The computer security industry has failed computer users, and the Internet has become so unsafe that average users can't protect themselves.
"The Internet cannot be safely used by normal people," he said. "Most people are not prepared to make the technical decisions necessary to safely use the Internet."
Given the date, April 1, and the unwarranted Conficker hysteria, Stamos' dire assessment of the state of online computer security begs to be dismissed as a joke, particularly in light of the presentation's subtitle, "Dark Musings From A Professional Paranoid."
Everyone in the security industry, after all, has a vested interest in convincing the world that the sky is falling; it's what moves people to invest in the security umbrella.
Yet, Stamos hadn't come to praise the security industry but to bury it, or at least give it a slap upside the head.
"The security industry is failing you," he said, adding that the industry "needs to look at itself and its motivations."
After decades of computer security work, he said, things are worse than they were. Finding bugs and publicizing them is not making people safer. At the same time, security researchers who try to help the community by developing a free static code analyzer for open source code are not rewarded. And every solution gets turned into an overpriced, marketing-driven $500,000 product.
He questioned whether computer security coders deserved to be called engineers. "No other engineering profession would allow for the number of failures that we have," he said. He suggested the vaguely derisive term "security artists."
He also urged programmers to stop writing in unsafe languages like C and C++ unless they're coding an operating system. "Most people are not smart enough to write secure C code," he said.
Some companies get it, he said, praising the security processes at companies like Adobe, Google, Microsoft, Oracle, IBM, and Mozilla. But most software, he said, is written for internal corporate use, without sufficiently rigorous security processes.
"The software that's getting better only reflects a small fraction of the ecosystem," he said.
Noting that something like only 40% of computers running Windows XP have the most current patches applied, he said the computer industry should do what Google does with Google Desktop: force updates on users.
Judging by the news coming out of Washington on Wednesday, Stamos isn’t alone in his concern. The Washington Post is reporting that Senate lawmakers are advancing legislation to create mandatory computer security standards for the government and the private sector for operators of critical infrastructure. Federal security requirements wouldn't be necessary if the current system were working.
He predicted that Heartland Payment Systems would collapse under the weight of lawsuits over its massive data breach earlier this year, that the SHA-1 hash function will soon be defeated, and that location awareness will lead to a stalker tragedy.
He also said that the information available on social networks would make two-factor authentication unworkable, because cybercriminals will be able to find information like your mother's maiden name, the city where you were born, and so on.
Get ready for the post-privacy, post-security society, he advised.
"It's a good time to be paranoid," he concluded. "They are out to get you."
2009 marks the 12th year that InformationWeek will be monitoring changes in security practices through our annual research survey.