Facebook Exec: Security Researchers Not Doing Enough

By John Lister

According to Facebook's head of security Alex Stamos, the security industry needs to do more to solve problems that affect ordinary people in their everyday lives. He says researchers are often too obsessed with technical detail because they lack empathy.

Stamos spoke at Black Hat, a conference that brings together security professionals, researchers, self-described hackers and those with an interest in the topic. (Source: bbc.co.uk)

He said the security community had proven justified in many of its warnings about flaws in systems and networks, but that it hadn't done enough to find solutions that made a difference to most people. (Source: ft.com)

Researchers Too Worried about Trying to Impress

According to Stamos, that's partly because researchers are too concerned with giving dramatic presentations to amaze their peers; the emphasis is on showing off their own knowledge and understanding rather than on dealing with everyday security issues.

In particular, Stamos argues, researchers concentrate on the most complicated and sophisticated hacking attempts carried out against organizations and even governments, rather than the more mundane threats.

Stamos says one reason for this is that many security researchers come from similar backgrounds and don't give much thought to the way the population at large uses technology. For example, Stamos says other security experts he has spoken to often blame ordinary users for making security errors and making themselves more vulnerable to attacks.

Solutions Should Work for Ordinary Users

In Stamos's view, researchers need to understand that most people don't share their level of interest or knowledge in technology. It's also not realistic to expect them to act properly to protect themselves online all of the time. Instead, he thinks more should be done to make security systems and tools easier to use.

He also suggested that the industry bring in more people from diverse backgrounds: not just in terms of demographics, but also in seeking the views and ideas of people who aren't life-long 'techheads'. That could make it easier both to identify the security risks that affect people from day to day and to develop solutions that people could effectively use, even if they don't fully understand how technology works.

What's Your Opinion?

Do you agree with Stamos's arguments? What topics would you like security researchers to concentrate on? Could the tech industry offer better incentives to solve everyday threats rather than work on the most dramatic and technically impressive flaws and fixes?



Dennis Faas

I am not sure that I agree that researchers should stop focusing on complicated and sophisticated hacking attempts in favor of 'everyday issues'. It's the sophisticated attacks that usually put thousands or hundreds of thousands of users at risk in one fell swoop. The WannaCry ransomware 'zero day' exploit is a good example. Perhaps it would be best to create a startup that focuses on multiple aspects of security issues - call it the Grey Hat security conference. Leave the White and Black hats to the other guys who prefer to focus more on sophisticated attacks.

doulosg

... it's those mundane, day-to-day security issues that most often provide the holes that dramatic threats exploit. Think finger in the dike versus the dike failing. How much more secure are we all with email attachments being pre-scanned rather than just depending on casual users not opening them even by accident? And with the use of social techniques in phishing exploits, many solutions (or at least a better understanding of the weaknesses) may not be technological at all.

ecash

Anyone worth their Knowledge has been HIRED..
And there is Probably a CLAUSE in the contract that says they can ONLY do for the Corp.
Anything they create must go through the corp, and is OWNED by the corp.
AND after he quits or resigns, he can NOT release anything for 5, 10 years..and can NOT work for another agency/corp..

Even NOW there is a separation of Anti virus/anti malware/Anti scripts/and OTHER protections between Consumer, Company, Corporations, SERVERS..
They protect servers FIRST..and 2 weeks later they send the Consumer version..

There Has always been an idea/conspiracy.. of WHERE/WHO made the viruses..Because the NET was fairly CLOSED in the past..it was restricted HOW much DATA you were downloading, and you knew where it came from..
NOW it's not so easy.
A computer can wander the net and JUST BEING ON THE NET can infect your computer.
Auto run, auto exec, and So many ways to get People/machines to RUN CRAP..
Browsers designed to Emulate 7-12 different languages..

I AM always shocked when a server farm/system gets hacked..
As a restricted system with TONS of control..they keep getting infected or hacked (not the same thing). I hate AUTOMATED systems..get RID of the humans, let the computer decide WHO is a BOT, WHO has been online..

rohnski

Sure, let the white hats play with their complicated hacks; let's face it, most of them are doing it 'for the fun', not because they are getting paid (anything), but ...

In their spare time, it would be really nice if some of them would write specific instructions for common specific languages / situations, i.e. "if you are using SQL Server write THIS not THAT" etc. Have you ever looked at the 'OWASP top 10'
(i.e. https://www.owasp.org/index.php/Top_10_2013-Top_10)
and tried to translate those high-level observations into explicit code that works in your system? Especially generic modules that can be shared on site.