Sophos Slams Facebook Security In Open Letter

An anonymous reader writes "Security experts are calling on Facebook to implement a three-point plan to improve safety online. Sophos says it receives reports every day of crime and fraud on Facebook, and that victims are desperate for advice on how to clean up their profiles and undo the consequences. In an open letter to Facebook, the firm calls upon the social networking giant to adopt three principles: privacy by default (opt-in sharing), vetted app developers, and use of https whenever possible. 'Our question to Facebook is this — why wait until regulators force your hand on privacy? Act now for the greater good of all.'"

No, No and No

[WrongSizeGlass]

adopt three principles: privacy by default (opt-in sharing), vetted app developers, and use of https whenever possible

Their answer is very predictable: No, no and no.

If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

Re:No, No and No

[WrongSizeGlass]

If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

That should be "If information doesn't "leak" out of Facebook ..."

Re:No, No and No

[fuzzyfuzzyfungus]

If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

I think no more highly of Facebook's adherence to any principles other than their bottom line than you do; but I think that it might not be so clear cut...

Facebook's position of strength lies in having massive network effects, and piles of user data, that draw users back so that their consumery little eyeballs can be monetized until they bleed. What could weaken their position? 1. 'Their' data being trivially available by assorted dodgey-but-easy means without paying them for access to it. 2. People disclosing less because they have heard that Bad Things Can Happen, Oh Noes!

Now, the second item is as likely, or more, to simply elicit cynical displays of 'security' which, after all, are cheaper and easier than the real thing; but the effects of number one could be interesting. Facebook obviously has not the slightest interest in your privacy; but their revenue stream depends on being the gatekeeper to any commercial scale violation of it. The market value of their precious "social graph" goes way down if 95% of it can be swiftly scraped by building a bottom-of-the-barrel malicious app that collects users', users' friends', and friends' of friends, details, or if some combination of spiders and cheap summer interns equipped with attractive stock photos can collect the public stuff.

They obviously have no reason to protect privacy; but it is arguably very much in their interest to have a saleable monopoly position on information disclosures. Particularly if somebody like Phorm or Nebuad shows up and starts snagging Facebook info right off the wire, I'm guessing that Facebook will suddenly start to take SSL a bit more seriously.

Re:No, No and No

[MightyMartian]

Zuckerberg's answer is "I'm a fucking billionaire, you worthless halfwits. I'm bigger than Jesus, Buddha and Muhammad Ali combined. If I choose to sell the email addresses worthless worms who use Facebook to Russian mobsters in South Africa, that's my business and fuck anyone who questions me. I could buy their mothers and use them as my bitches and throw them out without any breakfast because I'm Mark Motherfucking Zuckerberg"

Re:No, No and No

[K10W]

WTF you talking 'bout Willis? No-one said anything about have an in house exclusive rights store like apple store here. There was simply the reasonable and sane suggestion of vetting apps rather than an anything goes attitude. You could still have apps coming from assorted 3rd party devs but just filter out the obviously rogue stuff that is more likely to decrease your userbase and hence profits. I personally don't use it, have never and will never and am a smug elitist twat about it haha!

lol

[smash]

Our question to Facebook is this — why wait until regulators force your hand on privacy?

Answer: because that would interfere with our business model.

Re:lol

[Nikker]

Right now Zuckerberg might be known as the Billion Dollar Kid but that's really not the case. His company is valued at 50 Billion I don't really see that lasting because it's just all about paper. On paper Facebook looks huge and with MS and a few other big guys on the bandwagon they're are fewer companies to jump in on the idea. At the end of the day Zuckerberg was right it is all about exclusivity, it's the same reason people hang out at certain places but when every one shows up at your hangout and you can't kick them out you eventually find a better spot for yourself.

MySpace was exclusive in a way because it was the first of it's kind then it became well, lame. Then Facebook comes along and only the select few can join but now the bar is so low anyone with a pulse and a keyboard can join. Eventually something new will come along and it will split up the same way as it is in 'real life' every one will find their own coffee shops or dives and kill time there will be intermittent communication between the groups but they will mainly stay where they are.

