Forgot your password?
typodupeerror
Open Source Privacy Security Social Networks News

Security Concerns Paramount After Early Reviews of Diaspora Code 206

Posted by Soulskill
from the work-in-progress dept.
Stoobalou writes with this excerpt from Thinq.co.uk: "Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle Facebook. Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that 'we know there are security holes and bugs' in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are — issues which make it hard to recommend that you roll your own Diaspora server just yet."
This discussion has been archived. No new comments can be posted.

Security Concerns Paramount After Early Reviews of Diaspora Code

Comments Filter:
  • by iONiUM (530420) on Friday September 17, 2010 @10:16AM (#33610646) Homepage Journal

    It might encourage the workers on Diaspora code to work harder for security. I mean, even if you think you have every security hole plugged, until you open that code up to the world you won't really know. So what, there are many more security bugs than expected. That's fine, delay the release a little bit and start patching.

    Unless this completely discourages them to the point that they turn emo and start lying in the dark crying, I'm pretty sure they can fix this and still release.

    • by e065c8515d206cb0e190 (1785896) on Friday September 17, 2010 @10:19AM (#33610684)
      Seriously, a bunch of kids from NYU... what did you expect?

      It's not a bad thing though, as long as people are willing to constructively collaborate on the project.
      • by MoonBuggy (611105)

        Is that a jab at NYU or a jab at college kids in general?

        • Maybe it wasn't a jab at all?
        • Most college-level kids don't have experience coding a secure, distributed social networking site from scratch, and wouldn't be aware of all the potential snafus and pitfalls. In fact it's likely that they haven't written ANY software that is going to have enough traffic that security becomes a critical issue, and I doubt any college courses would focus on that in particular.

          I don't see how that could possibly be considered a jab at anyone.

          • by severoon (536737) on Friday September 17, 2010 @01:05PM (#33612522) Journal

            It's too bad there's so many problems with this project...I was really looking forward to a good alternative to Facebook.

            If only there was some kind of development methodology where these issues could be discovered early on and addressed by those that do have the necessary experience...alas, I forget myself—such a thing is and shall forever remain unattainable fantasy.

            I guess we should just be glad they published the source code so the facts are out and we can all agree: the only path forward is to toss the whole idea.

        • by gparent (1242548) on Friday September 17, 2010 @10:58AM (#33611154)
          It's not a jab at all. It's perfectly normal for inexperienced coders to have security issues in their applications, just like you can have any other bug.
      • by DJRumpy (1345787) on Friday September 17, 2010 @10:44AM (#33610990)

        Am I missing something here? This is the way it should work, and the true strength of open source. Assuming they have the skillset to address the security issues found, I just don't see an issue. This isn't release level software yet, and I would expect that anyone putting up such a site based on it would publish that fact. I'm pleased that they are getting such great input on key security flaws.

        • by yincrash (854885)
          I think the implication is that a few kids still in school don't have the skill set to address those issues, let alone write quality code yet.
          • Re: (Score:2, Insightful)

            by coldfarnorth (799174)
            They have been admitted to the school of practical experience with a great idea, but less practical experience than you would prefer. We have two choices: 1) Tell them "You suck", throw them out on their asses, and consign their idea to the scrap heap -or- 2) Start to teach them the skill sets they need, and try to realize some of the promise of their idea. Choose wisely.
          • And your point is??

            Learning is part of the experience we all share. Nobody learns to write perfect code, with no security holes in it, from the beginning.

            The biggest problem with experience is that we tend to forget where we came from, and the big errors we've made in years past, or worse, we don't even know of the big errors we had early on, because we don't use that code any longer so the holes were never plugged.

            Who here thinks that High School Standout can play professional Baseball right away? You don

        • by idontgno (624372)

          FWIW, my take-aways on this topic are:

          • Never install the "dot-zero" version of ANYTHING for production
          • The devs are young. That means energetic and possibly well-intentioned, but inexperienced. If this works out, the OS community will be enriched by skilled and savvy devs who have seen the elephant and have the scars to prove it.

          After all, "good judgment comes from experience, and experience comes from bad judgment."

          • Exactly true. Experience is something you don't get until AFTER you need it.

            I have checked out the Alpha, even though I am not a fan of facebook or social networking. It's always worth playing with new OSS stuff, because you never know where the next really good project (or even really good idea) will come from. It takes a lot of "almost good" attempts to make one that is good.

