02 June 2020

ZDNet Zero Day: “Former Facebook CSO Alex Stamos to join Zoom as outside security consultant”

In a blog post published on Medium today, Stamos said he decided to join the company after a phone call last week with Zoom founder and CEO Eric Yuan.

Yuan approached Stamos for the move after the former Facebook CSO defended Zoom on Twitter after the video conferencing software was being widely criticized in the media for a series of – what Stamos described as – “shallow bugs”.

Catalin Cimpanu

I didn't give this piece of news much thought at the time, other than cynically thinking that Zoom is doing good PR to counteract the rising number of security and privacy incidents on their videoconferencing software. Since then I listened to a podcast where Stamos was invited to talk, and found out that, prior to working at Facebook, he had been Chief Security Officer at Yahoo! around the time of their massive hack in 2014! Twice in a row he clashed with his superiors from a similar position, but ultimately failed to influence internal policies and left the company without positive results. Even if you cannot attribute Yahoo!’s and Facebook’s failures to him in particular, I would not consider him effective at his job… Which brings me back to my original point that contracting Stamos is more a way for Zoom to improve their public image than actually delivering more secure products.

Update: shortly after I wrote this, Alex Stamos was criticized in similar terms on TechCrunch. Needless to say, he did not take it well; like most of Silicon Valley when dealing with criticism in the press, he immediately complained that this is a personal attack.

Which might suggest Stamos’ conception of online “harms” has evolved considerably since 2016 — after all, he’s since landed at Stanford as an adjunct professor (where he researches “safe tech”). Although, in the same year (2016), he defended his employer’s decision not to make e2e encryption the default on Facebook Messenger. So Stamos’ unifying thread appears to be being paid to defend corporate decision-making while applying a gloss of ‘security expertise’.

Natasha Lomas