Ces't la vie.

Re:lol

[Animats]

At the end of the day Zuckerberg was right it is all about exclusivity, it's the same reason people hang out at certain places but when every one shows up at your hangout and you can't kick them out you eventually find a better spot for yourself.

I've made that observation before. Social networking sites have a life cycle, like nightclubs. AOL, Geocities, Friendster, Orkut, Myspace, etc. all had their day.

That may have changed, though, with mobile integration. When Helio tied in Myspace and GPS tracking on their phones, I thought that integrating social networking with mobile was going to be the next big thing. It was, but not with Helio. There's more of a lock-in with phone integration. Nobody seems to be threatening Facebook right now.

Re:lol

[Americium]

Well until eventually, they will continue to rake in Billions in ad sales. It was almost 2 Billion last year, that's a P/E ratio of 25, right on par with other publicly traded companies.

It's impossible to break into the facebook model nowadays. It's like saying Google is just a search engine, someone else will come along and push them away. Perhaps Bing will, but what you are saying is that it'll be some small startup, I just don't see it happening unless they do something stupid, oh wait... they do that all the time.

I mean extremely stupid, like letting everyone get hacked to the point they are forced to leave. And believe me, you will have to FORCE people to leave their beloved facebook.

Re:lol

[Americium]

I don't think it's about exclusivity at all, it was about hot college chicks posting photos. It was about a simple design that's easy to use, easy to make, and doesn't crash my computer when I try loading your page. It was about ad sales revenue all going directly to the parent company. Simplicity won.

Now that facebook has won the market, I think Facebook's data being sold off for $10 or $ $100 billion or more to a new company is the most likely way of Facebook's demise.

Unless a future hack is so bad that people are literally FORCED to leave, I'm sure it won't have a major effect.

Re:lol

[johnsnails]

When exactly did Orkut have have its day? Right before or after Buzz?

Re:lol

[cavebison]

Eventually something new will come along and it will split up the same way as it is in 'real life' every one will find their own coffee shops or dives

I know what you're saying but you can't really compare FB to MySpace, though people tend to because they're both "social networks". But FB is much more than that now. On FB you can have your business page, conduct your advertising (I just set one up for a friend who runs a book cafe) with nothing more than your existing site and that ubiquitous "Like" button. You can inform friends of movie nights, your community group of new events (though Meetup does a slightly better job it costs, FB is free). Part of FB's strategy is to firmly embed itself as an invaluable addition to any web site, blog, etc.

MySpace wasn't this ubiquitous by a long shot. It may seem so in retrospect only because its tormented ghost is evoked in every discussion about FB. But it's a completely different animal. MySpace was all about you. FB seems that way but is really all about *connections* - between you and friends, you and your tastes, you and businesses, you and products, you and web sites. And it will keep trying to make more connections, like cancerous neurons. It's focus is networks more than identity as such. As far as FB is concerned, your total network *is* your identity.

As such, it has much more value to investors than MySpace ever did, with its traditional eyeballs and stickiness metrics. FB is beyond that, it's value is in the behaviours and actions of the bodies behind those eyeballs.

It's the Red Weed of the Martian invasion. Yes, it may come crashing down at the hand of the smallest of human considerations - fickleness - but I'm not so sure. I have a feeling their vision is of much wider scope than just a web site for social networking. I may be giving Zuckerberg too much credit, but I feel sure he's not one to think inside the box model, so to speak.

Clean up your own back yard

[syousef]

Instead of telling another business what to do, and jumping on the ever popular Facebook bashing bandwagon, how about you fix your anti-virus software so it doesn't freeze, crash, block access to portable drives silently while it scans them, and leak memory like a sieve. While your at it no anti-virus is perfect so clean up your heuristics. This is nothing more than a shoddy publicity stunt.

