

Diaspora website redesign, now with more info about the project - ique
http://www.joindiaspora.com/

======
mdasen
Here's the question I'm left with which has no answer on the site: how will a
distributed social network keep my private data private?

I understand how one can build secure communications. That part is easy. So, I
have a Diaspora account with "Awesomea" and you have a Diaspora account with
"Crapula". It's easy to have communications between Awesomea and Crapula be
secure. However, when you visit your Crapula page, you want to see my updates,
which means that Crapula needs to be able to decrypt my updates. Even if you
have a different key for each user (à la public key encryption), for wide
adoption the service providers (in this case, Awesomea and Crapula) need to be
able to encrypt and decrypt that information (which means they hold the keys).

So, if I friend you and you're using Crapula, I need to trust both you and
Crapula that you won't do bad things with my data.

Part of this is that the Diaspora project doesn't seem to have any technical
information. They have lofty goals like, "you own your social graph, you have
access to your information however you want, whenever you want, and you have
full control of your online identity." However, they have scant information on
how they plan to accomplish that. They say they're using GPG, but are they
going to have a browser plugin with locally stored keys to decrypt the
information? That's the only way I can see this being secure. If you're
storing your key with Crapula and it's decrypting my information, it can store
it as well as show it to you.

Even if the design is to use locally stored keys, what's to stop a provider
from offering a "better" (better, in this case, means easier for
non-tech-inclined users) Diaspora-compatible server which stores them on the
server? And then I have to audit my friend requests to see how their server
has set up security?

It's kinda like handing a friend a classified document and a photocopier. You
tell them "please don't copy this" and they probably won't. But in this case
you're handing that classified document to Crapula and saying "pass this along
to my friend and don't copy it along the way". Yes, Facebook has that ability
too, but it's one company that has a reputation to defend (to an extent) as
well as a legal presence in the United States (which is good for me as a US
citizen) and by posting in the first place I'm trusting them with that data.
With Diaspora, I could start getting friend requests from all sorts of
services run by people a lot shadier than the Facebook folk and I now have to
deal with dozens of privacy policies rather than one.

BTW, this is probably the comment that I would most like to be proved wrong
on. I want distributed, secure social networking that puts me in control of my
data. It's just that I don't see how it works and the Diaspora website doesn't
have any information on it either. If someone here knows how this will work,
I'd love it! It's an exciting prospect, but I feel like it's the same as DRM:
if people can read it/see it/hear it, it can be copied. Likewise, if a service
provider is printing it on screen for one of their users, they can store it.
If anyone has technical information on how this works, it would be really
awesome!

~~~
Wolf_Larsen
Security is only one issue that is undocumented, from my viewpoint.

I've found it bizarre that there is so much support without any logical
outline of what Diaspora is. We have their reasoning
(<http://www.joindiaspora.com/project.html>) and their FAQ
(<http://www.joindiaspora.com/faq.html>).

I don't think this is sufficient to begin a successful project.

Possibly they have not documented their logic to the extent that it exists?

Or possibly I'm the exception and this is not an actual concern for the
project's success?

~~~
cmelbye
_We have ... their FAQ_

And it's a pretty useless FAQ, at that. Most of the questions are about
Kickstarter. (They sure do like raising more and more money, don't they?)

~~~
loup-vaillant
Seconded. Also, the answer to the second question ("is Diaspora portable")
dodges the actual question, and makes me wonder what the Diaspora team
actually want to accomplish. An answer like "portability is not an issue, we
plan to sell you fully configured plug computers anyway" would be much more
reassuring.

I suspect they don't plan to sell such devices. And I totally don't understand
why not.

------
jschuur
Let's just focus on one thing that many people are used to: the news feed.

Say I want to find out what all my friends are up to lately. Since this
information doesn't live in a (more or less) central place any more like it
used to on Facebook, I need to go out and contact each node (in an encrypted,
secure way) that my friends run/pay to host on an ISP and ask them what
they're up to lately. That information then gets merged by my local node (that
I presumably access to view a news stream) and displayed to me.

Isn't that more than a bit inefficient? Hundreds of friends means hundreds of
connections going out to grab friend updates, each with encryption overhead.
And all those nodes have to be up and running, of course.

OK, so let's assume your own node is smart enough to cache these updates.
Maybe it even gets updates pushed to it when my friends update, so it's not
constantly polling all of them in search of updates. That means if my friend
withdraws permission to see their updates, I still have access to their cached
info local to my own node.

So perhaps there's also a push update system that handles revocation. You
remove permissions and send another message to those affected to forget your
info. But what if I run a modified node that chooses to ignore this
information? The whole thing is open source and anyone can tinker with their
node code. Say I friend a malicious entity, decide I don't like them anymore,
and take back their access. It could be too late.

See, this is the kind of technical detail I was hoping for. Real-life examples
and a vague outline of how they're going to tackle them.

~~~
sorbus
Well, that's the problem with having friends. Whenever you let someone get
near to you, they could be carrying a hidden microphone and a video camera.
And, even if you explicitly tell them that you don't want to be friends with
them any more, they'll still remember everything you've told them.

