
Code for open-source Facebook riddled with landmines  - tptacek
http://www.theregister.co.uk/2010/09/16/diaspora_pre_alpha_landmines/
======
elbrodeur
It's pre-alpha. I've yet to take a look at the repo, but any software that
isn't full of security holes, bugs and flaws at the pre-alpha stage is
probably ready for an alpha release. In other words: No duh.

It would actually be surprising to read the headline: "4 students develop bug
free, totally secure social networking platform in 3 months"

That being said, I'm excited to see how the project develops -- it's the kind
of project that I wish I had the time to contribute to.

~~~
patio11
What is the difference between a pre-alpha release, an alpha release, a beta
release, and a public release, from the perspective of a 20 year old college
co-ed who is looking at an IM window saying "Hey, Facebook doesn't respect our
privacy. Come sign up for Diaspora (linky), it is like Facebook except they
won't send your photos to your mom."

~~~
heyrhett
Sure, the names don't mean anything. Gmail was in beta with millions of users
for years.

However, the Diaspora github readme says this in bold: "PLEASE, DO NOT RUN IN
PRODUCTION. IT IS FUN TO GET RUNNING, BUT EXPECT THINGS TO BE BROKEN"

So, shame on The Register for calling this news.

~~~
steveklabnik
Yes, as of 35 minutes ago, it says that. But before that, it didn't, and tons
of people are throwing this up on ec2, heroku, and everything else:
[http://github.com/diaspora/diaspora/commit/e668071ea51050ae7...](http://github.com/diaspora/diaspora/commit/e668071ea51050ae79058978ddb9c01945df4279)

~~~
heyrhett
Good point. I didn't see that.

------
jlgbecom
No matter how many programmers this attracts or momentum the project has, if
the underlying software design is bad, people need to either do a rewrite with
a better design, or make a patchwork mess of it all until it becomes
unmanageable, in which case you do the rewrite you should have done in the
first place.

The problem is, there's a lot of eyeballs that are looking at the code right
now, and that does help to identify bugs, but if the bugs we're seeing are
deep seated architectural issues, then it's not very easy for someone to just
go in and fix them. Then Diaspora has to determine if the fixes are worth
including, and whether they fit into their system design (assuming they have
one). Basically, in order to actually utilize the community interest in any
practical way, they need to be solid managers. At 20 years old, with no real
world software development experience.

This is something open source doesn't seem to understand, and why even the
biggest projects end up being a small-ish team of dedicated professionals,
instead of the "bazaar" we imagine.

~~~
patio11
I totally agree with this comment. I don't know whether Diaspora is
architecturally secure or not. I strongly suspect that it isn't, but am
unqualified (and insufficiently interested) to constructively prove that.

The things I found were mostly tactical insecurities, springing from a
combination of Rails Security 101 errors and "web application programming is
hard." They're pervasive tactical insecurities. Maybe they'll all get fixed if
a lot of people pick over every line of that codebase for the remaining one
month before release. But that won't help address the part of the iceberg
below the waterline. (I can't see it, but the amount of ice above the
waterline strongly suggests it is there.)

~~~
tptacek
I haven't read the code or the design, but I'll say:

* To the extent that Diaspora's security depends on Rails, their problem is tenable; Rails (when properly configured, which this project isn't) does a really nice job of making CRUD secure.

* To the extent that Diaspora's security depends on cryptography, we needn't worry about the security of their current design at all, because they have no current design; what they have instead is a "hello world" of cryptography; someone professional (or in academia) will need to design something for them, and then write a paper on it.

~~~
morroccomole
The Diaspora crew came to my company and gave a talk. It was pretty boring
actually. They ARE NOT interested in cryptography in the first place. The only
crypto going on is SSL. Whoopy-doo-dah.

If they wanted to actually solve a problem they could have tried to make this
system pseudonymous, with all social graphs, user data and messages encrypted.
Oh well.

~~~
tptacek
Would that it were true that there was no crypto going on in Diaspora, but no:

    diaspora/lib/encryptor.rb

------
steveklabnik
+1 from me. The more I check out the code, the more screwed up stuff I find.

I went to go try and fix the XSS bugs and found no view testing, or
integration testing. Just model and controller unit tests. I managed to get a
general patch in [1] to help a bit, but there are other, deep seated problems.
This needs a lot of work. I'm no security expert by far, so like he says in
TFA, I fear for what tptacek or someone that knows what they're doing could
do.

1:
[http://github.com/diaspora/diaspora/commit/22edec57766356cdc...](http://github.com/diaspora/diaspora/commit/22edec57766356cdc3d73740b65a557d2a6f57bd)

~~~
tptacek
The problem with stuff like this is, I'm not going to look at it. This story
came about in part because Coda Hale (another security pro) posted a message
to Twitter, linking to the crypto code in Diaspora with an abstract "uh oh".
It was warranted, I posted a message to that effect, and got an inquiry, which
was more properly addressed by Patrick, who has just provided Diaspora with
several thousand dollars of free consulting.

What was the problem I was getting at? Oh, yeah: Diaspora has no apparent
access to the software security expertise they need to pull this off. I looked
at it for 17 seconds, rolled my eyes, and stopped reading. Maybe someone at
iSec Partners will take this project under their wings. But why? Most software
security professionals are up to their ears in interesting projects that
aren't attempts by college kids to take on Facebook.

More than a few of those professionals are now busy working _for Facebook_.

This is a dumb idea for a project.

~~~
jameskilton
This isn't "software security expertise" this is a team of people not
communicating at all with each other. For example, the Photo controller

edit (show edit form) checks that it's your photo to edit

update (make changes to photo) does not, you can update anyone's photo to
anything

destroy (delete the photo) does not, you can delete anyone's photo w/ the id.

This is stuff you just DON'T DO in a web app. It's something any self
respecting web developer, especially Rails developer, will look at and
shudder. And those are the simple things that immediately stand out. Who knows
what kind of security failures are built into this system due to ignorance or
just plain lack of care.
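
The gap described above, as an added illustration in plain Ruby (not Diaspora's code): a constructed in-memory hash stands in for the photo table, the leaky controller leaves `update` and `destroy` unscoped, and the hardened subclass checks ownership before every mutating action. Names like `PhotosController`, `NotAuthorized` and `cross_user_tamper` are assumptions for this example.

```ruby
# Constructed stand-in for a Photo row: id, owning user, caption.
Photo = Struct.new(:id, :owner_id, :caption)
class NotAuthorized < StandardError; end

# The pattern described in the comment: update and destroy trust params[:id]
# outright, so any signed-in user can modify or delete any photo by id.
class LeakyPhotosController
  def initialize(photos, current_user_id)
    @photos = photos                  # Hash of id => Photo, standing in for the table
    @current_user_id = current_user_id
  end

  def update(params)
    photo = @photos.fetch(params[:id])          # no ownership check
    photo.caption = params[:caption]
    photo
  end

  def destroy(params)
    @photos.delete(params[:id])                 # no ownership check
  end
end

# Hardened form: scope every mutating action to the current user's own photos
# before touching the record. In Rails the usual idiom is
# current_user.photos.find(params[:id]), which raises for a foreign id.
class PhotosController < LeakyPhotosController
  def update(params)
    authorize_owner!(params[:id])
    super
  end

  def destroy(params)
    authorize_owner!(params[:id])
    super
  end

  private

  def authorize_owner!(id)
    return if @photos.fetch(id).owner_id == @current_user_id
    raise NotAuthorized, "photo #{id} does not belong to user #{@current_user_id}"
  end
end

# Drives a controller as user :alice against a photo owned by :bob and reports
# whether the requests went through and whether bob's photo still exists.
def cross_user_tamper(controller_class)
  photos = { 1 => Photo.new(1, :alice, 'beach'), 2 => Photo.new(2, :bob, 'dog') }
  ctrl = controller_class.new(photos, :alice)
  ctrl.update(id: 2, caption: 'changed by alice')
  ctrl.destroy(id: 2)
  [:allowed, photos.key?(2)]
rescue NotAuthorized
  [:refused, photos.key?(2)]
end
```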

~~~
tptacek
This isn't their fault. I'm really torn on how much snark to aim in their
direction. They had smart advisors (I like the Pivotal guys). It is not an
insane decision to post a code milestone like this, with all the crappy code
that entails. Our internal pre-alphas aren't --- well they're not this bad but
they're not perfect.

But none of that matters because they've picked a project that they have to
get right, and that in the long run is going to be defined in large part by
design security.

~~~
steveklabnik
In another thread, someone from Pivotal said that they didn't really advise
them more than just a few conversations during breakfast. They were just
working out of their office.

~~~
jlgbecom
At first, I thought those comments were a CYA distancing from Diaspora, since
their release has been so abysmal, but then I watched their presentation to
Pivotal again, and it really does seem like everyone there knew about as much
about Diaspora as we all did on Sep 14th.

------
patio11
To be flippant but accurate, the landmines are riddled with Diaspora code.

~~~
carbocation
Congrats on being quoted, by the way!

~~~
patio11
Thanks, but it sort of tastes like ash. Locally we have an engineering
tradition of Big Red Buttons. If you know a process is out of control, you
have to hit the Big Red Button. All work stops, the company starts losing huge
amounts of money instantly, etc. The reason we're taught to hit the Big Red
Button is that quality issues quickly propagate past the point where you can
stop them.

On the Internet, with a highly anticipated release getting mainstream media
attention and a dedicated community, quality issues propagate _quickly
indeed_.

But nobody ever _wants_ to hit the Big Red Button. I would greatly have
preferred getting a solid eight hours of sleep rather than spending several
hours checking if errors were exploitable (yes), sending four emails to try to
find someone on the inside, and getting quoted in a piece which is sure to
ruin several someones' day. But there are people putting data into Diaspora
instances as we speak, so Big Red Button it is.

------
mattmaroon
"They are going to get burned in a very serious manner very, very quickly if
they actually succeed in doing what they're trying to do." And by "burned in a
very serious manner" he means someone is going to see their vacation photos
and change their username to "Ima Douche."

If someone totally took over my Facebook account I'd be minorly annoyed and
that's about it. Unless you're putting your social security number into your
Diaspora account, who cares?

~~~
simonw
I think it's easy to underestimate how valuable something like a Facebook
account actually is.

If I meant someone real harm and had access to their Facebook account, I could
cause them a lot of trouble. I could send messages to their friends asking for
unreasonable favours, starting arguments or causing other offence, I could
embarrass them in front of their family. I could stalk them in real life. Look
what happened when 4chan got hold of the passwords to a bunch of Christian
student Facebook accounts:

[http://thenextweb.com/2009/08/22/4chan-launches-attack-chris...](http://thenextweb.com/2009/08/22/4chan-launches-attack-christian-evangelists-facebook/)

Your online reputation is valuable.

------
seancron
I find it funny that the related stories for this article are all about
security problems that Facebook has had.

------
sjtgraham
Diaspora will be fine, now it's on Github it has so many skilled eyes on it.
All they need to do is deal with the flood of pull requests effectively. A lot
of people want this to win. A lot of hackers will commit code to it because
it's a project with the world's eyes on. I wouldn't be surprised if Facebook
picked up a few people who commit really good code to it either.

~~~
steveklabnik
In theory, this is great, but it's really hard to do actual work while wading
through 6 separate reports of "It says the db can't connect to this host and
port, what do? Derp!" The mailing list is even worse.

It's really hard to separate real, actual issues from a few hundred people who
don't know how to run a ruby-based website.

~~~
thinkalone
> a few hundred people who don't know how to run a ruby-based website.

Point them towards Hackety Hack :)

~~~
steveklabnik
I should. :) That's what I should be doing rather than worrying about
Diaspora, anyway...

------
tmcw
The Register is simply silly journalism for the tech set: tailoring shocking
headlines and 'begging the question' far more often than they actually do
research.

------
jcapote
How do they have so many XSS bugs if they are using Rails 3 which does
automatic html escaping?

------
adnam
Author of article is blatantly a HN reader. Dan Goodin: identify yourself! :-)

------
ucentric
Very disappointing especially with $200k behind them to do this properly and
so many hopeful supporters.

As we predicted this is just another propitiatory system with open source
code. Sort of like OpenID. Clever PR but not really what it claims to be.

How do you justify using the 'open' when it is based upon a propitiatory
naming system? With Diaspora, whoever owns trydiaspora.com (anyone know who
does?) owns your content and connections, meaning you are effectively trusting
someone who is hiding their identity. Nice.

We tried repeatedly to reach out to the Diaspora team when they kicked off with
an alternative that is 100% open and user-centric called NetID (see
<http://ucentric.org>) but were ignored.

I guess that when you have $200,000 and no one to answer to, you can pretty
much ignore your stated goals and anyone trying to help you achieve them. It
also looks like that is basically what they are delivering for the $200k they
raised, as their blog suggests it is now an open project for the community to
finish off...

As a side issue, is there any truth in the rumor that Zuckerberg gave them
$100K?

~~~
tptacek
"Propitiatory" turns out to be kind of a cool word to know. Thanks!

~~~
ucentric
See the latest post on ucentric.org and you will see our reasoning for this
opinion.

------
c00p3r
What are you expecting from a tabloid?

The code of OpenSSH and OpenBSD has been available for years, and that is why it
is most secure. Just think how many people have tried to find a hole in OpenSSH's
code!

Opening the code is the most important step. If the idea is worthwhile and the
code is useful, it will be improved by the community, just because it is useful
for them. nginx is a classic example: people around the globe are improving it
because they find it useful.

~~~
tptacek
_Bullshit_.

The code for OpenSSH and OpenBSD is secure because Theo de Raadt personally
roped crazy smart people into the project to audit the entire BSD operating
system line-by-line, and then set up a regime that treated all code as guilty
until proven innocent. He was the first person ever to have done either of
those two things.

(I had the privilege of being a semi-involved bystander while this happened; I
have one or two findings from the audit and wrote their first several
advisories).

Security does _not_ just happen for open source projects. The notion that it
does is one of the more harmful myths in software security. If you have any
questions about this, or about the difference between a bug (blows up in your
face and ruins your day, causing you to write a patch out of anger) and a
security flaw (hides in the shadows waiting for an adversary to find and
exploit it), _just ask Wordpress, Sendmail, or BIND_.

Open source makes a lot of software security problems easier, iff you care
about security --- like nginx always has, and maybe Apache not so much until
recently. But slapping a GPL on your codebase and pushing it to Github does
not make magical unicorns poop security findings into your mailbox.

~~~
c00p3r
Nope. It is good that Theo is so paranoid^Wpassionate, but it isn't a whole
reason. The whole reason is that so many people are involved, both on
contributing and seeking design or coding flaws. Crowd-sourcing is the key.

I didn't say that opening the code makes it secure by a magic, what I said is
that if the code is useful for some skilled people they will fix and improve
the code, at least for themselves. Good ones will submit the patches back to
the community.

So, fuck off.

~~~
Hexstream
tptacek is a recognized world-class computer security expert. He knows his
stuff.

Watch your tone. Mindlessly contradicting him in his field of expertise is not
advisable.

------
Groxx
"landmines" implies _intent_. Strongly. Landmines don't happen by accident,
they're _placed_. The title is rather offensive, probably for linkbait
reasons.

Agree with elbrodeur, it's a "duh" situation. Pre-alpha, no warranty, known
security holes and bugs. They haven't advertised it as _anything_ it isn't.

------
barkingcat
What I think people should do is fork the open source php version of Facebook
that they released about 2 years ago, call it something else, and basically
beat them at their own game using their own software.

Facebook operates on a lot of open source software.

The best thing diaspora can do is to take a look at that open source facebook
release - and just run it on a server - add some federation functions, and
voila, a prototype primitive facebook and twitter killer with a lot of
potential

In fact, maybe I should do such a thing..

~~~
mgunes
> _The best thing diaspora can do is to take a look at that open source
> facebook release - and just run it on a server - add some federation
> functions, and voila_

I want to live in your world.

~~~
barkingcat
Me too. Why is there a lot of doubt about this project? I mean, what stops me
from forking FB open, adding my own designs, my own glue code, and running it?

~~~
mgunes
> _Why is there a lot of doubt about this project?_

Because you make it sound awfully similar to the "StackOverflow in a weekend"
episode:

<http://news.ycombinator.com/item?id=679931>

~~~
barkingcat
But I'm not talking about a "weekend" - What if you had 2 years to do this,
with yourself and a technical co-founder? Wouldn't it work with proper project
planning? I'm not sure where the "weekend" vibe came from?

