Security Concerns Paramount After Early Reviews of Diaspora Code 206
Stoobalou writes with this excerpt from Thinq.co.uk:
"Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle Facebook. Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that 'we know there are security holes and bugs' in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are — issues which make it hard to recommend that you roll your own Diaspora server just yet."
This isn't necessarily a bad thing (Score:5, Insightful)
It might encourage the workers on Diaspora code to work harder for security. I mean, even if you think you have every security hole plugged, until you open that code up to the world you won't really know. So what, there are many more security bugs than expected. That's fine, delay the release a little bit and start patching.
Unless this completely discourages them to the point that they turn emo and start lying in the dark crying, I'm pretty sure they can fix this and still release.
After how long? (Score:5, Insightful)
After a few months, a big project has bugs? Really? That's amazing! After all, Windows has been around for only 20 years and it's perfect, right?
I think I'll reserve judgment for sometime in 2012...
And that was to be expected (Score:4, Insightful)
It's not a bad thing though, as long as people are willing to constructively collaborate on the project.
Re:After how long? (Score:1, Insightful)
After a few months, a big project written by a bunch of students with no real-world big project experience has numerous showstopper bugs? Really? That's amazing!
Improved that for you.
Good thing it's free... (Score:5, Insightful)
Okay, I have no horse in this race, as I only have a passing interest in online social networks (enough to read the article, but not enough to join one), so I am not very passionate about this news in one way or another, but...
Isn't that why it's called pre-Alpha software?? I mean, bugs happen. In open architectures, you fix them. If this were a closed software project, you wouldn't even know about them. If there were endemic, critical flaws inherent in their underlying assumptions going into this project, then that would be news, but "oversold Alpha software contains bugs!!!" is hardly worth noting. Being free software, many eyes will ensure that the Beta version is better, presumably.
Re:Good thing it's free... (Score:2, Insightful)
If this were a closed software project, you wouldn't even know about them.
If this were true, no independent researchers would ever be able to find security holes in things like Windows or Adobe products. Having access to source code is a nicety but the vast majority of security holes aren't found staring at source code it's by poking around at the binary.
Re:This isn't necessarily a bad thing (Score:5, Insightful)
Is anyone actually surprised that a bunch of Ruby developers can't write secure code?
No, but then I wouldn't be surprised if you substituted Python, Perl, Java, or C for Ruby in that statement. The proportion of programmers who can write secure code is a relatively small proportion of the number that can write code in any language.
That's one of the reasons why, as I said in the last story, I am more interested in the protocols than in the implementation. A set of standard protocols for social networking (ideally built on top of XMPP) would allow lots of different implementations, which would reduce the damage that could be done by a flaw in one of them.
Diaspora marketing (Score:4, Insightful)
Re:Freetard fail (Score:5, Insightful)
Something doesn't have to convince every user just to succeed. To me, Diaspora represents everything RIGHT with the FOSS community. Collaboration on software that, on its own, would never survive. However, with people working together on it, they can increase its usefulness (and increase their own skills, which by proxy would improve any future projects they worked on.) Diaspora is a grand experiment, one that I hope works out.
I fail to see how working with people dedicating their time and knowledge can be seen as a bad thing.
Horse before cart (Score:5, Insightful)
Again, a project that was way overhyped before any code became available.
This shouldn't be looked upon as a 'bad thing'... (Score:4, Insightful)
Yes, I understand that any security vulnerability is a bad thing. In that merit this is a bad thing. BUT...
These are people fresh out of college, and haven't gotten a lot of real world experience. I, myself, am only out of college by a year and a half. The first year was spent as a sys admin, but the past 6 as a developer. They have probably heard of some types of attacks, but are unfamilier with details. Others, if they are like me, they haven't even thought of. All of this comes from being "in the trade".
This is why Open Source is good. It can rapidly increase a programmers competency if they get constructive criticism. It sounds like they are getting plenty of that, but the article kinda makes it sound like the should know all this.
I, for one, am glad they are doing this, and that they have decided to release some code early for review. Not only will it allow bugs to be fixed early, but it will also give them lessons for future use.
