$1.63 Billion Breach Fine Discussed As Facebook CSO Legacy

At Blackhat this year people sometimes asked me if I was familiar with the “Charlatan Security Officer” situation at Facebook. I was not sure what they meant, and then they showed me threads online and invited me to meetings where this was the topic. Screenshots like the following one about ex-Yahoo CSO and current Facebook CSO Alex Stamos were aplenty, often with titles like “someone is having a bad day”:

Apparently the keynote intro this year was a harsh retribution of last year’s keynote by Stamos. I can’t say I hear that, but many people after the keynote were discussing it with me because they said they had seen my recent posts:

In one group conversation I was told by several people Alex Stamos had written his own biography in the third person and posted to wikipedia, then convinced them to lock his words to prevent his detractors in the community from editing what he thought about himself. Sounds crazy yet several people confirmed this and showed me what looked like a Russian-style ruler waving flags of his face in a parade he threw himself.

It was in such a context, after several days of hearing and seeing this kind of strange report from several groups, I was implored to consider writing another blog post about the Trump-ish man working in infosec. So here we are.

Clearly I have been a vocal critic of the Yahoo and Facebook breaches, based on how security has been handled. They stem directly from the fact Stamos never had been a CSO in his life, let alone having any experience managing any large organization or working within a CSO office. He abruptly donned a big title, the way any monarch or patronage member might, and failed at it spectacularly.

People at Blackhat were nudging me to accept the CSO acronym now starts with “Charlatan” thanks to Alex Stamos, the crest-fallen attempted Chief.

Stamos stands by his “flair” startup, where he tried to sell vanity domains as proof of care about online security. Nobody bought it, so he tried to be a CSO instead

I think I can see the acronym shift now for a post-Stamos CSO, and here’s why:

It is no secret as the CSO of Facebook that Stamos carried a libertarian anti-governance anti-regulatory hubris. He hated representative government in a similar way to his hatred of security vendors. It wasn’t that he thought they were all shit and should be evaporated as much as he thought they all should be replaced by his superior intellect and ideas.

This angered many principals of international relations who saw him as a reckless and naive dictator. The theory became that his self-serving speeches and impatient approaches to data protection (he pre-announced in 2014 he would deliver end-to-end encryption with Yahoo mail by hiring a new team, but failed to do either) was fueling a backlash. Widespread concerns among privacy experts and seasoned safety professionals ultimately meant new drafts started for old laws designed to protect the vulnerable from giant anti-privacy bullies like Facebook.

Well, some of this backlash theory bubbled over into reality this weekend as yet another massive breach is said to have been announced. Shortly after the infamous fog of Stamos was lifted from Facebook, news came out that users had become less safe during his tenure. A failed attempt to be a CSO at Yahoo in 2014 seems like old news. Yet his second attempt to be a CSO at Facebook took a similarly dark turn; and this brings right back to mind how increasingly terrible things get revealed after he leaves a job. His only two CSO attempts, ever, have ended with stories of massive harm to users right under his nose, and revealed not by him but others or much later.

History books someday may link the massive disasters under this single CSO’s brief career directly to the sobering topic of GDPR fines:

Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation.

The law also requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.

In other words, the massive GDPR fine that Facebook faces today was the predictable outcome of Stamos’ arguing with EU regulators that he wanted to end privacy in order to protect it. This really is an excellent time to look back at why Blackhat months ago had been so abuzz about whether Facebook had a charlatan in charge.

Let us examine, for example, how as CSO he floated a snarky thought piece that he is the one who cares about “real” privacy, and not the EU regulators that Facebook “of course” agreed to comply with…

Earlier this month, the court issued an interim ruling, and today we received the order from the BPC impacting how we can use the datr cookie in Belgium. Our legal team plans to appeal this ruling. […] I met recently with the Belgian Privacy Commission to share these details…. As the organization that’s responsible for safeguarding the data of Belgian citizens, we hoped they would appreciate the real privacy and security benefits that tools like the datr cookie provide. We also explained that when these requirements are applied to other websites in Belgium, people may lose access to useful features such as maps, videos, and share buttons…. In the absence of the datr cookie, we will have to treat any visit to Facebook from an unrecognized browser in Belgium as potentially malicious.

Yes, he actually said “we hoped they would appreciate the real privacy and security benefits” as if the BPC privacy order was not based in reality, and then gave “maps, videos, and share buttons” as some kind of serious weight to the decision. It’s a lot like saying people need to lose their privacy just to look at a map or watch a video. Crazy talk.

