Slashdot Mirror


Security Concerns Paramount After Early Reviews of Diaspora Code

Stoobalou writes with this excerpt from Thinq.co.uk: "Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle Facebook. Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that 'we know there are security holes and bugs' in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are — issues which make it hard to recommend that you roll your own Diaspora server just yet."

25 of 206 comments

  1. This isn't necessarily a bad thing by iONiUM · · Score: 4, Insightful

    It might encourage the workers on Diaspora code to work harder for security. I mean, even if you think you have every security hole plugged, until you open that code up to the world you won't really know. So what, there are many more security bugs than expected. That's fine, delay the release a little bit and start patching.

    Unless this completely discourages them to the point that they turn emo and start lying in the dark crying, I'm pretty sure they can fix this and still release.

    1. Re:This isn't necessarily a bad thing by TheRaven64 · · Score: 5, Insightful

      Is anyone actually surprised that a bunch of Ruby developers can't write secure code?

      No, but then I wouldn't be surprised if you substituted Python, Perl, Java, or C for Ruby in that statement. The proportion of programmers who can write secure code is a relatively small proportion of the number that can write code in any language.

      That's one of the reasons why, as I said in the last story, I am more interested in the protocols than in the implementation. A set of standard protocols for social networking (ideally built on top of XMPP) would allow lots of different implementations, which would reduce the damage that could be done by a flaw in one of them.

      --
      I am TheRaven on Soylent News
    2. Re:This isn't necessarily a bad thing by Tassach · · Score: 4, Insightful

      No, but then I wouldn't be surprised if you substituted Python, Perl, Java, or C for Ruby in that statement. The proportion of programmers who can write secure code is a relatively small proportion of the number that can write code in any language.

      A great big helping of THIS. It is insanely difficult to write really secure code in any language. (Although it's harder in some than in others).

      Look at Postfix -- it was designed and written specifically with security in mind by one of the world's foremost experts on TCP/IP security, and it STILL has had security bugs. If a hacker god like Wietse Venema has security bugs in his code, what chance do mere mortals like us have of writing secure code?

      This is something that has to be tackled on multiple levels -- in library code, at the compiler, at the operating system, and even in the language itself. Modern languages have garbage collection that prevents (most) memory leak issues; we need a similar language-level mechanism to address common security issues. Perl's taint mode is a definite step in the right direction, but there needs to be more research done on language-level security features.

      Likewise, we have static and dynamic code checkers that highlight problematic code; while there are some for security, we need more/better tools in this area, and more importantly we need to teach young programmers to actually USE them, or better yet build them into the compiler so you HAVE to use them.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  2. Re:Freetard fail by Anonymous Coward · · Score: 5, Interesting

    Yeah, but it will be like email is now. People won't need to run their own servers. They will be able to pick from a variety of free Diaspora hosts who get their revenue from ad dollars and harvesting your data (and that of your friends, who might host their own Diaspora node at home, or on another service), and then we will be free of Facebook's horrible privacy violations, and be in a new universe of less accountable companies with even worse problems.

    I can't wait, Diaspora, here I come!

  3. After how long? by Sarten-X · · Score: 4, Insightful

    After a few months, a big project has bugs? Really? That's amazing! After all, Windows has been around for only 20 years and it's perfect, right?

    I think I'll reserve judgment for sometime in 2012...

    --
    You do not have a moral or legal right to do absolutely anything you want.
    1. Re:After how long? by truthsearch · · Score: 4, Interesting

      It looks like they've only focused on the front end so far. I was expecting an architectural prototype with a thin front end (in which case security should be baked in from the start). Instead they've only focused on the user interface, which pretty much makes this project pointless so far.

    2. Re:After how long? by EggyToast · · Score: 4, Interesting

      Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?

    3. Re:After how long? by ihatejobs · · Score: 5, Insightful

      Irrelevant. A bug is a bug, and can be fixed. So long as they actually fix the bugs instead of pushing out a release, they should do fine.