Re:Good thing it's free... (Score:3, Insightful)
I think the point was that, if this were a closed project, no one would have acess to anything yet-- not the source, not the binary, nothing.
This was not intend to be a secure release or a complete release. This was the first release of an open source project, just to say "here, we have something, so let's get started.". If you expected to be rolling your own diaspora server right now, then you really didn't understand what was going on.
Re:And that was to be expected (Score:5, Insightful)
Am I missing something here? This is the way it should work, and the true strength of open source. Assuming they have the skillset to address the security issues found, I just don't see an issue. This isn't release level software yet, and I would expect that anyone putting up such a site based on it would publish that fact. I'm pleased that they are getting such great input on key security flaws.
Re:After how long? (Score:5, Insightful)
Re:After how long? (Score:5, Insightful)
Not if it's anything like every big project I've worked on.
First, projects go through a phase of "how can we do this" where various components are mashed together with the expectation that things will work later. That's a good thing to do while gathering initial funding.
Then they go through the phase of "we can do this" where some parts of the project work, but most is broken.
That's followed by the "demonstration" phase, where things work under perfect circumstances. That seems to be where Diaspora is at now.
Next is the "we can do this well" phase, where the once-connected components are split up and divided into their appropriate layers and security is locked down, now that there's a clear idea of what the security model must support.
Finally is the "continued development" phase, where the project is stable enough that new components don't need major changes to security, and extra features can be added.
I've had a few projects that started with the frameworks and various layers of abstraction, and they've invariably failed after many refactorings and revisions. Heck, one project I worked on was a web-based game engine, which turned into a giant security model, and finally died without a single line of actual game code written. It took eight months to fail miserably. Projects change, and requirements change. Going into a security model too early can be worse than not having one.
Re:After how long? (Score:1, Insightful)
So many rookie Security bugs in pre-Alpha software mean something very significant for the project
Re:Specialized servers offering ad-free accounts (Score:4, Insightful)
All actual data like messages is (supposed to be) encrypted. So the rogue seed can see your network or parts of it but should not get anything else.
My understanding is from a quick glance, it would be awesome if the developers would document things a bit more and lay out the design and roadmaps properly.
Symptom of a closed development model (Score:2, Insightful)
Questioning the Whole Concept (Score:3, Insightful)
So, they started from scratch whipping up a solution that's potentially huge, with programmers that apparently aren't that experienced.
I question how intelligent this approach really is.
My solution would have been: Take a standard XMPP server, use its capabilities in the area of code stability, pubsub technology, server-to-server communication and properly documented communications protocol (as an RFC), and just write a javascript-based client (based on jQuery and strophe.js for example) that uses it. Any common server like ejabberd would be perfectly able to handle the stuff they need, no server-side coding required at all. As a bonus, the code has already been tested for security and has fewer bugs due to being out in the open for much longer.
Additionally, it would be trivial to have competing implementations. They already exist.
What did people expect? And it *does* matter. (Score:1, Insightful)
It is a web service created by a bunch of kids still in school. Unless they have been doing professional web design and service coding since they were 12 then I don't see why this would turn out any better than the internal web service I let the interns learn on.
Security, scalability, and maintenance concerns at the start of a project are a big deal. These are all foundations of a computer system that you cannot change or fix later without basically doing a complete rewrite.
Re:And that was to be expected (Score:4, Insightful)
Re:And that was to be expected (Score:5, Insightful)
Re:This shouldn't be looked upon as a 'bad thing'. (Score:3, Insightful)
My point is, then obviously new they were inexperienced and that the code would have numerous problems. That's why the article said only the die-hard fans with blinders on would try to set this up and be subject to the security holes.
What I'm trying to say in my post is that since they knew there were problems, they went ahead and released the code so others can look. This is one of the great strengths of open source. If you know you have problems in your code, you can release it and have others look over it and provide insights into what you are or are not doing correctly.
Should inexperienced people be trusted to create a highly secure network protocol and implementation? No. Not even remotely. BUTThey took it upon themselves to get the process started. Once they felt they had something worth others looking at, they released the code, and professionals with more experience provided feedback.