      • by poetmatt (793785)

        I think people forget that it's open source, so it's easily modified.

        Able to code, and spot a vulnerability? Fix it yourself!

        • by yincrash (854885) on Friday September 17, 2010 @10:57AM (#33611144)
          Just because software is open source does not mean it is easily modified. In many cases, it could be easier to rewrite it from scratch to do the same thing than to modify existing code that is terrible.
        • I think people forget that it's open source, so it's easily modified.

          It's "easy to modify" but not "easy to modify" and make sure that you don't break other things or introduce bugs. That is unless all the open source software you deal with is extremely trivial in nature.

          Able to code, and spot a vulnerability? Fix it yourself!

          Because all users are programmers, right?

      • by GreatBunzinni (642500) on Friday September 17, 2010 @11:18AM (#33611362)

        Seriously, a bunch of kids from NYU... what did you expect?

        I don't know. What do you expect from a 21-year old kid from University of Helsinki? Personally I don't believe anyone expects much from it but nowadays you have the entire IT world being carried by a pet project made by a little Finnish kid from University of Helsinki.

        Is this also the case? I don't know, really. Yet, I hope it is.

        • You have to wonder where Linux would be today if Torvalds had tried to commercialize it instead of releasing it into the wild at such an early stage of development....

        • Re: (Score:3, Insightful)

          by Subm (79417)

          I don't know. What do you expect from a 21-year old kid from University of Helsinki? Personally I don't believe anyone expects much from it but nowadays you have the entire IT world being carried by a pet project made by a little Finnish kid from University of Helsinki.

          Is this also the case? I don't know, really. Yet, I hope it is.

          You know, there was a bit of code there before Linus started. Linus's pet project was one of many many people's pet projects.

          Sometimes I question calling the operating system GNU/Linux, but when people imply Linus wrote the entire OS, I see why people press for the recognition to everyone who contributed all the free code.

      • As a kid at NYU doing compsci who knew these guys (not well but we had classes together), I can say that at my internship is where I learned what it was truly like coding outside of small scale and you do learn a lot about things you would not have otherwise accounted for.

      • by iamhassi (659463)
        "Seriously, a bunch of kids from NYU... what did you expect?"

        I would expect better from a bunch of "kids" that were given $200,000 to make the site. [kickstarter.com] I think most of /. could have done a better job if we were given $200,000.
    • by MaWeiTao (908546)

      Like everyone else, they're never going to be able to completely address security. I suppose the goal should be to eliminate any glaring flaws and stay on top of things for as long as the platform is being used. But people are going to always reveal flaws as quickly as they can be patched. Being open-source doesn't provide any inherent level of security simply because anyone has access to the code.

      If anything, it's only a matter of time before we see a fork. Someone is going to decide they can do without ce

    • by gilesjuk (604902)

      These aren't small holes, these are major show stoppers. It's currently possible for anyone using the site to do anything they like to someone else's profile.

      If you're designing a portal you need to design it to be secure. Otherwise when you start reworking the code to secure it the code gets messy.

      It sounds like they've been designing this thing as they go along, not the best way really.

    • by Americano (920576)

      It might encourage the people working on the code to work harder - or it might mean they run out of money, energy, and interest and Diaspora becomes another piece of abandoned FOSS code.

      If there are so many glaring security holes from the start, it sounds to me like they have accomplished nothing but a basic mockup. How long can they delay the release while they refactor & rewrite? While they implement the many features they haven't completed? While they do thorough security testing, which will possi

    • by anyGould (1295481)
      Well, considering they released it saying "Yeah, there are a mess of bugs and security holes here"... I suspect the point *was* to flush them out. The releases I read were pretty clear that this code wasn't remotely ready for production, and that they knew it. If I'm going to poke them for anything, it's that they had promised something by the end of the summer. But that's just over-optimistic young folks.
  • After how long? (Score:5, Insightful)

    by Sarten-X (1102295) on Friday September 17, 2010 @10:17AM (#33610668) Homepage

    After a few months, a big project has bugs? Really? That's amazing! After all, Windows has been around for only 20 years and it's perfect, right?

    I think I'll reserve judgment for sometime in 2012...

