Slashdot Mirror
Open-Source Social Network Diaspora Goes Live
CWmike writes "Diaspora, a widely anticipated social network site built on open-source code, has cracked open its doors for business, at least for a handful of invited participants. 'Every week, we'll invite more people,' stated the developers behind the project, in a blog item posted Tuesday announcing the alpha release of the service. 'By taking these baby steps, we'll be able to quickly identify performance problems and iterate on features as quickly as possible.' Such a cautious rollout may be necessary, given how fresh the code is. In September, when the first version of the working code behind the service was posted, it was promptly criticized for being riddled with security errors. While Facebook creator Mark Zuckerberg may not be worried about Diaspora quite yet, the service is one of a growing number of efforts to build out open-source-based social-networking software and services."
who got first post on the site?
... is to facebook, as facebook was to myspace.
'Every week, we'll invite more people,'
I guess they'll be sending Friend Requests via Facebook?
It's more open than Facebook.
Facebook's selling point was its exclusivity - you originally joined Facebook because only college kids were on it, and no one else. You stayed on it for the clean interface.
There's no incentive to join Diaspora.
I really can't help but see it as a great thing that the security errors were found. It totally vindicates the open source model as a means for peer review and enhancement, the developers will have learned some extremely valuable lessons, and the publicity will mean more eyes will be trained on the codebase in future.
Now, if the source was proprietary....
Yes, I too love that a social network that purports to be secure and built to respect privacy is written by people who are incompetent at security. Where can I sign up!?!?!
I kinda agree... here are some others
http://en.wikipedia.org/wiki/Distributed_social_network
But, heck, if Diaspora has the mindshare maybe we should go with it... even if its not technically the greatest?
As I've said before, that's just not how it works in any decent-sized project. You design to meet the needs, then you redesign to meet the new needs, then you redesign yet again to meet the needs that have just come up. Diaspora's first release was (and should have been) to show proof of concept: that something working could be produced. Now they get to redesign to meet security and scalability, and over time they'll redesign to meet other needs. You don't get miracles in the first version.
You do not have a moral or legal right to do absolutely anything you want.
Are you kidding me? Every alpha has bugs. Get real. There's a reason it's invitation only.
Yes, every alpha does have bugs. But one would expect that people who claim to write secure software would actually, you know, be somewhat competent at writing secure software.
...to save the hassle of what twitter went though with the fail whale issue of their servers just getting slammed. Which is a good thing. Also I think google has tried the same things when rolling out a new web product like gmail/google voice/etc where you get invited to keep the load down to a manageable amount while you work out the kinks. Smart thinking on their part. I know I tried Orkut when I left facebook as an alternative and I noticed all the time I would update something on my page or change a profile picture, and orkut would report to me some sort of server error, leaving me with a bad taste in my mouth as to how stable the platform really was. With all the work that goes into a social networking site, I don't envy all the work ahead for diaspora. But I applaud their efforts. One question that lies in my mind since it's an open source site is, if it becomes popular, how easy would it be for people to find exploits to the system since they have the source right there to like pull all of your personal info or hijack accounts. But being opensource, the community can easily pitch in and say, "Hey, that method you are using is a giant security hole!". We'll see.
In other news -- even competent programmers write code with bugs. The important part is finding and fixing bugs, which the open-source model excels at.
what have you done of late that has been noteworthy?
I guess that's one opinion, the "hold out for perfection and scorn anything that isn't perfect" model is popular with many slashdotters. I guess suppressing all mention of those imperfect alternatives is logical to some.
I personally think that's idiotic. The alternative is, what, wait for people to become so dissatisfied with facebook selling all their private information and location that they decide to make their own? I'm finding it hard to believe that people "who know what they're doing" are just not doing it because they haven't thought "maybe I could do better than facebook."
None of the contenders are anywhere near complete (at least the last time I went looking). It will take a few years with people that care about this sort of thing to mature the various projects. If we wait for a "good experience the first time", it will be a long while. I'm prepared to put up with quite a bit if it means long term options for open social networks. For example by creating testbeds for open social APIs.
99% of people don't care and are going to stay on Facebook. These projects are not for those people. At least until TBL's recent prognostications about the emerging Walled Gardens come true.
Xix.
"Everything is adjustable, provided you have the right tools"
Security is a design philosophy. Either you've done it right, from the ground up, with your basic code writing habits, or you haven't. A redesign isn't going to cut it. You'd have to do a total rewrite.
What the GP is getting at is that Diaspora is only popular because they got a connection to some media exposure. They got $200,000 from the public when they had *nothing.* There are (and were) already alternatives that are much better and further along than Diaspora. As I mentioned in my post just below this one, Appleseed is one of them (there are others as well, but that happens to be the one that I personally feel deserves more attention).
