Forgot your password?
typodupeerror
Facebook Privacy Security Your Rights Online

Sophos Slams Facebook Security In Open Letter 96

Posted by Soulskill
from the proactive-vs-slowactive dept.
An anonymous reader writes "Security experts are calling on Facebook to implement a three-point plan to improve safety online. Sophos says it receives reports every day of crime and fraud on Facebook, and that victims are desperate for advice on how to clean up their profiles and undo the consequences. In an open letter to Facebook, the firm calls upon the social networking giant to adopt three principles: privacy by default (opt-in sharing), vetted app developers, and use of https whenever possible. 'Our question to Facebook is this — why wait until regulators force your hand on privacy? Act now for the greater good of all.'"
This discussion has been archived. No new comments can be posted.

Sophos Slams Facebook Security In Open Letter

Comments Filter:
  • No, No and No (Score:3, Interesting)

    by WrongSizeGlass (838941) on Monday April 18, 2011 @10:20PM (#35863614)

    adopt three principles: privacy by default (opt-in sharing), vetted app developers, and use of https whenever possible

    Their answer is very predictable: No, no and no.

    If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

    • Re: (Score:3, Interesting)

      If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

      That should be "If information doesn't "leak" out of Facebook ..."

    • Re:No, No and No (Score:5, Insightful)

      by fuzzyfuzzyfungus (1223518) on Monday April 18, 2011 @10:48PM (#35863838) Journal

      If information does "leak" out of Facebook their precious company won't be worth the billions and billions they seem to think it is.

      I think no more highly of Facebook's adherence to any principles other than their bottom line than you do; but I think that it might not be so clear cut...

      Facebook's position of strength lies in having massive network effects, and piles of user data, that draw users back so that their consumery little eyeballs can be monetized until they bleed. What could weaken their position? 1. 'Their' data being trivially available by assorted dodgey-but-easy means without paying them for access to it. 2. People disclosing less because they have heard that Bad Things Can Happen, Oh Noes!

      Now, the second item is as likely, or more, to simply elicit cynical displays of 'security' which, after all, are cheaper and easier than the real thing; but the effects of number one could be interesting. Facebook obviously has not the slightest interest in your privacy; but their revenue stream depends on being the gatekeeper to any commercial scale violation of it. The market value of their precious "social graph" goes way down if 95% of it can be swiftly scraped by building a bottom-of-the-barrel malicious app that collects users', users' friends', and friends' of friends, details, or if some combination of spiders and cheap summer interns equipped with attractive stock photos can collect the public stuff.

      They obviously have no reason to protect privacy; but it is arguably very much in their interest to have a saleable monopoly position on information disclosures. Particularly if somebody like Phorm or Nebuad shows up and starts snagging Facebook info right off the wire, I'm guessing that Facebook will suddenly start to take SSL a bit more seriously.

    • Re: (Score:3, Funny)

      by MightyMartian (840721)

      Zuckerberg's answer is "I'm a fucking billionaire, you worthless halfwits. I'm bigger than Jesus, Buddha and Muhammad Ali combined. If I choose to sell the email addresses worthless worms who use Facebook to Russian mobsters in South Africa, that's my business and fuck anyone who questions me. I could buy their mothers and use them as my bitches and throw them out without any breakfast because I'm Mark Motherfucking Zuckerberg"

  • lol (Score:5, Insightful)

    by smash (1351) on Monday April 18, 2011 @10:27PM (#35863668) Homepage Journal

    Our question to Facebook is this — why wait until regulators force your hand on privacy?

    Answer: because that would interfere with our business model.

    • Re:lol (Score:5, Interesting)

      by Nikker (749551) on Monday April 18, 2011 @11:15PM (#35864022)
      Right now Zuckerberg might be known as the Billion Dollar Kid but that's really not the case. His company is valued at 50 Billion I don't really see that lasting because it's just all about paper. On paper Facebook looks huge and with MS and a few other big guys on the bandwagon they're are fewer companies to jump in on the idea. At the end of the day Zuckerberg was right it is all about exclusivity, it's the same reason people hang out at certain places but when every one shows up at your hangout and you can't kick them out you eventually find a better spot for yourself.

