Back in April, four NYU students decided to raise money to spend the summer hacking on their project: a privacy-friendly open source social network. They put up a page on Kickstarter, a crowdsourced funding site. Talk about being in the right place at the right time: after a great article, "Four nerds and a cry to arms against Facebook," came out in the New York Times, Diaspora* raised $200,000 in a few weeks.
At which point they moved to San Francisco, got free office space, spent the summer hacking, went to Burning Man … and on September 15, released their software to the community. Basic functionality is in place: status updates, photos, “aspects” to control who sees what. Kudos to them.
Alas, from a security perspective, the code was Swiss cheese: filled with holes. Taking off my security hat for a moment: this was probably the right tradeoff for them to make at first. If the guys had spent all their time becoming security experts, they couldn't have gotten as far as they have. There's a huge amount of value in giving people something to play with, even if it's insecure.
Still, the major reason people are excited about Diaspora is because of privacy — and you can’t have privacy without security. So if they want people to trust them, they’re going to have to raise their game. And security is notoriously difficult and expensive to add after the fact. What to do?
Here’s a presentation I’m giving at the Microsoft Blue Hat security conference looking at how Diaspora, or the other emerging Facebook alternatives like Appleseed and OneSocialWeb, might approach it. The full text is available on Liminal States. Enjoy!