Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Concerns Paramount After Early Reviews of Diaspora Code

Posted by Soulskill on from the work-in-progress dept.

Stoobalou writes with this excerpt from Thinq.co.uk: "Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle Facebook. Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that 'we know there are security holes and bugs' in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are — issues which make it hard to recommend that you roll your own Diaspora server just yet."

16 of 206 comments (clear)

  1. This isn't necessarily a bad thing by iONiUM · · Score: 4, Insightful

    It might encourage the workers on Diaspora code to work harder for security. I mean, even if you think you have every security hole plugged, until you open that code up to the world you won't really know. So what, there are many more security bugs than expected. That's fine, delay the release a little bit and start patching.

    Unless this completely discourages them to the point that they turn emo and start lying in the dark crying, I'm pretty sure they can fix this and still release.

    1. Re:This isn't necessarily a bad thing by TheRaven64 · · Score: 5, Insightful

      Is anyone actually surprised that a bunch of Ruby developers can't write secure code?

      No, but then I wouldn't be surprised if you substituted Python, Perl, Java, or C for Ruby in that statement. The proportion of programmers who can write secure code is a relatively small proportion of the number that can write code in any language.

      That's one of the reasons why, as I said in the last story, I am more interested in the protocols than in the implementation. A set of standard protocols for social networking (ideally built on top of XMPP) would allow lots of different implementations, which would reduce the damage that could be done by a flaw in one of them.

      --
      I am TheRaven on Soylent News
    2. Re:This isn't necessarily a bad thing by Tassach · · Score: 4, Insightful

      No, but then I wouldn't be surprised if you substituted Python, Perl, Java, or C for Ruby in that statement. The proportion of programmers who can write secure code is a relatively small proportion of the number that can write code in any language.

      A great big helping of THIS. It is insanely difficult to write really secure code in any language. (Although it's harder in some than in others).

      Look at Postfix -- it was designed and written specifically with security in mind by one of the world's foremost experts on TCP/IP security, and it STILL has had security bugs. If a hacker god like Wietse Venema has security bugs in his code, what chance do mere mortals like us have of writing secure code?

      This is something that has to be tackled on multiple levels -- in library code, at the compiler, at the operating system, and even in the language itself. Modern languages have garbage collection that prevents (most) memory leak issues; we need a similar language-level mechanism to address common security issues. Perl's taint mode is a definite step in the right direction, but there needs to be more research done on language-level security features.

      Likewise, we have static and dynamic code checkers that highlight problematic code; while there are some for security, we need more/better tools in this area, and more importantly we need to teach young programmers to actually USE them, or better yet build them into the compiler so you HAVE to use them.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  2. After how long? by Sarten-X · · Score: 4, Insightful

    After a few months, a big project has bugs? Really? That's amazing! After all, Windows has been around for only 20 years and it's perfect, right?

    I think I'll reserve judgment for sometime in 2012...

    --
    You do not have a moral or legal right to do absolutely anything you want.
    1. Re:After how long? by ihatejobs · · Score: 5, Insightful

      Irrelevant. A bug is a bug, and can be fixed. So long as they actually fix the bugs instead of pushing out a release, they should do fine.

      --
      Can anyone tell me why 99% of /. users are total assclowns?
    2. Re:After how long? by Sarten-X · · Score: 5, Insightful

      Not if it's anything like every big project I've worked on.

      First, projects go through a phase of "how can we do this" where various components are mashed together with the expectation that things will work later. That's a good thing to do while gathering initial funding.

      Then they go through the phase of "we can do this" where some parts of the project work, but most is broken.

      That's followed by the "demonstration" phase, where things work under perfect circumstances. That seems to be where Diaspora is at now.

      Next is the "we can do this well" phase, where the once-connected components are split up and divided into their appropriate layers and security is locked down, now that there's a clear idea of what the security model must support.

      Finally is the "continued development" phase, where the project is stable enough that new components don't need major changes to security, and extra features can be added.

      I've had a few projects that started with the frameworks and various layers of abstraction, and they've invariably failed after many refactorings and revisions. Heck, one project I worked on was a web-based game engine, which turned into a giant security model, and finally died without a single line of actual game code written. It took eight months to fail miserably. Projects change, and requirements change. Going into a security model too early can be worse than not having one.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    3. Re:After how long? by Rival · · Score: 5, Insightful

      Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?

