Facebook's security is like a "college campus," but they face threats like a "defense contractor"

A leaked recording of Facebook security chief Alex Stamos (who refused to help with an illegal NSA spying program when he was CSO for Yahoo) has him describing the company's IT culture as being "like a college campus, almost" while the company has the "threat profile of a Northrop Grumman or a Raytheon or another defense contractor."

It's an alarming revelation, given the sensitivity of the data Facebook holds on billions of internet users, including people who aren't Facebook users but have their data recorded by Facebook through updates from their friends and Facebook cookies that are set and read on pages that have Facebook "Like" buttons or embeds.


Stamos says that the company's IT culture is focused on giving "access to data and systems to engineers to make them 'move fast'" which means that systems aren't compartmentalized, so that an intrusion into one system can be leveraged to gain access to other systems.


Stamos later described the college campus comparison as a "figure of speech." He says that the company's management is committed to security. The source who leaked the recording disagrees.


The recording's source, who has intimate knowledge of Facebook's security systems and internal processes but did not want to be named, said that the threats that the company faces are "way above [Facebook's] ability to handle."

It was for that reason that the recording was leaked — to reveal an endemic apathy among Facebook executives — Stamos excluded — who are too focused on making the company work rather than on making the company secure.

The source argued that Stamos has internally pushed for stronger cybersecurity, policies, and processes, but that executives were too busy lobbying lawmakers and focusing on the company's vision and products — citing its "move fast" strategy (which has since been partially retired) — and did not listen enough to the company's security professionals.


Leaked: Facebook security boss says its corporate network is run "like a college campus"
[Zack Whittaker/Zdnet]


(Image: Dave Maass CC-BY)


(via /.)