Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Lessons Learned From the Diaspora Launch

Posted by kdawson on from the off-the-rails dept.

patio11 writes "Diaspora, the privacy-respecting OSS social network, did a code release last week. Attention immediately focused on security. In fact the code base included several severe security bugs. This post walks through the code, showing what went wrong, and what it would let an attacker do to someone who was using Diaspora." The developer who wrote the post ends with: "You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora’s banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I’d be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed."

3 of 338 comments (clear)

  1. Alternatives to Diaspora by Anonymous Coward · · Score: 5, Informative

    Here is a list of alternative open source Peer-to-peer social networking softwares

    Note that The Appleseed Project has existed since 2004 and is the first.

  2. Re:WTF? by gazbo · · Score: 5, Informative
    You've been taken in by Slashdot's trademark selective quoting. What was actually written was:

    The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month. You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora's banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I'd be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed.

    (my bold) So he's not actually saying anything bad at all about OSS; he's just saying that being OSS doesn't mean that they can magically gain experience (or experienced developers) and fix their entire codebase in a month. The notion that OSS development is to blame was purely down to Slashdot (or the submitter).

  3. Re:WTF? by locallyunscene · · Score: 5, Informative

    Goddammit kdawson. That's it, your articles are blocked. You're the f***ing New York Post of Slashdot. Whatever merit any article you post may have you manage to completely overpower it with sensationalist editorial bias.