I agree with 2 out of 3 of the points though. I think they could make a dog's breakfast out of forcing HTTPS use and block out too many users. Of course if they did it right with a clearly visible link to the HTTPS address it would work (though take a huge toll on their servers). But the other 2 Facebook likely won't do because it would cost them money and increase their responsibility - probably not the best of reasons to ignore security. Vetting app developers costs money and if something gets through probably increases their legal exposure. Making everything private by default decreases Facebook's value which is all about what information is shared. If you don't want something on Facebook, forget privacy options, just don't put it there in the first place. They'd sell your grandmother if they had the right motiviation.

Re:Clean up your own back yard

[Culture20]

Of course if they did it right with a clearly visible link to the HTTPS address it would work (though take a huge toll on their servers).

https://www.facebook.com/editaccount.php
Account Security
Set up secure browsing (https) and login alerts.
Secure Browsing (https)
Browse Facebook on a secure connection (https) whenever possible
When a new computer or mobile device logs into this account: Send me an email

Re:Clean up your own back yard

[daedae]

Unfortunately, "whenever possible" has the side-effect of "when not possible, we're going to disable this option." For instance, I'll turn on https when possible, go play Tetris Battle, it'll say "sorry, we can't display this as https, do you want to switch to http," and if I click yes, it disables https for everything else too.

Re:Clean up your own back yard

[syousef]

I am aware that Facebook has HTTPS login available. I simply meant they need a very visible reminder that you can use HTTPS for improved security on their HTTP login page.

Re:Clean up your own back yard

Oh... So your company is running virus scans every Wednesday for several hours. Good to know, Thx! =)

Re:Clean up your own back yard

[Americano]

Here's what Facebook says:

"Sorry! We can't display this content while you're viewing Facebook over a secure connection (https).
Would you like to temporarily switch to a regular connection (http) to use this app?
You will have a secure connection upon your next login."
(Continue) (Cancel)

It disables https for the current login, it doesn't change the setting in your profile for all time. It clearly asks if you'd like to switch, and allows you to say "No, I'd rather not." I think that's a fairly reasonable default behavior.

If you're playing games on Facebook and allowing apps access to your profile, it's likely that your "privacy" isn't very "private" anyway. Worrying about not being on https while you use Facebook apps and games is sort of closing the barn door after the horses have escaped, isn't it?

Re:Clean up your own back yard

[daedae]

That may or may not be new behavior, but it's still not the ideal behavior. There's no reason (that I know of) I should have to log out and back in to go back to a secure connection. I used to be able to go back to the security settings page to reenable https without logging out and back in, although I see now they've replaced it with "please logout and login again." The obviously correct behavior is to serve whatever page(s) it has to over http, with that interstitial warning page, but continue serving everything else that it can over https.

(I also disagree with your second point, but I'm completely failing at coming up with a well-articulated response to it.)

Re:Clean up your own back yard

[Americano]

You have (potentially) multiple active endpoints, all connecting to the same central server. The central server needs to track whether you're in http or https mode for your session, and apply those settings across all your connections - keeping in mind you could have 1..N pages open to Facebook at any given moment.

Consider this scenario:
1) Window 1 - Sign in to facebook (https), and check your news feed, seeing what your friends are up to;
2) Window 2 - Open a Tetris Battle game session; disable https because you need to battle some tetris with your friends;
3) Tab back to Window 1 a few minutes later, and refresh your connection to your news feed to see what your friends are up to now;

Now stop and consider - what does FB do? You have a game open with http only, but your original tab was served up over https; Should it re-enable https for your session, and perhaps wreck your game in Window 2? That would make a lot of people very annoyed with FB - "You keep breaking my game, FB, HATECHOO."

A very simple way to be sure that you go back to https is to force all the endpoints connected from a given system to reconnect (thus the log out, and back in cycle). I'm sure that FB could put some time and effort into functionality that would detect that you have a game session active, and leave your settings alone, but swap them back if your game session has timed out or been closed; Or they could find a way to serve you non-game data over https, but that all requires engineering time and effort, and it may not be a high priority for them to accomplish.

