
+1 from me. The more I check out the code, the more screwed up stuff I find.

I went to go try and fix the XSS bugs and found no view testing, or integration testing. Just model and controller unit tests. I managed to get a general patch in [1] to help a bit, but there are other, deep seated problems. This needs a lot of work. I'm no security expert by far, so like he says in TFA, I fear for what tptacek or someone that knows what they're doing could do.

1: http://github.com/diaspora/diaspora/commit/22edec57766356cdc...

The problem with stuff like this is, I'm not going to look at it. This story came about in part because Coda Hale (another security pro) posted a message to Twitter, linking to the crypto code in Diaspora with an abstract "uh oh". It was warranted, I posted a message to that effect, and got an inquiry, which was more properly addressed by Patrick, who has just provided Diaspora with several thousand dollars of free consulting.

What was the problem I was getting at? Oh, yeah: Diaspora has no apparent access to the software security expertise they need to pull this off. I looked at it for 17 seconds, rolled my eyes, and stopped reading. Maybe someone at iSec Partners will take this project under their wings. But why? Most software security professionals are up to their ears in interesting projects that aren't attempts by college kids to take on Facebook.

More than a few of those professionals are now busy working for Facebook.

This is a dumb idea for a project.

This isn't "software security expertise" this is a team of people not communicating at all with each other. For example, the Photo controller

edit (show edit form) checks that it's your photo to edit

update (make changes to photo) does not, you can update anyone's photo to anything

destroy (delete the photo) does not, you can delete anyone's photo w/ the id.

This is stuff you just DON'T DO in a web app. It's something any self respecting web developer, especially Rails developer, will look at and shudder. And those are the simple things that immediately stand out. Who knows what kind of security failures are built into this system due to ignorance or just plain lack of care.
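The ownership gap that comment describes, rebuilt as an added example (illustrative code, not Diaspora's actual controller): a controller that checks ownership only in `edit`, beside a hardened one that routes every action through a single owner-scoped lookup. `Photo`, `User`, the controller class names, the in-memory table and the user ids are all assumptions made for the example.

```ruby
# Added example, not Diaspora's code: the per-action authorization gap
# described above, modelled with plain Ruby so it runs without Rails.
# Photo, User, the controller names and the in-memory table are assumptions.

Photo = Struct.new(:id, :owner_id, :caption)
User  = Struct.new(:id)

# Constructed in-memory table standing in for the photos table.
def fresh_photos
  {
    1 => Photo.new(1, 10, "alice's photo"),
    2 => Photo.new(2, 20, "mallory's photo"),
  }
end

# The shape of the bug: only `edit` scopes the lookup to the caller's own
# photos; `update` and `destroy` fetch by bare id, so any logged-in user
# can rewrite or delete any photo whose id they can guess.
class VulnerablePhotosController
  def initialize(photos, current_user)
    @photos = photos
    @current_user = current_user
  end

  def edit(id)                      # ownership checked here ...
    photo = @photos[id]
    return :not_found unless photo && photo.owner_id == @current_user.id
    :ok
  end

  def update(id, caption)           # ... but not here ...
    photo = @photos[id]
    return :not_found unless photo
    photo.caption = caption
    :ok
  end

  def destroy(id)                   # ... or here.
    @photos.delete(id) ? :ok : :not_found
  end
end

# Fix: one ownership-scoped lookup that every action goes through.
# In Rails the same idea is `current_user.photos.find(params[:id])`
# instead of `Photo.find(params[:id])`: a photo the caller does not own
# then raises RecordNotFound exactly like one that does not exist.
class HardenedPhotosController
  def initialize(photos, current_user)
    @photos = photos
    @current_user = current_user
  end

  def edit(id)
    find_own_photo(id) ? :ok : :not_found
  end

  def update(id, caption)
    photo = find_own_photo(id)
    return :not_found unless photo
    photo.caption = caption
    :ok
  end

  def destroy(id)
    return :not_found unless find_own_photo(id)
    @photos.delete(id)
    :ok
  end

  private

  def find_own_photo(id)
    photo = @photos[id]
    photo if photo && photo.owner_id == @current_user.id
  end
end

# Drive one controller as a given user against photo 1 (owned by user 10)
# and report what happened, so the two controllers can be compared.
def run_as(controller_class, user_id)
  photos = fresh_photos
  c = controller_class.new(photos, User.new(user_id))
  edit    = c.edit(1)
  update  = c.update(1, "defaced")
  caption = photos[1].caption
  destroy = c.destroy(1)
  { edit: edit, update: update, caption: caption, destroy: destroy,
    remaining: photos.keys.sort }
end

if __FILE__ == $0
  p run_as(VulnerablePhotosController, 20)   # mallory defaces and deletes alice's photo
  p run_as(HardenedPhotosController, 20)     # every action reports :not_found
  p run_as(HardenedPhotosController, 10)     # alice can still edit her own photo
end
```

Running it as user 20 against the vulnerable controller shows exactly the asymmetry in the comment: `edit` refuses, but `update` and `destroy` succeed. The hardened version answers `:not_found` for all three, and the owner's own requests still work. The design point is that the check lives in the lookup, not in each action, so a newly added action cannot forget it.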

This isn't their fault. I'm really torn on how much snark to aim in their direction. They had smart advisors (I like the Pivotal guys). It is not an insane decision to post a code milestone like this, with all the crappy code that entails. Our internal pre-alphas aren't --- well they're not this bad but they're not perfect.

But none of that matters because they've picked a project that they have to get right, and that in the long run is going to be defined in large part by design security.

In another thread, someone from Pivotal said that they didn't really advise them more than just a few conversations during breakfast. They were just working out of their office.

At first, I thought those comments were a CYA distancing from Diaspora, since their release has been so abysmal, but then I watched their presentation to Pivotal again, and it really does seem like everyone there knew about as much about Diaspora as we all did on Sep 14th.

I worked out of Pivotal's office for a few months. That sounds about right.

free publicity for Pivotal + freebie recruiting data (getting closer look at the Diaspora guys as possible future employee fodder)

Whose fault is it then? The expectations were set - not that first code release would be awesome - but 'privacy' was the entire reason for diaspora starting.

I was expecting some integral libraries that would encapsulate privacy and authentication logic which would be reused for the entire framework. I don't really care if this was 'only' 3 months of work. That lack of security/privacy checking in that photo update section speaks volumes about where the developers and entire project are at.

Is it doomed? Probably not - apparently even Duke Nukem Forever has a new release date(?) - but they've got a long way to go to convince early adopter techies (people like me) to install this and evangelize on their next round.

I've seen too much total idiocy on long term, "real" software projects to sneer at anything even barely working produced in these circumstances.

A code review by the frickin entire world???

This will help them WHEN THEY DO THEIR ALPHA RELEASE. Thanks...

Reading all this actually is the first moment I imagined that diaspora wouldn't be the total disaster it threatened to be.

This is a dumb idea for a project.

Diaspora? Or doing a security audit of Diaspora's code?

Yep. And I don't want to help too much, because what happens if I only fix some problems? I can prevent against basic stuff, if their crypto is bad, that's above me. And if I fix some of it, and then somebody gets burned by something I didn't catch, I'd feel partially responsible.

Reasons to work on this?

Visibility, visibility, visibility, visibility, visibility, and visibility.

Did I mention visibility?

You're missing the context. You may see Diaspora as a great way to get visibility. I assure you, any competent software security person has much better ways of getting visibility.

Thanks, I was wondering why they had XSS bugs. Surely the point of using a framework is so that you don't have to think (too hard) about that sort of low level security issue?

You'd think. Rails 3 is supposed to handle this, Haml has that setting I enabled...

There are other ways to get XSS bugs than bad html escaping. For example, if you redirect to a user-provided location, they can inject javascript and/or http headers.
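The redirect case that comment raises, as an added example (not Diaspora's code): a function that takes a user-supplied "return to" value and produces a redirect target that can neither inject response headers nor point at a `javascript:`/`data:` URL or a foreign host. The function name, `allowed_host` and `fallback` are assumptions made for the example.

```ruby
require "uri"

# Added example, not Diaspora's code. Turns an untrusted redirect target
# into a site-local path, or returns `fallback`. The name, `allowed_host`
# and `fallback` are assumptions for this illustration.
def safe_redirect_target(raw, allowed_host: "example.org", fallback: "/")
  return fallback if raw.nil? || raw.strip.empty?

  # CR, LF or NUL inside a Location header value lets the attacker append
  # their own headers or a body to the response (HTTP response splitting).
  return fallback if raw.match?(/[\r\n\0]/)

  uri = begin
    URI.parse(raw)
  rescue URI::InvalidURIError
    return fallback
  end

  if uri.scheme
    # Only http(s) to our own host. This rejects javascript:, data:,
    # vbscript: and friends, which a browser executes in the user's
    # origin when it follows the redirect.
    return fallback unless %w[http https].include?(uri.scheme.downcase)
    return fallback unless uri.host && uri.host.casecmp?(allowed_host)
  elsif uri.host
    # Protocol-relative "//evil.example/..." keeps the current scheme but
    # leaves our site.
    return fallback
  elsif !raw.start_with?("/")
    # "photos/1" resolves against the current page; only site-absolute
    # paths are accepted.
    return fallback
  end

  # Emit a path (plus query) rather than echoing the original string, so
  # userinfo, fragments and odd encodings never reach the Location header.
  path  = uri.path.to_s.empty? ? "/" : uri.path
  query = uri.query ? "?#{uri.query}" : ""
  path + query
end

if __FILE__ == $0
  [
    "/photos/1",
    "https://example.org/photos/1?x=1",
    "javascript:alert(1)",
    "//evil.example/phish",
    "http://example.org@evil.example/",
    "/photos/1\r\nSet-Cookie: session=attacker",
  ].each { |input| puts "#{input.inspect} -> #{safe_redirect_target(input).inspect}" }
end
```

The checks are layered on purpose: the CR/LF test runs before parsing because a parser may silently strip or tolerate control characters, and the output is rebuilt from the parsed path and query rather than passed through, so that whatever the parser accepted cannot smuggle a second header or a different host into the `Location` value.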