The same issue crops up with email, letters ... hell, every way we've
communicated for hundreds or thousands of years: there is no way to revoke
access to information once granted, even if access to new information is
withheld.

You might as well complain that someone could take screenshots of everything
you say that shows up in their news feed.

------
agentultra
I've been particularly impressed with their amazing ability to avoid
mentioning any details about the project's implementation.

The following is a list of features the future might bring (if I understand
the project page correctly: <http://www.joindiaspora.com/project.html>).

_OpenID_

I assume this is the standard they will use for authentication? What about
this encryption business? Do they intend to modify the OpenID protocol to do
some sort of challenge/response step and exchange keys?

_Voice-over IP_

I'm at a loss for what this means or how it is important to the project. Are
they implementing a specific protocol, using a particular library, or are they
going to attempt rolling their own system?

_Distributed Encrypted Backups_

Backups of what? Distributed why? How?

_Instant Messaging protocol_

There are a plethora of existing protocols they could use. Since they haven't
specified a particular one, does it mean they haven't decided which one to use
yet? Are they planning to build their own "encrypted" protocol? Magic?

_UDP integration_

Whoa. Integration. With UDP? Mind-blowing. I'm assuming that they'll be
building the broadcasting bits of the P2P architecture on UDP. It's what most
distributed, encrypted P2P networks do.

Oh right, there are already dozens of them and have been for years. I guess
these kids are just too young to remember:

- <http://en.wikipedia.org/wiki/WASTE>
- <http://office.microsoft.com/en-us/groove/default.aspx> (before it got bought by MS and turned into corporate turf)
- soulseek, gnutella, freenet, etc.

Wonder how they're planning to break that extra 10x.

~~~
cmelbye
I think that's an example of things on "the list". (Things to do in the far
future after they finish other things that they have to do)

------
zaidf
_We are 140-character ideas. We are the pictures of your cat. We are blog
posts about the economy. We are the collective knowledge that is Wikipedia.
The internet is a canvas – of which, we paint broad and fine strokes of our
lives with. It is a forward extension of our physical lives; a meta-self
comprised of ones and zeros. We are all that is digital: If we weren’t, the
internet wouldn’t either._

Sounds like PR-speak.

~~~
eavc
That would literally be the worst PR writing I'd ever seen.

It's more like a throwaway line from a draft script for the Matrix.

------
eagleal
What people here might really wanna know is that the _source code_ will be
released _under the AGPL_ (you must let your users download the source of the
program they're running).

In my opinion, for boosting commercial adoption an MIT license is truly needed.
I know it's not in their interest to do so (they plan to build a
wordpress.com-like hosting).

~~~
natrius
I doubt the AGPL would stop people from providing Diaspora servers. It would
just remove some of the incentive to improve the software.

~~~
loup-vaillant
With the AGPL, you have some guarantee that improvements will be given back to
the community. So while you're right (_some_ of the incentives are removed),
you're wrong (other incentives are _added_). I bet the net effect will be
positive.

------
jlangenauer
The Diaspora guys have missed the problem completely: the issues are not
technical ones - the major problems here have been solved.

The issue is UX: Nobody - and certainly not Facebook - has come up with an
effective interface that allows us to manage our interactions online with the
fidelity that we want. And I doubt that these four kids are going to come up
with a spell-binding piece of design that does this. They seem to be Ruby
programmers, and certainly not designers - graphical, UX or otherwise, if one
is to judge by their website.

Far deeper analysis of the problem is needed than the reactionary "Facebook
are arseholes, they're acting like a big corporation". The details of how we
create multiple online publics[1] for ourselves, how we relate to them, and
understand them is key to building any sort of infrastructure to manage those
publics. The Diaspora guys seem to be treating this as purely a technical
problem, when it most certainly is not.

[1] It's the other side of the coin to having multiple online identities, but
to me, makes a bit more sense as a conceptual model for what we're dealing
with.

------
andrewvc
Wouldn't it suck if you were some kid with a lot of ambition, and some huge
ideas, who tried to bite off more than he or she could handle, all while the
world watched and encouraged you? Wouldn't it suck if you felt a real
obligation to see through to some half-baked idea you came up with in your
early 20s?

I have sympathy for the Diaspora guys. I think if it went unnoticed and
unfunded it could be a great learning project for some young coders, even if
it didn't achieve practical success. Instead, it'll likely be (already is) a
public embarrassment.

If I could give the Diaspora guys one bit of advice, I'd say this: don't take
this too seriously; treat it like a fun summer project. The last thing you
want to be is the next freenet (no offense Freenet guys, awesome concept, but
it never really caught on).

------
pavs
The complete lack of technical information is dumbfounding.

