Yahoo Ignoring Its Own Security Flaws


In light of the Heartbleed story, I felt that we needed a post here about the inherent dangers of Yahoo’s new redesign. Not counting all the other issues, the new redesign is a security risk all by itself, full of numerous problems that can easily be exploited.

Yahoo is not a safe environment, and even patching Heartbleed and using encryption won’t fix all their problems. They have caused so many issues in their Groups and Mail services with their new “improved” redesign that they are broken and unsafe.

Without any ability to regulate them, spammers can overrun us because we can’t see what we are approving and sometimes it appears to be blank when approving.

Embedded images aren’t shown either, and “reject with a reply” sometimes goes to the entire group instead of privately.  See here.

Near the beginning of the NEO changeover, private information in Freecycle Groups was mistakenly going public and was displayed to 18,000 users.  Although it was supposedly fixed, trust was broken, and most Freecycle groups have long since left.

The system breaks and hangs; things don’t work. They threw us in this “test” with no warning in August of 2013 and have not ever publicly acknowledged that Group members still have these  problems.

**************************************************
From the Yahoo Uservoice Feedback Forum
1,633 votes

After filing an incident report (130824-020762) with your so-called Customer Care, I have come to the conclusion that you really couldn’t care any less. “You are part of a test group and cannot be removed” is not an adequate response nor helpful in any way. I not only don’t appreciate the Yahoo attitude, as far as I’m concerned you can keep it. I will start my groups over in Google Groups and leave Yahoo and its advertisers to their own demise.

**************************************************

It’s now been 8 months and yet we are still stuck in this broken, buggy, unstable mess. Yahoo needs to man-up and admit their new interface is a failure and no amount of encrypting or securing will make it function correctly. It doesn’t even function on the mobile devices it was designed for!

We’ve been hacked.

Attacked with ads that were inappropriate or with malware.

Suffered severe mail outages that also affected Group Mail, and Yahoo Customer Care has been little or no help.

Suffered loss of moderator controls and features and had many other issues:

And nothing has been done to fix it. Yahoo figures no one will care about us; we’re just “Groups” users who don’t matter. Mail users got an admission of failure, an adjustment on a feature, and an apology. We got nothing. Once loyal longtime users of Yahoo, we were simply disregarded.

So we are once again in the fight of our lives against Yahoo’s new “improvements” because the new format called NEO has been a disaster from day one that has impacted and changed many thousands of users’ lives forever.

The secret Yahoo doesn’t want you to know? Yahoo’s new “upgrades” DO NOT WORK. They are broken, buggy, dysfunctional, have security issues, and worse, they cause physical harm to the elderly and disabled. We’ve had enough; it’s been long enough, and something needs to be done NOW!

Meanwhile, they are trying to hide their failure. In fact, instead of properly evaluating feedback that we’ve been providing in their Feedback Forum, now Yahoo is DELETING it!  Fortunately, I had already archived a lot of it.

This is now day #220 of our Crusade, and we are still going strong. We need to get our story in the press, like mail did, in order to bring public opinion to the table and hopefully force Yahoo to roll back this disaster of an “improvement” and return us to the classic format that we all knew and loved, that was secure and user friendly, and that WORKED.

But if nothing else, even if we fail and can’t get them to return to Classic, my group and another group of 3,000+ teenagers and twenty-somethings who have joined forces with me are determined to hold Yahoo accountable for what they have done in the public eye, if nowhere else. We are going to bring their treatment of loyal users to the light of day, one way or another, and you can help us do that!

Please read this and consider helping by putting our Crusade Site URL and our fight in the press.

Thanks,

Nightowl >8#

Beware the Ides of March

 

In what amounts to a tacit admission of failure, Yahoo! deleted thousands of Groups-related suggestions and bug reports and has nothing to say to disappointed users.

Early on March 15th Yahoo Groups users began to report that the official Feedback forum suddenly contained a lot fewer feedback items. A few thousand fewer. The content of the forum had been decimated from recollections of 1,600 to 2,300 items previously to as few as 150 that day. This was reported to Yahoo that day by way of the Yahoo Groups section on Yahoo! Answers. Thus far Yahoo has declined to make any public comment on the deletions in the Answers section cited, in its blog, or in the Feedback forum itself.