I'd be interested in even a poorly-articulated response to the second question, because I'm at a loss to see how trusting J. Random Developer with access to your profile would make you comfortable with your "privacy" on Facebook. HTTPS helps prevent session hijacking and things like that, but let's be honest, that sort of an attack is generally going to be opportunistic anyway; if you're connecting from a reasonably secured home network, the likelihood that you'll be singled out by a hacker is fairly low. But there's an awful lot of interesting data that a developer with access to the profiles of 2 million people could aggregate across its 2 million users, don't you think? They have incentive to do so (it could make them some money), and they have opportunity to do so.

Facebook's rogue app risks

[Announcer]

As a frequent user of Facebook, I find the numbers of rogue and bogus applications to be the most annoying aspect of the site. They need to start seriously vetting the developers and apps NOW. No more allowing apps to just be posted and start spreading SPAM from user-to-user.

I use Firefox, with the "NoScript" and "AdBlock" plugins, so 3'rd party sites have no access to ANY scripting functions. This allows me to visit these rogue app's sites and REPORT them, which I do frequently. I also warn my friends who fall victim to them, NOT to click the links posted on their pages. Many of them have thanked me for doing this. I have seen Facebook remove virus apps and links within minutes of my reporting them, which is "good", but not good enough!

It's high time that the people at Facebook took this much more seriously, and use PREVENTION rather than CURE after-the-fact.

Re:Facebook's rogue app risks

[drinkypoo]

I found that setting facebook to always use https has resulted in far fewer lame apps harassing me. For some reason all the worst ones seem to refuse to work in https mode.

Re:Facebook's rogue app risks

[Culture20]

For some reason all the worst ones seem to refuse to work in https mode.

Because if they use a trusted SSL cert, there should be a trail to a real person. Unless they used Comodo.

Re:Facebook's rogue app risks

[definate]

Weird, I setup my privacy settings, quite strictly, and I've never had a problem with this. I occasionally get asked to use an app, which I then block, and never have to see it again. Also, when an app asks for permissions, I just click cancel/deny.

Done.

Really hasn't been a problem. Have you been through ALL of your privacy settings? Some are nested inside others, and may seem quite hidden.

Re:Facebook's rogue app risks

[tlhIngan]

As a frequent user of Facebook, I find the numbers of rogue and bogus applications to be the most annoying aspect of the site. They need to start seriously vetting the developers and apps NOW. No more allowing apps to just be posted and start spreading SPAM from user-to-user.

Two problems.

One, Apple probably has a patent on a curated app store.

Two, Apple App Store. Facebook vetting apps and developers is just like Apple vetting apps.

The only difference is that while Apple demands changes to apps to fulfill its requirements for Apps, Facebook would most likely just start implementing a "reported app fee". For everytime your app is reported, you can pay Facebook $0.01 to keep your app up. After all, Facebook got to make money, and scamming users to get ad pageviews is the name of the game.

Facebook's just about monetizing the user information people voluntarily give to sell to advertisers. Scam apps are just another way for Facebook to do that by keeping users on its site.

Hrm, I think they may be out-Googling Google.

Re:Facebook's rogue app risks

[RogerWilco]

As a frequent user of Facebook, I find the numbers of rogue and bogus applications to be the most annoying aspect of the site. They need to start seriously vetting the developers and apps NOW.

But I thought that this was exactly why everyone over here hated the Apple AppStore? Isn't everything supposed to be free so the users can make their own choices?

Re:Facebook's rogue app risks

[drinkypoo]

Even apps served entirely from/by facebook often have this restriction, so THAT is NOT the problem. Or at least, it's not the only one.

Re:Facebook's rogue app risks

[rsborg]

I found that setting facebook to always use https has resulted in far fewer lame apps harassing me. For some reason all the worst ones seem to refuse to work in https mode.

