This Day in History: Munich Agreement

Ondřej Matějka, the deputy director of the Institute for the Study of Totalitarian Regimes (ÚSTR), provides a fascinating interview on the 80th anniversary of the infamous Munich Agreement:

…the problem wasn’t that the Czechoslovak state couldn’t hold the borders. The problem was more within the society living there, where the pressure from the Sudetendeutsche Partei towards our citizens and people who were sympathetic towards other political parties, especially social democrats and communists, was big. I think the Sudetenland is an extraordinary example of the making of a totalitarian society, where one power, through terror and social pressure, is taking over power in the society.

The agreement led to the annexation of Czechoslovakian border territory by an expansionist Nazi regime, and the designation of this area as “Sudetenland”.

It also set back plans to overthrow the fascist dictator of Nazi Germany.

Opponents of the Nazi regime leader, such as the head of the German Army, perceived the Munich agreement as a sign that foreign states had little appetite for more permanently ending the Nazi terror and social pressure.

$1.63 Billion Breach Fine Discussed As Facebook CSO Legacy

At Blackhat this year people sometimes asked me if I was familiar with the “Charlatan Security Officer” situation at Facebook. I was not sure what they meant, and then they showed me threads online and invited me to meetings where this was the topic. Screenshots like the following one about ex-Yahoo CSO and current Facebook CSO Alex Stamos were aplenty, often with titles like “someone is having a bad day”:

Apparently the keynote intro this year was a harsh retribution of last year’s keynote by Stamos. I can’t say I heard that, but many people after the keynote were discussing it with me because they said they had seen my recent posts:

In one group conversation I was told by several people that Alex Stamos had written his own biography in the third person and posted it to Wikipedia, then convinced them to lock his words to prevent his detractors in the community from editing what he thought about himself. Sounds crazy, yet several people confirmed this and showed me what looked like a Russian-style ruler waving flags of his face in a parade he threw himself.

It was in such a context, after several days of hearing and seeing this kind of strange report from several groups, I was implored to consider writing another blog post about the Trump-ish man working in infosec. So here we are.

Clearly I have been a vocal critic of the Yahoo and Facebook breaches, based on how security has been handled. They stem directly from the fact that Stamos had never been a CSO in his life, let alone had any experience managing a large organization or working within a CSO office. He abruptly donned a big title, the way any monarch or patronage member might, and failed at it spectacularly.

People at Blackhat were nudging me to accept that the CSO acronym now starts with “Charlatan” thanks to Alex Stamos, the crestfallen attempted Chief.

Stamos stands by his “flair” startup, where he tried to sell vanity domains as proof of care about online security. Nobody bought it, so he tried to be a CSO instead.

I think I can see the acronym shift now for a post-Stamos CSO, and here’s why:

It is no secret that, as the CSO of Facebook, Stamos carried a libertarian anti-governance, anti-regulatory hubris. He hated representative government in a similar way to his hatred of security vendors. It wasn’t that he thought they were all shit and should be evaporated so much as he thought they all should be replaced by his superior intellect and ideas.

This angered many principals of international relations who saw him as a reckless and naive dictator. The theory became that his self-serving speeches and impatient approaches to data protection (he pre-announced in 2014 that he would deliver end-to-end encryption for Yahoo mail by hiring a new team, but failed to do either) were fueling a backlash. Widespread concerns among privacy experts and seasoned safety professionals ultimately meant new drafts started for old laws designed to protect the vulnerable from giant anti-privacy bullies like Facebook.

Well, some of this backlash theory bubbled over into reality this weekend as yet another massive breach is said to have been announced. Shortly after the infamous fog of Stamos was lifted from Facebook, news came out that users had become less safe during his tenure. A failed attempt to be a CSO at Yahoo in 2014 seems like old news. Yet his second attempt to be a CSO at Facebook took a similarly dark turn, and this brings right back to mind how increasingly terrible things get revealed after he leaves a job. His only two CSO attempts, ever, have ended with stories of massive harm to users right under his nose, revealed not by him but by others, or much later.

History books someday may link the massive disasters under this single CSO’s brief career directly to the sobering topic of GDPR fines:

Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation.

The law also requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.

In other words, the massive GDPR fine that Facebook faces today was the predictable outcome of Stamos’ arguing with EU regulators that he wanted to end privacy in order to protect it. This really is an excellent time to look back at why Blackhat months ago had been so abuzz about whether Facebook had a charlatan in charge.

