Precisely this.
Full disclosure: while I have not worked at Facebook, I have worked with Alex Stamos (I am a former IT Admin for iSEC Partners/NCC Group where Alex Stamos was a founding partner). His batting average isn't perfect (who's is?) but it's decidedly better than average in the field of computer security. While we worked together, Facebook was a client of iSEC Partners, and we helped FB implement TLS and performed IPv6 scans among other things. I departed iSEC Partners/NCC Group at the end of 2011, and Stamos later went on to found Artemis Security and later was CSO of Yahoo! He left Yahoo! if I understand correctly, after determining that there was a severe breach compromising most user accounts and when he wanted to implement a mandatory passphrase change, he received push back from other executives in the Board of Directors. Given that CSO levels are legally liable for security decisions, he decided that if he had his hands tied to the point where he couldn't do his job on such a basic level as mandating passphrase changes on known compromised accounts, then he didn't want to get paid for being Yahoo!'s fall guy. Seems like a wise move, and with the users' best interests at heart.
His departure from Facebook circa 2018 I seem to recall was over not entirely dissimilar grounds after information regarding the Cambridge Analytica breech came out. It appeared as if he did his best at damage control for a while, even going so far as to suggest that Mark Zuckerberg step down as CEO. After all, being implicated as leader of any organization which is facing involvement with war crimes and manipulating elections is a bad look, and like Bill Gates stepping down as CEO of Microsoft after they were losing antitrust lawsuits didn't stop Gates from being a multibillionaire, there is little wrong with letting someone else take over the reigns. Zuckerberg didn't acquiesce to such recommendations, and near as I can discern Alex Stamos thought it best to jump from a sinking ship in flames after he realized that no amount of damage control and bailing could save it.
Since then I guess he's been a staff research with Stanford? I took some issue with his apparent endorsement of Zoom a year or two ago (which has since lost an $85 million dollar lawsuit over their end-to-end encryption implementation being bollocks, as I could discern back when I looked at their "technical" documents), but as he sheepishly admitted to in a recent Youtube live stream with Mathew Green, David Thiel (another former iSEC Partners/NCC Group coworker of mine) et al over the Apple CSAM scanning decision recently, paraphrasing: "even some of the recent end-to-end encryption claims of vendors are difficult for experts to discern correctly." Albeit, that eating crow applies to things such as Apple's iCloud not being server-side encrypted and that Apple has repeatedly cooperated with law enforcement of particular concern in places such as China where they have handed over user data to governmental agencies (e.g.
https://www.cpomagazine.com/data-privacy/icloud-data-turned-over-to-chinese-government-conflicts-with-apples-privacy-first-focus/#:~:text=Apple does not have the,be stored within the country.).
I'm more of a nerdy ops guy who fixates on bit level optimizations and Kolmogorov complexity reduction in code implementations and don't profess to even want to wear the sorts of hats that Alex Stamos has. Nonetheless, while I can state that I did help him unlock accounts in the past when we worked together, I've never testified in front of Congress as he has. Nor would I want to do such things. I think he and I still "fight for the users" more than not, but we may do so in different ways.
Suffice to say, Alex Stamos hasn't spoken on Facebook's behalf for a few years now, but even before he worked as CSO at Facebook, he was deeply involved in the field of computer security, and I consider him to be among the more seasoned and ethical practitioners in the field. Discounting someone's viewpoint because of a contextualization of one of their past employers, is a pretty narrow perspective, and given that I have worked as a janitor and far humbler positions at some pretty heinous employers in my past, I would sincerely question how anyone's past career history is a reflection on them as a person, in particular if it seems as if most of their actions as an employee were admirable. I know some with a lot of skeletons in their closets, myself included, but Alex Stamos didn't ever read that way to me.
The "screeching minority" categorizations of those who have raised concerns about Apple's local CSAM scanning implementation are more than concerning, they are dismissive. I don't think I've read nor heard a single perspective, even from trolls, advocating for child abuse. Meanwhile, hash collisions are a field of study within computer science which are widely known, with even cryptographic hashes such as MD5 and SHA-1 having fallen by the wayside in more recent years due to chosen prefix attacks. Another colleague and computer forensics expert, Cory Altheide, some years ago described to me malware which would drop files which had CSAM hash collisions so as to shift investigative onus, and I found that prospect chilling. The likelihood that similar techniques can and will be used against Apple's implementation, seems nonzero, and from my perhaps paranoid vantage, extremely likely as a means to facilitate unwarranted governmental eavesdropping based over spurious levels of "probable cause". For those who think that no one is that nefarious, perhaps they need some reminders of the threat levels of nation state level adversaries using known malware such as Pegasus sold by Israeli NSO Group.
At the very least, Apple's multi-million dollar ad campaign "Privacy. That's iPhone." now reads like Orwellian double speak with this most recent decision. As another colleague posited: it seems likely that this may have been a move which Apple was forced to take lest Tim Cook be faced with even worse choices from governmental pressure for cryptographic backdoors.
Regardless, the canary in the coal mine looks awfully dead to me.
www.reuters.com
