
Alex Stamos to Become CSO of Facebook - afreak
https://www.facebook.com/alex.stamos/posts/10153403650527929
======
mmaunder
So totally saw Alex getting some major opportunities coming his way, and very
much deserved. If you don't follow infosec watch the entire hour video of Mike
Rogers and the Q&A that included Alex along with Bruce Schneier before him.
Alex's lucid, persistent and funny Q&A raised his profile in a big way this
year.

Here's the Q&A and while I do think the intelligence community actually does
some decent work on occasion, the kind of doublespeak displayed by Rogers here
is what really gives the IC a bad name and has led it down bad paths.
[https://www.youtube.com/watch?v=TjL1WYhLx-M](https://www.youtube.com/watch?v=TjL1WYhLx-M)

I'd also very much encourage developers here to watch this presentation which
is my personal favorite. Alex talks about some really smart ways to approach
application security and why the idea of a traditional firewall is basically
dead. Also some interesting stuff re moving away from virtualization towards
containerization.
[https://www.youtube.com/watch?v=-1kZMn1RueI](https://www.youtube.com/watch?v=-1kZMn1RueI)

Edit: Just wanted to add, I really hope he continues contributing talks to the
infosec community as they're a great contribution.

------
nocarrier
I'm excited about this. Facebook has aggressively evolved its Security org
over the years and they have given security a whole new level of focus in the
past few years. I was there for 8.5 years and watched them grow and reinvent
themselves a few times. I think FB's Security team is one of its crown jewels
and it's great to see Alex joining FB. This will shake things up further and
will likely lead to more great things.

~~~
GauntletWizard
If by security you mean the organization that gives data to the police willy-
nilly and not any sort of org dedicated to protecting user data. FB has no
security (user data); no org, no culture, barely any tooling, and no
corporate intent.

~~~
nocarrier
Respectfully, you don't sound very well informed and your reply is pretty
emotional and negative. Did you actually work on or with FB's Security team?
If so, when?

~~~
rustynails77
It's irrelevant if you worked on the team. Facebook is a profiling tool. Its
users have traded their privacy for convenience. Please tell me that Facebook
doesn't track people using the Facebook banners/IP address combinations... or
better yet, tell me that Facebook isn't the ONLY one that does it as a
justification for selling people's personal data.

Facebook is only worth 100bn because it sells peoples' personal information.

Am I jaded? Not at all. I am a realist. Facebook is primarily a monitoring
tool that monetises itself on selling people's personal information.

~~~
nemothekid
None of what you said has to do with _security_ - and you shouldn't conflate
security with privacy.

~~~
kyrre
security and privacy are two sides of the same coin

~~~
tedunangst
You can have the one without the other, but not the other without the one.

------
NotHereNotThere
Somewhat interesting is the fact that the previous Facebook CSO was Joe
Sullivan (now CSO at Uber), who did not have an "IT security" background at
all; most of his career is oriented towards law (he has a J.D. after all ;))

Contrast this to Alex Stamos, who's given many presentations at
Defcon/Blackhat, co-founded iSEC, EE/CS background, and it seems a bit of a
mentality shift for Facebook.

~~~
nocarrier
It's true that Joe's background is on the legal and policy side of things, but
he presided over the softwareification of Facebook's security team. I worked
closely with him for many years and he saw the need for more technology and
automation; so that they could be a security team focused on not just incident
response, but excellence on the technical front too. Joe and I spent a lot of
time talking about technology and where things should be going, and he had his
own well-formed opinions and goals. And he often deferred to other experts as
a good leader does too.

I'm excited to see what Alex does since his credentials are stronger on the
technology front, but the team's shift to a technology focus has been
happening for a long time. I view this as another hugely positive step in that
direction.