Let us examine, for example, how as CSO he floated a snarky thought piece that he is the one who cares about “real” privacy, and not the EU regulators that Facebook “of course” agreed to comply with…

Earlier this month, the court issued an interim ruling, and today we received the order from the BPC impacting how we can use the datr cookie in Belgium. Our legal team plans to appeal this ruling. […] I met recently with the Belgian Privacy Commission to share these details…. As the organization that’s responsible for safeguarding the data of Belgian citizens, we hoped they would appreciate the real privacy and security benefits that tools like the datr cookie provide. We also explained that when these requirements are applied to other websites in Belgium, people may lose access to useful features such as maps, videos, and share buttons…. In the absence of the datr cookie, we will have to treat any visit to Facebook from an unrecognized browser in Belgium as potentially malicious.

Yes, he actually said “we hoped they would appreciate the real privacy and security benefits” as if the BPC privacy order was not based in reality, and then gave “maps, videos, and share buttons” as some kind of serious weight to the decision. It’s a lot like saying people need to lose their privacy just to look at a map or watch a video. Crazy talk.

This stuff is neither new nor rocket science and Stamos wasn’t doing himself or the infosec industry any favors by trying to argue that tracking everyone is the future for EU privacy. Come on man.

And his argument for treating unrecognized browsers as malicious? That is just naive Trump-like talk. He literally was responding to requests for privacy from the government with the opposite, that everyone who doesn’t surrender privacy to Facebook and submit to being tracked will be treated as an outsider threat.

And so…infosec experts at Blackhat were telling me that the infosec industry now should refer to him as the:

Charlatan. Security. Officer.

His comments to the BPC were from December 2015, only months after he naively asked the US government if he should sooner work with Russia and China…and then ran away from the Yahoo breaches rather than disclose them. Anybody and everybody familiar with the Yahoo! CEO testimony to Congress knows how oddly uninformed Stamos sounded for asking the US government whether they wanted him to treat all countries as morally equivalent and work with the Chinese more.

The NSA wasn’t going to push back openly, but Stamos was making the kind of fundamental mistake in attacking governments that soon would come back around.

Russian media gleefully reports NSA is under attack by the guy who soon will let them run propaganda campaigns

So after Stamos’ pushy post of December 2015, the European Parliament moved to adopt GDPR in April 2016. Was it a response? I don’t think anyone has the kind of evidence to say there was a direct connection from Facebook CSO hubris to privacy law, given how Google had already been generating heat, only that there was an overall temperature increase and Stamos’ hot-air arguments definitely contributed to distrust in Facebook.

Distrust in Stamos’ vision of safety turned out to be wise, as regulators had set the scene for his reputation to be cemented as someone who doesn’t disclose harm in a timely manner, let alone prevent it. I’ve been told the Russians didn’t overlook his behavior (see above RT news) and typically only need to drop a few coins to operate such a person towards their objectives.

Around this time there were giant glaring integrity breaches that Stamos apparently did not believe constituted a serious enough security concern to disclose:

Facebook has been roundly criticized for being slow to acknowledge a vast disinformation campaign run by Russian operatives on its platform and other social media outlets before the 2016 presidential election.

[…]

Outside the United States, the impact of disinformation appearing on Facebook and the popular messaging service it owns, WhatsApp, has been severe. In countries such as Myanmar and India, false rumors spread on social media are believed to have led to widespread killing.

This is verging on crimes against humanity. And so…social science experts at Blackhat were telling me that the geopolitical security industry now should refer to him as the:

Charlatan. Security. Officer.

Now Facebook’s latest vulnerability in the news was said to have been introduced in July 2017, under the Stamos fog.

Was it potentially exploited through low-and-slow methods? That is unclear, of course, because of the fog. If it was known, it was never disclosed (similar to how Stamos did not disclose the breach at Yahoo). We do know that a Product Manager, not even an officer or a security role, is the one who disclosed the breach based on evidence of a sudden spike on September 16th, 2018 (a month after Stamos was pushed out and took a role at Stanford to redirect naive students into venture-backed get-rich schemes instead of graduating).

It is important to remember in this context that Stamos had continued his leave-it-to-me mindset long past the vulnerability and even through 2018, arguing that unauthorized access to Facebook user data did not constitute a breach under any “reasonable” definition.

“The recent Cambridge Analytica stories by the NY Times and The Guardian are important and powerful, but it is incorrect to call this a ‘breach’ under any reasonable definition of the term,” Stamos says in one screenshot. “We can condemn this behavior while being accurate in our description of it.”

Yeah, that kind of stupid really burns. It suggests things would be worse now if he still was CSO. I mean, Facebook at that time was handed a whopping £500,000 fine for lack of transparency and failing to protect users’ information. Stamos was way off base. His legacy potentially will be a fine in the billions, but the company at least may feel better about removing the Yahoo who probably would be claiming no breach happened, or that he is the only one with a real and reasonable sense of what privacy means. Facebook investors might take comfort in the fact that Stamos has been booted, but if Yahoo is any guide, the survival of the entire company becomes ever less certain as more breaches are revealed to have happened under his fog.