In which case Disapora is worth some effort even if all it does is motivate Appleseed back into life. I found this article after reading Tim Berners-Lee's recent article. On hiatus since 2007 is not exactly a reassuring release history either.
http://downloadsquad.switched.com/2010/05/21/diaspora-social-network-fail-kickstarter-facebook/
Other comments about the lardy nature of Diaspora have also convinced me to only try it if I can put it one someone else's server.
Xix.
"Everything is adjustable, provided you have the right tools"
But, heck, if Diaspora has the mindshare maybe we should go with it... even if its not technically the greatest?
What mindshare, exactly, does Diaspora have? As far as I can tell, it's some subset of the same people who keep thinking desktop Linux is going to take off any year now.
So far, in these comments, pretty much every pro-Diaspora commenter mentions how it's open source. I've got news for you guys - the vast majority of people don't give a rat's rear end whether it, or any other piece of software, is open source or not. Sure, you can argue why they should care, and pretend all the great unwashed are going to awaken and come around to your way of thinking really soon now... but the onus is on you to show that's even remotely likely.
#DeleteChrome
The problems described by the linked article back in September are solvable. It's patently absurd to claim that they ought to ignore the relatively simple fixes and write the whole damn thing over again.
Do you even read what you write?
You admit that all alpha software has bugs, but expect these guys to write bug-free code?
IRC: The original social network.
See ya'll on freenode.
Maybe it's just me, but I feel like the name is one of the big stopping points here. For the nerd population, no one will care, but for the general public, I just don't see most people getting excited about updating their Diaspora status, or Diaspora-ing before bed, or sending out Diaspora invites for their birthday parties. Besides it being an unattractive (maybe not the best word to describe it, but you get the picture) word, I think that having four syllables detracts from it as well. Granted, these things shouldn't matter if the service is better, but that's not always the case.
This has already been done: it's called Facebook, MySpace, and Orkut. We know that it's possible to build a working web site for social networking, we didn't need Diaspora to show us that. Diaspora came to the table with the premise of building upon Facebook's "something working": namely, that users would be secure & in charge of their data. That was their key differentiator, they didn't need to show "hey somebody can build a web site that will allow people to communicate with friends!" They needed to show that it could be done more securely and with more respect for user's privacy.
They *failed* to produce a working proof of concept to show that goal could be met. They *failed* to do that because they did not incorporate simple security principles into their initial proof of concept.
So I'm not supposed to trust facebook, a single corporate entity that I can sue for breach of contract if necessary, but I am supposed to trust this software to store copies of my data(even if they are encrypted) on machines all over the planet, machines who may be running Windows and get infected with a botnet that can transfer all my data to another computer for later decryption and analysis. Yeah, sign me up for that.
I hope competitors have a model that DOESNT require me to trust the security of Windows machines.
Monstar L
Just had this pointed out to me:
* Goto http://www.joindiaspora.com/ using Internet Explorer
Instead of showing the page, what do you get? I'll tell you... a blank page with the following title:
You need to use a real browser in order to use Diaspora!
I'm not a IE fan, but this happens with Internet Explorer 8 for goodness sakes. Probably happens with IE9 too. FFS stop showing your fanboyish nature guys; you're basically stating that a good portion of users who only use IE, even if they're using a modern version of it with modern security features like sand-boxing and whatnot, is apparently not "real" enough for your fucking site.
This really does piss me off. Makes the rest of us "open" FOSS users look like a pack of childish geeks who have no idea. You want your little social site to work? Don't arbitrarily restrict browsers!
That was in May. Since then I've put out six revisions.
The thing is, although there was seemingly a stop in development (since 2008/2009, actually), I had never given up on the project. I had a notebook with all the ideas, sketches, mockups, etc. where I wanted to take the project. When Diaspora hit, I emailed them, offering to help. I never heard back, so I decided to push forward on Appleseed.
The pace may seem extraordinary considering I'm essentially the sole full time developer, with most help having come from designers and testers, and I handle a full time job on the side, while I do put in a lot of hours, things have moved along so quickly because I had gamed and spec'd out so much in the year prior.
Check out our roadmap, you'll see exactly where we're going.
http://opensource.appleseedproject.org/roadmap/
You can also send an email to invite@appleseedproject.org for an invite to the beta test site. Here's a screenshot for people who don't want to bother signing up (apologies for FB hosting. we're working on that :)
http://sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs1207.snc4/155927_469182004405_510304405_5358353_7159703_n.jpg
Michael Chisari
Lead Developer, The Appleseed Project
so the code that implements the social network is open source, that means absolutely nothing, it really provides nothing to anyone, its just another social network that fragments the internet (in terms of end users) what we need is open standards for exchange of social media data, we can already do this in parts, facebook seems to have a pretty good api (i haven't delved too deep), but obviously its not a standard, we can import contacts from gmail to facebook and the similar but we can't just transfer our social data from one platform to another. migrate from facebook to diaspora and you start again with a clean sheet, who's going to do that? myspace versus facebook was early, now facebook is the standard. oh crap, i just realised that facebook is the social version of M$ windows.