      Or possibly, that they are smart enough to recognize that having "something" to show possible investors (and more importantly, current investors) is worth a great deal more than a framework that can't be demonstrated.

      Don't get me wrong -- I really, *really* hope that the security model gets implemented well in Diaspora, and they don't get destracted by "ooh, shiny!" syndrome. But expecting them to go to folks who have given them money -- people who likely know even less about security than these college students -- and say, "This mystery code will work, it's really better, we just can't demonstrate it," is unreasonable.

      Prototype first, then refine. Bugs happen, just fix them and move on. It looks like they're on their way to me. If you (or others) think you can fix these bugs or fundamental flaws in their security model, talk to them. You might just find yourself a job at a potentially big startup.

  3. And that was to be expected by e065c8515d206cb0e190 · · Score: 4, Insightful

    Seriously, a bunch of kids from NYU... what did you expect?

    It's not a bad thing though, as long as people are willing to constructively collaborate on the project.

    1. Re:And that was to be expected by DJRumpy · · Score: 5, Insightful

      Am I missing something here? This is the way it should work, and the true strength of open source. Assuming they have the skillset to address the security issues found, I just don't see an issue. This isn't release level software yet, and I would expect that anyone putting up such a site based on it would publish that fact. I'm pleased that they are getting such great input on key security flaws.

    2. Re:And that was to be expected by gparent · · Score: 5, Insightful

      It's not a jab at all. It's perfectly normal for inexperienced coders to have security issues in their applications, just like you can have any other bug.

    3. Re:And that was to be expected by GreatBunzinni · · Score: 4, Insightful

      Seriously, a bunch of kids from NYU... what did you expect?

      I don't know. What do you expect from a 21-year old kid from University of Helsinki? Personally I don't believe anyone expects much from it but nowadays you have the entire IT world being carried by a pet project made by a little Finnish kid from University of Helsinki.

      Is this also the case? I don't know, really. Yet, I hope it is.

      --
      Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
  4. Good thing it's free... by metamechanical · · Score: 4, Insightful

    Okay, I have no horse in this race, as I only have a passing interest in online social networks (enough to read the article, but not enough to join one), so I am not very passionate about this news in one way or another, but...

    Isn't that why it's called pre-Alpha software?? I mean, bugs happen. In open architectures, you fix them. If this were a closed software project, you wouldn't even know about them. If there were endemic, critical flaws inherent in their underlying assumptions going into this project, then that would be news, but "oversold Alpha software contains bugs!!!" is hardly worth noting. Being free software, many eyes will ensure that the Beta version is better, presumably.

    --
    If I had a nickel for every time I had a nickel, I'd be richcursive!
  5. Re:Freetard fail by Pojut · · Score: 4, Insightful

    Something doesn't have to convince every user just to succeed. To me, Diaspora represents everything RIGHT with the FOSS community. Collaboration on software that, on its own, would never survive. However, with people working together on it, they can increase its usefulness (and increase their own skills, which by proxy would improve any future projects they worked on.) Diaspora is a grand experiment, one that I hope works out.

    I fail to see how working with people dedicating their time and knowledge can be seen as a bad thing.

    --
    Living With a Nerd
  6. Horse before cart by drewhk · · Score: 4, Insightful

    Again, a project that was way overhyped before any code became available.

  7. This shouldn't be looked upon as a 'bad thing'... by antiparadigm · · Score: 4, Insightful

    Yes, I understand that any security vulnerability is a bad thing. In that merit this is a bad thing. BUT...

    These are people fresh out of college, and haven't gotten a lot of real world experience. I, myself, am only out of college by a year and a half. The first year was spent as a sys admin, but the past 6 as a developer. They have probably heard of some types of attacks, but are unfamilier with details. Others, if they are like me, they haven't even thought of. All of this comes from being "in the trade".

    This is why Open Source is good. It can rapidly increase a programmers competency if they get constructive criticism. It sounds like they are getting plenty of that, but the article kinda makes it sound like the should know all this.

    I, for one, am glad they are doing this, and that they have decided to release some code early for review. Not only will it allow bugs to be fixed early, but it will also give them lessons for future use.

  8. Give'em A Break by Ukab+the+Great · · Score: 4, Insightful

    It's not any dumber than two college dropouts in Cupertino building a personal computer in their garage or some lone crazy finish student making his own OS.

    Budgets considerably larger than $200,000 have been spent on software projects written by professional programmers that don't run at all.