Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Concerns Paramount After Early Reviews of Diaspora Code

Posted by Soulskill on from the work-in-progress dept.

Stoobalou writes with this excerpt from Thinq.co.uk: "Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle Facebook. Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that 'we know there are security holes and bugs' in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are — issues which make it hard to recommend that you roll your own Diaspora server just yet."

36 of 206 comments (clear)

  1. This isn't necessarily a bad thing by iONiUM · · Score: 4, Insightful

    It might encourage the workers on Diaspora code to work harder for security. I mean, even if you think you have every security hole plugged, until you open that code up to the world you won't really know. So what, there are many more security bugs than expected. That's fine, delay the release a little bit and start patching.

    Unless this completely discourages them to the point that they turn emo and start lying in the dark crying, I'm pretty sure they can fix this and still release.

    1. Re:This isn't necessarily a bad thing by TheRaven64 · · Score: 5, Insightful

      Is anyone actually surprised that a bunch of Ruby developers can't write secure code?

      No, but then I wouldn't be surprised if you substituted Python, Perl, Java, or C for Ruby in that statement. The proportion of programmers who can write secure code is a relatively small proportion of the number that can write code in any language.

      That's one of the reasons why, as I said in the last story, I am more interested in the protocols than in the implementation. A set of standard protocols for social networking (ideally built on top of XMPP) would allow lots of different implementations, which would reduce the damage that could be done by a flaw in one of them.

      --
      I am TheRaven on Soylent News
    2. Re:This isn't necessarily a bad thing by Tassach · · Score: 4, Insightful

      No, but then I wouldn't be surprised if you substituted Python, Perl, Java, or C for Ruby in that statement. The proportion of programmers who can write secure code is a relatively small proportion of the number that can write code in any language.

      A great big helping of THIS. It is insanely difficult to write really secure code in any language. (Although it's harder in some than in others).

      Look at Postfix -- it was designed and written specifically with security in mind by one of the world's foremost experts on TCP/IP security, and it STILL has had security bugs. If a hacker god like Wietse Venema has security bugs in his code, what chance do mere mortals like us have of writing secure code?

      This is something that has to be tackled on multiple levels -- in library code, at the compiler, at the operating system, and even in the language itself. Modern languages have garbage collection that prevents (most) memory leak issues; we need a similar language-level mechanism to address common security issues. Perl's taint mode is a definite step in the right direction, but there needs to be more research done on language-level security features.

      Likewise, we have static and dynamic code checkers that highlight problematic code; while there are some for security, we need more/better tools in this area, and more importantly we need to teach young programmers to actually USE them, or better yet build them into the compiler so you HAVE to use them.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  2. Re:Freetard fail by Anonymous Coward · · Score: 5, Interesting

    Yeah, but it will be like email is now. People won't need to run their own servers. They will be able to pick from a variety of free diaspora hosts who get their revenue from ad dollars and harvesting your data (and that of your friends, who might host their own diaspora node at home, or on another service), and then we will be free of facebook's horrible privacy violations, and be in a new universe of less accountable companies with even worse problems.

    I can't wait, diaspora, here I come!

  3. After how long? by Sarten-X · · Score: 4, Insightful

    After a few months, a big project has bugs? Really? That's amazing! After all, Windows has been around for only 20 years and it's perfect, right?

    I think I'll reserve judgment for sometime in 2012...

    --
    You do not have a moral or legal right to do absolutely anything you want.
    1. Re:After how long? by truthsearch · · Score: 4, Interesting

      It looks like they've only focused on the front end so far. I was expecting an architectural prototype with a thin front end (in which case security should be baked in from the start). Instead they've only focused on the user interface, which pretty much makes this project pointless so far.

      --
      Developers: We can use your help.
    2. Re:After how long? by EggyToast · · Score: 4, Interesting

      Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?

    3. Re:After how long? by ihatejobs · · Score: 5, Insightful

      Irrelevant. A bug is a bug, and can be fixed. So long as they actually fix the bugs instead of pushing out a release, they should do fine.

      --
      Can anyone tell me why 99% of /. users are total assclowns?
    4. Re:After how long? by Sarten-X · · Score: 5, Insightful

      Not if it's anything like every big project I've worked on.

      First, projects go through a phase of "how can we do this" where various components are mashed together with the expectation that things will work later. That's a good thing to do while gathering initial funding.

      Then they go through the phase of "we can do this" where some parts of the project work, but most is broken.

      That's followed by the "demonstration" phase, where things work under perfect circumstances. That seems to be where Diaspora is at now.

