Slashdot Mirror


Sophos Slams Facebook Security In Open Letter

An anonymous reader writes "Security experts are calling on Facebook to implement a three-point plan to improve safety online. Sophos says it receives reports every day of crime and fraud on Facebook, and that victims are desperate for advice on how to clean up their profiles and undo the consequences. In an open letter to Facebook, the firm calls upon the social networking giant to adopt three principles: privacy by default (opt-in sharing), vetted app developers, and use of https whenever possible. 'Our question to Facebook is this — why wait until regulators force your hand on privacy? Act now for the greater good of all.'"

17 of 96 comments

  1. No, No and No by WrongSizeGlass · Score: 2, Interesting

    adopt three principles: privacy by default (opt-in sharing), vetted app developers, and use of https whenever possible

    Their answer is very predictable: No, no and no.

    If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

    1. Re:No, No and No by WrongSizeGlass · Score: 2, Interesting

      If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

      That should be "If information doesn't "leak" out of Facebook ..."

    2. Re:No, No and No by fuzzyfuzzyfungus · Score: 4, Insightful

      If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

      I think no more highly of Facebook's adherence to any principles other than their bottom line than you do; but I think that it might not be so clear cut...

      Facebook's position of strength lies in having massive network effects, and piles of user data, that draw users back so that their consumery little eyeballs can be monetized until they bleed. What could weaken their position? 1. 'Their' data being trivially available by assorted dodgy-but-easy means without paying them for access to it. 2. People disclosing less because they have heard that Bad Things Can Happen, Oh Noes!

      Now, the second item is as likely, or more, to simply elicit cynical displays of 'security' which, after all, are cheaper and easier than the real thing; but the effects of number one could be interesting. Facebook obviously has not the slightest interest in your privacy; but their revenue stream depends on being the gatekeeper to any commercial scale violation of it. The market value of their precious "social graph" goes way down if 95% of it can be swiftly scraped by building a bottom-of-the-barrel malicious app that collects users', users' friends', and friends-of-friends' details, or if some combination of spiders and cheap summer interns equipped with attractive stock photos can collect the public stuff.

      They obviously have no reason to protect privacy; but it is arguably very much in their interest to have a saleable monopoly position on information disclosures. Particularly if somebody like Phorm or Nebuad shows up and starts snagging Facebook info right off the wire, I'm guessing that Facebook will suddenly start to take SSL a bit more seriously.

    3. Re:No, No and No by MightyMartian · Score: 2, Funny

      Zuckerberg's answer is "I'm a fucking billionaire, you worthless halfwits. I'm bigger than Jesus, Buddha and Muhammad Ali combined. If I choose to sell the email addresses of the worthless worms who use Facebook to Russian mobsters in South Africa, that's my business and fuck anyone who questions me. I could buy their mothers and use them as my bitches and throw them out without any breakfast because I'm Mark Motherfucking Zuckerberg"

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

  2. lol by smash · Score: 5, Insightful

    Our question to Facebook is this — why wait until regulators force your hand on privacy?

    Answer: because that would interfere with our business model.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.

    1. Re:lol by Nikker · Score: 5, Interesting

      Right now Zuckerberg might be known as the Billion Dollar Kid but that's really not the case. His company is valued at 50 billion; I don't really see that lasting because it's just all about paper. On paper Facebook looks huge, and with MS and a few other big guys on the bandwagon there are fewer companies to jump in on the idea. At the end of the day Zuckerberg was right: it is all about exclusivity. It's the same reason people hang out at certain places, but when everyone shows up at your hangout and you can't kick them out you eventually find a better spot for yourself.

      MySpace was exclusive in a way because it was the first of its kind; then it became, well, lame. Then Facebook comes along and only the select few can join, but now the bar is so low anyone with a pulse and a keyboard can join. Eventually something new will come along and it will split up the same way as it is in 'real life': everyone will find their own coffee shops or dives and kill time there. There will be intermittent communication between the groups but they will mainly stay where they are.

      C'est la vie.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.

  3. Facebook's rogue app risks by Announcer · Score: 5, Insightful

    As a frequent user of Facebook, I find the number of rogue and bogus applications to be the most annoying aspect of the site. They need to start seriously vetting the developers and apps NOW. No more allowing apps to just be posted and start spreading SPAM from user-to-user.

    I use Firefox, with the "NoScript" and "AdBlock" plugins, so 3rd party sites have no access to ANY scripting functions. This allows me to visit these rogue apps' sites and REPORT them, which I do frequently. I also warn my friends who fall victim to them NOT to click the links posted on their pages. Many of them have thanked me for doing this. I have seen Facebook remove virus apps and links within minutes of my reporting them, which is "good", but not good enough!

    It's high time that the people at Facebook took this much more seriously, and use PREVENTION rather than CURE after-the-fact.

    --
    Willie...

    1. Re:Facebook's rogue app risks by drinkypoo · Score: 2

      I found that setting facebook to always use https has resulted in far fewer lame apps harassing me. For some reason all the worst ones seem to refuse to work in https mode.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    2. Re:Facebook's rogue app risks by Culture20 · Score: 3, Insightful

      For some reason all the worst ones seem to refuse to work in https mode.

      Because if they use a trusted SSL cert, there should be a trail to a real person. Unless they used Comodo.

  4. Easy answer. by man_ls · Score: 2

    Easy answer: doing those things will hurt Facebook's bottom line. So, they won't until forced.

    1. Re:Easy answer. by Anonymous Coward · Score: 2, Insightful

      just stop using facebook you idiots

    2. Re:Easy answer. by smash · Score: 2

      I'm not sure if you've experienced having friends in real life, but unfortunately the masses put everything on facebook. Everything is organised on facebook. If you're not on facebook in some way, you are excluded from social gatherings. Now to your typical slashdot nerd that may not matter, but to those of us who have non-nerd friends, not being on facebook means you never find out what they're up to any more, don't get invited to stuff ("I put it on facebook!"), etc.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.

  5. And two factor authentication... by HerculesMO · Score: 5, Insightful

    If I can have my World of Warcraft account secured with a two factor authentication, I should be able to do this for Facebook. Seriously.

    --
    The price is always right if someone else is paying.

  6. Re:Clean up your own back yard by Culture20 · Score: 4, Informative

    Of course if they did it right with a clearly visible link to the HTTPS address it would work (though take a huge toll on their servers).

    https://www.facebook.com/editaccount.php
    Account Security
    Set up secure browsing (https) and login alerts.
    Secure Browsing (https)
    Browse Facebook on a secure connection (https) whenever possible
    When a new computer or mobile device logs into this account: Send me an email

  7. Re:privacy by default (opt-in sharing) by initdeep · Score: 2

    that's ok.
    they still have everything you ever put up there on their end.

  8. Re:Clean up your own back yard by Anonymous Coward · Score: 2, Funny

    Oh... So your company is running virus scans every Wednesday for several hours. Good to know, Thx! =)

  9. FB misleads users on security by Trufagus · Score: 2

    It's one thing that they don't do enough to protect their users, but what really bugs me is that they trick their users about what security means in an attempt to get more info out of their users.

    In recent months I've been getting messages from FB warning me that my account is not secure. When I look at the steps they want me to take they have nothing to do with making my account more secure and everything to do with extracting more personal info from me. I think that using people's concerns about security to trick them into giving more personal info is quite slimy.