Facebook CSO slams RSA Conf for repping 'the worst parts of the security industry'
Stamos tells infosec world to drop the hype
Usenix Enigma – Facebook's chief security officer Alex Stamos is not a man to mince words. Today, he delivered a stinging rebuke to the RSA Conference, due to be held in San Francisco next month.
"In my opinion, RSA represents some of the worse parts of the security industry in its direction and it's not very helpful," he told attendees at Usenix's Enigma conference on Tuesday in the city.
"It's the thinking that everything should be patched at great cost, with a focus on vulnerabilities and super-hackers and seeing everything as a war."
The RSA Conference is one of the biggest security shows on the calendar, with 33,000 people heading into San Francisco's Moscone Center last year to listen to talks and hammer out deals on the exhibition floor. But it's leading the industry in the wrong direction, Stamos said.
Encouraging confrontation at every turn is a mistake, he opined, adding: "We are not doing our job in security, right now."
Security professionals need to concentrate less on a them-and-us adversarial relationship with each other, and more on sharing knowledge and constantly learning to improve the security of systems, he said. There are too many gaps in knowledge that need to be filled, and the industry has been too focussed on conflict, we were told.
On one level, Stamos' animosity is understandable. He was one of the organizers of TrustyCon – an alternative conference to RSA held on the same day back in 2014 as a protest against allegations that RSA had taken money from the NSA to use an algorithm championed by the spying agency. Reuters claimed RSA took $10m from No Such Agency in return for enabling the backdoored Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) by default in its products.
RSA played down the allegations, but the news was enough to cause several high-profile speakers to drop out of its conference – including F-Secure's chief research officer Mikko Hyppönen, crypto guru Bruce Schneier, and Princeton computer science professor Ed Felten.
TrustyCon was a small affair, with only 400 attendees and press, but it raised $30,000 for the EFF and had some excellent presentations. Stamos said TrustyCon has now been folded into the Enigma shindig and urged attendees to think again about the direction some in the industry are leading them.
According to attendees El Reg spoke to, Stamos has a point. RSA has been criticized for years as an overly large industry shindig that's more about marketing than hard security technology. Several people told us that RSA was now off their conference timetable as they favored more in-depth seminars.
"It has just got too big," one said. "In a way the Black Hat conference is what RSA used to be, but even that is changing. Nowadays I stick to smaller events like Defcon – that'll never change."
Nevertheless, RSA is still a very popular conference and one of the original rebels, Mikko Hyppönen, told El Reg last week that he will be attending the show again after his boycott. ®