
Security Lessons Learned From the Diaspora Launch

kdawson posted about 4 years ago | from the off-the-rails dept.

Open Source

patio11 writes "Diaspora, the privacy-respecting OSS social network, did a code release last week. Attention immediately focused on security. In fact the code base included several severe security bugs. This post walks through the code, showing what went wrong, and what it would let an attacker do to someone who was using Diaspora." The developer who wrote the post ends with: "You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora’s banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I’d be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed."


Security (4, Informative)

Anonymous Coward | about 4 years ago | (#33676232)

Because of course, obscurity is proper security.

Re:Security (2, Insightful)

spleen_blender (949762) | about 4 years ago | (#33676266)

Those words have meaning. Specific meaning, in fact. And they in no way apply to this topic.

Re:Security (1)

jimwelch (309748) | about 4 years ago | (#33676308)

I think the AC forgot the sarcasm tags

Re:Security (1)

MozeeToby (1163751) | about 4 years ago | (#33676712)

No, even with sarcasm the AC still has the meaning wrong. The phrase "Security through obscurity" doesn't refer to closed source code, and it doesn't refer to not disclosing known flaws. It refers, exclusively, to things like 'no one will ever go to www.example.com/admin so there's no need to require credentials on the admin page'. Or 'no one will ever try to randomly telnet into port 6424, we'll output all the debug stuff there'. Or 'no one will ever try to call this unpublished function'.

Re:Security (1)

jimwelch (309748) | about 4 years ago | (#33676858)

I guess you are better at reading a mind than I am.
This is why lawyers are so long winded, even the honest ones.
Too few words, have too many meanings.
Yours are more robust, and have more specific meanings.
Only the AC knows what the true intention was. i.e., closed source vs "back doors"
Yours reminds me of DVD Easter eggs.

Re:Security (1)

mark72005 (1233572) | about 4 years ago | (#33676276)

I am curious to see if the OSS model will be able to bring something up to speed quickly that was unacceptable when unveiled.

I have to say I expected a better review of the first product given the "more eyeballs" theory.

Re:Security (2, Interesting)

Daengbo (523424) | about 4 years ago | (#33676632)

I read TFA (I know ...) and comments and many of the issues mentioned are addressable within Rails generally so I don't think that saying the project has no chance is fair to either the developers or to the OSS devs the author besmirches. That said, I have never been very pro-Diaspora and didn't expect anything secure or even really working in the first release from that team: they're just a bunch of college kids with little experience on summer break, after all.

I still think that extending XMPP is the way to go -- there's no need to reinvent the wheel and XMPP has had time to work the security issues out already and has quite a few implementations available. Check http://onesocialweb.org/ [onesocialweb.org] . The code has been available since Diaspora was announced and is developing quickly. XMPP with extensions has the benefit of having several large IM networks already in service that could simply move to the newer protocol. If Yahoo!, MSN, Baidu, and GTalk all went that way, Facebook would have to fall in line and update its XMPP, too.

Re:Security (1)

arndawg (1468629) | about 4 years ago | (#33676910)

You mean like passwords?

Let's give it more than a few hours ... (1, Insightful)

Anonymous Coward | about 4 years ago | (#33676238)

I think the hysterical jeremiads are a little overdone.

Give it a couple of months and get back to me. I expect production deployments to be fairly reasonable in terms of security.

Re:Let's give it more than a few hours ... (1)

rjstanford (69735) | about 4 years ago | (#33676400)

This would be true if (and only if) the whole point of Diaspora wasn't to improve the security of your data. Seriously, that's the only significant quoted feature. And they didn't get that part close to right before launching? C'mon...

Re:Let's give it more than a few hours ... (4, Insightful)

shadowrat (1069614) | about 4 years ago | (#33676448)

it didn't "launch". as i understand it, they released some kind of alpha. I know i've worked for many managers who have this weird idea that software should be perfect before it's even done, but i didn't expect so many people in this community to hold that ideal.

Re:Let's give it more than a few hours ... (2, Insightful)

luis_a_espinal (1810296) | about 4 years ago | (#33676882)

it didn't "launch". as i understand it, they released some kind of alpha. I know i've worked for many managers who have this weird idea that software should be perfect before it's even done, but i didn't expect so many people in this community to hold that ideal.

There is a difference between perfect and free of fundamental errors in numbers so large that their correction became problematic if not resource-infeasible. There seem to be engineers who failed to understand this particular tenet (usually blaming managers as the ones who "never get it".)

Re:Let's give it more than a few hours ... (1)

natehoy (1608657) | about 4 years ago | (#33676816)

This would be true if (and only if) the whole point of Diaspora wasn't to improve the security of your data.

And, as I understand it, it still is. By providing a different foundation than a single privately-held company in possession of complete and unfettered access to all of that data. The concept may (or may not) still be valid now that it's been described by throwing out a demo framework that obviously still needs a lot of work.

And they didn't get that part close to right before launching?

If you can see into the future, can I get a few stock quotes from a year from now, please? Diaspora hasn't launched.

They released some code for public review. The codebase is full of holes and flaws, about like you'd expect any college student to put out.

If there's any interest, then a bunch of OSS geeks will get behind it, probably throw out or at least significantly rewrite all the code Diaspora has put out, and release something that may or may not be useful.

I hear Office 2025 really sucks, too. Care to comment?

...huh? (3, Insightful)

Pojut (1027544) | about 4 years ago | (#33676244)

Because if Diaspora is dependent on the OSS community their users are screwed.

Isn't that a bit like saying "if getting this building completed is dependent on construction workers, we're screwed"? Why would you make such a disparaging remark about the very people that will be keeping this thing going?

Re:...huh? (3, Informative)

hedwards (940851) | about 4 years ago | (#33676270)

Isn't that a bit like saying "if getting this building completed is dependent on volunteer construction workers, we're screwed"?

FTFY

Re:...huh? (3, Interesting)

MozeeToby (1163751) | about 4 years ago | (#33676434)

Yeah, volunteers have never [wikipedia.org] put up a building before.

Re:...huh? (1, Funny)

Anonymous Coward | about 4 years ago | (#33676664)

Extreme Makeover Home Edition too

Re:...huh? (0)

Anonymous Coward | about 4 years ago | (#33676746)

This is a great example. Volunteers are used to do the simple stuff that can be completed with minimal training. However, the critical components (foundation, electrical, plumbing, etc.) are done by professionals.

Re:...huh? (2, Informative)

MozeeToby (1163751) | about 4 years ago | (#33676866)

However, the critical components (foundation, electrical, plumbing, etc.) are done by professionals.

It is a great example because those professionals are quite often working on volunteer time themselves. Just like how a lot of OSS projects are contributed to by amateurs and students, but often the deeper, more advanced work is done by professional coders and designers.

Re:...huh? (4, Informative)

jridley (9305) | about 4 years ago | (#33676848)

I work HfH construction once in a while. They hire professionals to do the important bits and the large stuff; excavating, pouring the foundation, wiring, plumbing, and often the finish carpentry. If you happen to have someone relatively skilled there, they may assist the pros; I've helped with all; wiring, plumbing, finish carpentry. But you don't let someone who is enthusiastic but doesn't know what they're doing do finish carpentry, they'll probably just wind up wrecking a lot of material. And if you let them do plumbing in an area where code requires copper pipe, you'll probably wind up with a mess that will take a pro 3 times longer to fix than if he'd just done it himself to start with.

I think the latter may be the case when it comes to this project. I really, really hope this project comes together, but as a programmer I fear that if they've built this thing from the ground up without a good basic understanding of web security, the thing may have to be gutted and rewritten to get to where it needs to be.

Lots of people can write web apps. Heck, I pretty much write web apps all day long, but I write them for intranet use, they're not accessible to the internet at large. If my stuff had to be hardened against the kind of general attack Diaspora is going to have to endure, I'd have to learn a lot more than I know now.

Re:...huh? (1)

MachDelta (704883) | about 4 years ago | (#33676490)

Volunteer construction? Yeah, there's an app^h^h^h organization for that.
http://www.habitat.org/ [habitat.org]

Re:...huh? (2, Funny)

Anonymous Coward | about 4 years ago | (#33676528)

From what I heard, since they're not experts at cutting corners, they tend to actually put together sturdier constructions than the professionals.

Re:...huh? (1)

Goaway (82658) | about 4 years ago | (#33676298)

No, it is like saying that you are screwed if you have to rely on bystanders to come in and fix the work your construction workers did.

Re:...huh? (2, Insightful)

Java Pimp (98454) | about 4 years ago | (#33676604)

Provided those bystanders are also construction workers.

Re:...huh? (1)

natehoy (1608657) | about 4 years ago | (#33676884)

The Diaspora team are not the programming equivalent of construction workers. More like back-of-napkin architects. They dropped a codebase that describes an approach to social networking that may or may not have merit. The codebase was never intended to be compiled and implemented as-is, and anyone who has done so has acted incredibly foolishly.

So, if you want your analogy to hold, it's like relying on architects and construction workers to come in and build the house you described, and you've conveniently spray-painted the rough outline of the house on the ground and maybe started some of the digging with a shovel to maybe save them some time.

Re:...huh? (1)

TheSunborn (68004) | about 4 years ago | (#33676900)

Huh? They did collect money to make a working implementation. That was in fact their excuse for releasing software of this quality. (Our customers paid, and wanted something they could see/use).

Re:...huh? (4, Informative)

bigrockpeltr (1752472) | about 4 years ago | (#33676634)

The summary took the quote slightly out of context. what i understood from TFA is that they are screwed in terms of meeting their (one month?) deadline.

The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month.

wait a minute (1, Insightful)

Anonymous Coward | about 4 years ago | (#33676260)

and because you can see the code these bugs were found
imagine this being the Windows OS
you can't see it, it doesn't exist until... too late

YEAH, this developer that pointed it out PROVES OSS is a better way

Re:wait a minute (0)

Anonymous Coward | about 4 years ago | (#33676420)

YEAH, this developer that pointed it out PROVES OSS is a better way

Consider this:
1. Open project X has a code release. No one really cares yet to work on it
2. Users assemble, someone is curious how it works
3. User finds bug and can fix it, or abuse it
4. ...

It's a bit what you hope to get from it. I like the coding-faerie analogy a lot.

WTF? (4, Insightful)

berryjw (1071694) | about 4 years ago | (#33676288)

Um, and if a closed-source project were to receive the same level of public scrutiny, the users would be any less screwed?

Re:WTF? (2, Interesting)

Nick Fel (1320709) | about 4 years ago | (#33676716)

I guess because closed source projects generally DON'T receive public scrutiny? Without taking any stance on the open/closed debate, that's an undeniable risk of open source (along with the associated benefit that somebody might spot it and fix it, naturally).

Re:WTF? (5, Informative)

gazbo (517111) | about 4 years ago | (#33676802)

You've been taken in by Slashdot's trademark selective quoting. What was actually written was:

The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month. You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora's banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I'd be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed.

(my bold) So he's not actually saying anything bad at all about OSS; he's just saying that being OSS doesn't mean that they can magically gain experience (or experienced developers) and fix their entire codebase in a month. The notion that OSS development is to blame was purely down to Slashdot (or the submitter).

Re:WTF? (1)

Richard_at_work (517087) | about 4 years ago | (#33676844)

I don't think he's saying anything about closed source here - I think he's saying that there is a difference between the oft-touted open source community approach, and the Red Hat-style sponsored project with paid developers approach.

Axe job (2, Informative)

spleen_blender (949762) | about 4 years ago | (#33676312)

All the Diaspora hate coming from this PRE-ALPHA release of their source code seems so strangely out of place.
I mean, nothing seems to point to me that this is shill garbage coming from facebook, but the conceptual idea of Diaspora is sound and the code was released for the precise reason of improving it, as it has done. Yet all I've heard is some disproportionate vitriol against the project. It doesn't make sense.
And hell, the majority of the security issues found appear to be rather simple to fix. Just add authorization checks and use mongoDB stored procedures more frequently.

Re:Axe job (1, Informative)

rjstanford (69735) | about 4 years ago | (#33676408)

This would be true if (and only if) the whole point of Diaspora wasn't to improve the security of your data. Seriously, that's the only significant quoted feature. And they didn't get that part close to right before launching? C'mon...

Re:Axe job (2, Insightful)

WinterSolstice (223271) | about 4 years ago | (#33676432)

What "launching"? They aren't launched, they just had a public pre-alpha to invite people to come take a look and provide feedback.

If that *had* been a launch, you'd be right. I tested the pre-alpha, and I provided my feedback. Let's let them go fix it now and see if the beta is better.

Re:Axe job (0, Redundant)

siride (974284) | about 4 years ago | (#33676488)

Yeah, but his point is that this is *the* major feature of diaspora. How could it be missing from any release? It should be in there from the beginning, in the core architecture.

Re:Axe job (3, Insightful)

Evanisincontrol (830057) | about 4 years ago | (#33676714)

Yeah, but his point is that [security] is *the* major feature of diaspora. How could it be missing from any release? It should be in there from the beginning, in the core architecture.

You make it sound like security is just some on/off switch that they forgot to turn on before making the code publicly viewable. That's not how it works. There will always be security improvements to be made to anything, and even... *gasp*... bugs. Especially in a pre-alpha. (If you don't believe me, then show me a major piece of software that's never had a security patch released).

I mean, christ, the code isn't done! They were just making it viewable to the public so they could get suggestions for improvement. You know, open source and stuff?

Re:Axe job (1)

JorDan Clock (664877) | about 4 years ago | (#33676926)

For a feature like this, screwing it up is like putting in a cardboard basement and then trying to fix it after the house is done. The first functional release should have much better security in mind if anyone is going to take this seriously. These aren't edge cases. These aren't brute force attacks. These are very simple, very stupid mistakes. It is gladly asking for the user to authenticate themselves and then not check for authorization.
Diaspora was created because some group of paranoid guys thought Facebook knows too much and makes it too easy to get a hold of. But now they're putting together a system that might as well not ask for a password. You can't defend this. At all. It's sloppy beyond repair because now one of the most fundamental tenets of security is irreparably damaged: Trust. I won't trust Diaspora. I know anyone that cares about selectively spreading data won't use it.

Re:Axe job (3, Informative)

BlueKitties (1541613) | about 4 years ago | (#33676458)

It's supposed to make your data less completely-controlled by a single mega corporation. Security will be an issue no matter who controls the data, what matters here though is the gatekeeper.

Re:Axe job (1)

spleen_blender (949762) | about 4 years ago | (#33676502)

This is what I perceived as the point of the project too. I never expected this to be a hacker proof version of facebook, and that never seemed to me to be the PROBLEM with facebook.

The problem with facebook is how THEY use your data WITHOUT cracking a single thing.

Re:Axe job (5, Funny)

eln (21727) | about 4 years ago | (#33676520)

Exactly. It does exactly what it's supposed to do: Instead of having a single mega-corp have complete control of your data, it does completely the opposite and lets everyone in the world have complete control of your data! It truly is the anti-Facebook.

Re:Axe job (1)

MachDelta (704883) | about 4 years ago | (#33676524)

I think his point was that pre-alpha-release != launch.

Re:Axe job (1, Redundant)

jensend (71114) | about 4 years ago | (#33676538)

Uh- they haven't launched, and aren't launching for a good while yet. They just prefer to develop their code in an open fashion rather than "cathedral style." Sure, they could have just developed it in private until they felt it was "close to right"- and have lost many of the benefits of being an open-source project by doing so. Developing it in the open should result in a better codebase developed in less time.

Re:Axe job (2, Insightful)

Daengbo (523424) | about 4 years ago | (#33676794)

I am really on their side (and the side of all attempts at open social networking like XMPP's OneSocialWeb and Status.Net's OStatus), but they could have developed in the open from the beginning, and with the press they got, they would have had input on these problems when the code was in its infancy. It seems to me that the D team isn't open enough -- it's riding the fence and getting itself killed for the effort of doing so.

Re:Axe job (1)

spleen_blender (949762) | about 4 years ago | (#33676764)

Then start your own project. Because I see maybe one or two other projects trying to do what Diaspora is doing. Either help contribute and fix the code, start your own project, or stfu.

We need to get people free from the monitoring of facebook and this is in my opinion the best shot. If not just for the hype and catchy name. Those you can't change, the code you can, and quite easily. And the FOSS community will help keep it in check. So this criticism to me makes zero sense.

They tried, they aren't security pros clearly, it will be fixed, lessons will be learned, and it will grow in popularity hopefully.

Re:Axe job (5, Insightful)

Capt'n Hector (650760) | about 4 years ago | (#33676450)

It doesn't really matter that it's pre-alpha, or whatever designation you want to give it. A platform touted as being a secure replacement for facebook ought to consist of secure code from day 1. Security needs to be built into the bones of the program, and if you read the article, you'd see that the errors made were pretty egregious. Fact is, any programmer worth his or her salt would not have started out with code like this with a plan to fix it later in future releases, they'd get it right from the very beginning. That they made these mistakes so early on speaks wonders about how inexperienced these programmers were (and hopefully are no longer now that they've learned their lesson). I'm still rooting for Diaspora but am a little disappointed by this.

Re:Axe job (1, Redundant)

spleen_blender (949762) | about 4 years ago | (#33676560)

There is no Silver Bullet in coding. You can't get it right from the beginning always, and you shouldn't hinge success on that hope. The biggest benefit projects get from the FOSS community is that such silly security problems are easily spotted and fixed. If anything this gives me HOPE because it shows there is enough interest in the project that the code is being held to a solid standard. And thanks to that same community those standards will be met, maintained, and hopefully exceeded.

Re:Axe job (5, Insightful)

Abcd1234 (188840) | about 4 years ago | (#33676930)

There is no Silver Bullet in coding. You can't get it right from the beginning always...

Oh come *on*. The errors in this code were deeply fundamental, and patently obvious to anyone paying any attention. Not authorizing actions performed by authenticated users? Really?? Jesus christ, that's *basic*.

Sorry, no, what we're talking about, here, are fundamental flaws in their security architecture (or, more to the point, a complete lack of security architecture). And security architecture is something you *have* to get right up front (which is why good software architects cost a lot of money... it's necessary work, and hard to do well).

Re:Axe job (0)

Anonymous Coward | about 4 years ago | (#33676580)

It doesn't really matter that it's pre-alpha, or whatever designation you want to give it. A platform touted as being a secure replacement for facebook ought to consist of secure code from day 1. Security needs to be built into the bones of the program, and if you read the article, you'd see that the errors made were pretty egregious. Fact is, any programmer worth his or her salt would not have started out with code like this with a plan to fix it later in future releases, they'd get it right from the very beginning. That they made these mistakes so early on speaks wonders about how inexperienced these programmers were (and hopefully are no longer now that they've learned their lesson). I'm still rooting for Diaspora but am a little disappointed by this.

Yep, that's true. I was just going to start a quick project, but I couldn't get past this:

#include

So I gave up.

Re:Axe job (0)

Anonymous Coward | about 4 years ago | (#33676466)

Ah, the lure of simplicity. How about setting some wagers with real money? Those who believe that the system security will be compromised on day 1 should wager those who believe that open source "magically" provides security. Let's have people put money where their mouths are.

Re:Axe job (4, Insightful)

TheSunborn (68004) | about 4 years ago | (#33676484)

but the conceptual idea of Diaspora is sound

That may be, and nobody is arguing about the concept itself. But a concept is not of much use without any useful implementation.

And hell, the majority of the security issues found appear to be rather simple to fix.

This is exactly why this is so bad. The mistakes are so big and so obvious for any developer with experience in web applications that the developers which worked on Diaspora can not be trusted to write secure code. They have clearly demonstrated that they have absolutely no knowledge of security. They did not just make a security hole due to some obscure implementation detail, they designed and implemented a framework with no security at all.

And security is not something you can add after you write the code. Just ask Microsoft about that.

The only solution I see is to get a new team which knows how to write code, and then ask them to take over (or rewrite) the application.

Re:Axe job (4, Interesting)

idontgno (624372) | about 4 years ago | (#33676546)

You're overlooking a few points.

TFA's author acknowledges that it's a pre-alpha preview release. In a sane world, that means no one should ever go on-line with this code. But this is not a sane world, and he very specifically addresses how this release should have been done:

If you put a gun to my head and said "Our donations came from 6,000 people who want to see progress, give me something to show them", I would have released the code that they had with the registration pages elided, forcing people to only add new users via Rake tasks or the console. That preserves 100% of the ability of developers to work on the project, and for news outlets to take screenshots, without allowing technically unsophisticated people to successfully sign up to the Diaspora seed sites.

In other words, defang the thing before you turn it loose on an unsuspecting community. If I can successfully develop an open-source backyard nuclear fission generator, and release the pre-alpha blueprints, I would be rightly criticized for the occasional containment failure and subsequent deaths or injuries.

Also, the attitude of "meh, the security issues are trivially easy to fix" completely misses the point. If the known issues are trivially easy to fix, why weren't they trivially easy to avoid in the first place? Because, apparently, the core developers aren't sufficiently competent or committed to actual application and architectural security. So there's no reason for confidence that there won't be another batch of crippling security flaws with each new release.

Yeah, a lot of the backlash is probably in response to the hype around Diaspora. But much of the danger is also because of the hype. If Diaspora were just another quiet little Sourceforge project, it might have the luxury of a slow and casual crawl towards reliable application security. But guess what, Diaspora is the current Open Source equivalent of Paris Hilton. Being this screwed up is not an option, when the project is under such scrutiny and subject to such high expectations.

Re:Axe job (4, Insightful)

Darkness404 (1287218) | about 4 years ago | (#33676756)

Because, apparently, the core developers aren't sufficiently competent or committed to actual application and architectural security.

That is the entire point of having an open source project: the developers don't have to be experts. Diaspora was developed not because some guys who were great at security decided one day to launch an uber secure network, it was developed because people were tired of all the crap that FB had so they developed it. Now that the source code is out, security experts can audit the code and make improvements.

The original developers of an OSS project are like the managers, yeah, they know a little bit about the technical aspects but the main thing they have is vision then people who use it work on it to improve it. Or do you think Linus is some great wizard of security back when he wrote the very first version of Linux?

Just because the current main developers aren't that great at security doesn't mean security is compromised, actually it's the opposite, they can get security advice from professionals and other people who are good at security.

Re:Axe job (1)

Dancindan84 (1056246) | about 4 years ago | (#33676770)

Diaspora is the current Open Source equivalent of Paris Hilton... subject to such high expectations.

Wait... what?

Sorry. I agree with most of what you said, but I couldn't let that slide.

Re:Axe job (0)

Anonymous Coward | about 4 years ago | (#33676918)

We expect her to be high?

Re:Axe job (1)

spleen_blender (949762) | about 4 years ago | (#33676810)

My attitude on them being easy to fix comes out of my belief in the community to hold them accountable. If the owners of the project really aren't sufficiently capable of creating secure code then I would expect them to acquiesce to those willing to contribute who are. And given the popularity I suspect there are many. That is why I am so lax about it and surprised about the vitriol.

Re:Axe job (0)

Anonymous Coward | about 4 years ago | (#33676558)

All the Diaspora hate coming from this PRE-ALPHA release of their source code seems so strangely out of place.

PRE-ALPHA isn't an excuse to leave out basic security that should have been part of the design from day one.

If they were building a throwaway proof-of-concept or a UI prototype, I'd agree. But this is apparently part of the codebase that's supposed to grow into the release version of Diaspora. Leaving security to the mercy of "We'll go back and fix it" is just begging for problems and oversights.

A Snippet from the Criticism (5, Insightful)

eldavojohn (898314) | about 4 years ago | (#33676576)

I mean, nothing seems to point to me that this is shill garbage coming from facebook, but the conceptual idea of Diaspora is sound and the code was released for the precise reason of improving it, as it has done ...

Okay well, sometimes I look at code and I think "good start" and then sometimes I feel like Simon Cowell ... and ask them to start over. So to determine where I stand with the Diaspora code, allow me to quote the article:

# In photos_controller.rb
def destroy
  @album = Album.find_by_id params[:id] # BUG
  @album.destroy
  flash[:notice] = "Album #{@album.name} deleted."
  respond_with :location => albums_url
end

This basic pattern was repeated several times in Diaspora’s code base: security-sensitive actions on the server used the params hash to identify pieces of data they were to operate on, without checking that the logged in user was actually authorized to view or operate on that data. For example, if you were logged in to a Diaspora seed and knew the ID of any photo on the server, changing the URL of any destroy action from the ID of a photo you own to an ID of any other photo would let you delete that second photo. Rails makes exploits like this child’s play, since URLs to actions are trivially easy to guess and object IDs “leak” all over the place. Do not assume that an object ID is private.

Okay, I taught myself how to use the rails framework and code Ruby. And one of the things I was amazed at was the Rails magic. Because of how powerful it can be (both good and bad). Yes, it helps you prototype but it's errors like these that make me pause and reconsider if the person coding Ruby on Rails really understands how the framework is attempting to assist them. Obviously if you allow any user to enter any ID of a record in their URL for any CRUD action ... you aren't really understanding what those routes are trying to do for you. And you're a danger to your users.

While I could quickly remedy the above problem for the Diaspora team by improving the authentication and authorization code checks, it might be better to just start over. Now, I've devoted none of my time to the concept of liberating social network users and for that I thank the Diaspora team. This blog posting -- if true -- sure is a vote of no confidence for their capabilities of developing a realistic system. Can they improve? Certainly. But if you're making errors like that, you might be better off letting someone else take a stab at this. It's a harsh thing to say but you don't understand the tool you're using to prototype if you're even starting at this point.

I wish them the best of luck and I hope the community reaches out to them. But I'm not interested in recoding everything. I'd sooner simply start my own project.

Ruby (2, Insightful)

Lennie (16154) | about 4 years ago | (#33676702)

My problem with their efforts is they used Ruby. Which might be really nice and all, but not that many people use it. Thus it is really hard to find people who understand it well enough to help them work on the code and or just check the code for bugs.

Re:A Snippet from the Criticism (1)

darthflo (1095225) | about 4 years ago | (#33676908)

That snippet looks bad. But, if the model was implemented right*, it may be close to best practice.
Rails allows you to overload functions. Ideally, Album#destroy would check if the current user is allowed to delete the object and either delete itself or ignore the request if the user isn't authorized to delete it. Implementing security checks at the model level has the great advantage of limiting all security-related functions to a single, easily auditable, consistent code path. The snippet still lacks reporting for permission (or missing album) errors, so it's not really nice, but possibly still secure.
Additionally, photos_controller could be using a before_filter checking if the user is authorized to do whatever he's trying to do. Given the snippet, a matching filter function would have to be rather strange, but it could be done.

* Two problems: The code lacks any exception handling and, as far as I know, relying on the user credentials gathered from the session object in a model is not considered best (or even good) practice. This could be somewhat mitigated if Album#destroy were to allow an optional parameter providing a user [id].
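
The pattern quoted in eldavojohn's comment above (a destroy action that looks a record up by params[:id] and never asks who owns it), beside the two fixes discussed in this reply: scoping the lookup to the logged-in user in the controller, and an ownership check inside the model that takes the acting user as an explicit parameter. This is an added example, not Diaspora's code and not from the article; plain Ruby stands in for Rails, so the Album, User and AlbumScope classes, the NotAuthorized error and the in-memory store are all constructed for this illustration and are not ActiveRecord.

```ruby
class NotAuthorized < StandardError; end

# In-memory stand-in for an ActiveRecord-backed albums table (constructed).
class Album
  @@store = {}
  attr_reader :id, :name, :owner_id

  def initialize(id, name, owner_id)
    @id, @name, @owner_id = id, name, owner_id
    @@store[id] = self
  end

  def self.find_by_id(id) = @@store[id]
  def self.exists?(id)    = @@store.key?(id)
  def self.reset!         = @@store.clear

  # Deletes unconditionally, like ActiveRecord's #destroy.
  def destroy = @@store.delete(id)

  # Model-level check: the caller passes the acting user explicitly rather
  # than the model reaching into the session.
  def destroy_as(user)
    raise NotAuthorized, "user #{user.id} does not own album #{id}" unless owner_id == user.id
    destroy
  end
end

# Stand-in for a has_many association: current_user.albums.find(id) raises
# when the record is outside the user's scope, whether it belongs to someone
# else or does not exist at all.
class AlbumScope
  def initialize(user) = @user = user

  def find(id)
    album = Album.find_by_id(id)
    raise NotAuthorized, "no album #{id} for user #{@user.id}" if album.nil? || album.owner_id != @user.id
    album
  end
end

User = Struct.new(:id) do
  def albums = AlbumScope.new(self)
end

# Controller actions, with params and current_user passed in explicitly.
module AlbumsController
  # Vulnerable: any logged-in user can delete any album whose id they guess.
  def self.destroy_unscoped(params, _current_user)
    album = Album.find_by_id(params[:id])
    album.destroy
    "Album #{album.name} deleted."
  end

  # Fix in the controller: the lookup itself is scoped to the owner.
  def self.destroy_scoped(params, current_user)
    album = current_user.albums.find(params[:id])
    album.destroy
    "Album #{album.name} deleted."
  end

  # Fix in the model: generic lookup, ownership enforced before deletion.
  def self.destroy_via_model(params, current_user)
    album = Album.find_by_id(params[:id])
    raise NotAuthorized, "no album #{params[:id]}" if album.nil?
    album.destroy_as(current_user)
    "Album #{album.name} deleted."
  end
end

# Constructed scenario: alice is logged in and submits id 2, which is bob's.
def run_demo
  Album.reset!
  alice, bob = User.new(1), User.new(2)
  Album.new(1, "alice-holiday", alice.id)
  Album.new(2, "bob-private", bob.id)
  results = {}

  AlbumsController.destroy_unscoped({ id: 2 }, alice)
  results[:unscoped_deleted_bobs] = !Album.exists?(2)

  Album.new(2, "bob-private", bob.id) # restore bob's album for the fixed versions
  results[:scoped_refused] = begin
    AlbumsController.destroy_scoped({ id: 2 }, alice); false
  rescue NotAuthorized
    Album.exists?(2)
  end
  results[:model_refused] = begin
    AlbumsController.destroy_via_model({ id: 2 }, alice); false
  rescue NotAuthorized
    Album.exists?(2)
  end

  AlbumsController.destroy_scoped({ id: 1 }, alice) # the owner still can delete
  results[:owner_can_delete] = !Album.exists?(1)
  results
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The scoped lookup is the smaller change and also fixes the missing-record case for free: an id that is not in the user's scope behaves exactly like one that does not exist, so the response leaks nothing about other users' albums. The model-level variant keeps the rule in one place for every caller, at the cost of having to thread the user through explicitly.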

Re:Axe job (5, Insightful)

jlechem (613317) | about 4 years ago | (#33676614)

I would agree, but that code was some junior level bullshit. Granted I haven't been doing this for 20 years, but damn that was some horrible coding going on there. Especially when they tout it as some super great OSS alternative to facebook. It almost made me question how good of a choice Ruby on Rails was for the entire project.

Re:Axe job (0)

Anonymous Coward | about 4 years ago | (#33676640)

I got into this problem with a crochet project once. My mouth was bigger than my skills. Of course, people didn't donate over $100,000 for my project and it wasn't overhyped on every media outlet the web could offer. Still, I churned out a half-decent afghan and this fellow has churned out some half-decent code. But if I had $100,000 in donations, I'd have hired someone who knew what they were doing to help me make the afghan.

Re:Axe job (1)

am 2k (217885) | about 4 years ago | (#33676740)

If I would manage someone who produced code like this, that person would be fired on the spot. This is not only bad coding, it shows a severe disregard for any common security practices. The feel for what you should do and shouldn't do (like validating all input) just isn't there. A server-side programmer seeing that kind of code is supposed to intuitively have an awkward feeling in his bowels and be unable to sleep until the problem is fixed in any way, not actually writing up and releasing this thing into the public for others to install. Note that I'm not talking about the more subtle bugs not mentioned in that article.

In my eyes, these programmers have lost all basis for trust of any kind, and should get some basic web programming education (they obviously have slept on that course if they ever attended it) before ever touching a code editor again.

Well, the "developer" doesn't get it (0)

Anonymous Coward | about 4 years ago | (#33676336)

They did a code-release, flaws were found, now they'll get corrected, that's how FOSS works.

Seems like this reviewer had the uncanny expectation that FOSS devs are popes in respect to their field, making infallible code (OMG THEY USE LINUX!!!!!one!!eleven!).

Re:Well, the "developer" doesn't get it (1)

cronius (813431) | about 4 years ago | (#33676410)

Exactly, this guy is trying to prove that the open source model, where anyone can point out e.g. security holes to the developers which then will fix them doesn't work, because he is pointing out security holes to the developers which then will fix them ... and this proves his point how exactly?

Re:Well, the "developer" doesn't get it (4, Insightful)

Wolvenhaven (1521217) | about 4 years ago | (#33676426)

The editor forgot to mention that the post didn't actually end with what he claims it did, making the writer out to hate Diaspora. The post actually ended with:

Include here the disclaimer that I like OSS, think the Diaspora team is really cool, and don’t mean to crush their spirits when I say that their code is unprofessional and not ready to be exposed to dedicated attackers any time soon.

He was doing exactly what OSS is for, reading the code, finding the bugs, and informing the developers so they can be fixed, he's only being vilified because the summary is written that way.

Re:Well, the "developer" doesn't get it (1)

modestmelody (1220424) | about 4 years ago | (#33676556)

Exactly. Diaspora, despite the critics is still a huge success for OSS even if they haven't made it to Alpha yet and here's why:

Something big and proprietary kind of sucks. Some bright, albeit inexperienced kids, have a pretty good idea about how they would rebuild that functionality in new software from the ground up that fixes some of the reason the big, proprietary software sucks. Two things then happen-- first, they're able to get people really interested in what they're doing, allowing them to raise capital. Second, they are able to do some of the initial work to lay out their idea and then draw upon the knowledge of the huge base of people who they just got really interested in their work.

This is precisely how good OSS development should work! Good idea, generate interest and support, seed the process with some code, and then crowdsource the development with the proper centralized decision-making to ensure steady, solid progress and goal setting.

Not faeries... (2, Informative)

bosef1 (208943) | about 4 years ago | (#33676340)

Unfortunately, the existence of code-fixing faeries was disproven by Wirth in 1972. Code fixes are actually implemented by a type of cobbler elf.

That's... (1)

6Yankee (597075) | about 4 years ago | (#33676394)

Cobblers!

No Ruby (0, Flamebait)

codepunk (167897) | about 4 years ago | (#33676352)

I don't run anything coded with Ruby on any machine, problem solved.

Alternatives to Diaspora (5, Informative)

Anonymous Coward | about 4 years ago | (#33676382)

Here is a list of alternative open source peer-to-peer social networking software [bitcoin.org]

Note that The Appleseed Project has existed since 2004 and is the first.

Re:Alternatives to Diaspora (-1, Flamebait)

Rhaban (987410) | about 4 years ago | (#33676592)

And in 6 years, they managed to get an 8-item-long list of features, lacking several that can be considered essential to any social networking software.

Invalid Argument (4, Insightful)

aBaldrich (1692238) | about 4 years ago | (#33676386)

if Diaspora is dependent on the OSS community their users are screwed.

If it wasn't for the OSS community, everybody would believe they've released a safe program. Thanks to OSS, we now know that installing it is not the best decision yet.
I'd say the users would be screwed if Diaspora was not open source. Linus's Law once again.

I was not surprised to find out that the author sells [bingocardcreator.com] proprietary software. I think that maybe, just maybe he's biased against FLOSS?

Re:Invalid Argument (0, Troll)

siride (974284) | about 4 years ago | (#33676522)

Bullshit. Big piles of it. Do you really think that it was open source that made people think they ought to test and review code? No. It is an unproven *assertion* by certain OSS folks that many eyes make bugs shallow. So far as I know, there have been no studies to back that up and there is no logic as to why that must be necessarily true.

Re:Invalid Argument (4, Interesting)

aBaldrich (1692238) | about 4 years ago | (#33676666)

I don't think "that it was open source that made people think they ought to test and review code". I think that open source makes it possible (not necessary) to increase the total number of people able to review the code, by orders of magnitude. The diaspora team has 4 people [joindiaspora.com] . The total number of forks in github [github.com] is 403, with over 2500 watchers.

Re:Invalid Argument (4, Interesting)

TheSunborn (68004) | about 4 years ago | (#33676782)

I don't think the unproven OSS assertion is that "many eyes make bugs shallow". I can accept that. The unproven OSS assertion is that many (more than for a similar closed source program) eyes will ever look at the code just because it is open source. I am for example coding C, C++ and Java and running Fedora Core 13 as my desktop OS, but I have never looked at any source for any operating system or application I have been running.

Re:Invalid Argument (0)

Anonymous Coward | about 4 years ago | (#33676852)

Let's assume the author is biased (even though he explicitly says he likes OSS), his theoretical bias has NO impact on the fact that the security in a project (touted for its security) is absolutely horrible. Facts are facts, it doesn't matter if the author shaves chipmunks for a living.

If an exploit happens in the woods and no one... (1)

BlueKitties (1541613) | about 4 years ago | (#33676436)

Is around to see it, then obviously it must not exist or be exploitable.

It's really annoying when people start (1)

siride (974284) | about 4 years ago | (#33676568)

a message in the subject line and continue it in the body

Re:It's really annoying when people start (1)

BlueKitties (1541613) | about 4 years ago | (#33676668)

No UR MOM.

Maybe, but (0)

Anonymous Coward | about 4 years ago | (#33676682)

it can also serve as a method of squeezing a more complete thought into an unexpanded post.

Then once it's been modded up enough, or otherwise meets your criteria for expanding automatically, it just looks retarded.

Re:It's really annoying when people start (1)

sanosuke001 (640243) | about 4 years ago | (#33676696)

Honestly, I don't even read the subjects until I see a message that clearly is missing something at the beginning. The worst offenders are those that only send a message in a subject line of an email (which I almost never read)

diaspora security vs. facebook (0)

Anonymous Coward | about 4 years ago | (#33676498)

At least with Diaspora they know to call it a bug. At facebook, security holes are known as features, i.e. "places" aka the "please rob me" feature.

Volunteers (4, Insightful)

Thyamine (531612) | about 4 years ago | (#33676512)

I think the point they are trying to make (and perhaps badly) is that anytime you have to rely on volunteers you have the potential to get bit in the ass. Any volunteer organization or group has this problem, it's not just open source. Churches, after school groups, the Elks, etc. When volunteers are the main way you expect to get support, you are at their whim. This week people are busy, so no one shows up, or the kids have a soccer game, or some new more exciting group has their interest so you lose a few people.

I don't think the idea is that the open source community is going to screw people, but that the idea of expecting volunteers to always be plentiful and useful is a good way to cause yourself problems.

Re:Volunteers (4, Insightful)

JaredOfEuropa (526365) | about 4 years ago | (#33676902)

...the idea of expecting volunteers to always be plentiful and useful is a good way to cause yourself problems.

Software projects in business suffer from the same problem, actually. Oh, programmers are plentiful as long as you have budget to spare, but not all professional programmers are created equal, peer reviews / code inspections are slipshod or even omitted, and testing is haphazard. In fact sometimes there's a conscious decision to take shortcuts in those areas because of pressure on the timeline.

The potential to be bitten in the ass by substandard work that goes undetected is always there, in business as well as OSS projects.

BAD slashdot! (4, Insightful)

airfoobar (1853132) | about 4 years ago | (#33676602)

Someone wrote a blog post to point out some security issues that need fixing in the pre-Alpha version of Diaspora, and here you are using his words for pointless sensationalism that undermines the work of the Diaspora team and propagates the "Diaspora is shite" gossip that will most certainly haunt the project even after the code has hit Beta. Shameful.

If you want to do something useful, then instead of repeating how doomed the project is, ask for people to join them (I think we have some capable individuals around here) and help out.

And no, I'm not affiliated with Diaspora, I'm just annoyed by this sort of news reporting.

Re:BAD slashdot! (2, Insightful)

Anonymous Coward | about 4 years ago | (#33676836)

The issue is that the community gave them $200,000. Frankly I'm surprised that so many people trusted 4 college students with this task. But now their incompetence is showing. Don't get me wrong, I'm sure they're brilliant -- *for college students* (actually I'm not so sure about that either, but even if they actually are at the top of their class, that does not mean they have any good experience). I chose to donate time and money to another project with more competent developers. They did nothing to prove that they have any experience. Look at your college undergrad classmates. If you were to pick 4 of them at random (when they were in college/graduating, if you've since graduated), do you really think they would be able to do what this Diaspora team is trying to do? My classmates came up with all sorts of good ideas, but they didn't have the practical experience to be able to implement anything significant.

Arrogant "security researcher" bullshit (4, Insightful)

Meditato (1613545) | about 4 years ago | (#33676626)

I don't really understand what's wrong with this blog author, this "Patrick" fellow. Diaspora is a git release of a pre-alpha. It's essentially a proof of concept which was released so we can have a look at it and contribute. The author's "if this is OSS, we're screwed" assertion apparently ignores the fact that Chromium, Mozilla, Linux, and dozens of other open source projects work perfectly fine. Additionally, the "their code is unprofessional" accusation is simply wrong-headed. It was never intended to be "professional", so there's no way for it to be "unprofessional". It's a foundation released to the public that other people can build on.

As for all this worry about zero-day holes...every piece of software has them. If you think that these kids aren't professional because they can't make a perfect, idealized, secure pre-alpha, then you're riding the slopes of a Nirvana fallacy. The entire reason it was open-sourced was to allow researchers the opportunity to improve the code INSTEAD of going public in order to gain visits to their arrogant blog posts and acting like there's some huge problem not covered by the disclaimer. OOPS SORRY IS THAT TOO CLOSE TO HOME, PATRICK? I have never seen more arrogant douchebaggery in a security blog post. This "these are errors that shouldn't be present in any code!" bullshit is a result of Patrick and his circlejerk buds building the project up in their own heads, then being disappointed when the pre-alpha wasn't a facebook-killer.

Yes it has errors. But the very fact that it's 1) open source, and 2) being debugged even by douches such as Patrick, means that the whole "OSS Diaspora" concept ACTUALLY WORKS IN PRACTICE.

Re:Arrogant "security researcher" bullshit (1)

codepunk (167897) | about 4 years ago | (#33676814)

Simply read the blog a bit: the author is a crapware distributor and he probably commissioned the article. Not that it matters much, but if you are really pissed about it, crank up a compiler with a couple of dictionary files and write an open source version of his fantastic "bingo card printing software". If you take your time, a couple of hours at most, I am sure you can top what he is charging 30 bucks for.

Re:Arrogant "security researcher" bullshit (3, Informative)

gaspyy (514539) | about 4 years ago | (#33676920)

You are right to a point.

The way I see it, the real problem is not that Diaspora has bugs; the problem is that it has fundamental bugs, bugs so fundamental that they call into question the authors' understanding of the framework they're working with. It's bugs that shouldn't have been there at all.

Not verifying whether or not a user has the rights to edit an object is something pretty fundamental in my book.

Raising the bar to supporting a Semantic Desktop (1)

Paul Fernhout (109597) | about 4 years ago | (#33676628)

http://groups.google.com/group/diaspora-dev/browse_thread/thread/4cd369bdf16a346f [google.com]
(My comments, starting with: "Here are some general thoughts about how Diaspora might relate to the Semantic Web and a Social Semantic Desktop, and how that might make it even more awesome to encourage everyone to migrate to it.")

hey kdawson... (0, Troll)

dAzED1 (33635) | about 4 years ago | (#33676654)

fark you. I know this is just a troll response, but that was some of the most anti-OSS crap I've ever seen you editorialize. Is it because they want a token controversial-subject person, because they think it improves readership? Is that why they let you stay on while constantly bashing the same community this site used to be defined by?

Repetitive Astroturf and FUD (1)

vajrabum (688509) | about 4 years ago | (#33676662)

Sheesh. I know that the modern Slashdot man is ahistorical, but this is the 2nd time in a week that this PR shite is being shoveled.

Impatience (2, Insightful)

doomcup (1756450) | about 4 years ago | (#33676688)

I think the reason behind all the bile being tossed at Diaspora is probably because of the hype attached to the project and people not realizing that a pre-alpha release isn't the same thing as a finished product at all. They just see "...Diaspora...released..." and jump to the wrong conclusion, not realizing that it isn't the final version. I'm eager to see where Diaspora goes once it's cleaned up.

Release early, release often. (1, Insightful)

Anonymous Coward | about 4 years ago | (#33676694)

I thought that was the OSS mantra.

Seriously though, they're only some inexperienced kids, they released a pre-alpha version of their code, cut them some slack. Not everyone is born with 20 years of programming experience (actually no one is born with 20 years of experience, but from the way some people talk you'd think they were).

not only security issues (0)

Anonymous Coward | about 4 years ago | (#33676732)

As much as I want Diaspora to succeed I do worry about its future viability. In addition to the security issues discussed ad nauseam, I have to question some of the technology choices made. It seems like the authors were extremely well-intentioned but made a (tech student) mistake of choosing tech that's popular within tech circles over ubiquitous, very accessible net staples (such as their choice of MongoDB over something like MySQL).

I don't mean to start a flame war, Ruby and MongoDB have their benefits, but as Diaspora was meant to be distributed very widely I can see the relative unfamiliarity with these as causing some problems. This is perhaps one of those things you learn from experience.

To take an example of a successful OSS web app -- Wordpress -- part of the popularity is due to the fact that the system that powers it is supported by nearly every host on the planet (regardless of good/poor technical competencies) and countless people have (or believe they have :) ) rudimentary knowledge of how to install, administer and modify it. Admittedly WP is a security nightmare, and greater accessibility doesn't help with that problem, but there is no denying that relying on familiar technology choices has helped make the app successful.

If this article pisses you off (4, Interesting)

codepunk (167897) | about 4 years ago | (#33676736)

Read the author's blog just a bit. I am not really sure the guy even wrote this article; he may have had it commissioned. The author is a crapware distributor and this article is nothing more than an attempt at driving traffic to his site, which worked. Now his claim to fame is some "bingo card printing software for teachers".

A few minutes with a compiler and a few dictionary files will show him exactly what "Open Source" is good for. I could really care less about what he wrote but if I was pissed about it there would be a new open source bingo card printing software package released within the next two hours.

Re:If this article pisses you off (1)

Meditato (1613545) | about 4 years ago | (#33676790)

The "create controversy to increase blog traffic" strategy was my first thought as well. Either way, that guy is a douchebag.

What do you expect? (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#33676838)

What do you expect from Apple-fanboy, hipster-douchebags using Ruby on Rails?

Seriously, check the videos. They are probably the most arrogant 'programmers' I've ever seen.

I'm surprised they got any code out at all; they clearly spend all their time pretending to do work at Starbucks and preening themselves.