~~~
evgen
Must be fun to finally be able to talk about FB, eh Doug? :)

Joe had more of a legal focus, but if you think back to where FB was at the
time there were significant problems with privacy/compliance, LERT and other
external-facing security issues that made him a good choice. Similarly, Uber
is in the position now where they need someone who can handle those aspects of
company security and policy more than someone to tighten up the internal pcap
analysis system...

~~~
nocarrier
Yeah, you're right. We certainly had different problems when Joe came on board
and he was a great fit to lead us through fixing them. And I'm glad he and
Mat and others are working to fix similar problems with Uber.

I just commented because I wanted people to know that it wasn't like there was
no software focus before Joe left--things weren't as binary as that. The
software focus shift had been in progress for some time before he stepped
down.

And yeah, feels good to talk about FB with no filter. :-)

------
jedberg
I can't think of a better person to replace their outgoing CSO. He made a lot
of positive changes at Yahoo and I can't wait to see what he does at Facebook
with the amazing team there.

------
tptacek
All they need now is Himanshu and Joel and they'll have most of original iSEC
back together under one roof.

Congrats to Alex.

------
personjerry
I see a lot of comments about how great Alex Stamos is. I have not followed
the industry long enough to know -- why is he great? What makes him different
from a crappy engineer, or even Average Joe engineer?

~~~
cmgreen
I don't know Alex directly. I've worked in security a long time in various
positions. Watch his recent talk:
[https://www.youtube.com/watch?v=-1kZMn1RueI](https://www.youtube.com/watch?v=-1kZMn1RueI)

0) Highly Technical Past. [https://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Sta...](https://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Stamos-Lackey.pdf) < This is part of the problem space every app dev team has.

1) Great handle on technical realities and where things are going.

2) Great, clear, entertaining speaking style.

3) Articulate social media presence.

4) Doesn't come off as a security asshole.

Most companies realize they should have security at this point. Getting there
is another matter. Delivering the culture and attracting the right hires from
an incredibly finite talent pool is the difference in the ability to execute.

From what I've seen, his style wins over even the non-security people and he
knows the technical better than most "Senior" security people. I suspect he'll
have no problems filling his roles at Facebook.

------
kdazzle
I was much more excited when I thought it was John Stamos.

~~~
secalex
Me too.

~~~
ddlatham
Got to laugh to see the parent post. Written by Alex Stamos. And downvoted.

~~~
tptacek
I downvote all of Alex's posts on general principle.

------
jitl
Why did he leave Yahoo?

~~~
ta008
because Facebook paid more. why else does anybody ever leave anywhere?

all i can say is that i'm very happy. while he did a little real good at yahoo,
he was mostly doing two things: promoting his name and adopting everything in
sight based on cool factor without regard for hard facts.

life for people that actually know things was hell. life for the frivolous
i-just-read-about-some-cool-thing-on-hn was paradise and full of bonuses.

~~~
tptacek
I know several people involved here, some of them very well, some of them
being people I tried hard to pull out of Alex's orbit (because they are
awesome, not because Alex isn't), and, respectfully: I think you're full of
shit.

Especially amused by the attempted "read-something-on-HN" snark. Yeah, that's
where all the high-profile elite security people are these days. Hanging out
on HN with me.

------
curiousDog
Does this mean they eventually want to make a foray into Enterprise?

------
marincounty
Best security: (1) hit down arrow upper right page corner. (2) hit "settings"
(3) in general account settings, hit "Security". (4) hit "Deactivate your
account" (5) hit "deactivate your account" again. (6) give reason (7) remove
check mark in "Automatically reactivate in 7 days" (8) give password (9) Hide
from Process Server. Reactivate on weekends-- I don't want to miss out on the
Hootenanny? Wonder if that person, I would once die, for really wants me as
her 5091 friend--now? I kinda miss my Amish group?

~~~
dude3
I kind of disagree Facebook is a good force. I have noticed that I am getting
really heavily tracked and re-targeted on their service now. I don't like
using it any more. You're literally giving a mega corporation all your most
private information. They have paired up publicly with Acxiom and many other
data brokers which mine your credit card data and associate it with your
facebook profile. It makes you wonder what they do in private. They definitely
need a good security team to keep their secrets secret. Congrats on the role.

~~~
rustynails77
Your comment is excellent and the truth. By selling a person's secrets, you
control them. Spending habits, political beliefs, sexual preferences,
gambling/drinking problems. You are owned when you reveal this data.

Facebook track people through IP addresses, Facebook logos, partnerships, etc.
So they know what you say, what you look at, when, who you talk to etc.

If the wrong people get that data (including espionage, change of management
etc), it could get VERY ugly.

~~~
harkyns_castle
If they get the data? Hehe. It's a hosepipe direct to the people you don't want
having that data.

It's really beyond me why anyone would sign up for Facebook nowadays. Feels
like we need to reboot the Internet honestly.

