This is hiring a bunch of interns (with near zero experience) to implement your product, giving them three months, and then being shocked -- SHOCKED, when the code is not professional grade quality.
I was shocked when everyone and their brother was willing to shell out money to a group of completely unproven college students to produce a distributed open source 'Facebook Clone', that is also 'private'. My inclination is that the 'distributed' and 'private' parts of the description push it into the oxymoron tier of product specifications. I would have expected this alone to give people pause about what the architecture would be (somehow it didn't).
Honestly, at least they have produced something, and for the most part, it works. Hopefully they haven't burned through too much of the $250,000 that they started with. 3 months of development time is honestly nothing.
Presumably, they could get comments on this, throw the entire thing away, re-write while fixing the various issues, and be well beyond where they are now in another three months. (If this is as bad as Steve says, I hope this is the case). Presumably the development will go faster because previously they were learning and developing at the same time (presumably).
Hacking together a prototype that you then throw away is a perfectly reasonable development model. I'm impressed (and pleased) that they have produced anything.
They mention at least two large cost items - luxr (basically consulting by Janice Fraser, it says around $10k on the company page) and pivotal labs. Pivotal is the huge one, I once got a quote from them on a project I was working on and they basically said they don't do less than 6 figures. So unless they got some kind of insider discount, the back-of-the-napkin math says at least half of their cash is gone.
Whether it was worth it or not is a separate matter. As a resume builder for a young team: sure, why not, you could do a lot worse. As a product for end users: you might support their cause, it depends on whether you're 1) a Facebook-hating neckbeard-sporting privacy nut - excuse me, libertarian, or 2) willing to cut them slack on an early release because there's some interesting technical challenge they're tackling.
For everyone else: no thanks, Facebook's fine and we'll stick with the real thing.
What exactly is so abnormal about being concerned with Facebook's privacy problems? Particularly, what issues are normal to be concerned about and what issues make one a "neckbeard-sporting privacy nut"?
I don't think that the second system effect applies, specifically given that it isn't elegant or successful yet. (In fact, most of the comments are that it is inelegant and a failure).
Second system effect mostly reflects the evils of redesigning a perfectly good working product.
IMO, second system effect is doing everything you've done bigger and better while fixing the problems in the first system. It wasn't tied to the elegance of the first system design, at least in my mind.
(Debugging is 90% of software development).
But this isn't even debugged.
I write a prototype to learn the technologies for a given project all the time.
It is the first step in my development cycle (How the hell does this stuff work?)
I don't design it, I just start hacking.
Once I have an understanding of how the various pieces are able to fit together, then I make a design and put together the first system.
My point is that I don't think this is complete or well-implemented enough to comprise a first system.
(And it isn't, it is an alpha).
(Well, I have more than zero experience... maybe I'm overqualified)
I haven't read the code myself, but the OP is claiming "really, really bad security holes", and calls out the encryption code.
Security is not something that can be bolted on after the fact; it needs to be baked in from the start, in a product like this. And, remember, security/privacy was Diaspora's raison d'etre.
No one expects the first code dump to be polished, or feature-complete. But if there are serious flaws there, of the magnitude described, pointing it out isn't just "trash talk."
In fact, this is how it happens in the vast majority of cases, including the case of Facebook.
Facebook probably isn't the best starting point because anything working at that scale is a challenge no matter what.
(Edit: Though if one measure's Diaspora's eventual size if it reaches its goals and considers what percentage of the man-hours have been put in to date, this is still early in the process and major rearchitecting of every component was inevitable anyhow, so hopefully with one of those they can install some security too.)
...which is Diaspora's claim to existence.
Their code is out there, they have openly said it is full of bugs and they now have a hell of a lot of eyes, They will get a massive benefit from this being opened early and it really isnt their problem if people refuse to ignore all their and everyone elses advice and give out their banks password
Furthermore, one of the primary goals of the project was to make something more privacy-conscious than Facebook, and so far they show they have a development process that pays less attention to access control than any Rails app I'm aware of.
1. Build features, ignoring permissions entirely.
2. When the feature set is relatively stable, default to disallowing everything.
3. Re-enable one feature at a time as you add appropriate permissions checks.
Step 1 looks horribly irresponsible if you don't know 2 is coming. But if you do, it avoids a false sense of security from half-finished permissions in rapidly changing code, and it keeps up early motivation since you're rolling out "exciting" features right away. And counting on step 2 ensures you're always checking whether something is allowed, instead of foolishly checking whether something isn't allowed.
