Thursday, September 23, 2010

Diaspora - Social Networking startup learns security no easy task

Diaspora is the brainchild of four New York University students. Earlier this year they announced their plan to create a privacy-respecting Facebook clone and tried to raise a modest $10,000. They were inundated with over $200,000 in donations.

Dan Goodin reports at the Register that Diaspora has released pre-alpha code for its open source version of Facebook. Pre-alpha code is code that has been written and may perform the basic functions intended, but has not been tested. It may (and probably will) have major bugs and flaws that will have to be found and fixed before final release. And Diaspora's initial code definitely has flaws. Dan reports that Patrick McKenzie, a software developer, has found major security holes:

“The bottom line is currently there is nothing that you cannot do to someone's Diaspora account, absolutely nothing,” said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.

“About the only thing I haven't been able to do yet is to compromise the security of the server that Diaspora is installed on. That's not because that isn't possible. If a professional security researcher goes after this, I have every confidence that they will be able to do that.”

That's pretty extreme, even for pre-alpha code. But the good news is that the project is open source, so there are more eyes on the code than just the initial programmers, and the odds that the errors will be fixed are pretty good. But there's also bad news. McKenzie participates in the project's email list, and has seen people trying to get Diaspora sites running despite the programmers clearly stating it's not ready for the real world yet. He's concerned they're going to be burned very badly because they don't understand the problems.

Diaspora is a good idea. Since the first boy asked the first girl to watch the stars with him, people have been social without revealing everything about themselves to everybody. Facebook ignores that history, claiming that it is only giving people what they want, despite public outcry every time privacy controls are opened up. People use Facebook for a number of reasons, one being that despite its flaws, it's the best game in town. It could use some real competition, but Diaspora has an uphill battle both because of its code problems and the fact that it's set its sights on the Goliath of social networking. Only this Goliath is the size of the Empire State Building, and the David that is Diaspora is smaller than an ant.

Good luck, Diaspora.