Category Archives: Security

Securosis Warns Against Cloud

Mike Rothman warns in his blog entry called “RSA Guide 2011: Key Themes” that only a very elite and small group (himself included, of course) can understand the cloud, let alone the security issues.

Last year you could count real cloud security experts on one hand… with a few fingers left over.

[…]

The number of people who truly understand cloud computing is small. And folks who really understand cloud computing security are almost as common as unicorns.

Unless I am reading that wrong, he is saying that no one really understands cloud computing security. How does one enter the cloud if no one exists who understands how to make it safe? Is that a warning against it?

He probably means to say only he and his immediate colleagues are to be hired — they are the real deal and will save you from the cloud. Even that sounds to me like scare-mongering, marketing and hype. Perhaps he could just issue a new Securosis byline:

We are like unicorns in the cloud — and everyone else is dumb

The truth is that many people outside his sphere of influence understand cloud security and are actively working on tools, architectures and live deployments. Not all of them take the time, or even want, to give presentations. And let’s face it, cloud security actually is not that hard to understand. It is essentially applying known controls to new engineering, architectures and technologies, and then finding ways to address the gaps that remain. That is a familiar exercise for anyone who has worked on security for product companies and development teams, especially within large shared environments.

Speaking of marketing hype, Mike gives a clear set of criteria for how to choose a good presentation, but then he appears to ask you to violate his own criteria for two presenters that are related to his company.

Skip over session descriptions that say things like, “will identify the risks of cloud computing” and look for those advertising reference architectures, case studies, and practical techniques (don’t worry, despite the weird titles, Rich includes those in his cloud presentation with Chris Hoff).

This is some odd advice. Don’t worry? On the one hand he warns about others who engage in a kind of behavior he wants you to find distasteful, and on the other hand he (and his colleagues) engage in it. Not sure what to make of that; much of what he says is interesting and well researched, but it is hard to overlook contradictions and double-standards. Why not just say “don’t worry” about the cloud?

Disclaimer: I am also presenting on cloud security at RSA and I do not believe in unicorns.

The History and Meaning of Finding Kumbaya

The NYT attempts to preserve, or even restore, the meaning of the song often known only as Kumbaya.

The lyrics told of people in despair and in trouble, calling on heaven for help, and beseeching God in the refrain, “Come by here.”

[…]

Far from compromise, “Come By Here” in its original hands appealed for divine intervention on behalf of the oppressed. The people who were “crying, my Lord” were blacks suffering under the Jim Crow regime of lynch mobs and sharecropping. While the song may have originated in the Georgia Sea Islands, by the late 1930s, folklorists had made recordings as far afield as Lubbock, Tex., and the Florida women’s penitentiary.

With the emergence of the civil rights movement in the 1950s, “Come By Here” went from being an implicit expression of black liberation theology to an explicit one. The Folkways album “Freedom Songs” contains an emblematic version — deep, rolling, implacable — sung by the congregation at Zion Methodist Church in Marion, Ala., soon after the Selma march in March 1965.

Like other songs I have mentioned here before, it was an encoded message among slaves to fight against injustice such as restrictions on speech.

To sing Kumbaya was to resist, perhaps even to signal to others an event that would need more resources, in other words calling in backup. The peculiar characteristics of this song that originated in the American south are born of resistance to authority; simple repetition with obfuscation helped ensure the availability, integrity and confidentiality of a message.

Folklife Center News (Volume 32, Nos. 3-4, Summer/Fall 2010), in its exhaustive research into the song’s origins, also explains why the alleged Gullah link is problematic and, along the way, why Wikipedia tends to publish garbage.

The most common claim made today about the origins of “Kumbaya” is that it is from the Gullah-Geechee people of coastal Georgia and South Carolina. (The more outlandish versions of this theory, such as the one espoused on Wikipedia on April 2, 2010, claim that “Yah” is a remnant of Aramaic, and refers to God, despite the fact that “yah” means “here” in Gullah.) While a Gullah origin is certainly closer to the truth than either of the previous theories, AFC’s archival versions also call the Gullah claim into question.

The Folklife Center News provides instead a self-dealing alternative story:

…the evidence from the American Folklife Center Archive does not fully support any of the common claims about the origin of “Kumbaya.” Instead, it suggests that “Kumbaya” is an African American spiritual which originated somewhere in the American south, and then traveled all over the world…. Although it is truly a global folksong, its earliest versions are preserved in only one place: the AFC Archive.

Coastal Georgia and South Carolina is somewhere in the American south, no? Perhaps too specific. Either way, Kumbaya is a fight song.

Facebook Malware App Builder

Websense explains why Facebook users are so often victims: inexpensive malware app builders have produced a huge growth in the number of inexperienced attackers targeting them.

You don’t have to be a developer, but a mere $25 can buy you a Facebook viral application toolkit and unleash all the unwanted content you want onto Facebook.

As an example, let’s look at a very similar fraudulent application that “can” allow Facebook users to know who “creeps” at their profile, called “Facebook Profile Creeper Tracker Pro”. The application asks for some permissions, shows an online survey/advertisements and tells the user at the end of the process that he/she is the one that looks at his/her own profile the most. In other words, this application should be revoked according to the terms and conditions of Facebook.

Should be revoked?

There appears to be no Facebook barrier to entry for attackers. The $25 is a nominal amount and easily recovered: each victim generates revenue of at least $0.20, so only 125 victims are needed to cover the initial expense, and after that it is all profit. And that cost model is for attackers with no experience.

The burning question for regulators should be how a user can protect themselves against a Facebook scam like this permanently. In other words, why does Facebook continuously fail to provide reasonable privacy options, or offer users permanent protection?

The answer may be found in Facebook’s recent trickery with network privacy.

Two weeks ago, the social networking site proudly announced a new “secure browsing” option located under the Account Security menu which would allow people to enable HTTPS for all future visits.

However, at the moment, third-party apps don’t work via HTTPS, because they load external content into the page.

This content cannot be signed by Facebook; therefore, the secure connection is broken each time an HTTPS client opens such an app.

Facebook prevents this from happening automatically via a dialog that reads “Sorry! We can’t display this content while you’re viewing Facebook over a secure connection (https). To use this app, you’ll need to switch to a regular connection (http).”

Pressing the continue button, however, doesn’t just remove HTTPS for that session, but clears the checkbox from the persistent “secure browsing” setting without any indication of doing so.

They take a one-time decision and turn it into a permanently insecure setting without notifying you.
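To make the failure concrete, here is an added example (not Facebook’s code, and not from the article quoted above) that models a persistent “secure browsing” preference alongside a per-session downgrade. The flawed handler reproduces the behaviour described: one click on “continue” both downgrades the session and silently clears the stored setting. The hardened handler scopes the downgrade to the single app the user agreed to, leaves the preference untouched, and logs the decision. The setting key, app identifiers and audit log are assumptions for illustration.

```javascript
// Added example (assumption-based model, not Facebook's implementation).
const SECURE_BROWSING = "secure_browsing"; // hypothetical setting key

function createAccount() {
  return { settings: { [SECURE_BROWSING]: true }, auditLog: [] };
}

// A fresh login derives its scheme from the persistent preference only.
function newSession(account) {
  return {
    scheme: account.settings[SECURE_BROWSING] ? "https" : "http",
    httpOnlyApps: new Set(), // apps the user agreed to load over plain http
  };
}

// Flawed handler, as the post describes: the dialog's "continue" button
// downgrades this session AND clears the stored preference with no notice.
function continueFlawed(account, session, appId) {
  session.scheme = "http";
  account.settings[SECURE_BROWSING] = false; // silent persistent change
  return session;
}

// Hardened handler: the downgrade is scoped to one app in this session,
// the persistent preference is untouched, and the decision is recorded.
function continueHardened(account, session, appId) {
  session.httpOnlyApps.add(appId);
  account.auditLog.push({ event: "session_http_override", appId, persistent: false });
  return session;
}

// Scheme for a given page in a session: only the explicitly approved app
// is loaded over http; every other page keeps the session's scheme.
function schemeFor(session, appId) {
  return session.httpOnlyApps.has(appId) ? "http" : session.scheme;
}

// Invariant a reviewer should check on any such flow: after the user
// continues into one http-only app, the stored preference is unchanged,
// the rest of the session stays on https, and the next login is https.
function downgradeIsSessionScoped(handler) {
  const account = createAccount();
  const session = handler(account, newSession(account), "profile-creeper-tracker");
  return (
    account.settings[SECURE_BROWSING] === true &&
    schemeFor(session, "profile-creeper-tracker") === "http" &&
    schemeFor(session, "news-feed") === "https" &&
    newSession(account).scheme === "https"
  );
}

console.log("flawed handler keeps preference:", downgradeIsSessionScoped(continueFlawed));     // false
console.log("hardened handler keeps preference:", downgradeIsSessionScoped(continueHardened)); // true
```

The same invariant is the manual check to run against a live site: enable the secure option, accept the dialog for one app, log out, log back in, and confirm the new session is still on HTTPS and the setting is still checked.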

Just in case you still have any doubt: Storing private information on Facebook is like putting your finances in a bank that offers partnerships to grand theft felons. You might really like working with the bank and their customers, but you need to be very wary of their business practices.

I strongly recommend that everyone immediately delete all personal and valuable information from their account, or at least use only fictitious information on Facebook, including fake photos.

Even the founder himself has turned to the government to protect against Facebook-based attackers.

Scans Could Detect Liquid Explosives

An Associate Professor at UC Davis helped develop a scanner to find spoiled wine without opening the bottle.

“A Nondestructive Method of Determining Acetic Acid Spoilage in an Unopened Bottle of Wine,” A. J. Weekley, P. Bruins, and M. P. Augustine, J. Enol. Vitic., 53, 318-321 (2003).

A few years later, in 2006, the terror plot involving liquids inspired the researcher to think about another market — airline security.

Air passengers one day may be able to carry their soaps, shampoo and bottled water onto the plane again, thanks to technology originally developed at UC Davis to check the quality of wine.

The U.S. Department of Homeland Security’s Science and Technology Directorate recently awarded a contract to a Denver-based defense firm to develop a magnetic resonance scanner that could be placed in airports and used to check bottles and cans for explosives without opening them.

Might as well put this in refrigerators and pantries too. No need for improbable expiration dates any more. Have the kitchen do a daily scan and send you an email to alert you when your stocks are contaminated or spoiled.