Whether this scenario applies to Diaspora at all ... I don't know. Time and another release will tell. But I do think there are valid situations where authorization is "the kind of thing you add later" for appropriate values of "later".
The question is, do the problems in the code establish beyond doubt that this team is not capable of delivering a final product that will see some level of acceptance? I really hope not.
1: I'm assuming that - I would hope they didn't think this was release-ready material.
And may I add, I think it is really great that many public seeds are being deployed, this is the only and best way to test a social federated network, pre-alpha or not.
I'm afraid that Diaspora might be in an impossible position. If they release something early, they'll get a lot of bad press from knuckleheads like this one that the quality is no good. If they release late, everyone will be clamoring over the wasted $250k in the interim, demanding: "when will we see something?".
Now growing it over time, standing up to public scrutiny, hardening, balancing, monetizing -- those are much harder problems. Getting code out? Not really, in my opinion.
There's some stuff that good/experienced developers do upfront naturally. There are some security, design and performance things that are clearly a case of bad development versus "this is an early release".
"Fundamentals" are things like: there's no identifiable data model, the code is pure spaghetti and structure is a fleeting concept.
From my very quick scan of their code, it's readable, the parts of the data model I looked at are fairly obvious (thanks Rails), dependencies are identified, crypto seems fairly localised. Correction of bugs seems definitely doable. Extra features shouldn't require a total refactoring. Looks good to me for an alpha drop.
Next up: posts criticising the spelling in the comments in the Diaspora code.
And I'd say having no authorization in a project that's supposed to be about privacy is missing a fundamental.
The fact is, the implementation is obviously problematic. I won't go as far as saying that the design is flawed, although some security vulnerabilities are certainly pointing that way. It's obvious that Diaspora's developers are inexperienced, and therefore could use all the help they can get from us. This is one point in favour of an early release, in my book. On the other hand, early design and implementation decisions have profound implications during the lifespan of a project (this is especially true when it comes to security), and I will not trust my personal details to Diaspora in its current form; the project still has a (very) long way to go before being technically up-to-date.
Judging from the noise their release makes here on HN i think the diaspora guys did well opening up their repo 'early'.
And to steve: i think you hold 'professional programmers' (which i interpret as programmer that get paid) waaay too high..
Their entire reason for existing is "Facebook but private". At the moment, they are delivering on that like ROT13Snap delivers on secure backup. And due to a programming bug, ROT13 was applied twice, and indexes are on in Apache. It is a cluster flop.
Strange thing is, the advantage Facebook had is that it launched to a small audience initially with very limited functionality.
it took me 2 minutes to find out what BCC means. for those also wondering:
sorry but BCC is not open source so i call it a bad comparison. commercial software is different. the thousands of diaspora end-users you talk of are probably quite aware they are guinnee-pigs of a facebook counter project.
"facebook but private", sorry but again i dont think you get diaspora as it is more like "facebook but distributed".
calling diaspora a "flop" is like calling mozilla before 1.0 a flop: it's open source (something you dont seem to get), its out there for _anyone_ to play with freely, to collaborate on, to learn from...
OTOH, they themselves seemed to have said it's not MVP either, so I think that's okay.
I'm still concerned about the longer-term viability using the reasoning of "This many basic mistakes doesn't bode well", but time will tell.
I wish them the best of luck.
What I meant was more of "someone who's knowledgeable about their craft," but you're absolutely right anyway.
Yeas, it's made some rookie mistakes. Yes, there's a load of things they shouldn't be trusting on postback (silly things like not checking the owner of an object on 'delete' commands).
That's not bad code, that's a bad implementation. That's not knowing what to trust and what not trust cause they've never been screwed up the ass by it yet.
But bad code? No.
The implementations are problems, they need this shit pointed out to them. That is all.
Steve and Patio11 are doing some serious damage to a good project for no apparent reason apart from self promotion. I want to call them nasty names, I really, really do.
Rather than type a bunch of replies to everyone, here's some random thoughts:
1. Release early, release often is great. But when your product's main focus is "a private social network where you control your data" and other people can do anything they'd like with your account...
