RSA 2018 At the 2018 RSA conference on Tuesday, a panel of some of the most respected names in security was scathing about Facebook – and about the industry's response to the Spectre processor bug.
The Cryptographers' Panel, an annual tradition at the event, this year included Ronald Rivest of MIT and Adi Shamir of the Weizmann Institute (the 'R' and 'S' of RSA, respectively), public key encryption co-creator Whitfield Diffie, researcher Paul Kocher, and Signal co-author Moxie Marlinspike.
Among the hot topics in this year's discussion was how society needs to view Facebook in light of its latest user privacy disaster. In particular, how we should handle a massive company that has little apparent regard for protecting information.
"In many ways Facebook is the Exxon of our time, it is this indispensable tool that is a part of everyone's life that everyone also despises," Marlinspike explained.
"It doesn't matter how many gallons of oil Exxon dumps in the ocean or how egregious Facebook's policies are."
At the same time, Marlinspike points out that it won't be as easy as simply telling people to walk away from a platform that, for many, has become most if not all of their online activity.
"There were a lot of things Facebook could have done, but it wasn't in their interest to protect our data," Kocher noted.
"It was very much in their interest to take advantage of all the data they collect. We can't look to the companies that benefit from the status quo to fix these problems."
CPU bug hunting
Also confounding the panel was the issue that confronted Kocher for much of last year: how to deal with a massive hardware flaw. When he and Google researchers separately uncovered and reported the bugs that would become the Spectre and Meltdown side-channel vulnerabilities, Kocher said, he faced a new challenge: how to deal with a flaw that is present in the silicon itself, and who should be told among a long chain of designers, fabricators, vendors, and resellers.
"Who can fix a hardware problem in Arm processors? Who should know about a vulnerability in Intel processors when you have got Intel, and cloud providers, and customers using them?" Kocher asked.
"We need ethicists and people thinking what to do in those situations. We need a roadmap of what to do."