
This isn't "software security expertise"; this is a team of people not communicating at all with each other. For example, the Photo controller:

edit (show edit form) checks that it's your photo to edit

update (make changes to photo) does not, you can update anyone's photo to anything

destroy (delete the photo) does not, you can delete anyone's photo w/ the id.

This is stuff you just DON'T DO in a web app. It's something any self respecting web developer, especially Rails developer, will look at and shudder. And those are the simple things that immediately stand out. Who knows what kind of security failures are built into this system due to ignorance or just plain lack of care.
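The missing-authorization pattern described above, as an added example rather than anything from the Diaspora code base: a plain-Ruby stand-in for a Rails controller (no Rails needed; `Photo`, the `PHOTOS` store and the user symbols are assumed, in-memory simplifications) showing an `update`/`destroy` that look the record up by id alone beside versions whose lookup is scoped to the caller's own photos, the equivalent of `current_user.photos.find(params[:id])`.

```ruby
# Added example, not Diaspora's code. Photo, PHOTOS and the user ids are
# assumed in-memory stand-ins for the Rails models the comment refers to.
Photo = Struct.new(:id, :owner_id, :caption)

class NotFound < StandardError; end

# Constructed sample data: two photos owned by two different users.
PHOTOS = {
  1 => Photo.new(1, :alice, "alice's cat"),
  2 => Photo.new(2, :bob,   "bob's dog"),
}

# Looks a photo up by id only; the caller's identity is never consulted.
def find_by_id(id)
  PHOTOS.fetch(id) { raise NotFound }
end

# Looks a photo up within the caller's own photos. A photo that belongs to
# someone else is simply not found, so there is nothing to change or delete.
def find_owned(user, id)
  photo = PHOTOS[id]
  raise NotFound unless photo && photo.owner_id == user
  photo
end

# The flaw: `edit` checks ownership, but `update` loads by id alone, so any
# logged-in user can change any photo whose id they know.
def update_unscoped(_current_user, id, caption)
  find_by_id(id).caption = caption
  :ok
end

# The fix: the lookup itself is scoped to the caller, so the check cannot be
# present in one action and forgotten in the next.
def update_scoped(current_user, id, caption)
  find_owned(current_user, id).caption = caption
  :ok
end

# Same contrast for destroy; each returns the number of photos removed.
def destroy_unscoped(_current_user, id)
  find_by_id(id)
  PHOTOS.delete(id) ? 1 : 0
end

def destroy_scoped(current_user, id)
  find_owned(current_user, id)
  PHOTOS.delete(id) ? 1 : 0
end
```

The scoped versions raise `NotFound` for another user's photo, which in Rails would surface as a 404 rather than a silent success.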




This isn't their fault. I'm really torn on how much snark to aim in their direction. They had smart advisors (I like the Pivotal guys). It is not an insane decision to post a code milestone like this, with all the crappy code that entails. Our internal pre-alphas aren't --- well they're not this bad but they're not perfect.

But none of that matters because they've picked a project that they have to get right, and that in the long run is going to be defined in large part by design security.


In another thread, someone from Pivotal said that they didn't really advise them more than just a few conversations during breakfast. They were just working out of their office.


At first, I thought those comments were a CYA distancing from Diaspora, since their release has been so abysmal, but then I watched their presentation to Pivotal again, and it really does seem like everyone there knew about as much about Diaspora as we all did on Sep 14th.


I worked out of Pivotal's office for a few months. That sounds about right.


free publicity for Pivotal + freebie recruiting data (getting a closer look at the Diaspora guys as possible future employee fodder)


Whose fault is it then? The expectations were set - not that the first code release would be awesome - but 'privacy' was the entire reason for Diaspora starting.

I was expecting some integral libraries that would encapsulate privacy and authentication logic which would be reused for the entire framework. I don't really care if this was 'only' 3 months of work. That lack of security/privacy checking in that photo update section speaks volumes about where the developers and entire project are at.

Is it doomed? Probably not - apparently even Duke Nukem Forever has a new release date(?) - but they've got a long way to go to convince early adopter techies (people like me) to install this and evangelize on their next round.


I've seen too much total idiocy on long term, "real" software projects to sneer at anything even barely working produced in these circumstances.

A code review by the frickin' entire world???

This will help them WHEN THEY DO THEIR ALPHA RELEASE. Thanks...

Reading all this actually is the first moment I imagined that diaspora wouldn't be the total disaster it threatened to be.