I'm sure this will change. It's not like it's hard to get a free SSL cert. What you're seeing is that bottom-feeders, like spammers, sometimes take a while to catch up to the tech, but once a significant portion of the userbase is SSL, they will start taking advantage of free certs.

privacy by default (opt-in sharing)

[Culture20]

Most important. Ever since I signed up back in the day when university email address was necessary, Facebook has been steadily changing privacy guidelines and resetting sharing settings to be open. I end up having less and less stuff on my profile.

Re:privacy by default (opt-in sharing)

[initdeep]

that's ok.
they still have everything you ever put up there on their end.

Re:privacy by default (opt-in sharing)

[Culture20]

Sure, they do. But according the the stricter, older guidelines, they can only sell the public info (which is why they try to redefine newly added "links" as public and force you to re-add your old info as links). Sorry, no links for me. They're good at staying just on the legal side of the fence.

Re:privacy by default (opt-in sharing)

[knorthern+knight]

> But according the the stricter, older guidelines, they can only sell
> the public info (which is why they try to redefine newly added
> "links" as public and force you to re-add your old info as links).

I have altered the guidelines; pray that I do not alter them further.

Re:privacy by default (opt-in sharing)

[CaptainZapp]

I end up having less and less stuff on my profile.

Well, here's what's on my Facebook profile: first name, surname, date of birth. Alas, I wonder until today why I gave a true DOB.

What REALLY annoys me more and more about the site is the cutesy passive aggressivness. For example :

You log in after some time and get some : Hello, your account is not secure. Enter cell phone # to secure it. Now hold on a second: My private information is not secure unless I provide you with more private information? Yeah, sure!

Finally in, you're greated by a blinking banner of the sort 10 of your friends live in $CITY. Click here if you live in $CITY

I use Facebook a few times a year. But if they push up the bullshitometer any further I'll definitely (pseudo-) delete my account.

Assholes!

Re:privacy by default (opt-in sharing)

[Culture20]

You just made me feel like Billy Dee Williams. Thank you. :)

Easy answer.

[man_ls]

Easy answer: doing those things will hurt Facebook's bottom line. So, they won't until forced.

Re:Easy answer.

just stop using facebook you idiots

Re:Easy answer.

[smash]

I'm not sure if you've experienced having friends in real life, but unfortunately the masses put everything on facebook. Everything is organised on facebook. If you're not on facebook in some way, you are excluded from social gatherings. Now to your typical slashdot nerd that may not matter, but to those of us who have non-nerd friends, not being on facebook means you never find out what they're up to any more, don't get invited to stuff ("I put it on facebook!"), etc.

Keep Up the Pressure

[ohnocitizen]

Clamping down on third party apps alone would make facebook more secure. Require https for apps, and ban predatory apps. There is an app that creates a status message that looks like a standard "hey look at this" link in your feed. When a friend clicks it, it not only brings them to the target link, it automatically publishes that same status on their wall without them having even installed the app. I wonder what else apps can do without explicit user permission? Really, given the increasing frequency of facebook status updates being admitted in court and used by potential employers - that could be quite enough to get you in a heap of trouble. So I say - keep up the pressure. Either Facebook will get the right idea, or perhaps an ethical congress person (heh, I know) will propose regulation, or perhaps a white hat hacker will expose just how nasty this kind of security hole can be - and the resulting nasty PR will force Facebook's hand. (Accidentally posted this when I wasn't logged in).

Re:Keep Up the Pressure

[GP1911]

Please provide an example of a link that automatically posts a status update without granting it permission to post your stream. If this were possible, it would be patched immediately by Facebook.

And two factor authentication...

[HerculesMO]

If I can have my World of Warcraft account secured with a two factor authentication, I should be able to do this for Facebook. Seriously.

Re:And two factor authentication...

[z0idberg]

How much do you pay for your WOW account? And how much do you pay for your facebook account? I imagine part of a WOW subscription pays for the outlay in cost for the authentication. Would anyone be willing to pay a small fee to get two-factor authentication to Facebook? I wouldn't and I very much doubt many other people would either. And there isn't much incentive for Facebook to wear the costs of it.

Re:And two factor authentication...