2. If this was just unpolished, I wouldn't say anything. But like patio11 is saying, this has been covered by major news outlets, and many non-technical people are getting involved. This is a plea to pay attention to the fact that it's pre-alpha software.
3. The mistakes are beyond amateur. This isn't "omg it's not perfect," this is "I can't believe they didn't even apply the basics." The reason that this matters is that it doesn't bode well for the future of the project. If they can't even get this correct, how am I supposed to trust them later?
4. I only complain because I care. I want this project to succeed, and I really like a lot about the interface, actually. But that doesn't mean I won't call a spade a spade.
Can you pinpoint them? I don't think it makes sense not to at this point..
For example: http://github.com/diaspora/diaspora/blob/master/app/controll...
There's no check to see if this is your photo or not. And before you mention it, the before_filter only checks if they're logged in, not permissions.
There are many, many similar things to this. Check out lib/encryptor.rb and shudder. I'm no security expert, but...
Rails 3 has been in beta for the better part of the summer. This means that many plug-ins (Devise included) haven't been able to keep up 100% compatibility. It's entirely possible that they've only implemented Devise for login authentication, but plan on expanding with something like Warden or Clearance for model/controller level security as the plug-ins come up to speed.
Our group started on a Rails 3 app back in March, and we learned early on that we should stick to our core app development, avoiding plug-in implementations until things stabilize. Hell, look at Bundler. The jump from 0.9.x to 1.0 broke our app deployment methodology between the beta3 release and Rails 1.0. We never even got around to beta4. When you develop using a beta framework that evolves quickly and breaks compatibility, you have to be careful where you place your efforts.
I'm not ready to lay down on the tracks and defend them here, but I don't think it's an impossible to assume that they just haven't addressed security yet. Maybe they haven't arrived at a framework choice. The fact that there is literally no security would seem to suggest this is true more so than if they had sparse security.
One aspect remains true, however. Anyone who deploys this and puts anything of value in it is asking to get body slammed.
This is an alpha release. People shouldn't be using it, that's all. They should've put in an artificial limitation like max. 2 users with max. 2 pics each per server to avoid people using it.
The whole thing being in Rails is much more of a turn-off for me.
Realistically, though, so long as they don't get clever it might be fine. If they do clever things then review becomes very hard.
I'm putting it down to envy: these guys have shipped some pre-alpha code that's interesting to a large number of people.
Excellent marketing in the open source community for developer eyeballs, perhaps not so good in terms of end-user experiences, but that's not the point at this stage, numbers will be low and the perceptions of the dumb early-adopters (of pre-alpha distributed social networking code, ffs) shouldn't leak too badly into the mainstream.
However, people are now eating the dogfood, and I expect to see fairly rapid improvements in the code: not unexpected for an alpha drop in my experience.
To the people who are moaning, would you like others to see your alpha code and laugh bitterly about you being a young (or old for that matter) upstart?
More than the fact that the code isn't production ready (by a long shot it seems), I'm just surprised the released anything at all. Perhaps spending all that money on those consultants was a good thing for them. I doubt they would've been able to get by on their own given what was released and the hype they set in motion. It's a lot to live up to. They made some really bold claims.
Just goes to show that you can't just talk the talk and watch your dreams come true.
Thank God that our industry isn't lousy with ambitious but inexperienced twenty-somethings. If we let them run amok, we'd get crapware like MS-DOS and computers like the Apple II.
My point is that their problem is other peoples' expectations. Their ambition set the bar before they'd written a single line of code. Had they been more humble and waited to ask for a handout afte they had released what they have now I don't think there would be half as many articles hitting HN about how crappy their software is.
I think that they released something is great. I would never put some one down for having ambitions and aspirations to follow them. I would simply advise that they keep those ambitions to themselves and let their actions speak for them.
They didn't plan this. But they're giving it a shot.
Haters gon' hate.
All I got from it was they have security problems. What exactly? where exactly?
"Really, Really, Really Bad" is really subjective. When stating a problem try to be concrete and objective and give examples. For instance, if you think someones cooking is a bit off and you are a chef, say you need a little more salt or pepper or whatever the case maybe. A chef can't simply say it is really, really, really bad, leave such comments to amateurs who don't know what exactly they are experiencing and how exactly to fix it.
