Slashdot Mirror
Security Lessons Learned From the Diaspora Launch
patio11 writes "Diaspora, the privacy-respecting OSS social network, did a code release last week. Attention immediately focused on security. In fact the code base included several severe security bugs. This post walks through the code, showing what went wrong, and what it would let an attacker do to someone who was using Diaspora." The developer who wrote the post ends with: "You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora’s banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I’d be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed."
Because of course, obscurity is proper security.
Because if Diaspora is dependent on the OSS community their users are screwed.
Isn't that a bit like saying "if getting this building completed is dependent on construction workers, we're screwed"? Why would you make such a disparaging remark about the very people that will be keeping this thing going?
Living With a Nerd
Um, and if closed-source project were to receive the same level of public scrutiny, the users would be any less screwed?
All the Diaspora hate coming from this PRE-ALPHA release of their source code seems so strangely out of place.
I mean, nothing seems to point to me that this is shill garbage coming from facebook, but the conceptual idea of Diaspora is sound and the code was released for the precise reason of improving it, as it has done. Yet all I've heard is some disproportionate vitriol against the project. It doesn't make sense.
And hell, the majority of the security issues found appear to be rather simple to fix. Just add authorization checks and use mongoDB stored procedures more frequently.
Unfortunately, the existance of code-fixing faeries was disproven by Wirth in 1972. Code fixes are actually implemented by type of cobbler elf.
Here is a list of alternative open source Peer-to-peer social networking softwares
Note that The Appleseed Project has existed since 2004 and is the first.
if Diaspora is dependent on the OSS community their users are screwed.
If it wasn't for the OSS community, everybody would believe they've released a safe program. Thanks to OSS, we now know that installing it is not the best decision yet.
I'd say the users would be screwed if diaspora was not open source. Linus Law once again.
I was not surprised to find out that the author sells proprietary software. I think that maybe, just maybe he's biased against FLOSS?
In soviet russia the government regulates the companies.
The editor forgot to mention that the post didn't actually end with what he claims it did, making out the writer to hate diaspora, the post actually ended with:
Include here the disclaimer that I like OSS, think the Diaspora team is really cool, and don’t mean to crush their spirits when I say that their code is unprofessional and not ready to be exposed to dedicated attackers any time soon.
He was doing exactly what OSS is for, reading the code, finding the bugs, and informing the developers so they can be fixed, he's only being vilified because the summary is written that way.
Orwell was an optimist.
it didn't "launch". as i understand it, they released some kind of alpha. I know i've worked for many managers who have this weird idea that software should be perfect before it's even done, but i didn't expect so many people in this community to hold that ideal.
I think the point they are trying to make (and perhaps badly) is that anytime you have to rely on volunteers you have the potential to get bit in the ass. Any volunteer organization or group has this problem, it's not just open source. Churches, after school groups, the Elks, etc. When volunteers are the main way you expect to get support, you are at their whim. This week people are busy, so no one shows up, or the kids have a soccer game, or some new more exciting group has their interest so you lose a few people.
I don't think the idea is that the open source community is going to screw people, but that the idea of expecting volunteers to always be plentiful and useful is a good way to cause yourself problems.
I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
I mean, nothing seems to point to me that this is shill garbage coming from facebook, but the conceptual idea of Diaspora is sound and the code was released for the precise reason of improving it, as it has done ...
Okay well, sometimes I look at code and I think "good start" and then sometimes I feel like Simon Cowell ... and ask them to start over. So to determine where I stand with the Diaspora code, allow me to quote the article:
This basic pattern was repeated several times in Diaspora’s code base: security-sensitive actions on the server used the params hash to identify pieces of data they were to operate on, without checking that the logged in user was actually authorized to view or operate on that data. For example, if you were logged in to a Diaspora seed and knew the ID of any photo on the server, changing the URL of any destroy action from the ID of a photo you own to an ID of any other photo would let you delete that second photo. Rails makes exploits like this child’s play, since URLs to actions are trivially easy to guess and object IDs “leak” all over the place. Do not assume than an object ID is private.
Okay, I taught myself how to use the rails framework and code Ruby. And one of the things I was amazed at was the Rails magic. Because of how powerful it can be (both good and bad). Yes, it helps you prototype but it's errors like these that make me pause and reconsider if the person coding Ruby on Rails really understands how the framework is attempting to assist them. Obviously if you allow any user to enter any ID of a record in their URL for any CRUD action ... you aren't really understanding what those routes are trying to do for you. And you're a danger to your users.
While I could quickly remedy the above problem for the Diaspora team by improving the authentication and authorization code checks, it might be better to just start over. Now, I've devoted none of my time to the concept of liberating social network users and for that I thank the Diaspora team. This blog posting -- if true -- sure is a vote of no confidence for their capabilities of developing a realistic system. Can they improve? Certainly. But if you're making errors like that, you might be better off letting someone else take a stab at this. It's a harsh thing to say but you don't understand the tool you're using to prototype if you're even starting at this point.
