Alex Stamos
Trustworthy tech at the Stanford Internet Observatory (@stanfordio) and the Election Integrity Partnership (@2020partnership). Helping companies via https://t.co/mBd5JnF9fe
11 Jun
This is a good rundown of the new tech regulation bills by @CaseyNewton. There are some good ideas here, but I think the anti-acquisition law is too broad. For ex: could have blocked Zoom's acquisition of Keybase, which brought E2EE and other security enhancements to millions.
There are tons of small acquisitions of companies with specific skillsets or features that can't get the impact they want, and large companies that want to improve existing products. This would decimate a key way talent and capital flow up and down the stack.
California gets 13% of a lot of those deals (leading to a record surplus) so I expect the California delegation might have ideas for something more targeted.

Here's the Zoom E2E system that I guess some consider too good an "enhancement" to ship:
github.com/zoom/zoom-e2e-…
7 Jun
Since I have some crazy people threatening me: I don't think we should outlaw BTC, but I do think it is time to outlaw ransomware payments in any currency.

CNN put some ellipses into a key part of this multi-minute interview.

cnn.com/2021/06/07/pol…
The evil genius of ransomware is that it is almost always the logical choice for a CEO to pay once they are ransomed. Senators tsk-tsking on the Sunday shows doesn't really matter when you are looking down the barrel of massive disruptions followed by shareholder lawsuits.
That being said, I do think a lot of the cryptocurrency community (and especially the VCs) are whistling past the graveyard on the existential risk posed by abuse. The idea that these blockchains are so distributed as to be beyond regulation is laughable.
7 Jun
I am so very proud of what our @stanfordio team has accomplished in only two years, especially the teaching of 479 students and the supervision of 75 research assistants while also launching the @2020Partnership and @ViralityProject.
A special shout-out to my partner-in-crime and associate director, Elena Cryst. It turns out that large research universities aren't always set up to facilitate rapid, policy-impacting research or cross-disciplinary projects 😲 but Elena figured out a way!

And big kudos to our other incredible leaders:

@noUpside for defining and leading our research program,

@shelbygrossman for teaching and mentoring students and post-docs, and

@elegant_wallaby for herding a tech team full of eager, brilliant, and very young engineers.
5 Jun
An important lesson from the DOJ attempts to go after communications records of reporters at the Times and the Post: tech companies will fight for your rights in court, telcos will comply, even for journalists, immediately.
Procedural protections against unreasonable search should not depend on which of the seven messaging apps on your home screen you clicked.
I've watched @Riana_Crypto teach these slides to our Hack Lab students a couple of times now and I'm still confused.
26 May
My former colleagues at Facebook have summarized the changes in how influence operations are reflected on the platform since this work started in 2017.

I'm hopeful such reporting can become regularized across the industry like surveillance transparency did.
The most useful part might be the index of all of Facebook's CIB takedowns, which is linked from the end of the PDF. Direct link to the XLSX here: about.fb.com/wp-content/upl…
I'm also glad to see that they didn't pull their punches on including the USA in the list of top sources of influence operations. U-S-A! U-S-A!
22 May
It’s a good thing Europe has their own thing going because if the US could compete Biden would call Beyoncé and Lil Nas X back from their well earned retirements to HALO jump out of a C-5 with 100 backup dancers and a drumline straight onto the stage and it would be over.
A horse pasture framed by rugged snow-capped peaks, likely Wyoming. Beyoncé brushes the mane of a huge Clydesdale. An assistant breathlessly runs up with a satellite phone.
“Ma’am, it’s the President. He says he knows you have done your duty but that the country needs you!”
She looks at the setting sun wearily. We can see the memories of a thousand sacrifices from a lifetime of war play behind her eyes.

A long pause. A regretful sigh.

“Tell him I will suit up once more, but that there is a man I need…”
17 May
🚨JOB ALERT🚨

KSG is building a diverse team interested in solving hard security problems for important organizations. We are looking for everybody from new grads to ex-CISOs, and can offer flexible locations, the opportunity for growth and huge impact.

ks.group/careers
Some specific needs:

Love DFIR and want to be where the action is? Do you get FOMO when a new breach or ransomware incident is in the news and you can't be in the room where it happens?

<2 yr exp:
recruiting.paylocity.com/Recruiting/Job…

>2 yr exp:
recruiting.paylocity.com/Recruiting/Job…
Are you an expert on modern enterprise IT? Do you dream in Intune configs and wake with nightmares of Azure conditional access failures? We need people who can help companies rebuild on the modern Microsoft stack to secure their futures:

recruiting.paylocity.com/Recruiting/Job…
10 May
People discussing the relationship between ransomware teams and the Russian government should probably keep @Jason_Healey's "Spectrum of National Responsibility" in mind.

Right now, it looks like the Darkside group that attacked Colonial is at least "State-Encouraged".
One way you can think about how to respond to these attacks is by adding a dimension of "importance of impact". You could imagine the response for a "state-encouraged" attack that has massive economic impact (not there yet) to lead to serious retribution.
Article for those with JSTOR access:
jstor.org/stable/2459077…
1 May
Facebook alone takes down 1B pieces of (1st Amend protected) spam a quarter. The political content moderation decisions are outnumbered by those necessary to make platforms usable by at least 100:1.

The “1st Amendment for Platforms” people never have relevant experience.
Zero-marginal-cost communications to millions of people wasn’t exactly foreseeable in 1791.
2nd Amendment arguments often revolve around the fact that firearms are vastly more dangerous now, but at least modern rifles can exist within the conceptual frame of 18th century science (with amazing materials).

Modern communication technologies are effectively witchcraft.
24 Apr
I'm looking at a wall of con badges and realizing that most of them have a @dakami story attached. He wasn't only brilliant, but an incredibly generous colleague and friend. No matter what news he was making, he would have an encouraging word for and talk up other researchers.
"Larger than life" is a term that is thrown around too much, but the guy had a massive impact on others and it's difficult to imagine the last twenty years of infosec without him.
Thanks to the way he treated others, it was hard not to love Dan. In summer 2008, everybody wanted a picture (no selfies yet) with Fake Dan Kaminsky. The next summer, he faced incredible adversity but still stood tall and got a hug from half of Vegas.

flickr.com/photos/fakedan…
23 Mar
If Congress wants useful hearings they should call the:

1) Product VP of Integrity/Trust and Safety
2) VP of Platform Policy

...from Facebook, Twitter, YouTube and one upstart (maybe TikTok). Those are the people at the trade-off coal face.
Instead we get hours of trying to score imaginary C-SPAN points by tripping up a CEO on decisions made three levels down.

To make it really spicy, ask those eight witnesses to come with prevalence, precision and recall numbers on their efforts to stop four major types of abuse.
My fantasy hearing: "I'm looking at the confusion matrix for your COVID misinfo classifier and it feels like you made a politically motivated decision to back off of recall to not anger certain political groups. Did I get that right?"
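For readers who want to see what the "prevalence, precision and recall" question in the thread above actually asks for, here is an added example (editor's illustration, not code from the thread's author or from any platform). It scores a constructed toy set of twelve reviewed items, builds the confusion matrix at a given flagging threshold, and sweeps the threshold so the trade-off is visible: raising the threshold is exactly the "backing off of recall" move, trading missed violating items for fewer false positives. The scores and labels are invented for the demonstration; prevalence stays fixed regardless of threshold because it describes the data, not the classifier.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed toy data (not real platform numbers): (classifier score, human label).
# label True means a human reviewer judged the item to be misinformation.
SAMPLE: List[Tuple[float, bool]] = [
    (0.95, True), (0.90, True), (0.85, False), (0.80, True),
    (0.70, True), (0.65, False), (0.60, True), (0.55, False),
    (0.40, True), (0.30, False), (0.20, False), (0.10, False),
]


@dataclass(frozen=True)
class Confusion:
    """Counts from comparing the classifier's flag decision to the human label."""
    tp: int  # flagged and actually violating
    fp: int  # flagged but not violating
    fn: int  # violating item that was not flagged (missed)
    tn: int  # correctly left alone

    @property
    def prevalence(self) -> float:
        """Share of all reviewed items that truly violate; does not depend on the threshold."""
        total = self.tp + self.fp + self.fn + self.tn
        return (self.tp + self.fn) / total if total else 0.0

    @property
    def precision(self) -> float:
        """Of everything flagged, the share that was actually violating."""
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 0.0

    @property
    def recall(self) -> float:
        """Of everything violating, the share that was caught."""
        positives = self.tp + self.fn
        return self.tp / positives if positives else 0.0


def confusion_at(threshold: float,
                 sample: Iterable[Tuple[float, bool]] = SAMPLE) -> Confusion:
    """Flag every item whose score is at or above the threshold and tally the outcome."""
    tp = fp = fn = tn = 0
    for score, is_violating in sample:
        flagged = score >= threshold
        if flagged and is_violating:
            tp += 1
        elif flagged:
            fp += 1
        elif is_violating:
            fn += 1
        else:
            tn += 1
    return Confusion(tp, fp, fn, tn)


def sweep(thresholds: Iterable[float],
          sample: Iterable[Tuple[float, bool]] = SAMPLE) -> List[Tuple[float, float, float]]:
    """(threshold, precision, recall) for each threshold, so the trade-off is visible."""
    data = list(sample)
    out = []
    for t in thresholds:
        c = confusion_at(t, data)
        out.append((t, c.precision, c.recall))
    return out


if __name__ == "__main__":
    # Walking the threshold up: precision climbs, recall falls, prevalence is constant.
    for t, p, r in sweep([0.25, 0.5, 0.75, 0.9]):
        c = confusion_at(t)
        print(f"threshold {t:.2f}: prevalence={c.prevalence:.2f} "
              f"precision={p:.2f} recall={r:.2f}  {c}")
```

The numbers a hearing witness would be asked for are the three properties on `Confusion`, reported at the threshold actually deployed; the sweep is what lets a questioner tell whether a low recall figure is a capability limit or a chosen operating point.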