      Next is the "we can do this well" phase, where the once-connected components are split up and divided into their appropriate layers and security is locked down, now that there's a clear idea of what the security model must support.

      Finally is the "continued development" phase, where the project is stable enough that new components don't need major changes to security, and extra features can be added.

      I've had a few projects that started with the frameworks and various layers of abstraction, and they've invariably failed after many refactorings and revisions. Heck, one project I worked on was a web-based game engine, which turned into a giant security model, and finally died without a single line of actual game code written. It took eight months to fail miserably. Projects change, and requirements change. Going into a security model too early can be worse than not having one.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:After how long? by Posting=!Working · · Score: 3, Funny

      Yeah, students with no real-world big project experience should all just get jobs with large companies and stop trying to be innovative until they've spent a few years updating comments and doing bugfixes in other people's code.

      After all, no one has ever gotten ahead in computers by jumping into a huge project they had no experience in while they were young. They need to wait until they're in their 40's so they have enough experience and then start a small project.

      Security problems in pre-Alpha code? The whole project is obviously a failure and should be abandoned. What idiots they are for trying!

      --
      This sentence no verb.
    6. Re:After how long? by Rival · · Score: 5, Insightful

      Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?

      Or possibly, that they are smart enough to recognize that having "something" to show possible investors (and more importantly, current investors) is worth a great deal more than a framework that can't be demonstrated.

      Don't get me wrong -- I really, *really* hope that the security model gets implemented well in Diaspora, and they don't get destracted by "ooh, shiny!" syndrome. But expecting them to go to folks who have given them money -- people who likely know even less about security than these college students -- and say, "This mystery code will work, it's really better, we just can't demonstrate it," is unreasonable.

      Prototype first, then refine. Bugs happen, just fix them and move on. It looks like they're on their way to me. If you (or others) think you can fix these bugs or fundamental flaws in their security model, talk to them. You might just find yourself a job at a potentially big startup.

  4. And that was to be expected by e065c8515d206cb0e190 · · Score: 4, Insightful

    Seriously, a bunch of kids from NYU... what did you expect?

    It's not a bad thing though, as long as people are willing to constructively collaborate on the project.

    1. Re:And that was to be expected by DJRumpy · · Score: 5, Insightful

      Am I missing something here? This is the way it should work, and the true strength of open source. Assuming they have the skillset to address the security issues found, I just don't see an issue. This isn't release level software yet, and I would expect that anyone putting up such a site based on it would publish that fact. I'm pleased that they are getting such great input on key security flaws.

    2. Re:And that was to be expected by yincrash · · Score: 3, Insightful

      Just because software is open source does not mean it is easily modified. In many cases, it could be easier to rewrite it from scratch to do the same thing than to modify existing code that is terrible.

    3. Re:And that was to be expected by gparent · · Score: 5, Insightful

      It's not a jab at all. It's perfectly normal for inexperienced coders to have security issues in their applications, just like you can have any other bug.

    4. Re:And that was to be expected by GreatBunzinni · · Score: 4, Insightful

      Seriously, a bunch of kids from NYU... what did you expect?

      I don't know. What do you expect from a 21-year old kid from University of Helsinki? Personally I don't believe anyone expects much from it but nowadays you have the entire IT world being carried by a pet project made by a little Finnish kid from University of Helsinki.

      Is this also the case? I don't know, really. Yet, I hope it is.

      --
      Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
    5. Re:And that was to be expected by severoon · · Score: 4, Interesting

      It's too bad there's so many problems with this project...I was really looking forward to a good alternative to Facebook.

      If only there was some kind of development methodology where these issues could be discovered early on and addressed by those that do have the necessary experience...alas, I forget myself—such a thing is and shall forever remain unattainable fantasy.

      I guess we should just be glad they published the source code so the facts are out and we can all agree: the only path forward is to toss the whole idea.

      --
      but have you considered the following argument: shut up.
    6. Re:And that was to be expected by Subm · · Score: 3, Insightful

      I don't know. What do you expect from a 21-year old kid from University of Helsinki? Personally I don't believe anyone expects much from it but nowadays you have the entire IT world being carried by a pet project made by a little Finnish kid from University of Helsinki.

      Is this also the case? I don't know, really. Yet, I hope it is.

      You know, there was a bit of code there before Linus started. Linus's pet project was one of many many people's pet projects.

      Sometimes I question calling the operating system GNU/Linux, but when people imply Linus wrote the entire OS, I see why people press for the recognition to everyone who contributed all the free code.

    7. Re:And that was to be expected by severoon · · Score: 4, Informative

      (To anyone that may have missed it, perhaps I should have included —coughcoughopensourcecough— at the end of that second paragraph.)

