Slashdot Mirror


Security Concerns Paramount After Early Reviews of Diaspora Code

Stoobalou writes with this excerpt from Thinq.co.uk: "Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle Facebook. Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that 'we know there are security holes and bugs' in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are — issues which make it hard to recommend that you roll your own Diaspora server just yet."

6 of 206 comments

  1. Re:Freetard fail by Anonymous Coward · Score: 5, Interesting

    Yeah, but it will be like email is now. People won't need to run their own servers. They will be able to pick from a variety of free Diaspora hosts who get their revenue from ad dollars and harvesting your data (and that of your friends, who might host their own Diaspora node at home, or on another service), and then we will be free of Facebook's horrible privacy violations, and be in a new universe of less accountable companies with even worse problems.

    I can't wait, Diaspora, here I come!

  2. Protocol, not code by ath1901 · Score: 5, Interesting

    I'm more interested in the protocol than the code. If the protocol is vulnerable to attacks/fraud then it is a show stopper.

    If the ruby-web-stuff-code contains bugs and security holes, I'll just write my own (read: wait for someone else to do it).

    I couldn't find any relevant info about the protocol in TFA. Am I missing something?

  3. Re:After how long? by truthsearch · Score: 4, Interesting

    It looks like they've only focused on the front end so far. I was expecting an architectural prototype with a thin front end (in which case security should be baked in from the start). Instead they've only focused on the user interface, which pretty much makes this project pointless so far.

  4. Re:Specialized servers offering ad-free accounts by oldspewey · Score: 4, Interesting

    But as I understand it, an end user does not necessarily have control over where their information is routed/stored. So if there are a few rogue server managers out there acting the way FB does today (selling personal info as a source of revenue) then every member of the user base will (potentially) be affected.

    Please correct me if I'm wrong, because I'd like to be wrong about this.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?

  5. Re:After how long? by EggyToast · Score: 4, Interesting

    Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?

  6. Re:And that was to be expected by severoon · Score: 4, Interesting

    It's too bad there's so many problems with this project...I was really looking forward to a good alternative to Facebook.

    If only there was some kind of development methodology where these issues could be discovered early on and addressed by those that do have the necessary experience...alas, I forget myself—such a thing is and shall forever remain unattainable fantasy.

    I guess we should just be glad they published the source code so the facts are out and we can all agree: the only path forward is to toss the whole idea.

    --
    but have you considered the following argument: shut up.