If you don't really have the time to address each particular concern then give them a reference to some security books that are essential when developing something like this.
As it stands the community is no better off before than when you wrote this. You should have written an article about "10 security books that are a must read to prevent diaspora mistakes".[I would appreciate it if someone who is knowledge about this wrote something like this]
I've always been saying that making a distributed social network is much easier than "solving" privacy and security for such a thing. First of all, try even defining what it means to privately share things with people on the internet. Then, realize that most solutions (such as diaspora) will actually EXACERBATE the privacy problem, by making you trust the hosting services of all your friends instead of just facebook.
That said, after diaspora was announced it made me think about whether it's possible to ensure privacy in principle. Meaning, is it possible to only trust YOUR hosting company and friends, and cut out every other middleman from being able to snoop your data?
I came up with something which I think would be very useful, and I actually submitted a provisional patent for the technology, which basically enables distributed AND private social networking using just today's web browsers.
If you want to check it out or get involved, see http://myownstream.com . This is an open-source offshoot of a social network I'm building, which I hope to release next year. You can see the roadmap there, but so far it's been going really well :)
It's just a coincidence that these guys are also from NYU.
1. Most of the XSS errors should be handled by Rails 3 auto-escaping. I'm not certain why this isn't happening. It may be a simple HAML config error or bug.
2. The session key should be moved out of the Git repo.
3. Most of the authorization can be done by reaching through the current user's associations. For example "current_user.photos.destroy" would prevent users from destroying other's photos.
I'm not defending the developers here and agree these should not have gotten past them. My point is these problems can be fixed in a few days, and thanks to open source, there are many eyes looking at the code to find additional security issues.
Yes, the CS degree is about preparing students for CS graduate programs. But there was never a suggestion that perhaps the CS degree was not what we needed. Or maybe there was a suggestion, one, from some guy on Teh Intarwebs, against every other person in positions of respect around us. We were consistently told that the CS degree was the path to a software development degree. Yes, internships. They are very important. We don't do enough of them. We certainly need more of an apprenticeship model. I suspect that the development of good programmers would work in a culinary school model more than a research school model.
College graduates are basically the first level of competency worth training to become developers, or at least are supposed to be (let's just stick to ideal situations right now, with no wind resistance and infinite point masses). It's like in the martial arts, we say that black-belt is where the learning begins. Once you reach black-belt/BSCS, you have only acquired the tools that you need to start learning.
Every programmer I've known thought he was a super hacker by the time he got out of college. Me included. I see it in the interviews I conduct, also. There is an air of arrogance. There is a sense of shock and personal assault when pointing out their errors. They haven't yet grocked that the code is not them. They haven't yet learned that the errors are inevitable, that it is only time and experience that teaches us how to avoid them, that programming is about the pursuit of eventual perfection and not the dogmatic defense of yesterday's code.
So one of two things happens. Either the degreed programmer shucks his hubris and finds humility, or he becomes a leech on his coworkers (and my use of the masculine pronoun is no mistake, the female programmers I've known don't have this pathology). Unfortunately, the latter is apparently indistinguishable from the former for most management types. Haha, but digging on the liberal arts majors aside, most people who come out of college with a BS in CS do not want to make programming their wake-to-sleep life. They want it to be their 9-to-5 career, and leeching is the easier route to that.
The kids mean well, I'm sure they are quite intelligent, and they've got heart. But a startup was probably the worst first endeavor for them. I think it's better to go through your male-programmer-humiliation on someone else's dollar. They're basically going into more debt to learn how to be programmers now that they've gotten out of college. They could have been earning a salary to learn how to be programmers.
Diaspora is also a somewhat unusual case. For most consumer web startups, the back button is a much bigger threat than security vulnerabilities in the early stages. Once you've iterated a lot have a better idea of what you're actually building, one of the first steps is usually to hire coders who are much better than you. In Diaspora's case, it's unclear to me whether their vision is a business or an open-source project - in the latter case then having stronger coders lead the effort is more important.