      MySpace was exclusive in a way because it was the first of it's kind then it became well, lame. Then Facebook comes along and only the select few can join but now the bar is so low anyone with a pulse and a keyboard can join. Eventually something new will come along and it will split up the same way as it is in 'real life' every one will find their own coffee shops or dives and kill time there will be intermittent communication between the groups but they will mainly stay where they are.

      Ces't la vie.
      • by Animats (122034)

        At the end of the day Zuckerberg was right it is all about exclusivity, it's the same reason people hang out at certain places but when every one shows up at your hangout and you can't kick them out you eventually find a better spot for yourself.

        I've made that observation before. Social networking sites have a life cycle, like nightclubs. AOL, Geocities, Friendster, Orkut, Myspace, etc. all had their day.

        That may have changed, though, with mobile integration. When Helio tied in Myspace and GPS tracking on their phones, I thought that integrating social networking with mobile was going to be the next big thing. It was, but not with Helio. There's more of a lock-in with phone integration. Nobody seems to be threatening Facebook right now.

        • I don't think it's about exclusivity at all, it was about hot college chicks posting photos. It was about a simple design that's easy to use, easy to make, and doesn't crash my computer when I try loading your page. It was about ad sales revenue all going directly to the parent company. Simplicity won.

          Now that facebook has won the market, I think Facebook's data being sold off for $10 or $ $100 billion or more to a new company is the most likely way of Facebook's demise.

          Unless a future hack is so bad

        • When exactly did Orkut have have its day? Right before or after Buzz?
      • Well until eventually, they will continue to rake in Billions in ad sales. It was almost 2 Billion last year, that's a P/E ratio of 25, right on par with other publicly traded companies.

        It's impossible to break into the facebook model nowadays. It's like saying Google is just a search engine, someone else will come along and push them away. Perhaps Bing will, but what you are saying is that it'll be some small startup, I just don't see it happening unless they do something stupid, oh wait... they do tha

      • Eventually something new will come along and it will split up the same way as it is in 'real life' every one will find their own coffee shops or dives

        I know what you're saying but you can't really compare FB to MySpace, though people tend to because they're both "social networks". But FB is much more than that now. On FB you can have your business page, conduct your advertising (I just set one up for a friend who runs a book cafe) with nothing more than your existing site and that ubiquitous "Like" button. You can inform friends of movie nights, your community group of new events (though Meetup does a slightly better job it costs, FB is free). Part of FB

  • Instead of telling another business what to do, and jumping on the ever popular Facebook bashing bandwagon, how about you fix your anti-virus software so it doesn't freeze, crash, block access to portable drives silently while it scans them, and leak memory like a sieve. While your at it no anti-virus is perfect so clean up your heuristics. This is nothing more than a shoddy publicity stunt.

    I agree with 2 out of 3 of the points though. I think they could make a dog's breakfast out of forcing HTTPS use and b

    • by Culture20 (968837) on Monday April 18, 2011 @10:34PM (#35863746)

      Of course if they did it right with a clearly visible link to the HTTPS address it would work (though take a huge toll on their servers).

      https://www.facebook.com/editaccount.php [facebook.com]
      Account Security
      Set up secure browsing (https) and login alerts.
      Secure Browsing (https)
      Browse Facebook on a secure connection (https) whenever possible
      When a new computer or mobile device logs into this account: Send me an email

      • by daedae (1089329)
        Unfortunately, "whenever possible" has the side-effect of "when not possible, we're going to disable this option." For instance, I'll turn on https when possible, go play Tetris Battle, it'll say "sorry, we can't display this as https, do you want to switch to http," and if I click yes, it disables https for everything else too.
        • by Americano (920576)

          Here's what Facebook says:

          "Sorry! We can't display this content while you're viewing Facebook over a secure connection (https).
          Would you like to temporarily switch to a regular connection (http) to use this app?
          You will have a secure connection upon your next login."
          (Continue) (Cancel)