[lawnboy5-O]

Moot argument - Facebook does not depend on the same types of revenue streams and is not part of a traditional business model. They make the money that warrants this type of security.

Re:And two factor authentication...

[z0idberg]

If someone breaks into your WOW account then the vendor has to investigate and correct it etc. as there is "real life" money involved. You can get your credit card company involved, or your bank, or even the police.

If someone breaks into your facebook account who are you actually going to call? Who will care?

Re:And two factor authentication...

[MrNemesis]

I imagine facebook's idea of two-factor authentication is your DNA sequence hashed with your pre-tax income, and your signature on a legal disclaimer.

Re:And two factor authentication...

[johnsnails]

I call setup!

Re:And two factor authentication...

[stewbacca]

Purely anecdotal, but my WoW account has been compromised probably 10 times in the past 3 years. My Facebook account has never been compromised.

Re:And two factor authentication...

[swillden]

Two-factor doesn't have to cost much. Your phone can be the second factor. In the case of smartphones, a one-time password generator can be installed as an app, or you can get even more sophisticated and have the web site display a 2D barcode which a phone app photographs, munges into an auth code and sends via the data network. For traditional phones, the site can SMS a one-time password to the phone.

Of course, this assumes that the phone isn't the device accessing FB in the first place.

Re:And two factor authentication...

[Americano]

$15/month, generally. And I suspect that Blizzard has already recouped the costs of developing the authenticator & associated infrastructure, since it will help them reduce "my account was hacked" complaints & restores, which in turn means less customer service staffing required; Keeping warm bodies (even minimum wage) in a seat 16x5 is a lot more expensive than devoting some spare cycles on a server rack to handling the additional authentication load.

If Facebook becomes a significant target with many accounts being hacked like WoW accounts, two-factor authentication like the Blizzard Mobile Authenticator might be a wise cost-saving investment for them.

As far as paying to have it on Facebook... I'm not sure I'd see much value to it. I'd rather have it on financial services first, that's for sure. If FB offered a "premium" - i.e., 'ad-free, your data is all yours to control and we won't use it in any advertising, etc.' - even then, I'm not sure I'd trust it, simply because posting your "secrets" up in the cloud seems rather... un-secret. I don't post anything I consider remotely 'private / sensitive / secret' now, and I doubt I'd change that behavior even with an ad-free FB service available.

Re:And two factor authentication...

[Americano]

Differences in scope - WoW data is valuable, regardless of who the owner is, because you can strip the characters of gear, gold, etc., and convert that gold into hard currency in the real world by selling it to the "black market" - gold sellers, who will turn around and sell it back to other players. An individual's Facebook data is not so valuable on a case-by-case basis. This is why hackers go after the central data stores of these companies, rather than hacking a hundred thousand accounts individually.

If somebody hacks your Facebook account, they might get some embarrassing stuff about you if you're dumb enough to post embarrassing data to Facebook, but there's not a lot of readily salable bits on Facebook. Marketing and advertising relies on large aggregate data sets; Knowing that YOU, specifically, really love Beanie Babies doesn't really help an advertising and marketing company develop an ad campaign. Knowing that 100,000 people who all like certain things ALSO tend to really love Beanie Babies... that might be useful information, but Facebook is already selling THAT information to the marketers, so there's very little need or demand for a "black market" source of this data, especially because hacking FB's accounts would also piss off a large company with a lot of money and a legal team on staff. Hacking your Facebook page will piss YOU off, but you're probably not going to unleash a team of bloodthirsty lawyers on the hacker. You'll just change your password, and moan about how people suck for a while.

Re:And two factor authentication...

[stewbacca]

Differences in scope - WoW data is valuable, regardless of who the owner is, ...An individual's Facebook data is not so valuable on a case-by-case basis.

Exactly. And this is why I scoff at the hyperbole of any and all Facebook + Privacy!! articles posted on slashdot.

I don't expect my stuff to be private on Facebook. The whole point of Facebook goes against the concept of privacy.