------
heresy
Your $200,000 at work.

~~~
irrelative
I realize you're being sarcastic and this doesn't apply to you directly, but
this has been bugging me for a while:

Everyone needs to stop saying these guys are "well funded." $200k is nothing,
especially for a team of 4 people. It's certainly not enough for them to hire
anyone else full time to join them. Yes, they didn't have to do much to get
this money and I realize it's infuriating if you're really struggling to get
your business off the ground when 4 nobodies get a chunk of money out of
nowhere, but please recognize that the amount is so small that it doesn't
warrant outrage.

Furthermore, they didn't even ask for that much. It got a big network effect
in light of the recent facebook privacy issues, but it's a one time thing and
most likely the last money they'll ever see for this project. I don't think
their situation is repeatable in any sort of predictable way, so it probably
doesn't warrant studying (please correct me if someone's figured out a way to
do this, cause I think most of us would like to figure out how to get free
funding). We should wish them the best of luck and only care when they make
something people want to use.

I can already see the headlines of outrage when they don't produce something
that destroys facebook overnight, or maybe don't release on time, or their
code is really bad. Anyone who contributed to them only expected to give
facebook a little jab. There are reasons to question their abilities, but
jealousy over their gimmicky funding really needs to stop.

~~~
iamdave
I don't think it's jealousy over gimmicky funding, I think it's more along
the lines of all this hype was raised, all this money was raised and we're
still sitting here, sucking our thumbs to see what's supposed to happen.

The launch date is in September, and so far the last update since the NY Times
article was a redesign. The only technical information is that it's using
Ruby, "a little bit of rails" and some "other" frameworks.

This feels to me like giving a kid $0.25 for a glass of lemonade, and him
telling me he'll bring it to my house after he's built his lemonade stand,
bought the ingredients and actually produced a beverage.

~~~
Wolf_Larsen
_This feels to me like giving a kid $0.25 for a glass of lemonade, and him
telling me he'll bring it to my house after he's built his lemonade stand,
bought the ingredients and actually produced a beverage._

This is exactly the state of the project unless there is a whole lot that the
Diaspora team has not publicly documented.

But, as far as I know, they have never stated that this was not the case.
Their video made it pretty apparent they had yet to build the lemonade stand
and buy the ingredients.

------
godiaperoa
Seems like they're already slipping on their promises and they haven't even
started development yet: <http://twitter.com/joindiaspora/status/14146589639>

What are they spending all their time doing?

~~~
icco
Which is hilarious, because their site claims they are almost done.

------
pclark
Doesn't render well on iPhone. And do they not own the -join.com?

~~~
ique
It seems like they do not own diaspora.com, no. Some guy in Las Vegas does, and
I'm sure he's gotten quite a lot of traffic to his ad-parked site.

------
pedalpete
How did they go from having a nice visual & simple logo
[http://www.facebook.com/album.php?profile=1&id=118635234...](http://www.facebook.com/album.php?profile=1&id=118635234836351#!/photo.php?pid=147415&id=118635234836351)

to having this horribly designed website?

They likely didn't even need to use the money they have to get a half decent
design.

This is not instilling much confidence in these guys.

------
tewks
The typography is pretty bizarre.

~~~
eam
Especially in the navigation area.

------
eavc
I'm perfectly okay with them being fairly scarce with information until they
have something built.

They surely have high caliber advisers at this point. The peanut gallery
probably wouldn't be all that helpful as they try to lay the first
foundations.

Once there's something complete to react to and build on, they'll release the
code.

------
sebastian
If the project takes off and has mainstream adoption I couldn't wait to see an
MIT-licensed Django clone.

------
dmpatierno
As if they needed another blow to their already tenuous credibility, the site
doesn't even validate.

[http://validator.w3.org/check?uri=http%3A%2F%2Fwww.joindiasp...](http://validator.w3.org/check?uri=http%3A%2F%2Fwww.joindiaspora.com)

I have zero confidence in this group.

~~~
pook
[http://validator.w3.org/check?uri=http://news.ycombinator.co...](http://validator.w3.org/check?uri=http://news.ycombinator.com&charset=\(detect+automatically\)&doctype=Inline&group=0&user-agent=W3C_Validator/1.767)

EDIT:
[http://validator.w3.org/check?uri=http://www.google.com&...](http://validator.w3.org/check?uri=http://www.google.com&charset=\(detect+automatically\)&doctype=Inline&group=0&user-agent=W3C_Validator/1.767)

I suppose we should by this logic be 4 times more confident in Diaspora than
Google, and 15 times more confident than HN.

~~~
cmelbye
Google doesn't validate because they need to serve the page millions of times
a day. Hacker News is not a startup, it wasn't funded with $200,000, and its
goal is not to create a web application (Diaspora's is.)

~~~
pyre
> _Hacker News is not a startup, it wasn't funded with $200,000, and its goal
> is not to create a web application (Diaspora's is.)_

I'm confused. So does anything that is not a start-up, and/or web application
get a free pass on standards compliance? I was under the impression that the
standards were meant to apply to all web pages.

------
tkahn6
It took me a few seconds to realize the CSS had completely loaded.

------
ddemchuk
Well, at least we know they have 200k to spend on a good designer now :)