It seems that Diaspora somehow got that NYTimes article, got mucho donations from that even though at that point they had NO CODE, and yet somehow now I hear about it all the time as somehow it's going to be a "facebook killer".
Linux got popular initially because Torvalds is an excellent programmer and his project spread through word-of-mouth. Diaspora got discovered because there was a Times article about vaporware.
Ok, they are probably not selling you out to advertisers right of the bat.
Now how do they intend to generate money to cover the huge server expenses ? Am I missing something ?
how many politicians are on facebook now? facebook is THE social network (some regions have other dominant networks i realise). it already has the mindshare and the majority of peoples social information, they won't move, if facebook screws soemthing up (in the eyes of the public) politicians will get involved
Now they get to redesign to meet security.....
Yes cause as we saw it worked so well for Microsoft...Some things can not be redesigned...they will require a complete rewrite. We're not talking about adding a new feature here or there. We're talking about a fundamental design flaw.
Quite, there were just security bugs there wasn't even an authorization framework in place! Hell, there wasn't even simple stuff like limiting access to things based on the owner.
Something which I would think is integral to the site design and should have been decided upon before they even started coding.
It's probably invitation-only because they have no way of searching for other Diaspora users and adding them short of exchanging URLs: http://groups.google.com/group/diaspora-discuss/browse_thread/thread/60f32519f623e690/23109444fefa1640?#23109444fefa1640 Diaspora's answer to Facebook's search? Google search! (I'm not making this up, read that thread)
Popularity and exposure does count for a lot when it comes to social networks. I've heard of diaspora several times, and never heard of appleseed before now. I doubt many of my friends have heard of it either, odds are low they've heard of diaspora, but I'm guessing more will sign up with the one they hear more about.
GP also seems to think it's a zero sum game when it comes to news about non-facebook social networks. That's not true. I think most people aren't aware there is more than facebook and myspace, making them more aware of diaspora might lead them to investigate your preferred ones.
Like me and this appleseed you're talking about...
But when security errors are found in closed software it doesn't vindicate anything, right? I WONDER WHY
I'm not an apologist or fan of proprietary software, but people's "logical" conclusions which are really based on clouded judgement because they like one thing more than the other should not be considered insightful. Idiotic advocacy is harmful.
Glad to hear it! The perceived hiatus was the only negative for Appleseed on my short list of FOSS social options to explore.
More likely than not I'll be taking you up on that invite. :)
"Everything is adjustable, provided you have the right tools"
A free software community inspired social network?
Why this has no more chance to succeed than an online encyclopedia that anyone could edit!
Any fool knows, just like Brittanica dominates that field with advantages that free (as in speech) could never compete with, so will Facebook always dominate in social networking.
Oh wait...
I'm more interested in a site that will do what Craigslist does, but modernized and free of all the bullshit that plagues CL. Currently, CL is akin to Mos Eisley and it doesn't appear that there have been any significant improvements in years.
Someone flopped a steamer in the gene pool.
You obviously don't work in IT Security...
Working on MVC in PHP. Impressive. This project looks very complicated and difficult to use with its many modules in php. Do you plan on providing documentation on using it?
That is true, but I would rather not use something that has contained vulnerabilities caused by a failure to follow basic good practice (I.e. incompetent developers).
If I understand correctly, you can run your own Diaspora server, is it right?
Well, then there must be a protocol to communicate between Diaspora servers. If that protocol is sound, then I will just write my OWN server with all the security features I need.
Do we know anything about the security of the protocol? I am more interested in that not in the security of the webapp.
I'm a little late to the discussion, but I'll throw in anyways.
The really important facet of what a Facebook alternative should look like is the ability to dis-intermediate the service from me and my use of the data that is collected about me. Facebook has barely supported an export feature, but removing my data from what is essentially a social connection tool to others is not a plan.
Example:
I own my cell phone, but I can choose to move myself, my data, (and in most places my phone number) to a different carrier. That means that the separation of the carrier in itself doesn't break my ability to communicate with friends or family through a mobile device. As it stands with social networks, if you're all on the same network, you can talk to one another. If you decide A and my sister decides B then there's no communication flow, and the ability to interact comes to an end.
The ability to make an alternative Facebook is important in the ability to further control what I do with my own data, the ability to use my entered data outside of some company's pervue, and to have a service that I can easily add, interact with people and not feel like I'm tied to something I don't like. Facebook is a closed ecosystem. They consume content and lock it up from prying eyes. If Diaspora has or will have support for open inter-operating service offerings then great, otherwise they're just building another Facebook wanna be to take over the world. Who cares if Diaspora's code is Open Source if my interaction with the system and my data is shackled behind a single company's vision of how social networking should work?
