Former Facebook and Yahoo Chief Security Officer (CSO) Alex Stamos is joining Zoom as an outside security consultant.
In a blog post published on Medium today, Stamos said he decided to join the company after a phone call last week with Zoom founder and CEO Eric Yuan.
Yuan approached Stamos after the former Facebook CSO defended Zoom on Twitter, at a time when the video conferencing software was being widely criticized in the media for a series of what Stamos described as “shallow bugs.”
Also, all of these shallow bugs demonstrate the value of the hundreds of enterprise vendor risk assessments Zoom has gone through in the last couple of years.
— Alex Stamos (@alexstamos) April 1, 2020
Stamos was one of the many security figureheads who stood up and defended the company in the face of a rising wave of mostly unfair criticism.
The former Facebook exec clarified that he won’t be joining Zoom as an employee or CSO, but only as an advisor.
Stamos’ role is unclear, but from the Medium announcement, he’ll be serving more in a guiding role, to help the company through its current rough patch of security woes and towards designing a product that’s safe to use, and not just bug-free.
“As I told the computer science students in my Trust and Safety Engineering course this last quarter (the last two weeks of which were taught over, yes, Zoom) coding flaws and cryptographic issues are important, but the vast majority of real technological harm to individuals comes from people using products in a technically correct but harmful manner,” Stamos wrote on Medium.
“Zoom has some important work to do in core application security, cryptographic design and infrastructure security, and I’m looking forward to working with Zoom’s engineering teams on those projects.”
On April 1, Zoom said it was freezing all work on new features to focus on boosting security. The company has addressed some issues, like enabling waiting rooms and forcing passwords for new video calls, as a way to prevent a rising trend called Zoom-bombing. Other issues still remain, like its weak encryption and situations where encrypted calls and keys are routed through Chinese servers.
“We are thrilled to have Alex on board. He is a fan of our platform and will no doubt help us implement controls and practices that are best-in-class,” Yuan said in a blog post today, confirming the move.
Since leaving Facebook in 2018, Stamos has been serving as Director of the Stanford Internet Observatory where his team has published reports on disinformation campaigns carried out on various social networks.
🎙Thursday! Thursday! Thursday!🎙
The Stanford Internet Observatory brings you not one…
not two…
not even three…
but FOUR new reports of online disinformation from the Kingdom of Saudi Arabia, United Arab Emirates, Egypt, Honduras and Serbia! https://t.co/qhWEBX5I6z
— Alex Stamos (@alexstamos) April 2, 2020
Zoom announces new CISO Council and Advisory Board
Besides announcing Stamos in the role of outside security advisor, Zoom also announced today the creation of a CISO Council and Advisory Board, which will include cybersecurity leaders from other companies.
“Within our CISO Council, we are establishing an Advisory Board that will include a subset of CISOs who will act as advisors to me personally,” Yuan said.
“This group will enable me to be a more effective and thoughtful leader and will help ensure that privacy and security are at the forefront of everything we do at Zoom. The initial members of our Advisory Board will include security leaders from VMware, Netflix, Uber, Electronic Arts, and others.”
As Stamos pointed out, because of the current coronavirus (COVID-19) outbreak, Zoom has grown from a medium operation to one of the world’s most important online services, operating on an order of magnitude it didn’t foresee a few months ago. Its product is no longer used only once in a while by tech companies; it is now regularly used for government, online classes, and by the vast remote workforce currently working from home due to the pandemic.
Zoom was never prepared to see its role in modern society expand within a matter of weeks, and just like any fledgling startup, failed to invest in security, preferring to focus on its product stability. In hindsight, the decision paid off, as Zoom has yet to face any major outage, but now people are raising questions the company was not prepared to answer, and it is only now addressing its privacy and security issues. Whether this will work remains to be seen, but the company has a solid product, which ensures some leeway from its users while it gets its act together.