SAN FRANCISCO -- Web 2.0 Expo -- "The Internet cannot be safely used by normal people."
That was the message delivered by Alex Stamos, co-founder at iSEC Partners, yesterday in a session on cybersecurity.
Acknowledging his status as "a paranoid," Stamos made some unsettling statements about the current and future state of cybersecurity, which is today being challenged with new, sophisticated attacks.
Stamos stressed that most Web users shouldn't be trusted to make transactions online.
"We're past the point where I can recommend my mom use the Internet," says Stamos. "It's not possible to transact on a day-to-day basis with the level of trust you have in doing it in the physical world... Most people are not prepared to make technological decisions necessary to use the Internet."
"This is a bad problem," says Stamos. "People haven't realized yet. There's a lot of e-commerce going on, and online banking. There will be a reckoning when people realize they're not qualified to use the Internet safely."
Apart from e-commerce and banking, Stamos says that users are given way too much decision power when it comes to protecting their networks.
"It's time for us to stop asking users to make decisions they're not qualified to make," says Stamos. " 'Want to trust this SSL certificate?' There's absolutely no way 99 percent of people on this planet are qualified to make that decision.
"It's time for us to get past giving people choices. Choices are done... Software should work securely. If it's not, it should stop. Stop letting people do dumb things."
Further, despite the overall air of excitement surrounding social media here at the Web 2.0 Expo, Stamos says the new technology is making us much more vulnerable and setting users up for disaster.
"Social networks are ruining two-factor authentication," he says, suggesting that all of the questions banking sites use for authentication can likely be answered by checking someone's Facebook page.
" 'Where did you go on your honeymoon?' Hmm... Go to Facebook, pull the photos, and guess. The idea this is real secure authentication by banks is ridiculous. We're going to see some interesting ideas when it turns out that 500 to 600 people have access to data."
As cyber-attacks become more sophisticated and users remain unqualified to handle them, Stamos believes that law enforcement and the security industry aren't doing nearly enough to help.
"We've had 20 years of people being security experts," says Stamos. "Things are even worse than they were."
Part of the problem, he says, is that people in the security industry who do valuable work aren't being rewarded.
"People are not getting rewarded for doing positive things. When people do come up with solutions they immediately go get a VC and sell the product for $500,000 to enterprises only. Lots of solutions out there are not affordable or usable by most people."
Further, he says, software engineers are not taking advantage of the education available to help them do their jobs better, nor are they being forced to learn, with most entry-level software engineers not getting trained in security for the first few years on the job.
"The basic knowledge for building more secure systems is out there. If you choose to be an educated developer you have the ability to do things right." Nevertheless, "technological innovations to make software better are starting to drop off.
"Software engineering still sucks. It's not really engineering," says Stamos. "If bridges were engineered like software we'd all be dead."
— Nicole Ferraro, Site Editor, Internet Evolution