    • by Kjella (173770)

      The time when you did security by making sure you've dotted all the i's and crossed all the t's should be long over. Anything built now should have some clear security layers that prevent input validation attacks, cross scripting attack, database injection attacks and so on. The application may be unfinished but most of those errors sounds like it'll be a steaming pile when it's done too.

      • Re:After how long? (Score:5, Interesting)

        by truthsearch (249536) on Friday September 17, 2010 @10:33AM (#33610852) Homepage Journal

        It looks like they've only focused on the front end so far. I was expecting an architectural prototype with a thin front end (in which case security should be baked in from the start). Instead they've only focused on the user interface, which pretty much makes this project pointless so far.

        • Re:After how long? (Score:5, Interesting)

          by EggyToast (858951) on Friday September 17, 2010 @10:46AM (#33611006) Homepage
          Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?
          • Re:After how long? (Score:5, Insightful)

            by Rival (14861) on Friday September 17, 2010 @11:51AM (#33611696) Homepage Journal

            Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?

            Or possibly, that they are smart enough to recognize that having "something" to show possible investors (and more importantly, current investors) is worth a great deal more than a framework that can't be demonstrated.

            Don't get me wrong -- I really, *really* hope that the security model gets implemented well in Diaspora, and they don't get destracted by "ooh, shiny!" syndrome. But expecting them to go to folks who have given them money -- people who likely know even less about security than these college students -- and say, "This mystery code will work, it's really better, we just can't demonstrate it," is unreasonable.

            Prototype first, then refine. Bugs happen, just fix them and move on. It looks like they're on their way to me. If you (or others) think you can fix these bugs or fundamental flaws in their security model, talk to them. You might just find yourself a job at a potentially big startup.

          • Re: (Score:2, Interesting)

            by 16K Ram Pack (690082)
            On the other hand, getting people seeing features that they might be interested keeps some buzz going about it. No-one gets excited about security, they expect security.
          • Re: (Score:2, Interesting)

            by danny_lehman (1691870)

            Perhaps they put some effort into the GUI to establish a brand image of sorts before the Open Source Community got their hands on it, wouldn't you? They got Paid because they had the initiative to start it, that's how it works.Also, the amount they got paid is kind of representative of the amount of demand out there for an alternative to Facebook - So

            "Facebook's so annoying to use. Let's make one that works like we ALL want!"

            FTFY...

            They announced they would release a semi-working version's code, and that's exactly what they did. Their "mission statement" has a large emphasis on s

        • Don't diss the interface.

          The open source landscape is littered with elegant backends with totally unusable interfaces, a good interface is not a trivial exercise.

          They did a solid start on the part that they had talent and interest for, then went to the community. I'd say that they are doing it right.

        • Instead they've only focused on the user interface, which pretty much makes this project pointless so far.

          Unless, of course, one of their primary goals is to attract more users, in which case a well developed, well tested UI is probably one of the most important parts of the project. After all, 90% of social networkers (number out of my ass) probably judge software based on "How easy is it to click what I want?"

          Now that doesn't mean they should neglect the back-end code, however, if they are trying to raise awareness of their product and make it more attractive, then I would think having a nicely developed

      • Re:After how long? (Score:5, Insightful)

        by Sarten-X (1102295) on Friday September 17, 2010 @10:48AM (#33611046) Homepage

        Not if it's anything like every big project I've worked on.

        First, projects go through a phase of "how can we do this" where various components are mashed together with the expectation that things will work later. That's a good thing to do while gathering initial funding.

        Then they go through the phase of "we can do this" where some parts of the project work, but most is broken.

        That's followed by the "demonstration" phase, where things work under perfect circumstances. That seems to be where Diaspora is at now.

        Next is the "we can do this well" phase, where the once-connected components are split up and divided into their appropriate layers and security is locked down, now that there's a clear idea of what the security model must support.

        Finally is the "continued development" phase, where the project is stable enough that new components don't need major changes to security, and extra features can be added.

        I've had a few projects that started with the frameworks and various layers of abstraction, and they've invariably failed after many refactorings and revisions. Heck, one project I worked on was a web-based game engine, which turned into a giant security model, and finally died without a single line of actual game code written. It took eight months to fail miserably. Projects change, and requirements change. Going into a security model too early can be worse than not having one.