Bye!
I would join in a heartbeat if i feel i can trust Diaspora. Facebook on the other hand, no way in hell ill put my data up for theirs to sell to anyone.
I hate Facebook with a passion and i know a whole lot more people who does. The only reason some of them are there is "because everyone else is". Give them an alternative and theyll jump ship without looking back.
HTTP/1.1 400
These aren't "bugs," these are "gaping holes in security and privacy controls that don't appear to even have been considered."
There's a difference between "our security system will behave badly when somebody presents it with a specially crafted URL, leading to unauthorized escalation of privileges" (a bug) and "our security system assumes that anybody accessing URL automatically has access to update, modify, delete, etc. anything at that URL." (a gaping hole in security, and a glaring *design* flaw).
Unless you define "bug" to be such a broad category that it includes "incomplete, poorly thought-out rubbish," you cannot call some of these issues "bugs" in the software.
The big problem is that they're reinventing the wheel several times along the way. OneSocialWeb had a MUCH better idea. They simply boot strapped their API for sharing off the pre-existing XMPP/Jabber standard, and it works really well. They wrote a plugin for the Openfire XMPP server, leveraging their pre-existing presence, messaging, security, login, and user management structure. Hell, it even pulls my XMPP groups and uses them as groups for setting permissions on posts. If they could get the attention Diaspora is getting, I think the progress to a usable alternative could be far quicker.
The fact is, Diaspora's young team is showing just how young they are. Sure, they have energy, but they also have a case of NIH and needing to code everything from the ground up to feel good about it, instead of leveraging somebody else's having already solved part of your problem so that you can get on to solving the REAL issue. They're blocking IE, for fuck's sake. That's stupid. In order for this project to be useful, it has to INCLUDE as many people as possible, not EXCLUDE for arbitrary nerd-religion wars.
The only reason they got as much attention and funding as they did was the fortuitous timing as Facebook ignited the internet's collective nerd rage and they announced their project, because frankly they're Doing It Wrong(tm) pretty much every step of the way since then.
I've got news for you guys - the vast majority of people don't give a rat's rear end whether it, or any other piece of software, is open source or not.
Great!!! As I care much less what the vast majority of people think than they do care about the rat's end, maybe it is an opportunity to get more contacts more relevant for me that in other places?
In other words, why does a place need to be crowded to be attractive?
Questions raise, answers kill. Raise questions to stay alive.
Comment removed based on user account deletion
We just use the wave in the box code and make it more social like google couldn't do...
... is to facebook, as identi.ca is to twitter.
If they learned from their mistakes and adopted safer coding practices and added infrastructure that enforces proper security on the code then the review has paid off. On the other hand, if they only fixed the security bugs that were pointed out and continued coding the way they did before then it will never be secure since there won't be enough reviewers to keep up with all the new bugs being added.
Yes, things would have been worse if this source was not open, but that doesn't necessarily mean the code is good enough now.
Social networks don't tend to work very well when hardly anyone's on them. The clue's in the name.
awesome
Diaspora got discovered because there was a Times article about vaporware.
It's not vaporware if they come up with the product. They've come up with the product.
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
If there was a 'port facebook' to diaspora function then it might happen.
I dont really know why facebook took off in the first place as there were others around at the time. A mate was on faceparty all the time and I wasnt bothered at the time.
Now I mainly use it to keep up with people abroad and family and people I dont get to see. Hence the critical mass thing.
I always think never say never as yahoo disappeared as a search engine virtually overnight in my mind. I dont even know why I switched to google.
On a long enough timeline. The survival rate for everyone drops to zero. Chuck Palahniuk, Fight Club, 1996
Diaspora, the anti-social network!
Tired of social networks with their data sharing, privacy leaks and too many people looking at your stuff?
Join Diaspora! Write status updates nobody can see! Or don't, it's all the same in the end!
Anybody already tested it? are there user stories among the /. crowd?
How is the server performing? All in all, I think the decentralized architecture is very interesting for a social network, so how is the experience compared to e.g. facebook?
May be I'm going to setup a test server...
---
awake and alert!
-Penguin Mints
While I agree that Diaspora should have been built with security from the start, you are misunderstanding his point.
When one says that Diaspora needed to prove that it could be done, it doesn't mean that "it could be done by someone" it means "it could be done by Diaspora". It's different:
Finding out if it's possible at all is useful to decide if you want to invest in building it.
Finding out if it's possible for Diaspora is useful to decide if you want to invest in building it out of Diaspora's codebase.
But... the future refused to change.
