A recap of the past week's news is topped by a new Facebook controversy, plans for a record-breaking Microsoft Patch Tuesday and discussions of "collective defense."
It was a week that saw Facebook hit once again with controversy and Microsoft announce plans for a massive security update.
On Oct. 6, Facebook announced plans for a new Groups feature to give
users more control of who they share information with. The Groups are
set to "closed" by default, meaning the names of members are visible to
the public but content posted to the group is not. Other settings
include "secret," where the names and content are hidden, and "open,"
where everything is visible.
While the changes were initially greeted largely positively,
controversy broke out over Facebook's decision not to give users the
power to approve whether a friend can add them to a group.
"To prove a point," blogged Sophos Senior Security Advisor Chester
Wisniewski, "someone created a new group called NAMBLA [North American
Man Boy Love Association]...Within a few hours someone had added
[TechCrunch editor] Michael Arrington without his permission, and it
appears to show Mark the power of the new Facebook he added [Facebook
CEO Mark] Zuckerberg."
According to Facebook's Help Center, "you can only be added to a
group by one of your friends. When a friend adds you to a group, a
story in the group (and in News Feed for Open or Closed groups) will
indicate that your friend has added you to a group."
Users can leave groups at any time, and if they choose to do so,
they can't be re-added by someone else unless they request it, Facebook
Microsoft, meanwhile, made security headlines twice during the week.
On Thursday, the company announced plans to release the largest
Patch Tuesday update in history, breaking the record for the second
time this year. Four of the 16 bulletins slated for the update are
rated 'critical', while 10 are rated 'important' and two are considered
Earlier in the week, Scott Charney, Microsoft's Corporate Vice
President for Trustworthy Computing, proposed an approach he
called 'collective defense' as a way to protect the Internet.
Under his proposal, PCs would be issued a "health certificate" to
demonstrate the system is fully patched, uninfected and running
security software. Compromised or vulnerable machines could be blocked
from the Internet to prevent botnet activity.
"Just as when an individual who is not vaccinated puts others'
health at risk, computers that are not protected or have been
compromised with a bot put others at risk and pose a greater threat to
society," Charney blogged.
"In the physical world, international, national, and local health
organizations identify, track and control the spread of disease which
can include, where necessary, quarantining people to avoid the
infection of others."
Security experts noted a number of challenges to Charney's
proposal, including zero-day vulnerabilities, which a fully patched
machine would still be exposed to, and the prospect of user pushback.
"The idea of developing an 'Internet Cybercrime Watch' isn't
necessarily a new one, but it is good to see this conversation being
brought up by one of the largest vendors who can make an impact for
better or worse on the issue of PC security and Internet security,"
said Philip Lin, director of marketing at FireEye.
In other news, Adobe Systems issued a massive update of its own Oct.
5 that fixed 23 security vulnerabilities in Adobe Reader and Acrobat,
and a former contractor at Fannie Mae was convicted of planting a logic bomb
on the company's servers in an attempt to destroy data. At sentencing,
Rajendrasinh Babubhai Makwana faces a maximum of 10 years in prison.