  • Pre-alpha (Score:2, Informative)

    by mseidl (828824)
    zomg! Pre-alpha! This thing is sure to be a failure!
    • Re: (Score:2, Interesting)

      by WalkingBear (555474)

      Yeah, we used to call this level of code a functional prototype. Build the features that let you test you concepts and ideas. Get as many eyeballs on it as possible. Not all of the defects, holes, changes, bugs, etc.

      Now take that information, go back to a blank slate, and start coding towards a v1.0 release.

      What I've seen of the Diaspora code, and what I've seen others post about it tells me this is definitely in the prototype / conceptual release phase. It's called a Pre-Alpha for a reason.

  • by metamechanical (545566) on Friday September 17, 2010 @10:20AM (#33610708)

    Okay, I have no horse in this race, as I only have a passing interest in online social networks (enough to read the article, but not enough to join one), so I am not very passionate about this news in one way or another, but...

    Isn't that why it's called pre-Alpha software?? I mean, bugs happen. In open architectures, you fix them. If this were a closed software project, you wouldn't even know about them. If there were endemic, critical flaws inherent in their underlying assumptions going into this project, then that would be news, but "oversold Alpha software contains bugs!!!" is hardly worth noting. Being free software, many eyes will ensure that the Beta version is better, presumably.

    • Re: (Score:2, Insightful)

      If this were a closed software project, you wouldn't even know about them.

      If this were true, no independent researchers would ever be able to find security holes in things like Windows or Adobe products. Having access to source code is a nicety but the vast majority of security holes aren't found staring at source code it's by poking around at the binary.

      • by metamechanical (545566) on Friday September 17, 2010 @10:34AM (#33610876)
        That's a fantastic point. I should have been more specific - what I meant was the only reason security concerns and bugs are being found out in a pre-alpha is that it is open. It is exceedingly rare that a closed piece of software releases up a pre-alpha for general review (and hence, you wouldn't have ever even known about them). In more mature released closed software, though, you're right that my point holds no water.
      • Re: (Score:3, Insightful)

        by nine-times (778537)

        I think the point was that, if this were a closed project, no one would have acess to anything yet-- not the source, not the binary, nothing.

        This was not intend to be a secure release or a complete release. This was the first release of an open source project, just to say "here, we have something, so let's get started.". If you expected to be rolling your own diaspora server right now, then you really didn't understand what was going on.

        • by shish (588640)

          This was not intend to be a secure release or a complete release

          An empty project has no features, and the desired result is lots of features, so having half features at the half way point is expected; but an empty project has no security holes, and the desired result is no security holes, so if there is a hole at the half way point then something has gone wrong.

          • by mwvdlee (775178)

            If I bring my car to the garage to have the tires changed, it starts with four tires and the desired result is four tires. If somewhere halfway it does not have four tires, has something gone wrong or were they just actively working on it.

            If you tell me you've ever started a software project that DIDN'T have any security issues halfway, then you lie.

        • by Monchanger (637670) on Friday September 17, 2010 @11:18AM (#33611356) Journal

          If you expected to be rolling your own diaspora server right now, then you really didn't understand what was going on

          Exactly. Like much of the dumbed-down "news" we're subjected to, this is just a little more sensational nonsense.

          Breaking news! Infants can't grasp quantum physics. Are they stupid? You decide!

          The little coverage I've seen sticks strictly to usability ("aspects" and this very early revision of the UI) . If that's all they built, I wouldn't bother criticizing the more difficult areas of security, scalability and reliability (that's not to say one shouldn't report bugs). Since hearing of the project I've assumed that these problems may be something these kids are looking for others to pitch in. Releasing the code isn't a bad way to get other people to start working, and as we've seen that actually worked out well, significantly multiplying the number of contributors to the project.

          Diaspora, done right, is not a weekend project. Doesn't help that these naysayers are too immature to seek positive reinforcement.

    • by alen (225700)

      and by that time facebook will add some more features and get up to a billion registered users

    • Re: (Score:2, Insightful)

      by Spansh (219937)

      The problem about this is that many of those types of flaws have been well known about and well publicised for many years now (and many high profile sites have had widely publicised exploits ecause of them).