Oh come on... (Score:2, Insightful)
BURN THE WITCHES
Version 0.0.0.0.1 of something more complicated than "Hello world" released along with huge warnings that it is not ready for production and people are shooting the entire project down. It has had 4 people working on it, now they've stuck to their word and opened it at the time they said they would. Why is this news surprising or bad? Why is it even news?? People have found gaping holes, said people will close gaping holes - that was the whole point of it being open wasn't it?
“If you've been on the Diaspora mailing list, there are people who are clearly not security professionals who are asking each other, 'OK, what do I need to do to get this running because I hate being on Facebook,'” he said. “They are going to get burned in a very serious manner very, very quickly if they actually succeed in doing what they're trying to do.”
(screams into pillow)
Re:Good thing it's free... (Score:2, Insightful)
The problem about this is that many of those types of flaws have been well known about and well publicised for many years now (and many high profile sites have had widely publicised exploits ecause of them).
However, there are now many standard practices which seasoned/experienced programmers/developers/system designers use to mitigate most of those issues (Hell, whilst I may have some issues with Ruby on Rails, with the current release I believe you'd have to explicitly allow unescaped HTML into your pages).
Anyone who has been developing any web applications for any decent length of time should be treating security (XSS, SQL Injection, Request Forgery etc) as a matter of principle, because it's much harder to retrofit security once you're finished. So that their source has so many holes in it does not bode well for any underlying protocol, they are not approaching the project with security in mind at all (and it may seem that they are not experienced enough yet to approach it so). This would be fine if it was just your average open source project, however it's not. They have been donated some $200,000 with which to develop it, and the benefit that could be gained from it is immeasurable. If the code they write is full of flaws, you can probably expect the protocol to have issues as well.
As has been suggested, the very first thing they should have done is come up with the protocol/data schema/api with which the sites would communicate . This would include allowing extensions/non base data as if there isn't a standard way of doing this then many of the various companies who run the servers will attempt to extend them (ala Microsoft) to get their own kind of vendor lock in (The best way would probably be something similar to the RSS v2.0 modules via namespaces, though I haven't spent too much time thinking about it).
Call me old-fashioned... (Score:4, Insightful)
Each one of the coders probably thinks the other coders are responsible for security, because it's nobody knows exactly what the other modules actually do. It's not written down anywhere.
To be fair, this isn't the only system I've seen like this... and kudos to the team for sticking their code out where everyone can see it. I'm sure that there are similar problems in many widely-used systems, but since they're closed source, we can only guess about the details.
Re:This isn't necessarily a bad thing (Score:5, Insightful)
A great big helping of THIS. It is insanely difficult to write really secure code in any language. (Although it's harder in some than in others).
Look at Postfix -- it was designed and written specifically with security in mind by one of the world's foremost experts on TCP/IP security, and it STILL has had security bugs. If a hacker god like Wietse Venema [wikipedia.org] has security bugs in his code, what chance do mere mortals like us have of writing secure code?
This is something that has to be tackled on multiple levels -- in library code, at the compiler, at the operating system, and even in the language itself. Modern languages have garbage collection that prevents (most) memory leak issues; we need a similar language-level mechanism to address common security issues. Perl's taint mode is a definite step in the right direction, but there needs to be more research done on language-level security features.
Likewise, we have static and dynamic code checkers that highlight problematic code; while there are some for security, we need more/better tools in this area, and more importantly we need to teach young programmers to actually USE them, or better yet build them into the compiler so you HAVE to use them.
Re:Good thing it's free... (Score:4, Insightful)
If you expected to be rolling your own diaspora server right now, then you really didn't understand what was going on
Exactly. Like much of the dumbed-down "news" we're subjected to, this is just a little more sensational nonsense.
Breaking news! Infants can't grasp quantum physics. Are they stupid? You decide!
The little coverage I've seen sticks strictly to usability ("aspects" and this very early revision of the UI) . If that's all they built, I wouldn't bother criticizing the more difficult areas of security, scalability and reliability (that's not to say one shouldn't report bugs). Since hearing of the project I've assumed that these problems may be something these kids are looking for others to pitch in. Releasing the code isn't a bad way to get other people to start working, and as we've seen that actually worked out well, significantly multiplying the number of contributors to the project.
