mouthporn.net
#bug bounty – @dragoni on Tumblr

DragonI

@dragoni

"Truth is not what you want it to be; it is what it is, and you must bend to its power or live a lie", Miyamoto Musashi

Security is a part of the UX, as is automatically resetting everyone’s passwords after a breach.

Failing to follow through to protect users, failing to prevent employees from being poached and failing to grow revenues. The Verizon acquisition was actually a blessing in disguise. Will Verizon invest in Yahoo’s security?

The Google co-founder Sergey Brin regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, “Never again,” to signal that it would never again allow anyone — be they spies or criminals — to hack into Google customers’ accounts.

This is on Mayer’s

Yahoo, on the other hand, was slower to invest in the kinds of defenses necessary to thwart sophisticated hackers that are now considered standard in Silicon Valley, according to half a dozen current and former company employees who participated in security discussions but agreed to describe them only on the condition of anonymity.
When Marissa Mayer took over as chief executive of the flailing company in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services like Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.

All too common! The consequence: Yahoo got pwned.

The “Paranoids,” the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.

Waiting to hear about the detailed war stories

But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.
Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.
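What the “automatic reset of all user passwords” in the excerpt above means mechanically, as an added example that is not Yahoo’s, the Times’ or this blog’s code: a hypothetical account service (the names, data model and token delivery are assumptions) that, once a breach cutoff is declared, refuses every pre-breach password before even checking it, revokes existing sessions, and only lets the user back in through a single-use reset token delivered out of band.

```python
# Added example (hypothetical service, not Yahoo's code): a post-breach
# forced password reset. Names and data model are assumptions.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class LoginResult(Enum):
    OK = "ok"
    DENIED = "denied"
    RESET_REQUIRED = "reset_required"


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so callers can build timezone-aware timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library so the example runs
    # anywhere; a real deployment would use argon2id or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime                  # when this password was chosen
    sessions: Set[str] = field(default_factory=set)
    reset_token: Optional[bytes] = None  # delivered out of band (email/SMS)


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Passwords chosen at or before this instant are treated as leaked.
        self.credentials_invalid_before: Optional[datetime] = None

    def register(self, email: str, password: str, when: datetime) -> None:
        salt = os.urandom(16)
        self.accounts[email] = Account(email, salt, hash_password(password, salt), when)

    def _reset_required(self, acct: Account) -> bool:
        cutoff = self.credentials_invalid_before
        return cutoff is not None and acct.pw_set_at <= cutoff

    def login(self, email: str, password: str) -> Tuple[LoginResult, Optional[str]]:
        acct = self.accounts.get(email)
        if acct is None:
            return LoginResult.DENIED, None
        # Decide *before* verifying the password: a leaked credential must
        # neither grant access nor act as an oracle for whether it is correct.
        if self._reset_required(acct):
            return LoginResult.RESET_REQUIRED, None
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            return LoginResult.DENIED, None
        session = secrets.token_urlsafe(32)
        acct.sessions.add(session)
        return LoginResult.OK, session

    def session_valid(self, email: str, session: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and session in acct.sessions

    def declare_breach(self, cutoff: datetime) -> int:
        """Force a reset for every password set at or before `cutoff`.

        Existing sessions are revoked too: whoever logged in with a stolen
        password before the announcement must not stay logged in.
        Returns the number of accounts affected.
        """
        self.credentials_invalid_before = cutoff
        affected = 0
        for acct in self.accounts.values():
            if acct.pw_set_at <= cutoff:
                acct.sessions.clear()
                acct.reset_token = secrets.token_bytes(32)  # sent out of band
                affected += 1
        return affected

    def reset_password(self, email: str, token: bytes, new_password: str,
                       when: datetime) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token is None:
            return False
        if not hmac.compare_digest(acct.reset_token, token):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.pw_set_at = when
        acct.reset_token = None  # single use
        acct.sessions.clear()
        return True


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice@example.com", "hunter2", utc(2014, 1, 1))  # constructed sample
    print(svc.login("alice@example.com", "hunter2")[0])  # LoginResult.OK
    svc.declare_breach(utc(2014, 6, 1))
    print(svc.login("alice@example.com", "hunter2")[0])  # LoginResult.RESET_REQUIRED
```

Two ordering choices carry the security point. The cutoff check runs before the hash comparison, so the stolen credential cannot even be used to confirm that it is still correct; and `declare_breach` clears sessions, because a forced reset that leaves an attacker's existing session alive changes nothing for that account.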

Tesla gets it. Security matters.

"Tesla is on the path to be the most secure car," David Kennedy, the CEO of TrustedSec, told Tech Insider. "I don’t think that they’re there yet, but I think they’re definitely striving for it."
As a white hat hacker who works with three major auto manufacturers, Kennedy has a better view than most into how cars can be exploited or manipulated remotely. He told TI that car hacking is rather trivial for many models, since most use an old technology that never had security in mind.
But that's not true for Tesla, which considers itself a technology company first, car company second.

...

Security researchers can score anywhere from $100 to $10,000 if they find a bug in one of Tesla's cars, its app, or websites. According to the BugCrowd website, at least 135 bugs have been found so far.
Among hacks that were reported and quickly fixed: The ability to perform any action an owner could do through the touchscreen or app, which includes unlocking doors, or starting and stopping the car. That's a sharp contrast from how Nissan reacted when its own app was found with similar issues. Instead of fixing it, the company shut it down.

...

"Tesla is essentially running some of the core security principles we want to see in a car, but," Kennedy said. "If I hacked the main server infrastructure, I could take all of the Teslas off the road."

Jani is a Jedi

Earlier this year, a 10-year-old — who is not even old enough to sign up on Facebook — impressed Mark Zuckerberg by hacking Instagram, the photo-sharing application owned by Facebook. The Helsinki-based boy genius, called Jani, received $10,000 from Facebook for identifying a security bug, Forbes reported.

LOL, what if he had deleted Bieber’s stuff? Just saying ;)

Jani uncovered a flaw that allowed him to delete any written content on the social media platform by altering the code. "I would have been able to eliminate anyone, even Justin Bieber," the wunderkind told Finnish publication Iltalehti.
An aspiring security expert, Jani sent his discovery to Facebook via email. He verified his report by deleting a comment the company posted on a test account, a spokesperson told Forbes. The bug was resolved at the end of February. In March, the tech giant informed Jani of the fix and gave him his monetary reward.

Jani plans to use the reward to buy a new bike, football gear, and new computers for his brothers, he said in the interview with Iltalehti. He ousted a 13-year-old to become the youngest ever recipient of Facebook's bug bounty program, which offers rewards to people who identify and report legitimate security risks.

Apple Fanbois (▀̿Ĺ̯▀̿ ̿) do it for love

Google, Microsoft, Facebook, Twitter, Mozilla and many other tech companies all pay outside hackers who turn over bugs in their products and systems. Uber began a new bug bounty program on Tuesday. Google has paid outside hackers more than $6 million since it announced a bug bounty program in 2010, and the company last week doubled its top reward to $100,000 for anyone who can break into its Chromebook.
Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a financial arms race to pay for code exploits.
The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company’s website — but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.

...

Flaws in Apple’s mobile devices can typically fetch $1 million. Last September, a boutique firm in Washington, called Zerodium, which sells flaws to governments and corporations, announced a $1 million bounty for anyone who would turn over an exploit in Apple’s iOS 9 mobile operating system — the same operating system used to power the iPhone used by the San Bernardino shooter. By November, Zerodium said a team of undisclosed hackers had successfully claimed the bounty.