      --
      but have you considered the following argument: shut up.
  5. Good thing it's free... by metamechanical · · Score: 4, Insightful

    Okay, I have no horse in this race, as I only have a passing interest in online social networks (enough to read the article, but not enough to join one), so I am not very passionate about this news in one way or another, but...

    Isn't that why it's called pre-Alpha software?? I mean, bugs happen. In open architectures, you fix them. If this were a closed software project, you wouldn't even know about them. If there were endemic, critical flaws inherent in their underlying assumptions going into this project, then that would be news, but "oversold Alpha software contains bugs!!!" is hardly worth noting. Being free software, many eyes will ensure that the Beta version is better, presumably.

    --
    If I had a nickel for every time I had a nickel, I'd be richcursive!
    1. Re:Good thing it's free... by metamechanical · · Score: 4, Informative

      That's a fantastic point. I should have been more specific - what I meant was the only reason security concerns and bugs are being found out in a pre-alpha is that it is open. It is exceedingly rare that a closed piece of software releases up a pre-alpha for general review (and hence, you wouldn't have ever even known about them). In more mature released closed software, though, you're right that my point holds no water.

      --
      If I had a nickel for every time I had a nickel, I'd be richcursive!
    2. Re:Good thing it's free... by Monchanger · · Score: 3, Insightful

      If you expected to be rolling your own diaspora server right now, then you really didn't understand what was going on

      Exactly. Like much of the dumbed-down "news" we're subjected to, this is just a little more sensational nonsense.

      Breaking news! Infants can't grasp quantum physics. Are they stupid? You decide!

      The little coverage I've seen sticks strictly to usability ("aspects" and this very early revision of the UI) . If that's all they built, I wouldn't bother criticizing the more difficult areas of security, scalability and reliability (that's not to say one shouldn't report bugs). Since hearing of the project I've assumed that these problems may be something these kids are looking for others to pitch in. Releasing the code isn't a bad way to get other people to start working, and as we've seen that actually worked out well, significantly multiplying the number of contributors to the project.

      Diaspora, done right, is not a weekend project. Doesn't help that these naysayers are too immature to seek positive reinforcement.

  6. Protocol, not code by ath1901 · · Score: 5, Interesting

    I'm more interested in the protocol than the code. If the protocol is vulnerable to attacks/fraud then it is a show stopper.

    If the ruby-web-stuff-code contains bugs and security holes, I'll just write my own (read: wait for someone else to do it).

    I couldn't find any relevant info about the protocol in TFA. Am I missing something?

  7. Diaspora marketing by jdfox · · Score: 3, Insightful

    I don't understand why Diaspora has had saturation coverage in the mainstream press (and pretty heavy coverage here, for that matter) before it even went alpha, but identi.ca gets so little.

  8. Re:Freetard fail by Pojut · · Score: 4, Insightful

    Something doesn't have to convince every user just to succeed. To me, Diaspora represents everything RIGHT with the FOSS community. Collaboration on software that, on its own, would never survive. However, with people working together on it, they can increase its usefulness (and increase their own skills, which by proxy would improve any future projects they worked on.) Diaspora is a grand experiment, one that I hope works out.

    I fail to see how working with people dedicating their time and knowledge can be seen as a bad thing.

    --
    Living With a Nerd
  9. Horse before cart by drewhk · · Score: 4, Insightful

    Again, a project that was way overhyped before any code became available.

  10. Specialized servers offering ad-free accounts by tepples · · Score: 4, Informative

    Unlike Facebook, the Diaspora network is planned to have more than one server operator. Some might offer ad-free accounts to subscribers. Others might be run by a company that offers ad-free accounts to its employees, a school that offers ad-free accounts to its students (echoing the original meaning of the word "facebook"), or a church or other non-profit club that offers ad-free accounts to its members.

    1. Re:Specialized servers offering ad-free accounts by oldspewey · · Score: 4, Interesting

      But as I understand it, an end user does not necessarily have control over where their information is routed/stored. So if there are a few rogue server managers out there acting the way FB does today (selling personal info as a source of revenue) then every member of the user base will (potentially) be affected.

      Please correct me if I'm wrong, because I'd like to be wrong about this.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    2. Re:Specialized servers offering ad-free accounts by koiransuklaa · · Score: 3, Insightful

      All actual data like messages is (supposed to be) encrypted. So the rogue seed can see your network or parts of it but should not get anything else.

      My understanding is from a quick glance, it would be awesome if the developers would document things a bit more and lay out the design and roadmaps properly.

