Slashdot Mirror


Security Lessons Learned From the Diaspora Launch

patio11 writes "Diaspora, the privacy-respecting OSS social network, did a code release last week. Attention immediately focused on security. In fact the code base included several severe security bugs. This post walks through the code, showing what went wrong, and what it would let an attacker do to someone who was using Diaspora." The developer who wrote the post ends with: "You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora’s banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I’d be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed."

6 of 338 comments

  1. Security by Anonymous Coward · Score: 4, Informative

    Because of course, obscurity is proper security.

  2. Alternatives to Diaspora by Anonymous Coward · Score: 5, Informative

    Here is a list of alternative open source peer-to-peer social networking software.

    Note that The Appleseed Project has existed since 2004 and is the first.

  3. Re:...huh? by bigrockpeltr · Score: 4, Informative

    The summary took the quote slightly out of context. What I understood from TFA is that they are screwed in terms of meeting their (one month?) deadline.

    The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month.

    --
    $ unzip, strip, touch, finger, grep, mount, fsck, more, yes,fsck,fsck,fsck,umount, sleep
  4. Re:WTF? by gazbo · Score: 5, Informative

    You've been taken in by Slashdot's trademark selective quoting. What was actually written was:

    The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month. You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora's banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I'd be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed.

    (my bold) So he's not actually saying anything bad at all about OSS; he's just saying that being OSS doesn't mean that they can magically gain experience (or experienced developers) and fix their entire codebase in a month. The notion that OSS development is to blame was purely down to Slashdot (or the submitter).

  5. Re:...huh? by jridley · Score: 4, Informative

    I work HfH construction once in a while. They hire professionals to do the important bits and the large stuff; excavating, pouring the foundation, wiring, plumbing, and often the finish carpentry. If you happen to have someone relatively skilled there, they may assist the pros; I've helped with all; wiring, plumbing, finish carpentry. But you don't let someone who is enthusiastic but doesn't know what they're doing do finish carpentry, they'll probably just wind up wrecking a lot of material. And if you let them do plumbing in an area where code requires copper pipe, you'll probably wind up with a mess that will take a pro 3 times longer to fix than if he'd just done it himself to start with.

    I think the latter may be the case when it comes to this project. I really, really hope this project comes together, but as a programmer I fear that if they've built this thing from the ground up without a good basic understanding of web security, the thing may have to be gutted and rewritten to get to where it needs to be.

    Lots of people can write web apps. Heck, I pretty much write web apps all day long, but I write them for intranet use, they're not accessible to the internet at large. If my stuff had to be hardened against the kind of general attack Diaspora is going to have to endure, I'd have to learn a lot more than I know now.

  6. Re:WTF? by locallyunscene · Score: 5, Informative

    Goddammit kdawson. That's it, your articles are blocked. You're the f***ing New York Post of Slashdot. Whatever merit any article you post may have you manage to completely overpower it with sensationalist editorial bias.