Re:And two factor authentication...

[Americano]

Agreed - there's a lot of unnecessarily lurid prose about privacy and Facebook. When it comes to privacy, Benjamin Franklin said it best: "Three may keep a secret if two of them are dead."

I'd say the most embarrassing tidbit to be found on my Facebook profile would be my revelation that I enjoy the music of Bruce Springsteen. Imagine, if you can, the horror and dismay of my parents and family and friends when their image of me - indeed, what they had assumed was the solid bedrock of their lives - was shattered irreparably by my coming-out as a Springsteen fan.

Re:And two factor authentication...

[Uzuri]

And it also assumes that you'd want Facebook to have access to your cell number.

Which I suppose a lot of people would. So never mind.

Why? Indeed!

[140Mandak262Jamuna]

. 'Our question to Facebook is this — why wait until regulators force your hand on privacy? Act now for the greater good of all.'"

Why lose all that oodles of money that they could make by selling access to the users' personal data to dataminer? Facebook is not a charity. It is there to make money. It has to make money at some blistering pace, even if it is sustainable for just a short duration. Long enough for the founders and sugar daddy venture capitalists to dump stock and realize the gains. Then... well, who cares what happens then.

Because the kid that runs the place ...

Doesn't give a shit!

I still do not understand why people haven't figured this out yet.

Experts Again!

[furgle]

"Security experts are calling on... ". Zap
Expert Experts are encouraging Security Experts to change their language from "calling on" to "asking". The Expert Experts believe that "calling on" is one way street and "asking" would open a "dialogue". This "dialogue" can help with "discussion" of a "three point plan", allowing possible evolution of the solution to a "two point plan", a "one point plan" or an "item of consideration".
The Expert Experts think that by "calling on" the Security Experts may be ignored. If any Expert is ignored it is often implied they are not Experts which is not a desirable outcome.

Three Point Plan

[FatLittleMonkey]

1. "User settings"
2. "Delete Account"
3. "Yes"

Re:Three Point Plan

[Anubis+IV]

Facebook is really good at securing against certain threats, like users leaving. In the case of your plan, they secured against that potential threat by making the process of deactivating your account cumbersome and tedious, only allowing you to deactivate it (as opposed to deleting it), and reactivating your account if you ever log back in again, which puts it back as if you never left in the first place. Basically, the barrier for departure is high, the barrier for reentry is so easy that most people probably do it by accident, and Facebook gets to keep all of your valuable data regardless.

Re:Three Point Plan

[hedwards]

I've done that in the past. The problem for some is that it can be a challenge to get the email set to something that you can't access, after validating the change. This is one of the nice things about disposable email addresses. You can use them for locking accounts that you can't help but unlock.

Re:Three Point Plan

[bmo]

How hard would it be to get a judgment against Facebook forcing them to delete your data?

It shouldn't be too difficult, but I've bounced this idea around in my head for a while now since I learned that they never delete anything.

Has anyone tried?

--
BMO

HTTPS always-on

[Anubis+IV]

It's one feature I wouldn't mind being opted-in to without my permission.

Unfortunately, since the time that I signed up back when you still had to select your university from a pull-down menu of just a few schools, they instead decided to opt me in for a few other "features":
1) Sharing my information via Beacon with trusted partners like Blockbuster, CBS, Verizon, Sony, and the New York Times (all of whom are known for the care they take in handling their customers and the privacy of their customers/sarcasm), despite the fact that I had previously opted-out of sharing my information with third parties.
2) Listing me on a page for every single item I had listed as a "favorite" or "interest", effectively making them publicly accessible information that could be crawled or seen by anyone, despite the fact that I had opted-out of sharing that information previously.
3) Allowing anyone to view a complete list of my friends, even if I don't know them or anyone else who knows them, despite the fact that I had opted to make my profile, which was previously the only method of accessing that information, accessible to "Friends Only".
4) And in what I sincerely hope is a bug but suspect is not, letting anyone at all see all of my pictures, despite the fact that I had my settings explicitly set to "Friends Only" for all of my picture settings.