Absent any comment, it is tempting to suggest that Yahoo was simply overwhelmed by the number of feedback items and arbitrarily discarded the lower-ranked items to bring the number down to a manageable level. If true, that would amount to a tacit admission that the “new experience” is more troubled than Yahoo can publicly acknowledge or privately cope with.

Some users have suggested that this might have been a simple house-cleaning, ridding the forum of duplicate or inappropriate items. But if that was the intent, Yahoo discarded an unknown number of babies with the bathwater. Some users have posted their bug reports and suggestions again. Others have simply walked away in disgust that their time and effort was so carelessly discarded.

Yahoo, having already caused much discontent within the Groups community over the roll-out of their “new experience,” scarcely needed to give the user community another slap in the face. It is incomprehensible that Yahoo would discard user feedback in bulk at the same time that they are working feverishly to make a show of rolling out the return of lost features and the continued improvement of the “new experience.” If anyone thought they were sweeping problems “under the rug,” that was very short-sighted. Discarding bug reports in particular would only serve to prolong the period of time before the bug gets discovered again and corrected.

Discarding suggestions, on the other hand, is simply rude. The Feedback forum has a mechanism for marking a suggestion as “Declined” if Yahoo decides not to implement it. That may disappoint the person who made the suggestion, but at least they have been given the courtesy of a reply.

– Shal

Update: I tweeted Jeff Bonforte, SVP of Communications Products at Yahoo!, about the situation on Friday, before writing the above, and received a prompt reply from him Monday morning, after that was written but before it was published here. The reply did not address the issue in my opinion.

 

Additional Comment by Nightowl >8#:

I have plenty to say about this issue. Yahoo has been hiding uservoice posts ever since we started the crusade. First they were marking them done, declined, or whatever and moving them, which would break the links we were sending to the press. Then they carelessly started rushing fixes, which was worse, and everything under the sun was breaking. NOW, instead of hiding, falsely marking, or moving comments, they are DELETING them — discarding them with no response to users — a blatant statement on their part that we are nothing to them, that we don’t matter. Well, we are here to tell you GROUPS USERS MATTER! And I archived a huge number of those comments that are now gone from view on Yahoo.

So if you want to see what users have REALLY been saying about the new redesign of Yahoo, go here:  Click on The Feedback Trench and go from there. I promise you, there is a LOT of reading there and almost none of it is positive about the new NEO redesign.

Oh, and if you want some additional reading, click on For The Press. You’ll find two very interesting archived tweet convos between a group of distressed users and Mr. Jeff Bonforte himself!

Happy Reading!!!

 

Neo Fails ADA Requirements

By Andrew Seales
Reposted with permission by Nightowl >8#

Last I heard, Yahoo is scrambling to cover its unit before justice levels THEM.

Web Site ADA Compliance Checklist:

Does each non-text element on the page have a text equivalent via “alt” (alternative text attribute) or does the page otherwise include a meaningful description of the non-text element in the text accompanying the non-text element?

For any multimedia content, is text captioning provided for all audible output and audible output provided for all-important visual information?

Are all audio descriptions and text captions synchronized with their associated dynamic content?

Is the page capable of being understood and navigated even if users do not have the ability to identify specific colors or differentiate between colors?

If the page uses cascading style sheets or JavaScript style sheets, is it viewable without style sheets or with style sheets turned off or not supported by the browser?

If the page uses cascading style sheets or JavaScript style sheets, is it designed so that it does not interfere with style sheets set by the browser?

If the page includes any server-side image maps, are duplicate text links provided for all links within the server-side image maps?

If the page includes any server-side image maps, have you established a timetable to replace the server-side image maps with client-side image maps except where the regions cannot be defined with an available geometric shape?

If the page includes one or more client-side image maps, does each map region have a text equivalent via “alt” (alternative text attribute) or does the page otherwise include a meaningful description of the non-text element in the text accompanying it?

If the page includes data in tables (either HTML tables or preformatted text tables using the <PRE> tag) and if any of the tables have two or more rows (including header or data cells), does each cell provide identification of row and column headers?