I was one of the folks that sent Diaspora some money. I like the idea of an open social network where you have control of your information. Sure it's going to be tough to be a facebook killer but I want them to have every opportunity to try. I've been on the net since the Lynx days, I've worked on the net in one fashion or the other since then. To me the big promise of the net was to bring people of different cultures, different geographic locations together, not to mention having a wealth of information at your finger tips. There is a lot wrong with facebook. I'm all for social networks (which is nothing new, we've had social networks since the stone age). I don't like the way facebook is going about it. To me facebook is the present day AOL. I could go on and on but I'm behind Diaspora and hope they get it right.
i feel like it. if it doesnt become big, im sure hundreds of thousands of geeks will make it big, just like they made firefox.
facebook was starting to feel creepy anyway.
Read radical news here
The sad part is there is still no news on the protocol. Which is the most important part.
What if google want to make their own web portal, but with diaspora protocol and hence participate to the ecosystem? As they did with gtalk and XMMP.
What if some router constructor want to insert a diaspora node in their hardware?
Think email, the important is not gmail, nor exchange or thunderbird. The important is that there is a common protocol where people can INNOVATE on it. Like, you know ... internet.
I haven't seen any organization start off with the *intent* of usurping a website, a piece of software or a piece of hardware from an established niche and succeed, by intent.
Users tend to gather around a watering hole and stay there, despite better alternatives existing.
The Diaspora team would be smart to recognize this problem as being at least as large of a task as making their software. The wealthy uber geeks who donated large amounts of money to Diaspora would be wise to use their resources to get Diaspora some top notch marketing help.
The vast majority of people don't need to care that it's open source. Open source has many built in advantages over closed source. My mum doesn't know Firefox is open source but she likes it a hell of a lot better than IE6 (which she would have been using if FF hadn't arrived and kicked MS up the backside) Often closed source projects can slip up by neglecting demand for a particular feature or taking too long to roll it out. Open source projects don't always necessarily act quicker, but if the demand is great enough someone will fork it/fix it.
IE6 is actually quite a good analogy - it had basically all the browser share at one point and Microsoft thought no one would ever dare complete so they got lazy and didn't bother to advance it in any way. Web developers effectively had to ask MS how to develop website. There is a very real possibility that this could happen to Facebook too. The fact of the matter is it's very hard to kill and open source projects. Companies can go bust but open source projects will live on if people want them to. This will force FB to keep on it's toes and will generally be good for everyone.
So I'm pleased Dispora has arrived and I'm extremely pleased that it is open source!!
The average Facebook users isn't interested in technology and the average Facebook user is the type of person to shut down listening at the smallest hint of jargon-speak coming. IT people often lose the ability to see how very little people know.
The average Facebook user isn't going to understand the many seed concept, let alone being willing to figure it out and set it up. I hope they make it brain dead, push just 3 buttons easy.
The average Facebook user isn't going to understand or be enthusiastic about "open source" or "privacy aware".
I hate Facebook.
It is my sincere hope that the Diaspora team realizes that winning Facebook users over is a bigger challenge than building their software and that winning them over involves many things that have nothing to do with having better software...having better software is only one minimum requirement.
Linux "got popular" because *some* ( Windows still rules the market ) people wanted an alternative to Microsoft Windows.
Diaspora *may* get popular because many people want an alternative to Facebook.
A friend of mine and I did some research about what causes the "Next BIG Thing" on the internet (or nearly any other product or service) to be the next big thing. Based on that research, I don't think that creating a sub-culture is going to evolve attitude; I feel that Diaspora (and any other social network) is only achieving that goal...creating a subset of a larger culture. I feel that MySpace inherited from Geocities, Facebook inherited MySpace, Diaspora inherited from Facebook...everyone seems to be percolating over how to become the next step in the chain, but no real innovation is occurring. This seems to be in opposition of where I really feel we should be growing as a global community. When we consume X, then barf up Y it is still X. Diaspora (and nearly any other "Social Network" engine) doesn't seem to be offering any true innovation...just a perspective on the same system with a few twists != INNOVATION
Not all bugs are equal.
To have a right to do a thing is not at all the same as to be right in doing it
Current marital status: I'm posting on Diaspora, take a wild fucking guess.
To have a right to do a thing is not at all the same as to be right in doing it
I was reading about all that and wondered.. XMPP is distributed, you can accept peoples, see there picture and status. For sure you can chat and create private rooms to share a chat. There is not much missing. Maybe a wall and pictures. So I typed "XMPP has social network" on google. I have tonnes of responses.
Maybe that's what google wave was trying to be. But google wave was too complicated. It offered too much and nobody except google had an implementation.
Any thoughts about this?
I found http://onesocialweb.org/. That is maybe what I was looking for.
I would normally agree with you.. no one expects an early version to be secure right out of the gate.
However one of the main selling points of diaspora was supposed to be privacy and security. And the critisisms made against it were not minor, they were major problems with (specifically the complete lack of) a security architecture.
You can add in some security at the top, but real security comes from a strong underlying foundation, with diaspora didn't have.. and much like it's hard to replace the foundation of a house, it's hard to replace the foundation of a software without a complete re-write.