I wish them the best of luck and I hope the community reaches out to them. But I'm not interested in recoding everything. I'd sooner simply start my own project.
My work here is dung.
Someone wrote a blog post to point out some security issues that need fixing in the pre-Alpha version of Diaspora, and here you are using his words for pointless sensationalism that undermines the work of the Diaspora team and propagates the "Diaspora is shite" gossip that will most certainly haunt the project even after the code has hit Beta. Shameful.
If you want to do something useful, then instead of repeating how doomed the project is, ask for people to join them (I think we have some capable individuals around here) and help out.
And no, I'm not affiliated with Diaspora, I'm just annoyed by what this sort of news reporting.
I don't really understand what's wrong with this blog author, this "Patrick" fellow. Diaspora is git-release of a pre-alpha. It's essentially proof-of-concept which was released so we can have a look at it and contribute. The author's "if this is OSS, we're screwed" assertion apparently ignores the fact that Chromium, Mozilla, Linux, and dozens of other open source projects work perfectly fine. Additionally, the "their code is unprofessional" accusation is simply wrong-headed. It was never intended to be "professional", so there's no way for it to be "unprofessional". It's a foundation released to the public that other people can build on.
As for all this worry about zero-day holes...every piece of software has them. If you think that these kids aren't professional because they can't make a perfect, idealized, secure pre-alpha, then you're riding the slopes of a Nirvana fallacy. The entire reason it was open-sourced was to allow researchers the opportunity to improve the code INSTEAD of going public in order to gain visits to their arrogant blog posts and acting like there's some huge problem not covered by the disclaimer. OOPS SORRY IS THAT TOO CLOSE TO HOME, PATRICK? I have never seen more arrogant douchebaggery in a security blog post. This "these are errors that shouldn't be present in any code!" bullshit is a result of Patrick and his circlejerk buds building the project up in their own heads, then being disappointed when the pre-alpha wasn't a facebook-killer.
Yes it has errors. But the very fact that it's 1) open source, and 2) being debugged even by douches such as Patrick, means that the whole "OSS Diaspora" concept ACTUALLY WORKS IN PRACTICE.
I think the reason behind all the bile being tossed at Diaspora is probably because of the hype attached to the project and people not realizing that a pre-alpha release isn't the same thing as a finished product at all. They just see "...Diaspora...released..." and jump to the wrong conclusion, not realizing that it isn't the final version. I'm eager to see where Diaspora goes once it's cleaned up.
My problem with their efforts is they used Ruby. Which might be really nice and all, but not that many people use it. Thus it is really hard to find people who understand it well enough to help them work on the code and or just check the code for bugs.
New things are always on the horizon
Read the authors blog just a bit, I am not really sure the guy even wrote this article he may have had it commissioned. The author is a crapware distributor and this article is nothing more
than a attempt at driving traffic to his site which worked. Now his claim to fame is some "bingo card printing software for teachers".
A few minutes with a compiler and a few dictionary files will show him exactly what "Open Source" is good for. I could really care less about what he wrote but if I was pissed about it there would be a new open source bingo card printing software package released within the next two hours.
Got Code?
it didn't "launch". as i understand it, they released some kind of alpha. I know i've worked for many managers who have this weird idea that software should be perfect before it's even done, but i didn't expect so many people in this community to hold that ideal.
There is a difference between perfect and free of fundamental errors in numbers so large that their correction became problematic if not resource-infeasible. There seem to be engineers who failed to understand this particular tenet (usually blaming managers as the ones who "never get it".)
A former employer of mine had a team build a proof of concept for a large and critical piece of software, on which much of the business would rely. The team worked for several months and produced a functioning proof of concept, which they demonstrated to the management. Management took a good look and said, "Great, install it, and support it."
Within a few more months almost all of the team had resigned in frustration.
As far as I know, that proof of concept is still in place, with teams of people dedicated to keeping it duct taped enough to keep staggering on.
The real, serious, carefully constructed and tested software never got built.
Somehow, I doubt this is a unique tale.
Moral of the story: start it the way you intend to keep on.
WALSTIB!
There was no "launch", this was an alpha code release. Alpha code often has bugs, sometimes major. They even called it a "Developer Release". So I don't understand the uproar about *gasp* bugs in alpha code! If they had branded it beta code then I'd be more concerned with fundamental bugs, but even the developers said it had security bugs when they released it:
http://www.joindiaspora.com/2010/09/15/developer-release.html
Feel free to try to get it running on your machines and use it, but we give no guarantees. We know there are security holes and bugs, and your data is not yet fully exportable. If you do find something, be sure to log it in our bugtracker, and we would love screenshots and browser info.
Security is part of the design, not the implementation.
