Security Lessons Learned From the Diaspora Launch 338
patio11 writes "Diaspora, the privacy-respecting OSS social network, did a code release last week. Attention immediately focused on security. In fact the code base included several severe security bugs. This post walks through the code, showing what went wrong, and what it would let an attacker do to someone who was using Diaspora." The developer who wrote the post ends with: "You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora’s banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I’d be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed."
Security (Score:4, Informative)
Because of course, obscurity is proper security.
Re:...huh? (Score:4, Informative)
Isn't that a bit like saying "if getting this building completed is dependent on volunteer construction workers, we're screwed"?
FTFY
Axe job (Score:2, Informative)
I mean, nothing seems to point to me that this is shill garbage coming from facebook, but the conceptual idea of Diaspora is sound and the code was released for the precise reason of improving it, as it has done. Yet all I've heard is some disproportionate vitriol against the project. It doesn't make sense.
And hell, the majority of the security issues found appear to be rather simple to fix. Just add authorization checks and use mongoDB stored procedures more frequently.
Not faeries... (Score:2, Informative)
Unfortunately, the existence of code-fixing faeries was disproven by Wirth in 1972. Code fixes are actually implemented by a type of cobbler elf.
Alternatives to Diaspora (Score:5, Informative)
Here is a list of alternative open source peer-to-peer social networking software [bitcoin.org]
Note that The Appleseed Project has existed since 2004 and is the first.
Re:Axe job (Score:2, Informative)
This would be true if (and only if) the whole point of Diaspora wasn't to improve the security of your data. Seriously, that's the only significant quoted feature. And they didn't get that part close to right before launching? C'mon...
Re:Axe job (Score:3, Informative)
Re:...huh? (Score:4, Informative)
The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month.
Re:WTF? (Score:5, Informative)
(my bold) So he's not actually saying anything bad at all about OSS; he's just saying that being OSS doesn't mean that they can magically gain experience (or experienced developers) and fix their entire codebase in a month. The notion that OSS development is to blame was purely down to Slashdot (or the submitter).
Re:...huh? (Score:5, Informative)
I work HfH construction once in a while. They hire professionals to do the important bits and the large stuff; excavating, pouring the foundation, wiring, plumbing, and often the finish carpentry. If you happen to have someone relatively skilled there, they may assist the pros; I've helped with all; wiring, plumbing, finish carpentry. But you don't let someone who is enthusiastic but doesn't know what they're doing do finish carpentry, they'll probably just wind up wrecking a lot of material. And if you let them do plumbing in an area where code requires copper pipe, you'll probably wind up with a mess that will take a pro 3 times longer to fix than if he'd just done it himself to start with.
I think the latter may be the case when it comes to this project. I really, really hope this project comes together, but as a programmer I fear that if they've built this thing from the ground up without a good basic understanding of web security, the thing may have to be gutted and rewritten to get to where it needs to be.
Lots of people can write web apps. Heck, I pretty much write web apps all day long, but I write them for intranet use, they're not accessible to the internet at large. If my stuff had to be hardened against the kind of general attack Diaspora is going to have to endure, I'd have to learn a lot more than I know now.
Re:...huh? (Score:3, Informative)
However, the critical components (foundation, electrical, plumbing, etc.) are done by professionals.
It is a great example because those professionals are quite often working on volunteer time themselves. Just like how a lot of OSS projects are contributed to by amateurs and students, but often the deeper, more advanced work is done by professional coders and designers.
Re:Arrogant "security researcher" bullshit (Score:4, Informative)
You are right to a point.
The way I see it, the real problem is not that Diaspora has bugs; the problem is that it has fundamental bugs, bugs so fundamental that they question authors' understanding of the framework they're working with. It's bugs that shouldn't have been there at all.
Not verifying whether or not a user has the rights to edit an object is something pretty fundamental in my book.
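An added example (plain Ruby, not Diaspora's code and not Rails) of the missing-check pattern this comment and the earlier "just add authorization checks" remark point at: a handler that edits a post by id alone, beside one whose lookup is scoped to the current user. `Post`, `PostStore` and the user/post ids are constructed for the example.

```ruby
# Added example, not Diaspora's code: a handler that edits an object by id
# without checking that the caller owns it, next to the scoped lookup that
# fixes it. The in-memory store stands in for the database.
Post = Struct.new(:id, :owner_id, :text)

class PostStore
  def initialize(posts)
    @posts = posts.to_h { |p| [p.id, p] }
  end

  # Global lookup: any caller can reach any post.
  def find(id)
    @posts[id]
  end

  # Scoped lookup: only posts belonging to owner_id are visible.
  def find_owned(owner_id, id)
    post = @posts[id]
    post if post && post.owner_id == owner_id
  end
end

class NotAuthorized < StandardError; end

# Vulnerable shape: the object is fetched by id alone and edited, so the
# identity of the current user never enters the decision.
def update_post_unchecked(store, _current_user_id, post_id, new_text)
  post = store.find(post_id)
  return nil unless post
  post.text = new_text
  post
end

# Hardened shape: the lookup itself is scoped to the current user, so a post
# the user does not own is treated exactly like one that does not exist.
def update_post_checked(store, current_user_id, post_id, new_text)
  post = store.find_owned(current_user_id, post_id)
  raise NotAuthorized, "post #{post_id} not editable by user #{current_user_id}" unless post
  post.text = new_text
  post
end

# Constructed sample data: user 100 owns post 1, user 200 owns post 2.
def sample_store
  PostStore.new([Post.new(1, 100, 'alice: hello'), Post.new(2, 200, 'bob: hi')])
end
```

Scoping the query through the current user (rather than checking ownership after a global fetch) also removes the easy-to-forget branch where the check is simply omitted.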
Re:...huh? (Score:3, Informative)
Those services from professionals are almost always paid for not volunteered.
[Citation needed]. My uncle worked on a HFH home as an electrician and he was not paid for his time.
Re:WTF? (Score:5, Informative)
Re:Security, I agree ..., AC should say.... (Score:3, Informative)
"Security through hubris," which refers to the hawkers (selling security that ain't) of proprietary software and gawkers (buying security that ain't) with brand-pride. "Security through hubris" doesn't refer to closed source code, and it doesn't refer to not disclosing known flaws. It refers, exclusively, to things that AC may have been referring to, like 'no one will ever be able to find the security flaws, no one will ever know about or use open port 6424 for cracking, and/or no one will ever know enough about the software to call any unpublished black back-doors (any access/function available).'
DAMN, I think, maybe we know what AC was trying to say ...?
Re:Security (Score:1, Informative)
If it were, say, a private company producing this product, wouldn't they have subjected it to the normal quality control processes in software companies, thrown dedicated testing resources at it, thrown their in-house security specialists at it, or perhaps hired outside security specialists? I observed both during my time at a software company.
Not if it was a start-up. I work for a private company started by students that scaled to tens of millions of users before even starting a security team or hiring the first security specialist. Of course, if this company started a new product NOW, it would go through far tighter QA and security audits.
During that time there were plenty of incidents, but often by luck nothing that put us out of work. I do think this case would be different, as the start-up has been so vocal.
Not news (Score:1, Informative)