Exactly. But I think Appleseed, Diaspora, and other open source social network software should be trying to create a standard protocol. Probably based on RSS or ATOM.
I don't get why Diaspora gets so much press. When I looked at it, I was impressed by it and there was some bad press about its security. I'm sure it will continue to advance, but the major problem I have with it is it doesn't even attempt to reuse existing technology. They claim to by using something like ruby modules to implement their features or whatever, but they are designing their own protocol and building a very kludgey system.
I use onesocialweb. It's built upon the xmpp protocol and plugs directly into an existing xmpp system, openfire. It has available integration with openfire (users, contacts, etc), a basic web interface, and a basic android application. As a module for openfire, and xmpp in general, a large part of the protocol is already defined. OSW simply extends the xmpp protocol to add social features.
Why is there virtually no press about OSW? I only discovered it while searching google for other possible open and distribute social systems other than Diaspora. Personally, I would rather see OSW succeed.
From the image you posted this project looks a lot more polished and refined than I was expecting. I would be proud to run a server/network running your software.
Why exactly do we need to prove that its possible to build a social network? There are already a number of very successful ones in existence.
Car analogy: diaspora said they were going to make a car that works better than a Toyota. They produced something with no doors, no locks, which gets 2 miles to the gallon, and which has the tendency to explode if you get too close to other cars.
Why would you then insist on arguing that they were going to destroy toyota's market dominance any day now?
They failed to produce a prototype that demonstrated any ability to create secure code. And yet people are still sitting here arguing that it's just a matter of time before this abortion takes over the web and saves us all from facebook, despite it having demonstrably worse security and privacy controls - the very reason for its existence! - than facebook.
Diaspora is a failed source forge project created by a couple enthusiastic kids whose biggest achievement was to figure out a way to convince people to give them 200,000 dollars.
So far, in these comments, pretty much every pro-Diaspora commenter mentions how it's open source
I see a lot of people mentioning privacy concerns on Facebook, and the distributed aspects of Diaspora as the pros. There has actually been a nice lack of "OMG open source" comments so far.
"I would rather not use something that has contained vulnerabilities caused by a failure to follow basic good practice (I.e. incompetent developers)."
Agreed. Diaspora was revealed on Sept 16th and the very next day major security holes were found. Not minor ones, "many show-stopping issues": cross-site scripting — attack vulnerabilities, a session token that's easy to steal, a lack of user input filtering, and repeated errors when a null character is entered into web fields.
These are huge and very well documented security violations dating back to the 90s. Anyone want to bet how many days before we find security vulnerabilities in this latest release?
This is open source, meaning people are going to be installing it that are not security experts and they expect everything to be done, they're not going to want to be pouring over code for security holes or installing MAJOR PATCH RELEASE every day.
I think a open source social networking site might work but obviously needs to be done by programmers with experience, not a few kids that took some CS classes at University and thought they could remake Facebook. They should have taken that $200,000 and hired real programmers.
my karma will be here long after I'm gone
This. Any idiot can build a web UI for a social networking site. For an open decentralized service the important parts are designing the protocol and the distributed authentication. If that's solid (and scalable) the quality of particular implementations really doesn't matter.
You're modded Funny but really this is Insightful.
my karma will be here long after I'm gone
Security is a design philosophy. Either you've done it right, from the ground up, with your basic code writing habits, or you haven't.
I think you're mixing design and implementation. It's perfectly possible to have a brilliant design with a dodgy prototype, and a horrible design with a perfect implementation. Diaspora-the-plan may or may not be genius; I haven't looked at it and I doubt I'm qualified to judge it anyway. Diaspora-the-prototype had some bugs that might have included security errors that have nothing to do with the design.
Quick example: suppose that the design for SSH is verifiably perfect on paper. The NSA shakes in fear because they'll never be able to crack it, and mathematicians worldwide sob because there's nothing they can do to top it. Yay! And then someone packaging it for distribution mistakenly comments out a critical part of the pseudorandom number generator and breaks the thing wide open. Would you advocate them throwing everything away and starting over, or is it enough to fix the bug and move on?
Dewey, what part of this looks like authorities should be involved?
"the "hold out for perfection and scorn anything that isn't perfect" model is popular with many slashdotters."
Isn't perfect? It's full of landmines. That's like buying a few acres and finding out it's covered in landmines and after you're done screaming at your real estate agent they turn to you and say "well I know it isn't perfect but..."
This isn't glass-half-empty, this is glass-smashed-on-floor-buy-new-glass. Diaspora had cross-site scripting vulnerabilities that dated back to the 90s.
I've heard the rumors that Facebook is selling data but if they are I haven't noticed it. Honestly I see nothing wrong with facebook.... yet
my karma will be here long after I'm gone
Ummm. they're basing it on OStatus. I'd prefer to see XMPP because security and granular permissions are already solved there, but OStatus is an open protocol.