      --
      Can anyone tell me why 99% of /. users are total assclowns?
    4. Re:After how long? by Sarten-X · · Score: 5, Insightful

      Not if it's anything like every big project I've worked on.

      First, projects go through a phase of "how can we do this" where various components are mashed together with the expectation that things will work later. That's a good thing to do while gathering initial funding.

      Then they go through the phase of "we can do this" where some parts of the project work, but most is broken.

      That's followed by the "demonstration" phase, where things work under perfect circumstances. That seems to be where Diaspora is at now.

      Next is the "we can do this well" phase, where the once-connected components are split up and divided into their appropriate layers and security is locked down, now that there's a clear idea of what the security model must support.

      Finally is the "continued development" phase, where the project is stable enough that new components don't need major changes to security, and extra features can be added.

      I've had a few projects that started with the frameworks and various layers of abstraction, and they've invariably failed after many refactorings and revisions. Heck, one project I worked on was a web-based game engine, which turned into a giant security model, and finally died without a single line of actual game code written. It took eight months to fail miserably. Projects change, and requirements change. Going into a security model too early can be worse than not having one.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:After how long? by Rival · · Score: 5, Insightful

      Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?

      Or possibly, that they are smart enough to recognize that having "something" to show possible investors (and more importantly, current investors) is worth a great deal more than a framework that can't be demonstrated.

      Don't get me wrong -- I really, *really* hope that the security model gets implemented well in Diaspora, and they don't get distracted by "ooh, shiny!" syndrome. But expecting them to go to folks who have given them money -- people who likely know even less about security than these college students -- and say, "This mystery code will work, it's really better, we just can't demonstrate it," is unreasonable.

      Prototype first, then refine. Bugs happen, just fix them and move on. It looks like they're on their way to me. If you (or others) think you can fix these bugs or fundamental flaws in their security model, talk to them. You might just find yourself a job at a potentially big startup.

  4. And that was to be expected by e065c8515d206cb0e190 · · Score: 4, Insightful

    Seriously, a bunch of kids from NYU... what did you expect?

    It's not a bad thing though, as long as people are willing to constructively collaborate on the project.

    1. Re:And that was to be expected by DJRumpy · · Score: 5, Insightful

      Am I missing something here? This is the way it should work, and the true strength of open source. Assuming they have the skillset to address the security issues found, I just don't see an issue. This isn't release level software yet, and I would expect that anyone putting up such a site based on it would publish that fact. I'm pleased that they are getting such great input on key security flaws.

    2. Re:And that was to be expected by gparent · · Score: 5, Insightful

      It's not a jab at all. It's perfectly normal for inexperienced coders to have security issues in their applications, just like you can have any other bug.

    3. Re:And that was to be expected by GreatBunzinni · · Score: 4, Insightful

      Seriously, a bunch of kids from NYU... what did you expect?

      I don't know. What do you expect from a 21-year-old kid from the University of Helsinki? Personally I don't believe anyone expects much from it, but nowadays you have the entire IT world being carried by a pet project made by a little Finnish kid from the University of Helsinki.

      Is this also the case? I don't know, really. Yet, I hope it is.

      --
      Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
    4. Re:And that was to be expected by severoon · · Score: 4, Interesting

      It's too bad there's so many problems with this project...I was really looking forward to a good alternative to Facebook.

      If only there was some kind of development methodology where these issues could be discovered early on and addressed by those that do have the necessary experience...alas, I forget myself—such a thing is and shall forever remain unattainable fantasy.

      I guess we should just be glad they published the source code so the facts are out and we can all agree: the only path forward is to toss the whole idea.

      --
      but have you considered the following argument: shut up.
    5. Re:And that was to be expected by severoon · · Score: 4, Informative

      (To anyone that may have missed it, perhaps I should have included —coughcoughopensourcecough— at the end of that second paragraph.)

      --
      but have you considered the following argument: shut up.
  5. Good thing it's free... by metamechanical · · Score: 4, Insightful

    Okay, I have no horse in this race, as I only have a passing interest in online social networks (enough to read the article, but not enough to join one), so I am not very passionate about this news in one way or another, but...

