A privacy breach affecting hundreds of thousands of users in June 2014 happened several months after Yahoo had hired a CSO who publicly boasted he personally was the reason users could trust security of the service. He then quietly left in disgrace, failing to reveal this and other breaches, to become the CSO at Facebook and repeat the same story of breaches, again leaving in disgrace.

After his two failed attempts at CSO, generating a wake of unprecedented unreported global breaches and privacy disasters in just three years, he then took up an ill-conceived “academic” role at Stanford. What may be of importance now, based on the latest revelations, is relationships between academic staff and Facebook.

March 2014 saw the following highly unusual PR campaign on finance.yahoo.com that seemed to frame security teams as competitors instead of collaborative industry peers:

Watch out, Google. The rumors are true. Yahoo has officially stepped up its security A-game. It’s called Alex Stamos.

Yahoo announced yesterday that it hired the world-renowned cybersecurity expert and vocal NSA critic to command its team of “Paranoids” in bulletproofing all of its platforms and products from threats that will surely come.

Bulletproofing. Who says that? Someone who doesn’t understand the role of CSO. “Vocal NSA critic” is a reference to when Stamos was parroting anti-government talking points (he stood in front of the head of NSA and bizarrely alleged the US should be treated as morally equivalent to Russia, China, Saudi Arabia…when discussing key management).

What these PR campaigns by Stamos failed to include was the fact that he had no prior experience as a CSO, let alone experience leading security operations for a public company, let alone management experience to handle a large complex organization.

His lack of experience very soon after manifested in some of the largest privacy breaches in history, as revealed by those who ended up involved in his catastrophic tenures.

For example look at June 2014, just three months after those Yahoo “bulletproofing” boasts attempted to juice stocks, an unprecedented breach of privacy happened, violating American biometric data protection law:

In June 2014, seeking to advance the cause of computer vision, Yahoo unveiled what it called “the largest public multimedia collection that has ever been released,” featuring 100 million photos and videos. Yahoo got the images — all of which had Creative Commons or commercial use licenses — from Flickr, a subsidiary.

…researchers who accessed the database simply downloaded versions of the images and then redistributed them, including a team from the University of Washington. In 2015, two of the school’s computer science professors — Ira Kemelmacher-Shlizerman and Steve Seitz — and their graduate students used the Flickr data to create MegaFace.

That breach method should sound familiar. Anyone looking at the Cambridge Analytica incident in 2015 at Facebook would recognize it.

And as the facts would have it Stamos abruptly and quietly left Yahoo in June 2015 to join Facebook as their CSO. Then a month later a report surfaced that said American billionaires were actively using data mining in centralized data repositories to drive political coups.

Cambridge Analytica is connected to a British firm called SCL Group, which provides governments, political groups and companies around the world with services ranging from military disinformation campaigns to social media branding and voter targeting.

So far, SCL’s political work has been mostly in the developing world — where it has boasted of its ability to help foment coups.

By December 2015, despite these warnings, the Guardian broke a story on researchers taking data from Facebook without user consent.

Documents seen by the Guardian have uncovered longstanding ethical and privacy issues about the way academics hoovered up personal data by accessing a vast set of US Facebook profiles, in order to build sophisticated models of users’ personalities without their knowledge.

The FBi has released 2015 internal email threads from Facebook (PDF) where staff were discussing Cambridge Analytica.

Sept 30, 2015. 12:17PM. To set expectations we can’t certify/approve apps for compliance, and it’s very likely these companies are not in violation of any of our terms. …if we had more resources we could discuss a call with the companies to get a better understanding, but we should only explore that path if we do see red flags.

There are two major security leadership problems here.

One, it reflects a team that only will look for danger if they can get more resources.

If they could acknowledge what they were doing wasn’t working, getting more resources and doing more of that same thing probably wouldn’t change the situation. They would have to admit they don’t know what we they are doing, which seems unlikely for a company with a CSO that has no real prior experience.

Two, given the first point, this also suggests the team only would look for evidence of smoke after they see evidence of fire, provided to them by the arsonists. That’s not the sort of thing that deserves more resources.

It reads basically like someone was running a self-funding plan to deliver an absolute least amount of security services possible. Such a mindset may be common for a CTO who is hoping to build a high-margin minimum-viable product (MVP). Yet it reads to me as entirely inverted from expected CSO ethical models.

While Facebook has repeatedly stated after the fact that Cambridge Analytica exploits were a “clear lapse” by their security team, we increasingly see evidence these security lapses may have also been present a year before under the same CSO at a different company.

After her project soaking up hundreds of thousands of people’s faces from the Yahoo services, the ones Stamos boasted he would protect, Kemelmacher-Shlizerman in 2016 also joined Facebook.

In somewhat related news, Facebook still is on the hook for a $35 billion class-action lawsuit filed in 2015, the year Stamos joined as CSO and the year before Kemelmacher-Shlizerman joined.

The suit alleges that Illinois citizens didn’t consent to having their uploaded photos scanned with facial recognition and weren’t informed of how long the data would be saved when the mapping started in 2011. […] Filed in 2015, Facebook has done everything to try to block the class action case, from objecting to definitions of tons of words in the suit to lobbying against the underlying Biometric Information Privacy Act. The class action poses an even greater penalty than the record-breaking $5 billion settlement Facebook agreed to over violations of its FTC consent decree. Though that payment amounts to a fraction of the $55 billion in revenue Facebook earned last year, it’s also been saddled with tons of new data privacy and transparency requirements. The $35 billion threat coming into focus contributed to a 2.25% share price drop for Facebook today.

There’s a good chance this case is too political to survive a Supreme Court test.

