Open Source Programming Security Social Networks IT

Security Lessons Learned From the Diaspora Launch

patio11 writes "Diaspora, the privacy-respecting OSS social network, did a code release last week. Attention immediately focused on security. In fact the code base included several severe security bugs. This post walks through the code, showing what went wrong, and what it would let an attacker do to someone who was using Diaspora." The developer who wrote the post ends with: "You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora’s banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I’d be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed."
  • Re:...huh? (Score:4, Interesting)

    by MozeeToby ( 1163751 ) on Thursday September 23, 2010 @12:02PM (#33676434)

    Yeah, volunteers have never [wikipedia.org] put up a building before.

  • Re:Axe job (Score:5, Interesting)

    by idontgno ( 624372 ) on Thursday September 23, 2010 @12:09PM (#33676546) Journal

    You're overlooking a few points.

    TFA's author acknowledges that it's a pre-alpha preview release. In a sane world, that means no one should ever go on-line with this code. But this is not a sane world, and he very specifically addresses how this release should have been done:

    If you put a gun to my head and said "Our donations came from 6,000 people who want to see progress, give me something to show them", I would have released the code that they had with the registration pages elided, forcing people to only add new users via Rake tasks or the console. That preserves 100% of the ability of developers to work on the project, and for news outlets to take screenshots, without allowing technically unsophisticated people to successfully sign up to the Diaspora seed sites.

    In other words, defang the thing before you turn it loose on an unsuspecting community. If I can successfully develop an open-source backyard nuclear fission generator, and release the pre-alpha blueprints, I would be rightly criticized for the occasional containment failure and subsequent deaths or injuries.

    Also, the attitude of "meh, the security issues are trivially easy to fix" completely misses the point. If the known issues are trivially easy to fix, why weren't they trivially easy to avoid in the first place? Because, apparently, the core developers aren't sufficiently competent or committed to actual application and architectural security. So there's no reason for confidence that there won't be another batch of crippling security flaws with each new release.

    Yeah, a lot of the backlash is probably in response to the hype around Diaspora. But much of the danger is also because of the hype. If Diaspora were just another quiet little Sourceforge project, it might have the luxury of a slow and casual crawl towards reliable application security. But guess what, Diaspora is the current Open Source equivalent of Paris Hilton. Being this screwed up is not an option, when the project is under such scrutiny and subject to such high expectations.
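As an added illustration of the release strategy quoted in the comment above (example code written for this page, not Diaspora's code or anything the original post shipped): a Rake task that provisions accounts from the console, a constructed in-memory stand-in for the User model with PBKDF2 password hashing, and a route table from which the signup endpoints are simply absent, so no HTTP request can create an account. The real Rails equivalents would be a signup-free `config/routes.rb` (with Devise, `devise_for :users, skip: [:registrations]`) and a task in `lib/tasks/users.rake` that depends on `:environment`; those are assumptions about a typical Rails deployment, not something the page states.

```ruby
# Added example: ship a Rails-style app with public registration removed and
# provision users only from a Rake task / console. Not Diaspora's code.
require 'rake'
require 'openssl'
require 'securerandom'

# Constructed in-memory store standing in for the User model (assumption).
USERS = {}
PBKDF2_ITERATIONS = 100_000

# Derive a PBKDF2-HMAC-SHA256 hash; a fresh random salt per user by default.
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt,
                                    iterations: PBKDF2_ITERATIONS,
                                    length: 32, hash: 'sha256')
  [salt, digest.unpack1('H*')]
end

# Constant-time comparison so a wrong password does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# The only code path that creates an account; it is never exposed over HTTP.
def create_user(email, password)
  raise ArgumentError, 'email already taken' if USERS.key?(email)
  raise ArgumentError, 'password too short' if password.to_s.length < 12
  salt, hash = hash_password(password)
  USERS[email] = { salt: salt, hash: hash }
  email
end

def authenticate(email, password)
  rec = USERS[email]
  return false unless rec
  _, hash = hash_password(password, rec[:salt])
  secure_compare(hash, rec[:hash])
end

# Route table of the trimmed-down release: sign-in exists, sign-up does not.
# Anything not listed (including /users/sign_up and POST /users) is a 404.
ROUTES = {
  ['GET',  '/users/sign_in'] => :new_session,
  ['POST', '/users/sign_in'] => :create_session,
  ['GET',  '/status']        => :status
}.freeze

def route(method, path)
  ROUTES.fetch([method, path]) { :not_found }
end

# Console-only provisioning: rake "users:create[alice@example.org,passphrase]"
namespace :users do
  desc 'Create a user from the console (no public signup in this release)'
  task :create, [:email, :password] do |_t, args|
    create_user(args[:email], args[:password])
  end
end

# Helper that runs the task the way an operator would, returning success.
def provision_via_task(email, password)
  task = Rake::Task['users:create']
  task.reenable # Rake tasks run once per process unless re-enabled
  task.invoke(email, password)
  USERS.key?(email)
end

if __FILE__ == $PROGRAM_NAME
  provision_via_task('alice@example.org', 'correct horse battery staple')
  puts route('POST', '/users')                                         # not_found
  puts authenticate('alice@example.org', 'correct horse battery staple') # true
end
```

The point is structural rather than clever: developers and screenshot-takers keep a fully working site, while the only way to get an account is shell access to the box, which is exactly the population a pre-alpha should be limited to.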

  • Re:Security (Score:2, Interesting)

    by Daengbo ( 523424 ) <daengbo&gmail,com> on Thursday September 23, 2010 @12:16PM (#33676632) Homepage Journal

    I read TFA (I know ...) and comments and many of the issues mentioned are addressable within Rails generally so I don't think that saying the project has no chance is fair to either the developers or to the OSS devs the author besmirches. That said, I have never been very pro-Diaspora and didn't expect anything secure or even really working in the first release from that team: they're just a bunch of college kids with little experience on summer break, after all.

    I still think that extending XMPP is the way to go -- there's no need to reinvent the wheel and XMPP has had time to work the security issues out already and has quite a few implementations available. Check http://onesocialweb.org/ [onesocialweb.org]. The code has been available since Diaspora was announced and is developing quickly. XMPP with extensions has the benefit of having several large IM networks already in service that could simply move to the newer protocol. If Yahoo!, MSN, Baidu, and GTalk all went that way, Facebook would have to fall in line and update its XMPP, too.

  • Re:Invalid Argument (Score:5, Interesting)

    by aBaldrich ( 1692238 ) on Thursday September 23, 2010 @12:18PM (#33676666)
    I don't think "that it was open source that made people think they ought to test and review code". I think that open source makes it possible (not necessary) to increase the total number of people able to review the code, by orders of magnitude. The Diaspora team has 4 people [joindiaspora.com]. The total number of forks in github [github.com] is 403, with over 2500 watchers.
  • Re:WTF? (Score:2, Interesting)

    by Nick Fel ( 1320709 ) on Thursday September 23, 2010 @12:21PM (#33676716)
    I guess because closed source projects generally DON'T receive public scrutiny? Without taking any stance on the open/closed debate, that's an undeniable risk of open source (along with the associated benefit that somebody might spot it and fix it, naturally).
  • by codepunk ( 167897 ) on Thursday September 23, 2010 @12:22PM (#33676736)

    Read the author's blog just a bit; I am not really sure the guy even wrote this article, he may have had it commissioned. The author is a crapware distributor and this article is nothing more than an attempt at driving traffic to his site, which worked. Now his claim to fame is some "bingo card printing software for teachers".

    A few minutes with a compiler and a few dictionary files will show him exactly what "Open Source" is good for. I could really care less about what he wrote but if I was pissed about it there would be a new open source bingo card printing software package released within the next two hours.

  • Re:Invalid Argument (Score:5, Interesting)

    by TheSunborn ( 68004 ) <mtilsted.gmail@com> on Thursday September 23, 2010 @12:26PM (#33676782)

    I don't think the unproven OSS assertion is that "many eyes make bugs shallow". I can accept that. The unproven OSS assertion is that many (more than for a similar closed source program) eyes will ever look at the code just because it is open source. I am for example coding C, C++ and Java and running Fedora Core 13 as my desktop OS, but I have never looked at any source for any operating system or application I have been running.

  • Re:...huh? (Score:1, Interesting)

    by Anonymous Coward on Thursday September 23, 2010 @01:09PM (#33677366)

    Poor example. I appreciate what Habitat for Humanity does. Unfortunately, you wouldn't want Mike Holmes to inspect the majority of those homes. Similar problem here with Diaspora.

  • Re:Security (Score:4, Interesting)

    by the_womble ( 580291 ) on Thursday September 23, 2010 @01:22PM (#33677542) Homepage Journal

    The OSS model has already proven better in this instance.

    If Diaspora had been closed source, we would not have known about the vulnerabilities until AFTER they had been exploited - very exploited on a large scale. Because the code is open, it has been reviewed and the flaws spotted while it is still in alpha.

    That said, I will still not use this. I am not a real developer and I would be unlikely to make some of the mistakes that these people are making.

  • by sorak ( 246725 ) on Thursday September 23, 2010 @01:52PM (#33677958)

    Or if you're pissed and lazy, you can find others [sourceforge.net] to do it for you.

  • by Fulcrum of Evil ( 560260 ) on Thursday September 23, 2010 @02:56PM (#33678710)

    One idea for preventing the deployment of a proof-of-concept is to make the UI for the proof-of-concept as ugly and difficult to use as possible.

    Sure, like that ever works.

    Either whatever you did solved the problem kinda well enough

    No, the prototype solves the functional requirements, but the nonfunctional ones are toast - maintainability, scalability, things like that.

  • by Anonymous Coward on Thursday September 23, 2010 @05:02PM (#33680324)

    There *are* magic code-fixing fairies... they're called "consultants" (clouds part and light shines down as heavenly choirs sing). The Diaspora team should use the money raised through Kickstarter to hire crack "security" consultants.

  • Re:Axe job (Score:3, Interesting)

    by horza ( 87255 ) on Thursday September 23, 2010 @07:48PM (#33682262) Homepage

    Also completely confused by the weird feedback on Slashdot. Once the model has stabilised, an API will be fixed and loads of Diaspora clients and servers will come about written in all different languages. The current implementation is irrelevant, it will be trashed and rewritten at some point anyway.

    Phillip.
