Security Lessons Learned From the Diaspora Launch
patio11 writes "Diaspora, the privacy-respecting OSS social network, did a code release last week. Attention immediately focused on security. In fact the code base included several severe security bugs. This post walks through the code, showing what went wrong, and what it would let an attacker do to someone who was using Diaspora." The developer who wrote the post ends with: "You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora’s banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I’d be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed."
Because of course, obscurity is proper security.
Isn't that a bit like saying "if getting this building completed is dependent on volunteer construction workers, we're screwed"?
FTFY
All the Diaspora hate coming from this PRE-ALPHA release of their source code seems so strangely out of place.
I mean, nothing seems to point to me that this is shill garbage coming from facebook, but the conceptual idea of Diaspora is sound and the code was released for the precise reason of improving it, as it has done. Yet all I've heard is some disproportionate vitriol against the project. It doesn't make sense.
And hell, the majority of the security issues found appear to be rather simple to fix. Just add authorization checks and use mongoDB stored procedures more frequently.
Unfortunately, the existence of code-fixing faeries was disproven by Wirth in 1972. Code fixes are actually implemented by a type of cobbler elf.
Here is a list of alternative open source peer-to-peer social networking software
Note that The Appleseed Project has existed since 2004 and is the first.
The summary took the quote slightly out of context. What I understood from TFA is that they are screwed in terms of meeting their (one month?) deadline.
The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month.
$ unzip, strip, touch, finger, grep, mount, fsck, more, yes,fsck,fsck,fsck,umount, sleep
(my bold) So he's not actually saying anything bad at all about OSS; he's just saying that being OSS doesn't mean that they can magically gain experience (or experienced developers) and fix their entire codebase in a month. The notion that OSS development is to blame was purely down to Slashdot (or the submitter).
I work HfH construction once in a while. They hire professionals to do the important bits and the large stuff: excavating, pouring the foundation, wiring, plumbing, and often the finish carpentry. If you happen to have someone relatively skilled there, they may assist the pros; I've helped with all of them: wiring, plumbing, finish carpentry. But you don't let someone who is enthusiastic but doesn't know what they're doing do finish carpentry; they'll probably just wind up wrecking a lot of material. And if you let them do plumbing in an area where code requires copper pipe, you'll probably wind up with a mess that will take a pro 3 times longer to fix than if he'd just done it himself to start with.
I think the latter may be the case when it comes to this project. I really, really hope this project comes together, but as a programmer I fear that if they've built this thing from the ground up without a good basic understanding of web security, the thing may have to be gutted and rewritten to get to where it needs to be.
Lots of people can write web apps. Heck, I pretty much write web apps all day long, but I write them for intranet use, they're not accessible to the internet at large. If my stuff had to be hardened against the kind of general attack Diaspora is going to have to endure, I'd have to learn a lot more than I know now.
However, the critical components (foundation, electrical, plumbing, etc.) are done by professionals.
It is a great example because those professionals are quite often working on volunteer time themselves. Just like how a lot of OSS projects are contributed to by amateurs and students, but often the deeper, more advanced work is done by professional coders and designers.
You are right to a point.
The way I see it, the real problem is not that Diaspora has bugs; the problem is that it has fundamental bugs, bugs so fundamental that they question authors' understanding of the framework they're working with. It's bugs that shouldn't have been there at all.
Not verifying whether or not a user has the rights to edit an object is something pretty fundamental in my book.
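The bug class described above, as an added example that is not Diaspora's code: a plain-Ruby stand-in for a Rails update action, with the lookup-by-id-only pattern beside the owner-scoped lookup (the `current_user.posts.find(id)` idiom) that closes the hole. The `User`/`Post` structs and sample data are constructed for the example.

```ruby
# Added example, not from the Diaspora code base: two versions of an
# "edit a post" action over an in-memory store, showing why a missing
# authorization check lets any logged-in user edit anyone's object.

User = Struct.new(:id, :name)
Post = Struct.new(:id, :owner_id, :body)

class NotFound < StandardError; end

# Constructed sample data standing in for the database; a fresh copy per call
# so callers can exercise both versions independently.
def sample_posts
  { 10 => Post.new(10, 1, "alice's original text") }
end

# Insecure pattern: the record is fetched by id alone. Nothing ties the post
# to the user making the request, so supplying someone else's id is enough.
def update_post_insecure(posts, current_user, post_id, new_body)
  post = posts.fetch(post_id) { raise NotFound }
  post.body = new_body
  post
end

# Hardened pattern: the lookup is scoped to the current user's own records,
# mirroring `current_user.posts.find(id)` in Rails. A post the caller does not
# own is indistinguishable from one that does not exist, which also avoids
# leaking whether a given id is in use.
def update_post_scoped(posts, current_user, post_id, new_body)
  post = posts[post_id]
  raise NotFound unless post && post.owner_id == current_user.id
  post.body = new_body
  post
end
```

In a real Rails controller the same fix is one line: replace `Post.find(params[:id])` with a lookup scoped through the authenticated user, and let the resulting `RecordNotFound` map to a 404.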
Those services from professionals are almost always paid for, not volunteered.
[Citation needed]. My uncle worked on a HFH home as an electrician and he was not paid for his time.
Goddammit kdawson. That's it, your articles are blocked. You're the f***ing New York Post of Slashdot. Whatever merit any article you post may have you manage to completely overpower it with sensationalist editorial bias.
"Security through hubris," which refers to the hawkers (selling security that ain't) of proprietary software and gawkers (buying security that ain't) with brand-pride. "Security through hubris" doesn't refer to closed source code, and it doesn't refer to not disclosing known flaws. It refers, exclusively, to things that AC may have been referring to, like 'no one will ever be able to find the security flaws, no one will ever know about or use open port 6424 for cracking, and/or no one will ever know enough about the software to call any unpublished black back-doors (any access/function available)'.
DAMN, I think, maybe we know what AC was trying to say ...?
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Hmm. Diaspora specifically launched early, with an emphasis on the fact that it's a first step, and NOT a complete production ready system. Hell, in their press release they declared that they have security holes. Surprise surprise, they weren't lying. OMG, call the press. Again.