Put identity in the browser.
"The big problem is that they're reinventing the wheel several times along the way".
Whats wrong with that? In an opens source world, having multiple views provides choice and possibly more efficient, "better" implementations. The availability of the code, open to all, permits lots of experimentation and nuance.
Why in a capitalistic society is there always such a desire to avoid competition? Why should only a few get to set all the rules going forward for everyone else to follow?
So what?
Its open source so others who "know better" can step in and fix it. With closed source such as Facebook, who really knows what you get, except obviously big profits by those buying and selling personal information.
Agreed on OneSocialWeb -- they were out the door with working, federatable servers before Diaspora even got announced. XMPP has its drawbacks, but I think social should be a W3C protocol and it should be integrated into the browser. Heck, just right-click on a picture in your browser, choose "share," and publish to anyone or everyone on any network. It should be that easy.
Put identity in the browser.
Not really. The concept of giving away your personal information so that it can be used by corporations to make money from marketers is a relatively new fad. Once the fad wears off, some other fad will come in and replace it. Myspace was once the fad. These kind of things can change quickly.
I think the important distinction here is that Diaspora is based on a model of 1) open source and 2) that individuals are themselves in a better position to control their own "node" in the network, rather than being simply a cog in someone else's business plan. Whether its successful is another issue entirely. Fox News has managed to convince millions that global warming is not a problem. It hardly means that it is not a fact of life and the human consequences won't be severe.
Are you trolling?
Car analogy: diaspora said they were going to make a car that works better than a Toyota. They produced something with no doors, no locks, which gets 2 miles to the gallon, and which has the tendency to explode if you get too close to other cars.
Because they said they'd built that car out of cheerios and succeeded, and now you know that you can build a car out of cheerios, you can work on improving it you're basically Ignoring what I said..
despite it having demonstrably worse security and privacy controls - the very reason for its existence! - than facebook.
The reason for it's existence is basically open sourcing facebook, and not just facebook the product but facebook the phenomenon. *This* is what it's at stake here and why it's worth trying
and trying again.
But... the future refused to change.
Agreed. The security of the code is irrelevant. None of mock-up proto-type code at the design phase will exist once it goes into production phase. As MaskedSlacker says, it will obviously be rewritten (probably several times by people who implement in their preferred languages). It is the protocol and APIs that are important. How resistant are they to spoofing? Man-in-the-middle attacks? Replay attacks? What kind of encryption and authentication is used? How is key management done?
Of course security plays only a minor role. Major factors are what functionality does it offer? How extensible is it? What is the roadmap? How often do they plan to break backward compatibility? How well is it documented? Will there be plenty of example code for people to play with? How do they plan to allow user feedback for new ideas or patches?
It's an ambitious project, and there is no reason it will not work, but it needs a clear vision.
Phillip.
Property for sale in Nice, France
Linux "got popular" because *some* ( Windows still rules the market ) people wanted an alternative to Microsoft Windows.
Personally I didn't see windows and think "this works great, I want to use something else" -- I wanted a system that worked, and what it is an alternative to doesn't matter
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
DNF had numerous demos, too, but never really shipped.
Put identity in the browser.
Linux succeeded / got popular on the server in the 90s, long before GNOME or KDE existed. He wasn't talking about desktops or replacing MS Windows.
Put identity in the browser.
Once again: WE KNOW that you can build a social network, and we also know that you can build an open-source social network. It's been done. The project was not "interesting" from that perspective - Facebook, Myspace, Orkut, Appleseed, and a host of other 'social networks' have already done one or both of those things.
The key differentiator for Diaspora was the goal of creating a secure, decentralized model that put the user in charge of their own privacy. The differentiator emphatically WAS NOT that they were "open source" - again, that's already been proven to be possible by other projects.
Which brings us to the question of why we *should* give a shit about Diaspora. I'll let their Kickstarter writeup speak for itself, here's what they had to say:
Please point out for me where they say "we aim to open source Facebook," because I'm not seeing it.
The GOAL of Diaspora was to create a more-secure social networking environment which gave control of user privacy back to the users.
The METHOD they intended to use was to open-source what they produced, and then build a community around it.
The RESULT was an unmitigated mess: the code they spent months writing did NOTHING to achieve their stated goals, in fact it was even LESS secure and private than Facebook, because it ignored standard and common security and privacy practices - things which should be part of your design from the ground up, including user authentication and access control for each and every operation the system performs.
They started out by saying "We're going to build an alternative which puts the user in control of their data." They created an alternative which puts ANY user in control of ANY data.
This is not trolling, this is an honest assessment of the progress & results of Diaspora. Their goals were more security & more privacy. They achieved neither of those goals with the code they wrote. Open source is not some magic sauce you marinate your code in in order to improve it, but suddenly the entire focus of Diaspora has gone from "it's more secure and more private," (their initial, stated goals) to "it's open source," as if that forgives the multitude of failings that the code has, simply because a bunch of people can read the source that implements those design flaws.