    Isn't that why it's called pre-Alpha software?? I mean, bugs happen. In open architectures, you fix them. If this were a closed software project, you wouldn't even know about them. If there were endemic, critical flaws inherent in their underlying assumptions going into this project, then that would be news, but "oversold Alpha software contains bugs!!!" is hardly worth noting. Being free software, many eyes will ensure that the Beta version is better, presumably.

    --
    If I had a nickel for every time I had a nickel, I'd be richcursive!
    1. Re:Good thing it's free... by metamechanical · · Score: 4, Informative

      That's a fantastic point. I should have been more specific - what I meant was the only reason security concerns and bugs are being found out in a pre-alpha is that it is open. It is exceedingly rare that a closed piece of software releases a pre-alpha for general review (and hence, you wouldn't have ever even known about them). In more mature released closed software, though, you're right that my point holds no water.

      --
      If I had a nickel for every time I had a nickel, I'd be richcursive!
  6. Protocol, not code by ath1901 · · Score: 5, Interesting

    I'm more interested in the protocol than the code. If the protocol is vulnerable to attacks/fraud then it is a show stopper.

    If the ruby-web-stuff-code contains bugs and security holes, I'll just write my own (read: wait for someone else to do it).

    I couldn't find any relevant info about the protocol in TFA. Am I missing something?

  7. Re:Freetard fail by Pojut · · Score: 4, Insightful

    Something doesn't have to convince every user just to succeed. To me, Diaspora represents everything RIGHT with the FOSS community. Collaboration on software that, on its own, would never survive. However, with people working together on it, they can increase its usefulness (and increase their own skills, which by proxy would improve any future projects they worked on.) Diaspora is a grand experiment, one that I hope works out.

    I fail to see how working with people dedicating their time and knowledge can be seen as a bad thing.

  8. Horse before cart by drewhk · · Score: 4, Insightful

    Again, a project that was way overhyped before any code became available.

  9. Specialized servers offering ad-free accounts by tepples · · Score: 4, Informative

    Unlike Facebook, the Diaspora network is planned to have more than one server operator. Some might offer ad-free accounts to subscribers. Others might be run by a company that offers ad-free accounts to its employees, a school that offers ad-free accounts to its students (echoing the original meaning of the word "facebook"), or a church or other non-profit club that offers ad-free accounts to its members.

    1. Re:Specialized servers offering ad-free accounts by oldspewey · · Score: 4, Interesting

      But as I understand it, an end user does not necessarily have control over where their information is routed/stored. So if there are a few rogue server managers out there acting the way FB does today (selling personal info as a source of revenue) then every member of the user base will (potentially) be affected.

      Please correct me if I'm wrong, because I'd like to be wrong about this.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
  10. This shouldn't be looked upon as a 'bad thing'... by antiparadigm · · Score: 4, Insightful

    Yes, I understand that any security vulnerability is a bad thing. In that merit this is a bad thing. BUT...

    These are people fresh out of college, and haven't gotten a lot of real world experience. I, myself, am only out of college by a year and a half. The first year was spent as a sys admin, but the past 6 as a developer. They have probably heard of some types of attacks, but are unfamiliar with details. Others, if they are like me, they haven't even thought of. All of this comes from being "in the trade".

    This is why Open Source is good. It can rapidly increase a programmer's competency if they get constructive criticism. It sounds like they are getting plenty of that, but the article kinda makes it sound like they should know all this.

    I, for one, am glad they are doing this, and that they have decided to release some code early for review. Not only will it allow bugs to be fixed early, but it will also give them lessons for future use.

  11. Give'em A Break by Ukab+the+Great · · Score: 4, Insightful

    It's not any dumber than two college dropouts in Cupertino building a personal computer in their garage or some lone crazy Finnish student making his own OS.

    Budgets considerably larger than $200,000 have been spent on software projects written by professional programmers that don't run at all.