Microsoft Security, Facebook Groups Controversy Lead News

It was a week that saw Facebook get hit once again with controversy and Microsoft announced plans for a massive security update.

On Oct. 6, Facebook announced plans for a new Groups feature to give users more control of who they share information with. The Groups are set to "closed" by default, meaning the names of members are visible to the public but content posted to the group is not. Other settings include "secret," where the names and content are hidden, and "open," where everything is visible.

While the changes were largely greeted initially as positive, controversy broke out due to Facebook’s decision not to give users the power to approve whether or not a friend adds them to a group.

“To prove a point,” blogged Sophos Senior Security Advisor Chester Wisniewski, "someone created a new group called NAMBLA [North American Man Boy Love Association]…Within a few hours someone had added [TechCrunch editor] Michael Arrington without his permission, and it appears to show Mark the power of the new Facebook he added [Facebook CEO Mark] Zuckerberg.”

According to Facebook’s Help Center, “you can only be added to a group by one of your friends. When a friend adds you to a group, a story in the group (and in News Feed for Open or Closed groups) will indicate that your friend has added you to a group.”

Users can leave groups at any time, and if they choose to do so, they can’t be re-added by someone else unless they request it, Facebook added.

Microsoft meanwhile made security headlines twice during the week. On Thursday, the company announced plans to release the largest Patch Tuesday update in history, breaking the record for the second time this year. Four of the 16 bulletins slated for the update are rated ‘critical’, while 10 are rated ‘important’ and two are considered ‘moderate.’

Earlier in the week, Scott Charney, Microsoft Corporate Vice President of Trustworthy Computing, suggested an approach called ‘collective defense’ as a way to protect the Internet. Under his proposal, PCs would be issued a "health certificate" to demonstrate the system is fully patched, uninfected and running security software. Compromised or vulnerable machines could be blocked from the Internet to prevent botnet activity.

“Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society,” Charney blogged. “In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.”

Security experts noted a number of challenges to Charney’s proposal, including zero-days and the prospect of user pushback.

“The idea of developing an "Internet Cybercrime Watch" isn't necessarily a new one, but it is good to see this conversation being brought up by one of the largest vendors who can make an impact for better or worse on the issue of PC security and Internet security,” said Philip Lin, director of marketing at FireEye.

In other news, Adobe Systems issued a massive update of its own Oct. 5 that fixed 23 security vulnerabilities in Adobe Reader and Acrobat, and a former contractor at Fannie Mae was convicted of planting a logic bomb on the company’s servers in an attempt to destroy data. At sentencing, Rajendrasinh Babubhai Makwana faces a maximum of 10 years in prison.