Phony Facebook application security tests? Say it ain't so, Zuckerberg

How can we explain the FTC's discovery that, for close to a year, Facebook operated a for-profit application security testing service that was little more than a sham?

By Paul Roberts

September 21, 2012, CSO

Call it "Zuckerberg's Law" -- that mathematical postulation describing the inverse relationship that exists between the size and wealth of a social network and the wisdom of those who own and operate it. This isn't Beckstrom's Law, mind you, which postulated that there's an optimal size for things like social networks, beyond which more members decrease -- rather than increase -- the value of the network for everyone else.

No, Zuckerberg's Law is bigger and more subtle than that. It says that the larger and richer your social network becomes, the smaller and more penurious are your ideas for improving it; the more varied your options become for extracting a dollar from your sea of happy users, the narrower and more ham-fisted your methods for doing so.


How else can we explain this week's report from the Federal Trade Commission (FTC) disclosing that, for close to a year, Facebook operated a for-profit application security testing service that was little more than a sham, taking money from hopeful application developers with false promises to vet their creations for security holes? Instead, the FTC concluded, the company banked the money and put a "Facebook Verified App" logo next to the application, without bothering to do any additional auditing of the submitted application. The program, the FTC said, was "false and misleading" -- a hollow show that, all the same, netted Facebook between $50,000 and $95,000 for "verifying" 254 applications between May and December, 2009.

Mind you, at the time the Facebook Verified App program was bilking developers with empty promises of security audits, the then-privately-held company had revenues of around $777 million. In other words: the Verified Apps scam was chump change, revenue-wise: about 1/100th of a percent of Facebook's overall revenue. It was small, especially compared to the money Facebook was making selling information on its hundreds of millions of users to advertisers and application developers.

So why even bother with a bogus application security program? That's a good question, and it's one that is likely to remain unanswered. Facebook declined to comment on the FTC's announcement this week beyond a one-line statement saying it was pleased that the FTC had approved the settlement, which was first announced in November, 2011. As The New York Times reported, FTC rules also permit Facebook to agree to a settlement, submit to a 20-year consent order and bi-annual audits, and amend its woeful security practices without actually admitting that it did anything wrong.
