By Carmi Levy, Betanews
When news broke last week that Facebook users were on the receiving end of a large-scale phishing attack -- the first one to use external e-mail and not just the service's own messaging system -- I started to wonder whether the service had jumped the shark. If this sort of thing continues to escalate, you should start wondering, too.
Hardly a week goes by that Facebook doesn't get hit with another spam, malware, or phishing attack. Last week's screaming headline, that spammers are using conventional e-mail to spread virus-stealing malicious code to Facebook's 400 million users, is the latest chapter of a book that doesn't have an end in sight.
The more things change...
We've experienced this precise sequence of events previously, only last time it was Microsoft's turn to be the high-profile whipping boy of the hacker set. As criminals routinely targeted its Windows, Internet Explorer, and Office franchises, debate raged over the fundamental architecture of its products. The arguments, which will likely continue indefinitely, centered around whether the very design of Microsoft's products contributed to their vulnerability, and whether Microsoft did enough to fix security weaknesses as soon as they were identified.
Similar debates are already springing up around Facebook's response to a growing litany of threats to its platform and its 400 million registered users. To a certain extent, I view the two companies as victims of circumstance in that hackers prefer to focus their nefariously deployed resources on initiatives that will result in the most lucrative potential payoff. In other words, criminal ROI.
When Macs owned less than 3% of the overall PC market, for example, hackers simply couldn't be bothered to write illicit code for the platform. Things are different now that Mac market share has pushed into double digits. Windows was, and is, another story altogether. And because criminals always focus on the largest potential population of victims, it's hardly fair to fault the victim-companies. It isn't their fault that they did all the right things to grow so large, after all.
A tale of two companies
What we can fault them for is a lackadaisical response to an identified threat -- or to a growing trend of escalating threats. This is where Microsoft and Facebook could not be more opposite. While critics will forever fault Microsoft for not doing enough and for not doing it quickly enough, it's clear that today's Microsoft is worlds removed from yesterday's. It's invested billions to create platforms that address some of the well-known weaknesses of older products. It's created a range of scheduled updates for its products (Patch Tuesday, anyone?) that have redefined how IT departments keep their fleets in tune. It's tweaked its sunset rules to minimize the damage caused by weakly secured, obsolete software. For better or worse, Microsoft has raised the volume on security-related issues, and in doing so, has ensured it remains high on the priority list of consumers and businesses as well.
Facebook? Not so much. While Rome burns, the social media giant twiddles its thumbs, offering up little more than common sense advice to end-users as it ignores the basic weaknesses in its platform. We shouldn't be surprised, as the company's earlier efforts to address privacy concerns -- an area closely related to security and data integrity -- were almost comically ham-fisted. In the realm of social media, this just isn't good enough. With more users globally than there are people in the US, the consequences of Facebook's Swiss cheese-like security can easily impact far larger audiences than the average phishing attack on a lower-profile group of victims.
When Microsoft faced a crisis of confidence among its user base, it made the tough decisions necessary to reorient itself around a new security mantra. It 'fessed up to some pretty iffy decisions made before Internet-borne threats became über-pervasive and, perhaps most importantly, made its stakeholders a central part of the solution. Today's environment is hardly perfect and, in fairness, probably never will be. Windows, Explorer and Office continue to be the targets of new forms of attack, and Microsoft continues to fend them off with ever evolving offerings.
This is the new reality of connected computing, and the only ones to blame here are the cretins who create the malicious code, write and distribute the spam and reap the criminal rewards of this growing "business." It isn't Microsoft's fault any more than it is Facebook's.
What matters most?
But here's the thing: From where I sit, Microsoft's solutions are far more critical to the success of the average consumer than Facebook's. One company's products give life to my laptop, let me connect to the broader Internet, and get actual work done. The other company's code lets me poke my friends and play FarmVille and Mafia Wars.
Perhaps that was a little mean-spirited, but it underscores the business rationale that we all -- companies as well as regular consumers -- apply to the tools we use every day. As revolutionary as Facebook has been at connecting us with long-lost friends and maintaining virtual communities that can drive both social and professional success, it isn't a given that we'll absolutely need it to survive. Nor is it a given that some other Web 2.0/social media solution won't also hit critical mass and take Facebook's crown away. Friendster and MySpace both learned the hard way that relevance is as impermanent as the so-called "end-user loyalty" that got them to the top spot in the first place. Easy come, easy go. And when you're not weighed down by years of legacy files, macros, training, and ease-of-use concerns, migrating to the Next Best Thing is easier for the average social media solution than it is for a productivity suite.
Facebook is at a bit of a crossroads in its all-too-brief history. Its massive popularity has placed it squarely in the crosshairs of a criminal community intent on exploiting the largest, most profitable audiences out there. The timing couldn't be worse, because the company still hasn't had the opportunity to develop the kind of security-aware culture that would allow it to proactively take these growing threats on, and win.
As users are increasingly exposed to Facebook-linked attacks, they'll find themselves wondering if the ability to poke their friends is worth it.
Carmi Levy is a Canadian-based independent technology analyst and journalist still trying to live down his past life leading help desks and managing projects for large financial services organizations. He comments extensively in a wide range of media, and works closely with clients to help them leverage technology and social media tools and processes to drive their business.
Copyright Betanews, Inc. 2010