It would actually be surprising to read the headline: "4 students develop bug free, totally secure social networking platform in 3 months"
That being said, I'm excited to see how the project develops -- it's the kind of project that I wish I had the time to contribute to.
If the roller manufacturer put a big warning on their packaging, whose fault is the accident?
...serious hats off to them if they've learned enough to be dangerous (literally)...
I guess "be experienced web developers" (or hiring some) would have helped them to avoid writing insecure code. Retaining a security consultant would seem extreme given that this is an early code-only release.
Is their real mistake simply not doing more to counter the hype? I mean, if you take some code you hacked together over the summer, put it on Github, and non-developers start clamouring to use it, that's a vanishingly improbable best-case scenario for some software developers (at least you think it is until you get the bug reports :)). I guess they should have gone out of their way to say "please don't host this without big scary BETA warnings"?
It seems like the most irresponsible parties here are whoever is hosting these services that uninformed members of the public are signing up to.
They did say in their blog post that there were known bugs and holes. At the bottom. As the last sentence or two. But that's not stopping anyone...
Hiring the UX firm to get that piece right was a smart decision, since UX sells products. But, the product they're selling is a secure, distributed social network--my hope is that they realize this and get help from an outside security expert.
The real value these guys provide is their vision and initiative.
There's a load of social networking platforms already far more mature that offer better security, permissioning, and many might say, an overall better user experience (elgg and buddypress spring to mind as names, although I won't say they're necessarily better UX).
Diaspora got a HUGE publicity boost from Facebook's earlier privacy blunders this year, and may be able to ride that wave a bit longer, but the 'federation' aspect they want to add could possibly/probably be added to existing products. Perhaps other products are considering this already? As someone else said yesterday, having an 'HTTP' for social media would be more important than having an 'Apache' for social media.
Let's think about what Richard Feynman meant when he said "what do you care what other people think?"
It's been released as pre-alpha. That's responsible. If it has a greater magnetic attraction to naive early adopters than other software, whose problem is it? Ours or the Darwin Awards?
However, the Diaspora github readme says this in bold:
"PLEASE, DO NOT RUN IN PRODUCTION. IT IS FUN TO GET RUNNING, BUT EXPECT THINGS TO BE BROKEN"
So, shame on The Register for calling this news.
So I'm not surprised users ran out to try it.
We all started somewhere and were inexperienced, but there was a time, before Google Groups, where the ability to sign up to a mailing list was a small hurdle that helped weed out some of the mailing list distraction. September never ends.
Bugs sure. But not security holes. Sure no one plans for security holes, but I can say with decent confidence that the websites I write don't have any obvious security holes.