Diaspora, done right, is not a weekend project. Doesn't help that these naysayers are too immature to seek positive reinforcement.
Re:And that was to be expected (Score:5, Insightful)
Seriously, a bunch of kids from NYU... what did you expect?
I don't know. What do you expect from a 21-year old kid from University of Helsinki? Personally I don't believe anyone expects much from it but nowadays you have the entire IT world being carried by a pet project made by a little Finnish kid from University of Helsinki.
Is this also the case? I don't know, really. Yet, I hope it is.
Why Would You "Roll" off a Developer Release??? (Score:4, Insightful)
Umm... Am I missing something here? Why would you set up your own Diaspora server using a Developer's Release? It's in development, as in not ready for prime time yet. There might be too many security issues for it to go live in October, as is scheduled, but if the open source community gets behind the project, that could easily be overcome.
Unfortunately, this seems to be the catch-22 of many open source start-ups: You need outside developers to help you work out the bugs in your software, but when you publish your development software, everyone beats you up for all the bugs they find in it.
Stop criticizing and start coding.
Open Source Best Practices (Score:3, Insightful)
It is excellent that security analysts have taken the time to investigate this code base. I think Eben Moglen made a very strong case for the value of this project, and the voluntary efforts by global security researchers is extremely valuable to the long-term health of Diaspora. Getting security people involved early is a Very Good Thing.
issues which make it hard to recommend that you roll your own Diaspora server just yet
Well, yeah. It is brand new pre-alpha code from a small team. If you are going to run brand new pre-alpha code from a small team on a network connected computer, it would be best to know about things like tripwire, process monitoring, traffic monitoring, and chroot, just for starters. You should probably be running it, if anywhere, on a sacrificial box that you can kill remotely. If you are considering running highly experimental code, you should either know how to handle it or know your limitations (I know I don't know enough to run this code in the wild).
Some products, like OpenBSD, start with high security as job one. Perhaps such projects can be somewhat trusted in their early state (though they will likely be deficient in other important areas). Others start with other prime motives, and should not be so trusted in the early days. The key value of Open Source is not that it is perfect in all critical areas on the first day of publication. It is that it can be collectively enhanced to become very strong in all areas over time. The first step in that process is publishing the broken stuff so the global system of experts can get together for a barn raising.
In short, this is exactly how it should work. This is not a sign of weakness but a significant step forward on the Open Source best practices road.
Re:And that was to be expected (Score:2, Insightful)
Re:After how long? (Score:5, Insightful)
Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?
Or possibly, that they are smart enough to recognize that having "something" to show possible investors (and more importantly, current investors) is worth a great deal more than a framework that can't be demonstrated.
Don't get me wrong -- I really, *really* hope that the security model gets implemented well in Diaspora, and they don't get destracted by "ooh, shiny!" syndrome. But expecting them to go to folks who have given them money -- people who likely know even less about security than these college students -- and say, "This mystery code will work, it's really better, we just can't demonstrate it," is unreasonable.
Prototype first, then refine. Bugs happen, just fix them and move on. It looks like they're on their way to me. If you (or others) think you can fix these bugs or fundamental flaws in their security model, talk to them. You might just find yourself a job at a potentially big startup.
Re:Protocol, not code (Score:3, Insightful)
Flashback to my game dev days: "Never mind if it works, make it spin!"
I guess they're not locked into a death march yet, but it's not a good start. "Pre-alpha" bollocks aside, you've either got a zero defect mentality, or you don't. Since nobody forced them to release in this state, it looks clear that they don't. The problem isn't the code, it's the coders.
Summary of article and comments (Score:4, Insightful)
Article - A Pre-alpha release of the User Interface has security holes. For some reason this surprises people, and those who do know better are acting shocked, despite the fact that compiling "#include " by itself can be considered a pre-alpha release and that they have no idea about the project path.
Comments - Since I wouldn't have started with the user interface, this project is a failure. Stupid kids with no real-world large project experience can't do anything. The money they raised is completely wasted, even though we've no idea how much of that they've actually spent, with 4 programmers living in NYC working on this, they must have spent the $200,000 on gold plated Ferraris. They are not following my formula for creating large successful social networks (my current success rate: 0/0), therefore it is worthless. Trying is the first step towards failure.
