PINDROP BLOG

Facebook CSO: It’s Time to Focus on Real Problems

LAS VEGAS–The security community needs to get back to solving real problems facing real users in the real world, Facebook’s CSO said, and the company is putting up a million dollars to help do that.

Alex Stamos, the top security official at Facebook, said security professionals are spending too much time focusing on elaborate hacks and rare vulnerabilities, at the expense of fixing the problems that cause users trouble on a daily basis.

“We’re still focused on the sexy problems. The things that we see every day that cause people harm generally aren’t that technically difficult,” Stamos said in the opening keynote at the Black Hat conference here Tuesday.

“We see something like three to four orders of magnitude more account takeovers from password reuse than anything else we can measure. It’s very dangerous to think the world would be a better place if users were perfect. Every single day we ask billions of people to walk these tightropes and when they fall of the tightrope we say, that’s it, we can’t help you.”

“Things are not getting better. Things are getting worse.”

To help encourage researchers and security professionals to work on difficult, if unsexy problems, Facebook is planning to pay out up to $1 million in rewards to people who make significant contributions to solving certain issues. Problems such as the lag between patch releases and when people install them, account lifecycle management, and mobile ecosystem security are what the prize is for, Stamos said.

“Hundreds of millions of people are using cheap smartphones that come out of the factory with two-year-old versions of Android on them. We can’t just write these people off,” he said.

Facebook has it’s own internal bug bounty and the company is one of the main sponsors of the Internet Bug Bounty, as well, so it has experience working with these kinds of programs. But Stamos emphasized that just finding new bugs and reporting them isn’t going to solve the major difficulties users face.

“We’re not going to bug-squash our way out of the current situation. We’re only going to get better if we kill entire classes of bugs and lear how to build systems that fail gracefully,” he said.

“Things are not getting better. Things are getting worse.”

But Stamos said he was optimistic that the security community was up to the challenge of fixing what’s broken.

“I’m an optimist,” he said.