Charlatan. Security. Officer.

One might say Facebook health warning signs were there since the middle of 2015, when a certain person with no CSO experience other than a short stint at Yahoo suddenly popped up spouting all kinds of strange self-promotional ideas about what is “real” and “reasonable” to people who know better. In other words, regulators realized the time is now for the kind of fines that would hopefully prevent any Charlatan Security Officer from causing widespread harm to public safety from massive-scale data privacy breaches. And for some reason a lot of people think I should blog about this…again.

“Isolated among Allies and Foes Alike” US Regime Announces Offensive Hacking Campaign

Big day in the news for international relations. The leader of the US Regime took a self-promotion campaign to the UN body and received only laughs and mockery. The Independent has sharp analysis of what the vacuum in US leadership means for global policy makers.

First appearance before intergovernmental organisation after Washington cut refugee aid funding. […] The moment only reinforced Mr Trump’s isolation among allies and foes alike, as his nationalistic policies have created rifts with erstwhile partners and cast doubt in some circles about the reliability of American commitments around the world.

Much of this was overshadowed by allegations that yet another of the US Regime leader’s appointments has turned out to be a partisan bully, abuser of women, and liar.

With his all-out attack on Democrats, the Senate, and the Judiciary Committee, Kavanaugh helped guarantee the Court will look even more partisan, whether he sits on its bench or not.

Speaking of a penchant for bully tactics, another story was overshadowed. The US Regime has released a new cyber doctrine that advocates “pre-emptive” hacking of foreign countries. They have rebranded the active defense or hack-back concept as “defend forward”, which is only slightly removed from saying “defense offense”. I suspect the latter couldn’t be chosen because a Department of Defense Offense acronym would never fly.

Anyway, thinking back to the UN speech of the same day, in which the US Regime leader said he did not respect global authority and then proceeded to tell all the other countries what they should be doing differently, I have to point out a key caveat in the cyber attack policy:

…under the new strategy, US offensive cyberattacks will not target civilian infrastructure, because the US must abide by a UN agreement that prohibits “damaging civilian critical infrastructure during peacetime.”

Someone is writing that the US must abide by a UN agreement?

Given that the US is the ONLY COUNTRY IN THE WORLD that refuses to sign the UN Convention on the Rights of the Child?

Given that the US ended its support for UN refugee aid?

And given that the US Regime leader just literally said to the UN Assembly that he abides by his own beliefs, not global controls:

…America will always choose independence and cooperation over global governance, control, and domination.

I honor the right of every nation in this room to pursue its own customs, beliefs, and traditions. The United States will not tell you how to live or work or worship.

We only ask that you honor our sovereignty in return.

Where is the “must abide” part?

I mean, don’t get me wrong, the US Regime says “The United States will not tell you how to live” just a few short paragraphs before also saying “place refugees as close to their homes as possible”, without caring that it is obviously contradicting itself. His words are untrustworthy and often meaningless.

My point is that you can’t claim to be giving good analysis of US political policy by looking at this rudderless leader (whose only consistent theme is support for white men accused of abusing women), on the day that he gives a speech rejecting global governance or control, and reporting that his cabal must abide by agreements prohibiting harm to civilians.

Again, let me point out the US is the ONLY COUNTRY IN THE WORLD that refuses to sign the UN Convention on the Rights of the Child. Does the writer, thinking about abiding by UN agreements, realize the US is ranked among the very lowest countries in terms of ratifying human rights, lower than China and Iran?

And let me also remind the reader of US Regime actions, more than words, when the Yemen incident was reported shortly after inauguration:

…first counterterrorism operation authorized by President Trump since he took office, and the commando was the first United States service member to die…Yemeni official said that at least eight women and seven children, ages 3 to 13, had been killed in the raid. Qaeda supporters said that Mr. Awlaki’s young daughter was among the dead and denied that any senior Qaeda leaders had been killed, according to the SITE Intelligence Group, which monitors extremist communications. Faisal Mohamed, a Bayda official whose two sons witnessed the attack, said it severely damaged a school, a health facility and a mosque.

As a long-time public and global advocate of active defense, this of course puts me in the position of having to explain again how and why the US military today is likely wrong in its thinking.

To be fair to myself, I suspect most people quickly can see the difference between what I advocate and what the US Regime is doing. If nothing else, I continually try to remind people the US has not agreed to a convention that protects children from harm. Active defense does not need to operate without basic regard for human rights, as promulgated through the UN assembly.

And so if any of you, dear readers, are even thinking about joining the DoDo, sorry, the defense forward team, just remember the US Regime almost immediately upon taking control gave the order to bomb a school, hospital and mosque killing innocent women and children while getting their own highly-trained soldier killed in the process.

