, from an IT security standpoint, Yahoo represented an un-securable network, because it was so complex and had so many dependencies.  However, impossible to secure doesn't mean impossible to notice that you've been breached.

 

ALIA:

For Katie, responsible cybersecurity doesn't mean building unbreachable networks.

 

KATIE:

Any of these things can happen to any size of organization.  I think the thing that distinguishes organizations that do better with cybersecurity is that they know they will be breached at some point.  Everyone will be.  Given a determined attacker with resources and time, everyone can be breached.  It's what you do about it, and how quickly you can detect a breach and recover from a breach, that distinguishes the good and well-prepared organizations from the ones that are not performing their proper security hygiene.

 

ALIA:

Okay so there are several cases to be made for Yahoo’s blame in these Russia hacks, right.  

A) They didn't have everything in place that they needed.  They failed to put proper security procedures in place or they didn't heed security warnings.  They were somehow negligent so they couldn't defend themselves against an attack.

 

SENATOR GARY PETERS:

Certainly gross negligence should never be acceptable.

 

ALIA:

B) They had adequate enough, secure enough measures in place, but they weren’t able to defend themselves against big bad Russia, because no one could handle that.

 

MARISSA MAYER:

Even robust defenses and processes are not sufficient to protect against a state-sponsored attack, especially one that's extremely sophisticated. 

 

ALIA:

But we know for sure one thing: whether they had enough security measures in place or not, they didn’t notice the breach in time, and they didn't respond quickly enough.

 

BOB:

I see it more as option C.  They may have had everything in place and the Russians may have been operating with what are called ‘zero days,’ which are security vulnerabilities that no one knows about.  And they’re almost impossible to defend against.  It wasn’t- again, they didn’t know they’d been hacked.  They knew they had been hacked by Russia, they knew that their user database had been compromised, so that should have set off whatever red alarm bell was in the security room.  That should have been pulled that day.  And there we were 2 ½ years later, and they were still dealing with it.

 

ALIA:

That’s such a good point.  So, it’s not just about the fact that there was a breach, that Russia got in.  It’s the fact that they stayed inside and they like continued to essentially come to Yahoo everyday and gather whatever intel they wanted.

 

BOB:

And they did it for years.  They did it right up through the middle of 2016, right while these negotiations were happening with Verizon, and right up until, for the most part, the news broke that there might be data for sale about Yahoo.  When we think about a Target hack, a Home Depot hack, the LinkedIn email passwords, you imagine one big spreadsheet getting stolen, somebody breaking in for one night, for an hour or so, and running away with data.  That’s not what this is.  This is them getting into Yahoo’s systems and then just rooting around with them day after day, year after year.  So this is a lot more like breaking into a building and then going into the building every single day, stealing money from the cash drawer, day after day.  And they were essentially using Yahoo as their own personal espionage Google tool for years without being noticed.

 

ALIA:

So, does that sort of mean that like Yahoo was finally the number one search engine, for Russia?

 

BOB:

Can you just picture the ads for you know like ‘Spies ‘R Us’?

 

ALIA:

Laughing

Yes.

 

BOB:

‘You’ll say Yahoo when you find whatever military email you need.’

 

ALIA:

You’ll say Yahoo.

Ultimately, what were the consequences for Marissa Mayer?  Did she accomplish what she hoped to accomplish at Yahoo? 

 

NICHOLAS:

By any conventional measures, she has had a remarkably successful career.  She was one of the youngest, if not the youngest, Fortune 500 CEOs at the time.  She was a pregnant woman taking the job.  These are remarkable things.

 

NICOLE:

Ultimately I think her goal was accomplished.  She was trying to do as much as she could to make it attractive to a big-name acquirer, and I think that's exactly what she did.  Unfortunately on the on the back side of things, things were really messy, and in the meantime they were like basically giving away their customer information to the Russian government. 

 

BOB:

Very well said.  She made the company more valuable than it was when she walked in the door and she was able to sell it off.  And Wall Street does keep score.  On the scoreboard she won. 

 

ALIA:

Everyone walked away with millions of dollars. 

 

BOB:

Not everyone, but she did and the the people who hired her did, so. 

 

ALIA:

Yeah. 

 

BOB:

That- they would think of it as a success.

 

ALIA:

Do you think Marissa would think it was a success?

 

BOB:

Knowing what I know about her, I really doubt it.  It's actually not fun to run a company and sell out.  The people who own companies want to cash out.  The people who run companies want them to succeed on their own.