Most developers still haven't learned that security isn't something you check for at various access points in the code: it is something you build directly into the business layer. For example, your code should not have a method like this anywhere:
public DeletePicture(int pictureID)
The method should be:
public DeletePicture(SecurityCredentials user, int pictureID)
This way it is impossible for your web to accidentally call DeletePicture() without checking for security. The security check is built-in to the lower-level and there is nothing you can do about it. Having worked on secure web services before, I realize I did not do this in my design, which was great for making simple tools, but it meant that all user-facing code had to have checks for security loopholes. The web is especially weird because users can hack the pages and the HTTP requests to call your methods in ways you never
"Security through hubris," which refers to the hawkers (selling security that ain't) of proprietary software and gawkers (buying security that ain't) with brand-pride. "Security through hubris," doesn't refer to closed source code, and it doesn't refer to not disclosing known flaws. It refers, exclusively, to things that AC may of been referring too, like 'no one will ever go be able to find the security flaws, no one will ever know about or use open-port 6424 for cracking, and/or no one will every know enough about the software to call any unpublished black-back-doors (any access/function available).
DAMN, I think, maybe we know what AC was trying to say ...?
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
If their product was a shopping cart, and the preview version of their software was massively secure but didn't let you list items, or let a user add items or checkout, I'd be critical too.
Their main feature was security - there are fsckloads of social network apps out there, so re-writing that part of the app wasn't the point of the project at all. Doing it securely was the point. Can it be fixed? Surely. But it still fails pretty miserably as a preview.
You're special forces then? That's great! I just love your olympics!
Why are you making the assumption that "noone really cares yet to work on it?"
These security flaws were found very VERY fast in the code, I suspect because there are many people who want to look it over and, perhaps, work on it.
Help! Help! I'm being repressed!
r0ml said it best at OSCON 2008, when describing how "real" software development and adoption methodologies work:
1. Commit to a version control repository.
2. Think about what you have right now, and release that crap.
3. Bug Reporting
4. Inventio: Ideas to fix the software.
5. Triage the problems.
6. Integrate the fixes.
He then went on to say "Some of you may notice something missing. There are no requirements. You just have bug reports. There is no development, there’s only maintenance."
He was working the crowd for a laugh of course, but quite a few folks weren't laughing.
-- "In order to have power, I must be taken seriously." -Mojo Jojo
More generalized moral of the story: There is no such thing as a temporary solution.
Either whatever you did solved the problem kinda well enough (which quickly turns it into a permanent solution), or it doesn't (in which case it's no solution at all). That means that when you do something to mitigate a problem temporarily, make it clear to any management types that the problem isn't really solved.
One idea for preventing the deployment of a proof-of-concept is to make the UI for the proof-of-concept as ugly and difficult to use as possible.
I am officially gone from
As I said here: http://groups.google.com/group/diaspora-dev/msg/17cf35b6ca8aeb00 ... Ideally (though few manage this), security needs to be woven intrinsically and mutually throughout an entire endeavor at all levels of the social process, and from beginning to end, from recruitment to developer training to coding standards to code reviews (or whatever works) to archiving procedures to product announcements to bug fix procedures to communications with the public, as well as at all levels of the code itself, the tests, and so on. For many situations, security is often like a chain -- any weak link makes it fail. The less a project embodies this end-to-end security ethic, the more constant vigilance or constant exercise of power is required by everyone involved in it (extrinsic security and/or unilateral security). ... :-( ... ..."
"The central issue many people are concerned about (reading comments elsewhere) is that security is not an "add on".
So, in that sense, security is cultural. If you try to bolt on security after the fact (like trying to use a big military to defend long oil supply lines instead of having local power sources like solar panels, or trying to be the one who has all the power and everyone is afraid of rather than being the one who has a lot of friends who all share power and look out for each other) you end up spending a lot of time, money, and lives on "security" and you possibly still end up insecure.
Unfortunately, intentional or not, the first Diaspora release has been taken by some people to be a statement about the culture of Diaspora development as regards end-to-end security, even if it was not an intentional statement or even it it perhaps may not be accurate assessment relative to intent or plans. So, it is going to take a bit of work to recover from that, but no doubt it can be done by showing steady progress to creating a developer culture that has a security mindset woven throughout it.
So how does one get security in practice, assuming you want to do it end-to-end? What engineering attitude may be best to cultivate within that mindset?
Often, the best security is just simplicity.
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
One idea for preventing the deployment of a proof-of-concept is to make the UI for the proof-of-concept as ugly and difficult to use as possible.
Sure, like that ever works.
Either whatever you did solved the problem kinda well enough
No, the prototype solves the functional requirements, but the nonfunctional ones are toast - maintainability, scalability, things like that.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Ok, after actually reading TFA, I change my posture: the summary is misleading -- the article's main point isn't that there are security risks, but that Diaspora shouldn't have launched a product that 1. Can be so easily misused (public nodes created, users registered) without fixing security holes. and 2. has so many beginner-level security holes (all of the examples brought up should be second nature to rails developers). Which means Diaspora is doomed due to lack of talent. Oops.
There *are* magic code-fixing fairies... they're called "consultants" (clouds part and light shines down as heavenly choirs sing) The diaspora team should use the money raised through kickstarter to hire crack "security" consultants.