      However, there are now many standard practices which seasoned/experienced programmers/developers/system designers use to mitigate most of those issues (Hell, whilst I may have some issues with Ruby on Rails, with the current release I believe you'd have to explicitly allow unescaped HTML into your pages)

  • Protocol, not code (Score:5, Interesting)

    by ath1901 (1570281) on Friday September 17, 2010 @10:21AM (#33610714)

    I'm more interested in the protocol than the code. If the protocol is vulnerable to attacks/fraud then it is a show stopper.

    If the ruby-web-stuff-code contains bugs and security holes, I'll just write my own (read: wait for someone else to do it).

    I couldn't find any relevant info about the protocol in TFA. Am I missing something?

    • It doesn't look like they started out by documenting any new protocols (which is probably what I would have worked on first if this were my project). From the code it appears they've mostly focused on the user interface.

      They also could leverage something like XMPP.

      • Re: (Score:3, Insightful)

        by Rogerborg (306625)

        It doesn't look like they started out by documenting any new protocols (which is probably what I would have worked on first if this were my project). From the code it appears they've mostly focused on the user interface.

        Flashback to my game dev days: "Never mind if it works, make it spin!"

        I guess they're not locked into a death march yet, but it's not a good start. "Pre-alpha" bollocks aside, you've either got a zero defect mentality, or you don't. Since nobody forced them to release in this state, it l

    • Re: (Score:2, Interesting)

      by crf00 (1048098)
      This should hardly surprise anyone. In fact, I realized it early that what matters is the protocol not the code, but you can't offer privacy protection in a decentralized protocol [slashdot.org]. A centralized social network like Facebook can actually offer more privacy protection, because Facebook is the only party that holds your information.

      Decentralization on the other hand, means broadcasting information to multiple parties, in this case your friends. A protocol can be designed to be P2P, but you cannot prevent any

  • Diaspora marketing (Score:4, Insightful)

    by jdfox (74524) on Friday September 17, 2010 @10:28AM (#33610780)
    I don't understand why Diaspora has had saturation coverage in the mainstream press (and pretty heavy coverage here [slashdot.org], for that matter) before it even went alpha, but identi.ca gets so little.
    • If I'm not mistaken, identi.ca is a microblogging platform, not a full blown social networking platform. So, while Diaspora goes directly against the main area of investment where major multinational corporations are heavily dedicated, which has a profound impact on humanity's views on fundamental rights such as the right to privacy, identi.ca is designed to only offer a very specific and limited service which is currently seen as a novelty. To put it in other terms, while Facebook alone racks about 800 m

    • I don't understand why Diaspora has had saturation coverage in the mainstream press (and pretty heavy coverage here, for that matter) before it even went alpha, but identi.ca gets so little.

      Because a lot of people have their eyes on Diaspora for a variety of reasons. This is not just a test of Diaspora but also Kickstarter which is the fundraising site they used to get the money to make this project. They went on Kickstarter and proposed to write "Diaspora - the privacy aware, personally controlled, do-it-a [kickstarter.com]

  • Horse before cart (Score:5, Insightful)

    by drewhk (1744562) on Friday September 17, 2010 @10:34AM (#33610866)

    Again, a project that was way overhyped before any code became available.

  • by antiparadigm (544353) on Friday September 17, 2010 @10:35AM (#33610884)

    Yes, I understand that any security vulnerability is a bad thing. In that merit this is a bad thing. BUT...

    These are people fresh out of college, and haven't gotten a lot of real world experience. I, myself, am only out of college by a year and a half. The first year was spent as a sys admin, but the past 6 as a developer. They have probably heard of some types of attacks, but are unfamilier with details. Others, if they are like me, they haven't even thought of. All of this comes from being "in the trade".

    This is why Open Source is good. It can rapidly increase a programmers competency if they get constructive criticism. It sounds like they are getting plenty of that, but the article kinda makes it sound like the should know all this.

    I, for one, am glad they are doing this, and that they have decided to release some code early for review. Not only will it allow bugs to be fixed early, but it will also give them lessons for future use.

  • I respect what's been done so far with Diaspora, but for all the hype and money poured into this project, this is a bit embarrassing. To me, it looks like a byproduct of a closed development model with a small team...I'm glad there can be community participation on the project now but I don't understand why the community wasn't involved in the beginning.
    • I can't think of any open source project where it was completely community designed/programmed from the beginning. Most communities don't care enough to do that, bicker too much to do that, would have way too many different ideas to do that, etc.