If the page uses frames, does each frame have a title that meaningfully describes it?

Does the page include content (such as applets or content requiring plug-ins) that may cause the screen to flicker with a frequency greater than 2 Hz and lower than 55 Hz?

If the page uses scripts, such as JavaScript or scripts in Macromedia Flash content, and if the scripts affect any content displayed to the user, is there equivalent text provided by the page or the script that is accessible to a screen reader?

If the web page uses applets, such as downloadable Java applets, does it also contain the same information and functionality in an accessible format?

If the page uses other programmatic objects (such as Flash, Shockwave, RealAudio, or RealVideo content) or otherwise requires the use of plug-ins or programmatic support for the browser, does the page include a link to the plug-in or programmatic item required for accessing the content of the page, and is that plug-in or programmatic item itself accessible to people with disabilities?

If the page includes links to .pdf (Adobe Acrobat’s portable document format) files, were those .pdf files created in a way that is likely to maximize their usability for people with disabilities?

If the page includes one or more electronic forms that is designed for completion online, does each form permit users of assistive technology to access the information, field elements, and functionality required for completion and submission of the form including all directions and cues?

If the page contains one or more forms designed to be completed online but inaccessible to people with disabilities in some respect, does the page include an alternate accessible form or a link to an alternate accessible form?

If the page includes navigational links to other web pages within the same website, is there a link allowing users of screen readers to skip over those links?

If the page requires users to respond within a fixed amount of time before the user is “timed out,” is the user alerted that he or she will be timed out and given sufficient time to indicate that more time is required before actually being timed out?

Taking into consideration your responses to the previous questions, if the reviewed page likely contains barriers to access for people with disabilities, do you have an alternative text-only page that contains the same information and is updated as often as the reviewed page?

Originally posted here.

Database Not Yet Back To Basics


By Deborah from Paris

This is an update from the previous post.

I appreciate Yahoo trying to make the databases usable again.

Indeed there are many good things in the improvements and I appreciate you got us the French accented characters back again.

However, the format is still difficult to read and use for the following reasons:

1/ column headings do not align with the actual columns as soon as you click on one of the columns to have it ordered. After reordering one column, column headings stay the same at the top but when you scroll down, column widths vary and no longer fit the headings!

example: I try to sort out column number 3 according to zip code, all columns realign but not with the headings, one still cannot understand what each column is about

2/ I don’t understand the first column: these numbers are of no use at all, I used to have the first column for the name of the group member who put in the information, this is what I wanted first but now it is no longer! It takes space for no use.

3/ I appreciate having more length for reading each column but this is far toooooo long now, you need to use the cursor to go very far to the right, while it used to be possible to read the whole table without using cursors.

4/ In particular, to move the cursor to the right, you need to go ALL THE WAY down the database, even if it was the first entry you wanted to go and read towards the right! Now if you want to go back and read the second entry (out of 400 or so entries) you need to scroll back all the way to the top, and then when you want to go to the right to see what is in the 5th or 6th column, you need to go ALL THE WAY down to get the cursor towards the RIGHT, you must be KIDDING ME?

Therefore, I much preferred having pages, rather than scroll down the entire list!

5/ It would be nicer to have the entire page free to read the database and thus PLEASE could you get rid of the list of all the groups I own or am a member of, on the left of the screen, this is really totally unneeded once I am in a group and even more when we are trying to read a database.

Overall comment: you have really worked hard and I appreciate it.

HOWEVER, it is really still very difficult to use and far LESS convenient than it USED TO BE.

