
Security Concerns Paramount After Early Reviews of Diaspora Code 206

Posted by Soulskill
from the work-in-progress dept.
Stoobalou writes with this excerpt from Thinq.co.uk: "Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle Facebook. Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that 'we know there are security holes and bugs' in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are — issues which make it hard to recommend that you roll your own Diaspora server just yet."

  • Re:Freetard fail (Score:5, Interesting)

    by Anonymous Coward on Friday September 17, 2010 @10:17AM (#33610662)

    Yeah, but it will be like email is now. People won't need to run their own servers. They will be able to pick from a variety of free Diaspora hosts who get their revenue from ad dollars and harvesting your data (and that of your friends, who might host their own Diaspora node at home, or on another service), and then we will be free of Facebook's horrible privacy violations, and be in a new universe of less accountable companies with even worse problems.

    I can't wait, Diaspora, here I come!

  • Protocol, not code (Score:5, Interesting)

    by ath1901 (1570281) on Friday September 17, 2010 @10:21AM (#33610714)

    I'm more interested in the protocol than the code. If the protocol is vulnerable to attacks/fraud then it is a show-stopper.

    If the ruby-web-stuff-code contains bugs and security holes, I'll just write my own (read: wait for someone else to do it).

    I couldn't find any relevant info about the protocol in TFA. Am I missing something?

  • Re:After how long? (Score:5, Interesting)

    by truthsearch (249536) on Friday September 17, 2010 @10:33AM (#33610852) Homepage Journal

    It looks like they've only focused on the front end so far. I was expecting an architectural prototype with a thin front end (in which case security should be baked in from the start). Instead they've only focused on the user interface, which pretty much makes this project pointless so far.

  • by oldspewey (1303305) on Friday September 17, 2010 @10:43AM (#33610982)

    But as I understand it, an end user does not necessarily have control over where their information is routed/stored. So if there are a few rogue server managers out there acting the way FB does today (selling personal info as a source of revenue) then every member of the user base will (potentially) be affected.

    Please correct me if I'm wrong, because I'd like to be wrong about this.

  • Re:After how long? (Score:5, Interesting)

    by EggyToast (858951) on Friday September 17, 2010 @10:46AM (#33611006) Homepage

    Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?

  • It's got potential (Score:2, Interesting)

    by Ancalimar (920912) on Friday September 17, 2010 @11:32AM (#33611516)

    I admit that I haven't read through the code, and I am not a programmer. But it seems to me that if this can be hosted and run by individual institutions, it could have a fairly large impact in higher education in the next few years. Employees could use this like intranet-lite, and alumni and students could use this the way Facebook was originally used -- a social network for the school itself. The only difference is that it could provide very useful data directly to the school instead of an individual. I've also read a lot of complaints about how the project focused first on user interface instead of back-end programming. Isn't that similar to how Facebook itself started? I don't think there were a bunch of new protocols declared for the "Face book" launch.

    by crf00 (1048098) on Friday September 17, 2010 @11:52AM (#33611698) Homepage

    This should hardly surprise anyone. In fact, I realized early on that what matters is the protocol, not the code, but you can't offer privacy protection in a decentralized protocol [slashdot.org]. A centralized social network like Facebook can actually offer more privacy protection, because Facebook is the only party that holds your information.

    Decentralization, on the other hand, means broadcasting information to multiple parties, in this case your friends. A protocol can be designed to be P2P, but you cannot prevent any peer from choosing a provider to host data on their behalf. Just like email, any corporation can make use of this protocol to host a user's social network. When this becomes the norm, and when you, who host your own social server, try to broadcast a status update to some friends on Facebook/MySpace, then bang! Now both Facebook and MySpace hold a copy of your status update.

    I'm actually surprised that the Slashdot crowd is naive enough to expect a protocol to protect one's privacy. As far as I know, none of the protocols we have today holds any claim that it can protect users' privacy, including email, IP, IPv6, HTTP, Tor, XMPP, FOAF, and the semantic web. In fact, the newer protocols such as IPv6 and FOAF are far more privacy invasive than any kind of web 2.0 service today. Sure, we have protocols that protect users' anonymity, but anonymity is different from privacy in that anonymity hides the true identity of the user, while the anonymous user's activity is always public. Furthermore, communication protocols such as email and XMPP never guarantee any kind of privacy protection, and they even encourage users to find a provider instead of forcing them to host servers themselves.

    My point is, either Diaspora will be extremely successful in privacy protection but nobody uses it, or everyone will use Diaspora but it will have serious privacy loopholes that can never be fixed.

    I'm pretty sure that supporters of Diaspora will be very upset if this happens:
    1. Social protocol forks out of Diaspora and becomes standard.
    2. Facebook refuses to join. MS jumps in but provides sucky service.
    3. Diaspora founders start up Sporazzora social hosting, earn big bucks, start data mining.
    4. Google jumps in as second mover and kills everyone else, becoming the top social network.
    5. Facebook joins in too late, but still has enough users for data mining.
    6. Data exchange chaos to communicate with friends located at Facebook, MySpace, and Hi5. Privacy settings get out of control.
    7. Evil MySpace discloses all users' data to the public. Everyone yells but nobody cares. MySpace users continue to stay there, while Google users unfriend their MySpace friends.

    Many privacy issues are caused by people misunderstanding the privacy features of various protocols (which are none). For example, it actually takes people by surprise that the server will know the client's IP address for every TCP/IP connection established, and that HTTP is transferred in plain text and cached in various proxies.

    But we geeks didn't correct users' misunderstandings, and instead even used them as our own arguments against corporations. We think that, sure, the protocols expose these problems, but we'll just use brute force to restrict how websites can make use of these data. Sure, there are a few responsible ones who want to invent new protocols that can protect user privacy, such as the ones who made free proxy pools [slashdot.org] that connect to Google through a shared proxy. But they failed and instead raised more privacy issues in the protocol.

    Protocol designers are usually aware of the privacy issues that might arise from using their protocol. However, they usually keep quiet and do not warn users about the potential danger. This is reasonable since nobody likes to be blamed, and everyone likes to see their product to s

  • Re:After how long? (Score:2, Interesting)

    by 16K Ram Pack (690082) <(tim.almond) (at) (gmail.com)> on Friday September 17, 2010 @11:55AM (#33611746) Homepage

    On the other hand, getting people to see features that they might be interested in keeps some buzz going about it. No-one gets excited about security; they expect security.

  • Doing it Rong (Score:1, Interesting)

    by Anonymous Coward on Friday September 17, 2010 @11:57AM (#33611770)

    Ginning up an architecture and a code blob while holed up in a basement, THEN asking for input is wrong. The initial architect and developers are married to the design and code. They will maybe grudgingly try to "fix" what should never have been typed in the first place.

    Open source should start at the drawing it on a napkin phase, not the first alpha release. Often it can't because nobody cares that early. In this case it could have.

  • Re:After how long? (Score:2, Interesting)

    by danny_lehman (1691870) on Friday September 17, 2010 @12:05PM (#33611862)

    Perhaps they put some effort into the GUI to establish a brand image of sorts before the Open Source Community got their hands on it, wouldn't you? They got paid because they had the initiative to start it; that's how it works. Also, the amount they got paid is kind of representative of the amount of demand out there for an alternative to Facebook - So

    "Facebook's so annoying to use. Let's make one that works like we ALL want!"

    FTFY...

    They announced they would release a semi-working version's code, and that's exactly what they did. Their "mission statement" has a large emphasis on security, so I sincerely doubt they will allow another major release with a "patched" backend. The open source community is large enough and kind enough to contribute where they may have fallen short. If you want to get paid for helping, you may want to go start your own.

  • Re:Pre-alpha (Score:2, Interesting)

    by WalkingBear (555474) on Friday September 17, 2010 @12:17PM (#33611986) Homepage Journal

    Yeah, we used to call this level of code a functional prototype. Build the features that let you test your concepts and ideas. Get as many eyeballs on it as possible. Note all of the defects, holes, changes, bugs, etc.

    Now take that information, go back to a blank slate, and start coding towards a v1.0 release.

    What I've seen of the Diaspora code, and what I've seen others post about it tells me this is definitely in the prototype / conceptual release phase. It's called a Pre-Alpha for a reason.

  • by severoon (536737) on Friday September 17, 2010 @01:05PM (#33612522) Journal

    It's too bad there's so many problems with this project...I was really looking forward to a good alternative to Facebook.

    If only there was some kind of development methodology where these issues could be discovered early on and addressed by those that do have the necessary experience...alas, I forget myself—such a thing is and shall forever remain unattainable fantasy.

    I guess we should just be glad they published the source code so the facts are out and we can all agree: the only path forward is to toss the whole idea.

  • Re:Freetard fail (Score:2, Interesting)

    by KazW (1136177) on Saturday September 18, 2010 @05:03AM (#33618442)

    I'm not entirely sure, but I think the HTML injection is caused by their use of WebSockets, which uses EventMachine and then ties back into the Rails app or bypasses it and goes straight into the MongoDB. That's my basic understanding of it; if I'm wrong someone should correct me.

    As for people criticizing the project, I think that it's way too early, it hasn't even hit Beta status, it's an Alpha release.

    WebSockets is actually the aspect of this project that interests me the most. If they can make a "standard" social communications protocol or API that functions over WebSockets, I think that'd be the greatest outcome for the project. If it succeeds in creating that protocol, it wouldn't only kill FaceBook, but Twitter as well. Also, that would allow other developers to create other implementations in different languages (sans Rails), user interfaces or mashups.

    Either way, I watch this project with great anticipation and bated breath.

    P.S. MongoDB is a NoSQL database...... HA! Now the Web 2.0 synergy in this post is complete.(Yes, I did throw in a few terms just for shits and giggles.) /endpost
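An added illustration of the failure mode the comment above speculates about, written for this page and not taken from Diaspora's code or from the commenter: when user-supplied text reaches the browser over a side channel (a WebSocket push, for instance) instead of through the Rails view layer, the template auto-escaping that normally neutralises HTML never runs. The message shape, the field names and the sample update are constructed for the example; the escaping uses Ruby's standard `ERB::Util.html_escape`.

```ruby
require 'erb'
require 'json'

# Constructed sample: a status update as it might arrive on a push channel.
# The text field is user-controlled and happens to contain markup.
SAMPLE_UPDATE = { 'author' => 'alice',
                  'text'   => '<script>alert("hi")</script> hello' }.freeze

# Path 1: the update is rendered through an ERB template. Rails escapes <%= %>
# output by default; plain ERB does not, so the escape is written out here
# to model the Rails behaviour.
def render_via_template(update)
  template = ERB.new('<p><b><%= ERB::Util.html_escape(update["author"]) %></b>: ' \
                     '<%= ERB::Util.html_escape(update["text"]) %></p>')
  template.result(binding)
end

# Path 2 (the hazard): the update is serialised to JSON and pushed straight to
# the browser, where client code drops it into the DOM. No escaping happens,
# and JSON.generate leaves '<' and '>' untouched.
def raw_push_payload(update)
  JSON.generate(update)
end

# Path 2, hardened: escape every user-controlled string before it leaves the
# server, so even a client that uses innerHTML renders inert text.
def safe_push_payload(update)
  escaped = update.transform_values do |v|
    v.is_a?(String) ? ERB::Util.html_escape(v) : v
  end
  JSON.generate(escaped)
end

# Cheap server-side check for a test suite or an outbound log filter: does a
# payload that should have been escaped still carry raw angle brackets?
def contains_raw_markup?(payload)
  payload.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  puts render_via_template(SAMPLE_UPDATE)
  puts raw_push_payload(SAMPLE_UPDATE)
  puts safe_push_payload(SAMPLE_UPDATE)
end
```

Escaping at the server boundary is the conservative choice here because it does not depend on every client honouring a text-only insertion rule; a client that already uses `textContent` simply shows the entities as entities, which is a visible but harmless defect rather than script execution.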

