
Security Concerns Paramount After Early Reviews of Diaspora Code

Soulskill posted about 4 years ago | from the work-in-progress dept.

Open Source 206

Stoobalou writes with this excerpt from Thinq.co.uk: "Following the release of the source code for the Diaspora social networking platform, hackers and tinkerers the world over have been poring over the code in order to improve, enhance, and otherwise help the project in its attempt to unsettle Facebook. Sadly, the current opinion is that the code just isn't up to scratch. While the team clearly stated that 'we know there are security holes and bugs' in the code that was released, it's possible that they weren't aware of just how many show-stopping issues there are — issues which make it hard to recommend that you roll your own Diaspora server just yet."

206 comments

Freetard fail (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#33610608)

Freetard fail!!! Diaspora is going to be another piece of FOSS junk thrown on the garbage heap because no regular user of Facebook is going to go to it.

Re:Freetard fail (2, Funny)

Anonymous Coward | about 4 years ago | (#33610644)

You're wrong. I'm 99% confident that 2011 will be the year of Diaspora on the desktop.

Re:Freetard fail (5, Interesting)

Anonymous Coward | about 4 years ago | (#33610662)

Yeah, but it will be like email is now. People won't need to run their own servers. They will be able to pick from a variety of free diaspora hosts who get their revenue from ad dollars and harvesting your data (and that of your friends, who might host their own diaspora node at home, or on another service), and then we will be free of facebook's horrible privacy violations, and be in a new universe of less accountable companies with even worse problems.

I can't wait, diaspora, here I come!

Re:Freetard fail (1)

oldspewey (1303305) | about 4 years ago | (#33610798)

a variety of free diaspora hosts who get their revenue from ad dollars and harvesting your data (and that of your friends ...

So this model is different from Facebook how exactly?

Specialized servers offering ad-free accounts (4, Informative)

tepples (727027) | about 4 years ago | (#33610870)

Unlike Facebook, the Diaspora network is planned to have more than one server operator. Some might offer ad-free accounts to subscribers. Others might be run by a company that offers ad-free accounts to its employees, a school that offers ad-free accounts to its students (echoing the original meaning of the word "facebook" [wiktionary.org]), or a church or other non-profit club that offers ad-free accounts to its members.

Re:Specialized servers offering ad-free accounts (4, Interesting)

oldspewey (1303305) | about 4 years ago | (#33610982)

But as I understand it, an end user does not necessarily have control over where their information is routed/stored. So if there are a few rogue server managers out there acting the way FB does today (selling personal info as a source of revenue) then every member of the user base will (potentially) be affected.

Please correct me if I'm wrong, because I'd like to be wrong about this.

Re:Specialized servers offering ad-free accounts (3, Insightful)

koiransuklaa (1502579) | about 4 years ago | (#33611066)

All actual data like messages is (supposed to be) encrypted. So the rogue seed can see your network or parts of it but should not get anything else.

My understanding is from a quick glance, it would be awesome if the developers would document things a bit more and lay out the design and roadmaps properly.

Re:Freetard fail (4, Insightful)

Pojut (1027544) | about 4 years ago | (#33610830)

Something doesn't have to convince every user just to succeed. To me, Diaspora represents everything RIGHT with the FOSS community. Collaboration on software that, on its own, would never survive. However, with people working together on it, they can increase its usefulness (and increase their own skills, which by proxy would improve any future projects they worked on.) Diaspora is a grand experiment, one that I hope works out.

I fail to see how working with people dedicating their time and knowledge can be seen as a bad thing.

This isn't necessarily a bad thing (4, Insightful)

iONiUM (530420) | about 4 years ago | (#33610646)

It might encourage the workers on Diaspora code to work harder for security. I mean, even if you think you have every security hole plugged, until you open that code up to the world you won't really know. So what, there are many more security bugs than expected. That's fine, delay the release a little bit and start patching.

Unless this completely discourages them to the point that they turn emo and start lying in the dark crying, I'm pretty sure they can fix this and still release.

And that was to be expected (4, Insightful)

e065c8515d206cb0e190 (1785896) | about 4 years ago | (#33610684)

Seriously, a bunch of kids from NYU... what did you expect?

It's not a bad thing though, as long as people are willing to constructively collaborate on the project.

Re:And that was to be expected (1)

MoonBuggy (611105) | about 4 years ago | (#33610960)

Is that a jab at NYU or a jab at college kids in general?

Re:And that was to be expected (1)

e065c8515d206cb0e190 (1785896) | about 4 years ago | (#33610994)

Maybe it wasn't a jab at all?

Re:And that was to be expected (1)

suomynonAyletamitlU (1618513) | about 4 years ago | (#33611130)

Most college-level kids don't have experience coding a secure, distributed social networking site from scratch, and wouldn't be aware of all the potential snafus and pitfalls. In fact it's likely that they haven't written ANY software that is going to have enough traffic that security becomes a critical issue, and I doubt any college courses would focus on that in particular.

I don't see how that could possibly be considered a jab at anyone.

Re:And that was to be expected (0)

Anonymous Coward | about 4 years ago | (#33611198)

Most college-level kids don't have experience coding a secure, distributed social networking site from scratch

Wasn't that how Facebook started?

Re:And that was to be expected (5, Insightful)

gparent (1242548) | about 4 years ago | (#33611154)

It's not a jab at all. It's perfectly normal for inexperienced coders to have security issues in their applications, just like you can have any other bug.

Re:And that was to be expected (5, Insightful)

DJRumpy (1345787) | about 4 years ago | (#33610990)

Am I missing something here? This is the way it should work, and the true strength of open source. Assuming they have the skillset to address the security issues found, I just don't see an issue. This isn't release level software yet, and I would expect that anyone putting up such a site based on it would publish that fact. I'm pleased that they are getting such great input on key security flaws.

Re:And that was to be expected (1)

yincrash (854885) | about 4 years ago | (#33611056)

I think the implication is that a few kids still in school don't have the skill set to address those issues, let alone write quality code yet.

Re:And that was to be expected (1)

coldfarnorth (799174) | about 4 years ago | (#33611494)

They have been admitted to the school of practical experience with a great idea, but less practical experience than you would prefer. We have two choices: 1) Tell them "You suck", and throw them out on their asses. -or- 2) Teach them the skill sets they need. Choose wisely.

Re:And that was to be expected (2, Insightful)

coldfarnorth (799174) | about 4 years ago | (#33611520)

They have been admitted to the school of practical experience with a great idea, but less practical experience than you would prefer. We have two choices: 1) Tell them "You suck", throw them out on their asses, and consign their idea to the scrap heap -or- 2) Start to teach them the skill sets they need, and try to realize some of the promise of their idea. Choose wisely.

Re:And that was to be expected (1)

coldfarnorth (799174) | about 4 years ago | (#33611650)

Bloody double-posters!

These idiots can't manage to read the simplest of instructions. I'm going to track down this idiot in meatspace and give him a piece of my mind!

Oh wait . . .

Re:And that was to be expected (1)

Archangel Michael (180766) | about 4 years ago | (#33611622)

And your point is??

Learning is part of the experience we all share. Nobody learns to write perfect code, with no security holes in it, from the beginning.

The biggest problem with experience is that we tend to forget where we came from, and the big errors we've made in years past, or worse, we don't even know of the big errors we had early on, because we don't use that code any longer so the holes were never plugged.

Who here thinks that a High School Standout can play professional Baseball right away? You don't tell that standout they "suck", and that they "make fundamental errors" and discourage them so they quit. A good coach takes what is good, and works on it to improve weaknesses.

Re:And that was to be expected (1)

idontgno (624372) | about 4 years ago | (#33611488)

FWIW, my take-aways on this topic are:

  • Never install the "dot-zero" version of ANYTHING for production
  • The devs are young. That means energetic and possibly well-intentioned, but inexperienced. If this works out, the OS community will be enriched by skilled and savvy devs who have seen the elephant and have the scars to prove it.

After all, "good judgment comes from experience, and experience comes from bad judgment."

Re:And that was to be expected (1)

poetmatt (793785) | about 4 years ago | (#33611116)

I think people forget that it's open source, so it's easily modified.

Able to code, and spot a vulnerability? Fix it yourself!

Re:And that was to be expected (3, Insightful)

yincrash (854885) | about 4 years ago | (#33611144)

Just because software is open source does not mean it is easily modified. In many cases, it could be easier to rewrite it from scratch to do the same thing than to modify existing code that is terrible.

Re:And that was to be expected (1)

poetmatt (793785) | about 4 years ago | (#33611508)

and? They could fork it.

Re:And that was to be expected (1)

Lunix Nutcase (1092239) | about 4 years ago | (#33611560)

I think people forget that it's open source, so it's easily modified.

It's "easy to modify" but not "easy to modify" and make sure that you don't break other things or introduce bugs. That is unless all the open source software you deal with is extremely trivial in nature.

Able to code, and spot a vulnerability? Fix it yourself!

Because all users are programmers, right?

Re:And that was to be expected (4, Insightful)

GreatBunzinni (642500) | about 4 years ago | (#33611362)

Seriously, a bunch of kids from NYU... what did you expect?

I don't know. What do you expect from a 21-year old kid from University of Helsinki? Personally I don't believe anyone expects much from it but nowadays you have the entire IT world being carried by a pet project made by a little Finnish kid from University of Helsinki.

Is this also the case? I don't know, really. Yet, I hope it is.

Re:This isn't necessarily a bad thing (0, Troll)

Disgruntled Goats (1635745) | about 4 years ago | (#33610688)

Is anyone actually surprised that a bunch of Ruby developers can't write secure code? Besides, the performance is probably going to be as shitty as Ruby on Snails as well.

Re:This isn't necessarily a bad thing (5, Insightful)

TheRaven64 (641858) | about 4 years ago | (#33610770)

Is anyone actually surprised that a bunch of Ruby developers can't write secure code?

No, but then I wouldn't be surprised if you substituted Python, Perl, Java, or C for Ruby in that statement. The proportion of programmers who can write secure code is a relatively small proportion of the number that can write code in any language.

That's one of the reasons why, as I said in the last story, I am more interested in the protocols than in the implementation. A set of standard protocols for social networking (ideally built on top of XMPP) would allow lots of different implementations, which would reduce the damage that could be done by a flaw in one of them.

Re:This isn't necessarily a bad thing (4, Insightful)

Tassach (137772) | about 4 years ago | (#33611296)

No, but then I wouldn't be surprised if you substituted Python, Perl, Java, or C for Ruby in that statement. The proportion of programmers who can write secure code is a relatively small proportion of the number that can write code in any language.

A great big helping of THIS. It is insanely difficult to write really secure code in any language. (Although it's harder in some than in others).

Look at Postfix -- it was designed and written specifically with security in mind by one of the world's foremost experts on TCP/IP security, and it STILL has had security bugs. If a hacker god like Wietse Venema [wikipedia.org] has security bugs in his code, what chance do mere mortals like us have of writing secure code?

This is something that has to be tackled on multiple levels -- in library code, at the compiler, at the operating system, and even in the language itself. Modern languages have garbage collection that prevents (most) memory leak issues; we need a similar language-level mechanism to address common security issues. Perl's taint mode is a definite step in the right direction, but there needs to be more research done on language-level security features.

Likewise, we have static and dynamic code checkers that highlight problematic code; while there are some for security, we need more/better tools in this area, and more importantly we need to teach young programmers to actually USE them, or better yet build them into the compiler so you HAVE to use them.

Re:This isn't necessarily a bad thing (0)

Anonymous Coward | about 4 years ago | (#33610724)

I believe this is an end to Diaspora. If the programmers don't have good security education, they will never be able to grasp the whole concept of vulnerabilities on the internet and the system will be always vulnerable. This will end up the same as phpBB2 with a lot of its holes. Now phpBB3 is completely rewritten and pretty secure but it will never lose its reputation of bad security software because of phpBB2.

Re:This isn't necessarily a bad thing (0)

Anonymous Coward | about 4 years ago | (#33611068)

So what, there are many more security bugs than expected. That's fine, delay the release a little bit and start patching.

That's not necessarily fine depending on how deep the bugs run. Security isn't something you just patch in at the last moment. They should be thinking about it from the start, especially since privacy is supposed to be one of the core principles of the project. Proper security is obviously a prerequisite to protecting user privacy.

Re:This isn't necessarily a bad thing (1)

MaWeiTao (908546) | about 4 years ago | (#33611112)

Like everyone else, they're never going to be able to completely address security. I suppose the goal should be to eliminate any glaring flaws and stay on top of things for as long as the platform is being used. But people are going to always reveal flaws as quickly as they can be patched. Being open-source doesn't provide any inherent level of security simply because anyone has access to the code.

If anything, it's only a matter of time before we see a fork. Someone is going to decide they can do without certain features for the sake of security. Or someone else doesn't like how something works and decides they'll do things differently. But once the base starts fragmenting I'm fairly certain Diaspora is doomed and will never be able to unseat Facebook.

In principle it's a great thing that someone is working on this. But I also think it's been over-hyped, especially since nobody has even interacted with it much. I think they've got the underdog factor going for them. Maybe it will end up being a success, but at this point I have my doubts.

Re:This isn't necessarily a bad thing (1)

gilesjuk (604902) | about 4 years ago | (#33611156)

These aren't small holes, these are major show stoppers. It's currently possible for anyone using the site to do anything they like to someone else's profile.

If you're designing a portal you need to design it to be secure. Otherwise when you start reworking the code to secure it the code gets messy.

It sounds like they've been designing this thing as they go along, not the best way really.

Re:This isn't necessarily a bad thing (1)

Americano (920576) | about 4 years ago | (#33611464)

It might encourage the people working on the code to work harder - or it might mean they run out of money, energy, and interest and Diaspora becomes another piece of abandoned FOSS code.

If there are so many glaring security holes from the start, it sounds to me like they have accomplished nothing but a basic mockup. How long can they delay the release while they refactor & rewrite? While they implement the many features they haven't completed? While they do thorough security testing, which will possibly uncover *design* flaws in the security, not just "oops I didn't check array bounds here," which could mean that they have to rewrite & redesign entire sections of the application.

How much longer will the money they raised continue to fund their development?

After how long? (4, Insightful)

Sarten-X (1102295) | about 4 years ago | (#33610668)

After a few months, a big project has bugs? Really? That's amazing! After all, Windows has been around for only 20 years and it's perfect, right?

I think I'll reserve judgment for sometime in 2012...

Re:After how long? (1, Insightful)

Anonymous Coward | about 4 years ago | (#33610706)

After a few months, a big project written by a bunch of students with no real-world big project experience has numerous showstopper bugs? Really? That's amazing!

Improved that for you.

Re:After how long? (5, Insightful)

ihatejobs (1765190) | about 4 years ago | (#33611018)

Irrelevant. A bug is a bug, and can be fixed. So long as they actually fix the bugs instead of pushing out a release, they should do fine.

Re:After how long? (3, Funny)

Posting=!Working (197779) | about 4 years ago | (#33611600)

Yeah, students with no real-world big project experience should all just get jobs with large companies and stop trying to be innovative until they've spent a few years updating comments and doing bugfixes in other people's code.

After all, no one has ever gotten ahead in computers by jumping into a huge project they had no experience in while they were young. They need to wait until they're in their 40's so they have enough experience and then start a small project.

Security problems in pre-Alpha code? The whole project is obviously a failure and should be abandoned. What idiots they are for trying!

Re:After how long? (0)

Anonymous Coward | about 4 years ago | (#33611692)

GP was in no way intended to imply that it should be abandoned, merely that it should come as absolutely no shock to anyone that something big and complex, executed by amateurs, when released as a pre-alpha, would contain not only a few bugs, but numerous showstopper security flaws.

Personally, I would expect it to be a gigantic mess— but a fixable one. This is a learning process, and I hope those involved keep at it.

Re:After how long? (1)

Kjella (173770) | about 4 years ago | (#33610768)

The time when you did security by making sure you've dotted all the i's and crossed all the t's should be long over. Anything built now should have some clear security layers that prevent input validation attacks, cross-site scripting attacks, database injection attacks and so on. The application may be unfinished, but most of those errors sound like it'll be a steaming pile when it's done too.

Re:After how long? (4, Interesting)

truthsearch (249536) | about 4 years ago | (#33610852)

It looks like they've only focused on the front end so far. I was expecting an architectural prototype with a thin front end (in which case security should be baked in from the start). Instead they've only focused on the user interface, which pretty much makes this project pointless so far.

Re:After how long? (4, Interesting)

EggyToast (858951) | about 4 years ago | (#33611006)

Yeah, they've only focused on the "fun stuff." Or rather, it sounds more like their purpose was "Facebook's so annoying to use. Let's make one that works like we want!" without really caring about the backend stuff. Maybe they assume that the "open source community" will do all the backend stuff for them -- even though they're the ones getting paid?

Re:After how long? (1)

randomencounter (653994) | about 4 years ago | (#33611414)

Don't diss the interface.

The open source landscape is littered with elegant backends with totally unusable interfaces, a good interface is not a trivial exercise.

They did a solid start on the part that they had talent and interest for, then went to the community. I'd say that they are doing it right.

Re:After how long? (5, Insightful)

Sarten-X (1102295) | about 4 years ago | (#33611046)

Not if it's anything like every big project I've worked on.

First, projects go through a phase of "how can we do this" where various components are mashed together with the expectation that things will work later. That's a good thing to do while gathering initial funding.

Then they go through the phase of "we can do this" where some parts of the project work, but most is broken.

That's followed by the "demonstration" phase, where things work under perfect circumstances. That seems to be where Diaspora is at now.

Next is the "we can do this well" phase, where the once-connected components are split up and divided into their appropriate layers and security is locked down, now that there's a clear idea of what the security model must support.

Finally is the "continued development" phase, where the project is stable enough that new components don't need major changes to security, and extra features can be added.

I've had a few projects that started with the frameworks and various layers of abstraction, and they've invariably failed after many refactorings and revisions. Heck, one project I worked on was a web-based game engine, which turned into a giant security model, and finally died without a single line of actual game code written. It took eight months to fail miserably. Projects change, and requirements change. Going into a security model too early can be worse than not having one.

Re:After how long? (1, Insightful)

Anonymous Coward | about 4 years ago | (#33611062)

So many rookie security bugs in pre-alpha software mean something very significant for the project.

Pre-alpha (2, Informative)

mseidl (828824) | about 4 years ago | (#33610676)

zomg! Pre-alpha! This thing is sure to be a failure!

Re:Pre-alpha (1)

AnonymousClown (1788472) | about 4 years ago | (#33610792)

zomg! Pre-alpha! This thing is sure to be a failure!

I think it will - Facebook has the market locked up.

I may be wrong, and I usually am, but Diaspora has no chance.

Re:Pre-alpha (1)

somersault (912633) | about 4 years ago | (#33611060)

I may be wrong, and I usually am, but Diaspora has no chance.

If you usually are wrong, then it's probably that they have a chance here!

Facebook is the big player right now, but that doesn't mean it's going to be the leader forever. You can easily be a member of more than one social networking site at a time, and all it takes is for a site to come along with a cooler interface or set of features, a few people to move to it, their friends join too, then their friends, etc, and eventually everyone could end up on the new site and FB slowly dies. It's already happened with MySpace-->Facebook, hasn't it?

Good thing it's free... (4, Insightful)

metamechanical (545566) | about 4 years ago | (#33610708)

Okay, I have no horse in this race, as I only have a passing interest in online social networks (enough to read the article, but not enough to join one), so I am not very passionate about this news in one way or another, but...

Isn't that why it's called pre-Alpha software?? I mean, bugs happen. In open architectures, you fix them. If this were a closed software project, you wouldn't even know about them. If there were endemic, critical flaws inherent in their underlying assumptions going into this project, then that would be news, but "oversold Alpha software contains bugs!!!" is hardly worth noting. Being free software, many eyes will ensure that the Beta version is better, presumably.

Re:Good thing it's free... (1, Insightful)

Lunix Nutcase (1092239) | about 4 years ago | (#33610742)

If this were a closed software project, you wouldn't even know about them.

If this were true, no independent researchers would ever be able to find security holes in things like Windows or Adobe products. Having access to source code is a nicety, but the vast majority of security holes aren't found by staring at source code; they're found by poking around at the binary.

Re:Good thing it's free... (4, Informative)

metamechanical (545566) | about 4 years ago | (#33610876)

That's a fantastic point. I should have been more specific - what I meant was the only reason security concerns and bugs are being found out in a pre-alpha is that it is open. It is exceedingly rare that a closed piece of software releases a pre-alpha for general review (and hence, you wouldn't have ever even known about them). In more mature released closed software, though, you're right that my point holds no water.

Re:Good thing it's free... (2, Insightful)

nine-times (778537) | about 4 years ago | (#33610898)

I think the point was that, if this were a closed project, no one would have access to anything yet, not the source, not the binary, nothing.

This was not intended to be a secure release or a complete release. This was the first release of an open source project, just to say "here, we have something, so let's get started." If you expected to be rolling your own diaspora server right now, then you really didn't understand what was going on.

Re:Good thing it's free... (1)

shish (588640) | about 4 years ago | (#33611002)

This was not intended to be a secure release or a complete release

An empty project has no features, and the desired result is lots of features, so having half the features at the halfway point is expected; but an empty project has no security holes, and the desired result is no security holes, so if there is a hole at the halfway point then something has gone wrong.

Re:Good thing it's free... (1)

mwvdlee (775178) | about 4 years ago | (#33611242)

If I bring my car to the garage to have the tires changed, it starts with four tires and the desired result is four tires. If somewhere halfway it does not have four tires, has something gone wrong or were they just actively working on it?

If you tell me you've ever started a software project that DIDN'T have any security issues halfway, then you lie.

Re:Good thing it's free... (3, Insightful)

Monchanger (637670) | about 4 years ago | (#33611356)

If you expected to be rolling your own diaspora server right now, then you really didn't understand what was going on

Exactly. Like much of the dumbed-down "news" we're subjected to, this is just a little more sensational nonsense.

Breaking news! Infants can't grasp quantum physics. Are they stupid? You decide!

The little coverage I've seen sticks strictly to usability ("aspects" and this very early revision of the UI). If that's all they built, I wouldn't bother criticizing the more difficult areas of security, scalability and reliability (that's not to say one shouldn't report bugs). Since hearing of the project I've assumed that these problems may be something these kids are looking for others to pitch in on. Releasing the code isn't a bad way to get other people to start working, and as we've seen that actually worked out well, significantly multiplying the number of contributors to the project.

Diaspora, done right, is not a weekend project. Doesn't help that these naysayers are too immature to seek positive reinforcement.

Re:Good thing it's free... (0)

AnonymousClown (1788472) | about 4 years ago | (#33610746)

Okay, I have no horse in this race, as I only have a passing interest in online social networks (enough to read the article, but not enough to join one), so I am not very passionate about this news in one way or another, but...

Dude! Are you that paranoid about being labeled a "fanboy"?

Re:Good thing it's free... (2, Informative)

metamechanical (545566) | about 4 years ago | (#33610810)

Biases and accusations of bias run rampant on slashdot. So yes, I was trying to avoid just that. I've followed them mostly because I found their way of getting funding novel, and have been curious how it would pan out in the end.

Re:Good thing it's free... (1)

alen (225700) | about 4 years ago | (#33610782)

and by that time facebook will add some more features and get up to a billion registered users

Re:Good thing it's free... (2, Insightful)

Spansh (219937) | about 4 years ago | (#33611238)

The problem about this is that many of those types of flaws have been well known about and well publicised for many years now (and many high profile sites have had widely publicised exploits because of them).

However, there are now many standard practices which seasoned/experienced programmers/developers/system designers use to mitigate most of those issues (Hell, whilst I may have some issues with Ruby on Rails, with the current release I believe you'd have to explicitly allow unescaped HTML into your pages).

Anyone who has been developing any web applications for any decent length of time should be treating security (XSS, SQL Injection, Request Forgery etc) as a matter of principle, because it's much harder to retrofit security once you're finished. So that their source has so many holes in it does not bode well for any underlying protocol; they are not approaching the project with security in mind at all (and it may seem that they are not experienced enough yet to approach it so). This would be fine if it were just your average open source project; however, it's not. They have been donated some $200,000 with which to develop it, and the benefit that could be gained from it is immeasurable. If the code they write is full of flaws, you can probably expect the protocol to have issues as well.

As has been suggested, the very first thing they should have done is come up with the protocol/data schema/api with which the sites would communicate. This would include allowing extensions/non-base data, as if there isn't a standard way of doing this then many of the various companies who run the servers will attempt to extend them (à la Microsoft) to get their own kind of vendor lock-in (the best way would probably be something similar to the RSS v2.0 modules via namespaces, though I haven't spent too much time thinking about it).
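Two of the flaws the thread keeps returning to are the authorization gap gilesjuk describes ("anyone using the site can do anything they like to someone else's profile") and the output escaping Spansh mentions above (Rails escaping HTML unless you explicitly allow it through). The following is an added example, not code from Diaspora or from any commenter, written in plain Ruby so it runs without Rails: an in-memory profile store stands in for the database, `update_profile_unchecked` reproduces the missing-ownership-check pattern, and `update_profile` shows the defensive version, with `ERB::Util.html_escape` from the standard library used at render time. The profile records and user ids are constructed for the demonstration.

```ruby
require "erb" # ERB::Util.html_escape ships with Ruby's standard library

# Constructed stand-in for the database: profile id => record.
Profile = Struct.new(:owner_id, :bio)

def sample_store
  { 1 => Profile.new(1, "first user"), 2 => Profile.new(2, "second user") }
end

class NotAuthorized < StandardError; end

# The weak pattern: the handler looks the record up by the id supplied in the
# request and never asks whether the requester owns it. Any authenticated user
# can therefore rewrite any profile just by choosing a different id.
def update_profile_unchecked(store, _requester_id, profile_id, new_bio)
  profile = store.fetch(profile_id)
  profile.bio = new_bio
  profile
end

# The hardened pattern: treat ownership as part of the lookup. A profile that
# is not owned by the requester is handled exactly like one that does not
# exist, so the caller learns nothing about other users' records.
def update_profile(store, requester_id, profile_id, new_bio)
  profile = store[profile_id]
  if profile.nil? || profile.owner_id != requester_id
    raise NotAuthorized, "user #{requester_id} may not edit profile #{profile_id}"
  end
  profile.bio = new_bio
  profile
end

# Escape at output time, not at storage time: the stored value stays intact
# and every rendering path applies the same encoding for <, >, &, " and '.
def render_bio(profile)
  ERB::Util.html_escape(profile.bio)
end

if __FILE__ == $0
  store = sample_store
  # User 1 overwrites user 2's profile through the unchecked handler.
  update_profile_unchecked(store, 1, 2, "overwritten by user 1")
  puts "unchecked: profile 2 is now #{store[2].bio.inspect}"

  # The same request is refused by the hardened handler.
  begin
    update_profile(store, 1, 2, "overwritten again")
  rescue NotAuthorized => e
    puts "checked:   #{e.message}"
  end

  # A bio containing markup is rendered as text.
  puts "rendered:  #{render_bio(Profile.new(2, "<b>hi</b> & bye"))}"
end
```

The ownership test sits inside the lookup rather than as a separate "is admin or owner" branch afterwards, because a check that comes after the fetch is the one that tends to be forgotten when a new handler is copied from an old one.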

Protocol, not code (5, Interesting)

ath1901 (1570281) | about 4 years ago | (#33610714)

I'm more interested in the protocol than the code. If the protocol is vulnerable to attacks/fraud then it is a show stopper.

If the ruby-web-stuff-code contains bugs and security holes, I'll just write my own (read: wait for someone else to do it).

I couldn't find any relevant info about the protocol in TFA. Am I missing something?

Re:Protocol, not code (1)

truthsearch (249536) | about 4 years ago | (#33610892)

It doesn't look like they started out by documenting any new protocols (which is probably what I would have worked on first if this were my project). From the code it appears they've mostly focused on the user interface.

They also could leverage something like XMPP.

Diaspora marketing (3, Insightful)

jdfox (74524) | about 4 years ago | (#33610780)

I don't understand why Diaspora has had saturation coverage in the mainstream press (and pretty heavy coverage here [slashdot.org], for that matter) before it even went alpha, but identi.ca gets so little.

Re:Diaspora marketing (0)

Anonymous Coward | about 4 years ago | (#33610918)

You said it yourself: Diaspora marketing. Does identi.ca do any marketing?

Re:Diaspora marketing (0)

Anonymous Coward | about 4 years ago | (#33611478)

because identi.ca is grass roots, not astro-turf?

Re:Diaspora marketing (1)

GreatBunzinni (642500) | about 4 years ago | (#33611482)

If I'm not mistaken, identi.ca is a microblogging platform, not a full-blown social networking platform. So, while Diaspora goes directly against the main area of investment where major multinational corporations are heavily dedicated, which has a profound impact on humanity's views on fundamental rights such as the right to privacy, identi.ca is designed to only offer a very specific and limited service which is currently seen as a novelty. To put it in other terms, while Facebook alone racks up about 800 million dollars annually and MySpace racks in around 400 million dollars annually, Twitter only manages to get a comparatively meagre million or so.

So, it is quite natural that people pay much more attention to the next Facebook/myspace/whatever killer, which is currently where the big money is at.

Re:Diaspora marketing (1)

ihatejobs (1765190) | about 4 years ago | (#33611638)

What is identi.ca?

I think that should answer your question.

Why is there so much bad press at the moment. (1)

He who knows (1376995) | about 4 years ago | (#33610806)

Many people are reporting that it doesn't do what they want and is missing lots of functions that it needs, as well as all the security vulnerabilities. Of course lots will be missing; this is a very early release. If you want to judge it, at least wait till the first consumer release in October.

Re:Why is there so much bad press at the moment. (1)

Lunix Nutcase (1092239) | about 4 years ago | (#33610844)

It's being judged so harshly probably due to all the hype about how it's going to be unseating Facebook, etc. If you are going to hype yourself that much, any misstep is going to be hounded on mercilessly.

Re:Why is there so much bad press at the moment. (0)

Anonymous Coward | about 4 years ago | (#33610962)

I think it's being judged harshly because the bugs are naive, mostly covered by a not-so-advanced book like "19 deadly sins of software security".

Re:Why is there so much bad press at the moment. (2)

MonsterTrimble (1205334) | about 4 years ago | (#33611020)

What worries me is that, from the sounds of it, there is so much wrong that they will miss their deadline of the October launch if they do it right and address the show stoppers before release (Ubuntu-itis perhaps?). If they make the deadline and it sucks, it will fail. If they miss the deadline by a couple of months or more, the hype will be gone and Diaspora will be tossed aside.

I honestly hope they succeed. I use facebook and I like it, however the endless amount of drivel I see (and have to ignore) plus all the security changes and stuff means the clock is ticking on the site before the mass exodus begins. I have high hopes for Diaspora because it's open source and not centralized, and I hope it hits before the next awesome social networking site pops up and takes the glory.

Horse before cart (4, Insightful)

drewhk (1744562) | about 4 years ago | (#33610866)

Again, a project that was way overhyped before any code became available.

Re:Horse before cart (1)

drewhk (1744562) | about 4 years ago | (#33610888)

Of course cart before the horse. Whatever.

Re:Horse before cart (1)

CannonballHead (842625) | about 4 years ago | (#33611286)

hehe, yeah I hate it when the horse gets in front of my cart. :P :)

Good idea to release the code (1)

BobsPlumbers (1903128) | about 4 years ago | (#33610882)

Sure, there may be some sniggering going on when we look over the code, but these guys have taken the necessary steps to start something which hopefully will become huge for them. I know if it is within my power to point out some helpful hints and tips I will, and I would encourage everyone else to do the same. Best of luck to all on the team! The journey of a thousand miles begins with a single step, and whilst your first step may be shaky, in this case you have the support of the development community to help you stay afloat. Bobs Belfast Plumbers [bobsplumbers.com]

This shouldn't be looked upon as a 'bad thing'... (4, Insightful)

antiparadigm (544353) | about 4 years ago | (#33610884)

Yes, I understand that any security vulnerability is a bad thing. In that merit this is a bad thing. BUT...

These are people fresh out of college, and haven't gotten a lot of real world experience. I, myself, am only out of college by a year and a half. The first year was spent as a sys admin, but the past 6 as a developer. They have probably heard of some types of attacks, but are unfamiliar with details. Others, if they are like me, they haven't even thought of. All of this comes from being "in the trade".

This is why Open Source is good. It can rapidly increase a programmer's competency if they get constructive criticism. It sounds like they are getting plenty of that, but the article kinda makes it sound like they should know all this.

I, for one, am glad they are doing this, and that they have decided to release some code early for review. Not only will it allow bugs to be fixed early, but it will also give them lessons for future use.

Re:This shouldn't be looked upon as a 'bad thing'. (0, Flamebait)

Lunix Nutcase (1092239) | about 4 years ago | (#33610928)

These are people fresh out of college, and haven't gotten a lot of real world experience.

So these are the people we should be trusting to make a highly secure network protocol and implementation? Really?

Re:This shouldn't be looked upon as a 'bad thing'. (3, Insightful)

antiparadigm (544353) | about 4 years ago | (#33611196)

My point is, they obviously knew they were inexperienced and that the code would have numerous problems. That's why the article said only the die-hard fans with blinders on would try to set this up and be subject to the security holes.

What I'm trying to say in my post is that since they knew there were problems, they went ahead and released the code so others can look. This is one of the great strengths of open source. If you know you have problems in your code, you can release it and have others look over it and provide insights into what you are or are not doing correctly.

Should inexperienced people be trusted to create a highly secure network protocol and implementation? No. Not even remotely. BUT they took it upon themselves to get the process started. Once they felt they had something worth others looking at, they released the code, and professionals with more experience provided feedback.

Re:This shouldn't be looked upon as a 'bad thing'. (0)

Anonymous Coward | about 4 years ago | (#33611214)

Good thing the world took the same attitude about those kooks Gates, Jobs, and Torvalds.

Re:This shouldn't be looked upon as a 'bad thing'. (1)

Lunix Nutcase (1092239) | about 4 years ago | (#33611606)

Jobs never was a programmer. Torvalds had help from other experienced programmers and Gates didn't single-handedly write all the software Microsoft put out and also hired experienced programmers. So I'm failing to see what analogous situation you are trying to build.

Re:This shouldn't be looked upon as a 'bad thing'. (1)

cparker15 (779546) | about 4 years ago | (#33611666)

Can you do better? If so, are you going to be contributing to the project?

Symptom of a closed development model (2, Insightful)

seandiggity (992657) | about 4 years ago | (#33611072)

I respect what's been done so far with Diaspora, but for all the hype and money poured into this project, this is a bit embarrassing. To me, it looks like a byproduct of a closed development model with a small team...I'm glad there can be community participation on the project now but I don't understand why the community wasn't involved in the beginning.

Re:Symptom of a closed development model (1)

CannonballHead (842625) | about 4 years ago | (#33611310)

I can't think of any open source project where it was completely community designed/programmed from the beginning. Most communities don't care enough to do that, bicker too much to do that, would have way too many different ideas to do that, etc.

I can be corrected, of course... but aren't most open-source projects started with just a couple people?

This isn't a symptom of closed or open development model. This is a symptom of young, inexperienced programmers who, frankly, it seems don't really even care about the security holes as much. Sounds kinda like Facebook?

Shocking, I know, but most young people don't care about security or privacy holes. Until something bad happens, of course.

Maybe the "community" could have helped, but I didn't see any highly experienced and wise open source programmers begging to spend their time (for free) programming this... I'd assume most of them have other things on their list of things to do, and an even longer list of things they want to do eventually. Diaspora, a Facebook-ish application that appeals to young people, probably isn't high on either of those lists :)

but how useful will it be? (0)

Anonymous Coward | about 4 years ago | (#33611108)

But will I still be able to play Bejeweled?

Questioning the Whole Concept (2, Insightful)

am 2k (217885) | about 4 years ago | (#33611110)

So, they started from scratch whipping up a solution that's potentially huge, with programmers that apparently aren't that experienced.

I question how intelligent this approach really is.

My solution would have been: Take a standard XMPP server, use its capabilities in the area of code stability, pubsub technology, server-to-server communication and properly documented communications protocol (as an RFC), and just write a javascript-based client (based on jQuery and strophe.js for example) that uses it. Any common server like ejabberd would be perfectly able to handle the stuff they need, no server-side coding required at all. As a bonus, the code has already been tested for security and has fewer bugs due to being out in the open for much longer.

Additionally, it would be trivial to have competing implementations. They already exist.

Re:Questioning the Whole Concept (1)

gVibe (997166) | about 4 years ago | (#33611166)

Dude...they aren't making an Instant Messenger client. They are making a Facebook killer, social networking website. XMPP and eJabberd are both chat protocols. Maybe you should brush up on just what this Diaspora is all about before you comment.

Re:Questioning the Whole Concept (2, Informative)

am 2k (217885) | about 4 years ago | (#33611302)

If you think XMPP is only about instant messaging, you haven't looked into the protocol at all. I'm actually on facebook, so I know very well what's required for a direct competitor.

Here, let me help you with the spec on pubsub via XMPP [xmpp.org].

In other words: Maybe you should brush up on just what this XMPP is all about before you comment.

Re:Questioning the Whole Concept (0)

Anonymous Coward | about 4 years ago | (#33611330)

http://onesocialweb.org/

What did people expect? And it *does* matter. (1, Insightful)

Anonymous Coward | about 4 years ago | (#33611142)

It is a web service created by a bunch of kids still in school. Unless they have been doing professional web design and service coding since they were 12 then I don't see why this would turn out any better than the internal web service I let the interns learn on.

Security, scalability, and maintenance concerns at the start of a project are a big deal. These are all foundations of a computer system that you cannot change or fix later without basically doing a complete rewrite.

Oh come on... (2, Insightful)

bigpistol (1311191) | about 4 years ago | (#33611212)

BURN THE WITCHES

Version 0.0.0.0.1 of something more complicated than "Hello world" released along with huge warnings that it is not ready for production and people are shooting the entire project down. It has had 4 people working on it, now they've stuck to their word and opened it at the time they said they would. Why is this news surprising or bad? Why is it even news?? People have found gaping holes, said people will close gaping holes - that was the whole point of it being open wasn't it?

“If you've been on the Diaspora mailing list, there are people who are clearly not security professionals who are asking each other, 'OK, what do I need to do to get this running because I hate being on Facebook,'” he said. “They are going to get burned in a very serious manner very, very quickly if they actually succeed in doing what they're trying to do.”

(screams into pillow)

Re:Oh come on... (1)

Chang (2714) | about 4 years ago | (#33611408)

There is something to be said for wasting the summer and wasting the enthusiasm. Had they opened it from start it might have turned out differently.

Of course, it also might have turned into design by committee marathon flame war. We'll never know.

What is readily apparent to me after getting a seed up and running this week is that these guys are not the web devs to lead this effort. I predict another effort will pick up steam. Maybe GNU social, although that's in a pretty bad alpha state right now also.

The protocol is the key right now - the front end will sell this thing eventually but if the protocol sucks it will never go anywhere.

Diaspora, have you stopped beating your wife yet? (0)

Anonymous Coward | about 4 years ago | (#33611226)

Seriously, all of this hullabaloo is astro-turfed FUD. Inside of a year Diaspora will be the most secure social network there is, and will end up providing a nucleus for a tremendous number of AGPL cloud services, from webmail to upper body strength increase.

Call me old-fashioned... (3, Insightful)

pedantic bore (740196) | about 4 years ago | (#33611240)

... but after skimming through the code, I'm not terribly surprised to hear that it has issues, because there are virtually no comments or design docs.

Each one of the coders probably thinks the other coders are responsible for security, because nobody knows exactly what the other modules actually do. It's not written down anywhere.

To be fair, this isn't the only system I've seen like this... and kudos to the team for sticking their code out where everyone can see it. I'm sure that there are similar problems in many widely-used systems, but since they're closed source, we can only guess about the details.

But how does it compare with the alternatives? (3, Funny)

Linux_ho (205887) | about 4 years ago | (#33611334)

The release of pre-alpha source code for their Diaspora social Website was only a few hours old on Wednesday when hackers began identifying flaws they said could seriously compromise the security of those who used it. Among other things, the mistakes make it possible to hijack accounts, friend users without their permission, and delete their photos.

"The bottom line is currently there is nothing that you cannot do to someone's Diaspora account, absolutely nothing," said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.

So in other words, yes, it's a little bit worse than Facebook at this point.

The fact that it gets coverage (0)

Anonymous Coward | about 4 years ago | (#33611378)

says a lot about how pissed off such a large majority of people are with Facebook. People want it to succeed because they are tired of dealing with Facebook changing privacy pretty overwhelmingly without much notice or instruction guides and exposing your data more often than most on /. change underwear.

I've been a Facebook user since the first year it rolled out at my college in 2K4 and it just sucks ass now. The fact that if you want to share info with your friends about what bands you like or interests, they are now Pages with no way to hide them from anyone who sees your profile is "gayer than all the guys in the pile". If Diaspora takes these suggestions, keeps up the hard work and makes a good product with a few bugs that has regular patches, I will drop Facebook like a rock.

Why Would You "Roll" off a Developer Release??? (3, Insightful)

ideonexus (1257332) | about 4 years ago | (#33611410)

"...issues that make it hard to recommend that you roll your own Diaspora server just yet."

Umm... Am I missing something here? Why would you set up your own Diaspora server using a Developer's Release? It's in development, as in not ready for prime time yet. There might be too many security issues for it to go live in October, as is scheduled, but if the open source community gets behind the project, that could easily be overcome.

Unfortunately, this seems to be the catch-22 of many open source start-ups: You need outside developers to help you work out the bugs in your software, but when you publish your development software, everyone beats you up for all the bugs they find in it.

Stop criticizing and start coding.

This report brought to you by... (0)

mdm-adph (1030332) | about 4 years ago | (#33611452)

Facebook, LLC.

Open Source Best Practices (2, Insightful)

Bob9113 (14996) | about 4 years ago | (#33611454)

It is excellent that security analysts have taken the time to investigate this code base. I think Eben Moglen made a very strong case for the value of this project, and the voluntary efforts by global security researchers is extremely valuable to the long-term health of Diaspora. Getting security people involved early is a Very Good Thing.

issues which make it hard to recommend that you roll your own Diaspora server just yet

Well, yeah. It is brand new pre-alpha code from a small team. If you are going to run brand new pre-alpha code from a small team on a network connected computer, it would be best to know about things like tripwire, process monitoring, traffic monitoring, and chroot, just for starters. You should probably be running it, if anywhere, on a sacrificial box that you can kill remotely. If you are considering running highly experimental code, you should either know how to handle it or know your limitations (I know I don't know enough to run this code in the wild).

Some products, like OpenBSD, start with high security as job one. Perhaps such projects can be somewhat trusted in their early state (though they will likely be deficient in other important areas). Others start with other prime motives, and should not be so trusted in the early days. The key value of Open Source is not that it is perfect in all critical areas on the first day of publication. It is that it can be collectively enhanced to become very strong in all areas over time. The first step in that process is publishing the broken stuff so the global system of experts can get together for a barn raising.

In short, this is exactly how it should work. This is not a sign of weakness but a significant step forward on the Open Source best practices road.

It's got potential (2, Interesting)

Ancalimar (920912) | about 4 years ago | (#33611516)

I admit that I haven't read through the code, and I am not a programmer. But it seems to me that if this can be hosted and run by individual institutions, it could have a fairly large impact in higher education in the next few years. Employees could use this like intranet-lite, and alumni and students could use this the way Facebook was originally used -- a social network for the school itself. The only difference is that it could provide very useful data directly to the school instead of an individual. I've also read a lot of complaints about how the project focused first on user interface instead of back-end programming. Isn't that similar to how Facebook itself started? I don't think there were a bunch of new protocols declared for the "Face book" launch.

How to clean up the code (2, Funny)

killmenow (184444) | about 4 years ago | (#33611556)

The Diaspora guys should hire Austin Heap.