 

NICHOLAS:

There's an idea out there, which I subscribe to, which is that companies have a life cycle.  They come out and they solve a problem and they grow really fast, and then at some point growth is over and they turn into a profit creating machine.

 

ALIA:

At that point, you don't need a visionary leader single-mindedly focused on building and engineering new things.  You need a finance person in maintenance mode. 

 

NICHOLAS:

And Marissa Mayer was not someone who was ever going to go in and want to optimize Yahoo.   That’s just not how she's programmed.  She was someone who went into Google and helped build amazing things like Gmail, and Google Maps, and also Google Search.

 

ALIA:

Nicholas gives her credit for doing an okay job navigating Yahoo through its sale and selling off pieces of Alibaba.

 

NICHOLAS:

But it's not what she went in there to do, and by her own standards I think she failed.

 

ALIA:

What about consequences for the information security team at Yahoo?

 

NICOLE:

And I remember I did this story a couple years back about what it's like to be a Chief Information Security Officer.  So I run around and I caught up all these CISOs who worked from everything from like a small county in Virginia, to a Fortune 500 company and asked them what it was like.  And universally they described themselves as lambs waiting for slaughter.  It was only gonna be a matter of time before their company was gonna get breached and the first thing that that was gonna happen is they were going to get fired.  And now I think that narrative has changed a lot.  I think that actually in a lot of cases, companies are looking for CISOs who’ve been through a breach, don't care whether they were fired or not.  You know if anything it gives them some good war experience.  And-

 

ALIA:

Alex Stamos, former Yahoo CISO-

 

NICOLE:

-well it’s not like it ended his career.  I mean now he’s at Facebook, which gets more resources devoted to security than most Silicon Valley companies, and is really widely respected in the Valley.

 

ALIA:

Breaking news on that front: while Facebook’s been grappling with their role in allowing Russian trolls to spread misinformation on their platform, they’ve recently come under fire for the Cambridge Analytica scandal, in which 50 million Facebook profiles were mishandled.  And CISO Alex Stamos is right in the crossfire, just announced he’s leaving Facebook in August.

Bob Lord, the CISO that came after Alex and did a lot of the hack cleanup, he's at the DNC. 

 

NICOLE:

So I think if anything, people look at that and say you know ‘he's been through it, he knows what to look for, he knows what's acceptable and not acceptable in terms of security practices, and people want to hear his take on a lot of the security issues we see popping up today.’

 

ALIA:

We’d love for you to hear from Alex Stamos, or any of Yahoo’s CISOs for that matter, but Alex and Bob didn’t respond to our emails, and Justin Somaini declined to comment.

The ultimate consequence of Yahoo?  It'll be used as a case study because of its large price tag.

 

NICOLE:

You know I always tell the story about the breach at Home Depot.  So Home Depot had abysmal security.  They were hacked.  People who were on the security team at Home Depot were telling family members and friends that if they shopped at Home Depot to only use cash, because the security measures were so bad.  And we wrote about all of this and you know what it did to the Home Depot stock price?  Nothing, it went up.  And so that incident really taught me there's not that many consequences for these breaches.  You know, there’s really not.  People keep shopping, your stock price might even go up.  You know, you might have some class-action lawsuits, but for the most part your cyber insurance might cover that kind of thing.

 

ALIA:

But with Yahoo, things changed. 

 

NICOLE:

This is the first time we saw real financial repercussions for a breach of this magnitude.  Some of the people at Yahoo who oversaw the breach response resigned without severance pay.  I think Marissa Mayer was personally docked because of the breach.  That was the first time we had seen something like that.

 

ALIA:

Does that mean that the only way executives, CEOs can be motivated to spend more money and lend more resources to security, are these big data breaches and the price tags that come with them?  I mean like what else could possibly motivate them besides that, besides money?

 

BOB:

That is the only thing that motivates them.  And I can tell you flat out that these conversations just almost never happened until the Target leak.  And finally, with Target, a CEO lost his job because of a hack.  And now I mean every single budget proposal that comes from a security team mentions Target or has Target as a whiff of the concept behind it.  And I think going forward, that’s what Yahoo will become.  Yahoo has a very specific, very large price tag on it.  And now when you go ask for budget, the executives and the board have to listen more.

 

ALIA:

While we were discussing what we should expect and demand from organizations that have been breached, I kept thinking about an anecdote Katie told me from her early days of penetration testing. 

