Since the sentiment here and in the article seems to be overwhelmingly negative, I'm curious what people think the Diaspora team could have done better. (Not rhetorically, actually curious.)
I guess "be experienced web developers" (or hiring some) would have helped them to avoid writing insecure code. Retaining a security consultant would seem extreme given that this is an early code-only release.
Is their real mistake simply not doing more to counter the hype? I mean, if you take some code you hacked together over the summer, put it on Github, and non-developers start clamouring to use it, that's a vanishingly improbable best-case scenario for some software developers (at least you think it is until you get the bug reports :)). I guess they should have gone out of their way to say "please don't host this without big scary BETA warnings"?
It seems like the most irresponsible parties here are whoever is hosting these services that uninformed members of the public are signing up to.
The thing is, the errors they've made are so basic as to raise questions to their competence. I don't want to give too much away, but think "absolutely no permissions checks anywhere." Think "base64 is not encryption."
They did say in their blog post that there were known bugs and holes. At the bottom. As the last sentence or two. But that's not stopping anyone...
There's only so much you can expect in such a short period of time from a few guys with little experience. I want them to succeed, but they need to develop or hire better engineering talent.
Hiring the UX firm to get that piece right was a smart decision, since UX sells products. But, the product they're selling is a secure, distributed social network--my hope is that they realize this and get help from an outside security expert.
The real value these guys provide is their vision and initiative.
Privacy was the key kickoff point in the first place. You can't have good privacy without good security. When these are your primary reasons for getting started, your 'user experience' has to entail security.
There's load of social networking platforms already far more mature that offer better security, permissioning, and many might say, an overall better user experience (elgg and buddypress spring to mind as names, although I won't say they're necessarily better UX).
Diaspora got a HUGE publicity boost from Facebook's earlier privacy blunders this year, and may be able to ride that wave a bit longer, but the 'federation' aspect they want to add could possibly/probably be added to existing product. Perhaps other products are considering this already? As someone else said yesterday, having an 'HTTP' for social media would be more important than having an 'Apache' for social media.