Sophos Slams Facebook Security In Open Letter

An anonymous reader writes "Security experts are calling on Facebook to implement a three-point plan to improve safety online. Sophos says it receives reports every day of crime and fraud on Facebook, and that victims are desperate for advice on how to clean up their profiles and undo the consequences. In an open letter to Facebook, the firm calls upon the social networking giant to adopt three principles: privacy by default (opt-in sharing), vetted app developers, and use of https whenever possible. 'Our question to Facebook is this — why wait until regulators force your hand on privacy? Act now for the greater good of all.'"

lol

[smash]

Our question to Facebook is this — why wait until regulators force your hand on privacy?

Answer: because that would interfere with our business model.

Facebook's rogue app risks

[Announcer]

As a frequent user of Facebook, I find the numbers of rogue and bogus applications to be the most annoying aspect of the site. They need to start seriously vetting the developers and apps NOW. No more allowing apps to just be posted and start spreading SPAM from user-to-user.

I use Firefox, with the "NoScript" and "AdBlock" plugins, so 3'rd party sites have no access to ANY scripting functions. This allows me to visit these rogue app's sites and REPORT them, which I do frequently. I also warn my friends who fall victim to them, NOT to click the links posted on their pages. Many of them have thanked me for doing this. I have seen Facebook remove virus apps and links within minutes of my reporting them, which is "good", but not good enough!

It's high time that the people at Facebook took this much more seriously, and use PREVENTION rather than CURE after-the-fact.

Re:Facebook's rogue app risks

[Culture20]

For some reason all the worst ones seem to refuse to work in https mode.

Because if they use a trusted SSL cert, there should be a trail to a real person. Unless they used Comodo.

And two factor authentication...

[HerculesMO]

If I can have my World of Warcraft account secured with a two factor authentication, I should be able to do this for Facebook. Seriously.

Re:No, No and No

[fuzzyfuzzyfungus]

If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

I think no more highly of Facebook's adherence to any principles other than their bottom line than you do; but I think that it might not be so clear cut...

Facebook's position of strength lies in having massive network effects, and piles of user data, that draw users back so that their consumery little eyeballs can be monetized until they bleed. What could weaken their position? 1. 'Their' data being trivially available by assorted dodgey-but-easy means without paying them for access to it. 2. People disclosing less because they have heard that Bad Things Can Happen, Oh Noes!

Now, the second item is as likely, or more, to simply elicit cynical displays of 'security' which, after all, are cheaper and easier than the real thing; but the effects of number one could be interesting. Facebook obviously has not the slightest interest in your privacy; but their revenue stream depends on being the gatekeeper to any commercial scale violation of it. The market value of their precious "social graph" goes way down if 95% of it can be swiftly scraped by building a bottom-of-the-barrel malicious app that collects users', users' friends', and friends' of friends, details, or if some combination of spiders and cheap summer interns equipped with attractive stock photos can collect the public stuff.

They obviously have no reason to protect privacy; but it is arguably very much in their interest to have a saleable monopoly position on information disclosures. Particularly if somebody like Phorm or Nebuad shows up and starts snagging Facebook info right off the wire, I'm guessing that Facebook will suddenly start to take SSL a bit more seriously.

Re:Easy answer.

just stop using facebook you idiots