The problem with stuff like this is, I'm not going to look at it. This story came about in part because Coda Hale (another security pro) posted a message to Twitter, linking to the crypto code in Diaspora with an abstract "uh oh". It was warranted, I posted a message to that effect, and got an inquiry, which was more properly addressed by Patrick, who has just provided Diaspora with several thousand dollars of free consulting.
What was the problem I was getting at? Oh, yeah: Diaspora has no apparent access to the software security expertise they need to pull this off. I looked at it for 17 seconds, rolled my eyes, and stopped reading. Maybe someone at iSec Partners will take this project under their wings. But why? Most software security professionals are up to their ears in interesting projects that aren't attempts by college kids to take on Facebook.
More than a few of those professionals are now busy working for Facebook.
This isn't "software security expertise" this is a team of people not communicating at all with each other. For example, the Photo controller
edit (show edit form) checks that it's your photo to edit
update (make changes to photo) does not, you can update anyone's photo to anything
destroy (delete the photo) does not, you can delete anyone's photo w/ the id.
This is stuff you just DON'T DO in a web app. It's something any self respecting web developer, especially Rails developer, will look at and shudder. And those are the simple things that immediately stand out. Who knows what kind of security failures are built into this system due to ignorance or just plain lack of care.
This isn't their fault. I'm really torn on how much snark to aim in their direction. They had smart advisors (I like the Pivotal guys). It is not an insane decision to post a code milestone like this, with all the crappy code that entails. Our internal pre-alphas aren't --- well they're not this bad but they're not perfect.
But none of that matters because they've picked a project that they have to get right, and that in the long run is going to be defined in large part by design security.
In another thread, someone from Pivotal said that they didn't really advise them more than just a few conversations during breakfast. They were just working out of their office.
At first, I thought those comments were a CYA distancing from Diaspora, since their release has been so abysmal, but then I watched their presentation to Pivotal again, and it really does seem like everyone there knew about as much about Diaspora as we all did on Sep 14th.
Who's fault is it then? The expectations were set - not that first code release would be awesome - but 'privacy' was the entire reason for diaspora starting.
I was expecting some integral libraries that would encapsulate privacy and authentication logic which would be reused for the entire framework. I don't really care if this was 'only' 3 months of work. That lack of security/privacy checking in that photo update section speaks volumes about where the developers and entire project are at.
Is it doomed? Probably not - apparently even Duke Nukem Forever has a new release date(?) - but they've got a long way to go to convince early adopter techies (people like me) to install this and evangelize on their next round.
Yep. And I don't want to help too much, because what happens if I only fix some problems? I can prevent against basic stuff, if their crypto is bad, that's above me. And if I fix some of it, and then somebody gets burned by something I didn't catch, I'd feel partially responsible.
You're missing the context. You may see Diaspora as a great way to get visibility. I assure you, any competent software security person has much better ways of getting visibility.
What was the problem I was getting at? Oh, yeah: Diaspora has no apparent access to the software security expertise they need to pull this off. I looked at it for 17 seconds, rolled my eyes, and stopped reading. Maybe someone at iSec Partners will take this project under their wings. But why? Most software security professionals are up to their ears in interesting projects that aren't attempts by college kids to take on Facebook.
More than a few of those professionals are now busy working for Facebook.
This is a dumb idea for a project.