Security Concerns Paramount After Early Reviews of Diaspora Code
Stoobalou writes with this excerpt from Thinq.co.uk:
"Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle Facebook. Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that 'we know there are security holes and bugs' in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are — issues which make it hard to recommend that you roll your own Diaspora server just yet."
You're wrong. I'm 99% confident that 2011 will be the year of Diaspora on the desktop.
It might encourage the workers on Diaspora code to work harder for security. I mean, even if you think you have every security hole plugged, until you open that code up to the world you won't really know. So what, there are many more security bugs than expected. That's fine, delay the release a little bit and start patching.
Unless this completely discourages them to the point that they turn emo and start lying in the dark crying, I'm pretty sure they can fix this and still release.
Yeah, but it will be like email is now. People won't need to run their own servers. They will be able to pick from a variety of free diaspora hosts who get their revenue from ad dollars and harvesting your data (and that of your friends, who might host their own diaspora node at home, or on another service), and then we will be free of facebook's horrible privacy violations, and be in a new universe of less accountable companies with even worse problems.
I can't wait, diaspora, here I come!
After a few months, a big project has bugs? Really? That's amazing! After all, Windows has been around for only 20 years and it's perfect, right?
I think I'll reserve judgment for sometime in 2012...
You do not have a moral or legal right to do absolutely anything you want.
zomg! Pre-alpha! This thing is sure to be a failure!
Seriously, a bunch of kids from NYU... what did you expect?
It's not a bad thing though, as long as people are willing to constructively collaborate on the project.
Okay, I have no horse in this race, as I only have a passing interest in online social networks (enough to read the article, but not enough to join one), so I am not very passionate about this news in one way or another, but...
Isn't that why it's called pre-Alpha software?? I mean, bugs happen. In open architectures, you fix them. If this were a closed software project, you wouldn't even know about them. If there were endemic, critical flaws inherent in their underlying assumptions going into this project, then that would be news, but "oversold Alpha software contains bugs!!!" is hardly worth noting. Being free software, many eyes will ensure that the Beta version is better, presumably.
I'm more interested in the protocol than the code. If the protocol is vulnerable to attacks/fraud then it is a show stopper.
If the ruby-web-stuff-code contains bugs and security holes, I'll just write my own (read: wait for someone else to do it).
I couldn't find any relevant info about the protocol in TFA. Am I missing something?
I don't understand why Diaspora has had saturation coverage in the mainstream press (and pretty heavy coverage here, for that matter) before it even went alpha, but identi.ca gets so little.
a variety of free diaspora hosts who get their revenue from ad dollars and harvesting your data (and that of your friends ...
So this model is different from Facebook how exactly?
Many people are reporting that it doesn't do what they want and is missing lots of functions that it needs, as well as all the security vulnerabilities. Of course lots will be missing; this is a very early release. If you want to judge it, at least wait till the first consumer release in October.
Something doesn't have to convince every user just to succeed. To me, Diaspora represents everything RIGHT with the FOSS community. Collaboration on software that, on its own, would never survive. However, with people working together on it, they can increase its usefulness (and increase their own skills, which by proxy would improve any future projects they worked on.) Diaspora is a grand experiment, one that I hope works out.
I fail to see how working with people dedicating their time and knowledge can be seen as a bad thing.
Again, a project that was way overhyped before any code became available.
Unlike Facebook, the Diaspora network is planned to have more than one server operator. Some might offer ad-free accounts to subscribers. Others might be run by a company that offers ad-free accounts to its employees, a school that offers ad-free accounts to its students (echoing the original meaning of the word "facebook"), or a church or other non-profit club that offers ad-free accounts to its members.
Sure there may be some sniggling going on when we look over the code, but these guys have taken the necessary steps to start something which hopefully will become huge for them. I know if it is within my power to point out some helpful hints and tips I will, and I would encourage everyone else to do the same. Best of luck to all on the team! The journey of a thousand miles begins with a single step, and whilst your first step may be shaky, in this case you have the support of the development community to help you stay afloat.
Yes, I understand that any security vulnerability is a bad thing. In that merit this is a bad thing. BUT...
These are people fresh out of college, and haven't gotten a lot of real world experience. I, myself, am only out of college by a year and a half. The first year was spent as a sys admin, but the past 6 as a developer. They have probably heard of some types of attacks, but are unfamiliar with details. Others, if they are like me, they haven't even thought of. All of this comes from being "in the trade".
This is why Open Source is good. It can rapidly increase a programmer's competency if they get constructive criticism. It sounds like they are getting plenty of that, but the article kinda makes it sound like they should know all this.
I, for one, am glad they are doing this, and that they have decided to release some code early for review. Not only will it allow bugs to be fixed early, but it will also give them lessons for future use.
These are people fresh out of college, and haven't gotten a lot of real world experience.
So these are the people we should be trusting to make a highly secure network protocol and implementation? Really?
I respect what's been done so far with Diaspora, but for all the hype and money poured into this project, this is a bit embarrassing. To me, it looks like a byproduct of a closed development model with a small team...I'm glad there can be community participation on the project now but I don't understand why the community wasn't involved in the beginning.
But will I still be able to play Bejeweled?
So, they started from scratch whipping up a solution that's potentially huge, with programmers that apparently aren't that experienced.
I question how intelligent this approach really is.
My solution would have been: Take a standard XMPP server, use its capabilities in the area of code stability, pubsub technology, server-to-server communication and properly documented communications protocol (as an RFC), and just write a javascript-based client (based on jQuery and strophe.js for example) that uses it. Any common server like ejabberd would be perfectly able to handle the stuff they need, no server-side coding required at all. As a bonus, the code has already been tested for security and has fewer bugs due to being out in the open for much longer.
Additionally, it would be trivial to have competing implementations. They already exist.
It is a web service created by a bunch of kids still in school. Unless they have been doing professional web design and service coding since they were 12 then I don't see why this would turn out any better than the internal web service I let the interns learn on.
Security, scalability, and maintenance concerns at the start of a project are a big deal. These are all foundations of a computer system that you cannot change or fix later without basically doing a complete rewrite.
My point is, they obviously knew they were inexperienced and that the code would have numerous problems. That's why the article said only the die-hard fans with blinders on would try to set this up and be subject to the security holes.
What I'm trying to say in my post is that since they knew there were problems, they went ahead and released the code so others can look. This is one of the great strengths of open source. If you know you have problems in your code, you can release it and have others look over it and provide insights into what you are or are not doing correctly.
Should inexperienced people be trusted to create a highly secure network protocol and implementation? No. Not even remotely. BUT they took it upon themselves to get the process started. Once they felt they had something worth others looking at, they released the code, and professionals with more experience provided feedback.
BURN THE WITCHES
Version 0.0.0.0.1 of something more complicated than "Hello world" released along with huge warnings that it is not ready for production and people are shooting the entire project down. It has had 4 people working on it, now they've stuck to their word and opened it at the time they said they would. Why is this news surprising or bad? Why is it even news?? People have found gaping holes, said people will close gaping holes - that was the whole point of it being open wasn't it?
“If you've been on the Diaspora mailing list, there are people who are clearly not security professionals who are asking each other, 'OK, what do I need to do to get this running because I hate being on Facebook,'” he said. “They are going to get burned in a very serious manner very, very quickly if they actually succeed in doing what they're trying to do.”
(screams into pillow)
Good thing the world took the same attitude about those kooks Gates, Jobs, and Torvalds.
Seriously, all of this hullabaloo is astro-turfed FUD. Inside of a year diaspora will be the most secure social network there is, and will end up providing a nucleus for a tremendous number of AGPL cloud services, from webmail to upper body strength increase.
Each one of the coders probably thinks the other coders are responsible for security, because nobody knows exactly what the other modules actually do. It's not written down anywhere.
To be fair, this isn't the only system I've seen like this... and kudos to the team for sticking their code out where everyone can see it. I'm sure that there are similar problems in many widely-used systems, but since they're closed source, we can only guess about the details.
So in other words, yes, it's a little bit worse than Facebook at this point.
says a lot about how pissed off such a large majority of people are with Facebook. People want it to succeed because they are tired of dealing with Facebook changing privacy pretty overwhelmingly without much notice or instruction guides and exposing your data more often that most on /. change underwear.
I've been a Facebook user since the first year it rolled out at my college in 2K4 and it just sucks ass now. The fact that if you want to share info with your friends about what bands you like or interests, they are now Pages with no way to hide them from anyone who sees your profile, is "gayer than all the guys in the pile". If Diaspora takes these suggestions, keeps up the hard work and makes a good product with a few bugs that has regular patches, I will drop Facebook like a rock.
Umm... Am I missing something here? Why would you set up your own Diaspora server using a Developer's Release? It's in development, as in not ready for prime time yet. There might be too many security issues for it to go live in October, as is scheduled, but if the open source community gets behind the project, that could easily be overcome.
Unfortunately, this seems to be the catch-22 of many open source start-ups: You need outside developers to help you work out the bugs in your software, but when you publish your development software, everyone beats you up for all the bugs they find in it.
Stop criticizing and start coding.
It is excellent that security analysts have taken the time to investigate this code base. I think Eben Moglen made a very strong case for the value of this project, and the voluntary efforts by global security researchers is extremely valuable to the long-term health of Diaspora. Getting security people involved early is a Very Good Thing.
issues which make it hard to recommend that you roll your own Diaspora server just yet
Well, yeah. It is brand new pre-alpha code from a small team. If you are going to run brand new pre-alpha code from a small team on a network connected computer, it would be best to know about things like tripwire, process monitoring, traffic monitoring, and chroot, just for starters. You should probably be running it, if anywhere, on a sacrificial box that you can kill remotely. If you are considering running highly experimental code, you should either know how to handle it or know your limitations (I know I don't know enough to run this code in the wild).
Some products, like OpenBSD, start with high security as job one. Perhaps such projects can be somewhat trusted in their early state (though they will likely be deficient in other important areas). Others start with other prime motives, and should not be so trusted in the early days. The key value of Open Source is not that it is perfect in all critical areas on the first day of publication. It is that it can be collectively enhanced to become very strong in all areas over time. The first step in that process is publishing the broken stuff so the global system of experts can get together for a barn raising.
In short, this is exactly how it should work. This is not a sign of weakness but a significant step forward on the Open Source best practices road.
I admit that I haven't read through the code, and I am not a programmer. But it seems to me that if this can be hosted and run by individual institutions, it could have a fairly large impact in higher education in the next few years. Employees could use this like intranet-lite, and alumni and students could use this the way Facebook was originally used -- a social network for the school itself. The only difference is that it could provide very useful data directly to the school instead of an individual. I've also read a lot of complaints about how the project focused first on user interface instead of back-end programming. Isn't that similar to how Facebook itself started? I don't think there were a bunch of new protocols declared for the "Face book" launch.
The Diaspora guys should hire Austin Heap.
Jobs never was a programmer. Torvalds had help from other experienced programmers and Gates didn't single-handedly write all the software Microsoft put out and also hired experienced programmers. So I'm failing to see what analogous situation you are trying to build.
Can you do better? If so, are you going to be contributing to the project?
Ginning up an architecture and a code blob while holed up in a basement, THEN asking for input is wrong. The initial architect and developers are married to the design and code. They will maybe grudgingly try to "fix" what should never have been typed in the first place.
Open source should start at the drawing it on a napkin phase, not the first alpha release. Often it can't because nobody cares that early. In this case it could have.
If there's a security bug or privacy hole in Facebook, all you can do is play with your profile options and pray it helps, or start a petition. Here, we have a chance to define the way we want to use such a system. It doesn't start out perfect, but Facebook as-is isn't perfect either after years of work. This project has started out with a foot forward in a much better direction.
No, I'm not going to be. I have better things to do than wade through the amateur-quality code of a bunch of Ruby noobs.
I think this could be good for this project. Its good to get nailed with security issues as early as possible. This just means that focus on security will get higher...end result could be a very secure system. GL!
"Something doesn't have to convince every user just to succeed."
Maybe not every user, but it does need to convince everyone I want to know and I just don't see Diaspora doing that. Facebook, after ~5 years, has 500 million users, and it's steadily been growing by 100 million users every 160 days. That's huge, and unless Facebook really messes up, I mean messes up to the point that it's on the nightly news and 20/20 saying how horrible they are so every grandma that doesn't read /. even knows how horrible they are, I just don't see anyone knocking them out of the way.
Facebook has 2 billion results
Diaspora has 20 million, and many of those are wiki entries, music, and a video game.
And these latest reports that Diaspora is riddled with security issues has hit the news big time.
I think this is the last we'll hear of Diaspora. They were given $200,000 and couldn't even make a secure site. That's pretty damn disappointing.
Release early and release often is one of the fundamental tenets ESR spelled out in the Cathedral and the Bazaar I believe. Why should anyone be surprised or disappointed that early versions of the code aren't perfect yet? Seriously that's just dumb. The open source model can not be brought up to speed to fix anything until there is source code released to look at and improve.
PRECISELY. To me this is showing that the idea has its own momentum now - which is absolutely what it needs. I even almost shed a tear over this - it's like watching a community get together to help put out a fire.
it's expected to be missing many features but if the code quality is pure rubbish the final product will be... surprise, surprise... pure rubbish!
Imagine the pressure on them. They had $200k of donations to show for and every privacy activist has been following them for months. I bet half those holes would've been patched if it weren't for all the pressure to release.
Article - A Pre-alpha release of the User Interface has security holes. For some reason this surprises people, and those who do know better are acting shocked, despite the fact that compiling "#include " by itself can be considered a pre-alpha release and that they have no idea about the project path.
Comments - Since I wouldn't have started with the user interface, this project is a failure. Stupid kids with no real-world large project experience can't do anything. The money they raised is completely wasted, even though we've no idea how much of that they've actually spent, with 4 programmers living in NYC working on this, they must have spent the $200,000 on gold plated Ferraris. They are not following my formula for creating large successful social networks (my current success rate: 0/0), therefore it is worthless. Trying is the first step towards failure.
Remind me never to show a work in progress on Slashdot.
To me the real story here is how four students with no real skills or experience managed to convince people into giving them $200,000.
Of course their code is going to be utter rubbish, they are uni grads with no experience, discipline, standards, or any of the myriad other factors that are required to make rock solid code. It sounds like they don't even have a documented protocol to work to, and I'm guessing that means there's nothing in place for inter-communication with add-ons or third party code.
Even if you assume they worked mainly on the front-end, that's seriously only a week or so of work for four developers, especially when so much has been cribbed from elsewhere.
I'm expecting a delay to their release to fix the major obvious flaws, massive security concerns, and a lacklustre launch of a product no-one really needs that much. If Facebook is so bad that you have already removed your account, or haven't subscribed yet - then you might be a contender for this product. Most others will simply stay where their friends all are - because that's the whole ********* point of a social network.
Never underestimate the power of inertia.
(I might be making an assumption with how this is "distributed"; friends and trusted servers might be acceptable. But I'm not going to give them the benefit of the doubt because they did a very poor job explaining important details like these.)
Encryption should never be your only line of defence for PRIVATE information.
"Distributed Encrypted Backups" and "distributed" is scary because this is PRIVATE information and not PUBLIC information, not only is this uncharted territory but it is fundamentally wrong. With Tor and Freenet there was nothing of value stored or transferred.
A malicious user could archive torrents of encrypted personal information, even if it takes 20-50 years to crack this is unacceptable. Normally you are just packet sniffing on a small fraction of the population.
This project could be a false prophet that will that will doom the success of any future social projects.
Also, these client diversity and data portability concepts may not be compatible with attempts at real privacy and security; for example, your perfect email client and server is at the mercy of the client on the other sending/receiving end. These concepts make the assumption that the indefinite storage of information is a good idea, while I happen to think that the expiration of messages is a good idea, and an idea that can look appealing with the right spin. (Well, these concepts may be OK for making the transition to something better, but I think it encourages defeatism, accepting to be average.)
Disclaimer: I'm about to finish a security/privacy focused social networking website that isn't exactly 'open' for the foreseeable future, but it's not feature fancy/flashy either.
Facebook was made by people still in college. I'm sure it wasn't highly secure, and probably still isn't. But we'll never know, will we?
All that's really needed here is managing the hype until the system is deployment-ready. I know it's difficult for a small team already overloaded with to-do lists to have to deal with PR as well, but this is critical to a project with a planned large social scope. They need to do all they can to keep this lying low until the resolution of all major issues that would sour the public's fickle and first-impression-is-everything opinion.
Why can't we just put our own profiles on some webspace and model this "friend" thing with something I would e.g. call "link"?
Throw in some decentralized profile hosting (think of GeoCities) with the possibility to add your friends as links in the HTML header (like Google's social graph suggests) and some simple profile-page building tools where you upload your pictures and stuff and your profile is generated automatically. For anything else (messages, groups, status updates) use WHATEVER ANYONE ELSE uses too. (Email, Newsgroups, Twitter)
Blah, keep your pants on... it's a technical preview!!! The whole point of them releasing the code and making it open source is so that people can find these bugs before it even gets close to a testing final release. This is just another case of corporate rats not understanding open source software development.
I think the headlines of news websites are being a bit too harsh. It is a pre-alpha release after all.
Wouldn't you consider making it open source and putting it out there for review, comment, and code submission to be similar to getting help from (a la Torvalds) or the FOSS equivalent of "hiring" (a la Gates) experienced programmers? You're failing to see the analogy because you're viewing it so narrowly so you can stick to your claim that good/secure programming can't come out of young people without much experience and this is being developed in a vacuum. I'm not sure of the validity of either of those suppositions.
If the developers set out to create an API, protocol, or specification, and then simultaneously released an initial implementation, this might be less of a big deal.
Take XMPP for example. It is a specification, and there are many implementations to choose from to run a Jabber server. Different languages, platforms, and features are up to the user to choose.
A well documented API, supplemented by buggy code, would be best. If you don't want to hack Ruby, implement the spec in your language of choice.
OH GOD the pre-alpha code HAS FLAWS
How long will it take for people to realized that under this all-new-super-perfect-diaspora-protocol, Facebook will still get all your data anyway, and now together with a whole new bunch of less accountable diaspora-hosting companies?
Likewise, you can run your own seeds.
Most people aren't going to want to upgrade from residential Internet service, whose TOS bans servers, to higher-priced business-class service, whose TOS allows low-bandwidth servers, just to run Diaspora.
ISPs realize that enforcing their TOS is a bad business decision when a large enough group of people are using diaspora
Which is why the ISPs would feel the need to nip Diaspora in the bud before the TOS violation that would undermine ISPs' market segmentation becomes widespread.
and freedom boxes
ISPs' response: "If you want to use your FreedomBox, feel free to upgrade to business-class service." Even if you're talking about a different FreedomBox, ISPs won't know nor care about the difference.
This is doubly so in areas where there is competition between residential ISPs.
ISPs' response: "Of course there's competition. Our service is just two orders of magnitude faster than the 0.05 Mbps that our dial-up competitors provide."
I've said it before, I'll say it again: A project named "Diaspora" will never take off. Seriously, a catchy name is ridiculously important. Yahoo, Google, Facebook, Myspace, Friendster, Digg, Reddit, Slashdot, Diaspora? One of these names is not like the others. I'm really trying hard to think of another popular website with four syllables but am coming up short. Epic fail on so many levels for this project.
It's not any dumber than two college dropouts in Cupertino building a personal computer in their garage or some lone crazy Finnish student making his own OS.
Budgets considerably larger than $200,000 have been spent on software projects written by professional programmers that don't run at all.
"issues which make it hard to recommend that you roll your own Diaspora server just yet." It's not even alpha yet people, of course there are going to be issues that would cause one not to recommend you roll your own server. Dayum.
I do not make predictions about diaspora, too early for that.
I have been surprised by the reported problems, esp. with HTML injection.
Diaspora seems to be a Rails app.
Rails, like most web frameworks, takes precautions against such injections, and IIRC even basic tutorials mention those, so an unskilled coder that RTF tutorials ought to avoid those.
So I guess they released very early and the code and protocol will have to be massaged a lot. Changing the code is trivial, the protocol is a bit more delicate. :)
It's also probably too late to use gnunet, freenet, other p2p or stuff like i2p or tahoe-lafs as an infrastructure, too. Like every other coder out there, including me, they are gonna pay for the NIH syndrome.
But ok, let's see what happens. Good luck to diaspora.
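An added example, not Diaspora's code, of the escaping the comment above refers to: plain ERB from Ruby's standard library (no Rails needed) renders a constructed user bio once unescaped, which is what `raw`/`html_safe` does in a Rails view, and once through `ERB::Util.html_escape`, the same escaping Rails applies to `<%= %>` by default; a small check then lists any element names the template itself never emits. The templates, the sample bio and the helper names are assumed for illustration.

```ruby
# Added example (not part of the Diaspora code base): HTML injection through
# an ERB template that interpolates user text unescaped, beside the escaped
# form. Only the standard library is used, so this runs without Rails.
require "erb"

# Constructed sample of a profile "bio" submitted by a user. It mixes ordinary
# text with markup; the point is to see what survives rendering.
SAMPLE_BIO = %q{Loves <b>music</b> & "quotes"; see <script>alert(1)</script>}

# Template that trusts its input. In plain ERB, <%= %> performs no escaping,
# which is equivalent to calling raw or html_safe on a string in a Rails view.
UNSAFE_TEMPLATE = ERB.new('<div class="bio"><%= bio %></div>')

# Hardened template: every interpolation goes through ERB::Util.html_escape,
# which turns & < > " ' into entities. Rails does this for <%= %> by default.
SAFE_TEMPLATE = ERB.new('<div class="bio"><%= ERB::Util.html_escape(bio) %></div>')

# Element names the template itself emits; anything else in the output must
# have arrived through interpolated data.
TEMPLATE_TAGS = %w[div].freeze

# Renders the bio without escaping (the defective pattern).
def render_unsafe(bio)
  UNSAFE_TEMPLATE.result_with_hash(bio: bio)
end

# Renders the bio with output escaping (the corrected pattern).
def render_safe(bio)
  SAFE_TEMPLATE.result_with_hash(bio: bio)
end

# Lists element names present in the rendered HTML that the template never
# writes. An empty list means no user-supplied markup reached the page as
# markup; a non-empty list is a sign of HTML injection in that view.
def foreign_tags(html)
  names = html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase)
  names.uniq - TEMPLATE_TAGS
end

if __FILE__ == $PROGRAM_NAME
  unsafe = render_unsafe(SAMPLE_BIO)
  safe = render_safe(SAMPLE_BIO)
  puts "unescaped: #{unsafe}"
  puts "  foreign tags: #{foreign_tags(unsafe).inspect}"
  puts "escaped:   #{safe}"
  puts "  foreign tags: #{foreign_tags(safe).inspect}"
end
```

The same check can be pointed at any rendered view in a test suite: the escaped rendering keeps the bio visible as text, while the unescaped one reports the injected element names.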
I'm not entirely sure, but I think the HTML injection is caused by their use of WebSockets, which uses EventMachine and then ties back into the Rails app or bypasses it and goes straight into the MongoDB. That's my basic understanding of it, if I'm wrong someone should correct me.
As for people criticizing the project, I think that it's way too early, it hasn't even hit Beta status, it's an Alpha release.
WebSockets is actually the aspect of this project that interests me the most, if they can make a "standard" social communications protocol or API that functions over WebSockets, I think that'd be the greatest outcome for the project. If it succeeds in creating that protocol, it wouldn't only kill FaceBook, but Twitter as well. Also, that would allow other developers to create other implementations in different languages(sans Rails) , user interfaces or mashups.
Either way, I watch this project with great anticipation and bated breath.
P.S. MongoDB is a NoSQL database...... HA! Now the Web 2.0 synergy in this post is complete.(Yes, I did throw in a few terms just for shits and giggles.)
Hopefully the developers will ignore many of the idiotic comments on this thread. It doesn't matter if the prototype has a few security flaws; in fact I would be surprised if it didn't. The idea is to get something out there and people playing with it, evolving it according to the feedback people give, saying what they like and what they don't like, what they would like to see, etc. There is no point shifting the focus onto security whilst it is still evolving rapidly. Eventually the feature list will stabilise and an API becomes fixed. Alternative back-ends and front-ends can then be developed in Java, Python, etc.
Patience everybody.
Phillip.
[...] Facebook, after ~5 years, has 500 million users [...]
...of which currently 14 are relevant to me. Do not mistake size for usefulness.
He didn't say that people won't set up their own servers to go to it. He said that people won't go to it. Period. Which I agree with, of course. The first thing you need to overcome a social site like Facebook is a way to interact with all the existing Facebook accounts seamlessly. The second is a way to import/invite them that's attractive enough that people will go for it.
No, wait... the first is a sensible name. The second is a way to interact...
Oh no? Are you aware that it's made with Rails? ;)