To vote on this issue and convince Yahoo to fix it go here:

DATABASES STILL PROBLEMS AFTER REVAMPING

Deborah from Paris

Making it Clear to Yahoo

By Adrian Smith
Reposted with permission by Nightowl >8#

  • Yahoo NEO has destroyed our databases.  Students are no longer able to use the database to post……anything.
  • Yahoo NEO violates the privacy of users that post directly to the group by showing the IP address of the user.  Our network is fortunate to use a server to bypass this security problem.
  • Yahoo NEO does not allow aliases to be used.
  • Yahoo NEO is in violation of the ADA and other nations’ rights of the disabled.  How dare you treat these people with contempt.  How dare you treat these people as yesterday’s garbage.  How dare you roll out this format without any type of notice.  We owe it to our neighbors to fight you at every opportunity and to bring you to justice.
  • We have every right to hold your advertisers accountable for blocking access to the groups with ads you place on the message board that stops the equipment they use.
  • Yahoo NEO discriminates against the elderly and poor.  The elderly on fixed incomes cannot afford the computer upgrades needed to navigate your new format that is a RAM hog.
  • You dismissed the hundreds of thousands of complaints against NEO. You have been disingenuous to the media and concerned individuals by saying the classic system was outdated.  You had every opportunity to build a new foundation with the classic groups.  The dollars you’ve spent with just the new logo could have been used to enhance the classic groups.

We will not reveal our final strategy.  We will say that a growing number of concerned individuals are aware of what you have done.

  • This format is in violation of public website access defined in the DOJ/ADA.  Yahoo was warned from day one that the format is illegal but has not heeded the concerns of the visually impaired.
  • This format is in violation of international conventions adopted by the majority of sovereign nations through the auspices of the United Nations. Rights to public access to internet websites for the elderly and disabled. The placement of ads causes the reading equipment of the blind to stop functioning.
  • This format is discriminatory against the elderly. The elderly have warned Yahoo since day one that the format causes their older computers and slow modems to freeze. The high usage of RAM depletes the functionality of their computers over a period of time.
  • This format cannot be used by those that have peripheral vision and nerve damage.  Once again, users have voiced and written their concerns to Yahoo. These concerns have been dismissed.  Yahoo claims that measures have been taken to address these concerns.  Their proclamations are not based in reality.  Their proclamations are for the sole attention of media scrutiny.
  • Yahoo needs to be held accountable for forcing this unwanted, unneeded, and unpopular format on millions of users that have complained about this format from day one.

Originally posted here.

Yahoo Finds New Ways to Spam Its Members

By Charley Silverman

This article is a follow-up to a previous article written in the hopes of highlighting the problems caused by Yahoo with its hasty decision to NEO-fy its membership.  In February, I wrote an article about how Yahoo’s awful decision to inflict its NEO model on its users affected one business community, namely the members of the QFLEA small business community.

You can read that article here.

This community consists of small business people who run their businesses on websites and list those businesses at QFLEA.com.  A major component of our shared experience is the QFLEA Yahoo Group, where said businesses have the opportunity to exchange information and ideas that are beneficial to all.

We’ve run this Yahoo Group since 1999 and have shared over 20,000 posts related specifically to small business.  These posts have educated members about a variety of issues from business shopping carts to website HTML coding to search engine optimization to effective use of social media and much more.  The one thing that we have not allowed in this group is advertising.  We made a decision early in the process that the one thing that might kill this Yahoo Group was if we all started spamming each other, so the 20,000 messages in this group have been related only to business and topics that would assist our members.

That ended with NEO.  While hundreds of members have been able to refrain from spamming the Yahoo Group for almost fifteen years, Yahoo has decided to spam us on their own.  Intertwined within the educational and informational posts of our membership is spam from AdChoices.  For example, in between my post about QFLEA and social media this morning and a member post about how to handle a particular line of text/javascript, there is spam from Yahoo about there being no long-term benefits from Glucosamine.  Between a question about websites and mobile phones and commentary about a business editorial, we have spam about the top credit cards for 2014 for excellent credit.

Have the powers-that-be at Yahoo lost their minds?  Is it not bad enough that you’ve spammed our group with big picture ads?  (By the way, my favorite is the ad for the builder of the community in whose house I already live!!)  Must you muddy up a purely information process with advertising as well?  Your spam ads are unwelcome and detract from the efficiency of our Yahoo Group, though having said that, I know it means nothing to you.  I just find it particularly annoying that in addition to giving us a platform which is buggy, user-unfriendly, troublesome to edit, and a major step backwards in terms of usefulness, you’ve added spamming into our content.

