The thing is, the errors they've made are so basic as to raise questions about their competence. I don't want to give too much away, but think "absolutely no permissions checks anywhere." Think "base64 is not encryption."
They did say in their blog post that there were known bugs and holes. At the bottom. As the last sentence or two. But that's not stopping anyone...
There's only so much you can expect in such a short period of time from a few guys with little experience. I want them to succeed, but they need to develop or hire better engineering talent.
Hiring the UX firm to get that piece right was a smart decision, since UX sells products. But, the product they're selling is a secure, distributed social network--my hope is that they realize this and get help from an outside security expert.
The real value these guys provide is their vision and initiative.
Privacy was the key kickoff point in the first place. You can't have good privacy without good security. When these are your primary reasons for getting started, your 'user experience' has to entail security.
There are loads of social networking platforms already far more mature that offer better security, permissioning, and, many might say, an overall better user experience (elgg and buddypress spring to mind as names, although I won't say they're necessarily better UX).
Diaspora got a HUGE publicity boost from Facebook's earlier privacy blunders this year, and may be able to ride that wave a bit longer, but the 'federation' aspect they want to add could possibly/probably be added to existing products. Perhaps other products are considering this already? As someone else said yesterday, having an 'HTTP' for social media would be more important than having an 'Apache' for social media.