The security of Web 2.0 - an oxymoron
I recently found this presentation from Morgan Stanley about Web 2.0 and where and how the Internet is growing. I haven't heard any accompanying audio with the presentation, so I don't know the finer points of the points being made, but just the slides themselves show some very interesting facts and open the mind to so many security implications.
For instance, take a look at slides 6 & 7. Slide 6 talks about telephony and communication over the Internet, with Skype being the focus. Look at the stats:
- 136 Million registered users (Skype says 100 Million)
- ~ 7% of international long distance minutes
- Would be ranked #3 in number of global users if it was a carrier
Slide 7 talks about the growth of social networking sites like YouTube, MySpace, etc. If I am reading it correctly, slide 8 says YouTube traffic has grown 2,662%.
The security issues with these types of apps are bad enough if they were used on a small- or medium-sized scale. But with these huge numbers and stats, the number of security issues that go along with this new cyber world is staggering. Go look at this spyware-centric blog that I read via my RSS feed. It is almost exclusively talking about the junk floating on MySpace.
Take a look at this article from CNet about Web 2.0 security. Some might think there is some FUD here, but this article is really explaining the issues of non-security centric coding and the ways the bad guys can take advantage of it.
And frankly, the physical security issues worry me more than the cyber-security issues. When you have so many people sharing so much personal information without any regard to what people can use it for, you have a huge recipe for disaster for children and otherwise vulnerable people.
What I am seeing is a freight train that can't be slowed down, much less stopped. This thing has turned into a juggernaut. With large companies like eBay and Google buying these companies, there may be some hope for more secure coding and more community responsibility. But that can be argued when most large companies look at security in dollars and cents rather than ethical duty. Take a look at this quote from the CNet article:
The buzz around the new technology echoes the '90s Internet boom--complete with pricey conferences, plenty of start-ups, and innovative companies like MySpace.com and Writely being snapped up for big bucks. And the sense of deja vu goes even further for some experts. Just as in the early days of desktop software, they say, the development momentum is all about features--and protections are being neglected.
That second point about desktop software (MS Office and the like) really strikes a chord with me since I started in IT in the early 90's and went through those "security nightmare" times. And if it takes as long for the broader public to realize the implications of Web 2.0 insecurity as it did the insecurity of Office-type products and the OS, then we are in for trouble.