          It disables https for the current login, it doesn't change the setting in your profile for all time. It clearly asks if you'd like to switch, and allows you to say "No, I'd rather not." I think that's a fairly reasonable de

          • by daedae (1089329)

            That may or may not be new behavior, but it's still not the ideal behavior. There's no reason (that I know of) I should have to log out and back in to go back to a secure connection. I used to be able to go back to the security settings page to reenable https without logging out and back in, although I see now they've replaced it with "please logout and login again." The obviously correct behavior is to serve whatever page(s) it has to over http, with that interstitial warning page, but continue serving

            • by Americano (920576)

              You have (potentially) multiple active endpoints, all connecting to the same central server. The central server needs to track whether you're in http or https mode for your session, and apply those settings across all your connections - keeping in mind you could have 1..N pages open to Facebook at any given moment.

              Consider this scenario:
              1) Window 1 - Sign in to facebook (https), and check your news feed, seeing what your friends are up to;
              2) Window 2 - Open a Tetris Battle game session; disable https be

      • by syousef (465911)

        I am aware that Facebook has HTTPS login available. I simply meant they need a very visible reminder that you can use HTTPS for improved security on their HTTP login page.

    • by digsbo (1292334)

      how about you fix your anti-virus software so it doesn't freeze, crash, block access to portable drives silently while it scans them, and leak memory like a sieve.

      Amen to that. My whole office stops meaningful work for several hours on Wednesdays when the scheduled Sophos scan begins. It takes my dual core system w/ 4GB ram and a 10,000 rpm hard drive fifteen minutes to become usable after booting because of Sophos start-up scans. Sophos is a garbage product and their company is garbage, and I hope they go out of business.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Oh... So your company is running virus scans every Wednesday for several hours. Good to know, Thx! =)

  • by Announcer (816755) on Monday April 18, 2011 @10:28PM (#35863680) Homepage

    As a frequent user of Facebook, I find the numbers of rogue and bogus applications to be the most annoying aspect of the site. They need to start seriously vetting the developers and apps NOW. No more allowing apps to just be posted and start spreading SPAM from user-to-user.

    I use Firefox, with the "NoScript" and "AdBlock" plugins, so 3'rd party sites have no access to ANY scripting functions. This allows me to visit these rogue app's sites and REPORT them, which I do frequently. I also warn my friends who fall victim to them, NOT to click the links posted on their pages. Many of them have thanked me for doing this. I have seen Facebook remove virus apps and links within minutes of my reporting them, which is "good", but not good enough!

    It's high time that the people at Facebook took this much more seriously, and use PREVENTION rather than CURE after-the-fact.

    • by drinkypoo (153816)

      I found that setting facebook to always use https has resulted in far fewer lame apps harassing me. For some reason all the worst ones seem to refuse to work in https mode.

      • by Culture20 (968837) on Monday April 18, 2011 @10:39PM (#35863784)

        For some reason all the worst ones seem to refuse to work in https mode.

        Because if they use a trusted SSL cert, there should be a trail to a real person. Unless they used Comodo.

        • by drinkypoo (153816)

          Even apps served entirely from/by facebook often have this restriction, so THAT is NOT the problem. Or at least, it's not the only one.

      • by rsborg (111459)

        I found that setting facebook to always use https has resulted in far fewer lame apps harassing me. For some reason all the worst ones seem to refuse to work in https mode.

        I'm sure this will change. It's not like it's hard to get a free SSL cert [startcom.org]. What you're seeing is that bottom-feeders, like spammers, sometimes take a while to catch up to the tech, but once a significant portion of the userbase is SSL, they will start taking advantage of free certs.

    • by definate (876684)

      Weird, I setup my privacy settings, quite strictly, and I've never had a problem with this. I occasionally get asked to use an app, which I then block, and never have to see it again. Also, when an app asks for permissions, I just click cancel/deny.

      Done.

      Really hasn't been a problem. Have you been through ALL of your privacy settings? Some are nested inside others, and may seem quite hidden.