  11. This shouldn't be looked upon as a 'bad thing'... by antiparadigm · · Score: 4, Insightful

    Yes, I understand that any security vulnerability is a bad thing. In that merit this is a bad thing. BUT...

    These are people fresh out of college, and haven't gotten a lot of real world experience. I, myself, am only out of college by a year and a half. The first year was spent as a sys admin, but the past 6 as a developer. They have probably heard of some types of attacks, but are unfamilier with details. Others, if they are like me, they haven't even thought of. All of this comes from being "in the trade".

    This is why Open Source is good. It can rapidly increase a programmers competency if they get constructive criticism. It sounds like they are getting plenty of that, but the article kinda makes it sound like the should know all this.

    I, for one, am glad they are doing this, and that they have decided to release some code early for review. Not only will it allow bugs to be fixed early, but it will also give them lessons for future use.

  12. Re:This shouldn't be looked upon as a 'bad thing'. by antiparadigm · · Score: 3, Insightful

    My point is, then obviously new they were inexperienced and that the code would have numerous problems. That's why the article said only the die-hard fans with blinders on would try to set this up and be subject to the security holes.

    What I'm trying to say in my post is that since they knew there were problems, they went ahead and released the code so others can look. This is one of the great strengths of open source. If you know you have problems in your code, you can release it and have others look over it and provide insights into what you are or are not doing correctly.

    Should inexperienced people be trusted to create a highly secure network protocol and implementation? No. Not even remotely. BUTThey took it upon themselves to get the process started. Once they felt they had something worth others looking at, they released the code, and professionals with more experience provided feedback.

  13. Call me old-fashioned... by pedantic+bore · · Score: 3, Insightful

    ... but after skimming through the code, I'm not terribly surprised to hear that it has issues, because there are virtually no comments or design docs.

    Each one of the coders probably thinks the other coders are responsible for security, because it's nobody knows exactly what the other modules actually do. It's not written down anywhere.

    To be fair, this isn't the only system I've seen like this... and kudos to the team for sticking their code out where everyone can see it. I'm sure that there are similar problems in many widely-used systems, but since they're closed source, we can only guess about the details.

    --
    Am I part of the core demographic for Swedish Fish?
  14. But how does it compare with the alternatives? by Linux_ho · · Score: 3, Funny

    The release of pre-alpha source code for their Diaspora social Website was only a few hours old on Wednesday when hackers began identifying flaws they said could seriously compromise the security of those who used it. Among other things, the mistakes make it possible to hijack accounts, friend users without their permission, and delete their photos.

    "The bottom line is currently there is nothing that you cannot do to someone's Diaspora account, absolutely nothing," said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.

    So in other words, yes, it's a little bit worse than Facebook at this point.

    --
    include $sig;
    1;
  15. Why Would You "Roll" off a Developer Release??? by ideonexus · · Score: 3, Insightful

    "...issues that make it hard to recommend that you roll your own Diaspora server just yet."

    Umm... Am I missing something here? Why would you set up your own Diaspora server using a Developer's Release? It's in development, as in not ready for prime time yet. There might be too many security issues for it to go live in October, as is scheduled, but if the open source community gets behind the project, that could easily be overcome.

    Unfortunately, this seems to be the catch-22 of many open source start-ups: You need outside developers to help you work out the bugs in your software, but when you publish your development software, everyone beats you up for all the bugs they find in it.

    Stop criticizing and start coding.

    --
    i ~ Celebrating Science, Cyberspace, Speculation
  16. Summary of article and comments by Posting=!Working · · Score: 3, Insightful

    Article - A Pre-alpha release of the User Interface has security holes. For some reason this surprises people, and those who do know better are acting shocked, despite the fact that compiling "#include " by itself can be considered a pre-alpha release and that they have no idea about the project path.

    Comments - Since I wouldn't have started with the user interface, this project is a failure. Stupid kids with no real-world large project experience can't do anything. The money they raised is completely wasted, even though we've no idea how much of that they've actually spent, with 4 programmers living in NYC working on this, they must have spent the $200,000 on gold plated Ferraris. They are not following my formula for creating large successful social networks (my current success rate: 0/0), therefore it is worthless. Trying is the first step towards failure.

    Remind me never to show a work in progress on Slashdot.

    --
    This sentence no verb.
  17. Give'em A Break by Ukab+the+Great · · Score: 4, Insightful

    It's not any dumber than two college dropouts in Cupertino building a personal computer in their garage or some lone crazy finish student making his own OS.

    Budgets considerably larger than $200,000 have been spent on software projects written by professional programmers that don't run at all.