It would appear that NEO is, if nothing else, aptly named.  It stands for what must be your new mantra, Never-ending Economic Opportunities!  In layman’s terms, Yahoo is now spamming all that is spammable!  Unfortunately, at the rate they are proceeding, there will be fewer and fewer members on which to foist future failures.

Hasty Fixes to Groups Won’t Fix Revenue Woes

Well, here we are in 2014, and it appears that the projected goals for Yahoo have not been met. There is little wonder why – they broke every one of their services to the point of being unusable. On Twitter recently (February 4, 2014), there were still people tweeting that their Yahoo mail was down and not working. Yahoo managed to break it again . . . and Flickr, too.

Do you know why Yahoo is such a mess? Because they rolled out a broken, buggy, untested program called NEO and forced it onto their users without warning.  They started with Yahoo Groups and turned us into guinea pigs as though we were due no consideration for our years of loyalty to Yahoo.  With total disregard they destroyed years of work put into the groups – archives, databases, and even accessibility were gone.

The media paid little attention to the protests of Groups users, but when Yahoo sabotaged Mail, the press was all over it.  Yahoo couldn’t deny the chaos they had created, and they quickly restored at least one of the favorite features (tabs) that they had eliminated.

Still the plight of Groups users was ignored, but we weren’t idle.  Yahoo’s Uservoice overflowed with requests for help, complaints about lost features, and pleas for the return to Classic Groups.  When that didn’t work, we took to contacting the media, advertisers, and stockholders – telling them what we were experiencing, asking for support, and advising them of plans to boycott. We also created this blog to collect relevant data, personal stories, news articles, resources, and comments in one location for anyone to see.

Finally, six months after the advent of NEO, we are beginning to see the true effect. Yahoo’s fourth quarter returns indicate that our efforts have not been in vain. Even though ad sales were up, revenue was down, and COO De Castro was fired by Mayer (with a generous – to say the least – severance deal). Despite Yahoo’s claim of increased traffic, maybe the advertisers and investors are finally seeing the validity of what we’ve been telling them.

[Charts: Bloomberg ad sales increase; Bloomberg revenue decline]

Source:  Bloomberg

Now Yahoo is in a hurry to repair the damage and stop the exodus, but it isn’t working. Months ago Bonforte stated on Twitter that it would take at least two years to identify and fix all the bugs in Groups.

Jeff Bonforte (@bonforte):
@Mark__Oliver @Apacapacas it isn’t that easy. And we definitely do have ideas on where we want to take Groups in the next couple of years.
from Castro, San Francisco
(You can read the full transcript here.)

With the recent drop in revenue, investors are pressing for changes in Mayer’s management style.  The press is not only focusing on that, they’re also starting to take seriously the impact on Groups.  The result has been a push by Yahoo to make Groups functional again.  The problem is, the more they “fix” in haste, the more problems they actually cause. In an effort to conceal this latest fiasco, they’ve revised Uservoice so vote counts for requests/complaints are no longer shown.  Perhaps this is a ploy to minimize the effect when viewed by the media and general public.

Another favorite tactic of Yahoo is to close items and claim they have been fixed. In most instances, the problem still exists. They will also close requests as soon as they’ve been submitted, and they’ve changed the way requests are made and made it difficult to know what, if anything, has been done.  So far many of the things they claim are fixed still don’t work properly, if at all.

One of the problems we experienced with NEO is that all of the personalized home page photos were removed and replaced by arbitrary, irrelevant photos assigned by Yahoo (some of them actually offensive to certain cultures or religions).  When they recently returned the personalized photos to the home pages, they left the ones they had imposed on us and placed the original ones lower on the page, in a cropped format.  Below is an example of what a photo “restored” by NEO looks like now, although the original photo did not chop off the heads of the subjects (we did, however, blur the subjects’ faces to protect their privacy).

The bottom line is that Yahoo took services that worked – Groups, Mail, Finance, Sports, etc. – and destroyed them.  Groups lost functionality, Mail was down for days, and passwords have been compromised.  Yet they have adamantly refused to return to the Classic format, stating that it is no longer feasible, even though many users are still using that format. What we have repeatedly requested is a return to Classic at least until the new interface can be adequately tested and proven to provide the features on which we have relied for so long.  Is that really too much to ask?