During his opening talk at the Black Hat 2017 conference, Alex Stamos, Facebook’s chief security officer, talked about preventing actual damages and being OK with compromises — things that every information security specialist should be doing. This CSO at Facebook is no slouch: His team has been protecting a really complex IT system and 2 billion users’ worth of data.
According to Stamos, the security industry suffers from several adolescent problems, the main one being nihilism. That means specialists prefer to focus on “fancy,” technically complex security problems and vulnerabilities, not on the ones that cause real damage and jeopardize a large number of people. Those specialists also tend not to accept any compromises and make information security their only goal, at the same time assuming everyone will fall victim to the most dreadful attacks from the most dangerous threat actors.
One of the most remarkable examples Stamos gave was the WhatsApp “backdoor” that wasn’t actually a backdoor. To make secure encryption available to 1 billion WhatsApp users, the development team made a reasonable decision on how to inform chat partners that one of them has just received a new encryption key. In this situation, an additional notification appears in chat, and no action is required from the chat partners to carry on with their conversation.
Information security nihilists assumed that this was a backdoor created for special services so that they could attack the chat and get access to the conversation history. However, its purpose is actually the opposite, allowing people to continue their conversation after one chat partner changes their smartphone or reinstalls WhatsApp. And this way it’s used a lot more often than by spec ops.
The WhatsApp example brings together all of those nihilistic aspects: assuming all users are supposed to study the encryption system and compare encryption keys between conversation partners and that each of the users will be closely watched by special services, which will certainly attack their Internet traffic with a complex variation of a man-in-the-middle attack. The paranoiameter just went off the scale.
The attention to the most complex attacks and the most labor-intensive security measures distracts specialists from problems that cause real damage. Stamos presented a “threat pyramid” diagram with a barely visible point at the top representing zero-day vulnerabilities and complex government-sponsored attacks. The rest of the pyramid is taken up by “mundane” problems related to password and personal-data theft (including banking data), phishing, financial threats, and social engineering.
Stamos recommends not being afraid of trade-offs when solving these problems. If a solution is imperfect or partially effective but 10 times as many people will implement it, then it is much better than the solution that protects just a few of the most advanced users, leaving the rest completely unprotected.