Perhaps the problems also lie in the expectations of those giving money. I assure you that few experienced angel investors would have been upset or surprised that the college kids they gave $200K to produced code that was messy or had some bad security problems in the early stages. They would be a lot more concerned with how the founders planned on getting adoption for their fledgling service, or whether they were iterating on the product quickly enough. It seems that many who have donated to Diaspora (or who are getting upset on behalf of other people who donated to Diaspora) have different expectations. '
Just today I was playing with the product of a company in the just-ended YC batch. I found I was able to delete someone else's posted content on the site trivially easily. While I'm sure PG wouldn't be exactly happy to hear about this, he sure as heck wouldn't think that the founders should have spent more time learning to code in industry before taking his money to build a startup. He'd just tell them to fix it (and it's probably fixed by now), and then move on to more important questions like whether they were getting more users and building the right features.
Whether that media campaign was orchestrated by the developers, or their investors, or just surfaced naturally as some news stories tend to do, I think this attention didn't really help matters when it came to putting a group of inexperienced graduates together to create what potentially should be a rival to a multi billion dollar company in one summer.
They should have been given more time and let to lead more of a low profile than the charade that's taken place over the past few months
This is referred to in the Dreyfus Model of Skill Acquistion. It refers to a space in time where we are advanced enough to not be a novice, but not advanced to realize our own lack of expertise. Merlinn Mann refers to it as being an "advanced beginner". The problem with this stage is that's it's impossible to rationalize until you've escaped it - that or you use metacognition - with awareness of said likely ineptitude because of posts like this.
I'm pretty sure that's what just happened.
Sure there's a lot they have to learn, but there's no reason why they won't be able to learn by doing. They clearly have all of the funding and motivation they need to get to the point of having a stable release. I'm glad the author (of this blog post) submitted a patch, and hopefully momentum on this project will continue to grow, as more experienced developers offer their advice and expertise.
edit: Also, I'm not sure if "startup" is the best thing to call Diaspora. Given the fact that they're already well funded, and working towards the public good, they might be better off incorporating as a nonprofit, similar to what the Miro guys did (http://participatoryculture.org/).
Actually not awesome, because for the rest of your programming career you will realize that your code is terrible.
But awesome because that's when you leave the womb and start down the road to being a good programmer.
Wasn't Linus Torvalds a college student when he released linux? For that matter, Facebook was written by a college student. Some college students can do amazing things. Also, this is just a pet peeve of mine, but don't diminish college students by calling them "kids." Many may be young, but they are adults.
I think the problem is that four undergrads were given a quarter million dollars to compete with the largest website on the internet and people expected anything but disaster.
Some people are just really good. And a startup makes them even better, and much faster than if they had decided to be "apprentices" or "interns" forever.
The thing about Diaspora is that UNLIKE Facebook or many other startups, its source code is on the internet for all to see. Do you think the original Facebook (written in PHP) didn't have security holes that would be transparent upon reading the source code? For that matter, do you think today's Facebook source would withstand attack if posted on the internet tomorrow?
The question answers itself.
If it achieves its potential, Diaspora will be hardened to a considerable extent because of the scrutiny that open source provides. This is not the time to slam these kids as wet behind the ears undergrads. Their code is pretty good for something written in 3 months. And if you really are that much wiser than them, they are accepting patches.
I don't know. It seems like they are earning their "male-programmer-humiliation" in the most efficient way possible. If having an article about how atrociously buggy your code is at the top of Hacker News doesn't teach one instant humility, nothing will.
Many startups are started/coded by young programmers in or fresh out of college -- people who probably haven't really earned their 'black-belt' in programming through time and experience. This would lead you to believe that many startups (even relatively successful ones) have plenty of bad/buggy code under the hood, but they have the benefit of not being out there under the scrutiny of public eye.
That said, if you're a young (and thus, probably somewhat inexperienced) coder, it would seem you can get stuck in the conundrum of wanting to have enough experience to write good code, but also wanting to go for starting a company while you're still young. Would love to hear opinions/thoughts on how to solve that conundrum.
they didn't appear to use pbkdf2 or similar to derive their crypto keys, so that isn't good. but at least they didn't make up their own algorithm (though maybe they're making their own crypto protocol--hopefully not--i couldn't tell from the code).
it's very easy to say "this sucks", it's harder to say "this sucks and here's why" and it's even harder to say "this suck and here's why and here's how i do it in my deployed product"
The 'here's why' part gets tricky with security stuff. I don't want to be complicit in people trashing accounts. And if you read, I did submit patches.
And they are making up their own protocol. It's currently not documented.