      I can be corrected, of course... but aren't most open-source projects started with just a couple people?

      This isn't a symptom of closed or open development model. This is a symptom of young, inexperienced programmers who, frankly, it seems don't really even care ab

  • by am 2k (217885) on Friday September 17, 2010 @10:53AM (#33611110) Homepage

    So, they started from scratch whipping up a solution that's potentially huge, with programmers that apparently aren't that experienced.

    I question how intelligent this approach really is.

    My solution would have been: Take a standard XMPP server, use its capabilities in the area of code stability, pubsub technology, server-to-server communication and properly documented communications protocol (as an RFC), and just write a javascript-based client (based on jQuery and strophe.js for example) that uses it. Any common server like ejabberd would be perfectly able to handle the stuff they need, no server-side coding required at all. As a bonus, the code has already been tested for security and has fewer bugs due to being out in the open for much longer.

    Additionally, it would be trivial to have competing implementations. They already exist.

  • Oh come on... (Score:2, Insightful)

    by bigpistol (1311191)

    BURN THE WITCHES

    Version 0.0.0.0.1 of something more complicated than "Hello world" released along with huge warnings that it is not ready for production and people are shooting the entire project down. It has had 4 people working on it, now they've stuck to their word and opened it at the time they said they would. Why is this news surprising or bad? Why is it even news?? People have found gaping holes, said people will close gaping holes - that was the whole point of it being open wasn't it?

    “If you've been on the Diaspora mailing list, there are people who are clearly not security professionals who are asking each other, 'OK, what do I need to do to get this running because I hate being on Facebook,'” he said. “They are going to get burned in a very serious manner very, very quickly if they actually succeed in doing what they're trying to do.”

    (screams int

    • by Chang (2714)

      There is something to be said for wasting the summer and wasting the enthusiasm. Had they opened it from start it might have turned out differently.

      Of course, it also might have turned into design by committee marathon flame war. We'll never know.

      What is readily apparent to me after getting a seed up and running this week is that these guys are not the web devs to lead this effort. I predict another effort will pick up steam. Maybe GNU social, although that's in a pretty bad alpha state right now also.

      Th

    • Maybe because it's hilarious to see a bunch of people who claim they are going to dethrone Facebook and give us this highly-secured social networking framework but instead that it is full of amateur-level security issues?

  • by pedantic bore (740196) on Friday September 17, 2010 @11:05AM (#33611240)

    ... but after skimming through the code, I'm not terribly surprised to hear that it has issues, because there are virtually no comments or design docs.

    Each one of the coders probably thinks the other coders are responsible for security, because it's nobody knows exactly what the other modules actually do. It's not written down anywhere.

    To be fair, this isn't the only system I've seen like this... and kudos to the team for sticking their code out where everyone can see it. I'm sure that there are similar problems in many widely-used systems, but since they're closed source, we can only guess about the details.

  • by Linux_ho (205887) on Friday September 17, 2010 @11:16AM (#33611334) Homepage

    The release of pre-alpha source code for their Diaspora social Website was only a few hours old on Wednesday when hackers began identifying flaws they said could seriously compromise the security of those who used it. Among other things, the mistakes make it possible to hijack accounts, friend users without their permission, and delete their photos.

    "The bottom line is currently there is nothing that you cannot do to someone's Diaspora account, absolutely nothing," said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.

    So in other words, yes, it's a little bit worse than Facebook at this point.

  • by ideonexus (1257332) * on Friday September 17, 2010 @11:24AM (#33611410) Homepage Journal

    "...issues that make it hard to recommend that you roll your own Diaspora server just yet."

    Umm... Am I missing something here? Why would you set up your own Diaspora server using a Developer's Release? It's in development, as in not ready for prime time yet. There might be too many security issues for it to go live in October, as is scheduled, but if the open source community gets behind the project, that could easily be overcome.

    Unfortunately, this seems to be the catch-22 of many open source start-ups: You need outside developers to help you work out the bugs in your software, but when you publish your development software, everyone beats you up for all the bugs they find in it.

    Stop criticizing and start coding.

