Security

Facebook Wannabe Diaspora Hit on Security Issues

The open-source project called Diaspora is being pitched as a secure and more privacy-friendly alternative to Facebook , but it is already running into early criticism over security issues by those who say they have tested it.

The team behind Diaspora this week released a pre-Alpha version of their source code on the open-source hosting site GitHub. The code is designed to spur development activity around the platform.

The code release was accompanied by a warning that it is by no means bug free. "We know there are security holes and bugs, and your data is not yet fully exportable," Diaspora said in announcing the Alpha release .

Even with that caveat, though, early reviewers have been unsparing in their criticism of Diaspora's security features -- or lack thereof.

"Basically, the code is really, really bad," Steve Klabnik, CTO of CloudFab, wrote in his blog Hackety Hack. "I don't mean to rain on anyone's parade, but there are really, really bad security holes" in the code. Klabnik could not be reached immediately for more details.

Diaspora was born earlier this year largely in response to privacy issues related to Facebook's data collection and usage practices. The effort is being spearheaded by four New York University students: Daniel Grippi, Maxwell Salzberg, Raphael Sofaer and Ilya Zhitomirskiy.

In the months since the effort began, it has attracted growing interest from Internet users and more than $200,000 in donations on sites such as Kickstart. It has also received considerable attention from mainstream media such as the New York Times which ran a lengthy profile soon after Diaspora was launched.

The basic premise behind Diaspora is that it will allow users to have social networking functionality similar to that offered by Facebook, but with far greater control over personal data.

According to a description on the project's Web site, Diaspora will allow users to set up 'seeds' or personal servers, that they can use to store their personal data and share it directly with their friends instead of routing it through a centralized hub as with Facebook. "Friend another seed and the two of you can synchronize over a direct and secure connection instead of through a superfluous hub," the site says. "Our real social lives do not have central managers, and our virtual lives do not need them."

But initial reviews and comments on sites such as GitHub , Y-Combinator and Slashdot suggest that many are disappointed over the quality of the code released so far.

Klabnik himself described security errors in the code as the sort that a professional programmer would not make. On GitHub, reviewers have so far raised more than 140 issues, several of them dealing with security concerns such as cross-site scripting errors and code-injection errors.

Meanwhile, Patrick McKenzie, a blogger and software developer, has been using Twitter to warn users to stay away from early versions of Diaspora. "Don't host it publicly. Don't invite people to do either. It is screamingly unsafe," he said in a Tweet, without providing details on the security issues he uncovered. McKenzie could not be reached immediately for comment.

Diaspora did not respond to e-mailed requests for comment. However, the project has its share of supporters. Many of those commenting on the release of the Alpha code said that bugs being uncovered in code at this stage are not all that uncommon.

"This code was released to developers as an incomplete preview," cilantro said on Y-Combinator. "I'm not sure why people are holding it to the same standards as a finished product that's being released to end users. Seems like a pretext to talk trash."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about web 2.0 and web apps in Computerworld's Web 2.0 and Web Apps Topic Center.

Subscribe to the Security Watch Newsletter

Comments