This stuff is neither new nor rocket science and Stamos wasn’t doing himself or the infosec industry any favors by trying to argue that tracking everyone is the future for EU privacy. Come on man.

And his argument for treating unrecognized browsers as malicious? That is just naive Trump-like talk. He literally was responding to requests for privacy from the government with the opposite, that everyone who doesn’t surrender privacy to Facebook and submit to being tracked will be treated as an outsider threat.

And so…infosec experts at Blackhat were telling me that the infosec industry now should refer to him as the:

Charlatan. Security. Officer.

His comments to the BPC were from December 2015, only months after he naively asked the US government if he should sooner work with Russia, China…and then ran away from the Yahoo breaches rather than disclose them. Anybody and everybody familiar with the Yahoo! CEO testimony to Congress knows how oddly uninformed Stamos sounded for asking the US government whether they want him to treat all countries the morally equivalent and work with the Chinese more.

The NSA wasn’t going to push back openly, but Stamos was making the kind of fundamental mistake in attacking governments that soon would come back around.

Russian media gleefully reports NSA is under attack by the guy who soon will let them run propaganda campaigns

So after Stamos’ pushy post of December 2015 the European Parliament moved to adopt GDPR in April 2016. Was it a response? I don’t think anyone has the kind of evidence to say there was a direct connection from Facebook CSO hubris to privacy-law, given how Google had already been generating heat, only that there was overall a temperature increase and Stamos’ hot air arguments definitely contributed to distrust in Facebook.

Distrust in Stamos’ vision of safety turned out to be wise as regulators had set the scene for his reputation to be cemented as a someone who doesn’t disclose harm in a timely manner, let alone prevent it. I’ve been told the Russians didn’t overlook his behavior (see above RT news) and typically only need to drop a few coin in operating such a person towards their objectives.

Around this time there were giant glaring integrity breaches that Stamos apparently did not believe constituted a serious enough security concern to disclose:

Facebook has been roundly criticized for being slow to acknowledge a vast disinformation campaign run by Russian operatives on its platform and other social media outlets before the 2016 presidential election.

[…]

Outside the United States, the impact of disinformation appearing on Facebook and the popular messaging service it owns, WhatsApp, has been severe. In countries such as Myanmar and India, false rumors spread on social media are believed to have led to widespread killing.

This is verging on crimes against humanity. And so…social science experts at Blackhat were telling me that the geopolitical security industry now should refer to him as the:

Charlatan. Security. Officer.

Now Facebook’s latest vulnerability in the news was said to have been introduced July 2017, under the Stamos fog.

Was it potentially exploited through low-and-slow methods? That is unclear of course, because of the fog. If it was known it was never disclosed (similar to how Stamos did not disclose the breach at Yahoo). We do know that a Product Manager, and not even an officer or security role, is the one who disclosed the breach based on evidence of a sudden spike on September 16th, 2018 (a month after Stamos was pushed out and took a role at Stanford to redirect naive students into venture-backed get-rich schemes instead of graduating).

It is important to remember in this context that Stamos had continued his leave-it-to-me mindset long past the vulnerability and even through 2018, arguing that unauthorized access to Facebook user data did not constitute a breach because any “reasonable” definition.

“The recent Cambridge Analytica stories by the NY Times and The Guardian are important and powerful, but it is incorrect to call this a ‘breach’ under any reasonable definition of the term,” Stamos says in one screenshot. “We can condemn this behavior while being accurate in our description of it.”

Yeah, that kind of stupid really burns. It suggests things would be worse now if he still was CSO. I mean Facebook at that time was handed a whopping £500,000 for lack of transparency and failing to protect users’ information. Stamos was way off base. His legacy potentially will be a fine in the billions, but the company at least may feel better about removing the Yahoo who probably would be claiming no breach happened, or that he is the only one with a real and reasonable sense of what privacy means. Facebook investors might take comfort in the fact Stamos has been booted, but if Yahoo is any guide the survival of the entire company becomes ever less certain as more breaches are revealed to have happened under his fog.

Charlatan. Security. Officer.

One might say Facebook health warning signs were there since the middle of 2015, when a certain person with no CSO experience other than a short stint at Yahoo, suddenly popped-up spouting all kinds of strange self-promotional ideas about what is “real” and “reasonable” to people who know better. In other words, regulators realized the time is now for the kind of fines that would hopefully prevent any Charlatan Security Officer from causing widespread harm to public safety from massive-scale data privacy breaches. And for some reason a lot of people think I should blog about this…again.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.