  • by Bob9113 (14996) on Friday September 17, 2010 @11:26AM (#33611454) Homepage

    It is excellent that security analysts have taken the time to investigate this code base. I think Eben Moglen made a very strong case for the value of this project, and the voluntary efforts by global security researchers is extremely valuable to the long-term health of Diaspora. Getting security people involved early is a Very Good Thing.

    issues which make it hard to recommend that you roll your own Diaspora server just yet

    Well, yeah. It is brand new pre-alpha code from a small team. If you are going to run brand new pre-alpha code from a small team on a network connected computer, it would be best to know about things like tripwire, process monitoring, traffic monitoring, and chroot, just for starters. You should probably be running it, if anywhere, on a sacrificial box that you can kill remotely. If you are considering running highly experimental code, you should either know how to handle it or know your limitations (I know I don't know enough to run this code in the wild).

    Some products, like OpenBSD, start with high security as job one. Perhaps such projects can be somewhat trusted in their early state (though they will likely be deficient in other important areas). Others start with other prime motives, and should not be so trusted in the early days. The key value of Open Source is not that it is perfect in all critical areas on the first day of publication. It is that it can be collectively enhanced to become very strong in all areas over time. The first step in that process is publishing the broken stuff so the global system of experts can get together for a barn raising.

    In short, this is exactly how it should work. This is not a sign of weakness but a significant step forward on the Open Source best practices road.

  • It's got potential (Score:2, Interesting)

    by Ancalimar (920912)
    I admit that I haven't read through the code, and I am not a programmer. But it seems to me that if this can be hosted and run by individual institutions, it could have a fairly large impact in higher education in the next few years. Employees could use this like intranet-lite, and alumni and students could use this the way Facebook was originally used -- a social network for the school itself. The only difference is that it could provide very useful data directly to the school instead of an individual.
  • The Diaspora guys should hire Austin Heap.
  • If there's a security bug or privacy hole in Facebook, all you can do is play with your profile options and pray it helps, or start a petition. Here, we have a chance to define the way we want to use such a system. It doesn't start out perfect, but Facebook as-is isn't perfect either after years of work. This project has started out with a foot forward in a much better direction.
  • by Posting=!Working (197779) on Friday September 17, 2010 @01:02PM (#33612492)

    Article - A Pre-alpha release of the User Interface has security holes. For some reason this surprises people, and those who do know better are acting shocked, despite the fact that compiling "#include " by itself can be considered a pre-alpha release and that they have no idea about the project path.

    Comments - Since I wouldn't have started with the user interface, this project is a failure. Stupid kids with no real-world large project experience can't do anything. The money they raised is completely wasted, even though we've no idea how much of that they've actually spent, with 4 programmers living in NYC working on this, they must have spent the $200,000 on gold plated Ferraris. They are not following my formula for creating large successful social networks (my current success rate: 0/0), therefore it is worthless. Trying is the first step towards failure.

    Remind me never to show a work in progress on Slashdot.

  • Taken (Score:3, Insightful)

    by BlackHawk-666 (560896) <ivan.hawkes@gmail.com> on Friday September 17, 2010 @01:07PM (#33612552) Homepage

    To me the real story here is how four students with no real skills or experience managed to convince people into giving them $200,000.

    Of course their code is going to be utter rubbish, they are uni grads with no experience, discipline, standards, or any of the myriad other factors that are required to make rock solid code. It sounds like they don't even have a documented protocol to work, and I'm guessing that means there's nothing in place for inter-communication with add-ons or third party code.

    Even if you assume they worked mainly on the front-end, that's seriously only a week or so of work for four developers, especially when so much has been cribbed from elsewhere.

    I'm expecting a delay to their release to fix the major obvious flaws, massive security concerns, and a lacklustre launch of a product no-one really needs that much. If Facebook is so bad that you have already removed your account, or haven't subscribed yet - then you might be a contender for this product. Most others will simply stay where their friends all are - because that's the whole ********* point of a social network.

    Never underestimate the power of inertia.

  • Give'em A Break (Score:5, Insightful)

    by Ukab the Great (87152) on Friday September 17, 2010 @04:50PM (#33615030)

    It's not any dumber than two college dropouts in Cupertino building a personal computer in their garage or some lone crazy finish student making his own OS.

    Budgets considerably larger than $200,000 have been spent on software projects written by professional programmers that don't run at all.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...