Sweet Jesus. Please publish a security reporting page at the earliest possible convenience, because this will have private info on it within a day from now, and that is a very bad idea right now.
What? Correct me if I'm wrong, but it looks like they're just releasing the source code, not taking new users for "the" Diaspora or sharing access to any kind of central database of users. It's just a ruby web app you can download and run locally (or on a web server if you're that dumb...), right? And in that case, how is this any worse than the hundreds of other bits of (unsafe, untested) social networking code floating around the interwebs?
... is a question which would be better to answer privately, to a security contact. Use your imagination as to what the email would likely say.
This may just be a difference of philosophy, but I don't think "It isn't really a release, so nobody would be stupid enough to actually run this on a publicly accessible server." After all, consumers of The New Hotness have a lot less incentive to think through the security implications of running it than the developers did. [Edit: And the developers apparently have a publicly accessible instance running. That decision is curious.]
This will be running in production today. If very bad things happen, the TechCrunch article about it will have Diaspora in the headline.
That is enough of an incentive to have a security page.
Thanks for the response. I agree that a security page is a good, even necessary idea, it just doesn't strike me as a pressing emergency for them at the moment.
They're currently getting coverage on the Guardian, BBC, etc, and will get it on the New York Times within 24 hours. That is about to create an emergency for them, because being the secure, privacy-aware alternative to Facebook gives people some expectations as to how the software will work. Many of those expectations match the designed behavior. None match the software as actually implemented.
They just did a media launch and they're in for their earliest users getting burned in a very painful, public manner. If this isn't an emergency, what does an emergency look like?
There is no argument against having a policy for receiving, reviewing and patching security reports. It is that simple.
"hundreds of other bits of (unsafe, untested) social networking code floating around the interwebs" is not a benchmark that this project should aspire to.
This is the problem with public disclosure: I could tell you, but it would practically write exploit code which you could point at any one of the "Try Diaspora now!" sites popping up and do very bad things.
Here, let me tell you what isn't a problem: you cannot type "system('rm -rf /')" into their username field on the signup form and wipe any machine with Diaspora installed because some idiot passed untrusted user input straight to exec. But if that were a problem, do you understand why mentioning publicly "Hey, the username field is passed straight to exec... that's sort of bad." is a bad idea? Because that lets any idiot immediately create wipe_arbitrary_diaspora_install.rb.
There are several vulnerabilities in Diaspora right now. They allow very bad things. There are multiple public Diaspora installations. They are all vulnerable to very bad things.
It's interesting to see people on HN downvoting some for being responsible with information while upvoting those who advocate irresponsible disclosure.
If you're smart enough to get code from github working on your own box, paranoid enough to worry about facebook's control of your data and be interested in an alternative, and savvy enough to get wind of such an early release, I don't think you're going to put anything that sensitive in this network!
They don't seem to be publicizing it, but there's a live version up at a subdomain of joindiaspora.com, which people are sharing on diaspora's facebook page. Won't link here because of the concerns above and because it's creaking under the load already.
>Feel free to try to get it running on your machines and use it, but we give no guarantees. We know there are security holes and bugs, and your data is not yet fully exportable. If you do find something, be sure to log it in our bugtracker, and we would love screenshots and browser info.
There exist publicly accessible Diaspora instances, and there will be more by the end of today. That was entirely predictable, since it has been marketed as the host-your-own federated Facebook. There is already someone on the mailing list asking how to let people use his from outside his university network, because they firewall non-80 ports. If he figures out how to configure thin, bad things happen.
Any disclosed vulnerability is an exploit roadmap for these public instances. Speaking generally, exploits of public web apps can sometimes be pretty severe. Yes, the software is immature, but it is now immature and an attack vector.
There's no marginal benefit beyond what putting a security warning message on the download page would get you. In fact, filing a public bug would probably be less effective in preventing harm than such a message would be. The marginal cost is significant.
There's actually more of a case for disclosing security bugs in established products if the vendor doesn't respond quickly enough. If people are relying on a product for critical uses, having information that lets them minimize their risk could be helpful. I don't see the benefit in this case.