 

KATIE:

Actually you know there was an experiment done in a I think this was almost 10 years ago if not more, where the experiment was: people said ‘I will give you a bar of chocolate if you tell me your password’ and so many people gave up their passwords for chocolate.  I mean another one is literally leaving infected USB sticks out in a parking lot.  You would be surprised how many people are like ‘ooh, free USB stick.’  And they take it, and then they plug it into their computer, and then it runs something malicious.  We see infections happening all the time that take advantage of relatively low-tech mechanisms and relatively low sophistication.  So that can happen to anyone in any organization.

 

ALIA:

I mean Bob when we started all this, a hack seemed super technical, a hack still seems super technical, but actually it's kind of really human.

 

BOB:

Your company is only as secure as the worst trained person on your entire staff. 

 

ALIA:

So if we’re Marissa or the Yahoo team, we’re under tremendous pressure to turn around an aging organization, right.  We’re fighting constant fires, losing search to Google, we’re losing talent to Google and Facebook.  We’re successfully rebuilding new award-winning apps that Apple stops using.  We’re also under this immense microscope as this young new female CEO Marissa Mayer in Silicon Valley.  She can't blow it, she has to turn around a dying company with great ideas that might've totally worked like 12 years ago.  We’re working with an older giant vulnerable security system and security infrastructure.  We’re up against an entire nation-state and an endless line of hackers, whose only job is to attack relentlessly until they find one tiny weakness.  And we’re working against human nature, on top of all of this Bob, we’re working against human nature, depending on thousands of employees to remain constantly vigilant 24/7, and not click links even if they look completely secure like an interoffice memo or their recovery password email.  I mean they're up against a lot.

 

BOB:

I have a metaphor that I love to use for this problem.

 

ALIA:

Of course you do. 

 

BOB:

When I used to have a backyard, I had a fence around my backyard, which was great because I could let the dog hang out in my backyard while I was at work.  And that worked for like a day, and then the dog found a way through the fence.  And then I patched the hole in the fence, and that worked for like a day and then the dog found another hole through the fence.  And this routine went on for several weeks.  And it made me think about computer hacking, because while I'm at work doing my job, my dog is spending every second of his day walking around the perimeter of my yard looking for a way out.  He has nothing else to do with his time, and his inventive dog brain figuring out one little spot that he can squeeze through, that’s what computer hackers are.  We’re all trying to work, we’ve got other stuff to do, this is no- no company's top priority is security.  You're just trying to do it good enough so you can get on with your life.  Hackers are bored, they have lots of free time, and all they do is prowl around the perimeter of your fence looking for a way in.

 

ALIA:

Given all of this, given this mountain of things that we’re talking about, obstacles, etc, do Yahoo and Marissa deserve a break?  I mean are they off the hook, are they on the hook?  This seems really like a very difficult question to answer.

 

BOB:

It’s certainly one I don't want to answer. I know for sure every person in the computer security world, and probably every executive of any kind, looks at this incident and says ‘there but for the grace of God go I.  If if we were in that moment in that spot who knows how we would’ve performed?’  Don't forget there are criminals who committed a crime here, and they’re actually the ones to blame.  The company here is is a victim and the people who were involved are victims, so it's not fair to victim blame.  But it was their responsibility to keep this data safe.  And when someone fails at a responsibility, they should be held accountable to that, especially when you're someone who's making millions of dollars.  Like I think it's fair to raise the criticisms and it’s also really important to do it, to hopefully minimize the next time this occurs.  This is- Yahoo is a case study and should be for every single executive at every Silicon Valley company, every company period to learn from this.  You know, there finally is an enormous price tag on a hack, and that's really really important.  So I would never want anyone to blunt the criticism, I think it’s really important to do it.  But criticizing and attributing blame are two different things and or you know attributing some morality to it, I think that's a that's a dangerous game that I wouldn’t want to play and I don't think anyone should.  If- if the dog gets out of my yard and bites someone, I'm absolutely responsible. 

 

ALIA:

Because you- because you decided to get that dog.

 

BOB:

Yeah, it's my dog.  I absolutely would be and fairly so responsible for what he did.  Doesn’t make me necessarily a bad person, but it certainly could make me a negligent person. 

 

ALIA:

Okay with all this in mind, do we still think the story of Yahoo is this five act Shakespearean play, peppered with a little bit of comedy and a little bit of tragedy?

 

BOB:

A lot of tragedy and very little bit of comedy I would say.  But yeah I think so, I think that's a good way to look at it.