Open source is not magic sauce.
If Linus Torvalds was an utter incompetent, would anybody have bothered to "step in and fix" the Linux kernel?
If Richard Stallman was an utter incompetent, would anybody have bothered to "step in and fix" Emacs, or any of the other GNU tools he's had a hand in writing?
The point is this: When your system is designed by people who are *demonstrably* incapable of designing a system that meets the goals they've stated they will meet, how long do you expect any community to last around that? Diaspora has gotten so far only because of kind press. Looking at the impact graphs on Diaspora's github page, it looks as if there's roughly 10 people who are actively contributing to the project. How long until the community members get sick of fixing bad code, or realize that most of the code has been written by them because they had to rewrite the bulk of the original code to allow for things like security?
And how long after that until the project either loses contributors to forking, or it undergoes a leadership coup?
how many politicians are on facebook now? facebook is THE social network
Indeed, just like how MySpace was THE social network. And how Friendster was THE social network. And how LiveJournal was THE social network. And how...
Not to mention how there's certainly no politicians or celebrities on other websites, like Twitter.
Demanding constant attention will only lead to attention.
WTF? How long have they been working on that? There's nothing there. What about security, identity, scaling, message formats?
OpenID, OAuth, Atom/RSS, PubSubHubbub, ActivityStreams, Salmon, and WebFinger
Put identity in the browser.
Thank you. Looking again, I'd missed the link to this page.
No problem.
Put identity in the browser.
Hey Michael,
Looks like a very nice idea.
Did you see the Lorea's project?. Maybe they are interested in your proposal.
"Lorea is a project to create secure social cybernetic systems, in which human networks will become simultaneusly represented on a virtual shared world.
Its aim is to create a distributed and federated nodal organization of entities with no geophysical territory, interlacing their multiple relationships through binary codes and languages."
more info: http://lorea.org
You should get in contact with Lorea. They have a site https://n-1.cc/ which is doing lots of nice things. AFAIK they are based/working with Elgg and moving fast.
Is that a joke?
On the other hand, if they only fixed the security bugs that were pointed out and continued coding the way they did before then it will never be secure
No ifs there:
Continuing to focus on security.
When we released our initial code, we got some great feedback on better ways to do Rails security. Luckily, it was easy for us to take this feedback and quickly secure the application. We look forward to more such feedback with this release. Diaspora blog
They're relying on the community to pentest and correct their code for them while they are amassing venture capital. They refuse to do it right. They refuse to learn. They refuse to fucking take a Rails course before diving into a project of this scope. This is not going to change as long as they find enough idiots to help them out. Only that when Diaspora becomes bigger, it will be more rewarding to exploit the flaws than to do hand holding with a bunch of lazy script kiddies who got lucky.
Nobody who uses the words "quickly secure the application" in that sequence should be allowed to code social apps. Or any apps.
Linux "got popular" because *some* ( Windows still rules the market ) people wanted an alternative to Microsoft Windows.
What??
No.
Linux "got popular" because *some* people wanted an alternative to Minix. It didn't become a viable alternative to Windows until long after the project had started to take off amongst Unix aficionados.
But, hey, don't let me stop you from rewriting history...
That is how it started, it is not what desktop Linux became or what it is.
There is an old saying that people who use FreeBSD love Unix, people who use Linux hate windows.
If you poll most of the desktop Linux users they will tell you they use it because they like it better than Windows. Most of these people will not mention minix.
The year is 2010, not 1989
You might want to consider how this conversation started. Specifically, it was about the *genesis* of Linux and how that relates to Diaspora. Where Linux is today is utterly irrelevant to that conversation.
Thanks for playing, though.
That protocol doesn't exist: they didn't bother to specify it. Makes me wonder what they're testing against, if at all.
You don't get miracles in the first version.
I'll remember that next time the Creationists on SlashDot crawl out form under their logs.
[edited after 30 seconds thinking. I must be new here]
I hope that I'll remember that next time the Creationists on SlashDot crawl out from under their logs.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
It is a lot harder to fix design flaws than it is to fix a bug. Fixing design flaws may require a significant rewrite of the code. And since Diaspora is designed to be a decentralised network of servers, you have to make sure your fixes either don't break interoperability with other Diaspora servers or get adopted by them.
The thing is written in Ruby, with MVC. You can start putting shingles before digging the basement, meanwhile decorating the second and third floor, putting walls on the second. And that being disciplined. If you are in to hacks, let's just say I'm out of acid.
I know tobacco is bad for you, so I smoke weed with crack.
Have you considered Diaspora compatibility on some level? XMPP support?
I know tobacco is bad for you, so I smoke weed with crack.