If you're a fly-by-night computer hacker who prefers IRC to Instagram and goes by your handle instead of your real name, a company like Facebook is basically The Man. But the social network is back at Def Con, the long-running hacker convention that draws 15,000 attendees to the Las Vegas desert every summer, for the seventh year in a row. Other internet companies tend to gravitate toward the corporate sister conference Black Hat, maybe sending a small number of employees to Def Con. But Facebook actually hosts events, sponsors parties, and makes major announcements here.
"I think we do a different kind of engagement at conferences like this than a lot of the other companies," said chief security officer Joe Sullivan. When he started working at Facebook in 2009, the company was still so young that Def Con was actually one of its larger expenses. "It's partially for networking, partially for recruiting, partially for just learning and catching up on what's going on."
Facebook was famously founded by a programmer who didn't always follow the rules, so it makes sense that the company still feels warmly toward the hacker community. When the company went public, CEO Mark Zuckerberg included a letter outlining "the hacker way." Facebook also has one of the most generous "bug bounty" programs, which has paid out more than $1 million in rewards to more than 300 hackers (and hired two of them).
Still, Def Con is full of geeks ready to rail against Facebook for being a dystopian time waster that tramples over user privacy. (One Def Con organizer's email signature includes the line, "Facebook: No way.") Def Con started out as an elite, hackers-only party in the desert. Over the years, it was slowly infiltrated by security experts, press, corporations, and even federal agents. It became a neutral ground for techies from these groups to meet and talk about the things they have in common, from hardware hacking to password cracking. For a long time there was peace.
Then, two months ago, details leaked about the National Security Agency's surveillance programs, which had a chilling effect on the desert party. Def Con founder Jeff Moss publicly called for federal agents to skip the convention this year. Privacy and government overreach are the subjects of half a dozen panels, and references to the NSA seemed to make their way into every casual conversation. Facebook, of course, was on the list of nine companies that cooperated with the government.
Facebook fought back hard when the news came out, denying some of the charges and releasing exact numbers on NSA requests. "It was definitely frustrating when the initial stories came out and they mischaracterized it as, the government has a backdoor into our service or something like that, or that they can run automated queries," Sullivan said. "As we stated, that's completely false."
Still, the inclusion of Facebook in the NSA program is pretty damaging to its hacker image. The circumstances will make recruiting at Def Con a bit tougher this year, but Sullivan still thinks it's important for Facebook to meet the hackers. These are the world's best programmers, the people who know what threats Facebook needs to worry about and how to prepare for them. "We need to get out and have a dialogue. What are the things that Facebook should be doing? What are the criticisms that people have?" Sullivan said.
The company took a big step toward protecting its users this week by doing something hackers will like: enabling secure browsing by default. It also plans to implement a very secure system called perfect forward secrecy, in which traffic is encrypted as it travels between Facebook's servers and the user's browser, as well as military-level 2048-bit encryption. This exceeds the security precautions taken by most consumer banks.
Facebook does seem to be creating goodwill in the hacker community just by showing up and having its engineers talk shop with Def Con attendees. It makes sense that hacker outreach would be a priority for the company, a high-profile target that has drawn hacker wrath in the past. Facebook is a goldmine for identity thieves and an excellent distribution method for malware, and it has a huge database of mostly unsavvy users who could potentially stumble into traps. Tight security is not an extra selling point for Facebook, Sullivan says; it's "table stakes for us." And on this critical battlefront, the social network needs allies.