    • by tlhIngan (30335)

      As a frequent user of Facebook, I find the numbers of rogue and bogus applications to be the most annoying aspect of the site. They need to start seriously vetting the developers and apps NOW. No more allowing apps to just be posted and start spreading SPAM from user-to-user.

      Two problems.

      One, Apple probably has a patent on a curated app store.

      Two, Apple App Store. Facebook vetting apps and developers is just like Apple vetting apps.

      The only difference is that while Apple demands changes to apps to fulfill i

    • by RogerWilco (99615)

      As a frequent user of Facebook, I find the numbers of rogue and bogus applications to be the most annoying aspect of the site. They need to start seriously vetting the developers and apps NOW.

      But I thought that this was exactly why everyone over here hated the Apple AppStore? Isn't everything supposed to be free so the users can make their own choices?

  • Most important. Ever since I signed up back in the day when university email address was necessary, Facebook has been steadily changing privacy guidelines and resetting sharing settings to be open. I end up having less and less stuff on my profile.
    • by initdeep (1073290)

      that's ok.
      they still have everything you ever put up there on their end.

      • by Culture20 (968837)
        Sure, they do. But according the the stricter, older guidelines, they can only sell the public info (which is why they try to redefine newly added "links" as public and force you to re-add your old info as links). Sorry, no links for me. They're good at staying just on the legal side of the fence.
        • > But according the the stricter, older guidelines, they can only sell
          > the public info (which is why they try to redefine newly added
          > "links" as public and force you to re-add your old info as links).

          I have altered the guidelines; pray that I do not alter them further.

    • I end up having less and less stuff on my profile.

      Well, here's what's on my Facebook profile: first name, surname, date of birth. Alas, I wonder until today why I gave a true DOB.

      What REALLY annoys me more and more about the site is the cutesy passive aggressivness. For example :

      You log in after some time and get some : Hello, your account is not secure. Enter cell phone # to secure it. Now hold on a second: My private information is not secure unless I provide you with more private information? Yeah, sure!

      Finally in, you're greated by a blinking banne

  • Easy answer: doing those things will hurt Facebook's bottom line. So, they won't until forced.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      just stop using facebook you idiots

      • by smash (1351)
        I'm not sure if you've experienced having friends in real life, but unfortunately the masses put everything on facebook. Everything is organised on facebook. If you're not on facebook in some way, you are excluded from social gatherings. Now to your typical slashdot nerd that may not matter, but to those of us who have non-nerd friends, not being on facebook means you never find out what they're up to any more, don't get invited to stuff ("I put it on facebook!"), etc.
  • Clamping down on third party apps alone would make facebook more secure. Require https for apps, and ban predatory apps. There is an app that creates a status message that looks like a standard "hey look at this" link in your feed. When a friend clicks it, it not only brings them to the target link, it automatically publishes that same status on their wall without them having even installed the app. I wonder what else apps can do without explicit user permission? Really, given the increasing frequency of fa
    • by GP1911 (1439907)
      Please provide an example of a link that automatically posts a status update without granting it permission to post your stream. If this were possible, it would be patched immediately by Facebook.
  • by HerculesMO (693085) on Monday April 18, 2011 @10:31PM (#35863710)

    If I can have my World of Warcraft account secured with a two factor authentication, I should be able to do this for Facebook. Seriously.

    • by z0idberg (888892)
      How much do you pay for your WOW account? And how much do you pay for your facebook account? I imagine part of a WOW subscription pays for the outlay in cost for the authentication. Would anyone be willing to pay a small fee to get two-factor authentication to Facebook? I wouldn't and I very much doubt many other people would either. And there isn't much incentive for Facebook to wear the costs of it.
      • Moot argument - Facebook does not depend on the same types of revenue streams and is not part of a traditional business model. They make the money that warrants this type of security.
        • by z0idberg (888892)
          If someone breaks into your WOW account then the vendor has to investigate and correct it etc. as there is "real life" money involved. You can get your credit card company involved, or your bank, or even the police.