Looking through the code, it looks like Diaspora is really just putting a front end and "aspects" on top of OStatus. I think it might be good at this point to just scrap the Diaspora code and start over from the basics with a good OStatus-based reference implementation in Rails.
If it survives, I might do this... I think their approach is fine for rolling out a private enterprise FB or creating an alternative hosting solution, but I'd like to see an even more decentralized solution. Ruby isn't a good choice of language for mobile, or native compiled "IJW out of the box" deployable solutions.
Edit: I see jlgbecom already made a similar point below.
And these were in substantially larger systems.
With that said, I haven't looked at the code, so maybe the issue is more fundamental than that, but I haven't seen evidence of that yet.
Github issue #8: "Facebook has a majority market share"
Just wanted to say good on you for fixing bugs and contributing to Diaspora! Unfortunately I don't even know enough Ruby to understand what I'm looking at, but I'm excited about the project - they've definitely got a good resource in you! Is there any indication that they switched to Ruby during this Summer? I swear it was originally going to be in PHP, but I can't find any mention of that now. Could the oversights in the code be due to this being the first piece of Ruby the team has written?
I also vaguely remember that it was supposed to be in PHP as well, and several other people have mentioned that. I can't find a source...
It could be the reason, but things like "make sure if you're trying to delete a photo, it's yours" is something that transcends implementation languages, you know?
"Feel free to try to get it running on your machines and use it, but we give no guarantees. We know there are security holes and bugs..."
Twitter has had major security problems, same with many other "big" companies, shouldn't this be a lesson that security is the primary concern especially for an open source project?
Just think of many of the older more established FOSS projects, Linux, Apache, etc. Many of them started out very rough, but attracted developers and turned into something useful. I think that dumping the code right now, was probably the best move that they could have made.
During the summer, I could only shake my head at the hullabaloo coming from Diaspora supporters. Now it's at the detractors.
* literal SQL without escaping (They use Mongo it turns out)
* 10,000 lines of controller action (The biggest one is Photo#create, but far from huge). PS: They use carrierwave, which is AWESOME.
* giant business logic in the views (They use haml and the code is clean).
* Not escaping user's input (OK, there are places where they forgot to put it).
Their code is far from shit. Easily improvable as they gain more developers. Aren't we too quick to judge?
I believe they will get an amazing quantity of outside work.
And I'm also concerned that if they'd consider releasing something so broken that it won't be taken care of in the future.
It's this kind of code bashing that makes it difficult and intimidating for newbies to break into development. Think twice before you lambast younger, less experienced programmers on the internet. What a shame.
And it's infinitely better than the alternative, of getting everything right first time, because that's impossible. Something is better than nothing. Live it!
As is, the Diaspora code base is not viable.
Not even minimally so.
Logically, security and privacy are secondary: they are properties of some functionality/data.
However, my instinct tells me that the example you mention of say, an ad + landing page, IS an MVP in one good sense - to gauge interest in a potential product (an iPhone app, etc), gathering subscribers to mailing lists, beta signups, etc.
But in the scope of what Diaspora is trying to accomplish, releasing the code base like this doesn't qualify as a product - I think.
I am way more than willing to be wrong on this point, though. I'm also probably just splitting hairs by this point.
A following task is to discover if what they have is usable/useful by real people, and the only real test of that is to release it and get feedback. Related is flushing out bugs (most effectively done by actual usage); testing performance (even for small numbers of users); and of course flushing out specific privacy and security issues. Note that it's not actually necessary to even continue with the same codebase; it is possible to use it as a prototype.
I think a helpful way to separate a "product" from a "codebase" is to ask whether a complete rewrite in a different language with a different internal architecture (and of course codebase), that is indistinguishable to users, could be sold as the same product.
I think the Mythical Man Month would be of interest to you; he has your perspective, but with a wider scope. I think you'd really enjoy it, if you haven't already. Some fascinating ideas appear right up in chapter 1, very clearly written.
I enjoyed building and playing with the code, and I hope that there is a much improved version in the future.
I thought the idea of a developer release was to do exactly this.
My guess is that it was a much bigger piece of crap. A PHP crap. And guess who wrote it? Harvard undergrads. ^_^
If it was a piece of crappy software that I wrote and put it on Github, I am going to get criticize to the point that it's worthless, I'm not sure where is the open source spirit going this way.
Nothing to see here.