 

ALIA:

I think I feel like this is such a tragedy, because at this moment, as I sit here, I better understand the fact that this wasn’t just a breach, this wasn’t a single break-in, this was a long-term break-in, a regular break-in that continued to happen.

 

BOB:

This was an infiltration.

 

ALIA:

It was an infiltration, right.  And that to me feels like a tragedy, because it's this overwhelming problem.

 

BOB:

Alia, it’s Bob.  Doing more research, because there’s always more research to do, and I just found this story about Yahoo getting hacked in 2012, in a hack that had nothing to do with the hack we’re talking about.  But the hackers who broke in left this message.  And reading it now, the message says ‘We hope the parties responsible for managing the security of this subdomain will take this as a wakeup call, and not as a threat.  There have been many security holes exploited in web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure.  Please do not take them lightly.’

 

ALIA:

From Nicole at the New York Times’s perspective, the last act of Yahoo, Marissa Mayer’s chapter, wrote itself.  The headlines were destined from the start. 

 

NICOLE:

The first headlines were about ‘oh actually she's pregnant, oh actually she's only gonna take a couple of weeks of maternity leave, she’s bringing in these big names, she’s making it this source of delight,’ all of these things.  And then you know I think ultimately we were all going to be writing the same story at the 100 day mark, which was something along the lines of ‘the honeymoon is over for Marissa Mayer and the company is still stuck and shows no signs of really improving.’  So I think in that sense she was really doomed from the start.

 

ALIA:

Adding to that inevitable disappointment, the surprise twist of the Yahoo hacks. 

 

NICOLE:

Those were the headlines that were some of the last headlines to be written about the company.  You know it's been acquired, but actually all 3 billion of its user accounts were compromised.

 

ALIA:

So that safe first search engine that introduced 3 billion people to the World Wide Web, becomes the company that loses all of their information.

 

NICOLE:

I remember looking back as I was covering this, and getting an email from my friend and she's like she said ‘thanks for writing this story.  I think David's finally gonna switch to Gmail.’

 

ALIA:

Yahoo began as an Internet defining startup, grew into a tech giant, lost its way, tried to make a comeback, imploded with the largest data breach of all time, and then dissolved into a million little acquired pieces.  If companies do have a lifecycle like Nicholas said, then Yahoo’s at its end.  I couldn't help feeling a little nostalgic now and revisiting that voicemail that started it all.

 

CARSON:

Goodbye from Yahoo.

 

ALIA:

Goodbye Yahoo. 

Meanwhile, all that Yahoo user info is still floating around out there.  So hackers got into Yahoo, but why?  Whose accounts were they really after?  Here's a hint: it's not the big number, it's not the millions of accounts that matter.  What do a Shanghai-based Private Equity guy, Russian officials, and a Ukrainian fitness expert have in common?  Well, they all have Yahoo accounts.  That’s next time, on Breach.

Breach is a branded podcast, brought to you by Carbonite, in partnership with Midroll and Spoke Media.  You can find transcripts and show notes at carbonite.com/breach.  If cybersecurity reporting was Blinky, Pinky, Inky, and Clyde, Bob Sullivan is Ms. Pacman.  Our show is produced by Alia Tavakolian -that’s me- and Janielle Kastner, with associate producers Stephen Gardner and Carson McCain.  When Bob and I are in the studio, we’re recorded by Jared O’Connell.  Our show is mixed and sound-designed by Mark Moncrieff.  The songs you hear are brought to you by APM Music.  Our executive producers are Alex DiPalma and Keith Reynolds, who is not tech savvy, has no sense of design, and is utterly incapable of growing a human inside his own body.  So, he’s kind of the opposite of Marissa Mayer.

How did Yahoo—a once respected Silicon Valley pioneer, the company that introduced the world to the internet—become the victim of the biggest data security breach in history?

In this episode of Breach, hosts Bob Sullivan and Alia Tavakolian investigate the series of events, missteps and executive decisions that led to Yahoo's fall from grace and the exposure of three billion private user accounts.

Yahoo gained notoriety by making the internet searchable and useful to everyday web surfers. But a series of questionable decisions made by a revolving door of CEOs led to the company's steady decline. Enter Marissa Mayer. The highly respected former Google executive joined the company with a mandate to turn things around. She made big changes and brought in star power like Katie Couric. But security was often an afterthought—and the stage was set for disaster. All that and more in the second installment of Breach.