          If someone breaks into your facebook account who are you actually going to call? Who will care?
      • by swillden (191260)

        Two-factor doesn't have to cost much. Your phone can be the second factor. In the case of smartphones, a one-time password generator can be installed as an app, or you can get even more sophisticated and have the web site display a 2D barcode which a phone app photographs, munges into an auth code and sends via the data network. For traditional phones, the site can SMS a one-time password to the phone.

        Of course, this assumes that the phone isn't the device accessing FB in the first place.

        • by Uzuri (906298)

          And it also assumes that you'd want Facebook to have access to your cell number.

          Which I suppose a lot of people would. So never mind.

      • by Americano (920576)

        $15/month, generally. And I suspect that Blizzard has already recouped the costs of developing the authenticator & associated infrastructure, since it will help them reduce "my account was hacked" complaints & restores, which in turn means less customer service staffing required; Keeping warm bodies (even minimum wage) in a seat 16x5 is a lot more expensive than devoting some spare cycles on a server rack to handling the additional authentication load.

        If Facebook becomes a significant target with

    • by MrNemesis (587188)

      I imagine facebook's idea of two-factor authentication is your DNA sequence hashed with your pre-tax income, and your signature on a legal disclaimer.

    • Purely anecdotal, but my WoW account has been compromised probably 10 times in the past 3 years. My Facebook account has never been compromised.

      • by Americano (920576)

        Differences in scope - WoW data is valuable, regardless of who the owner is, because you can strip the characters of gear, gold, etc., and convert that gold into hard currency in the real world by selling it to the "black market" - gold sellers, who will turn around and sell it back to other players. An individual's Facebook data is not so valuable on a case-by-case basis. This is why hackers go after the central data stores of these companies, rather than hacking a hundred thousand accounts individually.

        • Differences in scope - WoW data is valuable, regardless of who the owner is, ...An individual's Facebook data is not so valuable on a case-by-case basis.

          Exactly. And this is why I scoff at the hyperbole of any and all Facebook + Privacy!! articles posted on slashdot.

          I don't expect my stuff to be private on Facebook. The whole point of Facebook goes against the concept of privacy.

          • by Americano (920576)

            Agreed - there's a lot of unnecessarily lurid prose about privacy and Facebook. When it comes to privacy, Benjamin Franklin said it best: "Three may keep a secret if two of them are dead."

            I'd say the most embarrassing tidbit to be found on my Facebook profile would be my revelation that I enjoy the music of Bruce Springsteen. Imagine, if you can, the horror and dismay of my parents and family and friends when their image of me - indeed, what they had assumed was the solid bedrock of their lives - was sha

  • . 'Our question to Facebook is this — why wait until regulators force your hand on privacy? Act now for the greater good of all.'"

    Why lose all that oodles of money that they could make by selling access to the users' personal data to dataminer? Facebook is not a charity. It is there to make money. It has to make money at some blistering pace, even if it is sustainable for just a short duration. Long enough for the founders and sugar daddy venture capitalists to dump stock and realize the gains. Then... well, who cares what happens then.

  • by Anonymous Coward

    Doesn't give a shit!

    I still do not understand why people haven't figured this out yet.

  • "Security experts are calling on... ". Zap
    Expert Experts are encouraging Security Experts to change their language from "calling on" to "asking". The Expert Experts believe that "calling on" is one way street and "asking" would open a "dialogue". This "dialogue" can help with "discussion" of a "three point plan", allowing possible evolution of the solution to a "two point plan", a "one point plan" or an "item of consideration".
    The Expert Experts think that by "calling on" the Security Experts may be
  • 1. "User settings"
    2. "Delete Account"
    3. "Yes"
    • Facebook is really good at securing against certain threats, like users leaving. In the case of your plan, they secured against that potential threat by making the process of deactivating your account cumbersome and tedious, only allowing you to deactivate it (as opposed to deleting it), and reactivating your account if you ever log back in again, which puts it back as if you never left in the first place. Basically, the barrier for departure is high, the barrier for reentry is so easy that most people prob

      • by bmo (77928)

        How hard would it be to get a judgment against Facebook forcing them to delete your data?

