Alex Stamos to Become CSO of Facebook (facebook.com)
88 points by CariadKeigher on June 24, 2015 | 40 comments



So totally saw Alex getting some major opportunities coming his way, and very much deserved. If you don't follow infosec watch the entire hour video of Mike Rogers and the Q&A that included Alex along with Bruce Schneier before him. Alex's lucid, persistent and funny Q&A raised his profile in a big way this year.

Here's the Q&A and while I do think the intelligence community actually does some decent work on occasion, the kind of doublespeak displayed by Rogers here is what really gives the IC a bad name and has led it down bad paths. https://www.youtube.com/watch?v=TjL1WYhLx-M

I'd also very much encourage developers here to watch this presentation which is my personal favorite. Alex talks about some really smart ways to approach application security and why the idea of a traditional firewall is basically dead. Also some interesting stuff re moving away from virtualization towards containerization. https://www.youtube.com/watch?v=-1kZMn1RueI

Edit: Just wanted to add, I really hope he continues contributing talks to the infosec community as they're a great contribution.


I'm excited about this. Facebook has aggressively evolved its Security org over the years and they have given security a whole new level of focus in the past few years. I was there for 8.5 years and watched them grow and reinvent themselves a few times. I think FB's Security team is one of its crown jewels and it's great to see Alex joining FB. This will shake things up further and will likely lead to more great things.


Alex is a great guy (from a security point of view). But I wonder how 1 guy can change how X employees develop applications securely. Replace X by the number of Facebook employees.

Really, I wonder how one guy can change how a company can develop secure applications.


My immediate reaction is, if they hire someone that has great security knowledge, they'll be better placed to compromise mine; their business model seems to be pillaging my data and selling ads, same with Google.

Why the excitement?


If by security you mean the organization that gives data to the police willy-nilly and not any sort of org dedicated to protecting user data. FB has no security (user data); no org, no culture, barely any tooling, and no corporate intent.


Respectfully, you don't sound very well informed and your reply is pretty emotional and negative. Did you actually work on or with FB's Security team? If so, when?


It's irrelevant if you worked on the team. Facebook is a profiling tool. Its users have traded their privacy for convenience. Please tell me that Facebook doesn't track people using the Facebook banners/IP address combinations... or better yet, tell me that Facebook isn't the ONLY one that does it as a justification for selling people's personal data.

Facebook is only worth 100bn because it sells people's personal information.

Am I jaded? Not at all. I am a realist. Facebook is primarily a monitoring tool that monetises itself on selling people's personal information.


> "Facebook is only worth 100bn because it sells people's personal information"

What does that have to do with the security that Facebook has put in place to protect this info so only they can sell it? These seem like orthogonal discussions. You're arriving at the conclusion that Facebook security sucks because it sells people's data. That is an illogical argument.


None of what you said has to do with security - and you shouldn't conflate security with privacy.


Security and privacy are two sides of the same coin.


You can have the one without the other, but not the other without the one.


I am not saying that Facebook don't, just that it is not that bad.


Somewhat interesting is the fact that the previous Facebook CSO was Joe Sullivan (now CSO at Uber), who did not have an "IT security" background at all; most of his career is oriented towards law (he has a J.D. after all ;))

Contrast this to Alex Stamos, who's given many presentations at Defcon/Blackhat, co-founded iSEC, EE/CS background, and it seems a bit of a mentality shift for Facebook.


It's true that Joe's background is on the legal and policy side of things, but he presided over the softwareification of Facebook's security team. I worked closely with him for many years and he saw the need for more technology and automation; so that they could be a security team focused on not just incident response, but excellence on the technical front too. Joe and I spent a lot of time talking about technology and where things should be going, and he had his own well-formed opinions and goals. And he often deferred to other experts as a good leader does too.

I'm excited to see what Alex does since his credentials are stronger on the technology front, but the team's shift to a technology focus has been happening for a long time. I view this as another hugely positive step in that direction.


Must be fun to finally be able to talk about FB, eh Doug? :)

Joe had more of a legal focus, but if you think back to where FB was at the time there were significant problems with privacy/compliance, LERT and other external-facing security issues that made him a good choice. Similarly, Uber is in the position now where they need someone who can handle those aspects of company security and policy more than someone to tighten up the internal pcap analysis system...


Yeah, you're right. We certainly had different problems when Joe came on board and he was a great fit to lead us through fixing them. And I'm glad he and Mat and others are working to fix similar problems with Uber.

I just commented because I wanted people to know that it wasn't like there was no software focus before Joe left--things weren't as binary as that. The software focus shift had been in progress for some time before he stepped down.

And yeah, feels good to talk about FB with no filter. :-)


I can't think of a better person to replace their outgoing CSO. He made a lot of positive changes at Yahoo and I can't wait to see what he does at Facebook with the amazing team there.


All they need now is Himanshu and Joel and they'll have most of original iSEC back together under one roof.

