What Diaspora* can learn from Microsoft
Back in April, four NYU students decided to raise money to spend the summer hacking on their project: a privacy-friendly open source social network. They put up a page on Kickstarter, a crowdsourced funding site. Talk about being in the right place at the right time: after a great article Four nerds and a cry to arms against Facebook came out in the New York Times, in a few weeks Diaspora* had raised $200,000.
At which point they moved to San Francisco, got free office space, spent the summer hacking, went to Burning Man … and on September 15, released their software to the community. Basic functionality is in place: status updates, photos, “aspects” to control who sees what. Kudos to them.
Alas, from a security perspective, the code was swiss cheese: filled with holes. Taking off my security hat for a moment: this was probably the right tradeoff for them to make at first. If the guys had spent all their time becoming security experts, they couldn’t have gotten as far as they have. There’s a huge amount of value in giving people something to play with even if it’s insecure.
Still, the major reason people are excited about Diaspora is because of privacy — and you can’t have privacy without security. So if they want people to trust them, they’re going to have to raise their game. And security is notoriously difficult and expensive to add after the fact. What to do?
Here’s a presentation I’m giving at the Microsoft Blue Hat security conference looking at how Diaspora, or the other emerging Facebook alternatives like Appleseed and OneSocialWeb, might approach it. The full text is available on Liminal States. Enjoy!
Thanks to Adam, Jason, Alem, Sarah, tptacek, Locke1689, mahmud, Wayne, PeterH, Ed, Steve, SonyaLynn, Steve, Michael, Damon, Dan, Michael, Sarah, and Window for comments on previous iterations
Hi Mate,
I have to disagree, based on what I’ve learnt from security books and from OWASP – security cannot be an after-thought.
Excuse me if I’m wrong, and mis-interpreting a seemingly consistent message from the previously-mentioned sources,but you have to be security concious from the start – it has to be ingrained in your software development lifecycle.
You say this project would not be possible if they had no security knowledge – well, cars wouldn’t run properly if they were missing a part.
If this code were a prototype, however….
Please don’t take this the wrong way. I’m trying to get to learn web security myself and am nowhere near an expert – just airing my concerns.
Comment by Mr Cheese — October 15, 2010 @ 4:34 am
Thanks for the comment, Mr Cheese … great feedback, and I clearly gave a different impression than I meant to.
I totally agree that it’s much better to design in security up front — I talk about it in a couple of the points in the slide. In some of the previous iterations I suggested viewing the current version of Diaspora as a prototype. Obviously though that doesn’t come across in what I’ve written here. Let me think abou thow to edit it to make it clearer.
So thanks again … more soon!
jon
Comment by Jon — October 15, 2010 @ 9:19 am
Great post!
What security communities & experts do you recommend?
Comment by James — October 15, 2010 @ 12:00 pm
Good question, James (and glad you liked the post). Most of my intereactions with security these days are via conferneces, so the communities around CanSec/EUSec, Black Hat, etc. — or BlueHat, for that matter. There are also a lot of local groups, so checking around in your area could make sense.
If anybody else reading this has suggestions, please drop ’em in the comments!
Comment by Jon — October 15, 2010 @ 1:58 pm