Remind me never to show a work in progress on Slashdot.
Taken (Score:3, Insightful)
To me the real story here is how four students with no real skills or experience managed to convince people into giving them $200,000.
Of course their code is going to be utter rubbish, they are uni grads with no experience, discipline, standards, or any of the myriad other factors that are required to make rock solid code. It sounds like they don't even have a documented protocol to work, and I'm guessing that means there's nothing in place for inter-communication with add-ons or third party code.
Even if you assume they worked mainly on the front-end, that's seriously only a week or so of work for four developers, especially when so much has been cribbed from elsewhere.
I'm expecting a delay to their release to fix the major obvious flaws, massive security concerns, and a lacklustre launch of a product no-one really needs that much. If Facebook is so bad that you have already removed your account, or haven't subscribed yet - then you might be a contender for this product. Most others will simply stay where their friends all are - because that's the whole ********* point of a social network.
Never underestimate the power of inertia.
Re:And that was to be expected (Score:3, Insightful)
I don't know. What do you expect from a 21-year old kid from University of Helsinki? Personally I don't believe anyone expects much from it but nowadays you have the entire IT world being carried by a pet project made by a little Finnish kid from University of Helsinki.
Is this also the case? I don't know, really. Yet, I hope it is.
You know, there was a bit of code there before Linus started. Linus's pet project was one of many many people's pet projects.
Sometimes I question calling the operating system GNU/Linux, but when people imply Linus wrote the entire OS, I see why people press for the recognition to everyone who contributed all the free code.
Bigger security bug is the design its self (Score:2, Insightful)
(I might be making an assumption with how this is "distributed", friends and trusted servers might be acceptable. But i'm not going to give them the benefit of the doubt because they did a very poor job explaining important details like these.)
Encryption should never be your only line of defence for PRIVATE information.
"Distributed Encrypted Backups" and "distributed" is scary because this is PRIVATE information and not PUBLIC information, not only is this uncharted territory but it is fundamentally wrong. With Tor and Freenet there was nothing of value stored or transferred.
A malicious user could archive torrents of encrypted personal information, even if it takes 20-50 years to crack this is unacceptable. Normally you are just packet sniffing on a small fraction of the population.
This project could be a false prophet that will that will doom the success of any future social projects.
Also, these client diversity and data portability concepts may not be compatible with attempts at real privacy and security, for example your perfect email client and server is at the mercy of the client on the other sending/receiving end. These concepts make the assumption that the indefinite storage of information is a good idea, while i happen to think that the expiration of messages is a good idea, and an idea that can look appealing with the right spin. (well, these concepts are may be ok for making the transition to something better, but i think it encourages defeatism, accepting to be average)
disclaimer, i'm about to finish a security/privacy focused social networking website that isn't exactly 'open' for the foreseeable future but its not feature fancy/flashy either.
Re:Freetard fail (Score:3, Insightful)
Re:And that was to be expected (Score:3, Insightful)
It states very clearly that this is ALPHA code. It's a bit too soon to formulate opinions on if its useable, right?
Give'em A Break (Score:5, Insightful)
It's not any dumber than two college dropouts in Cupertino building a personal computer in their garage or some lone crazy finish student making his own OS.
Budgets considerably larger than $200,000 have been spent on software projects written by professional programmers that don't run at all.
Re:Freetard fail (Score:3, Insightful)
I do not make predictions about diaspora, too early for that.
I have been suprised by the reported problems, esp. with html injection.
Diaspora seems a rails app.
Rails, like most web frameworks, takes precautions against such injections, and IIRC even basic tutorials mention those, so an unskilled coder that RTF tutorials ought to avoid those.
So I guess they released very early and the code and protocol will have to be massaged a lot. Changing the code is trivial, the protocol is a bit more delicate. :)
It's also probably too late to use gnunet, freenet, other p2p or stuff as i2p or tahoe-lafs as an infrastructure, too. Like every other coder out there, including me, they are gonna pay for the NIH syndrome
But ok, let's see what happens. Good luck to diaspora.