The Facebook DC office is run by Joel Kaplan. He is the guy who infamously sat next to Kavanaugh while allegations of sexual assault were denied. Kaplan serves the extreme-right nationalist publications like Breitbart and the Daily Caller by linking them to Facebook management. That also is why right now we’re about as likely to see Stamos held accountable for his disasters as anyone who failed upward into the White House.

But the real lesson here is that Americans are overly fixated on a singular individual as savior, despite society taking a huge risk by following their unexpected jumps. Whether it be Stamos, Snowden or Assaange there increasingly is a toxic exhaust from their meteoric failures that a Canadian marketing journal recently described best:

We have become fascinated with strong individuals: Ninjas, rockstars and 30 under 30s. We hail unicorns and disruptors, and we mock those on the decline as dinosaurs or people who couldn’t see the writing on the wall. Celebrating individual achievements is fine, but when we forget about the importance of community, I believe we all suffer…

In New York political circles it’s called the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. Unless I’m reading that sentence wrong, it should be called the SHIELDS Act.

Leaving off the last S is kind of ironic, when you think about an act meant to prevent people from leaving off security.

In any case, S.5575B/A.5635 was meant to impose stronger regulations to force notification of security breaches for any New York resident’s data. Passed July 25th this year (three days after the NY government announced a $19.2 million settlement with Equifax over their data breach), its breach notification becomes effective one week from today (240 days after passage) on October 23, 2019.

Notable changes:

• Broader definition of a breach: unauthorized access to private information
• Broader definition of private information: includes bank account and payment data, biometric information and email addresses with any corresponding passwords or recovery flow (security questions and answers)
• Broader definition of whose information is protected: any NY resident no matter where their data is stored (not just business operations in NY)
• New state government notification requirements (deadline for data protection programs is March 21, 2020, but data breaches must be recorded starting October 23, 2019)
• “Tailored” data security requirements based on “size of a business”

The inclusion of biometric information in state data protection legislation is a huge deal in America. This recently has come to light when people realized their rights were being egregiously violated by technology companies, given Illinois regulations that already are ten years old:

As residents of Illinois, they are protected by one of the strictest state privacy laws on the books: the Biometric Information Privacy Act, a 2008 measure that imposes financial penalties for using an Illinoisan’s fingerprints or face scans without consent. Those who used the [unprecedentedly huge facial-recognition database called MegaFace] — companies including Google, Amazon, Mitsubishi Electric, Tencent and SenseTime — appear to have been unaware of the law, and as a result may have huge financial liability, according to several lawyers and law professors familiar with the legislation.

After a series of tragic missteps by the White House, which led to tens of thousands of Kurds being killed and hundreds of thousands of refugees, American officials tried to claim they had created a cease-fire.

On the face of it their claim doesn’t make any sense, as America turned tail and abruptly left its allies. A cease-fire would be with whom? Can’t say the Kurds or that would mean Turkey is formally acknowledging a Kurdish authority.

The U.S. departure from its position was so sudden, it had to fly in jets to bomb its own supply depots and structures instead of following normal exit procedures. Russians were said to be within hours inhabiting military structures built by Americans.

Russians have fun exploring the hastily abandoned American military base in Syria: “Yesterday it was them and today it is us here. Let’s see how they lived and what they ate.”

The American story-line attempted to say in this context of running away that a cease-fire was negotiated. It gives the impression of Turkey recognizing an authority.

However Turkey officially has said the opposite, as The Economist correspondent in Turkey tweeted:

Turkish FM Çavuşoğlu just now: “We will suspend the Peace Spring operation for 120 hours for the PKK/YPG to withdraw. This is not a ceasefire.”

The joint Turkish-US statement confirms this, calling it a unilateral pause for a Turkish operation.

Cisco announced that it’s wireless access points have an authentication bypass.

The most crucial one is CVE-2019-15260, which could be exploited by attackers by requesting specific URLs from an affected AP and allow them to gain access to the device with elevated privileges.

Kubernetes announced that anyone can be admin by tampering with headers.

…attackers could exploit the bug to authenticate as any user by crafting an invalid header that would go through to the server.

Palo Alto provided an example: “An attacker may send the following request to the proxy: ‘X-Remote-User : admin.’ If the proxy is designed to filter X-Remote-User headers but doesn’t recognize the header because it’s invalid and forwards it to the Kubernetes API server [anyway], the attacker would successfully pass the API request with the roles of the ‘admin’ user.”

Google announced its phones have a facial recognition bypass (you don’t have to be awake).

Google has confirmed the Pixel 4 smartphone’s Face Unlock system can allow access to a person’s device even if they have their eyes closed.

Samsung announced that its phones have a fingerprint reader bypass.

The issue was spotted by a British woman whose husband was able to unlock her phone with his thumbprint just by adding a cheap screen protector.

When the S10 was launched, in March, Samsung described the fingerprint authentication system as “revolutionary”.

…and if anyone remembers 2002 security mailing lists, biometric failure such as Samsung’s was framed as having an important moral.

Matsumoto tried these attacks against eleven commercially available fingerprint biometric systems, and was able to reliably fool all of them. The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing. Impressive is an understatement.

There’s both a specific and a general moral to take away from this result. Matsumoto is not a professional fake-finger scientist; he’s a mathematician. He didn’t use expensive equipment or a specialized laboratory. He used $10 of ingredients you could buy, and whipped up his gummy fingers in the equivalent of a home kitchen. And he defeated eleven different commercial fingerprint readers, with both optical and capacitive sensors, and some with “live finger detection” features. (Moistening the gummy finger helps defeat sensors that measure moisture or electrical resistance; it takes some practice to get it right.) If he could do this, then any semi-professional can almost certainly do much much more.

Look at how far we’ve come in 17 years.