On Thu, Feb 13, 2014 at 06:19:19PM +0000, Simon Avery wrote:
> I respect your opinion a lot, and your experience in this area outstrips
> mine so perhaps I'm over-critical. I don't deal with them on a daily basis,
> but they have failed to address what must be massively gaping holes in
> security for far, far, FAR longer than I would deem reasonable.

Thanks. I don't work with them on a daily basis either.

I do think they have a serious issue and that they should fix it. That's what I said here and at other places before. But I think it may be harder to fix these issues than we think.

I think there are two possibilities.

The first is that Yahoo is aware of the issue, but decides it's not worth fixing. If that's the case, we should all be angry. But Yahoo will say: it's just spam. I have no evidence that those sending the spam have access to personal information. Most people who find their account has been sending spam will change their password to a more secure one and check their PC for malware - neither of which are a bad thing. It might be that the solution is simply too expensive. (Which is why I'm in favour of people leaving Yahoo because of it: it will give them an incentive to fix the issue.)

The second possibility is that Yahoo doesn't know what the issue is. This may sound implausible, but from their point of view, it may just look like a lot of people logging in to their webmail service to, as becomes clear later on, send spam. Yahoo could stop people from sending short messages with a link, or sending emails to many people in their address book, or logging in from a different country - but all of these are likely to cause a lot of false positives and thus angry users.

Authentication is hard. It becomes even harder if it appears that two people have access to the account: how do you distinguish the genuine account holder from the fake one?

A third possibility is that Yahoo is somehow complicit in this. If they were, I think they wouldn't be selling access to the accounts to send weight loss spam, but do something that made them a lot more money. But like you, I can't prove that this isn't the case. Sometimes very weird things happen.

Martijn.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq