Sense of security

Facebook’s security chief says engineers need to have more empathy

Alex Stamos outlined what he thinks the security community gets wrong.

Facebook’s Head of Security Alex Stamos chided an audience of information security professionals at the Black Hat conference in Las Vegas today, rebuking them for the “hot takes” and “snark” aimed at government officials who last year demanded Apple build a tool for the Federal Bureau of Investigation to access encrypted iPhones.

“Engaging the world effectively,” is one of the things the information security community needs to improve, Stamos said. And saying that members of Congress are “stupid” for not understanding the complexities of encryption makes the security community look “childish,” Stamos said.

“People now know how important it is to build secure systems to underlie our civilization," Stamos said. “A topic that was once considered fringe, a topic that we had to fight for respect for, is now on the front page of every newspaper pretty much once a week."

Stamos, who reportedly resigned from his job as Chief Information Security Officer at Yahoo when the company complied with a secret U.S. government order to search users’ e-mails, said the security community too often focuses on things like zero-day exploits (attacks on bugs, sometimes serious ones, that are unknown to the software’s creator) and doesn’t pay enough attention to abuse like publishing someone’s personal information online.

“We focus on the complexity of a flaw rather than the potential human harm,” he said.

Stamos also pressed for more consideration of users around the world. “This room is full of $800, fully patched, top-of-the-line smartphones,” Stamos said, referring to iPhones, which are generally seen as the most secure smartphone. “This is not what the world looks like.”

It’s part of what Stamos has dubbed “security nihilism,” which he defined as “a set of beliefs that includes the assumptions that all attackers are perfect, that everybody faces the worst possible threat scenario, or that any compromise to make a security feature more widespread should be considered a bug.”

Stamos’ aversion to this philosophy might explain Facebook’s recent implementation of secure encryption within the Messenger app. Unlike Facebook’s sister application WhatsApp, the encryption, which would protect from hackers and mass surveillance, isn’t turned on by default.

On the topic of diversity and inclusion, a problem in Silicon Valley, which is generally dominated by white men, Stamos told a story of the time he saw two men being disrespectful to a female engineer in a meeting. Stamos stood up for the woman, he says, and that woman pulled him aside after the meeting and explained why Stamos actually made the problem worse. Stamos says the woman told him he should have let her articulate her argument, and that by intervening he made it more difficult for her to be viewed as an equal by her male colleagues. Stamos advised the crowd not to ask female speakers if they came to the convention with their boyfriends.

In a post-keynote press conference, I asked Stamos about President Donald Trump, who supported the FBI in its battle with Apple and even went as far as to call for a boycott of Apple. My question was: given the increased likelihood that the Trump administration could ask for more data and information on Facebook’s users or demand that the company build less secure tools, what is the company doing to protect its users? “We continue to respectfully explain our position,” Stamos said. “We try to train law enforcement on the data that they can get. We also explain to them that we believe that a competitive U.S. tech industry and the security and privacy of our users is dependent on encryption continuing to be legal.”