On that last one, I was seriously peeved too, since one of my housemates (who I hadn't friended yet) was able to see all of my pics without a problem. I'm not sure if it was a bug or what, since it was completely contrary to my settings, but I didn't stick around to find out since it was well past strike three for Facebook at that point. Instead, I closed my account within the hour and haven't looked back.

Re:HTTPS always-on

[Culture20]

And in what I sincerely hope is a bug but suspect is not, letting anyone at all see all of my pictures, despite the fact that I had my settings explicitly set to "Friends Only" for all of my picture settings. On that last one, I was seriously peeved too, since one of my housemates (who I hadn't friended yet) was able to see all of my pics without a problem. I'm not sure if it was a bug or what, since it was completely contrary to my settings

Let me guess, this happened in the last month? A few friends of mine and I noticed random privacy changes with a "helpful" pop-up saying the data was publicly available, and we should check the settings. I _know_ I set them to be friends-only. BTW, this was over the new https-only setup, so I know that I wasn't being MITM'd.

FB misleads users on security

[Trufagus]

It's one thing that they don't do enough to protect their users, but what really bugs me is that they trick their users about what security means in an attempt to get more info out of their users.

In recent months I've been getting messages from FB warning me that my account is not secure. When I look at the steps they want me to take they have nothing to do with making my account more secure and everything to do with extracting more personal info from me. I think that using people's concerns about security to trick them into giving more personal info is quite slimy.

Regulation isn't the right way

First and foremost - if you don't like Facebook then don't use it. Nobody's twisting your arm to make you use it.

Secondly I don't think regulation would ever help. Companies like Facebook will always find a way to weasel out of it: "oh, it's too expensive" or "oh, we'll move to another state." The only way to force the required privacy changes through is to make the directors of these companies accessories to the crimes. If the directors are personally held accountable and required to pay fines, do jail time, etc., for the crimes committed through their portals using identity theft, stalking and so on then we'll start to see sweeping changes to how these businesses operate online.

Won't happen, and they know it

[Jugalator]

This will obviously not happen (sharing off by default!? haha, good one!), and even Sophos probably knows that.

They're just coming forward because they want to get free advertising as a security company that cares for user privacy. That is all. Empty story here.

Vetted devs?

[stewbacca]

Funny how vetting devs is considered a good thing in this article, but when Apple does it with the App store, it's called "lock in".

Re:Vetted devs?

[Uksi]

Shh, Slashdot heads might explode.

Yeah

[bmo]

Just the other day I got a "so and so has made you an administrator of x page" from FB (actual facebook message, not some fake thing).

I go to try and report it, and lo and behold there is no way to report it except by going to the page and clicking "report."

The FUCKING PROBLEM is that the page has HOSTILE JAVASCRIPT as part of the worm and simply navigating to it makes it impossible to back out unless you force-close (kill -9) the browser entirely.

Yes, Facebook has security problems, and they've insulated themselves pretty well from reporting them too.

Jerks.

--
BMO

Re:What did you expect?

[herojig]

Face to Face? Dead as a doornail. "The world has moved on..."

In related news...

[andrea.sartori]

...90% of Sophos "news" feed from the last months consists in highlights of Facebook scams, warnings about "specially engineered" posts, and the likes. Maybe they are just trying to con FB into hiring them as their "Security Provider"?

Re:Keep the Pressure Up

[GP1911]

When you go to these links, they ask you for authorization to post to your stream. It does not happen automatically after clicking the link. These types of apps are also already banned, of course, but Facebook is a quite slow at moderation. They do need to do a bit of work on that.

Was it a body slam?

[AP31R0N]

We need a new metaphor for "criticize" than violence. "Rachel Maddow eviscerated Ron Paul!" "Ron Paul put Rachel Maddow in a head lock, then decaptitated her with a spork!"

Re:Unsecure security

[igy]

Actually it's because most third party apps are served in iframes and forcing HTTPS causes mixed content warnings