Facebook Chief Security Officer Joe Sullivan: ‘Constant State Of Improvement’

By David Cohen 

Facebook Chief Security Officer Joe Sullivan hosted reporters at Facebook’s headquarters in Menlo Park, Calif., Tuesday, where he detailed how the social network is maintaining and fine-tuning its security protocols in the wake of the continuing controversy about government surveillance.

One of the measures Sullivan discussed was Hacktober, in which the month of October is devoted to members of the social network’s security team attempting to hack the site, and rewarding Facebook employees who discover and report the hacking attempts with T-shirts.

Highlights of Sullivan’s comments follow, as reported by TechCrunch and The Register:

You can’t expect security to be perfect. On the Internet, the state of security is in a constant state of improvement.

I think as a company, we’ve matured a lot, we’ve been learning a lot. It’s hard to deal with the constant stops and spurts of stories, and to figure out what’s really going on, but a world more concerned with security and things like encryption … that’s the silver lining on this.

I don’t think anyone who focuses on security has been surprised by the specific things that we’ve seen.

As security people, we’re paranoid, so we assume all of these things are happening, but when you actually see concrete evidence of an implementation, that moves it from paranoia to professional security advice.

We’re looking at literally every point in the movement of data and analyzing the risks. If data are going through a building or a cable that someone else controls, we need to assume the worst, in the same way that we assume the worst about every one of our employees.

I trust everyone I work with, but I also assume that they can get malware on their laptop, or they might have their spouse held hostage. Everything can go wrong, and it’s not about trusting people — it’s about removing the risk.

Sometimes we do work with law enforcement. We know just playing defense and whack-a-mole and removing those accounts over and over doesn’t make the problem go away, so in that context, we’ll build investigations and our own proactive referrals to law enforcement.

With SSL, there’s going to be a single key that opens every car on the highway, and with Perfect Forward Secrecy, there’s a different key for each car.
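The car-key analogy above maps onto two TLS key-exchange styles: static key transport, where every session key is derived from the server’s one long-term secret, and ephemeral Diffie-Hellman, where each session uses fresh per-connection exponents and the long-term key only authenticates them. The following toy model is an added example, not code from the article or from Facebook; the group parameters (a 127-bit Mersenne prime and base 3) are an assumption chosen for readability and are not a secure group. It records each handshake as a wiretap would, then shows what an eavesdropper who later obtains the server’s long-term secret can recover in each mode.

```python
"""Toy model of why Perfect Forward Secrecy matters. Not real TLS."""
import hashlib
import hmac
import secrets

# Toy parameters (assumption, labelled): a Mersenne prime modulus and a small base.
# They keep the arithmetic readable; they are NOT a secure group. Real TLS uses
# RFC 7919 finite-field groups or elliptic curves.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private exponent, public value) in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(shared_secret: int) -> bytes:
    """Session key = hash of the agreed group element (stand-in for a real KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def run_static_session():
    """'One key opens every car': the server's long-term secret feeds every session key.
    Returns (session_key, recorded_transcript, server_long_term_secret)."""
    s, S = keypair()                       # server's long-term key, reused forever
    c, C = keypair()                       # client's one-off contribution
    client_key = derive_key(pow(S, c, P))  # client computes S^c
    server_key = derive_key(pow(C, s, P))  # server computes C^s
    assert client_key == server_key
    transcript = {"mode": "static", "client_pub": C}  # what a wiretap would record
    return client_key, transcript, s


def run_ephemeral_session():
    """Forward secrecy: fresh exponents on both sides; the long-term secret only
    authenticates the server's share (HMAC stands in for a signature).
    Returns (session_key, recorded_transcript, server_long_term_secret)."""
    s, _S = keypair()                      # long-term secret, used for auth only
    a, A = keypair()                       # client ephemeral
    b, B = keypair()                       # server ephemeral
    tag = hmac.new(s.to_bytes(16, "big"), B.to_bytes(16, "big"), "sha256").digest()
    client_key = derive_key(pow(B, a, P))  # client computes B^a
    server_key = derive_key(pow(A, b, P))  # server computes A^b
    assert client_key == server_key
    transcript = {"mode": "ephemeral", "client_pub": A, "server_pub": B, "auth": tag}
    return client_key, transcript, s


def recover_session_key(transcript, server_long_term_secret):
    """What an eavesdropper who recorded the transcript and LATER obtained the
    server's long-term secret can do with it."""
    if transcript["mode"] == "static":
        # Same computation the server did: C^s. Every recorded session falls at once.
        return derive_key(pow(transcript["client_pub"], server_long_term_secret, P))
    # Ephemeral: the long-term secret only lets the attacker re-check the auth tag.
    # The session key needs a or b, which were never stored or transmitted.
    expected = hmac.new(server_long_term_secret.to_bytes(16, "big"),
                        transcript["server_pub"].to_bytes(16, "big"), "sha256").digest()
    assert hmac.compare_digest(expected, transcript["auth"])
    return None


if __name__ == "__main__":
    key, rec, leaked = run_static_session()
    print("static: past session key recovered after leak?",
          recover_session_key(rec, leaked) == key)
    key, rec, leaked = run_ephemeral_session()
    print("ephemeral: past session key recovered after leak?",
          recover_session_key(rec, leaked) is not None)
```

The defensive takeaway is the one Sullivan draws: with a static key, retaining a year of captured traffic and later obtaining that one key decrypts all of it, so the long-term key becomes a single point of catastrophic failure; with ephemeral exchange, a key compromise exposes only sessions the attacker can actively interfere with from that point on, which is why (EC)DHE cipher suites are preferred and why the ephemeral exponents must be discarded as soon as the session key is derived.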

Readers: What did you think of Sullivan’s comments?

Image courtesy of Shutterstock.