Jaywalking is a Fantasy Crime

Brilliant comedy routine by Hannibal Buress

Humor helps underscore a very real problem with jaywalking laws, which any historian should be able to tell you:

What sets jaywalking apart is that it never should have been against the law in the first place. City streets were meant for foot traffic and horses from ancient times until the early twentieth century. As a result, early automobiles found themselves alongside all sorts of pedestrians. To make way for cars, literally and figuratively, wealthy drivers and the U.S. auto industry set out to stigmatize lower-class pedestrians who crossed streets at will. Those who wouldn’t step aside for vehicles became known as “jay walkers”…

Or more exactly, clowns were repeatedly rammed by cars in public displays paid for by car manufacturers, to shame anyone walking on the street.

Auto campaigners lobbied police to publicly shame transgressors by whistling or shouting at them — and even carrying women back to the sidewalk — instead of quietly reprimanding or fining them. They staged safety campaigns in which actors dressed in 19th-century garb, or as clowns, were hired to cross the street illegally, signifying that the practice was outdated and foolish. In a 1924 New York safety campaign, a clown was marched in front of a slow-moving Model T and rammed repeatedly.

I cover some of this history in my presentations on big data security, such as “Security in a World of Intelligent Machines”.

If you look carefully at that police notice from 1866 London, it has two modes of operation for the red and green street lights:

  • CAUTION: all persons in charge of vehicles and horses are warned to pass the crossing with care, and due regard for the safety of foot passengers
  • STOP: vehicles and horses shall be stopped on each side of the crossing to allow passage of persons on foot; notice being given to all persons in charge of vehicles and horses to stop clear of the crossing

British railroad managers took ship right-of-way red/green lanterns and recommended using them to stop vehicles so pedestrians could walk safely.

American car manufacturers then took that street light concept and flipped it around completely, telling pedestrians to stay off roads, inventing a fantasy crime to shame and physically harm certain races of people for not driving.

Yes, you read that right. Racism permeates America’s enforcement of this fantasy crime:

In cases like jaywalking, which often hinge on police discretion, blacks accounted for 95 percent of all arrests.

And just to make the point even starker, North Dakota lawmakers in 2017 actively promoted the concept of using vehicles as a weapon to murder pedestrians, awarding zero liability for drivers:

A bill introduced by an oil patch lawmaker would provide an exemption for the driver of a motor vehicle if they unintentionally injured or killed a pedestrian obstructing traffic on a public road or highway.

“It’s shifting the burden of proof from the motor vehicle driver to the pedestrian,” said Rep. Keith Kempenich, R-Bowman.

Several months later, Kempenich’s campaign led not to the zero liability for killing people with cars that he had promoted, but to a federal civil rights investigation of a white nationalist for murder.

One person was killed and 19 were hurt when a speeding car slammed into a throng of counterprotesters in Charlottesville, where a “Unite the Right” rally of white nationalist and other right-wing groups had been scheduled to take place, the city tweeted on its verified account.

A 32-year-old woman was killed while walking across the street, Charlottesville Police Chief Al Thomas said. Police were still in the process of notifying her family.

[…]

Federal authorities said a civil rights investigation into the deadly crash was opened hours after it happened.

In related news, dozens of cities today are restoring pedestrian rights and looking at ways to ban cars from streets:

  • Oslo, Norway
  • Madrid, Spain
  • Chengdu, China
  • Hamburg, Germany
  • Copenhagen, Denmark
  • Paris, France
  • London, England
  • Brussels, Belgium
  • Berlin, Germany
  • Mexico City, Mexico
  • Bogotá, Colombia
  • San Francisco, USA
  • New York, USA

And while jaywalking is a fantasy crime that produces few if any positive results, Pontevedra, Spain is being called a paradise after banning cars across most of the city. It is quite clearly the opposite of the city in the Buress comedy routine:

Lores became mayor after 12 years in opposition, and within a month had pedestrianised all 300,000 sq m of the medieval centre, paving the streets with granite flagstones.

“The historical centre was dead,” he says. “There were a lot of drugs, it was full of cars – it was a marginal zone. It was a city in decline, polluted, and there were a lot of traffic accidents. It was stagnant. Most people who had a chance to leave did so. At first we thought of improving traffic conditions but couldn’t come up with a workable plan. Instead we decided to take back the public space for the residents and to do this we decided to get rid of cars.”

The results they have reported are amazing. Can’t wait to hear what Buress has to say about it.


Update Oct 2019

A kind reader sent another comedy video of great relevance:

Think about it, a group of private businessmen coined an offensive slur to promote their product and it worked so well that today it’s a legal term…the streets went from a public place where everyone was welcome to a terrifying off-limits death trap.

Update Feb 2021

Orange County Sheriff’s deputies argued whether or not a Black man had jaywalked and if it was necessary to stop him, then taunted and forcibly detained him until shooting him to death.