Stamos, Alex
Krebs Stamos Group Partner, Jan 2021 – present (full-time, Washington DC). Stanford Internet Observatory Director (non-PhD teaching/research professor), Aug 2018 – present (full-time, Stanford CA). Facebook data breach Chief Security Officer (CSO; same as CISO), Jun 2015 – Aug 2018. Yahoo data breach Chief Information Security Officer (CISO), Mar 2014 – Jun 2015.
From Yahoo-Then-Facebook CISO Alex Stamos Allows Yet Another Massive Data Breach:
Yesterday, Facebook admitted to yet another massive data breach; 50 million user accounts compromised. Alex Stamos was (Jun 2015 – Aug 2018) Facebook's Chief Information Security Officer (CISO a.k.a. CSO) when the hole that allowed the breach was introduced into Facebook's code (Jul 2017). Stamos was (Mar 2014 – Jun 2015) also CISO of Yahoo during their two massive data breaches (late 2014); 500 million and 1 billion user accounts compromised. Stamos staggeringly exemplifies another aspect of IT incompetence: being overwhelmingly more interested in imposing his political beliefs on customers than in being competent at his high-paid IT job.From CISA: No Infrastructure Cybersecurity, Just a Stepping Stone for IT Incompetents:
...
Facebook makes it sound like a sophisticated attack, although it was probably an obvious hole to any competent programmer, who would be extra careful with any feature that lets a user pretend to be some other user. This is exactly what a CISO, like Alex Stamos at Facebook at the time (Jun 2015 – Aug 2018), should have been looking out for.
...
Alex Stamos quit Facebook in August 2018, not over exasperation with Facebook's poor security, but in protest over Facebook's handling of Russian meddling in the 2016 U.S. election. Politics over IT competence.
Before Facebook, Alex Stamos was CISO at Yahoo from March 2014 to June 2015. In late 2014 a data breach occurred at Yahoo that compromised 500 million user accounts. A separate data breach also occurred in 2014 that compromised 1 billion user accounts. Stamos was CISO at Yahoo when he could and should have done something to prevent these massive data breaches.
Alex Stamos is a disaster moving from one place to the next hoping his IT incompetence doesn't catch up with him.
These two massive Yahoo data breaches were admitted only in September and December 2016, respectively, which explains why Facebook still hired Alex Stamos as CISO in June 2015. The data breaches drastically and adversely affected the buying of Yahoo by Verizon, which was being negotiated in late 2016, so it is unlikely that even IT incompetent Facebook would have hired Stamos as CISO had they known.
Alex Stamos quit Yahoo in June 2015, not over exasperation with Yahoo's poor security, but in protest over Yahoo's handling of NSA snooping of Yahoo email (although Facebook allowed exactly the same thing, but maybe Stamos didn't know that yet). Additionally and ironically, while CISO at Yahoo, Stamos got himself invited to testify before Congress about computer security and data privacy. Politics over IT competence.
(Dictionary definition of "yahoo": a person who is not very intelligent and is rude, noisy, or violent.)
Alex Stamos claims to have a BS in Electrical Engineering and Computer Science (EECS) from the University of California, Berkeley. A BS in Electrical Engineering and Computer Science from a good university is what I would require as a minimum for IT competence (and a higher degree for higher positions, like CISO of a Fortune 500 company); see The Most Important IT Credential: An IT Education in Principles of IT Incompetence. I have a BS in EECS from MIT (and a Ph.D. in supercomputing from Columbia); see my Credentials.
So is Alex Stamos IT competent? No. The "good university" clause is the main catch (Stamos also only has a BS as CISO of Fortune 500 companies). UC Berkeley is the quintessential politics over competence university, and violently so at that. You could have easily predicted Stamos's IT incompetent political loudmouth career based on his being at UC Berkeley for EECS. See IT Hiring: Trading IT Competence for Political Correctness in Principles of IT Incompetence.
Alex Stamos is now at Stanford University "working to make tech safer and more trustworthy for all via teaching and research". A couple of sayings come to mind: "those who can, do; those who can't, teach" and "politics over competence universities, the last refuge of the incompetent". Stanford has drastically degenerated: they hire incompetent non-PhD's as research professors.
Chris Krebs did not end up working directly as an employee of Microsoft, but only because he saw and exploited an opportunity created by The Doomsday Microsoft Government Email Data Breach. After he was fired for IT incompetence by President Trump after the 2020 U.S. Presidential Election in November 2020, Chris Krebs started an IT security consulting firm with, incredibly, Alex Stamos, the IT incompetent Yahoo-then-Facebook Chief Information Security Officer (CISO) who was responsible for both Yahoo's and then Facebook's massive data breaches; see Yahoo-Then-Facebook CISO Alex Stamos Allows Yet Another Massive Data Breach. The first customer of the Krebs Stamos Group was SolarWinds, the software company whose biggest customer was the federal government and that most are blaming — although Microsoft was really to blame — for The Doomsday Microsoft Government Email Data Breach. Microsoft will also, if they haven't already, hire the Krebs Stamos Group, which will also probably be a violation of Title 18 (crimes and criminal procedure) of U.S. Code, § 207 (restrictions on former officers, employees, and elected officials of the executive and legislative branches); see IT Hiring: IT Incompetence Breeds Disloyalty and Corruption in Principles of IT Incompetence.