Congrats to Alex.


I see a lot of comments about how great Alex Stamos is. I have not followed the industry long enough to know -- why is he great? What makes him different from a crappy engineer, or even Average Joe engineer?


I don't know Alex directly. I've worked in security a long time in various positions. Watch his recent talk: https://www.youtube.com/watch?v=-1kZMn1RueI

0) Highly Technical Past. https://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Sta... < This is part of the problem space every app dev team has.
1) Great handle on technical realities and where things are going.
2) Great, clear, entertaining speaking style.
3) Articulate social media presence.
4) Doesn't come off as a security asshole.

Most companies realize they should have security at this point. Getting there is another matter. Delivering the culture and attracting the right hires from an incredibly finite talent pool is the difference in the ability to execute.

From what I've seen, his style wins over even the non-security people and he knows the technical better than most "Senior" security people. I suspect he'll have no problems filling his roles at Facebook.


I was much more excited when I thought it was John Stamos.


Me too.


Got to laugh to see the parent post. Written by Alex Stamos. And downvoted.


I downvote all of Alex's posts on general principle.


Why did he leave Yahoo?


Better question: how long can Yahoo retain the people he hired? There are some pretty amazing people still there.

For the record: my guess as to why he left Yahoo? Because he was offered CSO of Facebook.


Facebook's concurrent usercount greatly exceeds Yahoo!'s (p.i.c.?)

My impression has been that Alex wants to tackle problems that are large in scale. Probably less about money and more about doing good for the most people possible.


My conspiracy theory is that he did it so that he could work with Neal Poole.


While Neal is good, the type of people Alex staffed while at Yahoo are insanely good. I only worked under Alex for a few months before he moved to Yahoo but he can staff very strong teams. For example, he bought out Leaf Security to work for Yahoo.


Oh, absolutely agree. I worked with Neal when he was an intern at Matasano, and yes he is very good.

And I worked with Chris Rolf, who is frighteningly good.


As far as I'm aware this is the first time I've been mentioned in a conspiracy theory. So thanks for that. :-)


because Facebook paid more. why else does anybody ever leave anywhere?

all i can say is that i'm very happy. while he did a little real good at yahoo, he was mostly doing two things: promoting his name and adopting everything in sight based on cool factor without regard for hard facts.

life for people that actually know things was hell. life for the frivolous i-just-read-about-some-cool-thing-on-hn was paradise and full of bonuses.


I know several people involved here, some of them very well, some of them being people I tried hard to pull out of Alex's orbit (because they are awesome, not because Alex isn't), and, respectfully: I think you're full of shit.

Especially amused by the attempted "read-something-on-HN" snark. Yeah, that's where all the high-profile elite security people are these days. Hanging out on HN with me.


Sour Grapes much? Despite having worked in his general vicinity 15 years ago (when he was already recognized as a leader in issues security related, mostly at the tactical "how do I determine if there is a rootkit on this server" level) - I'll admit to being completely incapable of judging his expertise. But, the smartest people I know who are capable of judging Alex, say that he is the real thing. Super insightful, and, has that ability to understand where the "puck is going" rather than constantly being reactive to the issue du jour. He also has a reputation for being generous with his time, and giving advice/guidance to people who need it.


I'm sure they did pay more. But Alex Stamos is not the kind of person to take a job for the money. If Chase Bank offered him double what Facebook is paying, there's no chance he would take money over the opportunity to work on industry changing projects at Facebook.


Does this mean they eventually want to make a foray into Enterprise?


Best security: (1) hit down arrow upper right page corner. (2) hit "settings" (3) in general account settings, hit "Security". (4) hit "Deactivate your account" (5) hit "deactivate your account" again. (6) give reason (7) remove check mark in "Automatically reactivate in 7 days" (8) give password (9) Hide from Process Server. Reactivate on weekends-- I don't want to miss out on the Hootenanny? Wonder if that person, I would once die, for really wants me as her 5091 friend--now? I kinda miss my Amish group?


I kind of disagree Facebook is a good force. I have noticed that I am getting really heavily tracked and re-targeted on their service now. I don't like using it any more. You're literally giving a mega corporation all your most private information. They have paired up publicly with Acxiom and many other data brokers which mine your credit card data and associate it with your Facebook profile. It makes you wonder what they do in private. They definitely need a good security team to keep their secrets secret. Congrats on the role.


Your comment is excellent and the truth. By selling a person's secrets, you control them. Spending habits, political beliefs, sexual preferences, gambling/drinking problems. You are owned when you reveal this data.

Facebook track people through IP addresses, Facebook logos, partnerships, etc. So they know what you say, what you look at, when, who you talk to etc.

If the wrong people get that data (including espionage, change of management etc), it could get VERY ugly.


If they get the data? Hehe. It's a hosepipe direct to the people you don't want having that data.

It's really beyond me why anyone would sign up for Facebook nowadays. Feels like we need to reboot the Internet honestly.