        It shouldn't be too difficult, but I've bounced this idea around in my head for a while now since I learned that they never delete anything.

        Has anyone tried?

        --
        BMO

  • It's one feature I wouldn't mind being opted-in to without my permission.

    Unfortunately, since the time that I signed up back when you still had to select your university from a pull-down menu of just a few schools, they instead decided to opt me in for a few other "features":
    1) Sharing my information via Beacon with trusted partners like Blockbuster, CBS, Verizon, Sony, and the New York Times (all of whom are known for the care they take in handling their customers and the privacy of their customers/sarcasm

    • by Culture20 (968837)

      And in what I sincerely hope is a bug but suspect is not, letting anyone at all see all of my pictures, despite the fact that I had my settings explicitly set to "Friends Only" for all of my picture settings. On that last one, I was seriously peeved too, since one of my housemates (who I hadn't friended yet) was able to see all of my pics without a problem. I'm not sure if it was a bug or what, since it was completely contrary to my settings

      Let me guess, this happened in the last month? A few friends of mine and I noticed random privacy changes with a "helpful" pop-up saying the data was publicly available, and we should check the settings. I _know_ I set them to be friends-only. BTW, this was over the new https-only setup, so I know that I wasn't being MITM'd.

  • by Trufagus (1803250) on Monday April 18, 2011 @11:52PM (#35864260)

    It's one thing that they don't do enough to protect their users, but what really bugs me is that they trick their users about what security means in an attempt to get more info out of their users.

    In recent months I've been getting messages from FB warning me that my account is not secure. When I look at the steps they want me to take they have nothing to do with making my account more secure and everything to do with extracting more personal info from me. I think that using people's concerns about security to trick them into giving more personal info is quite slimy.

    • Mark Zuckerberg's response: "Hi, this is Mark Motherfucking Zuckerberg here, just finishing up making your mother give one of the Winklevoss Twins a rimjob. Anyways, I just wanted to say that the only people more worthless and more worthy of being coated in frosty piss than the losers who use Facebook are the pointless rubes who try to leave. Just remember, you disgusting piece of ejaculate, that I'm worth billions, and you, well, let's just say the stuff my maid scrapes off my underwear has more inherent

  • by Anonymous Coward

    First and foremost - if you don't like Facebook then don't use it. Nobody's twisting your arm to make you use it.

    Secondly I don't think regulation would ever help. Companies like Facebook will always find a way to weasel out of it: "oh, it's too expensive" or "oh, we'll move to another state." The only way to force the required privacy changes through is to make the directors of these companies accessories to the crimes. If the directors are personally held accountable and required to pay fines, do jail tim

  • This will obviously not happen (sharing off by default!? haha, good one!), and even Sophos probably knows that.

    They're just coming forward because they want to get free advertising as a security company that cares for user privacy. That is all. Empty story here.

  • Funny how vetting devs is considered a good thing in this article, but when Apple does it with the App store, it's called "lock in".

  • by bmo (77928)

    Just the other day I got a "so and so has made you an administrator of x page" from FB (actual facebook message, not some fake thing).

    I go to try and report it, and lo and behold there is no way to report it except by going to the page and clicking "report."

    The FUCKING PROBLEM is that the page has HOSTILE JAVASCRIPT as part of the worm and simply navigating to it makes it impossible to back out unless you force-close (kill -9) the browser entirely.

    Yes, Facebook has security problems, and they've insulated t

  • ...90% of Sophos "news" feed from the last months consists in highlights of Facebook scams, warnings about "specially engineered" posts, and the likes. Maybe they are just trying to con FB into hiring them as their "Security Provider"?
  • We need a new metaphor for "criticize" than violence. "Rachel Maddow eviscerated Ron Paul!" "Ron Paul put Rachel Maddow in a head lock, then decaptitated her with a spork!"

10 to the 12th power microphones = 1 Megaphone

Working...